hook zwcreateprocessex


extern "C"
{
#include <ntddk.h>
}

//#define dprintf if (DBG) DbgPrint
// Debug output: the DBG-gated variant above is disabled, so dprintf always
// reaches DbgPrint, including in release builds.
#define dprintf DbgPrint

// Win32-style integer aliases for this kernel module. Note BOOL is defined as
// unsigned long here (user-mode windows.h defines it as int); none of these
// four aliases is referenced elsewhere in this listing.
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
#define BYTE unsigned char

extern "C"
{
// Kernel exports used by this module, prototyped by hand rather than taken
// from a header. PsGetProcessImageFileName is printed with %s in the hook
// (a C string naming the current process); PsLookupProcessByProcessId is
// declared but only referenced from commented-out code in this listing.
NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
        PEPROCESS Process
        );

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
       IN PVOID        ProcessId,
       OUT PEPROCESS   *Process
       );


NTKERNELAPI
HANDLE
PsGetProcessId(
      PEPROCESS Process
      );

// Prototype of the system service being hooked; the replacement
// New_ZwCreateProcessEx below mirrors this signature exactly.
NTKERNELAPI NTSTATUS ZwCreateProcessEx(
            PHANDLE ProcessHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes,
            HANDLE ParentProcess,
            ULONG Flags,
            HANDLE SectionHandle,
            HANDLE DebugPort,
            HANDLE ExceptionPort,
            ULONG JobMemberLevel
            );

// Layout of a system service descriptor table (SSDT) entry;
// KeServiceDescriptorTable is the kernel's exported instance. ServiceTableBase
// is indexed by service number with 4-byte entries (see HOOK_SYSCALL and the
// NumberOfServices*4 in DriverEntry), which is a 32-bit-kernel assumption.
typedef struct ServiceDescriptorEntry {
 unsigned int *ServiceTableBase;
 unsigned int *ServiceCounterTableBase;
 unsigned int NumberOfServices;
 unsigned char *ParamTableBase;
} SSDT_Entry, *ServiceDescriptorTableEntry_t;
__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;
}

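// Hooking helpers and the writable view of the service table.
//
// HOOK_SYSCALL stores the current entry for _ServiceId in _Orig and swaps in
// _Hook atomically. UNHOOK_SYSCALL writes _Hook back into the slot and ignores
// _Orig, so callers pass the saved original address as the _Hook argument.
// Both assume LONG-sized (32-bit) table entries, matching SSDT_Entry above.
// The macro line continuations are backslashes; a '/' here breaks the build.
#define HOOK_SYSCALL(_ServiceId, _Hook, _Orig) \
    _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[_ServiceId], (LONG) _Hook)
#define UNHOOK_SYSCALL(_ServiceId, _Hook, _Orig) \
    InterlockedExchange((PLONG) &MappedSystemCallTable[_ServiceId], (LONG) _Hook)
#define SYSTEMSERVICE(_ServiceId) KeServiceDescriptorTable.ServiceTableBase[ _ServiceId ]
PMDL g_pmdlSystemCall;          // MDL over the service table, created in DriverEntry
PVOID *MappedSystemCallTable;   // writable mapping of the table obtained from that MDL; NULL until mapped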

// Forward declarations: driver entry point and the unload routine registered
// from DriverEntry via pDriverObj->DriverUnload.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);

// Service index of ZwCreateProcessEx. Hard-coded for the Windows build the
// author examined (read off with a tool, or found programmatically); the index
// differs between builds and an out-of-range or wrong value makes HOOK_SYSCALL
// overwrite an unrelated service entry, so it must be re-verified per target.
ULONG ServiceId_ZwCreateProcessEx=0x30;

// State shared between the hook and its helpers.
CHAR CreatingProcessImagePath[256]={0};// ANSI image path of the process being created; 256 is the length GetProcessImageName truncates to
HANDLE CreatorProcessId=NULL;// PID of the creating (parent) process
BOOLEAN CreateAllowed=TRUE;// flag: whether the creation is allowed; not read anywhere in this listing
BOOLEAN CreateIsProgressing=FALSE;// flag: a creation is being processed (meant to serialize against a later network delay); a plain BOOLEAN with no synchronization
KEVENT event ;// unused in this listing
char *output;// unused in this listing

// Function-pointer type matching ZwCreateProcessEx, used to call the original
// service from the hook.
typedef
NTSTATUS
(*pfnZwCreateProcessEx) (
       PHANDLE ProcessHandle,
       ACCESS_MASK DesiredAccess,
       POBJECT_ATTRIBUTES ObjectAttributes,
       HANDLE ParentProcess,
       ULONG Flags,
       HANDLE SectionHandle,
       HANDLE DebugPort,
       HANDLE ExceptionPort,
       ULONG JobMemberLevel
       );
// Saved address of the original service, kept twice: the untyped PVOID that
// HOOK_SYSCALL writes, and the typed pointer the hook calls through.
pfnZwCreateProcessEx Old_ZwCreateProcessEx=NULL;
PVOID      Old_ZwCreateProcessExAddr=NULL;

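// Resolves the image file behind a section handle to an ANSI path such as
// C:\WINDOWS\Explorer.exe.
//
// SectionHandle    - section handle passed to ZwCreateProcessEx. In the hook
//                    it originates from the user-mode caller and is untrusted.
// ProcessImageName - caller-supplied buffer of at least 256 bytes. Always
//                    NUL-terminated on return; empty on failure.
//
// Returns STATUS_SUCCESS when the path was produced, otherwise the NTSTATUS
// of the failing step. The path is <DOS volume name> + <FILE_OBJECT::FileName>.
//
// NOTE(review): the walk SECTION -> SEGMENT -> CONTROL_AREA -> FILE_OBJECT
// uses raw offsets (+5 ULONGs, +36 bytes) into undocumented 32-bit kernel
// structures. They are valid only for the build this was written against and
// read the wrong memory elsewhere. Because ObReferenceObjectByHandle is given
// no object type, a handle to any object type is accepted before that walk;
// TODO(review): restrict the lookup to section objects once the SDK
// declaration for the section object type is available to this file.
NTSTATUS GetProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
    PVOID SectionObject = NULL;
    PFILE_OBJECT FileObject = NULL;
    UNICODE_STRING FilePath = { 0 };
    UNICODE_STRING DosName = { 0 };
    STRING AnsiString = { 0 };
    NTSTATUS Status;

    *ProcessImageName = 0;

    // Use the caller's previous mode so a user-supplied handle is validated as
    // a user handle rather than being trusted as a kernel handle.
    Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, ExGetPreviousMode(), &SectionObject, NULL);
    if (!NT_SUCCESS(Status))
        return Status;

    FilePath.MaximumLength = 0x200;
    FilePath.Buffer = (PWSTR)ExAllocatePool(PagedPool, FilePath.MaximumLength);
    if (FilePath.Buffer == NULL) {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }

    FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // SEGMENT
    FileObject = *(PFILE_OBJECT *)FileObject;                    // CONTROL_AREA
    FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36);     // FILE_OBJECT
    Status = ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
    if (!NT_SUCCESS(Status)) {
        FileObject = NULL; // not referenced; must not be dereferenced in Cleanup
        goto Cleanup;
    }

    // DosName.Buffer is allocated by the kernel only on success; it is freed in Cleanup.
    Status = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
    if (!NT_SUCCESS(Status))
        goto Cleanup;

    RtlCopyUnicodeString(&FilePath, &DosName);
    Status = RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
    if (!NT_SUCCESS(Status))
        goto Cleanup;
    // %wZ prints the counted UNICODE_STRING; FileName.Buffer need not be NUL-terminated.
    KdPrint(("Current Process Full Path Name 000: %wZ\n", &FileObject->FileName));

    // TRUE: the ANSI buffer is allocated by the kernel and released with RtlFreeAnsiString.
    Status = RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
    if (!NT_SUCCESS(Status))
        goto Cleanup;

    // Truncate to the 256-byte contract of ProcessImageName.
    if (AnsiString.Length >= 256) {
        memcpy(ProcessImageName, AnsiString.Buffer, 255);
        ProcessImageName[255] = 0;
    } else {
        memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
        ProcessImageName[AnsiString.Length] = 0;
    }
    Status = STATUS_SUCCESS;

Cleanup:
    if (AnsiString.Buffer != NULL)
        RtlFreeAnsiString(&AnsiString);
    if (DosName.Buffer != NULL)
        ExFreePool(DosName.Buffer);
    if (FilePath.Buffer != NULL)
        ExFreePool(FilePath.Buffer);
    if (FileObject != NULL)
        ObDereferenceObject(FileObject);
    ObDereferenceObject(SectionObject);
    return Status;
}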

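// Experimental stub: references the FILE_OBJECT behind a section handle and
// releases it again without modifying anything. The rename logic the author
// had in comments was never enabled and is not part of this build; the
// function is itself only referenced from a commented-out call in the hook.
//
// SectionHandle    - section handle; untrusted when it comes from the hook.
// ProcessImageName - set to the empty string; never otherwise written.
//
// Returns STATUS_SUCCESS once the section could be referenced, otherwise the
// failure from ObReferenceObjectByHandle.
//
// Fixed: the previous version called RtlFreeUnicodeString on a UNICODE_STRING
// that RtlInitUnicodeString had pointed at a string literal, which passes
// non-pool memory to ExFreePool and bugchecks.
// NOTE(review): the offset walk below is the same undocumented, build-specific
// one used by GetProcessImageName and carries the same risks.
NTSTATUS ModifyProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
    PVOID SectionObject = NULL;
    PFILE_OBJECT FileObject = NULL;
    NTSTATUS Status;

    *ProcessImageName = 0;

    Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, ExGetPreviousMode(), &SectionObject, NULL);
    if (!NT_SUCCESS(Status))
        return Status;

    FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // SEGMENT
    FileObject = *(PFILE_OBJECT *)FileObject;                    // CONTROL_AREA
    FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36);     // FILE_OBJECT
    Status = ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
    if (NT_SUCCESS(Status))
        ObDereferenceObject(FileObject);

    ObDereferenceObject(SectionObject);
    return STATUS_SUCCESS;
}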
///

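// Replacement SSDT entry for ZwCreateProcessEx. Logs the image path of the
// process being created and the creating process, then forwards to the
// original service saved in Old_ZwCreateProcessEx. Returning
// STATUS_ACCESS_DENIED instead of forwarding would refuse the creation.
//
// Parameters mirror ZwCreateProcessEx. SectionHandle comes from the caller
// (user mode for a system call) and is untrusted; it is only handed to
// GetProcessImageName, which validates it with ObReferenceObjectByHandle.
//
// Returns STATUS_ACCESS_DENIED while another creation is being processed
// (CreateIsProgressing set), otherwise the original service's result.
//
// NOTE(review): CreateIsProgressing is a plain BOOLEAN tested and set without
// synchronization. Two creations racing through here can both pass the test,
// or one can be refused spuriously; the flag is a hint, not a lock.
NTSTATUS New_ZwCreateProcessEx (
        PHANDLE ProcessHandle,
        ACCESS_MASK DesiredAccess,
        POBJECT_ATTRIBUTES ObjectAttributes,
        HANDLE ParentProcess,
        ULONG Flags,
        HANDLE SectionHandle,
        HANDLE DebugPort,
        HANDLE ExceptionPort,
        ULONG JobMemberLevel
        )
{
    NTSTATUS Status;

    if (CreateIsProgressing)
        return STATUS_ACCESS_DENIED;
    CreateIsProgressing = TRUE;

    // On failure the path buffer is left empty, so the log line shows no path.
    Status = GetProcessImageName(SectionHandle, CreatingProcessImagePath);
    if (!NT_SUCCESS(Status))
        dprintf("GetProcessImageName failed: 0x%08X\n", Status);

    CreatorProcessId = PsGetProcessId(PsGetCurrentProcess());
    dprintf("调用了ZwCreateProcessEx函数. \n进程路径 = %s \n父进程 = %s \n", CreatingProcessImagePath, PsGetProcessImageFileName(PsGetCurrentProcess()));
    // HANDLE is pointer-sized; cast explicitly so the format specifier matches.
    dprintf("父进程Pid = %lu\n", (ULONG)(ULONG_PTR)CreatorProcessId);
    CreateIsProgressing = FALSE;

    // return STATUS_ACCESS_DENIED; // would refuse the creation instead of forwarding
    return Old_ZwCreateProcessEx(ProcessHandle, DesiredAccess, ObjectAttributes, ParentProcess,
                                 Flags, SectionHandle, DebugPort, ExceptionPort, JobMemberLevel);
}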
/

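// Installs New_ZwCreateProcessEx into the writable service-table mapping and
// saves the original entry in Old_ZwCreateProcessEx / Old_ZwCreateProcessExAddr.
//
// Returns FALSE without touching the table when DriverEntry did not obtain a
// mapping or when the hard-coded service index lies outside the table (the
// index is build-specific; writing past the table corrupts kernel memory).
// Returns TRUE once the entry has been swapped.
BOOLEAN EnableDriver()
{
    if (MappedSystemCallTable == NULL)
        return FALSE;
    if (ServiceId_ZwCreateProcessEx >= KeServiceDescriptorTable.NumberOfServices) {
        dprintf("ServiceId 0x%lx is outside the service table (%u entries)\n",
                ServiceId_ZwCreateProcessEx, KeServiceDescriptorTable.NumberOfServices);
        return FALSE;
    }
    HOOK_SYSCALL(ServiceId_ZwCreateProcessEx, New_ZwCreateProcessEx, Old_ZwCreateProcessExAddr);
    Old_ZwCreateProcessEx = (pfnZwCreateProcessEx)Old_ZwCreateProcessExAddr;
    dprintf("已经开始HOOK.\n");
    return TRUE;
}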
/

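// Restores the original ZwCreateProcessEx entry in the service table.
//
// Returns FALSE when there is nothing to restore (no mapping, or EnableDriver
// never saved an original address), so a failed or skipped hook does not
// write NULL into the table. Returns TRUE after the entry is put back.
// Note UNHOOK_SYSCALL writes its second argument into the slot; the saved
// original is therefore passed in that position.
BOOLEAN DisableDriver()
{
    if (MappedSystemCallTable == NULL || Old_ZwCreateProcessExAddr == NULL)
        return FALSE;
    UNHOOK_SYSCALL(ServiceId_ZwCreateProcessEx, Old_ZwCreateProcessExAddr, New_ZwCreateProcessEx);
    Old_ZwCreateProcessExAddr = NULL; // makes a second call a no-op
    dprintf("已经解除HOOK.\n");
    return TRUE;
}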
/

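// Driver entry point: maps the service table writably through an MDL,
// registers DriverUnload and installs the hook.
//
// pDriverObj      - driver object; receives the unload routine.
// pRegistryString - driver's registry path (counted string, logged only).
//
// Returns STATUS_UNSUCCESSFUL when the MDL cannot be created or the hook
// cannot be installed, STATUS_INSUFFICIENT_RESOURCES when the table cannot
// be mapped, otherwise STATUS_SUCCESS. All resources are released on failure.
//
// NOTE(review): NumberOfServices*sizeof(ULONG) assumes 4-byte table entries,
// i.e. a 32-bit kernel, like the offsets in GetProcessImageName. MmCreateMdl
// and MmMapLockedPages are the legacy MDL routines; kept as in the original.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    // %wZ prints the counted string; its Buffer is not guaranteed NUL-terminated.
    dprintf("注册到注册表: %wZ\n", pRegistryString);

    g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase,
                                   KeServiceDescriptorTable.NumberOfServices * sizeof(ULONG));
    if (!g_pmdlSystemCall)
        return STATUS_UNSUCCESSFUL;
    MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
    g_pmdlSystemCall->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA; // request a writable system mapping

    MappedSystemCallTable = (PVOID *)MmMapLockedPages(g_pmdlSystemCall, KernelMode);
    if (MappedSystemCallTable == NULL) {
        IoFreeMdl(g_pmdlSystemCall);
        g_pmdlSystemCall = NULL;
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    pDriverObj->DriverUnload = DriverUnload;

    if (!EnableDriver()) {
        MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
        MappedSystemCallTable = NULL;
        IoFreeMdl(g_pmdlSystemCall);
        g_pmdlSystemCall = NULL;
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_SUCCESS;
}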
/
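// Unload routine: removes the hook and releases the service-table mapping and
// MDL created in DriverEntry (the original version leaked both).
//
// NOTE(review): there is no wait for threads still executing inside
// New_ZwCreateProcessEx; unloading while one is in flight faults once the
// image is gone. This version does not add such a quiescence wait.
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);

    DisableDriver();

    if (MappedSystemCallTable != NULL && g_pmdlSystemCall != NULL) {
        MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
        MappedSystemCallTable = NULL;
    }
    if (g_pmdlSystemCall != NULL) {
        IoFreeMdl(g_pmdlSystemCall);
        g_pmdlSystemCall = NULL;
    }
    dprintf("驱动已经卸载.\n");
}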
/
