#define WIN32_LEAN_AND_MEAN
#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#define AH_STATIC_LINKING
#include <ApiHooks.h>
#define PW_STATIC_LINKING
#include <PrcWorks.h>
#include "Add_DLL.h"
// Message block that CsrCreateProcess receives for a newly created process.
// Only PID, TID and dwCreationFlags are identified here; Unk08/Unk0C are
// placeholders kept for offset fidelity.  NOTE(review): this is an
// undocumented layout — confirm the offsets against the OS build being
// targeted before trusting any field.
typedef struct _NEWPROCMSG {
DWORD PID;
DWORD TID;
DWORD Unk08;
DWORD Unk0C;
DWORD dwCreationFlags;
} NEWPROCMSG, *PNEWPROCMSG;
// Replacement for CSRSRV.dll!CsrCreateProcess, installed through ApiHookChain.
LONG WINAPI NewCsrCreateProcess(HANDLE, HANDLE, PNEWPROCMSG, PVOID, DWORD, PVOID);
// Unhook bookkeeping owned by the ApiHooks runtime.  CurNoAddr (the second
// field) starts at 0; DllMain uses "still 0" to decide that no hook has been
// established yet.
#define NUNHOOKS 1
ADDR_CONTENTS UCCP[NUNHOOKS];
API_UNHOOK UnhookCsrCreateProcess = {NUNHOOKS, 0, UCCP};
// Exported hook table consumed by the ApiHooks runtime: one entry redirecting
// basesrv.dll's import of CSRSRV.dll!CsrCreateProcess to NewCsrCreateProcess.
// Patching this inside the CSR server presumably puts every process created
// in the session through the hook, so from a defender's view the exported
// ApiHookChain symbol and a modified CsrCreateProcess import in basesrv.dll
// are the observable integrity indicators.
#define NHOOKS 3
__EXPORT API_HOOK ApiHookChain[NHOOKS] = {
{HOOKS_DYNAMIC},
{"CSRSRV.dll", "CsrCreateProcess", HOOK_BY_NAME, "basesrv.dll", &UnhookCsrCreateProcess, NewCsrCreateProcess},
{HOOKS_END}
};
// Multi-string of DLL paths (each entry NUL-terminated, list closed by an
// extra NUL) that the hooks load into target processes.  NextDLLName is the
// character offset at which Add_DLL appends the next entry.  Add_DLL writes
// under Add_DLL_Lock; NewCsrCreateProcess and HookWinlogon read the list
// without taking the lock.
TCHAR DLLNames[DLLNAMES_SIZE];
DWORD NextDLLName = 0;
RCINFO g_RCI = {0};             // shared context handed to every PrcWorks/ApiHooks call
CRITICAL_SECTION Add_DLL_Lock;  // initialised in DllMain(DLL_PROCESS_ATTACH), never deleted
DWORD cpid;                     // PID of the process hosting this DLL (set in DllMain)
// Append one DLL path to the DLLNames multi-string and hook it into every
// process of the current session.
//   IsUnicode  - whether _DllName is a wide string (TRUE) or narrow (FALSE),
//                independent of this build's TCHAR width.
//   _DllName   - path of the DLL to register.
// Returns ErrorAWSuccess unconditionally — a name that does not fit in
// DLLNames is silently dropped, so the caller cannot detect the failure.
DWORD WINAPI Add_DLL(BOOL IsUnicode, LPCTSTR _DllName) {
TCHAR DllName[MAX_PATH];
// NOTE(review): unbounded copy into a MAX_PATH buffer (CERT STR31-C).  This
// first copy also runs even when IsUnicode disagrees with the build, i.e.
// the bytes are scanned at the wrong character width before the conversion
// below overwrites the result.
