#include <ntddk.h>
#include "ssdt.h" //////////////////////////////////////////////////////////////////////////////////////////////////////
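//////////////////////////////////////////////////////////////////////////////////////////////////////
/* Shared state between the two SSDT hooks, the watchdog thread and the user-mode ("R3")
 * control application.  Everything here is a plain global written from several threads without
 * a lock; the only serialisation in the file is the ISRun flag claimed in GoOrNot().
 * (The original paste had `HANDLE Appevent=0;` swallowed into the comment line above, so
 * Appevent was never declared although MYNtCreateMutant assigns it.) */
HANDLE Appevent=0;            /* thread id received as L1 in MYNtCreateMutant(L4==100); used as ClientId.UniqueThread */
PETHREAD Sysevent=0;          /* ETHREAD resolved by PsLookupThreadByThreadId in MYNtCreateMutant; GoOrNot() waits on it */
HANDLE PPID=0;                /* pid of the process whose file create is being inspected */
HANDLE R3PPID=0;              /* pid of the control application (MYNtCreateMutant, L4==101) */
HANDLE R3Control=0;           /* R3 address GoOrNot() reads the 32-bit verdict from */
HANDLE R3Text=0;              /* R3 address that receives SafePatch */
ULONG R3buff=0;               /* R3 address that receives PPID */
HANDLE R3HANDLE=0;            /* not referenced in this file */
char SafePatch[512];          /* ANSI path of the file being created, filled by check() */
OBJECT_ATTRIBUTES ObjectAttributes;  /* passed to ZwOpenThread in GoOrNot(); OBJ_INHERIT set in DriverEntry */
CLIENT_ID ClientId;                  /* target of ZwOpenThread: UniqueThread = Appevent */
HANDLE hThread;               /* thread handle opened and closed inside GoOrNot() */
ULONG ISRun=FALSE;            /* "GoOrNot() in progress" flag */
ULONG CreateFileISRun;        /* not referenced in this file */
BOOLEAN g_bExit=FALSE;        /* TRUE while MyThread should keep looping (set in DriverEntry, cleared in DriverUnload) */
KEVENT Myevent;               /* signalled by MyThread when it exits; DriverUnload waits on it */
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/* Original SSDT targets saved by hook(); Unhook() writes them back. */
ULONG NtCreateMutantAddress;
ULONG NtResumeThreadAddress;          /* looked up only; GoOrNot() calls it directly */
ULONG NtCreateFileAddress;
ULONG NtProtectVirtualMemoryAddress;  /* not referenced in this file */
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/* Addresses of the two SSDT slots that hook() overwrites. */
ULONG HOOKNtCreateMutant;
ULONG HOOKNtCreateFile;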
/* Make read-only kernel pages writable for the following stores: masks interrupts with cli,
 * then clears CR0.WP (bit 16, 0x10000).  Interrupts stay disabled until FFCoff() executes
 * sti, so nothing that may block belongs between the two calls.  CR0 is a per-processor
 * register: only the CPU this runs on is affected. */
VOID FFCON()
{
__asm{ // drop memory write protection
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
}
/* Counterpart of FFCON(): sets CR0.WP (bit 16, 0x10000) again and re-enables interrupts
 * with sti.  Must run on the same CPU as the matching FFCON(); the cli in FFCON() is what
 * keeps the thread from migrating in between. */
VOID FFCoff()
{
__asm{ // restore memory write protection
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
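/* Copy BufferSize bytes from address BaseAddress inside process `pid` into the kernel buffer
 * `buffer` (which must hold at least BufferSize bytes).  The read happens while attached to
 * the target process (KeStackAttachProcess) under ProbeForRead + SEH, so a bad user address is
 * reported instead of bugchecking.
 * Returns 1 on success, 0 on failure (unknown pid, out of pool, or the copy faulted); on
 * failure `buffer` is left untouched.
 * Fixes versus the original: the EPROCESS reference taken by PsLookupProcessByProcessId is
 * released on every path; the staging buffer is no longer written before checking it is at
 * least 4 bytes; BufferSize bytes are copied out instead of a fixed 4; a fault now reports
 * failure instead of returning 1 with a dummy value. */
ULONG MyReadMemory(IN PVOID BaseAddress,IN SIZE_T BufferSize,IN HANDLE pid ,OUT PVOID buffer )
{
    PEPROCESS EProcess = NULL;
    KAPC_STATE ApcState;
    PVOID readbuffer = NULL;
    NTSTATUS status;
    BOOLEAN copied = FALSE;

    if (buffer == NULL || BufferSize == 0)
    {
        return 0;
    }
    /* Takes a reference on EProcess; released below. */
    status = PsLookupProcessByProcessId(pid, &EProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("failed to get the EPROCESS!!\n");
        return 0;
    }
    /* Stage through non-paged pool: the target's memory is readable only while attached,
     * the caller's buffer is copied to afterwards in our own context. */
    readbuffer = ExAllocatePoolWithTag(NonPagedPool, BufferSize, 'Sys');
    if (readbuffer == NULL)
    {
        DbgPrint("failed to alloc memory!\n");
        ObDereferenceObject(EProcess);
        return 0;
    }
    KeStackAttachProcess((PKPROCESS)EProcess, &ApcState);
    __try
    {
        ProbeForRead((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
        RtlCopyMemory(readbuffer, BaseAddress, BufferSize);
        copied = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("MyReadMemory: fault reading %p\n", BaseAddress);
    }
    /* Detach exactly once, on the normal and on the faulting path. */
    KeUnstackDetachProcess(&ApcState);

    if (copied)
    {
        RtlCopyMemory(buffer, readbuffer, BufferSize);
    }
    ExFreePoolWithTag(readbuffer, 'Sys');
    ObDereferenceObject(EProcess);
    return copied ? 1 : 0;
}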
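/* Copy BufferSize bytes from the kernel buffer `buffer` to address BaseAddress inside process
 * `pid`.  `buffer` must stay valid while attached to the target (the callers pass globals).
 * The store happens while attached (KeStackAttachProcess) under ProbeForWrite + SEH.
 * Returns 1 on success, 0 on failure (unknown pid or the copy faulted).
 * Fixes versus the original: the EPROCESS reference is released on every path; the destination
 * is probed for write (it was probed for read only); a fault now reports failure; the pool
 * block that was allocated and never used is gone. */
ULONG MyWriteProcessMemory(IN PVOID BaseAddress,IN SIZE_T BufferSize,IN HANDLE pid ,IN PVOID buffer )
{
    PEPROCESS EProcess = NULL;
    KAPC_STATE ApcState;
    NTSTATUS status;
    BOOLEAN copied = FALSE;

    if (buffer == NULL || BufferSize == 0)
    {
        return 0;
    }
    /* Takes a reference on EProcess; released below. */
    status = PsLookupProcessByProcessId(pid, &EProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("failed to get the EPROCESS!!\n");
        return 0;
    }
    KeStackAttachProcess((PKPROCESS)EProcess, &ApcState);
    __try
    {
        ProbeForWrite(BaseAddress, BufferSize, sizeof(CHAR));
        RtlCopyMemory(BaseAddress, buffer, BufferSize);
        copied = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("MyWriteProcessMemory: fault writing %p\n", BaseAddress);
    }
    /* Detach exactly once, on the normal and on the faulting path. */
    KeUnstackDetachProcess(&ApcState);
    ObDereferenceObject(EProcess);
    return copied ? 1 : 0;
}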
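/* Resolve the file handle `hand` into an ANSI path "<DOS drive>" + FILE_OBJECT.FileName and store
 * it in the global SafePatch.  Returns 1 on success, 0 on any failure (SafePatch is then
 * unchanged).
 * Limits: the result is truncated to sizeof SafePatch - 1 bytes; FileName is whatever the
 * FILE_OBJECT holds, which for relative opens (RelatedFileObject != NULL) is not a full path;
 * SafePatch is a global, so concurrent callers overwrite each other.
 * Fixes versus the original: the handle is type-checked against *IoFileObjectType instead of
 * accepting any object as a FILE_OBJECT; the object reference, the DOS-name buffer and both ANSI
 * strings are released (all four leaked before); the strncpy/strncat into a 512-byte stack buffer
 * trusted the string lengths and could overrun it, the copies are now bounded. */
LONG check(HANDLE hand )
{
    LONG result = 0;
    NTSTATUS status;
    PFILE_OBJECT file = NULL;
    UNICODE_STRING dosname_u = {0};   /* buffer allocated by RtlVolumeDeviceToDosName, freed with ExFreePool */
    ANSI_STRING dosname_a = {0};      /* allocated by RtlUnicodeStringToAnsiString, freed with RtlFreeAnsiString */
    ANSI_STRING filename_a = {0};
    size_t used;
    size_t len;

    status = ObReferenceObjectByHandle(hand, 0, *IoFileObjectType, KernelMode, (PVOID*)&file, NULL);
    if (!NT_SUCCESS(status) || file == NULL)
    {
        DbgPrint("check: ObReferenceObjectByHandle failed 0x%08X\n", status);
        return 0;
    }
    /* Drive letter of the volume the file lives on. */
    status = RtlVolumeDeviceToDosName(file->DeviceObject, &dosname_u);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("check: RtlVolumeDeviceToDosName failed 0x%08X\n", status);
        goto cleanup;
    }
    status = RtlUnicodeStringToAnsiString(&dosname_a, &dosname_u, TRUE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("check: converting the DOS name failed 0x%08X\n", status);
        goto cleanup;
    }
    /* Path relative to the volume plus file name. */
    status = RtlUnicodeStringToAnsiString(&filename_a, &file->FileName, TRUE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("check: converting FileName failed 0x%08X\n", status);
        goto cleanup;
    }

    /* Bounded concatenation into SafePatch, always NUL-terminated. */
    len = dosname_a.Length;
    if (len > sizeof SafePatch - 1)
    {
        len = sizeof SafePatch - 1;
    }
    RtlCopyMemory(SafePatch, dosname_a.Buffer, len);
    used = len;

    len = filename_a.Length;
    if (len > sizeof SafePatch - 1 - used)
    {
        len = sizeof SafePatch - 1 - used;
    }
    RtlCopyMemory(SafePatch + used, filename_a.Buffer, len);
    used += len;
    SafePatch[used] = '\0';
    result = 1;

cleanup:
    if (filename_a.Buffer != NULL)
    {
        RtlFreeAnsiString(&filename_a);
    }
    if (dosname_a.Buffer != NULL)
    {
        RtlFreeAnsiString(&dosname_a);
    }
    if (dosname_u.Buffer != NULL)
    {
        ExFreePool(dosname_u.Buffer);
    }
    ObDereferenceObject(file);
    return result;
}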
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/* Watchdog system thread started from DriverEntry.  Every 5 seconds (-10*1000*5000 in 100ns
 * units = relative 5 s) it re-reads the two SSDT slots and, if either no longer holds our
 * replacement, rewrites both under FFCON()/FFCoff().  It loops while g_bExit is TRUE (the name
 * is inverted: TRUE means "keep running"), then signals Myevent for DriverUnload and
 * terminates itself.  pContext is unused.
 * Review notes: DriverEntry creates this thread before hook() has filled HOOKNtCreateMutant /
 * HOOKNtCreateFile, so if it is scheduled first the dereference below reads through address 0;
 * the slot writes here are not synchronised with hook()/Unhook() or with other CPUs. */
VOID MyThread(IN PVOID pContext) // thread function
{
    LARGE_INTEGER DelayTime;
    DelayTime = RtlConvertLongToLargeInteger(- 10 * 1000 * 5000);
    while (g_bExit)
    {
        if (*((ULONG*)HOOKNtCreateMutant) != (ULONG)MYNtCreateMutant || *((ULONG*)HOOKNtCreateFile) != (ULONG)MYNtCreateFile)
        {
            DbgPrint("HOOK被恢复…\r\n");   /* "hook was restored" */
            FFCON();
            *((ULONG*)HOOKNtCreateMutant) = (ULONG)MYNtCreateMutant;
            *((ULONG*)HOOKNtCreateFile) = (ULONG)MYNtCreateFile;
            FFCoff();
        }
        //DbgPrint("线程工作中…\r\n");   /* "thread working" (debug trace, disabled) */
        KeDelayExecutionThread(KernelMode,0,&DelayTime);
    }
    DbgPrint("线程终止…\r\n");   /* "thread terminating" */
    /* Wakes DriverUnload, which waits on Myevent before calling Unhook(). */
    KeSetEvent(&Myevent,FALSE,TRUE);
    PsTerminateSystemThread(STATUS_SUCCESS);
}
/////////////////////////////////////////////////////////////////////////////////////////
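/* Unload routine: stop the watchdog thread, wait until it has signalled Myevent (so it cannot
 * re-install the hooks), release what DriverEntry and MYNtCreateMutant acquired, then restore
 * the SSDT entries.
 * Fix versus the original: the ETHREAD reference left in Sysevent by PsLookupThreadByThreadId
 * is now released.
 * Review note: after Unhook() a thread may still be executing inside MYNtCreateFile /
 * MYNtCreateMutant or blocked in GoOrNot(); nothing here waits for those to drain, so unloading
 * while the hooks have been active is inherently unsafe. */
VOID DriverUnload(PDRIVER_OBJECT driver)
{
    g_bExit = FALSE;                                 /* MyThread's loop condition */
    KeWaitForSingleObject(&Myevent, Executive, KernelMode, 0, 0);
    if (Sysevent != NULL)
    {
        ObDereferenceObject(Sysevent);
        Sysevent = NULL;
    }
    ObDereferenceObject(driver);                     /* pairs with ObReferenceObject in DriverEntry */
    DbgPrint("first: Our driver is unloading…\r\n");
    Unhook();
}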
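/* Entry point: initialise the shared state, install the SSDT hooks, start the watchdog thread.
 * reg_path is unused.
 * Fixes versus the original: Myevent is initialised and hook() has run before MyThread is
 * created (MyThread reads HOOKNtCreateMutant/HOOKNtCreateFile on its first iteration and
 * signals Myevent on exit); the PsCreateSystemThread status is checked, so DriverUnload can
 * never wait on an event that nobody will signal; the thread handle is closed only when it was
 * actually opened; DriverUnload is registered once initialisation succeeded. */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    HANDLE myhandle = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(reg_path);
    DbgPrint("first: Hello, my wdk dirver!…\r\n");

    KeInitializeEvent(&Myevent, SynchronizationEvent, FALSE);
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    ObjectAttributes.Attributes = OBJ_INHERIT;

    ObReferenceObject(driver);                       /* released in DriverUnload */
    hook();

    g_bExit = TRUE;                                  /* MyThread's loop condition; set before it starts */
    status = PsCreateSystemThread(&myhandle, 0, NULL, NULL, NULL, MyThread, NULL);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("first: PsCreateSystemThread failed 0x%08X\r\n", status);
        Unhook();
        ObDereferenceObject(driver);
        return status;
    }
    ZwClose(myhandle);                               /* the thread keeps running without the handle */

    driver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}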
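/////////////////////////////////////////////////////////////////////////////////////////////////////////
/* SSDT service numbers used by hook().  They are hard-coded for one particular Windows build;
 * service numbers change between versions and service packs, so on any other build these slots
 * belong to different services (the stale "0x7A" in the original comment shows the drift). */
enum
{
    SSDT_IDX_NtCreateFile   = 0x25,
    SSDT_IDX_NtCreateMutant = 0x2b,
    SSDT_IDX_NtResumeThread = 0xce
};

/* Install the hooks: record the slot addresses and the original targets (Unhook() writes them
 * back), then overwrite two slots with MYNtCreateMutant / MYNtCreateFile while CR0.WP is cleared
 * by FFCON().  NtResumeThread is only looked up, not hooked; GoOrNot() calls it directly.
 * (The original paste had the `VOID hook()` header swallowed into the separator comment.)
 * Review notes: each entry is 4 bytes, i.e. this is 32-bit only; the two stores are not
 * synchronised with other CPUs and nothing verifies what the slots held before they are
 * overwritten. */
VOID hook()
{
    ULONG Address;
    Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + SSDT_IDX_NtResumeThread * 4;
    NtResumeThreadAddress = *(ULONG*)Address;
    DbgPrint("NtResumeThread :0x%08X",NtResumeThreadAddress);

    HOOKNtCreateMutant = (ULONG)KeServiceDescriptorTable->ServiceTableBase + SSDT_IDX_NtCreateMutant * 4;
    NtCreateMutantAddress = *(ULONG*)HOOKNtCreateMutant;
    DbgPrint("NtCreateMutant :0x%08X",NtCreateMutantAddress);

    HOOKNtCreateFile = (ULONG)KeServiceDescriptorTable->ServiceTableBase + SSDT_IDX_NtCreateFile * 4;
    NtCreateFileAddress = *(ULONG*)HOOKNtCreateFile;
    DbgPrint("NtCreateFile :0x%08X",NtCreateFileAddress);

    FFCON();
    *((ULONG*)HOOKNtCreateMutant) = (ULONG)MYNtCreateMutant;
    *((ULONG*)HOOKNtCreateFile) = (ULONG)MYNtCreateFile;
    FFCoff();
}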
//////////////////////////////////////////////////////
/* Write the original targets saved by hook() back into the two SSDT slots, under
 * FFCON()/FFCoff().  Only valid after hook() has run (HOOKNtCreateMutant / HOOKNtCreateFile
 * are otherwise 0); DriverUnload calls it only after MyThread has exited, so the watchdog
 * cannot undo it. */
VOID Unhook()
{
    FFCON();
    *((ULONG*)HOOKNtCreateMutant) = (ULONG)NtCreateMutantAddress;
    *((ULONG*)HOOKNtCreateFile) = (ULONG)NtCreateFileAddress;
    FFCoff();
    DbgPrint("Unhook");
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
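/* Ask the user-mode control application ("R3") whether the file create recorded in SafePatch
 * should be blocked.  All addresses used were registered by the R3 side via MYNtCreateMutant:
 * the caller's pid is written to R3buff and SafePatch to R3Text, the R3 worker thread
 * (ClientId) is opened and resumed through the original NtResumeThread, then we wait on
 * Sysevent (a thread object, signalled when that thread has exited) and read the 32-bit
 * verdict from R3Control.
 * Returns the verdict (MYNtCreateFile treats 4444 as "block"); 0 when no control thread is
 * registered or the worker thread cannot be opened.
 * Fixes versus the original: ISRun is claimed with an interlocked compare-exchange instead of a
 * read-then-set that two threads could pass together; Sysevent == NULL no longer reaches
 * KeWaitForSingleObject; the ZwOpenThread status is checked before its handle is used.
 * Review note: the wait has no timeout, so a control application that never exits its worker
 * thread leaves the calling NtCreateFile blocked indefinitely. */
LONG GoOrNot()
{
    ULONG tt = 0;
    NTSTATUS status;
    LARGE_INTEGER li;
    li.QuadPart = - 10 * 1000 * 500;                 /* relative 0.5 s in 100ns units */

    /* Serialise callers: sleep 0.5 s per turn until the flag is ours. */
    while (InterlockedCompareExchange((volatile LONG*)&ISRun, TRUE, FALSE) != FALSE)
    {
        KeDelayExecutionThread(KernelMode, 0, &li);
    }

    if (Sysevent == NULL)
    {
        InterlockedExchange((volatile LONG*)&ISRun, FALSE);
        return 0;
    }

    PPID = PsGetCurrentProcessId();
    MyWriteProcessMemory((PVOID)R3buff, sizeof PPID, R3PPID, &PPID);
    MyWriteProcessMemory((PVOID)R3Text, sizeof SafePatch, R3PPID, &SafePatch);

    status = ZwOpenThread((PHANDLE)&hThread, THREAD_SUSPEND_RESUME, &ObjectAttributes, (PCLIENT_ID)&ClientId);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("GoOrNot: ZwOpenThread failed 0x%08X\n", status);
        InterlockedExchange((volatile LONG*)&ISRun, FALSE);
        return 0;
    }
    /* Original NtResumeThread(ThreadHandle, PreviousSuspendCount = NULL), stdcall. */
    __asm{
        push 0
        push hThread
        call NtResumeThreadAddress
    }
    ZwClose(hThread);

    KeWaitForSingleObject(Sysevent, Executive, KernelMode, 0, 0);
    MyReadMemory((PVOID)R3Control, sizeof tt, R3PPID, &tt);
    InterlockedExchange((volatile LONG*)&ISRun, FALSE);
    return tt;
}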
HANDLE sysee;   /* thread id received as L2 in MYNtCreateMutant(L4==100); resolved into Sysevent */
ULONG Mutant;   /* return slot for the inline-asm call to the original NtCreateMutant; one global shared by all concurrent callers */
/* Replacement installed in NtCreateMutant's SSDT slot.  Ordinary calls are forwarded to the
 * saved original (inline asm, stdcall: L4..L1 pushed right-to-left, result taken from eax).
 * The fourth argument doubles as a registration channel for the user-mode control application:
 *   L4 == 100: L2 = thread id of the control thread (sysee -> Sysevent), L1 = thread id used as
 *              ClientId.UniqueThread (Appevent), L3 = R3 address that receives PPID (R3buff).
 *              Returns 8081.
 *   L4 == 101: L1 = pid of the control application (R3PPID), L2 = R3 address the verdict is
 *              read from (R3Control), L3 = R3 address that receives SafePatch (R3Text).
 *              Returns 88082.
 * Review notes: nothing checks who the caller is, so any process can (re)register and redirect
 * where the driver reads and writes; the PsLookupThreadByThreadId status is ignored and each
 * successful lookup leaks the reference held in the previous Sysevent; 8081/88082 are in-band
 * with NTSTATUS; Mutant is a global, so two concurrent callers can return each other's result. */
NTSTATUS MYNtCreateMutant(IN ULONG L1,IN ULONG L2,IN ULONG L3,IN ULONG L4)
{
    if (L4 == 100)
    {
        sysee=(HANDLE)L2;        /* driver monitor thread ("driver watch event" in the original) */
        Appevent=(HANDLE)L1;     /* R3 worker thread ("r3 work event" in the original) */
        R3buff=L3;
        PsLookupThreadByThreadId(sysee,&Sysevent);
        ClientId.UniqueProcess=NULL;
        ClientId.UniqueThread=Appevent;
        return 8081;
    }
    if (L4 == 101)
    {
        R3PPID=(HANDLE)L1;
        R3Control=(HANDLE)L2;
        R3Text=(HANDLE)L3;
        return 88082;
    }
    /* Forward to the original NtCreateMutant. */
    __asm{
        push L4
        push L3
        push L2
        push L1
        call NtCreateMutantAddress
        mov Mutant,eax
    }
    return Mutant;
}
ULONG NtCreateFileret;   /* return slot for the inline-asm call to the original NtCreateFile; shared by all concurrent callers */
ULONG lsFileHandle;      /* handle value read back from *FileHandle after the original call; likewise a shared global */
/* Replacement installed in NtCreateFile's SSDT slot.  The call is first forwarded unchanged to
 * the saved original (inline asm, stdcall, eleven arguments pushed right-to-left, result from
 * eax); only then is the outcome inspected:
 *   - only requests with FileAttributes != 0 and DesiredAccess == 0xC0100080
 *     (GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE | FILE_READ_ATTRIBUTES) are considered;
 *   - ShareAccess == 1 (FILE_SHARE_READ) together with CreateDisposition == 1 (FILE_OPEN) is
 *     passed through;
 *   - requests from the control application itself (R3PPID) are passed through;
 *   - otherwise the new handle is resolved to a path by check() and GoOrNot() asks the control
 *     application; a verdict of 4444 closes the handle and returns 0xC0000005.
 * Review notes: the original call has already completed, so any side effect of the create has
 * happened before the verdict; `FileHandle=0` only clears the local parameter, the caller still
 * holds the handle value that now refers to a closed handle; `*(ULONG*)FileHandle` reads a
 * caller-supplied pointer without a probe or SEH; 0xC0000005 is STATUS_ACCESS_VIOLATION where
 * STATUS_ACCESS_DENIED (0xC0000022) would describe the outcome; NtCreateFileret and
 * lsFileHandle are globals shared by all concurrent callers. */
NTSTATUS MYNtCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength )
{
    /* Forward to the original NtCreateFile before inspecting anything. */
    __asm{
        push EaLength
        push EaBuffer OPTIONAL
        push CreateOptions
        push CreateDisposition
        push ShareAccess
        push FileAttributes
        push AllocationSize OPTIONAL
        push IoStatusBlock
        push ObjectAttributes
        push DesiredAccess
        push FileHandle
        call NtCreateFileAddress
        mov NtCreateFileret,eax
    }
    if (FileAttributes != 0 && DesiredAccess == 0xC0100080)
    {
        if (ShareAccess == 1 && CreateDisposition == 1)
        {
            return NtCreateFileret;
        }
        //////////////// file-create request interception ////////////////
        PPID=PsGetCurrentProcessId();
        if (PPID != R3PPID)   /* never interrogate the control application about its own opens */
        {
            if (FileHandle != NULL)
            {
                lsFileHandle=*(ULONG*)FileHandle;
                if (lsFileHandle != 0)
                {
                    if (check((HANDLE)lsFileHandle) != 0)
                    {
                        if (GoOrNot() == 4444) /* verdict: block */
                        {
                            ZwClose((HANDLE)lsFileHandle);
                            FileHandle=0;
                            return 0xc0000005;
                        }
                    }
                }
            }
        }
    }
    return NtCreateFileret;
}