int main(int argc, char* argv[]) {
    /* Harness entry point: locate explorer.exe, acquire the debug privilege,
     * open the process, resolve its PEB base and run the two test routines.
     * Results are stored in the file-scope globals ExplorerPID, hExplorer and
     * ExplorerPEBBase, which are declared elsewhere in the file. */
    (void)argc;
    (void)argv;

    // Bail out before touching the target if it cannot be located or the
    // privilege cannot be obtained (short-circuit keeps the original order).
    if (!LookupProcessID(TEXT("explorer.exe"), &ExplorerPID) || !AcquireDebugPrivelage()) {
        return -1;
    }

    // Thread creation plus VM read/write/operation: much broader than a
    // query-only handle, and the kind of access mask endpoint monitoring
    // commonly keys on.
    const unsigned long desiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                        PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    hExplorer = OpenProcess(desiredAccess, FALSE, ExplorerPID);
    if (!hExplorer) {
        return -1;
    }

    ExplorerPEBBase = (PCHAR)GetPEBAddress(hExplorer);
    if (!ExplorerPEBBase) {
        printf("failed to get EXPLORER.EXE PEB address\n");
        CloseHandle(hExplorer);
        return -1;
    }

    WriteMem_Test();
    SuperInject_Test();

    CloseHandle(hExplorer);
    return 0;
}
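/*
 * gdiprocs entry point.
 *
 * Parses the command-line switches, walks this process's own
 * GdiSharedHandleTable collecting the owning process ids (AddUniquePid),
 * optionally compares that set against a WinAPI process snapshot, and prints
 * the resulting lists. File-scope state used here, declared elsewhere:
 * fullPath, lpfnNTQuery, gdiCnt, gdi_pids, handleCnt, api_pids, allocationUp.
 *
 * Changes from the original: standard `int main` (it was `void main`), every
 * loop declares its own index (the original reused `i` after the first `for`,
 * which only works with the pre-standard MSVC scoping rule), and the PEB
 * pointer is checked before it is dereferenced.
 *
 * Returns 0 on success, 1 when this process's PEB could not be located.
 */
int main(int argc, char** argv) {
    int apiCnt = 0;
    char pth[300];
    bool compare = false, display = false, help = false;

    // Switches are order-independent; unrecognised arguments are ignored,
    // exactly as the original parser did.
    for (int a = 1; a < argc; a++) {
        const char* arg = argv[a];
        if (strcmp(arg, "/f") == 0) {
            fullPath = true;            // file-scope flag read by GetProcessPath
        } else if (strcmp(arg, "/c") == 0) {
            compare = true;
        } else if (strcmp(arg, "/d") == 0) {
            display = true;
        } else if (strcmp(arg, "/?") == 0 || strcmp(arg, "/h") == 0 ||
                   strcmp(arg, "-h") == 0 || strcmp(arg, "-?") == 0) {
            help = true;
        }
    }

    if (help) {
        system("cls");   // spawns the shell just to clear the console
        printf("\n"
               " GDI Process Scanner - \n\n"
               " Scans the GDISharedHandleTable for processes id's\n"
               " which rootkits may be trying to hide from other\n"
               " techniques.\n\n"
               " Usage: gdiprocs.exe [ /f /c /d /? ]\n"
               "\t/f\tDisplay Fullpath of processes\n"
               "\t/c\tCompare process list w/WinApi results\n"
               "\t/d\tDisplay GDI handle count per process\n"
               "\t/?\tthis help screen\n\n");
        return 0;
    }

    // Resolved dynamically because the function is not exported through a
    // public import library; a NULL result is reported but not fatal.
    lpfnNTQuery = (NTQIP *)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationProcess");
    if (lpfnNTQuery == NULL) {
        printf("Could not GetProcAddress(NtQueryInformationProcess)\n");
        printf("Have to use default PEB offset, Probably wont work on XP SP2\n");
    }

    // The window handle was never used; presumably creating a window makes
    // this process a GDI client so the shared handle table is mapped into it
    // — TODO confirm, the original gives no reason.
    CreateWindow(NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);

    printf("GDI Process Scanner - \n\n"
           "Scanning GDIShared Handle Table for unique process ids...\n\n");

    // Our own PEB can be dereferenced directly (it is in this address space);
    // the original did so without checking for NULL.
    PEB *p = GetPEBAddress(GetCurrentProcess());
    if (p == NULL) {
        printf(" Could not locate this process's PEB, cannot read the GDI table\n");
        return 1;
    }
    for (int i = 0; i < MAX_GDI_HANDLE; i++) {
        AddUniquePid(p->GdiSharedHandleTable[i].ProcessID);
    }

    if (!GetSeDebug()) {
        printf(" Could not get SeDebug, should run as admin\n");
    }

    if (compare) {
        apiCnt = TakeAPISnapShot();
        printf(" Compare Mode\n %5d processes returned by WinAPI\n", apiCnt);
        PruneApiTree(apiCnt);   // drops API pids that the GDI table also lists
    }

    if (allocationUp) {
        // chance of happening slim so not worth redesign (original author's note)
        printf(" ERROR: more than 200 processes found allocation ran out :-\\\n");
    }

    printf(" %5d processes returned by GDI table\n\n", gdiCnt);
    printf(" Processes listed in GDI:\n");
    printf(" -------------------------------------------------\n");
    // Both listing loops run one past the count and skip zero entries, so they
    // appear to rely on a zero sentinel after the last pid — confirm against
    // the declared size of gdi_pids / api_pids.
    for (int i = 0; i < gdiCnt + 1; i++) {
        if (gdi_pids[i] != 0) {
            GetProcessPath(gdi_pids[i], pth);
            if (display) {
                printf("%5d - %5d - %s\n", gdi_pids[i], handleCnt[i], pth);
            } else {
                printf("%5d - %s\n", gdi_pids[i], pth);
            }
        }
    }

    if (compare) {
        printf("\n\n API Processes not listed in GDI Table\n"
               " ---------------------------------------------------\n");
        for (int i = 0; i < apiCnt + 1; i++) {
            if (api_pids[i] != 0) {
                GetProcessPath(api_pids[i], pth);
                printf("%5d - %s\n", api_pids[i], pth);
            }
        }
    }

    printf("\n\n");
    return 0;
}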
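// Widest copy GetProcessPath makes into its caller's buffer; `buf` must hold
// at least PATH_BUF_MAX + 1 bytes (the caller in main passes char[300]).
enum { PATH_BUF_MAX = 254 };

// Bounded copy of s into buf that is always NUL-terminated
// (strncpy on its own does not guarantee the terminator).
static void SetPathBuf(char* buf, const char* s) {
    strncpy(buf, s, PATH_BUF_MAX);
    buf[PATH_BUF_MAX] = '\0';
}

/**
 * Resolve the executable name of process `pid` into `buf` (the full path
 * when the file-scope flag fullPath is set), or an error / fallback message
 * when it cannot be read.
 *
 * The name is read straight out of the target's PEB -> PEB_LDR_DATA ->
 * first InLoadOrderModuleList entry with ReadProcessMemory, as a roundabout
 * way of avoiding EnumProcessModules and the other PSAPI functions, which a
 * rootkit is likely to hook. OpenProcess / ReadProcessMemory could be hooked
 * too; how common that is was an open question for the original author.
 *
 * @param pid  process id to inspect.
 * @param buf  caller buffer of at least PATH_BUF_MAX + 1 bytes. On return it
 *             holds the name or path, a human-readable error string, or —
 *             when OpenProcess fails — "Api: " followed by the name that
 *             findProcessByPid() recorded.
 */
void GetProcessPath(int pid, char* buf) {
    PEB peb;
    LDR_MODULE mod;
    PEB_LDR_DATA pld;
    unsigned long sz;   // NOTE(review): ReadProcessMemory's last argument is SIZE_T*; this only matches on a 32-bit build — confirm
    char tmp[255] = {0};
    char out[255] = {0};
    memset(&mod, 0, sizeof(mod));
    memset(&peb, 0, sizeof(peb));
    memset(&pld, 0, sizeof(pld));

    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid);
    if (hProc == 0) {
        // Fall back to the name from the API snapshot. Appending is bounded
        // so a long name cannot overrun buf (the original strcat was not).
        strcpy(buf, "Api: ");
        strncat(buf, findProcessByPid(pid), PATH_BUF_MAX - strlen(buf));
        return;
    }

    // Resolve the remote PEB only once we actually hold a handle; the
    // original called this before checking hProc.
    void* pebAddress = (void*)GetPEBAddress(hProc);

    // NOTE(review): catch(...) only intercepts an access violation raised by
    // the reads below when the project is built with /EHa — confirm.
    try {
        if (!ReadProcessMemory(hProc, pebAddress, &peb, sizeof(PEB), &sz)) {
            SetPathBuf(buf, "Could not extract PEB from remote process");
            goto cleanup;
        }
        if (!ReadProcessMemory(hProc, peb.LoaderData, &pld, sizeof(PEB_LDR_DATA), &sz)) {
            SetPathBuf(buf, "Could not extract Loader Data from remote process\n");
            goto cleanup;
        }
        // First entry of the in-load-order list is the main module.
        if (!ReadProcessMemory(hProc, pld.InLoadOrderModuleList.Flink, &mod, sizeof(LDR_MODULE), &sz)) {
            SetPathBuf(buf, "Could not extract module Data from remote process\n");
            goto cleanup;
        }
        // 254 of the 255 bytes are read so out[254] stays NUL for ScanUnicode.
        if (!ReadProcessMemory(hProc, mod.BaseDllName, out, 254, &sz)) {
            // Cast through size_t so the value prints correctly whatever its width.
            sprintf(buf, "Could not extract module path from remote process ptr=0x%lx\n",
                    (unsigned long)(size_t)mod.BaseDllName);
            goto cleanup;
        }
        if (ScanUnicode(out, tmp) == 0) {
            SetPathBuf(buf, "Error reading Scanning Unicode string");
            goto cleanup;
        }

        if (fullPath) {
            SetPathBuf(buf, tmp);
        } else {
            // Basename after the last backslash; a backslash at index 0 (or
            // none at all) yields the whole string, as in the original scan.
            const char* slash = strrchr(tmp, '\\');
            SetPathBuf(buf, (slash != NULL && slash != tmp) ? slash + 1 : tmp);
        }
    } catch (...) {
        SetPathBuf(buf, "Error reading Processes PEB :(");
    }

cleanup:
    CloseHandle(hProc);
}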