蹂躏D&F学习之备份

//头文件:
//SSDTHOOK.h
#pragma once

#ifdef  __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <string.h>
#ifdef  __cplusplus
};// extern "C"
#endif


typedef struct _SDT_ENTRY
{
	PVOID *ServiceTableBase;
	PULONG ServiceCounterTableBase; //Used only in checked build
	ULONG NumberOfServices;
	PUCHAR ParamTableBase;
} SDT_ENTRY, *PSDT_ENTRY;

EXTERN_C SDT_ENTRY *KeServiceDescriptorTable;

ULONG GetSDDTAddr(ULONG uIndex);
//BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);
//BOOLEAN unHookSSDT(ULONG uIndex, PULONG uOldAddr);

//void DisableWP();
//void EnableWP();
BOOLEAN HookSSDTByMdl(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);
BOOLEAN UnHookSSDTByMdl(ULONG uIndex, ULONG uOldAddr);
//头文件
//mini_ddk.h
//#include <ntddk.h>
//#define INITCODE code_seg("INIT") 
//#define PAGECODE code_seg("PAGE") /*表示内存不足时,可以被置换到硬盘*/
//#pragma INITCODE /*指的代码运行后 就从内存释放掉*/
//NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject)
//{
//	NTSTATUS status;
//	PDEVICE_OBJECT pDevObj;/*用来返回创建设备*/
//
//	//创建设备名称
//	UNICODE_STRING devName;
//	UNICODE_STRING symLinkName; // 
//	RtlInitUnicodeString(&devName, L"\\Device\\yjxDDK_Device");/*对devName初始化字串为 "\\Device\\yjxDDK_Device"*/
//
//	//创建设备
//	status = IoCreateDevice(pDriverObject, \
//		0, \
//		&devName, \
//		FILE_DEVICE_UNKNOWN, \
//		0, TRUE, \
//		&pDevObj);
//	if (!NT_SUCCESS(status))
//	{
//		if (status == STATUS_INSUFFICIENT_RESOURCES)
//		{
//			KdPrint(("资源不足 STATUS_INSUFFICIENT_RESOURCES"));
//		}
//		if (status == STATUS_OBJECT_NAME_EXISTS)
//		{
//			KdPrint(("指定对象名存在"));
//		}
//		if (status == STATUS_OBJECT_NAME_COLLISION)
//		{
//			KdPrint(("//对象名有冲突"));
//		}
//		KdPrint(("设备创建失败...++++++++"));
//		return status;
//	}
//	KdPrint(("设备创建成功...++++++++"));
//
//	pDevObj->Flags |= DO_BUFFERED_IO;
//	//创建符号链接
//
//	RtlInitUnicodeString(&symLinkName, L"\\??\\yjx888");
//	status = IoCreateSymbolicLink(&symLinkName, &devName);
//	if (!NT_SUCCESS(status)) /*status等于0*/
//	{
//		IoDeleteDevice(pDevObj);
//		return status;
//	}
//	return STATUS_SUCCESS;
//}
//
//VOID DDK_Unload(IN PDRIVER_OBJECT pDriverObject); //前置说明 卸载例程
//NTSTATUS ddk_DispatchRoutine_CONTROL(IN PDEVICE_OBJECT pDevobj, IN PIRP pIrp);//派遣函数
//typedef struct _ServiceDescriptorTable {
//	PVOID ServiceTableBase; //System Service Dispatch Table 的基地址  
//	PVOID ServiceCounterTable;
//	//包含着 SSDT 中每个服务被调用次数的计数器。这个计数器一般由sysenter 更新。 
//	unsigned int NumberOfServices;//由 ServiceTableBase 描述的服务的数目。  
//	PVOID ParamTableBase; //包含每个系统服务参数字节数表的基地址-系统服务参数表 
//}*PServiceDescriptorTable;
//extern PServiceDescriptorTable KeServiceDescriptorTable;

