;@goto translate
;
; InFilter2DLL - API-hook DLL built on the project's ApiHooks library
; (ApiHooks.inc / iApiHooks.lib, not visible in this file).
;
; The file is a MASM/batch polyglot: cmd.exe executes the first line and jumps
; to the :translate label after END, while ML assembles everything up to END.
; Three DLLs are produced from this one source, selected by a /D define:
;   AMETHOD - static hook table (BeginHooks/EndHooks) plus a DllMain
;   BMETHOD - no entry point; the exported Entry PROC installs/removes hooks
;   CMETHOD - hooks installed from DllMain via HookApi, nothing exported
;
; What it does: NtCreateThread and CsrClientCallServer are hooked in the host
; process; the hooks detect the first thread of a newly created child process
; and then load this same DLL (path kept in PathHooks) into that child, so the
; hooks follow every descendant. The loading itself is done by the ApiHooks
; library (EstablishApiHooksTime / LoadAndCall) and is not visible here.


.586P

.MODEL           FLAT, STDCALL

   OPTION        CASEMAP: NONE

   INCLUDE       WINDOWS.inc
   ; ANSI build; set before APIMACRO.mac is included (presumably the macros
   ; pick the A/W API variants from it - confirm in APIMACRO.mac).
   UNICODE       = FALSE
   INCLUDE       APIMACRO.mac

   INCLUDELIB    iKERNEL32.lib
   INCLUDELIB    iUSER32.lib
   INCLUDELIB    iNTDLL.lib
   INCLUDELIB    iApiHooks.lib

   INCLUDE       ApiHooks.inc


.DATA?
 ; Local definition of the native PROCESS_BASIC_INFORMATION record and the
 ; matching NtQueryInformationProcess information class (0); presumably
 ; WINDOWS.inc does not provide them.
 PROCESS_BASIC_INFORMATION  STRUCT
  ExitStatus        DWORD ? 
  PebBaseAddress    DWORD ?
  AffinityMask      DWORD ?
  BasePriority      DWORD ?
  UniqueProcessId   DWORD ?
  InheritedFromUniqueProcessId DWORD ?
 PROCESS_BASIC_INFORMATION  ENDS

 ProcessBasicInformation = 0

   ; pbi  - queried by NewNtCreateThread before the original call runs
   ;        (UniqueProcessId is still 0 for a process without a thread)
   ; pbi2 - queried after it; UniqueProcessId then carries the child's PID and
   ;        is consumed by NewCsrClientCallServer.
   ; NOTE(review): both are plain globals with no locking, so two host threads
   ; creating processes at the same time would race on them.
   pbi        PROCESS_BASIC_INFORMATION <>
   pbi2       PROCESS_BASIC_INFORMATION <>


IFNDEF AMETHOD
   ; First dword receives this DLL's own base (set in DllMain / Entry) and is
   ; passed to HookApi; presumably modules listed here are left unhooked, with
   ; the second dword (zero, .DATA? is zero-filled) acting as terminator - confirm.
   ExcludeModules DWORD ?, ?   ;required in non EAH* methods only
ENDIF
   ; Full path of this DLL, filled by GetModuleFileName at attach / Entry time
   ; and handed to the loader helpers in NewCsrClientCallServer.
   PathHooks  SIGN  MAX_PATH DUP (?)
IFDEF BMETHOD
   ; Toggle: FALSE until Entry has installed the hooks, TRUE afterwards.
   Hooked     BYTE  ?          ;needed in Entry method only
ENDIF

.CODE

   ; Unhook records for the two hooked APIs. The MkUnhook macro presumably
   ; emits the symbols UnhookCsrClientCallServer / UnhookNtCreateThread that
   ; UnhookApi and HookApi reference below.
   MkUnhook   CsrClientCallServer, 1
   MkUnhook   NtCreateThread, 1

IFDEF AMETHOD                  ;static hooks, EAH* method
   ; A variant: static hook table keyed by the exported Entry symbol; the
   ; ApiHooks library installs it, no HookApi call appears in this file.
   BeginHooks Entry
   MkHook    ,NTDLL, NtCreateThread,      HOOK_BY_ADDRESS, KERNEL32
   MkHook    ,NTDLL, CsrClientCallServer, HOOK_BY_ADDRESS, KERNEL32
   EndHooks
ENDIF

