├── src ├── IDAStealth │ ├── RemoteEventReader.cpp │ ├── distorm.lib │ ├── IDAStealth.cpp │ ├── distorm_dbg.lib │ ├── ida_stealth.jpg │ ├── IDAStealth.h │ ├── RemoteEventReader.h │ ├── IDACommon.h │ ├── IPCConfigExchangeCommon.cpp │ ├── WTLCommon.h │ ├── IDAMessageLogger.h │ ├── RemoteEventListener.cpp │ ├── ResourceItem.h │ ├── IDAStealthLogWindow.h │ ├── RemoteEventListener.h │ ├── DriverControl.h │ ├── RDTSCDriver.h │ ├── IPCConfigExchangeWriter.h │ ├── IDAMessageLogger.cpp │ ├── IPCConfigExchangeCommon.h │ ├── ResourceItem.cpp │ ├── IDAStealthChooseDialog.h │ ├── WTLInputBox.h │ ├── IDAStealthRDTSCPage.h │ ├── IDAStealthPage2.h │ ├── IDAStealthDriversPage.h │ ├── StealthSession.h │ ├── IDAStealthRDTSCPage.cpp │ ├── IDAStealthWTLWrapper.h │ ├── IDAStealthPageMisc.h │ ├── IDAStealthPropertyPage.h │ ├── IDAStealthLogWindow.cpp │ ├── IPCConfigExchangeWriter.cpp │ ├── IDAStealthPage1.h │ ├── IDAStealthAboutPage.h │ ├── IDAStealthOptionsDialog.h │ ├── IDAStealthPage2.cpp │ ├── LocalStealthSession.h │ ├── IDAStealthDriversPage.cpp │ ├── IDAStealthPage1.cpp │ ├── .gitignore │ ├── IDAStealthPageMisc.cpp │ ├── RDTSCDriver.cpp │ └── DriverControl.cpp ├── HideDebugger │ ├── HideDebugger.def │ ├── distorm.lib │ ├── distorm_dbg.lib │ ├── RemoteEventCommon.h │ ├── resource.h │ ├── RemoteEventWriter.cpp │ ├── RemoteEventCommon.cpp │ ├── RemoteEventWriter.h │ ├── IPCConfigExchangeReader.h │ ├── HideDebugger.h │ ├── HideDebugger.sln │ ├── IPCConfigExchangeReader.cpp │ ├── IPCConfigExchange.h │ ├── HookHelper.h │ ├── HideDebugger.rc │ ├── ObjectTextSerialization.h │ ├── .gitignore │ ├── IPCConfigExchange.cpp │ └── HookHelper.cpp ├── NInjectLib │ ├── GenericInjector.cpp │ ├── RemoteLibCall.h │ ├── InjectLib.h │ ├── GenericInjector.h │ ├── Readme.txt │ ├── IATModifier.h │ ├── Process.h │ └── RemoteLibCall.cpp ├── RDTSCEmu │ ├── distorm │ │ ├── src │ │ │ ├── prefix.c │ │ │ ├── dummy.c │ │ │ ├── insts.h │ │ │ ├── wstring.c │ │ │ ├── operands.h │ │ │ ├── decoder.h │ │ │ ├── wstring.h │ │ │ ├── pydistorm.h │ │ │ ├── distorm.c │ │ │ ├── prefix.h │ │ │ └── textdefs.h │ │ └── config.h │ └── driver │ │ ├── drvversion.rc │ │ ├── distorm_dummy.c │ │ ├── makefile │ │ ├── HookInt.h │ │ ├── sources │ │ ├── drvcommon.h │ │ ├── RDTSCEmu.h │ │ ├── HookInt.cpp │ │ ├── RDTSCEmu.WLH.vcxproj.filters │ │ ├── drvversion.h │ │ ├── RDTSCEmu.sln │ │ └── .gitignore ├── StealthDriver │ ├── StealthDriver │ │ ├── StealthImplementation.h │ │ ├── makefile │ │ ├── sources │ │ ├── drvcommon.h │ │ ├── StealthDriver.h │ │ ├── StealthDriver.W7.vcxproj.filters │ │ ├── drvversion.h │ │ ├── drvversion.rc │ │ ├── .gitignore │ │ └── StealthDriver.cpp │ ├── .gitignore │ └── StealthDriver.sln ├── NCodeHook │ ├── NCodeHookInstantiation.h │ ├── NCodeHookItem.cpp │ ├── NCodeHookItem.h │ ├── NCodeHook.h │ └── distorm.h ├── IDAStealthRemote │ ├── IDAStealthRemote.h │ ├── resource.h │ ├── RemoteStealthServer.h │ ├── RemoteStealthClient.h │ ├── RemoteStealthSession.h │ ├── IDAStealthRemote.sln │ ├── IDAStealthRemote.cpp │ ├── RemoteStealthClient.cpp │ ├── IDAStealthRemote.rc │ ├── RemoteStealthProtocoll.h │ ├── RemoteStealthServer.cpp │ ├── RemoteStealthSession.cpp │ ├── RemoteStealthConnection.h │ └── .gitignore └── IniFileAccess │ └── IniFileAccess.h ├── bin ├── IDAStealth │ ├── IDAStealth.plw │ └── HideDebugger.dll └── IDAStealthRemote │ ├── HideDebugger.dll │ └── IDAStealthRemote.exe ├── distorm └── COPYING └── .gitignore /src/IDAStealth/RemoteEventReader.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteEventReader.h" -------------------------------------------------------------------------------- /src/HideDebugger/HideDebugger.def: -------------------------------------------------------------------------------- 1 | LIBRARY "HideDebugger" 2 | 3 | EXPORTS 4 | dummyExport @1 5 | -------------------------------------------------------------------------------- /src/IDAStealth/distorm.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/IDAStealth/distorm.lib -------------------------------------------------------------------------------- /bin/IDAStealth/IDAStealth.plw: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/bin/IDAStealth/IDAStealth.plw -------------------------------------------------------------------------------- /src/HideDebugger/distorm.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/HideDebugger/distorm.lib -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealth.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/IDAStealth/IDAStealth.cpp -------------------------------------------------------------------------------- /bin/IDAStealth/HideDebugger.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/bin/IDAStealth/HideDebugger.dll -------------------------------------------------------------------------------- /src/HideDebugger/distorm_dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/HideDebugger/distorm_dbg.lib -------------------------------------------------------------------------------- /src/IDAStealth/distorm_dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/IDAStealth/distorm_dbg.lib -------------------------------------------------------------------------------- /src/IDAStealth/ida_stealth.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/IDAStealth/ida_stealth.jpg -------------------------------------------------------------------------------- /src/NInjectLib/GenericInjector.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/NInjectLib/GenericInjector.cpp -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/prefix.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/RDTSCEmu/distorm/src/prefix.c -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/drvversion.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/src/RDTSCEmu/driver/drvversion.rc -------------------------------------------------------------------------------- /bin/IDAStealthRemote/HideDebugger.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/bin/IDAStealthRemote/HideDebugger.dll -------------------------------------------------------------------------------- /bin/IDAStealthRemote/IDAStealthRemote.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/idastealth/HEAD/bin/IDAStealthRemote/IDAStealthRemote.exe -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealth.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "IDACommon.h" 4 | #include 5 | 6 | int idaapi callback(void* user_data, int notification_code, va_list va); 7 | void localStealth(); -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/StealthImplementation.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "StealthDriver.h" 5 | 6 | void hookSysCall(StealthHook hook); 7 | void unhookSysCall(StealthHook hook); 8 | bool initSysCallHooking(); -------------------------------------------------------------------------------- /src/IDAStealth/RemoteEventReader.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace IDAStealth 6 | { 7 | class RemoteEventReader 8 | { 9 | public: 10 | RemoteEventReader(); 11 | ~RemoteEventReader(); 12 | }; 13 | } -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/distorm_dummy.c: -------------------------------------------------------------------------------- 1 | #include "x86defs.c" 2 | #include "wstring.c" 3 | #include "textdefs.c" 4 | #include "prefix.c" 5 | #include "operands.c" 6 | #include "insts.c" 7 | #include "instructions.c" 8 | #include "distorm.c" 9 | #include "decoder.c" -------------------------------------------------------------------------------- /src/NCodeHook/NCodeHookInstantiation.h: -------------------------------------------------------------------------------- 1 | #include "NCodeHook.cpp" 2 | 3 | template class NCodeHook; 4 | typedef NCodeHook NCodeHookIA32; 5 | 6 | template class NCodeHook; 7 | typedef NCodeHook NCodeHookX64; -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the driver components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /src/IDAStealth/IDACommon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define USE_STANDARD_FILE_FUNCTIONS 4 | #pragma warning(disable : 4996 4512 4127 4201) 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #pragma warning(default : 4996 4512 4127 4201) -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/HookInt.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef __cplusplus 4 | extern "C" { 5 | #endif 6 | #include 7 | #include 8 | #ifdef __cplusplus 9 | }; // extern "C" 10 | #endif 11 | 12 | VOID hookInterrupt(PVOID newHandler, ULONG number, PUINT_PTR oldHandler); 13 | VOID switchToCPU(CCHAR cpu); -------------------------------------------------------------------------------- /src/NCodeHook/NCodeHookItem.cpp: -------------------------------------------------------------------------------- 1 | #include "NCodeHookItem.h" 2 | 3 | //NCodeHookItem::NCodeHookItem() 4 | //{ 5 | //} 6 | // 7 | //NCodeHookItem::~NCodeHookItem() 8 | //{ 9 | //} 10 | // 11 | //void* NCodeHookItem::getOriginalFunc() 12 | //{ 13 | // return NULL; 14 | //} 15 | // 16 | //void* NCodeHookItem::getTrampolineFunc() 17 | //{ 18 | // return NULL; 19 | //} -------------------------------------------------------------------------------- /src/IDAStealthRemote/IDAStealthRemote.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // minimum OS is Windows 2000 4 | #ifndef _WIN32_WINNT 5 | #define _WIN32_WINNT 0x0500 6 | #endif 7 | 8 | #include 9 | 10 | #pragma warning(disable : 4702) 11 | #include 12 | #pragma warning(default : 4702) 13 | 14 | #include 15 | #include "RemoteStealthServer.h" 16 | #include -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=StealthDriver 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | 7 | # Create browse info 8 | #BROWSER_INFO=1 9 | #BROWSERFILE= 10 | 11 | # Additional defines for the C/C++ preprocessor 12 | C_DEFINES=$(C_DEFINES) 13 | 14 | SOURCES=StealthDriver.cpp \ 15 | StealthImplementation.cpp \ 16 | drvversion.rc 17 | -------------------------------------------------------------------------------- /src/HideDebugger/RemoteEventCommon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // common data structures for remote event inter process communication 4 | 5 | #include 6 | 7 | namespace RemoteEvent 8 | { 9 | struct RemoteEventData 10 | { 11 | std::string functionName; 12 | unsigned int threadID; 13 | }; 14 | 15 | std::string genRemoteEventName(unsigned int processID); 16 | std::string genRemoteEventName(); 17 | } -------------------------------------------------------------------------------- /src/IDAStealth/IPCConfigExchangeCommon.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCConfigExchangeCommon.h" 2 | #include 3 | 4 | namespace IPC 5 | { 6 | std::string getSegmentName(unsigned int processID) 7 | { 8 | std::ostringstream oss; 9 | oss << "HideDebugger" << processID; 10 | return oss.str(); 11 | } 12 | 13 | std::string getSegmentName() 14 | { 15 | return getSegmentName(GetCurrentProcessId()); 16 | } 17 | } -------------------------------------------------------------------------------- /src/IDAStealth/WTLCommon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WINVER 0x0500 4 | #define _WIN32_WINNT 0x0501 5 | 6 | #include 7 | #include 8 | 9 | //#include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #define _WTL_NEW_PAGE_NOTIFY_HANDLERS 17 | #include 18 | #include -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/dummy.c: -------------------------------------------------------------------------------- 1 | // Since the DDK's nmake is limited with directories, we will bypass that with this simple hack. 2 | // Thanks to Razvan Hobeanu. 3 | // Sep 2009. 4 | 5 | #include "x86defs.c" 6 | #include "wstring.c" 7 | #include "textdefs.c" 8 | #include "prefix.c" 9 | #include "operands.c" 10 | #include "insts.c" 11 | #include "instructions.c" 12 | #include "distorm.c" 13 | #include "decoder.c" 14 | -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=RDTSCEmu 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) -DSUPPORT_64BIT_OFFSET 12 | 13 | SOURCES=RDTSCEmu.cpp \ 14 | distorm_dummy.c \ 15 | HookInt.cpp \ 16 | drvversion.rc 17 | 18 | INCLUDES=..\distorm\src; -------------------------------------------------------------------------------- /src/IDAStealth/IDAMessageLogger.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // provides functionality to print messages to IDAs output window 4 | // can be called from any thread safely 5 | 6 | #include 7 | #include 8 | 9 | class IDAMessageLogger 10 | { 11 | public: 12 | IDAMessageLogger(); 13 | ~IDAMessageLogger() {} 14 | 15 | void log(const std::string& str); 16 | 17 | private: 18 | 19 | HWND hIDAWnd_; 20 | unsigned int idaMainThread_; 21 | }; -------------------------------------------------------------------------------- /src/NCodeHook/NCodeHookItem.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | struct NCodeHookItem 6 | { 7 | NCodeHookItem() : OriginalFunc(0), HookFunc(0), PatchSize(0), Trampoline(0) {}; 8 | NCodeHookItem(uintptr_t of, uintptr_t hf, uintptr_t tp, uintptr_t ps) 9 | : OriginalFunc(of), HookFunc(hf), Trampoline(tp), PatchSize(ps) 10 | { 11 | }; 12 | uintptr_t OriginalFunc; 13 | uintptr_t HookFunc; 14 | uintptr_t PatchSize; 15 | uintptr_t Trampoline; 16 | }; -------------------------------------------------------------------------------- /src/HideDebugger/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by HideDebugger.rc 4 | 5 | // Next default values for new objects 6 | // 7 | #ifdef APSTUDIO_INVOKED 8 | #ifndef APSTUDIO_READONLY_SYMBOLS 9 | #define _APS_NEXT_RESOURCE_VALUE 101 10 | #define _APS_NEXT_COMMAND_VALUE 40001 11 | #define _APS_NEXT_CONTROL_VALUE 1001 12 | #define _APS_NEXT_SYMED_VALUE 101 13 | #endif 14 | #endif 15 | -------------------------------------------------------------------------------- /src/IDAStealth/RemoteEventListener.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteEventListener.h" 2 | 3 | IDAStealth::RemoteEventListener::RemoteEventListener() 4 | { 5 | //boost::thread t(boost::bind(&RemoteEventListener::backgroundThread, this)); 6 | } 7 | 8 | IDAStealth::RemoteEventListener::~RemoteEventListener() 9 | { 10 | // exit thread 11 | } 12 | 13 | void IDAStealth::RemoteEventListener::backgroundThread() 14 | { 15 | // create socket, enter infinite loop, read events, set ip and port 16 | } -------------------------------------------------------------------------------- /src/HideDebugger/RemoteEventWriter.cpp: -------------------------------------------------------------------------------- 1 | #include "ObjectTextSerialization.h" 2 | #include "RemoteEventWriter.h" 3 | 4 | using namespace RemoteEvent; 5 | 6 | RemoteEvent::RemoteEventWriter::RemoteEventWriter() : 7 | mq_(boost::interprocess::open_only, genRemoteEventName().c_str()) 8 | { 9 | } 10 | 11 | void RemoteEvent::RemoteEventWriter::sendEvent(const RemoteEventData& /*data*/) const 12 | { 13 | using namespace std; 14 | 15 | //serialize(data, mq_); 16 | //mq_.send() 17 | } -------------------------------------------------------------------------------- /src/HideDebugger/RemoteEventCommon.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteEventCommon.h" 2 | #include 3 | #include 4 | 5 | namespace RemoteEvent 6 | { 7 | // gen unique name for message queue object 8 | std::string genRemoteEventName(unsigned int processID) 9 | { 10 | std::ostringstream oss; 11 | oss << "IDAStealthRemoteEvent" << processID; 12 | return oss.str(); 13 | } 14 | 15 | std::string genRemoteEventName() 16 | { 17 | return genRemoteEventName(GetCurrentProcessId()); 18 | } 19 | } -------------------------------------------------------------------------------- /src/IDAStealth/ResourceItem.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | class ResourceItem 7 | { 8 | public: 9 | ResourceItem(HMODULE hModule, int resourceID, const std::string& resourceType); 10 | ~ResourceItem(); 11 | 12 | void* getData() const; 13 | bool saveDataToFile(const std::string& fileName) const; 14 | size_t getDataSize() const { return size_; }; 15 | 16 | private: 17 | HMODULE hModule_; 18 | int resID_; 19 | std::string resType_; 20 | mutable size_t size_; 21 | }; -------------------------------------------------------------------------------- /src/HideDebugger/RemoteEventWriter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "RemoteEventCommon.h" 5 | //#include 6 | #include 7 | 8 | namespace RemoteEvent 9 | { 10 | class RemoteEventWriter 11 | { 12 | public: 13 | 14 | RemoteEventWriter(); 15 | ~RemoteEventWriter() {} 16 | 17 | void sendEvent(const RemoteEventData& data) const; 18 | 19 | private: 20 | 21 | boost::interprocess::message_queue mq_; 22 | }; 23 | 24 | //typedef boost::shared_ptr RemoteEventWriterPtr; 25 | } -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/insts.h: -------------------------------------------------------------------------------- 1 | /* 2 | insts.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef INSTS_H 10 | #define INSTS_H 11 | 12 | #include "instructions.h" 13 | 14 | /* Root Trie DB */ 15 | extern _InstNode Instructions; 16 | /* 3DNow! Trie DB */ 17 | extern _InstNode Table_0F_0F; 18 | /* NOP/XCHG instruction. */ 19 | extern _InstInfo II_90; 20 | /* LEA instruction. */ 21 | extern _InstInfo II_8D; 22 | 23 | /* See instructions.cpp for more info. */ 24 | 25 | #endif /* INSTS_H */ 26 | -------------------------------------------------------------------------------- /src/IDAStealthRemote/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by IDAStealthRemote.rc 4 | // 5 | #define IDR_RDTSC 101 6 | #define IDR_DRV1 102 7 | #define IDR_STEALTH 102 8 | 9 | // Next default values for new objects 10 | // 11 | #ifdef APSTUDIO_INVOKED 12 | #ifndef APSTUDIO_READONLY_SYMBOLS 13 | #define _APS_NEXT_RESOURCE_VALUE 103 14 | #define _APS_NEXT_COMMAND_VALUE 40001 15 | #define _APS_NEXT_CONTROL_VALUE 1001 16 | #define _APS_NEXT_SYMED_VALUE 101 17 | #endif 18 | #endif 19 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthLogWindow.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // log window which contains all anti-debugging API events 4 | 5 | #include 6 | 7 | class IDAStealthLogWindow 8 | { 9 | public: 10 | 11 | ~IDAStealthLogWindow() {} 12 | 13 | static IDAStealthLogWindow& getInstance() 14 | { 15 | static IDAStealthLogWindow instance_; 16 | return instance_; 17 | } 18 | 19 | void show(); 20 | void addLogEntry(const std::string& entry); 21 | 22 | private: 23 | 24 | IDAStealthLogWindow(); 25 | 26 | IDAStealthLogWindow(IDAStealthLogWindow const&); 27 | IDAStealthLogWindow& operator=(IDAStealthLogWindow const&); 28 | }; 29 | -------------------------------------------------------------------------------- /src/HideDebugger/IPCConfigExchangeReader.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning(disable : 4189) 4 | #include 5 | #pragma warning(default : 4189) 6 | #include 7 | #include "IDAStealth/IPCConfigExchangeCommon.h" 8 | 9 | namespace IPC 10 | { 11 | class IPCConfigExchangeReader 12 | { 13 | public: 14 | 15 | IPCConfigExchangeReader(); 16 | ~IPCConfigExchangeReader() {} 17 | 18 | std::string getConfigFile(); 19 | std::string getProfile(); 20 | unsigned int getIDAProcessID(); 21 | IPC::IPCPEHeaderData getIPCPEHeaderData(); 22 | bool isPERestoreRequired(); 23 | 24 | private: 25 | 26 | boost::interprocess::managed_shared_memory segment_; 27 | }; 28 | } -------------------------------------------------------------------------------- /src/HideDebugger/HideDebugger.h: -------------------------------------------------------------------------------- 1 | // The following ifdef block is the standard way of creating macros which make exporting 2 | // from a DLL simpler. All files within this DLL are compiled with the HIDEDEBUGGER_EXPORTS 3 | // symbol defined on the command line. this symbol should not be defined on any project 4 | // that uses this DLL. This way any other project whose source files include this file see 5 | // HIDEDEBUGGER_API functions as being imported from a DLL, whereas this DLL sees symbols 6 | // defined with this macro as being exported. 7 | #ifdef HIDEDEBUGGER_EXPORTS 8 | #define HIDEDEBUGGER_API __declspec(dllexport) 9 | #else 10 | #define HIDEDEBUGGER_API __declspec(dllimport) 11 | #endif 12 | 13 | HIDEDEBUGGER_API int dummyExport() { return 42; } -------------------------------------------------------------------------------- /src/IDAStealthRemote/RemoteStealthServer.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // implements the IDAStealth remote server 4 | 5 | #include 6 | #include 7 | #include "RemoteStealthConnection.h" 8 | #include "RemoteStealthProtocoll.h" 9 | #include 10 | 11 | namespace RemoteStealth 12 | { 13 | class RemoteStealthServer 14 | { 15 | public: 16 | 17 | RemoteStealthServer(boost::asio::io_service& ioService, unsigned short port); 18 | ~RemoteStealthServer() {} 19 | void run(); 20 | 21 | private: 22 | 23 | void session(RemoteStealthConnectionPtr connection); 24 | 25 | boost::asio::ip::tcp::acceptor acceptor_; 26 | boost::asio::io_service& ioService_; 27 | RemoteStealth::RSProtocolItem protocolItem_; 28 | }; 29 | } -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/wstring.c: -------------------------------------------------------------------------------- 1 | /* 2 | wstring.c 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #include "wstring.h" 10 | 11 | void _FASTCALL_ strcpy_WS(_WString* s, const int8_t* buf) 12 | { 13 | s->pos = (unsigned int)strlen((const char*)buf); 14 | memcpy((int8_t*)s->p, buf, s->pos + 1); 15 | } 16 | 17 | void _FASTCALL_ strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len) 18 | { 19 | s->pos = len; 20 | memcpy((int8_t*)s->p, buf, len + 1); 21 | } 22 | 23 | void _FASTCALL_ strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len) 24 | { 25 | memcpy((int8_t*)&s->p[s->pos], buf, len + 1); 26 | s->pos += len; 27 | } 28 | -------------------------------------------------------------------------------- /src/IDAStealth/RemoteEventListener.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // creates a TCP server to listen for remote events sent from the injected dll 4 | // automatically spawns a background thread to handle the blocking socket calls 5 | 6 | #include 7 | #pragma warning(disable : 4244 4512) 8 | #include 9 | #pragma warning(default : 4244 4512) 10 | #include 11 | 12 | namespace IDAStealth 13 | { 14 | class RemoteEventListener 15 | { 16 | public: 17 | 18 | RemoteEventListener(); 19 | ~RemoteEventListener(); 20 | 21 | std::string getIP() const { return ip_; } 22 | int getPort() const { return port_; } 23 | 24 | private: 25 | 26 | void backgroundThread(); 27 | std::string ip_; 28 | int port_; 29 | }; 30 | } -------------------------------------------------------------------------------- /src/IDAStealth/DriverControl.