[旧帖] [求助] 0.00雪花
发表于: 2013-10-12 11:55 1249
下面是一个简单的inline hook NtCreateFile程序,就是实现对创建文件的控制。但是现在只要加载驱动它就会无限hook NtCreateFile,我想只有当创建文件,也就是调用NtCreateFile函数的时候才对其进行hook,求解应该怎么办?
#include <ntddk.h>
#include <windef.h>
ULONG CR0VALUE; // CR0 as read before write protection is cleared; restored after the patch
BYTE OriginalBytes[5]={0}; // first five bytes of NtCreateFile, saved before they are overwritten
BYTE JmpAddress[5]={0xE9,0,0,0,0}; // E9 rel32 (near JMP); the rel32 is filled in by HookNtCreateFile
// Kernel export being patched (x86: all pointer arithmetic below uses ULONG, so 32-bit only).
NTKERNELAPI NTSTATUS NtCreateFile(__out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in PVOID EaBuffer OPTIONAL, __in ULONG EaLength);
// Replacement routine the JMP lands on (first parameter is spelled FileHand here, FileHandle in the definition).
NTSTATUS MyNtCreateFile(__out PHANDLE FileHand, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in PVOID EaBuffer OPTIONAL, __in ULONG EaLength);
/*
 * HookNtCreateFile - overwrite the first 5 bytes of NtCreateFile with a
 * relative JMP to MyNtCreateFile.
 *
 * The overwritten bytes are kept in OriginalBytes so UnHookNtCreateFile can
 * put them back. From the moment the copy on the RtlCopyMemory line lands,
 * every caller of NtCreateFile in the system runs MyNtCreateFile instead.
 *
 * NOTE(review): CR0 is per-processor and WP is cleared *before* the IRQL is
 * raised, so the thread may be rescheduled onto a CPU whose WP is still set
 * before the patch is written. The 5-byte copy is also not atomic with
 * respect to other CPUs already executing NtCreateFile. Confirm this is
 * acceptable for the environment this is tested in.
 */
void HookNtCreateFile()
{
KIRQL Irql;
//KdPrint(("[NtWriteFile111] :0x%x",NtWriteFile)); // address check
//KdPrint(("[MyNtWriteFile111] :0x%x",MyNtWriteFile)); // address check
// Save the first five bytes of the original function.
RtlCopyMemory(OriginalBytes,(BYTE *)NtCreateFile,5); // copy NtCreateFile[0..4] into OriginalBytes
// rel32 of the JMP: target minus the address of the instruction following the 5-byte JMP.
*(ULONG *)(JmpAddress+1)=(ULONG)MyNtCreateFile-((ULONG)NtCreateFile+5);
// Begin the inline hook.
// Clear CR0.WP (bit 16) so the kernel text page can be written; keep the old value in CR0VALUE.
_asm
{
push eax
mov eax, cr0
mov CR0VALUE, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
}
Irql=KeRaiseIrqlToDpcLevel(); // raise to DISPATCH_LEVEL (original comment said APC_LEVEL; the call is KeRaiseIrqlToDpcLevel)
RtlCopyMemory((BYTE *)NtCreateFile,JmpAddress,5);// write the JMP over the first five bytes of the function
//KdPrint(("JmpAddress :0x%x",JmpAddress));
//KdPrint(("[MyNtCreateFile] :0x%x",MyNtCreateFile));
KeLowerIrql(Irql); // restore the previous IRQL
// Restore CR0 (re-enables write protection).
__asm
{
push eax
mov eax, CR0VALUE
mov cr0, eax
pop eax
}
}
/*
 * OriginalNtCreateFile - trampoline into the unpatched body of NtCreateFile.
 *
 * Naked: the compiler emits no prologue/epilogue. It re-executes the three
 * instructions that HookNtCreateFile overwrote (mov edi,edi / push ebp /
 * mov ebp,esp = 5 bytes) and then jumps to NtCreateFile+5. The caller's
 * arguments are still on the stack, so NtCreateFile's own body consumes
 * them and its ret returns straight to MyNtCreateFile.
 *
 * NOTE(review): this only works when the first 5 bytes of the target really
 * are that hot-patch prologue; on a build where they differ, the jump lands
 * mid-instruction. Confirm against the target kernel.
 */
__declspec(naked) NTSTATUS /*__stdcall*/ OriginalNtCreateFile(__out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in PVOID EaBuffer OPTIONAL, __in ULONG EaLength)
{
_asm
{
mov edi, edi // the 5 displaced bytes, replayed here
push ebp
mov ebp, esp
mov eax, NtCreateFile // eax = address of NtCreateFile
add eax, 5 // skip the JMP we wrote
jmp eax
}
}
/*
 * MyNtCreateFile - the routine the patched NtCreateFile entry jumps to.
 *
 * Runs for every NtCreateFile call made anywhere in the system while the hook
 * is installed, which is why the trace line floods the debugger. Logs once and
 * forwards all arguments unchanged to the original body via the trampoline;
 * the result of the original call is returned as-is.
 */
NTSTATUS MyNtCreateFile(__out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in PVOID EaBuffer OPTIONAL, __in ULONG EaLength)
{
    DbgPrint("This is my function!!!\n");
    return (NTSTATUS)OriginalNtCreateFile(FileHandle,
                                          DesiredAccess,
                                          ObjectAttributes,
                                          IoStatusBlock,
                                          AllocationSize,
                                          FileAttributes,
                                          ShareAccess,
                                          CreateDisposition,
                                          CreateOptions,
                                          EaBuffer,
                                          EaLength);
}
/*
 * UnHookNtCreateFile - copy the saved OriginalBytes back over the JMP at the
 * entry of NtCreateFile. Mirror image of HookNtCreateFile, with the same
 * CR0 / IRQL ordering and the same per-CPU and non-atomic-write caveats.
 */
void UnHookNtCreateFile()
{
KIRQL Irql;
// Clear CR0.WP (bit 16) so the kernel text page can be written; keep the old value in CR0VALUE.
_asm
{
push eax
mov eax, cr0
mov CR0VALUE, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
}
Irql=KeRaiseIrqlToDpcLevel(); // raise to DISPATCH_LEVEL
RtlCopyMemory((BYTE *)NtCreateFile,OriginalBytes,5); // write the five saved bytes back to the original function
KeLowerIrql(Irql);
// Restore CR0 (re-enables write protection).
__asm
{
push eax
mov eax, CR0VALUE
mov cr0, eax
pop eax
}
}
/*
 * Unload - driver unload callback. Restores NtCreateFile's original entry
 * bytes and then logs that the unhook has happened.
 */
VOID Unload(IN PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);

