// Driver.h
#ifdef __cplusplus
extern "C"
{
#endif
//#include <ntddk.h>
// ntifs.h is used in place of ntddk.h; it is a superset of the ntddk.h
// declarations and provides what Driver.cpp needs (KAPC_STATE, Ob*/Ke* routines).
#include <ntifs.h>
// Standard driver entry point, defined in Driver.cpp.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif
// Section-placement helpers: `#pragma PAGEDCODE` etc. expand to the MSVC
// code_seg/data_seg pragmas that put the following definitions into the
// PAGE or INIT sections, or back into the default (non-pageable) section.
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
// Element count of a true array; not meaningful on a pointer.
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
#pragma pack(1)
// One descriptor of the system service table as this driver reads it.
// Packed so the struct overlays the kernel's in-memory layout with no
// padding. All slots are read as 4-byte values, i.e. this is 32-bit only.
// From a defensive standpoint, ServiceTableBase entries that no longer point
// into the owning kernel module are what table-integrity checks look for.
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;          // array of service routine addresses, indexed by service number
    unsigned int *ServiceCounterTableBase;   // only meaningful on checked (debug) kernel builds
    unsigned int NumberOfServices;           // number of valid slots in ServiceTableBase
    unsigned char *ParamTableBase;           // presumably per-service argument sizes; unused here
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
// Kernel export (x86). Note this line is outside the __cplusplus guard above,
// so the header only compiles as C++.
extern "C" PServiceDescriptorTableEntry_t KeServiceDescriptorTable;
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
// Kernel export used by Driver.cpp only as the start address of a byte scan
// (see GetShadowTable); it is never called.
EXTERN_C NTKERNELAPI BOOLEAN KeAddSystemServiceTable (
    IN PULONG_PTR Base,
    IN PULONG Count OPTIONAL,
    IN ULONG Limit,
    IN PUCHAR Number,
    IN ULONG Index
);
// Information classes accepted by ZwQuerySystemInformation. The values are
// positional, so the order must match the kernel's definition exactly; this
// driver only uses SystemProcessInformation.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation, // obsolete...delete
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
// Prototypes for the two native routines Driver.cpp calls; neither is
// declared by the public headers this driver includes.
// Used by AttachToCsrss to enumerate processes (SystemProcessInformation).
EXTERN_C NTSYSAPI NTSTATUS ZwQuerySystemInformation (
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength
);
// Nt- rather than Zw- variant: called from kernel mode in AttachToCsrss, it
// does not switch the previous mode to KernelMode the way the Zw stub does.
EXTERN_C NTKERNELAPI NTSTATUS NtOpenProcess (
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId
);
// Layout assumed for the SystemProcessInformation records returned by
// ZwQuerySystemInformation. These are undocumented, version-dependent
// structures; AttachToCsrss relies on NextEntryDelta, ProcessName and
// ProcessId only. The Threads[1] array is a variable-length tail.
typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;      // (sic) presumably "ClientId"; the member is not referenced
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
}SYSTEM_THREADS;
typedef struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;    // byte offset to the next record; 0 marks the last one
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;   // image name, compared against L"csrss.exe"
    KPRIORITY BasePriority;
    ULONG ProcessId;              // passed to NtOpenProcess as CLIENT_ID.UniqueProcess
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters; //windows 2000 only
    struct _SYSTEM_THREADS Threads[1];
}SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
// Heuristic locator for the shadow descriptor array (see Driver.cpp).
PVOID GetShadowTable();
// Attaches the calling thread to csrss.exe; returns the KAPC_STATE to detach with.
PKAPC_STATE AttachToCsrss();
// win32k's window handle type is not available in kernel headers; HANDLE matches its size.
typedef HANDLE HWND;
// Signature assumed for the win32k service in shadow-table slot 378
// (NtUserFindWindowEx on the build this driver targets).
typedef HWND (*pNtUserFindWindowEx)(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName,
    IN PUNICODE_STRING pstrWindowName);
// Replacement routine installed in that slot; logs the arguments and forwards.
HWND MyNtUserFindWindowEx(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName,
    IN PUNICODE_STRING pstrWindowName);
// Mirrors the kernel's ProbeAndReadXxx pattern: a pointer at or above
// MM_USER_PROBE_ADDRESS (i.e. not user space) is redirected to that address,
// whose dereference faults into the caller's __except; otherwise the
// UNICODE_STRING header is copied by value. The string's Buffer is NOT
// probed here — callers must ProbeForRead it separately.
#define ProbeAndReadUnicodeString(Source) \
    (((Source) >= (UNICODE_STRING * const)MM_USER_PROBE_ADDRESS) ? \
    (*( UNICODE_STRING * const)MM_USER_PROBE_ADDRESS) : (*( UNICODE_STRING *)(Source)))
// Driver.cpp
#include "Driver.h"
// Original address found in shadow-table slot 378, saved by DriverEntry so
// MyNtUserFindWindowEx can forward to it and DriverUnload can restore it.
pNtUserFindWindowEx g_pfnNtUserFindWindowEx = NULL;
// Second descriptor of the shadow table array; set once in DriverEntry.
PServiceDescriptorTableEntry_t KeServiceDescriptorTableShadow = NULL;
// KAPC_STATE returned by AttachToCsrss (NonPagedPool); released in DriverUnload.
// Not initialised here; DriverEntry assigns it before it is read.
PKAPC_STATE g_pKapcState;
// Re-enable supervisor write protection (CR0.WP, bit 16 = 10000h) on the
// current processor and re-enable interrupts. x86 MSVC inline assembly.
// NOTE(review): `sti` is unconditional, so interrupts are on after this call
// regardless of their state before the matching PageProtectOff().
void PageProtectOn()
{
    // restore write protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
}
// Clear CR0.WP on the current processor so a kernel-mode store to a
// read-only page (the service table) is not faulted. Interrupts are
// disabled first (`cli`) so the thread cannot be rescheduled — and land on
// another CPU whose CR0 was not changed — while WP is off. x86 only.
void PageProtectOff()
{
    // remove write protection
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
}
// Heuristically locate the shadow descriptor table.
//
// Walks the first 4096 bytes of KeAddSystemServiceTable's code one byte at a
// time, reads each 4-byte window as a pointer, and returns the first value
// that MmIsAddressValid() accepts and that is not KeServiceDescriptorTable
// (which the same routine also references). Returns NULL when no window
// qualifies or when the guarded comparison raises.
//
// NOTE(review): the result is a guess tied to one kernel build's code layout
// and to 32-bit pointers (the window is read as a ULONG); nothing verifies
// that the returned value is a descriptor table. The dereference
// `*(PULONG)pKeAddSystemAddr` happens before the __try — only the pointer
// comparison is inside it, so the guard protects nothing that can fault.
PVOID GetShadowTable()
{

