sn0w
20.05.2009, 23:50
как-то сам с этим ебался, - решил поделиться =)
//
// Generated with Reproject v 1.0
// Copyright (c) 2009 by sn0w. All Rights Reserved.
// 2funny@inbox.ru
//
#include <windows.h>
#include <tlhelp32.h>
#pragma optimize("gsy", on)
#pragma comment(linker, "/MERGE:.rdata=.data")
#pragma comment(linker,"/MERGE:.text=.data")
#pragma comment(linker,"/SECTION:.data,ERW")
#pragma comment(linker, "/BASE:0x14150000")
#pragma comment(linker, "/ENTRY:WinMain")
#pragma comment(linker, "/VERSION:1.0")
#define BASEADDR 0x14150000
#define GUID_SysKeyboard 0x6F1D2B61
#include "inject.h"
#include "functions.h"
#include "syshook.h"
ULONG oldGetDeviceData;//buffered method: saved address of the original IDirectInputDevice8::GetDeviceData (vtable slot 0x28), filled in by xCreateDevice
/*
 * Replacement for the device's GetDeviceData (buffered input) entry.
 * Pure pass-through: forwards all five arguments to the saved original and
 * returns its HRESULT unchanged. The original pointer is kept as a ULONG
 * and cast back to a 5-DWORD __stdcall function, so this only works in a
 * 32-bit process where a pointer fits in a DWORD.
 * NOTE(review): if oldGetDeviceData is still 0 (hook never installed) the
 * call goes through a null pointer; nothing here guards against that.
 */
HRESULT WINAPI xGetDeviceData(DWORD d1, DWORD d2, DWORD d3, DWORD d4, DWORD d5)
{
HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD,DWORD,DWORD)) oldGetDeviceData)(d1,d2,d3,d4,d5);
return hr;
}
ULONG oldGetDeviceState;//immediate method: saved address of the original IDirectInputDevice8::GetDeviceState (vtable slot 0x24), filled in by xCreateDevice
/*
 * Replacement for the device's GetDeviceState (immediate input) entry.
 * Calls the saved original, then, if it did not fail, patches the caller's
 * key-state buffer: byte 0x3B gets bit 0x80 set, i.e. that key is reported
 * as "down" regardless of the physical keyboard (0x3B is the DIK_F1 scan
 * code in DirectInput's keyboard layout — presumably the key the author
 * wanted held; confirm against the target's key bindings).
 *   d1      - the device `this` pointer (unused here)
 *   bufsize - size of the caller's buffer in bytes (NOT checked below)
 *   lpbuf   - caller's buffer, passed as a DWORD and treated as char*
 * NOTE(review): the write at index 0x3B is done without checking
 * bufsize >= 0x3C; a caller that requested a smaller state buffer would
 * get an out-of-bounds write. Integrity checks on this vtable slot, or on
 * the returned key-state bytes, are the observable signature of this hook.
 * The space in `oldGetDevice State` on the call line looks like a forum
 * rendering artifact — the global is declared as oldGetDeviceState above.
 */
HRESULT WINAPI xGetDeviceState(DWORD d1, DWORD bufsize, DWORD lpbuf)
{
HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD))oldGetDevice State)(d1,bufsize,lpbuf);
if(!FAILED(hr)){
char *pkbbuf = (char*)lpbuf;
pkbbuf[0x3B] = pkbbuf[0x3B] | 0x80; // force the "pressed" bit for scan code 0x3B
}
return hr;
}
ULONG oldCreateDevice; // saved address of the original IDirectInput8::CreateDevice (vtable slot 0x0c), filled in by xDirectInput8Create
/*
 * Replacement for IDirectInput8::CreateDevice.
 * Lets the original create the device, then — only when the requested
 * device GUID is the system keyboard — rewrites two entries of the new
 * device object's vtable so GetDeviceState/GetDeviceData go through the
 * replacements above. Offsets 0x24 and 0x28 are vtable slots 9 and 10,
 * which the saved-pointer names identify as GetDeviceState and
 * GetDeviceData of IDirectInputDevice8.
 *   d1 - `this` (unused)
 *   d2 - REFGUID of the requested device; only its first DWORD (Data1)
 *        is compared against GUID_SysKeyboard (0x6F1D2B61)
 *   d3 - address of the out interface pointer; *d3 is the device object,
 *        **d3 is its vtable
 *   d4 - outer unknown (unused)
 * NOTE(review): hr is not tested before dereferencing d3 — if the original
 * CreateDevice failed, *d3 may be NULL and the vtable read faults.
