;@GOTO TRANSLATE
; Polyglot source: as a batch file, the first line (";@GOTO") jumps to the
; :TRANSLATE label that follows END and assembles/links this very file (ML is
; given Exec.bat); as MASM input, ";" makes that line a comment and nothing
; after END is assembled. Lines before :TRANSLATE are therefore never run by
; cmd, and lines after END are never seen by ML.
;
; Syntax/target: MASM, Intel syntax, 32-bit flat model, STDCALL.
; iWin32 / iWin32j / PUSHp / POPc / TEXTA / MkHook / BeginHooks / EndHooks are
; macros from APIMACRO.mac and ApiHooks.inc, not visible here. Comments below
; that describe them are assumptions marked as such — confirm against the
; include files.
.586P
.MODEL FLAT, STDCALL
OPTION CASEMAP: NONE
INCLUDE WINDOWS.inc
UNICODE = FALSE
INCLUDE APIMACRO.mac
INCLUDE ApiHooks.inc
INCLUDELIB iKERNEL32.lib
INCLUDELIB iUSER32.lib
INCLUDELIB iApiHooks.lib
;------------------------------------------------------------------
.DATA
; Module-global, zero-initialised PROCESS_INFORMATION / STARTUPINFO used by
; NewLoadModule and NewWinExec. They are shared by every thread of the host
; that reaches those hooks, so two concurrent hooked calls race on prinfo
; (one call may close/resume the other's handles).
; NOTE(review): nothing in this file ever writes stinfo.cb or stinfo.dwFlags;
; CreateProcess expects cb = SIZEOF STARTUPINFO, and wShowWindow is only
; honoured when dwFlags contains STARTF_USESHOWWINDOW — so the wShowWindow
; writes below are probably ignored. Confirm against the Win32 docs.
prinfo PROCESS_INFORMATION <>
; NOTE(review): the "<>" initialiser present on prinfo appears to have been
; lost from this line in transcription; the original most likely read
; "stinfo STARTUPINFO <>".
stinfo STARTUPINFO
; TEXTA presumably emits an ANSI string for each name and defines sNAME
; (address-valued — the code below uses sHookDll/sFree/sCaptured directly as
; pointers) plus LNAME, its length. Whether LNAME counts the terminating NUL
; cannot be told from here; the REPE CMPSB in NewMessageBoxA only lines up
; with lstrlen's result if it does. Confirm in APIMACRO.mac.
; HookDll: name of the DLL handed to EstablishApiHooksA for each child process.
TEXTA HookDll,
TEXTA KERNEL32,
TEXTA CreateProcessA,
TEXTA CreateProcessW,
TEXTA LoadModule,
TEXTA WinExec,
TEXTA USER32,
TEXTA MessageBoxA,
TEXTA Free,
; Explicit text override: the replacement that NewMessageBoxA writes into the
; caller's lpText buffer when the text ends with the sFree string.
TEXTA Captured, <*CAPTURED*/0>
; Local copy of the Win32 LOADPARMS32 block that LoadModule receives as
; lpParameterBlock: environment pointer, length-prefixed command line, pointer
; to a two-WORD show-command block, reserved DWORD.
LOADPARMS32 STRUCT
lpEnvAddress LPSTR ?
lpCmdLine LPSTR ?
lpCmdShow LPSTR ?
dwReserved DWORD NULL
LOADPARMS32 ENDS
.CODE
;Any pointer dereference must be surrounded by SEH frame to catch
;invalid pointers!!!
; NOTE(review): none of the PROCs below actually installs an SEH frame.
; NewLoadModule reads through lpParameterBlock, lpCmdShow and lpCmdLine, and
; NewMessageBoxA reads/writes through lpText; a bad pointer from the hooked
; caller therefore faults inside this hook rather than inside the original API.
;Helper part-----------
;------------------------------------------------------------------
; BOOL NewCreateProcessA(... same 10 STDCALL args as CreateProcessA ...)
; Hook for CreateProcessA. Always creates the child CREATE_SUSPENDED so that
; EstablishApiHooksA can act on it (presumably loading sHookDll into the child
; — see ApiHooks.inc) before the child's first instruction runs, then resumes
; the primary thread unless the caller itself requested CREATE_SUSPENDED.
