#pragma once
#ifdef __cplusplus
extern "C"
{
#endif
#include "NTDDK.h"
#ifdef __cplusplus
}
#endif
#include "ssdt hook.h"
#define INITCODE code_seg("INIT")
#define PAGECODE code_seg("PAGE")
VOID DDK_Unload (IN PDRIVER_OBJECT pDriverObject);
NTSTATUS CreateMyDevice (IN PDRIVER_OBJECT pDriverObject);
ULONG GetNt_OldAddr()
{
UNICODE_STRING Old_PsCreateSystemThread;
ULONG Old_Addrress;
RtlInitUnicodeString(&Old_PsCreateSystemThread,L"PsCreateSystemThread");
Old_Addrress=(ULONG)MmGetSystemRoutineAddress(&Old_PsCreateSystemThread);
return Old_Addrress;
}
extern "C" typedef NTSTATUS __stdcall PSCREATESYSTEMTHREAD
(
OUT PHANDLE ThreadHandle, //用于输出,这个参数得到新创建的线程句柄
IN ULONG DesiredAccess, //是创建的权限
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, //是该线程的属性,一般设为NULL
IN HANDLE ProcessHandle OPTIONAL, //指定是创建用户线程还是系统进程。如果该值为NULL,则为创系统线程。如果该值是一个进程句柄,则新创建的线程属于这个指定的进程。DDK提供的宏NtCurrentProcess可以得到当前进程的句柄。
OUT PCLIENT_ID ClientId OPTIONAL, //为新线程的运行地址
IN PKSTART_ROUTINE StartRoutine, //为新线程接收的参数
IN PVOID StartContext
);
PSCREATESYSTEMTHREAD *RealPsCreateSystemThread;
extern "C" NTSTATUS __stdcall MyPsCreateSystemThread
(
OUT PHANDLE ThreadHandle, //用于输出,这个参数得到新创建的线程句柄
IN ULONG DesiredAccess, //是创建的权限
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, //是该线程的属性,一般设为NULL
IN HANDLE ProcessHandle OPTIONAL, //指定是创建用户线程还是系统进程。如果该值为NULL,则为创系统线程。如果该值是一个进程句柄,则新创建的线程属于这个指定的进程。DDK提供的宏NtCurrentProcess可以得到当前进程的句柄。
OUT PCLIENT_ID ClientId OPTIONAL, //为新线程的运行地址
IN PKSTART_ROUTINE StartRoutine, //为新线程接收的参数
IN PVOID StartContext
)
{
NTSTATUS rc;
rc = RealPsCreateSystemThread(ThreadHandle,DesiredAccess,ObjectAttributes ,ProcessHandle,ClientId ,
StartRoutine,StartContext);
return rc;
}
VOID Hook()
{
ULONG ADDRESS;
ADDRESS = GetNt_OldAddr();
__asm
{
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
*((ULONG*)ADDRESS)= (ULONG)MyPsCreateSystemThread;
__asm
{
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
}
VOID UnHook()
{
ULONG ADDRESS;
ADDRESS = GetNt_OldAddr();
__asm
{
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
*((ULONG*)ADDRESS) = (ULONG)RealPsCreateSystemThread;
__asm
{
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
return;
}
#pragma INITCODE
NTSTATUS DriverEntry (PDRIVER_OBJECT pDriverObject, PUNICODE_STRING reg)
{
ULONG ADDRESS;
ADDRESS = GetNt_OldAddr();
DbgPrint("PsCreateSystemThread %X\n", ADDRESS);
DbgPrint("MyPsCreateSystemThread %X", MyPsCreateSystemThread);
Hook();
CreateMyDevice(pDriverObject);
pDriverObject->DriverUnload=DDK_Unload;
return (STATUS_SUCCESS);
}
#pragma PAGECODE
NTSTATUS CreateMyDevice (IN PDRIVER_OBJECT pDriverObject)
{
NTSTATUS status;
PDEVICE_OBJECT pDevObj;
UNICODE_STRING devName;
UNICODE_STRING symLinkName;
RtlInitUnicodeString(&devName,L"\\Device\\yjxDDK_Device");
status = IoCreateDevice( pDriverObject,\
0,\
&devName,\
FILE_DEVICE_UNKNOWN,\
0, TRUE,\
&pDevObj);
if (!NT_SUCCESS(status))
{
return status;
}
pDevObj->Flags |= DO_BUFFERED_IO;
RtlInitUnicodeString(&symLinkName,L"\\??\\My_DriverLinkName");
status = IoCreateSymbolicLink( &symLinkName,&devName );
if (!NT_SUCCESS(status))
{
IoDeleteDevice( pDevObj );
return status;
}
return STATUS_SUCCESS;
}
#pragma PAGECODE
VOID DDK_Unload (IN PDRIVER_OBJECT pDriverObject)
{
PDEVICE_OBJECT pDev;
UNICODE_STRING symLinkName;
pDev=pDriverObject->DeviceObject;
IoDeleteDevice(pDev);
RtlInitUnicodeString(&symLinkName,L"\\??\\My_DriverLinkName");
IoDeleteSymbolicLink(&symLinkName);
DbgPrint("卸载成功\n");
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
