Delphi CreateFile hook - Fatal编程技术网

Delphi CreateFile hook

Tags: delphi, dll, hook, createfile, setwindowshookex

I am trying to create a hook for CreateFile, so that when a process tries to create a file, the hook DLL we created will notify the user: "This process xx.exe is trying to create xx.exe, do you want to continue?"

This is where I am so far, so what do I need to change in this code:

library CreateFileHook;

uses
  Windows, Dialogs, SysUtils;

type
  // The first 6 bytes of a hooked function, saved so they can be written back.
  OldCode = packed record
    One: DWORD;
    Two: Word;
  end;

  // 6-byte "push <hook address>; ret" patch written over the start of the
  // hooked function. This only works for 32-bit code: PushArg is 4 bytes.
  far_jmp = packed record
    PushOp: Byte;      // $68 = push imm32
    PushArg: Pointer;
    RetOp: Byte;       // $C3 = ret
  end;

var
  JmpCfw, JmpCfa: far_jmp;
  OldCfw, OldCfa: OldCode;
  CfwAdr, CfaAdr: Pointer;
  hMsgHook: HHOOK = 0;

// Calls the real CreateFileW: put the original bytes back, call through, then
// re-apply the patch. INVALID_HANDLE_VALUE is (HANDLE)-1, the same value as the
// GetCurrentProcess() pseudo-handle, which is why these Read/WriteProcessMemory
// calls act on our own process.
function TrueCreateFileW(lpFileName: PWideChar;
                         dwDesiredAccess: DWORD;
                         dwShareMode: DWORD;
                         lpSecurityAttributes: PSecurityAttributes;
                         dwCreationDisposition: DWORD;
                         dwFlagsAndAttributes: DWORD;
                         hTemplateFile: THandle): THandle; stdcall;
var
  Written: DWORD;
begin
  WriteProcessMemory(INVALID_HANDLE_VALUE, CfwAdr, @OldCfw, SizeOf(OldCode), Written);
  Result := CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                        dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
  WriteProcessMemory(INVALID_HANDLE_VALUE, CfwAdr, @JmpCfw, SizeOf(far_jmp), Written);
end;

// Every CreateFileW call in the process lands here once the patch is in place.
function NewCreateFileW(lpFileName: PWideChar;
                        dwDesiredAccess: DWORD;
                        dwShareMode: DWORD;
                        lpSecurityAttributes: PSecurityAttributes;
                        dwCreationDisposition: DWORD;
                        dwFlagsAndAttributes: DWORD;
                        hTemplateFile: THandle): THandle; stdcall;
begin
  // Any notify/deny logic goes here, before the call is passed through.
  Result := TrueCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                            dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
end;

// CreateFileA is routed through the same W path after converting the name.
function NewCreateFileA(lpFileName: PAnsiChar;
                        dwDesiredAccess: DWORD;
                        dwShareMode: DWORD;
                        lpSecurityAttributes: PSecurityAttributes;
                        dwCreationDisposition: DWORD;
                        dwFlagsAndAttributes: DWORD;
                        hTemplateFile: THandle): THandle; stdcall;
var
  file_name: PWideChar;
  name_len: Integer;  // WideChars including the terminating #0
begin
  if lpFileName = nil then
  begin
    Result := TrueCreateFileW(nil, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                              dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
    Exit;
  end;
  name_len := lstrlenA(lpFileName) + 1;
  GetMem(file_name, name_len * SizeOf(WideChar));
  try
    MultiByteToWideChar(CP_ACP, 0, lpFileName, -1, file_name, name_len);
    Result := TrueCreateFileW(file_name, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                              dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
  finally
    FreeMem(file_name);
  end;
end;

