globalcdll.cpp

Cracker终结者——提供最优秀的软件保护技术

#define WIN32_LEAN_AND_MEAN
//#define UNICODE
#ifdef UNICODE
  #define _UNICODE
#endif
#include <stdio.h>
#include <conio.h>
#include <string.h>
#include <windows.h>
#include <tchar.h>
#include <stdlib.h>
#define AH_STATIC_LINKING  //Hooks_DLL should bring as few modules as possible
#include "ApiHooks.h"      //link all statically (no MSVCRT)

#include "GlobalC.h"
#define IsNT ((int)GetVersion()>0)

#ifdef TRY_DEBUGGEE
  #define SAFE_DEBUGGEE
#endif


/////////////////////////////////////////////////////////
typedef struct _CMDSHOW {
    WORD MustBe2;
    WORD HowToShow;
} CMDSHOW, *LPCMDSHOW;

typedef struct _PASSTR {
    BYTE Length;
    char String[1];
} PASSTR, *LPPASSTR;

typedef struct _LOADPARMS32 {  
    LPSTR lpEnvAddress;
    LPPASSTR lpCmdLine;
    LPCMDSHOW lpCmdShow;
    DWORD dwReserved;
} LOADPARMS32, *LPLOADPARMS32;

LPVOID OldCreateProcessW = NULL;
LPVOID OldCreateProcessA = NULL;
LPVOID OldWinExec        = NULL;
LPVOID OldLoadModule     = NULL;
LPVOID OldLoadLibraryA   = NULL;
LPVOID OldLoadLibraryExA = NULL;
LPVOID OldGetProcAddress = NULL;

BOOL      WINAPI NewCreateProcessInternalW(LPVOID, LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
                         LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR,
                         LPSTARTUPINFOW, LPPROCESS_INFORMATION, LPVOID);
BOOL      WINAPI NewCreateProcessW(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
                         LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR,
                         LPSTARTUPINFOW, LPPROCESS_INFORMATION);
BOOL      WINAPI NewCreateProcessA(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES,
                         LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCSTR,
                         LPSTARTUPINFOA, LPPROCESS_INFORMATION);
UINT      WINAPI NewWinExec(LPCSTR, UINT);
DWORD     WINAPI NewLoadModule(LPCSTR, LPVOID); //LPLOADPARMS32);
HINSTANCE WINAPI NewLoadLibraryA(LPCSTR);
HINSTANCE WINAPI NewLoadLibraryExA(LPCSTR, HANDLE, DWORD);
FARPROC   WINAPI NewGetProcAddress(HMODULE, LPCSTR);

#define NUNHOOKS 256

ADDR_CONTENTS UCPW[NUNHOOKS];
ADDR_CONTENTS UCPA[NUNHOOKS];
ADDR_CONTENTS UWEX[NUNHOOKS];
ADDR_CONTENTS ULOM[NUNHOOKS];
ADDR_CONTENTS ULLA[NUNHOOKS];
ADDR_CONTENTS ULLX[NUNHOOKS];
ADDR_CONTENTS UGPA[NUNHOOKS];

API_UNHOOK UnhookCreateProcessW = {NUNHOOKS, 0, UCPW};
API_UNHOOK UnhookCreateProcessA = {NUNHOOKS, 0, UCPA};
API_UNHOOK UnhookWinExec        = {NUNHOOKS, 0, UWEX};
API_UNHOOK UnhookLoadModule     = {NUNHOOKS, 0, ULOM};
API_UNHOOK UnhookLoadLibraryA   = {NUNHOOKS, 0, ULLA};
API_UNHOOK UnhookLoadLibraryExA = {NUNHOOKS, 0, ULLX};
API_UNHOOK UnhookGetProcAddress = {NUNHOOKS, 0, UGPA};


//Only helper APIs are hooked. Empiry can be applied: specific NT and 9x hook types
//are specified.
//In fact HOOK_ALL_SAFE for all used NT APIs can be replaced by HOOK_OVERWRITE,
//while for used 9x APIs (all > 2GB) by (HOOK_BY_NAME | HOOK_BY_ADDRES + ALL_MODULES).

