#define WIN32_LEAN_AND_MEAN
//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
#include <Win32Thread.h>
// Copies the ANSI string `str` (including its terminating NUL) into the DWORD
// array at `pdw` and returns how many DWORDs the copy occupies, rounded up.
// Used to append a string to a LoadAndCall parameter block.
//
// Returns 0 and touches nothing when `str` is NULL.
// Caller contract: `pdw` must provide at least strlen(str)+1 bytes — there is
// no destination size here, so the caller has to bound `str` itself.
DWORD WINAPI AStr2DWORDs(PSTR str, PDWORD pdw) {
    if (!str)
        return 0;
    strcpy((PSTR)pdw, str);
    // bytes actually written, NUL included
    const size_t cbUsed = strlen(str) + sizeof(CHAR);
    // round up to whole DWORD slots
    return (DWORD)((cbUsed + sizeof(DWORD) - 1) / sizeof(DWORD));
}
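// Address of the scratch area inside the remote thread body.  After a
// LoadAndCall(&rci, ...) the data the remote API produced (console title,
// bytes read by _lread) is read back from ThreadBody + LACMEMOffset.
// NOTE(review): LACMEMOffset/LACMEMPointer/LACSTKPointer come from
// PrcWorks.h (not visible here); they look like markers LoadAndCall rewrites
// to the remote memory/stack addresses — confirm against that header.
static LPVOID RemoteScratch(const RCINFO& rci) {
    return reinterpret_cast<LPBYTE>(rci.ThreadBody) + LACMEMOffset;
}

// Releases what a LoadAndCall(&rci, ...) under RC_FL_OWNFREE leaves to us:
// the remote thread body and our handle to the target process.
static void ReleaseRemote(RCINFO& rci) {
    rci.RtlFreeMem(rci.hProcess, rci.ThreadBody);
    CloseHandle(rci.hProcess);
}

// Entry point.  Usage: RemoteIO <ProcessName>
//
// Resolves <ProcessName> (environment variables expanded) to a PID with
// ProcessName2PID, then drives that process's console from the outside via
// LoadAndCall (PrcWorks.h): gives it a console if it has none, sets a title,
// writes a prompt to its STDOUT, reads one _lread's worth of input from its
// STDIN, copies the bytes back with ReadProcessMemory and prints them here.
// A pre-existing console gets its original title restored at the end.
//
// Side effects worth knowing about: CsrClientCallServer is hooked in *this*
// process for the whole run, SeDebugPrivilege is enabled for this process
// (RtlAdjustPrivilege(20)), and every LoadAndCall executes code inside the
// target — all of it is cross-process work that shows up as remote thread
// creation and process-memory access on the target.
VOID _tmain(int argc, TCHAR** argv) {
    InitWin32Thread();
    // Old/New thunks are declared in the included headers (not visible here).
    HookApi(_T("ntdll.dll"), _T("CsrClientCallServer"), HOOK_OVERWRITE, &OldxxxCsrClientCallServer,
            NULL, NewxxxCsrClientCallServer, NULL);
    if (argc != 2)
        _tprintf(_T("Usage: RemoteIO <ProcessName>"));
    else {
        TCHAR ProcessName[MAX_PATH];
        // Returns the characters stored incl. NUL; 0 means failure and a value
        // above MAX_PATH means the expansion did not fit.  In both cases
        // ProcessName is not a usable string, so do not hand it to
        // ProcessName2PID — report "can't find" instead.
        const DWORD cchName = ExpandEnvironmentStrings(argv[1], ProcessName, MAX_PATH);
        const BOOL nameOk = (cchName != 0) && (cchName <= MAX_PATH);

        // RtlAdjustPrivilege is undocumented, hence resolved at run time.
        // Privilege 20 is SE_DEBUG_PRIVILEGE, which is what lets us open
        // another process for memory access and thread creation.  A failure
        // here is ignored on purpose; presumably it surfaces later as a
        // ProcessName2PID/LoadAndCall failure.
        typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);
        BYTE WasEn = 0;
        HINSTANCE hntdll = GetModuleHandle(_T("ntdll.dll"));
        TRAP RAP = hntdll ? reinterpret_cast<TRAP>(GetProcAddress(hntdll, "RtlAdjustPrivilege")) : NULL;
        if (RAP)
            RAP(20, TRUE, 0, &WasEn);

        DWORD PID = nameOk ? ProcessName2PID(ProcessName) : PW_PIDERROR;
        if ((PID != PW_SESERROR) && (PID != PW_PIDERROR) && (PID != PW_MEMERROR)) {
#define DLLName _T("KERNEL32.DLL")
            // RC_FL_OWNFREE: we free the remote body and close hProcess
            // ourselves (ReleaseRemote) after reading the results back.
            RCINFO lRCI;
            memcpy(&lRCI, GetDefaultRCInfo(), sizeof(RCINFO));
            lRCI.RCFlags = RC_FL_OWNFREE;

            // AllocConsole succeeds only when the target has no console yet;
            // a non-zero result is taken to mean "GUI process, console is
            // ours to free", zero to mean "it already had one".
            BOOL WasGUI = LoadAndCall(NULL, DLLName, PID, INFINITE, 1, _T("AllocConsole"), 0, NULL);

            // Largest title (incl. NUL) that fits behind the pointer slot of
            // the MAX_PATH/sizeof(DWORD)-DWORD parameter block used to restore
            // it below; anything longer would overrun that block.
            const size_t kTitleRestoreBytes = (MAX_PATH / sizeof(DWORD) - 1) * sizeof(DWORD);
            CHAR ConTitleA[MAX_PATH] = "";
            if (!WasGUI) {
                // Save the existing title so it can be put back afterwards.
                DWORD GetConsoleTitleAPars[2] = {LACMEMPointer + 0, MAX_PATH};
                LoadAndCall(&lRCI, DLLName, PID, INFINITE, 0, _T("GetConsoleTitleA"), 2, GetConsoleTitleAPars);
                if (!ReadProcessMemory(lRCI.hProcess, RemoteScratch(lRCI), ConTitleA, MAX_PATH, NULL))
                    ConTitleA[0] = '\0';
                ReleaseRemote(lRCI);
                // Remote bytes are copied verbatim: force a terminator, both
                // so AStr2DWORDs's strcpy stops and so the copy fits the
                // restore block.
                ConTitleA[kTitleRestoreBytes - 1] = '\0';
            }

            // Parameter 0 points at the string that follows it on the remote
            // stack; the multi-char constants are "Hello Coder!" packed
            // little-endian, four bytes per DWORD, then a NUL DWORD.
            DWORD SetConsoleTitleAPars[5] = {LACSTKPointer + sizeof(DWORD), 'lleH', 'oC o', '!red', '\0'};
            LoadAndCall(NULL, DLLName, PID, INFINITE, 0, _T("SetConsoleTitleA"), 5, SetConsoleTitleAPars);

            // _lwrite(STD_OUTPUT_HANDLE, <16 bytes on the remote stack>, 16):
            // "Type something!\n" packed the same way.
            DWORD _lwritePars[7] = {STD_OUTPUT_HANDLE, LACSTKPointer + 3 * sizeof(DWORD), 16, 'epyT', 'mos ', 'ihte', '\n!gn'};
            LoadAndCall(NULL, DLLName, PID, INFINITE, 0, _T("_lwrite"), 7, _lwritePars);

            // _lread(STD_INPUT_HANDLE, <remote scratch>, LACMEMSize); the byte
            // count it returns comes back as LoadAndCall's result.
            DWORD _lreadPars[3] = {STD_INPUT_HANDLE, LACMEMPointer + 0, LACMEMSize};
            DWORD nAChars = LoadAndCall(&lRCI, DLLName, PID, INFINITE, 0, _T("_lread"), 3, _lreadPars);
            // "<NOTHING>" is what gets printed if the copy-back fails.
            CHAR LocalBuffer[LACMEMSize] = "<NOTHING>";
            ReadProcessMemory(lRCI.hProcess, RemoteScratch(lRCI), LocalBuffer, LACMEMSize, NULL);
            ReleaseRemote(lRCI);

            if (WasGUI)
                LoadAndCall(NULL, DLLName, PID, INFINITE, 0, _T("FreeConsole"), 0, NULL);
            else {
                // Restore the saved title: slot 0 points at the string that
                // AStr2DWORDs lays out from slot 1 onwards (ConTitleA was
                // truncated above so this cannot overrun the block).
                DWORD SetConsoleTitleAPars2[MAX_PATH / sizeof(DWORD)] = {LACSTKPointer + sizeof(DWORD)};
                LoadAndCall(NULL, DLLName, PID, INFINITE, 0, _T("SetConsoleTitleA"),
                            AStr2DWORDs(ConTitleA, &SetConsoleTitleAPars2[1]) + 1, SetConsoleTitleAPars2);
            }

            // _lread returns HFILE_ERROR (-1) on failure; as a DWORD that is
            // above LACMEMSize and gets clamped just like an over-long count,
            // so the printf below never reads past LocalBuffer.
            if (nAChars > LACMEMSize)
                nAChars = LACMEMSize;
            printf("User typed:\n%.*s", static_cast<int>(nAChars), LocalBuffer);
        }
        else
            _tprintf(_T("Can't find '%s'"), argv[1]);
    }
    QuitWin32Thread();
    getch();
}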