//rlTenD.cpp
#include <ntddk.h>
#include "SSDTHOOK.h"
#include "rlTenD.h"
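/* Saved original SSDT entry for NtCreateFile (0 while no hook is installed). */
ULONG g_uOldNtCreateFileAddr = 0;
/* The same address as a callable; rlNtCreateFile forwards through it. */
PFNNTCREATEFILE g_pfnNtCreateFile = NULL;
/* SSDT slot that was hooked, so UnloadDriver restores exactly that slot. */
static ULONG g_uNtCreateFileIndex = 0;

/*
 * Recover NtCreateFile's SSDT index from the kernel's own ZwCreateFile stub
 * instead of hard-coding 0x42: the index differs between Windows versions,
 * and patching the wrong slot sends an unrelated system call into
 * rlNtCreateFile with an argument layout it does not expect.
 *
 * x86 only (this driver already assumes 32-bit addresses): ntoskrnl's Zw*
 * stubs begin with `mov eax, imm32` (opcode 0xB8), imm32 being the service
 * index. Returns FALSE and leaves *puIndex untouched when the stub does not
 * look like that, so the caller declines to hook rather than guess.
 */
static BOOLEAN GetNtCreateFileIndex(PULONG puIndex)
{
    PUCHAR pStub = (PUCHAR)ZwCreateFile;
    if (pStub == NULL || pStub[0] != 0xB8)
    {
        return FALSE;
    }
    *puIndex = *(PULONG)(pStub + 1);
    return TRUE;
}

/*
 * Driver entry point: registers UnloadDriver and installs the NtCreateFile
 * SSDT hook. As before, loading succeeds even when the hook cannot be
 * installed (the driver then does nothing); the reason is logged via KdPrint.
 *
 * Ordering matters: g_pfnNtCreateFile must hold the original address
 * *before* HookSSDT swaps the slot, because another CPU can enter
 * rlNtCreateFile the instant the slot changes.
 */
NTSTATUS NTAPI DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
    UNREFERENCED_PARAMETER(str);
    pDriver->DriverUnload = UnloadDriver;
    DbgPrint("Loading MyDriver...\r");

    ULONG uIndex = 0;
    if (!GetNtCreateFileIndex(&uIndex))
    {
        KdPrint(("NtCreateFile: cannot determine SSDT index, hook not installed\r"));
        return STATUS_SUCCESS;
    }

    ULONG uAddr = GetSSDTAddr(uIndex);
    if (uAddr == 0)
    {
        KdPrint(("NtCreateFile: SSDT index 0x%x has no entry, hook not installed\r", uIndex));
        return STATUS_SUCCESS;
    }

    g_pfnNtCreateFile = (PFNNTCREATEFILE)uAddr;
    g_uNtCreateFileIndex = uIndex;
    /* The original ignored HookSSDT's result and so could unload "a hook" that was never installed. */
    if (!HookSSDT(uIndex, (ULONG)rlNtCreateFile, &g_uOldNtCreateFileAddr))
    {
        /* HookSSDT writes nothing when it fails, so there is nothing to undo. */
        g_pfnNtCreateFile = NULL;
        g_uOldNtCreateFileAddr = 0;
        KdPrint(("NtCreateFile: HookSSDT failed, hook not installed\r"));
        return STATUS_SUCCESS;
    }
    KdPrint(("NtCreateFile: 0x%08x (SSDT index 0x%x)\r", uAddr, uIndex));
    return STATUS_SUCCESS;
}

/*
 * Unload callback: writes the original NtCreateFile address back into the
 * slot recorded by DriverEntry. Skips the restore when no hook is installed
 * and passes the saved ULONG -- the original handed the function pointer to
 * a ULONG parameter, which C++ does not convert implicitly.
 *
 * g_pfnNtCreateFile is deliberately left set: a thread already inside
 * rlNtCreateFile still needs it to forward its call.
 *
 * NOTE(review): nothing here waits for in-flight calls to drain, so a thread
 * executing rlNtCreateFile when the image is unmapped will crash. A real
 * fix needs an in-flight counter checked before returning from unload.
 */
void NTAPI UnloadDriver(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);
    if (g_uOldNtCreateFileAddr != 0)
    {
        UnHookSSDT(g_uNtCreateFileIndex, g_uOldNtCreateFileAddr);
        g_uOldNtCreateFileAddr = 0;
    }
    DbgPrint("unLoading MyDriver...\r");
}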
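/*
 * Hook body for NtCreateFile: logs the requested object name, then forwards
 * every argument unchanged to the saved original (g_pfnNtCreateFile).
 *
 * This runs as the system service itself, so ObjectAttributes, the
 * UNICODE_STRING it points to and that string's Buffer are raw caller
 * pointers. For a user-mode caller they are unvalidated: the original
 * dereferenced them directly, letting any process bugcheck the machine by
 * calling NtCreateFile with a bad pointer. The real NtCreateFile probes
 * them under SEH; this does the same before reading anything.
 *
 * NTAPI is explicit because the dispatcher calls SSDT entries with the
 * system-service (stdcall) convention; relying on /Gz is fragile.
 */
NTSTATUS NTAPI rlNtCreateFile(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength
    )
{
    if (ObjectAttributes != NULL)
    {
        KPROCESSOR_MODE mode = ExGetPreviousMode();
        __try
        {
            if (mode == UserMode)
            {
                ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG));
            }
            PUNICODE_STRING pName = ObjectAttributes->ObjectName;
            if (pName != NULL)
            {
                if (mode == UserMode)
                {
                    ProbeForRead(pName, sizeof(UNICODE_STRING), sizeof(ULONG));
                }
                /* Snapshot the descriptor so Length/Buffer cannot be changed by
                   another caller thread between the probe and the print. */
                UNICODE_STRING usName = *pName;
                if (mode == UserMode && usName.Buffer != NULL && usName.Length != 0)
                {
                    ProbeForRead(usName.Buffer, usName.Length, sizeof(WCHAR));
                }
                KdPrint(("NtCreateFile: %wZ\r", &usName));
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            /* Bad caller pointer: drop the log line and let the real
               NtCreateFile report the error to the caller. */
        }
    }
    return g_pfnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                             AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
                             CreateOptions, EaBuffer, EaLength);
}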
//rlTenD.h
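/* Driver unload callback installed by DriverEntry; restores the hooked SSDT slot.
   NTAPI matches PDRIVER_UNLOAD instead of relying on the build's /Gz default. */
void NTAPI UnloadDriver(PDRIVER_OBJECT pDriver);

/*
 * Replacement NtCreateFile installed in the SSDT. It must use the kernel's
 * system-service calling convention (NTAPI): the dispatcher calls the slot
 * that way, and the forwarding call through PFNNTCREATEFILE relies on the
 * same convention. Without the explicit NTAPI this only works when the
 * project is built with /Gz. EaBuffer is optional, as in NtCreateFile.
 */
NTSTATUS NTAPI rlNtCreateFile(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength
    );

/* Pointer type used to call the saved original NtCreateFile; same convention as above. */
typedef NTSTATUS (NTAPI *PFNNTCREATEFILE)(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength
    );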
//SSDTHOOK.cpp
#include "SSDTHOOK.h"
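/*
 * Read the entry-point address stored in SSDT slot uIndex.
 *
 * Returns 0 when the descriptor table is unavailable or uIndex is at or
 * beyond NumberOfServices; DriverEntry already treats 0 as "no entry", so an
 * out-of-range index now fails cleanly instead of reading past the table.
 *
 * x86 layout: one 4-byte function address per slot (the original also used
 * a sizeof(ULONG) stride, so this is not valid on x64).
 */
ULONG GetSSDTAddr(ULONG uIndex)
{
    if (KeServiceDescriptorTable == NULL ||
        KeServiceDescriptorTable->ServiceTableBase == NULL ||
        uIndex >= KeServiceDescriptorTable->NumberOfServices)
    {
        return 0;
    }
    PULONG pTable = (PULONG)KeServiceDescriptorTable->ServiceTableBase;
    return pTable[uIndex];
}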
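/*
 * Point SSDT slot uIndex at uNewAddr and hand the previous entry back through
 * puOldAddr so UnHookSSDT can restore it.
 *
 * Returns FALSE, writing nothing, when uNewAddr is 0, puOldAddr is NULL, the
 * descriptor table is unavailable, or uIndex is at or beyond
 * NumberOfServices (the original accepted any index and wrote past the table).
 *
 * NOTE(review): this assumes the slot is writable. On 32-bit Windows builds
 * where the service table sits in a read-only page (the common case) the
 * plain store below bugchecks unless the page has first been made writable
 * (clearing CR0.WP on the current CPU, or mapping the slot through a
 * writable MDL); neither is done anywhere in this code. On x64 PatchGuard
 * rules the technique out entirely.
 *
 * The store is a single aligned 32-bit write, which x86 performs atomically,
 * so a concurrent caller sees either the old or the new entry.
 */
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr)
{
    if (uNewAddr == 0 || puOldAddr == NULL)
    {
        return FALSE;
    }
    if (KeServiceDescriptorTable == NULL ||
        KeServiceDescriptorTable->ServiceTableBase == NULL ||
        uIndex >= KeServiceDescriptorTable->NumberOfServices)
    {
        return FALSE;
    }
    PULONG pSlot = (PULONG)KeServiceDescriptorTable->ServiceTableBase + uIndex;
    *puOldAddr = *pSlot;
    *pSlot = uNewAddr;
    return TRUE;
}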
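/*
 * Write uOldAddr back into SSDT slot uIndex, undoing HookSSDT.
 *
 * Returns FALSE without touching the table when uOldAddr is 0 (nothing was
 * ever recorded), the descriptor table is unavailable, or uIndex is at or
 * beyond NumberOfServices.
 *
 * The original tested `if (uOldAddr = 0)`: the assignment made the guard
 * always false, then 0 was stored into the slot, so the next NtCreateFile
 * call jumped to address 0 and bugchecked.
 *
 * Same caveat as HookSSDT: the slot must already be writable.
 */
BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr)
{
    if (uOldAddr == 0)
    {
        return FALSE;
    }
    if (KeServiceDescriptorTable == NULL ||
        KeServiceDescriptorTable->ServiceTableBase == NULL ||
        uIndex >= KeServiceDescriptorTable->NumberOfServices)
    {
        return FALSE;
    }
    PULONG pSlot = (PULONG)KeServiceDescriptorTable->ServiceTableBase + uIndex;
    *pSlot = uOldAddr;
    return TRUE;
}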
//SSDTHOOK.h
#pragma once
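/* Pull the kernel headers in with C linkage when compiled as C++.
   The original read `exern "C"` with no opening brace, so the closing `}`
   below had nothing to match and the header did not compile as C++. */
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <string.h>
#ifdef __cplusplus
}
#endif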
/*
 * Layout of a service descriptor table entry as this hooking code expects it.
 * NOTE(review): the kernel does not publish this structure; the field offsets
 * are assumed to match the 32-bit KeServiceDescriptorTable layout -- confirm
 * against the target build before trusting them.
 */
typedef struct _SDT_ENTRY
{
PVOID *ServiceTableBase; // table of system-service entry points, indexed by service number (4-byte slots on x86)
PULONG ServiceCounterTableBase; //Used only in checked build
ULONG NumberOfServices; // number of slots in ServiceTableBase (presumably; nothing here reads it)
PUCHAR ParamTableBase; // per-service argument sizes (assumed from the name; unused here)
} SDT_ENTRY, *PSDT_ENTRY;
// Declared as a pointer and dereferenced by the hooking code.
// NOTE(review): ntoskrnl exports the table itself, not a pointer to it; this
// only works if the symbol resolves to the import slot holding the table's
// address -- confirm how it links (a data import without __declspec(dllimport)).
EXTERN_C SDT_ENTRY *KeServiceDescriptorTable;
// Read the entry-point address in SSDT slot uIndex (DriverEntry treats 0 as "no entry").
ULONG GetSSDTAddr(ULONG uIndex);
// Replace slot uIndex with uNewAddr; the previous value is returned via puOldAddr.
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);
// Write uOldAddr back into slot uIndex.
BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr);