//头文件:
//SSDTHOOK.h
#pragma once
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <string.h>
#ifdef __cplusplus
};// extern "C"
#endif
typedef struct _SDT_ENTRY
{
PVOID *ServiceTableBase;
PULONG ServiceCounterTableBase; //Used only in checked build
ULONG NumberOfServices;
PUCHAR ParamTableBase;
} SDT_ENTRY, *PSDT_ENTRY;
EXTERN_C SDT_ENTRY *KeServiceDescriptorTable;
ULONG GetSDDTAddr(ULONG uIndex);
//BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);
//BOOLEAN unHookSSDT(ULONG uIndex, PULONG uOldAddr);
//void DisableWP();
//void EnableWP();
BOOLEAN HookSSDTByMdl(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);
BOOLEAN UnHookSSDTByMdl(ULONG uIndex, ULONG uOldAddr);
//头文件
//mini_ddk.h
//#include <ntddk.h>
//#define INITCODE code_seg("INIT")
//#define PAGECODE code_seg("PAGE") /*表示内存不足时,可以被置换到硬盘*/
//#pragma INITCODE /*指的代码运行后 就从内存释放掉*/
//NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject)
//{
// NTSTATUS status;
// PDEVICE_OBJECT pDevObj;/*用来返回创建设备*/
//
// //创建设备名称
// UNICODE_STRING devName;
// UNICODE_STRING symLinkName; //
// RtlInitUnicodeString(&devName, L"\\Device\\yjxDDK_Device");/*对devName初始化字串为 "\\Device\\yjxDDK_Device"*/
//
// //创建设备
// status = IoCreateDevice(pDriverObject, \
// 0, \
// &devName, \
// FILE_DEVICE_UNKNOWN, \
// 0, TRUE, \
// &pDevObj);
// if (!NT_SUCCESS(status))
// {
// if (status == STATUS_INSUFFICIENT_RESOURCES)
// {
// KdPrint(("资源不足 STATUS_INSUFFICIENT_RESOURCES"));
// }
// if (status == STATUS_OBJECT_NAME_EXISTS)
// {
// KdPrint(("指定对象名存在"));
// }
// if (status == STATUS_OBJECT_NAME_COLLISION)
// {
// KdPrint(("//对象名有冲突"));
// }
// KdPrint(("设备创建失败...++++++++"));
// return status;
// }
// KdPrint(("设备创建成功...++++++++"));
//
// pDevObj->Flags |= DO_BUFFERED_IO;
// //创建符号链接
//
// RtlInitUnicodeString(&symLinkName, L"\\??\\yjx888");
// status = IoCreateSymbolicLink(&symLinkName, &devName);
// if (!NT_SUCCESS(status)) /*status等于0*/
// {
// IoDeleteDevice(pDevObj);
// return status;
// }
// return STATUS_SUCCESS;
//}
//
//VOID DDK_Unload(IN PDRIVER_OBJECT pDriverObject); //前置说明 卸载例程
//NTSTATUS ddk_DispatchRoutine_CONTROL(IN PDEVICE_OBJECT pDevobj, IN PIRP pIrp);//派遣函数
//typedef struct _ServiceDescriptorTable {
// PVOID ServiceTableBase; //System Service Dispatch Table 的基地址
// PVOID ServiceCounterTable;
// //包含着 SSDT 中每个服务被调用次数的计数器。这个计数器一般由sysenter 更新。
// unsigned int NumberOfServices;//由 ServiceTableBase 描述的服务的数目。
// PVOID ParamTableBase; //包含每个系统服务参数字节数表的基地址-系统服务参数表
//}*PServiceDescriptorTable;
//extern PServiceDescriptorTable KeServiceDescriptorTable;
//mini_ddk.h
#include <ntddk.h>
void UnloadDriver(PDRIVER_OBJECT pDriver);
NTSTATUS rlNtCreateFile(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_ PVOID EaBuffer,
_In_ ULONG EaLength
);
typedef NTSTATUS (*PFNNTCREATEFILE)(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_ PVOID EaBuffer,
_In_ ULONG EaLength
);
//源文件
//SSDTHOOK.cpp
#include "SSDTHOOK.h"
ULONG GetSDDTAddr(ULONG uIndex)
{
ULONG uAddr = *(PULONG)((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));
return uAddr;
}
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr)
{
if (uNewAddr == 0 || puOldAddr == NULL)
{
return FALSE;
}
ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));
*puOldAddr = *(PULONG)uAddr;
//DisableWP();
*(PULONG)uAddr=uNewAddr;
//EnableWP();
return TRUE;
}
BOOLEAN unHookSSDT(ULONG uIndex, PULONG uOldAddr)
{
if (uOldAddr == 0)
{
return FALSE;
}
ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));
//DisableWP();
*(PULONG)uAddr = uOldAddr;
