Preface

The “Dive into kernel” series, literally translated as “Deep into the kernel” series, but I prefer its other name: “Diving series”, after all, it fully shows the author’s years of diving skills;) Getting off the point, let’s get back to the point. The original intention of writing this series is to see that the network is full of analysis reports of various hot events (of course, there is nothing wrong with this). However, as a security researcher, there are not many in-depth analysis articles on system mechanisms in recent years. So the author plans to do a reverse operation and write some in-depth analysis reports at the kernel level. This series does not pursue the analysis of the hottest and latest events, on the contrary, the samples that may be started are old samples that appeared many years ago. This article pursues the deeper mechanism of the system through the means used by these samples. The positioning of this series is hardcore science popularization, suitable for readers with a certain foundation who need to further improve their technical capabilities. As for how many articles this series can write, it depends on whether you audience masters buy it or not, so please like, collect and forward more, I believe your support will make this series go further Orz.

Purple Fox Trojan Family

The family can be traced back to 2018 at the earliest, and we have also found the shadow of this family Trojan on customer machines many times during the recent emergency handling process. There are quite a few analysis reports on this family on the Internet, so this article only briefly explains the key points, and the details can refer to the analysis report from Tencent Security Team cited at the end of this article.

First of all, the means used by the Trojan to persist, from the behavior monitoring tool, we found its path as follows:

Installation package —> Write to the PendingFileRenameOperations registry entry —> Replace system service —> Release Trojan components —> Hide key services and files

Let’s take a look at the content of the PendingFileRenameOperations registry key value written:

The format of this registry key value is:

Source file 1

Destination file 1

Source file 2

Destination file 2

…

If the destination file is empty (0x00), it means to delete the source file. Therefore, the virus actually achieves the startup purpose by replacing the system file sens.dll, and this DLL corresponds to the service:

Due to the Windows file system regulations: files in use cannot be deleted, and the dll files corresponding to the system service must be in use, so the virus uses such a “troublesome” method to delete system files. So the question is, why can this key value be used to delete files?

Take a deep breath, we start the first dive.

Windows boot process

First of all, start with a picture:

You can see that the first process in R3 with a physical file is smss.exe, which means that the service has not started at this moment, so there must be no situation where the service DLL file mentioned above is occupied and cannot be deleted.

It is also because most of the system processes have not started at this moment, the system has a chance to delete any files. During the initialization phase of smss.exe, through the PendingFileRenameOperations key value, the system can know which files to operate on. Through the search of WRK, we found the following code related to this key value:

By querying the function prototype of RtlQueryRegistryValues, we know that this function will call the callback function in SmpRegistryConfigurationTable: SmpConfigureFileRenames. When calling, it will pass SmpFileRenameList as the last parameter to the SmpConfigureFileRenames callback function. By reading the source code of SmpConfigureFileRenames, we found that this function only initializes the SmpFileRenameList linked list based on the value in PendingFileRenameOperations. Therefore, we still need to see who used the SmpFileRenameList linked list, and through the search of cross-references, we got the following call path:

This SmpProcessFileRenames function is the function that performs the delete function:

You can see that when it is judged to be a delete action, you can delete the file by calling NtSetInformationFile and setting SetInfoClass to FileDispositionInformation.

And through the analysis of the call path of the SmpProcessFileRenames function in the above figure, we know that the SmpInit function in the smss.c source file was executed very early in the main function. At this time, most of the windows subsystem has not started working, so naturally there is no problem that the file is occupied and cannot be deleted.

By the way, the MoveFileEx function supports a MOVEFILE_DELAY_UNTIL_REBOOT parameter. This parameter also deletes files during the restart process through the registry entry mentioned in this section:

Registry callback monitoring

After understanding how the virus uses PendingFileRenameOperations to obtain persistence capabilities, let’s take a look at a few points that the virus buried in order to fight against killing.

Through the PCHunter tool to view the “Kernel” tab “System Callback” tab, found a red CmpCallback callback item.

Switch to the “FileSystem” tab, in the “Minifilters”, there are two pre and post hooks for DIRECTORY_CONTROL.

Experienced friends may be able to guess what it is when they see these two hooks. For those who are not familiar with it, this is the moment to witness the miracle——remove these three hooks, we will be “surprised” to find that there is an additional service in the "Service" tab, and an additional file in the system32 directory:

Before these two hooks were removed, the service and files could not be seen in PCHunter, so we currently have sufficient reason to believe that the function of these three hooks is to hide the service items and corresponding files.

But what happened under the hood? It seems that it is time for the second dive.

First of all, we need to understand what CmpCallback is. Use dual-machine kernel debugging, set a breakpoint at the CmpCallback function address (0x95DF64F0) in the above figure, resume running and immediately interrupt, the stack traceback at this time is as follows (because the callback was removed in the above text, restarted once, the callback address changed to 0x961D64F0):

Actually seeing these Cm-starting functions, the meaning of CmpCallback in PCHunter is already very clear. But we still have to take care of friends who are not familiar with the kernel, after all, the positioning of this article is hardcore science popularization;)

From the stack traceback in the above figure, we can know that the most recent system call is CmpCallCallBacks, which is similar to CmpCallback in PCHunter, but it is still “unknown” what it is used for. At this time, we open IDA and look at the disassembly function and cross-reference of this function.

First take a look at the cross-reference:

It seems that all registry operations will eventually call this function, is CmpCallCallBacks used for registry monitoring? All the clues currently point to this answer, but we don’t have a smoking gun evidence yet.

Next, let’s take a look at the disassembly code of CmpCallCallBacks, use the F5 magic of IDA: (This code loads Microsoft’s public symbols, and the key data structure has been adjusted)

The return point after the WinDBG interrupt in the above text is the v8->callback line in line 55 of the above figure. Looking at the above code, it mainly traverses the callback function in the v8 double-linked list and calls it in turn (registry callback suspicion++). v8 comes from the CallbackListHead global variable. If we can find who is adding data to this global linked list, maybe we can dig out the function of CmpCallCallBacks. First, let’s see which functions are using this global variable:

Anyway, for me, I will choose CmpInsertCallbackInListByAltitude, look at the call path of this function, and see who is calling him:

I saw CmRegisterCallbackEx, and then the upper layer of ETW. We dug a big pit for ETW, and we will talk about it later. Here we focus on CmRegisterCallbackEx, the following is MSDN’s explanation

Okay, the case is solved, our guess is correct, this thing is indeed used to monitor registry operations.

After digging out the key data structure (CallbackListHead), let’s take a look at what this structure looks like:

typedef struct _CM_CALLBACK_LIST_INFO {
LIST_ENTRY list;
#ifdef _WIN64
UHALF_PTR counter;
UHALF_PTR unknown;
#else
ULONG_PTR counter;
PULONG_PTR unknown
#endif
LARGE_INTEGER cookie;
PVOID context;
PEX_CALLBACK_FUNCTION callback;
UNICODE_STRING attidude;
} CM_CALLBACK_LIST_INFO, *PCM_CALLBACK_LIST_INFO;

With the key data structure in hand, you can naturally traverse all the registry callback functions in this linked list. Write a program to verify whether the above data structure is problematic. For teaching purposes, the address of CallbackListHead is hardcoded. This address is obtained from WinDBG and is different every time you restart:

