“ 屏幕取詞”的實(shí)現(xiàn)
//-----------------------------------------------------------------
1 用SetWindowsHookEx()安裝鼠標(biāo)鉤子MouseProc�����;
2 在屏幕上移動(dòng)鼠標(biāo)時(shí)�,系統(tǒng)就會(huì)調(diào)用鼠標(biāo)鉤子MouseProc;
3 進(jìn)入MouseProc���,獲得鼠標(biāo)的坐標(biāo)(x,y)����,
設(shè)置對(duì)TextOut()�����、ExtTextOut()等的跟蹤程序,
用invalidateRect()告訴系統(tǒng)該點(diǎn)(x,y)“失效”����;
4
系統(tǒng)發(fā)出WM_PAINT消息,指示該點(diǎn)(x,y)處的應(yīng)用程序重繪“失效”的區(qū)域�����。
5 負(fù)責(zé)繪制該點(diǎn)()的應(yīng)用程序在受到 WM_PAINT 消息后�����, 就有機(jī)會(huì)調(diào)用
TextOut()�����、 ExtTextOut()等函數(shù)��。
6 調(diào)用的函數(shù)被攔截進(jìn)入跟蹤程序:設(shè)置好了的跟蹤程序截獲了該次調(diào)用���,
從應(yīng)用程序的堆棧中取出 該點(diǎn)(x,y)“文字”的指針;
7 從應(yīng)用程序的數(shù)據(jù)段中將“文字”指針的內(nèi)容取出�,即完成了一次“屏幕
抓字”;
8 退出跟蹤程序�,返回到鼠標(biāo)鉤子MouseProc;
9 在MouseProc中解除對(duì)TextOut() ExtTextOut()的跟蹤;
10 退出MouseProc鼠標(biāo)鉤子程序����,控制權(quán)交給系統(tǒng)。
11 在屏幕上移動(dòng)鼠標(biāo)��,開(kāi)始下一次“屏幕抓字”��,返回步驟2�����。
//-----------------------------------------------------------------
Dll工程.
GetWordDll.dpr
//-----------------------------------------------------------------------------------
library GetWordDll;
uses
Windows,
SysUtils,
Classes,
UnitHookDll in 'UnitHookDll.pas',
UnitNt2000Hook in 'UnitNt2000Hook.pas',
UnitHookType in 'UnitHookType.pas';
exports
StartHook,
StopHook,
// MouseWndProc,
{以下導(dǎo)出列表都是必須的�����,
不能少�,因?yàn)槌绦蛞∑涞刂穧
NewBeginPaint,
NewCreateCompatibleDC,
NewTextOutA,
NewTextOutW,
NewExtTextOutA,
NewExtTextOutW,
NewDrawTextA,
NewDrawTextW;
begin
end.
UnitHookType.pas
unit UnitHookType;
interface
uses windows, messages;
const
MaxStringLen = 100;
WM_MOUSEPT = WM_USER + 1138;
MappingFileName = 'GetWord32 for 9x NT 2000';
fBeginPaint=0;
fGetWindowDC=1;
fGetDC=2;
fCreateCompatibleDC=3;
fTextOutA=4;
fTextOutW=5;
fExtTextOutA=6;
fExtTextOutW=7;
fDrawTextA=8;
fDrawTextW=9;
type
PPointer = ^Pointer;
TShareMem = packed record
hProcWnd: HWND; {主應(yīng)用窗口句柄}
hHookWnd: HWND; {鼠標(biāo)所在窗口}
pMouse: TPoint; {鼠標(biāo)信息}
DCMouse,DCCompatible: HDC;
fTimerID: integer;
fStrMouseQueue: array[0..MaxStringLen] of Char; {鼠標(biāo)信息串}
nTimePassed: integer; {鼠標(biāo)停留的時(shí)間}
bCanSpyNow: Boolean; {開(kāi)始取詞}
Text: array[0..MaxStringLen] of Char; {字符串}
end;
PShareMem = ^TShareMem;
implementation
end.
