    User/Kernel Delphi Unhooker

    This is “AFX LeakTest”, written by Aphex. The Delphi source contains a lot of useful material, but the most interesting part of it is the “unhook” unit, which gives you the simplest way of removing user and kernel hooks. You could probably build your own SSDT-restoring utilities from it.

    Features:
    • Scanning for user mode hooks
    • Scanning for kernel mode hooks
    • Removing User Hooks
    • Removing Kernel Hooks


    What's inside:
    • Delphi Hooking Library
    • Access Control API interface
    • NT Status Codes API interface
    • Windows Types API interface
    • Windows Base Types API interface


    Code example:
    //USER MODE UNHOOKING
    
    function UnhookExport(hModule: HMODULE; FunctionName: pchar): boolean;
    // Compares the export FunctionName of hModule as it is currently loaded in memory
    // against a private copy of the same DLL read back from its file on disk.  When
    // both copies are found and their first byte differs, the in-memory export is
    // overwritten with the on-disk code.  Returns True only in that case; every other
    // path returns False.
    //   hModule      - loaded module; its file path is taken from GetModuleFileName
    //   FunctionName - exported name, matched case-insensitively with lstrcmpi
    // NOTE(review): no Win32 result below (CreateFile, ReadFile, VirtualAlloc,
    // VirtualProtect) is checked, and all address arithmetic goes through 32-bit
    // cardinal casts, so as written this targets 32-bit images only.
    // From a defender's view the sequence - a process re-reading its own system DLL
    // from disk, building a private image of it, then flipping a live export page to
    // PAGE_EXECUTE_READWRITE and writing into it - is a well-known signal for
    // integrity monitoring rather than something that passes unnoticed.
    type
      TSections = array [0..0] of TImageSectionHeader;  // open-ended view over the section table
    var
      ModuleName: pchar;
      ImageBase, LoadedImage, pImageBase, pSectionBase: pointer;
      Module: THandle;
      ModuleSize, BytesRead: dword;
      ImageDosHeader: PImageDosHeader;
      ImageNtHeaders: PImageNtHeaders;
      ImageExportDirectory: PImageExportDirectory;
      ExportLoop: integer;
      ExportName: pchar;
      ExportFunction: pointer;
      PNames: pdword;
      PFunctions: pdword;
      PSections: ^TSections;
      SectionLoop: integer;
      SectionBase: pointer;
      VirtualSectionSize, RawSectionSize: dword;
      LoadedAddress: pbyte;    // export as found in the private on-disk copy
      ExportedAddress: pbyte;  // export as found in the live, loaded module
      OldProtection: dword;
      CodeLen: dword;
    begin
      Result := False;
      // Path buffer is sized in bytes; on a Unicode Delphi where pchar is PWideChar
      // this is smaller than the character count passed to GetModuleFileName - TODO confirm target version
      GetMem(ModuleName, MAX_PATH + 1);
      GetModuleFileName(hModule, ModuleName, MAX_PATH + 1);
      ExportedAddress := nil;
      LoadedAddress := nil;
      // Read the whole DLL file into a heap buffer (handle and read errors are not checked).
      Module := CreateFile(ModuleName, GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
      SetFilePointer(Module, 0, nil, FILE_BEGIN);  // redundant on a freshly opened handle
      ModuleSize := GetFileSize(Module, nil);
      GetMem(LoadedImage, ModuleSize);
      ReadFile(Module, LoadedImage^, ModuleSize, BytesRead, nil);
      CloseHandle(Module);
      // PE headers of the file copy: DOS header at offset 0, NT headers at e_lfanew.
      ImageDosHeader := PImageDosHeader(LoadedImage);
      ImageNtHeaders := PImageNtHeaders(cardinal(ImageDosHeader.e_lfanew) + cardinal(LoadedImage));
      // Reserve address space for a private, section-aligned image of the file copy.
      ImageBase := VirtualAlloc(nil, ImageNtHeaders.OptionalHeader.SizeOfImage, MEM_RESERVE, PAGE_NOACCESS);
      pImageBase := ImageBase;
      // Commit the header region at the start of the reservation and copy the headers in.
      SectionBase := VirtualAlloc(ImageBase, ImageNtHeaders.OptionalHeader.SizeOfHeaders, MEM_COMMIT, PAGE_READWRITE);
      pSectionBase := SectionBase;
      Move(LoadedImage^, SectionBase^, ImageNtHeaders.OptionalHeader.SizeOfHeaders);
      // The section table immediately follows the optional header.
