Copy protection defeating

mmmmmmmmmmm

Sometimes, indeed often, there are obstacles. Or learn to ride or learn to jump over obstacles


CD-Cops
-------
If your CD is protected with CD-Cops, when executing the main .exe file, a window appears with the words CD and Cops in the title. Also, the following files will be present in the installation directory:

?
?
Eerrrmm, forgot to add these ^_^


CDCOPS.DLL
----------
Files with The .GZ_ and .W_X extentions.
To defeat this you can use the 'CD-Cops decrypter' - which should work on some CD's.


Copylok
-------
No details yet known.


Copy-Protected CD & The Bongle
------------------------------
At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).


DiscGuard
---------
A CD protected with DiscGuard will have the following files on the CD or in the installation directory:

IOSLINK.VXD
IOSLINK.SYS

At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).


LaserLock
---------
A LaserLock protected CD will have a hidden directory called "Laserlok" on it. This directory can be seen if you tell windows to "show all files". The folder was designed to contain files with unreadable errors so that the CD could not be copied correctly.
At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack). Sometimes this kind of protection can be got round using the 'Ignore Read Error' setting that a few good CD copiers have (CDRWin, Nero, DiskJuggler).


LockBlocks
----------
A LockBlocks protected CD will have 2 circles (5 mm and 3 mm), which cause a CD-R to lockup when being read.
At present there is no generic patch available, so it likely you will need to find specific patches for each CD (i.e. look for a CD crack).


SafeCast
--------
Detection on this is unknown at this moment in time.


SafeDisc
--------
A CD protected with SafeDisk will have the following files on the CD:

00000001.TMP
CLCD16.DLL
CLCD32.DLL
CLOKSPL.EXE.
GAME.EXE
GAME.ICD

To defeat this you need to Create a 1:1 copy of the CD and then use the "Generic SafeDisc Patch" (available from http://www.cdrsoft.com" to allow you to play the copy. Another method is to look for a patched game.exe file (do a search in a good search engine) and then do the following:
Create an image of the CD on your hard drive, but use the patched game.exe instead of the one actually on the CD. It is often better to use the CD-R drive to get the image file because the CD-R drive is more likely to avoid read errors.
Write the image file onto a blank CD-R at 1x (this will help to avoid errors).


SecuROM
-------
If a CD uses the SecuROM protection scheme, one of the following files will exist in the installed directory OR in the root of the CD:

CMS16.DLL
CMS_95.DLL
CMS_NT.DLL

To defeat this you can use a generic patch:
SecuROM R1: Get Generic SecuROM R2
SecuROM R2: Get Generic SecuROM R3
SecuROM R3: Get Generic SecuROM R4 v1.1
SecuROM R4: Get Generic SecuROM R5 v5.1
SecuROM R5: Get Generic SecuROM R5 v6.0


Here are some other techniques that are frequently used to protect CD's

Dummy Files
-----------
This can be detected by looking for large dummy files, mostly over 600 Mb, in the root of the CD (usually with a .AFP extension).

If the original CD is smaller than 659 Mb, you can do a CD copy which will re-create the exact Dummy Files on the copied CD. If the original CD is over 659 Mb then OverSize a 74 Minutes CD-R or just use an 80 Minutes CD-R to make an exact backup.

Illegal Table Of Contents (TOC) file
------------------------------------
This can be found by examining the tracks of the source CD. Usually there will seem to be a second data track (which is not allowed). Commonly, this track will appear after some audio tracks.

You can now bypass the illegal TOC files deliberately put on CD's as a form of protection by using a program such as 'Nero' or 'CDRWIN'. These programs have an option to ignore an illegal TOC file.


Protection Info

OverBurning CD's
----------------
To detect this, use a 74 minute writable CD and choose to do a test before writing - if the source CD has been overburned then the CD copier will come up with an error and tell you that your CD is not big enough (even if the source and destination CD's are both 74 mins!!).

To defeat this you can use a program such as 'Nero' or 'CDRWIN' to OverSize the CD-R using a capable CD-Writer . However, this can be dangerous if your CD writer does not support overburning - but there is another way! Simply get hold of an 80 minute writable and copy the source CD onto that!

The games 'Half Life', 'Kingpin', and 'Commandos' all use this method of protection.


Physical Errors
---------------
The CD is damaged on purpose. Most CD-Readers are not able to "copy" these kind of errors and will stop reading the CD. Few CD-Readers are able to copy these errors. The program 'BlindRead' can be very handy copying this protection.


PlayStation CD's
----------------
During the boot, the PSX chipset checks for an unknown sector on the CDS. This unknown sector is outside the mechanical range of the CD-Reader pickup. Therefore it is NOT possible to copy this track onto a CD-R.

To defeat this, install a modified Boot Chip (ModChip) inside the Playstation. This will trick the PlayStation so it thinks the inserted CD contains the right Country-Code & Bad Blocks.


Sega DreamCast CD's
-------------------
The Dreamcast actually uses GD-ROMs, which hold a maximum of 1Gb of Data instead of the standard 650-700 Mb. This provides a good level of copy protection as they cannot be reproduced using a standard CD-Writer.

A GD-ROM consists of 2 DATA tracks. The first is usually between 10 & 50 Mb and can be read by a normal CD-Reader. The second track is written in a high density format which is NOT accessible by a normal CD-Reader.

At the moment, there doesn't appear to be a perfect way of copying these CD's.
What are the different CD copying protections and how can I defeat them?

Here are most of the CD protections used to protect games and applications from people trying to copy them with their CD-R's. Most of the files and programs I mention here can be downloaded from http://www.cdrsoft.com .

ASTALAVISTA

Dll Injection Part TWO English

ADVERTISE by Guardian Angel: This article is not 'designed for idiots who do play the sorcerer's apprentice. This article 'aimed at those who love knowledge.
A call to friends in Italy that deal with information technology: Internet, 16 June 2009 Presidents of Parliamentary Groups Senate ROME
Dear President,
the 1415A ddl approved in the House of Deputies on 11 June us has, in many quarters, raised many doubts and misgivings as to its constitutional legitimacy and, more generally, the appropriateness of regulatory interventions that, through it, be carried out.
There is, however, a profile, so far, remained in the shade and little in-depth discussions of these days: the contents of paragraph 28. 1, whose unfortunate wording - also admitted that this was not the actual will of the extensor - is likely to determine an unacceptable restriction of freedom of expression that push online, quickly, to Italy in a position more rearward than it currently occupies (it's Forty-fourth) in the international ranking on freedom of information.


I urge you to sign the petition found at this address: http://www.firmiamo.it/norettifica otherwise of those articles, in Italy will only be a pale memory.



(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

Dll Injection Part II


Welcome back...

Last time i explained to you what DLL Injection is.
"Injecting a dll into a running process, is inserting a dll into the process's address space..
as you all -should- know is that when you load a dll, it goes to your address space, which means that,
your variables/memory in general, are all accessible with normal pointers by the dll itself."


I also explained that you need to have a knowlege of the following things:

1) Memory management...You need to know how windows manages it's memory

2) PE Headers <--the most important thing if you're doin this in win9x/ME --

3) Basic debbuging APIs...These are some apis that allow you do debug a certain app

4) enough knowlege of asm...and OPCODES of instructions I also said that my tutorial is compatible with all versions of windows.

So don't go posting me saying 'CreateRemoteThread() will do all of what you have just done'...I told you that i'm doing this tutorial for everyone. And if it would make you happy, i will add some information about the functions you can use in higher versions than WinME/9x And I'm doing the same thing I did last time. I am "NOT" pasting full code in this tutorial either. No one is stupid enough like me to even think of posting such brief article about something that is hard to learn if you had no documentation. So, therefore, it is hard to accept distributing it to the public. Programmers all think that they got tired for searching all this. They're not going to let their sweat go to waste.

So they keep telling you "GO RESEARCH ON YOUR OWN",, and probably kick you off their chat rooms. So, i'm probably doing the same thing ::D::D::D::D -- Ok you should have made that dll file that i told you about last time.

I'll assume the dll is in C:\\NazSoft\\DLLINJ32.dll (Dll to inject) Remember also, that i asked you to make an exe project, that puts the dll into its address space using LoadLibrary() Now, we're going to do something else. FORCE an app to load the dll into its address space. That's what i did to mirc.exe. But first, i need you to create the exe file! Make an exe file, that has a dialog box with a button. If the button was clicked, this happens: MessageBox( 0, "Let's see whether this function gets intercepted or not?!!", "Hello world!", MB_OK ); I'll assume you named the exe file, C:\\NazSoft\\MYMSGBOX.exe (Target process) OK, For the first section of this part, we'll inject DLLINJ32.dll into MYMSGBOX.exe in 2 different ways, 1) Using

CreateProcess().... The injector (the program that will inject) will create a new process of that program. And simply inject using the debugging facilities. Recall from PART I: "Talking at a lower level, what my API Spy exactly does is 'debug' the chosen running process and thus suspending all of its threads. It will then use some special API functions to be able to read it's private address space...

