Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /* WAS Given to me by a 'alias' i recruited to work on the projec,t
- * For me to later find out, the code he took, was from a public website,
- * So here it is, for you'all to read over,
- * For those of you that cant code, Its a remote_thread, application for running executables
- */
- #include <windows.h>
- #include <tchar.h>
- #include <detours.h>
- #include <stdio.h>
- #include <tchar.h>
- #define NTSIGNATURE(ptr) ((LPVOID)((BYTE *)(ptr) + ((PIMAGE_DOS_HEADER)(ptr))->e_lfanew))
- #define SIZE_OF_NT_SIGNATURE (sizeof(DWORD))
- #define PEFHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE))
- #define OPTHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)))
- #define SECHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)+sizeof(IMAGE_OPTIONAL_HEADER)))
- #define RVATOVA(base,offset) ((LPVOID)((DWORD)(base)+(DWORD)(offset)))
- #define VATORVA(base,offset) ((LPVOID)((DWORD)(offset)-(DWORD)(base)))
- typedef enum _SECTION_INHERIT {
- ViewShare = 1,
- ViewUnmap = 2
- } SECTION_INHERIT;
- typedef DWORD (WINAPI *PFN_NtMapViewOfSection)( HANDLE SectionHandle,
- HANDLE ProcessHandle,
- PVOID *BaseAddress,
- ULONG ZeroBits,
- ULONG CommitSize,
- PLARGE_INTEGER SectionOffset,
- PULONG ViewSize,
- SECTION_INHERIT InheritDisposition,
- ULONG AllocationType,
- ULONG Protect
- );
- CRITICAL_SECTION _cs;
- UINT _nInitCount = 0;
- BOOL _fModified;
- WORD _OriginalCharacteristics;
- BYTE _abTrampolineNtMapViewOfSection[DETOUR_TRAMPOLINE_SIZE];
- BYTE _abTrampolineDllMain[DETOUR_TRAMPOLINE_SIZE];
- static BOOL APIENTRY PseudoDllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved ){
- if( dwReason == DLL_PROCESS_ATTACH )
- ::DisableThreadLibraryCalls( hModule );
- return TRUE;
- }
- static BOOL SetImageCharacteristics( PVOID hModule, WORD dwAdded, WORD dwRemoved, WORD* OldCharacteristics ){
- PIMAGE_FILE_HEADER pfh;
- PIMAGE_OPTIONAL_HEADER poh;
- pfh = (PIMAGE_FILE_HEADER)PEFHDROFFSET(hModule);
- poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hModule);
- WORD newCharacteristics = pfh->Characteristics;
- if( OldCharacteristics != NULL )
- *OldCharacteristics = newCharacteristics;
- newCharacteristics |= dwAdded;
- newCharacteristics &= ~dwRemoved;
- DWORD newProtect, oldProtect;
- newProtect = PAGE_EXECUTE_WRITECOPY;
- VirtualProtect(hModule,poh->SizeOfHeaders,newProtect,&oldProtect);
- pfh->Characteristics = newCharacteristics;
- VirtualProtect(hModule,poh->SizeOfHeaders,oldProtect,&newProtect);
- return TRUE;
- }
- static DWORD WINAPI Mine_NtMapViewOfSection(
- HANDLE SectionHandle,
- HANDLE ProcessHandle,
- PVOID *BaseAddress,
- ULONG ZeroBits,
- ULONG CommitSize,
- PLARGE_INTEGER SectionOffset,
- PULONG ViewSize,
- SECTION_INHERIT InheritDisposition,
- ULONG AllocationType,
- ULONG Protect
- )
- {
- PFN_NtMapViewOfSection fnNtMapViewOfSection =(PFN_NtMapViewOfSection)&_abTrampolineNtMapViewOfSection[0];
- DWORD retval = fnNtMapViewOfSection( SectionHandle,
- ProcessHandle,
- BaseAddress,
- ZeroBits,
- CommitSize,
- SectionOffset,
- ViewSize,
- InheritDisposition,
- AllocationType,
- Protect
- );
- if( _fModified )
- return retval;
- _fModified = TRUE;
- PVOID hImage = *BaseAddress;
- SetImageCharacteristics( hImage, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, &_OriginalCharacteristics );
- PIMAGE_OPTIONAL_HEADER poh;
- poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hImage);
- DetourFunctionWithEmptyTrampoline( _abTrampolineDllMain,(PBYTE)((DWORD)hImage+poh->AddressOfEntryPoint),(PBYTE)PseudoDllMain );
- return retval;
- }
- BOOL init(){
- if( _nInitCount++ == 0 )
- ::InitializeCriticalSection( &_cs );
- return TRUE;
- }
- BOOL Uninit(){
- if( --_nInitCount == 0 )
- ::DeleteCriticalSection( &_cs );
- return TRUE;
- }
- HMODULE WINAPI wLoadEW( LPCWSTR lpszExePath ){
- ::EnterCriticalSection( &_cs );
- FARPROC NtMapViewOfSection = ::GetProcAddress( GetModuleHandleW( L"NTDLL.DLL" ), "NtMapViewOfSection" );
- memset( _abTrampolineNtMapViewOfSection, 0x90, sizeof(_abTrampolineNtMapViewOfSection) );
- memset( _abTrampolineDllMain, 0x90, sizeof(_abTrampolineDllMain) );
- DetourFunctionWithEmptyTrampoline( _abTrampolineNtMapViewOfSection,(PBYTE)NtMapViewOfSection,(PBYTE)Mine_NtMapViewOfSection );
- _fModified = FALSE;
- HMODULE h = LoadLibraryW(lpszExePath);
- _fModified = TRUE;
- DetourRemove( _abTrampolineDllMain, (PBYTE)PseudoDllMain );
- DetourRemove( _abTrampolineNtMapViewOfSection, (PBYTE)Mine_NtMapViewOfSection );
- if( h != NULL )
- SetImageCharacteristics( h, _OriginalCharacteristics, IMAGE_FILE_DLL, NULL );
- ::LeaveCriticalSection( &_cs );
- return h;
- }
- HMODULE WINAPI wLoadEA( LPCSTR lpszExePath ){
- WCHAR szPath[MAX_PATH];
- ::MultiByteToWideChar( CP_ACP, 0,
- lpszExePath, -1,
- szPath, sizeof(szPath) );
- return wLoadEW(szPath);
- }
- BOOL WINAPI wFreebin( HMODULE hModule ){
- ::EnterCriticalSection( &_cs );
- memset( _abTrampolineDllMain, 0x90, sizeof(_abTrampolineDllMain) );
- PIMAGE_OPTIONAL_HEADER poh;
- poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hModule);
- DetourFunctionWithEmptyTrampoline( _abTrampolineDllMain,(PBYTE)((DWORD)hModule+poh->AddressOfEntryPoint),(PBYTE)PseudoDllMain );
- FreeLibrary( hModule );
- ::LeaveCriticalSection( &_cs );
- return TRUE;
- }
- #include <Windows.h>
- // Non Member Functions
- NtOpenSectionPtr NtOpenSection = NULL;
- NtClosePtr NtClose = NULL;
- NtMapViewOfSectionPtr NtMapViewOfSection = NULL;
- NtUnmapViewOfSectionPtr NtUnmapViewOfSection = NULL;
- RtlInitUnicodeStringPtr RtlInitUnicodeString = NULL;
- ZwSystemDebugControlPtr ZwSystemDebugControl = NULL;
- EnumSystemFirmwareTablesPtr EnumSystemFirmwareTables = NULL;
- GetSystemFirmwareTablePtr GetSystemFirmwareTable = NULL;
- u8 * CBlockBuffer = NULL;
