unit Unit1;
interface
uses
Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls;
type
{ Demo form with two buttons: Button1 calls MessageBoxA directly, Button2
  installs the in-process patch on MessageBoxA (see HookMsg) so that a later
  Button1 click is diverted to msgbox. }
TForm1 = class(TForm)
  Button1: TButton;  // "hello world" message box (Button1Click)
  Button2: TButton;  // installs the hook (Button2Click -> HookMsg)
  procedure Button1Click(Sender: TObject);
  procedure Button2Click(Sender: TObject);
private
  { Private declarations }
public
  { Public declarations }
end;
var
  Form1: TForm1;
  { Address of user32!MessageBoxA as returned by GetProcAddress in HookMsg.
    Both the patch (HookMsg) and the restore loop (msgbox) index from it. }
  KerFunProc:pointer;
  { Copy of the first 5 bytes of MessageBoxA, saved by HookMsg before the
    JMP is written and written back by msgbox.
    NOTE(review): the name shadows the standard Read procedure; a name such
    as SavedBytes would avoid confusion. }
  read: array[0..4] of Byte;
implementation
{$R *.dfm}
{ Shows a plain "hello world" message box with no caption. Once HookMsg has
  patched MessageBoxA, the first call after the patch lands in msgbox instead. }
procedure TForm1.Button1Click(Sender: TObject);
begin
  MessageBoxA(0, 'hello world', nil, MB_OK);
end;
{ Replacement for MessageBoxA. HookMsg writes a JMP to this routine over the
  first 5 bytes of MessageBoxA, so a call to MessageBoxA in this process lands
  here. The signature and calling convention (stdcall) must match MessageBoxA
  exactly, because the caller's arguments are already on the stack.
  Steps: (1) write the 5 saved bytes back over the JMP, (2) call the now
  restored MessageBoxA with the text replaced. Nothing re-installs the JMP
  afterwards, so the hook is one-shot: only the first intercepted call is
  diverted; later calls reach MessageBoxA unchanged.
  NOTE(review): the return value of WriteProcessMemory and retn are never
  checked, so a failed write leaves the prologue partially restored and the
  call below would re-enter this routine. }
function msgbox(hWnd: HWND; lpText, lpCaption: pansichar; uType: UINT): Integer; stdcall;
var
  I: Integer;    // loop counter; one byte is written back per iteration
  reads: byte;   // the saved byte currently being written back
  retn: size_t;  // bytes actually written (unchecked)
begin
  // Restore the original prologue so the call below reaches the real API.
  // cardinal arithmetic assumes 32-bit pointers; it truncates on 64-bit builds.
  for I := 1 to 5 do
  begin
    reads := read[I - 1]; // array is 0-based while I starts at 1
    WriteProcessMemory(GetCurrentProcess(), Pointer(cardinal(KerFunProc) + I - 1), Pointer(@reads), 1, retn);
  end;
  // lpText is discarded; caption and flags are forwarded unchanged.
  result:=MessageBoxA(hwnd,'被我HOOK住了!',lpCaption,utype);
end;
{ Patches the entry of user32!MessageBoxA in this process with a 5-byte
  relative JMP (opcode $E9 + rel32) to msgbox. The original first 5 bytes are
  saved in the global "read" so msgbox can put them back. The displacement is
  target - (patch address + 5), i.e. relative to the end of the JMP.
  Limitations visible here: the cardinal casts assume 32-bit addresses, and
  the return values of Read/WriteProcessMemory and "retn" are never checked,
  so a failed write goes unnoticed.
  From a defender's view this is what inline-hook scanners detect: the
  in-memory prologue of the export no longer matches the module on disk. }
procedure HookMsg();
var
  retn: size_t;      // bytes transferred by Read/WriteProcessMemory (unchecked)
  jmp:byte;          // $E9 = opcode of the near relative JMP
  lengths:cardinal;  // rel32 displacement from the end of the JMP to msgbox
begin
  // Resolve the address of the API to patch.
  KerFunProc := GetProcAddress(LoadLibrary(pchar('user32.dll')), pchar('MessageBoxA'));
  // Save the first 5 bytes so msgbox can restore them.
  ReadProcessMemory(GetCurrentProcess(), Pointer(KerFunProc), Pointer(@read), 5, retn);
  jmp:=$E9;
  lengths := cardinal(@msgbox)-cardinal(KerFunProc)-5;
  // Write the opcode first, then the 4-byte displacement right after it.
  WriteProcessMemory(GetCurrentProcess(), Pointer(KerFunProc), Pointer(@jmp), 1, retn);
  WriteProcessMemory(GetCurrentProcess(), Pointer(cardinal(KerFunProc)+1), pointer(@lengths), 4, retn);
end;
{ Installs the MessageBoxA patch; HookMsg describes exactly what is written. }
procedure TForm1.Button2Click(Sender: TObject);
begin
  HookMsg;
end;
end.