衝擊波1.02源程式 (9千字)
////////////////////////////
/////// ********.vxd ///////
////////////////////////////
#define DEVICE_MAIN
#include "traceit.h"
Declare_Virtual_Device(TRACEIT)
#undef DEVICE_MAIN
TraceitVM::TraceitVM(VMHANDLE hVM) : VVirtualMachine(hVM) {}
TraceitThread::TraceitThread(THREADHANDLE hThread) : VThread(hThread) {}
//-----------------------------------------
#define HookNo 0x30
#define HookCode 0x30cd
VMMFault_THUNK thunkVMMFault;
PMFault_THUNK thunkPMFault;
DWORD m_Address[3];
WORD m_Code[3];
WORD m_AppCode;
BOOL m_bAppFlag;
DWORD m_OEP;
#define valueEIP (pcrs->CRS.Client_EIP)
#define mByteEIP(offset) (*(BYTE *)(valueEIP-(offset)))
#define mWordEIP(offset) (*(WORD *)(valueEIP-(offset)))
#define mDwordEIP(offset) (*(DWORD *)(valueEIP-(offset)))
//-----------------------------------------
PVOID __stdcall MyFaultHandler(VMHANDLE hVM, PCLIENT_STRUCT pcrs)
{
if(!m_bAppFlag)
{
valueEIP -= 2;
m_AppCode = *(WORD *)(*(DWORD *)pcrs->CRS.Client_ESP);
*(WORD *)(*(DWORD *)pcrs->CRS.Client_ESP)
= HookCode;
*(WORD *)m_Address[0] = m_Code[0];
*(WORD *)m_Address[1] = m_Code[1];
*(WORD *)m_Address[2] = m_Code[2];
m_bAppFlag = true;
}
else
{
valueEIP -= 2;
mWordEIP(0) = m_AppCode;
if((mDwordEIP(0-0x05) & 0x0ffffff)
== 0x0E9006A)
{
_asm
{
pusha
mov
ebp, pcrs
mov
esi, [ebp+0x24]
xor
ecx, ecx
jmp
m000001FC
m000001E2:
mov
eax, dword ptr [esi]
cmp
eax, 0x0A302E0C1
jne
m000001FA
mov
m_OEP, esi
sub
m_OEP, 00000005
jmp
m00000201
m000001FA:
dec
esi
inc
ecx
m000001FC:
cmp
ecx, 0x00000070
jne
m000001E2
m00000201:
popa
}
}
else if((mDwordEIP(0x0f) & 0x0ffffff)
== 0x0E80A6A)
{
m_OEP = valueEIP-0x0f;
}
else if(mDwordEIP(0x08) == 0x0E8006A50
&&
(mByteEIP(0x0a)
== 0x0C3 || mByteEIP(0x0b) == 0x0C3))
{
_asm
{
pusha
mov
ebp, pcrs
mov
ebx, dword ptr [ebp+0x30]
mov
ebx, dword ptr [ebx+0x04]
mov
esi, 0x0000000A
sub
ebx, esi
jmp
m_0000029C
m_00000282:
mov
eax, dword ptr [ebx]
cmp
eax, 0x083EC8B55
je
m_00000292
cmp
eax, 0x0B9EC8B55
jne
m_0000029A
m_00000292:
mov
m_OEP, ebx
jmp
m_000002A1
m_0000029A:
inc
esi
dec
ebx
m_0000029C:
cmp
esi, 0x00000030
jne
m_00000282
m_000002A1:
popa
}
}
else if(mDwordEIP(0x0f) == 0x0E800408D
&&
(mByteEIP(0x11)
== 0x0C3 || mByteEIP(0x12) == 0x0C3))
{
_asm
{
pusha
mov
ebp, pcrs
mov
ebx, dword ptr [ebp+0x30]
mov
ebx, dword ptr [ebx]
mov
esi, 0x0000000A
sub
ebx, esi
jmp
m_000002D9
m_000002C6:
mov
eax, dword ptr [ebx]
cmp
eax, 0x083EC8B55
jne
m_000002D7
mov
m_OEP, ebx
jmp
m_000002DE
m_000002D7:
inc
esi
dec
