/*
 * template_text - printf-style source template for the 32-bit x86 entry stub
 * that the tool injects into a target PE.  The C compiler only sees a string
 * literal; the assembly text is formatted and assembled at run time by the
 * tool (MASM-style syntax: anonymous @@/@f labels, `dword ptr ds:[...]`,
 * stdcall `ret 4`).  The assembler itself is not shown in this file.
 *
 * Format arguments, in order of appearance:
 *   1. %X    label of the new entry point.  The `$.` prefix looks like the
 *            assembler's image-relative (RVA) notation; it is also used for
 *            the final jump to the OEP.  Confirm against the tool's code.
 *   2. %X    newentry+5 - imagebase: subtracted from the address obtained by
 *            `call @f` / `pop ebp` so that EBP = image base without any
 *            absolute address in the stub
 *   3. %X    RVA of the IAT slot of OutputDebugStringA
 *   4. %X    RVA of the IAT slot of VirtualProtect
 *   5. %X    RVA of the IAT slot of VirtualProtect (same slot, used again
 *            inside @hook_VirtualProtect)
 *   6. %02X  initial value of the one-byte call counter of the
 *            OutputDebugStringA hook, emitted as a "\x.." data byte
 *   7. %X    RVA of the IAT slot of OutputDebugStringA (same slot, used again
 *            inside the hook to find the real function)
 *   8. %s    assembly inserted under "; patch CRC values".  It runs with the
 *            caller's registers live (only EAX is saved around it) just before
 *            control is handed to the real OutputDebugStringA, so it must
 *            leave the stack balanced
 *   9. %X    RVA of the original entry point (OEP)
 *  10. %s    tool-supplied text naming where the "security base" lives; it
 *            only appears in the comment that marks the user-code region
 *
 * Execution order of the entry stub:
 *   - pushad; derive EBP = image base (arg 2) and store it into the imm32 of
 *     `@getimagebase` (`mov ebp,0xFFFFFFFF` is patched at [eax+1]).
 *     `@getvirtualprotect` is patched the same way below.  This is
 *     self-modifying code: the section the stub lands in must be writable as
 *     well as executable; the template never changes its own protection.
 *   - VirtualProtect(OutputDebugStringA, 0x50, 0x40 /* PAGE_EXECUTE_READWRITE */,
 *     &oldprotect).  The return value is not checked and the old protection
 *     is never restored (the `oldprotect` dword is written by the call but
 *     never read afterwards), so the patched kernel32 page stays RWX for the
 *     lifetime of the process.  If the call fails, the later `rep movsb` into
 *     OutputDebugStringA faults.
 *   - IAT-hooks VirtualProtect: the slot is swapped (xchg) with the address
 *     of @hook_VirtualProtect and the original pointer is saved in
 *     @getvirtualprotect.  Writing the slot assumes the IAT is writable at
 *     entry-point time.
 *   - Inline-hooks OutputDebugStringA: its first 5 bytes are copied into the
 *     @od_original_bytes placeholder (the five 0x90 bytes) and overwritten
 *     with `jmp rel32` (0xE9) to @hook_OutputDebugStringA.  `add edi,5` skips
 *     the 5-byte `call @f` that precedes the placeholder; `sub eax,5` is the
 *     length of the jmp being written (rel32 = hook - (target + 5)).
 *   - popad and jmp to the OEP (arg 9).
 *
 * @hook_VirtualProtect (entered through the IAT, caller's stack untouched):
 * saves all registers and flags, re-derives EBP = image base, swaps the real
 * VirtualProtect pointer back into the IAT slot - so the hook fires only for
 * the first call made through this slot - then runs the user code placed
 * between the two "PLACE YOUR CODE" comments, restores flags/registers and
 * tail-jumps to the real VirtualProtect with the caller's arguments.  User
 * code may use any general register (they are restored by popad) but must
 * keep the stack balanced.
 *
 * @hook_OutputDebugStringA (entered through the jmp written over the real
 * function): decrements the one-byte counter (arg 6).  While it is non-zero
 * the call is swallowed: EAX = 1 and `ret 4` pops the single stdcall argument
 * without calling the real function.  When it reaches zero the original
 * 5 bytes are copied back over OutputDebugStringA, the CRC patch code (arg 8)
 * runs, and control jumps to the real OutputDebugStringA on the original
 * stack; from then on the function is unhooked.  Caveats: an initial counter
 * of 0 wraps to 0xFF on the first decrement; the decrement and the 5-byte
 * patch/restore are not synchronized, so concurrent callers on other threads
 * are not handled; the copies rely on the earlier VirtualProtect having
 * succeeded, which is never verified.
 *
 * Layout-sensitive: the `[eax+1]` patches address the imm32 of a
 * `mov r32,imm32`, and the +5/-5 adjustments above assume 5-byte E8/E9
 * encodings.  Do not reorder or resize those instructions.
