SHARE
TWEET

injector

a guest Jun 3rd, 2018 117 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ; ====================================================================================================
  2. ; Title:        API_HookEngine Module
  3. ; Description:  With this module you can hook procedures and api in windows
  4. ; Author:       Peyman
  5. ; Version:      1.0 (02 FEB 2016) initial version
  6. ;               1.1 (07 FEB 2016) added Inject DLL
  7. ;               1.2 (11 FEB 2016) improved injector, added Eject DLL & CallRemoteFunction with parrameter
  8. ; Platform:     Windows (X64 And X86) Unicode And Ansi
  9. ; License:      Free But Any improvements to be shared with the community.
  10. ; ====================================================================================================
  11.  
  12. Import "Kernel32.lib";Hotfix
  13.   GetProcAddress_(hMod.i, Name.p-ascii) As "_GetProcAddress@8"
  14. EndImport
  15.  
  16.  
  17. DeclareModule API_HookEngine
  18.   Declare.i Hook(*OldFunctionAddress, *NewFunctionAddress)
  19.   Declare.i UnHook(*hook_ptr)
  20.   Declare.i ProcAddress(ModuleName$, ProcName$)
  21.   Declare.i InjectDLL(PID, DLL$)
  22.   Declare.b EjectDLL(PID, DLL$, *_Module = #Null)
  23.   Declare.i CallRemoteFunction(PID, *Func, Proc2Call$, WaitForReturn.b = #False, *retValue = #Null, *Parameter = #Null, nSize = #Null)
  24. EndDeclareModule
  25.  
  26.  
  27. Module API_HookEngine  
  28.   EnableExplicit
  29.  
  30.   CompilerIf #PB_Compiler_Processor = #PB_Processor_x64
  31.     #INJECTOR_IS_64 = #True
  32.   CompilerElse
  33.     #INJECTOR_IS_64 = #False
  34.   CompilerEndIf
  35.  
  36.  
  37.   Structure opcode
  38.     CompilerIf #PB_Compiler_Processor = #PB_Processor_x64
  39.       mov.u
  40.     CompilerElse
  41.       mov.a
  42.     CompilerEndIf
  43.     addr.i
  44.     push.a
  45.     ret.a
  46.   EndStructure
  47.  
  48.  
  49.   Structure hookstruct
  50.     addr.i
  51.     hook.opcode
  52.     orig.a[SizeOf(opcode)]
  53.   EndStructure
  54.  
  55.  
  56.   CompilerIf #PB_Compiler_Unicode
  57.     Import "kernel32.lib"
  58.       GetProcAddress(hModule, lpProcName.p-ascii)
  59.     EndImport
  60.   CompilerElse
  61.     Import "kernel32.lib"
  62.       GetProcAddress(hModule, lpProcName.s)
  63.     EndImport
  64.   CompilerEndIf
  65.  
  66.  
  67.   Import ""
  68.     GetNativeSystemInfo(*info)
  69.   EndImport
  70.  
  71.  
  72.   Procedure.i ProcAddress(ModuleName$, ProcName$)
  73.     Protected moduleH.i
  74.    
  75.     moduleH = GetModuleHandle_(ModuleName$)
  76.     If moduleH = #Null
  77.       moduleH = LoadLibrary_(ModuleName$)
  78.       If moduleH = #Null
  79.         ProcedureReturn #Null
  80.       EndIf
  81.     EndIf
  82.    
  83.     ProcedureReturn GetProcAddress(moduleH, ProcName$)
  84.   EndProcedure
  85.  
  86.  
  87.   Procedure Hook(*OldFunctionAddress, *NewFunctionAddress)
  88.     Protected *hook_ptr.hookstruct
  89.    
  90.     If Not *OldFunctionAddress
  91.       ProcedureReturn #Null
  92.     EndIf
  93.    
  94.     *hook_ptr = AllocateMemory(SizeOf(hookstruct))
  95.     *hook_ptr\addr = *OldFunctionAddress
  96.     CompilerIf #PB_Compiler_Processor = #PB_Processor_x64
  97.       *hook_ptr\hook\mov = $B848
  98.     CompilerElse
  99.       *hook_ptr\hook\mov = $B8
  100.     CompilerEndIf
  101.     *hook_ptr\hook\addr = *NewFunctionAddress
  102.     *hook_ptr\hook\push = $50
  103.     *hook_ptr\hook\ret = $C3
  104.      
  105.     CopyMemory(*OldFunctionAddress, @*hook_ptr\orig, SizeOf(opcode))
  106.     If Not WriteProcessMemory_(GetCurrentProcess_(), *OldFunctionAddress, @*hook_ptr\hook, SizeOf(opcode), #Null)
  107.       FreeMemory(*hook_ptr)
  108.       ProcedureReturn #Null
  109.     Else
  110.       ProcedureReturn *hook_ptr
  111.     EndIf
  112.   EndProcedure
  113.  
  114.  
  115.   Procedure.i UnHook(*hook_ptr.hookstruct)
  116.     Protected retValue.i
  117.    
  118.     If *hook_ptr
  119.       If *hook_ptr\addr
  120.         If WriteProcessMemory_(GetCurrentProcess_(), *hook_ptr\addr, @*hook_ptr\orig, SizeOf(opcode), #Null)
  121.           retValue = *hook_ptr\addr
  122.           FreeMemory(*hook_ptr)
  123.           ProcedureReturn retValue
  124.         EndIf
  125.       EndIf
  126.     EndIf
  127.    
  128.     ProcedureReturn #Null
  129.   EndProcedure
  130.  
  131.  
  132.   Procedure Is64Process(PID); is the Process is 64;
  133.     Protected *IsWow64Process, retvalue, hProcess
  134.     Protected Info.SYSTEM_INFO, is_64 = #False
  135.    
  136.     GetNativeSystemInfo(Info)
  137.     If info\wProcessorArchitecture = 9 ; is a X64 os    
  138.       *IsWow64Process = ProcAddress("kernel32.dll", "IsWow64Process")
  139.       If *IsWow64Process
  140.         hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION, #False, PID)
  141.         If hProcess
  142.           CallFunctionFast(*IsWow64Process, hProcess, @retvalue)
  143.           CloseHandle_(hProcess)
  144.           If retvalue = #False
  145.             is_64 = #True
  146.           EndIf
  147.         EndIf
  148.       EndIf
  149.     EndIf
  150.    
  151.     ProcedureReturn is_64
  152.   EndProcedure
  153.  
  154.  
  155.   Procedure TraverseRemoteModules(PID, _Module$)
  156.     Protected modules.MODULEENTRY32
  157.     Protected snapshot, m_ok, modBaseAddr
  158.      
  159.     snapshot = CreateToolhelp32Snapshot_(#TH32CS_SNAPMODULE | #TH32CS_SNAPMODULE32, PID)
  160.     If snapshot
  161.       modules\dwSize = SizeOf(MODULEENTRY32)
  162.       m_ok = Module32First_(snapshot, modules)
  163.       While m_ok
  164.        
  165.         Debug PeekS(@modules\szModule)
  166.         If FindString(PeekS(@modules\szModule), _Module$, 1, #PB_String_NoCase)
  167.           modBaseAddr = modules\modBaseAddr
  168.           Break
  169.         EndIf
  170.         m_ok = Module32Next_(snapshot, modules)
  171.       Wend
  172.       CloseHandle_(snapshot)  
  173.     EndIf
  174.    
  175.     ProcedureReturn modBaseAddr
  176.   EndProcedure
  177.  
  178.  
