;88888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
;88888888888888888888888888888888888888 88888888888888888888888888888888888888
;88888888888888888888888888888888 8888888888888888888888888888888
;88888888888888888888888888 88888888888888888888888888
;8888888888888888888 CreateFileA/W Hooking Script 88888888888888888888
;8888888888888888888 88888888888888888888
;8888888888888888888 Author: Kyriakos Economou (@kyREcon/www.anti-reversing.com) 88888888888888888888
;8888888888888888888 88888888888888888888
;88888888888888888888888888 Features: Logs Calls to CreateFileA/W + Return Addresses 8888888888888888888888888
;888888888888888888888888888888888 888888888888888888888888888888
;888888888888888888888888888888888888888 ODbgScript plugin v1.82.6 88888888888888888888888888888888888888
;88888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
;
; Purpose: inline-hook one of kernel32!CreateFileA / CreateFileW in the debuggee
; and, each time the hook is hit, log the return address, the (approximate)
; call site and the file name argument, both to the script log window and to a
; text file under C:\.
;
; How it works (see the functions below):
;   1. AllocateMemory        - reserves a small buffer in the debuggee.
;   2. PrepareAllocatedMemory- writes the API's standard 5-byte hot-patch
;                              prologue (mov edi,edi / push ebp / mov ebp,esp)
;                              into that buffer.
;   3. HookCreateFile        - overwrites the first 5 bytes of the API with a
;                              `jmp buffer`, appends `jmp API+5` to the buffer,
;                              and places a breakpoint on the buffer.
;   4. Main loop             - resumes the debuggee; on every stop it checks
;                              whether the hook fired and, if so, logs the call.
;
; Notes for readers/maintainers:
;   - ODbgScript numeric literals are hexadecimal (so `alloc 10` is 16 bytes).
;   - Only ONE of CreateFileA/CreateFileW is hooked per run (chosen via a
;     prompt). NOTE(review): on NT-family Windows CreateFileA is generally
;     implemented on top of CreateFileW, so hooking W is usually the wider net -
;     confirm for the target OS.
;   - The hook is a plain inline patch; it is not hidden from the debuggee, so
;     integrity-checking code could notice the modified prologue.

;________Variables Declarations ________
var createFile      ; API name string during setup, then the API's VA
var mymemory        ; VA of the allocated trampoline buffer
var param           ; lpFileName argument of the hooked call
var tmp1            ; scratch (save/restore)
var tmp2            ; scratch (rel32 computation, later unused)
var counter         ; byte loop counter for the rel32 writes
var kernel32        ; module name string passed to gpa
var logfile         ; full path of the text log file
var retAddress      ; return address found on the stack at the hook
var calledFrom      ; retAddress - 5 (guessed address of the calling instruction)
var hookedonce      ; 0 until the first hook hit; used to emit the log header once
var isAnsi          ; 1 when CreateFileA was chosen (otherwise left at its initial value)
var startlogging    ; header string written at the top of the log

;_________Script Start *Main* ___________
LCLR ; clear script log window
mov startlogging, " ------------------------------ Start ------------------------------ "
call GetCreateFileVersion
call AllocateMemory
call PrepareAllocatedMemory
Call HookCreateFile
mov hookedonce,0
; Build the log path from a user-supplied base name. The entered text is
; appended verbatim; only the directory and the ".txt" extension are fixed.
mov logfile, "C:\"
ask "Enter name for logfile. Will be saved in C:\ directory. (example: log)"
add logfile, $RESULT ;\log.txt"
add logfile, ".txt"

; Main loop: resume the debuggee and wait for a stop. The log header is
; written (wrt = create/overwrite) only on the first pass; everything else
; uses wrta (append).
_run:
erun
cob                 ; keep the script running when the debuggee hits a breakpoint
cmp hookedonce,0
jne _proceed
wrt logfile, startlogging
log startlogging
_proceed:
sto                 ; step over the instruction at the current stop
; The author's test for "our hook fired" is eip - 5 == CreateFile VA, i.e. eip
; is expected to be the instruction right after the patched 5-byte jmp.
; NOTE(review): the exact eip at this point after erun/sto at the trampoline
; breakpoint is not derivable from the script alone - confirm in the debugger
; before relying on the check.
mov tmp1, eip
sub tmp1, 5
cmp tmp1, createFile
jne _continue
call EvalCreateFileParams
inc hookedonce
_continue:
jmp _run

;_______Functions Section _________

; GetCreateFileVersion
; Prompts for the API variant and sets kernel32/createFile (as strings) and
; isAnsi. Any input other than 1 or 2 shows a message and jumps to _exit.
; Note that isAnsi is only assigned in the ANSI branch; the Unicode branch
; relies on the variable's initial value.
GetCreateFileVersion:
Ask " Choose CreateFile Version. Enter 1 for CreateFileA (ANSI) or 2 for CreateFileW (UNICODE)."
cmp $RESULT,1
jne _Unicode
mov kernel32, "Kernel32.dll"
mov createFile, "CreateFileA"
mov isAnsi,1
jmp _ret
_Unicode:
cmp $RESULT,2
jne _inputerror
mov kernel32, "Kernel32.dll"
mov createFile, "CreateFileW"
jmp _ret
_inputerror:
MSG "Wrong Input. Script will now exit."
jmp _exit
_ret:
Ret
;//----------------------------------

