Código
;-----------------------------------------------------------------------
; Demonstration of an inline (JMP) hook on kernel32.OpenProcess placed
; into another process (the name in `Process`), so that calls naming the
; PID of the process in `Protect` return 0 instead of reaching the API.
;
; Syntax/ABI: MASM32, 32-bit flat, stdcall (Win32 x86).
; Flow:
;   1. Walk a Toolhelp snapshot and record the PIDs of `Process` (the one
;      to be hooked, -> ProcessId) and `Protect` (-> ProcessProtect).
;   2. Resolve OpenProcess, copy the `_Hook`..`_EndHook` stub into the
;      target with VirtualAllocEx/WriteProcessMemory, then overwrite the
;      first 5 bytes of OpenProcess with `JMP stub`.
; Educational listing: the stub depends on exact instruction encodings
; and hand-computed offsets, so it is documented rather than restyled.
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
include C:\masm32\include\windows.inc
include C:\masm32\include\kernel32.inc
includelib C:\masm32\lib\kernel32.lib

.data
ProcessId       dd 0                    ; PID of the process that gets hooked
ProcessProtect  dd 0                    ; PID that the hook refuses to open
hProcess        dd 0                    ; handle from OpenProcess on ProcessId
APIAddress      dd 0                    ; address of kernel32.OpenProcess
SnapshotHandle  dd 0                    ; CreateToolhelp32Snapshot result (never closed)
DistanceFunc    dd 0                    ; size of the stub: _EndHook - _Hook
fAddress        dd 0                    ; remote buffer returned by VirtualAllocEx
Bytesw          dd 0                    ; scratch dword for *lpNumberOfBytes / old-protect
_JMP            db 5 dup(?)             ; E9 rel32 written over the API entry
Diference       dd 0                    ; NOTE(review): unused
Buff            db 0                    ; first byte read back from the API entry
_PROCESSENTRY32 PROCESSENTRY32 <?>
Process         db "taskmgr.exe",0      ; process to hook
API             db "OpenProcess",0      ; export to hook
lLibrary        db "kernel32.dll",0
Protect         db "notepad.exe",0      ; process to protect

.code
start:
        ; dwSize must be set before Process32Next; 0128h = sizeof(PROCESSENTRY32), ANSI
        mov     dword ptr[_PROCESSENTRY32.dwSize], 0128h
_Begin:                                 ; NOTE(review): label is never referenced
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        mov     dword ptr[SnapshotHandle],eax
_Cmp:
        ; NOTE(review): enumeration starts with Process32Next and never calls
        ; Process32First; the documented contract expects Process32First first.
        invoke  Process32Next,dword ptr[SnapshotHandle], addr _PROCESSENTRY32
        mov     edi, eax                ; edi = "another entry was read" (edi survives stdcall calls)
        ; lstrcmp is case-sensitive; a differently-cased szExeFile will not match
        invoke  lstrcmp,addr Process, addr _PROCESSENTRY32.szExeFile
        or      eax, eax
        jz      _GetPID2                ; found the process to hook
        invoke  lstrcmp,addr Protect, addr _PROCESSENTRY32.szExeFile
        or      eax, eax
        jz      _GetPID                 ; found the process to protect
_Continue:
        or      edi, edi
        jz      _Exit                   ; snapshot exhausted without finding both
        jnz     _Cmp                    ; always taken here (ZF is clear after jz falls through)
_Proc:
        ; Both PIDs known. Resolve the API address in this process; kernel32
        ; is mapped at the same base in the target, which the code relies on.
        invoke  GetModuleHandle, addr lLibrary
        invoke  GetProcAddress, eax, addr API
        mov     dword ptr[APIAddress], eax      ; NOTE(review): no NULL check
        mov     eax, offset _EndHook
        mov     ebx, offset _Hook
        sub     eax, ebx
        mov     dword ptr[DistanceFunc], eax    ; stub length in bytes
        invoke  OpenProcess,PROCESS_ALL_ACCESS,FALSE,dword ptr [ProcessId]
        mov     dword ptr [hProcess], eax       ; NOTE(review): no NULL check
        ; Already hooked? The first byte of the API is E9 (JMP rel32) after a
        ; previous run, so bail out instead of chaining a second jump.
        invoke  ReadProcessMemory,dword ptr[hProcess], dword ptr [APIAddress], addr Buff, 1, addr Bytesw
        cmp     byte ptr [Buff], 0E9h
        jz      _Exit
        ; Remote RWX buffer sized to the stub. NOTE(review): the return value
        ; is not checked; on failure fAddress stays 0 and the JMP written
        ; below would send the target to an invalid address.
        invoke  VirtualAllocEx,dword ptr [hProcess],NULL,dword ptr[DistanceFunc],MEM_RESERVE or MEM_COMMIT,PAGE_EXECUTE_READWRITE
        mov     dword ptr [fAddress], eax
        ; Make the local copy of the stub writable so its two immediates can
        ; be patched in place; 10 bytes covers the two 5-byte `mov r32, imm32`.
        mov     ecx, offset _Hook
        invoke  VirtualProtect,ecx,10,PAGE_EXECUTE_READWRITE,addr Bytesw
        mov     ebx, dword ptr[APIAddress]
        add     ebx, 5
        mov     dword ptr[_Hook + 1], ebx       ; imm32 of `mov eax, ...` = API + 5
        mov     ebx, dword ptr[ProcessProtect]
        mov     dword ptr[_Hook + 6], ebx       ; imm32 of `mov ecx, ...` = protected PID
        mov     ecx, offset _Hook
        invoke  WriteProcessMemory,dword ptr[hProcess], dword ptr [fAddress], ecx, dword ptr [DistanceFunc], addr Bytesw
        ; Unprotect the 5 bytes at the API entry and write `JMP stub`.
        ; rel32 is relative to the end of the JMP, i.e. API + 5; APIAddress is
        ; temporarily bumped by 5 for the subtraction and restored afterwards.
        invoke  VirtualProtectEx,dword ptr[hProcess],dword ptr [APIAddress], 5, PAGE_EXECUTE_READWRITE, addr Bytesw
        mov     byte ptr [_JMP], 0E9h
        mov     edx, dword ptr [fAddress]
        add     dword ptr [APIAddress],5
        sub     edx, dword ptr [APIAddress]     ; edx = stub - (API + 5)
        mov     dword ptr [_JMP +1], edx
        sub     dword ptr [APIAddress], 5
        invoke  WriteProcessMemory,dword ptr [hProcess], dword ptr[APIAddress], addr _JMP, 5, addr Bytesw
        invoke  CloseHandle, dword ptr [hProcess]
_Exit:
        invoke  ExitProcess,0           ; SnapshotHandle is never closed; process exit reclaims it

