├── README.md ├── src ├── hidden_run │ ├── icon.ico │ ├── ntdll.lib │ ├── hidden_run.vcxproj.user │ ├── resource.h │ ├── hidden_run.h │ ├── hidden_run.vcxproj.filters │ ├── hidden_run.rc │ ├── hidden_run.vcxproj │ └── hidden_run.c └── hidden_run.sln └── LICENSE /README.md: -------------------------------------------------------------------------------- 1 | process-hide-tool 2 | ================= 3 | 4 | Process hide tool based on Frost driver 5 | -------------------------------------------------------------------------------- /src/hidden_run/icon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kaimi-io/process-hide-tool/HEAD/src/hidden_run/icon.ico -------------------------------------------------------------------------------- /src/hidden_run/ntdll.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kaimi-io/process-hide-tool/HEAD/src/hidden_run/ntdll.lib -------------------------------------------------------------------------------- /src/hidden_run/hidden_run.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /src/hidden_run/resource.h: -------------------------------------------------------------------------------- 1 | #define IDR_VERSION 1 2 | #define IDD_MAIN 1000 3 | #define IDC_STC1 1001 4 | #define IDC_PATH 1002 5 | #define IDC_BROWSE 1003 6 | #define IDC_LOAD 1004 7 | #define IDC_START 1005 8 | #define IDC_SYM 1006 9 | #define IDC_RUNAS 1007 10 | #define IDI_ICON 1008 11 | -------------------------------------------------------------------------------- /src/hidden_run/hidden_run.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include "resource.h" 7 | 8 | #pragma comment(lib, 
"Shlwapi.lib") 9 | #pragma comment(lib, "ntdll.lib") 10 | 11 | #define DRV_NAME L"YOBA_ETO_TI" 12 | #define DRV_LINK_PATH L"\\\\.\\YOBA_ETO_TIDLL" 13 | #define FROST_HIDE 0x9C402408 14 | #define FROST_UNHIDE 0x9C402444 15 | #define SystemModuleInformation 11 16 | #define BUFSIZE 128 * 1024 17 | #define STOP_TIMEOUT 5000 18 | -------------------------------------------------------------------------------- /src/hidden_run.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "hidden_run", "hidden_run\hidden_run.vcxproj", "{7DA20847-BE69-4749-AA1C-4E901995275A}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {7DA20847-BE69-4749-AA1C-4E901995275A}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {7DA20847-BE69-4749-AA1C-4E901995275A}.Debug|Win32.Build.0 = Debug|Win32 14 | {7DA20847-BE69-4749-AA1C-4E901995275A}.Release|Win32.ActiveCfg = Release|Win32 15 | {7DA20847-BE69-4749-AA1C-4E901995275A}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2012 kaimi.io 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, 
and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /src/hidden_run/hidden_run.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Resource Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | Header Files 28 | 29 | 30 | 31 | 32 | Source Files 33 | 34 | 35 | -------------------------------------------------------------------------------- /src/hidden_run/hidden_run.rc: -------------------------------------------------------------------------------- 1 | #include 2 | #include "resource.h" 3 | 4 | IDD_MAIN DIALOGEX 6,5,230,60 5 | CAPTION "Hidden Run" 6 | FONT 8,"MS Sans Serif",0,0,0 7 | STYLE WS_VISIBLE|WS_CAPTION|WS_SYSMENU|WS_MINIMIZEBOX|DS_CENTER 8 | BEGIN 9 | CONTROL "Driver path",IDC_STC1,"Static",WS_CHILD|WS_VISIBLE,4,5,34,9 10 | CONTROL "Run 
Hidden...",IDC_START,"Button",WS_CHILD|WS_VISIBLE|WS_DISABLED|WS_TABSTOP,172,42,54,13 11 | CONTROL "",IDC_PATH,"Edit",WS_CHILD|WS_VISIBLE|WS_TABSTOP|ES_AUTOHSCROLL,42,3,164,13,WS_EX_CLIENTEDGE 12 | CONTROL "...",IDC_BROWSE,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,210,3,16,13 13 | CONTROL "Load Driver",IDC_LOAD,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP,172,20,54,13 14 | CONTROL "Symbolic link",IDC_SYM,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP|BS_AUTOCHECKBOX,42,20,54,9 15 | CONTROL "Run as user",IDC_RUNAS,"Button",WS_CHILD|WS_VISIBLE|WS_TABSTOP|BS_AUTOCHECKBOX,100,20,62,9 16 | END 17 | 18 | IDI_ICON ICON "icon.ico" 19 | 20 | IDR_VERSION VERSIONINFO 21 | FILEVERSION 1,0,0,0 22 | PRODUCTVERSION 1,0,0,0 23 | FILEOS 0x00000004 24 | FILETYPE 0x00000001 25 | BEGIN 26 | BLOCK "StringFileInfo" 27 | BEGIN 28 | BLOCK "FFFF04B0" 29 | BEGIN 30 | VALUE "FileVersion", "1.0.0.0\0" 31 | VALUE "ProductVersion", "1.0.0.0\0" 32 | VALUE "CompanyName", "kaimi.ru\0" 33 | VALUE "FileDescription", "Hidden Run\0" 34 | VALUE "InternalName", "hidden_run.exe\0" 35 | VALUE "LegalCopyright", "(c) kaimi.ru\0" 36 | VALUE "LegalTrademarks", "(c) kaimi.ru\0" 37 | VALUE "OriginalFilename", "hidden_run.exe\0" 38 | END 39 | END 40 | BLOCK "VarFileInfo" 41 | BEGIN 42 | VALUE "Translation", 0xFFFF, 0x04B0 43 | END 44 | END 45 | 46 | -------------------------------------------------------------------------------- /src/hidden_run/hidden_run.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {7DA20847-BE69-4749-AA1C-4E901995275A} 15 | Win32Proj 16 | hidden_run 17 | 18 | 19 | 20 | Application 21 | true 22 | Unicode 23 | 24 | 25 | Application 26 | false 27 | true 28 | Unicode 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | true 42 | 43 | 44 | false 45 | 46 | 47 | 48 | 49 | 50 | Level3 51 | Disabled 52 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 53 | 54 | 55 | Windows 
/* /src/hidden_run/hidden_run.c
 *
 * Win32 dialog front end for the "Frost" kernel driver: installs/removes the
 * driver as an SCM service, sends FROST_HIDE / FROST_UNHIDE requests over the
 * driver's symbolic link and launches a user-chosen executable in between.
 * Build settings visible in hidden_run.vcxproj: Win32 only, Unicode, UAC
 * execution level RequireAdministrator (the whole tool runs elevated).
 */
#include "hidden_run.h"