 * VirtualProtect's result is ignored and the old protection (oldprot) is
 * never restored, so the 0x2C-byte vtable range stays RWX afterwards; an
 * RWX page over a COM vtable is an easy thing for a monitor to flag.
 * The "already hooked?" checks make a second CreateDevice call idempotent
 * without overwriting the saved originals.
 * The space in `oldCre ateDevice` on the call line looks like a forum
 * rendering artifact — the global is declared as oldCreateDevice above.
 */
HRESULT WINAPI xCreateDevice(DWORD d1, DWORD d2, DWORD d3, DWORD d4)
{
HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD,DWORD))oldCre ateDevice)(d1,d2,d3,d4);
// hook only if keyboard requested (compares Data1 of the GUID only)
if(*(DWORD*)d2 != GUID_SysKeyboard)
return hr;
// d3 -> interface pointer -> object -> vtable
DWORD dwKeybTable = *(DWORD*)(*(DWORD*)d3);
DWORD oldprot;
// make the first 0x2C bytes of the vtable writable; result unchecked, never restored
VirtualProtect((LPVOID)dwKeybTable, 0x2C, PAGE_EXECUTE_READWRITE, &oldprot);
// already hooked?
if((DWORD)xGetDeviceState == *((DWORD*)(dwKeybTable+0x24))) goto ex1;
// hook it! (slot 9 = GetDeviceState)
oldGetDeviceState = *((DWORD*)(dwKeybTable+0x24));
*((DWORD*)(dwKeybTable+0x24)) = (DWORD)xGetDeviceState;
ex1:
// already hooked?
if((DWORD)xGetDeviceData == *((DWORD*)(dwKeybTable+0x28))) goto ex2;
// hook it! (slot 10 = GetDeviceData)
oldGetDeviceData = *((DWORD*)(dwKeybTable+0x28));
*((DWORD*)(dwKeybTable+0x28)) = (DWORD)xGetDeviceData;
ex2:
return hr;
}
ULONG oldDirectInput8Create; // saved address of the original dinput8!DirectInput8Create export, filled in by Splice() in RemoteMain
/*
 * Replacement for the DirectInput8Create export.
 * Calls the original, then patches slot 0x0c (index 3, which the saved
 * pointer name identifies as CreateDevice) of the returned IDirectInput8
 * object's vtable to point at xCreateDevice. Parameters are the normal
 * DirectInput8Create parameters and are forwarded untouched; *ppvOut is
 * read back as object -> vtable.
 * NOTE(review): ret is not tested before *ppvOut is dereferenced; on a
 * failed create *ppvOut may be NULL. As in xCreateDevice, VirtualProtect's
 * result is unchecked and the original protection is never restored, so
 * the 0x10-byte vtable range remains RWX.
 * The spaces in `L PUNKNOWN` and `r iidltf` on the call line look like
 * forum rendering artifacts (LPUNKNOWN, riidltf).
 */
HRESULT WINAPI xDirectInput8Create(HINSTANCE hinst, DWORD dwVersion, REFIID riidltf, VOID **ppvOut, LPUNKNOWN punkOuter)
{
HRESULT ret = ((HRESULT(WINAPI*)(HINSTANCE,DWORD,REFIID,VOID**,L PUNKNOWN))oldDirectInput8Create)(hinst,dwVersion,r iidltf,ppvOut,punkOuter);
// *ppvOut is the new interface; its first DWORD is the vtable pointer
DWORD dwFuncTable = (DWORD)*((DWORD*)*ppvOut);
DWORD oldprot;
// unprotect the first four vtable slots; result unchecked, never restored
VirtualProtect((LPVOID)dwFuncTable, 0x10, PAGE_EXECUTE_READWRITE, &oldprot);
//already hooked?
if((DWORD)xCreateDevice == *((DWORD*)(dwFuncTable+0x0c))) goto ex;
//hook it (slot 3 = CreateDevice)
oldCreateDevice = *((DWORD*)(dwFuncTable+0x0c));
*((DWORD*)(dwFuncTable+0x0c)) = (DWORD)xCreateDevice;
ex:
return ret;
}
/*
ULONG oldLoadLibraryA;
HMODULE WINAPI xLoadLibraryA(LPCSTR lpFileName)
{
HMODULE ret = ((HMODULE(WINAPI*)(LPCSTR))oldLoadLibraryA)(lpFile Name);
WriteLog("loaded: %s\n", lpFileName);
if (lstrcmpiA(lpFileName,"dinput.dll") == 0){
if(oldDirectInput8Create==0){
ThreadControl(TRUE);
WriteLog("splicing DirectInput8Create...\n");
Splice((ULONG)GetProcAddress(ret,"DirectInput8Create"), xDirectInput8Create, &oldDirectInput8Create);
WriteLog("done\n");
ThreadControl(FALSE);
}
}
return ret;
}
*/
/*
 * Thread routine handed to SpawnCSProcess() from WinMain; presumably runs
 * inside the spawned target process (see inject.h — not visible here).