;-----------------------------------------------------------------------
; _Hook .. _EndHook: position-independent stub copied into the target.
; Runs in place of the first 5 bytes of OpenProcess, with the caller's
; arguments still on the stack (stdcall, 3 dwords).
; The two leading `mov r32, imm32` MUST stay 5-byte B8/B9 encodings: the
; installer patches their immediates at _Hook+1 and _Hook+6, so replacing
; `mov eax, 0` by `xor eax, eax` here would break the patch offsets.
; NOTE(review): the overwritten 5 bytes of OpenProcess are never executed;
; the stub performs its own `push ebp / mov ebp, esp` and then jumps to
; API + 5, so it only behaves correctly if those 5 bytes were exactly an
; equivalent prologue. That is not verified by the code.
;-----------------------------------------------------------------------
_Hook:
        mov     eax, 00000000h          ; patched: API address + 5
        mov     ecx, 00000000h          ; patched: protected PID
        push    ebp                     ; stack frame, mirrors the skipped prologue
        mov     ebp, esp
        pushad
        cmp     ecx, dword ptr [ebp + 10h]      ; [ebp+10h] = third arg (dwProcessId)
        jz      _Hooked                 ; caller wants the protected PID
        popad                           ; restore registers
        jmp     eax                     ; continue in OpenProcess at API + 5
_Hooked:
        popad
        mov     esp, ebp
        pop     ebp
        mov     eax, 0                  ; return NULL (no SetLastError is performed)
        retn    0Ch                     ; stdcall: pop the 3 dword arguments
_EndHook:

; Snapshot-walk helpers: store the PID of the current entry, then decide
; whether both PIDs are known (-> _Proc) or enumeration continues (-> _Cmp).
_GetPID:
        mov     eax, dword ptr [_PROCESSENTRY32.th32ProcessID]
        mov     dword ptr[ProcessProtect],eax
        jmp     _Found
_GetPID2:
        mov     eax, dword ptr [_PROCESSENTRY32.th32ProcessID]
        mov     dword ptr[ProcessId],eax
        jmp     _Cmp2
_Found:
        cmp     [ProcessId],0
        jz      _Cmp                    ; hooked process not yet found
        jmp     _Cmp2
_Cmp2:
        cmp     dword ptr[ProcessProtect],0
        jnz     _Proc                   ; both PIDs known
        jmp     _Cmp
end start
Información:
Este es un pequeño ejemplo de enganchar (hookear) la función Kernel32.OpenProcess, la cual permite abrir un proceso por muchos motivos (cerrarlo, obtener información, modificarlo, etc.).
¿Qué hace exactamente?
Sencillamente enganchamos esa función y así podemos verificar si quieren abrir el proceso que nosotros designemos proteger.
Ustedes pueden hacerle su respectiva adaptación (condiciones, etc.), pero me enfoqué en un ejemplo y en aprender.
Mis mayores agradecimientos a Lelouch (Como me soportaste xD) y a [Zero].
Dedicado a todos mis mentores (Sobra mencionarlos)
Saludos.