List hidden processes by reading kiwaitinlisthead


/*

Some rootkits hide a process by altering the PsActiveProcess linked list or the related Native API. This program instead reads

KiWaitInListHead and KiWaitOutListHead (kernel linked lists used by Windows) directly, to list hidden processes.

For technical details, please refer to Jan K. Rutkowski's original text

Http://www.blackhat.com/pesentations/bh-usa-03/bh-us-03-rutkowski/rutkowski-antirootkit.zip.

The original sample code is implemented as a driver; this version uses \Device\PhysicalMemory instead. The code is very messy and barely works. My thanks to PJF for his code.

If anything here is wrong, or if you have a better idea, please share it with me. Thank you!

*/

/* Code taken from Jan K. Rutkowski (JKRUTKOWSKI Elka.pw.edu.pl) */

/* and PJF (jfpan20000@sina.com)'s article */

/* Compile under cygwin: gcc -o kps kps.c -I /usr/include/w32api/ddk -lntdll -lntoskrnl */

/* See Jan K. Rutkowski's article for more info. */

/* THIS TOOL WILL LIST all the processes, including those hidden by some rootkits. 2003/10, fantas1a */

#include

#include

#include

#include

// One entry of the process table filled by createProClist(): a process id and
// the first bytes of the image file name.  The member spellings below are
// garbled by extraction; the rest of the listing accesses them as .pid and
// .Name/.name.  InsertProc() and ProcessName() copy at most 16 bytes into
// the name field (strncpy(..., 16)), so the two trailing bytes of the
// 18-byte array are never written by them.
Typedef struct _klister_procinfo {

int PI;

Char Name [18];

} Klister_Procinfo, * pklister_procinfo;

// Kernel virtual addresses of the dispatcher list heads the tool walks.
// They are not looked up; main() assigns build-specific constants to them
// (the comment there names Win2k SP4 EN).
PLIST_ENTRY PKIWAITINLISTHEAD;

PLIST_ENTRY PKIWAITLISTHEAD;

PLIST_ENTRY PKIDISPATCHERREADYLISTHEAD;

// Byte offset of the wait-list LIST_ENTRY inside _KTHREAD on that build.
// createProClist() subtracts it from a list link to recover the containing
// thread object (a hand-rolled CONTAINING_RECORD).
#define waitlist_offset 0x5c // in _kthread

// 4 KB view mapped by OpenPhysicalMemory() at physical offset 0x30000.
// LineArtophys() indexes this view as the page directory.
PVOID G_PMAPPHYSICALMORY = NULL;

// Section handle for \Device\PhysicalMemory, from ZwOpenSection().
Handle g_hmpm = NULL;

// Capacity of the Procs table.
// NOTE(review): InsertProc() never compares nprocs against this limit before
// writing Procs[nprocs]; more than MAX_PROCS distinct pids overrun the table.
#define max_procs 1000

// Collected processes and fill count.  Both have static storage, so the table
// starts zero-filled; that is what keeps the 16-byte name copies
// NUL-terminated when printed.
Klister_Procinfo Procs [MAX_PROCS];

INT nprocs = 0;

// Translate a kernel virtual address to a physical address by walking the
// 32-bit, non-PAE, two-level page tables:
//   - BaseAddress is the mapped page directory; bits 31..22 of the address
//     select the directory entry (vaddr >> 22 below);
//   - bit 0 of the entry is the "present" flag, bit 0x80 the 4 MB "page
//     size" flag; a large page is resolved directly from the entry;
//   - otherwise the page table is mapped through the physical-memory
//     section and bits 21..12 select the table entry.
// Returns 0 when either the directory entry or the table entry is not
// present, so a result of 0 is an in-band failure value.
// NOTE: extraction dropped the '+' / '|' operators and some hex digits in
// this listing (e.g. the 0xffff000 and 0x003FFFF masks are one digit short
// of 32-bit page masks); it is not compilable as shown.
// NOTE(review): the page-table view mapped below is only unmapped on the
// "PTE present" path; the "page not in" return leaks that view.
Pvoid ​​LineArtophys (Pulong Baseaddress, Pvoid ​​Addr)

{

Ulong Vaddr = (Ulong) Addr, PGDE, PTE, PADDR

// Directory entry for the top 10 bits of the virtual address.
PGDE = BaseAddress [VADDR >> 22];

