
📄 hooks.bat

📁 Cracker终结者——提供最优秀的软件保护技术
;@GOTO -)
.586P
.MODEL FLAT
INCLUDE WINDOWS.inc
UNICODE=0
INCLUDE APIMACRO.mac
INCLUDE ApiHooks.inc
INCLUDELIB iKERNEL32
INCLUDELIB iUSER32
INCLUDELIB iIMAGEHLP

.DATA
  ; One DWORD slot per raw hook. Each slot is named in the fourth field of its
  ; API_HOOK record below and is the target of the indirect JMP that ends the
  ; matching NewXxx handler.
  ; NOTE(review): presumably written by the ApiHooks engine when the hook is
  ; installed (address at which the original code continues) - confirm in
  ; ApiHooks.inc.
  OldSym00     DWORD NULL
  Old004010DA  DWORD NULL
  OldSym01     DWORD NULL

  ; Same role for the ExitProcess hook (HOOK_OVERWRITE record below).
  OldExitProcess    DWORD NULL

  ; ApiHookChain is the hook table. It is made PUBLIC here and exported from
  ; the DLL by the /EXPORT:ApiHookChain switch in the build commands at the end
  ; of this file.
  ; NOTE(review): from the way DllMain uses the records, the first three
  ; fields appear to be ModuleExport, ApiNameOrOrd and dwFlags - confirm the
  ; full API_HOOK layout in ApiHooks.inc.
  PUBLIC       ApiHookChain
  ApiHookChain LABEL API_HOOK
  ; Symbol hooks: 12345678H is only a placeholder. DllMain replaces it with the
  ; address that SymGetSymFromName returns for the symbol name in field one.
  HookSym00    API_HOOK <szSym00Name, 12345678H,     HOOK_RAW,     OldSym00,    NULL, NewSym00>
  ; Pure raw hook: no symbol name, hard-coded address 004010DAH. That address
  ; is only valid for one specific build of the target image loaded at the
  ; base it was measured at.
  Hook004010DA API_HOOK <NULL,        004010DAH,     HOOK_RAW,     Old004010DA, NULL, New004010DA>
  HookSym01    API_HOOK <szSym01Name, 12345678H,     HOOK_RAW,     OldSym01,    NULL, NewSym01>
  ; Hook on KERNEL32.dll!ExitProcess, identified by module and export name.
  HookExitProc API_HOOK <szKERNEL32,  szExitProcess, HOOK_OVERWRITE, OFFSET OldExitProcess, NULL, NewExitProcess>
  ; NOTE(review): EndHooks presumably emits the HOOKS_END terminator that the
  ; loop in DllMain stops on - confirm in ApiHooks.inc.
  EndHooks
;------------------------------------------------------------------

.CODE
;names-------------------------------------------------------------
; String constants, emitted into the code section through the TEXTA macro.
; The rest of the file refers to them as szImgName, szSym00Name, sz004010DA,
; szSym01Name, szExitProcess, szCaught and szKERNEL32.
; NOTE(review): this relies on TEXTA deriving the s-prefixed label from the
; name given here, and on "/0" being its notation for the terminating NUL -
; confirm both in APIMACRO.mac.

  ; Image whose debug symbols DllMain loads with SymLoadModule.
  TEXTA    zImgName,   <ModuleWithSymbols.exe/0>

  ; Symbol names passed to SymGetSymFromName, also used as message box captions.
  TEXTA    zSym00Name, <ModuleWithSymbols/:PrimaryThread/0> 
  ; Caption only; the hook at 004010DAH has no symbol name.
  TEXTA    z004010DA,  <004010DA - before MessageBox/0> 
  TEXTA    zSym01Name, <ModuleWithSymbols/:SecondThread/0> 
  ; Export name and module name used by the HookExitProc record.
  TEXTA    zExitProcess, <ExitProcess/0> 
  ; Message box text shared by all four handlers.
  TEXTA    zCaught,    <caught./0> 
  TEXTA    zKERNEL32,  <KERNEL32.dll/0> 

;------------------------------------------------------------------
; NewSym00 - handler named in the HookSym00 record of ApiHookChain.
; Saves the eight general-purpose registers, shows a message box
; (MessageBoxA argument order: hWnd, lpText, lpCaption, uType), restores
; the registers and continues through the pointer stored in OldSym00.
; PUSHAD/POPAD do not save EFLAGS, so the flags are not preserved across
; this handler. The message box is modal: the hooked thread stays blocked
; until it is dismissed.
;------------------------------------------------------------------
NewSym00   PROC
  PUSHAD                        ; keep the hooked code's register state
  iWin32   MessageBoxA, 0, szCaught, szSym00Name, MB_OK
  POPAD
  JMP      OldSym00             ; OldSym00 is a DWORD variable: indirect jump through it
NewSym00   ENDP

;------------------------------------------------------------------
; New004010DA - handler named in the Hook004010DA record (raw hook at the
; hard-coded address 004010DAH).
; Saves the general-purpose registers, shows a message box captioned with
; sz004010DA, restores the registers and continues through the pointer
; stored in Old004010DA.
; NOTE(review): the caption describes the hook point as lying before a
; MessageBox call, i.e. inside a function body. PUSHAD/POPAD do not cover
; EFLAGS; if the flags are live at 004010DAH the handler would also need a
; PUSHFD/POPFD pair - verify against the hooked code.
;------------------------------------------------------------------
New004010DA PROC
  PUSHAD                        ; keep the hooked code's register state
  iWin32   MessageBoxA, 0, szCaught, sz004010DA, MB_OK
  POPAD
  JMP      Old004010DA          ; indirect jump through the DWORD variable
New004010DA ENDP

;------------------------------------------------------------------
; NewSym01 - handler named in the HookSym01 record of ApiHookChain.
; Same shape as NewSym00: save the general-purpose registers, show a
; message box captioned with szSym01Name, restore the registers and
; continue through the pointer stored in OldSym01. EFLAGS is not saved.
;------------------------------------------------------------------
NewSym01   PROC
  PUSHAD                        ; keep the hooked code's register state
  iWin32   MessageBoxA, 0, szCaught, szSym01Name, MB_OK
  POPAD
  JMP      OldSym01             ; indirect jump through the DWORD variable
NewSym01   ENDP

;------------------------------------------------------------------
; NewExitProcess - handler named in the HookExitProc record
; (KERNEL32.dll!ExitProcess, HOOK_OVERWRITE).
; Shows a message box captioned with szExitProcess, then continues through
; the pointer stored in OldExitProcess. Unlike the three raw-hook handlers
; it does not wrap the call in PUSHAD/POPAD; the stack on exit is as on
; entry, so the caller's ExitProcess argument is still in place.
; NOTE(review): presumably safe because the handler runs at the entry of a
; stdcall API, where EAX/ECX/EDX are volatile anyway - confirm how
; HOOK_OVERWRITE transfers control in ApiHooks.inc.
;------------------------------------------------------------------
NewExitProcess PROC
  iWin32   MessageBoxA, 0, szCaught, szExitProcess, MB_OK
  JMP      OldExitProcess       ; indirect jump through the DWORD variable
NewExitProcess ENDP

; Local redefinition of the ImageHlp IMAGEHLP_SYMBOL record, used as the
; output buffer of SymGetSymFromName in DllMain. All six members are DWORDs,
; so the structure is 24 bytes. NameSym doubles as a 4-byte name buffer:
; DllMain sets MaxNameLength to 3 so that a name plus its terminator fits.
xIMAGEHLP_SYMBOL STRUCT  ;DWORD aligned vs. windows.inc
    SizeOfStruct    DWORD   ?   ; set by the caller to the structure size
    Address         DWORD   ?   ; symbol address; the only member DllMain reads back
    SizeSym         DWORD   ?
    Flags           DWORD   ?
    MaxNameLength   DWORD   ?   ; set by the caller: capacity of the name buffer
    NameSym         DWORD   ?   ; start of the name buffer (4 bytes here)
xIMAGEHLP_SYMBOL ENDS

;------------------------------------------------------------------
; DllMain - DLL entry point (named on the END directive below).
; In:   hinstDLL, fdwReason, lpvRsvd (standard DllMain arguments)
; Out:  AL = TRUE on every path
; Regs: EBX = process handle, ESI = current API_HOOK record,
;       EDI = address of the local imsym; all three are saved and restored
;       by the USES clause.
;
; DLL_PROCESS_ATTACH: initialises the symbol handler, loads the symbols of
; szImgName, then walks ApiHookChain and replaces the placeholder address of
; every symbol-based raw hook with the address SymGetSymFromName reports.
; DLL_PROCESS_DETACH: calls SymCleanup.
;
; NOTE(review): the return values of SymInitialize and SymLoadModule are not
; checked; a failure there is only noticed indirectly, when
; SymGetSymFromName fails for each hook.
; NOTE(review): the Sym* functions live in IMAGEHLP and are called from
; DllMain, i.e. while the loader lock is held. Microsoft's DllMain guidance
; advises against calling into DLLs other than KERNEL32 from there; moving
; the symbol work to an exported init routine would avoid that.
;------------------------------------------------------------------
DllMain    PROC  USES EBX ESI EDI, hinstDLL, fdwReason, lpvRsvd
  LOCAL    imsym : xIMAGEHLP_SYMBOL
  CMP      fdwReason, DLL_PROCESS_ATTACH
  JNE      DllMainNext

