simplified some code, security improvements, etc
This commit is contained in:
zeffy
@@ -43,7 +43,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
|
|||||||
DETOUR_IAT(hm, LoadLibraryExA);
|
DETOUR_IAT(hm, LoadLibraryExA);
|
||||||
DETOUR_IAT(hm, LoadLibraryExW);
|
DETOUR_IAT(hm, LoadLibraryExW);
|
||||||
|
|
||||||
TCHAR lpServiceDll[MAX_PATH + 1];
|
TCHAR lpServiceDll[MAX_PATH];
|
||||||
get_svcdll(_T("wuauserv"), lpServiceDll, _countof(lpServiceDll));
|
get_svcdll(_T("wuauserv"), lpServiceDll, _countof(lpServiceDll));
|
||||||
|
|
||||||
HMODULE hwu = GetModuleHandle(lpServiceDll);
|
HMODULE hwu = GetModuleHandle(lpServiceDll);
|
||||||
@@ -130,7 +130,7 @@ HMODULE WINAPI _LoadLibraryExA(
|
|||||||
HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
|
HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
|
||||||
if (result) {
|
if (result) {
|
||||||
dwprintf(L"Loaded library: %S", lpFileName);
|
dwprintf(L"Loaded library: %S", lpFileName);
|
||||||
CHAR path[MAX_PATH + 1];
|
CHAR path[MAX_PATH];
|
||||||
if (!get_svcdllA("wuauserv", path, _countof(path))) {
|
if (!get_svcdllA("wuauserv", path, _countof(path))) {
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
@@ -149,7 +149,7 @@ HMODULE WINAPI _LoadLibraryExW(
|
|||||||
HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
|
HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
|
||||||
if (result) {
|
if (result) {
|
||||||
dwprintf(L"Loaded library: %s", lpFileName);
|
dwprintf(L"Loaded library: %s", lpFileName);
|
||||||
WCHAR path[MAX_PATH + 1];
|
WCHAR path[MAX_PATH];
|
||||||
if (!get_svcdllW(L"wuauserv", path, _countof(path))) {
|
if (!get_svcdllW(L"wuauserv", path, _countof(path))) {
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -36,6 +36,7 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
|
|||||||
}
|
}
|
||||||
dwprintf(L"Processor: %S", brand + i);
|
dwprintf(L"Processor: %S", brand + i);
|
||||||
|
|
||||||
|
|
||||||
SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
|
SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
|
||||||
if (!hSCManager) {
|
if (!hSCManager) {
|
||||||
return;
|
return;
|
||||||
@@ -50,34 +51,26 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
|
|||||||
if (!result) {
|
if (!result) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
TCHAR lpLibFileName[MAX_PATH + 1];
|
TCHAR lpLibFileName[MAX_PATH];
|
||||||
GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
|
GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
|
||||||
|
|
||||||
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
|
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
|
||||||
if (!hProcess) {
|
if (!hProcess) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, _countof(lpLibFileName) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
|
LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(lpLibFileName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
|
||||||
if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, _countof(lpLibFileName), NULL)) {
|
if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, _countof(lpLibFileName), NULL)) {
|
||||||
|
|
||||||
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
|
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
|
||||||
if (hSnap) {
|
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"),
|
||||||
MODULEENTRY32 me;
|
STRINGIZE(LoadLibrary)),
|
||||||
me.dwSize = sizeof(me);
|
lpBaseAddress, 0, NULL
|
||||||
|
);
|
||||||
if (Module32First(hSnap, &me)) {
|
WaitForSingleObject(hThread, INFINITE);
|
||||||
do {
|
dwprintf(L"Injected into process: %d", dwProcessId);
|
||||||
if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
|
CloseHandle(hThread);
|
||||||
break;
|
|
||||||
}
|
|
||||||
} while (Module32Next(hSnap, &me));
|
|
||||||
|
|
||||||
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
|
|
||||||
CloseHandle(hThread);
|
|
||||||
}
|
|
||||||
CloseHandle(hSnap);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
VirtualFreeEx(hProcess, lpBaseAddress, 0, MEM_RELEASE);
|
||||||
CloseHandle(hProcess);
|
CloseHandle(hProcess);
|
||||||
close_log();
|
close_log();
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -6,27 +6,24 @@
|
|||||||
#include "service.h"
|
#include "service.h"
|
||||||
|
|
||||||
BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize) {
