// Main program entry point
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE, LPSTR lpCmdLine, int nShowCmd)
{
	// Try to initiate DWMAPI.DLL on Windows 7
	if(IsWindows7()) {
		InitDWMAPI();
	}

	// Provide a custom exception handler
	SetUnhandledExceptionFilter(ExceptionFilter);

	hAppInst = hInstance;

	// Make version string
	if (nBurnVer & 0xFF) {
		// private version (alpha)
		_stprintf(szAppBurnVer, _T("%x.%x.%x.%02x"), nBurnVer >> 20, (nBurnVer >> 16) & 0x0F, (nBurnVer >> 8) & 0xFF, nBurnVer & 0xFF);
	} else {
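// Bounded wide-string append: never writes past cap WCHARs of dst and leaves
// dst NUL-terminated. Extra input that does not fit is silently dropped.
static void AppendBoundedW(WCHAR *dst, size_t cap, const WCHAR *src)
{
	size_t used = wcslen(dst);
	if (src == NULL || cap == 0 || used + 1 >= cap) {
		return;
	}
	wcsncat(dst, src, cap - used - 1);
}

// Fills m_list with the Nsiproxy dispatch snapshot read through the
// (HANDLE)LIST_NSIPROXY_HOOK value (presumably served by the kernel component;
// the layout is NSIPROXYDISPATCHBAKUP). Hooked entries are coloured, and when
// bIsPhysicalCheck is set only hooked entries are logged to PhysicalFile
// instead of being listed. Progress text goes to dialog item ID of m_hWnd.
// Windows 7 only (IsWindows7()); other systems get a status message and return.
// Side effects: replaces the global NsiproxyDispatchBakUp snapshot and
// re-creates the global NsiproxyImg image list.
void QueryNsipHook(HWND m_hWnd,ULONG ID,CMyList *m_list)
{
	const SIZE_T cbBackup = sizeof(NSIPROXYDISPATCHBAKUP)*IRP_MJ_MAXIMUM_FUNCTION*2;
	DWORD dwReadByte = 0;
	int i = 0;

	if (!IsWindows7())
	{
		SetDlgItemTextW(m_hWnd,ID,L"不支持当前系统Nsiproxy的枚举...");
		return;
	}
	NsiproxyImg.Create(16,16, ILC_COLOR32, 2, 100);

	SetDlgItemTextW(m_hWnd,ID,L"正在扫描Nsiproxy/Dispatch,请稍后...");

	if (bIsPhysicalCheck){
		SaveToFile("\r\n\r\n[---NSIPROXY.SYS---]\r\n",PhysicalFile);
	}
	// Release the previous snapshot. VirtualFree requires MEM_RELEASE with a
	// size of 0; the MEM_RESERVE|MEM_COMMIT flags used before are invalid for
	// it, so the call failed and every rescan leaked the old buffer.
	if (NsiproxyDispatchBakUp)
	{
		VirtualFree(NsiproxyDispatchBakUp,0,MEM_RELEASE);
		NsiproxyDispatchBakUp = 0;
	}
	NsiproxyDispatchBakUp = (PNSIPROXYDISPATCHBAKUP)VirtualAlloc(0,cbBackup,MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	if (NsiproxyDispatchBakUp)
	{
		memset(NsiproxyDispatchBakUp,0,cbBackup);

		// Best effort: if the read fails ulCount stays 0 and the loop is skipped.
		ReadFile((HANDLE)LIST_NSIPROXY_HOOK,NsiproxyDispatchBakUp,(DWORD)cbBackup,&dwReadByte,0);

		// NOTE(review): ulCount is used as delivered by the driver; the capacity
		// of the NsiproxyDispatch array is not visible here, so confirm the
		// driver bounds it to the buffer it was given.
		for (i=0;i< (int)NsiproxyDispatchBakUp->ulCount;i++)
		{
			WCHAR lpwzTextOut[100] = {0};
			wsprintfW(lpwzTextOut,L"共有 %d 个数据,正在扫描第 %d 个,请稍后...",NsiproxyDispatchBakUp->ulCount,i);
			SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);

			WCHAR lpwzNumber[256] = {0};
			WCHAR lpwzHookType[256] = {0};
			WCHAR lpwzFunction[256] = {0};
			WCHAR lpwzHookModuleImage[256] = {0};
			WCHAR lpwzCurrentNtfsDispatch[256] = {0};
			WCHAR lpwsNtfsDispatch[256] = {0};
			WCHAR lpwzHookModuleBase[256] = {0};
			WCHAR lpwzHookModuleSize[256] = {0};

			// Hooked: 0 = clean, 1 = dispatch pointer replaced, 2 = inline hook.
			switch (NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked)
			{
			case 0:
				StrCatW(lpwzHookType,L"-");
				break;
			case 1:
				StrCatW(lpwzHookType,L"nsiprroxy hook");
				break;
			case 2:
				StrCatW(lpwzHookType,L"nsiprroxy Inline hook");
				break;
			default:
				// Unknown value: leave the type column empty, as before.
				break;
			}

			wsprintfW(lpwzNumber,L"%d",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulNumber);

			// The output size is the buffer's capacity in WCHARs. The original
			// passed strlen(source), which is one short for the terminator and
			// is unbounded for over-long names; an over-long name now fails the
			// conversion and leaves lpwzHookModuleImage empty instead.
			{
				const char *lpszBaseModule = NsiproxyDispatchBakUp->NsiproxyDispatch[i].lpszBaseModule;
				if (lpszBaseModule != NULL) {
					MultiByteToWideChar(
						CP_ACP,
						0,
						lpszBaseModule,
						-1,
						lpwzHookModuleImage,
						(int)(sizeof(lpwzHookModuleImage)/sizeof(lpwzHookModuleImage[0]))
						);
				}
			}
			wsprintfW(lpwzFunction,L"%ws",NsiproxyDispatchBakUp->NsiproxyDispatch[i].lpwzNsiproxyDispatchName);
			wsprintfW(lpwzCurrentNtfsDispatch,L"0x%08X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulCurrentNsiproxyDispatch);
			wsprintfW(lpwsNtfsDispatch,L"0x%08X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulNsiproxyDispatch);
			wsprintfW(lpwzHookModuleBase,L"0x%X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulModuleBase);
			wsprintfW(lpwzHookModuleSize,L"0x%X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulModuleSize);

			WCHAR lpwzDosFullPath[256] = {0};
			WCHAR lpwzWinDir[256] = {0};
			WCHAR lpwzSysDisk[256] = {0};
			const size_t cchPath = sizeof(lpwzDosFullPath)/sizeof(lpwzDosFullPath[0]);

			// The size argument is in characters, not bytes (the original passed
			// sizeof, i.e. twice the buffer's capacity).
			GetWindowsDirectoryW(lpwzWinDir,(UINT)(sizeof(lpwzWinDir)/sizeof(lpwzWinDir[0])));
			// First two WCHARs (4 bytes): the drive letter and colon, e.g. "C:".
			memcpy(lpwzSysDisk,lpwzWinDir,4);

			// Translate the kernel-side image name into a DOS path. All appends
			// are bounded so an over-long name cannot overrun lpwzDosFullPath
			// (the original wcscat/wcsncpy calls had no bound).
			if (wcsstr(lpwzHookModuleImage,L"\\??\\"))
			{
				// NT object path: drop the "\??\" prefix.
				AppendBoundedW(lpwzDosFullPath,cchPath,lpwzHookModuleImage+wcslen(L"\\??\\"));
			}
			else if (wcsstr(lpwzHookModuleImage,L"\\WINDOWS\\system32\\"))
			{
				AppendBoundedW(lpwzDosFullPath,cchPath,lpwzSysDisk);
				AppendBoundedW(lpwzDosFullPath,cchPath,lpwzHookModuleImage);
			}
			else if (wcsstr(lpwzHookModuleImage,L"\\SystemRoot\\"))
			{
				AppendBoundedW(lpwzDosFullPath,cchPath,lpwzSysDisk);
				AppendBoundedW(lpwzDosFullPath,cchPath,L"\\WINDOWS\\");
				AppendBoundedW(lpwzDosFullPath,cchPath,lpwzHookModuleImage+wcslen(L"\\SystemRoot\\"));
			}
			else
			{
				// Bare file name: assume the drivers directory.
				AppendBoundedW(lpwzDosFullPath,cchPath,lpwzSysDisk);
				AppendBoundedW(lpwzDosFullPath,cchPath,L"\\WINDOWS\\system32\\drivers\\");
				AppendBoundedW(lpwzDosFullPath,cchPath,lpwzHookModuleImage);
			}

			// One-click check: log hooked entries to the report file only.
			if (bIsPhysicalCheck){
				if (NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked == 0){
					continue;
				}
				WCHAR lpwzSaveBuffer[1024] = {0};
				CHAR lpszSaveBuffer[2024] = {0};

				wsprintfW(lpwzSaveBuffer,L"          --> 发现Hook:ID:%ws | 当前地址:%ws | 原始地址:%ws | 函数名:%ws | 内核模块:%ws | Hook类型:%ws\r\n",
					lpwzNumber,lpwzCurrentNtfsDispatch,lpwsNtfsDispatch,lpwzFunction,lpwzDosFullPath,lpwzHookType);

				m_list->InsertItem(0,L"NSIPROXY.SYS",RGB(77,77,77));
				m_list->SetItemText(0,1,lpwzSaveBuffer);

				// Output size is the whole narrow buffer; the original passed
				// wcslen*2, which can exceed the 2024-byte buffer for long lines.
				WideCharToMultiByte( CP_ACP,
					0,
					lpwzSaveBuffer,
					-1,
					lpszSaveBuffer,
					(int)sizeof(lpszSaveBuffer),
					NULL,
					NULL
					);
				SaveToFile(lpszSaveBuffer,PhysicalFile);
				continue;
			}
			// Hooked rows are highlighted in pink, clean rows in grey.
			if (NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked == 0)
			{
				m_list->InsertItem(i,lpwzNumber,RGB(77,77,77));
			}
			else
			{
				m_list->InsertItem(i,lpwzNumber,RGB(255,20,147));
			}
			m_list->SetItemText(i,1,lpwzFunction);
			m_list->SetItemText(i,2,lpwzCurrentNtfsDispatch);
			m_list->SetItemText(i,3,lpwsNtfsDispatch);
			m_list->SetItemText(i,4,lpwzDosFullPath);
			m_list->SetItemText(i,5,lpwzHookModuleBase);
			m_list->SetItemText(i,6,lpwzHookModuleSize);
			m_list->SetItemText(i,7,lpwzHookType);

			// One icon per row: SetItemImageId(i,i) relies on image index == row.
			// shfileinfo is zeroed per iteration so a failed lookup yields a NULL
			// hIcon rather than the (already destroyed) handle of the previous row.
			SHFILEINFO shfileinfo = {0};
			::SHGetFileInfoW(lpwzDosFullPath,0,&shfileinfo,sizeof(shfileinfo),SHGFI_ICON);
			NsiproxyImg.Add(shfileinfo.hIcon);
			m_list->SetImageList(&NsiproxyImg);
			m_list->SetItemImageId(i,i);
			DestroyIcon(shfileinfo.hIcon);
		}
	}
	// i equals the number of entries walked (0 if the snapshot could not be read).
	WCHAR lpwzTextOut[100] = {0};
	wsprintfW(lpwzTextOut,L"Nsiproxy/Dispatch 扫描完毕,共有 %d 个数据",i);
	SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);
}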
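enum {
	DRIVER_STATUS_LEN = 8,   // bytes requested from the SAFE_SYSTEM handle per poll
	MAX_STATUS_POLLS  = 6    // polls (3 s apart) before giving up, as in the original goto loop
};

// Bounded narrow-string append: never writes past cap bytes of dst and leaves
// dst NUL-terminated. Input that does not fit is silently dropped.
static void AppendBoundedA(char *dst, size_t cap, const char *src)
{
	size_t used = strlen(dst);
	if (src == NULL || cap == 0 || used + 1 >= cap) {
		return;
	}
	strncat(dst, src, cap - used - 1);
}

// Reads the DRIVER_STATUS_LEN-byte handshake word through the
// (HANDLE)SAFE_SYSTEM value (presumably answered by the kernel component).
// status must hold DRIVER_STATUS_LEN + 1 bytes so the result is always
// NUL-terminated; the original read 8 bytes into an 8-byte buffer, which
// left no terminator for the strcmpi that followed.
// Best effort: if the read fails the buffer keeps "Safe", which matches
// neither "hehe" nor "call" and is therefore treated as "not ready yet".
static void ReadDriverStatus(char status[DRIVER_STATUS_LEN + 1])
{
	DWORD dwReadByte = 0;
	memset(status, 0, DRIVER_STATUS_LEN + 1);
	strcpy(status, "Safe");
	ReadFile((HANDLE)SAFE_SYSTEM, status, DRIVER_STATUS_LEN, &dwReadByte, 0);
}

// The driver answered "call": the on-disk program failed its integrity check.
// Offers the official download page, then terminates the process (never returns).
static void RefuseTamperedBinary(HWND hwndDlg)
{
	if (MessageBoxA(hwndDlg,"拒绝启动\r\n\r\n原因:无法验证当前A盾文件的完整性。文件有可能被修改、感染、或者捆绑其他程序\r\n\r\n是否前往官方下载最新版?","“A盾电脑防护”",MB_ICONERROR | MB_YESNO) == IDYES)
	{
		ShellExecuteW(0,0,L"http://www.3600safe.com/",0,0,SW_SHOW);
	}
	ExitProcess(0);
}

// Makes sure the kernel component is running. If it already answers "hehe"
// the function returns TRUE at once. Otherwise the embedded image
// (lpszKernelModule) is written to %WINDIR%\A-Protect.sys, loaded with
// LoadNTDriver, and the file and its service key are removed again; the
// handshake is then polled up to MAX_STATUS_POLLS times.
// Returns TRUE when the driver answers; every failure path shows a message
// box and calls ExitProcess(0), so FALSE is never actually returned.
BOOL Install(HWND hwndDlg)
{
	char lpszInit[DRIVER_STATUS_LEN + 1] = {0};
	char lpszWindowsPath[256] = {0};
	char lpszNumber[256] = {0};
	char lpszSrvices[256] = {0};
	char lpszAProtectRunKey[100] = {0};
	int i = 0;

	// Fast path: the driver is already resident and answering.
	ReadDriverStatus(lpszInit);
	if (_stricmp("hehe",lpszInit) == 0)
	{
		return TRUE;
	}
	if (_stricmp("call",lpszInit) == 0)
	{
		RefuseTamperedBinary(hwndDlg);
	}
	// An autorun entry means this is a boot-time start; the driver should
	// already have been loaded then, so not answering is treated as a failure.
	QueryUserAgent(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","A-Protect",lpszAProtectRunKey);
	if (strstr(lpszAProtectRunKey,"\\") != 0)
	{
		MessageBoxA(hwndDlg,"“A盾电脑防护”初始化失败:\r\n\r\n1:病毒阻止了“A盾电脑防护”的启动\r\n2:某些安全软件恢复、阻止“A盾电脑防护”的钩子\r\n3:和某些杀毒或者安全软件不兼容导致“A盾电脑防护”的初始化失败\r\n4:深度防御、深度服务扫描失败,请重新启动电脑即可。","“A盾电脑防护”",MB_ICONERROR);
		ExitProcess(0);
	}
	GetWindowsDirectoryA(
		lpszWindowsPath,
		sizeof(lpszWindowsPath)
		);
	// Service and file name of the kernel component.
	strcpy(lpszNumber,"A-Protect");

	// All path/key building is bounded; the original strcat/sprintf calls
	// could overrun the 256-byte buffers for a long Windows directory.
	AppendBoundedA(lpszSrvices,sizeof(lpszSrvices),"SYSTEM\\CurrentControlSet\\Services\\");
	AppendBoundedA(lpszSrvices,sizeof(lpszSrvices),lpszNumber);
	// Start from a clean service entry.
	SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);

	AppendBoundedA(lpszWindowsPath,sizeof(lpszWindowsPath),"\\");
	AppendBoundedA(lpszWindowsPath,sizeof(lpszWindowsPath),lpszNumber);
	AppendBoundedA(lpszWindowsPath,sizeof(lpszWindowsPath),".sys");

	BFS_WriteFile(
		lpszWindowsPath,
		lpszKernelModule,
		sizeof(lpszKernelModule)
		);
	if (GetFileAttributesA(lpszWindowsPath) == INVALID_FILE_ATTRIBUTES)
	{
		if (IsWindows7()) {
			MessageBoxA(hwndDlg,"释放驱动文件失败,win7系统下右键“以管理员身份运行”","“A盾电脑防护”",MB_ICONERROR);
		} else {
			MessageBoxA(hwndDlg,"释放驱动文件失败","“A盾电脑防护”",MB_ICONERROR);
		}
		ExitProcess(0);
	}

	if(!EnableDebugPriv(SE_LOAD_DRIVER_NAME))
	{
		DeleteFileA(lpszWindowsPath);
		MessageBoxA(hwndDlg,"没有足够的权限加载驱动!","“A盾电脑防护”",MB_ICONERROR);
		ExitProcess(0);
	}
	if (!LoadNTDriver(lpszNumber,lpszWindowsPath)){
		DeleteFileA(lpszWindowsPath);
		SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);
		MessageBoxA(hwndDlg,"加载驱动失败!","“A盾电脑防护”",MB_ICONERROR);
		ExitProcess(0);
	}
	// Once the driver is resident the image and service key are removed again.
	DeleteFileA(lpszWindowsPath);
	SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);

	// Poll the handshake: MAX_STATUS_POLLS attempts, each after a 3 s wait.
	for (i = 0; i < MAX_STATUS_POLLS; i++)
	{
		Sleep(3000);
		ReadDriverStatus(lpszInit);
		if (_stricmp("hehe",lpszInit) == 0)
		{
			return TRUE;
		}
		if (_stricmp("call",lpszInit) == 0)
		{
			RefuseTamperedBinary(hwndDlg);
		}
	}
	MessageBoxA(hwndDlg,"“A盾电脑防护”初始化失败,有可能如下原因导致:\r\n\r\n1:病毒阻止了“A盾电脑防护”的启动\r\n2:某些安全软件恢复、阻止“A盾电脑防护”的钩子\r\n3:和某些杀毒或者安全软件不兼容导致“A盾电脑防护”的初始化失败\r\n4:深度防御、深度服务扫描失败,请重新启动电脑即可。","“A盾电脑防护”",MB_ICONERROR);
	SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);
	DeleteFileA(lpszWindowsPath);
	ExitProcess(0);
	return FALSE;   // not reached: ExitProcess does not return
}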