static BOOL UnloadHive(HWND hWnd)
{
WCHAR Caption[128];
LPCWSTR pszKeyPath;
HKEY hRootKey;
LONG regUnloadResult;
/* get the item key to unload */
pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hRootKey);
/* load and set the caption and flags for dialog */
LoadStringW(hInst, IDS_UNLOAD_HIVE, Caption, COUNT_OF(Caption));
/* Enable the 'restore' privilege, unload the hive, disable the privilege */
EnablePrivilege(SE_RESTORE_NAME, NULL, TRUE);
regUnloadResult = RegUnLoadKeyW(hRootKey, pszKeyPath);
EnablePrivilege(SE_RESTORE_NAME, NULL, FALSE);
if(regUnloadResult == ERROR_SUCCESS)
{
/* refresh tree and list views */
RefreshTreeView(g_pChildWnd->hTreeWnd);
pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hRootKey);
RefreshListView(g_pChildWnd->hListWnd, hRootKey, pszKeyPath);
}
else
{
ErrorMessageBox(hWnd, Caption, regUnloadResult);
return FALSE;
}
return TRUE;
}
static BOOL LoadHive(HWND hWnd)
{
OPENFILENAME ofn;
WCHAR Caption[128];
LPCWSTR pszKeyPath;
WCHAR xPath[LOADHIVE_KEYNAMELENGTH];
HKEY hRootKey;
WCHAR Filter[1024];
FILTERPAIR filter;
/* get the item key to load the hive in */
pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hRootKey);
/* initialize the "open file" dialog */
InitOpenFileName(hWnd, &ofn);
/* build the "All Files" filter up */
filter.DisplayID = IDS_FLT_ALLFILES;
filter.FilterID = IDS_FLT_ALLFILES_FLT;
BuildFilterStrings(Filter, &filter, 1);
ofn.lpstrFilter = Filter;
/* load and set the caption and flags for dialog */
LoadStringW(hInst, IDS_LOAD_HIVE, Caption, COUNT_OF(Caption));
ofn.lpstrTitle = Caption;
ofn.Flags |= OFN_ENABLESIZING;
/* ofn.lCustData = ;*/
/* now load the hive */
if (GetOpenFileName(&ofn))
{
if (DialogBoxParamW(hInst, MAKEINTRESOURCEW(IDD_LOADHIVE), hWnd,
&LoadHive_KeyNameInHookProc, (LPARAM)xPath))
{
LONG regLoadResult;
/* Enable the 'restore' privilege, load the hive, disable the privilege */
EnablePrivilege(SE_RESTORE_NAME, NULL, TRUE);
regLoadResult = RegLoadKeyW(hRootKey, xPath, ofn.lpstrFile);
EnablePrivilege(SE_RESTORE_NAME, NULL, FALSE);
if(regLoadResult == ERROR_SUCCESS)
{
/* refresh tree and list views */
RefreshTreeView(g_pChildWnd->hTreeWnd);
pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hRootKey);
RefreshListView(g_pChildWnd->hListWnd, hRootKey, pszKeyPath);
}
else
{
ErrorMessageBox(hWnd, Caption, regLoadResult);
return FALSE;
}
}
}
else
{
CheckCommDlgError(hWnd);
}
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
HMODULE hinstLib=LoadLibrary(L"ntdll.dll");
if (hinstLib == NULL)
goto END;
myZwSystemDebugControl = (_MY_ZwSystemDebugControl)GetProcAddress(hinstLib, "ZwSystemDebugControl");
if (!myZwSystemDebugControl)
{
printf("GetProcAddress ZwSystemDebugControl - error!\n");
goto END;
}
DBGKD_GET_INTERNAL_BREAKPOINT bp[20];
ULONG n;
EnablePrivilege(SE_DEBUG_NAME);
NTSTATUS status = myZwSystemDebugControl(DebugGetTraceInformation,
0, 0, bp, sizeof bp, &n);
if ( NT_SUCCESS(status) )
printf("ZwSystemDebugControl succeeded!\n");
else
printf("ZwSystemDebugControl failed - 0x%08X\n", status );
END:
if (hinstLib)
FreeLibrary(hinstLib);
return 0;
}
inline void EnableAllPrivileges()
{
for (auto i = SE_MIN_WELL_KNOWN_PRIVILEGE; i <= SE_MAX_WELL_KNOWN_PRIVILEGE; ++i)
{
EnablePrivilege(i);
}
}
bool HookProcess(LPCWSTR lpAppName)
{
bool bRet = false;
EnablePrivilege(SE_DEBUG_NAME);
DWORD Pid = FindSpecificProcess(lpAppName);
if (!Pid)
{
LogMsg("Can not find specific process: %S\n", lpAppName);
return false;
}
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, Pid);
if(NULL == hProcess)
{
LogMsg("Open %S failed %d\n", lpAppName, GetLastError());
return false;
}
//TODO: best to make sure winlogon.exe not loaded Win32HookExplorerDll.dll before inject.
//Sometimes we restart MMRService in service management, in this case there is no need to inject.
if (bRet = InjectThread(hProcess))
{
LogMsg("Inject %S success\n", lpAppName);
}
CloseHandle(hProcess);
return bRet;
}
void updatdChess() //更新棋盘数据至 chessdata
{
if (!EnablePrivilege ())
{
MyMessageBox ("EnablePrivilege", GetLastError ());
}
//获取窗口句柄
HWND gameh=::FindWindowA(NULL,g_ChessInfo.caption);
//获取窗口进程ID
DWORD processid;
::GetWindowThreadProcessId(gameh,&processid);
//打开指定进程
HANDLE processH=::OpenProcess(PROCESS_ALL_ACCESS,false,processid);
//读指定进程 内存数据
DWORD byread;
//LPCVOID pbase=(LPCVOID)0x0012A508; //棋盘数据基址
LPVOID nbuffer=(LPVOID)&chessdata; //存放棋盘数据
DWORD dwOldProtect;
if(!VirtualProtectEx (processH , g_ChessInfo.lpQPBase, sizeof (chessdata), PAGE_READWRITE, &dwOldProtect)){
MyMessageBox ("VirtualProtectEx", GetLastError ());
}
::ReadProcessMemory(processH,g_ChessInfo.lpQPBase,nbuffer,11*19,&byread);
DWORD dwNewProtect;
if(!VirtualProtectEx (processH, g_ChessInfo.lpQPBase, sizeof (chessdata), dwOldProtect, &dwNewProtect)){
MyMessageBox ("VirtualProtectEx2", GetLastError ());
}
}
int APCCallbacktoInject(_TCHAR* DLLName, DWORD ProcessID)
{
//提升进程权限
if (int rtMsg = EnablePrivilege() != 0)
return rtMsg;
HANDLE hOProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
if (hOProcess != NULL)
{
_TCHAR* pLibRemote = (_TCHAR*)VirtualAllocEx(hOProcess, NULL, 2 * wcslen(DLLName) + 1, MEM_COMMIT, PAGE_READWRITE);
if (pLibRemote != NULL)
{
if (!WriteProcessMemory(hOProcess, pLibRemote, DLLName, 2 * wcslen(DLLName) + 1, NULL))
{
PAPCFUNC pAPCFuncAddr = (PAPCFUNC)GetProcAddress(GetModuleHandle(L"Kernel32"), "LoadLibraryW");
DWORD dTid = GetTIDbyPID(ProcessID);
if (dTid != NULL && pAPCFuncAddr != NULL)
{
HANDLE hoThread = OpenThread(THREAD_ALL_ACCESS, FALSE, dTid);
if (!QueueUserAPC(pAPCFuncAddr, hoThread, (ULONG_PTR)pLibRemote))
{
wprintf(L"%s\n", L"Inject sucessful!");
}
}
}
}
}
return 0;
}
/****************************************************
* Unload injected library from the remote process. *
****************************************************/
int EjectDll()
{
HANDLE hThread;
HANDLE hProcess;
DWORD dwPID;
DWORD dwRetFreeLibrary;
// Enable DEBUG privilege
if (!EnablePrivilege(SE_DEBUG_NAME, TRUE))
return 0;
// Get remote process id
dwPID = GetPIDFromName(szProcessName);
if (dwPID == -1)
return 0;
// Open remote process
