EinTim
/
Ethereal
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

removed useless stuff

This commit is contained in:
EinTim 2022-09-09 21:52:56 +02:00
parent dd36c535a7
commit b07114f62f
4 changed files with 16 additions and 445 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
dll/HEH/MinHook.h
View File

@ -1,185 +0,0 @@
/*
* MinHook - The Minimalistic API Hooking Library for x64/x86
* Copyright (C) 2009-2017 Tsuda Kageyu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
* OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#pragma once
#if !(defined _M_IX86) && !(defined _M_X64) && !(defined __i386__) && !(defined __x86_64__)
#error MinHook supports only x86 and x64 systems.
#endif
#include <windows.h>
// MinHook Error Codes.
typedef enum MH_STATUS
{
// Unknown error. Should not be returned.
MH_UNKNOWN = -1,
// Successful.
MH_OK = 0,
// MinHook is already initialized.
MH_ERROR_ALREADY_INITIALIZED,
// MinHook is not initialized yet, or already uninitialized.
MH_ERROR_NOT_INITIALIZED,
// The hook for the specified target function is already created.
MH_ERROR_ALREADY_CREATED,
// The hook for the specified target function is not created yet.
MH_ERROR_NOT_CREATED,
// The hook for the specified target function is already enabled.
MH_ERROR_ENABLED,
// The hook for the specified target function is not enabled yet, or already
// disabled.
MH_ERROR_DISABLED,
// The specified pointer is invalid. It points the address of non-allocated
// and/or non-executable region.
MH_ERROR_NOT_EXECUTABLE,
// The specified target function cannot be hooked.
MH_ERROR_UNSUPPORTED_FUNCTION,
// Failed to allocate memory.
MH_ERROR_MEMORY_ALLOC,
// Failed to change the memory protection.
MH_ERROR_MEMORY_PROTECT,
// The specified module is not loaded.
MH_ERROR_MODULE_NOT_FOUND,
// The specified function is not found.
MH_ERROR_FUNCTION_NOT_FOUND
}
MH_STATUS;
// Can be passed as a parameter to MH_EnableHook, MH_DisableHook,
// MH_QueueEnableHook or MH_QueueDisableHook.
#define MH_ALL_HOOKS NULL
#ifdef __cplusplus
extern "C" {
#endif
// Initialize the MinHook library. You must call this function EXACTLY ONCE
// at the beginning of your program.
MH_STATUS WINAPI MH_Initialize(VOID);
// Uninitialize the MinHook library. You must call this function EXACTLY
// ONCE at the end of your program.
MH_STATUS WINAPI MH_Uninitialize(VOID);
// Creates a hook for the specified target function, in disabled state.
// Parameters:
// pTarget [in] A pointer to the target function, which will be
// overridden by the detour function.
// pDetour [in] A pointer to the detour function, which will override
// the target function.
// ppOriginal [out] A pointer to the trampoline function, which will be
// used to call the original target function.
// This parameter can be NULL.
MH_STATUS WINAPI MH_CreateHook(LPVOID pTarget, LPVOID pDetour, LPVOID *ppOriginal);
// Creates a hook for the specified API function, in disabled state.
// Parameters:
// pszModule [in] A pointer to the loaded module name which contains the
// target function.
// pszProcName [in] A pointer to the target function name, which will be
// overridden by the detour function.
// pDetour [in] A pointer to the detour function, which will override
// the target function.
// ppOriginal [out] A pointer to the trampoline function, which will be
// used to call the original target function.
// This parameter can be NULL.
MH_STATUS WINAPI MH_CreateHookApi(
LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID *ppOriginal);
// Creates a hook for the specified API function, in disabled state.
// Parameters:
// pszModule [in] A pointer to the loaded module name which contains the
// target function.
// pszProcName [in] A pointer to the target function name, which will be
// overridden by the detour function.
// pDetour [in] A pointer to the detour function, which will override
// the target function.
// ppOriginal [out] A pointer to the trampoline function, which will be
// used to call the original target function.
// This parameter can be NULL.
// ppTarget [out] A pointer to the target function, which will be used
// with other functions.
// This parameter can be NULL.
MH_STATUS WINAPI MH_CreateHookApiEx(
LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID *ppOriginal, LPVOID *ppTarget);
// Removes an already created hook.
// Parameters:
// pTarget [in] A pointer to the target function.
MH_STATUS WINAPI MH_RemoveHook(LPVOID pTarget);
// Enables an already created hook.
// Parameters:
// pTarget [in] A pointer to the target function.
// If this parameter is MH_ALL_HOOKS, all created hooks are
// enabled in one go.
MH_STATUS WINAPI MH_EnableHook(LPVOID pTarget);
// Disables an already created hook.
// Parameters:
// pTarget [in] A pointer to the target function.
// If this parameter is MH_ALL_HOOKS, all created hooks are
// disabled in one go.
MH_STATUS WINAPI MH_DisableHook(LPVOID pTarget);
// Queues to enable an already created hook.
// Parameters:
// pTarget [in] A pointer to the target function.
// If this parameter is MH_ALL_HOOKS, all created hooks are
// queued to be enabled.
MH_STATUS WINAPI MH_QueueEnableHook(LPVOID pTarget);
// Queues to disable an already created hook.
// Parameters:
// pTarget [in] A pointer to the target function.
// If this parameter is MH_ALL_HOOKS, all created hooks are
// queued to be disabled.
MH_STATUS WINAPI MH_QueueDisableHook(LPVOID pTarget);
// Applies all queued changes in one go.
MH_STATUS WINAPI MH_ApplyQueued(VOID);
// Translates the MH_STATUS to its name as a string.
const char * WINAPI MH_StatusToString(MH_STATUS status);
#ifdef __cplusplus
}
#endif

BIN
dll/HEH/MinHook.lib
View File

Binary file not shown.

28
dll/HEH/dllmain.cpp
View File

@ -1,11 +1,9 @@
#define _CRT_SECURE_NO_WARNINGS #define _CRT_SECURE_NO_WARNINGS
#include "MinHook.h"
#include <thread> #include <thread>
#include <filesystem> #include <filesystem>
#include <fstream> #include <fstream>
#include <string> #include <string>
#include <sstream> #include <sstream>
#include "obfuscate.h"
HANDLE p; HANDLE p;
void patch(PVOID address, int opCode, int bytes) { void patch(PVOID address, int opCode, int bytes) {
DWORD protectbak, dumbshit; DWORD protectbak, dumbshit;
@ -19,9 +17,7 @@ void patchm(PVOID address, std::vector<char> bytes, int size) {
memcpy(address, bytes.data(), size); memcpy(address, bytes.data(), size);
VirtualProtect(address, size, protectbak, &dumbshit); VirtualProtect(address, size, protectbak, &dumbshit);
} }
bool neger = true;
void log(const char* msg) { void log(const char* msg) {
if (neger) {
time_t currentTime; time_t currentTime;
struct tm* localTime; struct tm* localTime;
time(&currentTime); time(&currentTime);
@ -29,36 +25,34 @@ void log(const char* msg) {
printf("[%02d:%02d:%02d] %s\n", localTime->tm_hour, localTime->tm_min, localTime->tm_sec, msg); printf("[%02d:%02d:%02d] %s\n", localTime->tm_hour, localTime->tm_min, localTime->tm_sec, msg);
} }
}
__declspec(dllexport) void lessgo(HMODULE hmod) { __declspec(dllexport) void lessgo(HMODULE hmod) {
AllocConsole(); AllocConsole();
p = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId()); p = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
freopen("CONOUT$", "w", stdout); freopen("CONOUT$", "w", stdout);
DWORD64 mod = (DWORD64)LoadLibraryA(std::string(AY_OBFUSCATE("C:\\Ethereal\\Ethereal.dll")).c_str()); DWORD64 mod = (DWORD64)LoadLibraryA(std::string("C:\\Ethereal\\Ethereal.dll").c_str());
std::stringstream ss; std::stringstream ss;
ss << std::hex << mod; ss << std::hex << mod;
patch((void*)(mod + 0x000000000004A980), 0xB8, 1); patch((void*)(mod + 0x000000000004A980), 0xB8, 1);
log(AY_OBFUSCATE("Applied patch 1/10")); log("Applied patch 1/10");
patch((void*)(mod + 0x000000000004A981), 0x01, 1); patch((void*)(mod + 0x000000000004A981), 0x01, 1);
log(AY_OBFUSCATE("Applied patch 2/10")); log("Applied patch 2/10");
patch((void*)(mod + 0x000000000004A982), 0x00, 1); patch((void*)(mod + 0x000000000004A982), 0x00, 1);
log(AY_OBFUSCATE("Applied patch 3/10")); log("Applied patch 3/10");
patch((void*)(mod + 0x000000000004A983), 0x00, 1); patch((void*)(mod + 0x000000000004A983), 0x00, 1);
log(AY_OBFUSCATE("Applied patch 4/10")); log("Applied patch 4/10");
patch((void*)(mod + 0x000000000004A984), 0x00, 1); patch((void*)(mod + 0x000000000004A984), 0x00, 1);
log(AY_OBFUSCATE("Applied patch 5/10")); log("Applied patch 5/10");
patch((void*)(mod + 0x000000000004A985), 0xC3, 1); patch((void*)(mod + 0x000000000004A985), 0xC3, 1);
log(AY_OBFUSCATE("Applied patch 6/10")); log("Applied patch 6/10");
patch((void*)(mod + 0x000000000004A986), 0x90, 1); patch((void*)(mod + 0x000000000004A986), 0x90, 1);
log(AY_OBFUSCATE("Applied patch 7/10")); log("Applied patch 7/10");
patch((void*)(mod + 0x000000000004A987), 0x90, 1); patch((void*)(mod + 0x000000000004A987), 0x90, 1);
log(AY_OBFUSCATE("Applied patch 8/10")); log("Applied patch 8/10");
patch((void*)(mod + 0x000000000004A988), 0x90, 1); patch((void*)(mod + 0x000000000004A988), 0x90, 1);
log(AY_OBFUSCATE("Applied patch 9/10")); log("Applied patch 9/10");
patch((void*)(mod + 0x000000000004A989), 0x90, 1); patch((void*)(mod + 0x000000000004A989), 0x90, 1);
log(AY_OBFUSCATE("Applied patch 10/10")); log("Applied patch 10/10");
while (FindWindowA(0, "Ethereal") == NULL) Sleep(100); while (FindWindowA(0, "Ethereal") == NULL) Sleep(100);
HWND w = FindWindowA(0, "Ethereal"); HWND w = FindWindowA(0, "Ethereal");

