📄 cetc.c
字号:
case CS_ClearRecordList:
{
AddressListEntries=0;
break;
}
case CS_UpdateList: //update list(start:word stop:word) //request a updated list
{
WORD start,stop;
WORD i,j;
DWORD buffersize=1,pos;
char *buffer;
ADDRESSENTRY *templist;
//DbgPrint("UpdateList\n");
Receive(&start,2);
Receive(&stop,2);
//DbgPrint("start=%d\nstop=%d\n",start,stop);
//read the addresses and send the data to the client
start=start>AddressListEntries-1 ? 0:start;
stop=stop>AddressListEntries-1 ? AddressListEntries:stop;
//DbgPrint("After adjusting:\nstart=%d\nstop=%d\n",start,stop);
templist=ExAllocatePoolWithTag(NonPagedPool, (start-stop+1)*sizeof(ADDRESSENTRY),0);
if (templist!=NULL)
{
j=0;
for (i=start;i<stop;i++)
{
buffersize+=AddressList[i].size+4;
templist[j]=AddressList[i];
j++;
}
}
if (templist==NULL)
break;
//DbgPrint("Total buffer to read=%d\n",buffersize);
buffer=ExAllocatePoolWithTag(NonPagedPool, buffersize+1,0);
if (buffer!=NULL)
{
//DbgPrint("Allocated buffer\n");
buffer[0]=SC_ValueList;
pos=1;
for (i=start;i<stop;i++)
{
//DbgPrint("pos=%d\n",pos);
//DbgPrint("i=%d\n",i);
//DbgPrint("Address=%x\nSize=%x\n",AddressList[i].Address,AddressList[i].size);
*(PWORD)&buffer[pos]=i;
if (ReadProcessMemory(0,ActivePEPROCESS,(PVOID)AddressList[i].Address,(DWORD)AddressList[i].size,&buffer[pos+4]))
{
//DbgPrint("Readable\n");
*(PWORD)&buffer[pos+2]=AddressList[i].size;
//DbgPrint("Bufferdata:\n");
//DbgPrint("Itemnr=%d\n",*(PWORD)&buffer[pos]);
//DbgPrint("read=%d bytes\n",*(PWORD)&buffer[pos+2]);
pos+=4+AddressList[i].size;
}
else
{
//DbgPrint("Unreadable\n");
*(PWORD)&buffer[pos+2]=0;
pos+=4;
}
//pos+=AddressList[i].size;
}
//DbgPrint("Sending data to client\n");
buffer[pos]=SC_ValueListDone; //also tell it's the end of the list (safety first....)
Send(buffer,pos+1);
ExFreePool(buffer);
}
else //DbgPrint("Failed to allocate buffer\n");
//DbgPrint("End of UpdateList\n");
break;
}
case CS_FreezeAddress:
{
//Freeze Address (recid: word)
WORD recid;
Receive(&recid,2);
if (recid<AddressListEntries)
{
if (AddressList[i].frozen)
{
//cleanup
KeAcquireInStackQueuedSpinLock(&AddressListSpinlock,&lqh);
AddressList[i].frozen=FALSE;
KeReleaseInStackQueuedSpinLock(&lqh);
//freemem
if (AddressList[i].frozendata!=NULL)
ExFreePool(AddressList[i].frozendata);
}
AddressList[i].frozendata=ExAllocatePoolWithTag(NonPagedPool, AddressList[i].size,0);
AddressList[i].frozen=TRUE; //no spinlock required here
}
break;
}
case CS_AddAddress: //AddAddress(address:dword ,size:byte)
{
ADDRESSENTRY x;
ADDRESSENTRY *oldlist=NULL;
BYTE recordreceived=SC_AddressReceived;
Receive(&(x.Address),4);
Receive(&(x.size),1);
x.frozen=FALSE;
x.frozendata=NULL;
//DbgPrint("Address=%x - size=%d\n",x.Address,x.size);
KeAcquireInStackQueuedSpinLock(&AddressListSpinlock,&lqh);
//add to the list
//first check if there is already a list or not
if (AddressList==NULL)
{
//DbgPrint("Allocating Addresslist buffer\n");
AddressListEntries=0;
AddressListSize=0;
//allocate a buffer to store the list
AddressList=ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE,0);
if (AddressList!=NULL)
{
//DbgPrint("Allocated a AddressList. Setting AddressListSize to PAGE_SIZE(%d)\n",PAGE_SIZE);
AddressListSize=PAGE_SIZE;
//DbgPrint("AddressListSize=%d\n",AddressListSize);
}
else
{
//DbgPrint("couldn\'t allocate buffer");
break;
}
} else //DbgPrint("AddressList was already allocated. AddressListSize=%d\n",AddressListSize);
if (AddressListSize<(AddressListEntries+1)*sizeof(ADDRESSENTRY))
{
//DbgPrint("AddressListSize too small, allocating more memory\n");
//allocate a new buffer
oldlist=AddressList;
AddressList=ExAllocatePoolWithTag(NonPagedPool,AddressListSize+PAGE_SIZE,0);
if (AddressList!=NULL)
{
//DbgPrint("Copying old list to new list\n");
