PLARGE_UNICODE_STRING LargeStringAnsiToUnicode(PLARGE_UNICODE_STRING LargeAnsiString, PLARGE_UNICODE_STRING LargeUnicodeString)
{
if (LargeAnsiString == NULL)
return NULL;
if (!LargeAnsiString->Ansi)
return LargeStringDuplicate(LargeAnsiString, LargeUnicodeString);
ANSI_STRING AnsiString;
UNICODE_STRING UnicodeString;
AnsiString.Buffer = LargeAnsiString->AnsiBuffer;
AnsiString.Length = LargeAnsiString->Length;
AnsiString.MaximumLength = LargeAnsiString->MaximumLength;
if (NT_FAILED(RtlAnsiStringToUnicodeString(&UnicodeString, &AnsiString, TRUE)))
return NULL;
LargeUnicodeString->Ansi = FALSE;
LargeUnicodeString->Length = UnicodeString.Length;
LargeUnicodeString->MaximumLength = UnicodeString.MaximumLength;
LargeUnicodeString->Buffer = (ULONG64)UnicodeString.Buffer;
return LargeUnicodeString;
}
ULONG
WINAPI
QqGetModuleFileNameExW(
HANDLE Process,
PVOID Module,
PWSTR Filename,
ULONG Size
)
{
ULONG Length;
PWSTR File;
NTSTATUS Status;
PROCESS_BASIC_INFORMATION BasicInfo;
static WCHAR QQProtect[] = L"QQProtect.exe";
Length = StubGetModuleFileNameExW(Process, (HMODULE)Module, Filename, Size);
if (Length == 0 || Filename == nullptr || Size == 0)
return Length;
Status = NtQueryInformationProcess(Process, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), nullptr);
if (NT_FAILED(Status) || BasicInfo.UniqueProcessId != CurrentPid())
return Length;
File = findnamew(Filename);
CopyStruct(File, QQProtect, sizeof(QQProtect));
return File - Filename + CONST_STRLEN(QQProtect);
}
BOOL Initialize(PVOID BaseAddress)
{
if (NT_FAILED(CheckIsExplorer()))
return FALSE;
AllocConsole();
// PrintConsoleW(L"session id %d\n", GetCurrentSessionId());
/*
if (CurrentPeb()->OSMajorVersion > 5)
switch (GetCurrentSessionId())
{
case 0:
case INVALID_SESSION_ID:
return FALSE;
}
*/
LdrDisableThreadCalloutsForDll(BaseAddress);
LdrAddRefDll(LDR_ADDREF_DLL_PIN, BaseAddress);
Ps::CreateThread(
ThreadLambdaType_(PVOID)
{
return HookCallCreateProcess();
},
nullptr
);
PLARGE_UNICODE_STRING LargeStringDuplicate(PLARGE_UNICODE_STRING LargeString, PLARGE_UNICODE_STRING Destination)
{
union
{
ANSI_STRING Ansi;
UNICODE_STRING Unicode;
};
union
{
ANSI_STRING NewAnsi;
UNICODE_STRING NewUnicode;
};
if (LargeString->Ansi)
return NULL;
InitStringFromLargeString(&Unicode, LargeString);
if (NT_FAILED(RtlDuplicateUnicodeString(RTL_DUPSTR_ADD_NULL, &Unicode, &NewUnicode)))
return NULL;
Destination->Ansi = FALSE;
Destination->Length = NewUnicode.Length;
Destination->MaximumLength = NewUnicode.MaximumLength;
Destination->UnicodeBuffer = NewUnicode.Buffer;
return Destination;
}
BOOL
NTAPI
SpeedUpCreateProcessW(
PCWSTR ApplicationName,
PWSTR CommandLine,
PSECURITY_ATTRIBUTES ProcessAttributes,
PSECURITY_ATTRIBUTES ThreadAttributes,
BOOL InheritHandles,
ULONG CreationFlags,
PVOID Environment,
PCWSTR CurrentDirectory,
LPSTARTUPINFOW StartupInfo,
PPROCESS_INFORMATION ProcessInformation
)
{
BOOL Success;
PWSTR CmdLine;
NTSTATUS Status;
PWSTR Entry;
LOOP_ONCE
{
PrintConsoleW(
L"Application: %s\n"
L"Commandline: %s\n\n",
ApplicationName, CommandLine
);
if (!IsHookStartEnabled())
continue;
Entry = LookupGameInfo(ApplicationName);
if (Entry == NULL)
break;
PrintConsoleW(L"game name: %s\n", Entry);
Status = GenerateXlAccCommandLine(&CmdLine, Entry, ApplicationName, CommandLine);
if (NT_FAILED(Status))
break;
PrintConsoleW(L"cmdline: %s\n", CmdLine);
Success = (*Shell32CreateProcessWIAT)(NULL, CmdLine, ProcessAttributes, ThreadAttributes, InheritHandles, CreationFlags, Environment, CurrentDirectory, StartupInfo, ProcessInformation);
ReleaseXlAccCommandLine(CmdLine);
if (!Success)
break;
return Success;
}
return (*Shell32CreateProcessWIAT)(ApplicationName, CommandLine, ProcessAttributes, ThreadAttributes, InheritHandles, CreationFlags, Environment, CurrentDirectory, StartupInfo, ProcessInformation);
}
BOOL InitializeNetapi32()
{
PVOID module;
NTSTATUS Status;
PLDR_MODULE Self, Netapi32;
UNICODE_STRING SystemRoot;
PVOID LoaderLockCookie;
LdrLockLoaderLock(0, nullptr, &LoaderLockCookie);
SCOPE_EXIT
{
LdrUnlockLoaderLock(0, LoaderLockCookie);
}
SCOPE_EXIT_END;
Self = FindLdrModuleByHandle(&__ImageBase);
if (Self == nullptr || Self->DllBase != &__ImageBase)
return TRUE;
Status = Rtl::GetSystemDirectory(&SystemRoot);
if (NT_FAILED(Status))
return 0;
module = Ldr::LoadDll(String(SystemRoot) + L"wtsapi32.dll");
RtlFreeUnicodeString(&SystemRoot);
LdrAddRefDll(LDR_ADDREF_DLL_PIN, module);
*(PVOID *)&StubWTSFreeMemory = GetRoutineAddress(module, "WTSFreeMemory");
*(PVOID *)&StubWTSQuerySessionInformationW = GetRoutineAddress(module, "WTSQuerySessionInformationW");
*(PVOID *)&StubWTSRegisterSessionNotification = GetRoutineAddress(module, "WTSRegisterSessionNotification");
*(PVOID *)&StubWTSUnRegisterSessionNotification = GetRoutineAddress(module, "WTSUnRegisterSessionNotification");
Netapi32 = FindLdrModuleByHandle(module);
//RemoveEntryList(&Self->InLoadOrderLinks);
//RemoveEntryList(&Self->InMemoryOrderLinks);
//RemoveEntryList(&Self->InInitializationOrderLinks);
//RtlFreeHeap(CurrentPeb()->ProcessHeap, 0, Self);
Self->DllBase = Netapi32->DllBase;
Self->EntryPoint = Netapi32->EntryPoint;
Self->SizeOfImage = Netapi32->SizeOfImage;
return TRUE;
}
EXTC NTSTATUS NTAPI Initialize()
{
NTSTATUS status;
if (helper != nullptr)
return STATUS_SUCCESS;
helper = new iTunesHelper;
//Rtl::SetExeDirectoryAsCurrent();
status = helper->iTunesInitialize();
if (NT_FAILED(status))
{
ExceptionBox(L"init iTunes failed");
return status;
}
return status;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath) {
NTSTATUS status;
WDF_DRIVER_CONFIG config;
WDF_OBJECT_ATTRIBUTES attributes;
#if defined(_DEBUG) || defined(DBG)
// if (TRUE == KdRefreshDebuggerNotPresent())
// return STATUS_UNSUCCESSFUL;// For the time being, don't load the driver if no debugger is attached
// DbgBreakPoint();
if (FALSE == KdRefreshDebuggerNotPresent())
DbgBreakPoint();
#endif
// Initialize WPP Tracing
WPP_INIT_TRACING( DriverObject, RegistryPath );
WPP_FLAG_LEVEL_ENABLED(MYDRIVER_ALL_INFO, TRACE_LEVEL_VERBOSE);
TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, "UsbCfgCtrl>> DriverEntry " __DATE__ " " __TIME__ "\r\n");
// Register a cleanup callback so that we can call WPP_CLEANUP when the framework driver object is deleted during driver unload.
