 pbi: TPI;
 dwDupCP: DWord;
begin
 Result:=0;
 if IsWin9x then Exit;
 @NtQueryInformationProcess:=GetProcAddress(GetModuleHandle('ntdll.dll'),'NtQueryInformationProcess');
 if (@NtQueryInformationProcess<>nil) then
   if DuplicateHandle(GetCurrentProcess, dwProcessHandle, GetCurrentProcess, @dwDupCP, PROCESS_ALL_ACCESS, False, 0) then begin
     if NtQueryInformationProcess(dwDupCP,0,@pbi,SizeOf(pbi),nil)=0 then
       Result:=pbi.UniqueProcessId;
     CloseHandle(dwDupCP);
   end;
end;
(******************************************************************************)
{ Computes the rel32 displacement for a 5-byte E8/E9 (CALL/JMP rel32)
  instruction located at Src that must transfer control to Dest.
  The displacement is taken from the end of the instruction (Src+5).
  A backwards target (Dest<Src) yields the two's-complement displacement in
  the 32-bit result; the arithmetic deliberately relies on DWORD wrap-around,
  so this must be compiled without range/overflow checking. }
function CalcJump(Src,Dest:DWORD):DWORD;
var
 Distance: DWORD;
begin
 if Dest<Src then begin
  // Backwards: ($FFFFFFFF - gap) is -gap-1, subtracting 4 more gives -gap-5,
  // i.e. the displacement measured from the end of the 5-byte instruction.
  Distance:=Src-Dest;
  Result:=($FFFFFFFF-Distance)-4;
 end else begin
  // Forwards: gap minus the instruction length.
  Distance:=Dest-Src;
  Result:=Distance-5;
 end;
end;
(******************************************************************************)
{ Loads DllPath into another process: writes the path and a small stub
  (LoadOpCodes, declared outside this excerpt) into one RWX page of the target
  and starts the stub with CreateRemoteThread.
  PID_or_PHD is first treated as a process id; if OpenProcess fails the value
  is reused verbatim as if it were an already-open process handle.
  Returns True once the stub has been written, even if CreateRemoteThread
  failed (Thread=0 is not checked) and regardless of whether the DLL actually
  loaded inside the target. }
function InjectDll(DllPath:string; PID_or_PHD:DWORD):Boolean;
var
 Bytes,Process,Thread,ThreadId: DWORD;
 Params: Pointer;
 LodLib,Slp,St: DWORD;
begin
 Result:=False;
 // Remote-thread injection needs NT-family APIs; refused on Win9x.
 if (IsWin9x) or (DllPath='') then Exit;
 // The local addresses of LoadLibraryA/Sleep are reused inside the target,
 // which only works if kernel32 is mapped at the same base in both processes
 // — assumed here, TODO confirm for the OS versions in scope.
 LodLib:=DWORD(GetProcAddress(GetModuleHandle('kernel32'),'LoadLibraryA'));
 Slp:=DWORD(GetProcAddress(GetModuleHandle('kernel32'),'Sleep'));
 // NOTE(review): @Slp and @LodLib are the addresses of the local variables and
 // are never nil, so a failed GetProcAddress is not detected here; the
 // intended test is (Slp=0) or (LodLib=0).
 if (@Slp=nil) or (@LodLib=nil) then Exit;
 Process:=OpenProcess(PROCESS_ALL_ACCESS,False,PID_or_PHD);
 // NOTE(review): when OpenProcess fails (e.g. access denied) the PID is
 // reinterpreted as a handle value of *this* process; if that value happens
 // to be a process handle the caller owns, it is injected into and closed
 // at the end of this routine.
 if Process=0 then Process:=PID_or_PHD;
 // One zero-filled RWX page in the target holds the path followed by the stub.
 // NOTE(review): Process is not closed on this early exit (handle leak).
 Params:=VirtualAllocEx(Process,nil,$1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
 if Params=nil then Exit;
 // The path is written without its terminator; the byte after it is still
 // zero from the fresh commit and serves as the NUL.
 WriteProcessMemory(Process,Params,Pchar(DLLPath),Length(DllPath),Bytes);
 // The stub starts right after the NUL-terminated path.