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "ResourceItem.h" 5 | 6 | class DriverControl 7 | { 8 | public: 9 | 10 | DriverControl(); 11 | ~DriverControl(); 12 | void startDriver(const ResourceItem& ri, const std::string& driverName); 13 | void stopDriver(); 14 | void setMode(unsigned int ioctlCode, void* param, size_t paramSize) const; 15 | std::string getDriverPath() const { return driverPath_; } 16 | bool isRunning() const { return running_; } 17 | 18 | private: 19 | 20 | bool running_; 21 | std::string driverPath_; 22 | std::string driverName_; 23 | std::string genRandomDrvName() const; 24 | void controlDriver(const std::string& driverPath, const std::string& driverName, bool load) const; 25 | void throwSysError(unsigned int lastError, const std::string& msg) const; 26 | }; 27 | -------------------------------------------------------------------------------- /src/NInjectLib/RemoteLibCall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #include "InjectLib.h" 7 | #include "GenericInjector.h" 8 | #include "Process.h" 9 | 10 | const int MaxFuncNameLength = 42; 11 | 12 | // class to perform a procedure call to an dll which was previously injected into a remote process 13 | class RemoteLibCall 14 | { 15 | public: 16 | RemoteLibCall(const InjectLibrary& library, const Process& process); 17 | ~RemoteLibCall(); 18 | bool remoteCall(const std::string& functionName); 19 | bool remoteCall(unsigned int exportNumber); 20 | 21 | private: 22 | bool remoteCall(); 23 | INJECT_DATAPAYLOAD createDataPayload(); 24 | INJECT_CODEPAYLOAD createCodePayload(); 25 | 26 | Process process_; 27 | HMODULE hDll_; 28 | std::string functionName_; 29 | int functionNumber_; 30 | }; 31 | -------------------------------------------------------------------------------- /src/IDAStealth/RDTSCDriver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "ResourceItem.h" 6 | 7 | class RDTSCDriver 8 | { 9 | public: 10 | 11 | RDTSCDriver(); 12 | ~RDTSCDriver(); 13 | void startDriver(const ResourceItem& ri, const std::string& driverName); 14 | void stopDriver(); 15 | bool setMode(RDTSCMode mode, unsigned int param) const; 16 | std::string getDriverPath() const { return driverPath_; } 17 | bool isRunning() const { return running_; } 18 | 19 | private: 20 | 21 | bool running_; 22 | std::string driverPath_; 23 | std::string driverName_; 24 | std::string genRandomDrvName() const; 25 | void controlDriver(const std::string& driverPath, const std::string& driverName, bool load) const; 26 | void throwSysError(unsigned int lastError, const std::string& msg) const; 27 | }; 28 | -------------------------------------------------------------------------------- /src/NInjectLib/InjectLib.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #include "GenericInjector.h" 7 | #include "Process.h" 8 | 9 | // class to inject a dll into a remote process which is already running 10 | class InjectLibrary 11 | { 12 | public: 13 | InjectLibrary(const std::string& fileName, const Process& process); 14 | InjectLibrary(HMODULE hRemoteLib, const Process& process); 15 | ~InjectLibrary(); 16 | HMODULE getDllHandle() const; 17 | const Process& getProcess() const; 18 | bool injectLib(); 19 | bool unloadLib(); 20 | 21 | private: 22 | INJECT_DATAPAYLOAD createLoadLibData(); 23 | INJECT_CODEPAYLOAD createLoadLibCode(); 24 | INJECT_DATAPAYLOAD createUnloadLibData(); 25 | INJECT_CODEPAYLOAD createUnloadLibCode(); 26 | 27 | std::string fileName_; 28 | Process process_; 29 | HMODULE hDll_; 30 | }; 31 | -------------------------------------------------------------------------------- /src/IDAStealth/IPCConfigExchangeWriter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning(disable : 4189) 4 | #include 5 | #pragma warning(default : 4189) 6 | #include 7 | #include "IPCConfigExchangeCommon.h" 8 | 9 | namespace IPC 10 | { 11 | class IPCConfigExchangeWriter 12 | { 13 | public: 14 | 15 | IPCConfigExchangeWriter(unsigned int processID); 16 | ~IPCConfigExchangeWriter() {} 17 | void setConfigFile(const std::string& configFile); 18 | void setProfile(const std::string& profile); 19 | void setIDAProcessID(unsigned int processID); 20 | void setIPCPEHeaderData(const IPCPEHeaderData& headerData); 21 | void setPERestoreRequired(bool required); 22 | void remove(); 23 | 24 | private: 25 | 26 | boost::interprocess::managed_shared_memory segment_; 27 | unsigned int processID_; 28 | }; 29 | } -------------------------------------------------------------------------------- /src/NInjectLib/GenericInjector.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "Process.h" 5 | 6 | struct INJECT_DATAPAYLOAD 7 | { 8 | void* data; 9 | size_t size; 10 | }; 11 | 12 | struct INJECT_CODEPAYLOAD 13 | { 14 | void* code; 15 | size_t size; 16 | }; 17 | 18 | // abstract base class for injection of code and data into a remote process 19 | // derived classes need to implement methods that generate specific code and data payload 20 | class GenericInjector 21 | { 22 | public: 23 | GenericInjector(const Process& process); 24 | ~GenericInjector(); 25 | 26 | void doInjection(INJECT_DATAPAYLOAD dataPayload, INJECT_CODEPAYLOAD codePayload); 27 | void* getAddrOfData() const; 28 | void* getAddrOfCode() const; 29 | 30 | private: 31 | void freeMem(); 32 | Process process_; 33 | void* injectedData_; 34 | void* injectedCode_; 35 | }; 36 | -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/operands.h: -------------------------------------------------------------------------------- 1 | /* 2 | operands.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef OPERANDS_H 10 | #define OPERANDS_H 11 | 12 | #include "../config.h" 13 | 14 | #include "decoder.h" 15 | #include "prefix.h" 16 | #include "wstring.h" 17 | #include "instructions.h" 18 | 19 | /* Return codes from extract_operand. */ 20 | typedef enum {EO_HALT, EO_CONTINUE, EO_SUFFIX} _ExOpRCType; 21 | 22 | _ExOpRCType extract_operand(_CodeInfo* ci, 23 | _WString* instructionHex, _WString* operandText, _OpType type, _OpType op2, 24 | _OperandNumberType opNum, _iflags instFlags, unsigned int modrm, 25 | _PrefixState* ps, _DecodeType dt, int* lockableInstruction); 26 | 27 | #endif /* OPERANDS_H */ 28 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAMessageLogger.cpp: -------------------------------------------------------------------------------- 1 | #include "IDAMessageLogger.h" 2 | #include "IDACommon.h" 3 | 4 | namespace 5 | { 6 | const int TimerIntervall = 66; 7 | std::string message_; 8 | } 9 | 10 | IDAMessageLogger::IDAMessageLogger() 11 | { 12 | hIDAWnd_ = (HWND)callui(ui_get_hwnd).vptr; 13 | idaMainThread_ = GetWindowThreadProcessId(hIDAWnd_, NULL); 14 | } 15 | 16 | static void CALLBACK timerCallbackProc(HWND hwnd, UINT, UINT idTimer, DWORD) 17 | { 18 | if (message_.size()) 19 | { 20 | msg("%s", message_.c_str()); 21 | message_ = ""; 22 | } 23 | KillTimer(hwnd, idTimer); 24 | } 25 | 26 | void IDAMessageLogger::log(const std::string& str) 27 | { 28 | if (GetCurrentThreadId() == idaMainThread_) msg(str.c_str()); 29 | else 30 | { 31 | message_ = str; 32 | UINT_PTR id = SetTimer(0, 0, TimerIntervall, NULL); 33 | SetTimer(hIDAWnd_, id, TimerIntervall, (TIMERPROC)timerCallbackProc); 34 | } 35 | } -------------------------------------------------------------------------------- /src/IDAStealthRemote/RemoteStealthClient.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // implements the IDAStealth remote client 4 | 5 | #include 6 | #include 7 | #include "RemoteStealthConnection.h" 8 | #include "RemoteStealthProtocoll.h" 9 | 10 | namespace RemoteStealth 11 | { 12 | class RemoteStealthClient 13 | { 14 | public: 15 | 16 | RemoteStealthClient(boost::asio::io_service& ioService, 17 | boost::asio::ip::tcp::resolver::iterator endPointIterator); 18 | ~RemoteStealthClient() {} 19 | 20 | void sendData(const RSProtocolItem& item); 21 | void connect(); 22 | 23 | private: 24 | 25 | void sendShit(const boost::asio::const_buffer& data); 26 | 27 | RemoteStealthClient& operator=(const RemoteStealthClient &); 28 | boost::asio::io_service& ioService_; 29 | boost::asio::ip::tcp::resolver::iterator endPointIterator_; 30 | RemoteStealthConnectionPtr connection_; 31 | }; 32 | } -------------------------------------------------------------------------------- /src/IDAStealthRemote/RemoteStealthSession.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // used in the remote stealth scenario on the server side 4 | 5 | #include 6 | #include 7 | #include 8 | #include "RemoteStealthProtocoll.h" 9 | 10 | namespace RemoteStealth 11 | { 12 | class RemoteStealthSession : public IDAStealth::StealthSession 13 | { 14 | public: 15 | 16 | RemoteStealthSession(); 17 | ~RemoteStealthSession() {} 18 | 19 | void handleDbgAttach(const RSProtocolItem& item); 20 | void handleProcessStart(const RSProtocolItem& item); 21 | 22 | private: 23 | 24 | std::string stealthDll_; 25 | 26 | void logString(const std::string& str); 27 | ResourceItem getRDTSCDriverResource(); 28 | ResourceItem getStealthDriverResource(); 29 | std::string getStealthDllPath(); 30 | std::string serializeConfig(const std::string& configStr); 31 | }; 32 | } -------------------------------------------------------------------------------- /src/HideDebugger/HideDebugger.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HideDebugger", "HideDebugger.vcxproj", "{59339E37-7C43-4CD2-B7B5-DF10D9197655}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.Debug|Win32.Build.0 = Debug|Win32 14 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.Release|Win32.ActiveCfg = Release|Win32 15 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/IDAStealthRemote/IDAStealthRemote.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "IDAStealthRemote", "IDAStealthRemote.vcxproj", "{5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}.Debug|Win32.Build.0 = Debug|Win32 14 | {5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}.Release|Win32.ActiveCfg = Release|Win32 15 | {5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/IDAStealthRemote/IDAStealthRemote.cpp: -------------------------------------------------------------------------------- 1 | // IDAStealthRemote.cpp : Defines the entry point for the console application. 2 | // 3 | 4 | #include "IDAStealthRemote.h" 5 | #include 6 | 7 | using namespace std; 8 | 9 | int _tmain(int argc, char* argv[]) 10 | { 11 | try 12 | { 13 | if (!boost::filesystem::exists("HideDebugger.dll")) 14 | { 15 | cout << "HideDebugger.dll not found...terminating" << endl; 16 | return 1; 17 | } 18 | cout << "IDAStealth remote server v1.3, Jan Newger, 2009-2010" << endl << endl; 19 | unsigned short port = 4242; 20 | if (argc == 2) port = boost::lexical_cast(argv[1]); 21 | else cout << "Usage: IDAStealthRemote.exe " << endl 22 | << "Using standard port " << port << endl; 23 | cout << "Starting server..." << endl; 24 | 25 | boost::asio::io_service ioService; 26 | RemoteStealth::RemoteStealthServer server(ioService, port); 27 | server.run(); 28 | } 29 | catch (const exception& e) 30 | { 31 | cerr << e.what() << endl; 32 | } 33 | return 0; 34 | } -------------------------------------------------------------------------------- /src/IDAStealth/IPCConfigExchangeCommon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | namespace IPC 7 | { 8 | static const size_t SegmentSize = 4096; 9 | static const char* ConfigFileDataStr = "HideDebuggerPathStrData212"; 10 | static const char* ConfigFileProfileStr = "ProfileName"; 11 | static const char* IDAProcessIDStr = "IDAProcessID"; 12 | static const char* PEHeaderDataStr = "PEHeaderData"; 13 | static const char* PERestoreRequiredStr = "PERestore"; 14 | static const size_t ConfigDataSegmentSize = 2048; 15 | static const size_t ConfigProfileSegmentSize = 128; 16 | 17 | std::string getSegmentName(unsigned int processID); 18 | std::string getSegmentName(); 19 | 20 | // TODO: store everything in one struct (path, profile, etc) 21 | struct IPCPEHeaderData 22 | { 23 | IPCPEHeaderData() : imageBase(0) {} 24 | 25 | IPCPEHeaderData(uintptr_t base, const IMAGE_NT_HEADERS& headers) : 26 | imageBase(base), 27 | ntHeaders(headers) {} 28 | 29 | uintptr_t imageBase; 30 | IMAGE_NT_HEADERS ntHeaders; 31 | }; 32 | } -------------------------------------------------------------------------------- /src/IDAStealth/ResourceItem.cpp: -------------------------------------------------------------------------------- 1 | #include "ResourceItem.h" 2 | 3 | using namespace std; 4 | 5 | ResourceItem::ResourceItem(HMODULE hModule, int resourceID, const std::string& resourceType) : 6 | hModule_(hModule), 7 | resID_(resourceID), 8 | resType_(resourceType) 9 | { 10 | } 11 | 12 | ResourceItem::~ResourceItem() 13 | { 14 | } 15 | 16 | void* ResourceItem::getData() const 17 | { 18 | size_ = 0; 19 | HRSRC hResInfo = FindResource(hModule_, (LPCTSTR)resID_, resType_.c_str()); 20 | if (!hResInfo) return NULL; 21 | 22 | HGLOBAL resData = LoadResource(hModule_, hResInfo); 23 | if (!resData) return NULL; 24 | 25 | void* dataPtr = LockResource(resData); 26 | if (dataPtr) size_ = SizeofResource(hModule_, hResInfo); 27 | return dataPtr; 28 | } 29 | 30 | bool ResourceItem::saveDataToFile(const string& fileName) const 31 | { 32 | bool retVal = false; 33 | void* dataPtr = getData(); 34 | if (!dataPtr) return false; 35 | 36 | FILE* hFile; 37 | fopen_s(&hFile, fileName.c_str(), "wb"); 38 | if (!hFile) return false; 39 | 40 | if (fwrite(dataPtr, size_, 1, hFile)) retVal = true; 41 | fclose(hFile); 42 | 43 | return retVal; 44 | } -------------------------------------------------------------------------------- /src/NInjectLib/Readme.txt: -------------------------------------------------------------------------------- 1 | http://newgre.net/ninjectlib 2 | 3 | About N-InjectLib 4 | N-InjectLib is a library written in C++ which allows for injecting dynamic link libraries into a remote (i.e. foreign) process. 5 | Two techniques are available to inject a dll: the target process can be started by using the library so the first dll loaded actually is the dll to be injected, or dlls can be injected anytime while the target process is running. 6 | 7 | Changelog 8 | 07/16/2011 - v1.0.5 9 | 10 | Bugfix: Injection didn't work if the size size field of the import directory was wrong 11 | 02/14/2010 - v1.0.4 12 | 13 | Improved: Injection now also works with .NET applications 14 | Bugfix: Example was broken 15 | 11/16/2009 - v1.0.3 16 | 17 | Bugfix: Injection failed if issued from non-Administrator account 18 | Improved: Method to retrieve IBA of remote process more robust 19 | Added: Simple example on how to use the library 20 | 07/14/2008 - v1.0.2 21 | 22 | Bugfix: Injection failed if new IMAGE_IMPORT_DESCRIPTOR was outside existing sections 23 | Bugfix: Injection failed if executable had bound imports 24 | 07/06/2008 - v1.0.1 25 | 26 | Bugfix: Injection failed if IMAGE_DIRECTORY_ENTRY_IAT was zero, which is true for most packed PE images 27 | 05/19/2008 - v1.0 28 | 29 | First release -------------------------------------------------------------------------------- /src/IDAStealthRemote/RemoteStealthClient.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "HideDebugger/ObjectTextSerialization.h" 4 | #include "RemoteStealthClient.h" 5 | 6 | RemoteStealth::RemoteStealthClient::RemoteStealthClient(boost::asio::io_service& ioService, 7 | boost::asio::ip::tcp::resolver::iterator endPointIterator) : 8 | ioService_(ioService) 9 | { 10 | endPointIterator_ = endPointIterator; 11 | } 12 | 13 | void RemoteStealth::RemoteStealthClient::sendData(const RSProtocolItem& item) 14 | { 15 | // test 16 | //using namespace RemoteEvent; 17 | //RSProtocolItem testItem; 18 | //deserialize(testItem, boost::bind(&RemoteStealthClient::sendShit, this, _1)); 19 | // end test 20 | connection_->syncWrite(item); 21 | 22 | RSProtocolResponse response; 23 | connection_->syncRead(response); 24 | if (!response.success) 25 | throw std::runtime_error("Error while performing remote command: " + response.error); 26 | } 27 | 28 | void RemoteStealth::RemoteStealthClient::sendShit(const boost::asio::const_buffer& /*data*/) 29 | { 30 | // send over boost::asio 31 | } 32 | 33 | void RemoteStealth::RemoteStealthClient::connect() 34 | { 35 | connection_ = RemoteStealthConnectionPtr(new RemoteStealthConnection(ioService_)); 36 | connection_->socket().connect(*endPointIterator_); 37 | } -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthChooseDialog.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "WTLCommon.h" 5 | #include "IDAStealthOptionsDialog.h" 6 | #include "IDAStealthLogWindow.h" 7 | 8 | class CIDAStealthChooseDialog : public CDialogImpl 9 | { 10 | public: 11 | 12 | enum { IDD = IDD_CHOOSE }; 13 | 14 | CIDAStealthChooseDialog(HWND hWndParent) : hWndParent_(hWndParent) {} 15 | ~CIDAStealthChooseDialog() {} 16 | 17 | private: 18 | 19 | LRESULT OnClose(WORD /*wNotifyCode*/, WORD wID, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 20 | { 21 | EndDialog(wID); 22 | return 0; 23 | } 24 | 25 | LRESULT OnOptions(WORD /*wNotifyCode*/, WORD wID, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 26 | { 27 | EndDialog(wID); 28 | CIDAStealthOptionsDialog dlg("IDAStealth v1.3"); 29 | dlg.DoModal(hWndParent_); 30 | return 0; 31 | } 32 | 33 | LRESULT OnLog(WORD /*wNotifyCode*/, WORD wID, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 34 | { 35 | IDAStealthLogWindow& logWnd = IDAStealthLogWindow::getInstance(); 36 | logWnd.show(); 37 | EndDialog(wID); 38 | return 0; 39 | } 40 | 41 | BEGIN_MSG_MAP(CIDAStealthChooseDialog) 42 | COMMAND_ID_HANDLER(IDC_OPTIONS, OnOptions) 43 | COMMAND_ID_HANDLER(IDC_LOG, OnLog) 44 | COMMAND_ID_HANDLER(IDC_CLOSE, OnClose) 45 | END_MSG_MAP() 46 | 47 | HWND hWndParent_; 48 | }; -------------------------------------------------------------------------------- /src/HideDebugger/IPCConfigExchangeReader.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCConfigExchangeReader.h" 2 | 3 | using namespace IPC; 4 | 5 | IPCConfigExchangeReader::IPCConfigExchangeReader() 6 | { 7 | using namespace boost::interprocess; 8 | segment_ = managed_shared_memory(open_read_only, IPC::getSegmentName().c_str()); 9 | } 10 | 11 | std::string IPCConfigExchangeReader::getConfigFile() 12 | { 13 | std::pair dataPtr = segment_.find(IPC::ConfigFileDataStr); 14 | return std::string(dataPtr.first); 15 | } 16 | 17 | unsigned int IPCConfigExchangeReader::getIDAProcessID() 18 | { 19 | std::pair dataPtr = segment_.find(IPC::IDAProcessIDStr); 20 | return *(dataPtr.first); 21 | } 22 | 23 | std::string IPCConfigExchangeReader::getProfile() 24 | { 25 | std::pair dataPtr = segment_.find(IPC::ConfigFileProfileStr); 26 | return std::string(dataPtr.first); 27 | } 28 | 29 | IPC::IPCPEHeaderData IPCConfigExchangeReader::getIPCPEHeaderData() 30 | { 31 | std::pair dataPtr = 32 | segment_.find(IPC::PEHeaderDataStr); 33 | return *dataPtr.first; 34 | } 35 | 36 | bool IPC::IPCConfigExchangeReader::isPERestoreRequired() 37 | { 38 | std::pair dataPtr = segment_.find(IPC::PERestoreRequiredStr); 39 | return *(dataPtr.first); 40 | } -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/decoder.h: -------------------------------------------------------------------------------- 1 | /* 2 | decoder.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef DECODER_H 10 | #define DECODER_H 11 | 12 | #include "../config.h" 13 | 14 | #include "wstring.h" 15 | 16 | typedef unsigned int _iflags; 17 | 18 | /* DEFAULT instructions decoding mode. */ 19 | typedef enum {Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2} _DecodeType; 20 | 21 | typedef OFFSET_INTEGER _OffsetType; 22 | 23 | typedef struct { 24 | _WString mnemonic; 25 | _WString operands; 26 | _WString instructionHex; 27 | unsigned int size; 28 | _OffsetType offset; 29 | } _DecodedInst; 30 | 31 | typedef struct { 32 | const uint8_t* code; 33 | int codeLen; 34 | _OffsetType codeOffset; 35 | } _CodeInfo; 36 | 37 | typedef enum {DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR} _DecodeResult; 38 | _DecodeResult internal_decode(_OffsetType codeOffset, const uint8_t* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxResultCount, unsigned int* usedEntriesCount); 39 | 40 | _DecodeType ADDR_SIZE_AFFECT(_DecodeType dt, _iflags totalPrefixes); 41 | _DecodeType OP_SIZE_AFFECT(_DecodeType dt, _iflags totalPrefixes, unsigned int rex, _iflags instFlags); 42 | 43 | #endif /* DECODER_H */ 44 | -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/wstring.h: -------------------------------------------------------------------------------- 1 | /* 2 | wstring.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef WSTRING_H 10 | #define WSTRING_H 11 | 12 | #include "../config.h" 13 | 14 | /* Make sure the buffer isn't overflowed. */ 15 | #define MAX_TEXT_SIZE (60) 16 | 17 | typedef struct { 18 | unsigned int pos; 19 | int8_t p[MAX_TEXT_SIZE]; 20 | } _WString; 21 | 22 | /* 23 | * Warning, this macro should be used only when the compiler knows the size of string in advance! 24 | * This macro is used in order to spare the call to strlen when the strings are known already. 25 | * Note: sizeof includes NULL terminated character. 26 | */ 27 | #define strcat_WSN(s, t) strcatlen_WS((s), (t), sizeof((t))-1) 28 | #define strcpy_WSN(s, t) strcpylen_WS((s), (t), sizeof((t))-1) 29 | 30 | void _FASTCALL_ strcpy_WS(_WString* s, const int8_t* buf); 31 | void _FASTCALL_ strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len); 32 | void _FASTCALL_ strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len); 33 | 34 | _INLINE_ void strclear_WS(_WString* s) 35 | { 36 | s->p[0] = '\0'; 37 | s->pos = 0; 38 | } 39 | 40 | _INLINE_ void chrcat_WS(_WString* s, uint8_t ch) 41 | { 42 | s->p[s->pos] = ch; 43 | s->p[s->pos + 1] = '\0'; 44 | s->pos += 1; 45 | } 46 | 47 | 48 | #endif /* WSTRING_H */ 49 | -------------------------------------------------------------------------------- /src/HideDebugger/IPCConfigExchange.