
                         -  2.00
                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


     1. 
     2.     
     3.  
     4.  -     
     5.  
     6. 
     7.  
     8.    
     9.   
     10.    /
     11.     (/)
     12.  
     13.   (SEH)
     14.   
     15. : FUCKAPI

                                1. 
                                ~~~~~~~~~~~

                 
 ,        ,        .    
 ,                 
   -    -        YES 
 OK, ,     .
      ?
     ,  ,        ,   
 .             
   ;      ,    -  
    .   , 
            ,    ,    
       .      
 ,    .  ,   
 ,      .

            -  Hybris,  
     .  ,        ,  
             -  , 
         -    ,   
 .        ,    .
    .
           ,      , ,  ,
        
 ,   ,      : ,
    .
             .    
 ,        ,   . 
  PGN2,       ,    
  ,      .
         ,       :   
         .   PGN2
       .     
    ,                - 
    - .   PGN2    
   ,   .

           PGN2.

                    2.     
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        :
     (       
 )

    +---hostfile.exe/dll----+
    | [...]                 |
    | []        |
    | [...]                 |
    | [ ] |
    | [...]                 |
    +-----------------------+

       ()  ,   
 ,  ,  :

    +----------------------+
    | [LDRWIN32.bin]       |  <-- ,  / ,
    | [compressed_plugin1] |      
    | [compressed_plugin2] |  <--     PGN2,
    | [...]                |       
    | [DD 0]               |  <--  DWORD=0,  
    +----------------------+

                            3.  
                            ~~~~~~~~~~~~~~~~~~~~

  : (  )

    +----------------------+
    | [compressed_plugin3] |  <--    PGN2,
    | [compressed_plugin4] |       
    | [...]                |
    | [DD 0]               |  <--  DWORD=0,  
    +----------------------+

         -    ,        
 .         (  )      
     .        
   ()    . 
     ,       
 ,         .  
 ,      ,   
 ,       .
       ,          ,
    ,  
  1.     (,   )
  2.       .
                   , 
        ,   . ,  
        .

     ,           
 .

                      4.  -     
                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

               . 
   : (   )

   LDRWIN32.PluginList DD ?      <--    
           |
    +--------------+ -->   (,  PGN2)
    | list entry 1 | -->    ( PE EXE)
    +--------------+
           |
    +--------------+ --> ...
    | list entry N | --> ...
    +--------------+
           |
          NULL

; One node of LDRWIN32's singly linked PluginList (diagram above:
; PluginList -> entry 1 -> ... -> entry N -> NULL). Three 32-bit
; pointers, 12 bytes. The layout is shared with the loader, so field
; order and sizes are a binary contract and must not be changed.
list_entry              struc
list_phys               dd      ?       ; *pgn2_header, physical image (the PGN2 container, per section 4)
list_virt               dd      ?       ; *PE_in_memory, virtual image (the mapped PE EXE)
list_next               dd      ?       ; next list entry or NULL (NULL terminates the list)
                        ends

      ,        :  -
 ,     ,      
 ;    -    PE EXE,    
  .

                             5.  
                             ~~~~~~~~~~~~~~~~~

               PE  EXE,   
      ,    ,  
   tasm'  borland c++.

     ,  PE-   
 :

   1.   (     )
   2.    (  )

      ,  PE    :

  PE2PGN:
   1.  MZ-  DOS- 
   2.   imagebase=0, physicaloffset=0
   3.       0
   4.  PE id, datetime, checksum,
       ,     
  PACKER:
   5.  
  HEADER:
   6.  PGN2- (DWORD CRC32-id, DWORD version)

       ,         PGN 2,   (
 ) -   PE EXE.

     +---------------------+
     | CRC32-id            |  ; crc32(' ')
     +---------------------+
     | version             |  ; 
     +---------------------+
     | compressed_size     |  ;    (Z_CODING)
     +---------------------+
     | decompressed_size   |  ;   
     +---------------------+
     |  PE EXE |  ;  = compressed_size
     | ...                 |
     +---------------------+

; PGN2 container header (box diagram above): four DWORDs, 16 bytes,
; immediately followed by pgn2_compressed bytes of payload that
; decompress into a pgn2_decompressed-byte PE image. The id is a CRC32
; of the lowercased plugin name -- a lookup key, not an integrity or
; authenticity check; nothing in this header lets the loader verify the
; payload it is about to map (section 14 discusses id handling).
pgn2_header             struc
pgn2_id                 dd      ?       ; CRC32('lowercased name') -- how the loader identifies the plugin
pgn2_version            dd      ?       ; 1,2,...  >=100000--not-in-file (reserved range, see section 5)
pgn2_compressed         dd      ?       ; compressed data size (byte count of the payload that follows)
pgn2_decompressed       dd      ?       ; decompressed data size, PE format
; BYTE * compressed_size                ; payload: the compressed PE EXE, pgn2_compressed bytes long
                        ends

     DWORD  CRC32-id,           - 
 CRC32     .
     DWORD  version -   ,   >= 100000,  
            .  , 
         ,  
       ,           
 .        ,        
     .