  179.   Procedure TraverseRemoteProcs(PID, _Module$, ProcName$, *_Module = #Null)
  180.     Protected hProcess, modBaseAddr, retValue = #Null
  181.     Protected index, index2, TempChar.a, TempFunctionName.s
  182.     Protected DosHeader.IMAGE_DOS_HEADER
  183.     Protected Signature.l
  184.     Protected FileHeader.IMAGE_FILE_HEADER
  185.     Protected Is64Bit.b
  186.     Protected OptHeader64.IMAGE_OPTIONAL_HEADER64
  187.     Protected OptHeader32.IMAGE_OPTIONAL_HEADER32
  188.     Protected ExportDirectory.IMAGE_DATA_DIRECTORY
  189.     Protected ExportTable.IMAGE_EXPORT_DIRECTORY
  190.     Protected Dim ExportFunctionTable.l(0)
  191.     Protected Dim ExportNameTable.l(0)
  192.     Protected Dim ExportOrdinalTable.w(0)
  193.      
  194.      hProcess = OpenProcess_(#PROCESS_VM_READ, #False, PID)
  195.      If hProcess
  196.        If *_Module
  197.          modBaseAddr = *_Module
  198.        Else
  199.          modBaseAddr = TraverseRemoteModules(PID, _Module$)
  200.        EndIf
  201.      
  202.       If Not modBaseAddr
  203.         Goto TRM_END
  204.       EndIf
  205.      
  206.        If ReadProcessMemory_(hProcess, modBaseAddr, @DosHeader, SizeOf(IMAGE_DOS_HEADER), #Null) And DosHeader\e_magic <> $5A4D
  207.          Goto TRM_END
  208.        EndIf
  209.        
  210.        If ReadProcessMemory_(hProcess, modBaseAddr + DosHeader\e_lfanew, @Signature, SizeOf(Signature), #Null) And Signature <> $4550
  211.          Goto TRM_END
  212.        EndIf
  213.        
  214.        If Not ReadProcessMemory_(hProcess, modBaseAddr + DosHeader\e_lfanew + SizeOf(Signature), @FileHeader, SizeOf(IMAGE_FILE_HEADER), #Null)
  215.         Goto TRM_END
  216.       EndIf
  217.      
  218.        If FileHeader\SizeOfOptionalHeader = SizeOf(IMAGE_OPTIONAL_HEADER64)
  219.           Is64Bit = #True
  220.        ElseIf FileHeader\SizeOfOptionalHeader = SizeOf(IMAGE_OPTIONAL_HEADER32)
  221.           Is64Bit = #False
  222.        Else
  223.          Goto TRM_END
  224.        EndIf
  225.        
  226.        If Is64Bit
  227.           If ReadProcessMemory_(hProcess, modBaseAddr + DosHeader\e_lfanew + SizeOf(Signature) + SizeOf(IMAGE_FILE_HEADER),  @OptHeader64, FileHeader\SizeOfOptionalHeader, #Null) And OptHeader64\Magic <> $020B
  228.             Goto TRM_END
  229.           EndIf
  230.        Else
  231.           If ReadProcessMemory_(hProcess, modBaseAddr + DosHeader\e_lfanew + SizeOf(Signature) + SizeOf(IMAGE_FILE_HEADER), @OptHeader32, FileHeader\SizeOfOptionalHeader, #Null) And OptHeader32\Magic <> $010B
  232.             Goto TRM_END
  233.           EndIf
  234.         EndIf
  235.        
  236.        If Is64Bit And OptHeader64\NumberOfRvaAndSizes >= #IMAGE_DIRECTORY_ENTRY_EXPORT + 1
  237.           ExportDirectory\VirtualAddress = OptHeader64\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]\VirtualAddress
  238.           ExportDirectory\Size = OptHeader64\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]\Size
  239.        ElseIf OptHeader32\NumberOfRvaAndSizes >= #IMAGE_DIRECTORY_ENTRY_EXPORT + 1
  240.           ExportDirectory\VirtualAddress = OptHeader32\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]\VirtualAddress
  241.           ExportDirectory\Size = OptHeader32\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]\Size
  242.        Else
  243.          Goto TRM_END
  244.        EndIf
  245.        
  246.        If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportDirectory\VirtualAddress, @ExportTable, SizeOf(IMAGE_EXPORT_DIRECTORY), #Null)
  247.          Goto TRM_END
  248.        EndIf
  249.        
  250.        ReDim ExportFunctionTable(ExportTable\NumberOfFunctions)
  251.        ReDim ExportNameTable(ExportTable\NumberOfNames)
  252.        ReDim ExportOrdinalTable.w(ExportTable\NumberOfNames)
  253.        
  254.        If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportTable\AddressOfFunctions,   @ExportFunctionTable(), ExportTable\NumberOfFunctions * SizeOf(Long), #Null)
  255.          Goto TRM_END
  256.        EndIf
  257.      
  258.        If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportTable\AddressOfNames, @ExportNameTable(), ExportTable\NumberOfNames * SizeOf(Long), #Null)
  259.          Goto TRM_END
  260.        EndIf
  261.      
  262.        If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportTable\AddressOfNameOrdinals, @ExportOrdinalTable(), ExportTable\NumberOfNames * SizeOf(Word), #Null)
  263.          Goto TRM_END
  264.        EndIf
  265.  
  266.        For index = 0 To ExportTable\NumberOfNames - 1
  267.          TempFunctionName = ""
  268.          index2 = 0
  269.    
  270.          Repeat
  271.            If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportNameTable(index) + index2, @TempChar, SizeOf(TempChar), #Null)
  272.              Break 2
  273.           EndIf
  274.    
  275.              If TempChar = #Null
  276.                Break
  277.              Else
  278.                TempFunctionName + Chr(TempChar)
  279.              EndIf
  280.              
  281.              index2 + 1
  282.           ForEver
  283.        
  284.          If TempFunctionName = ProcName$
  285.            retValue = modBaseAddr + ExportFunctionTable(ExportOrdinalTable(index))
  286.            Break
  287.          EndIf
  288.       Next
  289.      
  290.       TRM_END:
  291.       CloseHandle_(hProcess)
  292.       FreeArray(ExportFunctionTable())
  293.       FreeArray(ExportNameTable())
  294.       FreeArray(ExportOrdinalTable())
  295.     EndIf
  296.    
  297.     ProcedureReturn retValue
  298.   EndProcedure
  299.  
  300.  
  301.   Procedure InjectDLL(PID.i, DLL$)
  302.     Protected address, ThreadHandle, BufferSize, *buffer
  303.     Protected ProcessHandle.i, retvalue = #Null, *dll_unicode
  304.     Protected is_target_64.b = #False
  305.    
  306.     If FileSize(Dll$) > 0
  307.       is_target_64 = Is64Process(PID)
  308.       If #INJECTOR_IS_64 = is_target_64
  309.         address = ProcAddress("kernel32.dll", "LoadLibraryW")
  310.       ElseIf #INJECTOR_IS_64
  311.         address = TraverseRemoteProcs(PID, "kernel32.dll", "LoadLibraryW")
  312.       Else
  313.         Debug "X86 Injector --> X64 Target not Supported yet!!"
  314.         ProcedureReturn #Null
  315.       EndIf
  316.      
  317.       Debug address
  318.      
  319.       ProcessHandle = OpenProcess_(#PROCESS_CREATE_THREAD | #PROCESS_QUERY_INFORMATION | #PROCESS_VM_OPERATION | #PROCESS_VM_WRITE | #PROCESS_VM_READ, #False, PID)
  320.       If ProcessHandle
  321.         Debug "A"
  322.         BufferSize = Len(Dll$) * 2 + 1
  323.         *dll_unicode = AllocateMemory(BufferSize)
  324.         PokeS(*dll_unicode, Dll$, -1, #PB_Unicode)
  325.         *buffer = VirtualAllocEx_(ProcessHandle, #Null, BufferSize, #MEM_COMMIT, #PAGE_READWRITE)
  326.         If *buffer
  327.          
