免费视频淫片aa毛片_日韩高清在线亚洲专区vr_日韩大片免费观看视频播放_亚洲欧美国产精品完整版

打開APP
userphoto
未登錄

開通VIP,暢享免費電子書等14項超值服

開通VIP

首頁

好書

留言交流

下載APP

聯(lián)系客服
Delphi屏幕取詞
屏幕取詞(Delphi)(1)

“ 屏幕取詞”的實現(xiàn)
//-----------------------------------------------------------------
1 用SetWindowsHookEx()安裝鼠標(biāo)鉤子MouseProc;
2 在屏幕上移動鼠標(biāo)時,系統(tǒng)就會調(diào)用鼠標(biāo)鉤子MouseProc;
3 進入MouseProc,獲得鼠標(biāo)的坐標(biāo)(x,y),
設(shè)置對TextOut()、ExtTextOut()等的跟蹤程序,
用invalidateRect()告訴系統(tǒng)該點(x,y)“失效”;

系統(tǒng)發(fā)出WM_PAINT消息,指示該點(x,y)處的應(yīng)用程序重繪“失效”的區(qū)域。
5 負(fù)責(zé)繪制該點()的應(yīng)用程序在受到 WM_PAINT 消息后, 就有機會調(diào)用
TextOut()、 ExtTextOut()等函數(shù)。
6 調(diào)用的函數(shù)被攔截進入跟蹤程序:設(shè)置好了的跟蹤程序截獲了該次調(diào)用,
從應(yīng)用程序的堆棧中取出 該點(x,y)“文字”的指針;
7 從應(yīng)用程序的數(shù)據(jù)段中將“文字”指針的內(nèi)容取出,即完成了一次“屏幕
抓字”;
8 退出跟蹤程序,返回到鼠標(biāo)鉤子MouseProc;
9 在MouseProc中解除對TextOut() ExtTextOut()的跟蹤;
10 退出MouseProc鼠標(biāo)鉤子程序,控制權(quán)交給系統(tǒng)。
11 在屏幕上移動鼠標(biāo),開始下一次“屏幕抓字”,返回步驟2。
//-----------------------------------------------------------------

Dll工程.

GetWordDll.dpr

//-----------------------------------------------------------------------------------

library GetWordDll;

uses
    Windows,
    SysUtils,
    Classes,
    UnitHookDll in 'UnitHookDll.pas',
    UnitNt2000Hook in 'UnitNt2000Hook.pas',
    UnitHookType in 'UnitHookType.pas';

exports
      StartHook,
      StopHook,
//      MouseWndProc,
      {以下導(dǎo)出列表都是必須的,
      不能少,因為程序要取其地址}
      NewBeginPaint,
      NewCreateCompatibleDC,
      NewTextOutA,
      NewTextOutW,
      NewExtTextOutA,
      NewExtTextOutW,
      NewDrawTextA,
      NewDrawTextW;
begin
end.

UnitHookType.pas

unit UnitHookType;

interface

uses windows, messages;

const
      MaxStringLen = 100;
      WM_MOUSEPT = WM_USER + 1138;
      MappingFileName = 'GetWord32 for 9x NT 2000';
      fBeginPaint=0;
      fGetWindowDC=1;
      fGetDC=2;
      fCreateCompatibleDC=3;
      fTextOutA=4;
      fTextOutW=5;
      fExtTextOutA=6;
      fExtTextOutW=7;
      fDrawTextA=8;
      fDrawTextW=9;
type
      PPointer = ^Pointer;
      TShareMem = packed record
          hProcWnd: HWND; {主應(yīng)用窗口句柄}
          hHookWnd: HWND; {鼠標(biāo)所在窗口}
          pMouse: TPoint; {鼠標(biāo)信息}
          DCMouse,DCCompatible: HDC;
          fTimerID: integer;
          fStrMouseQueue: array[0..MaxStringLen] of Char; {鼠標(biāo)信息串}
          nTimePassed: integer; {鼠標(biāo)停留的時間}
          bCanSpyNow: Boolean; {開始取詞}
          Text: array[0..MaxStringLen] of Char; {字符串}
      end;
      PShareMem = ^TShareMem;

implementation

end.

