
            內核態實現進程和端口關聯
             
            //////////////////////////////////////////////////////////////////////////////////////////
            //  作者 beiyu http://beiyu.bokee.com
            //  內核態實現進程和端口關聯,在 Windows 2000、XP、2003 下可以用。
            //  感謝Leven公布了他的代碼,增加了區分tcp,udp,增加了操作系統的兼容性
            //  可以在Windows 2000, xp, 2003下面正常使用,編譯環境Win2000DDK
            //  使用妳的sys loader加載,使用Dbgview查看
            //  如果你有什么改進,請email我: beiyuly@gmail.com 
            //
            //////////////////////////////////////////////////////////////////////////////////////////
            #include <ntddk.h>
            #include <string.h>

            // SYSTEM_INFORMATION_CLASS value for ZwQuerySystemInformation(): dump of the whole handle table (see GetHandleList()).
            #define SystemHandleInformation  16
            // Threshold GetOpenPort() uses to split the raw "tcpudp" word that Start() reads out of the object into two
            // classes for duplicate detection; what the word itself represents is not established anywhere on this page.
            #define TCPUDP_FLAG   100
            // ObjectTypeNumber (see SYSTEM_HANDLE_INFORMATION below) that Start() treats as a socket handle.
            // 2000 and 2003 share 0x1a, so the three-way test in Start() really covers two values.
            #define WIN2K_SOCKET_FLAG  0x1a //2k
            #define WINXP_SOCKET_FLAG  0x1c //xp
            #define WIN2K3_SOCKET_FLAG  0x1a //2k3
            // Byte offset of the image name inside EPROCESS, per kernel version. These are build-specific constants
            // chosen by the author; nothing in this file validates them against the running kernel.
            #define WIN2K_EPROCESS_NAMEOFFSET    0x1fc //2k
            #define WINXP_EPROCESS_NAMEOFFSET    0x174 //xp
            #define WIN2K3_EPROCESS_NAMEOFFSET   0x1fc //2k3

            // OBJECT_INFORMATION_CLASS values for ZwQueryObject(); only ObjectNameInformation is used in this file.
            #define ObjectNameInformation  1
            #define ObjectAllTypesInformation 3

            /*
            typedef struct _OBJECT_NAME_INFORMATION {
            UNICODE_STRING Name;
            } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

            typedef struct _OBJECT_TYPE_INFORMATION {
            UNICODE_STRING Name;
            ULONG ObjectCount;
            ULONG HandleCount;
            ULONG Reserved1[4];
            ULONG PeakObjectCount;
            ULONG PeakHandleCount;
            ULONG Reserved2[4];
            ULONG InvalidAttributes;
            GENERIC_MAPPING GenericMapping;
            ULONG ValidAccess;
            UCHAR Unknown;
            BOOLEAN MaintainHandleDatabase;
            POOL_TYPE PoolType;
            ULONG PagedPoolUsage;
            ULONG NonPagedPoolUsage;
            } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

            typedef struct _OBJECT_ALL_TYPES_INFORMATION {
            ULONG NumberOfTypes;
            OBJECT_TYPE_INFORMATION TypeInformation;
            } OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;
            */

            // 16-bit byte swap (network -> host order), applied to the port field in GetOpenPort().
            // Function-like macro: the argument is evaluated twice, so callers must pass a side-effect-free expression.
            #define ntohs(s) \
                ( ( ((s) >> 8) & 0x00FF ) | \
            ( ((s) << 8) & 0xFF00 ) )

            // Output buffer of the TDI query issued in GetOpenPort(); same layout as tdi.h's TDI_CONNECTION_INFO.
            // Only ReceivedTsdus (byte offset 12) is ever read, and it is reinterpreted as a big-endian port number —
            // the reply is not actually consumed as a connection-statistics record.
            typedef struct _TDI_CONNECTION_INFO {
                ULONG          State;
                ULONG          Event;
                ULONG          TransmittedTsdus;
                ULONG          ReceivedTsdus;
                ULONG          TransmissionErrors;
                ULONG          ReceiveErrors;
                LARGE_INTEGER  Throughput;
                LARGE_INTEGER  Delay;
                ULONG          SendBufferSize;
                ULONG          ReceiveBufferSize;
                BOOLEAN        Unreliable;
            } TDI_CONNECTION_INFO, *PTDI_CONNECTION_INFO;

            // Input buffer of the TDI query issued in GetOpenPort(); same layout as tdi.h's TDI_CONNECTION_INFORMATION.
            // Only RemoteAddressLength (byte offset 16) is ever set, to 4 or 3; every other field stays zero.
            // NOTE(review): offset 16 is where TDI_REQUEST_QUERY_INFORMATION keeps its QueryType, which is presumably
            // what those two values really select — confirm against tdi.h before relying on this.
            typedef struct _TDI_CONNECTION_INFORMATION {
                LONG   UserDataLength;
                PVOID  UserData;
                LONG   OptionsLength;
                PVOID  Options;
                LONG   RemoteAddressLength;
                PVOID  RemoteAddress;
            } TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION;

            // One entry of the SystemHandleInformation dump. The dump begins with a ULONG entry count and the
            // entries follow immediately; Start() skips those 4 bytes before indexing.
            typedef struct _SYSTEM_HANDLE_INFORMATION
            {
                    ULONG ProcessID;        // PID of the process that owns the handle
                    UCHAR ObjectTypeNumber;        // object type index, compared with the *_SOCKET_FLAG values
                    UCHAR Flags;             //0x01 = PROTECT_FROM_CLOSE,0x02 = INHERIT
                    USHORT Handle;             // handle value inside the owning process
                    PVOID  Object;            // kernel address of the object the handle refers to (the original note here
                                              // listed socket type indices: NT4/2000 0x1A, XP 0x1c, 2003 cut off — see the defines above)
                    ACCESS_MASK GrantedAccess;      // access granted when the handle was created
            }SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;

            // Hand-written prototypes for routines the Win2000 DDK headers do not expose.
            // ReturnLength receives the size required on STATUS_INFO_LENGTH_MISMATCH; GetHandleList() relies on that.
            NTSYSAPI
            NTSTATUS
            NTAPI
            ZwQuerySystemInformation(
                IN ULONG SystemInformationClass,
                IN OUT PVOID SystemInformation,
                IN ULONG SystemInformationLength,
                OUT PULONG ReturnLength);

            // Used synchronously by GetOpenPort() (no event, no APC). The control code passed there, 0x210012,
            // decodes as FILE_DEVICE_TRANSPORT / function 4 / METHOD_OUT_DIRECT, i.e. IOCTL_TDI_QUERY_INFORMATION.
            NTSYSAPI
            NTSTATUS
            NTAPI
            NtDeviceIoControlFile(
                                  IN HANDLE FileHandle,
                                  IN HANDLE Event OPTIONAL,
                                  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
                                  IN PVOID ApcContext OPTIONAL,
                                  OUT PIO_STATUS_BLOCK IoStatusBlock,
                                  IN ULONG IoControlCode,
                                  IN PVOID InputBuffer OPTIONAL,
                                  IN ULONG InputBufferLength,
                                  OUT PVOID OutputBuffer OPTIONAL,
                                  IN ULONG OutputBufferLength
                                  );

            // Called with ObjectNameInformation in GetOpenPort(), writing a UNICODE_STRING plus its characters into
            // a 512-byte stack buffer; the name is then compared against "\Device\Tcp" / "\Device\Udp".
            NTSYSAPI
            NTSTATUS
            NTAPI
            ZwQueryObject(
                 IN HANDLE ObjectHandle,
                 IN ULONG ObjectInformationClass,
                 OUT PVOID ObjectInformation,
                 IN ULONG ObjectInformationLength,
                 OUT PULONG ReturnLength OPTIONAL
                 );

            // NOTE(review): declared here as returning BOOLEAN, whereas the documented ZwDuplicateObject returns
            // NTSTATUS; do not wrap a call to this declaration in NT_SUCCESS() without fixing the return type.
            // GetOpenPort() passes dwOptions = 2, which corresponds to DUPLICATE_SAME_ACCESS.
            NTSYSAPI
            BOOLEAN
            NTAPI
            NtDuplicateObject(
              IN HANDLE hSourceProcessHandle,
              IN HANDLE hSourceHandle,
              IN HANDLE hTargetProcessHandle,
              OUT HANDLE * lpTargetHandle,
              IN ULONG dwDesiredAccess,
              IN BOOLEAN bInheritHandle,
              IN ULONG dwOptions
            );

            // The DDK declares the first parameter as HANDLE ProcessId; ULONG is layout-compatible on the 32-bit
            // kernels this file targets. On success *pEProcess carries a reference that the caller must release
            // with ObDereferenceObject() once it is done with the process.
            NTSYSAPI
            NTSTATUS
            NTAPI
            PsLookupProcessByProcessId(
                 IN ULONG ulProcId,
                 OUT PEPROCESS * pEProcess
                 );


            // Driver entry point and unload callback; both are defined at the bottom of the file.
            NTSTATUS
            DriverEntry(IN PDRIVER_OBJECT DriverObject,
                        IN PUNICODE_STRING RegistryPath);

            void DriverUnload(IN PDRIVER_OBJECT DriverObject);

            // Global tables of the ports found: filled by GetOpenPort(), printed by Start().
            // Parallel arrays indexed 0..g_num-1, fixed at 1000 entries; g_num is the only bound on them.
            ULONG g_pid[1000];      // owning PID
            ULONG g_port[1000];     // local port, host byte order
            ULONG g_handle[1000];   // handle value inside the owning process (recorded, never printed)
            ULONG g_tcpudp[1000];   // raw word Start() read from the object; printed as the trailing number
            ULONG g_num =0 ;        // number of valid entries
            ULONG g_tu[1000]; //g_tu=0 tcp, g_tu=1 udp  (zero-initialised, so an entry whose device name matched neither prints as TCP)

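            // Snapshot every handle in the system.
            /*
             * GetHandleList - query SystemHandleInformation into a freshly allocated buffer.
             *
             * Returns the address of a NonPagedPool buffer holding the raw dump
             * (first ULONG = entry count, SYSTEM_HANDLE_INFORMATION entries follow),
             * or 0 when allocation or the query fails. The caller owns the buffer
             * and must release it with ExFreePool().
             *
             * The address travels in a ULONG, as in the original, so this only works
             * on 32-bit kernels. The handle table can grow between the size probe and
             * the real query, so the query is retried with a larger buffer instead of
             * trusting a single STATUS_INFO_LENGTH_MISMATCH round trip.
             */
            ULONG GetHandleList(void)
            {
                PVOID pBuffer = NULL;
                ULONG size = 0x1000;
                ULONG needed = 0;
                NTSTATUS status;
                int attempt;

                DbgPrint("GetHandleList\n");

                for (attempt = 0; attempt < 4; attempt++)
                {
                    pBuffer = ExAllocatePool(NonPagedPool, size);
                    if (pBuffer == NULL)
                        return 0;   /* the original dereferenced a NULL allocation here */

                    needed = 0;
                    status = ZwQuerySystemInformation(SystemHandleInformation, pBuffer, size, &needed);
                    if (NT_SUCCESS(status))
                        return (ULONG)pBuffer;

                    ExFreePool(pBuffer);
                    pBuffer = NULL;

                    if (status != STATUS_INFO_LENGTH_MISMATCH)
                        return 0;

                    /* Grow beyond the reported requirement: more handles may appear before the next call. */
                    size = (needed > size) ? needed + 0x1000 : size * 2;
                }

                return 0;
            }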

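            // Resolve the port behind a handle.
            /*
             * GetOpenPort - resolve the local port behind one socket handle that
             * belongs to another process and record it in the g_* tables.
             *
             * dwProcessesID  PID that owns the handle
             * Handle         handle value as seen inside that process
             * NoCache        word Start() read out of the file object; 0x2 and 0x1
             *                select the two TDI query variants, anything else is ignored
             * tcpudp         second word Start() read; stored in g_tcpudp and split into
             *                two classes around TCPUDP_FLAG for duplicate detection
             *
             * No return value: a failure at any step simply records nothing. Both
             * kernel handles opened here are closed on every exit path, and the
             * tables are never written past their last slot.
             *
             * The loop bound and the [i] subscripts below were restored from the
             * surrounding declarations (the page's rendering dropped them); confirm
             * against the original post if that matters.
             */
            void GetOpenPort(ULONG dwProcessesID,ULONG Handle,int NoCache,ULONG tcpudp)
            {
                HANDLE hProc = NULL;
                HANDLE DupHandle = NULL;
                USHORT openport;
                ULONG i;
                ULONG slot;
                NTSTATUS status;
                TDI_CONNECTION_INFO TdiConnInfo = {0};
                TDI_CONNECTION_INFORMATION TdiConnInformation = {0};
                IO_STATUS_BLOCK IoStatusBlock = {0};
                CLIENT_ID id;
                OBJECT_ATTRIBUTES objatt;
                char ObjectNameBuf[512] = {0};
                POBJECT_NAME_INFORMATION ObjectName = (POBJECT_NAME_INFORMATION)ObjectNameBuf;
                ULONG ReturnLen = 0;

                //DbgPrint("GetOpenPort\n");

                /* Only the two layouts below are understood; leave before opening anything. */
                if (NoCache != 0x1 && NoCache != 0x2)
                    return;

                /* Fixed-size tables: dropping an entry beats writing past the end. */
                if (g_num >= sizeof(g_pid) / sizeof(g_pid[0]))
                    return;

                id.UniqueProcess = (HANDLE)dwProcessesID;
                id.UniqueThread = 0;
                InitializeObjectAttributes(&objatt, NULL, 0, NULL, NULL);

                // Open the owning process.
                status = NtOpenProcess(&hProc, PROCESS_DUP_HANDLE, &objatt, &id);
                if (!NT_SUCCESS(status) || hProc == NULL)
                    return;

                // Duplicate the handle into this process (0xffffffff = current-process pseudo handle, 2 = DUPLICATE_SAME_ACCESS).
                // The prototype above declares a BOOLEAN return, so success is judged by the out handle instead.
                NtDuplicateObject(hProc, (HANDLE)Handle, (HANDLE)0xffffffff, &DupHandle, 0, FALSE, 2);
                if (DupHandle == NULL)
                    goto cleanup;

                // Name of the object behind the handle ("\Device\Tcp" / "\Device\Udp").
                // Without it there is nothing to classify; the original compared an uninitialized Buffer here.
                status = ZwQueryObject(DupHandle, ObjectNameInformation, ObjectName, sizeof(ObjectNameBuf), &ReturnLen);
                if (!NT_SUCCESS(status) || ObjectName->Name.Buffer == NULL)
                    goto cleanup;

                /*
                 * TDI query. The two layouts differ only in the value written at
                 * RemoteAddressLength (byte offset 16 of the input block), 4 for
                 * NoCache == 2 and 3 for NoCache == 1. NOTE(review): that offset is
                 * where TDI_REQUEST_QUERY_INFORMATION keeps its QueryType, so these
                 * look like TDI_QUERY_CONNECTION_INFO / TDI_QUERY_ADDRESS_INFO — confirm.
                 */
                TdiConnInformation.RemoteAddressLength = (NoCache == 0x2) ? 4 : 3;
                status = NtDeviceIoControlFile(DupHandle,
                    NULL,
                    NULL,
                    NULL,
                    &IoStatusBlock,
                    0x210012,  // Command code
                    &TdiConnInformation,
                    sizeof(TdiConnInformation),
                    &TdiConnInfo,
                    sizeof(TdiConnInfo));
                if (status != 0)
                    goto cleanup;

                /* Bytes 12..13 of the reply are read as the port in network byte order. */
                openport = ntohs((USHORT)TdiConnInfo.ReceivedTsdus);
                if (openport == 0)
                    goto cleanup;

                /* Already recorded for this PID/port in the same TCPUDP_FLAG class? */
                for (i = 0; i < g_num; i++)
                {
                    if (g_pid[i] != dwProcessesID || g_port[i] != openport)
                        continue;
                    if ((tcpudp >= TCPUDP_FLAG) == (g_tcpudp[i] >= TCPUDP_FLAG))
                        goto cleanup;
                }

                slot = g_num;
                g_pid[slot] = dwProcessesID;
                g_port[slot] = openport;
                g_handle[slot] = Handle;
                g_tcpudp[slot] = tcpudp;
                /* Default 0 (TCP) matches the zero-initialised global the original relied on. */
                g_tu[slot] = 0;
                /* NOTE(review): relies on the queried name being NUL-terminated, as the original did. */
                if (wcscmp(ObjectName->Name.Buffer, L"\\Device\\Udp") == 0)
                    g_tu[slot] = 1;
                g_num++;

            cleanup:
                if (DupHandle != NULL)
                    ZwClose(DupHandle);
                if (hProc != NULL)
                    ZwClose(hProc);
            }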

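            /*
             * DetectOsVersion - map the running kernel's major/minor version to the
             * author's code: 0 = 2000, 1 = XP, 2 = 2003, 3 = other 5.x ("NT"),
             * 99 = unknown. Logs the decision exactly like the original did.
             */
            static ULONG DetectOsVersion(void)
            {
                ULONG uMajorVersion = 0;
                ULONG uMinorVersion = 0;
                ULONG uBuildNumber = 0;
                ULONG uOsVer;

                PsGetVersion(&uMajorVersion, &uMinorVersion, &uBuildNumber, NULL);
                if (uMajorVersion != 5)
                {
                    DbgPrint("Unknow OS\n");
                    return 99;
                }

                switch (uMinorVersion)
                {
                case 0:
                    DbgPrint("2k\n");
                    uOsVer = 0;   //2k
                    break;
                case 1:
                    DbgPrint("xp\n");
                    uOsVer = 1;   //xp
                    break;
                case 2:
                    DbgPrint("2k3\n");
                    uOsVer = 2;   //2k3
                    break;
                default:
                    DbgPrint("NT\n");
                    uOsVer = 3;   //nt
                    break;
                }
                return uOsVer;
            }

            /*
             * ImageNameOf - address of the image name inside an EPROCESS for the
             * detected OS code, or NULL for an unknown code. Uses the hard-coded
             * *_EPROCESS_NAMEOFFSET constants; code 3 ("NT") reuses the 2000 offset
             * as the original did.
             */
            static char *ImageNameOf(PEPROCESS epro, ULONG uOsVer)
            {
                switch (uOsVer)
                {
                case 0:  return (char *)epro + WIN2K_EPROCESS_NAMEOFFSET;   //2k
                case 1:  return (char *)epro + WINXP_EPROCESS_NAMEOFFSET;   //xp
                case 2:  return (char *)epro + WIN2K3_EPROCESS_NAMEOFFSET;  //2k3
                case 3:  return (char *)epro + WIN2K_EPROCESS_NAMEOFFSET;   //NT
                default: return NULL;
                }
            }

            /*
             * Start - walk the handle snapshot from GetHandleList(), hand every
             * socket-typed handle to GetOpenPort(), then print the collected table
             * together with each owner's image name.
             *
             * pBuffer  address returned by GetHandleList() (first ULONG = entry count,
             *          SYSTEM_HANDLE_INFORMATION entries follow); 0 is tolerated and
             *          prints nothing. Ownership stays with the caller.
             *
             * The socket type indices and EPROCESS name offsets are hard-coded per
             * kernel version (see the defines at the top of the file); any other build
             * is unverified. The [i] subscripts and the g_num loop bound below were
             * restored from the surrounding declarations, as the page's rendering
             * dropped them.
             */
            void Start(ULONG pBuffer)
            {
                ULONG i;
                ULONG handleCount;
                PSYSTEM_HANDLE_INFORMATION pProcesses;
                ULONG nocache;
                ULONG tcpudp;
                ULONG uOsVer;

                DbgPrint("Start11\n");

                /* GetHandleList() reports failure as 0; the original dereferenced it regardless. */
                if (pBuffer == 0)
                    return;

                // The first 4 bytes hold the entry count (32-bit ULONG); the entries start right after.
                handleCount = *(ULONG *)pBuffer;
                pProcesses = (PSYSTEM_HANDLE_INFORMATION)(pBuffer + 4);

                uOsVer = DetectOsVersion();

                for (i = 0; i < handleCount; i++)
                {
                    UCHAR typeIndex = pProcesses[i].ObjectTypeNumber;
                    PVOID object = pProcesses[i].Object;

                    // Socket type index on 2000 / XP / 2003 (2000 and 2003 share a value).
                    if (typeIndex != WIN2K_SOCKET_FLAG
                        && typeIndex != WINXP_SOCKET_FLAG
                        && typeIndex != WIN2K3_SOCKET_FLAG)
                        continue;

                    /*
                     * Read two words out of the object behind the handle. Handles come and
                     * go while we iterate, so a stale Object pointer crashes the machine.
                     * MmIsAddressValid() only vouches for the page the pointer itself lands
                     * on and is no synchronisation, so this stays best-effort, as originally.
                     */
                    if (!MmIsAddressValid(object))
                        continue;
                    nocache = *((ULONG *)object + 4);

                    tcpudp = *((ULONG *)object + 1);
                    if (!MmIsAddressValid((PVOID)tcpudp))
                        continue;
                    tcpudp = *((ULONG *)tcpudp + 1);

                    if (nocache == 2 || nocache == 1)
                        GetOpenPort(pProcesses[i].ProcessID, pProcesses[i].Handle, nocache, tcpudp);
                }

                /* No known name offset: the original broke out of the print loop at this point. */
                if (uOsVer == 99)
                    return;

                for (i = 0; i < g_num; i++)
                {
                    PEPROCESS epro = NULL;
                    char *p;
                    char name[17];

                    // PID -> EPROCESS. The lookup hands back a referenced object that must be released.
                    if (!NT_SUCCESS(PsLookupProcessByProcessId(g_pid[i], &epro)) || epro == NULL)
                        continue;

                    p = ImageNameOf(epro, uOsVer);
                    if (p == NULL)
                    {
                        ObDereferenceObject(epro);
                        continue;
                    }

                    /* NOTE(review): EPROCESS.ImageFileName is a 16-byte array that need not be NUL-terminated,
                     * so the name is copied with a bound instead of being handed to %s directly — confirm the size. */
                    RtlCopyMemory(name, p, 16);
                    name[16] = '\0';
                    ObDereferenceObject(epro);

                    if (g_tu[i] == 0)
                        DbgPrint("TCP:\tProcName=%s\tPID=%d\tport=%d\t%d\n", name, g_pid[i], g_port[i], g_tcpudp[i]);
                    if (g_tu[i] == 1)
                        DbgPrint("UDP:\tProcName=%s\tPID=%d\tport=%d\t%d\n", name, g_pid[i], g_port[i], g_tcpudp[i]);
                }

                return;
            }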
            //////////////////////////////////

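            /*
             * DriverEntry - install the unload callback, take one handle snapshot,
             * print the port table, and release the snapshot.
             *
             * DriverObject  driver object supplied by the I/O manager
             * RegistryPath  unused
             *
             * Always returns STATUS_SUCCESS; a failed snapshot simply prints nothing.
             * GetHandleList() hands ownership of its buffer to the caller, so it is
             * freed here once Start() is done with it (the original never freed it).
             */
            NTSTATUS
            DriverEntry(IN PDRIVER_OBJECT DriverObject,
                        IN PUNICODE_STRING RegistryPath)
            {
                ULONG pbuf;

                UNREFERENCED_PARAMETER(RegistryPath);

                DbgPrint("DriverEntry\n");

                DriverObject->DriverUnload = DriverUnload;

                pbuf = GetHandleList();
                if (pbuf != 0)
                {
                    Start(pbuf);
                    ExFreePool((PVOID)pbuf);
                }

                return STATUS_SUCCESS;
            }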


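            /*
             * DriverUnload - unload callback installed by DriverEntry().
             *
             * No device object is created anywhere in this file, so the
             * IoDeleteDevice() branch is purely defensive. The unused NTSTATUS
             * local of the original is gone.
             */
            void DriverUnload(IN PDRIVER_OBJECT pDriverObject)
            {
                if (pDriverObject->DeviceObject != NULL)
                {
                    IoDeleteDevice(pDriverObject->DeviceObject);
                }

                DbgPrint("DriverUnload\n");
            }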

            參考文獻:
            1 Windows DDK
            2 http://coffeeqiqi.blogchina.com
            3 Leven-端口關聯進程-在核心態的實現方法
            4 Msdn
            5 port/connection hiding   http://dev.csdn.net/Develop/article/28/84294.shtm
            6 在NT系列操作系統里讓自己“消失”
            7 http://www.rootkit.com
