手动实现SSDT HOOK NtOpenProcess  

2012-03-04 15:50:50|  分类: window驱动学习 |  标签: |举报 |字号 订阅

DriverTest.h
/***************************************************************************************
* AUTHOR : pandazheng
* DATE   : 2012-3-4
* MODULE : DriverTest.H
*
* IOCTRL Sample Driver
*
* Description:
* Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2010 pandazheng.
****************************************************************************************/

#include <ntddk.h>
#include <windef.h>

/* Section-placement helpers, used as "#pragma INITCODE" / "#pragma PAGED_CODE"
 * in front of a function definition (MSVC code_seg). INIT is conventionally
 * discarded after DriverEntry returns, so only code reached exclusively from
 * DriverEntry may be placed there (MyCreateDevice qualifies).
 * NOTE(review): ntddk.h already provides a function-like PAGED_CODE() macro;
 * this object-like redefinition shadows it (MSVC reports C4005) — confirm the
 * name collision is intended or pick a distinct name such as PAGEDCODE. */
#define INITCODE code_seg("INIT")
#define PAGED_CODE code_seg("PAGE")

/* Unload callback: restores the bytes saved in OldJmpCode, then deletes the
 * device object and the \??\DriverTest symbolic link. */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject);

/* Creates \Device\DriverTest (buffered I/O) plus the \??\DriverTest link.
 * Returns the failing NTSTATUS from IoCreateDevice / IoCreateSymbolicLink. */
NTSTATUS MyCreateDevice(IN PDRIVER_OBJECT);

/* Shared dispatch for CREATE/CLOSE/READ/DEVICE_CONTROL: completes every IRP
 * with STATUS_SUCCESS and Information = 0. */
NTSTATUS DriverDispatchRoutine(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp);

//extern long KeServiceDescriptorTable;
/* Driver-side view of the kernel's service descriptor table (x86 build).
 * Only ServiceTableBase is consumed here: GetNt_CurAddr() treats it as an
 * array of ULONG entry points and reads one fixed slot.
 * NOTE(review): the symbol is declared as a *pointer* although the kernel
 * exports the table itself; the arrow-style access in this file relies on the
 * plain extern resolving to the import-address-table slot. Confirm before
 * changing the declaration (e.g. to __declspec(dllimport)). */
typedef struct _ServiceDescriptorTable{
PVOID ServiceTableBase; // base address of the System Service Dispatch Table (indexed by GetNt_CurAddr)
PVOID ServiceCounterTable; // not used by this driver
unsigned int NumberOfServices; // presumably the entry count of ServiceTableBase; the asm reader never checks it
PVOID ParamTableBase; // not used by this driver
}*pServiceDescriptorTable;
extern pServiceDescriptorTable KeServiceDescriptorTable;

/* Byte image of a 5-byte x86 near jump as read from / written to the patch
 * site: opcode 0xE9 followed by a 32-bit displacement measured from the end of
 * the instruction (DriverEntry computes it as target - site - 5).
 * pack(1) keeps sizeof(JMPCODE) == 5 so the struct overlays code exactly. */
#pragma pack(1)
typedef struct _JMPCODE
{
BYTE E9; // jump opcode byte (0xE9)
ULONG JMPADDR; // rel32 displacement
}JMPCODE,*PJMPCODE;
#pragma pack()

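/* Reads the entry the SSDT currently dispatches NtOpenProcess to. Declared with
 * (void): an empty parameter list in a prototype means "unspecified", which
 * silently accepts wrong calls. */
ULONG GetNt_CurAddr(void);

/* Resolves the exported NtOpenProcess through MmGetSystemRoutineAddress, i.e.
 * the value the SSDT entry is expected to hold when nothing has hooked it. */
ULONG GetNt_OldAddr(void);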

Driver.c
/***************************************************************************************
* AUTHOR : pandazheng
* DATE   : 2012-3-4
* MODULE : DriverTest.C
* Command: 
* Source of IOCTRL Sample Driver
*
* Description:
* Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2010 pandazheng.
****************************************************************************************/
#include "DriverTest.h"

/* Original first five bytes at the patch site, captured by DriverEntry before
 * it writes the jump so DriverUnload can put them back. File-scope, so it is
 * zero-initialized: when DriverEntry finds no hook it is never written, and
 * an unconditional restore would write five zero bytes over live code. */
JMPCODE OldJmpCode; // saves the original first five bytes so they can be restored

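#pragma INITCODE
/*
 * MyCreateDevice - create \Device\DriverTest and its \??\DriverTest symbolic link.
 *
 * Lives in the INIT section, so it must only be called from DriverEntry.
 * The device is created exclusive, with no extension and unknown type, and is
 * switched to buffered I/O. On any failure nothing is left behind: if the
 * symbolic link cannot be created the device object is deleted again.
 *
 * Returns STATUS_SUCCESS, or the failing NTSTATUS from IoCreateDevice /
 * IoCreateSymbolicLink.
 */
NTSTATUS MyCreateDevice(IN PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;
    UNICODE_STRING devName;
    UNICODE_STRING symLinkName;
    PDEVICE_OBJECT pDevObj = NULL;

    RtlInitUnicodeString(&devName, L"\\Device\\DriverTest");

    /* Exclusive device, no device extension, no characteristics. */
    status = IoCreateDevice(pDriverObject,
                            0,
                            &devName,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &pDevObj);

    if (!NT_SUCCESS(status))
    {
        /* STATUS_OBJECT_NAME_EXISTS is a warning-severity (success) code, so it
         * can never reach this branch; the old test for it was dead code. A name
         * clash surfaces as STATUS_OBJECT_NAME_COLLISION. Any other code is
         * printed so a failed load is diagnosable. */
        switch (status)
        {
        case STATUS_INSUFFICIENT_RESOURCES:
            DbgPrint("资源不足STATUS_INSUFFICIENT_RESOURCES");
            break;
        case STATUS_OBJECT_NAME_COLLISION:
            DbgPrint("对象名有冲突");
            break;
        default:
            DbgPrint("IoCreateDevice status = %x\n", status);
            break;
        }

        DbgPrint("IoCreateDevice Failed...\n");
        return status;
    }

    DbgPrint("IoCreateDevice Successfully...\n");

    pDevObj->Flags |= DO_BUFFERED_IO;

    RtlInitUnicodeString(&symLinkName, L"\\??\\DriverTest");

    status = IoCreateSymbolicLink(&symLinkName, &devName);

    if (!NT_SUCCESS(status))
    {
        DbgPrint("IoCreateSymbolicLink Failed...\n");
        /* Roll back the device so a failed DriverEntry leaves no dangling object. */
        IoDeleteDevice(pDevObj);

        return status;
    }

    return STATUS_SUCCESS;
}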

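#pragma INITCODE
/*
 * DriverEntry_PatchBytes - write opcode + rel32 over the five bytes at pSite
 * with the CR0.WP bit cleared.
 *
 * The cli / CR0 sequence is exactly the one the original inline code used and
 * is kept unchanged. Caveats a reader should know: it is x86-only MSVC inline
 * asm, and cli only masks interrupts on the current CPU, so on a multiprocessor
 * system the five-byte store is not atomic with respect to other CPUs.
 * Called only from DriverEntry (it shares the INIT section): once to install
 * the jump and once to undo it on DriverEntry's failure path.
 */
static VOID DriverEntry_PatchBytes(PJMPCODE pSite, BYTE opcode, ULONG rel32)
{
    __asm
    {
        cli
        mov eax,cr0
        and eax,not 10000h //and eax,0FFFEFFFFh
        mov cr0,eax
    }

    pSite->E9 = opcode;
    pSite->JMPADDR = rel32;

    __asm
    {
        mov eax,cr0
        or eax,10000h //or eax,not 0FFFEFFFFh
        mov cr0,eax
        sti
    }
}

/*
 * DriverEntry - driver initialization.
 *
 * Compares the SSDT entry for NtOpenProcess with the exported routine. If they
 * differ (something has redirected the entry), the first five bytes at the
 * current entry are saved in OldJmpCode and replaced by a jump back to the
 * exported NtOpenProcess. Then the dispatch table and unload routine are
 * installed and the device/symbolic link are created.
 *
 * pRegistryPath: the driver's service key. The second parameter was previously
 *   typed PIRP, which is not what the I/O manager passes; it is unused either way.
 * Returns STATUS_SUCCESS, or the NTSTATUS from MyCreateDevice. Because
 *   DriverUnload is never invoked for a DriverEntry that fails, the saved bytes
 *   are restored on that path before returning.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
    NTSTATUS status;
    ULONG NtOpenProcess_CurAddr, NtOpenProcess_OldAddr;
    PJMPCODE pcur = NULL;
    BOOLEAN patched = FALSE;

    UNREFERENCED_PARAMETER(pRegistryPath);

    DbgPrint("DriverEntry Successfully...\n");

    NtOpenProcess_CurAddr = GetNt_CurAddr();
    NtOpenProcess_OldAddr = GetNt_OldAddr();

    DbgPrint("NtOpenProcess_CurAddr = %x\n", NtOpenProcess_CurAddr);
    DbgPrint("NtOpenProcess_OldAddr = %x\n", NtOpenProcess_OldAddr);

    if (NtOpenProcess_CurAddr == 0 || NtOpenProcess_OldAddr == 0)
    {
        /* A lookup failed. The old code would have treated 0 as a "hook" and
         * written through it; leave the entry alone instead. */
        DbgPrint("NtOpenProcess address lookup failed, skipping patch\n");
    }
    else if (NtOpenProcess_CurAddr != NtOpenProcess_OldAddr)
    {
        /* Make sure all five bytes we are about to read and write are mapped:
         * a page fault with interrupts disabled bugchecks the system. */
        if (!MmIsAddressValid((PVOID)NtOpenProcess_CurAddr) ||
            !MmIsAddressValid((PVOID)(NtOpenProcess_CurAddr + sizeof(JMPCODE) - 1)))
        {
            DbgPrint("NtOpenProcess_CurAddr is not a valid address, skipping patch\n");
        }
        else
        {
            pcur = (PJMPCODE)NtOpenProcess_CurAddr;

            /* Save the original five bytes so DriverUnload can restore them. */
            OldJmpCode.E9 = pcur->E9;
            OldJmpCode.JMPADDR = pcur->JMPADDR;

            /* rel32 is measured from the end of the 5-byte instruction. */
            DriverEntry_PatchBytes(pcur, 0xE9,
                                   NtOpenProcess_OldAddr - NtOpenProcess_CurAddr - 5);
            patched = TRUE;

            DbgPrint("NtOpenProcess is SSDT Hook\n");
        }
    }
    else
    {
        DbgPrint("NtOpenProcess is not SSDT Hook\n");
    }

    /* Install entry points before the device becomes reachable so no IRP can
     * arrive on an unset MajorFunction slot. */
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_READ] = DriverDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatchRoutine;

    pDriverObject->DriverUnload = DriverUnload;

    status = MyCreateDevice(pDriverObject);
    if (!NT_SUCCESS(status))
    {
        /* The return value used to be ignored, which reported success for a
         * driver with no device. A failing DriverEntry gets no DriverUnload,
         * so the patch must be undone here. */
        if (patched)
        {
            DriverEntry_PatchBytes(pcur, OldJmpCode.E9, OldJmpCode.JMPADDR);
        }
        return status;
    }

    return STATUS_SUCCESS;
}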

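#pragma PAGED_CODE
/*
 * DriverUnload - undo DriverEntry: restore the patched bytes, then remove the
 * symbolic link and the device object.
 *
 * The bytes are written back only if the patch site still holds exactly the
 * jump DriverEntry installs (0xE9 plus rel32 to the exported NtOpenProcess).
 * This guard is the fix for a real crash path: OldJmpCode is a zero-initialized
 * global that DriverEntry fills in only when it found a hook, and the old
 * unconditional restore wrote five zero bytes over the genuine NtOpenProcess
 * prologue whenever nothing had been hooked. It also avoids clobbering a site
 * that something else re-patched after us.
 *
 * Address lookups and DbgPrint calls now happen before interrupts are
 * disabled; only the five-byte store runs under cli with CR0.WP cleared
 * (x86-only MSVC inline asm, current CPU only, as in the original).
 * NOTE(review): the pragma above keeps this function pageable as the author
 * had it; executing pageable code with interrupts disabled is fragile if a
 * page fault is taken — confirm the section placement is intended.
 */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    PDEVICE_OBJECT pDevObj;
    UNICODE_STRING symLinkName;
    PJMPCODE pcur = NULL;
    ULONG NtOpenProcess_CurAddr;
    ULONG NtOpenProcess_OldAddr;
    ULONG expectedRel32;
    BOOLEAN ourJumpPresent = FALSE;

    NtOpenProcess_CurAddr = GetNt_CurAddr();
    NtOpenProcess_OldAddr = GetNt_OldAddr();

    if (NtOpenProcess_CurAddr != 0 && NtOpenProcess_OldAddr != 0 &&
        NtOpenProcess_CurAddr != NtOpenProcess_OldAddr &&
        MmIsAddressValid((PVOID)NtOpenProcess_CurAddr) &&
        MmIsAddressValid((PVOID)(NtOpenProcess_CurAddr + sizeof(JMPCODE) - 1)))
    {
        pcur = (PJMPCODE)NtOpenProcess_CurAddr;
        /* Same displacement DriverEntry computed: target - site - 5. */
        expectedRel32 = NtOpenProcess_OldAddr - NtOpenProcess_CurAddr - 5;
        ourJumpPresent = (BOOLEAN)(pcur->E9 == 0xE9 && pcur->JMPADDR == expectedRel32);
    }

    if (ourJumpPresent)
    {
        __asm
        {
            cli
            mov eax,cr0
            and eax,not 10000h //and eax,0FFFEFFFFh
            mov cr0,eax
        }

        pcur->E9 = OldJmpCode.E9;
        pcur->JMPADDR = OldJmpCode.JMPADDR;

        __asm
        {
            mov eax,cr0
            or eax,10000h //or eax,not 0FFFEFFFFh
            mov cr0,eax
            sti
        }

        DbgPrint("NtOpenProcess patch restored\n");
    }
    else
    {
        DbgPrint("NtOpenProcess patch not present, nothing to restore\n");
    }

    /* Remove the link first, then the device it referred to. */
    RtlInitUnicodeString(&symLinkName, L"\\??\\DriverTest");
    IoDeleteSymbolicLink(&symLinkName);

    /* DeviceObject is NULL if device creation never succeeded; IoDeleteDevice
     * must not be handed a NULL pointer. */
    pDevObj = pDriverObject->DeviceObject;
    if (pDevObj != NULL)
    {
        IoDeleteDevice(pDevObj);
    }

    DbgPrint("Driver Unload Successfully...\n");
}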


/*
 * DriverDispatchRoutine - shared handler for IRP_MJ_CREATE, CLOSE, READ and
 * DEVICE_CONTROL. Every request is completed at once with STATUS_SUCCESS and
 * zero bytes transferred; pDeviceObject is not consulted.
 */
NTSTATUS DriverDispatchRoutine(IN PDEVICE_OBJECT pDeviceObject,IN PIRP pIrp)
{
    const NTSTATUS completionStatus = STATUS_SUCCESS;

    /* No payload for any of the dispatched majors. */
    pIrp->IoStatus.Status = completionStatus;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    DbgPrint("DriverDispatchRoutine Successfully...\n");

    return completionStatus;
}

//ULONG GetNt_CurAddr()
//{
// LONG *SSDT_Addr,SSDT_NtOpenProcess_Cur_Addr,t_addr;
// DbgPrint("驱动被成功加载...\n");
// t_addr = (LONG)KeServiceDescriptorTable->ServiceTableBase;
// DbgPrint("当前ServiceDescriptorTable的地址为:%x\n",t_addr);
// SSDT_Addr = (PLONG)(t_addr + 0x7A*4);
// DbgPrint("当前t_addr+0x7A*4=%x\n",SSDT_Addr);
// SSDT_NtOpenProcess_Cur_Addr = *SSDT_Addr;
// DbgPrint("当前SSDT_NtOpenProcess_Cur_Addr地址为%x\n",SSDT_NtOpenProcess_Cur_Addr);
//
// return (ULONG)SSDT_NtOpenProcess_Cur_Addr;
//}

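/* SSDT slot of NtOpenProcess. The value 0x7A was hard-coded inside the inline
 * asm and is specific to the kernel build the driver was written against;
 * other Windows versions use different indices. Keeping it as one named
 * constant makes that dependency visible and easy to adjust. */
enum { NTOPENPROCESS_SSDT_INDEX = 0x7A };

/*
 * GetNt_CurAddr - read the address the SSDT currently dispatches NtOpenProcess to.
 *
 * Same access path as the former inline asm (load KeServiceDescriptorTable,
 * take ServiceTableBase, read the ULONG at index * 4), written in C so it can
 * be bounds-checked: unlike the asm it refuses to read past the table when the
 * index is not below NumberOfServices, and it tolerates a NULL descriptor.
 *
 * Returns the entry, or 0 when it cannot be read. Callers must treat 0 as
 * "unavailable" and never use it as an address.
 */
ULONG GetNt_CurAddr()
{
    ULONG *serviceTable;

    if (KeServiceDescriptorTable == NULL)
    {
        DbgPrint("KeServiceDescriptorTable is NULL\n");
        return 0;
    }

    if (NTOPENPROCESS_SSDT_INDEX >= KeServiceDescriptorTable->NumberOfServices)
    {
        DbgPrint("SSDT index %x is out of range (NumberOfServices = %x)\n",
                 NTOPENPROCESS_SSDT_INDEX, KeServiceDescriptorTable->NumberOfServices);
        return 0;
    }

    serviceTable = (ULONG *)KeServiceDescriptorTable->ServiceTableBase;
    return serviceTable[NTOPENPROCESS_SSDT_INDEX];
}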


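/*
 * GetNt_OldAddr - resolve the exported NtOpenProcess through
 * MmGetSystemRoutineAddress, i.e. the value the SSDT entry is expected to
 * hold when nothing has redirected it.
 *
 * Returns the address as a ULONG (x86 pointer width), or 0 if the export could
 * not be resolved. The failure used to be silent and 0 flowed straight into
 * the caller's address arithmetic; it is now logged, and callers must check
 * for 0 before using the value.
 */
ULONG GetNt_OldAddr()
{
    UNICODE_STRING Old_NtOpenProcess;
    PVOID routine;

    RtlInitUnicodeString(&Old_NtOpenProcess, L"NtOpenProcess");
    routine = MmGetSystemRoutineAddress(&Old_NtOpenProcess);
    if (routine == NULL)
    {
        DbgPrint("MmGetSystemRoutineAddress(NtOpenProcess) failed\n");
        return 0;
    }

    DbgPrint("取得原函数NtOpenProcess的值为: %x\n", (ULONG)routine);
    return (ULONG)routine;
}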
