[分享]小菜鸟学习驱动练手作品 SSDT HOOK-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (9)
caierhuan 雪币： 279 活跃值： (60) 能力值： ( LV3，RANK：20 ) 在线值：发帖 20 回帖 80 粉丝 0 关注私信	caierhuan 2 楼 #include <ntddk.h> #include "ssdt.h" ////////////////////////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////////////////////////// HANDLE Appevent=0; PETHREAD Sysevent=0; HANDLE PPID=0; HANDLE R3PPID=0; HANDLE R3Control=0; HANDLE R3Text=0; ULONG R3buff=0; HANDLE R3HANDLE=0; char SafePatch[512]; OBJECT_ATTRIBUTES ObjectAttributes; CLIENT_ID ClientId; HANDLE hThread; ULONG ISRun=FALSE; ULONG CreateFileISRun; BOOLEAN g_bExit=FALSE; KEVENT Myevent; /////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ULONG NtCreateMutantAddress; ULONG NtResumeThreadAddress; ULONG NtCreateFileAddress; ULONG NtProtectVirtualMemoryAddress; //////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ULONG HOOKNtCreateMutant; ULONG HOOKNtCreateFile; ////////////////////////////////////////////////////////////////////////////////////////////////////////////////// VOID FFCON() { __asm{//去掉内存保护 cli mov eax,cr0 and eax,not 10000h mov cr0,eax } } VOID FFCoff() { __asm{//恢复内存保护 mov eax,cr0 or eax,10000h mov cr0,eax sti } } ULONG MyReadMemory(IN PVOID BaseAddress,IN SIZE_T BufferSize,IN HANDLE pid ,OUT PVOID buffer ) { PEPROCESS EProcess; KAPC_STATE ApcState; PVOID readbuffer; NTSTATUS status; status = PsLookupProcessByProcessId((ULONG)pid,&EProcess); if(!NT_SUCCESS(status)) { DbgPrint("failed to get the EPROCESS!!\n"); return 0; } readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys'); if(readbuffer==NULL) { DbgPrint("failed to alloc memory!\n"); return 0; } (ULONG)readbuffer=(ULONG)0x1; KeStackAttachProcess ((PKPROCESS)EProcess, &ApcState); __try { ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR)); RtlCopyMemory (readbuffer, BaseAddress, BufferSize); KeUnstackDetachProcess (&ApcState); } __except(EXCEPTION_EXECUTE_HANDLER) { KeUnstackDetachProcess (&ApcState); } memmove((VOID)buffer,(VOID)readbuffer,4); ExFreePool (readbuffer); return 1; } ULONG MyWriteProcessMemory(IN PVOID BaseAddress,IN SIZE_T BufferSize,IN HANDLE pid ,IN PVOID buffer ) { PEPROCESS EProcess; KAPC_STATE ApcState; PVOID readbuffer; NTSTATUS status; status = PsLookupProcessByProcessId((ULONG)pid,&EProcess); if(!NT_SUCCESS(status)) { DbgPrint("failed to get the EPROCESS!!\n"); return 0; } readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys'); if(readbuffer==NULL) { DbgPrint("failed to alloc memory!\n"); return 0; } (ULONG)readbuffer=(ULONG)0x1; KeStackAttachProcess ((PKPROCESS)EProcess, &ApcState); __try { ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR)); RtlCopyMemory (BaseAddress, buffer, BufferSize); KeUnstackDetachProcess (&ApcState); } __except(EXCEPTION_EXECUTE_HANDLER) { KeUnstackDetachProcess (&ApcState); } ExFreePool (readbuffer); return 1; } LONG check(HANDLE hand ) { PFILE_OBJECT file=0; NTSTATUS status; UNICODE_STRING ufilename; ANSI_STRING filefullname_a; char filefullname_c[512]; PFILE_OBJECT relatedfile=0; int relatedfilelength; RtlInitUnicodeString(&ufilename,dosName); status =ObReferenceObjectByHandle(hand,0,0,KernelMode,&file,NULL); if(!NT_SUCCESS(status)) { DbgPrint("failed to get the EPROCESS!!\n"); return 0; } if (file == NULL) { DbgPrint("failed to get the EPROCESS!!\n"); return 0; } status =RtlVolumeDeviceToDosName(file->DeviceObject,&ufilename);//得到盘符 if(!NT_SUCCESS(status)) { DbgPrint("failed to get the EPROCESS!!\n"); return 0; } status =RtlUnicodeStringToAnsiString(&filefullname_a,&ufilename,1); if(!NT_SUCCESS(status)) { DbgPrint("failed to get the EPROCESS!!\n"); return 0; } strncpy(filefullname_c,filefullname_a.Buffer,filefullname_a.Length); filefullname_c[filefullname_a.Length]='\0'; relatedfilelength=filefullname_a.Length; relatedfile=file->RelatedFileObject; status =RtlUnicodeStringToAnsiString(&filefullname_a,&file->FileName,1);//相对路径+文件名 if(!NT_SUCCESS(status)) { DbgPrint("failed to get the EPROCESS!!\n"); return 0; } strncat(filefullname_c,filefullname_a.Buffer,filefullname_a.Length); filefullname_c[relatedfilelength+filefullname_a.Length]='\0'; relatedfilelength+=filefullname_a.Length; strcpy((char)SafePatch, (char)filefullname_c); //RtlCopyUnicodeString(&filefullname_c,&ename);// //DbgPrint("LL : %s \n",filefullname_c); return 1 ; } /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// VOID MyThread(IN PVOID pContext)//线程函数 { LARGE_INTEGER DelayTime; DelayTime = RtlConvertLongToLargeInteger(- 10 * 1000 * 5000); while (g_bExit) { if (((ULONG)HOOKNtCreateMutant) != (ULONG)MYNtCreateMutant \|\| ((ULONG)HOOKNtCreateFile) != (ULONG)MYNtCreateFile) { DbgPrint("HOOK被恢复…\r\n"); FFCON(); ((ULONG)HOOKNtCreateMutant) = (ULONG)MYNtCreateMutant; ((ULONG)HOOKNtCreateFile) = (ULONG)MYNtCreateFile; FFCoff(); } //DbgPrint("线程工作中…\r\n"); KeDelayExecutionThread(KernelMode,0,&DelayTime); } DbgPrint("线程终止…\r\n"); KeSetEvent(&Myevent,FALSE,TRUE); PsTerminateSystemThread(STATUS_SUCCESS); } ///////////////////////////////////////////////////////////////////////////////////////// VOID DriverUnload(PDRIVER_OBJECT driver) { g_bExit=FALSE; KeWaitForSingleObject(&Myevent,Executive,KernelMode,0,0); ObDereferenceObject(driver); DbgPrint("first: Our driver is unloading…\r\n"); Unhook(); } NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)// DriverEntry，入口函数 { HANDLE myhandle; g_bExit = TRUE; DbgPrint("first: Hello, my wdk dirver!…\r\n"); ObReferenceObject(driver); PsCreateSystemThread(&myhandle,0,NULL,NULL,NULL,MyThread,NULL); ZwClose(myhandle); KeInitializeEvent(&Myevent,SynchronizationEvent,FALSE); InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); ObjectAttributes.Attributes = OBJ_INHERIT; driver->DriverUnload = DriverUnload; hook(); return STATUS_SUCCESS; } ///////////////////////////////////////////////////////////////////////////////////////////////////////// VOID hook() { ULONG Address; Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0xce * 4; NtResumeThreadAddress = (ULONG)Address; DbgPrint("NtResumeThread :0x%08X",NtResumeThreadAddress); ////////////////////////////////////////////////////////////////////////////////////////////////////////////// HOOKNtCreateMutant = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x2b * 4;//0x7A为服务ID 获取 SSDT表中的地址 NtCreateMutantAddress = (ULONG)HOOKNtCreateMutant; DbgPrint("NtCreateMutant :0x%08X",NtCreateMutantAddress); HOOKNtCreateFile = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x25 * 4; NtCreateFileAddress = (ULONG)HOOKNtCreateFile; DbgPrint("NtCreateFile :0x%08X",NtCreateFileAddress); ///////////////////////////////////////////////////////// FFCON(); ((ULONG)HOOKNtCreateMutant) = (ULONG)MYNtCreateMutant; ((ULONG)HOOKNtCreateFile) = (ULONG)MYNtCreateFile; FFCoff(); ////////////////////////////////////////////////////////// } ////////////////////////////////////////////////////// VOID Unhook() { FFCON(); ((ULONG)HOOKNtCreateMutant) = (ULONG)NtCreateMutantAddress; ((ULONG)HOOKNtCreateFile) = (ULONG)NtCreateFileAddress; FFCoff(); DbgPrint("Unhook"); } /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// LONG GoOrNot() { ULONG tt=0; LARGE_INTEGER li;li.QuadPart= - 10 * 1000 * 500; ////延迟0.5秒钟运行; while (ISRun) //防止多线程同步执行 { KeDelayExecutionThread(KernelMode,0,&li); } ISRun=TRUE; PPID=PsGetCurrentProcessId(); MyWriteProcessMemory((PVOID)R3buff,0x4,R3PPID,&PPID); MyWriteProcessMemory((PVOID)R3Text,512,R3PPID,&SafePatch); ZwOpenThread((PHANDLE)&hThread,THREAD_SUSPEND_RESUME,&ObjectAttributes,(PCLIENT_ID)&ClientId); __asm{ push 0 push hThread call NtResumeThreadAddress } ZwClose(hThread); //DbgPrint("开始等待"); KeWaitForSingleObject(Sysevent,Executive,KernelMode,0,0); //DbgPrint("等待完成"); MyReadMemory((PVOID)R3Control,0x4,R3PPID,&tt);//读取 //DbgPrint("tt : %08X \n",tt); ISRun=FALSE; return tt; } //////////////////////////////////////////////////////////////////////////////////////////////////////////////// HANDLE sysee; ULONG Mutant; NTSTATUS MYNtCreateMutant(IN ULONG L1,IN ULONG L2,IN ULONG L3,IN ULONG L4) { if (L4 == 100) { sysee=(HANDLE)L2;//驱动监视事件 Appevent=(HANDLE)L1;//r3 工作事件 R3buff=L3; PsLookupThreadByThreadId(sysee,&Sysevent); ClientId.UniqueProcess=NULL; ClientId.UniqueThread=Appevent; return 8081; } if (L4 == 101) { R3PPID=(HANDLE)L1; R3Control=(HANDLE)L2; R3Text=(HANDLE)L3; return 88082; } __asm{ push L4 push L3 push L2 push L1 call NtCreateMutantAddress mov Mutant,eax } return Mutant; } /////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ULONG NtCreateFileret; ULONG lsFileHandle; NTSTATUS MYNtCreateFile( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength ) { __asm{ push EaLength push EaBuffer OPTIONAL push CreateOptions push CreateDisposition push ShareAccess push FileAttributes push AllocationSize OPTIONAL push IoStatusBlock push ObjectAttributes push DesiredAccess push FileHandle call NtCreateFileAddress mov NtCreateFileret,eax } if (FileAttributes != 0 && DesiredAccess == 0xC0100080) { if (ShareAccess == 1 && CreateDisposition == 1) { return NtCreateFileret; } ////////////////建立文件请求拦截//////////////// PPID=PsGetCurrentProcessId(); if (PPID != R3PPID) { if (FileHandle != NULL) { lsFileHandle=(ULONG)FileHandle; if (lsFileHandle != 0) { if (check((HANDLE)lsFileHandle) != 0) { if (GoOrNot() == 4444) //拦截操作 { ZwClose((HANDLE)lsFileHandle); FileHandle=0; return 0xc0000005; } } } } } } return NtCreateFileret; } 2010-1-21 05:45 0
hacknet 雪币： 80 活跃值： (45) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 49 粉丝 1 关注私信	hacknet 3 楼驱动加载不上呢？应用层代码没有噻~~~~~~~~~~~~ 2010-1-21 08:29 0
caierhuan 雪币： 279 活跃值： (60) 能力值： ( LV3，RANK：20 ) 在线值：发帖 20 回帖 80 粉丝 0 关注私信	caierhuan 4 楼主要代码在驱动引用层非常简单调用 NtCreateMutant 传入 R3 的变量指证供驱动返回驱动中我们已经拦截了 NtCreateMutant 根据约定当参数4为 100 分别保存指证并返回状态信号 8081 初步完成并等待 R3 再次上传其他的参数 R3 建立2条线程 1条是工作线程用来检测规则有驱动控制一条什么都不做有R3 控制供驱动等待建立的线程是立刻挂起的其他没什么了驱动代码中一目了然了 2010-1-21 08:44 0
kagayaki 雪币： 189 活跃值： (4810) 能力值： ( LV3，RANK：20 ) 在线值：发帖 172 回帖 1232 粉丝 24 关注私信	kagayaki 5 楼一直对驱动无什么兴趣(因为不会), 不过是分享就支持!!!!!!! 2010-1-21 08:56 0
jerrynpc 雪币： 284 活跃值： (16) 能力值： ( LV2，RANK：10 ) 在线值：发帖 18 回帖 695 粉丝 0 关注私信	jerrynpc 6 楼有码就要顶，同样是菜鸟的我。下来看看，一起学习 2010-1-22 09:47 0
zouxuehai 雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	zouxuehai 7 楼最近在学习windows驱动，可以借鉴一下 2010-1-23 22:07 0
雪妖雪币： 266 活跃值： (15) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 168 粉丝 0 关注私信	雪妖 8 楼顶顶更健康 2010-1-26 09:45 0
fhurricane 雪币： 492 活跃值： (53) 能力值： ( LV6，RANK：80 ) 在线值：发帖 36 回帖 270 粉丝 2 关注私信	fhurricane 1 9 楼非常不错，有开一个系统线程，恢复HOOK的代码，多谢了～～～ 2010-2-1 13:30 0
plzq 雪币： 209 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 7 粉丝 0 关注私信	plzq 10 楼学习了不错 2010-2-1 15:11 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

caierhuan

雪币： 279

活跃值： (60)

能力值：

( LV3，RANK：20 )

在线值：

发帖

20

回帖

80

粉丝

0

关注

私信

caierhuan: 2 楼

#include <ntddk.h>
#include "ssdt.h"

//////////////////////////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////////////////////////

HANDLE Appevent=0;
PETHREAD Sysevent=0;
HANDLE PPID=0;
HANDLE R3PPID=0;
HANDLE R3Control=0;
HANDLE R3Text=0;
ULONG  R3buff=0;
HANDLE R3HANDLE=0;

char SafePatch[512];

OBJECT_ATTRIBUTES ObjectAttributes;
CLIENT_ID          ClientId;

HANDLE hThread;
ULONG ISRun=FALSE;
ULONG CreateFileISRun;
BOOLEAN g_bExit=FALSE;

KEVENT Myevent;
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
ULONG NtCreateMutantAddress;
ULONG NtResumeThreadAddress;
ULONG NtCreateFileAddress;
ULONG NtProtectVirtualMemoryAddress;
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
ULONG  HOOKNtCreateMutant;
ULONG  HOOKNtCreateFile;
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
VOID FFCON()
{
__asm{//去掉内存保护
cli
mov  eax,cr0
and  eax,not 10000h
mov  cr0,eax
}
}

