进程防杀delphi版(DLL部分)
自己程序中的一段代码,进程防杀。根据网上面流传的进程防杀的C++代码改编。
DLL部分:
PIMAGE_IMPORT_DESCRIPTOR = ^_IMAGE_IMPORT_DESCRIPTOR;
PImageImportDescriptor = PIMAGE_IMPORT_DESCRIPTOR;
_IMAGE_IMPORT_DESCRIPTOR = packed record
CharacteristicsOrOriginalFirstThunk: DWord;
TimeDateStamp: DWord;
ForwarderChain: DWord;
Name: DWord;
FirstThunk: DWord;
end;
PIMAGE_THUNK_DATA = ^_IMAGE_THUNK_DATA;
PImageThunkData = PIMAGE_THUNK_DATA;
_IMAGE_THUNK_DATA = packed record
Case Integer of
0 : (ForwarderString: DWord);
1 : (Function_: DWord);
2 : (Ordinal: DWord);
3 : (AddressOfData: DWord);
end;
var
OriginalOpenProcess : function (dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall;
function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer;
var
pfnOriginalProc: Pointer;
pDosHeader: PImageDosHeader;
pNTHeader: PImageNtHeaders;
pImportDesc: PImageImportDescriptor;
pThunk: PImageThunkData;
dwProtectionFlags,dwScratch: DWORD;
pszModName: PAnsiChar;
begin
Result := nil;
pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule),
pszFunctionName);
pDosHeader := PImageDosHeader(hFromModule);
pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^._lfanew));
pImportDesc := PImageImportDescriptor(DWORD(pDosHeader)+
DWORD(pNTHeader^.OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
VirtualAddress));
while pImportDesc^.Name <> 0 do
begin
pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name)));
if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break;
Inc(pImportDesc);
end;
if pImportDesc^.Name = 0 then Exit;
pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk));
while pThunk^.Function_ <> 0 do
begin
if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then
begin
dwProtectionFlags := PAGE_READWRITE;
VirtualProtect(@pThunk^.Function_,4096,dwProtectionFlags,@dwScratch);
pThunk^.Function_ := DWORD(pfnNewProc);
Result := pfnOriginalProc ;
Break;
end;
Inc(pThunk);
end;
end;
function OpenProcessHandler(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall;
begin
Result := OriginalOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
if (dwProcessID = PID) and (PID <> 0) then Result := 0;
end;
//防杀的进程ID,从注册表中获得
procedure GetHookProcessID;
var
TempKey: HKEY;
DataType,Size: Integer;
begin
PID := 0;
Size := Sizeof(Integer);
if RegOpenKeyEx(HKEY_LOCAL_MACHINE,’Software\Vssoft’, 0,KEY_READ,
TempKey) = ERROR_SUCCESS then
begin
RegQueryValueEx(TempKey,’ProcessID’,nil,@DataType,PByte(@PID),@Size);
RegCloseKey(TempKey);
end;
end;
function HookOpenProcess(nCode: Integer;wParam: WPARAM;lParam: LPARAM): LRESULT;stdcall;
begin
GetHookProcessID;
if not Assigned(OriginalOpenProcess) then
OriginalOpenProcess := HookAPIFunction(GetModuleHandle(nil),
’KERNEL32.DLL’,’OpenProcess’,@OpenProcessHandler);
Result := 0;
end;
exports
HookOpenProcess;
DLL部分:
PIMAGE_IMPORT_DESCRIPTOR = ^_IMAGE_IMPORT_DESCRIPTOR;
PImageImportDescriptor = PIMAGE_IMPORT_DESCRIPTOR;
_IMAGE_IMPORT_DESCRIPTOR = packed record
CharacteristicsOrOriginalFirstThunk: DWord;
TimeDateStamp: DWord;
ForwarderChain: DWord;
Name: DWord;
FirstThunk: DWord;
end;
PIMAGE_THUNK_DATA = ^_IMAGE_THUNK_DATA;
PImageThunkData = PIMAGE_THUNK_DATA;
_IMAGE_THUNK_DATA = packed record
Case Integer of
0 : (ForwarderString: DWord);
1 : (Function_: DWord);
2 : (Ordinal: DWord);
3 : (AddressOfData: DWord);
end;
var
OriginalOpenProcess : function (dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall;
function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer;
var
pfnOriginalProc: Pointer;
pDosHeader: PImageDosHeader;
pNTHeader: PImageNtHeaders;
pImportDesc: PImageImportDescriptor;
pThunk: PImageThunkData;
dwProtectionFlags,dwScratch: DWORD;
pszModName: PAnsiChar;
begin
Result := nil;
pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule),
pszFunctionName);
pDosHeader := PImageDosHeader(hFromModule);
pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^._lfanew));
pImportDesc := PImageImportDescriptor(DWORD(pDosHeader)+
DWORD(pNTHeader^.OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
VirtualAddress));
while pImportDesc^.Name <> 0 do
begin
pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name)));
if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break;
Inc(pImportDesc);
end;
if pImportDesc^.Name = 0 then Exit;
pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk));
while pThunk^.Function_ <> 0 do
begin
if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then
begin
dwProtectionFlags := PAGE_READWRITE;
VirtualProtect(@pThunk^.Function_,4096,dwProtectionFlags,@dwScratch);
pThunk^.Function_ := DWORD(pfnNewProc);
Result := pfnOriginalProc ;
Break;
end;
Inc(pThunk);
end;
end;
function OpenProcessHandler(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall;
begin
Result := OriginalOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
if (dwProcessID = PID) and (PID <> 0) then Result := 0;
end;
//防杀的进程ID,从注册表中获得
procedure GetHookProcessID;
var
TempKey: HKEY;
DataType,Size: Integer;
begin
PID := 0;
Size := Sizeof(Integer);
if RegOpenKeyEx(HKEY_LOCAL_MACHINE,’Software\Vssoft’, 0,KEY_READ,
TempKey) = ERROR_SUCCESS then
begin
RegQueryValueEx(TempKey,’ProcessID’,nil,@DataType,PByte(@PID),@Size);
RegCloseKey(TempKey);
end;
end;
function HookOpenProcess(nCode: Integer;wParam: WPARAM;lParam: LPARAM): LRESULT;stdcall;
begin
GetHookProcessID;
if not Assigned(OriginalOpenProcess) then
OriginalOpenProcess := HookAPIFunction(GetModuleHandle(nil),
’KERNEL32.DLL’,’OpenProcess’,@OpenProcessHandler);
Result := 0;
end;
exports
HookOpenProcess;
推荐分享
图文皆来源于网络,内容仅做公益性分享,版权归原作者所有,如有侵权请告知删除!
Copyright © 2014 DelphiW.com 开发 源码 文档 技巧 All Rights Reserved
晋ICP备14006235号-8 晋公网安备 14108102000087号
执行时间: 0.125981092453 seconds