#include
typedef struct _CM_CALLBACK_LIST_INFO
{
LIST_ENTRY list;
#ifdef _WIN64
UHALF_PTR counter;
UHALF_PTR unknown;
#else
ULONG_PTR counter;
PULONG_PTR unknown;
#endif
LARGE_INTEGER cookie;
ULONG_PTR context;
ULONG_PTR callback;
PUNICODE_STRING attidude;
} CM_CALLBACK_LIST_INFO, *PCM_CALLBACK_LIST_INFO;
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) {
LIST_ENTRY *CallbackListHead = 0x83d5f570;
LIST_ENTRY *i = CallbackListHead;
DbgPrint("[IterateSys] start\n");
DbgPrint("[IterateSys] i: %x\n", i);
do {
if (i) {
DbgPrint("[IterateSys] address: %x\n", ((PCM_CALLBACK_LIST_INFO)i)->callback);
i = i->Flink;
} else DbgPrint("[IterateSys] i is NULL\n");
} while(i->Flink != CallbackListHead->Blink);
DbgPrint("[IterateSys] end\n");
return STATUS_SUCCESS;
}

Then cross-verify with the data in PCHunter, it is known that the address obtained above is correct:

Windows function call path and service hiding

The above mentioned that the CmpCallCallBacks function can monitor all registry operations. So how does the virus use this monitoring ability to achieve service hiding? To explain this question, we need to first figure out: how to get the current system service list? it is usually like the following program:

#include
#include
int main() {
HKEY hKey;
LSTATUS status = RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services",
0,
KEY_ALL_ACCESS,
&hKey
);
printf("OpenKey status:%x\n", status);
if(status == ERROR_SUCCESS) {
printf("success\n");
DWORD numSubKey = 0;
RegQueryInfoKey(
hKey,
NULL, NULL, NULL,
&numSubKey,
NULL,NULL,NULL,NULL,NULL,NULL,NULL
);
printf("NumSubKey: %d\n", numSubKey);
getch();
for(int i = 0; i < numSubKey; ++i) {
TCHAR subKey[MAX_PATH] = {0};
DWORD sizeSubKey = MAX_PATH;
status = RegEnumKey(
hKey, i,
subKey, &sizeSubKey
);
printf("Index:%d \t Status: %x \t SubKey: %s\n", i, status, subKey);
}
}
}

You can see that it is obtained by using the RegEnumKey function to traverse the HKLM\SYSTEM\CurrentControlSet\Services registry key value to get all the services of the current system. We look at the call stack traceback of this behavior under R0:

You can see that the call path from R3 to R0 is like the following figure:

As can be seen from the above figure, R3’s RegEnumKey will call the kernel’s NtEnumerateKey, and NtEnumerateKey will notify the CmpCallCallBacks function of the query result. If we want to hide services, we only need to modify the return data of NtEnumerateKey after being notified, right? In fact, the PurpleFox family uses this to hide their service items. First, the virus hooks the RegNtPostEnumerateKey action through the CmCallCallBacks function:

In the Hook function, by re-calling the ZwEnumerateKey function to skip the current query index, and then modify the return value. This operation makes some items is skipped in return data, thereby achieving the purpose of hiding these services:

If we search for EnumerateKey in ntoskrnl.exe, we will find four functions:

After combing, we find that the call relationship of these four functions is as follows:

NtEnumearteKey —> CmEnumerateKey

VfZwEnumerateKey ---> ZwEnumerateKey

But the function body of ZwEnumerateKey is a bit “strange”:

This is actually the well-known SSDT table call, which involves the KiServiceTable symbol. The 74h in the above figure is the service number of ZwEnumerateKey call in the SSDT table.

The position of the SSDT table in my IDA is as follows:

Take a look at the 74h call, first calculate the address:

0x45c5f4 + 74h * 4 = 0x45c7c4

Turn to this address in IDA to see which function it is:

So we can improve the call chain of the above functions:

VfZwEnumerateKey ---> ZwEnumerateKey -(SSDT)-> NtEnumearteKey ---> CmEnumerateKey

Interlude

In the process of reverse engineering, by searching for the Tag used by the virus driver to allocate memory function ExAllocatePoolWithTag on github, I found the open source code corresponding to this driver:

By comparing the disassembled code in IDA and the source code on github, it is found that the logic is consistent, and it is further determined that the underlying code used by PurpleFox is the code of this project on github (I don’t know if the virus author is in the star list of this project).

