API tools faq
paste
Advertisement
Guest User

injector

a guest
Jun 3rd, 2018
211
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PureBasic 16.08 KB | None | 0 0
raw download clone embed print report
  1. ; ====================================================================================================
  2. ; Title:        API_HookEngine Module
  3. ; Description:  With this module you can hook procedures and api in windows
  4. ; Author:       Peyman
  5. ; Version:      1.0 (02 FEB 2016) initial version
  6. ;               1.1 (07 FEB 2016) added Inject DLL
  7. ;               1.2 (11 FEB 2016) improved injector, added Eject DLL & CallRemoteFunction with parrameter
  8. ; Platform:     Windows (X64 And X86) Unicode And Ansi
  9. ; License:      Free But Any improvements to be shared with the community.
  10. ; ====================================================================================================
  11.  
  12. Import "Kernel32.lib";Hotfix
  13.   GetProcAddress_(hMod.i, Name.p-ascii) As "_GetProcAddress@8"
  14. EndImport
  15.  
  16.  
  17. DeclareModule API_HookEngine
  18.   Declare.i Hook(*OldFunctionAddress, *NewFunctionAddress)
  19.   Declare.i UnHook(*hook_ptr)
  20.   Declare.i ProcAddress(ModuleName$, ProcName$)
  21.   Declare.i InjectDLL(PID, DLL$)
  22.   Declare.b EjectDLL(PID, DLL$, *_Module = #Null)
  23.   Declare.i CallRemoteFunction(PID, *Func, Proc2Call$, WaitForReturn.b = #False, *retValue = #Null, *Parameter = #Null, nSize = #Null)
  24. EndDeclareModule
  25.  
  26.  
  27. Module API_HookEngine  
  28.   EnableExplicit
  29.  
  30.   CompilerIf #PB_Compiler_Processor = #PB_Processor_x64
  31.     #INJECTOR_IS_64 = #True
  32.   CompilerElse
  33.     #INJECTOR_IS_64 = #False
  34.   CompilerEndIf
  35.  
  36.  
  37.   Structure opcode
  38.     CompilerIf #PB_Compiler_Processor = #PB_Processor_x64
  39.       mov.u
  40.     CompilerElse
  41.       mov.a
  42.     CompilerEndIf
  43.     addr.i
  44.     push.a
  45.     ret.a
  46.   EndStructure
  47.  
  48.  
  49.   Structure hookstruct
  50.     addr.i
  51.     hook.opcode
  52.     orig.a[SizeOf(opcode)]
  53.   EndStructure
  54.  
  55.  
  56.   CompilerIf #PB_Compiler_Unicode
  57.     Import "kernel32.lib"
  58.       GetProcAddress(hModule, lpProcName.p-ascii)
  59.     EndImport
  60.   CompilerElse
  61.     Import "kernel32.lib"
  62.       GetProcAddress(hModule, lpProcName.s)
  63.     EndImport
  64.   CompilerEndIf
  65.  
  66.  
  67.   Import ""
  68.     GetNativeSystemInfo(*info)
  69.   EndImport
  70.  
  71.  
  72.   Procedure.i ProcAddress(ModuleName$, ProcName$)
  73.     Protected moduleH.i
  74.    
  75.     moduleH = GetModuleHandle_(ModuleName$)
  76.     If moduleH = #Null
  77.       moduleH = LoadLibrary_(ModuleName$)
  78.       If moduleH = #Null
  79.         ProcedureReturn #Null
  80.       EndIf
  81.     EndIf
  82.    
  83.     ProcedureReturn GetProcAddress(moduleH, ProcName$)
  84.   EndProcedure
  85.  
  86.  
  87.   Procedure Hook(*OldFunctionAddress, *NewFunctionAddress)
  88.     Protected *hook_ptr.hookstruct
  89.    
  90.     If Not *OldFunctionAddress
  91.       ProcedureReturn #Null
  92.     EndIf
  93.    
