我在程序中,测试一个朋友的驱动,发现'__asm' keyword not supported。
//
// 这个版本暂定采用TDL3的APC插入方式,从内核注入DLL到进程空间
//
//
//
//
//
extern "C"
{
#include <ntddk.h>
#include <windef.h>
#include <wdm.h>
};
#include <stdio.h>
#include <stdlib.h>
#include "SSDT.h"
// Original SSDT entry for service index 0xBA, saved by DriverEntry just before
// it is overwritten; MyNtReadVirtualMemory forwards every call through it.
// Nothing on this page ever writes it back into the table.
PVOID g_pReadVirtualMemory = NULL;
// Base address of the loaded NT kernel image, as found by FindKernelBaseAddr().
// NOTE(review): NULL is assigned to an integer-typed variable here; 0 is meant.
ULONG_PTR g_pNtKernelBaseAddr = NULL;
// SizeOfImage of that kernel image, filled in together with g_pNtKernelBaseAddr.
// Together the two give the address range a legitimate SSDT entry must fall in.
ULONG g_nNtKernelSizeOfImage = 0;
// Scan a SystemModuleInformation buffer for the first loaded module whose file
// name (ImageName + NameOffset) starts with szDriverName. The comparison is
// case-insensitive and covers only strlen(szDriverName) characters, so a longer
// name sharing that prefix matches as well.
// On a hit *pModSize receives the module's Size and its Base is returned; when
// nothing matches *pModSize is left untouched and NULL is returned.
PVOID GetDriverModuleBaseAddr(PSYSTEM_MODULE_INFORMATION pModuleInfo,const char* szDriverName,ULONG *pModSize) {
    ULONG cmpLen = strlen(szDriverName);
    ULONG i = 0;
    while (i < pModuleInfo->Count) {
        const char *fileName = pModuleInfo->Module[i].ImageName + pModuleInfo->Module[i].NameOffset;
        if (_strnicmp(szDriverName, fileName, cmpLen) == 0) {
            *pModSize = pModuleInfo->Module[i].Size;
            return pModuleInfo->Module[i].Base;
        }
        ++i;
    }
    return NULL;
}
// Look up a loaded kernel module by file-name prefix.
// Queries SystemModuleInformation (class 0xB) twice: first with a zero-length
// buffer to learn the required size, then into a NonPagedPool buffer of that
// size, which is handed to GetDriverModuleBaseAddr and freed before returning.
// *pModSize is reset to 0 up front and only becomes non-zero on a match.
// Returns the module base, or NULL if either query fails, the allocation fails,
// or no module matches. The size learned by the first call can be stale if a
// module loads in between; the second call then fails and NULL is returned.
// NOTE(review): the allocation is untagged (ExAllocatePool); a pool tag would
// make the buffer attributable in pool-usage diagnostics.
PVOID GetSystemModuleInfo(const char* szDriverName,ULONG *pModSize) {
    ULONG required = 0;
    *pModSize = 0;

    NTSTATUS st = ZwQuerySystemInformation(0xB, NULL, 0, &required);
    if (st != STATUS_INFO_LENGTH_MISMATCH || required == 0) {
        return NULL;
    }

    PVOID buf = ExAllocatePool(NonPagedPool, required);
    if (buf == NULL) {
        return NULL;
    }

    PVOID base = NULL;
    st = ZwQuerySystemInformation(0xB, buf, required, &required);
    if (NT_SUCCESS(st)) {
        base = GetDriverModuleBaseAddr((PSYSTEM_MODULE_INFORMATION)buf, szDriverName, pModSize);
    }
    ExFreePool(buf);
    return base;
}
// Resolve the base address of whichever NT kernel image is loaded, trying the
// known file names in this fixed order: ntkrnlpa.exe, ntoskrnl.exe,
// ntkrpamp.exe, ntkrnlmp.exe. *pULSizeOfImage receives the SizeOfImage of the
// first hit (GetSystemModuleInfo resets it to 0 on every attempt).
// Returns the base as ULONG_PTR, or 0 when none of the names is found.
ULONG_PTR FindKernelBaseAddr(ULONG* pULSizeOfImage)
{
    static const char* const kernelNames[] = {
        "ntkrnlpa.exe",
        "ntoskrnl.exe",
        "ntkrpamp.exe",
        "ntkrnlmp.exe",
    };
    for (size_t i = 0; i < sizeof(kernelNames) / sizeof(kernelNames[0]); ++i) {
        ULONG_PTR base = (ULONG_PTR)GetSystemModuleInfo(kernelNames[i], pULSizeOfImage);
        if (base != 0) {
            return base;
        }
    }
    return 0;
}
// Replacement installed into the SSDT by DriverEntry in place of the service
// at index 0xBA. It forwards the call to the saved original and, when the read
// succeeded, inspects the two processes involved and may falsify the first byte
// of the result. From a defender's view: a service-table entry that resolves
// outside [g_pNtKernelBaseAddr, g_pNtKernelBaseAddr + g_nNtKernelSizeOfImage)
// is the visible symptom of this kind of hook.
//
// Parameters mirror the hooked service; NumberOfBytesRead is passed through
// untouched. Returns the original status, except that a failure of
// ObReferenceObjectByHandle replaces a successful read status with that
// failure code (ret is reassigned on that call).
NTSTATUS MyNtReadVirtualMemory (
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG BufferSize,
OUT PULONG NumberOfBytesRead
)
{
// Forward to the original service through the pointer saved by DriverEntry.
NTSTATUS ret=((NTREADVIRTUALMEMORY)g_pReadVirtualMemory)(ProcessHandle,BaseAddress,Buffer,BufferSize,NumberOfBytesRead);
if(ret==STATUS_SUCCESS)
{
PEPROCESS Process;
// Resolve the target process object. NOTE(review): EVENT_MODIFY_STATE is an
// event-object access right, not a process right, and AccessMode is KernelMode.
ret=ObReferenceObjectByHandle(ProcessHandle,EVENT_MODIFY_STATE,*PsProcessType,KernelMode,(PVOID*)&Process,NULL);
if(ret==STATUS_SUCCESS && Process!=NULL)
{
PEPROCESS curProcess=IoGetCurrentProcess();
// Both comparisons read a NUL-terminated string at a hard-coded offset
// (0x174) into EPROCESS, treated as the image file name — inferred from the
// comparison; the offset is specific to one OS build and is not validated.
if (_stricmp((char*)((char*)Process+0x174), "target.exe") == 0 )
{
if(_stricmp((char*)((char*)curProcess+0x174), "test.exe") == 0 )
{
// Overwrite the first byte of the caller's buffer with 77 ('M'), so the
// reading process sees falsified data. NOTE(review): written without
// regard to BufferSize (a zero-length read reaches here too) and without
// exception protection around the caller-supplied pointer.
*((CHAR*)Buffer)=77;
}
}
ObDereferenceObject(Process);
}
}
return ret;
}
// Driver entry point. NOTE(review): the signature (void*, int) is not the
// documented DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING) form, so this build
// is evidently loaded by something other than the normal driver loader;
// no DriverObject is received and no DriverUnload routine is registered.
// The routine locates the kernel image, resolves KeServiceDescriptorTable, and
// swaps SSDT entry 0xBA for MyNtReadVirtualMemory. Nothing on this page ever
// restores the entry.
// Return values are inconsistent: -1 and FALSE on failure, STATUS_SUCCESS on
// success, although the declared type is NTSTATUS.
extern "C"
NTSTATUS DriverEntry(void* pModudleBase,int nNothing) {
// Locate the NT kernel image; everything below is relative to its base.
g_pNtKernelBaseAddr = FindKernelBaseAddr(&g_nNtKernelSizeOfImage);
if (NULL == g_pNtKernelBaseAddr) {
return -1;
}
// NOTE(review): nNetIoSizeOfImage is never used.
ULONG nNetIoSizeOfImage = 0;
// FindAPIRVAByName is declared elsewhere (presumably SSDT.h); it is assumed to
// return the export RVA of the named symbol — TODO confirm.
DWORD nServicesTableRVA=FindAPIRVAByName((PVOID)g_pNtKernelBaseAddr,"KeServiceDescriptorTable");
if (NULL == nServicesTableRVA) {
return FALSE;
}
PSERVICE_DESCRIPTOR_TABLE pServicesTable=(PSERVICE_DESCRIPTOR_TABLE)((PUCHAR)g_pNtKernelBaseAddr + nServicesTableRVA);
PUCHAR pnSSDTVA = (PUCHAR)(pServicesTable->ServiceTableBase);
//
//SSDT Hook
//
// Entry 0xBA (186) of the service table, with a 4-byte pointer stride — this is
// 32-bit layout. The index is hard-coded and tied to one OS build; it is
// assumed to be the NtReadVirtualMemory slot on the targeted build — TODO confirm.
PVOID* pReadVirtualMemory=(PVOID*)(pnSSDTVA+(0xBA*4));
// MSVC x86-only inline assembly: disable interrupts on this CPU and clear
// CR0.WP (bit 16, 0x10000) so the read-only service table page can be written.
// `__asm` is rejected by the 64-bit MSVC compiler, which is the error quoted at
// the top of the page. `cli` affects only the current processor.
__asm{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
// Save the original entry, then install the hook. NOTE(review): the (DWORD)
// cast truncates the function pointer on a 64-bit build.
g_pReadVirtualMemory=*pReadVirtualMemory;
*pReadVirtualMemory=(PVOID*)(DWORD)MyNtReadVirtualMemory;
// Restore CR0.WP and re-enable interrupts.
__asm{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
return STATUS_SUCCESS;
}