/* ntdll exports whose stubs fill_buffer() inspects; the array order fixes the
 * request-buffer slot each one lands in (slots 5..16, two DWORDs per entry). */
const char functions[][32] =
{
    "ZwOpenProcess",
    "ZwQuerySystemInformation",
    "ZwReadVirtualMemory",
    "ZwWriteVirtualMemory",
    "ZwCreateUserProcess",
    "ZwDuplicateObject"
};

/* NOTE(review): these two file-scope, properly typed function pointers are never
 * assigned. fill_buffer() and create_process() declare same-named FARPROC locals
 * that shadow them, so the actual calls go through unprototyped FARPROC values. */
BOOL (WINAPI * IsWow64Process_)(HANDLE, PBOOL);
BOOL (WINAPI * CreateProcessWithTokenW_)(HANDLE, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
BOOL load_button_state = FALSE;  /* TRUE while the driver service is installed and started (toggled by IDC_LOAD) */
HINSTANCE ghInstance;            /* module instance, set in WinMain */
HWND ghWnd;                      /* main dialog, set on WM_INITDIALOG; owner of every error box */

/* Shows a modal error box owned by the main dialog, formatted as
 * "<message> - <GetLastError() in hex>". GetLastError() is read here, so the
 * code shown is whatever the caller's most recent failing API call left behind.
 * error_message holds 64 TCHARs and swprintf_s does not silently truncate, so
 * callers keep `message` well under 50 characters. */
void display_error(TCHAR * message)
{
    TCHAR error_message[64];

    swprintf_s(error_message, sizeof(error_message) / sizeof(TCHAR), L"%s - %08X", message, GetLastError());
    MessageBox(ghWnd, error_message, L"Error", MB_OK | MB_ICONERROR);
}