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
if (hProcess == NULL)
return 0;
// Unload the DLL from the remote process
// (via CreateRemoteThread & FreeLibrary)
hThread = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary"),
(void*)hLibModule,
0,
NULL );
// Failed to unload
if (hThread == NULL)
return 0;
// Wait for FreeLibrary() to finish and get return code
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, &dwRetFreeLibrary);
CloseHandle(hThread);
CloseHandle(hProcess);
// Disable DEBUG privilege
EnablePrivilege(SE_DEBUG_NAME, FALSE);
return (dwRetFreeLibrary);
}
//参数是要弹出的盘符如:G,F
bool CUsbHelper::UnInstallUsb(char szDriveName)
{
DWORD accessMode = 0, shareMode = 0;
HANDLE hDevice;
ULONG returned = 0,bResult = 0;
DWORD dwError;
shareMode = FILE_SHARE_READ | FILE_SHARE_WRITE; // default
accessMode = GENERIC_WRITE | GENERIC_READ; // default
if (szDriveName == 0)
{
return FALSE;
}
CString vol_string = _T("\\\\.\\G:");
vol_string.SetAt(4, szDriveName);
hDevice = CreateFile(vol_string,
accessMode, shareMode, NULL, OPEN_EXISTING, 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
CString debugInfo;
dwError = GetLastError();
debugInfo.Format(_T("error = %d "), dwError);
TRACE(_T("IOCTL_STORAGE_EJECT_MEDIA errorcode = %d \n"), dwError);
return FALSE;
}
//弹出U盘的具体命令。
bResult = DeviceIoControl(hDevice, IOCTL_STORAGE_EJECT_MEDIA,
NULL, 0, NULL, 0,&returned, NULL);
if (!bResult) // IOCTL failed //经实验,有时虽然失败了,U盘还是能弹出
{
CString debugInfo;
dwError = GetLastError();
debugInfo.Format(_T("error = %d "), dwError);
TRACE(_T("IOCTL_STORAGE_EJECT_MEDIA errorcode = %d \n"), dwError);
}
bResult = CloseHandle(hDevice);
if (!bResult)
{
CString debugInfo;
dwError = GetLastError();
debugInfo.Format(_T("error = %d "), dwError);
TRACE(_T("IOCTL_STORAGE_EJECT_MEDIA errorcode = %d \n"), dwError);
return FALSE;
}
EnablePrivilege(SE_DEBUG_NAME, TRUE);
ClearUsbRegKey(szDriveName);
return TRUE;
}
PrivilegeEnabler::PrivilegeEnabler(std::vector<std::wstring> const & privileges)
{
_areAllPrivilegesEnabled = true;
for (auto i = privileges.begin(); i != privileges.end(); ++i)
{
if (EnablePrivilege((*i).c_str(), TRUE) == FALSE)
{
_areAllPrivilegesEnabled = false;
}
}
}
BOOL _RefCountedPriviledgeHolder::EnablePrivilegeForCurrentProcess(LPCTSTR szPrivName, BOOL fEnable)
{
HANDLE hToken;
BOOL result = FALSE;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
result = EnablePrivilege(hToken, szPrivName, fEnable);
CloseHandle(hToken);
}
return result;
}
int _tmain(int argc, _TCHAR* argv[])
{
// 提升权限
EnablePrivilege(TRUE);
// 打开进程
HWND hwnd = FindWindow(_T("BASE"), _T("搶曽嵁庫揱丂乣 Legacy of Lunatic Kingdom. ver 1.00b")); // 日文编码就是这样...
DWORD pid;
GetWindowThreadProcessId(hwnd, &pid);
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (process == NULL)
{
printf("打开进程失败,错误代码:%u\n", GetLastError());
return 1;
}
// 要将TH15Render.dll放在本程序当前目录下
TCHAR dllPath[MAX_PATH]; // 要用绝对路径
GetCurrentDirectory(_countof(dllPath), dllPath);
_tcscat_s(dllPath, _T("\\TH15Render.dll"));
// 注入DLL
HMODULE remoteModule = InjectDll(process, dllPath);
if (remoteModule == NULL)
{
CloseHandle(process);
return 2;
}
// 暂停
printf("按回车卸载DLL\n");
getchar();
// 卸载DLL
if (!FreeRemoteDll(process, remoteModule))
{
CloseHandle(process);
return 3;
}
// 关闭进程
CloseHandle(process);
return 0;
}
void CTask::SendTask(SOCKET sock)
{
MSGINFO_S msg;
TASK task;
memset(&msg, 0, sizeof(MSGINFO_S));
msg.Msg_id = TASKLIST;
DWORD needed;
HANDLE hProcess;
HMODULE hModule;
wchar_t path[260] = _T("");
HANDLE hToken;
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
EnablePrivilege(hToken,SE_DEBUG_NAME); //尝试提升权限
Process32First(hProcessSnap, &pe32);
do
{
memset(&task, 0, sizeof(TASK));
memset(msg.context, 0, sizeof(msg.context));
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pe32.th32ProcessID);
if (hProcess)
{
EnumProcessModules(hProcess, &hModule, sizeof(hModule), &needed);
GetModuleFileNameExW(hProcess, hModule, path, sizeof(path));
wcscpy_s(task.TaskPath, _countof(path), path);
}
wcscpy_s(task.TaskName, _countof(pe32.szExeFile), pe32.szExeFile); //进程名
task.TaskID = pe32.th32ProcessID;
task.flag = false;
memcpy(msg.context, &task, sizeof(TASK));
m_sock.MySend(sock, (char*)&msg, sizeof(MSGINFO_S));
} while (Process32Next(hProcessSnap, &pe32));
}
CloseHandle(hProcess);
CloseHandle(hModule);
task.flag = true;
memcpy(msg.context, &task, sizeof(TASK));
m_sock.MySend(sock, (char*)&msg, sizeof(MSGINFO_S));
}
void GrantAllPrivs(HANDLE h)
{
Log(L"DEBUG: GrantAllPrivs", false);
CString privs = L"SeCreateTokenPrivilege,SeAssignPrimaryTokenPrivilege,SeLockMemoryPrivilege,SeIncreaseQuotaPrivilege,SeMachineAccountPrivilege,"
L"SeTcbPrivilege,SeSecurityPrivilege,SeTakeOwnershipPrivilege,SeLoadDriverPrivilege,SeSystemProfilePrivilege,SeSystemtimePrivilege,SeProfileSingleProcessPrivilege,"
L"SeIncreaseBasePriorityPrivilege,SeCreatePagefilePrivilege,SeCreatePermanentPrivilege,SeBackupPrivilege,SeRestorePrivilege,SeShutdownPrivilege,SeDebugPrivilege,"
L"SeAuditPrivilege,SeSystemEnvironmentPrivilege,SeChangeNotifyPrivilege,SeRemoteShutdownPrivilege,SeUndockPrivilege,SeSyncAgentPrivilege,SeEnableDelegationPrivilege,"
L"SeManageVolumePrivilege,SeImpersonatePrivilege,SeCreateGlobalPrivilege,SeTrustedCredManAccessPrivilege,SeRelabelPrivilege,SeIncreaseWorkingSetPrivilege,"
L"SeTimeZonePrivilege,SeCreateSymbolicLinkPrivilege";
wchar_t* pC = wcstok(privs.LockBuffer(), L",");
while(NULL != pC)
{
EnablePrivilege(pC, h); //needed to call CreateProcessAsUser
pC = wcstok(NULL, L",");
}
}
int isModuleUsedByProcess(DWORD dwPID, LPCTSTR szLibrary, bool *found)
{
int iReturnCode = DIAGLIB_OK;
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
*found=false;
EnablePrivilege(SE_DEBUG_NAME);
if(INVALID_HANDLE_VALUE == ( hModuleSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID)))
{
LOG_LASTERROR(L"CreateToolhelp32Snapshot failed");
return RETURN_LOG_INTERNAL_ERROR;
}
me32.dwSize = sizeof(MODULEENTRY32);
if (!Module32First (hModuleSnap, &me32))
{
LOG_LASTERROR(L"Module32First failed");
if(!CloseHandle( hModuleSnap ))
{
LOG_LASTERROR(L"CloseHandle failed");
