# hooker.py
# deals with hooking of win32 APIs.
# public domain code.
from patcher import *
from tramper import tramper
from win32api import *
from pytcc import pytcc
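def create_hook (duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"):
    """Compile a small C function that wraps an API and return its address.

    The generated C source has the shape

        <restype> function (int caller, <type> A, <type> B, ...)

    with one parameter per entry of `cparam_types`, named with consecutive
    capital letters (A, B, C, ...).  Inside it `prelogic` runs first, then the
    original API is called through the C symbol DUPE and its result is stored
    in RET, then `postlogic` runs, and finally RET is returned.  The leading
    `caller` parameter is part of the calling convention the patcher sets up
    for the hook (not visible in this function).

    duplicate_api -- address bound to the C symbol DUPE (the trampoline to the
                     original API, as built by hooker()).
    cparam_types  -- sequence of C type names, one per API parameter; the
                     default '' means "no parameters".  At most 26 entries.
    prelogic      -- C statements spliced in before the DUPE call; they may
                     `return` to skip the real API.
    postlogic     -- C statements spliced in after the DUPE call; RET is in scope.
    restype       -- C return type of the API (and of the generated function).

    Returns (c_code, hook): the generated C source and the address of the
    compiled `function` symbol.

    Raises ValueError when more than 26 parameter types are given.  The
    previous version silently truncated the list, producing a hook whose
    parameter list did not match the API it replaced.

    prelogic/postlogic are inserted into the source verbatim, so they must be
    developer-written literals, never text taken from an untrusted source.
    """
    param_names = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    ctypes_list = list (cparam_types)
    if len (ctypes_list) > len (param_names):
        raise ValueError ("create_hook supports at most %d parameters, got %d"
                          % (len (param_names), len (ctypes_list)))
    # Template kept byte-identical to the original: the rendered source is
    # returned to the caller and stored on the patcher.
    c_code = \
"""
%s function (int caller, %s)
{
%s
%s RET = DUPE ( %s );
%s
return RET;
}"""
    # "A, B, C" for the DUPE call and "int A, int B, int C" for the signature.
    symbols = ", ".join (param_names [:len (ctypes_list)])
    cargs = ", ".join ("%s %s" % (ctype, name)
                       for ctype, name in zip (ctypes_list, param_names))
    c_code = c_code % (restype, cargs, prelogic, restype, symbols, postlogic)
    ccompiler = pytcc ()
    # memset is made available to the generated code (usable from pre/postlogic).
    ccompiler.add_lib_proc ("msvcrt.dll", "memset")
    ccompiler.add_symbol ("DUPE", duplicate_api)
    ccompiler.compile (c_code)
    ccompiler.relocate ()
    hook = ccompiler.get_symbol ("function")
    return (c_code, hook)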
def hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"):
    """Build a patcher that redirects `apiname` (exported by `dllname`) to a compiled C hook.

    The hook is generated by create_hook(): `prelogic` runs before the real
    API, `postlogic` after it (with the real result in RET), and the API's
    parameters are exposed to that C code as A, B, C, ... in the order of
    `cparam_types`.

    apiname      -- name of the exported function to hook.
    cparam_types -- C type names of the API's parameters, in order.
    restype      -- C return type of the API.
    prelogic     -- C statements executed before the original API.
    postlogic    -- C statements executed after the original API.
    pid          -- accepted for interface compatibility; this function does
                    not use it (the patch is applied in the current process).
    dllname      -- module that exports `apiname`.

    Returns the configured patcher; call its patch() method to install the hook.
    """
    pat = patcher ()
    # The patcher needs the argument-block size before it can locate the API.
    pat.set_params_size (get_cparams_size (cparam_types))
    pat.set_source_as_api (apiname, dllname)
    # Bytes overwritten by the patch are relocated into a trampoline so the
    # hook can still call through to the original API.
    patch_len = len (get_patch (pat.destination, pat.params_size))
    trampoline = tramper (pat.source, patch_len)
    pat.duplicate_api = trampoline
    source, address = create_hook (trampoline, cparam_types, prelogic, postlogic, restype)
    pat.c_code = source
    pat.set_destination (address)
    return pat
if __name__ == '__main__':
    # Smoke test: hook kernel32!OpenProcess inside this process and check that
    # the pre-logic short-circuits the call when the third parameter (C) is 1.
    hook = hooker (
        apiname="OpenProcess",                  # API to hook
        dllname="kernel32",                     # module exporting it (kernel32 is the default)
        cparam_types=["int", "int", "int"],     # required: parameter types, exposed to the hook as A, B, C
        restype="int",                          # required: return type of the API
        prelogic="if (C==1) {return 1111;}",    # optional: C code run before the real API
        postlogic="if (RET) {return 0;}"        # optional: C code run after it; RET is the real result
    )
    # Install the hook.  The patch removes itself and cleans up once the
    # object is no longer referenced, which is why `hook` stays alive here.
    hook.patch ()
    print ("Calling hooked OpenProcess api with process id as 1.")
    ret = windll.kernel32.OpenProcess (0x1f0fff, 0, 1)
    print ("Return value: %s" % ret)
    if ret == 1111:
        print ("This test was sucesful.")
    else:
        print ("Return value is unexpected.")
    # Explicit removal is not needed (see above); left for reference:
    # hook.unpatch ()
#cad
hooker.py
Hooking ZwOpenProcess To Protect Processes
Protects processes by returning STATUS_ACCESS_DENIED.
#include "ntddk.h"
// Kernel-mode replacement for ZwOpenProcess, intended to be written into the
// System Service Dispatch Table (SSDT).  The code that installs/removes the
// table entry and fills in OldZwOpenProcess is not part of this listing.
// NOTE(review): on 64-bit Windows, Kernel Patch Protection treats SSDT
// modification as a fatal integrity violation, so this approach is limited
// to 32-bit kernels.

// The PID of the process to protect.
// TODO(original author): obtain the PID from the process "SERVER.EXE"
// instead of hard-coding it.
int PID = 1234;

NTSYSAPI NTSTATUS NTAPI ZwOpenProcess (OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);

typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);

// OldZwOpenProcess points to the original function.  It must be set before
// the hook is installed: NewZwOpenProcess calls through it without a check.
ZWOPENPROCESS OldZwOpenProcess;

// Hook body: every open of PID is refused; everything else is forwarded to
// the original ZwOpenProcess.
NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)
{
    HANDLE ProcessId;
    // ClientId is declared OPTIONAL in the prototype above, so the
    // dereference is guarded with SEH; a NULL or faulting pointer becomes
    // STATUS_INVALID_PARAMETER.  NOTE(review): a NULL ClientId is presumably
    // legal for the original call, so this rejects requests the real API
    // would accept -- confirm that is intended.
    __try {
        ProcessId = ClientId->UniqueProcess;
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        return STATUS_INVALID_PARAMETER;
    }
    // Check if the PID matches the protected process.  DesiredAccess is not
    // consulted, so even a query-only open of the protected PID is refused.
    if (ProcessId == (HANDLE)PID)
    {
        return STATUS_ACCESS_DENIED; // Return Access Denied
    }
    else
    {
        return OldZwOpenProcess(ProcessHandle, DesiredAccess,ObjectAttributes, ClientId); // Forward to the original ZwOpenProcess
    }
}
Hooking explorer.exe (inject.cpp:)
//Filename:inject.cpp
#include "main.h"

// NOTE(review): winternl.h declares NTSTATUS as LONG; this DWORD alias will
// collide with it if that header is ever reached through main.h, and an
// unsigned status also defeats the sign test that NT_SUCCESS-style checks use.
typedef DWORD NTSTATUS;

// Presumably the argument block for NtCreateThreadEx (the rest of inject.cpp
// is not in this listing).  Only Size is named; the other fields are kept
// exactly as the author gave them.
struct NtCreateThreadExBuffer{
    ULONG Size;
    ULONG Unknown1;
    ULONG Unknown2;
    PULONG Unknown3;
    ULONG Unknown4;
    ULONG Unknown5;
    ULONG Unknown6;
    PULONG Unknown7;
    ULONG Unknown8;
};
Hooking explorer.exe (main.h)
//Filename main.h #pragma once #include <windows.h> #include <iostream> #include <tlhelp32.h> #include <string> #include <stdio.h> #include <shlwapi.h> #include <fstream>
Antivirus Killer
//Kills COMODO, Avast and Micro$oft Frorefront //crashes a target process by attempting to inject a dll without enough space allocated for DLL's name //Code snippets taken from Blizzhackers.cc and Rohitab //THX to Napalm,magnetisk, and Nihil² for letting me "borrow" your code //Put together by Cpu_hacker666 //Yes, I IZ A CODE MONKEY XD #include <iostream> #include <windows.h> #include <tlhelp32.h> #include <shlwapi.h>
tramper.py
# tramper.py # Relocates bytes of an API and creates a jump from those bytes to the original API, effectively negating a hook. # TODO !Recalculate Relocated Relative jmp and call addresses. # public domain code.
JPG Information
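/* DESCRIPTION: Extracts any information after the actual end of a JPEG file. */
// NOTE(review): the header names were lost in extraction (the line read
// "#include#include #include"); iostream, fstream and cstdlib are what the
// code uses, vector replaces the raw new[]/delete[] buffer.
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <vector>
using namespace std;

// Size of the input file in bytes (set once the file is opened).
unsigned long int szFile;

// Usage: <prog> file.jpg outputfile.ext
// Prints the bytes of any COM (0xFFFE) segment it sees, reports the offset of
// the EOI marker, and writes everything after EOI to the output file.
// Exit status follows the original: EXIT_FAILURE only for file-open errors.
int main(int argc, char* argv[])
{
    // Markers are held as unsigned char so comparing against 0xFF does not
    // depend on whether plain char is signed (the original compared signed
    // chars with constants that do not fit in one).
    const unsigned char SOI[] = { 0xFF, 0xD8 };  // Start of Image
    const unsigned char COMM[] = { 0xFF, 0xFE }; // Comments Follow
    const unsigned char EOI[] = { 0xFF, 0xD9 };  // End of Image

    if (argc != 3) {
        cout << "Usage: " << argv[0] << " file.jpg outputfile.ext" << endl;
        exit(EXIT_SUCCESS);
    }
    ifstream fin(argv[1], ios::binary | ios::in | ios::ate);
    if (!fin.is_open()) {
        cerr << "Error while opening input file!" << endl;
        exit(EXIT_FAILURE);
    }
    szFile = (unsigned long int) fin.tellg();
    if (szFile < 4) {
        cerr << "Not a valid jpg image file!" << endl;
        exit(EXIT_SUCCESS);
    }
    // A vector owns the buffer, so the early exit()s below no longer leak the
    // block that new char[szFile] allocated in the original.
    vector<unsigned char> buffer(szFile);
    fin.seekg(0, ios::beg);
    fin.read(reinterpret_cast<char*>(buffer.data()), szFile);
    fin.close();
    if (buffer[0] != SOI[0] || buffer[1] != SOI[1]) {
        cerr << "Not a valid jpeg image file!" << endl;
        exit(EXIT_SUCCESS);
    }

    bool comments = false;
    bool foundEOI = false;
    unsigned long int dataBegin = 0;
    for (unsigned long int i = 2; i < szFile - 1; i++) {
        // NOTE(review): as in the original, once a COM marker is seen every
        // byte up to EOI is echoed, not just the segment payload (a COM
        // segment carries its own 2-byte length which is not honoured here).
        if (buffer[i] == COMM[0] && buffer[i + 1] == COMM[1]) {
            cout << "Jpeg Comments: ";
            comments = true;
        }
        if (buffer[i] == EOI[0] && buffer[i + 1] == EOI[1]) {
            if (comments) { // end comments section
                comments = false;
                cout << endl;
            }
            // EOI occupies bytes i and i+1, so the image is i+2 bytes long
            // (the original printed i+1, one short of dataBegin below).
            cout << "Jpeg Image Size: " << i + 2 << " bytes" << endl;
            dataBegin = i + 2;
            foundEOI = true;
            break;
        }
        if (comments)
            cout << (char) buffer[i];
    }
    // The original left dataBegin uninitialised when no EOI marker was found
    // and then used it as a loop bound; treat such input as not a JPEG.
    if (!foundEOI) {
        cerr << "Not a valid jpeg image file!" << endl;
        exit(EXIT_SUCCESS);
    }

    ofstream fout(argv[2], ios::out | ios::binary);
    if (!fout.is_open()) {
        cerr << "Error while opening output file!" << endl;
        exit(EXIT_FAILURE);
    }
    // One write of the tail instead of a put() per byte.
    fout.write(reinterpret_cast<const char*>(buffer.data()) + dataBegin, szFile - dataBegin);
    fout.close();
    cout << "Done Writing " << szFile - dataBegin << " bytes to " << argv[2] << endl;
    exit(EXIT_SUCCESS);
}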
Networking (LAN Manager) API Sample
This sample changes the password for an arbitrary user on an arbitrary
target machine.
When targeting a domain controller for account update operations,
be sure to target the primary domain controller for the domain.
The account settings are replicated by the primary domain controller
to each backup domain controller as appropriate. The NetGetDCName()
Lan Manager API call can be used to get the primary domain controller
computer name from a domain name.