#define WIN32_LEAN_AND_MEAN
#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
#include <Win32Thread.h>
#include "Add_DLL.h"
// Switch the CSRSS server DLL named in the "Windows" value of
// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
// between winsrv and BaseSrvDLLName (both defined outside this block).
//
// Enable == TRUE : ensure %SystemRoot%\SYSTEM32\<BaseSrvDLLName>.dll exists
//                  (copied from the current directory if missing), then
//                  rewrite "ServerDll=winsrv:ConServerDllInitialization" so
//                  it names BaseSrvDLLName instead.
// Enable == FALSE: the reverse replacement, no file handling.
//
// Returns TRUE when RegSetValueEx succeeded, and also TRUE when the value was
// read but contained no matching ServerDll entry (nothing is written then).
// Returns FALSE when the key cannot be opened, the value is not REG_EXPAND_SZ,
// or (Enable only) the DLL is absent from SYSTEM32 after the copy attempt.
//
// Defender note: the persistent artefacts of this routine are the modified
// SubSystems\Windows value and the DLL dropped into SYSTEM32; both are
// visible to registry/file auditing and are the places to check on a host.
BOOL WINAPI AddBoot(BOOL Enable) {
    if(Enable) {
        TCHAR DllSrvName[MAX_PATH];
        // Expand "%SystemRoot%\SYSTEM32\<BaseSrvDLLName>.dll"; the string
        // pieces are adjacent literals concatenated by the compiler.
        ExpandEnvironmentStrings(_T("%SystemRoot%\\SYSTEM32\\")BaseSrvDLLName _T(".dll"), DllSrvName, MAX_PATH);
        // READ_CONTROL is enough to probe for existence without reading data.
        HANDLE hDll = CreateFile(DllSrvName, READ_CONTROL, 0, NULL, OPEN_EXISTING, 0, NULL);
        if((hDll == INVALID_HANDLE_VALUE) && (GetLastError() == ERROR_FILE_NOT_FOUND)) {
            // Source path is relative, so the copy is taken from the process's
            // current directory; bFailIfExists=TRUE never overwrites.
            // The CopyFile result is not checked; the re-open below decides.
            CopyFile(BaseSrvDLLName _T(".dll"), DllSrvName, TRUE);
            hDll = CreateFile(DllSrvName, READ_CONTROL, 0, NULL, OPEN_EXISTING, 0, NULL);
        }
        if(hDll == INVALID_HANDLE_VALUE)
            return(FALSE);
        else
            CloseHandle(hDll);
    }
    HKEY hSubSysKey;
    TCHAR CsrCL[1024] = {'\0'};
    UINT n = 0;                       // unused in this block
    // In/out size in BYTES: RegQueryValueEx overwrites it with the stored
    // length, and that same length is passed back to RegSetValueEx below.
    DWORD CsrCLSize = sizeof(CsrCL);
    LPCTSTR NewSrvName, OldSrvName;
    if(Enable) {
        NewSrvName = BaseSrvDLLName;
        OldSrvName = winsrv;
    }
    else {
        NewSrvName = winsrv;
        OldSrvName = BaseSrvDLLName;
    }
    // Any value other than ERROR_SUCCESS means "not written" until proven otherwise.
    LONG Result = ERROR_SUCCESS+1;
    if(RegOpenKey(HKEY_LOCAL_MACHINE, _T("SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems"), &hSubSysKey) == ERROR_SUCCESS) {
        DWORD pREG_EXPAND_SZ;             // receives the value's type
        if((RegQueryValueEx(hSubSysKey, _T("Windows"), NULL, &pREG_EXPAND_SZ, (PBYTE)CsrCL, &CsrCLSize) == ERROR_SUCCESS)
        && (pREG_EXPAND_SZ == REG_EXPAND_SZ)) {
            // Case-insensitive search is done on a lower-cased copy so that the
            // offset found there can be applied to the original CsrCL.
            // NOTE(review): registry strings are not guaranteed NUL-terminated
            // when the data exactly fills the buffer; _tcscpy relies on it.
            TCHAR lwCsrCL[1024];
            _tcscpy(lwCsrCL, CsrCL);
            _tcslwr(lwCsrCL);
            // NOTE(review): fixed 80-TCHAR buffer filled by an unbounded
            // _stprintf; the format text alone is ~44 chars, so a long
            // OldSrvName overflows it. _sntprintf with sizeof would bound it.
            TCHAR lwStringOldSrvName[80];
            _stprintf(lwStringOldSrvName, _T("serverdll=%s:conserverdllinitialization"), OldSrvName);
            if(LPTSTR srvname = _tcsstr(lwCsrCL, lwStringOldSrvName)) {
                // Overwrite the DLL name in place, right after "serverdll=".
