Quote:
|
Originally Posted by MaRKuS-DJM
hi bro's,
i'm searching for a way to hook API's for a simple protected application (won't name protector  )
i heard something of an undocumented API with ordinal 1 that should be able to unprotect this memory. anybody knows about this?
or any suggestions?
|
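Here is an example in Delphi, put together from various public sources and articles. Note that the VxDCall path applies only to Windows 9x; on NT-based systems the code below uses VirtualProtect instead.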
Code:
//------------------------------------------------------------------------------
// ProtectAddress: requests a page-permission change through the undocumented
// VxDCall entry point (kernel32 export ordinal 1), using service 1000Dh
// (_PageModifyPermissions). SetWriteAccess/SetReadAccess call it only on the
// non-NT branch.
//   Address : intended target address. NOTE(review): as posted it is never
//             read; every line that derived a page from it is commented out.
//   Flag    : PC_* permission bits pushed as the first (deepest) argument.
//   Returns : True once the call has been issued, False if an early Exit or an
//             exception happened first. It does not report whether the
//             permission change actually succeeded.
function ProtectAddress( Address, Flag : DWORD ): Boolean; stdcall;
var
//fa : DWORD; // FirstAddress
fp,np : DWORD; // FirstPage / numPages
VXDCall : Pointer;
begin
Result := False;
try
// fa := Address;
// NOTE(review): the page number is hard-coded to 1 and the page count to 1, so
// the request always names page 1 regardless of Address. The commented-out
// expression suggests the intent was Address div 4096 - confirm before reuse.
fp := 1;//Address div 4096;
np := 1;
// DEC( fa, fa mod 4096 );
// Result := not IsBadWritePtr( Pointer(fa), np*4096 );
// Result is still False here (the probe above is commented out), so this
// branch is always taken.
if not Result then
begin
// Get undocumented VxDCall procedure
// GetProcAddress_ is a helper defined outside this listing; presumably it
// resolves an export by ordinal - verify against its definition.
VXDCall := GetProcAddress_(GetModuleHandle(kernel32), 1);
// NOTE(review): VXDCall is declared as Pointer, so @VXDCall is the address of
// the local variable itself and is never nil; a failed lookup is not caught
// here. The intended test is presumably VXDCall = nil.
if @VXDCall = nil then Exit;
asm
// push 020060000h // PC_WRITEABLE | PC_USER | PC_STATIC
push Flag
push 0FFFFFFFFh // Keep all previous bits
push DWORD PTR [np] // dword ptr [mbi+0Ch] # of pages
push DWORD PTR [fp] // dword ptr [ped] page #
push 1000Dh // _PageModifyPermissions (win32_service_table #)
call DWORD PTR [VXDCall] // VxDCall0
end;
// Result := not IsBadWritePtr( Pointer(fa), np*4096 );
// The value returned by the call is not inspected; success is assumed.
Result := True;
end;
except
// Every exception is swallowed silently; the function then returns whatever
// Result held at that point (False unless the call had already returned).
end;
end;
//------------------------------------------------------------------------------
// SetWriteAccess: tries to make the range [Address, Address+Size) writable and
// reports whether a write probe of that range then succeeds.
//   NT branch     : VirtualProtect with PAGE_EXECUTE_READWRITE.
//   non-NT branch : ProtectAddress with PC_USER or PC_STATIC or PC_WRITEABLE.
//   Returns       : True only if the protection call succeeded and
//                   IsBadWritePtr reports the range as writable.
// NOTE(review): the previous protection returned by VirtualProtect is
// discarded, so a caller cannot restore the original page rights and the range
// is left writable and executable at the same time.
// NOTE(review): IsBadWritePtr is documented by Microsoft as obsolete; its
// answer is only a snapshot and should not be relied on as a safety check.
function SetWriteAccess( Address, Size : DWORD ) : Boolean;
var
  PreviousProtection : DWORD;
  Unlocked : Boolean;
begin
  Result := False;
  // Choose the platform-specific way of requesting write permission.
  if IsNT then
    Unlocked := VirtualProtect( Pointer(Address), Size, PAGE_EXECUTE_READWRITE, PreviousProtection )
  else
    Unlocked := ProtectAddress( Address, PC_USER or PC_STATIC or PC_WRITEABLE );
  // Probe the range only when the request itself reported success.
  if Unlocked then
    Result := not IsBadWritePtr( Pointer(Address), Size );
end;
//------------------------------------------------------------------------------
// SetReadAccess: tries to drop write permission on [Address, Address+Size) and
// reports whether a write probe of that range then fails.
//   NT branch     : VirtualProtect with PAGE_EXECUTE_READ.
//   non-NT branch : ProtectAddress with PC_USER or PC_STATIC.
//   Returns       : True only if the protection call succeeded and
//                   IsBadWritePtr reports the range as NOT writable.
// NOTE(review): on the non-NT branch ProtectAddress pushes 0FFFFFFFFh with the
// comment "Keep all previous bits"; if Flag is only OR-ed in, omitting
// PC_WRITEABLE here would presumably not clear an existing writable bit.
// Confirm against the service's semantics.
// NOTE(review): the previous protection returned by VirtualProtect is
// discarded, and IsBadWritePtr is documented by Microsoft as obsolete.
function SetReadAccess( Address, Size : DWORD ) : Boolean;
var
  PreviousProtection : DWORD;
  Applied : Boolean;
begin
  Result := False;
  // Choose the platform-specific way of requesting read/execute-only rights.
  if IsNT then
    Applied := VirtualProtect( Pointer(Address), Size, PAGE_EXECUTE_READ, PreviousProtection )
  else
    Applied := ProtectAddress( Address, PC_USER or PC_STATIC );
  // A range that can no longer be written counts as success.
  if Applied then
    Result := IsBadWritePtr( Pointer(Address), Size );
end;
br, nerst