OllyAdvanced Bypass

Posted in Other, assembler on August 17th, 2010 by Grzonu

Recently I have been dealing with further methods of detecting a debugger and detaching it.
For example, I applied the method I wrote about two posts ago, which uses NtQuerySystemInformation with the SystemHandleInformation parameter. But if someone uses the OllyAdvanced plugin for Olly, this method is no good. I tried invoking the syscall underlying those functions myself, but OllyAdvanced still modified the results.
The same happened with the NtOpenProcess function, so I could not open the process to get the debugger's handles, nor find the PID of the parent process, because OllyAdvanced changed the results so that the parent process PID == the PID of my test process. Since I was invoking the syscall with my own procedures, OllyAdvanced would either have to set hooks in the kernel (a possibility I had so far rejected), or the only remaining option was sysexit.
But as you know, in Windows we have two mechanisms for invoking a syscall (SYSENTER and INT 2E).
SYSENTER, after returning to user mode, returns to KiFastSystemCallRet, whereas INT 2E returns to the instruction following it.
It is enough to invoke those functions not via SYSENTER but via INT 2E; then OllyAdvanced does not modify the results, and hence the debugger can easily be detected.


Song Downloader

Posted in C++, News on July 23rd, 2010 by Grzonu

I like to download songs I have heard as mp3 (of course, only for 24 ;) ).
I often use wrzuta and services that allow downloading a song from that site.
Unfortunately, wrzuta recently changed the way files are downloaded to resemble Megavideo's way, which is quite hard to download from (to download you need to open an XML file that contains the link, but the link can only be used from the IP address from which the XML was fetched).

The part of the site that allowed downloading stopped working when they introduced a Java script that fetches the song for us. As I do not have Java installed and do not intend to install it, I wrote an applet in C++ that downloads the song from wrzuta.
I wrote the applet for myself, but I decided to make it available to a wider audience. So if it comes in handy for someone for downloading, you are welcome ;)

DOWNLOAD


Another method of debugger detection

Posted in C++ on July 6th, 2010 by Grzonu

Recently I went back to studying debugger detection methods and came up with a method based on NtQuerySystemInformation. Possibly someone has hit on it earlier, but I could not find anything about it.

The method is very simple: using NtQuerySystemInformation with the SystemHandleInformation parameter,
we grab the handles opened by all applications. Among the handles we look for processes that hold a handle to our process, and check whether among that process's handles there is one of type 0xB, i.e. a DebugObject. If there is, it may be a sign that we are being debugged (though it is not 100% certain).

Time for some code :)

We need some variables and functions:

typedef NTSTATUS (WINAPI *NTQSI)(ULONG, PVOID, ULONG, PULONG); // prototype of NtQuerySystemInformation (not in the public headers)
// SystemHandleInformation and the SYSTEM_HANDLE_INFORMATION layout used below are likewise
// undocumented; they are part of the full source linked at the end of the post.
NTSTATUS ntStatus;
DWORD dwParentPID = 0xffffffff;
HANDLE h, h_proc;
ULONG need;
BOOL isDebug = 0;

HMODULE ntdll = GetModuleHandle("ntdll");
NTQSI NtQuerySystemInformation = (NTQSI)GetProcAddress(ntdll, "NtQuerySystemInformation");

Now we call NtQuerySystemInformation:

ULONG size = 0x1000;
SYSTEM_HANDLE_INFORMATION *handles = (SYSTEM_HANDLE_INFORMATION *)malloc(size);
ntStatus = NtQuerySystemInformation(SystemHandleInformation, handles, size, &need);
while (ntStatus == 0xC0000004) // STATUS_INFO_LENGTH_MISMATCH: the buffer is too small, allocate a bigger one
{
    free(handles);
    size = need + 0x1000; // the reported size can already be stale by the time we retry, so add some slack
    handles = (SYSTEM_HANDLE_INFORMATION *)malloc(size);
    ntStatus = NtQuerySystemInformation(SystemHandleInformation, handles, size, &need);
}

At this point we have all the handles present in the system in this structure.
We search among them for handles of type 0x7, i.e. process handles.
If we find one, we open the owning process with PROCESS_DUP_HANDLE rights
and duplicate the handle into our process. Then we check whether it is a handle to our process, and if so, we check whether among that process's handles there is not one of DebugObject type.

And now the practice:

int i = 0;
int j = 0;
for (i = 0; i < handles->HandleCount; i++)
{
    if (handles->Handles[i].ObjectType == 7) // Process (type indices are not stable across Windows versions)
    {
        h = OpenProcess(PROCESS_DUP_HANDLE, FALSE, handles->Handles[i].OwnerPid);
        if (h != 0)
        {
            if (DuplicateHandle(h, (HANDLE)handles->Handles[i].HandleValue, GetCurrentProcess(), &h_proc, 0, FALSE, DUPLICATE_SAME_ACCESS))
            {
                if (GetProcessId(h_proc) == GetCurrentProcessId()) // that process holds a handle to us
                {
                    j = 0;
                    while (j < handles->HandleCount) // does the same owner also hold a DebugObject?
                    {
                        if (handles->Handles[i].OwnerPid == handles->Handles[j].OwnerPid && handles->Handles[j].ObjectType == 0xb)
                        {
                            isDebug = 1;
                        }
                        j++;
                    }
                }
                CloseHandle(h_proc); // the duplicated handle must be released, otherwise it leaks
            }
            CloseHandle(h);
        }
    }
}

At the end we print the search result and free the buffer:

if (isDebug == 1)
{
    printf("Debugger wykryty\n"); // "Debugger detected"
}
else
{
    printf("Nie wykryto debuggera\n"); // "No debugger detected"
}
if (handles) free(handles);

The whole program code can be downloaded HERE

PS.
With plain Olly this method detects the debugger easily, but with the StrongOD plugin for Olly, for example, it does not.
This plugin makes, among other things, the handle list for this process empty. That is itself quite distinctive, because every program holds some handles. In addition, we can check whether our process has a parent that holds handles (or whether it has any at all).
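The scan above, and the "empty handle list" symptom from the PS, as an added example that is not part of the original post: the same nested loop run over a constructed SystemHandleInformation-style table so the logic can be exercised without NtQuerySystemInformation. The type indices, PIDs and handle values are constructed; the handle-duplication step is replaced by a TargetPid field.

```cpp
#include <cstdint>
#include <vector>

// Object type indices as the post hard-codes them. They are hypothetical here and,
// on a real system, differ between Windows versions, so they should be looked up at
// runtime (e.g. via the object type name) rather than assumed.
const uint8_t TYPE_PROCESS  = 7;
const uint8_t TYPE_DEBUGOBJ = 0xb;

// One row of a SystemHandleInformation-style table, with the fields the post's
// loop reads plus the PID a process handle refers to (the real scan learns that
// by duplicating the handle and calling GetProcessId on the copy).
struct HandleEntry {
    uint32_t OwnerPid;
    uint8_t  ObjectType;
    uint16_t HandleValue;
    uint32_t TargetPid;   // only meaningful when ObjectType == TYPE_PROCESS
};

struct ScanResult {
    bool debugObjectSeen;    // a process holding a handle to us also owns a DebugObject
    bool ownHandlesMissing;  // our PID owns no handles at all: the empty list the PS attributes to StrongOD
    int  holders;            // how many other processes hold a handle to us
};

// The post's nested loop, with the handle-duplication step replaced by TargetPid.
ScanResult scanHandles(const std::vector<HandleEntry>& table, uint32_t myPid) {
    ScanResult r{false, true, 0};
    for (const HandleEntry& e : table) {
        if (e.OwnerPid == myPid) r.ownHandlesMissing = false;
        // Only process handles held by someone else that point at us are interesting.
        if (e.ObjectType != TYPE_PROCESS || e.TargetPid != myPid || e.OwnerPid == myPid) continue;
        r.holders++;
        for (const HandleEntry& o : table)  // does that holder also own a DebugObject?
            if (o.OwnerPid == e.OwnerPid && o.ObjectType == TYPE_DEBUGOBJ) r.debugObjectSeen = true;
    }
    return r;
}

// Constructed table: pid 100 is "us"; pid 200 is a debugger holding both a handle to
// us and a DebugObject; pid 300 is an unrelated tool that merely holds a handle to us.
std::vector<HandleEntry> debuggedTable() {
    return {
        {100, 0x1c,          0x04, 0},
        {200, TYPE_PROCESS,  0x2c, 100},
        {200, TYPE_DEBUGOBJ, 0x30, 0},
        {300, TYPE_PROCESS,  0x10, 100},
        {300, TYPE_PROCESS,  0x14, 400},
    };
}

// Same table without the debugger: only the unrelated tool holds a handle to us.
std::vector<HandleEntry> cleanTable() {
    return {
        {100, 0x1c,          0x04, 0},
        {300, TYPE_PROCESS,  0x10, 100},
        {300, TYPE_PROCESS,  0x14, 400},
    };
}

// Table as the PS describes it under StrongOD: our own handles have been hidden,
// which the DebugObject check alone would miss but ownHandlesMissing flags.
std::vector<HandleEntry> hiddenTable() {
    return {
        {300, TYPE_PROCESS,  0x10, 100},
    };
}
```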


Detection of IAT hooking

Posted in C++, Security on June 25th, 2010 by Grzonu

As promised, here it is. Today I want to discuss IAT hooking and how to detect it.
In some time I will try to write something about EAT hooks and code modifications.

Well, so here we go.
First a few words about what IAT hooking itself is: it is a technique of hooking a function by replacing the function address stored in the IAT with the address of
a function contained in another DLL, or simply somewhere in memory. I will not write about setting the hooks themselves; there are tens of
ready-made libraries and hundreds of code samples, so I think those who have not mastered it should fill the gap as soon as possible using Google.

Now something about detecting these hooks. I will describe the steps you have to take:
1. Locate the exe file of the process in which we want to look for hooks.
2. Find the IAT in that file and check all the functions contained in the IAT.
3. Check which module, according to the IAT, the function should be in.
4. Take that module's ImageBase and size and check whether the address in the IAT lies within that range.
If so, everything is OK; if not, check which module the address points into.

So much for theory.
Time for practice.

Required headers:

#include <windows.h>
#include <stdio.h>
#include <string>
#include <Tlhelp32.h>
#include <vector>
#include <Psapi.h>
#include <fstream>
#include "PE_class.h" // my class for handling PE files (provided along with the rest of the code)
#pragma comment(lib, "psapi.lib")

Global variables:

HANDLE hProc;        // handle to the process
DWORD pid;           // process ID
DWORD MainImageBase; // ImageBase of the process

Main:

int main(int argc, char *argv[])
{
    printf("\n\nIAT Hook detector v. 1.0 by Grzonu\n\n");

    if (argc != 2) // check that the parameter was given; if not, exit
    {
        printf("usage: %s <pid>\n\n", argv[0]);
        return 0;
    }
    pid = atoi(argv[1]); // get the PID
    DWORD IB = 0;
    DWORD ImgSize = 0;
    FindImageBase(pid, &IB, &ImgSize); // find the ImageBase and size of the process
    printf("ImageBase: 0x%.8x\nImageSize: 0x%.8x\n\n", IB, ImgSize);

    hProc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid); // open it
    if (hProc == 0) // if that failed, exit
    {
        printf("can`t open process\n");
        return 0;
    }
    char *buf = LoadMod(IB); // load the file
    MainImageBase = IB;
    PE_file PE((HMODULE)buf);
    IAT(&PE); // look for hooks
    free(buf); // free the buffer allocated in LoadMod
    CloseHandle(hProc);

    return 0;
}

Now we describe each of the functions. To begin with, FindImageBase() looks for the ImageBase and size of the process:

DWORD FindImageBase(DWORD pid, DWORD *IB, DWORD *ImgSize) // takes the process ID and pointers to the output variables
{
    PROCESSENTRY32 lppe32;
    char buf[260];
    memset(buf, 0, 260);
    HANDLE hSnapshot;
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // snapshot of the process list
    lppe32.dwSize = sizeof(PROCESSENTRY32);

    Process32First(hSnapshot, &lppe32);
    do
    {
        if (lppe32.th32ProcessID == pid) // look for our process
        {
            strcpy(buf, lppe32.szExeFile);
            break;
        }
    } while (Process32Next(hSnapshot, &lppe32));
    CloseHandle(hSnapshot);
    if (buf[0] == 0) // if it was not found, return 0
    {
        return 0;
    }

    MODULEENTRY32 mod32;
    std::string x;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid); // snapshot of the module list of the process we found
    mod32.dwSize = sizeof(MODULEENTRY32);

    Module32First(hSnapshot, &mod32);
    do
    {
        x = mod32.szExePath;
        if (x.find(buf) != std::string::npos) // check whether this is the main module of the program
        { // if so, fill in the output variables
            *IB = (DWORD)mod32.modBaseAddr;
            *ImgSize = mod32.modBaseSize;
        }
    } while (Module32Next(hSnapshot, &mod32));
    CloseHandle(hSnapshot);
    return 1;
}

So we now have the ImageBase and ImageSize of the process. Now we come to the function that loads the module's code from the file pointed to by the ImageBase.
This will cover not only the main program code but also all the libraries. We need to take ImageSize from the file, because the module's ImageSize
in memory is very easy to change, so that a hook placed in the code of a second library would appear to be in range simply by changing the module's ImageSize in memory.

char *LoadMod(DWORD IB)
{
    char ProcName[260];
    GetModuleFileNameEx(hProc, (HMODULE)IB, ProcName, 260); // get the full path of the module's binary
    std::ifstream f(ProcName, std::ios::binary); // open the file
    char *buf;
    f.seekg(0, std::ios::end);
    int size = f.tellg();
    f.seekg(0, std::ios::beg);
    buf = (char *)malloc(size); // allocate the buffer (remember to free it later)
    memset(buf, 0, size);
    int i = 0;
    char ch;
    while (i < size)
    {
        f.get(ch); // read the file byte by byte
        buf[i] = ch;
        i++;
    }
    f.close();
    return buf; // return the buffer
}

Now for the main function, IAT(), which aims to find all the functions imported by the application and check whether they are hooked.
This function uses several other functions, which I will also discuss along the way.

void IAT(PE_file *PE)
{
    HINSTANCE hInstance = (HINSTANCE)PE->buf;
    PIMAGE_DOS_HEADER pdosheader = (PIMAGE_DOS_HEADER)hInstance; // get the headers
    PIMAGE_NT_HEADERS pntheaders = (PIMAGE_NT_HEADERS)((DWORD)hInstance + pdosheader->e_lfanew); // and so on...
    PIMAGE_SECTION_HEADER psectionheader = (PIMAGE_SECTION_HEADER)(pntheaders + 1);
    // find the import directory in the PE header; since we are reading the file and not the process,
    // remember to convert the address from an RVA to a raw file offset
    PIMAGE_IMPORT_DESCRIPTOR pimportdescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)hInstance + PE->RVA_to_RAW(pntheaders->OptionalHeader.DataDirectory[1].VirtualAddress));
    PIMAGE_THUNK_DATA pthunkdatain, pthunkdataout;
    PIMAGE_IMPORT_BY_NAME pimportbyname;
    DWORD dw;
    PCHAR ptr;
    DWORD IB;
    char *buf;
    DWORD ImgSize;
    PIMAGE_OPTIONAL_HEADER32 opt;
    DWORD address;
    DWORD IAT_adr;
    DWORD read;
    int i = 0;
    while (pimportdescriptor->TimeDateStamp != 0 || pimportdescriptor->Name != 0) // walk the imports until they run out :)
    {
        ptr = (PCHAR)((DWORD)hInstance + PE->RVA_to_RAW((DWORD)pimportdescriptor->Name)); // name of the DLL
        i = 0;
        IB = FindModule(ptr); // finds the ImageBase from the library name (discussed further down)
        if (IB == 0) // the DLL is not loaded in the process, so there is nothing to compare against
        {
            printf("%s --- module not found\n", ptr);
            pimportdescriptor++;
            continue;
        }
        buf = LoadMod(IB); // the loading function described earlier
        PE_file PE2((HMODULE)buf); // load the code into the class
        opt = PE2.GetOptionalHeader(); // get the optional header
        ImgSize = opt->SizeOfImage; // the field we need from it, i.e. ImageSize
        free(buf); // free the buffer
        pthunkdataout = (PIMAGE_THUNK_DATA)((DWORD)hInstance + PE->RVA_to_RAW((DWORD)pimportdescriptor->FirstThunk)); // where the addresses in the IAT begin
        if (pimportdescriptor->Characteristics == 0)
        {
            pthunkdatain = pthunkdataout; // the structure from which we take the function names
        }
        else
        {
            pthunkdatain = (PIMAGE_THUNK_DATA)((DWORD)hInstance + PE->RVA_to_RAW((DWORD)pimportdescriptor->Characteristics)); // same thing ;)
        }
        while (pthunkdatain->u1.AddressOfData != NULL) // as long as there are functions left
        {
            if ((DWORD)pthunkdatain->u1.Ordinal & IMAGE_ORDINAL_FLAG) // imported by ordinal
            {
                LPSTR x = MAKEINTRESOURCE(LOWORD(pthunkdatain->u1.Ordinal)); // the ordinal
                address = MainImageBase + (pimportdescriptor->FirstThunk + (i * 4)); // address of the IAT slot holding the function address
                ReadProcessMemory(hProc, (LPCVOID)address, &IAT_adr, 4, &read); // read the function address stored in that slot
                if (IAT_adr < IB || IAT_adr > (IB + ImgSize)) // check whether the address lies within its own module
                { // if not, check which module the function is in
                    DWORD HookBase = FindHookModule(IAT_adr); // ImageBase of the module containing this function (discussed later)
                    char modname[260];
                    if (HookBase == 0) // no such module, so this is simply allocated memory, e.g. from VirtualAllocEx
                    {
                        strcpy(modname, "Virtual Memory");
                    }
                    else // otherwise get the path to that module
                    {
                        GetModuleFileNameEx(hProc, (HMODULE)HookBase, modname, 260);
                    }
                    printf("Ord: %x(%s) --- Hooked by %s(0x%.8x)\n", x, ptr, modname, IAT_adr); // print the result :)
                }
            }
            else
            {
                pimportbyname = (PIMAGE_IMPORT_BY_NAME)(PE->RVA_to_RAW((DWORD)pthunkdatain->u1.AddressOfData) + (DWORD)hInstance);
                address = MainImageBase + (pimportdescriptor->FirstThunk + (i * 4)); // same as above
                ReadProcessMemory(hProc, (LPCVOID)address, &IAT_adr, 4, &read);
                if (IAT_adr < IB || IAT_adr > (IB + ImgSize))
                {
                    DWORD HookBase = FindHookModule(IAT_adr);
                    char modname[260];
                    if (HookBase == 0)
                    {
                        strcpy(modname, "Virtual Memory");
                    }
                    else
                    {
                        GetModuleFileNameEx(hProc, (HMODULE)HookBase, modname, 260);
                    }
                    printf("%s(%s) --- Hooked by %s(0x%.8x)\n", (char *)pimportbyname->Name, ptr, modname, IAT_adr);
                }
            }
            i++; // next function
            pthunkdatain++;
            pthunkdataout++;
        }
        pimportdescriptor++; // next DLL
    }
}

Two functions remain, which I will discuss in detail:

void str_tolower(char *str) // converts a string to lowercase in place
{
    int i = 0;
    int size = strlen(str);

    while (i < size)
    {
        str[i] = tolower(str[i]);
        i++;
    }
}

DWORD FindModule(char *mod_name)
{
    MODULEENTRY32 mod32;
    std::string x;
    DWORD base = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid); // I have already talked about this
    mod32.dwSize = sizeof(MODULEENTRY32);
    str_tolower(mod_name);

    Module32First(hSnapshot, &mod32);
    do
    {
        str_tolower(mod32.szExePath);
        x = mod32.szExePath;

        if (x.find(mod_name) != std::string::npos) // if this is the module we are looking for, return its ImageBase
        {
            base = (DWORD)mod32.modBaseAddr;
            break; // remember the result and leave the loop so the snapshot handle is still closed
        }
    } while (Module32Next(hSnapshot, &mod32));
    CloseHandle(hSnapshot);
    return base;
}

DWORD FindHookModule(DWORD Address) // finds the ImageBase of the module in which the function lies
{
    MODULEENTRY32 mod32;
    DWORD base = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    mod32.dwSize = sizeof(MODULEENTRY32);

    Module32First(hSnapshot, &mod32);
    do
    {
        // if the address lies in the range <ImageBase; ImageBase+ImageSize>, return that ImageBase
        if (Address >= (DWORD)mod32.modBaseAddr && Address <= (DWORD)(mod32.modBaseAddr + mod32.modBaseSize))
        {
            base = (DWORD)mod32.modBaseAddr;
            break;
        }
    } while (Module32Next(hSnapshot, &mod32));
    CloseHandle(hSnapshot);
    return base;
}
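The decision step of the scan (step 4 above, together with the point that ImageSize must come from the file rather than from memory), as an added example that is not part of the original post or its download: the range check run over a constructed module snapshot and IAT dump, so it can be exercised without OpenProcess or ReadProcessMemory. All module paths, base addresses, sizes and IAT values are constructed; findModule and findModuleByAddress stand in for the post's FindModule and FindHookModule.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

struct Module {
    std::string path;  // full path as a module snapshot would report it
    uint32_t base;     // modBaseAddr
    uint32_t memSize;  // modBaseSize from the in-memory snapshot (can be tampered with)
    uint32_t fileSize; // SizeOfImage taken from the module's file on disk (what the post uses)
};

struct IatSlot {
    std::string dll;      // DLL named in the import descriptor
    std::string function; // imported function name
    uint32_t value;       // address currently stored in the process's IAT slot
};

struct Verdict {
    std::string function;
    bool hooked;
    std::string hookedBy; // module path, "Virtual Memory", or empty when not hooked
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}

// Which size to trust for the module's address range.
static uint32_t moduleSize(const Module& m, bool useFileSize) {
    return useFileSize ? m.fileSize : m.memSize;
}

// Stand-in for the post's FindModule: the module whose path contains the DLL name.
static const Module* findModule(const std::vector<Module>& mods, const std::string& dll) {
    std::string needle = lower(dll);
    for (const Module& m : mods)
        if (lower(m.path).find(needle) != std::string::npos) return &m;
    return nullptr;
}

// Stand-in for the post's FindHookModule: the module whose range contains addr.
static const Module* findModuleByAddress(const std::vector<Module>& mods, uint32_t addr, bool useFileSize) {
    for (const Module& m : mods)
        if (addr >= m.base && addr < m.base + moduleSize(m, useFileSize)) return &m;
    return nullptr;
}

// Step 4 of the post for every IAT slot. useFileSize selects the on-disk SizeOfImage
// (the post's choice) or the in-memory modBaseSize, to show why the former matters.
std::vector<Verdict> scanIat(const std::vector<Module>& mods, const std::vector<IatSlot>& slots, bool useFileSize) {
    std::vector<Verdict> out;
    for (const IatSlot& s : slots) {
        const Module* owner = findModule(mods, s.dll);
        Verdict v{s.function, false, ""};
        if (owner == nullptr) {
            v.hooked = true;               // the import names a DLL that is not loaded at all
            v.hookedBy = "unknown module";
        } else if (s.value < owner->base || s.value >= owner->base + moduleSize(*owner, useFileSize)) {
            v.hooked = true;
            const Module* h = findModuleByAddress(mods, s.value, useFileSize);
            v.hookedBy = h ? h->path : "Virtual Memory";
        }
        out.push_back(v);
    }
    return out;
}

// Constructed snapshot. kernel32's in-memory size has been inflated to 0x200000 so that it
// "covers" hook.dll, which sits right behind it; the file reports the true 0xf6000.
std::vector<Module> sampleModules() {
    return {
        {"C:\\Windows\\system32\\kernel32.dll", 0x7c800000, 0x200000, 0xf6000},
        {"C:\\Windows\\system32\\user32.dll",   0x7e410000, 0x91000,  0x91000},
        {"C:\\tools\\hook.dll",                 0x7c900000, 0x8000,   0x8000},
    };
}

// Constructed IAT contents of the scanned process.
std::vector<IatSlot> sampleIat() {
    return {
        {"KERNEL32.dll", "CreateFileA", 0x7c801a28}, // still points into kernel32
        {"KERNEL32.dll", "WriteFile",   0x7c901230}, // redirected into hook.dll
        {"USER32.dll",   "MessageBoxA", 0x00380000}, // redirected into anonymous memory
    };
}

int countHooked(const std::vector<Verdict>& v) {
    int n = 0;
    for (const Verdict& x : v) if (x.hooked) n++;
    return n;
}
```

With the on-disk size the WriteFile hook is attributed to hook.dll; with the tampered in-memory size the same slot looks in range and only the anonymous-memory hook is reported.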

I think this is enough for today.
The presented method is simple and yet effective (though of course it can also be bypassed).
If I forgot about something, I will add it soon! ;)

I attach the code for VC++ and the binaries ;)
Link


I'll be back

Posted in News on June 23rd, 2010 by Grzonu

Well, this post departs from the general topic of the blog, but I think it is worth writing :)
Firstly I would like to deny the rumours that I was in a coma (wtf?) and cut off the discussion on this subject which reportedly took place on IRC xD
So I am alive and well in August :) and anxiously await the results of the baccalaureate.

In the near future I plan to write a few things for this blog, because lately it has been empty and more and more people ask when I will write something new.

Well, taking the occasion, have a nice holiday ;)


April Fool's day

Posted in News on April 1st, 2010 by Grzonu

Well, as we know, today is the day for all kinds of jokes :)
The first one I found on the web is the page of Gynvael Coldwind, which was allegedly hacked ( LINK ); the page looks very realistic ;)

Well, we are waiting for further jokes ;)

// Update
Well, at last :)
As expected, something from niebezpiecznik.pl, namely a post about niebezpiecznik.pl having been purchased by the Issuer ;) Congratulations on the ingenuity :D


Online video search engine

Posted in News on March 16th, 2010 by Grzonu

Today I launched an online video search engine.
The search engine searches the web for interesting films matching the title we give it and displays the result.
Feel free to use it.

SEARCH


Looking for information about a person

Posted in Articles on March 14th, 2010 by Grzonu


It often happens that we want to find out as much as possible about a certain person. OK, never mind why; let us look at what data we can learn.
The whole approach is to follow the thread to the ball, that is, having one or two pieces of information, find many more. Any search engine, comparison tools and other such utilities are very useful.
In principle any minimal piece of information is useful: IP, e-mail, pictures, accounts on social networking sites, friends, phone number, GG number, an avatar on a forum, simply everything we have. What can we do with an IP address, for example... hmm, probably only check the host and any info about this IP, e.g. using ip.boo.pl.
In the vast majority of cases we get nothing more than the hosting server of the ISP of the person sought. Well, but that is already something. Based on it we can determine whether the person lives in Poland and in which part of the country.
If we have an e-mail address, we google that address; thanks to that we get to the pages on which the person we are looking for has registered, and what they are interested in. On these pages we look for further things such as the GG number, the forum avatar and other details. We can get to their social networking profiles, such as nasza-klasa, or to photos. Well, these things are a real treat for people who are trying to learn something, because very often people write a lot of data in their profile, such as name, address, phone number, GG. We can find out who they know and whether we have mutual friends. We often see pictures from holidays, from home, from events and many other places. Sometimes it is even possible to find out where the photo was taken, if the camera was equipped with GPS, as is the case with the iPhone camera, which lets it save the location where the picture was taken, which we could read about for example on niebezpiecznik.
Images, avatars and other graphic files can be used to learn something about the person sought, for example thanks to the site tineye.com, which shows us whether the same image, or a modified version of it, appears somewhere else. Thanks to that, we again hit pages which the person sought uses.
In most cases we are able to find a lot of information about a person. And if someone is anxious that Google says nothing about them, well, in 90% of cases people themselves provide the information that allows them to be found.


Contd. Change

Posted in News on March 4th, 2010 by Grzonu

Today I started moving the site to new, better, faster hosting. The old transfer limit and space stopped being enough, and several times the site was almost at the limit. So I moved to a bigger server with 100x more space and a more than 100x bigger transfer limit ;) I hope it will improve the browsing experience ;) All this thanks to the company az.pl, which not only gave me a free domain but also gave me web hosting at a very affordable price :)

For a few days some links may not work, but I will try to correct that as soon as possible.


Change of address

Posted in News on February 22nd, 2010 by Grzonu

From today the address of the page changes to grzonu.com.pl.
The old address will continue to work in parallel with the new one for about a month.
