;=========================================================================
; MyOwnHandler - position-independent API-logging hook body
; Target: 32-bit x86, MASM syntax, Win32 user mode.
;
; Saves the general registers, resolves the APIs it needs without an import
; table, appends one record (API name, return address, register values) to
; ApiMon.log, restores the registers and transfers control to the address
; stored in ptrApi.
;
; In:    [esp] is read as the hooked API's return address ("called from"),
;        so the handler is presumably entered by a jump from the hooked
;        entry point - TODO confirm against the installer.
; Out:   general registers restored by POPAD; control continues at ptrApi.
; Clobb: EFLAGS (only PUSHAD/POPAD are used, there is no PUSHFD/POPFD).
;
; Review notes (all grounded in the code below):
;  * Code and variables live in one block and the variables are written at
;    run time, so the memory holding the handler must be both writable and
;    executable.
;  * The results of CreateFileA, LoadLibraryA and GetProcAddress are used
;    without being checked.
;  * The export-name scan has no upper bound (NumberOfNames is never read);
;    a name that is not exported makes the scan run past the table.
;  * API resolution is repeated on every invocation, and the scratch
;    variables (szMemory, nSaved, ...) are shared with no locking visible
;    here - concurrent calls would interleave.
;  * szLogPath is a bare file name, so the log is created relative to the
;    current directory of whichever process runs the handler.
;  * Locating kernel32 through the PEB instead of imports is a pattern that
;    security tooling commonly associates with injected code; expect a
;    monitor built this way to be flagged.
;=========================================================================
MyOwnHandler proc near
       pushad                                  ; save EAX..EDI (32-byte frame)

; Delta offset: EBP = run-time address of the label minus its link-time
; address, so [ebp+symbol] reaches 'symbol' wherever the block was copied.
       call   @F
@@:    pop    ebp
       sub    ebp,@B

; Walk the loader data to find a module base.
       assume eax:nothing
       assume fs:flat
       mov    eax,fs:[30h]                     ; PEB
       mov    eax,[eax+0Ch]                    ; PEB.Ldr
       mov    eax,[eax+1Ch]                    ; first entry, initialization-order list
       mov    eax,[eax]                        ; second entry
       mov    eax,[eax+8]                      ; its DllBase
; NOTE(review): the second initialization-order entry is taken to be
; kernel32.dll; that ordering is not guaranteed on every Windows version -
; verify on the targets this runs on.
       mov    [ebp+hKernel],eax

       add    eax,[eax+3Ch]                    ; + e_lfanew -> IMAGE_NT_HEADERS
       assume eax:ptr IMAGE_NT_HEADERS

; DataDirectory[0] is the export directory; convert its RVA to a pointer.
       mov    eax,[eax].OptionalHeader.DataDirectory.VirtualAddress
       add    eax,[ebp+hKernel]
       assume eax:ptr IMAGE_EXPORT_DIRECTORY

; Cache the three export tables as pointers (RVA + module base).
       mov    edx,[eax].AddressOfNames
       add    edx,[ebp+hKernel]
       mov    [ebp+ptrNames],edx

       mov    edx,[eax].AddressOfFunctions
       add    edx,[ebp+hKernel]
       mov    [ebp+ptrFuncs],edx

       mov    edx,[eax].AddressOfNameOrdinals
       add    edx,[ebp+hKernel]
       mov    [ebp+ptrOrdinals],edx

; Copy the nBase field; nBase is only referenced by the disabled line below.
       push   [eax].nBase
       pop    [ebp+nBase]

; --- Resolve LoadLibraryA and GetProcAddress by export name -------------
; EBX = byte index (0, 4) into dwArray1 / dwArray2 / aLoadLibraryA.
; EDX = cursor into the export name-pointer table.
       sub    ebx,ebx
       mov    edx,[ebp+ptrNames]
       assume eax:nothing

CheckMore:
       mov    ecx,[edx]                        ; RVA of current export name
       add    ecx,[ebp+hKernel]                ; -> export name string
       mov    esi,[ebp+ebx+dwArray1]           ; wanted length, NUL included
       mov    edi,[ebp+ebx+dwArray2]           ; link-time offset of wanted name
       add    edi,ebp                          ; relocate with the delta
       push   ebx                              ; BL is the compare scratch

; Compare backwards from the terminating NUL; because the NUL is part of
; the comparison, only an exact name match succeeds.
@@:    dec    esi
       js     @F                               ; index went negative: all bytes equal
       mov    bl,[ecx+esi]
       cmp    bl,[edi+esi]
       jz     @B

; Mismatch: advance to the next export name. NOTE(review): nothing stops
; this at NumberOfNames.
       pop    ebx
       add    edx,4
       jmp    CheckMore

; Match: name index -> ordinal-table entry -> function RVA -> address.
@@:    pop    ebx
       sub    edx,[ebp+ptrNames]
       shr    edx,2                            ; byte offset -> name index
; Disabled: the name index addresses the ordinal table directly, and that
; table already holds indexes into AddressOfFunctions, so no base is added.
;      add    edx,[ebp+nBase]

       mov    ecx,[ebp+ptrOrdinals]
       movzx  ecx,word ptr [ecx+edx*2]

       mov    edx,[ebp+ptrFuncs]
       mov    edx,[edx+ecx*4]
       add    edx,[ebp+hKernel]

       mov    [ebp+ebx+aLoadLibraryA],edx      ; slot 0 / slot 1 of the pair
       mov    edx,[ebp+ptrNames]               ; rewind the scan for the next name
       add    ebx,4
       cmp    ebx,ebx_max
       jnz    CheckMore

; --- Resolve the file APIs with GetProcAddress(hKernel, name) -----------
; Relies on aCreateFileA..aSetFilePointer being laid out in the same order
; as the dwApis table. Returned pointers are stored unchecked.
       sub    ebx,ebx

@@:    mov    eax,[ebp+ebx+dwApis]
       add    eax,ebp                          ; relocate the name pointer

       push   eax
       push   [ebp+hKernel]
       call   [ebp+aGetProcAddressA]
       mov    [ebp+ebx+aCreateFileA],eax
       add    ebx,4
       cmp    ebx,api_max
       jnz    @B

; wsprintfA comes from user32.dll: LoadLibraryA, then GetProcAddress.
       lea    eax,[ebp+szUser32]
       push   eax
       call   [ebp+aLoadLibraryA]

       lea    edx,[ebp+szWsprintf]
       push   edx
       push   eax
       call   [ebp+aGetProcAddressA]
       mov    [ebp+aWsprintf],eax

; CreateFileA(szLogPath, GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_ALWAYS,
;             FILE_ATTRIBUTE_NORMAL, 0); EBX = log handle.
; NOTE(review): the handle is not compared with INVALID_HANDLE_VALUE.
       push   0
       push   FILE_ATTRIBUTE_NORMAL
       push   OPEN_ALWAYS
       push   0
       push   FILE_SHARE_READ
       push   GENERIC_WRITE
       lea    eax,[ebp+szLogPath]
       push   eax
       call   [ebp+aCreateFileA]
       mov    ebx,eax

; SetFilePointer(hLog, 0, 0, FILE_END): position at the end to append.
       push   FILE_END
       push   0
       push   0
       push   ebx
       call   [ebp+aSetFilePointer]

; Build the record with wsprintfA(szMemory, szFormat, szApiName, caller,
; EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP). ESP points at the PUSHAD frame:
;   +0 EDI  +4 ESI  +8 EBP  +12 ESP  +16 EBX  +20 EDX  +24 ECX  +28 EAX
;   +32 value logged as "called from"
; In each push below the first term is the frame offset and the second is
; the number of bytes already pushed for this call.
; NOTE(review): the value logged as ESP is esp-32, which is 64 bytes below
; the ESP the handler was entered with (esp+32 here, also available as the
; PUSHAD-saved ESP at [esp+12]) - looks like a sign slip; confirm intent.
       lea    eax,[esp-32]
       lea    edx,[ebp+szApiName]
       lea    esi,[ebp+szFormat]
       lea    edi,[ebp+szMemory]
       push   eax                              ; ESP field
       push   [esp+08+04]                      ; EBP
       push   [esp+00+08]                      ; EDI
       push   [esp+04+12]                      ; ESI
       push   [esp+20+16]                      ; EDX
       push   [esp+24+20]                      ; ECX
       push   [esp+16+24]                      ; EBX
       push   [esp+28+28]                      ; EAX
       push   [esp+32+32]                      ; "called from"
       push   edx                              ; %s = szApiName
       push   esi                              ; format string
       push   edi                              ; output buffer
       call   [ebp+aWsprintf]
       add    esp,12*4                         ; twelve dwords removed by the caller

