///////////////////////////////////////////////////// // // Version 1.0 : // ////////////////////////////////////////////////// #include #include #include //#include "PeImpExp.h" #include "PEInline.h" #include "PTC.h" #include "PTC_abc.h" #ifdef PTC_SYSTEM_ACTIVED // { ////////////////////////////////////////////////// // Global Variables Declarations ////////////////////////////////////////////////// char PTC_ga_cGeneratedCode[PTC_C_CODESIZE]; long PTC_g_lCurrentRandom; long PTC_g_lProtectError; DWORD *PTC_ga_dwLinkedDLLImageBase; BOOL PTC_g_bNTSystem; DWORD PTC_g_dwLinkedDLLNumber; DWORD PTC_g_dwImportedFunctionsNumber; DWORD PTC_gs_dwOldPageProtection; char PTC_ga_szLinkedDLLName[][PTC_C_NAMESIZE] = { PTC_C_Kernel32_dllName , PTC_C_User32_dllName , PTC_C_PSAPI_dllName , PTC_C_ADVAPI32_dllName , PTC_C_GDI32_dllName , PTC_C_VERSION_dllName , PTC_C_WINMM_dllName , "" }; PTC_tdstImportedFunction PTC_ga_stImportedFunctions[] = { /* Name , dwAddress , lOwnerDLLIndex , lOtherDLLIndex */ #if defined(UNICODE) PTC_C_GetModuleHandleWName , 0L , 0 , 1 , 6 , 0 , 0 , 0 , /* 0 */ #else PTC_C_GetModuleHandleAName , 0L , 0 , 1 , 6 , 0 , 0 , 0 , /* 0 */ #endif PTC_C_FlushInstructionCacheName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_GetCurrentProcessName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_QueryPerformanceFrequencyName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , #if defined(UNICODE) PTC_C_OpenEventWName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_CreateEventWName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , /* 5 */ #else PTC_C_OpenEventAName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_CreateEventAName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , /* 5 */ #endif PTC_C_ResetEventName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_SetEventName , 0L , 0 , 1 , 0 , 0 , 0 , 0 , #if defined(UNICODE) PTC_C_CreateFileWName, 0L , 0 , 1 , 6 , 3 , 5 , 0 , #else PTC_C_CreateFileAName, 0L , 0 , 1 , 6 , 3 , 5 , 0 , #endif PTC_C_WriteFileName, 0L , 0 , 3 , 4 , 0 , 0 , 0 , PTC_C_ReadFileName, 0L , 0 , 3 , 0 , 0 , 0 , 0 , /* 10 */ PTC_C_CloseHandleName, 0L , 0 , 1 , 5 , 3 , 4 , 6 , PTC_C_SetFilePointerName, 0L , 0 , 4 , 0 , 0 , 0 , 0 , PTC_C_FlushFileBufferName, 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_QueryPerformanceCounterName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , #if defined(UNICODE) PTC_C_GetDriveTypeWName , 0L , 0 , 4 , 0 , 0 , 0 , 0 , /* 15 */ PTC_C_GetVolumeInformationWName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_GetLogicalDriveStringsWName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , #else PTC_C_GetDriveTypeAName , 0L , 0 , 4 , 0 , 0 , 0 , 0 , /* 15 */ PTC_C_GetVolumeInformationAName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_GetLogicalDriveStringsAName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , #endif PTC_C_GetFileSizeName , 0L , 0 , 3 , 1 , 6 , 5 , 0 , PTC_C_CreateToolhelp32SnapshotName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_Process32FirstName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , /* 20 */ PTC_C_Process32NextName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_Module32FirstName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_Module32NextName , 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_EnumProcessesName , 0L , 2 , 2 , 0 , 0 , 0 , 0 , PTC_C_EnumProcessModulesName , 0L , 2 , 2 , 0 , 0 , 0 , 0 , /* 25 */ #if defined(UNICODE) PTC_C_LoadLibraryWName , 0L , 0 , 3 , 4 , 1 , 6 , 0 , #else PTC_C_LoadLibraryAName , 0L , 0 , 3 , 4 , 1 , 6 , 0 , #endif PTC_C_FreeLibraryName , 0L , 0 , 4 , 1 , 6 , 5 , 3 , /* ANNECY OA - 21/07/99 { */ #if defined(UNICODE) PTC_C_GetDiskFreeSpaceWName, 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_SetFileAttributsWName, 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_GetFileAttributsWName, 0L , 0 , 6 , 5 , 3 , 0 , 0 , /* 30 */ #else PTC_C_GetDiskFreeSpaceAName, 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_SetFileAttributsAName, 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_GetFileAttributsAName, 0L , 0 , 6 , 3 , 5 , 0 , 0 , /* 30 */ #endif PTC_C_GetFileInformationByHandleName, 0L , 0 , 0 , 0 , 0 , 0 , 0 , PTC_C_SetErrorModeName, 0L , 0 , 3 , 6 , 0 , 0 , 0 , PTC_C_SetFileTimeName, 0L , 0 , 6 , 1 , 5 , 0 , 0 , PTC_C_GetFileTimeName, 0L , 0 , 6 , 3 , 5 , 1 , 0 , /* END ANNECY OA } */ "" , 0L , 0 , 0 , 0 , 0 , 0 , 0 /* 35 */ }; ////////////////////////////////////////////////// ////////////////////////////////////////////////// DWORD PTC_g_dwBeginLabelAddress[PTC_C_ChecksumTableSize]; DWORD PTC_g_dwEndLabelAddress[PTC_C_ChecksumTableSize]; BOOL PTC_g_bTakeAddresses; DWORD PTC_g_dwChecksum[PTC_C_ChecksumTableSize]; DWORD PTC_g_dwBeginLabelAddressDelete[PTC_C_ChecksumTableSize]; DWORD PTC_g_dwEndLabelAddressDelete[PTC_C_ChecksumTableSize]; ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// #define PTC_M_bCanObtainFunctionWithAnotherDLL(lIndex)\ ((PTC_ga_stImportedFunctions [lIndex] . lOwnerDLLIndex != PTC_ga_stImportedFunctions [lIndex] . lOtherDLLIndex[0]) &&\ (PTC_ga_dwLinkedDLLImageBase [PTC_ga_stImportedFunctions [lIndex] . lOtherDLLIndex[0]] != 0)) ////////////////////////////////////////////////// // Internal Functions ////////////////////////////////////////////////// char *PTC_fn_szGetFunctionExplicitName (long _lIndex); char *PTC_fn_szGetDLLExplicitName(long _lIndex); DWORD dwGetAddressOfFunctionInAnotherDLL (char *szDll,char *szFunc); void PTC_fn_vGetGetModuleHandleA (BOOL _bFirstTime); void PTC_fn_vGetOneLinkedDLLImageBase(long _iIndex , BOOL _bFirstTime); void PTC_fn_vGetOneSystemFunctionPtr (long _iIndex , BOOL _bFirstTime); void PTC_fn_vGetAllSystemFunctionsPtr(BOOL _bFirstTime); void PTC_fn_vGetAllLinkedDLLImageBase(BOOL _bFirstTime); HMODULE PTC_fn_hGetKernel32Handle(); HMODULE PTC_fn_hScanMemoryForKernel32(LPBYTE lpBuffer,int n,int step); BOOL PTC_fn_bLookForKernel32(LPBYTE lpBuffer); ////////////////////////////////////////////////////////////////////////////// // Return the Real Name of The function in PTC_ga_szImportedFunctionName array // Used to uncode the name ////////////////////////////////////////////////////////////////////////////// char PTC_g_szFunctionCurrentName[PTC_C_NAMESIZE]; char *PTC_fn_szGetFunctionExplicitName(long _lIndex) { return PTC_ga_stImportedFunctions [_lIndex] . szName; } char PTC_g_szDLLCurrentName[PTC_C_NAMESIZE]; char *PTC_fn_szGetDLLExplicitName(long _lIndex) { DWORD dwKey = *(DWORD*)(PTC_ga_szLinkedDLLName [_lIndex]); unsigned char *p_ucCryptKey = (unsigned char*) &dwKey; unsigned char cSize = (unsigned char)PTC_ga_szLinkedDLLName [_lIndex] [4]; char *p_cSource = PTC_ga_szLinkedDLLName [_lIndex] + 5; char *p_cTarget = PTC_g_szDLLCurrentName; unsigned char cCount; for (cCount = 0 ; cCount < cSize ; cCount++ , p_cSource++ , p_cTarget++ ) { *p_cTarget = (*p_cSource - p_ucCryptKey[0]) ^ p_ucCryptKey[1]; p_ucCryptKey[0] += p_ucCryptKey[2]; p_ucCryptKey[1] += p_ucCryptKey[3]; } *p_cTarget = 0; return PTC_g_szDLLCurrentName; } ////////////////////////////////////////////////// // return Absolute Address ////////////////////////////////////////////////// DWORD PTC_dwGetAddressOfFunctionInAnotherDLL(long _lFunctionIndex) { DWORD dwIndexMax , dwIndex , dwAddressEntry , dwAddress; dwIndexMax = 4; while ( PTC_ga_stImportedFunctions [_lFunctionIndex] . lOtherDLLIndex [dwIndexMax] != PTC_ga_stImportedFunctions [_lFunctionIndex] . lOwnerDLLIndex) dwIndexMax--; dwIndex = (DWORD)PTC_fn_lGetRandomRange (0 , dwIndexMax+1); dwAddressEntry = dwGetImportedFunctionEntryFromImageBase (PTC_ga_dwLinkedDLLImageBase [PTC_ga_stImportedFunctions [_lFunctionIndex] . lOtherDLLIndex[dwIndex]] , PTC_fn_szGetFunctionExplicitName (_lFunctionIndex)); dwAddress = *((DWORD*) dwAddressEntry); return (dwAddress); } ////////////////////////////////////////////////// // return OffSet Address ////////////////////////////////////////////////// DWORD PTC_dwGetExportedFunctionEntryFromImageBase(long _lFunctionIndex) { DWORD dwImageBase = PTC_ga_dwLinkedDLLImageBase [PTC_ga_stImportedFunctions [_lFunctionIndex] . lOwnerDLLIndex]; DWORD dwPtr = dwGetExportedFunctionEntryFromImageBase (dwImageBase , PTC_fn_szGetFunctionExplicitName (_lFunctionIndex)); return(dwPtr); } ////////////////////////////////////////////////// // Get 'GetModuleHandle' Ptr in USER32.dll ////////////////////////////////////////////////// void PTC_fn_vGetGetModuleHandleA(BOOL _bFirstTime) { /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionCheckSum(8,PTC_fn_vGetGetModuleHandleA); return; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_vGetGetModuleHandleA) if (_bFirstTime) { DWORD dwAddressEntry , dwAddress , dwKey; /* HANDLE hDll = GetModuleHandle (PTC_fn_szGetDLLExplicitName(PTC_C_User32Index)); dwAddressEntry = dwGetImportedFunctionEntryFromImageBase ((DWORD) hDll , PTC_fn_szGetFunctionExplicitName(PTC_C_GetModuleHandleIndex)); dwAddress = *((DWORD*) dwAddressEntry); */ PTC_ga_dwLinkedDLLImageBase [PTC_C_Kernel32Index] = (DWORD)PTC_fn_hGetKernel32Handle(); dwAddressEntry = PTC_dwGetExportedFunctionEntryFromImageBase (PTC_C_GetModuleHandleIndex); dwAddress = PTC_ga_dwLinkedDLLImageBase [PTC_C_Kernel32Index] + dwAddressEntry; dwKey = *((DWORD*) PTC_ga_stImportedFunctions [PTC_C_GetModuleHandleIndex] . szName); PTC_ga_stImportedFunctions [PTC_C_GetModuleHandleIndex] . dwAddress = dwAddress ^ dwKey; } else { DWORD dwPtr; DWORD dwKey = *((DWORD*) PTC_ga_stImportedFunctions [PTC_C_GetModuleHandleIndex] . szName); if (PTC_M_bCanObtainFunctionWithAnotherDLL(PTC_C_GetModuleHandleIndex)) { dwPtr = PTC_dwGetAddressOfFunctionInAnotherDLL (PTC_C_GetModuleHandleIndex); } else { HANDLE hDll = GetModuleHandle (PTC_fn_szGetDLLExplicitName(PTC_C_User32Index)); DWORD dwAddressEntry = dwGetImportedFunctionEntryFromImageBase ((DWORD) hDll , PTC_fn_szGetFunctionExplicitName(PTC_C_GetModuleHandleIndex)); dwPtr = *((DWORD*) dwAddressEntry); } // Test if same as previous getting if (dwPtr != PTC_ga_stImportedFunctions [PTC_C_GetModuleHandleIndex] . dwAddress) { PTC_g_lProtectError = 1; // GetModuleHandle Ptr has changed } PTC_ga_stImportedFunctions [PTC_C_GetModuleHandleIndex] . dwAddress = dwPtr ^ dwKey; } PTC_M_DeclareEndLabel(PTC_fn_vGetGetModuleHandleA); } ////////////////////////////////////////////////// // Get a DLL ImageBase ////////////////////////////////////////////////// void PTC_fn_vGetOneLinkedDLLImageBase(long _iIndex , BOOL _bFirstTime) { DWORD dwPtr = (DWORD) PTC_DirectGetModuleHandle (PTC_fn_szGetDLLExplicitName (_iIndex)); if (! _bFirstTime && (dwPtr != PTC_ga_dwLinkedDLLImageBase [_iIndex])) { PTC_g_lProtectError = 1; // GetModuleHandle Ptr has changed } PTC_ga_dwLinkedDLLImageBase [_iIndex] = dwPtr; } ////////////////////////////////////////////////// // Get One System Function Ptr ////////////////////////////////////////////////// void PTC_fn_vGetOneSystemFunctionPtr (long _iIndex , BOOL _bFirstTime) { DWORD dwPtr,dwImageBase; DWORD dwKey = *((DWORD*) PTC_ga_stImportedFunctions [_iIndex] . szName); dwImageBase = PTC_ga_dwLinkedDLLImageBase [PTC_ga_stImportedFunctions [_iIndex] . lOwnerDLLIndex]; if (dwImageBase == 0L) { PTC_ga_stImportedFunctions [_iIndex] . dwAddress = 0L; return; } if (_bFirstTime) { dwPtr = PTC_dwGetExportedFunctionEntryFromImageBase (_iIndex); dwPtr += (dwPtr ? dwImageBase : 0); } else { if (PTC_M_bCanObtainFunctionWithAnotherDLL(_iIndex)) { dwPtr = PTC_dwGetAddressOfFunctionInAnotherDLL (_iIndex); } else { dwPtr = PTC_dwGetExportedFunctionEntryFromImageBase (_iIndex); dwPtr += (dwPtr ? dwImageBase : 0); } // Test if same as previous getting if (dwPtr != PTC_ga_stImportedFunctions [_iIndex] . dwAddress) { PTC_g_lProtectError = 1; // Function Ptr has changed } } PTC_ga_stImportedFunctions [_iIndex] . dwAddress = (dwPtr ? dwPtr ^ dwKey : 0L); } ////////////////////////////////////////////////// // check for kernel32 presence ////////////////////////////////////////////////// BOOL PTC_fn_bLookForKernel32(LPBYTE lpBuffer) { BOOL bRet=FALSE; // MZ signature if (*(USHORT *) lpBuffer == IMAGE_DOS_SIGNATURE) { // PE signature if (*(DWORD *)NTSIGNATURE (lpBuffer) == IMAGE_NT_SIGNATURE) { // find dllname in export table PIMAGE_OPTIONAL_HEADER pPEOptionalHeader=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET (lpBuffer); if (pPEOptionalHeader) { // RVA of export table DWORD ExportRVA=pPEOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; if (ExportRVA) { // pointer on export table PIMAGE_EXPORT_DIRECTORY ped=(PIMAGE_EXPORT_DIRECTORY) &lpBuffer[ExportRVA]; if (ped) { // pointer on DLL name DWORD *dwPtr=(DWORD*) &lpBuffer[ped->Name]; #define MASK1 0x20202020 #define MASK2 0x00002020 #define MASK3 0x20202000 #define MASK4 0x000000FF // avoid a silly stricmp if ( (dwPtr[0] & ~MASK1) == ('NREK') ) { if ( (dwPtr[1] | MASK2) == ('23le') ) { if ( (dwPtr[2] & ~MASK3) == ('LLD.') ) { if ( (dwPtr[3] & MASK4)==0) { bRet=TRUE; } } } } } } } } } return(bRet); } ////////////////////////////////////////////////// // scan memory with exception handler to prevent from crashing ////////////////////////////////////////////////// #include /* ASM version */ HMODULE PTC_fn_hScanMemoryForKernel32(LPBYTE lpBuffer,int n,int step) { HMODULE lAddress; __asm { // jmp + push the seh routine address on the stack call set_seh // Exception handler routine mov