#ifndef _MKWIN32_
#define _MKWIN32_ 1
#define MKWIN32_NTDLL TEXT("ntdll.dll")
#ifndef STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL 0xC0000001
#endif
#ifndef _PRCWORKS_
#include <PrcWorks.h>
#endif
#ifndef _APIHOOKS_
#include <ApiHooks.h>
#endif
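// Registers TargetPID in the calling process' CSR by sending the BaseSrv
// "create process" notification to csrss through CsrClientCallServer.
// a) calling process must be Win32
// b) TargetPID must not be registered in its CSR
//
// Parameters: hTargetProcess / hTargetThread are handles to the new process and
// its initial thread; TargetPID / TargetTID are their ids; SubSys == 2
// (presumably IMAGE_SUBSYSTEM_WINDOWS_CUI) is OR-ed as a flag into the
// process-handle slot of the message.
// Returns: the NTSTATUS the server writes back into the message's status slot,
// or STATUS_UNSUCCESSFUL when the ntdll exports could not be resolved, the
// PEB address could not be queried, or the server call never completed.
//
// The message is laid out by raw byte offsets of undocumented CSR/BaseSrv
// structures. Those offsets, the 0x18-byte PROCESS_BASIC_INFORMATION and the
// DWORD-sized handle casts assume a 32-bit build — TODO confirm before using
// this from an x64 image.
LONG WINAPI CreateWin32Process(HANDLE hTargetProcess, HANDLE hTargetThread, DWORD TargetPID, DWORD TargetTID, DWORD SubSys) {
    typedef LONG (WINAPI *TCCCS)(LPDWORD, DWORD, DWORD, DWORD);
    typedef LONG (WINAPI *TNTQP)(HANDLE, DWORD, DWORD*, DWORD, DWORD*);
    // Resolved lazily on first use and cached for the lifetime of the process.
    static TCCCS CCCS = NULL;
    static TNTQP NTQP = NULL;
    if (!CCCS || !NTQP) {
        HMODULE hntdll = GetModuleHandle(MKWIN32_NTDLL);
        if (hntdll) {
            CCCS = (TCCCS)GetProcAddress(hntdll, "CsrClientCallServer");
            NTQP = (TNTQP)GetProcAddress(hntdll, "NtQueryInformationProcess");
        }
    }
    DWORD BaseSrvCreateProcess[0xC4/sizeof(DWORD)] = {0};
    // Status slot: pre-seeded with failure so every early exit below reports it;
    // the server overwrites it on a completed call.
    BaseSrvCreateProcess[0x20/sizeof(DWORD)] = STATUS_UNSUCCESSFUL;
    BaseSrvCreateProcess[0x28/sizeof(DWORD)] = (DWORD)hTargetProcess;
    BaseSrvCreateProcess[0x2C/sizeof(DWORD)] = (DWORD)hTargetThread;
    BaseSrvCreateProcess[0x30/sizeof(DWORD)] = TargetPID;
    BaseSrvCreateProcess[0x34/sizeof(DWORD)] = TargetTID;
    if (SubSys == 2) {
        BaseSrvCreateProcess[0x28/sizeof(DWORD)] |= 2;
    }
    if (CCCS && NTQP) {
        DWORD BasicPI[0x18/sizeof(DWORD)] = {0};
        // Information class 0 is ProcessBasicInformation; offset 4 is
        // PebBaseAddress in the 32-bit PROCESS_BASIC_INFORMATION layout.
        // Previously a failed query was ignored and a zero PEB address was sent
        // to the server; now the failure short-circuits and STATUS_UNSUCCESSFUL
        // is returned from the untouched status slot.
        if (NTQP(hTargetProcess, 0, BasicPI, 0x18, NULL) < 0) {
            return BaseSrvCreateProcess[0x20/sizeof(DWORD)];
        }
        BaseSrvCreateProcess[0xB0/sizeof(DWORD)] = BasicPI[0x04/sizeof(DWORD)];
        // The message length depends on the OS version. GetVersion packs the
        // major version in the low byte and the minor in the next one, so
        // (major << 8 | minor) > 0x500 selects the post-5.0 message size.
        // NOTE(review): GetVersion can report a shimmed version under a
        // compatibility manifest — confirm on the supported targets.
        DWORD W32Ver = GetVersion();
        DWORD MsgLen = ((LOBYTE(W32Ver) << 8) + HIBYTE(W32Ver)) > 0x500 ? 0x98 : 0x28;
        // 0x00010000 = BaseSrv server-dll index in the high word, API number 0
        // in the low word. The transport status returned by CCCS is deliberately
        // not used: a failed call leaves the status slot at STATUS_UNSUCCESSFUL.
        CCCS(BaseSrvCreateProcess, 0, 0x00010000, MsgLen);
    }
    return BaseSrvCreateProcess[0x20/sizeof(DWORD)];
}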
// Registers TargetTID in TargetPID's CSR by having that session's csrss.exe
// run CsrCreateRemoteThread on the caller's behalf.
// a) TargetPID must be Win32 (already registered with its CSR)
// b) requires granted debug privilege: csrss.exe is opened below with VM-write
//    and create-thread rights, a protected operation that is commonly audited.
//
// Parameters: hTargetThread is a handle to the thread to register;
// TargetPID / TargetTID identify the owning process and the thread.
// Returns: whatever hLoadAndCall reports for the remote CsrCreateRemoteThread
// call, or STATUS_UNSUCCESSFUL when csrss could not be opened or the thread
// handle could not be duplicated into it.
//
// GetSessionId, ProcessName2PID, hLoadAndCall, RCINFO and LACSTKPointer are not
// defined here — presumably from PrcWorks.h / ApiHooks.h; verify there.
// The declaration inside the if-condition is C++ only; this header does not
// compile as C.
LONG WINAPI CreateWin32Thread(HANDLE hTargetThread, DWORD TargetPID, DWORD TargetTID) {
LONG Result = STATUS_UNSUCCESSFUL;
// "<session>/csrss.exe": at most 10 decimal digits + "/csrss.exe" + NUL = 21
// TCHARs, so the 32-element buffer cannot overflow with this format string,
// though a bounded _sntprintf would make that explicit.
TCHAR SesFullCsrName[32];
_stprintf(SesFullCsrName, TEXT("%u/csrss.exe"), GetSessionId(TargetPID));
// A lookup failure in ProcessName2PID is only handled implicitly through
// OpenProcess failing — TODO confirm what ProcessName2PID returns on failure.
if(HANDLE hCsr = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | SYNCHRONIZE |
PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE |
PROCESS_CREATE_THREAD | READ_CONTROL,
FALSE, ProcessName2PID(SesFullCsrName))) {
// Duplicate of hTargetThread valid inside csrss; closed remotely below.
HANDLE DuphTargetThread;
if(DuplicateHandle(GetCurrentProcess(), hTargetThread, hCsr, &DuphTargetThread, 0, FALSE, DUPLICATE_SAME_ACCESS)) {
RCINFO rci = {0};
// NOTE(review): the meaning of the second argument (LACSTKPointer+8) is not
// visible in this file — confirm against hLoadAndCall / ApiHooks.h.
DWORD Params[4] = {(DWORD)DuphTargetThread, LACSTKPointer+8, TargetPID, TargetTID};
// The 10000 / 5000 arguments are presumably millisecond timeouts for the
// remote call — confirm with hLoadAndCall's signature.
Result = hLoadAndCall(&rci, TEXT("csrsrv.dll"), hCsr, 10000, 0, TEXT("CsrCreateRemoteThread"), 4, Params);
// Best-effort cleanup of the duplicate inside csrss regardless of Result;
// the return value is ignored, so a failure here leaks that handle in csrss.
hLoadAndCall(&rci, MKWIN32_NTDLL, hCsr, 5000, 0, TEXT("NtClose"), 1, &DuphTargetThread);
}
CloseHandle(hCsr);
}
return(Result);
}
#undef MKWIN32_NTDLL
#endif