}
return RETURN_LOG_INTERNAL_ERROR;
}
do
{
if (!lstrcmpi(szLibrary, me32.szModule))
{
*found=true;
break;
}
} while (Module32Next(hModuleSnap, &me32));
if(!CloseHandle( hModuleSnap ))
{
LOG_LASTERROR(L"CloseHandle failed");
}
return iReturnCode;
}
/*************************************
* int WinMain(
* HINSTANCE hInstance,
* HINSTANCE hPrevInstance,
* LPSTR lpCmdLine,
* int nCmdShow
* )
**************************************/
int WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow
)
{
DWORD dwPID;
// 提权,获取SE_DEBUG_NAME权限,
// 可以在其他进程的内存空间中写入、创建线程
if(0!=EnablePrivilege (SE_DEBUG_NAME))
return 0;
// 获取目录进程的PID
if(!GetProcessIdByName("explorer.exe",&dwPID))
return 0;
// 通过创建远程线程加载DLL
// 将msg.dll放置在系统目录下
if(!LoadRometeDll(dwPID,"msg.dll"))
return 0;
return 1;
}
int RemoteToInject(_TCHAR* DLLName, DWORD ProcessID)
{
//DWORD ThreadId = GetTIDbyPID(ProcessID);
//进程提取
if (int rt = EnablePrivilege() != 0)
return rt;
HANDLE hOprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
if (hOprocess != NULL)
{
_TCHAR* pLibFileRemote = (_TCHAR*)VirtualAllocEx(hOprocess, NULL, 2 * wcslen(DLLName) + 1, MEM_COMMIT, PAGE_READWRITE);
if (pLibFileRemote != NULL)
{
if (!WriteProcessMemory(hOprocess, (void*)pLibFileRemote, DLLName, 2 * wcslen(DLLName) + 1, NULL))
return GetLastError();
//Get LoadLibraryW Address
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32"), "LoadLibraryW");
if (pfnStartAddr != NULL)
{
HANDLE hRemote = CreateRemoteThread(hOprocess, NULL, 0, pfnStartAddr, (PVOID)pLibFileRemote, 0, NULL);
if (hRemote != NULL)
{
wprintf(L"%s\n", L"Inject sucessful!");
WaitForSingleObject(hRemote, INFINITE);
wprintf(L"%s\n", L"The inject was killed!");
if (!VirtualFreeEx(hOprocess, pLibFileRemote, 0, MEM_RELEASE))
return GetLastError();
}
else
return GetLastError();
}
}
else
return GetLastError();
}
else
return GetLastError();
return 0;
}
bool isModuleUsedByProcess(DWORD dwPID, LPCTSTR szLibrary)
{
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
bool bFound=false;
EnablePrivilege(SE_DEBUG_NAME);
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
if (hModuleSnap == (HANDLE) - 1)
{
return false;
}
me32.dwSize = sizeof(MODULEENTRY32);
if (!Module32First (hModuleSnap, &me32))
{
CloseHandle(hModuleSnap);
return false;
}
do
{
if (!lstrcmpi(szLibrary, me32.szModule))
{
bFound=true;
break;
}
} while (Module32Next(hModuleSnap, &me32));
CloseHandle(hModuleSnap);
return bFound;
}
/* Main entry for program */
int wmain(int argc, WCHAR *argv[])
{
DWORD error = ERROR_SUCCESS;
struct CommandLineOptions opts;
if (argc == 1) /* i.e. no commandline arguments given */
{
PrintResourceString(IDS_USAGE);
return EXIT_SUCCESS;
}
error = ParseArguments(&opts, argc, argv);
if (error != ERROR_SUCCESS)
{
DisplayError(error);
return EXIT_FAILURE;
}
/* If the user wants to abort a shutdown */
if (opts.abort)
{
/* First, the program has to determine if the shutdown/restart is local
or remote. This is done since each one requires separate privileges. */
if (opts.remote_system == NULL)
EnablePrivilege(SE_SHUTDOWN_NAME, TRUE);
else
EnablePrivilege(SE_REMOTE_SHUTDOWN_NAME, TRUE);
/* Abort the delayed system shutdown specified. */
if (!AbortSystemShutdownW(opts.remote_system))
{
PrintResourceString(IDS_ERROR_ABORT);
DisplayError(GetLastError());
return EXIT_FAILURE;
}
else
{
return EXIT_SUCCESS;
}
}
/*
* If the user wants to hibernate the computer. Assume
* that the user wants to wake the computer up from
* hibernation and it should not force it on the system.
*/
if (opts.hibernate)
{
if (IsPwrHibernateAllowed())
{
EnablePrivilege(SE_SHUTDOWN_NAME, TRUE);
/* The shutdown utility cannot hibernate remote systems */
if (opts.remote_system != NULL)
{
return EXIT_FAILURE;
}
if (!SetSuspendState(TRUE, FALSE, FALSE))
{
PrintResourceString(IDS_ERROR_HIBERNATE);
DisplayError(GetLastError());
return EXIT_FAILURE;
}
else
{
PrintResourceString(IDS_ERROR_HIBERNATE_ENABLED);
return EXIT_SUCCESS;
}
}
else
{
return EXIT_FAILURE;
}
}
/* Both shutdown and restart flags cannot both be true */
if (opts.shutdown && opts.restart)
{
PrintResourceString(IDS_ERROR_SHUTDOWN_REBOOT);
return EXIT_FAILURE;
}
/* Ensure that the timout amount is not too high or a negative number */
if ((opts.shutdown_delay < 0) || (opts.shutdown_delay > MAX_TIMEOUT))
{
PrintResourceString(IDS_ERROR_TIMEOUT, opts.shutdown_delay);
return EXIT_FAILURE;
}
/* If the user wants a GUI environment */
if (opts.show_gui)
{
if (ShutdownGuiMain(opts))
return EXIT_SUCCESS;
else
return EXIT_FAILURE;
}
if (opts.logoff && (opts.remote_system == NULL))
{
/*
* NOTE: Sometimes, shutdown and logoff are used together. If the logoff
* flag is used by itself, then simply logoff. But if used with shutdown,
* then skip logging off of the computer and eventually go to the action
* for shutdown.
*/
if (!opts.shutdown && !opts.restart)
{
EnablePrivilege(SE_SHUTDOWN_NAME, TRUE);
if (ExitWindowsEx(EWX_LOGOFF, opts.reason))
{
return EXIT_SUCCESS;
}
else
{
PrintResourceString(IDS_ERROR_LOGOFF);
DisplayError(GetLastError());
return EXIT_FAILURE;
}
}
}
/*
* Since both shutting down the system and restarting calls the exact same
* function, all we need to know is if we wanted to restart or shutdown.
*/
if (opts.shutdown || opts.restart)
{
/*
* First, the program has to determine if the shutdown/restart is local
* or remote. This is done since each one requires separate privileges.
*/
if (opts.remote_system == NULL)
{
EnablePrivilege(SE_SHUTDOWN_NAME, TRUE);
}
else
{
/* TODO: Remote shutdown is not supported yet */
// EnablePrivilege(SE_REMOTE_SHUTDOWN_NAME, TRUE);
return EXIT_SUCCESS;
}
/**
** HACK: When InitiateSystemShutdownExW will become really implemented,
** activate this line and delete the other...
**
if(!InitiateSystemShutdownExW(opts.remote_system,
opts.message,
opts.shutdown_delay,
opts.force,
opts.restart,
opts.reason))
***/
if (!ExitWindowsEx((opts.shutdown ? EWX_SHUTDOWN : EWX_REBOOT) |
(opts.force ? EWX_FORCE : 0),
opts.reason))
{
/*
* If there is an error, give the proper output depending
* on whether the user wanted to shutdown or restart.
