KEZ
07.09.2007, 15:23
Нужно было выгрузить Outpost'овскую wl_hook.dll, следящую за всякими FindWindowEx, DdeConnect и т.п. ф-иями взаимодействия с "чем-то"
Анхукает все экспортируемые функции всех модулей текущего процесса: первые 10 байт каждой точки входа сравниваются с копией DLL на диске и при расхождении восстанавливаются из неё (т.е. снимаются только inline-хуки на входе в функцию — IAT/EAT-хуки и хуки в ядре этот код не трогает), после чего вызывает FreeLibrary для wl_hook.dll (для понту — это лишь уменьшает счётчик загрузок, и если DLL держит кто-то ещё, она может остаться в памяти)
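/*
 * Restore the first INLINE_HOOK_BYTES bytes of every exported function of
 * the module lpModName, as loaded in the current process, from that module's
 * own file on disk. This undoes inline (entry-point) hooks such as the ones
 * wl_hook.dll installs.
 *
 * lpModName: module name as listed by the toolhelp snapshot (e.g. "user32.dll").
 *            Nothing is done if no module of that name is loaded.
 *
 * Only the current process is touched (ReadProcessMemory / WriteProcessMemory
 * with the pseudo-handle (HANDLE)-1). The file is mapped with SEC_IMAGE, so
 * section RVAs are valid relative to the view and view + RVA addresses the
 * same bytes the loader put at base + RVA.
 *
 * Limitations: only hooks that patch the export entry point itself are
 * detected. IAT/EAT patches, hooks deeper in a function body and kernel-mode
 * hooks are untouched. Any legitimate in-memory change of an entry point
 * (e.g. OS hot-patching) is reverted as well, since the on-disk bytes are
 * treated as the single source of truth.
 */
#define INLINE_HOOK_BYTES 10

VOID UnhookMod( LPSTR lpModName ) {
    HANDLE hFile = INVALID_HANDLE_VALUE, hMapping = NULL;
    HMODULE hMod;
    LPVOID hMap = NULL;
    CHAR lpModPath[MAX_PATH];
    SIZE_T b;

    /* Work from the module that is actually loaded: its real base (the
     * preferred ImageBase from the headers is wrong whenever the loader had
     * to relocate the DLL, and writing there corrupts whatever lives at that
     * address) and its real path (a same-named file under system32 may be a
     * different build, in which case the byte comparison below would
     * "restore" every entry point with bytes from the wrong binary). */
    hMod = GetModuleHandle( lpModName );
    if (hMod == NULL)
        return;
    if (GetModuleFileName( hMod, lpModPath, MAX_PATH ) == 0)
        return;

    hFile = CreateFile( lpModPath, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0 );
    if (hFile == INVALID_HANDLE_VALUE)
        goto cleanup;

    /* CreateFileMapping reports failure with NULL, not INVALID_HANDLE_VALUE. */
    hMapping = CreateFileMapping( hFile, 0, PAGE_READONLY|SEC_IMAGE, 0, 0, 0 );
    if (hMapping == NULL)
        goto cleanup;

    hMap = MapViewOfFile( hMapping, FILE_MAP_READ, 0, 0, 0 );
    if (hMap == NULL)
        goto cleanup;

    {
        IMAGE_DOS_HEADER *dh = (IMAGE_DOS_HEADER*)hMap;
        IMAGE_NT_HEADERS *nh;
        IMAGE_OPTIONAL_HEADER *oh;
        IMAGE_DATA_DIRECTORY *exportDir;
        IMAGE_EXPORT_DIRECTORY *ed;
        ULONG *functionEntryPoints;
        ULONG_PTR viewBase = (ULONG_PTR)hMap, modBase = (ULONG_PTR)hMod;
        DWORD i;
        BYTE entryPointBytes[INLINE_HOOK_BYTES], originalBytes[INLINE_HOOK_BYTES];

        /* SEC_IMAGE already rejects non-PE files, but verify the signatures
         * before trusting e_lfanew as an offset. */
        if (dh->e_magic != IMAGE_DOS_SIGNATURE)
            goto cleanup;
        nh = (IMAGE_NT_HEADERS*)(viewBase + dh->e_lfanew);
        if (nh->Signature != IMAGE_NT_SIGNATURE)
            goto cleanup;
        oh = &nh->OptionalHeader;

        /* A module without an export table (plain EXEs, resource-only DLLs)
         * has nothing to restore; the original dereferenced RVA 0 here. */
        exportDir = &oh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
        if (exportDir->VirtualAddress == 0 || exportDir->Size == 0)
            goto cleanup;
        ed = (IMAGE_EXPORT_DIRECTORY*)(viewBase + exportDir->VirtualAddress);
        functionEntryPoints = (ULONG*)(viewBase + ed->AddressOfFunctions);

        for (i = 0; i < ed->NumberOfFunctions; i++) {
            ULONG rva = functionEntryPoints[i];
            LPVOID entryVA;

            /* RVA 0 is an unused ordinal slot. An RVA that points inside the
             * export directory is a forwarder string, not code. */
            if (rva == 0)
                continue;
            if (rva >= exportDir->VirtualAddress &&
                rva < exportDir->VirtualAddress + exportDir->Size)
                continue;

            entryVA = (LPVOID)(modBase + rva);
            memcpy( originalBytes, (PVOID)(viewBase + rva), INLINE_HOOK_BYTES );
            if (!ReadProcessMemory( (HANDLE)-1, entryVA, entryPointBytes, INLINE_HOOK_BYTES, &b ) ||
                b != INLINE_HOOK_BYTES)
                continue;
            /* Write only where the live bytes differ, so clean modules are
             * never modified. */
            if (memcmp( entryPointBytes, originalBytes, INLINE_HOOK_BYTES ))
                WriteProcessMemory( (HANDLE)-1, entryVA, originalBytes, INLINE_HOOK_BYTES, &b );
        }
    }

cleanup:
    /* Release only what was acquired; the original closed hMap/hMapping
     * unconditionally, i.e. uninitialised values when an earlier step failed. */
    if (hMap != NULL) UnmapViewOfFile( hMap );
    if (hMapping != NULL) CloseHandle( hMapping );
    if (hFile != INVALID_HANDLE_VALUE) CloseHandle( hFile );
}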
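/*
 * Strip wl_hook.dll's inline hooks from every module in the current process,
 * then drop one reference to wl_hook.dll.
 *
 * Walks the toolhelp module snapshot of the current process and calls
 * UnhookMod() on every module except wl_hook.dll itself (restoring the hook
 * DLL's own exports would serve no purpose). Afterwards FreeLibrary() is
 * called on wl_hook.dll if it is loaded; this only decrements its load count,
 * so if something else still references it (or a thread is executing inside
 * it) the DLL stays mapped — the unhooking pass is what actually neutralises
 * it. Unhooking is attempted even when the snapshot cannot be taken.
 */
VOID UnloadWLHook( VOID ) {
    MODULEENTRY32 me;
    HMODULE hHook;
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId() );

    if (hSnapshot != INVALID_HANDLE_VALUE) {
        /* Module32First requires dwSize to be filled in; the original left
         * it uninitialised, so the enumeration could fail before doing any
         * work. */
        me.dwSize = sizeof( me );
        if (Module32First( hSnapshot, &me )) {
            do {
                /* Module names are case-insensitive on Windows. */
                if (lstrcmpi( me.szModule, "wl_hook.dll" ) != 0)
                    UnhookMod( me.szModule );
            } while (Module32Next( hSnapshot, &me ));
        }
        /* Only close a handle that was actually obtained. */
        CloseHandle( hSnapshot );
    }

    hHook = GetModuleHandle( "wl_hook.dll" );
    if (hHook != NULL)
        FreeLibrary( hHook );
}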
ставьте плюсики я герой!!!!!!!!!!!
Анхукает все экспортируемые функции всех модулей текущего процесса: первые 10 байт каждой точки входа сравниваются с копией DLL на диске и при расхождении восстанавливаются из неё (т.е. снимаются только inline-хуки на входе в функцию — IAT/EAT-хуки и хуки в ядре этот код не трогает), после чего вызывает FreeLibrary для wl_hook.dll (для понту — это лишь уменьшает счётчик загрузок, и если DLL держит кто-то ещё, она может остаться в памяти)
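/*
 * Restore the first INLINE_HOOK_BYTES bytes of every exported function of
 * the module lpModName, as loaded in the current process, from that module's
 * own file on disk. This undoes inline (entry-point) hooks such as the ones
 * wl_hook.dll installs.
 *
 * lpModName: module name as listed by the toolhelp snapshot (e.g. "user32.dll").
 *            Nothing is done if no module of that name is loaded.
 *
 * Only the current process is touched (ReadProcessMemory / WriteProcessMemory
 * with the pseudo-handle (HANDLE)-1). The file is mapped with SEC_IMAGE, so
 * section RVAs are valid relative to the view and view + RVA addresses the
 * same bytes the loader put at base + RVA.
 *
 * Limitations: only hooks that patch the export entry point itself are
 * detected. IAT/EAT patches, hooks deeper in a function body and kernel-mode
 * hooks are untouched. Any legitimate in-memory change of an entry point
 * (e.g. OS hot-patching) is reverted as well, since the on-disk bytes are
 * treated as the single source of truth.
 */
#define INLINE_HOOK_BYTES 10

VOID UnhookMod( LPSTR lpModName ) {
    HANDLE hFile = INVALID_HANDLE_VALUE, hMapping = NULL;
    HMODULE hMod;
    LPVOID hMap = NULL;
    CHAR lpModPath[MAX_PATH];
    SIZE_T b;

    /* Work from the module that is actually loaded: its real base (the
     * preferred ImageBase from the headers is wrong whenever the loader had
     * to relocate the DLL, and writing there corrupts whatever lives at that
     * address) and its real path (a same-named file under system32 may be a
     * different build, in which case the byte comparison below would
     * "restore" every entry point with bytes from the wrong binary). */
    hMod = GetModuleHandle( lpModName );
    if (hMod == NULL)
        return;
    if (GetModuleFileName( hMod, lpModPath, MAX_PATH ) == 0)
        return;

    hFile = CreateFile( lpModPath, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0 );
    if (hFile == INVALID_HANDLE_VALUE)
        goto cleanup;

    /* CreateFileMapping reports failure with NULL, not INVALID_HANDLE_VALUE. */
    hMapping = CreateFileMapping( hFile, 0, PAGE_READONLY|SEC_IMAGE, 0, 0, 0 );
    if (hMapping == NULL)
        goto cleanup;

    hMap = MapViewOfFile( hMapping, FILE_MAP_READ, 0, 0, 0 );
    if (hMap == NULL)
        goto cleanup;

    {
        IMAGE_DOS_HEADER *dh = (IMAGE_DOS_HEADER*)hMap;
        IMAGE_NT_HEADERS *nh;
        IMAGE_OPTIONAL_HEADER *oh;
        IMAGE_DATA_DIRECTORY *exportDir;
        IMAGE_EXPORT_DIRECTORY *ed;
        ULONG *functionEntryPoints;
        ULONG_PTR viewBase = (ULONG_PTR)hMap, modBase = (ULONG_PTR)hMod;
        DWORD i;
        BYTE entryPointBytes[INLINE_HOOK_BYTES], originalBytes[INLINE_HOOK_BYTES];

        /* SEC_IMAGE already rejects non-PE files, but verify the signatures
         * before trusting e_lfanew as an offset. */
        if (dh->e_magic != IMAGE_DOS_SIGNATURE)
            goto cleanup;
        nh = (IMAGE_NT_HEADERS*)(viewBase + dh->e_lfanew);
        if (nh->Signature != IMAGE_NT_SIGNATURE)
            goto cleanup;
        oh = &nh->OptionalHeader;

        /* A module without an export table (plain EXEs, resource-only DLLs)
         * has nothing to restore; the original dereferenced RVA 0 here. */
        exportDir = &oh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
        if (exportDir->VirtualAddress == 0 || exportDir->Size == 0)
            goto cleanup;
        ed = (IMAGE_EXPORT_DIRECTORY*)(viewBase + exportDir->VirtualAddress);
        functionEntryPoints = (ULONG*)(viewBase + ed->AddressOfFunctions);

        for (i = 0; i < ed->NumberOfFunctions; i++) {
            ULONG rva = functionEntryPoints[i];
            LPVOID entryVA;

            /* RVA 0 is an unused ordinal slot. An RVA that points inside the
             * export directory is a forwarder string, not code. */
            if (rva == 0)
                continue;
            if (rva >= exportDir->VirtualAddress &&
                rva < exportDir->VirtualAddress + exportDir->Size)
                continue;

            entryVA = (LPVOID)(modBase + rva);
            memcpy( originalBytes, (PVOID)(viewBase + rva), INLINE_HOOK_BYTES );
            if (!ReadProcessMemory( (HANDLE)-1, entryVA, entryPointBytes, INLINE_HOOK_BYTES, &b ) ||
                b != INLINE_HOOK_BYTES)
                continue;
            /* Write only where the live bytes differ, so clean modules are
             * never modified. */
            if (memcmp( entryPointBytes, originalBytes, INLINE_HOOK_BYTES ))
                WriteProcessMemory( (HANDLE)-1, entryVA, originalBytes, INLINE_HOOK_BYTES, &b );
        }
    }

cleanup:
    /* Release only what was acquired; the original closed hMap/hMapping
     * unconditionally, i.e. uninitialised values when an earlier step failed. */
    if (hMap != NULL) UnmapViewOfFile( hMap );
    if (hMapping != NULL) CloseHandle( hMapping );
    if (hFile != INVALID_HANDLE_VALUE) CloseHandle( hFile );
}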
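/*
 * Strip wl_hook.dll's inline hooks from every module in the current process,
 * then drop one reference to wl_hook.dll.
 *
 * Walks the toolhelp module snapshot of the current process and calls
 * UnhookMod() on every module except wl_hook.dll itself (restoring the hook
 * DLL's own exports would serve no purpose). Afterwards FreeLibrary() is
 * called on wl_hook.dll if it is loaded; this only decrements its load count,
 * so if something else still references it (or a thread is executing inside
 * it) the DLL stays mapped — the unhooking pass is what actually neutralises
 * it. Unhooking is attempted even when the snapshot cannot be taken.
 */
VOID UnloadWLHook( VOID ) {
    MODULEENTRY32 me;
    HMODULE hHook;
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId() );

    if (hSnapshot != INVALID_HANDLE_VALUE) {
        /* Module32First requires dwSize to be filled in; the original left
         * it uninitialised, so the enumeration could fail before doing any
         * work. */
        me.dwSize = sizeof( me );
        if (Module32First( hSnapshot, &me )) {
            do {
                /* Module names are case-insensitive on Windows. */
                if (lstrcmpi( me.szModule, "wl_hook.dll" ) != 0)
                    UnhookMod( me.szModule );
            } while (Module32Next( hSnapshot, &me ));
        }
        /* Only close a handle that was actually obtained. */
        CloseHandle( hSnapshot );
    }

    hHook = GetModuleHandle( "wl_hook.dll" );
    if (hHook != NULL)
        FreeLibrary( hHook );
}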
ставьте плюсики я герой!!!!!!!!!!!