////////////////////////////////////////////////////////////////////////// //安装 bool GalaxyApMGR::SetupReloadOS(char *pDriverName) { bool bret = false; do { strcpy(szReloadOsDriverName, pDriverName); char szfilesysPath[1024]; ZeroMemory(szfilesysPath, sizeof(szfilesysPath)); GetCurrentDirectory(1022, szfilesysPath); strcat(szfilesysPath, "\\"); strcat(szfilesysPath, pDriverName); strcat(szfilesysPath, ".sys"); bret = LoadNTDriver(pDriverName, szfilesysPath); //如果驱动已经正在运行,也会返回成功的 if (!bret) { myprint("LoadDriver %s fail\r\n", szfilesysPath); break; } if (SendHookPort(IOCTL_HOOKPORTBYPASS_HOOKPORT)) { bret = m_bSetupReloadOS = true; m_uNewOsBaseDelt = m_uNewOsBase - m_OsBaseAddress; } else { myprint("SendHookPort() fail\r\n"); } } while(0); return bret; }
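/// @brief Drops the embedded kernel module into the system directory as
///        "<sysdir>\\<SYS_NAME>.sys", loads and starts it as a service, removes
///        the on-disk copy again and then calls Init().
///
/// Every failure path terminates the process via ExitProcess(0); nothing is
/// returned to the caller.
///
/// NOTE(review): nothing here checks a signature or hash of the dropped image
/// before LoadNTDriver -- the embedded KernelModule blob is trusted as-is;
/// confirm that is intended.
void LoadAndRun()
{
    char filePath[MAX_PATH] = {0};

    // GetSystemDirectory returns 0 on failure and the required size when the
    // buffer is too small; in both cases the path built below would be bogus.
    const auto sysDirLen = GetSystemDirectory(filePath, sizeof(filePath));
    if (sysDirLen == 0 || sysDirLen >= sizeof(filePath)) {
        ShowERR("GetSystemDirectory failed.");
        ExitProcess(0);
    }
    // strcat_s is bounded by the array size; an oversized path trips the CRT
    // invalid-parameter handler rather than overflowing.
    strcat_s(filePath, "\\");
    strcat_s(filePath, SYS_NAME);
    strcat_s(filePath, ".sys");

    // Write the embedded driver to disk. ExtractSysFile's own result is not
    // inspected; the attribute probe below is the success check.
    ExtractSysFile(filePath, KernelModule, sizeof(KernelModule));
    if (GetFileAttributes(filePath) == INVALID_FILE_ATTRIBUTES) {
        ShowERR("ÊÍ·ÅÎļþʧ°Ü.");
        ExitProcess(0);
    }

    if (!EnableDebugPriv(SE_LOAD_DRIVER_NAME)) {
        // Do not leave the dropped image behind when we cannot load it.
        DeleteFile(filePath);
        ShowERR("ȨÏÞ²»¹».");
        ExitProcess(0);
    }
    if (!LoadNTDriver(SYS_NAME, filePath)) {
        DeleteFile(filePath);
        ShowERR("LoadNTDriver failed.");
        ExitProcess(0);
    }
    if (!StartDriver(SYS_NAME)) {
        ShowERR("Æô¶¯Ê§°Ü.");
        DeleteFile(filePath);
        ExitProcess(0);
    }

    // The image is in the kernel now; the file on disk is no longer needed.
    DeleteFile(filePath);
    Init();
}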
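/// @brief Loads the exception-dispatch helper driver and installs the
///        KiDispatchException hook chain through it.
///
/// The driver image is expected at "<current directory>\\<pDriverName>.sys".
/// After loading, the steps run in a fixed order and the first failing one
/// aborts the whole setup: FixExceptionDriverSymAddress, HookDIspatchException,
/// HookOldFuns, HookNew2My, SendReplace. The final result is stored in
/// m_bSetupKidisp.
///
/// @param pDriverName  Service/driver base name (without ".sys"); must not be
///                     null. It is also copied into szExceptionDriverName.
/// @return true when the driver loaded and every hook step succeeded.
///
/// NOTE(review): as in SetupReloadOS, the image comes from the process's
/// current working directory; a writable CWD lets someone else choose the
/// kernel module that gets loaded.
bool GalaxyApMGR::SetupMyKidispatchexcepion(char *pDriverName)
{
    bool bret = false;
    do {
        if (pDriverName == nullptr) {
            myprint("SetupMyKidispatchexcepion: null driver name\r\n");
            break;
        }
        // NOTE(review): the size of szExceptionDriverName is not visible here,
        // so this copy is unbounded -- confirm the member can hold every name.
        strcpy(szExceptionDriverName, pDriverName);

        // GetCurrentDirectory returns 0 on failure and the required size when
        // the buffer is too small; either case would yield a bogus path.
        char szCurDir[1024] = {0};
        const auto dirLen = GetCurrentDirectory(sizeof(szCurDir) - 2, szCurDir);
        if (dirLen == 0 || dirLen >= sizeof(szCurDir) - 2) {
            myprint("GetCurrentDirectory fail\r\n");
            break;
        }

        // Bounded build of "<cwd>\\<name>.sys"; an oversized name is rejected
        // instead of overflowing the buffer.
        char szfilesysPath[1024] = {0};
        const int pathLen = snprintf(szfilesysPath, sizeof(szfilesysPath),
                                     "%s\\%s.sys", szCurDir, pDriverName);
        if (pathLen < 0 || static_cast<size_t>(pathLen) >= sizeof(szfilesysPath)) {
            myprint("SetupMyKidispatchexcepion: driver path too long\r\n");
            break;
        }

        bret = LoadNTDriver(pDriverName, szfilesysPath);
        if (!bret) {
            myprint("LoadDriver %s fail\r\n", szfilesysPath);
            break;
        }

        // Hand the driver the relocated kernel base so its hard-coded search
        // for KiDispatchException runs against the reloaded image.
        if (m_bSetupReloadOS) {
            SetNewOsAddress();
        }

        // Each step must succeed before the next one is attempted.
        bret = FixExceptionDriverSymAddress();
        if (!bret) {
            myprint("FixExceptionDriverSymAddress fail\r\n");
            break;
        }
        bret = HookDIspatchException();
        if (!bret) {
            myprint("HookDIspatchException fail\r\n");
            break;
        }
        bret = HookOldFuns();
        if (!bret) {
            myprint("HookOldFuns fail\r\n");
            break;
        }
        bret = HookNew2My();
        if (!bret) {
            myprint("HookNew2My fail\r\n");
            break;
        }
        bret = SendReplace();
        if (!bret) {
            myprint("SendReplace fail\r\n");
            break;
        }
        myprint("发送Dispatch Hook 返回成功\r\n");
    } while (0);

    m_bSetupKidisp = bret;
    return bret;
}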
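// Dialog strings shared by the Install() failure paths (byte-for-byte as shown
// to the user).
static const char kInstallTitle[] = "“A盾电脑防护”";
static const char kInstallTamperedMsg[] = "拒绝启动\r\n\r\n原因:无法验证当前A盾文件的完整性。文件有可能被修改、感染、或者捆绑其他程序\r\n\r\n是否前往官方下载最新版?";

/// Polls the driver's init state through the SAFE_SYSTEM pseudo-handle.
/// The buffer is pre-seeded with "Safe" before the read and at most 8 bytes
/// are read back, so lpszInit[8] always stays 0 and the strcmpi() calls on the
/// result can never run past the array.
/// NOTE(review): the ReadFile result and dwReadByte are not inspected; a failed
/// read leaves "Safe" in the buffer, which matches neither "hehe" nor "call"
/// and is therefore treated as "not ready yet".
static void Install_ReadInitState(char (&lpszInit)[9])
{
    DWORD dwReadByte = 0;
    memset(lpszInit, 0, sizeof(lpszInit));
    strcat(lpszInit, "Safe");
    ReadFile((HANDLE)SAFE_SYSTEM, lpszInit, 8, &dwReadByte, 0);
}

/// The driver answered "call" (integrity check of this binary failed): offer
/// the official download page, then terminate. Never returns.
static void Install_RejectTampered(HWND hwndDlg)
{
    if (MessageBoxA(hwndDlg, kInstallTamperedMsg, kInstallTitle, MB_ICONERROR | MB_YESNO) == IDYES) {
        ShellExecuteW(0, 0, L"http://www.3600safe.com/", 0, 0, SW_SHOW);
    }
    ExitProcess(0);
}

/// @brief Installs and starts the A-Protect kernel driver if it is not
///        already answering, then waits (six polls, 3 s apart) for it to
///        report "hehe".
/// @param hwndDlg  Owner window for the error dialogs.
/// @return TRUE once the driver reports ready. Every failure path shows a
///         MessageBox and calls ExitProcess(0), so FALSE is never actually
///         returned to the caller.
BOOL Install(HWND hwndDlg)
{
    char lpszInit[9] = {0};

    // Fast path: the driver is already loaded and answering.
    Install_ReadInitState(lpszInit);
    if (strcmpi("hehe", lpszInit) == 0) {
        return TRUE;
    }
    if (strcmpi("call", lpszInit) == 0) {
        Install_RejectTampered(hwndDlg);
    }

    // Launched from the Run key but the driver is not answering: it already
    // failed during boot, so do not attempt a re-install.
    // NOTE(review): QueryUserAgent receives no buffer size; it must bound its
    // own write to 100 bytes -- confirm against its definition.
    char lpszAProtectRunKey[100] = {0};
    QueryUserAgent(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "A-Protect", lpszAProtectRunKey);
    if (strstr(lpszAProtectRunKey, "\\") != 0) {
        MessageBoxA(hwndDlg, "“A盾电脑防护”初始化失败:\r\n\r\n1:病毒阻止了“A盾电脑防护”的启动\r\n2:某些安全软件恢复、阻止“A盾电脑防护”的钩子\r\n3:和某些杀毒或者安全软件不兼容导致“A盾电脑防护”的初始化失败\r\n4:深度防御、深度服务扫描失败,请重新启动电脑即可。", kInstallTitle, MB_ICONERROR);
        ExitProcess(0);
    }

    // Service name and its registry key; a stale key from an earlier run is
    // removed before the driver is registered again.
    char lpszNumber[] = "A-Protect";
    char lpszSrvices[256] = {0};
    snprintf(lpszSrvices, sizeof(lpszSrvices), "SYSTEM\\CurrentControlSet\\Services\\%s", lpszNumber);
    SHDeleteKeyA(HKEY_LOCAL_MACHINE, lpszSrvices);

    // "<windir>\\A-Protect.sys", built with a length check instead of three
    // unbounded strcat() calls into one 256-byte buffer.
    char lpszWinDir[256] = {0};
    const auto winDirLen = GetWindowsDirectoryA(lpszWinDir, sizeof(lpszWinDir));
    if (winDirLen == 0 || winDirLen >= sizeof(lpszWinDir)) {
        MessageBoxA(hwndDlg, "释放驱动文件失败", kInstallTitle, MB_ICONERROR);
        ExitProcess(0);
    }
    char lpszWindowsPath[256] = {0};
    const int pathLen = snprintf(lpszWindowsPath, sizeof(lpszWindowsPath), "%s\\%s.sys", lpszWinDir, lpszNumber);
    if (pathLen < 0 || static_cast<size_t>(pathLen) >= sizeof(lpszWindowsPath)) {
        MessageBoxA(hwndDlg, "释放驱动文件失败", kInstallTitle, MB_ICONERROR);
        ExitProcess(0);
    }

    // Drop the embedded driver image and verify that it landed.
    BFS_WriteFile(lpszWindowsPath, lpszKernelModule, sizeof(lpszKernelModule));
    if (GetFileAttributesA(lpszWindowsPath) == INVALID_FILE_ATTRIBUTES) {
        if (IsWindows7())
            MessageBoxA(hwndDlg, "释放驱动文件失败,win7系统下右键“以管理员身份运行”", kInstallTitle, MB_ICONERROR);
        else
            MessageBoxA(hwndDlg, "释放驱动文件失败", kInstallTitle, MB_ICONERROR);
        ExitProcess(0);
    }

    if (!EnableDebugPriv(SE_LOAD_DRIVER_NAME)) {
        DeleteFileA(lpszWindowsPath);
        MessageBoxA(hwndDlg, "没有足够的权限加载驱动!", kInstallTitle, MB_ICONERROR);
        ExitProcess(0);
    }
    if (!LoadNTDriver(lpszNumber, lpszWindowsPath)) {
        DeleteFileA(lpszWindowsPath);
        SHDeleteKeyA(HKEY_LOCAL_MACHINE, lpszSrvices);
        MessageBoxA(hwndDlg, "加载驱动失败!", kInstallTitle, MB_ICONERROR);
        ExitProcess(0);
    }

    // The image is in the kernel now; leave neither the file nor the service
    // key behind.
    DeleteFileA(lpszWindowsPath);
    SHDeleteKeyA(HKEY_LOCAL_MACHINE, lpszSrvices);

    // Wait for the driver to report ready: six polls, 3 s apart.
    for (int attempt = 0; attempt < 6; ++attempt) {
        Sleep(3000);
        Install_ReadInitState(lpszInit);
        if (strcmpi("hehe", lpszInit) == 0) {
            return TRUE;
        }
        if (strcmpi("call", lpszInit) == 0) {
            Install_RejectTampered(hwndDlg);
        }
    }

    // Still no answer after the last poll: give up and clean up.
    MessageBoxA(hwndDlg, "“A盾电脑防护”初始化失败,有可能如下原因导致:\r\n\r\n1:病毒阻止了“A盾电脑防护”的启动\r\n2:某些安全软件恢复、阻止“A盾电脑防护”的钩子\r\n3:和某些杀毒或者安全软件不兼容导致“A盾电脑防护”的初始化失败\r\n4:深度防御、深度服务扫描失败,请重新启动电脑即可。", kInstallTitle, MB_ICONERROR);
    SHDeleteKeyA(HKEY_LOCAL_MACHINE, lpszSrvices);
    DeleteFileA(lpszWindowsPath);
    ExitProcess(0);
    return FALSE;
}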
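/// @brief View start-up: loads and starts the file-monitor driver (up to three
///        attempts each), sets up the list columns, opens the \\.\FileMonitor
///        device, registers the notification event with it and starts the
///        reader thread.
///
/// Driver load/start failures show a message and terminate the process.
/// gEvent and gDevice are the globals the reader thread (GetFileThread) uses.
void CFileMoniterView::OnInitialUpdate()
{
    CListView::OnInitialUpdate();

    // Up to three load attempts before giving up.
    BOOL bRet = FALSE;
    for (int attempt = 0; attempt < 3 && !bRet; ++attempt) {
        bRet = LoadNTDriver(SERVICE_NAME, DRIVER_NAME);
    }
    if (!bRet) {
        MessageBox("加载驱动失败, 程序退出运行!");
        ExitProcess(0);
        return;
    }

    // Up to three start attempts before giving up.
    bRet = FALSE;
    for (int attempt = 0; attempt < 3 && !bRet; ++attempt) {
        bRet = Startservice(SERVICE_NAME, DRIVER_NAME);
    }
    if (!bRet) {
        MessageBox("启动服务失败, 程序退出运行!");
        ExitProcess(0);
        return;
    }

    m_pList = &GetListCtrl();
    m_pList->InsertColumn(0, "计数");
    m_pList->InsertColumn(1, "时间");
    m_pList->InsertColumn(2, "路径");
    m_pList->SetColumnWidth(0, 50);
    m_pList->SetColumnWidth(1, 150);
    m_pList->SetColumnWidth(2, 750);

    // Auto-reset event the driver signals when a record is available.
    gEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (gEvent == NULL) {
        MessageBox("CreateEvent failed");
    }

    gDevice = CreateFile("\\\\.\\FileMonitor",
                         GENERIC_READ | GENERIC_WRITE,
                         0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (gDevice == INVALID_HANDLE_VALUE) {
        MessageBox("打开失败~");
    } else {
        // Hand the driver our event handle; report when it refuses.
        DWORD dwRet = 0;
        if (!DeviceIoControl(gDevice, IOCTL_FILEMON_SETEVENT,
                             &gEvent, sizeof(HANDLE), NULL, 0, &dwRet, NULL)) {
            MessageBox("IOCTL_FILEMON_SETEVENT failed");
        }
    }

    // NOTE(review): the reader thread is started even when the device could
    // not be opened (as before); GetFileThread presumably copes with an
    // INVALID_HANDLE_VALUE gDevice -- confirm.
    AfxBeginThread(GetFileThread, this);
}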