//EnableWP();
return TRUE;
}
void DisableWP()
{
_asm
{
cli//不要切换到其他CPU
push eax
mov eax,cr0
and eax,0xfffeffff
mov cr0,eax
pop eax
}
}
void EnableWP()
{
_asm
{
push eax
mov eax,cr0
or eax,0x10000
mov cr0,eax
pop eax
sti
}
}
BOOLEAN HookSSDTByMdl(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr)
{
if (uNewAddr == 0 || puOldAddr == NULL)
{
return FALSE;
}
PMDL pSSDTMdl= MmCreateMdl(NULL, (*KeServiceDescriptorTable).ServiceTableBase, sizeof(ULONG)* (*KeServiceDescriptorTable).NumberOfServices);
if (pSSDTMdl == NULL)
{
return FALSE;
}
MmBuildMdlForNonPagedPool(pSSDTMdl);
pSSDTMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
PVOID pServiceTableBase = MmMapLockedPages(pSSDTMdl, KernelMode);
if (pServiceTableBase == NULL)
{
return FALSE;
}
ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex);
*puOldAddr = *(PULONG)uAddr;
*(PULONG)uAddr = uNewAddr;
IoFreeMdl(pSSDTMdl);
return TRUE;
}
BOOLEAN UnHookSSDTByMdl(ULONG uIndex, ULONG uOldAddr)
{
if ( uOldAddr == NULL)
{
return FALSE;
}
PMDL pSSDTMdl = MmCreateMdl(NULL, (*KeServiceDescriptorTable).ServiceTableBase, sizeof(ULONG)* (*KeServiceDescriptorTable).NumberOfServices);
if (pSSDTMdl == NULL)
{
return FALSE;
}
MmBuildMdlForNonPagedPool(pSSDTMdl);
pSSDTMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
PVOID pServiceTableBase = MmMapLockedPages(pSSDTMdl, KernelMode);
if (pServiceTableBase == NULL)
{
return FALSE;
}
ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex);
*(PULONG)uAddr = uOldAddr;
IoFreeMdl(pSSDTMdl);
return TRUE;
}
//源文件
//源.cpp
#include <ntddk.h>
void UnloadDriver(PDRIVER_OBJECT pDriver);
//VOID LinkListTest();
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
//驱动 ->驱动卸载=卸载驱动
pDriver->DriverUnload = UnloadDriver;//相当于易语言当中结构的定义,运用pDriver结构当中的DriverUnload
//调试输出
DbgPrint("Loading my Driver...\n\r");
KEY_VALUE_PARTIAL_INFORMATION
//初始化UnicodeString1
UNICODE_STRING UnicodeString1;
RtlInitUnicodeString(&UnicodeString1, L"Hello World");
//初始化UnicodeString2
UNICODE_STRING UnicodeString2;
RtlInitUnicodeString(&UnicodeString1, L"Hello");
//判断字符串是否相等
if (RtlEqualUnicodeString(&UnicodeString1, &UnicodeString2, TRUE))
{
KdPrint(("UnicodeString1 and UnicodeString2 are equal\n"));
}
else
{
KdPrint(("UnicodeString1 and UnicodeString2 are NOT equal\n"));
}
//LinkListTest();
//TODO
return 1;
}
void UnloadDriver(PDRIVER_OBJECT pDriver)
{
//调试输出
DbgPrint("unLoading my Driver...\n\r");
}
//typedef struct _MYDATASTRUCT
//{
// ULONG number;
// LIST_ENTRY ListEntry;
//} MYDATASTRUCT, *PMYDATASTRUCT;
//
//VOID LinkListTest()
//{
// LIST_ENTRY linkListHead;
// //初始化链表
// InitializeListHead(&linkListHead);
//
// PMYDATASTRUCT pData;
// ULONG i = 0;
// //在链表中插入10个元素
// KdPrint(("Begin insert to link list"));
// for (i = 0; i<10; i++)
// {
// pData = (PMYDATASTRUCT)
// ExAllocatePool(PagedPool, sizeof(MYDATASTRUCT));
// pData->number = i;
// InsertHeadList(&linkListHead, &pData->ListEntry);
// }
//
// //从链表中取出,并显示
// KdPrint(("Begin remove from link list\n"));
// while (!IsListEmpty(&linkListHead))
// {
// PLIST_ENTRY pEntry = RemoveTailList(&linkListHead);
// pData = CONTAINING_RECORD(pEntry,
// MYDATASTRUCT,
// ListEntry);
// KdPrint(("%d\n", pData->number));
// ExFreePool(pData);
// }
//
//}
_stdcall
#include <ntddk.h>
//#include "mini_ddk.h"
//#pragma INITCODE
//NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING B) //TYPEDEF LONG NTSTATUS
//{
// LONG *SSDT_Adr, SSDT_NtOpenProcess_Cur_Addr, t_addr;
// KdPrint(("驱动成功被加载中.............................\n"));