|
BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize) {
|
||||||
CHAR lpSubKey[MAX_PATH + 1];
|
CHAR lpSubKey[257];
|
||||||
sprintf_s(lpSubKey, _countof(lpSubKey), "SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
|
sprintf_s(lpSubKey, _countof(lpSubKey), "SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
|
||||||
|
DWORD cb = dwSize;
|
||||||
DWORD uBytes = _MAX_PATH + 1;
|
if (RegGetValueA(HKEY_LOCAL_MACHINE, lpSubKey, "ServiceDll", RRF_RT_REG_SZ, NULL, (PVOID)lpServiceDll, &cb)) {
|
||||||
LPBYTE pvData = malloc(uBytes);
|
return FALSE;
|
||||||
|
}
|
||||||
RegGetValueA(HKEY_LOCAL_MACHINE, lpSubKey, "ServiceDll", RRF_RT_REG_EXPAND_SZ | RRF_NOEXPAND, NULL, pvData, &uBytes);
|
dwprintf(L"Service \"%S\" DLL path: %S", lpServiceName, lpServiceDll);
|
||||||
|
|
||||||
ExpandEnvironmentStringsA((LPSTR)pvData, lpServiceDll, dwSize);
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOL get_svcdllW(LPCWSTR lpServiceName, LPWSTR lpServiceDll, DWORD dwSize) {
|
BOOL get_svcdllW(LPCWSTR lpServiceName, LPWSTR lpServiceDll, DWORD dwSize) {
|
||||||
WCHAR lpSubKey[MAX_PATH + 1];
|
WCHAR lpSubKey[257];
|
||||||
swprintf_s(lpSubKey, _countof(lpSubKey), L"SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
|
swprintf_s(lpSubKey, _countof(lpSubKey), L"SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
|
||||||
|
DWORD cb = dwSize;
|
||||||
DWORD uBytes = _MAX_PATH + 1;
|
if (RegGetValueW(HKEY_LOCAL_MACHINE, lpSubKey, L"ServiceDll", RRF_RT_REG_SZ, NULL, (PVOID)lpServiceDll, &cb)) {
|
||||||
LPBYTE pvData = malloc(uBytes);
|
return FALSE;
|
||||||
RegGetValueW(HKEY_LOCAL_MACHINE, lpSubKey, L"ServiceDll", RRF_RT_REG_EXPAND_SZ | RRF_NOEXPAND, NULL, pvData, &uBytes);
|
}
|
||||||
|
dwprintf(L"Service \"%s\" DLL path: %s", lpServiceName, lpServiceDll);
|
||||||
ExpandEnvironmentStringsW((LPWSTR)pvData, lpServiceDll, dwSize);
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -59,6 +56,7 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
|
|||||||
if (!get_svcpath(hSCManager, lpServiceName, lpBinaryPathName, _countof(lpBinaryPathName))) {
|
if (!get_svcpath(hSCManager, lpServiceName, lpBinaryPathName, _countof(lpBinaryPathName))) {
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
int numArgs;
|
int numArgs;
|
||||||
LPWSTR *argv = CommandLineToArgv(lpBinaryPathName, &numArgs);
|
LPWSTR *argv = CommandLineToArgv(lpBinaryPathName, &numArgs);
|
||||||
if (numArgs < 3) {
|
if (numArgs < 3) {
|
||||||
@@ -105,7 +103,7 @@ BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPat
|
|||||||
}
|
}
|
||||||
|
|
||||||
BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
|
BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
|
||||||
DWORD uBytes = 0x100000;
|
DWORD uBytes = 1 << 20;
|
||||||
LPBYTE pvData = malloc(uBytes);
|
LPBYTE pvData = malloc(uBytes);
|
||||||
RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"),
|
RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"),
|
||||||
lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);
|
lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);
|
||||||
|
|||||||
@@ -157,12 +157,12 @@ BOOL init_log(void) {
|
|||||||
if (log_fp) {
|
if (log_fp) {
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
WCHAR filename[MAX_PATH + 1];
|
WCHAR filename[MAX_PATH];
|
||||||
GetModuleFileNameW(HINST_THISCOMPONENT, filename, _countof(filename));
|
GetModuleFileNameW(HINST_THISCOMPONENT, filename, _countof(filename));
|
||||||
WCHAR drive[_MAX_DRIVE], dir[_MAX_DIR], fname[_MAX_FNAME];
|
WCHAR drive[_MAX_DRIVE], dir[_MAX_DIR], fname[_MAX_FNAME];
|
||||||
_wsplitpath_s(filename, drive, _countof(drive), dir, _countof(dir), fname, _countof(fname), NULL, 0);
|
_wsplitpath_s(filename, drive, _countof(drive), dir, _countof(dir), fname, _countof(fname), NULL, 0);
|
||||||
|
|
||||||
WCHAR basename[MAX_PATH + 1];
|
WCHAR basename[MAX_PATH];
|
||||||
GetModuleBaseNameW(GetCurrentProcess(), NULL, basename, _countof(basename));
|
GetModuleBaseNameW(GetCurrentProcess(), NULL, basename, _countof(basename));
|
||||||
wcscat_s(fname, _countof(fname), L".");
|
wcscat_s(fname, _countof(fname), L".");
|
||||||
wcscat_s(fname, _countof(fname), basename);
|
wcscat_s(fname, _countof(fname), basename);
|
||||||
|
|||||||
Reference in New Issue
Block a user