#include <ntddk.h> #include <ntifs.h>#include <windef.h>ULONG g_KiInsertQueueApc;ULONG g_uCr0; BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };BYTE g_OrigCode[5] = { 0 }; // Ô­º¯&E ...
#include <ntddk.h>
#include <ntifs.h>
#include <windef.h>
ULONG g_KiInsertQueueApc;
ULONG g_uCr0;
BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };
BYTE g_OrigCode[5] = { 0 }; // Ô­º¯ÊýµÄÇ°×Ö½ÚÄÚÈÝ
BYTE jmp_orig_code[7] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00 }; //ÒòΪÊdz¤×ªÒÆ£¬ËùÒÔÓиö 0x08
BOOL g_bHooked = FALSE;
VOID
fake_KiInsertQueueApc (
PKAPC Apc,
KPRIORITY Increment
);
VOID
Proxy_KiInsertQueueApc (
PKAPC Apc,
KPRIORITY Increment
);
void WPOFF()
{
ULONG uAttr;
_asm
{
push eax;
mov eax, cr0;
mov uAttr, eax;
and eax, 0FFFEFFFFh; // CR0 16 BIT = 0
mov cr0, eax;
pop eax;
cli
};
g_uCr0 = uAttr; //±£´æÔ­ÓÐµÄ CRO ŒÙÐÔ
}
VOID WPON()
{
_asm
{
sti
push eax;
mov eax, g_uCr0; //»ÖÍÔ­ÓÐ CR0 ŒÙÐÔ
mov cr0, eax;
pop eax;
};
}
//
// ֹͣinline hook
//
VOID UnHookKiInsertQueueApc ()
{
KIRQL oldIrql;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory ( (BYTE*)g_KiInsertQueueApc, g_OrigCode, 5 );
KeLowerIrql(oldIrql);
WPON();
g_bHooked = FALSE;
}
//
// ¿ªÊ¼inline hook -- KiInsertQueueApc
//
VOID HookKiInsertQueueApc ()
{
KIRQL oldIrql;
if (g_KiInsertQueueApc == 0) {
DbgPrint("KiInsertQueueApc == NULL/n");
return;
}
//DbgPrint("¿ªÊ¼inline hook -- KiInsertQueueApc/n");
DbgPrint( "KiInsertQueueApcµÄµØÖ·t0x%08x/n", (ULONG)g_KiInsertQueueApc );
// ±£´æÔ­º¯ÊýµÄÇ°×Ö½ÚÄÚÈÝ
RtlCopyMemory (g_OrigCode, (BYTE*)g_KiInsertQueueApc, 5);//¡ï
*( (ULONG*)(g_HookCode + 1) ) = (ULONG)fake_KiInsertQueueApc - (ULONG)g_KiInsertQueueApc - 5;//¡ï
// ½ûֹϵͳд±£»¤£¬ÌáÉýIRQLµ½DPC
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory ( (BYTE*)g_KiInsertQueueApc, g_HookCode, 5 );
*( (ULONG*)(jmp_orig_code + 1) ) = (ULONG) ( (BYTE*)g_KiInsertQueueApc + 5 );//¡ï
RtlCopyMemory ( (BYTE*)Proxy_KiInsertQueueApc, g_OrigCode, 5);//ÐÞ¸ÄProxy_KiInsertQueueApcº¯ÊýÍ·
RtlCopyMemory ( (BYTE*)Proxy_KiInsertQueueApc + 5, jmp_orig_code, 7);
// »Ö¸´Ð´±£»¤£¬½µµÍIRQL
KeLowerIrql(oldIrql);
WPON();
g_bHooked = TRUE;
}
//
// Ìøתµ½ÎÒÃǵĺ¯ÊýÀïÃæ½øÐÐÔ¤´¦Àí
//
__declspec (naked)
VOID
fake_KiInsertQueueApc (
PKAPC Apc,
KPRIORITY Increment
)
{
// È¥µôDbgPrint,²»È»Õâ¸öhook»á²úÉúµÝ¹é
//DbgPrint("inline hook -- KiInsertQueueApc ³É¹¦/n");
__asm
{
jmp Proxy_KiInsertQueueApc //¡ïÔÚÕâһϵÁÐJMPÖУ¬Ã»ÓÐÒ»´¦Ê¹ÓÃCALL£¬¼ò»¯ÁË´úÂ룬ÔöÇ¿ÁËÎȶ¨ÐÔ
}
}
//
// ´úÀíº¯Êý£¬¸ºÔðÌøתµ½Ô­º¯ÊýÖмÌÐøÖ´ÐÐ
//
__declspec (naked)
VOID
Proxy_KiInsertQueueApc (
PKAPC Apc,
KPRIORITY Increment
)
{
__asm { // ¹²×Ö½Ú
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90 // Ç°×Ö½ÚʵÏÖÔ­º¯ÊýµÄÍ·×Ö½Ú¹¦ÄÜ
_emit 0x90 // Õâ¸öÌî³äjmp
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90 // Õâ×Ö½Ú±£´æÔ­º¯Êý+5´¦µÄµØÖ·
_emit 0x90
_emit 0x90 // ÒòΪÊdz¤×ªÒÆ,ËùÒÔ±ØÐëÊÇ0x0080
}
}
ULONG GetFunctionAddr( IN PCWSTR FunctionName)
{
UNICODE_STRING UniCodeFunctionName;
RtlInitUnicodeString( &UniCodeFunctionName, FunctionName );
return (ULONG)MmGetSystemRoutineAddress( &UniCodeFunctionName );
}
//¸ù¾ÝÌØÕ÷Öµ£¬´ÓKeInsertQueueApcËÑË÷ÖÐËÑË÷KiInsertQueueApc
ULONG FindKiInsertQueueApcAddress()
{
char * Addr_KeInsertQueueApc = 0;
int i = 0;
char Findcode[] = { 0xE8, 0xcc, 0x29, 0x00, 0x00 };
ULONG Addr_KiInsertQueueApc = 0;
Addr_KeInsertQueueApc = (char *) GetFunctionAddr(L"KeInsertQueueApc");
for(i = 0; i < 100; i ++)
{
if( Addr_KeInsertQueueApc[i] == Findcode[0] &&
Addr_KeInsertQueueApc[i + 1] == Findcode[1] &&
Addr_KeInsertQueueApc[i + 2] == Findcode[2] &&
Addr_KeInsertQueueApc[i + 3] == Findcode[3] &&
Addr_KeInsertQueueApc[i + 4] == Findcode[4]
)
{
Addr_KiInsertQueueApc = (ULONG)&Addr_KeInsertQueueApc[i] + 0x29cc + 5;
break;
}
}
return Addr_KiInsertQueueApc;
}
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
DbgPrint("My Driver Unloaded!");
UnHookKiInsertQueueApc();
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
DbgPrint("My Driver Loaded!");
theDriverObject->DriverUnload = OnUnload;
g_KiInsertQueueApc = FindKiInsertQueueApcAddress();
HookKiInsertQueueApc();
return STATUS_SUCCESS;
}
扫一扫
8288
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
