  1. #1
    Dwar

    HookAPI to prevent Process Termination

    Hook Dll
    Code:
    library Hookdll;
    
    uses
       SysUtils,
       Classes,
       Windows,Dialogs,
       unitHook in 'unitHook.pas';
    
    
    const
       // Name of the named file mapping that carries the protected PID between the
       // processes that load this DLL (opened or created in MemShared).
       HOOK_MEM_FILENAME   =   'tmp.hkt';
    var
       // Handle returned by SetWindowsHookEx in StartHook; 0 until then.
       hhk: HHOOK;
       // Inline-hook objects. InitHook assigns only slots 1 and 2; slot 0 stays nil.
       Hook: array[0..2] of TNtHookClass;


       // Handle of the named file mapping.
       MemFile: THandle;
       // View of the mapping: points at the PID written by StartHook.
       startPid: PDWORD;
       // Last handle the hooked OpenProcess returned for startPid^ in this process.
       fhProcess: THandle;
    
    
    
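    // Replacement for kernel32!OpenProcess, installed by InitHook.
    // The call is always forwarded to the original function. When the requested PID
    // equals the one published in shared memory (startPid^), the returned handle is
    // also stored in fhProcess so NewTerminateProcess can recognise it later.
    // NOTE(review): the original entry bytes are restored for the duration of the
    // forwarded call and nothing serialises UnHook/Hook, so another thread can reach
    // the unpatched API, or patch concurrently, inside that window.
    function NewOpenProcess(dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
    type
       TNewOpenProcess = function (dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
    begin
       // Put the original prologue back so BaseAddr is callable, call it, re-patch.
       Hook[1].UnHook;
       Result := TNewOpenProcess(Hook[1].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);
       Hook[1].Hook;
       // startPid is nil when the shared view could not be mapped; the original code
       // dereferenced it unconditionally, which raises an access violation inside
       // whichever process called OpenProcess.
       if (startPid <> nil) and (startPid^ = dwProcessId) then
          fhProcess := Result;
    end;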
    
    // Replacement for kernel32!TerminateProcess, installed by InitHook.
    // A call whose handle equals fhProcess is not forwarded: a message box is shown
    // and TRUE is returned, so the caller is told the termination succeeded although
    // nothing was terminated. Every other call goes to the original function.
    // NOTE(review): only the single handle value last stored by NewOpenProcess in this
    // process is compared, and only callers that go through this patched export are
    // affected. This is a user-mode convenience, not a security boundary.
    function NewTerminateProcess(hProcess: THandle;uExitCode: UINT): BOOL; Stdcall;
    type
       TNewTerminateProcess = function (hProcess: THandle;uExitCode: UINT): BOOL; Stdcall;
    begin
       if fhProcess <> hProcess then
       begin
          // Not the tracked handle: restore the original bytes, call through, re-patch.
          Hook[2].UnHook;
          Result := TNewTerminateProcess(Hook[2].BaseAddr)(hProcess, uExitCode);
          Hook[2].Hook;
       end
       else
       begin
          // Tracked handle: swallow the request and report success.
          showmessage('HAHA PWNED I am not allowed to close?');
          Result := True;
       end;
    end;
    
    // Create the two inline hooks. TNtHookClass.Create patches the export as part of
    // construction, so both APIs are redirected in this process as soon as this
    // returns. Slot 0 of Hook is intentionally left unassigned.
    procedure InitHook;
    const
       TargetDll = 'kernel32.dll';
    begin
       Hook[1] := TNtHookClass.Create(TargetDll, 'OpenProcess', @NewOpenProcess);
       Hook[2] := TNtHookClass.Create(TargetDll, 'TerminateProcess', @NewTerminateProcess);
    end;
    
    // Release every hook object; TNtHookClass.Destroy calls UnHook first, which
    // writes the saved original bytes back. FreeAndNil on the unassigned slot 0 is
    // harmless because that slot is still nil.
    procedure UninitHook;
    var
       Slot: Integer;
    begin
       for Slot := Low(Hook) to High(Hook) do
          FreeAndNil(Hook[Slot]);
    end;
    
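    // Open (or create) the named mapping that carries the protected PID and map it
    // at startPid. On any failure startPid is left nil so callers can test for that
    // instead of writing through an unassigned pointer.
    // NOTE(review): the section is created with default security (nil attributes)
    // under a fixed, guessable name and opened with FILE_MAP_ALL_ACCESS, so any
    // process the default DACL admits (typically everything running as the same
    // user) can read or overwrite the PID. Treat the value as untrusted input.
    procedure MemShared();
    begin
       startPid := nil;
       MemFile := OpenFileMapping(FILE_MAP_ALL_ACCESS, False, HOOK_MEM_FILENAME);
       if MemFile = 0 then
          // INVALID_HANDLE_VALUE requests a section with no backing file handle; the
          // literal $FFFFFFFF used before only equals it while THandle is 32 bits wide.
          MemFile := CreateFileMapping(INVALID_HANDLE_VALUE, nil, PAGE_READWRITE, 0,
                                       SizeOf(DWORD), HOOK_MEM_FILENAME);
       if MemFile <> 0 then
          // Map only the single DWORD that is actually used.
          startPid := MapViewOfFile(MemFile, FILE_MAP_ALL_ACCESS, 0, 0, SizeOf(DWORD));
    end;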
    
    // Hook procedure registered by StartHook for WH_CALLWNDPROC. It does no work of
    // its own and only hands the event to the next hook in the chain.
    // NOTE(review): presumably the hook exists only so that Windows maps this DLL
    // into the processes the hook applies to; confirm against the intended design.
    function HookProc(nCode, wParam, lParam: Integer): Integer; stdcall;
    begin
       Result := CallNextHookEx(hhk, nCode, wParam, lParam);
    end;
    
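    // Publish the PID to protect and install the WH_CALLWNDPROC hook.
    // Thread id 0 makes the hook apply to all threads on the caller's desktop, so
    // this DLL ends up loaded in unrelated GUI processes. That footprint is visible
    // in their module lists and should be expected by anyone reviewing the host.
    procedure StartHook(pid: DWORD); stdcall;
    begin
       // startPid is nil when the shared view could not be mapped; writing through
       // it raised an access violation in the original code.
       if startPid = nil then
          Exit;
       startPid^ := pid;
       // Install the hook only once; a second call used to overwrite hhk and leak
       // the first hook handle, which EndHook could then never remove.
       if hhk = 0 then
          hhk := SetWindowsHookEx(WH_CALLWNDPROC, HookProc, hInstance, 0);
    end;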
    
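    // Remove the windows hook installed by StartHook, if there is one.
    // This does not undo the inline API patches; those are restored by UninitHook
    // when the DLL receives DLL_PROCESS_DETACH.
    procedure EndHook; stdcall;
    begin
       if hhk <> 0 then
       begin
          UnhookWindowsHookEx(hhk);
          // Forget the handle so a repeated EndHook does not act on a stale value.
          hhk := 0;
       end;
    end;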
    
    
    // DLL notification handler: install the API hooks on process attach and remove
    // them on process detach. All other notification codes are ignored.
    procedure DllEntry(dwResaon: DWORD);
    begin
       if dwResaon = DLL_PROCESS_ATTACH then
          InitHook
       else if dwResaon = DLL_PROCESS_DETACH then
          UninitHook;
    end;
    
    exports
       StartHook, EndHook;
    
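    begin
       // Map the shared PID before any hooked API can run.
       MemShared;

       // Route later DLL notifications to DllEntry. The original line read
       // "DllProc: = @ DllEntry;", which does not compile.
       DllProc := @DllEntry;
       // This begin..end block is itself the load-time entry, so the attach handling
       // is invoked explicitly.
       DllEntry(DLL_PROCESS_ATTACH);
    end.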
    Unit
    Code:
    unit Unit1;
    
    interface
    
    uses
       Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
       Dialogs, StdCtrls;
    
    type
       // Test form for the hook DLL: Button1Click calls StartHook for this process
       // and Button2Click calls EndHook.
       TForm1 = class(TForm)
         Button1: TButton;
         Button2: TButton;
         procedure Button1Click(Sender: TObject);
         procedure Button2Click(Sender: TObject);
       private
         { Private declarations }
       public
         { Public declarations }
       end;
    
    var
       Form1: TForm1;
       // Static imports from the hook DLL.
       // NOTE(review): the DLL is referenced by bare file name, so the loader resolves
       // it through the normal DLL search order. Ship it next to the executable or
       // load it by full path, so that a same-named file elsewhere on the search path
       // cannot be loaded in its place.
       procedure StartHook(pid: DWORD); stdcall; external 'hookdll.dll';
       procedure EndHook; stdcall; external 'hookdll.dll';
    
    implementation
    
    {$R *.dfm}
    
    // Start protection for this very process: its own PID is what gets published
    // to the hook DLL.
    procedure TForm1.Button1Click(Sender: TObject);
    var
       OwnPid: DWORD;
    begin
       OwnPid := GetCurrentProcessId;
       StartHook(OwnPid);
    end;
    
    // Stop protection by asking the hook DLL to remove its windows hook.
    procedure TForm1.Button2Click(Sender: TObject);
    begin
       EndHook;
    end;
    
    end.
    unit Hook
    Code:
    unit unitHook;
    
    interface
    
    uses
       Windows, Messages, Classes, SysUtils;
    
    type

       //NtHook class related types
       // Patch written over the first 8 bytes of the hooked function. With the values
       // assigned in TNtHookClass.Create the bytes are B8 <Addr> FF E0, i.e. the
       // 32-bit x86 sequence "mov eax, Addr; jmp eax", followed by one padding byte.
       TNtJmpCode=packed record   //8 Bytes
         MovEax:Byte;       // opcode byte, set to $B8 in Create
         Addr:DWORD;        // 32-bit address of the replacement function
         JmpCode:Word;      // set to $E0FF in Create (stored low byte first: FF E0)
         dwReserved:Byte;   // padding up to 8 bytes; never assigned in this unit
       end;

       // One inline hook on one exported function of the current process.
       TNtHookClass=class(TObject)
       private
         hProcess:THandle;              // value of GetCurrentProcess, set in Create
         NewAddr:TNtJmpCode;            // patch bytes written by Hook
         OldAddr:array[0..7] of Byte;   // original 8 bytes, written back by UnHook
         ReadOK:Boolean;                // True when the original bytes were saved
       public
         BaseAddr:Pointer;              // address of the hooked export
         constructor Create(DllName,FuncName:string;NewFunc:Pointer);
         destructor Destroy; override;
         procedure Hook;
         procedure UnHook;
       end;
    implementation
    Code:
    //==================================================
    //NtHOOK Class Start
    //==================================================
    // Resolve FuncName in DllName, save its first 8 bytes and patch it right away so
    // that calls are redirected to NewFunc.
    // If the export cannot be resolved, BaseAddr is nil and the read is expected to
    // fail; ReadOK then stays False and Hook/UnHook do nothing.
    // NOTE(review): DWORD(NewFunc) and the B8/FF E0 encoding assume 32-bit code.
    constructor TNtHookClass.Create(DllName: string; FuncName: string;NewFunc:Pointer);
    var
       ModuleHandle:HMODULE;
       BytesRead:DWORD;
    begin
       // Prepare the patch first: mov eax, NewFunc / jmp eax
       NewAddr.MovEax:=$B8;
       NewAddr.Addr:=DWORD(NewFunc);
       NewAddr.JmpCode:=$E0FF;
       // Use the module if it is already loaded, otherwise load it
       ModuleHandle:=GetModuleHandle(PChar(DllName));
       if ModuleHandle=0 then
          ModuleHandle:=LoadLibrary(PChar(DllName));
       // Address of the export that will be patched
       BaseAddr:=Pointer(GetProcAddress(ModuleHandle,PChar(FuncName)));
       // Pseudo-handle for the current process, used for the read/write calls
       hProcess:=GetCurrentProcess;
       // Keep a copy of the bytes the patch will overwrite
       ReadOK:=ReadProcessMemory(hProcess,BaseAddr,@OldAddr,SizeOf(OldAddr),BytesRead);
       // Activate the hook
       Hook;
    end;
    
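    //Restore the original bytes and release the object
    destructor TNtHookClass.Destroy;
    begin
       UnHook;
       // hProcess holds the pseudo-handle from GetCurrentProcess, which is not a real
       // handle and does not need closing, so the CloseHandle call was removed.
       inherited;
    end;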
    
    //Install the patch: overwrite the start of the target function with NewAddr
    procedure TNtHookClass.Hook;
    var
       BytesWritten:DWORD;
    begin
       // Without a saved copy of the original bytes the patch could not be undone,
       // so nothing is written unless Create managed to read them.
       if ReadOK then
          WriteProcessMemory(hProcess,BaseAddr,@NewAddr,SizeOf(NewAddr),BytesWritten);
    end;
    
    //Remove the patch: write the saved original bytes back over the target function
    procedure TNtHookClass.UnHook;
    var
       BytesWritten:DWORD;
    begin
       // OldAddr is only meaningful when Create managed to read the original bytes.
       if ReadOK then
          WriteProcessMemory(hProcess,BaseAddr,@OldAddr,SizeOf(OldAddr),BytesWritten);
    end;
    
    end.
    Last edited by Grooguz; 2012-05-17 at 01:46 PM.

  2. #2
    Jetus
    Dwar, this code works perfectly on the 32-bit Windows platform.
    Thank you very much.

    But when I built this code in Delphi XE2 with the x64 compiler, the program did not work.
    It says:
    Access violation at address 00000000001842E5 in module 'hookdll.dll'. Write of address 0000000000000000.

    I think the problem is in your unitHook.pas, in the Create constructor, here:
    Code:
       NewAddr.MovEax:=$B8;
       NewAddr.Addr:=DWORD(NewFunc);
       NewAddr.JmpCode:=$E0FF;
    Can you help me and show how to run this on x64 Windows?

  3. #3
    Grooguz
    I don't know Delphi, but at the moment I can only point out that all this code was written for a 32-bit OS, not for 64-bit. And, as you have already discovered, you got an error. I'll try to find a solution.

  4. #4
    gundulapek
    I have a problem when using 64-bit Windows 7: some DLLs or some functions don't run well.

  5. #5
    Jetus
    According to this from MSDN:
    SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If an application requires the use of hooks in other processes, it is required that a 32-bit application call SetWindowsHookEx to inject a 32-bit DLL into 32-bit processes, and a 64-bit application call SetWindowsHookEx to inject a 64-bit DLL into 64-bit processes. The 32-bit and 64-bit DLLs must have different names.
    So there must be two versions of the DLL: 32-bit and 64-bit.
    The 32-bit version works well on 32-bit Windows, but the 64-bit version does not work (see my previous post).

  6. #6
    misko2k
    Has anyone got it working on a 64-bit platform?
