Technofyed

Full Version: Hijack Repair (s)
Unlike my last 2 topics about software, I actually am writing this one. In fact, I have already gotten it started.

Often when I'm cleaning machines that come in for virus removal, a lot of the scareware (rogue software) will deactivate active desktop items. I often find myself thumbing through documentation, time & time again, to fix these, & they are really simple, but I often spend about 5 to 10 minutes just resetting policies like active desktop, wallpaper, screen saver, & so on.

I'll gladly provide the source code, & a working binary for everyone here to use, but I would like to see a group effort out of anyone willing to help out. Ever wanted to be a part of a security software project?

Really, all I need is simple shit too, like a name, layout, menu items, & so on. Right now it's just called "quick fix".

So... ideas?
I'm not exactly sure what you're talking about with "security software project". Do you want to create an anti-virus program? If so, I'm in, although I don't know much programming other than web design languages.

Or are you talking more along the lines of a program to reset settings such as the ones you mentioned in your post back to normal?
The 2nd option. It's just going to check for silly things like when a hijack program alters registry values like setting the wallpaper, start->run, regedit, & other things that are tedious & time consuming to manually repair.

I'm in no way interested in starting antivirus software.
What language are you planning on programming it in? C? It sounds like something that could easily be done in AHK.
Why use AHK though if you know C? I don't know C very well at all...
I'll post the code in the next few hours. It's written in C.
I know enough about C to confuse me when I can't get it to work.
Writing it isn't the problem, I'm just curious about layout, menu items, I don't know... bells & whistles.

I was thinking we could make it a Technofyed release or something. *shrug* I was going to offer it for download on my website.
Here is the source code for the program:

Code:
#define _WIN32_WINNT    0x0500

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <ctype.h>
#include <string.h>
#include <time.h>
#include <dirent.h>
#include <shlobj.h>

#include "qf.h"

/* TO DO */

/*

1.) Use C code to open Windows registry & check for common hijacks
2.) Change icon during processing
3.) Logging is not yet implemented
4.) About Us
5.) Menu structure?  Layout?
*/

// Global Variables
HWND g_hwnd; // main
HWND c_hwnd = NULL; //child
HANDLE hf;
HINSTANCE hInstance;
OPENFILENAME ofn;
LPITEMIDLIST pidl;
BROWSEINFO bi;
char dr_array[MAX][MAX]={0};
char source_path[MAX],dest_path[MAX];
int  selected_s_chk=0,selected_d_chk=0,DriveSelect;

// Function Definitions
BOOL CALLBACK DlgProc(HWND dlg, UINT msg, WPARAM wParam, LPARAM lParam);
LRESULT CALLBACK WndProc(HWND hwnd, UINT message, WPARAM wparam, LPARAM lparam);
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR szCmdLine, int iCmdShow);
int copy_file(char * FName,char * __Source,char * __Dest);

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR szCmdLine, int iCmdShow) {
    #pragma region part 1 - use a WNDCLASSEX structure to create a window!!
    WNDCLASSEX wcx;
    MSG msg;

    wcx.cbClsExtra=0;
    wcx.cbSize=sizeof(WNDCLASSEX);
    wcx.cbWndExtra=0;
    wcx.hbrBackground=(HBRUSH)GetStockObject(WHITE_BRUSH); // Change Background with NULL & WM_PAINT/WM_ERASEBKGND
    wcx.hCursor=LoadCursor(NULL, IDC_ARROW); //IDC_WAIT
    wcx.hIcon=LoadIcon( NULL, IDI_APPLICATION );
    wcx.hIconSm=NULL;
    wcx.hInstance=hInstance;
    wcx.lpfnWndProc=WndProc;
    wcx.lpszClassName=TEXT(STR_STR);
    wcx.lpszMenuName=MAKEINTRESOURCE(IDR_MYMENU);
    wcx.style=CS_HREDRAW | CS_VREDRAW;

    RegisterClassEx(&wcx);

    g_hwnd=CreateWindowEx(WS_EX_LAYERED,TEXT(STR_STR),TEXT(STR_VER) TEXT(WRITTEN) TEXT(WRITTEN_YEAR),WS_OVERLAPPEDWINDOW,10, 10,400, 400, NULL, NULL, hInstance, NULL);
    /*
    SetLayeredWindowAttributes( g_hwnd,     // handle to window to modify
                                0,          // color key (not used when using LWA_ALPHA)
                                85,         // "amount of solidness" = 0=transparent, 255=completely solid
                                LWA_ALPHA );// use my alpha value (prev arg)
                                            // to tell how see 'solid' window is.
    */
    SetLayeredWindowAttributes(g_hwnd, 0, 255, LWA_ALPHA );

    ShowWindow(g_hwnd, iCmdShow);
    UpdateWindow(g_hwnd);

    #pragma endregion
    #pragma region part 2 - enter message loop    

    while(GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    #pragma endregion
    return msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT message, WPARAM wparam, LPARAM lparam) {
    /* Drive types */
    char BUFFER[BUFF]={0};
    HMENU hMenu, hSubMenu;

    /* Registry values: both lockouts live under ...\Policies\System, in HKCU and/or HKLM */
    HKEY hKey_LM = NULL; // Local Machine (writing here needs administrator rights)
    HKEY hKey_CU = NULL; // Current User
    char RegBuffer[1024]={0};
    LPCTSTR regPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
    LPCTSTR regReqWallPaper = "Wallpaper";     // REG_SZ path forced by policy; present = locked
    LPCTSTR regReqTaskMGR = "DisableTaskMgr";  // REG_DWORD; non-zero = Task Manager disabled
    DWORD size1 = sizeof(RegBuffer);
    DWORD Type = 0;
    int RegFault=0;    // By default, we're doing fine :)
    DWORD dwData=0;    // value written back when unlocking
    
    switch(message) {
        case WM_CREATE:
            Beep(50,10);
            hMenu = CreateMenu();

            hSubMenu = CreatePopupMenu();
            /* Create Menu */
            AppendMenu(hSubMenu, MF_STRING, ID_PROCESS_BEGN, "&Begin");
            AppendMenu(hSubMenu, MF_GRAYED|MF_STRING, ID_PROCESS_STOP, "&Cancel");
            AppendMenu(hSubMenu, MF_SEPARATOR, 0, NULL);
            AppendMenu(hSubMenu, MF_STRING, ID_FILE_EXIT, "E&xit");
            AppendMenu(hMenu, MF_STRING | MF_POPUP, (UINT)hSubMenu, "&File");

            hSubMenu = CreatePopupMenu();
            AppendMenu(hSubMenu, MF_STRING, ID_HELP_TOPICS, "&Help");
            AppendMenu(hSubMenu, MF_SEPARATOR, 0, NULL);
            AppendMenu(hSubMenu, MF_STRING, ID_HELP_ABOUTUS, "&About...");
            AppendMenu(hMenu, MF_STRING | MF_POPUP, (UINT)hSubMenu, "&Help");
            SetMenu(hwnd, hMenu);

            /*
            hIcon = LoadImage(NULL, "menu_two.ico", IMAGE_ICON, 32, 32, LR_LOADFROMFILE);
            if(hIcon)
                SendMessage(hwnd, WM_SETICON, ICON_BIG, (LPARAM)hIcon);
            else
                MessageBox(hwnd, "Could not load large icon!", "Error", MB_OK | MB_ICONERROR);

            hIconSm = LoadImage(NULL, "menu_two.ico", IMAGE_ICON, 16, 16, LR_LOADFROMFILE);
            if(hIconSm)
                SendMessage(hwnd, WM_SETICON, ICON_SMALL, (LPARAM)hIconSm);
            else
                MessageBox(hwnd, "Could not load small icon!", "Error", MB_OK | MB_ICONERROR);
            */
            //return 0;
        break;
        case WM_CHAR:
            switch(toupper((int)(wparam & 0xFF))) {
                case 'G':   // make ghostly: keep the old style, turn the WS_EX_LAYERED bit on
                    SetWindowLongPtr(hwnd,GWL_EXSTYLE,GetWindowLongPtr(hwnd, GWL_EXSTYLE) | WS_EX_LAYERED);
                    SetLayeredWindowAttributes(hwnd,0,155,LWA_ALPHA);
                break;
                case 'S':   // make solid: get the old style first, turn the WS_EX_LAYERED bit off
                    SetWindowLongPtr(hwnd,GWL_EXSTYLE,GetWindowLongPtr(hwnd, GWL_EXSTYLE) & ~WS_EX_LAYERED);
            // Note:  Use SetWindowLongPtr/GetWindowLongPtr (NOT SetWindowLong()!)
            // to write code that'll work on both 32-bit and 64-bit windows!
            // http://msdn2.microsoft.com/en-us/library/ms644898(VS.85).aspx
                break;
                case 'Q':
                    sprintf(BUFFER,"%s : Exit?",STR_VER);
                    if(MessageBox(hwnd, "Are you sure you want to exit?", BUFFER, MB_YESNO|MB_ICONQUESTION)==IDYES) PostMessage(hwnd, WM_CLOSE, 0, 0);
                break;
            }
        break;

        case WM_COMMAND:
            switch(LOWORD(wparam)) {
                case ID_FILE_EXIT:
                    sprintf(BUFFER,"%s : Exit?",STR_VER);
                    if(MessageBox(hwnd, "Are you sure you want to exit?", BUFFER, MB_YESNO|MB_ICONQUESTION)==IDYES) PostMessage(hwnd, WM_CLOSE, 0, 0);
                break;
                case ID_PROCESS_BEGN: {
                    LONG rc;
                    DWORD val=0;
                    RegFault=0;                 // fresh run: nothing found yet
                    hKey_CU=NULL; hKey_LM=NULL;

                    /* Task Manager : HKCU\...\Policies\System\DisableTaskMgr (REG_DWORD) != 0 */
                    sprintf(BUFFER,"%s : Task Manager",STR_VER);
                    rc=RegOpenKeyEx(HKEY_CURRENT_USER, regPath, 0, KEY_READ|KEY_SET_VALUE, &hKey_CU);
                    if(rc==ERROR_SUCCESS) {
                        size1=sizeof(RegBuffer);
                        if(RegQueryValueEx(hKey_CU, regReqTaskMGR, NULL, &Type, (LPBYTE)RegBuffer, &size1)==ERROR_SUCCESS
                           && Type==REG_DWORD && size1==sizeof(DWORD)) {
                            memcpy(&val, RegBuffer, sizeof(val));   // read the whole DWORD, not just its first byte
                            if(val!=0) RegFault=1;
                        }
                        // value missing or of another type: treated as not locked
                    }
                    else if(rc!=ERROR_FILE_NOT_FOUND) {     // no Policies\System key at all simply means no lockout
                        MessageBox(hwnd, "Failed to open the HKCU policy key!", BUFFER, MB_OK|MB_ICONWARNING);
                    }
                    if(RegFault==0) MessageBox(hwnd, "TaskManager is not locked.", BUFFER, MB_OK);
                    else if(MessageBox(hwnd, "TaskManager is locked.\nWould you like to unlock it?", BUFFER, MB_YESNO|MB_ICONWARNING)==IDYES) {
                        // only write when the user actually answered Yes
                        if(RegSetValueEx(hKey_CU, regReqTaskMGR, 0, REG_DWORD, (PBYTE)&dwData, sizeof(dwData))==ERROR_SUCCESS) {
                            RegFault=0;
                            MessageBox(hwnd, "TaskManager has been unlocked.", BUFFER, MB_OK);
                        }
                        else MessageBox(hwnd, "Failed to unlock TaskManager!", BUFFER, MB_OK|MB_ICONWARNING);
                    }
                    if(hKey_CU) { RegCloseKey(hKey_CU); hKey_CU=NULL; }

                    /* WallPaper : ...\Policies\System\Wallpaper (REG_SZ) forces a wallpaper path.
                       The value being present at all is the lock, so the fix is to delete the
                       *value* (RegDeleteValue), not a key. Bit 1 = found in HKCU, bit 2 = in HKLM. */
                    RegFault=0;
                    sprintf(BUFFER,"%s : WallPaper",STR_VER);
                    if(RegOpenKeyEx(HKEY_CURRENT_USER, regPath, 0, KEY_READ|KEY_SET_VALUE, &hKey_CU)==ERROR_SUCCESS) {
                        size1=sizeof(RegBuffer);
                        rc=RegQueryValueEx(hKey_CU, regReqWallPaper, NULL, &Type, (LPBYTE)RegBuffer, &size1);
                        if(rc==ERROR_SUCCESS || rc==ERROR_MORE_DATA) RegFault|=1;
                    }
                    rc=RegOpenKeyEx(HKEY_LOCAL_MACHINE, regPath, 0, KEY_READ|KEY_SET_VALUE, &hKey_LM);
                    if(rc!=ERROR_SUCCESS) rc=RegOpenKeyEx(HKEY_LOCAL_MACHINE, regPath, 0, KEY_READ, &hKey_LM); // non-admin: can still report
                    if(rc==ERROR_SUCCESS) {
                        size1=sizeof(RegBuffer);
                        rc=RegQueryValueEx(hKey_LM, regReqWallPaper, NULL, &Type, (LPBYTE)RegBuffer, &size1);
                        if(rc==ERROR_SUCCESS || rc==ERROR_MORE_DATA) RegFault|=2;
                    }
                    if(RegFault==0) MessageBox(hwnd, "WallPaper is not locked.", BUFFER, MB_OK);
                    else if(MessageBox(hwnd, "WallPaper is locked.\nWould you like to fix it?", BUFFER, MB_YESNO|MB_ICONWARNING)==IDYES) {
                        if((RegFault&1) && RegDeleteValue(hKey_CU, regReqWallPaper)==ERROR_SUCCESS) RegFault&=~1;
                        if((RegFault&2) && RegDeleteValue(hKey_LM, regReqWallPaper)==ERROR_SUCCESS) RegFault&=~2;
                        if(RegFault==0) MessageBox(hwnd, "WallPaper has been unlocked.", BUFFER, MB_OK);
                        else MessageBox(hwnd, "Failed to unlock WallPaper!\n(HKLM needs administrator rights.)", BUFFER, MB_OK|MB_ICONWARNING);
                    }
                    if(hKey_LM) { RegCloseKey(hKey_LM); hKey_LM=NULL; }
                    if(hKey_CU) { RegCloseKey(hKey_CU); hKey_CU=NULL; }
                    break;
                }
                case ID_PROCESS_STOP:
                /*
                    process_step=0;
                    if(remove(FILE_TRG)!=0) {
                        sprintf(BUFFER,"There was an error removing the trigger file");
                        MessageBox(hwnd, "Unable to remove the trigger file.", BUFFER, MB_OK|MB_ICONERROR);
                        // Log
                    }
                    if(process_step==0) {
                        SetWindowLongPtr(hwnd,GWL_EXSTYLE,GetWindowLong(hwnd, GWL_EXSTYLE) | WS_EX_LAYERED);
                        SetLayeredWindowAttributes(hwnd,0,255,LWA_ALPHA);
                    }
                */
                    sprintf(BUFFER,"%s : Archive Canceled",STR_VER);
                    SendMessage(g_hwnd, WM_SETTEXT, 0, (LPARAM)(LPCTSTR)BUFFER);
                break;
                case ID_HELP_ABOUTUS:
                    // About box not written yet (TO DO item 4). WM_CHAR carries the character in wParam.
                    SendMessage(hwnd, WM_CHAR, (WPARAM)'A', 0);
                break;
            }
        break;

        case WM_PAINT: {
            PAINTSTRUCT ps;
            BeginPaint(hwnd, &ps);   // validates the client area; nothing is drawn yet
            EndPaint(hwnd, &ps);
        }
        break;
        
        case WM_MOVE:
            SetWindowLongPtr(hwnd,GWL_EXSTYLE,GetWindowLongPtr(hwnd, GWL_EXSTYLE) | WS_EX_LAYERED);
            SetLayeredWindowAttributes(hwnd,0,255,LWA_ALPHA);
            break;
                    
        case WM_MOVING:
            //SetWindowLongPtr(hwnd,GWL_EXSTYLE,GetWindowLong(hwnd, GWL_EXSTYLE) | WS_EX_LAYERED);
            //SetLayeredWindowAttributes(hwnd,0,155,LWA_ALPHA);
            break;

        case WM_KEYDOWN:
            switch(wparam) {
                case VK_ESCAPE:
                    sprintf(BUFFER,"%s : Exit?",STR_VER);
                    if(MessageBox(hwnd, "Are you sure you want to exit?", BUFFER, MB_YESNO|MB_ICONQUESTION)==IDYES) PostQuitMessage(0);
                break;
                default:
                break;
            }
        return 0;

        case WM_DESTROY:
            PostQuitMessage(0);
        break;
    }
    return DefWindowProc(hwnd, message, wparam, lparam);
}

int copy_file(char * FName,char * __Source,char * __Dest) {
    FILE *in, *out;
    int ch, err=0;                // getc() returns int so EOF can be told apart from a data byte
    char BUFFER[BUFF],i_buff[MAX],o_buff[MAX];

    // Refuse paths that would overrun the fixed buffers instead of sprintf'ing past them
    if(strlen(__Source)+strlen(FName)+2 > MAX || strlen(__Dest)+strlen(FName)+2 > MAX) {
        MessageBox(g_hwnd, "Path too long.", FName, MB_OK | MB_ICONERROR);
        return 1;
    }
    sprintf(i_buff,"%s\\%s",__Source,FName);
    sprintf(o_buff,"%s\\%s",__Dest,FName);

    in=fopen(i_buff, "rb");
    if(!in) {
        sprintf(BUFFER,"%s : Open Error",FName);
        MessageBox(g_hwnd, "Cannot open input file.", BUFFER, MB_OK | MB_ICONERROR);
        return 1;
    }
    out=fopen(o_buff, "wb");
    if(!out) {
        sprintf(BUFFER,"%s : Open Error",FName);
        MessageBox(g_hwnd, "Cannot open output file.", BUFFER, MB_OK | MB_ICONERROR);
        fclose(in);               // don't leak the input handle on the error path
        return 1;
    }

    // Read until EOF or error; testing feof() *before* the read runs the loop one byte too far
    while((ch=getc(in))!=EOF) {
        if(putc(ch, out)==EOF) {
            sprintf(BUFFER,"%s : Write Error",FName);
            MessageBox(g_hwnd, "There was an error writing to the destination file.", BUFFER, MB_OK | MB_ICONERROR);
            err=1;
            break;
        }
    }
    if(ferror(in)) {
        sprintf(BUFFER,"%s : Read Error",FName);
        MessageBox(g_hwnd, "There was an error reading from the source file.", BUFFER, MB_OK | MB_ICONERROR);
        err=1;
    }
    fclose(in);
    fclose(out);

    return err;
}

BOOL CALLBACK DlgProc(HWND dlg, UINT msg, WPARAM wParam, LPARAM lParam) {
    switch(msg) {
        case WM_INITDIALOG:
            return TRUE;
        case WM_COMMAND:
            switch(LOWORD(wParam)) {
                case IDC_BTN_SEL: {
                    char szBuff[100] = {0};
                    //if(GetDlgItem(dlg,IDC_LISTBOX),LB_ADDSTRING,0,(LPARAM)szBuff)
                    //if(GetDlgItemText(dlg, IDC_LISTBOX, (LPTSTR)dlgStr, 20))
                    MessageBox(dlg, szBuff, "Selected Storage Media", MB_OK);
                    return TRUE;
                }
                case IDOK:  {
                    char dlgStr[20];
                    if(GetDlgItemText(dlg, IDC_EDITBOX, (LPTSTR)dlgStr, 20))
                    MessageBox(dlg, dlgStr, "Text Message", MB_OK);
                    return TRUE;
                 }
             }
         return FALSE;            

        case WM_CLOSE:
            EndDialog(dlg, IDOK);
            return TRUE;
        }
    return FALSE;
}

Here is the custom header file:

Code:
#define VER             ".01"
#define STR_STR            "Quick Registry Fix"
#define STR_VER         "Version .01"
#define WRITTEN            " #2pencil : Computer Design & Repair "
#define WRITTEN_YEAR    "2009"
#define MAX             256
#define BUFF             2048

// Dialog Box
#define IDD_MAINDLG     1001
#define IDC_OUTLINE        1002
#define IDC_EDITBOX        1003
#define IDC_STATICENTER    1004
#define IDC_LISTBOX     1005
#define IDC_BTN_SEL        1006
#define IDC_BTN_CAN        1007

// Menu Items
#define IDR_MYMENU 101
#define IDI_MYICON 201

#define ID_FILE_EXIT     9000

#define ID_PROCESS_BEGN    9100
#define ID_PROCESS_STOP    9101

#define ID_HELP            9200
#define ID_HELP_ABOUTUS    9201
#define ID_HELP_TOPICS    9202

& here is the resource file:

Code:
#include "qf.h"

IDD_MAINDLG DIALOG DISCARDABLE  0, 0, 153, 164
STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "Simple Dialog Box"
FONT 8, "MS Sans Serif"
BEGIN
    DEFPUSHBUTTON   "OK",IDOK,65,114,50,14
    GROUPBOX        "",IDC_OUTLINE,3,5,146,81
    //EDITTEXT        IDC_EDITBOX,9,19,133,12,ES_AUTOHSCROLL
    LTEXT           "Please select source:",IDC_STATICENTER,9,9,89,9
END


IDR_MYMENU MENU
BEGIN
    POPUP "&File"
    BEGIN
        MENUITEM "&Begin", ID_PROCESS_BEGN
        MENUITEM "&Fix", ID_PROCESS_STOP, GRAYED
        //ID_PROCESS_STOP
        MENUITEM "E&xit", ID_FILE_EXIT
    END
    
    POPUP "&Help"
    BEGIN
        MENUITEM "Help (HowTo)", ID_HELP_TOPICS
        MENUITEM "Abou&t US", ID_HELP_ABOUTUS
    END
END

This program compiles without error using the Borland 5.5 command line compiler, which is available for free. If you are using an IDE or a different compiler, I can't help you get it to work.

Let me know if you have any questions, & I am open to constructive criticism & creative ideas.

Oh, & just for shits & grins, when the program is open, hit S or G for a fun effect: Solid & Ghost.

** Edit **

There is a lot of 'garbage' code, as I used a previous project that did drive detection & backups. If anyone is interested in that code, let me know & I'll gladly post it. I ditched the project due to lack of interest from the customer who requested it. So there are some directory & file "left overs", but I tried to weed out as much of the code that caused warnings with the compiler & posted it as is.

Currently it will correct the task manager lockout & wallpaper. Though the wallpaper can be locked out in both HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER, only one of them is working.
It may not be a bad idea to have an "option" or "settings" portion to the menu, & we could issue something like 'quiet mode' where it only tells you the things that are wrong, or 'full mode' where it lists "this is unlocked, this is locked".
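The check-both-hives point above and the 'quiet mode' / 'full mode' idea, as an added example that is not part of the thread's "Quick Registry Fix" source. It is a PowerShell script that audits the policy values scareware sets to lock out Task Manager, regedit, Start->Run, the wallpaper / screen-saver pages and Active Desktop, in HKCU and HKLM, and removes them on request. DisableTaskMgr and Wallpaper come from the C source above; the other value names are the standard Windows policy values for those restrictions. The parameter names (-Fix, -Quiet, -LogPath), the default log path and the report layout are my own choices, not anything the thread specifies.

```powershell
# Added example (not the thread's "Quick Registry Fix" source): audit the policy
# values scareware sets to lock out Task Manager, regedit, Start->Run, the
# wallpaper / screen-saver pages and Active Desktop, in both HKCU and HKLM.
# Default is report-only; -Fix removes the lockouts; -Quiet lists only what is
# locked (the thread's 'quiet mode'); every lockout found is appended to -LogPath.
# Assumptions: run as the affected user; HKLM values need an elevated shell.
[CmdletBinding()]
param(
    [switch]$Fix,
    [switch]$Quiet,
    [string]$LogPath = "$env:TEMP\qf.log"
)

# Kind='Flag': a non-zero value is the lock (REG_DWORD policies).
# Kind='Presence': the value existing at all is the lock (the Wallpaper policy is a
# REG_SZ path, so a 0/1 test on it means nothing).
$policies = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Key="$policies\System";        Name='DisableTaskMgr';       Kind='Flag' }
    @{ Key="$policies\System";        Name='DisableRegistryTools'; Kind='Flag' }
    @{ Key="$policies\Explorer";      Name='NoRun';                Kind='Flag' }
    @{ Key="$policies\System";        Name='NoDispBackgroundPage'; Kind='Flag' }
    @{ Key="$policies\System";        Name='NoDispScrSavPage';     Kind='Flag' }
    @{ Key="$policies\ActiveDesktop"; Name='NoChangingWallPaper';  Kind='Flag' }
    @{ Key="$policies\System";        Name='Wallpaper';            Kind='Presence' }
)

$results = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($c in $checks) {
        $path = $hive + ':\' + $c.Key
        # A missing key and a missing value both come back as $null here, i.e. "not locked".
        $item    = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        $present = ($item -ne $null)
        $value   = if ($present) { $item.$($c.Name) } else { $null }
        $locked  = switch ($c.Kind) {
            'Flag'     { $present -and ("$value" -ne '0') }   # also catches a REG_SZ "1"
            'Presence' { $present }
        }
        $fixed = $false
        if ($locked -and $Fix) {
            try {
                # Deleting the value removes the policy outright, instead of leaving
                # a 0 behind that the next hijack can flip back to 1.
                Remove-ItemProperty -Path $path -Name $c.Name -ErrorAction Stop
                $fixed = $true
            } catch {
                # Typically HKLM without elevation; it stays reported as locked, not fixed.
            }
        }
        New-Object PSObject -Property @{
            Hive = $hive; Key = $c.Key; Name = $c.Name
            Value = $value; Locked = $locked; Fixed = $fixed
        }
    }
}

# 'full mode' prints every check, 'quiet mode' only the lockouts found
$report = if ($Quiet) { $results | Where-Object { $_.Locked } } else { $results }
$report | Select-Object Hive, Name, Value, Locked, Fixed | Format-Table -AutoSize

# Logging (item 3 on the original TO DO list): one line per lockout, appended.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
foreach ($r in ($results | Where-Object { $_.Locked })) {
    "$stamp $($r.Hive)\$($r.Key)\$($r.Name) = $($r.Value) fixed=$($r.Fixed)" |
        Out-File -FilePath $LogPath -Append
}

# Non-zero exit if anything is still locked, so the script can be chained in a batch of fixes.
if (@($results | Where-Object { $_.Locked -and -not $_.Fixed }).Count -gt 0) { exit 1 }
```

Run it once without switches to see the full list, then with -Fix from an elevated PowerShell so the HKLM copies can be removed too. Kill the scareware process first: a hijacker that is still running will simply write the policy back. On a domain-joined machine the HKLM values may be legitimate Group Policy rather than a hijack, so confirm with the owner before deleting them, and expect the Explorer restrictions (NoRun and friends) to take effect only after Explorer restarts or the user logs off and on.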
(12-10-2009 08:14 PM) GT4AWD wrote: Why use AHK though if you know C? I don't know C very well at all...

I wouldn't, I was just trying to say that it didn't sound like a very hard program to make.

(12-10-2009 11:41 PM) townsbg wrote: I know enough about C to confuse me when I can't get it to work.

I don't know that much. I could understand what's going on in the code though, since I am familiar with programming and have taken a look at a little C.

(12-10-2009 11:46 PM) no2pencil wrote: I was thinking we could make it a Technofyed release or something. *shrug* I was going to offer it for download on my website.

I'll PM you about that.

(12-11-2009 03:20 AM) no2pencil wrote: It may not be a bad idea to have an "option" or "settings" portion to the menu, & we could issue something like 'quiet mode' where it only tells you the things that are wrong, or 'full mode' where it lists "this is unlocked, this is locked".

I need to compile it and try it soon to try to come up with some suggestions. I will asap, although "asap" has been taking longer recently. Christmas break is coming up, so I should be able to get a lot done.
If you guys have any trouble compiling it, I can provide a link for downloading a current binary, as I make changes.
Sorry I never did anything with this. I've been pretty bad about following up on stuff. Did you do anything with this program?

I installed borland, but I couldn't figure out how to run it.
I've used it in the shop here & there, but it's more of an "I know I need to run this as a fix" tool than a troubleshooting tool. Also, the recent customers' machines have not been hit with registry-altering attacks as of late.
(08-21-2010 04:54 PM) RWenger wrote: I installed borland, but I couldn't figure out how to run it.
If I had a version number I could offer better assistance.
I followed the link you sent. 5.5
Assuming that you named the C file qf.c, put all the source code files into the same directory & issue:

Code:
bcc32 /tW qf.c

You may need to configure bcc32 to be global:
Just a note, we can add any Registry fixes to this project that you recommend, we could even have an .exe hosted for each fix, & just point the user at that program.
Thanks, I needed that link. I've never done any programming to speak of other than AHK.

Do I need to name the source files anything in particular? I gather that I have to name the header file qf.h, but what about the resource code file? (You can tell I've never compiled C++ applications before. Always happy to learn though.)
The source code file name doesn't matter, except for when you compile it. The header files must have the same name & relative path as in the include statement.
I got these warnings when compiling. Is this normal, or am I doing something wrong? I named the third file resource.c.

[attachment=67]