(Read/WriteProcessMemory()) It will seek some place to inject some code into. It is ASM code ofcourse. What this ASM code does is: LoadLibrary("DLLtoINJECT.dll"); And add a breakpoint after the code. Then simply let the process run, starting with the beggining address of the injected code. When the breakpoint is reached, the threads are suspended again and the API Spy restores whatever bytes it has modified and restores all the registers and thus continuing with normal execution like if nothing happened. Kind of like hypnotising someone, slapping him, and bringing him back. He'll have no idea of what just happened. Anyway, The loaded DLL does its job normally. Simple as that." 2) Use a method to inject the dll into a thread, by knowing just it's ThreadId, ProcessId, and possibly base address of the program. This method is used to inject a dll into an ALREADY running process.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

--However, there is one problem in both of these ways. To do all that, i use the debugging method. Which is not such a good idea. I'll explain why later, and an alternative that can be used in future versions of windows. Actually, WinME had my problem solved, and then NT3.1 made it better, then came WinXP, which made it even better than ever before!... We'll talk about it later --- Let's make the (Injector) --- #define TargetApp "C:\\NazSoft\\MYMSGBOX.exe" #define DLL "C:\\NazSoft\\DLLINJ32.dll" *** | | | | This is the CreateProcess() method: (*)(*)(*)(*)(*)(*)(*)


You use CreateProcess() to start the program, with DEBUG_ONLY_THIS_PROCESS flag set. This will let you use the windows' special debugging functions. If you read the link i gave you in part one about Basic Debugging, this should be no problem, and you must have seen that DebugActiveProcessStop() works _ONLY_ in WinXP and above...(There is no above. Maybe Longhorn? the new revolutionary version of blindows? i mean, windows?) This is one advantage of XP over other OS's...
(*)(*)(*)(*)(*)(*)(*)
So don't go saying, XP SUX XP SUX XP SUX This makes it a REAL problem, because if you are debugging a process, and terminate your own process, the debugged process will be terminated also, and there is no way to stop it from happening. Even visual studio 6's debugger can't keep an application being debuged from staying alive, upon closure of VC++, It always gives you a msgbox: "This command will stop the debugger. Do you wish to continue?"
--(*)(*)(*)(*)(*)(*)(*)
There you see the problem that debugging a process has, which XP fixed...This is why i said "...WinXP, which made it even better than ever before!..." :)... Actually, it didn't make it better than ever before, because CreateRemoteThread(), supported in NT3.1 and over, makes all of what i'm doing simpler. We'll talk about it later...
-- (*)(*)(*)(*)(*)(*)(*)
After you create the process, windows' loader will automatically set a break point, right before the process starts execution(because of the DEBUG_ONLY_THIS_PROCESS flag). So what you do is use WaitForDebugEvent(), and ContinueDebugEvent() to get notifications from windows, for a debugging event to occur in a process being debugged. One of them, is a breakpoint.
(*)(*)(*)(*)(*)(*)(*)
WaitForDebugEvent() just sits there waiting for an event, then suspends the execution of the thread, and returns.. It's your job to check it's return values and handle the events that you want. And then use ContinueDebugEvent() to let it continue execution.
(*)(*)(*)(*)(*)(*)(*)

--You need to keep waiting, until the target process exits, then you can exit. Because as i said, you can't stop debugging unless you terminate the target process(except in WinXP) When the first breakpoint occurs, you know that the process has been loaded in memory. Now, you need the Handle of the process, and the handle of the main thread (or any thread)

It's all gettable through CreateProcess's PROCESS_INFORMATION parameter(pInfo.hProcess, pInfo.hThread) Now that you have the process's handle, you can use ReadProcessMemory() and WriteProcessMemory() to read/write bytes into/out of the memory of the target process. (Ofcourse, you're not required to pause execution of the process in order to use these two functions, however in our case, you ARE required to ) "The process whose address space is read is typically, but not necessarily, being debugged. " is what MSDN had to say. I'll tell you why we need to pause execution. Now you know how you can use ReadProcessMemory(), and WriteProcessMemory(). What you should do is this. You need your knowlege of PE/COFF headers to find a writable address in the process's memory.

Once you have found it, you will have no problem in changing it's contents, whether it was required by the target process or not, because as i said before, the execution has been suspended, so the process won't find out that you have changed it's memory, until after it continues execution... but it will be too late at that time, cause you will have already restored whatever it was that you have changed. Just like hypnotising...
When you find a writable memory, you need to use your knowlege of asm, and the OPCODES of the instructions inorder to use WriteProcessMemory() to write in the asm instruction, which will call LoadLibrary() inorder to insert the DLL into it's address space. (Remember the exe program in part I? When it used LoadLibrary(), the MessageBox() function automatically got intercepted,

This is what should happen here. Ofcourse the dll that we made is not so good, because it has no function to restore the address of the import table that it changed. So it's your job to change the dll -if you like- and save the original address of the MessageBox() function, before chagning it to the entry point of the MyMsgBox() function, so that when you need to free the dll, you'd be able to restore the entry point of the MessageBox() function, from the entry point it has been set to ( MyMsgBox() in DLLINJ32.DLL) back to it's original entry point ( MessageBox() in USER32.DLL ) )
Ofcourse, this is not so required, because you might just leave the dll into the process's address space for ever. And when the process exits, no need to restore, cause IT EXITED. You haven't patched the exe. So everything will be restored back to it's original next time the program is started Ok, so you wrote in the asm instructions. Now, what they do is call LoadLibrary() and then breakpoint (INT 3h --OPCODE 0xCC) So that the debugger would recv a breakpoint event inorder to restore the bytes that were changed
--If you have enough knowlege of asm, you'll know that EIP is the address in memory of the current instruction being run. When you write the asm code in the target process, you need to change (after saving) the EIP register to the offset of the first byte of the asm instructions you have written in the memory address space of the process.

Then when break point occurs, restore the memory, and restore EIP to it's original address, so that the process would continue execution, like if nothing happened! You can use GetThreadContext() and SetThreadContext() in order to change/get the values of registers/flags of a running process. And these two functions "REQUIRE" the _thread_ "Not the process" to be suspended. The two functions take a thread handle, not a proces handle. Because a process can have more than one thread, a problem that might occur is that a thread will be suspended, but other threads are still running. This will wreck havoc in the system. But fortunatelly, The debugging functions will suspend the WHOLE process from running.
There is some other method i wanted to use, (other than debugging) which will have THIS problem. Because it doesn't suspend the process's execution, it will only suspend the execution of ONE thread.
(*)(*)(*)(*)(*)(*)(*)
That's why OpenThread() isn't supported in 9x, because Microsoft is afraid someone would get a thread handle, suspend it, and wreck havoc. But somehow, i donno why, WinME supports it, so do later versions...maybe Microsoft fixed something? or i donno...

This isn't our subject right now anyway... (I like writing confusing text..) ___ **WARNING**___**WARNING**___**WARNING**___**WARNING**___**WARNING**___**WARNING***
The following two paragraphs are irrelevant, so don't confuse your self, skip them for now.. ___ **WARNING**___**WARNING**___**WARNING**___**WARNING**___**WARNING**___**WARNING***
Anyway, i really think the debugging way is the best, if you can't use CreateRemoteThread()..
But if you found a way to suspend the whole thread, without the need of debugging, i think we can make the asm instructions give some notification to a FileMap (Shared memory between processes) that it has successfully loaded, so that the injector app would restore what it had chagned, so that the process would continue execution. You can let the dll do this for you. But then comes another problem, when code is injected, and run, and the dll gets loaded, what if, in the process, the thread continued execution, and it needed the portion of memory that we edited?? THERE!!! Now we have a problem!..This might cause a crash.. But then you might let the dll create some executable in a temp dir, and suspend execution. Then the executable will restore bytes, and exit, then the dll shuld somehow find a way to notify it self that it can resume thread execution..
IT NEVER ENDS!!!!! FIX A PROBLEM, FIND ANOTHER ONE...the BEST solution instead of using all that crap is either through debugging, or using CreateRemoteThread()...debugging can't be stopped, unless in WinXP, but what's the use? You can use CreateRemoteThread() instead of debugging, in XP... You can't use it in 9x/ME,,but ah well...what to do? this is the life...
Win98 will be soon out of the market. 2k already is i think. Atleast MS promised that they will remove it. It's been a whole year since the deadline they have given, but seems like it's still in the market. Maybe i don't read news alot. I've got too much work, anyway..
-- So now you understood the debugging method in a verbal way. I'll explain more about it, in a "codish" way..
BUT FIRST! let me tell you this, inorder to use ReadProcessMemory(), for finding some writable memory... You need to know the base address of the target process! I'll tell you how later.. and also, to find a writable memory, you shuld read the sections of the programs... Read about 'sections' in PE header... i usually get section ".data" as the writable part..maybe some other app has some other section? i dono... Actually, I DO know. There are apps that have sections with different names. for example, programs compiled with borland have different section names, than programs compiled in msVC++ (Another project to have fun with is, to open all exes of different compilers, in your machine, and save their import table and section names... The PE/COFF header specs should help...) If you notice, in asm programs you set sections like .CODE .DATA etc... It's all the same... VC++ uses .text, .idata and .data instead (.text == .CODE, ,.data == .DATA, , .idata == Import table ) .edata == export table, etc... (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*) (*)(*)(*) (*) INJECTING A DLL INTO AN ALREADY RUNNING PROCESS (*)(*)*)(*)(*)(*)(*)(*)(*)(*)
(*)(*)(*) (*)(*)(*)
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

And now you know all about The CreateProcess() method. The other method, injecting into an ALREADY running process,
you need to use OpenProcess() to get a process handle, from a ProcessId, then use DebugActiveProcess() to start debugging.
Read DebugActiveProcess() in msdn, you will find answers to many questions that might have been raised when i gave you
this function. I'm not going to show an example on this function. You're on your own. Sorry, wish i could help.
But i'm not giving you the butter.

