GetWindowThreadProcessId() IAT 挂钩:如何比较 "dwProcessID" 参数?
GetWindowThreadProcessId() IAT hooking: How compare "dwProcessID" parameter?
我使用以下代码成功挂钩 GetWindowThreadProcessId()。
现在我想检查 dwProcessID 参数是否对应于确定进程的 ID,如果是肯定的情况,则阻止执行原始函数:
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
我试过了,但没有成功:
if dwProcessID = 12345 then exit;
这是我的完整代码:
library MyLIB;
uses
Windows,
ImageHlp;
{$R *.res}
type
PGetWindowThreadProcessId = function(hWnd: THandle; dwProcessID: DWord)
: DWord; stdcall;
var
OldGetWindowThreadProcessId: PGetWindowThreadProcessId;
function HookGetWindowThreadProcessId(hWnd: THandle; dwProcessID: DWord)
: DWord; stdcall;
begin
try
// Check if is some process
except
MessageBox(0, 'Error', 'HookGetWindowThreadProcessId Error', 0);
end;
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
end;
procedure PatchIAT(strMod: PAnsichar; Alt, Neu: Pointer);
var
pImportDir: pImage_Import_Descriptor;
size: CardinaL;
Base: CardinaL;
pThunk: PDWORD;
begin
Base := GetModuleHandle(nil);
pImportDir := ImageDirectoryEntryToData(Pointer(Base), True,
IMAGE_DIRECTORY_ENTRY_IMPORT, size);
while pImportDir^.Name <> 0 Do
begin
If (lstrcmpiA(PAnsichar(pImportDir^.Name + Base), strMod) = 0) then
begin
pThunk := PDWORD(Base + pImportDir^.FirstThunk);
While pThunk^ <> 0 Do
begin
if DWord(Alt) = pThunk^ Then
begin
pThunk^ := CardinaL(Neu);
end;
Inc(pThunk);
end;
end;
Inc(pImportDir);
end;
end;
procedure DllMain(reason: Integer);
begin
case reason of
DLL_PROCESS_ATTACH:
begin
OldGetWindowThreadProcessId := GetProcAddress(GetModuleHandle(user32),
'GetWindowThreadProcessId');
PatchIAT(user32, GetProcAddress(GetModuleHandle(user32),
'GetWindowThreadProcessId'), @HookGetWindowThreadProcessId);
end;
DLL_PROCESS_DETACH:
begin
end;
end;
end;
begin
DllProc := @DllMain;
DllProc(DLL_PROCESS_ATTACH);
end.
您的 PGetWindowThreadProcessId 类型和 HookGetWindowThreadProcessId() 函数都错误地声明了 dwProcessID 参数。它是一个输出参数,因此需要声明为 var dwProcessID: DWord 或 dwProcessID: PDWord.
然后您需要调用 OldGetWindowThreadProcessId() 来检索实际的 PID,然后才能将其与任何内容进行比较。所以你的要求“in positive case prevent execute original function”是不现实的,因为你需要执行原始函数才能确定要比较的dwProcessID值。
试试这个:
type
PGetWindowThreadProcessId = function(hWnd: THandle; var dwProcessID: DWord): DWord; stdcall;
...
function HookGetWindowThreadProcessId(hWnd: THandle; var dwProcessID: DWord): DWord; stdcall;
begin
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
try
if dwProcessID = ... then
...
except
MessageBox(0, 'Error', 'HookGetWindowThreadProcessId Error', 0);
end;
end;
我使用以下代码成功挂钩 GetWindowThreadProcessId()。
现在我想检查 dwProcessID 参数是否对应于确定进程的 ID,如果是肯定的情况,则阻止执行原始函数:
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
我试过了,但没有成功:
if dwProcessID = 12345 then exit;
这是我的完整代码:
library MyLIB;
uses
Windows,
ImageHlp;
{$R *.res}
type
PGetWindowThreadProcessId = function(hWnd: THandle; dwProcessID: DWord)
: DWord; stdcall;
var
OldGetWindowThreadProcessId: PGetWindowThreadProcessId;
function HookGetWindowThreadProcessId(hWnd: THandle; dwProcessID: DWord)
: DWord; stdcall;
begin
try
// Check if is some process
except
MessageBox(0, 'Error', 'HookGetWindowThreadProcessId Error', 0);
end;
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
end;
procedure PatchIAT(strMod: PAnsichar; Alt, Neu: Pointer);
var
pImportDir: pImage_Import_Descriptor;
size: CardinaL;
Base: CardinaL;
pThunk: PDWORD;
begin
Base := GetModuleHandle(nil);
pImportDir := ImageDirectoryEntryToData(Pointer(Base), True,
IMAGE_DIRECTORY_ENTRY_IMPORT, size);
while pImportDir^.Name <> 0 Do
begin
If (lstrcmpiA(PAnsichar(pImportDir^.Name + Base), strMod) = 0) then
begin
pThunk := PDWORD(Base + pImportDir^.FirstThunk);
While pThunk^ <> 0 Do
begin
if DWord(Alt) = pThunk^ Then
begin
pThunk^ := CardinaL(Neu);
end;
Inc(pThunk);
end;
end;
Inc(pImportDir);
end;
end;
procedure DllMain(reason: Integer);
begin
case reason of
DLL_PROCESS_ATTACH:
begin
OldGetWindowThreadProcessId := GetProcAddress(GetModuleHandle(user32),
'GetWindowThreadProcessId');
PatchIAT(user32, GetProcAddress(GetModuleHandle(user32),
'GetWindowThreadProcessId'), @HookGetWindowThreadProcessId);
end;
DLL_PROCESS_DETACH:
begin
end;
end;
end;
begin
DllProc := @DllMain;
DllProc(DLL_PROCESS_ATTACH);
end.
您的 PGetWindowThreadProcessId 类型和 HookGetWindowThreadProcessId() 函数都错误地声明了 dwProcessID 参数。它是一个输出参数,因此需要声明为 var dwProcessID: DWord 或 dwProcessID: PDWord.
然后您需要调用 OldGetWindowThreadProcessId() 来检索实际的 PID,然后才能将其与任何内容进行比较。所以你的要求“in positive case prevent execute original function”是不现实的,因为你需要执行原始函数才能确定要比较的dwProcessID值。
试试这个:
type
PGetWindowThreadProcessId = function(hWnd: THandle; var dwProcessID: DWord): DWord; stdcall;
...
function HookGetWindowThreadProcessId(hWnd: THandle; var dwProcessID: DWord): DWord; stdcall;
begin
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
try
if dwProcessID = ... then
...
except
MessageBox(0, 'Error', 'HookGetWindowThreadProcessId Error', 0);
end;
end;