procedure SetHook();
var
  kernel32: HMODULE;
  Bytes: DWORD;
begin
  kernel32 := GetModuleHandle('kernel32.dll');
  CfwAdr := GetProcAddress(kernel32, 'CreateFileW');
  CfaAdr := GetProcAddress(kernel32, 'CreateFileA');
  if (CfwAdr = nil) or (CfaAdr = nil) then Exit;
  // Save the bytes we are about to overwrite, then build and write the patches.
  ReadProcessMemory(INVALID_HANDLE_VALUE, CfwAdr, @OldCfw, SizeOf(OldCode), Bytes);
  ReadProcessMemory(INVALID_HANDLE_VALUE, CfaAdr, @OldCfa, SizeOf(OldCode), Bytes);
  JmpCfw.PushOp  := $68;
  JmpCfw.PushArg := @NewCreateFileW;
  JmpCfw.RetOp   := $C3;
  JmpCfa.PushOp  := $68;
  JmpCfa.PushArg := @NewCreateFileA;
  JmpCfa.RetOp   := $C3;
  WriteProcessMemory(INVALID_HANDLE_VALUE, CfwAdr, @JmpCfw, SizeOf(far_jmp), Bytes);
  WriteProcessMemory(INVALID_HANDLE_VALUE, CfaAdr, @JmpCfa, SizeOf(far_jmp), Bytes);
end;

procedure Unhook();
var
  Bytes: DWORD;
begin
  if CfaAdr <> nil then
    WriteProcessMemory(INVALID_HANDLE_VALUE, CfaAdr, @OldCfa, SizeOf(OldCode), Bytes);
  if CfwAdr <> nil then
    WriteProcessMemory(INVALID_HANDLE_VALUE, CfwAdr, @OldCfw, SizeOf(OldCode), Bytes);
end;

// The message hook does nothing itself; it exists only so that Windows loads
// this DLL into every GUI process, where DLLEntryPoint then patches CreateFile.
function MessageProc(code: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
begin
  Result := CallNextHookEx(0, code, wParam, lParam);
end;

// Thread procedure: installs the global hook and then sleeps forever so the
// hook (which belongs to this thread) stays installed.
function SetGlobalHookProc(lpParam: Pointer): DWORD; stdcall;
begin
  hMsgHook := SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
  Sleep(INFINITE);
  Result := 0;
end;

procedure SetGlobalHook();
var
  hMutex: THandle;
  TrId: DWORD;
begin
  // The named mutex ensures only the first process that loads this DLL installs
  // the message hook; the handle is kept open on purpose so the mutex persists.
  hMutex := CreateMutex(nil, False, 'CreateFileHook');
  if (hMutex <> 0) and (GetLastError <> ERROR_ALREADY_EXISTS) then
    CloseHandle(CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId))
  else
    CloseHandle(hMutex);
end;

procedure DLLEntryPoint(dwReason: Integer);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
      begin
        SetGlobalHook();   // first loader installs the message hook (injection)
        SetHook();         // every process patches its own CreateFileA/W
      end;
    DLL_PROCESS_DETACH:
      begin
        Unhook();
        if hMsgHook <> 0 then
          UnhookWindowsHookEx(hMsgHook);
      end;
  end;
end;

begin
  // Delphi does not call DllProc for the initial attach, so do it by hand.
  DllProc := @DLLEntryPoint;
  DLLEntryPoint(DLL_PROCESS_ATTACH);
end.

Taking a quick look, I see several problems with this code. Where did you get it from? I don't have a reference to hand, but I'm fairly sure you can find examples online of what you are trying to do.

You shouldn't be using Read/WriteProcessMemory, because you are in the process you're trying to modify; Windows will do the copy-on-write for you.

If you really want/need to use Read/WriteProcessMemory, the way to get the handle to use is OpenProcess.

This hook code is not re-entrant: one thread may be exiting ReadFile and restoring the redirection code before another thread tries to call it, but after that second thread thinks it has just "fixed" it.

A cleaner approach is to save the pointer in the import address table that points to the function you want to hook, then modify that pointer so it calls your hook routine. You can then use the saved pointer to call the original routine from your hook.

Once (if) you get this working, be prepared to see a great many calls to CreateFile. CreateFile is used to create/open many things besides physical files: COM ports, pipes, console buffers and more.

什么样的程序不调用CreateFile?您认为需要在代码中修改什么?在什么情况下,该代码对您不起作用?Weel,每次windows尝试创建文件时,我都要监视文件创建,当我的程序收到通知时,会要求用户允许或不允许该操作,我在此处找到FileMonitor源代码:但cant file如何禁止创建操作!!!为什么这么多?我想监视文件创建有很多文件监视器这里有源代码:那么有人告诉我如何禁止从源代码创建的操作吗?!!!我从来没有这样做过,但是一旦有了一个工作钩子,拒绝创建应该是将无效的\u HANDLE\u值返回给调用者,而不是调用原始函数。