      PSections := pointer(pchar(@(ImageNtHeaders.OptionalHeader)) + ImageNtHeaders.FileHeader.SizeOfOptionalHeader);
      for SectionLoop := 0 to ImageNtHeaders.FileHeader.NumberOfSections - 1 do
      begin
        // Commit the larger of the virtual and raw sizes, zero it, then copy the raw data.
        VirtualSectionSize := PSections[SectionLoop].Misc.VirtualSize;
        RawSectionSize := PSections[SectionLoop].SizeOfRawData;
        if VirtualSectionSize < RawSectionSize then VirtualSectionSize := RawSectionSize;
        SectionBase := VirtualAlloc(PSections[SectionLoop].VirtualAddress + pchar(ImageBase), VirtualSectionSize, MEM_COMMIT, PAGE_READWRITE);
        FillChar(SectionBase^, VirtualSectionSize, 0);
        Move(pointer(cardinal(LoadedImage) + PSections[SectionLoop].PointerToRawData)^, SectionBase^, RawSectionSize);
        // NOTE(review): MEM_RELEASE on a sub-range of a reservation fails and its result is
        // ignored, so the section presumably stays committed - the export walk below relies on that.
        VirtualFree(SectionBase, 0, MEM_RELEASE);
      end;
      // Walk the export name table of the private copy and remember where FunctionName lives.
      // NOTE(review): AddressOfFunctions is indexed in step with AddressOfNames; the PE
      // format maps names through AddressOfNameOrdinals, so this pairing only holds
      // when the ordinal table is the identity.
      ImageExportDirectory := PImageExportDirectory(ImageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + cardinal(ImageBase));
      PNames := pointer(cardinal(ImageExportDirectory.AddressOfNames) + cardinal(ImageBase));
      PFunctions := pointer(cardinal(ImageExportDirectory.AddressOfFunctions) + cardinal(ImageBase));
      for ExportLoop := 0 to ImageExportDirectory.NumberOfNames - 1 do
      begin
        ExportName := pchar(pdword(PNames)^ + cardinal(ImageBase));
        ExportFunction := pointer(pdword(PFunctions)^ + cardinal(ImageBase));
        if lstrcmpi(ExportName, FunctionName) = 0 then
        begin
          LoadedAddress := ExportFunction;
          Break;
        end;
        Inc(PNames);
        Inc(PFunctions);
      end;
      // Same walk over the module as actually loaded by the loader (same ordinal caveat).
      ImageBase := pointer(GetModuleHandle(ModuleName));
      ImageDosHeader := PImageDosHeader(ImageBase);
      ImageNtHeaders := PImageNtHeaders(cardinal(ImageDosHeader.e_lfanew) + cardinal(ImageBase));
      ImageExportDirectory := PImageExportDirectory(ImageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + cardinal(ImageBase));
      PNames := pointer(cardinal(ImageExportDirectory.AddressOfNames) + cardinal(ImageBase));
      PFunctions := pointer(cardinal(ImageExportDirectory.AddressOfFunctions) + cardinal(ImageBase));
      for ExportLoop := 0 to ImageExportDirectory.NumberOfNames - 1 do
      begin
        ExportName := pchar(pdword(PNames)^ + cardinal(ImageBase));
        ExportFunction := pointer(pdword(PFunctions)^ + cardinal(ImageBase));
        if lstrcmpi(ExportName, FunctionName) = 0 then
        begin
          ExportedAddress := ExportFunction;
          Break;
        end;
        Inc(PNames);
        Inc(PFunctions);
      end;
      if ((LoadedAddress <> nil) and (ExportedAddress <> nil)) then
      begin
        // Both are pbyte, so only the FIRST byte of each export is compared here.
        if ((ExportedAddress^ <> 0) and (LoadedAddress^ <> 0) and (ExportedAddress^ <> LoadedAddress^)) then
        begin
          Result := True;
          WriteLn('Unhooking ', FunctionName, '...');
          WriteLn('');
          // SizeOfProc is defined elsewhere in the unit (not on this page); its length
          // bounds both the protection change and the copy.  VirtualProtect's result
          // is not checked before the write.
          CodeLen := SizeOfProc(LoadedAddress);
          VirtualProtect(ExportedAddress, CodeLen, PAGE_EXECUTE_READWRITE, @OldProtection);
          CopyMemory(ExportedAddress, LoadedAddress, CodeLen);
          VirtualProtect(ExportedAddress, CodeLen, OldProtection, @OldProtection);
        end;
      end;
      FreeMem(ModuleName);
      FreeMem(LoadedImage);
      // pImageBase and pSectionBase presumably hold the same reservation base (the header
      // commit was made at ImageBase), so the second release is a no-op - verify.
      VirtualFree(pImageBase, 0, MEM_RELEASE);
      VirtualFree(pSectionBase, 0, MEM_RELEASE);
    end;
    
