if(Result == SOCKET_ERROR)
Status_len = wsprintf(Status, sendfailed_templ, WSALastError);
else
Status_len = wsprintf(Status, sendsuccess_templ, Result);
}
memptr = LocalAlloc(LPTR, (SubMsg_len +Status_len +64)*sizeof(TCHAR) +sizeof(send_templ));
if(memptr) {
MainMsg = (TCHAR *)memptr;
wsprintf(MainMsg, send_templ, SubMsg, Status);
PostMsg(MainMsg);
LocalFree(MainMsg);
}
if(s_buf != azeroch)
LocalFree(s_buf);
if(Status != zeroch)
LocalFree(Status);
if(SubMsg != zeroch)
LocalFree(SubMsg);
pWSASetLastError(WSALastError);
}
return(Result);
}
/////////////////////////////////////////////////////////
// Helper Part //
/////////////////////////////////////////////////////////
// Signature of the undocumented kernel32 CreateProcessInternalW. The first and
// last LPVOID parameters are opaque to this module (Unknown00 / Unknown2C in
// NewCreateProcessInternalW); everything in between mirrors CreateProcessW.
typedef BOOL (WINAPI *TCreateProcessInternalW)(LPVOID, LPCWSTR, LPWSTR,
LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD,
LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION, LPVOID);
// Original CreateProcessInternalW. Its address is stored into
// ApiHookChain[0].ModuleImport by GetApiHookChain; presumably the hook engine
// writes the original entry point here when it installs the hook.
TCreateProcessInternalW OldCreateProcessInternalW = NULL;
// Signature of the documented CreateProcessW (the default target of ApiHookChain[0]).
typedef BOOL (WINAPI *TCreateProcessW)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR,
LPSTARTUPINFOW, LPPROCESS_INFORMATION);
// Original CreateProcessW; referenced from the ApiHookChain[0] initializer.
TCreateProcessW OldCreateProcessW = NULL;
//////////////
// Signature shared by EXE and DLL entry points as the loader calls them
// (hModule, reason, reserved).
typedef BOOL (APIENTRY *TCallProgramEntry)(HINSTANCE, DWORD, LPVOID);
// 32 bytes of writable storage used as the "original" target of the raw hook
// in ApiHookChain[1] (9x only). OldCallProgramEntry points at it so that
// NewCallProgramEntry's `jmp dword ptr OldCallProgramEntry` lands here;
// presumably the hook engine fills it with a trampoline to the displaced code.
BYTE CallProgramEntrySpace[32];
TCallProgramEntry OldCallProgramEntry = (TCallProgramEntry)&CallProgramEntrySpace;
/////////////////////////////////////////////////////////
VOID WINAPI FreeWS9XProcess(LONG idx) {
    // Release slot idx of the shared ws9xprocess table (9x only).
    //
    // Slot layout: PID is immediately followed by NWSAPIS DWORD-sized
    // "Old*" function-pointer fields (FillDynamic relies on the same layout).
    // Those pointers are only reset, never LocalFree'd: an earlier version
    // freed them when the slot belonged to the current process, but that was
    // disabled because a PID can be recycled by an unrelated process.
    // Callers are expected to hold the W9XPLockName mutex (see HookProcess).
    PDWORD slot = (PDWORD)&ws9xprocess[idx].PID;
    for (DWORD n = 1; n <= NWSAPIS; n++) {
        slot[n] = 0;
    }
    ws9xprocess[idx].PID = 0;
}
VOID WINAPI FillDynamic(LONG idx) {
    // Repoint the Winsock hook entries (ApiHookChain[NHELPERAPIS+1 ..
    // NHELPERAPIS+NWSAPIS]) at the per-process slot that follows
    // ws9xprocess[idx].PID, so the original function pointers recorded for
    // this process land in its own slot rather than in slot 0's fields named
    // in the static initializer. Layout must stay in step with FreeWS9XProcess.
    PDWORD slot = (PDWORD)&ws9xprocess[idx].PID + 1;
    for (DWORD n = 0; n < NWSAPIS; n++) {
        ApiHookChain[NHELPERAPIS + 1 + n].ModuleImport = (LPSTR)(slot + n);
    }
}
LONG WINAPI RecycleOrFindEmptyWS9XProcess(DWORD PID) {
    // Claim a ws9xprocess slot for PID and point the dynamic hook entries at
    // it. Returns the slot index, or -1 when the table is full.
    //
    // A slot already recorded for this PID is reused (after being reset);
    // otherwise the first empty slot wins. Slots whose owner can no longer be
    // opened, or was a terminated 16-bit task, are reaped on the way.
    // The whole table is scanned (no early exit), so a later slot holding the
    // same PID overrides an earlier choice.
    // Callers are expected to hold the W9XPLockName mutex (see HookProcess).
    LONG found = -1;
    for (LONG i = 0; i < MAX_WSOCK9XPROCESSES; i++) {
        DWORD slotPID = ws9xprocess[i].PID;

        // Reap dead owners so the slot becomes available below.
        if (slotPID != 0 && (GetProcFlags(slotPID) & (RC_PF_NOOPEN | RC_PF_16TERM))) {
            FreeWS9XProcess(i);
            slotPID = ws9xprocess[i].PID;
        }

        // First empty slot is the fallback candidate.
        if (slotPID == 0 && found == -1)
            found = i;

        // A slot for this very PID takes precedence and is reset first.
        if (slotPID == PID) {
            found = i;
            FreeWS9XProcess(i);
        }
    }
    if (found != -1) {
        ws9xprocess[found].PID = PID;
        FillDynamic(found);
    }
    return found;
}
/////////////////////////////////////////////////////////
// Per-process copy of the default RC info (taken from GetDefaultRCInfo() in
// DllMain, with RCFlags cleared); passed to every IsModuleLoaded /
// EstablishApiHooks call in this file.
RCINFO g_RCI;
BOOL WINAPI IsWSPresent(DWORD PID) {
    // Ask the helper whether WSLIBName is loaded in process PID (the trailing
    // 3000 is presumably a timeout in ms). IsModuleLoaded yields 0 when the
    // module is absent and a value in [ErrorAHMin, ErrorAHMax] when the probe
    // itself failed; both are reported as "not present", so a failed probe
    // errs towards not hooking rather than hooking blindly.
    DWORD probe = IsModuleLoaded(&g_RCI, WSLIBName, PID, 3000);
    if (probe == 0)
        return FALSE;
    return (probe < ErrorAHMin) || (probe > ErrorAHMax);
}
/////////////////////////////////////////////////////////
// Path of this DLL, filled by GetModuleFileName in DllMain on NT and handed to
// EstablishApiHooks as its second argument by HookProcess (on 9x the hook
// chain itself is passed in that position instead). Bounded by MAX_PATH.
TCHAR Hooks_DLL[MAX_PATH];
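__EXPORT VOID WINAPI HookProcess(DWORD PID, BOOL DoNotCheckForPresence) {
    /*
     * Install this module's API hooks into process PID.
     *
     * NT: EstablishApiHooks receives the path of this DLL (Hooks_DLL, set in
     *     DllMain); the trailing 5000 is presumably a timeout in ms.
     * 9x: the hook chain from ApiHookChain[NHELPERAPIS] onward is handed to
     *     EstablishApiHooks instead, but only if the target already has
     *     Winsock loaded (or the caller asks to skip that probe), and only
     *     while holding the W9XPLockName mutex, which serialises access to the
     *     shared ws9xprocess table (RecycleOrFindEmptyWS9XProcess, FillDynamic).
     *
     * DoNotCheckForPresence: skip the IsWSPresent probe (9x path only).
     * Failures are silent: a missing mutex, a failed wait or a full
     * ws9xprocess table simply leave the target unhooked.
     */
    if (bIsNT) {
        EstablishApiHooks(&g_RCI, Hooks_DLL, PID, 5000);
        return;
    }
    if (!DoNotCheckForPresence && !IsWSPresent(PID))
        return;

    HANDLE hMU = OpenMutex(SYNCHRONIZE, FALSE, W9XPLockName);
    if (hMU == NULL)
        return;

    // Only touch the shared table once the wait actually granted ownership.
    // WAIT_ABANDONED still grants it (the previous owner died holding the lock).
    // The result used to be ignored, so a failed wait would have mutated the
    // table without the lock and then released a mutex this thread did not own.
    DWORD wait = WaitForSingleObject(hMU, INFINITE);
    if (wait == WAIT_OBJECT_0 || wait == WAIT_ABANDONED) {
        if (RecycleOrFindEmptyWS9XProcess(PID) != -1)
            EstablishApiHooks(&g_RCI, (LPCTSTR)&ApiHookChain[NHELPERAPIS], PID, 5000);
        ReleaseMutex(hMU);
    }
    CloseHandle(hMU);
}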
/////////////////////////////////////////////////////////
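BOOL WINAPI NewCreateProcessInternalW(LPVOID Unknown00, LPCWSTR lpApplicationName, LPWSTR lpCommandLine,
                                      LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                      BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory,
                                      LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, LPVOID Unknown2C) {
    /*
     * Replacement for kernel32's undocumented CreateProcessInternalW, selected
     * by GetApiHookChain when kernel32 exports it (presumably because the
     * public CreateProcess* functions route through it).
     *
     * The child is always created CREATE_SUSPENDED so HookProcess can act
     * before its first instruction runs. If the caller did not itself request
     * CREATE_SUSPENDED, the main thread is resumed afterwards.
     *
     * Fix: ResumeThread used to sit inside `if (Result && Initialized)`, so a
     * child created while Initialized is FALSE (it is cleared on
     * DLL_PROCESS_DETACH) was left suspended for good. Hooking remains
     * conditional on Initialized; resuming does not.
     *
     * Returns the original call's result. lpProcessInformation is mandatory
     * for this API and is only dereferenced when Result is TRUE.
     */
    BOOL Result = OldCreateProcessInternalW(Unknown00, lpApplicationName, lpCommandLine,
                                            lpProcessAttributes, lpThreadAttributes, bInheritHandles,
                                            dwCreationFlags | CREATE_SUSPENDED, lpEnvironment,
                                            lpCurrentDirectory, lpStartupInfo, lpProcessInformation,
                                            Unknown2C);
    if (Result) {
        if (Initialized)
            HookProcess(lpProcessInformation->dwProcessId, FALSE);
        // Never leave a child suspended that the caller expected to run.
        if (!(dwCreationFlags & CREATE_SUSPENDED))
            ResumeThread(lpProcessInformation->hThread);
    }
    return Result;
}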
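BOOL WINAPI NewCreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine,
                              LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
                              BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory,
                              LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) {
    /*
     * Replacement for CreateProcessW (default target of ApiHookChain[0], NT only).
     *
     * The child is always created CREATE_SUSPENDED so HookProcess can act
     * before its first instruction runs. If the caller did not itself request
     * CREATE_SUSPENDED, the main thread is resumed afterwards.
     *
     * Fix: ResumeThread used to sit inside `if (Result && Initialized)`, so a
     * child created while Initialized is FALSE (it is cleared on
     * DLL_PROCESS_DETACH) was left suspended for good. Hooking remains
     * conditional on Initialized; resuming does not.
     *
     * Returns the original call's result. lpProcessInformation is mandatory
     * for this API and is only dereferenced when Result is TRUE.
     */
    BOOL Result = OldCreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes,
                                    lpThreadAttributes, bInheritHandles,
                                    dwCreationFlags | CREATE_SUSPENDED, lpEnvironment,
                                    lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
    if (Result) {
        if (Initialized)
            HookProcess(lpProcessInformation->dwProcessId, FALSE);
        // Never leave a child suspended that the caller expected to run.
        if (!(dwCreationFlags & CREATE_SUSPENDED))
            ResumeThread(lpProcessInformation->hThread);
    }
    return Result;
}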
/////////////////////////////////////////////////////////
BOOL APIENTRY NewCallDllEntry(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    // Reached from NewCallProgramEntry for DLL entry points (9x only). The
    // original entry routine runs first; afterwards, if the module that just
    // completed DLL_PROCESS_ATTACH is the Winsock library (WSLIBName) and
    // hooking is enabled, the current process is hooked. The presence probe
    // is skipped (TRUE) because Winsock has evidently just been loaded here.
    // x86 EAX register must be restored before calling old function; ensured -> good compiler.
    BOOL Result = OldCallProgramEntry(hModule, ul_reason_for_call, lpReserved);
    if (!Result || ul_reason_for_call != DLL_PROCESS_ATTACH || !Initialized)
        return Result;
    if (GetModuleHandleA(WSLIBName) != hModule)
        return Result;
    HookProcess(GetCurrentProcessId(), TRUE);
    return Result;
}
// Raw replacement installed through ApiHookChain[1] (HOOK_RAW | HOOK_HARD,
// 9x only) for the loader routine that calls program entry points; that
// routine's address is recovered in DllMain from DllMain's own return address.
// Naked: no prologue, so the caller's arguments are still at [esp+4] (module
// handle) and [esp+8] (reason code), and control leaves via jmp so EAX and
// the return address reach the real target untouched.
//   module handle == 0 -> an EXE entry point: pass straight to the original.
//   module handle != 0 -> a DLL entry point: if the reason code is <=
//                         DLL_THREAD_DETACH (unsigned compare, jbe) route
//                         through NewCallDllEntry, which calls the original and
//                         then hooks once Winsock has attached; larger codes
//                         fall through to the original.
// NOTE(review): no return type is declared (legacy implicit int); the `...`
// parameter list presumably just keeps the compiler from touching the stack.
__declspec(naked) NewCallProgramEntry(...) {
_asm {
cmp dword ptr [esp+4], 0
je NewCallExeEntry
cmp dword ptr [esp+8], DLL_THREAD_DETACH
jbe NewCallDllEntry
NewCallExeEntry:
jmp dword ptr OldCallProgramEntry
}
}
/////////////////////////////////////////////////////////
// Set on the first DLL_PROCESS_ATTACH; a second attach is refused (DllMain).
// The original comment ties this to 9x, presumably because this module is
// mapped shared there so the flag is visible across processes — confirm.
BOOL WasLoadedAlready = FALSE;
// Module entry point.
//
// DLL_PROCESS_ATTACH:
//   - refuses a second attach (WasLoadedAlready);
//   - NT: records this DLL's path in Hooks_DLL for later injection by
//     HookProcess;
//   - 9x: creates the W9XPLockName mutex that HookProcess opens, and recovers
//     the address of the loader routine that called this DllMain so
//     ApiHookChain[1] can hook it;
//   - copies the default RC info into g_RCI, clears its flags, disables
//     thread attach/detach notifications;
//   - opens the controlling event (EVName, falling back to BaseEVName) while
//     temporarily holding privilege 23 ("bypass traverse checking", i.e.
//     SeChangeNotifyPrivilege) via ntdll!RtlAdjustPrivilege, then restores
//     the privilege. Load fails if no event can be opened.
// DLL_PROCESS_DETACH:
//   clears Initialized and sleeps briefly, presumably to let hook calls that
//   already passed their Initialized check drain before the module unmaps.
//
// Globals written here but declared elsewhere in the file: bIsNT, RAP, hEV,
// Initialized.
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
if(ul_reason_for_call == DLL_PROCESS_ATTACH) {
if(WasLoadedAlready)
return(FALSE) ;//prevent attaching this module to any other 9x process!
WasLoadedAlready = TRUE;
// Assignment intended: cache the platform check in bIsNT for the hooks.
if(bIsNT = IsNT) {
// NOTE(review): return value is not checked; a path longer than MAX_PATH
// would be truncated and EstablishApiHooks later handed a wrong path.
GetModuleFileName(hModule, Hooks_DLL, sizeof(Hooks_DLL)/sizeof(TCHAR));
}
else {
// The mutex handle is neither stored nor closed; it lives as long as the
// process, which is presumably what keeps the named object around for
// OpenMutex in HookProcess. A failed create aborts the load.
if(CreateMutex(NULL, FALSE, W9XPLockName) == 0)
return(FALSE);
// Stack-layout dependent: hModule is the first stdcall argument, so the
// DWORD just below it is this call's return address. The DWORD before the
// return address is taken as the rel32 operand of a direct near call, and
// adding the return address yields the absolute address of the routine
// that called us (the loader's entry-call routine) — assumes the caller
// used a direct `call rel32` and that the compiler keeps this frame layout.
PDWORD CallProgramEntry__ = *(PDWORD*)((PDWORD)&hModule-1);
ApiHookChain[1].ApiNameOrOrd = (LPCSTR)(*(CallProgramEntry__-1)+(DWORD)CallProgramEntry__);
}
memcpy(&g_RCI, GetDefaultRCInfo(), sizeof(g_RCI));
g_RCI.RCFlags = 0;
DisableThreadLibraryCalls(hModule);
//bypass traverse checking
// RtlAdjustPrivilege is resolved dynamically; on systems without ntdll the
// lookup fails and RAP keeps its previous value (presumably NULL).
HINSTANCE hntdll;
// NOTE(review): WasEn is only written by the first RAP call; if that call
// fails without storing the previous state, the restore below passes an
// indeterminate value.
BYTE WasEn;
if(hntdll = GetModuleHandle(_T("ntdll.dll")))
if(RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege"))
RAP(23, TRUE, 0, &WasEn);
// Primary event first, then the base name; SYNCHRONIZE access only.
if((hEV = OpenEvent(SYNCHRONIZE, FALSE, EVName)) == 0)
hEV = OpenEvent(SYNCHRONIZE, FALSE, BaseEVName);
// Put the privilege back to its prior state.
if(RAP)
RAP(23, WasEn, 0, &WasEn);
if(hEV == NULL)
return(FALSE);
}
else
if(ul_reason_for_call == DLL_PROCESS_DETACH) {
Initialized = FALSE;
Sleep(127);
}
return(TRUE);
}
/////////////////////////////////////////////////////////
// Entry count of ApiHookChain: the helper hooks, the HOOKS_DYNAMIC marker,
// the Winsock hooks and the HOOKS_END terminator.
#define NHOOKS (NHELPERAPIS+1+NWSAPIS+1)
// Hook table returned by GetApiHookChain. From how this file patches entries:
// 2nd field is ApiNameOrOrd, 3rd the HOOK_* flags, 4th ModuleImport (where the
// original pointer goes), 6th HookAddress (the replacement); the 5th is
// presumably ModuleExport, NULL here and set by GetApiHookChain for the
// Winsock entries.
API_HOOK ApiHookChain[NHOOKS] = {
// [0] NT only (HOOK_NOT_9X). GetApiHookChain retargets this entry to
//     CreateProcessInternalW when kernel32 exports it.
{"KERNEL32.DLL", "CreateProcessW", HOOK_OVERWRITE | HOOK_NOT_9X, &OldCreateProcessW, NULL, NewCreateProcessW},
// [1] 9x only (HOOK_NOT_NT): raw hard hook on the loader's entry-call routine;
//     its address (ApiNameOrOrd) is computed at run time in DllMain.
{"", NULL, HOOK_RAW | HOOK_HARD | HOOK_NOT_NT, &OldCallProgramEntry, NULL, NewCallProgramEntry},
// [2] marker. HookProcess hands &ApiHookChain[NHELPERAPIS] to the engine on
//     9x, so NHELPERAPIS presumably indexes this entry; the entries after it
//     have their ModuleImport repointed per process by FillDynamic.
{HOOKS_DYNAMIC},
// Winsock hooks (NWSAPIS of them), exported from WSNEWName by default. The
// Old* storage named here belongs to ws9xprocess slot 0; GetApiHookChain
// switches ModuleExport to WSOLDName when WSNEWName is not loaded.
{WSNEWName, "gethostbyname", HOOK_OVERWRITE, &ws9xprocess[0].Oldgethostbyname, NULL, Newgethostbyname},
{WSNEWName, "send", HOOK_OVERWRITE, &ws9xprocess[0].Oldsend, NULL, Newsend},
{HOOKS_END}
};
__EXPORT PAPI_HOOK WINAPI GetApiHookChain(DWORD CallerPID) {
    /*
     * Exported: returns the hook table after adjusting it for this system.
     *  - If kernel32 exports CreateProcessInternalW, entry 0 is retargeted at
     *    it (presumably because the public CreateProcess* functions route
     *    through it).
     *  - The legacy Winsock DLL (WSOLDName) is loaded by bare module name,
     *    which resolves through the loader's search order rather than a fixed
     *    system path. If the newer Winsock (WSNEWName) is not loaded, the
     *    Winsock entries are switched to export from WSOLDName. On 9x the
     *    extra reference is released again; on NT it is kept (presumably so
     *    the hooked module stays mapped). Initialized is set only when that
     *    load succeeded.
     *  - ws9xprocess slot 0 is claimed for the current process.
     * CallerPID is part of the exported interface and not used here.
     */
    HINSTANCE hK32 = GetModuleHandle(_T("KERNEL32.dll"));
    if (hK32 != NULL && GetProcAddress(hK32, "CreateProcessInternalW") != NULL) {
        ApiHookChain[0].ApiNameOrOrd = "CreateProcessInternalW";
        ApiHookChain[0].ModuleImport = &OldCreateProcessInternalW;
        ApiHookChain[0].HookAddress = NewCreateProcessInternalW;
    }

    HINSTANCE hWS = LoadLibraryA(WSOLDName);
    if (hWS != NULL) {
        BOOL newWinsockLoaded = GetModuleHandleA(WSNEWName) != NULL;
        if (!newWinsockLoaded) {
            for (DWORD n = 0; n < NWSAPIS; n++)
                ApiHookChain[NHELPERAPIS + 1 + n].ModuleExport = WSOLDName;
        }
        if (!bIsNT)
            FreeLibrary(hWS);
        Initialized = TRUE;
    }

    ws9xprocess[0].PID = GetCurrentProcessId();
    return ApiHookChain;
}