#define WIN32_LEAN_AND_MEAN
//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#pragma comment(lib, "user32")
#undef _stprintf
#ifdef _UNICODE
#define _stprintf wsprintfW
#else
#define _stprintf wsprintfA
#endif
#pragma comment(lib, "SClientAW")
#define AH_STATIC_LINKING
#include <ApiHooks.h>
/////////////////////////////////////////////////////////
// Storage handed to ApiHooks as the "Old*" entry for each hook. The hook
// table below passes their addresses as the 4th API_HOOK field, and the
// naked hook bodies jump through them to reach the original functions.
// NOTE(review): presumably ApiHooks rewrites each 32-byte area into a
// trampoline (displaced bytes + jump back) — confirm in ApiHooks.h.
BYTE Place0[32];
BYTE Place1[32];
PVOID OldKiUserExceptionDispatcher = Place0;
PVOID OldNtContinue = Place1;
#define NUNHOOKS 2 //2 is enough for OVERWRITE/RAW
// Undo records consumed by UnhookApis: NUNHOOKS address/contents slots each.
ADDR_CONTENTS UUED[NUNHOOKS];
API_UNHOOK UnhookKiUserExceptionDispatcher = {NUNHOOKS, 0, UUED};
ADDR_CONTENTS UNTC[NUNHOOKS];
API_UNHOOK UnhookNtContinue = {NUNHOOKS, 0, UNTC};
// Logging state: set by StartLog, cleared by StopLog.
HANDLE hLogFile = INVALID_HANDLE_VALUE; // log output; INVALID_HANDLE_VALUE while not logging
LONG ThreadsIn = 0;                     // threads currently inside a hook body or WaitForPID; StopLog waits for 0
LONG InternalException = 0;             // re-entrancy guard for the exception-dispatcher hook
DWORD PID = 0;                          // process whose exceptions are logged; 0 = none
#include "MyNTC.h"
// Hook body installed in place of NtContinue (ApiHookChain[1]).
// Naked: no prologue/epilogue, so the caller's frame is untouched and
// [esp+4] is still the original pcntx argument when the inline asm reads it.
// Only the logged process (PID) is forwarded to MyNtContinue (MyNTC.h);
// every call then tail-jumps to the saved original entry so the real
// NtContinue runs. Because NtContinue resumes the thread elsewhere, control
// normally never comes back here.
// NOTE(review): the compiler-generated calls (InterlockedIncrement,
// GetCurrentProcessId) are __stdcall and restore esp, but a naked function
// gives no guarantee the compiler spills no temporaries — verify in the
// disassembly that esp is unchanged at the `push [esp+4]`.
__declspec(naked) NewNtContinue(PCONTEXT pcntx) {
    // ThreadsIn lets StopLog wait until no thread is inside a hook.
    InterlockedIncrement(&ThreadsIn);
    if(GetCurrentProcessId() == PID) {
        _asm {
            push [esp+4] //pcntx
            call MyNtContinue
            // NOTE(review): assumes MyNtContinue is __stdcall (callee pops its
            // argument); if it is __cdecl, esp is off by 4 at the jmp below.
        }
    }
    InterlockedDecrement(&ThreadsIn);
    _asm {
        jmp dword ptr OldNtContinue // tail-jump to the original NtContinue
    }
}
#include "MyUED.h"
// Hook body installed in place of KiUserExceptionDispatcher (ApiHookChain[0]).
// Naked, so the stack at entry is exactly what the caller left:
//   [esp] return address, [esp+4] pcntx, [esp+8] pxcpt.
// The TRUE pushed first is a flag slot that selects the exit path: it stays
// TRUE (chain to the original dispatcher) unless the logger runs and returns
// FALSE, in which case the thread is resumed with pcntx through NewNtContinue.
// The logger only runs for the logged process (PID) and not while another
// logger call is already in progress (InternalException), so a fault inside
// the logger itself goes straight to the original dispatcher.
// NOTE(review): the compiler-generated calls (Interlocked*, GetCurrentProcessId)
// are __stdcall and restore esp, but a naked function gives no guarantee the
// compiler spills no temporaries — verify the [esp+N] offsets in the disassembly.
_declspec(naked) NewKiUserExceptionDispatcher(PCONTEXT pcntx, PEXCEPTION_RECORD pxcpt) {
    _asm push TRUE // flag slot: [esp]=flag, [esp+4]=ret, [esp+8]=pcntx, [esp+12]=pxcpt
    InterlockedIncrement(&ThreadsIn);
    if(GetCurrentProcessId() == PID) {
        // NOTE(review): the test and the increment are two separate steps, so
        // two threads faulting at the same time can both enter; only harmless
        // if MyUserExceptionDispatcher tolerates concurrent calls.
        if(!InternalException) {
            InterlockedIncrement(&InternalException);
            _asm {
                push [esp+8] //pcntx
                push [esp+16] //pxcpt (the push above moved esp by 4)
                // Pushed pcntx then pxcpt: the callee's first parameter is pxcpt,
                // its second pcntx — must match the declaration in MyUED.h.
                call MyUserExceptionDispatcher
                // Assumes __stdcall (callee popped both args): esp is back at the
                // flag slot, which now receives the logger's return value.
                mov [esp], eax
            }
            InterlockedDecrement(&InternalException);
        }
    }
    InterlockedDecrement(&ThreadsIn);
    _asm {
        pop eax // flag slot; the stack is as at entry again
        test eax, eax
        je NoSEH
        jmp dword ptr OldKiUserExceptionDispatcher // chain to the real dispatcher
    NoSEH:
        // Logger returned FALSE: resume the thread with pcntx via NtContinue
        // (NewNtContinue tail-jumps to the original); this does not return here.
        push [esp+4] //pcntx
        call NewNtContinue // dword ptr OldNtContinue
    }
}
#define NHOOKS (2+1)
// Hook table consumed by ApiHooks; exported so the loader/injector can find it.
// Both entries are raw-address hooks (HOOK_RAW) installed hard (HOOK_HARD):
// the first field (ApiNameOrOrd) starts NULL and is filled in by DllMain from
// its KERNEL32 scan. The remaining fields, as used in this file: the address
// that receives the original entry (Old*), the undo record for UnhookApis,
// and our replacement function. {HOOKS_END} terminates the chain, which is
// why NHOOKS is 2+1.
__EXPORT API_HOOK ApiHookChain[NHOOKS] = {
{NULL, 0, HOOK_RAW | HOOK_HARD, &OldKiUserExceptionDispatcher, &UnhookKiUserExceptionDispatcher, NewKiUserExceptionDispatcher},
{NULL, 0, HOOK_RAW | HOOK_HARD, &OldNtContinue, &UnhookNtContinue, NewNtContinue},
{HOOKS_END}
};
HMODULE hDLL;     // this DLL's module handle (set in DllMain, released by StopLog)
DWORD Inited = 0; // one-shot guard: DllMain's KERNEL32 scan runs only once
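// Scans KERNEL32's image for a `mov dword ptr [esi+24h], imm32` instruction
// (bytes C7 46 24 imm32) whose imm32 lies above the module base; that imm32
// is used as the raw hook address for KiUserExceptionDispatcher.
// pb: KERNEL32 base address. Returns the imm32 value, or NULL when the
// pattern is absent or the scan faults (a found value is always > pb, so
// NULL is never a valid result).
static LPCSTR FindKiUserExceptionDispatcherRef(PBYTE pb) {
    DWORD i = 0x20000; // "not found" unless the loop breaks early
    __try {
        for(i = 0x15000; i < 0x20000; i++)
            if((*(pb+i) == 0xC7) && (*(pb+i+1) == 0x46) && (*(pb+i+2) == 0x24)
               && (*(PDWORD)(pb+i+3) > (DWORD)pb))
                break;
    }
    __except(EXCEPTION_EXECUTE_HANDLER) {
        // Reading past the mapped image faults: treat as not found.
        return NULL;
    }
    if(i >= 0x20000)
        return NULL;
    return *(LPCSTR*)(pb+i+3);
}

// Scans KERNEL32's image for the sequence 53 6A 00 68 xx 00 2A 00 E8
// (push ebx; push 0; push 002A00xxh; call rel32) starting six bytes after a
// candidate offset, and returns that candidate (pb+i) as the raw hook
// address for NtContinue. The scan window and signature are specific to the
// Win9x KERNEL32 this tool targets.
// pb: KERNEL32 base address. Returns the entry address, or NULL when the
// pattern is absent or the scan faults (pb+i is never NULL here).
static LPCSTR FindNtContinueEntry(PBYTE pb) {
    DWORD i = 0x9000; // "not found" unless the loop breaks early
    __try {
        for(i = 0x6500; i < 0x9000; i++)
            if( (*(pb+i+6) == 0x53) && (*(pb+i+7) == 0x6A) && (*(pb+i+8) == 0x00)
               && (*(pb+i+9) == 0x68) && (*(pb+i+11) == 0x00) && (*(pb+i+12) == 0x2A)
               && (*(pb+i+13) == 0x00) && (*(pb+i+14) == 0xE8))// && (*(pb+i+19) == 0x55))
                break;
    }
    __except(EXCEPTION_EXECUTE_HANDLER) {
        // Reading past the mapped image faults: treat as not found.
        return NULL;
    }
    if(i >= 0x9000)
        return NULL;
    return (LPCSTR)(pb+i);
}

// DLL entry point. On the first DLL_PROCESS_ATTACH it locates the two
// KERNEL32 addresses the hook table needs and stores them in ApiHookChain;
// any failure returns FALSE so the loader unloads the DLL without hooking.
// The load is refused unless this DLL sits at or above 0x80000000 and
// KERNEL32 at or above 0xBFF60000 (presumably the Win9x shared-system
// region, where the hooks are visible to every process — the hook bodies
// rely on being mapped in the logged process).
// Other reasons, and any attach after the first, do nothing further.
// Returns TRUE to keep the DLL loaded, FALSE to reject the load.
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if(ul_reason_for_call != DLL_PROCESS_ATTACH)
        return(TRUE);
    if(Inited)
        return(FALSE); // second attach is rejected, as in the original flow
    ++Inited;
    hDLL = hModule;
    if(hDLL < (HINSTANCE)0x80000000)
        return(FALSE);
    PBYTE pb = (PBYTE)GetModuleHandle(_T("KERNEL32.DLL"));
    if((DWORD)pb < 0xBFF60000)
        return(FALSE); // also covers GetModuleHandle returning NULL
    LPCSTR ued = FindKiUserExceptionDispatcherRef(pb);
    if(!ued)
        return(FALSE);
    ApiHookChain[0].ApiNameOrOrd = ued;
    LPCSTR ntc = FindNtContinueEntry(pb);
    if(!ntc)
        return(FALSE); // ApiHookChain[0] stays filled in, but the load fails
    ApiHookChain[1].ApiNameOrOrd = ntc;
    return(TRUE);
}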
HANDLE hPID = NULL;
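// Tears logging down: removes the hooks, lets in-flight hook calls drain,
// releases the log and process handles, frees the injected thread stub and
// finally unloads this DLL on the calling thread. Exported so a controller
// can stop logging explicitly; also reached from WaitForPID when the logged
// process exits.
// ThreadBody: VirtualAlloc'd memory the caller wants released before the
//             DLL unloads (NULL if none).
// Never returns on success: FreeLibraryAndExitThread ends the thread.
__EXPORT DWORD WINAPI StopLog(LPVOID ThreadBody) {
    // UnhookApis can refuse while a thread sits inside a hook; retry.
    while(!UnhookApis(ApiHookChain, WHOLE_AH_CHAIN))
        Sleep(127);
    // Clearing PID makes any hook call still in flight skip the logging
    // branch. hPID is closed before the drain below: WaitForPID holds
    // ThreadsIn while it waits on hPID, and presumably only leaves once that
    // wait fails on the closed handle (the original ordering relies on this).
    PID = 0;
    if(hPID)
        CloseHandle(hPID);
    hPID = NULL;
    // Drain before touching the log handle, so a thread that is still inside
    // MyNtContinue/MyUserExceptionDispatcher (which presumably write to
    // hLogFile) finishes on a valid handle instead of a closed or reused one.
    while(ThreadsIn)
        Sleep(127);
    if(hLogFile != INVALID_HANDLE_VALUE)
        CloseHandle(hLogFile);
    hLogFile = INVALID_HANDLE_VALUE;
    if(ThreadBody)
        VirtualFree(ThreadBody, 0, MEM_RELEASE); // dwSize must be 0 with MEM_RELEASE
    FreeLibraryAndExitThread(hDLL, ErrorAHTimeOut);
    return(0); // not reached
}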
// Thread body started by StartLog: polls the logged process handle until it
// is signaled (the process exited), then runs StopLog. Counts itself in
// ThreadsIn while waiting so StopLog can account for this thread.
// hP: SYNCHRONIZE handle to the logged process (hPID).
// Returns StopLog's result on process exit (StopLog normally does not
// return), otherwise the failing WaitForSingleObject status.
DWORD WINAPI WaitForPID(HANDLE hP) {
    InterlockedIncrement(&ThreadsIn);
    DWORD status;
    do {
        status = WaitForSingleObject(hP, 127);
    } while(status == WAIT_TIMEOUT);
    InterlockedDecrement(&ThreadsIn);
    return (status == WAIT_OBJECT_0) ? StopLog(NULL) : status;
}
// Starts logging exceptions of process _PID to _hLogFile. Records both in
// the globals the hook bodies read and, when the process can be opened for
// SYNCHRONIZE, starts a WaitForPID thread that stops logging when it exits.
// _hLogFile: log output handle (owned by this module from now on; StopLog
//            closes it).
// _PID: process id whose exceptions are logged.
// Returns 0; failure to open the process or start the waiter is not
// reported, logging simply runs without automatic shutdown.
__EXPORT DWORD WINAPI StartLog(HANDLE _hLogFile, DWORD _PID) {
    hLogFile = _hLogFile;
    PID = _PID;
    hPID = OpenProcess(SYNCHRONIZE, FALSE, PID);
    if(hPID != NULL) {
        DWORD tid;
        HANDLE hWaiter = CreateThread(NULL, 0, WaitForPID, hPID, 0, &tid);
        // The thread handle is not needed; the thread keeps running.
        CloseHandle(hWaiter);
    }
    return(0);
}