进程防杀Delphi版(DLL部分)

最新推荐文章于 2025-05-25 13:35:30 发布

转载最新推荐文章于 2025-05-25 13:35:30 发布 · 678 阅读

文章标签：

#delphi #dll #descriptor #import #image #integer

DELPHI编程专栏收录该内容

379 篇文章

订阅专栏

本文介绍了一种通过修改DLL导入表实现API劫持的技术，详细解释了如何使用PIMAGE_IMPORT_DESCRIPTOR等数据结构定位并替换目标API，以实现对OpenProcess函数的劫持。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

DLL部分：
PIMAGE_IMPORT_DESCRIPTOR = ^_IMAGE_IMPORT_DESCRIPTOR;
  PImageImportDescriptor = PIMAGE_IMPORT_DESCRIPTOR;
  _IMAGE_IMPORT_DESCRIPTOR = packed record
    CharacteristicsOrOriginalFirstThunk: DWord;
    TimeDateStamp: DWord;
    ForwarderChain: DWord;
    Name: DWord;
    FirstThunk: DWord;
  end;
  PIMAGE_THUNK_DATA = ^_IMAGE_THUNK_DATA;
  PImageThunkData = PIMAGE_THUNK_DATA;
  _IMAGE_THUNK_DATA = packed record
    Case Integer of
      0 : (ForwarderString: DWord);
      1 : (Function_: DWord);
      2 : (Ordinal: DWord);
      3 : (AddressOfData: DWord);
  end;

var

OriginalOpenProcess : function (dwDesiredAccess: DWORD; bInheritHandle: BOOL;
                                  dwProcessId: DWORD): THandle; stdcall;

function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
  pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer;
var
  pfnOriginalProc: Pointer;
  pDosHeader: PImageDosHeader;
  pNTHeader: PImageNtHeaders;
  pImportDesc: PImageImportDescriptor;
  pThunk: PImageThunkData;
  dwProtectionFlags,dwScratch: DWORD;
  pszModName: PAnsiChar;
begin
  Result := nil;
  pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule),
    pszFunctionName);
  pDosHeader := PImageDosHeader(hFromModule);
  pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^._lfanew));
  pImportDesc := PImageImportDescriptor(DWORD(pDosHeader)+
                                        DWORD(pNTHeader^.OptionalHeader.
                                        DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
                                        VirtualAddress));
  while pImportDesc^.Name <> 0 do
  begin
    pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name)));
    if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break;
    Inc(pImportDesc);
  end;
  if pImportDesc^.Name = 0 then Exit;
  pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk));
  while pThunk^.Function_ <> 0 do
  begin
    if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then
    begin
      dwProtectionFlags := PAGE_READWRITE;
      VirtualProtect(@pThunk^.Function_,4096,dwProtectionFlags,@dwScratch);
      pThunk^.Function_ := DWORD(pfnNewProc);
      Result := pfnOriginalProc ;
      Break;
    end;
    Inc(pThunk);
  end;
end;

function OpenProcessHandler(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
    dwProcessId: DWORD): THandle; stdcall;
begin
  Result := OriginalOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
  if (dwProcessID = PID) and (PID <> 0) then Result := 0;
end;

//防杀的进程ID，从注册表中获得
procedure GetHookProcessID;
var
  TempKey: HKEY;
  DataType,Size: Integer;
begin
  PID := 0;
  Size := Sizeof(Integer);
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE,’Software/Vssoft’, 0,KEY_READ,
    TempKey) = ERROR_SUCCESS then
  begin
    RegQueryValueEx(TempKey,’ProcessID’,nil,@DataType,PByte(@PID),@Size);
    RegCloseKey(TempKey);
  end;
end;

function HookOpenProcess(nCode: Integer;wParam: WPARAM;lParam: LPARAM): LRESULT;stdcall;
begin
  GetHookProcessID;
  if not Assigned(OriginalOpenProcess) then
    OriginalOpenProcess := HookAPIFunction(GetModuleHandle(nil),
      ’KERNEL32.DLL’,’OpenProcess’,@OpenProcessHandler);
  Result := 0;
end;

exports
  HookOpenProcess;