/* Registers `path` as a demand-start kernel driver service called `name` under the
 * SCM handle `sm` and starts it. If a service of that name already exists it is
 * opened and reused instead. Returns TRUE once StartService succeeded; if the
 * service cannot be created/opened or fails to start, returns FALSE (the
 * not-started service is deleted first).
 * NOTE(review): GetLastError() is consulted without first checking whether
 * CreateService returned NULL, so a stale ERROR_SERVICE_EXISTS could in principle
 * redirect a successful create to OpenService. The StartService failure path also
 * returns without CloseServiceHandle(service); DeleteService only marks the
 * service, and the leaked handle delays its actual removal. */
BOOL install_driver(SC_HANDLE sm, TCHAR * name, TCHAR * path)
{
    SC_HANDLE service;

    service = CreateService
    (
        sm, name, name,
        SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
        path, NULL, NULL, NULL, NULL, NULL
    );

    /* A service of the same name is already registered: reuse it. */
    if(GetLastError() == ERROR_SERVICE_EXISTS)
        service = OpenService(sm, name, SERVICE_ALL_ACCESS);

    if(service == NULL)
        return FALSE;

    if(StartService(service, 0, NULL) == FALSE)
    {
        DeleteService(service);
        return FALSE;
    }

    CloseServiceHandle(service);

    return TRUE;
}

/* Stops and deletes the driver service `name`. Sequence: query the status; if a
 * stop is already pending, poll (sleeping dwWaitHint/10 clamped to 1..10 s per
 * round) until SERVICE_STOPPED or STOP_TIMEOUT ms elapse; otherwise send
 * SERVICE_CONTROL_STOP, poll (sleeping dwWaitHint, unclamped) under the same
 * timeout, then DeleteService. Returns TRUE when the service is stopped, FALSE
 * on any SCM failure or timeout (timeouts also raise an error box here).
 * The outer while(1) is a single-pass cleanup idiom: a failure sets state = FALSE
 * and `continue`s, which routes control to the close-handle-and-return branch at
 * the top of the loop.
 * NOTE(review): both timeout branches call CloseServiceHandle(service) before
 * setting state = FALSE, so the cleanup branch then closes the same handle a
 * second time. Also, a service found already in SERVICE_STOPPED `break`s out
 * before DeleteService and is therefore never deleted, although TRUE is returned. */
BOOL remove_driver(SC_HANDLE sm, TCHAR * name)
{
    SC_HANDLE service;
    SERVICE_STATUS_PROCESS ssp;
    DWORD bytes, wait_time, start_time;
    BOOL state = TRUE;


    service = OpenService(sm, name, SERVICE_ALL_ACCESS);
    if(service == NULL)
        return FALSE;

    while(1)
    {
        /* Cleanup branch reached via `state = FALSE; continue;` below. */
        if(state == FALSE)
        {
            if(service)
                CloseServiceHandle(service);

            return FALSE;
        }


        if(!QueryServiceStatusEx(service, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssp, sizeof(SERVICE_STATUS_PROCESS), &bytes))
        {
            state = FALSE;
            continue;
        }

        if(ssp.dwCurrentState == SERVICE_STOPPED)
        {
            break;
        }

        start_time = GetTickCount();

        /* Someone else already requested a stop: wait for it to finish. */
        while(ssp.dwCurrentState == SERVICE_STOP_PENDING)
        {
            wait_time = ssp.dwWaitHint / 10;

            if(wait_time < 1000)
                wait_time = 1000;
            else if (wait_time > 10000)
                wait_time = 10000;

            Sleep(wait_time);

            if(!QueryServiceStatusEx(service, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssp, sizeof(SERVICE_STATUS_PROCESS), &bytes))
            {
                state = FALSE;
                break;
            }

            if(ssp.dwCurrentState == SERVICE_STOPPED)
            {
                CloseServiceHandle(service);
                return TRUE;
            }

            if(GetTickCount() - start_time > STOP_TIMEOUT)
            {
                CloseServiceHandle(service);
                state = FALSE;
                display_error(L"Can't unload driver - timeout");
                break;
            }
        }

        if(state == FALSE)
            continue;