  94.     *hook_ptr = AllocateMemory(SizeOf(hookstruct))
  95.     *hook_ptr\addr = *OldFunctionAddress
  96.     CompilerIf #PB_Compiler_Processor = #PB_Processor_x64
  97.       *hook_ptr\hook\mov = $B848
  98.     CompilerElse
  99.       *hook_ptr\hook\mov = $B8
  100.     CompilerEndIf
  101.     *hook_ptr\hook\addr = *NewFunctionAddress
  102.     *hook_ptr\hook\push = $50
  103.     *hook_ptr\hook\ret = $C3
  104.      
  105.     CopyMemory(*OldFunctionAddress, @*hook_ptr\orig, SizeOf(opcode))
  106.     If Not WriteProcessMemory_(GetCurrentProcess_(), *OldFunctionAddress, @*hook_ptr\hook, SizeOf(opcode), #Null)
  107.       FreeMemory(*hook_ptr)
  108.       ProcedureReturn #Null
  109.     Else
  110.       ProcedureReturn *hook_ptr
  111.     EndIf
  112.   EndProcedure
  113.  
  114.  
  115.   Procedure.i UnHook(*hook_ptr.hookstruct)
  116.     Protected retValue.i
  117.    
  118.     If *hook_ptr
  119.       If *hook_ptr\addr
  120.         If WriteProcessMemory_(GetCurrentProcess_(), *hook_ptr\addr, @*hook_ptr\orig, SizeOf(opcode), #Null)
  121.           retValue = *hook_ptr\addr
  122.           FreeMemory(*hook_ptr)
  123.           ProcedureReturn retValue
  124.         EndIf
  125.       EndIf
  126.     EndIf
  127.    
  128.     ProcedureReturn #Null
  129.   EndProcedure
  130.  
  131.  
  132.   Procedure Is64Process(PID); is the Process is 64;
  133.     Protected *IsWow64Process, retvalue, hProcess
  134.     Protected Info.SYSTEM_INFO, is_64 = #False
  135.    
  136.     GetNativeSystemInfo(Info)
  137.     If info\wProcessorArchitecture = 9 ; is a X64 os    
  138.       *IsWow64Process = ProcAddress("kernel32.dll", "IsWow64Process")
  139.       If *IsWow64Process
  140.         hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION, #False, PID)
  141.         If hProcess
  142.           CallFunctionFast(*IsWow64Process, hProcess, @retvalue)
  143.           CloseHandle_(hProcess)
  144.           If retvalue = #False
  145.             is_64 = #True
  146.           EndIf
  147.         EndIf
  148.       EndIf
  149.     EndIf
  150.    
  151.     ProcedureReturn is_64
  152.   EndProcedure
  153.  
  154.  
  155.   Procedure TraverseRemoteModules(PID, _Module$)
  156.     Protected modules.MODULEENTRY32
  157.     Protected snapshot, m_ok, modBaseAddr
  158.      
  159.     snapshot = CreateToolhelp32Snapshot_(#TH32CS_SNAPMODULE | #TH32CS_SNAPMODULE32, PID)
  160.     If snapshot
  161.       modules\dwSize = SizeOf(MODULEENTRY32)
  162.       m_ok = Module32First_(snapshot, modules)
  163.       While m_ok
  164.        
  165.         Debug PeekS(@modules\szModule)
  166.         If FindString(PeekS(@modules\szModule), _Module$, 1, #PB_String_NoCase)
  167.           modBaseAddr = modules\modBaseAddr
  168.           Break
  169.         EndIf
  170.         m_ok = Module32Next_(snapshot, modules)
  171.       Wend
  172.       CloseHandle_(snapshot)  
  173.     EndIf
  174.    
  175.     ProcedureReturn modBaseAddr
  176.   EndProcedure
  177.  
  178.  