 St:=Integer(Params)+Length(DllPath)+1;
 // Patch the unit-global stub in place: the imm32 at +1 is the path pointer,
 // the rel32 at +6 (instruction at St+5) targets LoadLibraryA, the rel32 at
 // +17 (instruction at St+16) targets Sleep.  The offsets depend on the
 // layout of LoadOpCodes, which is not visible here.  Patching a shared
 // global makes this routine non-reentrant.
 DWORD(Pointer(DWORD(@LoadOpCodes)+1)^):=DWORD(Params);
 DWORD(Pointer(DWORD(@LoadOpCodes)+6)^):=CalcJump(St+5,LodLib);
 DWORD(Pointer(DWORD(@LoadOpCodes)+17)^):=CalcJump(St+16,Slp);
 // NOTE(review): neither WriteProcessMemory result is checked; a short write
 // still leads to CreateRemoteThread on incomplete code.
 WriteProcessMemory(Process,Pointer(St),@LoadOpCodes,SizeOf(LoadOpCodes),Bytes);
 Thread:=CreateRemoteThread(Process,nil,0,Pointer(St),nil,0,ThreadId);
 if Thread<>0 then CloseHandle(Thread);
 // Closes whatever Process holds — including a caller-supplied handle.
 CloseHandle(Process);
 // The remote page is never released; it stays mapped in the target.
 Result:=True;
end;
(******************************************************************************)
{ Counterpart of InjectDll: writes DllName and a stub (FreeOpCodes, declared
  outside this excerpt) into the target and runs it on a remote thread; the
  stub is wired to GetModuleHandleA and FreeLibrary, i.e. it drops one
  reference on the module named DllName.  DllName is a module name as
  GetModuleHandleA expects it, not necessarily the path used for injection.
  PID_or_PHD handling and the return value follow InjectDll exactly: True
  means the stub was written, not that the module was unloaded. }
function UnInjectDll(DllName:string; PID_or_PHD:DWORD):Boolean;
var
 Bytes,Process,Thread,ThreadId: DWORD;
 Params: Pointer;
 FreeLib,GetMod,St: DWORD;
begin
 Result:=False;
 if (IsWin9x) or (DllName='') then Exit;
 // Local kernel32 addresses are reused in the target (same-base assumption
 // as in InjectDll — TODO confirm).
 FreeLib:=DWORD(GetProcAddress(GetModuleHandle('kernel32'),'FreeLibrary'));
 GetMod:=DWORD(GetProcAddress(GetModuleHandle('kernel32'),'GetModuleHandleA'));
 // NOTE(review): @FreeLib/@GetMod are addresses of locals, never nil; the
 // intended check is (FreeLib=0) or (GetMod=0).
 if (@FreeLib=nil) or (@GetMod=nil) then Exit;
 Process:=OpenProcess(PROCESS_ALL_ACCESS,False,PID_or_PHD);
 // NOTE(review): same PID-as-handle fallback as InjectDll, with the same risk
 // of acting on (and closing) an unrelated handle of this process.
 if Process=0 then Process:=PID_or_PHD;
 // NOTE(review): Process is leaked on this early exit.
 Params:=VirtualAllocEx(Process,nil,$1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
 if Params=nil then Exit;
 // Name written without terminator; the zero-filled page supplies the NUL.
 WriteProcessMemory(Process,Params,Pchar(DLLName),Length(DllName),Bytes);
 St:=Integer(Params)+Length(DllName)+1;
 // Patch the unit-global stub: imm32 at +1 = name pointer; rel32 at +6
 // (instruction at St+5) -> GetModuleHandleA; rel32 at +19 (instruction at
 // St+18) -> FreeLibrary.  Offsets depend on FreeOpCodes' layout (not
 // visible here); patching the global is not reentrant.
 DWORD(Pointer(DWORD(@FreeOpCodes)+1)^):=DWORD(Params);
 DWORD(Pointer(DWORD(@FreeOpCodes)+6)^):=CalcJump(St+5,GetMod);
 DWORD(Pointer(DWORD(@FreeOpCodes)+19)^):=CalcJump(St+18,FreeLib);
 // NOTE(review): write results are not checked.
 WriteProcessMemory(Process,Pointer(St),@FreeOpCodes,SizeOf(FreeOpCodes),Bytes);
 Thread:=CreateRemoteThread(Process,nil,0,Pointer(St),nil,0,ThreadId);
 if Thread<>0 then CloseHandle(Thread);
 CloseHandle(Process);
 // The remote page is never freed.
