大哥们,我照着竹君的代码敲的!
蓝屏了,怎么搞的,大侠们帮我看看吧!谢谢了! 后面有源码和sys
http://bbs.pediy.com/showthread.php?t=98493
#include "Driver.h"
typedef UCHAR BYTE, *PBYTE;
// Saved CR0 value, written by the inline asm in the hook/unhook routines and
// restored from there after the 5-byte patch is written. Plain global: the two
// routines are not serialized against each other.
ULONG CROVALUE;
// The first 5 bytes of ObReferenceObjectByHandle as they were before patching;
// filled in by HookObReferenceObjectByHandle, written back by UnHook.
BYTE OriginalBytes[5] = {0};
// E9 rel32 (near relative JMP); the 4 displacement bytes are computed at hook time.
BYTE JmpAddress[5] = {0xE9,0,0,0,0};
// NOTE(review): declared here with no initializer and never assigned anywhere in
// this file, so unless Driver.h (or another unit) fills it in, it is NULL when
// the detour dereferences it. The commented-out extern below has the same
// misspelled name, so it would not bind to a kernel export either.
POBJECT_TYPE *PsProcesType;
//extern POBJECT_TYPE *PsProcesType;
//VOID ObDereferenceObject( IN PVOID Object);
// Local redeclaration of the kernel export that is being patched.
// NOTE(review): no NTAPI/__stdcall keyword on this prototype, on the detour, or
// on the trampoline; the real export is NTAPI, so the build's default calling
// convention must match or the stack is unbalanced on return — TODO confirm.
NTKERNELAPI NTSTATUS ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
// Forward declaration of the replacement function the JMP is pointed at.
NTSTATUS DetourMyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
// Overwrites the first 5 bytes of ObReferenceObjectByHandle with a relative JMP
// to DetourMyObReferenceObjectByHandle, after saving those bytes in
// OriginalBytes so UnHookObReferenceObjectByHandle can put them back.
// 32-bit x86 only: MSVC __asm and ULONG-sized addresses.
// NOTE(review): clearing CR0.WP affects only the processor this thread runs on,
// and raising IRQL to DISPATCH_LEVEL only prevents preemption of this thread —
// neither stops other processors from executing the target while the 5-byte
// RtlCopyMemory is partially written; the patch is not atomic.
VOID HookObReferenceObjectByHandle()
{
    KIRQL Irql;
    KdPrint(("ObReferenceObjectByHandle:0x%x\n",ObReferenceObjectByHandle));
    // Keep a copy of the bytes about to be overwritten.
    RtlCopyMemory(OriginalBytes,(BYTE *)ObReferenceObjectByHandle,5);
    // rel32 displacement for E9: target - (address of the JMP + 5).
    *(ULONG *)(JmpAddress+1) = (ULONG)DetourMyObReferenceObjectByHandle-((ULONG)ObReferenceObjectByHandle+5);
    // Save CR0 and clear bit 16 (WP) so kernel text is writable from ring 0.
    __asm
    {
        push eax
        mov eax,cr0
        mov CROVALUE,eax
        and eax,0fffeffffh
        mov cr0,eax
        pop eax
    }
    Irql = KeRaiseIrqlToDpcLevel();
    RtlCopyMemory((BYTE*)ObReferenceObjectByHandle,JmpAddress,5);
    KeLowerIrql(Irql);
    // Restore the original CR0 (re-enables write protection).
    __asm
    {
        push eax
        mov eax,CROVALUE
        mov cr0,eax
        pop eax
    }
}
// Trampoline used to reach the original implementation once its first 5 bytes
// hold the JMP. __declspec(naked): the compiler emits no prologue/epilogue, so
// the caller's arguments stay on the stack exactly as the original expects.
// It replays the 5 bytes assumed to be at the start of the target
// (mov edi,edi / push ebp / mov ebp,esp — the hot-patch prologue, 2+1+2 bytes)
// and then jumps to original + 5, i.e. just past the patched JMP.
// NOTE(review): the prologue is hard-coded rather than replayed from
// OriginalBytes; if the target's first 5 bytes differ on the running kernel
// build, the jump to +5 lands in the middle of an instruction.
// NOTE(review): `mov eax,ObReferenceObjectByHandle` presumably yields the
// function's address; for an imported symbol it may resolve through the import
// thunk instead — confirm in the disassembly.
__declspec(naked) NTSTATUS OriginalObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
    __asm
    {
        mov edi,edi
        push ebp
        mov ebp,esp
        mov eax,ObReferenceObjectByHandle
        add eax,5
        jmp eax
    }
}
// Replacement that the patched ObReferenceObjectByHandle jumps to. It forwards
// every call to the original through the trampoline; when the original
// succeeded, the requested access mask is exactly 1 (PROCESS_TERMINATE alone —
// masks that combine other rights pass through), the object type is the
// process type, and the string found at offset 0x174 of the object equals
// "notepad.exe" (case-insensitive), it drops the reference the original took
// and fails the call with STATUS_INVALID_HANDLE. All other calls are unchanged.
// NOTE(review): PsProcesType is a global with no initializer and is never
// assigned in this file, so `*PsProcesType` below dereferences NULL unless it
// is set up elsewhere — a likely source of the reported bugcheck.
// NOTE(review): 0x174 is a hard-coded offset into the executive process
// object, presumably its image-name field for one specific kernel build; it is
// not stable across builds — verify against the running kernel's structures.
// NOTE(review): on the failure path *Object still holds the pointer that was
// just dereferenced; callers must not touch it after a failed return.
NTSTATUS DetourMyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{ NTSTATUS status;
    // Always let the real implementation run first; only its result is filtered.
    status = OriginalObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
    if((status == STATUS_SUCCESS) && (DesiredAccess ==1))
    {
        if(ObjectType == *PsProcesType)
        {
            if(_stricmp((char *)((ULONG)(*Object) + 0x174), "notepad.exe") == 0)
            {
                // Undo the reference taken by the original before reporting failure.
                ObDereferenceObject(*Object);
                return STATUS_INVALID_HANDLE;
            }
        }
    }
    return status;
}
// Writes the saved OriginalBytes back over the JMP installed by
// HookObReferenceObjectByHandle, using the same CR0.WP / IRQL sequence.
// NOTE(review): as with the hook, this only disables write protection on the
// current processor and the 5-byte write is not atomic with respect to other
// processors. It also does not wait for threads that may still be executing
// inside DetourMyObReferenceObjectByHandle, so the caller (DriverUnload) must
// not assume the detour is idle when this returns.
// NOTE(review): if the hook was never installed, OriginalBytes is all zeros and
// this writes five 0x00 bytes over the function; nothing here tracks hook state.
VOID UnHookObReferenceObjectByHandle()
{
    KIRQL Irql;
    // Save CR0 and clear bit 16 (WP).
    __asm
    {
        push eax
        mov eax,cr0
        mov CROVALUE,eax
        and eax,0fffeffffh
        mov cr0,eax
        pop eax
    }
    Irql = KeRaiseIrqlToDpcLevel();
    RtlCopyMemory((BYTE *)ObReferenceObjectByHandle,OriginalBytes,5);
    KeLowerIrql(Irql);
    // Restore CR0.
    __asm
    {
        push eax
        mov eax,CROVALUE
        mov cr0,eax
        pop eax
    }
}
#pragma INITCODE
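// Driver entry point: registers the unload and dispatch routines, creates the
// device and symbolic link, and only then installs the kernel hook.
//
// pDriverObject  - the driver object supplied by the I/O manager.
// pRegistryPath  - unused here.
// Returns the status of CreateDevice; on failure no hook is installed.
//
// NOTE(review): the original hooked unconditionally after CreateDevice. If
// DriverEntry returns a failure status the I/O manager never calls
// DriverUnload, so the hook would have stayed in place pointing into an image
// that is about to be unloaded. The hook is therefore gated on success.
extern "C" NTSTATUS DriverEntry (
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING pRegistryPath )
{
    NTSTATUS status;
    KdPrint(("Enter DriverEntry\n"));
    pDriverObject->DriverUnload = HelloDDKUnload;
    // All four major functions share the same completing dispatch routine.
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = HelloDDKDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_WRITE] = HelloDDKDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_READ] = HelloDDKDispatchRoutine;
    status = CreateDevice(pDriverObject);
    if (!NT_SUCCESS(status))
    {
        // Nothing to undo: no hook has been installed yet.
        KdPrint(("DriverEntry end\n"));
        return status;
    }
    HookObReferenceObjectByHandle();
    KdPrint(("DriverEntry end\n"));
    return status;
}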
#pragma INITCODE
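// Creates the driver's single device object (\Device\MyDDKDevice), fills in
// its extension, and exposes it through the symbolic link \??\HelloDDK.
//
// pDriverObject - the driver object to attach the device to.
// Returns STATUS_SUCCESS, or the failing status from IoCreateDevice /
// IoCreateSymbolicLink; on a link failure the device is deleted again so no
// half-initialized object is left behind.
//
// NOTE(review): the original passed `&(UNICODE_STRING)devName`, the address of
// a temporary copy (an MSVC extension). The device name is now passed directly.
// NOTE(review): no security descriptor is supplied, so the device gets the
// default DACL; IoCreateDeviceSecure with an SDDL string is the way to restrict
// who may open \??\HelloDDK if that matters for this driver.
NTSTATUS CreateDevice (
    IN PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;
    PDEVICE_OBJECT pDevObj;
    PDEVICE_EXTENSION pDevExt;
    UNICODE_STRING devName;
    UNICODE_STRING symLinkName;

    RtlInitUnicodeString(&devName, L"\\Device\\MyDDKDevice");
    status = IoCreateDevice( pDriverObject,
                             sizeof(DEVICE_EXTENSION),
                             &devName,
                             FILE_DEVICE_UNKNOWN,
                             0,
                             TRUE,     // exclusive: one open handle at a time
                             &pDevObj );
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    pDevObj->Flags |= DO_BUFFERED_IO;
    pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;
    pDevExt->pDevice = pDevObj;
    // Both UNICODE_STRINGs point at string literals, so copying the structs
    // into the extension keeps them valid for the lifetime of the driver.
    pDevExt->ustrDeviceName = devName;
    RtlInitUnicodeString(&symLinkName, L"\\??\\HelloDDK");
    pDevExt->ustrSymLinkName = symLinkName;

    status = IoCreateSymbolicLink( &symLinkName, &devName );
    if (!NT_SUCCESS(status))
    {
        // Roll back the device so DriverUnload has nothing dangling to clean up.
        IoDeleteDevice( pDevObj );
        return status;
    }
    return STATUS_SUCCESS;
}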
#pragma PAGEDCODE
// Unload routine: walks the driver's device list, removing each device's
// symbolic link and then the device itself, and finally restores the patched
// bytes of ObReferenceObjectByHandle.
//
// pDriverObject - the driver object whose devices are torn down.
//
// NOTE(review): the routine returns immediately after UnHook; nothing waits for
// threads that may still be inside the detour, so the image can be unmapped
// while such a thread is executing it — TODO confirm that is acceptable here.
VOID HelloDDKUnload (IN PDRIVER_OBJECT pDriverObject)
{
    KdPrint(("Enter DriverUnload\n"));
    for (PDEVICE_OBJECT pCurrent = pDriverObject->DeviceObject;
         pCurrent != NULL; )
    {
        PDEVICE_EXTENSION pExt = (PDEVICE_EXTENSION)pCurrent->DeviceExtension;
        // Copy the link name out of the extension before the device goes away.
        UNICODE_STRING linkName = pExt->ustrSymLinkName;
        IoDeleteSymbolicLink(&linkName);
        // Advance first: the current object is invalid after IoDeleteDevice.
        pCurrent = pCurrent->NextDevice;
        IoDeleteDevice( pExt->pDevice );
    }
    UnHookObReferenceObjectByHandle();
}
#pragma PAGEDCODE
// Shared dispatch routine for IRP_MJ_CREATE/CLOSE/READ/WRITE: completes every
// request successfully with zero bytes transferred.
//
// pDevObj - the target device object (unused).
// pIrp    - the request to complete.
// Returns STATUS_SUCCESS, matching the status stored in the IRP.
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj,
    IN PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;
    KdPrint(("Enter HelloDDKDispatchRoutine\n"));
    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest( pIrp, IO_NO_INCREMENT );
    KdPrint(("Leave HelloDDKDispatchRoutine\n"));
    return result;
}
inlinehook.rar