                // The (sizeof(literal)-sizeof(TCHAR))/sizeof(TCHAR) term is the
                // literal's length in TCHARs without its terminator.
                // NOTE(review): this is a same-length overwrite — the tail of
                // the string is not shifted and CsrCLSize is not adjusted, so it
                // only yields a well-formed value when NewSrvName and OldSrvName
                // have equal length. TODO confirm winsrv vs BaseSrvDLLName.
                memcpy(CsrCL+(srvname-lwCsrCL)+(sizeof(_T("serverdll="))-sizeof(TCHAR))/sizeof(TCHAR), NewSrvName, _tcslen(NewSrvName)*sizeof(TCHAR));
                Result = RegSetValueEx(hSubSysKey, _T("Windows"), NULL, REG_EXPAND_SZ, (PBYTE)CsrCL, CsrCLSize);
            }
            else {
                // No matching entry: treated as success without writing anything.
                Result = ERROR_SUCCESS;
            }
        }
        RegCloseKey(hSubSysKey);
    }
    return(Result == ERROR_SUCCESS);
}
// Append `Dll` (followed by Delimiter) to the REG_SZ list stored in the
// value Add_DLL_Value under HKLM\<Add_DLL_Path>, creating the key if needed.
// Add_DLL_Path, Add_DLL_Value, Delimiter and DLLNAMES_SIZE come from Add_DLL.h.
//
// Returns TRUE only when RegSetValueEx succeeded; FALSE when the key cannot
// be created, or when the resulting list would not fit in DLLNAMES_SIZE
// TCHARs (in which case nothing is written).
//
// Defender note: this registry value is the list the injected server DLL is
// expected to consume; its creation/modification is the auditable artefact.
BOOL WINAPI AddReg(LPTSTR Dll) {
    LONG Result = ERROR_SUCCESS+1;    // "not written" until RegSetValueEx runs
    HKEY hDLLKey;
    if(RegCreateKey(HKEY_LOCAL_MACHINE, Add_DLL_Path, &hDLLKey) == ERROR_SUCCESS) {
        DWORD pREG_SZ, n=0;           // n: length in TCHARs, later in bytes
        TCHAR DLLNames[DLLNAMES_SIZE];
        DWORD DLLNamesSize = sizeof(DLLNames);
        // Existing list (if any) is loaded so the new name can be appended.
        // If the query fails, n stays 0 and the buffer is written from index 0.
        if((RegQueryValueEx(hDLLKey, Add_DLL_Value, NULL, &pREG_SZ, (PBYTE)DLLNames, &DLLNamesSize) == ERROR_SUCCESS)
        && (pREG_SZ == REG_SZ)) {
            n = _tcslen(DLLNames);
            if(n) {
                // Ensure the existing list ends with the delimiter before appending.
                if(DLLNames[n-1] != Delimiter)
                    DLLNames[n++] = Delimiter;
            }
        }
        // _stprintf returns the number of TCHARs written (no terminator); +1
        // accounts for the NUL so the size passed to RegSetValueEx includes it.
        // NOTE(review): this write is unbounded and happens BEFORE the size
        // check below, so an existing list close to DLLNAMES_SIZE plus a long
        // `Dll` overruns DLLNames; the check only prevents the registry write.
        n += _stprintf(&DLLNames[n], _T("%s%c"), Dll, Delimiter) +1;
        n *= sizeof(TCHAR);           // RegSetValueEx takes a byte count
        if(n < sizeof(DLLNames))
            Result = RegSetValueEx(hDLLKey, Add_DLL_Value, NULL, REG_SZ, (PBYTE)DLLNames, n);
        RegCloseKey(hDLLKey);
    }
    return(Result == ERROR_SUCCESS);
}
// Entry point.  Command forms (see the usage string below):
//   Add_DLL BootOn | BootOff          -> AddBoot(TRUE/FALSE)
//   Add_DLL AddReg <DllName>          -> AddReg(DllName)
//   Add_DLL <DllName | Start>         -> act on this session's csrss.exe
//   Add_DLL <SessionId> <DllName | Start> -> act on that session's csrss.exe
// For the last two forms the helper library (LoadAndCall, ProcessName2PID,
// GetSessionId, HookApi, InitWin32Thread) does the work; only their call
// sites are visible here.  The function is declared BOOL rather than int,
// so the process exit code is 1 on success and 0 on failure.
