Article in english, this a short preamble by Guardian Angel
In questo momento, che io definisco "particolare", credo che tutti quelli che si occupano di informatica o hanno a che fare con il web, non sanno piu di che cosa parlare per non essere eventualmente fatti oggetto di segnalazioni o minacce. Qualsiasi cosa comunque, potrebbe essere usata contro di te, a meno che non parli della collezione di farfalle o delle tette della strafica di turno.
Io non ho una collezione di farfalle.
Non mi piace la gomma da masticare o manipolare chili di silicone.
Non mi piacciono le strafiche, mi piacciono le donne vere, in particolare una, da sempre, e prima o poi (anzi molto presto) credo che sara' l'unica.
Sono all'antica su certe cose, quindi come sempre controcorrente. Questo blog e' controcorrente.
Noi siamo per la libera circolazione delle idee e delle conoscenze. Noi siamo per il rispetto di tutti gli esseri umani che sono uguali, nella loro diversita'.
Ricordatevi che se mando articoli come questo, non e' che voglio incitare a fare i lamer da strapazzo, perche' questo e' il modo migliore per farsi beccare e ritrovarsi in un orto di cetrioli, se diffondo articoli cosi, e' perhe' vorrei che tutti siano in grado di conoscere determinate tecniche, non a scopo lesivo per altri, bensi per sapere come evitare perlappunto di trovarsi a vendere cetrioli.
E' in inglese, ed e' destinato a quelli che sono la parte "tecnica" dei lettori, con questo intendo dire appassionati non migliori. Chiunque puo fare determinate cose, basta soltanto cominciare.
****************************
**
** BY: NRR - TGA
** Subject: DLL Injection - Part ONE
**
** -You'll probably steal this, and change my name to your name
** Then distribute like you want
** It's not like i can do anything about it, i'm just a poor lad
** who wishes the best for everyone...that's all
** --
** The original one is in this site all the time anyway, so don't waste your time :D :D
**
** The first revision is in www.planetsourcecode.com
**
** I have made some changes on this revision, and posted it to some other sites...
**
** Revision 2
**
****************************
It's time to rock! Time to have fun...
I'll tell you what DLL Injection is...
All explained simply, as if you're a dull, dumb donkey.
"Injecting a dll into a running process, is inserting the dll into the running process's address space.."
What you all -should- know is that when a process loads a DLL, whether statically or dynamically, it gets loaded into
the process's address space. Which means that, the process's/DLL's variables/memory in general, are all accessible
with normal C++ pointers by the DLL or the Process itself.
I'll explain how it works on win95/98/ME/XP/2k/NT everywhere :D --i did it all on VC++6... so i prefer
this compiler... Should work on .NET , probably on earlier versions too, I donno :P
One good use of DLL Injection would be to program an "API Spy" for example.
I called it like so and so have many other programmers. What such similar program would do is, according to some
specifications the user has provided, "Inject" a DLL into the chosen running process which monitors certain functions
of certain loaded DLLs and saves a log file of what function arguments were passed to that particular function.
Remember that when a DLL is loaded by a process, its image is loaded into the process's address space,
thus allowing both to access each other's variables simply using c++ pointers. Very interesting ;)...
Talking at a lower level, what my API Spy exactly does is 'debug' the chosen running process and thus suspending all of its threads.
It will then use some special API functions to be able to read it's private address space...(Read/WriteProcessMemory())
It will seek some place to inject some code into. It is ASM code ofcourse. What this ASM code does is: LoadLibrary("DLLtoINJECT.dll");
And add a breakpoint after the code. Then simply let the process run, starting with the beggining address of the injected code.
When the breakpoint is reached, the threads are suspended again and the API Spy restores whatever bytes it has modified and restores
all the registers and thus continuing with normal execution like if nothing happened. Kind of like hypnotising someone, slapping him, and bringing him back.
He'll have no idea of what just happened. Anyway, The loaded DLL does its job normally. Simple as that.
I told you what I shouldn't have... Don't think about all this now... PART II Explains the debugging part...
Some of you, so called 'experts', or probably arrogantly think they are experts, might tell people about CreateRemoteThread()...
Let me tell you this my friends...
"...it works on win95/98/ME/XP/2k/NT everywhere..."
-Above
Yes, also on win3.x and win32s, provided you do some small modifications...
I made a WSOCK32.DLL spy for mirc.exe... (mIRC chat client)
MAN !!! i had fun! I posted the log file with the tute...
Basically, DLL Inection gives you FULL control over an app.
Some of you script kiddies might think it's good for hacking, but once you get the hang of it, you'll have so much fun, that you'll drop hacking.
Hacking is bad. STAY AWAY FROM HACKERS
There are things you need to know before you read this article (Sorry couldn't just show 'em all, they're too much)
http://msdn.microsoft.com can be used to learn "ALL" of them
1) Memory management...You need to know how windows manages it's memory
2) PE/COFF Headers specifications <--the most important thing if you're doin this in win9x/ME -- 3) Basic debbuging APIs...Those are some APIs that help you to debug certain apps. 4) enough knowlege of asm...and OPCODES of instructions hmmm I think, if you read the WHOLE section of "Base Services" in The MSDN library, you should be able to learn all them steps(including PE/COFF SPECS) :P :P :P,, don't worry, i'll help you enough to find the articles that you need. Except ASM ofcourse, need to get some small "asm tutorial", then learn some "32bit asm" (API) Also read about Windows' calling conventions. ASM will help. First, let me tell you, i hate lazy people. You want to learn dll injection? atleast be glad that i posted some info in here, it took me a whole week to prepare an article like this. I'm not just giving you the butter, you need to research on your own...i'm just giving you a starter, and enough info to search on your own. If you don't like researching, then this article isn't for you. i'm sorry... ---Oh, forgot to mention, I love you "Matt Pietrek" I love you. You are Number one! I hope you read this! You can count me as one of your favorite students :P :P :P lol --- OK... How do i start? I told you what DLL Injection is... Well i'll talk more about it... Check the following links to learn what you need to learn: (I'll leave the asm part to you..search for it :D) *) Don't read it, i just found it interesting :P http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsetup/html/dlldanger1.asp Base services section in msdn library is here: msdn.microsoft.com/library section: Windows Development->Windows Base Services
1) DLLs, Processes, and threads : read the dll section ( just learn to make a small dll that exports a function),
So basically, look at DllMain() dll callback function in msdn, it should be like a crash course on Dlls.
Processes, and thread, are really not necessary to read, but it's recommended to. Look at the reference instead.
Just have an overview on the function names, and what they do.. Just helps to give you some inspirations when needed :).
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp
2) Debugging: (Read the basic debugging section only. It's easy BELEIVE ME)
(For PE Headers: read the Image Help Library, or look at step 3 instead)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp
3) Download the PE/COFF Format specifications file... It's a bit hard, but as i said, i'll help you through...
Just have a small peek at the Image Help Library section... Don't screw your self up :)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp
--- All of what i said, won't be REALLY neccessary if you are following me right.
Alright, let's start... What i'm doing is programming an API Spy. What this program does is, when the DLL I made becomes loaded into the address space of
the selected app, it monitors the MessageBoxA() function (if it was in the app's import table) and prepends "Nassoooor sez: " to every
MessageBox shown by the program. This is were knowledge of PE/COFF Format specs. is required.
(Note that i got my inspiration from Matt Pietrek's MEGA book, Windows 95 programming secrets - god bless you)
I'll start in a reverse way...
I'll make the DLL file first...
--
I'll put 3 functions in the DLL, which write the information to the log files (do them on your own :P)
HANDLE OpenLog( char *FileName );
BOOL AppendLog( HANDLE hLog, char *buffer, DWORD bufSize );
BOOL CloseLog( HANDLE hLog );
--
Read CreateFile() in msdn, it will help you make those 3 functions
OpenLog basically just does this:
return CreateFile( FileName, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, OPEN_ALWAYS, 0, 0 );
GENERIC_*: open file for read/write||
FILE_SHARE_READ: apps can read file while handle to it is opened
OPEN_ALWAYS: Open file, or create it if it does exist
AppendLog(...):
use SetFilePointer( hLog, 0, 0, FILE_END ) to set pointer to end of file
Then WriteFile() to write buffer to file :D
CloseLog(..):
CloseHandle( hLog );
that's it
--
Dude, if you haven't been able to understand all that, then believe me, this tutorial is not for you. Go out and play. Have fun, do your job. Just leave this tutorial alone.
--
First you need to make a dll, here is what it should do:
Put the 3 logfile functions in the dll...
When the dll is loaded ( in DllMain() ), and fdwReason is equal to DLL_PROCESS_ATTACH, do this:
Create the log file (OpenLog)
Append: "******************\r\nDLL_PROCESS_ATTACH\r\n"; (\r == CR, \n == LF -- in windows, atleast)
Then, Call the function that will "HOOK" MessageBox from the calling process.
........
The function that will "HOOK" MessageBox():
To hook MessageBox(), you must create a function that will be called INSTEAD of it.
Therefore, the function's definition must be exactly like the one of MessageBox:
int MessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType); //This is how it's declared in msdn
int WINAPI MyMsgBox(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype); //This is how you declare it
//WINAPI is a calling convention, Search "CALLING CONVENTIONS" on msdn, it means push the parameters of the function
into the stack from Right-To-Left, instead of Left-To-Right (aha! Did you read an asm tutorial? tsk tsk tsk)
--Just always add WINAPI when it's an API function :P
Ok, and now you need to create a function type:
typedef int(WINAPI *MyMsgBoxProc)
(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype); //I hope you know what this means?
************************************
* Always remember that IRC chat rooms will help you alot in your programming.
* download mIRC if you're using windows..mIRC is a chatting client...www.mirc.com
* Enter "EFNet" server -- Channel: #C++,,, I'm CrankHank....or ask the operators for help,they're more preferable
***********************************
Okay, Did you read about PE headers??
Here is the code of the DLL:
// Hook proc.cpp
//
#include
#include
#include
#include
using namespace std; //Don't tell me you don't know what standard C++ is??
#define LogFile "d:\\logs\\LOG.txt"
#define Append(text) AppendLog(hLogFile, text, strlen(text))
//hLogFile is the global variable defined below:
HINSTANCE g_hInst=0;
HANDLE hLogFile=0;
BOOL DoHookProcs();
PROC WINAPI HookImportedFunction(HMODULE,PSTR,PSTR,PROC); //inspiration from Matt Pietrek
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID _Reserved)
{
switch(dwReason)
{
case DLL_PROCESS_ATTACH:
g_hInst = hInstance; //Remember dll instance
hLogFile = OpenLog( LogFile );
Append("\r\n************************\r\nDLL_PROCESS_ATTACH\r\n"); //(look at the #defines above
//The handle is a global variable in my case, so didn't need put it
DoHookProcs(); //<--main function return true; //if you return false, then the process that called LoadLibrary() will return 0 break; case DLL_THREAD_ATTACH: Append("DLL_THREAD_ATTACH\r\n"); //Remember that a program can have more than one thread break; //So you need to handle them in here, and in the next case,,,but, This is just a fast program //for processes with one thread,,works for them with multiple threads, but not all the time case DLL_THREAD_DETACH: Append("DLL_THREAD_DETACH\r\n"); // break; case DLL_PROCESS_DETACH: Append("DLL_PROCESS_DETACH\r\n********************\r\n\r\n"); //append (look at the #define) CloseLog(); //ummmmmmmmmmmmmm, guess what this does? return true; break; }//end switch(dwReason) return true; } //////// OK i hope you understood this, UNTIL NOW... Now all we have left is DoHookProcs(), then HookImportedFunction() If you haven't.. Then I think nothing from now on shall be understood.. //////////////////// /* Now, we need to "hook" MessageBoxA() If you learned PE/COFF header specs, then this should be easy What you need to know is look for the Import Table of the module loaded in memory(Running process). //You can get the module's base address by doing this: GetModuleHandle(0); (in the dll, HMODULE == BaseAddress of module) ...yeah, if you look at that address, you'll see the first bytes as the signature of a DOS MZ file!!! (READ THE PE/COFF SPECS THAT I INSTRUCTED YOU TO) ----------- After you find the import table, you iterate(enumerate) the functions imported in the dll (Note that a function will not be in the import table if it was loaded at run-time, not statically!) Look for the function that you want to hook, in our case, it's: DLLFile= USER32.DLL FUNCTION= MessageBoxA Remember that case is sensitive, and the 'A' at the end of MessageBox is also important. It's just declared like that in the DLL file, and vc++ (windows.h) does a #define MessageBox MessageBoxA Therefore MessageBox() is not a real function in the DLL, but MessageBoxA() is. ----------------- OKAY! - According to the PE/COFF specs that i told you to read.. In the .exe file, you'll find the function name in the import table, but when the image is in memory You WON'T... Only the entry point of the funcion (MessageBoxA()) will be in memory... You want the entry point. So ofcourse, you must look at the image in memory. You are already doing that. You need to get the entry point of "MessageBoxA" (in the HookImportedFunction() proc) using this: GetProcAddress(GetModuleHandle("USER32.DLL"), "MessageBoxA"); //Note that i used GetModuleHandle... because USER32.dll is "SUPPOSED" to be already loaded, because the app calls //MessageBoxA from USER32.dll, right? So it must load the dll file in it's address space in order to do it! hehe // // So, you did GetProcAddress() to get the procaddr of MessageBoxA().... --------- Like I said, read The MSDN Library if you found an ununderstood function... and now, So you found the function in the import table... now what you need to do, is just save that value(entry point) --incase you wanted to restore it-- and replace it with your new entry point...Which will be your MyMsgBox()'s entry point.. Cool huh?? So whenever the program calls MessageBoxA()... MyMsgBox() gets called instead... In the function MyMsgBox(), you can do what ever it is that you want... And after you're done, you can either call the original MessageBoxA() function to let the program work normally as if no change has occured. BUTTTTTTTTTTTTT, not through just simply calling the function MessageBox(), doing that will be like recursively calling the MyMsgBox() function. What you must do is call the addr returned from GetProcAddres() that i told you to call, above^^ So, if you did this: OriginalMessageBoxProc = (MyMsgBoxProc)GetProcAddress(GetModuleHandle("USER32.DLL"), "MessageBoxA"); What you then must do is this: OriginalMessageBoxProc( hWnd, lpText, lpCaption, uType ); //simple :D :D :D :D ^ |<--------------------------------\ | ok, you got that?????? now let's get to the code: | //Lets declare some things: |__________________________________________________________________ | typedef int(WINAPI *MyMsgBoxProc)(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype);//remember this? | MyMsgBoxProc OriginalMessageBoxProc; //<--------------This is where we store the original MessageBox()--/ // Macro for adding pointers/DWORDs together without C arithmetic interfering -- I got it from Matt Pietrek's book // Thought it'd be great to use.. #define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr)+(DWORD)(addValue)) //This code is very similar to Matt Pietrek's, except that it is written according to my understanding... //And Matt Pietrek's also handles Win32s --(Because they have some sort of a problem, or something) PROC WINAPI HookImportedFunction(HMODULE hModule, //Module to intercept calls from PSTR FunctionModule, //The dll file that contains the function you want to hook PSTR FunctionName, //The function that you want to hook ("MessageBoxA" in our case) PROC pfnNewProc) //New function, this gets called instead { PROC pfnOriginalProc; //Read up MSDN for these IMAGE_DOS_HEADER *pDosHeader; IMAGE_NT_HEADERS *pNTHeader; IMAGE_IMPORT_DESCRIPTOR *pImportDesc; IMAGE_THUNK_DATA *pThunk; if ( IsBadCodePtr(pfnNewProc) ) return 0; // Verify that a valid pfn was passed --look at msdn-- pfnOriginalProc = GetProcAddress(GetModuleHandle(FunctionModule), FunctionName); //remember this? if(!pfnOriginalProc) return 0; pDosHeader = (PIMAGE_DOS_HEADER)hModule; //Look at ImgHelp function reference in the Image Help Library section in msdn ////////////////// To do this in an easier way, according to your imaginations ////////////////// I'm doing it this way, so you'd learn exactly what's happening //hModule is the Process's Base address, remember? (GetModuleHandle(0)) <-- even if called in the dll, it still // gets the hModule of the calling process //---That's why i saved hInstance of DLL, g_hInst, in DllMain(), because it's the only way to get it(i think) // Tests to make sure we're looking at a module image (the 'MZ' header) if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) ) return 0; if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ) //Image_DOS_SIGNATURE is a WORD (2bytes, 'M', 'Z' 's values)
return 0;
// The MZ header has a pointer to the PE header
pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew); //it's like doing pDosHeader + pDosHeader->e_lfanew
// e_lfanew contains a RVA to the 'PE\0\0' Header...An rva means, offset, relative to the BaseAddress of module
// (Or file offset)----pDosHeader is the base address..and e_lfanew is the RVA,,, so summing them, will give you the
// Virtual Address..
// More tests to make sure we're looking at a "PE" image
if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) )
return 0;
if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE ) //IMAGE_NT_SIGNATURE is a DWORD (4bytes, 'P', 'E', '\0', '\0' 's values)
return 0;
// We now have a valid pointer to the module's PE header. Now get a pointer to its imports section
// This is where action and adventure starts
pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader, //IMAGE_IMPORT_DESCRIPTOR *pImportDesc;
pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
//What i just did was get the imports section by getting the RVA of it(like i did above), then adding the base addr
//to it
//////////// pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
//////////// IMAGE_DIRECTORY_ENTRY_IMPORT==1 -- Look at that PE documentation i gave you in the links section
//////////// They are the only good ones i found in the internet,,,Also Pietrek's articles in MSJ and MSDN Magazine will
//////////// Be real helpful!
//Go out if imports table doesn't exist
if ( pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader )
return 0; //pImportDesc will ==pNTHeader,, if the RVA==0,,, cause pNTHeader+0==pNTHeader -> stored in pImportDesc
//Therefore, pImportDesc==pNTHeader
// Iterate through the array of imported module descriptors, looking
// for the module whose name matches the FunctionModule parameter
while ( pImportDesc->Name ) //Name is a DWORD (RVA, to a DLL name)
{
PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);
if ( stricmp(pszModName, FunctionModule) == 0 ) //str"i"cmp,,, you should ignore cases when comparing, in our case
break; //or strcmpi() in some compilers
pImportDesc++; // Advance to next imported module descriptor
}
// Get out if we didn't find the Dll name.
// pImportDesc->Name will be non-zero if we found it.
if ( pImportDesc->Name == 0 )
return 0;
// Get a pointer to the found module's import address table (IAT) =====IMAGE_THUNK_DATA *pThunk;
pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);
//This is what i was talkin about earlier...
//In pThunk, if it was image loaded in memory, you'll get the address to entry point of functions
//but in a disk file, It's a function name
// Look through the table of import addresses, of the found DLL, looking for the function's entry point
// that matches the address we got back from GetProcAddress above. (remember?)
while ( pThunk->u1.Function )
{
if ( (DWORD)pThunk->u1.Function == (DWORD)pfnOriginalProc )
{
// We found it! Overwrite the original address with the
// address of the interception function. Return the original
// address to the caller so that they can chain on to it.
pThunk->u1.Function = (PDWORD)pfnNewProc; // pfnNewProc is in the parameters of the function
//pfnOriginalProc = (PROC)(DWORD)pdw1;
return pfnOriginalProc;
}
pThunk++; // Advance to next imported function address
}
return 0; //function not found!!!!!
}
-------------------------------------------------------
THAT"S IT!!!!!!!
Ok, i'm glad we finished this function :P
remember the declarations?
{
//Lets declare some things:
typedef int(WINAPI *MyMsgBoxProc)(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype);//remember this?
