Could you please give an example (code) that corrects my mistake?
I do not know how to implement it.
Thanks in advance.
PS:
********* executable EXE *********
; Resolve a CSIDL special-folder id to its filesystem path through the shell API.
; PutPapka: a CSIDL_* constant (InjectDll below passes #CSIDL_SYSTEM).
; Returns the path with the Space() padding trimmed. Neither SHGet* return code
; is checked, so on failure the untouched blank buffer would trim to "".
Procedure.s PutDirektorii(PutPapka)
; PutPapka=#CSIDL_SYSTEMX86
Put$=Space(#MAX_PATH):SHGetSpecialFolderLocation_(0,PutPapka,@Raz)
SHGetPathFromIDList_(Raz, @Put$):ProcedureReturn Trim(Put$)
EndProcedure
; Load NameDll into another process with the remote-thread LoadLibrary technique.
; NameDll: DLL file name; its first 12 bytes are copied into the target's memory.
; The target pid is read from StringGadget 4, which OpenWindow_Window_0 fills with
; this program's own process id (read-only), so as wired here the DLL is loaded
; into the calling process itself.
; None of the Win32 return values are checked, so a failed step is silent.
; Defender note: the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
; CreateRemoteThread(LoadLibraryA) sequence is the classic process-injection
; chain that endpoint telemetry and injection detections key on.
Procedure InjectDll(NameDll.s)
; Open the target with the rights the remaining calls need.
hProcess=OpenProcess_(#PROCESS_CREATE_THREAD | #PROCESS_VM_OPERATION | #PROCESS_VM_READ | #PROCESS_VM_WRITE,0,Val(GetGadgetText(4)))
; Address of LoadLibraryA, resolved in this process from the System32 kernel32 path.
LL=GetProcAddress_(GetModuleHandle_(PutDirektorii(#CSIDL_SYSTEM)+"\kernel32.dll"),"LoadLibraryA")
; 12-byte read/write buffer reserved and committed in the target for the DLL name.
VA=VirtualAllocEx_(hProcess,0,12,#MEM_RESERVE | #MEM_COMMIT,#PAGE_READWRITE)
; Copy the name string into the remote buffer (fixed 12-byte length).
WriteProcessMemory_(hProcess,VA,NameDll.s,12,0)
; Start a thread in the target at LoadLibraryA with the buffer address as its argument.
CreateRemoteThread_(hProcess,0,0,LL,VA,0,0)
CloseHandle_(hProcess)
EndProcedure
; Build the main window with the six gadgets driven by the event loop below.
; Returns 1 when OpenWindow succeeded, 0 otherwise.
Procedure OpenWindow_Window_0()
Protected res=0
If OpenWindow(0, 100, 100, 145, 260, "HookMe", #PB_Window_SystemMenu)
; Gadget 1: delete c:\test.txt.
ButtonGadget(1, 40, 60, 60, 25, "Delete")
; Gadget 2: create c:\test.txt.
ButtonGadget(2, 40, 20, 60, 25, "Create")
; Gadget 3: show a MessageBox.
ButtonGadget(3, 40, 100, 60, 25, "MSB")
; Gadget 4: this process's own pid, read-only; InjectDll reads it as the target pid.
StringGadget(4, 40, 140, 60, 25, Str(GetCurrentProcessId_()), #PB_String_ReadOnly)
; Gadget 5: inject scan.dll.
ButtonGadget(5, 40, 180, 60, 25, "inject")
; Gadget 6: hook (its handler body is commented out in the event loop).
ButtonGadget(6, 40, 220, 60, 25, "Hook")
res=1
EndIf
ProcedureReturn res
EndProcedure
; Main event loop: dispatches gadget clicks (ids as created in OpenWindow_Window_0)
; until the window is closed.
If OpenWindow_Window_0()
Repeat
Event = WaitWindowEvent()
Select Event
Case #PB_Event_Gadget
EventGadget = EventGadget()
Select EventGadget
; Gadget 1: delete c:\test.txt straight through the Win32 API (the call the DLL hooks).
Case 1 : f$="c:\test.txt" : DeleteFile_(f$)
; Gadget 2: (re)create c:\test.txt containing "hi".
