/**
 * CreateProcessW replacement that routes recognised games through the
 * command line produced by GenerateXlAccCommandLine.
 *
 * Flow: log the request; when hooking is enabled and the application maps
 * to a known game entry, build the replacement command line and launch it
 * through the saved Shell32 CreateProcessW import. If any step does not
 * apply — no game entry, command-line generation fails, or the replacement
 * launch returns FALSE — the caller's original arguments are passed through
 * unchanged to the same import.
 *
 * All parameters mirror CreateProcessW and are forwarded as-is.
 * @return the BOOL result of whichever CreateProcessW call ran last.
 */
BOOL NTAPI SpeedUpCreateProcessW(
    PCWSTR                ApplicationName,
    PWSTR                 CommandLine,
    PSECURITY_ATTRIBUTES  ProcessAttributes,
    PSECURITY_ATTRIBUTES  ThreadAttributes,
    BOOL                  InheritHandles,
    ULONG                 CreationFlags,
    PVOID                 Environment,
    PCWSTR                CurrentDirectory,
    LPSTARTUPINFOW        StartupInfo,
    PPROCESS_INFORMATION  ProcessInformation
)
{
    PrintConsoleW(
        L"Application: %s\n"
        L"Commandline: %s\n\n",
        ApplicationName, CommandLine
    );

    if (IsHookStartEnabled())
    {
        PWSTR GameName = LookupGameInfo(ApplicationName);
        if (GameName != NULL)
        {
            PrintConsoleW(L"game name: %s\n", GameName);

            PWSTR AccCmdLine;
            NTSTATUS Status = GenerateXlAccCommandLine(&AccCmdLine, GameName, ApplicationName, CommandLine);
            if (!NT_FAILED(Status))
            {
                PrintConsoleW(L"cmdline: %s\n", AccCmdLine);

                BOOL Launched = (*Shell32CreateProcessWIAT)(
                    NULL, AccCmdLine,
                    ProcessAttributes, ThreadAttributes, InheritHandles,
                    CreationFlags, Environment, CurrentDirectory,
                    StartupInfo, ProcessInformation);
                ReleaseXlAccCommandLine(AccCmdLine);

                if (Launched)
                    return Launched;
            }
        }
    }

    // Pass-through: anything not handled above goes to the real CreateProcessW.
    return (*Shell32CreateProcessWIAT)(
        ApplicationName, CommandLine,
        ProcessAttributes, ThreadAttributes, InheritHandles,
        CreationFlags, Environment, CurrentDirectory,
        StartupInfo, ProcessInformation);
}
/// Main-window constructor: loads the .ui, applies the system icon-title
/// font application-wide, opens a debug console and wires the menu actions.
CCGUI::CCGUI(QWidget *pParent /* = 0 */, Qt::WFlags Flags /* = 0 */)
    : QMainWindow(pParent, Flags)
{
    ui.setupUi(this);

    // NOTE(review): the title literal looks like a narrow-charset string
    // widened byte-by-byte (mojibake); kept byte-for-byte — confirm the
    // intended text and source-file encoding.
    setWindowTitle(QString::fromUtf16(L"Ðdz½Ö®¼ä"));

    // Use the shell's icon-title face as the application font.
    LOGFONTW IconTitleFont;
    SystemParametersInfoW(SPI_GETICONTITLELOGFONT, sizeof(IconTitleFont), &IconTitleFont, 0);

    QFont AppFont(QApplication::font());
    AppFont.setWeight(QFont::Normal);
    AppFont.setStyleStrategy(QFont::PreferQuality);
    AppFont.setFamily(QString::fromUtf16(IconTitleFont.lfFaceName));
    QApplication::setFont(AppFont);

    AllocConsole();

    connect(ui.actionFileExit, SIGNAL(triggered()), this, SLOT(close()));
    // The result of the second connect is echoed to the console for debugging.
    BOOL Connected = connect(ui.MenuAbout, SIGNAL(aboutToShow()), this, SLOT(About()));
    PrintConsoleW(L"%d\n", Connected);
}
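/**
 * Hookport callback for NtOpenProcess: logs the requested process id.
 *
 * ClientId is optional for NtOpenProcess (the target may instead be named
 * through ObjectAttributes), so it must be checked before dereferencing —
 * the unguarded read was a NULL dereference in the hooked process. The
 * callback never writes *Action; presumably that lets the system call run
 * unchanged — confirm against the hookport contract.
 *
 * @return STATUS_SUCCESS always.
 */
NTSTATUS HOOKPORT_CALLTYPE HookNtOpenProcess(
    PSYSCALL_INFO        SysCallInfo,
    PSYSTEM_CALL_ACTION  Action,
    PHANDLE              ProcessHandle,
    ACCESS_MASK          DesiredAccess,
    POBJECT_ATTRIBUTES   ObjectAttributes,
    PCLIENT_ID           ClientId
)
{
    if (ClientId != NULL)
    {
        // UniqueProcess is HANDLE-sized; narrow explicitly so "%d" reads a
        // 32-bit argument on x64 as well as x86.
        PrintConsoleW(L"%d\n", (ULONG)(ULONG_PTR)ClientId->UniqueProcess);
    }
    return STATUS_SUCCESS;
}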
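/**
 * Directory-walk callback: for every file whose first four bytes are the
 * 'SDFA' tag, copy its contents to the same relative path with "_sc"
 * spliced in after the leading folder name (e.g. "data\x" -> "data_sc\x").
 *
 * Assumes pfd->cFileName begins with the 4-character folder name "data";
 * the suffix is inserted at that fixed offset — confirm with the enumerator
 * that drives this callback. Files that cannot be opened, read or do not
 * carry the tag are skipped, as are names that would no longer fit in the
 * fixed-size cFileName buffer after the splice.
 *
 * NtFileDisk::Open/Read are treated as returning NTSTATUS like Create/Write.
 * @return 0 always, so enumeration continues.
 */
LONG STDCALL DecCallback(PVOID, LPWIN32_FIND_DATAW pfd, ULONG_PTR)
{
    static WCHAR suffix[] = L"_sc";
    static WCHAR folder[] = L"data";

    NtFileDisk file;
    ULONG      Header = 0;

    // Probe the 4-byte tag; any failure to open/read means "not ours".
    NTSTATUS Status = file.Open(pfd->cFileName);
    if (NT_FAILED(Status))
        return 0;
    Status = file.Read(&Header, sizeof(Header));
    file.Close();
    if (NT_FAILED(Status) || Header != TAG4('SDFA'))
        return 0;

    PrintConsoleW(L"%s\n", pfd->cFileName);

    // cFileName is a fixed WCHAR[MAX_PATH]; the splice grows it by the
    // suffix length, so refuse names that would overflow the buffer.
    ULONG len = StrLengthW(pfd->cFileName) + 1;  // terminator included
    if (len + CONST_STRLEN(suffix) > countof(pfd->cFileName))
        return 0;

    // Read the whole source file into memory.
    NtFileDisk filesrc;
    Status = filesrc.Open(pfd->cFileName);
    if (NT_FAILED(Status))
        return 0;
    ULONG Size = filesrc.GetSize32();
    PBYTE p = (PBYTE)AllocateMemory(Size);
    if (p == NULL)
    {
        filesrc.Close();
        return 0;
    }
    Status = filesrc.Read(p, Size);
    filesrc.Close();
    if (NT_FAILED(Status))
    {
        FreeMemory(p);
        return 0;
    }

    // Splice the suffix in after the folder name: shift the tail (terminator
    // included) right by the suffix length, then drop the suffix into the gap.
    RtlMoveMemory(
        pfd->cFileName + CONST_STRLEN(folder) + CONST_STRLEN(suffix),
        pfd->cFileName + CONST_STRLEN(folder),
        (len - CONST_STRLEN(folder)) * sizeof(WCHAR)
    );
    CopyMemory(pfd->cFileName + CONST_STRLEN(folder), suffix, sizeof(suffix) - sizeof(WCHAR));

    // Create the destination directory chain (temporarily cut off the name part).
    PWCHAR pname = findnamew(pfd->cFileName);
    WCHAR  saved = *pname;
    *pname = 0;
    CreateDirectoryRecursiveW(pfd->cFileName);
    *pname = saved;

    Status = file.Create(pfd->cFileName);
    if (NT_SUCCESS(Status))
    {
        Status = file.Write(p, Size);
        file.Close();
    }

    FreeMemory(p);
    return 0;
}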
BOOL NTAPI QqSetWindowPos( HWND hWnd, HWND hWndInsertAfter, int X, int Y, int cx, int cy, UINT Flags ) { #define GROUP_WIDTH 722 #define GROUP_HEIGHT 671 #define BUDDY_WIDTH 506 #define BUDDY_HEIGHT 507 #if 0 AllocConsole(); ShowWindow(GetConsoleWindow(), SW_SHOW); PrintConsoleW(L"%d, %d\n", cx, cy); if (0) { FILE *fp; fp = fopen("D:\\desktop\\qqlog.txt", "ab"); fprintf(fp, "%d, %d\r\n", cx, cy); fclose(fp); } #endif enum { UnknownWindow, BuddyWindow, GroupWindow, DiscussWindow, MessageBox, Qq64, }; auto GetWindowType = [] (HWND hWnd, INT cx, INT cy) { BOOL IsMessageBox; PSIZE Size; static SIZE BuddySize[] = { { 553, 526 }, }; static SIZE GroupSize[] = { { 614, 546 }, { 603, 527 }, { 623, 546 }, { 599, 524 }, { 598, 522 }, }; static SIZE DiscussSize[] = { { 567, 545 }, { 556, 526 }, { 571, 545 }, }; IsMessageBox = IsWindowMessageBox(hWnd); if (IsMessageBox) return MessageBox; FOR_EACH_ARRAY(Size, BuddySize) { if (Size->cx == cx && Size->cy == cy) return BuddyWindow; } FOR_EACH_ARRAY(Size, GroupSize) { if (Size->cx == cx && Size->cy == cy) return GroupWindow; } FOR_EACH_ARRAY(Size, DiscussSize) { if (Size->cx == cx && Size->cy == cy) return DiscussWindow; } return UnknownWindow; };
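/**
 * Command-line driver: for each argument (an .exe, or a .lnk pointing at
 * one) start the target suspended, inject XP3Viewer.dll from this program's
 * own directory and release the handles. Targets that fail to start are
 * skipped; targets that fail to take the DLL are terminated first.
 *
 * The dead "#if 0" experiments of the original were dropped; the debug
 * privilege adjustment keeps its result in a BOOLEAN of its own instead of
 * aliasing an NTSTATUS, and the CreateProcess BOOL is no longer stored in
 * the NTSTATUS variable.
 *
 * @param argc  argument count including argv[0]; nothing happens for argc == 1.
 * @param argv  wide argument vector.
 */
ForceInline VOID main2(Int argc, WChar **argv)
{
    static const WCHAR DllName[] = L"XP3Viewer.dll";

    WCHAR               szDllPath[MAX_NTPATH], FullExePath[MAX_NTPATH];
    STARTUPINFOW        si;
    PROCESS_INFORMATION pi;
    BOOLEAN             WasEnabled;

    if (argc == 1)
        return;

    // Result deliberately ignored, as in the original flow.
    RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &WasEnabled);

    while (--argc)
    {
        PWSTR pExePath = *++argv;

        // Resolve shortcuts to their target; on failure use the argument as-is.
        // The 8-byte tag compare is only done when at least 4 characters remain.
        PWSTR Ext = findextw(pExePath);
        if (Ext != NULL && StrLengthW(Ext) >= CONST_STRLEN(L".lnk") &&
            CHAR_UPPER4W(*(PULONG64)Ext) == CHAR_UPPER4W(TAG4W('.LNK')) &&
            !FAILED(GetPathFromLinkFile(*argv, FullExePath, countof(FullExePath))))
        {
            pExePath = FullExePath;
        }

        // Working directory = the target's own directory (empty -> inherit).
        if (RtlGetFullPathName_U(pExePath, sizeof(szDllPath), szDllPath, NULL) == 0)
        {
            PrintConsoleW(L"%s: GetFullPathName() failed\n", pExePath);
            continue;
        }
        rmnamew(szDllPath);

        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        BOOL Created = CreateProcessInternalW(
            NULL, pExePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL,
            *szDllPath == 0 ? NULL : szDllPath, &si, &pi, NULL);
        if (!Created)
        {
            PrintConsoleW(L"%s: CreateProcess() failed\n", pExePath);
            continue;
        }

        // Build "<this exe's directory>\XP3Viewer.dll" as a counted UNICODE_STRING;
        // Nt_GetExeDirectory returns a character count (the code appends at that index).
        ULONG Length = Nt_GetExeDirectory(szDllPath, countof(szDllPath));
        if (Length + CONST_STRLEN(DllName) + 1 > countof(szDllPath))
        {
            PrintConsoleW(L"%s: DLL path too long\n", pExePath);
            NtTerminateProcess(pi.hProcess, 0);
            NtClose(pi.hProcess);
            NtClose(pi.hThread);
            continue;
        }
        CopyStruct(szDllPath + Length, DllName, sizeof(DllName));

        UNICODE_STRING DllFullPath;
        DllFullPath.Buffer        = szDllPath;
        DllFullPath.Length        = (USHORT)((Length + CONST_STRLEN(DllName)) * sizeof(WCHAR));
        DllFullPath.MaximumLength = DllFullPath.Length;

        NTSTATUS Status = InjectDllToRemoteProcess(pi.hProcess, pi.hThread, &DllFullPath, FALSE);
        if (!NT_SUCCESS(Status))
        {
            // Do not leave a suspended process behind when injection fails.
            PrintConsoleW(L"%s: inject failed (%08X)\n", pExePath, Status);
            NtTerminateProcess(pi.hProcess, 0);
        }
        NtClose(pi.hProcess);
        NtClose(pi.hThread);
    }
}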
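/**
 * Resolve a game-requested file name to the path that should actually be opened.
 *
 * The request (ANSI, or UTF-16 when IsInputUnicode) is widened into
 * pszOriginal, then expanded to a full path in pszHooked. If that full path
 * lies under the application directory (g_AppPathBuffer/g_AppPathLength)
 * and its next component is "data\", the same relative path is tried first
 * under "patch\" and then under "data_sc\"; the first one that exists wins.
 * Every other case — including a pszHooked too small for the rewrite, or a
 * failed full-path expansion — falls back to the caller's original name.
 *
 * szPatch is deliberately padded with extra backslashes to the same 8-char
 * width as "data_sc\" so one in-place splice serves both candidates; the
 * redundant separators are presumably collapsed by path normalisation
 * downstream — confirm.
 *
 * Changes vs. the original: the UTF-16 copy is bounded by OriginalCount;
 * the app-path prefix is checked before the "data\" component so pszFileName
 * is never read beyond a shorter pszHooked; the splice is refused when it
 * would run past HookedBufferCount.
 *
 * @param pszHooked          scratch buffer for the rewritten full path
 * @param HookedBufferCount  capacity of pszHooked in WCHARs
 * @param pszOriginal        scratch buffer receiving the widened request
 * @param OriginalCount      capacity of pszOriginal in WCHARs
 * @param lpFileName         the name the game asked for
 * @param IsInputUnicode     TRUE when lpFileName is really a UTF-16 string
 * @return pszHooked when a redirected file exists, otherwise pszOriginal.
 */
PWCHAR GetFileName(
    PWCHAR pszHooked,
    ULONG  HookedBufferCount,
    PWCHAR pszOriginal,
    ULONG  OriginalCount,
    LPCSTR lpFileName,
    BOOL   IsInputUnicode = FALSE
)
{
    static WCHAR szDataPath[] = L"data\\";
    static WCHAR szPatch[]    = L"patch\\\\\\";
    static WCHAR szDataSc[]   = L"data_sc\\";

    // "data" without its separator, and how many characters the wider
    // replacement directory names add.
    const ULONG DataStemLength = countof(szDataPath) - 2;
    const ULONG Growth         = countof(szDataSc) - countof(szDataPath);

    if (IsInputUnicode)
    {
        // Bounded copy: lpFileName comes from the hooked caller.
        lstrcpynW(pszOriginal, (LPCWSTR)lpFileName, OriginalCount);
    }
    else
    {
        Nt_AnsiToUnicode(pszOriginal, OriginalCount, (PCHAR)lpFileName, -1);
    }

    ULONG Length = RtlGetFullPathName_U(pszOriginal, HookedBufferCount * sizeof(WCHAR), pszHooked, NULL);
    if (Length == 0)
        return pszOriginal;                 // expansion failed; pszHooked is undefined
    Length = Length / sizeof(WCHAR) + 1;    // characters, terminator included

    // The splice grows the string by Growth characters; bail out before
    // touching pszHooked if it cannot hold the result.
    if (Length + Growth > HookedBufferCount)
        return pszOriginal;

    ULONG  AppPathLength = g_AppPathLength;
    PWCHAR pszFileName   = pszHooked + AppPathLength;

    // Only paths inside the application directory whose next component is
    // "data\" are candidates.
    if (StrNICompareW((PWCHAR)g_AppPathBuffer, pszHooked, AppPathLength) ||
        StrNICompareW(pszFileName, szDataPath, countof(szDataPath) - 1))
    {
        return pszOriginal;
    }

    // Shift the tail after "data" (terminator included) right by Growth, then
    // overwrite the head with the candidate directory name.
    PWCHAR pszTail = pszFileName + DataStemLength;
    RtlMoveMemory(pszTail + Growth, pszTail, (Length - (pszTail - pszHooked)) * sizeof(*pszTail));

    CopyStruct(pszFileName, szPatch, sizeof(szPatch) - sizeof(*szPatch));
    if (Nt_IsPathExists(pszHooked))
    {
        pszFileName = pszHooked;
    }
    else
    {
        CopyStruct(pszFileName, szDataSc, sizeof(szDataSc) - sizeof(*szDataSc));
        pszFileName = Nt_IsPathExists(pszHooked) ? pszHooked : pszOriginal;
    }

#if CONSOLE_DEBUG
    PrintConsoleW(L"%s\n", pszFileName);
#endif

    return pszFileName;
}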
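/**
 * Command-line driver: for each argument (an .exe, or a .lnk pointing at
 * one) start the target suspended, inject this module into it and release
 * the handles. Targets that fail to start are skipped; targets that fail to
 * take the injection are terminated first.
 *
 * The debug privilege adjustment keeps its result in a BOOLEAN of its own
 * instead of aliasing an NTSTATUS, and the CreateProcess BOOL is no longer
 * stored in the NTSTATUS variable.
 *
 * @param argc  argument count including argv[0]; nothing happens for argc == 1.
 * @param argv  wide argument vector.
 */
ForceInline Void main2(Int argc, WChar **argv)
{
    WCHAR               szDllPath[MAX_NTPATH], FullExePath[MAX_NTPATH];
    STARTUPINFOW        si;
    PROCESS_INFORMATION pi;
    BOOLEAN             WasEnabled;

    if (argc == 1)
        return;

    // Result deliberately ignored, as in the original flow.
    RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &WasEnabled);

    while (--argc)
    {
        PWSTR pExePath = *++argv;

        // Resolve shortcuts to their target; on failure use the argument as-is.
        // The 8-byte tag compare is only done when at least 4 characters remain.
        PWSTR Ext = findextw(pExePath);
        if (Ext != NULL && StrLengthW(Ext) >= CONST_STRLEN(L".lnk") &&
            CHAR_UPPER4W(*(PULONG64)Ext) == CHAR_UPPER4W(TAG4W('.LNK')) &&
            !FAILED(GetPathFromLinkFile(*argv, FullExePath, countof(FullExePath))))
        {
            pExePath = FullExePath;
        }

        // Working directory = the target's own directory (empty -> inherit).
        if (RtlGetFullPathName_U(pExePath, sizeof(szDllPath), szDllPath, NULL) == 0)
        {
            PrintConsoleW(L"%s: GetFullPathName() failed\n", pExePath);
            continue;
        }
        rmnamew(szDllPath);

        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        BOOL Created = CreateProcessInternalW(
            NULL, pExePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL,
            *szDllPath == 0 ? NULL : szDllPath, &si, &pi, NULL);
        if (!Created)
        {
            PrintConsoleW(L"CreateProcess() failed.\n");
            continue;
        }

        NTSTATUS Status = InjectSelfToRemoteProcess(pi.hProcess, pi.hThread);
        if (!NT_SUCCESS(Status))
        {
            // Do not leave a suspended process behind when injection fails.
            PrintConsoleW(L"%s: inject failed (%08X)\n", pExePath, Status);
            NtTerminateProcess(pi.hProcess, 0);
        }
        NtClose(pi.hProcess);
        NtClose(pi.hThread);
    }
}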