// Bit 0: entry present.
IF ((pgde & 1)! = 0)

{

// Bit 7 (0x80): 4 MB page, no second-level table to walk.
Ulong TMP = PGDE & 0x00000080;

IF (TMP! = 0)

{

Paddr = (PGDE & 0xFFC00000) (VADDR & 0x003FFFF);

}

Else

{

// Map the 4 KB page table named by the directory entry and pick the
// table entry for bits 21..12 of the virtual address.
PGDE = (ulong) MapViewOffile (g_hmpm, 4, 0, pgde & 0xffff000, 0x1000);

PTE = ((pulong) PGDE [(VADDR & 0x003FF000) >> 12];

IF ((PTE & 1)! = 0) {

PADDR = (PTE & 0xFfffff000) (VADDR & 0x00000FFF);

UNMAPVIEWOFFILE ((pvoid) PGDE;

}

Else {

// NOTE(review): the view created above is still mapped on this return.
// fprintf (stderr, "lineartophys return 0, page not in / r / n");

Return 0;

}

}

} else {

// fprintf (stderr, "lineartophys return 0, page Table not in / r / n");

Return 0;

}

// fprintf (stderr, "lineartophys return% 08x / r / n", PADDR);

Return (PVOID) PADDR;

}

// Read one 32-bit word at kernel virtual address ADDR through the
// physical-memory section: translate with LineArtophys(), map the 4 KB page
// that contains the result, fetch the word at the in-page offset, unmap.
// Returns 0 both when the address does not translate and when the word read
// is itself 0; createProClist() relies on 0 as an end-of-list sentinel, so a
// genuine zero link and a translation failure are indistinguishable to it.
// NOTE(review): a failed MapViewOfFile() calls exit(-1) without unmapping
// g_pmapphysicalmemory or closing g_hmpm; process teardown releases them.
// NOTE: the mask 0xffff000 is one hex digit short of a 32-bit page mask in
// this listing (extraction damage).
Ulong getData (PVOID ADDR)

{

Ulong phys = (ulong) lineartophys ((pulong) g_pmapphysicalmemory, (pvoid) addr;

IF (phys == 0) Return 0;

Pulong TMP = (pulong) MapViewOffile (g_hmpm, 4, 0, phys & 0xffff000, 0x1000);

IF (TMP == 0) {

EXIT (-1);

}

// Word index within the mapped page: low 12 bits of the physical address / 4.
Ulong Ret = TMP [(Phys & 0xFFF) >> 2];

UnmapViewoffile (TMP);

Return Ret;

}

// Open the \Device\PhysicalMemory section read-only (SECTION_MAP_READ) and
// map a single 4 KB view at physical offset 0x30000 into
// g_pmapphysicalmemory.  LineArtophys() treats that view as the page
// directory, so 0x30000 is presumably the physical address of the kernel
// page directory on the targeted build — TODO confirm against that build.
// Returns the section handle, or NULL if ZwOpenSection() or MapViewOfFile()
// fails.
// NOTE: the object name literal lost its backslashes during extraction.
// NOTE(review): when MapViewOfFile() fails the freshly opened section handle
// in g_hmpm is left open.
// NOTE(review): user-mode access to \Device\PhysicalMemory is not available
// on later Windows versions; together with the hard-coded addresses in
// main() this ties the tool to one kernel build.
Handle OpenPhysicalMemory ()

{

NTSTATUS STATUS;

Unicode_string physmemstring;

Object_attributes attributes;

RTLinitunicodeString (& PhysmemString, L "// device // physicalmemory);

// Hand-rolled InitializeObjectAttributes(): no root directory, no
// security descriptor, no QoS.
Attributes.Length = sizeof (Object_attributes);

Attributes.rootdirectory = NULL;

Attributes.Objectname = & physmemstring;

Attributes.attributes = 0;

Attributes.securityDescriptor = null;

Attributes.securityqualityofservice = null;

Status = zwopensection (& g_hmpm, section_map_read, & attributes);

IF (! NT_Success (status))

{

Return NULL;

}

// One page at physical offset 0x30000, used as the page directory base.
g_pmapphysicalmemory = mappviewoffile

g_hmpm,

4,

0,

0x30000,

0x1000);

