// Driver.h
//
// Shared declarations for the x86 IDT-hook sample: driver entry points,
// section-placement pragmas, Win32-style integer aliases and the packed
// IDT register/gate layouts that follow below.

#if defined(__cplusplus)
extern "C" {
#endif

#include <ntddk.h>

// Kept inside the extern "C" block so the symbol is exported unmangled.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

#if defined(__cplusplus)
}
#endif

// Section-placement helpers, used as `#pragma PAGEDCODE` etc. below
// (MSVC macro-expands the pragma argument, so they select code_seg/data_seg).
#define PAGEDCODE  code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE   code_seg("INIT")
#define PAGEDDATA  data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA   data_seg("INIT")

// Element count of a real array (not valid on a decayed pointer).
#define arraysize(p) (sizeof(p) / sizeof((p)[0]))

// Unload routine; only reached through DriverObject->DriverUnload, so it does
// not need C linkage.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

// Win32 names the kernel headers do not provide.
#define WORD  USHORT
#define DWORD ULONG

// Join two 16-bit halves into one 32-bit value: a is the low half, b the high.
#define MAKELONG(a, b) \
    ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) | \
            ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff))) << 16))
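#pragma pack(push)
#pragma pack(1) // byte-packed: these structs mirror hardware layouts exactly

// Contents of the IDTR register as stored by SIDT on 32-bit x86: a 16-bit
// limit (table size in bytes minus one) followed by the 32-bit linear base,
// which this struct splits into two 16-bit halves.
typedef struct _IDTR
{
    USHORT IDT_limit;   // table size in bytes, minus one
    USHORT IDT_LOWbase; // low 16 bits of the base (start of the _IDT_ENTRY array)
    USHORT IDT_HIGbase; // high 16 bits of the base
} IDTR, *PIDTR;

// One 8-byte 32-bit IDT gate descriptor. The handler address is split across
// LowOffset/HigOffset; the bit-fields carry the gate type and privilege bits.
typedef struct _IDT_ENTRY
{
    USHORT LowOffset;  // handler address, low 16 bits
    USHORT selector;   // code segment selector the handler runs in
    UCHAR  reserved;
    UCHAR  type:4;     // gate type
    UCHAR  always0:1;  // must be zero
    UCHAR  dpl:2;      // descriptor privilege level
    UCHAR  present:1;  // present bit
    USHORT HigOffset;  // handler address, high 16 bits
} IDTENTRY, *PIDTENTRY;

// The code below does SIDT straight into an IDTR and indexes the table as an
// IDTENTRY array, so the packed sizes must match the hardware (6 and 8 bytes);
// a stray alignment change would silently corrupt every IDT access.
C_ASSERT(sizeof(IDTR) == 6);
C_ASSERT(sizeof(IDTENTRY) == 8);

#pragma pack(pop)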
// Not in the public DDK headers, hence declared by hand here. Returns a
// pointer to the short image name stored in the process object, not a full
// path; the exact contract is not visible in this file — treat the buffer as
// read-only and verify behaviour against the target kernel version.
EXTERN_C NTKERNELAPI UCHAR *PsGetProcessImageFileName(__in PEPROCESS Process);
// Driver.cpp
#include "Driver.h"

// ---- globals ----
KEVENT g_Event;                   // signalled by HookIdtDpc once a per-CPU hook is written
ULONG  g_CurrentCpuAffinity = 0;  // index of the CPU the current DPC targets (used for logging)
ULONG  g_OrgInterruptFunc3 = 0;   // original INT 3 handler; chained to, and restored on unload
// Re-set CR0 bit 16 (WP, supervisor write protection) after a PageProtectOff()
// and re-enable interrupts on this CPU.
//
// NOTE(review): `sti` is unconditional, so this pair assumes interrupts were
// enabled before PageProtectOff() ran; a caller entering with interrupts
// already disabled would have them silently enabled here. Saving/restoring
// EFLAGS (pushfd/popfd) around the pair would be the safer shape.
void PageProtectOn()
{
    // restore memory (write) protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h    ; set CR0 bit 16 (WP)
        mov cr0, eax
        sti               ; interrupts back on
    }
}
// Disable interrupts on this CPU and clear CR0 bit 16 (WP) so kernel code can
// write to read-only pages such as the IDT. Must be paired with PageProtectOn()
// on the same CPU; the caller (HookInterrupt) keeps the window short.
void PageProtectOff()
{
    // remove memory (write) protection
    __asm
    {
        cli               ; no interrupts while WP is clear
        mov eax, cr0
        and eax, not 10000h  ; clear CR0 bit 16 (WP)
        mov cr0, eax
    }
}
// Dump every gate of the current CPU's IDT to the debugger output.
// uCPU is only used to label the output lines.
void GetIdt(ULONG uCPU)
{
    IDTR idtr;
    __asm { sidt idtr }

    PIDTENTRY pEntries = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
    KdPrint(("pIdtEntry: %X\n", pEntries));

    // IDT_limit is (table size - 1), so limit / entry size is the last valid index.
    ULONG uLastIndex = idtr.IDT_limit / sizeof(IDTENTRY);
    for (ULONG uIndex = 0; uIndex <= uLastIndex; uIndex++)
    {
        ULONG uHandler = MAKELONG(pEntries[uIndex].LowOffset, pEntries[uIndex].HigOffset);
        KdPrint(("uCPU:%d---pIdtEntry[%d]: %X\n", uCPU, uIndex, uHandler));
    }
}
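// Return the linear address of the handler installed for IDT vector
// InterruptIndex on the current CPU, or 0 when InterruptIndex lies beyond the
// table limit reported by SIDT. Callers should treat 0 as failure.
ULONG GetInterruptFuncAddress(ULONG InterruptIndex)
{
    IDTR idtr;
    __asm { sidt idtr }

    // IDT_limit is (table size - 1); refuse to read past the last gate.
    if (InterruptIndex > idtr.IDT_limit / sizeof(IDTENTRY))
    {
        return 0;
    }

    PIDTENTRY pIdtEntry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
    return MAKELONG(pIdtEntry[InterruptIndex].LowOffset, pIdtEntry[InterruptIndex].HigOffset);
}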
// Called from NewInterruptFun3 on every INT 3, before the original handler
// runs; logs the image name of the interrupted process. The whole body sits
// inside KdPrint, so in builds where KdPrint is compiled out nothing runs here.
//
// NOTE(review): this executes in trap context at whatever IRQL the
// interrupted code had, with no re-entrancy guard — a breakpoint hit inside
// KdPrint or PsGetProcessImageFileName would re-enter this path.
VOID __stdcall FilterInterruptFunc3()
{
    KdPrint(("CurrentProcess:%s\n", PsGetProcessImageFileName(IoGetCurrentProcess())));
}
// Replacement target for the INT 3 gate. Naked so the compiler emits no
// prologue/epilogue: the CPU has already pushed the trap frame. Saves the
// registers the filter may clobber, loads kernel segment selectors, calls
// FilterInterruptFunc3, restores what it saved and chains to the original
// handler kept in g_OrgInterruptFunc3.
//
// NOTE(review): DS/ES are loaded with 0x23 but never restored (pushad does not
// cover segment registers), so the original handler is entered with whatever
// this leaves there. 0x30/0x23 are assumed to be the target kernel's PCR and
// flat data selectors — verify against the build in use.
__declspec(naked) void NewInterruptFun3()
{
    __asm
    {
        pushad                      ; save general-purpose registers
        pushfd                      ; save EFLAGS
        push fs                     ; save FS, restored below
        push 0x30
        pop fs                      ; FS = 0x30
        mov ax, 0x23
        mov ds, ax                  ; DS = 0x23 (AX is covered by pushad)
        mov es, ax                  ; ES = 0x23
        call FilterInterruptFunc3   ; __stdcall with no arguments: nothing to clean up
        pop fs
        popfd
        popad
        jmp g_OrgInterruptFunc3     ; continue with the original INT 3 handler
    }
}
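// Point IDT vector InterruptIndex on the *current* CPU at NewInterruptFunc.
// Only the two offset halves of the gate are rewritten; selector, type, DPL
// and present bits are left as found. Each CPU has its own IDT, so this must
// run on the CPU being patched (HandleIdtByDpc arranges that). uCPU is only
// used to label the log. An index beyond the SIDT limit is logged and ignored.
void HookInterrupt(ULONG uCPU, ULONG InterruptIndex, ULONG NewInterruptFunc)
{
    IDTR idtr;
    __asm { sidt idtr }

    PIDTENTRY pIdtEntry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
    KdPrint(("uCPU:%d---pIdtEntry: %X\n", uCPU, pIdtEntry));

    // IDT_limit is (table size - 1); never write past the last gate.
    if (InterruptIndex > idtr.IDT_limit / sizeof(IDTENTRY))
    {
        KdPrint(("uCPU:%d---InterruptIndex %d out of range\n", uCPU, InterruptIndex));
        return;
    }

    // Split the address before dropping write protection so the window with
    // CR0.WP clear (and interrupts off) is as short as possible.
    USHORT uLow  = (USHORT)(NewInterruptFunc & 0xffff);
    USHORT uHigh = (USHORT)(NewInterruptFunc >> 16);

    PageProtectOff();   // clears CR0.WP and disables interrupts on this CPU
    pIdtEntry[InterruptIndex].LowOffset = uLow;
    pIdtEntry[InterruptIndex].HigOffset = uHigh;
    PageProtectOn();    // restores CR0.WP and re-enables interrupts
}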
// DPC body queued by HandleIdtByDpc, once per active CPU. The vector and the
// new handler travel in the two system arguments; the CPU index comes from
// g_CurrentCpuAffinity. Signals g_Event once the gate has been written so the
// caller can move on to the next CPU.
VOID HookIdtDpc(
    IN struct _KDPC *Dpc,
    IN PVOID DeferredContext,
    IN PVOID SystemArgument1,
    IN PVOID SystemArgument2
    )
{
    UNREFERENCED_PARAMETER(Dpc);
    UNREFERENCED_PARAMETER(DeferredContext);

    ULONG uVector     = (ULONG)SystemArgument1;
    ULONG uNewHandler = (ULONG)SystemArgument2;

    HookInterrupt(g_CurrentCpuAffinity, uVector, uNewHandler);
    KeSetEvent(&g_Event, IO_NO_INCREMENT, FALSE);
}
-
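// Count the set bits of an affinity mask (one per active processor).
static ULONG CountActiveProcessors(KAFFINITY CpuAffinity)
{
    ULONG uCount = 0;
    // sizeof yields bytes; the mask holds 8 bits per byte.
    for (ULONG i = 0; i < sizeof(KAFFINITY) * 8; i++)
    {
        if ((CpuAffinity >> i) & 1)
        {
            uCount++;
        }
    }
    return uCount;
}

// Install NewInterruptFunc as the handler for IDT vector InterruptIndex on
// every active processor. Each CPU has its own IDT, so on a multiprocessor
// system a high-importance DPC is queued to each CPU in turn and this routine
// waits on g_Event for it to finish; on a single processor the gate is written
// directly at DISPATCH_LEVEL. Must be called at PASSIVE_LEVEL (it waits with no
// timeout). Also used by DriverUnload to put the original handler back.
void HandleIdtByDpc(ULONG InterruptIndex, ULONG NewInterruptFunc)
{
    KAFFINITY CpuAffinity = KeQueryActiveProcessors();
    ULONG uCpuCount = CountActiveProcessors(CpuAffinity);

    if (uCpuCount == 1)
    {
        // Only one CPU, and we are on it: keep other DPCs/threads off while writing.
        KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
        HookInterrupt(0, InterruptIndex, NewInterruptFunc);
        KeLowerIrql(OldIrql);
        return;
    }

    KDPC Dpc;
    KeInitializeEvent(&g_Event, NotificationEvent, FALSE);

    // Walk every bit of the mask. The previous bound was sizeof(KAFFINITY),
    // i.e. bytes, so only CPUs 0..3 were ever hooked (or unhooked).
    for (ULONG i = 0; i < sizeof(KAFFINITY) * 8; i++)
    {
        if (!((CpuAffinity >> i) & 1))
        {
            continue;
        }

        g_CurrentCpuAffinity = i;   // read by HookIdtDpc for its log line
        KeClearEvent(&g_Event);

        KeInitializeDpc(&Dpc, HookIdtDpc, NULL);
        KeSetTargetProcessorDpc(&Dpc, (CCHAR)i);
        KeSetImportanceDpc(&Dpc, HighImportance);
        KeInsertQueueDpc(&Dpc, (PVOID)InterruptIndex, (PVOID)NewInterruptFunc);

        // The stack-allocated KDPC and g_CurrentCpuAffinity are reused for the
        // next CPU, so wait until this one has signalled before moving on.
        KeWaitForSingleObject(&g_Event, Executive, KernelMode, FALSE, NULL);
    }
}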
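#pragma INITCODE
// Driver entry (INIT section): record the current INT 3 handler, then redirect
// vector 3 on every CPU to NewInterruptFun3. Fails without touching the IDT if
// the original handler address could not be read. NewInterruptFun3 and
// FilterInterruptFunc3 live in the default (non-paged) code section, which is
// what makes them safe to reach from the gate.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    // Saved so NewInterruptFun3 can chain to it and DriverUnload can restore it.
    g_OrgInterruptFunc3 = GetInterruptFuncAddress(3);
    if (g_OrgInterruptFunc3 == 0)
    {
        KdPrint(("DriverEntry: could not read the INT 3 gate\n"));
        return STATUS_UNSUCCESSFUL;
    }

    HandleIdtByDpc(3, (ULONG)NewInterruptFun3);
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}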
#pragma PAGEDCODE
// Unload (PAGE section): put the original INT 3 handler back on every CPU,
// then log.
//
// NOTE(review): nothing here waits for a CPU that may still be inside
// NewInterruptFun3/FilterInterruptFunc3 when the image is unmapped; a
// breakpoint taken on another CPU during unload would land in unmapped code.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    HandleIdtByDpc(3, g_OrgInterruptFunc3);
    KdPrint(("DriverEntry unLoading...\n"));
}