shubloadercore.h

此为破解装载器一书中的源代码,在看雪论坛下载的,

#if !defined(AFX_SHUBLOADERCORE_H__FD441B4D_D174_423B_9CB2_697D877CD065__INCLUDED_)
#define AFX_SHUBLOADERCORE_H__FD441B4D_D174_423B_9CB2_697D877CD065__INCLUDED_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000

#define DEFAULT_MSG_CAPTION "Shub-Nigurrath[ARTeam] Generic Loader"

//How many times tries to suspend the thread, used if it's busy doing something else..
#define MAX_SUSPENDTHREAD_TRIALS 10 

#define BAD_INITIALIZEPATCHSTACK		-1
#define BAD_SETVICTIMPATHANDCRC			-2
#define BAD_ACTIONSBEFORECREATEPROC		-3
#define BAD_CRCFILE						-4
#define BAD_CREATEPROCESS				-5
#define BAD_ACTIONSAFTERCREATEPROC		-6
#define BAD_ACTIONSBEFORECLOSINGLOADER	-7
#define BAD_RESUMEPROCESS				-8
#define BAD_SUSPENDPROCESS				-9
#define BAD_ACTIONSBEFOREGATEPROCEDURE  -10
#define BAD_ACTIONSAFTERGATEPROCEDURE	-11

#include <fcntl.h>
#include <io.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <tchar.h>
#include <afxwin.h>
#include <string.h>
#include <ctype.h>
#include <limits.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <iostream>
#include <process.h>
#include "l3_array/l3_str.h"
#include "l3_array/l3_stack.h"

#include "gsar.h"
#include "NTInternals.h"

//SILENT_MODE disable all the messages given back to the user, even errors. 
//It's useful in some cases when these messages might hang the victim
#ifdef _DEBUG
	#ifdef SILENT_MODE
		#undef SILENT_MODE
	#endif
#endif

//This is the protoptype of functions actions that can be performed to any patch.
typedef void (*fcnPatchCallBack) (DWORD addr);

//This class contains all the data required from a single patch.
//	address - is the RVA address of the patch
//	patch - is the new byte to substitute
//	orig - is the original byte read from the application
//	byteswritten - number of bytes written in the process
//	bytesread - number of bytes read from the process
//	msg - a message reporting the result of the patch up to now
class Patch {
public:
	//there is a different set of available constructor to give freedom of doing the patch in the way you like.
	
	//This one shouldn't ever be used, it' useless
	Patch() { 
		byteswritten=bytesread=orig=address=patch=0; 
		checkorigByte=FALSE;
		fcnCallBack=NULL;
		OnlyDoCallback=FALSE;
	}
	//Use this when you want to write a single byte at a specific location
	Patch(DWORD addr, BYTE ptc) { 
		byteswritten=bytesread=orig=0; 
		address=addr; 
		patch=ptc; 
		checkorigByte=FALSE;
		fcnCallBack=NULL;
		OnlyDoCallback=FALSE;
	}
	//Use this when you want to only write a byte at a specified address and perform a callback
	Patch(DWORD addr, BYTE ptc, fcnPatchCallBack fcn) { 
		byteswritten=bytesread=orig=0; 
		address=addr; 
		patch=ptc; 
		checkorigByte=FALSE;
		fcnCallBack=fcn;
		OnlyDoCallback=FALSE;
	}
	//Use this when you want to also to check the original byte value then patch is matches
	Patch(DWORD addr, BYTE ori, BYTE ptc) { 
		byteswritten=bytesread=0; 
		address=addr; 
		orig=ori;
		patch=ptc; 
		checkorigByte=TRUE;
		fcnCallBack=NULL;
		OnlyDoCallback=FALSE;
	}
	//Use this if you want also to call a specified callback when doing a patch
	Patch(DWORD addr, BYTE ori, BYTE ptc, fcnPatchCallBack fcn) { 
		byteswritten=bytesread=0; 
		address=addr; 
		orig=ori;
		patch=ptc; 
		checkorigByte=TRUE;
		fcnCallBack=fcn;
		OnlyDoCallback=FALSE;
	}
	//Use this when you want to only do a specific callback without having to read/write anything
	Patch(DWORD addr, fcnPatchCallBack fcn) { 
		byteswritten=bytesread=0; 
		address=addr; 
		orig=0;
		patch=0; 
		checkorigByte=FALSE;
		fcnCallBack=fcn;
		OnlyDoCallback=TRUE;
	}

	virtual ~Patch() {}

	DWORD address;
	BYTE patch; 
	
