#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
#include "..\..\AddProcessInitHandler.h"
#pragma optimize("", off)
typedef BOOL (__cdecl *TDbgPrint)(PVOID, ...);
#define PRIVDbgPrintMark 0xE1C2F3AC
/*
 * Process-init handler whose machine code is copied as raw bytes into the
 * child process (see _tmain: its size is taken as _tmain - ProcessInitHandler,
 * and SetPointers() rewrites the marker constants inside it before the copy).
 * Because the body is relocated, it may only rely on values passed as
 * arguments or patched in via the *Mark constants; it must not reference
 * globals, string literals or imports of this module by address. The
 * surrounding #pragma optimize("", off) presumably keeps the body a single
 * contiguous, self-contained blob.
 *
 * hntdll      - module handle the init routine is being invoked for
 * fdwReason   - init reason, passed through untouched
 * lpvReserved - passed through untouched
 * Returns whatever CallNextProcessInitHandler() returns.
 *
 * Detection note: this code only runs inside the target after a remote
 * RWX allocation + WriteProcessMemory into a CREATE_SUSPENDED process
 * (see _tmain); that call sequence is the observable footprint.
 *
 * Portability: the DWORD casts and the &hntdll-1 read are x86/32-bit and
 * stack-layout specific and are undefined behaviour in standard C/C++.
 */
BOOL APIENTRY ProcessInitHandler(HINSTANCE hntdll, DWORD fdwReason, PVOID lpvReserved) {
// PRIVDbgPrintMark is a placeholder; _tmain's SetPointers() call is
// presumably what replaces it with the ntdll!DbgPrint address before the
// body is copied out.
TDbgPrint xxxDbgPrint = (TDbgPrint)PRIVDbgPrintMark;
// APIHUserMark comes from AddProcessInitHandler.h; presumably it is patched
// to the remote buffer that hAddProcessInitHandler() receives as its last
// argument. That buffer starts with three PSTR slots followed by the
// message texts (layout built in _tmain). TODO confirm against the header.
PSTR *Msgs = (PSTR*)APIHUserMark;
xxxDbgPrint(Msgs[0], hntdll, fdwReason, lpvReserved);
// Walk the PE header of the module being initialised: byte offset 0x3C is
// e_lfanew in the DOS header, 0x28 is AddressOfEntryPoint in the PE32
// optional header (relative to the NT header). Adding the base gives the
// entry-point VA; when it equals APIHCodeBodyMark the caller is presumably
// a younger (later-registered) handler rather than the loader, as the two
// message texts chosen below indicate.
if( (*(PDWORD)((PBYTE)hntdll+((PDWORD)hntdll)[0x3C/sizeof(DWORD)] +0x28)+(DWORD)hntdll) == APIHCodeBodyMark)
// &hntdll-1 addresses the DWORD just below the first stack argument, which
// on x86 is the return address of the CALL that entered this function.
// This is a diagnostic only; it is UB and depends on the exact frame layout.
xxxDbgPrint(Msgs[1], *(PDWORD)(&hntdll-1));
else
xxxDbgPrint(Msgs[2], *(PDWORD)(&hntdll-1));
// Always chain to the next registered handler.
return(CallNextProcessInitHandler(hntdll, fdwReason, lpvReserved));
}
#pragma optimize("", on)
/*
 * Demo driver: starts <NewAppName> suspended, prepares a 4 KiB remote buffer
 * holding three message pointers plus the message texts, registers
 * ProcessInitHandler twice in the child through hAddProcessInitHandler(),
 * then resumes the child. The handler's output goes through ntdll!DbgPrint
 * (visible to a debugger / debug-output viewer), not to this console.
 *
 * argv[1] - command line of the process to create; passed to CreateProcess
 *           as lpCommandLine, which requires a writable buffer (argv is).
 * Returns the key code read by getch(), so the exit status is the pressed
 * key rather than a success/failure indicator.
 *
 * Error handling is partial: a failed VirtualAllocEx or WriteProcessMemory
 * prints nothing, and in every failure case after CreateProcess the child
 * is still resumed, just without the handler.
 */
INT _tmain(int argc, TCHAR** argv) {
if(argc > 1) {
PROCESS_INFORMATION pi;
STARTUPINFO si = {sizeof(si)};   // only cb is set; remaining fields zeroed
// Created suspended so the handler can be installed before the loader
// runs the image's init routines.
if(CreateProcess(NULL, argv[1], NULL, NULL, FALSE, CREATE_SUSPENDED,
NULL, NULL, &si, &pi)) {
// Local ntdll handle, used only to resolve DbgPrint; the resulting address
// is assumed (not verified here) to be valid inside the child as well.