*/
if (opts.restart)
PrintResourceString(IDS_ERROR_RESTART);
else
PrintResourceString(IDS_ERROR_SHUTDOWN);
DisplayError(GetLastError());
return EXIT_FAILURE;
}
else
{
return EXIT_SUCCESS;
}
}
return EXIT_SUCCESS;
}
int EjectCode ()
{
HANDLE hProcess; // Remote process handle
DWORD *pCodeRemote; // Address of EjectFunc() in the remote process
HANDLE hThread = NULL; // The handle and ID of the thread executing
DWORD dwThreadId = 0; // the remote EjectFunc().
int nSuccess = 0; // EjectFunc() success ?
DWORD dwNumBytesCopied = 0; // Number of bytes written to the remote process.
DWORD size; // Calculated function size (= AfterFunc() - Func())
// Enable Debug privilege (needed for some processes)
EnablePrivilege(SE_DEBUG_NAME, TRUE);
// Remote INDATA and SASWindowProc() must exist
if (!pDataRemote || !pSASWinProcRemote)
return 0;
// Open the process
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
if (hProcess == NULL)
return 0;
// Allocate memory in the remote process and write a copy of EjectFunc() to the allocated memory
size = (PBYTE)AfterEjectFunc - (PBYTE)EjectFunc;
pCodeRemote = (PDWORD) VirtualAllocEx(hProcess, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pCodeRemote)
{
CloseHandle(hProcess);
return 0;
}
if (!WriteProcessMemory(hProcess, pCodeRemote, &EjectFunc, size, &dwNumBytesCopied) || dwNumBytesCopied != size)
{
VirtualFreeEx(hProcess, pCodeRemote, 0, MEM_RELEASE);
CloseHandle(hProcess);
return 0;
}
// Start execution of the remote EjectFunc()
hThread = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE) pCodeRemote,
pDataRemote,
0 ,
&dwThreadId);
// Failed
if (!hThread)
{
goto END;
}
// Wait for EjectFunc() to terminate and get return code
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, (PDWORD) &nSuccess);
// Failed to restore old window procedure ?
// Then leave INJDATA and the SASWindowProc()
if (nSuccess == 0)
goto END;
// Release memory for remote INJDATA and SASWindowProc()
if (pDataRemote)
VirtualFreeEx(hProcess, pDataRemote, 0, MEM_RELEASE);
if (pSASWinProcRemote)
VirtualFreeEx(hProcess, pSASWinProcRemote, 0, MEM_RELEASE);
pDataRemote = NULL;
pSASWinProcRemote = NULL;
// MessageBeep(0); // success
END:
if (hThread)
CloseHandle(hThread);
// Release EjectFunc() memory
if (pCodeRemote)
VirtualFreeEx(hProcess, pCodeRemote, 0, MEM_RELEASE);
CloseHandle(hProcess);
// Disable the DEBUG privilege
EnablePrivilege(SE_DEBUG_NAME, FALSE);
return nSuccess; // 0=failure; 1=success
}
int InjectCode ()
{
HANDLE hProcess = 0; // Process handle
HMODULE hUser32 = 0; // Handle of user32.dll
BYTE *pCodeRemote; // Address of InjectFunc() in the remote process.
BYTE *pGetSASWndRemote; // Address of GetSASWnd() in the remote process.
HANDLE hThread = 0; // The handle and ID of the thread executing
DWORD dwThreadId = 0; // the remote InjectFunc().
INJDATA DataLocal; // INJDATA structure
BOOL fUnicode; // TRUE if remote process is Unicode
int nSuccess = 0; // Subclassing succeded?
DWORD dwNumBytesCopied = 0; // Number of bytes written to the remote process.
DWORD size; // Calculated function size (= AfterFunc() - Func())
int SearchSize; // SASWindowProc() dummy addr. search size
int nDummyOffset; // Offset in SASWindowProc() of dummy addr.
BOOL FoundDummyAddr; // Dummy INJDATA reference found in SASWindowProc() ?
HWND hSASWnd; // Window handle of Winlogon process
BYTE *p;
// Enable Debug privilege (needed for some processes)
if (!EnablePrivilege(SE_DEBUG_NAME, TRUE))
return 0;
// Get handle of "USER32.DLL"
hUser32 = GetModuleHandle("user32");
if (!hUser32)
return 0;
// Get remote process ID
PID = GetPIDFromName(szProcessName);
if (PID == -1)
return 0;
// Open remote process
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
if (!hProcess)
return 0;
__try
{
// Initialize INJDATA for GetSASWnd() call
strcpy(DataLocal.szClassName, "SAS Window class");
strcpy(DataLocal.szWindowName, "SAS window");
DataLocal.fnFindWindow = (FINDWINDOW) GetProcAddress(hUser32, "FindWindowA");
if (DataLocal.fnFindWindow == NULL)
__leave;
// Allocate memory in the remote process and write a copy of initialized INJDATA into it
size = sizeof(INJDATA);
pDataRemote = (PBYTE) VirtualAllocEx(hProcess, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pDataRemote)
__leave;
if (!WriteProcessMemory(hProcess, pDataRemote, &DataLocal, size, &dwNumBytesCopied) || dwNumBytesCopied != size)
__leave;
// Allocate memory in remote process and write a copy of GetSASWnd() into it
size = (PBYTE)AfterGetSASWnd - (PBYTE)GetSASWnd;
pGetSASWndRemote = (PBYTE) VirtualAllocEx(hProcess, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pGetSASWndRemote)
__leave;
if (!WriteProcessMemory(hProcess, pGetSASWndRemote, &GetSASWnd, size, &dwNumBytesCopied) || dwNumBytesCopied != size)
__leave;
// Start execution of remote GetSASWnd()
hThread = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE) pGetSASWndRemote,
pDataRemote,
0 ,
&dwThreadId);
// Failed
if (!hThread)
__leave;
// Wait for GetSASWnd() to terminate and get return code (SAS Wnd handle)
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, (PDWORD) &hSASWnd);
// Didn't found "SAS window"
if (!hSASWnd)
__leave;
// Cleanup
VirtualFreeEx(hProcess, pGetSASWndRemote, 0, MEM_RELEASE);
VirtualFreeEx(hProcess, pDataRemote, 0, MEM_RELEASE);
pGetSASWndRemote = NULL;
pDataRemote = NULL;
// Allocate memory in remote process and write a copy of SASWindowProc() into it
size = (PBYTE)AfterSASWindowProc - (PBYTE)SASWindowProc;
pSASWinProcRemote = (PBYTE) VirtualAllocEx(hProcess, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pSASWinProcRemote)
__leave;
if (!WriteProcessMemory(hProcess, pSASWinProcRemote, &SASWindowProc, size, &dwNumBytesCopied) || dwNumBytesCopied != size)
__leave;
// Is remote process unicode ?
fUnicode = IsWindowUnicode(hSASWnd);
// Initialize the INJDATA structure
DataLocal.fnSetWindowLong = (SETWINDOWLONG) GetProcAddress(hUser32, fUnicode ? "SetWindowLongW" : "SetWindowLongA");
DataLocal.fnCallWindowProc = (CALLWINDOWPROC) GetProcAddress(hUser32, fUnicode ? "CallWindowProcW": "CallWindowProcA");
DataLocal.fnSASWndProc = (WNDPROC) pSASWinProcRemote;
DataLocal.hwnd = hSASWnd;
if (DataLocal.fnSetWindowLong == NULL ||
DataLocal.fnCallWindowProc == NULL)
{
__leave;
}
// Allocate memory in the remote process and write a copy of initialized INJDATA into it
size = sizeof(INJDATA);
pDataRemote = (PBYTE) VirtualAllocEx(hProcess, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pDataRemote)
__leave;
if (!WriteProcessMemory(hProcess, pDataRemote, &DataLocal, size, &dwNumBytesCopied) || dwNumBytesCopied != size)
__leave;
// Change dummy INJDATA address in SASWindowProc() by the real INJDATA pointer
p = (PBYTE)&SASWindowProc;
size = (PBYTE)AfterSASWindowProc - (PBYTE)SASWindowProc;
SearchSize = size - sizeof(DWORD) + 1;
FoundDummyAddr = FALSE;
for (; SearchSize > 0; p++, SearchSize--)
{
if (*(DWORD *)p == DUMMY_ADDR) // Found
{
nDummyOffset = p - (PBYTE)&SASWindowProc;
if (!WriteProcessMemory(hProcess, pSASWinProcRemote + nDummyOffset, &pDataRemote, sizeof(pDataRemote), &dwNumBytesCopied) ||
dwNumBytesCopied != sizeof(pDataRemote))
{
__leave;
}
FoundDummyAddr = TRUE;
break;
}
}
// Couldn't change the dummy INJDATA addr. by the real addr. in SASWindowProc() !?!
