#define WIN32_LEAN_AND_MEAN
//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#pragma comment(lib, "ntdll")
#undef _stprintf
#ifdef _UNICODE
#define _stprintf swprintf
#else
#define _stprintf sprintf
#endif
#pragma comment(lib, "SClientAW")
#define AH_STATIC_LINKING
#include <ApiHooks.h>
/////////////////////////////////////////////////////////
// Hook state shared by the two replacement routines below and by
// StartLog/StopLog.  Everything here is process-global: one log handle,
// one thread counter and one re-entrancy latch - nothing is per-thread.

// Filled in by the hook library with the address used to reach the
// original ntdll routine (stored through &Old... in ApiHookChain).  StopLog
// releases them with LocalFree, so presumably they are heap-allocated
// trampolines rather than raw ntdll addresses - TODO confirm in ApiHooks.h.
PVOID OldKiUserExceptionDispatcher = NULL;
PVOID OldNtContinue = NULL;
#define NUNHOOKS 2 //2 is enough for OVERWRITE/RAW
// Per-hook unhook records: presumably the original bytes saved at each
// patched address, consumed by UnhookApis to restore ntdll.
ADDR_CONTENTS UUED[NUNHOOKS];
API_UNHOOK UnhookKiUserExceptionDispatcher = {NUNHOOKS, 0, UUED};
ADDR_CONTENTS UNTC[NUNHOOKS];
API_UNHOOK UnhookNtContinue = {NUNHOOKS, 0, UNTC};
// Destination of the exception log: set by StartLog, reset to
// INVALID_HANDLE_VALUE and closed by StopLog.  The hook bodies in
// MyUED.h / MyNTC.h (not shown here) presumably read it.
HANDLE hLogFile = INVALID_HANDLE_VALUE;
// ThreadsIn: number of threads currently executing inside a hook; StopLog
// spins until it reads zero before freeing anything the hooks reference.
// InternalException: process-wide latch so that an exception raised while
// the logger itself runs is not logged recursively (see the caveat on
// NewKiUserExceptionDispatcher).
LONG ThreadsIn = 0, InternalException = 0;
#include "MyNTC.h"
// Replacement for ntdll!NtContinue.  Naked: no prologue is generated, so
// on entry [esp] is the return address, [esp+4] = pcntx, [esp+8] = IsApc.
// Flow: count the thread in, call MyNtContinue(pcntx) unless this is an
// APC completion, count it out, then tail-jump to the original NtContinue
// with the caller's arguments and return address still in place.
// Note the missing return type (implicit int, old MSVC).
__declspec(naked) NewNtContinue(PCONTEXT pcntx, BOOL IsApc) {
    InterlockedIncrement(&ThreadsIn);
    _asm {
        cmp dword ptr [esp+8], FALSE   // IsApc?
        jne Apc                        // APC completions bypass MyNtContinue
        push [esp+4] //pcntx
        call MyNtContinue              // declared in MyNTC.h; the tail jump
                                       // below relies on it being callee-cleanup
                                       // (stdcall) so esp is back where it was
                                       // - TODO confirm its calling convention
    Apc:
    }
    // NOTE(review): the window between this decrement and the jmp below is
    // not covered by ThreadsIn, yet StopLog frees OldNtContinue as soon as
    // the counter reads zero.
    InterlockedDecrement(&ThreadsIn);
    _asm {
        jmp dword ptr OldNtContinue    // original NtContinue; normally does not return
    }
}
#include "MyUED.h"
// Replacement for ntdll!KiUserExceptionDispatcher, the user-mode routine
// the kernel transfers to for every exception.  Naked, so the stack on
// entry is [esp] = return address, [esp+4] = pxcpt, [esp+8] = pcntx.
// Flow:
//   1. push a flag word (TRUE = "forward to the original dispatcher");
//   2. unless another exception is already being logged, call
//      MyUserExceptionDispatcher(pxcpt, pcntx) and store its result in
//      that flag word;
//   3. non-zero flag -> tail-jump to the original dispatcher (normal SEH);
//      zero -> resume the thread via NewNtContinue(pcntx, FALSE), i.e. the
//      logger has decided to continue with the (possibly edited) context.
// Caveat: InternalException is one process-wide LONG and the test below is
// a plain read followed by a separate increment, so while one thread is
// inside MyUserExceptionDispatcher, exceptions on other threads skip
// logging entirely and go straight to the original dispatcher.
// Note the missing return type (implicit int, old MSVC).
__declspec(naked) NewKiUserExceptionDispatcher(PEXCEPTION_RECORD pxcpt, PCONTEXT pcntx) {
    _asm push TRUE                     // flag word: default is "let SEH run"
    InterlockedIncrement(&ThreadsIn);
    if(!InternalException) {
        InterlockedIncrement(&InternalException);
        _asm {
            // stack here: [esp] = flag, [esp+4] = pxcpt, [esp+8] = pcntx
            push [esp+8] // pcntx
            push [esp+8] // pxcpt (esp moved, so +8 is now the pxcpt slot)
            call MyUserExceptionDispatcher
            mov [esp], eax             // overwrite the flag word with the result;
                                       // assumes the callee popped its two
                                       // arguments (stdcall) - TODO confirm
        }
        InterlockedDecrement(&InternalException);
    }
    // NOTE(review): from here to the final jmp/call the thread is no longer
    // counted, but still executes code StopLog may unload.
    InterlockedDecrement(&ThreadsIn);
    _asm {
        pop eax                        // flag word
        test eax, eax
        je NoSEH
        jmp dword ptr OldKiUserExceptionDispatcher   // normal SEH dispatch
    NoSEH:
        push eax                       // IsApc = FALSE (eax is zero here)
        push [esp+8] //pcntx
        call NewNtContinue // dword ptr OldNtContinue
        // NewNtContinue tail-jumps into NtContinue, so control does not
        // normally come back here; pxcpt/pcntx remain on the stack.
    }
}
// Hook table consumed by the ApiHooks library (UnhookApis in StopLog walks
// it with WHOLE_AH_CHAIN): two ntdll entry points in HOOK_OVERWRITE mode
// (presumably patched in place) plus the HOOKS_END terminator.  Per entry:
// module, export name, hook mode, where to store the pointer to the
// original routine, the unhook record holding what was saved, and the
// replacement routine.  Once installed, every exception and every context
// resume in this process passes through the naked routines above.
#define NHOOKS (2+1)
__EXPORT API_HOOK ApiHookChain[NHOOKS] = {
    {"ntdll.dll", "KiUserExceptionDispatcher", HOOK_OVERWRITE, &OldKiUserExceptionDispatcher, &UnhookKiUserExceptionDispatcher, NewKiUserExceptionDispatcher},
    {"ntdll.dll", "NtContinue", HOOK_OVERWRITE, &OldNtContinue, &UnhookNtContinue, NewNtContinue},
    {HOOKS_END}
};
// This DLL's own module handle, captured at process attach so that StopLog
// can hand it to FreeLibraryAndExitThread.
HMODULE hDLL;
// Standard DLL entry point.  Only DLL_PROCESS_ATTACH does anything: it
// records the module handle.  Always reports success.
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)lpReserved;
    switch(ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        hDLL = hModule;
        break;
    default:
        break;
    }
    return TRUE;
}
// Begin logging: remember the handle the host process opened for the log.
// _PID is accepted for interface compatibility only and is not used here;
// the hooks themselves are presumably installed by the ApiHooks library
// from ApiHookChain.  Always returns 0.
__EXPORT DWORD WINAPI StartLog(HANDLE _hLogFile, DWORD _PID) {
    (void)_PID;
    hLogFile = _hLogFile;
    return 0;
}
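// Tear down logging in an order that never closes or frees something a
// thread may still be using:
//   1. restore the ntdll entry points (retry until the hook library agrees);
//   2. wait for threads already inside the hooks to leave;
//   3. only then close the log handle, free the trampolines and the caller's
//      thread stub, and unload this DLL.
// The original closed hLogFile before waiting on ThreadsIn, so a hook still
// in flight could write to a closed - or, after handle reuse, unrelated -
// handle; the wait now comes first.
// ThreadBody: memory the caller wants released with VirtualFree (may be NULL).
// Never returns: ends the calling thread via FreeLibraryAndExitThread with
// exit code ErrorAHTimeOut, unconditionally, as before.
__EXPORT VOID WINAPI StopLog(LPVOID ThreadBody) {
    while(!UnhookApis(ApiHookChain, WHOLE_AH_CHAIN))
        Sleep(127);
    // Threads that entered a hook before the unhook took effect are still
    // counted; let them drain before touching anything they reference.
    // NOTE(review): both hooks decrement ThreadsIn before their final
    // jmp/call, so a thread can still be a few instructions from leaving
    // when the counter reads zero; the frees below race with that window.
    while(ThreadsIn)
        Sleep(127);
    // Publish INVALID_HANDLE_VALUE before closing, so a late reader of
    // hLogFile never observes a handle that is already closed.
    HANDLE h = (HANDLE)InterlockedExchangePointer(&hLogFile, INVALID_HANDLE_VALUE);
    if(h != INVALID_HANDLE_VALUE)
        CloseHandle(h);
    // Presumably LocalAlloc'd by the hook library - TODO confirm ownership.
    if(OldKiUserExceptionDispatcher)
        LocalFree(OldKiUserExceptionDispatcher);
    if(OldNtContinue)
        LocalFree(OldNtContinue);
    if(ThreadBody)
        VirtualFree(ThreadBody, 0, MEM_RELEASE);   // dwSize is a SIZE_T and must be 0 for MEM_RELEASE (was NULL)
    FreeLibraryAndExitThread(hDLL, ErrorAHTimeOut);
}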