#define NHOOKS 9
__EXPORT API_HOOK ApiHookChain[NHOOKS] = {
  {HOOKS_DYNAMIC},  //dynamic hook chain for LoadLibrary(Ex)A in Win9x
  {"KERNEL32.DLL", "CreateProcessW", HOOK_ALL_SAFE | HOOK_NOT_9X, &OldCreateProcessW, &UnhookCreateProcessW, NewCreateProcessW},
  {"KERNEL32.DLL", "CreateProcessA", HOOK_ALL_SAFE | HOOK_NOT_NT, &OldCreateProcessA, &UnhookCreateProcessA, NewCreateProcessA},
  {"KERNEL32.DLL", "WinExec",        HOOK_ALL_SAFE | HOOK_NOT_NT, &OldWinExec,        &UnhookWinExec,        NewWinExec},
  {"KERNEL32.DLL", "LoadModule",     HOOK_ALL_SAFE | HOOK_NOT_NT, &OldLoadModule,     &UnhookLoadModule,     NewLoadModule},
  {"KERNEL32.DLL", "LoadLibraryA"  , HOOK_ALL_SAFE | HOOK_NOT_NT, &OldLoadLibraryA,   &UnhookLoadLibraryA,   NewLoadLibraryA},
  {"KERNEL32.DLL", "LoadLibraryExA", HOOK_ALL_SAFE | HOOK_NOT_NT, &OldLoadLibraryExA, &UnhookLoadLibraryExA, NewLoadLibraryExA},
  {"KERNEL32.DLL", "GetProcAddress", HOOK_ALL_SAFE | HOOK_NOT_NT, &OldGetProcAddress, &UnhookGetProcAddress, NewGetProcAddress},
  {HOOKS_END}
};


static TCHAR Hooks_DLL[MAX_PATH];

HANDLE hMS, hMU;

BOOL LikeUnhooked = FALSE;

LONG ThreadsIn = 0;

BOOL AmIDebuggee = FALSE;

BOOL bIsNT = FALSE;

#ifdef SAFE_DEBUGGEE
RCINFO TimeoutRCI;

typedef LONG (WINAPI *TNSIT)(HANDLE, DWORD, LPVOID, DWORD);
TNSIT NSIT = NULL;

DWORD WINAPI HookDebuggee(LPVOID lpRCI) {
  InterlockedIncrement(&ThreadsIn);
  DWORD AHResult = ErrorAWSuccess;
  DWORD PFl;
  PRCINFO pRCI = (PRCINFO)lpRCI;
  do {
    Sleep(1);
    PFl = hGetProcFlags(pRCI->hProcess);
  } while( (!(PFl & (RC_PF_NOOPEN | RC_PF_16TERM))) &&
           (PFl & RC_PF_NOTINITED) );

  if(!(PFl & (RC_PF_NOOPEN | RC_PF_16TERM))) {
    if(NSIT)
      NSIT(pRCI->hThread, 17, NULL, 0);
    SetThreadPriority(pRCI->hThread, THREAD_PRIORITY_HIGHEST);
    ResumeThread(pRCI->hThread);

    // Wait fo result if needed
    // WaitForSingleObject(pRCI->hThread, INFINITE);
    // GetExitCodeThread(pRCI->hThread, &AHResult);
    // if(pRCI->ProcFlags & RC_PF_NATIVE)
    //   pRCI->RtlFreeMem(pRCI->hProcess, pRCI->ThreadStack);
    // if(pRCI->RCFlags & RC_FL_OWNFREE)
    //   pRCI->RtlFreeMem(pRCI->hProcess, pRCI->ThreadBody);
    // ... report result ...
  }
  CloseHandle(pRCI->hThread);
  CloseHandle(pRCI->hProcess);
  LocalFree(lpRCI);
  InterlockedDecrement(&ThreadsIn);
  return(AHResult);
}
#endif
   
/////////////////////////////////////////////////////////
VOID WINAPI HookProcess(HANDLE hProcess, DWORD dwProcessId, const CHAR *CmdLine, BOOL IsUnicode) {
  DWORD i, j, AHResult;
  CHAR  CmdLineA[2048];
  TCHAR Msg[4096*2];

  if(IsUnicode) {
    sprintf(CmdLineA, "%S", CmdLine);
    CmdLine = CmdLineA;
  }
  i = _stprintf(Msg, TEXT("\n******\n0x%.3X='%s':\nHooking 0x%.3X='%hs' .."),
            GetCurrentProcessId(), GetCommandLine(),
            dwProcessId, CmdLine);
  WaitForSingleObject(hMU, INFINITE);
  WriteFile(hMS, Msg, (++i)*sizeof(TCHAR), &j, NULL);
  DWORD pfl = hGetProcFlags(hProcess);
  if(pfl & RC_PF_DEBUGGED) {
#ifdef TRY_DEBUGGEE
    // Target was created right now (is not initialized) and is debugged....
    // NT: Don't wait for result at all (dwMilliseconds = 0).
    LONG ExpTime = 0;
    PRCINFO lpRCI = NULL;

