StartServiceW


#include 
#include 
#include 
#include 
#include 
#include 
#include "Hackshield.h"

// Function-pointer types mirroring the Win32 prototypes of the three APIs
// detoured in Hackshield_Thread. The o* globals below hold the trampolines
// to the original entry points so the hook functions can forward to them.
typedef HANDLE (WINAPI* CreateFileA_t)(LPCTSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile);
typedef BOOL (WINAPI* DeviceIoControl_t)(HANDLE hDevice,DWORD dwIoControlCode,LPVOID lpInBuffer,DWORD nInBufferSize,LPVOID lpOutBuffer,DWORD nOutBufferSize,LPDWORD lpBytesReturned,LPOVERLAPPED lpOverlapped);
typedef BOOL (WINAPI* StartServiceW_t)(SC_HANDLE hService, DWORD dwNumServiceArgs, LPCWSTR *lpServiceArgVectors);

// File-scope globals with external linkage (no `static`), so they are
// visible to every translation unit of the module.
HANDLE hEagle;                       // handle of the EagleNT device; only written in code that is currently commented out
SC_HANDLE scEagle;                   // not referenced anywhere in the visible source
CreateFileA_t oCreateFileA;          // original CreateFileA, assigned in Hackshield_Thread
DeviceIoControl_t oDeviceIoControl;  // original DeviceIoControl, assigned in Hackshield_Thread
StartServiceW_t oStartServiceW;      // original StartServiceW, assigned in Hackshield_Thread

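//==============================================================
// FindModule: look up a module of the current process by name
//==============================================================
// Walks the Toolhelp module list of the calling process. On a
// case-sensitive match of me32.szModule against ModuleName the matching
// entry is left in me32 and true is returned; otherwise false is returned
// (also when the snapshot could not be taken, in which case me32 is only
// partially written).
//
// The previous version re-tested the result of Module32First on every
// iteration instead of the result of Module32Next, so a module that was
// not loaded made the loop spin forever, and the snapshot handle was
// never closed (one handle leaked per call).
bool FindModule(char* ModuleName, MODULEENTRY32& me32)
{
 HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
 if(hModuleSnap == INVALID_HANDLE_VALUE)
  return false;

 // dwSize must be initialised before the first Module32* call, otherwise it fails.
 me32.dwSize = sizeof(MODULEENTRY32);

 bool found = false;
 for(BOOL more = Module32First(hModuleSnap, &me32); more != FALSE; more = Module32Next(hModuleSnap, &me32))
 {
  if(!strcmp(ModuleName, me32.szModule))
  {
   found = true;
   break;
  }
 }

 // Release the snapshot on every path; me32 keeps the last entry read.
 CloseHandle(hModuleSnap);
 return found;
}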

//==============================================================
// hooked StartServiceW
//==============================================================
// Detour target installed over advapi32!StartServiceW (see
// Hackshield_Thread). When the immediate caller's return address lies
// inside the EhSvc.dll image the call is refused with FALSE without
// reaching the original API; every other caller is forwarded unchanged.
//
// Review notes:
//  - MessageBox(0, "k", "k", 0) is a debugging leftover: it blocks the
//    calling thread on a modal dialog on every StartServiceW call.
//  - The (DWORD) casts truncate pointers to 32 bits, so the range test is
//    only meaningful in a 32-bit process.
//  - Detection: an inline detour on an advapi32 export is visible to an
//    integrity check that compares the export's prologue with the on-disk
//    image, and the per-call message box is itself a loud behavioural
//    signal.
BOOL WINAPI hStartServiceW(SC_HANDLE hService, DWORD dwNumServiceArgs, LPCWSTR *lpServiceArgVectors)
{
 MessageBox(0, "k", "k", 0); // debugging leftover, see note above

 MODULEENTRY32 me32;
 if(FindModule("EhSvc.dll", me32)) // fills me32 with the module entry on success
 {
  // _ReturnAddress() is the compiler intrinsic for the caller's return address.
  DWORD RetnAddr = (DWORD)_ReturnAddress();
  // Refuse the call when it originates from within the EhSvc.dll image
  // (strictly above the base, below base + size).
  if(RetnAddr > (DWORD)me32.modBaseAddr && RetnAddr < (DWORD)me32.modBaseAddr + me32.modBaseSize)
   return FALSE;
 }

 return oStartServiceW(hService, dwNumServiceArgs, lpServiceArgVectors);
}

//==============================================================
// hooked CreateFile
//==============================================================
// Detour target installed over kernel32!CreateFileA. At present this is a
// pure pass-through: every call is forwarded to the original entry point
// saved in oCreateFileA and its handle is returned untouched. An earlier
// revision captured the handle returned for the "\\\\.\\EagleNT" device
// open into the global hEagle so that hDeviceIoControl could recognise
// it; that branch is disabled and hEagle is never written here.
HANDLE WINAPI hCreateFileA(LPCTSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
{
 // Forward verbatim; no filtering of the file name is applied.
 HANDLE hResult = oCreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
 return hResult;
}

//==============================================================
// hooked DeviceIoControl
//==============================================================
// Detour target installed over kernel32!DeviceIoControl. Currently a pure
// pass-through to the original entry point saved in oDeviceIoControl; the
// result of the original call is returned unchanged. An earlier revision
// short-circuited requests on the hEagle handle with TRUE before they
// reached the driver; that branch is disabled.
BOOL WINAPI hDeviceIoControl(HANDLE hDevice,DWORD dwIoControlCode,LPVOID lpInBuffer,DWORD nInBufferSize,LPVOID lpOutBuffer,DWORD nOutBufferSize,LPDWORD lpBytesReturned,LPOVERLAPPED lpOverlapped)
{
 // Forward verbatim; no handle or control-code filtering is applied.
 BOOL bResult = oDeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);
 return bResult;
}

//==============================================================
// startup function for hackshield bypassing
//==============================================================
// Installs the three detours: DeviceIoControl and CreateFileA in
// KERNEL32.DLL, StartServiceW in AdvApi32.dll. Each SetupDetour call
// returns the trampoline to the original API, which is stored in the
// matching o* global so the hook functions can forward to it. CDetour and
// i368Jmp come from Hackshield.h; their semantics are not visible here.
//
// Review notes:
//  - The GetModuleHandle/GetProcAddress results are handed to SetupDetour
//    unchecked; a NULL lookup reaches the detour code unvalidated.
//  - The CDetour objects are automatic locals and are destroyed when this
//    function returns. NOTE(review): if CDetour's destructor restores the
//    original bytes, the hooks only last for the duration of this call —
//    confirm against Hackshield.h.
//  - The o* globals are written while other threads may already be
//    executing the patched entry points; no synchronisation is visible.
//  - Detection: in-process patches of exported function prologues
//    (presumably a JMP, given the name i368Jmp — confirm) are surfaced by
//    comparing the loaded image against the on-disk copy or by checking
//    for branch targets outside any mapped image.
void Hackshield_Thread()
{
 CDetour dtDeviceIoControl;
 oDeviceIoControl = (DeviceIoControl_t)dtDeviceIoControl.SetupDetour(i368Jmp, (void*)GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "DeviceIoControl"), &hDeviceIoControl);

 CDetour dtCreateFileA;
 oCreateFileA = (CreateFileA_t)dtCreateFileA.SetupDetour(i368Jmp, (void*)GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "CreateFileA"), &hCreateFileA);

 CDetour dtStartServiceW;
 oStartServiceW = (StartServiceW_t)dtStartServiceW.SetupDetour(i368Jmp, (void*)GetProcAddress(GetModuleHandle("AdvApi32.dll"), "StartServiceW"), &hStartServiceW);
}