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning(disable : 4189) 4 | #include 5 | #pragma warning(default : 4189) 6 | #include 7 | #include 8 | 9 | // TODO: store everything in one struct 10 | struct IPCPEHeaderData 11 | { 12 | IPCPEHeaderData() : imageBase(0) {} 13 | 14 | IPCPEHeaderData(uintptr_t base, const IMAGE_NT_HEADERS& headers) : 15 | imageBase(base), 16 | ntHeaders(headers) {} 17 | 18 | uintptr_t imageBase; 19 | IMAGE_NT_HEADERS ntHeaders; 20 | }; 21 | 22 | class IPCConfigExchangeWriter 23 | { 24 | public: 25 | 26 | IPCConfigExchangeWriter(unsigned int processID); 27 | ~IPCConfigExchangeWriter(); 28 | void setConfigFile(const std::string& configFile); 29 | void setProfile(const std::string& profile); 30 | void setIDAProcessID(unsigned int processID); 31 | void setIPCPEHeaderData(const IPCPEHeaderData& headerData); 32 | 33 | private: 34 | 35 | boost::interprocess::managed_shared_memory segment_; 36 | unsigned int processID_; 37 | }; 38 | 39 | class IPCConfigExchangeReader 40 | { 41 | public: 42 | 43 | IPCConfigExchangeReader(); 44 | ~IPCConfigExchangeReader() {} 45 | 46 | std::string getConfigFile(); 47 | std::string getProfile(); 48 | unsigned int getIDAProcessID(); 49 | IPCPEHeaderData getIPCPEHeaderData(); 50 | 51 | private: 52 | 53 | boost::interprocess::managed_shared_memory segment_; 54 | }; -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/pydistorm.h: -------------------------------------------------------------------------------- 1 | /* 2 | pydistorm.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef PYDISTORM_H 10 | #define PYDISTORM_H 11 | 12 | #ifdef SUPPORT_64BIT_OFFSET 13 | /* 14 | * PyArg_ParseTuple/Py_BuildValue uses a format string in order to parse/build the offset. 15 | * type: int 64 16 | */ 17 | #define _PY_OFF_INT_SIZE_ "K" 18 | #else 19 | #define _PY_OFF_INT_SIZE_ "k" 20 | #endif 21 | 22 | #include "decoder.h" 23 | 24 | #ifdef __GNUC__ 25 | #include 26 | #elif _MSC_VER 27 | #include 28 | #endif 29 | 30 | PyObject* distorm_Decode(PyObject* pSelf, PyObject* pArgs); 31 | 32 | char distorm_Decode_DOCSTR[] = 33 | "Disassemble a given buffer.\r\n" 34 | #ifdef SUPPORT_64BIT_OFFSET 35 | "Decode(INT64 offset, string code, int type)\r\n" 36 | #else 37 | "Decode(unsigned long offset, string code, int type)\r\n" 38 | #endif 39 | "type:\r\n" 40 | " Decode16Bits - 16 bits decoding.\r\n" 41 | " Decode32Bits - 32 bits decoding.\r\n" 42 | " Decode64Bits - AMD64 decoding.\r\n" 43 | "Returns a list of tuples of offset, size, mnemonic and hex string.\r\n"; 44 | 45 | static PyMethodDef distormModulebMethods[] = { 46 | {"Decode", distorm_Decode, METH_VARARGS, distorm_Decode_DOCSTR}, 47 | {NULL, NULL, 0, NULL} 48 | }; 49 | 50 | #endif /* PYDISTORM_H */ 51 | 52 | -------------------------------------------------------------------------------- /src/IDAStealth/WTLInputBox.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "WTLCommon.h" 6 | 7 | class CWTLInputBox : 8 | public CDialogImpl, 9 | public CWinDataExchange 10 | { 11 | public: 12 | 13 | enum { IDD = IDD_INPUTBOX }; 14 | 15 | CWTLInputBox() {} 16 | ~CWTLInputBox() {} 17 | 18 | std::string getInput() const 19 | { 20 | if (txt_.GetLength()) 21 | { 22 | std::string retVal = (const char*)txt_; 23 | return retVal; 24 | } 25 | else return ""; 26 | } 27 | 28 | private: 29 | 30 | LRESULT OnOkClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 31 | { 32 | DoDataExchange(TRUE); 33 | EndDialog(0); 34 | return 0; 35 | } 36 | 37 | LRESULT OnCancelClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 38 | { 39 | txt_ = ""; 40 | EndDialog(0); 41 | return 0; 42 | } 43 | 44 | BOOL OnInitDialog(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/) 45 | { 46 | DoDataExchange(FALSE); 47 | return TRUE; 48 | } 49 | 50 | WTL::CString txt_; 51 | 52 | BEGIN_DDX_MAP(CWTLInputBox) 53 | DDX_TEXT(IDC_EDITBOX, txt_) 54 | END_DDX_MAP() 55 | 56 | BEGIN_MSG_MAP(CWTLInputBox) 57 | MESSAGE_HANDLER(WM_INITDIALOG, OnInitDialog) 58 | COMMAND_HANDLER(IDOK, BN_CLICKED, OnOkClick) 59 | COMMAND_HANDLER(IDCANCEL, BN_CLICKED, OnCancelClick) 60 | END_MSG_MAP() 61 | }; -------------------------------------------------------------------------------- /src/IniFileAccess/IniFileAccess.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | class IniFileAccess 8 | { 9 | public: 10 | 11 | IniFileAccess(const std::string& iniFile, const std::string& currentSection=""); 12 | ~IniFileAccess(); 13 | 14 | void setSection(const std::string& currentSection); 15 | bool wipeSection(const std::string& section) const; 16 | 17 | bool writeValue(const std::string& key, const std::string& value) const; 18 | bool writeValue(const std::string& key, int value) const; 19 | bool writeValue(const std::string& key, const BYTE* value, DWORD dataLen) const; 20 | bool writeValue(const std::string& key, bool value) const; 21 | 22 | bool readValue(const std::string& key, std::string& value) const; 23 | bool readValue(const std::string& key, int& vallue) const; 24 | bool readValue(const std::string& key, BYTE* value, DWORD dataLen) const; 25 | bool readValue(const std::string& key, bool& value) const; 26 | 27 | size_t getDataLength(const std::string& key); 28 | std::string getFileName() { return fileName_; } 29 | std::string getCurrentSection() { return section_; } 30 | std::vector getSections() const; 31 | 32 | private: 33 | 34 | bool writePrivateProfileString(const std::string& key, const std::string& value) const; 35 | bool readPrivateProfileString(const std::string& key, std::string& value) const; 36 | std::string section_; 37 | std::string fileName_; 38 | }; -------------------------------------------------------------------------------- /src/HideDebugger/HookHelper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "ntdll.h" 6 | 7 | // forward declarations 8 | 9 | void dbgPrint(const std::string& msg); 10 | DWORD handleToProcessID(HANDLE hProcess); 11 | DWORD handleToThreadID(HANDLE hThread); 12 | std::wstring getProcessName(); 13 | void restoreNTHeaders(); 14 | bool isHandleValid(HANDLE handle); 15 | 16 | // original function pointers 17 | 18 | extern NtQueryInformationProcessFPtr origNtQueryInformationProcess; 19 | extern NtSetInformationThreadFPtr origNtSetInformationThread; 20 | extern NtQueryObjectFPtr origNtQueryObject; 21 | extern NtCloseFPtr origNtClose; 22 | extern NtQuerySystemInformationFPtr origNtQuerySystemInformation; 23 | extern OutputDebugStringAFPtr origOutputDebugStringA; 24 | extern OutputDebugStringWFPtr origOutputDebugStringW; 25 | extern OpenProcessFPtr origOpenProcess; 26 | extern KiUserExceptionDispatcherFPtr origKiUserExceptDisp; 27 | extern NtSetContextThreadFPtr origSetThreadContext; 28 | extern NtGetContextThreadFPtr origGetThreadContext; 29 | extern NtYieldExecutionFPtr origNtYieldExecution; 30 | extern FindWindowAFPtr origFindWindowA; 31 | extern FindWindowWFPtr origFindWindowW; 32 | extern FindWindowExAFPtr origFindWindowExA; 33 | extern FindWindowExWFPtr origFindWindowExW; 34 | extern EnumWindowsFPtr origEnumWindows; 35 | 36 | extern const char* NTDLL; 37 | extern const char* K32DLL; 38 | extern const char* U32DLL; 39 | 40 | extern NCodeHookIA32 nCodeHook; -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthRDTSCPage.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "WTLCommon.h" 5 | #include "IDAStealthPropertyPage.h" 6 | #include 7 | #include "resource.h" 8 | 9 | class CIDAStealthRDTSCPage : 10 | public CIDAStealthPropertyPage 11 | { 12 | public: 13 | 14 | CIDAStealthRDTSCPage(CIDAStealthOptionsDialog* parentDlg) : 15 | CIDAStealthPropertyPage(parentDlg) {} 16 | ~CIDAStealthRDTSCPage() {} 17 | 18 | protected: 19 | 20 | void updateGlobalEnableState(bool globalEnable); 21 | void loadPageConfig(); 22 | bool savePageConfig(); 23 | 24 | private: 25 | 26 | typedef CIDAStealthPropertyPage BasePropertyPage; 27 | 28 | BEGIN_MSG_MAP(CIDAStealthRDTSCPage) 29 | COMMAND_HANDLER(IDC_RDTSC, BN_CLICKED, OnRDTSCClick) 30 | CHAIN_MSG_MAP(CPropertyPageImpl) 31 | CHAIN_MSG_MAP(BasePropertyPage) 32 | END_MSG_MAP() 33 | 34 | BEGIN_DDX_MAP(CIDAStealthRDTSCPage) 35 | DDX_CHECK(IDC_RDTSC, useRDTSC_) 36 | DDX_RADIO(IDC_RDTSC_ZERO, rdbIndex_) 37 | DDX_CHECK(IDC_UNLOAD_DRIVER, unloadDriver_) 38 | DDX_CHECK(IDC_RAND_NAME, randomizeName_) 39 | DDX_INT(IDC_RDTSC_DELTA, rdtscDelta_) 40 | END_DDX_MAP() 41 | 42 | void updateRDBs(HWND hWndCheckBox); 43 | LRESULT OnRDTSCClick(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 44 | 45 | bool useRDTSC_; 46 | bool unloadDriver_; 47 | bool randomizeName_; 48 | int rdtscDelta_; 49 | int rdbIndex_; 50 | }; -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/drvcommon.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Useful macros 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Author: ddkwizard.assarbad.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVCOMMON_H_VERSION__ 13 | #define __DRVCOMMON_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | #define _ANSISTRING(text) #text 21 | #define ANSISTRING(text) _ANSISTRING(text) 22 | 23 | #define _WIDESTRING(text) L##text 24 | #define WIDESTRING(text) _WIDESTRING(text) 25 | 26 | #define PRESET_UNICODE_STRING(symbol, buffer) \ 27 | UNICODE_STRING symbol = \ 28 | { \ 29 | sizeof(WIDESTRING(buffer)) - sizeof(WCHAR), \ 30 | sizeof(WIDESTRING(buffer)), \ 31 | WIDESTRING(buffer) \ 32 | }; 33 | 34 | #define CREATE_XVER(maj,min,build) maj ## , ## min ## , 0, ## build 35 | #define CREATE_FVER(maj,min,build) maj ## . ## min ## .0. ## build 36 | #define CREATE_PVER(maj,min,build) maj ## . ## min 37 | 38 | #if DBG 39 | #ifdef ADVANCED_DEBUG 40 | #define DebugPrint DbgPrint("[%s] %s (line: %d)\n", __##FILE##__, __##FUNCTION##__, __##LINE##__); DbgPrint 41 | #else 42 | #define DebugPrint DbgPrint 43 | #endif 44 | #else 45 | #define DebugPrint /##/DbgPrint 46 | #endif 47 | 48 | #endif // __DRVCOMMON_H_VERSION__ 49 | -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/drvcommon.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Useful macros 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Author: ddkwizard.assarbad.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVCOMMON_H_VERSION__ 13 | #define __DRVCOMMON_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | #define _ANSISTRING(text) #text 21 | #define ANSISTRING(text) _ANSISTRING(text) 22 | 23 | #define _WIDESTRING(text) L##text 24 | #define WIDESTRING(text) _WIDESTRING(text) 25 | 26 | #define PRESET_UNICODE_STRING(symbol, buffer) \ 27 | UNICODE_STRING symbol = \ 28 | { \ 29 | sizeof(WIDESTRING(buffer)) - sizeof(WCHAR), \ 30 | sizeof(WIDESTRING(buffer)), \ 31 | WIDESTRING(buffer) \ 32 | }; 33 | 34 | #define CREATE_XVER(maj,min,build) maj ## , ## min ## , 0, ## build 35 | #define CREATE_FVER(maj,min,build) maj ## . ## min ## .0. ## build 36 | #define CREATE_PVER(maj,min,build) maj ## . ## min 37 | 38 | #if DBG 39 | #ifdef ADVANCED_DEBUG 40 | #define DebugPrint DbgPrint("[%s] %s (line: %d)\n", __##FILE##__, __##FUNCTION##__, __##LINE##__); DbgPrint 41 | #else 42 | #define DebugPrint DbgPrint 43 | #endif 44 | #else 45 | #define DebugPrint /##/DbgPrint 46 | #endif 47 | 48 | #endif // __DRVCOMMON_H_VERSION__ 49 | -------------------------------------------------------------------------------- /distorm/COPYING: -------------------------------------------------------------------------------- 1 | :[diStorm64}: 2 | The ultimate disassembler library. 3 | Copyright (c) 2003,2004,2005,2006,2007,2008, Gil Dabah 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 7 | 8 | * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 9 | * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 10 | * Neither the name of the diStorm nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 11 | 12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 13 | -------------------------------------------------------------------------------- /src/NInjectLib/IATModifier.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "Process.h" 6 | 7 | class IATModifier 8 | { 9 | public: 10 | 11 | IATModifier(const Process& process); 12 | ~IATModifier(); 13 | std::vector readImportTable(); 14 | void setImageBase(uintptr_t address); 15 | void writeIAT(const std::vector& dlls); 16 | void writeIAT(const std::string& dll); 17 | IMAGE_NT_HEADERS readNTHeaders() const; 18 | 19 | private: 20 | 21 | DWORD pad(DWORD val, DWORD amount) { return (val+amount) & ~amount; }; 22 | DWORD padToDword(DWORD val) { return pad(val, 3); }; 23 | void* allocateMemAboveBase(void* baseAddress, size_t size); 24 | DWORD determineIIDSize(PIMAGE_IMPORT_DESCRIPTOR importDescriptorTableAddress); 25 | Process process_; 26 | PIMAGE_IMPORT_DESCRIPTOR importDescrTblAddr_; 27 | uintptr_t ntHeadersAddr_; 28 | unsigned int importDescrTblSize_; 29 | }; 30 | 31 | // general exception for this class 32 | class IATModifierException : public std::runtime_error 33 | { 34 | public: 35 | IATModifierException::IATModifierException(const std::string& msg) : std::runtime_error(msg) {}; 36 | }; 37 | 38 | // exception while writing image import descriptors 39 | class WriteIIDException : public std::runtime_error 40 | { 41 | public: 42 | WriteIIDException::WriteIIDException(const std::string& msg, const MemoryAccessException& e) : std::runtime_error(msg), innerException_(e) {}; 43 | MemoryAccessException innerException() const { return innerException_; }; 44 | 45 | private: 46 | MemoryAccessException innerException_; 47 | }; -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/RDTSCEmu.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Original filename: RDTSCEmu.h 6 | /// Project : RDTSCEmu 7 | /// Date of creation : 8 | /// Author(s) : 9 | /// 10 | /// Purpose : 11 | /// 12 | /// Revisions: 13 | /// 14 | /////////////////////////////////////////////////////////////////////////////// 15 | 16 | // $Id$ 17 | 18 | #ifndef __RDTSCEMU_H_VERSION__ 19 | #define __RDTSCEMU_H_VERSION__ 100 20 | 21 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 22 | #pragma once 23 | #endif 24 | 25 | #include "drvcommon.h" 26 | #include "drvversion.h" 27 | 28 | #define DEVICE_NAME "\\Device\\" 29 | #define SYMLINK_NAME "\\DosDevices\\" 30 | 31 | #ifndef FILE_DEVICE_RDTSCEMU 32 | #define FILE_DEVICE_RDTSCEMU 0x8000 33 | #endif 34 | 35 | // Values defined for "Method" 36 | // METHOD_BUFFERED 37 | // METHOD_IN_DIRECT 38 | // METHOD_OUT_DIRECT 39 | // METHOD_NEITHER 40 | // 41 | // Values defined for "Access" 42 | // FILE_ANY_ACCESS 43 | // FILE_READ_ACCESS 44 | // FILE_WRITE_ACCESS 45 | 46 | enum RDTSCMode 47 | { 48 | constant, 49 | increasing 50 | }; 51 | 52 | #define IOCTL_RDTSCEMU_METHOD_ALWAYS_CONST CTL_CODE(FILE_DEVICE_RDTSCEMU, 0x02, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) 53 | #define IOCTL_RDTSCEMU_METHOD_INCREASING CTL_CODE(FILE_DEVICE_RDTSCEMU, 0x03, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) 54 | 55 | #endif // __RDTSCEMU_H_VERSION__ 56 | -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/StealthDriver.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Original filename: StealthDriver.h 6 | /// Project : StealthDriver 7 | /// Date of creation : 8 | /// Author(s) : 9 | /// 10 | /// Purpose : 11 | /// 12 | /// Revisions: 13 | /// 14 | /////////////////////////////////////////////////////////////////////////////// 15 | 16 | // $Id$ 17 | 18 | #ifndef __STEALTHDRIVER_H_VERSION__ 19 | #define __STEALTHDRIVER_H_VERSION__ 100 20 | 21 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 22 | #pragma once 23 | #endif 24 | 25 | #include "drvcommon.h" 26 | #include "drvversion.h" 27 | 28 | #define STEALTH_DEVICE_NAME "\\Device\\STEALTHDRIVER" 29 | #define STEALTH_SYMLINK_NAME "\\DosDevices\\STEALTHDRIVER" 30 | 31 | #ifndef FILE_DEVICE_STEALTHDRIVER 32 | #define FILE_DEVICE_STEALTHDRIVER 0x8000 33 | #endif 34 | 35 | // Values defined for "Method" 36 | // METHOD_BUFFERED 37 | // METHOD_IN_DIRECT 38 | // METHOD_OUT_DIRECT 39 | // METHOD_NEITHER 40 | // 41 | // Values defined for "Access" 42 | // FILE_ANY_ACCESS 43 | // FILE_READ_ACCESS 44 | // FILE_WRITE_ACCESS 45 | 46 | // hook flags 47 | enum StealthHook 48 | { 49 | SH_NtSetInformationThread, 50 | SH_NtQueryInformationProcess 51 | }; 52 | 53 | const ULONG IOCTL_STEALTHDRIVER_ENABLE_HOOKS = (ULONG)CTL_CODE(FILE_DEVICE_STEALTHDRIVER, 0x801, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA); 54 | 55 | #endif // __STEALTHDRIVER_H_VERSION__ 56 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthPage2.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "WTLCommon.h" 5 | #include "IDAStealthPropertyPage.h" 6 | #include 7 | #include "resource.h" 8 | 9 | class CIDAStealthOptionsDialog; 10 | 11 | class CIDAStealthPage2 : 12 | public CIDAStealthPropertyPage 13 | { 14 | public: 15 | 16 | CIDAStealthPage2(CIDAStealthOptionsDialog* parentDlg) : 17 | CIDAStealthPropertyPage(parentDlg) {} 18 | ~CIDAStealthPage2() {} 19 | 20 | protected: 21 | 22 | void updateGlobalEnableState(bool newState); 23 | void loadPageConfig(); 24 | bool savePageConfig(); 25 | 26 | private: 27 | 28 | BEGIN_DDX_MAP(CIDAStealthPage2) 29 | DDX_CHECK(IDC_BLOCKINPUT, blockInput_) 30 | DDX_CHECK(IDC_SUSPENDTHREAD, suspThread_) 31 | DDX_CHECK(IDC_TERMINATE, ntTerminate_) 32 | DDX_CHECK(IDC_PARENTPROCESS, parentProcess_) 33 | DDX_CHECK(IDC_HIDEIDAPROCESS, hideIDAProcess_) 34 | DDX_CHECK(IDC_HIDEIDAWND, hideIDAWnd_) 35 | DDX_CHECK(IDC_DBGPRNTEXCEPT, dbgPrintExcp_) 36 | DDX_CHECK(IDC_OPENPROCESS, openProcess_) 37 | DDX_CHECK(IDC_SWITCH, switch_) 38 | DDX_CHECK(IDC_ANTIATTACH, antiAttach_) 39 | DDX_CHECK(IDC_NTYIELD, ntYield_) 40 | DDX_CHECK(IDC_OUTDBGSTR, outputDbgStr_) 41 | DDX_CHECK(IDC_NTSIT, ntSetInfoThread_) 42 | END_DDX_MAP() 43 | 44 | bool blockInput_; 45 | bool suspThread_; 46 | bool ntTerminate_; 47 | bool parentProcess_; 48 | bool hideIDAProcess_; 49 | bool hideIDAWnd_; 50 | bool dbgPrintExcp_; 51 | bool openProcess_; 52 | bool switch_; 53 | bool antiAttach_; 54 | bool ntYield_; 55 | bool outputDbgStr_; 56 | bool ntSetInfoThread_; 57 | }; 58 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthDriversPage.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "WTLCommon.h" 5 | #include "IDAStealthPropertyPage.h" 6 | #include 7 | #include "resource.h" 8 | 9 | class CIDAStealthDriversPage : 10 | public CIDAStealthPropertyPage 11 | { 12 | public: 13 | 14 | CIDAStealthDriversPage(CIDAStealthOptionsDialog* parentDlg) : 15 | CIDAStealthPropertyPage(parentDlg) {} 16 | ~CIDAStealthDriversPage() {} 17 | 18 | protected: 19 | 20 | void updateGlobalEnableState(bool globalEnable); 21 | void loadPageConfig(); 22 | bool savePageConfig(); 23 | 24 | private: 25 | 26 | typedef CIDAStealthPropertyPage BasePropertyPage; 27 | 28 | BEGIN_MSG_MAP(CIDAStealthDriversPage) 29 | COMMAND_HANDLER(IDC_RDTSC, BN_CLICKED, OnRDTSCClick) 30 | CHAIN_MSG_MAP(CPropertyPageImpl) 31 | CHAIN_MSG_MAP(BasePropertyPage) 32 | END_MSG_MAP() 33 | 34 | BEGIN_DDX_MAP(CIDAStealthDriversPage) 35 | DDX_CHECK(IDC_RDTSC, useRDTSC_) 36 | DDX_RADIO(IDC_RDTSC_ZERO, rdbIndex_) 37 | DDX_CHECK(IDC_UNLOAD_DRIVER, unloadRDTSCDrv_) 38 | DDX_CHECK(IDC_RAND_NAME, randomizeName_) 39 | DDX_INT(IDC_RDTSC_DELTA, rdtscDelta_) 40 | DDX_CHECK(IDC_UNLOAD_STEALTH_DRV, unloadStealthDrv_) 41 | DDX_CHECK(IDC_NTSIT_DRV, ntSITDrv_) 42 | DDX_CHECK(IDC_NTQIP_DRV, ntQIPDrv_) 43 | END_DDX_MAP() 44 | 45 | void updateRDBs(HWND hWndCheckBox); 46 | LRESULT OnRDTSCClick(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 47 | 48 | bool useRDTSC_; 49 | bool unloadRDTSCDrv_; 50 | bool unloadStealthDrv_; 51 | bool ntSITDrv_; 52 | bool ntQIPDrv_; 53 | bool randomizeName_; 54 | int rdtscDelta_; 55 | int rdbIndex_; 56 | }; -------------------------------------------------------------------------------- /src/IDAStealth/StealthSession.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // shared functionality between IDAStealth and RemoteStealth to inject the HideDebugger dll 4 | // into a new or already running process 5 | // independent of any IDA API 6 | 7 | #include 8 | #include 9 | #include 10 | #include "IPCConfigExchangeWriter.h" 11 | #include 12 | #include "ResourceItem.h" 13 | #include "DriverControl.h" 14 | 15 | namespace IDAStealth 16 | { 17 | // encapsulates basic functionality to start IDAStealth as soon as 18 | // the debuggee starts or when the debugger attaches to the debuggee 19 | class StealthSession 20 | { 21 | public: 22 | 23 | StealthSession() {} 24 | virtual ~StealthSession() {} 25 | 26 | virtual void handleDbgAttach(unsigned int processID, const std::string& configFile, const std::string profile); 27 | virtual void handleProcessStart(unsigned int processID, uintptr_t baseAddress, 28 | const std::string& configFile, const std::string profile); 29 | virtual void handleProcessExit(); 30 | 31 | protected: 32 | 33 | virtual void logString(const std::string& str) =0; 34 | virtual ResourceItem getRDTSCDriverResource() =0; 35 | virtual ResourceItem getStealthDriverResource() =0; 36 | virtual std::string getStealthDllPath() =0; 37 | 38 | void handleRtlGetNtGlobalFlags(unsigned int processID); 39 | void performCommonInit(); 40 | void startDrivers(); 41 | void stopDrivers(); 42 | 43 | private: 44 | 45 | typedef boost::shared_ptr IPCConfigExchangeWriter_Ptr; 46 | 47 | void dbgAttachThread(unsigned int processID, const std::string& configFile, const std::string profile); 48 | 49 | IPCConfigExchangeWriter_Ptr ipc_; 50 | DriverControl rdtscDriver_; 51 | DriverControl stealthDriver_; 52 | }; 53 | } -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/distorm.c: -------------------------------------------------------------------------------- 1 | /* 2 | distorm.c 3 | 4 | :[diStorm64}: C Library Interface 5 | The ultimate disassembler library (80x86, AMD64) 6 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 7 | This library is licensed under the BSD license. See the file COPYING. 