cetc.c

一个用于按键模拟的驱动 利用 port I/O

#ifndef CETC
ALLERT! DO NOT PUT THIS FILE IN THE STANDARD CE DISTRIBUTION
#endif

#include "ntifs.h"
#include "extraimports.h"
#include "memscan.h"
#include "tdiwrapper.h"
#include <windef.h>
#include "rootkit.h"

VOID CETC_CORE(IN PVOID StartContext)
{
	KLOCK_QUEUE_HANDLE lqh;
	PEPROCESS ActivePEPROCESS=NULL;

	InitServer();


	if (FileObjectConnection!=NULL)
	{
		StopListener=FALSE;

		while (!StopListener)
		{
			AddressListEntries=0;

			//DbgPrint("Start listening\n");
			if (Listen())
			{
				ULONG DataSent=0;
				BOOLEAN PasswordCorrect=FALSE;
				int i;
				unsigned char command;
				char a;				
				char *buffer;
				char defaultpass[9]="defaultpw";
				//DbgPrint("Listen=success\n");

				connected=TRUE;

				//DbgPrint("Waiting for password\n");				

				while ((!PasswordCorrect) && (connected))
				{
					if (Receive(&command,1))
					{		


						if (command==CS_PASSWORD) //only one possible so use a if
						{							
							if (Receive(&a,1)) //length
							{
								if (a!=0)
								{
									buffer=ExAllocatePoolWithTag(NonPagedPool,(ULONG)a,0);
									
									//DbgPrint("received passsize=%d\n",a);
									//allocate a buffer big enough to receive the password
									if (Receive(buffer,a))
									{
										if (a<=9)
										{
		                                    for (i=0; i<a; i++)
												if (buffer[i]!=defaultpass[i])
													break;
		
											PasswordCorrect=(i==9);
										}								
		
										if (PasswordCorrect)
											//DbgPrint("Password correct\n");
										else
											//DbgPrint("Password incorrect\n");
									}							
		
									ExFreePool(buffer);
								}						
							}
						}
					}
				}

				if (!connected)
					continue;

						
				DataSent=0;

				while (connected)
				{
					//DbgPrint("Going to read a new command\n");
					if (Receive(&command,1))
					{
						//DbgPrint("command=%d\n",command);
						switch (command)
						{

							case CS_SetTimerSpeed: //(freezeinterval:word)
							{
								WORD fi;
								//DbgPrint("Set Timer Speed\n");
                                Receive(&fi,2);

								FreezeInterval.QuadPart=fi*-10000;

								//-50000000=5 seconds=5000 ms
								//-5000000=500 ms
								break;
							}

							case CS_KERNELDATA:
							{
								//DbgPrint("Kerneldata received\n");
								Receive(&ActiveLinkOffset,4);
								Receive(&ProcessNameOffset,4);
								Receive(&DebugportOffset,4);
								Receive(&PIDOffset,4);
								break;
							}

							case CS_SetConfig:
							{
								//UseDebugRegs:byte;UseDBKQueryMemoryRegion:byte;UseDBKReadWriteMemory:byte;UseDBKOpenProcess:byte)
								//DbgPrint("SetConfig\n");
								
								Receive(&MemscanOptions.ShowAsSigned,1);
								Receive(&MemscanOptions.BinariesAsDecimal,1);
								Receive(&MemscanOptions.max,2);
								Receive(&MemscanOptions.buffersize,4);
								Receive(&MemscanOptions.skip_page_no_cache,1);
								Receive(&MemscanOptions.UseDebugRegs,1);
								Receive(&MemscanOptions.UseDBKQueryMemoryRegion,1);
								Receive(&MemscanOptions.UseDBKReadWriteMemory,1);
								Receive(&MemscanOptions.UseDBKOpenProcess,1);
								break;

							}



							case CS_PROCESSLIST:
							{
								BOOLEAN First;
								PEPROCESS pf,p;
								KAPC_STATE apc_state;
								int pos=0;
	
								char *processname;
								char EndList[1]={SC_ENDPROCESSLIST};	
								char* TempBuffer=ExAllocatePoolWithTag(NonPagedPool,512,0);

								__try
								{
								//DbgPrint("ProcessList\n");
								
								RtlZeroMemory(&apc_state,sizeof(apc_state));


								pf=PsGetCurrentProcess();
								p=pf;


								First=TRUE;
								while (((p!=NULL) && (p!=pf)) || (First))
								{									
									
									
								
									First=FALSE;
									processname=(PVOID)p;
									processname=&processname[ProcessNameOffset];
									//DbgPrint("peprocess=%p processname=%s\n",p,processname);
									
									//get size of processname (less than 32 bytes)
									for (i=0; (i<32)&&(processname[i]!=0) ; i++) ;
								
									//(processid:dword;stringlength:byte;processname:array of char)
									if ((pos+6+i)<512)
									{
										//add it to the buffer
										TempBuffer[pos]=SC_PROCESSLISTITEM;
										pos++;

										*(PULONG)(&TempBuffer[pos])=(ULONG)p;
										pos+=4;

										TempBuffer[pos]=(UCHAR)i;
										pos++;