  328.           Debug "B"
  329.           WriteProcessMemory_(ProcessHandle, *buffer, *dll_unicode, BufferSize, #Null)
  330.           ThreadHandle = CreateRemoteThread_(ProcessHandle, #Null, #Null, address, *buffer, #Null, #Null)
  331.           If ThreadHandle
  332.             Debug "C"
  333.             WaitForSingleObject_(ThreadHandle, #INFINITE)
  334.             CloseHandle_(ThreadHandle)
  335.             retvalue = TraverseRemoteModules(PID, GetFilePart(Dll$))
  336.           EndIf
  337.           VirtualFreeEx_(ProcessHandle, *buffer, #Null, #MEM_RELEASE)          
  338.         EndIf
  339.         CloseHandle_(ProcessHandle)
  340.         FreeMemory(*dll_unicode)
  341.       EndIf
  342.     EndIf
  343.    
  344.     ProcedureReturn retvalue
  345.   EndProcedure
  346.  
  347.  
  348.   Procedure.b EjectDLL(PID, DLL$, *_Module = #Null)
  349.     Protected address, ThreadHandle
  350.     Protected ProcessHandle, retvalue = #False
  351.     Protected is_target_64.b = #False
  352.    
  353.     If FileSize(Dll$) > 0 Or *_Module
  354.       is_target_64 = Is64Process(PID)
  355.       If #INJECTOR_IS_64 = is_target_64
  356.         address = ProcAddress("kernel32.dll", "FreeLibrary")
  357.       ElseIf #INJECTOR_IS_64
  358.         address = TraverseRemoteProcs(PID, "kernel32.dll", "FreeLibrary")
  359.       Else
  360.         Debug "X86 Ejector --> X64 Target not Supported yet!!"
  361.         ProcedureReturn #False
  362.       EndIf
  363.      
  364.       If Not *_Module
  365.         *_Module = TraverseRemoteModules(PID, GetFilePart(DLL$))
  366.         If Not *_Module
  367.           ProcedureReturn #False
  368.         EndIf
  369.       EndIf
  370.      
  371.       ProcessHandle = OpenProcess_(#PROCESS_CREATE_THREAD | #PROCESS_QUERY_INFORMATION | #PROCESS_VM_OPERATION | #PROCESS_VM_WRITE | #PROCESS_VM_READ, #False, PID)
  372.       If ProcessHandle
  373.         ThreadHandle = CreateRemoteThread_(ProcessHandle, #Null, #Null, address, *_Module, #Null, #Null)
  374.         If ThreadHandle
  375.           WaitForSingleObject_(ThreadHandle, #INFINITE)
  376.           CloseHandle_(ThreadHandle)
  377.           retvalue = #True
  378.         EndIf
  379.         CloseHandle_(ProcessHandle)
  380.       EndIf
  381.     EndIf
  382.    
  383.     ProcedureReturn retvalue
  384.   EndProcedure
  385.  
  386.  
  387.   Procedure CallRemoteFunction(PID, *Func, Proc2Call$, WaitForReturn.b = #False, *retValue = #Null, *Parameter = #Null, nSize = #Null)
  388.     Protected ret, ProcessHandle, address, *buffer
  389.     Protected ThreadHandle
  390.    
  391.     ProcessHandle = OpenProcess_(#PROCESS_CREATE_THREAD | #PROCESS_QUERY_INFORMATION | #PROCESS_VM_OPERATION | #PROCESS_VM_WRITE | #PROCESS_VM_READ, #False, PID)
  392.    
  393.     If ProcessHandle
  394.       address = TraverseRemoteProcs(PID, "", Proc2Call$, *Func)
  395.       If address
  396.         *buffer = #Null
  397.         If *Parameter And nSize
  398.           *buffer = VirtualAllocEx_(ProcessHandle, #Null, nSize, #MEM_COMMIT, #PAGE_READWRITE)
  399.           WriteProcessMemory_(ProcessHandle, *buffer, *Parameter, nSize, #Null)
  400.         EndIf
  401.              
