Created: 26 May 2011 06:22 · #1

InLine Hooker

Hello,
so today I want to release a kind of tool which I have made in the past. Maybe you sometimes have trouble unpacking some packer | protection which you want to patch, and in this case you can use some other tools like loaders etc., which have limited skills where you can just patch some single addresses etc., and in many cases loaders are not working or get detected, or you get trouble with some CRC checks etc. So this was also a reason for me to create this new tool, which is just a small exe with some code created directly in Olly. So the main tool is the InLine Hooker_Full.exe, which has 10 different API hooks enabled.

How does it work?
----------------------
InLine Hooker_Full.exe
+ Victim file [Add file as new section on the InLine Hooker_Full.exe]
+ User Patch [Write your patch into InLine Hooker_Full.exe at IBase+0DCDE]
Adding the real app is better to prevent file manipulation, so the file will always be created new if you execute your InLine Hooker. The newly created file is like the original file, so it's untouched, and you will see the difference if you start the newly created one alone.

----------------------
START OF USER PATCH
---------------------
0040DCB0 PUSHAD ; START OF USER PATCH!
0040DCB1 PUSHAD
0040DCB2 CALL 0040DCB7 ; InLine_H.0040DCB7
0040DCB7 POP EAX ;
0040DCB8 SUB EAX,3F07 ; Memsection START in EAX!
0040DCBD MOV EDI,EAX ; Memsection START to EDI,ESI,EBP,EBX!
0040DCBF MOV ESI,EAX
0040DCC1 MOV EBP,EAX
0040DCC3 MOV EBX,EAX
0040DCC5 MOV EDI,DWORD PTR DS:[EDI+68]
0040DCC8 ADD ESI,5C ; MEM START+5C = Free Address for VP old protect!
0040DCCB MOV EBP,DWORD PTR FS: ; TEB to EBP
0040DCD2 MOV EBP,DWORD PTR DS:[EBP+30] ; PEB to EBP
0040DCD6 MOV EBP,DWORD PTR DS:[EBP+8] ; ImageBase to EBP
0040DCDA NOP ; ImageBase in EBP
0040DCDB NOP ; MemStart+5C in ESI
0040DCDC NOP ; VirtualProtect in EDI
0040DCDD NOP ; EBP ESI EDI Keep the same!
0040DCDE MOV EBX,EBP ; ImageBase to EBX
0040DCE0 ADD EBX,1000 ; Add EBX 1000 = Codesection Start
0040DCE6 CMP DWORD PTR DS:[EBX],0FFFFFF ; CMP [Codesection] for XXX
0040DCEC JNZ SHORT 0040DCFC ; Jump if not equal
0040DCEE PUSH ESI ; Push MEMSEC+5C = Free DWORD Store!
0040DCEF PUSH 40 ; Push PageExeCute Read | Write! NewProtect
0040DCF1 PUSH 10 ; Push Bytes to New Protect!
0040DCF3 PUSH EBX ; Push Address Start to protect!
0040DCF4 CALL EDI ; Call VirtualProtect
0040DCF6 MOV DWORD PTR DS:[EBX],0FFFFFF ; Mov Patch to [Codesection]!
0040DCFC NOP
0040DCFD NOP
----------------

-------- Keep same ---
EBP 01000000 ImageBase
ESI 0009005C Mem START + 5C
EDI 7C801AD0 kernel32.VirtualProtect <--- VP API
-----------------

---------- MemoryBlock+5c in ESI -----------------------
0009005C 00000000 <-- location for VP old access store
00090060 7C800000 kernel32.7C800000
00090064 7C80AC28 kernel32.GetProcAddress
00090068 7C801AD0 kernel32.VirtualProtect
0009006C 7C801D77 kernel32.LoadLibraryA
00090070 77D10000 USER32.77D10000
00090074 66000000 MSVBVM60.66000000
00090078 77BE0000 msvcrt.77BE0000
0009007C 5F1A0000 olepro32.5F1A0000 <------- is ntdll.dll in ZW InLine Hooker!
00090080 7C80B529 kernel32.GetModuleHandleA
00090084 77C16F70 msvcrt.memcpy <--- Not hooked
00090088 7C812C8D kernel32.GetCommandLineA
0009008C 7C801EEE kernel32.GetStartupInfoA
00090090 7C8114AB kernel32.GetVersion
00090094 7C8017E5 kernel32.GetSystemTimeAsFileTime <------- is ntdll.ZwDelayExecution in ZW InLine Hooker!
00090098 6600357C MSVBVM60.ThunRTMain <--- Not hooked
0009009C 77C0537C msvcrt.__set_app_type
000900A0 77D288E1 USER32.DialogBoxParamA
The code above is just a small example template, so you can set any InLines you want from this address on. Also you can add many other patches too if you need, till the end, which is here....

0040DE54 61 POPAD
0040DE55 61 POPAD
0040DE56 C3 RETN
0040DE57 90 NOP
0040DE58 90 NOP
0040DE59 90 NOP
0040DE5A 90 NOP
0040DE5B 90 NOP
0040DE5C 90 NOP
0040DE5D 90 NOP
0040DE5E 90 NOP
0040DE5F - EB FE JMP SHORT 0040DE5F ; InLine_H.0040DE5F
0040DE61 - EB FE JMP SHORT 0040DE61 ; InLine_H.0040DE61
If you need more free space then just move this code deeper in the exe. The double EBFE bytes are the end marker for reading your patches. So I have tested it with different protections and it's working with most of them. I have also created four example files with four different protections + patches where you can see the difference, for you to test and check them.

The script which I have written for this tool you can use if you want to disable one to nine API hooks, and if you want to change the name of the exe file which will be created; and as always I have also made three movies where you can see how it works. Maybe this tool will help you with some of your files where other tools give up. Just test it if you want, and if something is not clear then you can ask in this topic of course.

PS: Read also the info files to get more info. Note: The file will maybe be detected by your Anti Virus app; no fear, it's a false alert.
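As an added example (not part of the original post and not the tool's own code), here is the defender-side view of the layout described above, where the victim executable is stored as an extra section of the carrier exe: a small PE section-table parser that flags any section whose raw data contains a complete embedded PE header. The `build_minimal_pe` helper only constructs synthetic test images; real files would be read from disk and passed to `find_carrier_sections`.

```python
import struct

def build_minimal_pe(sections):
    """Build a tiny synthetic PE (constructed test data); only the fields the parser reads are filled."""
    num, opt_size, pe_off = len(sections), 0xE0, 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)          # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)          # PE32 optional header
    raw_ptr = pe_off + 4 + 20 + opt_size + 40 * num                   # first section's raw data
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + blobs

def pe_sections(data):
    """Yield (name, raw_bytes) for every entry in the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode(errors="replace"), data[raw_ptr:raw_ptr + raw_size]

def has_embedded_pe(blob):
    """True if blob holds an MZ header whose e_lfanew lands on a valid PE signature."""
    pos = blob.find(b"MZ")
    while pos != -1 and pos + 0x40 <= len(blob):
        lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
        if 0x40 <= lfanew and pos + lfanew + 4 <= len(blob) \
                and blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
            return True
        pos = blob.find(b"MZ", pos + 1)
    return False

def find_carrier_sections(data):
    """Names of sections carrying a complete embedded PE (the 'victim as a new section' layout)."""
    return [name for name, raw in pe_sections(data) if has_embedded_pe(raw)]

# Constructed samples: CARRIER holds the inner file in '.victim'; CLEAN has a bare 'MZ' in '.data' (no valid e_lfanew).
INNER = build_minimal_pe([(b".text", b"\x90" * 16)])
CARRIER = build_minimal_pe([(b".text", b"\xCC" * 32), (b".victim", INNER)])
CLEAN = build_minimal_pe([(b".text", b"\xCC" * 32), (b".data", b"MZ" + b"\0" * 70)])
```

The bare "MZ" case in `CLEAN` is there on purpose: the check requires the e_lfanew pointer to land on a PE signature inside the same section, so stray magic bytes are not reported.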