        /* ssp begins with the SERVICE_STATUS fields, hence the cast. */
        if(!ControlService(service, SERVICE_CONTROL_STOP, (LPSERVICE_STATUS)&ssp))
        {
            state = FALSE;
            continue;
        }

        /* The timeout is still measured from start_time, i.e. from before the stop request. */
        while(ssp.dwCurrentState != SERVICE_STOPPED)
        {
            Sleep(ssp.dwWaitHint);

            if(!QueryServiceStatusEx(service, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssp, sizeof(SERVICE_STATUS_PROCESS), &bytes))
            {
                state = FALSE;
                break;
            }

            if(ssp.dwCurrentState == SERVICE_STOPPED)
            {
                CloseServiceHandle(service);
                return TRUE;
            }

            if(GetTickCount() - start_time > STOP_TIMEOUT)
            {
                CloseServiceHandle(service);
                state = FALSE;
                display_error(L"Can't unload driver - timeout");
                break;
            }
        }

        if(state == FALSE)
            continue;

        if(!DeleteService(service))
        {
            state = FALSE;
            continue;
        }

        break;
    }

    CloseServiceHandle(service);

    return TRUE;
}

/* Wraps GetOpenFileName: a modal "open" dialog owned by the main window whose
 * initial directory is the folder this executable was loaded from.
 * `outbuf` must hold at least MAX_PATH TCHARs and receives the chosen path on
 * success. `filter` is a GetOpenFileName filter string (NUL-separated
 * description/pattern pairs, double-NUL terminated); `title` is the dialog caption.
 * Returns GetOpenFileName's result: non-zero when a file was picked, 0 on
 * cancel or error. */
DWORD GetOpenName(TCHAR * outbuf, const TCHAR * filter, const TCHAR * title)
{
    OPENFILENAME ofn;
    TCHAR buf[MAX_PATH + 2];
    TCHAR * tmp;

    ZeroMemory(&ofn, sizeof(OPENFILENAME));
    GetModuleFileName(NULL, buf, MAX_PATH);

    /* Cut the module path at its last backslash to obtain the directory. */
    tmp = StrRChr(buf, NULL, L'\\');
    if(tmp != 0)
    {
        *tmp = 0;
        ofn.lpstrInitialDir = buf;
    }

    ofn.hInstance = ghInstance;
    ofn.hwndOwner = ghWnd;
    ofn.lStructSize = sizeof(OPENFILENAME);
    ofn.lpstrFilter = filter;
    ofn.nFilterIndex = 1;
    ofn.lpstrFile = outbuf;
    ofn.lpstrFile[0] = 0;
    ofn.lpstrFile[1] = 0;
    ofn.nMaxFile = MAX_PATH;
    ofn.lpstrTitle = title;
    ofn.Flags = OFN_EXPLORER | OFN_DONTADDTORECENT | OFN_FILEMUSTEXIST | OFN_LONGNAMES | OFN_NONETWORKBUTTON | OFN_PATHMUSTEXIST;

    return GetOpenFileName(&ofn);
}

/* Checksum the driver expects in slot 3 of the request buffer: XOR over slots
 * 0..14 of 0xFF times the 16-bit-rotated value of each slot, skipping slot 3
 * itself. Only 15 of the 17 DWORDs fill_buffer() writes are covered; the layout
 * is dictated by the driver, not chosen here. All arithmetic is on DWORD, so
 * the multiplication wraps rather than overflowing. `buffer` must hold at
 * least 15 DWORDs. */
DWORD compute_crc(DWORD * buffer)
{
    int i;
    DWORD result = 0;

    for(i = 0; i < 15; i++)
    {
        /* Slot 3 (the fourth DWORD) is where the checksum itself is stored, so it is skipped. */
        if(i == 3)
            continue;
        result ^= 0xFF * ((buffer[i] << 16) + (buffer[i] >> 16));
    }

    return result;
}

/* Builds the 17-DWORD request that hide_unhide() sends with FROST_HIDE. Layout as
 * written here:
 *   [0]      current process id
 *   [1],[2]  DWORDs at index 3 and index 4 of the SystemModuleInformation result
 *            ([2] additionally has [1] added to it)
 *   [3]      compute_crc() over the buffer
 *   [4]      system page size
 *   [5..16]  for each entry of functions[], in order: the DWORD found one byte
 *            past the export's entry point in ntdll, followed by a 0
 * Slots 1, 2 and 5..16 are only filled when IsWow64Process is unavailable, fails,
 * or reports a native (non-WOW64) process; otherwise they stay zero from the
 * initial ZeroMemory. Returns FALSE (after display_error) if buffer_size is below
 * 17 DWORDs, a kernel32/ntdll handle or the scratch allocation cannot be obtained,
 * or NtQuerySystemInformation reports an error.
 * NOTE(review): `(DWORD)GetProcAddress(...)` truncates a pointer and is only valid
 * for the Win32 build the .vcxproj defines; the local FARPROC IsWow64Process_
 * shadows the typed file-scope pointer of the same name. */
BOOL fill_buffer(DWORD * buffer, size_t buffer_size)
{
    HMODULE ntdll, kernel32;
    SYSTEM_INFO sys_info;
    FARPROC IsWow64Process_;
    int i;
    DWORD aux;
    void * sys_m_inf;
    NTSTATUS result;

    if(buffer_size < sizeof(DWORD) * 17)
    {
        display_error(L"Erroneous buffer size");
        return FALSE;
    }

    ZeroMemory(buffer, buffer_size);

    buffer[0] = GetCurrentProcessId();

    GetSystemInfo(&sys_info);
    buffer[4] = sys_info.dwPageSize;


    kernel32 = GetModuleHandle(L"kernel32.dll");
    if(kernel32 == NULL)
    {
        display_error(L"Can't get kernel32 handle");
        return FALSE;
    }

    IsWow64Process_ = GetProcAddress(kernel32, "IsWow64Process");
    if(IsWow64Process_)
    {
        /* `i` doubles as the BOOL out-parameter here and as the loop index below. */
        if(!IsWow64Process_(GetCurrentProcess(), &i) || i == 0)
        {
            ntdll = GetModuleHandle(L"ntdll.dll");
            if(ntdll == NULL)
            {
                display_error(L"Can't get ntdll handle");
                return FALSE;
            }

            /* Slots 5..16: one (value, 0) pair per functions[] entry. */
            for(i = 0; i < sizeof(functions) / sizeof(functions[0]); i++)
            {
                aux = (DWORD)GetProcAddress(ntdll, functions[i]);
                buffer[2 * i + 5] = (aux == 0 ? 0 : *(DWORD *)((BYTE *)aux + 1));
                buffer[2 * i + 5 + 1] = 0;
            }


            sys_m_inf = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT, PAGE_READWRITE);
            if(sys_m_inf == NULL)
            {
                display_error(L"Memory allocation error");
                return FALSE;
            }

            result = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, sys_m_inf, BUFSIZE, NULL);
            if(NT_ERROR(result))
            {
                VirtualFree(sys_m_inf, 0, MEM_RELEASE);
                display_error(L"NtQuerySystemInformation error");
                return FALSE;
            }

            buffer[1] = *((DWORD *)sys_m_inf + 3);
            buffer[2] = *((DWORD *)sys_m_inf + 4) + buffer[1];

            VirtualFree(sys_m_inf, 0, MEM_RELEASE);
        }
    }

    buffer[3] = compute_crc(buffer);

    return TRUE;
}

/* Opens the driver's symbolic link (`link_path`, or DRV_LINK_PATH when NULL) and
 * issues a single DeviceIoControl: FROST_HIDE with the 17-DWORD buffer from
 * fill_buffer() when do_hide is TRUE, otherwise FROST_UNHIDE with one DWORD
 * derived from the current process id. Returns FALSE (after display_error) if
 * the link cannot be opened or the ioctl fails; the handle is closed on every path.
 * NOTE(review): fill_buffer()'s return value is ignored, so when it fails the
 * partially initialised in_buffer is still handed to the driver. */
BOOL hide_unhide(BOOL do_hide, TCHAR * link_path)
{
    DWORD in_buffer[17], out_buffer, aux;
    HANDLE drv;