BOOL _tmain(int argc, TCHAR *argv[]) {
    if(argc < 2) {
        _tprintf(_T("Usage: Add_DLL [SessionId | AddReg | BootOn | BootOff] <DllName | Start>"));
        return(FALSE);
    }
    if(argc == 2) {
        if(_tcsicmp(_T("BootOn"), argv[1]) == 0)
            return(AddBoot(TRUE));
        if(_tcsicmp(_T("BootOff"), argv[1]) == 0)
            return(AddBoot(FALSE));
    }
    // RtlAdjustPrivilege(Privilege=20, Enable=TRUE, CurrentThread=FALSE, &WasEn)
    // invoked indirectly through LoadAndCall in this process.  Privilege
    // constant 20 is SE_DEBUG_PRIVILEGE; the result is not checked.
    DWORD WasEn;
    DWORD RAPParams[4] = {20, TRUE, 0, (DWORD)&WasEn};
    LoadAndCall(NULL, _T("ntdll.dll"), GetCurrentProcessId(), 0, 0, _T("RtlAdjustPrivilege"), 4, RAPParams);
    LPTSTR Dll;
    DWORD ThisSeID = GetSessionId(PW_THISSESSION);
    DWORD TargetSeID = 0xFFFFFFFF;    // stays 0xFFFFFFFF if argv[1] does not parse
    if(argc > 2) {
        if(_tcsicmp(argv[1], _T("AddReg")) == 0) {
            return(AddReg(argv[2]));
        }
        Dll = argv[2];
        // NOTE(review): the _stscanf result is ignored; a non-numeric argv[1]
        // leaves TargetSeID at its sentinel and is only caught by the
        // ProcessName2PID check further down.
        _stscanf(argv[1], _T("%u"), &TargetSeID);
    }
    else {
        Dll = argv[1];
        TargetSeID = ThisSeID;
    }
    // "<session>/csrss.exe" is the lookup key understood by ProcessName2PID
    // (defined outside this file); 32 TCHARs comfortably fits a 10-digit id.
    TCHAR SesCsrName[32];
    _stprintf(SesCsrName, _T("%u/csrss.exe"), TargetSeID);
    DWORD CsrPID = ProcessName2PID(SesCsrName);
    if(CsrPID < PW_SESERROR) {
        if(ThisSeID != TargetSeID) {
            // Cross-session case: the helper library's hook of
            // CsrClientCallServer is installed before calling into the target.
            // What the hook changes is defined outside this file.
            InitWin32Thread();
            HookApi(_T("ntdll.dll"), _T("CsrClientCallServer"), HOOK_OVERWRITE,
                &OldxxxCsrClientCallServer, NULL, NewxxxCsrClientCallServer, NULL);
        }
    }
    else {
        _tprintf(_T("Invalid session id!"));
        return(FALSE);
    }
    // Build "<directory of this executable>\<BaseSrvDLLName>" as a fallback
    // load path for the second LoadAndCall below.
    TCHAR FullDLLName[MAX_PATH];
    DWORD n = GetModuleFileName(NULL, FullDLLName, MAX_PATH);
    // NOTE(review): if GetModuleFileName returns 0, --n wraps the unsigned
    // index and the backwards scan reads outside FullDLLName; the return
    // value is not checked here.
    for(--n; FullDLLName[n] != '\\'; --n);
    _tcscpy(&FullDLLName[n+1], BaseSrvDLLName);
#ifdef UNICODE
#define IsUni TRUE
#else
#define IsUni FALSE
#endif
    // Parameter block handed to the target: [0] = character-width flag,
    // [1] = LACMEMPointer+8 (constant from the helper library — presumably
    // the address the callee uses to locate the string that follows; TODO
    // confirm), [2..] = the DLL name as a TCHAR string.
    // NOTE(review): _tcscpy is unbounded; `Dll` comes straight from argv and
    // may exceed the MAX_PATH TCHARs reserved after Params[2].
    DWORD Params[MAX_PATH*sizeof(TCHAR)/sizeof(DWORD)+2] = {IsUni, LACMEMPointer+8};
    _tcscpy((LPTSTR)&Params[2], Dll);
    // "Start" means load the server DLL without calling a named export;
    // otherwise the export named by Add_DLL_ApiName is invoked.
    LPTSTR CalledApi;
    if(_tcsicmp(Dll, _T("Start")) == 0)
        CalledApi = NULL;
    else
        CalledApi = Add_DLL_ApiName;
    // First attempt uses the bare BaseSrvDLLName (10 s timeout); if the helper
    // reports ErrorAMModule, retry with the full path next to this executable
    // (5 s timeout).  The result of the retry is not checked and the function
    // reports TRUE regardless.
    if(LoadAndCall(NULL, BaseSrvDLLName, CsrPID, 10000, 1, CalledApi,
        sizeof(Params)/sizeof(DWORD), Params) == ErrorAMModule)
        LoadAndCall(NULL, FullDLLName, CsrPID, 5000, 1, CalledApi,
            sizeof(Params)/sizeof(DWORD), Params);
    return(TRUE);
}