8 | */ 9 | 10 | #include "../config.h" 11 | #include "decoder.h" 12 | #include "x86defs.h" 13 | 14 | /* C LIBRARY EXPORTS */ 15 | #ifdef SUPPORT_64BIT_OFFSET 16 | _DLLEXPORT_ _DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount) 17 | #else 18 | _DLLEXPORT_ _DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount) 19 | #endif 20 | { 21 | *usedInstructionsCount = 0; 22 | 23 | /* I use codeLen as a signed variable in order to ease detection of underflow... and besides - */ 24 | if (codeLen < 0) { 25 | return DECRES_INPUTERR; 26 | } 27 | 28 | if ((dt != Decode16Bits) && (dt != Decode32Bits) && (dt != Decode64Bits)) { 29 | return DECRES_INPUTERR; 30 | } 31 | 32 | if (code == NULL || result == NULL) { 33 | return DECRES_INPUTERR; 34 | } 35 | 36 | /* Assume length=0 is success. */ 37 | if (codeLen == 0) { 38 | return DECRES_SUCCESS; 39 | } 40 | 41 | /* We need to supply at least 15 entries so the internal_decoder could return anything possible. */ 42 | if (maxInstructions < INST_MAXIMUM_SIZE) { 43 | return DECRES_MEMORYERR; 44 | } 45 | 46 | return internal_decode(codeOffset, code, codeLen, dt, result, maxInstructions, usedInstructionsCount); 47 | } 48 | 49 | _DLLEXPORT_ unsigned int distorm_version() 50 | { 51 | return DISTORM_VER; 52 | } 53 | -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/HookInt.cpp: -------------------------------------------------------------------------------- 1 | #include "HookInt.h" 2 | 3 | extern "C" KAFFINITY KeSetAffinityThread(IN PKTHREAD Thread, IN KAFFINITY Affinity); 4 | 5 | #define RESTORE_INTS 6 | #define DISABLE_INTS 7 | 8 | #define MAKELONG(a, b) ((ULONG)(((USHORT)(((ULONG)(a)) & 0xffff)) | ((ULONG)((USHORT)(((ULONG)(b)) & 0xffff))) << 16)) 9 | 10 | // layout of data struct retrieved from sidt instruction 11 | typedef struct 12 | { 13 | USHORT limit; 14 | USHORT lowBase; 15 | USHORT highBase; 16 | } IDT_INFO, *PIDT_INFO; 17 | 18 | // simplified layout of an IDT entry 19 | // (all the flag details have been omitted, we don't change them anyway) 20 | typedef struct 21 | { 22 | USHORT lowOffset; 23 | USHORT segSelector; 24 | USHORT flags; 25 | USHORT highOffset; 26 | } IDT_ENTRY, *PIDT_ENTRY; 27 | 28 | IDT_INFO getIDTInfo() 29 | { 30 | IDT_INFO retVal; 31 | __asm 32 | { 33 | sidt retVal 34 | //mov eax, fs:[0]KPCR.IDT 35 | //mov retVal, eax 36 | } 37 | return retVal; 38 | } 39 | 40 | VOID hookInterrupt(PVOID newHandler, ULONG number, PUINT_PTR oldHandler) 41 | { 42 | IDT_INFO info; 43 | __asm sidt info; 44 | PIDT_ENTRY idt = (PIDT_ENTRY)MAKELONG(info.lowBase, info.highBase); 45 | 46 | // save EFLAGS, then disable interrupts 47 | __asm pushfd 48 | __asm cli 49 | 50 | UINT_PTR origHandler = (ULONG)(idt[number].highOffset) << 16 | idt[number].lowOffset; 51 | 52 | idt[number].lowOffset = (USHORT)newHandler; 53 | idt[number].highOffset = (USHORT)((ULONG)newHandler >> 16); 54 | if (oldHandler) *oldHandler = origHandler; 55 | 56 | // CLI just clears the IF in EFLAGS so we don't need to execute STI here 57 | // by popping the previously pushed EFLAGS we revert to the original state 58 | __asm popfd 59 | } 60 | 61 | VOID switchToCPU(CCHAR cpu) 62 | { 63 | KeSetAffinityThread(KeGetCurrentThread(), 1 << cpu); 64 | } -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/prefix.h: -------------------------------------------------------------------------------- 1 | /* 2 | prefix.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef PREFIX_H 10 | #define PREFIX_H 11 | 12 | #include "../config.h" 13 | 14 | #include "decoder.h" 15 | #include "wstring.h" 16 | 17 | /* 18 | * This holds the prefixes state for the current instruction we decode. 19 | * totalPrefixes includes all specific prefixes that the instruction got. 20 | * start is a pointer to the first prefix to take into account. 21 | * last is a pointer to the last byte we scanned. 22 | * Other pointers are used to keep track of prefixes positions and help us know if they appeared already and where. 23 | */ 24 | typedef struct { 25 | unsigned int unusedCount, specialPrefixesSize, isREXPrefixValid; 26 | _iflags totalPrefixes, usedPrefixes; 27 | const uint8_t *lokrepPos, *segovrdPos, *opsizePos, *addrsizePos, *rexpos, *start, *last; 28 | } _PrefixState; 29 | 30 | /* Describe the type of the prefix and which one it was in a flag manner. */ 31 | typedef enum {PRE_NONE = -1, PRE_LOKREP, PRE_SEGOVRD, PRE_OPSIZE, PRE_ADDRSIZE, PRE_REX} _PrefixType; 32 | 33 | typedef struct { 34 | _iflags flag; 35 | _PrefixType type; 36 | } _PrefixInfo; 37 | 38 | /* 39 | * Intel supports 4 types of prefixes, whereas AMD supports 5 types (lock is seperated from rep/nz). 40 | * REX is the fifth prefix type, this time I'm based on AMD64. 41 | */ 42 | #define MAX_PREFIXES (5) 43 | 44 | int is_prefix(unsigned int ch, _DecodeType dt); 45 | void decode_prefixes(const uint8_t* code, int codeLen, _PrefixState* ps, _DecodeType dt); 46 | void get_unused_prefixes_list(uint8_t unusedList[MAX_PREFIXES], _PrefixState* ps); 47 | 48 | void str_seg_text(_WString* s, _PrefixState* ps, _DecodeType dt); 49 | 50 | #endif /* PREFIX_H */ 51 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthRDTSCPage.cpp: -------------------------------------------------------------------------------- 1 | #include "IDAStealthRDTSCPage.h" 2 | 3 | void CIDAStealthRDTSCPage::updateGlobalEnableState(bool newState) 4 | { 5 | BOOL state = newState ? TRUE : FALSE; 6 | ::EnableWindow(GetDlgItem(IDC_RDTSC), state); 7 | ::EnableWindow(GetDlgItem(IDC_RDTSC_ZERO), state); 8 | ::EnableWindow(GetDlgItem(IDC_RDTSC_INCREASING), state); 9 | ::EnableWindow(GetDlgItem(IDC_RDTSC_DELTA), state); 10 | ::EnableWindow(GetDlgItem(IDC_UNLOAD_DRIVER), state); 11 | ::EnableWindow(GetDlgItem(IDC_RAND_NAME), state); 12 | } 13 | 14 | void CIDAStealthRDTSCPage::updateRDBs(HWND hWndCheckBox) 15 | { 16 | CButton chkRDTSC = hWndCheckBox; 17 | CButton rdbZero = GetDlgItem(IDC_RDTSC_ZERO); 18 | CButton rdbIncr = GetDlgItem(IDC_RDTSC_INCREASING); 19 | BOOL checked = (chkRDTSC.GetCheck()) ? TRUE : FALSE; 20 | rdbZero.EnableWindow(checked); 21 | rdbIncr.EnableWindow(checked); 22 | } 23 | 24 | LRESULT CIDAStealthRDTSCPage::OnRDTSCClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND hWndCtl, BOOL& /*bHandled*/) 25 | { 26 | updateRDBs(hWndCtl); 27 | return 0; 28 | } 29 | 30 | void CIDAStealthRDTSCPage::loadPageConfig() 31 | { 32 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 33 | useRDTSC_ = config.getUseRDTSC(); 34 | rdbIndex_ = (config.getRDTSCMode() == constant) ? 0 : 1; 35 | unloadDriver_ = config.getUnloadRDTSC(); 36 | randomizeName_ = config.getRandRDTSCName(); 37 | rdtscDelta_ = config.getRDTSCIncrDelta(); 38 | DoDataExchange(FALSE); 39 | updateRDBs(GetDlgItem(IDC_RDTSC)); 40 | } 41 | 42 | bool CIDAStealthRDTSCPage::savePageConfig() 43 | { 44 | if (DoDataExchange(TRUE)) 45 | { 46 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 47 | config.setUseRDTSC(useRDTSC_); 48 | if (rdbIndex_) config.setRDTSCMode(increasing); 49 | else config.setRDTSCMode(constant); 50 | config.setUnloadRDTSC(unloadDriver_); 51 | config.setRandRDTSCName(randomizeName_); 52 | config.setRDTSCIncrDelta(rdtscDelta_); 53 | return true; 54 | } 55 | else return false; 56 | } -------------------------------------------------------------------------------- /src/IDAStealthRemote/IDAStealthRemote.rc: -------------------------------------------------------------------------------- 1 | // Microsoft Visual C++ generated resource script. 2 | // 3 | #include "resource.h" 4 | 5 | #define APSTUDIO_READONLY_SYMBOLS 6 | ///////////////////////////////////////////////////////////////////////////// 7 | // 8 | // Generated from the TEXTINCLUDE 2 resource. 9 | // 10 | #include "afxres.h" 11 | 12 | ///////////////////////////////////////////////////////////////////////////// 13 | #undef APSTUDIO_READONLY_SYMBOLS 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | // English (U.S.) resources 17 | 18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 19 | #ifdef _WIN32 20 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 21 | #pragma code_page(1252) 22 | #endif //_WIN32 23 | 24 | #ifdef APSTUDIO_INVOKED 25 | ///////////////////////////////////////////////////////////////////////////// 26 | // 27 | // TEXTINCLUDE 28 | // 29 | 30 | 1 TEXTINCLUDE 31 | BEGIN 32 | "resource.h\0" 33 | END 34 | 35 | 2 TEXTINCLUDE 36 | BEGIN 37 | "#include ""afxres.h""\r\n" 38 | "\0" 39 | END 40 | 41 | 3 TEXTINCLUDE 42 | BEGIN 43 | "\r\n" 44 | "\0" 45 | END 46 | 47 | #endif // APSTUDIO_INVOKED 48 | 49 | 50 | ///////////////////////////////////////////////////////////////////////////// 51 | // 52 | // DRV 53 | // 54 | 55 | IDR_RDTSC DRV "..\\RDTSCEmu\\driver\\objfre_wxp_x86\\i386\\RDTSCEmu.sys" 56 | IDR_STEALTH DRV "..\\StealthDriver\\StealthDriver\\objfre_wxp_x86\\i386\\StealthDriver.sys" 57 | #endif // English (U.S.) resources 58 | ///////////////////////////////////////////////////////////////////////////// 59 | 60 | 61 | 62 | #ifndef APSTUDIO_INVOKED 63 | ///////////////////////////////////////////////////////////////////////////// 64 | // 65 | // Generated from the TEXTINCLUDE 3 resource. 66 | // 67 | 68 | 69 | ///////////////////////////////////////////////////////////////////////////// 70 | #endif // not APSTUDIO_INVOKED 71 | 72 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthWTLWrapper.h: -------------------------------------------------------------------------------- 1 | // global wrapper to encapsulate all WTL boiler plate code 2 | // and to initialize the IDAStealth GUI (singleton class) 3 | 4 | #include "WTLCommon.h" 5 | #include "IDAStealthChooseDialog.h" 6 | #include 7 | 8 | #if defined _M_IX86 9 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"") 10 | #elif defined _M_IA64 11 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='ia64' publicKeyToken='6595b64144ccf1df' language='*'\"") 12 | #elif defined _M_X64 13 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"") 14 | #else 15 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"") 16 | #endif 17 | 18 | class IDAStealthWTLWrapper 19 | { 20 | public: 21 | 22 | static IDAStealthWTLWrapper& getInstance() 23 | { 24 | static IDAStealthWTLWrapper instance_; 25 | return instance_; 26 | } 27 | 28 | ~IDAStealthWTLWrapper() 29 | { 30 | module_.Term(); 31 | ::CoUninitialize(); 32 | } 33 | 34 | void showGUI(HWND hWndParent) 35 | { 36 | //CIDAStealthChooseDialog dlg(hWndParent); 37 | //dlg.DoModal(hWndParent); 38 | CIDAStealthOptionsDialog dlg("IDAStealth v1.3"); 39 | dlg.DoModal(hWndParent); 40 | } 41 | 42 | private: 43 | 44 | IDAStealthWTLWrapper() 45 | { 46 | HRESULT hRes = ::CoInitialize(NULL); 47 | ATLASSERT(SUCCEEDED(hRes)); 48 | AtlInitCommonControls(ICC_BAR_CLASSES | ICC_LINK_CLASS); 49 | hRes = module_.Init(NULL, GetModuleHandle(NULL)); 50 | ATLASSERT(SUCCEEDED(hRes)); 51 | } 52 | 53 | IDAStealthWTLWrapper(IDAStealthWTLWrapper const&); 54 | IDAStealthWTLWrapper& operator=(IDAStealthWTLWrapper const&); 55 | 56 | CAppModule module_; 57 | }; -------------------------------------------------------------------------------- /src/IDAStealthRemote/RemoteStealthProtocoll.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // defines the protocol used between client and server 4 | 5 | #pragma warning(disable : 4512) 6 | #include 7 | #include 8 | #pragma warning(default : 4512) 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | namespace RemoteStealth 15 | { 16 | enum ProcessEvent { ProcessStart, ProcessAttach, ProcessExit }; 17 | 18 | struct RSProtocolItem 19 | { 20 | RSProtocolItem(unsigned int pID, uintptr_t base, ProcessEvent pEvent, 21 | const std::string& configStr, const std::string currentProfile, 22 | const std::string& reIP, int rePort) : 23 | processID(pID), 24 | baseAddress(base), 25 | procEvent(pEvent), 26 | serializedConfigFile(configStr), 27 | profile(currentProfile), 28 | remoteEventIP(reIP), 29 | remoteEventPort(rePort) {} 30 | 31 | RSProtocolItem() : 32 | processID(0), 33 | baseAddress(0), 34 | procEvent(ProcessStart), 35 | remoteEventPort(0) {} 36 | 37 | unsigned int processID; 38 | uintptr_t baseAddress; 39 | ProcessEvent procEvent; 40 | std::string serializedConfigFile; 41 | std::string profile; 42 | std::string remoteEventIP; 43 | int remoteEventPort; 44 | 45 | template 46 | void serialize(Archive& ar, const unsigned int) 47 | { 48 | ar & processID; 49 | ar & baseAddress; 50 | ar & procEvent; 51 | ar & serializedConfigFile; 52 | ar & profile; 53 | ar & remoteEventIP; 54 | ar & remoteEventPort; 55 | } 56 | }; 57 | 58 | // response sent from the remote side to indicate success / error of an operation 59 | struct RSProtocolResponse 60 | { 61 | RSProtocolResponse(bool succ, const std::string& err) : 62 | success(succ), 63 | error(err) {} 64 | RSProtocolResponse() : success(false) {} 65 | 66 | template 67 | void serialize(Archive& ar, const unsigned int) 68 | { 69 | ar & success; 70 | ar & error; 71 | } 72 | 73 | bool success; 74 | std::string error; 75 | }; 76 | } -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthPageMisc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "IDAStealthPropertyPage.h" 4 | #include 5 | #include "WTLCommon.h" 6 | #include "resource.h" 7 | 8 | class CIDAStealthOptionsDialog; 9 | 10 | class CIDAStealthPageMisc : 11 | public CIDAStealthPropertyPage 12 | { 13 | public: 14 | 15 | CIDAStealthPageMisc(CIDAStealthOptionsDialog* parentDlg) : 16 | CIDAStealthPropertyPage(parentDlg) {} 17 | ~CIDAStealthPageMisc() {} 18 | 19 | protected: 20 | 21 | void updateGlobalEnableState(bool /*newState*/); 22 | void loadPageConfig(); 23 | bool savePageConfig(); 24 | 25 | private: 26 | 27 | LRESULT OnAddProfileClick(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 28 | LRESULT OnDelProfileClick(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 29 | 30 | BOOL OnInitDialog(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& bHandled); 31 | LRESULT OnProfilesSelChange(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 32 | void switchProfile(); 33 | void initComboBox(); 34 | 35 | typedef CIDAStealthPropertyPage BasePropertyPage; 36 | 37 | BEGIN_MSG_MAP(CIDAStealthPageMisc) 38 | MESSAGE_HANDLER(WM_INITDIALOG, OnInitDialog) 39 | COMMAND_HANDLER(IDC_ADD_PROFILE, BN_CLICKED, OnAddProfileClick) 40 | COMMAND_HANDLER(IDC_DEL_PROFILE, BN_CLICKED, OnDelProfileClick) 41 | COMMAND_CODE_HANDLER(CBN_SELCHANGE, OnProfilesSelChange) 42 | CHAIN_MSG_MAP(CPropertyPageImpl) 43 | CHAIN_MSG_MAP(BasePropertyPage) 44 | END_MSG_MAP() 45 | 46 | CComboBox cboProfiles_; 47 | int rdbPatchingMethod_; 48 | bool passExceptions_; 49 | int tcpPort_; 50 | bool haltInSEH_; 51 | bool haltAfterSEH_; 52 | bool logSEH_; 53 | 54 | BEGIN_DDX_MAP(CIDAStealthPageMisc) 55 | DDX_CONTROL_HANDLE(IDC_PROFILES, cboProfiles_) 56 | DDX_RADIO(IDC_AUTO_SELECTION, rdbPatchingMethod_) 57 | DDX_CHECK(IDC_PASS_EXCEPTIONS, passExceptions_) 58 | DDX_CHECK(IDC_HALT_IN_SEH, haltInSEH_) 59 | DDX_CHECK(IDC_HALT_AFTER_SEH, haltAfterSEH_) 60 | DDX_CHECK(IDC_LOG_SEH, logSEH_) 61 | DDX_INT(IDC_TCP_PORT, tcpPort_) 62 | END_DDX_MAP() 63 | }; -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/RDTSCEmu.WLH.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {8c8464c3-94f6-42b9-af0a-154f425afc44} 6 | cpp;c;cxx;def;asm;mc 7 | 8 | 9 | {01f514fb-7c9b-4569-9d0c-063d62c9bf1c} 10 | h;hpp;hxx 11 | 12 | 13 | {d3ad0b22-b1d3-4697-9796-4d9aaac9a9c9} 14 | rc;mc;ico;cur;bmp;dlg;rc2 15 | 16 | 17 | {b4eaacb1-328d-421d-8d95-ceea2cbd6d60} 18 | * 19 | 20 | 21 | 22 | 23 | Source Files 24 | 25 | 26 | Source Files 27 | 28 | 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files 44 | 45 | 46 | 47 | 48 | Resource Files 49 | 50 | 51 | 52 | 53 | Special Files 54 | 55 | 56 | Special Files 57 | 58 | 59 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthPropertyPage.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // common base class for all property pages 4 | 5 | #include 6 | #include "WTLCommon.h" 7 | 8 | class CIDAStealthOptionsDialog; 9 | 10 | template 11 | class CIDAStealthPropertyPage : 12 | public CPropertyPageImpl, 13 | public CWinDataExchange 14 | { 15 | public: 16 | 17 | enum { IDD = idd }; 18 | 19 | CIDAStealthPropertyPage(CIDAStealthOptionsDialog* parentDlg) : 20 | parentDlg_(parentDlg), 21 | globalEnable_(false), 22 | isInitialized_(false) {} 23 | virtual ~CIDAStealthPropertyPage() {} 24 | 25 | // only update this page if its currently active - otherwise controls might not have been created yet 26 | void setGlobalEnableState(bool globalEnable) 27 | { 28 | globalEnable_ = globalEnable; 29 | if (isInitialized_) 30 | { 31 | updateGlobalEnableState(globalEnable); 32 | } 33 | } 34 | 35 | // shield deriving class from errors if page has not yet been created 36 | // if page hasn't been activated, default values are loaded anyway, 37 | // so no need to save them explicitly 38 | void saveConfig() 39 | { 40 | if (isInitialized_) savePageConfig(); 41 | } 42 | 43 | void loadConfig() 44 | { 45 | if (isInitialized_) loadPageConfig(); 46 | } 47 | 48 | int OnSetActive() 49 | { 50 | updateGlobalEnableState(globalEnable_); 51 | return 0; 52 | } 53 | 54 | int OnApply() 55 | { 56 | if (savePageConfig()) return PSNRET_NOERROR; 57 | else return PSNRET_INVALID; 58 | } 59 | 60 | protected: 61 | 62 | BOOL OnInitDialog(HWND /*hwndFocus*/, LPARAM /*lParam*/) 63 | { 64 | isInitialized_ = true; 65 | loadPageConfig(); 66 | return TRUE; 67 | } 68 | 69 | BEGIN_MSG_MAP(CIDAStealthPropertyPage) 70 | MSG_WM_INITDIALOG(OnInitDialog) 71 | CHAIN_MSG_MAP(CPropertyPageImpl) 72 | END_MSG_MAP() 73 | 74 | // methods derived classes need to implement 75 | virtual void updateGlobalEnableState(bool newState) =0; 76 | virtual void loadPageConfig() =0; 77 | virtual bool savePageConfig() =0; 78 | 79 | CIDAStealthOptionsDialog* parentDlg_; 80 | 81 | private: 82 | 83 | bool globalEnable_; 84 | bool isInitialized_; 85 | }; -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/StealthDriver.W7.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {ada07106-66ec-48c1-8b99-dc600fa9ef84} 6 | cpp;c;cxx;def;asm;mc 7 | 8 | 9 | {52a1afab-99f4-41fb-87e3-035187c99522} 10 | h;hpp;hxx 11 | 12 | 13 | {a27f9d3b-cd65-454e-bc22-fe1216f687cd} 14 | rc;mc;ico;cur;bmp;dlg;rc2 15 | 16 | 17 | {1e6aa2ed-8936-401e-bb61-067511380b0e} 18 | * 19 | 20 | 21 | 22 | 23 | Source Files 24 | 25 | 26 | Source Files 27 | 28 | 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files 44 | 45 | 46 | 47 | 48 | Resource Files 49 | 50 | 51 | 52 | 53 | Special Files 54 | 55 | 56 | Special Files 57 | 58 | 59 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthLogWindow.cpp: -------------------------------------------------------------------------------- 1 | #include "IDACommon.h" 2 | #include "IDAStealthLogWindow.h" 3 | 4 | IDAStealthLogWindow::IDAStealthLogWindow() 5 | { 6 | } 7 | 8 | // column widths 9 | const int widths[] = { 4, 20, 8 }; 10 | // column headers 11 | const char* header[] = 12 | { 13 | "#", 14 | "Anti Debugging Measure", 15 | "Address" 16 | }; 17 | 18 | ulong idaapi sizer(void* /*obj*/) 19 | { 20 | msg("returning number of descriptions!!!\n"); 21 | return 1; 22 | } 23 | 24 | // function that generates the list line 25 | void idaapi desc(void* /*obj*/, ulong n, char* const* arrptr) 26 | { 27 | // generate column headers 28 | if (n == 0) 29 | { 30 | for (int i=0; i 2 | #pragma warning(disable : 4244 4512) 3 | #include 4 | #pragma warning(default : 4244 4512) 5 | #include 6 | #include "RemoteStealthServer.h" 7 | #include "RemoteStealthSession.h" 8 | 9 | using namespace RemoteStealth; 10 | 11 | RemoteStealthServer::RemoteStealthServer(boost::asio::io_service& ioService, unsigned short port) : 12 | acceptor_(ioService, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port)), 13 | ioService_(ioService) 14 | { 15 | } 16 | 17 | void RemoteStealth::RemoteStealthServer::run() 18 | { 19 | for (;;) 20 | { 21 | RemoteStealthConnectionPtr connection(new RemoteStealthConnection(ioService_)); 22 | acceptor_.accept(connection->socket()); 23 | std::cout << "Accepted connection from " 24 | << connection->socket().remote_endpoint().address() 25 | << std::endl; 26 | boost::thread t(boost::bind(&RemoteStealthServer::session, this, connection)); 27 | } 28 | } 29 | 30 | void RemoteStealth::RemoteStealthServer::session(RemoteStealthConnectionPtr connection) 31 | { 32 | try 33 | { 34 | RemoteStealthSession stealthSession; 35 | for (;;) 36 | { 37 | // read via connection stuff 38 | RSProtocolItem item; 39 | connection->syncRead(item); 40 | 41 | try 42 | { 43 | switch (item.procEvent) 44 | { 45 | case ProcessStart: 46 | std::cout << "process start: process ID = " << item.processID << ", base addr = 0x" << std::hex << item.baseAddress << std::endl; 47 | stealthSession.handleProcessStart(item); 48 | break; 49 | 50 | case ProcessAttach: 51 | stealthSession.handleDbgAttach(item); 52 | break; 53 | 54 | case ProcessExit: 55 | stealthSession.handleProcessExit(); 56 | break; 57 | } 58 | } 59 | catch (std::exception& e) 60 | { 61 | connection->syncWrite(RSProtocolResponse(false, e.what())); 62 | } 63 | // send response 64 | connection->syncWrite(RSProtocolResponse(true, "")); 65 | if (item.procEvent == ProcessExit) return; 66 | } 67 | } 68 | catch (const std::exception& e) 69 | { 70 | std::cerr << "Error while handling connection: " << e.what() << std::endl; 71 | } 72 | } -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/drvversion.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Defines for the version information in the resource file 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Author: ddkwizard.assarbad.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVVERSION_H_VERSION__ 13 | #define __DRVVERSION_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | // --------------------------------------------------------------------------- 21 | // Several defines have to be given before including this file. These are: 22 | // --------------------------------------------------------------------------- 23 | #define TEXT_AUTHOR Jan Newger // author (optional value) 24 | #define PRD_MAJVER 1 // major product version 25 | #define PRD_MINVER 3 // minor product version 26 | #define PRD_BUILD 0 // build number for product 27 | #define FILE_MAJVER 1 // major file version 28 | #define FILE_MINVER 3 // minor file version 29 | #define FILE_BUILD 0 // build file number 30 | #define DRV_YEAR 2009-2010 // current year or timespan (e.g. 2003-2007) 31 | #define TEXT_WEBSITE http:/##/newgre.net // website 32 | #define TEXT_PRODUCTNAME StealthDriver // product's name 33 | #define TEXT_FILEDESC StealthDriver // component description 34 | #define TEXT_COMPANY // company 35 | #define TEXT_MODULE StealthDriver // module name 36 | #define TEXT_COPYRIGHT Copyright \xA9 DRV_YEAR TEXT_COMPANY // copyright information 37 | // #define TEXT_SPECIALBUILD // optional comment for special builds 38 | #define TEXT_INTERNALNAME StealthDriver.sys // copyright information 39 | // #define TEXT_COMMENTS // optional comments 40 | // --------------------------------------------------------------------------- 41 | // ... well, that's it. Pretty self-explanatory ;) 42 | // --------------------------------------------------------------------------- 43 | 44 | #endif // __DRVVERSION_H_VERSION__ 45 | -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/src/textdefs.h: -------------------------------------------------------------------------------- 1 | /* 2 | textdefs.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef TEXTDEFS_H 10 | #define TEXTDEFS_H 11 | 12 | #include "../config.h" 13 | 14 | #include "wstring.h" 15 | 16 | #define PLUS_DISP_CHR '+' 17 | #define MINUS_DISP_CHR '-' 18 | /* CHR0 is used for FPU, ST(i) register */ 19 | #define OPEN_CHR0 '(' 20 | #define CLOSE_CHR0 ')' 21 | #define OPEN_CHR '[' 22 | #define CLOSE_CHR ']' 23 | extern int8_t SEP_STR[3]; 24 | #define SEP_CHR ',' 25 | #define SP_CHR ' ' 26 | #define SEG_OFF_CHR ':' 27 | 28 | /* 29 | Naming Convention: 30 | 31 | * get - returns a pointer to a string. 32 | * str - concatenates to string. 33 | 34 | * hex - means the function is used for hex dump (number is padded to required size) - Little Endian output. 35 | * code - means the function is used for disassembled instruction - Big Endian output. 36 | * off - means the function is used for 64bit offset - Big Endian output. 37 | 38 | * sp - space character in front of the string. 39 | * h - '0x' in front of the string. 40 | 41 | * b - byte 42 | * w - word 43 | * dw - double word 44 | * qw - quad word 45 | 46 | * all numbers are in HEX. 47 | */ 48 | 49 | extern int8_t TextBTable[256][4]; 50 | 51 | _INLINE_ int8_t* get_hex_b(unsigned int x) 52 | { 53 | return &TextBTable[x & 255][1]; /* Skip space character. */ 54 | } 55 | 56 | void _FASTCALL_ str_hex_b(_WString* s, unsigned int x); 57 | void _FASTCALL_ str_code_hb(_WString* s, unsigned int x); 58 | 59 | void _FASTCALL_ str_hex_sp_b(_WString* s, unsigned int x); 60 | void _FASTCALL_ str_code_sp_hb(_WString* s, unsigned int x); 61 | 62 | void _FASTCALL_ str_hex_sp_w(_WString* s, unsigned int x); 63 | void _FASTCALL_ str_code_hw(_WString* s, unsigned int x); 64 | 65 | void _FASTCALL_ str_hex_sp_dw(_WString* s, uint32_t x); 66 | void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x); 67 | 68 | void _FASTCALL_ str_hex_sp_qw(_WString* s, uint8_t src[8]); 69 | void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8]); 70 | 71 | #ifdef SUPPORT_64BIT_OFFSET 72 | void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x); 73 | #endif 74 | 75 | #endif /* TEXTDEFS_H */ 76 | -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/drvversion.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Defines for the version information in the resource file 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Author: ddkwizard.assarbad.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVVERSION_H_VERSION__ 13 | #define __DRVVERSION_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | // --------------------------------------------------------------------------- 21 | // Several defines have to be given before including this file. These are: 22 | // --------------------------------------------------------------------------- 23 | #define TEXT_AUTHOR // author (optional value) 24 | #define PRD_MAJVER 1 // major product version 25 | #define PRD_MINVER 0 // minor product version 26 | #define PRD_BUILD 0 // build number for product 27 | #define FILE_MAJVER 1 // major file version 28 | #define FILE_MINVER 0 // minor file version 29 | #define FILE_BUILD 0 // build file number 30 | #define DRV_YEAR 2009 // current year or timespan (e.g. 2003-2007) 31 | #define TEXT_WEBSITE http:/##/www.newgre.net // website 32 | #define TEXT_PRODUCTNAME Supercool driver-based tool // product's name 33 | #define TEXT_FILEDESC The driver for the supercool driver-based tool // component description 34 | #define TEXT_COMPANY // company 35 | #define TEXT_MODULE RDTSCEmu // module name 36 | #define TEXT_COPYRIGHT Copyright \xA9 DRV_YEAR TEXT_COMPANY // copyright information 37 | // #define TEXT_SPECIALBUILD // optional comment for special builds 38 | #define TEXT_INTERNALNAME RDTSCEmu.sys // copyright information 39 | // #define TEXT_COMMENTS // optional comments 40 | // --------------------------------------------------------------------------- 41 | // ... well, that's it. Pretty self-explanatory ;) 42 | // --------------------------------------------------------------------------- 43 | 44 | #endif // __DRVVERSION_H_VERSION__ 45 | -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/drvversion.rc: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// The version information resource. Depends on "drvversion.h" header file. 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Created by: ddkwizard\.assarbad\.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #include 13 | #include 14 | 15 | #ifdef RC_INVOKED 16 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 17 | #include "drvcommon.h" 18 | #include "drvversion.h" 19 | 20 | #ifdef DBG 21 | #define ACTUAL_FILEFLAGS VS_FF_DEBUG 22 | #else 23 | #define ACTUAL_FILEFLAGS 0 24 | #endif 25 | 26 | VS_VERSION_INFO VERSIONINFO 27 | FILEVERSION CREATE_XVER(FILE_MAJVER, FILE_MINVER, FILE_BUILD) 28 | PRODUCTVERSION CREATE_XVER(PRD_MAJVER, PRD_MINVER, 0) 29 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 30 | FILEFLAGS ACTUAL_FILEFLAGS 31 | FILEOS VOS_NT 32 | FILETYPE VFT_DRV 33 | FILESUBTYPE VFT2_DRV_SYSTEM 34 | BEGIN 35 | BLOCK "StringFileInfo" 36 | BEGIN 37 | BLOCK "000004b0" 38 | BEGIN 39 | #ifdef TEXT_AUTHOR 40 | VALUE "Author", ANSISTRING(TEXT_AUTHOR) 41 | #endif 42 | #ifdef TEXT_COMMENTS 43 | VALUE "Comments", ANSISTRING(TEXT_COMMENTS) 44 | #endif 45 | VALUE "CompanyName", ANSISTRING(TEXT_COMPANY) 46 | VALUE "FileDescription", ANSISTRING(TEXT_FILEDESC) 47 | VALUE "FileVersion", ANSISTRING(CREATE_FVER(FILE_MAJVER, FILE_MINVER, FILE_BUILD)) 48 | VALUE "InternalName", ANSISTRING(TEXT_INTERNALNAME) 49 | VALUE "LegalCopyright", ANSISTRING(TEXT_COPYRIGHT) 50 | VALUE "OriginalFilename", ANSISTRING(TEXT_MODULE) 51 | VALUE "ProductName", ANSISTRING(TEXT_PRODUCTNAME) 52 | VALUE "ProductVersion", ANSISTRING(CREATE_PVER(PRD_MAJVER, PRD_MINVER, PRD_BUILD)) 53 | #ifdef TEXT_SPECIALBUILD 54 | VALUE "SpecialBuild", ANSISTRING(TEXT_SPECIALBUILD) 55 | #endif 56 | VALUE "Website", ANSISTRING(TEXT_WEBSITE) 57 | END 58 | END 59 | BLOCK "VarFileInfo" 60 | BEGIN 61 | VALUE "Translation", 0x0, 1200 62 | END 63 | END 64 | 65 | #endif // RC_INVOKED 66 | -------------------------------------------------------------------------------- /src/IDAStealth/IPCConfigExchangeWriter.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCConfigExchangeWriter.h" 2 | 3 | using namespace IPC; 4 | 5 | IPCConfigExchangeWriter::IPCConfigExchangeWriter(unsigned int processID) : 6 | processID_(processID) 7 | { 8 | using namespace boost::interprocess; 9 | std::string name = getSegmentName(processID); 10 | try 11 | { 12 | shared_memory_object::remove(name.c_str()); 13 | segment_ = managed_shared_memory(create_only, name.c_str(), SegmentSize); 14 | segment_.construct(ConfigFileDataStr)[ConfigDataSegmentSize](0); 15 | segment_.construct(ConfigFileProfileStr)[ConfigProfileSegmentSize](0); 16 | segment_.construct(IDAProcessIDStr)[1](0); 17 | segment_.construct(PEHeaderDataStr)[1](); 18 | segment_.construct(PERestoreRequiredStr)[1](false); 19 | } 20 | catch (const std::exception&) 21 | { 22 | shared_memory_object::remove(name.c_str()); 23 | throw; 24 | } 25 | } 26 | 27 | void IPCConfigExchangeWriter::setConfigFile(const std::string& configFile) 28 | { 29 | std::pair segmentData = segment_.find(ConfigFileDataStr); 30 | strcpy_s(segmentData.first, segmentData.second, configFile.c_str()); 31 | } 32 | 33 | void IPCConfigExchangeWriter::setIDAProcessID(unsigned int processID) 34 | { 35 | std::pair segmentData = segment_.find(IDAProcessIDStr); 36 | *(segmentData.first) = processID; 37 | } 38 | 39 | void IPCConfigExchangeWriter::setProfile(const std::string& profile) 40 | { 41 | std::pair segmentData = segment_.find(ConfigFileProfileStr); 42 | strcpy_s(segmentData.first, segmentData.second, profile.c_str()); 43 | } 44 | 45 | void IPCConfigExchangeWriter::setIPCPEHeaderData(const IPCPEHeaderData& headerData) 46 | { 47 | std::pair segmentData = 48 | segment_.find(PEHeaderDataStr); 49 | *segmentData.first = headerData; 50 | } 51 | 52 | void IPC::IPCConfigExchangeWriter::setPERestoreRequired(bool required) 53 | { 54 | std::pair segmentData = segment_.find(PERestoreRequiredStr); 55 | *(segmentData.first) = required; 56 | } 57 | 58 | void IPCConfigExchangeWriter::remove() 59 | { 60 | boost::interprocess::shared_memory_object::remove(getSegmentName(processID_).c_str()); 61 | } -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthPage1.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "WTLCommon.h" 5 | #include "IDAStealthPropertyPage.h" 6 | #include 7 | #include "resource.h" 8 | 9 | class CIDAStealthOptionsDialog; 10 | 11 | class CIDAStealthPage1 : 12 | public CIDAStealthPropertyPage 13 | { 14 | public: 15 | 16 | enum { IDD = IDD_DIALOG1 }; 17 | 18 | CIDAStealthPage1(CIDAStealthOptionsDialog* parentDlg) : 19 | CIDAStealthPropertyPage(parentDlg) {} 20 | ~CIDAStealthPage1() {} 21 | 22 | void OnDataExchangeError(UINT nCtrlID, BOOL bSave); 23 | 24 | protected: 25 | 26 | void updateGlobalEnableState(bool newState); 27 | void loadPageConfig(); 28 | bool savePageConfig(); 29 | 30 | private: 31 | 32 | // we need a typedef - otherwise macro throws errors 33 | typedef CIDAStealthPropertyPage BasePropertyPage; 34 | 35 | BEGIN_MSG_MAP(CIDAStealthPage1) 36 | COMMAND_HANDLER(IDC_DBGSTART, BN_CLICKED, OnDbgEnableClick) 37 | COMMAND_HANDLER(IDC_DBGATTACH, BN_CLICKED, OnDbgEnableClick) 38 | CHAIN_MSG_MAP(CPropertyPageImpl) 39 | CHAIN_MSG_MAP(BasePropertyPage) 40 | END_MSG_MAP() 41 | 42 | BEGIN_DDX_MAP(CIDAStealthPage1) 43 | DDX_CHECK(IDC_NTQO, ntQueryObj_) 44 | DDX_CHECK(IDC_RTLNTGF, rtlGetFlags_) 45 | DDX_CHECK(IDC_NTQSI, ntQuerySysInfo_) 46 | DDX_CHECK(IDC_NTQIP, ntQueryInfoProc_) 47 | DDX_CHECK(IDC_GETTICKCOUNT, getTickCount_) 48 | DDX_CHECK(IDC_PROTECTDRS, protectDRs_) 49 | DDX_CHECK(IDC_GETVERSION, getVersion_) 50 | DDX_CHECK(IDC_NTCLOSE, ntClose_) 51 | DDX_CHECK(IDC_DBGPRESENT, dbgPresent_) 52 | DDX_CHECK(IDC_NTGF, ntGF_) 53 | DDX_CHECK(IDC_NTHF, ntHF_) 54 | DDX_INT(IDC_TICK_DELTA, tickDelta_) 55 | DDX_CHECK(IDC_DBGATTACH, dbgAttach_) 56 | DDX_CHECK(IDC_DBGSTART, dbgStart_) 57 | END_DDX_MAP() 58 | 59 | LRESULT OnDbgEnableClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/); 60 | 61 | bool ntQueryObj_; 62 | bool rtlGetFlags_; 63 | bool ntQuerySysInfo_; 64 | bool ntQueryInfoProc_; 65 | bool getTickCount_; 66 | bool protectDRs_; 67 | bool getVersion_; 68 | bool ntClose_; 69 | bool dbgPresent_; 70 | bool ntGF_; 71 | bool ntHF_; 72 | int tickDelta_; 73 | bool dbgAttach_; 74 | bool dbgStart_; 75 | bool oldState_; 76 | }; 77 | -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthAboutPage.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "ResourceItem.h" 6 | 7 | #include "WTLCommon.h" 8 | 9 | class CIDAStealthAboutPage : 10 | public CPropertyPageImpl 11 | { 12 | public: 13 | 14 | enum { IDD = IDD_ABOUT }; 15 | 16 | CIDAStealthAboutPage() 17 | { 18 | } 19 | 20 | ~CIDAStealthAboutPage() 21 | { 22 | GlobalFree(hGlobal_); 23 | } 24 | 25 | private: 26 | 27 | BEGIN_MSG_MAP(CIDAStealthPropertyPage) 28 | MSG_WM_INITDIALOG(OnInitDialog) 29 | MESSAGE_HANDLER(WM_PAINT, OnPaint) 30 | NOTIFY_HANDLER_EX(IDC_SYSLINK, NM_CLICK, OnLinkClick) 31 | CHAIN_MSG_MAP(CPropertyPageImpl) 32 | END_MSG_MAP() 33 | 34 | // draw picture manually, because if we let windows draw it via the picture box 35 | // there are some nasty artifacts in the logo; no idea why 36 | LRESULT OnPaint(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/) 37 | { 38 | PAINTSTRUCT ps; 39 | HDC dc = BeginPaint(&ps); 40 | RECT r; 41 | GetWindowRect(&r); 42 | logo_.Draw(dc, ((r.right-r.left) - logo_.GetWidth()) / 2, 15); 43 | EndPaint(&ps); 44 | return 0; 45 | } 46 | 47 | BOOL OnInitDialog(HWND /*hwndFocus*/, LPARAM /*lParam*/) 48 | { 49 | ResourceItem ri(GetModuleHandle("IDAStealth.plw"), IDR_LOGO, "JPG"); 50 | LPVOID resData = ri.getData(); 51 | DWORD jpegSize = ri.getDataSize(); 52 | 53 | hGlobal_ = GlobalAlloc(GMEM_MOVEABLE, jpegSize); 54 | LPVOID jpegData = GlobalLock(hGlobal_); 55 | memcpy(jpegData, resData, jpegSize); 56 | GlobalUnlock(hGlobal_); 57 | 58 | LPSTREAM jpegStream = NULL; 59 | CreateStreamOnHGlobal(hGlobal_, TRUE, &jpegStream); 60 | logo_.Load(jpegStream); 61 | jpegStream->Release(); 62 | 63 | // initialize syslink control 64 | linkCtrl_ = GetDlgItem(IDC_SYSLINK); 65 | LITEM item; 66 | item.mask = LIF_ITEMINDEX | LIF_URL; 67 | item.iLink = 0; 68 | lstrcpyW(item.szUrl, L"http://newgre.net/idastealth"); 69 | linkCtrl_.SetItem(&item); 70 | 71 | return FALSE; 72 | } 73 | 74 | LRESULT OnLinkClick(LPNMHDR pnmh) 75 | { 76 | PNMLINK pNMLink = (PNMLINK)pnmh; 77 | ShellExecuteW(m_hWnd, L"open", pNMLink->item.szUrl, NULL, NULL, SW_SHOWNORMAL); 78 | return 0; 79 | } 80 | 81 | CLinkCtrl linkCtrl_; 82 | CImage logo_; 83 | HGLOBAL hGlobal_; 84 | }; -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthOptionsDialog.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "WTLCommon.h" 4 | #include "IDAStealthPage1.h" 5 | #include "IDAStealthPage2.h" 6 | #include "IDAStealthDriversPage.h" 7 | #include "IDAStealthAboutPage.h" 8 | #include "IDAStealthPageMisc.h" 9 | 10 | class CIDAStealthOptionsDialog : public CPropertySheetImpl 11 | { 12 | public: 13 | 14 | CIDAStealthOptionsDialog(LPCTSTR title) : CPropertySheetImpl(title) 15 | { 16 | page1_ = new CIDAStealthPage1(this); 17 | page2_ = new CIDAStealthPage2(this); 18 | page3_ = new CIDAStealthDriversPage(this); 19 | page4_ = new CIDAStealthPageMisc(this); 20 | AddPage(*page1_); 21 | AddPage(*page2_); 22 | AddPage(*page3_); 23 | AddPage(*page4_); 24 | AddPage(pageAbout_); 25 | m_psh.dwFlags |= PSH_NOAPPLYNOW | PSH_NOCONTEXTHELP; 26 | } 27 | 28 | ~CIDAStealthOptionsDialog() 29 | { 30 | delete page1_; 31 | delete page2_; 32 | delete page3_; 33 | delete page4_; 34 | } 35 | 36 | void flushConfig() 37 | { 38 | // force each page to perform DDX and save its config 39 | page1_->saveConfig(); 40 | page2_->saveConfig(); 41 | page3_->saveConfig(); 42 | page4_->saveConfig(); 43 | } 44 | 45 | void loadNewProfile(const std::string& profileName) 46 | { 47 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 48 | config.switchToProfile(profileName); 49 | page1_->loadConfig(); 50 | page2_->loadConfig(); 51 | page3_->loadConfig(); 52 | page4_->loadConfig(); 53 | } 54 | 55 | void updateGlobalEnableState(bool globalEnable) 56 | { 57 | page1_->setGlobalEnableState(globalEnable); 58 | page2_->setGlobalEnableState(globalEnable); 59 | page3_->setGlobalEnableState(globalEnable); 60 | page4_->setGlobalEnableState(globalEnable); 61 | } 62 | 63 | private: 64 | 65 | BEGIN_MSG_MAP(CIDAStealthOptionsDialog) 66 | MESSAGE_HANDLER(WM_SHOWWINDOW, OnShowWindow) 67 | CHAIN_MSG_MAP(CPropertySheetImpl) 68 | END_MSG_MAP() 69 | 70 | LRESULT OnShowWindow(UINT /*uMsg*/, WPARAM wParam, LPARAM /*lParam*/, BOOL& bHandled) 71 | { 72 | if (wParam == TRUE) CenterWindow(); 73 | bHandled = FALSE; 74 | return 0; 75 | } 76 | 77 | CIDAStealthPage1* page1_; 78 | CIDAStealthPage2* page2_; 79 | CIDAStealthDriversPage* page3_; 80 | CIDAStealthPageMisc* page4_; 81 | CIDAStealthAboutPage pageAbout_; 82 | }; -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/RDTSCEmu.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RDTSCEmu.WLH", "RDTSCEmu.WLH.vcxproj", "{8B566A2C-41AC-40FF-B1EF-8AD47A208093}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | WLH checked|Win32 = WLH checked|Win32 9 | WLH free|Win32 = WLH free|Win32 10 | WLH2K checked|Win32 = WLH2K checked|Win32 11 | WLH2K free|Win32 = WLH2K free|Win32 12 | WLHNET checked|Win32 = WLHNET checked|Win32 13 | WLHNET free|Win32 = WLHNET free|Win32 14 | WLHXP checked|Win32 = WLHXP checked|Win32 15 | WLHXP free|Win32 = WLHXP free|Win32 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH checked|Win32.ActiveCfg = WLH checked|Win32 19 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH checked|Win32.Build.0 = WLH checked|Win32 20 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH free|Win32.ActiveCfg = WLH free|Win32 21 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH free|Win32.Build.0 = WLH free|Win32 22 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH2K checked|Win32.ActiveCfg = WLH2K checked|Win32 23 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH2K checked|Win32.Build.0 = WLH2K checked|Win32 24 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH2K free|Win32.ActiveCfg = WLH2K free|Win32 25 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH2K free|Win32.Build.0 = WLH2K free|Win32 26 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHNET checked|Win32.ActiveCfg = WLHNET checked|Win32 27 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHNET checked|Win32.Build.0 = WLHNET checked|Win32 28 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHNET free|Win32.ActiveCfg = WLHNET free|Win32 29 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHNET free|Win32.Build.0 = WLHNET free|Win32 30 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHXP checked|Win32.ActiveCfg = WLHXP checked|Win32 31 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHXP checked|Win32.Build.0 = WLHXP checked|Win32 32 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHXP free|Win32.ActiveCfg = WLHXP free|Win32 33 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHXP free|Win32.Build.0 = WLHXP free|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | EndGlobal 39 | -------------------------------------------------------------------------------- /src/IDAStealthRemote/RemoteStealthSession.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "RemoteStealthConnection.h" 4 | #include "RemoteStealthSession.h" 5 | #include "resource.h" 6 | #include 7 | 8 | namespace 9 | { 10 | std::string StealthDllFileName = "HideDebugger.dll"; 11 | } 12 | 13 | RemoteStealth::RemoteStealthSession::RemoteStealthSession() 14 | { 15 | char buffer[MAX_PATH]; 16 | GetModuleFileName(NULL, buffer, MAX_PATH); 17 | boost::filesystem::path p = buffer; 18 | p.remove_leaf(); 19 | p /= StealthDllFileName; 20 | stealthDll_ = p.string(); 21 | } 22 | 23 | void RemoteStealth::RemoteStealthSession::handleDbgAttach(const RSProtocolItem& item) 24 | { 25 | std::string configFile = serializeConfig(item.serializedConfigFile); 26 | StealthSession::handleDbgAttach(item.processID, configFile, item.profile); 27 | } 28 | 29 | void RemoteStealth::RemoteStealthSession::handleProcessStart(const RSProtocolItem& item) 30 | { 31 | std::string configFile = serializeConfig(item.serializedConfigFile); 32 | StealthSession::handleProcessStart(item.processID, item.baseAddress, configFile, item.profile); 33 | } 34 | 35 | // serialize config to config file and return path of file 36 | std::string RemoteStealth::RemoteStealthSession::serializeConfig(const std::string& configStr) 37 | { 38 | using namespace std; 39 | 40 | char tmpPath[MAX_PATH]; 41 | char tmpFileName[MAX_PATH]; 42 | 43 | GetTempPath(MAX_PATH, tmpPath); 44 | if (!GetTempFileName(tmpPath, "h4x0r", 0, tmpFileName)) 45 | throw runtime_error("Error while trying to serialize configuration to file: unable to get path for temp file"); 46 | 47 | ofstream ofs(tmpFileName); 48 | ofs.write(configStr.c_str(), configStr.length()); 49 | cout << "saving config to file: " << tmpFileName << endl; 50 | return string(tmpFileName); 51 | } 52 | 53 | void RemoteStealth::RemoteStealthSession::logString(const std::string& str) 54 | { 55 | std::cout << str << std::endl; 56 | } 57 | 58 | ResourceItem RemoteStealth::RemoteStealthSession::getRDTSCDriverResource() 59 | { 60 | return ResourceItem(GetModuleHandle(NULL), IDR_RDTSC, "DRV"); 61 | } 62 | 63 | ResourceItem RemoteStealth::RemoteStealthSession::getStealthDriverResource() 64 | { 65 | return ResourceItem(GetModuleHandle(NULL), IDR_STEALTH, "DRV"); 66 | } 67 | 68 | std::string RemoteStealth::RemoteStealthSession::getStealthDllPath() 69 | { 70 | return stealthDll_; 71 | } -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthPage2.cpp: -------------------------------------------------------------------------------- 1 | #include "IDAStealthPage2.h" 2 | 3 | void CIDAStealthPage2::loadPageConfig() 4 | { 5 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 6 | blockInput_ = config.getBlockInput(); 7 | suspThread_ = config.getSuspendThread(); 8 | ntTerminate_ = config.getNtTerminate(); 9 | parentProcess_ = config.getFakeParentProcess(); 10 | hideIDAProcess_ = config.getHideIDAProcess(); 11 | hideIDAWnd_ = config.getHideIDAWindow(); 12 | dbgPrintExcp_ = config.getDbgPrintException(); 13 | openProcess_ = config.getOpenProcess(); 14 | switch_ = config.getSwitchDesktop(); 15 | antiAttach_ = config.getKillAntiAttach(); 16 | ntYield_ = config.getNtYieldExecution(); 17 | outputDbgStr_ = config.getOutputDbgStr(); 18 | ntSetInfoThread_ = config.getNtSetInfoThread(); 19 | DoDataExchange(FALSE); 20 | } 21 | 22 | bool CIDAStealthPage2::savePageConfig() 23 | { 24 | if (DoDataExchange(TRUE)) 25 | { 26 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 27 | config.setBlockInput(blockInput_); 28 | config.setSuspendThread(suspThread_); 29 | config.setNtTerminate(ntTerminate_); 30 | config.setFakeParentProcess(parentProcess_); 31 | config.setHideIDAProcess(hideIDAProcess_); 32 | config.setHideIDAWindow(hideIDAWnd_); 33 | config.setDbgPrintException(dbgPrintExcp_); 34 | config.setOpenProcess(openProcess_); 35 | config.setSwitchDesktop(switch_); 36 | config.setKillAntiAttach(antiAttach_); 37 | config.setNtYieldExecution(ntYield_); 38 | config.setOutputDbgStr(outputDbgStr_); 39 | config.setNtSetInfoThread(ntSetInfoThread_); 40 | return true; 41 | } 42 | else return false; 43 | } 44 | 45 | void CIDAStealthPage2::updateGlobalEnableState(bool newState) 46 | { 47 | BOOL state = newState ? TRUE : FALSE; 48 | ::EnableWindow(GetDlgItem(IDC_BLOCKINPUT), state); 49 | ::EnableWindow(GetDlgItem(IDC_SUSPENDTHREAD), state); 50 | ::EnableWindow(GetDlgItem(IDC_TERMINATE), state); 51 | ::EnableWindow(GetDlgItem(IDC_PARENTPROCESS), state); 52 | ::EnableWindow(GetDlgItem(IDC_HIDEIDAPROCESS), state); 53 | ::EnableWindow(GetDlgItem(IDC_HIDEIDAWND), state); 54 | ::EnableWindow(GetDlgItem(IDC_DBGPRNTEXCEPT), state); 55 | ::EnableWindow(GetDlgItem(IDC_OPENPROCESS), state); 56 | ::EnableWindow(GetDlgItem(IDC_SWITCH), state); 57 | ::EnableWindow(GetDlgItem(IDC_ANTIATTACH), state); 58 | ::EnableWindow(GetDlgItem(IDC_NTYIELD), state); 59 | ::EnableWindow(GetDlgItem(IDC_OUTDBGSTR), state); 60 | ::EnableWindow(GetDlgItem(IDC_NTSIT), state); 61 | } -------------------------------------------------------------------------------- /src/IDAStealth/LocalStealthSession.