VOID FFCoff()
{
__asm{//恢复内存保护
mov  eax,cr0
or eax,10000h
mov  cr0,eax
sti
}
}

ULONG MyReadMemory(IN PVOID BaseAddress,IN SIZE_T BufferSize,IN HANDLE pid ,OUT PVOID buffer )
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer;
NTSTATUS status;

status = PsLookupProcessByProcessId((ULONG)pid,&EProcess);
if(!NT_SUCCESS(status))
{
DbgPrint("failed to get the EPROCESS!!\n");
return 0;
}

readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(readbuffer==NULL)
{
DbgPrint("failed to alloc memory!\n");
return 0;
}

*(ULONG*)readbuffer=(ULONG)0x1;

KeStackAttachProcess ((PKPROCESS)EProcess, &ApcState);

__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
KeUnstackDetachProcess (&ApcState);

} __except(EXCEPTION_EXECUTE_HANDLER)
{
KeUnstackDetachProcess (&ApcState);
}
memmove((VOID*)buffer,(VOID*)readbuffer,4);
ExFreePool (readbuffer);
return 1;

}

ULONG MyWriteProcessMemory(IN PVOID BaseAddress,IN SIZE_T BufferSize,IN HANDLE pid ,IN PVOID buffer )
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer;
NTSTATUS status;

status = PsLookupProcessByProcessId((ULONG)pid,&EProcess);
if(!NT_SUCCESS(status))
{
DbgPrint("failed to get the EPROCESS!!\n");
return 0;
}

readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(readbuffer==NULL)
{
DbgPrint("failed to alloc memory!\n");
return 0;
}

*(ULONG*)readbuffer=(ULONG)0x1;

KeStackAttachProcess ((PKPROCESS)EProcess, &ApcState);

__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (BaseAddress, buffer, BufferSize);
KeUnstackDetachProcess (&ApcState);

} __except(EXCEPTION_EXECUTE_HANDLER)
{
KeUnstackDetachProcess (&ApcState);
}

ExFreePool (readbuffer);
return 1;

}

LONG check(HANDLE hand )
{
PFILE_OBJECT file=0;
NTSTATUS status;
UNICODE_STRING ufilename;
ANSI_STRING filefullname_a;
char filefullname_c[512];
PFILE_OBJECT relatedfile=0;
int relatedfilelength;
RtlInitUnicodeString(&ufilename,dosName);
status =ObReferenceObjectByHandle(hand,0,0,KernelMode,&file,NULL);
if(!NT_SUCCESS(status))
{
DbgPrint("failed to get the EPROCESS!!\n");
return 0;
}
if (file == NULL)
{
DbgPrint("failed to get the EPROCESS!!\n");
return 0;
}

status =RtlVolumeDeviceToDosName(file->DeviceObject,&ufilename);//得到盘符
if(!NT_SUCCESS(status))
{
DbgPrint("failed to get the EPROCESS!!\n");
return 0;
}
status =RtlUnicodeStringToAnsiString(&filefullname_a,&ufilename,1);
if(!NT_SUCCESS(status))
{
DbgPrint("failed to get the EPROCESS!!\n");
return 0;
}
strncpy(filefullname_c,filefullname_a.Buffer,filefullname_a.Length);
filefullname_c[filefullname_a.Length]='\0';
relatedfilelength=filefullname_a.Length;

relatedfile=file->RelatedFileObject;
status =RtlUnicodeStringToAnsiString(&filefullname_a,&file->FileName,1);//相对路径+文件名
if(!NT_SUCCESS(status))
{
DbgPrint("failed to get the EPROCESS!!\n");
return 0;
}
strncat(filefullname_c,filefullname_a.Buffer,filefullname_a.Length);
filefullname_c[relatedfilelength+filefullname_a.Length]='\0';
relatedfilelength+=filefullname_a.Length;

strcpy((char*)SafePatch, (char*)filefullname_c);
//RtlCopyUnicodeString(&filefullname_c,&ename);//
//DbgPrint("LL : %s \n",filefullname_c);
return 1 ;
}

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

VOID MyThread(IN PVOID pContext)//线程函数
{

LARGE_INTEGER  DelayTime;
DelayTime = RtlConvertLongToLargeInteger(- 10 * 1000 * 5000);
while (g_bExit)
{
if (*((ULONG*)HOOKNtCreateMutant) != (ULONG)MYNtCreateMutant || *((ULONG*)HOOKNtCreateFile) != (ULONG)MYNtCreateFile)
{
         DbgPrint("HOOK被恢复…\r\n");
FFCON();

*((ULONG*)HOOKNtCreateMutant) = (ULONG)MYNtCreateMutant;
*((ULONG*)HOOKNtCreateFile) = (ULONG)MYNtCreateFile;

FFCoff();
}

//DbgPrint("线程工作中…\r\n");
KeDelayExecutionThread(KernelMode,0,&DelayTime);

}
DbgPrint("线程终止…\r\n");

KeSetEvent(&Myevent,FALSE,TRUE);
PsTerminateSystemThread(STATUS_SUCCESS);
}

/////////////////////////////////////////////////////////////////////////////////////////

VOID DriverUnload(PDRIVER_OBJECT driver)
{
g_bExit=FALSE;
KeWaitForSingleObject(&Myevent,Executive,KernelMode,0,0);

ObDereferenceObject(driver);

DbgPrint("first: Our driver is unloading…\r\n");

Unhook();

}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)// DriverEntry，入口函数
{
HANDLE myhandle;
g_bExit = TRUE;
DbgPrint("first: Hello, my wdk dirver!…\r\n");
ObReferenceObject(driver);
PsCreateSystemThread(&myhandle,0,NULL,NULL,NULL,MyThread,NULL);
ZwClose(myhandle);

KeInitializeEvent(&Myevent,SynchronizationEvent,FALSE);
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
ObjectAttributes.Attributes = OBJ_INHERIT;

driver->DriverUnload = DriverUnload;
hook();

return STATUS_SUCCESS;
}

/////////////////////////////////////////////////////////////////////////////////////////////////////////

VOID hook()
{
ULONG  Address;

Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0xce * 4;
NtResumeThreadAddress = *(ULONG*)Address;
DbgPrint("NtResumeThread :0x%08X",NtResumeThreadAddress);
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

HOOKNtCreateMutant = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x2b * 4;//0x7A为服务ID 获取 SSDT表中的地址
NtCreateMutantAddress = *(ULONG*)HOOKNtCreateMutant;
DbgPrint("NtCreateMutant :0x%08X",NtCreateMutantAddress);

HOOKNtCreateFile = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x25 * 4;
NtCreateFileAddress = *(ULONG*)HOOKNtCreateFile;
DbgPrint("NtCreateFile :0x%08X",NtCreateFileAddress);

/////////////////////////////////////////////////////////
FFCON();

*((ULONG*)HOOKNtCreateMutant) = (ULONG)MYNtCreateMutant;
*((ULONG*)HOOKNtCreateFile) = (ULONG)MYNtCreateFile;

FFCoff();

//////////////////////////////////////////////////////////

}

//////////////////////////////////////////////////////
VOID Unhook()
{
FFCON();

*((ULONG*)HOOKNtCreateMutant) = (ULONG)NtCreateMutantAddress;
*((ULONG*)HOOKNtCreateFile) = (ULONG)NtCreateFileAddress;

FFCoff();
DbgPrint("Unhook");
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

LONG GoOrNot()
{
ULONG tt=0;
LARGE_INTEGER li;li.QuadPart= - 10 * 1000 * 500; ////延迟0.5秒钟运行;

while (ISRun)    //防止多线程同步执行
{
KeDelayExecutionThread(KernelMode,0,&li);
}

ISRun=TRUE;
PPID=PsGetCurrentProcessId();

MyWriteProcessMemory((PVOID)R3buff,0x4,R3PPID,&PPID);
MyWriteProcessMemory((PVOID)R3Text,512,R3PPID,&SafePatch);
ZwOpenThread((PHANDLE)&hThread,THREAD_SUSPEND_RESUME,&ObjectAttributes,(PCLIENT_ID)&ClientId);
__asm{
push 0
push  hThread
call  NtResumeThreadAddress
}
ZwClose(hThread);

//DbgPrint("开始等待");
KeWaitForSingleObject(Sysevent,Executive,KernelMode,0,0);
//DbgPrint("等待完成");

MyReadMemory((PVOID)R3Control,0x4,R3PPID,&tt);//读取
//DbgPrint("tt : %08X \n",tt);
ISRun=FALSE;

return tt;
}

////////////////////////////////////////////////////////////////////////////////////////////////////////////////
HANDLE sysee;
ULONG  Mutant;
NTSTATUS MYNtCreateMutant(IN ULONG L1,IN ULONG L2,IN ULONG L3,IN ULONG L4)
{
if (L4 == 100)
{
sysee=(HANDLE)L2;//驱动监视事件
Appevent=(HANDLE)L1;//r3 工作事件
R3buff=L3;
PsLookupThreadByThreadId(sysee,&Sysevent);

ClientId.UniqueProcess=NULL;
ClientId.UniqueThread=Appevent;
return 8081;
}

if (L4 == 101)
{
R3PPID=(HANDLE)L1;
R3Control=(HANDLE)L2;
R3Text=(HANDLE)L3;

return 88082;
}

__asm{
push L4
push L3
push L2
push L1
call  NtCreateMutantAddress
mov Mutant,eax
}
return Mutant;
}

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
ULONG  NtCreateFileret;
ULONG  lsFileHandle;
NTSTATUS MYNtCreateFile(
OUT PHANDLE          FileHandle,
IN ACCESS_MASK       DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER    AllocationSize OPTIONAL,
IN ULONG             FileAttributes,
IN ULONG             ShareAccess,
IN ULONG             CreateDisposition,
IN ULONG             CreateOptions,
IN PVOID             EaBuffer OPTIONAL,
IN ULONG             EaLength )
{
__asm{
push EaLength
push EaBuffer OPTIONAL
push CreateOptions
push CreateDisposition
push ShareAccess
push FileAttributes
push AllocationSize OPTIONAL
push IoStatusBlock
push ObjectAttributes
push DesiredAccess
push FileHandle
call  NtCreateFileAddress
mov NtCreateFileret,eax
}
if (FileAttributes != 0 && DesiredAccess == 0xC0100080)
{
if (ShareAccess == 1 && CreateDisposition == 1)
{
return NtCreateFileret;
}

////////////////建立文件请求拦截////////////////
PPID=PsGetCurrentProcessId();
if (PPID != R3PPID)
{
if (FileHandle != NULL)
{
lsFileHandle=*(ULONG*)FileHandle;
if (lsFileHandle != 0)
{
if (check((HANDLE)lsFileHandle) != 0)
{
if (GoOrNot() == 4444) //拦截操作
{
ZwClose((HANDLE)lsFileHandle);
FileHandle=0;
return 0xc0000005;
}

}
}
}
}
}

return NtCreateFileret;
}

2010-1-21 05:45

0

hacknet

雪币： 80

活跃值： (45)

能力值：

( LV3，RANK：20 )

在线值：

发帖

5

回帖

49

粉丝

1

关注

私信

hacknet: 3 楼

驱动加载不上呢？

应用层代码没有噻~~~~~~~~~~~~

2010-1-21 08:29

0

caierhuan

雪币： 279

活跃值： (60)

能力值：

( LV3，RANK：20 )

在线值：

发帖

20

回帖

80

粉丝

0

关注

私信

caierhuan: 4 楼

主要代码在驱动引用层非常简单调用 NtCreateMutant  传入 R3  的变量指证供驱动返回

驱动中我们已经拦截了 NtCreateMutant  根据约定当参数4为 100 分别保存指证并返回

状态信号 8081 初步完成并等待 R3 再次上传其他的参数

R3 建立2条线程 1条是工作线程用来检测规则有驱动控制一条什么都不做有R3 控制供驱动

等待  建立的线程是立刻挂起的其他没什么了驱动代码中一目了然了