Stone's Pseudo resident APIHOOK / resident patcher

A better doc will be released on request!

Oy - welcome to the source code for my perhaps largest project so far. Well,
the source code doesn't look like much, but I guarantee you that I've debugged
more doing this project than any previous project. For instance I've taken
apart the LoadLibraryA API call. I've taken apart the GetThreadContext API
and found some very surprising things about it, something I have to believe is
a bug. It is also worth noting that this is in fact a special case of an
application debugger - well - you might think that a system debugger can debug
anything. And well.. it can. But it's not very funny debugging a debugger,
because Winice intercepts the debug messaging. And of course debugging around
inside ring 0 (and changing stuff to test hypotheses) is probably the best way
of making a system unstable. So basically what I mean is: I spent a lot of time
on this. So... I hope you enjoy it.

Anyway: all the code is mine, but the general concept is adopted from
API-spy by Matt Pietrek. While this has many similarities with Pietrek's work,
this is specialized to patching and intercepting with cracking in mind.

Also I'd like to thank: Net Walker / Brazil
                        Quine / +HCU
                        Acp / UCF
                        Jammer / UCF
                        and my landlord, friend and local expert Patriarch / PWA


Okies let's get to it.


How to use it:
Currently it's calibrated to patch target.exe so that before each MessageBoxA
it displays a message box saying something else. Obviously this needs to be
made into a patching routine or something. This should be pretty easy to
figure out.

Next, 3 things need to be changed in stnapih.asm in order to fit your purpose:

1) The file name of the target needs to be changed. This is obviously easy.

2) You need to find an "AbusePage": the VA of a page within the image of the
   file. It must be Read/Write/Execute, and it can't be where the IAT is.
   Basically just use the first page of the DATA section or wherever the
   program stores its data. It is not very sensitive - just about any
   virtual address will do.

3) CHUNKVA needs to be filled in with the VA of the chunk fitting the API
   function you wish to hook. How you find that: pedump your file, and it'll
   give you the first chunk RVA of each DLL the program uses. If you don't
   wanna hook the first function, just count the functions, starting with 0
   for the first, multiply this number by 4 and add the first chunk RVA. Then
   add the ImageBase to get from RVA to VA.
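To see where the numbers in step 3 come from, here is an added example (my own, not part of Stone's sources) that walks a PE32 import directory and lists, for every imported function, the IAT slot RVA (first chunk RVA + 4 * index) and the VA you get after adding ImageBase. It runs on a minimal PE32 image that build_sample_pe() constructs in memory; the DLL and function names in that image are sample data, not read from any real file. The same slot list is what a checker would baseline when verifying that an IAT entry still points at the DLL's real export.

```python
"""Walk a PE32 import directory and compute the VA of every IAT slot.

Added example, not Stone's code: reproduces step 3 of the README
(first chunk RVA + 4 * index, then + ImageBase) from the PE headers
instead of a pedump listing. The image comes from build_sample_pe(),
a constructed minimal PE32; its DLL/function names are sample data.
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table data directory


def slot_va(first_chunk_rva, index, image_base):
    """The README's recipe: first chunk RVA + 4 * function index + ImageBase."""
    return image_base + first_chunk_rva + 4 * index


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def iat_slots(image):
    """Return {dll: [(index, name, slot_rva, slot_va), ...]} for a PE32 file image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    fh = struct.unpack_from("<I", image, 0x3C)[0] + 4  # file header follows "PE\0\0"
    if image[fh - 4:fh] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", image, opt + 92)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {}
    imp_rva = struct.unpack_from("<I", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return {}
    sh = opt + opt_size  # section headers: VirtualAddress, SizeOfRawData, PointerToRawData at +12
    sections = [struct.unpack_from("<III", image, sh + 40 * i + 12) for i in range(nsect)]
    result, desc = {}, rva_to_offset(sections, imp_rva)
    while True:  # one IMAGE_IMPORT_DESCRIPTOR (20 bytes) per DLL, all-zero one ends the list
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0 and iat_rva == 0:
            break
        dll = read_cstr(image, rva_to_offset(sections, name_rva))
        thunks = rva_to_offset(sections, ilt_rva or iat_rva)  # names via the ILT when present
        entries, idx = [], 0
        while True:
            thunk = struct.unpack_from("<I", image, thunks + 4 * idx)[0]
            if thunk == 0:
                break
            if thunk & 0x80000000:
                name = "ordinal#%d" % (thunk & 0xFFFF)
            else:
                name = read_cstr(image, rva_to_offset(sections, thunk) + 2)  # skip 2-byte hint
            entries.append((idx, name, iat_rva + 4 * idx, slot_va(iat_rva, idx, image_base)))
            idx += 1
        result[dll] = entries
        desc += 20
    return result


def build_sample_pe(image_base=0x400000):
    """Construct a minimal PE32 file with one .idata section (sample imports only)."""
    sec_rva = 0x1000  # section laid out so that file offset == RVA
    imports = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"],
               "USER32.dll": ["MessageBoxA"]}
    body = bytearray(20 * (len(imports) + 1))  # descriptors + null terminator
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:  # hint/name entry: 2-byte hint, name, NUL, padded to even size
            name_rvas.append(sec_rva + len(body))
            body += b"\0\0" + f.encode() + b"\0" * (2 - len(f) % 2)
        dll_rva = sec_rva + len(body)
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)  # thunk tables are 4-byte aligned
        ilt_rva = sec_rva + len(body)
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        iat_rva = sec_rva + len(body)  # this is the "first chunk RVA" pedump shows
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        descs.append(struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva))
    body[:20 * len(descs)] = b"".join(descs)
    opt = struct.pack("<HBBIIIIII", 0x10B, 1, 0, 0, len(body), 0, sec_rva, sec_rva, sec_rva)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", image_base, 0x1000, 0x200,
                       4, 0, 0, 0, 4, 0, 0, sec_rva + 0x1000, 0x200, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (sec_rva, len(body))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    raw_size = -(-len(body) // 0x200) * 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, raw_size,
                       sec_rva, 0, 0, 0, 0, 0xC0000040)
    hdr = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt + sect)
    return bytes(hdr + b"\0" * (sec_rva - len(hdr)) + body + b"\0" * (raw_size - len(body)))


if __name__ == "__main__":
    for dll, entries in iat_slots(build_sample_pe()).items():
        print(dll, "first chunk RVA 0x%x" % entries[0][2])
        for idx, name, rva, va in entries:
            print("  %d  %-16s slot RVA 0x%x  VA 0x%x" % (idx, name, rva, va))
```

Point iat_slots() at the bytes of a real PE32 file and you get the same table pedump gives, already multiplied out: the entry for index N of a DLL is that DLL's first chunk RVA plus 4*N, and the VA column has ImageBase added. Only the on-disk IAT is read here; once the loader has run, the slots hold function addresses instead of hint/name RVAs, which is exactly the difference a hook checker looks for.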


Problems:
It's not a very compatible method. It'll do well in most cases, but not in all.
The good thing is that it'll get past checksums and hook just about any API locally.


Contacting:
email: stone@one.se
http://www.one.se/~stone


2nd&mi