_stprintf(DllName, _T("%s"), _DllName);
#ifdef UNICODE
// Narrow input on a Unicode build: MSVC's %S converts the other width.
if(!IsUnicode)
swprintf(DllName, L"%S", _DllName);
#else
// Wide input on an ANSI build.
if(IsUnicode)
sprintf(DllName, "%S", _DllName);
#endif
// Room check for entry + its NUL + the list-closing NUL.  NOTE(review): the
// check reads NextDLLName outside Add_DLL_Lock, so two concurrent callers can
// both pass it and the second append can run past the buffer (TOCTOU).
if(NextDLLName+_tcslen(DllName)+1 < sizeof(DLLNames)/sizeof(TCHAR)) {
EnterCriticalSection(&Add_DLL_Lock);
// NOTE(review): DllName is used as the format string (CERT FIO30-C); a '%'
// in a configured path is interpreted rather than copied.  The intended
// form is _stprintf(&DLLNames[NextDLLName], _T("%s"), DllName).
NextDLLName += _stprintf(&DLLNames[NextDLLName], DllName)+1;
DLLNames[NextDLLName] ='\0';  // keep the multi-string closed for lock-free readers
LeaveCriticalSection(&Add_DLL_Lock);
// Enumerate the session's processes and hook the new DLL into each one.
// 2000 is presumably a millisecond timeout for EstablishApiHooks — verify
// against PrcWorks.h.  Neither call's result is checked.
DWORD PIDs[256];
DWORD nPIDs = BuildPIDList(PIDs, sizeof(PIDs)/sizeof(DWORD), PW_THISSESSION);
if(nPIDs < PW_SESERROR)
for(UINT i = 0; i < nPIDs; i++)
EstablishApiHooks(&g_RCI, DllName, PIDs[i], 2000);
}
return(ErrorAWSuccess);
}
// Hook body for CSRSRV.dll!CsrCreateProcess.  Forwards to the original,
// then loads every entry of DLLNames into the new process identified by
// hProcess.  Only hProcess is used directly; the remaining parameters exist
// so the frame matches the original's six-argument signature.
// Returns whatever the original CsrCreateProcess returned.
LONG WINAPI NewCsrCreateProcess(HANDLE hProcess, HANDLE hThread, PNEWPROCMSG pNewProcMsg, PVOID pNtSession, DWORD Par4, PVOID Par5) {
// ORIGFN is an ApiHooks.h macro; the (1, 6, &hProcess) form presumably calls
// the original with six arguments taken from the parameter area starting at
// hProcess — confirm in ApiHooks.h.  Because of that, parameter order and
// count must not be changed.  NOTE(review): Result is not inspected before
// hooking, so injection is attempted even when the original call failed.
LONG Result = ORIGFN(1, 6, &hProcess);
// Walk the multi-string without Add_DLL_Lock; relies on Add_DLL keeping the
// closing NUL in place while it appends.
for(LPTSTR p = DLLNames; p[0] != '\0'; p += _tcslen(p)+1)
// A process that is both being debugged and not yet initialised gets a
// zero timeout (the original author's "mini SAFE_DEBUGGEE"); otherwise the
// same 2000 value used elsewhere, presumably milliseconds.  The flag query is
// repeated per entry rather than hoisted out of the loop.
if((hGetProcFlags(hProcess) & (RC_PF_DEBUGGED | RC_PF_NOTINITED)) == (RC_PF_DEBUGGED | RC_PF_NOTINITED))
hEstablishApiHooks(&g_RCI, p, hProcess, 0); // mini SAFE_DEBUGGEE
else
hEstablishApiHooks(&g_RCI, p, hProcess, 2000);
return(Result);
}
// Thread entry started by ConServerDllInitialization: wait until winlogon.exe
// exists, then load every DLLNames entry into it.
//   Null - unused thread parameter.
// Returns winlogon's PID as the thread exit code.
DWORD WINAPI HookWinlogon(PVOID Null) {
DWORD wpid;
// Poll every 127 ms until the process is found.  There is no give-up
// condition: if winlogon.exe never appears, this thread spins forever.
while((wpid = ProcessName2PID(_T("winlogon.exe"))) == PW_PIDERROR)
Sleep(127);
// Same lock-free walk of the multi-string as NewCsrCreateProcess; results of
// EstablishApiHooks are not checked.
for(LPTSTR p = DLLNames; p[0] != '\0'; p += _tcslen(p)+1)
EstablishApiHooks(&g_RCI, p, wpid, 2000);
return(wpid);
}
// DLL entry point.  On process attach: records the host PID, reads the list
// of DLLs to inject from the registry value HKLM\<Add_DLL_Path>\<Add_DLL_Value>
// (both names come from Add_DLL.h), registers each entry through Add_DLL, and
// installs ApiHookChain in the host if it has not been installed already.
