下面是我自己的代码库很短的例子显示了最基本的挂钩技术:
unit MethodHooker;
interface
implementation
uses
SysUtils, Windows, Classes;
procedure Patch(Address: Pointer; const NewCode; Size: Integer);
var
NumberOfBytes: DWORD;
begin
WriteProcessMemory(GetCurrentProcess, Address, @NewCode, Size, NumberOfBytes);
end;
type
PInstruction = ^TInstruction;
TInstruction = packed record
Opcode: Byte;
Offset: Integer;
end;
procedure Redirect(OldAddress, NewAddress: Pointer);
var
NewCode: TInstruction;
begin
NewCode.Opcode := $E9;//jump relative
NewCode.Offset := Integer(NewAddress)-Integer(OldAddress)-SizeOf(NewCode);
Patch(OldAddress, NewCode, SizeOf(NewCode));
end;
function GetCursorPos(var lpPoint: TPoint): BOOL; stdcall;
(* The GetCursorPos API in user32 fails if it is passed a memory address >2GB which
breaks LARGEADDRESSAWARE apps. We counter this by calling GetCursorInfo instead
which does not suffer from the same problem. *)
var
CursorInfo: TCursorInfo;
begin
CursorInfo.cbSize := SizeOf(CursorInfo);
Result := GetCursorInfo(CursorInfo);
if Result then begin
lpPoint := CursorInfo.ptScreenPos;
end else begin
lpPoint := Point(0, 0);
end;
end;
initialization
if not ModuleIsPackage then begin
if not CheckWin32Version(6, 1) then begin
//this bug was fixed in Windows 7
Redirect(@Windows.GetCursorPos, @MethodHooker.GetCursorPos);
end;
end.
非常漂亮。可以用于邪恶,或者是好的。但非常漂亮。 – 2011-03-17 19:13:34
你从哪里得到NewCode.Opcode值? – mnuzzo 2011-03-17 19:14:07
@mnuzzo Intel x86文档 – 2011-03-17 19:17:06