 Result:=True;
end;
(******************************************************************************)
{ Installs an inline hook on ModName!ApiName; if the export cannot be resolved
  the raw FuncAddr is hooked instead.  The first whole instructions of the
  target (enough to cover at least 6 bytes) are copied into a fresh RWX page
  returned in MainApi, terminated with "push <resume address>; ret", so that
  calling MainApi behaves like the unhooked API.  The target's entry is then
  overwritten with "push HookedApi; ret" (68 imm32 C3, 6 bytes).
  Returns False if the target cannot be resolved, if exactly this hook is
  already installed, or if allocation / protection changes fail.
  NOTE(review):
   * The two early exits after VirtualProtect (already hooked, VirtualAlloc
     failed) leave the target page PAGE_EXECUTE_READWRITE; the original
     protection is not restored.
   * Only a rel32 CALL/JMP that is the *first* copied instruction is
     relocated.  Any other IP-relative instruction inside the copied span
     (short Jcc/JMP, a later CALL) is copied verbatim and will branch to the
     wrong address when executed from the trampoline.
   * The copy loop trusts OpCodeLength without an upper bound; its
     unknown-opcode path produces a very large count, which would overrun the
     $1000-byte trampoline.
   * The target is patched while other threads may be executing it; nothing
     suspends them and FlushInstructionCache is not called. }
function ApiHook(ModName,ApiName:Pchar; FuncAddr,HookedApi:Pointer; var MainApi:Pointer):Boolean;
var
 dwCount,Cnt,i,Jmp: DWORD;
 P: Pointer;
 hMod,OldP,TMP: Cardinal;
begin
 Result:=False;
 if IsWin9x then Exit;
 hMod:=GetModuleHandle(ModName);
 // Maps the module into this process if it is not loaded yet; never freed.
 if hMod=0 then hMod:=LoadLibrary(ModName);
 P:=GetProcAddress(hMod,ApiName);
 if P=nil then P:=FuncAddr;
 if (P=nil) or (HookedApi=nil) then Exit;
 // $40 bytes of the target are made writable+executable for the patch.
 if not VirtualProtect(P,$40,PAGE_EXECUTE_READWRITE,@OldP) then Exit;
 // Already detoured to this HookedApi: refuse (protection is NOT restored).
 if ((Byte(P^)=$68) and (DWORD(Pointer(DWORD(P)+1)^)=DWORD(HookedApi))) then Exit;
 MainApi:=VirtualAlloc(nil,$1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
 if MainApi=nil then Exit;
 // Copy whole instructions until at least 6 bytes (the size of the push/ret
 // detour written below) are covered.  Each pass re-copies from offset 0.
 Cnt:=0;
 for dwCount:=0 to $3F do begin
  Inc(Cnt,OpCodeLength(DWORD(P)+Cnt));
  for i:=0 to Cnt-1 do Pchar(MainApi)[i]:=Pchar(P)[i];
  if Cnt>5 then Break;
 end;
 // Trampoline tail: push (P+Cnt); ret -> resume in the original right after
 // the saved bytes.  The trailing $99 is a marker that ApiUnHook searches
 // for to find the end of the saved instructions.
 Pchar(MainApi)[Cnt]:=Char($68);
 DWORD(Pointer(DWORD(MainApi)+Cnt+1)^):=DWORD(P)+Cnt;
 Pchar(MainApi)[Cnt+5]:=Char($C3);
 Pchar(MainApi)[Cnt+6]:=Char($99);
 // If the first saved instruction is a 5-byte CALL (E8) or JMP (E9), recover
 // its absolute target and re-encode the displacement relative to the
 // trampoline so it still lands in the right place.
 if (OpCodeLength(DWORD(MainApi))=5) and ((Byte(MainApi^)=$E8) or (Byte(MAinApi^)=$E9)) then begin
  Jmp:=DWORD(P)+DWORD(Pointer(DWORD(MainApi)+1)^)+5;
  DWORD(Pointer(DWORD(MainApi)+1)^):=CalcJump(DWORD(MainApi),Jmp);
 end;
 // Detour: push HookedApi; ret.
