
#pragma once
#include "Monitor.h"
#include <ntimage.h>
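typedef unsigned char BYTE, *PBYTE;
// Byte/word extraction helpers modelled on the Win32 LOBYTE/HIBYTE/HIWORD macros,
// which are not available in a kernel-mode build. SHORT/ULONG/LONGLONG are presumably
// provided by the DDK headers pulled in through Monitor.h.
#define LOBYTE(w) ((BYTE)(SHORT)(w))
#define HIBYTE(w) ((BYTE)((SHORT)(w)>>8))
// Shift first, then narrow. The original form `(SHORT)((ULONG)(w))>>16` bound the cast
// before the shift, so the value was truncated to 16 bits and *then* shifted, yielding
// only 0 or -1 (sign extension) instead of the upper 16 bits.
#define HIWORD(w) ((SHORT)(((ULONG)(w))>>16))
// Upper 32 bits of a 64-bit value; masked after the arithmetic shift so a negative
// input does not carry sign bits into the result.
#define HIDWORD(w) ((ULONG)(((LONGLONG)(w)>>32)&0xFFFFFFFF))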
// Kernel headers define no HWND; the win32k (shadow SSDT) prototypes below use it for window handles.
typedef HANDLE HWND;
// One entry of the kernel's service descriptor table (KeServiceDescriptorTable /
// KeServiceDescriptorTableShadow) in the 32-bit layout this code expects. The structure
// is undocumented; the field roles below follow its conventional naming and should be
// confirmed against the kernel build in use.
typedef struct _KSERVICE_TABLE_DESCRIPTOR {
    PULONG_PTR Base;   // service routine address table (ServiceTableBase)
    PULONG Count;      // per-service call counters (ServiceCounterTableBase); typically NULL on free builds
    ULONG Limit;       // number of entries in Base (NumberOfServices) - the bound for any service index
    PUCHAR Number;     // per-service argument byte counts (ParamTableBase)
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
// NOTE(review): this is a tentative *definition*, not a declaration; every translation
// unit that includes this header gets its own copy. It should be `extern` here with one
// definition in a .c file (left unchanged because the defining .c is not visible here).
int (__stdcall *OriZwDisplayStringAddress)(int);
// Prototypes for the hook machinery implemented in the matching .c.
// NOTE(review): empty parameter lists `()` are unprototyped in C; `(void)` is the intended form.
NTSTATUS _KisInstallKiFastCallEntryHook();
NTSTATUS _HookZwDisplayString();
ULONG __stdcall _FakeZwDisplayString(PCUNICODE_STRING StringTest);
// "Retuan" (for "Return") is a typo baked into the interface; renaming it means touching every caller.
ULONG __stdcall _GetKiFastCallEntryRetuanAddress(PVOID VirtualAddress);
// Presumably scan the range [StartAddress, StartAddress + Size/Length) for a code location
// and return it through the out-parameter; confirm against the implementation.
NTSTATUS __stdcall _KisGetKiFastCallEntryMoveEbxAddress(ULONG StartAddress, ULONG Size, ULONG *MoveEbxAddress);
ULONG __stdcall _KisGetKiFastCallEntryHookAddress(ULONG StartAddress, ULONG Length, ULONG *MmUserProbeAddress1);
NTSTATUS __stdcall _KisHookKiFastCallEntryPoint(ULONG HookAddress);
VOID _KifakeFastCallEntry();
// Parameter names look decompiler-generated (a1, a2); confirm their meaning against the implementation.
ULONG __stdcall HookKiFastCallEntry(signed __int64 *a1, signed __int64 a2);
NTSTATUS _KisHookKiFastCallEntry();
// Per-syscall filter reached from the hook with the resolved service routine, its index,
// argument count and owning table; the return value's contract is defined by the .c.
ULONG __stdcall _KisSyscallFilter(ULONG FuncAddress,ULONG edx ,ULONG Index ,ULONG Argc, PVOID SSDTBase);
//VOID __stdcall Filter(ULONG ServiceId, ULONG TableBase, ULONG Argc, ULONG StackAddr)
VOID SetFakeFunction();
// Exported by ntoskrnl; declared here, presumably because the DDK headers in use lack it.
NTSYSAPI
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader(PVOID Base);
// IOCTL dispatcher. InputBuffer/OutputBuffer and their sizes originate from user mode;
// the implementation must validate every access against uInSize/uOutSize before use.
NTSTATUS FuncMonitorDeviceControl(ULONG_PTR uIoControlCode,PVOID InputBuffer,ULONG_PTR uInSize,PVOID OutputBuffer,ULONG_PTR uOutSize);
PVOID
GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);
// Locate the win32k shadow service descriptor table for the respective bitness.
PVOID GetKeShadowServiceDescriptorTable32();
PVOID GetKeShadowServiceDescriptorTable64();
// One captured system-call event, queued for the consumer through ListEntry.
// Field meanings are inferred from the names; confirm against the producer in the .c.
typedef struct _XBoxData_ {
    ULONG pid;            // calling process id
    ULONG tid;            // calling thread id
    ULONG sid;            // presumably the service (syscall) index
    UCHAR argc;           // number of valid entries in args; the producer must clamp it to 16
    UCHAR bFromUser;      // presumably non-zero when the call came from user mode
    UCHAR bFromSSDT;      // presumably distinguishes SSDT from shadow-SSDT services
    ULONG args[16];       // argument dwords; fixed capacity, so argc must never exceed 16
    LARGE_INTEGER time;
    LIST_ENTRY ListEntry; // link for the list this record is queued on
} XBoxData, *PXBoxData, **PPXBoxData;
// Presumably consumes an event buffer handed in through the IOCTL path; InSize is the
// byte length of InputBuffer and must bound every read of it.
NTSTATUS FuncEventToKernelEvent(PULONG_PTR InputBuffer,ULONG_PTR InSize);
// Table capacities. SDOW_MAX_NUM / SSDT_MAX_NUM duplicate SHADOWSSDT_FILTER_NUM /
// SSDT_FILTER_NUM (850 / 500) defined further down; keep them in sync or fold them together.
#define SDOW_MAX_NUM 850
#define SSDT_MAX_NUM 500
#define FSD_MAX_NUM 56
#define KBD_MAX_NUM 28
#define IDT_MAX_NUM 256
#define MAX_REASON 350
#define OPCODE_LEN 10
#define SYSMODULE_MAX 256
// Size of SSDTServiceIndex / ShadowSSDTServiceIndex in SYSCALL_FILTER_INFO_TABLE; must stay
// above the highest value of the _SSDT_HOOK_INDEX / _SHADOW_SSDT_HOOK_INDEX enums.
#define SSDT_MAX_HOOK_INDEX 30
// Slots into SYSCALL_FILTER_INFO_TABLE.SSDTServiceIndex for the native services this driver
// intercepts. Highest value is 8, within SSDT_MAX_HOOK_INDEX (30).
// NOTE(review): the trailing `SSDT_HOOK_INDEX` is not a type name but a global variable of
// this enum type, defined in every translation unit that includes the header. If a type was
// intended, this should read `typedef enum _SSDT_HOOK_INDEX { ... } SSDT_HOOK_INDEX;`.
enum _SSDT_HOOK_INDEX
{
    SSDT_NTOPENPROCESS_INDEX = 0,
    SSDT_NTCREATETHREAD_INDEX = 1,
    SSDT_NTOPENTHREAD_INDEX = 2,
    SSDT_NTWRITEVIRTUALMEMORY_INDEX = 3,
    SSDT_NTDUPLICATEOBJECT_INDEX = 4,
    SSDT_NTSETSYSTEMINFORMATION_INDEX = 5,
    SSDT_NTQUEUEAPCTHREAD_INDEX = 6 ,
    SSDT_NTDEBUGACTIVEPROCESS_INDEX = 7,
    SSDT_NTREMOVEPROCESSDEBUG_INDEX = 8
}SSDT_HOOK_INDEX;
// Slots into SYSCALL_FILTER_INFO_TABLE.ShadowSSDTServiceIndex for the win32k services this
// driver intercepts. Highest value is 15, within SSDT_MAX_HOOK_INDEX (30).
// NOTE(review): as with _SSDT_HOOK_INDEX, the trailing `SHADOW_SSDT_HOOK_INDEX` defines a
// global variable in every including translation unit rather than a type name.
enum _SHADOW_SSDT_HOOK_INDEX
{
    SHADOWSSDT_NTUSERFINDWINDOWSEX_INDEX = 0,
    SHADOWSSDT_NTUSERQUERYWINDOW_INDEX = 1 ,
    SHADOWSSDT_NTUSERSETWINDOWSHOOKEX_INDEX = 2,
    SHADOWSSDT_NTUSERBUILDHWNDLIST_INDEX = 3,
    SHADOWSSDT_NTUSERWINDOWFROMPOINT_INDEX = 4,
    SHADOWSSDT_NTUSERSETPARENT_INDEX = 5,
    SHADOWSSDT_NTUSERPOSTMESSAGE_INDEX = 6,
    SHADOWSSDT_NTUSERMESSAGECALL_INDEX = 7,
    SHADOWSSDT_NTUSERDESTROYWINDOW_INDEX = 8,
    SHADOWSSDT_NTUSERSHOWWINDOW_INDEX = 9,
    SHADOWSSDT_NTUSERSETWINDOWLONG_INDEX = 10 ,
    SHADOWSSDT_NTUSERINTERNALGETWINDOWTEXT_INDEX = 11,
    SHADOWSSDT_NTUSERSETWINDOWPOS_INDEX = 12 ,
    SHADOWSSDT_NTUSERGETCLASSNAME_INDEX = 13 ,
    SHADOWSSDT_NTUSERGETWINDOWPLACEMENT_INDEX = 14,
    SHADOWSSDT_NTUSERGETFOREGROUNDWINDOW_INDEX = 15
}SHADOW_SSDT_HOOK_INDEX;
// Capacities of the saved / proxy / switch tables in SYSCALL_FILTER_INFO_TABLE.
#define SSDT_FILTER_NUM 500
#define SHADOWSSDT_FILTER_NUM 850
// Hard-coded structure offsets (original comments translated from Chinese). These fit one
// particular 32-bit kernel build only and are not valid across Windows versions; they should
// be verified against, or resolved from, the running build before being dereferenced.
#define SECTIONOBJECT 0x138 // offset of SectionObject within _EPROCESS
#define SEGMENT 0x014 // offset of Segment within _SECTION_OBJECT
#define CONTROLAREA 0x000 // offset of ControlArea within _SEGMENT
#define FILEPOINTER 0x024 // offset of FilePointer within _CONTROL_AREA
// Initial TEB / stack description passed to NtCreateThread (original comment: "TEB initialisation").
// Mirrors the INITIAL_TEB layout referenced by the NtCreateThread prototypes further down.
typedef struct _INITIAL_TEB {
    struct {
        PVOID OldStackBase;
        PVOID OldStackLimit;
    } OldInitialTeb;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID StackAllocationBase;
} INITIAL_TEB, *PINITIAL_TEB;
// State shared between the KiFastCallEntry hook and the SSDT / shadow-SSDT filters.
// The original Chinese field comments are translated; the meaning of the undocumented
// fields is inferred from their names and should be confirmed against the .c that fills them.
// Any index used against the fixed-size tables below must be checked against the
// *_FILTER_NUM / SSDT_MAX_HOOK_INDEX capacities first.
typedef struct _SYSCALL_FILTER_INFO_TABLE
{
    ULONG ulKiFastCallEntry;       // address of KiFastCallEntry
    ULONG ulNewRetKiFastCallEntry; // presumably the address execution resumes at after the hook
    UCHAR HookCode[13];            // presumably the code bytes saved/written at the hook site (fixed 13-byte size)
    ULONG ulCopyLength;            // presumably the number of original bytes relocated
    ULONG ulSSDTAddr;              // KeServiceDescriptorTable base
    ULONG ulSHADOWSSDTAddr;        // KeServiceDescriptorTableShadow base
    ULONG ulSSDTNum;               // number of SSDT services; expected <= SSDT_FILTER_NUM
    ULONG ulSHADOWSSDTNum;         // number of shadow-SSDT services; expected <= SHADOWSSDT_FILTER_NUM
    ULONG FastCallType;
    ULONG SavedSSDTTable[SSDT_FILTER_NUM];               // original SSDT routine addresses
    ULONG ProxySSDTTable[SSDT_FILTER_NUM];               // replacement (proxy) SSDT routine addresses
    ULONG SSDTServiceIndex[SSDT_MAX_HOOK_INDEX];         // service index per _SSDT_HOOK_INDEX slot
    ULONG SSDTSwitchTable[SSDT_FILTER_NUM];              // per-service SSDT hook on/off switch
    ULONG SavedShadowSSDTTable[SHADOWSSDT_FILTER_NUM];   // original shadow-SSDT routine addresses
    ULONG ProxyShadowSSDTTable[SHADOWSSDT_FILTER_NUM];   // replacement (proxy) shadow-SSDT routine addresses
    ULONG ShadowSSDTServiceIndex[SSDT_MAX_HOOK_INDEX];   // service index per _SHADOW_SSDT_HOOK_INDEX slot
    ULONG ShadowSSDTSwitchTable[SHADOWSSDT_FILTER_NUM];  // per-service shadow-SSDT hook on/off switch
    ULONG ulEPROCESSPidOffset;     // presumably the offset of the process id within _EPROCESS (build-specific)
}SYSCALL_FILTER_INFO_TABLE,*PSYSCALL_FILTER_INFO_TABLE;
// Function-pointer types for the native / win32k services handled by the filter, each
// presumably used to call the original routine saved in SYSCALL_FILTER_INFO_TABLE, paired
// with the replacement ("Fake") prototype where one exists. IN/OUT/__in/__out are SAL
// annotations and expand to nothing.
typedef BOOL (*NTUSERPOSTTHREADMESSAGE)
(
    DWORD idThread,
    UINT Msg,
    WPARAM wParam,
    LPARAM lParam
);
// NOTE(review): NTDUPLICATEOBJECT is typedef'd a second time next to FakeNtDuplicateObject
// further down. Both spell the same function type, which C11 tolerates, but one should go.
typedef NTSTATUS (*NTDUPLICATEOBJECT)
(
    IN HANDLE SourceProcessHandle,
    IN HANDLE SourceHandle,
    IN HANDLE TargetProcessHandle,
    OUT PHANDLE TargetHandle OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG Attributes,
    IN ULONG Options
);
typedef NTSTATUS (*NTCREATEDEBUGOBJECT)
(
    OUT PHANDLE DebugObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG Flags
);
// NOTE(review): NtQUEUEAPCTHREAD (different capitalisation) below declares the same type again.
typedef NTSTATUS (*NTQUEUEAPCTHREAD)
(
    IN HANDLE ThreadHandle,
    IN PKNORMAL_ROUTINE ApcRoutine,
    IN PVOID ApcContext OPTIONAL,
    IN PVOID Argument1 OPTIONAL,
    IN PVOID Argument2 OPTIONAL
);
typedef NTSTATUS (*NTSETTHREADCONTEXT)
(
    IN HANDLE hThread,
    IN PCONTEXT pContext
);
// Hook-procedure callback type used by the NTUSERSETWINDOWSHOOKEX signature below.
typedef NTSTATUS (*HOOKPROC)(int code, WPARAM wParam, LPARAM lParam);
// NtSetSystemInformation signature and its replacement (slot SSDT_NTSETSYSTEMINFORMATION_INDEX).
typedef NTSTATUS (*NTSETSYSTEMINFORMATION)(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout PVOID SystemInformation,
    __in ULONG SystemInformationLength);
// SystemInformation is a user-supplied buffer; the replacement must not trust
// SystemInformationLength beyond what it has probed.
NTSTATUS FakeNtSetSystemInformation(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout PVOID SystemInformation,
    __in ULONG SystemInformationLength);
// NtOpenProcess signature and its replacement (slot SSDT_NTOPENPROCESS_INDEX).
typedef NTSTATUS (*NTOPENPROCESS) (
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId);
NTSTATUS FakeNtOpenProcess (
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId
);
// NtCreateThread replacement and signature (slot SSDT_NTCREATETHREAD_INDEX); InitialTeb
// uses the INITIAL_TEB definition above.
NTSTATUS FakeNtCreateThread(
    __out PHANDLE ThreadHandle,
    __in ACCESS_MASK DesiredAccess,
    __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
    __in HANDLE ProcessHandle,
    __out PCLIENT_ID ClientId,
    __in PCONTEXT ThreadContext,
    __in PINITIAL_TEB InitialTeb,
    __in BOOLEAN CreateSuspended
);
typedef NTSTATUS (*NTCREATETHREAD)(
    __out PHANDLE ThreadHandle,
    __in ACCESS_MASK DesiredAccess,
    __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
    __in HANDLE ProcessHandle,
    __out PCLIENT_ID ClientId,
    __in PCONTEXT ThreadContext,
    __in PINITIAL_TEB InitialTeb,
    __in BOOLEAN CreateSuspended);
// NtOpenThread signature and its replacement (slot SSDT_NTOPENTHREAD_INDEX).
typedef NTSTATUS (*NTOPENTHREAD) (
    __out PHANDLE ThreadHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId);
NTSTATUS FakeNtOpenThread (
    __out PHANDLE ThreadHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId
);
// NtWriteVirtualMemory signature and its replacement (slot SSDT_NTWRITEVIRTUALMEMORY_INDEX).
typedef NTSTATUS (*NTWRITEVIRTUALMEMORY)(
    __in HANDLE ProcessHandle,
    __in_opt PVOID BaseAddress,
    __in_bcount(BufferSize) CONST VOID *Buffer,
    __in SIZE_T BufferSize,
    __out_opt PSIZE_T NumberOfBytesWritten);
// Buffer and NumberOfBytesWritten are user-mode pointers; the replacement must probe them
// before reading or writing through them.
NTSTATUS FakeNtWriteVirtualMemory(
    __in HANDLE ProcessHandle,
    __in_opt PVOID BaseAddress,
    __in_bcount(BufferSize) CONST VOID *Buffer,
    __in SIZE_T BufferSize,
    __out_opt PSIZE_T NumberOfBytesWritten
);
// NOTE(review): duplicate typedef of NTDUPLICATEOBJECT (first one sits above NTCREATEDEBUGOBJECT).
// The parameter names differ but the type is identical, so it compiles; keep only one.
typedef NTSTATUS (*NTDUPLICATEOBJECT)(
    __in HANDLE SourceProcessHandle,
    __in HANDLE SourceHandle,
    __in_opt HANDLE TargetProcessHandle,
    __out_opt PHANDLE TargetHandle,
    __in ACCESS_MASK DesiredAccess,
    __in ULONG HandleAttributes,
    __in ULONG Options);
// NtDuplicateObject replacement (slot SSDT_NTDUPLICATEOBJECT_INDEX).
NTSTATUS FakeNtDuplicateObject (
    __in HANDLE SourceProcessHandle,
    __in HANDLE SourceHandle,
    __in_opt HANDLE TargetProcessHandle,
    __out_opt PHANDLE TargetHandle,
    __in ACCESS_MASK DesiredAccess,
    __in ULONG HandleAttributes,
    __in ULONG Options);
// NtDebugActiveProcess / NtRemoveProcessDebug signatures and replacements
// (slots SSDT_NTDEBUGACTIVEPROCESS_INDEX and SSDT_NTREMOVEPROCESSDEBUG_INDEX).
typedef NTSTATUS (*NTDEBUGACTIVEPROCESS) ( IN HANDLE ProcessHandle,
    IN HANDLE DebugObjectHandle
);
NTSTATUS FakeNtDebugActiveProcess (IN HANDLE ProcessHandle,
    IN HANDLE DebugObjectHandle
);
typedef NTSTATUS (*NTREMOVEPROCESSDEBUG) ( IN HANDLE ProcessHandle,
    IN HANDLE DebugObjectHandle
);
NTSTATUS FakeNtRemoveProcessDebug ( IN HANDLE ProcessHandle,
    IN HANDLE DebugObjectHandle
) ;
/************************ window-management related functions (win32k / shadow SSDT) ********************************/
// NtUserFindWindowEx signature and replacement (slot SHADOWSSDT_NTUSERFINDWINDOWSEX_INDEX).
// Both UNICODE_STRING arguments are optional (may be NULL) and come from user mode.
typedef HWND (*NTUSERFINDWINDOWEX)(
    __in HWND hwndParent,
    __in HWND hwndChild,
    __in PUNICODE_STRING pstrClassName OPTIONAL,
    __in PUNICODE_STRING pstrWindowName OPTIONAL,
    __in DWORD dwType);
HWND FakeNtUserFindWindowEx(
    __in HWND hwndParent,
    __in HWND hwndChild,
    __in PUNICODE_STRING pstrClassName OPTIONAL,
    __in PUNICODE_STRING pstrWindowName OPTIONAL,
    __in DWORD dwType);
// NtUserQueryWindow signature and replacement (slot SHADOWSSDT_NTUSERQUERYWINDOW_INDEX).
typedef UINT_PTR (*NTUSERQUERYWINDOW)(
    IN ULONG WindowHandle,
    IN ULONG TypeInformation);
UINT_PTR FakeNtUserQueryWindow(
    IN ULONG WindowHandle,
    IN ULONG TypeInformation);
// NOTE(review): NtQUEUEAPCTHREAD duplicates NTQUEUEAPCTHREAD (declared above) under a
// different capitalisation; both name the same function type. Keep one.
typedef
NTSTATUS (*NtQUEUEAPCTHREAD)(
    IN HANDLE ThreadHandle,
    IN PKNORMAL_ROUTINE ApcRoutine,
    IN PVOID ApcContext OPTIONAL,
    IN PVOID Argument1 OPTIONAL,
    IN PVOID Argument2 OPTIONAL
);
// NtQueueApcThread replacement (slot SSDT_NTQUEUEAPCTHREAD_INDEX). This is the only
// replacement in the header carrying an explicit NTAPI; confirm the others match the
// calling convention the dispatcher expects.
NTSTATUS
NTAPI FakeNtQueueApcThread(
    IN HANDLE ThreadHandle,
    IN PKNORMAL_ROUTINE ApcRoutine,
    IN PVOID ApcContext OPTIONAL,
    IN PVOID Argument1 OPTIONAL,
    IN PVOID Argument2 OPTIONAL
);
// NtUserSetWindowsHookEx signature and replacement (slot SHADOWSSDT_NTUSERSETWINDOWSHOOKEX_INDEX).
// UnsafeModuleName is, as its name says, an unvalidated user-mode UNICODE_STRING.
typedef HANDLE (*NTUSERSETWINDOWSHOOKEX)(IN HANDLE Mod,
    IN PUNICODE_STRING UnsafeModuleName,
    IN DWORD ThreadId,
    IN INT HookId,
    IN HOOKPROC HookProc,
    IN BOOL Ansi);
HANDLE FakeNtUserSetWindowsHookEx(HANDLE Mod,
    PUNICODE_STRING UnsafeModuleName,
    DWORD ThreadId,
    INT HookId,
    HOOKPROC HookProc,
    BOOL Ansi);
// NtUserBuildHwndList signature and replacement (slot SHADOWSSDT_NTUSERBUILDHWNDLIST_INDEX).
// phwndFirst is a user-mode array of at most cHwndMax handles; pcHwndNeeded receives the
// required count.
typedef NTSTATUS (*NTUSERBUILDHWNDLIST)(
    IN HDESK hdesk,
    IN HWND hwndNext,
    IN ULONG fEnumChildren,
    IN DWORD idThread,
    IN UINT cHwndMax,
    OUT HWND *phwndFirst,
    OUT ULONG* pcHwndNeeded);
NTSTATUS FakeNtUserBuildHwndList(
    IN HDESK hdesk,
    IN HWND hwndNext,
    IN ULONG fEnumChildren,
    IN DWORD idThread,
    IN UINT cHwndMax,
    OUT HWND *phwndFirst,
    OUT ULONG* pcHwndNeeded);
// NtUserWindowFromPoint / NtUserSetParent / NtUserPostMessage signatures and replacements
// (slots SHADOWSSDT_NTUSERWINDOWFROMPOINT_INDEX, SHADOWSSDT_NTUSERSETPARENT_INDEX,
// SHADOWSSDT_NTUSERPOSTMESSAGE_INDEX).
typedef ULONG (*NTUSERWINDOWFROMPOINT)(LONG x, LONG y);
ULONG FakeNtUserWindowFromPoint(LONG x, LONG y);
typedef HWND (*NTUSERSETPARENT)(HWND hWndChild,HWND hWndNewParent);
HWND FakeNtUserSetParent(HWND hWndChild,HWND hWndNewParent);
typedef BOOL (*NTUSERPOSTMESSAGE)(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam);
BOOL FakeNtUserPostMessage(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam);
// NtUserMessageCall signature and replacement (slot SHADOWSSDT_NTUSERMESSAGECALL_INDEX).
typedef ULONG (*NTUSERMESSAGECALL)(
    HWND hwnd,
    UINT msg,
    WPARAM wParam,
    LPARAM lParam,
    PULONG xParam,
    ULONG xpfnProc,
    BOOL bAnsi
);
ULONG FakeNtUserMessageCall(
    HWND hwnd,
    UINT msg,
    WPARAM wParam,
    LPARAM lParam,
    PULONG xParam,
    ULONG xpfnProc,
    BOOL bAnsi
);
// NtUserDestroyWindow / NtUserShowWindow / NtUserSetWindowLong / NtUserInternalGetWindowText
// signatures and replacements (slots 8 through 11 of _SHADOW_SSDT_HOOK_INDEX).
typedef BOOL (*NTUSERDESTROYWINDOW)(HWND hWnd);
BOOL FakeNtUserDestroyWindow( HWND hWnd );
typedef BOOL (*NTUSERSHOWWINDOW)(HWND hWnd,long nCmdShow);
BOOL FakeNtUserShowWindow(HWND hWnd,long nCmdShow);
typedef long (*NTUSERSETWINDOWLONG)(HWND hWnd, ULONG Index, long NewValue, BOOL Ansi);
long FakeNtUserSetWindowLong(HWND hWnd, ULONG Index, long NewValue, BOOL Ansi);
// lpString is a user-mode buffer of nMaxCount WCHARs; the replacement must bound writes by it.
typedef INT (*NTUSERINTERNALGETWINDOWTEXT)(HWND hWnd, LPWSTR lpString, INT nMaxCount);
INT CALLBACK FakeNtUserInternalGetWindowText(HWND hWnd, LPWSTR lpString, INT nMaxCount);
// NtUserSetWindowPos signature and replacement (slot SHADOWSSDT_NTUSERSETWINDOWPOS_INDEX).
typedef BOOL (*NTUSERSETWINDOWPOS)(
    HWND hWnd,
    HWND hWndInsertAfter,
    int X,
    int Y,
    int cx,
    int cy,
    UINT uFlags);
BOOL CALLBACK
FakeNtUserSetWindowPos(
    HWND hWnd,
    HWND hWndInsertAfter,
    int X,
    int Y,
    int cx,
    int cy,
    UINT uFlags);
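// NtUserGetClassName signature and replacement (slot SHADOWSSDT_NTUSERGETCLASSNAME_INDEX).
// The return type was missing from the original typedef (implicit int, invalid since C99
// and a silent mismatch waiting to happen); INT matches the FakeNtUserGetClassName
// prototype that follows. ClassName is a user-mode UNICODE_STRING the replacement must probe.
typedef INT (*NTUSERGETCLASSNAME)(IN HWND hWnd,
    OUT PUNICODE_STRING ClassName,
    IN BOOL Ansi);
INT CALLBACK
FakeNtUserGetClassName (IN HWND hWnd,
    OUT PUNICODE_STRING ClassName,
    IN BOOL Ansi);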
// NtUserGetWindowPlacement / NtUserGetForegroundWindow signatures and replacements
// (slots SHADOWSSDT_NTUSERGETWINDOWPLACEMENT_INDEX, SHADOWSSDT_NTUSERGETFOREGROUNDWINDOW_INDEX).
// lpwndpl is untyped here (void*); presumably a user-mode WINDOWPLACEMENT - confirm in the .c.
typedef BOOL (*NTUSERGETWINDOWPLACEMENT)(HWND hWnd,
    void* lpwndpl);
BOOL CALLBACK
FakeNtUserGetWindowPlacement(HWND hWnd,
    void* lpwndpl);
typedef ULONG (*NTUSERGETFOREGROUNDWINDOW)(VOID);
ULONG FakeNtUserGetForegroundWindow(VOID);
/*****************************************************************************************************/