  179.   Procedure TraverseRemoteProcs(PID, _Module$, ProcName$, *_Module = #Null)
  180.     Protected hProcess, modBaseAddr, retValue = #Null
  181.     Protected index, index2, TempChar.a, TempFunctionName.s
  182.     Protected DosHeader.IMAGE_DOS_HEADER
  183.     Protected Signature.l
  184.     Protected FileHeader.IMAGE_FILE_HEADER
  185.     Protected Is64Bit.b
  186.     Protected OptHeader64.IMAGE_OPTIONAL_HEADER64
  187.     Protected OptHeader32.IMAGE_OPTIONAL_HEADER32
  188.     Protected ExportDirectory.IMAGE_DATA_DIRECTORY
  189.     Protected ExportTable.IMAGE_EXPORT_DIRECTORY
  190.     Protected Dim ExportFunctionTable.l(0)
  191.     Protected Dim ExportNameTable.l(0)
  192.     Protected Dim ExportOrdinalTable.w(0)
  193.      
  194.      hProcess = OpenProcess_(#PROCESS_VM_READ, #False, PID)
  195.      If hProcess
  196.        If *_Module
  197.          modBaseAddr = *_Module
  198.        Else
  199.          modBaseAddr = TraverseRemoteModules(PID, _Module$)
  200.        EndIf
  201.      
  202.       If Not modBaseAddr
  203.         Goto TRM_END
  204.       EndIf
  205.      
  206.        If ReadProcessMemory_(hProcess, modBaseAddr, @DosHeader, SizeOf(IMAGE_DOS_HEADER), #Null) And DosHeader\e_magic <> $5A4D
  207.          Goto TRM_END
  208.        EndIf
  209.        
  210.        If ReadProcessMemory_(hProcess, modBaseAddr + DosHeader\e_lfanew, @Signature, SizeOf(Signature), #Null) And Signature <> $4550
  211.          Goto TRM_END
  212.        EndIf
  213.        
  214.        If Not ReadProcessMemory_(hProcess, modBaseAddr + DosHeader\e_lfanew + SizeOf(Signature), @FileHeader, SizeOf(IMAGE_FILE_HEADER), #Null)
  215.         Goto TRM_END
  216.       EndIf
  217.      
  218.        If FileHeader\SizeOfOptionalHeader = SizeOf(IMAGE_OPTIONAL_HEADER64)
  219.           Is64Bit = #True
  220.        ElseIf FileHeader\SizeOfOptionalHeader = SizeOf(IMAGE_OPTIONAL_HEADER32)
  221.           Is64Bit = #False
  222.        Else
  223.          Goto TRM_END
  224.        EndIf
  225.        
  226.        If Is64Bit
  227.           If ReadProcessMemory_(hProcess, modBaseAddr + DosHeader\e_lfanew + SizeOf(Signature) + SizeOf(IMAGE_FILE_HEADER),  @OptHeader64, FileHeader\SizeOfOptionalHeader, #Null) And OptHeader64\Magic <> $020B
  228.             Goto TRM_END
  229.           EndIf
  230.        Else
  231.           If ReadProcessMemory_(hProcess, modBaseAddr + DosHeader\e_lfanew + SizeOf(Signature) + SizeOf(IMAGE_FILE_HEADER), @OptHeader32, FileHeader\SizeOfOptionalHeader, #Null) And OptHeader32\Magic <> $010B
  232.             Goto TRM_END
  233.           EndIf
  234.         EndIf
  235.        
  236.        If Is64Bit And OptHeader64\NumberOfRvaAndSizes >= #IMAGE_DIRECTORY_ENTRY_EXPORT + 1
  237.           ExportDirectory\VirtualAddress = OptHeader64\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]\VirtualAddress
  238.           ExportDirectory\Size = OptHeader64\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]\Size
  239.        ElseIf OptHeader32\NumberOfRvaAndSizes >= #IMAGE_DIRECTORY_ENTRY_EXPORT + 1
  240.           ExportDirectory\VirtualAddress = OptHeader32\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]\VirtualAddress
  241.           ExportDirectory\Size = OptHeader32\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]\Size
  242.        Else
  243.          Goto TRM_END
  244.        EndIf
  245.        
