If people have a Win8/10 system there is less chance that they need it (the system is powerful enough)! I don't mean that it works 100% on non-Win8/10 and fails on the others: it just crashed on my Win8/10 test platforms and did not on WinXP/Vista/7. Maybe that was just my luck/bad luck.
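/*
 * Patch the Storm_208 dialog loop inside the target process so that it
 * calls Sleep() instead of spinning on GetPropA() (see the old/new
 * disassembly below).
 *
 * hProcess needs PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION.
 * Every address in here is build-specific (taken from one particular x86
 * build and one particular load address) and is not validated against the
 * image actually loaded in the target - the only sanity check is that the
 * IAT slot is readable and non-zero.
 *
 * The function stays void for source compatibility with existing callers,
 * but each step is now checked: on the first failure the patch is abandoned
 * (with the page protection restored) instead of writing to a guessed address.
 */
void CpuSaver_Hook_Storm208( HANDLE hProcess ){
    /* Exe import slot that holds the resolved address of Storm_208 (ordinal 208). */
    const LPCVOID storm208_iat_slot = (LPCVOID)0x004902C8;
    /* Distance from 0x150112E0 (presumably the entry of Storm_208 in the dump)
     * to the 12 bytes we overwrite at 0x15011370. */
    const DWORD offset = 0x15011370 - 0x150112E0;
    /*
     * 12-byte replacement for the spin loop at 15011370:
     *   6A 01               PUSH 1
     *   FF 15 68 01 49 00   CALL DWORD PTR DS:[490168]  ; Sleep through the exe's IAT
     *   EB E3               JMP SHORT 1501135D          ; back to the GetPropA check
     *   90 90               NOP NOP
     * Calling through the exe's own IAT slot for Sleep replaces the earlier
     * "EBX-0x3C" stub: GetPropA is USER32 and Sleep is a different module, so
     * a fixed distance between them is not a constant. The thread marks this
     * stub as untested - verify it in a debugger before shipping.
     */
    static const BYTE data[] = { 0x6A, 0x01, 0xFF, 0x15, 0x68, 0x01, 0x49, 0x00,
                                 0xEB, 0xE3, 0x90, 0x90 };
    DWORD  storm208_va = 0;
    DWORD  dwPrevProtect = 0;
    SIZE_T n = 0;
    LPVOID target;
    BOOL   written;

    /* Original bug: storm208_va was passed by value instead of by address. */
    if( !ReadProcessMemory( hProcess, storm208_iat_slot, &storm208_va, sizeof(storm208_va), &n )
        || n != sizeof(storm208_va) || storm208_va == 0 ){
        return;
    }
    target = (LPVOID)(storm208_va + offset);

    if( !VirtualProtectEx( hProcess, target, sizeof(data), PAGE_EXECUTE_READWRITE, &dwPrevProtect ) ){
        return;
    }
    written = WriteProcessMemory( hProcess, target, data, sizeof(data), &n ) && n == sizeof(data);
    /* Restore the original protection whether or not the write succeeded. */
    VirtualProtectEx( hProcess, target, sizeof(data), dwPrevProtect, &dwPrevProtect );
    if( written ){
        /* Code was modified in another process; make sure it is what gets executed. */
        FlushInstructionCache( hProcess, target, sizeof(data) );
    }
}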
/*
old:
1501135D 68 247D0315 PUSH OFFSET 15037D24 ; "SDlg_EndDialog"
15011362 56 PUSH ESI ; hWnd
15011363 FFD3 CALL EBX ; USER32.GetPropA
15011365 85C0 TEST EAX,EAX
15011367 75 13 JNZ SHORT 1501137C
15011369 8BCE MOV ECX,ESI
1501136B E8 40FAFFFF CALL 15010DB0
15011370 68 247D0315 PUSH OFFSET 15037D24 ; "SDlg_EndDialog"
15011375 56 PUSH ESI ; hWnd
15011376 FFD3 CALL EBX ; USER32.GetPropA
15011378 85C0 TEST EAX,EAX
1501137A 74 ED JZ SHORT 15011369
new:
...
15011370 89E8 MOV EAX,EBP // ptr to GetPropA -- typo: EBX holds GetPropA (that would encode as 89 D8), see the discussion below
15011372 83E8 3C SUB EAX,3C // assumes Sleep is always 0x3C bytes before GetPropA -- not a constant (GetPropA is USER32, Sleep is a different module), see below
15011375 6A 01 PUSH 1
15011377 FFD0 CALL EAX
15011379 EB E2 JMP SHORT 1501135D // loop to GetPropA
1501137B 90 NOP
*/
Any reason to avoid patching in place? Well, I just copied the idea from the R!CH project, which uses a similar solution :P
Ordinal208 == storm208? Yeah, IDA just makes up a name for it because it is un-named...
Why is EBP-3C the address of Sleep? That is a typo: EBX is the pointer to GetPropA (not EBP).
yeah, IDA just makes up a name for it because it is un-named... Thanks, I just was not sure that 208 is a constant between the exe and the dll.
in the "Exports" tab... double-clicking "Storm_208" jumps to "Ordinal208"
This can be checked by looking at it in a debugger,
checking the IAT structure by hand, or using some other tool.
That is a typo, EBX is the pointer to GetPropA (not EBP). I see, just a mistake.
which would make the first two bytes of data "89 D8" ( not "89 E8" )
Are GetPropA and Sleep at a constant distance from each other on all systems, past and future? Can it be hardcoded as 3C?
Yeah, that is NOT going to work :) I see; as you wrote, it's just an untested example, thanks for it.
I shouldn't post things without trying them I suppose...
Move that thread to development and delete my OT post :) You're right, I didn't think publishing the source code would cause such a big discussion...
15011370 6A 01 PUSH 1
15011372 FF15 68014900 CALL DWORD PTR DS:[490168] // Sleep in exe IAT
15011378 EB E3 JMP SHORT 1501135D
1501137A 90 NOP
1501137B 90 NOP
data[] = { 0x6A, 0x01, 0xFF, 0x15, 0x68, 0x01, 0x49, 0x00, 0xEB, 0xE3, 0x90, 0x90 };
untested but same idea ( no fix-ups needed in the injected code )
15011370 6A 01 PUSH 1
15011372 FF15 68014900 CALL DWORD PTR DS:[490168] // Sleep in exe IAT
15011378 EB E3 JMP SHORT 1501135D
1501137A 90 NOP
1501137B 90 NOP
data[] = { 0x6A, 0x01, 0xFF, 0x15, 0x68, 0x01, 0x49, 0x00, 0xEB, 0xE3, 0x90, 0x90 };
; Exe IAT slot that holds the resolved address of Sleep (same value as in the
; full import table below). Build-specific: valid only for this exe image.
Sleep equ 490168h
.code
; Sleep(50): 50 is decimal under MASM's default radix, i.e. 50 ms
; (the injected stub above uses PUSH 1 instead).
push 50
; Indirect call through the IAT slot - never `call Sleep`, the equate is the
; address of the slot, not of the function.
call [Sleep]
; Import-address-table slots of the target exe, as absolute virtual addresses
; (0x490058 - 0x490200). Each equate names the slot that holds the resolved
; address of the function, so code must call through it indirectly
; (`call [Name]`), never `call Name`. The prototype above each entry is for
; reference only. These values are build-specific: they are only valid for
; the exe this table was dumped from, and presumably only while it is loaded
; at the base it was dumped at (confirm against the image headers before use).
; CloseHandle(HANDLE hObject)
CloseHandle equ 490160h
; CompareStringA(LCID Locale,DWORD dwCmpFlags,LPCSTR lpString1,int cchCount1,LPCSTR lpString2,int cchCount2)
CompareStringA equ 490088h
; CompareStringW(LCID Locale,DWORD dwCmpFlags,LPCWSTR lpString1,int cchCount1,LPCWSTR lpString2,int cchCount2)
CompareStringW equ 490084h
; CreateDirectoryA(LPCSTR lpPathName,LPSECURITY_ATTRIBUTES lpSecurityAttributes)
CreateDirectoryA equ 490078h
; CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes,BOOL bManualReset,BOOL bInitialState,LPCSTR lpName)
CreateEventA equ 490190h
; CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
CreateFileA equ 490164h
; CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,DWORD dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
CreateThread equ 49012Ch
; DeleteCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
DeleteCriticalSection equ 490170h
; DeleteFileA(LPCSTR lpFileName)
DeleteFileA equ 490140h
; EnterCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
EnterCriticalSection equ 490184h
; ExitProcess(UINT uExitCode)
ExitProcess equ 490114h
; ExitThread(DWORD dwExitCode)
ExitThread equ 490120h
; FileTimeToLocalFileTime(const FILETIME *lpFileTime,LPFILETIME lpLocalFileTime)
FileTimeToLocalFileTime equ 4901F8h
; FileTimeToSystemTime(const FILETIME *lpFileTime,LPSYSTEMTIME lpSystemTime)
FileTimeToSystemTime equ 4901F4h
; FindClose(HANDLE hFindFile)
FindClose equ 490144h
; FindFirstFileA(LPCSTR lpFileName,LPWIN32_FIND_DATAA lpFindFileData)
FindFirstFileA equ 49014Ch
; FindNextFileA(HANDLE hFindFile,LPWIN32_FIND_DATAA lpFindFileData)
FindNextFileA equ 490148h
; FlushFileBuffers(HANDLE hFile)
FlushFileBuffers equ 490090h
; FormatMessageA(DWORD dwFlags,LPCVOID lpSource,DWORD dwMessageId,DWORD dwLanguageId,LPSTR lpBuffer,DWORD nSize,va_list *Arguments)
FormatMessageA equ 4901D0h
; FreeEnvironmentStringsA(LPSTR)
FreeEnvironmentStringsA equ 4900CCh
; FreeEnvironmentStringsW(LPWSTR)
FreeEnvironmentStringsW equ 4900C8h
; FreeLibrary(HMODULE hLibModule)
FreeLibrary equ 4901B0h
; GetACP(void)
GetACP equ 4900E0h
; GetCPInfo(UINT CodePage,LPCPINFO lpCPInfo)
GetCPInfo equ 4900E4h
; GetCommState(HANDLE hFile,LPDCB lpDCB)
GetCommState equ 4901A0h
; GetCommandLineA(void)
GetCommandLineA equ 490154h
; GetComputerNameA(LPSTR lpBuffer,LPDWORD nSize)
GetComputerNameA equ 490074h
; GetCurrentProcess(void)
GetCurrentProcess equ 490058h
; GetCurrentThreadId(void)
GetCurrentThreadId equ 490128h
; GetDateFormatA(LCID Locale,DWORD dwFlags,const SYSTEMTIME *lpDate,LPCSTR lpFormat,LPSTR lpDateStr,int cchDate)
GetDateFormatA equ 4901F0h
; GetDiskFreeSpaceA(LPCSTR lpRootPathName,LPDWORD lpSectorsPerCluster,LPDWORD lpBytesPerSector,LPDWORD lpNumberOfFreeClusters,LPDWORD lpTotalNumberOfClusters)
GetDiskFreeSpaceA equ 4901DCh
; GetDriveTypeA(LPCSTR lpRootPathName)
GetDriveTypeA equ 490158h
; GetEnvironmentStrings(void)
GetEnvironmentStrings equ 4900C4h
; GetEnvironmentStringsW(void)
GetEnvironmentStringsW equ 4900C0h
; GetEnvironmentVariableA(LPCSTR lpName,LPSTR lpBuffer,DWORD nSize)
GetEnvironmentVariableA equ 4900B8h
; GetFileAttributesA(LPCSTR lpFileName)
GetFileAttributesA equ 4901FCh
; GetFileSize(HANDLE hFile,LPDWORD lpFileSizeHigh)
GetFileSize equ 490070h
; GetFileType(HANDLE hFile)
GetFileType equ 4900BCh
; GetLastError(void)
GetLastError equ 490150h
; GetLocalTime(LPSYSTEMTIME lpSystemTime)
GetLocalTime equ 490134h
; GetLogicalDriveStringsA(DWORD nBufferLength,LPSTR lpBuffer)
GetLogicalDriveStringsA equ 49015Ch
; GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
GetModuleFileNameA equ 49013Ch
; GetModuleHandleA(LPCSTR lpModuleName)
GetModuleHandleA equ 4901C0h
; GetOEMCP(void)
GetOEMCP equ 4900DCh
; GetOverlappedResult(HANDLE hFile,LPOVERLAPPED lpOverlapped,LPDWORD lpNumberOfBytesTransferred,BOOL bWait)
GetOverlappedResult equ 4901B4h
; GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
GetProcAddress equ 490174h
; GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)
GetStartupInfoA equ 49011Ch
; GetStdHandle(DWORD nStdHandle)
GetStdHandle equ 490060h
; GetStringTypeA(LCID Locale,DWORD dwInfoType,LPCSTR lpSrcStr,int cchSrc,LPWORD lpCharType)
GetStringTypeA equ 4900A4h
; GetStringTypeW(DWORD dwInfoType,LPCWSTR lpSrcStr,int cchSrc,LPWORD lpCharType)
GetStringTypeW equ 4900A0h
; GetSystemInfo(LPSYSTEM_INFO lpSystemInfo)
GetSystemInfo equ 4901E0h
; GetSystemTime(LPSYSTEMTIME lpSystemTime)
GetSystemTime equ 4901ACh
; GetTickCount(void)
GetTickCount equ 490138h
; GetTimeFormatA(LCID Locale,DWORD dwFlags,const SYSTEMTIME *lpTime,LPCSTR lpFormat,LPSTR lpTimeStr,int cchTime)
GetTimeFormatA equ 4901ECh
; GetTimeZoneInformation(LPTIME_ZONE_INFORMATION lpTimeZoneInformation)
GetTimeZoneInformation equ 4901E4h
; GetVersion(void)
GetVersion equ 490068h
; GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
GetVersionExA equ 4900B4h
; GlobalMemoryStatus(LPMEMORYSTATUS lpBuffer)
GlobalMemoryStatus equ 4901D8h
; HeapAlloc(HANDLE hHeap,DWORD dwFlags,DWORD dwBytes)
HeapAlloc equ 4900ECh
; HeapCreate(DWORD flOptions,DWORD dwInitialSize,DWORD dwMaximumSize)
HeapCreate equ 4900ACh
; HeapDestroy(HANDLE hHeap)
HeapDestroy equ 4900B0h
; HeapFree(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem)
HeapFree equ 490100h
; HeapReAlloc(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem,DWORD dwBytes)
HeapReAlloc equ 4900D8h
; HeapSize(HANDLE hHeap,DWORD dwFlags,LPCVOID lpMem)
HeapSize equ 4900D4h
; InitializeCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
InitializeCriticalSection equ 49016Ch
; InterlockedDecrement(LPLONG lpAddend)
InterlockedDecrement equ 490200h
; InterlockedIncrement(LPLONG lpAddend)
InterlockedIncrement equ 490118h
; IsBadReadPtr(const void *lp,UINT ucb)
IsBadReadPtr equ 4901BCh
; IsBadWritePtr(LPVOID lp,UINT ucb)
IsBadWritePtr equ 4901CCh
; LCMapStringA(LCID Locale,DWORD dwMapFlags,LPCSTR lpSrcStr,int cchSrc,LPSTR lpDestStr,int cchDest)
LCMapStringA equ 490108h
; LCMapStringW(LCID Locale,DWORD dwMapFlags,LPCWSTR lpSrcStr,int cchSrc,LPWSTR lpDestStr,int cchDest)
LCMapStringW equ 490104h
; LeaveCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
LeaveCriticalSection equ 490180h
; LoadLibraryA(LPCSTR lpLibFileName)
LoadLibraryA equ 490178h
; LocalAlloc(UINT uFlags,UINT uBytes)
LocalAlloc equ 490064h
; LocalFree(HLOCAL hMem)
LocalFree equ 4901A8h
; MulDiv(int nNumber,int nNumerator,int nDenominator)
MulDiv equ 4901E8h
; MultiByteToWideChar(UINT CodePage,DWORD dwFlags,LPCSTR lpMultiByteStr,int cchMultiByte,LPWSTR lpWideCharStr,int cchWideChar)
MultiByteToWideChar equ 49010Ch
; RaiseException(DWORD dwExceptionCode,DWORD dwExceptionFlags,DWORD nNumberOfArguments,const DWORD *lpArguments)
RaiseException equ 49006Ch
; ReadFile(HANDLE hFile,LPVOID lpBuffer,DWORD nNumberOfBytesToRead,LPDWORD lpNumberOfBytesRead,LPOVERLAPPED lpOverlapped)
ReadFile equ 490198h
; ResetEvent(HANDLE hEvent)
ResetEvent equ 490188h
; SetCommState(HANDLE hFile,LPDCB lpDCB)
SetCommState equ 49019Ch
; SetCommTimeouts(HANDLE hFile,LPCOMMTIMEOUTS lpCommTimeouts)
SetCommTimeouts equ 4901A4h
; SetConsoleCtrlHandler(PHANDLER_ROUTINE HandlerRoutine,BOOL Add)
SetConsoleCtrlHandler equ 490130h
; SetEndOfFile(HANDLE hFile)
SetEndOfFile equ 49008Ch
; SetEnvironmentVariableA(LPCSTR lpName,LPCSTR lpValue)
SetEnvironmentVariableA equ 490080h
; SetEvent(HANDLE hEvent)
SetEvent equ 49017Ch
; SetFileAttributesA(LPCSTR lpFileName,DWORD dwFileAttributes)
SetFileAttributesA equ 49007Ch
; SetFilePointer(HANDLE hFile,LONG lDistanceToMove,PLONG lpDistanceToMoveHigh,DWORD dwMoveMethod)
SetFilePointer equ 49009Ch
; SetHandleCount(UINT uNumber)
SetHandleCount equ 49005Ch
; SetLastError(DWORD dwErrCode)
SetLastError equ 4900F8h
; SetStdHandle(DWORD nStdHandle,HANDLE hHandle)
SetStdHandle equ 490094h
; SetUnhandledExceptionFilter(LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter)
SetUnhandledExceptionFilter equ 4901D4h
; Sleep(DWORD dwMilliseconds)
; (the same slot the injected stub reaches through CALL DWORD PTR DS:[490168])
Sleep equ 490168h
; TerminateProcess(HANDLE hProcess,UINT uExitCode)
TerminateProcess equ 4900E8h
; TlsAlloc(void)
TlsAlloc equ 4900FCh
; TlsGetValue(DWORD dwTlsIndex)
TlsGetValue equ 4900F4h
; TlsSetValue(DWORD dwTlsIndex,LPVOID lpTlsValue)
TlsSetValue equ 490124h
; UnhandledExceptionFilter(struct _EXCEPTION_POINTERS *ExceptionInfo)
UnhandledExceptionFilter equ 4900F0h
; VirtualAlloc(LPVOID lpAddress,DWORD dwSize,DWORD flAllocationType,DWORD flProtect)
VirtualAlloc equ 490098h
; VirtualFree(LPVOID lpAddress,DWORD dwSize,DWORD dwFreeType)
VirtualFree equ 4900A8h
; VirtualQuery(LPCVOID lpAddress,PMEMORY_BASIC_INFORMATION lpBuffer,DWORD dwLength)
VirtualQuery equ 4901C4h
; WaitForMultipleObjects(DWORD nCount,const HANDLE *lpHandles,BOOL bWaitAll,DWORD dwMilliseconds)
WaitForMultipleObjects equ 490194h
; WaitForSingleObject(HANDLE hHandle,DWORD dwMilliseconds)
WaitForSingleObject equ 49018Ch
; WideCharToMultiByte(UINT CodePage,DWORD dwFlags,LPCWSTR lpWideCharStr,int cchWideChar,LPSTR lpMultiByteStr,int cchMultiByte,LPCSTR lpDefaultChar,LPBOOL lpUsedDefaultChar)
WideCharToMultiByte equ 490110h
; WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
WriteFile equ 4901B8h
; lstrcpynA(LPSTR lpString1,LPCSTR lpString2,int iMaxLength)
lstrcpynA equ 4901C8h
Anyway, this is totally the way to go. You can never reliably hard-code procedure entry points in external modules. They can be re-mapped by the OS (on Vista and later, ASLR relocates system DLLs per boot, so this is no longer rare). The other problem is that different versions of the same module shift the entry points of the individual procedures even when the module is mapped at the same base address. I'd appreciate it if you forked my project, fixed that and released it as your version somewhere on bitbucket.org or anywhere else. That is my first experience with hooking and it's not perfect. I'd be glad to look into that myself and understand how to fix it, but I have absolutely no time for War2 and for such low-priority projects.