// Don't execute the remote copy of SASWindowProc() because the pData pointer is invalid !
if (!FoundDummyAddr)
{
__leave;
}
// Allocate memory in the remote process and write a copy of InjectFunc() to the allocated memory
size = (PBYTE)AfterInjectFunc - (PBYTE)InjectFunc;
pCodeRemote = (PBYTE) VirtualAllocEx(hProcess, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pCodeRemote)
__leave;
if (!WriteProcessMemory(hProcess, pCodeRemote, &InjectFunc, size, &dwNumBytesCopied) || dwNumBytesCopied != size)
__leave;
// Start execution of remote InjectFunc()
hThread = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE) pCodeRemote,
pDataRemote,
0 ,
&dwThreadId);
if (!hThread)
__leave;
// Wait for InjectFunc() to terminate and get return code
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, (PDWORD) &nSuccess);
// InjectFunc() successfull
// if (nSuccess)
// MessageBeep(0);
}
__finally
{
// Failed ?
if (!nSuccess)
{
// Release memory for INJDATA and SASWindowProc()
if (pDataRemote)
VirtualFreeEx(hProcess, pDataRemote, 0, MEM_RELEASE);
if (pSASWinProcRemote)
VirtualFreeEx(hProcess, pSASWinProcRemote, 0, MEM_RELEASE);
pDataRemote = NULL;
pSASWinProcRemote = NULL;
}
// Release remote GetSASWnd()
if (pGetSASWndRemote)
VirtualFreeEx(hProcess, pGetSASWndRemote, 0, MEM_RELEASE);
// Release remote InjectFunc() (no longer needed)
if (pCodeRemote)
VirtualFreeEx(hProcess, pCodeRemote, 0, MEM_RELEASE);
if (hThread)
CloseHandle(hThread);
}
CloseHandle(hProcess);
// Disable the DEBUG privilege
EnablePrivilege(SE_DEBUG_NAME, FALSE);
return nSuccess; // 0=failure; 1=success
}
//
// Create a primary access token for specified user account
//
HANDLE CreateToken(LPCTSTR szUserName)
{
SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
SECURITY_QUALITY_OF_SERVICE sqos = { sizeof(sqos), SecurityAnonymous, SECURITY_STATIC_TRACKING, FALSE };
HANDLE hToken;
PSID sid;
TOKEN_USER user;
LUID authid = SYSTEM_LUID;
OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, &sqos };
TOKEN_SOURCE source = {{'*', '*', 'A', 'N', 'O', 'N', '*', '*'}, {0, 0}};
HANDLE hToken2 = 0;
PTOKEN_STATISTICS stats;
PVOID tokarr[5];
int i;
DWORD status;
// Get address of Nt/ZwCreateToken from NTDLL.DLL
ZwCreateToken = (PVOID)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwCreateToken");
RtlNtStatusToDosError = (PVOID)GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlNtStatusToDosError");
if(ZwCreateToken == 0 || RtlNtStatusToDosError == 0)
return 0;
// Must have SeCreateToken privilege
if(!EnablePrivilege(SE_CREATE_TOKEN_NAME, TRUE)){
DBG("EnablePrivilege failed\n");
}
// Use an existing process token as our basic for a new token
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_QUERY_SOURCE, &hToken))
return 0;
// Convert username to a SID
if((sid = GetUserSid(szUserName)) == 0)
{
CloseHandle(hToken);
return 0;
}
user.User.Attributes = 0;
user.User.Sid = sid;
if(!AllocateLocallyUniqueId(&source.SourceIdentifier))
{
free(sid);
CloseHandle(hToken);
return 0;
}
if(!GetTokenInfo(hToken, TokenStatistics, &stats))
{
free(sid);
CloseHandle(hToken);
return 0;
}
//
// Undocumented ZwCreateToken service: will not work for us
// under WIN2003, will need to do this from WINLOGON process in future?
//
status = ZwCreateToken(&hToken2, TOKEN_ALL_ACCESS, &oa, TokenPrimary,
(PLUID)&authid,
(PLARGE_INTEGER)&stats->ExpirationTime,
&user,
(PTOKEN_GROUPS) GetTokenInfo(hToken, TokenGroups, &tokarr[0]),
(PTOKEN_PRIVILEGES) GetTokenInfo(hToken, TokenPrivileges, &tokarr[1]),
(PTOKEN_OWNER) GetTokenInfo(hToken, TokenOwner, &tokarr[2]),
(PTOKEN_PRIMARY_GROUP) GetTokenInfo(hToken, TokenPrimaryGroup, &tokarr[3]),
(PTOKEN_DEFAULT_DACL) GetTokenInfo(hToken, TokenDefaultDacl, &tokarr[4]),
&source);
for(i = 0; i < 5; i++)
free(tokarr[i]);
free(stats);
free(sid);
CloseHandle(hToken);
SetLastError(RtlNtStatusToDosError(status));
return hToken2;
}
BOOL ExportRegistryFile(HWND hWnd)
{
BOOL bRet = FALSE;
OPENFILENAME ofn;
WCHAR ExportKeyPath[_MAX_PATH] = {0};
WCHAR Caption[128], szTitle[512], szText[512];
HKEY hKeyRoot;
LPCWSTR pszKeyPath;
/* Figure out which key path we are exporting */
pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hKeyRoot);
GetKeyName(ExportKeyPath, COUNT_OF(ExportKeyPath), hKeyRoot, pszKeyPath);
InitOpenFileName(hWnd, &ofn);
LoadStringW(hInst, IDS_EXPORT_REG_FILE, Caption, COUNT_OF(Caption));
ofn.lpstrTitle = Caption;
/* Only set the path if a key (not the root node) is selected */
if (hKeyRoot != 0)
{
ofn.lCustData = (LPARAM) ExportKeyPath;
}
ofn.Flags = OFN_ENABLETEMPLATE | OFN_EXPLORER | OFN_ENABLEHOOK | OFN_OVERWRITEPROMPT;
ofn.lpfnHook = ExportRegistryFile_OFNHookProc;
ofn.lpTemplateName = MAKEINTRESOURCEW(IDD_EXPORTRANGE);
if (GetSaveFileName(&ofn))
{
switch (ofn.nFilterIndex)
{
case 2: /* Registry Hive Files */
{
LONG lResult;
HKEY hSubKey;
/* Open the subkey */
lResult = RegOpenKeyExW(hKeyRoot, pszKeyPath, 0, KEY_READ, &hSubKey);
if (lResult == ERROR_SUCCESS)
{
/* Enable the 'backup' privilege, save the hive then disable the privilege */
EnablePrivilege(SE_BACKUP_NAME, NULL, TRUE);
lResult = RegSaveKeyW(hSubKey, ofn.lpstrFile, NULL);
if (lResult == ERROR_ALREADY_EXISTS)
{
/*
* We are here, that means that we already said "yes" to the confirmation dialog.
* So we absolutely want to replace the hive file.
*/
if (DeleteFileW(ofn.lpstrFile))
{
/* Try again */
lResult = RegSaveKeyW(hSubKey, ofn.lpstrFile, NULL);
}
}
EnablePrivilege(SE_BACKUP_NAME, NULL, FALSE);
if (lResult != ERROR_SUCCESS)
{
/*
* If we are here, it's because RegSaveKeyW has failed for any reason.
* The problem is that even if it has failed, it has created or
* replaced the exported hive file with a new empty file. We don't
* want to keep this file, so we delete it.