  246.        If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportDirectory\VirtualAddress, @ExportTable, SizeOf(IMAGE_EXPORT_DIRECTORY), #Null)
  247.          Goto TRM_END
  248.        EndIf
  249.        
  250.        ReDim ExportFunctionTable(ExportTable\NumberOfFunctions)
  251.        ReDim ExportNameTable(ExportTable\NumberOfNames)
  252.        ReDim ExportOrdinalTable.w(ExportTable\NumberOfNames)
  253.        
  254.        If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportTable\AddressOfFunctions,   @ExportFunctionTable(), ExportTable\NumberOfFunctions * SizeOf(Long), #Null)
  255.          Goto TRM_END
  256.        EndIf
  257.      
  258.        If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportTable\AddressOfNames, @ExportNameTable(), ExportTable\NumberOfNames * SizeOf(Long), #Null)
  259.          Goto TRM_END
  260.        EndIf
  261.      
  262.        If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportTable\AddressOfNameOrdinals, @ExportOrdinalTable(), ExportTable\NumberOfNames * SizeOf(Word), #Null)
  263.          Goto TRM_END
  264.        EndIf
  265.  
  266.        For index = 0 To ExportTable\NumberOfNames - 1
  267.          TempFunctionName = ""
  268.          index2 = 0
  269.    
  270.          Repeat
  271.            If Not ReadProcessMemory_(hProcess, modBaseAddr + ExportNameTable(index) + index2, @TempChar, SizeOf(TempChar), #Null)
  272.              Break 2
  273.           EndIf
  274.    
  275.              If TempChar = #Null
  276.                Break
  277.              Else
  278.                TempFunctionName + Chr(TempChar)
  279.              EndIf
  280.              
  281.              index2 + 1
  282.           ForEver
  283.        
  284.          If TempFunctionName = ProcName$
  285.            retValue = modBaseAddr + ExportFunctionTable(ExportOrdinalTable(index))
  286.            Break
  287.          EndIf
  288.       Next
  289.      
  290.       TRM_END:
  291.       CloseHandle_(hProcess)
  292.       FreeArray(ExportFunctionTable())
  293.       FreeArray(ExportNameTable())
  294.       FreeArray(ExportOrdinalTable())
  295.     EndIf
  296.    
  297.     ProcedureReturn retValue
  298.   EndProcedure
  299.  
  300.  
  301.   Procedure InjectDLL(PID.i, DLL$)
  302.     Protected address, ThreadHandle, BufferSize, *buffer
  303.     Protected ProcessHandle.i, retvalue = #Null, *dll_unicode
  304.     Protected is_target_64.b = #False
  305.    
  306.     If FileSize(Dll$) > 0
  307.       is_target_64 = Is64Process(PID)
  308.       If #INJECTOR_IS_64 = is_target_64
  309.         address = ProcAddress("kernel32.dll", "LoadLibraryW")
  310.       ElseIf #INJECTOR_IS_64
  311.         address = TraverseRemoteProcs(PID, "kernel32.dll", "LoadLibraryW")
  312.       Else
  313.         Debug "X86 Injector --> X64 Target not Supported yet!!"
  314.         ProcedureReturn #Null
  315.       EndIf
  316.      
  317.       Debug address
  318.      
  319.       ProcessHandle = OpenProcess_(#PROCESS_CREATE_THREAD | #PROCESS_QUERY_INFORMATION | #PROCESS_VM_OPERATION | #PROCESS_VM_WRITE | #PROCESS_VM_READ, #False, PID)
  320.       If ProcessHandle
  321.         Debug "A"
  322.         BufferSize = Len(Dll$) * 2 + 1
  323.         *dll_unicode = AllocateMemory(BufferSize)
  324.         PokeS(*dll_unicode, Dll$, -1, #PB_Unicode)
  325.         *buffer = VirtualAllocEx_(ProcessHandle, #Null, BufferSize, #MEM_COMMIT, #PAGE_READWRITE)
  326.         If *buffer
  327.          