; WriteFile(hLog, szMemory, length returned by wsprintfA, &nSaved, 0).
       lea    edx,[ebp+nSaved]
       push   0
       push   edx
       push   eax
       push   edi
       push   ebx
       call   [ebp+aWriteFile]

       push   ebx
       call   [ebp+aCloseHandle]

; Restore the registers, then "push imm32 / ret": 68h is the PUSH imm32
; opcode and ptrApi is its operand, so RET continues at the address held in
; ptrApi. The visible code never writes ptrApi; presumably the installer
; patches it, and with the initial 0 the RET would go to address 0.
       popad
       db     68h
ptrApi dd     0
       ret

;=========================================================================
; Data, addressed through the EBP delta. It sits inside the procedure, so it
; shares the handler's memory block.
;
; Log record template: one %s and nine %08X fields.
szFormat          db "Function: %s was called from: %08X",13,10
                  db "Registers:",13,10
                  db "EAX: %08X",13,10
                  db "EBX: %08X",13,10
                  db "ECX: %08X",13,10
                  db "EDX: %08X",13,10
                  db "ESI: %08X",13,10
                  db "EDI: %08X",13,10
                  db "EBP: %08X",13,10
                  db "ESP: %08X",13,10,13,10,0
; Output buffer size: template length + 256 (the size of szApiName) + 4
; extra characters for each of the nine %08X fields (4 in the template,
; 8 when expanded).
format_l          =  ((($-szFormat)+256)+9*4)

szMemory          db format_l dup(0)

; Names resolved through GetProcAddress. The a* slots must stay in the same
; order as dwApis; api_max is the table size in bytes.
szCreateFileA     db "CreateFileA",0
szWriteFile       db "WriteFile",0
szCloseHandle     db "CloseHandle",0
szSetFilePointer  db "SetFilePointer",0
aCreateFileA      dd 0
aWriteFile        dd 0
aCloseHandle      dd 0
aSetFilePointer   dd 0
dwApis            dd offset szCreateFileA
                  dd offset szWriteFile
                  dd offset szCloseHandle
                  dd offset szSetFilePointer
api_max           =  $-dwApis

szUser32          db "user32.dll",0
szWsprintf        db "wsprintfA",0
aWsprintf         dd 0

; Names located by scanning the export table; load_l and get_l include the
; terminating NUL.
szLoadLibraryA    db "LoadLibraryA",0
load_l            =  $-szLoadLibraryA
szGetProcAddressA db "GetProcAddress",0
get_l             =  $-szGetProcAddressA

; Parallel tables indexed by EBX in the CheckMore loop: lengths, then
; link-time name offsets (relocated with EBP at run time).
dwArray1          dd load_l
                  dd get_l
dwArray2          dd offset szLoadLibraryA
                  dd offset szGetProcAddressA

; Result slots for the scan; ebx_max is their size in bytes.
aLoadLibraryA     dd 0
aGetProcAddressA  dd 0
ebx_max           =  $-aLoadLibraryA

; Scratch filled in on every invocation. ptrExport is not referenced by the
; code visible here.
hKernel           dd 0
nBase             dd 0
nSaved            dd 0
ptrExport         dd 0
ptrNames          dd 0
ptrOrdinals       dd 0
ptrFuncs          dd 0

; szApiName is only read here (as the %s argument); presumably the
; installer stores the hooked API's name in it - TODO confirm.
szApiName         db 256 dup(0)
; Log file name, zero-padded to MAX_PATH bytes.
szLogPath         db "ApiMon.log"
log_l             =  (MAX_PATH-($-szLogPath))
                  db log_l dup(0)
MyOwnHandler      endp
; Size in bytes of the whole handler, code plus data.
handler_l         =  $-MyOwnHandler