    if(do_hide)
        fill_buffer(in_buffer, sizeof(in_buffer));
    else
        in_buffer[0] = (GetCurrentProcessId() ^ 0x77917F) + 0x29D8;


    drv = CreateFile
    (
        link_path != NULL ? link_path : DRV_LINK_PATH,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        0
    );

    if(drv == INVALID_HANDLE_VALUE)
    {
        display_error(L"Can't access driver symbolic link");
        return FALSE;
    }

    /* Input size is the whole buffer for hide, a single DWORD for unhide. */
    if
    (
        DeviceIoControl
        (
            drv,
            do_hide ? FROST_HIDE : FROST_UNHIDE,
            in_buffer,
            do_hide ? sizeof(in_buffer) : sizeof(in_buffer[0]),
            &out_buffer,
            sizeof(out_buffer),
            &aux,
            NULL
        ) == FALSE
    )
    {
        CloseHandle(drv);
        display_error(L"DeviceIoControl failed");

        return FALSE;
    }

    CloseHandle(drv);


    return TRUE;
}

/* Launches `path` with no command line and default environment/directory.
 * as_user FALSE: plain CreateProcess from this (elevated) process.
 * as_user TRUE: enables SE_INCREASE_QUOTA_NAME on the current process token,
 * locates the shell process via GetShellWindow(), duplicates its token into a
 * primary token and starts the child with CreateProcessWithTokenW (resolved
 * dynamically from Advapi32). The while(1)/state construct is a single-pass
 * cleanup idiom: a failure sets state = FALSE and `continue`s to the branch that
 * closes whichever handles are open and returns FALSE.
 * Returns TRUE once the child exists; its process and thread handles are closed
 * here, so callers receive no handle to it. Every failure shows an error box.
 * NOTE(review): the local FARPROC CreateProcessWithTokenW_ shadows the typed
 * file-scope pointer, so the call is made through an unprototyped pointer. */
BOOL create_process(TCHAR * path, BOOL as_user)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    TOKEN_PRIVILEGES tkp;
    DWORD pid, token_rights;
    HWND shell_wnd;
    BOOL state = TRUE;
    HANDLE shell_process = NULL, shell_token = NULL, primary_token = NULL, process_token = NULL;
    HMODULE advapi;
    FARPROC CreateProcessWithTokenW_;

    ZeroMemory(&si, sizeof(STARTUPINFO));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));

    si.cb = sizeof(STARTUPINFO);

    if(as_user)
    {
        advapi = GetModuleHandle(L"Advapi32.dll");
        if(advapi == NULL)
        {
            display_error(L"Can't get advapi32 handle");
            return FALSE;
        }

        CreateProcessWithTokenW_ = GetProcAddress(advapi, "CreateProcessWithTokenW");
        if(!CreateProcessWithTokenW_)
        {
            display_error(L"Can't get CreateProcessWithTokenW address");
            return FALSE;
        }

        if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &process_token))
        {
            display_error(L"OpenProcessToken failed");
            return FALSE;
        }

        tkp.PrivilegeCount = 1;
        if(!LookupPrivilegeValue(NULL, SE_INCREASE_QUOTA_NAME, &tkp.Privileges[0].Luid))
        {
            CloseHandle(process_token);
            display_error(L"LookupPrivilegeValue failed");
            return FALSE;
        }

        /* AdjustTokenPrivileges can return TRUE with ERROR_NOT_ALL_ASSIGNED, hence the extra GetLastError check. */
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if(!AdjustTokenPrivileges(process_token, FALSE, &tkp, 0, NULL, NULL) || GetLastError() != ERROR_SUCCESS)
        {
            CloseHandle(process_token);
            display_error(L"AdjustTokenPrivileges failed");
            return FALSE;
        }

        CloseHandle(process_token);


        shell_wnd = GetShellWindow();
        if(shell_wnd == NULL)
        {
            display_error(L"Can't get explorer HWND");
            return FALSE;
        }