										RtlCopyMemory(&TempBuffer[pos],processname,i);
										pos+=i;
									}
									else
									{										
										//buffer is too full, so send it, and start filling again
										Send(TempBuffer,pos);	
										pos=0;
									}
								
									
									p=(PEPROCESS)(*(PULONG)((ULONG)p+ActiveLinkOffset)-ActiveLinkOffset);
									
								}

								if (pos>0)
									Send(TempBuffer,pos);
								
								ExFreePool(TempBuffer);
	
								
								Send(EndList,1);
								}
								__except(1)
								{
									//DbgPrint("Error in processlist\n");

								}
								

								break;
								
							}

							case CS_OPENPROCESS:
							{
								unsigned char openedprocess=SC_OPENPROCESSSUCCESS;
								

								//DbgPrint("Open Process\n");
								

							    if (Receive(&ActivePEPROCESS,4))
                                    //DbgPrint("ActivePEPROCESS=%p\n",ActivePEPROCESS);
								else
									//DbgPrint("OpenProcess failed");

								Send(&openedprocess,1);
								break;
							}


							case CS_CancelScan:
							{
                                CurrentScan.scanning=FALSE;
								addressfile=0;
								valuefile=0;

							}

							case CS_FirstScan:
							{
								//start,stop:dword;vartype:byte;Scantype:byte;scanvaluelength:byte;scanvalue:array of bytes;scanoptions:byte
								DWORD start;
								DWORD stop;								
								BYTE VarType;
								BYTE Scantype;
								BYTE ScanvalueSize;
								char *scanvalue;
								BYTE ScanOptions;

								Receive(&start,4);
								Receive(&stop,4);
								Receive(&VarType,1);
								Receive(&Scantype,1);								
								Receive(&ScanvalueSize,1);

								scanvalue=ExAllocatePoolWithTag(NonPagedPool,ScanvalueSize,0);
								if (scanvalue!=NULL)
								{
									__try
									{
										Receive(scanvalue,ScanvalueSize);
										Receive(&ScanOptions,1);

										//all parameters received, start the scan....
										//DbgPrint("start=%x  stop=%x  vartype=%d  scantype=%d  scanvaluesize=%d  scanoptions=%d\n",start,stop,VarType,Scantype,ScanvalueSize);
										FirstScan(ActivePEPROCESS,start,stop,VarType,Scantype,ScanvalueSize,scanvalue,ScanOptions);	
									}
									__finally
									{	
										ExFreePool(scanvalue);
									}
								}

                                break;								
							}

							case CS_ReadProcessMemory:
							{
								//ReadProcessMemory(address:dword; length: word);
								
								BOOLEAN ok=FALSE;
								ULONG address;
								WORD size;
								WORD bytesread=0;
								char* outputbuffer;								

								//DbgPrint("ReadProcessMemory\n");
								Receive(&address,4);
								Receive(&size,2);

								//DbgPrint("address=%x size=%d\n",address,size);
                                //output SC_ReadProcessMemoryResult(successboolean: byte; actualread: word; bytesread: array of byte)
								//allocate memory to hold the data								
								outputbuffer=ExAllocatePoolWithTag(NonPagedPool,(ULONG)size+4,0);
								if (outputbuffer!=NULL)
								{
									//DbgPrint("Allocated memory\n");
									
									//DbgPrint("ActivePEPROCESS=%p\n",ActivePEPROCESS);
									ok=ReadProcessMemory(0,ActivePEPROCESS,(PVOID)address,size,(PVOID)&outputbuffer[4]);
									if (ok) 
										//DbgPrint("ReadProcessMemory successful\n");
									else
										//DbgPrint("ReadProcessMemory failed\n");

									bytesread=ok ? (WORD)size : 0;
									outputbuffer[0]=SC_ReadProcessMemoryResult;
									outputbuffer[1]=ok ? 1:0;
									*(PWORD)(&outputbuffer[2])=bytesread;

									Send(outputbuffer,bytesread+4);

									ExFreePool(outputbuffer);
								}								
								break;

							}

							case CS_WriteProcessMemory:
							{
								//WriteProcessMemory(address:dword; length: word; bytes: array of byte);
								BOOLEAN ok=FALSE;
								ULONG address;
								WORD size;
								WORD bytesread=0;
								char* inputbuffer;								

								//DbgPrint("WriteProcessMemory\n");
								Receive(&address,4);
								Receive(&size,2);

								//DbgPrint("address=%x size=%d\n",address,size);

								inputbuffer=ExAllocatePoolWithTag(NonPagedPool, (size<=4) ? 4 : (ULONG)size,0);
								if (inputbuffer!=NULL)
								{
									Receive(inputbuffer,size);
									ok=WriteProcessMemory(0,ActivePEPROCESS,(PVOID)address,size,inputbuffer);
									if (ok) 
										//DbgPrint("WriteProcessMemory successful\n");
									else
										//DbgPrint("WriteProcessMemory failed\n");

									inputbuffer[0]=SC_WriteProcessMemoryResult;
									inputbuffer[1]=ok ? 1:0;
									*(PWORD)(&inputbuffer[2])=ok ? (WORD)size: 0;

									Send(inputbuffer,4);

									ExFreePool(inputbuffer);
								}

								

								break;
							}