The file peFormat.h contains the data structures needed to parse PE-formatted files. These data structures are not conveniently located in the Microsoft header files. The structures Ghost requires have been extracted from winnt.h, because that header cannot easily be included in a DDK build. Developers using the XP DDK could use ntimage.h instead, but to keep this project as simple as possible across as many build environments as possible, peFormat.h is used:

  // Copyright Ric Vieler, 2006 // Support header for hookManager.c // Contains required PE file format data structures used by GetIndex() #ifndef _PE_FORMAT_HEADER_ #define _PE_FORMAT_HEADER_ // // Image Format // #pragma pack(2) // 16 bit headers are 2 byte packed #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header     WORD   e_magic;  // Magic number     WORD   e_cblp; // Bytes on last page of file     WORD   e_cp;  // Pages in file     WORD   e_crlc;  // Relocations     WORD   e_cparhdr;  // Size of header in paragraphs     WORD   e_minalloc; // Minimum extra paragraphs needed     WORD   e_maxalloc; // Maximum extra paragraphs needed     WORD   e_ss; // Initial (relative) SS value     WORD   e_sp; // Initial SP value     WORD   e_csum; // Checksum     WORD   e_ip;  // Initial IP value     WORD   e_cs; // Initial (relative) CS value     WORD   e_lfarlc; // File address of relocation table     WORD   e_ovno; // Overlay number     WORD   e_res[4];  // Reserved words     WORD   e_oemid; // OEM identifier (for e_oeminfo)     WORD   e_oeminfo; // OEM information; e_oemid specific     WORD   e_res2[10]; // Reserved words     LONG   e_lfanew; // File address of new exe header   } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; #pragma pack(4) // Back to 4 byte packing // // File header format. // typedef struct _IMAGE_FILE_HEADER {     WORD    Machine;     WORD    NumberOfSections;     DWORD   TimeDateStamp;     DWORD   PointerToSymbolTable;     DWORD   NumberOfSymbols;     WORD    SizeOfOptionalHeader;     WORD    Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER; // // Directory format. // typedef struct _IMAGE_DATA_DIRECTORY {  DWORD   VirtualAddress;  DWORD   Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES    16 // // Optional header format. // typedef struct _IMAGE_OPTIONAL_HEADER {  //  // Standard fields.  
//  WORD    Magic;  BYTE    MajorLinkerVersion;  BYTE    MinorLinkerVersion;  DWORD   SizeOfCode;  DWORD   SizeOfInitializedData;  DWORD   SizeOfUninitializedData;  DWORD   AddressOfEntryPoint;  DWORD   BaseOfCode;  DWORD   BaseOfData;  //  // NT additional fields.  //  DWORD   ImageBase;  DWORD   SectionAlignment;  DWORD   FileAlignment;  WORD    MajorOperatingSystemVersion;  WORD    MinorOperatingSystemVersion;  WORD    MajorImageVersion;  WORD    MinorImageVersion;  WORD    MajorSubsystemVersion;  WORD    MinorSubsystemVersion;  DWORD   Win32VersionValue;  DWORD   SizeOfImage;  DWORD   SizeOfHeaders;  DWORD   CheckSum;  WORD    Subsystem;  WORD    DllCharacteristics;  DWORD   SizeOfStackReserve;  DWORD   SizeOfStackCommit;  DWORD   SizeOfHeapReserve;  DWORD   SizeOfHeapCommit;  DWORD   LoaderFlags;  DWORD   NumberOfRvaAndSizes;  IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER; // // Export Format // typedef struct _IMAGE_EXPORT_DIRECTORY {  DWORD   Characteristics;  DWORD   TimeDateStamp;  WORD    MajorVersion;  WORD    MinorVersion;  DWORD   Name;  DWORD   Base;  DWORD   NumberOfFunctions;  DWORD   NumberOfNames;  DWORD   AddressOfFunctions;     // RVA from base of image  DWORD   AddressOfNames;         // RVA from base of image  DWORD   AddressOfNameOrdinals;  // RVA from base of image } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY; // Directory Entries #define IMAGE_DIRECTORY_ENTRY_EXPORT          0   // Export Directory #endif 

Once compiled and loaded, using the Checked DDK icon and SCMLoader.exe from Chapters 1 and 2, you should be able to start the service, using “net start MyDeviceDriver,” to filter data destined for PGP encryption.
