Nytro

[Delphi] API Spoofing


[snippet] API Spoofing

Author: carbon (cred)

// Copies dwSize bytes from Source to Destination, one byte at a time, using REP MOVSB.
//   Destination - address that receives the bytes
//   Source      - address the bytes are read from
//   dwSize      - number of bytes to copy
// ECX, ESI and EDI are saved on entry and restored on exit.
// NOTE(review): no CLD is executed, so the copy direction depends on the direction
// flag being clear on entry - presumably guaranteed by the calling convention; confirm.
// NOTE(review): the parameter names are used directly as operands; presumably they
// resolve to registers under Delphi's default 32-bit register convention - confirm
// before changing the order of the MOV instructions.
procedure CopyMemory(Destination, Source:Pointer; dwSize:DWORD);
asm
PUSH ECX
PUSH ESI
PUSH EDI
MOV EDI, Destination // EDI = write pointer for MOVSB
MOV ESI, Source // ESI = read pointer for MOVSB
MOV ECX, dwSize // ECX = repeat count
REP MOVSB // copy ECX bytes from [ESI] to [EDI]
POP EDI
POP ESI
POP ECX
end;

// Demonstration body: overwrites the first 10 bytes of user32!GetTopWindow in the
// current process with a small stub that jumps into user32!MessageBoxA, then calls
// GetTopWindow through a MessageBoxA-typed function pointer.
//
// What an observer sees: the call site and import table reference GetTopWindow,
// while the code that runs belongs to MessageBoxA.
//
// Defensive notes:
//  - After the patch the in-memory bytes of GetTopWindow no longer match the
//    user32.dll image on disk; comparing loaded code sections with the file
//    exposes the change.
//  - The patched page is switched to PAGE_EXECUTE_READWRITE and never restored,
//    leaving a writable and executable page inside a system DLL mapping.
//  - Monitoring that relies only on imported or called API names is misled by
//    this pattern; inspecting the function prologue bytes is not.
//
// NOTE(review): 32-bit x86 only - pointers are cast to DWORD and the stub is x86 code.
var
pMsgBoxA: Pointer; // address of user32!MessageBoxA (jump destination)
pOther: Pointer; // address of user32!GetTopWindow (function that gets overwritten)
pCode: Pointer; // scratch buffer in which the stub is assembled
dwNull: Pointer; // receives the previous page protection from VirtualProtect; never read
// NOTE(review): VirtualProtect writes a DWORD here; Pointer has the same size on
// 32-bit targets only.
dwRelative: DWORD; // distance from GetTopWindow to MessageBoxA
xMessageBoxA: function(hWindow:HWND; lpText:PChar; lpCaption:PChar; uStyle:UINT):UINT; stdcall;
begin
pMsgBoxA := GetProcAddress(LoadLibraryA('user32.dll'), 'MessageBoxA');
pOther := GetProcAddress(LoadLibraryA('user32.dll'), 'GetTopWindow');
// 10-byte scratch buffer; only bytes 0..7 are written below.
// NOTE(review): VirtualAlloc returns zero-filled memory, so bytes 8..9 stay zero and
// are copied over GetTopWindow as well.
pCode := VirtualAlloc(nil, 10, MEM_COMMIT, PAGE_READWRITE);
// NOTE(review): if this check fails while pCode is assigned, pCode is never freed.
if ((Assigned(pMsgBoxA)) and (Assigned(pOther)) and (Assigned(pCode))) then
begin
PByte(pCode)^ := $55; // PUSH EBP
PByte(DWORD(pCode) + 1)^ := $8B; // MOV EBP, ESP - first byte (8B)
PByte(DWORD(pCode) + 2)^ := $EC; // MOV EBP, ESP - second byte (EC)
dwRelative := DWORD(pMsgBoxA) - DWORD(pOther);
PByte(DWORD(pCode) + 3)^ := $E9; // JMP rel32
// The displacement is computed for the stub's final location (pOther), not for pCode.
// The JMP starts at offset 3 and is 5 bytes long, so execution continues from offset 8;
// storing (pMsgBoxA - pOther - 3) makes the jump land at pMsgBoxA + 5, not at pMsgBoxA.
// NOTE(review): presumably relies on MessageBoxA starting with a 5-byte prologue whose
// frame setup the two stub instructions above stand in for - confirm for the
// user32.dll build in use; any other prologue makes this jump land mid-instruction.
PDWORD(DWORD(pCode) + 4)^ := dwRelative - 3; // rel32 operand of the JMP
// Make the start of GetTopWindow writable. The result is not checked, so a failed
// protection change is followed by a write to a read-only page.
VirtualProtect(pOther, 10, PAGE_EXECUTE_READWRITE, @dwNull);
// Overwrite the first 10 bytes of GetTopWindow; the original bytes are not saved.
CopyMemory(pOther, pCode, 10);
VirtualFree(pCode, 0, MEM_RELEASE);

// Call GetTopWindow with the MessageBoxA signature.
// NOTE(review): GetTopWindow here is presumably the declaration imported from the
// Windows unit, resolving to the same patched function - confirm.
xMessageBoxA := Pointer(@GetTopWindow);

xMessageBoxA(0, 'Spoofed API', 'TEST', 0);

end;
end.
