PLARGE_UNICODE_STRING LargeStringAnsiToUnicode(PLARGE_UNICODE_STRING LargeAnsiString, PLARGE_UNICODE_STRING LargeUnicodeString) { if (LargeAnsiString == NULL) return NULL; if (!LargeAnsiString->Ansi) return LargeStringDuplicate(LargeAnsiString, LargeUnicodeString); ANSI_STRING AnsiString; UNICODE_STRING UnicodeString; AnsiString.Buffer = LargeAnsiString->AnsiBuffer; AnsiString.Length = LargeAnsiString->Length; AnsiString.MaximumLength = LargeAnsiString->MaximumLength; if (NT_FAILED(RtlAnsiStringToUnicodeString(&UnicodeString, &AnsiString, TRUE))) return NULL; LargeUnicodeString->Ansi = FALSE; LargeUnicodeString->Length = UnicodeString.Length; LargeUnicodeString->MaximumLength = UnicodeString.MaximumLength; LargeUnicodeString->Buffer = (ULONG64)UnicodeString.Buffer; return LargeUnicodeString; }
ULONG WINAPI QqGetModuleFileNameExW( HANDLE Process, PVOID Module, PWSTR Filename, ULONG Size ) { ULONG Length; PWSTR File; NTSTATUS Status; PROCESS_BASIC_INFORMATION BasicInfo; static WCHAR QQProtect[] = L"QQProtect.exe"; Length = StubGetModuleFileNameExW(Process, (HMODULE)Module, Filename, Size); if (Length == 0 || Filename == nullptr || Size == 0) return Length; Status = NtQueryInformationProcess(Process, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), nullptr); if (NT_FAILED(Status) || BasicInfo.UniqueProcessId != CurrentPid()) return Length; File = findnamew(Filename); CopyStruct(File, QQProtect, sizeof(QQProtect)); return File - Filename + CONST_STRLEN(QQProtect); }
BOOL Initialize(PVOID BaseAddress) { if (NT_FAILED(CheckIsExplorer())) return FALSE; AllocConsole(); // PrintConsoleW(L"session id %d\n", GetCurrentSessionId()); /* if (CurrentPeb()->OSMajorVersion > 5) switch (GetCurrentSessionId()) { case 0: case INVALID_SESSION_ID: return FALSE; } */ LdrDisableThreadCalloutsForDll(BaseAddress); LdrAddRefDll(LDR_ADDREF_DLL_PIN, BaseAddress); Ps::CreateThread( ThreadLambdaType_(PVOID) { return HookCallCreateProcess(); }, nullptr );
PLARGE_UNICODE_STRING LargeStringDuplicate(PLARGE_UNICODE_STRING LargeString, PLARGE_UNICODE_STRING Destination) { union { ANSI_STRING Ansi; UNICODE_STRING Unicode; }; union { ANSI_STRING NewAnsi; UNICODE_STRING NewUnicode; }; if (LargeString->Ansi) return NULL; InitStringFromLargeString(&Unicode, LargeString); if (NT_FAILED(RtlDuplicateUnicodeString(RTL_DUPSTR_ADD_NULL, &Unicode, &NewUnicode))) return NULL; Destination->Ansi = FALSE; Destination->Length = NewUnicode.Length; Destination->MaximumLength = NewUnicode.MaximumLength; Destination->UnicodeBuffer = NewUnicode.Buffer; return Destination; }
