コード例 #1
ファイル: Dumping.cpp プロジェクト: drupalhunter/CodeReverse
/// Prints a summary line for the loaded module, then dumps each header the
/// accessors report as present: DOS header, file header, one optional header
/// (32-bit or 64-bit) and every section header.
/// Does nothing when no module is loaded.
void CR_Module::DumpHeaders()
{
    if (!IsModuleLoaded())
    {
        return;
    }

    // Only the file-name conversion differs between the two builds: %ls when
    // _UNICODE is defined, %s otherwise.
#ifdef _UNICODE
    printf("FileName: %ls, FileSize: 0x%08lX (%lu)\n",
        GetFileName(), GetFileSize(), GetFileSize());
#else
    printf("FileName: %s, FileSize: 0x%08lX (%lu)\n",
        GetFileName(), GetFileSize(), GetFileSize());
#endif

    if (DOSHeader())
        CrDumpDOSHeader(DOSHeader());

    if (FileHeader())
        CrDumpFileHeader(FileHeader());

    // The 64-bit optional header is only consulted when the 32-bit accessor
    // returns nothing.
    if (OptionalHeader32())
        CrDumpOptionalHeader32(OptionalHeader32(), CheckSum());
    else if (OptionalHeader64())
        CrDumpOptionalHeader64(OptionalHeader64(), CheckSum());

    if (!SectionHeaders())
        return;

    // NOTE(review): the loop bound is whatever NumberOfSections() reports.
    // Whether SectionHeader(i) checks the index against the data actually
    // loaded is not visible here; confirm before dumping untrusted binaries.
    const DWORD sectionCount = NumberOfSections();
    DWORD index = 0;
    while (index < sectionCount)
    {
        printf("\n### Section #%lu ###\n", index);
        CrDumpSectionHeader(SectionHeader(index));
        ++index;
    }
}
コード例 #2
ファイル: NDiscovery.cpp プロジェクト: karonte691/JXCode
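//taken and adapted from http://tangentsoft.net/wskfaq/examples/dllping.html
/**
 * Sends one ICMP echo request to each address <subnet>.1 .. <subnet>.255 and
 * prints every address for which IcmpSendEcho reported at least one reply.
 *
 * @param subnet  Dotted network prefix that the host number is appended to.
 *                Must not be null; the combined address must fit in 63 chars.
 * @param save    When true, the report helpers (MakeReport, FileHeader,
 *                WriteOnReport, SaveReport) are called with the report handle.
 *
 * Every early-exit path releases the ICMP handle, the reply buffer and the
 * library that were acquired before it.
 */
void Find_Net(char *subnet, bool save)
{
	if (subnet == 0)
	{
		printf("Error: no subnet given...\n");
		return;
	}

	// The original dereferenced an uninitialised FILE* in "*fp = MakeReport(ip)".
	// Back the pointer with real storage so that assignment has a valid target.
	// NOTE(review): MakeReport is defined elsewhere; its return type is inferred
	// from that assignment - confirm, and confirm it is meant to run per address.
	FILE report;
	FILE *fp = &report;

	// The original cast a narrow literal to LPCWSTR, handing the wide API a
	// byte string. Use the ANSI entry point, and restrict the search to System32
	// so a same-named DLL planted next to the executable or in the current
	// directory is not loaded instead.
	HINSTANCE hIcmp = LoadLibraryExA("ICMP.DLL", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
	if (hIcmp == 0)
	{
		printf("Error: icmp.dll missing...\n");
		return;
	}

	typedef HANDLE (WINAPI* pfnHV)(VOID);
	typedef BOOL (WINAPI* pfnBH)(HANDLE);
	typedef DWORD (WINAPI* pfnDHDPWPipPDD)(HANDLE, DWORD, LPVOID, WORD,PIP_OPTION_INFORMATION, LPVOID, DWORD, DWORD);
	pfnHV pIcmpCreateFile = (pfnHV)GetProcAddress(hIcmp, "IcmpCreateFile");
	pfnBH pIcmpCloseHandle = (pfnBH)GetProcAddress(hIcmp, "IcmpCloseHandle");
	pfnDHDPWPipPDD pIcmpSendEcho = (pfnDHDPWPipPDD)GetProcAddress(hIcmp,"IcmpSendEcho");
	if ((pIcmpCreateFile == 0) || (pIcmpCloseHandle == 0) || (pIcmpSendEcho == 0)) {
		printf("unable to create the functions...");
		FreeLibrary(hIcmp);
		return;
	}

	for(int i=1; i <= 255; i++)
	{
		// Build "<subnet>.<i>" in a bounded buffer. The original passed the
		// format string as sprintf's destination and used %c, which emits a raw
		// byte rather than the decimal host number.
		char ip[64];
		int written = snprintf(ip, sizeof(ip), "%s.%d", subnet, i);
		if (written < 0 || written >= (int)sizeof(ip))
		{
			printf("error to convert ip address..");
			FreeLibrary(hIcmp);
			return;
		}

		if(save == true) *fp = MakeReport(ip);

		struct hostent* phe = gethostbyname(ip);
		if(phe == 0)
		{
			printf("error to convert ip address..");
			FreeLibrary(hIcmp);
			return;
		}

		HANDLE hIP = pIcmpCreateFile();
		if (hIP == INVALID_HANDLE_VALUE)
		{
			printf("Unable to open ping service");
			FreeLibrary(hIcmp);
			return;
		}
		if(save == true) FileHeader(fp, ip);

		char acPingBuffer[64];
		memset(acPingBuffer, '\xAA', sizeof(acPingBuffer));
		const DWORD dwReplySize = sizeof(IP_ECHO_REPLY) + sizeof(acPingBuffer);
		PIP_ECHO_REPLY pIpe = (PIP_ECHO_REPLY)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT, dwReplySize);
		if (pIpe == 0) {
			printf("Failed to allocate global ping packet buffer.");
			pIcmpCloseHandle(hIP);
			FreeLibrary(hIcmp);
			return;
		}
		pIpe->Data = acPingBuffer;
		pIpe->DataSize = sizeof(acPingBuffer);

		// 5000 ms timeout per address.
		// NOTE(review): a non-zero return only says a reply structure was
		// stored; pIpe->Status is not inspected, so ICMP error replies are also
		// reported as found - confirm that is intended.
		DWORD dwStatus = pIcmpSendEcho(hIP, *((DWORD*)phe->h_addr_list[0]), acPingBuffer, sizeof(acPingBuffer), NULL, pIpe, dwReplySize, 5000);
		if (dwStatus != 0) {
			//found
			printf("[FOUND] %s", ip);
			if(save == true) WriteOnReport(fp, ip);
		}

		// Release per-address resources on every path. The original skipped
		// GlobalFree when no reply arrived and never closed the ICMP handle.
		GlobalFree(pIpe);
		pIcmpCloseHandle(hIP);
	}
	if(save == true) SaveReport(fp);
	FreeLibrary(hIcmp);
}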
コード例 #3
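/// Locates the ".ipn1" section of the PE image at ImgBase and fills `info`.
///
/// ProtectorSections is consulted first: an entry with a matching ImgBase
/// answers the query without touching the headers again. Otherwise the PE
/// section table is walked. When ".ipn1" is found, ReadProtectorSectionData is
/// called on its mapped address and the two hook-core name offsets in `info`
/// are converted from raw-file offsets to RVAs.
///
/// @param ImgBase  Base address of the image whose headers are parsed.
/// @param info     Receives the section data; on the not-found path only
///                 info.ImgBase is written by this function.
/// @return true when the section was found (or cached as found), else false.
bool FindProtectorSection(types::simple_ptr<unsigned char> ImgBase, ProtectorSectionInfo & info)
{
    // if the section is already found?
    for(UINT x = 0; x<ProtectorSections.size(); x++)
    {
        if (ProtectorSections[x].ImgBase == ImgBase)
        {
            if (ProtectorSections[x].pProtectorSection != NULL)
            {
                info = ProtectorSections[x];
                return true;
            }
            return false; // caller section is found, but the .ipn1 section is not. the caller assembly is not protected
        }
    }

    // Refuse to walk anything that is not a PE image: every offset below is
    // read from these headers, so a bogus e_lfanew would send the parser to an
    // arbitrary address.
    if ((unsigned char*)ImgBase == NULL)
    {
        info.ImgBase = ImgBase;
        return false;
    }
    types::simple_ptr<IMAGE_DOS_HEADER> DosHeader(reinterpret_cast<IMAGE_DOS_HEADER*>((unsigned char*)ImgBase));
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE
            || DosHeader->e_lfanew <= 0
            || *reinterpret_cast<DWORD*>(ImgBase + DosHeader->e_lfanew) != IMAGE_NT_SIGNATURE)
    {
        info.ImgBase = ImgBase;
        return false;
    }

    // if not - find the section
    types::simple_ptr<IMAGE_FILE_HEADER> FileHeader(reinterpret_cast<IMAGE_FILE_HEADER*>(ImgBase + DosHeader->e_lfanew + sizeof(IMAGE_NT_SIGNATURE)));

    // The section table starts right after the optional header, whose real
    // length is recorded in the file header. The original used
    // sizeof(IMAGE_OPTIONAL_HEADER), which is only right when the image has the
    // same bitness as this build. The unused, mis-computed OptionalHeader local
    // was dropped.
    types::simple_ptr<unsigned char> SectHeadersOffset(ImgBase + DosHeader->e_lfanew + sizeof(IMAGE_NT_SIGNATURE) + sizeof (IMAGE_FILE_HEADER) + FileHeader->SizeOfOptionalHeader);

    types::simple_ptr<unsigned char> SectionHeaderStart;
    types::simple_ptr<IMAGE_SECTION_HEADER> SectionHeader;
    for(unsigned short i = 0; i < FileHeader->NumberOfSections; i++ )
    {
        SectionHeaderStart = types::simple_ptr<unsigned char> (SectHeadersOffset + i * sizeof(IMAGE_SECTION_HEADER));
        SectionHeader = reinterpret_cast<IMAGE_SECTION_HEADER*>((unsigned char*)SectionHeaderStart);

        // strcmp reads at most the six bytes of ".ipn1" plus its terminator,
        // which fits in the Name field even when Name itself is unterminated.
        if (strcmp(const_cast<const char*>(reinterpret_cast<char*>(&SectionHeader->Name[0])), ".ipn1") == 0)
        {
            info.ImgBase = ImgBase;
            // Stores the section RVA (not a mapped address) in the pointer field.
            info.pProtectorSection = reinterpret_cast<unsigned char*>(SectionHeader->VirtualAddress);
            types::simple_ptr<unsigned char> position(SectionHeader->VirtualAddress + ImgBase);

            ReadProtectorSectionData(position, info);


            // Move the offset according to the RVA not the physical offset
            // 1. Find the correct section for the physical offset
            for(unsigned int j =0; j < FileHeader->NumberOfSections; j++)
            {
                SectionHeaderStart  = types::simple_ptr<unsigned char>(SectHeadersOffset + j * sizeof(IMAGE_SECTION_HEADER));
                SectionHeader = types::simple_ptr<IMAGE_SECTION_HEADER>(reinterpret_cast<IMAGE_SECTION_HEADER*>((unsigned char*)SectionHeaderStart));

                // Same range test as before, written as a difference so that
                // PointerToRawData + SizeOfRawData cannot wrap around.
                // NOTE(review): both bounds are strict, so an offset exactly at
                // the start of a section's raw data matches nothing - confirm.
                if ((SectionHeader->PointerToRawData < info.w32HookCoreNameOffset)
                        && (info.w32HookCoreNameOffset - SectionHeader->PointerToRawData < SectionHeader->SizeOfRawData))
                {
                    // 2. Section found. update references
                    // NOTE(review): the x64 offset is translated with the section
                    // chosen for the w32 offset and is not range-checked itself;
                    // this presumably assumes both names sit in one section.
                    unsigned int w32SectionStartRva = info.w32HookCoreNameOffset - SectionHeader->PointerToRawData;
                    unsigned int x64SectionStartRva = info.x64HookCoreNameOffset - SectionHeader->PointerToRawData;

                    // 3. Set the offset from the ImageBase with taking into account section virtual address
                    info.w32HookCoreNameOffset = (unsigned int)(SectionHeader->VirtualAddress + w32SectionStartRva);
                    info.x64HookCoreNameOffset = (unsigned int)(SectionHeader->VirtualAddress + x64SectionStartRva);
                    break;
                }
            }

            return true;
        }
    }

    info.ImgBase = ImgBase;

    return false;
}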
コード例 #4
ファイル: ScreenBuffer.cpp プロジェクト: Nillouise/WinRobot
/// Captures the part of `rc` that overlaps the device's rectangle into a
/// 32-bpp DIB section backed by the file-mapping bitmap.
///
/// @param hDev    Device context to copy pixels from.
/// @param rc      Requested capture rectangle; it is intersected with
///                GetDCRect(hDev) before use.
/// @param szName  Forwarded unchanged to CFileMappingBitmap::Create.
/// @return false when CreateCompatibleDC, CFileMappingBitmap::Create or
///         CreateDIBSection fails; true otherwise.
///
/// NOTE(review): szName presumably names the file-mapping object. If so, the
/// captured screen contents can be opened by name from other processes that
/// pass its access check - confirm what security attributes
/// CFileMappingBitmap::Create applies.
bool CScreenBuffer::Create(HDC hDev,const RECT & rc,LPCTSTR szName )
{
	TrackDebugOut;
	Destroy();

	m_hMemDC = CreateCompatibleDC(hDev);
	if(NULL == m_hMemDC){
		DebugOutF(filelog::log_error,("CreateCompatibleDC failed with %d"),GetLastError() );
		return false;
	}

	// Clip the request to what the device actually covers.
	RECT rcDevice = GetDCRect(hDev);
	RECT rcCapture;
	IntersectRect(&rcCapture,&rcDevice,&rc);

	LONG lWidth  = rcCapture.right - rcCapture.left;
	LONG lHeight = rcCapture.bottom - rcCapture.top;
	LONG lBitsPPix = 32;//GetDeviceCaps(hDev,BITSPIXEL);
	// Computed as in the original; the value is not used further down.
	LONG dwImageSize = lHeight*CalculatePitch(CalculateLine(lWidth,lBitsPPix));

	// save [bmp file header] + [bmp info header] + [bmp data] to the file mapping object
	// A colour table is only fetched below 16 bpp; with the depth fixed at 32
	// the branch is never taken and the colour count stays 0.
	RGBQUAD rgbquad[256];
	LONG biClrUsed = 0;
	if (lBitsPPix < 16)
	{
		TrackDebugOut;
		biClrUsed = GetDIBColorTable(hDev,0,256,rgbquad);
	}

	const bool bMapped = CFileMappingBitmap::Create(lWidth,lHeight,lBitsPPix,biClrUsed,rgbquad,szName);
	if(!bMapped)
	{
		return false;
	}

	// The DIB section's pixels live in the mapping, starting at bfOffBits.
	m_hBmp = CreateDIBSection(m_hMemDC,(BITMAPINFO*)InfoHeader(),DIB_RGB_COLORS, (void**)&m_pBuff, GetHandle(), FileHeader()->bfOffBits);
	if(NULL == m_hBmp){
		DebugOutF(filelog::log_error,("CreateDIBSection failed %d"),GetLastError() );
		return false;
	}

	SelectObject(m_hMemDC,m_hBmp);
	// NOTE(review): the BitBlt result is not checked, so a failed copy still
	// returns true.
	BitBlt(m_hMemDC,0,0,lWidth,lHeight,hDev,rcCapture.left,rcCapture.top,SRCCOPY|CAPTUREBLT);
	return true;
}