   ; Zero-terminated name strings; the code below refers to them with an
   ; s prefix (sNTDLL, ...), so the TEXT macro presumably adds it.
   TEXT       NTDLL,               <NTDLL.dll/0>
   TEXT       KERNEL32,            <KERNEL32.dll/0>
   TEXT       NtCreateThread,      <NtCreateThread/0>
   TEXT       CsrClientCallServer, <CsrClientCallServer/0>
;required by all methods -------------------------------------------------
  ; UnhookApi - write the saved original 4 bytes back at every patched location
  ; listed in an unhook record (the records are emitted by MkUnhook above).
  ;   UnhStruc : pointer to the record. CurNoAddr is the entry count and
  ;              WhereWhat an array of ADDR_CONTENTS {ReturnWhere = patched
  ;              address, ReturnWhat = original dword} (layout from
  ;              ApiHooks.inc, not visible here - confirm).
  ;   No return value is defined; EAX holds whatever the last call left.
  ; NOTE(review): the parameter is typed PTR UNHOOK_API but ESI is ASSUMEd as
  ; PTR API_UNHOOK; both names must resolve to the same layout in ApiHooks.inc.
  ; NOTE(review): a failed VirtualProtect silently leaves that entry patched;
  ; nothing is reported to the caller.
  UnhookApi   PROC  USES EBX ESI EDI, UnhStruc: PTR UNHOOK_API
    MOV       ESI, UnhStruc
    ASSUME    ESI :PTR API_UNHOOK
    ; Walk the entries from the last one down to index 0.
    MOV       EBX, [ESI].CurNoAddr
   @@:
    DEC       EBX
    JL        UnhookFin
    MOV       EDI, [ESI].WhereWhat
    MOV       EDI, (ADDR_CONTENTS PTR [EDI][EBX*SIZEOF ADDR_CONTENTS]).ReturnWhere
    ; The pushed dword is the lpflOldProtect slot: the ESP argument is pushed
    ; first by the macro (right-to-left, assumed) and therefore still points at
    ; it when VirtualProtect runs.
    PUSH      EAX
    iWin32    VirtualProtect, EDI, 4, PAGE_READWRITE, ESP
    TEST      EAX, EAX
    POP       EDX                 ;EDX = previous protection (valid only if EAX != 0)
    JE        UnhookNext 
    MOV       EAX, [ESI].WhereWhat
    MOV       EAX, (ADDR_CONTENTS PTR [EAX][EBX*SIZEOF ADDR_CONTENTS]).ReturnWhat
    MOV       [EDI], EAX          ;restore the original 4 bytes
    PUSH      EAX
    iWin32    VirtualProtect, EDI, 4, EDX, ESP   ;put the previous protection back
    POP       EAX
   UnhookNext:
    JMP       @B
   UnhookFin:
    RET
  UnhookApi   ENDP
;-------------------------------------------------------------------------
IFNDEF BMETHOD
   ; DllMain - stdcall (hinstDLL, fdwReason, lpvReserved) entry point of the A
   ; and C variants (B is linked with /noentry, see the build section below).
   ; It is a bare label, not a PROC: the three arguments are read straight from
   ; the stack and released with RETN 12. Always returns TRUE.
   DllMain:
    CMP      DWORD PTR [ESP+8], DLL_PROCESS_ATTACH
    JNE      @F
    ; [ESP+12] is evaluated after the two later arguments have been pushed, so
    ; it denotes the original [ESP+4] = hinstDLL (assumes iWin32i pushes right
    ; to left - confirm in APIMACRO.mac). Stores this DLL's own path, which is
    ; what NewCsrClientCallServer later loads into child processes.
    iWin32i  GetModuleFileName, [ESP+12], OFFSET PathHooks, MAX_PATH
ENDIF
IFDEF CMETHOD
    ; C variant: hooks are installed here at attach time. ExcludeModules[0] is
    ; set to hinstDLL (this DLL's base) before being handed to HookApi.
    PUSH     [ESP+4]       ;exclude dll base 
    POP      ExcludeModules
    iWin32i  HookApi, sNTDLL, sNtCreateThread, HOOK_BY_ADDRESS, sKERNEL32,\
             OFFSET UnhookNtCreateThread, NewNtCreateThread, OFFSET ExcludeModules
    iWin32i  HookApi, sNTDLL, sCsrClientCallServer, HOOK_BY_ADDRESS, sKERNEL32,\
             OFFSET UnhookCsrClientCallServer, NewCsrClientCallServer, OFFSET ExcludeModules
ENDIF
IFNDEF BMETHOD
    JMP      RetSuccess
   @@:
    CMP      DWORD PTR [ESP+8], DLL_PROCESS_DETACH
    JNE      RetSuccess
    ; Detach: restore both patched APIs (also in the A variant, whose hooks
    ; were installed from the static table).
    sWin32   UnhookApi, OFFSET UnhookCsrClientCallServer
    sWin32   UnhookApi, OFFSET UnhookNtCreateThread
   RetSuccess:
    MOV      EAX, TRUE
    RETN     12

; Image entry point for END below; empty for the B variant.
Start EQU <DllMain>
ELSE
Start EQU <>
ENDIF

IFDEF BMETHOD
  ; Entry - B variant only; exported as ordinal 1 without a name (see the
  ; build section). The caller passes this DLL's base in EAX (it is used as a
  ; module handle below - confirm the calling side in the ApiHooks library).
  ;   First call : record the base in ExcludeModules and the DLL path in
  ;                PathHooks, install both hooks, return the base in EAX.
  ;   Later calls: remove both hooks and return NULL.
  ; NOTE(review): Hooked is set but never cleared, so every call after the
  ; first takes the unhook path again; UnhookApi then rewrites the original
  ; bytes a second time. Nothing serializes concurrent calls.
  PUBLIC     Entry
  Entry      PROC
    CMP      Hooked, FALSE
    JNE      EntryUnhook
    OR       Hooked, TRUE
    MOV      ExcludeModules, EAX
    iWin32i  GetModuleFileName, EAX, OFFSET PathHooks, MAX_PATH
    iWin32i  HookApi, sNTDLL, sNtCreateThread, HOOK_BY_ADDRESS, sKERNEL32,\
             OFFSET UnhookNtCreateThread, NewNtCreateThread, OFFSET ExcludeModules
    iWin32i  HookApi, sNTDLL, sCsrClientCallServer, HOOK_BY_ADDRESS, sKERNEL32,\
             OFFSET UnhookCsrClientCallServer, NewCsrClientCallServer, OFFSET ExcludeModules
    ; The calls above leave their own results in EAX; hand the base back.
    MOV      EAX, ExcludeModules
    JMP      EntryFin
   EntryUnhook:
    sWin32   UnhookApi, OFFSET UnhookCsrClientCallServer
    sWin32   UnhookApi, OFFSET UnhookNtCreateThread
    MOV      EAX, NULL  ;return NULL (like unloaded)
   EntryFin:
    RET    
  Entry      ENDP
ENDIF

  ; NewNtCreateThread - replacement for ntdll!NtCreateThread with the same eight
  ; stdcall parameters. Calls the original (the iWin32 NtCreateThread below is
  ; presumed to reach the original through the ApiHooks trampoline rather than
  ; re-enter this hook - confirm) and returns its NTSTATUS unchanged in EAX.
  ; Side effect: when this call created the first thread of a process (the
  ; process had no PID before the call, CreateSuspended is non-zero and both
  ; the query and the creation succeeded) the child's PID is left in
  ; pbi2.UniqueProcessId for NewCsrClientCallServer. The field is cleared on
  ; every call, so a stale PID does not survive an unrelated thread creation.
  NewNtCreateThread PROC lpThreadHandle, DesiredAccess, lpObjectAttributes,\
                         ProcessHandle, lpClientId, lpInitialContext,\
                         lpUserStackDescriptor, CreateSuspended
    AND      pbi2.UniqueProcessId, 0 
    ; Snapshot before the thread exists; for a fresh process UniqueProcessId
    ; is still 0 (see the comment on the CMP below).
    iWin32   NtQueryInformationProcess, ProcessHandle, ProcessBasicInformation,\
                         OFFSET pbi, SIZEOF pbi, NULL
    PUSH     EAX                     ;status of the query
    iWin32   NtCreateThread, lpThreadHandle, DesiredAccess, lpObjectAttributes,\
                         ProcessHandle, lpClientId, lpInitialContext,\
                         lpUserStackDescriptor, CreateSuspended
    POP      ECX                     ;ECX = query status
    PUSH     EAX         
    ; The original's status stays on the stack and is the return value.
    TEST     ECX, ECX
    JL       @F                      ;query failed (negative NTSTATUS)
    TEST     EAX, EAX
    JL       @F                      ;thread creation failed
    CMP      CreateSuspended, FALSE
    JE       @F                      ;only a suspended first thread is of interest
    CMP      pbi.UniqueProcessId, 0 ;new process hasn't ID before 1st thread creation
    JNE      @F  
    ; Query again: the process now has a PID; it lands in pbi2.UniqueProcessId.
    iWin32   NtQueryInformationProcess, ProcessHandle, ProcessBasicInformation,\
                         OFFSET pbi2, SIZEOF pbi2, NULL
   @@:
    POP      EAX
    RET
  NewNtCreateThread ENDP