Read the "Debugging a Running Process" section in Basic Debugging section in msdn.

"
To debug a process that is already running, the debugger should use DebugActiveProcess with the process
identifier retrieved by OpenProcess. DebugActiveProcess attaches the debugger to the active process.
In this case, only the active process can be ..... To detach from the process being debugged,
the debugger should use the DebugActiveProcessStop function.
"
-MSDN

DebugActiveProcessStop isn't supported in versions before WinXP......go cry baby :P

-----(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

ok, i showed you how the second method works...
Now.. the inefficient method that i was talking about... Doing all this without debugging..
You can skip this section if you want, it's for more advanced readers...
What i had in mind (I won't give code samples for this either, but this time, not because you need to reasearch on your own,
but beacuse i havn't done any code of it. And you never know, maybe this method is so inefficient, that you can't use it?)
ok here goes:

From the processes and thread section, i saw these functions:

OpenProcess, OpenThread, SuspendThread, ResumeThread

Look, get proces handle from the first function..Thread handle from the second.
Suspend the thread, use GetThreadContext/SetThreadContext and Read/WriteProcessMemory to read/write asm code
and modify/restore the registers, then Resume thread...
the asm code, can't use breakpoints, cause the app isn't debugging it, so the dll shuold somehow send some notification,
and suspend it's own execution. Then when the app recieves the notification, it will let it resume, after restoring everything.

There is more to it than just that...but you need to use your own imaginations

----(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

Somefunctions for you to look at, (interesting functions)

DebugBreak, DebugBreakProcess, DebugSetProcessKillOnExit, IsDebuggerPresent, GetStartupInfo, Sleep, SleepEx, SwitchToThread
ThreadProc, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue

There are some issues i haven't talked about here. You might encounter them ___MIGHT___
so if you did, read about TLS,,,Thread Local Storage..it shuold help you through for process's with more than one thread
(TlsAlloc, TlsFree, TlsGetValue, TlsSetValue)

----(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

You're probably mad at me like hell, and not voting for me, because i asked you to reasearch on your own.
Too bad :PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP

kidding..i'm sorry dude, but i'm serious. These are issues that need work from the programmer him/her self.
You can't just let it away like that :( I'm sorry once again. Maybe if you email me(on my yahoo account)
I might help you more on this, or else, i'm sorry. Besides, i didn't have that much time to write all the code
in here..i'm truly sorry...and i applogize for any inconvenience this did.

Once again, i'm sorry

----(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

Let's see what the asm code that needs to be injected shuold look like.
There are many different ways to code it's asm code..but this is my way.
and i like it like that.

{
mov eax, 0h ; change 0h to address to LoadLibrary()
mov ebx, 0h ; change 0h to offset to dll name (almost always at the end of this code comes the dll name)
; so it can be, offset of beggining of this code + the total size of the asm code. This points you
; to whatever that's after it. Which is, the dll name

push ebx ; Push parameter of LoadLibrary() into stack (dll name)
call eax ; call LoadLibrary()
pop ebx ; Pop ebx which was pushed -- if you don't do this, you'll get a funny scary error
; If you read about opcodeVOID's NakedFunctions,, and saw the asm instructions before and after
; high level functions,, there are the code(within them) that will check for whether you have restored what you have pushed into the stack
; so basically it's required, opcodeVOID :D :D :D But, he's still right, if you are an advanced programmer
; and know what you're doing, then you have no problem
;;; and also note that where you're writing this code, it is at it's lowest level, and there aren't
;;; code to check for this..a whole program destruction might occur without you knowing
; it's kind of like when you are sick, and probably have aids, and are dying, but don't have
; a nervous system to feel it. So, you won't feel pain, this might cause you to suddenly collapse and die :D

int 3h ; break point
; Immediately after this, comes the dll's whole path "C:\NazSoft\DLLINJ32.DLL" and don't forget the null character
}

These are the OPCODES:
{
char CodePage[4096] =

{ 0xB8, 00, 00, 00, 00, // mov EAX, 0h | Pointer to LoadLibraryA() (DWORD)
0xBB, 00, 00, 00, 00, // mov EBX, 0h | DLLName to inject (DWORD)
0x53, // push EBX
0xFF, 0xD0, // call EAX
0x5b, // pop EBX
0xcc // INT 3h
};

DWORD nob=15; //Number of bytes ^^^^^^
//comes right after this, the dll name...so just do this, strcpy(CodePage[nob], Dllname) to append the dll name..
the total size is (nob + strlen(Dllname) + 1) -- strlen retreives the string, without NULL character.
So you do +1, do also add the null character
------You might ask why i declared 4096 chars? well, a codePage is 4K,,,So i just did it,,,for,,,um,,,
no reason... :D :D

}

I'll give you some OPCODE lists with this tutorial for you to have use of..
You'll have fun reading it
--by the way, go to EFnet#C++ or #asm or #win32asm and ask for a full ebook of asm..
They shuld give you a free ebook called, "The art of assembly"
--

I suddenly changed my mind and added some tutorials with the .zip file :p
I even added some unneccessary stuff :P

--(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

Here show you the code of CreateProcess() method:

--(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

declare these global vars:

CONTEXT OriginalContext; //Get/SetThreadContext's parameter
char OriginalCodePage[4096];
DWORD sizeofCP=0;
VOID* mySec; //my section...Offset of CodePage in the target process's memory, not this app's memory

BOOL InjectDLL_CreateProcess( char *TargetAPP, char *DLLTOINJECT )
{
BOOL B=FALSE, BREAK1=FALSE, BREAK2=FALSE;
STARTUPINFO sInfo;
PROCESS_INFORMATION pInfo;
DEBUG_EVENT dEvent;
DWORD ret;

ZeroMemory((VOID*)&sInfo, sizeof(sInfo));

B = CreateProcess(Filename, 0, 0, 0, FALSE, DEBUG_ONLY_THIS_PROCESS, 0, 0, &sInfo, &pInfo);
if(!B) return FALSE;

//-----
///
////
///// We need 3 things, ProcessHandle, ThreadHandle, and BaseOfImage (base address of executable file in memory)
////
///
//-----


HANDLE PHandle=pInfo.hProcess, THandle=pInfo.hThread; // Processhandle, Thread handle
VOID * BaseOfImage;
char DLLTOINJECT[] = "d:\\VCPrj\\MSNInject\\DLL\\Release\\DLL.dll";

while(1)
{
if( !(B = WaitForDebugEvent(&dEvent, INFINITE)) ) //Remember? -- dEvent is a structure that recv'es return of fucntion
return -1;

if(dEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT) //If the debug event was "Process has just been created"
{
BaseOfImage = dEvent.u.CreateProcessInfo.lpBaseOfImage; //Ok, now we have the base address of the exectable file in memory (remember before, when i said that i'll show you how to get it?)
}

if(dEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT) //if process terminated, then break the loop, so that you would exit function
break;

if(dEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT)//Check for breakpoint
{
if(dEvent.u.Exception.ExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT)
{//It is a break point;
if(BREAK1==FALSE)
{//First Breakpoint occured
B = InjectDLL( pInfo.hProcess, pInfo.hThread, BaseOfImage,
DLLTOINJECT); //The magical function, comes after this function

BREAK1 = TRUE;
if(!B)
return FALSE;
}else if(BREAK2==FALSE)
{//Second breakpoint occured (asm instructions have been all done, and int 3h was reached
ret = RestoreOriginalCodePage( PHandle, THandle, 0); //another function to restore
if(ret==0) return FALSE; //uhoh!!! Big big big big error...you need to restore what you have written, but couldn't,,,,i'll leave it to you, cause i, my self donno what to do, other than terminate the target process :P
BREAK2=TRUE;
}
}else
{ //if an Exception occured, and it wasn't a break point, then say DBG_EXCEPTION_NOT_HANDLED
//Because you haven't handled the exception, so let lindows,,i mean, windows handle it..
ContinueDebugEvent( dEvent.dwProcessId, dEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
continue;
}

}//end if

ContinueDebugEvent( dEvent.dwProcessId, dEvent.dwThreadId, DBG_CONTINUE);
//you don't need to handle event,,let it pass

}//end while()
}//end function

////////////////////

next function:

BOOL InjectDLL(HANDLE hProcess, HANDLE hThread, VOID* hModuleBase, char *DllName)
{//You must have debug access to hProcess (required for ReadProcessMemory() & WriteProcessMemory)

FARPROC LoadLibProc = GetProcAddress(GetModuleHandle("KERNEL32.dll"), "LoadLibraryA");
if(!LoadLibProc) return FALSE;

//This is the entry point addr of LoadLibrary()...It's usually, always the same for any process that loads kernel32.dll
//So unless there is some other explanation, i don't know
//But i personally found that this works all of the time


