Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Tools / ApiHooks 3.0 / ApiHooksEXE.bat < prev next >

Wrap

DOS Batch File | 2000-06-18 | 13.2 KB | 372 lines

;@goto translate .586P .MODEL FLAT, STDCALL OPTION CASEMAP: NONE INCLUDE WINDOWS.inc UNICODE = FALSE INCLUDE APIMACRO.mac INCLUDE NTSTATUS.inc INCLUDE NtStruc.inc INCLUDE AHinc.inc INCLUDE ApiHooks.inc PIDERROR EQU -1 INCLUDELIB iKERNEL32.lib INCLUDELIB iUSER32.lib INCLUDELIB iApiHooks.lib ;------------------------------------------------------------------------------ .DATA? ;place for non all-windows APIs CreateToolhelp32Snapshot DWORD ? Process32First DWORD ? Process32Next DWORD ? NtQueryInformationProcess DWORD ? NtQuerySystemInformation DWORD ? ;OS version W32Version DWORD ? ;place for PIDs PIDs DWORD 300H DUP (?) ;for CreateProcess stinfo STARTUPINFO <> prinfo PROCESS_INFORMATION <> DllName SIGN MAX_PATH DUP (?) ExeName SIGN MAX_PATH DUP (?) HelpLine SIGN MAX_PATH DUP (?) ;had target parameters? ExeAlone BYTE ? .CODE Errors DWORD sESU, sEEX, sEOP, sERA, sERE, sERF, sECL, sECP, sEPN, sETM ;------------------------------------------------------------------------------ TEXT sTitle,<ApiHooks for Win32, version 2.2/0> TEXT ESU, <Hooks established./0> TEXT EML, <Module loaded./0> TEXT ELU, <Module unloaded./0> TEXT EEX, <Exception occurred/:/0> TEXT EOP, <Can/-t open process/:/0> TEXT ERA, <Remote Alloc failed/:/0> TEXT ERE, <Hooks can/-t be found,/lare already present/lor are invalid/:/0> TEXT ELM, <Can/-t load module/:/0> TEXT EUL, <Module still loaded/:/0> TEXT ERF, <Remote Free failed/:/0> TEXT ECL, <ApiHooks /(-/)/(n | o | l | m | u/)[q | r] /(Hooks | Module/) /(Target | PID | ALL/) [Parameters]/l> STRING <n = create new process and apply Hooks o = open existing process and apply Hooks/l> STRING <l = create new process and load Module m = open existing process and load Module/l> STRING <u = open existing process and unload Module/l> STRING <q = no msg box if all went OK r = no msg box at all/l> STRING <Hooks = module containing hook procedures Module = module to (un)load/l> STRING <Target = process where to apply hooks PID = ID of Target process as 0x hexadecimal number/l> STRING <ALL = all processes are Targets Parameters = command line parameters for Target/0> TEXT ECP, <Can/-t create process/:/0> TEXT EPN, <Process not found/:/0> TEXT ETM, <Time out/:/0> ;non all-windows API names for GetProcAddress TEXT K32, <KERNEL32.dll/0> TEXTA CT32S,<CreateToolhelp32Snapshot/0> TEXTA P32F, <Process32First/0> TEXTA P32N, <Process32Next/0> TEXTA NTDLL,<NTDLL.dll/0> TEXTA NQIP, <NtQueryInformationProcess/0> TEXTA NQSI, <NtQuerySystemInformation/0> ;------------------------------------------------------------------------------ ;Work with command line: ;IN: ESI - string, EDI str to copy ;OUT: ESI - string, EAX - BOOL, ZF set if no next parameter GetParAndNextParPos PROC USES EDI XOR EAX, EAX ;skip 1st parameter MOV CL, '"' MOV [EDI], AL LODSB TEST AL, AL JE StringQuit CMP AL, CL JE @F DEC ESI MOV CL, ' ' @@: LODSB STOSB TEST AL, AL JE NoNextPar CMP AL, CL JNE @B MOV BYTE PTR [EDI-1] ,0 ;find start of the next par - skip spaces @@: LODSB TEST AL, AL JE NoNextPar CMP AL, ' ' JBE @B NoNextPar: MOV AL, 1 DEC ESI StringQuit: RET GetParAndNextParPos ENDP ;------------------------------------------------------------------------------ PrimaryThread PROC iMOV ESI, GetModuleHandleA iMOV EDI, GetProcAddress sWin32 ESI, sNTDLL ;get NTDLL APIs MOV EBX, EAX sWin32 EDI, EBX, sNQIP MOV NtQueryInformationProcess, EAX sWin32 EDI, EBX, sNQSI MOV NtQuerySystemInformation, EAX sWin32 ESI, sK32 ;get KERNEL32 APIs MOV EBX, EAX sWin32 EDI, EBX, sCT32S MOV CreateToolhelp32Snapshot, EAX sWin32 EDI, EBX, sP32F MOV Process32First, EAX sWin32 EDI, EBX, sP32N MOV Process32Next, EAX ;------------------------------------------------------------------------------ iWin32 GetVersion MOV W32Version, EAX ;evaluate command line CLD iWin32i GetCommandLine MOV ESI, EAX oLEA EDI, HelpLine sWin32 GetParAndNextParPos ;apihooks.exe TEST EAX, EAX JE @F ;missing parameter -> wrong line sWin32 GetParAndNextParPos ;-nq TEST EAX, EAX JE @F ;missing parameter -> wrong line MOV EBX, [EDI] sWin32 GetParAndNextParPos ;hooks.dll TEST EAX, EAX JE @F ;missing parameter -> wrong line MOV EBP, ESI ;EBP == command line for target (incl. target.exe) iWin32i ExpandEnvironmentStrings, EDI, OFFSET DllName, MAX_PATH sWin32 GetParAndNextParPos ;target.exe TEST EAX, EAX @@: JE InvCmdLine ;missing parameter -> wrong line iWin32i ExpandEnvironmentStrings, EDI, OFFSET ExeName, MAX_PATH sWin32 GetParAndNextParPos ;test if there are some parameters for target on the command line SETE ExeAlone ;note it oLEA EDI, DllName MOV EAX, EBX ;2 nd parameter -nq OR EAX, ' ' ;lowercase MOV ECX, EAX SHR ECX, 16 CMP CL, 'q' ;-?q ? JE @F CMP CL, 'r' ;-?r ? JNE AllowMsgBox MOV BYTE PTR MsgJMP-2, 0EBH ;if -?r skip over msgbox @@: MOV BYTE PTR MsgJMP-1, SkipMsg-MsgJMP ;if -?r or -?q skip msgbox if was success AllowMsgBox: CMP AL, '-' JNE InvCmdLine SHR EAX, 8 oMOV EBX, 1 ;default 1 PID in PIDs , EBX == PID counter CMP AL, 'n' ;new process & apihooks JE CreateNew CMP AL, 'o' ;existing process & apihooks JE @F MOV BYTE PTR GoToEAHT-1, (GoToLMT-GoToEAHT) ;change jump target MOV Errors[ErrorSuccess*4], sEML ;replace hooks msg MOV Errors[ErrorRemoteExec*4], sELM ;with module msg CMP AL, 'l' ;new process & load module JE CreateNew CMP AL, 'm' ;existing process& & load module JE @F MOV BYTE PTR GoToEAHT-1, (GoToUMT-GoToEAHT) ;change jump target MOV Errors[ErrorSuccess*4], sELU ;replace hooks msg MOV Errors[ErrorRemoteExec*4], sEUL ;with module msg CMP AL, 'u' ;existing process & unload module JNE InvCmdLine ;no more switches supported ;------------------------------------------------------------------------------ ;evaluate target @@: PUSH EAX ;save -?? switches SUB EDX, EDX MOV AX, 2000H oLEA ESI, ExeName OR EAX, [ESI] ;prefix 0X -> 0x oMOV ECX, 8 ;max 8 hex characters CMP AX, "x0" JNE StdName ;no 0x prefix -> target is given by name LODSW NextHexFigure: ;PID = Str2Hex(target) LODSB SUB AL, "0" JL ConvEnd CMP AL, 9 JLE HexFigure AND AL, 0DFH SUB AL, 7 HexFigure: SHL EDX, 4 OR DL, AL LOOP NextHexFigure ConvEnd: POP ECX ;restore -?? switches JMP SetPID ;------------------------------------------------------------------------------ ;target given by name StdName: CMP DWORD PTR [ESI], "LLA" ;is it ALL ? JNE @F ;no -> find process sWin32 BuildPIDList, OFFSET PIDs, SIZEOF PIDs/4 ;yes -> get all current PIDs MOV EBX, EAX CMP EAX, PIDERROR ;returned PIDERROR -> failed JE FailPIDs CMP EAX, SIZEOF PIDs/4 ;my buffer is too small oMOV EAX, PIDERROR JG FailPIDs0 ;EBX contains number