Embedded Files
We don't display ads so we rely on your Bitcoin donations to 1KWEk9QaiJb2NwP5YFmR24LyUBa4JyuKqZ
Post date: Mar 16, 2010 3:45:11 PM
{
Unit: uRedirectAPI
Author: steve10120
Description: Redirect imported API's, making rebuilding after dump harder.
Notes: This is just a simple [mov eax, xxxx >> jmp eax] to the API, if you want to defeat generic tracing functions you should obfuscate it somehow.
Website: hackhound.org
History: First try
}
unit uRedirectAPI;interfaceuses Windows;function RedirectAPIs(dwModule:DWORD):Boolean;type PImageImportDescriptor = ^TImageImportDescriptor; TImageImportDescriptor = packed record OriginalFirstThunk: DWORD; TimeDateStamp: DWORD; ForwarderChain: DWORD; Name: DWORD; FirstThunk: DWORD; end;type PImportByName = ^TImportByName; TImportByName = packed record Name1: DWORD; end;implementationfunction RedirectAPIs(dwModule:DWORD):Boolean;var IDH: PImageDosHeader; INH: PImageNtHeaders; IID: PImageImportDescriptor; IBN: PImportByName; pMem: Pointer; pFunction: Pointer; pWrite: ^Pointer; dwNull: DWORD; xVirtualAlloc:function(lpvAddress: Pointer; dwSize, flAllocationType, flProtect: DWORD): Pointer; stdcall;begin Result := FALSE; IDH := Pointer(dwModule); if IDH.e_magic = IMAGE_DOS_SIGNATURE then begin INH := Pointer(dwModule + IDH._lfanew); if INH.Signature = IMAGE_NT_SIGNATURE then begin xVirtualAlloc := GetProcAddress(GetModuleHandle('kernel32.dll'), 'VirtualAlloc'); VirtualProtect(Pointer(dwModule + INH.OptionalHeader.DataDirectory[1].VirtualAddress), INH.OptionalHeader.DataDirectory[1].Size, PAGE_EXECUTE_READWRITE, dwNull); IID := Pointer(dwModule + INH.OptionalHeader.DataDirectory[1].VirtualAddress); while IID.Name <> 0 do begin if IID.OriginalFirstThunk <> 0 then IBN := Pointer(dwModule + IID.OriginalFirstThunk) else IBN := Pointer(dwModule + IID.FirstThunk); pWrite := Pointer(dwModule + IID.FirstThunk); while IBN.Name1 <> 0 do begin if (IBN.Name1 and $80000000) <> 0 then begin pFunction := pWrite^; pMem := xVirtualAlloc(nil, 7, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE); if pMem <> nil then begin PByte(pMem)^ := $B8; PDWORD(DWORD(pMem) + 1)^ := DWORD(pFunction); PByte(DWORD(pMem) + 5)^ := $FF; PByte(DWORD(pMem) + 6)^ := $E0; pWrite^ := pMem; end; end else begin pFunction := pWrite^; pMem := xVirtualAlloc(nil, 7, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE); if pMem <> nil then begin PByte(pMem)^ := $B8; PDWORD(DWORD(pMem) + 1)^ := DWORD(pFunction); PByte(DWORD(pMem) + 5)^ := $FF; PByte(DWORD(pMem) + 6)^ := $E0; pWrite^ := pMem; end; end; Inc(IBN, SizeOf(IBN)); Inc(pWrite); end; Inc(IID) end; Result := TRUE; end; end;end;end.Usage:
RedirectAPIs(GetModuleHandle(nil));Google Sites
Report abuse