File hiding

After finding the source code, the steps of file hiding are clear: register the minifilter filter, filter the results of traversing the file, if it is found to be a file to be hidden, then return the information of the next file. The information of the virus registered filter is as follows, the left side of the following figure is the stack call when the filter is hit, it can be seen that

The core C code corresponding to the logic of hiding files is as follows:

NTSTATUS CleanFileFullDirectoryInformation(PFILE_FULL_DIR_INFORMATION info, PFLT_FILE_NAME_INFORMATION fltName)
{
PFILE_FULL_DIR_INFORMATION nextInfo, prevInfo = NULL;
UNICODE_STRING fileName;
UINT32 offset, moveLength;
BOOLEAN matched, search;
NTSTATUS status = STATUS_SUCCESS;
offset = 0;
search = TRUE;
do
{
fileName.Buffer = info->FileName;
fileName.Length = (USHORT)info->FileNameLength;
fileName.MaximumLength = (USHORT)info->FileNameLength;
if (info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
matched = CheckExcludeListDirFile(g_excludeDirectoryContext, &fltName->Name, &fileName);
else
matched = CheckExcludeListDirFile(g_excludeFileContext, &fltName->Name, &fileName);
if (matched)
{
BOOLEAN retn = FALSE;
if (prevInfo != NULL)
{
if (info->NextEntryOffset != 0)
{
prevInfo->NextEntryOffset += info->NextEntryOffset;
offset = info->NextEntryOffset;
}
else
{
prevInfo->NextEntryOffset = 0;
status = STATUS_SUCCESS;
retn = TRUE;
}
RtlFillMemory(info, sizeof(FILE_FULL_DIR_INFORMATION), 0);
}
else
{
if (info->NextEntryOffset != 0)
{
nextInfo = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)info + info->NextEntryOffset);
moveLength = 0;
while (nextInfo->NextEntryOffset != 0)
{
moveLength += nextInfo->NextEntryOffset;
nextInfo = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)nextInfo + nextInfo->NextEntryOffset);
}
moveLength += FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName) + nextInfo->FileNameLength;
RtlMoveMemory(info, (PUCHAR)info + info->NextEntryOffset, moveLength);//continue
}
else
{
status = STATUS_NO_MORE_ENTRIES;
retn = TRUE;
}
}
LogTrace("Removed from query: %wZ\\%wZ", &fltName->Name, &fileName);
if (retn)
return status;
info = (PFILE_FULL_DIR_INFORMATION)((PCHAR)info + offset);
continue;
}
offset = info->NextEntryOffset;
prevInfo = info;
info = (PFILE_FULL_DIR_INFORMATION)((PCHAR)info + offset);
if (offset == 0)
search = FALSE;
} while (search);
return STATUS_SUCCESS;
}

We can see in PCHunter that the address of the filter set by the virus is: 0x88F8A3D8, and it also prompts that the module does not exist. This address is actually the address of a structure in the second parameter of the callback function registered by the virus:

From the above figure, we know that this address is the _FLT_FILTER structure. In fact, based on this structure, we can get the module name. This is an improvement point of PCHunter:

Knowing this address, we can call the function to cancel this callback to remove the file protection of the virus:

VOID FLTAPI FltUnregisterFilter(
PFLT_FILTER Filter
);

Traverse the filter

In fact, Microsoft’s minifilter itself provides a series of functions that allow developers to have the ability to traverse various filters. These functions are exported by flgmgr.sys, which is very suitable for our manual traversal research objects. Many important data structures in the Windows kernel are stored in the form of linked lists in global variables. When needed, you only need to find the beginning of the linked list from the global variables, and you can traverse the entire list to find the objects you need to use. Take a look at the functions exported by fltmgr.sys, combined with the _FLT_FILTER structure displayed by PCHunter in the above text, you can “guess” that FltEnumerateFilters is a more suitable entry point:

