很久以前写的代码
THookClass 是一个通用类,用自定义函数覆盖 Windows DLL 中某个函数的实现
unit nt2000proc;
interface
uses windows;
type
// Overlay for the first bytes of a function entry, used to recognise an
// import-table jump stub. FinalfunctionAddress casts a code pointer to
// PImportCode and inspects these two fields.
// Packed so that the fields sit at byte offsets 0 and 2 with no padding.
TImportCode=packed record
// First two code bytes read as a little-endian word. The value $25FF
// (bytes FF 25) is the 32-bit x86 "jmp dword ptr [addr]" opcode.
JumpInstruction:word;
// Operand of that jump: address of the slot holding the real target.
// NOTE(review): only meaningful as an absolute address on 32-bit x86.
AddressOfPointerToFunction:ppointer;
end;
PImportCode=^TImportCode;
// Five-byte patch image written over the entry of the hooked function:
// one opcode byte followed by a 32-bit relative displacement.
// Packed so SizeOf(TLongJmp) is exactly 5, matching the 5 bytes that
// THookClass saves in OldCode and writes with WriteProcessMemory.
TLongJmp=packed record
// Opcode byte; THookClass.Create stores $E9 here (x86 near relative jmp).
JmpCode:ShortInt;
// Displacement, computed in Create as NewFunction - OldFunction - 5.
FuncAddr:DWord;
end;
// Inline hook over one function: Create saves the first 5 bytes of the
// target and overwrites them with a jump to the replacement; Restore puts
// the saved bytes back; Change re-applies the jump.
// NOTE(review): nothing in this class serialises Change/Restore, so callers
// on several threads can observe the target in either state.
THookClass=class
private
// Handle to the current process, opened in Create and closed in Destroy.
HProcess:Cardinal;
// True while the jump is believed to be written over the target.
AlreadyHook:boolean;
// Original first 5 bytes of the target, copied in Create.
OldCode:array[0..4]of byte;
// Jump image written over the target by Change.
NewCode:TLongJmp;
public
// Resolved addresses (after FinalfunctionAddress) of the hooked function
// and of its replacement. Public so the replacement can call the original.
OldFunction,NewFunction:pointer;
constructor Create(oldfun,newfun:pointer);
destructor Destroy(); override;
procedure Restore;
procedure Change;
published
end;
implementation
// Resolves a code pointer to the address that should be patched.
// If the code at `code` starts with the word $25FF (x86 "jmp [addr]",
// i.e. an import stub), the pointer stored at that operand address is
// returned; otherwise `code` itself is returned. Only one level of
// indirection is followed. Returns nil for a nil input, or when reading
// the memory raises an exception.
function FinalfunctionAddress(code:pointer):pointer;
var
  stub: PImportCode;
begin
  if code = nil then
  begin
    Result := nil;
    Exit;
  end;
  try
    stub := code;
    if stub^.JumpInstruction <> $25FF then
      Result := code
    else
      // Follow the jump operand to the real entry point.
      Result := stub^.AddressOfPointerToFunction^;
  except
    // Unreadable memory: report "not resolvable" instead of propagating.
    Result := nil;
  end;
end;
{ THookClass }
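// Writes the jump image (NewCode) over the first bytes of OldFunction.
// Does nothing if the hook is already applied, the process handle is
// missing, or either address is unresolved.
// AlreadyHook is set only after the write is confirmed; the original set
// it unconditionally, so a failed write left the object claiming a hook
// that was never installed.
// NOTE(review): the 5-byte write is not atomic with respect to other
// threads executing OldFunction; nothing here serialises callers.
procedure THookClass.Change;
var
  written: DWord;
begin
  if AlreadyHook or (HProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
    Exit;
  written := 0;
  if WriteProcessMemory(HProcess, OldFunction, @NewCode, SizeOf(NewCode), written)
     and (written = SizeOf(NewCode)) then
  begin
    // Code bytes changed: make sure the CPU does not run a stale copy.
    FlushInstructionCache(HProcess, OldFunction, SizeOf(NewCode));
    AlreadyHook := True;
  end;
end;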
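// Resolves both addresses, saves the first 5 bytes of the target, builds
// the jump image and applies it.
// Changes from the original:
//  - if either address resolves to nil, the object is left un-hooked
//    instead of dereferencing nil in Move;
//  - the process handle is opened with only the rights WriteProcessMemory
//    needs (PROCESS_VM_OPERATION, PROCESS_VM_WRITE) instead of
//    PROCESS_ALL_ACCESS, so a leaked handle carries less authority;
//  - a failed OpenProcess stops before any code bytes are touched.
// The constructor cannot report failure through its signature; an
// instance whose hook was not applied simply does nothing on Restore.
constructor THookClass.Create(oldfun, newfun: pointer);
begin
  inherited Create;
  AlreadyHook := False;
  OldFunction := FinalFunctionAddress(oldfun);
  NewFunction := FinalFunctionAddress(newfun);
  if (OldFunction = nil) or (NewFunction = nil) then
    Exit;
  HProcess := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_WRITE, False,
    GetCurrentProcessId);
  if HProcess = 0 then
    Exit;
  NewCode.JmpCode := ShortInt($E9);
  // Relative displacement measured from the end of the 5-byte jump.
  // NOTE(review): the DWord casts assume 32-bit pointers, and the
  // subtraction relies on wrap-around, so it needs overflow/range checks
  // off in this unit; confirm the compiler settings.
  NewCode.FuncAddr := DWord(NewFunction) - DWord(OldFunction) - 5;
  // Keep the original bytes so Restore can put them back verbatim.
  Move(OldFunction^, OldCode, SizeOf(OldCode));
  Change;
end;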
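// Removes the hook (if applied) and releases the process handle.
// The handle is closed only when it is non-zero: the original called
// CloseHandle(0) whenever OpenProcess had failed, which is an
// invalid-handle call (and raises under a debugger).
destructor THookClass.Destroy();
begin
  Restore;
  if HProcess <> 0 then
  begin
    CloseHandle(HProcess);
    // Cleared so a stale handle value cannot be reused.
    HProcess := 0;
  end;
  inherited Destroy;
end;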
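// Writes the saved original bytes (OldCode) back over OldFunction.
// Does nothing if the hook is not applied, the process handle is missing,
// or either address is unresolved.
// AlreadyHook is cleared only after the write is confirmed; the original
// cleared it unconditionally, so a failed write left the jump in place
// while the object reported the function as restored.
// NOTE(review): not synchronised with other threads calling OldFunction.
procedure THookClass.Restore;
var
  written: DWord;
begin
  if (not AlreadyHook) or (HProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
    Exit;
  written := 0;
  if WriteProcessMemory(HProcess, OldFunction, @OldCode, SizeOf(OldCode), written)
     and (written = SizeOf(OldCode)) then
  begin
    // Code bytes changed: make sure the CPU does not run a stale copy.
    FlushInstructionCache(HProcess, OldFunction, SizeOf(OldCode));
    AlreadyHook := False;
  end;
end;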
end.
如果要替换所有正在运行的程序中的该功能,必须在 dll 中实现(THookClass 只修改它所在的当前进程)。如果只需要替换当前 exe 中的功能,则不需要在 dll 中实现。
这个dll实现了将打印机的页边距设置为0的功能
// DLL project file. All logic lives in the getdccaps unit; the library
// body itself is empty, so nothing is hooked at load time. The hook is
// installed only when a caller invokes installdevice.
library customsize;
uses
getdccaps in 'getdccaps.pas';
// NOTE(review): setpapersize is exported here but is not declared in the
// getdccaps unit as shown on this page; confirm where it is defined.
exports
installdevice,uninstalldevice,setpapersize;
{$R *.res}
begin
end.
unit getdccaps;
interface
uses nt2000proc,windows;
var
// The single hook instance over GetDeviceCaps; assigned in installdevice
// and freed in uninstalldevice.
hook:Thookclass;
// Unit-level flag: True between a successful installdevice and the next
// uninstalldevice. Distinct from the private THookClass.AlreadyHook field.
alreadyhook:boolean;
// Per the original comment the unit is 0.1 mm.
// NOTE(review): not referenced by any code visible in this unit.
width,height:integer; //0.1mm
// True when GetVersionEx reports the NT platform.
FUNCTION SystemIsNt():boolean;
// Installs the GetDeviceCaps hook; returns True only when it did so.
function installdevice():boolean;stdcall;
// Removes the GetDeviceCaps hook; returns True only when it did so.
function uninstalldevice():boolean;stdcall;
implementation
// Reports whether the running Windows is NT-based.
// Returns False when GetVersionEx fails.
FUNCTION SystemIsNt():boolean;
var
  info: TOSVersionInfo;
begin
  // The API requires the structure size to be filled in before the call.
  info.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
  if not GetVersionEx(info) then
    Result := False
  else
    Result := (info.dwPlatformId = VER_PLATFORM_WIN32_NT);
end;
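// Replacement for GetDeviceCaps. Reports 0 for PHYSICALOFFSETX and
// PHYSICALOFFSETY and forwards every other index to the original.
// Changes from the original:
//  - the two offset queries are answered without un-patching, so the
//    window in which the hook is removed no longer opens for them;
//  - the hook is re-applied in a finally block, so an exception raised by
//    the original function no longer leaves GetDeviceCaps un-hooked.
// NOTE(review): forwarding still works by restore / call / re-patch on
// the live code bytes. While the original bytes are restored, calls from
// other threads bypass this function, and the patching itself is not
// synchronised. `hook` is also assigned in installdevice only after the
// constructor has applied the patch; a call arriving in that gap would
// use an unassigned `hook`.
function myGetDeviceCapsfunction(DC: HDC; Index: Integer): Integer;stdcall;
type
  TGetDeviceCaps = function(DC: HDC; Index: Integer): Integer; stdcall;
begin
  if (Index = PHYSICALOFFSETX) or (Index = PHYSICALOFFSETY) then
  begin
    Result := 0;
    Exit;
  end;
  hook.Restore;
  try
    Result := TGetDeviceCaps(hook.OldFunction)(DC, Index);
  finally
    hook.Change;
  end;
end;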
// Installs the GetDeviceCaps hook once. Returns True when this call
// created the hook; False on a non-NT system or when already installed.
// NOTE(review): True means a THookClass was constructed. The class
// exposes no way to confirm that the patch was actually written.
function installdevice():boolean;stdcall;
begin
  Result := False;
  if not SystemIsNt() then
    Exit;
  if alreadyhook then
    Exit;
  hook := Thookclass.Create(@GetDeviceCaps, @myGetDeviceCapsfunction);
  alreadyhook := True;
  Result := True;
end;
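// Removes the GetDeviceCaps hook if installdevice created one. Returns
// True when this call freed the hook; False on a non-NT system or when no
// hook is installed.
// The reference is now cleared after Free; the original left `hook`
// pointing at the destroyed object.
function uninstalldevice():boolean;stdcall;
begin
  Result := False;
  if SystemIsNt() and alreadyhook then
  begin
    // THookClass.Destroy restores the original bytes before releasing.
    hook.Free;
    hook := nil;
    alreadyhook := False;
    Result := True;
  end;
end;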
end.