Case 2 : f$="c:\test.txt" : CreateFile(0,f$) : WriteString(0,"hi") : CloseFile(0)
; Gadget 3: MessageBox with Russian strings (text "Oops.", caption "Attention!").
Case 3 : MessageBox_(0," О п а . ","В н и м а н и е !", #MB_ICONHAND)
; Gadget 5: inject scan.dll into the pid shown in gadget 4 (this process).
Case 5 : InjectDll("scan.dll")
; Gadget 6: intended hook trigger. The handler is commented out, and the Hook
; procedure it refers to is not defined in this EXE (it lives in the DLL below).
Case 6
; hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, 0, 1448)
; Hook(hProcess,"kernel32.dll","DeleteFileA",@HookedProcedure1())
; Hook(hProcess,"user32.dll","MessageBoxA",@HookedProcedure2())
EndSelect
EndSelect
Until Event=#PB_Event_CloseWindow
EndIf
End
********* DLL *********
; DLL-side globals.
; Backup: the original bytes of the hooked function entry (6 bytes read by Hook,
;         written back by UnHook); a single shared slot.
; oldP: not referenced in the code shown.
; buf1..buf6: filled by the inline asm in NewMessageBox/NewDeleteFile (v_bufN
;         labels) with raw stack arguments of the intercepted call.
Global Dim Backup(0)
Global oldP
Global buf1.s,buf2.s,buf3.s,buf4.s,buf5.s,buf6.s
; Forward declaration so AttachProcess can take @NewDeleteFile() before its definition.
Declare NewDeleteFile()
; Enable SeDebugPrivilege on the current process token.
; Opens the token, looks up the privilege LUID and adjusts it with
; SE_PRIVILEGE_ENABLED. Every failure is silent (the innermost If body is empty),
; and hToken is never closed.
; Defender note: a non-debugger process enabling this privilege is a common
; alert condition in endpoint monitoring.
Procedure EnableDebugPrivilege()
If OpenProcessToken_(GetCurrentProcess_(),#TOKEN_ADJUST_PRIVILEGES|#TOKEN_QUERY,@hToken)
tp.TOKEN_PRIVILEGES : tp\PrivilegeCount=1
If LookupPrivilegeValue_(#Null,"SeDebugPrivilege",tp\Privileges[0]\Luid)
tp\Privileges[0]\Attributes = #SE_PRIVILEGE_ENABLED
If AdjustTokenPrivileges_(hToken,#False,@tp,SizeOf(tp),#Null,#Null)
EndIf : EndIf : EndIf
EndProcedure
; Top-level call in the DLL's main section.
; NOTE(review): when (or whether) PureBasic runs a DLL's main section relative to
; AttachProcess is not visible here — confirm this actually executes on load.
EnableDebugPrivilege()
; DLL copy of the path helper. Unlike the EXE version, the assignment
; PutPapka=#CSIDL_SYSTEMX86 is live here, so the argument is always overridden and
; the #CSIDL_SYSTEMX86 folder is returned regardless of what the caller passes.
; Raz is not declared Protected. Not called anywhere in the DLL code shown.
Procedure.s PutDirektorii(PutPapka)
Protected Put.s
PutPapka=#CSIDL_SYSTEMX86
Put.s=Space(#MAX_PATH):SHGetSpecialFolderLocation_(0,PutPapka,@Raz)
SHGetPathFromIDList_(Raz, @Put):ProcedureReturn Trim(Put)
EndProcedure
; Install an inline (prologue-patch) hook in this process: the first 6 bytes of
; library$!function$ are replaced by a CALL to HookedProcAddr followed by RET
; ($E8 rel32, $C3). The original 6 bytes are saved into the shared Backup slot
; first so UnHook can restore them.
; library$/function$: module and export name; HookedProcAddr: replacement address.
; The PROCESS_ALL_ACCESS handle opened on the own process is never closed.
; Defender note: after this the in-memory prologue no longer matches the on-disk
; image, which is exactly what prologue-integrity / hook-scanning checks compare.
Procedure Hook(library$,function$,HookedProcAddr)
Protected dwAddr, old
Protected process = OpenProcess_(#PROCESS_ALL_ACCESS, 0, GetCurrentProcessId_())
; "old" holds the module handle here, not a saved value.
old=GetModuleHandle_(library$)
dwAddr=GetProcAddress_(old,function$)
; Save the original entry bytes.