    UnHookNtCreateFile();
    KdPrint(("[UnHookNtcREATEFile] Unloaded\n"));
}
/*
 * DriverEntry - registers Unload (so the patch is always reverted when the
 * driver leaves memory) and then installs the NtCreateFile hook. The hook is
 * live for every caller in the system from this point on.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj,PUNICODE_STRING pRegistryString)
{
    UNREFERENCED_PARAMETER(pRegistryString);

    pDriverObj->DriverUnload = Unload;
    HookNtCreateFile();

    return STATUS_SUCCESS;
}
#include <ntddk.h>
#include <windef.h>
ULONG CR0VALUE; // CR0 as read before write protection is cleared; restored after the patch
BYTE OriginalBytes[5]={0}; // first five bytes of NtCreateFile, saved before they are overwritten
BYTE JmpAddress[5]={0xE9,0,0,0,0}; // E9 rel32 (near JMP); the rel32 is filled in by HookNtCreateFile
// Kernel export being patched (x86: all pointer arithmetic below uses ULONG, so 32-bit only).
NTKERNELAPI NTSTATUS NtCreateFile(__out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in PVOID EaBuffer OPTIONAL, __in ULONG EaLength);
// Replacement routine the JMP lands on (first parameter is spelled FileHand here, FileHandle in the definition).
NTSTATUS MyNtCreateFile(__out PHANDLE FileHand, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in PVOID EaBuffer OPTIONAL, __in ULONG EaLength);
/*
 * HookNtCreateFile - overwrite the first 5 bytes of NtCreateFile with a
 * relative JMP to MyNtCreateFile.
 *
 * The overwritten bytes are kept in OriginalBytes so UnHookNtCreateFile can
 * put them back. From the moment the copy on the RtlCopyMemory line lands,
 * every caller of NtCreateFile in the system runs MyNtCreateFile instead.
 *
 * NOTE(review): CR0 is per-processor and WP is cleared *before* the IRQL is
 * raised, so the thread may be rescheduled onto a CPU whose WP is still set
 * before the patch is written. The 5-byte copy is also not atomic with
 * respect to other CPUs already executing NtCreateFile. Confirm this is
 * acceptable for the environment this is tested in.
 */
void HookNtCreateFile()
{
KIRQL Irql;
//KdPrint(("[NtWriteFile111] :0x%x",NtWriteFile)); // address check
//KdPrint(("[MyNtWriteFile111] :0x%x",MyNtWriteFile)); // address check
// Save the first five bytes of the original function.
RtlCopyMemory(OriginalBytes,(BYTE *)NtCreateFile,5); // copy NtCreateFile[0..4] into OriginalBytes
// rel32 of the JMP: target minus the address of the instruction following the 5-byte JMP.
*(ULONG *)(JmpAddress+1)=(ULONG)MyNtCreateFile-((ULONG)NtCreateFile+5);
// Begin the inline hook.
// Clear CR0.WP (bit 16) so the kernel text page can be written; keep the old value in CR0VALUE.
_asm
{
push eax
mov eax, cr0
mov CR0VALUE, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
}
Irql=KeRaiseIrqlToDpcLevel(); // raise to DISPATCH_LEVEL (original comment said APC_LEVEL; the call is KeRaiseIrqlToDpcLevel)
RtlCopyMemory((BYTE *)NtCreateFile,JmpAddress,5);// write the JMP over the first five bytes of the function
//KdPrint(("JmpAddress :0x%x",JmpAddress));
//KdPrint(("[MyNtCreateFile] :0x%x",MyNtCreateFile));
KeLowerIrql(Irql); // restore the previous IRQL
// Restore CR0 (re-enables write protection).
__asm
{
push eax
mov eax, CR0VALUE
mov cr0, eax
pop eax
}
}
/*
 * OriginalNtCreateFile - trampoline into the unpatched body of NtCreateFile.
 *
 * Naked: the compiler emits no prologue/epilogue. It re-executes the three
 * instructions that HookNtCreateFile overwrote (mov edi,edi / push ebp /