//mini_ddk.h
#include <ntddk.h>


void UnloadDriver(PDRIVER_OBJECT pDriver);
NTSTATUS rlNtCreateFile(
	_Out_     PHANDLE FileHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_      POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_     PIO_STATUS_BLOCK IoStatusBlock,
	_In_opt_  PLARGE_INTEGER AllocationSize,
	_In_      ULONG FileAttributes,
	_In_      ULONG ShareAccess,
	_In_      ULONG CreateDisposition,
	_In_      ULONG CreateOptions,
	_In_      PVOID EaBuffer,
	_In_      ULONG EaLength
	);
typedef NTSTATUS (*PFNNTCREATEFILE)(
	_Out_     PHANDLE FileHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_      POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_     PIO_STATUS_BLOCK IoStatusBlock,
	_In_opt_  PLARGE_INTEGER AllocationSize,
	_In_      ULONG FileAttributes,
	_In_      ULONG ShareAccess,
	_In_      ULONG CreateDisposition,
	_In_      ULONG CreateOptions,
	_In_      PVOID EaBuffer,
	_In_      ULONG EaLength
	);

//源文件
//SSDTHOOK.cpp
#include "SSDTHOOK.h"

ULONG GetSDDTAddr(ULONG uIndex)
{
	ULONG uAddr = *(PULONG)((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));
	return uAddr;
}

BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr)

{
	if (uNewAddr == 0 || puOldAddr == NULL)
	{
		return FALSE;
	}
	ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));

*puOldAddr = *(PULONG)uAddr;

	//DisableWP();
	*(PULONG)uAddr=uNewAddr;
	//EnableWP();
	return TRUE;
}

BOOLEAN unHookSSDT(ULONG uIndex, PULONG uOldAddr)
{
	if (uOldAddr == 0)
	{
		return FALSE;
	}

	ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));

	//DisableWP();
	*(PULONG)uAddr = uOldAddr;
	//EnableWP();

	return TRUE;

}



void DisableWP()
{
	_asm
	{
		cli//不要切换到其他CPU
			push eax
			mov eax,cr0
			and eax,0xfffeffff
			mov cr0,eax
			pop eax


	}
}

void EnableWP()
{
	_asm
	{
		push eax
			mov eax,cr0
			or eax,0x10000
			mov cr0,eax
			pop eax
			sti
	}
}


BOOLEAN HookSSDTByMdl(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr)

{
	if (uNewAddr == 0 || puOldAddr == NULL)
	{
		return FALSE;
	}

	PMDL pSSDTMdl= MmCreateMdl(NULL, (*KeServiceDescriptorTable).ServiceTableBase, sizeof(ULONG)* (*KeServiceDescriptorTable).NumberOfServices);
if (pSSDTMdl == NULL)
	{
		return FALSE;

	}
	MmBuildMdlForNonPagedPool(pSSDTMdl);

	pSSDTMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;

	PVOID pServiceTableBase = MmMapLockedPages(pSSDTMdl, KernelMode);


	if (pServiceTableBase == NULL)
	{
		return FALSE;
	}

	ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex);

	*puOldAddr = *(PULONG)uAddr;
	
	*(PULONG)uAddr = uNewAddr;

	IoFreeMdl(pSSDTMdl);
	return TRUE;
}

BOOLEAN UnHookSSDTByMdl(ULONG uIndex, ULONG uOldAddr)

{
	if ( uOldAddr == NULL)
	{
		return FALSE;
	}

	PMDL pSSDTMdl = MmCreateMdl(NULL, (*KeServiceDescriptorTable).ServiceTableBase, sizeof(ULONG)* (*KeServiceDescriptorTable).NumberOfServices);
	if (pSSDTMdl == NULL)
	{
		return FALSE;

	}
	MmBuildMdlForNonPagedPool(pSSDTMdl);

	pSSDTMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;

	PVOID pServiceTableBase = MmMapLockedPages(pSSDTMdl, KernelMode);


	if (pServiceTableBase == NULL)
	{
		return FALSE;
	}

	ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex);


	*(PULONG)uAddr = uOldAddr;

	IoFreeMdl(pSSDTMdl);
	return TRUE;
}

//源文件
//源.cpp
#include <ntddk.h>
void UnloadDriver(PDRIVER_OBJECT pDriver);

//VOID LinkListTest();
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
	//驱动 ->驱动卸载=卸载驱动
	pDriver->DriverUnload = UnloadDriver;//相当于易语言当中结构的定义,运用pDriver结构当中的DriverUnload
	//调试输出
	DbgPrint("Loading my Driver...\n\r");
	KEY_VALUE_PARTIAL_INFORMATION