WDF_OBJECT_ATTRIBUTES_INIT(&attributes);
attributes.EvtCleanupCallback = [](IN WDFOBJECT DriverObject) {
TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, "%!FUNC! Entry");
// Stop WPP Tracing
WPP_CLEANUP(WdfDriverWdmGetDriverObject((WDFDRIVER)DriverObject));
};
WDF_DRIVER_CONFIG_INIT(&config, UsbCfgDevice::CreateDevice);// UsbCfgCtrlEvtDeviceAdd);
status = WdfDriverCreate(DriverObject, RegistryPath, &attributes, &config, WDF_NO_HANDLE);
if (NT_FAILED(status)) {
TraceEvents(TRACE_LEVEL_ERROR, TRACE_DRIVER, "WdfDriverCreate failed %!STATUS!\r\n", status);
WPP_CLEANUP(DriverObject);
return status;
}
TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, "%!FUNC! Exit\r\n");
return status;
}
BOOL InitializeNetapi32()
{
PVOID module;
NTSTATUS Status;
PLDR_MODULE Self, Netapi32;
UNICODE_STRING SystemRoot;
if (StubNetbios != nullptr)
return TRUE;
Status = Rtl::GetSystemDirectory(&SystemRoot);
if (NT_FAILED(Status))
return 0;
module = Ldr::LoadDll(ml::String(SystemRoot) + L"netapi32.dll");
RtlFreeUnicodeString(&SystemRoot);
LdrAddRefDll(LDR_ADDREF_DLL_PIN, module);
*(PVOID *)&StubNetbios = GetRoutineAddress(module, "Netbios");
*(PVOID *)&StubNetApiBufferFree = GetRoutineAddress(module, "NetApiBufferFree");
*(PVOID *)&StubNetWkstaTransportEnum = GetRoutineAddress(module, "NetWkstaTransportEnum");
*(PVOID *)&StubNetWkstaUserGetInfo = GetRoutineAddress(module, "NetWkstaUserGetInfo");
Self = FindLdrModuleByHandle(&__ImageBase);
Netapi32 = FindLdrModuleByHandle(module);
//RemoveEntryList(&Self->InLoadOrderLinks);
//RemoveEntryList(&Self->InMemoryOrderLinks);
//RemoveEntryList(&Self->InInitializationOrderLinks);
//RtlFreeHeap(CurrentPeb()->ProcessHeap, 0, Self);
Self->DllBase = Netapi32->DllBase;
Self->EntryPoint = Netapi32->EntryPoint;
Self->SizeOfImage = Netapi32->SizeOfImage;
return TRUE;
}
HANDLE NTAPI AoFindFirstFileA(PCSTR FileName, PWIN32_FIND_DATAA FindFileData)
{
NTSTATUS Status;
HANDLE FindHandle;
WCHAR OriginalPath[MAX_NTPATH], HookedPath[MAX_NTPATH];
ML_FIND_DATA FindData;
Status = QueryFirstFile(
&FindHandle,
GetFileName(HookedPath, countof(HookedPath), OriginalPath, countof(OriginalPath), FileName),
&FindData
);
FindFileData->cFileName[0] = 0;
if (NT_FAILED(Status))
return NULL;
UnicodeToAnsi(FindFileData->cFileName, countof(FindFileData->cFileName), FindData.FileName);
return FindHandle;
}
NTSTATUS LeGlobalData::InitRegistryRedirection(PREGISTRY_REDIRECTION_ENTRY64 Entry64, ULONG_PTR Count, PVOID BaseAddress)
{
NTSTATUS Status;
PLEPEB LePeb;
PREGISTRY_REDIRECTION_ENTRY Entry;
if (Count == 0)
return STATUS_NO_MORE_ENTRIES;
LePeb = this->GetLePeb();