IF (g_pmapphysicalmemory == null)

{

Return NULL;

}

Return G_HMPM;

}

// Append a (pid, name) pair to Procs unless the pid is already recorded.
// The for-loop header was truncated by extraction; it presumably scans the
// first nprocs entries.  At most 16 bytes of the name are copied, and the
// final statement is presumably nprocs++ (operator lost).
// NOTE(review): there is no check that nprocs < MAX_PROCS before the write to
// Procs[nprocs]; a list with more than MAX_PROCS distinct pids overruns the
// table.  A guard such as `if (nprocs >= MAX_PROCS) return;` before the
// write is the minimal fix.
Void InsertProc (int PID, Char * name) {

INT I;

For (i = 0; i

IF (Procs [i] .pid == pid) return;

Procs [nprocs] .pid = PID;

Strncpy (procs [nprocs] .Name, Name, 16); // fprintf (stderr, "% D% S / R / N", PID, NAME)

NPROCS ;

}

// Return the process object that owns a thread: getData() fetches the word at
// the thread address plus a sum of fixed offsets (the '+' operators were lost
// in extraction).  The commented-out line appears to be the original field
// path but is garbled; presumably this reads the thread's process pointer on
// the targeted build — TODO confirm against that build's structure layout.
// Returns 0 if getData() cannot translate the address.
PeProcess ProcessObject (Pthread Ethread) {

Ulong P;

P = (ulong) Ethread;

//(Peprocess) (PpeProcess) (Teeth, Screen);

P = getData ((pvoid) (P 0x0 0x34 0x10));

Return (PEProcess) (P);

}

// Copy up to 16 bytes of the process image name into BUF.  The comment
// names EPROCESS.ImageFileName; the code reads at offset 0x01FC of the
// process object (the '+' was lost in extraction) through a temporary 4 KB
// mapping of the containing physical page.
// Returns BUF, or 0 if the address does not translate or mapping fails.
// NOTE(review): the copy reads 16 bytes starting at in-page offset
// (phys & 0xFFF); if that offset is above 0xFF0 the read runs past the
// 0x1000-byte view mapped here.
// NOTE(review): strncpy(..., 16) leaves BUF unterminated when all 16 bytes
// are non-zero; the only caller re-copies it with strncpy(..., 16) into a
// zero-filled table, so nothing else must treat BUF as a C string.
Char * ProcessName (peprocess eProcess, char * buf) {

// & eprocess-> imagefilename [0]

Ulong phys = (ulong) lineartophys ((pulong) g_pmapphysicalmemory, (pvoid) ((Ulong) EPROCESS 0x01FC);

IF (phys == 0) Return 0;

PuChar TMP = (puchar) MapViewoffile (g_hmpm, 4, 0, phys & 0xffff000, 0x1000);

IF (TMP == 0) {

Return 0;

}

STRNCPY (BUF, & TMP [(PHYS & 0xFFF)], 16);

UnmapViewoffile (TMP);

Return BUF;

}

// Print the number of collected processes, then one line per table entry
// ("[ ] pid name").  The loop header lost its bound in extraction; it
// presumably runs for i < nprocs.  The format strings are garbled as well
// (e.g. "% D" for %d, "/ R / N" for \r\n).
void listproc ()

{

INT I;

Printf ("----% D Process ---- / R / N", NPROCS;

For (i = 0; i

Printf ("[ ]% 4D% S / R / N", procs [i] .pid, procs [i] .name);

}

}

// Walk the KiWaitInListHead and KiWaitOutListHead lists and record the owning
// process of every thread found on them.  Each iteration:
//   - getData() follows the Flink pointer; the loop stops when the link
//     returns to the list head or getData() yields 0 (its failure value);
//   - subtracting WAITLIST_OFFSET turns the LIST_ENTRY address into the
//     containing thread object;
//   - ProcessObject() gives the process, the word at thread offset 0x01e0
//     (per the comment, the client id) gives the pid, ProcessName() the name;
//   - a pid of 0 or a failed name read ends the walk of that list.
// The third list (KiDispatcherReadyListHead, 32 priority queues) is
// commented out below; its comment delimiters were garbled to "/ *" and
// "* /" by extraction, as were the '+' and '<' operators throughout.
// NOTE(review): because getData() returns 0 for both "unmapped" and a
// genuine zero word, a translation failure silently truncates the listing
// rather than being reported.
// NOTE(review): a corrupted or cyclic list that never returns to its head
// and never reads as 0 loops indefinitely; there is no iteration cap.
Void createProClist () {

