; One entry of the PE import directory (winnt.h IMAGE_IMPORT_DESCRIPTOR).
; All members are 32-bit (.l) on x86 and x64 images alike; the RVAs are
; turned into VAs by adding the module base (see
; __HOOKAPI_ReplaceImportedFunctionInModule).  The array is terminated by an
; all-zero descriptor, which is why the walker stops on Name = 0.
Structure IMAGE_IMPORT_DESCRIPTOR
  OriginalFirstThunk.l   ; RVA of the import name table; not used by this file
  TimeDateStamp.l        ; binding time stamp; not used by this file
  ForwarderChain.l       ; forwarder index; not used by this file
  Name.l                 ; RVA of the ASCII DLL name (read with PeekS(..., #PB_Ascii))
  FirstThunk.l           ; RVA of this DLL's slice of the import address table (IAT)
EndStructure
  8.  
; One IAT slot.  *Function is pointer sized, so SizeOf(IMAGE_THUNK_DATA) —
; the stride used when walking the IAT — is 4 bytes on x86 and 8 on x64,
; matching IMAGE_THUNK_DATA32/64.  After the loader has resolved the import
; the slot holds the absolute address of the imported function; a 0 slot
; terminates the table.
Structure IMAGE_THUNK_DATA
  *Function              ; resolved function address; compared against *OldFunction
EndStructure
  12.  
; Signature of imagehlp's ImageDirectoryEntryToData().  Only referenced from
; commented-out code in this file; the live code parses the PE headers
; directly, so this prototype is currently unused.
Prototype.l _ImageDirectoryEntryToData(ImageBase.l,MappedAsImage.l,DirectoryEntry.l,Size.l)
  14.  
  15.  
; Explicit import of GetProcAddress with the name parameter marshalled as
; ASCII (Name.p-ascii), because the rest of this file works with the PE's
; ASCII import names.  "_GetProcAddress@8" is the x86 stdcall-decorated
; symbol (two 4-byte arguments); an x64 build would need the undecorated
; name, so this import pins the file to 32-bit builds.
Import "Kernel32.lib"
   GetProcAddress_(hMod.i, Name.p-ascii) As "_GetProcAddress@8"
 EndImport
  19.  
  20.  
; Log sink for informational messages.  Goes to the PureBasic debugger
; window; change the body to route the hook library's log elsewhere.
Procedure __MyDebug(str.s)
  Debug str
EndProcedure
; Log sink for errors (failed table lookup, failed VirtualProtect).  Same
; destination as __MyDebug; the split exists so callers can route levels
; differently.
Procedure __MyError(str.s)
  Debug str
EndProcedure
; Log sink for warnings (e.g. a handle that could not be released).  Same
; destination as __MyDebug.
Procedure __MyWarn(str.s)
  Debug str
EndProcedure
  30.  
; Signature of CloseHandle, used to keep a pointer to the ORIGINAL
; CloseHandle once that API has been hooked.
; __HOOKAPI_ReplaceImportedFunctionInAllModules calls OrgCloseHandle to
; release its Toolhelp snapshot so that the call does not pass through a
; CloseHandle hook.
Prototype.i MyCloseHandle(hFile)
; NOTE(review): nothing in this listing assigns OrgCloseHandle.  Unless the
; caller stores __HookApi()'s return value here when hooking CloseHandle, it
; stays #Null and the snapshot handle is only reported, not released.
Global OrgCloseHandle.MyCloseHandle
  33.  
  34. Procedure __GetModuleIATLastByte(*Module.IMAGE_DOS_HEADER)
  35. Protected *Img_NT_Headers.IMAGE_NT_HEADERS
  36.   If *Module
  37.     *Img_NT_Headers = *Module + *Module\e_lfanew
  38.     If *Img_NT_Headers
  39.       If *Img_Nt_Headers\OptionalHeader
  40.         If *Img_Nt_Headers\OptionalHeader\DataDirectory[#IMAGE_DIRECTORY_ENTRY_IAT]
  41.           ProcedureReturn  *Img_Nt_Headers\OptionalHeader\DataDirectory[#IMAGE_DIRECTORY_ENTRY_IAT]\Size + *Img_Nt_Headers\OptionalHeader\DataDirectory[#IMAGE_DIRECTORY_ENTRY_IAT]\VirtualAddress
  42.         EndIf
  43.       EndIf
  44.     EndIf
  45.   EndIf
  46. ProcedureReturn #Null
  47. EndProcedure
  48.  
  49. Procedure.i __HOOKAPI_SetMemoryProtection(*Addr, iProtection)
  50.   Protected mbi.MEMORY_BASIC_INFORMATION, iOldProtection.i
  51.   If VirtualQuery_(*addr, mbi.MEMORY_BASIC_INFORMATION,SizeOf(MEMORY_BASIC_INFORMATION))
  52.     If VirtualProtect_(mbi\BaseAddress, mbi\RegionSize, iProtection, @iOldProtection)
