delphi 检测 IAT HOOK API 的方法
type
PTIMPORT_CODE=^TIMPORT_CODE;
TIMPORT_CODE=packed record
JmpPtr:Word;
PtrAdd:^Pointer;
end;
function SHFormatDrive(hWnd: HWND;
Drive: Word;
fmtID: Word;
Options: Word): Longint
stdcall; external 'Shell32.dll' Name 'SHFormatDrive'; .............................声明一下
function GetAPIAddress(ApiPtr: Pointer): Pointer;
begin
Result := ApiPtr;
if ApiPtr= nil then
exit;
try
if (PTIMPORT_CODE(ApiPtr).JmpPtr = $25FF) then
Result := PTIMPORT_CODE(ApiPtr).PtrAdd^;
except
Result := nil;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
OrgSHFormatDrive: Pointer;
h: Cardinal;
begin
h:=LoadLibrary('Shell32.dll');
OrgSHFormatDrive:=GetProcAddress(h,'SHFormatDrive');
if GetAPIAddress(@SHFormatDrive) <> OrgSHFormatDrive then
begin
Showmessage('IAT HOOK');
end
else
begin
Showmessage('Not IAT HOOK');
end;
FreeLibrary(h);
end;
PTIMPORT_CODE=^TIMPORT_CODE;
TIMPORT_CODE=packed record
JmpPtr:Word;
PtrAdd:^Pointer;
end;
function SHFormatDrive(hWnd: HWND;
Drive: Word;
fmtID: Word;
Options: Word): Longint
stdcall; external 'Shell32.dll' Name 'SHFormatDrive'; .............................声明一下
function GetAPIAddress(ApiPtr: Pointer): Pointer;
begin
Result := ApiPtr;
if ApiPtr= nil then
exit;
try
if (PTIMPORT_CODE(ApiPtr).JmpPtr = $25FF) then
Result := PTIMPORT_CODE(ApiPtr).PtrAdd^;
except
Result := nil;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
OrgSHFormatDrive: Pointer;
h: Cardinal;
begin
h:=LoadLibrary('Shell32.dll');
OrgSHFormatDrive:=GetProcAddress(h,'SHFormatDrive');
if GetAPIAddress(@SHFormatDrive) <> OrgSHFormatDrive then
begin
Showmessage('IAT HOOK');
end
else
begin
Showmessage('Not IAT HOOK');
end;
FreeLibrary(h);
end;
推荐分享
图文皆来源于网络,内容仅做公益性分享,版权归原作者所有,如有侵权请告知删除!
Copyright © 2014 DelphiW.com 开发 源码 文档 技巧 All Rights Reserved
晋ICP备14006235号-8 晋公网安备 14108102000087号
执行时间: 0.046134948730469 seconds