////////////////////////////////

char CodePage[4096] =

{ 0xB8, 00, 00, 00, 00, // mov EAX, 0h | Pointer to LoadLibraryA() (DWORD)
0xBB, 00, 00, 00, 00, // mov EBX, 0h | DLLName to inject (DWORD)
0x53, // push EBX
0xFF, 0xD0, // call EAX
0x5b, // pop EBX
0xcc // INT 3h
}; //i could have used structS instead, but unfortunatelly, because of many compilers' stupid padding, i didn't >:(
int nob=15; //no of bytes

char *DLLName; //DllName
DWORD *EAX, *EBX; //Look at codepage

DLLName = (char*)((DWORD)CodePage + nob); //Set the pointers
EAX = (DWORD*)( CodePage + 1); //
EBX = (DWORD*) ( CodePage + 6); //

strcpy( DLLName, DllName ); //copy dll name
*EAX = (DWORD)LoadLibProc; //EAX==LoadLibProc
*EBX = nob; // need to do this: *EBX = *EBX + (offset of CodePage)
////////////////////////////
sizeofCP = strlen(DllName) + nob +1; //remember this? --


//Here comes the complicated part, you can use CreateRemoteThread() instead of all this, actually, but unfortunatelly
//it isn't supported in all versions of windows...but i'll tell you how to use it after this code..
//I have an example code that i found from google groups

IMAGE_DOS_HEADER DOShdr;
IMAGE_NT_HEADERS *pNThdr, NThdr;
IMAGE_SECTION_HEADER SecHdr, *pSecHdr;
IMAGE_DATA_DIRECTORY DataDir, *pDataDir; //@@@@@@@@
DWORD dwD, dwD2, read, written;
CONTEXT Context; //GetThreadContext's parameter &&
BOOL B;

Context.ContextFlags = CONTEXT_CONTROL; //look at WINNT.h header file for more information
OriginalContext.ContextFlags = CONTEXT_CONTROL;
if(!GetThreadContext( hThread, &OriginalContext)) //Save original context -- remember that currently the process is totally suspended
{
dwD = GetLastError();
return FALSE;
}

// Check to see if we have valid Headers:
//
/////////Get DOS hdr
B = ReadProcessMemory(hProcess, hModuleBase, &DOShdr, sizeof(DOShdr), &read);
if( (!B) || (read!=sizeof(DOShdr)) ) return FALSE;
if( DOShdr.e_magic != IMAGE_DOS_SIGNATURE ) //Check for `MZ
return FALSE;

//Get NT header
B = ReadProcessMemory( hProcess,
(VOID*)((DWORD)hModuleBase + (DWORD)DOShdr.e_lfanew), &NThdr, sizeof(NThdr), &read);
if( (!B) || (read!=sizeof(NThdr)) ) return FALSE;
if( NThdr.Signature != IMAGE_NT_SIGNATURE ) //Check for `PE\0\0
return 0;

// Valid EXE header!
// Look for a usable writable code page: -- this is where you seek the sections for a usable section
//

/////
//
if( (dwD=NThdr.FileHeader.NumberOfSections) < psechdr =" (IMAGE_SECTION_HEADER*)" b="FALSE;" dwd2="0" iterate="" sections="" for="" part="" which="" shouldn="" modified="" whatsoever="" because="" nazsoft="" sez="" bit="" long="" super="" novel="" give="" information="" u="" know="" confused="" listen="" when="" say="" points="" addr="" info="" from="" as="" see="" base="" addresses="" dll="" file="" functions="" are="" same="" programs="" psechdr="" isn="" true="" just="" easier="" way="" don="" use="" casting="" opers="" want="" do="" make="" sure="" correct="" amount="" was="" characteristics="" writable="" section="" const="" idata="" import="" strcmpi="" ignore="" cases="" small="" t="" find="" usable="" code="" found="" virtualaddress="" mysec="(VOID*)(SecHdr.VirtualAddress" global="" where="" asm="" instructions="" shuold="" ebx="*EBX" also="" remember="" top="" of="" stuff="" can="" read="" will="" already="" saved="" re="" going="" thread="" we="" them="" now="" starts="" mega="" occurs="" god="" knows="" uh="" system="" crash="" occur="" try="" save="" memory="" might="" injected="" must="" call="" upon="" following="" context="" b="TRUE;" change="" eip="(DWORD)mySec;" would="" be="" funny="" get="" an="" error="" all="" that="" goes="" and="" ever="" ist="" hat="" chagned="" s="" ok="" go="" back="" second="" break="" point="" another="" function="" ret="RestoreOriginalCodePage(" big="" need="" restore="" you="" but="" couldn="" ll="" leave="" it="" cause="" my="" self="" donno="" what="" to="" other="" than="" terminate="" target="" process="" break2="TRUE;" so="" lets="" have="" look="" at="" notepad="" is="" giving="" me="" a="" headache="" right="" keeps="" saying="" not="" enough="" m="" typing="" the="" rest="" in="" com="" program="" i="" love="" this="" thing="" p="" return="" if="" 0=""> successful
// if -1 -> (0xFFFFFFFF) WriteProcessMemory returned FALSE
// else -> Amount of bytes written + 1
// (to get exact amount of bytes written, you must decrement return value by one!)
//

DWORD RestoreOriginalCodePage( HANDLE hProcess, HANDLE hThread, DWORD *outSize )
{
BOOL B;
DWORD written;
CONTEXT Context;

if(outSize) *outSize = sizeofCP; //Just for user's info

Context.ContextFlags = CONTEXT_FULL; //look at winnt.h
GetThreadContext( hThread, &Context); //Get current thread context
//This isn't required, it's just for you to check the return
//value of LoadLibrary()
////It is in the EAX register (Context.Eax)

B = WriteProcessMemory( hProcess, mySec, OriginalCodePage, sizeofCP, &written );
//Restore original codepage

if(!B) return -1;

if(written!=sizeofCP)
return written+1;

//Restore context (EIP)
B=SetThreadContext( hThread, (CONST CONTEXT*)&OriginalContext);
if(!B) return -1;

return 0;
}





OK ATLAST!!!!!1

so now we're done!
You've seen how to do all this,,,now let me tell you how CreateRemoteThread() works...
You can skip this if you want...



CreateRemoteThread:

The CreateRemoteThread function creates a thread that runs in the virtual address space of another process

HANDLE CreateRemoteThread(
HANDLE hProcess, // handle to process
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
SIZE_T dwStackSize, // initial stack size
LPTHREAD_START_ROUTINE lpStartAddress, // thread function
LPVOID lpParameter, // thread argument
DWORD dwCreationFlags, // creation option
LPDWORD lpThreadId // thread identifier
);

Parameters:

hProcess
[in] Handle to the process in which the thread is to be created. The handle must have the PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ access rights. For more information, see Process Security and Access Rights.
lpThreadAttributes
[in] Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new thread and determines whether child processes can inherit the returned handle. If lpThreadAttributes is NULL, the thread gets a default security descriptor and the handle cannot be inherited.
dwStackSize
[in] Specifies the initial size of the stack, in bytes. The system rounds this value to the nearest page. If this parameter is zero, the new thread uses the default size for the executable. For more information, see Thread Stack Size.
lpStartAddress
[in] Pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process. For more information on the thread function, see ThreadProc.
lpParameter
[in] Specifies a single value passed to the thread function.
dwCreationFlags
[in] Specifies additional flags that control the creation of the thread. If the CREATE_SUSPENDED flag is specified, the thread is created in a suspended state and will not run until the ResumeThread function is called. If this value is zero, the thread runs immediately after creation.
Windows XP: If the STACK_SIZE_PARAM_IS_A_RESERVATION flag is specified, the dwStackSize parameter specifies the initial reserve size of the stack. Otherwise, dwStackSize specifies the commit size.
lpThreadId
[out] Pointer to a variable that receives the thread identifier.
If this parameter is NULL, the thread identifier is not returned.


------

Return Values:

If the function succeeds, the return value is a handle to the new thread.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Note that CreateRemoteThread may succeed even if lpStartAddress points to data, code, or is not accessible.
If the start address is invalid when the thread runs, an exception occurs, and the thread terminates.
Thread termination due to a invalid start address is handled as an error exit for the thread's process.
This behavior is similar to the asynchronous nature of CreateProcess,
where the process is created even if it refers to invalid or missing dynamic-link libraries (DLLs).


-----

Remarks
The CreateRemoteThread function causes a new thread of execution to begin in the address space of the specified process. The thread has access to all objects opened by the process.

The new thread handle is created with full access to the new thread. If a security descriptor is not provided, the handle may be used in any function that requires a thread object handle. When a security descriptor is provided, an access check is performed on all subsequent uses of the handle before access is granted. If the access check denies access, the requesting process cannot use the handle to gain access to the thread.

The thread is created with a thread priority of THREAD_PRIORITY_NORMAL. Use the GetThreadPriority and SetThreadPriority functions to get and set the priority value of a thread.

When a thread terminates, the thread object attains a signaled state, satisfying any threads that were waiting for the object.

The thread object remains in the system until the thread has terminated and all handles to it have been closed through a call to CloseHandle.

The ExitProcess, ExitThread, CreateThread, CreateRemoteThread functions, and a process that is starting (as the result of a CreateProcess call) are serialized between each other within a process. Only one of these events can happen in an address space at a time. This means the following restrictions hold:

1) During process startup and DLL initialization routines, new threads can be created, but they do not begin execution until DLL initialization is done for the process.
2) Only one thread in a process can be in a DLL initialization or detach routine at a time.
3) ExitProcess does not return until no threads are in their DLL initialization or detach routines.



Terminal Services: Terminal Services isolates each terminal session by design. Therefore, CreateRemoteThread fails if the target process is in a different session than the calling process.





Windows NT/2000/XP: Included in Windows NT 3.1 and later.
Windows 95/98/Me: Unsupported.
Header: Declared in Winbase.h; include Windows.h.
Library: Use Kernel32.lib.


--------------------

ok i copied it from msdn to here :P

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&threadm=cl8L4.162599%24bm.706013%40news1.alsv1.occa.home.com&rnum=2&prev=/groups%3Fq%3DLLProc%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26selm%3Dcl8L4.162599%2524bm.706013%2540news1.alsv1.occa.home.com%26rnum%3D2

Have a look at that site
It's an example of CreateRemoteThread() somone wrote...
I hope it's explanable from there?

plz post, and tell me if there shuold be part III
to fulfill something i haven't said right now
i will be glad to
if i had time


thats it for now
my eyes are draining

ok, thank you for reading PART II of my tutorial on how to inject a dll...

quiz:

What is dll injecting? And are its uses? And how do you do it? please elaborate :D :D

cya
-NRR TGA (aka NazSoft)
-CrankHank|EFNet#C++

Write to:
the-legions@mail.ru

DLL Injection - Part ONE - English

Article in english, this a short preamble by Guardian Angel

In questo momento, che io definisco "particolare", credo che tutti quelli che si occupano di informatica o hanno a che fare con il web, non sanno piu di che cosa parlare per non essere eventualmente fatti oggetto di segnalazioni o minacce. Qualsiasi cosa comunque, potrebbe essere usata contro di te, a meno che non parli della collezione di farfalle o delle tette della strafica di turno.
Io non ho una collezione di farfalle.
Non mi piace la gomma da masticare o manipolare chili di silicone.
Non mi piacciono le strafiche, mi piacciono le donne vere, in particolare una, da sempre, e prima o poi (anzi molto presto) credo che sara' l'unica.
Sono all'antica su certe cose, quindi come sempre controcorrente. Questo blog e' controcorrente.
Noi siamo per la libera circolazione delle idee e delle conoscenze. Noi siamo per il rispetto di tutti gli esseri umani che sono uguali, nella loro diversita'.
Ricordatevi che se mando articoli come questo, non e' che voglio incitare a fare i lamer da strapazzo, perche' questo e' il modo migliore per farsi beccare e ritrovarsi in un orto di cetrioli, se diffondo articoli cosi, e' perhe' vorrei che tutti siano in grado di conoscere determinate tecniche, non a scopo lesivo per altri, bensi per sapere come evitare perlappunto di trovarsi a vendere cetrioli.

E' in inglese, ed e' destinato a quelli che sono la parte "tecnica" dei lettori, con questo intendo dire appassionati non migliori. Chiunque puo fare determinate cose, basta soltanto cominciare.

























****************************
**
** BY: NRR - TGA
** Subject: DLL Injection - Part ONE
**
** -You'll probably steal this, and change my name to your name
** Then distribute like you want
** It's not like i can do anything about it, i'm just a poor lad
** who wishes the best for everyone...that's all
** --
** The original one is in this site all the time anyway, so don't waste your time :D :D
**
** The first revision is in www.planetsourcecode.com
**
** I have made some changes on this revision, and posted it to some other sites...
**
** Revision 2
**
****************************


It's time to rock! Time to have fun...
I'll tell you what DLL Injection is...
All explained simply, as if you're a dull, dumb donkey.

"Injecting a dll into a running process, is inserting the dll into the running process's address space.."
What you all -should- know is that when a process loads a DLL, whether statically or dynamically, it gets loaded into
the process's address space. Which means that, the process's/DLL's variables/memory in general, are all accessible
with normal C++ pointers by the DLL or the Process itself.

I'll explain how it works on win95/98/ME/XP/2k/NT everywhere :D --i did it all on VC++6... so i prefer
this compiler... Should work on .NET , probably on earlier versions too, I donno :P

One good use of DLL Injection would be to program an "API Spy" for example.
I called it like so and so have many other programmers. What such similar program would do is, according to some
specifications the user has provided, "Inject" a DLL into the chosen running process which monitors certain functions
of certain loaded DLLs and saves a log file of what function arguments were passed to that particular function.

Remember that when a DLL is loaded by a process, its image is loaded into the process's address space,
thus allowing both to access each other's variables simply using c++ pointers. Very interesting ;)...

Talking at a lower level, what my API Spy exactly does is 'debug' the chosen running process and thus suspending all of its threads.
It will then use some special API functions to be able to read it's private address space...(Read/WriteProcessMemory())
It will seek some place to inject some code into. It is ASM code ofcourse. What this ASM code does is: LoadLibrary("DLLtoINJECT.dll");
And add a breakpoint after the code. Then simply let the process run, starting with the beggining address of the injected code.
When the breakpoint is reached, the threads are suspended again and the API Spy restores whatever bytes it has modified and restores
all the registers and thus continuing with normal execution like if nothing happened. Kind of like hypnotising someone, slapping him, and bringing him back.
He'll have no idea of what just happened. Anyway, The loaded DLL does its job normally. Simple as that.

I told you what I shouldn't have... Don't think about all this now... PART II Explains the debugging part...

Some of you, so called 'experts', or probably arrogantly think they are experts, might tell people about CreateRemoteThread()...
Let me tell you this my friends...

"...it works on win95/98/ME/XP/2k/NT everywhere..."
-Above

Yes, also on win3.x and win32s, provided you do some small modifications...

I made a WSOCK32.DLL spy for mirc.exe... (mIRC chat client)
MAN !!! i had fun! I posted the log file with the tute...

Basically, DLL Inection gives you FULL control over an app.
Some of you script kiddies might think it's good for hacking, but once you get the hang of it, you'll have so much fun, that you'll drop hacking.
Hacking is bad. STAY AWAY FROM HACKERS

There are things you need to know before you read this article (Sorry couldn't just show 'em all, they're too much)

http://msdn.microsoft.com can be used to learn "ALL" of them

1) Memory management...You need to know how windows manages it's memory

2) PE/COFF Headers specifications <--the most important thing if you're doin this in win9x/ME -- 3) Basic debbuging APIs...Those are some APIs that help you to debug certain apps. 4) enough knowlege of asm...and OPCODES of instructions hmmm I think, if you read the WHOLE section of "Base Services" in The MSDN library, you should be able to learn all them steps(including PE/COFF SPECS) :P :P :P,, don't worry, i'll help you enough to find the articles that you need. Except ASM ofcourse, need to get some small "asm tutorial", then learn some "32bit asm" (API) Also read about Windows' calling conventions. ASM will help. First, let me tell you, i hate lazy people. You want to learn dll injection? atleast be glad that i posted some info in here, it took me a whole week to prepare an article like this. I'm not just giving you the butter, you need to research on your own...i'm just giving you a starter, and enough info to search on your own. If you don't like researching, then this article isn't for you. i'm sorry... ---Oh, forgot to mention, I love you "Matt Pietrek" I love you. You are Number one! I hope you read this! You can count me as one of your favorite students :P :P :P lol --- OK... How do i start? I told you what DLL Injection is... Well i'll talk more about it... Check the following links to learn what you need to learn: (I'll leave the asm part to you..search for it :D) *) Don't read it, i just found it interesting :P http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsetup/html/dlldanger1.asp Base services section in msdn library is here: msdn.microsoft.com/library section: Windows Development->Windows Base Services

1) DLLs, Processes, and threads : read the dll section ( just learn to make a small dll that exports a function),
So basically, look at DllMain() dll callback function in msdn, it should be like a crash course on Dlls.
Processes, and thread, are really not necessary to read, but it's recommended to. Look at the reference instead.
Just have an overview on the function names, and what they do.. Just helps to give you some inspirations when needed :).
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp


2) Debugging: (Read the basic debugging section only. It's easy BELEIVE ME)
(For PE Headers: read the Image Help Library, or look at step 3 instead)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp

3) Download the PE/COFF Format specifications file... It's a bit hard, but as i said, i'll help you through...
Just have a small peek at the Image Help Library section... Don't screw your self up :)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dynamic_link_library_creation.asp

--- All of what i said, won't be REALLY neccessary if you are following me right.

Alright, let's start... What i'm doing is programming an API Spy. What this program does is, when the DLL I made becomes loaded into the address space of
the selected app, it monitors the MessageBoxA() function (if it was in the app's import table) and prepends "Nassoooor sez: " to every
MessageBox shown by the program. This is were knowledge of PE/COFF Format specs. is required.
(Note that i got my inspiration from Matt Pietrek's MEGA book, Windows 95 programming secrets - god bless you)

I'll start in a reverse way...
I'll make the DLL file first...
--
I'll put 3 functions in the DLL, which write the information to the log files (do them on your own :P)

HANDLE OpenLog( char *FileName );
BOOL AppendLog( HANDLE hLog, char *buffer, DWORD bufSize );
BOOL CloseLog( HANDLE hLog );
--
Read CreateFile() in msdn, it will help you make those 3 functions
OpenLog basically just does this:
return CreateFile( FileName, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, OPEN_ALWAYS, 0, 0 );
GENERIC_*: open file for read/write||
FILE_SHARE_READ: apps can read file while handle to it is opened
OPEN_ALWAYS: Open file, or create it if it does exist

AppendLog(...):
use SetFilePointer( hLog, 0, 0, FILE_END ) to set pointer to end of file
Then WriteFile() to write buffer to file :D

CloseLog(..):
CloseHandle( hLog );

that's it

--
Dude, if you haven't been able to understand all that, then believe me, this tutorial is not for you. Go out and play. Have fun, do your job. Just leave this tutorial alone.
--

First you need to make a dll, here is what it should do:

Put the 3 logfile functions in the dll...
When the dll is loaded ( in DllMain() ), and fdwReason is equal to DLL_PROCESS_ATTACH, do this:
Create the log file (OpenLog)
Append: "******************\r\nDLL_PROCESS_ATTACH\r\n"; (\r == CR, \n == LF -- in windows, atleast)
Then, Call the function that will "HOOK" MessageBox from the calling process.
........