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // implements logic for the local IDAStealth plugin 4 | // includes client for the remote debugging stealth server 5 | // relies on IDA API being present 6 | 7 | #include 8 | #include 9 | #include 10 | #include "IDAMessageLogger.h" 11 | #include 12 | #include 13 | #include 14 | #include "RemoteEventListener.h" 15 | #include "ResourceItem.h" 16 | #include 17 | #include "StealthSession.h" 18 | 19 | namespace IDAStealth 20 | { 21 | class LocalStealthSession : public StealthSession 22 | { 23 | public: 24 | 25 | LocalStealthSession() : 26 | resolver_(boost::asio::ip::tcp::resolver(ioService_)), 27 | remoteSession_(false), 28 | rtlDispatchExceptionAddr_(0), 29 | ntContinueCallAddr_(0) {} 30 | ~LocalStealthSession() {} 31 | 32 | void handleDbgAttach(unsigned int processID, const std::string& configFile, const std::string profile); 33 | void handleProcessStart(unsigned int processID, uintptr_t baseAddress, const std::string& configFile, 34 | const std::string profile); 35 | void handleProcessExit(); 36 | void handleBreakPoint(thid_t threadID, ea_t ea); 37 | 38 | private: 39 | 40 | typedef boost::shared_ptr RemoteStealthClient_Ptr; 41 | 42 | void logString(const std::string& str); 43 | ResourceItem getRDTSCDriverResource(); 44 | ResourceItem getStealthDriverResource(); 45 | std::string getStealthDllPath(); 46 | void sendRemoteCommand(const RemoteStealth::RSProtocolItem& item); 47 | void connectToServer(); 48 | std::string readConfigFile(const std::string& fileName); 49 | bool isWin32RemoteDebugger() const; 50 | bool isLocalWin32Debugger() const; 51 | bool isLocalWindbg() const; 52 | uintptr_t getRtlDispatchExceptionAddr() const; 53 | uintptr_t getNtContinueCallAddr() const; 54 | void initSEHMonitoring() const; 55 | void cleanupSEHMonitoring() const; 56 | bool setBP(ea_t ea) const; 57 | 58 | IDAMessageLogger logger_; 59 | RemoteStealthClient_Ptr client_; 60 | boost::asio::io_service ioService_; 61 | boost::asio::ip::tcp::resolver resolver_; 62 | bool remoteSession_; 63 | RemoteEventListener reListener_; 64 | 65 | mutable uintptr_t rtlDispatchExceptionAddr_; 66 | mutable uintptr_t ntContinueCallAddr_; 67 | typedef boost::tuple BPHit; 68 | std::set sehHandlerBps_; 69 | std::set postSEHBps_; 70 | }; 71 | } -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthDriversPage.cpp: -------------------------------------------------------------------------------- 1 | #include "IDAStealthDriversPage.h" 2 | #include "IDACommon.h" 3 | 4 | void CIDAStealthDriversPage::updateGlobalEnableState(bool newState) 5 | { 6 | BOOL state = newState ? TRUE : FALSE; 7 | ::EnableWindow(GetDlgItem(IDC_RDTSC), state); 8 | ::EnableWindow(GetDlgItem(IDC_RDTSC_ZERO), state); 9 | ::EnableWindow(GetDlgItem(IDC_RDTSC_INCREASING), state); 10 | ::EnableWindow(GetDlgItem(IDC_RDTSC_DELTA), state); 11 | ::EnableWindow(GetDlgItem(IDC_UNLOAD_DRIVER), state); 12 | ::EnableWindow(GetDlgItem(IDC_RAND_NAME), state); 13 | ::EnableWindow(GetDlgItem(IDC_NTSIT_DRV), state); 14 | ::EnableWindow(GetDlgItem(IDC_UNLOAD_STEALTH_DRV), state); 15 | ::EnableWindow(GetDlgItem(IDC_NTQIP_DRV), state); 16 | 17 | // handle radio buttons for RDTSC driver here - EnableWindow has no effect 18 | // if invoked from WM_INITDIALOG (as is the case in loadPageConfig()) 19 | updateRDBs(GetDlgItem(IDC_RDTSC)); 20 | } 21 | 22 | void CIDAStealthDriversPage::updateRDBs(HWND hWndCheckBox) 23 | { 24 | CButton chkRDTSC = hWndCheckBox; 25 | CButton rdbZero = GetDlgItem(IDC_RDTSC_ZERO); 26 | CButton rdbIncr = GetDlgItem(IDC_RDTSC_INCREASING); 27 | BOOL checked = (chkRDTSC.GetCheck()) ? TRUE : FALSE; 28 | rdbZero.EnableWindow(checked); 29 | rdbIncr.EnableWindow(checked); 30 | } 31 | 32 | LRESULT CIDAStealthDriversPage::OnRDTSCClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND hWndCtl, BOOL& /*bHandled*/) 33 | { 34 | updateRDBs(hWndCtl); 35 | return 0; 36 | } 37 | 38 | void CIDAStealthDriversPage::loadPageConfig() 39 | { 40 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 41 | useRDTSC_ = config.getUseRDTSC(); 42 | rdbIndex_ = (config.getRDTSCMode() == constant) ? 0 : 1; 43 | unloadRDTSCDrv_ = config.getUnloadRDTSC(); 44 | randomizeName_ = config.getRandRDTSCName(); 45 | rdtscDelta_ = config.getRDTSCIncrDelta(); 46 | ntSITDrv_ = config.getStealthNtSetInfoThread(); 47 | unloadStealthDrv_ = config.getUnloadStealth(); 48 | ntQIPDrv_ = config.getStealthNtQueryInfoProcess(); 49 | DoDataExchange(FALSE); 50 | } 51 | 52 | bool CIDAStealthDriversPage::savePageConfig() 53 | { 54 | if (DoDataExchange(TRUE)) 55 | { 56 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 57 | config.setUseRDTSC(useRDTSC_); 58 | if (rdbIndex_) config.setRDTSCMode(increasing); 59 | else config.setRDTSCMode(constant); 60 | config.setUnloadRDTSC(unloadRDTSCDrv_); 61 | config.setRandRDTSCName(randomizeName_); 62 | config.setRDTSCIncrDelta(rdtscDelta_); 63 | config.setStealthNtSetInfoThread(ntSITDrv_); 64 | config.setUnloadStealth(unloadStealthDrv_); 65 | config.setStealthNtQueryInfoProcess(ntQIPDrv_); 66 | bool useStealthDriver = ntSITDrv_ || ntQIPDrv_; 67 | config.setUseStealthDriver(useStealthDriver); 68 | return true; 69 | } 70 | else return false; 71 | } -------------------------------------------------------------------------------- /src/HideDebugger/HideDebugger.rc: -------------------------------------------------------------------------------- 1 | // Microsoft Visual C++ generated resource script. 2 | // 3 | #include "resource.h" 4 | 5 | #define APSTUDIO_READONLY_SYMBOLS 6 | ///////////////////////////////////////////////////////////////////////////// 7 | // 8 | // Generated from the TEXTINCLUDE 2 resource. 9 | // 10 | #include "afxres.h" 11 | 12 | ///////////////////////////////////////////////////////////////////////////// 13 | #undef APSTUDIO_READONLY_SYMBOLS 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | // English (U.S.) resources 17 | 18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 19 | #ifdef _WIN32 20 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 21 | #pragma code_page(1252) 22 | #endif //_WIN32 23 | 24 | #ifdef APSTUDIO_INVOKED 25 | ///////////////////////////////////////////////////////////////////////////// 26 | // 27 | // TEXTINCLUDE 28 | // 29 | 30 | 1 TEXTINCLUDE 31 | BEGIN 32 | "resource.h\0" 33 | END 34 | 35 | 2 TEXTINCLUDE 36 | BEGIN 37 | "#include ""afxres.h""\r\n" 38 | "\0" 39 | END 40 | 41 | 3 TEXTINCLUDE 42 | BEGIN 43 | "\r\n" 44 | "\0" 45 | END 46 | 47 | #endif // APSTUDIO_INVOKED 48 | 49 | 50 | ///////////////////////////////////////////////////////////////////////////// 51 | // 52 | // Version 53 | // 54 | 55 | VS_VERSION_INFO VERSIONINFO 56 | FILEVERSION 1,3,0,0 57 | PRODUCTVERSION 1,3,0,0 58 | FILEFLAGSMASK 0x17L 59 | #ifdef _DEBUG 60 | FILEFLAGS 0x1L 61 | #else 62 | FILEFLAGS 0x0L 63 | #endif 64 | FILEOS 0x4L 65 | FILETYPE 0x2L 66 | FILESUBTYPE 0x0L 67 | BEGIN 68 | BLOCK "StringFileInfo" 69 | BEGIN 70 | BLOCK "040904b0" 71 | BEGIN 72 | VALUE "FileDescription", "HideDebugger Dynamic Link Library" 73 | VALUE "FileVersion", "1, 3, 0, 0" 74 | VALUE "InternalName", "HideDebugger" 75 | VALUE "LegalCopyright", "Copyright (C) 2008-2010 Jan Newger" 76 | VALUE "OriginalFilename", "HideDebugger.dll" 77 | VALUE "ProductName", "HideDebugger Dynamic Link Library" 78 | VALUE "ProductVersion", "1, 3, 0, 0" 79 | END 80 | END 81 | BLOCK "VarFileInfo" 82 | BEGIN 83 | VALUE "Translation", 0x409, 1200 84 | END 85 | END 86 | 87 | #endif // English (U.S.) resources 88 | ///////////////////////////////////////////////////////////////////////////// 89 | 90 | 91 | 92 | #ifndef APSTUDIO_INVOKED 93 | ///////////////////////////////////////////////////////////////////////////// 94 | // 95 | // Generated from the TEXTINCLUDE 3 resource. 96 | // 97 | 98 | 99 | ///////////////////////////////////////////////////////////////////////////// 100 | #endif // not APSTUDIO_INVOKED 101 | 102 | -------------------------------------------------------------------------------- /src/NInjectLib/Process.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | class Process 9 | { 10 | public: 11 | 12 | //Process(HANDLE hProcess); 13 | Process(DWORD processID); 14 | Process::Process(const Process& instance); 15 | Process& Process::operator=(const Process& instance); 16 | ~Process(); 17 | 18 | LPVOID allocMem(DWORD size) const; 19 | LPVOID allocMem(DWORD size, DWORD allocationType) const; 20 | LPVOID allocMem(DWORD size, LPVOID desiredAddress, DWORD allocationType) const; 21 | bool freeMem(LPVOID address) const; 22 | void writeMemory(LPVOID address, LPCVOID data, DWORD size) const; 23 | void readMemory(LPVOID address, LPVOID buffer, DWORD size) const; 24 | MEMORY_BASIC_INFORMATION queryMemory(LPVOID address) const; 25 | DWORD protectMemory(LPVOID address, SIZE_T size, DWORD protect) const; 26 | bool startThread(LPVOID address, LPVOID param); 27 | void waitForThread(); 28 | std::vector Process::getModules() const; 29 | 30 | uintptr_t getImageBase(HANDLE hThread) const; 31 | uintptr_t getImageBase() const; 32 | 33 | private: 34 | 35 | bool duplicateHandle(HANDLE hSrc, HANDLE* hDest); 36 | void throwSysError(const char* msg, DWORD lastError) const; 37 | 38 | HANDLE hProcess_; 39 | HANDLE hThread_; 40 | DWORD processID_; 41 | }; 42 | 43 | // handle error 44 | class ProcessHandleException : public std::runtime_error 45 | { 46 | public: 47 | ProcessHandleException::ProcessHandleException(const std::string& msg) : std::runtime_error(msg) {}; 48 | }; 49 | 50 | // anything with memory 51 | class ProcessMemoryException : public std::runtime_error 52 | { 53 | public: 54 | ProcessMemoryException::ProcessMemoryException(const std::string& msg, LPVOID address) : std::runtime_error(msg), address_(address) {}; 55 | LPVOID getAddress() { return address_; }; 56 | private: 57 | LPVOID address_; 58 | }; 59 | 60 | // access memory 61 | class MemoryAccessException : public std::runtime_error 62 | { 63 | public: 64 | MemoryAccessException::MemoryAccessException(const std::string& msg) : std::runtime_error(msg) {}; 65 | }; 66 | 67 | // allocate 68 | class MemoryAllocationException : public std::runtime_error 69 | { 70 | public: 71 | MemoryAllocationException::MemoryAllocationException(const std::string& msg) : std::runtime_error(msg) {}; 72 | }; 73 | 74 | // query memory 75 | class MemoryQueryException : public std::runtime_error 76 | { 77 | public: 78 | MemoryQueryException::MemoryQueryException(const std::string& msg) : std::runtime_error(msg) {}; 79 | }; 80 | 81 | // protect memory 82 | class MemoryProtectException : public ProcessMemoryException 83 | { 84 | public: 85 | MemoryProtectException::MemoryProtectException(const std::string& msg, LPVOID address) : ProcessMemoryException(msg, address) {}; 86 | }; -------------------------------------------------------------------------------- /src/HideDebugger/ObjectTextSerialization.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // provides text serialization of arbitrary objects to be sent 4 | // across the network, process boundaries, etc. 5 | 6 | #pragma warning(disable : 4512) 7 | #include 8 | #include 9 | #pragma warning(default : 4512) 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | namespace RemoteEvent 17 | { 18 | const int HeaderLength = 8; 19 | 20 | template 21 | void deserialize(structT& item, recvHandlerT recv) 22 | { 23 | using namespace std; 24 | 25 | // first read header 26 | char inboundHeader[HeaderLength]; 27 | // read header length 28 | //boost::asio::read(socket_, boost::asio::buffer(inboundHeader)); 29 | recv(boost::asio::buffer(inboundHeader)); 30 | 31 | istringstream is(std::string(inboundHeader, HeaderLength)); 32 | size_t inboundDataSize = 0; 33 | if (!(is >> hex >> inboundDataSize)) 34 | throw runtime_error("Error while processing inbound data: invalid header received"); 35 | 36 | // header is correct, so read data 37 | vector inboundData(inboundDataSize); 38 | // read given length 39 | //boost::asio::read(socket_, boost::asio::buffer(inboundData)); 40 | recv(boost::asio::buffer(inboundData)); 41 | try 42 | { 43 | string archiveString(&inboundData[0], inboundData.size()); 44 | istringstream archiveStream(archiveString); 45 | boost::archive::text_iarchive archive(archiveStream); 46 | archive >> item; 47 | } 48 | catch (const exception&) 49 | { 50 | throw runtime_error("Error while processing inbound data: unable to deserialize protocol buffer"); 51 | } 52 | } 53 | 54 | template 55 | void serialize(const structT& item, typename transportT) 56 | { 57 | using namespace std; 58 | 59 | // serialize data 60 | ostringstream archiveStream; 61 | boost::archive::text_oarchive archive(archiveStream); 62 | archive << item; 63 | string outboundData = archiveStream.str(); 64 | 65 | // create header 66 | ostringstream headerStream; 67 | headerStream << setw(HeaderLength) << hex << outboundData.size(); 68 | if (!headerStream || headerStream.str().size() != HeaderLength) 69 | throw runtime_error("Error while processing outbound data: unable to serialize protocol buffer"); 70 | 71 | // gather buffers and write at once 72 | vector buffers; 73 | string headerString = headerStream.str(); 74 | buffers.push_back(boost::asio::buffer(headerString)); 75 | buffers.push_back(boost::asio::buffer(outboundData)); 76 | // write data to socket/whatever 77 | //boost::asio::write(socket_, buffers); 78 | //send(buffers); 79 | } 80 | } -------------------------------------------------------------------------------- /src/IDAStealthRemote/RemoteStealthConnection.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // provides serialization of arbitrary objects over boost asio sockets 4 | 5 | #pragma warning(disable : 4512) 6 | #include 7 | #include 8 | #pragma warning(default : 4512) 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | namespace RemoteStealth 15 | { 16 | // provides a mechanism to send/receive our protocol item over a socket 17 | class RemoteStealthConnection 18 | { 19 | public: 20 | 21 | RemoteStealthConnection(boost::asio::io_service& ioService) : 22 | socket_(ioService) {} 23 | ~RemoteStealthConnection() {} 24 | 25 | boost::asio::ip::tcp::socket& socket() { return socket_; } 26 | 27 | template 28 | void syncRead(structT& item) 29 | { 30 | using namespace std; 31 | 32 | // first read header 33 | char inboundHeader[HeaderLength]; 34 | boost::asio::read(socket_, boost::asio::buffer(inboundHeader)); 35 | 36 | istringstream is(std::string(inboundHeader, HeaderLength)); 37 | size_t inboundDataSize = 0; 38 | if (!(is >> hex >> inboundDataSize)) 39 | throw runtime_error("Error while processing inbound data: invalid header received"); 40 | 41 | // header is correct, so read data 42 | vector inboundData(inboundDataSize); 43 | boost::asio::read(socket_, boost::asio::buffer(inboundData)); 44 | try 45 | { 46 | string archiveString(&inboundData[0], inboundData.size()); 47 | istringstream archiveStream(archiveString); 48 | boost::archive::text_iarchive archive(archiveStream); 49 | archive >> item; 50 | } 51 | catch (const exception&) 52 | { 53 | throw runtime_error("Error while processing inbound data: unable to deserialize protocol buffer"); 54 | } 55 | } 56 | 57 | template 58 | void syncWrite(const structT& item) 59 | { 60 | using namespace std; 61 | 62 | // serialize data 63 | ostringstream archiveStream; 64 | boost::archive::text_oarchive archive(archiveStream); 65 | archive << item; 66 | string outboundData = archiveStream.str(); 67 | 68 | // create header 69 | ostringstream headerStream; 70 | headerStream << setw(HeaderLength) << hex << outboundData.size(); 71 | if (!headerStream || headerStream.str().size() != HeaderLength) 72 | throw runtime_error("Error while processing outbound data: unable to serialize protocol buffer"); 73 | 74 | // gather buffers and write at once 75 | vector buffers; 76 | string headerString = headerStream.str(); 77 | buffers.push_back(boost::asio::buffer(headerString)); 78 | buffers.push_back(boost::asio::buffer(outboundData)); 79 | boost::asio::write(socket_, buffers); 80 | } 81 | 82 | private: 83 | 84 | boost::asio::ip::tcp::socket socket_; 85 | static const int HeaderLength = 8; 86 | }; 87 | 88 | typedef boost::shared_ptr RemoteStealthConnectionPtr; 89 | } -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthPage1.cpp: -------------------------------------------------------------------------------- 1 | #include "IDAStealthPage1.h" 2 | #include "IDAStealthOptionsDialog.h" 3 | 4 | LRESULT CIDAStealthPage1::OnDbgEnableClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 5 | { 6 | bool newState = IsDlgButtonChecked(IDC_DBGSTART) || IsDlgButtonChecked(IDC_DBGATTACH); 7 | if (newState != oldState_) 8 | { 9 | parentDlg_->updateGlobalEnableState(newState); 10 | } 11 | oldState_ = newState; 12 | return 0; 13 | } 14 | 15 | void CIDAStealthPage1::OnDataExchangeError(UINT nCtrlID, BOOL /*bSave*/) 16 | { 17 | if (nCtrlID == IDC_TICK_DELTA) 18 | { 19 | MessageBox("Please enter a valid tick count delta!", "IDAStealth", MB_ICONWARNING); 20 | ::SetFocus(GetDlgItem(IDC_TICK_DELTA)); 21 | } 22 | } 23 | 24 | void CIDAStealthPage1::updateGlobalEnableState(bool newState) 25 | { 26 | BOOL state = newState ? TRUE : FALSE; 27 | ::EnableWindow(GetDlgItem(IDC_NTQO), state); 28 | ::EnableWindow(GetDlgItem(IDC_RTLNTGF), state); 29 | ::EnableWindow(GetDlgItem(IDC_NTQSI), state); 30 | ::EnableWindow(GetDlgItem(IDC_NTQIP), state); 31 | ::EnableWindow(GetDlgItem(IDC_GETTICKCOUNT), state); 32 | ::EnableWindow(GetDlgItem(IDC_PROTECTDRS), state); 33 | ::EnableWindow(GetDlgItem(IDC_GETVERSION), state); 34 | ::EnableWindow(GetDlgItem(IDC_NTCLOSE), state); 35 | ::EnableWindow(GetDlgItem(IDC_DBGPRESENT), state); 36 | ::EnableWindow(GetDlgItem(IDC_NTGF), state); 37 | ::EnableWindow(GetDlgItem(IDC_NTHF), state); 38 | ::EnableWindow(GetDlgItem(IDC_TICK_DELTA), state); 39 | } 40 | 41 | void CIDAStealthPage1::loadPageConfig() 42 | { 43 | const HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 44 | ntQueryObj_ = config.getNtQueryObject(); 45 | rtlGetFlags_ = config.getRtlGetNtGlobalFlags(); 46 | ntQuerySysInfo_ = config.getNtQuerySystemInfo(); 47 | ntQueryInfoProc_ = config.getNtQueryInfoProcess(); 48 | getTickCount_ = config.getGetTickCount(); 49 | protectDRs_ = config.getProtectDRs(); 50 | getVersion_ = config.getGetVersion(); 51 | ntClose_ = config.getNtClose(); 52 | dbgPresent_ = config.getPEBIsDebugged(); 53 | ntGF_ = config.getNtGlobalFlag(); 54 | ntHF_ = config.getHeapFlags(); 55 | tickDelta_ = config.getGetTickCountDelta(); 56 | dbgAttach_ = config.getEnableDbgAttach(); 57 | dbgStart_ = config.getEnableDbgStart(); 58 | oldState_ = dbgStart_ || dbgAttach_; 59 | DoDataExchange(FALSE); 60 | parentDlg_->updateGlobalEnableState(dbgStart_ || dbgAttach_); 61 | } 62 | 63 | bool CIDAStealthPage1::savePageConfig() 64 | { 65 | if (DoDataExchange(TRUE)) 66 | { 67 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 68 | config.setNtQueryObject(ntQueryObj_); 69 | config.setRtlGetNtGlobalFlags(rtlGetFlags_); 70 | config.setNtQuerySystemInfo(ntQuerySysInfo_); 71 | config.setNtQueryInfoProcess(ntQueryInfoProc_); 72 | config.setGetTickCount(getTickCount_); 73 | config.setProtectDRs(protectDRs_); 74 | config.setGetVersion(getVersion_); 75 | config.setNtClose(ntClose_); 76 | config.setPEBIsDebugged(dbgPresent_); 77 | config.setNtGlobalFlag(ntGF_); 78 | config.setHeapFlags(ntHF_); 79 | config.setGetTickCountDelta(tickDelta_); 80 | config.setEnableDbgAttach(dbgAttach_); 81 | config.setEnableDbgStart(dbgStart_); 82 | return true; 83 | } 84 | else return false; 85 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /src/HideDebugger/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /src/IDAStealth/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /src/IDAStealthRemote/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /src/RDTSCEmu/driver/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /src/StealthDriver/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /src/HideDebugger/IPCConfigExchange.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCConfigExchange.h" 2 | #include 3 | #include 4 | 5 | namespace ipc = boost::interprocess; 6 | using namespace std; 7 | 8 | namespace 9 | { 10 | const size_t SegmentSize = 2048; 11 | const char* ConfigFileDataStr = "HideDebuggerPathStrData212"; 12 | const char* ConfigFileProfileStr = "ProfileName"; 13 | const char* IDAProcessIDStr = "IDAProcessID"; 14 | const char* PEHeaderDataStr = "PEHeaderData"; 15 | const size_t ConfigDataSegmentSize = 512; 16 | const size_t ConfigProfileSegmentSize = 64; 17 | 18 | std::string getSegmentName(unsigned int processID) 19 | { 20 | ostringstream oss; 21 | oss << "HideDebugger" << processID; 22 | return oss.str(); 23 | } 24 | 25 | std::string getSegmentName() 26 | { 27 | return getSegmentName(GetCurrentProcessId()); 28 | } 29 | } 30 | 31 | // IPC writer 32 | IPCConfigExchangeWriter::IPCConfigExchangeWriter(unsigned int processID) : 33 | processID_(processID) 34 | { 35 | using namespace boost::interprocess; 36 | string name = getSegmentName(processID); 37 | try 38 | { 39 | ipc::shared_memory_object::remove(name.c_str()); 40 | segment_ = ipc::managed_shared_memory(ipc::create_only, name.c_str(), SegmentSize); 41 | segment_.construct(ConfigFileDataStr)[ConfigDataSegmentSize](0); 42 | segment_.construct(ConfigFileProfileStr)[ConfigProfileSegmentSize](0); 43 | segment_.construct(IDAProcessIDStr)[1](0); 44 | segment_.construct(PEHeaderDataStr)[1](); 45 | } 46 | catch (...) 47 | { 48 | ipc::shared_memory_object::remove(name.c_str()); 49 | throw; 50 | } 51 | } 52 | 53 | IPCConfigExchangeWriter::~IPCConfigExchangeWriter() 54 | { 55 | ipc::shared_memory_object::remove(getSegmentName(processID_).c_str()); 56 | } 57 | 58 | void IPCConfigExchangeWriter::setConfigFile(const std::string& configFile) 59 | { 60 | std::pair segmentData = segment_.find(ConfigFileDataStr); 61 | strcpy_s(segmentData.first, segmentData.second, configFile.c_str()); 62 | } 63 | 64 | void IPCConfigExchangeWriter::setIDAProcessID(unsigned int processID) 65 | { 66 | std::pair segmentData = segment_.find(IDAProcessIDStr); 67 | *(segmentData.first) = processID; 68 | } 69 | 70 | void IPCConfigExchangeWriter::setProfile(const std::string& profile) 71 | { 72 | std::pair segmentData = segment_.find(ConfigFileProfileStr); 73 | strcpy_s(segmentData.first, segmentData.second, profile.c_str()); 74 | } 75 | 76 | void IPCConfigExchangeWriter::setIPCPEHeaderData(const IPCPEHeaderData& headerData) 77 | { 78 | std::pair segmentData = segment_.find(PEHeaderDataStr); 79 | *segmentData.first = headerData; 80 | } 81 | 82 | // IPC reader 83 | IPCConfigExchangeReader::IPCConfigExchangeReader() 84 | { 85 | segment_ = ipc::managed_shared_memory(ipc::open_read_only, getSegmentName().c_str()); 86 | } 87 | 88 | std::string IPCConfigExchangeReader::getConfigFile() 89 | { 90 | std::pair dataPtr = segment_.find(ConfigFileDataStr); 91 | return string(dataPtr.first); 92 | } 93 | 94 | unsigned int IPCConfigExchangeReader::getIDAProcessID() 95 | { 96 | std::pair dataPtr = segment_.find(IDAProcessIDStr); 97 | return *(dataPtr.first); 98 | } 99 | 100 | std::string IPCConfigExchangeReader::getProfile() 101 | { 102 | std::pair dataPtr = segment_.find(ConfigFileProfileStr); 103 | return string(dataPtr.first); 104 | } 105 | 106 | IPCPEHeaderData IPCConfigExchangeReader::getIPCPEHeaderData() 107 | { 108 | std::pair dataPtr = segment_.find(PEHeaderDataStr); 109 | return *dataPtr.first; 110 | } -------------------------------------------------------------------------------- /src/IDAStealth/IDAStealthPageMisc.