#include <windows.h>
#include <ntsecapi.h>
#include <tlhelp32.h>
#include <psapi.h>
#include <shlobj.h>
#pragma comment(lib,"psapi.lib")
#include <shlwapi.h>
#pragma comment(lib,"shlwapi.lib")
#include "./HookHelp.h"
#include "../Common/DebugLog.h"
#include "./Main.h"
#include "./BeginDispatch.h"
#include "../Config/Config.h"
#include "./Dispatch_NTDLL_NtQueryObject.h"
#include "./NativeAPI_NTDLL.h"
#include "./CloneAPI_KERNEL32.h"
#include "./CloneAPI_FLTLIB.h"
//
//Global
//
//PatchedProcessTable
//PatchedProcessTable
//PIDs of processes that have already been patched. IsProcessPatched()
//scans it front to back and stops at the first 0 entry, so 0 acts as the
//end-of-table marker (a PID of 0 cannot be represented here).
//File-scope storage, so every slot starts at 0.
//NOTE(review): the writers of this table are not in this file; confirm
//that reads and writes are serialised, since nothing here locks it.
DWORD g_dwPatchedProcessId[CONF_HookPort_MaxProcessCount];
//Current module
//[ImageBase, ImageHigh) of the module handed to GetCurrentModuleInfo().
//ImageHigh = base + SizeOfImage, i.e. one past the last byte of the image.
//All ranges are DWORD, so this code assumes a 32-bit process:
//(DWORD)lpBaseOfDll would truncate a 64-bit pointer.
//A range left at 0/0 means the module was never loaded or queried.
DWORD g_dwCurrentModule_ImageBase = 0;
DWORD g_dwCurrentModule_ImageHigh = 0;
//kernel32.dll
//Range of the clone copy loaded by GetCloenAPIModuleInfo().
DWORD g_dwCloneAPIModule_KERNEL32_ImageBase = 0;
DWORD g_dwCloneAPIModule_KERNEL32_ImageHigh = 0;
//fltlib.dll
DWORD g_dwCloneAPIModule_FLTLIB_ImageBase = 0;
DWORD g_dwCloneAPIModule_FLTLIB_ImageHigh = 0;
//shell32.dll
DWORD g_dwCloneAPIModule_SHELL32_ImageBase = 0;
DWORD g_dwCloneAPIModule_SHELL32_ImageHigh = 0;
//advapi32.dll
DWORD g_dwCloneAPIModule_ADVAPI32_ImageBase = 0;
DWORD g_dwCloneAPIModule_ADVAPI32_ImageHigh = 0;
//
//HookHelp Functions
//
int GetCurrentModuleInfo( IN HMODULE hModule )
{
	//Return Value:
	//-1 = error
	//0 = succeed
	//
	//Records the address range [ImageBase, ImageHigh) of hModule in the
	//g_dwCurrentModule_* globals so that IsBypassCaller() can recognise
	//return addresses that belong to this module.
	//ImageHigh = base + SizeOfImage (one past the last byte of the image).
	//A NULL handle or a failed GetModuleInformation() leaves the globals
	//untouched; a zero base or high after the query is treated as an error.
	//The casts to DWORD assume a 32-bit process.
	if( !hModule )
	{
		return -1;
	}
	MODULEINFO ModInfo = {0};
	if( GetModuleInformation(GetCurrentProcess(),hModule,&ModInfo,sizeof(ModInfo)) != TRUE )
	{
		return -1;
	}
	//Base Address
	g_dwCurrentModule_ImageBase = (DWORD)ModInfo.lpBaseOfDll;
	//One past the end of the image
	g_dwCurrentModule_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage;
	//Nothing usable came back from the query
	if( g_dwCurrentModule_ImageBase == 0 || g_dwCurrentModule_ImageHigh == 0 )
	{
		return -1;
	}
#ifdef Dbg
	WCHAR szDebugString[256] = {0};
	wsprintf(szDebugString,L"CurrentModuleImageBase = [0x%08X] CurrentModuleImageHigh = [0x%08X]",g_dwCurrentModule_ImageBase,g_dwCurrentModule_ImageHigh);
	DebugLog(DbgInfo,szDebugString);
#endif
	return 0;
}
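//
//Load one clone-API module and record its image range.
//
//szModulePath  : path handed to LoadLibrary()
//phModule      : receives the module handle (NULL if LoadLibrary fails)
//pdwImageBase  : receives the image base on success, untouched otherwise
//pdwImageHigh  : receives base + SizeOfImage (one past the image) on success
//
//Return Value:
//-1 = error (load failed, GetModuleInformation failed, or empty range)
//0 = succeed
//
//NOTE(review): LoadLibrary resolves a bare file name through the DLL
//search order; the g_szClone* values come from Config and should be
//full paths - confirm there.
//
static int LoadCloneAPIModuleRange(
	IN LPCTSTR szModulePath,
	OUT HMODULE *phModule,
	OUT DWORD *pdwImageBase,
	OUT DWORD *pdwImageHigh
	)
{
	*phModule = LoadLibrary( szModulePath );
	if( !*phModule )
	{
		return -1;
	}
	MODULEINFO ModInfo = {0};
	if( GetModuleInformation(GetCurrentProcess(),*phModule,&ModInfo,sizeof(ModInfo)) != TRUE )
	{
		return -1;
	}
	//Base Address (DWORD: assumes a 32-bit process)
	DWORD dwImageBase = (DWORD)ModInfo.lpBaseOfDll;
	//One past the end of the image
	DWORD dwImageHigh = dwImageBase + ModInfo.SizeOfImage;
	if( dwImageBase == 0 || dwImageHigh == 0 )
	{
		return -1;
	}
	*pdwImageBase = dwImageBase;
	*pdwImageHigh = dwImageHigh;
#ifdef Dbg
	WCHAR szDebugString[256] = {0};
	wsprintf(
		szDebugString,
		L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]",
		dwImageBase,
		dwImageHigh
		);
	DebugLog(DbgInfo,szDebugString);
#endif
	return 0;
}
int GetCloenAPIModuleInfo(void)
{
	//Return Value:
	//-1 = error (at least one clone module could not be loaded or queried)
	//0 = succeed
	//
	//Loads the clone copies of kernel32/fltlib/shell32/advapi32 and records
	//their [ImageBase, ImageHigh) ranges in the g_dwCloneAPIModule_* globals
	//for IsBypassCaller(). Every module is attempted even after a failure,
	//so the ranges that can be filled are filled; the handles of modules
	//that failed to load stay NULL and their ranges stay 0/0.
	//Previously iRet started at 0 and every branch assigned 0, so a load
	//failure was never reported to the caller; it now yields -1.
	int iRet = 0;
	//kernel32.dll
	if( LoadCloneAPIModuleRange(g_szCloneKERNEL32,&g_hCloneKERNEL32,&g_dwCloneAPIModule_KERNEL32_ImageBase,&g_dwCloneAPIModule_KERNEL32_ImageHigh) != 0 )
	{
		iRet = -1;
	}
	//fltlib.dll
	if( LoadCloneAPIModuleRange(g_szCloneFLTLIB,&g_hCloneFLTLIB,&g_dwCloneAPIModule_FLTLIB_ImageBase,&g_dwCloneAPIModule_FLTLIB_ImageHigh) != 0 )
	{
		iRet = -1;
	}
	//shell32.dll
	if( LoadCloneAPIModuleRange(g_szCloneSHELL32,&g_hCloneSHELL32,&g_dwCloneAPIModule_SHELL32_ImageBase,&g_dwCloneAPIModule_SHELL32_ImageHigh) != 0 )
	{
		iRet = -1;
	}
	//advapi32.dll
	if( LoadCloneAPIModuleRange(g_szCloneADVAPI32,&g_hCloneADVAPI32,&g_dwCloneAPIModule_ADVAPI32_ImageBase,&g_dwCloneAPIModule_ADVAPI32_ImageHigh) != 0 )
	{
		iRet = -1;
	}
	return iRet;
}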
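//
//TRUE when dwAddress lies in [dwBase, dwHigh).
//A range with base 0 or high <= base belongs to a module that was never
//loaded or queried (GetCloenAPIModuleInfo leaves it at 0/0) and never
//matches, instead of matching address 0.
//
static BOOL IsAddressInImage( IN DWORD dwAddress ,IN DWORD dwBase ,IN DWORD dwHigh )
{
	if( dwBase == 0 || dwHigh <= dwBase )
	{
		return FALSE;
	}
	if( dwAddress >= dwBase && dwAddress < dwHigh )
	{
		return TRUE;
	}
	return FALSE;
}
BOOL IsBypassCaller( IN DWORD lpdwReturnAddress )
{
	//Return Value:
	//TRUE = bypass
	//FALSE = not bypass
	//
	//Check Return Address
	//
	//The hook is skipped for calls whose return address is inside this
	//module or one of the clone-API modules, so the sandbox's own API
	//calls are not dispatched again.
	//ImageHigh is base + SizeOfImage (one past the image), so the upper
	//bound is exclusive; the previous "<= ImageHigh" also accepted the
	//first byte after the image.
	//NOTE(review): "return address inside a trusted image" is the whole
	//trust decision here; confirm that is the intended policy.
	//Current module
	if( IsAddressInImage(lpdwReturnAddress,g_dwCurrentModule_ImageBase,g_dwCurrentModule_ImageHigh) )
	{
		return TRUE;
	}
	//kernel32.dll
	if( IsAddressInImage(lpdwReturnAddress,g_dwCloneAPIModule_KERNEL32_ImageBase,g_dwCloneAPIModule_KERNEL32_ImageHigh) )
	{
		return TRUE;
	}
	//fltlib.dll
	if( IsAddressInImage(lpdwReturnAddress,g_dwCloneAPIModule_FLTLIB_ImageBase,g_dwCloneAPIModule_FLTLIB_ImageHigh) )
	{
		return TRUE;
	}
	//shell32.dll
	if( IsAddressInImage(lpdwReturnAddress,g_dwCloneAPIModule_SHELL32_ImageBase,g_dwCloneAPIModule_SHELL32_ImageHigh) )
	{
		return TRUE;
	}
	//advapi32.dll
	if( IsAddressInImage(lpdwReturnAddress,g_dwCloneAPIModule_ADVAPI32_ImageBase,g_dwCloneAPIModule_ADVAPI32_ImageHigh) )
	{
		return TRUE;
	}
	return FALSE;
}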
BOOL IsProcessPatched( IN DWORD dwProcessId ,IN BOOL bQueryInCached )
{
//Return Value:
//TRUE = Patched
//FALSE = not Patched
BOOL bRet = FALSE;
//
//Query in cached of [Patched Process Table]
//
if( bQueryInCached == TRUE )
{
for(int i=0;i<CONF_HookPort_MaxProcessCount;i++)
{
if( g_dwPatchedProcessId[i] == 0 )
{
break;
}
if( g_dwPatchedProcessId[i] == dwProcessId )
{
bRet = TRUE;
break;
}
}
return bRet;
}
//
//Query subkey [HKEY_USERS\SandBox_XXX\SYNC\PROC\(PID)]
//
HKEY hkSandBox = NULL;
WCHAR szSubKeyName[256] = {NULL};
wsprintf(
szSubKeyName,
L"%s_%s\\%s\\%s\\%d",
CONF_SoftwareReg_SandBox,
g_szSandBoxName,
CONF_SoftwareReg_SandBox_SYNC,
CONF_SoftwareReg_SandBox_SYNC_PROC,
dwProcessId
);
if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkSandBox) == ERROR_SUCCESS )
{
HANDLE hProc = NULL;
hProc = CAPI_OpenProcess( PROCESS_QUERY_INFORMATION,FALSE,dwProcessId);
if( !hProc )
{
bRet = FALSE;
}
else
{
bRet = TRUE;
}
CloseHandle(hProc)