The function that will "HOOK" MessageBox():

To hook MessageBox(), you must create a function that will be called INSTEAD of it.
Therefore, the function's definition must be exactly like the one of MessageBox:

int MessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType); //This is how it's declared in msdn

int WINAPI MyMsgBox(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype); //This is how you declare it

//WINAPI is a calling convention, Search "CALLING CONVENTIONS" on msdn, it means push the parameters of the function
into the stack from Right-To-Left, instead of Left-To-Right (aha! Did you read an asm tutorial? tsk tsk tsk)

--Just always add WINAPI when it's an API function :P

Ok, and now you need to create a function type:

typedef int(WINAPI *MyMsgBoxProc)
(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype); //I hope you know what this means?

************************************
* Always remember that IRC chat rooms will help you alot in your programming.
* download mIRC if you're using windows..mIRC is a chatting client...www.mirc.com
* Enter "EFNet" server -- Channel: #C++,,, I'm CrankHank....or ask the operators for help,they're more preferable
***********************************

Okay, Did you read about PE headers??
Here is the code of the DLL:

// Hook proc.cpp
//

#include
#include
#include
#include

using namespace std; //Don't tell me you don't know what standard C++ is??

#define LogFile "d:\\logs\\LOG.txt"
#define Append(text) AppendLog(hLogFile, text, strlen(text))
//hLogFile is the global variable defined below:

HINSTANCE g_hInst=0;
HANDLE hLogFile=0;

BOOL DoHookProcs();
PROC WINAPI HookImportedFunction(HMODULE,PSTR,PSTR,PROC); //inspiration from Matt Pietrek

BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID _Reserved)
{
switch(dwReason)
{
case DLL_PROCESS_ATTACH:
g_hInst = hInstance; //Remember dll instance

hLogFile = OpenLog( LogFile );
Append("\r\n************************\r\nDLL_PROCESS_ATTACH\r\n"); //(look at the #defines above
//The handle is a global variable in my case, so didn't need put it

DoHookProcs(); //<--main function return true; //if you return false, then the process that called LoadLibrary() will return 0 break; case DLL_THREAD_ATTACH: Append("DLL_THREAD_ATTACH\r\n"); //Remember that a program can have more than one thread break; //So you need to handle them in here, and in the next case,,,but, This is just a fast program //for processes with one thread,,works for them with multiple threads, but not all the time case DLL_THREAD_DETACH: Append("DLL_THREAD_DETACH\r\n"); // break; case DLL_PROCESS_DETACH: Append("DLL_PROCESS_DETACH\r\n********************\r\n\r\n"); //append (look at the #define) CloseLog(); //ummmmmmmmmmmmmm, guess what this does? return true; break; }//end switch(dwReason) return true; } //////// OK i hope you understood this, UNTIL NOW... Now all we have left is DoHookProcs(), then HookImportedFunction() If you haven't.. Then I think nothing from now on shall be understood.. //////////////////// /* Now, we need to "hook" MessageBoxA() If you learned PE/COFF header specs, then this should be easy What you need to know is look for the Import Table of the module loaded in memory(Running process). //You can get the module's base address by doing this: GetModuleHandle(0); (in the dll, HMODULE == BaseAddress of module) ...yeah, if you look at that address, you'll see the first bytes as the signature of a DOS MZ file!!! (READ THE PE/COFF SPECS THAT I INSTRUCTED YOU TO) ----------- After you find the import table, you iterate(enumerate) the functions imported in the dll (Note that a function will not be in the import table if it was loaded at run-time, not statically!) Look for the function that you want to hook, in our case, it's: DLLFile= USER32.DLL FUNCTION= MessageBoxA Remember that case is sensitive, and the 'A' at the end of MessageBox is also important. It's just declared like that in the DLL file, and vc++ (windows.h) does a #define MessageBox MessageBoxA Therefore MessageBox() is not a real function in the DLL, but MessageBoxA() is. ----------------- OKAY! - According to the PE/COFF specs that i told you to read.. In the .exe file, you'll find the function name in the import table, but when the image is in memory You WON'T... Only the entry point of the funcion (MessageBoxA()) will be in memory... You want the entry point. So ofcourse, you must look at the image in memory. You are already doing that. You need to get the entry point of "MessageBoxA" (in the HookImportedFunction() proc) using this: GetProcAddress(GetModuleHandle("USER32.DLL"), "MessageBoxA"); //Note that i used GetModuleHandle... because USER32.dll is "SUPPOSED" to be already loaded, because the app calls //MessageBoxA from USER32.dll, right? So it must load the dll file in it's address space in order to do it! hehe // // So, you did GetProcAddress() to get the procaddr of MessageBoxA().... --------- Like I said, read The MSDN Library if you found an ununderstood function... and now, So you found the function in the import table... now what you need to do, is just save that value(entry point) --incase you wanted to restore it-- and replace it with your new entry point...Which will be your MyMsgBox()'s entry point.. Cool huh?? So whenever the program calls MessageBoxA()... MyMsgBox() gets called instead... In the function MyMsgBox(), you can do what ever it is that you want... And after you're done, you can either call the original MessageBoxA() function to let the program work normally as if no change has occured. BUTTTTTTTTTTTTT, not through just simply calling the function MessageBox(), doing that will be like recursively calling the MyMsgBox() function. What you must do is call the addr returned from GetProcAddres() that i told you to call, above^^ So, if you did this: OriginalMessageBoxProc = (MyMsgBoxProc)GetProcAddress(GetModuleHandle("USER32.DLL"), "MessageBoxA"); What you then must do is this: OriginalMessageBoxProc( hWnd, lpText, lpCaption, uType ); //simple :D :D :D :D ^ |<--------------------------------\ | ok, you got that?????? now let's get to the code: | //Lets declare some things: |__________________________________________________________________ | typedef int(WINAPI *MyMsgBoxProc)(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype);//remember this? | MyMsgBoxProc OriginalMessageBoxProc; //<--------------This is where we store the original MessageBox()--/ // Macro for adding pointers/DWORDs together without C arithmetic interfering -- I got it from Matt Pietrek's book // Thought it'd be great to use.. #define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr)+(DWORD)(addValue)) //This code is very similar to Matt Pietrek's, except that it is written according to my understanding... //And Matt Pietrek's also handles Win32s --(Because they have some sort of a problem, or something) PROC WINAPI HookImportedFunction(HMODULE hModule, //Module to intercept calls from PSTR FunctionModule, //The dll file that contains the function you want to hook PSTR FunctionName, //The function that you want to hook ("MessageBoxA" in our case) PROC pfnNewProc) //New function, this gets called instead { PROC pfnOriginalProc; //Read up MSDN for these IMAGE_DOS_HEADER *pDosHeader; IMAGE_NT_HEADERS *pNTHeader; IMAGE_IMPORT_DESCRIPTOR *pImportDesc; IMAGE_THUNK_DATA *pThunk; if ( IsBadCodePtr(pfnNewProc) ) return 0; // Verify that a valid pfn was passed --look at msdn-- pfnOriginalProc = GetProcAddress(GetModuleHandle(FunctionModule), FunctionName); //remember this? if(!pfnOriginalProc) return 0; pDosHeader = (PIMAGE_DOS_HEADER)hModule; //Look at ImgHelp function reference in the Image Help Library section in msdn ////////////////// To do this in an easier way, according to your imaginations ////////////////// I'm doing it this way, so you'd learn exactly what's happening //hModule is the Process's Base address, remember? (GetModuleHandle(0)) <-- even if called in the dll, it still // gets the hModule of the calling process //---That's why i saved hInstance of DLL, g_hInst, in DllMain(), because it's the only way to get it(i think) // Tests to make sure we're looking at a module image (the 'MZ' header) if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) ) return 0; if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ) //Image_DOS_SIGNATURE is a WORD (2bytes, 'M', 'Z' 's values)
return 0;


// The MZ header has a pointer to the PE header
pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew); //it's like doing pDosHeader + pDosHeader->e_lfanew
// e_lfanew contains a RVA to the 'PE\0\0' Header...An rva means, offset, relative to the BaseAddress of module
// (Or file offset)----pDosHeader is the base address..and e_lfanew is the RVA,,, so summing them, will give you the
// Virtual Address..


// More tests to make sure we're looking at a "PE" image
if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) )
return 0;
if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE ) //IMAGE_NT_SIGNATURE is a DWORD (4bytes, 'P', 'E', '\0', '\0' 's values)
return 0;

// We now have a valid pointer to the module's PE header. Now get a pointer to its imports section
// This is where action and adventure starts
pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader, //IMAGE_IMPORT_DESCRIPTOR *pImportDesc;
pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

//What i just did was get the imports section by getting the RVA of it(like i did above), then adding the base addr
//to it
//////////// pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
//////////// IMAGE_DIRECTORY_ENTRY_IMPORT==1 -- Look at that PE documentation i gave you in the links section
//////////// They are the only good ones i found in the internet,,,Also Pietrek's articles in MSJ and MSDN Magazine will
//////////// Be real helpful!


