Contributorinclude 'win32ax.inc'
include 'catchy32.inc'
mes db 'Im a MessageBox!',0
cap db 'Hello World!',0
hooked db 'Hooked!!',0
start:
invoke LoadLibrary,'user32.dll'
invoke GetProcAddress,eax,'MessageBoxA'
test eax,eax
je @f
mov [addr],eax
mov ebx,eax
xor edi,edi
.while edi <= 5
push ebx
call c_Catchy
add edi,eax
add ebx,eax
.endw
push edi
push buf
push [addr]
push MyMessageBox; function to call !
call DoHook
invoke MessageBox,0,mes,cap,MB_OK
@@:invoke ExitProcess,0
proc MyMessageBox uses ebx edi esi ebp, hWnd:dword,lpText:dword,lpCaption:dword,uType:dword
push [uType]
push hooked
push hooked
push [hWnd]
mov eax,buf
call eax
ret
endp
proc DoHook uses ebx edi esi, hookproc:dword, addr:dword, buf:dword, buflen:dword
locals
lpflOldProtect dd ?
endl
mov edi, [addr]
mov ebx, [buf]
invoke VirtualProtect, edi,[buflen], PAGE_EXECUTE_READWRITE,[lpflOldProtect]
invoke RtlMoveMemory, ebx, edi,[buflen]
mov eax, [hookproc]
sub eax,edi
sub eax, 5
mov byte [edi],0xe9
mov [edi + 1], eax
invoke VirtualProtect, edi,[buflen], [lpflOldProtect], [lpflOldProtect]
mov esi,ebx
add esi,[buflen]
sub edi,ebx
sub edi,5
mov byte [esi],0xe9
mov [esi +1],edi
ret
endp
buf rb 20
addr dd ?
.end start
Simple Hook [FASM]
#1
Posted 18 December 2014 - 11:54 AM
#2
-
- Members +
-
- 12 posts
Beginner
- LocationUkraine
Posted 18 December 2014 - 12:14 PM
#3
Posted 18 December 2014 - 12:21 PM
---------------------------------------------------------------------------------------------------------------------------------
Catchy32.inc
---------------------------------------------------------------------------------------------------------------------------------
;==================================================================================================================================================
; ******** *** *********** ********* *** *** *** *** ******* *******
; *********** **** **** *********** *********** *** *** *** *** ***** ***** ***** *****
; *** *** *** *** *** *** *** *** *** *** *** ** *** ** ****
; *** *********** *** *** *********** ** ** **** ****
; *** *** *********** *** *** *** *********** *** ** *** ****
; *********** *** *** *** *********** *** *** *** ***** ***** ***********
; ********* *** *** *** ********* *** *** *** ******* ***********
;==================================================Catchy32 v1.6 - Length Disassembler Engine 32bit================================================
;SIZE=580 bytes
;Version:
;1.0-test version
;1.1-added: support prefix
;1.2-added: TableEXT
;1.3-added: support for 0F6h and 0F7h groups
;1.4-tables fixed
; -SIB byte handling fixed
;1.5-code fixed&optimized
; -processing 0F6h and 0F7h groups is corrected
; -processing 0A0h-0A3h groups is corrected
;1.6-code fixed
; -added: max lenght=15 bytes
;==================================================================================================================================================
;in: esi - pointer to opcode
;out: eax - opcode length or 0ffffffffh if error
;© sars [HI-TECH] 2003
;sars@ukrtop.com
;==================================================================================================================================================
include '\macro\proc32.inc'
c_Table:
; 01 23 45 67 89 AB CD EF
db 011h,011h,028h,000h,011h,011h,028h,000h;0Fh
db 011h,011h,028h,000h,011h,011h,028h,000h;1Fh
db 011h,011h,028h,0F0h,011h,011h,028h,0F0h;2Fh
db 011h,011h,028h,0F0h,011h,011h,028h,0F0h;3Fh
db 000h,000h,000h,000h,000h,000h,000h,000h;4Fh
db 000h,000h,000h,000h,000h,000h,000h,000h;5Fh
db 000h,011h,0FFh,0FFh,089h,023h,000h,000h;6Fh
db 022h,022h,022h,022h,022h,022h,022h,022h;7Fh
db 039h,033h,011h,011h,011h,011h,011h,011h;8Fh
db 000h,000h,000h,000h,000h,0C0h,000h,000h;9Fh
db 088h,088h,000h,000h,028h,000h,000h,000h;AFh
db 022h,022h,022h,022h,088h,088h,088h,088h;BFh
db 033h,040h,011h,039h,060h,040h,002h,000h;CFh
db 011h,011h,022h,000h,011h,011h,011h,011h;DFh
db 022h,022h,022h,022h,088h,0C2h,000h,000h;EFh
db 0F0h,0FFh,000h,011h,000h,000h,000h,011h;FFh
;==============================================
Lentable equ $-c_Table
;===============EXTENDED OPCODES===============
c_TableEXT:
; 01 23 45 67 89 AB CD EF
db 011h,011h,0E0h,000h,000h,0EEh,0E1h,003h;0Fh
db 011h,011h,011h,011h,01Eh,0EEh,0EEh,0EEh;1Fh
db 011h,011h,01Eh,01Eh,011h,011h,011h,011h;2Fh
db 000h,000h,000h,0EEh,0EEh,0EEh,0EEh,0EEh;3Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;4Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;5Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;6Fh
db 033h,033h,011h,010h,011h,011h,011h,011h;7Fh
db 088h,088h,088h,088h,088h,088h,088h,088h;8Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;9Fh
db 000h,001h,031h,011h,000h,001h,031h,011h;AFh
db 011h,011h,011h,011h,0EEh,031h,011h,011h;BFh
db 011h,031h,033h,031h,000h,000h,000h,000h;CFh
db 0E1h,011h,011h,011h,011h,011h,011h,011h;DFh
db 011h,011h,011h,011h,011h,011h,011h,011h;EFh
db 0E1h,011h,011h,011h,011h,011h,011h,01Eh;FFh
;==============================================
pref66h equ 1
pref67h equ 2
proc c_Catchy uses esi ebx, dwInst
;----Flags extraction, checks for some opcodes----
mov esi, [dwInst]
xor ecx, ecx
c_ExtFlags:
xor eax, eax
xor ebx, ebx
cdq
lodsb ;al <- opcode
mov cl, al ;cl <- opcode
cmp al, 0fh ;Test on prefix 0Fh
je c_ExtdTable
cmp word [esi-1], 20CDh ;Test on VXD call
jne c_NormTable
inc esi ;If VXD call (int 20h), then command length is 6 bytes
lodsd
jmp c_CalcLen
c_ExtdTable: ;Load flags from extended table
lodsb
inc ah ;EAX=al+100h (100h/2 - lenght first table)
c_NormTable: ;Load flags from normal table
shr eax, 1 ;Elements tables on 4 bits
mov al, byte [c_Table+eax]
c_CheckC1:
jc c_IFC1
shr eax, 4 ;Get high 4-bits block if offset is odd, otherwise...
c_IFC1:
and eax, 0Fh ;...low
xchg eax, ebx ;EAX will be needed for other purposes
;--------------Opcode type checking---------------
c_CheckFlags:
cmp bl, 0Eh ;Test on ErrorFlag
je c_Error
cmp bl, 0Fh ;Test on PrefixFlag
je c_Prefix
or ebx, ebx ;One byte command
jz c_CalcLen
btr ebx, 0 ;Command with ModRM byte
jc c_ModRM
btr ebx, 1 ;Test on imm8,rel8 etc flag
jc c_incr1
btr ebx, 2 ;Test on ptr16 etc flag
jc c_incr2
;-----imm16/32,rel16/32, etc types processing-----
c_16_32:
and bl, 11110111b ;Reset 16/32 sign
cmp cl, 0A0h ;Processing group 0A0h-0A3h
jb c_Check66h
cmp cl, 0A3h
ja c_Check66h
test ch, pref67h
jnz c_incr2
jmp c_incr4
c_Check66h: ;Processing other groups
test ch, pref66h
jz c_incr4
jmp c_incr2
;---------------Prefixes processing---------------
c_Prefix:
cmp cl, 66h
je c_SetFlag66h
cmp cl, 67h
jne c_ExtFlags
c_SetFlag67h:
or ch, pref67h
jmp c_ExtFlags
c_SetFlag66h:
or ch, pref66h
jmp c_ExtFlags
;--------------ModR/M byte processing-------------
c_ModRM:
lodsb
c_Check_0F6h_0F7h: ;Check on 0F6h and 0F7h groups
cmp cl, 0F7h
je c_GroupF6F7
cmp cl, 0F6h
jne c_ModXX
c_GroupF6F7: ;Processing groups 0F6h and 0F7h
test al, 00111000b
jnz c_ModXX
test cl, 00000001b
jz c_incbt1
test ch, 1
jnz c_incbt2
inc esi
inc esi
c_incbt2: inc esi
c_incbt1: inc esi
c_ModXX: ;Processing MOD bits
mov edx, eax
and al, 00000111b ;al <- only R/M bits
test dl, 11000000b ;Check MOD bits
jz c_Mod00
jp c_CheckFlags ;Or c_Mod11
js c_Mod10
c_Mod01:
test ch, pref67h
jnz c_incr1 ;16-bit addressing
cmp al, 4 ;Check SIB
je c_incr2
jmp c_incr1
c_Mod00:
test ch, pref67h
jz c_Mod00_32 ;32-bit addressing
cmp al, 6
je c_incr2
jmp c_CheckFlags
c_Mod00_32:
cmp al, 4 ;Check SIB
jne c_disp32
c_SIB: ;Processing SIB byte
lodsb
and al, 00000111b
cmp al, 5
je c_incr4
jmp c_CheckFlags
c_disp32:
cmp al, 5
je c_incr4
jmp c_CheckFlags
c_Mod10:
test ch, pref67h
jnz c_incr2 ;16-bit addressing
cmp al, 4 ;Check SIB
je c_incr5
jmp c_incr4
c_incr5: inc esi
c_incr4: inc esi
inc esi
c_incr2: inc esi
c_incr1: inc esi
jmp c_CheckFlags
;-----------Command length calculation------------
c_CalcLen:
sub esi, [dwInst]
cmp esi, 15
ja c_Error
mov eax, esi
jmp c_Exit
;----------------Setting the error----------------
c_Error:
xor eax, eax
dec eax
;---------Restore the registers and exit----------
c_Exit:
ret
;-------------------------------------------------
endp
#4
Posted 18 December 2014 - 12:23 PM
0xDADA11C7, on 18 Dec 2014 - 11:14 AM, said:
What is c_Catchy? It hasn`t function of restore. Sorry, but your source not simple but ugly
if this is not simple enough for you and you dont know what a Length Disassembler Engine is, then better not read it 
- Neelix likes this
#5
Posted 18 December 2014 - 01:19 PM
And note to the cCatchy author, it is more efficient to write mov eax,-1 instead of xoring and decrementing.
- Jochen and x58 like this