BOOL NTAPI SpeedUpCreateProcessW( PCWSTR ApplicationName, PWSTR CommandLine, PSECURITY_ATTRIBUTES ProcessAttributes, PSECURITY_ATTRIBUTES ThreadAttributes, BOOL InheritHandles, ULONG CreationFlags, PVOID Environment, PCWSTR CurrentDirectory, LPSTARTUPINFOW StartupInfo, PPROCESS_INFORMATION ProcessInformation ) { BOOL Success; PWSTR CmdLine; NTSTATUS Status; PWSTR Entry; LOOP_ONCE { PrintConsoleW( L"Application: %s\n" L"Commandline: %s\n\n", ApplicationName, CommandLine ); if (!IsHookStartEnabled()) continue; Entry = LookupGameInfo(ApplicationName); if (Entry == NULL) break; PrintConsoleW(L"game name: %s\n", Entry); Status = GenerateXlAccCommandLine(&CmdLine, Entry, ApplicationName, CommandLine); if (NT_FAILED(Status)) break; PrintConsoleW(L"cmdline: %s\n", CmdLine); Success = (*Shell32CreateProcessWIAT)(NULL, CmdLine, ProcessAttributes, ThreadAttributes, InheritHandles, CreationFlags, Environment, CurrentDirectory, StartupInfo, ProcessInformation); ReleaseXlAccCommandLine(CmdLine); if (!Success) break; return Success; } return (*Shell32CreateProcessWIAT)(ApplicationName, CommandLine, ProcessAttributes, ThreadAttributes, InheritHandles, CreationFlags, Environment, CurrentDirectory, StartupInfo, ProcessInformation); }
BOOL InitializeNetapi32() { PVOID module; NTSTATUS Status; PLDR_MODULE Self, Netapi32; UNICODE_STRING SystemRoot; PVOID LoaderLockCookie; LdrLockLoaderLock(0, nullptr, &LoaderLockCookie); SCOPE_EXIT { LdrUnlockLoaderLock(0, LoaderLockCookie); } SCOPE_EXIT_END; Self = FindLdrModuleByHandle(&__ImageBase); if (Self == nullptr || Self->DllBase != &__ImageBase) return TRUE; Status = Rtl::GetSystemDirectory(&SystemRoot); if (NT_FAILED(Status)) return 0; module = Ldr::LoadDll(String(SystemRoot) + L"wtsapi32.dll"); RtlFreeUnicodeString(&SystemRoot); LdrAddRefDll(LDR_ADDREF_DLL_PIN, module); *(PVOID *)&StubWTSFreeMemory = GetRoutineAddress(module, "WTSFreeMemory"); *(PVOID *)&StubWTSQuerySessionInformationW = GetRoutineAddress(module, "WTSQuerySessionInformationW"); *(PVOID *)&StubWTSRegisterSessionNotification = GetRoutineAddress(module, "WTSRegisterSessionNotification"); *(PVOID *)&StubWTSUnRegisterSessionNotification = GetRoutineAddress(module, "WTSUnRegisterSessionNotification"); Netapi32 = FindLdrModuleByHandle(module); //RemoveEntryList(&Self->InLoadOrderLinks); //RemoveEntryList(&Self->InMemoryOrderLinks); //RemoveEntryList(&Self->InInitializationOrderLinks); //RtlFreeHeap(CurrentPeb()->ProcessHeap, 0, Self); Self->DllBase = Netapi32->DllBase; Self->EntryPoint = Netapi32->EntryPoint; Self->SizeOfImage = Netapi32->SizeOfImage; return TRUE; }
EXTC NTSTATUS NTAPI Initialize() { NTSTATUS status; if (helper != nullptr) return STATUS_SUCCESS; helper = new iTunesHelper; //Rtl::SetExeDirectoryAsCurrent(); status = helper->iTunesInitialize(); if (NT_FAILED(status)) { ExceptionBox(L"init iTunes failed"); return status; } return status; }
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath) { NTSTATUS status; WDF_DRIVER_CONFIG config; WDF_OBJECT_ATTRIBUTES attributes; #if defined(_DEBUG) || defined(DBG) // if (TRUE == KdRefreshDebuggerNotPresent()) // return STATUS_UNSUCCESSFUL;// For the time being, don't load the driver if no debugger is attached // DbgBreakPoint(); if (FALSE == KdRefreshDebuggerNotPresent()) DbgBreakPoint(); #endif // Initialize WPP Tracing WPP_INIT_TRACING( DriverObject, RegistryPath ); WPP_FLAG_LEVEL_ENABLED(MYDRIVER_ALL_INFO, TRACE_LEVEL_VERBOSE); TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, "UsbCfgCtrl>> DriverEntry " __DATE__ " " __TIME__ "\r\n"); // Register a cleanup callback so that we can call WPP_CLEANUP when the framework driver object is deleted during driver unload. WDF_OBJECT_ATTRIBUTES_INIT(&attributes); attributes.EvtCleanupCallback = [](IN WDFOBJECT DriverObject) { TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, "%!FUNC! Entry"); // Stop WPP Tracing WPP_CLEANUP(WdfDriverWdmGetDriverObject((WDFDRIVER)DriverObject)); }; WDF_DRIVER_CONFIG_INIT(&config, UsbCfgDevice::CreateDevice);// UsbCfgCtrlEvtDeviceAdd); status = WdfDriverCreate(DriverObject, RegistryPath, &attributes, &config, WDF_NO_HANDLE); if (NT_FAILED(status)) { TraceEvents(TRACE_LEVEL_ERROR, TRACE_DRIVER, "WdfDriverCreate failed %!STATUS!\r\n", status); WPP_CLEANUP(DriverObject); return status; } TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, "%!FUNC! Exit\r\n"); return status; }
BOOL InitializeNetapi32() { PVOID module; NTSTATUS Status; PLDR_MODULE Self, Netapi32; UNICODE_STRING SystemRoot; if (StubNetbios != nullptr) return TRUE; Status = Rtl::GetSystemDirectory(&SystemRoot); if (NT_FAILED(Status)) return 0; module = Ldr::LoadDll(ml::String(SystemRoot) + L"netapi32.dll"); RtlFreeUnicodeString(&SystemRoot); LdrAddRefDll(LDR_ADDREF_DLL_PIN, module); *(PVOID *)&StubNetbios = GetRoutineAddress(module, "Netbios"); *(PVOID *)&StubNetApiBufferFree = GetRoutineAddress(module, "NetApiBufferFree"); *(PVOID *)&StubNetWkstaTransportEnum = GetRoutineAddress(module, "NetWkstaTransportEnum"); *(PVOID *)&StubNetWkstaUserGetInfo = GetRoutineAddress(module, "NetWkstaUserGetInfo"); Self = FindLdrModuleByHandle(&__ImageBase); Netapi32 = FindLdrModuleByHandle(module); //RemoveEntryList(&Self->InLoadOrderLinks); //RemoveEntryList(&Self->InMemoryOrderLinks); //RemoveEntryList(&Self->InInitializationOrderLinks); //RtlFreeHeap(CurrentPeb()->ProcessHeap, 0, Self); Self->DllBase = Netapi32->DllBase; Self->EntryPoint = Netapi32->EntryPoint; Self->SizeOfImage = Netapi32->SizeOfImage; return TRUE; }
HANDLE NTAPI AoFindFirstFileA(PCSTR FileName, PWIN32_FIND_DATAA FindFileData) { NTSTATUS Status; HANDLE FindHandle; WCHAR OriginalPath[MAX_NTPATH], HookedPath[MAX_NTPATH]; ML_FIND_DATA FindData; Status = QueryFirstFile( &FindHandle, GetFileName(HookedPath, countof(HookedPath), OriginalPath, countof(OriginalPath), FileName), &FindData ); FindFileData->cFileName[0] = 0; if (NT_FAILED(Status)) return NULL; UnicodeToAnsi(FindFileData->cFileName, countof(FindFileData->cFileName), FindData.FileName); return FindHandle; }
NTSTATUS LeGlobalData::InitRegistryRedirection(PREGISTRY_REDIRECTION_ENTRY64 Entry64, ULONG_PTR Count, PVOID BaseAddress) { NTSTATUS Status; PLEPEB LePeb; PREGISTRY_REDIRECTION_ENTRY Entry; if (Count == 0) return STATUS_NO_MORE_ENTRIES; LePeb = this->GetLePeb(); #pragma push_macro("USTR64ToUSTR") #undef USTR64ToUSTR #define USTR64ToUSTR(ustr64) UNICODE_STRING({ ustr64.Length, ustr64.MaximumLength, PtrAdd(ustr64.Buffer, BaseAddress) }); REGISTRY_REDIRECTION_ENTRY LocalEntry; FOR_EACH(Entry64, Entry64, Count) { ULONG_PTR LastIndex; HANDLE OriginalKey, RedirectedKey; UNICODE_STRING KeyFullPath; OriginalKey = nullptr; RedirectedKey = nullptr; Status = Reg::OpenKey(&OriginalKey, (HANDLE)Entry64->Original.Root, KEY_QUERY_VALUE, PtrAdd(Entry64->Original.SubKey.Buffer, BaseAddress)); FAIL_CONTINUE(Status); if (Entry64->Redirected.Root != NULL) { Status = Reg::OpenKey(&RedirectedKey, (HANDLE)Entry64->Redirected.Root, KEY_QUERY_VALUE, PtrAdd(Entry64->Redirected.SubKey.Buffer, BaseAddress)); if (NT_FAILED(Status)) { Reg::CloseKeyHandle(OriginalKey); continue; } } this->RegistryRedirectionEntry.Add(LocalEntry); LastIndex = this->RegistryRedirectionEntry.GetSize() - 1; Entry = &this->RegistryRedirectionEntry[LastIndex]; Status = QueryRegKeyFullPath(OriginalKey, &KeyFullPath); Reg::CloseKeyHandle(OriginalKey); if (NT_FAILED(Status)) { Reg::CloseKeyHandle(RedirectedKey); this->RegistryRedirectionEntry.Remove(LastIndex); continue; } Entry->Original.FullPath = KeyFullPath; RtlFreeUnicodeString(&KeyFullPath); if (RedirectedKey != nullptr) { Status = QueryRegKeyFullPath(RedirectedKey, &KeyFullPath); Reg::CloseKeyHandle(RedirectedKey); if (NT_FAILED(Status)) { this->RegistryRedirectionEntry.Remove(LastIndex); continue; } Entry->Redirected.FullPath = KeyFullPath; RtlFreeUnicodeString(&KeyFullPath); } Entry->Original.Root = (HKEY)Entry64->Original.Root; Entry->Original.SubKey = USTR64ToUSTR(Entry64->Original.SubKey); Entry->Original.ValueName = USTR64ToUSTR(Entry64->Original.ValueName); Entry->Original.DataType = Entry64->Original.DataType; Entry->Original.Data = nullptr; Entry->Original.DataSize = 0; Entry->Redirected.Root = (HKEY)Entry64->Redirected.Root; Entry->Redirected.SubKey = USTR64ToUSTR(Entry64->Redirected.SubKey); Entry->Redirected.ValueName = USTR64ToUSTR(Entry64->Redirected.ValueName); Entry->Redirected.DataType = Entry64->Redirected.DataType; Entry->Redirected.Data = nullptr; Entry->Redirected.DataSize = 0; if (Entry64->Redirected.Data != nullptr && Entry64->Redirected.DataSize != 0) { Entry->Redirected.DataSize = (ULONG_PTR)Entry64->Redirected.DataSize; Entry->Redirected.Data = AllocateMemoryP(Entry->Redirected.DataSize); if (Entry->Redirected.Data == nullptr) { this->RegistryRedirectionEntry.Remove(LastIndex); continue; } CopyMemory(Entry->Redirected.Data, PtrAdd(Entry64->Redirected.Data, BaseAddress), Entry->Redirected.DataSize); } }