//Go out if imports table doesn't exist
if ( pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader )
return 0; //pImportDesc will ==pNTHeader,, if the RVA==0,,, cause pNTHeader+0==pNTHeader -> stored in pImportDesc
//Therefore, pImportDesc==pNTHeader

// Iterate through the array of imported module descriptors, looking
// for the module whose name matches the FunctionModule parameter
while ( pImportDesc->Name ) //Name is a DWORD (RVA, to a DLL name)
{
PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);

if ( stricmp(pszModName, FunctionModule) == 0 ) //str"i"cmp,,, you should ignore cases when comparing, in our case
break; //or strcmpi() in some compilers

pImportDesc++; // Advance to next imported module descriptor
}

// Get out if we didn't find the Dll name.
// pImportDesc->Name will be non-zero if we found it.
if ( pImportDesc->Name == 0 )
return 0;

// Get a pointer to the found module's import address table (IAT) =====IMAGE_THUNK_DATA *pThunk;
pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);
//This is what i was talkin about earlier...
//In pThunk, if it was image loaded in memory, you'll get the address to entry point of functions
//but in a disk file, It's a function name

// Look through the table of import addresses, of the found DLL, looking for the function's entry point
// that matches the address we got back from GetProcAddress above. (remember?)

while ( pThunk->u1.Function )
{
if ( (DWORD)pThunk->u1.Function == (DWORD)pfnOriginalProc )
{
// We found it! Overwrite the original address with the
// address of the interception function. Return the original
// address to the caller so that they can chain on to it.
pThunk->u1.Function = (PDWORD)pfnNewProc; // pfnNewProc is in the parameters of the function
//pfnOriginalProc = (PROC)(DWORD)pdw1;
return pfnOriginalProc;
}

pThunk++; // Advance to next imported function address
}

return 0; //function not found!!!!!
}
-------------------------------------------------------

THAT"S IT!!!!!!!
Ok, i'm glad we finished this function :P

remember the declarations?
{

//Lets declare some things:

typedef int(WINAPI *MyMsgBoxProc)(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype);//remember this?

MyMsgBoxProc OriginalMessageBoxProc; //<--------------This is where we store the original MessageBox() } This is how you call the above function,, OriginalMessageBoxProc = (MyMsgBoxProc)HookImportedFunction( GetModuleHandle(0), "USER32.DLL", "MessageBoxA", (PROC)MyMsgBox) ^^^^Insert this in the DoHookProcs() function... ok,,,,,,so this is the finished off dll: BOOL WINAPI DllMain(...) { . case DLL_PROCESS_ATTACH: g_hInst = hInstance; //Remember dll instance hLogFile = OpenLog( LogFile ); Append("\r\n************************\r\nDLL_PROCESS_ATTACH\r\n"); //(look at the #defines above //The handle is a global variable in my case, so didn't need put it DoHookProcs(); //<--main function return true; //if you return false, then the process that called LoadLibrary() will return 0 break; . . } and: BOOL DoHookProcs() { OriginalMessageBoxProc = (MyMsgBoxProc) HookImportedFunction( GetModuleHandle(0), "USER32.DLL", "MessageBoxA", (PROC)MyMsgBox); //check if no error occured, return false, if error, true if no error if(!OriginalMessageBoxProc) return false; return true; } okkkkkkkkk So the function MyMsgBox gets called instead of MessageBox()... Let's see how the funciton looks like,, this should be simple: int WINAPI MyMsgBox(HWND hWnd, LPCTSTR lptext, LPCTSTR lpcaption, UINT utype) { int ret; //need to save ret value ofcourse char bufText[1024], bufCaption; strcpy(bufText, "Nassoooooor sez: "); strcat(bufText, lptext); strcat(bufText, "\n\n\n SAVED TO LOG FILE!!"); strcpy(bufCaption, "Caption=="); strcat(bufCaption, lpcaption); /////Do whatever crap that you want ret = OriginalMessageBoxProc( hWnd, bufText, bufCaption, utype ); //If you call MessageBox( instead,,, // one of 2 might happen: // 1) Get redirected back to this function, so it becomes like an infinite recursion function, until crash // 2) MessageBox() of the dll will be called. It has nothing to do with the process... // --Think, which of these 2 will happeN? if you did as i told you, and read the links that i gave you, and understood // all this, then you shuld have no problem in asnwering this quesion :D :D :D // Maybe do some stuff here Append("MessageBoxA Called!\r\n\tText=\"") Append(lptext); Append("\"\r\n\tCaption=\""); Append(lpcation); Append("\"\r\n\treturn value=...); . . ................. return ret; } that's it, we're done!! okay,,, when you put these functions in the dll, make this new program: win32app: in: WinMain(..) { HMODULE hModule; MessageBox(0, "Function not intercepted!", "NazSoft INFO BOX", 0); if(! (hModule=LoadLibrary("MyDll.dll")) ) MessageBox(0, "Function could not be intercepted!", "NazSoft INFO BOX", 0); else MessageBox(0, "Function intercepted!", "NazSoft INFO BOX", 0); FreeLibrary(hModule); MessageBox(0, "Function called after freeing library,,, A program crash will occur here, because we didn't restore the import table as it was :D :D", "NazSoft INFO BOX", 0); return 0; } MyDll.dll is that compiled dll above ------------------- That's it for PART ONE... You injected a dll into a process.. but it's not what we want, cause you need source code, recompilation, etc... In part two, i'll teach you how to do this in processes not yours... Just start a program like mirc.exe,, without modifying the source code,, and intercept the winsock fucntions,,, it's gonna be fun... So until then,,,.... cyaaaaaaa then, i'm posting part 2... It's ready already ;) so hurry up
lol cya

the-legions@mail.ruNon fare esperimenti se non sai che cosa stai facendo. Soprattutto usa il cervello e non pensare di essere furbo. Ci sara' sempre qualcuno che e' piu furbo di te. Se qualcuno avesse intenzione di usare quanto sopra a scopi non chiari, e' vivamente pregato di non contribuire con un operato non in linea con i principi esposti nella premessa, a rendere solo piu potenti i Grandi Censori della Rete.

ASTALAVISTA

Viva il presidente stallone - Silvio difeso dai Papi Boys-ITALIA CHE COSA STAI FACENDO?

Dopo i risultati del voto, dopo queste notizie, ho voglia di dire una sola frase:

ITALIA CHE COSA STAI FACENDO?

Continua la disfatta dello Stato Italiano, su quasi tutti i fronti, e vorrei essere ottimista usando il condizionale, ma non lo sono affatto.

Tengo a precisare che io personalmente non ho nessuna intenzione di farmi rappresentare al Parlamento Europeo da un Borghezio o da uno "Stallone" degni di un film- commedia della peggiore saga ital-deficente.

Come cittadino italiano, critico apertamente e profondamente tutti gli italiani che, con quale coraggio non lo so ancora, continuano a NON VOLER CAPIRE che non siamo in una telenovela, o forse Mediaset e' una droga cosi potente che ha rammollito il cervello di molte persone, oppure se e' vero quel detto che "gli uomini ad una certa eta diventano maiali" ebbene, questo e' il risultato.

Come uomo e come cittadino italiano (se continua cosi rinuncio alla cittadinanza italiana e lascio quella statunitense) mi dissocio apertamente da tutto questo che io definisco "schifezza" roba che fa impallidire i giornaletti porno.

Guardian Angel e' di sinistra. Questo blog e' di sinistra. Guardian Angel sono io, lo stallone e' un a figura che potrbbe andare o in una scuderia o tra le lenzuola, dipende dai gusti, io in questo momento direi che e' una figura da DARSI ALL'IPPICA con tutti i rincoglioniti Papy Boys che pensano che una dose di Viagra sia la soluzione alle loro porcal-voglie.

No, io non sono un santo, non faccio sesso-astinenza, sono un uomo anch'io, ma non penso che la virilita' sia qualcosa che vada ostentata o peggio, debba diventare un mezzo per fare adepti. E poi ci si lamenta delle donne che vengono violentate, ci si stupisce se la tua amica ha paura a tornare a casa con l'autobus, adesso non mi stupisco piu, anzi, e' da un bel po di tempo che non mi stupisco piu di niente, da quando ho visto che pure nel mezzo di un terremoto ci sono i "Boys". E adesso lo dico.

Molte donne qui (L'AQUILA SI ABRUZZO TERREMOTO) hanno rischiato di essere infastidite, ma la parola e' un'altra, non la posso dire ma e' facile da immaginare.

Mi vergogno di tutto questo, non ho parole per esprimere il mio disappunto e la mia insoddisfazione, ce l'ho apertamente con tutti quelli che non si stanno rendendo conto che stiamo precipitando in un baratro che porta la nostra Nazione indietro di un secolo minimo, come modo di pensare e come tutto il resto.

Passo alla notizia, questa e' stata diffusa via web, purtroppo, e' una delle poche volte che avrei voluto non diffondere un bel cazzo di niente.

Silvio difeso dai Papi Boys

Notizia del 8 giugno 2009 - 09:00

Al grido di "Viva il presidente stallone", interi gruppi di lettori di Libero.it prendono le parti del Premier sostenendo che tiene alta nel mondo l'immagine dell'italiano stallone. Davvero?

di Giorgia Camandona

Chi pensava che certe foto di ragazze sdraiate a bordo piscina avrebbero fatto scalpore si sbagliava di grosso. Altro che opinione pubblica sconvolta e scioccata. Altro che indignazione. Qua nessuno è più capace di storcere il naso. Tra i lettori di Libero.it sono in tanti a difendere Berlusconi, lo osannano addirittura, per le sue (presunte) doti di latin lover, per l'immagine da macho italiano che esporta (ma non stavamo esportando grandi figuracce?). Chiamateli pure Papi Boys.