	//初始化UnicodeString1
	UNICODE_STRING UnicodeString1;
	RtlInitUnicodeString(&UnicodeString1, L"Hello World");

	//初始化UnicodeString2
	UNICODE_STRING UnicodeString2;
	RtlInitUnicodeString(&UnicodeString1, L"Hello");
	//判断字符串是否相等
	if (RtlEqualUnicodeString(&UnicodeString1, &UnicodeString2, TRUE))
	{
		KdPrint(("UnicodeString1 and UnicodeString2 are equal\n"));
	}
	else
	{
		KdPrint(("UnicodeString1 and UnicodeString2 are NOT equal\n"));
	}

	//LinkListTest();
	//TODO
	return 1;
}

void UnloadDriver(PDRIVER_OBJECT pDriver)
{
	//调试输出
	DbgPrint("unLoading my Driver...\n\r");

}

//typedef struct _MYDATASTRUCT
//{
//	ULONG number;
//	LIST_ENTRY ListEntry;
//} MYDATASTRUCT, *PMYDATASTRUCT;
//
//VOID LinkListTest()
//{
//	LIST_ENTRY linkListHead;
//	//初始化链表
//	InitializeListHead(&linkListHead);
//
//	PMYDATASTRUCT pData;
//	ULONG i = 0;
//	//在链表中插入10个元素
//	KdPrint(("Begin insert to link list"));
//	for (i = 0; i<10; i++)
//	{
//		pData = (PMYDATASTRUCT)
//			ExAllocatePool(PagedPool, sizeof(MYDATASTRUCT));
//		pData->number = i;
//		InsertHeadList(&linkListHead, &pData->ListEntry);
//	}
//
//	//从链表中取出,并显示
//	KdPrint(("Begin remove from link list\n"));
//	while (!IsListEmpty(&linkListHead))
//	{
//		PLIST_ENTRY pEntry = RemoveTailList(&linkListHead);
//		pData = CONTAINING_RECORD(pEntry,
//			MYDATASTRUCT,
//			ListEntry);
//		KdPrint(("%d\n", pData->number));
//		ExFreePool(pData);
//	}
//
//}
_stdcall
#include <ntddk.h>
//#include "mini_ddk.h"
//#pragma  INITCODE
//NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING B) //TYPEDEF LONG NTSTATUS
//{
//	LONG *SSDT_Adr, SSDT_NtOpenProcess_Cur_Addr, t_addr;
//	KdPrint(("驱动成功被加载中.............................\n"));
//	//读取SSDT表中索引值为0x7A的函数
//	//poi(poi(KeServiceDescriptorTable)+0x7a*4)
//	t_addr = (LONG)KeServiceDescriptorTable->ServiceTableBase;
//	KdPrint(("当前ServiceTableBase地址为%x \n", t_addr));
//	SSDT_Adr = (PLONG)(t_addr + 0x7A * 4);
//	KdPrint(("当前t_addr+0x7A*4=%x \n", SSDT_Adr));
//	SSDT_NtOpenProcess_Cur_Addr = *SSDT_Adr;
//	KdPrint(("当前SSDT_NtOpenProcess_Cur_Addr地址为%x \n", SSDT_NtOpenProcess_Cur_Addr));
//	/* ULONG SSDT_NtOpenProcess_Cur_Addr;
//	KdPrint(("驱动成功被加载...OK++++++++\n\n"));
//	//读取SSDT表中 NtOpenProcess当前地址 KeServiceDescriptorTable
//	// [[KeServiceDescriptorTable]+0x7A*4]
//
//	__asm
//	{    int 3
//	push ebx
//	push eax
//	mov ebx,KeServiceDescriptorTable
//	mov ebx,[ebx] //表的基地址
//	mov eax,0x7a
//	shl eax,2//0x7A*4 //imul eax,eax,4//shl eax,2
//	add ebx,eax//[KeServiceDescriptorTable]+0x7A*4
//	mov ebx,[ebx]
//	mov SSDT_NtOpenProcess_Cur_Addr,ebx
//	pop  eax
//	pop  ebx
//	}
//	KdPrint(("SSDT_NtOpenProcess_Cur_Addr=%x\n\n",SSDT_NtOpenProcess_Cur_Addr));*/
//	//注册派遣函数
//	pDriverObject->MajorFunction[IRP_MJ_CREATE] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
//	pDriverObject->MajorFunction[IRP_MJ_CLOSE] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
//	pDriverObject->MajorFunction[IRP_MJ_READ] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
//	pDriverObject->MajorFunction[IRP_MJ_CLOSE] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
//	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
//	CreateMyDevice(pDriverObject);//创建相应的设备
//	pDriverObject->DriverUnload = DDK_Unload;
//	return (1);
//}
#pragma code_seg("PAGE")
//#pragma PAGECODE
//VOID DDK_Unload(IN PDRIVER_OBJECT pDriverObject)
//{
//	PDEVICE_OBJECT pDev;//用来取得要删除设备对象
//	UNICODE_STRING symLinkName; // 
//
//	pDev = pDriverObject->DeviceObject;
//	IoDeleteDevice(pDev); //删除设备
//
//	//取符号链接名字
//	RtlInitUnicodeString(&symLinkName, L"\\??\\yjx888");
//	//删除符号链接
//	IoDeleteSymbolicLink(&symLinkName);
//	KdPrint(("驱动成功被卸载...OK-----------")); //sprintf,printf
//	//取得要删除设备对象
//	//删掉所有设备
//	DbgPrint("卸载成功");
//}
//#pragma PAGECODE
//NTSTATUS ddk_DispatchRoutine_CONTROL(IN PDEVICE_OBJECT pDevobj, IN PIRP pIrp)
//{
//	//对相应的IPR进行处理
//	pIrp->IoStatus.Information = 0;//设置操作的字节数为0,这里无实际意义
//	pIrp->IoStatus.Status = STATUS_SUCCESS;//返回成功
//	IoCompleteRequest(pIrp, IO_NO_INCREMENT);//指示完成此IRP
//	KdPrint(("离开派遣函数\n"));//调试信息
//	return STATUS_SUCCESS; //返回成功
//}
//源文件
#include "mini_ddk.h"
#include "SSDTHOOK.h"




