
钩取API应用实例【NtCreateFile】

2021-03-24 Windows程序

#include "stdafx.h"
#include <tchar.h>
#include <io.h>
#define STATUS_SUCCESS      (0x00000000L)   /* NT success status value */

/* NTSTATUS and the native structures below are re-declared by hand;
 * presumably the native headers (winternl.h / ntdef.h) are not included. */
typedef LONG NTSTATUS;

/* Counted wide string as used by the native API.
 * NOTE(review): in the Windows definition Length and MaximumLength are BYTE
 * counts and Buffer is not guaranteed to be NUL-terminated, so Length must
 * not be passed where a character count or a destination size is expected. */
typedef struct _LSA_UNICODE_STRING {
 USHORT Length;
 USHORT MaximumLength;
 PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

/* Hand-declared IO_STATUS_BLOCK. */
typedef struct _IO_STATUS_BLOCK
{
 union {
  NTSTATUS Status;
  PVOID Pointer;
 }DUMMYUNIONNAME;
 ULONG_PTR Infomation;   /* sic: the native field is spelled "Information"; only the name differs, layout is unchanged */
}IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

/* Hand-declared OBJECT_ATTRIBUTES; ObjectName->Buffer is the path that
 * NewZwCreateFile inspects. */
typedef struct _OBJECT_ATTRIBUTES
{
 ULONG Length;
 HANDLE RootDirectory;
 PUNICODE_STRING ObjectName;
 ULONG Attributes;
 PVOID SecurityDescriptor;
 PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* Function-pointer type matching the 11-argument NtCreateFile signature
 * (same parameter list as NewZwCreateFile below). */
typedef
NTSTATUS
(NTAPI
 *PFZWCREATEFILE)(
  OUT PHANDLE FileHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN PLARGE_INTEGER AllocationSize OPTIONAL,
  IN ULONG FileAttributes,
  IN ULONG ShareAccess,
  IN ULONG CreateDisposition,
  IN ULONG CreateOptions,
  IN PVOID EaBuffer OPTIONAL,
  IN ULONG EaLength
  );

/* Module and export name used by hook_by_code / unhook_by_code. Note the
 * macro is named "ZWCREATEFILE" but the string names the NtCreateFile export. */
#define DEF_NTDLL                       ("ntdll.dll")
#define DEF_ZWCREATEFILE    ("NtCreateFile")


// global variable (in sharing memory)
// NOTE(review): .SHARE is a writable, shared (RWS) section, so g_szProcName and
// suffix are a single copy visible to every process that maps this module.
// Any such process can modify them, so their contents should be treated as
// untrusted and bounds-checked wherever they are read or written.
#pragma comment(linker, "/SECTION:.SHARE,RWS")
#pragma data_seg(".SHARE")
TCHAR g_szProcName[MAX_PATH] = {0};   // last matched path, written by NewZwCreateFile (TCHAR is used with wcs* calls, so a UNICODE build is presumably assumed)
wchar_t suffix[MAXBYTE] = L"apeflacwavwvtakaac";   // concatenated extension list; NewZwCreateFile looks extensions up with wcsstr, i.e. a substring match
#pragma data_seg()

// Per-process (not shared) copy of the first 5 bytes of the patched export.
// unhook_by_code restores the export from it; presumably hook_by_code fills it
// from the DLL entry point, which is outside this listing.
BYTE g_pOrgBytes[5] = { 0, };

/**
 * Install an inline 5-byte patch (JMP rel32) on an exported function.
 *
 * Resolves szFuncName in the already-loaded module szDllName, saves the
 * function's first 5 bytes into pOrgBytes, then overwrites them with
 * `E9 <rel32>` so that calls to the export continue in pfnNew.
 *
 * @param szDllName  module name passed to GetModuleHandleA; the module must
 *                   already be loaded in this process
 * @param szFuncName export name passed to GetProcAddress
 * @param pfnNew     replacement routine the JMP transfers to
 * @param pOrgBytes  caller-owned buffer of at least 5 bytes; receives the
 *                   original bytes that unhook_by_code later needs
 * @return TRUE when the patch was written; FALSE when the export already
 *         starts with 0xE9 (treated as "already patched", nothing is changed).
 *
 * NOTE(review): the results of GetModuleHandleA/GetProcAddress and of both
 * VirtualProtect calls are not checked; a missing module or export makes
 * pByte NULL and the read of pByte[0] faults. The displacement arithmetic
 * goes through DWORD, which only holds a pointer on a 32-bit build.
 */
BOOL hook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew, PBYTE pOrgBytes)
{
 FARPROC pfnOrg;
 DWORD dwOldProtect, dwAddress;
 BYTE pBuf[5] = { 0xE9, 0, };   /* 0xE9 = JMP rel32; the 4-byte displacement is filled in below */
 PBYTE pByte;

