Всем доброго времени суток!
Я нашел на одном форуме скрипт для выгрузки rootkit!
Сижу над ним уже 2 дня и не могу понять в чем ошибка!
Может вы лягните свежим взглядом и чем то поможете!
Сам скрипт:
Я нашел на одном форуме скрипт для выгрузки rootkit!
Сижу над ним уже 2 дня и не могу понять в чем ошибка!
Может вы лягните свежим взглядом и чем то поможете!
Сам скрипт:
Код:
#RequireAdmin
Opt("TrayOnEventMode", 1)
Opt("TrayMenuMode", 3)
TraySetToolTip("Frost Hack by SergAxt")
TrayCreateItem("О программе")
TrayItemSetOnEvent(-1, "AvtorTip")
TrayCreateItem("Выход")
TrayItemSetOnEvent(-1, "On_Exit")
TraySetState()
FileInstall("E:\Users\RPG-MARKET\Desktop\ProDLL\skeleton.sys", @ScriptDir & "\skeleton.sys", 1)
FileInstall("E:\Users\RPG-MARKET\Desktop\ProDLL\ProDLLer.dll", @ScriptDir & "\ProDLLer.dll", 1)
If FileExists(@ScriptDir & "\skeleton.sys") Then
Local $FAULT = "", $X = 0, $DRVPATH = @ScriptDir & "\"
While 1
If Not MY_SERVICE_CREATE("skeleton", "Skeleton Driver", $DRVPATH & "skeleton.sys", $SERVICE_KERNEL_DRIVER, $SERVICE_DEMAND_START, $SERVICE_ERROR_IGNORE, 0) Then
$FAULT = @LF & $X & " My_Service_Create: @error=" & @error
EndIf
If Not _SERVICE_START("skeleton") Then
$FAULT &= @LF & $X & " _Service_Start: @error=" & @error
If @error = 3 Then
If $X < 2 Then
MsgBox("0", "ERROR!", "_Service_Start: Driver-path not recognised. Will copy driver to tempdir. Anti-virus might complain about suspicious behaviour.")
_SERVICE_STOP("skeleton")
_SERVICE_DELETE("skeleton")
FileCopy(@ScriptDir & "\" & "skeleton.sys", @TempDir & "\", 1)
$DRVPATH = @TempDir & "\"
$X += 1
ContinueLoop
EndIf
EndIf
EndIf
_SERVICE_DELETE("skeleton")
$HCOLDBOOT = DllCall("kernel32.dll", "int", "CreateFile", "str", "\\.\skeleton", "dword", -1073741824, "dword", 0, "dword", 0, "dword", 3, "dword", 0, "dword", 0)
If $HCOLDBOOT[0] = 0 Or $HCOLDBOOT[0] = -1 Then
Local $RET = _SERVICE_QUERYSTATUS("skeleton")
If @error Or $RET[1] = $SERVICE_STOPPED Then
If $X < 3 Then
If $X = 0 Then
ElseIf $X = 1 Then
_SERVICE_DELETE("skeleton")
ElseIf $X = 2 Then
_SERVICE_DELETE("skeleton")
Else
RegDelete("HKLM\SYSTEM\ControlSet001\Services\Skeleton")
RegDel ete( "HKL M\SY STEM\ControlSet002\Services\Skeleton")
RegDelete("HKLM\SYSTEM\ControlSet003\Services\Skeleton")
RegDelete("HKLM\SYSTEM\C ur re nt ControlSet\Services\Skeleton")
EndIf
$X += 1
ContinueLoop
EndIf
MsgBox(0, "ERROR!", "Couldn't start skeleton.sys so I can not aquire DRIVER handle!" & $FAULT)
Exit
Else
MsgBox(0, "ERROR!", "Skeleton.sys is running but I can not aquire DRIVER handle!" & $FAULT)
Exit
EndIf
Else
$HCOLDBOOT = $HCOLDBOOT[0]
ExitLoop
EndIf
WEnd
Else
MsgBox(0, "ERROR!", "File does not exist: " & @ScriptDir & "\skeleton.sys")
Exit
EndIf
$HDLL = DllOpen(@ScriptDir & "\ProDLLer.dll")
DllCall($HDLL, "Int", "InitSSDT", "dword", $HCOLDBOOT)
Local $DWORD = DllStructCreate("uint;uint;uint;uint")
Local $RET = DllCall("kernel32.dll", "int", "DeviceIoControl", "dword", $HCOLDBOOT, "dword", 2252832, "ptr", DllStructGetPtr($DWORD), "dword", 16, "ptr", DllStructGetPtr($DWORD), "dword", 16, "dword*", 0, "ptr", 0)
Global $DRIVERS = _GETDRIVERS()
If StringLeft($DRIVERS[0][1], 2) = "nt" Then
$NTMEMBASE = $DRIVERS[0][0]
Else
MsgBox(0, "ERROR", "No ntoskrnl.exe, or similar???")