    if(bIsNT) {
#ifdef SAFE_DEBUGGEE
      if(lpRCI = (PRCINFO)LocalAlloc(LPTR, sizeof(RCINFO))) {
        memcpy(lpRCI, &TimeoutRCI, sizeof(RCINFO));
      }
#endif
    }
    else {
      // 9x: Different debuggers -> diferent results
      if(AmIDebuggee)
        // I belong to debug chain (initial process was created with "debug children" allowed:
        // There is a chance remote code can be executed.
        // Exception: MS debuggers (designed for NT mainly), suspend all threads in all debuggees
        //  -> this thread can wait until MS debugger resumes it.
        ExpTime = TRY_DEBUGGEE;
      else 
        // I am debugger:
        // Start thread, but don't wait for so long.
        ExpTime = 127;
    }

    AHResult = hEstablishApiHooks(lpRCI, Hooks_DLL, hProcess, ExpTime);

#ifdef SAFE_DEBUGGEE
    if(lpRCI && (AHResult==ErrorAHTimeOut)) {
      DWORD TID;
      if(!CloseHandle(CreateThread(NULL, 0,  HookDebuggee, lpRCI, 0, &TID))) {
        ResumeThread(lpRCI->hThread);
        CloseHandle(lpRCI->hThread);
        CloseHandle(lpRCI->hProcess);
        LocalFree(lpRCI);
      }
    }
#endif

#else
    AHResult = ErrorDebugged;
#endif
  }
  else {
    AHResult = hEstablishApiHooks(NULL, Hooks_DLL, hProcess, 40000);
  }
  i = _stprintf(Msg, TEXT("%s\n******"), EAHErrorMessages[AHResult-ErrorAHMin+1]);
  WriteFile(hMS, Msg, (++i)*sizeof(TCHAR), &j, NULL); 
  ReleaseMutex(hMU);
}

HMODULE hDLL;

#ifdef __TURBOC__
#pragma argsused
BOOL APIENTRY DllEntryPoint(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
#else
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
#endif
{ 
  DWORD i;
  if(ul_reason_for_call == DLL_PROCESS_ATTACH) {
     hDLL = hModule;
    // full Hooks_DLL name is required for interprocess loading
    GetModuleFileName(hModule, Hooks_DLL, sizeof(Hooks_DLL)/sizeof(TCHAR));
    if((hMS = CreateFile(MSName, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)) == INVALID_HANDLE_VALUE)
      return(FALSE);
    //bypass traverse checking
    HINSTANCE hntdll;
    BYTE WasEn;
    typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);
    TRAP RAP = NULL;
    if(hntdll = GetModuleHandle(_T("ntdll.dll")))
      if(RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege"))
        RAP(23, TRUE, 0, &WasEn);
    if(!(hMU = OpenMutex(SYNCHRONIZE, FALSE, MUName)))
      hMU = OpenMutex(SYNCHRONIZE, FALSE, BaseMUName);
    if(!hMU) {
      CloseHandle(hMS);
      return(FALSE);
    }
    if(RAP)
      RAP(23, WasEn, 0, &WasEn);
    AmIDebuggee = hGetProcFlags(GetCurrentProcess()) & RC_PF_DEBUGGED;
    bIsNT = IsNT;
#ifdef SAFE_DEBUGGEE
    memcpy(&TimeoutRCI, GetDefaultRCInfo(), sizeof(RCINFO));
    TimeoutRCI.RCFlags = RC_FL_OWNTIMEOUT;
    if(hntdll)
      NSIT = (TNSIT)GetProcAddress(hntdll, "NtSetInformationThread");
#endif
    HINSTANCE hK32;
    if(hK32 = GetModuleHandle(_T("KERNEL32.dll")))
      if(GetProcAddress(hK32, "CreateProcessInternalW")) {
        ApiHookChain[1].ApiNameOrOrd = "CreateProcessInternalW";
        ApiHookChain[1].HookAddress = NewCreateProcessInternalW;
      } 
      
  }
  else
    if(ul_reason_for_call == DLL_PROCESS_DETACH) {
      CloseHandle(hMU);
      CloseHandle(hMS);
      if(!lpReserved)