.386
.model flat, stdcall
option casemap:none
;**************************************************************************************************
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib ntoskrnl.lib
include Strings.mac
;**************************************************************************************************
.data?
dwOldSetInformationFile dd ?
dwAddr dd ?
dwFileName ANSI_STRING <?>
.const
CCOUNTED_UNICODE_STRING "\\Device\\Asm", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\AsmFile", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "ZwSetInformationFile", g_ApiAddr, 4 ;wSetInformationFile
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;这个新函数打印出当前操作的文件名,但是却是乱码,不知道为啥
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
NewSetInformationFile proc hfile:HANDLE,iosb:IO_STATUS_BLOCK,psi:FILE_NAME_INFORMATION,FileInformationLength,FileInformationClass
pushad
invoke RtlUnicodeStringToAnsiString, addr dwFileName,addr psi.FileName,TRUE
invoke DbgPrint, $CTA0("\nFileName: %s\n"),addr dwFileName.Buffer ;打印出来的文件名是乱码
popad
ret
NewSetInformationFile endp
;**************************************************************************************************
_SetSSDT proc
pushad
mov eax, KeServiceDescriptorTable ;导出符号获得数组的基地址
mov esi, [eax]
mov esi, [esi]
invoke MmGetSystemRoutineAddress,addr g_ApiAddr ;取ZwSetInformationFile地址
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2 ;取ZwSetInformationFile服务ID号
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
mov dwOldSetInformationFile,edi
mov edi,offset NewSetInformationFile ;获得新函数地址
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS
ret
_SetSSDT endp
;**************************************************************************************************
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
mov eax, pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
and [eax].IoStatus.Information, 0
assume eax:nothing
invoke IoCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
;**************************************************************************************************
;此分派过程在ControlService调用时调用
;**************************************************************************************************
DriverUnload proc pDriverObject:PDRIVER_OBJECT
pushad
mov esi,dwAddr
mov eax,dwOldSetInformationFile ;正常的ZwSetInformationFile函数地址保存到eax。
cli
mov dword ptr[esi],eax ;恢复SSDT
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
ret
DriverUnload endp
;**************************************************************************************************
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset DriverUnload ;分派过程,ring3下调用ControlService时此过程被调用,恢复SSDT
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offset DispatchCreateClose
assume eax:nothing
invoke _SetSSDT
mov status, STATUS_SUCCESS
.else
invoke IoDeleteDevice, pDeviceObject
.endif
.endif
mov eax, status
ret
DriverEntry endp
end DriverEntry
调式了好多遍的,但是psi.FileName老显示不出正确的文件名来
[课程]Android-CTF解题方法汇总!