//////////////////////////////////////////////////////////////////////////
// Install
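bool	GalaxyApMGR::SetupReloadOS(char *pDriverName)
{
	// Loads <current directory>\<pDriverName>.sys as an NT driver and, if that
	// succeeds, sends IOCTL_HOOKPORTBYPASS_HOOKPORT to it.  m_bSetupReloadOS is
	// set and m_uNewOsBaseDelt computed only when both steps succeed.
	//
	// pDriverName: driver/service base name without the ".sys" suffix.  It is
	//   also copied into szReloadOsDriverName, whose capacity is not visible in
	//   this block — TODO(review): confirm it can hold the longest expected name.
	// Returns true on full success; false (after a myprint diagnostic) otherwise.
	bool	bret	=	false;
	do
	{
		if (pDriverName == NULL || pDriverName[0] == '\0')
		{
			myprint("LoadDriver fail: empty driver name\r\n");
			break;
		}
		strcpy(szReloadOsDriverName, pDriverName);

		// The .sys is resolved relative to the process's current directory, so
		// the caller must make sure that directory is the intended, trusted one.
		char	szfilesysPath[1024];
		ZeroMemory(szfilesysPath, sizeof(szfilesysPath));
		const auto	cchDir	=	GetCurrentDirectory(sizeof(szfilesysPath), szfilesysPath);
		// 0 = the call failed; >= buffer size = the path did not fit (the
		// return value is then the size required, and the buffer is unusable).
		if (cchDir == 0 || cchDir >= sizeof(szfilesysPath))
		{
			myprint("GetCurrentDirectory fail\r\n");
			break;
		}
		// "\" + name + ".sys" must fit in the remaining space, NUL included.
		const size_t	cchNeeded	=	cchDir + 1 + strlen(pDriverName) + strlen(".sys");
		if (cchNeeded >= sizeof(szfilesysPath))
		{
			myprint("LoadDriver %s fail: path too long\r\n", pDriverName);
			break;
		}
		strcat(szfilesysPath, "\\");
		strcat(szfilesysPath, pDriverName);
		strcat(szfilesysPath, ".sys");

		// LoadNTDriver also reports success when the driver is already running.
		bret	=	LoadNTDriver(pDriverName, szfilesysPath);
		if (!bret)
		{
			myprint("LoadDriver %s fail\r\n", szfilesysPath);
			break;
		}
		if (SendHookPort(IOCTL_HOOKPORTBYPASS_HOOKPORT))
		{
			bret	=	m_bSetupReloadOS	=	true;
			m_uNewOsBaseDelt	=	m_uNewOsBase	-	m_OsBaseAddress;
		}
		else
		{
			myprint("SendHookPort() fail\r\n");
		}
	}
	while(0);

	return	bret;
}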
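void LoadAndRun()
{
	// Drops the embedded kernel module (KernelModule) into
	// <system directory>\<SYS_NAME>.sys, loads and starts it as an NT driver,
	// removes the file again and then calls Init().  Every failure terminates
	// the process with ExitProcess(0); on each path where the .sys has already
	// been written it is deleted first, so no copy is left on disk.
	char filePath[MAX_PATH] = {0};

	// GetSystemDirectory returns 0 on failure and the required size (>= the
	// buffer) when the path does not fit; neither case yields a usable path.
	const auto cchSysDir = GetSystemDirectory(filePath, sizeof(filePath));
	if (cchSysDir == 0 || cchSysDir >= sizeof(filePath))
	{
		ExitProcess(0);
	}
	// The strcat_s array overloads bound every append to sizeof(filePath).
	strcat_s(filePath, "\\");
	strcat_s(filePath, SYS_NAME);
	strcat_s(filePath, ".sys");

	// ExtractSysFile's return value is not used; the existence check below is
	// what decides whether the extraction worked.
	ExtractSysFile(filePath, KernelModule, sizeof(KernelModule));
	if (GetFileAttributes(filePath) == INVALID_FILE_ATTRIBUTES)
	{
		ShowERR("ÊÍ·ÅÎļþʧ°Ü.");
		ExitProcess(0);
	}

	if (!EnableDebugPriv(SE_LOAD_DRIVER_NAME))
	{
		// The file exists by now: remove it like the later failure paths do,
		// instead of leaving a stray driver image in the system directory.
		DeleteFile(filePath);
		ShowERR("ȨÏÞ²»¹».");
		ExitProcess(0);
	}

	if (!LoadNTDriver(SYS_NAME, filePath))
	{
		DeleteFile(filePath);
		ExitProcess(0);
	}

	if (!StartDriver(SYS_NAME))
	{
		ShowERR("Æô¶¯Ê§°Ü.");
		DeleteFile(filePath);
		ExitProcess(0);
	}

	// The driver is running; the on-disk image is no longer needed.
	DeleteFile(filePath);

	Init();
}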
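bool	GalaxyApMGR::SetupMyKidispatchexcepion(char *pDriverName)
{
	// Loads <current directory>\<pDriverName>.sys as an NT driver and then runs
	// the project's setup chain (FixExceptionDriverSymAddress, HookDIspatchException,
	// HookOldFuns, HookNew2My, SendReplace); the first failing step aborts the
	// sequence.  m_bSetupKidisp records the overall result.
	//
	// pDriverName: driver/service base name without the ".sys" suffix.  It is
	//   also copied into szExceptionDriverName, whose capacity is not visible in
	//   this block — TODO(review): confirm it can hold the longest expected name.
	// Returns true only when every step succeeded; each failure is reported
	// through myprint.
	bool	bret	=	false;
	do
	{
		if (pDriverName == NULL || pDriverName[0] == '\0')
		{
			myprint("LoadDriver fail: empty driver name\r\n");
			break;
		}
		strcpy(szExceptionDriverName, pDriverName);

		// The .sys is resolved relative to the process's current directory, so
		// the caller must make sure that directory is the intended, trusted one.
		char	szfilesysPath[1024];
		ZeroMemory(szfilesysPath, sizeof(szfilesysPath));
		const auto	cchDir	=	GetCurrentDirectory(sizeof(szfilesysPath), szfilesysPath);
		// 0 = the call failed; >= buffer size = the path did not fit.
		if (cchDir == 0 || cchDir >= sizeof(szfilesysPath))
		{
			myprint("GetCurrentDirectory fail\r\n");
			break;
		}
		// "\" + name + ".sys" must fit in the remaining space, NUL included.
		const size_t	cchNeeded	=	cchDir + 1 + strlen(pDriverName) + strlen(".sys");
		if (cchNeeded >= sizeof(szfilesysPath))
		{
			myprint("LoadDriver %s fail: path too long\r\n", pDriverName);
			break;
		}
		strcat(szfilesysPath, "\\");
		strcat(szfilesysPath, pDriverName);
		strcat(szfilesysPath, ".sys");

		bret	=	LoadNTDriver(pDriverName, szfilesysPath);
		if (!bret)
		{
			myprint("LoadDriver %s fail\r\n", szfilesysPath);
			break;
		}
		// Publish the new OS base first (only meaningful once SetupReloadOS has
		// run); per the original comment the driver uses it when it searches
		// for kidispatchexception.
		if (m_bSetupReloadOS)
		{
			SetNewOsAddress();
		}
		bret	=	FixExceptionDriverSymAddress();
		if (!bret)
		{
			myprint("FixExceptionDriverSymAddress fail\r\n");
			break;
		}
		bret	=	HookDIspatchException();
		if (!bret)
		{
			myprint("HookDIspatchException fail\r\n");
			break;
		}
		bret	=	HookOldFuns();
		if (!bret)
		{
			myprint("HookOldFuns fail\r\n");
			break;
		}
		bret	=	HookNew2My();
		if (!bret)
		{
			myprint("HookNew2My fail\r\n");
			break;
		}
		bret	=	SendReplace();
		if (!bret)
		{
			myprint("SendReplace fail\r\n");
			break;
		}

		myprint("发送Dispatch Hook 返回成功\r\n");
	} while (0);
	m_bSetupKidisp	=	bret;
	return bret;
}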
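// Reads the driver's initialisation status into lpszStatus.  The status is
// obtained with ReadFile on the handle value SAFE_SYSTEM (what serves that
// handle is not visible in this file).  The buffer is pre-filled with "Safe";
// if the read returns nothing, that value stays and the callers treat it as
// "not initialised yet".  The 9th byte is always NUL, so a full 8-byte read
// still leaves a terminated string for strcmpi.
static void ReadDriverInitStatus(char (&lpszStatus)[9])
{
	DWORD dwReadByte = 0;
	memset(lpszStatus, 0, sizeof(lpszStatus));
	strcat(lpszStatus, "Safe");
	ReadFile((HANDLE)SAFE_SYSTEM, lpszStatus, 8, &dwReadByte, 0);
	lpszStatus[8] = '\0';
}

// Status "call" means the driver rejected the program's integrity.  Offers to
// open the download page, then terminates the process.
static void RefuseStartAndExit(HWND hwndDlg)
{
	if (MessageBoxA(hwndDlg,"拒绝启动\r\n\r\n原因:无法验证当前A盾文件的完整性。文件有可能被修改、感染、或者捆绑其他程序\r\n\r\n是否前往官方下载最新版?","“A盾电脑防护”",MB_ICONERROR | MB_YESNO) == IDYES)
	{
		ShellExecuteW(0,0,L"http://www.3600safe.com/",0,0,SW_SHOW);
	}
	ExitProcess(0);
}

// Installs and starts the A-Protect driver unless it already reports itself
// initialised ("hehe").  The embedded module is written to
// <windows dir>\A-Protect.sys, loaded with LoadNTDriver, and the file and its
// service key are removed again; the driver's status is then polled up to six
// times, 3 s apart.  Every failure shows a message box and terminates the
// process; the function returns TRUE only on success.
//
// hwndDlg: owner window for the message boxes.
BOOL Install(HWND hwndDlg)
{
	char lpszInit[9] = {0};
	char lpszWindowsPath[256] = {0};
	char lpszNumber[256] = {0};

	ReadDriverInitStatus(lpszInit);
	if (strcmpi("hehe",lpszInit) == 0)
	{
		// Driver already running and initialised: nothing to install.
		return TRUE;
	}
	if (strcmpi("call",lpszInit) == 0)
	{
		RefuseStartAndExit(hwndDlg);
	}

	// When started from the Run key the driver should already be initialised;
	// reaching this point means it failed to start, so do not reinstall.
	// NOTE(review): QueryUserAgent's bound on the 100-byte buffer is not
	// visible here — confirm it cannot overrun.
	char lpszAProtectRunKey[100] = {0};
	QueryUserAgent(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","A-Protect",lpszAProtectRunKey);
	if (strstr(lpszAProtectRunKey,"\\") != 0)
	{
		MessageBoxA(hwndDlg,"“A盾电脑防护”初始化失败:\r\n\r\n1:病毒阻止了“A盾电脑防护”的启动\r\n2:某些安全软件恢复、阻止“A盾电脑防护”的钩子\r\n3:和某些杀毒或者安全软件不兼容导致“A盾电脑防护”的初始化失败\r\n4:深度防御、深度服务扫描失败,请重新启动电脑即可。","“A盾电脑防护”",MB_ICONERROR);
		ExitProcess(0);
	}

	strcpy(lpszNumber,"A-Protect");

	// GetWindowsDirectoryA returns 0 on failure; "\" + name + ".sys" must also
	// still fit (NUL included) before the appends below.
	const auto cchWinDir = GetWindowsDirectoryA(lpszWindowsPath, sizeof(lpszWindowsPath));
	if (cchWinDir == 0 || cchWinDir + 1 + strlen(lpszNumber) + strlen(".sys") >= sizeof(lpszWindowsPath))
	{
		ExitProcess(0);
	}

	char lpszSrvices[256] = {0};
	sprintf(lpszSrvices,"SYSTEM\\CurrentControlSet\\Services\\%s",lpszNumber);
	// Remove any stale service definition from an earlier run.
	SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);

	strcat(lpszWindowsPath,"\\");
	strcat(lpszWindowsPath,lpszNumber);
	strcat(lpszWindowsPath,".sys");

	// BFS_WriteFile's result is not used; the attribute check below decides
	// whether the driver image was actually written.
	BFS_WriteFile(lpszWindowsPath, lpszKernelModule, sizeof(lpszKernelModule));
	if (GetFileAttributesA(lpszWindowsPath) == INVALID_FILE_ATTRIBUTES)
	{
		if (IsWindows7())
			MessageBoxA(hwndDlg,"释放驱动文件失败,win7系统下右键“以管理员身份运行”","“A盾电脑防护”",MB_ICONERROR);
		else
			MessageBoxA(hwndDlg,"释放驱动文件失败","“A盾电脑防护”",MB_ICONERROR);

		ExitProcess(0);
	}

	if(!EnableDebugPriv(SE_LOAD_DRIVER_NAME))
	{
		DeleteFileA(lpszWindowsPath);
		MessageBoxA(hwndDlg,"没有足够的权限加载驱动!","“A盾电脑防护”",MB_ICONERROR);
		ExitProcess(0);
	}
	if (!LoadNTDriver(lpszNumber,lpszWindowsPath)){
		DeleteFileA(lpszWindowsPath);
		SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);
		MessageBoxA(hwndDlg,"加载驱动失败!","“A盾电脑防护”",MB_ICONERROR);
		ExitProcess(0);
	}
	// The driver is loaded; neither the image nor the service key is needed
	// on disk any more.
	DeleteFileA(lpszWindowsPath);
	SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);

	// Wait for the driver to report "hehe"; give up after six checks.
	for (int attempt = 0; ; ++attempt)
	{
		Sleep(3000);
		ReadDriverInitStatus(lpszInit);
		if (strcmpi("hehe",lpszInit) == 0)
		{
			break;
		}
		if (strcmpi("call",lpszInit) == 0)
		{
			RefuseStartAndExit(hwndDlg);
		}
		if (attempt >= 5)
		{
			MessageBoxA(hwndDlg,"“A盾电脑防护”初始化失败,有可能如下原因导致:\r\n\r\n1:病毒阻止了“A盾电脑防护”的启动\r\n2:某些安全软件恢复、阻止“A盾电脑防护”的钩子\r\n3:和某些杀毒或者安全软件不兼容导致“A盾电脑防护”的初始化失败\r\n4:深度防御、深度服务扫描失败,请重新启动电脑即可。","“A盾电脑防护”",MB_ICONERROR);
			SHDeleteKeyA(HKEY_LOCAL_MACHINE,lpszSrvices);
			DeleteFileA(lpszWindowsPath);
			ExitProcess(0);
		}
	}

	return TRUE;
}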
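void CFileMoniterView::OnInitialUpdate()
{
	// Loads and starts the FileMonitor driver (each step is retried up to three
	// times; the process exits on final failure), sets up the list columns,
	// opens the driver's device, hands it the notification event and starts
	// the reader thread.
	CListView::OnInitialUpdate();

	const int kMaxAttempts = 3;

	BOOL bRet = FALSE;
	for (int attempt = 0; attempt < kMaxAttempts && !bRet; ++attempt)
	{
		bRet = LoadNTDriver(SERVICE_NAME, DRIVER_NAME);
	}
	if (!bRet)
	{
		MessageBox("加载驱动失败, 程序退出运行!");
		ExitProcess(0);
		return;
	}

	bRet = FALSE;
	for (int attempt = 0; attempt < kMaxAttempts && !bRet; ++attempt)
	{
		bRet = Startservice(SERVICE_NAME, DRIVER_NAME);
	}
	if (!bRet)
	{
		MessageBox("启动服务失败, 程序退出运行!");
		ExitProcess(0);
		return;
	}

	m_pList = &GetListCtrl();
	m_pList->InsertColumn(0, "计数");
	m_pList->InsertColumn(1, "时间");
	m_pList->InsertColumn(2, "路径");

	m_pList->SetColumnWidth(0, 50);
	m_pList->SetColumnWidth(1, 150);
	m_pList->SetColumnWidth(2, 750);

	// NOTE(review): a NULL event from CreateEvent is not detected here and
	// would be handed to the driver as-is — confirm the driver rejects it.
	gEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
	gDevice = CreateFile("\\\\.\\FileMonitor",
		GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL
		);
	if (gDevice == INVALID_HANDLE_VALUE)
	{
		MessageBox("打开失败~");
	}
	else
	{
		DWORD dwRet = 0;
		// Register the event with the driver.  The result is not checked, as
		// before; the reader thread is started either way.
		DeviceIoControl(gDevice, IOCTL_FILEMON_SETEVENT, &gEvent, sizeof(HANDLE), NULL, 0, &dwRet, NULL);
	}

	AfxBeginThread(GetFileThread, this);
}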