#pragma push_macro("USTR64ToUSTR")
#undef USTR64ToUSTR
#define USTR64ToUSTR(ustr64) UNICODE_STRING({ ustr64.Length, ustr64.MaximumLength, PtrAdd(ustr64.Buffer, BaseAddress) });
REGISTRY_REDIRECTION_ENTRY LocalEntry;
FOR_EACH(Entry64, Entry64, Count)
{
ULONG_PTR LastIndex;
HANDLE OriginalKey, RedirectedKey;
UNICODE_STRING KeyFullPath;
OriginalKey = nullptr;
RedirectedKey = nullptr;
Status = Reg::OpenKey(&OriginalKey, (HANDLE)Entry64->Original.Root, KEY_QUERY_VALUE, PtrAdd(Entry64->Original.SubKey.Buffer, BaseAddress));
FAIL_CONTINUE(Status);
if (Entry64->Redirected.Root != NULL)
{
Status = Reg::OpenKey(&RedirectedKey, (HANDLE)Entry64->Redirected.Root, KEY_QUERY_VALUE, PtrAdd(Entry64->Redirected.SubKey.Buffer, BaseAddress));
if (NT_FAILED(Status))
{
Reg::CloseKeyHandle(OriginalKey);
continue;
}
}
this->RegistryRedirectionEntry.Add(LocalEntry);
LastIndex = this->RegistryRedirectionEntry.GetSize() - 1;
Entry = &this->RegistryRedirectionEntry[LastIndex];
Status = QueryRegKeyFullPath(OriginalKey, &KeyFullPath);
Reg::CloseKeyHandle(OriginalKey);
if (NT_FAILED(Status))
{
Reg::CloseKeyHandle(RedirectedKey);
this->RegistryRedirectionEntry.Remove(LastIndex);
continue;
}
Entry->Original.FullPath = KeyFullPath;
RtlFreeUnicodeString(&KeyFullPath);
if (RedirectedKey != nullptr)
{
Status = QueryRegKeyFullPath(RedirectedKey, &KeyFullPath);
Reg::CloseKeyHandle(RedirectedKey);
if (NT_FAILED(Status))
{
this->RegistryRedirectionEntry.Remove(LastIndex);
continue;
}
Entry->Redirected.FullPath = KeyFullPath;
RtlFreeUnicodeString(&KeyFullPath);
}
Entry->Original.Root = (HKEY)Entry64->Original.Root;
Entry->Original.SubKey = USTR64ToUSTR(Entry64->Original.SubKey);
Entry->Original.ValueName = USTR64ToUSTR(Entry64->Original.ValueName);
Entry->Original.DataType = Entry64->Original.DataType;
Entry->Original.Data = nullptr;
Entry->Original.DataSize = 0;
Entry->Redirected.Root = (HKEY)Entry64->Redirected.Root;
Entry->Redirected.SubKey = USTR64ToUSTR(Entry64->Redirected.SubKey);
Entry->Redirected.ValueName = USTR64ToUSTR(Entry64->Redirected.ValueName);
Entry->Redirected.DataType = Entry64->Redirected.DataType;
Entry->Redirected.Data = nullptr;
Entry->Redirected.DataSize = 0;
if (Entry64->Redirected.Data != nullptr && Entry64->Redirected.DataSize != 0)
{
Entry->Redirected.DataSize = (ULONG_PTR)Entry64->Redirected.DataSize;
Entry->Redirected.Data = AllocateMemoryP(Entry->Redirected.DataSize);
if (Entry->Redirected.Data == nullptr)
{
this->RegistryRedirectionEntry.Remove(LastIndex);
continue;
}
CopyMemory(Entry->Redirected.Data, PtrAdd(Entry64->Redirected.Data, BaseAddress), Entry->Redirected.DataSize);
}
}
