Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Tools / ApiHooks 3.0 / ApiHooksDLL.bat < prev next >

Wrap

DOS Batch File | 2000-06-18 | 20.1 KB | 562 lines

;@goto translate .586P .MODEL FLAT, STDCALL OPTION CASEMAP: NONE INCLUDE WINDOWS.inc UNICODE = FALSE INCLUDE APIMACRO.mac INCLUDE NtStatus.inc INCLUDE AHinc.inc INCLUDE ApiHooks.inc INCLUDE NtStruc.inc INCLUDELIB iKERNEL32.lib INCLUDELIB iUSER32.lib INCLUDELIB iADVAPI32.lib ;------------------------------------------------------------------------------ .CODE ASSUME FS: NOTHING INCLUDE ApiWorks.inc TEXTA zSE_DEBUG_NAME, <SeDebugPrivilege/0> INCLUDE ModWorks.inc ;place for APIs which were retrieved via GetProcAddress ;initialzed with names of APIs for saving image size ALIGN 4 VirtualAllocEx LABEL DWORD K32 BYTE 'KERN' sK32 EQU OFFSET K32 VirtualFreeEx LABEL DWORD BYTE 'EL32' CreateToolhelp32Snapshot LABEL DWORD BYTE '.DLL' NtQueryInformationProcess LABEL DWORD BYTE 0 CT32S BYTE 'Cre' sCT32S EQU OFFSET CT32S NtQuerySystemInformation LABEL DWORD BYTE 'ateT' RtlCreateUserThread LABEL DWORD BYTE 'oolh' NtQueryInformationThread LABEL DWORD BYTE 'elp3' Thread32First LABEL DWORD BYTE '2Sna' Thread32Next LABEL DWORD BYTE 'psho' NtOpenThread LABEL DWORD BYTE 't',0 T32F BYTE 'Th' sT32F EQU OFFSET T32F W32Version LABEL DWORD BYTE 'read' CurrentProcess LABEL DWORD BYTE '32Fi' CurPID LABEL DWORD BYTE 'rst',0 RemoteAlloc DWORD RemoteAlloc9x RemoteExec DWORD RemoteExec9x RemoteFree DWORD RemoteFree9x OpenAllThreads DWORD OpenAllThreads9x ;----------------------------------------- ;For NT user thread termination is used NtTerminateThread not ExitThread, ;because KERNEL32.dll may not be present in the target process, while ;NTDLL.dll is present everywhere. For more comfort I could prepend ;LdrShutdownThread. NTThreadExit: PUSHp EAX, CurrentThread, EAX ; 4 BYTE 68H ;PUSH DWORD ;+1 NtTerminateThread DWORD ? ;+4 RET ;+1 NTThreadExitSize EQU ($-NTThreadExit) ; 10 ~ 12 = movsd,movsd,movsd ;----------------------------------------- ;names of NT APIs for GetProcAddress TEXTA VAEX, <VirtualAllocEx/0> TEXTA VFEX, <VirtualFreeEx/0> TEXTA NOPT, <NtOpenThread/0> TEXTA NQIP, <NtQueryInformationProcess/0> TEXTA NQSI, <NtQuerySystemInformation/0> TEXTA RCUT, <RtlCreateUserThread/0> TEXTA NTTH, <NtTerminateThread/0> TEXTA NQIT, <NtQueryInformationThread/0> ;================================================================================= DllMain PROC CMP DWORD PTR [ESP+8], DLL_PROCESS_ATTACH ;only this is important JNE DllMainRet iWin32 DisableThreadLibraryCalls, [ESP+4] ;don't bother with DLL_THREAD_* PUSHp ESI, EDI ;save used registers ;-------------- iWin32i GetModuleHandle, sK32 ;initialize KERNEL32 APIs iMOV ESI, GetProcAddress MOV EDI, EAX sWin32 ESI, EDI, sVAEX MOV VirtualAllocEx, EAX sWin32 ESI, EDI, sVFEX MOV VirtualFreeEx, EAX sWin32 ESI, EDI, sCT32S MOV CreateToolhelp32Snapshot, EAX sWin32 ESI, EDI, sT32F MOV Thread32First, EAX sWin32 ESI, EDI, sT32N MOV Thread32Next, EAX iWin32i GetModuleHandle, sNTDLL ;initialize NTDLL APIs MOV EDI, EAX sWin32 ESI, EDI, sNOPT MOV NtOpenThread, EAX sWin32 ESI, EDI, sNQIP MOV NtQueryInformationProcess, EAX sWin32 ESI, EDI, sNQSI MOV NtQuerySystemInformation, EAX sWin32 ESI, EDI, sRCUT MOV RtlCreateUserThread, EAX sWin32 ESI, EDI, sNTTH MOV NtTerminateThread, EAX sWin32 ESI, EDI, sNQIT MOV NtQueryInformationThread, EAX ;-------------------- ;enable debug privilege for this process if possible iWin32 GetCurrentProcess PUSH ECX ;place for hToken MOV CurrentProcess, EAX iWin32 OpenProcessToken, EAX, TOKEN_QUERY OR TOKEN_ADJUST_PRIVILEGES, ESP TEST EAX, EAX POP EDI ;hToken JE CantOpenToken ;failed ;LookupPrivValue can be excluded if I use hard ntddk value for debug priv.: 14H in LUID iWin32i LookupPrivilegeValue, NULL, szSE_DEBUG_NAME, OFFSET dbLUID TEST EAX, EAX JE CloseToken ;can't find local (numeric) representation of the privilege ;enable the privilege in my token iWin32 AdjustTokenPrivileges, EDI, FALSE, OFFSET NewState, 0, NULL, NULL CloseToken: iWin32 CloseHandle, EDI ;close hToken CantOpenToken: ;-------------------- ;initialze APIs for remote codes (ApiWorks and ModWorks) iMOV EAX, VirtualQuery MOV _VirtualQuery, EAX iMOV EAX, GetModuleFileNameA MOV _GetModuleFileNameA, EAX iMOV EAX, LoadLibraryA MOV _LoadLibraryA, EAX MOV _GetProcAddress, ESI ;in ApiWorks MOV _GetProcAddr, ESI ;in ModWorks iMOV EAX, GetModuleHandleA MOV _GetModuleHandleA, EAX MOV _DllOperation, EAX iMOV EAX, VirtualProtect MOV _VirtualProtect, EAX iMOV EAX, lstrcmpiA MOV _lstrcmpiA, EAX iMOV EAX, KERNEL32_ORD_0001 MOV _KERNEL32_ORD_0001, EAX iMOV EAX, FreeLibrary MOV _FreeLibrary, EAX ;-------------------- iWin32 GetCurrentProcessId MOV CurPID, EAX ;my PID XOR EAX, FS:TEB.pPEB ;9x Obsfucator = MyPID ^ TEB.pProcess MOV Obsfucator, EAX ;-------------------- iWin32 GetVersion MOV W32Version, EAX TEST EAX, EAX JNS DoNT DoW9x: ;9x stuff iMOV EAX, OpenProcess ADD EAX, 24H CMP DWORD PTR [EAX], 000000B9H ;is OpenThread routine present? JNE NoOpenThread9x MOV W9xOpenThread, EAX JMP Initialized DoNT: ;NT stuff MOV BYTE PTR W9xJMP0, 75H ;allow NO_UNBIND in ApiWorks: JMP -> JNE MOV RemoteAlloc, RemoteAllocNT MOV RemoteFree, RemoteFreeNT MOV OpenAllThreads,OpenAllThreadsNT CMP AL, 5 ;Win2K+ -> don't patch thread info start JAE Initialized MOV ThreadInfoStart, NT4_SYSTEM_PROCESS_INFORMATION.ThreadInformation + SYSTEM_THREAD_INFORMATION.ClientId.UniqueThread ;-------------------- NoOpenThread9x: Initialized: POPc ESI, EDI ;restore used registers ;-------------------- DllMainRet: XOR EAX, EAX INC EAX ;return TRUE RET 12 DllMain ENDP ;================================================================================= ;Exception handler sets EIP to DrWtson, ESP to xFrameESP and EAX to error code xHandler PROC MOV EDX, [ESP+12] ;context ADD EDX, CONTEXT.regEax MOV EAX, [ESP+8] ;xESP MOV [EDX+CONTEXT.regEip-CONTEXT.regEax], DrWatson MOV [EDX+CONTEXT.regEsp-CONTEXT.regEax], EAX oMOV [EDX+CONTEXT.regEax-CONTEXT.regEax], ErrorException XOR EAX, EAX ;ExceptionContinueExecution RETN xHandler ENDP ;================================================================================= ;Checks if process represented by procID is initialzed. In 9x it is always ;true. In NT it is not true if the process was created suspended and wasn't ;resumed yet. Remote thread in such a process in Win2K = crash the process. ;Returns FALSE if process is not initialized other value if is initialized. IsProcessInitializedOrNotNT PROC procID LOCAL pbi :PROCESS_BASIC_INFORMATION MOV EAX, W32Version TEST EAX, EAX JS Done ;Win9x -> always initialized iWin32 OpenProcess, PROCESS_VM_READ OR PROCESS_QUERY_INFORMATION, FALSE, procID TEST EAX, EAX PUSH TRUE ;assume initialized JE CantOpenThenInitialized ;if can't open assume initialized LEA ECX, pbi PUSH EAX ;save hProc sWin32 NtQueryInformationProcess, EAX, ProcessBasicInformation, ECX, SIZEOF pbi, NULL TEST EAX, EAX JL CloseProcess ;native api returned NTSTATUS POP ECX ;hProc MOV EAX, pbi.PebBaseAddress MOV EDX, ESP ADD EAX, PEB.pProcParameters ;address of pointer to target's parameters (of course all pointers are valid in target) PUSH ECX iWin32 ReadProcessMemory, ECX, EAX, EDX, 4, NULL ;read the pointer value CloseProcess: iWin32 CloseHandle ;close process CantOpenThenInitialized: POP EAX ;if target is not initialized, it has NULL pProcParameters Done: RET IsProcessInitializedOrNotNT ENDP ;================================================================================= ;Follow exported APIs stubs. Thre are 2 versions of each one. If NOOPT is ;defined LINKer procduces standard MS @ library (apihooks.lib). When NOOPT ;is not defined, created is iLIBrary (iapihooks.lib) and code of stubs is ;size optimized. PUBLIC EstablishApiHooksA IFDEF NOOPT EstablishApiHooksA PROC lpszDll, procID sWin32 EstablishApiHooks, lpszDll, procID, INFINITE, FALSE, FALSE RET ELSE EstablishApiHooksA PROC PUSH FALSE PUSH FALSE JMP EAHT ENDIF EstablishApiHooksA ENDP PUBLIC EstablishApiHooksW IFDEF NOOPT EstablishApiHooksW PROC lpszDll, procID sWin32 EstablishApiHooks, lpszDll, procID, INFINITE, TRUE, FALSE RET ELSE EstablishApiHooksW PROC PUSH FALSE PUSH TRUE EAHT:: sWin32 EstablishApiHooks, [ESP+20], [ESP+20], INFINITE RETN 8 ENDIF EstablishApiHooksW ENDP ;================================================================================= PUBLIC EstablishApiHooksTimeA IFDEF NOOPT EstablishApiHooksTimeA PROC lpszDll, procID, ExpTime sWin32 EstablishApiHooks, lpszDll, procID, ExpTime, FALSE, FALSE RET ELSE EstablishApiHooksTimeA PROC PUSH FALSE PUSH FALSE JMP EAHTW ENDIF EstablishApiHooksTimeA ENDP PUBLIC EstablishApiHooksTimeW IFDEF NOOPT EstablishApiHooksTimeW PROC lpszDll, procID, ExpTime sWin32 EstablishApiHooks, lpszDll, procID, ExpTime, TRUE, FALSE RET ELSE EstablishApiHooksTimeW PROC PUSH FALSE PUSH TRUE JMP EAHTW ENDIF EstablishApiHooksTimeW ENDP ;================================================================================= PUBLIC EstablishApiHooksTimeNTA IFDEF NOOPT EstablishApiHooksTimeNTA PROC lpszDll, procID, ExpTime sWin32 IsProcessInitializedOrNotNT, procID sWin32 EstablishApiHooks, lpszDll, procID, ExpTime, FALSE, EAX RET ELSE EstablishApiHooksTimeNTA PROC sWin32 IsProcessInitializedOrNotNT, [ESP+8] PUSH EAX PUSH FALSE JMP EAHTW ENDIF EstablishApiHooksTimeNTA ENDP ;--------------------------------------------- PUBLIC EstablishApiHooksTimeNTW IFDEF NOOPT EstablishApiHooksTimeNTW PROC lpszDll, procID, ExpTime sWin32 IsProcessInitializedOrNotNT, procID sWin32 EstablishApiHooks, lpszDll, procID, ExpTime, TRUE, EAX RET ELSE EstablishApiHooksTimeNTW PROC sWin32 IsProcessInitializedOrNotNT, [ESP+8] PUSH EAX PUSH TRUE EAHTW:: sWin32 EstablishApiHooks, [ESP+20], [ESP+20], [ESP+20] RETN 12 ENDIF EstablishApiHooksTimeNTW ENDP ;================================================================================= PUBLIC RemoteExecuteTime IFDEF NOOPT RemoteExecuteTime PROC procID, ExpTime, lpBlock, BlockSize, lpCodeEnd sWin32 RemoteExecute, procID, ExpTime, lpBlock, BlockSize, lpCodeEnd, FALSE RET ELSE RemoteExecuteTime PROC SUB EAX, EAX JMP REXTW ENDIF RemoteExecuteTime ENDP ;--------------------------------------------- PUBLIC RemoteExecuteTimeNT IFDEF NOOPT RemoteExecuteTimeNT PROC procID, ExpTime, lpBlock, BlockSize, lpCodeEnd sWin32 IsProcessInitializedOrNotNT, procID sWin32 RemoteExecute, procID, ExpTime, lpBlock, BlockSize, lpCodeEnd, EAX RET ELSE RemoteExecuteTimeNT PROC sWin32 IsProcessInitializedOrNotNT, [ESP+4] REXTW:: sWin32 RemoteExecute, [ESP+24], [ESP+24], [ESP+24], [ESP+24], [ESP+24], EAX RETN 20 ENDIF RemoteExecuteTimeNT ENDP ;================================================================================= ;EstablishApiHooks is example of remote code preparation before passing ;it to RemoteExec. It works with code placed in ApiWorks.inc. EstablishApiHooks PROC USES EBX ESI EDI, lpszDll, procID, ExpTime, IsUnicode, ForceRT sWin32 RemoteAlloc9x, AlienSize, 0 ;allocate memory (here in this process) TEST EAX, EAX MOV EDI, EAX oMOV EAX, ErrorException JE EAHExit ;can't allocate PUSH EDI MOV ESI, AlienScout MOV ECX, AlienSize0/4 REP MOVSD ;and copy there the block POP EBX ;for the next modifications oMOV EAX, HOOKS_DYNAMIC MOV ESI, lpszDll CMP [ESI], EAX ;check for dynamic hooks JNE @F STOSD ;positive -> build dynamic "irp" MOV EAX, ESI ;HOOKS_DYNAMIC followed by STOSD ;pointer to hooks JMP DynaHooks @@: CMP IsUnicode, ECX ;check for unicode JE CopyDll ;ansi? -> copy iWin32 WideCharToMultiByte, ECX, ECX, ESI, -1, EDI, MAX_PATH, ECX, ECX TEST EAX, EAX ;convert to multibyte ErrExc: oMOV EAX, ErrorException JE EAHFreeExit ;WCTMB failed JMP DynaHooks CopyDll: oMOV ECX, MAX_PATH @@: LODSB STOSB TEST AL, AL JE DynaHooks DEC ECX JE ErrExc JMP @B DynaHooks: LEA EAX, [EBX][@Stop-AlienScout] ;EAX = EndOf ApiWorks sWin32 RemoteExecute, procID, ExpTime, EBX, AlienSize, EAX, ForceRT EAHFreeExit: PUSH EAX sWin32 RemoteFree9x, EBX ;free help memory POP EAX EAHExit: CMP EAX, ErrorTimeOut ;evaluate error code JBE @F oMOV EAX, ErrorRemoteExec @@: RET EstablishApiHooks ENDP ;================================================================================= ;Tries to run user code in the target process represented by procID. ;ExpTime is time for operation. Block is specified by lpBlock (start), ;BlockSize and lpCodeEnd (position of end zone in the block). ;Bool ForceRT parameter tells that RemoteExec should use remote thread if ;possible. ;Returns error code. RemoteExecute PROC USES EBX ESI EDI, procID, ExpTime, lpBlock, BlockSize, lpCodeEnd, ForceRT SUB EAX, EAX PUSH xHandler ;make xframe PUSH FS:(TEB PTR [EAX]).ExceptionList MOV FS:(TEB PTR [EAX]).ExceptionList, ESP sWin32 RemoteAlloc9x, BlockSize, EAX ;place for block copy TEST EAX, EAX MOV EDI, EAX oMOV EAX, ErrorRemoteAlloc JE DrWatson ;can't allocate memory PUSH EDI MOV ESI, lpBlock MOV ECX, BlockSize REP MOVSB ;copy block POP ESI MOV EAX, procID ;compare wanted with my PID CMP EAX, CurPID JNE StrangeProcess ;============CurrentProcess ;this is this process