Ejemplo n.º 1
        /// <summary>
        /// Opens a handle to the device named by <c>DriverDeviceName</c> through NtOpenFile and stores it in
        /// <c>drvHandle</c>. Both the device name and the handle field are defined outside this method.
        /// </summary>
        /// <remarks>
        /// Retries every 250 ms until NtOpenFile returns 0 (STATUS_SUCCESS). There is no retry limit and no
        /// cancellation, so the call never returns while the device is absent (for example when the driver is
        /// not loaded). Any non-zero NTSTATUS, including informational/warning values, is treated as failure.
        /// Requires an unsafe context because it takes the address of stack locals.
        /// NOTE(review): the last NtOpenFile argument is OpenOptions (FILE_* flags), not a CreateDisposition,
        /// so the OPEN_EXISTING comment on that line looks misleading — confirm the intended flags.
        /// </remarks>
        public void OpenDrv()
        {
            NTAPI.OBJECT_ATTRIBUTES objectAttributes = new NTAPI.OBJECT_ATTRIBUTES();
            NTAPI.UNICODE_STRING    deviceName       = new NTAPI.UNICODE_STRING(DriverDeviceName);
            NTAPI.IO_STATUS_BLOCK   ioStatus;
            objectAttributes.Length     = Marshal.SizeOf(typeof(NTAPI.OBJECT_ATTRIBUTES));
            // ObjectName points at the stack-allocated UNICODE_STRING; it must stay valid for the whole loop below.
            objectAttributes.ObjectName = new IntPtr(&deviceName);

            uint   status = 0;
            IntPtr deviceHandle;

            do
            {
                // Requests GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE with share mode 0 (no sharing).
                status = NTAPI.NtOpenFile(
                    &deviceHandle,
                    (uint)(NTAPI.ACCESS_MASK.GENERIC_READ | NTAPI.ACCESS_MASK.GENERIC_WRITE | NTAPI.ACCESS_MASK.SYNCHRONIZE),
                    &objectAttributes, &ioStatus, 0, 3 /*OPEN_EXISTING*/);

                if (status != 0 /*NT_SUCCESS*/)
                {
                    //Console.WriteLine($"[!] NtOpenFile failed! - {status:X}");
                    // Prints the NTSTATUS in hex and backs off briefly before the next attempt.
                    Console.WriteLine($"[!] Error @ NOF - {status:X}");
                    Thread.Sleep(250);
                }
            } while (status != 0 /*NT_SUCCESS*/);

            drvHandle = deviceHandle;
            Console.WriteLine($"[+] hDevice: {drvHandle:X2}");
        }
Ejemplo n.º 2
        /// <summary>
        /// Registers a new Windows service with the Service Control Manager.
        /// </summary>
        /// <param name="hService">Receives the handle returned by CreateServiceW; left untouched when the SCM cannot be opened.</param>
        /// <param name="ServiceName">Internal service name.</param>
        /// <param name="DisplayName">Name shown in the Services console.</param>
        /// <param name="BinPath">Path of the service binary passed as lpBinaryPathName.</param>
        /// <param name="DesiredAccess">Access mask requested on the new service handle.</param>
        /// <param name="ServiceType">SERVICE_* type value.</param>
        /// <param name="StartType">SERVICE_*_START value.</param>
        /// <param name="ErrorControl">SERVICE_ERROR_* value.</param>
        /// <returns>
        /// true when CreateServiceW returned a non-zero handle; false when the SCM could not be opened or creation failed.
        /// </returns>
        /// <remarks>
        /// The SCM is opened with SC_MANAGER_CREATE_SERVICE only, which is the single right this operation needs,
        /// and is closed again before returning. Load order group, tag, dependencies, account and password are all
        /// passed as 0/null, so the service runs under the SCM default account.
        /// </remarks>
        public static bool CreateService(
            ref IntPtr hService,
            string ServiceName,
            string DisplayName,
            string BinPath,
            uint DesiredAccess,
            uint ServiceType,
            uint StartType,
            uint ErrorControl)
        {
            const uint scManagerCreateService = 0x0002; // SC_MANAGER_CREATE_SERVICE

            IntPtr scm = NTAPI.OpenSCManager(0, 0, scManagerCreateService);
            if (scm == IntPtr.Zero)
            {
                return false;
            }

            hService = NTAPI.CreateServiceW(
                scm,
                ServiceName,
                DisplayName,
                DesiredAccess,
                ServiceType,
                StartType,
                ErrorControl,
                BinPath,
                0, 0, 0, 0, 0, 0);

            NTAPI.CloseServiceHandle(scm);

            return hService != IntPtr.Zero;
        }
Ejemplo n.º 3
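        /// <summary>
        /// Binds the launcher either to the installed Windows service or to an in-process daemon.
        /// </summary>
        /// <param name="launcher">Launcher model exposed through <c>Launcher</c>.</param>
        /// <param name="forceDaemon">When true the installed service is ignored and the daemon runs in-process.</param>
        /// <remarks>
        /// When a service is found, its registered binary path (Win32_Service.PathName) is compared with the path
        /// of <c>Consts.ServiceExecutable</c>. A mismatch only raises a warning dialog; the service is still used.
        /// Any exception from the WMI lookup is shown in a dialog and otherwise swallowed.
        /// Changes from the previous version: the path comparison is case-insensitive (Windows paths are),
        /// and a missing/non-string PathName is skipped instead of throwing into the catch block.
        /// </remarks>
        public DaemonHost(LauncherModel launcher, bool forceDaemon)
        {
            Controller = forceDaemon
                ? null
                : ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName);
            Daemon     = Controller == null;
            Launcher   = launcher;

            ServicePath = Path.GetFullPath(Consts.ServiceExecutable);

            AsyncManager = new AsyncManager(Run);

            if (Daemon)
            {
                return;
            }

            try
            {
                // Consts.ServiceName is assumed to be a fixed compile-time value, not user input, so the
                // WQL concatenation is not an injection vector here — confirm if ServiceName ever becomes configurable.
                using (var searcher = new ManagementObjectSearcher("SELECT * FROM Win32_Service WHERE Name = '" + Consts.ServiceName + "'"))
                using (var collection = searcher.Get())
                {
                    var service = collection.OfType<ManagementObject>().FirstOrDefault();

                    // PathName is quoted when the binary path contains spaces; strip the quotes before normalising.
                    if (service?.GetPropertyValue("PathName") is string rawPath)
                    {
                        var oldPath = Path.GetFullPath(rawPath.Trim('"'));
                        var newPath = ServicePath;

                        // Ordinal '!=' produced false alarms on pure case differences of the same path.
                        if (!string.Equals(oldPath, newPath, StringComparison.OrdinalIgnoreCase))
                        {
                            // 0x10 = MB_ICONERROR.
                            NTAPI.MessageBox(0, "系统服务状态异常, 启动器可能无法正常运行\n请不要在安装系统服务后挪动启动器文件或在其他路径运行启动器\n\n如果无法正常连接到守护进程请点击 \"卸载服务\"\n如果无法正常连接到守护进程请点击 \"卸载服务\"\n如果无法正常连接到守护进程请点击 \"卸载服务\"\n\n服务路径:\n" + oldPath + "\n当前路径:\n" + newPath, "错误", 0x10);
                        }
                    }
                }
            }
            catch (Exception e)
            {
                NTAPI.MessageBox(0, "出现了一个神秘的错误, 建议截图此错误并联系管理员:\n" + e, "错误", 0x10);
            }
        }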
Ejemplo n.º 4
        /// <summary>
        /// Copies <paramref name="buffersize"/> bytes between this process and process <paramref name="pid"/>
        /// by delegating the copy to the driver (IOCTL <c>MhyProt2Ctl.RWMemory</c>).
        /// </summary>
        /// <param name="mode">0: source is <paramref name="pid"/>, target is this process; 1: source is this process, target is <paramref name="pid"/>.</param>
        /// <param name="pid">Process id of the other process.</param>
        /// <param name="targetaddr">Destination address, interpreted according to <paramref name="mode"/>.</param>
        /// <param name="sourceaddr">Source address, interpreted according to <paramref name="mode"/>.</param>
        /// <param name="buffersize">Number of bytes to copy.</param>
        /// <returns>The first 32-bit word of the decrypted 12-byte driver response; its meaning is defined by the driver.</returns>
        /// <exception cref="Exception">Thrown when DeviceIoControl reports failure.</exception>
        /// <remarks>
        /// The request structure is serialised with <c>StructureToByte</c> and encrypted with <c>MhyEnCrypt</c>
        /// under a fixed seed; the response is decrypted with <c>MhyCrypt</c>. No user-mode handle to the other
        /// process is opened; the DeviceIoControl call on <c>drvHandle</c> is the only action visible from user mode.
        /// The output buffer from AllocHGlobal is never freed (leaks 12 bytes per call); whether <c>ByteToPtr</c>
        /// allocates memory that also needs freeing cannot be seen from here. Requires an unsafe context.
        /// </remarks>
        public uint RWMemory(uint mode, uint pid, IntPtr targetaddr, IntPtr sourceaddr, uint buffersize)
        {
            //mode = 0 : source=selected pid, target=self
            //mode = 1 : source=self, target=selected pid
            RWMemory req = new RWMemory();

            req.mode                 = mode;
            req.TargetProcessID      = pid;
            req.TargetProcessAddress = targetaddr;
            req.SourceProcessAddress = sourceaddr;
            req.BufferSize           = buffersize;
            //req.padding3 = 0x7ffb;
            // Same fixed seed is used by every request builder in this class.
            byte[] reqdata    = MhyEnCrypt(StructureToByte(req), 0x233333333333);
            IntPtr lpinBuffer = ByteToPtr(reqdata);
            IntPtr ret        = Marshal.AllocHGlobal(12);
            ulong  outlen     = 0;
            bool   res        = NTAPI.DeviceIoControl(drvHandle, (uint)MhyProt2Ctl.RWMemory, lpinBuffer, (uint)reqdata.Length, ret, 12, &outlen, 0);

            if (!res)
            {
                throw new Exception("RWMemory failed on pid: " + pid.ToString());
            }
            // Only the bytes the driver reported (outlen) are read back and decrypted.
            byte[] retdata = MhyCrypt(PtrToByte(ret, (uint)outlen));
            return(BitConverter.ToUInt32(retdata, 0));
        }
Ejemplo n.º 5
        /// <summary>
        /// Asks the driver (IOCTL <c>MhyProt2Ctl.ListProcessModule</c>) for the module list of process
        /// <paramref name="pid"/> and deserialises up to 300 entries.
        /// </summary>
        /// <param name="pid">Process id whose modules are listed.</param>
        /// <returns>The decoded entries, in the order the driver returned them.</returns>
        /// <exception cref="Exception">Thrown when DeviceIoControl reports failure.</exception>
        /// <remarks>
        /// Response layout assumed by this code: a 32-bit count followed by <c>count</c> records of 792 bytes each.
        /// The output buffer is sized for 301 records. The count is trusted as-is: if the driver reports more
        /// records than fit in the decrypted data, <c>Array.Copy</c> throws <c>ArgumentException</c>.
        /// The count is also printed to the console on every call. The AllocHGlobal buffer is never freed.
        /// Requires an unsafe context.
        /// </remarks>
        public List <MhyProtEnumModule> EnumProcessModule(uint pid)
        {
            EnumModule req = new EnumModule();

            req.pid    = pid;
            req.maxnum = 300;
            byte[] reqdata    = MhyEnCrypt(StructureToByte(req), 0x233333333333);
            IntPtr lpinBuffer = ByteToPtr(reqdata);
            // 301 * 792: room for the count word plus 300 records (one record-sized slot is used for the header).
            IntPtr ret        = Marshal.AllocHGlobal(301 * 792);
            ulong  outlen     = 0;
            bool   res        = NTAPI.DeviceIoControl(drvHandle, (uint)MhyProt2Ctl.ListProcessModule, lpinBuffer, (uint)reqdata.Length, ret, 301 * 792, &outlen, 0);

            if (!res)
            {
                throw new Exception("EnumProcessModule failed on pid: " + pid.ToString());
            }
            byte[] retdata = MhyCrypt(PtrToByte(ret, (uint)outlen));
            uint   count   = BitConverter.ToUInt32(retdata, 0);

            Console.WriteLine("Count: " + count.ToString());
            List <MhyProtEnumModule> modules = new List <MhyProtEnumModule>();

            for (int i = 0; i < count; i++)
            {
                // Record i starts right after the 4-byte count.
                byte[] singlemodule = new byte[792];
                Array.Copy(retdata, 4 + (i * 792), singlemodule, 0, 792);
                modules.Add(ByteToStructure <MhyProtEnumModule>(singlemodule));
            }
            return(modules);
        }
Ejemplo n.º 6
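        /// <summary>
        /// Opens an existing service by name with the requested access rights.
        /// </summary>
        /// <param name="hService">Receives the service handle, or IntPtr.Zero on failure.</param>
        /// <param name="szServiceName">Name of the service to open.</param>
        /// <param name="DesiredAccess">Access mask passed to both OpenSCManager and OpenService.</param>
        /// <returns>true when a non-zero service handle was obtained.</returns>
        /// <remarks>
        /// Previously a failed OpenSCManager went unnoticed and OpenService/CloseServiceHandle were called with a
        /// null manager handle; that case now fails fast. NOTE(review): the same mask is used for the SCM handle,
        /// whose specific-rights bits mean different things than service rights; SC_MANAGER_CONNECT is all that
        /// OpenService itself needs — confirm callers before narrowing it.
        /// </remarks>
        public static bool OpenService(out IntPtr hService, string szServiceName, uint DesiredAccess)
        {
            IntPtr hSCManager = NTAPI.OpenSCManager(0, 0, DesiredAccess);

            if (hSCManager == IntPtr.Zero)
            {
                hService = IntPtr.Zero;
                return false;
            }

            hService = NTAPI.OpenService(hSCManager, szServiceName, DesiredAccess);
            NTAPI.CloseServiceHandle(hSCManager);
            return hService != IntPtr.Zero;
        }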
Ejemplo n.º 7
        /// <summary>
        /// Installs this executable as a Windows service and then loosens the directory and service DACLs.
        /// </summary>
        /// <returns><c>null</c> on success, otherwise a human-readable error message.</returns>
        /// <remarks>
        /// Steps: (1) grant LocalService FullControl, inherited by every file and subfolder, on the executable's
        /// directory; (2) run the managed installer on this executable; (3) add an ACE for Authenticated Users to
        /// the service DACL allowing query-status/start/stop/interrogate, so any logged-on user can start and stop
        /// the service without elevation.
        /// NOTE(review): FullControl on the whole install directory lets anything running as LocalService replace
        /// the service binary and the launcher; if the service only needs to write data files, a narrower right
        /// (Modify on a dedicated data subfolder, ReadAndExecute elsewhere) would reduce exposure — confirm what
        /// the service actually writes before tightening. The directory ACL is changed before the installer runs,
        /// so it stays changed if installation throws.
        /// Win32 failures are returned as strings; exceptions from the installer or the ACL classes propagate.
        /// </remarks>
        private static string InstallService()
        {
            // Install service
            var dir = new DirectoryInfo(Path.GetDirectoryName(Utils.ExecutablePath));

            var acl = dir.GetAccessControl(AccessControlSections.Access);

            // ObjectInherit | ContainerInherit: the ACE propagates to all existing and future files and subdirectories.
            acl.SetAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null), FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));

            dir.SetAccessControl(acl);

            ManagedInstallerClass.InstallHelper(new string[] { Utils.ExecutablePath });

            // Set permission
            var sc = ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName);

            if (sc == null)
            {
                return("Service installation failure");
            }

            // First call with an empty buffer only probes the required size.
            var buffer = new byte[0];

            if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, 0, out uint size))
            {
                int err = Marshal.GetLastWin32Error();
                // 122 = ERROR_INSUFFICIENT_BUFFER is the expected result of the size probe; 0 is tolerated as well
                // (presumably for a P/Invoke declaration without SetLastError — confirm).
                if (err != 122 && err != 0) // ERROR_INSUFFICIENT_BUFFER
                {
                    return("QueryServiceObjectSecurity[1] error: " + err);
                }
                buffer = new byte[size];
                if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, size, out size))
                {
                    return("QueryServiceObjectSecurity[2] error: " + Marshal.GetLastWin32Error());
                }
            }

            var rsd = new RawSecurityDescriptor(buffer, 0);

            // Rebuild the DACL from the raw form so the new ACE is merged in canonical order.
            var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);

            // Authenticated Users: query status, start, stop, interrogate. Stop means any logged-on user can stop the service.
            dacl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)(ServiceAccessRights.SERVICE_QUERY_STATUS | ServiceAccessRights.SERVICE_START | ServiceAccessRights.SERVICE_STOP | ServiceAccessRights.SERVICE_INTERROGATE), InheritanceFlags.None, PropagationFlags.None);

            buffer = new byte[dacl.BinaryLength];
            dacl.GetBinaryForm(buffer, 0);

            rsd.DiscretionaryAcl = new RawAcl(buffer, 0);

            buffer = new byte[rsd.BinaryLength];
            rsd.GetBinaryForm(buffer, 0);

            // Only the DACL part of the descriptor is written back.
            if (!NTAPI.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer))
            {
                return("SetServiceObjectSecurity error: " + Marshal.GetLastWin32Error());
            }
            return(null);
        }
Ejemplo n.º 8
        /// <summary>
        /// Asks the driver (IOCTL <c>MhyProt2Ctl.KillProcess</c>) to terminate process <paramref name="pid"/>.
        /// </summary>
        /// <param name="pid">Process id to terminate; sent as its 4 little-endian bytes.</param>
        /// <returns>true when the first 32-bit word of the decrypted driver response is 0.</returns>
        /// <exception cref="Exception">Thrown when DeviceIoControl reports failure.</exception>
        /// <remarks>
        /// No user-mode handle to the target process is opened; the DeviceIoControl call on <c>drvHandle</c> is
        /// the only action visible from user mode. The 12-byte AllocHGlobal buffer is never freed.
        /// Requires an unsafe context.
        /// </remarks>
        public bool KillProcess(uint pid)
        {
            byte[] reqdata    = MhyEnCrypt(BitConverter.GetBytes(pid), 0x233333333333);
            IntPtr lpinBuffer = ByteToPtr(reqdata);
            IntPtr ret        = Marshal.AllocHGlobal(12);
            ulong  outlen     = 0;
            bool   res        = NTAPI.DeviceIoControl(drvHandle, (uint)MhyProt2Ctl.KillProcess, lpinBuffer, (uint)reqdata.Length, ret, 12, &outlen, 0);

            if (!res)
            {
                throw new Exception("KillProcess failed on pid: " + pid.ToString());
            }
            // Only the bytes the driver reported (outlen) are read back and decrypted.
            byte[] retdata = MhyCrypt(PtrToByte(ret, (uint)outlen));
            return(BitConverter.ToUInt32(retdata, 0) == 0);
        }
Ejemplo n.º 9
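        /// <summary>
        /// Binds the remote-management component to the service and loads the architecture-specific libsodium.
        /// </summary>
        /// <param name="main">Owning service; used for logging.</param>
        /// <remarks>
        /// The native library is resolved under the application's base directory as
        /// <c>&lt;base&gt;\&lt;arch&gt;\libsodium.dll</c>. The previous version resolved it relative to the
        /// current working directory, which for a Windows service is not the install directory and, if that
        /// directory is writable by other users, allows a planted DLL to be loaded. Failures are logged, never thrown.
        /// </remarks>
        public RemoteManager(MainService main)
        {
            Main         = main;
            AsyncManager = new AsyncManager(Run);

            try
            {
                // Lower-cased (invariant) architecture name selects the matching native build, e.g. "x64".
                var arch   = RuntimeInformation.ProcessArchitecture.ToString().ToLowerInvariant();
                var sodium = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, arch, "libsodium.dll");

                if (!File.Exists(sodium))
                {
                    Main.LogManager.Log(LogManager.CATEGORY_SERVICE_ERROR, Tag, "未找到架构匹配的 libsodium, 当前系统可能不支持远程管理");
                }
                // Absolute path, so the loader does not walk the default DLL search order for this module; flags stay 0.
                else if (NTAPI.LoadLibraryEx(sodium, IntPtr.Zero, 0) == IntPtr.Zero)
                {
                    Main.LogManager.Log(LogManager.CATEGORY_SERVICE_ERROR, Tag, "libsodium 加载失败, 远程管理无法正常工作");
                }
            }
            catch (Exception e)
            {
                Main.LogManager.Log(LogManager.CATEGORY_SERVICE_ERROR, Tag, "libsodium 加载失败, 远程管理无法正常工作: " + e.ToString());
            }
        }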
Ejemplo n.º 10
        /// <summary>
        /// Performs the driver's initialisation handshake (IOCTL <c>MhyProt2Ctl.DrvInit</c>) for process
        /// <paramref name="pid"/> and checks the 8-byte reply against <c>mt64res</c>.
        /// </summary>
        /// <param name="pid">Process id sent in the init blob. Note: declared as ulong here while the other IOCTL wrappers take uint.</param>
        /// <returns>true when DeviceIoControl succeeded and the returned 64-bit value equals <c>mt64res</c>; false otherwise.</returns>
        /// <exception cref="Exception">Thrown when <c>drvHandle</c> has not been opened yet.</exception>
        /// <remarks>
        /// <c>GenInitData</c> and <c>mt64res</c> are defined outside this method; <c>mt64res</c> is presumably
        /// derived from the same seed — confirm. The 8-byte AllocHGlobal buffer is never freed. Requires an unsafe context.
        /// </remarks>
        public bool InitDrv(ulong pid)
        {
            if (drvHandle == IntPtr.Zero)
            {
                throw new Exception("[!] Driver handle has not been opened");
            }
            // Same fixed seed is used by every request builder in this class.
            ulong seed = 0x233333333333;

            byte[] initdata   = GenInitData(pid, seed);
            IntPtr lpinBuffer = ByteToPtr(initdata);
            IntPtr ret        = Marshal.AllocHGlobal(8);
            ulong  outlen     = 0;
            bool   res        = NTAPI.DeviceIoControl(drvHandle, (uint)MhyProt2Ctl.DrvInit, lpinBuffer, (uint)initdata.Length, ret, 8, &outlen, 0);

            if (!res)
            {
                return(res);
            }
            // outlen is not checked here; the full 8 bytes are read regardless of what the driver reported.
            ulong retmt64 = Marshal.PtrToStructure <ulong>(ret);

            return(retmt64 == mt64res);
        }
Ejemplo n.º 11
 /// <summary>
 /// Lets the user drag the window from its client area (typically used by borderless windows):
 /// releases mouse capture and tells Windows the click landed on the caption.
 /// </summary>
 /// <param name="sender">Event source; unused.</param>
 /// <param name="e">Mouse event data; unused.</param>
 private void Window_MouseDown(object sender, MouseButtonEventArgs e)
 {
     const int wmNcLButtonDown = 0xA1; // WM_NCLBUTTONDOWN
     const int htCaption       = 0x2;  // HTCAPTION

     var hwnd = new WindowInteropHelper(this).Handle;

     NTAPI.ReleaseCapture();
     NTAPI.SendMessage(hwnd, wmNcLButtonDown, new IntPtr(htCaption), IntPtr.Zero);
 }
Ejemplo n.º 12
 /// <summary>
 /// Releases a handle obtained from OpenService/CreateService/OpenSCManager.
 /// The native call's return value is discarded, so a failed close is not reported.
 /// </summary>
 /// <param name="hService">Handle to close.</param>
 public static void CloseServiceHandle(IntPtr hService)
 {
     NTAPI.CloseServiceHandle(hService);
 }
Ejemplo n.º 13
 /// <summary>
 /// Marks the service behind <paramref name="hService"/> for deletion by the SCM.
 /// </summary>
 /// <param name="hService">Service handle; the caller is still responsible for closing it.</param>
 /// <returns>The native DeleteService result.</returns>
 public static bool DeleteService(IntPtr hService)
 {
     bool deleted = NTAPI.DeleteService(hService);
     return deleted;
 }
Ejemplo n.º 14
 /// <summary>
 /// Starts the service behind <paramref name="hService"/> with no command-line arguments.
 /// </summary>
 /// <param name="hService">Service handle opened with start rights.</param>
 /// <returns>The native StartService result.</returns>
 public static bool StartService(IntPtr hService)
 {
     // Zero arguments and a null argv, as the service takes none here.
     bool started = NTAPI.StartService(hService, 0, null);
     return started;
 }
Ejemplo n.º 15
 /// <summary>
 /// Sends SERVICE_CONTROL_STOP to the service behind <paramref name="hService"/>.
 /// </summary>
 /// <param name="hService">Service handle opened with stop rights.</param>
 /// <returns>The native ControlService result; the status the SCM fills in is discarded.</returns>
 public static bool StopService(IntPtr hService)
 {
     var status = new NTAPI.SERVICE_STATUS();
     bool sent  = NTAPI.ControlService(hService, NTAPI.SERVICE_CONTROL.STOP, ref status);
     return sent;
 }
Ejemplo n.º 16
 /// <summary>
 /// Closes the device handle stored in <c>drvHandle</c>.
 /// The field itself is not reset to IntPtr.Zero afterwards, so later null-handle checks will not notice the close.
 /// </summary>
 /// <returns>The native CloseHandle result.</returns>
 public bool CloseHandle() => NTAPI.CloseHandle(drvHandle);