- 注册时间
- 2011-8-8
- 最后登录
- 1970-1-1
该用户从未签到
|
源码如下:
#pragma once
#ifndef DUOKAI_H
#define DUOKAI_H
#ifndef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
#include <windef.h>
#include <string.h>
#ifndef __cplusplus
};
#endif
#define _device_name L"\\device\\device_name"
#define _symbol_name L"\\??\\symbol_name"
#define PAGEDCODE code_seg("PAGED")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGED")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
typedef struct _DEVICE_EXTENSION
{
UNICODE_STRING device_name;
UNICODE_STRING symbol_name;
PDEVICE_OBJECT device_object;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;
VOID DriverUnLoad(PDRIVER_OBJECT driver);
NTSTATUS DispatchIrp(PDEVICE_OBJECT driver,PIRP irp);
VOID Get_Version(PDRIVER_OBJECT driver);
VOID GetCall_addr();
VOID GetKiFastCallEntry();
VOID Hook_KiFastCallEntry();
VOID My_KiFastCallEntry();
VOID Un_KiFastCallEntry();
extern "C"
typedef
NTSYSCALLAPI NTSTATUS NTAPI typedef_NtOpenProcess ( __out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
) ;
typedef_NtOpenProcess* t_NtOpenProcess;
extern "C"
typedef
NTSYSCALLAPI NTSTATUS NTAPI typedef_NtReadVirtualMemory ( __in HANDLE ProcessHandle,
__in_opt PVOID BaseAddress,
__out_bcount(BufferSize) PVOID Buffer,
__in SIZE_T BufferSize,
__out_opt PSIZE_T NumberOfBytesRead
) ;
typedef_NtReadVirtualMemory* t_NtReadVirtualMemory;
extern "C"
typedef
NTSYSCALLAPI NTSTATUS NTAPI typedef_NtWriteVirtualMemory ( __in HANDLE ProcessHandle,
__in_opt PVOID BaseAddress,
__in_bcount(BufferSize) CONST VOID * Buffer,
__in SIZE_T BufferSize,
__out_opt PSIZE_T NumberOfBytesWritten
) ;
typedef_NtWriteVirtualMemory* t_NtWriteVirtualMemory;
#endif
//-------------------------------------------------------------
#include "duokai.h"
#include "hook.h"
#include "KiFastCallEntry.h"
#pragma PAGEDCODE
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING un_string)
{
//////////////////////////////////////////////////////////////////////////
Get_Version(driver);
hook_NtCreateMutant();
hook_NtOpenMutant();
//------------------注入支持
// GetCall_addr();
// GetKiFastCallEntry();
// Hook_KiFastCallEntry();
//-----------------------------
NTSTATUS status=STATUS_SUCCESS;
driver->MajorFunction[IRP_MJ_CREATE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_CLOSE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_READ]=DispatchIrp;
driver->MajorFunction[IRP_MJ_WRITE]=DispatchIrp;
driver->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DispatchIrp;
driver->DriverUnload=DriverUnLoad;
PDEVICE_EXTENSION deviceextension;
UNICODE_STRING device_name;
RtlInitUnicodeString(&device_name,_device_name);
PDEVICE_OBJECT device_object;
status=IoCreateDevice(driver,sizeof(deviceextension),&device_name,FILE_DEVICE_UNKNOWN,NULL,FALSE,&device_object);
if(!NT_SUCCESS(status))
{
KdPrint(("创建设备失败!\n"));
return status;
}
KdPrint(("创建设备成功!\n"));
device_object->Type |= DO_BUFFERED_IO;
deviceextension=(PDEVICE_EXTENSION)device_object->DeviceExtension;
deviceextension->device_name=device_name;
deviceextension->device_object=device_object;
UNICODE_STRING symbol_object;
RtlInitUnicodeString(&symbol_object,_symbol_name);
deviceextension->symbol_name=symbol_object;
status=IoCreateSymbolicLink(&symbol_object,&device_name);
if(!NT_SUCCESS(status))
{
KdPrint(("创建符号链接失败!\n"));
IoDeleteDevice(device_object);
return status;
}
KdPrint(("创建符号链接成功!\n"));
return STATUS_SUCCESS;
}
#pragma PAGEDCODE
VOID DriverUnLoad(PDRIVER_OBJECT driver)
{
PDEVICE_OBJECT driver_object;
driver_object=driver->DeviceObject;
while(driver_object!=NULL)
{
PDEVICE_EXTENSION deviceextension=(PDEVICE_EXTENSION)driver_object->DeviceExtension;
