Hooks ZwSetInformationFile so that c:\\wenbo.txt cannot be deleted, and NtOpenProcess so that processes with PID > 1000 cannot be terminated. Both are 32-bit SSDT hooks: the driver saves the dispatch table, clears CR0.WP with inline assembly and overwrites the table slots. The table layout it relies on is undocumented and the code is x86-only (4-byte slots, MSVC `__asm`); it does not apply to 64-bit Windows.
//头文件源代码 *.h
#pragma once
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
#ifdef __cplusplus
}
#endif
#define PageCode code_seg("PAGE")
#define InitCode code_seg("INIT")
// One service table of the (undocumented) 32-bit KeServiceDescriptorTable
// layout. This is not declared by the public DDK headers; it mirrors what the
// running kernel uses and is only valid for 32-bit ntoskrnl.
typedef struct _SYSTEM_SERVICE_TABLE
{
PVOID ServiceTableBase; // base of the SSDT (System Service Dispatch Table): array of handler addresses
PULONG ServiceCounterTableBase; // checked builds only: per-service call counters
ULONG NumberOfService; // number of entries; with 4-byte slots (x86) NumberOfService*4 is the table size in bytes
ULONG ParamTableBase; // base of the SSPT (System Service Parameter Table): per-service argument byte counts
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;
// Undocumented layout of the exported KeServiceDescriptorTable (32-bit).
// Only the ntoskrnl table is touched by this driver.
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
SYSTEM_SERVICE_TABLE ntoskrnl; // system services implemented in ntoskrnl.exe (the table this driver patches)
SYSTEM_SERVICE_TABLE win32k; // win32k.sys services (kernel support for gdi32/user32); not used here
SYSTEM_SERVICE_TABLE NotUsed1;
SYSTEM_SERVICE_TABLE NotUsed2;
} SYSTEM_DESCRIPTOR_TABLE, *PSYSTEM_DESCRIPTOR_TABLE;
extern "C" extern PSYSTEM_DESCRIPTOR_TABLE KeServiceDescriptorTable;
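// SERVICE_ID: service index of an ntoskrnl Zw* stub. On 32-bit ntoskrnl every
// Zw* export begins with `mov eax, <index>` (B8 imm32, see the disassembly
// below), so the index is the dword at offset 1. Only meaningful for a Zw*
// stub: applying it to the real Nt* implementation reads junk from its first
// bytes and yields an out-of-range index. x64 stubs are laid out differently.
// The argument is now parenthesized so an expression argument is cast as a
// whole rather than having the cast bind to its first operand.
#define SERVICE_ID(_function) (*(PULONG)((PUCHAR)(_function) + 1))
// SERVICE_FUNCTION: address of the SSDT slot holding the Nt* handler for the
// given Zw* stub (4-byte slots — 32-bit only). The index is not range-checked
// here; compare it against NumberOfService before dereferencing the result.
// NOTE(review): KeServiceDescriptorTable is declared above as a pointer
// without __declspec(dllimport); that works because the linker resolves the
// data import to its IAT slot (LNK4217) — confirm the warning is expected.
#define SERVICE_FUNCTION(_function) ((ULONG)KeServiceDescriptorTable->ntoskrnl.ServiceTableBase + 4*SERVICE_ID(_function))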
/*
lkd> u ZwOpenProcess
nt!ZwOpenProcess:
80501694 b87a000000 mov eax,7Ah ---> ZwOpenProcess+1 = ID
*/
// ------------------------------------------------------
void InitServicesTable();
NTSTATUS HookService(ULONG OldService, ULONG NewService);
NTSTATUS UnHookService(ULONG OldService);
void UnLoad(PDRIVER_OBJECT pDriver);
// ------------------------------------------------------
// Saved copy of every original SSDT entry, indexed by service ID. The hook
// handlers chain through it and UnHookService restores from it. Fixed at 1024
// slots, so InitServicesTable must never copy more entries than that.
// NOTE(review): these are definitions, not declarations, in a header (see the
// "*.h" marker above) — including it from a second translation unit would
// produce duplicate symbols.
ULONG OldServiceAddressTable[1024];
// Set once InitServicesTable has filled OldServiceAddressTable.
bool g_Init=false;
//ULONG NewServiceAddressTable[1024]; // caller-supplied replacement handler addresses (unused)
//cpp源代码
#include "Rootkits.h"
#pragma PageCode
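// Create the control device \Device\MyDriver and its symbolic link
// \??\SymBoliLinkDevice.
//
// Returns the failing NTSTATUS instead of pressing on: the original kept
// going after a failed IoCreateDevice (leaving pDev uninitialized and then
// creating a link to a device that does not exist) and reported
// STATUS_SUCCESS on every path. On a symbolic-link failure the device that was
// just created is deleted so nothing is left behind.
NTSTATUS CreateMyDriver(PDRIVER_OBJECT pDriver)
{
    UNICODE_STRING DriverName;
    PDEVICE_OBJECT pDev = NULL;
    NTSTATUS status;

    RtlInitUnicodeString(&DriverName, L"\\Device\\MyDriver");
    status = IoCreateDevice(pDriver, 0, &DriverName, FILE_DEVICE_UNKNOWN, 0, TRUE, &pDev);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("创建设备失败");
        return status;
    }

    UNICODE_STRING SymBoliLinkName;
    RtlInitUnicodeString(&SymBoliLinkName, L"\\??\\SymBoliLinkDevice");
    status = IoCreateSymbolicLink(&SymBoliLinkName, &DriverName);
    if (!NT_SUCCESS(status))
    {
        // Roll back the device so the driver can be unloaded cleanly.
        IoDeleteDevice(pDev);
        DbgPrint("创建符号连接失败");
        return status;
    }

    DbgPrint("创建驱动设备和符号连接成功");
    return STATUS_SUCCESS;
}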
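// Snapshot every SSDT entry into OldServiceAddressTable so the hook handlers
// can chain to the originals and UnHookService can restore them.
//
// The copy is now bounded by the array size: NumberOfService comes from the
// running kernel, and the original loop trusted it blindly, so a table larger
// than 1024 entries would have overrun the saved copy. g_Init is set only after
// the snapshot is complete.
void InitServicesTable()
{
    PSYSTEM_SERVICE_TABLE table = &KeServiceDescriptorTable->ntoskrnl;
    ULONG count = table->NumberOfService;
    ULONG capacity = sizeof(OldServiceAddressTable) / sizeof(OldServiceAddressTable[0]);

    if (count > capacity)
    {
        KdPrint(("SSDT has %lu entries, saving only %lu\n", count, capacity));
        count = capacity;
    }

    // 32-bit layout: each slot is a 4-byte handler address.
    PULONG slots = (PULONG)table->ServiceTableBase;
    for (ULONG i = 0; i < count; i++)
    {
        OldServiceAddressTable[i] = slots[i];
        // KdPrint(("0x%04X : %08X\n", i, OldServiceAddressTable[i]));
    }

    g_Init = true;
}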
// Clear CR0.WP (bit 16) so kernel code can write to read-only pages such as
// the SSDT. Caveats for anyone reusing this pair:
//  - `cli` masks interrupts on the current CPU only, and CR0 is per-CPU too;
//    another processor can still run (and dispatch through) the table while
//    HookService writes it. The 4-byte aligned store itself is atomic on x86.
//  - WPON re-enables interrupts with an unconditional `sti`, so the pair does
//    not preserve the caller's interrupt state.
//  - Because of the code_seg("PAGE") pragma above, this function and its
//    callers are pageable; a page fault while interrupts are disabled is
//    fatal, so this really belongs in non-paged code.
//  - 32-bit MSVC inline assembly only.
VOID WPOFF()
{
__asm
{
cli
push eax
mov eax, cr0
and eax, not 10000H
mov cr0, eax
pop eax
}
}
// Restore CR0.WP (re-enable kernel write protection) and re-enable interrupts.
// Must follow WPOFF on the same CPU. The `sti` is unconditional: if interrupts
// were already disabled when WPOFF ran they are turned back on here anyway.
VOID WPON()
{
__asm
{
push eax
mov eax, cr0
or eax,10000H
mov cr0,eax
pop eax
sti
}
}
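// Replace the SSDT entry of the service whose Zw* stub is OldService with
// NewService.
//
// Requires InitServicesTable to have run so the original can be chained to
// and restored later; the first version only logged that and hooked anyway,
// which left the handlers calling through a zeroed table entry. The service
// index is also range-checked against both the kernel's table and the saved
// copy before anything is written: SERVICE_ID trusts that OldService starts
// with `mov eax, index`, and a wrong argument (e.g. an Nt* implementation
// instead of a Zw* stub) would otherwise write to an arbitrary kernel address.
NTSTATUS HookService(ULONG OldService, ULONG NewService)
{
    if (!g_Init)
    {
        KdPrint(("ServiceTalbe Not Init.\n"));
        return STATUS_UNSUCCESSFUL;
    }

    ULONG id = SERVICE_ID(OldService);
    ULONG saved = sizeof(OldServiceAddressTable) / sizeof(OldServiceAddressTable[0]);
    if (id >= KeServiceDescriptorTable->ntoskrnl.NumberOfService || id >= saved)
    {
        KdPrint(("Service ID %lu out of range\n", id));
        return STATUS_INVALID_PARAMETER;
    }

    KdPrint(("New Service Address: %08X\n", NewService));
    // Single aligned 4-byte store; WPOFF/WPON only affect this CPU, which is
    // enough for the write itself.
    WPOFF();
    *(PULONG)SERVICE_FUNCTION(OldService) = NewService;
    WPON();
    return STATUS_SUCCESS;
}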
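// Restore the original SSDT entry for the service whose Zw* stub is OldService.
//
// OldService must be the same Zw* stub that was passed to HookService — the
// exported Nt* implementation does not start with `mov eax, index`, so
// SERVICE_ID would read junk from it. The index is therefore range-checked
// against the kernel's table and the saved copy before the restore is written.
NTSTATUS UnHookService(ULONG OldService)
{
    if (!g_Init)
    {
        return STATUS_UNSUCCESSFUL;
    }

    ULONG id = SERVICE_ID(OldService);
    ULONG saved = sizeof(OldServiceAddressTable) / sizeof(OldServiceAddressTable[0]);
    if (id >= KeServiceDescriptorTable->ntoskrnl.NumberOfService || id >= saved)
    {
        KdPrint(("Service ID %lu out of range\n", id));
        return STATUS_INVALID_PARAMETER;
    }

    WPOFF();
    *(PULONG)SERVICE_FUNCTION(OldService) = OldServiceAddressTable[id];
    WPON();
    return STATUS_SUCCESS;
}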
////////////////////////////////////////////////HOOK /////////////////////////////////////////////////////////////
// Signature of the original NtSetInformationFile handler recovered from
// OldServiceAddressTable (32-bit system services use __stdcall).
extern "C" typedef NTSTATUS (__stdcall *ZWSETINFOMATIONFILE)(
HANDLE FileHandle,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID FileInformation,
ULONG Length,
FILE_INFORMATION_CLASS FileInformationClass
);
// Signature of the original NtOpenProcess handler.
extern "C" typedef NTSTATUS (__stdcall *NTOPENPROCESS) (
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
);
// Zw* stub whose first instruction carries the NtOpenProcess service index
// (used with SERVICE_ID). ntddk.h may already declare this; the declaration
// is repeated here so the file does not depend on that.
extern "C" NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId);
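// True when the last path component of Name is "wenbo.txt", compared
// case-insensitively (Windows file names are). Works from Length rather than
// assuming a NUL terminator, since FILE_OBJECT.FileName is a counted string.
static BOOLEAN IsProtectedFileName(PCUNICODE_STRING Name)
{
    USHORT chars = (USHORT)(Name->Length / sizeof(WCHAR));
    USHORT start = chars;
    UNICODE_STRING leaf;
    UNICODE_STRING target;

    if (Name->Buffer == NULL || chars == 0)
    {
        return FALSE;
    }
    while (start > 0 && Name->Buffer[start - 1] != L'\\')
    {
        start--;
    }
    leaf.Buffer = Name->Buffer + start;
    leaf.Length = (USHORT)((chars - start) * sizeof(WCHAR));
    leaf.MaximumLength = leaf.Length;
    RtlInitUnicodeString(&target, L"wenbo.txt");
    return RtlEqualUnicodeString(&leaf, &target, TRUE);
}

// True when the DOS name produced by IoVolumeDeviceToDosName starts with "C:".
static BOOLEAN IsVolumeC(PCUNICODE_STRING DosName)
{
    if (DosName->Buffer == NULL || DosName->Length < 2 * sizeof(WCHAR))
    {
        return FALSE;
    }
    return (DosName->Buffer[0] == L'C' || DosName->Buffer[0] == L'c') && DosName->Buffer[1] == L':';
}

// SSDT replacement for NtSetInformationFile. Denies delete-on-close
// (FileDispositionInformation) and rename requests aimed at wenbo.txt on the
// C: volume; everything else is forwarded to the saved original handler.
//
// Fixes over the first version:
//  - ObDereferenceObject was called on an uninitialized pointer whenever
//    ObReferenceObjectByHandle failed; the reference is now released only
//    when it was taken.
//  - The file-object reference and the buffer allocated by
//    IoVolumeDeviceToDosName leaked on the deny path (the buffer leaked on
//    every path); both are released before returning.
//  - wcsstr on FileName.Buffer assumed a NUL-terminated buffer and was
//    case-sensitive, so "WENBO.TXT" bypassed the filter; the check now uses
//    the counted length and a case-insensitive compare of the final component.
//  - Every information class was denied for the matching file, which also
//    broke SetFilePointer/attribute updates; only classes that remove the file
//    are blocked.
//  - The handle is referenced with the caller's previous mode and no extra
//    access, so user handles keep their normal checks (the original used
//    KernelMode to bypass them, which also accepted kernel handles from user
//    callers).
//
// NOTE(review): FILE_OBJECT.FileName is whatever name was supplied at open
// time and is not guaranteed to be a full volume-relative path; a production
// filter should query the name (e.g. ObQueryNameString) instead of trusting it.
extern "C" NTSTATUS MyZwSetInformationFile(HANDLE FileHandle,PIO_STATUS_BLOCK IoStatusBlock,PVOID FileInformation,ULONG Length,FILE_INFORMATION_CLASS FileInformationClass)
{
    ZWSETINFOMATIONFILE original =
        (ZWSETINFOMATIONFILE)OldServiceAddressTable[SERVICE_ID(ZwSetInformationFile)];

    if (FileInformationClass == FileDispositionInformation ||
        FileInformationClass == FileRenameInformation)
    {
        PFILE_OBJECT pFileObject = NULL;
        NTSTATUS ret = ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType,
                                                 ExGetPreviousMode(), (PVOID*)&pFileObject, NULL);
        if (NT_SUCCESS(ret))
        {
            BOOLEAN deny = FALSE;
            if (pFileObject->DeviceObject != NULL && IsProtectedFileName(&pFileObject->FileName))
            {
                UNICODE_STRING uDosName = { 0 };
                if (NT_SUCCESS(IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uDosName)))
                {
                    deny = IsVolumeC(&uDosName);
                    // IoVolumeDeviceToDosName allocates the buffer; the caller frees it.
                    if (uDosName.Buffer != NULL)
                    {
                        ExFreePool(uDosName.Buffer);
                    }
                }
            }
            ObDereferenceObject(pFileObject);
            if (deny)
            {
                return STATUS_ACCESS_DENIED;
            }
        }
    }

    return original(FileHandle, IoStatusBlock, FileInformation, Length, FileInformationClass);
}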
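// SSDT replacement for NtOpenProcess: refuses to hand out handles that could
// terminate a process with PID > 1000; every other open goes to the saved
// original handler.
//
// Fixes over the first version:
//  - ClientId is a raw user-mode pointer when the caller is user mode. The
//    original dereferenced it unprobed, so any process could crash the kernel
//    with a bad pointer; it is now probed and captured under __try, and a
//    faulting pointer returns the exception code like the real service does.
//  - Denying every open (regardless of DesiredAccess) broke Task Manager
//    listings, debuggers and anything needing only query/read access. The deny
//    is limited to requests that can resolve to PROCESS_TERMINATE.
//
// NOTE(review): the rights check is conservative and still incomplete — a
// caller can open with PROCESS_DUP_HANDLE and duplicate for more access, and
// the PID threshold is not a real identity check. Treat this as a demo.
extern "C" NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    NTOPENPROCESS original = (NTOPENPROCESS)OldServiceAddressTable[SERVICE_ID(ZwOpenProcess)];

    // The specific right, MAXIMUM_ALLOWED (grants whatever the DACL permits)
    // and the generic rights the object manager may map onto process rights.
    const ACCESS_MASK killRights = PROCESS_TERMINATE | MAXIMUM_ALLOWED | GENERIC_ALL | GENERIC_WRITE;

    if (ClientId != NULL && (DesiredAccess & killRights) != 0)
    {
        ULONG_PTR pid;

        if (ExGetPreviousMode() == UserMode)
        {
            __try
            {
                ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG));
                pid = (ULONG_PTR)ClientId->UniqueProcess;
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                return GetExceptionCode();
            }
        }
        else
        {
            pid = (ULONG_PTR)ClientId->UniqueProcess;
        }

        if (pid > 1000)
        {
            return STATUS_ACCESS_DENIED;
        }
    }

    return original(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}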
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
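// Driver unload: restore both SSDT entries first, then remove the symbolic
// link and the control device.
//
// The first version unhooked the process hook with
// UnHookService((ULONG)NtOpenProcess). The hook was installed through the
// ZwOpenProcess stub (see DriverEntry), and SERVICE_ID only works on a Zw*
// stub that starts with `mov eax, index`; fed the exported NtOpenProcess
// implementation it reads junk, so the restore went to an arbitrary slot and
// the real entry kept pointing into this driver — a bugcheck on the next
// process open after unload. Both hooks are now removed via the stubs they
// were installed with.
//
// NOTE(review): this still races with threads that are inside
// MyZwSetInformationFile/MyNtOpenProcess when the image is unmapped; a real
// driver needs a reference count or a settling delay before returning.
void UnLoad(PDRIVER_OBJECT pDriver)
{
    UnHookService((ULONG)ZwSetInformationFile);
    UnHookService((ULONG)ZwOpenProcess);

    UNICODE_STRING SymBoliLinkName;
    RtlInitUnicodeString(&SymBoliLinkName, L"\\??\\SymBoliLinkDevice");
    IoDeleteSymbolicLink(&SymBoliLinkName);

    if (pDriver->DeviceObject != NULL)
    {
        IoDeleteDevice(pDriver->DeviceObject);
    }
    DbgPrint("删除设备和符号连接成功");
}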
#pragma PageCode
#pragma InitCode
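// Entry point: create the control device, snapshot the SSDT, then install
// both hooks.
//
// Failures are now propagated — the original ignored every status and always
// returned STATUS_SUCCESS, so a driver whose device or hook had failed stayed
// loaded half-initialized. The I/O manager does not call DriverUnload when
// DriverEntry fails, so cleanup is done here before returning the error.
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver,PUNICODE_STRING p)
{
    UNREFERENCED_PARAMETER(p);

    NTSTATUS status = CreateMyDriver(pDriver);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    pDriver->DriverUnload = UnLoad;
    InitServicesTable();

    status = HookService((ULONG)ZwSetInformationFile, (ULONG)MyZwSetInformationFile);
    if (NT_SUCCESS(status))
    {
        status = HookService((ULONG)ZwOpenProcess, (ULONG)MyNtOpenProcess);
    }
    if (!NT_SUCCESS(status))
    {
        // Restores both saved entries (a no-op for one that was never
        // hooked) and removes the device and link.
        UnLoad(pDriver);
    }
    return status;
}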
Tested successfully in a 32-bit Windows XP virtual machine; the SSDT layout, 4-byte table slots and MSVC inline assembly used here are specific to that environment.