program Project1; uses Forms, Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Dialogs, Unit1 in 'Unit1.pas' {Form1};

{ Private import of user32!GetClassInfoA so the hook below can call the real
  function once the patch has been lifted. The three Integer parameters stand in
  for the 32-bit (HINSTANCE, LPCSTR, LPWNDCLASSA) arguments; this whole unit is
  32-bit only (pointer/LongWord casts, pushad/popad). }
function GetClassInfoA1(x: Integer;y:Integer;j:Integer): Integer; stdcall; external 'user32.dll' name 'GetClassInfoA';
{ Private import of kernel32!RtlMoveMemory(dest, src, len), used to write back
  into the caller's class-name buffer. }
function RtlMoveMemory1(x: Integer;y:Pointer;j:Integer): Integer; stdcall; external 'kernel32.dll' name 'RtlMoveMemory';
var
  { j_apidizhi: address of GetClassInfoA inside this process (patch target).
    j_old: receives the previous page protection from VirtualProtect.
    NOTE(review): declared Pointer while VirtualProtect's OldProtect is a var DWORD - confirm this compiles on the target Delphi version. }
  j_apidizhi,j_old:Pointer;
  { Unused: left over from the commented-out jmp-rel32 attempt in the main block. }
  jmt: array[1..8] of Byte;
  { Copy of the first 8 bytes of GetClassInfoA, taken before patching. }
  ent: array[1..8] of Byte;
  { Address of MyGetClassInfoA, written as the imm32 operand of the patch. }
  j_ls:LongWord;
{$R *.res}

{ Replacement for GetClassInfoA installed by the main block.
  It (1) restores the saved prologue of the real function, (2) rewrites the
  requested class name in the caller's buffer from 'TForm1' to 'hgorj3',
  (3) calls the real function, (4) re-installs the 7-byte patch, and returns the
  real function's result. Parameter names do not match the Win32 API:
  hWnd = hInstance, lpText = lpszClass (pointer passed as Integer),
  uType = lpWndClass.
  Risk / detection notes:
  - The patch overwrites the first bytes of an exported user32 function with
    "mov eax, imm32 ; jmp eax" (B8 xx xx xx xx FF E0). Comparing a process's
    in-memory export prologues with the on-disk image, or scanning exports for
    such a stub, reveals it.
  - Between the restore at the top and the re-patch at the bottom the function
    is unhooked, and the bytes are rewritten non-atomically; no locking or
    thread suspension is done (the author's note below says multithreading was
    not considered).
  - Only 6 bytes are copied into myclassname and the rest is never zeroed, so
    the comparison below depends on whatever follows byte 6 on the stack
    (presumably the array is compared as a zero-terminated string) - latent bug.
  - The write-back modifies the caller's own lpszClass buffer in place; if the
    caller passed a string in read-only memory this faults. }
function MyGetClassInfoA(hWnd:Integer;lpText: Integer;uType:Integer): Integer; stdcall;
var
  myclassname:array[0..254] of char; { scratch copy of the requested class name; NOT zero-initialized }
  jack:Integer;                       { return value of the real GetClassInfoA }
begin
  { Lift the patch so the call to GetClassInfoA1 below reaches the original code. }
  CopyMemory(j_apidizhi, @ent, 8);
  { Copy exactly 6 bytes of the caller's class name (length of 'TForm1'); no terminator is written. }
  CopyMemory(@myclassname,Pointer(lptext),6);
  if myclassname='TForm1' then
  begin
    myclassname:='hgorj3';
    { Overwrite the caller's buffer in place with the substitute name. }
    RtlMoveMemory1(lpText,@myclassname,6);
  end;
  jack:=GetClassInfoA1(hWnd,lpText,uType);
  { Re-install the patch: [target+0]=B8 (mov eax,imm32), [target+1..4]=j_ls,
    [target+5]=FF, [target+6]=E0 (jmp eax). 7 bytes written; byte 8 of ent is
    restored unchanged above. pushad/popad preserve the caller's registers. }
  asm
    pushad
    mov eax,j_apidizhi
    mov byte [eax],$B8
    add eax,1
    mov ebx,j_ls
    mov [eax],ebx
    add eax,4
    mov byte [eax],$FF
    add eax,1
    mov byte [eax],$E0
    popad
  end;
  Result:=jack;
end;

{ Program entry: install the hook, then run the VCL application.
  Neither GetProcAddress nor VirtualProtect has its result checked; a nil
  j_apidizhi would make the CopyMemory and the asm block write to address 0. }
begin
  j_apidizhi:=GetProcAddress(GetModuleHandle('user32.dll'),'GetClassInfoA');
  { 64 = PAGE_EXECUTE_READWRITE; makes the first 8 bytes of the export writable. }
  VirtualProtect(j_apidizhi,8,64,j_old);
  CopyMemory(@ent, j_apidizhi, 8); // save the original instructions
  j_ls:=LongWord(@MyGetClassInfoA);
  //jmt[1]:=$e9;
  //jmt[2]=
  //Pinteger(@jmt[2])^:=MyGetClassInfoA;
  //CopyMemory(@jmt[2], @MyGetClassInfoA, 4);
  { Same 7-byte "mov eax, MyGetClassInfoA ; jmp eax" patch as in the hook itself. }
  asm
    pushad
    mov eax,j_apidizhi
    mov byte [eax],$B8
    add eax,1
    mov ebx,j_ls
    mov [eax],ebx
    add eax,4
    mov byte [eax],$FF
    add eax,1
    mov byte [eax],$E0
    popad
  end;
  Application.Initialize;
  Application.CreateForm(TForm1, Form1);
  Application.Run;
end.
关于 Delphi 的指针和内存操作还不熟练，特别是 Delphi 好像没有字节集操作的概念；像易语言的"到字节集"、"写到内存"、"指针到字节集"这三个函数都没有，操作不便，有待更加深入学习。
关于 API hook，这里用的是最简单的 mov eax,子程序 / jmp eax 方式，也暂时没有考虑多线程的问题。