Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Tools / ApiHooks 2.2 / examples / ASM / Invisible / InvisibleDLL.bat < prev

Wrap

DOS Batch File | 2000-04-10 | 6.6 KB | 210 lines

;@goto translate .586P .MODEL FLAT, STDCALL OPTION CASEMAP: NONE INCLUDE WINDOWS.inc UNICODE = FALSE INCLUDE APIMACRO.mac INCLUDELIB iKERNEL32.lib INCLUDELIB iUSER32.lib INCLUDELIB iNTDLL.lib INCLUDELIB iApiHooks.lib INCLUDE ApiHooks.inc OPTION NOKEYWORD: <LENGTH> .DATA? PROCESS_BASIC_INFORMATION STRUCT ExitStatus DWORD ? PebBaseAddress DWORD ? AffinityMask DWORD ? BasePriority DWORD ? UniqueProcessId DWORD ? InheritedFromUniqueProcessId DWORD ? PROCESS_BASIC_INFORMATION ENDS ProcessBasicInformation = 0 SystemProcessInformation = 5 OrigEnumWinProc DWORD ? pbi PROCESS_BASIC_INFORMATION <> pbi2 PROCESS_BASIC_INFORMATION <> PathHooks SIGN MAX_PATH DUP (?) .CODE BeginHooks Entry MkHook , NTDLL, NtCreateThread, HOOK_BY_ADDRESS, KERNEL32 MkHook , NTDLL, CsrClientCallServer, HOOK_BY_ADDRESS, KERNEL32 MkHook , NTDLL, NtQuerySystemInformation MkHook ,USER32, EnumWindows MkHook ,USER32, GetWindow EndHooks TEXTA NTDLL, <NTDLL.dll/0> TEXTA KERNEL32, <KERNEL32.dll/0> TEXTA USER32, <USER32.dll/0> TEXTA NtCreateThread, <NtCreateThread/0> TEXTA CsrClientCallServer, <CsrClientCallServer/0> TEXTA NtQuerySystemInformation, <NtQuerySystemInformation/0> TEXTA EnumWindows, <EnumWindows/0> TEXTA GetWindow, <GetWindow/0> TEXTW Proc2Hide, <Calc.exe/0> TEXT Wind2Hide, <SciCalc/0> ;-------------------------------------------------------------------------------- DllMain: CMP DWORD PTR [ESP+8], DLL_PROCESS_ATTACH JNE @F iWin32i GetModuleFileName, [ESP+12], OFFSET PathHooks, MAX_PATH @@: PUSH TRUE POP EAX RETN 12 ;-------------------------------------------------------------------------------- NewNtCreateThread PROC lpThreadHandle, DesiredAccess, lpObjectAttributes,\ ProcessHandle, lpClientId, lpInitialContext,\ lpUserStackDescriptor, CreateSuspended AND pbi2.UniqueProcessId, 0 iWin32 NtQueryInformationProcess, ProcessHandle, ProcessBasicInformation,\ OFFSET pbi, SIZEOF pbi, NULL PUSH EAX iWin32 NtCreateThread, lpThreadHandle, DesiredAccess, lpObjectAttributes,\ ProcessHandle, lpClientId, lpInitialContext,\ lpUserStackDescriptor, CreateSuspended POP ECX PUSH EAX TEST ECX, ECX JL @F TEST EAX, EAX JL @F CMP CreateSuspended, FALSE JE @F CMP pbi.UniqueProcessId, 0 ;new process hasn't ID before 1st thread creation JNE @F iWin32 NtQueryInformationProcess, ProcessHandle, ProcessBasicInformation,\ OFFSET pbi2, SIZEOF pbi2, NULL @@: POP EAX RET NewNtCreateThread ENDP ;-------------------------------------------------------------------------------- NewCsrClientCallServer PROC lpStruc, Par1, dwCommand, StrucSize iWin32 CsrClientCallServer, lpStruc, Par1, dwCommand, StrucSize CMP dwCommand, 10000H JNE @F MOV EDX, lpStruc CMP DWORD PTR [EDX+20H], 0 JL @F MOV ECX, pbi2.UniqueProcessId JECXZ @F PUSH EAX iWin32i EstablishApiHooksTime, OFFSET PathHooks, ECX, 10000 POP EAX @@: RET NewCsrClientCallServer ENDP ;-------------------------------------------------------------------------------- NewNtQuerySystemInformation PROC USES EBX ESI, SystemInformationClass, SystemInformation,\ Length, ResultLength iWin32 NtQuerySystemInformation, SystemInformationClass, SystemInformation,\ Length, ResultLength TEST EAX, EAX JL Fin CMP SystemInformationClass, SystemProcessInformation JNE Fin MOV ESI, SystemInformation @@: MOV EBX, ESI ;prev proc CMP DWORD PTR [ESI], 0 JE Fin ADD ESI, [ESI] MOV ECX, [ESI+3CH] JECXZ @B PUSH EAX iWin32 lstrcmpiW, ECX, sProc2Hide TEST EAX, EAX POP EAX JNE @B MOV EDX, [ESI] TEST EDX, EDX JE FillZero ADD [EBX], EDX JMP @B ;all with my name FillZero: AND [EBX], EDX JMP @B ;all with my name Fin: RET NewNtQuerySystemInformation ENDP ;-------------------------------------------------------------------------------- NewEnumWindows PROC lpEnumFunc, lParam CMP OrigEnumWinProc, NULL JE @F iWin32 EnumWindows, lpEnumFunc, lParam RET @@: PUSH lpEnumFunc POP OrigEnumWinProc iWin32 EnumWindows, NewEnumProc, lParam AND OrigEnumWinProc, NULL RET NewEnumWindows ENDP NewEnumProc PROC USES ESI, hwnd, lParam iWin32i FindWindow, sWind2Hide, NULL TEST EAX, EAX JE OrigEnumP CMP EAX, hwnd PUSH TRUE POP EAX JE @F OrigEnumP: sWin32 OrigEnumWinProc, hwnd, lParam @@: RET NewEnumProc ENDP ;-------------------------------------------------------------------------------- NewGetWindow PROC USES EBX, hWnd, uCmd iWin32i FindWindow, sWind2Hide, NULL TEST EAX, EAX JE NotMe MOV EBX, EAX CMP EAX, hWnd JNE NotMe CMP uCmd, GW_CHILD JNE @F SUB EAX, EAX RET @@: iWin32 GetWindow, EAX, uCmd Next: MOV hWnd, EAX NotMe: iWin32 GetWindow, hWnd, uCmd TEST EAX, EAX JE Fin CMP EAX, EBX JE Next Fin: RET NewGetWindow ENDP ;-------------------------------------------------------------------------------- END DllMain :translate @echo off ML /c /coff /nologo InvisibleDLL.bat eLINK InvisibleDLL /out:Invisible.dll /dll /nologo /optidata /section:.text,EWR /export:Entry,@1,NONAME /base:0x47280000 /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /IGNORE:4078,4086 DEL InvisibleDLL.obj DEL Invisible.lib DEL Invisible.exp PAUSE CLS