MOV EAX, lpCodeEnd SUB EAX, lpBlock MOV BYTE PTR [EAX+ESI], 0C3H ;write RET at the CodeEnd sWin32 ESI ;and do CALL JMP FreeMe ;============CurrentProcess ;evaluate which technique to use: StrangeProcess: MOV EAX, W32Version MOV ECX, PROCESS_VM_READ OR PROCESS_VM_WRITE OR \ PROCESS_VM_OPERATION OR PROCESS_QUERY_INFORMATION oLEA EDX, RemoteExec TEST EAX, EAX JS Initialized ;Win9x always open thread technique CMP ForceRT, FALSE MOV [EDX], RemoteExec9x ;open thread JE Initialized MOV [EDX], RemoteExecNT ;remote thread OR ECX, PROCESS_CREATE_THREAD ;needed for remote thread technique Initialized: iWin32 OpenProcess, ECX, FALSE, procID TEST EAX, EAX MOV EBX, EAX oMOV EAX, ErrorOpenProcess JE FreeMe ;can't open target sWin32 RemoteAlloc, BlockSize, ABOVE2GB TEST EAX, EAX MOV EDI, EAX oMOV EAX, ErrorRemoteAlloc JE EstablishHooksExit ;can't allocate memory in the target MOV ECX, lpCodeEnd SUB ECX, lpBlock ADD ECX, ESI sWin32 RemoteExec, procID, ExpTime, ESI, BlockSize, ECX EstablishHooksExit: PUSH EAX ;save error code iWin32 CloseHandle, EBX POP EAX ;restore error code FreeMe: PUSH EAX ;save error code sWin32 RemoteFree9x, ESI ;free copy of block POP EAX ;restore error code DrWatson:: POP FS:TEB.ExceptionList ;unchain me POP ECX ;remove xframe RET RemoteExecute ENDP ;================================================================================= ;Support routines: RemoteAllocNT PROC ;BlockSize, AllocMode sWin32 VirtualAllocEx, EBX, NULL, [ESP+12], MEM_COMMIT, PAGE_EXECUTE_READWRITE RETN 8 RemoteAllocNT ENDP ;You can pass ABOVE2GB as AllocMode to allocate memory in the shared memory ;above 2GB in Win9x RemoteAlloc9x PROC BlockSize, AllocMode MOV EAX, AllocMode OR EAX, MEM_COMMIT iWin32 VirtualAlloc, NULL, BlockSize, EAX, PAGE_EXECUTE_READWRITE RET RemoteAlloc9x ENDP ;------------------------------------------------------------------------------- ;Support routines: RemoteFreeNT PROC ;Block sWin32 VirtualFreeEx, EBX, [ESP+12], NULL, MEM_RELEASE RETN 4 RemoteFreeNT ENDP RemoteFree9x PROC ;Block iWin32 VirtualFree, [ESP+12], NULL, MEM_RELEASE RETN 4 RemoteFree9x ENDP ;------------------------------------------------------------------------------- INCLUDE RemExec.inc INCLUDE HookApi.inc INCLUDE ModApis.inc ;================================================================================= END DllMain :translate @ECHO OFF ML /c /coff /nologo /DNOOPT ApiHooksDLL.bat eLINK ApiHooksDLL /OUT:ApiHooks.dll /IGNORE:4108,4078,4060,4086 /nologo /DLL /STUB:PEstub.exe /SUBSYSTEM:WINDOWS /DEF:ApiHooks.def /MERGE:.idata=.text /MERGE:.rdata=.text /SECTION:.text,EWR /BASE:0x66F00000 /COMMENT:" http://elicz.cjb.net http://elicz.tsx.org " REN ApiHooks.lib AH.lib ML /c /coff /nologo ApiHooksDLL.bat eLINK ApiHooksDLL /OUT:ApiHooks.dll /IGNORE:4108,4078,4060,4086 /nologo /DLL /STUB:PEstub.exe /SUBSYSTEM:WINDOWS /DEF:ApiHooks.def /MERGE:.idata=.text /MERGE:.rdata=.text /SECTION:.text,EWR /BASE:0x66F00000 /COMMENT:" http://elicz.cjb.net http://elicz.tsx.org " DEL ApiHooks.lib >NUL REN AH.lib ApiHooks.lib eLINK -EDIT -NOLOGO ApiHooks.dll -SECTION:.text=" " -SECTION:.reloc=" " -RELEASE DEL ApiHooksDLL.obj eLINK -LIB -nologo -MACHINE:IX86 -DEF:ApiHooks.def -OUT:iApiHooks.lib DEL ApiHooks.exp DEL iApiHooks.exp PAUSE CLS