  402.         ThreadHandle = CreateRemoteThread_(ProcessHandle, #Null, #Null, address, *buffer, #Null, #Null)
  403.         If ThreadHandle
  404.           If WaitForReturn
  405.             WaitForSingleObject_(ThreadHandle, #INFINITE)
  406.             If *retValue
  407.               GetExitCodeThread_(ProcessHandle, *retValue)
  408.             EndIf
  409.           EndIf
  410.           CloseHandle_(ThreadHandle)
  411.           ret = #True
  412.         EndIf
  413.        
  414.         If *buffer
  415.           VirtualFreeEx_(ProcessHandle, *buffer, #Null, #MEM_RELEASE)
  416.         EndIf
  417.         CloseHandle_(ProcessHandle)
  418.       EndIf
  419.     EndIf
  420.    
  421.     ProcedureReturn ret
  422.   EndProcedure
  423.  
  424.  
  425. EndModule
  426.  
  427.  
  428. #PROCESS_ALL_ACCESS_VISTA_WIN7 = $1FFFFF
  429.  
  430. Prototype.i PFNCreateToolhelp32Snapshot(dwFlags.i, th32ProcessID.i) ;
  431. Prototype.b PFNProcess32First(hSnapshot.i, *lppe.PROCESSENTRY32) ;
  432. Prototype.b PFNProcess32Next(hSnapshot.i, *lppe.PROCESSENTRY32) ;
  433.  
  434. Procedure GetPidByName(p_name$)
  435.     Protected hDLL.i, process_name$
  436.     Protected PEntry.PROCESSENTRY32, hTool32.i
  437.     Protected pCreateToolhelp32Snapshot.PFNCreateToolhelp32Snapshot
  438.     Protected pProcess32First.PFNProcess32First
  439.     Protected pProcess32Next.PFNProcess32Next
  440.     Protected pid.i    
  441.     hDLL = OpenLibrary(#PB_Any,"kernel32.dll")    
  442.     If hDLL
  443.         pCreateToolhelp32Snapshot = GetFunction(hDLL,"CreateToolhelp32Snapshot")
  444.         pProcess32First = GetFunction(hDLL,"Process32FirstW")
  445.         pProcess32Next = GetFunction(hDLL,"Process32NextW")
  446.     Else
  447.       ProcedureReturn 0
  448.      
  449.     EndIf  
  450.  
  451.      
  452.     PEntry\dwSize = SizeOf(PROCESSENTRY32)
  453.     hTool32 = pCreateToolhelp32Snapshot(#TH32CS_SNAPPROCESS, 0)
  454.     pProcess32First(hTool32, @PEntry)
  455.     process_name$ = PeekS(@PEntry\szExeFile,#PB_Unicode)  
  456.     Debug GetFilePart(UCase(process_name$))
  457.     If   GetFilePart(UCase(process_name$)) = GetFilePart(UCase(p_name$) )
  458.         ProcedureReturn PEntry\th32ProcessID
  459.     EndIf
  460.     While pProcess32Next(hTool32, @PEntry) > 0
  461.       process_name$ = PeekS(@PEntry\szExeFile,#PB_Unicode)  
  462.         If  GetFilePart(UCase(process_name$)) = GetFilePart(UCase(p_name$) )
  463.             ProcedureReturn PEntry\th32ProcessID
  464.         EndIf    
  465.     Wend  
  466.     CloseLibrary(hDLL)    
  467.     ProcedureReturn 0
  468.   EndProcedure
  469.  
  470.  
  471.   UseModule API_HookEngine
  472.  
  473.   Debug GetPidByName("LinkEngKM.exe")
  474. Debug InjectDLL( GetPidByName("LinkEngKM.exe"), "D:\io8.dll")
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top