-------HEADER FILE-------
#ifndef _INCLUDE_HACKER_DLL_HADER_FILE
#define _INCLUDE_HACKER_DLL_HADER_FILE
#include <windows.h>
#include <shlwapi.h>
#define WM_THREADFINISH WM_USER+1000
typedef struct t_PDB
{
WORD Type;
WORD Refcount;
DWORD Unk0;
DWORD Unk1;
DWORD Unk2;
DWORD TermStatus;
DWORD Unk3;
DWORD DefaultHeap;
DWORD MemContext;
DWORD Flags;
DWORD pPsp;
WORD PSPSelector;
WORD MTEIndex;
WORD nThreads;
WORD nThreadsNotTerm;
WORD Unk5;
WORD nR0Threads;
DWORD HeapHandle;
WORD K16TDBSel;
WORD Unk6;
DWORD Unk7;
DWORD pEDB;
DWORD pHandleTable;
struct t_PDB *ParentPDB;
DWORD MODREFList;
DWORD ThreadList;
DWORD DebugeeCB;
DWORD LHFreeHead;
DWORD InitialR0ID;
}PDB,* PPDB;
typedef struct t_TCB
{
WORD Type;
WORD RefCount;
DWORD Unk1;
DWORD pvExcept;
DWORD TopOfStack;
DWORD BaseOfStack;
WORD K16TDB;
WORD StackSel16;
DWORD Unk2;
DWORD UserPointer;
DWORD pTIB;
WORD TIBflags;
WORD Win16MutxCnt;
DWORD DebugContext;
DWORD PtrToCurPri;
DWORD MsgQueue;
DWORD pTLSarray;
PPDB pParentPDB;
DWORD SelmanList;
DWORD Unk3;
DWORD Flags;
DWORD Status;
WORD TIBsel;
WORD EmulatorSel;
DWORD HandleCount;
DWORD WaitNodeList;
DWORD R0hThread;
DWORD ptdbx;
}TCB,* PTCB;
typedef HINSTANCE (WINAPI * LOADLIBRARY)(LPCTSTR);
typedef BOOL (WINAPI * POSTTHREADMESSAGE)(DWORD idThread,UINT Msg,WPARAM wParam,LPARAM lParam);
typedef DWORD (WINAPI* OTFUNC)(HANDLE *,DWORD,void *,void *);
typedef LPVOID (WINAPI * OBFUNC)(DWORD dwPTID);
LPVOID WINAPI GetTrueProcAddress(LPSTR lpMod,LPTSTR lpFunc);
HANDLE WINAPI OpenThreadNT(DWORD dwThreadID,BOOL bInherit);
class hackerdll
{
public:
hackerdll(char *,char *);
protected:
~hackerdll();
public:
void AddToThread(void);
protected:
LPVOID XORProcessThreadID(DWORD dwPTID);
HANDLE OpenThread2(DWORD dwThreadID,BOOL bInherit);
HANDLE OpenThreadNT(DWORD dwThreadID,BOOL bInherit);
LPVOID GetTrueProcAddress(LPSTR lpMod,LPTSTR lpFunc);
DWORD GetProcessID(LPCTSTR lpszProcessName);
DWORD GetThreadID(DWORD dwOwnerPID);
protected:
bool initok;
char hackerdllfile_[MAX_PATH];
LPVOID m_lpCodeBase,m_lpDataBase;
CONTEXT m_OldThreadContext;
HANDLE m_hInjectThread;
HANDLE hdlthd_;
DWORD idthd_;
DWORD owneridproc,owneridthd;
DWORD len_;
};
#endif
-------HEADER FILE-------
------CPP FILE-------
#include "hackerdll.h"
static HANDLE hdlthd__;
static CONTEXT cnt__;
#pragma check_stack(off)
static void hackerdllentry(void)
{
((LOADLIBRARY) 0x11111111)((char *) 0x22222222);
((POSTTHREADMESSAGE) 0x33333333)((DWORD) 0x44444444,WM_THREADFINISH,NULL,NULL);
while(true)
{
}
}
static DWORD FinishCallBack(LPVOID lpParam)
{
MSG msg_;
while(memset(& msg_,NULL,sizeof(MSG)),PeekMessage(& msg_,NULL,NULL,NULL,PM_REMOVE),msg_.message!=WM_QUIT)
{
if(msg_.message==WM_THREADFINISH)
{
SuspendThread(hdlthd__);
cnt__.ContextFlags=CONTEXT_FULL;
SetThreadContext(hdlthd__,& cnt__);
ResumeThread(hdlthd__);
break;
}
}
return true;
}
#pragma check_stack(on)
hackerdll::hackerdll(char * hackerdll_,char * owner_)
{
HINSTANCE hinstKernel,hinstUser;
LOADLIBRARY fnLoadLibrary;
POSTTHREADMESSAGE fnPostThreadMessage;
bool rt1_,rt2_,rt3_,rt4_;
this->initok=false;
this->idthd_=NULL;
this->hdlthd_=NULL;
this->m_lpCodeBase=NULL;
this->m_lpDataBase=NULL;
this->len_=1024;
memset(this->hackerdllfile_,NULL,MAX_PATH);
strcpy(this->hackerdllfile_,hackerdll_);
this->owneridproc=GetProcessID(owner_);
this->owneridthd=GetThreadID(this->owneridproc);
this->m_lpCodeBase=GlobalAlloc(GMEM_FIXED | GMEM_SHARE | GMEM_ZEROINIT,this->len_);
this->m_lpDataBase=GlobalAlloc(GMEM_FIXED | GMEM_SHARE | GMEM_ZEROINIT,this->len_);
if(this->m_lpCodeBase==NULL || this->m_lpDataBase==NULL)
{
return;
}
memcpy((BYTE *) this->m_lpCodeBase,(BYTE *) hackerdllentry,this->len_);
memcpy((BYTE *) this->m_lpDataBase,(BYTE *) this->hackerdllfile_,this->len_);
hinstKernel=GetModuleHandle("Kernel32.dll");
hinstUser=GetModuleHandle("User32.dll");
fnLoadLibrary=(LOADLIBRARY) GetProcAddress(hinstKernel,"LoadLibraryA");
fnPostThreadMessage=(POSTTHREADMESSAGE) GetProcAddress(hinstUser,"PostThreadMessageA");
if(fnLoadLibrary==NULL || fnPostThreadMessage==NULL)
{
return;
}
this->hdlthd_=CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE) FinishCallBack,NULL,NULL,& this->idthd_);
if(this->hdlthd_==NULL)
{
return;
}
rt1_=false;
rt2_=false;
rt3_=false;
rt4_=false;
for(DWORD i=0;i<this->len_;i++)
{
DWORD * dwPtr=(DWORD *) (((BYTE *) this->m_lpCodeBase)+i);
switch(* dwPtr)
{
case 0x11111111:
rt1_=true;
* dwPtr=(DWORD) fnLoadLibrary;
break;
case 0x22222222:
rt2_=true;
* dwPtr=(DWORD) m_lpDataBase;
break;
case 0x33333333:
rt3_=true;
* dwPtr=(DWORD) fnPostThreadMessage;
break;
case 0x44444444:
rt4_=true;
* dwPtr=(DWORD) this->idthd_;
break;
}
if(rt1_ && rt2_ && rt3_ && rt4_)
{
break;
}
}
this->initok=(rt1_ && rt2_ && rt3_ && rt4_);
}
hackerdll::~hackerdll()
{
Sleep(3000);
GlobalFree(this->m_lpCodeBase);
GlobalFree(this->m_lpDataBase);
TerminateThread(this->hdlthd_,true);
Sleep(3000);
}
LPVOID hackerdll::XORProcessThreadID(DWORD dwPTID)
{
OBFUNC obfuscate;
DWORD dwMain,* lpdw,dw1;
dwMain=(DWORD) GetTrueProcAddress("Kernel32.dll","GetCurrentThreadId");
lpdw=(LPDWORD)((DWORD) dwMain+8);
dw1=((DWORD) dwMain+12);
obfuscate=(OBFUNC) (dw1+*lpdw);
return(obfuscate(dwPTID));
}
HANDLE hackerdll::OpenThread2(DWORD dwThreadID,BOOL bInherit)
{
HANDLE hThread,hprc;
LPDWORD lp1;
DWORD dwProcessID,dwWhere,dwTable;
BOOL b1;
PTCB lpThreadObj;
PPDB ppdb;
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
GetVersionEx(& osvi);
SetLastError(50);
if(osvi.dwPlatformId==VER_PLATFORM_WIN32_NT)
{
return OpenThreadNT(dwThreadID, bInherit);
}
ppdb=(PPDB) XORProcessThreadID(GetCurrentProcessId());
lpThreadObj=(PTCB) XORProcessThreadID(dwThreadID);
/* check to make sure its valid */
if(IsBadReadPtr(lpThreadObj,sizeof(TCB)))
{
return NULL;
}
/* object type */
if(* (LPBYTE) lpThreadObj!=7)
{
return NULL;
}
dwProcessID =(DWORD) XORProcessThreadID((DWORD)lpThreadObj->pParentPDB);
if(dwProcessID==GetCurrentProcessId())
{
hprc = GetCurrentProcess();
}
else
{
hprc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID);
if(!hprc)
{
return NULL;
}
}
/*
* 4 is the lowest handle in the table.
* All processes have this handle.
*/
b1 = DuplicateHandle(hprc,(HANDLE) 4,GetCurrentProcess(),& hThread,THREAD_ALL_ACCESS,bInherit,NULL);
if(hprc!=GetCurrentProcess())
{
CloseHandle(hprc);
}
if(!b1)
{
return NULL;
}
dwWhere=((DWORD) hThread)>>2;
dwTable=ppdb->pHandleTable;
lp1=(LPDWORD) (dwTable+(dwWhere*8)+8);
* lp1=(DWORD) lpThreadObj;
return(hThread);
}
HANDLE hackerdll::OpenThreadNT(DWORD dwThreadID,BOOL bInherit)
{
HANDLE hThread = NULL;
DWORD struct1[] = {0x18, 0, 0, 0, 0, 0};
DWORD struct2[] = {0,dwThreadID};
HMODULE hLib = LoadLibrary("ntdll.dll");
OTFUNC OpenThatNTThread=(OTFUNC) GetProcAddress(hLib,"NtOpenThread");
struct1[3]=bInherit;
OpenThatNTThread(& hThread,THREAD_ALL_ACCESS,struct1,struct2);
FreeLibrary(hLib);
return hThread;
}
LPVOID hackerdll::GetTrueProcAddress(LPSTR lpMod,LPTSTR lpFunc)
{
LPVOID bla;
bla=GetProcAddress(GetModuleHandle(lpMod),lpFunc);
if(!bla)
{
return NULL;
}
if(* (LPBYTE) bla==0x68)
{
bla=(LPVOID) * (LPDWORD) ((DWORD)bla+1);
}
return bla;
}
void hackerdll::AddToThread(void)
{
if(!this->initok)
{
MessageBox(NULL,"init fail","fail",MB_OK);
return;
}
this->m_hInjectThread=this->OpenThread2(this->owneridthd,FALSE);
if(this->m_hInjectThread && this->m_lpCodeBase && this->m_lpDataBase)
{
SuspendThread(this->m_hInjectThread);
CONTEXT ThreadContext;
ThreadContext.ContextFlags=CONTEXT_FULL;
if(GetThreadContext(this->m_hInjectThread,& ThreadContext))
{
this->m_OldThreadContext=ThreadContext;
ThreadContext.Eip=(DWORD) this->m_lpCodeBase;
ThreadContext.ContextFlags=CONTEXT_FULL;
SetThreadContext(this->m_hInjectThread,& ThreadContext);
}
hdlthd__=this->m_hInjectThread;
cnt__=this->m_OldThreadContext;
ResumeThread(this->m_hInjectThread);
PostThreadMessage(this->owneridthd,WM_NULL,NULL,NULL);
}
}
DWORD hackerdll::GetProcessID(LPCTSTR lpszProcessName)
{
DWORD dwRet=NULL;
char * strExePath=NULL;
char * rt_=NULL;
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
if(hSnapshot!=INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 ProcessEntry;
ZeroMemory(& ProcessEntry,sizeof(PROCESSENTRY32));
ProcessEntry.dwSize=sizeof(PROCESSENTRY32);
BOOL bFlag=Process32First(hSnapshot,&ProcessEntry);
while(bFlag)
{
strExePath=strdup(ProcessEntry.szExeFile);
CharUpperBuff(strExePath,strlen(strExePath));
rt_=strstr(strExePath,lpszProcessName);
if(free(strExePath),rt_!=NULL)
{
dwRet=ProcessEntry.th32ProcessID;
break;
}
ProcessEntry.dwSize=sizeof(PROCESSENTRY32);
bFlag=Process32Next(hSnapshot,& ProcessEntry);
}
CloseHandle(hSnapshot);
}
return dwRet;
}
DWORD hackerdll::GetThreadID(DWORD dwOwnerPID)
{
DWORD dwRet=NULL;
HANDLE hThreadSnap=NULL;
THREADENTRY32 te32;
memset(& te32,NULL,sizeof(THREADENTRY32));
hThreadSnap=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,NULL);
if(hThreadSnap!=INVALID_HANDLE_VALUE)
{
te32.dwSize=sizeof(THREADENTRY32);
if(Thread32First(hThreadSnap,& te32))
{
do
{
if(te32.th32OwnerProcessID==dwOwnerPID)
{
dwRet=te32.th32ThreadID;
break;
}
}
while(Thread32Next(hThreadSnap, & te32));
}
CloseHandle(hThreadSnap);
}
return dwRet;
}
------CPP FILE-------
|