 Pchar(P)[0]:=Char($68);
 DWORD(Pointer(DWORD(P)+1)^):=DWORD(HookedApi);
 Pchar(P)[5]:=Char($C3);
 VirtualProtect(P,$40,OldP,@TMP);
 Result:=True;
end;
(******************************************************************************)
{ Removes a hook installed by ApiHook.  Verifies that the target still begins
  with "push HookedApi" (68 <HookedApi>), copies the saved instructions back
  from the MainApi trampoline up to the C3 99 marker, re-encodes a leading
  rel32 CALL/JMP for its original location, restores page protection and
  frees the trampoline.  Returns False if the target cannot be resolved or
  is not currently detoured to HookedApi.
  NOTE(review):
   * The "not hooked" exit happens after VirtualProtect and leaves the page
     RWX.
   * The trampoline is released but the caller's MainApi variable is not set
     to nil, so a repeated call with the same value reads freed memory.
   * Nothing synchronises with other threads: one that is currently inside
     the trampoline faults when the page is freed.
   * The marker search stops early if the saved bytes themselves contain
     C3 99 at an instruction boundary. }
function ApiUnHook(ModName,ApiName:Pchar; FuncAddr,HookedApi:Pointer; var MainApi:Pointer):Boolean;
var
 dwCount,Cnt,i,Jmp: DWORD;
 P: Pointer;
 hMod,OldP,TMP: Cardinal;
begin
 Result:=False;
 if IsWin9x then Exit;
 // Unlike ApiHook there is no LoadLibrary fallback: the module must be mapped.
 hMod:=GetModuleHandle(Pchar(ModName));
 P:=GetProcAddress(hMod,Pchar(ApiName));
 if P=nil then P:=FuncAddr;
 if (P=nil) or (MainApi=nil) or (HookedApi=nil) then Exit;
 if not VirtualProtect(P,$40,PAGE_EXECUTE_READWRITE,@OldP) then Exit;
 // Refuse unless the entry is exactly our push/ret detour for HookedApi.
 if ((Byte(P^)<>$68) or (DWORD(Pointer(DWORD(P)+1)^)<>DWORD(HookedApi))) then Exit;
 // Walk the trampoline one instruction at a time.  ApiHook placed
 // "push resume; ret; $99" after the saved bytes, so the walk stops on the
 // C3 99 pair; each pass copies everything before the current offset back
 // over the target, the last pass restoring all saved bytes.
 Cnt:=0;
 for dwCount:=0 to $3F do begin
  Inc(Cnt,OpCodeLength(DWORD(MainApi)+Cnt));
  if (Byte(Pointer(DWORD(MainApi)+Cnt)^)=$C3) and (Byte(Pointer(DWORD(MainApi)+Cnt+1)^)=$99) then Break;
  for i:=0 to Cnt-1 do Pchar(P)[i]:=Pchar(MainApi)[i];
 end;
 // Undo ApiHook's relocation of a leading rel32 CALL/JMP: derive the absolute
 // target from the trampoline copy and re-encode it relative to P.
 if (OpCodeLength(DWORD(P))=5) and ((Byte(P^)=$E8) or (Byte(P^)=$E9)) then begin
  Jmp:=DWORD(MainApi)+DWORD(Pointer(DWORD(MainApi)+1)^)+5;
  DWORD(Pointer(DWORD(P)+1)^):=CalcJump(DWORD(P),Jmp);
 end;
 VirtualProtect(P,$40,OldP,@TMP);
 // MainApi is left dangling after this.
 VirtualFree(MainApi,0,MEM_RELEASE);
 Result:=True;
end;
(******************************************************************************)
{ Calls InjectDll for every process in a Toolhelp snapshot and returns how
  many of those calls reported success.
  NOTE(review): there is no filtering — the list includes PID 0 and 4, csrss
  and other protected/system processes, and the calling process itself.
  Because InjectDll falls back to treating the PID as a handle value of this
  process when OpenProcess fails, and NT PIDs and handle values are typically
  both small multiples of four, a denied PID can collide with one of this
  process's own handles; if that handle is a process handle InjectDll injects
  into it and closes it.  The returned count only means "stub written":
  InjectDll does not verify that the remote thread or LoadLibrary succeeded. }
function InjectAllProc(DllPath:string):Integer;
var
 hSnapP: THandle;
 ProcInfo: ProcessEntry32;
begin
 Result:=0;
 hSnapP:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
 if hSnapP=INVALID_HANDLE_VALUE then Exit;
 // Process32First requires dwSize to be initialised.