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "IDAStealthOptionsDialog.h" 3 | #include "IDAStealthPageMisc.h" 4 | #include 5 | #include "WTLInputBox.h" 6 | 7 | LRESULT CIDAStealthPageMisc::OnAddProfileClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 8 | { 9 | CWTLInputBox inputBox; 10 | inputBox.DoModal(parentDlg_->m_hWnd); 11 | std::string input = inputBox.getInput(); 12 | if (input.length()) 13 | { 14 | int item = cboProfiles_.AddString(input.c_str()); 15 | cboProfiles_.SetCurSel(item); 16 | parentDlg_->flushConfig(); 17 | 18 | // switch profile and save current dialogs to the new profile - leave dialog settings intact 19 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 20 | config.switchToProfile(input); 21 | parentDlg_->flushConfig(); 22 | } 23 | return 0; 24 | } 25 | 26 | LRESULT CIDAStealthPageMisc::OnDelProfileClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 27 | { 28 | int itemID = cboProfiles_.GetCurSel(); 29 | if (itemID != CB_ERR) 30 | { 31 | WTL::CString itemText; 32 | cboProfiles_.GetLBText(itemID, itemText); 33 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 34 | if (config.delProfile((const char*)itemText)) 35 | { 36 | cboProfiles_.DeleteString(itemID); 37 | itemID = itemID > 0 ? --itemID : 0; 38 | cboProfiles_.SetCurSel(itemID); 39 | switchProfile(); 40 | } 41 | } 42 | return 0; 43 | } 44 | 45 | LRESULT CIDAStealthPageMisc::OnProfilesSelChange(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 46 | { 47 | parentDlg_->flushConfig(); 48 | switchProfile(); 49 | return 0; 50 | } 51 | 52 | void CIDAStealthPageMisc::updateGlobalEnableState(bool newState) 53 | { 54 | BOOL state = newState ? TRUE : FALSE; 55 | ::EnableWindow(GetDlgItem(IDC_PASS_EXCEPTIONS), state); 56 | ::EnableWindow(GetDlgItem(IDC_AUTO_SELECTION), state); 57 | ::EnableWindow(GetDlgItem(IDC_FORCE_ABS), state); 58 | ::EnableWindow(GetDlgItem(IDC_TCP_PORT), state); 59 | ::EnableWindow(GetDlgItem(IDC_HALT_IN_SEH), state); 60 | ::EnableWindow(GetDlgItem(IDC_HALT_AFTER_SEH), state); 61 | ::EnableWindow(GetDlgItem(IDC_LOG_SEH), state); 62 | } 63 | 64 | void CIDAStealthPageMisc::loadPageConfig() 65 | { 66 | const HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 67 | rdbPatchingMethod_ = config.getInlinePatching(); 68 | passExceptions_ = config.getPassExceptions(); 69 | tcpPort_ = config.getRemoteTCPPort(); 70 | haltInSEH_ = config.getHaltInSEH(); 71 | haltAfterSEH_ = config.getHaltAfterSEH(); 72 | logSEH_ = config.getLogSEH(); 73 | DoDataExchange(FALSE); 74 | } 75 | 76 | bool CIDAStealthPageMisc::savePageConfig() 77 | { 78 | if (DoDataExchange(TRUE)) 79 | { 80 | HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 81 | config.setPassExceptions(passExceptions_); 82 | config.setInlinePatching((InlinePatching)rdbPatchingMethod_); 83 | config.setRemoteTCPPort(tcpPort_); 84 | config.setHaltInSEH(haltInSEH_); 85 | config.setHaltAfterSEH(haltAfterSEH_); 86 | config.setLogSEH(logSEH_); 87 | return true; 88 | } 89 | else return false; 90 | } 91 | 92 | // needed to bind and populate CComboBox 93 | BOOL CIDAStealthPageMisc::OnInitDialog(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& bHandled) 94 | { 95 | DoDataExchange(FALSE); 96 | initComboBox(); 97 | bHandled = FALSE; 98 | return TRUE; 99 | } 100 | 101 | // get currently selected profile and propagate new profile 102 | void CIDAStealthPageMisc::switchProfile() 103 | { 104 | int itemID = cboProfiles_.GetCurSel(); 105 | if (itemID != CB_ERR) 106 | { 107 | WTL::CString itemText; 108 | cboProfiles_.GetLBText(itemID, itemText); 109 | std::string profile = (const char*)itemText; 110 | parentDlg_->loadNewProfile(profile); 111 | } 112 | } 113 | 114 | void CIDAStealthPageMisc::initComboBox() 115 | { 116 | const HideDebuggerConfig& config = HideDebuggerConfig::getInstance(); 117 | BOOST_FOREACH(const std::string& profile, config.getProfiles()) 118 | { 119 | int itemID = cboProfiles_.AddString(profile.c_str()); 120 | if (profile == config.getCurrentProfile()) cboProfiles_.SetCurSel(itemID); 121 | } 122 | } -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver/StealthDriver.cpp: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Original filename: StealthDriver.cpp 6 | /// Project : StealthDriver 7 | /// Date of creation : 2009-11-27 8 | /// Author(s) : Jan Newger 9 | /// 10 | /// Purpose : 11 | /// 12 | /// Revisions: 13 | /// 0000 [2009-11-27] Initial revision. 14 | /// 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | // $Id$ 18 | 19 | #include 20 | #include "StealthDriver.h" 21 | #include "StealthImplementation.h" 22 | #include 23 | 24 | namespace 25 | { 26 | PDRIVER_OBJECT pdoGlobalDrvObj = 0; 27 | PRESET_UNICODE_STRING(usDeviceName, STEALTH_DEVICE_NAME); 28 | PRESET_UNICODE_STRING(usSymlinkName, STEALTH_SYMLINK_NAME); 29 | } 30 | 31 | NTSTATUS STEALTHDRIVER_DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) 32 | { 33 | NTSTATUS status = STATUS_SUCCESS; 34 | Irp->IoStatus.Status = status; 35 | Irp->IoStatus.Information = 0; 36 | IoCompleteRequest(Irp, IO_NO_INCREMENT); 37 | return status; 38 | } 39 | 40 | NTSTATUS handleHook(PIRP Irp, PIO_STACK_LOCATION irpSp) 41 | { 42 | __try 43 | { 44 | if (irpSp->Parameters.DeviceIoControl.InputBufferLength == sizeof(int)) 45 | { 46 | StealthHook hookType = *(StealthHook*)Irp->AssociatedIrp.SystemBuffer; 47 | hookSysCall(hookType); 48 | } 49 | } 50 | __except(EXCEPTION_EXECUTE_HANDLER) 51 | { 52 | return STATUS_INVALID_PARAMETER; 53 | } 54 | return STATUS_SUCCESS; 55 | } 56 | 57 | NTSTATUS STEALTHDRIVER_DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) 58 | { 59 | NTSTATUS status = STATUS_SUCCESS; 60 | PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp); 61 | 62 | switch(irpSp->Parameters.DeviceIoControl.IoControlCode) 63 | { 64 | case IOCTL_STEALTHDRIVER_ENABLE_HOOKS: 65 | status = handleHook(Irp, irpSp); 66 | break; 67 | 68 | default: 69 | Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; 70 | Irp->IoStatus.Information = 0; 71 | break; 72 | } 73 | 74 | status = Irp->IoStatus.Status; 75 | IoCompleteRequest(Irp, IO_NO_INCREMENT); 76 | return status; 77 | } 78 | 79 | VOID STEALTHDRIVER_DriverUnload(IN PDRIVER_OBJECT DriverObject) 80 | { 81 | PDEVICE_OBJECT pdoNextDeviceObj = pdoGlobalDrvObj->DeviceObject; 82 | IoDeleteSymbolicLink(&usSymlinkName); 83 | 84 | // Delete all the device objects 85 | while(pdoNextDeviceObj) 86 | { 87 | PDEVICE_OBJECT pdoThisDeviceObj = pdoNextDeviceObj; 88 | pdoNextDeviceObj = pdoThisDeviceObj->NextDevice; 89 | IoDeleteDevice(pdoThisDeviceObj); 90 | } 91 | 92 | // remove hooks 93 | unhookSysCall(SH_NtSetInformationThread); 94 | unhookSysCall(SH_NtQueryInformationProcess); 95 | } 96 | 97 | #ifdef __cplusplus 98 | extern "C" { 99 | #endif 100 | NTSTATUS DriverEntry(IN OUT PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) 101 | { 102 | PDEVICE_OBJECT pdoDeviceObj = 0; 103 | NTSTATUS status = STATUS_UNSUCCESSFUL; 104 | pdoGlobalDrvObj = DriverObject; 105 | 106 | // Create the device object. 107 | if(!NT_SUCCESS(status = IoCreateDevice(DriverObject, 0, &usDeviceName, 108 | FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pdoDeviceObj))) 109 | { 110 | // Bail out (implicitly forces the driver to unload). 111 | return status; 112 | } 113 | 114 | // Now create the respective symbolic link object 115 | if(!NT_SUCCESS(status = IoCreateSymbolicLink(&usSymlinkName, &usDeviceName))) 116 | { 117 | IoDeleteDevice(pdoDeviceObj); 118 | return status; 119 | } 120 | 121 | if (!initSysCallHooking()) return STATUS_UNSUCCESSFUL; 122 | 123 | // NOTE: You need not provide your own implementation for any major function that 124 | // you do not want to handle. I have seen code using DDKWizard that left the 125 | // *empty* dispatch routines intact. This is not necessary at all! 126 | DriverObject->MajorFunction[IRP_MJ_CREATE] = 127 | DriverObject->MajorFunction[IRP_MJ_CLOSE] = STEALTHDRIVER_DispatchCreateClose; 128 | DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = STEALTHDRIVER_DispatchDeviceControl; 129 | DriverObject->DriverUnload = STEALTHDRIVER_DriverUnload; 130 | 131 | return STATUS_SUCCESS; 132 | } 133 | #ifdef __cplusplus 134 | }; // extern "C" 135 | #endif -------------------------------------------------------------------------------- /src/NInjectLib/RemoteLibCall.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteLibCall.h" 2 | #include 3 | 4 | #pragma pack(push, 1) 5 | 6 | // this struct holds all data needed to perform a remote call 7 | struct REMOTELIB_DATA 8 | { 9 | void* getProcAddress; 10 | HMODULE hDll; 11 | int functionNr; 12 | int errorFlag; 13 | char functionName[MaxFuncNameLength]; 14 | }; 15 | 16 | #pragma pack(pop) 17 | 18 | RemoteLibCall::RemoteLibCall(const InjectLibrary& library, const Process& process) 19 | : process_(process) 20 | { 21 | hDll_ = library.getDllHandle(); 22 | if (hDll_ == NULL) throw std::exception("Invalid dll handle"); 23 | } 24 | 25 | RemoteLibCall::~RemoteLibCall() 26 | { 27 | } 28 | 29 | // preform remote call by name 30 | bool RemoteLibCall::remoteCall(const std::string& functionName) 31 | { 32 | if (functionName.length() >= MaxFuncNameLength) throw std::exception("Function name too long!"); 33 | functionName_ = functionName; 34 | functionNumber_ = -1; 35 | return remoteCall(); 36 | } 37 | 38 | // perform remote call by ordinal 39 | bool RemoteLibCall::remoteCall(unsigned int exportNumber) 40 | { 41 | functionNumber_ = exportNumber; 42 | functionName_ = ""; 43 | return remoteCall(); 44 | } 45 | 46 | // create specific data/code payloads and use genericinjector to start the remote code 47 | // returns true if remote call succeeded otherwise false 48 | bool RemoteLibCall::remoteCall() 49 | { 50 | GenericInjector injector(process_); 51 | INJECT_DATAPAYLOAD data = createDataPayload(); 52 | INJECT_CODEPAYLOAD code = createCodePayload(); 53 | bool noError = false; 54 | injector.doInjection(data, code); 55 | unsigned int* errorFlagAddr = (unsigned int*)injector.getAddrOfData(); 56 | errorFlagAddr += 12; 57 | unsigned int errorFlag; 58 | process_.readMemory(errorFlagAddr, &errorFlag, sizeof(unsigned int)); 59 | noError = (errorFlag != 0); 60 | 61 | free(data.data); 62 | free(code.code); 63 | return noError; 64 | } 65 | 66 | INJECT_DATAPAYLOAD RemoteLibCall::createDataPayload() 67 | { 68 | REMOTELIB_DATA* tmpData = (REMOTELIB_DATA*)malloc(sizeof(REMOTELIB_DATA)); 69 | // set functionNr to -1 if we call by name 70 | if (functionNumber_ == -1) 71 | { 72 | strcpy_s(tmpData->functionName, MaxFuncNameLength, functionName_.c_str()); 73 | tmpData->functionNr = -1; 74 | } 75 | else tmpData->functionNr = functionNumber_; 76 | 77 | // the remote process needs the actual address of GetProcAddress and our dll handle 78 | HMODULE hKernel32 = LoadLibrary(_T("kernel32.dll")); 79 | tmpData->getProcAddress = GetProcAddress(hKernel32, "GetProcAddress"); 80 | // save handle of the dll we want to call 81 | tmpData->hDll = hDll_; 82 | 83 | INJECT_DATAPAYLOAD injectData; 84 | injectData.data = tmpData; 85 | injectData.size = sizeof(REMOTELIB_DATA); 86 | return injectData; 87 | } 88 | 89 | #pragma warning(disable : 4731 4740) 90 | 91 | //create code to perform remote call 92 | INJECT_CODEPAYLOAD RemoteLibCall::createCodePayload() 93 | { 94 | size_t s, e; 95 | void* source; 96 | 97 | __asm 98 | { 99 | mov s, offset start 100 | mov e, offset end 101 | mov source, offset start 102 | jmp end // we only want to copy this code - not execute it so jump over it 103 | start: 104 | // create standard stack frame 105 | push ebp 106 | mov ebp, esp 107 | push ebx 108 | push esi 109 | push edi 110 | 111 | mov esi, [ebp+8] // get first param, ESI now points to strcut 112 | mov edi, [esi] // get getprocaddress pointer 113 | mov ebx, [esi+8] // get functionNr 114 | mov ecx, [esi+4] // get module handle 115 | cmp ebx, 0xFFFFFFFF 116 | jnz byOrdinal 117 | lea ebx, [esi+16] // get pointer to function name 118 | 119 | byOrdinal: 120 | push ebx 121 | push ecx 122 | call edi // call getprocaddress 123 | test eax, eax // could we resolve the funtion? 124 | jz error 125 | call eax // call exported function 126 | mov eax, 1 127 | jmp finished 128 | 129 | error: 130 | xor eax, eax 131 | 132 | finished: 133 | mov [esi+12], eax // save error flag 134 | pop edi 135 | pop esi 136 | pop ebx 137 | pop ebp 138 | //pop ebx 139 | //pop esi 140 | //pop edi 141 | //pop ebp 142 | ret 143 | end: 144 | } 145 | 146 | INJECT_CODEPAYLOAD tmpPayload; 147 | tmpPayload.size = e - s; 148 | tmpPayload.code = malloc(tmpPayload.size); 149 | // copying code from code section should always work 150 | memcpy(tmpPayload.code, source, tmpPayload.size); 151 | return tmpPayload; 152 | } 153 | 154 | #pragma warning(default: 4731 4740) -------------------------------------------------------------------------------- /src/RDTSCEmu/distorm/config.h: -------------------------------------------------------------------------------- 1 | /* 2 | config.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef CONFIG_H 10 | #define CONFIG_H 11 | 12 | /* diStorm version number. */ 13 | #define DISTORM_VER 0x01071e 14 | 15 | #include /* strlen, memset, memcpy - can be easily self implemented for libc independency. */ 16 | 17 | /* 18 | * 64 bit offsets support: 19 | * This macro should be defined from compiler command line flags, e.g: -DSUPPORT_64BIT_OFFSET 20 | * #define SUPPORT_64BIT_OFFSET 21 | * Note: make sure that the caller (library user) defines it too! 22 | */ 23 | 24 | /* 25 | * If you compile diStorm as a .DLL file, make sure you uncomment the next line. 26 | * So the interface functions will be exported, otherwise they are useable only as a library. 27 | * For example, the Python extension module defines this macro in its configuration. 28 | */ 29 | /* #define _DLL */ 30 | 31 | /* 32 | * diStorm now supports little/big endian CPU's. 33 | * It should detect the endianness according to predefined macro's of the compiler. 34 | * If you don't use GCC/MSVC you will have to define it on your own. 35 | */ 36 | 37 | /* These macros are used in order to make the code portable. */ 38 | #ifdef __GNUC__ 39 | 40 | #include 41 | 42 | #define _PACKED_ __attribute__((__packed__)) 43 | #define _DLLEXPORT_ 44 | #define _FASTCALL_ 45 | #define _INLINE_ static __inline__ 46 | /* GCC ignores this directive... */ 47 | /*#define _FASTCALL_ __attribute__((__fastcall__)) */ 48 | 49 | /* Set endianity (supposed to be LE though): */ 50 | #ifdef __BIG_ENDIAN__ 51 | #define BE_SYSTEM 52 | #endif 53 | 54 | /* End of __GCC__ */ 55 | 56 | #elif __WATCOMC__ 57 | 58 | #include 59 | 60 | #define _PACKED_ 61 | #define _DLLEXPORT_ 62 | #define _FASTCALL_ 63 | #define _INLINE_ __inline 64 | 65 | /* End of __WATCOMC__ */ 66 | 67 | #elif __DMC__ 68 | 69 | #include 70 | 71 | #define _PACKED_ 72 | #define _DLLEXPORT_ 73 | #define _FASTCALL_ 74 | #define _INLINE_ static __inline 75 | 76 | /* End of __DMC__ */ 77 | 78 | #elif __TINYC__ 79 | 80 | #include 81 | 82 | #define _PACKED_ 83 | #define _DLLEXPORT_ 84 | #define _FASTCALL_ 85 | #define _INLINE_ static 86 | 87 | /* End of __TINYC__ */ 88 | 89 | #elif _MSC_VER 90 | 91 | /* Since MSVC isn't shipped with stdint.h, we will have our own: */ 92 | typedef signed __int64 int64_t; 93 | typedef unsigned __int64 uint64_t; 94 | typedef signed __int32 int32_t; 95 | typedef unsigned __int32 uint32_t; 96 | typedef signed __int16 int16_t; 97 | typedef unsigned __int16 uint16_t; 98 | typedef signed __int8 int8_t; 99 | typedef unsigned __int8 uint8_t; 100 | 101 | #define _PACKED_ 102 | #define _DLLEXPORT_ __declspec(dllexport) 103 | #define _FASTCALL_ __fastcall 104 | #define _INLINE_ static __inline 105 | 106 | /* Set endianity (supposed to be LE though): */ 107 | #ifndef _M_IX86 108 | #define BE_SYSTEM 109 | #endif 110 | 111 | #endif /* #elif _MSC_VER */ 112 | 113 | /* 32 or 64 bits integer for instruction offset. */ 114 | #ifdef SUPPORT_64BIT_OFFSET 115 | #define OFFSET_INTEGER uint64_t 116 | #else 117 | #define OFFSET_INTEGER uint32_t 118 | #endif 119 | 120 | #ifndef FALSE 121 | #define FALSE 0 122 | #endif 123 | #ifndef TRUE 124 | #define TRUE 1 125 | #endif 126 | 127 | /* If the library isn't compiled as a .DLL don't export functions. */ 128 | #ifndef _DLL 129 | #undef _DLLEXPORT_ 130 | #define _DLLEXPORT_ 131 | #endif 132 | 133 | /* Define stream read functions for big endian systems. */ 134 | #ifdef BE_SYSTEM 135 | /* 136 | * These functions can read from the stream safely! 137 | * Swap endianity of input to little endian. 138 | */ 139 | _INLINE_ int16_t RSHORT(const uint8_t *s) 140 | { 141 | return s[0] | (s[1] << 8); 142 | } 143 | _INLINE_ uint16_t RUSHORT(const uint8_t *s) 144 | { 145 | return s[0] | (s[1] << 8); 146 | } 147 | _INLINE_ int32_t RLONG(const uint8_t *s) 148 | { 149 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24); 150 | } 151 | _INLINE_ uint32_t RULONG(const uint8_t *s) 152 | { 153 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24); 154 | } 155 | #else 156 | /* Little endian macro's will just make the cast. */ 157 | #define RSHORT(x) *(int16_t *)x 158 | #define RUSHORT(x) *(uint16_t *)x 159 | #define RLONG(x) *(int32_t *)x 160 | #define RULONG(x) *(uint32_t *)x 161 | #endif 162 | 163 | #endif /* CONFIG_H */ 164 | -------------------------------------------------------------------------------- /src/NCodeHook/NCodeHook.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include "NCodeHookItem.h" 7 | #include "distorm.h" 8 | 9 | class ArchitectureCommon 10 | { 11 | public: 12 | ArchitectureCommon() {}; 13 | ~ArchitectureCommon() {}; 14 | 15 | template 16 | int getMinOffset(const unsigned char* codePtr, unsigned int jumpPatchSize) 17 | { 18 | const unsigned int MaxInstructions = 20; 19 | _DecodeResult result; 20 | _DecodedInst instructions[MaxInstructions]; 21 | unsigned int instructionCount = 0; 22 | 23 | result = distorm_decode(0, codePtr, 20, ArchT::DisasmType, instructions, MaxInstructions, &instructionCount); 24 | if (result != DECRES_SUCCESS) return -1; 25 | 26 | int offset = 0; 27 | for (unsigned int i = 0; offset < jumpPatchSize && i < instructionCount; ++i) 28 | offset += instructions[i].size; 29 | // if we were unable to disassemble enough instructions we fail 30 | if (offset < ArchT::NearJumpPatchSize) return -1; 31 | 32 | return offset; 33 | } 34 | 35 | virtual bool requiresAbsJump(uintptr_t from, uintptr_t to) 36 | { 37 | uintptr_t jmpDistance = from > to ? from - to : to - from; 38 | return jmpDistance <= 0x7FFF0000 ? false : true; 39 | }; 40 | 41 | virtual void writeJump(uintptr_t from, uintptr_t to) 42 | { 43 | if (requiresAbsJump(from, to)) writeAbsJump(from, to); 44 | else writeNearJump(from, to); 45 | } 46 | 47 | virtual void writeNearJump(uintptr_t from, uintptr_t to) =0; 48 | virtual void writeAbsJump(uintptr_t from, uintptr_t to) =0; 49 | }; 50 | 51 | class ArchitectureIA32 : public ArchitectureCommon 52 | { 53 | public: 54 | ArchitectureIA32() {}; 55 | ~ArchitectureIA32() {}; 56 | 57 | static const _DecodeType DisasmType = Decode32Bits; 58 | static const unsigned int NearJumpPatchSize = sizeof(int) + 1; 59 | static const unsigned int AbsJumpPatchSize = sizeof(uintptr_t) * 2 + 2; 60 | // max trampoline size = longest instruction (6) starting 1 byte before jump patch boundary 61 | static const unsigned int MaxTrampolineSize = AbsJumpPatchSize - 1 + 6; 62 | 63 | void writeNearJump(uintptr_t from, uintptr_t to) 64 | { 65 | unsigned char opcodes[NearJumpPatchSize]; 66 | int offset = (int)(to - from - NearJumpPatchSize); 67 | opcodes[0] = 0xE9; 68 | *((int*)&opcodes[1]) = offset; 69 | memcpy((void*)from, opcodes, NearJumpPatchSize); 70 | } 71 | 72 | void writeAbsJump(uintptr_t from, uintptr_t to) 73 | { 74 | unsigned char opcodes[AbsJumpPatchSize]; 75 | opcodes[0] = 0xFF; 76 | opcodes[1] = 0x25; 77 | *((uintptr_t*)&opcodes[2]) = from + 6; 78 | *((uintptr_t*)&opcodes[6]) = to; 79 | memcpy((void*)from, opcodes, AbsJumpPatchSize); 80 | } 81 | }; 82 | 83 | class ArchitectureX64 : public ArchitectureIA32 84 | { 85 | public: 86 | ArchitectureX64() {}; 87 | ~ArchitectureX64() {}; 88 | 89 | static const _DecodeType DisasmType = Decode64Bits; 90 | static const unsigned int NearJumpPatchSize = sizeof(int) + 1; 91 | static const unsigned int AbsJumpPatchSize = 2 * sizeof(uintptr_t) + 2; 92 | static const unsigned int MaxTrampolineSize = AbsJumpPatchSize - 1 + 6; 93 | 94 | void writeAbsJump(uintptr_t from, uintptr_t to) 95 | { 96 | unsigned char opcodes[AbsJumpPatchSize]; 97 | opcodes[0] = 0xFF; 98 | opcodes[1] = 0x25; 99 | *((int*)&opcodes[2]) = 0; 100 | *((uintptr_t*)&opcodes[6]) = to; 101 | memcpy((void*)from, opcodes, AbsJumpPatchSize); 102 | }; 103 | }; 104 | 105 | template 106 | class NCodeHook 107 | { 108 | public: 109 | 110 | NCodeHook(bool cleanOnDestruct=true); 111 | ~NCodeHook(); 112 | 113 | template U createHook(U originalFunc, U hookFunc); 114 | template U createHookByName(const std::string& dll, const std::string& funcName, U newFunc); 115 | template bool removeHook(U address); 116 | 117 | void forceAbsoluteJumps(bool value) { forceAbsJmp_ = value; } 118 | 119 | private: 120 | // get rid of useless compiler warning C4512 by making operator= private 121 | NCodeHook& operator=(const NCodeHook&); 122 | 123 | uintptr_t getFreeTrampoline(); 124 | bool removeHook(NCodeHookItem item); 125 | int getMinOffset(const unsigned char* codePtr, unsigned int jumpPatchSize); 126 | bool isBranch(const char* instr); 127 | std::set freeTrampolines_; 128 | std::map hookedFunctions_; 129 | void* trampolineBuffer_; 130 | const unsigned int MaxTotalTrampolineSize; 131 | bool cleanOnDestruct_; 132 | ArchT architecture_; 133 | bool forceAbsJmp_; 134 | }; -------------------------------------------------------------------------------- /src/StealthDriver/StealthDriver.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "StealthDriver.W7", "StealthDriver\StealthDriver.W7.vcxproj", "{D42B8C42-9344-44E7-844C-524F13995981}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | W7 checked (PREfast)|Win32 = W7 checked (PREfast)|Win32 9 | W7 checked|Win32 = W7 checked|Win32 10 | W7 free|Win32 = W7 free|Win32 11 | W7LH checked (PREfast)|Win32 = W7LH checked (PREfast)|Win32 12 | W7LH checked|Win32 = W7LH checked|Win32 13 | W7LH free|Win32 = W7LH free|Win32 14 | W7NET checked (PREfast)|Win32 = W7NET checked (PREfast)|Win32 15 | W7NET checked|Win32 = W7NET checked|Win32 16 | W7NET free|Win32 = W7NET free|Win32 17 | W7XP checked (PREfast)|Win32 = W7XP checked (PREfast)|Win32 18 | W7XP checked|Win32 = W7XP checked|Win32 19 | W7XP free|Win32 = W7XP free|Win32 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked (PREfast)|Win32.ActiveCfg = W7 checked (PREfast)|Win32 23 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked (PREfast)|Win32.Build.0 = W7 checked (PREfast)|Win32 24 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked (PREfast)|Win32.Deploy.0 = W7 checked (PREfast)|Win32 25 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked|Win32.ActiveCfg = W7 checked|Win32 26 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked|Win32.Build.0 = W7 checked|Win32 27 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked|Win32.Deploy.0 = W7 checked|Win32 28 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 free|Win32.ActiveCfg = W7 free|Win32 29 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 free|Win32.Build.0 = W7 free|Win32 30 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 free|Win32.Deploy.0 = W7 free|Win32 31 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked (PREfast)|Win32.ActiveCfg = W7LH checked (PREfast)|Win32 32 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked (PREfast)|Win32.Build.0 = W7LH checked (PREfast)|Win32 33 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked (PREfast)|Win32.Deploy.0 = W7LH checked (PREfast)|Win32 34 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked|Win32.ActiveCfg = W7LH checked|Win32 35 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked|Win32.Build.0 = W7LH checked|Win32 36 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked|Win32.Deploy.0 = W7LH checked|Win32 37 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH free|Win32.ActiveCfg = W7LH free|Win32 38 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH free|Win32.Build.0 = W7LH free|Win32 39 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH free|Win32.Deploy.0 = W7LH free|Win32 40 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked (PREfast)|Win32.ActiveCfg = W7NET checked (PREfast)|Win32 41 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked (PREfast)|Win32.Build.0 = W7NET checked (PREfast)|Win32 42 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked (PREfast)|Win32.Deploy.0 = W7NET checked (PREfast)|Win32 43 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked|Win32.ActiveCfg = W7NET checked|Win32 44 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked|Win32.Build.0 = W7NET checked|Win32 45 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked|Win32.Deploy.0 = W7NET checked|Win32 46 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET free|Win32.ActiveCfg = W7NET free|Win32 47 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET free|Win32.Build.0 = W7NET free|Win32 48 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET free|Win32.Deploy.0 = W7NET free|Win32 49 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked (PREfast)|Win32.ActiveCfg = W7XP checked (PREfast)|Win32 50 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked (PREfast)|Win32.Build.0 = W7XP checked (PREfast)|Win32 51 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked (PREfast)|Win32.Deploy.0 = W7XP checked (PREfast)|Win32 52 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked|Win32.ActiveCfg = W7XP checked|Win32 53 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked|Win32.Build.0 = W7XP checked|Win32 54 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked|Win32.Deploy.0 = W7XP checked|Win32 55 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP free|Win32.ActiveCfg = W7XP free|Win32 56 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP free|Win32.Build.0 = W7XP free|Win32 57 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP free|Win32.Deploy.0 = W7XP free|Win32 58 | EndGlobalSection 59 | GlobalSection(SolutionProperties) = preSolution 60 | HideSolutionNode = FALSE 61 | EndGlobalSection 62 | EndGlobal 63 | -------------------------------------------------------------------------------- /src/IDAStealth/RDTSCDriver.cpp: -------------------------------------------------------------------------------- 1 | #include "RDTSCDriver.h" 2 | #include 3 | #include 4 | #include 5 | 6 | using namespace std; 7 | using namespace boost::filesystem; 8 | 9 | RDTSCDriver::RDTSCDriver() : 10 | running_(false) 11 | { 12 | } 13 | 14 | // the driver is NOT unloaded if the class is destroyed because the user might 15 | // want to use it although this controller class is gone out of scope 16 | RDTSCDriver::~RDTSCDriver() 17 | { 18 | } 19 | 20 | // start or stop given driver 21 | void RDTSCDriver::controlDriver(const std::string& driverPath, const std::string& driverName, bool load) const 22 | { 23 | DWORD lastError = 0; 24 | 25 | SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 26 | if (hSCManager == NULL) throwSysError(GetLastError(), "Unable to open service manager"); 27 | 28 | SC_HANDLE hService = CreateService(hSCManager, driverName.c_str(), driverName.c_str(), SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driverPath.c_str(), NULL, NULL, NULL, NULL, NULL); 29 | if (!hService) 30 | { 31 | lastError = GetLastError(); 32 | if (lastError == ERROR_SERVICE_EXISTS) 33 | { 34 | hService = OpenService(hSCManager, driverName.c_str(), SERVICE_ALL_ACCESS); 35 | } 36 | else 37 | { 38 | CloseServiceHandle(hSCManager); 39 | throwSysError(lastError, "Error while trying to create RDTSC driver service"); 40 | } 41 | } 42 | 43 | if (load) 44 | { 45 | if (!StartService(hService, 0, NULL)) 46 | { 47 | lastError = GetLastError(); 48 | if (lastError != ERROR_SERVICE_ALREADY_RUNNING) 49 | { 50 | CloseServiceHandle(hSCManager); 51 | CloseServiceHandle(hService); 52 | throwSysError(lastError, "Error while trying to start RDTSC driver service"); 53 | } 54 | } 55 | } 56 | else 57 | { 58 | SERVICE_STATUS ss; 59 | ControlService(hService, SERVICE_CONTROL_STOP, &ss); 60 | if (!DeleteService(hService)) 61 | { 62 | lastError = GetLastError(); 63 | CloseServiceHandle(hSCManager); 64 | CloseServiceHandle(hService); 65 | throwSysError(lastError, "Error while trying to stop RDTSC driver"); 66 | } 67 | } 68 | 69 | CloseServiceHandle(hSCManager); 70 | CloseServiceHandle(hService); 71 | } 72 | 73 | // extracts the driver file and starts it with the given name 74 | // if no name is given, a random name is generated 75 | void RDTSCDriver::startDriver(const ResourceItem& ri, const string& driverName) 76 | { 77 | if (running_) return; 78 | 79 | string drvName = driverName; 80 | if (drvName.empty()) 81 | { 82 | drvName = genRandomDrvName(); 83 | } 84 | 85 | char tmpPath[MAX_PATH]; 86 | GetTempPath(MAX_PATH, tmpPath); 87 | path p(tmpPath); 88 | p /= drvName + ".sys"; 89 | if (ri.saveDataToFile(p.string())) 90 | { 91 | driverPath_ = p.string(); 92 | driverName_ = drvName; 93 | controlDriver(driverPath_, driverName_, true); 94 | running_ = true; 95 | } 96 | else throw std::runtime_error("Error while trying to save RDTSC driver to file: " + p.string()); 97 | } 98 | 99 | void RDTSCDriver::stopDriver() 100 | { 101 | if (!running_) return; 102 | 103 | controlDriver(driverPath_, driverName_, false); 104 | DeleteFile(driverPath_.c_str()); 105 | running_ = false; 106 | } 107 | 108 | // set emulation mode for running driver 109 | bool RDTSCDriver::setMode(RDTSCMode mode, unsigned int param) const 110 | { 111 | bool retVal = false; 112 | string rdtscDevice = "\\\\.\\" + driverName_; 113 | HANDLE hDevice = CreateFile(rdtscDevice.c_str(), GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 114 | if (hDevice != INVALID_HANDLE_VALUE) 115 | { 116 | DWORD bytesReturned; 117 | DWORD ioctlCode = mode == constant ? (DWORD)IOCTL_RDTSCEMU_METHOD_ALWAYS_CONST : (DWORD)IOCTL_RDTSCEMU_METHOD_INCREASING; 118 | if (DeviceIoControl(hDevice, ioctlCode, ¶m, sizeof(unsigned int), NULL, 0, &bytesReturned, NULL)) 119 | { 120 | retVal = true; 121 | } 122 | CloseHandle(hDevice); 123 | } 124 | 125 | return retVal; 126 | } 127 | 128 | string RDTSCDriver::genRandomDrvName() const 129 | { 130 | ostringstream oss; 131 | LARGE_INTEGER seed; 132 | if (QueryPerformanceCounter(&seed)) 133 | { 134 | oss << hex << seed.HighPart << seed.LowPart; 135 | } 136 | else 137 | { 138 | // fallback 139 | oss << hex << GetTickCount(); 140 | } 141 | 142 | return oss.str(); 143 | } 144 | 145 | void RDTSCDriver::throwSysError(unsigned int lastError, const std::string& msg) const 146 | { 147 | ostringstream oss; 148 | oss << msg << ", system error code was: " << lastError; 149 | throw std::runtime_error(oss.str()); 150 | } -------------------------------------------------------------------------------- /src/HideDebugger/HookHelper.cpp: -------------------------------------------------------------------------------- 1 | #include "HookHelper.h" 2 | #include "IPCConfigExchangeReader.h" 3 | #include 4 | 5 | // global variables 6 | NtQueryInformationProcessFPtr origNtQueryInformationProcess = NULL; 7 | NtSetInformationThreadFPtr origNtSetInformationThread = NULL; 8 | NtQueryObjectFPtr origNtQueryObject = NULL; 9 | NtCloseFPtr origNtClose = NULL; 10 | NtQuerySystemInformationFPtr origNtQuerySystemInformation = NULL; 11 | OutputDebugStringAFPtr origOutputDebugStringA = NULL; 12 | OutputDebugStringWFPtr origOutputDebugStringW = NULL; 13 | OpenProcessFPtr origOpenProcess = NULL; 14 | KiUserExceptionDispatcherFPtr origKiUserExceptDisp = NULL; 15 | NtSetContextThreadFPtr origSetThreadContext = NULL; 16 | NtGetContextThreadFPtr origGetThreadContext = NULL; 17 | NtYieldExecutionFPtr origNtYieldExecution = NULL; 18 | FindWindowAFPtr origFindWindowA = NULL; 19 | FindWindowWFPtr origFindWindowW = NULL; 20 | FindWindowExAFPtr origFindWindowExA = NULL; 21 | FindWindowExWFPtr origFindWindowExW = NULL; 22 | EnumWindowsFPtr origEnumWindows = NULL; 23 | NCodeHookIA32 nCodeHook; 24 | const char* NTDLL = "ntdll.dll"; 25 | const char* K32DLL = "kernel32.dll"; 26 | const char* U32DLL = "user32.dll"; 27 | 28 | void dbgPrint(const std::string& msg) 29 | { 30 | std::string dbgStr = "HideDebugger.dll: " + msg; 31 | OutputDebugStringA(dbgStr.c_str()); 32 | } 33 | 34 | // convert given process handle to process ID 35 | DWORD handleToProcessID(HANDLE hProcess) 36 | { 37 | PROCESS_BASIC_INFORMATION pbi; 38 | ZeroMemory(&pbi, sizeof(PROCESS_BASIC_INFORMATION)); 39 | if (origNtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL) == STATUS_SUCCESS) 40 | return pbi.UniqueProcessId; 41 | else return (DWORD)-1; 42 | } 43 | 44 | // return name of current process 45 | std::wstring getProcessName() 46 | { 47 | wchar_t pathBuffer[MAX_PATH]; 48 | DWORD size = GetModuleFileNameW(NULL, pathBuffer, MAX_PATH - 1); 49 | if (!size) return std::wstring(L""); 50 | std::wstring exeName = std::wstring(pathBuffer); 51 | if (exeName[exeName.length()-1] == '\\') exeName.erase(exeName.length()-1); 52 | size_t index = exeName.find_last_of(L"\\") + 1; 53 | exeName.erase(exeName.begin(), exeName.begin() + index); 54 | return exeName; 55 | } 56 | 57 | // try to check if a given handle is valid 58 | bool isHandleValid(HANDLE handle) 59 | { 60 | // Note: we might produce false negatives here due to access restrictions of the debuggee (PROCESS_DUP_HANDLE) 61 | HANDLE duplicatedHandle; 62 | if (DuplicateHandle(GetCurrentProcess(), handle, GetCurrentProcess(), &duplicatedHandle, 0, FALSE, DUPLICATE_SAME_ACCESS)) 63 | { 64 | CloseHandle(duplicatedHandle); 65 | return true; 66 | } 67 | return false; 68 | } 69 | 70 | void restoreNTHeaders() 71 | { 72 | try 73 | { 74 | IPC::IPCConfigExchangeReader ipcReader; 75 | // we don't need to restore the PE headers when we attach to a process 76 | if (ipcReader.isPERestoreRequired()) 77 | { 78 | IPC::IPCPEHeaderData peData = ipcReader.getIPCPEHeaderData(); 79 | // read DOS header, advance to NT headers and restore them 80 | DWORD oldProtection; 81 | PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)peData.imageBase; 82 | VirtualProtect((LPVOID)pDosHeader, sizeof(IMAGE_DOS_HEADER), PAGE_EXECUTE_READWRITE, &oldProtection); 83 | PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)(pDosHeader->e_lfanew + peData.imageBase); 84 | VirtualProtect((LPVOID)pDosHeader, sizeof(IMAGE_DOS_HEADER), oldProtection, &oldProtection); 85 | 86 | VirtualProtect(pNtHeaders, sizeof(IMAGE_NT_HEADERS), PAGE_EXECUTE_READWRITE, &oldProtection); 87 | *pNtHeaders = peData.ntHeaders; 88 | VirtualProtect(pNtHeaders, sizeof(IMAGE_NT_HEADERS), oldProtection, &oldProtection); 89 | } 90 | } 91 | catch (const std::exception& e) 92 | { 93 | dbgPrint("Error while restoring NT headers: " + std::string(e.what())); 94 | } 95 | catch (...) 96 | { 97 | dbgPrint("SEH exception while trying to restore PE header"); 98 | } 99 | } 100 | 101 | DWORD handleToThreadID(HANDLE hThread) 102 | { 103 | typedef NTSTATUS (NTAPI *NtQIT)(HANDLE, THREAD_INFORMATION_CLASS, PVOID, ULONG, PULONG); 104 | HMODULE hNt = LoadLibrary(NTDLL); 105 | NtQIT pNtQueryInfThread = (NtQIT)GetProcAddress(hNt, "NtQueryInformationThread"); 106 | if (pNtQueryInfThread) 107 | { 108 | THREAD_BASIC_INFORMATION tbi = {0}; 109 | ULONG retLength; 110 | NTSTATUS status; 111 | status = pNtQueryInfThread(hThread, ThreadBasicInformation, &tbi, sizeof(THREAD_BASIC_INFORMATION), &retLength); 112 | if (status != STATUS_SUCCESS) 113 | { 114 | dbgPrint("Failed to translate thread handle to corresponding thread ID"); 115 | } 116 | 117 | FreeLibrary(hNt); 118 | return (DWORD)tbi.ClientId.UniqueThread; 119 | } 120 | 121 | FreeLibrary(hNt); 122 | return 0; 123 | } -------------------------------------------------------------------------------- /src/NCodeHook/distorm.h: -------------------------------------------------------------------------------- 1 | /* diStorm64 1.7.28 */ 2 | 3 | /* 4 | distorm.h 5 | 6 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 7 | This library is licensed under the BSD license. See the file COPYING. 8 | 9 | This file is used in win32proj and linuxproj. 10 | */ 11 | 12 | /* 13 | * 64 bit offsets support: 14 | * If the diStorm library you use was compiled with 64 bits offsets, 15 | * make sure you compile your own code with the following macro set: 16 | * SUPPORT_64BIT_OFFSET 17 | * Otherwise comment it out, or you will get a linker error of an unresolved symbol... 18 | */ 19 | // TINYC has a problem with some 64bits library functions, so pass. 20 | #ifndef __TINYC__ 21 | #define SUPPORT_64BIT_OFFSET 22 | #endif 23 | 24 | /* If your compiler doesn't support stdint.h, define your own 64 bits type. */ 25 | #ifdef SUPPORT_64BIT_OFFSET 26 | #ifdef _MSC_VER 27 | #define OFFSET_INTEGER unsigned __int64 28 | #else 29 | #include 30 | #define OFFSET_INTEGER uint64_t 31 | #endif 32 | #else 33 | /* 32 bit offsets are used. */ 34 | #define OFFSET_INTEGER unsigned long 35 | #endif 36 | 37 | 38 | /* Support C++ compilers */ 39 | #ifdef __cplusplus 40 | extern "C" { 41 | #endif 42 | 43 | /* Decodes modes of the disassembler, 16 bits or 32 bits or 64 bits for AMD64, x86-64. */ 44 | typedef enum {Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2} _DecodeType; 45 | 46 | typedef OFFSET_INTEGER _OffsetType; 47 | 48 | /* Static size of strings. Do not change this value. */ 49 | #define MAX_TEXT_SIZE (60) 50 | typedef struct { 51 | unsigned int length; 52 | unsigned char p[MAX_TEXT_SIZE]; /* p is a null terminated string. */ 53 | } _WString; 54 | 55 | /* This structure holds all information the disassembler generates per instruction. */ 56 | typedef struct { 57 | _WString mnemonic; /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */ 58 | _WString operands; /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */ 59 | _WString instructionHex; /* Hex dump - little endian, including prefixes. */ 60 | unsigned int size; /* Size of decoded instruction. */ 61 | _OffsetType offset; /* Start offset of the decoded instruction. */ 62 | } _DecodedInst; 63 | 64 | /* Return code of the decoding function. */ 65 | typedef enum {DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR} _DecodeResult; 66 | 67 | /* distorm_decode 68 | * Input: 69 | * offset - Origin of the given code (virtual address that is), NOT an offset in code. 70 | * code - Pointer to the code buffer to be disassembled. 71 | * length - Amount of bytes that should be decoded from the code buffer. 72 | * dt - Decoding mode, 16 bits (Decode16Bits), 32 bits (Decode32Bits) or AMD64 (Decode64Bits). 73 | * result - Array of type _DecodeInst which will be used by this function in order to return the disassembled instructions. 74 | * maxInstructions - The maximum number of entries in the result array that you pass to this function, so it won't exceed its bound. 75 | * usedInstructionsCount - Number of the instruction that successfully were disassembled and written to the result array. 76 | * Output: usedInstructionsCount will hold the number of entries used in the result array 77 | * and the result array itself will be filled with the disassembled instructions. 78 | * Return: DECRES_SUCCESS on success (no more to disassemble), DECRES_INPUTERR on input error (null code buffer, invalid decoding mode, etc...), 79 | * DECRES_MEMORYERR when there are not enough entries to use in the result array, BUT YOU STILL have to check for usedInstructionsCount! 80 | * Side-Effects: Even if the return code is DECRES_MEMORYERR, there might STILL be data in the 81 | * array you passed, this function will try to use as much entries as possible! 82 | * Notes: 1)The minimal size of maxInstructions is 15. 83 | * 2)You will have to synchronize the offset,code and length by yourself if you pass code fragments and not a complete code block! 84 | */ 85 | #ifdef SUPPORT_64BIT_OFFSET 86 | _DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount); 87 | #define distorm_decode distorm_decode64 88 | #else 89 | _DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount); 90 | #define distorm_decode distorm_decode32 91 | #endif 92 | 93 | /* 94 | * distorm_version 95 | * Input: 96 | * none 97 | * 98 | * Output: unsigned int - version of compiler library. 99 | */ 100 | unsigned int distorm_version(); 101 | 102 | #ifdef __cplusplus 103 | } /* End Of Extern */ 104 | #endif 105 | -------------------------------------------------------------------------------- /src/IDAStealth/DriverControl.cpp: -------------------------------------------------------------------------------- 1 | #include "DriverControl.h" 2 | #include 3 | #include 4 | #include 5 | 6 | using namespace std; 7 | using namespace boost::filesystem; 8 | 9 | DriverControl::DriverControl() : 10 | running_(false) 11 | { 12 | } 13 | 14 | // the driver is NOT unloaded if the class is destroyed because the user might 15 | // want to use it although this controller class has gone out of scope 16 | DriverControl::~DriverControl() 17 | { 18 | } 19 | 20 | // start or stop given driver 21 | void DriverControl::controlDriver(const std::string& driverPath, const std::string& driverName, bool load) const 22 | { 23 | DWORD lastError = 0; 24 | 25 | SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 26 | if (hSCManager == NULL) throwSysError(GetLastError(), "Unable to open service manager"); 27 | 28 | SC_HANDLE hService = CreateService(hSCManager, driverName.c_str(), driverName.c_str(), SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driverPath.c_str(), NULL, NULL, NULL, NULL, NULL); 29 | if (!hService) 30 | { 31 | lastError = GetLastError(); 32 | if (lastError == ERROR_SERVICE_EXISTS) 33 | { 34 | hService = OpenService(hSCManager, driverName.c_str(), SERVICE_ALL_ACCESS); 35 | } 36 | else 37 | { 38 | CloseServiceHandle(hSCManager); 39 | throwSysError(lastError, "Error while trying to create driver service with name: " + driverName); 40 | } 41 | } 42 | 43 | if (load) 44 | { 45 | if (!StartService(hService, 0, NULL)) 46 | { 47 | lastError = GetLastError(); 48 | if (lastError != ERROR_SERVICE_ALREADY_RUNNING) 49 | { 50 | CloseServiceHandle(hSCManager); 51 | CloseServiceHandle(hService); 52 | throwSysError(lastError, "Error while trying to start driver service"); 53 | } 54 | } 55 | } 56 | else 57 | { 58 | SERVICE_STATUS ss; 59 | ControlService(hService, SERVICE_CONTROL_STOP, &ss); 60 | if (!DeleteService(hService)) 61 | { 62 | lastError = GetLastError(); 63 | CloseServiceHandle(hSCManager); 64 | CloseServiceHandle(hService); 65 | throwSysError(lastError, "Error while trying to stop driver"); 66 | } 67 | } 68 | 69 | CloseServiceHandle(hSCManager); 70 | CloseServiceHandle(hService); 71 | } 72 | 73 | // extracts the driver file and starts it with the given name 74 | // if no name is given, a random name is generated 75 | void DriverControl::startDriver(const ResourceItem& ri, const string& driverName) 76 | { 77 | if (running_) return; 78 | 79 | string drvName = driverName; 80 | if (drvName.empty()) 81 | { 82 | drvName = genRandomDrvName(); 83 | } 84 | 85 | char tmpPath[MAX_PATH]; 86 | GetTempPath(MAX_PATH, tmpPath); 87 | path p(tmpPath); 88 | p /= drvName + ".sys"; 89 | if (ri.saveDataToFile(p.string())) 90 | { 91 | driverPath_ = p.string(); 92 | driverName_ = drvName; 93 | controlDriver(driverPath_, driverName_, true); 94 | running_ = true; 95 | } 96 | else throw std::runtime_error("Error while trying to save driver to file: " + p.string()); 97 | } 98 | 99 | void DriverControl::stopDriver() 100 | { 101 | if (!running_) return; 102 | controlDriver(driverPath_, driverName_, false); 103 | DeleteFile(driverPath_.c_str()); 104 | running_ = false; 105 | } 106 | 107 | // send IOCTL command to driver 108 | void DriverControl::setMode(unsigned int ioctlCode, void* param, size_t paramSize) const 109 | { 110 | string device = "\\\\.\\" + driverName_; 111 | HANDLE hDevice = CreateFile(device.c_str(), GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 112 | if (hDevice != INVALID_HANDLE_VALUE) 113 | { 114 | DWORD bytesReturned; 115 | // DeviceIoControl(hDevice, ioctlCode, ¶m, sizeof(unsigned int), NULL, 0, &bytesReturned, NULL)) 116 | if (!DeviceIoControl(hDevice, ioctlCode, param, paramSize, NULL, 0, &bytesReturned, NULL)) 117 | { 118 | DWORD lastErr = GetLastError(); 119 | CloseHandle(hDevice); 120 | throwSysError(lastErr, "Unable to send IOCTL command to driver: " + driverName_); 121 | } 122 | CloseHandle(hDevice); 123 | } 124 | else 125 | { 126 | DWORD lastErr = GetLastError(); 127 | throwSysError(lastErr, "Unable to open driver object: " + driverName_); 128 | } 129 | } 130 | 131 | string DriverControl::genRandomDrvName() const 132 | { 133 | ostringstream oss; 134 | LARGE_INTEGER seed; 135 | if (QueryPerformanceCounter(&seed)) 136 | { 137 | oss << hex << seed.HighPart << seed.LowPart; 138 | } 139 | else 140 | { 141 | // fallback 142 | oss << hex << GetTickCount(); 143 | } 144 | 145 | return oss.str(); 146 | } 147 | 148 | void DriverControl::throwSysError(unsigned int lastError, const std::string& msg) const 149 | { 150 | ostringstream oss; 151 | oss << msg << ", system error code was: " << lastError; 152 | throw std::runtime_error(oss.str()); 153 | } --------------------------------------------------------------------------------