void EV_cbVirtualProtect()
{
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
BYTE* header_code=(BYTE*)malloc2(0x1000);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (void*)(sec_addr-0x1000), header_code, 0x1000, 0);
if(*(unsigned short*)header_code != 0x5A4D) //not a PE file
{
free2(header_code);
return;
}
free2(header_code);
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
sec_data=(BYTE*)malloc2(sec_size);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
unsigned int SetEnvA=0,SetEnvW=0;
SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
}
}
//SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvW);
SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
}
}
//SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvA);
}
void EV_cbVirtualProtect()
{
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
sec_data=(BYTE*)malloc2(sec_size);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
unsigned int SetEnvA=0,SetEnvW=0;
SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
}
}
SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
}
}
SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
}
void EV_cbOpenMutexA()
{
char mutex_name[20]="";
long mutex_addr=0;
long esp_addr=0;
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART);
esp_addr=(long)GetContextData(UE_ESP)+12;
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)esp_addr, &mutex_addr, 4, 0);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0);
CreateMutexA(0, FALSE, mutex_name);
if(GetLastError()==ERROR_SUCCESS)
{
SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)EV_cbVirtualProtect);
}
else
{
char EV_log_message[256]="";
sprintf(EV_log_message, "[Fail] Failed to create mutex %s", mutex_name);
EV_FatalError(EV_log_message);
}
}
