.386
.model flat, stdcall
option casemap:none
;**************************************************************************************************
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib c:\radasm\masm32\lib\w2k\ntoskrnl.lib
includelib d:\ntoskrnl.lib
include c:\radasm\masm32\Macros\Strings.mac
;**************************************************************************************************
m2m MACRO M1, M2
push M2
pop M1
ENDM
.data
;保存地址
dwoldIoCreateSymbolicLink dd ?
rfnaddr dd ?
buffer db 256 dup(?)
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHookApi2", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHookApi2", g_usSymbolicLinkName, 4
; 要还原的函数
; NtOpenProcess
; NtProtectVirtualMemory
; NtReadVirtualMemory
; NtWriteVirtualMemory
; NtUserSendInput
; KeStackAttachProcess
.code
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
mov eax, pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
and [eax].IoStatus.Information, 0
assume eax:nothing
invoke IoCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
;**************************************************************************************************
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;必须保存环境,否则后果很严重。在这个函数中恢复被修改的地址。
pushad
invoke DbgPrint, $CTA0("驱动被卸载")
mov ecx,dwoldIoCreateSymbolicLink
cli
mov byte ptr[ecx],08bh
inc ecx
mov byte ptr[ecx],0ffh
inc ecx
mov byte ptr[ecx],055h
inc ecx
mov byte ptr[ecx],08bh
inc ecx
mov byte ptr[ecx],0ech
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
ret
DriverUnload endp
printhex proc dataaddr:dword,datalen:dword
pushad
mov ecx,datalen
lea edx,buffer
mov eax,dataaddr
myloop:
xor ebx,ebx
mov bl,byte ptr[eax]
shr ebx,4
.if ebx<0ah
add ebx,30h
.else
add ebx,37h
.endif
mov byte ptr[edx],bl
inc edx
mov bl,byte ptr[eax]
shl ebx,01ch
shr ebx,01ch
.if ebx<0ah
add ebx,30h
.else
add ebx,37h
.endif
mov byte ptr[edx],bl
inc edx
mov byte ptr[edx],20h
inc edx
inc eax
loop myloop
invoke DbgPrint,addr buffer
popad
ret
printhex endp
pathsysfunction proc pathaddr:dword,pathdata:dword
;修改地址。改为jmp我的函数newIoCreateSymbolicLink
pushad
mov eax,pathaddr
mov ecx,pathdata
cli
mov byte ptr[eax],0e9h ;写入长跳转指令
inc eax
sub ecx,eax ;计算跳转长度
sub ecx,4 ;减去指令长度
mov dword ptr[eax],ecx ;写入地址
sti
popad
ret
pathsysfunction endp
newIoCreateSymbolicLink proc
int 3
mov eax,[esp+4]
add eax,4
mov eax,[eax]
invoke printhex,eax,50
;打印第一个参数的数据
mov eax,[esp]
mov rfnaddr,eax
mov [esp],$+22
mov edi,edi
push ebp
mov ebp,esp
mov eax,dwoldIoCreateSymbolicLink
add eax,5
jmp eax
mov eax,rfnaddr
mov [esp],eax
ret
newIoCreateSymbolicLink endp
;**************************************************************************************************
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
assume eax:nothing
invoke DbgPrint, $CTA0("加载驱动")
;取IoCreateSymbolicLink的地址
mov eax, IoCreateSymbolicLink
add eax,2
mov eax,[eax]
mov eax,[eax]
mov dwoldIoCreateSymbolicLink,eax
invoke printhex,dwoldIoCreateSymbolicLink,16
;打印hook前的代码
invoke pathsysfunction,eax,offset newIoCreateSymbolicLink
invoke printhex,dwoldIoCreateSymbolicLink,16
;打印hook后的代码
mov status, STATUS_SUCCESS
.else
invoke IoDeleteDevice, pDeviceObject
.endif
.endif
mov eax, status
ret
DriverEntry endp
end DriverEntry
[课程]FART 脱壳王!加量不加价!FART作者讲授!