eax,[esp+0Ch] push ebx mov ebx,[eax.Edx] // offset A8h sub [eax.Eax],ebx // offset B0h dec dword ptr [eax.Ecx] // offset ACh jnz continue_search // end the search, put a valid address in eax mov ebx,[eax.Esp] // offset C4h mov [eax.Eax],ebx continue_search: pop ebx mov eax,ExceptionContinueExecution ret set_seh: push fs:[0] mov fs:[0],esp mov eax,[lpBuffer] mov ecx,[n] mov edx,[step] try_once: mov ebx,[eax] or ecx,ecx jz not_found push eax push edx push ecx push eax call PTC_fn_bLookForKernel32 or eax,eax pop eax pop ecx pop edx pop eax jnz found sub eax,edx dec ecx jz not_found jmp try_once not_found: xor eax,eax found: mov ebx,fs:[0] mov ebx,[ebx] mov fs:[0],ebx mov [lAddress],eax } return lAddress; } ////////////////////////////////////////////////// ////////////////////////////////////////////////// HMODULE PTC_fn_hGetKernel32Handle() { static HMODULE hKernel32=0; /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionCheckSum(7,PTC_fn_hGetKernel32Handle); return NULL; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_hGetKernel32Handle) if (!hKernel32) { LPBYTE lpBuffer=0; // start scanning at 0x80000000 under NT at 0xC0000000 else __asm { mov eax,dword ptr fs:[30h] and eax,0x80000000 // NT detected if eax == 0 shr eax,1 add eax,0x80000000 mov dword ptr [lpBuffer],eax } hKernel32=PTC_fn_hScanMemoryForKernel32(lpBuffer,0x1000,0x10000); // it's fastest to scan the correct zone first if (!hKernel32) { hKernel32=PTC_fn_hScanMemoryForKernel32((LPBYTE) 0xC0000000,0x1000,0x10000); // works under W9x if (!hKernel32) { hKernel32=PTC_fn_hScanMemoryForKernel32((LPBYTE) 0x80000000,0x1000,0x10000); // works under WinNT if (!hKernel32) { hKernel32=PTC_fn_hScanMemoryForKernel32((LPBYTE) 0x00000000,0xF000,-0x10000); // should not happened } } } } return(hKernel32); PTC_M_DeclareEndLabel(PTC_fn_hGetKernel32Handle); } ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////////////////////////////////////// // Must be done after PTC_fn_vGetAllSystemFunctionsPtr() // Is NT System or W95/W98 ???? //////////////////////////////////////////////////////// void PTC_fn_vUpdateCurrentSystem() { HANDLE hSnapshotProcess; /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionCheckSum(6,PTC_fn_vUpdateCurrentSystem); return; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_vUpdateCurrentSystem) if ( PTC_ga_stImportedFunctions [PTC_C_CreateToolhelp32SnapshotIndex] . dwAddress == 0L || PTC_ga_stImportedFunctions [PTC_C_Process32FirstIndex] . dwAddress == 0L || PTC_ga_stImportedFunctions [PTC_C_Process32NextIndex] . dwAddress == 0L || PTC_ga_stImportedFunctions [PTC_C_Module32FirstIndex] . dwAddress == 0L || PTC_ga_stImportedFunctions [PTC_C_Module32NextIndex] . dwAddress == 0L) { // NT System PTC_g_bNTSystem = TRUE; // Load PSAPI.DLL PTC_LoadLibrary (PTC_fn_szGetDLLExplicitName (PTC_C_PSAPIIndex)); // update array of DLL Image Base PTC_fn_vGetOneLinkedDLLImageBase (PTC_C_PSAPIIndex , TRUE); // update array of Functions Image Base PTC_fn_vGetOneSystemFunctionPtr (PTC_C_EnumProcessesIndex , TRUE); PTC_fn_vGetOneSystemFunctionPtr (PTC_C_EnumProcessModulesIndex , TRUE); return; } // Create a ToolHelp32 snapshot containing the process list hSnapshotProcess = PTC_CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if ( hSnapshotProcess == NULL ) { PTC_g_bNTSystem = TRUE; // Load PSAPI.DLL PTC_LoadLibrary (PTC_fn_szGetDLLExplicitName (PTC_C_PSAPIIndex)); // update array of DLL Image Base PTC_fn_vGetOneLinkedDLLImageBase (PTC_C_PSAPIIndex , TRUE); // update array of Functions Image Base PTC_fn_vGetOneSystemFunctionPtr (PTC_C_EnumProcessesIndex , TRUE); PTC_fn_vGetOneSystemFunctionPtr (PTC_C_EnumProcessModulesIndex , TRUE); return; } PTC_g_bNTSystem = FALSE; PTC_M_DeclareEndLabel(PTC_fn_vUpdateCurrentSystem); } //////////////////////////////// // Uses PSAPI.dll //////////////////////////////// #ifdef _DEBUG typedef DWORD (WINAPI * PFNGETMODULEFILENAMEEXA)(HANDLE hProcess,HMODULE hModule,LPSTR lpFilename,DWORD nSize); #endif DWORD PTC_fn_dwGetRandomDLLImageBaseOnNT() { HANDLE hProcess; DWORD cbNeeded; HMODULE hModuleArray[1024]; DWORD dwModuleSelected; DWORD nModules; #ifdef _DEBUG PFNGETMODULEFILENAMEEXA pfnGetModuleFileNameExA = (PFNGETMODULEFILENAMEEXA) GetProcAddress ((HMODULE)PTC_ga_dwLinkedDLLImageBase [PTC_C_PSAPIIndex], "GetModuleFileNameExA"); char szModuleName[255]; #endif hProcess = PTC_GetCurrentProcess (); // Count number of modules if ( !PTC_EnumProcessModules(hProcess, hModuleArray, sizeof(hModuleArray), &cbNeeded ) ) { return(0L); } // Calculate number of modules in the process nModules = cbNeeded / sizeof(hModuleArray[0]); if (nModules == 1) // strange, the process uses no DLL !!!!!!!!!!!!!! { return 0L; } // choose one dwModuleSelected = PTC_fn_lGetRandomRange (0 , nModules - 1) + 1; // the first module is the process itself #ifdef _DEBUG pfnGetModuleFileNameExA(hProcess, hModuleArray [dwModuleSelected], szModuleName, sizeof(szModuleName) ); #endif return (DWORD)hModuleArray [dwModuleSelected]; } DWORD PTC_fn_dwSearchExportedFunctionInEveryDLLOnNT(char *_szCryptedName) { HANDLE hProcess; DWORD cbNeeded; HMODULE hModuleArray[1024]; DWORD nModules; DWORD dwIndex; DWORD dwResult = 0; /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionCheckSum(4,PTC_fn_dwSearchExportedFunctionInEveryDLLOnNT); return 0L; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_dwSearchExportedFunctionInEveryDLLOnNT) hProcess = PTC_GetCurrentProcess (); // Count number of modules if ( !PTC_EnumProcessModules(hProcess, hModuleArray, sizeof(hModuleArray), &cbNeeded ) ) { return(0L); } // Calculate number of modules in the process nModules = cbNeeded / sizeof(hModuleArray[0]); if (nModules == 1) // strange, the process uses no DLL !!!!!!!!!!!!!! { return 0L; } for(dwIndex = 0 ; dwIndex < nModules ; dwIndex++) { DWORD dwAddress = dwGetExportedFunctionEntryFromImageBase ((DWORD)hModuleArray [dwIndex] , _szCryptedName); if (dwAddress) dwResult++; } return dwResult; PTC_M_DeclareEndLabel(PTC_fn_dwSearchExportedFunctionInEveryDLLOnNT); } //////////////////////////////// // Uses CreateToolhelp32 function //////////////////////////////// DWORD PTC_fn_dwGetRandomDLLImageBaseOnW95W98() { HANDLE hSnapshotModule; MODULEENTRY32 modEntry; BOOL fModWalkContinue; DWORD dwNbModule, dwModuleIndex; hSnapshotModule = PTC_CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, 0 ); // current process only modEntry.dwSize = sizeof(MODULEENTRY32); for (fModWalkContinue = PTC_Module32First(hSnapshotModule,&modEntry) , dwNbModule = 0; fModWalkContinue; fModWalkContinue = PTC_Module32Next(hSnapshotModule,&modEntry) , dwNbModule++ ); // choose one dwModuleIndex = PTC_fn_lGetRandomRange (0 , dwNbModule-1) + 1; // the first module is the process itself // get selected module dwNbModule = 0; fModWalkContinue = PTC_Module32First(hSnapshotModule,&modEntry); while (dwNbModule != dwModuleIndex) { fModWalkContinue = PTC_Module32Next(hSnapshotModule,&modEntry); } // close handle PTC_CloseHandle (hSnapshotModule); return (DWORD)modEntry.hModule; } DWORD PTC_fn_dwSearchExportedFunctionInEveryDLLOnW95W98(char *_szCryptedName) { HANDLE hSnapshotModule; MODULEENTRY32 modEntry; BOOL fModWalkContinue; DWORD dwNbModule; DWORD dwResult = 0; /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionCheckSum(5,PTC_fn_dwSearchExportedFunctionInEveryDLLOnW95W98); return 0L; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_dwSearchExportedFunctionInEveryDLLOnW95W98) hSnapshotModule = PTC_CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, 0 ); // current process only modEntry.dwSize = sizeof(MODULEENTRY32); for (fModWalkContinue = PTC_Module32First(hSnapshotModule,&modEntry) , dwNbModule = 0; fModWalkContinue; fModWalkContinue = PTC_Module32Next(hSnapshotModule,&modEntry) , dwNbModule++ ) { DWORD dwAddress = dwGetExportedFunctionEntryFromImageBase ((DWORD)modEntry.hModule , _szCryptedName); if (dwAddress) dwResult++; } // close handle PTC_CloseHandle (hSnapshotModule); return dwResult; PTC_M_DeclareEndLabel(PTC_fn_dwSearchExportedFunctionInEveryDLLOnW95W98); } ////////////////////////////////////////////////// ////////////////////////////////////////////////// DWORD PTC_fn_dwSearchFunctionInImportedTableOfExe(char *_szCryptedName) { DWORD dwResult,dwAddress; DWORD dwKey = *((DWORD*) _szCryptedName); PTC_tdstImportedFunction *p_stIF = (PTC_tdstImportedFunction *) PTC_ga_stImportedFunctions; /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionCheckSum(9,PTC_fn_dwSearchFunctionInImportedTableOfExe); return 0L; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_dwSearchFunctionInImportedTableOfExe) dwResult = dwGetImportedFunctionEntryFromImageBase ((DWORD)PTC_GetModuleHandle(NULL) , _szCryptedName); dwAddress = (dwResult ? *((DWORD*) dwResult) : 0L); if (dwAddress) { while (*(p_stIF -> szName) && (strcmp(p_stIF -> szName,_szCryptedName))) p_stIF++; if(*(p_stIF -> szName)) { return (dwAddress - (p_stIF -> dwAddress ^ dwKey)); } } return (0L); PTC_M_DeclareEndLabel(PTC_fn_dwSearchFunctionInImportedTableOfExe); } ////////////////////////////////////////////////// // Get All System Functions Ptr ////////////////////////////////////////////////// void PTC_fn_vGetAllSystemFunctionsPtr(BOOL _bFirstTime) { DWORD dwIndex; for (dwIndex = 1 ; dwIndex < PTC_g_dwImportedFunctionsNumber ; dwIndex++) { PTC_fn_vGetOneSystemFunctionPtr (dwIndex , _bFirstTime); } } ////////////////////////////////////////////////// // Get all Linked ImageBase ////////////////////////////////////////////////// void PTC_fn_vGetAllLinkedDLLImageBase(BOOL _bFirstTime) { DWORD dwIndex; for (dwIndex = 0 ; dwIndex < PTC_g_dwLinkedDLLNumber ; dwIndex++) { PTC_fn_vGetOneLinkedDLLImageBase (dwIndex , _bFirstTime); } } ////////////////////////////////////////////////// // Return ... ////////////////////////////////////////////////// DWORD PTC_fn_dwGetRandomDLLImageBase() { if (PTC_g_bNTSystem) return PTC_fn_dwGetRandomDLLImageBaseOnNT (); else return PTC_fn_dwGetRandomDLLImageBaseOnW95W98 (); return 0L; } ////////////////////////////////////////////////// // Return ... ////////////////////////////////////////////////// DWORD PTC_fn_dwSearchExportedFunctionInEveryDLL(char *_szCryptedName) { /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionCheckSum(3,PTC_fn_dwSearchExportedFunctionInEveryDLL); return 0L; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_dwSearchExportedFunctionInEveryDLL) if (PTC_g_bNTSystem) return PTC_fn_dwSearchExportedFunctionInEveryDLLOnNT (_szCryptedName); else return PTC_fn_dwSearchExportedFunctionInEveryDLLOnW95W98 (_szCryptedName); return 0L; PTC_M_DeclareEndLabel(PTC_fn_dwSearchExportedFunctionInEveryDLL); } ////////////////////////////////////////////////// // Fill ////////////////////////////////////////////////// __inline void PTC_fn_vInitOneVariable (void *p_vAddr , DWORD dwSizeInByte) { long lSize = dwSizeInByte / 4; long lIndex; long *p_lValue = (long*)p_vAddr; for (lIndex = 0 ; lIndex < lSize ; lIndex++ , p_lValue++) { *p_lValue = PTC_fn_lGetRandom (); } } ////////////////////////////////////////////////// // Init Protections ////////////////////////////////////////////////// void PTC_fn_vTest(); void PTC_fn_vInit(BOOL _bFirstTime) { LARGE_INTEGER xCounter; /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionCheckSum(2,PTC_fn_vInit); return; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_vInit) // Init Random Sequence if (QueryPerformanceCounter (&xCounter)) { PTC_g_lCurrentRandom = xCounter.LowPart; } else { PTC_g_lCurrentRandom = 0x12345678; } // Fill Generated Code Buffer with random value PTC_fn_vInitOneVariable ((void*)PTC_ga_cGeneratedCode , PTC_C_CODESIZE); //VirtualProtect(PTC_ga_cGeneratedCode, PTC_C_CODESIZE, PAGE_EXECUTE, &PTC_gs_dwOldPageProtection); // Compute Size of Arrays PTC_g_dwLinkedDLLNumber = (sizeof(PTC_ga_szLinkedDLLName) / PTC_C_NAMESIZE) - 1; PTC_g_dwImportedFunctionsNumber = (sizeof(PTC_ga_stImportedFunctions) / sizeof(PTC_tdstImportedFunction)) - 1; // Allocate array of DLL Image Base PTC_ga_dwLinkedDLLImageBase = (DWORD*) malloc (PTC_g_dwLinkedDLLNumber * sizeof(DWORD)); // Fill It with random value PTC_fn_vInitOneVariable ((void*)PTC_ga_dwLinkedDLLImageBase, PTC_g_dwLinkedDLLNumber * sizeof(DWORD)); ///////////////////////////////////////////////// if (_bFirstTime) PTC_g_lProtectError = 0; // Get GetModuleHandle Ptr PTC_fn_vGetGetModuleHandleA (_bFirstTime); // Get All DLL ImageBase PTC_fn_vGetAllLinkedDLLImageBase (_bFirstTime); // Get All System functions Ptr PTC_fn_vGetAllSystemFunctionsPtr (_bFirstTime); // Is NT or W95/98 if (_bFirstTime) PTC_fn_vUpdateCurrentSystem (); PTC_M_DeclareEndLabel(PTC_fn_vInit) /////////////////////////////////////////////// PTC_fn_vTest (); } ////////////////////////////////////////////////// // DesInit Protections ////////////////////////////////////////////////// void PTC_fn_vDesInit() { /* if (PTC_ga_cGeneratedCode) { VirtualProtect(PTC_ga_cGeneratedCode, PTC_C_CODESIZE, PTC_gs_dwOldPageProtection, &PTC_gs_dwOldPageProtection); free (PTC_ga_cGeneratedCode); } */ if (PTC_ga_dwLinkedDLLImageBase) { free (PTC_ga_dwLinkedDLLImageBase); } if (PTC_g_bNTSystem) { FreeLibrary ((HMODULE)PTC_ga_dwLinkedDLLImageBase [PTC_C_PSAPIIndex]); } } ////////////////////////////////////////////////// // ////////////////////////////////////////////////// BOOL