/*
	360AntiARP.C
	Author: <your name>
	Last Updated: 2007-07-06

	This framework is generated by EasySYS 0.3.0 Modify
	This template file is copied from QuickSYS 0.3.0 written by Chunhua Liu
	//=============================================
	Modified by PLK_XiaoWei[0GiNr]
	http://www.0GiNr.com
	//=============================================
*/
/* Select the NDIS 4.0 binding in ndis.h; must be defined before that header is pulled in. */
#define NDIS40	1

#include "360AntiARP.h"    
#include "dbghelp.h"
#include <ntddk.h>

#include <ndis.h>
/* Exported kernel variable; non-zero when the system was started in safe mode. */
extern PULONG InitSafeBootMode;

/* Win32-style aliases for use with the hand-copied PE structures below.
 * NOTE(review): BOOL is aliased to BOOLEAN (one byte) here, while "windef.h", included
 * further down, also defines BOOL/DWORD/WORD/BYTE (BOOL as int in the SDK header). If that
 * include is the SDK header the two definitions conflict — TODO confirm which windef.h is meant. */
 typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
typedef unsigned long ULONG;
typedef unsigned short WORD;
typedef unsigned char BYTE;
/* IOCTL codes understood by DispatchIoctl (defined later in the file).
 * NOTE(review): the first four are hexadecimal (0x222000..0x22200C) but the last four lack the
 * 0x prefix and are therefore decimal (222020 == 0x36344), and IOCTL_DISPATCH_KILL,
 * IOCTL_DISPATCH_SetNPF_WriteHooked and IOCTL_DISPATCH_SetNPF_WriteUnHooked all expand to the
 * same value, so a switch on the control code cannot distinguish them — TODO confirm the
 * intended values against the user-mode caller. */
#define IOCTL_DISPATCH0	0x222000
#define IOCTL_DISPATCH1	0x222004
#define IOCTL_DISPATCH2	0x222008
#define IOCTL_DISPATCH3	0x22200C
#define IOCTL_DISPATCH_KILL 222020
#define IOCTL_DISPATCH_SetNPF_WriteHooked 222020
#define IOCTL_DISPATCH_SetNPF_WriteUnHooked 222020
#define IOCTL_DISPATCH_SetMac 222010

/* Kernel-exported object-type pointers, needed when opening process/thread objects by pointer. */
__declspec(dllimport) POBJECT_TYPE* PsProcessType;
__declspec(dllimport) POBJECT_TYPE* PsThreadType;
/* Presumably the CR0 value saved before toggling write protection; it is not assigned in this chunk. */
ULONG OldCr0;
/* Export and module names this driver resolves at run time.
 * NOTE(review): file-scope identifiers beginning with '_' (and '_' + uppercase anywhere) are
 * reserved for the C implementation. */
const static UCHAR * _FunctionName = "NdisRegisterProtocol";
const static UCHAR * _Mod1Name = "NDIS.SYS";
const static WCHAR * _Mod2Name = L"TCPIP.SYS";
const static WCHAR * _ModPath = L"\\SystemRoot\\system32\\drivers\\tcpip.sys";
/* Signature of NdisRegisterProtocol (status out, handle out, characteristics, size). */
typedef VOID (__stdcall * NDIS_REGISTER_PROTOCOL) (PNDIS_STATUS, PNDIS_HANDLE, 
				PNDIS_PROTOCOL_CHARACTERISTICS,	UINT);

/* Function-pointer type for the ARP receive-indication handler that is hooked; the meaning of
 * the nine parameters is not documented in this chunk — see the call site before relying on it. */
typedef NDIS_STATUS (__stdcall * ARP_RCV_INDICATION_NEW)(NDIS_HANDLE, NDIS_HANDLE,
				PVOID, ULONG, PVOID, ULONG, ULONG, ULONG, ULONG);
/*
 * Hand-written prototypes for native-API routines that the DDK headers of this era do not
 * declare (or declare differently). They are resolved by name against ntoskrnl.lib, so the
 * parameter types only have to be ABI-compatible with the real exports on 32-bit x86.
 */

/* Initialises a kernel APC object for `thread`; `ker_routine` runs in kernel mode when the APC
 * is delivered, `rd_routine` on thread rundown, `nor_routine` in the mode given by `mode`. */
extern
void
NTSYSAPI
KeInitializeApc
(
	struct _KAPC *Apc, 
	PKTHREAD thread,
	unsigned char state_index,
	PKKERNEL_ROUTINE ker_routine,
	PKRUNDOWN_ROUTINE rd_routine,
	PKNORMAL_ROUTINE nor_routine,
	unsigned char mode,
	void *context
);

/* Forward declaration of the KKERNEL_ROUTINE defined later in this file. */
void KillThreadApcRoutine
(
	IN struct _KAPC *Apc,
	IN OUT PKNORMAL_ROUTINE *NormalRoutine,
	IN OUT PVOID *NormalContext,
	IN OUT PVOID *SystemArgument1,
	IN OUT PVOID *SystemArgument2
);


/* Queues an initialised APC to its thread.
 * NOTE(review): the kernel's KeInsertQueueApc returns BOOLEAN and takes a KPRIORITY increment as
 * the last argument; this declaration uses void / unsigned char. Harmless under __stdcall when
 * the result is ignored, but the success/failure result is not observable through this prototype. */
extern
void
NTSYSAPI
KeInsertQueueApc
(
	struct _KAPC *APC,
	void *SysArg1,
	void *SysArg2,
	unsigned char arg4
);


/* Look up a process / thread object by id. Declared with DWORD ids and PVOID out-pointers instead
 * of HANDLE / PEPROCESS / PETHREAD; same size on 32-bit. On success the returned object carries a
 * reference the caller must drop with ObDereferenceObject. */
extern
NTSTATUS 
NTSYSAPI
PsLookupProcessByProcessId( DWORD Pid, PVOID* eproc);

extern
NTSTATUS 
NTSYSAPI
PsLookupThreadByThreadId( DWORD Tid, PVOID* ethread);

extern
NTSTATUS 
NTSYSAPI
NtOpenProcess
( 
	OUT PHANDLE ProcessHandle,    
	IN ACCESS_MASK DesiredAccess,    
	IN POBJECT_ATTRIBUTES ObjectAttributes,    
	IN PCLIENT_ID ClientId OPTIONAL
);

/* Creates a handle for an object that is already referenced by pointer. */
NTKERNELAPI
NTSTATUS
ObOpenObjectByPointer
(
	IN PVOID Object,
	IN ULONG HandleAttributes,
	IN PACCESS_STATE PassedAccessState OPTIONAL,
	IN ACCESS_MASK DesiredAccess OPTIONAL,
	IN POBJECT_TYPE ObjectType OPTIONAL,
	IN KPROCESSOR_MODE AccessMode,
	OUT PHANDLE Handle
);

/* Zw* variants of the terminate calls: unlike Nt*, they do not treat the handle as coming from
 * user mode, so kernel handles (including the -1 pseudo-handle) are accepted. */
extern
NTSTATUS 
NTSYSAPI
ZwTerminateProcess
( 
	HANDLE ProcessHandle,    
	NTSTATUS ExitCode
);


extern
NTSTATUS 
NTSYSAPI
ZwTerminateThread
( 
	HANDLE ThreadHandle,    
	NTSTATUS ExitCode
);



/* Driver-global scratch state shared by the hooks. What each _ulN holds is not visible in this
 * chunk; treat them as opaque until the assigning code is read.
 * NOTE(review): file-scope identifiers beginning with '_' are reserved for the C implementation. */
ULONG	_ulB	= 0;
/* Presumably the saved CR0 (a second copy exists as OldCr0 above) — TODO confirm which one is used. */
ULONG	_oldCR0	= 0;

ULONG	_ul2	= 0;
ULONG	_ul3	= 0;
ULONG	_ul4	= 0;
/* align 8 */
ULONG	_ul5	= 0;
ULONG	_ul6	= 0;

ULONG	_ul9	= 0;

/* Six bytes — MAC-address sized; its role is not visible here. Not zero-initialised explicitly
 * (file-scope objects are zeroed anyway). */
UCHAR	_ch[6];
ULONG	_ul1	= 0;
ULONG	_ul7	= 0;
ULONG	_ul8	= 0;

/* Must be initialised with KeInitializeSpinLock before first use; the initialisation is not in this chunk. */
KSPIN_LOCK	_SpinLock;

ULONG	_ulA	= 0;
ULONG	_ulC	= 0;

#include "ntifs.h"




#include "windef.h"

/* Gateway MAC address (6 bytes); presumably written by the SetMac IOCTL path — TODO confirm. */
UCHAR MacGateWay[6];





/* PE image signatures. IMAGE_NT_SIGNATURE1 (0x00004550) is the value winnt.h uses for "PE\0\0" read
 * as a little-endian DWORD; IMAGE_NT_SIGNATURE here is the byte-swapped form — check which one the
 * header-walking code compares against before trusting a match. */
#define IMAGE_DOS_SIGNATURE        0x5A4D      // MZ
#define IMAGE_NT_SIGNATURE      0x50450000  // PE00
#define IMAGE_NT_SIGNATURE1        0x00004550    // 00EP

/*
 * Minimal mirror of the winnt.h PE structures (DOS header, COFF file header, 32-bit optional
 * header, NT headers), kept here because the kernel headers this driver builds against do not
 * provide them. Layouts are the standard PE32 ones; nothing in this chunk walks them, so which
 * fields are actually used (e.g. the export directory via DataDirectory[0]) must be checked at
 * the call site.
 * NOTE(review): "windef.h" is included above; if that is the SDK header it drags in winnt.h and
 * these typedefs would be redefinitions — TODO confirm it is a local copy.
 */
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header (offset of IMAGE_NT_HEADERS)
  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;


/* COFF file header that follows the PE signature. */
typedef struct _IMAGE_FILE_HEADER {
    WORD    Machine;
    WORD    NumberOfSections;
    DWORD   TimeDateStamp;
    DWORD   PointerToSymbolTable;
    DWORD   NumberOfSymbols;
    WORD    SizeOfOptionalHeader;
    WORD    Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

/* One entry of the optional header's data directory: RVA and size of a table. */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD   VirtualAddress;
    DWORD   Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES    16

//
// Optional header format.
//

/* PE32 (32-bit) optional header; the PE32+ layout differs and is not modelled here. */
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //

    WORD    Magic;
    BYTE    MajorLinkerVersion;
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;
    DWORD   SizeOfInitializedData;
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;
    DWORD   BaseOfCode;
    DWORD   BaseOfData;

    //
    // NT additional fields.
    //

    DWORD   ImageBase;
    DWORD   SectionAlignment;
    DWORD   FileAlignment;
    WORD    MajorOperatingSystemVersion;
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;
    DWORD   SizeOfImage;
    DWORD   SizeOfHeaders;
    DWORD   CheckSum;
    WORD    Subsystem;
    WORD    DllCharacteristics;
    DWORD   SizeOfStackReserve;
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;
    DWORD   NumberOfRvaAndSizes;    // number of valid DataDirectory entries; check before indexing
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

/* "PE\0\0" signature followed by the file and optional headers. */
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef IMAGE_NT_HEADERS32                  IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32                 PIMAGE_NT_HEADERS;
/* Size of the fixed ARP prefix (hardware type, protocol type, address lengths, opcode) = 8 bytes. */
#define ARP_HDRLEN	8


/* EtherType values as they appear in the 14-byte Ethernet header (host order; byte-swap when
 * comparing against a raw frame). */
#define ETHERNET_FRAME_TYPE_INVALID		0xFFFF		// Invalid Ethernet Frame
#define ETHERNET_FRAME_TYPE_TCPIP		0x0800		// TCP/IP Protocol
#define ETHERNET_FRAME_TYPE_PUP			0x0200		// PUP Protocol
#define ETHERNET_FRAME_TYPE_ARP			0x0806		// ARP protocol
#define ETHERNET_FRAME_TYPE_RARP		0x8035		// RARP Protocol
/* 28-byte Ethernet/IPv4 ARP body. NOTE(review): this is one of three ARP layouts in the file
 * (see ARP_PACKET below and ARPHEADR further down); the trailing `arp_head, *parp_head` are
 * global objects, not type names — a `typedef` may have been intended. */
struct arp_head
{
	unsigned short hardware_type;// hardware type (1 = Ethernet)
	unsigned short protocol_type;// protocol address format (0x0800 = IPv4)
	unsigned char add_len;// length of a hardware address
	unsigned char pro_len;// length of a protocol address
	unsigned short option;// ARP opcode: request or reply
	unsigned char sour_addr[6];// sender MAC address
	unsigned long sour_ip; // sender protocol (IPv4) address
    unsigned char dest_addr[6];// target hardware address
    unsigned long dest_ip;// target protocol (IPv4) address
}arp_head,*parp_head;
/* ARP body plus 18 bytes of padding: 28 + 18 = 46 bytes, the minimum Ethernet payload.
 * Fields are signed (short/long) here, unlike the unsigned layout above; the wire contents are
 * the same. */
typedef struct
{
	short			iNetTyp	;		// hardware type: 00 01 = Ethernet
	short			iUpProt;		// upper-layer protocol: 08 00 = IP
	UCHAR			cPhyAddrLen;	// hardware address length = 06
	UCHAR			cIpAddrLen;		// IP address length = 04
	short			iOptionCode;	// 00 01 = request; 00 02 = reply
//	UCHAR			sData[40];		// temporary
	UCHAR			sSrcMAC[6];		// sender MAC address
	long			lSrcIP;			// sender IP address
	UCHAR			sDestMAC[6];	// target MAC address
	long			lDesIP;			// target IP address
	UCHAR			sReserv[18];	// frame padding; original comment: usually 0x20
}ARP_PACKET,*PARP_PACKET;
//
// Section header format.
//

#define IMAGE_SIZEOF_SHORT_NAME              8

/* One entry of the section table that follows the optional header. */
typedef struct _IMAGE_SECTION_HEADER {
    BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];  // not NUL-terminated when all 8 bytes are used
    union {
            DWORD   PhysicalAddress;
            DWORD   VirtualSize;
    } Misc;
    DWORD   VirtualAddress;
    DWORD   SizeOfRawData;
    DWORD   PointerToRawData;
    DWORD   PointerToRelocations;
    DWORD   PointerToLinenumbers;
    WORD    NumberOfRelocations;
    WORD    NumberOfLinenumbers;
    DWORD   Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

#define IMAGE_SIZEOF_SECTION_HEADER          40
//
// Export Format
//

/* Export directory (DataDirectory[0]); presumably used to resolve _FunctionName by name —
 * the lookup itself is not in this chunk. All Address* fields are RVAs, not pointers. */
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD   Characteristics;
    DWORD   TimeDateStamp;
    WORD    MajorVersion;
    WORD    MinorVersion;
    DWORD   Name;
    DWORD   Base;
    DWORD   NumberOfFunctions;
    DWORD   NumberOfNames;
    DWORD   AddressOfFunctions;     // RVA from base of image
    DWORD   AddressOfNames;         // RVA from base of image
    DWORD   AddressOfNameOrdinals;  // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

/* Meaning not visible in this chunk (possibly a base-address string length) — TODO confirm at use. */
#define BASEADDRLEN 10

/* Not declared by ntddk.h of this era; used to enumerate loaded modules / handles. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );


/* Pointer type for the original ZwCreateFile.
 * NOTE(review): this typedef (and IoCreateDeviceXXX below) omits NTAPI/__stdcall, while the
 * ProxyDispatch typedef further down spells it out. If the project builds with the cdecl default
 * (no /Gz), calling the saved original through these types mismatches the exports' stdcall
 * convention and corrupts the stack — TODO confirm build settings. */
typedef NTSTATUS (* ZWCREATEFILE)(
  OUT PHANDLE FileHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN PLARGE_INTEGER AllocationSize  OPTIONAL,
  IN ULONG FileAttributes,
  IN ULONG ShareAccess,
  IN ULONG CreateDisposition,
  IN ULONG CreateOptions,
  IN PVOID EaBuffer  OPTIONAL,
  IN ULONG EaLength
  );

/* Storage for the original ZwCreateFile when it is hooked; the hook is not in this chunk. */
ZWCREATEFILE    OldZwCreateFile;
/* Pointer type for the original IoCreateDevice (see calling-convention note above). */
typedef NTSTATUS (* IoCreateDeviceXXX)(
                IN PDRIVER_OBJECT DriverObject,
                IN ULONG DeviceExtensionSize,
                IN PUNICODE_STRING DeviceName OPTIONAL,
                IN DEVICE_TYPE DeviceType,
                IN ULONG DeviceCharacteristics,
                IN BOOLEAN Exclusive,
                OUT PDEVICE_OBJECT *DeviceObject
  );

/* Storage for the original IoCreateDevice when it is hooked; presumably installed by HOOKIoConXXX. */
IoCreateDeviceXXX    OldIoCreateDevice;
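typedef NTSTATUS (__stdcall *ProxyDispatch)(IN PDEVICE_OBJECT device, IN PIRP Irp);

/* Original IRP_MJ_DEVICE_CONTROL dispatch routine, saved before it is replaced by Dispatch(). */
ProxyDispatch realdispatcher;

/*
 * Proxy function for a hooked IRP_MJ_DEVICE_CONTROL entry.
 *
 * Forwards every device-control IRP to the saved dispatch routine; for
 * IOCTL_STORAGE_QUERY_PROPERTY with PropertyId == StorageDeviceProperty it additionally
 * clears RemovableMedia in the STORAGE_DEVICE_DESCRIPTOR the lower driver filled in.
 *
 * device, Irp: the arguments of the hooked dispatch routine, passed through unchanged.
 * Returns the status returned by the original dispatch routine.
 *
 * The IOCTL is METHOD_BUFFERED, so SystemBuffer holds the caller's query on input and the
 * descriptor on output. The buffer lengths come from the (possibly user-mode) requester and
 * are validated before either cast; a request too small for the query or the descriptor is
 * simply forwarded untouched.
 */
NTSTATUS Dispatch(IN PDEVICE_OBJECT device, IN PIRP Irp)
{
    NTSTATUS status = 0;
    PSTORAGE_PROPERTY_QUERY query;
    PSTORAGE_DEVICE_DESCRIPTOR descriptor;
    PIO_STACK_LOCATION loc = IoGetCurrentIrpStackLocation(Irp);

    if (loc->Parameters.DeviceIoControl.IoControlCode == IOCTL_STORAGE_QUERY_PROPERTY &&
        loc->Parameters.DeviceIoControl.InputBufferLength >= sizeof(STORAGE_PROPERTY_QUERY) &&
        loc->Parameters.DeviceIoControl.OutputBufferLength >= sizeof(STORAGE_DEVICE_DESCRIPTOR)) {
        query = (PSTORAGE_PROPERTY_QUERY)Irp->AssociatedIrp.SystemBuffer;
        if (query->PropertyId == StorageDeviceProperty) {
            descriptor = (PSTORAGE_DEVICE_DESCRIPTOR)Irp->AssociatedIrp.SystemBuffer;
            status = realdispatcher(device, Irp);
            /* If the lower driver returned STATUS_PENDING it still owns the IRP and its
             * buffer must not be written here.
             * NOTE(review): even for a synchronous return the IRP may already have been
             * completed; a completion routine would be the robust place for this write —
             * TODO confirm against the lower driver's behaviour. */
            if (status != STATUS_PENDING) {
                descriptor->RemovableMedia = FALSE;
            }
            return status;
        }
    }
    return realdispatcher(device, Irp);
}

/* NOTE(review): the two statements below were pasted at file scope in the original. `driver`
 * is not declared anywhere in this file and assignments cannot appear outside a function, so
 * they are kept as a comment; they belong in a function body (e.g. DriverEntry) where a
 * PDRIVER_OBJECT named `driver` is in scope. */
// somewhere in the code...
// realdispatcher = (ProxyDispatch)driver->MajorFunction[IRP_MJ_DEVICE_CONTROL];
// driver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Dispatch;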
/* Handle and attributes used when opening a file/device object; assigned outside this chunk. */
HANDLE        hFileHandle;
OBJECT_ATTRIBUTES        ObjectAttrib;
/* Device object obtained from hFileHandle (presumably via IoGetDeviceObjectPointer — TODO confirm). */
PDEVICE_OBJECT        pFileDeviceObject;
 
/* NOTE(review): named like a device object but typed as a DRIVER_OBJECT pointer; the owning driver
 * whose dispatch table is patched, presumably. */
struct _DRIVER_OBJECT *pDeviceObject;
 
/* Original IRP_MJ_WRITE dispatch routine saved before hooking (per the SetNPF_Write* IOCTL names). */
PDRIVER_DISPATCH RealWriteDispatch;


// Ethernet frame header (14 bytes).
typedef struct ehhdr
{
    UCHAR    eh_dst[6];        /* destination ethernet address */
    UCHAR    eh_src[6];        /* source ethernet address */
    USHORT  eh_type;          /* ethernet packet type (EtherType, network order) */
}EHHEADR, *PEHHEADR;

// 28-byte ARP request/reply body. Third ARP layout in this file, equivalent to struct arp_head above.
typedef struct arphdr
{
    USHORT    arp_hrd;            /* format of hardware address */
    USHORT    arp_pro;            /* format of protocol address */
    UCHAR    arp_hln;            /* length of hardware address */
    UCHAR    arp_pln;            /* length of protocol address */
    USHORT    arp_op;            /* ARP/RARP operation */
    UCHAR    arp_sha[6];        /* sender hardware address */
    ULONG    arp_spa;            /* sender protocol address */
    UCHAR    arp_tha[6];        /* target hardware address */
    ULONG    arp_tpa;            /* target protocol address */
}ARPHEADR, *PARPHEADR;

/* Complete ARP frame as seen on the wire: Ethernet header followed by the ARP body (42 bytes). */
typedef struct _ARPPACKET
{
    EHHEADR    ehhdr;
    ARPHEADR  arphdr;
} ARPPACKET, *PARPPACKET;

//#include <winsock.h>
/* Byte-order helpers. winsock.h is not usable in kernel mode, so map them onto the Rtl byte-swap
 * routines; this is only correct because the target (x86) is little-endian. */
#define htons(a)    RtlUshortByteSwap(a)
#define ntohs(a)    RtlUshortByteSwap(a)

#define htonl(a)    RtlUlongByteSwap(a)
#define ntohl(a)    RtlUlongByteSwap(a)














//===========================================
/* Forward declarations of the driver's entry points; bodies are later in the file. */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
/* Handles the IOCTL_DISPATCH_* codes defined near the top of the file. */
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
/* PLOAD_IMAGE_NOTIFY_ROUTINE shape; presumably registered with PsSetLoadImageNotifyRoutine
 * (registration is not in this chunk). */
VOID
	MyLoadImageNotifyProc (PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo);
/* Installs the IoCreateDevice hook (OldIoCreateDevice), presumably.
 * NOTE(review): empty parentheses declare unspecified parameters in C; `(void)` would let the
 * compiler check the call sites. */
int HOOKIoConXXX();

//==========================================
void AllocatePool()
{
	_asm{                                                
push 0x206B6444                                              
push 0x00002814                                              
push 0x00                                                    
call ExAllocatePoolWithTag

	}
}



/*
 * Kernel APC routine (KKERNEL_ROUTINE shape). A kernel APC runs in the context of the thread it
 * was queued to, so the current-process pseudo-handle below names that thread's process.
 *
 * Apc: the KAPC block the enqueuer allocated from pool; released here.
 * NormalRoutine, NormalContext, SystemArgument1, SystemArgument2: unused.
 *
 * Order matters: the APC block is freed before the terminate call, because once
 * ZwTerminateProcess succeeds on the calling process the remaining statements presumably
 * never run. 0xFFFFFFFF is the 32-bit current-process pseudo-handle.
 */
void KillThreadApcRoutine( IN struct _KAPC *Apc, IN OUT PKNORMAL_ROUTINE *NormalRoutine, IN OUT PVOID *NormalContext, IN OUT PVOID *SystemArgument1, IN OUT PVOID *SystemArgument2 )
{
	const HANDLE currentProcess = (HANDLE)0xFFFFFFFF;
	NTSTATUS rc;

	(void)NormalRoutine;
	(void)NormalContext;
	(void)SystemArgument1;
	(void)SystemArgument2;

	ExFreePool(Apc);
	rc = ZwTerminateProcess(currentProcess, 0);
	DbgPrint("ZwTerminateProcess %08x...\n", rc);
}


void ApcKillProcess(PVOID Object)
{
	NTSTATUS				ntStatus;
			DWORD		Tid;
			PVOID		ethread;
			PKAPC		Kapc;
			
			Tid = *(DWORD*)Object;
			
			ntStatus = PsLookupThreadByThreadId( Tid, &ethread);

			ntStatus = ObReferenceObjectByPointer( ethread, THREAD_ALL_ACCESS,
