Jump to content
Tuts 4 You

Help Me About Plugin Importrec, And Converting Asm Source...

Apakekdah

By Apakekdah
in Programming and Coding

Recommended Posts

Apakekdah

Apakekdah

Posted
Posted

hi, is there anyone will help me, how to

i was convert asm source...

original source :

; NTkrnl protector 0.1 plugin tracer for impREC
; bpx^2k7
format PE GUI 4.0 DLL
entry e
include 'c:fasm32includewin32a.inc'
section '.code' code readable executable
e:; DLL Entrypoint
xor eax,eax
inc eax
ret 12
Trace:
push ebp
mov ebp,esp
push ebx
push esi
invoke MapViewOfFile, dword [ebp+4+4] , FILE_MAP_READ or FILE_MAP_WRITE, 0, 0, 0
mov esi, eax; We put our found proc in this map
mov ebx, dword [ebp+16+4]
invoke IsBadReadPtr, ebx, 4; Is this a valid thunk we are tracing ?
test eax, eax
jz ptr_ok1
jmp end2
ptr_ok1:
cmp dword [ebx],0000E860h; Look for ntkrnl signature
je ptr_ok2
jmp end2
ptr_ok2:
mov word [ebx+35h],9090h; nop jmp eax
call ebx; call redirector proc [eax now contains real API!]
mov ebx, esi
mov dword [ebx], eax
end2:
invoke UnmapViewOfFile, esi; Write changes
invoke CloseHandle, dword [ebp+4+4]
pop esi
pop ebx
mov eax,200
leave
ret 20
section '.idata' import data readable writeable
library kernel,'KERNEL32.DLL'
import kernel,
MapViewOfFile,'MapViewOfFile',
UnmapViewOfFile,'UnmapViewOfFile',
CloseHandle,'CloseHandle',
IsBadReadPtr,'IsBadReadPtr'
section '.edata' export data readable
export 'nt_krnlprotect_0_1.dll',
Trace,'Trace'
section '.reloc' fixups data discardable

mysouce :

.486				   ; set processor model
.model flat, stdcall   ; default STDCALL calling convention
option casemap :none   ; always use the case sensitive optioninclude e:\masm32\include\windows.inc
include e:\masm32\include\kernel32.inc
include e:\masm32\macros\macros.asmincludelib e:\masm32\lib\kernel32.libTrace PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD,:DWORD.data?
	hInstance dd ?.codeLibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD 	xor eax, eax
	inc eax	ret LibMain endpTrace proc hFileMap:DWORD, dwSizeMap:DWORD, dwTimeOut:DWORD, dwToTrace:DWORD, dwExactCall:DWORD	invoke MapViewOfFile, hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, dwSizeMap
	test eax, eax
	je error1
	mov esi, eax	mov ebx, dwToTrace
	invoke IsBadReadPtr, ebx, 4
	test eax, eax
	jne error2	mov esi, eax
	cmp dword ptr [ebx], 0E860h
	jne error3	mov word ptr [ebx+35h],9090h	call ebx	mov ebx, esi	
	mov dword ptr [ebx], eax	
	mov eax, 200
	jmp abiserror1:
	mov eax, 201
	jmp abiserror2:
	mov eax, 202
	jmp abiserror3:
	mov eax, 203
abis:
	invoke UnmapViewOfFile, hFileMap; Write changes
	invoke CloseHandle, hFileMap	ret
Trace endpend LibMain

the problem is, original code, can run (maybe, i'd never test it before, cause don't have that compiler :teehee: ) and my code, always send an error...

i'm sure i was following that direction... where is my mistake ? :2:

-

and how to debug ImportRec, when Trace function is called, so i can debug where i'm make a mistake ?

sorry for my bad english :D

:wub:

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...