format PE CONSOLE 4.0
entry start

;include 'win32a.inc'
include 'c:\fasm\include\win32ax.inc'

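section '.data' data readable writeable

  ; A Win32 HMODULE and an export address are both 32-bit values, so each
  ; needs a full dword. Declared as words, the dword stores in the code
  ; overwrote the bytes that follow them (the start of DLLName and the low
  ; half of hConsole respectively).
  DLLHandle	  dd ?
  DLLName	  db 'advapi32.dll',0

  DLLFunctionAddr dd ?

  hConsole	  dd ?
  tmp		  dd ?			; receives the chars-written count from WriteConsole
  tmp_buf	  db 256 dup(?)
  tmp_buf2	  db 256 dup(?)		; wsprintf output; the formatted lines below are far shorter than 256

  ; Fixed console messages. Each length is computed by the assembler so it
  ; cannot drift from the text (the failure message was previously written
  ; with a length two bytes longer than the string).
  msgBanner1	  db "Original USB devices enumerator v1.0      (arafel, tsech@mail.ru)",13,10
  msgBanner1_len  = $ - msgBanner1
  msgBanner2	  db "Modified, for use as an API interceptor, by: StakFallT",13,10,13,10
  msgBanner2_len  = $ - msgBanner2
  msgLocating	  db "Locating Memory Address of CryptAcquireContext for interception...",13,10
  msgLocating_len = $ - msgLocating
  msgNoModule	  db "GetModuleHandle on advapi32.dll returned 0 (failed)!",13,10
  msgNoModule_len = $ - msgNoModule
  msgNoProc	  db "GetProcAddr on CryptAcquireContextA returned 0 (failed)!",13,10
  msgNoProc_len   = $ - msgNoProc

;-----------------------------------------------------------------------------
; Uninitialized data
;-----------------------------------------------------------------------------
;.data?



section '.code' code readable executable

;-----------------------------------------------------------------------------
; start - program entry point (Win32, stdcall APIs via invoke/cinvoke)
;
; Prints a banner, looks up the already-loaded advapi32.dll module, resolves
; the address of its CryptAcquireContextA export and prints both values.
; Every failure path prints a message (when a console is available) and
; falls through to ExitProcess.
;-----------------------------------------------------------------------------
  start:

	invoke	GetStdHandle, -11			; -11 = standard output handle
	cmp	eax, INVALID_HANDLE_VALUE
	je	end_loop
	test	eax, eax				; NULL: the process has no standard output
	jz	end_loop
	mov	[hConsole], eax

	invoke	WriteConsole, [hConsole], msgBanner1, msgBanner1_len, tmp, 0
	invoke	WriteConsole, [hConsole], msgBanner2, msgBanner2_len, tmp, 0

	; GetModuleHandle takes exactly one argument; an extra push on a
	; stdcall API leaves the stack unbalanced after the call.
	; It only finds modules that are already mapped into this process, so
	; a NULL return must be handled before the handle is used.
	invoke	GetModuleHandle, DLLName
	test	eax, eax
	jz	GetModuleHandleFailed
	mov	[DLLHandle], eax

	; Pass the handle value ([DLLHandle]), not the address of the variable.
	; wsprintf returns the number of characters stored, which is the exact
	; length to hand to WriteConsole.
	cinvoke wsprintf, tmp_buf2, <"ADVAPI32.dll handle: %i",13,10>, [DLLHandle]
	invoke	WriteConsole, [hConsole], tmp_buf2, eax, tmp, 0

	invoke	WriteConsole, [hConsole], msgLocating, msgLocating_len, tmp, 0

	; GetProcAddress takes two arguments. advapi32 exports the ANSI and
	; wide variants (CryptAcquireContextA / CryptAcquireContextW); there is
	; no undecorated "CryptAcquireContext" export, so that lookup can only
	; return NULL.
	invoke	GetProcAddress, [DLLHandle], "CryptAcquireContextA"
	test	eax, eax
	jz	AcquireCryptAcquireContextAddrFailed

	AcquireCryptAcquireContextAddrPassed:
		mov	[DLLFunctionAddr], eax
		cinvoke wsprintf, tmp_buf2, <"CryptAcquireContext Memory Address: %li", 13, 10>, [DLLFunctionAddr]
		invoke	WriteConsole, [hConsole], tmp_buf2, eax, tmp, 0
		; The former second WriteConsole call dumped 15 raw bytes starting
		; at DLLFunctionAddr (the pointer plus neighbouring variables) to
		; the console; the formatted line above already reports the value.
		jmp	ExitProg

	GetModuleHandleFailed:
		invoke	WriteConsole, [hConsole], msgNoModule, msgNoModule_len, tmp, 0
		jmp	ExitProg

	AcquireCryptAcquireContextAddrFailed:
		invoke	WriteConsole, [hConsole], msgNoProc, msgNoProc_len, tmp, 0

	ExitProg:

  end_loop:
	invoke	ExitProcess, 0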


section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
	  user32,'USER32.DLL',\
	  advapi32,'ADVAPI32.DLL'

  include 'c:\fasm\include\api\kernel32.inc'
  include 'c:\fasm\include\api\user32.inc'
  include 'c:\fasm\include\api\advapi32.inc'