*/
DeleteFileW(ofn.lpstrFile);
}
/* Close the subkey */
RegCloseKey(hSubKey);
}
/* Set the return value */
bRet = (lResult == ERROR_SUCCESS);
/* Display error, if any */
if (!bRet) ErrorMessageBox(hWnd, Caption, lResult);
break;
}
case 1: /* Windows Registry Editor Version 5.00 */
case 3: /* REGEDIT4 */
default: /* All files ==> use Windows Registry Editor Version 5.00 */
{
if (!export_registry_key(ofn.lpstrFile, ExportKeyPath,
(ofn.nFilterIndex == 3 ? REG_FORMAT_4
: REG_FORMAT_5)))
{
/* Error creating the file */
LoadStringW(hInst, IDS_APP_TITLE, szTitle, COUNT_OF(szTitle));
LoadStringW(hInst, IDS_EXPORT_ERROR, szText, COUNT_OF(szText));
InfoMessageBox(hWnd, MB_OK | MB_ICONERROR, szTitle, szText, ofn.lpstrFile);
bRet = FALSE;
}
else
{
bRet = TRUE;
}
break;
}
}
}
else
{
CheckCommDlgError(hWnd);
}
return bRet;
}
static BOOL ImportRegistryFile(HWND hWnd)
{
BOOL bRet = FALSE;
OPENFILENAME ofn;
WCHAR Caption[128], szTitle[512], szText[512];
HKEY hKeyRoot;
LPCWSTR pszKeyPath;
/* Figure out in which key path we are importing */
pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hKeyRoot);
InitOpenFileName(hWnd, &ofn);
LoadStringW(hInst, IDS_IMPORT_REG_FILE, Caption, COUNT_OF(Caption));
ofn.lpstrTitle = Caption;
ofn.Flags |= OFN_ENABLESIZING;
/* ofn.lCustData = ;*/
if (GetOpenFileName(&ofn))
{
/* Look at the extension of the file to determine its type */
if (ofn.nFileExtension >= 1 &&
_wcsicmp(ofn.lpstrFile + ofn.nFileExtension, L"reg") == 0) /* REGEDIT4 or Windows Registry Editor Version 5.00 */
{
/* Open the file */
FILE* fp = _wfopen(ofn.lpstrFile, L"r");
/* Import it */
if (fp == NULL || !import_registry_file(fp))
{
/* Error opening the file */
LoadStringW(hInst, IDS_APP_TITLE, szTitle, COUNT_OF(szTitle));
LoadStringW(hInst, IDS_IMPORT_ERROR, szText, COUNT_OF(szText));
InfoMessageBox(hWnd, MB_OK | MB_ICONERROR, szTitle, szText, ofn.lpstrFile);
bRet = FALSE;
}
else
{
/* Show successful import */
LoadStringW(hInst, IDS_APP_TITLE, szTitle, COUNT_OF(szTitle));
LoadStringW(hInst, IDS_IMPORT_OK, szText, COUNT_OF(szText));
InfoMessageBox(hWnd, MB_OK | MB_ICONINFORMATION, szTitle, szText, ofn.lpstrFile);
bRet = TRUE;
}
/* Close the file */
if (fp) fclose(fp);
}
else /* Registry Hive Files */
{
LoadStringW(hInst, IDS_QUERY_IMPORT_HIVE_CAPTION, szTitle, COUNT_OF(szTitle));
LoadStringW(hInst, IDS_QUERY_IMPORT_HIVE_MSG, szText, COUNT_OF(szText));
/* Display a confirmation message */
if (MessageBoxW(g_pChildWnd->hWnd, szText, szTitle, MB_ICONWARNING | MB_YESNO) == IDYES)
{
LONG lResult;
HKEY hSubKey;
/* Open the subkey */
lResult = RegOpenKeyExW(hKeyRoot, pszKeyPath, 0, KEY_WRITE, &hSubKey);
if (lResult == ERROR_SUCCESS)
{
/* Enable the 'restore' privilege, restore the hive then disable the privilege */
EnablePrivilege(SE_RESTORE_NAME, NULL, TRUE);
lResult = RegRestoreKey(hSubKey, ofn.lpstrFile, REG_FORCE_RESTORE);
EnablePrivilege(SE_RESTORE_NAME, NULL, FALSE);
/* Flush the subkey and close it */
RegFlushKey(hSubKey);
RegCloseKey(hSubKey);
}
/* Set the return value */
bRet = (lResult == ERROR_SUCCESS);
/* Display error, if any */
if (!bRet) ErrorMessageBox(hWnd, Caption, lResult);
}
}
}
else
{
CheckCommDlgError(hWnd);
}
/* refresh tree and list views */
RefreshTreeView(g_pChildWnd->hTreeWnd);
pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hKeyRoot);
RefreshListView(g_pChildWnd->hListWnd, hKeyRoot, pszKeyPath);
return bRet;
}
//todo: grab the bug fixes from v2 to speed up and prevent can not close error in debug mode. ignore callback
int __stdcall EnumMutex(char* outPath){
int cnt=0;
EnablePrivilege(SE_DEBUG_NAME);
HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
if (!hNtDll) return -1;
PZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = (PZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, "ZwQuerySystemInformation");
PZWDUPLICATEOBJECT ZwDuplicateObject = (PZWDUPLICATEOBJECT)GetProcAddress(hNtDll, "ZwDuplicateObject");
PZWQUERYOBJECT ZwQueryObject = (PZWQUERYOBJECT)GetProcAddress(hNtDll, "ZwQueryObject");
if( (int)ZwQuerySystemInformation == 0 || (int)ZwDuplicateObject == 0 || (int)ZwQueryObject == 0) return -2;
ULONG n = 0x1000;
PULONG p = new ULONG[n];
FILE *f = fopen(outPath,"w");
if(f == NULL) return -3;
while (ZwQuerySystemInformation(SystemHandleInformation, p, n * sizeof *p, 0) == STATUS_INFO_LENGTH_MISMATCH){
delete [] p;
p = new ULONG[n *= 2];
}
PSYSTEM_HANDLE_INFORMATION h = PSYSTEM_HANDLE_INFORMATION(p + 1);
for (ULONG i = 0; i < *p; i++){
HANDLE hObject;
OBJECT_BASIC_INFORMATION obi;
HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, h[i].ProcessId);
if (ZwDuplicateObject(hProcess, HANDLE(h[i].Handle), NtCurrentProcess(), &hObject, 0, 0, DUPLICATE_SAME_ATTRIBUTES)!= STATUS_SUCCESS){
continue;
}
ZwQueryObject(hObject, ObjectBasicInformation, &obi, sizeof obi, &n);
n = obi.TypeInformationLength + 2;
POBJECT_TYPE_INFORMATION oti = POBJECT_TYPE_INFORMATION(new CHAR[n]);
ZwQueryObject(hObject, ObjectTypeInformation, oti, n, &n);
if(oti[0].Name.Length > 0 && wcscmp(oti[0].Name.Buffer,L"Mutant")==0){
n = obi.NameInformationLength == 0 ? MAX_PATH * sizeof (WCHAR) : obi.NameInformationLength;
POBJECT_NAME_INFORMATION oni = POBJECT_NAME_INFORMATION(new CHAR[n]);
NTSTATUS rv = ZwQueryObject(hObject, ObjectNameInformation, oni, n, &n);
if (NT_SUCCESS(rv)){
if(oni[0].Name.Length > 0){
fprintf(f,"%ld ", h[i].ProcessId);
fprintf(f,"%.*ws\r\n", oni[0].Name.Length / 2, oni[0].Name.Buffer);
cnt++;
}
}
}
CloseHandle(hObject);
CloseHandle(hProcess);
}
delete [] p;
fclose(f);
return cnt;
}
int __stdcall EnumMutex2(_CollectionPtr *pColl, void* doEventsCallback){
int cnt=0;
char buf[600];
NTSTATUS rv;
vbCallback doEvents = (vbCallback)doEventsCallback;
if(pColl==0 || *pColl == 0) return -4;
EnablePrivilege(SE_DEBUG_NAME);
HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
if (!hNtDll) return -1;
PZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = (PZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, "ZwQuerySystemInformation");
PZWDUPLICATEOBJECT ZwDuplicateObject = (PZWDUPLICATEOBJECT)GetProcAddress(hNtDll, "ZwDuplicateObject");
PZWQUERYOBJECT ZwQueryObject = (PZWQUERYOBJECT)GetProcAddress(hNtDll, "ZwQueryObject");
if( (int)ZwQuerySystemInformation == 0 || (int)ZwDuplicateObject == 0 || (int)ZwQueryObject == 0) return -2;
ULONG n = 0x1000;
PULONG p = new ULONG[n];
while (ZwQuerySystemInformation(SystemHandleInformation, p, n * sizeof *p, 0) == STATUS_INFO_LENGTH_MISMATCH){
delete [] p;
p = new ULONG[n *= 2];
}
PSYSTEM_HANDLE_INFORMATION h = PSYSTEM_HANDLE_INFORMATION(p + 1);
for (ULONG i = 0; i < *p; i++){
HANDLE hObject = 0;
OBJECT_BASIC_INFORMATION obi;
HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, h[i].ProcessId);
if(hProcess == 0)
continue;
//kept getting NtClose was called on a handle that was protected from close via NtSetInformationObject.