  328.           Debug "B"
  329.           WriteProcessMemory_(ProcessHandle, *buffer, *dll_unicode, BufferSize, #Null)
  330.           ThreadHandle = CreateRemoteThread_(ProcessHandle, #Null, #Null, address, *buffer, #Null, #Null)
  331.           If ThreadHandle
  332.             Debug "C"
  333.             WaitForSingleObject_(ThreadHandle, #INFINITE)
  334.             CloseHandle_(ThreadHandle)
  335.             retvalue = TraverseRemoteModules(PID, GetFilePart(Dll$))
  336.           EndIf
  337.           VirtualFreeEx_(ProcessHandle, *buffer, #Null, #MEM_RELEASE)          
  338.         EndIf
  339.         CloseHandle_(ProcessHandle)
  340.         FreeMemory(*dll_unicode)
  341.       EndIf
  342.     EndIf
  343.    
  344.     ProcedureReturn retvalue
  345.   EndProcedure
  346.  
  347.  
  348.   Procedure.b EjectDLL(PID, DLL$, *_Module = #Null)
  349.     Protected address, ThreadHandle
  350.     Protected ProcessHandle, retvalue = #False
  351.     Protected is_target_64.b = #False
  352.    
  353.     If FileSize(Dll$) > 0 Or *_Module
  354.       is_target_64 = Is64Process(PID)
  355.       If #INJECTOR_IS_64 = is_target_64
  356.         address = ProcAddress("kernel32.dll", "FreeLibrary")
  357.       ElseIf #INJECTOR_IS_64
  358.         address = TraverseRemoteProcs(PID, "kernel32.dll", "FreeLibrary")
  359.       Else
  360.         Debug "X86 Ejector --> X64 Target not Supported yet!!"
  361.         ProcedureReturn #False
  362.       EndIf
  363.      
  364.       If Not *_Module
  365.         *_Module = TraverseRemoteModules(PID, GetFilePart(DLL$))
  366.         If Not *_Module
  367.           ProcedureReturn #False
  368.         EndIf
  369.       EndIf
  370.      
  371.       ProcessHandle = OpenProcess_(#PROCESS_CREATE_THREAD | #PROCESS_QUERY_INFORMATION | #PROCESS_VM_OPERATION | #PROCESS_VM_WRITE | #PROCESS_VM_READ, #False, PID)
  372.       If ProcessHandle
  373.         ThreadHandle = CreateRemoteThread_(ProcessHandle, #Null, #Null, address, *_Module, #Null, #Null)
  374.         If ThreadHandle
  375.           WaitForSingleObject_(ThreadHandle, #INFINITE)
  376.           CloseHandle_(ThreadHandle)
  377.           retvalue = #True
  378.         EndIf
  379.         CloseHandle_(ProcessHandle)
  380.       EndIf
  381.     EndIf
  382.    
  383.     ProcedureReturn retvalue
  384.   EndProcedure
  385.  
  386.  
  387.   Procedure CallRemoteFunction(PID, *Func, Proc2Call$, WaitForReturn.b = #False, *retValue = #Null, *Parameter = #Null, nSize = #Null)
  388.     Protected ret, ProcessHandle, address, *buffer
  389.     Protected ThreadHandle
  390.    
  391.     ProcessHandle = OpenProcess_(#PROCESS_CREATE_THREAD | #PROCESS_QUERY_INFORMATION | #PROCESS_VM_OPERATION | #PROCESS_VM_WRITE | #PROCESS_VM_READ, #False, PID)
  392.    
  393.     If ProcessHandle
  394.       address = TraverseRemoteProcs(PID, "", Proc2Call$, *Func)
  395.       If address
  396.         *buffer = #Null
  397.         If *Parameter And nSize
  398.           *buffer = VirtualAllocEx_(ProcessHandle, #Null, nSize, #MEM_COMMIT, #PAGE_READWRITE)
  399.           WriteProcessMemory_(ProcessHandle, *buffer, *Parameter, nSize, #Null)
  400.         EndIf
  401.              