  53.       ProcedureReturn iOldProtection
  54.     EndIf
  55.   EndIf
  56.   ProcedureReturn -1
  57. EndProcedure
  58.  
  59. Procedure.i __HOOKAPI_GetImportTable(*Module.IMAGE_DOS_HEADER)
  60.   Protected ImageDirectoryEntryToData._ImageDirectoryEntryToData
  61.   Protected *Imagehlp
  62.   Protected iErrMode.i
  63.  
  64.   Protected *ptr.LONG,*pEntryImports.IMAGE_IMPORT_DESCRIPTOR
  65.   Protected *Img_NT_Headers.IMAGE_NT_HEADERS
  66.  
  67.   If *Module
  68.  
  69. ;     ;iErrMode = SetErrorMode_(#SEM_FAILCRITICALERRORS) ; Don't display error messages
  70. ;     *Imagehlp = GetModuleHandle_("imagehlp.dll")
  71. ;    
  72. ;     ;First try To use imagehlp API (2000/XP/Vista)
  73. ;     If *Imagehlp
  74. ;       ImageDirectoryEntryToData = GetProcAddress_(*Imagehlp,"ImageDirectoryEntryToData")
  75. ;       If ImageDirectoryEntryToData
  76. ;         *pEntryImports = ImageDirectoryEntryToData(*Module, #True, #IMAGE_DIRECTORY_ENTRY_IMPORT, @lSize)    
  77. ;         If *pEntryImports
  78. ;           ProcedureReturn *pEntryImports
  79. ;         EndIf
  80. ;       EndIf  
  81. ;     EndIf
  82.    
  83.     ;If imagehlp api is not available
  84.     *Img_NT_Headers = *Module + *Module\e_lfanew
  85.     If *Img_NT_Headers
  86.       *ptr = *Img_Nt_Headers\OptionalHeader\DataDirectory[#IMAGE_DIRECTORY_ENTRY_IMPORT]
  87.       If *ptr
  88.         *pEntryImports = *Module + *ptr\l
  89.         ProcedureReturn *pEntryImports
  90.       EndIf
  91.     EndIf
  92.  
  93.   EndIf
  94.   ProcedureReturn #Null
  95. EndProcedure
  96.  
  97. Procedure.i __HOOKAPI_GetExportTable(*Module.IMAGE_DOS_HEADER)
  98.   Protected ImageDirectoryEntryToData._ImageDirectoryEntryToData
  99.   Protected *Imagehlp
  100.   Protected iErrMode.i
  101.  
  102.   Protected *ptr.LONG,*pEntryExports.IMAGE_EXPORT_DIRECTORY
  103.   Protected *Img_NT_Headers.IMAGE_NT_HEADERS
  104.  
  105.   If *Module
  106.  
  107. ;     ;iErrMode = SetErrorMode_(#SEM_FAILCRITICALERRORS) ; Don't display error messages
  108. ;     *Imagehlp = GetModuleHandle_("imagehlp.dll")
  109. ;     ;SetErrorMode_(iErrMode)
  110. ;    
  111. ;     ; First try to use imagehlp API (2000/XP/Vista)
  112. ;      If *Imagehlp
  113. ;        ImageDirectoryEntryToData = GetProcAddress_(*Imagehlp,"ImageDirectoryEntryToData")
  114. ;        If ImageDirectoryEntryToData
  115. ;          *pEntryExports = ImageDirectoryEntryToData(*Module, #True, #IMAGE_DIRECTORY_ENTRY_EXPORT, @lSize)    
  116. ;          If *pEntryExports
  117. ;            ProcedureReturn *pEntryExports
  118. ;          EndIf
  119. ;        EndIf  
  120. ;      EndIf
  121.    
  122.     ;If imagehlp api is not available
  123.     *Img_NT_Headers = *Module + *Module\e_lfanew
  124.     If *Img_NT_Headers
  125.       *ptr = *Img_Nt_Headers\OptionalHeader\DataDirectory[#IMAGE_DIRECTORY_ENTRY_EXPORT]
  126.       If *ptr
  127.         *pEntryExports = *Module + *ptr\l
  128.         ProcedureReturn *pEntryExports
  129.       EndIf
  130.     EndIf
  131.  
  132.   EndIf
  133.   ProcedureReturn #Null
  134. EndProcedure
  135.  
  136.  
  137. Procedure.s __GetRealModuleName(sModule.s)
  138.   ;CompilerIf #USE_NOT_RECOMMENDED_WIN8_VIRTUAL_FILE_FIX
  139.   ;  ProcedureReturn sModule ; Just always return the file name
  140.   ;CompilerElse
  141.     If OSVersion() >= #PB_OS_Windows_8 ; F�r WINDOWS 8
  142.       Protected modulehandle, result.s = sModule
  143.       ; Echten Modulnamen ermittelt notwendig, weil in den Importtabellen der DLLs steht api-ms...
  144.       ; Da wir aber KernelBase.dll anstelle von Kernel32.dll hooken und GetModuleHandle("api-ms...") das gleiche wie f�r KernelBase.dll zur�ckgibt,
  145.       ; m�ssen wir sicherstellen, das die Funktionen auch gehookt werden (ohne __GetRealModuleName() w�rde es nicht gehookt werden, das api-ms...dll <> KernelBase.dll!)
  146.       modulehandle = GetModuleHandle_(sModule)
  147.       If modulehandle <> #Null;If it fails return at least sModule
  148.         result.s = Space(2048 + 1)
  149.         If GetModuleFileName_(modulehandle, @result, 2048) = 0
