一网吧计费软件,以独占模式访问NetbarDB.mdb(在资源管理器中也无法复制该文件),现在另一程序需要获取该数据库内数据,但由于已被计费软件独占无法访问,需要解除其独占访问,由于没有好的方式,猜想ADO在独占模式打开数据库时的ShareAccess可能为0,尝试改变ShareAccess 虽然成功让另一程序可以访问该数据库,但会有不明原因的蓝屏出现.发生时间也不确定。
有兴趣的朋友可以测试下,加载该驱动,以独占模式打开一数据库,尝试通过改变ShareAccess让另一程序获得访问权.
或者有更好的办法可以解决独占数据库访问问题,也欢迎提出.
代码是普通的SSDT HOOK,通过改变Share Access的确能够实现让独占失效,就是蓝屏挺郁闷。
#include <ntddk.h>
#pragma pack(1)
// Layout this driver assumes for ntoskrnl's KeServiceDescriptorTable on 32-bit
// Windows: four 4-byte members, packed. Only ServiceTableBase and
// NumberOfServices are read by this file; the other two members are unused here.
// KeServiceDescriptorTable is not exported by 64-bit ntoskrnl and the table is
// covered by Kernel Patch Protection there, so this code is x86-only.
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
// Resolved against the ntoskrnl export at link time; no storage is defined here.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
// Looks up the current table entry for a Zw* stub. Reads the 32-bit value at
// byte offset 1 of the stub, i.e. it assumes the stub starts with a 5-byte
// "mov eax, <service index>" (true for x86 ntoskrnl Zw stubs, not for x64).
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
PMDL g_pmdlSystemCall;        // MDL describing the service table pages; built in DriverEntry
PVOID *MappedSystemCallTable; // writable kernel mapping of the table obtained through that MDL
// Same stub-offset read as SYSTEMSERVICE, without the table lookup.
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
// Swaps the table slot through the writable mapping and stores the previous
// entry in _Orig. The (LONG)/(PLONG) casts assume 32-bit pointers.
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
_Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
// NOTE: writes _Hook into the slot and ignores _Orig entirely, so the value to
// restore must be passed as the SECOND argument (OnUnload does exactly that,
// passing RealZwCreateFile in the _Hook position). The parameter names mislead.
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
// Forward declaration of the replacement service routine that DriverEntry
// installs in the table; the definition follows below.
NTSTATUS
FilterZwCreateFile (
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength);
// Function-pointer type with ZwCreateFile's signature, used to call the saved
// original service routine from the hook. (The name starts with an underscore
// followed by an uppercase letter, which the C standard reserves.)
typedef NTSTATUS
(*_ZwCreateFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
);
// Original table entry for the ZwCreateFile service: written in DriverEntry
// before the slot is replaced, read by FilterZwCreateFile on every hooked call.
// Plain global with no synchronization around it.
_ZwCreateFile RealZwCreateFile;
// Replacement for the ZwCreateFile service table entry. Every caller of the
// NtCreateFile service (user mode and kernel mode) arrives here with its raw
// arguments, before the real service has validated them.
//
// Behaviour: when the target is named by the exact absolute path compared in
// the _wcsicmp line, the caller's ShareAccess is replaced with
// FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE for every opener,
// including the process that asked for exclusive access; opens that name the
// file any other way (e.g. relative to a RootDirectory handle) are not matched.
// All other calls are passed through to the saved original entry unchanged.
//
// Known defects in the matching code (plausible contributors to the
// intermittent bugchecks described at the top of this page):
//  - ObjectAttributes and ObjectAttributes->ObjectName are dereferenced with
//    no NULL check.
//  - For user-mode callers these are user-mode pointers. The real service
//    probes them itself, but this routine reads them with no ProbeForRead and
//    no __try/__except, so an invalid or concurrently freed user buffer faults
//    the kernel.
//  - UNICODE_STRING.Buffer is not guaranteed NUL-terminated; _wcsicmp scans for
//    a terminator and can read past Length. A Length-bounded comparison
//    (RtlEqualUnicodeString, case-insensitive) would not.
//  - Stripping exclusivity also strips whatever consistency the owning
//    application derives from it; two processes writing the same .mdb
//    concurrently is a data-integrity risk independent of the crashes.
// Returns whatever the original service routine returns.
NTSTATUS
FilterZwCreateFile (
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
)
{
// Length check only; neither pointer on the way to Length is validated.
if(ObjectAttributes->ObjectName->Length >0)
{
// Exact, case-insensitive match on one hard-coded absolute NT path.
if(_wcsicmp(ObjectAttributes->ObjectName->Buffer,L"\\??\\D:\\TDDownload\\KingStone\\Server\\NetBarDb.mdb")==0)
{
DbgPrint("[IDDrv] IsChuangYuanDB %d\n",CreateDisposition); // %d with a ULONG; %lu would match
// Caller's ShareAccess is discarded and replaced with all three share flags.
return RealZwCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,CreateDisposition,CreateOptions,EaBuffer,EaLength);
// Unreachable: the return above already exits. Leftover alternative that
// would have gone through IoCreateFile instead of the saved table entry.
return IoCreateFile( FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
AllocationSize,
FileAttributes,
FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
CreateDisposition,
CreateOptions,
EaBuffer,
EaLength,
CreateFileTypeNone,
(PVOID)NULL,
0 );
}
}
// Pass-through with the caller's own ShareAccess.
return RealZwCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
// Unreachable: same leftover IoCreateFile alternative as above.
return IoCreateFile( FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
AllocationSize,
FileAttributes,
ShareAccess,
CreateDisposition,
CreateOptions,
EaBuffer,
EaLength,
CreateFileTypeNone,
(PVOID)NULL,
0 );
}
// Driver unload: puts the saved original entry back into the table slot, then
// releases the writable mapping and its MDL.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("[IDDRv]OnUnload\n");
// UNHOOK_SYSCALL writes its second argument into the slot and ignores the
// third, so RealZwCreateFile is deliberately passed in the "_Hook" position.
// Nothing waits for in-flight calls: a thread already inside
// FilterZwCreateFile, or one that read the slot just before this exchange,
// keeps executing in an image that is about to be unmapped. That is a
// plausible (unconfirmed) source of crashes that coincide with unloading.
UNHOOK_SYSCALL( ZwCreateFile, RealZwCreateFile, FilterZwCreateFile );
// Guarded by the MDL pointer only; MappedSystemCallTable is assumed valid
// whenever the MDL exists (DriverEntry never checks the MmMapLockedPages result).
if(g_pmdlSystemCall)
{
MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
IoFreeMdl(g_pmdlSystemCall);
}
}
// Driver entry point: saves the current ZwCreateFile service entry, creates a
// writable mapping of the service table through an MDL, and installs
// FilterZwCreateFile in the table. theRegistryPath is unused.
// Returns STATUS_UNSUCCESSFUL if the MDL cannot be created, else STATUS_SUCCESS.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
IN PUNICODE_STRING theRegistryPath)
{
theDriverObject->DriverUnload = OnUnload;
// Original entry read straight from the table; HOOK_SYSCALL below stores the
// same value again from the InterlockedExchange return.
RealZwCreateFile =(_ZwCreateFile)(SYSTEMSERVICE(ZwCreateFile));
DbgPrint("[IDDrv]EnterDriverEntry\n");
// Size NumberOfServices*4 hard-codes 4-byte table entries (x86 only).
// MmCreateMdl is documented as obsolete; IoAllocateMdl is the current API.
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
// BUG: this line runs only on the SUCCESS path (the failure path returned
// above), so "MDLERROR" is logged every time MDL creation worked. It
// presumably belongs inside the if() before the return.
DbgPrint("[IDDrv]MDLERROR\n");
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
// MDL flag set by hand rather than by the memory manager, presumably so the
// mapping obtained below can be written through; not a documented use of the flag.
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
// Result is not checked. MmMapLockedPages is also obsolete
// (MmMapLockedPagesSpecifyCache is the documented replacement).
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
// From here on every NtCreateFile service call goes through FilterZwCreateFile.
HOOK_SYSCALL( ZwCreateFile, FilterZwCreateFile, RealZwCreateFile );
return STATUS_SUCCESS;
}