RtlCopyMemory(AddressList,oldlist,AddressListSize);
AddressListSize+=PAGE_SIZE;
ExFreePool(oldlist);
//DbgPrint("Allocated more memory and copied the list\n");
}
else
{
//DbgPrint("Couldn\'t reallocate list\n");
AddressList=oldlist;
break;
}
}
//DbgPrint("Going to add entry\n");
AddressList[AddressListEntries]=x;
AddressListEntries++;
KeReleaseInStackQueuedSpinLock(&lqh);
//DbgPrint("Entry added\n");
//DbgPrint("AddressListSize=%d\nAddressListEntries=%d\n",AddressListSize,AddressListEntries);
Send(&recordreceived,1);
break;
}
case CS_ChangeValueOfAddress:
{
//change the address of recid x (recid: dword; bufsize:byte; buf: arrau of byte)
WORD recid;
BYTE bufsize;
char *buf;
Receive(&recid,2);
Receive(&bufsize,1);
if (bufsize!=0)
{
buf=(NonPagedPool,bufsize,0);
Receive(buf,bufsize);
if (AddressList[recid].frozen)
{
RtlCopyMemory(AddressList[recid].frozendata,buf,bufsize);
}
WriteProcessMemory(0,ActivePEPROCESS,(PVOID)AddressList[recid].Address,bufsize,buf);
ExFreePool(buf);
}
break;
}
case CS_TERMINATESERVER:
{
//DbgPrint("Terminating server\n");
Disconnect();
StopListener=TRUE;
break;
}
}
}
}
}
else
{
LARGE_INTEGER timeout;
KEVENT WaitEvent;
//wait a few seconds and try again
KeInitializeEvent(&WaitEvent, NotificationEvent, FALSE);
//DbgPrint("waiting\n");
timeout.QuadPart=-50000000; //5 seconds
KeWaitForSingleObject(&WaitEvent, Executive, KernelMode, FALSE, &timeout);
//DbgPrint("returned\n");
//DbgPrint("Error while listening\n");
Disconnect();
//break; //error while listening
}
}
}
StopListener=TRUE; //in case i got out using a break (e.g bug...)
//free the AddressList
if (AddressList!=NULL)
ExFreePool(AddressList);
//DbgPrint("Exit thread\n");
PsTerminateSystemThread(STATUS_SUCCESS);
return;
}
void InitializeCETC(void)
{
OBJECT_ATTRIBUTES oaCreateThread;
HANDLE th;
AddressList=NULL;
AddressListSize=0;
AddressListEntries=0;
ProcessNameOffset=372;
ActiveLinkOffset=136;
DebugportOffset=188;
StopListener=FALSE;
CurrentScan.process=NULL; //indicates there is no scan
CurrentScan.scanning=FALSE;
CurrentScan.scanvalue=NULL;
KeInitializeEvent(&ListenerStopped, NotificationEvent, FALSE);
KeInitializeSpinLock(&AddressListSpinlock);
{
OBJECT_ATTRIBUTES oaSendEvent;
InitializeObjectAttributes(&oaSendEvent, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
if NT_SUCCESS(ZwCreateEvent(&SendEvent,0,&oaSendEvent,SynchronizationEvent,TRUE))
//DbgPrint("Created the event\n");
else
//DbgPrint("Failed to create the event\n");
}
addressfile=0;
valuefile=0;
//DbgPrint("Spawning thread\n");
th=0;
InitializeObjectAttributes(&oaCreateThread, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
PsCreateSystemThread(&th,0L,&oaCreateThread,NULL,NULL,CETC_CORE,NULL);
if (th!=NULL)
ZwClose(th);
}
NTSTATUS UnloadCETC(void)
{
NTSTATUS ntStatus;
//DbgPrint("Unload CE-TC\n");
StopListener=TRUE;
if (FileObjectConnection!=NULL)
{
ntStatus=TdiFuncs_DisAssociateTransportAndConnection(FileObjectConnection);
if (NT_SUCCESS(ntStatus))
//DbgPrint("Disassociating worked\n");
else
//DbgPrint("Disassociating Failed!\n");
}
if (FileObjectConnection!=NULL)
{
//DbgPrint("Dereferencing Connection Object\n");
ObDereferenceObject(FileObjectConnection);
}
if (TdiHandleConnection!=NULL)
{
//DbgPrint("Dereferencing Connection Handle\n");
ZwClose(TdiHandleConnection);
}
if (FileObjectTransport!=NULL)
{
//DbgPrint("Dereferencing Transport Object\n");
ObDereferenceObject(FileObjectTransport);
}
if (TdiHandleTransport!=NULL)
{
//DbgPrint("Dereferencing Transport handle\n");
ZwClose(TdiHandleTransport);
}
ntStatus=ZwWaitForSingleObject(ListenThread,FALSE,NULL);
if (NT_SUCCESS(ntStatus))
//DbgPrint("Failed to wait for the thread\n");
return ntStatus;
}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -