关闭

SSDT替换ZwSetInformationFile实现保护某文件不被删除

标签: objecthookstringclassfileinclude
1609人阅读 评论(1) 收藏 举报
分类:
#include <ntddk.h>
 
typedef struct _SDT
{
  PULONG ServiceTableBase;
  PULONG ServiceCounterTableBase;
  ULONG NumberOfService;
  PUCHAR ParamTableBase;
}SDT, *PSDT;
 
typedef
NTSTATUS
(__stdcall *ZWSETINFORMATIONFILE)(IN HANDLE FileHandle,
                  OUT PIO_STATUS_BLOCK IoStatusBlock,
                  IN PVOID FileInformation,
                  IN ULONG Length,
                  IN FILE_INFORMATION_CLASS FileInformationClass);
 
extern "C" PSDT KeServiceDescriptorTable;  //ntoskrnl.exe导出的
PULONG pFuncSDT;  //原函数地址在SSDT中的位置
ZWSETINFORMATIONFILE OriZwSetInformationFile;  //原函数地址
 
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject);
VOID Hook();
VOID UnHook();
NTSTATUS MyZwSetInformationFile(IN HANDLE FileHandle,
                OUT PIO_STATUS_BLOCK IoStatusBlock,
                IN PVOID FileInformation,
                IN ULONG Length,
                IN FILE_INFORMATION_CLASS FileInformationClass);
 
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,
                IN PUNICODE_STRING pRegPath)
{
  pDriverObject->DriverUnload = DriverUnload;
  Hook();
  return STATUS_SUCCESS;
}
 
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
  UnHook();
}
 
VOID Hook()
{
  UNICODE_STRING strFuncName;
  RtlInitUnicodeString(&strFuncName, L"ZwSetInformationFile");
  pFuncSDT = KeServiceDescriptorTable->ServiceTableBase +
    *PULONG((PUCHAR)MmGetSystemRoutineAddress(&strFuncName) + 1);
  OriZwSetInformationFile = ZWSETINFORMATIONFILE(*pFuncSDT);
  DbgPrint("OriZwSetInformationFile:%x\r\n", OriZwSetInformationFile);
  __asm
  {
    cli
    mov eax,cr0
    and eax,not 10000h  //清除cr0的WP位
    mov cr0,eax
  }
  *pFuncSDT = (ULONG)MyZwSetInformationFile;
  DbgPrint("---Hook---\r\n");
  __asm
  {
    mov eax,cr0
    or eax,10000h  //恢复cr0的WP位
    mov cr0,eax
    sti
  }
}
 
VOID UnHook()
{
  __asm
  {
    cli
    mov eax,cr0
    and eax,not 10000h
    mov cr0,eax
  }
  *pFuncSDT = (ULONG)OriZwSetInformationFile;
  DbgPrint("---UnHook---\r\n");
  __asm
  {
    mov eax,cr0
    or eax,10000h
    mov cr0,eax
    sti
  }
}
 
NTSTATUS MyZwSetInformationFile(IN HANDLE FileHandle,
                OUT PIO_STATUS_BLOCK IoStatusBlock,
                IN PVOID FileInformation,
                IN ULONG Length,
                IN FILE_INFORMATION_CLASS FileInformationClass)
{
  PFILE_OBJECT pFileObject;
  NTSTATUS ret = ObReferenceObjectByHandle(FileHandle, GENERIC_READ,
    *IoFileObjectType, KernelMode, (PVOID*)&pFileObject, 0);
  if (NT_SUCCESS(ret))
  {
    UNICODE_STRING uDosName;
    ret = IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uDosName);  //XP and later
    if (NT_SUCCESS(ret))
    {
      if (!_wcsicmp(pFileObject->FileName.Buffer, L"\\test.txt") &&
        !_wcsicmp(uDosName.Buffer, L"C:"))       
      {
        ExFreePool(uDosName.Buffer);
        return STATUS_ACCESS_DENIED;
      }
      ExFreePool(uDosName.Buffer);
    }
  }
  return OriZwSetInformationFile(FileHandle, IoStatusBlock, FileInformation,
    Length, FileInformationClass);
}
0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:45919次
    • 积分:542
    • 等级:
    • 排名:千里之外
    • 原创:8篇
    • 转载:15篇
    • 译文:0篇
    • 评论:3条