首页
社区
课程
招聘
(驱动学习笔记)(过时的)恢复SSDTShadow
发表于: 2009-10-23 03:43 5644

(驱动学习笔记)(过时的)恢复SSDTShadow

2009-10-23 03:43
5644
先说好.这是驱动学习笔记,我也知道这个很过时了.所以不要打击我.

今天够倒霉了.被人骂来骂去,我是一个新手,怎么可能去写个高级的代码

希望刚学驱动的朋友,能从中学到东西

驱动主程序
586
.model flat, stdcall
option casemap:none

include d:\masm32\include\w2k\ntstatus.inc
include D:\masm32\include\w2k\ntddk.inc
include D:\masm32\include\w2k\ntoskrnl.inc
include D:\masm32\include\w2k\w2kundoc.inc
includelib D:\masm32\lib\w2k\ntoskrnl.lib
include D:\masm32\Macros\Strings.mac
include HookSSDT.asm

IOCTL_SSDT_HOOK EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 800h,METHOD_NEITHER,FILE_ANY_ACCESS)
IOCTL_SSDT_UNHOOK EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 801h,METHOD_NEITHER,FILE_ANY_ACCESS)
IOCTL_SSDT_SHADOW EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 802h,METHOD_NEITHER,FILE_ANY_ACCESS)
IOCTL_SSDT_BEIFEN EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 803h,METHOD_NEITHER,FILE_ANY_ACCESS);保存命令
.const
CCOUNTED_UNICODE_STRING "\\Device\\eGirlAsm",MyDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\eGirlAsm",MyLinkDevice,4
.data
NtUserBuildHwndList dd ? ;312
NtUserFindWindowEx dd ? ;378
NtUserGetDc dd ? ;401
NtUserGetDCEx dd ? ;402
NtUserGetForegroundWindow dd ? ;404
NtUserWindowFromPoint dd ? ;592


.code
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; 通讯派遣例程
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
IOControlRountiune Proc dev:PDEVICE_OBJECT,pirp:PIRP

mov esi,pirp
assume esi:ptr _IRP
mov [esi].IoStatus.Status, STATUS_UNSUCCESSFUL
and [esi].IoStatus.Information, 0
assume esi:nothing

IoGetCurrentIrpStackLocation esi
mov edi, eax
assume edi:ptr IO_STACK_LOCATION
mov eax,[edi].Parameters.DeviceIoControl.IoControlCode ;通讯编号送入局部变量

.IF eax == IOCTL_SSDT_HOOK
invoke SetSSDThook
.ELSEIF eax == IOCTL_SSDT_UNHOOK
invoke _ResumeSSDT
.ELSEIF eax == IOCTL_SSDT_SHADOW
;开始还原
invoke HuiFuSSDTShadowAddress,312,NtUserBuildHwndList
invoke HuiFuSSDTShadowAddress,378,NtUserFindWindowEx
invoke HuiFuSSDTShadowAddress,401,NtUserGetDc
invoke HuiFuSSDTShadowAddress,402,NtUserGetDCEx
invoke HuiFuSSDTShadowAddress,404,NtUserGetForegroundWindow
invoke HuiFuSSDTShadowAddress,592,NtUserWindowFromPoint

.ELSEIF EAX == IOCTL_SSDT_BEIFEN
;开始备份
invoke BeifenSSDTShadowAddress,312,addr NtUserBuildHwndList
invoke BeifenSSDTShadowAddress,378,addr NtUserFindWindowEx
invoke BeifenSSDTShadowAddress,401,addr NtUserGetDc
invoke BeifenSSDTShadowAddress,402,addr NtUserGetDCEx
invoke BeifenSSDTShadowAddress,404,addr NtUserGetForegroundWindow
invoke BeifenSSDTShadowAddress,592,addr NtUserWindowFromPoint
.ENDIF
assume edi:nothing

mov eax,pirp
assume eax:ptr _IRP
mov [eax].IoStatus.Status,STATUS_SUCCESS
mov [eax].IoStatus.Information,0
assume eax:nothing
fastcall IofCompleteRequest,pirp,IO_NO_INCREMENT

mov eax,STATUS_SUCCESS
ret
IOControlRountiune Endp
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; 默认派遣例程
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
DisPatchRountine Proc pDevObj:PDEVICE_OBJECT,pIrp:PIRP
INVOKE DbgPrint,$CTA0("IRP SUCCESS THIS IS DISPATCHRUONTINE")
mov eax,pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status,STATUS_SUCCESS
mov [eax].IoStatus.Information,0
assume eax:nothing
fastcall IofCompleteRequest,pIrp,IO_NO_INCREMENT
mov eax,STATUS_SUCCESS
ret
DisPatchRountine Endp
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; 卸载驱动例程
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
DriverUnload Proc pDriverObject:PDRIVER_OBJECT
invoke IoDeleteSymbolicLink, addr MyLinkDevice
mov eax, pDriverObject
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
invoke DbgPrint,$CTA0("Unload Driver OK")
ret
DriverUnload ENdp
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; 驱动入口函数
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PVOID
local MaxImumFuck:DWORD
mov status,STATUS_DEVICE_CONFIGURATION_ERROR

invoke IoCreateDevice,pDriverObject,0,addr MyDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject

.IF EAX == STATUS_SUCCESS
INVOKE DbgPrint,$CTA0("IoCreateDevice Ok")
invoke IoCreateSymbolicLink,addr MyLinkDevice,addr MyDeviceName
.IF EAX == STATUS_SUCCESS
INVOKE DbgPrint,$CTA0("IcoCreateSymbolicLick Ok")

mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset DriverUnload
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offset DisPatchRountine
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offset DisPatchRountine
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)],offset IOControlRountiune
assume eax:nothing
mov status,eax
.ELSE
invoke IoDeleteDevice,pDeviceObject
.ENDIF
.ENDIF
mov eax,STATUS_SUCCESS
ret

DriverEntry endp

end DriverEntry


.DATA
OldAddress dd ?
NewAddress dd ?
.CODE
_MyHook Proc
; mov eax,dword ptr [esp + 04h]
; mov eax,[eax+04h]
; invoke DbgPrint,$CTA0("ImagePath = %ws"),eax
; jmp OldAddress
mov eax,STATUS_SUCCESS
ret
_MyHook Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 恢复SSDT
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ResumeSSDT Proc
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax

mov eax,DWORD ptr [KeServiceDescriptorTable]
mov ecx,dword ptr [eax]
add ecx,0184h ;Get NtLoadDriver(base × 4)
mov dword ptr NewAddress,ecx ;
mov eax,OldAddress
mov dword ptr [ecx],eax


mov eax,cr0
or eax,10000h
mov cr0,eax
sti

invoke DbgPrint,$CTA0("ResumeSSDT Ok")
ret
_ResumeSSDT Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; SSDTHOOK
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SetSSDThook Proc
mov eax,DWORD ptr [KeServiceDescriptorTable]
mov ecx,dword ptr [eax];System service DisPatch table
add ecx,0184h ;offset
mov dword ptr NewAddress,ecx ; 指向Nt函数的指针;保存一下
mov edx,dword ptr [ecx]
mov dword ptr OldAddress,edx ;这里就是原函数的地址了.保存一下恢复的时候用

push eax
mov eax,cr0
and eax,0FFFEFFFFh
mov cr0,eax
pop eax

mov edx,offset _MyHook
mov eax,NewAddress
mov DWORD ptr [eax],edx

push eax
mov eax,cr0
or eax,not 0FFFEFFFFh
mov cr0,eax
pop eax

invoke DbgPrint,$CTA0("SetSSDT Ok")
ret

SetSSDThook Endp

BeifenSSDTShadowAddress proc uses esi edi ebx _Index,_Address

mov eax,dword ptr [KeServiceDescriptorTable]
lea eax,[eax-40h] ;Get KeServiceDescriptorTable
mov eax,[eax+10h] ;Get KeServiceDescriptorTable + 0x10
mov ebx,[eax] ;Get KeServiceDescriptorTableShadow EntryPoint

push eax
mov eax,cr0
and eax,0FFFEFFFFh
mov cr0,eax
pop eax

mov esi,_Index
lea esi,[esi*4]
mov eax,[eax+esi]
mov ebx,_Address
mov [ebx],eax

push eax
mov eax,cr0
or eax,not 0FFFEFFFFh
mov cr0,eax
pop eax
invoke DbgPrint,$CTA0("Table Base %X"),_Address
ret

BeifenSSDTShadowAddress endp

HuiFuSSDTShadowAddress proc uses esi edi ebx _Index,_Address

mov eax,dword ptr [KeServiceDescriptorTable]
lea eax,[eax-40h] ;Get KeServiceDescriptorTable
mov eax,[eax+10h] ;Get KeServiceDescriptorTable + 0x10
mov ebx,[eax] ;Get KeServiceDescriptorTableShadow EntryPoint

push eax
mov eax,cr0
and eax,0FFFEFFFFh
mov cr0,eax
pop eax

mov esi,_Index
lea esi,[esi*4]

push eax
push esi
invoke DbgPrint,$CTA0("%X"),_Address
pop esi
pop eax
mov edx,_Address
mov DWORD ptr [eax+esi],edx

push eax
mov eax,cr0
or eax,not 0FFFEFFFFh
mov cr0,eax
pop eax

ret

HuiFuSSDTShadowAddress endp

;_Shutdown Proc
;; out al,64h
;; ret
;_Shutdown Endp

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 0
支持
分享
最新回复 (3)
雪    币: 170
活跃值: (90)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
2
DM上是你吧
2009-10-23 20:43
0
雪    币: 267
活跃值: (24)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
3
感谢下!
2009-10-24 23:56
0
雪    币: 71
活跃值: (10)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
4
以后用vc来写吧。越来越感觉MASM来写东西 逻辑上太难掌握了 很容易就出错 写写自定位或短小精悍的代码还不错
2009-10-26 15:07
0
游客
登录 | 注册 方可回帖
返回
//