// //读取SSDT表中索引值为0x7A的函数
// //poi(poi(KeServiceDescriptorTable)+0x7a*4)
// t_addr = (LONG)KeServiceDescriptorTable->ServiceTableBase;
// KdPrint(("当前ServiceTableBase地址为%x \n", t_addr));
// SSDT_Adr = (PLONG)(t_addr + 0x7A * 4);
// KdPrint(("当前t_addr+0x7A*4=%x \n", SSDT_Adr));
// SSDT_NtOpenProcess_Cur_Addr = *SSDT_Adr;
// KdPrint(("当前SSDT_NtOpenProcess_Cur_Addr地址为%x \n", SSDT_NtOpenProcess_Cur_Addr));
// /* ULONG SSDT_NtOpenProcess_Cur_Addr;
// KdPrint(("驱动成功被加载...OK++++++++\n\n"));
// //读取SSDT表中 NtOpenProcess当前地址 KeServiceDescriptorTable
// // [[KeServiceDescriptorTable]+0x7A*4]
//
// __asm
// { int 3
// push ebx
// push eax
// mov ebx,KeServiceDescriptorTable
// mov ebx,[ebx] //表的基地址
// mov eax,0x7a
// shl eax,2//0x7A*4 //imul eax,eax,4//shl eax,2
// add ebx,eax//[KeServiceDescriptorTable]+0x7A*4
// mov ebx,[ebx]
// mov SSDT_NtOpenProcess_Cur_Addr,ebx
// pop eax
// pop ebx
// }
// KdPrint(("SSDT_NtOpenProcess_Cur_Addr=%x\n\n",SSDT_NtOpenProcess_Cur_Addr));*/
// //注册派遣函数
// pDriverObject->MajorFunction[IRP_MJ_CREATE] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
// pDriverObject->MajorFunction[IRP_MJ_CLOSE] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
// pDriverObject->MajorFunction[IRP_MJ_READ] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
// pDriverObject->MajorFunction[IRP_MJ_CLOSE] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
// pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
// CreateMyDevice(pDriverObject);//创建相应的设备
// pDriverObject->DriverUnload = DDK_Unload;
// return (1);
//}
#pragma code_seg("PAGE")
//#pragma PAGECODE
//VOID DDK_Unload(IN PDRIVER_OBJECT pDriverObject)
//{
// PDEVICE_OBJECT pDev;//用来取得要删除设备对象
// UNICODE_STRING symLinkName; //
//
// pDev = pDriverObject->DeviceObject;
// IoDeleteDevice(pDev); //删除设备
//
// //取符号链接名字
// RtlInitUnicodeString(&symLinkName, L"\\??\\yjx888");
// //删除符号链接
// IoDeleteSymbolicLink(&symLinkName);
// KdPrint(("驱动成功被卸载...OK-----------")); //sprintf,printf
// //取得要删除设备对象
// //删掉所有设备
// DbgPrint("卸载成功");
//}
//#pragma PAGECODE
//NTSTATUS ddk_DispatchRoutine_CONTROL(IN PDEVICE_OBJECT pDevobj, IN PIRP pIrp)
//{
// //对相应的IPR进行处理
// pIrp->IoStatus.Information = 0;//设置操作的字节数为0,这里无实际意义
// pIrp->IoStatus.Status = STATUS_SUCCESS;//返回成功
// IoCompleteRequest(pIrp, IO_NO_INCREMENT);//指示完成此IRP
// KdPrint(("离开派遣函数\n"));//调试信息
// return STATUS_SUCCESS; //返回成功
//}
//源文件
#include "mini_ddk.h"
#include "SSDTHOOK.h"
ULONG g_uOldNtCreateFileAddr = 0;
PFNNTCREATEFILE g_pfnNtCreateFile = NULL;
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
//#if DBG
// _asm int 3
//#endif
//驱动 ->驱动卸载=卸载驱动
pDriver->DriverUnload = UnloadDriver;
//调试输出
DbgPrint("Loading MyDriver...\r");//有一个换行的空格
ULONG uAddr = GetSDDTAddr(0x42);
if (uAddr)
{
g_pfnNtCreateFile = (PFNNTCREATEFILE)uAddr;
HookSSDTByMdl(0x42, (ULONG)rlNtCreateFile, &g_uOldNtCreateFileAddr);
KdPrint(("NtCreateFile:0x%08x\r", uAddr));
}
return 1;
}
void UnloadDriver(PDRIVER_OBJECT pDriver)
{
UnHookSSDTByMdl(0x42, g_uOldNtCreateFileAddr);
//调试输出
DbgPrint("unLoading MyDriver...\r");
}
NTSTATUS rlNtCreateFile(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_ PVOID EaBuffer,
_In_ ULONG EaLength
)
{
if (ObjectAttributes && ObjectAttributes->ObjectName)
{
if (wcsstr(ObjectAttributes->ObjectName->Buffer, L"1.txt") != 0)
{
KdPrint(("NtCreateFile %wZ\r"), ObjectAttributes->ObjectName);
return STATUS_UNSUCCESSFUL;
}
}
return g_pfnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes,
ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}