  150.           result = sModule ; 0 bedeuted fehler
  151.         EndIf  
  152.       EndIf
  153.       ProcedureReturn result
  154.      
  155.     Else
  156.       ProcedureReturn sModule ; F�R < WIN 8 einfach den Modulnamen zur�ckgeben
  157.     EndIf
  158.  
  159.   ;CompilerEndIf  
  160. EndProcedure
  161.  
  162. Procedure.i __HOOKAPI_ReplaceImportedFunctionInModule(hModule.i,sModuleName.s, sFunction.s, *NewFunctionPtr, *OldFunction)
  163. Protected  *ImportedDLLs.IMAGE_IMPORT_DESCRIPTOR, LastByte.i
  164. Protected sName.s, addr1.i, *itd.IMAGE_THUNK_DATA, iOldProtection.i
  165.  
  166. If *OldFunction
  167.  
  168.   *ImportedDLLs.IMAGE_IMPORT_DESCRIPTOR = __HOOKAPI_GetImportTable(hModule)
  169.   If *ImportedDLLs
  170.     LastByte.i = __GetModuleIATLastByte(hModule) + hModule
  171.  
  172.  
  173.     While *ImportedDLLs\Name And *ImportedDLLs\FirstThunk
  174.      
  175.       sName.s = ""
  176.       If *ImportedDLLs\Name And *ImportedDLLs\FirstThunk
  177.      
  178.         addr1 = *ImportedDLLs\Name + hModule;RvaToVa(hModule,*ImportedDLLs\Name)
  179.         If *ImportedDLLs\Name And LastByte - (*ImportedDLLs\FirstThunk + hModule) > 0 And hModule
  180.           ;XXXDebug = *ImportedDLLs\Name
  181.           ;sName.s = UCase(PeekS(hModule + *ImportedDLLs\Name))
  182.           sName.s = UCase(PeekS(addr1,-1, #PB_Ascii))   ; 2010-08-31
  183.         EndIf
  184.        
  185.       EndIf
  186.       ;__HookLogDebug( sName
  187.      
  188.       If UCase(__GetRealModuleName(sName)) = UCase(__GetRealModuleName(sModuleName))
  189.         *itd.IMAGE_THUNK_DATA = *ImportedDLLs\FirstThunk + hModule
  190.         If *ImportedDLLs\FirstThunk
  191.          
  192.         ;*itd.IMAGE_THUNK_DATA = RvaToVa(hModule,*ImportedDLLs\FirstThunk)
  193.         ;If *itd
  194.                
  195.         While *itd\Function
  196.           If *itd\Function = *OldFunction
  197.             iOldProtection.i = __HOOKAPI_SetMemoryProtection(*itd, #PAGE_EXECUTE_READWRITE)
  198.  
  199.             If iOldProtection <> -1
  200.               *itd\Function = *NewFunctionPtr ; Set new Function pointer
  201.               __MyDebug("replace pointer for " + sFunction)
  202.               __HOOKAPI_SetMemoryProtection(*itd, iOldProtection)
  203.             Else
  204.               __MyError("ERROR: cannot set memory protection")
  205.             EndIf
  206.            
  207.           EndIf
  208.           *itd + SizeOf(IMAGE_THUNK_DATA)
  209.         Wend
  210.         EndIf
  211.        
  212.       EndIf
  213.      
  214.       *ImportedDLLs + SizeOf(IMAGE_IMPORT_DESCRIPTOR)
  215.     Wend
  216.  
  217.   Else
  218.     __MyError("ERROR: cannot get import table")
  219.   EndIf
  220.  
  221. Else
  222.  
  223. EndIf
  224.  
  225. EndProcedure
  226.  
;-----------------------------------------------------------------------
; __HOOKAPI_ReplaceExportedFunctionInModule(sModuleName, sFunction,
;                                           *NewFunctionPtr, *OldFunction)
; Rewrites the export address table (EAT) entry of sModuleName that resolves
; to *OldFunction so that it resolves to *NewFunctionPtr instead.  Unlike
; the IAT patch this only affects lookups made after the change (e.g.
; GetProcAddress); already-bound IAT slots are untouched.
; In:  sModuleName     = DLL whose export table is patched
;      sFunction       = function name; not used for matching (the RVA
;                        comparison against *OldFunction decides)
;      *NewFunctionPtr = replacement address; stored as an RVA relative to
;                        hModule, so it must be representable as one
;      *OldFunction    = absolute address of the exported function
; Out: nothing explicit — the procedure has no ProcedureReturn and so
;      yields 0 in every case.
;-----------------------------------------------------------------------
Procedure.i __HOOKAPI_ReplaceExportedFunctionInModule(sModuleName.s, sFunction.s, *NewFunctionPtr, *OldFunction)
Protected hModule.i, *ExportedFunctions.IMAGE_EXPORT_DIRECTORY
Protected *Addr.Integer, i.i, iOldProtection.i

