From 1ee67b96bec66dffd17ad4a2ee8e03c406c748de Mon Sep 17 00:00:00 2001 From: Mikhail Pilin Date: Mon, 27 Jan 2020 13:01:08 +0300 Subject: [PATCH] Redesign to user PID in .ini filename. --- AELoader/AELoader.vcxproj | 1 + AELoader/declarations.hpp | 4 +- AELoader/main.cpp | 45 +++++++++++++++------- AELoader/utility.hpp | 78 ++++++++++++++++++++++++++++++++++++++ README.md | 6 +-- Test/main.cpp | Bin 1482 -> 1486 bytes run.cmd | 3 -- run.ps1 | 23 +++++++++++ 8 files changed, 140 insertions(+), 20 deletions(-) create mode 100644 AELoader/utility.hpp delete mode 100644 run.cmd create mode 100644 run.ps1 diff --git a/AELoader/AELoader.vcxproj b/AELoader/AELoader.vcxproj index f74d764..a4f5276 100644 --- a/AELoader/AELoader.vcxproj +++ b/AELoader/AELoader.vcxproj @@ -144,6 +144,7 @@ + diff --git a/AELoader/declarations.hpp b/AELoader/declarations.hpp index 68c606c..5964e98 100644 --- a/AELoader/declarations.hpp +++ b/AELoader/declarations.hpp @@ -1,8 +1,10 @@ #pragma once +#include + namespace jbhack { -constexpr WCHAR ini_file_pattern[] = L"%ProgramData%\\AELoader.ini"; +constexpr WCHAR format_ini_file[] = L"\\AELoader.%u.ini"; constexpr WCHAR app_name[] = L"AELoader"; constexpr WCHAR dll_name[] = L"AELoader.dll"; diff --git a/AELoader/main.cpp b/AELoader/main.cpp index a722374..14ddf26 100644 --- a/AELoader/main.cpp +++ b/AELoader/main.cpp @@ -2,13 +2,15 @@ #include #include "declarations.hpp" +#include "utility.hpp" namespace jbhack { struct event_log_reporter final { - explicit event_log_reporter(bool const enable) noexcept : - handle_(enable ? RegisterEventSourceW(nullptr, app_name) : nullptr) + event_log_reporter() noexcept : + has_handle_(false), + handle_(nullptr) { } 
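Review bot: `format_ini_file` in declarations.hpp is now only a suffix that `get_ini_file` in utility.hpp appends to the value of `%ProgramData%`, but nothing at the declaration says so, and a reader comparing it with the removed `ini_file_pattern` would expect a complete path. Add above it `// suffix appended to the %ProgramData% value by get_ini_file(); %u receives the parent process id (DWORD)`. The same comment would also document why the constant is a printf-style format rather than a plain path.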
@@ -18,14 +20,16 @@ struct event_log_reporter final DeregisterEventSource(handle_); } - void report(WORD const type, DWORD const eventId) const noexcept + void report(WORD const type, DWORD const eventId) noexcept { + ensure_handle(); if (handle_) ReportEventW(handle_, type, 0, eventId, nullptr, 0, 0, nullptr, nullptr); } - void report(WORD const type, DWORD const eventId, WCHAR const * const text) const noexcept + void report(WORD const type, DWORD const eventId, WCHAR const * const text) noexcept { + ensure_handle(); if (handle_) { LPCWSTR strings[] = {text}; @@ -34,19 +38,31 @@ struct event_log_reporter final } private: - HANDLE const handle_; -}; + bool has_handle_; + HANDLE handle_; -template -constexpr DWORD elements_of(Type (&)[size]) noexcept { return size; } + void ensure_handle() noexcept + { + if (has_handle_) + return; + handle_ = RegisterEventSourceW(nullptr, app_name); + has_handle_ = true; + } +}; bool do_hack() noexcept { + event_log_reporter reporter; + WCHAR ini_file[1024]; - if (!ExpandEnvironmentStringsW(ini_file_pattern, ini_file, elements_of(ini_file))) + if (!get_ini_file(ini_file)) + { + reporter.report(EVENTLOG_ERROR_TYPE, 301); return false; + } + auto && on_exit = make_on_exit_scope([ini_file] { DeleteFileW(ini_file); }); - event_log_reporter const reporter(GetPrivateProfileIntW(app_name, key_enable_event_logs, 0, ini_file) != 0); + bool const full_reporting = GetPrivateProfileIntW(app_name, key_enable_event_logs, 0, ini_file) != 0; { WCHAR executable[1024]; @@ -58,10 +74,12 @@ bool do_hack() noexcept LPCWSTR ptr = wcsrchr(executable, L'\\'); if (!ptr || _wcsicmp(++ptr, L"recdisc.exe")) { - reporter.report(EVENTLOG_ERROR_TYPE, 102, executable); + if (full_reporting) + reporter.report(EVENTLOG_ERROR_TYPE, 102, executable); return false; } - reporter.report(EVENTLOG_INFORMATION_TYPE, 100, executable); + if (full_reporting) + reporter.report(EVENTLOG_INFORMATION_TYPE, 100, executable); } { 
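Review bot: The scope guard added after the get_ini_file check ignores the result of DeleteFileW, so a per-PID .ini that cannot be removed stays behind silently and, since Windows reuses process ids, may later be consumed by an unrelated run whose parent happens to get the same id; the failure should at least be reported when full_reporting is set. Because `full_reporting` is declared after the guard, move that line above `make_on_exit_scope` and capture by reference: `auto && on_exit = make_on_exit_scope([&] { if (!DeleteFileW(ini_file) && full_reporting) reporter.report(EVENTLOG_WARNING_TYPE, EVENT_ID_PLACEHOLDER, ini_file); });`. Capturing `ini_file` by reference also avoids copying the 2 KiB array into the closure, and both `reporter` and `ini_file` are declared earlier in the same scope, so they outlive the guard. The rest of do_hack continues past the end of the hunk.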
@@ -81,7 +99,8 @@ bool do_hack() noexcept } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); - reporter.report(EVENTLOG_INFORMATION_TYPE, 200, command_line); + if (full_reporting) + reporter.report(EVENTLOG_INFORMATION_TYPE, 200, command_line); } return true; diff --git a/AELoader/utility.hpp b/AELoader/utility.hpp new file mode 100644 index 0000000..e92dd00 --- /dev/null +++ b/AELoader/utility.hpp @@ -0,0 +1,78 @@ +#pragma once + +#include +#include +#include + +#include + +namespace jbhack { + +template +struct on_exit_scope final +{ + template + on_exit_scope(Fn1 && fn) : + fn_(std::forward(fn)) + { + } + + on_exit_scope(on_exit_scope const &) = delete; + on_exit_scope & operator=(on_exit_scope const &) = delete; + + on_exit_scope(on_exit_scope &&) = delete; + on_exit_scope & operator=(on_exit_scope &&) = delete; + + ~on_exit_scope() + { + try + { + std::move(fn_)(); + } + catch (...) + { + } + } + +private: + Fn fn_; +}; + +template +on_exit_scope> make_on_exit_scope(Fn && fn) +{ + return{ std::forward(fn) }; +} + +template +constexpr DWORD elements_of(Type (&)[size]) noexcept { return size; } + +inline DWORD get_parent_process_id() noexcept +{ + HANDLE const handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (handle != INVALID_HANDLE_VALUE) + { + auto && on_exit = make_on_exit_scope([handle] { CloseHandle(handle); }); + PROCESSENTRY32 pe; + pe.dwSize = sizeof pe; + if (Process32First(handle, &pe)) + do + if (pe.th32ProcessID == GetCurrentProcessId()) + return pe.th32ParentProcessID; + while (Process32Next(handle, &pe)); + } + return 0xFFFFFFFFu; // Note: Zero is reserved for system process!!! +} + +template +bool get_ini_file(WCHAR (&ini_file)[size]) +{ + DWORD pos = GetEnvironmentVariableW(L"ProgramData", ini_file, elements_of(ini_file)); + if (pos == elements_of(ini_file)) + return false; + if (swprintf_s(ini_file + pos, size - pos, format_ini_file, get_parent_process_id()) < 0) + return false; + return true; +} + +} 
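Review bot: `get_ini_file` in utility.hpp mis-checks GetEnvironmentVariableW: the call returns 0 when `ProgramData` is unset or the call fails, and a value larger than the buffer (the required length including the terminator) when the buffer is too small, so `pos == elements_of(ini_file)` catches neither case. With `pos == 0` the path degrades to `\AELoader.<pid>.ini` on the current drive, and with `pos > size` the expression `ini_file + pos` points past the array while `size - pos` wraps, so swprintf_s writes out of bounds. The 0xFFFFFFFF sentinel from `get_parent_process_id` is never checked either, yielding a file named `AELoader.4294967295.ini`; `make_on_exit_scope` also returns a type whose move constructor is deleted, so `return{ ... }` only compiles with C++17 guaranteed elision — worth a comment if the project targets that standard. The template header and `#include` targets are not legible in this rendering, so the excerpt below keeps only the signature line.
```cpp
// … unchanged: template header …
bool get_ini_file(WCHAR (&ini_file)[size])
{
    // 0: variable unset or call failed; >= size: buffer too small (required length is returned)
    DWORD const pos = GetEnvironmentVariableW(L"ProgramData", ini_file, elements_of(ini_file));
    if (pos == 0 || pos >= elements_of(ini_file))
        return false;
    DWORD const parent = get_parent_process_id();
    if (parent == 0xFFFFFFFFu) // current process not found in the snapshot
        return false;
    return swprintf_s(ini_file + pos, size - pos, format_ini_file, parent) >= 0;
}
```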
diff --git a/README.md b/README.md index 45b9519..a373cc6 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ # Installation 1. Copy `\AELoader.dll` to `%WinDir%\System32` -2. Update or create `%ProgramData%\AELoader.ini`. -3. Run `AELoader.Enable.reg` to activate the injection. To deactivate run `AELoader.Disable.reg`. -4. Run `%WinDir%\System32\recdisc.exe` to execute the command line from `%ProgramData%\AELoader.ini`. +2. Run `AELoader.Enable.reg` to activate the injection. To deactivate run `AELoader.Disable.reg`. +3. Create `%ProgramData%\AELoader..ini`. Where pid is unsigned decimal value. The pid should be the parent of `%WinDir%\System32\recdisc.exe`. +4. Run `%WinDir%\System32\recdisc.exe` to execute the command line from `%ProgramData%\AELoader..ini`. `AELoader.ini` format: ``` diff --git a/Test/main.cpp b/Test/main.cpp index 8975fa549b0d02154961e34b16a74cedd017b9a2..3c7678e000a72b87bf2df908d8dcf488868999ea 100644 GIT binary patch delta 136 zcmX@beU5vA-bAgiiF!J`r3@tunG88VT*6Q}u~1l98OY3INCpa(GNdr1GAJ|{AAr(lLFa!f} z5l}RbA)TRkG9$BSHi(_c5YLbXBy)hO;=v}A0M(@eRpv41Ferf4BdY<46$3@9fNJuA hIx$r!Fz92b(VAS(ba=BLQwZbaIwp_Jf0!>Z0swIOER_HN diff --git a/run.cmd b/run.cmd deleted file mode 100644 index 386c951..0000000 --- a/run.cmd +++ /dev/null @@ -1,3 +0,0 @@ -@echo off -copy /b /y AELoader.ini "%ProgramData%" -recdisc.exe diff --git a/run.ps1 b/run.ps1 new file mode 100644 index 0000000..13b509a --- /dev/null +++ b/run.ps1 
@@ -0,0 +1,23 @@ +if ($PSVersionTable.PSVersion.Major -lt 3) { + throw "PS Version $($PSVersionTable.PSVersion) is below 3.0." +} + +Set-StrictMode -Version Latest +$ErrorActionPreference = [System.Management.Automation.ActionPreference]::Stop +$script:VerbosePreference = "Continue" + +$_IniFile = "$env:ProgramData\AELoader.$([uint32]$pid).ini" +Write-Host "Configuration file: $_IniFile" +Copy-Item AELoader.ini -Destination $_IniFile + +& recdisc.exe + +Start-Sleep 1 +if (Test-Path $_IniFile -PathType Leaf) { + Remove-Item $_IniFile + Write-Host "Injection was failed" -ForegroundColor Red +} +else { + Write-Host "Success" -ForegroundColor Green +} +
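Review bot: `Copy-Item AELoader.ini` resolves relative to the caller's working directory rather than the script's location, so under `$ErrorActionPreference = Stop` the script aborts when launched from anywhere else; use `Copy-Item (Join-Path $PSScriptRoot AELoader.ini) -Destination $_IniFile` (the PS 3.0 check at the top already guarantees `$PSScriptRoot`). The success check is a fixed `Start-Sleep 1` followed by Test-Path, which makes the reported result timing-dependent; a comment stating that assumption next to the sleep would help the reader. The message `"Injection was failed"` reads oddly; `Write-Host "Injection failed" -ForegroundColor Red`.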