::InitializeCriticalSection(§ion);
HMODULE handle = LoadLibrary(TEXT("kernel32.dll"));
HMODULE handle2 = LoadLibrary(L"msvcr90.dll");
if (handle != NULL)
{
pGetQueueCompletionStatusType = (GetQueuedCompletionStatusType)GetProcAddress(handle, "GetQueuedCompletionStatus");
pCreateFile = (CreateFileFuncType)GetProcAddress(handle, "CreateFileW");
pCreateProcess = (CreateProcessType)GetProcAddress(handle, "CreateProcessA");
}
if (handle2 != NULL)
{
psprintf_s = (_vsprintf_s_lType)GetProcAddress(handle2, "_vsprintf_s_l");
pswprintf_s = (_vswprintf_s_lType)GetProcAddress(handle2, "_vswprintf_s_l");
}
pCreateFile = (CreateFileFuncType)DetourFunction((PBYTE)pCreateFile, (PBYTE)HookCreateFile);
pCreateProcess = (CreateProcessType)DetourFunction((PBYTE)pCreateProcess, (PBYTE)HookCreateProcess);
psprintf_s = (_vsprintf_s_lType)DetourFunction((PBYTE)psprintf_s, (PBYTE)Hook_vsprintf_s_l);
pswprintf_s = (_vswprintf_s_lType)DetourFunction((PBYTE)pswprintf_s, (PBYTE)Hook_vswprintf_s_l);
handle = LoadLibrary(TEXT("kernel32.dll"));
HMODULE handle3 = LoadLibrary(L"ws2_32.dll");
if (handle3 != NULL)
{
pRecvFunc = (WSARecvType)GetProcAddress(handle3, "WSARecv");
}
pRecvFunc = (WSARecvType)DetourFunction((PBYTE)pRecvFunc, (PBYTE)HookWSARecv);
pGetQueueCompletionStatusType = (GetQueuedCompletionStatusType)DetourFunction((PBYTE)pGetQueueCompletionStatusType, (PBYTE)HookGetQueuedCompletionStatusType);
FreeLibrary(handle);
FreeLibrary(handle2);
FreeLibrary(handle3);
//#pragma comment(lib, "atlsd.lib")
#define BUFFERSIZE 512
void TracePacket(char *src, size_t size)
{
ATLTRACE("sh recv len:%02X %d", size, size);
for (int i = 0; i < size; i += 16)
{
char text[BUFFERSIZE] = { 0 };
sprintf_s(text, "sh %04X", i);
size_t lineSize = size - i;
lineSize = lineSize > 16 ? 16 : lineSize;
for (int j = 0; j < lineSize; j++)
{
sprintf_s(text, j % 4 == 0 ? "%s %02X" : "%s %02X", text, (BYTE)src[i + j]);
}
for (int j = lineSize; j < 16; j++)
{
sprintf_s(text, j % 4 == 0 ? "%s " : "%s ", text);
}
sprintf_s(text, "%s%c" , text, '\t');
for (int j = 0; j < lineSize; j++)
{
BYTE c = src[i + j];
sprintf_s(text, "%s%c", text, isprint(c) ? c : '.');
}
OutputDebugStringA(text);
}
ATLTRACE("-------------------------------------------------------");
}
typedef HANDLE (WINAPI *CreateFileFuncType)(
LPCTSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);
typedef BOOL (WINAPI *CreateProcessType)(
__in_opt LPCSTR lpApplicationName,
__inout_opt LPSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCSTR lpCurrentDirectory,
__in LPSTARTUPINFOA lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation
);
typedef int (__cdecl *_vsprintf_s_lType)(
char *string, size_t sizeInBytes, const char *format, _locale_t plocinfo, va_list ap );
typedef int (__cdecl *_vswprintf_s_lType)(
wchar_t *string, size_t sizeInWords, const wchar_t *format, _locale_t plocinfo, va_list ap );
typedef int (WSAAPI *WSARecvType)(
SOCKET s,
LPWSABUF lpBuffers,
DWORD dwBufferCount,
LPDWORD lpNumberOfBytesRecvd,
LPDWORD lpFlags,
LPWSAOVERLAPPED lpOverlapped,
LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
typedef BOOL (WINAPI *GetQueuedCompletionStatusType)(
HANDLE CompletionPort,
LPDWORD lpNumberOfBytes,
PULONG_PTR lpCompletionKey,
LPOVERLAPPED* lpOverlapped,
DWORD dwMilliseconds
);
CreateFileFuncType pCreateFile = NULL;
CreateProcessType pCreateProcess = NULL;
_vsprintf_s_lType psprintf_s = NULL;
_vswprintf_s_lType pswprintf_s = NULL;
WSARecvType pRecvFunc = NULL;
GetQueuedCompletionStatusType pGetQueueCompletionStatusType = NULL;
BOOL WINAPI HookCreateProcess(
__in_opt LPCSTR lpApplicationName,
__inout_opt LPSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCSTR lpCurrentDirectory,
__in LPSTARTUPINFOA lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation
)
{
TRACE("HookCreateProcess %s", lpApplicationName);
BOOL ret = pCreateProcess(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
AfxMessageBox(L"attach Create process");
DetourRemove((PBYTE)pCreateProcess, (PBYTE)HookCreateProcess);
return ret;
}
HANDLE WINAPI HookCreateFile( LPCTSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile)
{
TRACE(L"HookCreateFile %s", lpFileName);
std::wstring strLPFileName = lpFileName;
strLPFileName = strLPFileName.substr(strLPFileName.rfind(L".")+1, strLPFileName.length());
if (strLPFileName == L"tor")
{
AfxMessageBox(L"attach CreateFile");
DetourRemove((PBYTE)pCreateFile, (PBYTE)HookCreateFile);
}
HANDLE ret = pCreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
return ret;
}
int __cdecl Hook_vsprintf_s_l(
char *string,
size_t sizeInBytes,
const char *format,
_locale_t plocinfo,
va_list ap)
{
int ret = _vsprintf_s_l(string, sizeInBytes, format, plocinfo, ap);
if (std::string(string).find("OSUpdate") == std::string::npos)
{
TRACE("fomat:%s output:%s", format, string);
}
return ret;
}
int __cdecl Hook_vswprintf_s_l(wchar_t *string,
size_t sizeInWords,
const wchar_t *format,
_locale_t plocinfo,
va_list ap)
{
int ret = _vswprintf_s_l(string, sizeInWords, format, plocinfo, ap);
TRACE(L"wfomat:%s woutput:%s", format, string);
return ret;
}
std::set<DWORD> gOverLappedAddr;
BYTE cmpBuffer[0x10];
CRITICAL_SECTION section;
int WSAAPI HookWSARecv(
SOCKET s,
LPWSABUF lpBuffers,
DWORD dwBufferCount,
LPDWORD lpNumberOfBytesRecvd,
LPDWORD lpFlags,
LPWSAOVERLAPPED lpOverlapped,
LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
)
{
//TRACE(__FUNCTION__);
bool ret = pRecvFunc(s, lpBuffers, dwBufferCount, lpNumberOfBytesRecvd, lpFlags, lpOverlapped, lpCompletionRoutine);
DWORD bytes = *lpNumberOfBytesRecvd;
::EnterCriticalSection(§ion);
if (lpOverlapped != NULL)
{
gOverLappedAddr.insert((DWORD)lpOverlapped);
}
if (bytes != 0)
{
BYTE *pBuffer = (BYTE*)(*(DWORD*)((BYTE*)lpBuffers+0x4));
memcpy_s(cmpBuffer, 0x10, pBuffer, 0x10);
}
::LeaveCriticalSection(§ion);
return ret;
}
BOOL WINAPI HookGetQueuedCompletionStatusType(
HANDLE CompletionPort,
LPDWORD lpNumberOfBytes,
PULONG_PTR lpCompletionKey,
LPOVERLAPPED* lpOverlapped,
DWORD dwMilliseconds
)
{
bool ret = pGetQueueCompletionStatusType(CompletionPort, lpNumberOfBytes, lpCompletionKey, lpOverlapped, dwMilliseconds);
DWORD bytes = *lpNumberOfBytes;
if (bytes > 0)
{
DWORD overLappedAddr = *(DWORD*)lpOverlapped;
::EnterCriticalSection(§ion);
if (gOverLappedAddr.find(overLappedAddr)!= gOverLappedAddr.end() && overLappedAddr != NULL)
{
BYTE *pBuffer = (BYTE*)(*(DWORD*)((BYTE*)overLappedAddr+0x2C));
}
::LeaveCriticalSection(§ion);
}
return ret;
}
DWORD Real_Func = NULL;
std::map<DWORD, DWORD> sets;
void TracePacket(char *src, size_t size)
{
TRACE("sh recv len:%02X %d", size, size);
if (sets.find(size) != sets.end())
{
sets[size]++;
}
TRACE(L"waring first %d", sets[size]);
for (int i = 0; i < size; i += 16)
{
CString text = TEXT("");
text.Format(TEXT("sh %04X"), i);
size_t lineSize = size - i;
lineSize = lineSize > 16 ? 16 : lineSize;
for (int j = 0; j < lineSize; j ++)
{
text.Format(j % 4 == 0 ? TEXT("%s %02X") : TEXT("%s %02X"), text, (BYTE)src[i + j]);
}
for (int j = lineSize; j < 16; j ++)
{
text.Format(j % 4 == 0 ? TEXT("%s ") : TEXT("%s "), text);
}
text.Format(TEXT("%s%c"), text, '\t');
for (int j = 0; j < lineSize; j ++)
{
BYTE c = src[i + j];
text.Format(TEXT("%s%c"), text, isprint(c) ? c : '.');
}
OutputDebugString(text);
}
ATLTRACE("-------------------------------------------------------");
}
276
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