  402.         ThreadHandle = CreateRemoteThread_(ProcessHandle, #Null, #Null, address, *buffer, #Null, #Null)
  403.         If ThreadHandle
  404.           If WaitForReturn
  405.             WaitForSingleObject_(ThreadHandle, #INFINITE)
  406.             If *retValue
  407.               GetExitCodeThread_(ProcessHandle, *retValue)
  408.             EndIf
  409.           EndIf
  410.           CloseHandle_(ThreadHandle)
  411.           ret = #True
  412.         EndIf
  413.        
  414.         If *buffer
  415.           VirtualFreeEx_(ProcessHandle, *buffer, #Null, #MEM_RELEASE)
  416.         EndIf
  417.         CloseHandle_(ProcessHandle)
  418.       EndIf
  419.     EndIf
  420.    
  421.     ProcedureReturn ret
  422.   EndProcedure
  423.  
  424.  
  425. EndModule
  426.  
  427.  
  428. #PROCESS_ALL_ACCESS_VISTA_WIN7 = $1FFFFF
  429.  
  430. Prototype.i PFNCreateToolhelp32Snapshot(dwFlags.i, th32ProcessID.i) ;
  431. Prototype.b PFNProcess32First(hSnapshot.i, *lppe.PROCESSENTRY32) ;
  432. Prototype.b PFNProcess32Next(hSnapshot.i, *lppe.PROCESSENTRY32) ;
  433.  
  434. Procedure GetPidByName(p_name$)
  435.     Protected hDLL.i, process_name$
  436.     Protected PEntry.PROCESSENTRY32, hTool32.i
  437.     Protected pCreateToolhelp32Snapshot.PFNCreateToolhelp32Snapshot
  438.     Protected pProcess32First.PFNProcess32First
  439.     Protected pProcess32Next.PFNProcess32Next
  440.     Protected pid.i    
  441.     hDLL = OpenLibrary(#PB_Any,"kernel32.dll")    
  442.     If hDLL
  443.         pCreateToolhelp32Snapshot = GetFunction(hDLL,"CreateToolhelp32Snapshot")
  444.         pProcess32First = GetFunction(hDLL,"Process32FirstW")
  445.         pProcess32Next = GetFunction(hDLL,"Process32NextW")
  446.     Else
  447.       ProcedureReturn 0
  448.      
  449.     EndIf  
  450.  
  451.      
  452.     PEntry\dwSize = SizeOf(PROCESSENTRY32)
  453.     hTool32 = pCreateToolhelp32Snapshot(#TH32CS_SNAPPROCESS, 0)
  454.     pProcess32First(hTool32, @PEntry)
  455.     process_name$ = PeekS(@PEntry\szExeFile,#PB_Unicode)  
  456.     Debug GetFilePart(UCase(process_name$))
  457.     If   GetFilePart(UCase(process_name$)) = GetFilePart(UCase(p_name$) )
  458.         ProcedureReturn PEntry\th32ProcessID
  459.     EndIf
  460.     While pProcess32Next(hTool32, @PEntry) > 0
  461.       process_name$ = PeekS(@PEntry\szExeFile,#PB_Unicode)  
  462.         If  GetFilePart(UCase(process_name$)) = GetFilePart(UCase(p_name$) )
  463.             ProcedureReturn PEntry\th32ProcessID
  464.         EndIf    
  465.     Wend  
  466.     CloseLibrary(hDLL)    
  467.     ProcedureReturn 0
  468.   EndProcedure
  469.  
  470.  
  471.   UseModule API_HookEngine
  472.  
  473.   Debug GetPidByName("LinkEngKM.exe")
  474. Debug InjectDLL( GetPidByName("LinkEngKM.exe"), "D:\io8.dll")
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!