最近看了别人写的hook SSDT函数的例子,自己练习一下,写了hook ZwDeleteFile这个函数的代码,代码如下,icesword显示SSDT中的ZwDeleteFile函数已经被我的驱动HOOK,但是我删除文件的时候,为什么文件还会被我删除掉?
代码如下:
#include "ntddk.h"
#pragma pack(1)
// Mirror of the kernel's service descriptor table entry, matched to the
// exported KeServiceDescriptorTable declared below. Packed so no padding is
// inserted between fields. The entries are declared as 4-byte unsigned ints,
// so this layout only describes a 32-bit kernel's table.
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;        // array of service entry points, indexed by service number
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;         // number of entries in ServiceTableBase
unsigned char *ParamTableBase;         // not used by this driver
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
// Kernel export describing the system service table (SSDT).
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
// Looks up a service's current entry point. The index is the 32-bit value at
// byte offset 1 of the Zw* stub, i.e. this assumes the x86 stub layout that
// begins with "mov eax, <service index>"; on any other layout the index read
// here is garbage and the lookup is out of bounds.
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
// MDL over the service table and the writable mapping obtained from it; both
// are set up in DriverEntry and released in OnUnload.
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
// Same stub-offset read as SYSTEMSERVICE, yielding only the index.
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
// Atomically stores _Hook in the table slot for _Function (through the mapped
// view) and saves the previous entry in _Orig. The (LONG) casts truncate
// pointers to 32 bits, so this is x86-only.
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
_Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
// Writes _Hook into the slot and ignores _Orig. Note the parameter naming:
// OnUnload passes the saved original as the _Hook argument, which is what
// makes this restore the table rather than re-install the hook.
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
// Prototype of the kernel's ZwDeleteFile, so its address can be taken for the
// stub-offset macros above.
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteFile(IN POBJECT_ATTRIBUTES ObjectAttributes);
// Function-pointer type matching ZwDeleteFile's prototype. It carries no
// NTAPI qualifier, unlike the declaration above; this only works if the
// build's default calling convention is the same as NTAPI.
typedef NTSTATUS (*REALZWDELETEFILE)(IN POBJECT_ATTRIBUTES ObjectAttributes);
// Original service entry point, saved by HOOK_SYSCALL in DriverEntry.
REALZWDELETEFILE RealZwDeleteFile;
// Replacement installed in the ZwDeleteFile service slot. Intended to refuse
// deletion of HIDEFILE.EXE and forward every other request to the saved
// original; as written (see the notes below) it forwards nothing and never
// matches the protected name. Declared without NTAPI, unlike the ZwDeleteFile
// prototype above — only correct if the build's default convention matches.
NTSTATUS HookZwDeleteFile(IN POBJECT_ATTRIBUTES ObjectAttributes)
{
// NOTE(review): 1 is neither STATUS_SUCCESS (0) nor an error status, and it
// is returned to every caller, including the ones this hook means to block,
// where an error status such as STATUS_ACCESS_DENIED would be expected.
NTSTATUS rc=1;
ANSI_STRING ansiFileName,ansiDirName,HideDirFile;
UNICODE_STRING uniFileName;
// Name of the file to protect from deletion: HIDEFILE.EXE, in upper case so
// it can be compared with the upper-cased copy of the request path below.
RtlInitAnsiString(&HideDirFile,"HIDEFILE.EXE");
// NOTE(review): ObjectAttributes->ObjectName is a PUNICODE_STRING, not a
// PCWSTR. Casting it makes RtlInitUnicodeString scan the UNICODE_STRING
// structure itself as wide characters instead of using its Buffer, so
// uniFileName does not hold the requested path (it should be passed as
// ObjectAttributes->ObjectName directly). Neither ObjectAttributes nor
// ObjectName is checked for NULL before being dereferenced.