 * Pre-loads kernel32/user32/advapi32 (return values ignored), initialises
 * the splicing helper, then splices the DirectInput8Create export of
 * dinput8.dll so it lands in xDirectInput8Create, saving the original in
 * oldDirectInput8Create. ThreadControl(FALSE) resumes the target per the
 * inline comment. Splice_Init/Splice/ThreadControl come from the included
 * project headers; their contracts are not visible here.
 *   lpParam - unused
 *   returns 0
 * NOTE(review): LoadLibrary("dinput8.dll") and GetProcAddress are not
 * checked; if either returns NULL, Splice() is handed address 0. From a
 * monitoring standpoint, the observable events are the early-suspended
 * process, the forced dinput8.dll load and the inline patch of its export.
 */
DWORD WINAPI RemoteMain(LPVOID lpParam)
{
LoadLibrary("kernel32.dll");
LoadLibrary("user32.dll");
LoadLibrary("advapi32.dll");
Splice_Init();
// patch the export itself (not the IAT), so every caller of DirectInput8Create is diverted
Splice((ULONG)GetProcAddress(LoadLibrary("dinput8.dll"),"DirectInput8Create"), xDirectInput8Create, &oldDirectInput8Create);
ThreadControl(FALSE); // resume execution
return 0;
}
/*
 * Program entry (selected explicitly via the /ENTRY:WinMain linker pragma
 * above). Delegates entirely to SpawnCSProcess(), passing RemoteMain as
 * the routine to run; all four WinMain parameters are unused. Always
 * returns 0 — SpawnCSProcess's result is not checked, so a failed spawn
 * is indistinguishable from success to the caller.
 */
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
SpawnCSProcess(RemoteMain);
return 0;
}
сорцы- http://www.sendspace.com/file/3l3e6x
//
// Generated with Reproject v 1.0
// Copyright (c) 2009 by sn0w. All Rights Reserved.
// 2funny@inbox.ru
//
#include <windows.h>
#include <tlhelp32.h>
#pragma optimize("gsy", on)
#pragma comment(linker, "/MERGE:.rdata=.data")
#pragma comment(linker,"/MERGE:.text=.data")
#pragma comment(linker,"/SECTION:.data,ERW")
#pragma comment(linker, "/BASE:0x14150000")
#pragma comment(linker, "/ENTRY:WinMain")
#pragma comment(linker, "/VERSION:1.0")
#define BASEADDR 0x14150000
#define GUID_SysKeyboard 0x6F1D2B61
#include "inject.h"
#include "functions.h"
#include "syshook.h"
ULONG oldGetDeviceData;//buffered method: saved address of the original IDirectInputDevice8::GetDeviceData (vtable slot 0x28), filled in by xCreateDevice
/*
 * Replacement for the device's GetDeviceData (buffered input) entry.
 * Pure pass-through: forwards all five arguments to the saved original and
 * returns its HRESULT unchanged. The original pointer is kept as a ULONG
 * and cast back to a 5-DWORD __stdcall function, so this only works in a
 * 32-bit process where a pointer fits in a DWORD.
 * NOTE(review): if oldGetDeviceData is still 0 (hook never installed) the
 * call goes through a null pointer; nothing here guards against that.
 */
HRESULT WINAPI xGetDeviceData(DWORD d1, DWORD d2, DWORD d3, DWORD d4, DWORD d5)
{
HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD,DWORD,DWORD)) oldGetDeviceData)(d1,d2,d3,d4,d5);
return hr;
}
ULONG oldGetDeviceState;//immediate method: saved address of the original IDirectInputDevice8::GetDeviceState (vtable slot 0x24), filled in by xCreateDevice
/*
 * Replacement for the device's GetDeviceState (immediate input) entry.
 * Calls the saved original, then, if it did not fail, patches the caller's
 * key-state buffer: byte 0x3B gets bit 0x80 set, i.e. that key is reported
 * as "down" regardless of the physical keyboard (0x3B is the DIK_F1 scan
 * code in DirectInput's keyboard layout — presumably the key the author
 * wanted held; confirm against the target's key bindings).
