Call DeviceIoControl ; @tiep:push 1 call VietPro // Un Hook test al, al je @end mov eax,[esp] mov dDctv, eax // Store origin return Address add esp,04 mov eax, dAddLib call eax
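type
  PJMP = ^TJMP;
  // 7-byte absolute-jump stub written over the start of DeviceIoControl:
  //   B8 imm32   mov eax, imm32
  //   FF E0      jmp eax
  TJMP = packed record
    jma1 : Byte;      // opcode byte ($B8 = mov eax, imm32)
    jcod : Pointer;   // imm32 = address the stub jumps to (@TVPL)
    jma2 : Word;      // $E0FF, stored little-endian as FF E0 = jmp eax
  end;

var
  MJMP, OJMP : TJMP;  // MJMP = the hook stub; OJMP = the 7 original bytes it replaces
  // dFreeLib : address of kernel32!FreeLibrary
  // dAddLib  : address of kernel32!DeviceIoControl (the hooked entry point)
  // DLLData  : mapped view of the 'TV_PL' section; non-nil means "hook installed"
  // dDctv    : return address of the hooked DeviceIoControl call (single global,
  //            so it is not safe under concurrent calls from several threads)
  dFreeLib, dAddLib, DLLData, dDctv : Pointer;
  fAddPro : THandle;  // pseudo-handle of the current process (GetCurrentProcess)

const
  pLib  : PChar = 'kernel32.dll';
  pDio  : PChar = 'DeviceIoControl';
  pFree : PChar = 'FreeLibrary';
  pName : PChar = 'TV_PL';   // name of the shared file mapping

  // lKQ: $88 bytes that TVPL copies to (hi-word of the caller's return
  // address shl 16) - $10000. Bytes 0..$79 hold the fixed reply data;
  // AutoLoad stores the module handle at dword [$80] and @FreeLibrary at
  // dword [$84] (the listing's original comment had these two swapped;
  // the code in AutoLoad is authoritative). Because AutoLoad writes into
  // it, lKQ must be a writeable typed constant ({$J+}, the Delphi default).
  lKQ : array [0..$87] of byte =
    ($00,$00,$02,$00,$37,$00,$01,$00,$02,$00,$01,$00,$10,$00,$07,
     $00,$54,$56,$26,$26,$50,$4C,$20,$20,$00,$10,$00,$7A,$80,$A7,
     $E2,$9A,$A7,$60,$D3,$FC,$BB,$B1,$38,$EE,$DF,$9E,$DE,$30,$00,
     $04,$00,$18,$0A,$D0,$07,$31,$00,$04,$00,$07,$0B,$DF,$07,$FF,
     $FF,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,
     $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,
     $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,
     $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,
     $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00);

  // lML: $27 bytes of machine code that TVPL copies over the routine at
  // xxxx1DA0 (the target of the `call` that TVPL verifies at xxxx215C;
  // the original comment said 1AD0, which does not match the code).
  lML : array [0..$26] of byte =
    ($55,$E8,$00,$00,$00,$00,$5D,$8B,$D5,$5D,$81,$E2,$00,$00,$FE,
     $FF,$8D,$38,$8D,$32,$33,$C9,$83,$C1,$20,$F3,$A5,$8B,$06,$50,
     $8B,$46,$04,$FF,$D0,$C2,$04,$00,$90);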
// VietPro: read or rewrite the 7-byte hook slot at the start of
// DeviceIoControl (dAddLib) in the current process.
//   N = 0 : save the current bytes into OJMP; True only if all 7 were read.
//   N = 1 : write OJMP back (remove the hook).
//   other : write MJMP (install the hook).
// Any exception is swallowed and reported as False (best effort). The
// writes go through WriteProcessMemory instead of VirtualProtect + direct
// stores; no page protection is touched here.
function VietPro( N: Integer): boolean ; stdcall ;
var
  nDone: DWORD;
begin
  result := false;
  try
    if N = 0 then
    begin
      ReadProcessMemory(fAddPro, dAddLib, @OJMP, SizeOf(OJMP), nDone);
      result := nDone = SizeOf(OJMP);
    end
    else if N = 1 then
      result := WriteProcessMemory(fAddPro, dAddLib, @OJMP, SizeOf(OJMP), nDone)
    else
      result := WriteProcessMemory(fAddPro, dAddLib, @MJMP, SizeOf(MJMP), nDone);
  except
    result := false;
  end;
end;
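// TVPL: body of the DeviceIoControl hook. It is reached through the 7-byte
// stub (mov eax, @TVPL / jmp eax) written over the first bytes of
// DeviceIoControl, so on entry [esp] is the return address of the hooked
// DeviceIoControl call and the eight stdcall arguments lie above it. It
// never returns to the stub: every path ends with a ret to the caller or a
// jump into the original API.
//
//  * If the return address looks like the expected call site (low word
//    $12EA, and the dword at xxxx215C is E8 3F FC FF = `call xxxx1DA0`),
//    the hook is removed, lKQ is copied to (hi-word shl 16) - $10000, lML is
//    copied over xxxx1DA0 and control jumps into the original
//    DeviceIoControl. The hook is NOT re-armed on this path.
//  * Otherwise the hook is removed, the original DeviceIoControl is called
//    with the caller's arguments, the hook is re-armed and the BOOL result
//    is returned.
//  * If the hook cannot be removed, the call is dropped: the eight arguments
//    are popped and control returns to the caller (al = 0 from VietPro;
//    the rest of eax is unspecified).
//
// Fixes against the listed version: the `rep movsd` that copies lKQ had been
// swallowed into a comment (so lKQ was never copied), esi/edi were clobbered
// although DeviceIoControl's caller expects them preserved (stdcall), and the
// final `end;` had been swallowed into a comment.
//
// Caveats visible in the code and not changed here:
//  - dDctv is one global, so concurrent DeviceIoControl calls from several
//    threads overwrite each other's return address, and while the hook is
//    removed other threads bypass it entirely.
//  - The stores to xxxx1DA0 and to the lKQ destination are plain writes:
//    no VirtualProtect is done, so those pages must already be writable.
//  - Address checks use only the low 16 bits of the return address; the
//    target module is assumed to sit at a 64 KiB-aligned base.
procedure TVPL ;
asm
  // ---- Is this the call site we are looking for? ----
  mov   eax, [esp]                    // eax = return address of the hooked call
  mov   ecx, eax                      // ecx keeps the return address
  xor   ax, $12EA                     // ZF set iff low word = $12EA
  jne   @tiep
  add   ax, $215C                     // ax is 0 here -> eax = xxxx215C
  cmp   dword ptr [eax], $FFFC3FE8    // E8 3F FC FF = call xxxx1DA0 (rel32 -$3C1)
  jne   @tiep
  // ---- Found: remove the hook for good and patch the module ----
  push  ecx                           // VietPro may clobber ecx/edx
  push  1
  call  VietPro                       // restore DeviceIoControl's original bytes
  pop   ecx
  test  al, al
  je    @end
  push  esi                           // the caller of DeviceIoControl expects
  push  edi                           // esi/edi preserved (stdcall)
  // Copy lKQ ($88 bytes) to (hi-word of the return address shl 16) - $10000
  mov   eax, ecx                      // e.g. $28Fyyyy
  xor   ax, ax                        // $28F0000
  push  eax
  sub   eax, $10000                   // $28E0000
  mov   edi, eax
  lea   esi, lKQ
  mov   ecx, $22                      // $22 dwords = $88 bytes
  rep   movsd
  // Copy lML ($27 bytes) over the code at xxxx1DA0
  pop   eax
  add   ax, $1DA0
  mov   edi, eax
  lea   esi, lML
  mov   eax, $27                      // length of lML
  mov   ecx, eax
  shr   ecx, 2
  rep   movsd                         // 9 dwords
  mov   ecx, eax
  and   ecx, 3
  rep   movsb                         // 3 remaining bytes
  pop   edi
  pop   esi
  // Continue in the (now unhooked) original DeviceIoControl
  push  dAddLib
  ret
@end:
  // Could not remove the hook: drop the call. Pop the return address and the
  // eight dword arguments ($24 bytes), then return to the caller.
  mov   ecx, [esp]
  add   esp, $24
  push  ecx
  ret
@tiep:
  // Not the call site: forward to the real DeviceIoControl.
  push  1
  call  VietPro                       // remove the hook
  test  al, al
  je    @end
  mov   eax, [esp]
  mov   dDctv, eax                    // save the caller's return address (global!)
  add   esp, 4                        // esp now points at the eight arguments
  mov   eax, dAddLib
  call  eax                           // stdcall: pops the 32 bytes of arguments
  push  eax                           // keep the BOOL result
  push  2
  call  VietPro                       // re-arm the hook
  pop   eax
  push  dDctv                         // put the return address back
  ret
end;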
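// AutoLoad(FModul): record the module handle handed in by the patched code
// (the original comments call it makfix.dll / marfix.dll; not verifiable
// here). If the hook is active (DLLData <> nil) it stores FModul at
// lKQ[$80] and the address of FreeLibrary at lKQ[$84] and returns nil;
// otherwise it returns the address of FreeLibrary unchanged.
// Fixes against the listed version: the `lea` that loads the lKQ address had
// been swallowed into a comment (the stores then went through an
// uninitialised register), and esi - callee-saved in Delphi - is no longer
// clobbered; edx is used as scratch instead.
function AutoLoad( FModul: THandle): pointer; stdcall;
asm
  mov   ecx, dFreeLib       // ecx = @FreeLibrary (returned when not hooked)
  mov   eax, DLLData
  test  eax, eax            // hook installed?
  je    @NotOK              // no: return @FreeLibrary
  lea   edx, lKQ
  add   edx, $80            // edx = @lKQ[$80]
  mov   eax, FModul
  mov   [edx], eax          // [lKQ+$80] = module handle
  mov   [edx+4], ecx        // [lKQ+$84] = @FreeLibrary
  xor   ecx, ecx            // stored: return nil
@NotOK:
  mov   eax, ecx
end;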
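// MyDLL: DLL entry-point handler (how it is wired up as DllProc is outside
// this listing). On DLL_PROCESS_ATTACH it resolves DeviceIoControl and
// FreeLibrary in kernel32, saves the first 7 bytes of DeviceIoControl
// (OJMP), maps the shared section 'TV_PL' - whose mapped address doubles as
// the "hook active" flag (DLLData) - and overwrites those 7 bytes with a jump
// to TVPL. Nothing is done on DLL_PROCESS_DETACH, so if this DLL is ever
// unloaded the hook keeps pointing at unmapped memory.
//
// Fixes against the listed version:
//  - `DLLData = nil` was a comparison, not an assignment.
//  - the `exit` after MapViewOfFile was unconditional, so the hook was never
//    installed; it now runs only when the mapping failed.
//  - `DLLData := nil` was unconditional, so AutoLoad always saw "not hooked";
//    it now runs only when installing the hook failed.
//  - if the original bytes cannot be read (VietPro(0) = False) the hook is
//    no longer installed, since it could never be removed again.
// Security note: the section is created with no SECURITY_ATTRIBUTES and a
// fixed name, and an already-existing object of that name is accepted as-is.
procedure MyDLL(Reason : integer);
var
  hKernel, hMap: THandle;
begin
  if Reason <> DLL_PROCESS_ATTACH then
    Exit;

  fAddPro := GetCurrentProcess;
  if fAddPro = 0 then Exit;
  hKernel := GetModuleHandleA(pLib);
  if hKernel = 0 then Exit;
  dAddLib  := GetProcAddress(hKernel, pDio);
  dFreeLib := GetProcAddress(hKernel, pFree);
  DLLData  := nil;
  if (dAddLib = nil) or (dFreeLib = nil) then Exit;

  // Save the bytes we are about to overwrite; without them the hook could
  // never be removed.
  if not VietPro(0) then Exit;

  hMap := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0, $FFFF, pName);
  if hMap = 0 then
  begin
    // NOTE(review): per the Win32 docs CreateFileMapping already returns the
    // existing object's handle and sets ERROR_ALREADY_EXISTS, so this
    // fallback may rarely run - kept as in the original.
    if GetLastError <> ERROR_ALREADY_EXISTS then Exit;
    hMap := OpenFileMapping(FILE_MAP_ALL_ACCESS, False, pName);
    if hMap = 0 then Exit;
  end;
  DLLData := MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
  if DLLData = nil then
  begin
    CloseHandle(hMap);
    Exit;
  end;
  // hMap is deliberately left open for the lifetime of the process.

  // 7-byte stub: mov eax, @TVPL / jmp eax
  MJMP.jma1 := $B8;
  MJMP.jcod := @TVPL;
  MJMP.jma2 := $E0FF;
  if not VietPro(2) then
  begin
    UnmapViewOfFile(DLLData);
    DLLData := nil;
  end;
end;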