HINSTANCE hntdll = GetModuleHandle(TEXT("ntdll.dll"));
// Size of the handler's machine code, taken as the distance to the next
// function in this translation unit, rounded up to a multiple of 4.
// This assumes the compiler emits _tmain directly after ProcessInitHandler
// with nothing in between, and 32-bit code addresses (the DWORD casts
// would truncate on x64).
DWORD ProcessInitHandlerSize = (((DWORD)_tmain-(DWORD)ProcessInitHandler)+3)&~3;
#define BufferSize 4096
LPVOID lpRemoteBuffer;
// Assignment in the condition is intentional: NULL means the allocation
// failed. Only data is visibly written to this page here, yet it is
// requested PAGE_EXECUTE_READWRITE; a remote RWX allocation is the part of
// this sequence that endpoint monitoring typically flags.
if(lpRemoteBuffer = VirtualAllocEx(pi.hProcess, NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)) {
// Local image of the remote buffer, copied over in one WriteProcessMemory.
// Layout (must match what ProcessInitHandler reads through Msgs[]):
//   bytes 0..11 : three PSTR slots pointing at the remote copies of the texts
//   byte 12     : Msg0; Msg1 at +128, Msg2 at +256 (128-byte slots each)
// NOTE: the array has no initialiser, so everything past the end of Msg2
// (roughly 3.7 KiB) is leftover stack contents of this process and is
// written into the child verbatim.
PSTR LocalBuffer[BufferSize/sizeof(PSTR)];
LocalBuffer[0] = (PSTR)lpRemoteBuffer+12;
LocalBuffer[1] = (PSTR)lpRemoteBuffer+12+128;
LocalBuffer[2] = (PSTR)lpRemoteBuffer+12+128+128;
#define Msg0 "hntdll= 0x%08X, fdwReason = %u, lpvReserved = 0x%08X\n"
// sizeof(MsgN) includes the terminating NUL; each text fits its 128-byte slot.
memcpy(&LocalBuffer[3], Msg0, sizeof(Msg0));
#define Msg1 "Return address of 'CALL DllMain' = 0x%08X .. call from LdrpCallInitRoutine\n"
memcpy(&LocalBuffer[3+128/sizeof(PSTR)], Msg1, sizeof(Msg1));
#define Msg2 "Return address of 'CALL DllMain' = 0x%08X .. call from younger ProcessInitHandler\n"
memcpy(&LocalBuffer[3+(128+128)/sizeof(PSTR)], Msg2, sizeof(Msg2));
if(WriteProcessMemory(pi.hProcess, lpRemoteBuffer, &LocalBuffer, BufferSize, NULL)) {
// Presumably replaces the PRIVDbgPrintMark placeholder inside the handler's
// code with the real DbgPrint address before hAddProcessInitHandler copies
// it out. GetProcAddress's result is not checked, so a NULL would be
// patched in unnoticed.
SetPointers(ProcessInitHandler, ProcessInitHandlerSize, PRIVDbgPrintMark, GetProcAddress(hntdll, "DbgPrint"));
// Registered twice on purpose: the second registration exercises the
// "call from younger ProcessInitHandler" path inside the handler.
if(hAddProcessInitHandler(pi.hProcess, ProcessInitHandler, ProcessInitHandlerSize, lpRemoteBuffer))
_tprintf(_T("1st handler succesfully added.\n"));
else
_tprintf(_T("Cannot add 1st handler!\n"));
if(hAddProcessInitHandler(pi.hProcess, ProcessInitHandler, ProcessInitHandlerSize, lpRemoteBuffer))
_tprintf(_T("2nd handler succesfully added.\n"));
else
_tprintf(_T("Cannot add 2nd handler!\n"));
}
}
// Resumed regardless of whether the handler was installed. lpRemoteBuffer is
// deliberately never freed: the child keeps using it. Return values of
// ResumeThread/CloseHandle are not checked.
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
else
_tprintf(_T("Cannot create '%s'!\n"), argv[1]);
}
else
_tprintf(_T("Usage APIHexample <NewAppName>"));
// Wait for a key press; its code becomes the process exit status.
return(getch());
}