change of plans, going to use wmic

3 years ago · 41fc53e62e
parent e8ca1c6fd0
commit 41fc53e62e
2 changed files with 46 additions and 6 deletions
--- a/src/defender-control/dcontrol.cpp
+++ b/src/defender-control/dcontrol.cpp
@ -161,6 +161,35 @@ namespace REG

 namespace DCONTROL
 {
+  // Sets the programs debug priviliges
+  bool Setprivilege(LPCSTR privilege, BOOL enable)
+  {
+    TOKEN_PRIVILEGES priv = { 0,0,0,0 };
+    HANDLE token = nullptr;
+    LUID luid = { 0,0 };
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
+      if (token)
+        CloseHandle(token);
+      return false;
+    }
+    if (!LookupPrivilegeValueA(nullptr, privilege, &luid)) {
+      if (token)
+        CloseHandle(token);
+      return false;
+    }
+    priv.PrivilegeCount = 1;
+    priv.Privileges[0].Luid = luid;
+    priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
+    if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr)) {
+      if (token)
+        CloseHandle(token);
+      return false;
+    }
+    if (token)
+      CloseHandle(token);
+    return true;
+  }
+
  char sub_43604B()
  {
    char v0; // bl
@ -197,6 +226,8 @@ namespace DCONTROL
      return false;
    }

+    Setprivilege(SE_DEBUG_NAME, TRUE);
+
    HKEY hkey;

    // DisableAntiSpyware
@ -276,8 +307,8 @@ namespace DCONTROL
      {
        std::cout << "failed to disable DisableRealtimeMonitoring" << std::endl;
        return false;
-      }
-    }
+  }
+}
 #endif

    return true;
--- a/src/dumper/dumper.cpp
+++ b/src/dumper/dumper.cpp
@ -136,7 +136,11 @@ namespace RegHooks
    std::cout << "dwType: " << dwType << std::endl;
    std::cout << "cbData: " << cbData << std::endl;

-    return (reinterpret_cast<regsetkeyvalueexw_t>(regsetvalue_addr))(hKey, lpValueName, Reserved, dwType, lpData, cbData);
+    auto ret = (reinterpret_cast<regsetkeyvalueexw_t>(regsetvalue_addr))(hKey, lpValueName, Reserved, dwType, lpData, cbData);
+
+    std::cout << "Ret: " << ret << std::endl;
+
+    return ret;
  }

  // RegCreateKeyExW
@ -158,6 +162,7 @@ namespace RegHooks
    LPDWORD                     lpdwDisposition
  )
  {
+
    std::cout << "[RegCreateKeyExW]" << std::endl;
    std::cout << "hKey: " << hKey << std::endl;
    std::cout << "lpSubKey: " << wide_to_string(lpSubKey).c_str() << std::endl;
@ -168,8 +173,12 @@ namespace RegHooks
    std::cout << "dwOptions: " << dwOptions << std::endl;
    std::cout << "lpdwDisposition: " << lpdwDisposition << std::endl;

-    return (reinterpret_cast<RegCreateKeyExW_t>(RegCreateKeyExW_addr))
+    auto ret = (reinterpret_cast<RegCreateKeyExW_t>(RegCreateKeyExW_addr))
      (hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);
+
+    std::cout << "Ret: " << ret << std::endl;
+
+    return ret;
  }

  // RegConnectRegistryW
@ -337,8 +346,8 @@ void thread_main()
  //DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletekeyw_addr, RegHooks::hk_RegDeleteKeyW);
  //DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletevaluew_addr, RegHooks::hk_RegDeleteValueW);
  //DetourHelper::perf_hook((PVOID*)&RegHooks::regenumvaluew_addr, RegHooks::hk_RegEnumValueW);
-  //DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW);
-  //DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW);
+  DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW);
+  DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW);
  //DetourHelper::perf_hook((PVOID*)&RegHooks::RegConnectRegistryW_addr, RegHooks::hk_RegConnectRegistryW);
  //DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW);
  //DetourHelper::perf_hook((PVOID*)&RegHooks::RegQueryValueExW_addr, RegHooks::hk_RegQueryValueExW);