 ProcInfo.dwSize:=SizeOf(ProcessEntry32);
 if Process32First(hSnapP,ProcInfo) then
 repeat
  if InjectDll(DllPath,ProcInfo.th32ProcessID) then Inc(Result);
 until not Process32Next(hSnapP,ProcInfo);
 CloseHandle(hSnapP);
end;
(******************************************************************************)
{ Calls UnInjectDll for every process in a Toolhelp snapshot and returns how
  many calls reported success.  Despite the parameter name, UnInjectDll
  passes the string to GetModuleHandleA, so DllPath should be whatever that
  call will match.
  NOTE(review): same unfiltered enumeration and PID-as-handle hazard as
  InjectAllProc; a successful count only means the stub was written. }
function UnInjectAllProc(DllPath:string):Integer;
var
 hSnapP: THandle;
 ProcInfo: ProcessEntry32;
begin
 Result:=0;
 hSnapP:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
 if hSnapP=INVALID_HANDLE_VALUE then Exit;
 // Process32First requires dwSize to be initialised.
 ProcInfo.dwSize:=SizeOf(ProcessEntry32);
 if Process32First(hSnapP,ProcInfo) then
 repeat
  if UnInjectDll(DllPath,ProcInfo.th32ProcessID) then Inc(Result);
 until not Process32Next(hSnapP,ProcInfo);
 CloseHandle(hSnapP);
end;
(******************************************************************************)
{ Reads the CPU time-stamp counter.  0Fh 31h is the RDTSC encoding; the
  instruction leaves the 64-bit counter in EDX:EAX, which is also where a
  Delphi Int64 result is returned, so no further moves are needed.
  NOTE(review): on multi-core or power-managed systems the TSC is not
  guaranteed to be synchronised between cores or constant-rate, so deltas
  are only approximate. }
function RDTSC: Int64; assembler;
asm
  DB 0fh ,031h   // rdtsc
end;
(******************************************************************************)
{ Timing probe used by the initialization section: sleeps 100 ms and checks
  that both the TSC (RDTSC) and GetTickCount advanced by roughly that much.
  Returns True when fewer than 50,000,000 TSC ticks or fewer than 50 ms of
  tick count elapsed, which the author treats as a sign of an emulated
  environment.
  NOTE(review): 50M ticks in 100 ms assumes a TSC rate of at least 500 MHz;
  on slow or throttled CPUs, or VMs whose TSC advances more slowly, this
  misfires and — via the initialization section — terminates the host
  process.  It also adds a 100 ms stall to every load of the unit.  From a
  defensive standpoint, a Sleep/RDTSC pair at unit load is itself a
  recognisable pattern. }
function IsHeuristicScan:Boolean;
var
 Tm1,Tm2: Int64;
 Tc1,Tc2: DWORD;
begin
 // Method by: Magic_h2001
 Tm1:=RDTSC;
 Tc1:=GetTickCount;
 Sleep(100);
 // Tm2/Tc2 hold the elapsed deltas, not absolute readings.
 Tm2:=RDTSC-Tm1;
 Tc2:=GetTickCount-Tc1;
 Result:=(Tm2<50000000) or (Tc2<50);
end;
(******************************************************************************)
{ Length disassembler for 32-bit x86: returns the size in bytes of the single
  instruction that starts at Address, prefixes included.  ApiHook/ApiUnHook
  rely on it to copy whole instructions into and out of the trampoline.

  How it works: an opcode-class table is pushed onto the stack below the
  pushad frame (the run of push instructions below), one nibble-packed byte
  per entry — high nibble = how many consecutive opcodes share the entry,
  low nibble = one of the O_* classes.  The scan at @@ft subtracts run lengths
  from the opcode byte until it underflows; the entry that caused the
  underflow supplies the class, which then drives the byte counting in edx.
  The table for two-byte (0Fh) opcodes lies 51h bytes further up
  ('add edi, 51h').  ecx counts prefix bytes so the 'repnz scasb' probes can
  check whether a 66h (operand-size) or 67h (address-size) prefix was seen.
  The table layout resembles published length-disassembler engines; the
  individual entries were not re-verified in this review.

