/*
 * ncp_Init: reset an ncp to its defaults before any NCP is brought up.
 *
 * The urgent TCP port list is a heap copy of default_urgent_tcp_ports so
 * that it can later be grown or edited independently of the static table.
 * If that copy cannot be allocated the list is left empty (port NULL,
 * nports and maxports both 0) and the failure is logged rather than being
 * fatal.  The UDP urgent list starts empty.  The IP and (unless NOINET6)
 * IPv6 control protocols are bound to the bundle's first physical link.
 */
void
ncp_Init(struct ncp *ncp, struct bundle *bundle)
{
  size_t nbytes = NDEFTCPPORTS * sizeof(u_short);
  u_short *ports;

  ncp->afq = AF_INET;
  ncp->route = NULL;

  ports = malloc(nbytes);
  ncp->cfg.urgent.tcp.port = ports;
  if (ports != NULL) {
    memcpy(ports, default_urgent_tcp_ports, nbytes);
    ncp->cfg.urgent.tcp.nports = NDEFTCPPORTS;
    ncp->cfg.urgent.tcp.maxports = NDEFTCPPORTS;
  } else {
    /* Degrade to "no urgent ports" instead of aborting the daemon. */
    log_Printf(LogERROR, "ncp_Init: Out of memory allocating urgent ports\n");
    ncp->cfg.urgent.tcp.nports = 0;
    ncp->cfg.urgent.tcp.maxports = 0;
  }

  ncp->cfg.urgent.tos = 1;
  ncp->cfg.urgent.udp.port = NULL;
  ncp->cfg.urgent.udp.nports = 0;
  ncp->cfg.urgent.udp.maxports = 0;

  mp_Init(&ncp->mp, bundle);

  /* Send over the first physical link by default */
  ipcp_Init(&ncp->ipcp, bundle, &bundle->links->physical->link, &bundle->fsm);
#ifndef NOINET6
  ipv6cp_Init(&ncp->ipv6cp, bundle, &bundle->links->physical->link,
              &bundle->fsm);
#endif
}
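/*
 * ncp_Init: reset an ncp to its defaults before any NCP is brought up.
 *
 * The urgent TCP port list is a heap copy of default_urgent_tcp_ports so
 * that it can later be grown or edited independently of the static table.
 * The allocation used to be unchecked, so a failed malloc handed NULL to
 * memcpy; it now degrades to an empty list (port NULL, nports and
 * maxports both 0) and logs the failure.  Callers that walk the list are
 * presumably bounded by nports, so an empty list is safe -- verify.
 * The UDP urgent list starts empty.  The IP and (unless NOINET6) IPv6
 * control protocols are bound to the bundle's first physical link.
 */
void
ncp_Init(struct ncp *ncp, struct bundle *bundle)
{
  ncp->afq = AF_INET;
  ncp->route = NULL;

  ncp->cfg.urgent.tcp.port =
    malloc(NDEFTCPPORTS * sizeof *ncp->cfg.urgent.tcp.port);
  if (ncp->cfg.urgent.tcp.port == NULL) {
    /* Out of memory: keep going with no urgent ports rather than crash. */
    log_Printf(LogERROR, "ncp_Init: Out of memory allocating urgent ports\n");
    ncp->cfg.urgent.tcp.nports = ncp->cfg.urgent.tcp.maxports = 0;
  } else {
    ncp->cfg.urgent.tcp.nports = ncp->cfg.urgent.tcp.maxports = NDEFTCPPORTS;
    memcpy(ncp->cfg.urgent.tcp.port, default_urgent_tcp_ports,
           NDEFTCPPORTS * sizeof *ncp->cfg.urgent.tcp.port);
  }

  ncp->cfg.urgent.tos = 1;
  ncp->cfg.urgent.udp.nports = ncp->cfg.urgent.udp.maxports = 0;
  ncp->cfg.urgent.udp.port = NULL;

  mp_Init(&ncp->mp, bundle);

  /* Send over the first physical link by default */
  ipcp_Init(&ncp->ipcp, bundle, &bundle->links->physical->link, &bundle->fsm);
#ifndef NOINET6
  ipv6cp_Init(&ncp->ipv6cp, bundle, &bundle->links->physical->link,
              &bundle->fsm);
#endif
}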
/*
 * DriverEntry: initialisation for the Shadow Walker detection driver.
 *
 * Registers the unload routine, seeds the page scan at the start of the
 * kernel address range, initialises the multiprocessor module, the
 * shutdown event and the hidden-page list, then locates ntoskrnl, asks
 * whether the page-fault interrupt (int 0x0E) is hooked and which handler
 * is the genuine one, analyses the branches of the current handler and
 * finally starts the tracer.  Any failure returns STATUS_UNSUCCESSFUL; the
 * underlying NTSTATUS is only printed.
 *
 * RegistryPath is unused.  Steps done before the first failure check
 * (mp_Init, event and list initialisation) are not undone on error --
 * presumably they hold no releasable resources; verify against mp_Init.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    BOOLEAN hooked = FALSE;

    DriverObject->DriverUnload = DriverUnload;

    /* Start checking from the first kernel-mode page.
     * NOTE(review): the (ULONG) cast truncates the pointer on 64-bit
     * targets; this appears to be 32-bit-only code -- confirm. */
    g_PageToCheck = (ULONG)*MmSystemRangeStart;

    mp_Init();
    KeInitializeEvent(&g_ShutdownEvent, NotificationEvent, 0);
    InitializeListHead(&g_HiddenPages);

    status = GetNtoskrnlRegion(&g_NtoskrnlStart, &g_NtoskrnlEnd);
    if (!NT_SUCCESS(status)) {
        DbgPrint("GetNtoskrnlRegion(): status %08X\n", status);
        return STATUS_UNSUCCESSFUL;
    }

    status = IsInterruptHooked(0x0e, 0, &hooked, &g_RealInt0EHandler);
    if (!NT_SUCCESS(status)) {
        DbgPrint("IsInterruptHooked(): status %08X\n", status);
        return STATUS_UNSUCCESSFUL;
    }

    /* Current int 0x0E handler, read from the first IDT.
     * NOTE(review): %08X with a pointer argument is only correct on
     * 32-bit builds -- same caveat as g_PageToCheck above. */
    g_Int0EHandler = GetInterruptHandler(0x0e, 0);
    if (g_RealInt0EHandler) {
        DbgPrint("Real ntoskrnl int 0x0E handler: 0x%08X, current: 0x%08X\n",
                 g_RealInt0EHandler, g_Int0EHandler);
    } else {
        /* Without the genuine handler a hook can be reported but not undone. */
        DbgPrint("Real ntoskrnl int 0x0E handler was not found: Shadow Walker removing is not possible\n");
    }

    /* The hook check is deliberately reported after the handler dump. */
    if (!hooked) {
        DbgPrint("Looks like interrupt 0x0E is not hooked\n");
        return STATUS_UNSUCCESSFUL;
    }

    status = AnalyzeBranches(g_Int0EHandler, &g_KnownBranches);
    if (!NT_SUCCESS(status)) {
        DbgPrint("AnalyzeBranches(): status %08X\n", status);
        return STATUS_UNSUCCESSFUL;
    }

    /* Debug aid only. */
    DumpKnownBranches();

    /* Begin brute-forcing the int 0x0e handler. */
    StartTracer();

    return STATUS_SUCCESS;
}