ROAInject.cpp
上传用户:tianheyiqi
上传日期:2010-04-16
资源大小:282k
文件大小:18k
源码类别:

外挂编程

开发平台:

Visual C++

  1. #define _WIN32_WINNT 0x0400
  2. #define NT
  3. #define DBG_TRACE   0
  4. #include <stdafx.h>
  5. #include <windows.h>
  6. #include <stdio.h>
  7. #include <winsock2.h>
  8. #include <malloc.h>
  9. #include "detours.h"
  10. #define PULONG_PTR PVOID
  11. #define PLONG_PTR PVOID
  12. #define ULONG_PTR PVOID
  13. #define LONG_PTR PVOID
  14. #define ENUMRESNAMEPROCA  PVOID
  15. #define ENUMRESNAMEPROCW  PVOID
  16. #define ENUMRESLANGPROCA  PVOID
  17. #define ENUMRESLANGPROCW  PVOID
  18. #define ENUMRESTYPEPROCA  PVOID
  19. #define ENUMRESTYPEPROCW  PVOID
  20. #define STGOPTIONS          PVOID
  21. static TCHAR wzExeName[MAX_PATH];
  22. static char infobuf[32];
  23. static HWND g_hWnd;
  24. static UINT g_wMsg;
  25. //////////////////////////////////////////////////////////////////////
  26. #pragma warning(disable:4127)   // Many of our asserts are constants.
  27. #ifndef _DEFINED_ASMBREAK_
  28. #define _DEFINED_ASMBREAK_
  29. #define ASMBREAK() __asm { int 3 }
  30. //#define ASMBREAK() DebugBreak()
  31. #endif // _DEFINED_ASMBREAK_
  32. #define ASSERT_ALWAYS(x)   
  33.     do {                                                        
  34. if (!(x)) {                                                 
  35.             AssertMessage(#x, __FILE__, __LINE__);              
  36. ASMBREAK();                                         
  37. }                                                           
  38.     } while (0)
  39. #ifndef NDEBUG
  40. #define ASSERT(x)           ASSERT_ALWAYS(x)
  41. #endif
  42. #define UNUSED(c)     (c) = (c)
  43. #define ARRAYOF(x)     (sizeof(x)/sizeof(x[0]))
  44. //////////////////////////////////////////////////////////////////////
  45. static HMODULE s_hInst = NULL;
  46. static WCHAR s_wzDllPath[MAX_PATH];
  47. VOID _PrintDump(SOCKET socket, PCHAR pszData, INT cbData);
  48. VOID _PrintEnter(PCSTR psz, ...);
  49. VOID _PrintExit(PCSTR psz, ...);
  50. VOID _Print(PCSTR psz, ...);
  51. VOID AssertMessage(CONST PCHAR pszMsg, CONST PCHAR pszFile, ULONG nLine);
  52. #define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr)+(DWORD)(addValue))
  53. #define FALSECLIENT_TIMEOUT 12000
  54. #define FALSECLIENT_SEND_TIMEOUT 5000
  55. #define MAX_BUFFER_LENGTH 16384
  56. ////
  57. //FUNCTION PROTOTYPES AND TYPEDEF
  58. ////
  59. BOOL IsConnected(SOCKET s);
  60. void falseClientCom();
  61. ULONG falseClientComId;
  62. SOCKET falseClient;
  63. SOCKET currentServer;
  64. HINSTANCE g_hInst=0;
  65. WSADATA WSAData;
  66. char* falseClient_send;
  67. char* falseClient_recvInject;
  68. int falseClient_sendLength;
  69. int falseClient_recvInjectLength;
  70. CRITICAL_SECTION falseClient_sendSection;
  71. CRITICAL_SECTION falseClient_recvInjectSection;
  72. CRITICAL_SECTION address_section;
  73.  
  74. //////////////////////////////////////////////////////////////////////////////
  75. //
  76. #pragma warning(disable:4100)   // Trampolines don't use formal parameters.