	BYTE orig;
	unsigned long byteswritten;
	unsigned long bytesread;
	fcnPatchCallBack fcnCallBack;

	TextString msg;
	//I must use some special flags, because there are no special values which can be assigned to the BYTE values that can be used 
	//as test conditions..
	BOOL checkorigByte; 
	BOOL OnlyDoCallback;

};

//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////

class ShubLoaderCore:public NTInternals {
public:
	ShubLoaderCore();
	virtual ~ShubLoaderCore() {};
	
	//This is the core part of the loader, does all the hard work.
	//The parameters are the command-line parameters of the loaders which are passed to
	//the victim as well (usually they are coming from parameters with same names from 
	//the loader's main). 
	//If you don't need them simply set all of the to NULL.
	int DoMyJob(int argc, TCHAR* argv[]);

	//Retrieves a formatted message of the last system error message. 
	//Use for you own external to the class error checking.
	TextString GetLastErrorMsg();

	//This function might be used from inside the GateCondition procedure to set the real main HWND
	//of the application. When a program is difficult to suspend, the Loader tries to suspend the 
	//whole process using undocumented low level APIs, which requires in order to be executed the 
	//handle of the main process' window.
	//If not called this tentative isn't used. Do not call if you are not experiencing problems
	//suspending the process.
	static void SetMainWnd(HWND hWnd);

	//Used to define new creation flags. Default value is CREATE_SUSPENDED and you don't need 
	//to call this method to set it.
	//If you want to specify something else, call it properly. 
	//Can be called in any funcion before the call to CreateProcess, thus one of the following:
	//PushPatchVector || SetVictimDetails || InitializePatchStack || ActionsBeforeCreateProc
	//For example to create the process in debug mode use this combination:
	//DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS | CREATE_NEW_CONSOLE
	void SetCreateProcessFlags(DWORD dwFlags);

	//Use this function in all the derived classes to get the PROCESS_INFORMATION structure.
	//If it's NULL means that the process has not been already started or something went wrong!
	PROCESS_INFORMATION* GetPI() { return &pi; }

	//Set the victim's CRC. If invoked the loader will check against the real victim's CRC.
	void SetVictimCRC(DWORD crc);

	//This define must or not be defined into the LoaderActions.h file and it modify also the
	//behaviour of the whole program. if it is defined the loader do not issue most of the errors
	//messages which are usually issued.
	//This is useful for those cases into the dialogs are disturbing the program and for those 
	//that error messages are useless.
	//An example: suppose that a victim program creates another internal thread which closes the 
	//main thread and continue running from that thread or from that thread launches another 
	//istance of itself.
	//In this case the loader couldn't be able to Suspend the thread because it would not 
	//be active anymore. An an error message will be issued. 
	//Properly writing the GateProcedure() the loader would still work (for example waiting 
	//for the main victim's windows to appear) and the error would be not meaningful. 
	//In this case you would use the SILENT_MODE set to TRUE.
	//By default is set to FALSE!
	void SetSilentMode(BOOL bVal);

	//Used to modify the starting message of the loader. If not used the loader uses a standard
	//string.
	void SetStartingMsg( TextString msg);
	void SetStartingMsg( char* msg);