This function obtains a LIST_ENTRY structure from the global variable g_listFltpFrame_4, and then traverses the entire _FLTP_FRMAE frame through the Flink pointer of this structure, and finally puts the completed pointer into the passed in FilterList array. But there is a pit here, let’s first take a look at where the global variable g_listFltpFrame_4 is assigned:

Through the study of the context of the assignment, it is known that the type of v4 is _FLTP_FRAME *, and g_listFltpFrame_4 is assigned to the address! address!! address!!! (important things say three times) of the Links member domain of this data structure. Next, let’s take a look at what this data structure looks like through windbg:

kd> dt -b fltmgr!_FLTP_FRAME

+0x000 Type : _FLT_TYPE

+0x004 Links : _LIST_ENTRY

+0x000 Flink : Ptr32

+0x004 Blink : Ptr32

+0x00c FrameID : Uint4B

+0x010 AltitudeIntervalLow : _UNICODE_STRING

+0x018 AltitudeIntervalHigh : _UNICODE_STRING

+0x020 LargeIrpCtrlStackSize : UChar

+0x021 SmallIrpCtrlStackSize : UChar

+0x024 RegisteredFilters : _FLT_RESOURCE_LIST_HEAD

+0x000 rLock : _ERESOURCE

+0x038 rList : _LIST_ENTRY

…………省略…………

The Flink member is at the offset +0x4 position, so g_listFltpFrame_4 needs to subtract 4 to be the address of the first _FLTP_FRAME structure, and according to the context of FltEnumerateFilters, we can reasonably speculate that the double-linked list at _FLTP_FRAME+0x4 stores the _FLT_FILTER structure. This trick has a lot of applications in the kernel, such as the code for getting _FLT_INSTANCE from _FLT_FILTER in the following figure:

You can see that the pseudo C code decompiled by IDA’s Hexray is actually problematic. Combined with the assembly code, you can see that the real operation is actually to subtract the pointer size by 0x34. So what is the position of 0x34? Let’s talk about it with the data results:

kd> dt -b fltmgr!_FLT_FILTER

+0x000 Base : _FLT_OBJECT

+0x000 Flags :

+0x004 PointerCount : Uint4B

+0x008 RundownRef : _EX_RUNDOWN_REF

+0x00c PrimaryLink : _LIST_ENTRY

+0x000 Flink : Ptr32

+0x004 Blink : Ptr32

+0x014 Frame : Ptr32

+0x018 Name : _UNICODE_STRING

+0x020 DefaultAltitude : _UNICODE_STRING

+0x028 Flags :

+0x02c DriverObject : Ptr32

+0x030 InstanceList : _FLT_RESOURCE_LIST_HEAD

+0x000 rLock : _ERESOURCE

+0x038 rList : _LIST_ENTRY

+0x000 Flink : Ptr32

+0x004 Blink : Ptr32

+0x040 rCount : Uint4B

First, take out an address from _FLT_FILTER->InstanceList->rList->Flink, and then subtract this address by 0x34. What is InstanceList? Look at the name, guess it is a _FLT_INSTANCE *, and then take a look at the _FLT_INSTACNE structure:

kd> dt -b fltmgr!_FLT_INSTANCE

+0x000 Base : _FLT_OBJECT

+0x014 OperationRundownRef : Ptr32

+0x018 Volume : Ptr32

+0x01c Filter : Ptr32

+0x020 Flags :

+0x024 Altitude : _UNICODE_STRING

+0x02c Name : _UNICODE_STRING

+0x034 FilterLink : _LIST_ENTRY

+0x000 Flink : Ptr32

+0x004 Blink : Ptr32

…………省略…………

After subtracting 0x34, it is exactly the first address of the _FLT_INSTANCE object. After research, we can draw the relationship between _FLTP_FRAME, _FLT_FILTER, and _FLT_INSTANCE structures as shown in the following figure (note that this structure is different on different versions of the system):