// That registry value is the configuration and persistence point of this
// component; monitoring writes to it is the natural detection handle.
// Always returns TRUE.  Nothing is torn down on DLL_PROCESS_DETACH, so
// Add_DLL_Lock is never deleted.
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
if(ul_reason_for_call == DLL_PROCESS_ATTACH) {
cpid = GetCurrentProcessId();
InitializeCriticalSection(&Add_DLL_Lock);
DisableThreadLibraryCalls(hModule);
HKEY hDLLKey;
// Registry I/O and cross-process hooking from inside DllMain run under the
// loader lock; the original author accepted that.
if(RegOpenKey(HKEY_LOCAL_MACHINE, Add_DLL_Path, &hDLLKey) == ERROR_SUCCESS) {
DWORD lNextDLLName = 0;        // start of the entry currently being split off
TCHAR lDLLNames[DLLNAMES_SIZE];
DWORD lDLLNamesSize = sizeof(lDLLNames);  // in: buffer bytes; out: bytes stored
DWORD pREG_SZ;                 // receives the value type; only REG_SZ is accepted
// NOTE(review): RegQueryValueEx does not guarantee NUL-termination, and a
// value that fills the buffer leaves no room for the Delimiter + NUL written
// below (indices len and len+1).  The buffer would need two spare TCHARs and
// an explicit terminator after the query.
if((RegQueryValueEx(hDLLKey, Add_DLL_Value, NULL, &pREG_SZ, (PBYTE)lDLLNames, &lDLLNamesSize) == ERROR_SUCCESS)
&& (pREG_SZ == REG_SZ)) {
lDLLNamesSize = _tcslen(lDLLNames);  // reused: now a character count
if(lDLLNamesSize) {
// Ensure the list ends with a Delimiter so the split loop emits the last entry.
if(lDLLNames[lDLLNamesSize-1] != Delimiter) {
lDLLNames[lDLLNamesSize] = Delimiter;
lDLLNames[lDLLNamesSize+1] = '\0';
}
// Split on Delimiter in place and hand each piece to Add_DLL.  The registry
// string is in this build's TCHAR width, hence IsUni follows UNICODE.
for(UINT i=0; lDLLNames[i] != '\0'; i++) {
if(lDLLNames[i] == Delimiter) {
lDLLNames[i] = '\0';
#ifdef UNICODE
#define IsUni TRUE
#else
#define IsUni FALSE
#endif
Add_DLL(IsUni, &lDLLNames[lNextDLLName]);
lNextDLLName = i+1;
}
}
}
}
RegCloseKey(hDLLKey);
}
// CurNoAddr still 0 means the ApiHooks loader did not install the chain when
// it loaded this DLL, so install it in the host process ourselves.
if(UnhookCsrCreateProcess.CurNoAddr == 0) // if ntgsrv wasn't loaded using EAH
EstablishApiHooks(&g_RCI, (LPCTSTR)ApiHookChain, cpid, 0);
}
return(TRUE);
}
// Server-DLL initialisation export.  The name suggests this module is
// registered as a CSR server DLL in place of the console server, with
// LoadAndCall forwarding to the real winsrv.dll's initialisation — both
// winsrv and winsrvApi are defined outside this chunk (presumably Add_DLL.h),
// so confirm there.  Also starts the HookWinlogon thread.
// Returns whatever LoadAndCall returns.
LONG WINAPI ConServerDllInitialization(PVOID ServerInfo) {
// The thread handle is closed immediately; the thread keeps running.  A NULL
// from CreateThread is not checked — CloseHandle(NULL) simply fails.
CloseHandle(CreateThread(NULL, 0, HookWinlogon, NULL, 0, NULL));
return(LoadAndCall(&g_RCI, winsrv, cpid, 0, 1, winsrvApi, 1, &ServerInfo));
}