ebx
m_000002D9:
cmp
esi, 0x00000030
jne
m_000002C6
m_000002DE:
popa
}
}
else if(mWordEIP(0) == 0x0F08B &&
mDwordEIP(0x0d) == 0x083EC8B55)
{
m_OEP = valueEIP-0x0d;
}
else if(mWordEIP(0) == 0x0F08B &&
mDwordEIP(0x2c) == 0x6AEC8B55)
{
m_OEP = valueEIP-0x2c;
}
if(mDwordEIP(0) == 0x0D48AD233 &&
mDwordEIP(0x2c) == 0x6AEC8B55)
{
m_OEP = valueEIP-0x2c;
}
else if(mByteEIP(0) == 0x0A3 &&
mDwordEIP(0x26) == 0x6AEC8B55)
{
m_OEP = valueEIP-0x26-0x06;
}
else if(mWordEIP(0) == 0x0E850 &&
mDwordEIP(0x150) == 0x6AEC8B55)
{
m_OEP = valueEIP-0x150;
}
else if(mWordEIP(0) == 0x0E850 &&
mDwordEIP(0x12e) == 0x6AEC8B55)
{
m_OEP = valueEIP-0x12e;
}
else if(mWordEIP(0) == 0x0E850 &&
mDwordEIP(0x14b) == 0x6AEC8B55)
{
m_OEP = valueEIP-0x14b-0x06;
}
else if(mWordEIP(0) == 0x0E850 &&
mDwordEIP(0x0bf) == 0x83EC8B55)
{
m_OEP = valueEIP-0x0bf;
}
*(WORD *)m_Address[0] = HookCode;
*(WORD *)m_Address[1] = HookCode;
*(WORD *)m_Address[2] = HookCode;
m_bAppFlag = false;
}
return NULL;
}
BOOL TraceitDevice::OnSysDynamicDeviceInit()
{
Hook_PM_Fault(HookNo, MyFaultHandler, &thunkPMFault);
return TRUE;
}
BOOL TraceitDevice::OnSysDynamicDeviceExit()
{
Unhook_PM_Fault(HookNo, MyFaultHandler, &thunkPMFault);
return TRUE;
}
DWORD TraceitDevice::OnW32DeviceIoControl(PIOCTLPARAMS pDIOCParams)
{
switch (pDIOCParams->dioc_IOCtlCode)
{
case 1:
m_Address[0] = *(DWORD
*)(pDIOCParams->dioc_InBuf);
m_Code[0] = *(WORD
*)m_Address[0];
*(WORD *)m_Address[0]
= HookCode;
m_Address[1] = *((DWORD
*)(pDIOCParams->dioc_InBuf)+1);
m_Code[1] = *(WORD
*)m_Address[1];
*(WORD *)m_Address[1]
= HookCode;
m_Address[2] = *((DWORD
*)(pDIOCParams->dioc_InBuf)+2);
m_Code[2] = *(WORD
*)m_Address[2];
*(WORD *)m_Address[2]
= HookCode;
m_bAppFlag = false;
m_OEP = 0;
break;
case 2:
*(WORD *)m_Address[0]
= m_Code[0];
*(WORD *)m_Address[1]
= m_Code[1];
*(WORD *)m_Address[2]
= m_Code[2];
break;
case 3:
*(DWORD *)(pDIOCParams->dioc_OutBuf)
= m_OEP;
pDIOCParams->dioc_cbOutBuf
= 4;
break;
default:
break;
}
return 0;
}
////////////////////////////
/////// ********.exe ///////
////////////////////////////
// Bw2001Dlg.cpp : implementation file
//
#include "stdafx.h"
#include "Bw2001.h"
#include "Bw2001Dlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// CBw2001Dlg dialog
CBw2001Dlg::CBw2001Dlg(CWnd* pParent /*=NULL*/)
: CDialog(CBw2001Dlg::IDD, pParent)
{
//{{AFX_DATA_INIT(CBw2001Dlg)
//}}AFX_DATA_INIT
// Note that LoadIcon does not require a subsequent DestroyIcon
in Win32
