// Main program entry point int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE, LPSTR lpCmdLine, int nShowCmd) { // Try to initiate DWMAPI.DLL on Windows 7 if(IsWindows7()) { InitDWMAPI(); } // Provide a custom exception handler SetUnhandledExceptionFilter(ExceptionFilter); hAppInst = hInstance; // Make version string if (nBurnVer & 0xFF) { // private version (alpha) _stprintf(szAppBurnVer, _T("%x.%x.%x.%02x"), nBurnVer >> 20, (nBurnVer >> 16) & 0x0F, (nBurnVer >> 8) & 0xFF, nBurnVer & 0xFF); } else {
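// Size in bytes of the snapshot buffer handed to the driver for the nsiproxy
// dispatch table (unchanged from the original allocation).
// NOTE(review): the capacity of NSIPROXYDISPATCHBAKUP::NsiproxyDispatch[] is
// declared elsewhere; ulCount comes back from the driver and is not bounded
// against it here — confirm the two agree before trusting large counts.
static const size_t kNsiproxyBackupBytes = sizeof(NSIPROXYDISPATCHBAKUP) * IRP_MJ_MAXIMUM_FUNCTION * 2;

// Appends src to dst without overrunning a dst buffer of cap WCHARs.
// dst stays NUL-terminated; excess input is truncated silently.
static void NsiproxyAppendW(WCHAR* dst, size_t cap, const WCHAR* src)
{
    const size_t used = wcslen(dst);
    if (used + 1 >= cap) {
        return;
    }
    wcsncat(dst, src, cap - used - 1);
}

// Rewrites the kernel-style image path reported by the driver into a DOS path
// that SHGetFileInfo() can open. lpwzSysDisk is the drive of the Windows
// directory ("C:" style, no trailing backslash). The mapping is the same as
// the original goto chain, including its substring (not prefix) matching:
//   contains "\??\"                -> image without the first 4 characters
//   contains "\WINDOWS\system32\"  -> <disk> + image
//   contains "\SystemRoot\"        -> <disk>\WINDOWS\ + image without "\SystemRoot\"
//   anything else                  -> <disk>\WINDOWS\system32\drivers\ + image
// The result is bounded to cap WCHARs; the original wcscat()/wcsncpy() calls
// were unbounded.
static void NsiproxyBuildDosPath(const WCHAR* lpwzImage, const WCHAR* lpwzSysDisk, WCHAR* lpwzOut, size_t cap)
{
    const WCHAR* const kNtPrefix = L"\\??\\";
    const WCHAR* const kSystemRoot = L"\\SystemRoot\\";
    lpwzOut[0] = 0;
    if (wcsstr(lpwzImage, kNtPrefix)) {
        NsiproxyAppendW(lpwzOut, cap, lpwzImage + wcslen(kNtPrefix));
    } else if (wcsstr(lpwzImage, L"\\WINDOWS\\system32\\")) {
        NsiproxyAppendW(lpwzOut, cap, lpwzSysDisk);
        NsiproxyAppendW(lpwzOut, cap, lpwzImage);
    } else if (wcsstr(lpwzImage, kSystemRoot)) {
        NsiproxyAppendW(lpwzOut, cap, lpwzSysDisk);
        NsiproxyAppendW(lpwzOut, cap, L"\\WINDOWS\\");
        NsiproxyAppendW(lpwzOut, cap, lpwzImage + wcslen(kSystemRoot));
    } else {
        NsiproxyAppendW(lpwzOut, cap, lpwzSysDisk);
        NsiproxyAppendW(lpwzOut, cap, L"\\WINDOWS\\system32\\drivers\\");
        NsiproxyAppendW(lpwzOut, cap, lpwzImage);
    }
}

// Enumerates the nsiproxy.sys dispatch table as reported by the driver and
// fills m_list with one row per entry; in one-click check mode
// (bIsPhysicalCheck) only hooked entries are recorded, into the list and the
// PhysicalFile report. m_hWnd/ID identify the status text control that
// receives progress messages. When IsWindows7() is false a "not supported"
// status is shown and nothing else happens.
// Side effects: reallocates the global NsiproxyDispatchBakUp snapshot and
// (re)creates the global NsiproxyImg icon list.
// Fixes vs. the original: the previous snapshot is actually released
// (VirtualFree needs MEM_RELEASE, not MEM_RESERVE|MEM_COMMIT), the string
// conversions pass real buffer capacities, and path building is bounded.
void QueryNsipHook(HWND m_hWnd,ULONG ID,CMyList *m_list)
{
    if (!IsWindows7()) {
        SetDlgItemTextW(m_hWnd,ID,L"不支持当前系统Nsiproxy的枚举...");
        return;
    }

    // NOTE(review): Create() is called on every scan; whether CImageList
    // releases a previously attached list here is not visible in this file.
    NsiproxyImg.Create(16,16, ILC_COLOR32, 2, 100);
    SetDlgItemTextW(m_hWnd,ID,L"正在扫描Nsiproxy/Dispatch,请稍后...");
    if (bIsPhysicalCheck){
        SaveToFile("\r\n\r\n[---NSIPROXY.SYS---]\r\n",PhysicalFile);
    }

    // Release the snapshot of the previous scan. A region obtained from
    // VirtualAlloc() is freed with MEM_RELEASE and a size of 0; the original
    // passed MEM_RESERVE|MEM_COMMIT, which is not a valid free type, so every
    // rescan leaked the buffer.
    if (NsiproxyDispatchBakUp) {
        VirtualFree(NsiproxyDispatchBakUp, 0, MEM_RELEASE);
        NsiproxyDispatchBakUp = 0;
    }
    NsiproxyDispatchBakUp = static_cast<PNSIPROXYDISPATCHBAKUP>(
        VirtualAlloc(0, kNsiproxyBackupBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE));

    // Drive letter of the Windows directory ("C:"), shared by every row.
    WCHAR lpwzWinDir[256] = {0};
    WCHAR lpwzSysDisk[4] = {0};
    // GetWindowsDirectoryW takes the size in characters, not bytes.
    GetWindowsDirectoryW(lpwzWinDir, sizeof(lpwzWinDir) / sizeof(lpwzWinDir[0]));
    wcsncpy(lpwzSysDisk, lpwzWinDir, 2);

    int i = 0;
    if (NsiproxyDispatchBakUp) {
        memset(NsiproxyDispatchBakUp, 0, kNsiproxyBackupBytes);
        DWORD dwReadByte = 0;
        // Presumably the project's channel to the driver: a ReadFile on the
        // LIST_NSIPROXY_HOOK pseudo-handle. If it fails the buffer stays
        // zeroed, ulCount is 0 and the loop below reports an empty table.
        ReadFile((HANDLE)LIST_NSIPROXY_HOOK, NsiproxyDispatchBakUp, kNsiproxyBackupBytes, &dwReadByte, 0);
        const int count = (int)NsiproxyDispatchBakUp->ulCount;

        for (i = 0; i < count; i++) {
            WCHAR lpwzTextOut[100] = {0};
            wsprintfW(lpwzTextOut,L"共有 %d 个数据,正在扫描第 %d 个,请稍后...",NsiproxyDispatchBakUp->ulCount,i);
            SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);

            WCHAR lpwzNumber[256] = {0};
            WCHAR lpwzHookType[256] = {0};
            WCHAR lpwzFunction[256] = {0};
            WCHAR lpwzHookModuleImage[256] = {0};
            WCHAR lpwzCurrentNtfsDispatch[256] = {0};
            WCHAR lpwsNtfsDispatch[256] = {0};
            WCHAR lpwzHookModuleBase[256] = {0};
            WCHAR lpwzHookModuleSize[256] = {0};
            WCHAR lpwzDosFullPath[256] = {0};

            // Hooked: 0 = clean, 1 = dispatch pointer replaced, 2 = inline
            // patch; any other value leaves the column empty (as before).
            switch (NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked) {
            case 0: StrCatW(lpwzHookType,L"-"); break;
            case 1: StrCatW(lpwzHookType,L"nsiprroxy hook"); break;
            case 2: StrCatW(lpwzHookType,L"nsiprroxy Inline hook"); break;
            }
            wsprintfW(lpwzNumber,L"%d",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulNumber);
            // The base-module name is ANSI. Pass the real output capacity in
            // WCHARs: the original passed strlen(), which is one short of the
            // terminator and never bounded the 256-WCHAR buffer.
            // NOTE(review): assumes the driver NUL-terminates lpszBaseModule — confirm.
            MultiByteToWideChar(CP_ACP, 0,
                NsiproxyDispatchBakUp->NsiproxyDispatch[i].lpszBaseModule, -1,
                lpwzHookModuleImage, sizeof(lpwzHookModuleImage) / sizeof(lpwzHookModuleImage[0]));
            wsprintfW(lpwzFunction,L"%ws",NsiproxyDispatchBakUp->NsiproxyDispatch[i].lpwzNsiproxyDispatchName);
            wsprintfW(lpwzCurrentNtfsDispatch,L"0x%08X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulCurrentNsiproxyDispatch);
            wsprintfW(lpwsNtfsDispatch,L"0x%08X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulNsiproxyDispatch);
            wsprintfW(lpwzHookModuleBase,L"0x%X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulModuleBase);
            wsprintfW(lpwzHookModuleSize,L"0x%X",NsiproxyDispatchBakUp->NsiproxyDispatch[i].ulModuleSize);
            NsiproxyBuildDosPath(lpwzHookModuleImage, lpwzSysDisk, lpwzDosFullPath,
                sizeof(lpwzDosFullPath) / sizeof(lpwzDosFullPath[0]));

            if (bIsPhysicalCheck){
                // One-click check: clean entries are skipped, hooked ones go to
                // the report line and the PhysicalFile log instead of a grid row.
                if (NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked == 0){
                    continue;
                }
                // One extra WCHAR so wsprintfW's 1024-character limit plus the
                // terminator always fits.
                WCHAR lpwzSaveBuffer[1024 + 1] = {0};
                CHAR lpszSaveBuffer[2024] = {0};
                wsprintfW(lpwzSaveBuffer,L" --> 发现Hook:ID:%ws | 当前地址:%ws | 原始地址:%ws | 函数名:%ws | 内核模块:%ws | Hook类型:%ws\r\n",
                    lpwzNumber,lpwzCurrentNtfsDispatch,lpwsNtfsDispatch,lpwzFunction,lpwzDosFullPath,lpwzHookType);
                m_list->InsertItem(0,L"NSIPROXY.SYS",RGB(77,77,77));
                m_list->SetItemText(0,1,lpwzSaveBuffer);
                // Pass the real output capacity: the original used wcslen()*2,
                // which leaves no room for the terminator when every character
                // is double-byte under CP_ACP.
                WideCharToMultiByte(CP_ACP, 0, lpwzSaveBuffer, -1, lpszSaveBuffer, sizeof(lpszSaveBuffer), NULL, NULL);
                SaveToFile(lpszSaveBuffer,PhysicalFile);
                continue;
            }

            // Normal mode: grey row for a clean entry, pink for a hooked one.
            const bool hooked = NsiproxyDispatchBakUp->NsiproxyDispatch[i].Hooked != 0;
            m_list->InsertItem(i, lpwzNumber, hooked ? RGB(255,20,147) : RGB(77,77,77));
            m_list->SetItemText(i,1,lpwzFunction);
            m_list->SetItemText(i,2,lpwzCurrentNtfsDispatch);
            m_list->SetItemText(i,3,lpwsNtfsDispatch);
            m_list->SetItemText(i,4,lpwzDosFullPath);
            m_list->SetItemText(i,5,lpwzHookModuleBase);
            m_list->SetItemText(i,6,lpwzHookModuleSize);
            m_list->SetItemText(i,7,lpwzHookType);

            // Shell icon of the owning module; image index i is paired with row i.
            // NOTE(review): if the file cannot be opened hIcon stays NULL and
            // Add() may not allocate an index, which would shift later rows'
            // icons — as in the original.
            SHFILEINFO shfileinfo = {0};
            ::SHGetFileInfo(lpwzDosFullPath,0,&shfileinfo,sizeof(shfileinfo),SHGFI_ICON);
            NsiproxyImg.Add(shfileinfo.hIcon);
            m_list->SetImageList(&NsiproxyImg);
            m_list->SetItemImageId(i,i);
            if (shfileinfo.hIcon) {
                DestroyIcon(shfileinfo.hIcon);
            }
        }
    }

    // i equals the number of entries processed (0 when the snapshot could not
    // be allocated).
    WCHAR lpwzTextOut[100] = {0};
    wsprintfW(lpwzTextOut,L"Nsiproxy/Dispatch 扫描完毕,共有 %d 个数据",i);
    SetDlgItemTextW(m_hWnd,ID,lpwzTextOut);
}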
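// Width in bytes of the handshake word the driver returns through ReadFile().
static const size_t kSafeHandshakeBytes = 8;

// How many times (3 s apart) the handshake is re-polled after loading the
// driver before initialisation is declared failed. With the original loop the
// sixth unsuccessful poll aborts, which this constant reproduces.
static const int kSafeHandshakeRetries = 5;

// Reads the driver's handshake word into lpszInit. The buffer is one byte
// larger than the read so the result is always NUL-terminated (the original
// read 8 bytes into an 8-byte buffer and then ran strcmpi() over it). It is
// pre-filled with "Safe" so a driver that is not answering leaves a value that
// matches neither "hehe" nor "call".
static void ReadSafeHandshake(char (&lpszInit)[kSafeHandshakeBytes + 1])
{
    DWORD dwReadByte = 0;
    memset(lpszInit, 0, sizeof(lpszInit));
    memcpy(lpszInit, "Safe", 4);
    ReadFile((HANDLE)SAFE_SYSTEM, lpszInit, kSafeHandshakeBytes, &dwReadByte, 0);
}

// The driver reported that the A-Protect image failed its integrity check:
// tell the user, optionally open the official download page, and terminate.
// Never returns.
// NOTE(review): the download link is served over plain http, so its content
// is not authenticated in transit — consider https; the string is kept as-is.
static void RefuseTamperedImage(HWND hwndDlg)
{
    if (MessageBoxA(hwndDlg,"拒绝启动\r\n\r\n原因:无法验证当前A盾文件的完整性。文件有可能被修改、感染、或者捆绑其他程序\r\n\r\n是否前往官方下载最新版?","“A盾电脑防护”",MB_ICONERROR | MB_YESNO) == IDYES) {
        ShellExecuteW(0,0,L"http://www.3600safe.com/",0,0,SW_SHOW);
    }
    ExitProcess(0);
}

// Removes the dropped driver file and its temporary service key. Safe to call
// more than once; failures are ignored, as in the original.
static void RemoveDriverArtifacts(const char* lpszDriverPath, const char* lpszServiceKey)
{
    DeleteFileA(lpszDriverPath);
    SHDeleteKeyA(HKEY_LOCAL_MACHINE, lpszServiceKey);
}

// Loads the A-Protect kernel driver if it is not already answering, then
// waits for its readiness handshake.
// Returns TRUE once the driver answers "hehe". Every failure path shows a
// message box and terminates the process with ExitProcess(), so callers never
// observe FALSE. hwndDlg is only used as the owner of those message boxes.
BOOL Install(HWND hwndDlg)
{
    char lpszInit[kSafeHandshakeBytes + 1] = {0};
    char lpszWindowsPath[256] = {0};
    char lpszNumber[256] = {0};
    char lpszSrvices[256] = {0};

    // Fast path: the driver is already resident and answering.
    ReadSafeHandshake(lpszInit);
    if (strcmpi("hehe", lpszInit) == 0) {
        return TRUE;
    }
    if (strcmpi("call", lpszInit) == 0) {
        RefuseTamperedImage(hwndDlg);
    }

    // When started from the Run key the driver should already be up, so a
    // failed handshake means the driver could not start; do not try to
    // (re)install it, just report and stop.
    char lpszAProtectRunKey[100] = {0};
    QueryUserAgent(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","A-Protect",lpszAProtectRunKey);
    if (strstr(lpszAProtectRunKey,"\\") != 0) {
        MessageBoxA(hwndDlg,"“A盾电脑防护”初始化失败:\r\n\r\n1:病毒阻止了“A盾电脑防护”的启动\r\n2:某些安全软件恢复、阻止“A盾电脑防护”的钩子\r\n3:和某些杀毒或者安全软件不兼容导致“A盾电脑防护”的初始化失败\r\n4:深度防御、深度服务扫描失败,请重新启动电脑即可。","“A盾电脑防护”",MB_ICONERROR);
        ExitProcess(0);
    }

    // The driver is dropped as <windir>\A-Protect.sys and registered under a
    // service of the same name; a stale key from an earlier run is removed first.
    strcpy(lpszNumber, "A-Protect");
    sprintf(lpszSrvices,"SYSTEM\\CurrentControlSet\\Services\\%s",lpszNumber);
    SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);

    // GetWindowsDirectoryA returns the required length when the buffer is too
    // small; "\" + name + ".sys" + NUL must still fit afterwards (the original
    // strcat() calls were unbounded).
    const size_t dirLen = GetWindowsDirectoryA(lpszWindowsPath, sizeof(lpszWindowsPath));
    if (dirLen == 0 || dirLen + 1 + strlen(lpszNumber) + 4 >= sizeof(lpszWindowsPath)) {
        MessageBoxA(hwndDlg,"释放驱动文件失败","“A盾电脑防护”",MB_ICONERROR);
        ExitProcess(0);
    }
    strcat(lpszWindowsPath,"\\");
    strcat(lpszWindowsPath,lpszNumber);
    strcat(lpszWindowsPath,".sys");

    // BFS_WriteFile's result is not checked; the file's existence is the
    // success test, as before.
    BFS_WriteFile( lpszWindowsPath, lpszKernelModule, sizeof(lpszKernelModule) );
    if (GetFileAttributesA(lpszWindowsPath) == INVALID_FILE_ATTRIBUTES) {
        if (IsWindows7())
            MessageBoxA(hwndDlg,"释放驱动文件失败,win7系统下右键“以管理员身份运行”","“A盾电脑防护”",MB_ICONERROR);
        else
            MessageBoxA(hwndDlg,"释放驱动文件失败","“A盾电脑防护”",MB_ICONERROR);
        ExitProcess(0);
    }

    if(!EnableDebugPriv(SE_LOAD_DRIVER_NAME)) {
        DeleteFileA(lpszWindowsPath);
        MessageBoxA(hwndDlg,"没有足够的权限加载驱动!","“A盾电脑防护”",MB_ICONERROR);
        ExitProcess(0);
    }
    // (An earlier ZwLoadDriver-based path, which needed the "\??\" form of
    // the file name, was already disabled; only the service loader remains.)
    if (!LoadNTDriver(lpszNumber,lpszWindowsPath)){
        RemoveDriverArtifacts(lpszWindowsPath, lpszSrvices);
        MessageBoxA(hwndDlg,"加载驱动失败!","“A盾电脑防护”",MB_ICONERROR);
        ExitProcess(0);
    }
    // The driver is resident now; the on-disk image and the service key are
    // no longer needed.
    RemoveDriverArtifacts(lpszWindowsPath, lpszSrvices);

    // Poll the handshake until the driver reports ready, refuses, or the
    // retry budget is exhausted.
    for (int attempt = 1; ; ++attempt) {
        Sleep(3000);
        ReadSafeHandshake(lpszInit);
        if (strcmpi("hehe", lpszInit) == 0) {
            return TRUE;
        }
        if (strcmpi("call", lpszInit) == 0) {
            RefuseTamperedImage(hwndDlg);
        }
        if (attempt > kSafeHandshakeRetries) {
            MessageBoxA(hwndDlg,"“A盾电脑防护”初始化失败,有可能如下原因导致:\r\n\r\n1:病毒阻止了“A盾电脑防护”的启动\r\n2:某些安全软件恢复、阻止“A盾电脑防护”的钩子\r\n3:和某些杀毒或者安全软件不兼容导致“A盾电脑防护”的初始化失败\r\n4:深度防御、深度服务扫描失败,请重新启动电脑即可。","“A盾电脑防护”",MB_ICONERROR);
            RemoveDriverArtifacts(lpszWindowsPath, lpszSrvices);
            ExitProcess(0);
        }
    }
}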