MyMsgBoxProc OriginalMessageBoxProc; //<--------------This is where we store the original MessageBox() } This is how you call the above function,, OriginalMessageBoxProc = (MyMsgBoxProc)HookImportedFunction( GetModuleHandle(0), "USER32.DLL", "MessageBoxA", (PROC)MyMsgBox) ^^^^Insert this in the DoHookProcs() function... ok,,,,,,so this is the finished off dll: BOOL WINAPI DllMain(...) { . case DLL_PROCESS_ATTACH: g_hInst = hInstance; //Remember dll instance hLogFile = OpenLog( LogFile ); Append("\r\n************************\r\nDLL_PROCESS_ATTACH\r\n"); //(look at the #defines above //The handle is a global variable in my case, so didn't need put it DoHookProcs(); //<--main function return true; //if you return false, then the process that called LoadLibrary() will return 0 break; . . } and: BOOL DoHookProcs() { OriginalMessageBoxProc = (MyMsgBoxProc) HookImportedFunction( GetModuleHandle(0), "USER32.DLL", "MessageBoxA", (PROC)MyMsgBox); //check if no error occured, return false, if error, true if no error if(!OriginalMessageBoxProc) return false; return true; } okkkkkkkkk So the function MyMsgBox gets called instead of MessageBox()... Let's see how the funciton looks like,, this should be simple: int WINAPI MyMsgBox(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype) { int ret; //need to save ret value ofcourse char bufText[1024], bufCaption; strcpy(bufText, "Nassoooooor sez: "); strcat(bufText, lptext); strcat(bufText, "\n\n\n SAVED TO LOG FILE!!"); strcpy(bufCaption, "Caption=="); strcat(bufCaption, lpcaption); /////Do whatever crap that you want ret = OriginalMessageBoxProc( hWnd, bufText, bufCaption, utype ); //If you call MessageBox( instead,,, // one of 2 might happen: // 1) Get redirected back to this function, so it becomes like an infinite recursion function, until crash // 2) MessageBox() of the dll will be called. It has nothing to do with the process... // --Think, which of these 2 will happeN? if you did as i told you, and read the links that i gave you, and understood // all this, then you shuld have no problem in asnwering this quesion :D :D :D // Maybe do some stuff here Append("MessageBoxA Called!\r\n\tText=\"") Append(lptext); Append("\"\r\n\tCaption=\""); Append(lpcation); Append("\"\r\n\treturn value=...); . . ................. return ret; } that's it, we're done!! okay,,, when you put these functions in the dll, make this new program: win32app: in: WinMain(..) { HMODULE hModule; MessageBox(0, "Function not intercepted!", "NazSoft INFO BOX", 0); if(! (hModule=LoadLibrary("MyDll.dll")) ) MessageBox(0, "Function could not be intercepted!", "NazSoft INFO BOX", 0); else MessageBox(0, "Function intercepted!", "NazSoft INFO BOX", 0); FreeLibrary(hModule); MessageBox(0, "Function called after freeing library,,, A program crash will occur here, because we didn't restore the import table as it was :D :D", "NazSoft INFO BOX", 0); return 0; } MyDll.dll is that compiled dll above ------------------- That's it for PART ONE... You injected a dll into a process.. but it's not what we want, cause you need source code, recompilation, etc... In part two, i'll teach you how to do this in processes not yours... Just start a program like mirc.exe,, without modifying the source code,, and intercept the winsock fucntions,,, it's gonna be fun... So until then,,,.... cyaaaaaaa then, i'm posting part 2... It's ready already ;) so hurry up
lol cya
the-legions@mail.ru
Non fare esperimenti se non sai che cosa stai facendo. Soprattutto usa il cervello e non pensare di essere furbo. Ci sara' sempre qualcuno che e' piu furbo di te. Se qualcuno avesse intenzione di usare quanto sopra a scopi non chiari, e' vivamente pregato di non contribuire con un operato non in linea con i principi esposti nella premessa, a rendere solo piu potenti i Grandi Censori della Rete.
ASTALAVISTA
Post
Invia a un amico
Salva su Delicious
![SIAMO TUTTI UGUALI (MA PARLA PER TE!)](<a href="http://s253.photobucket.com/albums/hh73/Tawdee/WEB/?action=view¤t=humor031-1.gif" target="_blank"><img src="http://i253.photobucket.com/albums/hh73/Tawdee/WEB/humor031-1.gif" border="0" alt="Photobucket"></a>)
471185122
![Abbiamo imparato a volare come gli uccelli, ma non abbiamo imparato l\](<a href="http://s253.photobucket.com/albums/hh73/Tawdee/Blog/?action=view¤t=MartinLutherKingJr.gif" target="_blank"><img src="http://i253.photobucket.com/albums/hh73/Tawdee/Blog/MartinLutherKingJr.gif" border="0" alt="Photobucket"></a>)
Bookmark licensed under .gif)
