# hooker.py
# deals with hooking of win32 APIs.
# public domain code.
from patcher import *
from tramper import tramper
from win32api import *
from pytcc import pytcc
def create_hook (duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"):
""" create_hook (pat, duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"):
"""
c_code =\
"""
%s function (int caller, %s)
{
%s
%s RET = DUPE ( %s );
%s
return RET;
}"""
cargs = ''
symbols = ''
for arg, char in zip (cparam_types, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
symbols += "%s, " % char
cargs += "%s %s, " % (arg, char)
symbols = symbols [:-2]
cargs = cargs [:-2]
c_code = c_code % (restype, cargs, prelogic, restype, symbols, postlogic)
ccompiler = pytcc ()
ccompiler.add_lib_proc ("msvcrt.dll", "memset")
ccompiler.add_symbol ("DUPE", duplicate_api)
ccompiler.compile (c_code)
ccompiler.relocate ()
hook = ccompiler.get_symbol ("function")
return (c_code, hook)
def hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"):
"""hooker (apiname, cparam_types=list(), restype="int", prelogic='', postlogic='', pid=GetCurrentProcessId(), dllname="kernel32"):
"""
pat = patcher ()
params_size = get_cparams_size (cparam_types)
pat.set_params_size (params_size)
pat.set_source_as_api (apiname, dllname)
hook_size = len (get_patch (pat.destination, pat.params_size))
tramp = tramper (pat.source, hook_size)
pat.duplicate_api = tramp
hook_ccode, hooks = create_hook (tramp, cparam_types, prelogic, postlogic, restype)
pat.c_code = hook_ccode
pat.set_destination (hooks)
return pat
if __name__ == '__main__':
# Test.
hook = hooker (\
# API to hook
apiname="OpenProcess",
# the DLL the API is in. (defaults to kernel32)
dllname="kernel32",
# (required) API parameter types. In our hook these get translated to the names A,B,C...respectively.
cparam_types=["int", "int", "int"],
# (required) the API return type.
restype="int",
# (optional) this is the code in our hook wich is executed Before the real API.
prelogic="if (C==1) {return 1111;}",
# (optional) this is the code in our hook wich is executed After the real API. The real API's return value is named RET.
postlogic="if (RET) {return 0;}"
)
# hook API.
# hook automatically unhooks itself and cleans up when it isnt refered to anymore.
hook.patch ()
print "Calling hooked OpenProcess api with process id as 1."
ret = windll.kernel32.OpenProcess (0x1f0fff, 0, 1)
print "Return value: %s" % ret
if ret == 1111: print "This test was sucesful."
else: print "Return value is unexpected."
# unhook API.
# hook.unpatch ()
#cad
My LogiX is Undeniable.
Showing posts with label Python. Show all posts
Showing posts with label Python. Show all posts
hooker.py
Opens a process by name
from win32com.client import GetObject
def OpenProcessFromName(name = "python.exe"):
"""Opens a process by name."""
PID = getPID(name)
phandle = OpenProcess(PID)
return(phandle)
Returns the PID of a given process.
from win32com.client import GetObject
def getPID(name):
"""Returns the PID of a given process."""
WMI = GetObject('winmgmts:')
processes = WMI.InstancesOf('Win32_Process')
process_list = [(p.Properties_("ProcessID").Value, p.Properties_("Name").Value) for p in processes]
for process in process_list:
if process[1] == name:
print("PID of '" + name + "': " + str(process[0]))
return process[0]
tramper.py
# tramper.py # Relocates bytes of an API and creates a jump from those bytes to the original API affectively negating a hook. # TODO !Recalculate Relocated Relative jmp and call addresses. # public domain code.
Subscribe to:
Posts (Atom)