                  (        
  ),   :

  - imagebase     ,   ,  
       ring3:    GlobalAlloc,  align=DWORD
       ring0:    PageAllocate, align=4K
  -    PE- , ..  
  -        (  r/w),
           
  -       -     @
  -   ,   ,
           DLL'  
  -   
  -   ( )  
  -    
  -     unload()
  -   :
     HandleEvent()   Event() ()

                                6. 
                                ~~~~~~~~~~~~

     LDRWIN32  -      ,        
 LDRWIN32.bin,      . LDRWIN32.bin -
    ,      ,
       :        
   (,   PGN2),    ,  
     ,   PE EXE-  
 .

      ,   :

 -     ;
 -       ;
 -   ;
 -    ;
 -   ;
 -       PE-;
 -   ,   ;
 -      (  );
 -     ;
 -     ,  ;
 -    -.

                LDRWIN32.ldrwin32_copy(),
               ( 
 ).               
 ,     ,    
              ,   
   .           (
 win9x)        ring-0.

        ,    LDRWIN32      public- 
 :

   PluginList -      . (.PGN2.INC)

; Node of the PluginList exported by LDRWIN32 (same layout as the
; list_entry struc in section 4; declared in .PGN2.INC). Three 32-bit
; pointers, 12 bytes; the layout is a binary contract with the loader.
list_entry      struc
list_phys       dd      ?       ; *pgn2_header, physical image (the PGN2 container)
list_virt       dd      ?       ; *PE_in_memory, virtual image (the mapped PE EXE)
list_next       dd      ?       ; next list entry or NULL (NULL terminates the list)
                ends

       DWORD',   :

   ; Reading an imported DWORD variable through its import thunk.
   ; The thunk the linker emits for TestDword is FF 25 <disp32>
   ; (JMP DWORD PTR [addr]); TestDword+2 skips the two opcode bytes, so
   ; the first load yields disp32 (the address of the pointer cell the
   ; thunk jumps through), the second load yields that cell's contents
   ; (the variable's address), and the last load yields the value itself.
   extrn   TestDword:DWORD      ; make imported entry
   mov     eax, TestDword + 2   ; FF 25 xx xx xx xx: JMP DWORD PTR [xxxxxxxx]
   mov     eax, [eax]           ; = address
   mov     eax, [eax]           ; = value

               LDRWIN32.GetPluginList(),
    PluginList  EAX.

                         7.  
                         ~~~~~~~~~~~~~~~~~~~~~~~~~~

          : 
     / .

          ,     , (),
        ;
           A     B,   B
   ,              
 ;       .

              /  
     ,    ,       , 
     " ".

                  8.    
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

               , , 
 ,    .         
  .

         :

  ,      ,  
  HandleEvent().

  ,   ,    Event()
    LDRWIN32.

            .

     ,  :

   ...
   extern  Event:PROC   ;   ,  LDRWIN32
   ...
   push    <user_param>
   push    <event_id>
   call    Event        ;  ,
   add     esp, 8       ;       
   ...
   or      eax, eax
   jnz     event_handled
event_not_handled:
   ...

   ,  C++

   ...
   int __cdecl Event(DWORD EventID, DWORD UserParam);
   ...
   if (  Event(<event_id>, <user_param>)  )
   {
     ...                // event handled
   }
   ...

    LDRWIN32.Event     
   ,    public- HandleEvent.

    ,   ,  :

   ...
   public HandleEvent   ;   
   ...
HandleEvent:
   mov eax, [esp+4]     ; event_id
   mov ecx, [esp+8]     ; user_param
   ...
   mov eax, 0/1/-1      ; return value
   retn

   ,  C++

  // Per-plugin event callback, exported under the public name HandleEvent
  // (section 8). Receives the EventID / UserParam pair that another plugin
  // passed to LDRWIN32.Event(). Returns 0 for "not handled" and a non-zero
  // value when handled; the table in section 8 gives -1 and N different
  // meanings -- confirm that distinction against the loader before relying on it.
  int __export __cdecl HandleEvent(DWORD EventID, DWORD UserParam)
  {
    if (EventID == <some_event_id>)
    {
      ...
      return 1/-1;   // handled: 1 (or -1, see the section 8 table)
    }
    return 0;        // not handled; the loader keeps dispatching to other plugins
  }

    ,  Event    EAX:

     0      
    -1        -1
         (  )
     N   N      1

     ,       ,        
 (   HandleEvent)         -1,      
           -1   . 
       LDRWIN32.Event           
 HandleEvent()' (  )   .