UnitNt2000Hook.pas
//-----------------------------------------------------------------------------------
unit UnitNt2000Hook;
interface
uses classes, Windows,SysUtils, messages,dialogs;
type
TImportCode = packed record
JumpInstruction: Word;
AddressOfPointerToFunction: PPointer;
end;
PImportCode = ^TImportCode;
PImage_Import_Entry = ^Image_Import_Entry;
Image_Import_Entry = record
Characteristics: DWORD;
TimeDateStamp: DWORD;
MajorVersion: Word;
MinorVersion: Word;
Name: DWORD;
LookupTable: DWORD;
end;
TLongJmp = packed record
JmpCode: ShortInt; {指令,用$E9來(lái)代替系統(tǒng)的指令}
FuncAddr: DWORD; {函數(shù)地址}
end;
THookClass = class
private
Trap:boolean; {調(diào)用方式:True陷阱式���,F(xiàn)alse改引入表式}
hProcess: Cardinal; {進(jìn)程句柄����,只用于陷阱式}
AlreadyHook:boolean; {是否已安裝Hook����,只用于陷阱式}
AllowChange:boolean; {是否允許安裝���、卸載Hook,只用于改引入表式}
Oldcode: array[0..4]of byte; {系統(tǒng)函數(shù)原來(lái)的前5個(gè)字節(jié)}
Newcode: TLongJmp; {將要寫(xiě)在系統(tǒng)函數(shù)的前5個(gè)字節(jié)}
private
public
OldFunction,NewFunction:Pointer;{被截函數(shù)�、自定義函數(shù)}
constructor Create(IsTrap:boolean;OldFun,NewFun:pointer);
constructor Destroy;
procedure Restore;
procedure Change;
published
end;
implementation
{取函數(shù)的實(shí)際地址。如果函數(shù)的第一個(gè)指令是Jmp�,則取出它的跳轉(zhuǎn)地址(實(shí)際地址),這往往是由于程序中含有Debug調(diào)試信息引起的}
function FinalFunctionAddress(Code: Pointer): Pointer;
Var
func: PImportCode;
begin
Result:=Code;
if Code=nil then exit;
try
func:=code;
if (func.JumpInstruction=$25FF) then
{指令二進(jìn)制碼FF 25 匯編指令jmp [...]}
Func:=func.AddressOfPointerToFunction^;
result:=Func;
except
Result:=nil;
end;
end;
{更改引入表中指定函數(shù)的地址���,只用于改引入表式}
function PatchAddressInModule(BeenDone:Tlist;hModule: THandle; OldFunc,NewFunc: Pointer):integer;
const
SIZE=4;
Var
Dos: PImageDosHeader; //DOS頭
NT: PImageNTHeaders; //PE頭
ImportDesc: PImage_Import_Entry;//輸入表
rva: DWORD; //RVA
Func: PPointer; //
DLL: String;
f: Pointer;
written: DWORD;
mbi_thunk:TMemoryBasicInformation;
dwOldProtect:DWORD;
begin
Result:=0;
if hModule=0 then exit;
Dos:=Pointer(hModule);
{如果這個(gè)DLL模塊已經(jīng)處理過(guò)�,則退出��。BeenDone包含已處理的DLL模塊}
if BeenDone.IndexOf(Dos)>=0 then exit;
BeenDone.Add(Dos);{把DLL模塊名加入BeenDone}
OldFunc:=FinalFunctionAddress(OldFunc);{取函數(shù)的實(shí)際地址}
{如果這個(gè)DLL模塊的地址不能訪問(wèn)���,則退出}
if IsBadReadPtr(Dos,SizeOf(TImageDosHeader)) then exit;
{如果這個(gè)模塊不是以'MZ'開(kāi)頭����,表明不是DLL�,則退出}
if Dos.e_magic<>IMAGE_DOS_SIGNATURE then exit;{IMAGE_DOS_SIGNATURE='MZ'}//檢查數(shù)字簽名,最好再檢查一下PE
{定位至NT Header}
NT :=Pointer(Integer(Dos) + dos._lfanew);
{定位至引入函數(shù)表}
RVA:=NT^.OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;//導(dǎo)入表
if RVA=0 then exit;{如果引入函數(shù)表為空,則退出}
{把函數(shù)引入表的相對(duì)地址RVA轉(zhuǎn)換為絕對(duì)地址}
ImportDesc := pointer(DWORD(Dos)+RVA);{Dos是此DLL模塊的首地址}//RVA->VA
{遍歷所有被引入的下級(jí)DLL模塊}
While (ImportDesc^.Name<>0) do
begin
{被引入的下級(jí)DLL模塊名字}
DLL:=PChar(DWORD(Dos)+ImportDesc^.Name);
{把被導(dǎo)入的下級(jí)DLL模塊當(dāng)做當(dāng)前模塊��,進(jìn)行遞歸調(diào)用}