Viva il Papi che brinda al compleanno di Noemi. Viva il Papi lui sì che sa organizzare le feste. Viva il Papi che ha una bella villa in Sardegna. Viva il Papi che è ricco e famoso e tutte le donne lo vogliono. Il senso è questo. Più o meno come quando i ragazzini impazzivano sotto il balcone di Corona appena scarcerato e questo gli lanciava le mutande con il suo nome sopra. Lo stesso genere di ammirazione, per chi finisce sui giornali (non importa per quale ragione), per chi ha denaro e belle donne. Sono questi i valori dell'italiano medio.

Manu706 la butta sul che ce ne importa, mica sono affari nostri: «Non posso credere che il quotidiano spagnolo non avesse di meglio da pubblicare! Ma chi se ne frega di cosa fa Berlusconi a casa sua? Chi se ne frega di cosa fanno i suoi ospiti? Chi se ne frega se va alla festa di una ragazzina?». Lallapiro sostiene che tutte le donne vorrebbero essere al posto di quelle ritratte nelle foto, a bordo piscina: «L'invidia fa parlare.... quante vorebbero stare al posto delle veline?». Poi c'è chi tira fuori Sircana: «Penso che sia meglio avere la casa piena di belle donne ( come quelle nelle foto e tutte maggiorenni) che andare in cerca di travestiti o squillo, per strada e negli alberghi». Alvin non fa giri di parole: «Beato lui (Silvio, ndr.) che può». Qualcuno fa notare che Noemi all'epoca delle foto era minorenne e Caspiterinz ha subito la risposta pronta: «Adesso siamo al ridicolo, allora io che ospito un amico di mio figlio che ha 17 anni e mezzo sono una pedofila??????» con tanti punti interrogativi.

E infine il grande classico: è tutta invidia. Iaietta82 chiosa: «Perché è proibito stare nudi in casa o invitare qualcuno nel proprio giardino! Vabbè che siete pieni di invidia e di odio ma francamente fate davvero ridere!».

Sì, facciamo davvero ridere, ma per motivi diversi

Notizia del 5 giugno 2009 - 12:00

Sequestrate in Italia, le pubblica stamattina "El Pais". Sono cinque: tanga e topless, Berlusconi in nero, un uomo nudo e gente che prende il sole. Il premier: «Non ho nessuna paura ma questa è una violazione del privato e una aggressione scandalosa»

"Las fotos vetadas por Berlusconi", il concetto in spagnolo suona così. Alla fine è stato El Pais a pubblicare "una selezione delle fotografie delle feste del Cavaliere". I famosi scatti di Antonello Zappadu (già denunciato dal premier per violazione della privacy e tentativo di truffa) a Villa Certosa nel maggio 2008, quelli sequestrati dalla Procura di Roma. Il fotografo sardo ieri aveva buttato il sasso: le ho vendute all'estero. E oggi abbiamo scoperto a chi. El Pais ne pubblica 5: ragazze in tanga e topless, un ospite maschile nudo, Berlusconi in nero, gente varia che prende il sole sui lettini. Niente di più niente di meno.

Le facce sono oscurate, tutte tranne quella del padrone di casa. C'è da dire che i toni degli articoli che accompagnano le immagini sono piuttosto duri. Tanto che certi titoli di casa nostra sono carezze al confronto. «Le foto - si legge nell'editoriale - non violano la privacy del primo ministro ma svelano la sua deriva autoritaria. Se finora le sue uscite erano state prese come uno scherzo, oggi esistono nuovi e gravi motivi per avvertire che il premier sta mettendo a rischio il futuro dell'Italia come Stato di diritto». Stangata finale: «Un'Italia che scivola lungo la china verso la quale la sta trascinando Berlusconi non è un motivo di preoccupazione solo per gli italiani, ma per tutti gli europei».

Giornali esteri amici e complici della sinistra italiana? Manco tanto visto che su El Pais, tra i tanti sul Noemigate, c'è un titolo che recita così: "Dónde está la izquierda italiana?"

Le foto di Villa Certosa pubblicate da El Pais

La lettera di Silvio Berlusconi al Garante della Privacy dove il Premier chiede di inibire la pubblicazione delle foto che lo riguardano

Scoop di l'Espresso che racconta delle feste di capodanno del Cavaliere tra donne, gioielli, shopping, balli e bagni in piscina. Nella foto: Camilla Ferranti

Ricordate Imma, la concorrente del reality "Un due tre... Stalla!" di Mediaset? Ebene, c'era anche lei secondo l'Espresso

Insieme a Marianna e Emanuela, gemelline sexy già meteorine di Emilio Fede

Peter Gomez e Marco Lillo hanno scovato una gola profonda, una partecipante al capodanno sexy in Sardegna del Cavaliere

Quello a cui sono state invitate anche Noemi e la sua amica Roberta (all'epoca ancora 17enni), per intenderci

Colpisce, tra le varie storie riportare da l'Espresso a base di feste e donne, il racconto su Sabina Began e sul suo tatuaggio: una farfalla circondata dalla frase "L'incontro che ha cambiato la mia vita: S. B." Ecco questa si e' data all'ippica come si vede alle sue spalle

Non è la prima volta che Silvio accoglie a casa sua giovani ragazze. Il settimanale "Oggi" pubblicò alcune foto, anche in copertina, dedicate a Silvio Berlusconi e alle sue giovani ospiti

Silvio non ha gradito la pubblicazione di queste immagini e ha minacciato querele contro il settimanale

Una delle misteriose ragazze che tiene per mano Berlusconi è Angela Sozio, ex concorrente del Grande Fratello "Stasera vado a giocare a bocce"

Le Silvio's girls (Belle bocce pero')

Si proprio belle bocce Bel gioco, altro che palestra............



Adesso, mando i risultati delle bocce, cioe' delle elezioni, qui tra bocce ed elezioni SONO RIMASTO SENZA PAROLE
Comunque, quello che fa Berlusconi nella vita privata sono cavoli suoi, io ce l'ho con quelli che lo votano.

Verso Strasburgo ladrona

L'Europa svolta a destra e da noi stravince la Lega. Frena il Pdl e a sinistra cala anche il Pd. Soddisfatto? Moltissimo Grazie. Libero chiaamati solo Infostrada e' meglio per te dammi retta (G.A.)

di Daniele Passanante Evidentemente ha pagato fare proseliti sul tema dei clandestini e la Lega ha vinto ancora. In Veneto alle Provinciali si è sfiorato addirittura il testa a testa tra Carroccio e Pdl, anche se alla fine il sorpasso non c'è stato. Persino Silvio Berlusconi che in campagna elettorale si è guadagnato la tessera virtuale della Lega (era il 10 maggio quando Roberto Calderoli aveva commentato il "no" del presidente del Consiglio alla società multietnica) ha cavalcato la tigre del clandestino e Ignazio La Russa a cose fatte l'ha accusato di avere fatto propaganda a Bossi. Risultato: il Popolo della Libertà ha perso qualche consenso, complice l'astensionismo galoppante (ha votato il 67% degli aventi diritto, il 6% in meno delle ultime Europee) e forse il caso Noemi. Ma il centrodestra nel suo complesso può stare tranquillo con il 45 per cento abbondante e l'Umberto può esultare. E infatti quel 10% raggiunto a livello nazionale era al di là di ogni aspettativa: «Se ci arrivassimo - aveva detto dopo aver votato in un seggio della sua Gemonio - sarei contento, molto contento». Situazione simile anche nel centrosinistra dove cala anche il Partito democratico, fermo al 26% (alle politiche aveva ottenuto il 33,2%). I sondaggi però davano il partito guidato da Dario Franceschini al 22% solo qualche mese fa e in fondo il Pd non ha perso moltissimo, mentre l'Italia dei Valori è salita all'8%. Insieme raggiungono il 34%, in totale 3 punti circa in meno rispetto alle Politiche dell'anno scorso. Ancora una débacle per la sinistra radicale che si è presentata divisa tra Prc-Pdci da una parte e Sinistra e Libertà, dall'altra. Potevano farcela se si fossero presentati insieme: la somma dei due partitini rosso-verdi raggiunge infatti il 6,5%. E invece distinti restano a casa e ottengono l'uno il 3,4% e l'altro il 3.1% senza raggiungere la quota di sbarramento del 4%. Un risultato che sommato a quello di Pd e Idv avrebbe portato il centrosinistra al 40.5%. Senza contare i Radicali, sconfitti anche loro con il 2.4%. Passa invece col 6.5% l'Udc di Pierferdinando Casini, partito che Massimo D'Alema ha provato a portare dalla sua parte senza risultato. Se il baffo della sinistra ci fosse riuscito, l'Italia sarebbe stata spaccata esattamente in due.

Signori Signore e Indecisi "Vado a vivere in campagna"


ASTALAVISTA
Oggi siamo in lutto, per cui abbiamo a cena tutta la Santa Inquisizione.
C'e' pure Frate Pomicione.
Tanto per stare al passo coi tempi.
E Sorella Luna.
Vestita di pelle.
UMANA