  ; NewCsrClientCallServer - replacement for ntdll!CsrClientCallServer.
  ; Forwards to the original and returns its result in EAX. In addition, when
  ; dwCommand is 10000H (the CSR API number checked; its meaning is not stated
  ; in this file), the dword at lpStruc+20H is non-negative (read as a status
  ; field - confirm against the message layout) and NewNtCreateThread has left
  ; a child PID in pbi2.UniqueProcessId, the ApiHooks library is asked to load
  ; this DLL (PathHooks) into that child. The helper and its trailing
  ; arguments differ per variant (10000 / 1,1 / 1,NULL); they are documented in
  ; ApiHooks.inc, not here.
  ; NOTE(review): pbi2.UniqueProcessId is not cleared after use; it is only
  ; reset by the next NtCreateThread call.
  NewCsrClientCallServer  PROC  lpStruc, Par1, dwCommand, StrucSize
   iWin32    CsrClientCallServer, lpStruc, Par1, dwCommand, StrucSize
   CMP       dwCommand, 10000H
   JNE       @F
   MOV       EDX, lpStruc  
   CMP       DWORD PTR [EDX+20H], 0
   JL        @F                      ;negative: treated as a failed request
   MOV       ECX, pbi2.UniqueProcessId
   JECXZ     @F                      ;no child PID recorded
   PUSH      EAX                     ;keep the original call's return value
   ; ECX (child PID) is pushed as an argument by the macro before any call
   ; can clobber it.
IFDEF AMETHOD 
   iWin32i   EstablishApiHooksTime, OFFSET PathHooks, ECX, 10000 
ENDIF
IFDEF BMETHOD 
   iWin32i   LoadAndCall, OFFSET PathHooks, ECX, 1, 1 
ENDIF
IFDEF CMETHOD 
   iWin32i   LoadAndCall, OFFSET PathHooks, ECX, 1, NULL
ENDIF
   POP       EAX    
  @@:
   RET 
  NewCsrClientCallServer ENDP

END Start

:translate
@echo off
REM Build section, reached via the goto on the first line; ML never sees it
REM because assembly stops at END. The same file is assembled three times with
REM a different /D define and linked into one DLL per variant:
REM   A: Infilter2A.dll - DllMain entry, Entry exported as ordinal 1 (NONAME)
REM   B: Infilter2B.dll - /noentry, Entry exported as ordinal 1 (NONAME)
REM   C: Infilter2C.dll - DllMain entry, nothing exported
REM Hardening note: all three images are linked at a fixed base with .rdata
REM merged into a .text section marked EWR, i.e. the code section is writable
REM as well as executable (presumably required by the hook library's in-place
REM patching - confirm). No option here opts into DEP/ASLR-style mitigations.
REM The suppressed linker warnings (4078 section attribute mismatch, 4086
REM entry point signature - MS LINK codes, if eLINK forwards to LINK) follow
REM directly from the merged section and from DllMain being a bare label.
ML   /c /coff /nologo /DAMETHOD InFilter2DLL.bat
eLINK InFilter2DLL /OUT:Infilter2A.dll /dll /nologo /optidata /section:.text,EWR /export:Entry,@1,NONAME /base:0x37280000 /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /IGNORE:4078,4086
ML   /c /coff /nologo /DBMETHOD InFilter2DLL.bat
eLINK InFilter2DLL /OUT:Infilter2B.dll /noentry /dll /nologo /optidata /section:.text,EWR /export:Entry,@1,NONAME /base:0x37280000 /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /IGNORE:4078
ML   /c /coff /nologo /DCMETHOD InFilter2DLL.bat
eLINK InFilter2DLL /OUT:Infilter2C.dll /dll /nologo /optidata /section:.text,EWR /base:0x37280000 /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /IGNORE:4078,4086
REM Remove the shared object file and the import/export artifacts of all variants.
DEL  InFilter2DLL.obj
DEL  InFilter2?.lib >NUL
DEL  InFilter2?.exp >NUL
PAUSE
CLS