; AllocateMemory
; Allocates 0x10 bytes in the debuggee for the trampoline (5 bytes of copied
; prologue + 5-byte jmp back = 10 bytes needed) and stores its VA in mymemory.
AllocateMemory:
alloc 10
mov mymemory, $RESULT ; save address of new allocated memory
Ret
;//-----------------------------------

; PrepareAllocatedMemory
; Assembles the three instructions that HookCreateFile will overwrite at the
; API entry into the trampoline, so the original prologue still executes:
;   mov edi,edi  (2 bytes)  push ebp (1 byte)  mov ebp,esp (2 bytes)  = 5 bytes
; This assumes the target API really starts with that hot-patch prologue; the
; script does not verify the bytes before patching them.
; mymemory is restored to the buffer base before returning.
PrepareAllocatedMemory:
mov tmp1, mymemory
asm mymemory, "mov edi,edi"
add mymemory, 2
asm mymemory, "push ebp"
inc mymemory
asm mymemory, "mov ebp,esp"
mov mymemory, tmp1
;bp mymemory ; set BP on our mem EP
Ret
;//-----------------------------------

; HookCreateFile
; Resolves the API address (gpa -> $RESULT), then:
;   1. writes `E9 rel32` (jmp mymemory) over the API's first 5 bytes, where
;      rel32 = mymemory - (createFile + 5). It is computed as
;      FFFFFFFF - (createFile - mymemory) - 4, which is the same value mod 2^32.
;   2. writes `E9 rel32` (jmp createFile + 5) at mymemory + 5, where
;      rel32 = (createFile + 5) - (mymemory + 10) = createFile - (mymemory + 5).
;   3. sets a breakpoint at mymemory so the script regains control on every
;      call to the hooked API.
; Each rel32 is emitted one byte at a time, low byte first (little-endian),
; by `fill ..., 1, value` followed by `shr value, 8`.
; mymemory and createFile are restored to the buffer base / API VA on return.
HookCreateFile:
gpa createFile, kernel32
mov createFile, $RESULT
mov tmp1, createFile ; save CreateFile VA
sub createFile, mymemory
mov tmp2, FFFFFFFF
sub tmp2, createFile
sub tmp2,4           ; tmp2 = -(createFile - mymemory) - 5 = rel32 of jmp at API entry
mov createFile, tmp1
fill createFile, 1, E9   ; opcode of jmp rel32
inc createFile
mov counter,4
_loop1:
fill createFile, 1, tmp2 ; emit the next (lowest) byte of the displacement
shr tmp2, 8
inc createFile
dec counter
cmp counter,0
jne _loop1
mov createFile, tmp1 ;restore
mov tmp1, mymemory ;save
mov tmp2, createFile ;save
add mymemory, 5          ; the jmp back goes right after the 5 copied prologue bytes
sub createFile, mymemory ;calc distance: (API+5) - (mymemory+5+5)
fill mymemory, 1, E9
inc mymemory
mov counter,4
_loop:
fill mymemory, 1, createFile
shr createFile, 8
inc mymemory
dec counter
cmp counter,0
jne _loop
sub mymemory,5
bp mymemory              ; breakpoint on the trampoline entry
mov mymemory, tmp1 ;restore
mov createFile,tmp2 ;restore
Ret
;//-------------------------------------------------

; EvalCreateFileParams
; Called when the hook fired. Reads the return address and the first argument
; from the stack and logs them (log window + file).
; Stack layout assumed here: [esp] = saved ebp (from the copied `push ebp`),
; [esp+4] = return address, [esp+8] = lpFileName. NOTE(review): this is only
; correct if exactly one push has happened since the original call - verify
; against where the debuggee actually stops.
; calledFrom = retAddress - 5 assumes a 5-byte `call rel32`; an indirect call
; through the import table (`call [mem]`, 6 bytes) or a register call will make
; this value off by some bytes - treat it as a hint, not as the exact call site.
EvalCreateFileParams:
mov retAddress, [esp+4], 4
log "CreateFile hooked!"
wrta logfile,"CreateFile hooked!"
mov calledFrom, retAddress, 4
sub calledFrom, 5
eval "Called from: {calledFrom}"
log $RESULT
wrta logfile, $RESULT
eval "Return Address: {retAddress}"
log $RESULT
wrta logfile, $RESULT
log " "
wrta logfile, " "
log "Analysing parameters..."
wrta logfile,"Analysing parameters..."
mov param, [esp+8]
mov tmp2,0           ; not used afterwards
cmp isAnsi,1
jne _GetUnicodeString
; Read the file name pointed to by lpFileName as ANSI (gstr) or UTF-16 (gstrw);
; the string ends up in $RESULT. The name is logged as-is, so expect attacker-
; controlled text (including control characters) in the log file.
gstr param, [7FFF]
jmp _showresult
_GetUnicodeString:
gstrw param, [7FFF]
_showresult:
eval "File involved: {$RESULT}"
log $RESULT
wrta logfile, $RESULT
log " " ;just to separate completed logs
log " "
log " ------------------------------------------------------"
log " " ;just to separate completed logs
log " "
wrta logfile," "
wrta logfile," "
wrta logfile, " ------------------------------------------------------"
wrta logfile," "
wrta logfile," "
Ret

;________ Exit _________
; Reached only from _inputerror; the hook is never installed in that case.
_exit: