//rlTenD.cpp
#include <ntddk.h>
#include "SSDTHOOK.h"
#include "rlTenD.h"
// Value that was in SSDT slot 0x42 before the hook went in; HookSSDT() stores
// it here via the out-parameter and it is what UnloadDriver should write back.
ULONG g_uOldNtCreateFileAddr = 0;
// The original NtCreateFile, read from the table in DriverEntry and called by
// rlNtCreateFile() for every request that is not blocked.
PFNNTCREATEFILE g_pfnNtCreateFile = NULL;
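// Driver entry point: registers the unload routine and replaces SSDT slot
// 0x42 with rlNtCreateFile.
//
// 0x42 is NtCreateFile's service index only on the particular 32-bit Windows
// build this was written against; SSDT indices are not stable across OS
// versions, so the index must be checked against the target kernel before
// loading (a wrong index hooks an unrelated system service).
//
// pDriver: driver object supplied by the I/O manager.
// str:     registry path of the service key (unused).
// Returns STATUS_SUCCESS even when the hook could not be installed; the
// failure is only logged, which keeps the original's loading behaviour.
//
// NOTE(review): in a .cpp file DriverEntry must have C linkage for the
// loader to find it; that is satisfied only if the WDK header already
// declares it inside extern "C" - otherwise prefix the definition with
// extern "C".
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
    UNREFERENCED_PARAMETER(str);

    pDriver->DriverUnload = UnloadDriver;
    DbgPrint("Loading MyDriver...\r");

    ULONG uAddr = GetSSDTAddr(0x42);
    if (uAddr)
    {
        // Publish the original first: once the table write lands, another
        // thread can enter rlNtCreateFile immediately and must never find
        // g_pfnNtCreateFile NULL.
        g_pfnNtCreateFile = (PFNNTCREATEFILE)uAddr;

        // The original discarded HookSSDT's result; log it so an unhooked
        // driver is not mistaken for a working one.
        if (HookSSDT(0x42, (ULONG)rlNtCreateFile, &g_uOldNtCreateFileAddr))
        {
            KdPrint(("NtCreateFile: 0x%08x\r", uAddr));
        }
        else
        {
            KdPrint(("HookSSDT failed for index 0x42\r"));
        }
    }
    return STATUS_SUCCESS;
}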
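// Unload routine: writes the saved NtCreateFile address back into SSDT slot
// 0x42.
//
// The original passed g_pfnNtCreateFile (a function pointer) where UnHookSSDT
// takes the ULONG that HookSSDT saved; besides the type mismatch, the two
// halves of the hook should agree on the value that goes back into the table,
// so the saved ULONG is used. A zero value means the hook was never installed
// and the table is left alone.
//
// NOTE(review): nothing here waits for threads that were dispatched into
// rlNtCreateFile before the slot was restored; they may still be running in
// this image when it is unmapped. A call-count around rlNtCreateFile and a
// wait here (or simply never unloading) is needed before unload is safe.
void UnloadDriver(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);

    if (g_uOldNtCreateFileAddr != 0)
    {
        UnHookSSDT(0x42, g_uOldNtCreateFileAddr);
    }
    DbgPrint("unLoading MyDriver...\r");
}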
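// Bounded substring search over a UNICODE_STRING.
//
// UNICODE_STRING.Buffer is not NUL-terminated (Length is a byte count), so the
// wcsstr() the original used could read past the end of the caller's buffer;
// this never touches more than Length bytes. The match is case-sensitive, as
// in the original.
//
// pName:     string to search. Buffer may be user memory, so call this inside
//            __try after ProbeForRead.
// pszNeedle: NUL-terminated pattern.
// Returns TRUE if pszNeedle occurs anywhere in pName.
static BOOLEAN rlNameContains(PCUNICODE_STRING pName, PCWSTR pszNeedle)
{
    size_t cchName = pName->Length / sizeof(WCHAR);
    size_t cchNeedle = wcslen(pszNeedle);
    if (cchNeedle == 0 || cchName < cchNeedle)
    {
        return FALSE;
    }
    for (size_t i = 0; i + cchNeedle <= cchName; i++)
    {
        if (wcsncmp(pName->Buffer + i, pszNeedle, cchNeedle) == 0)
        {
            return TRUE;
        }
    }
    return FALSE;
}

// Replacement NtCreateFile installed in the SSDT by DriverEntry. Denies any
// create/open whose object name contains "1.txt" and forwards everything else
// to the original NtCreateFile saved in g_pfnNtCreateFile.
//
// Parameters are exactly NtCreateFile's. ObjectAttributes, its ObjectName and
// the name buffer all come from the caller; for a user-mode caller they are
// user memory. The original dereferenced them with no probe, no exception
// handler and without honouring ObjectName->Length, so any process could
// crash the kernel with an unmapped or unterminated buffer. Each pointer is
// now probed (user callers only), copied to a local so it cannot change
// between the probe and the scan, and read under __try.
//
// Returns STATUS_UNSUCCESSFUL for a blocked name (kept from the original;
// STATUS_ACCESS_DENIED would be the conventional code), the exception status
// (normally STATUS_ACCESS_VIOLATION) if the caller's pointers are invalid,
// otherwise whatever the original NtCreateFile returns.
//
// NOTE(review): the check is best-effort. The name is read here and read again
// by the real NtCreateFile, so a second user thread can change the buffer
// between the two reads, and "1.TXT" passes because the match is
// case-sensitive while file-system name lookups generally are not.
NTSTATUS rlNtCreateFile(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_ PVOID EaBuffer,
_In_ ULONG EaLength
)
{
    if (ObjectAttributes != NULL)
    {
        __try
        {
            BOOLEAN bUser = (ExGetPreviousMode() == UserMode);
            if (bUser)
            {
                ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG));
            }
            PUNICODE_STRING pName = ObjectAttributes->ObjectName;
            if (pName != NULL)
            {
                if (bUser)
                {
                    ProbeForRead(pName, sizeof(UNICODE_STRING), sizeof(ULONG));
                }
                // Private copy: Length and Buffer are fixed from here on even
                // if the caller rewrites its UNICODE_STRING concurrently.
                UNICODE_STRING name = *pName;
                if (name.Buffer != NULL && name.Length != 0)
                {
                    if (bUser)
                    {
                        ProbeForRead(name.Buffer, name.Length, sizeof(WCHAR));
                    }
                    if (rlNameContains(&name, L"1.txt"))
                    {
                        KdPrint(("NtCreateFile: %wZ\r", &name));
                        return STATUS_UNSUCCESSFUL;
                    }
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            // Invalid caller memory: fail the call the way the native service
            // would instead of taking the kernel down.
            return GetExceptionCode();
        }
    }
    return g_pfnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
        AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}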
//rlTenD.h
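#pragma once
// rlTenD.h - declarations shared by rlTenD.cpp.
//
// Not self-contained: PDRIVER_OBJECT, ACCESS_MASK, NTSTATUS and the SAL
// annotations come from <ntddk.h>, which must be included before this header
// (rlTenD.cpp does so). The #pragma once matches SSDTHOOK.h and protects
// against double inclusion, which the original lacked.
//
// NOTE(review): the kernel dispatches system services with the NTAPI
// (__stdcall) convention on x86. rlNtCreateFile and PFNNTCREATEFILE carry no
// explicit convention, so this is correct only when the project's default
// calling convention is __stdcall (as WDK x86 driver builds set); otherwise
// both declarations, and the definition, need NTAPI.

// Unload routine registered in DriverEntry; restores the hooked SSDT slot.
void UnloadDriver(PDRIVER_OBJECT pDriver);

// SSDT replacement for NtCreateFile; same signature as the native service.
NTSTATUS rlNtCreateFile(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_ PVOID EaBuffer,
_In_ ULONG EaLength
);

// Pointer type used to call the original NtCreateFile from the hook.
typedef NTSTATUS (*PFNNTCREATEFILE)(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_ PVOID EaBuffer,
_In_ ULONG EaLength
);

// Redeclared for convenience; the definitions live in SSDTHOOK.cpp and the
// primary declarations in SSDTHOOK.h.
void DisableWP();
void EnableWP();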
//SSDTHOOK.cpp
#include "SSDTHOOK.h"
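// Read the dispatch address stored in SSDT slot uIndex.
//
// Returns 0 when the table pointer is unavailable or uIndex is not below
// NumberOfServices. The original indexed the table unconditionally, so an
// index that is wrong for the running OS version read (and, through
// HookSSDT, wrote) past the end of the table.
//
// Entries are treated as absolute 32-bit pointers, which is what this
// x86-only code assumes throughout (ULONG addresses, MSVC inline asm).
ULONG GetSSDTAddr(ULONG uIndex)
{
    if (KeServiceDescriptorTable == NULL ||
        KeServiceDescriptorTable->ServiceTableBase == NULL ||
        uIndex >= KeServiceDescriptorTable->NumberOfServices)
    {
        return 0;
    }
    return (ULONG)KeServiceDescriptorTable->ServiceTableBase[uIndex];
}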
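// Replace SSDT slot uIndex with uNewAddr and save the previous value in
// *puOldAddr.
//
// Returns FALSE, leaving the table untouched, if uNewAddr is 0, puOldAddr is
// NULL, the table pointer is unavailable or uIndex is not below
// NumberOfServices.
//
// Fixes vs. the original: `void DisableWP();` and `void EnableWP();` were
// function *declarations*, not calls, so CR0.WP was never cleared and the
// store went to a write-protected page; the slot was also written with no
// bounds check. The swap is done with InterlockedExchange so a CPU dispatching
// through the table concurrently sees either the old or the new pointer.
BOOLEAN HookSSDT(ULONG uIndex,ULONG uNewAddr,PULONG puOldAddr)
{
    if (uNewAddr == 0 || puOldAddr == NULL)
    {
        return FALSE;
    }
    if (KeServiceDescriptorTable == NULL ||
        KeServiceDescriptorTable->ServiceTableBase == NULL ||
        uIndex >= KeServiceDescriptorTable->NumberOfServices)
    {
        return FALSE;
    }

    PLONG pSlot = (PLONG)&KeServiceDescriptorTable->ServiceTableBase[uIndex];
    DisableWP();
    *puOldAddr = (ULONG)InterlockedExchange(pSlot, (LONG)uNewAddr);
    EnableWP();
    return TRUE;
}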
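// Write uOldAddr back into SSDT slot uIndex.
//
// Returns FALSE, leaving the table untouched, if uOldAddr is 0, the table
// pointer is unavailable or uIndex is not below NumberOfServices.
//
// Fixes vs. the original: `if (uOldAddr = 0)` assigned instead of comparing,
// so the guard never fired and 0 was stored into the table - the next call of
// that service jumped to address 0. As in HookSSDT, `void DisableWP();` /
// `void EnableWP();` were declarations rather than calls, so the write hit a
// write-protected page, and there was no bounds check on uIndex.
BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr)
{
    if (uOldAddr == 0)
    {
        return FALSE;
    }
    if (KeServiceDescriptorTable == NULL ||
        KeServiceDescriptorTable->ServiceTableBase == NULL ||
        uIndex >= KeServiceDescriptorTable->NumberOfServices)
    {
        return FALSE;
    }

    PLONG pSlot = (PLONG)&KeServiceDescriptorTable->ServiceTableBase[uIndex];
    DisableWP();
    InterlockedExchange(pSlot, (LONG)uOldAddr);
    EnableWP();
    return TRUE;
}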
// Clear CR0.WP (bit 16, hence the 0xfffeffff mask) on the current CPU so the
// following store to the service table does not fault on a write-protected
// page. Interrupts are turned off with `cli` and are only turned back on by
// the `sti` in EnableWP(); any path that leaves between the two (an exception,
// an early return) strands this CPU with interrupts disabled.
//
// NOTE(review): `cli` does not raise IRQL and affects this processor only, so
// it does nothing to stop another CPU from dispatching through the table while
// it is being edited. This is MSVC x86-32 inline assembly; there is no x64
// equivalent (MSVC x64 has no inline asm, and the table format differs).
void DisableWP()
{
__asm
{
cli
push eax
mov eax,cr0
and eax,0xfffeffff
mov cr0,eax
pop eax
}
}
// Set CR0.WP (bit 16, the 0x10000 mask) again and re-enable interrupts; the
// counterpart of DisableWP() and must run on the same CPU, which holds only
// because DisableWP()'s `cli` keeps that CPU from being rescheduled in
// between.
//
// NOTE(review): `sti` enables interrupts unconditionally, even if they were
// already off when DisableWP() ran; a pushfd/popfd pair around the CR0 edit
// would preserve the caller's interrupt state instead.
void EnableWP()
{
__asm
{
push eax
mov eax,cr0
or eax,0x10000
mov cr0,eax
pop eax
sti
}
}
//SSDTHOOK.h
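#pragma once
// SSDTHOOK.h - SSDT read/patch helpers for a 32-bit x86 kernel driver.
//
// The original wrapper read `exern "C"` with no opening brace and a stray
// `};` closer, which does not compile; it is now a proper
// extern "C" { ... } block around the system headers for C++ translation
// units. The WDK headers are expected to carry their own C-linkage guards,
// in which case this wrapper is redundant but harmless.
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <string.h>
#ifdef __cplusplus
}
#endif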
// Layout of a service descriptor table entry as this driver expects it on
// 32-bit Windows. GetSSDTAddr/HookSSDT/UnHookSSDT index ServiceTableBase
// through this definition, so field order and sizes must match the running
// kernel's structure exactly; a mismatch means reading or patching the wrong
// memory.
typedef struct _SDT_ENTRY
{
PVOID *ServiceTableBase; // array of dispatch pointers, one per service index
PULONG ServiceCounterTableBase; //Used only in checked build
ULONG NumberOfServices; // number of slots in ServiceTableBase
PUCHAR ParamTableBase; // per-service argument byte counts
} SDT_ENTRY, *PSDT_ENTRY;
// Pointer to the kernel's service descriptor table, resolved against the
// symbol the 32-bit kernel exports. Together with the MSVC inline asm in
// DisableWP/EnableWP this ties the code to x86-32 builds.
EXTERN_C SDT_ENTRY *KeServiceDescriptorTable;
// Read the address stored in SSDT slot uIndex.
ULONG GetSSDTAddr(ULONG uIndex);
// Store uNewAddr in slot uIndex, saving the previous value in *puOldAddr.
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);
// Put uOldAddr back into slot uIndex.
BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr);
// Clear / restore CR0.WP around a write to the table (see SSDTHOOK.cpp for
// the interrupt-state caveats).
void DisableWP();
void EnableWP();