 */
#define template_text "<$.%X>\r\n\
pushad\r\n\
call @f\r\n\
@@:\r\n\
pop ebp\r\n\
sub ebp, 0x%X ; newentry+5-imagebase\r\n\
\r\n\
; Store imagebase\r\n\
call @f\r\n\
@getimagebase:\r\n\
mov ebp, 0xFFFFFFFF\r\n\
ret\r\n\
@@:\r\n\
pop eax\r\n\
mov dword ptr ds:[eax+1],ebp\r\n\
\r\n\
; Get API addresses\r\n\
mov ebx, dword ptr ds:[ebp+0x%X] ; OutputDebugStringA\r\n\
lea esi, dword ptr ds:[ebp+0x%X] ; VirtualProtect\r\n\
\r\n\
; change page protection\r\n\
call @f\r\n\
\"\\x00\\x00\\x00\\x00\" ; oldprotect\r\n\
@@:\r\n\
push 0x40 ; newprotect\r\n\
push 0x50 ; size\r\n\
push ebx ; OutputDebugStringA\r\n\
call dword ptr ds:[esi] ; VirtualProtect\r\n\
\r\n\
; IAT Hook VirtualProtect\r\n\
call @vp_hook_end\r\n\
\r\n\
@hook_VirtualProtect:\r\n\
pushad\r\n\
pushfd\r\n\
call @getimagebase\r\n\
\r\n\
; restore IAT hook\r\n\
push esi\r\n\
push eax\r\n\
lea esi, dword ptr ds:[ebp+0x%X] ; VirtualProtect\r\n\
call @getvirtualprotect\r\n\
xchg dword ptr ds:[esi],eax\r\n\
pop eax\r\n\
pop esi\r\n\
\r\n\
; go to the user code\r\n\
jmp @usercode\r\n\
\r\n\
@vp_hook_end:\r\n\
pop ebp\r\n\
xchg dword ptr ds:[esi],ebp\r\n\
\r\n\
; store old VirtualProtect\r\n\
call @f\r\n\
@getvirtualprotect:\r\n\
mov eax,0xFFFFFFFF\r\n\
ret\r\n\
@@:\r\n\
pop eax\r\n\
mov dword ptr ds:[eax+1],ebp\r\n\
\r\n\
; hook OutputDebugStringA\r\n\
call @od_skip\r\n\
@od_original_bytes:\r\n\
call @f\r\n\
\"\\x90\\x90\\x90\\x90\\x90\"\r\n\
@@:\r\n\
jmp short @od_hook_back\r\n\
@od_skip:\r\n\
pop edi\r\n\
add edi,5\r\n\
mov esi,ebx\r\n\
mov ecx,5\r\n\
rep movsb\r\n\
sub esi,5\r\n\
mov byte ptr ds:[esi],0xE9\r\n\
call @od_hook_end\r\n\
\r\n\
@hook_OutputDebugStringA:\r\n\
call @f\r\n\
\"\\x%02X\" ;counter\r\n\
@@:\r\n\
pop eax\r\n\
dec byte ptr ds:[eax]\r\n\
jz short @od_execute_hook\r\n\
xor eax,eax\r\n\
inc eax\r\n\
ret 4\r\n\
@od_execute_hook:\r\n\
push edi\r\n\
push esi\r\n\
push ecx\r\n\
push ebp\r\n\
jmp short @od_original_bytes\r\n\
@od_hook_back:\r\n\
pop esi\r\n\
call @getimagebase\r\n\
mov eax,dword ptr ds:[ebp+0x%X] ; OutputDebugStringA\r\n\
mov edi,eax\r\n\
mov ecx,5\r\n\
rep movsb\r\n\
pop ebp\r\n\
pop ecx\r\n\
pop esi\r\n\
pop edi\r\n\
\r\n\
; patch CRC values\r\n\
push eax\r\n\
%s\r\n\
pop eax\r\n\
\r\n\
jmp eax ; OutputDebugStringA\r\n\
\r\n\
; continue hooking OutputDebugStringA\r\n\
@od_hook_end:\r\n\
pop eax\r\n\
sub eax,5\r\n\
sub eax,esi\r\n\
mov dword ptr ds:[esi+1],eax\r\n\
\r\n\
; restore registers and jmp to oep\r\n\
popad\r\n\
jmp $.%X ;rva of oep\r\n\
\r\n\
@usercode:\r\n\
;PLACE YOUR CODE AFTER THIS (security base is in %s, imagebase in EBP)\r\n\
;PLACE YOUR CODE BEFORE THIS\r\n\
popfd\r\n\
popad\r\n\
call @getvirtualprotect\r\n\
jmp eax"