of PIDs in PIDs POP ECX ;restore -?? cmdline switches JMP SetPID0 @@: ;find target by name sWin32 FindProcessNT5, ESI ;ESI == OFFSET ExeName == target.exe FailPIDs0: CMP EAX, PIDERROR ;returned PIDERROR -> failed FailPIDs: MOV EDX, EAX POP ECX ;restore -?? cmdline switches oMOV EAX, ErrorProcNotFound JE Exitus SetPID: MOV PIDs[0], EDX ;found PID SetPID0: CMP CL, 'o' ;was it open existing target and apply hooks? JNE GoOn ;no -> GetFullPathName is used with -o option but not with -m -u -l -n ! MOV ECX, EDI @@: INC ECX MOV AL, [ECX] CMP AL, "\" ;if hooks.dll doesn't contain PathTo JE @F CMP AL, 0 JNE @B PUSH EAX iWin32i GetFullPathName, EDI, SIZEOF DllName, EDI, ESP ;merge CurDir+Hooks.dll POP EAX @@: JMP GoOn ;------------------------------------------ InvCmdLine: oMOV EAX, ErrorCommandLine JMP Exitus ;------------------------------------------ CreateNew: CMP ExeAlone, FALSE JE @F oLEA EBP, ExeName ;if there are no target parameters then iWin32i lstrlen, EBP MOV WORD PTR [EBP+EAX], ' ' ;append space at the end of "target.exe" @@: MOV BYTE PTR stinfo.cb, STARTUPINFO SUB ECX, ECX iWin32i CreateProcess, ECX, EBP,\ ECX, ECX, ECX,\ CREATE_SUSPENDED OR CREATE_NEW_CONSOLE,\ ECX, ECX,\ OFFSET stinfo, OFFSET prinfo TEST EAX, EAX oMOV EAX, ErrorCreateProcess JE Exitus ;can't create target oMOV PIDs[0], prinfo.dwProcessId GoOn: oLEA ESI, PIDs NextPID: DEC EBX ; --PID counter JL Exitus LODSD ;get PID PUSH NULL ;for LoadAndCall == call nothing PUSH 1 ;(un)load 1 time also 1 millisecond PUSHc EDI, EAX JMP GoToEAHT ;will be patched GoToEAHT: MOV DWORD PTR [ESP+8], 10000 ;adjust milliseconds to 10ms iWin32 EstablishApiHooksTimeNTA POP ECX ;remove parameter for LoadAndCall JMP NextPID GoToLMT: iWin32 LoadAndCallA MOV ECX, EAX ;save return code CMP ECX, ErrorTimeOut oMOV EAX, ErrorSuccess ;module was loaded -> return success JA NextPID oMOV EAX, ErrorRemoteExec JECXZ NextPID ;module wasn't loaded -> return error NextPID0: MOV EAX, ECX ;else return original error JMP NextPID GoToUMT: iWin32 UnloadModuleA POP EDX ;remove parameter for LoadAndCall MOV ECX, EAX ;save return code CMP ECX, ErrorTimeOut oMOV EAX, ErrorRemoteExec ;module wasn't unloaded -> return error JA NextPID oMOV EAX, ErrorSuccess ;module was loaded -> return success JECXZ NextPID JMP NextPID0 ;else return original error Exitus: PUSH EAX ;parameter for ExitProcess MOV EDX, Errors[EAX*4] ;choose error message TEST EAX, EAX JE MsgJMP ;will be patched MsgJMP: iWin32i MessageBox, NULL, EDX, ssTitle, MB_OK SkipMsg: MOV EBX, prinfo.hThread ;if was -n or -l target must be closed TEST EBX, EBX JE @F iWin32 CloseHandle, prinfo.hProcess ;close target process iWin32 ResumeThread, EBX ;resume its primary thread iWin32 CloseHandle, EBX ;and close it @@: iWin32 ExitProcess ;exit with error code PrimaryThread ENDP ;------------------------------------------------------------------------------- INCLUDE FindProc.inc END PrimaryThread :translate @ECHO OFF ML /c /coff /nologo ApiHooksEXE.bat eLINK ApiHooksEXE /OUT:ApiHooks.exe /IGNORE:4108,4078,4060 /nologo /STUB:PEstub.exe /SUBSYSTEM:WINDOWS /MERGE:.idata=.text /MERGE:.rdata=.text /SECTION:.text,EWR /COMMENT:" http://elicz.cjb.net http://elicz.tsx.org " eLINK -EDIT -NOLOGO ApiHooks.exe -SECTION:.text=" " -SECTION:.data=" " -RELEASE rem BIND -u ApiHooks.exe DEL ApiHooksEXE.obj PAUSE CLS