        GetWindowThreadProcessId(shell_wnd, &pid);
        if(pid == 0)
        {
            display_error(L"Can't get explorer pid");
            return FALSE;
        }

        shell_process = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
        if(shell_process == NULL)
        {
            display_error(L"Can't open explorer process");
            return FALSE;
        }

        while(1)
        {
            /* Cleanup branch reached via `state = FALSE; continue;` below. */
            if(state == FALSE)
            {
                if(shell_token)
                    CloseHandle(shell_token);
                if(shell_process)
                    CloseHandle(shell_process);
                if(primary_token)
                    CloseHandle(primary_token);

                return FALSE;
            }
            else
            {
                if(!OpenProcessToken(shell_process, TOKEN_DUPLICATE, &shell_token))
                {
                    state = FALSE;
                    display_error(L"Can't open explorer process token");
                    continue;
                }

                token_rights = TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID;

                if(!DuplicateTokenEx(shell_token, token_rights, NULL, SecurityImpersonation, TokenPrimary, &primary_token))
                {
                    state = FALSE;
                    display_error(L"Can't duplicate explorer process token");
                    continue;
                }

                if(!CreateProcessWithTokenW_(primary_token, 0, path, NULL, 0, NULL, NULL, &si, &pi))
                {
                    state = FALSE;
                    display_error(L"CreateProcessWithTokenW_ failed");
                    continue;
                }

                CloseHandle(shell_token);
                CloseHandle(primary_token);
                CloseHandle(shell_process);

                break;
            }
        }
    }
    else
    {
        if(!CreateProcess(path, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        {
            display_error(L"CreateProcess failed");
            return FALSE;
        }
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    return TRUE;
}

/* Dialog procedure for IDD_MAIN.
 * WM_INITDIALOG: stores ghWnd, sets the window icon, opens the SCM with
 *   GENERIC_WRITE | GENERIC_EXECUTE, disables "Run as user" when the OS major
 *   version is below 6, and limits the path edit to MAX_PATH characters.
 *   NOTE(review): when OpenSCManager fails, EndDialog is called but the handler
 *   does not return, so the version query and EM_LIMITTEXT still run.
 * IDC_START: picks an executable, sends FROST_HIDE for this process (through the
 *   path typed in the edit when IDC_SYM is checked, else DRV_LINK_PATH), starts
 *   the executable, then sends FROST_UNHIDE. create_process()'s result is
 *   ignored, so the unhide request is sent either way.
 * IDC_LOAD: toggles install_driver/remove_driver on DRV_NAME using the edit's text
 *   as the driver path, relabels the button and enables IDC_START only while the
 *   driver is loaded.
 * IDC_SYM: relabels the edit as "Symlink"/"Driver path" and flips the related
 *   button enabled states.
 * IDC_BROWSE: file picker for the .sys path, copied into the edit.
 * WM_CLOSE: unloads the driver if the SCM handle is open, closes it, destroys the
 *   icon and ends the dialog.
 * Returns 1 for handled messages and 0 otherwise. The return type is int; WinMain
 * casts the function to DLGPROC, which is declared to return INT_PTR. */
int MainDlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    static HICON ico;
    OSVERSIONINFO version;
    TCHAR path[MAX_PATH], symlink[MAX_PATH];
    static SC_HANDLE sm = NULL;
    BOOL checkbox_state;

    switch(uMsg)
    {
    case WM_INITDIALOG:
        ghWnd = hWnd;

        ico = LoadIcon(GetModuleHandle(NULL), MAKEINTRESOURCE(IDI_ICON));
        SendMessage(hWnd, WM_SETICON, ICON_SMALL, (LPARAM)ico);

        sm = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_WRITE | GENERIC_EXECUTE);
        if(sm == NULL)
        {
            display_error(L"Can't open service manager");
            DestroyIcon(ico);
            EndDialog(hWnd, 1);
        }


        version.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        if(GetVersionEx(&version))
        {
            if(version.dwMajorVersion < 6)
                EnableWindow(GetDlgItem(hWnd, IDC_RUNAS), FALSE);
        }
        else
            display_error(L"Can't get OS version");