UnitNt2000Hook.pas

//-----------------------------------------------------------------------------------

unit UnitNt2000Hook;

interface

uses classes, Windows,SysUtils, messages,dialogs;

type
    TImportCode = packed record
       JumpInstruction: Word;
       AddressOfPointerToFunction: PPointer;
    end;
    PImportCode = ^TImportCode;
    PImage_Import_Entry = ^Image_Import_Entry;
    Image_Import_Entry = record
      Characteristics: DWORD;
      TimeDateStamp: DWORD;
      MajorVersion: Word;
      MinorVersion: Word;
      Name: DWORD;
      LookupTable: DWORD;
    end;
    TLongJmp = packed record
       JmpCode: ShortInt; {指令,用$E9來代替系統(tǒng)的指令}
       FuncAddr: DWORD; {函數(shù)地址}
    end;

    THookClass = class
    private
       Trap:boolean; {調(diào)用方式:True陷阱式,F(xiàn)alse改引入表式}
       hProcess: Cardinal; {進程句柄,只用于陷阱式}
       AlreadyHook:boolean; {是否已安裝Hook,只用于陷阱式}
       AllowChange:boolean; {是否允許安裝、卸載Hook,只用于改引入表式}
       Oldcode: array[0..4]of byte; {系統(tǒng)函數(shù)原來的前5個字節(jié)}
       Newcode: TLongJmp; {將要寫在系統(tǒng)函數(shù)的前5個字節(jié)}
    private
    public
       OldFunction,NewFunction:Pointer;{被截函數(shù)、自定義函數(shù)}
       constructor Create(IsTrap:boolean;OldFun,NewFun:pointer);
       constructor Destroy;
       procedure Restore;
       procedure Change;
    published
    end;

implementation

{取函數(shù)的實際地址。如果函數(shù)的第一個指令是Jmp,則取出它的跳轉(zhuǎn)地址(實際地址),這往往是由于程序中含有Debug調(diào)試信息引起的}
function FinalFunctionAddress(Code: Pointer): Pointer;
Var
    func: PImportCode;
begin
    Result:=Code;
    if Code=nil then exit;
    try
      func:=code;
      if (func.JumpInstruction=$25FF) then
        {指令二進制碼FF 25    匯編指令jmp [...]}
        Func:=func.AddressOfPointerToFunction^;
      result:=Func;
    except
      Result:=nil;
    end;
end;


{更改引入表中指定函數(shù)的地址,只用于改引入表式}
function PatchAddressInModule(BeenDone:Tlist;hModule: THandle; OldFunc,NewFunc: Pointer):integer;
const
     SIZE=4;
Var
     Dos: PImageDosHeader; //DOS頭
     NT: PImageNTHeaders;    //PE頭
     ImportDesc: PImage_Import_Entry;//輸入表
     rva: DWORD;     //RVA
     Func: PPointer;    //
     DLL: String;
     f: Pointer;
     written: DWORD;
     mbi_thunk:TMemoryBasicInformation;
     dwOldProtect:DWORD;
begin
    Result:=0;
    if hModule=0 then exit;
    Dos:=Pointer(hModule);
    {如果這個DLL模塊已經(jīng)處理過,則退出。BeenDone包含已處理的DLL模塊}
    if BeenDone.IndexOf(Dos)>=0 then exit;
    BeenDone.Add(Dos);{把DLL模塊名加入BeenDone}
    OldFunc:=FinalFunctionAddress(OldFunc);{取函數(shù)的實際地址}

    {如果這個DLL模塊的地址不能訪問,則退出}
    if IsBadReadPtr(Dos,SizeOf(TImageDosHeader)) then exit;
    {如果這個模塊不是以'MZ'開頭,表明不是DLL,則退出}
    if Dos.e_magic<>IMAGE_DOS_SIGNATURE then exit;{IMAGE_DOS_SIGNATURE='MZ'}//檢查數(shù)字簽名,最好再檢查一下PE

    {定位至NT Header}
    NT :=Pointer(Integer(Dos) + dos._lfanew);
    {定位至引入函數(shù)表}
    RVA:=NT^.OptionalHeader.
       DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;//導(dǎo)入表
    if RVA=0 then exit;{如果引入函數(shù)表為空,則退出}
    {把函數(shù)引入表的相對地址RVA轉(zhuǎn)換為絕對地址}
    ImportDesc := pointer(DWORD(Dos)+RVA);{Dos是此DLL模塊的首地址}//RVA->VA

    {遍歷所有被引入的下級DLL模塊}
    While (ImportDesc^.Name<>0) do
    begin
      {被引入的下級DLL模塊名字}
      DLL:=PChar(DWORD(Dos)+ImportDesc^.Name);
      {把被導(dǎo)入的下級DLL模塊當(dāng)做當(dāng)前模塊,進行遞歸調(diào)用}
      PatchAddressInModule(BeenDone,GetModuleHandle(PChar(DLL)),OldFunc,NewFunc);

      {定位至被引入的下級DLL模塊的函數(shù)表}
      Func:=Pointer(DWORD(DOS)+ImportDesc.LookupTable);
      {遍歷被引入的下級DLL模塊的所有函數(shù)}
      While Func^<>nil do
      begin
        f:=FinalFunctionAddress(Func^);{取實際地址}
        if f=OldFunc then {如果函數(shù)實際地址就是所要找的地址}
        begin
           VirtualQuery(Func,mbi_thunk, sizeof(TMemoryBasicInformation));
           VirtualProtect(Func,SIZE,PAGE_EXECUTE_WRITECOPY,mbi_thunk.Protect);{更改內(nèi)存屬性}
           WriteProcessMemory(GetCurrentProcess,Func,@NewFunc,SIZE,written);{把新函數(shù)地址覆蓋它}
           VirtualProtect(Func, SIZE, mbi_thunk.Protect,dwOldProtect);{恢復(fù)內(nèi)存屬性}
        end;
        If Written=4 then Inc(Result);
//        else showmessagefmt('error:%d',[Written]);
        Inc(Func);{下一個功能函數(shù)}
      end;
      Inc(ImportDesc);{下一個被引入的下級DLL模塊}
    end;
end;


{HOOK的入口,其中IsTrap表示是否采用陷阱式}
constructor THookClass.Create(IsTrap:boolean;OldFun,NewFun:pointer);
begin
     {求被截函數(shù)、自定義函數(shù)的實際地址}
     OldFunction:=FinalFunctionAddress(OldFun);
     NewFunction:=FinalFunctionAddress(NewFun);

     Trap:=IsTrap;
     if Trap then{如果是陷阱式}
     begin
        {以特權(quán)的方式來打開當(dāng)前進程}
        hProcess := OpenProcess(PROCESS_ALL_ACCESS,FALSE, GetCurrentProcessID);
        {生成jmp xxxx的代碼,共5字節(jié)}
        Newcode.JmpCode := ShortInt($E9); {jmp指令的十六進制代碼是E9}
        NewCode.FuncAddr := DWORD(NewFunction) - DWORD(OldFunction) - 5;
        {保存被截函數(shù)的前5個字節(jié)}
        move(OldFunction^,OldCode,5);
        {設(shè)置為還沒有開始HOOK}
        AlreadyHook:=false;
     end;
     {如果是改引入表式,將允許HOOK}
     if not Trap then AllowChange:=true;
     Change; {開始HOOK}
     {如果是改引入表式,將暫時不允許HOOK}
     if not Trap then AllowChange:=false;
end;

{HOOK的出口}
constructor THookClass.Destroy;
begin
     {如果是改引入表式,將允許HOOK}
     if not Trap then AllowChange:=true;
     Restore; {停止HOOK}
     if Trap then{如果是陷阱式}
        CloseHandle(hProcess);
end;

{開始HOOK}
procedure THookClass.Change;
var
     nCount: DWORD;
     BeenDone: TList;
begin
    if Trap then{如果是陷阱式}
    begin
      if (AlreadyHook)or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
          exit;
      AlreadyHook:=true;{表示已經(jīng)HOOK}
      WriteProcessMemory(hProcess, OldFunction, @(Newcode), 5, nCount);
    end
    else begin{如果是改引入表式}
         if (not AllowChange)or(OldFunction=nil)or(NewFunction=nil)then exit;
         BeenDone:=TList.Create; {用于存放當(dāng)前進程所有DLL模塊的名字}
         try
           PatchAddressInModule(BeenDone,GetModuleHandle(nil),OldFunction,NewFunction);
         finally
           BeenDone.Free;
         end;
    end;
end;

{恢復(fù)系統(tǒng)函數(shù)的調(diào)用}
procedure THookClass.Restore;
var
     nCount: DWORD;
     BeenDone: TList;
begin
    if Trap then{如果是陷阱式}
    begin
      if (not AlreadyHook) or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
          exit;
      WriteProcessMemory(hProcess, OldFunction, @(Oldcode), 5, nCount);
      AlreadyHook:=false;{表示退出HOOK}
    end
    else begin{如果是改引入表式}
      if (not AllowChange)or(OldFunction=nil)or(NewFunction=nil)then exit;
      BeenDone:=TList.Create;{用于存放當(dāng)前進程所有DLL模塊的名字}
      try
        PatchAddressInModule(BeenDone,GetModuleHandle(nil),NewFunction,OldFunction);
      finally
        BeenDone.Free;
      end;
    end;
end;

end

本站僅提供存儲服務(wù),所有內(nèi)容均由用戶發(fā)布,如發(fā)現(xiàn)有害或侵權(quán)內(nèi)容,請點擊舉報
打開APP,閱讀全文并永久保存 查看更多類似文章
猜你喜歡
類似文章
Delphi下調(diào)用API Hook
淺談api hook技術(shù)
Delphi利用CreateRemoteThread遠(yuǎn)程注入
用 NASM 編寫代碼
惡意代碼常用技術(shù)解析
手工打造可執(zhí)行程序
更多類似文章 >>
生活服務(wù)
分享 收藏 導(dǎo)長圖 關(guān)注 下載文章
綁定賬號成功
后續(xù)可登錄賬號暢享VIP特權(quán)!
如果VIP功能使用有故障,
可點擊這里聯(lián)系客服!

聯(lián)系客服