  NOTE(review): for an unknown opcode (O_ERROR) edx is overwritten with a
  value popped from the table and inverted — a large garbage count, not an
  error code.  Callers that loop on the result (ApiHook copies that many
  bytes into a $1000-byte buffer) must treat implausible values as failure.
  cdecl: the caller removes the argument. }
function OpCodeLength(Address:DWORD):DWORD; cdecl; assembler;
const
  O_UNIQUE = 0;
  O_PREFIX = 1;
  O_IMM8 = 2;
  O_IMM16 = 3;
  O_IMM24 = 4;
  O_IMM32 = 5;
  O_IMM48 = 6;
  O_MODRM = 7;
  O_MODRM8 = 8;
  O_MODRM32 = 9;
  O_EXTENDED = 10;
  O_WEIRD = 11;
  O_ERROR = 12;
asm
	// Save everything; the result is handed back through this frame at the end.
	pushad
	cld
	// edx = byte count, esi = instruction cursor.
	xor	edx, edx
	mov esi, Address
	// ebp remembers the stack top so the pushed table can be discarded later.
 	mov	ebp, esp
	// Nibble-packed class table, pushed last-entry-first: the final push holds
	// the entries for the lowest opcode values.
	push	1097F71Ch
	push	0F71C6780h
	push	17389718h
	push	101CB718h
	push	17302C17h
	push	18173017h
	push	0F715F547h
	push	4C103748h
	push	272CE7F7h
	push	0F7AC6087h
	push	1C121C52h
	push	7C10871Ch
	push	201C701Ch
	push	4767602Bh
	push	20211011h
	push	40121625h
	push	82872022h
	push	47201220h
	push	13101419h
	push	18271013h
	push	28858260h
	push	15124045h
	push	5016A0C7h
	push	28191812h
	push	0F2401812h
	push	19154127h
	push	50F0F011h
	mov	ecx, 15124710h
	push	ecx
	push	11151247h
	push	10111512h
	push	47101115h
	mov	eax, 12472015h
	push	eax
	push	eax
	push	12471A10h
	add	cl, 10h
	push	ecx
	sub	cl, 20h
	push	ecx
	// ecx = number of prefix bytes seen (becomes 0 on the first pass of @@ps).
	xor	ecx, ecx
	dec	ecx
@@ps:
	// One more prefix consumed; restart the lookup at the base of the table.
	inc  ecx
	mov  edi, esp
@@go:
	// Fetch the next opcode byte; bh keeps a raw copy for the width checks.
	lodsb
	mov  bh, al
@@ft:
	// Run-length lookup: subtract each entry's count until the byte underflows.
	mov  ah, [edi]
	inc  edi
	shr  ah, 4
	sub  al, ah
	jnc  @@ft
	// Low nibble of the matching entry is the operand class.
	mov	al, [edi-1]
	and	al, 0Fh
	// Unknown opcode: edx is replaced by garbage (see header note).
	cmp  al, O_ERROR
	jnz  @@i7
	pop	edx
	not	edx
@@i7:
	// Count the opcode (or prefix) byte itself.
	inc	edx
	cmp	al, O_UNIQUE
	jz	@@t_exit
	cmp	al, O_PREFIX
	jz	@@ps
	// 0Fh escape: move to the second table and decode the next opcode byte.
	add  edi, 51h
	cmp  al, O_EXTENDED
	jz   @@go
	// edi := Address (read back through the saved frame; offset presumes the
	// compiler's standard prologue) so the scasb probes below scan the prefixes.
		mov	edi, [ebp+((1+8)*4)+4]
@@i6:
    // Fall-through ladder: each label adds one byte; classes exit once their size is reached.
    inc  edx
    cmp  al, O_IMM8
    jz   @@t_exit
    cmp  al, O_MODRM
    jz   @@t_modrm
    cmp  al, O_WEIRD
    jz   @@t_weird
@@i5:
    inc  edx
    cmp  al, O_IMM16
    jz   @@t_exit
    cmp  al, O_MODRM8
    jz   @@t_modrm
@@i4:
    inc  edx
    cmp  al, O_IMM24
    jz   @@t_exit
@@i3:
    inc  edx
@@i2:
    // 4-byte immediate, shrunk to 2 bytes if a 66h prefix was seen.