UNICODE_STRING symbol_name=deviceextension->symbol_name;
IoDeleteSymbolicLink(&symbol_name);
driver_object=driver_object->NextDevice;
IoDeleteDevice(deviceextension->device_object);
}
//------------------------
UNhook_NtCreateMutant();
Unhook_NtOpenMutant();
// Un_KiFastCallEntry();
KdPrint(("删除设备成功!\n"));
}
#pragma PAGEDCODE
NTSTATUS DispatchIrp(PDEVICE_OBJECT driver,PIRP irp)
{
irp->IoStatus.Status=STATUS_SUCCESS;
irp->IoStatus.Information=0;
IoCompleteRequest(irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
//---------------------------------------------------------------------
#pragma once
#ifndef HOOK_H
#define HOOK_H
#define Version_win7 61
#define Version_2008 60
#define Version_xp 51
//---------------------------------
ULONG u_NtCreateMutant; //保存CreateMutant的地址
ULONG u_NtOpenMutant; //保存NtOpenMutant的地址
int in_NtOpenThread; //保存NtOpenThread的序号
int in_NtOpenProcess; //保存NtOpenprocess的序号
int in_NtReadVirtualMemory; //保存NtReadVirtualMemory的序号
int in_NtWriteVirtualMemory; //保存NtWriteVirtualMemory的序号
//-------------------------------
ULONG addr_NtOpenThread;
ULONG push0_addr_NtOpenProcess;
ULONG push_addr_NtOpenProecss;
ULONG call_addr_NtOpenProecss; //保存NtOpenProcess的call地址
ULONG addr_NtOpenProecss;
BYTE push0_addr_NtReadVirtualMemory;
ULONG push_addr_NtReadVirtualMemory;
ULONG call_addr_NtReadVirtualMemory;
ULONG addr_NtReadVirtualMemory;
BYTE push0_addr_NtWriteVirtualMemory;
ULONG push_addr_NtWriteVirtualMemory;
ULONG call_addr_NtWriteVirtualMemory;
ULONG addr_NtWriteVirtualMemory;
typedef struct _ServiceDescriptorTable {
PVOID ServiceTableBase; //System Service Dispatch Table 的基地址
PVOID ServiceCounterTable;
//包含着 SSDT 中每个服务被调用次数的计数器。这个计数器一般由sysenter 更新。
unsigned int NumberOfServices;//由 ServiceTableBase 描述的服务的数目。
PVOID ParamTableBase; //包含每个系统服务参数字节数表的基地址-系统服务参数表
}*PServiceDescriptorTable;
extern "C" extern PServiceDescriptorTable KeServiceDescriptorTable;
#pragma pack(1)
typedef struct jmp_code
{
BYTE e9;
ULONG jmpaddr;
}_jmpcode,*pjmpcode;
#pragma pack()
#pragma PAGEDCODE
ULONG* Getssdt_this(int index)
{
ULONG* Get_Funaddr,GetFun;
GetFun=(ULONG)KeServiceDescriptorTable->ServiceTableBase;
KdPrint(("SSDT表的地址为:%x\n",GetFun));
Get_Funaddr=(PULONG)(GetFun+index*4);
KdPrint(("---序号=%d,地址=%x",index,Get_Funaddr));
return Get_Funaddr;
}
#pragma PAGEDCODE
ULONG Getssdt_addr(int index)
{
ULONG* Get_Funaddr,GetFun,addr_GetFun;
GetFun=(ULONG)KeServiceDescriptorTable->ServiceTableBase;
KdPrint(("SSDT表的地址为:%x\n",GetFun));
Get_Funaddr=(PULONG)(GetFun+index*4);
KdPrint(("---序号=%d,地址=%x",index,Get_Funaddr));
addr_GetFun=*Get_Funaddr;
KdPrint(("地址为:%x",addr_GetFun));
return addr_GetFun;
}
KIRQL kirql;
#pragma PAGEDCODE
VOID PAGED_Open()
{
__asm
{
cli
push eax
mov eax,cr0
and eax,not 10000h
mov cr0,eax
pop eax
}
kirql=KeRaiseIrqlToDpcLevel();
}
#pragma PAGEDCODE
VOID PAGED_Exit()
{
KeLowerIrql(kirql);
__asm
{
push eax
mov eax,cr0
or eax,10000h
mov cr0,eax
pop eax
sti
}
}
#pragma PAGEDCODE
VOID Get_Version(PDRIVER_OBJECT driver)
{
ULONG MajorVersion,MinorVersion,BuildVersion;
PsGetVersion(&MajorVersion,&MinorVersion,&BuildVersion,NULL);
DWORD dw_version=MajorVersion*10+MinorVersion;
switch(dw_version)
{
case Version_xp:
KdPrint(("当前操作系统windows xp......\n"));
in_NtOpenThread=0x80;
in_NtOpenProcess=0x7A;
in_NtReadVirtualMemory=0xBA;
in_NtWriteVirtualMemory=0x115;
break;
default:
driver->DriverUnload=DriverUnLoad;
break;
}
}
//////////////////////////////////////////////////////////////////////////
extern "C"
typedef
NTSYSAPI
NTSTATUS
(__stdcall *Nt_CreateMutant)(
OUT PHANDLE MutantHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN BOOLEAN InitialOwner
);
Nt_CreateMutant* nt_CreateMutant;
|
|
发表于 2011-11-19 19:53:28