 *   d1      - the device `this` pointer (unused here)
 *   bufsize - size of the caller's buffer in bytes (NOT checked below)
 *   lpbuf   - caller's buffer, passed as a DWORD and treated as char*
 * NOTE(review): the write at index 0x3B is done without checking
 * bufsize >= 0x3C; a caller that requested a smaller state buffer would
 * get an out-of-bounds write. Integrity checks on this vtable slot, or on
 * the returned key-state bytes, are the observable signature of this hook.
 * The space in `oldGetDevice State` on the call line looks like a forum
 * rendering artifact — the global is declared as oldGetDeviceState above.
 */
HRESULT WINAPI xGetDeviceState(DWORD d1, DWORD bufsize, DWORD lpbuf)
{
HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD))oldGetDevice State)(d1,bufsize,lpbuf);
if(!FAILED(hr)){
char *pkbbuf = (char*)lpbuf;
pkbbuf[0x3B] = pkbbuf[0x3B] | 0x80; // force the "pressed" bit for scan code 0x3B
}
return hr;
}
ULONG oldCreateDevice; // saved address of the original IDirectInput8::CreateDevice (vtable slot 0x0c), filled in by xDirectInput8Create
/*
 * Replacement for IDirectInput8::CreateDevice.
 * Lets the original create the device, then — only when the requested
 * device GUID is the system keyboard — rewrites two entries of the new
 * device object's vtable so GetDeviceState/GetDeviceData go through the
 * replacements above. Offsets 0x24 and 0x28 are vtable slots 9 and 10,
 * which the saved-pointer names identify as GetDeviceState and
 * GetDeviceData of IDirectInputDevice8.
 *   d1 - `this` (unused)
 *   d2 - REFGUID of the requested device; only its first DWORD (Data1)
 *        is compared against GUID_SysKeyboard (0x6F1D2B61)
 *   d3 - address of the out interface pointer; *d3 is the device object,
 *        **d3 is its vtable
 *   d4 - outer unknown (unused)
 * NOTE(review): hr is not tested before dereferencing d3 — if the original
 * CreateDevice failed, *d3 may be NULL and the vtable read faults.
 * VirtualProtect's result is ignored and the old protection (oldprot) is
 * never restored, so the 0x2C-byte vtable range stays RWX afterwards; an
 * RWX page over a COM vtable is an easy thing for a monitor to flag.
 * The "already hooked?" checks make a second CreateDevice call idempotent
 * without overwriting the saved originals.
 * The space in `oldCre ateDevice` on the call line looks like a forum
 * rendering artifact — the global is declared as oldCreateDevice above.
 */
HRESULT WINAPI xCreateDevice(DWORD d1, DWORD d2, DWORD d3, DWORD d4)
{
HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD,DWORD))oldCre ateDevice)(d1,d2,d3,d4);
// hook only if keyboard requested (compares Data1 of the GUID only)
if(*(DWORD*)d2 != GUID_SysKeyboard)
return hr;
// d3 -> interface pointer -> object -> vtable
DWORD dwKeybTable = *(DWORD*)(*(DWORD*)d3);
DWORD oldprot;
// make the first 0x2C bytes of the vtable writable; result unchecked, never restored
VirtualProtect((LPVOID)dwKeybTable, 0x2C, PAGE_EXECUTE_READWRITE, &oldprot);
// already hooked?
if((DWORD)xGetDeviceState == *((DWORD*)(dwKeybTable+0x24))) goto ex1;
// hook it! (slot 9 = GetDeviceState)
oldGetDeviceState = *((DWORD*)(dwKeybTable+0x24));
*((DWORD*)(dwKeybTable+0x24)) = (DWORD)xGetDeviceState;
ex1:
// already hooked?
if((DWORD)xGetDeviceData == *((DWORD*)(dwKeybTable+0x28))) goto ex2;
// hook it! (slot 10 = GetDeviceData)
oldGetDeviceData = *((DWORD*)(dwKeybTable+0x28));
*((DWORD*)(dwKeybTable+0x28)) = (DWORD)xGetDeviceData;
ex2:
return hr;
}
ULONG oldDirectInput8Create; // saved address of the original dinput8!DirectInput8Create export, filled in by Splice() in RemoteMain
/*
 * Replacement for the DirectInput8Create export.
