  UNIT APIHook;
  {!INFO
  MODULENAME = 'APIHook'
  VERSION = '1.00'
  AUTHOR = 'Berserker'
  DESCRIPTION = 'Contains a set of procedures and functions for intruding into processes'
  }
  { Review summary (what the IMPLEMENTATION section below actually does):
    - AddHook/RemoveHook overwrite the first 5 bytes of an in-process routine
      with an E9 rel32 jump (inline hook); AddAPIHook/RemoveAPIHook first
      resolve the routine through LoadLibrary + GetProcAddress.
    - RunProcessWithHookDll starts ExeFile suspended, allocates RWX memory in
      it, writes a 20-byte stub and the DLL path, runs the stub on a remote
      thread and then resumes the process (suspended-process DLL injection).
    - KillAllThreads terminates every thread of the current process except
      the caller.
    - DuplicateModule copies a DLL to HOOK_<name> in the current directory
      and loads that copy.
    Pointer arithmetic throughout is done via INTEGER casts, so the unit is
    32-bit only. Hardly any Win32 return value is checked. }

  INTERFACE
  USES Windows, SysUtils, TLHELP32;

  CONST
    // Passed as CopyFile's bFailIfExists in DuplicateModule: FALSE means an
    // existing destination IS overwritten, the opposite of what the name says.
    C_OVERWRITEEXISTING = FALSE;
    // Returned by DuplicateModule when the copy cannot be made (LoadLibrary's
    // own failure value is also 0).
    C_ERRORHANDLE = 0;
    // Byte size of the remote stub built by RunProcessWithHookDll.
    C_ASMBLOCKSIZE = 20;

    // Thread access rights; same values as the THREAD_* constants of the
    // Windows headers. thread_All_Access is what KillAllThreads passes to
    // OpenThread (Pascal identifiers are case-insensitive).
    thread_Terminate = $00000001;
    thread_Suspend_Resume = $00000002;
    thread_Get_Context = $00000008;
    thread_Set_Context = $00000010;
    thread_Set_Information = $00000020;
    thread_Query_Information = $00000040;
    thread_Set_Thread_Token = $00000080;
    thread_Impersonate = $00000100;
    thread_Direct_Impersonation = $00000200;
    thread_All_Access = Standard_Rights_Required or Synchronize or $3FF;

  TYPE
    // Not referenced anywhere in this unit. The parameters are in the reverse
    // order of CreateProcess's; presumably meant for a hook over it — TODO
    // confirm with the callers.
    TCreateProcessFunc = FUNCTION(var PI: TProcessInformation; const SI: TStartupInfo; CurDir: PChar; Env: Pointer; CreationFlags: DWord; InheritHandles: Bool; ThreadAttrs, ProcessAttrs: PSecurityAttributes; CmdLine, AppName: PChar): INTEGER;
    PHookBuffer = ^THookBuffer;
    // Backup storage for the 5 bytes an inline hook overwrites.
    THookBuffer = ARRAY [0..4] OF BYTE;

  {* PROCEDURES AND FUNCTIONS *}

  {< DuplicateModule >
  Creates a copy of the library under a new name in the current directory, loads it and returns its handle}
  FUNCTION DuplicateModule(name: STRING): THandle;
  {< FullPath >
  Returns the full path to a file in the same directory as the program}
  // NOTE(review): the implementation calls GetFullPathName, which resolves a
  // relative name against the current directory, not the executable's.
  FUNCTION FullPath(FileName: STRING): STRING;
  // Inline hook install/remove on a raw code address (5-byte JMP patch).
  PROCEDURE AddHook(OldProc, NewProc: POINTER; Buffer: PHookBuffer);
  PROCEDURE RemoveHook(OldProc: POINTER; CONST Buffer: PHookBuffer);
  // Same, but the target is looked up by module and export name.
  PROCEDURE AddAPIHook(Module, OldProc: STRING; NewProc: POINTER; Buffer: PHookBuffer);
  PROCEDURE RemoveAPIHook(Module, OldProc: STRING; Buffer: PHookBuffer);
  // Same as FullPath except for the buffer size used (1024 vs 8092).
  FUNCTION GetFullPath (CONST Path: STRING): STRING;
  // Creates ExeFile suspended, forces it to load DllFile, then resumes it.
  PROCEDURE RunProcessWithHookDll(ExeFile, DllFile: STRING; VAR PInfo: TProcessInformation);
  PROCEDURE KillAllThreads;
  // Imported directly from kernel32 rather than taken from the Windows unit;
  // presumably the Windows unit of the targeted Delphi version lacks it.
  FUNCTION OpenThread(dwDesiredAccess: DWord; bInheritHandle: Bool; fwThreadId: DWord): THandle; STDCALL; EXTERNAL 'kernel32.dll' NAME 'OpenThread';

  VAR
    // Command line handed to CreateProcess by RunProcessWithHookDll; empty by
    // default, settable by the caller.
    CmdLine: STRING = '';

  IMPLEMENTATION
  54.  
  { Copies the DLL `name` to 'HOOK_' + its file name in the current directory
    (unless a file of that name is already there) and loads that copy,
    returning the module handle. Returns C_ERRORHANDLE (0) when the copy
    fails; LoadLibrary also returns 0 on failure, so callers cannot tell the
    two cases apart.
    Side effect worth knowing about: a file named HOOK_<name> is left on disk
    in the current directory. }
  FUNCTION DuplicateModule(name: STRING): THandle;
  VAR
    FullPath: STRING; // shadows the unit's FullPath function inside this body
    FileName: STRING;
    WinDir: STRING;

  BEGIN
    FullPath:=SysUtils.ExpandFileName(name);
    FileName:='HOOK_'+ExtractFileName(name);
    IF NOT FileExists(FullPath) THEN BEGIN
      // Fall back to <windows dir>\SYSTEM32\<name>. If GetWindowsDirectory
      // needs more than 256 characters it returns the required size, and the
      // second SetLength then grows WinDir with unspecified content instead of
      // retrying — unlikely in practice, but unchecked.
      SetLength(WinDir, 256);
      SetLength(WinDir, GetWindowsDirectory(@WinDir[1], 256));
      FullPath:=WinDir+'\SYSTEM32\'+name;
    END; // .if dll is in system32 directory
    // A HOOK_<name> that already exists is loaded as-is; nothing verifies that
    // it is really a copy of `name`.
    IF NOT FileExists(FileName) THEN BEGIN
      IF NOT CopyFile(PCHAR(FullPath), PCHAR(FileName), C_OVERWRITEEXISTING) THEN BEGIN
        RESULT:=C_ERRORHANDLE; EXIT;
      END; // .if we cannot copy module
    END; // .if there is no already hooked module in current directory
    RESULT:=LoadLibrary(PCHAR(FileName));
  END; // .procedure DuplicateModule
  76.  
  FUNCTION FullPath(FileName: STRING): STRING;
  { Expands FileName to an absolute path with Windows.GetFullPathName (i.e.
    relative to the current directory). A scratch string of 8092 characters is
    handed to the API and then trimmed to the length it reports; the
    "file part" pointer the API returns is discarded. When the API returns 0
    the result is the empty string. }
  VAR
    Scratch: STRING;
    FilePart: PCHAR;
    Len: DWORD;
  BEGIN
    SetLength(Scratch, 8092);
    Len:=Windows.GetFullPathName(PCHAR(FileName), 8092, PCHAR(Scratch), FilePart);
    SetLength(Scratch, Len);
    RESULT:=Scratch;
  END; // .function FullPath
  87.  
  { Installs an inline hook: the first 5 bytes of OldProc become
    `JMP rel32` to NewProc. If Buffer is not NIL, 5 bytes are saved into it
    first so RemoveHook can write them back later.
    Neither VirtualProtect result is checked; if the page cannot be made
    writable the two stores below fault. 32-bit only (INTEGER pointer math). }
  PROCEDURE AddHook(OldProc, NewProc: POINTER; Buffer: PHookBuffer);
  VAR
    OldPageProtect: INTEGER;

  BEGIN
    VirtualProtect(OldProc, 5, PAGE_EXECUTE_READWRITE, @OldPageProtect);
    IF Buffer<>NIL THEN BEGIN
      // NOTE(review): the copy source is NewProc, so Buffer receives the first
      // 5 bytes of the replacement routine rather than of OldProc. RemoveHook
      // copies Buffer back over OldProc, so the "restore" does not put the
      // original code back.
      CopyMemory(@Buffer^[0], NewProc, 5);
    END; // .if we want to backup old data
    PBYTE(OldProc)^:=$E9; // jmp addr 32
    // The displacement is relative to the end of the 5-byte instruction.
    PINTEGER(INTEGER(OldProc)+1)^:=INTEGER(NewProc)-INTEGER(OldProc)-5;
    // The local copy of the OldProc pointer doubles as the out-parameter for
    // the previous protection value; it is not used again afterwards.
    VirtualProtect(OldProc, 5, OldPageProtect, @OldProc);
  END; // .procedure AddHook
  101.  
  { Writes the 5 bytes held in Buffer^ back over OldProc, undoing AddHook.
    Buffer is dereferenced unconditionally: AddHook tolerates NIL, this
    routine does not. VirtualProtect results are not checked, as in AddHook. }
  PROCEDURE RemoveHook(OldProc: POINTER; CONST Buffer: PHookBuffer);
  VAR
    OldPageProtect: INTEGER;

  BEGIN
    VirtualProtect(OldProc, 5, PAGE_EXECUTE_READWRITE, @OldPageProtect);
    // Whatever AddHook saved is written back, byte for byte.
    CopyMemory(OldProc, @Buffer^[0], 5);
    // Local OldProc pointer reused as the out-parameter; not used again.
    VirtualProtect(OldProc, 5, OldPageProtect, @OldProc);
  END; // .procedure RemoveHook
  111.  
  PROCEDURE AddAPIHook(Module, OldProc: STRING; NewProc: POINTER; Buffer: PHookBuffer);
  { Looks up the export OldProc of Module and installs an inline hook on it
    via AddHook. Module is passed to LoadLibrary on every call and that
    reference is never released; a NIL result from GetProcAddress is handed
    to AddHook unchecked. }
  VAR
    Target: POINTER;
  BEGIN
    Target:=GetProcAddress(LoadLibrary(PCHAR(Module)), PCHAR(OldProc));
    AddHook(Target, NewProc, Buffer);
  END; // .procedure AddAPIHook
  116.  
  PROCEDURE RemoveAPIHook(Module, OldProc: STRING; Buffer: PHookBuffer);
  { Looks up the export OldProc of Module and hands its address and Buffer to
    RemoveHook. Like AddAPIHook it calls LoadLibrary without a matching
    FreeLibrary and does not check for a NIL address. }
  VAR
    Target: POINTER;
  BEGIN
    Target:=GetProcAddress(LoadLibrary(PCHAR(Module)), PCHAR(OldProc));
    RemoveHook(Target, Buffer);
  END; // .procedure RemoveAPIHook
  121.  
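  PROCEDURE Ready(EventName: STRING);
  { Pulses the named event EventName once (open, pulse, close). Not declared
    in the INTERFACE section and not called from this unit.
    Best-effort: if the event cannot be opened nothing happens; the handle is
    now checked so PulseEvent and CloseHandle are not invoked on 0. }
  VAR
    Wait: THandle;

  BEGIN
    Wait:=OpenEvent(EVENT_ALL_ACCESS, FALSE, PCHAR(EventName));
    IF Wait<>0 THEN BEGIN
      PulseEvent(Wait);
      CloseHandle(Wait);
    END; // .if the event could be opened
  END; // .procedure Ready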
  131.  
  FUNCTION GetFullPath (CONST Path: STRING): STRING;
  { Same job as FullPath with a 1024-character scratch buffer: Path is
    expanded by Windows.GetFullPathName relative to the current directory and
    the buffer is cut down to the length the API reports (0, i.e. '' on
    failure). The returned file-part pointer is ignored. }
  VAR
    Scratch: STRING;
    FilePart: PCHAR;
    Len: DWORD;
  BEGIN
    SetLength(Scratch, 1024);
    Len:=Windows.GetFullPathName(PCHAR(Path), 1024, PCHAR(Scratch), FilePart);
    SetLength(Scratch, Len);
    RESULT:=Scratch;
  END; // .function GetFullPath
  142.  
  { Starts ExeFile suspended and makes it load DllFile before its own first
    instruction runs:
      1. CreateProcess with CREATE_SUSPENDED, using the global CmdLine;
      2. two PAGE_EXECUTE_READWRITE regions allocated in the child
         (C_ASMBLOCKSIZE-byte stub, DLL path);
      3. the path and the stub written with WriteProcessMemory;
      4. CreateRemoteThread on the stub, waited on until it exits;
      5. ResumeThread on the child's primary thread.
    PInfo receives the child's handles and ids from CreateProcess.
    No return value is checked: a failed CreateProcess leaves PInfo undefined
    and every later call then operates on garbage handles. The handle returned
    by CreateRemoteThread is never closed.
    The stub's call targets come from GetProcAddress in *this* process, so the
    code relies on kernel32.dll being mapped at the same address in the child.
    32-bit only (INTEGER pointer math).
    Detection note: steps 1–5 are the well-known suspended-process injection
    sequence (RWX VirtualAllocEx + WriteProcessMemory + CreateRemoteThread into
    a process created moments earlier), which endpoint monitoring commonly
    flags. }
  PROCEDURE RunProcessWithHookDll(ExeFile, DllFile: STRING; VAR PInfo: TProcessInformation);
  VAR
    si: TStartupInfo;
    AsmBlockAddr: POINTER;
    Temp: INTEGER; // reused: bytes-written out-param, thread parameter, thread-id out-param
    WriteBuf: ARRAY[0..C_ASMBLOCKSIZE-1] OF BYTE; // local image of the stub
    Buf: INTEGER;
    LibNameAddr: POINTER;
    Kernel: INTEGER;

  BEGIN
    FillChar(si, SizeOf(si), #0);
    si.cb:=SizeOf(si);
    ExeFile:=GetFullPath(ExeFile);
    DllFile:=GetFullPath(DllFile);
    // Child is created suspended with its working directory set to ExeFile's
    // folder; the command line is the unit-global CmdLine.
    CreateProcess(PCHAR(ExeFile), PCHAR(CmdLine), NIL, NIL, FALSE, CREATE_SUSPENDED, NIL, PCHAR(ExtractFilePath(ExeFile)), si, PInfo);
    AsmBlockAddr:=VirtualAllocEx(PInfo.hProcess, NIL, C_ASMBLOCKSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    LibNameAddr:=VirtualAllocEx(PInfo.hProcess, NIL, Length(DllFile)+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    // kernel32 is already loaded in this process; this only yields its base.
    Kernel:=LoadLibrary('kernel32.dll');
    Buf:=INTEGER(@WriteBuf);
    // Stub layout (offsets within AsmBlockAddr):
    //  0: $68 imm32  push <LibNameAddr>
    //  5: $E8 rel32  call LoadLibraryA   (rel32 taken from the end of the call, offset 10)
    // 10: $68 imm32  push 0
    // 15: $E8 rel32  call ExitThread     (rel32 taken from offset 20)
    PBYTE(Buf)^:=$68;
    PINTEGER(Buf+1)^:=INTEGER(LibNameAddr);
    PBYTE(Buf+5)^:=$E8;
    PINTEGER(Buf+6)^:=INTEGER(GetProcAddress(Kernel, 'LoadLibraryA'))-INTEGER(AsmBlockAddr)-10;
    PBYTE(Buf+10)^:=$68;
    PINTEGER(Buf+11)^:=0;
    PBYTE(Buf+15)^:=$E8;
    PINTEGER(Buf+16)^:=INTEGER(GetProcAddress(Kernel, 'ExitThread'))-INTEGER(AsmBlockAddr)-20;
    // Length+1 copies the terminating #0 of the Delphi string as well.
    WriteProcessMemory(PInfo.hProcess, LibNameAddr, PCHAR(DllFile), Length(DllFile)+1, CARDINAL(Temp));
    WriteProcessMemory(PInfo.hProcess, AsmBlockAddr, @WriteBuf, C_ASMBLOCKSIZE, CARDINAL(Temp));
    // Run the stub on a new thread in the child and block until it ends.
    // If CreateRemoteThread fails, the wait is on handle 0 and returns at once.
    WaitForSingleObject
    (
      CreateRemoteThread(PInfo.hProcess, NIL, 0, AsmBlockAddr, @Temp, 0, CARDINAL(Temp)),
      Windows.INFINITE
    );
    // Only now does the child's own code start.
    ResumeThread(PInfo.hThread);
  END; // .procedure RunProcessWithHookDll
  180.  
  { Terminates every thread of the current process except the calling one.
    Takes a system-wide thread snapshot (TH32CS_SNAPTHREAD enumerates all
    threads on the machine) and filters by owner process id.
    Resource handling: the snapshot handle is never closed, and each handle
    from OpenThread is passed to TerminateThread and then dropped, so one
    handle leaks per killed thread. Nothing checks whether
    CreateToolhelp32Snapshot or OpenThread succeeded.
    TerminateThread stops threads abruptly: locks they hold and any state they
    were updating are left as-is, so the process may be unstable afterwards. }
  PROCEDURE KillAllThreads;
  VAR
    CurThread: CARDINAL;
    CurProcess: CARDINAL;
    hSnap: INTEGER;
    Snap: TTHREADENTRY32;


  BEGIN
    CurThread:=GetCurrentThreadID;
    CurProcess:=GetCurrentProcessID;
    hSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    ZeroMemory(@Snap, SIZEOF(TTHREADENTRY32));
    Snap.dwSize:=SIZEOF(TTHREADENTRY32);
    IF Thread32First(hSnap, Snap) THEN BEGIN
      REPEAT
        // Own process only, and never the thread running this loop.
        IF (Snap.th32OwnerProcessID=CurProcess) AND (Snap.th32ThreadID<>CurThread) THEN BEGIN
          // THREAD_ALL_ACCESS resolves to this unit's thread_All_Access.
          // bInheritHandle is TRUE here although the handle is not kept.
          TerminateThread(OpenThread(THREAD_ALL_ACCESS, TRUE, Snap.th32ThreadID), 0);
        END; // .if
      UNTIL NOT Thread32Next(hSnap, Snap);
    END; // .if
  END; // .procedure KillAllThreads
  203.  
  BEGIN
    // Empty initialization section: nothing runs when the unit is loaded.
  END.