    inc  edx
    pushad
    mov  al, 66h
    repnz scasb
    popad
    jnz  @@c32
@@d2:
    dec  edx
    dec  edx
@@c32:
    cmp  al, O_MODRM32
    jz   @@t_modrm
    sub  al, O_IMM32
    jz   @@t_imm32
@@i1:
    inc  edx
@@t_exit:
    jmp @@ASMEnded
@@t_modrm:
       // ModRM decoding: mod/rm fields, optional SIB and displacement size,
       // honouring a 67h address-size prefix.
       lodsb
       mov  ah, al
       shr  al, 7
       jb   @@prmk
       jz   @@prm
       add  dl, 4
       pushad
       mov  al, 67h
       repnz scasb
       popad
       jnz  @@prm
@@d3:  sub  dl, 3
       dec  al
@@prmk:jnz  @@t_exit
       inc  edx
       inc  eax
@@prm:
       and  ah, 00000111b
       pushad
       mov  al, 67h
       repnz scasb
       popad
       jz   @@prm67chk
       cmp  ah, 04h
       jz   @@prmsib
       cmp  ah, 05h
       jnz  @@t_exit
@@prm5chk:
       dec  al
       jz   @@t_exit
@@i42: add  dl, 4
       jmp  @@t_exit
@@prm67chk:
       cmp  ax, 0600h
       jnz  @@t_exit
       inc  edx
       jmp  @@i1
@@prmsib:
       cmp  al, 00h
       jnz  @@i1
       lodsb
       and  al, 00000111b
       sub  al, 05h
       jnz  @@i1
       inc  edx
       jmp  @@i42
@@t_weird:
       // Opcodes whose immediate depends on ModRM.reg: reg<>0 is a plain
       // ModRM form, reg=0 carries an immediate sized by the opcode's width
       // bit (the F6h/F7h TEST group fits this shape — presumably the intent).
       test byte ptr [esi], 00111000b
       jnz  @@t_modrm
       mov  al, O_MODRM8
       shr  bh, 1
       adc  al, 0
       jmp  @@i5
@@t_imm32:
       // moffs forms (A0h..A3h): the operand is an address whose size follows
       // the 67h prefix rather than 66h; everything else keeps the imm32 rule.
       sub  bh, 0A0h
       cmp  bh, 04h
       jae  @@d2
       pushad
       mov  al, 67h
       repnz scasb
       popad
       jnz  @@chk66t
@@d4:  dec  edx
       dec  edx
@@chk66t:
       pushad
       mov  al, 66h
       repnz scasb
       popad
       jz   @@i1
       jnz  @@d2
@@ASMEnded:
    // Discard the table, then store the count where popad will pick it up as
    // the EAX return value (exact slot depends on the compiler's frame layout).
    mov esp, ebp
    mov [result+(9*4)], edx
    popad
end;
(******************************************************************************)
{ Unit start-up: terminate the host process outright if the timing probe
  suggests an emulated environment, then resolve the Win32 entry points this
  unit uses at run time through GetProcAddress.
  NOTE(review): Halt here kills whatever program links this unit, silently,
  whenever IsHeuristicScan misfires (slow VM, TSC below ~500 MHz, coarse tick
  resolution) — a destructive side effect for a library unit.  The
  function-pointer variables assigned below are declared outside this
  excerpt; none of the GetProcAddress results is checked for nil, which holds
  in practice only because kernel32 exports all of these on NT systems —
  TODO confirm for the supported OS range. }
initialization
 if IsHeuristicScan then Halt; // aborts silently when the emulator probe fires (original note: "undetecting from Avs")
 @OpenProcess:=GetProcAddress(GetModuleHandle('kernel32'),'OpenProcess');
 @VirtualAllocEx:=GetProcAddress(GetModuleHandle('kernel32'),'VirtualAllocEx');
 @WriteProcessMemory:=GetProcAddress(GetModuleHandle('kernel32'),'WriteProcessMemory');
 @CreateRemoteThread:=GetProcAddress(GetModuleHandle('kernel32'),'CreateRemoteThread');
 @CreateToolhelp32Snapshot:=GetProcAddress(GetModuleHandle('kernel32'),'CreateToolhelp32Snapshot');
 @Process32First:=GetProcAddress(GetModuleHandle('kernel32'),'Process32First');
 @Process32Next:=GetProcAddress(GetModuleHandle('kernel32'),'Process32Next');

end.