                        9.   
                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     ,            ,
    ,    - .
       ,         ()   
  ?

                   PRIORITY,   0  10
 ,           ,  
  ,   .
         PRIORITY    5,    
 .

           A,   (     )
        B,    A  PRIORITY  1
 .

             10.    /
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

         HandleEvent()  Event(),   
    ,     
    ,     DLL'  .

            DLL'  ,  
    import table    @.

  .DEF-,  TLINK32'   :

 EXPORTS
   HandleEvent
 IMPORTS
   Event = @LDRWIN32.Event
   fuckit = KERNEL32.DeleteFileA
   ...

          11.     (/)
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

              (EntryPointRVA), 
       ,       ,  
   - .       
 .      EntryPoint()    DWORD-,  
   .           - 
     unload().   ,     ,
    ,      ,   
       ,         
 .         ,  unload()   
           .   ,  
          .

  // Plugin entry point, called by the loader after the PE image is mapped
  // (section 11). oldver_unload_code: 0 on a fresh install; otherwise,
  // per the text above, presumably the value the previous version of this
  // plugin returned from unload() when it was replaced -- TODO confirm
  // against LDRWIN32.
  void __export __cdecl EntryPoint(DWORD oldver_unload_code)
  {
    if (oldver_unload_code == 0)
    {
      // first installation: no previous version to take state from
      ...     ;    
    }
    else
    {
      // update: a previous version ran and handed over oldver_unload_code
      ...     ;     ,   oldver_unload_code
              ;      
    }
  } //EntryPoint

  // Called by the loader before the plugin is removed (section 11). why
  // gives the reason; UT_UNINSTALL and UT_UPDATE are loader-defined
  // constants not shown in this document. The return value appears to be
  // passed on to the new version's EntryPoint() as oldver_unload_code --
  // confirm against LDRWIN32.
  // NOTE(review): no return statement covers any other value of why, so
  // the function falls off the end and the caller receives an unspecified
  // value (whatever is in EAX under cdecl); add a default `return 0;` or
  // whatever the loader's contract requires.
  int __export __cdecl unload(int why)
  {
    if (why==UT_UNINSTALL)
    {
       // permanent removal
       ...    ;   
       return 0;
    }
    if (why==UT_UPDATE)
    {
       // replaced by a newer version; result reaches the new EntryPoint()
       ...    ; , .. ,      
       return 1;
    }
  } //unload

           public-,        ,
        .

 1. int __cdecl ldrwin32_attach(BYTE* buf, DWORD* bufsize)

   .  -   ,
      'DD 0'.
      ,     .
     ,     'DD 0'.

                       ,  
   :

 - ,    ;   
 -  :  unload(UT_UPDATE),  exitcode
     (exitcode     - )
 -  :  
 -  : ,   ,
    , , 
 -         ,
     ,    ,  UNRESOLVED
   (      )
 -  :   ,
    exitcod   unload()'  

  ,   EV_LDRWIN32_ATTACHED


 2. void __cdecl ldrwin32_detach_me()

   ,  -    .

         ()
     1 ,     ID,   
 compressed/decompressed size.

         ,
       ,   
 .

      ,    ,
         .

     EV_LDRWIN32_DETACHED.

                         12.  
                         ~~~~~~~~~~~~~~~~~~~~~~~~~~

     ,      public-    
       cdecl ,  :

   -  PUSH    ,
     ..  CALL',  ( ) 
        [ESP+4], 2  [ESP+8].
   -     RETN (0xC3)
   -  CALL'   <ADD ESP, 4 * _>
   -    EAX,ECX,EDX
   -     EBX,ESI,EDI,EBP
   -     EAX

                         13.   (SEH)
                         ~~~~~~~~~~~~~~~~~~~~~~~~~~

  1.    SEH'       EVENT'.
          EntryPoint  unload(),  SEH',
         , .

           ,  LDRWIN32
          ,     -  ,
           . (  FL_PGN2_SEHERROR)

             
        /,   ,  (  )
         ,   . (UNRESOLVED)

  2.       PGN2    win32/ring-3,
        .. win9x/ring0- ,   ,
               ring-0.

         ring0-       ,
          .

                        14.   
                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~

      ,    ,     
   ,         . 
          :        (  )
         CRC32 ( 
 CRC32).            0,1,2    ..  
       .     ,
     ,    ,  
       .

                             15. : FUCKAPI
                             ~~~~~~~~~~~~~~~~~

                   
 /,                        
 public-,    ,     .

           ,      
  .

     ,           public-      ,
   :

   1.   @  (  )
   2.    crc32
   3.  crc32  randseed,  
           (1..255),
         

     ,                  
 public-,     kernel'    .

                                   * * *