ReadProcessMemory_(process,dwAddr,@Backup(0),6,@readbytes)
; Patch bytes E8 <rel32> C3; dwCalc is the displacement to HookedProcAddr
; (the -5 accounts for the length of the call instruction).
Dim a.b(5) : a(0)=$E8 : a(5)=$c3 : dwCalc=HookedProcAddr-dwAddr-5 ; <--- fixed line
CopyMemory(@dwCalc,@a(1),4)
WriteProcessMemory_(process,dwAddr,@a(0),6,@written)
EndProcedure
; Write the 6 bytes saved by Hook back over library$!function$ in this process.
; Relies on Hook having run for that same function, since Backup is a single slot.
Procedure UnHook(library$,function$)
dwAddr=GetProcAddress_(GetModuleHandle_(library$),function$)
WriteProcessMemory_(GetCurrentProcess_(),dwAddr,@Backup(0),6,@written)
EndProcedure
; PureBasic DLL attach entry point: runs when the library is loaded into a process.
; Installs the DeleteFileA hook so the host's deletes pass through NewDeleteFile.
ProcedureDLL AttachProcess(Instance)
Hook("kernel32.dll","DeleteFileA",@NewDeleteFile())
EndProcedure
; *******************************************************
; user32.dll
; Replacement for MessageBoxA. The inline asm copies the four stack arguments
; (hwnd, text, caption, type) into the globals buf1..buf4, then a reconstructed
; "MessageBox(...)" line is appended to qqqqq.txt (a path relative to the host's
; current directory). Not installed anywhere in the code shown — only DeleteFileA
; is hooked — and the jump back to the original is commented out, so were it
; installed no box would be displayed.
Procedure NewMessageBox()
! mov eax,[esp+4]
! mov dword[v_buf1],eax ;hwnd
! mov eax,[esp+8]
! mov dword[v_buf2],eax ;text
! mov eax,[esp+12]
! mov dword[v_buf3],eax ;caption
! mov eax,[esp+16]
! mov dword[v_buf4],eax ;type
; Append-mode log: seek to end of file before writing.
OpenFile(1,"qqqqq.txt")
FileSeek(1,Lof(1))
WriteStringN(1, "MessageBox("+Str(v_buf1)+", "+Chr($22)+buf2+Chr($22)+", "+Chr($22)+buf3+Chr($22)+", "+Str(v_buf4)+")" )
CloseFile(1)
; call_newmessagebox=delta_newmessagebox+NewUser32
; ! jmp dword[v_call_newmessagebox]
EndProcedure
; *******************************************************
; kernel32.dll
; Replacement installed over DeleteFileA by AttachProcess.
; Copies the filename pointer from the stack into buf2 and appends it to
; qqqqq.txt, then temporarily removes the hook, forwards the call to the real
; DeleteFileA through OpenLibrary/CallFunction, and re-installs the hook.
; The result of the forwarded call is not returned to the caller.
Procedure NewDeleteFile()
; ! mov eax,[esp+4]
; ! mov dword[v_buf1],eax ;name
! mov eax,[esp+8]
! mov dword[v_buf2],eax ;name
; Append-mode log of the deleted path.
OpenFile(1,"qqqqq.txt")
FileSeek(1,Lof(1))
WriteStringN(1, buf2)
CloseFile(1)
; MessageRequester("",buf2)
; call_newdeletefile =delta_newdeletefile+NewKernel32
; ! jmp dword[v_call_newdeletefile]
; Restore the original bytes so the forwarded call reaches the real function.
UnHook("kernel32.dll","DeleteFileA")
; DeleteFile_(buf2)
OpenLibrary(1,"kernel32.dll")
CallFunction(1, "DeleteFileA", buf2)
CloseLibrary(1)
; Re-arm the hook for the next call.
Hook("kernel32.dll","DeleteFileA",@NewDeleteFile())
EndProcedure
; *******************************************************
; !jmp @F
; !MP10 ;3rd in order
; !MP12 ;4th
; !@@:
; *******************************************************
; *******************************************************
???