
InhookIopLoadDriver  

2012-03-20 14:54:26|  分类: window驱动学习 |  标签: |举报 |字号 订阅

inlineIopLoadDriver.h

#ifndef _INLINE_IOPLOADDRIVER_H_
#define _INLINE_IOPLOADDRIVER_H_

/* Locate IopLoadDriver in ntoskrnl and install an inline (5-byte jmp) hook
   on it. Declared VOID, so failures are reported only via DbgPrint;
   see inlineIopLoadDriver.c. */
VOID RsInlineHookIopLoadDriver();

#endif

inlineIopLoadDriver.c

#include <ntddk.h>
#include <windef.h>
#include "comm.h"
#include "inlineIopLoadDriver.h"
#include "util.h"


/* Verdicts returned by HOOK_IopLoadDriver. They are compared against eax
   directly inside T_IopLoadDriver's __asm block, which is why they are kept as
   #defines. The "DRVIER" spelling of the PERMIT value is a typo, but it is
   used consistently throughout this file, so it is left as is. */
#define DEFEND_LOAD_DRIVER  1
#define PERMIT_LOAD_DRVIER 0
/* Address of ntoskrnl's IopLoadDriver as found by GetUndocumentFunctionAdress;
   0 until the lookup has run. Kept as a ULONG because the inline asm in
   T_IopLoadDriver does arithmetic on it (add eax, 5). */
ULONG IopLoadDriver;


/* ZwQuerySystemInformation is exported by ntoskrnl but not declared in the
   DDK headers, hence this local prototype. This file only uses it with
   SystemModuleInformation, to obtain the kernel image base and size. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
 __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
 __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
 __in ULONG SystemInformationLength,
 __out_opt PULONG ReturnLength
 );


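/*
 * Locate IopLoadDriver inside ntoskrnl by scanning the kernel image for the
 * byte pattern of its prologue.
 *
 * Returns the address of the first match as a PVOID, or NULL when the module
 * list cannot be read or nothing matches. (The original fell off the end of
 * the function without a return in the no-match case, and leaked the module
 * buffer when the second query failed.)
 *
 * The signature ends in an absolute address (mov eax,[8054BE40h]), so it only
 * matches the single ntoskrnl build it was taken from. The "_sp2" naming in
 * the original suggests XP SP2, but that is not verified here; on any other
 * build this returns NULL and the hook is simply not installed.
 */
PVOID GetUndocumentFunctionAdress()
{
    ULONG size = 0;
    PULONG buf;
    PSYSTEM_MODULE_INFORMATION module;
    ULONG ntosknlBase;
    ULONG ntosknlEndAddr;
    ULONG page;
    ULONG cur;
    NTSTATUS status;

    /* 8B FF 55 8B EC 81 EC B4 00 00 00 A1 40 BE 54 80 =
       mov edi,edi / push ebp / mov ebp,esp / sub esp,0B4h / mov eax,[8054BE40h]
       These are the same 16 bytes the original compared as four little-endian
       ULONGs: 0x8b55ff8b, 0xb4ec81ec, 0xa1000000, 0x8054be40. */
    static const UCHAR signature[16] = {
        0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xB4,
        0x00, 0x00, 0x00, 0xA1, 0x40, 0xBE, 0x54, 0x80
    };

    /* First call only sizes the buffer. A NULL buffer is the usual idiom; the
       original passed &size as a 0-byte buffer, which worked by accident. */
    ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &size);
    if (size == 0) {
        DbgPrint("failed  query\n");
        return NULL;
    }

    buf = (PULONG)ExAllocatePoolWithTag(PagedPool, size, 'dLsR');
    if (buf == NULL) {
        DbgPrint("failed alloc memory failed  \n");
        return NULL;
    }

    status = ZwQuerySystemInformation(SystemModuleInformation, buf, size, NULL);
    if (!NT_SUCCESS(status) || *buf == 0) {
        DbgPrint("failed  query\n");
        ExFreePool(buf);   /* the original returned here without freeing */
        return NULL;
    }

    /* Buffer layout: a ULONG module count followed by the module array.
       Entry 0 is taken to be ntoskrnl, exactly as the original assumed. */
    module = (PSYSTEM_MODULE_INFORMATION)(buf + 1);
    ntosknlBase = (ULONG)module->ImageBase;
    ntosknlEndAddr = ntosknlBase + (ULONG)module->Size;
    ExFreePool(buf);

    /* Scan page by page. The image range contains gaps and sections that are
       discarded after boot (e.g. INIT); touching an unmapped page would
       bugcheck, so every page is checked with MmIsAddressValid before it is
       read. The 16-byte compare is also bounded to the image: the original
       loop ran to ntosknlEndAddr inclusive and read up to 15 bytes past it. */
    for (page = ntosknlBase & ~(PAGE_SIZE - 1); page < ntosknlEndAddr; page += PAGE_SIZE) {
        ULONG pageEnd = page + PAGE_SIZE;

        if (!MmIsAddressValid((PVOID)page)) {
            continue;
        }

        for (cur = (page > ntosknlBase) ? page : ntosknlBase;
             cur < pageEnd && cur + sizeof(signature) <= ntosknlEndAddr;
             cur++) {
            /* A candidate that straddles the page boundary also needs the next
               page to be mapped; if it is not, nothing else on this page fits. */
            if (cur + sizeof(signature) > pageEnd && !MmIsAddressValid((PVOID)pageEnd)) {
                break;
            }
            if (RtlCompareMemory((PVOID)cur, signature, sizeof(signature)) == sizeof(signature)) {
                DbgPrint("adress is:%x", cur);
                return (PVOID)cur;
            }
        }
    }

    DbgPrint("IopLoadDriver signature not found\n");
    return NULL;
}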


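/*
 * Verify that the first five bytes at IopLoadDriver are still the standard
 * hot-patchable prologue 8B FF 55 8B EC (mov edi,edi / push ebp / mov ebp,esp).
 *
 * Despite the name, STATUS_SUCCESS means "prologue intact, safe to patch".
 * STATUS_UNSUCCESSFUL means the bytes differ (already hooked by something
 * else, or a build with a different prologue) or IopLoadDriver is 0.
 * Reads the global IopLoadDriver, which the caller must have set first.
 */
NTSTATUS CheckIopLoadDriverIsHook()
{
    static const UCHAR prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    const UCHAR *addr = (const UCHAR *)IopLoadDriver;
    ULONG i;

    /* The original dereferenced IopLoadDriver unconditionally; a failed
       lookup leaves it 0 and that read would fault. */
    if (addr == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Unsigned bytes: the original compared signed chars initialised from
       0x8B etc., which relied on implementation-defined conversion. */
    for (i = 0; i < sizeof(prologue); i++) {
        DbgPrint(" - 0x%02X ", addr[i]);
        if (addr[i] != prologue[i]) {
            return STATUS_UNSUCCESSFUL;
        }
    }
    return STATUS_SUCCESS;
}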




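/*
 * C half of the IopLoadDriver hook. T_IopLoadDriver calls this with the
 * original four arguments before the real IopLoadDriver runs.
 *
 * Reads the service key's name (KeyBasicInformation) and asks
 * RsIsItemInServiceNameList (defined elsewhere in the project) whether that
 * service is on the block list.
 *
 * The return value is a verdict for the trampoline, not an NTSTATUS:
 *   DEFEND_LOAD_DRIVER - block the load; *DriverEntryStatus = STATUS_ACCESS_DENIED
 *   PERMIT_LOAD_DRVIER - let the original IopLoadDriver run;
 *                        *DriverEntryStatus = STATUS_SUCCESS
 * Any failure to read the name falls through to PERMIT (fail-open), which is
 * what the original did too.
 *
 * Fixes relative to the original: `if (KeyHandle = NULL)` assigned instead of
 * comparing, so the NULL check never fired and KeyHandle was clobbered;
 * *DriverEntryStatus was written after `return` (dead code) on both paths;
 * kbi was never freed; the key name was copied into a 128-WCHAR stack buffer
 * with no bound (NameLength is in bytes and is not NUL-terminated); and
 * KeyHandle was closed on the permit path, immediately before the real
 * IopLoadDriver went on to use it.
 */
NTSTATUS
HOOK_IopLoadDriver(
    IN  HANDLE      KeyHandle,
    IN  BOOLEAN     CheckForSafeBoot,
    IN  BOOLEAN     IsFilter,
    OUT NTSTATUS   *DriverEntryStatus
    )
{
    ULONG ResultLength = 0;
    PKEY_BASIC_INFORMATION kbi;
    NTSTATUS status;
    WCHAR servicename[128] = L"";
    NTSTATUS verdict = PERMIT_LOAD_DRVIER;

    UNREFERENCED_PARAMETER(CheckForSafeBoot);
    UNREFERENCED_PARAMETER(IsFilter);

    if (KeyHandle == NULL) {
        *DriverEntryStatus = STATUS_SUCCESS;
        return PERMIT_LOAD_DRVIER;
    }

    /* Size the name buffer, then read it. */
    ZwQueryKey(KeyHandle, KeyBasicInformation, NULL, 0, &ResultLength);
    if (ResultLength == 0) {
        *DriverEntryStatus = STATUS_SUCCESS;
        return PERMIT_LOAD_DRVIER;
    }

    kbi = (PKEY_BASIC_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, ResultLength, 'dLsR');
    if (kbi != NULL) {
        status = ZwQueryKey(KeyHandle, KeyBasicInformation, kbi, ResultLength, &ResultLength);
        /* Bound the copy and leave room for the terminator. A name that does
           not fit cannot be looked up and is permitted rather than overrunning
           the stack as the original would have. */
        if (NT_SUCCESS(status) && kbi->NameLength <= sizeof(servicename) - sizeof(WCHAR)) {
            RtlCopyMemory(servicename, kbi->Name, kbi->NameLength);
            servicename[kbi->NameLength / sizeof(WCHAR)] = L'\0';
            if (RsIsItemInServiceNameList(servicename)) {
                verdict = DEFEND_LOAD_DRIVER;
            }
        }
        ExFreePool(kbi);
    }

    /* KeyHandle is deliberately left open: on PERMIT the real IopLoadDriver
       still needs it. NOTE(review): on DEFEND the original function never
       runs, so whoever normally closes this handle on the target build
       (the caller or IopLoadDriver itself) should be confirmed -- the original
       code closed it only on the permit path, which was the wrong one. */
    *DriverEntryStatus = (verdict == DEFEND_LOAD_DRIVER) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
    return verdict;
}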

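/*
 * Naked trampoline that the 5-byte jmp written over IopLoadDriver lands on.
 *
 * It re-executes the overwritten prologue, forwards the four stdcall
 * arguments to HOOK_IopLoadDriver, and then either continues in the original
 * function just past its prologue (PERMIT) or returns STATUS_ACCESS_DENIED to
 * IopLoadDriver's caller without running it (DEFEND).
 *
 * Fixes relative to the original asm:
 *  - `[ebp+14]` and `[ebp+10]` were decimal (14 and 10), not 14h/10h, so
 *    IsFilter and DriverEntryStatus were read from misaligned stack slots.
 *  - HOOK_IopLoadDriver is a plain C function (default __cdecl), so the caller
 *    must pop its 16 bytes of arguments; the original never did. On the deny
 *    path `pop ebp` therefore popped KeyHandle into ebp and `retn` returned to
 *    a garbage address; on the permit path the original IopLoadDriver ran
 *    with 16 stray bytes on its stack.
 *  - The deny path returned the verdict value 1 in eax, which NT_SUCCESS()
 *    treats as success; it now returns STATUS_ACCESS_DENIED (0xC0000022).
 *  - `retn 8` did not match the four-argument stdcall signature; it is
 *    `ret 10h` (the 4 x 4-byte parameters declared above).
 *  - The label `end` is renamed; END is a MASM directive.
 */
__declspec(naked) NTSTATUS T_IopLoadDriver(
    IN  HANDLE      KeyHandle,
    IN  BOOLEAN     CheckForSafeBoot,
    IN  BOOLEAN     IsFilter,
    OUT NTSTATUS   *DriverEntryStatus
    )
{
    __asm
    {
        ; replay the 5 prologue bytes that the jmp overwrote
        mov   edi, edi
        push  ebp
        mov   ebp, esp

        ; forward the original arguments (stdcall: [ebp+8] .. [ebp+14h])
        push  dword ptr [ebp+14h]   ; DriverEntryStatus
        push  dword ptr [ebp+10h]   ; IsFilter
        push  dword ptr [ebp+0Ch]   ; CheckForSafeBoot
        push  dword ptr [ebp+8]     ; KeyHandle
        call  HOOK_IopLoadDriver
        add   esp, 10h              ; __cdecl: caller pops the 4 arguments
        cmp   eax, DEFEND_LOAD_DRIVER
        jz    deny_load

        ; PERMIT: resume the real function after its 5-byte prologue.
        ; ebp/esp now match what its own prologue would have produced.
        mov   eax, IopLoadDriver
        add   eax, 5
        jmp   eax

    deny_load:
        ; DEFEND: unwind our prologue copy and fail the load for the caller.
        mov   eax, 0C0000022h       ; STATUS_ACCESS_DENIED
        pop   ebp
        ret   10h                   ; stdcall, 4 dword parameters
    }
}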


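/*
 * Install the inline hook: overwrite the first 5 bytes of IopLoadDriver
 * (its mov edi,edi / push ebp / mov ebp,esp prologue) with
 * `jmp T_IopLoadDriver`. Requires the global IopLoadDriver to be set; does
 * nothing when it is 0.
 *
 * Fixes relative to the original: the function body had no opening brace;
 * IopLoadDriver (a ULONG) was passed to RtlCopyMemory without a cast; IRQL
 * was raised *after* interrupts were disabled and lowered *before* they were
 * re-enabled; CR0 was restored by unconditionally OR-ing WP back in instead
 * of restoring the saved value; and DbgPrint ran inside the interrupts-off
 * window.
 *
 * Caveat: clearing CR0.WP and `cli` only affect the current processor. On a
 * multiprocessor system another CPU can execute IopLoadDriver while this
 * 5-byte, non-atomic write is half done. A production hook needs to park the
 * other CPUs (e.g. rendezvous DPCs) or patch through a writable MDL mapping
 * with an atomic write; this routine is only safe on a single-processor target.
 */
VOID InlineHookIopLoadDriver()
{
    LONG JmpOffSet;
    UCHAR JmpCode[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };   /* jmp rel32 */
    KIRQL oldIrql;
    ULONG savedCr0;

    if (IopLoadDriver == 0) {
        DbgPrint("IopLoadDriver NOT FOUND\n");
        return;
    }

    DbgPrint("IopLoadDriver is found at:0x%08x\n", (ULONG)IopLoadDriver);
    DbgPrint("T_IopLoadDriver is:%x\n", T_IopLoadDriver);

    /* rel32 is measured from the end of the 5-byte jmp instruction. */
    JmpOffSet = (LONG)((ULONG)T_IopLoadDriver - IopLoadDriver - 5);
    DbgPrint("JmpOffSet is:%x\n", JmpOffSet);
    RtlCopyMemory(JmpCode + 1, &JmpOffSet, sizeof(JmpOffSet));

    /* Raise IRQL while interrupts are still enabled, then mask interrupts and
       drop CR0.WP so the read-only kernel text can be written. */
    oldIrql = KeRaiseIrqlToDpcLevel();
    _asm
    {
        cli
        mov   eax, cr0
        mov   savedCr0, eax
        and   eax, not 10000h       ; clear WP (bit 16)
        mov   cr0, eax
    }

    RtlCopyMemory((PVOID)IopLoadDriver, JmpCode, sizeof(JmpCode));

    _asm
    {
        mov   eax, savedCr0         ; restore CR0 exactly as it was
        mov   cr0, eax
        sti
    }
    KeLowerIrql(oldIrql);

    DbgPrint("IopLoadDriver is hook now \n");
}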


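/*
 * Entry point declared in inlineIopLoadDriver.h: locate IopLoadDriver, make
 * sure its prologue is the expected, unpatched one, then install the hook.
 * The header declares it VOID, so failures are only reported via DbgPrint
 * (the original returned STATUS_UNSUCCESSFUL from a VOID function).
 */
VOID RsInlineHookIopLoadDriver()
{
    IopLoadDriver = (ULONG)GetUndocumentFunctionAdress();
    if (IopLoadDriver == 0) {
        /* Checked here so CheckIopLoadDriverIsHook never reads address 0. */
        DbgPrint("IopLoadDriver NOT FOUND\n");
        return;
    }

    if (STATUS_SUCCESS != CheckIopLoadDriverIsHook()) {
        /* The original printed "PspTerminateThreadByPointer Match Failed",
           a copy-paste leftover naming the wrong function. */
        DbgPrint("IopLoadDriver prologue match failed (already hooked?)\n");
        return;
    }

    InlineHookIopLoadDriver();
}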