  77. extern "C" {
  78.     DETOUR_TRAMPOLINE(int WINAPI
  79.                       Real_WSAAsyncSelect(SOCKET s,
  80.                                        HWND hWnd,
  81.                                        unsigned int wMsg,
  82.    long lEvent),
  83.  WSAAsyncSelect);
  84.     DETOUR_TRAMPOLINE(VOID WINAPI
  85.                       Real_InitializeCriticalSection(LPCRITICAL_SECTION lpSection),
  86.                       InitializeCriticalSection);
  87.     DETOUR_TRAMPOLINE(VOID WINAPI
  88.                       Real_EnterCriticalSection(LPCRITICAL_SECTION lpSection),
  89.                       EnterCriticalSection);
  90.     DETOUR_TRAMPOLINE(VOID WINAPI
  91.                       Real_LeaveCriticalSection(LPCRITICAL_SECTION lpSection),
  92.                       LeaveCriticalSection);
  93. }
  94. DETOUR_TRAMPOLINE(DWORD WINAPI Real_GetModuleFileNameW(HMODULE a0,
  95.                                                           LPWSTR a1,
  96.                                                           DWORD a2),
  97.                   GetModuleFileNameW);
  98. DETOUR_TRAMPOLINE(BOOL WINAPI Real_CreateProcessW(LPCWSTR a0,
  99.                                                      LPWSTR a1,
  100.                                                      LPSECURITY_ATTRIBUTES a2,
  101.                                                      LPSECURITY_ATTRIBUTES a3,
  102.                                                      BOOL a4,
  103.                                                      DWORD a5,
  104.                                                      LPVOID a6,
  105.                                                      LPCWSTR a7,
  106.                                                      struct _STARTUPINFOW* a8,
  107.                                                      LPPROCESS_INFORMATION a9),
  108.                   CreateProcessW);
  109. DETOUR_TRAMPOLINE(int WINAPI Real_connect(SOCKET a0,
  110.                                              sockaddr* a1,
  111.                                              int a2),
  112.                   connect);
  113. DETOUR_TRAMPOLINE(int WINAPI Real_recv(SOCKET a0,
  114.                                           char* a1,
  115.                                           int a2,
  116.                                           int a3),
  117.                   recv);
  118. DETOUR_TRAMPOLINE(int WINAPI Real_send(SOCKET a0,
  119.                                           char* a1,
  120.                                           int a2,
  121.                                           int a3),
  122.                   send);
  123. /////////////////////////////////////////////////////////////
  124. // Detours
  125. //
  126. BOOL WINAPI Mine_CreateProcessW(LPCWSTR lpApplicationName,
  127.                                 LPWSTR lpCommandLine,
  128.                                 LPSECURITY_ATTRIBUTES lpProcessAttributes,
  129.                                 LPSECURITY_ATTRIBUTES lpThreadAttributes,
  130.                                 BOOL bInheritHandles,
  131.                                 DWORD dwCreationFlags,
  132.                                 LPVOID lpEnvironment,
  133.                                 LPCWSTR lpCurrentDirectory,
  134.                                 LPSTARTUPINFOW lpStartupInfo,
  135.                                 LPPROCESS_INFORMATION lpProcessInformation)
  136. {
  137.     _PrintEnter("CreateProcessW(%ls,%ls,%lx,%lx,%lx,%lx,%lx,%ls,%lx,%lx)n",
  138.                 lpApplicationName,
  139.                 lpCommandLine,
  140.                 lpProcessAttributes,
  141.                 lpThreadAttributes,
  142.                 bInheritHandles,
  143.                 dwCreationFlags,
  144.                 lpEnvironment,
  145.                 lpCurrentDirectory,
  146.                 lpStartupInfo,
  147.                 lpProcessInformation);
  148.     _Print("Calling DetourCreateProcessWithDllW(,%ls)n", s_wzDllPath);
  149.     
