Что тут говорить, чисто для пруфа будущим хакерам
Инклуды:
; Searches for SSL class method table for Chrome
; ©2015 Sysenter [sysenter@jabber.no]
; Private®
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
;
; Overview: 32-bit MASM32 DLL (flat, stdcall).  On DLL_PROCESS_ATTACH,
; LibMain starts `thread`, which sleeps 3 s, resolves chrome.dll, walks its
; memory regions with VirtualQuery, searches each region for `sign` with
; StrIPos, derives PR_Write = match - 27h and installs an inline hook via
; HookAPI.  The handler `newPR_Write` echoes every buffer passed to the
; hooked function through OutputDebugStringA before calling the original.
;
; Observable artefacts in this listing: OutputDebugStringA output (">",
; the raw buffer, "<", plus the "Hook:" / "Signature" lines from
; MyDebugPrint), a PAGE_EXECUTE_READWRITE private allocation made by HookAPI
; for the trampoline, and the first 5 bytes of the resolved function inside
; chrome.dll's image rewritten to an E9 rel32 jump.
.686p
.model flat, stdcall                    ; 32 bit memory model
option casemap :none                    ; case sensitive
; *************
; include files
; *************
include E:\masm32\include\windows.inc
include E:\masm32\include\kernel32.inc
include E:\masm32\include\user32.inc
include E:\masm32\include\msvcrt.inc
include E:\masm32\include\ntdll.inc
include E:\masm32\macros\macros.asm
include StrIPos.inc                     ; substring search in a buffer
include Catchy32.inc                    ; instruction length disassembler
include HookAPI.inc                     ; API hook built on the length disassembler
; *********
; libraries
; *********
includelib E:\masm32\lib\gdi32.lib
includelib E:\masm32\lib\user32.lib
includelib E:\masm32\lib\kernel32.lib
includelib E:\masm32\lib\Comctl32.lib
includelib E:\masm32\lib\comdlg32.lib
includelib E:\masm32\lib\shell32.lib
includelib E:\masm32\lib\msvcrt.lib
.data
PR_Write DWORD ?                        ; set by `thread`; after a successful HookAPI it holds the trampoline address
sign db 83h, 0C4h, 14h, 83h, 0C8h, 0FFh, 5Dh, 0C3h, 0F6h, 41h, 34h, 01,0 ; byte pattern searched for, 0-terminated (12 bytes before the terminator)
;sign db 83h, 0C4h, 14h, 83h, 0C8h,0    ; earlier, shorter pattern (disabled)
base DWORD ?                            ; GetModuleHandleA("chrome.dll") result
cnt DWORD ?                             ; module-lookup attempt counter
stCS RTL_CRITICAL_SECTION <>            ; taken only around the HookAPI call in `thread`
.code
; Handler for the hooked function.
; In:  p1, p2, p3 - the three DWORD arguments of the hooked call (p2 is the
;      buffer that gets printed; p3 is only referenced in a disabled line).
;      Assumes the original is PR_Write(fd, buf, amount) -- TODO confirm.
; Out: eax - whatever the original returned.
; Emits ">" and p2, re-pushes the arguments, calls the original through the
; PR_Write DWORD, then emits "<".  The epilogue is a manual `leave`/`retn`
; rather than `ret`, so MASM emits no `ret 12`: the caller keeps cleaning the
; arguments (caller-cleanup convention, presumably that of the original).
; NOTE(review): p2 is handed to OutputDebugStringA as a NUL-terminated
; string, although only p3 bytes belong to the buffer.
newPR_Write proc near p1, p2, p3 : dword
pushad                                  ; preserve every register around the debug output
invoke OutputDebugStringA,chr$(">")
;invoke MyDebugPrint,chr$("PR_Write: Len"),p3
invoke OutputDebugStringA,p2
popad
;GetBaseDelta eax                       ; (disabled) would have computed a load delta into eax
push p3                                 ; arguments right-to-left for the original
push p2
push p1
call PR_Write                           ; indirect call through the DWORD (trampoline)
pushad
invoke OutputDebugStringA,chr$("<")
popad
add esp, 12                             ; caller cleanup for the three DWORDs pushed above
leave
retn
newPR_Write endp
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Computes the length of an array terminated by Marker.
; In:  InpStr - pointer to the array; Marker - terminator byte
; Out: eax (via `return`) - number of bytes before the first Marker
; Clobbers al, ecx, edx.  There is no upper bound: the scan continues until a
; Marker byte is encountered.
array_Len proc InpStr: dword, Marker : byte
xor ecx,ecx                             ; ecx = index
mov edx, InpStr
_L_lenght:
mov al, [ecx+edx]                       ; read the next array byte
inc ecx
cmp al, Marker                          ; compare it with Marker
jne _L_lenght
dec ecx                                 ; undo the increment counted for the Marker byte itself
return ecx
array_Len endp
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Worker thread started by LibMain on DLL_PROCESS_ATTACH.  param is unused.
; Steps: Sleep 3 s; GetModuleHandleA("chrome.dll"); walk regions from the
; module base with VirtualQuery until a query fails, RegionSize is 0 or a
; free region (AllocationBase == 0) is reached; StrIPos each region for
; `sign`; on a match PR_Write = match - 27h and HookAPI is invoked.
; Always returns 1.
; Locals: mbi - last VirtualQuery result; Address - next query address;
;         MemSize - written once, never read; SignLen - array_Len(sign, 0).
; Stack note: the `jmp` / `jnz` exits out of the .repeat leave the
; `PUSH eax` unbalanced; the proc epilogue (frame restore) absorbs it.
; NOTE(review): StrIPos compares case-insensitively, so pattern bytes in
; 41h-5Ah / 61h-7Ah (here 41h) also match their other-case counterpart.
; Regions are read without inspecting mbi.State / mbi.Protect, and the walk
; ends only at a free region, so it may continue past chrome.dll into
; adjacent allocations.
thread proc param:PVOID
LOCAL mbi:MEMORY_BASIC_INFORMATION
LOCAL Address:DWORD
LOCAL MemSize:DWORD
LOCAL SignLen:DWORD
xor eax,eax
mov cnt,eax                             ; cnt = 0
_L_Find_Module:
;invoke crt__sleep, 3000
invoke Sleep, 3000                      ; give the host process time to load chrome.dll
invoke GetModuleHandleA, chr$("chrome.dll")
test eax, eax
jz _L_module_not_found
mov base,eax
invoke MyDebugPrint,chr$("DLL_PROCESS_ATTACH. Start in base:"),base
invoke array_Len, addr sign, 0h         ; pattern length up to the 0 terminator
mov SignLen, eax
invoke MyDebugPrint,chr$("Signature lenght:"),SignLen
mov eax,base
mov Address,eax                         ; scan starts at the module base
xor eax,eax
mov MemSize,eax
mov mbi.RegionSize,eax                  ; so the first iteration adds 0 to Address
.repeat
mov eax,mbi.RegionSize
add Address,eax                         ; Address += size of the previous region
invoke VirtualQuery, Address, addr mbi, sizeof MEMORY_BASIC_INFORMATION ; describe the region containing Address
PUSH eax                                ; keep VirtualQuery's result for the .until test
invoke MyDebugPrint,chr$("Region Size:"),mbi.RegionSize
invoke MyDebugPrint,chr$("BaseAddress:"),mbi.BaseAddress
invoke MyDebugPrint,chr$("AllocationBase:"),mbi.AllocationBase
.if mbi.AllocationBase==0 || mbi.RegionSize==0
jmp L_sign_not_found                    ; free region or empty query: stop (pushed eax left to the epilogue)
.endif
invoke SetLastError,0
invoke StrIPos, mbi.BaseAddress, mbi.RegionSize,addr sign,SignLen
test eax,eax
jnz L_found                             ; eax = address of the match
POP eax
.until eax == 0 || mbi.RegionSize==0 || mbi.AllocationBase==0
jmp L_sign_not_found
L_found:
PUSH eax
invoke MyDebugPrint,chr$("!!!!!!!!!!Signature found in address:"),eax
POP eax
sub eax,27h                             ; 39: distance from the match back to the function start
mov PR_Write, eax
push eax
invoke EnterCriticalSection, addr stCS  ; nothing else in this DLL takes stCS
invoke SetLastError,0
pop eax
invoke HookAPI,addr newPR_Write,addr PR_Write ; on success PR_Write now points at the trampoline
push eax
invoke LeaveCriticalSection,addr stCS
pop eax
test eax,eax                            ; HookAPI: eax = 1 success, 0 failure
jz _L_Error_Hook
return 1
L_sign_not_found:
invoke GetLastError
invoke MyDebugPrint,chr$("Signature not found"),eax
return 1
_L_module_not_found:
invoke GetLastError
invoke MyDebugPrint,chr$("Module not found#"),cnt
inc cnt
test cnt,2                              ; retry gate: starting from cnt=0 this is zero after the first inc, so no retry happens
jne _L_Find_Module
return 1
_L_Error_Hook:
invoke GetLastError
invoke MyDebugPrint,chr$("Error Hook"),eax
return 1
invoke ExitThread,0                     ; unreachable: every path above returns
thread endp
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; DLL entry point (the `start:` label lets `end start` name it).
; DLL_PROCESS_ATTACH: initialise stCS and start `thread`; the handle returned
; by CreateThread is discarded (hThread is declared but never written).
; DLL_PROCESS_DETACH: delete stCS and log.  The hook installed by `thread`
; is not undone on detach.  Returns 1.
start:
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
LOCAL hThread:DWORD
LOCAL dwTID:DWORD
.if reason == DLL_PROCESS_ATTACH
invoke InitializeCriticalSection, addr stCS
invoke CreateThread,0,0,addr thread,0,0,ADDR dwTID
.elseif reason == DLL_PROCESS_DETACH
invoke DeleteCriticalSection,addr stCS
invoke MyDebugPrint,chr$("DLL_PROCESS_DETACH."),0
.endif
return 1
LibMain Endp
; ##########################################################################
end start
HookAPI.inc
Дизасм длин инструкций: Catchy32.inc
.code
;; ==================================================================================================== ;;
;; HookAPI - procedure sets hook on given API address                                                   ;;
;; replace original API start to push addr and retn to handler procedure                               ;;
;; creates trampoline contained replaced code of original API and return to code after it              ;;
;; changes given API pointer to address of trampoline (real API code start)                             ;;
;; __in lpHandlerProc - pointer to handler procedure                                                    ;;
;; __inout plpAPI - pointer to API pointer                                                              ;;
;; Return: eax = 1 on success, 0 on failure (VirtualProtect, VirtualAlloc or length decode failed)     ;;
;;                                                                                                      ;;
;; Register roles: esi = read cursor over the API code, edi = write cursor in the trampoline,           ;;
;;   ecx = bytes decoded so far, ebx = delta added to c_Catchy's address before calling it.             ;;
;;   ebx is not set anywhere in this listing (the GetBaseDelta call in newPR_Write is commented out);    ;;
;;   NOTE(review): presumably relies on ebx being 0 -- confirm with the original build.                  ;;
;;   esi/edi/ebx are not listed in `uses`, so the caller's values are clobbered.                         ;;
;; Memory effects: the first 5 bytes at *plpAPI become E9 rel32; the trampoline is a 32-byte            ;;
;;   PAGE_EXECUTE_READWRITE private allocation that is kept for the life of the hook.  Both are          ;;
;;   what an in-memory integrity check of the module's code, or an RWX-region scan, reports.             ;;
;; ==================================================================================================== ;;
HookAPI proc lpHandlerProc, plpAPI : dword
local lpAPI : dword                     ;; original API entry
local flOldProtect : dword
local tramp : dword                     ;; trampoline base
mov eax, plpAPI
mov eax, [eax]
mov lpAPI, eax
;; Change API memory protection
invoke VirtualProtect, lpAPI,32,PAGE_EXECUTE_READWRITE,addr flOldProtect
test eax, eax
jz @ret
invoke MyDebugPrint,chr$("Hook: Memory protected"),lpAPI
;; Allocate memory for trampoline
invoke VirtualAlloc, 0, 32, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
test eax, eax
jz @alloc_err
mov tramp,eax
invoke MyDebugPrint,chr$("Hook: Memory allocated"),tramp
mov edi, tramp
;; Get size of code to copy: decode whole instructions until at least 5 bytes are covered
xor ecx, ecx
mov esi, lpAPI
@@:
mov eax, ebx                            ;; ebx = delta (see header)