 * mov ebp,esp = 5 bytes) and then jumps to NtCreateFile+5. The caller's
 * arguments are still on the stack, so NtCreateFile's own body consumes
 * them and its ret returns straight to MyNtCreateFile.
 *
 * NOTE(review): this only works when the first 5 bytes of the target really
 * are that hot-patch prologue; on a build where they differ, the jump lands
 * mid-instruction. Confirm against the target kernel.
 */
__declspec(naked) NTSTATUS /*__stdcall*/ OriginalNtCreateFile(__out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in PVOID EaBuffer OPTIONAL, __in ULONG EaLength)
{
_asm
{
mov edi, edi // the 5 displaced bytes, replayed here
push ebp
mov ebp, esp
mov eax, NtCreateFile // eax = address of NtCreateFile
add eax, 5 // skip the JMP we wrote
jmp eax
}
}
/*
 * MyNtCreateFile - the routine the patched NtCreateFile entry jumps to.
 *
 * Runs for every NtCreateFile call made anywhere in the system while the hook
 * is installed, which is why the trace line floods the debugger. Logs once and
 * forwards all arguments unchanged to the original body via the trampoline;
 * the result of the original call is returned as-is.
 */
NTSTATUS MyNtCreateFile(__out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in PVOID EaBuffer OPTIONAL, __in ULONG EaLength)
{
    DbgPrint("This is my function!!!\n");
    return (NTSTATUS)OriginalNtCreateFile(FileHandle,
                                          DesiredAccess,
                                          ObjectAttributes,
                                          IoStatusBlock,
                                          AllocationSize,
                                          FileAttributes,
                                          ShareAccess,
                                          CreateDisposition,
                                          CreateOptions,
                                          EaBuffer,
                                          EaLength);
}
/*
 * UnHookNtCreateFile - copy the saved OriginalBytes back over the JMP at the
 * entry of NtCreateFile. Mirror image of HookNtCreateFile, with the same
 * CR0 / IRQL ordering and the same per-CPU and non-atomic-write caveats.
 */
void UnHookNtCreateFile()
{
KIRQL Irql;
// Clear CR0.WP (bit 16) so the kernel text page can be written; keep the old value in CR0VALUE.
_asm
{
push eax
mov eax, cr0
mov CR0VALUE, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
}
Irql=KeRaiseIrqlToDpcLevel(); // raise to DISPATCH_LEVEL
RtlCopyMemory((BYTE *)NtCreateFile,OriginalBytes,5); // write the five saved bytes back to the original function
KeLowerIrql(Irql);
// Restore CR0 (re-enables write protection).
__asm
{
push eax
mov eax, CR0VALUE
mov cr0, eax
pop eax
}
}
/*
 * Unload - driver unload callback. Restores NtCreateFile's original entry
 * bytes and then logs that the unhook has happened.
 */
VOID Unload(IN PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);

    UnHookNtCreateFile();
    KdPrint(("[UnHookNtcREATEFile] Unloaded\n"));
}
/*
 * DriverEntry - registers Unload (so the patch is always reverted when the
 * driver leaves memory) and then installs the NtCreateFile hook. The hook is
 * live for every caller in the system from this point on.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj,PUNICODE_STRING pRegistryString)
{
    UNREFERENCED_PARAMETER(pRegistryString);

    pDriverObj->DriverUnload = Unload;
    HookNtCreateFile();

    return STATUS_SUCCESS;
}