  150.     BOOL rv = 0;
  151.     __try {
  152.         rv = DetourCreateProcessWithDllW(lpApplicationName,
  153.                                    lpCommandLine,
  154.                                    lpProcessAttributes,
  155.                                    lpThreadAttributes,
  156.                                    bInheritHandles,
  157.                                    dwCreationFlags,
  158.                                    lpEnvironment,
  159.                                    lpCurrentDirectory,
  160.                                    lpStartupInfo,
  161.                                    lpProcessInformation,
  162.                                    s_wzDllPath,
  163.                                    Real_CreateProcessW);
  164.     } __finally {
  165.         _PrintExit("CreateProcessW(,,,,,,,,,) -> %lxn", rv);
  166.     };
  167.     return rv;
  168. }
  169. int WINAPI Mine_WSAAsyncSelect(
  170.   SOCKET s,           
  171.   HWND hWnd,          
  172.   unsigned int wMsg,  
  173.   long lEvent         
  174. )
  175. {
  176. currentServer = s;
  177. Real_WSAAsyncSelect(s,hWnd,wMsg, lEvent);
  178. g_hWnd = hWnd;
  179. g_wMsg = wMsg;
  180. return 0;
  181. }
  182. int WINAPI Mine_connect(SOCKET a0,
  183.                            sockaddr* name,
  184.                            int namelen)
  185. {
  186. currentServer = a0;
  187. Real_connect(a0, name, namelen);
  188. EnterCriticalSection(&address_section);
  189. memcpy(infobuf, name->sa_data, 6);
  190. LeaveCriticalSection(&address_section);
  191.     return 0;
  192. }
  193. int WINAPI Mine_recv(SOCKET s,
  194.                         char* buf,
  195.                         int len,
  196.                         int flags)
  197. {
  198. int ret = 0;
  199. int ret2 = 0;
  200. currentServer = s;
  201. if (falseClient_recvInjectLength) {
  202. EnterCriticalSection(&falseClient_recvInjectSection);
  203. memcpy(buf,falseClient_recvInject,falseClient_recvInjectLength);
  204. ret = falseClient_recvInjectLength;
  205. falseClient_recvInjectLength = 0;
  206. LeaveCriticalSection(&falseClient_recvInjectSection);
  207. }
  208. ret2 = Real_recv(s, buf+ret, len, flags);
  209. if (ret2 != SOCKET_ERROR && ret2>0 && falseClient_sendLength + ret2 + 1 < MAX_BUFFER_LENGTH) {
  210. char* newbuf = (char*)malloc(ret2+3);
  211. unsigned short sLen = (unsigned short)ret2;
  212. memcpy(newbuf,"R",1);
  213. memcpy(newbuf+1, &sLen,2);
  214. memcpy(newbuf+3, buf+ret,ret2);
  215. EnterCriticalSection(&falseClient_sendSection);
  216. memcpy(falseClient_send+falseClient_sendLength,newbuf,ret2+3);
  217. falseClient_sendLength += ret2+3;
  218. LeaveCriticalSection(&falseClient_sendSection);
  219. free(newbuf);
  220. }
  221. if (ret2 != SOCKET_ERROR) {
  222. ret += ret2;
  223. }
  224. if (!ret) {
  225. ret = SOCKET_ERROR;
  226. WSASetLastError(WSAEWOULDBLOCK);
  227. }
  228. return ret;
  229. }
  230. int WINAPI Mine_send(SOCKET s,
  231.                         char* buf,
  232.                         int len,
  233.                         int flags)
  234. {
  235. int ret;
  236. currentServer = s;
  237. ret = Real_send(s, buf, 0, flags);
  238. if (ret != SOCKET_ERROR && len > 0 && falseClient_sendLength + len + 3 < MAX_BUFFER_LENGTH) {
  239. char* newbuf = (char*)malloc(len+3);
  240. unsigned short sLen = (unsigned short)len;
  241. memcpy(newbuf,"S",1);
  242. memcpy(newbuf+1,&sLen,2);
  243. memcpy(newbuf+3, buf,len);
  244. EnterCriticalSection(&falseClient_sendSection);
  245. memcpy(falseClient_send+falseClient_sendLength,newbuf,len+3);
  246. falseClient_sendLength += len+3;
  247. LeaveCriticalSection(&falseClient_sendSection);
  248. free(newbuf);
  249. } else {
  250. return ret;
  251. }
  252. return len;
  253. }
  254. /////////////////////////////////////////////////////////////
  255. // TrampolineWith
  256. //
  257. VOID SetDetour(PBYTE pbTrampoline, PBYTE pbDetour)
  258. {
  259. PBYTE pbRealTrampoline = NULL;
  260. PBYTE pbRealTarget = NULL;
  261. if (!DetourFunctionWithTrampolineEx(pbTrampoline, pbDetour,
  262. &pbRealTrampoline, &pbRealTarget)) {
  263. // ASSERT(!"DetourFailed!");
  264. }
  265. }
  266. VOID TrampolineWith(VOID)
  267. {
  268.     DetourFunctionWithTrampoline((PBYTE)Real_CreateProcessW,
  269.                                  (PBYTE)Mine_CreateProcessW);
  270.     DetourFunctionWithTrampoline((PBYTE)Real_WSAAsyncSelect,
  271.                                  (PBYTE)Mine_WSAAsyncSelect);
  272.     DetourFunctionWithTrampoline((PBYTE)Real_connect,
  273.                                  (PBYTE)Mine_connect);
  274.     DetourFunctionWithTrampoline((PBYTE)Real_recv,
  275.                                  (PBYTE)Mine_recv);
  276.     DetourFunctionWithTrampoline((PBYTE)Real_send,
  277.                                  (PBYTE)Mine_send);
  278. }
  279. //
  280. //////////////////////////////////////////////////////////////////////////////
  281. ////////////////////////////////////////////////////////////// Logging System.
  282. //
  283. static BOOL s_bLog = 1;
  284. static LONG s_nTlsIndent = -1;
  285. static LONG s_nTlsThread = -1;
  286. static LONG s_nThreadCnt = 0;
  287. VOID _PrintEnter(const CHAR *psz, ...)
  288. {
  289. return;
  290. }
  291. VOID _PrintExit(const CHAR *psz, ...)
  292. {
  293. return;
  294. }
  295. VOID _Print(const CHAR *psz, ...)
  296. {
  297. return;
  298. }
  299. VOID _PrintDump(SOCKET socket, PCHAR pszData, INT cbData)
  300. {
  301. return;
  302. }
  303. VOID AssertMessage(CONST PCHAR pszMsg, CONST PCHAR pszFile, ULONG nLine)
  304. {
  305. //    Syelog(SYELOG_SEVERITY_FATAL,
  306. //           "ASSERT(%s) failed in %s, line %d.n", pszMsg, pszFile, nLine);
  307. }
  308. VOID NullExport()
  309. {
  310. }
  311. //////////////////////////////////////////////////////////////////////////////
  312. //
  313. // DLL module information
  314. //
  315. BOOL ThreadAttach(HMODULE hDll)
  316. {
  317. if (s_nTlsIndent >= 0) {
  318. TlsSetValue(s_nTlsIndent, (PVOID)0);
  319. }
  320. if (s_nTlsThread >= 0) {
  321. LONG nThread = InterlockedIncrement(&s_nThreadCnt);
  322. TlsSetValue(s_nTlsThread, (PVOID)nThread);
  323. }
  324. return TRUE;
  325. }
  326. BOOL ThreadDetach(HMODULE hDll)
  327. {
  328. if (s_nTlsIndent >= 0) {
  329. TlsSetValue(s_nTlsIndent, (PVOID)0);
  330. }
  331. if (s_nTlsThread >= 0) {
  332. TlsSetValue(s_nTlsThread, (PVOID)0);
  333. }
  334. return TRUE;
  335. }
  336. BOOL ProcessAttach(HMODULE hDll)
  337. {
  338. s_bLog = FALSE;
  339. s_nTlsIndent = TlsAlloc();
  340. s_nTlsThread = TlsAlloc();
  341.     s_hInst = hDll;
  342.     memset(wzExeName, 0, sizeof(wzExeName));
  343. Real_GetModuleFileNameW(hDll, s_wzDllPath, ARRAYOF(s_wzDllPath));
  344. // Real_GetModuleFileNameW(NULL, wzExeName, ARRAYOF(wzExeName));
  345. HKEY hKey = 0;
  346. LONG lRet;
  347. lRet = RegOpenKey(HKEY_LOCAL_MACHINE, "SOFTWARE\Gravity Soft", &hKey);
  348. if(lRet == ERROR_SUCCESS && hKey != 0)
  349. {
  350. LONG lSize = 1024;
  351. lRet = RegQueryValue(hKey, "LaunchTarget", wzExeName, &lSize);
  352. RegCloseKey(hKey);
  353. }
  354.  /*   SyelogOpen("tracetcp", SYELOG_FACILITY_APPLICATION);
  355.     Syelog(SYELOG_SEVERITY_INFORMATION,
  356.            "##################################################################n");
  357.     Syelog(SYELOG_SEVERITY_INFORMATION,
  358.            "### %lsn", wzExeName);
  359. */ TrampolineWith();
  360. ThreadAttach(hDll);
  361. s_bLog = TRUE;
  362. return TRUE;
  363. }
  364. BOOL ProcessDetach(HMODULE hDll)
  365. {
  366. ThreadDetach(hDll);
  367. s_bLog = FALSE;
  368. //    SyelogClose();
  369. if (s_nTlsIndent >= 0) {
  370. TlsFree(s_nTlsIndent);
  371. }
  372. if (s_nTlsThread >= 0) {
  373. TlsFree(s_nTlsThread);
  374. }
  375. return TRUE;
  376. }
  377. BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, PVOID lpReserved)
  378. {
  379. switch (dwReason) {
  380.   case DLL_PROCESS_ATTACH:
  381. // return ProcessAttach(hModule);
  382. g_hInst = hModule;
  383. falseClient_send = (char*)malloc(MAX_BUFFER_LENGTH);
  384. falseClient_sendLength = 0;
  385. falseClient_recvInject = (char*)malloc(MAX_BUFFER_LENGTH);
  386. falseClient_recvInjectLength = 0;
  387. currentServer = 0;
  388. WSAStartup(MAKEWORD(2,2),&WSAData);
  389. InitializeCriticalSection(&falseClient_sendSection);
  390. InitializeCriticalSection(&falseClient_recvInjectSection);
  391. InitializeCriticalSection(&address_section);
  392. CreateThread(0, 0, (LPTHREAD_START_ROUTINE)falseClientCom, 0, 0, &falseClientComId);
  393. return ProcessAttach(hModule);
  394.   case DLL_PROCESS_DETACH:
  395. free(falseClient_send);
  396. free(falseClient_recvInject);
  397. return ProcessDetach(hModule);
  398.   case DLL_THREAD_ATTACH:
  399. return ThreadAttach(hModule);
  400.   case DLL_THREAD_DETACH:
  401. return ThreadDetach(hModule);
  402. }
  403. return TRUE;
  404. }
  405. //
  406. ////
  407. //FUNCTIONS
  408. ////
  409. BOOL IsConnected(SOCKET s) {
  410. fd_set udtWrite_fd;
  411. timeval tv;
  412. tv.tv_sec = 0;
  413. tv.tv_usec = 1;
  414. long lngSocketCount = 0;
  415.     udtWrite_fd.fd_count = 1;
  416.     udtWrite_fd.fd_array[0] = s;
  417.     lngSocketCount = select(0, 0, &udtWrite_fd, 0, &tv);
  418.     return (BOOL)(lngSocketCount);
  419. }
  420. void falseClientCom() {
  421. char * falseClient_recv = (char*)malloc(MAX_BUFFER_LENGTH);
  422. unsigned short falseClient_recvLength;
  423. int index;
  424. int ret;
  425. int type;
  426. DWORD falseClient_timeout = 0;
  427. DWORD falseClient_send_timeout = 0;
  428. sockaddr_in addr;
  429. DWORD arg = 1;
  430. addr.sin_family = AF_INET;
  431. addr.sin_port = htons(2350);
  432. addr.sin_addr.s_addr = inet_addr("127.0.0.1");
  433. falseClient = socket(AF_INET, SOCK_STREAM, 0);
  434. char* keepAlivePacket = (char*)malloc(3);
  435. unsigned short keepAlivePacketLength = 0;
  436. memcpy(keepAlivePacket,"K",1);
  437. memcpy(keepAlivePacket+1,&keepAlivePacketLength,2);
  438. char* ipPackcet = (char*) malloc(32);
  439. unsigned short ipPacketLength = 32;
  440. memcpy(ipPackcet,"I",1);
  441. memcpy(ipPackcet+1, &ipPacketLength, 2);
  442. while (1) {
  443. while (!falseClient || !IsConnected(falseClient) || (GetTickCount() - falseClient_timeout >= FALSECLIENT_TIMEOUT)) {
  444. closesocket(falseClient);
  445. falseClient = socket(AF_INET, SOCK_STREAM, 0);
  446. connect(falseClient, (struct sockaddr *) &addr, sizeof(sockaddr_in));
  447. ioctlsocket(falseClient,FIONBIO,&arg);
  448. falseClient_timeout = GetTickCount();
  449. falseClient_send_timeout = GetTickCount();
  450. falseClient_sendLength = 0;
  451. }
  452. ret = Real_recv(falseClient,falseClient_recv,MAX_BUFFER_LENGTH,0);
  453. if (ret != SOCKET_ERROR && ret >= 3) {
  454. index = 0;
  455. while (index < ret) {
  456. falseClient_recvLength = *(unsigned short *)(falseClient_recv+index+1);
  457. if (ret-index < falseClient_recvLength) {
  458. MessageBox(0,"False client sent a bad message!", "False client error",0);
  459. break;
  460. }
  461. if (*(falseClient_recv+index) == 'S') {
  462. type = 0;
  463. } else if (*(falseClient_recv+index) == 'R') {
  464. type = 1;
  465. } else if (*(falseClient_recv+index) == 'K') {
  466. //Keep alive
  467. type = 2;
  468. } else {
  469. type = -1;
  470. }
  471. if (!type && currentServer && IsConnected(currentServer)) {
  472. if(strlen(wzExeName) > 0)
  473. {
  474. EnterCriticalSection(&falseClient_sendSection);
  475. int cnt = 0;
  476. int cntMax = (int)strlen(wzExeName);
  477. for(int i=0; i<falseClient_recvLength; i++)
  478. {
  479. *(falseClient_recv+index+3+i) = (*(falseClient_recv+index+3+i)) - wzExeName[cnt];
  480. if(++cnt >= cntMax)
  481. cnt = 0;
  482. }
  483. LeaveCriticalSection(&falseClient_sendSection);
  484. }
  485. Real_send(currentServer,falseClient_recv+index+3,falseClient_recvLength,0);
  486. } else if (type == 1) {
  487. EnterCriticalSection(&falseClient_recvInjectSection);
  488. memcpy(falseClient_recvInject+falseClient_recvInjectLength,falseClient_recv+index+3,falseClient_recvLength);
  489. falseClient_recvInjectLength += falseClient_recvLength;
  490. LeaveCriticalSection(&falseClient_recvInjectSection);
  491. if(falseClient_recvInjectLength > 0 && ::IsWindow(g_hWnd))
  492. {
  493. PostMessage(g_hWnd, g_wMsg, currentServer, FD_READ);
  494. }
  495. }
  496. index += falseClient_recvLength + 3;
  497. }
  498. falseClient_timeout = GetTickCount();
  499. }
  500. if (falseClient_sendLength) {
  501. EnterCriticalSection(&falseClient_sendSection);
  502. Real_send(falseClient,falseClient_send,falseClient_sendLength,0);
  503. falseClient_sendLength = 0;
  504. LeaveCriticalSection(&falseClient_sendSection);
  505. }
  506. if (GetTickCount() - falseClient_send_timeout >= FALSECLIENT_SEND_TIMEOUT) {
  507. EnterCriticalSection(&falseClient_sendSection);
  508. Real_send(falseClient,keepAlivePacket,3,0);
  509. LeaveCriticalSection(&falseClient_sendSection);
  510. falseClient_send_timeout = GetTickCount();
  511. }
  512. EnterCriticalSection(&address_section);
  513. if(infobuf[0] != 0)
  514. {
  515. memcpy(ipPackcet+3, infobuf, 6);
  516. Real_send(falseClient, ipPackcet, 32+3, 0);
  517. infobuf[0] = 0;
  518. }
  519. LeaveCriticalSection(&address_section);
  520. Sleep(50);
  521. }
  522. if(ipPackcet != 0)
  523. free(ipPackcet);
  524. if(keepAlivePacket != 0)
  525. free(keepAlivePacket);
  526. if(falseClient_recv != 0)
  527. free(falseClient_recv);
  528. }
  529. ///////////////////////////////////////////////////////////////// End of File.