[原创]XP下inline hook IofCallDriver源码
唉,原来还想附上一段对隐藏了 bug 的代码的蓝屏分析,那才是最让我高兴的事,但发现自己没有保存当时的崩溃信息,所以还是直接上源码吧,虽然有点遗憾。另外声明一下,这段程序参考了《详谈内核三步走Inline Hook实现》这篇帖子,感谢作者。
//
//driver.cpp
//
// ---- forward declarations -------------------------------------------------
// Detour that receives every IofCallDriver call once the hook is installed.
NTSTATUS FASTCALL DetourMyIofCallDriver(IN PDEVICE_OBJECT,IN OUT PIRP);
// Trampoline: the displaced prologue bytes of IofCallDriver's body followed by
// a jmp back into the kernel. Its code is rewritten in place by HookIofCallDriver.
NTSTATUS FASTCALL OriginalIofCallDriver(IN PDEVICE_OBJECT,IN OUT PIRP);
VOID HookIofCallDriver();
VOID UnHookIofCallDriver();        // declared here; its definition is not part of this listing
PUCHAR GetIofCallDriverAddress();  // resolves the address of IofCallDriver's real body
VOID WPOFF();                      // CR0.WP off / on; definitions (and their use of g_uCR0) are not shown here
VOID WPON();

// ---- hook state -------------------------------------------------------------
ULONG g_uCR0;                      // presumably the saved CR0 for WPOFF/WPON -- definitions not shown
PUCHAR g_IofCallDriver;            // address of IofCallDriver's body, i.e. the code that gets patched
// 5-byte `E9 rel32`, written at trampoline+6: jumps back into the kernel right after
// the displaced bytes. The displacement is filled in by HookIofCallDriver.
UCHAR g_JmpOriginal[5]={0xE9,0,0,0,0};
// 5-byte `E9 rel32` to DetourMyIofCallDriver plus one nop, so it covers exactly the
// 6 displaced bytes. The displacement is filled in by HookIofCallDriver.
UCHAR g_JmpAddress[6]={0xE9,0,0,0,0,0x90};
// Serialises the patch; it must be initialised with KeInitializeSpinLock somewhere
// not shown in this listing before HookIofCallDriver runs.
KSPIN_LOCK SDTSpinLock;
#pragma LOCKEDCODE
// Replacement entry for IofCallDriver. After the hook is installed every call to
// IofCallDriver in the system lands here; the IRP is handed on unchanged through the
// trampoline (OriginalIofCallDriver), whose result is returned to the caller.
// It lives in locked code because IofCallDriver's callers may be at DISPATCH_LEVEL.
// The DbgPrint fires on every IRP dispatch in the system -- fine for a demo, very
// noisy and costly for anything else.
NTSTATUS FASTCALL DetourMyIofCallDriver(PDEVICE_OBJECT pDevObj,PIRP pIrp)
{
    DbgPrint("HDM:This is MyIofCallDriver!You succeed!\n");
    return OriginalIofCallDriver(pDevObj,pIrp);
}
#pragma LOCKEDCODE
// Trampoline standing in for the unhooked IofCallDriver body.
// HookIofCallDriver overwrites this function's own code in place:
//   bytes  0..5  : the six prologue bytes displaced from IofCallDriver's body
//   bytes  6..10 : E9 rel32 jumping to body+6, the first undisplaced instruction
//   bytes 11..15 : spare nops, never reached
// `naked` makes the compiler emit no prologue/epilogue, so the 16 nops below ARE the
// whole function; FASTCALL keeps ECX/EDX (pDevObj/pIrp) exactly as IofCallDriver's
// caller left them. There is deliberately no `ret`: control only leaves through the
// patched-in jmp, so calling this before HookIofCallDriver has run falls off the end
// of the nops into whatever follows -- never call it unhooked.
// NOTE(review): copying a fixed 6 bytes assumes the body starts with whole
// instructions carrying no relative operands on the exact kernel build targeted;
// verify that before reusing on any other build.
_declspec (naked) NTSTATUS FASTCALL OriginalIofCallDriver(PDEVICE_OBJECT pDevObj,PIRP pIrp)
{
// The first few instructions of IofCallDriver, and our jump back into it, are written here.
__asm{
// bytes 0..5: overwritten with the displaced prologue
nop
nop
nop
nop
nop
nop
// bytes 6..10: overwritten with `jmp body+6`
nop
nop
nop
nop
nop
// bytes 11..15: padding, unreachable once patched
nop
nop
nop
nop
nop
}
}
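#pragma PAGEDCODE
// Resolve the address of IofCallDriver's real body (the code the hook patches).
// On the XP kernels this listing targets, the exported IofCallDriver symbol is only a
// stub `jmp dword ptr [slot]` (FF 25 <abs32>): byte 2 holds the absolute address of a
// pointer slot, and that slot holds the address of the body. This walks the stub.
// Returns NULL when the export cannot be resolved or the stub does not have that
// exact shape, so the caller never patches through a garbage pointer. Pageable,
// because MmGetSystemRoutineAddress is a PASSIVE_LEVEL call.
PUCHAR GetIofCallDriverAddress()
{
    UNICODE_STRING ustrIofCallDriver;
    RtlInitUnicodeString(&ustrIofCallDriver,L"IofCallDriver");
    PUCHAR stub=(PUCHAR)MmGetSystemRoutineAddress(&ustrIofCallDriver);
    if(stub==NULL)
        return NULL;             // export not found: nothing to hook

    // Refuse anything but `FF 25 <abs32>`; on a different kernel layout the two
    // dereferences below would follow arbitrary bytes as pointers.
    if(stub[0]!=0xFF || stub[1]!=0x25)
        return NULL;

    PUCHAR *slot=*(PUCHAR**)(stub+2);   // absolute address of the pointer slot
    if(slot==NULL)
        return NULL;
    return *slot;                        // the body itself (may still be NULL; caller checks)
}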
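// The preceding PAGEDCODE pragma would otherwise leave this function in the pageable
// section, yet it runs at DISPATCH_LEVEL while SDTSpinLock is held (assuming the usual
// code_seg() macros behind LOCKEDCODE/PAGEDCODE). Keep it resident.
#pragma LOCKEDCODE
// Install the inline hook:
//   1. resolve IofCallDriver's body,
//   2. compute both relative displacements,
//   3. finish the trampoline (displaced bytes + jmp back),
//   4. only then overwrite the first 6 bytes of the body with `jmp Detour; nop`.
// Step 3 must precede step 4: the moment the body is patched, any CPU calling
// IofCallDriver runs the detour and therefore the trampoline; if the jmp back is not
// there yet it falls off the end of the nops. The original ordering wrote the jmp back
// last.
// Caveat: the spinlock only serialises callers of this function and pins this thread
// to the CPU whose CR0.WP was cleared. It does not stop other CPUs from executing
// IofCallDriver while RtlCopyMemory rewrites its first 6 bytes non-atomically; a
// processor mid-way through those bytes can still fault. This listing does not
// quiesce the other CPUs, so treat it as a demo rather than a production hook.
// SDTSpinLock must already be initialised (not shown here). UnHookIofCallDriver can
// restore the body from the trampoline's bytes 0..5.
VOID HookIofCallDriver()
{
    g_IofCallDriver=GetIofCallDriverAddress();
    ASSERT(g_IofCallDriver!=NULL);
    if(g_IofCallDriver==NULL)
        return;                  // ASSERT vanishes in free builds; never patch through NULL

    // E9 rel32: the displacement is relative to the end of the 5-byte jmp, i.e. body+5.
    *(ULONG*)(g_JmpAddress+1)=(ULONG)DetourMyIofCallDriver-((ULONG)g_IofCallDriver+5);
    // Jump back targets body+6 (first undisplaced instruction); the jmp sits at
    // trampoline+6, so it ends at trampoline+11.
    *(ULONG*)(g_JmpOriginal+1)=((ULONG)g_IofCallDriver+6)-((ULONG)OriginalIofCallDriver+11);

    KIRQL OldIrql;
    KeAcquireSpinLock(&SDTSpinLock,&OldIrql);
    WPOFF();
    // Complete the trampoline first (our own .text, also write-protected) ...
    RtlCopyMemory((PUCHAR)OriginalIofCallDriver,g_IofCallDriver,6);
    RtlCopyMemory((PUCHAR)OriginalIofCallDriver+6,g_JmpOriginal,5);
    // ... and only then redirect the kernel.
    RtlCopyMemory(g_IofCallDriver,g_JmpAddress,6);
    WPON();
    KeReleaseSpinLock(&SDTSpinLock,OldIrql);
}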
ok,就是这样!终于能小小的松一口气了!