[Amin_Mansouri]

با یونیت های زیر میتونید openprocess و terminal process و .. هوک کنید.

کد:

unit Unit1;

interface

uses
   Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
   Dialogs, StdCtrls;

type
   TForm1 = class(TForm)
     Button1: TButton;
     Button2: TButton;
     procedure Button1Click(Sender: TObject);
     procedure Button2Click(Sender: TObject);
   private
     { Private declarations }
   public
     { Public declarations }
   end;

var
   Form1: TForm1;
   procedure StartHook(pid: DWORD); stdcall; external 'hookdll.dll';
   procedure EndHook; stdcall; external 'hookdll.dll';

implementation

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
begin
   StartHook(GetCurrentProcessId);
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
   EndHook;
end;

end.

کد:

library Hookdll;

uses
   SysUtils,
   Classes,
   Windows,Dialogs,
   unitHook in 'unitHook.pas';


const
   HOOK_MEM_FILENAME   =   'tmp.hkt';
var
   hhk: HHOOK;
   Hook: array[0..2] of TNtHookClass;

  
   MemFile: THandle;
   startPid: PDWORD;    
   fhProcess: THandle;  



function NewOpenProcess(dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
type
   TNewOpenProcess = function (dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
begin
   if startPid^ = dwProcessId then begin
   Hook[1].UnHook;
   Result := TNewOpenProcess(Hook[1].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);
   fhProcess:=Result;
   Hook[1].Hook;
   exit;
   end;
   Hook[1].UnHook;
   Result := TNewOpenProcess(Hook[1].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);
   Hook[1].Hook;

end;

function NewTerminateProcess(hProcess: THandle;uExitCode: UINT): BOOL; Stdcall;
type
   TNewTerminateProcess = function (hProcess: THandle;uExitCode: UINT): BOOL; Stdcall;
begin
   if fhProcess = hProcess then begin
     showmessage('HAHA PWNED I am not allowed to close！');
     result := true;
     exit;
   end;
   Hook[2].UnHook;
   Result := TNewTerminateProcess(Hook[2].BaseAddr)(hProcess, uExitCode );
   Hook[2].Hook;
end;

procedure InitHook;      //Initialize Hook
begin
   Hook[1] := TNtHookClass.Create('kernel32.dll', 'OpenProcess', @NewOpenProcess);
   hook[2] := TNtHookClass.Create('kernel32.dll', 'TerminateProcess', @NewTerminateProcess);
end;

procedure UninitHook;      //Un-Initialize  Hook
var
   I: Integer;
begin
   for I := 0 to High(Hook) do
   begin
     FreeAndNil(Hook[I]);
   end;
end;

procedure MemShared();
begin
   MemFile:=OpenFileMapping(FILE_MAP_ALL_ACCESS,False, HOOK_MEM_FILENAME);    //Open the memory mapped File
   if MemFile = 0 then begin
     MemFile := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0,
                              4, HOOK_MEM_FILENAME);
   end;
   if MemFile <> 0 then
     //Map   File to variables
startPid := MapViewOfFile(MemFile,FILE_MAP_ALL_ACCESS,0,0,0);
end;

//Transfer
function HookProc(nCode, wParam, lParam: Integer): Integer; stdcall;
begin
   Result := CallNextHookEx(hhk, nCode, wParam, lParam);
end;

//Start HOOK
procedure StartHook(pid: DWORD); stdcall;
begin
   startPid^ := pid;
   hhk := SetWindowsHookEx(WH_CALLWNDPROC, HookProc, hInstance, 0);
end;

//End HOOK
procedure EndHook; stdcall;
begin
   if hhk <> 0 then
     UnhookWindowsHookEx(hhk);
end;


procedure DllEntry(dwResaon: DWORD);
begin
   case dwResaon of
     DLL_PROCESS_ATTACH: InitHook;    
     DLL_PROCESS_DETACH: UninitHook;
   end;
end;

exports
   StartHook, EndHook;

begin
   MemShared;

{Distribution of DLL programs to DllProc variable}
   DllProc: = @ DllEntry;
   {Call the DLL load processing}
   DllEntry (DLL_PROCESS_ATTACH);
end.

کد:

---------------------------    unitHook.pas
unit unitHook;

interface

uses
   Windows, Messages, Classes, SysUtils;

type

   //NtHook class related types
   TNtJmpCode=packed record   //8 Bytes
     MovEax:Byte;
     Addr:DWORD;
     JmpCode:Word;
     dwReserved:Byte;
   end;

   TNtHookClass=class(TObject)
   private
     hProcess:THandle;
     NewAddr:TNtJmpCode;
     OldAddr:array[0..7] of Byte;
     ReadOK:Boolean;
   public
     BaseAddr:Pointer;
     constructor Create(DllName,FuncName:string;NewFunc:Pointer);
     destructor Destroy; override;
     procedure Hook;
     procedure UnHook;
   end;

کد:

//==================================================
//NtHOOK Class Start
//==================================================
constructor TNtHookClass.Create(DllName: string; FuncName: string;NewFunc:Pointer);
var
   DllModule:HMODULE;
   dwReserved:DWORD;
begin
   //Get Module Handle
   DllModule:=GetModuleHandle(PChar(DllName));
   //If DllModule is not loaded use LoadLibrary
   if DllModule=0 then DllModule:=LoadLibrary(PChar(DllName));
   //Get module entry address (base address)
   BaseAddr:=Pointer(GetProcAddress(DllModule,PChar(FuncName)));
   //Get the current process handle
   hProcess:=GetCurrentProcess;
   //Pointer to point to the new address
   NewAddr.MovEax:=$B8;
   NewAddr.Addr:=DWORD(NewFunc);
   NewAddr.JmpCode:=$E0FF;
   //Save the original address
   ReadOK:=ReadProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved);
   //Starting block
   Hook;
end;

//Release object
destructor TNtHookClass.Destroy;
begin
   UnHook;
   CloseHandle(hProcess);

   inherited;
end;

//Starting block
procedure TNtHookClass.Hook;
var
   dwReserved:DWORD;
begin
   if (ReadOK=False) then Exit;
   //Write a new address
   WriteProcessMemory(hProcess,BaseAddr,@NewAddr,8,dwReserved);
end;

//Recovery block
procedure TNtHookClass.UnHook;
var
   dwReserved:DWORD;
begin
   if (ReadOK=False) then Exit;
   //Recovery Address
   WriteProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved);
end;

end.