 * Calls the original, then patches slot 0x0c (index 3, which the saved
 * pointer name identifies as CreateDevice) of the returned IDirectInput8
 * object's vtable to point at xCreateDevice. Parameters are the normal
 * DirectInput8Create parameters and are forwarded untouched; *ppvOut is
 * read back as object -> vtable.
 * NOTE(review): ret is not tested before *ppvOut is dereferenced; on a
 * failed create *ppvOut may be NULL. As in xCreateDevice, VirtualProtect's
 * result is unchecked and the original protection is never restored, so
 * the 0x10-byte vtable range remains RWX.
 * The spaces in `L PUNKNOWN` and `r iidltf` on the call line look like
 * forum rendering artifacts (LPUNKNOWN, riidltf).
 */
HRESULT WINAPI xDirectInput8Create(HINSTANCE hinst, DWORD dwVersion, REFIID riidltf, VOID **ppvOut, LPUNKNOWN punkOuter)
{
HRESULT ret = ((HRESULT(WINAPI*)(HINSTANCE,DWORD,REFIID,VOID**,L PUNKNOWN))oldDirectInput8Create)(hinst,dwVersion,r iidltf,ppvOut,punkOuter);
// *ppvOut is the new interface; its first DWORD is the vtable pointer
DWORD dwFuncTable = (DWORD)*((DWORD*)*ppvOut);
DWORD oldprot;
// unprotect the first four vtable slots; result unchecked, never restored
VirtualProtect((LPVOID)dwFuncTable, 0x10, PAGE_EXECUTE_READWRITE, &oldprot);
//already hooked?
if((DWORD)xCreateDevice == *((DWORD*)(dwFuncTable+0x0c))) goto ex;
//hook it (slot 3 = CreateDevice)
oldCreateDevice = *((DWORD*)(dwFuncTable+0x0c));
*((DWORD*)(dwFuncTable+0x0c)) = (DWORD)xCreateDevice;
ex:
return ret;
}
/*
ULONG oldLoadLibraryA;
HMODULE WINAPI xLoadLibraryA(LPCSTR lpFileName)
{
HMODULE ret = ((HMODULE(WINAPI*)(LPCSTR))oldLoadLibraryA)(lpFile Name);
WriteLog("loaded: %s\n", lpFileName);
if (lstrcmpiA(lpFileName,"dinput.dll") == 0){
if(oldDirectInput8Create==0){
ThreadControl(TRUE);
WriteLog("splicing DirectInput8Create...\n");
Splice((ULONG)GetProcAddress(ret,"DirectInput8Create"), xDirectInput8Create, &oldDirectInput8Create);
WriteLog("done\n");
ThreadControl(FALSE);
}
}
return ret;
}
*/
/*
 * Thread routine handed to SpawnCSProcess() from WinMain; presumably runs
 * inside the spawned target process (see inject.h — not visible here).
 * Pre-loads kernel32/user32/advapi32 (return values ignored), initialises
 * the splicing helper, then splices the DirectInput8Create export of
 * dinput8.dll so it lands in xDirectInput8Create, saving the original in
 * oldDirectInput8Create. ThreadControl(FALSE) resumes the target per the
 * inline comment. Splice_Init/Splice/ThreadControl come from the included
 * project headers; their contracts are not visible here.
 *   lpParam - unused
 *   returns 0
 * NOTE(review): LoadLibrary("dinput8.dll") and GetProcAddress are not
 * checked; if either returns NULL, Splice() is handed address 0. From a
 * monitoring standpoint, the observable events are the early-suspended
 * process, the forced dinput8.dll load and the inline patch of its export.
 */
DWORD WINAPI RemoteMain(LPVOID lpParam)
{
LoadLibrary("kernel32.dll");
LoadLibrary("user32.dll");
LoadLibrary("advapi32.dll");
Splice_Init();
// patch the export itself (not the IAT), so every caller of DirectInput8Create is diverted
Splice((ULONG)GetProcAddress(LoadLibrary("dinput8.dll"),"DirectInput8Create"), xDirectInput8Create, &oldDirectInput8Create);
ThreadControl(FALSE); // resume execution
return 0;
}
/*
 * Program entry (selected explicitly via the /ENTRY:WinMain linker pragma
 * above). Delegates entirely to SpawnCSProcess(), passing RemoteMain as
 * the routine to run; all four WinMain parameters are unused. Always
 * returns 0 — SpawnCSProcess's result is not checked, so a failed spawn
 * is indistinguishable from success to the caller.
 */
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
SpawnCSProcess(RemoteMain);
return 0;
}
сорцы- http://www.sendspace.com/file/3l3e6x