
format PE CONSOLE 4.0
entry start

;include 'win32a.inc'
include '\fasm\include\win32ax.inc'

section '.data' data readable writeable

  ; Module handles. start stores the LoadLibrary(DLLName1) result in
  ; DLLHandle1; DLLHandle2..DLLHandle4 are not referenced by the code in
  ; this file.
  DLLHandle1 dd ?
  DLLHandle2 dd ?
  DLLHandle3 dd ?
  DLLHandle4 dd ?



  ; NUL-terminated module name passed to LoadLibrary.
  DLLName1   db 'ADVAPI32.DLL', 0

  ; One 64-byte text buffer per export. RetrieveAddresses formats each
  ; resolved address into its buffer as hexadecimal text (wsprintf "%X"),
  ; so these hold strings, not raw pointers.
  DLLFunctionAddr1a    rb 64
  DLLFunctionAddr1b    rb 64
  DLLFunctionAddr2     rb 64
  DLLFunctionAddr3     rb 64
  DLLFunctionAddr4     rb 64
  DLLFunctionAddr5     rb 64
  DLLFunctionAddr6     rb 64
  DLLFunctionAddr7     rb 64
  DLLFunctionAddr8     rb 64
  DLLFunctionAddr9     rb 64
  DLLFunctionAddr10    rb 64
  DLLFunctionAddr11    rb 64
  DLLFunctionAddr12    rb 64
  DLLFunctionAddr13    rb 64

  ; NUL-terminated export names handed to GetProcAddress; the numbering
  ; matches the DLLFunctionAddrN buffers above.
  DLLFunctionName1a    db 'CryptAcquireContextA', 0	  ; [AB]USER
  DLLFunctionName1b    db 'CryptAcquireContextW', 0	  ; [AB]USER
  DLLFunctionName2     db 'CryptReleaseContext', 0
  DLLFunctionName3     db 'CryptCreateHash', 0
  DLLFunctionName4     db 'CryptHashData', 0
  DLLFunctionName5     db 'CryptGetHashParam', 0
  DLLFunctionName6     db 'CryptDestroyHash', 0
  DLLFunctionName7     db 'CryptDeriveKey', 0
  DLLFunctionName8     db 'CryptDestroyKey', 0
  DLLFunctionName9     db 'CryptGenKey', 0
  DLLFunctionName10    db 'CryptDecrypt', 0
  DLLFunctionName11    db 'CryptEncrypt', 0
  DLLFunctionName12    db 'CryptExportKey', 0
  DLLFunctionName13    db 'CryptImportKey', 0


  ; Not referenced by the code in this file.
  tmpDLLFunctionAddr1b	rb 64

  ; Not referenced by the code in this file.
  rbAddrString		rb 64

  ; A single byte. It is too small to serve as a wsprintf destination:
  ; anything written past it lands in hConsole, tmp and tmp_buf, which
  ; follow it directly in this section.
  ;Byte1  dw ?
  Byte1   db ?

  hConsole	  dd ?		; console output handle returned by GetStdHandle
  tmp		  dd ?		; WriteConsole stores its characters-written count here
  tmp_buf	  db 256 dup(?)	; 256-byte scratch buffer
  tmp_buf2	  db 256 dup(?)	; output line formatted by RetrieveAddresses
  strByte1	  db 256 dup(?)	; 256-byte scratch buffer

;-----------------------------------------------------------------------------
; Uninitialized data
;-----------------------------------------------------------------------------
;.data?



section '.code' code readable executable

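  ;-----------------------------------------------------------------------------
  ; start - program entry point (32-bit PE console, Win32 stdcall API)
  ;
  ; Prints the banner and the table header, loads ADVAPI32.DLL, resolves
  ; CryptAcquireContextA and then calls RetrieveAddresses followed by
  ; LatchCryptAcquireContextA. Every path ends in ExitProcess.
  ;
  ; Changes from the earlier version:
  ;   - a NULL handle from GetStdHandle is rejected as well as
  ;     INVALID_HANDLE_VALUE;
  ;   - a failed LoadLibrary is reported instead of passing a NULL module
  ;     handle on to GetProcAddress;
  ;   - the two dwords pushed before RetrieveAddresses are removed by start
  ;     after the call, so the stack is balanced again.
  ;-----------------------------------------------------------------------------
  start:

	invoke	GetStdHandle, -11			; -11 = STD_OUTPUT_HANDLE
	cmp	eax, INVALID_HANDLE_VALUE
	je	end_loop
	test	eax, eax				; NULL: no standard output handle at all
	jz	end_loop
	mov	[hConsole], eax

	; The length argument of each WriteConsole call is the literal's
	; character count including the trailing CR/LF bytes.
	invoke	WriteConsole, [hConsole], <"Original USB devices enumerator v1.0      (arafel, tsech@mail.ru)",13,10>,67, tmp, 0
	invoke	WriteConsole, [hConsole], <"Modified, for use as an API interceptor, by: StakFallT",13,10,13,10>,58, tmp, 0

	invoke	WriteConsole, [hConsole], <"     API             Memory Address",13,10>,37, tmp, 0
	invoke	WriteConsole, [hConsole], <"----------------   ------------------",13,10>,39, tmp, 0

	invoke	LoadLibrary, DLLName1
	test	eax, eax				; NULL means the module could not be loaded
	jz	load_failed
	mov	[DLLHandle1], eax
	invoke	GetProcAddress, eax, DLLFunctionName1a

	; RetrieveAddresses receives the CryptAcquireContextA address in eax.
	; Two copies are also pushed, as the original call sequence did.
	; NOTE(review): a routine reached by `call` cannot pop values that sit
	; beneath its own return address, so they are treated as caller-owned
	; here and dropped right after the call.
	push	eax
	push	eax
	call	RetrieveAddresses
	add	esp, 8

	invoke	WriteConsole, [hConsole], <"Breakpoint1",13,10>,13, tmp, 0
	call	LatchCryptAcquireContextA
	invoke	WriteConsole, [hConsole], <"Breakpoint5",13,10>,13, tmp, 0

	ExitProg:

  end_loop:
	invoke	ExitProcess, 0

  load_failed:
	invoke	WriteConsole, [hConsole], <"Failed to load ADVAPI32.DLL",13,10>,29, tmp, 0
	invoke	ExitProcess, 1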

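;-----------------------------------------------------------------------------
; LatchCryptAcquireContextA
;
; Formats a value as hexadecimal text and shows it in a message box, writing
; "BreakpointN" progress markers to the console along the way.
;
; In:    none (reads hConsole)
; Out:   nothing defined
; Clobb: eax, ecx, edx, flags (ebx/esi/edi are saved and restored)
;
; Fixes over the earlier version:
;   - wsprintf is a cdecl varargs routine, so it is called with cinvoke.
;     With invoke its three arguments stayed on the stack and the closing
;     pop/ret sequence read the wrong slots, including the return address.
;   - the destination is the 256-byte strByte1 buffer. Byte1 is one byte
;     long, so formatting into it overwrote hConsole and tmp, which follow
;     it in the data section.
;-----------------------------------------------------------------------------
proc LatchCryptAcquireContextA
     push    ebx esi edi
     invoke  WriteConsole, [hConsole], <"Breakpoint2",13,10>,13, tmp, 0
     ; NOTE(review): the value formatted here is the address of the
     ; DLLFunctionAddr1a buffer itself, not the text stored in it, although
     ; the caption below reads "Memory Contents" - confirm which was meant.
     cinvoke wsprintf,strByte1,"%X",DLLFunctionAddr1a
     invoke  WriteConsole, [hConsole], <"Breakpoint3",13,10>,13, tmp, 0
     invoke  MessageBox,0,strByte1,"Memory Contents",0
     invoke  WriteConsole, [hConsole], <"Breakpoint4",13,10>,13, tmp, 0
     pop     edi esi ebx
     ret
endp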

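;-----------------------------------------------------------------------------
; ReportExport addrbuf, fmt      (assembly-time helper for RetrieveAddresses)
;
; In:    ebx = address to report
; Does:  stores the address as hex text in addrbuf, formats the console line
;        into tmp_buf2 with fmt, and writes that line followed by CR/LF.
;        The WriteConsole length is the character count wsprintf returns in
;        eax, so nothing beyond the formatted text is written out.
; Clobb: eax, ecx, edx, flags (ebx is preserved by the API calls)
;-----------------------------------------------------------------------------
macro ReportExport addrbuf, fmt
{
	cinvoke wsprintf, addrbuf, "%X", ebx
	cinvoke wsprintf, tmp_buf2, fmt, ebx
	invoke	WriteConsole, [hConsole], tmp_buf2, eax, tmp, 0
	invoke	WriteConsole, [hConsole], <"",13,10>, 2, tmp, 0
}

;-----------------------------------------------------------------------------
; LookupExport namestr, addrbuf, fmt   (assembly-time helper)
;
; Resolves the export called namestr from the module in DLLHandle1, keeps
; the result in ebx and reports it through ReportExport.
;-----------------------------------------------------------------------------
macro LookupExport namestr, addrbuf, fmt
{
	invoke	GetProcAddress, [DLLHandle1], namestr
	mov	ebx, eax
	ReportExport addrbuf, fmt
}

;-----------------------------------------------------------------------------
; RetrieveAddresses
;
; Prints one "name: address" line per ADVAPI32 export listed in the data
; section and stores each address as hex text in its DLLFunctionAddrN buffer.
;
; In:    eax          = address of CryptAcquireContextA, resolved by the caller
;        [DLLHandle1] = module handle used for the remaining lookups
;        [hConsole]   = console output handle
; Out:   nothing defined
; Clobb: eax, ecx, edx, flags
; Stack: balanced. Anything the caller pushed before the call is left
;        untouched and stays the caller's to remove.
;
; Fixes over the earlier version:
;   - the first `pop eax` pair ran after `push ebx esi edi` with no matching
;     pushes in this routine, so it consumed the saved edi/esi; the closing
;     `pop edi esi ebx` then took the return address as a register value and
;     `ret` transferred control to a caller-pushed dword. The address is now
;     held in ebx across the API calls and no unmatched pops remain.
;   - WriteConsole was given fixed lengths (40, 41, 33, 30) that did not
;     follow the formatted text, so leftover bytes of tmp_buf2 could be
;     written out or the line cut short. The length now comes from wsprintf.
;-----------------------------------------------------------------------------
proc RetrieveAddresses
	push	ebx esi edi

	mov	ebx, eax			; first entry arrives already resolved
	ReportExport DLLFunctionAddr1a, "CryptAcquireContextA: %X"

	LookupExport DLLFunctionName1b, DLLFunctionAddr1b, "CryptAcquireContextW: %X"
	LookupExport DLLFunctionName2,  DLLFunctionAddr2,  "CryptReleaseContext:  %X"
	LookupExport DLLFunctionName3,  DLLFunctionAddr3,  "CryptCreateHash:      %X"
	LookupExport DLLFunctionName4,  DLLFunctionAddr4,  "CryptHashData:        %X"
	LookupExport DLLFunctionName5,  DLLFunctionAddr5,  "CryptGetHashParam:    %X"
	LookupExport DLLFunctionName6,  DLLFunctionAddr6,  "CryptDestroyHash:     %X"
	LookupExport DLLFunctionName7,  DLLFunctionAddr7,  "CryptDeriveKey:       %X"
	LookupExport DLLFunctionName8,  DLLFunctionAddr8,  "CryptDestroyKey:      %X"
	LookupExport DLLFunctionName9,  DLLFunctionAddr9,  "CryptGenKey:          %X"
	LookupExport DLLFunctionName10, DLLFunctionAddr10, "CryptDecrypt:         %X"
	LookupExport DLLFunctionName11, DLLFunctionAddr11, "CryptEncrypt:         %X"
	LookupExport DLLFunctionName12, DLLFunctionAddr12, "CryptExportKey:       %X"
	LookupExport DLLFunctionName13, DLLFunctionAddr13, "CryptImportKey:       %X"

	pop	edi esi ebx
	ret
endp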

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
	  user32,'USER32.DLL',\
	  advapi32,'ADVAPI32.DLL'

  include '\fasm\include\api\kernel32.inc'
  include '\fasm\include\api\user32.inc'
  include '\fasm\include\api\advapi32.inc'