HOOK监控任务管理器

HOOK监控任务管理器

思路：其实比较简单，还是利用DLL，首写跟据API函数OpenProcess与TerminateProcess的结构自已编写两个与这两个API一样的函数，再利用GetProcAddress获取系统的那两个API函数入口地址，最后用WriteProcessMemory将你写的函数的地址替换掉原来系统的函数地址。这样所有调用这两系统API都将先执行你的函数。

如果只Hook其中一个函数比如只hook OpenProcess的话那么任务管理器将不能获取到你的进程信息那么会出错。如果只hook TerminateProcess那样也不行，因为一个进程的句柄在本进程与别的进程中是不一样的，所以如果你不知道自已进程在别人进程中的句柄那么是没办法hook TerminateProcess的。

本例中首先利用OpenProcess获取自已在别的进程中的句柄，然后hook TerminateProcess进程监控，如果发现有程序调用TerminateProcess并且所结束的对象正是自已，那么就给出提示窗口。

貌似讲了一大堆废话。。。还是看代码直接

------------------------------------------------调用部分

unit Unit1;

interface

uses

Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,

Dialogs, StdCtrls;

type

TForm1 = class(TForm)

Button1: TButton;

Button2: TButton;

procedure Button1Click(Sender: TObject);

procedure Button2Click(Sender: TObject);

private

{ Private declarations }

public

{ Public declarations }

end;

var

Form1: TForm1;

procedure StartHook(pid: DWORD); stdcall; external 'hookdll.dll';

procedure EndHook; stdcall; external 'hookdll.dll';

implementation

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);

begin

StartHook(GetCurrentProcessId);

end;

procedure TForm1.Button2Click(Sender: TObject);

begin

EndHook;

end;

end.

-----------------------------------------------------------------------------------------

DLL文件，全部实现都在这里

--------------------- Hookdll.dpr

library Hookdll;

uses

SysUtils,

Classes,

Windows,Dialogs,

unitHook in 'unitHook.pas';

const

HOOK_MEM_FILENAME = 'tmp.hkt';

var

hhk: HHOOK;

Hook: array[0..2] of TNtHookClass;

//内存映射

MemFile: THandle;

startPid: PDWORD; //保存PID

fhProcess: THandle; //保存本进程在远程进程中的句柄

//拦截 OpenProcess

function NewOpenProcess(dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THand le; stdcall;

type

TNewOpenProcess = function (dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): T Handle; stdcall;

begin

if startPid^ = dwProcessId then begin

Hook[1].UnHook;

Result := TNewOpenProcess(Hook[1].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);

fhProcess:=Result;

Hook[1].Hook;

exit;

end;

Hook[1].UnHook;

Result := TNewOpenProcess(Hook[1].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);

Hook[1].Hook;

end;

function NewTerminateProcess(hProcess: THandle;uExitCode: UINT): BOOL; Stdcall;

type

TNewTerminateProcess = function (hProcess: THandle;uExitCode: UINT): BOOL; Stdcall;

begin

if fhProcess = hProcess then begin

showmessage('不准关闭我！');

result := true;

exit;

end;

Hook[2].UnHook;

Result := TNewTerminateProcess(Hook[2].BaseAddr)(hProcess, uExitCode );

Hook[2].Hook;

end;

procedure InitHook; //安装 Hook

begin

Hook[1] := TNtHookClass.Create('kernel32.dll', 'OpenProcess', @NewOpenProcess);

hook[2] := TNtHookClass.Create('kernel32.dll', 'TerminateProcess', @NewTerminateProcess);

end;

procedure UninitHook; //删除 Hook

var

I: Integer;

begin

for I := 0 to High(Hook) do

begin

FreeAndNil(Hook[I]);

end;

end;

procedure MemShared();

begin

MemFile:=OpenFileMapping(FILE_MAP_ALL_ACCESS,False, HOOK_MEM_FILENAME); //打开内存映射文件