hModule.i = GetModuleHandle_(sModuleName.s)

If *OldFunction And *NewFunctionPtr And hModule


  *ExportedFunctions.IMAGE_EXPORT_DIRECTORY = __HOOKAPI_GetExportTable(hModule)
  If *ExportedFunctions

    ; AddressOfFunctions is an RVA to an array of NumberOfFunctions 32-bit
    ; RVAs.  NOTE(review): *Addr.Integer reads \i and steps by
    ; SizeOf(Integer), which matches the 4-byte slots only on x86 builds;
    ; an x64 build would read 8 bytes per slot and skip every other entry
    ; (a .Long view with SizeOf(Long) would be correct on both).
    *Addr.Integer = *ExportedFunctions\AddressOfFunctions + hModule
   
    If *Addr
      For i = 0 To *ExportedFunctions\NumberOfFunctions - 1
   
        ; Slot holds an RVA; rebase before comparing with the absolute address.
        If *Addr\i + hModule = *OldFunction

          iOldProtection.i = __HOOKAPI_SetMemoryProtection(*Addr, #PAGE_EXECUTE_READWRITE)
          If iOldProtection <> -1
            ;k= *Addr\i
            ;MessageBox_(0,Str(*Addr),Str(IsBadWritePtr_(*addr,4)),#MB_OK)
           
            ; Store the replacement as an RVA relative to this module.
            *Addr\i = *NewFunctionPtr - hModule
            ;new = k;*NewFunctionPtr - hModule
            ;WriteProcessMemory_(GetCurrentProcess_(),*Addr,@new,4,#Null)
           
            ; Restore the previous page protection immediately after the write.
            __HOOKAPI_SetMemoryProtection(*Addr, iOldProtection)
          EndIf
        EndIf
        *Addr + SizeOf(Integer)
      Next
    EndIf
     