Exit
EndIf
$X = 1
While 1
If Not $HNTFILE Then
FileCopy($DRIVERS[0][8], @ScriptDir & "\ntos.exe", 1)
Global $HNTFILE = _WINAPI_CREATEFILE(@ScriptDir & "\ntos.exe", 2, 6, 2)
If Not $HNTFILE Then
While 1
FileCopy($DRIVERS[0][8], @ScriptDir & "\ntos" & $X & ".exe", 1)
Global $HNTFILE = _WINAPI_CREATEFILE(@ScriptDir & "\ntos" & $X & ".exe", 2, 6, 2)
If Not $HNTFILE Then
$X += 1
If $X = 9 Then ExitLoop
ContinueLoop
Else
$RET = DllCall("kernel32.dll", "int", "CreateFileMapping", "int", $HNTFILE, "int", 0, "int", 4 + 16777216, "int", 0, "int", 0, "int", 0)
Local $HNTMAP = $RET[0]
$RET = DllCall("kernel32.dll", "int", "MapViewOfFile", "int", $HNTMAP, "int", 6, "int", 0, "int", 0, "int", 0)
Global $NTMAPBASE = $RET[0]
$RET = DllCall($HDLL, "int", "GetImageBaseMem", "int", $NTMAPBASE)
Global $NTFILEBASE = $RET[0]
ExitLoop 2
EndIf
WEnd
MsgBox(0, "ERROR", "Could not open copy of " & $DRIVERS[0][1] & _WINAPI_GETLASTERRORMESSAGE())
Exit
EndIf
$RET = DllCall("kernel32.dll", "int", "CreateFileMapping", "int", $HNTFILE, "int", 0, "int", 4 + 16777216, "int", 0, "int", 0, "int", 0)
Local $HNTMAP = $RET[0]
$RET = DllCall("kernel32.dll", "int", "MapViewOfFile", "int", $HNTMAP, "int", 6, "int", 0, "int", 0, "int", 0)
Global $NTMAPBASE = $RET[0]
$RET = DllCall($HDLL, "int", "GetImageBaseMem", "int", $NTMAPBASE)
Global $NTFILEBASE = $RET[0]
ExitLoop
EndIf
ExitLoop
WEnd
If ProcessExists("PB.exe") = 0 Then
TrayTip("FrostHack", "Point Blank Не запущен, ожидаем запуска!", 5, 1)
ProcessWait("PB.exe")
TrayTip("FrostHack", "Ожидаем 80сек. до полной загрузки игры.", 5, 1)
Sleep(80000)
EndIf
TrayTip("FrostHack", "Point Blank обнаружен!", 5, 1)
_PROCSUSPENDRESUME("PB.exe")
Sleep(2000)
_GETSSDT()
Sleep(2000)
TrayTip("FrostHack", "Программа успешно выполнила все действия!", 5, 1)
Sleep(5000)
TrayTip("FrostHack", "Программа закроется через 5 секунд!", 5, 1)
Sleep(5000)
ON_EXIT()
Func _GETSSDT()
Local $I, $J, $K, $L, $M, $RET, $RET1, $TEMP, $TEMP1, $INT, $INT1
$SSDT = 0
Global $SSDT[$SSDTTABLE[1]][11]
For $I = 0 To $SSDTTABLE[1] - 1
DllStructSetData($DWORD, 1, $SSDTTABLE[0] + $I * 4)
$RET = DllCall("kernel32.dll", "int", "DeviceIoControl", "dword", $HCOLDBOOT, "dword", 2252848, "ptr", DllStructGetPtr($DWORD), "dword", 16, "ptr", DllStructGetPtr($DWORD), "dword", 16, "dword*", 0, "ptr", 0)
$SSDT[$I][0] = DllStructGetData($DWORD, 1)
Local $INT1 = DllStructCreate("int", $SSDTTABLE[0] + ($I * 4) - $NTMEMBASE + $NTMAPBASE)
$SSDT[$I][1] = DllStructGetData($INT1, 1) + $NTMEMBASE - $NTFILEBASE
For $J = 0 To UBound($DRIVERS, 1) - 1
$RET = DllCall($HDLL, "int", "AddressInRange", "int", PTR($SSDT[$I][0]), "int", PTR($DRIVERS[$J][0]), "int", PTR($DRIVERS[$J][2]))
If $RET[0] Then
$SSDT[$I][4] = $DRIVERS[$J][1]
ExitLoop
EndIf
Next
If $SSDT[$I][4] == "frost.sys" Then
$SSDT[$I][2] = " Yes!"
TrayTip("FrostHack", "Выгружаем драйвера Фроста!", 5, 1)
$DWORD1 = DllStructCreate("dword;dword")
DllStructSetData($DWORD1, 1, $SSDTTABLE[0] + $I * 4)
DllStructSetData($DWORD1, 2, $SSDT[$I][1])
$MLRET = DllCall("kernel32.dll", "int", "DeviceIoControl", "dword", $HCOLDBOOT, "dword", 2252864, "ptr", DllStructGetPtr($DWORD1), "dword", 8, "ptr", DllStructGetPtr($DWORD1), "dword", 8, "dword*", 0, "ptr", 0)
EndIf
Next
EndFunc
Func _GETDRIVERS()
Local $RET = DllCall("ntdll.dll", "int", "ZwQuerySystemInformation", "int", 11, "int*", 0, "int", 0, "int*", 0)
Local $MEM = DllStructCreate("byte[" & $RET[4] + 2000 & "]")
Local $RET = DllCall("ntdll.dll", "int", "ZwQuerySystemInformation", "int", 11, "ptr", DllStructGetPtr($MEM), "int", DllStructGetSize($MEM), "int*", 0)
Local $MOD_COUNT = DllStructGetData(DllStructCreate("dword", $RET[2]), 1)
Local $MOD = DllStructCreate($TAG_SYSTEM_MODULE_INFORMATION, $RET[2] + 4)
Local $MOD_PTR = $RET[2] + 4
Local $MOD_SIZE = DllStructGetSize($MOD)
Local $M, $I
Local $AVARRAY[$MOD_COUNT][12]
For $M = 0 To $MOD_COUNT - 1
$MOD = DllStructCreate($TAG_SYSTEM_MODULE_INFORMATION, $MOD_PTR + $MOD_SIZE * $M)
$AVARRAY[$M][0] = DllStructGetData($MOD, 2)
$AVARRAY[$M][2] = DllStructGetData($MOD, 3)
$AVARRAY[$M][8] = DllStructGetData($MOD, 9)
$AVARRAY[$M][1] = StringMid($AVARRAY[$M][8], DllStructGetData($MOD, 8) + 1)
While 1
If StringInStr($AVARRAY[$M][8], "\") Then
$AVARRAY[$M][8] = StringReplace($AVARRAY[$M][8], "\??\", "")
If @extended Then ExitLoop
$AVARRAY[$M][8] = StringReplace($AVARRAY[$M][8], "\SystemRoot", @WindowsDir)
If @extended Then ExitLoop
$AVARRAY[$M][8] = StringLeft(@WindowsDir, 2) & $AVARRAY[$M][8]
ExitLoop
Else
$AVARRAY[$M][8] = @SystemDir & "\drivers\" & $AVARRAY[$M][8]
ExitLoop
EndIf
WEnd
Next
$MOD = 0
$MEM = 0
$RET = 0
Return $AVARRAY
EndFunc
Func _PROCSUSPENDRESUME($PROCESS)
$PROCESSID = ProcessExists($PROCESS)
If $PROCESSID Then
If $FSUSPENDED Then
$AI_HANDLE = DllCall("kernel32.dll", "int", "OpenProcess", "int", 2035711, "int", False, "int", $PROCESSID)
$I_SUCESS = DllCall("ntdll.dll", "int", "NtResumeProcess", "int", $AI_HANDLE[0])
DllCall("kernel32.dll", "ptr", "CloseHandle", "ptr", $AI_HANDLE)
If IsArray($I_SUCESS) Then
$FSUSPENDED = 0
Return 1
Else
SetError(1)
Return 0
EndIf
Else
$AI_HANDLE = DllCall("kernel32.dll", "int", "OpenProcess", "int", 2035711, "int", False, "int", $PROCESSID)
$I_SUCESS = DllCall("ntdll.dll", "int", "NtSuspendProcess", "int", $AI_HANDLE[0])
DllCall("kernel32.dll", "ptr", "CloseHandle", "ptr", $AI_HANDLE)
If IsArray($I_SUCESS) Then
$FSUSPENDED = 1
Return 1
Else
SetError(1)
Return 0
EndIf
EndIf
Else
SetError(2)
Return 0
EndIf
EndFunc
Func MY_SERVICE_CREATE($SSERVICENAME, $SDISPLAYNAME, $SBINARYPATH, $NSERVICETYPE = 16, $NSTARTTYPE = 2, $NERRORTYPE = 1, $NDESIREDACCESS = 983551)
Local $HADVAPI32
Local $HKERNEL32
Local $ARRET
Local $HSC
Local $LERROR = -1
$HADVAPI32 = DllOpen("advapi32.dll")
If $HADVAPI32 = -1 Then Return 0
$HKERNEL32 = DllOpen("kernel32.dll")
If $HKERNEL32 = -1 Then Return 0
$ARRET = DllCall($HADVAPI32, "long", "OpenSCManager", "str", ".", "str", "ServicesActive", "long", $SC_MANAGER_ALL_ACCESS)
If $ARRET[0] = 0 Then
$ARRET = DllCall($HKERNEL32, "long", "GetLastError")
$LERROR = $ARRET[0]
Else
$HSC = $ARRET[0]
$ARRET = DllCall($HADVAPI32, "long", "OpenService", "long", $HSC, "str", $SSERVICENAME, "long", $SERVICE_INTERROGATE)
If $ARRET[0] = 0 Then
$ARRET = DllCall($HADVAPI32, "long", "CreateService", "long", $HSC, "str", $SSERVICENAME, "str", $SDISPLAYNAME, "long", $NDESIREDACCESS, "long", $NSERVICETYPE, "long", $NSTARTTYPE, "long", $NERRORTYPE, "str", $SBINARYPATH, "int", 0, "ptr", 0, "int", 0, "int", 0, "int", 0)
If $ARRET[0] = 0 Then
$ARRET = DllCall($HKERNEL32, "long", "GetLastError")
$LERROR = $ARRET[0]
Else
DllCall($HADVAPI32, "int", "CloseServiceHandle", "long", $ARRET[0])
EndIf
Else
DllCall($HADVAPI32, "int", "CloseServiceHandle", "long", $ARRET[0])
EndIf
DllCall($HADVAPI32, "int", "CloseServiceHandle", "long", $HSC)
EndIf
DllClose($HADVAPI32)
DllClose($HKERNEL32)
If $LERROR <> -1 Then
SetError($LERROR)
Return 0
EndIf
Return 1
EndFunc
Func AVTORTIP()
MsgBox(64, "Автор", "Кнопка Author - читать там")
EndFunc
Func ON_EXIT()
DllClose($HDLL)
DllCall("kernel32.dll", "int", "DeviceIoControl", "dword", $HCOLDBOOT, "dword", 2253072, "int*", 0, "dword", 4, "int*", 0, "dword", 0, "dword*", 0, "ptr", 0)
_SERVICE_STOP("skeleton")
_SERVICE_DELETE("skeleton")
FileDelete(@TempDir & "\" & "skeleton.sys")
FileDelete(@ScriptDir & "\ProDLLer.dll")
FileDelete(@ScriptDir & "\skeleton.sys")
Exit
EndFunc