  iWin32   GetCurrentProcess
  MOV      EBX, EAX             ; EBX = process handle for all Sym* calls
  ; SymInitialize(hProcess, UserSearchPath = NULL, fInvadeProcess = FALSE)
  iWin32   SymInitialize, EBX, NULL, FALSE
  ; SymLoadModule(hProcess, hFile, ImageName, ModuleName, BaseOfDll, SizeOfDll)
  iWin32   SymLoadModule, EBX, NULL, szImgName, NULL, 0, 0

  ;prepare AH chain
  ; NOTE(review): oLEA and oMOV are project macros; from their use here they
  ; load an address and do a memory-to-memory move - confirm in APIMACRO.mac.
  oLEA     ESI, ApiHookChain
  ASSUME   ESI: PTR API_HOOK
  LEA      EDI, imsym
  MOV      imsym.SizeOfStruct,  SIZEOF imsym
  MOV      imsym.MaxNameLength, SIZEOF DWORD - SIZEOF BYTE    ; 3: NameSym is 4 bytes

  ; Loop invariant: ESI points at the record being examined.
 NewHook:
  MOV      EAX, [ESI].ModuleExport
  CMP      EAX, HOOKS_END       ; terminator record reached
  JE       DllMainDone
  TEST     EAX, EAX
  JE       NextHook       ;pure raw hook; not symbol hook
  TEST     [ESI].dwFlags, HOOK_RAW
  JE       NextHook             ; HOOK_RAW not set: leave the record untouched
  ; SymGetSymFromName(hProcess, Name = ModuleExport, Symbol = &imsym)
  iWin32   SymGetSymFromName, EBX, EAX, EDI
  TEST     EAX, EAX
  JE       ZeroHook             ; symbol not found
  oMOV     [ESI].ApiNameOrOrd, imsym.Address    ; replace the placeholder address
  JMP      NextHook
 ZeroHook:
  ; EAX is 0 here, so this clears dwFlags of the unresolved record. Its
  ; ApiNameOrOrd still holds the placeholder address.
  ; NOTE(review): presumably a zero dwFlags makes the engine skip the record -
  ; confirm in ApiHooks.inc.
  MOV      [ESI].dwFlags, EAX
 NextHook:
  ADD      ESI, SIZEOF API_HOOK
  JMP      NewHook

 DllMainNext:
  CMP      fdwReason, DLL_PROCESS_DETACH
  JNE      DllMainDone
  iWin32   GetCurrentProcess
  iWin32   SymCleanup, EAX

 DllMainDone:
  ; Only AL is written; the upper bits of EAX keep their previous value. The
  ; result is nonzero either way.
  MOV      AL, TRUE
  RET
DllMain    ENDP
  ALIGN    4
; END names DllMain as the module entry point and ends the assembler's input;
; the lines after it are read only by the command interpreter.
END DllMain
:-)
@ECHO OFF
REM Build script half of this file. The GOTO on the first line of the file
REM jumps to the label above, so cmd.exe never executes the assembly source.
REM
REM ML switches: /c assemble only, /coff COFF object, /Gz stdcall calling
REM convention, /Cp preserve identifier case. The input is this same file.
ML /c /coff /Gz /Cp /nologo Hooks.bat
REM Link Hooks.obj into a DLL that exports the ApiHookChain table.
REM NOTE(review): eLINK and /OPTidata are not part of the stock Microsoft
REM linker; presumably they come with the ApiHooks package - confirm.
REM
REM /MERGE folds .rdata and .data into .text and /SECTION:.text,EWR marks the
REM merged section executable, writable and readable; /IGNORE:4078 silences
REM the linker warning about merging sections with different attributes.
REM The section must be writable because ApiHookChain and the OldXxx slots
REM end up in it and DllMain writes to them. The cost is a DLL whose only
REM code section is RWX, which gives up W^X protection for the whole image
REM and is a layout that security tooling commonly flags. Keeping .data as
REM its own read/write section would avoid that.
eLINK Hooks /nologo /DLL /EXPORT:ApiHookChain /SUBSYSTEM:WINDOWS /OPTidata /MERGE:.rdata=.text /MERGE:.data=.text /SECTION:.text,EWR /IGNORE:4078
REM Remove the intermediate object file and the export/import library files.
DEL Hooks.obj
DEL Hooks.exp
DEL Hooks.lib
PAUSE
CLS
