Posted: Mon Jan 26, 2009 9:27 pm Post subject: ThreadContextTracker Plugin |
This is what I'm working with so far.
Any further suggestions or optimized implementations will be taken into account.
//
#define _CRT_SECURE_NO_WARNINGS
#define _WIN32_WINNT 0x501
//#define WIN32_LEAN_AND_MEAN
// Windows Header Files:
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include "example-c.h"
int selfid;                       // this plugin's id, as handed to InitializePlugin(); first arg of UnregisterFunction()
int pluginid=-1;                  // id of the function-pointer-change callback registered in InitializePlugin(); -1 = none
                                  // NOTE(review): InitializePlugin() declares a parameter with this same name, so the
                                  // RegisterFunction() result assigned there lands in the parameter, not in this global.
HANDLE hTarget = 0;               // last handle returned by the OpenProcess hook (Monitor_KernelOpenProcess)
ULONG hTargetId = 0;              // process id of hTarget, from GetProcessId()
HANDLE ThreadHandleList[20] = {0}; // parallel tables: handle and id of each tracked thread; an id of 0 marks a free slot
ULONG ThreadIdList[20] = {0};     // NOTE(review): the loops in CheckThreadHandleInList() run i<=20 - one past these 20 entries
BOOL IsInitialized = FALSE;       // declared but never read or written elsewhere in this file
CRITICAL_SECTION cSection;        // declared but never initialised or entered in this file; the hook slots are written unsynchronised
DWORD orig_OpenThread;            // unused in this file
DWORD orig_KernelOpenProcess;     // original OpenProcess implementation saved by Hook_API(), stored as an integer:
                                  // only pointer-sized on a 32-bit build (DWORD_PTR or a function-pointer type would be portable)
HANDLE Monitor_KernelOpenProcess(DWORD dwAccess,BOOL Inherit,DWORD Pid); // replacement installed into CE's OpenProcess slots
void Hook_API();                                                          // installs the replacement (idempotent)
void FnPointerChange(int Reserved);                                       // CE callback: re-installs after CE reassigns its pointers
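HANDLE CheckThreadHandleInList(DWORD ThreadId)
{
    // Returns the cached handle for ThreadId, opening and caching it the first time the
    // thread is seen. Returns INVALID_HANDLE_VALUE when the thread cannot be opened or
    // the table is full; callers compare against INVALID_HANDLE_VALUE.
    //
    // Fixes relative to the first version: the loops ran to i<=20 on 20-entry tables
    // (one past the end), the stray ';' after `if(ThreadIdList[i] == 0);` made the
    // claim-a-slot body run for every slot, a failed OpenThread left the id burned in the
    // table and the function could fall off the end without a return value.
    const int slots = (int)(sizeof(ThreadIdList) / sizeof(ThreadIdList[0]));
    int i;

    // Forward search: already tracked?
    for(i = 0; i < slots; i++)
    {
        if(ThreadIdList[i] == ThreadId)
        {
            return ThreadHandleList[i];
        }
    }

    // Not tracked: claim the first free slot. An id of 0 marks a free slot (0 is never
    // a valid thread id).
    for(i = 0; i < slots; i++)
    {
        if(ThreadIdList[i] == 0)
        {
            // THREAD_ALL_ACCESS is what the original requested. The only operations this
            // file performs on the handle are SuspendThread/ResumeThread/GetThreadContext,
            // which need THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT; narrow it once no
            // further use is planned.
            HANDLE hThread = CECT.OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadId);
            // OpenThread reports failure with NULL, not INVALID_HANDLE_VALUE; reject both
            // so the caller's INVALID_HANDLE_VALUE check stays meaningful.
            if(hThread == NULL || hThread == INVALID_HANDLE_VALUE)
            {
                return INVALID_HANDLE_VALUE;   // slot stays free for a later retry
            }
            ThreadIdList[i] = ThreadId;
            ThreadHandleList[i] = hThread;
            return hThread;
        }
    }

    return INVALID_HANDLE_VALUE;   // table full
}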
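void StartThreadContextSnap(HANDLE hThread)
{
    // Suspends hThread just long enough to copy its register context, resumes it, then
    // reports the instruction pointer (lower-case hex) through CE's message box.
    // hThread needs THREAD_SUSPEND_RESUME and THREAD_GET_CONTEXT rights (callers open
    // it with THREAD_ALL_ACCESS). Reports "Failed Getting Context" on any failure.
    //
    // Fix relative to the first version: the thread was only resumed on the success
    // path, so a failed GetThreadContext left the target thread suspended for good.
    CONTEXT Context = {0};
    char Buffer[255] = {0};
    BOOL gotContext = FALSE;

    Context.ContextFlags = CONTEXT_FULL;
    // SuspendThread returns (DWORD)-1 on failure, otherwise the previous suspend count.
    if(CECT.SuspendThread(hThread) != (DWORD)-1)
    {
        gotContext = (CECT.GetThreadContext(hThread, &Context) != 0);
        // Resume before displaying anything: Context is already a private copy, and a
        // modal message box must not hold the target thread suspended.
        CECT.ResumeThread(hThread);
    }

    if(!gotContext)
    {
        Exported.ShowMessage("Failed Getting Context");
        return;
    }

    // Eip exists only in the x86 CONTEXT; this plugin is a 32-bit build (it stores
    // pointers in DWORDs elsewhere). A 32-bit value in hex is at most 8 characters, so
    // the 255-byte buffer cannot overflow.
    sprintf(Buffer, "%lx", (unsigned long)Context.Eip);
    Exported.ShowMessage(Buffer);
}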
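BOOL PoolForTargetThreads(ULONG ProcessId)
{
    // Enumerates the threads of ProcessId and snapshots the context of each one it can
    // open. Returns TRUE when the enumeration ran (even if no thread could be opened),
    // FALSE when the snapshot could not be created or held no entries.
    //
    // Fix relative to the first version: the toolhelp snapshot handle was never closed,
    // leaking one kernel object per hooked OpenProcess call.
    THREADENTRY32 te32;
    HANDLE hSnap, hThread;
    BOOL enumerated = FALSE;

    te32.dwSize = sizeof(THREADENTRY32);
    hSnap = CECT.CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId);
    if(hSnap == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    if(CECT.Thread32First(hSnap, &te32) != FALSE)
    {
        do
        {
            // TH32CS_SNAPTHREAD lists every thread on the system, so filter by owner here.
            if(te32.th32OwnerProcessID == ProcessId)
            {
                hThread = CheckThreadHandleInList(te32.th32ThreadID);
                if(hThread != INVALID_HANDLE_VALUE)
                {
                    StartThreadContextSnap(hThread);
                }
            }
        } while(CECT.Thread32Next(hSnap, &te32) != FALSE);
        enumerated = TRUE;
    }

    CloseHandle(hSnap);
    return enumerated;
}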
BOOL APIENTRY DllMain( HANDLE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
    // Standard DLL entry point. No per-attach/detach work is done; every reason code
    // yields TRUE. NOTE(review): the thread handles cached in ThreadHandleList are
    // never closed anywhere in this file - DLL_PROCESS_DETACH would be one place to
    // do that, if desired.
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
BOOL __stdcall GetVersion(PluginVersion *pv , int sizeofpluginversion)
{
    // CE plugin entry point: fills in the plugin's name and SDK version for Cheat Engine.
    // sizeofpluginversion is the size CE allocated for *pv; it is not validated here.
    // NOTE(review): this name overloads the Win32 GetVersion() declared by windows.h,
    // which is only legal because the file is compiled as C++.
    (void)sizeofpluginversion;
    pv->pluginname = "BaNiMiZeR";
    pv->version= 1;
    return TRUE;
}
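BOOL __stdcall InitializePlugin(struct ExportedFunctions *ef , int pluginid)
{
    // CE plugin entry point. Copies CE's exported-function table, resolves the dbk32 /
    // kernel32 exports this plugin calls through the CECT table, registers the
    // function-pointer-change callback and installs the OpenProcess hook.
    // Returns FALSE when dbk32.dll or kernel32.dll cannot be found or a required export
    // is missing; in that case nothing is registered or hooked.
    //
    // Fixes relative to the first version: (1) the parameter `pluginid` shadows the
    // global of the same name, so the RegisterFunction() result was stored in the
    // parameter and DisablePlugin() never saw it; (2) a missing module was reported
    // by skipping the table but the hook was still installed over NULL pointers;
    // (3) GetProcAddress() results were never checked.
    POINTERREASSIGNMENTPLUGIN_INIT init;
    HMODULE dbk32, k32;

    selfid = pluginid;
    Exported = *ef;
    Exported.OpenedProcessHandle = 0;
    Exported.OpenedProcessID = 0;

    dbk32 = GetModuleHandle("dbk32.dll");
    k32 = GetModuleHandle("kernel32.dll");
    if(dbk32 == 0 || k32 == 0)
    {
        Exported.ShowMessage("dbk32.dll or kernel32.dll not loaded");
        return FALSE;
    }

    // Kernel* entries come from dbk32 (CE's driver front end), plain entries from kernel32.
    CECT.ChangeRegOnBP = (ChangeReg)GetProcAddress(dbk32,"ChangeRegOnBP");
    CECT.ContinueDebugEvent = (ContinueDbg)GetProcAddress(k32,"ContinueDebugEvent");
    CECT.CreateToolhelp32Snapshot = (CreateSnapshot)GetProcAddress(k32,"CreateToolhelp32Snapshot");
    CECT.CreateRemoteThread = (CreateRemote)GetProcAddress(k32,"CreateRemoteThread");
    CECT.DBKResumeProcess = (DBKResProcess)GetProcAddress(dbk32,"DBKResumeProcess");
    CECT.DBKResumeThread = (DBKRes)GetProcAddress(dbk32,"DBKResumeThread");
    CECT.DBKSuspendProcess = (DBKSusProcess)GetProcAddress(dbk32,"DBKSuspendProcess");
    CECT.DBKSuspendThread = (DBKSus)GetProcAddress(dbk32,"DBKSuspendThread");
    CECT.DebugActiveProcess = (DbgActive)GetProcAddress(k32,"DebugActiveProcess");
    CECT.DebugProcess = (DbgProcess)GetProcAddress(dbk32,"DebugProcess");
    CECT.getAlternateDebugMethod = (GetDbgMethod)GetProcAddress(dbk32,"getAlternateDebugMethod");
    CECT.GetCR3 = (GCR3)GetProcAddress(dbk32,"GetCR3");
    CECT.GetCR4 = (GCR4)GetProcAddress(dbk32,"GetCR4");
    CECT.GetDebugportOffset = (GetDbgOffset)GetProcAddress(dbk32,"GetDebugportOffset");
    CECT.GetIDTCurrentThread = (GetIDTThread)GetProcAddress(dbk32,"GetIDTCurrentThread");
    CECT.GetIDTs = (GIDTs)GetProcAddress(dbk32,"GetIDTs");
    CECT.GetKProcAddress = (GetKAddress)GetProcAddress(dbk32,"GetKProcAddress");
    CECT.GetLoadedState = (GetState)GetProcAddress(dbk32,"GetLoadedState");
    CECT.GetPEProcess = (GetProc)GetProcAddress(dbk32,"GetPEProcess");
    CECT.GetPEThread = (GetThread)GetProcAddress(dbk32,"GetPEThread");
    CECT.GetPhysicalAddress = (GetAddress)GetProcAddress(dbk32,"GetPhysicalAddress");
    CECT.GetProcessNameFromID = (GetNameFromID)GetProcAddress(dbk32,"GetProcessNameFromID");
    CECT.GetProcessNameFromPEProcess = (GetNameFromPEProcess)GetProcAddress(dbk32,"GetProcessNameFromPEProcess");
    CECT.GetProcessnameOffset = (GetNameOffset)GetProcAddress(dbk32,"GetProcessnameOffset");
    CECT.GetSDT = (GSDT)GetProcAddress(dbk32,"GetSDT");
    CECT.GetSDTShadow = (GSDTShadow)GetProcAddress(dbk32,"GetSDTShadow");
    CECT.GetThreadContext = (GetContext)GetProcAddress(k32,"GetThreadContext");
    CECT.GetThreadListEntryOffset = (GetThreadListOffset)GetProcAddress(dbk32,"GetThreadListEntryOffset");
    CECT.GetThreadsProcessOffset = (GetThreadsOffset)GetProcAddress(dbk32,"GetThreadsProcessOffset");
    CECT.Heap32ListFirst = (HeapFirst)GetProcAddress(k32,"Heap32ListFirst");
    CECT.Heap32ListNext = (HeapNext)GetProcAddress(k32,"Heap32ListNext");
    CECT.IsValidHandle = (IsValid)GetProcAddress(dbk32,"IsValidHandle");
    CECT.KernelAlloc = (KAlloc)GetProcAddress(dbk32,"KernelAlloc");
    CECT.KernelOpenProcess = (ProcessOpen)GetProcAddress(dbk32,"OP");
    CECT.KernelOpenThread = (ThreadOpen)GetProcAddress(dbk32,"OT");
    CECT.KernelReadProcessMemory = (ReadProc)GetProcAddress(dbk32,"RPM");
    CECT.KernelVirtualAllocEx = (VirtAllocEx)GetProcAddress(dbk32,"VAE");
    CECT.KernelWriteProcessMemory = (WriteProc)GetProcAddress(dbk32,"WPM");
    CECT.MakeWritable = (MkWritable)GetProcAddress(dbk32,"MakeWritable");
    CECT.Module32First = (ModuleFirst)GetProcAddress(k32,"Module32First");
    CECT.Module32Next = (ModuleNext)GetProcAddress(k32,"Module32Next");
    CECT.OpenProcess = (ProcessOpen)GetProcAddress(k32,"OpenProcess");
    CECT.OpenThread = (ThreadOpen)GetProcAddress(k32,"OpenThread");
    CECT.Process32First = (ProcFirst)GetProcAddress(k32,"Process32First");
    CECT.Process32Next = (ProcNext)GetProcAddress(k32,"Process32Next");
    CECT.ProtectMe = (Protect)GetProcAddress(dbk32,"ProtectMe");
    CECT.ReadProcessMemory = (ReadProc)GetProcAddress(k32,"ReadProcessMemory");
    CECT.ResumeThread = (ThreadResume)GetProcAddress(k32,"ResumeThread");
    CECT.RetrieveDebugData = (RetrieveDbgData)GetProcAddress(dbk32,"RetrieveDebugData");
    CECT.setAlternateDebugMethod = (SetDbgMethod)GetProcAddress(dbk32,"setAlternateDebugMethod");
    CECT.SetCR3 = (SCR3)GetProcAddress(dbk32,"SetCR3");
    CECT.SetThreadContext = (SetContext)GetProcAddress(k32,"SetThreadContext");
    CECT.StartProcessWatch = (StartWatch)GetProcAddress(dbk32,"StartProcessWatch");
    CECT.StopDebugging = (PVOID)GetProcAddress(dbk32,"StopDebugging");
    CECT.StopRegisterChange = (PVOID)GetProcAddress(dbk32,"StopRegisterChange");
    CECT.SuspendThread = (ThreadSuspend)GetProcAddress(k32,"SuspendThread");
    CECT.Thread32First = (ThreadFirst)GetProcAddress(k32,"Thread32First");
    CECT.Thread32Next = (ThreadNext)GetProcAddress(k32,"Thread32Next");
    // NOTE(review): the plain entry resolves the same dbk32 export as KernelVirtualAllocEx
    // above; by the pattern of the other pairs this looks like it was meant to be
    // kernel32 "VirtualAllocEx" - confirm before relying on it.
    CECT.VirtualAllocEx = (VirtAllocEx)GetProcAddress(dbk32,"VAE");
    CECT.VirtualProtect = (VirtProtect)GetProcAddress(k32,"VirtualProtect");
    CECT.VirtualProtectEx = (VirtProtectEx)GetProcAddress(k32,"VirtualProtectEx");
    // NOTE(review): same question for this dbk32 "VQE" entry versus kernel32 "VirtualQueryEx".
    CECT.VirtualQueryEx = (VirtQueryEx)GetProcAddress(dbk32,"VQE");
    CECT.WaitForDebugEvent = (WaitDbg)GetProcAddress(k32,"WaitForDebugEvent");
    CECT.WaitForProcessListData = (WaitListData)GetProcAddress(dbk32,"WaitForProcessListData");
    CECT.WriteProcessMemory = (WriteProc)GetProcAddress(k32,"WriteProcessMemory");

    // Everything this file calls through CECT must have resolved; otherwise the failure
    // would surface later as a call through NULL from inside the OpenProcess hook.
    if(CECT.KernelOpenProcess == NULL || CECT.OpenThread == NULL ||
       CECT.SuspendThread == NULL || CECT.ResumeThread == NULL ||
       CECT.GetThreadContext == NULL || CECT.CreateToolhelp32Snapshot == NULL ||
       CECT.Thread32First == NULL || CECT.Thread32Next == NULL)
    {
        Exported.ShowMessage("Failed to resolve a required dbk32/kernel32 export");
        return FALSE;
    }

    init.callbackroutine = (CEP_PLUGINTYPE4)FnPointerChange;
    // `::pluginid` is the file-scope global that DisablePlugin() reads; the parameter
    // of the same name (== selfid) shadows it inside this function.
    ::pluginid = Exported.RegisterFunction(selfid, ptFunctionPointerchange, &init);
    Hook_API();
    return TRUE;
}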
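BOOL __stdcall DisablePlugin(void)
{
    // CE plugin entry point: called when the user disables the plugin. Unregisters the
    // function-pointer-change callback that InitializePlugin() registered and forgets
    // its id, so a repeated call does not try to unregister the same id twice.
    // Always returns TRUE, as the first version did.
    if (pluginid!=-1)
    {
        if (Exported.UnregisterFunction(selfid,pluginid) == FALSE)
        {
            Exported.ShowMessage("Failure to unregister a plugin function"); //nothing to be done about this. the plugin is being set on stand by...
        }
        else
        {
            pluginid = -1;
        }
    }
    // NOTE(review): the OpenProcess slots redirected by Hook_API() are not restored here.
    // If CE unloads this DLL after disabling it, those slots still point at
    // Monitor_KernelOpenProcess. Saving each slot's prior contents in Hook_API() and
    // writing them back here would close that gap.
    return TRUE;
}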
DWORD PrevPid = 0; // last process id the hook snapshotted threads for; a repeat open of the same pid is not re-scanned
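HANDLE Monitor_KernelOpenProcess(DWORD Access,BOOL Inherit,DWORD Pid)
{
    // Replacement installed by Hook_API() into CE's OpenProcess / KernelOpenProcess
    // slots. Forwards to the saved original, publishes the resulting handle and pid
    // through Exported, and on the first open of a given pid snapshots the context of
    // every thread in that process. Returns exactly what the original returned.
    //
    // Fixes relative to the first version: OpenProcess reports failure with NULL, which
    // the old `!= INVALID_HANDLE_VALUE` test treated as success (GetProcessId(NULL) then
    // yielded 0 and the thread scan ran against pid 0); and a NULL saved original was
    // called through.
    ProcessOpen oOpenProcess = (ProcessOpen)orig_KernelOpenProcess;

    hTarget = INVALID_HANDLE_VALUE;
    if(oOpenProcess == NULL)
    {
        // Hook_API() had nothing to save - refuse rather than jump to address 0.
        Exported.ShowMessage("Fail");
        return NULL;
    }

    hTarget = oOpenProcess(Access, Inherit, Pid);
    if(hTarget != NULL && hTarget != INVALID_HANDLE_VALUE)
    {
        Exported.OpenedProcessHandle = hTarget;
        hTargetId = GetProcessId(hTarget);   // needs _WIN32_WINNT >= 0x501, defined at the top of this file
        Exported.OpenedProcessID = hTargetId;
        // Scan once per distinct target; CE may open the same process repeatedly.
        if(PrevPid != hTargetId)
        {
            PoolForTargetThreads(hTargetId);
            PrevPid = hTargetId;
        }
        return hTarget;
    }

    Exported.ShowMessage("Fail");
    return hTarget;
}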
void FnPointerChange(int Reserved)
{
    // Callback registered with ptFunctionPointerchange: CE has reassigned its function
    // pointers, so the hook is re-applied. Reserved is not used.
    (void)Reserved;
    Hook_API();
}
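void Hook_API()
{
    // Points both of CE's OpenProcess slots (kernel-mode and user-mode) at
    // Monitor_KernelOpenProcess. Idempotent: FnPointerChange() re-runs it whenever CE
    // reassigns its pointers, and a slot that already holds the hook is left alone.
    // Both slots are served by the dbk32 "OP" export saved in orig_KernelOpenProcess,
    // exactly as in the first version.
    //
    // Fixes relative to the first version: the slot comparisons mixed PVOID* with a
    // function pointer, and the hook was installed even when the dbk32 export had not
    // resolved, leaving orig_KernelOpenProcess NULL.
    // NOTE(review): cSection is declared but never initialised or entered anywhere in
    // this file, so these slot writes are unsynchronised with respect to CE's own use.
    PVOID *kernelSlot = (PVOID*)Exported.KernelOpenProcess;
    PVOID *userSlot = (PVOID*)Exported.OpenProcess;

    if(CECT.KernelOpenProcess == NULL)
    {
        Exported.ShowMessage("Hook not installed: dbk32 OpenProcess export missing");
        return;
    }

    if(kernelSlot != NULL && *kernelSlot != (PVOID)Monitor_KernelOpenProcess)
    {
        // Stored as a DWORD: pointer-sized only on a 32-bit build.
        orig_KernelOpenProcess = (DWORD)CECT.KernelOpenProcess;
        *kernelSlot = (PVOID)Monitor_KernelOpenProcess;
    }
    if(userSlot != NULL && *userSlot != (PVOID)Monitor_KernelOpenProcess)
    {
        *userSlot = (PVOID)Monitor_KernelOpenProcess;
    }
}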
Still working out the bugs, but no BSOD.
Regards, BanMe