
Cracker Handbook 1.0 part 191 potx


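Type
  PJMP = ^TJMP ;
  // 7-byte code stub that is written over the first bytes of DeviceIoControl:
  //   jma1 = $B8  (mov eax,imm32)   jcod = the imm32 target   jma2 = $E0FF (jmp eax)
  // `packed` is essential: any alignment padding would change the number of
  // bytes VietPro reads/writes and corrupt the function entry.
  TJMP = packed record // 7 bytes
    jma1 : Byte ;
    jcod : pointer;
    jma2 : word ;
  end;
var MJMP,OJMP : TJMP;   // MJMP = hook stub to install, OJMP = original entry bytes saved by VietPro(0)
// Addresses resolved at attach time: FreeLibrary, DeviceIoControl, the mapped
// view of the 'TV_PL' file mapping (non-nil means the hook is active), and a
// scratch slot where TVPL parks the caller's return address around the
// pass-through call (a single global, so it is not reentrant).
dFreeLib, dAddLib,DLLData,dDctv : pointer ;
fAddPro : Thandle ; // pseudo-handle from GetCurrentProcess: the patch targets this process only
const
pLib : pChar = 'kernel32.dll';
pDio : pChar = 'DeviceIoControl';
pFree: pChar = 'FreeLibrary';
pName: pChar = 'TV_PL';       // name of the shared file mapping used as the "hook installed" flag
// lKQ: $88 bytes that TVPL copies to (caller image base - $10000). Per the
// original comment, bytes 0..$79 hold the expected ("right") result;
// dword [$80] = module handle and dword [$84] = @FreeLibrary are filled in by AutoLoad.
// Fix: the `..` range operator was lost in extraction ([0 $87] does not compile).
lKQ : array [0..$87] of byte =
($00,$00,$02,$00,$37,$00,$01,$00,$02,$00,$01,$00,$10,$00,$07,
$00,$54,$56,$26,$26,$50,$4C,$20,$20,$00,$10,$00,$7A,$80,$A7,
$E2,$9A,$A7,$60,$D3,$FC,$BB,$B1,$38,$EE,$DF,$9E,$DE,$30,$00,
$04,$00,$18,$0A,$D0,$07,$31,$00,$04,$00,$07,$0B,$DF,$07,$FF,
$FF,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,
$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,
$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,
$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,
$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00);
// lML: $27 bytes of x86 code that TVPL writes over the routine at xxxx1DA0.
// Reading the bytes, it appears to copy $20 dwords from the 128K-aligned base
// (edx = return address and $FFFE0000) into [eax], then call dword [base+$84]
// with dword [base+$80] as argument and `ret 4` — i.e. the FreeLibrary/handle
// pair that AutoLoad stores. Disassembly is the reviewer's reading; verify.
// Fix: the `..` range operator was lost in extraction ([0 $26] does not compile).
lML : array [0..$26] of byte =
($55,$E8,$00,$00,$00,$00,$5D,$8B,$D5,$5D,$81,$E2,$00,$00,$FE,
$FF,$8D,$38,$8D,$32,$33,$C9,$83,$C1,$20,$F3,$A5,$8B,$06,$50,
$8B,$46,$04,$FF,$D0,$C2,$04,$00,$90);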

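// Patch helper for the 7-byte hook at the entry of DeviceIoControl (dAddLib)
// in the current process (fAddPro).
//   N = 0 : snapshot the original entry bytes into OJMP (must run before any write)
//   N = 1 : write OJMP back over the entry (un-hook)
//   else  : write the MJMP stub (mov eax,@TVPL / jmp eax) over the entry (hook)
// Returns True only when the API succeeded AND the full sizeOf(TJMP) bytes were
// transferred. Every API failure and every exception is reported as False;
// nothing is raised to the caller.
// Fix: the original ignored ReadProcessMemory's return value and compared an
// uninitialised dRead, so a failed read could be reported as success.
// NOTE(review): this rewrites live code in-process; a thread that is inside
// or about to enter DeviceIoControl while the bytes change is not guarded
// against anywhere in this file — confirm the target is single-threaded here.
function VietPro( N: Integer): boolean ; stdcall ;
var dRead: Dword ;
begin
  result := false;
  dRead := 0; // local has no defined value until the API writes it
  Try
    case N of
      0: if ReadProcessMemory(fAddPro,dAddLib,@OJMP,sizeOf(OJMP),dRead) then
           result := (dRead = sizeOf(OJMP));
      1: if WriteProcessMemory(fAddPro,dAddLib,@OJMP,sizeOf(OJMP),dRead) then
           result := (dRead = sizeOf(OJMP));
    else
      if WriteProcessMemory(fAddPro,dAddLib,@MJMP,sizeOf(MJMP),dRead) then
        result := (dRead = sizeOf(MJMP));
    end;
  except
    result := false;
  end;
end;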

// Hook body that the MJMP stub (mov eax,@TVPL / jmp eax) jumps to from the
// first bytes of DeviceIoControl. On entry the stack is exactly DeviceIoControl's:
// [esp] = caller's return address, [esp+4..] = the 8 stdcall arguments ($20 bytes).
// There is no frame; every path leaves via `ret`.
// Paths:
//   * caller fingerprinted by (low word of return address = $12EA) and the
//     opcode at xxxx215C: un-hook, copy lKQ and lML into the caller's image,
//     then tail-jump into the (now original) DeviceIoControl. The hook is NOT
//     re-installed on this path.
//   * any other caller (@tiep): un-hook, call the original DeviceIoControl with
//     the caller's arguments, re-hook, return its result.
//   * un-hook failure on either path (@end): pop the 8 arguments and return to
//     the caller without ever calling DeviceIoControl.
// NOTE(review): ecx/esi/edi are overwritten and not restored before control
// reaches the original routine on the fingerprinted path (Win32 callers
// normally expect esi/edi preserved), and dDctv is one global, so two threads
// passing through here at once would clobber each other's return address —
// confirm the target only calls DeviceIoControl from one thread.
procedure TVPL ;
asm
// --- Check Address: is this the one call site we want to patch? ---
mov eax,[esp]               // caller's return address
mov ecx,eax                 // untouched copy, needed below
xor ax, $12EA               // the 1st call of DeviceIoControl returns at xxxx12EA
test ax, ax                 // ax = 0 <=> low word matched; eax is now xxxx0000
jne @tiep
// Check opcode at xxxx215C: expect E8 3F FC FF = `call rel32` to xxxx1DA0
// ($215C + 5 - $3C1 = $1DA0); as a little-endian dword that is $FFFC3FE8.
add ax,$215C
cmp dword ptr [eax], $FFFC3FE8
jne @tiep
// --- End check Address: correct image found ---
// Un-hook first so the tail-jump at the end lands on original code
push ecx                    // VietPro is stdcall; keep our copy of the return address
push 1
call VietPro
pop ecx
test al, al
je @end
// Copy lKQ ($88 bytes = $22 dwords) to (return address and $FFFF0000) - $10000
mov eax,ecx                 // $28Fyyyy in the author's example
xor ax,ax                   // -> $28F0000 (64K base of the caller)
push eax                    // remember the base for the lML copy below
sub eax, $10000             // -> $28E0000
lea edi,[eax]
lea esi, [LKQ[0]]
xor ecx, ecx
add ecx, $22                // $22 dwords = $88 bytes of lKQ (assumes DF clear)
repz movsd
// Overwrite the code at xxxx1DA0 with lML ($27 bytes: 9 dwords + 3 bytes)
pop eax
add ax,$1DA0
lea edi,[eax]
lea esi,[LML[0]]
xor ecx, ecx
add ecx, $27                // length of lML
mov eax, ecx
shr ecx, $02                // whole dwords
repz movsd
mov ecx, eax
and ecx, $03                // remaining bytes
repz movsb
// Tail-jump to the original DeviceIoControl; [esp] is still the caller's return address
push dAddLib                // original DeviceIoControl entry
ret
/// Error path: un-hook failed. Discard the 8 arguments and return straight to
/// the caller as if DeviceIoControl had returned (al = 0 at this point).
@end: mov ecx,[esp]
add esp,$24                 // return address + 8 * 4 bytes of stdcall arguments
push ecx
ret
/// Address check failed: pass the call through to the real DeviceIoControl
@tiep:push 1
call VietPro                // un-hook
test al, al
je @end
mov eax,[esp]
mov dDctv, eax              // park the caller's return address (global: not reentrant)
add esp,04                  // the 8 arguments are now on top, as the original expects
mov eax, dAddLib
call eax                    // original DeviceIoControl; stdcall, it pops the arguments
push eax                    // keep its result across the re-hook
push 2
call VietPro                // hook again
pop eax
push dDCtv                  // restore the caller's return address; the implicit epilogue returns
end;

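// Fills the two reserved slots at the end of lKQ once the hook is active.
//   FModul : module handle (the original comment says makfix.dll)
// If DLLData <> nil (hook installed): stores FModul at lKQ[$80] and the address
// of FreeLibrary at lKQ[$84], returns nil.
// If DLLData = nil (hook not installed): returns @FreeLibrary unchanged so the
// caller can fall back to it. The caller is not visible in this listing.
// Fix: the original scratched esi, which Delphi (and the Win32 convention
// for an exported stdcall routine) require an asm routine to preserve; edx
// is caller-saved, so use it instead.
function AutoLoad( FModul: THandle): pointer; stdcall;
asm
  mov ecx, dFreeLib         // default result: @FreeLibrary
  mov eax, DLLData
  test eax, eax             // hook installed?
  je @NotOK                 // no: return @FreeLibrary
  lea edx, [lKQ[$80]]
  mov eax, FModul           // module handle passed by the caller
  mov [edx], eax            // lKQ[$80..$83] := FModul
  mov [edx+04], ecx         // lKQ[$84..$87] := @FreeLibrary
  xor ecx, ecx              // result := nil
@NotOK:
  mov eax, ecx
end;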


procedure MyDLL(Reason : integer);
var fTmp,FHandle : THandle;
begin

case Reason of

DLL_PROCESS_ATTACH:
begin
fAddPro := GetCurrentProcess ;
if fAddPro = 0 then exit;
fTmp := GetModuleHandleA(pLib);

if fTmp = 0 then exit;
dAddLib := GetProcAddress(fTmp,pDio);
dFreeLib := GetProcAddress(fTmp,pFree);
DLLData = nil ;

if (dAddLib = nil) or (dFreeLib=nil) then exit;
if VietPro(0)then
begin
FHandle := CreateFileMapping($FFFFFFFF, nil,
PAGE_READWRITE, 0,$ffff, pName);
if FHandle = 0 then
if GetLastError = ERROR_ALREADY_EXISTS then
begin
FHandle := OpenFileMapping(FILE_MAP_ALL_ACCESS,
False, pName);
if FHandle = 0 then Exit;
end
else Exit;
DLLData := MapViewOfFile(FHandle,
FILE_MAP_ALL_ACCESS,0,0,0);
if DLLData = nil then
begin
CloseHandle(FHandle);
exit;
end;

MJMP.jma1 := $B8 ;
MJMP.jcod := @TVPL ; // mov eax, @TVPL
MJMP.jma2 := $E0FF ; // jmp eax


if not VietPro(2)then
begin
if Assigned(DLLData) then UnmapViewOfFile(DLLData);
DLLData := nil;
end;

end;

end;
