ring3下的沙盘源代码资源-CSDN文库

共250个文件

h：119个

cpp：116个

sln：3个

Ring3

3星 · 超过75%的资源需积分: 50 70 浏览量 2011-03-28 20:41:03 上传评论收藏 300KB RAR 举报

资源推荐

资源详情

资源评论

收起资源包目录

ring3下的沙盘源代码（250个子文件）

HookHelp.cpp 27KB

HookHelp_File.cpp 27KB

Initalization.cpp 19KB

Dispatch_NTDLL.cpp 13KB

BeginSandBox.cpp 13KB

Dispatch_NTDLL_NtCreateFile.cpp 12KB

Install.cpp 11KB

Initalization.cpp 11KB

CloneAPI_KERNEL32.cpp 10KB

RemoteInjection.cpp 9KB

IATModifier.cpp 9KB

StopSandBox.cpp 9KB

Dispatch_NTDLL_NtSetInformationFile.cpp 8KB

DispatchRoutine.cpp 8KB

Dispatch_NTDLL_NtQueryDirectoryFile.cpp 8KB

IATProcess.cpp 7KB

Dispatch_NTDLL_NtSystemDebugControl.cpp 7KB

Dispatch_NTDLL_NtOpenFile.cpp 6KB

VerifyFiles.cpp 6KB

InlineHook.cpp 5KB

Dispatch_NTDLL_NtWriteFile.cpp 5KB

Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp 5KB

Dispatch_USER32_CreateWindowEx.cpp 5KB

Main.cpp 4KB

HookHelp_Reg.cpp 4KB

Dispatch_NTDLL_NtCreateKey.cpp 4KB

Dispatch_NTDLL_NtReadFile.cpp 4KB

Dispatch_USER32_SendMessage.cpp 4KB

Dispatch_NTDLL_NtResumeThread.cpp 3KB

Dispatch_NTDLL_NtQueryValueKey.cpp 3KB

Dispatch_NTDLL_NtQuerySystemInformation.cpp 3KB

Dispatch_NTDLL_NtOpenThread.cpp 3KB

Dispatch_ADVAPI32.cpp 3KB

Dispatch_USER32.cpp 3KB

Dispatch_NTDLL_NtCreateSemaphore.cpp 3KB

Dispatch_NTDLL_NtSetValueKey.cpp 3KB

Dispatch_ADVAPI32_CreateService.cpp 3KB

Dispatch_NTDLL_NtQueryFullAttributesFile.cpp 3KB

Dispatch_USER32_SetWindowText.cpp 3KB

Dispatch_NTDLL_NtQueryAttributesFile.cpp 3KB

Dispatch_NTDLL_NtCreateMutant.cpp 3KB

GetProcAddressEx.cpp 3KB

Dispatch_KERNEL32_CreateProcessInternal.cpp 3KB

Initalization.cpp 3KB

Dispatch_NTDLL_NtQueryObject.cpp 3KB

Dispatch_ADVAPI32_ChangeServiceConfig.cpp 3KB

Dispatch_NTDLL_NtOpenSemaphore.cpp 3KB

Dispatch_NTDLL_NtOpenMutant.cpp 3KB

BeginLauncher.cpp 2KB

Remove.cpp 2KB

Dispatch_NTDLL_NtCreateThread.cpp 2KB

Privilege.cpp 2KB

Dispatch_NTDLL_NtNotifyChangeMultipleKeys.cpp 2KB

Dispatch_NTDLL_NtQueryInformationFile.cpp 2KB

Dispatch_NTDLL_NtNotifyChangeKey.cpp 2KB

Privilege.cpp 2KB

Dispatch_NTDLL_NtConnectPort.cpp 2KB

Dispatch_NTDLL_NtOpenProcess.cpp 2KB

Dispatch_NTDLL_NtFsControlFile.cpp 2KB

Dispatch_NTDLL_NtCreateProcessEx.cpp 2KB

CloneAPI_ADVAPI32.cpp 2KB

Dispatch_NTDLL_NtCreateSection.cpp 2KB

Dispatch_NTDLL_NtSecureConnectPort.cpp 2KB

Dispatch_NTDLL_NtQueryInformationThread.cpp 2KB

Dispatch_USER32_PostMessage.cpp 2KB

Dispatch_NTDLL_NtQueryMultipleValueKey.cpp 2KB

Dispatch_NTDLL_NtQueryInformationProcess.cpp 2KB

Dispatch_NTDLL_NtCreateProcess.cpp 2KB

Dispatch_NTDLL_NtAllocateVirtualMemory.cpp 2KB

Dispatch_NTDLL_NtProtectVirtualMemory.cpp 2KB

DisplayTools.cpp 2KB

BeginDispatch.cpp 2KB

Main.cpp 2KB

Dispatch_NTDLL_NtSetSystemInformation.cpp 2KB

Dispatch_NTDLL_NtEnumerateValueKey.cpp 2KB

Dispatch_NTDLL_NtWriteVirtualMemory.cpp 2KB

Dispatch_NTDLL_NtSetInformationToken.cpp 2KB

Dispatch_NTDLL_NtOpenSection.cpp 2KB

Dispatch_NTDLL_NtCreatePort.cpp 2KB

Dispatch_ADVAPI32_StartService.cpp 2KB

Dispatch_NTDLL_NtCreateEvent.cpp 2KB

Dispatch_NTDLL_NtEnumerateKey.cpp 2KB

Dispatch_ADVAPI32_ChangeServiceConfig2.cpp 1KB

NativeAPI_NTDLL.cpp 1KB

Dispatch_NTDLL_NtSetSecurityObject.cpp 1KB

Dispatch_NTDLL_NtQueryKey.cpp 1KB

BeginHookPort.cpp 1KB

Dispatch_NTDLL_NtOpenEvent.cpp 1KB

Dispatch_NTDLL_NtOpenKey.cpp 1KB

Dispatch_NTDLL_LdrLoadDll.cpp 1KB

Dispatch_NTDLL_NtGetContextThread.cpp 1KB

CloneAPI_FLTLIB.cpp 1KB

Dispatch_NTDLL_NtDeleteValueKey.cpp 1KB

Dispatch_USER32_SetWindowsHookEx.cpp 1KB

Dispatch_NTDLL_NtSaveKey.cpp 1KB

Dispatch_NTDLL_NtRenameKey.cpp 1KB

Dispatch_NTDLL_NtDeleteFile.cpp 1KB

Dispatch_NTDLL_NtLoadDriver.cpp 1KB

Dispatch_USER32_SetWindowLong.cpp 1008B

共 250 条

#include <windows.h> #include <ntsecapi.h> #include <tlhelp32.h> #include <psapi.h> #include <shlobj.h> #pragma comment(lib,"psapi.lib") #include <shlwapi.h> #pragma comment(lib,"shlwapi.lib") #include "./HookHelp.h" #include "../Common/DebugLog.h" #include "./Main.h" #include "./BeginDispatch.h" #include "../Config/Config.h" #include "./Dispatch_NTDLL_NtQueryObject.h" #include "./NativeAPI_NTDLL.h" #include "./CloneAPI_KERNEL32.h" #include "./CloneAPI_FLTLIB.h" // //Global // //PatchedProcessTable DWORD g_dwPatchedProcessId[CONF_HookPort_MaxProcessCount]; //Current module DWORD g_dwCurrentModule_ImageBase = 0; DWORD g_dwCurrentModule_ImageHigh = 0; //kernel32.dll DWORD g_dwCloneAPIModule_KERNEL32_ImageBase = 0; DWORD g_dwCloneAPIModule_KERNEL32_ImageHigh = 0; //fltlib.dll DWORD g_dwCloneAPIModule_FLTLIB_ImageBase = 0; DWORD g_dwCloneAPIModule_FLTLIB_ImageHigh = 0; //shell32.dll DWORD g_dwCloneAPIModule_SHELL32_ImageBase = 0; DWORD g_dwCloneAPIModule_SHELL32_ImageHigh = 0; //advapi32.dll DWORD g_dwCloneAPIModule_ADVAPI32_ImageBase = 0; DWORD g_dwCloneAPIModule_ADVAPI32_ImageHigh = 0; // //HookHelp Functions // int GetCurrentModuleInfo( IN HMODULE hModule ) { //Return Value: //-1 = error //0 = succeed int iRet = -1; // //Calculate Base Address & Size of Image // if( hModule ) { MODULEINFO ModInfo = {0}; if( GetModuleInformation(GetCurrentProcess(),hModule,&ModInfo,sizeof(ModInfo)) == TRUE ) { //Base Address g_dwCurrentModule_ImageBase = (DWORD)ModInfo.lpBaseOfDll; //Size of image g_dwCurrentModule_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage; if( g_dwCurrentModule_ImageBase > 0 && g_dwCurrentModule_ImageHigh > 0 ) { iRet = 0; #ifdef Dbg WCHAR szDebugString[256] = {0}; wsprintf(szDebugString,L"CurrentModuleImageBase = [0x%08X] CurrentModuleImageHigh = [0x%08X]",g_dwCurrentModule_ImageBase,g_dwCurrentModule_ImageHigh); DebugLog(DbgInfo,szDebugString); #endif } } } return iRet; } int GetCloenAPIModuleInfo(void) { //Return Value: //-1 = error //0 = succeed int iRet = 0; // //Calculate Base Address & Size of Image // //kernel32.dll g_hCloneKERNEL32 = LoadLibrary( g_szCloneKERNEL32 ); if( g_hCloneKERNEL32 ) { MODULEINFO ModInfo = {0}; if( GetModuleInformation(GetCurrentProcess(),g_hCloneKERNEL32,&ModInfo,sizeof(ModInfo)) == TRUE ) { //Base Address g_dwCloneAPIModule_KERNEL32_ImageBase = (DWORD)ModInfo.lpBaseOfDll; //Size of image g_dwCloneAPIModule_KERNEL32_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage; if( g_dwCloneAPIModule_KERNEL32_ImageBase > 0 && g_dwCloneAPIModule_KERNEL32_ImageHigh > 0 ) { iRet = 0; #ifdef Dbg WCHAR szDebugString[256] = {0}; wsprintf( szDebugString, L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]", g_dwCloneAPIModule_KERNEL32_ImageBase, g_dwCloneAPIModule_KERNEL32_ImageHigh ); DebugLog(DbgInfo,szDebugString); #endif } } } //fltlib.dll g_hCloneFLTLIB = LoadLibrary( g_szCloneFLTLIB ); if( g_hCloneFLTLIB ) { MODULEINFO ModInfo = {0}; if( GetModuleInformation(GetCurrentProcess(),g_hCloneFLTLIB,&ModInfo,sizeof(ModInfo)) == TRUE ) { //Base Address g_dwCloneAPIModule_FLTLIB_ImageBase = (DWORD)ModInfo.lpBaseOfDll; //Size of image g_dwCloneAPIModule_FLTLIB_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage; if( g_dwCloneAPIModule_FLTLIB_ImageBase > 0 && g_dwCloneAPIModule_FLTLIB_ImageHigh > 0 ) { iRet = 0; #ifdef Dbg WCHAR szDebugString[256] = {0}; wsprintf( szDebugString, L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]", g_dwCloneAPIModule_FLTLIB_ImageBase, g_dwCloneAPIModule_FLTLIB_ImageHigh ); DebugLog(DbgInfo,szDebugString); #endif } } } //shell32.dll g_hCloneSHELL32 = LoadLibrary( g_szCloneSHELL32 ); if( g_hCloneSHELL32 ) { MODULEINFO ModInfo = {0}; if( GetModuleInformation(GetCurrentProcess(),g_hCloneSHELL32,&ModInfo,sizeof(ModInfo)) == TRUE ) { //Base Address g_dwCloneAPIModule_SHELL32_ImageBase = (DWORD)ModInfo.lpBaseOfDll; //Size of image g_dwCloneAPIModule_SHELL32_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage; if( g_dwCloneAPIModule_SHELL32_ImageBase > 0 && g_dwCloneAPIModule_SHELL32_ImageHigh > 0 ) { iRet = 0; #ifdef Dbg WCHAR szDebugString[256] = {0}; wsprintf( szDebugString, L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]", g_dwCloneAPIModule_SHELL32_ImageBase, g_dwCloneAPIModule_SHELL32_ImageHigh ); DebugLog(DbgInfo,szDebugString); #endif } } } //advapi32.dll g_hCloneADVAPI32 = LoadLibrary( g_szCloneADVAPI32 ); if( g_hCloneADVAPI32 ) { MODULEINFO ModInfo = {0}; if( GetModuleInformation(GetCurrentProcess(),g_hCloneADVAPI32,&ModInfo,sizeof(ModInfo)) == TRUE ) { //Base Address g_dwCloneAPIModule_ADVAPI32_ImageBase = (DWORD)ModInfo.lpBaseOfDll; //Size of image g_dwCloneAPIModule_ADVAPI32_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage; if( g_dwCloneAPIModule_ADVAPI32_ImageBase > 0 && g_dwCloneAPIModule_ADVAPI32_ImageHigh > 0 ) { iRet = 0; #ifdef Dbg WCHAR szDebugString[256] = {0}; wsprintf( szDebugString, L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]", g_dwCloneAPIModule_ADVAPI32_ImageBase, g_dwCloneAPIModule_ADVAPI32_ImageHigh ); DebugLog(DbgInfo,szDebugString); #endif } } } return iRet; } BOOL IsBypassCaller( IN DWORD lpdwReturnAddress ) { //Return Value: //TRUE = bypass //FALSE = not bypass // //Check Return Address // //Current module if( lpdwReturnAddress >= g_dwCurrentModule_ImageBase && lpdwReturnAddress <= g_dwCurrentModule_ImageHigh ) { return TRUE; } //kernel32.dll if( lpdwReturnAddress >= g_dwCloneAPIModule_KERNEL32_ImageBase && lpdwReturnAddress <= g_dwCloneAPIModule_KERNEL32_ImageHigh ) { return TRUE; } //fltlib.dll if( lpdwReturnAddress >= g_dwCloneAPIModule_FLTLIB_ImageBase && lpdwReturnAddress <= g_dwCloneAPIModule_FLTLIB_ImageHigh ) { return TRUE; } //shell32.dll if( lpdwReturnAddress >= g_dwCloneAPIModule_SHELL32_ImageBase && lpdwReturnAddress <= g_dwCloneAPIModule_SHELL32_ImageHigh ) { return TRUE; } //advapi.dll if( lpdwReturnAddress >= g_dwCloneAPIModule_ADVAPI32_ImageBase && lpdwReturnAddress <= g_dwCloneAPIModule_ADVAPI32_ImageHigh ) { return TRUE; } return FALSE; } BOOL IsProcessPatched( IN DWORD dwProcessId ,IN BOOL bQueryInCached ) { //Return Value: //TRUE = Patched //FALSE = not Patched BOOL bRet = FALSE; // //Query in cached of [Patched Process Table] // if( bQueryInCached == TRUE ) { for(int i=0;i<CONF_HookPort_MaxProcessCount;i++) { if( g_dwPatchedProcessId[i] == 0 ) { break; } if( g_dwPatchedProcessId[i] == dwProcessId ) { bRet = TRUE; break; } } return bRet; } // //Query subkey [HKEY_USERS\SandBox_XXX\SYNC\PROC\(PID)] // HKEY hkSandBox = NULL; WCHAR szSubKeyName[256] = {NULL}; wsprintf( szSubKeyName, L"%s_%s\\%s\\%s\\%d", CONF_SoftwareReg_SandBox, g_szSandBoxName, CONF_SoftwareReg_SandBox_SYNC, CONF_SoftwareReg_SandBox_SYNC_PROC, dwProcessId ); if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkSandBox) == ERROR_SUCCESS ) { HANDLE hProc = NULL; hProc = CAPI_OpenProcess( PROCESS_QUERY_INFORMATION,FALSE,dwProcessId); if( !hProc ) { bRet = FALSE; } else { bRet = TRUE; } CloseHandle(hProc)

评论收藏

内容反馈