- u8 * EBlockBuffer = NULL;
- int wsFuncLoad(void){
- HMODULE hNtdll;
- HMODULE hKerneldll;
- hNtdll = GetModuleHandle(L"ntdll.dll");
- hKerneldll = GetModuleHandle( L"kernel32.dll" );
- if (!(hNtdll && hKerneldll))
- return FALSE;
- NtOpenSection = (NtOpenSectionPtr) GetProcAddress(hNtdll, "NtOpenSection");
- NtClose = (NtClosePtr) GetProcAddress(hNtdll, "NtClose");
- NtMapViewOfSection = (NtMapViewOfSectionPtr) GetProcAddress(hNtdll, "NtMapViewOfSection");
- NtUnmapViewOfSection = (NtUnmapViewOfSectionPtr) GetProcAddress(hNtdll, "NtUnmapViewOfSection");
- RtlInitUnicodeString = (RtlInitUnicodeStringPtr) GetProcAddress(hNtdll, "RtlInitUnicodeString");
- ZwSystemDebugControl = (ZwSystemDebugControlPtr) GetProcAddress(hNtdll, "ZwSystemDebugControl");
- EnumSystemFirmwareTables = (EnumSystemFirmwareTablesPtr) GetProcAddress(hKerneldll, "EnumSystemFirmwareTables");
- GetSystemFirmwareTable = (GetSystemFirmwareTablePtr) GetProcAddress(hKerneldll, "GetSystemFirmwareTable");
- return TRUE;
- }
- HANDLE OpenMemAccess(void){
- UNICODE_STRING usDevmem;
- OBJECT_ATTRIBUTES oaAttrs;
- NTSTATUS status;
- HANDLE hPhysMem = NULL;
- RtlInitUnicodeString(&usDevmem, L"\\device\\physicalmemory");
- InitializeObjectAttributes(&oaAttrs, &usDevmem, OBJ_CASE_INSENSITIVE, NULL, NULL);
- status = NtOpenSection(&hPhysMem, SECTION_MAP_READ, &oaAttrs);
- if (!NT_SUCCESS(status)){
- hPhysMem = NULL;
- }
- return hPhysMem;
- }
- int CloseMemAccess(HANDLE hPhysMem){
- NTSTATUS status;
- status = NtClose(hPhysMem);
- if (!NT_SUCCESS(status)){
- return FALSE;
- }
- return TRUE;
- }
- int MapMem(HANDLE hPhysMem, PVOID pBaseAddr, PDWORD pPhysAddr, PDWORD pSize){
- NTSTATUS status;
- PHYSICAL_ADDRESS paAddr;
- * (DWORD *) pBaseAddr = (DWORD) NULL;
- paAddr.HighPart = 0;
- paAddr.LowPart = *pPhysAddr;
- 00119 status = NtMapViewOfSection(hPhysMem, NtCurrentProcess(), (PVOID *) pBaseAddr, 0L,
- *pSize, &paAddr, pSize, ViewShare, 0, PAGE_READONLY);
- if (!NT_SUCCESS(status))
- {
- hPhysMem = NULL;
- return FALSE;
- }
- *pPhysAddr = paAddr.LowPart;
- return TRUE;
- }
- int UnMapMem(PVOID pBaseAddr){
- NTSTATUS status;
- status = NtUnmapViewOfSection(NtCurrentProcess(), pBaseAddr);
- if (!NT_SUCCESS(status)){
- return FALSE;
- }
- return TRUE;
- }
- static BOOL setPrivilege(LPCTSTR privilegeName, BOOL enable){
- HANDLE hToken;
- HANDLE hCurrentProcess;
- DWORD err;
- TOKEN_PRIVILEGES tkprivs;
- hCurrentProcess = GetCurrentProcess();
- if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)){
- LookupPrivilegeValue(NULL, privilegeName, &tkprivs.Privileges[0].Luid);
- tkprivs.PrivilegeCount = 1; // one privilege to set
- tkprivs.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
- AdjustTokenPrivileges(hToken, FALSE, &tkprivs, 0, (PTOKEN_PRIVILEGES)NULL, NULL);
- }
- err = GetLastError();
- return err == ERROR_SUCCESS;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement