-
-
(驱动学习笔记)(过时的)恢复SSDTShadow
-
发表于: 2009-10-23 03:43
-
先说好.这是驱动学习笔记,我也知道这个很过时了.所以不要打击我.
今天够倒霉了.被人骂来骂去,我是一个新手,怎么可能去写个高级的代码
希望刚学驱动的朋友,能从中学到东西
驱动主程序
今天够倒霉了.被人骂来骂去,我是一个新手,怎么可能去写个高级的代码
希望刚学驱动的朋友,能从中学到东西
驱动主程序
586
.model flat, stdcall
option casemap:none
include d:\masm32\include\w2k\ntstatus.inc
include D:\masm32\include\w2k\ntddk.inc
include D:\masm32\include\w2k\ntoskrnl.inc
include D:\masm32\include\w2k\w2kundoc.inc
includelib D:\masm32\lib\w2k\ntoskrnl.lib
include D:\masm32\Macros\Strings.mac
include HookSSDT.asm
IOCTL_SSDT_HOOK EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 800h,METHOD_NEITHER,FILE_ANY_ACCESS)
IOCTL_SSDT_UNHOOK EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 801h,METHOD_NEITHER,FILE_ANY_ACCESS)
IOCTL_SSDT_SHADOW EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 802h,METHOD_NEITHER,FILE_ANY_ACCESS)
IOCTL_SSDT_BEIFEN EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 803h,METHOD_NEITHER,FILE_ANY_ACCESS);保存命令
.const
CCOUNTED_UNICODE_STRING "\\Device\\eGirlAsm",MyDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\eGirlAsm",MyLinkDevice,4
.data
NtUserBuildHwndList dd ? ;312
NtUserFindWindowEx dd ? ;378
NtUserGetDc dd ? ;401
NtUserGetDCEx dd ? ;402
NtUserGetForegroundWindow dd ? ;404
NtUserWindowFromPoint dd ? ;592
.code
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; 通讯派遣例程
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
IOControlRountiune Proc dev:PDEVICE_OBJECT,pirp:PIRP
mov esi,pirp
assume esi:ptr _IRP
mov [esi].IoStatus.Status, STATUS_UNSUCCESSFUL
and [esi].IoStatus.Information, 0
assume esi:nothing
IoGetCurrentIrpStackLocation esi
mov edi, eax
assume edi:ptr IO_STACK_LOCATION
mov eax,[edi].Parameters.DeviceIoControl.IoControlCode ;通讯编号送入局部变量
.IF eax == IOCTL_SSDT_HOOK
invoke SetSSDThook
.ELSEIF eax == IOCTL_SSDT_UNHOOK
invoke _ResumeSSDT
.ELSEIF eax == IOCTL_SSDT_SHADOW
;开始还原
invoke HuiFuSSDTShadowAddress,312,NtUserBuildHwndList
invoke HuiFuSSDTShadowAddress,378,NtUserFindWindowEx
invoke HuiFuSSDTShadowAddress,401,NtUserGetDc
invoke HuiFuSSDTShadowAddress,402,NtUserGetDCEx
invoke HuiFuSSDTShadowAddress,404,NtUserGetForegroundWindow
invoke HuiFuSSDTShadowAddress,592,NtUserWindowFromPoint
.ELSEIF EAX == IOCTL_SSDT_BEIFEN
;开始备份
invoke BeifenSSDTShadowAddress,312,addr NtUserBuildHwndList
invoke BeifenSSDTShadowAddress,378,addr NtUserFindWindowEx
invoke BeifenSSDTShadowAddress,401,addr NtUserGetDc
invoke BeifenSSDTShadowAddress,402,addr NtUserGetDCEx
invoke BeifenSSDTShadowAddress,404,addr NtUserGetForegroundWindow
invoke BeifenSSDTShadowAddress,592,addr NtUserWindowFromPoint
.ENDIF
assume edi:nothing
mov eax,pirp
assume eax:ptr _IRP
mov [eax].IoStatus.Status,STATUS_SUCCESS
mov [eax].IoStatus.Information,0
assume eax:nothing
fastcall IofCompleteRequest,pirp,IO_NO_INCREMENT
mov eax,STATUS_SUCCESS
ret
IOControlRountiune Endp
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; 默认派遣例程
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
DisPatchRountine Proc pDevObj:PDEVICE_OBJECT,pIrp:PIRP
INVOKE DbgPrint,$CTA0("IRP SUCCESS THIS IS DISPATCHRUONTINE")
mov eax,pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status,STATUS_SUCCESS
mov [eax].IoStatus.Information,0
assume eax:nothing
fastcall IofCompleteRequest,pIrp,IO_NO_INCREMENT
mov eax,STATUS_SUCCESS
ret
DisPatchRountine Endp
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; 卸载驱动例程
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
DriverUnload Proc pDriverObject:PDRIVER_OBJECT
invoke IoDeleteSymbolicLink, addr MyLinkDevice
mov eax, pDriverObject
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
invoke DbgPrint,$CTA0("Unload Driver OK")
ret
DriverUnload ENdp
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; 驱动入口函数
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PVOID
local MaxImumFuck:DWORD
mov status,STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice,pDriverObject,0,addr MyDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
.IF EAX == STATUS_SUCCESS
INVOKE DbgPrint,$CTA0("IoCreateDevice Ok")
invoke IoCreateSymbolicLink,addr MyLinkDevice,addr MyDeviceName
.IF EAX == STATUS_SUCCESS
INVOKE DbgPrint,$CTA0("IcoCreateSymbolicLick Ok")
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset DriverUnload
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offset DisPatchRountine
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offset DisPatchRountine
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)],offset IOControlRountiune
assume eax:nothing
mov status,eax
.ELSE
invoke IoDeleteDevice,pDeviceObject
.ENDIF
.ENDIF
mov eax,STATUS_SUCCESS
ret
DriverEntry endp
end DriverEntry
.DATA
OldAddress dd ?