Here, the reverse process from _FLTP_FRAME->RegisteredFilters->rList->Flink to _FLT_FILTER->PrimaryLink->Flink is omitted. You can go and see for yourself. Here, you only need to remember that you need to subtract the offset of 0xC. The negative offset in the above figure is too uncomfortable to look at. Introduce a small IDA trick to make the pseudo code after Hexray decompilation look better. In the figure of the negative array index above, we already know that the i variable is _FLT_INSTANCE type. Right-click on this variable, select Convert to struct *, and then find the _FLT_INSTANCE structure. Fill in the offset address we reversed in the Pointer shift value below, as shown in the following figure:

After regularization, the pseudo C code of the same function is much easier to read:

It can be seen that IDA uses ADJ to identify data structures that have been offset, and i itself is marked as the following type:

_LIST_ENTRY *__shifted(_FLT_INSTANCE, 0x34)

In fact, it is the CONTANING_RECORD macro. Everyone can take a look at the specific definition of this macro, and there are many tricks to use. All the way to this, I must write some code to reward myself ;) The following is the code for traversing various filters of minifilter. Because there are too many data structures involved, we have converted some unused members into pointer arrays of the same size (in fact, you can also refer to the corresponding header files in ReactOS):

#include
union u1
{
NTSTATUS (__stdcall *PreOperation)(int *, int *, void **);
int (__stdcall *GenerateFileName)(int *, int *, int *, unsigned int, unsigned __int8 *, int *);
int (__stdcall *NormalizeNameComponent) \
(int *, const UNICODE_STRING *, unsigned __int16, const UNICODE_STRING *, int *, unsigned int, unsigned int, void **);
int (__stdcall *NormalizeNameComponentEx) \
(int *, int *, const UNICODE_STRING *, unsigned __int16, const UNICODE_STRING *, int *, unsigned int, unsigned int, void **);
};
union u2
{
NTSTATUS (__stdcall *PostOperation)(int *, int *, void *, unsigned int);
void (__stdcall *NormalizeContextCleanup)(void **);
};
struct _FLT_RESOURCE_LIST_HEAD
{
unsigned int *rLock[14];
LIST_ENTRY rList;
unsigned int rCount;
};
struct _CALLBACK_NODE
{
LIST_ENTRY CallbackLinks;
struct _FLT_INSTANCE *Instance;
union u1 *_u1;
union u2 *_u2;
int *Flags;
};
struct _FLT_INSTANCE
{
unsigned int *Base[0x5];
int *OperationRundownRef;
int *Volume;
struct _FLT_FILTER *Filter;
int *Flags;
UNICODE_STRING Altitude;
UNICODE_STRING Name;
LIST_ENTRY FilterLink;
int *ContextLock;
int *Context;
int *TransactionContexts;
int *TrackCompletionNodes;
struct _CALLBACK_NODE *CallbackNodes[50];
};
struct _FLTP_FRAME
{
unsigned int* usless1;
LIST_ENTRY Links;
unsigned int FrameID;
UNICODE_STRING AltitudeIntervalLow;
UNICODE_STRING AltitudeIntervalHigh;
unsigned __int8 LargeIrpCtrlStackSize;
unsigned __int8 SmallIrpCtrlStackSize;
struct _FLT_RESOURCE_LIST_HEAD RegisteredFilters;
struct _FLT_RESOURCE_LIST_HEAD AttachedVolumes;
LIST_ENTRY MountingVolumes;
unsigned int *AttachedFileSystems[11];
unsigned int *ZombiedFltObjectContexts[11];
unsigned int *KtmResourceManagerHandle;
struct _KRESOURCEMANAGER *KtmResourceManager;
unsigned int *FilterUnloadLock[14];
FAST_MUTEX DeviceObjectAttachLock;
unsigned int *Prcb;
unsigned int *PrcbPoolToFree;
unsigned int *LookasidePoolToFree;
unsigned int *IrpCtrlStackProfiler[32];
__declspec(align(16)) unsigned int *SmallIrpCtrlLookasideList[20];
__declspec(align(64)) unsigned int *LargeIrpCtrlLookasideList[20];
unsigned int *BackpocketIrpCtrls[21];
};
typedef struct _FLT_FILTER
{
unsigned int *Base[0x5];
struct _FLTP_FRAME *Frame;
UNICODE_STRING Name;
UNICODE_STRING DefaultAltitude;
unsigned int *Flags;
DRIVER_OBJECT *DriverObject;
struct _FLT_RESOURCE_LIST_HEAD InstanceList;
unsigned int *VerifierExtension;
LIST_ENTRY VerifiedFiltersLink;
int (__stdcall *FilterUnload)(unsigned int);
int (__stdcall *InstanceSetup)(const unsigned int *, unsigned int, unsigned int, unsigned int *);
int (__stdcall *InstanceQueryTeardown)(const unsigned int *, unsigned int);
unsigned int (__stdcall *InstanceTeardownStart)(const unsigned int *, unsigned int);
unsigned int (__stdcall *InstanceTeardownComplete)(const unsigned int *, unsigned int);
unsigned int *SupportedContextsListHead;
unsigned int *SupportedContexts[6];
NTSTATUS (__stdcall *PreVolumeMount)(unsigned int *, const unsigned int *, unsigned int **);
NTSTATUS (__stdcall *PostVolumeMount)(unsigned int *, const unsigned int *, unsigned int *, unsigned int);
int (__stdcall *GenerateFileName)(unsigned int *, unsigned int *, unsigned int *, unsigned int, unsigned __int8 *, unsigned int *);
int (__stdcall *NormalizeNameComponent) \
(unsigned int *, const UNICODE_STRING *, unsigned __int16, const UNICODE_STRING *, unsigned int *, unsigned int, unsigned int, unsigned int **);
int (__stdcall *NormalizeNameComponentEx) \
(unsigned int *, unsigned int *, UNICODE_STRING *, unsigned __int16, UNICODE_STRING *, unsigned int *, unsigned int, unsigned int, unsigned int **);
unsigned int (__stdcall *NormalizeContextCleanup)(unsigned int **);
int (__stdcall *KtmNotification)(const unsigned int *, unsigned int *, unsigned int);
unsigned int *Operations;
unsigned int (__stdcall *OldDriverUnload)(DRIVER_OBJECT *);
unsigned int *ActiveOpens[11];
unsigned int *ConnectionList[11];
unsigned int *PortList[11];
unsigned int *PortLock;
}*PFLT_FILTER, FLT_FILTER;
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) {
unsigned int *g_filterFrame = (unsigned int *)0x8db819f8;
struct _FLTP_FRAME *frame = (struct _FLTP_FRAME*)((char *)(*g_filterFrame) - 0x4);
for(LIST_ENTRY *i = frame->RegisteredFilters.rList.Flink; i->Flink != frame->RegisteredFilters.rList.Flink; i = i->Flink) {
struct _FLT_FILTER *filter = (struct _FLT_FILTER*)((char*)(i) - 0xC);
for(LIST_ENTRY *j = filter->InstanceList.rList.Flink; j->Flink != filter->InstanceList.rList.Flink; j = j->Flink) {
struct _FLT_INSTANCE *instance = (struct _FLT_INSTANCE *)((char*)j - 0x34);
for(int index = 0; index < 50; index += 1) {
if(instance->CallbackNodes != 0 && instance->CallbackNodes[index] != 0) {
DbgPrint("[IterateFilters] filter:%x\tname:%wZ\tinstance:%x\tindex:%d\tpre_cb:%x\tpost_cb:%x\n",
filter, &filter->Name, instance, index,
instance->CallbackNodes[index]->_u1, instance->CallbackNodes[index]->_u2);
}
}
}
}
return STATUS_SUCCESS;
}