	//Add a whole Vector of patch data.
	//This function takes two BYTEs vector and push each values to a stack of Patch objects, the
	//fcnPatchCallBack is applied to the last Patch of the vector, so as eventually the action is
	//performed at the end of the operation. 
	//Input parameters
	//- stkPatches stack of Patch elements where the values are pushed
	//- startAddr, the address where the vector starts. 
	//- OriVector, vector of original bytes, if NULL Patch objects will not check original values
	//- PatchVector, vector of new bytes
	//- dimension, dimension of the vector (the two vectors should be long the same)
	//- fcn, this callback will be applied to the first pushed values of the vector 
	//  (due to the stack logic will be the last applied)
	//return 0 of all went fine, otherwise an error code number <0 (see implementation for codes).
	int PushPatchVector(growing_arraystack<Patch> &stkPatches, 
			DWORD startAddr, BYTE *OriVector, BYTE *PatchVector, int dimension, 
			fcnPatchCallBack fcn );

	//Pure virtual methods, MUST be overwritten by the class derived from ShubLoaderCore which
	//implements specific actions for the specific loader, such as patches, application path, and 
	//specific gate condition.
	//
	// Only ActionsBeforeCreateProc() and ActionsAfterCreateProc() are not pure virtual, because
	// several times you don't need to do anything special here inside (derived classes are not 
	// obliged to implement them)
	
	//////////////////////////////////////////////////////////////////////////
	
	//Set the Victim's name and it's CRC (optional, using SetVictimCRC())
	//The TextString is an OUT parameter, must be set by this function
	//if you don't call SetVictimCRC from within the CRC isn't checked.
	virtual BOOL SetVictimDetails(/*OUT*/ TextString &victimFileName) { return TRUE; };
	
	//Add to the patches stack the patches to do.
	//The stkPatches variable is an OUT parameter and must be filled by the function
	//You can also use matrix of consecutive binary data, such for example coming to a dump or a long
	//patch. In this case use the PushPatchVector which pushes on the Patch stack a whole matrix of
	//consecutive patches, starting from an initial address.
	virtual BOOL InitializePatchStack(/*OUT*/ growing_arraystack<Patch> &stkPatches) { return TRUE; };
	
	//Invoke an action just before the call to CreateProcess
	virtual BOOL ActionsBeforeCreateProc() { return TRUE; };
	
	//Invoke an action just after the call to CreateProcess, while it is still SUSPENDED
	virtual BOOL ActionsAfterCreateProc() { return TRUE; };
	
	//Actions performed just before calling the gatecondition, are useful to prepare it if needed.
	virtual BOOL ActionsBeforeGateProcedure() { return TRUE; };
	
	//It's the condition till the Loader waits before Suspending the process and applying patches.
	//Returns TRUE when ready to patch.
	virtual BOOL GateProcedure() { return TRUE; };
	
	//Actions performed just after the GateProcedure to clean eventually the special settings
	//made to reach the GateProcedure.
	//This operation is done after having applied all the patches but before resuming the process.
	virtual BOOL ActionsAfterGateProcedure() { return TRUE; };
	
	//Invoke an action just before closing the loader.
	virtual BOOL ActionsBeforeClosingLoader() { return TRUE; }

	//Reflectors of the BMG_gsar class methods. Allows a controlled access to memory
	//automatically handling access to pages and error handing. Use as real Windows 
	//counterparts, in derived classes.
	BOOL ReadProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer,
		DWORD nSize, LPDWORD lpNumberOfBytesRead);
	BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, 
		DWORD nSize, LPDWORD lpNumberOfBytesWritten);

private:

	BOOL CRCFile(LPCSTR strfilename, DWORD storedCRC);
	ULONG Reflect(ULONG ref, char ch);

	static HWND m_ghMainWnd;
	static BOOL m_SilentMode;

	PROCESS_INFORMATION pi;

	BOOL m_bcheckCRC;
	DWORD m_dwVictimCRCValue; //calculated using any crc calculator

	DWORD m_dwCreationFlags;

	//It's the default starting message of the loader, shown when starting patching. 
	//Insert some credits here if you like, otherwise a standard text is used.
	//Use SetStartingMsg() to modify it.
	TextString m_startingMsg;
};




#endif // !defined(AFX_SHUBLOADERCORE_H__FD441B4D_D174_423B_9CB2_697D877CD065__INCLUDED_)