ULONG g_uOldNtCreateFileAddr = 0;
PFNNTCREATEFILE g_pfnNtCreateFile = NULL;

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
//#if DBG
//	_asm int 3
//#endif
	//驱动 ->驱动卸载=卸载驱动
	pDriver->DriverUnload = UnloadDriver;
	//调试输出
	DbgPrint("Loading MyDriver...\r");//有一个换行的空格
	ULONG uAddr = GetSDDTAddr(0x42);
	if (uAddr)
	{
		g_pfnNtCreateFile = (PFNNTCREATEFILE)uAddr;
		HookSSDTByMdl(0x42, (ULONG)rlNtCreateFile, &g_uOldNtCreateFileAddr);

		
		KdPrint(("NtCreateFile:0x%08x\r", uAddr));

	}
	return 1;
}

void UnloadDriver(PDRIVER_OBJECT pDriver)
{
	UnHookSSDTByMdl(0x42, g_uOldNtCreateFileAddr);
	//调试输出
	DbgPrint("unLoading MyDriver...\r");
}

NTSTATUS rlNtCreateFile(
	_Out_     PHANDLE FileHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_      POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_     PIO_STATUS_BLOCK IoStatusBlock,
	_In_opt_  PLARGE_INTEGER AllocationSize,
	_In_      ULONG FileAttributes,
	_In_      ULONG ShareAccess,
	_In_      ULONG CreateDisposition,
	_In_      ULONG CreateOptions,
	_In_      PVOID EaBuffer,
	_In_      ULONG EaLength
	)
{
	if (ObjectAttributes  && ObjectAttributes->ObjectName)
	{
		if (wcsstr(ObjectAttributes->ObjectName->Buffer, L"1.txt") != 0)
		{
			KdPrint(("NtCreateFile %wZ\r"), ObjectAttributes->ObjectName);
			return STATUS_UNSUCCESSFUL;
		}

	}
	return g_pfnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes,

		ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);

}



  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值