add eax, c_Catchy
call eax                                ;; in: esi -> instruction; out: eax = length or -1
cmp eax, -1
je @error_c_Catchy
add esi, eax                            ;; esi = next instruction
add ecx, eax                            ;; ecx = total length so far
cmp ecx, 5
jb @B
pushad
invoke MyDebugPrint,chr$("Hook: Code lenght"),ecx
popad
;; Copy original api code to new place
mov eax, edi                            ;; save trampoline start (becomes the new API pointer)
sub esi, ecx                            ;; esi back to the API start; ecx = byte count for movsb
rep movsb                               ;; afterwards esi = lpAPI + copied length, edi = end of copy
;; Write return to original API code + len of copied code
mov byte ptr [edi], 68h                 ;; PUSH imm32 = original API + copied length
mov dword ptr [edi+1], esi              ;; addr
mov byte ptr [edi+5], 0C3h              ;; RETN
;; New real API address
mov edi, plpAPI
mov [edi], eax                          ;; *plpAPI = trampoline
;; Edit original API code start
mov edi, lpAPI
mov eax, lpHandlerProc
mov byte ptr [edi], 0E9h                ;; E9 = JMP rel32
sub eax, edi
sub eax, 5                              ;; rel32 is relative to the end of the 5-byte jump
mov dword ptr [edi+1], eax              ;; addr
jmp @oldprotect
@error_c_Catchy:
invoke GetLastError
invoke MyDebugPrint,chr$("Hook: error_c_Catchy"),eax
invoke VirtualFree, edi, 0, MEM_RELEASE ;; edi still equals tramp here
invoke VirtualProtect, lpAPI, 32, flOldProtect, addr flOldProtect
mov eax,0
ret
@oldprotect:
invoke GetLastError
;; Restore old API memory protection
invoke VirtualProtect, lpAPI, 32, flOldProtect, addr flOldProtect
invoke MyDebugPrint,chr$("Hook: done. no error"),eax ;; prints VirtualProtect's result, not the GetLastError value
mov eax,1
ret
@alloc_err:
invoke GetLastError
invoke MyDebugPrint,chr$("Hook: error memory allocation"),eax
;; Restore old API memory protection
invoke VirtualProtect, lpAPI, 32, flOldProtect, addr flOldProtect
mov eax,0
ret
@ret:
invoke GetLastError
invoke MyDebugPrint,chr$("Hook: error memory protection"),eax
mov eax,0
ret
HookAPI endp
поиск подстроки в строке: StrIPos.inc
;==================================================================================================================================================
;==================================================Catchy32 v1.6 - Length Disassembler Engine 32bit================================================
;SIZE=580 bytes
;Version:
;1.0-test version
;1.1-added: support prefix
;1.2-added: TableEXT
;1.3-added: support for 0F6h and 0F7h groups
;1.4-tables fixed
; -SIB byte handling fixed
;1.5-code fixed&optimized
; -processing 0F6h and 0F7h groups is corrected
; -processing 0A0h-0A3h groups is corrected
;1.6-code fixed
; -added: max lenght=15 bytes
;==================================================================================================================================================
;in: esi - pointer to opcode
;out: eax - opcode length or 0ffffffffh if error
;(c) sars [HI-TECH] 2003
;sars@ukrtop.com
;
;Contract as implemented below: all registers except eax are restored by the
;pushad/popad pair; the result is written into the saved-eax slot
;([esp+4*7] after pushad) and the start pointer is read back from the
;saved-esi slot ([esp+4*1]).  Position independence comes from the call/pop
;delta kept in ebp.  Register roles inside: cl = current opcode,
;ch = prefix flags (pref66h/pref67h), bl = 4-bit type flags, al/dl = ModRM.