INT I, J;

Char BUF1 [18];

PVOID OBJ, P, Q, TMP;

Pethread pethread = null;

Ulong PID;

CHAR * PN;

// First list: KiWaitInListHead.
// fprintf (stderr, "pkiwaitinlisthead / r / n");

For (Obj = (pvoid) getData (pkiwaitinlisthead);

Obj && (Obj! = pkiwaitinlisthead; obj = (pvoid) getData (obj)) {

// LIST_ENTRY address minus its offset inside _KTHREAD = thread object.
Pethread = (Pthread) (PVOID OBJ) - Waitlist_offset;

P = processObject (pethread);

PID = GetData ((Ulong) (Ulong) Pethread 0x01e0)); //petread, score, @/petread, score

IF (PID == 0) {

// fprintf (stderr, "pid IS 0 / r / n");

Break;

}

Pn = processname (p, buf1);

IF (pn == 0) Break;

INSERTPROC (PID, PN);

}

// Second list: KiWaitOutListHead, same procedure.
// fprintf (stderr, "pkiwaitoutlisthead / r / n");

For (Obj = (pvoid) getData (pkiwaitoutlisthead);

Obj && (Obj! = pkiwaitoutListhead; obj = (pvoid) getData (obj)) {pethread = (Pthread) (pvoid) - Waitlist_offset;

P = processObject (pethread);

PID = GetData ((PVOID) (Ulong) Pthread 0x01e0)))));

IF (PID == 0) {

// fprintf (stderr, "pid IS 0 / r / n");

Break;

}

Pn = processname (p, buf1);

IF (pn == 0) Break;

INSERTPROC (PID, PN);

}

// Disabled: walk of the 32 dispatcher ready queues.
/ *

FPrintf (stderr, "pkidispatcherreadylisthead / r / n");

For (i = 0; i <32; i )

For (Obj = (pvoid) getData (PVOID) (& pkidispatcherreadylisthead [i]));

Obj && (Obj! = & pkidispatcherreadylisthead [i]);

Obj = (pvoid) getData (obj)) {

Pethread = (Pthread) (PVOID OBJ) - Waitlist_offset;

P = processObject (pethread);

PID = GetData ((PVOID) (Ulong) Pthread 0x01e0)))));

IF (PID == 0) {

FPRINTF (stderr, "pid is 0 / r / n");

Break;

}

Pn = processname (p, buf1);

IF (pn == 0) Break;

INSERTPROC (PID, PN);

}

* /

}

// Entry point: open the physical-memory section, hard-code the list-head
// addresses for the one kernel build named in the comment (Win2k SP4 EN),
// walk the wait lists, print the table, then release the view and the
// section handle.  Returns -1 if OpenPhysicalMemory() fails, else 0.
// NOTE: the "if (" of the first statement was lost in extraction.
// NOTE(review): the three addresses below are valid for exactly one kernel
// build; on any other build the page-table walk reads unrelated kernel
// memory and the output is meaningless.  They should be resolved from the
// running kernel (symbols) or at least sanity-checked — e.g. that the head's
// Flink/Blink read back as kernel-range addresses — before the walk starts.
INT main (int Argc, char ** argv) {

Openphysicalmemory () == 0)

{

Printf ("OpenPhysicalMemory Failed / R / N");

Return -1;

}

// Build-specific kernel virtual addresses of the list heads.
PKIWAITINLISTHEAD = (PLIST_ENTRY) 0X80482258; // Under Win2k SP4EN

PKIWAITOUTLISTHEAD = (PLIST_ENTRY) 0X80482808;

Pkidispatcherreadylisthead = (plist_entry) 0x804822E0;

// fprintf (stderr, "0x% 08x, 0x% 08X / R / N", (Ulong) pkiwaitinlisthead, (ulong) pkiwaitoutListhead;

CreateProClist ();

ListProc ();

// Release the page-directory view and the section handle.
UNMAPVIEWOFFILE (g_pmapphysicalmemory);

CloseHandle (G_HMPM);

Return (0);

}

