//Ring0恢复SSDTShadow主要源码 By VirusWizard
//主要思路和恢复SSDT是一样的。不多说了
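/*
 * GetOrigShadowTable - capture the on-disk copy of the win32k shadow service
 * table (KeServiceDescriptorTableShadow[1]) so the live table can later be
 * compared against it or restored from it.
 *
 * Opens \SystemRoot\System32\win32k.sys read-only, converts the RVA of the
 * in-memory table (relative to g_pWin32kBase) into a raw file offset with
 * RvaToOffset(), and reads Limit ULONG entries at that offset into the global
 * g_pOrigSSDTShadow (PagedPool, allocated here).
 *
 * Returns STATUS_SUCCESS only when the complete table was read. On every
 * failure path the pool buffer is released and g_pOrigSSDTShadow is reset to
 * NULL, so callers can rely on "success <=> g_pOrigSSDTShadow is valid".
 *
 * Preconditions: KeServiceDescriptorTableShadow and g_pWin32kBase must already
 * be resolved; 32-bit (x86) kernel, since pointers are truncated to ULONG for
 * the RVA computation.
 *
 * NOTE(review): Limit + 1 entries are allocated but Limit entries are read,
 * as in the original; which of the two is the true entry count depends on the
 * KSERVICE_TABLE_DESCRIPTOR definition this file uses - confirm.
 */
NTSTATUS GetOrigShadowTable(
)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    HANDLE hFile = NULL;
    OBJECT_ATTRIBUTES ObjAttr = {0};
    UNICODE_STRING ustrWin32k = {0};
    IO_STATUS_BLOCK ioStatus = {0};
    ULONG ulOffsetOfShadow = 0;
    ULONG cbTable = 0;
    PIMAGE_NT_HEADERS pNtHdr = NULL;
    LARGE_INTEGER Offset = {0};
    ULONG i = 0;

    if (!KeServiceDescriptorTableShadow || !g_pWin32kBase)
    {
        dprintf("[GetOrigShadowTable] Shadow table or win32k base not resolved.\n");
        return STATUS_UNSUCCESSFUL;
    }

    cbTable = KeServiceDescriptorTableShadow[1].Limit * sizeof(ULONG);
    dprintf("CountOfSSDTShadow : %d\n", KeServiceDescriptorTableShadow[1].Limit + 1);

    /* ExAllocatePoolWithTag would make this buffer attributable in pool
     * forensics; ExAllocatePool is kept to match the rest of the file. */
    g_pOrigSSDTShadow = ExAllocatePool(
        PagedPool,
        (KeServiceDescriptorTableShadow[1].Limit + 1) * sizeof(ULONG));
    if (!g_pOrigSSDTShadow)
    {
        dprintf("[GetOrigShadowTable] AllocateMemory Error.\n");
        return STATUS_UNSUCCESSFUL;
    }

    RtlInitUnicodeString(&ustrWin32k, L"\\SystemRoot\\System32\\win32k.sys");
    dprintf("ustrWin32k : %S.\n", ustrWin32k.Buffer);

    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process' handle
     * table so user mode cannot reach it; read-only, shared-read access is
     * all this routine needs. */
    InitializeObjectAttributes(
        &ObjAttr,
        &ustrWin32k,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
        );
    status = ZwCreateFile(
        &hFile,
        GENERIC_READ,
        &ObjAttr,
        &ioStatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
        );
    if (!NT_SUCCESS(status))
    {
        dprintf("ZwCreateFile Error.status = 0x%08X.\n", status);
        goto __exit;
    }

    /* Translate the table's RVA into a raw file offset. A NULL header or a
     * zero offset means the RVA could not be mapped; the original fell
     * through here and returned the ZwCreateFile success status with an
     * unread buffer, so force an error status instead. */
    pNtHdr = RtlImageNtHeader(g_pWin32kBase);
    if (!pNtHdr)
    {
        dprintf("[GetOrigShadowTable] RtlImageNtHeader failed.\n");
        status = STATUS_UNSUCCESSFUL;
        goto __exit;
    }
    ulOffsetOfShadow = RvaToOffset(pNtHdr,
        (ULONG)KeServiceDescriptorTableShadow[1].Base - (ULONG)g_pWin32kBase);
    dprintf("ulOffsetOfSSDT : 0x%08X.\n", ulOffsetOfShadow);
    if (!ulOffsetOfShadow)
    {
        status = STATUS_UNSUCCESSFUL;
        goto __exit;
    }

    Offset.LowPart = ulOffsetOfShadow;
    Offset.HighPart = 0;
    status = ZwReadFile(
        hFile,
        NULL,
        NULL,
        NULL,
        &ioStatus,
        g_pOrigSSDTShadow,
        cbTable,
        &Offset,
        NULL
        );
    if (!NT_SUCCESS(status))
    {
        dprintf("ZwReadFile Error.status = 0x%08X.\n", status);
        goto __exit;
    }
    /* The handle was opened FILE_SYNCHRONOUS_IO_NONALERT, so on return
     * ioStatus.Information is the byte count actually transferred; a short
     * read would leave uninitialised pool in the tail of the table and must
     * not be accepted as a valid snapshot. */
    if (ioStatus.Information != cbTable)
    {
        dprintf("ZwReadFile short read: %u of %u bytes.\n",
            (ULONG)ioStatus.Information, cbTable);
        status = STATUS_UNSUCCESSFUL;
        goto __exit;
    }

    dprintf("ReadOrigShadowSuccess.\n");
    for (i = 0; i < KeServiceDescriptorTableShadow[1].Limit; i++)
    {
        /* The original passed the buffer pointer itself here, printing the
         * same value for every index; index into the table instead. */
        dprintf("Index : 0x%03X,ShadowRoutineAddr : 0x%08X\n",
            i, ((ULONG *)g_pOrigSSDTShadow)[i]);
    }

__exit:
    if (hFile)
    {
        ZwClose(hFile);
    }
    /* Never leave a half-filled table behind a failure status. */
    if (!NT_SUCCESS(status) && g_pOrigSSDTShadow)
    {
        ExFreePool(g_pOrigSSDTShadow);
        g_pOrigSSDTShadow = NULL;
    }
    return status;
}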
//主要思路和恢复SSDT是一样的。不多说了
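/*
 * GetOrigShadowTable - capture the on-disk copy of the win32k shadow service
 * table (KeServiceDescriptorTableShadow[1]) so the live table can later be
 * compared against it or restored from it.
 *
 * Opens \SystemRoot\System32\win32k.sys read-only, converts the RVA of the
 * in-memory table (relative to g_pWin32kBase) into a raw file offset with
 * RvaToOffset(), and reads Limit ULONG entries at that offset into the global
 * g_pOrigSSDTShadow (PagedPool, allocated here).
 *
 * Returns STATUS_SUCCESS only when the complete table was read. On every
 * failure path the pool buffer is released and g_pOrigSSDTShadow is reset to
 * NULL, so callers can rely on "success <=> g_pOrigSSDTShadow is valid".
 *
 * Preconditions: KeServiceDescriptorTableShadow and g_pWin32kBase must already
 * be resolved; 32-bit (x86) kernel, since pointers are truncated to ULONG for
 * the RVA computation.
 *
 * NOTE(review): Limit + 1 entries are allocated but Limit entries are read,
 * as in the original; which of the two is the true entry count depends on the
 * KSERVICE_TABLE_DESCRIPTOR definition this file uses - confirm.
 */
NTSTATUS GetOrigShadowTable(
)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    HANDLE hFile = NULL;
    OBJECT_ATTRIBUTES ObjAttr = {0};
    UNICODE_STRING ustrWin32k = {0};
    IO_STATUS_BLOCK ioStatus = {0};
    ULONG ulOffsetOfShadow = 0;
    ULONG cbTable = 0;
    PIMAGE_NT_HEADERS pNtHdr = NULL;
    LARGE_INTEGER Offset = {0};
    ULONG i = 0;

    if (!KeServiceDescriptorTableShadow || !g_pWin32kBase)
    {
        dprintf("[GetOrigShadowTable] Shadow table or win32k base not resolved.\n");
        return STATUS_UNSUCCESSFUL;
    }

    cbTable = KeServiceDescriptorTableShadow[1].Limit * sizeof(ULONG);
    dprintf("CountOfSSDTShadow : %d\n", KeServiceDescriptorTableShadow[1].Limit + 1);

    /* ExAllocatePoolWithTag would make this buffer attributable in pool
     * forensics; ExAllocatePool is kept to match the rest of the file. */
    g_pOrigSSDTShadow = ExAllocatePool(
        PagedPool,
        (KeServiceDescriptorTableShadow[1].Limit + 1) * sizeof(ULONG));
    if (!g_pOrigSSDTShadow)
    {
        dprintf("[GetOrigShadowTable] AllocateMemory Error.\n");
        return STATUS_UNSUCCESSFUL;
    }

    RtlInitUnicodeString(&ustrWin32k, L"\\SystemRoot\\System32\\win32k.sys");
    dprintf("ustrWin32k : %S.\n", ustrWin32k.Buffer);

    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process' handle
     * table so user mode cannot reach it; read-only, shared-read access is
     * all this routine needs. */
    InitializeObjectAttributes(
        &ObjAttr,
        &ustrWin32k,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
        );
    status = ZwCreateFile(
        &hFile,
        GENERIC_READ,
        &ObjAttr,
        &ioStatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
        );
    if (!NT_SUCCESS(status))
    {
        dprintf("ZwCreateFile Error.status = 0x%08X.\n", status);
        goto __exit;
    }

    /* Translate the table's RVA into a raw file offset. A NULL header or a
     * zero offset means the RVA could not be mapped; the original fell
     * through here and returned the ZwCreateFile success status with an
     * unread buffer, so force an error status instead. */
    pNtHdr = RtlImageNtHeader(g_pWin32kBase);
    if (!pNtHdr)
    {
        dprintf("[GetOrigShadowTable] RtlImageNtHeader failed.\n");
        status = STATUS_UNSUCCESSFUL;
        goto __exit;
    }
    ulOffsetOfShadow = RvaToOffset(pNtHdr,
        (ULONG)KeServiceDescriptorTableShadow[1].Base - (ULONG)g_pWin32kBase);
    dprintf("ulOffsetOfSSDT : 0x%08X.\n", ulOffsetOfShadow);
    if (!ulOffsetOfShadow)
    {
        status = STATUS_UNSUCCESSFUL;
        goto __exit;
    }

    Offset.LowPart = ulOffsetOfShadow;
    Offset.HighPart = 0;
    status = ZwReadFile(
        hFile,
        NULL,
        NULL,
        NULL,
        &ioStatus,
        g_pOrigSSDTShadow,
        cbTable,
        &Offset,
        NULL
        );
    if (!NT_SUCCESS(status))
    {
        dprintf("ZwReadFile Error.status = 0x%08X.\n", status);
        goto __exit;
    }
    /* The handle was opened FILE_SYNCHRONOUS_IO_NONALERT, so on return
     * ioStatus.Information is the byte count actually transferred; a short
     * read would leave uninitialised pool in the tail of the table and must
     * not be accepted as a valid snapshot. */
    if (ioStatus.Information != cbTable)
    {
        dprintf("ZwReadFile short read: %u of %u bytes.\n",
            (ULONG)ioStatus.Information, cbTable);
        status = STATUS_UNSUCCESSFUL;
        goto __exit;
    }

    dprintf("ReadOrigShadowSuccess.\n");
    for (i = 0; i < KeServiceDescriptorTableShadow[1].Limit; i++)
    {
        /* The original passed the buffer pointer itself here, printing the
         * same value for every index; index into the table instead. */
        dprintf("Index : 0x%03X,ShadowRoutineAddr : 0x%08X\n",
            i, ((ULONG *)g_pOrigSSDTShadow)[i]);
    }

__exit:
    if (hFile)
    {
        ZwClose(hFile);
    }
    /* Never leave a half-filled table behind a failure status. */
    if (!NT_SUCCESS(status) && g_pOrigSSDTShadow)
    {
        ExFreePool(g_pOrigSSDTShadow);
        g_pOrigSSDTShadow = NULL;
    }
    return status;
}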