238
dll/HEH/obfuscate.h
View File

@ -1,238 +0,0 @@
#pragma once
/* --------------------------------- ABOUT -------------------------------------
Original Author: Adam Yaxley
Website: https://github.com/adamyaxley
License: See end of file
Obfuscate
Guaranteed compile-time string literal obfuscation library for C++14
Usage:
Pass string literals into the AY_OBFUSCATE macro to obfuscate them at compile
time. AY_OBFUSCATE returns a reference to an ay::obfuscated_data object with the
following traits:
- Guaranteed obfuscation of string
The passed string is encrypted with a simple XOR cipher at compile-time to
prevent it being viewable in the binary image
- Global lifetime
The actual instantiation of the ay::obfuscated_data takes place inside a
lambda as a function level static
- Implicitly convertable to a char*
This means that you can pass it directly into functions that would normally
take a char* or a const char*
Example:
const char* obfuscated_string = AY_OBFUSCATE("Hello World");
std::cout << obfuscated_string << std::endl;
----------------------------------------------------------------------------- */
// Workaround for __LINE__ not being constexpr when /ZI (Edit and Continue) is enabled in Visual Studio
// See: https://developercommunity.visualstudio.com/t/-line-cannot-be-used-as-an-argument-for-constexpr/195665
#ifdef _MSC_VER
#define AY_CAT(X,Y) AY_CAT2(X,Y)
#define AY_CAT2(X,Y) X##Y
#define AY_LINE int(AY_CAT(__LINE__,U))
#else
#define AY_LINE __LINE__
#endif
#ifndef AY_OBFUSCATE_DEFAULT_KEY
// The default 64 bit key to obfuscate strings with.
// This can be user specified by defining AY_OBFUSCATE_DEFAULT_KEY before
// including obfuscate.h
#define AY_OBFUSCATE_DEFAULT_KEY ay::generate_key(AY_LINE)
#endif
namespace ay
{
using size_type = unsigned long long;
using key_type = unsigned long long;
// Generate a pseudo-random key that spans all 8 bytes
constexpr key_type generate_key(key_type seed)
{
// Use the MurmurHash3 64-bit finalizer to hash our seed
key_type key = seed;
key ^= (key >> 33);
key *= 0xff51afd7ed558ccd;
key ^= (key >> 33);
key *= 0xc4ceb9fe1a85ec53;
key ^= (key >> 33);
// Make sure that a bit in each byte is set
key |= 0x0101010101010101ull;
return key;
}
// Obfuscates or deobfuscates data with key
constexpr void cipher(char* data, size_type size, key_type key)
{
// Obfuscate with a simple XOR cipher based on key
for (size_type i = 0; i < size; i++)
{
data[i] ^= char(key >> ((i % 8) * 8));
}
}
// Obfuscates a string at compile time
template <size_type N, key_type KEY>
class obfuscator
{
public:
// Obfuscates the string 'data' on construction
constexpr obfuscator(const char* data)
{
// Copy data
for (size_type i = 0; i < N; i++)
{
m_data[i] = data[i];
}
// On construction each of the characters in the string is
// obfuscated with an XOR cipher based on key
cipher(m_data, N, KEY);
}
constexpr const char* data() const
{
return &m_data[0];
}
constexpr size_type size() const
{
return N;
}
constexpr key_type key() const
{
return KEY;
}
private:
char m_data[N]{};
};
// Handles decryption and re-encryption of an encrypted string at runtime
template <size_type N, key_type KEY>
class obfuscated_data
{
public:
