应用层隐藏服务的项目 2006-03-28
HideService
#include <stdio.h>#include <tchar.h>#include <windows.h>#include <commctrl.h>#include <setupapi.h>#include <basetsd.h>#include <cfgmgr32.h>#include <regstr.h>#include <devguid.h>#define APIHOOK16
#ifdef APIHOOK16
#include "apihook16.h"#define CAPIHook CAPIHook16
#else#include "apihook32.h"#define CAPIHook CAPIHook32
#endif#pragma comment(lib, "setupapi.lib")#pragma comment(lib, "advapi32.lib")
/*
 * Forward declarations of the two replacement functions installed in this
 * file, followed by the CAPIHook globals that bind them.
 *
 * Each CAPIHook global names a DLL export and the function that is to be
 * called in its place. The objects are constructed during static
 * initialisation (i.e. at DLL load, before DllMain runs); whether the
 * constructor already patches the export or only records the binding is
 * decided inside CAPIHook::Hook(), which is not on this page — HookAll()
 * and the per-call Hook(FALSE)/Hook(TRUE) toggling in the replacements are
 * the visible enable/disable points.
 *
 * NOTE(review): with APIHOOK16 defined above, CAPIHook is CAPIHook16 from
 * "apihook16.h"; the patching mechanism (import-table vs. inline) cannot be
 * confirmed from here.
 */
BOOL
WINAPI
mySetupDiSetClassInstallParamsW(
    IN HDEVINFO DeviceInfoSet,
    IN PSP_DEVINFO_DATA DeviceInfoData,
    IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
    IN DWORD ClassInstallParamsSize
    );
/* Hook on setupapi!SetupDiSetClassInstallParamsW: device-install requests. */
CAPIHook g_hook_setupapi_paramsw("setupapi.dll", "SetupDiSetClassInstallParamsW", (FARPROC)mySetupDiSetClassInstallParamsW);
BOOL
WINAPI
myChangeServiceConfigW(
    SC_HANDLE hService,
    DWORD dwServiceType,
    DWORD dwStartType,
    DWORD dwErrorControl,
    LPCWSTR lpBinaryPathName,
    LPCWSTR lpLoadOrderGroup,
    LPDWORD lpdwTagId,
    LPCWSTR lpDependencies,
    LPCWSTR lpServiceStartName,
    LPCWSTR lpPassword,
    LPCWSTR lpDisplayName
    );
/* Hook on advapi32!ChangeServiceConfigW: service configuration changes
   (start type etc.) made by the hooked process, e.g. an MMC snap-in. */
CAPIHook g_hook_advapi32_ChangeW("advapi32.dll", "ChangeServiceConfigW", (FARPROC)myChangeServiceConfigW);
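/*
 * Converts a wide string to a newly allocated ANSI (current locale) string.
 *
 * lpcsUnicode: source string, may be NULL.
 * Returns a NUL-terminated buffer allocated with new[] that the caller must
 * release with delete[], or NULL when lpcsUnicode is NULL or when the string
 * contains a character wcstombs() cannot convert in the current locale.
 *
 * Why the extra checks: wcstombs() reports an unconvertible character by
 * returning (size_t)-1. The original code stored that in a DWORD, computed
 * dwSize+1 == 0, allocated a zero-length buffer and then wrote the
 * terminator at index 0xFFFFFFFF — an out-of-bounds write. Callers already
 * have to cope with a NULL result (the NULL-input case), so failure is
 * reported the same way.
 */
LPSTR WideStringToAnsiString(LPCWSTR lpcsUnicode)
{
    LPSTR lpAnsiString = NULL;
    if (lpcsUnicode)
    {
        // First pass: measure (no output buffer).
        size_t dwSize = wcstombs(NULL, lpcsUnicode, 0);
        if (dwSize == (size_t)-1)
        {
            return NULL;   // unconvertible character; nothing allocated yet
        }
        lpAnsiString = new char[dwSize + 1];
        // Second pass: convert; dwSize+1 leaves room for the terminator.
        size_t rc = wcstombs(lpAnsiString, lpcsUnicode, dwSize + 1);
        if (rc == (size_t)-1)
        {
            delete [] lpAnsiString;
            return NULL;
        }
        lpAnsiString[dwSize] = '\0';   // always terminate, whatever wcstombs wrote
    }
    return lpAnsiString;
}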
/*
 * Logging stub. Every WriteLog() call in this file is a no-op: the format
 * string and its variadic arguments are accepted for call-site
 * compatibility and discarded, so the hook functions emit no trace of
 * their own activity. Nothing here writes to a file, the debugger or the
 * event log.
 */
void WriteLog(char *fmt, ...)
{
    (void)fmt;
}
/*
 * Replacement for setupapi!SetupDiSetClassInstallParamsW.
 *
 * When the device's setup class is one of the twelve classes listed below
 * (network, PCMCIA, CD-ROM, ports, USB, printer, 1394, modem, floppy,
 * infrared, SCSI adapter, disk drive) the caller's ClassInstallParams are
 * discarded and a fixed SP_PROPCHANGE_PARAMS {InstallFunction = DIF_DETECT,
 * Scope = DICS_FLAG_GLOBAL, StateChange = 0} is handed to the real API in
 * their place, i.e. whatever install/property-change request the caller
 * made for such a device is not the one that gets applied. Devices of any
 * other class are passed through unchanged.
 *
 * Returns the real SetupDiSetClassInstallParamsW's return value in both
 * cases, so the caller cannot tell its parameters were replaced.
 *
 * Review notes:
 *  - DeviceInfoData is dereferenced before any check. The real API accepts
 *    NULL for that parameter, so a legitimate caller passing NULL crashes
 *    the hooked process here.
 *  - With APIHOOK16 both hooks are removed before the pass-through call and
 *    re-installed afterwards (every exit path). Nothing serialises this, so
 *    another thread calling either hooked API inside that window reaches
 *    the original export.
 *  - The log text names "SetupDiCallClassInstaller" although the hooked
 *    export is SetupDiSetClassInstallParamsW (WriteLog is a no-op anyway).
 *  - StateChange = 0x0 is not one of the DICS_* state-change values.
 */
BOOL
WINAPI
mySetupDiSetClassInstallParamsW(
    IN HDEVINFO DeviceInfoSet,
    IN PSP_DEVINFO_DATA DeviceInfoData,
    IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
    IN DWORD ClassInstallParamsSize
    )
{
    BOOL ret = FALSE;
#ifdef APIHOOK16
    /* Unhook so the calls below reach the real exports; re-hooked on exit. */
    g_hook_setupapi_paramsw.Hook(FALSE);
    g_hook_advapi32_ChangeW.Hook(FALSE);
#endif
    /* Class filter: devices whose setup class GUID matches any entry. */
    if((InlineIsEqualGUID(DeviceInfoData->ClassGuid,GUID_DEVCLASS_NET)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid,GUID_DEVCLASS_PCMCIA)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_CDROM)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_PORTS)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_USB)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_PRINTER)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_1394)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_MODEM)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_FLOPPYDISK)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_INFRARED)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_SCSIADAPTER)) ||
        (InlineIsEqualGUID(DeviceInfoData->ClassGuid, GUID_DEVCLASS_DISKDRIVE))
        )
    {
        WriteLog("SetupDiCallClassInstaller hook\n");
        /* Substitute request; the brace initialiser sets ClassInstallHeader.cbSize. */
        SP_PROPCHANGE_PARAMS PropChangeParams = {sizeof(SP_CLASSINSTALL_HEADER)};
        PropChangeParams.ClassInstallHeader.InstallFunction = DIF_DETECT;
        PropChangeParams.Scope = DICS_FLAG_GLOBAL;
        PropChangeParams.StateChange = 0x0;
        /* The caller's ClassInstallParams/ClassInstallParamsSize are dropped here. */
        ret = SetupDiSetClassInstallParamsW(DeviceInfoSet,DeviceInfoData,
            (SP_CLASSINSTALL_HEADER *)&PropChangeParams,
            sizeof(PropChangeParams));
#ifdef APIHOOK16
        g_hook_setupapi_paramsw.Hook(TRUE);
        g_hook_advapi32_ChangeW.Hook(TRUE);
#endif
        return ret;
    }
    /* Pass-through for every other device class. */
    ret = SetupDiSetClassInstallParamsW(DeviceInfoSet,DeviceInfoData,
        ClassInstallParams,
        ClassInstallParamsSize);
#ifdef APIHOOK16
    g_hook_setupapi_paramsw.Hook(TRUE);
    g_hook_advapi32_ChangeW.Hook(TRUE);
#endif
    return ret;
}
/*
 * Replacement for advapi32!ChangeServiceConfigW.
 *
 * Inspects the display name the caller passes and, for a fixed set of
 * service names, overrides the requested start type before forwarding the
 * call; every other argument is forwarded unchanged:
 *
 *   "Cns Agent"                               -> SERVICE_AUTO_START, always
 *   "HookNdis", "Hooktdi", "Hideprocess",
 *   "ZzFilesensor", "Zzregsensor"             -> SERVICE_AUTO_START if that is
 *                                                what the caller asked for,
 *                                                otherwise SERVICE_SYSTEM_START
 *
 * So a caller that tries to set one of these services to manual or disabled
 * start (the usual administrative response to an unwanted service) has that
 * value silently replaced; any other service is passed through as-is. The
 * match is a case-sensitive substring test on the ANSI conversion of
 * lpDisplayName. The caller receives the real API's return value and has no
 * indication that its start type was not applied.
 *
 * Review notes:
 *  - lpDisplayName is optional for the real API (NULL = leave the display
 *    name unchanged). WideStringToAnsiString then returns NULL and
 *    strstr(NULL, ...) below is undefined behaviour, so a legitimate caller
 *    passing NULL crashes the hooked process.
 *  - The five driver-service branches are identical apart from the matched
 *    name and the log text.
 *  - The label XLOOP: before the pass-through path is never jumped to.
 *  - Same unsynchronised unhook/re-hook window as in
 *    mySetupDiSetClassInstallParamsW; the hooks are re-installed on every
 *    exit path.
 *  - NOTE(review): what the named services are is not visible on this page;
 *    the names suggest companion kernel components of the same product.
 */
BOOL
WINAPI
myChangeServiceConfigW(
    SC_HANDLE hService,
    DWORD dwServiceType,
    DWORD dwStartType,
    DWORD dwErrorControl,
    LPCWSTR lpBinaryPathName,
    LPCWSTR lpLoadOrderGroup,
    LPDWORD lpdwTagId,
    LPCWSTR lpDependencies,
    LPCWSTR lpServiceStartName,
    LPCWSTR lpPassword,
    LPCWSTR lpDisplayName
    )
{
    BOOL ret = FALSE;
#ifdef APIHOOK16
    /* Unhook so the forwarded calls reach the real exports; re-hooked on exit. */
    g_hook_advapi32_ChangeW.Hook(FALSE);
    g_hook_setupapi_paramsw.Hook(FALSE);
#endif
    LPSTR lpDisplay;
    /* ANSI copy of the display name, released with delete[] on every path;
       NULL when lpDisplayName is NULL (see review note on strstr). */
    lpDisplay = WideStringToAnsiString(lpDisplayName);
    if(strstr(lpDisplay ,"Cns Agent") != NULL)
    {
        /* Forced to automatic start regardless of dwStartType. */
        WriteLog("ChangeServiceConfigW hook :Cns Agent:no_change:\n");
        ret = ChangeServiceConfigW(
            hService,
            dwServiceType,
            SERVICE_AUTO_START,
            dwErrorControl,
            lpBinaryPathName,
            lpLoadOrderGroup,
            lpdwTagId,
            lpDependencies,
            lpServiceStartName,
            lpPassword,
            lpDisplayName);
#ifdef APIHOOK16
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"HookNdis") != NULL)
    {
        /* Driver-service pattern: anything other than AUTO_START becomes
           SYSTEM_START; AUTO_START is kept. */
        WriteLog("ChangeServiceConfigW hook :HookNdis:no_change:\n");
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_SYSTEM_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
        else
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_AUTO_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
#ifdef APIHOOK16
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"Hooktdi") != NULL)
    {
        /* Same handling as the HookNdis branch. */
        WriteLog("ChangeServiceConfigW hook :Hooktdi:no_change:\n");
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_SYSTEM_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
        else
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_AUTO_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
#ifdef APIHOOK16
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"Hideprocess") != NULL)
    {
        /* Same handling as the HookNdis branch. */
        WriteLog("ChangeServiceConfigW hook :Hideprocess:no_change:\n");
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_SYSTEM_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
        else
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_AUTO_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
#ifdef APIHOOK16
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"ZzFilesensor") != NULL)
    {
        /* Same handling as the HookNdis branch. */
        WriteLog("ChangeServiceConfigW hook :ZzFilesensor:no_change:\n");
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_SYSTEM_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
        else
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_AUTO_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
#ifdef APIHOOK16
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"Zzregsensor") != NULL)
    {
        /* Same handling as the HookNdis branch. */
        WriteLog("ChangeServiceConfigW hook :Zzregsensor:no_change:\n");
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_SYSTEM_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
        else
            ret = ChangeServiceConfigW(
                hService,
                dwServiceType,
                SERVICE_AUTO_START,
                dwErrorControl,
                lpBinaryPathName,
                lpLoadOrderGroup,
                lpdwTagId,
                lpDependencies,
                lpServiceStartName,
                lpPassword,
                lpDisplayName);
#ifdef APIHOOK16
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
XLOOP:  /* unused label */
    /* Pass-through: every argument, including dwStartType, forwarded as given. */
    WriteLog("ChangeServiceConfigW hook \n");
    ret = ChangeServiceConfigW(
        hService,
        dwServiceType,
        dwStartType,
        dwErrorControl,
        lpBinaryPathName,
        lpLoadOrderGroup,
        lpdwTagId,
        lpDependencies,
        lpServiceStartName,
        lpPassword,
        lpDisplayName);
#ifdef APIHOOK16
    g_hook_advapi32_ChangeW.Hook(TRUE);
    g_hook_setupapi_paramsw.Hook(TRUE);
#endif
    delete []lpDisplay;
    return ret;
}
/*
 * Installs (bHook == TRUE) or removes (bHook == FALSE) both API hooks, the
 * advapi32 one first. Only has an effect in the APIHOOK16 build; otherwise
 * the function body is empty.
 */
void HookAll(BOOL bHook)
{
#ifdef APIHOOK16
    CAPIHook *hooks[] = { &g_hook_advapi32_ChangeW, &g_hook_setupapi_paramsw };
    for (size_t i = 0; i < sizeof(hooks) / sizeof(hooks[0]); i++) {
        hooks[i]->Hook(bHook);
    }
#endif
}
/*
 * Entry point of the hook DLL (AgentHk.dll): installs both hooks when the
 * DLL is mapped into a process and removes them when it is unmapped.
 * Thread attach/detach notifications are ignored. Always reports success.
 *
 * NOTE(review): HookAll() runs under the loader lock here; what
 * CAPIHook::Hook() does while holding it is not visible on this page.
 * The signature uses int/APIENTRY rather than the documented BOOL/WINAPI,
 * which is equivalent on the targeted 32-bit ABI.
 */
extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH) {
        HookAll(TRUE);
    } else if (dwReason == DLL_PROCESS_DETACH) {
        HookAll(FALSE);
    }
    /* DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do. */
    return 1;
}
#include <windows.h>#include <stdio.h>#include <malloc.h>#include <TlHelp32.h>#define DEFAULT_LIB "AgentHk.DLL"
/* Base name (no directory) of the executable hosting this DLL. Filled in by
   CallHook()/UnHook() and compared against each process's image name by
   InjectLibAll()/EjectLibAll() so the injector skips its own process. */
char g_szExeName[MAX_PATH] = {0};
/*
 * Entry point of the injector DLL (CallHook.dll). No per-process or
 * per-thread state is set up, so every notification simply succeeds.
 */
BOOL APIENTRY DllMain( HANDLE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
/*
 * Loads pszDllInject into process dwProcessId with the remote-thread
 * technique: the DLL path is copied into the target (VirtualAllocEx +
 * WriteProcessMemory) and a remote thread is started at kernel32!LoadLibraryA
 * with that path as its argument. Blocks until the remote thread exits.
 *
 * dwProcessId:  target process id.
 * pszDllInject: NUL-terminated ANSI path of the DLL to load.
 * Returns TRUE once the remote thread has run to completion, FALSE on any
 * failure. TRUE does not mean LoadLibraryA succeeded: the thread's exit code
 * (the HMODULE, or 0) is never read.
 *
 * Detection notes: the call sequence visible here — OpenProcess with
 * PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, WriteProcessMemory, then
 * CreateRemoteThread whose start address is a kernel32 export — is the
 * pattern endpoint sensors key on for this technique. The remote buffer is
 * released after the wait, so the path string is only briefly resident in
 * the target.
 *
 * Review notes:
 *  - OpenProcess on processes owned by another account needs
 *    SeDebugPrivilege (see EnableDebugPriv); otherwise it fails and the
 *    function returns FALSE.
 *  - The LoadLibraryA address is resolved in this process and reused in the
 *    target, which assumes kernel32 is mapped at the same base in both
 *    — TODO confirm for the targeted platforms.
 *  - szLine is unused; cch/cb are int values derived from strlen().
 *  - WaitForSingleObject has no timeout: a remote load that blocks hangs
 *    the caller.
 */
BOOL WINAPI InjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
    HANDLE hProcess = NULL, hThread = NULL;
    char *pszDllInjectRemote = NULL;
    char szLine[MAX_PATH] = {0};
    BOOL bOk = FALSE;
    __try {
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION |PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE,FALSE, dwProcessId);
        if (hProcess == NULL) {
            __leave;
        }
        int cch = 1 + strlen(pszDllInject);   /* includes the terminator */
        int cb = cch * sizeof(char);
        /* Remote buffer for the path; freed in __finally. */
        pszDllInjectRemote = (char *)
            VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
        if (pszDllInjectRemote == NULL) {
            __leave;
        }
        if (!WriteProcessMemory(hProcess, pszDllInjectRemote,
            (PVOID) pszDllInject, cb, NULL)) {
            __leave;
        }
        /* Local address of LoadLibraryA, reused as the remote start address. */
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
        if (pfnThreadRtn == NULL) {
            __leave;
        }
        hThread = CreateRemoteThread(hProcess, NULL, 0,
            pfnThreadRtn, pszDllInjectRemote, 0, NULL);
        if (hThread == NULL) {
            __leave;
        }
        WaitForSingleObject(hThread, INFINITE);
        bOk = TRUE;
    }
    __finally {
        /* Cleanup on every path, including __leave. */
        if (pszDllInjectRemote != NULL)
            VirtualFreeEx(hProcess, pszDllInjectRemote, 0, MEM_RELEASE);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return(bOk);
}
/*
 * Unloads pszDllInject from process dwProcessId: walks the target's module
 * list (Toolhelp snapshot) for a module whose short name or full path
 * matches pszDllInject case-insensitively, then runs kernel32!FreeLibrary in
 * a remote thread with that module's base address. Blocks until the thread
 * exits.
 *
 * dwProcessId:  target process id.
 * pszDllInject: module name or full path to unload.
 * Returns TRUE once the remote thread has run to completion, FALSE if the
 * module was not found or any step failed. FreeLibrary only decrements the
 * load count, so a module loaded more than once stays mapped; its result is
 * not checked.
 *
 * Review notes: same OpenProcess/CreateRemoteThread pattern as InjectLib
 * (without PROCESS_VM_WRITE, since nothing is written to the target) and
 * the same assumption that kernel32's export address is valid in the
 * target; the snapshot handle and both other handles are closed in
 * __finally. MODULEENTRY32 me is declared inside __try after the snapshot
 * check, so it is only valid on the success path.
 */
BOOL WINAPI EjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
    BOOL bOk = FALSE;
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
        if (hthSnapshot == NULL) __leave;
        MODULEENTRY32 me = { sizeof(me) };
        BOOL bFound = FALSE;
        BOOL bMoreMods = Module32First(hthSnapshot, &me);
        /* Match on either the short module name or the full image path. */
        for (; bMoreMods; bMoreMods = Module32Next(hthSnapshot, &me)) {
            bFound = (stricmp(me.szModule, pszDllInject) == 0) ||
                (stricmp(me.szExePath, pszDllInject) == 0);
            if (bFound) break;
        }
        if (!bFound) __leave;
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION |PROCESS_CREATE_THREAD |
            PROCESS_VM_OPERATION,FALSE, dwProcessId);
        if (hProcess == NULL) __leave;
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary");
        if (pfnThreadRtn == NULL) __leave;
        /* The module base from the snapshot is FreeLibrary's HMODULE argument. */
        hThread = CreateRemoteThread(hProcess, NULL, 0,
            pfnThreadRtn, me.modBaseAddr, 0, NULL);
        if (hThread == NULL) __leave;
        WaitForSingleObject(hThread, INFINITE);
        bOk = TRUE;
    }
    __finally {
        if (hthSnapshot != NULL)
            CloseHandle(hthSnapshot);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return(bOk);
}
/*
 * Calls InjectLib() for every process in a system-wide Toolhelp snapshot,
 * skipping the process whose image name equals g_szExeName (the injector
 * itself, compared case-insensitively). Prints one result line per process
 * to stdout.
 *
 * pszDllInject: path passed through to InjectLib().
 * Returns the number of processes for which InjectLib() reported success;
 * 0 if the snapshot could not be taken.
 *
 * Review notes: hProcess, hThread and bFound are declared but never
 * assigned, so the matching CloseHandle calls in __finally are dead;
 * per-process failures are only reported via printf and no error code is
 * retained.
 */
int WINAPI InjectLibAll(char *pszDllInject)
{
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    int nRtn = 0;
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == NULL) __leave;
        PROCESSENTRY32 pe = { sizeof(pe) };
        BOOL bFound = FALSE;
        BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
        for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
            /* Never inject into the injector's own process. */
            if (stricmp(pe.szExeFile, g_szExeName) == 0)
                continue;
            if (InjectLib(pe.th32ProcessID, pszDllInject)) {
                nRtn++;
                printf("%s - %s\n", pe.szExeFile, "DLL Injection successful.");
            }
            else {
                printf("%s - %s\n", pe.szExeFile, "DLL Injection failed.");
            }
        }
    }
    __finally {
        if (hthSnapshot != NULL)
            CloseHandle(hthSnapshot);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return nRtn;
}
/*
 * Calls EjectLib() for every process in a system-wide Toolhelp snapshot,
 * skipping the process whose image name equals g_szExeName (compared
 * case-insensitively). Prints one result line per process to stdout.
 *
 * pszDllInject: module name or path passed through to EjectLib().
 * Returns the number of processes for which EjectLib() reported success;
 * 0 if the snapshot could not be taken. Processes that never had the module
 * loaded are counted as failures, since EjectLib() returns FALSE for them.
 *
 * Review notes: mirrors InjectLibAll(); hProcess, hThread and bFound are
 * never assigned, so their cleanup in __finally is dead.
 */
int WINAPI EjectLibAll(char *pszDllInject)
{
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    int nRtn = 0;
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == NULL) __leave;
        PROCESSENTRY32 pe = { sizeof(pe) };
        BOOL bFound = FALSE;
        BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
        for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
            if (stricmp(pe.szExeFile, g_szExeName) == 0)
                continue;
            if (EjectLib(pe.th32ProcessID, pszDllInject)) {
                nRtn++;
                printf("%s - %s\n", pe.szExeFile, "DLL Ejection successful.");
            }
            else {
                printf("%s - %s\n", pe.szExeFile, "DLL Ejection failed.");
            }
        }
    }
    __finally {
        if (hthSnapshot != NULL)
            CloseHandle(hthSnapshot);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return nRtn;
}
/*
 * Calls InjectLib() for every process whose image name equals pszProcName
 * (case-insensitive comparison against the snapshot's szExeFile, so all
 * instances of that image are targeted). Prints one result line per
 * matching process to stdout.
 *
 * pszDllInject: path passed through to InjectLib().
 * pszProcName:  image file name to match, e.g. the snap-in host named in
 *               the page's closing note.
 * Returns the number of matching processes for which InjectLib() reported
 * success; 0 if the snapshot could not be taken or nothing matched.
 *
 * Review notes: unlike InjectLibAll() there is no g_szExeName exclusion,
 * so an injector whose own image name matches pszProcName injects into
 * itself; hProcess, hThread and bFound are never assigned (dead cleanup).
 */
int WINAPI InjectLibByName(char *pszDllInject, char *pszProcName)
{
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    int nRtn = 0;
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == NULL) __leave;
        PROCESSENTRY32 pe = { sizeof(pe) };
        BOOL bFound = FALSE;
        BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
        for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
            if (stricmp(pe.szExeFile, pszProcName) == 0) {
                if (InjectLib(pe.th32ProcessID, pszDllInject)) {
                    nRtn++;
                    printf("%s/%s - %s\n", pszDllInject, pe.szExeFile, "DLL Injection successful.");
                }
                else {
                    printf("%s/%s - %s\n", pszDllInject, pe.szExeFile, "DLL Injection failed");
                }
            }
        }
    }
    __finally {
        if (hthSnapshot != NULL)
            CloseHandle(hthSnapshot);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return nRtn;
}
/*
 * Calls EjectLib() for every process whose image name equals pszProcName
 * (case-insensitive). Prints one result line per matching process to stdout.
 *
 * pszDllInject: module name or path passed through to EjectLib().
 * pszProcName:  image file name to match.
 * Returns the number of matching processes for which EjectLib() reported
 * success; 0 if the snapshot could not be taken or nothing matched.
 *
 * Review notes: mirrors InjectLibByName(); hProcess, hThread and bFound
 * are never assigned, so their cleanup in __finally is dead.
 */
int WINAPI EjectLibByName(char *pszDllInject, char *pszProcName)
{
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    int nRtn = 0;
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == NULL) __leave;
        PROCESSENTRY32 pe = { sizeof(pe) };
        BOOL bFound = FALSE;
        BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
        for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
            if (stricmp(pe.szExeFile, pszProcName) == 0) {
                if (EjectLib(pe.th32ProcessID, pszDllInject)) {
                    nRtn++;
                    printf("%s - %s\n", pe.szExeFile, "DLL Ejection successful.");
                }
                else {
                    printf("%s - %s\n", pe.szExeFile, "DLL Ejection failed.");
                }
            }
        }
    }
    __finally {
        if (hthSnapshot != NULL)
            CloseHandle(hthSnapshot);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return nRtn;
}
/*
 * Enables SeDebugPrivilege in the current process token so that OpenProcess
 * can later obtain handles to processes owned by other accounts.
 *
 * Returns FALSE if the token cannot be opened, the privilege LUID cannot be
 * looked up, or AdjustTokenPrivileges fails; TRUE otherwise.
 *
 * Review notes:
 *  - AdjustTokenPrivileges returns TRUE even when the privilege is not
 *    present in the token (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so
 *    TRUE here does not prove the privilege was enabled; a caller without
 *    it gets TRUE and then fails later at OpenProcess.
 *  - hToken is closed on the failure paths but leaked on the success path.
 *  - Enabling SeDebugPrivilege from a non-debugger process is a commonly
 *    monitored precursor of injection tooling and is recorded when
 *    privilege-use auditing is enabled.
 */
BOOL EnableDebugPriv(void)
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
        CloseHandle(hToken);
        return FALSE;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    /* Only the call's own failure is checked, not ERROR_NOT_ALL_ASSIGNED. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)) {
        CloseHandle(hToken);
        return FALSE;
    }
    return TRUE;   /* hToken not closed here */
}
/*
 * Injector entry point (presumably the export of CallHook.dll; __stdcall,
 * no export directive visible here): records this executable's base name
 * in g_szExeName, enables SeDebugPrivilege, builds the path of AgentHk.DLL
 * (DEFAULT_LIB) next to the current module, verifies the file exists, and
 * injects it into process dwProcessId via InjectLib().
 *
 * nPid: intended target process id (see first review note).
 * Returns TRUE on successful injection, FALSE otherwise; returns 0 (FALSE)
 * early if the DLL file cannot be opened.
 *
 * Review notes:
 *  - nPid is never read. dwProcessId is initialised to 0 and never assigned,
 *    so the `if (dwProcessId > 0)` branch is unreachable and, as written,
 *    this function never injects anything. Whether that is deliberate or a
 *    transcription loss on this page cannot be told from here.
 *  - GetModuleFileName(0, szLine, sizeof(g_szExeName)-1) sizes szLine by a
 *    different array; both are MAX_PATH so it happens to fit.
 *  - strrchr(szLibFile, '\\') is dereferenced without a NULL check and the
 *    strcpy that appends DEFAULT_LIB is not bounded by sizeof szLibFile.
 *  - The fopen()/fclose() pair is only an existence check; nothing is read,
 *    and a file that exists but is unreadable also yields 0.
 *  - szProcName is unused; EnableDebugPriv()'s result is ignored.
 */
BOOL __stdcall CallHook(int nPid)
{
    BOOL ret = FALSE;
    DWORD dwProcessId = 0;
    char szProcName[MAX_PATH] = {0};
    char szLine[MAX_PATH] = {0};
    char szLibFile[MAX_PATH] = {0};
    /* Own image name -> g_szExeName (used by the *All() helpers to skip self). */
    GetModuleFileName(0, szLine, sizeof(g_szExeName)-1);
    char *ptr = strrchr(szLine, '\\');
    if (ptr) {
        ptr++;
        strcpy(g_szExeName, ptr);
    }
    EnableDebugPriv();
    /* DEFAULT_LIB is expected in the same directory as this module. */
    GetModuleFileName(NULL, szLibFile, sizeof(szLibFile));
    strcpy(strrchr(szLibFile, '\\') + 1, DEFAULT_LIB);
    FILE *fp = fopen(szLibFile, "r");
    if (!fp) {
        return 0;
    }
    fclose(fp);
    if (dwProcessId > 0) {   /* never true: dwProcessId stays 0 */
        if (InjectLib(dwProcessId, szLibFile)) {
            ret = TRUE;
        }
        else {
            ret = FALSE;
        }
    }
    return ret;
}
/*
 * Counterpart of CallHook(): same preparation (g_szExeName, SeDebugPrivilege,
 * path of DEFAULT_LIB next to the current module, existence check), then
 * ejects the DLL from process dwProcessId via EjectLib().
 *
 * nPid: intended target process id (see first review note).
 * Returns TRUE on successful ejection, FALSE otherwise; returns 0 (FALSE)
 * early if the DLL file cannot be opened.
 *
 * Review notes (same as CallHook):
 *  - nPid is never read and dwProcessId is never assigned, so the EjectLib
 *    branch is unreachable as written.
 *  - strrchr() result dereferenced without a NULL check; the strcpy that
 *    appends DEFAULT_LIB is unbounded; szProcName unused; EnableDebugPriv()
 *    result ignored.
 */
BOOL __stdcall UnHook(int nPid)
{
    BOOL ret = FALSE;
    DWORD dwProcessId = 0;
    char szProcName[MAX_PATH] = {0};
    char szLine[MAX_PATH] = {0};
    char szLibFile[MAX_PATH] = {0};
    GetModuleFileName(0, szLine, sizeof(g_szExeName)-1);
    char *ptr = strrchr(szLine, '\\');
    if (ptr) {
        ptr++;
        strcpy(g_szExeName, ptr);
    }
    EnableDebugPriv();
    GetModuleFileName(NULL, szLibFile, sizeof(szLibFile));
    strcpy(strrchr(szLibFile, '\\') + 1, DEFAULT_LIB);
    FILE *fp = fopen(szLibFile, "r");   /* existence check only */
    if (!fp) {
        return 0;
    }
    fclose(fp);
    if (dwProcessId > 0) {   /* never true: dwProcessId stays 0 */
        if (EjectLib(dwProcessId, szLibFile)) {
            ret = TRUE;
        }
        else {
            ret = FALSE;
        }
    }
    return ret;
}
注意这里隐藏服务采用HOOK MMC.EXE的方式，还可以采用全局的应用层HOOK
AgentHk.dll 是HOOK 的主要代码
CallHook.dll 是HOOK 代码的调用接口