more error checking
14
wufuc/core.c
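--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -149,10 +149,15 @@ HMODULE WINAPI _LoadLibraryExA(
 _In_ DWORD dwFlags
 ) {
 HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
+if (!result) {
+return result;
+}
 _dbgprintf("Loaded library: %s.", lpFileName);
 
 CHAR path[MAX_PATH + 1];
-get_svcdllA("wuauserv", path, _countof(path));
+if (!get_svcdllA("wuauserv", path, _countof(path))) {
+return result;
+}
 
 if (!_stricmp(lpFileName, path)) {
 _dbgprintf("%s is wu module, applying patch...", lpFileName);
@@ -167,10 +172,15 @@ HMODULE WINAPI _LoadLibraryExW(
 _In_ DWORD dwFlags
 ) {
 HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
+if (!result) {
+return result;
+}
 _wdbgprintf(L"Loaded library: %s.", lpFileName);
 
 WCHAR path[MAX_PATH + 1];
-get_svcdllW(L"wuauserv", path, _countof(path));
+if (!get_svcdllW(L"wuauserv", path, _countof(path))) {
+return result;
+}
 
 if (!_wcsicmp(lpFileName, path)) {
 _wdbgprintf(L"%s is wu module, applying patch...", lpFileName);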
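Review bot: The new `get_svcdllA` failure path in `_LoadLibraryExA` returns silently, while every other branch of the hook reports through `_dbgprintf`, so a machine on which the service DLL lookup fails logs "Loaded library" and then nothing, which makes the not-patched case hard to diagnose; the `_LoadLibraryExW` hunk has the same gap. Add `_dbgprintf("get_svcdllA failed, not patching %s.", lpFileName);` (and the `_wdbgprintf` equivalent) before each new `return result;`. The `!_stricmp(lpFileName, path)` comparison only matches a caller that passes the same full path `get_svcdllA` returns; whether the service loads its DLL that way is worth confirming, but the comparison is not changed by this commit. Both function bodies continue past the end of their hunks.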
@@ -12,6 +12,9 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
|
SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
|
||||||
|
if (!hSCManager) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
TCHAR lpGroupName[256];
|
TCHAR lpGroupName[256];
|
||||||
DWORD dwProcessId;
|
DWORD dwProcessId;
|
||||||
BOOL result = get_svcpid(hSCManager, _T("wuauserv"), &dwProcessId);
|
BOOL result = get_svcpid(hSCManager, _T("wuauserv"), &dwProcessId);
|
||||||
@@ -24,7 +27,33 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
|
|||||||
}
|
}
|
||||||
TCHAR lpLibFileName[MAX_PATH + 1];
|
TCHAR lpLibFileName[MAX_PATH + 1];
|
||||||
GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
|
GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
|
||||||
InjectLibrary(dwProcessId, lpLibFileName, _countof(lpLibFileName));
|
|
||||||
|
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
|
||||||
|
if (!hProcess) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, _countof(lpLibFileName) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
|
||||||
|
if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, _countof(lpLibFileName), NULL)) {
|
||||||
|
|
||||||
|
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
|
||||||
|
if (hSnap) {
|
||||||
|
MODULEENTRY32 me;
|
||||||
|
me.dwSize = sizeof(me);
|
||||||
|
|
||||||
|
if (Module32First(hSnap, &me)) {
|
||||||
|
do {
|
||||||
|
if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} while (Module32Next(hSnap, &me));
|
||||||
|
|
||||||
|
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, _CRT_STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
|
||||||
|
CloseHandle(hThread);
|
||||||
|
}
|
||||||
|
CloseHandle(hSnap);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
CloseHandle(hProcess);
|
||||||
}
|
}
|
||||||
|
|
||||||
void CALLBACK Rundll32Unload(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
|
void CALLBACK Rundll32Unload(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
|
||||||
|
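Review bot: The sizes passed to `VirtualAllocEx` and `WriteProcessMemory` in `Rundll32Entry` are element counts, not byte counts: `lpLibFileName` is a `TCHAR` array, so `_countof(lpLibFileName)` is `MAX_PATH + 1` characters, which in a `UNICODE` build is half the buffer, and a path of roughly 130 characters or more would be copied without its terminator. Use `sizeof(lpLibFileName)` in both calls, i.e. `VirtualAllocEx(hProcess, NULL, sizeof(lpLibFileName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE)` and `WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, sizeof(lpLibFileName), NULL)`. The `do`/`while` scan has no found flag: if `kernel32.dll` is not in the snapshot, `me` holds the last entry, `GetProcAddress` returns `NULL`, and that `NULL` reaches `CreateRemoteThread` unchecked, after which `CloseHandle(hThread)` runs even when `hThread` is `NULL`; test the `GetProcAddress` result before the call. The `GetModuleFileName` return value is likewise unchecked, and unless a `CloseServiceHandle` sits outside the hunk, `hSCManager` is leaked on the new `if (!hProcess)` return. The start of `Rundll32Entry` is outside the hunk.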
@@ -41,7 +41,7 @@ BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessI
|
|||||||
BOOL result = FALSE;
|
BOOL result = FALSE;
|
||||||
if (QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&lpBuffer, sizeof(lpBuffer), &cbBytesNeeded)
|
if (QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&lpBuffer, sizeof(lpBuffer), &cbBytesNeeded)
|
||||||
&& lpBuffer.dwProcessId) {
|
&& lpBuffer.dwProcessId) {
|
||||||
|
|
||||||
*lpdwProcessId = lpBuffer.dwProcessId;
|
*lpdwProcessId = lpBuffer.dwProcessId;
|
||||||
_tdbgprintf(_T("Got pid for service %s: %d."), lpServiceName, *lpdwProcessId);
|
_tdbgprintf(_T("Got pid for service %s: %d."), lpServiceName, *lpdwProcessId);
|
||||||
result = TRUE;
|
result = TRUE;
|
||||||
@@ -100,7 +100,6 @@ BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPat
|
|||||||
BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
|
BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
|
||||||
DWORD uBytes = 0x100000;
|
DWORD uBytes = 0x100000;
|
||||||
LPBYTE pvData = malloc(uBytes);
|
LPBYTE pvData = malloc(uBytes);
|
||||||
|
|
||||||
RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"),
|
RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"),
|
||||||
lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);
|
lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);
|
||||||
|
|
||||||
@@ -108,12 +107,11 @@ BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwPro
|
|||||||
for (LPTSTR p = (LPTSTR)pvData; *p; p += _tcslen(p) + 1) {
|
for (LPTSTR p = (LPTSTR)pvData; *p; p += _tcslen(p) + 1) {
|
||||||
DWORD dwProcessId;
|
DWORD dwProcessId;
|
||||||
TCHAR group[256];
|
TCHAR group[256];
|
||||||
if (get_svcpid(hSCManager, p, &dwProcessId)) {
|
if (get_svcpid(hSCManager, p, &dwProcessId)
|
||||||
get_svcgname(hSCManager, p, group, _countof(group));
|
&& (get_svcgname(hSCManager, p, group, _countof(group)) && !_tcsicmp(group, lpServiceGroupName))) {
|
||||||
result = !_tcsicmp(group, lpServiceGroupName);
|
|
||||||
}
|
|
||||||
if (result) {
|
|
||||||
*lpdwProcessId = dwProcessId;
|
*lpdwProcessId = dwProcessId;
|
||||||
|
result = TRUE;
|
||||||
_tdbgprintf(_T("Got pid for service group %s: %d."), lpServiceGroupName, *lpdwProcessId);
|
_tdbgprintf(_T("Got pid for service group %s: %d."), lpServiceGroupName, *lpdwProcessId);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
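Review bot: The new condition in `get_svcgpid` walks `pvData` whose contents are never validated: `malloc(uBytes)` is not checked for `NULL` and the `RegGetValue` return value is ignored, so on a failed lookup `for (LPTSTR p = (LPTSTR)pvData; *p; p += _tcslen(p) + 1)` reads uninitialized heap memory and `_tcslen` can run past the end of the buffer. Guard it before the loop with `if (!pvData || RegGetValue(...) != ERROR_SUCCESS) { free(pvData); return FALSE; }`, or size the buffer with a first `RegGetValue(..., NULL, &uBytes)` call instead of allocating `0x100000` bytes up front. The inner parentheses around the `get_svcgname` term are redundant, and the `%d` in `_tdbgprintf` for a `DWORD` is a signed/unsigned mismatch (`%lu`), but both are cosmetic. Whether `pvData` is freed and how `result` is initialised is outside the hunk.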
24
wufuc/util.c
24
wufuc/util.c
@@ -80,30 +80,6 @@ BOOL FindPattern(LPCBYTE pvData, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOL InjectLibrary(DWORD dwProcessId, LPCTSTR lpLibFileName, DWORD cb) {
|
|
||||||
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
|
|
||||||
LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, cb, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
|
|
||||||
if (!WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, cb, NULL)) {
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
|
|
||||||
MODULEENTRY32 me;
|
|
||||||
me.dwSize = sizeof(me);
|
|
||||||
|
|
||||||
Module32First(hSnap, &me);
|
|
||||||
do {
|
|
||||||
if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
} while (Module32Next(hSnap, &me));
|
|
||||||
CloseHandle(hSnap);
|
|
||||||
|
|
||||||
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, _CRT_STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
|
|
||||||
CloseHandle(hThread);
|
|
||||||
CloseHandle(hProcess);
|
|
||||||
return TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb) {
|
VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb) {
|
||||||
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
|
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
|
||||||
THREADENTRY32 te;
|
THREADENTRY32 te;
|
||||||
|
@@ -16,8 +16,6 @@ LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName);
|
|||||||
|
|
||||||
BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset);
|
BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset);
|
||||||
|
|
||||||
BOOL InjectLibrary(DWORD dwProcessId, LPCTSTR lpLibFileName, DWORD cb);
|
|
||||||
|
|
||||||
VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb);
|
VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb);
|
||||||
|
|
||||||
VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T dwSize);
|
VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T dwSize);
|
||||||
|