
Created: 26 May 2011 06:22

InLine Hooker
Hello,

so today I wanna release some kind of tool which I have made in the past. Maybe you sometimes have trouble unpacking some packers | protections which you want to patch, and in this case you can use some other usual tools like loaders etc., which have limited skills where you can just patch some single addresses etc., and in many cases loaders are not working or get detected or you get trouble with some CRC checks etc. So this was also a reason for me to create this new tool, which is just a small exe with some code created directly in Olly. So the main tool is InLine Hooker_Full.exe, which has 10 different API hooks enabled.

How does it work?
----------------------
InLine Hooker_Full.exe
+
Victim file [Add file as new section on the InLine Hooker_Full.exe]
+
User Patch [Write your patch into InLine Hooker_Full.exe at IBase+0DCDE]

Adding the real app is better to prevent file manipulation, so the file will always be created new if you execute your InLine Hooker. The newly created file is like the original file, so it's untouched, and you will see the difference if you start the newly created one alone.
----------------------
START OF USER PATCH
---------------------
0040DCB0 PUSHAD ; START OF USER PATCH!
0040DCB1 PUSHAD
0040DCB2 CALL 0040DCB7 ; InLine_H.0040DCB7
0040DCB7 POP EAX ;
0040DCB8 SUB EAX,3F07 ; Memsection START in EAX!
0040DCBD MOV EDI,EAX ; Memsection START to EDI,ESI,EBP,EBX!
0040DCBF MOV ESI,EAX
0040DCC1 MOV EBP,EAX
0040DCC3 MOV EBX,EAX
0040DCC5 MOV EDI,DWORD PTR DS:[EDI+68]
0040DCC8 ADD ESI,5C ; MEM START+5C = Free Address for VP old protect!
0040DCCB MOV EBP,DWORD PTR FS:[18] ; TEB to EBP
0040DCD2 MOV EBP,DWORD PTR DS:[EBP+30] ; PEB to EBP
0040DCD6 MOV EBP,DWORD PTR DS:[EBP+8] ; ImageBase to EBP
0040DCDA NOP ; ImageBase in EBP
0040DCDB NOP ; MemStart+5C in ESI
0040DCDC NOP ; VirtualProtect in EDI
0040DCDD NOP ; EBP ESI EDI Keep the same!
0040DCDE MOV EBX,EBP ; ImageBase to EBX
0040DCE0 ADD EBX,1000 ; Add EBX 1000 = Codesection Start
0040DCE6 CMP DWORD PTR DS:[EBX],0FFFFFF ; CMP [Codesection] for XXX
0040DCEC JNZ SHORT 0040DCFC ; Jump if not equal
0040DCEE PUSH ESI ; Push MEMSEC+5C = Free DWORD Store!
0040DCEF PUSH 40 ; Push PageExeCute Read | Write! NewProtect
0040DCF1 PUSH 10 ; Push Bytes to New Protect!
0040DCF3 PUSH EBX ; Push Address Start to protect!
0040DCF4 CALL EDI ; Call VirtualProtect
0040DCF6 MOV DWORD PTR DS:[EBX],0FFFFFF ; Mov Patch to [Codesection]!
0040DCFC NOP
0040DCFD NOP
----------------
-------- Keep same ---
EBP 01000000 ImageBase
ESI 0009005C Mem START + 5C
EDI 7C801AD0 kernel32.VirtualProtect <--- VP API
-----------------
----------
MemoryBlock+5c in ESI
-----------------------
0009005C 00000000 <-- location for VP old access store
00090060 7C800000 kernel32.7C800000
00090064 7C80AC28 kernel32.GetProcAddress
00090068 7C801AD0 kernel32.VirtualProtect
0009006C 7C801D77 kernel32.LoadLibraryA
00090070 77D10000 USER32.77D10000
00090074 66000000 MSVBVM60.66000000
00090078 77BE0000 msvcrt.77BE0000
0009007C 5F1A0000 olepro32.5F1A0000 <------- is ntdll.dll in ZW InLine Hooker!
00090080 7C80B529 kernel32.GetModuleHandleA
00090084 77C16F70 msvcrt.memcpy <--- Not hooked
00090088 7C812C8D kernel32.GetCommandLineA
0009008C 7C801EEE kernel32.GetStartupInfoA
00090090 7C8114AB kernel32.GetVersion
00090094 7C8017E5 kernel32.GetSystemTimeAsFileTime <------- is ntdll.ZwDelayExecution in ZW InLine Hooker!
00090098 6600357C MSVBVM60.ThunRTMain <--- Not hooked
0009009C 77C0537C msvcrt.__set_app_type
000900A0 77D288E1 USER32.DialogBoxParamA

The code above is just a small example template so you can set any InLines you want from this address on. Also you can add many other patches too if you need, till the end, which is here....
0040DE54 61 POPAD
0040DE55 61 POPAD
0040DE56 C3 RETN
0040DE57 90 NOP
0040DE58 90 NOP
0040DE59 90 NOP
0040DE5A 90 NOP
0040DE5B 90 NOP
0040DE5C 90 NOP
0040DE5D 90 NOP
0040DE5E 90 NOP
0040DE5F - EB FE JMP SHORT 0040DE5F ; InLine_H.0040DE5F
0040DE61 - EB FE JMP SHORT 0040DE61 ; InLine_H.0040DE61

If you need more free space then just move this code deeper in the exe. The double EBFE bytes are the end marker of reading your patches. So I have tested it with different protections and it's working with most of them. I have also created four example files with four different protections + patches where you can see the difference and for you to test and check them.

The script which I have written for this tool you can use if you want to disable one to nine API hooks and if you want to change the name of the exe file that will be created, and as always I have also made three movies where you can see how it works. Maybe this tool will help you with some of your files where other tools give up. Just test it if you want, and if something is not clear then you can ask in this topic of course.

PS: Read also the info files to get more info.
Note: The file will maybe be detected by your Anti Virus app, no fear, it's a false alert.

http://forum.tuts4you.com/app=core&module=attach&section=attach&attach_id=7169
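Two artefacts this construction leaves in the resulting file are a section that is both writable and executable (the stub needs VirtualProtect anyway, but the carrier section is typically mapped RWX) and a second MZ/PE header carried inside a section (the victim file added as a new section). As an added example that is not part of this post or of the tool, a dependency-free Python parser that walks the PE section table and reports both; the sample PE, its `.vict` section name and the inner stand-in header are constructed for the demo.

```python
import struct
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def parse_sections(data):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> (name, raw_ptr, raw_size, characteristics)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    out = []
    for i in range(nsec):  # section table follows the optional header
        name, _vs, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, pe + 24 + opt_size + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), rptr, rsize, chars))
    return out

def rwx_sections(data):
    """Names of sections mapped both writable and executable."""
    return [n for n, _, _, c in parse_sections(data) if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE]

def find_embedded_pe(data):
    """(section, file offset) of every 'MZ' inside a section whose e_lfanew lands on 'PE\\0\\0'."""
    hits = []
    for name, rptr, rsize, _ in parse_sections(data):
        blob, pos = data[rptr:rptr + rsize], 0
        while (pos := blob.find(b"MZ", pos)) != -1:
            if pos + 0x40 <= len(blob):  # room for a full DOS header
                lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
                if blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                    hits.append((name, rptr + pos))
            pos += 1
    return hits

def build_pe(sections):
    """Constructed minimal PE32 for this demo; sections = [(name, characteristics, payload)]."""
    pe_off, opt_size = 0x40, 0x60
    raw_ptr = (pe_off + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte file alignment
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102) + b"\0" * opt_size
    body = bytearray()
    for i, (name, chars, payload) in enumerate(sections):
        rsize = (len(payload) + 0x1FF) & ~0x1FF
        hdr += struct.pack(SECTION_HDR, name, len(payload), 0x1000 * (i + 1), rsize, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += payload.ljust(rsize, b"\0")
    return bytes(hdr.ljust(raw_ptr, b"\0") + body)

INNER_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 0x20  # constructed stand-in "victim"
SAMPLE = build_pe([(b".text", 0x60000020, b"\x55\x8b\xec" * 16),  # CODE | EXECUTE | READ
                   (b".data", 0xC0000040, b"\0" * 32),             # INITIALIZED_DATA | READ | WRITE
                   (b".vict", 0xE0000040, INNER_PE)])              # READ | WRITE | EXECUTE, carries a PE
```

On `SAMPLE`, `rwx_sections` reports only `.vict` and `find_embedded_pe` locates the inner header at that section's raw offset; run both over a real carrier to see whether it shows the same shape.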