RtlInitUnicodeString(&uniFileName,(PCWSTR)ObjectAttributes->ObjectName);
// Two ANSI copies are allocated (AllocateDestinationString = TRUE). The
// NTSTATUS results are not checked, so a failed conversion leaves the strings
// uninitialized for the calls that follow.
RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
// Upper-cases ansiDirName into ansiFileName: ansiFileName ends up as the
// upper-cased path, ansiDirName keeps the original case.
RtlUpperString(&ansiFileName,&ansiDirName);
// Compares the first HideDirFile.Length bytes of the path with the protected
// name. NOTE(review): if ObjectName holds a full path, its leading bytes are
// the directory prefix rather than the file name, so this never matches; and
// when the path is shorter than HideDirFile.Length the compare reads past
// the end of ansiFileName.Buffer. A length-checked comparison against the
// final path component is what is needed here.
if(RtlCompareMemory(ansiFileName.Buffer,HideDirFile.Buffer,HideDirFile.Length ) == HideDirFile.Length)
{
// Protected file: the request is not forwarded.
}
else
{
// Call the real ZwDeleteFile.
// NOTE(review): the forward is commented out, so no caller ever reaches the
// original service — every delete that enters through this slot returns 1
// without deleting anything. A file that still disappears is therefore being
// deleted through a different path: the Win32 DeleteFile API performs
// deletion with NtSetInformationFile(FileDispositionInformation), which this
// slot never sees. File-protection logic belongs in a file system minifilter
// that handles IRP_MJ_SET_INFORMATION, not in an SSDT patch (which is also
// rejected on x64 kernels by kernel patch protection).
//rc = ((REALZWDELETEFILE)(RealZwDeleteFile))(ObjectAttributes);
}
RtlFreeAnsiString(&ansiDirName);
RtlFreeAnsiString(&ansiFileName);
return(rc);
}
// Driver unload: restores the original ZwDeleteFile entry and releases the
// MDL mapping created in DriverEntry. DriverObject is unused.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
// Writes RealZwDeleteFile back into the table (it is passed as the macro's
// _Hook argument, which is the value UNHOOK_SYSCALL actually stores).
// NOTE(review): nothing here waits for threads currently inside
// HookZwDeleteFile to return before the driver image goes away.
UNHOOK_SYSCALL( ZwDeleteFile, RealZwDeleteFile, HookZwDeleteFile );
// Unlock and Free MDL
if(g_pmdlSystemCall)
{
// NOTE(review): MappedSystemCallTable is not checked here, and DriverEntry
// does not verify that MmMapLockedPages succeeded.
MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
IoFreeMdl(g_pmdlSystemCall);
}
}
// Driver entry: maps the SSDT through an MDL and swaps the ZwDeleteFile entry
// for HookZwDeleteFile. Returns STATUS_UNSUCCESSFUL when the MDL cannot be
// created, STATUS_SUCCESS otherwise. theRegistryPath is unused.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,IN PUNICODE_STRING theRegistryPath)
{
theDriverObject->DriverUnload = OnUnload;
// Save the address of the real ZwDeleteFile, read from the table before it
// is overwritten below.
RealZwDeleteFile=(REALZWDELETEFILE)(SYSTEMSERVICE(ZwDeleteFile));
// MDL covering the whole service table; the *4 assumes 4-byte entries
// (32-bit kernel), consistent with the struct declared above.
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
// Change the flags of the MDL
// Presumably set so that MmMapLockedPages hands back a writable kernel view
// of the otherwise write-protected table — TODO confirm; this flag is
// normally managed by the memory manager, not by drivers.
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
// NOTE(review): the result is not checked; if this yields NULL, HOOK_SYSCALL
// below writes through a NULL-based pointer.
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
// hook system calls
// Also stores the previous entry into RealZwDeleteFile, i.e. the same pointer
// already read above.
HOOK_SYSCALL( ZwDeleteFile, HookZwDeleteFile, RealZwDeleteFile );
return STATUS_SUCCESS;
}