; Out:   EAX = CreateProcessA's result (0 on failure, lpProcessInformation
;        untouched in that case).
; Uses:  EBX, saved/restored by PUSHp/POPc around the hook setup.
; Detection note: suspended create → hook install in the child → ResumeThread
; on every child is the behavioural signature of this module.
; NOTE(review): EstablishApiHooksA's return value is never checked; if it fails
; the child is simply resumed unhooked and the caller still sees success.
NewCreateProcessA PROC lpApplicationName, lpCommandLine,\
 lpProcessAttributes, lpThreadAttributes,\
 bInheritHandles, dwCreationFlags, \
 lpEnvironment, lpCurrentDirectory,\
 lpStartupInfo, lpProcessInformation
        MOV     EAX, dwCreationFlags
        OR      EAX, CREATE_SUSPENDED           ; force a suspended start
        iWin32 CreateProcessA, lpApplicationName, lpCommandLine,\
 lpProcessAttributes, lpThreadAttributes,\
 bInheritHandles, EAX,\
 lpEnvironment, lpCurrentDirectory,\
 lpStartupInfo, lpProcessInformation
        TEST    EAX, EAX
        JE      @Failed                         ; propagate failure unchanged
        PUSHp   EAX, EBX                        ; keep the BOOL result; save EBX
        MOV     EBX, lpProcessInformation
        ASSUME  EBX: PTR PROCESS_INFORMATION    ; (never reset with ASSUME EBX: NOTHING)
        iWin32 EstablishApiHooksA, sHookDll, [EBX].dwProcessId
        TEST    dwCreationFlags, CREATE_SUSPENDED
        JNE     @F                              ; caller wanted it suspended: leave it
        iWin32 ResumeThread, [EBX].hThread
@@:
        POPc    EAX, EBX                        ; restore EBX and the result
@Failed:
        RET
NewCreateProcessA ENDP
;------------------------------------------------------------------
; BOOL NewCreateProcessW(... same 10 STDCALL args as CreateProcessW ...)
; Wide-character twin of NewCreateProcessA: identical logic, calls
; CreateProcessW. Note the hook DLL name (sHookDll) and EstablishApiHooksA are
; still the ANSI variants.
; Out:   EAX = CreateProcessW's result.  Uses: EBX (saved/restored).
NewCreateProcessW PROC lpApplicationName, lpCommandLine,\
 lpProcessAttributes, lpThreadAttributes,\
 bInheritHandles, dwCreationFlags, \
 lpEnvironment, lpCurrentDirectory,\
 lpStartupInfo, lpProcessInformation
        MOV     EAX, dwCreationFlags
        OR      EAX, CREATE_SUSPENDED           ; force a suspended start
        iWin32 CreateProcessW, lpApplicationName, lpCommandLine,\
 lpProcessAttributes, lpThreadAttributes,\
 bInheritHandles, EAX,\
 lpEnvironment, lpCurrentDirectory,\
 lpStartupInfo, lpProcessInformation
        TEST    EAX, EAX
        JE      @Failed
        PUSHp   EAX, EBX
        MOV     EBX, lpProcessInformation
        ASSUME  EBX: PTR PROCESS_INFORMATION
        iWin32 EstablishApiHooksA, sHookDll, [EBX].dwProcessId
        TEST    dwCreationFlags, CREATE_SUSPENDED
        JNE     @F                              ; caller asked for suspended: don't resume
        iWin32 ResumeThread, [EBX].hThread
@@:
        POPc    EAX, EBX
@Failed:
        RET
NewCreateProcessW ENDP
;------------------------------------------------------------------
; DWORD NewLoadModule(LPCSTR lpModuleName, LPVOID lpParameterBlock)
; Hook for LoadModule. Re-expresses the LOADPARMS32 block as a CreateProcessA
; call (suspended), hooks the child, resumes it and reports success with the
; conventional "> 31" value. If the block's show-command word is not the
; required 2, or CreateProcessA fails, the frame is dropped and control is
; tail-jumped to the real LoadModule with the caller's original arguments.
; Out:   EAX = 32 on success; otherwise whatever the real LoadModule returns.
; Uses:  EAX, ECX, EDX; the shared stinfo/prinfo globals (not thread-safe).
; NOTE(review): the three pointer dereferences here have no SEH protection,
; contrary to the header comment above.
NewLoadModule PROC lpModuleName, lpParameterBlock
        MOV     EAX, lpParameterBlock
        ASSUME  EAX: PTR LOADPARMS32            ; stays in effect for later PROCs too
        MOV     ECX, [EAX].lpCmdShow            ; ECX -> { WORD 2, WORD nCmdShow }
        MOV     EDX, [EAX].lpCmdLine            ; EDX -> length-prefixed command line
        CMP     WORD PTR [ECX], 2               ; LoadModule requires the first word to be 2
        JNE     @Fail
        MOV     CX, [ECX+2]                     ; CX = nCmdShow
        CMP     BYTE PTR [EDX], 0               ; empty command line?  (ZF is consumed by JE below)
        MOV     stinfo.wShowWindow, CX          ; MOV keeps the flags from CMP intact
        MOV     ECX, 0                          ; MOV rather than XOR: XOR would clobber ZF
        JE      @F                              ; empty -> pass NULL as the command line
        LEA     ECX, [EDX+1]                    ; skip the length byte
                                                ; NOTE(review): assumes the text after the length
                                                ; byte is NUL-terminated, as LoadModule documents — confirm
@@:
        iWin32 CreateProcessA, lpModuleName, ECX, \
 NULL, NULL, FALSE, CREATE_SUSPENDED,\
 [EAX].lpEnvAddress, NULL,\
 OFFSET stinfo, OFFSET prinfo
        TEST    EAX, EAX
        JNE     @F
@Fail:
        LEAVE                                   ; tear down this frame first...
        iWin32j LoadModule                      ; ...then presumably JMP to the real API,
                                                ; which returns straight to our caller
@@:
        iWin32 EstablishApiHooksA, sHookDll, prinfo.dwProcessId
        iWin32 CloseHandle, prinfo.hProcess
        iWin32 ResumeThread, prinfo.hThread
        iWin32 CloseHandle, prinfo.hThread
        MOV     EAX, 32                         ; LoadModule: any value > 31 means success
        RET
NewLoadModule ENDP
;------------------------------------------------------------------
; UINT NewWinExec(LPCSTR lpszCmdLine, UINT fuCmdShow)
; Hook for WinExec: same strategy as NewLoadModule — CreateProcessA with
; CREATE_SUSPENDED, hook the child, resume, return 32. On CreateProcessA
; failure the frame is dropped and the real WinExec is tail-jumped.
; Out:   EAX = 32 on success; otherwise the real WinExec's result.
; Uses:  EAX; the shared stinfo/prinfo globals (not thread-safe).
NewWinExec PROC lpszCmdLine, fuCmdShow
        MOV     EAX, fuCmdShow
        MOV     stinfo.wShowWindow, AX          ; low WORD only (see stinfo note re dwFlags)
        iWin32 CreateProcessA, NULL, lpszCmdLine, \
 NULL, NULL, FALSE, CREATE_SUSPENDED,\
 NULL, NULL,\
 OFFSET stinfo, OFFSET prinfo
        TEST    EAX, EAX
        JNE     @F
        LEAVE                                   ; fall back to the real WinExec
        iWin32j WinExec
@@:
        iWin32 EstablishApiHooksA, sHookDll, prinfo.dwProcessId
        iWin32 CloseHandle, prinfo.hProcess
        iWin32 ResumeThread, prinfo.hThread
        iWin32 CloseHandle, prinfo.hThread
        MOV     EAX, 32                         ; WinExec: any value > 31 means success
        RET
NewWinExec ENDP
;------------------------------------------------------------------
;Executive part-----------
;------------------------------------------------------------------
; int NewMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
; Hook for MessageBoxA. If lpText ends with the sFree string, that tail is
; overwritten in place with sCaptured — in the caller's own buffer, after
; temporarily making its pages PAGE_READWRITE — and the real MessageBoxA is
; then tail-jumped with the (possibly rewritten) arguments.