obfuscated_data(const obfuscator<N, KEY>& obfuscator)
{
// Copy obfuscated data
for (size_type i = 0; i < N; i++)
{
m_data[i] = obfuscator.data()[i];
}
}
~obfuscated_data()
{
// Zero m_data to remove it from memory
for (size_type i = 0; i < N; i++)
{
m_data[i] = 0;
}
}
// Returns a pointer to the plain text string, decrypting it if
// necessary
operator char* ()
{
decrypt();
return m_data;
}
// Manually decrypt the string
void decrypt()
{
if (m_encrypted)
{
cipher(m_data, N, KEY);
m_encrypted = false;
}
}
// Manually re-encrypt the string
void encrypt()
{
if (!m_encrypted)
{
cipher(m_data, N, KEY);
m_encrypted = true;
}
}
// Returns true if this string is currently encrypted, false otherwise.
bool is_encrypted() const
{
return m_encrypted;
}
private:
// Local storage for the string. Call is_encrypted() to check whether or
// not the string is currently obfuscated.
char m_data[N];
// Whether data is currently encrypted
bool m_encrypted{ true };
};
// This function exists purely to extract the number of elements 'N' in the
// array 'data'
template <size_type N, key_type KEY = AY_OBFUSCATE_DEFAULT_KEY>
constexpr auto make_obfuscator(const char(&data)[N])
{
return obfuscator<N, KEY>(data);
}
}
// Obfuscates the string 'data' at compile-time and returns a reference to a
// ay::obfuscated_data object with global lifetime that has functions for
// decrypting the string and is also implicitly convertable to a char*
#define AY_OBFUSCATE(data) AY_OBFUSCATE_KEY(data, AY_OBFUSCATE_DEFAULT_KEY)
// Obfuscates the string 'data' with 'key' at compile-time and returns a
// reference to a ay::obfuscated_data object with global lifetime that has
// functions for decrypting the string and is also implicitly convertable to a
// char*
#define AY_OBFUSCATE_KEY(data, key) \
[]() -> ay::obfuscated_data<sizeof(data)/sizeof(data[0]), key>& { \
static_assert(sizeof(decltype(key)) == sizeof(ay::key_type), "key must be a 64 bit unsigned integer"); \
static_assert((key) >= (1ull << 56), "key must span all 8 bytes"); \
constexpr auto n = sizeof(data)/sizeof(data[0]); \
constexpr auto obfuscator = ay::make_obfuscator<n, key>(data); \
static auto obfuscated_data = ay::obfuscated_data<n, key>(obfuscator); \
return obfuscated_data; \
}()
/* -------------------------------- LICENSE ------------------------------------
Public Domain (http://www.unlicense.org)
This is free and unencumbered software released into the public domain.
Anyone is free to copy, modify, publish, use, compile, sell, or distribute this
software, either in source code form or as a compiled binary, for any purpose,
commercial or non-commercial, and by any means.
In jurisdictions that recognize copyright laws, the author or authors of this
software dedicate any and all copyright interest in the software to the public
domain. We make this dedication for the benefit of the public at large and to
the detriment of our heirs and successors. We intend this dedication to be an
overt act of relinquishment in perpetuity of all present and future rights to
this software under copyright law.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
----------------------------------------------------------------------------- */