人品测试(驱动版) - [病毒技术]
/*
http://romio64.blogbus.com/logs/6051205.html
Author: robinh00d
Last Updated: 2006-03-23
测试人品驱动版
*/
#include "GoodGuy.h"
#include "ntddk.h"
#define FILE_DEVICE_GOODGUY 0x8000
#define GOODGUY_IOCTL_BASE 0x800
#define CTL_CODE_GOODGUY(i) CTL_CODE(FILE_DEVICE_GOODGUY, GOODGUY_IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GOODGUY_HELLO CTL_CODE_GOODGUY(0)
#define GOODGUY_WIN32_DEVICE_NAME_A "\\\\.\\GoodGuy"
#define GOODGUY_WIN32_DEVICE_NAME_W L"\\\\.\\GoodGuy"
#define GOODGUY_DEVICE_NAME_A "\\Device\\GoodGuy"
#define GOODGUY_DEVICE_NAME_W L"\\Device\\GoodGuy"
#define GOODGUY_DOS_DEVICE_NAME_A "\\DosDevices\\GoodGuy"
#define GOODGUY_DOS_DEVICE_NAME_W L"\\DosDevices\\GoodGuy"
#define MYNAME "robinh00d"
#ifdef _UNICODE
#define GOODGUY_WIN32_DEVICE_NAME GOODGUY_WIN32_DEVICE_NAME_W
#define GOODGUY_DEVICE_NAME GOODGUY_DEVICE_NAME_W
#define GOODGUY_DOS_DEVICE_NAME GOODGUY_DOS_DEVICE_NAME_W
#else
#define GOODGUY_WIN32_DEVICE_NAME GOODGUY_WIN32_DEVICE_NAME_A
#define GOODGUY_DEVICE_NAME GOODGUY_DEVICE_NAME_A
#define GOODGUY_DOS_DEVICE_NAME GOODGUY_DOS_DEVICE_NAME_A
#endif
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
NTSTATUS
GoodguyDispatchFunc(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
GoodguyDispatchDeviceControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
VOID
GoodguyUnload(
IN PDRIVER_OBJECT DriverObject
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, GoodguyDispatchFunc)
#pragma alloc_text(PAGE, GoodguyDispatchDeviceControl)
#pragma alloc_text(PAGE, GoodguyUnload)
#endif // ALLOC_PRAGMA
/*
 * DriverEntry - driver initialization.
 *
 * Creates the \Device\GoodGuy device object, publishes it to user mode as
 * \DosDevices\GoodGuy and installs the dispatch routines and the unload
 * handler.  If either creation step fails, whatever was created before it
 * is removed again before returning.
 *
 * DriverObject: the driver object handed in by the I/O manager.
 * RegistryPath: the driver's service key; not used here.
 *
 * Returns STATUS_SUCCESS, or the status of the IoCreateDevice /
 * IoCreateSymbolicLink call that failed.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNICODE_STRING ntDeviceName;
    UNICODE_STRING dosDeviceName;
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS status;

    RtlInitUnicodeString(&ntDeviceName, GOODGUY_DEVICE_NAME_W);

    /* No device extension (size 0); the TRUE requests an exclusive device. */
    status = IoCreateDevice(DriverObject,
                            0,
                            &ntDeviceName,
                            FILE_DEVICE_GOODGUY,
                            0,
                            TRUE,
                            &deviceObject);
    if (!NT_SUCCESS(status)) {
        if (deviceObject != NULL) {
            IoDeleteDevice(deviceObject);
        }
        return status;
    }

    RtlInitUnicodeString(&dosDeviceName, GOODGUY_DOS_DEVICE_NAME_W);
    status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);
    if (!NT_SUCCESS(status)) {
        /* The link was not created, so only the device needs tearing down. */
        IoDeleteDevice(deviceObject);
        return status;
    }

    /* Create and close share one trivial handler; IOCTLs get their own. */
    DriverObject->MajorFunction[IRP_MJ_CREATE] = GoodguyDispatchFunc;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = GoodguyDispatchFunc;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = GoodguyDispatchDeviceControl;
    DriverObject->DriverUnload = GoodguyUnload;

    return status;
}
/*
 * GoodguyDispatchFunc - handler for IRP_MJ_CREATE and IRP_MJ_CLOSE.
 *
 * Every open and close is accepted unconditionally: the IRP is completed
 * with STATUS_SUCCESS and zero bytes of information.
 *
 * DeviceObject: the device the request is addressed to (unused).
 * Irp:          the request to complete.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS
GoodguyDispatchFunc(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    /* Both IoStatus fields must be filled in before the IRP is completed. */
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return STATUS_SUCCESS;
}
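/*
 * GoodguyDispatchDeviceControl - handler for IRP_MJ_DEVICE_CONTROL.
 *
 * IOCTL_GOODGUY_HELLO (METHOD_BUFFERED): the caller supplies a 128-byte
 * input buffer holding a NUL-terminated name and a 128-byte output buffer.
 * The name is compared case-insensitively with MYNAME and one of two fixed
 * reply strings is written back through the shared system buffer;
 * IoStatus.Information is the reply length including its terminator.
 *
 * The input buffer is user-controlled data copied by the I/O manager, so it
 * is only ever read within InputBufferLength.  The original code called
 * RtlInitAnsiString() on it before any size check, which runs strlen() over
 * the buffer and reads past it whenever the caller omits the terminator
 * (and dereferences NULL when both lengths are 0).
 *
 * DeviceObject: the device the request is addressed to (unused).
 * Irp:          the request to complete.
 *
 * Returns STATUS_SUCCESS for a handled request, STATUS_INVALID_PARAMETER for
 * an unknown control code or for buffers of the wrong size.  The IRP is
 * always completed here.
 */
NTSTATUS
GoodguyDispatchDeviceControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    PVOID ioBuf = Irp->AssociatedIrp.SystemBuffer;
    ULONG inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
    ANSI_STRING inName;
    ANSI_STRING myName;
    char szGood[] = "is a good guy!";
    char szBad[] = "is a bad guy!";

    /* Start from "nothing written" so a rejected request never reports stale Information. */
    Irp->IoStatus.Information = 0;

    switch (ioControlCode) {
    case IOCTL_GOODGUY_HELLO:
        /*
         * Validate before touching the buffer.  SystemBuffer is NULL when
         * both lengths are 0, and the fixed 128/128 contract also guarantees
         * the reply strings (15 bytes at most) fit in the output buffer.
         */
        if (inBufLength != 128 || outBufLength != 128 || ioBuf == NULL) {
            status = STATUS_INVALID_PARAMETER;
            break;
        }

        /*
         * Build a bounded ANSI_STRING by hand instead of RtlInitAnsiString():
         * the length is the distance to the first NUL, capped at the input
         * length, so an unterminated buffer cannot cause an over-read.
         */
        inName.Buffer = (PCHAR)ioBuf;
        inName.MaximumLength = (USHORT)inBufLength;
        inName.Length = 0;
        while (inName.Length < inBufLength && inName.Buffer[inName.Length] != '\0') {
            inName.Length++;
        }

        RtlInitAnsiString(&myName, MYNAME);

        /* RtlCompareString() returns 0 when the strings match; TRUE = case-insensitive. */
        if (RtlCompareString(&myName, &inName, TRUE) == 0) {
            DbgPrint("robih00d!");
            RtlCopyMemory(ioBuf, szGood, sizeof szGood);
            Irp->IoStatus.Information = sizeof szGood;
        } else {
            DbgPrint("not robinh00d");
            RtlCopyMemory(ioBuf, szBad, sizeof szBad);
            Irp->IoStatus.Information = sizeof szBad;
        }
        break;

    default:
        /* The original had a stray `IoGetFunctionCodeFromCtlCode(ioControlCode));`
           here, an unbalanced leftover of a removed trace call. */
        status = STATUS_INVALID_PARAMETER;
        break;
    }

    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}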
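/*
 * GoodguyUnload - DriverUnload routine.
 *
 * Removes the \DosDevices\GoodGuy link first and the device object second,
 * so the user-visible name disappears before its target does.
 *
 * DriverObject: the driver being unloaded; its DeviceObject is the one
 *               created in DriverEntry.
 */
VOID
GoodguyUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNICODE_STRING dosDeviceName;

    RtlInitUnicodeString(&dosDeviceName, GOODGUY_DOS_DEVICE_NAME_W);
    IoDeleteSymbolicLink(&dosDeviceName);

    /* Unload only runs after a successful DriverEntry, so the device should
       exist; the guard just keeps a NULL from reaching IoDeleteDevice. */
    if (DriverObject->DeviceObject != NULL) {
        IoDeleteDevice(DriverObject->DeviceObject);
    }

    /* The rest of the driver traces through DbgPrint; dprintf is not provided
       by ntddk.h and would only resolve if GoodGuy.h (not shown) defines it. */
    DbgPrint("[GoodGuy] unloaded\n");
}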
//test.c
//ring3测试程序
#include <stdio.h>
#include <windows.h>
#include <winioctl.h>
#pragma comment(lib,"kernel32")
#define FILE_DEVICE_GOODGUY 0x8000
#define GOODGUY_IOCTL_BASE 0x800
#define CTL_CODE_GOODGUY(i) CTL_CODE(FILE_DEVICE_GOODGUY, GOODGUY_IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GOODGUY_HELLO CTL_CODE_GOODGUY(0)
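/*
 * Ring-3 test client: reads a name from stdin, sends it to the GoodGuy
 * device with IOCTL_GOODGUY_HELLO and prints the driver's verdict.
 *
 * Returns 0 on success, -1 if no name was read, the device cannot be
 * opened, or the IOCTL fails.
 */
int main(void)
{
    char szName[128] = {0};
    char szResult[128] = {0};
    HANDLE hFile;
    DWORD dwRet = 0;
    int rc = -1;

    /* The width limit keeps scanf from overrunning the 128-byte stack buffer
       (the original "%s" was unbounded). */
    if (scanf("%127s", szName) != 1) {
        printf("no name given!\n");
        return -1;
    }

    hFile = CreateFile("\\\\.\\GoodGuy",
                       GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL,
                       OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL,
                       NULL);
    if (INVALID_HANDLE_VALUE == hFile) {
        printf("error!\n");
        return -1;
    }

    /* The driver accepts exactly 128 bytes in and 128 bytes out. */
    if (DeviceIoControl(hFile, IOCTL_GOODGUY_HELLO,
                        szName, sizeof szName,
                        szResult, sizeof szResult,
                        &dwRet, NULL)) {
        /* dwRet bytes came back; make sure the reply prints as a bounded string. */
        szResult[sizeof szResult - 1] = '\0';
        printf("%s %s", szName, szResult);
        rc = 0;
    }

    /* Previously the handle was only closed on the failure path. */
    CloseHandle(hFile);
    return rc;
}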