先看看explorer是怎么样来进行文件夹中的文件搜索的:
使用eXeScope打开explorer.exe(资源管理器)程序,查看它的导入表(Import)部分,在它从kernel32.dll导入的函数里找到我们感兴趣的几个:
FindFirstFileW和FindNextFileW两个,OK,就Hook这几个函数。
查看delphi的帮助,可惜只找到FindFirst:
Delphi syntax:
function FindFirst(const Path: string; Attr: Integer; var F: TSearchRec): Integer;
Searches for the first instance of a file name with a given set of attributes in a specified directory.
帮助里没有给出FindFirstFile的声明,怎么办呢?只好到FindFirst的源代码里找了。
在SysUtils单元中,找到FindFirst的定义:
// SysUtils.FindFirst as quoted from the Delphi 7 RTL (Windows branch only):
// a thin wrapper around the kernel32 FindFirstFile API.
//   Path - file name or wildcard pattern to look for
//   Attr - attribute set the caller is willing to accept (fa* constants)
//   F    - receives the search handle, the first match and the exclusion mask
// Returns FindMatchingFile's result on a successful API call (presumably 0 when
// a match was found; that helper is not shown here), otherwise GetLastError.
function FindFirst(const Path: string; Attr: Integer; var F: TSearchRec): Integer;
const
// Attributes that are only reported when the caller explicitly asks for them.
faSpecial = faHidden or faSysFile or faVolumeID or faDirectory;
{$IFDEF MSWINDOWS}
// NOTE: the quote stops before the matching {$ENDIF} and the non-Windows branch.
begin
// Special attributes NOT requested by the caller are the ones to filter out.
F.ExcludeAttr := not Attr and faSpecial;
// PChar(Path) binds to the ANSI entry point, FindFirstFileA (see the
// "external kernel32 name 'FindFirstFileA'" line quoted below).
F.FindHandle := FindFirstFile(PChar(Path), F.FindData);
if F.FindHandle <> INVALID_HANDLE_VALUE then
begin
// FindMatchingFile presumably advances past entries hitting ExcludeAttr; a
// non-zero result means nothing acceptable was found, so the handle is
// released here rather than leaked to the caller.
Result := FindMatchingFile(F);
if Result <> 0 then FindClose(F);
end else
// Read immediately after the failed API call, before any other call can
// overwrite the thread's last-error value.
Result := GetLastError;
end;
哈哈,原来在这里用到了FindFirstFile,继续跟踪FindFirstFile,在Windows单元中,我们找到FindFirstFile:
function FindFirstFile; external kernel32 name 'FindFirstFileA';原来是使用了API FindFirstFileA。注意:Delphi里不带后缀的FindFirstFile绑定的是ANSI版FindFirstFileA,而前面在explorer.exe的导入表里看到的是FindFirstFileW/FindNextFileW,所以真正要Hook的是W版本,而不是Delphi默认绑定的A版本。
定义过程:
function FindFirstFile(lpFileName: PChar; var lpFindFileData: TWIN32FindData): THandle; stdcall;
并且,看到了另外几个:
// Windows.pas (Delphi 7) declarations of the kernel32 directory-enumeration
// APIs. The suffix-less forms take PChar (ANSI in Delphi 7) and, as the
// "external kernel32 name 'FindFirstFileA'" line above shows, bind to the A
// entry points; explorer.exe imports the W forms, which is why those are the
// ones hooked.
//
// NOTE(review): the Ex variants are declared here as returning BOOL while
// FindFirstFile/A/W return THandle; worth checking against WinBase.h before
// hooking the Ex forms, since a search handle is what the caller expects back.
function FindFirstFileEx(lpFileName: PChar; fInfoLevelId: TFindexInfoLevels;
lpFindFileData: Pointer; fSearchOp: TFindexSearchOps; lpSearchFilter: Pointer;
dwAdditionalFlags: DWORD): BOOL; stdcall;
{$EXTERNALSYM FindFirstFileEx}
function FindFirstFileExA(lpFileName: PAnsiChar; fInfoLevelId: TFindexInfoLevels;
lpFindFileData: Pointer; fSearchOp: TFindexSearchOps; lpSearchFilter: Pointer;
dwAdditionalFlags: DWORD): BOOL; stdcall;
{$EXTERNALSYM FindFirstFileExA}
function FindFirstFileExW(lpFileName: PWideChar; fInfoLevelId: TFindexInfoLevels;
lpFindFileData: Pointer; fSearchOp: TFindexSearchOps; lpSearchFilter: Pointer;
dwAdditionalFlags: DWORD): BOOL; stdcall;
{$EXTERNALSYM FindFirstFileExW}
// Search-handle returning forms: the handle is later passed to FindNextFile*
// and compared with INVALID_HANDLE_VALUE (see SysUtils.FindFirst above).
function FindFirstFile(lpFileName: PChar; var lpFindFileData: TWIN32FindData): THandle; stdcall;
{$EXTERNALSYM FindFirstFile}
function FindFirstFileA(lpFileName: PAnsiChar; var lpFindFileData: TWIN32FindDataA): THandle; stdcall;
{$EXTERNALSYM FindFirstFileA}
function FindFirstFileW(lpFileName: PWideChar; var lpFindFileData: TWIN32FindDataW): THandle; stdcall;
{$EXTERNALSYM FindFirstFileW}
// Continuation forms: take the handle from FindFirstFile* and fill the next entry.
function FindNextFile(hFindfile: THandle; var lpFindFileData: TWIN32FindData): BOOL; stdcall;
{$EXTERNALSYM FindNextFile}
function FindNextFileA(hFindfile: THandle; var lpFindFileData: TWIN32FindDataA): BOOL; stdcall;
{$EXTERNALSYM FindNextFileA}
function FindNextFileW(hFindfile: THandle; var lpFindFileData: TWIN32FindDataW): BOOL; stdcall;
{$EXTERNALSYM FindNextFileW}
好了,有了这些就够了!不过,我在Windows 2000下测试没有通过,以为Windows 2000下的explorer.exe不仅仅是通过FindFirstFileW来枚举文件,所以多Hook了几个函数,还是不行,不知道为什么?Windows XP下测试通过!(一个可能的原因:下面这种改写导入表的Hook只能拦截explorer.exe自己导入表里的那些调用;如果枚举是在进程内加载的其他DLL里完成的,或者函数地址是用GetProcAddress动态取得的,这种Hook就拦不到,需要对进程内的各个模块分别处理。)
先写一个接收Hook到的文件信息的程序,很简单(用WM_COPYDATA实现两个应用程序之间的信息传递):
unit MainFrn;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
type
// Receiver window: the hook DLL running inside explorer.exe reports each
// enumerated file name via WM_COPYDATA and this form lists what arrives.
TMainForm = class(TForm)
FileLstBox: TListBox;   // one line per received file name
StatLabel: TLabel;      // shows the most recently received message
private
{ Private declarations }
// WM_COPYDATA handler. Note that any process on the desktop can send this
// message to the window, not only the hook DLL, so the payload is untrusted.
procedure WMCopyData ( Var Msg : TWMCopyData );message WM_COPYDATA;
public
{ Public declarations }
end;
var
// Global form instance; presumably auto-created by the project file (not shown).
MainForm: TMainForm;
implementation
{$R *.dfm}
{ TMainForm }
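// Handles WM_COPYDATA: appends the received file name to FileLstBox and
// echoes it in StatLabel.
//   Msg - the message record; Msg.CopyDataStruct^.lpData holds the sender's
//         bytes and cbData their length.
// WM_COPYDATA can be sent by any process that can find this window, not only
// by the hook DLL inside explorer.exe, so lpData is untrusted input: it need
// not be NUL-terminated and must only be read within cbData bytes. The
// original StrPas(lpData) scanned for a NUL with no bound at all.
procedure TMainForm.WMCopyData(var Msg: TWMCopyData);
var
  Data: PCopyDataStruct;
  Buf: PChar;
  Len: Cardinal;
  Received: string;
begin
  Data := Msg.CopyDataStruct;
  // Ignore malformed or empty messages instead of dereferencing them.
  if (Data = nil) or (Data^.lpData = nil) or (Data^.cbData = 0) then
    Exit;
  Buf := PChar(Data^.lpData);
  // Take bytes up to the first NUL (as StrPas did) but never beyond cbData.
  Len := 0;
  while (Len < Data^.cbData) and (Buf[Len] <> #0) do
    Inc(Len);
  SetString(Received, Buf, Len);
  FileLstBox.Items.Add(Received);
  StatLabel.Caption := 'Receive Message:' + Received;
end;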
end.
必须有一个DLL文件注入到explorer.exe进程。下面就是DLL文件:
library HookSearch;
uses
SysUtils,
Classes,
Windows,
Messages,
Variants,
Controls,
StdCtrls;
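type
  // Prototypes of the kernel32 entry points this DLL hooks. They must match
  // the real exports exactly - argument list, calling convention AND return
  // type - because both the saved originals (Old* below) and the replacement
  // hooks are called through these types.
  TSetCurrentDirectory  = function ( lpPathName : PChar ): BOOL; stdcall;
  TSetCurrentDirectoryA = function ( lpPathName : PAnsiChar ): BOOL; stdcall;
  TSetCurrentDirectoryW = function ( lpPathName : PWideChar ): BOOL; stdcall;

  // FindFirstFile/A/W return a search HANDLE (see the Windows.pas
  // declarations quoted above, and SysUtils.FindFirst which stores the result
  // in F.FindHandle and compares it with INVALID_HANDLE_VALUE). The original
  // listing declared these as Boolean, a one-byte result: forwarding to
  // OldFindFirstFileW through such a type would hand explorer.exe back a
  // truncated handle. Hook implementations of these types must return
  // THandle as well.
  TFindFirstFile  = function ( lpFileName : PChar ; var lpFindFileData : TWIN32FindData ): THandle; stdcall;
  TFindFirstFileA = function ( lpFileName : PAnsiChar; var lpFindFileData : TWIN32FindDataA ): THandle; stdcall;
  TFindFirstFileW = function ( lpFileName : PWideChar; var lpFindFileData : TWIN32FindDataW ): THandle; stdcall;

  // Kept as BOOL to match the Windows.pas declaration quoted above.
  // NOTE(review): confirm against WinBase.h before hooking the Ex forms; the
  // caller expects a search handle back from them too.
  TFindFirstFileEx = function ( lpFileName: PChar; fInfoLevelId: TFindexInfoLevels;
                                lpFindFileData: Pointer; fSearchOp: TFindexSearchOps;
                                lpSearchFilter: Pointer;
                                dwAdditionalFlags: DWORD): BOOL; stdcall;
  TFindFirstFileExA = function ( lpFileName: PAnsiChar; fInfoLevelId: TFindexInfoLevels;
                                 lpFindFileData: Pointer; fSearchOp: TFindexSearchOps;
                                 lpSearchFilter: Pointer;
                                 dwAdditionalFlags: DWORD): BOOL; stdcall;
  TFindFirstFileExW = function ( lpFileName: PWideChar; fInfoLevelId: TFindexInfoLevels;
                                 lpFindFileData: Pointer; fSearchOp: TFindexSearchOps;
                                 lpSearchFilter: Pointer;
                                 dwAdditionalFlags: DWORD): BOOL; stdcall;

  // Continuation calls: take the handle returned by FindFirstFile* and fill
  // in the next entry; BOOL here matches the Windows.pas declarations.
  TFindNextFile  = function ( hFindfile: THandle; var lpFindFileData: TWIN32FindData ): BOOL; stdcall;
  TFindNextFileA = function ( hFindfile: THandle; var lpFindFileData: TWIN32FindDataA ): BOOL; stdcall;
  TFindNextFileW = function ( hFindfile: THandle; var lpFindFileData: TWIN32FindDataW ): BOOL; stdcall;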
var
// Saved addresses of the real kernel32 entry points. The hook functions (not
// part of this excerpt) are expected to forward to these after reporting the
// file name; presumably the import-table patching code fills them in before
// it swaps the entries. Each must be typed exactly like the API it stands for.
OldSetCurrentDirectory : TSetCurrentDirectory ;
OldSetCurrentDirectoryA : TSetCurrentDirectoryA;
OldSetCurrentDirectoryW : TSetCurrentDirectoryW;
OldFindFirstFile : TFindfirstFile;
OldFindFirstFileA : TFindfirstFileA;
OldFindFirstFileW : TFindfirstFileW;
OldFindFirstFileEx : TFindFirstFileEx ;
OldFindFirstFileExA : TFindFirstFileExA;
OldFindFirstFileExW : TFindFirstFileExW;
OldFindNextFile : TFindNextFile ;
OldFindNextFileA : TFindNextFileA;
OldFindNextFileW : TFindNextFileW;
{$R *.res}
type
// One entry of the PE import directory, 20 bytes, used to walk explorer.exe's
// imports and patch the kernel32 entries.
// NOTE(review): this mirrors IMAGE_IMPORT_DESCRIPTOR from WinNT.h but with
// different field names - there the four bytes at offset 8 are ForwarderChain
// (not Major/MinorVersion), offset 0 is the OriginalFirstThunk/lookup table,
// and offset 16 ("LookupTable" here) is FirstThunk, the IAT that actually
// gets patched. Confirm against the patching code, which is not in this excerpt.
PImage_Import_Entry = ^Image_Import_Entry;
Image_Import_Entry = record
Characteristics: DWORD;   // offset 0
TimeDateStamp: DWORD;     // offset 4
MajorVersion: Word;       // offset 8
MinorVersion: Word;       // offset 10
Name: DWORD;              // offset 12: RVA of the imported DLL's name
LookupTable: DWORD;       // offset 16: RVA of the thunk array holding the function pointers
end;
// Shape of an indirect-jump import stub: a 2-byte jmp opcode followed by the
// address of the pointer slot it jumps through. Packed so the pointer sits
// directly after the opcode, as in the machine code it overlays.
TImportCode = packed record
JumpInstruction : Word; // the jmp instruction
AddressOfPointerToFunction : ^Pointer; // location of the pointer to the target function
end;
PImportCode = ^TImportCode;
记得要将生成的HookSearch.dll改名为Hook.dll噢,要不就要改注入程序里的代码,将DLLFile := ExtractFilePath ( Application.ExeName ) + 'hook.dll';改为DLLFile := ExtractFilePath ( Application.ExeName ) + 'hooksearch.dll'!(注入程序从自己所在目录加载这个DLL。)
在Windows XP Professional 和Delphi 7环境测试通过!
修改一下代码就可以实现文件隐藏噢! :) 不过要清楚:这只是改了explorer.exe一个进程的导入表,文件本身还在磁盘上,其他程序或命令行照样能枚举到;向explorer.exe注入DLL并篡改其导入表来隐藏文件,也正是用户态rootkit常用的手法。