hola
La verdad es que me da mucha vergüenza entrar en una pagina de expertos y decir esto pero he de hacerlo porque quiera o no quiera me pica el gusanillo.
el problema está en este programa que ejecuto con el fasmw
y me da el siguiente error : file not found
y sale marcado : include 'win32a.inc'
porque es as? el programa es el siguiente
;
; Basic Windows(R) 32bit hooking example in FASM, (C) 2006 Bryan "RedGhost" Power
;
; Tested on:
; Windows XP SP2
; Windows 2000 SP4
;
; If it is not working on other versions of Windows you must disassemble for the correct opcode length (at least $5 bytes).
;
; Explaination:
; Sometimes in a project you need to hook an API function for whatever reason, the easiest way is via a basic detour.
;
; A detour is inserting a jump to your hook at the start of the API, and if you choose to, emulating the instructions
; you are overwriting and then calling the original API.
;
; Here is a small example of hooking the "MessageBoxA" procedure from "user32.dl".
;
;
; here is the disassembly of "MessageBoxA" from "user32.dll" taken from OllyDbg
;
; Windows XP SP2
;
; 77D804EA > 8BFF MOV EDI,EDI ; standard windows API padding
; 77D804EC 55 PUSH EBP ; start of stack frame
; 77D804ED 8BEC MOV EBP,ESP ; right here we have exactly $5 bytes in opcodes, perfect, the length is $5
; 77D804EF 833D BC04DA77 00 CMP DWORD PTR DS:[77DA04BC],0
;
; Windows 2000 SP4
;
; 77E38098 > 55 PUSH EBP
; 77E38099 8BEC MOV EBP,ESP
; 77E3809B 51 PUSH ECX
; 77E3809C 833D 3892E677 00 CMP DWORD PTR DS:[77E69238],0 ; here it's a bit more complex, we don't have exactly $5 bytes, the length is $B
;
; here we have the disassembly while our hook is inserted
;
; Windows XP SP2
;
; 77D804EA >-E9 AA0B6888 JMP detour_e.00401099 ; the jump to our hook
; 77D804EF 833D BC04DA77 00 CMP DWORD PTR DS:[77DA04BC],0
;
; Windows 2000 SP4
;
; 77E38098 >-E9 FC8F5C88 JMP detour_e.00401099
; 77E3809D 90 NOP
; 77E3809E 90 NOP
; 77E3809F 90 NOP
; 77E380A0 90 NOP
; 77E380A1 90 NOP
; 77E380A2 90 NOP ; all these nops to keep the instructions balanced
; 77E380A3 0F85 940E0100 JNZ user32.77E48F3D
;
format PE GUI
section '.flat' readable writeable executable
entry $ ; entry point at current address
mov ecx, $5 ; number of bytes for newer service packs, a length disassembly engine skips this work
mov eax, [MessageBoxA]
cmp word [eax], $FF8B ; test if the first opcode is not "mov edi, edi" to identify an older service pack
jz @f
add ecx, $6 ; we have an older MessageBoxA version, $B bytes in total (Windows 2000 SP4)
@@:
mov esi, [MessageBoxA] ; the procedure we wish to detour
mov edi, MessageBoxA_gate ; the hook we want called when MessageBoxA is called
call insert_detour
mov [oMessageBoxA], eax ; address of the jump/call stub
; now we call MessageBoxA
; but magically we don't see the text we are passing =]
push $0
push _hello ; 'Hello World!'
push _hook_test ; 'This is a hooking example with detours in FASM!'
push $0
call [MessageBoxA]
; here we make the same call again but with oMessageBoxA
push $0
push _hello
push _hook_test
push $0
call [oMessageBoxA]
push $0
call [ExitProcess]
;---
oMessageBoxA dd ?
_hello db 'Hello World!', $0
_hook_test db 'This is a hooking example with detours in FASM!', $0
; our hook which gets called when MessageBoxA is called in this process
MessageBoxA_gate:
; modify the parameters on the stack to our own
mov dword [esp+$C], .hello_hacked
mov dword [esp+$8], .hook_test_hacked
jmp [oMessageBoxA] ; now we let MessageBoxA continue
.hello_hacked:
db 'Hacked Hello World ', $0
.hook_test_hacked:
db 'Hmm? Is this what we are supposed to see?!?', $0
;---
; Allocate some memory.
;
; ecx = length
;
; returns allocated memory address in eax
; returns $0 on failure
halloc:
cmp dword [.heapaddr], $0
jz .hinit
@@:
push ecx
push $0
push dword [.heapaddr]
call [HeapAlloc]
ret
.hinit:
; get the process heap
call [GetProcessHeap] ; .ProcessHeap is located at +$18 in the Process Environment Block
test eax, eax
jz .err
mov dword [.heapaddr], eax
jmp @b
.err:
ret
.heapaddr:
dd $0
;---
; Write a detour.
;
; esi = address of procedure (API) to detour
; edi = address of gateway (hook)
; ecx = length of opcode(s), must be atleast $5 (jmp + address = $5)
;
; returns jump/call stub in eax
; returns $0 on failure
insert_detour:
push ebx edi ebp
pushfd
cld
mov ebx, ecx ; save the length for later, a length disassembly engine is a good idea here
; allocate jump stub
mov ecx, ebx
add ecx, $5 ; +$5 for jmp + address back to original API
call halloc
test eax, eax
jz .done
; copy the instructions we are going to overwrite to our jump stub
push edi
mov ecx, ebx
mov edi, eax
rep movsb
sub esi, ebx ; movsb incremented it
pop edi
; write a jump back to the original API, skip our inserted jump
mov byte [eax+ebx], $E9 ; jmp opcode
mov edx, esi
sub edx, eax ; relative offset
sub edx, $5
mov dword [eax+ebx+1], edx
push eax ; save stub address
; get page base
mov ebp, esi
and ebp, $FFFFF000
; change protection state of the page to allow write access
push .protection
push PAGE_EXECUTE_READWRITE ; EXECUTE in case of multi-threaded or VirtualProtectEx detour
push $00001000
push ebp
push $FFFFFFFF
call [VirtualProtectEx] ; VirtualProtect calls VirtualProtectEx
; here we write the actual detour
mov byte [esi], $E9
mov edx, edi
sub edx, esi
sub edx, $5
mov dword [esi+1], edx
; pad with nops if instruction length > 5 so we don't corrupt the proceeding instructions
cmp ebx, $5
jle .cleanup
; ecx = number of nop instructions
mov ecx, ebx
sub ecx, $5
mov edi, esi
add edi, $5
mov al, $90 ; nop opcode
rep stosb
.cleanup:
; restore original protection
push .protection
push dword [.protection]
push $00001000
push ebp
push $FFFFFFFF
call [VirtualProtectEx]
pop eax ; return stub address
.done:
popfd
pop ebp edi ebx
ret
.protection:
dd ?
;---
include 'win32a.inc'
data import
dd $0, $0, $0, rva kernel32_name, rva kernel32_table
dd $0, $0, $0, rva user32_name, rva user32_table
dd $0, $0, $0, $0, $0
kernel32_table:
VirtualProtectEx dd rva _VirtualProtectEx
GetProcessHeap dd rva _GetProcessHeap
HeapAlloc dd rva _HeapAlloc
ExitProcess dd rva _ExitProcess
dd $0
user32_table:
MessageBoxA dd rva _MessageBoxA
dd $0
;kernel32
_VirtualProtectEx dw $0
db 'VirtualProtectEx', $0
_GetProcessHeap dw $0
db 'GetProcessHeap', $0
_HeapAlloc dw $0
db 'HeapAlloc', $0
_ExitProcess dw $0
db 'ExitProcess', $0
;user32
_MessageBoxA dw $0
db 'MessageBoxA', $0
kernel32_name db 'kernel32.dll', $0
user32_name db 'user32.dll', $0
end data
;---
;bye
;
; Basic Windows(R) 32bit hooking example in FASM, (C) 2006 Bryan "RedGhost" Power
;
; Tested on:
; Windows XP SP2
; Windows 2000 SP4
;
; If it is not working on other versions of Windows you must disassemble for the correct opcode length (at least $5 bytes).
;
; Explaination:
; Sometimes in a project you need to hook an API function for whatever reason, the easiest way is via a basic detour.
;
; A detour is inserting a jump to your hook at the start of the API, and if you choose to, emulating the instructions
; you are overwriting and then calling the original API.
;
; Here is a small example of hooking the "MessageBoxA" procedure from "user32.dl".
;
;
; here is the disassembly of "MessageBoxA" from "user32.dll" taken from OllyDbg
;
; Windows XP SP2
;
; 77D804EA > 8BFF MOV EDI,EDI ; standard windows API padding
; 77D804EC 55 PUSH EBP ; start of stack frame
; 77D804ED 8BEC MOV EBP,ESP ; right here we have exactly $5 bytes in opcodes, perfect, the length is $5
; 77D804EF 833D BC04DA77 00 CMP DWORD PTR DS:[77DA04BC],0
;
; Windows 2000 SP4
;
; 77E38098 > 55 PUSH EBP
; 77E38099 8BEC MOV EBP,ESP
; 77E3809B 51 PUSH ECX
; 77E3809C 833D 3892E677 00 CMP DWORD PTR DS:[77E69238],0 ; here it's a bit more complex, we don't have exactly $5 bytes, the length is $B
;
; here we have the disassembly while our hook is inserted
;
; Windows XP SP2
;
; 77D804EA >-E9 AA0B6888 JMP detour_e.00401099 ; the jump to our hook
; 77D804EF 833D BC04DA77 00 CMP DWORD PTR DS:[77DA04BC],0
;
; Windows 2000 SP4
;
; 77E38098 >-E9 FC8F5C88 JMP detour_e.00401099
; 77E3809D 90 NOP
; 77E3809E 90 NOP
; 77E3809F 90 NOP
; 77E380A0 90 NOP
; 77E380A1 90 NOP
; 77E380A2 90 NOP ; all these nops to keep the instructions balanced
; 77E380A3 0F85 940E0100 JNZ user32.77E48F3D
;
format PE GUI
section '.flat' readable writeable executable
entry $ ; entry point at current address
mov ecx, $5 ; number of bytes for newer service packs, a length disassembly engine skips this work
mov eax, [MessageBoxA]
cmp word [eax], $FF8B ; test if the first opcode is not "mov edi, edi" to identify an older service pack
jz @f
add ecx, $6 ; we have an older MessageBoxA version, $B bytes in total (Windows 2000 SP4)
@@:
mov esi, [MessageBoxA] ; the procedure we wish to detour
mov edi, MessageBoxA_gate ; the hook we want called when MessageBoxA is called
call insert_detour
mov [oMessageBoxA], eax ; address of the jump/call stub
; now we call MessageBoxA
; but magically we don't see the text we are passing =]
push $0
push _hello ; 'Hello World!'
push _hook_test ; 'This is a hooking example with detours in FASM!'
push $0
call [MessageBoxA]
; here we make the same call again but with oMessageBoxA
push $0
push _hello
push _hook_test
push $0
call [oMessageBoxA]
push $0
call [ExitProcess]
;---
oMessageBoxA dd ?
_hello db 'Hello World!', $0
_hook_test db 'This is a hooking example with detours in FASM!', $0
; our hook which gets called when MessageBoxA is called in this process
MessageBoxA_gate:
; modify the parameters on the stack to our own
mov dword [esp+$C], .hello_hacked
mov dword [esp+$8], .hook_test_hacked
jmp [oMessageBoxA] ; now we let MessageBoxA continue
.hello_hacked:
db 'Hacked Hello World ', $0
.hook_test_hacked:
db 'Hmm? Is this what we are supposed to see?!?', $0
;---
; Allocate some memory.
;
; ecx = length
;
; returns allocated memory address in eax
; returns $0 on failure
halloc:
cmp dword [.heapaddr], $0
jz .hinit
@@:
push ecx
push $0
push dword [.heapaddr]
call [HeapAlloc]
ret
.hinit:
; get the process heap
call [GetProcessHeap] ; .ProcessHeap is located at +$18 in the Process Environment Block
test eax, eax
jz .err
mov dword [.heapaddr], eax
jmp @b
.err:
ret
.heapaddr:
dd $0
;---
; Write a detour.
;
; esi = address of procedure (API) to detour
; edi = address of gateway (hook)
; ecx = length of opcode(s), must be atleast $5 (jmp + address = $5)
;
; returns jump/call stub in eax
; returns $0 on failure
insert_detour:
push ebx edi ebp
pushfd
cld
mov ebx, ecx ; save the length for later, a length disassembly engine is a good idea here
; allocate jump stub
mov ecx, ebx
add ecx, $5 ; +$5 for jmp + address back to original API
call halloc
test eax, eax
jz .done
; copy the instructions we are going to overwrite to our jump stub
push edi
mov ecx, ebx
mov edi, eax
rep movsb
sub esi, ebx ; movsb incremented it
pop edi
; write a jump back to the original API, skip our inserted jump
mov byte [eax+ebx], $E9 ; jmp opcode
mov edx, esi
sub edx, eax ; relative offset
sub edx, $5
mov dword [eax+ebx+1], edx
push eax ; save stub address
; get page base
mov ebp, esi
and ebp, $FFFFF000
; change protection state of the page to allow write access
push .protection
push PAGE_EXECUTE_READWRITE ; EXECUTE in case of multi-threaded or VirtualProtectEx detour
push $00001000
push ebp
push $FFFFFFFF
call [VirtualProtectEx] ; VirtualProtect calls VirtualProtectEx
; here we write the actual detour
mov byte [esi], $E9
mov edx, edi
sub edx, esi
sub edx, $5
mov dword [esi+1], edx
; pad with nops if instruction length > 5 so we don't corrupt the proceeding instructions
cmp ebx, $5
jle .cleanup
; ecx = number of nop instructions
mov ecx, ebx
sub ecx, $5
mov edi, esi
add edi, $5
mov al, $90 ; nop opcode
rep stosb
.cleanup:
; restore original protection
push .protection
push dword [.protection]
push $00001000
push ebp
push $FFFFFFFF
call [VirtualProtectEx]
pop eax ; return stub address
.done:
popfd
pop ebp edi ebx
ret
.protection:
dd ?
;---
include 'win32a.inc'
data import
dd $0, $0, $0, rva kernel32_name, rva kernel32_table
dd $0, $0, $0, rva user32_name, rva user32_table
dd $0, $0, $0, $0, $0
kernel32_table:
VirtualProtectEx dd rva _VirtualProtectEx
GetProcessHeap dd rva _GetProcessHeap
HeapAlloc dd rva _HeapAlloc
ExitProcess dd rva _ExitProcess
dd $0
user32_table:
MessageBoxA dd rva _MessageBoxA
dd $0
;kernel32
_VirtualProtectEx dw $0
db 'VirtualProtectEx', $0
_GetProcessHeap dw $0
db 'GetProcessHeap', $0
_HeapAlloc dw $0
db 'HeapAlloc', $0
_ExitProcess dw $0
db 'ExitProcess', $0
;user32
_MessageBoxA dw $0
db 'MessageBoxA', $0
kernel32_name db 'kernel32.dll', $0
user32_name db 'user32.dll', $0
end data
;---
;bye