;==================================================================================================================================================
pref66h equ 1                           ;operand-size prefix seen (bit in ch)
pref67h equ 2                           ;address-size prefix seen (bit in ch)
.code
;---------------Initial adjustment----------------
c_Catchy:
pushad
call c_Delta
;------------Delta-offset calculation-------------
c_Delta:
pop ebp
sub ebp, offset c_Delta                 ;ebp = load delta, used for the table lookups
xor ecx, ecx                            ;cl = opcode, ch = prefix flags
;----Flags extraction, checks for some opcodes----
c_ExtFlags:
xor eax, eax
xor ebx, ebx
cdq
lodsb                                   ;al <- opcode
mov cl, al                              ;cl <- opcode
cmp al, 0fh                             ;Test on prefix 0Fh
je c_ExtdTable
cmp word ptr [esi-1], 20CDh             ;Test on VXD call
jne c_NormTable
inc esi                                 ;If VXD call (int 20h), then command length is 6 bytes
lodsd
jmp c_CalcLen
c_ExtdTable:                            ;Load flags from extended table
lodsb
inc ah                                  ;EAX=al+100h (100h/2 - lenght first table)
c_NormTable:                            ;Load flags from normal table
shr eax, 1                              ;two 4-bit entries per table byte; CF = low bit of the opcode
mov al, byte ptr [ebp+c_Table+eax]      ;NOTE(review): for 0Fh opcodes this indexes 80h.. past c_Table, i.e. expects c_TableEXT to follow it directly
c_CheckC1:
jc c_IFC1                               ;odd opcode -> low nibble
shr eax, 4                              ;even opcode -> high nibble
c_IFC1:
and eax, 0Fh
xchg eax, ebx                           ;bl = type flags; EAX will be needed for other purposes
;--------------Opcode type checking---------------
c_CheckFlags:
cmp bl, 0Eh                             ;Test on ErrorFlag
je c_Error
cmp bl, 0Fh                             ;Test on PrefixFlag
je c_Prefix
or ebx, ebx                             ;One byte command
jz c_CalcLen
btr ebx, 0                              ;Command with ModRM byte
jc c_ModRM
btr ebx, 1                              ;Test on imm8,rel8 etc flag
jc c_incr1
btr ebx, 2                              ;Test on ptr16 etc flag
jc c_incr2
;-----imm16/32,rel16/32, etc types processing-----
c_16_32:
and bl, 11110111b                       ;Reset 16/32 sign
cmp cl, 0A0h                            ;Processing group 0A0h-0A3h (moffs: size follows the address-size prefix)
jb c_Check66h
cmp cl, 0A3h
ja c_Check66h
test ch, pref67h
jnz c_incr2
jmp c_incr4
c_Check66h:                             ;Processing other groups (immediate size follows the operand-size prefix)
test ch, pref66h
jz c_incr4
jmp c_incr2
;---------------Prefixes processing---------------
c_Prefix:
cmp cl, 66h
je c_SetFlag66h
cmp cl, 67h
jne c_ExtFlags                          ;any other prefix: just consume it
c_SetFlag67h:
or ch, pref67h
jmp c_ExtFlags
c_SetFlag66h:
or ch, pref66h
jmp c_ExtFlags
;--------------ModR/M byte processing-------------
c_ModRM:
lodsb                                   ;al = ModRM
c_Check_0F6h_0F7h:                      ;Check on 0F6h and 0F7h groups
cmp cl, 0F7h
je c_GroupF6F7
cmp cl, 0F6h
jne c_ModXX
c_GroupF6F7:                            ;Processing groups 0F6h and 0F7h: /0 (TEST) carries an immediate
test al, 00111000b
jnz c_ModXX
test cl, 00000001b                      ;F6 -> imm8, F7 -> imm16/32
jz c_incbt1
test ch, 1
jnz c_incbt2
inc esi
inc esi
c_incbt2:
inc esi
c_incbt1:
inc esi
c_ModXX:                                ;Processing MOD bits
mov edx, eax
and al, 00000111b                       ;al <- only R/M bits
test dl, 11000000b                      ;Check MOD bits
jz c_Mod00
jp c_CheckFlags                         ;both MOD bits set (PF=1) -> mod 11, no displacement
js c_Mod10
c_Mod01:
test ch, pref67h
jnz c_incr1                             ;16-bit addressing
cmp al, 4                               ;Check SIB
je c_incr2
jmp c_incr1
c_Mod00:
test ch, pref67h
jz c_Mod00_32                           ;32-bit addressing
cmp al, 6                               ;16-bit [disp16]
je c_incr2
jmp c_CheckFlags
c_Mod00_32:
cmp al, 4                               ;Check SIB
jne c_disp32
c_SIB:                                  ;Processing SIB byte
lodsb
and al, 00000111b
cmp al, 5                               ;base=101 with mod=00 -> disp32
je c_incr4
jmp c_CheckFlags
c_disp32:
cmp al, 5                               ;[disp32]
je c_incr4
jmp c_CheckFlags
c_Mod10:
test ch, pref67h
jnz c_incr2                             ;16-bit addressing
cmp al, 4                               ;Check SIB
je c_incr5
jmp c_incr4
c_incr5:
inc esi
c_incr4:
inc esi
inc esi
c_incr2:
inc esi
c_incr1:
inc esi
jmp c_CheckFlags
;-----------Command length calculation------------
c_CalcLen:
sub esi, [esp+4*1]                      ;esi -= saved esi (start pointer) -> length
cmp esi, 15
ja c_Error
mov [esp+4*7], esi                      ;store into the saved-eax slot
jmp c_Exit
;----------------Setting the error----------------
c_Error:
xor eax, eax
dec eax                                 ;eax = -1
mov [esp+4*7], eax
;---------Restore the registers and exit----------
c_Exit:
popad
ret
;-------------------------------------------------
;==================================================================================================================================================
;Flag tables for normal and extended Intel opcodes
;(c) sars [HI-TECH] 2003
;sars@ukrtop.com
;
;Version:
;01-test version
;02-added: TableEXT
;03-added: new flags
;04-added: support for MMX, SSE, SSE2, 3DNOW
;
;Description:
;Size of table element is 4 bits; each byte holds two entries,
;even opcode in the high nibble, odd opcode in the low nibble.
