/// <summary>
/// Opens a handle to the driver's device object via <c>NtOpenFile</c> and stores it in
/// <c>drvHandle</c>. The open is retried every 250 ms until it succeeds.
/// </summary>
/// <remarks>
/// NOTE(review): the retry loop has no upper bound — if the device never appears this method
/// never returns. A bounded attempt count (or a cancellation token) would give callers a way out.
/// NOTE(review): the last argument to NtOpenFile is <c>OpenOptions</c>, not a CreateFile
/// disposition; <c>OPEN_EXISTING</c> belongs to CreateFile's <c>dwCreationDisposition</c>, so the
/// inline label on the literal <c>3</c> is misleading. Confirm the intended option bits against
/// the NtOpenFile signature declared in NTAPI.
/// </remarks>
public void OpenDrv()
{
    NTAPI.OBJECT_ATTRIBUTES objectAttributes = new NTAPI.OBJECT_ATTRIBUTES();
    // DriverDeviceName is declared elsewhere in this class.
    NTAPI.UNICODE_STRING deviceName = new NTAPI.UNICODE_STRING(DriverDeviceName);
    NTAPI.IO_STATUS_BLOCK ioStatus;
    objectAttributes.Length = Marshal.SizeOf(typeof(NTAPI.OBJECT_ATTRIBUTES));
    // Address of a stack local: only valid while this frame is live, which the synchronous
    // NtOpenFile call below satisfies.
    objectAttributes.ObjectName = new IntPtr(&deviceName);
    uint status = 0;
    IntPtr deviceHandle;
    do
    {
        status = NTAPI.NtOpenFile(
            &deviceHandle,
            (uint)(NTAPI.ACCESS_MASK.GENERIC_READ | NTAPI.ACCESS_MASK.GENERIC_WRITE | NTAPI.ACCESS_MASK.SYNCHRONIZE),
            &objectAttributes,
            &ioStatus,
            0,                       // ShareAccess
            3 /*OPEN_EXISTING*/);    // OpenOptions — see remarks, the label does not match this parameter
        if (status != 0 /*NT_SUCCESS*/)
        {
            // Only STATUS_SUCCESS (0) ends the loop; any other NTSTATUS (including non-error
            // warning values) is retried.
            //Console.WriteLine($"[!] NtOpenFile failed! - {status:X}");
            Console.WriteLine($"[!] Error @ NOF - {status:X}");
            Thread.Sleep(250);
        }
    } while (status != 0 /*NT_SUCCESS*/);
    drvHandle = deviceHandle;
    Console.WriteLine($"[+] hDevice: {drvHandle:X2}");
}
/// <summary>
/// Registers a new Windows service with the Service Control Manager.
/// </summary>
/// <param name="hService">Receives the new service handle; left untouched when the SCM could not be opened.</param>
/// <param name="ServiceName">Internal (key) name of the service.</param>
/// <param name="DisplayName">Name shown in the Services UI.</param>
/// <param name="BinPath">Path of the service binary.</param>
/// <param name="DesiredAccess">Access mask requested on the returned service handle.</param>
/// <param name="ServiceType">SERVICE_* type flags.</param>
/// <param name="StartType">SERVICE_*_START start mode.</param>
/// <param name="ErrorControl">SERVICE_ERROR_* severity.</param>
/// <returns><c>true</c> when a non-null service handle was obtained.</returns>
public static bool CreateService(
    ref IntPtr hService,
    string ServiceName,
    string DisplayName,
    string BinPath,
    uint DesiredAccess,
    uint ServiceType,
    uint StartType,
    uint ErrorControl)
{
    // Request only the single SCM right this operation needs.
    IntPtr scm = NTAPI.OpenSCManager(0, 0, 0x0002 /*SC_MANAGER_CREATE_SERVICE*/);
    if (scm == IntPtr.Zero)
    {
        return false;
    }

    hService = NTAPI.CreateServiceW(
        scm,
        ServiceName,
        DisplayName,
        DesiredAccess,
        ServiceType,
        StartType,
        ErrorControl,
        BinPath,
        0, 0, 0, 0, 0, 0);

    // The SCM handle is only needed for the create call itself.
    NTAPI.CloseServiceHandle(scm);

    bool created = hService != IntPtr.Zero;
    return created;
}
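/// <summary>
/// Decides whether this process talks to the installed Windows service or runs the daemon
/// in-process, and warns the user when the installed service points at a different executable.
/// </summary>
/// <param name="launcher">Launcher model this host belongs to.</param>
/// <param name="forceDaemon">When <c>true</c>, skip the service lookup and always run in daemon mode.</param>
public DaemonHost(LauncherModel launcher, bool forceDaemon)
{
    Controller = forceDaemon
        ? null
        : ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName);
    // Daemon mode whenever no installed service was found (or daemon mode was forced).
    Daemon = Controller == null;
    Launcher = launcher;
    ServicePath = Path.GetFullPath(Consts.ServiceExecutable);
    AsyncManager = new AsyncManager(Run);

    if (Daemon)
    {
        return;
    }

    try
    {
        // Consts.ServiceName is a compile-time constant, not user input, so embedding it in the
        // WQL text is not an injection risk here. Do not widen this to accept arbitrary names.
        using (var searcher = new ManagementObjectSearcher(
            "SELECT * FROM Win32_Service WHERE Name = '" + Consts.ServiceName + "'"))
        using (var collection = searcher.Get())
        {
            var service = collection.OfType<ManagementObject>().FirstOrDefault();
            if (service == null)
            {
                return;
            }

            // PathName may be absent or quoted with trailing arguments; ExtractExecutable copes
            // with both instead of letting a null or an embedded quote blow up in GetFullPath.
            var registered = ExtractExecutable(service.GetPropertyValue("PathName") as string);
            if (registered == null)
            {
                // Nothing to compare against; there is no actionable message for the user.
                return;
            }

            var oldPath = Path.GetFullPath(registered);
            var newPath = Path.GetFullPath(Consts.ServiceExecutable);
            // Windows paths are case-insensitive; a plain != raised a false alarm for the same
            // file spelled with different casing.
            if (!string.Equals(oldPath, newPath, StringComparison.OrdinalIgnoreCase))
            {
                NTAPI.MessageBox(0, "系统服务状态异常, 启动器可能无法正常运行\n请不要在安装系统服务后挪动启动器文件或在其他路径运行启动器\n\n如果无法正常连接到守护进程请点击 \"卸载服务\"\n如果无法正常连接到守护进程请点击 \"卸载服务\"\n如果无法正常连接到守护进程请点击 \"卸载服务\"\n\n服务路径:\n" + oldPath + "\n当前路径:\n" + newPath, "错误", 0x10);
            }
        }
    }
    catch (Exception e)
    {
        NTAPI.MessageBox(0, "出现了一个神秘的错误, 建议截图此错误并联系管理员:\n" + e, "错误", 0x10);
    }
}

/// <summary>
/// Returns the executable part of a service <c>PathName</c> value.
/// A quoted value (<c>"C:\dir\svc.exe" args</c>) yields the text between the quotes; an
/// unquoted value is returned trimmed of stray surrounding quotes, as the previous code did.
/// </summary>
/// <param name="pathName">Raw <c>Win32_Service.PathName</c>, possibly <c>null</c>.</param>
/// <returns>The executable path, or <c>null</c> when the input is null or blank.</returns>
private static string ExtractExecutable(string pathName)
{
    if (string.IsNullOrWhiteSpace(pathName))
    {
        return null;
    }

    var trimmed = pathName.Trim();
    if (trimmed.Length >= 2 && trimmed[0] == '"')
    {
        int closing = trimmed.IndexOf('"', 1);
        if (closing > 1)
        {
            return trimmed.Substring(1, closing - 1);
        }
    }
    return trimmed.Trim('"');
}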
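/// <summary>
/// Issues the driver's RWMemory IOCTL to copy <paramref name="buffersize"/> bytes between this
/// process and process <paramref name="pid"/>.
/// </summary>
/// <param name="mode">0: source = selected pid, target = self; 1: source = self, target = selected pid.</param>
/// <param name="pid">Process id of the remote side of the copy.</param>
/// <param name="targetaddr">Destination address, interpreted per <paramref name="mode"/>.</param>
/// <param name="sourceaddr">Source address, interpreted per <paramref name="mode"/>.</param>
/// <param name="buffersize">Number of bytes to copy.</param>
/// <returns>The first 32-bit word of the decrypted reply (presumably the driver's status — TODO confirm).</returns>
/// <exception cref="Exception">When DeviceIoControl fails or the reply is shorter than 4 bytes.</exception>
public uint RWMemory(uint mode, uint pid, IntPtr targetaddr, IntPtr sourceaddr, uint buffersize)
{
    //mode = 0 : source=selected pid, target=self
    //mode = 1 : source=self, target=selected pid
    RWMemory req = new RWMemory();
    req.mode = mode;
    req.TargetProcessID = pid;
    req.TargetProcessAddress = targetaddr;
    req.SourceProcessAddress = sourceaddr;
    req.BufferSize = buffersize;
    //req.padding3 = 0x7ffb;

    byte[] reqdata = MhyEnCrypt(StructureToByte(req), 0x233333333333);
    // NOTE(review): ByteToPtr is defined elsewhere; its buffer is not released here because the
    // allocator is not visible in this file. Free it where it is allocated.
    IntPtr lpinBuffer = ByteToPtr(reqdata);

    const int outSize = 12;
    IntPtr ret = Marshal.AllocHGlobal(outSize);
    try
    {
        ulong outlen = 0;
        bool res = NTAPI.DeviceIoControl(drvHandle, (uint)MhyProt2Ctl.RWMemory, lpinBuffer, (uint)reqdata.Length, ret, outSize, &outlen, 0);
        if (!res)
        {
            throw new Exception("RWMemory failed on pid: " + pid.ToString());
        }

        // Never read past the buffer we own, whatever length the driver reports.
        uint copyLen = (uint)Math.Min(outlen, (ulong)outSize);
        byte[] retdata = MhyCrypt(PtrToByte(ret, copyLen));
        if (retdata.Length < sizeof(uint))
        {
            throw new Exception("RWMemory returned a truncated reply on pid: " + pid.ToString());
        }
        return BitConverter.ToUInt32(retdata, 0);
    }
    finally
    {
        // The output buffer was leaked on every call before.
        Marshal.FreeHGlobal(ret);
    }
}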
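/// <summary>
/// Asks the driver for the module list of process <paramref name="pid"/> (at most 300 entries).
/// </summary>
/// <param name="pid">Target process id.</param>
/// <returns>One <see cref="MhyProtEnumModule"/> per module actually present in the reply, in driver order.</returns>
/// <exception cref="Exception">When DeviceIoControl fails or the reply is too short to hold a count.</exception>
public List<MhyProtEnumModule> EnumProcessModule(uint pid)
{
    const int maxModules = 300;
    const int entrySize = 792;                        // on-the-wire size of one MhyProtEnumModule
    const int outSize = (maxModules + 1) * entrySize;  // 4-byte count + maxModules entries fit

    EnumModule req = new EnumModule();
    req.pid = pid;
    req.maxnum = maxModules;
    byte[] reqdata = MhyEnCrypt(StructureToByte(req), 0x233333333333);
    // NOTE(review): ByteToPtr is defined elsewhere; its buffer is not released here because the
    // allocator is not visible in this file. Free it where it is allocated.
    IntPtr lpinBuffer = ByteToPtr(reqdata);

    IntPtr ret = Marshal.AllocHGlobal(outSize);
    try
    {
        ulong outlen = 0;
        bool res = NTAPI.DeviceIoControl(drvHandle, (uint)MhyProt2Ctl.ListProcessModule, lpinBuffer, (uint)reqdata.Length, ret, outSize, &outlen, 0);
        if (!res)
        {
            throw new Exception("EnumProcessModule failed on pid: " + pid.ToString());
        }

        // Clamp to the buffer we own; the reported length is not trusted blindly.
        uint copyLen = (uint)Math.Min(outlen, (ulong)outSize);
        byte[] retdata = MhyCrypt(PtrToByte(ret, copyLen));
        if (retdata.Length < sizeof(uint))
        {
            throw new Exception("EnumProcessModule returned a truncated reply on pid: " + pid.ToString());
        }

        uint count = BitConverter.ToUInt32(retdata, 0);
        Console.WriteLine("Count: " + count.ToString());

        // Only as many entries as the reply really holds; a bogus count must not over-read.
        int available = (retdata.Length - sizeof(uint)) / entrySize;
        int usable = (int)Math.Min(count, (uint)available);

        List<MhyProtEnumModule> modules = new List<MhyProtEnumModule>(usable);
        for (int i = 0; i < usable; i++)
        {
            byte[] singlemodule = new byte[entrySize];
            Array.Copy(retdata, sizeof(uint) + (i * entrySize), singlemodule, 0, entrySize);
            modules.Add(ByteToStructure<MhyProtEnumModule>(singlemodule));
        }
        return modules;
    }
    finally
    {
        // The output buffer was leaked on every call before.
        Marshal.FreeHGlobal(ret);
    }
}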
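/// <summary>
/// Opens an existing service by name.
/// </summary>
/// <param name="hService">Receives the service handle, or <see cref="IntPtr.Zero"/> on failure.</param>
/// <param name="szServiceName">Service name as registered with the SCM.</param>
/// <param name="DesiredAccess">SERVICE_* access mask for the returned service handle.</param>
/// <returns><c>true</c> when a non-null service handle was obtained.</returns>
public static bool OpenService(out IntPtr hService, string szServiceName, uint DesiredAccess)
{
    // Connecting is all the SCM handle needs for OpenService. The caller's SERVICE_* mask is a
    // different bit namespace; passing it to OpenSCManager over-requested SCM rights (and could
    // fail for non-administrators for no reason).
    IntPtr hSCManager = NTAPI.OpenSCManager(0, 0, 0x0001 /*SC_MANAGER_CONNECT*/);
    if (hSCManager == IntPtr.Zero)
    {
        // Previously a null SCM handle was passed straight into OpenService.
        hService = IntPtr.Zero;
        return false;
    }
    hService = NTAPI.OpenService(hSCManager, szServiceName, DesiredAccess);
    NTAPI.CloseServiceHandle(hSCManager);
    return hService != IntPtr.Zero;
}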
/// <summary>
/// Installs the service executable, widens the install directory's ACL for LocalService, then
/// grants Authenticated Users start/stop/query rights on the service object.
/// </summary>
/// <returns><c>null</c> on success, otherwise a human-readable error string.</returns>
/// <remarks>
/// NOTE(review): LocalService is granted FullControl, inherited by every file and subfolder, on
/// the directory holding the launcher and service binaries. FullControl includes WRITE_DAC,
/// WRITE_OWNER and delete-child, so anything running as LocalService can replace these binaries
/// or re-ACL the folder. Modify — or read/execute plus write on only the data subdirectories the
/// service actually uses — is very likely sufficient; confirm what the service writes.
/// NOTE(review): SERVICE_START/SERVICE_STOP for Authenticated Users lets any local account start
/// and stop the service. Presumably intended so the non-elevated launcher can control it, but it
/// should be a conscious decision.
/// NOTE(review): the directory ACL is changed before InstallHelper runs, so a failed install still
/// leaves the widened ACL behind.
/// </remarks>
private static string InstallService()
{
    // Install service
    var dir = new DirectoryInfo(Path.GetDirectoryName(Utils.ExecutablePath));
    var acl = dir.GetAccessControl(AccessControlSections.Access);
    acl.SetAccessRule(new FileSystemAccessRule(
        new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null),
        FileSystemRights.FullControl, // see remarks: broader than the service is likely to need
        InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
        PropagationFlags.None,
        AccessControlType.Allow));
    dir.SetAccessControl(acl);
    ManagedInstallerClass.InstallHelper(new string[] { Utils.ExecutablePath });

    // Set permission
    var sc = ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName);
    if (sc == null)
    {
        return("Service installation failure");
    }

    // First call with an empty buffer is only meant to learn the required size.
    var buffer = new byte[0];
    if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, 0, out uint size))
    {
        int err = Marshal.GetLastWin32Error();
        // NOTE(review): err == 0 is tolerated here too; with a zero-length buffer that should not
        // happen, and if it did `size` would be unreliable. GetLastWin32Error is only meaningful if
        // the P/Invoke declaration has SetLastError = true — not visible in this file.
        if (err != 122 && err != 0) // ERROR_INSUFFICIENT_BUFFER
        {
            return("QueryServiceObjectSecurity[1] error: " + err);
        }
        buffer = new byte[size];
        if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, size, out size))
        {
            return("QueryServiceObjectSecurity[2] error: " + Marshal.GetLastWin32Error());
        }
    }
    var rsd = new RawSecurityDescriptor(buffer, 0);
    // (isContainer: false, isDS: false) — a service object is neither.
    var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);
    // SetAccess rather than AddAccess: intended to replace, not accumulate, the allow entry for this SID.
    dacl.SetAccess(
        AccessControlType.Allow,
        new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
        (int)(ServiceAccessRights.SERVICE_QUERY_STATUS | ServiceAccessRights.SERVICE_START | ServiceAccessRights.SERVICE_STOP | ServiceAccessRights.SERVICE_INTERROGATE),
        InheritanceFlags.None,
        PropagationFlags.None);
    // Serialize the modified DACL back into the descriptor, then the descriptor into bytes.
    buffer = new byte[dacl.BinaryLength];
    dacl.GetBinaryForm(buffer, 0);
    rsd.DiscretionaryAcl = new RawAcl(buffer, 0);
    buffer = new byte[rsd.BinaryLength];
    rsd.GetBinaryForm(buffer, 0);
    if (!NTAPI.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer))
    {
        return("SetServiceObjectSecurity error: " + Marshal.GetLastWin32Error());
    }
    return(null);
}
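/// <summary>
/// Asks the driver to terminate process <paramref name="pid"/> via its KillProcess IOCTL.
/// </summary>
/// <param name="pid">Process id to terminate.</param>
/// <returns><c>true</c> when the first 32-bit word of the decrypted reply is 0 (taken as success).</returns>
/// <exception cref="Exception">When DeviceIoControl fails or the reply is shorter than 4 bytes.</exception>
public bool KillProcess(uint pid)
{
    byte[] reqdata = MhyEnCrypt(BitConverter.GetBytes(pid), 0x233333333333);
    // NOTE(review): ByteToPtr is defined elsewhere; its buffer is not released here because the
    // allocator is not visible in this file. Free it where it is allocated.
    IntPtr lpinBuffer = ByteToPtr(reqdata);

    const int outSize = 12;
    IntPtr ret = Marshal.AllocHGlobal(outSize);
    try
    {
        ulong outlen = 0;
        bool res = NTAPI.DeviceIoControl(drvHandle, (uint)MhyProt2Ctl.KillProcess, lpinBuffer, (uint)reqdata.Length, ret, outSize, &outlen, 0);
        if (!res)
        {
            throw new Exception("KillProcess failed on pid: " + pid.ToString());
        }

        // Never read past the buffer we own, whatever length the driver reports.
        uint copyLen = (uint)Math.Min(outlen, (ulong)outSize);
        byte[] retdata = MhyCrypt(PtrToByte(ret, copyLen));
        if (retdata.Length < sizeof(uint))
        {
            throw new Exception("KillProcess returned a truncated reply on pid: " + pid.ToString());
        }
        return BitConverter.ToUInt32(retdata, 0) == 0;
    }
    finally
    {
        // The output buffer was leaked on every call before.
        Marshal.FreeHGlobal(ret);
    }
}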
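/// <summary>
/// Wires the remote-management component to the main service and pre-loads the
/// architecture-specific libsodium build it depends on.
/// </summary>
/// <param name="main">Owning service; used for logging.</param>
/// <remarks>
/// The DLL path is resolved against the application's base directory instead of the current
/// working directory. A Windows service typically starts with CWD = System32, so the relative
/// lookup used before would miss the file there, and resolving a DLL path from whatever CWD
/// happens to be is also a DLL-planting risk if that directory is writable by others.
/// </remarks>
public RemoteManager(MainService main)
{
    Main = main;
    AsyncManager = new AsyncManager(Run);
    try
    {
        // e.g. "x64\libsodium.dll"; invariant lower-casing avoids culture-dependent surprises.
        var relative = RuntimeInformation.ProcessArchitecture.ToString().ToLowerInvariant() + "\\libsodium.dll";
        var sodium = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, relative);
        if (!File.Exists(sodium))
        {
            Main.LogManager.Log(LogManager.CATEGORY_SERVICE_ERROR, Tag, "未找到架构匹配的 libsodium, 当前系统可能不支持远程管理");
        }
        // Absolute path with flags 0: this exact file is loaded, not a search-path lookup.
        else if (NTAPI.LoadLibraryEx(sodium, IntPtr.Zero, 0) == IntPtr.Zero)
        {
            Main.LogManager.Log(LogManager.CATEGORY_SERVICE_ERROR, Tag, "libsodium 加载失败, 远程管理无法正常工作");
        }
    }
    catch (Exception e)
    {
        Main.LogManager.Log(LogManager.CATEGORY_SERVICE_ERROR, Tag, "libsodium 加载失败, 远程管理无法正常工作: " + e.ToString());
    }
}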
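/// <summary>
/// Sends the driver's initialisation IOCTL for <paramref name="pid"/> and compares the 64-bit
/// reply with the expected value held in <c>mt64res</c>.
/// </summary>
/// <param name="pid">Process id fed into GenInitData.</param>
/// <returns><c>false</c> if the IOCTL failed, otherwise whether the reply equals <c>mt64res</c>.</returns>
/// <exception cref="Exception">When <c>drvHandle</c> has not been opened yet.</exception>
public bool InitDrv(ulong pid)
{
    if (drvHandle == IntPtr.Zero)
    {
        throw new Exception("[!] Driver handle has not been opened");
    }
    ulong seed = 0x233333333333;
    byte[] initdata = GenInitData(pid, seed);
    // NOTE(review): ByteToPtr is defined elsewhere; its buffer is not released here because the
    // allocator is not visible in this file. Free it where it is allocated.
    IntPtr lpinBuffer = ByteToPtr(initdata);

    const int outSize = sizeof(ulong);
    IntPtr ret = Marshal.AllocHGlobal(outSize);
    try
    {
        ulong outlen = 0;
        bool res = NTAPI.DeviceIoControl(drvHandle, (uint)MhyProt2Ctl.DrvInit, lpinBuffer, (uint)initdata.Length, ret, outSize, &outlen, 0);
        if (!res)
        {
            return res;
        }
        // NOTE(review): outlen is not validated; as before, the driver is assumed to fill all
        // 8 bytes. If it can return fewer, the unfilled bytes are uninitialised heap.
        ulong retmt64 = Marshal.PtrToStructure<ulong>(ret);
        return retmt64 == mt64res;
    }
    finally
    {
        // The output buffer was leaked on every call before.
        Marshal.FreeHGlobal(ret);
    }
}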
/// <summary>
/// Lets the borderless window be dragged from anywhere: release the mouse capture, then tell
/// the window its caption was pressed (WM_NCLBUTTONDOWN with HTCAPTION).
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Mouse button event data (unused).</param>
private void Window_MouseDown(object sender, MouseButtonEventArgs e)
{
    const int WM_NCLBUTTONDOWN = 0xA1;
    const int HTCAPTION = 0x2;

    var hwnd = new WindowInteropHelper(this).Handle;
    NTAPI.ReleaseCapture();
    NTAPI.SendMessage(hwnd, WM_NCLBUTTONDOWN, new IntPtr(HTCAPTION), IntPtr.Zero);
}
/// <summary>
/// Releases a service or SCM handle obtained from the Service Control Manager.
/// </summary>
/// <param name="hService">Handle to close.</param>
public static void CloseServiceHandle(IntPtr hService)
{
    NTAPI.CloseServiceHandle(hService);
}
/// <summary>
/// Marks the service behind <paramref name="hService"/> for deletion.
/// </summary>
/// <param name="hService">Service handle opened with delete rights.</param>
/// <returns>The result of the underlying DeleteService call.</returns>
public static bool DeleteService(IntPtr hService)
{
    bool deleted = NTAPI.DeleteService(hService);
    return deleted;
}
/// <summary>
/// Starts the service behind <paramref name="hService"/> with no command-line arguments.
/// </summary>
/// <param name="hService">Service handle opened with start rights.</param>
/// <returns>The result of the underlying StartService call.</returns>
public static bool StartService(IntPtr hService)
{
    // Zero arguments, null argument vector.
    bool started = NTAPI.StartService(hService, 0, null);
    return started;
}
/// <summary>
/// Sends SERVICE_CONTROL_STOP to the service behind <paramref name="hService"/>.
/// </summary>
/// <param name="hService">Service handle opened with stop rights.</param>
/// <returns>The result of the underlying ControlService call; the returned status block is discarded.</returns>
public static bool StopService(IntPtr hService)
{
    var status = new NTAPI.SERVICE_STATUS();
    bool accepted = NTAPI.ControlService(hService, NTAPI.SERVICE_CONTROL.STOP, ref status);
    return accepted;
}
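/// <summary>
/// Closes the driver handle opened by <c>OpenDrv</c> and, on success, resets <c>drvHandle</c>
/// to <see cref="IntPtr.Zero"/> so later callers (e.g. the guard in InitDrv) see it as closed.
/// </summary>
/// <returns>The result of the underlying CloseHandle call.</returns>
public bool CloseHandle()
{
    bool closed = NTAPI.CloseHandle(drvHandle);
    if (closed)
    {
        // Previously the stale value stayed in the field and could be reused or double-closed.
        drvHandle = IntPtr.Zero;
    }
    return closed;
}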