// HIDE98.cpp - main module for VxD HIDE98
#define DEVICE_MAIN
#include "hide98.h"
#include "logR0api.h"
Declare_Virtual_Device(HIDE98)
#undef DEVICE_MAIN
// Handle of the ring-0 log file. It is opened in OnSysDynamicDeviceInit(),
// closed in OnSysDynamicDeviceExit(), and passed to every LOGR0_Printf() call
// in this module.
static HANDLE hLogFile;
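// IFS manager file-system API hook: refuses requests that name a protected path.
//
// For IFSFN_OPEN, IFSFN_FINDOPEN, IFSFN_RENAME, IFSFN_DELETE and IFSFN_DIR the
// request path is converted into the global FileNm buffer and tested with
// ComparePath(). A match is answered with error 5 ("access denied") without
// calling the next hook. Every other request, and every request while
// bEnableHook is clear, is forwarded unchanged through ppPrevHook.
//
// Parameters: the standard hook arguments, forwarded untouched.
// Returns:    the previous hook's result, or 5 when the path is protected.
//
// NOTE(review): FileNm is a single global buffer declared outside this listing.
// The bounds below assume it holds at least MAX_PATH bytes - confirm. If this
// hook can be entered re-entrantly or from several threads, the shared buffer
// can be overwritten mid-comparison; a stack buffer would avoid that.
int _cdecl OurFileHook(pIFSFunc pfn, int nFunction, int nDrive, int nResources, int Cp, pioreq pir)
{
    if (!bEnableHook)
        return (*(*ppPrevHook))(pfn, nFunction, nDrive, nResources, Cp, pir);

    switch (nFunction) {
    case IFSFN_OPEN:
    case IFSFN_FINDOPEN:
    case IFSFN_RENAME:
    case IFSFN_DELETE:
    case IFSFN_DIR:
    {
        DWORD iLen;

        if ((nDrive & 0xFF) != 0xFF) {
            // Local drive: '@' + 1 is 'A', so drive number 1 becomes "A:".
            FileNm[0] = nDrive + '@';
            FileNm[1] = ':';

            // The conversion starts at offset 2, so the limit must leave room
            // for the "X:" prefix and for the terminator written below. The
            // original passed MAX_PATH here, which lets the converter write
            // two bytes past a MAX_PATH-sized buffer.
            _QWORD QDword;
            UniToBCSPath((PBYTE)&FileNm[2], pir->ir_ppath->pp_elements, MAX_PATH - 3, BCS_OEM, &QDword);
            iLen = 2 + QDword.ddLower;
        }
        else {
            // Drive 0xFF: the path is built by FormNetPath().
            iLen = FormNetPath(FileNm, pir);
        }

        // ComparePath() treats FileNm as a C string, so terminate it at the
        // converted length. Without this, bytes left over from a longer,
        // earlier path would take part in the comparison.
        if (iLen >= MAX_PATH)
            iLen = MAX_PATH - 1;
        FileNm[iLen] = 0;

        if (ComparePath(FileNm) != FALSE) {
            pir->ir_error = 5;  // protected path: report "access denied"
            return 5;
        }
        break;                  // not protected: do the normal work
    }
    default:
        break;
    }

    return (*(*ppPrevHook))(pfn, nFunction, nDrive, nResources, Cp, pir);
}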
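// Tests whether Path contains any entry of the protected-path list.
//
// The list is the NUL-terminated text at UserPathPtr. If it contains no
// "\r\n" it is treated as a single entry; otherwise each "\r\n"-terminated
// line is one entry. Both sides are upper-cased and an entry matches when it
// occurs anywhere inside Path (strstr).
//
// Path:    NUL-terminated path; it is upper-cased in place, as before.
// Returns: TRUE if an entry matches, FALSE otherwise.
//
// NOTE(review): matching is by substring, not by path component, so an entry
// "C:\FOO" also matches "C:\FOOBAR". Confirm that this is intended.
// NOTE(review): in a multi-line list, a final entry that is not followed by
// "\r\n" is never compared. Confirm whether the list file always ends with
// a line break.
// NOTE(review): the list is upper-cased in place on every call while the
// IOCTL handlers may replace it. No synchronisation is visible here.
BOOL ComparePath(char* Path)
{
    // No path, no list or an empty list means nothing is protected. The
    // original passed a NULL list to strupr(), and an empty list matched
    // every path because strstr(x, "") always succeeds.
    if (Path == NULL || UserPathPtr == NULL || *UserPathPtr == 0)
        return FALSE;

    char *UserPathPtrTmp = strupr((char*)UserPathPtr);

    // Bounded copy: the original strcpy() overflowed szCurrentPath for any
    // path of MAX_PATH characters or more.
    char szCurrentPath[MAX_PATH];
    strupr(Path);
    strncpy(szCurrentPath, Path, MAX_PATH - 1);
    szCurrentPath[MAX_PATH - 1] = 0;

    char* szSubHidePath = UserPathPtrTmp;
    char* szSubHidePathLn;
    char szHidePath[1024];

    // Single-entry list: compare against the whole text.
    if (strstr(szSubHidePath, "\r\n") == NULL)
    {
        if (strstr((const char*)szCurrentPath, szSubHidePath) != NULL)
            return TRUE;

        LOGR0_Printf(hLogFile,"ComparePath :%s isnot in %s \n",UserPathPtrTmp,szCurrentPath);
        return FALSE;
    }

    // Multi-entry list: walk it one "\r\n"-terminated line at a time.
    while ((szSubHidePathLn = strstr(szSubHidePath, "\r\n")) != NULL)
    {
        char* szLine = szSubHidePath;
        unsigned int nLineLen = (unsigned int)(szLineEndDiff(szSubHidePathLn, szLine));
        szSubHidePath = szSubHidePathLn + 2;

        if (nLineLen == 0)
            continue;                       // blank line

        // An entry that does not fit the local buffer is skipped. The
        // original copied it anyway and overran szHidePath on the stack.
        if (nLineLen >= sizeof szHidePath)
            continue;

        // Explicit termination replaces the original memset(), whose size and
        // value arguments were swapped so that it cleared nothing.
        strncpy(szHidePath, szLine, nLineLen);
        szHidePath[nLineLen] = 0;

        // Only entries that start with a letter are used. The cast avoids
        // passing a negative char to isalpha().
        if (!isalpha((unsigned char)*szHidePath))
            continue;

        LOGR0_Printf(hLogFile,"ComparePath :%s --- %s \n",szCurrentPath,szHidePath);
        if (strstr((const char*)szCurrentPath, szHidePath) != NULL)
            return TRUE;
    }
    return FALSE;
}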
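// Converts the Unicode path at pir->ir_aux3.aux_ptr into an OEM string.
//
// FileNm:  destination buffer. The limits below assume it holds at least
//          MAX_PATH bytes; the caller's buffer is declared outside this
//          listing - confirm.
// pir:     the I/O request whose ir_aux3.aux_ptr is the zero-terminated
//          Unicode path.
// Returns: the number of bytes placed in FileNm, as reported by UniToBCS()
//          in qword.ddLower. FileNm is NUL-terminated at that length.
int FormNetPath(char *FileNm, pioreq pir)
{
    const unsigned short *pUni = (const unsigned short *)pir->ir_aux3.aux_ptr;

    // No path in the request: hand back an empty string rather than reading
    // through a null pointer at ring 0.
    if (pUni == NULL) {
        FileNm[0] = 0;
        return 0;
    }

    // Count 16-bit units up to the zero terminator. This replaces the
    // original inline-assembly loop. UniToBCS() is given the length in
    // bytes, hence the multiplication by two.
    int nChars = 0;
    while (pUni[nChars] != 0)
        ++nChars;
    int iSizeOfUniPath = nChars * 2;

    // Limit the output to MAX_PATH - 1 so that the terminator below still
    // fits into a MAX_PATH-sized buffer.
    _QWORD qword;
    UniToBCS((PBYTE)FileNm, (string_t) pir->ir_aux3.aux_ptr, iSizeOfUniPath,
             MAX_PATH - 1, BCS_OEM, &qword);

    int iLengthOfPath = qword.ddLower;
    if (iLengthOfPath < 0 || iLengthOfPath > MAX_PATH - 1)
        iLengthOfPath = MAX_PATH - 1;

    // Callers use the result as a C string, so terminate it here.
    FileNm[iLengthOfPath] = 0;
    return iLengthOfPath;
}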
// Cleanup step called from the DIOC_CLOSEHANDLE branch of
// OnW32DeviceIoControl(). It releases nothing itself and only reports
// VXD_SUCCESS.
DWORD _stdcall CVXD_CleanUp(void)
{
    const DWORD dwStatus = VXD_SUCCESS;
    return dwStatus;
}
// Per-VM object. The constructor only forwards the VM handle to the
// VVirtualMachine base class.
Hide98VM::Hide98VM(VMHANDLE hVM)
    : VVirtualMachine(hVM)
{
}
// Per-thread object. The constructor only forwards the thread handle to the
// VThread base class.
Hide98Thread::Hide98Thread(THREADHANDLE hThread)
    : VThread(hThread)
{
}
// Dynamic-load initialisation: opens the ring-0 log file "Hide98.txt".
//
// Returns FALSE when LOGR0_GetVersion() reports 0 (logger.vxd is not
// available) or when the log file cannot be opened, TRUE otherwise.
BOOL Hide98Device::OnSysDynamicDeviceInit()
{
    // A version of 0 means the logging VxD is missing.
    if (LOGR0_GetVersion() == 0)
        return FALSE;

    hLogFile = LOGR0_OpenFile("Hide98.txt", NULL);
    if (hLogFile != NULL) {
        LOGR0_Printf(hLogFile, "OnSysDynamicDeviceInit:Opened Hide98 Log\n");
        return TRUE;
    }

    // The log file could not be opened.
    return FALSE;
}
// Dynamic-unload handler: writes a closing line to the log and closes it.
// Always returns TRUE.
//
// NOTE(review): nothing here removes the file-system hook or frees
// UserPathPtr. If the VxD can be unloaded while OurFileHook is still
// registered, the IFS manager would keep a pointer into unloaded code.
// Confirm that REMOVE_HOOK is always issued before the unload.
// NOTE(review): hLogFile keeps its old value after LOGR0_CloseFile().
BOOL Hide98Device::OnSysDynamicDeviceExit()
{
    // Nothing to close if the log was never opened.
    if (!hLogFile)
        return TRUE;

    LOGR0_Printf(hLogFile, "OnSysDynamicDeviceExit:Closed Hide98 Log\n\r");
    LOGR0_CloseFile(hLogFile);
    return TRUE;
}
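// Dispatches DeviceIoControl requests from the Win32 side.
//
// pDIOCParams: request block. dioc_IOCtlCode selects the service and the
//              handlers read dioc_InBuf / dioc_OutBuf, which are supplied by
//              the calling process.
// Returns:     0 for DIOC_OPEN and for unknown codes, otherwise the value
//              returned by the selected handler.
//
// NOTE(review): every buffer reaching the handlers comes from user mode.
// Each handler has to check pointer and length itself before touching it.
DWORD Hide98Device::OnW32DeviceIoControl(PIOCTLPARAMS pDIOCParams)
{
    const DWORD dwService = pDIOCParams->dioc_IOCtlCode;

    // DIOC_OPEN is sent when VxD is loaded w/ CreateFile
    // (this happens just after SYS_DYNAMIC_INIT)
    if ( dwService == DIOC_OPEN )
    {
        LOGR0_Printf(hLogFile, "OnW32DeviceIoControl: Open\n\r");
        // Must return 0 to tell WIN32 that this VxD supports DEVIOCTL
        return 0;
    }
    // DIOC_CLOSEHANDLE is sent when VxD is unloaded w/ CloseHandle
    // (this happens just before SYS_DYNAMIC_EXIT)
    else if ( dwService == DIOC_CLOSEHANDLE )
    {
        LOGR0_Printf(hLogFile, "OnW32DeviceIoControl: Closing!\n\r");
        if (UserPathPtr)
        {
            // The hook reads this list. Switch the hook to pass-through
            // before freeing, and clear the pointer afterwards. The original
            // left a dangling pointer that the hook could still read and
            // that a later MEM_COPY, FILE_MEM_OPEN or REMOVE_HOOK request
            // would free a second time.
            bEnableHook = FALSE;
            HeapFree(UserPathPtr, 0);
            UserPathPtr = NULL;
        }
        return CVXD_CleanUp();
    }
    else if (dwService == INSTALL_HOOK)
    {
        return InstallHook(pDIOCParams);
    }
    else if (dwService == FILE_MEM_OPEN)
    {
        return OpenAndReadFile(pDIOCParams);
    }
    else if (dwService == REMOVE_HOOK)
    {
        return RemoveHook(pDIOCParams);
    }
    else if (dwService == MEM_COPY)
    {
        return MemStringCopy(pDIOCParams);
    }
    else if (dwService == DISABLE_HOOK)
    {
        return DisableHook(pDIOCParams);
    }

    // Unknown control code: report 0, as before.
    return 0;
}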
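// DISABLE_HOOK service: switches path filtering on or off.
//
// pDIOCParams: dioc_InBuf must point to one DWORD. The value 1 enables the
//              hook and any other value disables it.
// Returns:     0 on success, (DWORD)-1 when the input buffer is missing or
//              shorter than a DWORD.
DWORD _stdcall DisableHook(PIOCTLPARAMS pDIOCParams)
{
    // The buffer comes from the calling process, so check it before
    // dereferencing. The original read it unconditionally.
    if (pDIOCParams->dioc_InBuf == NULL || pDIOCParams->dioc_cbInBuf < sizeof(DWORD))
        return (DWORD)-1;

    const DWORD dwFlag = *(PDWORD)pDIOCParams->dioc_InBuf;
    bEnableHook = (dwFlag == 1) ? TRUE : FALSE;

    LOGR0_Printf(hLogFile, bEnableHook? "EnableHide:TRUE\n\r":"EnableHide:FALSE\n\r");
    return 0;
}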
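// INSTALL_HOOK service: registers OurFileHook with the IFS manager and stores
// the returned previous-hook pointer in ppPrevHook.
//
// pDIOCParams: not used by this service.
// Returns:     NO_ERROR on success, (DWORD)-1 if the IFS manager returned no
//              previous-hook pointer.
//
// NOTE(review): there is no guard against a second INSTALL_HOOK request.
// Registering again would overwrite ppPrevHook, presumably with a pointer
// that leads back to OurFileHook. Confirm the Win32 side never does this.
DWORD _stdcall InstallHook(PIOCTLPARAMS pDIOCParams)
{
    ppPrevHook = IFSMgr_InstallFileSystemApiHook(OurFileHook);

    // Check the result before reporting success. The original logged
    // "Success" before the call and ignored the returned pointer.
    if (ppPrevHook == NULL)
    {
        LOGR0_Printf(hLogFile, "InstallHook: Hook Install Failed!\n\r");
        return (DWORD)-1;
    }

    LOGR0_Printf(hLogFile, "InstallHook: Hook Installed Success!\n\r");
    return(NO_ERROR);
}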
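// FILE_MEM_OPEN service: loads the protected-path list from a file.
//
// pDIOCParams: dioc_InBuf holds the NUL-terminated name of the list file and
//              dioc_cbInBuf holds the size of that buffer.
// Returns:     NO_ERROR on success, (DWORD)-1 on any failure.
//
// The file is read into a fresh heap block that replaces UserPathPtr only
// after the read has succeeded. If anything fails earlier, the previous list
// stays in place.
//
// NOTE(review): ProtectorFileName is declared outside this listing. The
// length check assumes it holds at least MAX_PATH bytes - confirm.
// NOTE(review): the hook may read UserPathPtr while it is being swapped
// here. No synchronisation is visible in this file.
DWORD _stdcall OpenAndReadFile(PIOCTLPARAMS pDIOCParams)
{
    BYTE pAction = 1;   // Fail/Open
    DWORD bRead;
    WORD Error;

    const char *ProtFileTmp = (const char *) pDIOCParams->dioc_InBuf;
    const DWORD cbIn = pDIOCParams->dioc_cbInBuf;

    // The name comes from the calling process. Require a terminator inside
    // the supplied buffer and a length that fits a path buffer before
    // copying. The original strcpy() trusted both.
    if (ProtFileTmp == NULL || cbIn == 0)
        return (DWORD)-1;
    DWORD nNameLen = 0;
    while (nNameLen < cbIn && ProtFileTmp[nNameLen] != 0)
        ++nNameLen;
    if (nNameLen == 0 || nNameLen == cbIn || nNameLen >= MAX_PATH)
        return (DWORD)-1;

    strcpy(ProtectorFileName, ProtFileTmp);
    LOGR0_Printf(hLogFile, "OpenFileName: %s\n\r",ProtectorFileName);

    pHandle = R0_OpenCreateFile(FALSE, ProtectorFileName, OPEN_ACCESS_READONLY
                                , ATTR_READONLY
                                , ACTION_IFEXISTS_OPEN
                                , R0_NO_CACHE, &Error, &pAction);
    if (Error != 0)
        return (DWORD)-1;

    const DWORD dwFileSize = R0_GetFileSize(pHandle, &Error);
    // Close the handle on this path too; the original leaked it. The second
    // test keeps dwFileSize + 1 from wrapping to 0.
    if (Error != 0 || dwFileSize == 0xFFFFFFFF)
    {
        R0_CloseFile(pHandle, &Error);
        return (DWORD)-1;
    }

    // One extra byte for the terminator.
    PBYTE pNewList = (PBYTE) HeapAllocate(dwFileSize + 1, HEAPZEROINIT);
    if (!pNewList)
    {
        R0_CloseFile(pHandle, &Error);
        return (DWORD)-1;
    }

    bRead = R0_ReadFile(FALSE, pHandle, pNewList, dwFileSize, 0, &Error);
    if (Error != 0)
    {
        R0_CloseFile(pHandle, &Error);
        // Only the new block is freed, so UserPathPtr never points to
        // released memory. The original freed UserPathPtr here without
        // clearing it.
        HeapFree(pNewList, 0);
        return (DWORD)-1;
    }
    if (bRead > dwFileSize)
        bRead = dwFileSize;
    pNewList[bRead] = 0x0;

    // Publish the new list first, then release the old one.
    PBYTE pOldList = UserPathPtr;
    UserPathPtr = pNewList;
    if (pOldList)
        HeapFree(pOldList, 0);

    if (!R0_CloseFile(pHandle, &Error))
        return (DWORD)-1;

    LOGR0_Printf(hLogFile, "FileContent: %s\n\r",UserPathPtr);
    return(NO_ERROR);
}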
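// REMOVE_HOOK service: unregisters OurFileHook and frees the protected-path
// list.
//
// pDIOCParams: dioc_OutBuf, when it holds at least two DWORDs, receives
//              [0] the result of IFSMgr_RemoveFileSystemApiHook() and
//              [1] the result of HeapFree(), or 0 when no list was loaded.
// Returns:     NO_ERROR.
//
// NOTE(review): the list is freed even if the unhook call reports failure.
// In that case the hook stays registered with no list behind it. Confirm how
// the caller handles a failing pdw[0].
DWORD _stdcall RemoveHook(PIOCTLPARAMS pDIOCParams)
{
    // Unhook first so that the hook is no longer called when the list goes.
    const DWORD dwUnhook = IFSMgr_RemoveFileSystemApiHook(OurFileHook);

    // Free the list only when one is loaded. The original passed a possibly
    // NULL pointer to HeapFree().
    DWORD dwFreed = 0;
    if (UserPathPtr)
    {
        dwFreed = HeapFree(UserPathPtr, 0);
        UserPathPtr = 0;
    }

    // The output buffer belongs to the calling process. Write the two result
    // DWORDs only if it is present and large enough.
    PDWORD pdw = (PDWORD)pDIOCParams->dioc_OutBuf;
    if (pdw != NULL && pDIOCParams->dioc_cbOutBuf >= 2 * sizeof(DWORD))
    {
        pdw[0] = dwUnhook;
        pdw[1] = dwFreed;
    }
    return(NO_ERROR);
}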
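// MEM_COPY service: replaces the protected-path list with the text supplied
// in the input buffer.
//
// pDIOCParams: dioc_InBuf holds the list text and dioc_cbInBuf its size in
//              bytes.
// Returns:     NO_ERROR on success, (DWORD)-1 when the buffer is missing or
//              empty, or when the allocation fails. The original returned 0,
//              which equals NO_ERROR, on allocation failure.
//
// NOTE(review): the hook may read UserPathPtr while it is being swapped
// here. No synchronisation is visible in this file.
DWORD _stdcall MemStringCopy(PIOCTLPARAMS pDIOCParams)
{
    const char *pTempDir = (const char *) pDIOCParams->dioc_InBuf;
    const DWORD cbIn = pDIOCParams->dioc_cbInBuf;

    // The buffer comes from the calling process. The last test keeps
    // cbIn + 1 from wrapping to 0.
    if (pTempDir == NULL || cbIn == 0 || cbIn == 0xFFFFFFFF)
        return (DWORD)-1;

    // One byte more than the input so that the copy is always terminated.
    PBYTE pNewList = (PBYTE) HeapAllocate(cbIn + 1, HEAPZEROINIT);
    if (!pNewList)
        return (DWORD)-1;

    // Copy at most cbIn bytes. The original strcpy() ran past the allocation
    // whenever the input had no NUL inside its first cbIn bytes.
    strncpy((char*)pNewList, pTempDir, cbIn);
    pNewList[cbIn] = 0;

    // Publish the new list first, then release the old one, so UserPathPtr
    // never points to freed memory.
    PBYTE pOldList = UserPathPtr;
    UserPathPtr = pNewList;
    if (pOldList)
        HeapFree(pOldList, 0);

    LOGR0_Printf(hLogFile, "Buffer: %s\n\r",UserPathPtr);
    return(NO_ERROR);
}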