;0h-one byte instruction
;1h-ModRM byte
;2h-imm8,rel8 etc
;4h-ptr16 etc
;8h-imm16/32,rel16/32 etc
;0Fh-prefix
;0Eh-unsupported opcodes
;3DNOW-Supported
;SSE-Supported
;SSE2-Supported
;MMX-Supported
;================NORMAL OPCODES================
c_Table:
; 01 23 45 67 89 AB CD EF
db 011h,011h,028h,000h,011h,011h,028h,000h;0Fh
db 011h,011h,028h,000h,011h,011h,028h,000h;1Fh
db 011h,011h,028h,0F0h,011h,011h,028h,0F0h;2Fh
db 011h,011h,028h,0F0h,011h,011h,028h,0F0h;3Fh
db 000h,000h,000h,000h,000h,000h,000h,000h;4Fh
db 000h,000h,000h,000h,000h,000h,000h,000h;5Fh
db 000h,011h,0FFh,0FFh,089h,023h,000h,000h;6Fh
db 022h,022h,022h,022h,022h,022h,022h,022h;7Fh
db 039h,033h,011h,011h,011h,011h,011h,011h;8Fh
db 000h,000h,000h,000h,000h,0C0h,000h,000h;9Fh
db 088h,088h,000h,000h,028h,000h,000h,000h;AFh
db 022h,022h,022h,022h,088h,088h,088h,088h;BFh
db 033h,040h,011h,039h,060h,040h,002h,000h;CFh
db 011h,011h,022h,000h,011h,011h,011h,011h;DFh
db 022h,022h,022h,022h,088h,0C2h,000h,000h;EFh
db 0F0h,0FFh,000h,011h,000h,000h,000h,011h;FFh
;==============================================
Lentable equ $-c_Table
;NOTE(review): in this paste the extended table sits inside a `comment ! ... !`
;block and therefore emits no bytes, so the 0Fh lookup above reads whatever
;follows c_Table -- verify against the original Catchy32 source.
comment !
;===============EXTENDED OPCODES===============
c_TableEXT:
; 01 23 45 67 89 AB CD EF
db 011h,011h,0E0h,000h,000h,0EEh,0E1h,003h;0Fh
db 011h,011h,011h,011h,01Eh,0EEh,0EEh,0EEh;1Fh
db 011h,011h,01Eh,01Eh,011h,011h,011h,011h;2Fh
db 000h,000h,000h,0EEh,0EEh,0EEh,0EEh,0EEh;3Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;4Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;5Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;6Fh
db 033h,033h,011h,010h,011h,011h,011h,011h;7Fh
db 088h,088h,088h,088h,088h,088h,088h,088h;8Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;9Fh
db 000h,001h,031h,011h,000h,001h,031h,011h;AFh
db 011h,011h,011h,011h,0EEh,031h,011h,011h;BFh
db 011h,031h,033h,031h,000h,000h,000h,000h;CFh
db 0E1h,011h,011h,011h,011h,011h,011h,011h;DFh
db 011h,011h,011h,011h,011h,011h,011h,011h;EFh
db 0E1h,011h,011h,011h,011h,011h,011h,01Eh;FFh
;==============================================
!