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
hDevice = INVALID_HANDLE_VALUE;
}
void CBw2001Dlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CBw2001Dlg)
DDX_Control(pDX, IDC_EDIT1, m_oep);
DDX_Control(pDX, IDC_BUTTON2, m_stop);
DDX_Control(pDX, IDC_BUTTON1, m_trace);
//}}AFX_DATA_MAP
}
BEGIN_MESSAGE_MAP(CBw2001Dlg, CDialog)
//{{AFX_MSG_MAP(CBw2001Dlg)
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_BN_CLICKED(IDC_BUTTON1, OnButton1)
ON_BN_CLICKED(IDC_BUTTON2, OnButton2)
ON_WM_TIMER()
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CBw2001Dlg message handlers
BOOL CBw2001Dlg::OnInitDialog()
{
CDialog::OnInitDialog();
// Set the icon for this dialog. The framework does
this automatically
// when the application's main window is not a dialog
SetIcon(m_hIcon, TRUE);
// Set big icon
SetIcon(m_hIcon, FALSE); //
Set small icon
SetWindowPos(&wndTopMost, 0, 0, 0, 0, SWP_NOSIZE|SWP_NOMOVE);
m_trace.EnableWindow(true);
m_stop.EnableWindow(false);
m_oep.SetWindowText("00000000");
SetTimer(1, 200, NULL);
return TRUE; // return TRUE unless you set the
focus to a control
}
// If you add a minimize button to your dialog, you will need the code below
// to draw the icon. For MFC applications using the document/view
model,
// this is automatically done for you by the framework.
void CBw2001Dlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // device context for
painting
SendMessage(WM_ICONERASEBKGND, (WPARAM)
dc.GetSafeHdc(), 0);
// Center icon in client rectangle
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + 1) /
2;
int y = (rect.Height() - cyIcon + 1) /
2;
// Draw the icon
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialog::OnPaint();
}
}
// The system calls this to obtain the cursor to display while the user drags
// the minimized window.
HCURSOR CBw2001Dlg::OnQueryDragIcon()
{
return (HCURSOR) m_hIcon;
}
void CBw2001Dlg::OnButton1()
{
static HMODULE hKernel32;
static FARPROC pAddress[3];
hKernel32 = GetModuleHandle("Kernel32.dll");
pAddress[0] = GetProcAddress(hKernel32, "GetVersion");
pAddress[1] = GetProcAddress(hKernel32, "GetModuleHandleA");
pAddress[2] = GetProcAddress(hKernel32, "GetCommandLineA");
if(pAddress[0] == NULL || pAddress[1] == NULL || pAddress[2]
== NULL)
{
AfxMessageBox("Can't find kernel functions
to hook.");
return;
}
static char VxDName[] = {"\\\\.\\TraceIT.VXD"};
if(hDevice == INVALID_HANDLE_VALUE)
{
hDevice = CreateFile(VxDName, 0,0,0,
CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, 0);
if (hDevice == INVALID_HANDLE_VALUE)
{
AfxMessageBox("Can't
load TraceIT.vxd");
return;
}
else
{
m_trace.EnableWindow(false);
m_stop.EnableWindow(true);
}
}
m_oep.SetWindowText("00000000");
DeviceIoControl(hDevice, 1, pAddress, 12, NULL, 0, NULL,
NULL);
}
void CBw2001Dlg::OnButton2()
{
if(hDevice != INVALID_HANDLE_VALUE)
{
DeviceIoControl(hDevice, 2, NULL, 0, NULL,
0, NULL, NULL);
if(CloseHandle(hDevice))
{
hDevice = INVALID_HANDLE_VALUE;
m_trace.EnableWindow(true);
m_stop.EnableWindow(false);
}
}
}
void CBw2001Dlg::OnCancel()
{
KillTimer(1);
OnButton2();
CDialog::OnCancel();
}
void CBw2001Dlg::OnTimer(UINT nIDEvent)
{
static UINT oldOEP = 0, newOEP = 0;
CString stmp;
if(hDevice != INVALID_HANDLE_VALUE)
{
DeviceIoControl(hDevice, 3, NULL, 0, &newOEP,
4, NULL, NULL);
if(newOEP != 0 && newOEP != oldOEP)
{
oldOEP = newOEP;
stmp.Format("%08X",
newOEP);
m_oep.SetWindowText(stmp);
}
}
else
{
oldOEP = newOEP = 0;
}
CDialog::OnTimer(nIDEvent);
}
相關文章
- Flagimation1.02 破解(入門) (3千字)2000-10-01
- 過去25年八大計算機病毒:衝擊波和震盪波入選2007-09-24計算機
- 趨勢科技網路病毒牆--粉碎衝擊波和震盪波等網路病毒(轉)2007-08-12
- 蘋果IDFA衝擊波:中小遊戲團隊廣告收入減少20%2021-07-19蘋果遊戲
- 衝刺92024-06-05
- CoolClock V1.02註冊演算法分析 ---OCG (14千字)2015-11-15演算法
- Oracle等商家關注開源問題帶來的衝擊(轉)2007-08-15Oracle
- 初學者的東西:Transoft's Server All 1.02破解
(3千字)2001-01-08Server
- 馬雲:不是網際網路衝擊了各行各業 是無知衝擊2016-10-13
- 我的PE程式加密核心程式碼(MASM 6.0) (9千字)2015-11-15加密ASM
- 餘波衝擊中,加密社群“乞求”監管!大空頭卻稱這是“極大的諷刺”?2022-11-24加密
- 雙擊和單擊事件衝突解決方法2017-03-13事件
- 破解RamDisk9xMe的安裝程式 (3千字)2001-10-07
- XDos v1.1~Dos的外殼程式 (9千字)2015-11-15
- 開關電源緩衝吸收電路:拓撲吸收、RC吸收、RCD吸收、鉗位吸收、無損吸收、LD緩衝、LR緩衝、飽和電感緩衝、濾波緩衝、振鈴_rc吸收和rcd吸收2024-05-24
- 衝擊晉升模式分析(轉載)2007-07-30模式
- 初學者(9) (3千字)2000-05-07
- 初學者(26) (9千字)2000-08-17
- 程式分析與優化 - 9 附錄 XLA的緩衝區指派2022-07-02優化
- VM - Typhoon 1.02 的破解2019-04-14
- VB黑客程式的暴破(修改)一例 (9千字)2003-02-06黑客
- 疫情衝擊海外遊戲業:遊戲平臺流量劇增,一大波展會及線下活動取消2020-03-16遊戲
- 第二次衝刺92024-05-18
- Go 對 Python 產生的衝擊2020-03-29GoPython
- 衝擊IPO:達達的負“重”上市之路2020-05-15
- 牙博士衝擊IPO:口腔生意真不錯2021-10-08
- 如何應對AI帶來的衝擊2023-03-02AI
- NPD:iPad沒有衝擊Mac銷量2010-07-08iPadMac
- 嵌入式學習資源——突破C++的虛擬指標-C++程式的緩衝區溢位攻擊2019-08-13C++指標
- 一點小意思,掃雷作弊的delphi程式碼
(9千字)2015-11-15
- SysSync Version 1.02簡單演算法分析+VB序號產生器原始碼 (8千字)2015-11-15演算法原始碼
- 面試題9-斐波那契數列2017-09-03面試題
- 逆勢衝擊IPO:理想汽車要穩住了2020-07-15
- go-zero 如何扛住流量衝擊(二)2020-11-23Go
- go-zero 如何扛住流量衝擊(一)2020-11-16Go
- 微信小程式單擊事件與長按事件衝突的解決辦法2021-11-12微信小程式事件
- ePublisher Gold v1.4 (9千字)2001-01-15Go
- 我的破解心得(9) (4千字)2001-03-13