/*
AddProcessInitHandler.h - execute user code before the DllMain and TLS callbacks of statically
loaded modules are called with DLL_PROCESS_ATTACH in NT.
32bit version for 32bit modules.
Not optimized, not thread-safe, not leak-checked.
Not carefully tested.
*/
/*
 * Marker immediates. The user's handler is compiled with these constants in its
 * code; hAddProcessInitHandler copies the handler, overwrites every occurrence of
 * each mark with the real value (see SetPointers) and only then writes the copy
 * into the target process.
 */
#define APIHCodeBodyMark 0xE1C2F3AF                   /* -> remote address of the handler copy */
#define APIHPreviousProcessInitHandlerMark 0xE1C2F3AE /* -> original ntdll entry point, or 0 if it could not be read */
#define APIHUserMark 0xE1C2F3AD                       /* -> UserPointer passed to hAddProcessInitHandler */
/* Signature of the entry point this code chains to (same shape as DllMain). */
typedef BOOL (WINAPI *TCallNextProcessInitHandler)(HINSTANCE, DWORD, LPVOID);
/* Unconditional call through the patched previous-entry immediate. */
#define xxxCallNextProcessInitHandler(hntdll, fdwReason, lpvReserved) \
((TCallNextProcessInitHandler)APIHPreviousProcessInitHandlerMark)(hntdll, fdwReason, lpvReserved)
/*
 * Chain to the previous entry point if one was patched in, else report success.
 * In the source the condition is a non-zero constant and looks redundant; it is
 * only meaningful in the patched copy, where the immediate may have become 0.
 * NOTE(review): the expansion is not wrapped in parentheses, so embedding it in a
 * larger expression (e.g. `!CallNextProcessInitHandler(...)`) does not mean what
 * it appears to mean.
 */
#define CallNextProcessInitHandler(hntdll, fdwReason, lpvReserved) \
APIHPreviousProcessInitHandlerMark ? xxxCallNextProcessInitHandler(hntdll, fdwReason, lpvReserved) : TRUE
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Find the first DWORD-sized occurrence of PointerMark in Code, tested at every
 * byte offset (the DWORD read is unaligned; tolerable only on the 32-bit x86
 * target this header is written for).
 * Returns a pointer to the match, or NULL if there is none.
 * The CodeSize > 3 guard keeps the unsigned CodeSize-4 from wrapping.
 * NOTE(review): the bound `p < Code+CodeSize-4` stops one byte early, so a mark
 * occupying the final four bytes of the buffer is never found (`<=` would cover it).
 */
PDWORD LocatePointer(PVOID Code, DWORD CodeSize, DWORD PointerMark) {
    PBYTE p;
    if(CodeSize > 3)
        for(p = (PBYTE)Code; p < (PBYTE)Code+CodeSize-4; p++)
            if(*(PDWORD)p == PointerMark)
                return((PDWORD)p);
    return(NULL);
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Overwrite every occurrence of PointerMark in Code with RealPointer.
 * Each pass resumes at the previous match; since that match was just
 * overwritten, the loop makes progress unless RealPointer happens to equal
 * PointerMark (then it never terminates). The remaining length is recomputed
 * through pointer-to-DWORD casts, which is one reason this is 32-bit only.
 * A NULL RealPointer writes 0 over the mark; CallNextProcessInitHandler
 * depends on exactly that for the previous-entry mark.
 */
VOID SetPointers(PVOID Code, DWORD CodeSize, DWORD PointerMark, PVOID RealPointer) {
    PDWORD p = (PDWORD)Code;
    /* assignment in the condition is intentional: LocatePointer yields NULL when exhausted */
    while(p = LocatePointer(p, CodeSize+(DWORD)Code-(DWORD)p, PointerMark))
        *p = (DWORD)RealPointer;
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Base address (module handle) of ntdll.dll in the *calling* process, looked up
 * once and cached in a function-local static.
 * NOTE(review): a local static initialised from a runtime call is C++ (not C)
 * semantics — presumably this header is included from C++ code. The lookup runs
 * on first use only, so a NULL result would be cached for good. Not thread-safe,
 * as the file header states.
 */
PDWORD WINAPI Getntdll(VOID) {
    static PDWORD ntdll = (PDWORD)GetModuleHandle(TEXT("ntdll.dll"));
    return(ntdll);
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Address of the AddressOfEntryPoint field in the local ntdll image:
 *   base + e_lfanew (read from DOS-header offset 0x3C) + 0x28
 * where 0x28 is the offset of AddressOfEntryPoint within IMAGE_NT_HEADERS32.
 * The arithmetic is on a PDWORD, hence 0x3C/sizeof(DWORD) for the e_lfanew read.
 * ReadntdllEntry/WritentdllEntry later use this pointer as an address inside
 * another process, which only holds if ntdll is mapped at the same base there.
 * NOTE(review): Getntdll() is dereferenced without a NULL check.
 */
PDWORD WINAPI GetntdllEntry(VOID) {
    static PDWORD pntdllEntry = (PDWORD)((PBYTE)Getntdll()+*((PDWORD)Getntdll()+0x3C/sizeof(DWORD))+0x28);
    return(pntdllEntry);
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Read ntdll's 4-byte AddressOfEntryPoint RVA from hProcess (at the header
 * address computed locally) and turn it into an absolute address using the
 * *local* ntdll base.
 * Returns NULL when the read fails (the ReadProcessMemory result is not checked;
 * ntdllEntry simply keeps its NULL initialiser) or when the RVA itself is 0.
 */
PVOID WINAPI ReadntdllEntry(HANDLE hProcess) {
    PVOID ntdllEntry = NULL;
    ReadProcessMemory(hProcess, GetntdllEntry(), &ntdllEntry, sizeof(ntdllEntry), NULL);
    return(ntdllEntry ? (PVOID)((DWORD)ntdllEntry+(DWORD)Getntdll()) : NULL);
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Store NewEntry, converted to an RVA against the local ntdll base, into the
 * AddressOfEntryPoint field of ntdll's header in hProcess, temporarily making
 * that location PAGE_EXECUTE_READWRITE.
 * Returns the WriteProcessMemory result.
 * NOTE(review): Result is never assigned when VirtualProtectEx fails, so the
 * return value on that path is indeterminate; `BOOL Result = FALSE;` would fix it.
 * The return value of the restoring VirtualProtectEx call is ignored.
 * From a monitoring standpoint this is the observable step: a cross-process
 * protection change on ntdll's header page followed by a write into it.
 */
BOOL WINAPI WritentdllEntry(HANDLE hProcess, PVOID NewEntry) {
    DWORD OldProt;
    BOOL Result;
    if(VirtualProtectEx(hProcess, GetntdllEntry(), sizeof(NewEntry), PAGE_EXECUTE_READWRITE, &OldProt)) {
        /* the field holds an RVA, so subtract the (assumed shared) ntdll base */
        DWORD xxxNewEntry = (DWORD)NewEntry - (DWORD)Getntdll();
        Result = WriteProcessMemory(hProcess, GetntdllEntry(), &xxxNewEntry, sizeof(xxxNewEntry), NULL);
        VirtualProtectEx(hProcess, GetntdllEntry(), sizeof(NewEntry), OldProt, &OldProt);
    }
    return(Result);
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Install ProcessInitHandler (ProcessInitHandlerSize bytes of code containing
 * the APIH* marks; it may refer to its own remote address via APIHCodeBodyMark)
 * as the new ntdll entry point of hProcess.
 * Steps: resolve VirtualAllocEx/VirtualFreeEx from KERNEL32 (cached in statics,
 * not thread-safe); copy the handler into a local buffer; patch the three marks;
 * write the copy into the target; redirect ntdll's AddressOfEntryPoint to it.
 * Returns TRUE on success. On failure the remote allocation is released; on
 * success it is intentionally left allocated because the target will execute it.
 * NOTE(review): if ReadntdllEntry fails, the previous-entry mark is patched to 0
 * and the installed handler will not chain to the original entry point.
 * The outcome also depends on WritentdllEntry's return value, which is
 * indeterminate when its VirtualProtectEx call fails.
 */
BOOL WINAPI hAddProcessInitHandler(HANDLE hProcess,
                                   PVOID ProcessInitHandler,
                                   DWORD ProcessInitHandlerSize,
                                   PVOID UserPointer) {
    BOOL Result = FALSE;
    LPVOID lpLocalProcessInitHandler, lpRemoteProcessInitHandler;
    /* Resolved at runtime rather than linked; both cached after the first call. */
    typedef LPVOID (WINAPI *TAPIHVirtualAllocEx)(HANDLE, LPVOID, DWORD, DWORD, DWORD);
    static TAPIHVirtualAllocEx APIHVirtualAllocEx = NULL;
    /* NOTE(review): the real VirtualFreeEx returns BOOL, not LPVOID; harmless here since the result is discarded. */
    typedef LPVOID (WINAPI *TAPIHVirtualFreeEx)(HANDLE, LPVOID, DWORD, DWORD);
    static TAPIHVirtualFreeEx APIHVirtualFreeEx = NULL;
    if(APIHVirtualAllocEx == NULL) {
        HINSTANCE hK32 = GetModuleHandle(TEXT("KERNEL32.dll"));
        if(hK32) {
            APIHVirtualAllocEx = (TAPIHVirtualAllocEx)GetProcAddress(hK32, "VirtualAllocEx");
            APIHVirtualFreeEx = (TAPIHVirtualFreeEx)GetProcAddress(hK32, "VirtualFreeEx");
        }
    }
    if(!APIHVirtualAllocEx || !APIHVirtualFreeEx)
        return(FALSE);
    /* assignments in the two conditions are intentional: both allocators return NULL on failure */
    if(lpLocalProcessInitHandler = LocalAlloc(LMEM_FIXED, ProcessInitHandlerSize)) {
        if(lpRemoteProcessInitHandler = APIHVirtualAllocEx(hProcess, NULL, ProcessInitHandlerSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)) {
            /* patch the local copy, not the caller's code: marks are replaced in place */
            memcpy(lpLocalProcessInitHandler, ProcessInitHandler, ProcessInitHandlerSize);
            SetPointers(lpLocalProcessInitHandler, ProcessInitHandlerSize, APIHPreviousProcessInitHandlerMark, ReadntdllEntry(hProcess));
            SetPointers(lpLocalProcessInitHandler, ProcessInitHandlerSize, APIHCodeBodyMark, lpRemoteProcessInitHandler);
            SetPointers(lpLocalProcessInitHandler, ProcessInitHandlerSize, APIHUserMark, UserPointer);
            if(WriteProcessMemory(hProcess, lpRemoteProcessInitHandler, lpLocalProcessInitHandler, ProcessInitHandlerSize, NULL))
                if(WritentdllEntry(hProcess, lpRemoteProcessInitHandler))
                    Result = TRUE;
            /* only on failure: a successful install must leave the remote copy alive */
            if(!Result)
                APIHVirtualFreeEx(hProcess, lpRemoteProcessInitHandler, 0, MEM_RELEASE);
        }
        LocalFree(lpLocalProcessInitHandler);
    }
    return(Result);
}
////////////////////////////////////////////////////////////////////////////////////////////////