  EndIf
EndIf

EndProcedure
  266.  
  267.  
  268. Procedure.s __GetModuleFullPath(sModule.s)
  269.   Protected hModule.i,sName.s
  270.   hModule = GetModuleHandle_(sModule)
  271.   If hModule
  272.     sName.s =Space(#MAX_PATH+1)
  273.     GetModuleFileName_(hModule, @sName, #MAX_PATH)
  274.     If Trim(sName) <> ""
  275.       sModule = sName  
  276.     EndIf
  277.   EndIf
  278.   ProcedureReturn sModule
  279. EndProcedure
  280.  
  281.  
  282.  
  283. Procedure.i __HOOKAPI_ReplaceImportedFunctionInAllModules(sModuleName.s, sFunction.s, *NewFunctionPtr, *OldFunction)
  284.   Protected iResult.i, snapshot.i, modulehandle.MODULEENTRY32
  285.  
  286.   iResult.i = #False
  287.   snapshot = CreateToolhelp32Snapshot_(#TH32CS_SNAPMODULE, 0)
  288.   If snapshot
  289.  
  290.       modulehandle.MODULEENTRY32
  291.       modulehandle\dwSize = SizeOf(MODULEENTRY32)
  292.      
  293.       If Module32First_(snapshot, @modulehandle)
  294.         While Module32Next_(snapshot, @modulehandle)        
  295.           If modulehandle\hModule
  296.            
  297.             ;If Not __IsModuleInBlackList(PeekS(@modulehandle\szModule))  ; 2010-08-30 ; 2010-09-13 Unicode Bugfix  
  298.               ;If g_VirtualFile\bFirstFunctionModuleOutput
  299.               __MyDebug("Hooking import table of " + __GetModuleFullPath(PeekS(@modulehandle\szModule)))  ; 2010-08-30  ; 2010-09-13 Unicode Bugfix
  300.               ;EndIf
  301.               iResult = __HOOKAPI_ReplaceImportedFunctionInModule(modulehandle\hModule, sModuleName, sFunction, *NewFunctionPtr, *OldFunction)            
  302.             ;Else
  303.             ;    __MyDebug(PeekS(@modulehandle\szModule) + " is in black list, ignoring...")  ; 2010-08-30   ; 2010-09-13 Unicode Bugfix        
  304.             ;EndIf  
  305.           EndIf
  306.         Wend
  307.       EndIf    
  308.        
  309.       If OrgCloseHandle
  310.         OrgCloseHandle(snapshot)
  311.       Else
  312.         __MyWarn("Orginal CloseHandle is null, handle cannot be released!")
  313.       EndIf  
  314.       ;CloseHandle_(snapshot)
  315.   EndIf
  316.    
  317.   iResult = __HOOKAPI_ReplaceImportedFunctionInModule(GetModuleHandle_(0), sModuleName, sFunction, *NewFunctionPtr, *OldFunction)            
  318.  
  319.   ProcedureReturn iResult
  320. EndProcedure
  321.  
  322.  
  323. Procedure.i __HookApi(sModule.s, sFunction.s, *NewFunction, bHookExport = #True, bHookImport = #True)
  324.   Protected *OldFunction
  325.  
  326.   If *NewFunction
  327.     __MyDebug("Hooking function " + sModule + " " + sFunction)
  328.     *OldFunction = GetProcAddress_(GetModuleHandle_(sModule), sFunction)
  329.    
  330.     If bHookImport
  331.       __HOOKAPI_ReplaceImportedFunctionInAllModules(sModule.s, sFunction.s, *NewFunction, *OldFunction)
  332.     EndIf
  333.     If bHookExport
  334.       __HOOKAPI_ReplaceExportedFunctionInModule(sModule.s, sFunction.s, *NewFunction, *OldFunction)
  335.     EndIf  
  336.     ProcedureReturn *OldFunction
  337.   EndIf
  338. EndProcedure
  339.  
  340.  
; Replacement for LoadLibraryW installed by the demo below.  Takes the one
; argument LoadLibraryW receives (the module name, ignored here), prints
; "wix" and — having no ProcedureReturn — returns 0, so callers of the
; hooked API get a #Null module handle and nothing is loaded.
; NOTE(review): a hook must keep the API's stdcall convention and argument
; count; PureBasic procedures on Windows are expected to satisfy this —
; confirm for the compiler version in use.
Procedure wix(a)
Debug "wix"  
EndProcedure
  344.  
  345.  
; Demo: redirect LoadLibraryW to wix() in every module's IAT and in
; Kernel32's export table, then trigger it from this executable.
old = __HookApi("Kernel32.dll", "LoadLibraryW",@wix())   ; old = real LoadLibraryW, or 0 on failure

Debug old
; Goes through the hook: wix() prints "wix" and returns 0, so this call
; yields #Null instead of loading anything.
; NOTE(review): LoadLibrary_ maps to LoadLibraryW only in a Unicode build;
; an ASCII build would call LoadLibraryA, which is not hooked here.
LoadLibrary_("xxy")