PatchAddressInModule(BeenDone,GetModuleHandle(PChar(DLL)),OldFunc,NewFunc);
{定位至被引入的下級(jí)DLL模塊的函數(shù)表}
Func:=Pointer(DWORD(DOS)+ImportDesc.LookupTable);
{遍歷被引入的下級(jí)DLL模塊的所有函數(shù)}
While Func^<>nil do
begin
f:=FinalFunctionAddress(Func^);{取實(shí)際地址}
if f=OldFunc then {如果函數(shù)實(shí)際地址就是所要找的地址}
begin
VirtualQuery(Func,mbi_thunk, sizeof(TMemoryBasicInformation));
VirtualProtect(Func,SIZE,PAGE_EXECUTE_WRITECOPY,mbi_thunk.Protect);{更改內(nèi)存屬性}
WriteProcessMemory(GetCurrentProcess,Func,@NewFunc,SIZE,written);{把新函數(shù)地址覆蓋它}
VirtualProtect(Func, SIZE, mbi_thunk.Protect,dwOldProtect);{恢復(fù)內(nèi)存屬性}
end;
If Written=4 then Inc(Result);
// else showmessagefmt('error:%d',[Written]);
Inc(Func);{下一個(gè)功能函數(shù)}
end;
Inc(ImportDesc);{下一個(gè)被引入的下級(jí)DLL模塊}
end;
end;
{HOOK的入口����,其中IsTrap表示是否采用陷阱式}
constructor THookClass.Create(IsTrap:boolean;OldFun,NewFun:pointer);
begin
{求被截函數(shù)、自定義函數(shù)的實(shí)際地址}
OldFunction:=FinalFunctionAddress(OldFun);
NewFunction:=FinalFunctionAddress(NewFun);
Trap:=IsTrap;
if Trap then{如果是陷阱式}
begin
{以特權(quán)的方式來(lái)打開(kāi)當(dāng)前進(jìn)程}
hProcess := OpenProcess(PROCESS_ALL_ACCESS,FALSE, GetCurrentProcessID);
{生成jmp xxxx的代碼�����,共5字節(jié)}
Newcode.JmpCode := ShortInt($E9); {jmp指令的十六進(jìn)制代碼是E9}
NewCode.FuncAddr := DWORD(NewFunction) - DWORD(OldFunction) - 5;
{保存被截函數(shù)的前5個(gè)字節(jié)}
move(OldFunction^,OldCode,5);
{設(shè)置為還沒(méi)有開(kāi)始HOOK}
AlreadyHook:=false;
end;
{如果是改引入表式����,將允許HOOK}
if not Trap then AllowChange:=true;
Change; {開(kāi)始HOOK}
{如果是改引入表式,將暫時(shí)不允許HOOK}
if not Trap then AllowChange:=false;
end;
{HOOK的出口}
constructor THookClass.Destroy;
begin
{如果是改引入表式����,將允許HOOK}
if not Trap then AllowChange:=true;
Restore; {停止HOOK}
if Trap then{如果是陷阱式}
CloseHandle(hProcess);
end;
{開(kāi)始HOOK}
procedure THookClass.Change;
var
nCount: DWORD;
BeenDone: TList;
begin
if Trap then{如果是陷阱式}
begin
if (AlreadyHook)or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
exit;
AlreadyHook:=true;{表示已經(jīng)HOOK}
WriteProcessMemory(hProcess, OldFunction, @(Newcode), 5, nCount);
end
else begin{如果是改引入表式}
if (not AllowChange)or(OldFunction=nil)or(NewFunction=nil)then exit;
BeenDone:=TList.Create; {用于存放當(dāng)前進(jìn)程所有DLL模塊的名字}
try
PatchAddressInModule(BeenDone,GetModuleHandle(nil),OldFunction,NewFunction);
finally
BeenDone.Free;
end;
end;
end;
{恢復(fù)系統(tǒng)函數(shù)的調(diào)用}
procedure THookClass.Restore;
var
nCount: DWORD;
BeenDone: TList;
begin
if Trap then{如果是陷阱式}
begin
if (not AlreadyHook) or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
exit;
WriteProcessMemory(hProcess, OldFunction, @(Oldcode), 5, nCount);
AlreadyHook:=false;{表示退出HOOK}
end
else begin{如果是改引入表式}
if (not AllowChange)or(OldFunction=nil)or(NewFunction=nil)then exit;
BeenDone:=TList.Create;{用于存放當(dāng)前進(jìn)程所有DLL模塊的名字}
try
PatchAddressInModule(BeenDone,GetModuleHandle(nil),NewFunction,OldFunction);
finally
BeenDone.Free;
end;
end;
end;
end
