在函数 TCnInProcessAPIHook.OnHookProc 中,获取 API 参数指针时是通过 ESP+Offset 计算的,而这个 Offset 会随编译器而变化,并不固定。我修改了一下结构定义和部分代码,应该没啥问题,请作为参考。
1、DynamicCode结构定义修改见[+]
DynamicCode = packed record
  // Executable thunk: the fields up to RetXX are laid out byte-for-byte as
  // x86 machine code, followed by data slots the code refers to by absolute
  // address. Field order and packing ARE the instruction encoding; do not
  // reorder or unpack. Filled in by TCnHookAddress.InitHook.
  mov: Word;            // 89 25          MOV [disp32], ESP
  EspConst: DWORD;      //++++ disp32 = address of ParamEsp below
  Push: Byte;           // 68             PUSH imm32
  Self: DWORD;          // imm32 = the hook object written by InitHook
  Call: Word;           // FF 15          CALL [disp32]
  CallAddr: Pointer;    // disp32 = address of EventAddr below
  RetCode: Byte;        // C2             RET imm16
  RetXX: WORD;          // imm16 = number of argument bytes to pop on return
  EventAddr: Pointer;   // data: target of the indirect CALL (DoOnHookProc)
  ExtraData: Pointer;   // data: extra data copied from the hook object
  ParamEsp: DWORD;      //++++ data: ESP captured at thunk entry by the MOV above
                        // NOTE(review): this is one slot per hook, shared by all
                        // threads and by re-entrant calls, so a second call can
                        // overwrite it before OnHookProc reads it — confirm the
                        // hooked API is not entered concurrently, or serialise.
end;
2、procedure TCnHookAddress.InitHook修改见[+]
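procedure TCnHookAddress.InitHook;
var
  FDynamicCode: PDynamicCode;
  Mark: packed array[0..1] of DWORD; // 8-byte hook mark: process pseudo-handle, then hooked address
begin
  // Patch the hooked address with a short JMP into the thunk built below.
  FHooker.Style := HT_SHORT_JMP;

  // Allocate the thunk. It is executable code that also stores ESP into its
  // own ParamEsp slot on every call, so the page must stay writable AND
  // executable; an RW-then-RX VirtualProtect would break the MOV below.
  FDynamicCode := VirtualAlloc(nil, SizeOf(DynamicCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if FDynamicCode = nil then
    RaiseLastOSError; // previously a nil dereference here raised an access violation

  // Handler reached through the indirect CALL below.
  FDynamicCode^.EventAddr := @DoOnHookProc;

  // Emit the thunk, one field per instruction (layout is fixed by DynamicCode):
  //   MOV  [ParamEsp], ESP     ; 89 25 disp32  capture the caller's ESP   ++++
  //   PUSH Self                ; 68 imm32
  //   CALL [EventAddr]         ; FF 15 disp32
  //   RET  FRetCount*4         ; C2 imm16      pop the argument bytes
  FDynamicCode^.mov := $2589;                                 //++++
  FDynamicCode^.EspConst := DWORD(@FDynamicCode^.ParamEsp);   //++++
  FDynamicCode^.Push := $68;
  FDynamicCode^.Self := DWORD(Self);
  FDynamicCode^.Call := $15FF;
  FDynamicCode^.CallAddr := @FDynamicCode^.EventAddr;
  FDynamicCode^.RetCode := $C2;
  FDynamicCode^.RetXX := FRetCount * 4;
  FDynamicCode^.ExtraData := FExtraData;
  // NOTE(review): ParamEsp is a single slot shared by every thread (and by
  // re-entrant calls) passing through this thunk; a second entry can overwrite
  // it between the MOV and the read in OnHookProc. Confirm the hooked API is
  // only entered from one thread at a time, or capture ESP on the stack instead.

  // Install the thunk as the hook target.
  FHooker.Event := FDynamicCode;

  // Build the 8-byte hook mark straight from the two DWORDs. The previous
  // version concatenated two zero-based AnsiChar arrays into an AnsiString,
  // which stops at the first #0 byte; an address such as $00401000 then
  // yields a mark shorter than the 8 bytes copied out of it (over-read).
  Mark[0] := GetCurrentProcess;            // pseudo-handle of this process
  Mark[1] := DWORD(Self.InstructionAddr);  // address being hooked
  CopyMemory(@FHookMark[0], @Mark[0], SizeOf(Mark));
end;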
3、function TCnInProcessAPIHook.OnHookProc修改见[+]
if Assigned(OBJ.FOnAPIHookProc) then
begin
// asm //不需要了 ----------
// mov AESP, ESP
// end;
Param := Pointer(Data.ParamEsp+4);//++++++++++++++
// Param := Pointer(DWORD(AESP) + $60); //参数开始,此处随编译器变动而变//不需要了 ---------
SetLength(Params, OBJ.ParamCount); //设置参数个数