/*
 * Runtime hook on the HackShield client communication path, installed
 * through a hardware execution breakpoint plus a vectored exception handler.
 *
 * Flow as written: initcontexthook() points DR0 at hs_jmp and registers
 * tgsexceptionhandler; when execution reaches hs_jmp the handler calls
 * hookcommunication(), which swaps the EAX value of the interrupted thread
 * for new_hackshieldcomm and resumes at hs_jmp2. new_hackshieldcomm then
 * filters comm codes 4, 5 and 13 and, for code 4, replaces the kick callback
 * with new_kickproc, which always returns 1.
 *
 * hs_jmp, hs_jmp2 and the 0x50be17 literal are hard-coded, build-specific
 * values for whichever binary this was written against; hs_jmp2 is exactly
 * 6 bytes past hs_jmp.
 *
 * NOTE(review): identifiers appear case-folded by extraction (dword, null,
 * winapi, exception_pointers, ...), so the listing does not compile as shown.
 * The __asm block is MSVC 32-bit inline assembly.
 *
 * Defensive footprint visible in this listing: a vectored exception handler
 * registered by the process, a hardware execution breakpoint (DR0/DR7) set on
 * an anti-cheat code address, and EXCEPTION_SINGLE_STEP raised at that
 * address — all of which a client-side integrity check can inspect.
 */
#define hs_jmp 0x63b31d
#define hs_jmp2 0x63b323

/* Function-pointer types for the hooked entry points.
 * hs_getprocaddress_t / phs_getprocaddress are declared but never used below. */
typedef int (__cdecl *hs_getprocaddress_t)( int hmodule, int a2 );
typedef int (__stdcall *hackshieldcomm_t )( int, void*, void* );
typedef signed int (__stdcall *kickproc_t)( int a1, int a2, int a3 );

hs_getprocaddress_t phs_getprocaddress = null;
hackshieldcomm_t phackshieldcomm = null;   // original comm entry, captured in hookcommunication()
kickproc_t pkickproc = null;               // original kick callback, saved but never called here

// Replacement kick callback: ignores its arguments and always reports 1.
signed int __stdcall new_kickproc( int a1, int a2, int a3 )
{
    return 1;
}

// Replacement for the comm entry captured in hookcommunication().
// hscommcode: the comm code supplied by the caller; param1/param2 are passed
// through unchanged to the original.
// Returns 1 for codes 4, 5 and 13 regardless of what the original returned;
// for any other code returns the original's result.
int __stdcall new_hackshieldcomm( int hscommcode, void *param1, void *param2 )
{
    if( hscommcode == 4 || hscommcode == 5 || hscommcode == 13 ) //kill!
    {
        if( hscommcode == 4 ) //replace kick proc
        {
            // param1 is treated as a pointer to a function pointer (the kick
            // callback): the original is saved in pkickproc and overwritten
            // with new_kickproc before the call is forwarded.
            dword *dwparam1 = (dword *)param1;
            pkickproc = (kickproc_t)*dwparam1;
            *dwparam1 = (dword)new_kickproc;
        }
        // The original is still invoked, but its result is stored and
        // discarded; the caller always sees 1.
        int ireturn = phackshieldcomm( hscommcode, param1, param2 );
        return 1;
    }
    int ireturn = phackshieldcomm( hscommcode, param1, param2 );
    return ireturn;
}

// Called from tgsexceptionhandler when the breakpoint at hs_jmp fires.
// Reads the interrupted frame's EBP from the thread context and fetches the
// dword at [ebp+0xc] — presumably the second stack argument of the frame at
// hs_jmp; this assumes a standard EBP-based frame there (not verifiable from
// the listing). If that value is 0xa, EAX (taken to hold the comm function
// pointer at this point) is saved and replaced with new_hackshieldcomm.
// In every case execution is resumed at hs_jmp2, i.e. past the breakpoint.
void hookcommunication( exception_pointers* pexceptioninfo )
{
    dword dwebp = pexceptioninfo->contextrecord->ebp;
    dword dwparam2 = 0;
    __asm
    {
        push eax;
        push edx;
        mov eax, dwebp;
        mov edx, [eax+0xc];   // dwparam2 = *(dword *)(ebp + 0xc)
        mov dwparam2, edx;
        pop edx;
        pop eax;
    }
    if( dwparam2 == 0xa ) //this is the ordinal of some export...hmm..
    {
        phackshieldcomm = (hackshieldcomm_t)pexceptioninfo->contextrecord->eax;
        pexceptioninfo->contextrecord->eax = (dword)new_hackshieldcomm;
    }
    // Resume after the breakpointed instruction so it does not re-trigger.
    pexceptioninfo->contextrecord->eip = hs_jmp2;
    return;
}

// Handle returned by addvectoredexceptionhandler(); never removed in this listing.
pvoid pcontexthandler = null;

// Vectored exception handler. Only EXCEPTION_SINGLE_STEP at exactly hs_jmp is
// handled (via hookcommunication, then continue execution); every other
// exception is passed on with EXCEPTION_CONTINUE_SEARCH.
long winapi tgsexceptionhandler( exception_pointers* pexceptioninfo )
{
    if( pexceptioninfo->exceptionrecord->exceptioncode != exception_single_step )
    {
        return exception_continue_search;
    }
    if( pexceptioninfo->exceptionrecord->exceptionaddress == (pvoid)hs_jmp )
    {
        hookcommunication( pexceptioninfo );
        return exception_continue_execution;
    }
    return exception_continue_search;
}

// Installs the handler and arms the hardware breakpoint on the CURRENT thread
// only; other existing threads and threads created later are not covered.
// The first argument to addvectoredexceptionhandler is a non-zero/zero
// "call first" flag, so 0x50be17 just means "insert at the head of the chain".
void initcontexthook()
{
    pcontexthandler = addvectoredexceptionhandler( 0x50be17, tgsexceptionhandler );
    context context;
    context.contextflags = context_debug_registers;
    getthreadcontext(getcurrentthread(), &context);
    context.dr0 = hs_jmp;
    // Enable bits for local breakpoints 0..3 in DR7; R/W and LEN fields are
    // left zero (execute, 1 byte). Only DR0 is actually assigned above —
    // DR1..DR3 keep whatever getthreadcontext returned.
    context.dr7 = (1<<0)|(1<<2)|(1<<4)|(1<<6);
    setthreadcontext(getcurrentthread(), &context);
}
It was a bit hard to find, so I guess many other lazy people have the same problem. Here is the code; do whatever you want with it.

Again, no credits for me.
Only for GOOGLE.
Yours Sincerely,
Shirusu

