(驱动学习笔记)(过时的)恢复SSDTShadow
发表于: 2009-10-23 03:43 5534

先说好：这是驱动学习笔记，我也知道这个很过时了，所以不要打击我。

今天够倒霉了，被人骂来骂去。我是一个新手，怎么可能去写高级的代码。

希望刚学驱动的朋友,能从中学到东西

驱动主程序
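; Target / syntax declaration for the whole driver (MASM, Intel syntax,
; 32-bit kernel build). The processor directive needs its leading dot;
; a bare "586" does not assemble.
.586
.model flat, stdcall                    ; all PROCs below are stdcall: ebx/esi/edi/ebp are callee-saved
option casemap:none                     ; symbol names are case-sensitive (imports must match exactly)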

include d:\masm32\include\w2k\ntstatus.inc
include D:\masm32\include\w2k\ntddk.inc
include D:\masm32\include\w2k\ntoskrnl.inc
include D:\masm32\include\w2k\w2kundoc.inc
includelib D:\masm32\lib\w2k\ntoskrnl.lib
include D:\masm32\Macros\Strings.mac
include HookSSDT.asm

; Device-control codes handled by IOControlRountiune. All four are
; METHOD_NEITHER and no input/output buffer is ever read or written.
; FILE_ANY_ACCESS means an opened handle needs no particular access
; right; the only gate is the device object's security descriptor, and
; DriverEntry creates the device without one.
IOCTL_SSDT_HOOK EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 800h,METHOD_NEITHER,FILE_ANY_ACCESS)    ; install SetSSDThook's patch
IOCTL_SSDT_UNHOOK EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 801h,METHOD_NEITHER,FILE_ANY_ACCESS)  ; write the saved entry back (_ResumeSSDT)
IOCTL_SSDT_SHADOW EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 802h,METHOD_NEITHER,FILE_ANY_ACCESS)  ; restore the six saved win32k entries
IOCTL_SSDT_BEIFEN EQU CTL_CODE(FILE_DEVICE_UNKNOWN, 803h,METHOD_NEITHER,FILE_ANY_ACCESS); backup command: save the six win32k entries
.const
; Device name and the global symbolic link (counted UNICODE_STRINGs built by the macro).
CCOUNTED_UNICODE_STRING "\\Device\\eGirlAsm",MyDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\eGirlAsm",MyLinkDevice,4
.data
; Backup slots for the win32k (shadow) service table. Each receives the
; dispatch address that BeifenSSDTShadowAddress reads for the index noted
; in the comment, and HuiFuSSDTShadowAddress writes the same value back.
; They are presumably zero until a backup runs, so a restore issued first
; would write 0 into the table - the dispatcher has to guard against that.
NtUserBuildHwndList dd ? ;312
NtUserFindWindowEx dd ? ;378
NtUserGetDc dd ? ;401
NtUserGetDCEx dd ? ;402
NtUserGetForegroundWindow dd ? ;404
NtUserWindowFromPoint dd ? ;592


.code
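;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; IRP_MJ_DEVICE_CONTROL dispatch routine
;
; NTSTATUS IOControlRountiune(PDEVICE_OBJECT dev, PIRP pirp)
; In:    dev  = our device object (unused)
;        pirp = the request; only IoControlCode is read, no buffers
; Out:   eax = NTSTATUS, also stored in pirp->IoStatus.Status
;        pirp->IoStatus.Information = 0 (nothing is returned to user mode)
; Notes: esi/edi are callee-saved under stdcall, so they are listed in USES
;        (the original version clobbered them in the I/O manager's frame).
;        Unknown control codes now complete with STATUS_INVALID_DEVICE_REQUEST
;        instead of STATUS_SUCCESS, and the hook/unhook/restore branches
;        refuse to run when the saved-address state does not match, so a
;        null or hook address is never written into a dispatch table.
;        The device carries no security descriptor (see DriverEntry), so
;        every local user that can open \??\eGirlAsm reaches these branches.
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
IOControlRountiune Proc uses esi edi dev:PDEVICE_OBJECT,pirp:PIRP
local status:NTSTATUS

mov status,STATUS_SUCCESS

mov esi,pirp
assume esi:ptr _IRP
mov [esi].IoStatus.Status, STATUS_UNSUCCESSFUL   ; pessimistic default until completion below
and [esi].IoStatus.Information, 0
assume esi:nothing

IoGetCurrentIrpStackLocation esi
mov edi, eax
assume edi:ptr IO_STACK_LOCATION
mov eax,[edi].Parameters.DeviceIoControl.IoControlCode   ; eax = requested control code
assume edi:nothing

.IF eax == IOCTL_SSDT_HOOK
    ; A second install would overwrite OldAddress with the hook itself and the
    ; original entry could never be restored; reject it.
    .IF OldAddress != 0
        mov status,STATUS_INVALID_DEVICE_STATE
    .ELSE
        invoke SetSSDThook
    .ENDIF
.ELSEIF eax == IOCTL_SSDT_UNHOOK
    ; Nothing has been saved until SetSSDThook ran; OldAddress == 0 would be
    ; written into the table as a null dispatch pointer.
    .IF OldAddress == 0
        mov status,STATUS_INVALID_DEVICE_STATE
    .ELSE
        invoke _ResumeSSDT
    .ENDIF
.ELSEIF eax == IOCTL_SSDT_SHADOW
    ; Restore the six saved win32k entries only when every slot holds a backup
    ; (they are presumably zero until IOCTL_SSDT_BEIFEN has run).
    .IF NtUserBuildHwndList == 0 || NtUserFindWindowEx == 0 || NtUserGetDc == 0 || \
        NtUserGetDCEx == 0 || NtUserGetForegroundWindow == 0 || NtUserWindowFromPoint == 0
        mov status,STATUS_INVALID_DEVICE_STATE
    .ELSE
        invoke HuiFuSSDTShadowAddress,312,NtUserBuildHwndList
        invoke HuiFuSSDTShadowAddress,378,NtUserFindWindowEx
        invoke HuiFuSSDTShadowAddress,401,NtUserGetDc
        invoke HuiFuSSDTShadowAddress,402,NtUserGetDCEx
        invoke HuiFuSSDTShadowAddress,404,NtUserGetForegroundWindow
        invoke HuiFuSSDTShadowAddress,592,NtUserWindowFromPoint
    .ENDIF
.ELSEIF eax == IOCTL_SSDT_BEIFEN
    ; Save the current win32k entries into the .data slots.
    invoke BeifenSSDTShadowAddress,312,addr NtUserBuildHwndList
    invoke BeifenSSDTShadowAddress,378,addr NtUserFindWindowEx
    invoke BeifenSSDTShadowAddress,401,addr NtUserGetDc
    invoke BeifenSSDTShadowAddress,402,addr NtUserGetDCEx
    invoke BeifenSSDTShadowAddress,404,addr NtUserGetForegroundWindow
    invoke BeifenSSDTShadowAddress,592,addr NtUserWindowFromPoint
.ELSE
    ; Not one of ours: report it instead of claiming success.
    mov status,STATUS_INVALID_DEVICE_REQUEST
.ENDIF

; Complete the IRP with the status decided above and return the same value.
mov ecx,status
mov eax,pirp
assume eax:ptr _IRP
mov [eax].IoStatus.Status,ecx
and [eax].IoStatus.Information,0
assume eax:nothing
fastcall IofCompleteRequest,pirp,IO_NO_INCREMENT

mov eax,status
ret
IOControlRountiune Endp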
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; Default dispatch routine (installed for IRP_MJ_CREATE and IRP_MJ_CLOSE)
;
; NTSTATUS DisPatchRountine(PDEVICE_OBJECT pDevObj, PIRP pIrp)
; Emits a debug trace, then completes pIrp with STATUS_SUCCESS and
; Information = 0. No request data is examined.
; Out: eax = STATUS_SUCCESS
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
DisPatchRountine Proc pDevObj:PDEVICE_OBJECT,pIrp:PIRP
INVOKE DbgPrint,$CTA0("IRP SUCCESS THIS IS DISPATCHRUONTINE")

; Fill in the completion block through ecx (caller-saved, free to use here).
mov ecx,pIrp
assume ecx:ptr _IRP
and [ecx].IoStatus.Information,0        ; no bytes transferred
mov [ecx].IoStatus.Status,STATUS_SUCCESS
assume ecx:nothing

fastcall IofCompleteRequest,pIrp,IO_NO_INCREMENT
mov eax,STATUS_SUCCESS
ret
DisPatchRountine Endp
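;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; Driver unload routine
;
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Removes the symbolic link and the device object. If SetSSDThook's patch
; is still installed (OldAddress != 0), the original entry is written back
; first; the original version skipped this, leaving a dispatch-table entry
; pointing into an image that is about to be unmapped.
; Note: _ResumeSSDT does not clear OldAddress and the six win32k backup
; slots are not touched here; a restore of those remains the caller's job.
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
DriverUnload Proc pDriverObject:PDRIVER_OBJECT
.IF OldAddress != 0
    invoke _ResumeSSDT                  ; put the saved entry back before our code disappears
.ENDIF
invoke IoDeleteSymbolicLink, addr MyLinkDevice
mov eax, pDriverObject
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
invoke DbgPrint,$CTA0("Unload Driver OK")
ret
DriverUnload Endp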
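;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; Driver entry point
;
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Creates \Device\eGirlAsm, links it as \??\eGirlAsm and installs the
; dispatch routines. pusRegistryPath is unused.
; Out: eax = status of the step that failed, or STATUS_SUCCESS.
; Fixes relative to the original: the return value used to be
; STATUS_SUCCESS unconditionally (even with no device and no unload
; routine registered, which left the driver stuck in memory), the status
; local once received pDriverObject instead of a status, and an unused
; local was dropped.
; Security note: IoCreateDevice is called without a security descriptor
; and the link lives in the global \?? namespace, so any local user can
; open the device and issue the kernel-table IOCTLs. A driver with this
; capability should create the device with IoCreateDeviceSecure and an
; SDDL string that limits access to administrators/SYSTEM, and set
; FILE_DEVICE_SECURE_OPEN.
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PVOID

invoke IoCreateDevice,pDriverObject,0,addr MyDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
mov status,eax                          ; remember the failure code if any

.IF eax == STATUS_SUCCESS
    INVOKE DbgPrint,$CTA0("IoCreateDevice Ok")
    invoke IoCreateSymbolicLink,addr MyLinkDevice,addr MyDeviceName
    mov status,eax
    .IF eax == STATUS_SUCCESS
        INVOKE DbgPrint,$CTA0("IcoCreateSymbolicLick Ok")

        ; Register unload and the three dispatch entry points we serve.
        mov eax,pDriverObject
        assume eax:ptr DRIVER_OBJECT
        mov [eax].DriverUnload,offset DriverUnload
        mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offset DisPatchRountine
        mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offset DisPatchRountine
        mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)],offset IOControlRountiune
        assume eax:nothing
    .ELSE
        ; Link creation failed: undo the device so the failure return is clean.
        invoke IoDeleteDevice,pDeviceObject
    .ENDIF
.ENDIF

mov eax,status
ret

DriverEntry endp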

end DriverEntry


.DATA
; Original dispatch address saved by SetSSDThook; 0 until then. _ResumeSSDT
; writes it back but never clears it, so callers cannot tell from this value
; alone whether the patch is currently installed.
OldAddress dd ?
; Address of the table slot that SetSSDThook patched (also recomputed and
; stored again by _ResumeSSDT).
NewAddress dd ?
.CODE
; Replacement routine that SetSSDThook installs in the patched slot.
; It returns STATUS_SUCCESS without ever transferring to OldAddress, so the
; replaced service becomes a no-op that reports success to its caller.
; The commented-out lines are a disabled debug trace that read the first
; stack argument and dereferenced it at +4 for a %ws DbgPrint; that pointer
; is never probed or validated, so re-enabling the trace as written would
; dereference caller-supplied data unchecked.
; NOTE(review): plain "ret" pops no arguments; whether the dispatcher relies
; on the replaced (stdcall) service cleaning its own arguments cannot be
; determined from this file - confirm before depending on this stub.
_MyHook Proc
; mov eax,dword ptr [esp + 04h]
; mov eax,[eax+04h]
; invoke DbgPrint,$CTA0("ImagePath = %ws"),eax
; jmp OldAddress
mov eax,STATUS_SUCCESS                  ; report success, original service not called
ret
_MyHook Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _ResumeSSDT - write the saved original entry (OldAddress) back into the
; table slot that SetSSDThook patched.
;
; In:    OldAddress (global)
; Out:   NewAddress (global) = slot address, recomputed here
; Clobb: eax, ecx, flags, plus whatever DbgPrint clobbers
; Notes: OldAddress is not checked; if SetSSDThook never ran it is 0 and a
;        null dispatch pointer is stored. The 0184h offset is a hard-coded
;        slot for one OS build (the author labels it NtLoadDriver) - confirm
;        per build. OldAddress is not cleared afterwards.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ResumeSSDT Proc
cli                                     ; no preemption on this CPU while CR0.WP is clear
mov eax,cr0
and eax,not 10000h                      ; clear CR0.WP so the table page can be written
mov cr0,eax

mov eax,DWORD ptr [KeServiceDescriptorTable]   ; presumably the descriptor's address via the import thunk - confirm against ntoskrnl.inc
mov ecx,dword ptr [eax]                 ; ecx = service table base (first field of the descriptor)
add ecx,0184h ;Get NtLoadDriver(base × 4)       ; same hard-coded slot as SetSSDThook
mov dword ptr NewAddress,ecx ;          ; redundant: SetSSDThook already stored this value
mov eax,OldAddress
mov dword ptr [ecx],eax                 ; restore the original dispatch address (unchecked for 0)


mov eax,cr0
or eax,10000h                           ; set CR0.WP again
mov cr0,eax
sti

invoke DbgPrint,$CTA0("ResumeSSDT Ok")
ret
_ResumeSSDT Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; SetSSDThook - save the dispatch address at the hard-coded slot 0184h
; into OldAddress and replace it with _MyHook.
;
; Out:   OldAddress = previous slot content, NewAddress = slot address
; Clobb: eax, ecx, edx, flags, plus whatever DbgPrint clobbers
; Notes: Nothing prevents a second call, which would overwrite OldAddress
;        with the address of _MyHook and make the original unrecoverable.
;        Unlike _ResumeSSDT, the CR0.WP toggle here is not bracketed by
;        cli/sti. The slot offset is specific to one OS build - confirm.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SetSSDThook Proc
mov eax,DWORD ptr [KeServiceDescriptorTable]   ; presumably the descriptor's address via the import thunk - confirm against ntoskrnl.inc
mov ecx,dword ptr [eax];System service DisPatch table   ; ecx = service table base
add ecx,0184h ;offset                   ; hard-coded slot (author: NtLoadDriver)
mov dword ptr NewAddress,ecx ; pointer to the Nt function's slot; saved for later
mov edx,dword ptr [ecx]
mov dword ptr OldAddress,edx ; original function address; saved for the restore

push eax                                ; eax is reloaded from NewAddress below, so this save is redundant
mov eax,cr0
and eax,0FFFEFFFFh                      ; clear CR0.WP
mov cr0,eax
pop eax

mov edx,offset _MyHook
mov eax,NewAddress
mov DWORD ptr [eax],edx                 ; slot now dispatches to _MyHook

push eax
mov eax,cr0
or eax,not 0FFFEFFFFh                   ; = or 10000h: set CR0.WP again
mov cr0,eax
pop eax

invoke DbgPrint,$CTA0("SetSSDT Ok")
ret

SetSSDThook Endp

;-----------------------------------------------------------------------
; BeifenSSDTShadowAddress - read one win32k (shadow) service table entry
; and store it at *_Address.
;
; In:    _Index   = table index (not range-checked against the table limit,
;                   so an out-of-range value reads beyond the table)
;        _Address = pointer to the DWORD slot that receives the entry
; Out:   *_Address = current dispatch address for _Index
; Clobb: eax, flags (esi/ebx restored by USES; edi is listed but unused)
; Notes: This is a read, so the CR0.WP toggle is unnecessary here.
;        The table lookup assumes a fixed layout relative to the exported
;        descriptor (shadow table 40h bytes below it) - valid for one OS
;        build at most; confirm per build.
;-----------------------------------------------------------------------
BeifenSSDTShadowAddress proc uses esi edi ebx _Index,_Address

mov eax,dword ptr [KeServiceDescriptorTable]   ; presumably the descriptor's address via the import thunk - confirm
lea eax,[eax-40h] ;Get KeServiceDescriptorTable         ; NOTE(review): comment is misleading - this is presumably the non-exported shadow descriptor, 40h below
mov eax,[eax+10h] ;Get KeServiceDescriptorTable + 0x10  ; service table base of the second (win32k) descriptor
mov ebx,[eax] ;Get KeServiceDescriptorTableShadow EntryPoint   ; dead load: ebx is overwritten below before any use

push eax
mov eax,cr0
and eax,0FFFEFFFFh                      ; clear CR0.WP (not needed for a read)
mov cr0,eax
pop eax

mov esi,_Index
lea esi,[esi*4]                         ; byte offset of the DWORD entry
mov eax,[eax+esi]                       ; eax = table[_Index]
mov ebx,_Address
mov [ebx],eax                           ; *_Address = eax

push eax
mov eax,cr0
or eax,not 0FFFEFFFFh                   ; set CR0.WP again
mov cr0,eax
pop eax
invoke DbgPrint,$CTA0("Table Base %X"),_Address   ; prints the slot pointer, not the table base
ret

BeifenSSDTShadowAddress endp

;-----------------------------------------------------------------------
; HuiFuSSDTShadowAddress - write one win32k (shadow) service table entry.
;
; In:    _Index   = table index (not range-checked against the table limit)
;        _Address = value stored into the entry, taken as-is; a 0 (no
;                   backup taken yet) becomes a null dispatch pointer
; Clobb: eax, edx, flags, plus whatever DbgPrint clobbers (esi/ebx restored
;        by USES; edi is listed but unused)
; Notes: Same fixed-layout assumption as BeifenSSDTShadowAddress (shadow
;        descriptor 40h below the exported one) - confirm per build.
;        The CR0.WP toggle is not bracketed by cli/sti, unlike _ResumeSSDT,
;        and a DbgPrint call sits inside the window where WP is clear.
;-----------------------------------------------------------------------
HuiFuSSDTShadowAddress proc uses esi edi ebx _Index,_Address

mov eax,dword ptr [KeServiceDescriptorTable]   ; presumably the descriptor's address via the import thunk - confirm
lea eax,[eax-40h] ;Get KeServiceDescriptorTable         ; NOTE(review): presumably the non-exported shadow descriptor, not the exported table
mov eax,[eax+10h] ;Get KeServiceDescriptorTable + 0x10  ; service table base of the second (win32k) descriptor
mov ebx,[eax] ;Get KeServiceDescriptorTableShadow EntryPoint   ; dead load: ebx is never used afterwards

push eax
mov eax,cr0
and eax,0FFFEFFFFh                      ; clear CR0.WP so the table page can be written
mov cr0,eax
pop eax

mov esi,_Index
lea esi,[esi*4]                         ; byte offset of the DWORD entry

push eax                                ; DbgPrint is free to clobber eax/ecx/edx, keep table base and offset
push esi
invoke DbgPrint,$CTA0("%X"),_Address    ; trace the value about to be written
pop esi
pop eax
mov edx,_Address
mov DWORD ptr [eax+esi],edx             ; table[_Index] = _Address (unvalidated)

push eax
mov eax,cr0
or eax,not 0FFFEFFFFh                   ; set CR0.WP again
mov cr0,eax
pop eax

ret

HuiFuSSDTShadowAddress endp

;_Shutdown Proc
;; out al,64h
;; ret
;_Shutdown Endp


最新回复 (3)
DM上是你吧
2009-10-23 20:43
感谢下!
2009-10-24 23:56
以后用VC来写吧。越来越感觉用MASM写东西，逻辑上太难掌握了，很容易就出错；写写自定位或短小精悍的代码还不错。
2009-10-26 15:07