Cracker Handbook 1.0 part 191 potx

Cracker Handbook 1.0 part 191 potx


Thông tin tài liệu

Type PJMP = ^TJMP ; TJMP = packed record // 7 bytes jma1 : Byte ; jcod : pointer; jma2 : word ; end; var MJMP,OJMP : TJMP; // D/c ham FreeLbrary , DeviceIO, Handle of MapView, store; dFreeLib, dAddLib,DLLData,dDctv : pointer ; fAddPro : Thandle ; //Handle of Current Proccess const pLib : pChar = 'kernel32.dll'; pDio : pChar = 'DeviceIoControl'; pFree: pChar = 'FreeLibrary'; pName: pChar = 'TV_PL'; // LKQ: $88 bytes ; 0 $79 store right Result ; // dword [80] = dFreeLib ; [84] = Handle of marfix.dll lKQ : array [0 $87] of byte = ($00,$00,$02,$00,$37,$00,$01,$00,$02,$00,$01,$00,$10,$00,$07, $00,$54,$56,$26,$26,$50,$4C,$20,$20,$00,$10,$00,$7A,$80,$A7, $E2,$9A,$A7,$60,$D3,$FC,$BB,$B1,$38,$EE,$DF,$9E,$DE,$30,$00, $04,$00,$18,$0A,$D0,$07,$31,$00,$04,$00,$07,$0B,$DF,$07,$FF, $FF,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00, $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00, $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00, $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00, $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00); // Opcode replace at xxxx1AD0 address lML : array [0 $26] of byte = ($55,$E8,$00,$00,$00,$00,$5D,$8B,$D5,$5D,$81,$E2,$00,$00,$FE, $FF,$8D,$38,$8D,$32,$33,$C9,$83,$C1,$20,$F3,$A5,$8B,$06,$50, $8B,$46,$04,$FF,$D0,$C2,$04,$00,$90); function VietPro( N: Integer): boolean ; stdcall ; var dRead: Dword ; begin Try case N of 0: begin ReadProcessMemory(fAddPro,dAddLib,@OJMP,sizeOf(OJMP),dRead); result :=(dRead =sizeOf(OJMP) ); end; 1: result:= WriteProcessMemory(fAddPro,dAddLib,@OJMP,sizeOf(OJMP),dRead); else result:= WriteProcessMemory(fAddPro,dAddLib,@MJMP,sizeOf(MJMP),dRead); end; except result:= false ; end; end; procedure TVPL ; asm // Check Address mov eax,[esp] mov ecx,eax xor ax, $12EA // 1st call DeviceIoControl return at xxxx12EA test ax, ax jne @tiep // Check Opcode at xxxx215C : call xxxx1DA0 = E8 3F FF FF add ax,$215C cmp dword ptr [eax], $FFFC3FE8 jne @tiep // End check Address // OK, found 
correct memory ; // Un Hook push ecx push 1 call VietPro pop ecx test al, al je @end // Copy LKQ mov eax,ecx // $28Fyyyy xor ax,ax push eax sub eax, $10000 // $28E0000 lea edi,[eax] lea esi, [LKQ[0]] xor ecx, ecx add ecx, $22 // Copy lKQ = $88 bytes vao $28E0000 repz movsd // Replace code at xxxx1DA0 pop eax add ax,$1DA0 lea edi,[eax] lea esi,[LML[0]] xor ecx, ecx add ecx, $27 // Do dai lML! mov eax, ecx shr ecx, $02 repz movsd mov ecx, eax and ecx, $03 repz movsb // Jmp to origin DeviceIoControl push dAddLib // D/c cu DiviceIO ret /// Error , return back call origin @end: mov ecx,[esp] add esp,$24 // restore esp origin push ecx ret /// No, Check Address failed. Call DeviceIoControl ; @tiep:push 1 call VietPro // Un Hook test al, al je @end mov eax,[esp] mov dDctv, eax // Store origin return Address add esp,04 mov eax, dAddLib call eax // call origin DeviceIoControl push eax // store result push 2 call VietPro // Hook again pop eax push dDCtv // Restore origin return Address end; function AutoLoad( FModul: THandle): pointer; stdcall; asm mov ecx, dFreeLib mov eax, DLLData test eax, eax // Hook OK ? 
je @NotOK // No, return @FreeLibrary lea esi,[lKQ[$80]] mov eax, FModul // handle of makfix.dll mov [esi],eax mov [esi+04], ecx // @FreeLibrary xor ecx, ecx @NotOK: mov eax, ecx end; procedure MyDLL(Reason : integer); var fTmp,FHandle : THandle; begin case Reason of DLL_PROCESS_ATTACH: begin fAddPro := GetCurrentProcess ; if fAddPro = 0 then exit; fTmp := GetModuleHandleA(pLib); if fTmp = 0 then exit; dAddLib := GetProcAddress(fTmp,pDio); dFreeLib := GetProcAddress(fTmp,pFree); DLLData = nil ; if (dAddLib = nil) or (dFreeLib=nil) then exit; if VietPro(0)then begin FHandle := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0,$ffff, pName); if FHandle = 0 then if GetLastError = ERROR_ALREADY_EXISTS then begin FHandle := OpenFileMapping(FILE_MAP_ALL_ACCESS, False, pName); if FHandle = 0 then Exit; end else Exit; DLLData := MapViewOfFile(FHandle, FILE_MAP_ALL_ACCESS,0,0,0); if DLLData = nil then begin CloseHandle(FHandle); exit; end; MJMP.jma1 := $B8 ; MJMP.jcod := @TVPL ; // mov eax, @TVPL MJMP.jma2 := $E0FF ; // jmp eax if not VietPro(2)then begin if Assigned(DLLData) then UnmapViewOfFile(DLLData); DLLData := nil; end; end; end; . $FF, $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 ,. $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 ); // Opcode replace at xxxx1AD0 address lML : array [0 $26] of byte = ($55,$E8, $00 , $00 , $00 , $00 ,$5D,$8B,$D5,$5D,$ 81, $E2, $00 , $00 ,$FE,. 
$00 ,$54,$56,$26,$26,$ 50, $4C,$ 20, $ 20, $00 , $ 10 , $00 ,$7A,$ 80, $A7, $E2,$9A,$A7,$ 60, $D3,$FC,$BB,$B1,$38,$EE,$DF,$9E,$DE,$ 30, $00 , $04 , $00 , $18 ,$0A,$D0, $07 ,$ 31, $00 , $04 , $00 , $07 ,$0B,$DF, $07 ,$FF, $FF, $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 , $00 ,

Ngày đăng: 03/07/2014, 17:21