pfnOrg = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);   /* NULL if the module or export is absent (unchecked) */
 pByte = (PBYTE)pfnOrg;

if (pByte[0] == 0xE9)
 {
  return FALSE;   /* first byte is already a JMP: assume a patch is in place and leave it alone */
 }
 VirtualProtect((LPVOID)pfnOrg, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);   /* make the code page writable; return value unchecked */

memcpy(pOrgBytes, pfnOrg, 5);   /* keep the original bytes so unhook_by_code can restore them */

dwAddress = (DWORD)pfnNew - (DWORD)pfnOrg - 5;   /* rel32 is relative to the end of the 5-byte JMP */
 memcpy(&pBuf[1], &dwAddress, 4);

memcpy(pfnOrg, pBuf, 5);   /* overwrite the function entry with the JMP */
 
 VirtualProtect((LPVOID)pfnOrg, 5, dwOldProtect, &dwOldProtect);   /* restore the previous page protection */
 return TRUE;
}


/**
 * Remove an inline patch installed by hook_by_code.
 *
 * Resolves szFuncName in module szDllName and, if its first byte is a
 * JMP (0xE9), copies the 5 saved bytes from pOrgBytes back over the entry.
 *
 * @param szDllName  module name passed to GetModuleHandleA
 * @param szFuncName export name passed to GetProcAddress
 * @param pOrgBytes  the 5 bytes previously saved by hook_by_code
 * @return TRUE when the original bytes were written back; FALSE when the
 *         export does not start with 0xE9 (nothing is changed).
 *
 * NOTE(review): as in hook_by_code, a NULL result from GetProcAddress is
 * not checked before pByte[0] is read, and the VirtualProtect results are
 * ignored. The 0xE9 test only tells that *some* JMP is there, not that it
 * is this module's patch.
 */
BOOL unhook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PBYTE pOrgBytes)
{
 FARPROC pFunc;
 DWORD dwOldProtect;
 PBYTE pByte;

pFunc = GetProcAddress(GetModuleHandleA(szDllName), szFuncName);   /* NULL if the module or export is absent (unchecked) */
 pByte = (PBYTE)pFunc;

if (pByte[0] != 0xE9)
  return FALSE;   /* no JMP at the entry: nothing to restore */

VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);   /* make the code page writable; return value unchecked */

memcpy(pFunc, pOrgBytes, 5);   /* put the saved original bytes back */

VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);   /* restore the previous page protection */

return TRUE;
}

NTSTATUS WINAPI NewZwCreateFile(
 OUT PHANDLE FileHandle,
 IN ACCESS_MASK DesiredAccess,
 IN POBJECT_ATTRIBUTES ObjectAttributes,
 OUT PIO_STATUS_BLOCK IoStatusBlock,
 IN PLARGE_INTEGER AllocationSize OPTIONAL,
 IN ULONG FileAttributes,
 IN ULONG ShareAccess,
 IN ULONG CreateDisposition,
 IN ULONG CreateOptions,
 IN PVOID EaBuffer OPTIONAL,
 IN ULONG EaLength
 )
{
 NTSTATUS status;
 FARPROC pFunc;

wchar_t szProcName[MAX_PATH] = { 0, };
 unhook_by_code(DEF_NTDLL, DEF_ZWCREATEFILE, g_pOrgBytes);
 

if (ObjectAttributes&&ObjectAttributes->ObjectName&&ObjectAttributes->ObjectName->Length)
 {
  wcscpy_s(szProcName, ObjectAttributes->ObjectName->Length, ObjectAttributes->ObjectName->Buffer);
  wchar_t*p = wcsrchr(szProcName, ‘\\‘);
  if (p)
  {
   p = wcsrchr(p, ‘.‘);
   if (p)
   {
    if (wcscmp(p+1, L"cue") == 0)
    {
     wcscpy_s(g_szProcName, wcslen(szProcName)*sizeof(wchar_t), szProcName);
    }
    else if(wcsstr(suffix,p+1)!=NULL)
    {
     WIN32_FIND_DATA FindFileData;
     HANDLE hFind;

hFind = FindFirstFile(wcsrchr(szProcName, ‘:‘)-1, &FindFileData);
     
     if (hFind == INVALID_HANDLE_VALUE)
     {
      CloseHandle(hFind);
   
      if (wcslen(g_szProcName))
      {
       wchar_t *p2 = wcsrchr(g_szProcName, ‘.‘);
       if (p2)
       {
        wcscpy_s(p2 + 1, wcslen(p + 1)*sizeof(wchar_t), p + 1);
        p2[wcslen(p + 1) + 1] = 0;
