;@GOTO TRANSLATE
;======================================================================
; Cdump.asm -- API-hook DLL that writes a copy of a module's in-memory
; image to a file (see DumpIt).  MASM, flat model, STDCALL.  The
; iWin32 / sWin32 / iWin32j / PUSHp / POPc / iMOV helpers come from the
; included macro files (presumably APIMACRO.mac and ApiHooks.inc; their
; bodies are not visible in this file).
;
; Build variants, selected by one assembler symbol each in the
; :TRANSLATE batch section at the end of this file:
;   NTonly  - NT build
;   Soft9x  - Win9x build that additionally hooks GetProcAddress
;   Hard9x  - Win9x build with shared data sections; every hook compares
;             the caller's PID with MyPID and passes foreign processes
;             straight through to the real API
;======================================================================
.586P
.MODEL FLAT, STDCALL
OPTION CASEMAP: NONE
INCLUDE WINDOWS.inc
UNICODE = FALSE                         ; ANSI ("A") API variants throughout
INCLUDE APIMACRO.mac
INCLUDE ApiHooks.inc
INCLUDELIB iKERNEL32.lib               ; project-supplied import libraries ("i" prefix; contents not visible here)
INCLUDELIB iCRTDLL.lib
INCLUDELIB iMSVCRT.lib
HFILE_ERROR EQU -1                      ; Win32 HFILE_ERROR: failure value of _lopen/_lread/_lwrite
; Uninitialised data.  Hard9x uses the default .DATA? section (the link
; step marks it shared with /SECTION:.bss,S); the other builds use a
; private segment named "bss".
IFDEF Hard9x
.DATA?
ELSE
bss SEGMENT 'BSS'
ENDIF
IFDEF Hard9x
MyPID DWORD ?                           ; PID recorded by DllMain on attach; 0 = no owner yet
ENDIF
Buffer DWORD 4096/4 DUP (?)             ; 4 KiB: first page of the module file, read by DumpIt for e_lfanew / SizeOfImage
ModName ACHAR MAX_PATH+2 DUP (?)        ; GetModuleFileNameA output; DumpIt also builds the dump file name in place here
IFNDEF Hard9x
bss ENDS
ENDIF
.CODE kernel32                          ; code segment deliberately named "kernel32"; the NT/Soft9x link steps merge .data/.rdata/.idata into it
IFDEF Hard9x
;-----------------------------------------------------------------------
; BOOL WINAPI DllMain(HINSTANCE hinst, DWORD fdwReason, LPVOID lpvReserved)
; Hard9x build only.  Because this build's data sections are shared,
; MyPID acts as a single-owner lock: the first process to attach records
; its PID, any later process gets FALSE (so its LoadLibrary fails), and
; only a detach from the owning process restores the patched APIs.
; In:    [ESP+8] = fdwReason (nothing is pushed before it is read; the
;        zero-argument GetCurrentProcessId call leaves ESP unchanged)
; Out:   EAX = TRUE / FALSE
; Stack: RET 12 -- STDCALL with three DWORD arguments
; NOTE(review): MyPID is never reset to 0 on detach; this relies on the
; shared section being re-initialised once the DLL is fully unloaded --
; confirm on the target platform.
;-----------------------------------------------------------------------
DllMain PROC
iWin32 GetCurrentProcessId              ; EAX = our PID; only CMP/JNE follow, so EAX survives to the MOV/CMP below
CMP DWORD PTR [ESP+8] ,DLL_PROCESS_ATTACH
JNE @F
CMP MyPID, 0                            ; already owned by some other process?
JE GoOn
MOV EAX, FALSE ;fail if another process will try to load me
RET 12
GoOn:
MOV MyPID, EAX                          ; claim ownership
JMP Return
@@:
CMP DWORD PTR [ESP+8] ,DLL_PROCESS_DETACH
JNE Return
CMP EAX, MyPID                          ; only the owning process may unhook
JNE Return
; Restore every patched API (the UnhookXxx records are built by MkUnhook
; in the .DATA section at the end of this file).
sWin32 UnhookApi, OFFSET UnhookGetVersion
sWin32 UnhookApi, OFFSET UnhookGetCommandLineA
sWin32 UnhookApi, OFFSET UnhookGetStartupInfoA
sWin32 UnhookApi, OFFSET Unhook__GetMainArgs
sWin32 UnhookApi, OFFSET Unhook_open_osfhandle
sWin32 UnhookApi, OFFSET Unhook__set_app_type
sWin32 UnhookApi, OFFSET UnhookGetStdHandle
sWin32 UnhookApi, OFFSET UnhookExitProcess
sWin32 UnhookApi, OFFSET UnhookLoadLibraryA
sWin32 UnhookApi, OFFSET UnhookVirtualQuery
Return:
MOV EAX, TRUE
RET 12
DllMain ENDP
;-----------------------------------------------------------------------
; void UnhookApi(UNHOOK_API *UnhStruc)   (Hard9x only; STDCALL; USES EBX ESI EDI)
; Walks entries CurNoAddr-1 .. 0 of the WhereWhat table and writes each
; entry's ReturnWhat (one DWORD) back to its ReturnWhere address -- but
; only for addresses at or above 80000000H (the shared/kernel range on
; Win9x); lower addresses are skipped.  Every write is bracketed by a
; VirtualProtect(PAGE_READWRITE) and a restore of the previous
; protection; an entry whose page cannot be made writable is skipped.
; NOTE(review): the parameter is typed PTR UNHOOK_API while the ASSUME
; says API_UNHOOK -- check that ApiHooks.inc declares both names.
; Clobb: EAX, EDX, flags, plus whatever the Win32 calls clobber (ECX)
;-----------------------------------------------------------------------
UnhookApi PROC USES EBX ESI EDI, UnhStruc: PTR UNHOOK_API
MOV ESI, UnhStruc
ASSUME ESI :PTR API_UNHOOK
MOV EBX, [ESI].CurNoAddr                ; EBX = entry index, counted down
@@:
DEC EBX
JL UnhookFin                            ; signed: finished once the index drops below 0
MOV EDI, [ESI].WhereWhat                ; EDI = base of the ADDR_CONTENTS array
MOV EDI, (ADDR_CONTENTS PTR [EDI][EBX*SIZEOF ADDR_CONTENTS]).ReturnWhere  ; EDI = patched address
CMP EDI, 80000000H ;only kernel space matters
JB @B
PUSH EAX                                ; scratch slot used as lpflOldProtect
iWin32 VirtualProtect, EDI, 4, PAGE_READWRITE, ESP
TEST EAX, EAX
POP EDX                                 ; EDX = previous protection (POP does not touch flags)
JE UnhookNext                           ; could not make the DWORD writable: skip it
MOV EAX, [ESI].WhereWhat
MOV EAX, (ADDR_CONTENTS PTR [EAX][EBX*SIZEOF ADDR_CONTENTS]).ReturnWhat  ; EAX = original DWORD
MOV [EDI], EAX                          ; put it back
PUSH EAX                                ; scratch slot again; the old-protection output is discarded
iWin32 VirtualProtect, EDI, 4, EDX, ESP
POP EAX
UnhookNext:
JMP @B
UnhookFin:
RET
ASSUME ESI: NOTHING
UnhookApi ENDP
ELSE
DllMain TEXTEQU < >
ENDIF
;------------------------------------------------------------------
;-----------------------------------------------------------------------
; DWORD WINAPI NewGetVersion(void)  -- hook for kernel32!GetVersion
; Microsoft C run-time start-up code calls GetVersion early, so the
; return address of this call is used to find the module that has just
; started: the bytes before the call site are compared with the DLL
; start-up pattern (DLLbytes at ret+DLLstart) and, failing that, with
; the EXE pattern (EXEbytes at ret+EXEstart).  On a match DumpIt gets an
; address inside that module.  Control always ends in a tail jump to the
; real GetVersion, so the caller's stack is untouched.
; PUSHp/POPc are project macros (presumably push/pop the listed
; registers; not visible here).  EIP = [ESP+12] is the return address
; once the three registers are pushed.
; NOTE(review): the JNE straight after IsBadReadPtr depends on the flags
; left by that call or set by the iWin32 macro; elsewhere in this file an
; explicit TEST EAX, EAX follows iWin32 -- confirm the macro sets ZF.
; IsBadReadPtr is a deprecated probe; here it only guards the byte
; compare against faulting.
;-----------------------------------------------------------------------
NewGetVersion PROC ;for Microsoft C compilers
PUSHp EBX, ESI, EDI
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return                              ; foreign process: pass straight through
ENDIF
EIP EQU [ESP+12]
MOV EBX, EIP                            ; EBX = caller's return address
LEA ESI, [EBX+DLLstart]                 ; ESI = ret-19, start of the window to probe and compare
iWin32 IsBadReadPtr, ESI, Shift         ; Shift (19) bytes: the window reaches up to ret and covers both patterns
JNE Return
;compare DLL bytes
MOV EDI, OFFSET DLLbytes
MOV ECX, LDLLbytes
REPE CMPSB                              ; ZF set = all LDLLbytes bytes matched
JE @F
LEA ESI, [EBX+EXEstart]                 ; ret-12: try the EXE pattern instead
MOV EDI, OFFSET EXEbytes
MOV ECX, LEXEbytes
REPE CMPSB
JNE Return                              ; neither pattern: not a CRT start-up call, no dump
@@:
sWin32 DumpIt, ESI                      ; ESI (just past the compared bytes) lies inside the caller's module
Return:
POPc EBX, ESI, EDI
iWin32j GetVersion                      ; tail jump to the real API
NewGetVersion ENDP
;-----------------------------------------------------
;-----------------------------------------------------------------------
; LPSTR WINAPI NewGetCommandLineA(void) -- hook for kernel32!GetCommandLineA
; Unlike NewGetVersion there is no byte-pattern check any more (the old
; check is kept below, commented out): the return address [ESP] goes
; straight to DumpIt, which page-aligns it and walks back to the module
; base.  Ends with a tail jump to the real API.
; Hard9x: calls from any process other than MyPID pass straight through.
;-----------------------------------------------------------------------
NewGetCommandLineA PROC ;was for old Microsoft C compilers, is for all
; PUSHp EBX, ESI, EDI
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
; EIP EQU [ESP+12]
; MOV EBX, EIP
; LEA ESI, [EBX+DLLstart]
; iWin32 IsBadReadPtr, ESI, Shift
; JNE Return
; LEA ESI, [EBX+EXEstart]
; MOV EDI, OFFSET EXEbytes
; MOV ECX, LEXEbytes
; REPE CMPSB
; JNE Return
EIP EQU [ESP]                           ; return address into the caller (nothing pushed)
sWin32 DumpIt, EIP ;ESI
Return:
; POPc EBX, ESI, EDI
iWin32j GetCommandLineA                 ; tail jump to the real API
NewGetCommandLineA ENDP
;-----------------------------------------------------
;-----------------------------------------------------------------------
; VOID WINAPI NewGetStartupInfoA(LPSTARTUPINFOA) -- hook for kernel32!GetStartupInfoA
; Called by older Microsoft C start-up code.  The return address [ESP] is
; handed to DumpIt (which finds the module base from it), then a tail
; jump to the real API -- the caller's argument stays on the stack.
; Hard9x: calls from any process other than MyPID pass straight through.
;-----------------------------------------------------------------------
NewGetStartupInfoA PROC ;for old Microsoft C compilers
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                           ; return address into the caller
sWin32 DumpIt, EIP
Return:
iWin32j GetStartupInfoA                 ; tail jump to the real API
NewGetStartupInfoA ENDP
;-----------------------------------------------------------------------
; VOID WINAPI NewExitProcess(UINT uExitCode) -- hook for kernel32!ExitProcess
; Last chance to dump: the module calling ExitProcess is written out
; from its return address, then control tail-jumps to the real API.
; NTonly: the hand-encoded bytes decode to
;     55              push ebp
;     8B EC           mov  ebp, esp
;     6A FF           push -1
;     68 FF FF FF FF  push 0FFFFFFFFh
;     68 FF FF FF FF  push 0FFFFFFFFh
;     50              push eax
; and the following LEAVE (mov esp,ebp / pop ebp) undoes all of it, so
; the only net effect is that the function starts with this byte
; sequence; per the comment on the IFDEF, one packer expects that shape.
; Hard9x: calls from any process other than MyPID pass straight through.
;-----------------------------------------------------------------------
NewExitProcess PROC ;always drop something
IFDEF NTonly ;to make one packer happy
BYTE 55H
BYTE 8BH, 0ECH
BYTE 6AH, 0FFH
BYTE 68H, 0FFH,0FFH,0FFH,0FFH
BYTE 68H, 0FFH,0FFH,0FFH,0FFH
BYTE 50H
LEAVE                                   ; restores ESP/EBP: stack is exactly as on entry
ENDIF
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                           ; return address into the caller
sWin32 DumpIt, EIP
Return:
iWin32j ExitProcess                     ; tail jump to the real API
NewExitProcess ENDP
;-----------------------------------------------------
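;-----------------------------------------------------------------------
; HMODULE WINAPI NewLoadLibraryA(LPCSTR lpLibFileName)
;   -- hook for kernel32!LoadLibraryA (STDCALL, one DWORD argument)
; If the library is already mapped (GetModuleHandleA succeeds) the call
; is forwarded unchanged to the real LoadLibraryA by tail jump.
; Otherwise we load it ourselves, hand the new base to DumpIt and return
; the handle.
; In:    [ESP+4] = lpLibFileName.  It stays valid after the zero-argument
;        GetCurrentProcessId call only if iWin32 without arguments is a
;        bare call (the original code already relied on that).
; Out:   EAX = HMODULE, or NULL when LoadLibraryA failed
; Stack: RET 4; on the forwarding path the real API cleans up
; Fix: on Hard9x a call from a foreign process used to jump to the RET 4
; without ever calling LoadLibraryA, returning the PID in EAX as if it
; were a module handle.  It now passes straight through to the real API,
; as every other hook in this file does.
;-----------------------------------------------------------------------
NewLoadLibraryA PROC
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE PassThru                            ; foreign process: real API, untouched
ENDIF
iWin32 GetModuleHandleA, [ESP+4]
TEST EAX, EAX
JE @F                                   ; not mapped yet: load and dump it below
PassThru:
iWin32j LoadLibraryA                    ; already mapped: forward the original call
@@:
iWin32 LoadLibraryA, [ESP+4]
TEST EAX, EAX
JE Return                               ; load failed: return NULL
PUSH EAX                                ; keep the handle across DumpIt
sWin32 DumpIt, EAX                      ; the base address is itself an address inside the module
POP EAX
Return:
RET 4
NewLoadLibraryA ENDP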
;-----------------------------------------------------
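;-----------------------------------------------------------------------
; void DumpIt(void *FromWhere)   (STDCALL; USES EBX ESI EDI; one local)
; Writes the in-memory image of the module containing FromWhere to a new
; file in the current directory.
;   1. Page-align FromWhere and walk downwards one page at a time until
;      GetModuleFileNameA accepts the page address as an HMODULE, i.e.
;      until the module base is found.  Each page is probed first with a
;      VirtualProtect/restore pair, so an unmapped page ends the walk.
;   2. Read the first 4 KiB of the module file from disk and take
;      e_lfanew (+3Ch) and SizeOfImage (e_lfanew+50h); round the size up
;      to whole pages.
;   3. Build the output name in ModName: the basename (after the last
;      '\') with the character 5 before the terminator replaced by '_'
;      (constructed example: "name.exe" becomes "nam_.exe").  CREATE_NEW
;      never overwrites -- if the file exists the dump is skipped.
;   4. Write the image page by page; every page is probed with
;      VirtualProtect first and the loop stops quietly at the first page
;      that cannot be probed or written.
; The local "Written" holds a file handle (the read handle, then the
; write handle), not a byte count.  On the Win9x builds (not NTonly)
; addresses at or above 80000000H are never dumped.
; Fixes versus the original:
;   - e_lfanew is checked against the number of bytes actually read, so
;     a malformed header can no longer index past Buffer into ModName
;     and whatever follows it;
;   - a basename shorter than 5 characters no longer gets the '_'
;     written in front of it (over the path separator).
; Clobb: EAX, ECX, EDX, flags
;-----------------------------------------------------------------------
DumpIt PROC USES EBX ESI EDI, FromWhere
LOCAL Written : DWORD
MOV ESI, FromWhere
AND ESI, NOT 0FFFH                      ; ESI = page containing FromWhere
IFNDEF NTonly
CMP ESI, 80000000H
JAE DRet                                ; shared/kernel range on Win9x: never dumped
ENDIF
MOV EBX, 1000H                          ; page size; also the probe length
MOV EDI, OFFSET ModName
JMP @F
IsHeader:
SUB ESI, EBX                            ; not the base yet: previous page
@@:
PUSH EAX                                ; scratch slot used as lpflOldProtect
iWin32 VirtualProtect, ESI, EBX, PAGE_READWRITE, ESP
TEST EAX, EAX
POP EDX                                 ; EDX = previous protection
JE DRet                                 ; page not mapped: give up
PUSH ECX                                ; scratch slot again; old-protection output discarded
iWin32 VirtualProtect, ESI, EBX, EDX, ESP
POP EAX
iWin32 GetModuleFileNameA, ESI, EDI, MAX_PATH
TEST EAX, EAX
JE IsHeader                             ; ESI is not a module base: step back one page
iWin32 _lopen, EDI, OF_READ             ; EDI = full path of the module file on disk
CMP EAX, HFILE_ERROR
JE DRet
MOV Written, EAX                        ; read handle
iWin32 _lread, EAX, OFFSET Buffer, SIZEOF Buffer
PUSH EAX                                ; keep the byte count across _lclose
iWin32 _lclose, Written
POP EAX
CMP EAX, HFILE_ERROR
JE DRet
; SizeOfImage sits at e_lfanew + 18H (optional header) + 38H, 4 bytes
; wide, so e_lfanew + 54H bytes must have been read.
SUB EAX, 54H                            ; EAX = largest e_lfanew the data read can hold
JB DRet                                 ; fewer than 54H bytes read
MOV EBX, Buffer[3CH]                    ; EBX = e_lfanew
CMP EBX, EAX
JA DRet                                 ; header does not fit in what was read (also rejects negative values)
MOV EBX, Buffer[EBX+50H]                ; EBX = SizeOfImage
ADD EBX, (1000H -1)
AND EBX, NOT (1000H -1)                 ; round up to whole pages
; Find the basename: ECX = start of the last '\'-delimited component,
; EDI = its terminating NUL.
ToMem:
MOV ECX, EDI
NChar:
MOV AL, [EDI]
TEST AL, AL
JE @F
INC EDI
CMP AL, "\"
JE ToMem
JMP NChar
@@:
MOV EAX, EDI
SUB EAX, ECX                            ; EAX = basename length
CMP EAX, 5
JB DRet                                 ; too short to rename in place without touching the path
MOV BYTE PTR [EDI-5], '_'               ; e.g. "name.exe" becomes "nam_.exe"
iWin32 CreateFileA, ECX, GENERIC_WRITE, FILE_SHARE_READ,\
NULL, CREATE_NEW, NULL, NULL
CMP EAX, INVALID_HANDLE_VALUE
JE DRet                                 ; already exists (or cannot be created): skip the dump
MOV Written, EAX                        ; write handle
@@:
PUSH EAX                                ; scratch slot used as lpflOldProtect
iWin32 VirtualProtect, ESI, 1000H, PAGE_READWRITE, ESP
TEST EAX, EAX
POP EDI                                 ; EDI = previous protection (ModName no longer needed)
JE @F                                   ; page not mapped: stop dumping
iWin32 _lwrite, Written, ESI, 1000H
PUSH EAX                                ; _lwrite result, restored last
PUSH EAX                                ; scratch slot for lpflOldProtect
iWin32 VirtualProtect, ESI, 1000H, EDI, ESP
POP EAX                                 ; discard old protection
POP EAX                                 ; EAX = _lwrite result
CMP EAX, HFILE_ERROR
JE @F
ADD ESI, 1000H
SUB EBX, 1000H ;EAX
JG @B                                   ; signed: continue while bytes remain
@@:
iWin32 _lclose, Written
DRet:
RET
DumpIt ENDP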
;Microsoft (Visual) C code patterns before GetVersion (and GetCommandLineA)
; Byte patterns the MSVC run-time emits just before its early GetVersion
; call; NewGetVersion compares them at return address + DLLstart and at
; return address + EXEstart.  Decoded:
;   DLLbytes: 8B 44 24 08  mov  eax, [esp+8]       (a DllMain's fdwReason)
;             83 F8 01     cmp  eax, 1             (DLL_PROCESS_ATTACH)
;             0F 85        jne  rel32              (opcode only)
;   EXEbytes: 53 56 57     push ebx / push esi / push edi
;             89 65 E8     mov  [ebp-18h], esp
;             FF 15        call dword ptr [imm32]  (opcode only)
; Shift is the length IsBadReadPtr probes from ret+DLLstart; 19 = -DLLstart,
; so the window reaches exactly up to the return address and covers both
; patterns.
DLLstart = -19
DLLbytes BYTE 8BH,44H,24H,08H,83H,0F8H,01H,0FH,85H
LDLLbytes = $-DLLbytes                  ; 9 bytes
EXEstart = -12
EXEbytes BYTE 53H,56H,57H,89H,65H,0E8H,0FFH,15H
LEXEbytes = $-EXEbytes                  ; 8 bytes
Shift = 19
;------------------------------------------------------------------
IFDEF Soft9x
;-----------------------------------------------------------------------
; FARPROC WINAPI NewGetProcAddress(HMODULE hLibrary, LPCSTR lpszProc)
; Soft9x build only: hook for kernel32!GetProcAddress.  When hLibrary is
; KERNEL32, CRTDLL or MSVCRT and lpszProc names one of the APIs listed
; via CmpApi below, the address of the matching New* procedure is
; returned instead of the real export.  Everything else is forwarded to
; the real GetProcAddress by tail jump.
; Regs:  ESI = GetModuleHandleA, EDI = lstrcmpA, both loaded with iMOV
;        (presumably the import-slot contents; macro not visible here)
; The two exits differ: the forwarding path pops ESI/EDI and runs LEAVE
; by hand so the tail jump sees the caller's original frame; RetMe lets
; the assembler emit the USES/frame epilogue for a normal RET.
; NOTE(review): lpszProc may legitimately be an ordinal (HIWORD zero);
; nothing checks for that before lstrcmpA, so the compare presumably
; relies on lstrcmpA's own fault handling -- confirm on the target.
;-----------------------------------------------------------------------
NewGetProcAddress PROC USES ESI EDI ,hLibrary, lpszProc
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
iMOV ESI, GetModuleHandleA
iMOV EDI, lstrcmpA
; CmpApi Name:  if lstrcmpA(lpszProc, sName) == 0 then EAX = NewName and return.
CmpApi MACRO __ApiNomen
sWin32 EDI, lpszProc, s&__ApiNomen
TEST EAX, EAX
JNE @F
MOV EAX, New&__ApiNomen
JMP RetMe
@@:
ENDM
; Compare by handle: GetModuleHandleA(name) against hLibrary.
sWin32 ESI, sKERNEL32
CMP EAX, hLibrary
JNE CheckCRTDLL
CmpApi GetVersion
CmpApi GetCommandLineA
CmpApi GetStartupInfoA
CmpApi GetStdHandle
CmpApi ExitProcess
CmpApi LoadLibraryA
CmpApi VirtualQuery
CmpApi GetProcAddress
CheckCRTDLL:
sWin32 ESI, sCRTDLL
CMP EAX, hLibrary
JNE CheckMSVCRT
CmpApi __GetMainArgs
CmpApi __set_app_type
CheckMSVCRT:
sWin32 ESI, sMSVCRT
CMP EAX, hLibrary
JNE CheckDone
CmpApi _open_osfhandle
CheckDone:
Return:
; Manual epilogue, then tail jump to the real API with the caller's frame.
POPc ESI, EDI
LEAVE
iWin32j GetProcAddress
RetMe:
RET                                     ; assembler-generated epilogue (USES / frame)
NewGetProcAddress ENDP
ENDIF
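;-----------------------------------------------------------------------
; SIZE_T WINAPI NewVirtualQuery(LPCVOID lpvAddress,
;                               PMEMORY_BASIC_INFORMATION pmbiBuffer,
;                               SIZE_T cbLength)
; Hook for kernel32!VirtualQuery.  If lpvAddress lies inside this DLL's
; own image -- the ranges are bounded by the code segments named
; kernel32, crtdll and msvcrt declared in this file -- the query is made
; for a real API address instead (ExitProcess, __GetMainArgs or
; __set_app_type, loaded with iMOV; presumably the import-slot
; contents), so the caller sees the genuine module's page information.
; Any other address is queried as given.  Returns whatever the real
; VirtualQuery returns.
; Each ECX load is placed *before* its JB so that the branch leaves ECX
; already holding the right address; this relies on iMOV not altering
; the flags set by the preceding CMP (a plain MOV from an import slot
; would not -- confirm the macro).  The "- 13F0H" on the first bound is
; not explained here; presumably it covers the headers and sections that
; precede the kernel32 code segment.
; Fix: on Hard9x a call from a foreign process jumped to the query with
; ECX never assigned (GetCurrentProcessId had just clobbered it); such
; calls now query lpvAddress unchanged.
;-----------------------------------------------------------------------
NewVirtualQuery PROC lpvAddress, pmbiBuffer, cbLength
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE AsIs                                ; foreign process: query the address as given
ENDIF
MOV EAX, lpvAddress
CMP EAX, OFFSET kernel32 - 13F0H
MOV ECX, lpvAddress
JB DoQuery                              ; below this DLL: unchanged
CMP EAX, OFFSET crtdll
iMOV ECX, ExitProcess
JB DoQuery                              ; inside the kernel32 segment: ask about the real ExitProcess
CMP EAX, OFFSET msvcrt
iMOV ECX, __GetMainArgs
JB DoQuery                              ; inside the crtdll segment: ask about the real __GetMainArgs
CMP EAX, OFFSET msvcrt + 1000H
iMOV ECX, __set_app_type
JB DoQuery                              ; inside the msvcrt segment: ask about the real __set_app_type
AsIs:
MOV ECX, lpvAddress                     ; above this DLL (or foreign process): unchanged
DoQuery:
Return:
iWin32 VirtualQuery, ECX, pmbiBuffer, cbLength
RET
NewVirtualQuery ENDP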
;------------------------------------------------------------------
.code crtdll
;-----------------------------------------------------------------------
; New__GetMainArgs -- hook for crtdll!__GetMainArgs (code segment "crtdll")
; Called by newer C start-up code per the existing comment.  The return
; address [ESP] is handed to DumpIt, which finds the module base from it;
; then a tail jump to the real function, so the caller's arguments stay
; on the stack.
; Hard9x: calls from any process other than MyPID pass straight through.
;-----------------------------------------------------------------------
New__GetMainArgs PROC ;for newer C compilers
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                           ; return address into the caller
sWin32 DumpIt, EIP
Return:
iWin32j __GetMainArgs                   ; tail jump to the real function
New__GetMainArgs ENDP
;-----------------------------------------------------
;-----------------------------------------------------------------------
; New_open_osfhandle -- hook for crtdll!_open_osfhandle
; Same shape as New__GetMainArgs: dump from the return address [ESP],
; then tail-jump to the real function with the stack untouched.
; Hard9x: calls from any process other than MyPID pass straight through.
;-----------------------------------------------------------------------
New_open_osfhandle PROC ;for newer C compilers
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                           ; return address into the caller
sWin32 DumpIt, EIP
Return:
iWin32j _open_osfhandle                 ; tail jump to the real function
New_open_osfhandle ENDP
;-----------------------------------------------------
.CODE msvcrt
;-----------------------------------------------------------------------
; New__set_app_type -- hook for msvcrt!__set_app_type (code segment "msvcrt")
; Dump from the return address [ESP], then tail-jump to the real function
; with the stack untouched.
; Hard9x: calls from any process other than MyPID pass straight through.
;-----------------------------------------------------------------------
New__set_app_type PROC ;for newer C compilers
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                           ; return address into the caller
sWin32 DumpIt, EIP
Return:
iWin32j __set_app_type                  ; tail jump to the real function
New__set_app_type ENDP
.CODE kernel32
;-----------------------------------------------------------------------
; HANDLE WINAPI NewGetStdHandle(DWORD nStdHandle) -- hook for kernel32!GetStdHandle
; Console start-up code calls this early.  Dump from the return address
; [ESP], then tail-jump to the real API with the argument still on the
; stack.
; Hard9x: calls from any process other than MyPID pass straight through.
;-----------------------------------------------------------------------
NewGetStdHandle PROC ;for console applications
IFDEF Hard9x
iWin32 GetCurrentProcessId
CMP EAX, MyPID
JNE Return
ENDIF
EIP EQU [ESP]                           ; return address into the caller
sWin32 DumpIt, EIP
Return:
iWin32j GetStdHandle                    ; tail jump to the real API
NewGetStdHandle ENDP
;-----------------------------------------------------
.DATA
; Hook flags: HOOK_ALL on every build, plus H_H on Hard9x (both constants
; come from ApiHooks.inc; their meaning is not visible here).
IFDEF Hard9x
HHH = HOOK_ALL+H_H
ELSE
HHH = HOOK_ALL
ENDIF
; Hard9x: one unhook record (UnhookXxx) per patched API, consumed by
; UnhookApi at DLL_PROCESS_DETACH.  What the second operand (19/20/21)
; means is defined by the MkUnhook macro in ApiHooks.inc -- presumably
; the capacity of the WhereWhat table -- not visible here.
IFDEF Hard9x
MkUnhook GetVersion, 19
MkUnhook GetCommandLineA,19
MkUnhook GetStartupInfoA,19
MkUnhook __GetMainArgs, 19
MkUnhook _open_osfhandle,19
MkUnhook __set_app_type, 19
MkUnhook GetStdHandle, 19
MkUnhook ExitProcess, 21
MkUnhook LoadLibraryA, 20
MkUnhook VirtualQuery, 19
ENDIF
; Hook table named "Cdump" (presumably what the /EXPORT:Cdump in the
; build lines exports).  MkHook operands: <?>, <module>, <API>, <flags>;
; entries with an empty module field are all kernel32 exports, so that
; is presumably the default.
BeginHooks Cdump
IFDEF Soft9x
MkHook , , GetProcAddress, HHH
ENDIF
MkHook , , GetVersion, HHH
MkHook , , GetCommandLineA, HHH
MkHook , , GetStartupInfoA, HHH
MkHook ,CRTDLL, __GetMainArgs, HHH
MkHook ,CRTDLL, _open_osfhandle, HHH
MkHook ,MSVCRT, __set_app_type, HHH
MkHook , , GetStdHandle, HHH
MkHook , , ExitProcess, HHH
MkHook , , LoadLibraryA, HHH
MkHook , , VirtualQuery, HHH
EndHooks
; String constants.  TEXTA presumably emits an "s"-prefixed label
; (sKERNEL32, sGetVersion, ...), which is how NewGetProcAddress and its
; CmpApi macro refer to them.  The three CRT names are given an explicit
; <name/0> text; the reason the default form is not used for them is
; not visible here.
TEXTA KERNEL32,
TEXTA CRTDLL,
TEXTA MSVCRT,
IFDEF Soft9x
TEXTA GetProcAddress,
ENDIF
TEXTA GetVersion,
TEXTA GetCommandLineA,
TEXTA GetStartupInfoA,
TEXTA __GetMainArgs, <__GetMainArgs/0>
TEXTA __set_app_type, <__set_app_type/0>
TEXTA _open_osfhandle,<_open_osfhandle/0>
TEXTA GetStdHandle,
TEXTA ExitProcess,
TEXTA LoadLibraryA,
TEXTA VirtualQuery,
; Entry point: DllMain on Hard9x.  On the other builds DllMain is an
; empty text macro (ELSE branch near the top of the file), so this is a
; plain END -- matching the /NOENTRY link option those builds use.
END DllMain
:TRANSLATE
@ECHO OFF
REM Build script.  This file is also a valid batch file: the ";@GOTO TRANSLATE"
REM on its second line skips the assembler source above, and ML is pointed at
REM Cdump.bat, i.e. at this very file.
REM Three variants, each defining one assembler symbol:
REM   NTonly : CdumpNT.dll      - no DllMain, hence /NOENTRY
REM   Soft9x : Cdump9xSoft.dll  - also hooks GetProcAddress; /NOENTRY
REM   Hard9x : Cdump9xHard.dll  - has DllMain; .data and .bss are linked
REM            shared with /SECTION:name,S and the image is based at
REM            0BFA50000h, above the 80000000h boundary the code treats as
REM            shared space on Win9x
REM /MERGE folds the data and import sections into the section named
REM kernel32; PESTUB.EXE is a custom DOS stub, not shown here.
ML /c /coff /DNTonly /nologo Cdump.bat
LINK3 Cdump /OUT:CdumpNT.dll /MERGE:.data=kernel32 /IGNORE:4078,4060 /STUB:PESTUB.EXE /nologo /DLL /NOENTRY /EXPORT:Cdump,@1,NONAME /SUBSYSTEM:WINDOWS /MERGE:.rdata=kernel32 /MERGE:.idata=kernel32 /BASE:0X77770000
ML /c /coff /DSoft9x /nologo Cdump.bat
LINK3 Cdump /OUT:Cdump9xSoft.dll /MERGE:.data=kernel32 /IGNORE:4078,4060 /STUB:PESTUB.EXE /nologo /DLL /NOENTRY /EXPORT:Cdump,@1,NONAME /SUBSYSTEM:WINDOWS /MERGE:.rdata=kernel32 /MERGE:.idata=kernel32 /BASE:0X77770000
ML /c /coff /DHard9x /nologo Cdump.bat
LINK3 Cdump /OUT:Cdump9xHard.dll /IGNORE:4078,4060,4086,4092 /STUB:PESTUB.EXE /nologo /DLL /EXPORT:Cdump,@1,NONAME /SUBSYSTEM:WINDOWS /MERGE:.rdata=kernel32 /MERGE:.idata=kernel32 /SECTION:.data,S /SECTION:.bss,S /BASE:0XBFA50000
REM Remove intermediates; only the three DLLs are kept.
DEL Cdump.obj
DEL CdumpNT.exp
DEL CdumpNT.lib
DEL Cdump9xSoft.exp
DEL Cdump9xSoft.lib
DEL Cdump9xHard.exp
DEL Cdump9xHard.lib