//////////////////////////////////////////////////////////////////////////
// 文件:360safe驱动部分源码
// 作者:doskey
// Email:doskey_lee(at)sohu.com
// 日期:2006-08-30
// 免责声明:此文件是由逆向分析取得,只可用于学习研究之用途。本人
// 对他人使用本文件中的代码所引起的后果概不负责。
//////////////////////////////////////////////////////////////////////////
#include "precomp.h"
#pragma hdrstop
//////////////////////////////////////////////////////////////////////////
// 全局变量
//////////////////////////////////////////////////////////////////////////
// OS generation recorded by PnpGetVersion: 1 for NT 5.0 (Windows 2000),
// 2 for NT 5.1 (Windows XP), otherwise left at its zero initial value.
// Read by PnpDelKey to decide whether to recurse with PnpDelAll.
static DWORD g_dwVersion;
// Set TRUE by PnpDriverReinitialize once \SystemRoot could be opened and the
// cleanup ran. Nothing in this file reads it back.
static BOOL g_bFlag;
//////////////////////////////////////////////////////////////////////////
// 函数声明
//////////////////////////////////////////////////////////////////////////
NTSYSAPI
NTSTATUS
ZwDeleteFile(
POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
ZwDeleteValueKey(
HANDLE KeyHandle,
PUNICODE_STRING ValueName
);
VOID PnpGetVersion();
VOID PnpDelHoodlumKey();
NTSTATUS
PnpDispatch(
PDEVICE_OBJECT pDeviceObject,
PIRP pIrp
);
VOID
PnpDriverReinitialize(
PDRIVER_OBJECT pDriverObject,
PVOID pContext,
ULONG nCount
);
VOID PnpDelKey(PCWSTR pwszRegistry);
VOID
PnpDelValue(
PCWSTR pwszRegistryPath,
PCWSTR pwszValueName
);
VOID PnpDelSubKey(PCWSTR pwszRegistryPath);
NTSTATUS PnpDelAll(PCWSTR pwszRegistryPath);
BOOLEAN TestSystemRoot();
//////////////////////////////////////////////////////////////////////////
// 函数定义
//////////////////////////////////////////////////////////////////////////
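// Driver entry point.
//
// Records the OS version, removes the Services keys of the listed drivers,
// claims a fixed set of device names (with matching \DosDevices links) and
// registers PnpDriverReinitialize to finish the cleanup once \SystemRoot is
// reachable. Fails with STATUS_UNSUCCESSFUL when \Device\Bdguard already
// exists, i.e. when another driver holds that name.
//
// pDriverObject : this driver's object; receives the CREATE/CLOSE dispatch.
// pRegistryPath : unused.
// Returns STATUS_SUCCESS or STATUS_UNSUCCESSFUL as described above.
NTSTATUS
DriverEntry(
PDRIVER_OBJECT pDriverObject,
PUNICODE_STRING pRegistryPath
)
// 00011228
{
    // Device names claimed by this driver, each paired with its symbolic link.
    // The names coincide with the Services keys removed by PnpDelHoodlumKey;
    // NOTE(review): holding them presumably prevents those drivers from
    // creating their own device objects — inferred from the names, confirm.
    static const struct
    {
        PCWSTR pwszDevice;
        PCWSTR pwszLink;
    } DeviceTable[] =
    {
        { L"\\Device\\Bdguard",  L"\\DosDevices\\Bdguard"  },
        { L"\\Device\\adsrsvc",  L"\\DosDevices\\adsrsvc"  },
        { L"\\Device\\CnsMinKP", L"\\DosDevices\\CnsMinKP" },
        { L"\\Device\\Anfad",    L"\\DosDevices\\Anfad"    },
        { L"\\Device\\abhcop",   L"\\DosDevices\\abhcop"   },
        { L"\\Device\\Albus",    L"\\DosDevices\\Albus"    },
        { L"\\Device\\asehoest", L"\\DosDevices\\asehoest" },
    };
    NTSTATUS ntStatus;
    UNICODE_STRING ustrDeviceName;
    UNICODE_STRING ustrSymbolicLinkName;
    PDEVICE_OBJECT pDeviceObject = NULL;
    PDEVICE_OBJECT pTargetDeviceObject = NULL;
    PFILE_OBJECT pFileObject = NULL;
    ULONG i;

    UNREFERENCED_PARAMETER(pRegistryPath);

    PnpGetVersion();
    PnpDelHoodlumKey();

    // Probe for an existing \Device\Bdguard. If the open succeeds somebody
    // else owns the name: release the file object reference and refuse to load.
    RtlInitUnicodeString(&ustrDeviceName, L"\\Device\\Bdguard");
    ntStatus = IoGetDeviceObjectPointer(
        &ustrDeviceName,
        1, // FILE_READ_DATA
        &pFileObject,
        &pTargetDeviceObject
    );
    if (NT_SUCCESS(ntStatus))
    {
        ObfDereferenceObject(pFileObject);
        return STATUS_UNSUCCESSFUL;
    }
    // loc_11277
    pDriverObject->MajorFunction[IRP_MJ_CREATE] =
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = PnpDispatch;

    for (i = 0; i < sizeof(DeviceTable) / sizeof(DeviceTable[0]); i++)
    {
        RtlInitUnicodeString(&ustrDeviceName, DeviceTable[i].pwszDevice);
        ntStatus = IoCreateDevice(
            pDriverObject,
            0,
            &ustrDeviceName,
            FILE_DEVICE_UNKNOWN,
            FILE_DEVICE_SECURE_OPEN,
            FALSE,
            &pDeviceObject
        );
        // Creation stays best-effort (the original ignored the status), but a
        // link is only created for a device that actually exists; the original
        // could leave a \DosDevices link pointing at a name that was never created.
        if (!NT_SUCCESS(ntStatus))
        {
            continue;
        }
        RtlInitUnicodeString(&ustrSymbolicLinkName, DeviceTable[i].pwszLink);
        IoCreateSymbolicLink(&ustrSymbolicLinkName, &ustrDeviceName);
    }
    // 00011419
    IoRegisterDriverReinitialization(
        pDriverObject,
        PnpDriverReinitialize,
        NULL
    );
    return STATUS_SUCCESS;
}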
// Classify the running kernel into g_dwVersion: 1 for NT 5.0 (Windows 2000),
// 2 for NT 5.1 (Windows XP). Any other version leaves g_dwVersion untouched.
VOID PnpGetVersion()
// 000104A6
{
    DWORD dwMajorVersion = 0;
    DWORD dwMinorVersion = 0;
    DWORD dwBuildNumber = 0;

    PsGetVersion(
        &dwMajorVersion,
        &dwMinorVersion,
        &dwBuildNumber,
        NULL
    );

    // Only the 5.x family is distinguished; the build number is not used.
    if (dwMajorVersion != 5)
    {
        // locret_104E9
        return;
    }
    switch (dwMinorVersion)
    {
    case 0:
        g_dwVersion = 1;
        break;
    case 1:
        // loc_104D9
        g_dwVersion = 2;
        break;
    default:
        break;
    }
}
// Remove the Services registry keys of the listed drivers via PnpDelKey.
// Called from DriverEntry and again from PnpDriverReinitialize once
// \SystemRoot is reachable.
VOID PnpDelHoodlumKey()
// 00010D62
{
    static const PCWSTR ServiceKeyTable[] =
    {
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Cdnprot",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\cnsminkp",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Bdguard",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Albus",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\asehoest",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\CDNTRAN",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\adsrsvc",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Anfad",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\abhcop",
        L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\rfsafe",
    };
    ULONG i;

    // Same order as the original straight-line calls.
    for (i = 0; i < sizeof(ServiceKeyTable) / sizeof(ServiceKeyTable[0]); i++)
    {
        PnpDelKey(ServiceKeyTable[i]);
    }
}
// IRP_MJ_CREATE / IRP_MJ_CLOSE handler for the devices created in DriverEntry.
// Every request is completed successfully without further processing, so the
// claimed device names can be opened and closed but do nothing.
//
// pDeviceObject : unused.
// pIrp          : the request to complete.
// Returns STATUS_SUCCESS.
NTSTATUS
PnpDispatch(
PDEVICE_OBJECT pDeviceObject,
PIRP pIrp
)
// 00010486
{
    const NTSTATUS ntStatus = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pDeviceObject);

    pIrp->IoStatus.Status = ntStatus;
    IofCompleteRequest(pIrp, IO_NO_INCREMENT);
    return ntStatus;
}
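// Driver reinitialization callback registered by DriverEntry.
//
// Until \SystemRoot can be opened (TestSystemRoot) the routine re-registers
// itself and returns. Once it is reachable it sets g_bFlag, removes the
// Services keys again and deletes the listed driver files from
// \SystemRoot\system32\drivers. File deletion is best-effort: ZwDeleteFile
// failures are not reported, matching the original code.
//
// pDriverObject : this driver's object, used to re-register.
// pContext      : unused (NULL is passed at registration).
// nCount        : unused.
VOID PnpDriverReinitialize(
PDRIVER_OBJECT pDriverObject,
PVOID pContext,
ULONG nCount
)
// 00010F0C
{
    static const PCWSTR FileTable[] =
    {
        L"\\SystemRoot\\system32\\drivers\\fad.sys",
        L"\\SystemRoot\\system32\\drivers\\anfad.sys",
        L"\\SystemRoot\\system32\\drivers\\abhcop.sys",
        L"\\SystemRoot\\system32\\drivers\\Albus.sys",
    };
    UNICODE_STRING ustrPathName;
    OBJECT_ATTRIBUTES ObjAttribute;
    ULONG i;

    UNREFERENCED_PARAMETER(pContext);
    UNREFERENCED_PARAMETER(nCount);

    // \SystemRoot is not available yet: ask to be called again after the
    // next round of driver initialization.
    if (!TestSystemRoot())
    {
        IoRegisterDriverReinitialization(
            pDriverObject,
            PnpDriverReinitialize,
            NULL
        );
        return;
    }
    // loc_10F32
    g_bFlag = TRUE;
    PnpDelHoodlumKey();

    for (i = 0; i < sizeof(FileTable) / sizeof(FileTable[0]); i++)
    {
        RtlInitUnicodeString(&ustrPathName, FileTable[i]);
        // 0x240 == OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE
        InitializeObjectAttributes(&ObjAttribute, &ustrPathName, 0x240, 0, 0);
        ZwDeleteFile(&ObjAttribute);
    }
}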
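// Tear down one Services key: delete its ImagePath and Start values, its
// Enum, Security and modules subkeys, then the key itself, and on NT 5.1
// (g_dwVersion == 2) walk and delete the whole remaining subtree with
// PnpDelAll. Every step is best-effort; nothing is reported to the caller.
//
// pwszRegistry : NUL-terminated full registry path of the key; NULL is ignored.
VOID PnpDelKey(PCWSTR pwszRegistry)
// 000107C2
{
    // Scratch buffer for "<key>\<subkey>" paths. The original allocated
    // 0x400 / sizeof(WCHAR) bytes but then zeroed 0x400 bytes, overrunning the
    // pool block; size, clear and bound-check the same number of bytes here.
    const size_t cbBuff = 0x400;
    const size_t cchBuff = cbBuff / sizeof(WCHAR);
    static const PCWSTR SubKeyTable[] = { L"Enum", L"Security", L"modules" };
    PWCHAR pBuff;
    size_t cchRegistry;
    ULONG i;

    if (pwszRegistry == NULL)
    {
        return;
    }
    cchRegistry = wcslen(pwszRegistry);

    pBuff = ExAllocatePool(NonPagedPool, cbBuff);
    if (pBuff == NULL)
    {
        return;
    }

    PnpDelValue(pwszRegistry, L"ImagePath");
    PnpDelValue(pwszRegistry, L"Start");

    for (i = 0; i < sizeof(SubKeyTable) / sizeof(SubKeyTable[0]); i++)
    {
        // key + '\' + subkey + NUL must fit; skip rather than overflow.
        if (cchRegistry + 1 + wcslen(SubKeyTable[i]) + 1 > cchBuff)
        {
            continue;
        }
        RtlZeroMemory(pBuff, cbBuff);
        swprintf(pBuff, L"%s\\%s", pwszRegistry, SubKeyTable[i]);
        PnpDelSubKey(pBuff);
    }
    ExFreePool(pBuff);

    PnpDelSubKey(pwszRegistry);
    // ZwDeleteKey only removes a key without children; on 5.1 the subtree is
    // walked recursively so the key goes away even when other subkeys remain.
    if (g_dwVersion == 2)
    {
        PnpDelAll(pwszRegistry);
    }
    // loc_10899
}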
// Delete a single value from a registry key. The key is opened with
// KEY_ALL_ACCESS; if the open fails nothing is done. The delete itself is
// best-effort and its status is discarded.
//
// pwszRegistryPath : full registry path of the key.
// pwszValueName    : name of the value to remove.
//
// NOTE(review): the key is opened with attributes 0, i.e. without
// OBJ_KERNEL_HANDLE (the file opens in this file use 0x240), so the handle
// lands in the current process's handle table. That is acceptable only while
// this is reached from DriverEntry / the reinitialization callback — confirm.
VOID
PnpDelValue(
PCWSTR pwszRegistryPath,
PCWSTR pwszValueName
)
// 000106F0
{
    UNICODE_STRING ustrRegistryPath;
    UNICODE_STRING ustrValueName;
    OBJECT_ATTRIBUTES ObjAttribute;
    HANDLE hKey = NULL;

    RtlInitUnicodeString(&ustrRegistryPath, pwszRegistryPath);
    InitializeObjectAttributes(&ObjAttribute, &ustrRegistryPath, 0, 0, 0);
    // 0x0F003F == KEY_ALL_ACCESS
    if (!NT_SUCCESS(ZwOpenKey(&hKey, 0x0F003F, &ObjAttribute)))
    {
        // loc_10759
        return;
    }
    RtlInitUnicodeString(&ustrValueName, pwszValueName);
    ZwDeleteValueKey(hKey, &ustrValueName);
    ZwClose(hKey);
}
// Delete one registry key (no recursion). The key is opened with
// KEY_ALL_ACCESS; if the open fails nothing is done, and the status of
// ZwDeleteKey is discarded.
//
// pwszRegistryPath : full registry path of the key to delete.
//
// NOTE(review): opened with attributes 0 (no OBJ_KERNEL_HANDLE), like
// PnpDelValue; fine from DriverEntry / reinitialization context — confirm.
VOID PnpDelSubKey(PCWSTR pwszRegistryPath)
// 0001068E
{
    UNICODE_STRING ustrRegistryPath;
    OBJECT_ATTRIBUTES ObjAttribute;
    HANDLE hKey = NULL;

    RtlInitUnicodeString(&ustrRegistryPath, pwszRegistryPath);
    InitializeObjectAttributes(&ObjAttribute, &ustrRegistryPath, 0, 0, 0);
    // 0x0F003F == KEY_ALL_ACCESS
    if (!NT_SUCCESS(ZwOpenKey(&hKey, 0x0F003F, &ObjAttribute)))
    {
        // locret_106E7
        return;
    }
    ZwDeleteKey(hKey);
    ZwClose(hKey);
}
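// Recursively delete a registry key and everything beneath it.
//
// Opens the key with KEY_ALL_ACCESS, enumerates its subkeys, recurses into
// each one and finally deletes the key itself.
//
// pwszRegistryPath : NUL-terminated full registry path of the key.
// Returns STATUS_INVALID_PARAMETER for a NULL path,
//         STATUS_INSUFFICIENT_RESOURCES when the scratch block cannot be
//         allocated, otherwise the status of ZwOpenKey or, when the key was
//         opened, of the final ZwDeleteKey.
NTSTATUS PnpDelAll(PCWSTR pwszRegistryPath)
{
    // One pool block serves two purposes:
    //   [0, cbInfo)       KEY_BASIC_INFORMATION filled by ZwEnumerateKey
    //   [cbInfo, cbBuff)  the child path "<parent>\<name>" handed to the recursion
    // The original let ZwEnumerateKey write up to 0x800 bytes into the same
    // block whose tail it then used for the path, so a long name could be
    // overwritten before it was read; the two regions are kept apart here.
    const ULONG cbBuff = 0x800;
    const ULONG cbInfo = 0x400;
    const size_t cchChild = (cbBuff - cbInfo) / sizeof(WCHAR);
    NTSTATUS ntStatus;
    PBYTE pBuff;
    PKEY_BASIC_INFORMATION pInfo;
    PWCHAR pwszChild;
    DWORD dwIndex = 0;
    DWORD dwResultLength = 0;
    size_t cchParent;
    size_t cchName;
    UNICODE_STRING ustrRegistryPath;
    OBJECT_ATTRIBUTES ObjAttribute;
    HANDLE hKey = NULL;

    if (pwszRegistryPath == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }
    cchParent = wcslen(pwszRegistryPath);

    pBuff = ExAllocatePool(NonPagedPool, cbBuff);
    if (pBuff == NULL)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    // loc_105BB
    RtlZeroMemory(pBuff, cbBuff);
    pInfo = (PKEY_BASIC_INFORMATION)pBuff;
    pwszChild = (PWCHAR)(pBuff + cbInfo);

    RtlInitUnicodeString(&ustrRegistryPath, pwszRegistryPath);
    InitializeObjectAttributes(&ObjAttribute, &ustrRegistryPath, 0, 0, 0);
    // 0x0F003F == KEY_ALL_ACCESS
    ntStatus = ZwOpenKey(&hKey, 0x0F003F, &ObjAttribute);
    if (NT_SUCCESS(ntStatus))
    {
        // loc_1060C: walk the children until enumeration runs out.
        // Deleting child dwIndex shifts the later children down one slot, so
        // the index only advances when a child could NOT be removed. The
        // original advanced unconditionally and therefore skipped every other
        // child, leaving the parent undeletable.
        for (;;)
        {
            // 0 == KeyBasicInformation
            ntStatus = ZwEnumerateKey(hKey, dwIndex, 0, pInfo, cbInfo, &dwResultLength);
            if (!NT_SUCCESS(ntStatus))
            {
                // STATUS_NO_MORE_ENTRIES (or a real failure) ends the walk.
                break;
            }
            // KEY_BASIC_INFORMATION.Name is NameLength bytes and NOT
            // NUL-terminated, so the child path is assembled by length
            // rather than with a %s format (the original relied on %s and
            // could read stale bytes left by a longer earlier name).
            cchName = pInfo->NameLength / sizeof(WCHAR);
            if (cchParent + 1 + cchName + 1 > cchChild)
            {
                // Too long to address; leave this child and move on.
                dwIndex++;
                continue;
            }
            RtlZeroMemory(pwszChild, cbBuff - cbInfo);
            wcscpy(pwszChild, pwszRegistryPath);
            pwszChild[cchParent] = L'\\';
            memcpy(pwszChild + cchParent + 1, pInfo->Name, pInfo->NameLength);
            pwszChild[cchParent + 1 + cchName] = L'\0';

            if (!NT_SUCCESS(PnpDelAll(pwszChild)))
            {
                dwIndex++;
            }
        }
        // 00010662
        ntStatus = ZwDeleteKey(hKey);
        ZwClose(hKey);
    }
    // loc_10677
    ExFreePool(pBuff);
    return ntStatus;
}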
// Report whether the \SystemRoot directory can be opened yet. Used by
// PnpDriverReinitialize to decide whether the file system is far enough
// along in boot for the driver-file deletions to be attempted.
//
// Returns TRUE when ZwCreateFile(FILE_OPEN) on \SystemRoot succeeds
// (the handle is closed immediately), FALSE otherwise.
BOOLEAN TestSystemRoot()
{
    NTSTATUS ntStatus;
    UNICODE_STRING ustrFileName;
    OBJECT_ATTRIBUTES ObjAttribute;
    IO_STATUS_BLOCK IoStatusBlock;
    HANDLE hFile = NULL;

    RtlInitUnicodeString(&ustrFileName, L"\\SystemRoot");
    // 0x240 == OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE
    InitializeObjectAttributes(&ObjAttribute, &ustrFileName, 0x240, 0, 0);
    // 0x100080 == FILE_READ_ATTRIBUTES | SYNCHRONIZE: open the directory
    // without touching its contents.
    ntStatus = ZwCreateFile(
        &hFile,
        0x100080,
        &ObjAttribute,
        &IoStatusBlock,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
    );
    if (!NT_SUCCESS(ntStatus))
    {
        return FALSE;
    }
    ZwClose(hFile);
    return TRUE;
}