; Uses:  EAX, ECX, EDX, DF; ESI/EDI saved and restored via PUSHp/POPc.
; NOTE(review): neither VirtualProtect result is checked. If the first one
; fails (text in a mapping that cannot be made writable) the REP MOVSB below
; writes to read-only memory and the host process faults. A NULL lpText is
; not rejected either: lstrlen(NULL) returns 0, and CMPSB then reads from
; address 0. This block also has no SEH frame.
; NOTE(review): the copy length is LCaptured while only LFree bytes were
; matched; if LCaptured > LFree the write extends beyond the matched tail,
; past the end of the caller's string (and past the region VirtualProtect'ed).
NewMessageBoxA PROC hWnd, lpText, lpCaption, uType
        PUSHp   ESI, EDI
        MOV     EDI, lpText
        iWin32 lstrlen, EDI                     ; EAX = strlen(lpText)
        MOV     ESI, (sFree + LFree-1)          ; ESI -> last byte of the sFree pattern
        PUSHp   EAX, EAX                        ; 1st slot keeps the length, 2nd slot (top) receives old protection
        iWin32 VirtualProtect, EDI, EAX, PAGE_READWRITE, ESP      ; ESP = &old-protection slot
        POPc    EAX, EDX                        ; EAX = length, EDX = old protection
                                                ; (assumes POPc pops in reverse operand order — confirm)
        ADD     EDI, EAX                        ; EDI -> terminating NUL of lpText
        STD                                     ; compare backwards from the end
        MOV     ECX, LFree
        REPE    CMPSB                           ; does lpText end with sFree?
        CLD                                     ; CLD leaves ZF alone, so JNE sees CMPSB's result
        JNE     @F
        MOV     ESI, sCaptured
        INC     EDI                             ; EDI -> first byte of the matched tail
        MOV     ECX, LCaptured
        REP     MOVSB                           ; overwrite it with sCaptured
@@:
        PUSH    EAX                             ; scratch slot for the old-protection output
        iWin32 VirtualProtect, lpText, EAX, EDX, ESP      ; restore the original protection
        POP     EAX
        POPc    ESI, EDI
        LEAVE                                   ; drop the frame, then tail-jump the real API
        iWin32j MessageBoxA
NewMessageBoxA ENDP
;------------------------------------------------------------------
; Hook table exported as ApiHookChain (see /EXPORT in the batch tail).
; The empty first two MkHook fields presumably default to the NewXxx PROC of
; the same name in this file and to KERNEL32 (cf. the TEXTA KERNEL32/USER32
; strings above) — confirm in ApiHooks.inc.
BeginHooks ApiHookChain
;Exec
MkHook ,, CreateProcessA
MkHook ,, CreateProcessW
MkHook ,, LoadModule
MkHook ,, WinExec
MkHook ,USER32, MessageBoxA
EndHooks
;------------------------------------------------------------------
END
:TRANSLATE
@ECHO OFF
rem Build step, reached via the GOTO on line 1. ML assembles this same file
rem (Exec.bat) to a COFF object; batch comments here must use "rem" because
rem cmd would treat a leading ";" as a separator and execute the rest.
ML /c /coff /nologo Exec.bat
rem Alternative link kept for reference: exports a single NONAME ordinal instead
rem of the hook table.
rem LINK3 Exec /nologo /DLL /NOENTRY /EXPORT:Exec,@1,NONAME /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /MERGE:.idata=.text /IGNORE:4078 /BASE:0X77400000
rem /NOENTRY: DLL without a DllMain. /MERGE folds .rdata and the import table
rem into .text and /IGNORE:4078 silences the resulting "sections with different
rem attributes" linker warning; /BASE pins the preferred load address, so the
rem loader must relocate the DLL if that range is already in use in the host.
LINK3 Exec /nologo /DLL /NOENTRY /EXPORT:ApiHookChain,@3 /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /MERGE:.idata=.text /IGNORE:4078 /BASE:0X77400000
rem Remove intermediates; only Exec.dll is kept.
DEL Exec.obj
DEL Exec.exp
DEL Exec.lib