#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <ApiHooks.h>
// Fixed, absolute log path: every process that loads this DLL appends records here.
// Because the file is treated as the record of process launches, keep its location
// one that only the accounts meant to manage the log can write to or replace.
#define LogFile "C:\\ProcLog.txt"
// Logging switch, flipped by ControlProcLog(); both hooks test it on every call.
BOOL LogProc = FALSE;
//-----------------------------
// Signature of the real CreateProcessA (ANSI), so the original can be invoked
// through the trampoline with the caller's arguments passed through unchanged.
typedef BOOL (WINAPI *TRealCreateProcessA)(LPCSTR lpApplicationName, LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
// 32 bytes of writable storage whose address is handed to the hook engine through
// ApiHookChain[0]; presumably the engine builds the trampoline (relocated prologue +
// jump back) in it -- ApiHooks.h defines that contract, confirm there.  Since it is
// called through OldRealCreateProcessA, the page must be executable at run time;
// nothing in this file changes its protection.
BYTE RealCreateProcessASpace[32];
// Calling through this pointer reaches the original CreateProcessA once the hook is installed.
TRealCreateProcessA OldRealCreateProcessA = (TRealCreateProcessA)&RealCreateProcessASpace;
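// wsprintfA never writes more than this many bytes (its documented limit, terminator
// included).  The MAX_PATH-sized stack buffers used before could be overrun by a
// long command line; sizing to this limit, and capping every %s with a precision,
// bounds each formatted write.
enum { ProcLogFmtMax = 1024 };
//-----------------------------
// Appends one record for an intercepted process creation to LogFile:
//   '<this process's command line>' (<pid>) tries to spawn '<app> <cmdline>' ..succeeded.
// lpApplicationName / lpCommandLine may each be NULL (CreateProcess allows one of
// them to be); whichever is present describes the child.  Logging is best-effort:
// an unopenable or unwritable log file is ignored so the hooked call's outcome is
// never changed by it.  Does nothing while LogProc is FALSE.  Shared by both hooks
// so the record format and the buffer bounds live in one place.
static VOID LogSpawnAttempt(LPCSTR lpApplicationName, LPCSTR lpCommandLine, BOOL Result) {
    if(!LogProc)
        return;
    CHAR CLA[ProcLogFmtMax];
    if(lpApplicationName && lpCommandLine)
        wsprintfA(CLA, "%.511s %.511s", lpApplicationName, lpCommandLine);
    else if(lpCommandLine)
        wsprintfA(CLA, "%.1023s", lpCommandLine);
    else
        wsprintfA(CLA, "%.1023s", lpApplicationName);
    CHAR PRecord[ProcLogFmtMax];
    // Parent and child text are each capped at 400 characters so the fixed wording
    // and the hex PID always fit in ProcLogFmtMax.
    int sPRecord = wsprintfA(PRecord, "'%.400s' (%X) tries to spawn '%.400s' ..%s.\r\n\r\n",
                             GetCommandLineA(), GetCurrentProcessId(), CLA,
                             Result ? "succeeded" : "failed");
    if(sPRecord <= 0)
        return;
    // LogFile is a narrow literal, so call the A variant explicitly instead of the
    // TCHAR macro.  FILE_APPEND_DATA makes each record an atomic append: several
    // hooked processes writing at once neither interleave inside a record nor fail
    // to open the file as they did with exclusive sharing plus SetFilePointer.
    HANDLE hFile = CreateFileA(LogFile, FILE_APPEND_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE,
                               NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if(hFile == INVALID_HANDLE_VALUE)
        return;
    DWORD Written = 0;
    WriteFile(hFile, PRecord, (DWORD)sPRecord, &Written, NULL);
    CloseHandle(hFile);
}
//-----------------------------
// Replacement for CreateProcessA: forwards to the original through the trampoline,
// logs the attempt, and returns the original's result unchanged.  GetLastError() is
// saved across the logging so a failed CreateProcessA still reports its real error
// code to the caller instead of one left behind by CreateFileA/WriteFile.
BOOL WINAPI NewRealCreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine,
        LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
        BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment,
        LPCSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) {
    BOOL Result = OldRealCreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes,
                                        lpThreadAttributes, bInheritHandles, dwCreationFlags,
                                        lpEnvironment, lpCurrentDirectory, lpStartupInfo,
                                        lpProcessInformation);
    DWORD LastError = GetLastError();
    LogSpawnAttempt(lpApplicationName, lpCommandLine, Result);
    SetLastError(LastError);
    return Result;
}
//-----------------------------
// Signature of the kernel32-internal routine DllMain may choose to hook instead of
// CreateProcessA: the CreateProcessA parameter list wrapped in three extra pointers
// (Null1..Null3) whose meaning is not recorded here -- they are passed through as-is.
typedef BOOL (WINAPI *TCreateProcessWin32)(LPVOID Null1, LPCSTR lpApplicationName, LPSTR lpCommandLine, LPVOID Null2,
        LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
        BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment,
        LPCSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, LPVOID Null3);
// Trampoline storage / original-function pointer for that routine, same arrangement
// as RealCreateProcessASpace / OldRealCreateProcessA.
BYTE CreateProcessWin32Space[32];
TCreateProcessWin32 OldCreateProcessWin32 = (TCreateProcessWin32)&CreateProcessWin32Space;
//-----------------------------
// Replacement for the internal routine: same forward / log / restore-last-error
// sequence as NewRealCreateProcessA, with the three extra pointers passed through.
BOOL WINAPI NewCreateProcessWin32(LPVOID Null1, LPCSTR lpApplicationName, LPSTR lpCommandLine, LPVOID Null2,
        LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
        BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment,
        LPCSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, LPVOID Null3) {
    BOOL Result = OldCreateProcessWin32(Null1, lpApplicationName, lpCommandLine, Null2,
                                        lpProcessAttributes, lpThreadAttributes, bInheritHandles,
                                        dwCreationFlags, lpEnvironment, lpCurrentDirectory,
                                        lpStartupInfo, lpProcessInformation, Null3);
    DWORD LastError = GetLastError();
    LogSpawnAttempt(lpApplicationName, lpCommandLine, Result);
    SetLastError(LastError);
    return Result;
}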
//-----------------------------
// Exported switch for the host: TRUE starts logging of intercepted process
// creations, FALSE stops it.  The hooks stay installed either way; they simply
// skip the log write while the flag is clear.
__EXPORT VOID WINAPI ControlProcLog(BOOL BeActive) {
    LogProc = BeActive;
}
//-----------------------------
// Hook table consumed by the ApiHooks engine (layout defined in ApiHooks.h).  Entry 0
// starts as a HOOK_RAW | HOOK_HARD hook whose trampoline pointer is
// OldRealCreateProcessA and whose replacement is NewRealCreateProcessA; DllMain fills
// in the target address and may switch the entry to the Win32-internal pair instead.
// Only the ModuleImport, HookAddress and ApiNameOrOrd fields are assigned here; what
// the other positions mean is not visible in this file.
__EXPORT API_HOOK ApiHookChain[2] = {
{NULL, NULL, HOOK_RAW | HOOK_HARD, &OldRealCreateProcessA, NULL, NewRealCreateProcessA},
{HOOKS_END}
};
// Set on the first DllMain call so the kernel32 probing runs only once per process.
BOOL Initialized = FALSE;
// DLL entry point.  On the first call -- whatever ul_reason_for_call is -- it locates
// the routine to hook by reading code bytes around GetStartupInfoA and fills in
// ApiHookChain[0] for the hook engine.  Returns FALSE, which fails the load on
// DLL_PROCESS_ATTACH, when the expected byte pattern is not found.  The address
// arithmetic casts code pointers to DWORD, so this is 32-bit-only code.  hModule and
// lpReserved are unused.
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
if(!Initialized) {
Initialized = TRUE;
// View the entry of GetStartupInfoA as an array of DWORDs so the bytes just before
// it can be read.
PDWORD GSIA = (PDWORD)GetStartupInfoA;
// Signature check on the four bytes two DWORDs before the entry.  Which kernel32
// build(s) produce this pattern is not recorded; any other build fails the load.
if(*(GSIA-2) == 0xE95F08C4) {
// Looks like rel32 decoding: the DWORD immediately before the entry is added to the
// entry address, then 0x74 bytes are skipped.  Both offsets are tied to one kernel32
// layout (assumption -- confirm against the build this was written for).
PBYTE CPA = (PBYTE)(*(GSIA-1))+(DWORD)GSIA+0x74;
// Scan up to 0x12 bytes for a 0xE8 opcode (x86 CALL rel32).
for(DWORD i=0x0; i<0x12; i++)
if(*(CPA+i) == 0xE8) {
// Point GSIA just past the 5-byte CALL so the same "displacement + next
// instruction" sum below resolves the CALL's target, and switch entry 0 to the
// internal routine's trampoline / replacement pair.
GSIA = (PDWORD)(CPA+i+1+4);
ApiHookChain[0].ModuleImport = (LPCSTR)&OldCreateProcessWin32;
ApiHookChain[0].HookAddress = NewCreateProcessWin32;
break;
}
// Presumably HOOK_RAW means the name field carries a raw code address: here the
// rel32 just before GSIA added to GSIA itself.
ApiHookChain[0].ApiNameOrOrd = (LPCSTR)((*(GSIA-1))+(DWORD)GSIA);
return(TRUE);
}
else
return(FALSE);
}
// Every later call (thread attach/detach, process detach) returns FALSE; the return
// value is only meaningful to the loader for DLL_PROCESS_ATTACH.
return(FALSE);
}