        SendDlgItemMessage(hWnd, IDC_PATH, EM_LIMITTEXT, MAX_PATH, 0);
        break;

    case WM_COMMAND:
        switch(LOWORD(wParam))
        {
        case IDC_START:
            /* The misspelling "exectuable" is part of the displayed dialog title. */
            if(GetOpenName(path, TEXT("Executable (*.exe)\0*.exe\0All files (*.*)\0*.*\0\0"), TEXT("Select exectuable to run...")))
            {
                checkbox_state = SendDlgItemMessage(hWnd, IDC_SYM, BM_GETCHECK, 0, 0);

                if(checkbox_state == BST_CHECKED)
                {
                    GetDlgItemText(hWnd, IDC_PATH, symlink, MAX_PATH);
                    if(hide_unhide(TRUE, symlink) == FALSE)
                        break;
                }
                else
                    if(hide_unhide(TRUE, NULL) == FALSE)
                        break;

                create_process(path, SendDlgItemMessage(hWnd, IDC_RUNAS, BM_GETCHECK, 0, 0) == BST_CHECKED);


                if(checkbox_state == BST_CHECKED)
                    hide_unhide(FALSE, symlink);
                else
                    hide_unhide(FALSE, NULL);
            }
            break;

        case IDC_LOAD:
            GetDlgItemText(hWnd, IDC_PATH, path, MAX_PATH);

            if(load_button_state)
            {
                if(remove_driver(sm, DRV_NAME) == FALSE)
                {
                    display_error(L"Can't unload specified driver");
                    break;
                }

                SetDlgItemText(hWnd, IDC_LOAD, TEXT("Load driver"));
                load_button_state = FALSE;
            }
            else
            {
                if(install_driver(sm, DRV_NAME, path) == FALSE)
                {
                    display_error(L"Can't load specified driver");
                    break;
                }

                SetDlgItemText(hWnd, IDC_LOAD, TEXT("Unload driver"));
                load_button_state = TRUE;
            }

            EnableWindow(GetDlgItem(hWnd, IDC_START), load_button_state);
            EnableWindow(GetDlgItem(hWnd, IDC_PATH), !load_button_state);
            EnableWindow(GetDlgItem(hWnd, IDC_BROWSE), !load_button_state);
            break;

        case IDC_SYM:
            if(SendDlgItemMessage(hWnd, IDC_SYM, BM_GETCHECK, 0, 0) == BST_CHECKED)
            {
                SetDlgItemText(hWnd, IDC_STC1, L"Symlink");
                EnableWindow(GetDlgItem(hWnd, IDC_START), TRUE);
                EnableWindow(GetDlgItem(hWnd, IDC_BROWSE), FALSE);
                EnableWindow(GetDlgItem(hWnd, IDC_LOAD), FALSE);
            }
            else
            {
                SetDlgItemText(hWnd, IDC_STC1, L"Driver path");
                EnableWindow(GetDlgItem(hWnd, IDC_START), load_button_state);
                EnableWindow(GetDlgItem(hWnd, IDC_BROWSE), !load_button_state);
                EnableWindow(GetDlgItem(hWnd, IDC_LOAD), TRUE);
            }
            break;

        case IDC_BROWSE:
            if(GetOpenName(path, TEXT("Driver (*.sys)\0*.sys\0All files (*.*)\0*.*\0\0"), TEXT("Select driver...")))
                SetDlgItemText(hWnd, IDC_PATH, path);
            break;
        }
        break;

    case WM_CLOSE:
        /* Best effort: remove_driver's result is not checked on exit. */
        if(sm)
        {
            remove_driver(sm, DRV_NAME);
            CloseServiceHandle(sm);
        }
        DestroyIcon(ico);
        EndDialog(hWnd, 0);
        break;

    default:
        return 0;
    }

    return 1;
}

/* Entry point: records the instance handle for GetOpenName() and runs the main
 * dialog modally until it is closed. Always returns 0. */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    ghInstance = hInstance;

    DialogBoxParam(hInstance, MAKEINTRESOURCE(IDD_MAIN), 0, (DLGPROC) MainDlgProc, 0);

    return 0;
}