Пример #1
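/*
 * Entry point: locate explorer.exe, open it with an injection-capable handle
 * (thread creation plus memory read/write), resolve its PEB base and run the
 * two test routines against it.
 *
 * Returns 0 on success and -1 on any set-up failure.  Every failure path now
 * prints why it bailed out; the original listing only reported the PEB lookup
 * failure and silently returned -1 for the other three.
 *
 * Globals written here and read by the test routines (declared elsewhere in
 * this file): ExplorerPID, hExplorer, ExplorerPEBBase.
 */
int main(int argc, char* argv[])
{
	(void)argc;
	(void)argv;

	if (!LookupProcessID(TEXT("explorer.exe"), &ExplorerPID))
	{
		printf("failed to find EXPLORER.EXE process id\n");
		return -1;
	}

	/* SeDebugPrivilege is what normally lets a non-elevated session open a
	 * process owned by another user; without it OpenProcess below typically
	 * fails with access denied. */
	if (!AcquireDebugPrivelage())
	{
		printf("failed to acquire debug privilege\n");
		return -1;
	}

	/* PROCESS_VM_WRITE | PROCESS_CREATE_THREAD make this an injection-capable
	 * handle rather than a read-only one.  The handle is non-inheritable
	 * (FALSE), so child processes do not receive it. */
	hExplorer = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
		FALSE, ExplorerPID);
	if (!hExplorer)
	{
		printf("failed to open EXPLORER.EXE (pid %lu)\n", (unsigned long)ExplorerPID);
		return -1;
	}

	/* GetPEBAddress returns NULL on failure (see the check in the other
	 * listings of this file). */
	ExplorerPEBBase = (PCHAR)GetPEBAddress(hExplorer);
	if (!ExplorerPEBBase)
	{
		printf("failed to get EXPLORER.EXE PEB address\n");
		CloseHandle(hExplorer);
		return -1;
	}

	/* Both tests operate on the global handle / PEB base set above. */
	WriteMem_Test();
	SuperInject_Test();

	CloseHandle(hExplorer);

	return 0;
}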
Пример #2
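/*
 * Entry point for the GDI process scanner.
 *
 * Walks the GdiSharedHandleTable reachable from this process's own PEB,
 * collects the unique owning PIDs and prints them, optionally comparing the
 * result with the WinAPI process snapshot so that PIDs hidden from the API
 * (but still owning GDI handles) stand out.
 *
 * Flags are exact-match switches; anything else is ignored:
 *   /f  full path   /c  compare with WinAPI snapshot
 *   /d  GDI handle count per process   /? /h -h -?  help
 *
 * Returns 0 normally, -1 if the local PEB cannot be located.
 *
 * Fixes vs. the original listing:
 *  - main returns int; `void main` is not valid standard C/C++.
 *  - the loop index is declared once at function scope.  The original
 *    declared `i` inside the first for() and reused it in later loops, which
 *    only compiles under pre-standard for-scope rules (old MSVC).
 *  - the PEB pointer is checked before it is dereferenced.
 *
 * Globals used (declared elsewhere in this file): fullPath, lpfnNTQuery,
 * gdi_pids, handleCnt, gdiCnt, api_pids, allocationUp, MAX_GDI_HANDLE.
 */
int main(int argc, char** argv)
{
	int apiCnt = 0;
	int i;
	char pth[300];
	bool compare = false, display = false, help = false;

	while (argc-- > 1) {
		argv++;
		if (strcmp(*argv, "/f") == 0) fullPath = true;
		if (strcmp(*argv, "/c") == 0) compare  = true;
		if (strcmp(*argv, "/d") == 0) display  = true;
		if (strcmp(*argv, "/?") == 0) help     = true;
		if (strcmp(*argv, "/h") == 0) help     = true;
		if (strcmp(*argv, "-h") == 0) help     = true;
		if (strcmp(*argv, "-?") == 0) help     = true;
	}

	if (help) {
		/* Spawns a shell just to clear the console; fixed command string,
		 * cosmetic only. */
		system("cls");
		printf("\n"
		       "  GDI Process Scanner - \n\n"
		       "  Scans the GDISharedHandleTable for processes id's\n"
		       "  which rootkits may be trying to hide from other\n"
		       "  techniques.\n\n"
		       "  Usage: gdiprocs.exe [ /f /c /d /? ]\n"
		       "\t/f\tDisplay Fullpath of processes\n"
		       "\t/c\tCompare process list w/WinApi results\n"
		       "\t/d\tDisplay GDI handle count per process\n"
		       "\t/?\tthis help screen\n\n");
		return 0;
	}

	/* Resolved dynamically because it is not exported through the public
	 * headers.  Presumably consumed by GetPEBAddress (not shown here); the
	 * message documents the fallback when it is missing. */
	lpfnNTQuery = (NTQIP *)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationProcess");

	if (lpfnNTQuery == NULL) {
		printf("Could not GetProcAddress(NtQueryInformationProcess)\n");
		printf("Have to use default PEB offset, Probably wont work on XP SP2\n");
	}

	/* The window handle is never used.  NOTE(review): presumably the call is
	 * here so that this process initialises GDI and the shared handle table
	 * is mapped into its PEB -- the listing does not say; confirm before
	 * removing it. */
	HWND hWin = CreateWindow(NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
	(void)hWin;

	printf("GDI Process Scanner - \n\n"
	       "Scanning GDIShared Handle Table for unique process ids...\n\n");

	/* GetPEBAddress returns NULL on failure (see its other callers in this
	 * file); the original dereferenced the result unconditionally. */
	PEB *p = GetPEBAddress(GetCurrentProcess());
	if (p == NULL) {
		printf(" ERROR: could not locate this process's PEB, cannot read the GDI handle table\n");
		return -1;
	}

	/* Every slot of the shared table records the owning PID; AddUniquePid
	 * de-duplicates into gdi_pids (and, per the message below, has room for
	 * about 200 entries). */
	for (i = 0; i < MAX_GDI_HANDLE; i++) {
		AddUniquePid(p->GdiSharedHandleTable[i].ProcessID);
	}

	/* Without SeDebugPrivilege, OpenProcess on other users' processes fails
	 * and GetProcessPath falls back to the API-supplied name ("Api: ..."). */
	if (!GetSeDebug()) printf(" Could not get SeDebug, should run as admin\n");

	if (compare) {
		apiCnt = TakeAPISnapShot();
		printf(" Compare Mode\n %5d processes returned by WinAPI\n", apiCnt);
		PruneApiTree(apiCnt);
	}

	if (allocationUp) { /* chance of happening slim so not worth redesign */
		printf(" ERROR: more than 200 processes found allocation ran out :-\\\n");
	}

	printf(" %5d processes returned by GDI table\n\n", gdiCnt);
	printf(" Processes listed in GDI:\n");
	printf(" -------------------------------------------------\n");

	/* Zero entries are skipped; the loop bound (gdiCnt + 1) is kept from the
	 * original, whose table layout is not visible here. */
	for (i = 0; i < gdiCnt + 1; i++) {
		if (gdi_pids[i] != 0) {
			GetProcessPath(gdi_pids[i], pth);
			if (display) printf("%5d - %5d - %s\n", gdi_pids[i], handleCnt[i], pth);
			else         printf("%5d - %s\n", gdi_pids[i], pth);
		}
	}

	if (compare) {
		/* Anything still non-zero after PruneApiTree is, by that helper's
		 * apparent contract, an API process absent from the GDI table. */
		printf("\n\n API Processes not listed in GDI Table\n"
		       " ---------------------------------------------------\n");

		for (i = 0; i < apiCnt + 1; i++) {
			if (api_pids[i] != 0) {
				GetProcessPath(api_pids[i], pth);
				printf("%5d - %s\n", api_pids[i], pth);
			}
		}
	}

	printf("\n\n");

	return 0;
}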
Пример #3
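/* Bounded copy into the caller's result buffer: at most 254 characters, and
 * always NUL-terminated (strncpy alone does not guarantee the terminator). */
static void GppCopy(char* dst, const char* src)
{
	strncpy(dst, src, 254);
	dst[254] = '\0';
}

/*
 * Resolve a printable name or path for process `pid` into `buf`.
 *
 * Deliberately avoids PSAPI (EnumProcessModules etc.), which a rootkit is
 * likely to hook, and instead reads the target's PEB -> loader data -> first
 * module entry directly with ReadProcessMemory.  OpenProcess and
 * ReadProcessMemory can be hooked as well; the original author left that as
 * an open question.
 *
 * buf must have room for at least 255 bytes (254 characters plus NUL); the
 * caller in this file passes a 300-byte array.  On success buf holds the
 * string produced by ScanUnicode -- the whole string when the global
 * `fullPath` is set, otherwise only the part after the last backslash.  On
 * any failure buf holds a short diagnostic instead of a path; when the
 * process cannot be opened at all, buf becomes "Api: " followed by the name
 * findProcessByPid() reports.
 *
 * Changes vs. the original listing:
 *  - GetPEBAddress is called only after OpenProcess succeeded (it used to be
 *    invoked with a possibly-NULL handle) and its result is checked.
 *  - every write into buf is bounded and NUL-terminated; the original used
 *    strncpy without a terminator and an unbounded strcat of
 *    findProcessByPid().
 *  - the pointer in the "module path" diagnostic is printed with %p instead
 *    of %x.
 *
 * NOTE(review): catch(...) only catches C++ exceptions; an access violation
 * inside this block is not caught unless the build uses /EHa -- verify the
 * build flags before relying on it.
 */
void GetProcessPath(int pid, char* buf)
{
	PEB peb;
	LDR_MODULE mod;
	PEB_LDR_DATA pld;

	unsigned long bytesRead = 0;
	char raw[255] = {0};   /* raw UTF-16 bytes read from the target */
	char tmp[255] = {0};   /* narrowed string produced by ScanUnicode */

	memset(&mod, 0, sizeof(mod));
	memset(&peb, 0, sizeof(peb));
	memset(&pld, 0, sizeof(pld));

	/* Read-only access is all that is needed here. */
	HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid);

	if (hProc == 0) {
		/* Fall back to whatever the WinAPI snapshot knows about this pid. */
		const char* apiName = findProcessByPid(pid);
		strcpy(buf, "Api: ");
		if (apiName != NULL) {
			strncat(buf, apiName, 254 - 5);   /* 5 == strlen("Api: ") */
		}
		return;
	}

	try {
		void* pebAddress = (void*)GetPEBAddress(hProc);
		if (pebAddress == NULL) {
			GppCopy(buf, "Could not locate PEB of remote process");
			goto cleanup;
		}

		if (!ReadProcessMemory(hProc, pebAddress, (void*)&peb, sizeof(PEB), &bytesRead)) {
			GppCopy(buf, "Could not extract PEB from remote process");
			goto cleanup;
		}

		if (!ReadProcessMemory(hProc, peb.LoaderData, (void*)&pld, sizeof(PEB_LDR_DATA), &bytesRead)) {
			GppCopy(buf, "Could not extract Loader Data from remote process\n");
			goto cleanup;
		}

		/* First entry in load order is normally the main executable. */
		if (!ReadProcessMemory(hProc, pld.InLoadOrderModuleList.Flink, (void*)&mod, sizeof(LDR_MODULE), &bytesRead)) {
			GppCopy(buf, "Could not extract module Data from remote process\n");
			goto cleanup;
		}

		/* 254 bytes leaves the last byte of `raw` as a guaranteed zero. */
		if (!ReadProcessMemory(hProc, mod.BaseDllName, raw, 254, &bytesRead)) {
			sprintf(buf, "Could not extract module path from remote process ptr=%p\n", (const void*)mod.BaseDllName);
			goto cleanup;
		}

		if (ScanUnicode(raw, (char*)tmp) == 0) {
			GppCopy(buf, "Error reading Scanning Unicode string");
			goto cleanup;
		}

		if (fullPath) {
			GppCopy(buf, tmp);
		} else {
			/* Keep only the component after the last backslash; a backslash
			 * in position 0 (or none at all) yields the whole string, exactly
			 * as the original index loop did. */
			const char* slash = strrchr(tmp, '\\');
			if (slash != NULL && slash != tmp) {
				GppCopy(buf, slash + 1);
			} else {
				GppCopy(buf, tmp);
			}
		}
	}
	catch (...) {
		GppCopy(buf, "Error reading Processes PEB :(");
	}

cleanup:
	CloseHandle(hProc);
}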