枚举进程、线程创建回调,枚举映像加载回调,枚举DPC时钟
// Driver.h
//
// Interface of a small diagnostic kernel driver.  It registers the three
// Ps*NotifyRoutine callbacks, then walks the kernel's own callback arrays and
// its DPC timer table and logs what it finds with KdPrint, so that callbacks
// or timers not accounted for by known software can be investigated.
//
// Everything here is 32-bit (x86) only: addresses are carried in ULONG and the
// byte signatures used by Driver.cpp are x86 opcodes tied to a specific kernel
// build.  Nothing in this driver alters the arrays or lists it walks.
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif
// Section-placement helpers: used as `#pragma INITCODE` / `#pragma PAGEDCODE`
// in front of a definition to put it in the discardable INIT or pageable PAGE section.
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
// Element count of a true array (not valid on a pointer or array parameter).
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
// Unregisters the three callbacks registered by DriverEntry.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
// Diagnostic callbacks registered by DriverEntry; each only logs its own name.
VOID MyCreateProcessNotifyRoutine(
IN HANDLE ParentId,
IN HANDLE ProcessId,
IN BOOLEAN Create
);
VOID MyCreateThreadNotifyRoutine(
IN HANDLE ProcessId,
IN HANDLE ThreadId,
IN BOOLEAN Create
);
VOID MyLoadImageNotifyRoutine(
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // where image is mapped
IN PIMAGE_INFO ImageInfo
);
// Function-pointer types for three unexported kernel helpers that manage the
// callback blocks stored in the Psp*NotifyRoutine arrays.  They are never
// linked against; Driver.cpp locates them by byte signature.  The argument
// meanings below follow how Driver.cpp calls them -- confirm against the target build.
//   ExReferenceCallBackBlock(slot)          -> referenced block or NULL
//   ExGetCallBackBlockRoutine(block)        -> the registered routine or NULL
//   ExDereferenceCallBackBlock(slot, block) -> releases the reference
typedef PVOID (*pExReferenceCallBackBlock) (PVOID CallBack);
typedef PVOID (*pExGetCallBackBlockRoutine) (PVOID CallBackBlock);
typedef VOID (*pExDereferenceCallBackBlock) (PVOID CallBack, PVOID CallBackBlock);
// Resolves the three Psp*NotifyRoutine array addresses and the three Ex*
// helpers above by scanning the code of exported Ps* routines for hard-coded
// x86 byte signatures.  Returns FALSE as soon as one signature is not found.
// A TRUE result only means every signature matched, not that the addresses
// are right for this build: a stale signature yields a wrong address, and
// EnumNotifyRoutine then calls through it.
BOOLEAN GetNotifyRoutineAddr();
// Logs every routine found in the 8-slot callback array at uNotifyRoutineAddr.
// Does nothing when the address or any of the Ex* helpers is unresolved.
void EnumNotifyRoutine(ULONG uNotifyRoutineAddr);
// Resolves nt!KiTimerTableListHead from the code of KeUpdateSystemTime; 0 on failure.
ULONG GetKiTimerTableListHeadAddr();
// Walks the timer table found by GetKiTimerTableListHeadAddr and logs each
// timer's DPC DeferredRoutine address and period.
void EnumDpcTimer();
// Driver.cpp
#include "Driver.h"
// Addresses resolved at load time by GetNotifyRoutineAddr() and
// GetKiTimerTableListHeadAddr().  0 means "not found"; every consumer checks
// for that before use.  ULONG (32-bit) throughout -- x86 builds only.
ULONG g_uPspCreateProcessNotifyRoutineAddr = 0;   // nt!PspCreateProcessNotifyRoutine array
ULONG g_uPspCreateThreadNotifyRoutineAddr = 0;    // nt!PspCreateThreadNotifyRoutine array
ULONG g_uPspLoadImageNotifyRoutineAddr = 0;       // nt!PspLoadImageNotifyRoutine array
ULONG g_uKiTimerTableListHeadAddr = 0;            // nt!KiTimerTableListHead
// Unexported callback-block helpers located by signature and called indirectly
// by EnumNotifyRoutine(); NULL until GetNotifyRoutineAddr() has found all three.
pExReferenceCallBackBlock g_pfnExReferenceCallBackBlock = NULL;
pExGetCallBackBlockRoutine g_pfnExGetCallBackBlockRoutine = NULL;
pExDereferenceCallBackBlock g_pfnExDereferenceCallBackBlock = NULL;
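// Scans [start, start + limit) for a four-byte x86 code signature: b0 at the
// candidate byte, b5 and b6 at +5 and +6, and bBack at `backOff` bytes BEFORE
// the candidate.  Returns the first match, or NULL when none is found.
//
// The backward probe reads below `start` on the first `backOff` iterations
// (exactly as the original hand-rolled loops did); those bytes belong to
// whatever precedes the anchored routine and are mapped, non-paged kernel code.
static PUCHAR FindSignature(PUCHAR start, ULONG limit,
                            UCHAR b0, UCHAR b5, UCHAR b6,
                            ULONG backOff, UCHAR bBack)
{
    PUCHAR p = start;
    for (ULONG i = 0; i < limit; i++, p++)
    {
        if (p[0] == b0 && p[5] == b5 && p[6] == b6 && *(p - backOff) == bBack)
        {
            return p;
        }
    }
    return NULL;
}

// Absolute target of the `call rel32` (E8) instruction that starts at `call`:
// rel32 is relative to the end of the 5-byte instruction.  32-bit only.
static ULONG CallTarget(PUCHAR call)
{
    return (ULONG)(*(PULONG)(call + 1) + call + 5);
}

// Resolves, by byte signature, the three Psp*NotifyRoutine callback arrays and
// the three unexported Ex*CallBackBlock helpers, storing them in the globals
// above.  Returns FALSE (and leaves the remaining globals untouched) as soon as
// one signature is not found; the three Ex* pointers are only published once
// all three have been located.
//
// The signatures are instruction bytes of a particular x86 kernel build.  A
// match on a different build is not proof of correctness: it may yield a
// wrong address, and EnumNotifyRoutine calls through the Ex* pointers, so the
// signatures must be validated against the target kernel before this driver
// is loaded on it.
BOOLEAN GetNotifyRoutineAddr()
{
    // Anchor: the exported PsSetCreateProcessNotifyRoutine.  The array address
    // is the imm32 of a `mov edi, imm32` (BF) that is followed by
    // `push edi; call` (57 E8) and preceded, two bytes earlier, by 0x74.
    ULONG uAddr = (ULONG)PsSetCreateProcessNotifyRoutine;
    PUCHAR base = (PUCHAR)uAddr;
    PUCHAR p = FindSignature(base, 0x50, 0xbf, 0x57, 0xe8, 2, 0x74);
    if (p == NULL)
    {
        KdPrint(("Find g_uPspCreateProcessNotifyRoutineAddr faile!\n"));
        return FALSE;
    }
    g_uPspCreateProcessNotifyRoutineAddr = *(PULONG)(p + 1);

    // The three Ex* helpers are `call rel32` (E8) sites inside the same
    // routine, told apart by the bytes that follow and precede each call.
    p = FindSignature(base, 0x100, 0xe8, 0x8b, 0xf0, 1, 0x57);
    if (p == NULL)
    {
        KdPrint(("Find uExReferenceCallBackBlockAddr faile!\n"));
        return FALSE;
    }
    ULONG uExReferenceCallBackBlockAddr = CallTarget(p);

    p = FindSignature(base, 0x100, 0xe8, 0x3b, 0x45, 1, 0x56);
    if (p == NULL)
    {
        KdPrint(("Find uExGetCallBackBlockRoutineAddr faile!\n"));
        return FALSE;
    }
    ULONG uExGetCallBackBlockRoutineAddr = CallTarget(p);

    p = FindSignature(base, 0x100, 0xe8, 0x43, 0x83, 1, 0x57);
    if (p == NULL)
    {
        KdPrint(("Find uExDereferenceCallBackBlockAddr faile!\n"));
        return FALSE;
    }
    ULONG uExDereferenceCallBackBlockAddr = CallTarget(p);

    // Publish the three helpers together so that a partial failure above never
    // leaves EnumNotifyRoutine with a mixed set of resolved/unresolved pointers.
    g_pfnExReferenceCallBackBlock = (pExReferenceCallBackBlock)uExReferenceCallBackBlockAddr;
    g_pfnExGetCallBackBlockRoutine = (pExGetCallBackBlockRoutine)uExGetCallBackBlockRoutineAddr;
    g_pfnExDereferenceCallBackBlock = (pExDereferenceCallBackBlock)uExDereferenceCallBackBlockAddr;

    // Thread-creation array: same `mov edi, imm32; push edi; call` shape inside
    // the exported PsRemoveCreateThreadNotifyRoutine, preceded by 0x33.
    uAddr = (ULONG)PsRemoveCreateThreadNotifyRoutine;
    p = FindSignature((PUCHAR)uAddr, 0x50, 0xbf, 0x57, 0xe8, 2, 0x33);
    if (p == NULL)
    {
        KdPrint(("Find g_uPspCreateThreadNotifyRoutineAddr faile!\n"));
        return FALSE;
    }
    g_uPspCreateThreadNotifyRoutineAddr = *(PULONG)(p + 1);

    // Image-load array: identical shape inside PsRemoveLoadImageNotifyRoutine.
    uAddr = (ULONG)PsRemoveLoadImageNotifyRoutine;
    p = FindSignature((PUCHAR)uAddr, 0x50, 0xbf, 0x57, 0xe8, 2, 0x33);
    if (p == NULL)
    {
        KdPrint(("Find g_uPspLoadImageNotifyRoutineAddr faile!\n"));
        return FALSE;
    }
    g_uPspLoadImageNotifyRoutineAddr = *(PULONG)(p + 1);

    return TRUE;
}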
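// Logs every routine registered in the callback array at uNotifyRoutineAddr.
//
// Each slot is handed to the kernel's own ExReferenceCallBackBlock, which
// returns the referenced block (or NULL for an empty slot); the routine is
// read through ExGetCallBackBlockRoutine and the reference is released with
// ExDereferenceCallBackBlock.  The release now happens for every non-NULL
// block -- the original only released it when a routine was found, so a block
// whose routine read back as NULL kept the reference taken here.
//
// Does nothing when the array address is 0 or any helper is unresolved.
// The slot count of 8 is what the original hard-coded; confirm it for the
// target build before trusting the enumeration to be complete.
void EnumNotifyRoutine(ULONG uNotifyRoutineAddr)
{
    enum { NOTIFY_ROUTINE_SLOTS = 8 };

    if (uNotifyRoutineAddr == 0
        || g_pfnExReferenceCallBackBlock == NULL
        || g_pfnExGetCallBackBlockRoutine == NULL
        || g_pfnExDereferenceCallBackBlock == NULL)
    {
        return;
    }

    PULONG slots = (PULONG)uNotifyRoutineAddr;
    for (ULONG i = 0; i < NOTIFY_ROUTINE_SLOTS; i++)
    {
        PVOID slot = (PVOID)&slots[i];
        PVOID CallBack = g_pfnExReferenceCallBackBlock(slot);
        if (CallBack == NULL)
        {
            continue;   // empty slot
        }
        PVOID NotifyRoutine = g_pfnExGetCallBackBlockRoutine(CallBack);
        if (NotifyRoutine != NULL)
        {
            KdPrint(("NotifyRoutine : 0x%08x\n", NotifyRoutine));
        }
        // Always balance the reference taken above, routine or not.
        g_pfnExDereferenceCallBackBlock(slot, CallBack);
    }
}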
// Process create/exit callback registered by DriverEntry.  Diagnostic only:
// it announces that it ran and deliberately ignores its parameters.
VOID MyCreateProcessNotifyRoutine(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    )
{
    (void)ParentId;
    (void)ProcessId;
    (void)Create;
    KdPrint(("MyCreateProcessNotifyRoutine\n"));
}
// Thread create/exit callback registered by DriverEntry.  Diagnostic only:
// it announces that it ran and deliberately ignores its parameters.
VOID MyCreateThreadNotifyRoutine(
    IN HANDLE ProcessId,
    IN HANDLE ThreadId,
    IN BOOLEAN Create
    )
{
    (void)ProcessId;
    (void)ThreadId;
    (void)Create;
    KdPrint(("MyCreateThreadNotifyRoutine\n"));
}
// Image-load callback registered by DriverEntry.  Diagnostic only: it
// announces that it ran and deliberately ignores its parameters.
VOID MyLoadImageNotifyRoutine(
    IN PUNICODE_STRING FullImageName,
    IN HANDLE ProcessId, // where image is mapped
    IN PIMAGE_INFO ImageInfo
    )
{
    (void)FullImageName;
    (void)ProcessId;
    (void)ImageInfo;
    KdPrint(("MyLoadImageNotifyRoutine\n"));
}
// Resolves nt!KiTimerTableListHead by signature.  Anchors on the exported
// KeUpdateSystemTime and looks, within its first 0x200 bytes, for
// `lea ecx, [eax*8 + imm32]` (8D 0C C5 imm32) whose fifth preceding byte is
// 0x25; imm32 is the table address.  Returns 0 when the export cannot be
// looked up or the signature is absent.  Build-specific, x86 only.
ULONG GetKiTimerTableListHeadAddr()
{
    UNICODE_STRING ustrFuncName;
    RtlInitUnicodeString(&ustrFuncName, L"KeUpdateSystemTime");
    PVOID pfn = MmGetSystemRoutineAddress(&ustrFuncName);
    if (pfn == NULL)
    {
        return 0;
    }

    PUCHAR cursor = (PUCHAR)pfn;
    for (ULONG offset = 0; offset < 0x200; offset++, cursor++)
    {
        // The backward probe reads below the routine entry for the first
        // five iterations, as the original scan did.
        if (cursor[0] == 0x8d
            && cursor[1] == 0x0c
            && cursor[2] == 0xc5
            && *(cursor - 5) == 0x25)
        {
            return *(PULONG)(cursor + 3);   // imm32 of the lea
        }
    }

    KdPrint(("Find faile!\n"));
    return 0;
}
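// Walks every bucket of the timer table at g_uKiTimerTableListHeadAddr and
// logs the DPC DeferredRoutine address and period of each queued KTIMER.
// Read-only diagnostic: nothing is modified.
//
// Assumptions to confirm on the target build: the table is a flat array of
// TIMER_TABLE_SIZE LIST_ENTRYs, and KTIMER::Period is in milliseconds (it is
// divided by 1000 before logging).  No dispatcher lock is taken, so lists can
// change underneath the walk; every pointer is probed with MmIsAddressValid
// before it is followed.
//
// Fix over the original: the per-bucket walk used `Blink == Flink` as its
// stop condition, which is true for the only entry of a one-timer bucket, so
// every bucket holding exactly one timer was silently skipped.  The walk now
// stops only on a self-referencing entry or after MAX_ENTRIES_PER_LIST steps
// (a cycle that never returns to the head), and reports single-entry buckets.
void EnumDpcTimer()
{
    enum { TIMER_TABLE_SIZE = 0x100, MAX_ENTRIES_PER_LIST = 0x10000 };

    if (g_uKiTimerTableListHeadAddr == 0)
    {
        return;
    }

    PLIST_ENTRY table = (PLIST_ENTRY)g_uKiTimerTableListHeadAddr;
    for (ULONG i = 0; i < TIMER_TABLE_SIZE; i++)
    {
        PLIST_ENTRY ListHead = &table[i];
        if (!MmIsAddressValid(ListHead->Blink) || !MmIsAddressValid(ListHead->Flink))
        {
            continue;
        }

        ULONG visited = 0;
        // Walk backwards via Blink, as the original did.
        for (PLIST_ENTRY NextEntry = ListHead->Blink;
             NextEntry != ListHead;
             NextEntry = NextEntry->Blink)
        {
            // Corrupted-list guards: a self-loop or a cycle that bypasses the
            // head would otherwise spin at this IRQL forever.
            if (NextEntry->Blink == NextEntry || ++visited > MAX_ENTRIES_PER_LIST)
            {
                break;
            }

            PKTIMER NextTimer = CONTAINING_RECORD(NextEntry, KTIMER, TimerListEntry);
            if (MmIsAddressValid(NextTimer)
                && MmIsAddressValid(NextTimer->Dpc)
                && MmIsAddressValid(NextTimer->Dpc->DeferredRoutine)
                && MmIsAddressValid(&NextTimer->Period))
            {
                ULONG uDpcAddr = (ULONG)NextTimer->Dpc->DeferredRoutine;
                ULONG uTimer = NextTimer->Period / 1000;
                KdPrint(("uDpcAddr : 0x%08x %d\n", uDpcAddr, uTimer));
            }

            // Never follow an unmapped link into the next iteration.
            if (!MmIsAddressValid(NextEntry->Blink))
            {
                break;
            }
        }
    }
}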
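#pragma INITCODE
// Driver entry point.  Registers the three diagnostic callbacks, then runs the
// enumerations once (so the output will include this driver's own routines),
// and installs DriverUnload.
//
// Each Ps*Set* registration returns an NTSTATUS that the original ignored; a
// failed registration is now reported and the earlier ones are undone before
// the failure status is returned, because a DriverEntry that fails does not
// get an unload call.  RegistryPath is unused.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;

    // Install the unload handler first so that nothing below can leave the
    // driver resident without a way to unregister its callbacks.
    DriverObject->DriverUnload = DriverUnload;

    NTSTATUS status = PsSetCreateProcessNotifyRoutine(MyCreateProcessNotifyRoutine, FALSE);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("PsSetCreateProcessNotifyRoutine failed: 0x%08x\n", status));
        return status;
    }

    status = PsSetCreateThreadNotifyRoutine(MyCreateThreadNotifyRoutine);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("PsSetCreateThreadNotifyRoutine failed: 0x%08x\n", status));
        PsSetCreateProcessNotifyRoutine(MyCreateProcessNotifyRoutine, TRUE);
        return status;
    }

    status = PsSetLoadImageNotifyRoutine(MyLoadImageNotifyRoutine);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("PsSetLoadImageNotifyRoutine failed: 0x%08x\n", status));
        PsRemoveCreateThreadNotifyRoutine(MyCreateThreadNotifyRoutine);
        PsSetCreateProcessNotifyRoutine(MyCreateProcessNotifyRoutine, TRUE);
        return status;
    }

    // Enumerate the kernel's callback arrays only if every signature resolved;
    // a partial result is not used (see GetNotifyRoutineAddr).
    if (GetNotifyRoutineAddr())
    {
        EnumNotifyRoutine(g_uPspCreateProcessNotifyRoutineAddr);
        EnumNotifyRoutine(g_uPspCreateThreadNotifyRoutineAddr);
        EnumNotifyRoutine(g_uPspLoadImageNotifyRoutineAddr);
    }

    g_uKiTimerTableListHeadAddr = GetKiTimerTableListHeadAddr();
    if (g_uKiTimerTableListHeadAddr != 0)
    {
        EnumDpcTimer();
    }

    return STATUS_SUCCESS;
}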
#pragma PAGEDCODE
// Unregisters, in reverse order of registration, the three callbacks that
// DriverEntry installed.  DriverObject is not needed.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;
    PsRemoveLoadImageNotifyRoutine(MyLoadImageNotifyRoutine);
    PsRemoveCreateThreadNotifyRoutine(MyCreateThreadNotifyRoutine);
    PsSetCreateProcessNotifyRoutine(MyCreateProcessNotifyRoutine, TRUE);
    KdPrint(("DriverEntry unLoading...\n"));
}