//also this is much faster by eliminating the DUPLICATE_SAME_ATTRIBUTES flag..no need to use the doevents callback?
if (ZwDuplicateObject(hProcess, HANDLE(h[i].Handle), NtCurrentProcess(), &hObject, 0, 0, /*DUPLICATE_SAME_ATTRIBUTES*/ NULL)!= STATUS_SUCCESS)
continue;
rv = ZwQueryObject(hObject, ObjectBasicInformation, &obi, sizeof obi, &n);
if(!NT_SUCCESS(rv))
continue;
n = obi.TypeInformationLength + 2;
POBJECT_TYPE_INFORMATION oti = POBJECT_TYPE_INFORMATION(new CHAR[n]);
rv = ZwQueryObject(hObject, ObjectTypeInformation, oti, n, &n);
if(!NT_SUCCESS(rv))
continue;
if(oti[0].Name.Length > 0 && wcscmp(oti[0].Name.Buffer,L"Mutant")==0){
n = obi.NameInformationLength == 0 ? MAX_PATH * sizeof (WCHAR) : obi.NameInformationLength;
POBJECT_NAME_INFORMATION oni = POBJECT_NAME_INFORMATION(new CHAR[n]);
rv = ZwQueryObject(hObject, ObjectNameInformation, oni, n, &n);
if (NT_SUCCESS(rv)){
if(oni[0].Name.Length > 0){
_snprintf(buf, sizeof(buf)-1, "%ld %ls", h[i].ProcessId, oni[0].Name.Buffer);
addStr(*pColl,buf);
cnt++;
}
}
}
//_snprintf(buf, sizeof(buf), "i=%d hObject=%x hProcess=%x\r\n",i,hObject,hProcess);
//OutputDebugString(buf);
if( (int)doEvents != 0 && i > 0 && i%5 == 0 )
doEvents("");
if(hObject !=0) CloseHandle(hObject);
if(hProcess!=0) CloseHandle(hProcess);
}
delete [] p;
return cnt;
}
HANDLE CreateUserToken(const char *userName,
const char *domainName, const char *sourceName)
{
debug2("-> CreateUserToken()...");
HMODULE hNtDll = NULL;
NtCreateTokenPtr NtCreateToken = NULL;
HANDLE token = INVALID_HANDLE_VALUE;
/*
* These are compounds of user's access token structure.
* The goal is setup these strutures and combine them
* into one access token using NtCreateToken() WINAPI function.
*/
LUID authId = SYSTEM_LUID;
TOKEN_USER userToken;
PTOKEN_GROUPS groupsToken = NULL;
PTOKEN_PRIVILEGES pPrivToken = NULL;
TOKEN_OWNER ownerToken;
TOKEN_PRIMARY_GROUP primaryGroupToken;
TOKEN_SOURCE sourceToken;
PTOKEN_DEFAULT_DACL pDaclToken = NULL;
LARGE_INTEGER expirationTime = {0xFFFFFFFF, 0x7FFFFFFF};
OBJECT_ATTRIBUTES oa;
/*
* Temporary variables
*/
SECURITY_QUALITY_OF_SERVICE sqos =
{
sizeof(sqos),
SecurityAnonymous,
SECURITY_STATIC_TRACKING,
FALSE
};
int i;
size_t size = 0;
wchar_t *userNameW = NULL;
DWORD cbSize;
HANDLE hProcToken = NULL;
/*
* Variables to handle error codes.
*/
int exitCode = 1;
int ntStat = 0;
/*
* Make wide char version of user's name.
*/
size = (strlen(userName) + 1) * sizeof(wchar_t);
userNameW = (wchar_t *) LocalAlloc(LPTR, size);;
swprintf(userNameW, L"%hs", userName);
/*
* Give needed privilege to current running process
*/
debug("Enabling privilege to current running process...");
EnablePrivilege("SeTcbPrivilege", 1);
EnablePrivilege("SeChangeNotifyPrivilege", 1);
EnablePrivilege("SeIncreaseQuotaPrivilege", 1);
EnablePrivilege("SeAssignPrimaryTokenPrivilege", 1);
EnablePrivilege("SeCreateTokenPrivilege", 1);
/*
* Create TOKEN_USER part
*/
debug("Setting up TOKEN_USER...");
FAIL(GetSidW(&userToken.User.Sid, userNameW));
userToken.User.Attributes = 0;
/*
* Create TOKEN_OWNER part. We assume Owner = User.
*/
debug("Setting up TOKEN_OWNER...");
FAIL(GetSidW(&ownerToken.Owner, userNameW));
/*
* Create TOKEN_SOURCE part
*/
debug("Setting up TOKEN_SOURCE...");
FAIL(AllocateLocallyUniqueId(&sourceToken.SourceIdentifier) == FALSE);
size = min(strlen(sourceName), 8);
memcpy(sourceToken.SourceName, "********", 8);
memcpy(sourceToken.SourceName, sourceName, size);
/*
* Create TOKEN_GROUPS part
*/
debug("Setting up TOKEN_GROUPS...");
FAIL(SetupTokenGroups(&groupsToken, userNameW));
/*
* Create TOKEN_PRIVILEGES part
*/
debug("Setting up TOKEN_PRIVILEGES...");
FAIL(SetupTokenPrivileges(&pPrivToken, userToken.User.Sid));
/*
* Create TOKEN_PRIMARY_GROUP part
*/
debug("Setting up TOKEN_PRIMARY GROUP...");
primaryGroupToken.PrimaryGroup = EveryoneSID();
/*
* Setup object attributes
*/
memset(&oa, 0, sizeof(oa));
oa.Length = sizeof(oa);
oa.SecurityQualityOfService = &sqos;
/*
* Setup TOKEN_DEFAULT_DACL part.
*/
debug("Setting up TOKEN_DEFAULT_DACL...");
debug("Opening current process's token...");
FAIL(OpenProcessToken(GetCurrentProcess(),
TOKEN_QUERY | TOKEN_QUERY_SOURCE,
&hProcToken) == FALSE);
debug("Retrieving TOKEN_DEFAULT_DACL...");
GetTokenInformation(hProcToken, TokenDefaultDacl, NULL, 0, &cbSize);
pDaclToken = LocalAlloc(LPTR, cbSize);
FAIL(GetTokenInformation(hProcToken, TokenDefaultDacl,
pDaclToken, cbSize, &cbSize) == FALSE);
/*
* Print debug info about parts
*/
//PrintPartsInfo(&token, TOKEN_ALL_ACCESS, &oa,
// TokenPrimary, &authId, &expirationTime,
// &userToken, groupsToken, pPrivToken,
// &ownerToken, &primaryGroupToken,
// pDaclToken, &sourceToken);
/*
* Retrieve address of NtCreateToken() function.
*/
debug("Retrieving NtCreateToken() address...");
hNtDll = GetModuleHandle("ntdll.dll");
FAIL(hNtDll == NULL);
NtCreateToken = (NtCreateTokenPtr) GetProcAddress(hNtDll, "NtCreateToken");
FAIL(NtCreateToken == NULL);
/*
* Create new user acces token from parts setted up above.
*/
debug("Creating token from parts...");
ntStat = NtCreateToken(&token, TOKEN_ALL_ACCESS, &oa,
TokenPrimary, &authId, &expirationTime,
&userToken, groupsToken, pPrivToken,
&ownerToken, &primaryGroupToken,
pDaclToken, &sourceToken);
FAIL(ntStat);
/*
* Add rights to use 'default' desktop and WinStation0.
*/
if (AddRightsToDesktopBySid(userToken.User.Sid))
{
debug("WARNING. Cannot add rights to 'winsta0\\default'!");
}
exitCode = 0;
fail:
/*
* Free allocated memory
*/
debug2("Freeing groupsToken...");
if (groupsToken)
{
/*
* We don't need to test were SIDs allocated correctly,
* becouse FreeSid() do it.
*/
for (i = 0; i < groupsToken -> GroupCount; i++)
{
FreeSid(groupsToken -> Groups[i].Sid);
}
LocalFree(groupsToken);
}
debug2("Freeing local buffers...");
LocalFree(userNameW);
LocalFree(pDaclToken);
LocalFree(pPrivToken);
debug2("Freeing SIDs...");
FreeSid(userToken.User.Sid);
FreeSid(ownerToken.Owner);
FreeSid(primaryGroupToken.PrimaryGroup);
debug2("Closing hProcToken...");
CloseHandle(hProcToken);
debug2("Closing hNtDll...");
CloseHandle(hNtDll);
/*
* Something was wrong.
*/
if (exitCode)
{
debug("ERROR. Cannot create user's acces token. (err = %u, ntStat = %x)",
GetLastError(), ntStat);
}
debug2("<- CreateUserToken()...");
return token;
}
/*****************************************
* Load a library into a remote process. *
*****************************************/
int InjectDll()
{
HANDLE hThread; // Thread handle
HANDLE hProcess; // Process handle
DWORD dwPID; // Process ID
char szLibPath[MAX_PATH]; // Full DLL path
void *pLibRemote; // Address (in the remote process) where szLibPath will be copied to
// Enable DEBUG privilege
if (!EnablePrivilege(SE_DEBUG_NAME, TRUE))
return 0;
// Get remote process id
dwPID = GetPIDFromName(szProcessName);
if (dwPID == -1)
return 0;
// Open remote process
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
if (hProcess == NULL)
return 0;
// Get full path of the DLL
if (!GetModuleFileName(hInst, szLibPath, MAX_PATH))
return 0;
strcpy(strrchr(szLibPath, '\\') + 1 , szDllName);
// Allocate memory in the remote process to store the szLibPath string
pLibRemote = VirtualAllocEx(hProcess, NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE);
if (pLibRemote == NULL)
return 0;
// Copy the szLibPath string to the remote process.
if (!WriteProcessMemory(hProcess, pLibRemote, (void*)szLibPath, sizeof(szLibPath), NULL))
return 0;
// Load the DLL into the remote process
// (via CreateRemoteThread() & LoadLibrary())
hThread = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA"),
pLibRemote,
0,
NULL);
// Failed
if(hThread == NULL)
{
VirtualFreeEx(hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE);
return 0;
}
// Wait for LoadLibrary() to finish and get return code (handle of loaded library)
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, &hLibModule);
CloseHandle(hThread);
CloseHandle(hProcess);
// Free remote memory for szLibPath
VirtualFreeEx(hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE);
// Remote LoadLibrary() failed
if (!hLibModule)
return 0;
// Disable DEBUG privilege
EnablePrivilege(SE_DEBUG_NAME, FALSE);
return 1;
}
int KillProcess(const wchar_t *process)
{
int iReturnCode = RETURN_OK;
LOG(L"Ask for killing %s\n",process);
bool bNone= true;
do
{
bool bFound= false;
DWORD pid=0;
EnablePrivilege(SE_DEBUG_NAME);
HANDLE hndl = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
DWORD dwsma = GetLastError();
PROCESSENTRY32 procEntry={0};
procEntry.dwSize = sizeof( PROCESSENTRY32 );
Process32First(hndl,&procEntry);
do
{
if(!_wcsicmp(procEntry.szExeFile,process))
{
bFound = true;
bNone = false;
pid = procEntry.th32ProcessID;
break;
}
} while(Process32Next(hndl,&procEntry));
CloseHandle( hndl );
//Kill the process
if(bFound)
{
HANDLE hHandle = NULL;
if(NULL != (hHandle = ::OpenProcess(PROCESS_TERMINATE,0,procEntry.th32ProcessID)))
{
DWORD dwExitCode = 0;
if(::TerminateProcess(hHandle,dwExitCode))
{
::GetExitCodeProcess(hHandle,&dwExitCode);
LOG(L" --> FOUND and KILLED pid=%ld (Return code = %ld)\n",pid,dwExitCode);
}
else
{
LOG(L" --> ERROR - Failed to kill pid=%ld (Error code from TerminateProcess = %ld)\n",pid,GetLastError());
iReturnCode = RETURN_ERR_KILLPROCESS_FAILED;
}
CloseHandle( hHandle );
Sleep(500);
}
else
{
LOG(L" --> ERROR - Failed to kill pid=%ld (Error code from OpenProcess = %ld)\n",pid,GetLastError());
iReturnCode = RETURN_ERR_KILLPROCESS_FAILED;
}
}
else
{
break;
}
if(iReturnCode!=RETURN_OK)
break;
} while(1);
if(bNone) LOG(L" --> NOT FOUND\n");
LOG(L"\n");
return iReturnCode;
}
////////////////////////////////////////////////////////////////////////////////////////////////
///////////////////////////// PRIVATE FUNCTIONS ////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////////
int processFillList(Proc_LIST *processList, const wchar_t *processName)
{
int iReturnCode = DIAGLIB_OK;
if(processList == NULL)
{
return RETURN_LOG_BAD_FUNCTION_CALL;
}
if(processName)
{
LOG_TIME(L"Ask for process list (with name = %ls) --> ",processName);
}
else
{
LOG_TIME(L"Ask for list of all process --> ");
}
processList->clear();
EnablePrivilege(SE_DEBUG_NAME);
HANDLE hndl;
if(INVALID_HANDLE_VALUE == ( hndl=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0)))
{
LOG_LASTERROR(L"CreateToolhelp32Snapshot failed");
return RETURN_LOG_INTERNAL_ERROR;
}
PROCESSENTRY32 procEntry={0};
procEntry.dwSize = sizeof( PROCESSENTRY32 );
//Get progressMax if request
int progressMax = 0;
if (!Process32First(hndl, &procEntry))
{
LOG_LASTERROR(L"Process32First failed");
if(!CloseHandle( hndl ))
{
LOG_LASTERROR(L"CloseHandle failed");
}
return RETURN_LOG_INTERNAL_ERROR;
}
do
{
progressMax++;
} while (Process32Next(hndl, &procEntry));
if(!Process32First(hndl,&procEntry))
{
LOG_LASTERROR(L"Process32First failed");
if(!CloseHandle( hndl ))
{
LOG_LASTERROR(L"CloseHandle failed");
}
return RETURN_LOG_INTERNAL_ERROR;
}
progressInit(progressMax);
do
{
if(procEntry.th32ProcessID != 0)
{
if(processName == NULL)
{
processList->push_back(procEntry.th32ProcessID);
}
else if(0 == _wcsicmp(procEntry.szExeFile,processName))
{
processList->push_back(procEntry.th32ProcessID);
}
}
progressIncrement();
} while(Process32Next(hndl,&procEntry));
progressRelease();
if(!CloseHandle( hndl ))
{
LOG_LASTERROR(L"CloseHandle failed");
}
if(processList->size() == 0)
{
LOG(L"NO PROCESS FOUND\n");
}
else
{
LOG(L"pid=");
for (unsigned long i=0; i < processList->size() ; i++)
{
LOG(L"%ld,",processList->at(i));
}
LOG(L"DONE\n");
}
return iReturnCode;
}