NewAddress dd ?
.CODE
_MyHook Proc
; mov eax,dword ptr [esp + 04h]
; mov eax,[eax+04h]
; invoke DbgPrint,$CTA0("ImagePath = %ws"),eax
; jmp OldAddress
mov eax,STATUS_SUCCESS
ret
_MyHook Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 恢复SSDT
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ResumeSSDT Proc
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
mov eax,DWORD ptr [KeServiceDescriptorTable]
mov ecx,dword ptr [eax]
add ecx,0184h ;Get NtLoadDriver(base × 4)
mov dword ptr NewAddress,ecx ;
mov eax,OldAddress
mov dword ptr [ecx],eax
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
invoke DbgPrint,$CTA0("ResumeSSDT Ok")
ret
_ResumeSSDT Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; SSDTHOOK
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SetSSDThook Proc
mov eax,DWORD ptr [KeServiceDescriptorTable]
mov ecx,dword ptr [eax];System service DisPatch table
add ecx,0184h ;offset
mov dword ptr NewAddress,ecx ; 指向Nt函数的指针;保存一下
mov edx,dword ptr [ecx]
mov dword ptr OldAddress,edx ;这里就是原函数的地址了.保存一下恢复的时候用
push eax
mov eax,cr0
and eax,0FFFEFFFFh
mov cr0,eax
pop eax
mov edx,offset _MyHook
mov eax,NewAddress
mov DWORD ptr [eax],edx
push eax
mov eax,cr0
or eax,not 0FFFEFFFFh
mov cr0,eax
pop eax
invoke DbgPrint,$CTA0("SetSSDT Ok")
ret
SetSSDThook Endp
BeifenSSDTShadowAddress proc uses esi edi ebx _Index,_Address
mov eax,dword ptr [KeServiceDescriptorTable]
lea eax,[eax-40h] ;Get KeServiceDescriptorTable
mov eax,[eax+10h] ;Get KeServiceDescriptorTable + 0x10
mov ebx,[eax] ;Get KeServiceDescriptorTableShadow EntryPoint
push eax
mov eax,cr0
and eax,0FFFEFFFFh
mov cr0,eax
pop eax
mov esi,_Index
lea esi,[esi*4]
mov eax,[eax+esi]
mov ebx,_Address
mov [ebx],eax
push eax
mov eax,cr0
or eax,not 0FFFEFFFFh
mov cr0,eax
pop eax
invoke DbgPrint,$CTA0("Table Base %X"),_Address
ret
BeifenSSDTShadowAddress endp
HuiFuSSDTShadowAddress proc uses esi edi ebx _Index,_Address
mov eax,dword ptr [KeServiceDescriptorTable]
lea eax,[eax-40h] ;Get KeServiceDescriptorTable
mov eax,[eax+10h] ;Get KeServiceDescriptorTable + 0x10
mov ebx,[eax] ;Get KeServiceDescriptorTableShadow EntryPoint
push eax
mov eax,cr0
and eax,0FFFEFFFFh
mov cr0,eax
pop eax
mov esi,_Index
lea esi,[esi*4]
push eax
push esi
invoke DbgPrint,$CTA0("%X"),_Address
pop esi
pop eax
mov edx,_Address
mov DWORD ptr [eax+esi],edx
push eax
mov eax,cr0
or eax,not 0FFFEFFFFh
mov cr0,eax
pop eax
ret
HuiFuSSDTShadowAddress endp
;_Shutdown Proc
;; out al,64h
;; ret
;_Shutdown Endp
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
 感谢下!
|
|
|
|