;==================================================================================================================================================
Кому надо — сигнатуры отыщет в новых версиях
; DEBUG MODE ----------------------------------
ENABLE_DEBUG_MODE equ TRUE              ; defined -> MyDebugPrint is compiled in
.code
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; MyDebugPrint - formats "<msg> [<param as %08X>]" into a 1024-byte stack
; buffer with wsprintf and sends it to OutputDebugStringA.  All registers are
; preserved (pushad/popad).  With ENABLE_DEBUG_MODE undefined the body is a
; single nop.  Every call site in this project routes through here, so the
; debugger output stream is where the hook's activity shows up.
; In:  msg - pointer to a NUL-terminated string; param - DWORD printed in hex
; Out: nothing
MyDebugPrint proc msg:dword,param:dword
IFDEF ENABLE_DEBUG_MODE
local bufferx[1024]:byte
pushad
invoke wsprintf, addr bufferx, chr$("%s [%08X]"), msg, param ;crt_
invoke OutputDebugStringA, addr bufferx
popad
ELSE
nop
ENDIF
ret
MyDebugPrint ENDP
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
;; ==================================================================================================== ;;
;; StrIPos - case insensitive search first entry of char in string                                      ;;
;; __in lpString - pointer to string                                                                    ;;
;; __in nStringLen - len of string                                                                      ;;
;; __in lpSubString - pointer to substring                                                              ;;
;; __in nSubStrLen - len of substring                                                                   ;;
;; Return: 0 - failed                                                                                   ;;
;; !0 - success, pointer to start of founded substring                                                  ;;
;;                                                                                                      ;;
;; Implementation notes: lengths are treated as signed (`jle`), so 0 or a negative length returns 0.    ;;
;; Only ASCII letters are folded (a-z <-> A-Z); every other byte must match exactly.                    ;;
;; Register roles: esi = candidate start in the string, ebx = pointer to its last byte,                 ;;
;;   ecx = compare cursor in the string, edi = compare cursor in the substring, edx = bytes left.        ;;
;; NOTE(review): ecx is never compared with ebx, so a partial match that begins near the end of         ;;
;;   the string reads past lpString + nStringLen.                                                       ;;
;; ==================================================================================================== ;;
StrIPos proc uses ebx ecx edx edi esi lpString, nStringLen, lpSubString, nSubStrLen : dword
;; Check strings len
xor eax, eax
cmp nStringLen, eax
jle @ret
cmp nSubStrLen, eax
jle @ret
;invoke MyDebugPrint,chr$("StrIPos step: "),1
;; Init string vars
mov esi, lpString                       ;; esi = first symbol pointer
dec esi                                 ;; pre-decrement; the loop increments before each candidate
mov ebx, nStringLen
add ebx, esi                            ;; ebx = last symbol pointer (lpString + len - 1)
;invoke MyDebugPrint,chr$("StrIPos step: "),2
@nextcycle:
xor eax, eax                            ;; eax = 0 is also the "not found" result
cmp esi, ebx                            ;; check if last symbol in string
je @ret
inc esi                                 ;; next symbol ptr search from
mov ecx, esi                            ;; copy symbol ptr search from, for use in compare
mov edi, lpSubString                    ;; init substring var
mov edx, nSubStrLen                     ;; init substring var
;invoke MyDebugPrint,chr$("StrIPos step: "),3
;; Case insensitive symbol compare
@nextchar:
mov al, [ecx]
cmp al, [edi]
je @charmatch                           ;; exact byte match
;invoke MyDebugPrint,chr$("StrIPos step: "),4
cmp al, "z"
ja @nextcycle                           ;; above 'z' (incl. bytes >= 80h): no folding possible
cmp al, "a"
jb @cmpupper
;invoke MyDebugPrint,chr$("StrIPos step: "),5
sub al, 32                              ;; lower -> upper, retry
cmp al, [edi]
je @charmatch
jmp @nextcycle
@cmpupper:
cmp al, "Z"
ja @nextcycle
cmp al, "A"
jb @nextcycle
add al, 32                              ;; upper -> lower, retry
cmp al, [edi]
jne @nextcycle
@charmatch:
;invoke MyDebugPrint,chr$("StrIPos step: "),6
inc ecx                                 ;; next symbol in string
inc edi                                 ;; next symbol in substring
dec edx                                 ;; substring len
jnz @nextchar
;; Substring found
mov eax, esi                            ;; eax = start of the match
;invoke MyDebugPrint,chr$("StrIPos step: "),7
@ret:
ret
StrIPos endp
Перехват в Chrome