    function CheckExports(ImageBase: pointer; ImageExportDirectory: PImageExportDirectory): boolean;
    // Visits every name in the export name table of the module at ImageBase and hands
    // it to UnhookExport.  Result becomes True as soon as UnhookExport reports True
    // for one export and stays True; every export is still visited afterwards.
    //   ImageBase            - base address the export RVAs are relative to
    //   ImageExportDirectory - export directory of that module
    var
      NameIndex: integer;
      NameRva: pdword;
      CurrentName: pchar;
    begin
      Result := False;
      // AddressOfNames holds RVAs of the exported names; resolve against ImageBase.
      NameRva := pointer(cardinal(ImageExportDirectory.AddressOfNames) + cardinal(ImageBase));
      for NameIndex := 0 to ImageExportDirectory.NumberOfNames - 1 do
      begin
        CurrentName := pchar(pdword(NameRva)^ + cardinal(ImageBase));
        // The call comes first so it is never short-circuited away once Result is True.
        Result := UnhookExport(HMODULE(ImageBase), CurrentName) or Result;
        Inc(NameRva);
      end;
    end;
    
    procedure RemoveUserHooks;
    // Runs CheckExports over every named export of the loaded kernel32 module and
    // prints a message when no hook was reported.  Nothing is done when the module
    // has no export directory (a zero export RVA resolves back to the image base) or
    // when that directory names no exports.
    var
      Kernel32: pointer;
      DosHdr: PImageDosHeader;
      NtHdrs: PImageNtHeaders;
      ExportDir: PImageExportDirectory;
      ExportRva: dword;
    begin
      Kernel32 := pointer(GetModuleHandle('kernel32'));
      DosHdr := PImageDosHeader(Kernel32);
      NtHdrs := PImageNtHeaders(cardinal(DosHdr.e_lfanew) + cardinal(Kernel32));
      ExportRva := NtHdrs.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
      ExportDir := PImageExportDirectory(ExportRva + cardinal(Kernel32));
      // Guard clauses; the first comparison protects the NumberOfNames read.
      if (ExportDir = Kernel32) or (ExportDir.NumberOfNames = 0) then
        Exit;
      if not CheckExports(Kernel32, ExportDir) then
        WriteLn('No user mode hooks found!');
    end;

    Thanks Dwar, i think we can bypass protection with this tools...
    i'll write it use delphi too..and call from C# to disable

    have example or step to removing kernel mode hook??
    Last edited by emoisback; 2012-07-24 at 03:51 PM.

    nice share bro, for SSDT hooks I'm using the Delphi DDK