PTC_fn_bVerifyOneImportedFunctionPtr() { DWORD dwRandomImageBase = PTC_fn_dwGetRandomDLLImageBase (); if (dwRandomImageBase) { DWORD dwRandomFunctionPtr = PTC_fn_lGetRandomRange (0 , PTC_g_dwImportedFunctionsNumber); DWORD dwKey = *((DWORD*) PTC_ga_stImportedFunctions [dwRandomFunctionPtr] . szName); DWORD dwAddress = PTC_ga_stImportedFunctions [dwRandomFunctionPtr] . dwAddress; DWORD dwAddressFounded = dwGetImportedFunctionEntryFromImageBase (dwRandomImageBase , PTC_fn_szGetFunctionExplicitName(dwRandomFunctionPtr)); DWORD dwPtrFounded = ( dwAddressFounded ? *((DWORD*)dwAddressFounded) : 0L); if (dwPtrFounded && dwAddress && ((dwAddress ^ dwKey) != dwPtrFounded)) { PTC_g_lProtectError = 1; return FALSE; } } return TRUE; } ////////////////////////////////////////////////// // ////////////////////////////////////////////////// long PTC_fn_lGetCheckSum(DWORD dwBeginAddr, DWORD dwEndAddr); void PTC_fn_vInitChecksum() { /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionDelete(0,PTC_fn_vInitChecksum); return; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_vInitChecksum) memset (PTC_g_dwBeginLabelAddress , 0 , PTC_C_ChecksumTableSize * sizeof(DWORD)); memset (PTC_g_dwEndLabelAddress , 0 , PTC_C_ChecksumTableSize * sizeof(DWORD)); memset (PTC_g_dwChecksum , 0 , PTC_C_ChecksumTableSize * sizeof(DWORD)); memset (PTC_g_dwBeginLabelAddressDelete , 0 , PTC_C_ChecksumTableSize * sizeof(DWORD)); memset (PTC_g_dwEndLabelAddressDelete , 0 , PTC_C_ChecksumTableSize * sizeof(DWORD)); // PTC_g_bTakeAddresses = TRUE; // Compute Checksum SNA_fn_bGetHandleToRelocationTable (NULL); /* 0 */ SNA_fn_bGetHandleToRelocationTableInBigFile (NULL); /* 1 */ PTC_fn_vInit (TRUE); /* 2 */ PTC_fn_dwSearchExportedFunctionInEveryDLL (NULL); /* 3 */ PTC_fn_dwSearchExportedFunctionInEveryDLLOnNT (NULL); /* 4 */ PTC_fn_dwSearchExportedFunctionInEveryDLLOnW95W98 (NULL); /* 5 */ PTC_fn_vUpdateCurrentSystem (); /* 6 */ PTC_fn_hGetKernel32Handle (); /* 7 */ PTC_fn_vGetGetModuleHandleA (TRUE); /* 8 */ PTC_fn_dwSearchFunctionInImportedTableOfExe (NULL); /* 9 */ // Get addresses for delete PTC_fn_vInitChecksum (); /* 0 */ PTC_fn_vComputeAndWriteChecksumFile (); /* 1 */ PTC_fn_lGetCheckSum (0,0); /* 2 */ WinMain (NULL,NULL,NULL,0); /* 3 & 4 */ // PTC_g_bTakeAddresses = FALSE; // PTC_M_DeclareEndLabel(PTC_fn_vInitChecksum) return; } ////////////////////////////////////////////////// // ////////////////////////////////////////////////// void PTC_fn_vComputeAndWriteChecksumFile() { DWORD *p_dwBeginAddress; DWORD *p_dwEndAddress; FILE *pFile; DWORD i; DWORD dwOffsetBegin , dwOffsetEnd , dwOffset; char szText[255]; long lCheckSum; /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionDelete(1,PTC_fn_vComputeAndWriteChecksumFile); return; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_vComputeAndWriteChecksumFile) // Checksum List pFile = fopen ("CheckSum.lst" , "wt"); if (pFile) { i = 0; dwOffset = (DWORD)PTC_GetModuleHandle(NULL); p_dwBeginAddress = PTC_g_dwBeginLabelAddress; p_dwEndAddress = PTC_g_dwEndLabelAddress; while (*p_dwBeginAddress && *p_dwEndAddress) { lCheckSum = PTC_fn_lGetCheckSum(*p_dwBeginAddress , *p_dwEndAddress); dwOffsetBegin = *p_dwBeginAddress - dwOffset; dwOffsetEnd = *p_dwEndAddress - dwOffset; sprintf (szText , "%i - Begin: 0x%08x End: 0x%08x Checksum: 0x%08x\n" , i , dwOffsetBegin , dwOffsetEnd , lCheckSum); fprintf (pFile , "%i - Begin: 0x%08x End: 0x%08x Checksum: 0x%08x\n" , i , dwOffsetBegin , dwOffsetEnd , lCheckSum); p_dwBeginAddress++; p_dwEndAddress++; i++; } fclose (pFile); } // Delete List pFile = fopen ("Delete.lst" , "wt"); if (pFile) { i = 0; dwOffset = (DWORD)PTC_GetModuleHandle(NULL); p_dwBeginAddress = PTC_g_dwBeginLabelAddressDelete; p_dwEndAddress = PTC_g_dwEndLabelAddressDelete; while (*p_dwBeginAddress && *p_dwEndAddress) { dwOffsetBegin = *p_dwBeginAddress - dwOffset; dwOffsetEnd = *p_dwEndAddress - dwOffset; sprintf (szText , "%i - Begin: 0x%08x End: 0x%08x \n" , i , dwOffsetBegin , dwOffsetEnd); fprintf (pFile , "%i - Begin: 0x%08x End: 0x%08x \n" , i , dwOffsetBegin , dwOffsetEnd); p_dwBeginAddress++; p_dwEndAddress++; i++; } fclose (pFile); } PTC_M_DeclareEndLabel(PTC_fn_vComputeAndWriteChecksumFile) return; } #ifndef RETAIL /* { */ ////////////////////////////////////////////////// // Read CheckSum File ////////////////////////////////////////////////// void PTC_fn_vReadChecksumFile() { DWORD *p_dwBeginAddress = PTC_g_dwBeginLabelAddress; DWORD *p_dwEndAddress = PTC_g_dwEndLabelAddress; DWORD *p_dwCheckSum = PTC_g_dwChecksum; FILE *pFile; DWORD dwOffsetBegin , dwOffsetEnd , dwOffset; char szText[255]; char *p_cBegin , *p_cEnd , *p_cChecksum; long lChecksum; memset (PTC_g_dwBeginLabelAddress , 0 , PTC_C_ChecksumTableSize * sizeof(DWORD)); memset (PTC_g_dwEndLabelAddress , 0 , PTC_C_ChecksumTableSize * sizeof(DWORD)); memset (PTC_g_dwChecksum , 0 , PTC_C_ChecksumTableSize * sizeof(long)); pFile = fopen ("CheckSum.lst" , "rt"); if (pFile) { dwOffset = (DWORD)PTC_GetModuleHandle(NULL); while (!feof(pFile)) { if (fgets (szText , 255 , pFile)) { p_cBegin = strstr(szText,"Begin: 0x") + strlen("Begin: 0x"); p_cEnd = strstr(szText,"End: 0x") + strlen("End: 0x"); p_cChecksum = strstr(szText,"Checksum: 0x") + strlen("Checksum: 0x"); // read dwOffsetBegin sscanf (p_cBegin , "%x" , &dwOffsetBegin); // read dwOffsetEnd sscanf (p_cEnd , "%x" , &dwOffsetEnd); // read dwChecksum sscanf (p_cChecksum , "%x" , &lChecksum); *p_dwBeginAddress++ = dwOffsetBegin; *p_dwEndAddress++ = dwOffsetEnd; *p_dwCheckSum++ = (DWORD)lChecksum; } } fclose (pFile); } return; } #endif /* RETAIL } */ ////////////////////////////////////////////////// // Compute CheckSum ////////////////////////////////////////////////// long PTC_fn_lGetCheckSum(DWORD dwBeginAddr, DWORD dwEndAddr) { long lResult = 0; DWORD *dwCurrent; /* ------------------------------------------ */ /* to get begin and end addresses of function */ if (PTC_g_bTakeAddresses) { PTC_M_AddFunctionDelete(2,PTC_fn_lGetCheckSum); return (long)0; } /* ------------------------------------------ */ /* ------------------------------------------ */ PTC_M_DeclareBeginLabel(PTC_fn_lGetCheckSum) if (dwBeginAddr > dwEndAddr) { DWORD dwTmp; dwTmp = dwEndAddr; dwEndAddr = dwBeginAddr; dwBeginAddr = dwTmp; } dwBeginAddr -= (dwBeginAddr % 4); dwEndAddr -= (dwEndAddr % 4); dwCurrent = (DWORD*)dwBeginAddr; while (dwCurrent < (DWORD*)dwEndAddr) { lResult += (*(long*)dwCurrent) * (*(long*)dwCurrent); dwCurrent++; } PTC_M_DeclareEndLabel(PTC_fn_lGetCheckSum) return lResult; } ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// #ifdef _DEBUG void PTC_fn_vTestDLLImport(); #endif void PTC_fn_vTest() { #ifdef _DEBUG PTC_fn_vTestDLLImport(); #endif } #ifdef _DEBUG void PTC_fn_vTestChecksum() { DWORD *p_dwBeginAddress = PTC_g_dwBeginLabelAddress; DWORD *p_dwEndAddress = PTC_g_dwEndLabelAddress; long *p_lCheckSum = PTC_g_dwChecksum; long lCheckSum; DWORD dwError; DWORD dwOffset; // read checksum in file PTC_fn_vReadChecksumFile (); // verify dwOffset = (DWORD)PTC_GetModuleHandle(NULL); dwError = 0; while (*p_dwBeginAddress && *p_dwEndAddress) { lCheckSum = PTC_fn_lGetCheckSum(*p_dwBeginAddress + dwOffset, *p_dwEndAddress + dwOffset); if (lCheckSum != *p_lCheckSum) dwError++; p_dwBeginAddress++; p_dwEndAddress++; p_lCheckSum++; } if (dwError) MessageBox(NULL , "Error on checksum" , "ERROR" , MB_OK + MB_ICONEXCLAMATION); else MessageBox(NULL , "No Error on checksum" , "GOOD" , MB_OK + MB_ICONINFORMATION); } void PTC_fn_vTestDLLImport() { DWORD dwIndex; DWORD dwTest , dwOK , dwNo; dwTest = dwOK = dwNo = 0; for (dwIndex = 1 ; dwIndex < PTC_g_dwImportedFunctionsNumber ; dwIndex++) { PTC_tdstImportedFunction *p_stIF = PTC_ga_stImportedFunctions + dwIndex; DWORD dwIdx; DWORD dwAddress; DWORD dwKey = *((DWORD*) p_stIF -> szName); /* for (dwIdx = 0 ; dwIdx < 5 ; dwIdx++) { if ((p_stIF -> lOtherDLLIndex [dwIdx] != 0) && PTC_ga_dwLinkedDLLImageBase [p_stIF -> lOtherDLLIndex [dwIdx]]) { DWORD dwKey = *((DWORD*) p_stIF -> szName); DWORD dwAddress = p_stIF -> dwAddress; DWORD dwAddressFounded = dwGetImportedFunctionEntryFromImageBase (PTC_ga_dwLinkedDLLImageBase [p_stIF -> lOtherDLLIndex [dwIdx]] , PTC_fn_szGetFunctionExplicitName(dwIndex)); DWORD dwPtrFounded = ( dwAddressFounded ? *((DWORD*)dwAddressFounded) : 0L); dwTest++; if (dwPtrFounded && dwAddress && ((dwAddress ^ dwKey) != dwPtrFounded)) { PTC_g_lProtectError = 1; dwNo++; } else { PTC_g_lProtectError = -1; dwOK++; } } } */ dwIdx = PTC_fn_dwSearchExportedFunctionInEveryDLL(PTC_fn_szGetFunctionExplicitName(dwIndex)); dwAddress = PTC_fn_dwSearchFunctionInImportedTableOfExe(PTC_fn_szGetFunctionExplicitName(dwIndex)); if (dwAddress) { dwTest++; if( dwAddress == (p_stIF -> dwAddress ^ dwKey)) dwOK++; else dwNo++; } } } #endif ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// ////////////////////////////////////////////////// #endif // PTC_SYSTEM_ACTIVED }