1-
1+
#include <windows.h>
2
#include <stdio.h>
3
#include <stdlib.h>
4
#include <Winternl.h>
5
#include <assert.h>
6
#include <Tlhelp32.h>
7
8
#pragma pack(push, 1)
9
struct far_jmp
10
{
11
    BYTE PushOp;
12
    PVOID PushArg;
13
    BYTE RetOp;
14
};
15
 
16
struct OldCode
17
{
18
    DWORD One;
19
    WORD Two;
20
};
21
#pragma pack(pop) 
22
23
void StopThreads()
24
{
25
	DWORD currTh;
26
	HANDLE thrHandle;
27
	HANDLE h;
28
	DWORD currPr;
29
	THREADENTRY32 Thread;
30
31
	currTh = GetCurrentThreadId();
32
	currPr = GetCurrentProcessId();
33
	h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
34
	if(h != INVALID_HANDLE_VALUE) {
35
		Thread.dwSize = sizeof(THREADENTRY32);
36
		if(Thread32First(h, &Thread)) {
37
			do {
38
				if(Thread.th32ThreadID != currTh && Thread.th32OwnerProcessID == currPr) {
39
					thrHandle = OpenThread(THREAD_SUSPEND_RESUME, FALSE, Thread.th32ThreadID);
40
					if(thrHandle > 0) {
41
						SuspendThread(thrHandle);
42
						CloseHandle(thrHandle);
43
					}
44
				}
45
			}
46
			while(!Thread32Next(h, &Thread));
47
		}
48
		CloseHandle(h);
49
	}
50
}
51
52
void RunThreads()
53
{
54
	DWORD currTh;
55
	HANDLE thrHandle;
56
	HANDLE h;
57
	DWORD currPr;
58
	THREADENTRY32 Thread;
59
60
	currTh = GetCurrentThreadId();
61
	currPr = GetCurrentProcessId();
62
	h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
63
	if(h != INVALID_HANDLE_VALUE) {
64
		Thread.dwSize = sizeof(THREADENTRY32);
65
		if(Thread32First(h, &Thread)) {
66
			do {
67
				if(Thread.th32ThreadID != currTh && Thread.th32OwnerProcessID == currPr) {
68
					thrHandle = OpenThread(THREAD_SUSPEND_RESUME, FALSE, Thread.th32ThreadID);
69
					if(thrHandle > 0) {
70
						ResumeThread(thrHandle);
71
						CloseHandle(thrHandle);
72
					}
73
				}
74
			}
75
			while(!Thread32Next(h, &Thread));
76
		}
77
		CloseHandle(h);
78
	}
79
}
80
81
HANDLE RegQueryCurrProc;
82
PVOID AdrRegQuery;
83
OldCode OldRegQuery;
84
far_jmp JmpRegQuery;
85
86
typedef NTSTATUS (WINAPI *NewOpenKeyFun)(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);  
87
88
// My new function
89
NTSTATUS WINAPI NOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes) 
90
{
91
	FILE* outfile = fopen("syscalls.log", "a");
92
93
	
94
	buffer = (char*)malloc(ObjectAttributes->ObjectName->Length + 1);
95
	wctomb(buffer, *ObjectAttributes->ObjectName->Buffer);
96
	buffer[ObjectAttributes->ObjectName->Length] = '\0';
97
	fprintf(outfile, "%s\n", buffer);
98
	fclose(outfile);
99
100
    WriteProcessMemory(GetCurrentProcess(), AdrRegQuery, &OldRegQuery, sizeof(OldCode), &Written);
101
102
	//NewOpenKeyFun ZwOpenKeyAddress = 		(NewOpenKeyFun)GetProcAddress(GetModuleHandle(L"Ntdll.dll"), "ZwOpenKey");	
103
	NewOpenKeyFun ZwOpenKeyAddress = (NewOpenKeyFun)AdrRegQuery;
104
105
	NTSTATUS result = (*ZwOpenKeyAddress)(KeyHandle, DesiredAccess, ObjectAttributes);
106
	
107
	
108
    WriteProcessMemory(GetCurrentProcess(), AdrRegQuery, &JmpRegQuery, sizeof(far_jmp), &Written);
109
	return result;
110
}
111
112
void SetRegQueryHook()
113
{
114
	DWORD Written;
115
	AdrRegQuery = GetProcAddress(GetModuleHandle(L"Ntdll.dll"), "ZwOpenKey");
116
	JmpRegQuery.PushOp = 0x68;
117
        JmpRegQuery.PushArg = NOpenKey;
118
        JmpRegQuery.RetOp = 0xC3;
119
	ReadProcessMemory(GetCurrentProcess(), AdrRegQuery, &OldRegQuery, sizeof(OldCode), &Written);
120
	WriteProcessMemory(GetCurrentProcess(), AdrRegQuery, &JmpRegQuery, sizeof(far_jmp), &Written);
121
}
122
123
BOOL APIENTRY DllMain( HANDLE hModule, 
124
                       DWORD  ul_reason_for_call, 
125
                       LPVOID lpReserved
126
					 )
127
{	
128
	if( (ul_reason_for_call == DLL_PROCESS_ATTACH)) {	
129
		StopThreads();
130
		SetRegQueryHook();
131
		RunThreads();
132
	}	
133
    return TRUE;
134
}
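Review bot: In NOpenKey the log line is built from an uninitialized heap buffer: `wctomb(buffer, *ObjectAttributes->ObjectName->Buffer)` converts only the first wide character, `ObjectName->Length` is a byte count rather than a character count, and the remainder of the malloc'd block is written to syscalls.log as-is; the buffer is also never freed, and `buffer` and `Written` are not declared anywhere in that function. `ObjectAttributes`, `ObjectName` and the `fopen` result are dereferenced without a NULL check, so a caller that passes a NULL name, or a failed open of the log file, crashes the hooked process. Because a UNICODE_STRING is not NUL-terminated, printing it with a character-count precision avoids the conversion and the heap buffer entirely (rewrite below). Separately, `while(!Thread32Next(h, &Thread));` in StopThreads and RunThreads exits after the first successful Thread32Next call, so only the first one or two threads are suspended/resumed; the condition should read `while(Thread32Next(h, &Thread));`. The push/ret patch also leaves a window between the two WriteProcessMemory calls in which another thread can reach ZwOpenKey unhooked or re-enter NOpenKey, and on a 64-bit build `sizeof(far_jmp)` would exceed `sizeof(OldCode)` so the restore would be incomplete — a comment stating the 32-bit, serialized-call assumption above `struct far_jmp` would help the next reader.
```cpp
NTSTATUS WINAPI NOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes)
{
	SIZE_T Written = 0;

	// UNICODE_STRING.Length is in bytes and Buffer is not guaranteed to be
	// NUL-terminated, so bound the print by character count instead of
	// converting into a heap buffer.
	if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL
	    && ObjectAttributes->ObjectName->Buffer != NULL) {
		FILE* outfile = fopen("syscalls.log", "a");
		if (outfile != NULL) {
			fprintf(outfile, "%.*ls\n",
			        (int)(ObjectAttributes->ObjectName->Length / sizeof(WCHAR)),
			        ObjectAttributes->ObjectName->Buffer);
			fclose(outfile);
		}
	}

	// … unchanged: restore original bytes, call ZwOpenKey, re-apply the patch, return result …
```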