📄 360antiarp.c

				(POBJECT_TYPE)PsThreadType, KernelMode);
			


			Kapc = (PKAPC)ExAllocatePool( NonPagedPool, 0x30 );
		
			KeInitializeApc( Kapc, ethread, 0, KillThreadApcRoutine, NULL, NULL, KernelMode, NULL );
			
			KeInsertQueueApc( Kapc, Kapc, NULL, 2);
									
			ObfDereferenceObject( ethread );				
		



}
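BOOLEAN
	DeviceIoControlProc (PFILE_OBJECT FileObject, UINT n, PVOID InputBuffer, UINT InputBufferLength,
		PVOID OutputBuffer, UINT OutputBufferLength, UINT IoControlCode, PIO_STATUS_BLOCK IoStatusBlock,
		PDEVICE_OBJECT DeviceObject)
{
	/*
	 * IOCTL dispatcher, called from DispatchProc for IRP_MJ_DEVICE_CONTROL.
	 * The outcome is reported through IoStatusBlock (Status / Information);
	 * the return value is always TRUE and the caller completes the IRP.
	 *
	 * FileObject, n and DeviceObject are not used.
	 * InputBuffer / OutputBuffer are the raw IRP buffers; the two lengths are
	 * the only validation available, so every case checks them before it
	 * touches a buffer. Pointers are cast to ULONG in places: this file is a
	 * 32-bit (x86) driver, see the inline assembly further down.
	 *
	 * Changes against the reconstructed original:
	 *  - IOCTL_DISPATCH_KILL and IOCTL_DISPATCH_SetMac had no `break`, so a
	 *    KILL request also overwrote MacGateWay and both then ran the
	 *    DISPATCH3 case, which failed the request for a wrong output size.
	 *  - IOCTL_DISPATCH_SetMac copied sizeof(MacGateWay) bytes without a
	 *    length check (read past a shorter system buffer).
	 *  - IOCTL_DISPATCH3 computed the unsigned difference _ul9-_ul5 without
	 *    guarding the case _ul9 < _ul5, and updated _ul5 outside the lock.
	 */
	KIRQL OldIrql;
	ULONG ul;

	IoStatusBlock->Status = STATUS_SUCCESS;
	IoStatusBlock->Information = 0;

	switch (IoControlCode) {
	case IOCTL_DISPATCH0:	/* 0x222000 */
		_ul3 = 1;	/* file-scope enable flag; its reader is not in this file */
		break;

	case IOCTL_DISPATCH1:	/* 0x222004 */
		_ul3 = 0;
		break;

	case IOCTL_DISPATCH2:	/* 0x222008 */
		/* Fixed 12-byte record: bytes 0..3 go to _ch, bytes 8..11 to _ul1.
		 * Both are compared against packet contents by HookProc2, hence the
		 * spin lock. Bytes 4..7 are ignored. */
		if (InputBufferLength != 0xC) {
			IoStatusBlock->Status = STATUS_INVALID_DEVICE_REQUEST;
		} else {
			KeAcquireSpinLock (&_SpinLock, &OldIrql);
			_ul1 = *(PULONG)((ULONG)InputBuffer+0x8);
			memcpy (_ch, InputBuffer, 4);
			KeReleaseSpinLock (&_SpinLock, OldIrql);
		}
		break;

	case IOCTL_DISPATCH_KILL:
		/* Exactly 4 bytes of input are handed to ApcKillProcess (defined
		 * above); any other size is rejected like the other cases. */
		if (InputBufferLength == 0x4) {
			ApcKillProcess(InputBuffer);
		} else {
			IoStatusBlock->Status = STATUS_INVALID_DEVICE_REQUEST;
		}
		break;

	case IOCTL_DISPATCH_SetMac:
		/* MacGateWay is a file-scope object declared elsewhere; sizeof is
		 * only meaningful if it is an array, which the original relied on.
		 * NOTE(review): it is written without _SpinLock -- confirm that no
		 * DISPATCH_LEVEL reader (HookProc2 or the hooks) can race this. */
		if (InputBufferLength < sizeof(MacGateWay)) {
			IoStatusBlock->Status = STATUS_INVALID_DEVICE_REQUEST;
		} else {
			memcpy(MacGateWay, InputBuffer, sizeof(MacGateWay));
		}
		break;

	case IOCTL_DISPATCH3:
		/* Drain what HookProc2 collected since the previous call: dword 0 of
		 * the output buffer receives the byte count, the data area starts at
		 * +4 and is 0x1000 bytes (hence the fixed 0x1004 size). _ulA is the
		 * base of the collection area, _ul9 its write cursor, _ul5 the read
		 * cursor; all three are file-scope globals shared with HookProc2. */
		if (OutputBufferLength != 0x1004) {
			IoStatusBlock->Status = STATUS_INVALID_DEVICE_REQUEST;
		} else {
			KeAcquireSpinLock (&_SpinLock, &OldIrql);

			/* HookProc2 resets the write cursor to 0 once the area is full.
			 * An unsigned _ul9-_ul5 would then wrap to ~4 GB and the memcpy
			 * below would run far outside both buffers; resynchronise the
			 * read cursor instead (records between the old read position and
			 * the wrap point are dropped). */
			if (_ul9 < _ul5) {
				_ul5 = 0;
			}
			ul = _ul9-_ul5;
			if (ul > OutputBufferLength - 4) {
				ul = OutputBufferLength - 4;	/* never beyond the caller's data area */
			}

			if (ul!=0) {
				/* NOTE(review): argument order kept from the original. With
				 * memcpy(dst, src) this copies the caller's bytes INTO the
				 * kernel area, which contradicts the count written to the
				 * caller right after it. HookProc2 shows the same
				 * reversed-looking order, so this is probably how the
				 * reconstruction recorded memcpy -- confirm against the binary
				 * before relying on either direction. */
				memcpy ((PVOID)(_ulA+_ul5), (PVOID)((ULONG)OutputBuffer+4), ul);
			}
			*(PULONG)OutputBuffer = ul;	/* always tell the caller the count, including 0 */

			/* Advance the read cursor under the lock; the original did it
			 * after the release and could lose a record written in between. */
			_ul5 = _ul9;
			KeReleaseSpinLock (&_SpinLock, OldIrql);

			IoStatusBlock->Information = ul+4;
		}
		break;

	default:
		IoStatusBlock->Status = STATUS_INVALID_DEVICE_REQUEST;
		break;
	}

	return TRUE;
}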

///////////////////////////////////////////////////////////////////////////////

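NTSTATUS
	DispatchProc (PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
	/*
	 * IRP_MJ_DEVICE_CONTROL dispatch routine. Unpacks the IOCTL parameters
	 * from the current stack location, hands them to DeviceIoControlProc
	 * (which fills Irp->IoStatus) and completes the IRP. The I/O manager
	 * always gets STATUS_SUCCESS back; the per-request outcome is in
	 * Irp->IoStatus.Status.
	 *
	 * Change against the reconstructed original: METHOD_NEITHER requests
	 * are now refused. The original passed Irp->UserBuffer straight through
	 * as the output buffer (and SystemBuffer, which is NULL for that
	 * method, as the input buffer). DeviceIoControlProc dereferences its
	 * buffers directly, partly while holding a spin lock, so an unprobed
	 * user pointer there means a page fault at DISPATCH_LEVEL or a kernel
	 * access through a user-chosen address. The codes whose values are
	 * visible in this file (0x222000/4/8) are METHOD_BUFFERED; the values
	 * of IOCTL_DISPATCH_KILL, _SetMac and _DISPATCH3 are not shown here --
	 * NOTE(review): confirm they are METHOD_BUFFERED too, otherwise the
	 * handler needs ProbeForRead/ProbeForWrite under SEH before this can be
	 * relaxed.
	 */
	PIO_STACK_LOCATION Sp;
	PVOID Buffer;
	UINT IoControlCode;

	Sp = IoGetCurrentIrpStackLocation (Irp);
	Irp->IoStatus.Status = STATUS_SUCCESS;
	Irp->IoStatus.Information = 0;

	if (Sp->MajorFunction == IRP_MJ_DEVICE_CONTROL) {
		IoControlCode = Sp->Parameters.DeviceIoControl.IoControlCode;

		if ((IoControlCode & METHOD_NEITHER) == METHOD_NEITHER) {
			Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
		} else {
			/* Buffered I/O: input and output share the system buffer. */
			Buffer = Irp->AssociatedIrp.SystemBuffer;
			DeviceIoControlProc (Sp->FileObject, 1, Buffer,
				Sp->Parameters.DeviceIoControl.InputBufferLength,
				Buffer, Sp->Parameters.DeviceIoControl.OutputBufferLength,
				IoControlCode, &Irp->IoStatus, DeviceObject);
		}
	}

	IoCompleteRequest (Irp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}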
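NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
	/*
	 * Driver entry point. Registers the dispatch routines, creates the two
	 * control devices (DEVICE_NAME, DEVICE_NAME1002) with their symbolic
	 * links (LINK_NAME, LINK_NAME1002), then installs the load-image notify
	 * routine and calls HOOKIoConXXX() (defined elsewhere in the driver).
	 *
	 * Change against the reconstructed original: every failure now tears
	 * down what was created before it and returns the error status. The
	 * original leaked the first device and link when the second device
	 * failed, deleted only the second device when its link failed, and
	 * ignored the PsSetLoadImageNotifyRoutine result.
	 */
	NTSTATUS status;
	UNICODE_STRING ustrLinkName;
	UNICODE_STRING ustrDevName;
	UNICODE_STRING ustrLinkName1002;
	UNICODE_STRING ustrDevName1002;
	PDEVICE_OBJECT pDevObj = NULL;
	PDEVICE_OBJECT pDevObj1002 = NULL;

	if (*InitSafeBootMode > 0)
	{
		/* System is booting in Safe Mode. The original has no code here;
		 * NOTE(review): decide whether the driver should refuse to load. */
	}

	dprintf("[360AntiARP] DriverEntry: %S\n",pRegistryString->Buffer);

	// Create dispatch points for device control, create, close.
	pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchProc;
	pDriverObj->DriverUnload = DriverUnload;

	/* First device and its link. */
	RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
	status = IoCreateDevice(pDriverObj, 0, &ustrDevName, FILE_DEVICE_UNKNOWN,
				0, FALSE, &pDevObj);
	dprintf("[360AntiARP] Device Name %S",ustrDevName.Buffer);
	if(!NT_SUCCESS(status))
	{
		dprintf("[360AntiARP] IoCreateDevice = 0x%x\n", status);
		return status;
	}

	RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
	status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
	if(!NT_SUCCESS(status))
	{
		dprintf("[360AntiARP] IoCreateSymbolicLink = 0x%x\n", status);
		goto fail_dev;
	}
	dprintf("[360AntiARP] SymbolicLink:%S",ustrLinkName.Buffer);

	/* Second device and its link. */
	RtlInitUnicodeString(&ustrDevName1002, DEVICE_NAME1002);
	status = IoCreateDevice(pDriverObj, 0, &ustrDevName1002, FILE_DEVICE_UNKNOWN,
				0, FALSE, &pDevObj1002);
	dprintf("[360AntiARP] Device Name %S",ustrDevName1002.Buffer);
	if(!NT_SUCCESS(status))
	{
		dprintf("[360AntiARP] IoCreateDevice = 0x%x\n", status);
		goto fail_link;
	}

	RtlInitUnicodeString(&ustrLinkName1002, LINK_NAME1002);
	status = IoCreateSymbolicLink(&ustrLinkName1002, &ustrDevName1002);
	if(!NT_SUCCESS(status))
	{
		dprintf("[360AntiARP] IoCreateSymbolicLink = 0x%x\n", status);
		goto fail_dev1002;
	}
	dprintf("[360AntiARP] SymbolicLink:%S",ustrLinkName1002.Buffer);

	/* A notify routine that failed to register must not be assumed present
	 * (DriverUnload removes it); fail the load instead of running half set up. */
	status = PsSetLoadImageNotifyRoutine(MyLoadImageNotifyProc);
	if(!NT_SUCCESS(status))
	{
		dprintf("[360AntiARP] PsSetLoadImageNotifyRoutine = 0x%x\n", status);
		goto fail_link1002;
	}
	HOOKIoConXXX();

	return STATUS_SUCCESS;

fail_link1002:
	IoDeleteSymbolicLink(&ustrLinkName1002);
fail_dev1002:
	IoDeleteDevice(pDevObj1002);
fail_link:
	IoDeleteSymbolicLink(&ustrLinkName);
fail_dev:
	IoDeleteDevice(pDevObj);
	return status;
}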


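VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
	/*
	 * Undoes DriverEntry: unregisters the load-image notify routine, removes
	 * both symbolic links and deletes every device object this driver owns.
	 *
	 * Changes against the reconstructed original:
	 *  - PsRemoveLoadImageNotifyRoutine was never called, leaving a callback
	 *    pointing into an unloaded image (crash on the next image load).
	 *  - pDriverObj->DeviceObject was deleted twice; whether the second call
	 *    reached the other device depended on the list head having been
	 *    updated by the first. The driver's device list is walked instead.
	 * NOTE(review): whatever HOOKIoConXXX() installed in DriverEntry is not
	 * undone here either -- no unhook routine is visible in this file.
	 */
	UNICODE_STRING strLink;
	PDEVICE_OBJECT pDev;

	PsRemoveLoadImageNotifyRoutine(MyLoadImageNotifyProc);

	RtlInitUnicodeString(&strLink, LINK_NAME);
	IoDeleteSymbolicLink(&strLink);
	RtlInitUnicodeString(&strLink, LINK_NAME1002);
	IoDeleteSymbolicLink(&strLink);

	/* Save NextDevice before deleting: the object is not valid afterwards. */
	pDev = pDriverObj->DeviceObject;
	while (pDev != NULL) {
		PDEVICE_OBJECT pNext = pDev->NextDevice;
		IoDeleteDevice(pDev);
		pDev = pNext;
	}

	dprintf("[360AntiARP] Unloaded\n");
}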

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	/* IRP_MJ_CREATE handler: no per-handle state, so every open succeeds
	 * with zero bytes of information. pDevObj is unused. The IRP must not
	 * be touched after IoCompleteRequest. */
	PIO_STATUS_BLOCK pIos = &pIrp->IoStatus;

	pIos->Information = 0;
	pIos->Status = STATUS_SUCCESS;
	dprintf("[360AntiARP] IRP_MJ_CREATE\n");
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	/* IRP_MJ_CLOSE handler: nothing to release per handle, so the close
	 * always succeeds with zero bytes of information. pDevObj is unused.
	 * The IRP must not be touched after IoCompleteRequest. */
	PIO_STATUS_BLOCK pIos = &pIrp->IoStatus;

	pIos->Information = 0;
	pIos->Status = STATUS_SUCCESS;
	dprintf("[360AntiARP] IRP_MJ_CLOSE\n");
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}





VOID
DisableWriteProtect(
    VOID
    )
{
    /*
     * Saves the current CR0 into the file-scope OldCr0 (declared elsewhere),
     * clears CR0 bit 16 (mask 0FFFEFFFFh, the WP bit) and then disables
     * interrupts on this processor. Must be paired with EnableWriteProtect,
     * which restores OldCr0.
     *
     * NOTE(review): OldCr0 is a single global, so two callers running at the
     * same time overwrite each other's saved value; and `cli` only affects
     * the current CPU, so this provides no exclusion on multiprocessor
     * systems. MSVC x86 inline assembly: 32-bit only, not portable.
     */
    __asm
    {
        push    eax
        mov     eax, cr0
        mov     OldCr0, eax
        and     eax, 0FFFEFFFFh
        mov     cr0, eax
        pop     eax
        cli
    }
}

__inline
VOID
EnableWriteProtect(
    VOID
    )   
{
    /*
     * Counterpart of DisableWriteProtect: re-enables interrupts, then
     * restores CR0 from the file-scope OldCr0 (which puts the WP bit back
     * if it was set when DisableWriteProtect ran).
     *
     * NOTE(review): `sti` executes before CR0 is restored, so there is a
     * short window with interrupts enabled while WP is still clear; the
     * reverse order (restore CR0, then sti) would mirror the disable side
     * exactly. Same non-portability and shared-OldCr0 caveats as
     * DisableWriteProtect.
     */
    __asm
    {
        sti
        push    eax
        mov     eax, OldCr0
        mov     cr0, eax
        pop     eax
    }
}


BOOLEAN
	SeekTargetAPI (UCHAR * sFunc, UCHAR * sMod, PUNICODE_STRING ModPath, ULONG * arg1, ULONG * arg2)
{
	/*
	 * Maps the file named by ModPath into the current process and walks a
	 * table found at (image base + e_lfanew + 0x80), in 0x14-byte entries,
	 * looking for the entry whose name string (offset 0xC) matches sMod,
	 * then walks the dword list referenced by that entry's first field
	 * looking for the name (at +2 from each referenced record) that matches
	 * sFunc. On success *arg1 receives the dword at entry offset 0x10,
	 * *arg2 the index of the matching list element, and TRUE is returned;
	 * otherwise FALSE.
	 *
	 * This is reconstructed code. Several spots below look like
	 * decompilation artefacts rather than intent (see the NOTE(review)
	 * comments) and the failure paths leak handles, so the FALSE path must
	 * not be treated as a clean exit.
	 */
	NTSTATUS status;
	PVOID BaseAddress;
	ULONG SectionBaseAddress;
	ULONG i;
	HANDLE SectionHandle;	/* NOTE(review): never initialised, yet closed on every FALSE path */
	HANDLE Handle;		/* file handle; only closed after a successful map (leaks otherwise) */
	ULONG ViewSize;
	IO_STATUS_BLOCK IoStatusBlock;
	OBJECT_ATTRIBUTES FileAttrib;
	
	ULONG p, p2, ul;	/* p: current table entry, p2: current list element, ul: element value */
	
	InitializeObjectAttributes(&FileAttrib, ModPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
	
	i = 0;
	BaseAddress = NULL;
	ViewSize = 0;
	
	status = ZwOpenFile (&Handle, FILE_EXECUTE|SYNCHRONIZE/*0x100020*/, 
					&FileAttrib, &IoStatusBlock, FILE_SHARE_READ,
					FILE_SYNCHRONOUS_IO_NONALERT /*0x20*/);
	if (NT_SUCCESS(status)) {
		
		/* NOTE(review): the access-mask and attribute constants here (and
		 * their hex comments) are the reconstruction's guess; the section
		 * is reused as the same FileAttrib object name -- confirm. */
		status = ZwCreateSection (&SectionHandle, DIRECTORY_ALL_ACCESS|SECTION_EXTEND_SIZE /*0x0F001F*/, 
					&FileAttrib, NULL, PAGE_EXECUTE /*0x10*/, MEM_TOP_DOWN /*0x100000*/, Handle);
		if (NT_SUCCESS(status)) {
			status = ZwMapViewOfSection (SectionHandle, NtCurrentProcess(), &BaseAddress, 0, 0x3E8, 
						NULL, &ViewSize, 1, MEM_TOP_DOWN /*0x100000*/, PAGE_READWRITE /*0x4*/);
			
			if (NT_SUCCESS(status)) {
				ZwClose(Handle);
				
				/* NOTE(review): takes the first dword OF THE MAPPED VIEW as the
				 * image base; for a plain file mapping that dword is the DOS
				 * header signature, not an address. Looks like an artefact of
				 * the reconstruction -- verify against the binary. */
				SectionBaseAddress = *(PULONG)BaseAddress;
				p = *(PULONG)(SectionBaseAddress + *(PULONG)(SectionBaseAddress+0x3C)+0x80);
				
				if (p) {
					if (*(PULONG)(p+0x10)) {
						do {
							if (!_stricmp ((UCHAR *)(*(PULONG)(p+0xC)+SectionBaseAddress), sMod)) {
								/* find flag -- NOTE(review): this writes the top byte of the
								 * ModPath *pointer* itself; almost certainly a decompiler
								 * artefact (register reused as a local). The flag is also
								 * never cleared before the check below. */
								*(((UCHAR *)&ModPath)+3) = 1;
								break;
							}
							
							p += 0x14;	/* next table entry */
						} while (*(PULONG)(p+0x10));
					}
					
					/* no found, resource leak!!! -- returns without unmapping the view or
					 * closing SectionHandle; should jump to no_found_api instead. */
					if ( *(((UCHAR *)&ModPath)+3) == 0 ) return FALSE;
					
					p2 = *(PULONG)p + SectionBaseAddress;
					while (ul = *(PULONG)p2) {
						/* Sanity bound on the element value; larger values are treated as
						 * "not a name reference" and end the search. */
						if (ul>=0x1000000)
							goto no_found_api;
						
						if (_stricmp ((UCHAR *)(ul + SectionBaseAddress + 2), sFunc) == 0)
							goto found_api;
						
						i++;
						p2 += 4;
					}
				}
			}
		}
	}

// for lazy, I will not write no found part clean up codes twice, but it still could run smoothly.
// of course, no test! hope so
//
// NOTE(review): it does not run cleanly. When ZwOpenFile fails, SectionHandle
// is closed while uninitialised; when ZwCreateSection or ZwMapViewOfSection
// fails, the file Handle is never closed.

no_found_api:
	if (BaseAddress) {
		ZwUnmapViewOfSection (NtCurrentProcess(), BaseAddress);
	}
					
	ZwClose(SectionHandle);
	return FALSE;
	
found_api:
	*arg1 = *(PULONG)(p+0x10);
	*arg2 = i;
	
	if (BaseAddress) {
		ZwUnmapViewOfSection (NtCurrentProcess(), BaseAddress);
	}
	
	ZwClose(SectionHandle);
	return TRUE;
}

///////////////////////////////////////////////////////////////////////////////
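int DoCompare (ULONG u1, ULONG u2, UCHAR * buf)
{
	/*
	 * Returns 1 if one of the 6-byte records in the u2-byte area at address
	 * u1 equals the 6 bytes at buf, otherwise 0. u1 is an address carried in
	 * a ULONG (32-bit build, see the inline assembly in this file).
	 *
	 * Fix: the original loop ran `while (u2)`, and u2 never changes, so a
	 * miss kept comparing past the end of the area until a stray match or a
	 * fault. HookProc2 calls this while holding _SpinLock (DISPATCH_LEVEL),
	 * where a fault is a bugcheck. The loop is now bounded by u2 and never
	 * compares a partial trailing record; an empty area (u2 == 0) returns 0
	 * as before.
	 */
	ULONG i;

	for (i = 0; i + 6 <= u2; i += 6) {
		if (memcmp ((PVOID)(u1+i), buf, 6) == 0) {
			return 1;
		}
	}

	return 0;
}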
///////////////////////////////////////////////////////////////////////////////
// TODO: HookProc2
// Hook: ARPRcvIndicationNew

NDIS_STATUS HookProc2				  (NDIS_HANDLE Handle,
                                       NDIS_HANDLE Context,
                                       PVOID Header,
                                       ULONG HeaderSize,
                                       PVOID Data,
                                       ULONG DataSize,
                                       ULONG TotalSize,
                                       ULONG Unknow1,
                                       ULONG Unknow2)
{
	UCHAR buffer[6];
	KIRQL OldIrql;
	
	UCHAR * p = (UCHAR *)Data;
	UCHAR * pHeader = (UCHAR *)Header;
	UCHAR * pHandle = (UCHAR *)Handle;
	
	USHORT us;
	ULONG ul;
	
	us = *(USHORT*)(pHeader+0xC);
	if (us!=0x608) {
		if (us >= 0x600) goto quit_hook2;
		if (pHandle[0x14]!=0x7) goto quit_hook2;
		if (pHeader[0x2]!=0xD5) goto quit_hook2;
	}
	
	if (DataSize < 0x1C) goto quit_hook2;
	us = *(USHORT*)p;
	if ((us != 0x100) && (us != 0x600)) goto quit_hook2;
	if (p[4]!=6 || *(USHORT*)(p+2)!=8 || p[5]!=4) goto quit_hook2;
	
	ul = *(ULONG *)(p+0xE);
	if (ul != _ul1) goto quit_hook2;
	
	p += 8;
	
	if (!memcmp (_ch, p, 6)) goto quit_hook2;
	memcpy (buffer, p, 6);
	
	if (KeGetCurrentIrql()<DISPATCH_LEVEL) {
		p = (UCHAR *)1;
		KeAcquireSpinLock (&_SpinLock, &OldIrql);
	} else {
		p = NULL;
	}
	
	if (memcmp ((PVOID)_ulC, buffer, 6) != 0) {
		if (!DoCompare (_ulA, _ul9, &buffer[0])) {
			if ((_ul9+6) > 0x1000) {
				_ul9 = 0;
			}
			
			memcpy (buffer, (PVOID)(_ul9+_ulA), 6);
			_ul9 += 6;
			memcpy (buffer, (PVOID)_ulC, 6);
		}
	}
	
	if (p==(UCHAR *)1)
		KeReleaseSpinLock (&_SpinLock, OldIrql);
	