    PUCHAR pKeAddSystemAddr = (PUCHAR)KeAddSystemServiceTable;
    for (ULONG i = 0; i < 4096; i++, pKeAddSystemAddr++)
    {
        // Unaligned read of the 4 bytes at the current offset, treated as a pointer.
        PUCHAR p = (PUCHAR)*(PULONG)pKeAddSystemAddr;
        if (MmIsAddressValid(p))
        {
            __try
            {
                // Skip the reference to the non-shadow table.
                if (p == (PUCHAR)KeServiceDescriptorTable)
                {
                    continue;
                }
                else
                {
                    return p;
                }
            }
            __except(EXCEPTION_EXECUTE_HANDLER)
            {
                return NULL;
            }
        }
    }
    return NULL;
}
#pragma PAGEDCODE
// Find csrss.exe in the SystemProcessInformation list and attach the calling
// thread to its address space with KeStackAttachProcess.
//
// Returns a NonPagedPool KAPC_STATE (tag 'APC') that the caller must hand to
// KeUnstackDetachProcess and then free, or NULL when the buffer allocation
// fails, the query fails, csrss.exe is not found, or the open/reference/
// allocation steps fail. The process-list buffer is freed on every path.
//
// NOTE(review): the attach is still in effect when this returns; the detach
// in DriverUnload runs on a different thread — confirm against the
// KeStackAttachProcess contract, which pairs attach and detach on one thread.
// NOTE(review): the EPROCESS reference is released (ObDereferenceObject)
// while the thread remains attached — verify the attach alone keeps the
// process alive, as nothing else here does.
// NOTE(review): the list walk advances first and then tests the NEW record's
// NextEntryDelta, so the last record (delta 0) is never examined.
PKAPC_STATE AttachToCsrss()
{
    PVOID pBuffer = NULL;
    ULONG uBufferSize = 1000 * sizeof(SYSTEM_PROCESSES);
    ULONG uRetLength = 0;
    NTSTATUS status;
    UNICODE_STRING usstrCsrss;
    PKAPC_STATE pApcState = NULL;
    RtlInitUnicodeString(&usstrCsrss, L"csrss.exe");
    // Grow the buffer until the query fits; STATUS_INFO_LENGTH_MISMATCH means
    // "too small". Doubling stops at 1,000,000 bytes; uRetLength is not used.
    do
    {
        if (pBuffer != NULL)
        {
            ExFreePool(pBuffer);
            pBuffer = NULL;
        }
        pBuffer = ExAllocatePoolWithTag(PagedPool, uBufferSize, '0123');
        if (pBuffer == NULL)
        {
            return NULL;
        }
        status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, uBufferSize, &uRetLength);
        if (status != STATUS_SUCCESS && status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }

        uBufferSize = uBufferSize * 2;
    } while (status != STATUS_SUCCESS && uBufferSize < 1000000);

    if (status == STATUS_SUCCESS)
    {
        PSYSTEM_PROCESSES pSyeInfo = (PSYSTEM_PROCESSES)pBuffer;
        do
        {
            // Case-insensitive image-name match (third argument TRUE).
            if (RtlCompareUnicodeString(&pSyeInfo->ProcessName, &usstrCsrss, TRUE) == 0)
            {
                KdPrint(("find %wZ\n", &pSyeInfo->ProcessName));
                ULONG uPID = pSyeInfo->ProcessId;
                HANDLE hProcess = NULL;
                OBJECT_ATTRIBUTES ObjectAttributes;
                InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
                CLIENT_ID ClientId;
                ClientId.UniqueProcess = (HANDLE)uPID;
                ClientId.UniqueThread = 0;
                status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId);

                if (status == STATUS_SUCCESS)
                {
                    PEPROCESS pEprocess = NULL;
                    status = ObReferenceObjectByHandle(hProcess, PROCESS_ALL_ACCESS, NULL, KernelMode, (PVOID *)&pEprocess, NULL);
                    if (status == STATUS_SUCCESS)
                    {
                        // NonPagedPool because the APC state is touched at raised IRQL by the kernel.
                        pApcState = (PKAPC_STATE)ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC_STATE), 'APC');

                        if (pApcState)
                        {
                            KeStackAttachProcess(pEprocess, pApcState);
                        }
                        ObDereferenceObject(pEprocess);
                    }
                    ZwClose(hProcess);
                }
            }
            // Records are chained by byte offset; a delta of 0 re-points to the same record.
            pSyeInfo = (PSYSTEM_PROCESSES) ((ULONG)pSyeInfo + pSyeInfo->NextEntryDelta);
        } while (pSyeInfo->NextEntryDelta && pApcState == NULL);
    }
    if (pBuffer != NULL)
    {
        ExFreePool(pBuffer);
    }
    return pApcState;

}
#pragma PAGEDCODE
// Return the address stored in slot uIndex of the shadow (win32k) service
// table, or 0 when KeServiceDescriptorTableShadow has not been set.
// NOTE(review): uIndex is not compared with NumberOfServices, so an
// out-of-range index reads past the table. The NULL check is also defeated
// by DriverEntry's `+= 1` on a NULL GetShadowTable() result.
ULONG GetSSSDTAddr(ULONG uIndex)
{
    if (KeServiceDescriptorTableShadow == NULL)
    {
        return 0;
    }
    ULONG uAddr = (ULONG)KeServiceDescriptorTableShadow->ServiceTableBase[uIndex];
    return uAddr;
}
// Store uNewAddr into slot uIndex of the shadow service table with CR0.WP
// lifted around the write. Returns FALSE only for uNewAddr == 0; TRUE does
// not mean the store was validated in any way.
// NOTE(review): unlike GetSSSDTAddr, neither KeServiceDescriptorTableShadow
// nor uIndex is checked here, and the previous slot value is not saved —
// DriverEntry reads it beforehand via GetSSSDTAddr.
BOOLEAN HookSSSDT(ULONG uIndex, ULONG uNewAddr)
{
    if (uNewAddr == 0)
    {
        return FALSE;
    }
    PageProtectOff();
    KeServiceDescriptorTableShadow->ServiceTableBase[uIndex] = uNewAddr;
    PageProtectOn();
    return TRUE;
}
// Write uOldAddr back into slot uIndex; the same store as HookSSSDT with
// the saved original. Returns FALSE only for uOldAddr == 0.
// NOTE(review): does not verify that the slot currently holds the hook, nor
// that KeServiceDescriptorTableShadow is set, before writing.
BOOLEAN UnHookSSSDT(ULONG uIndex, ULONG uOldAddr)
{
    if (uOldAddr == 0)
    {
        return FALSE;
    }
    PageProtectOff();
    KeServiceDescriptorTableShadow->ServiceTableBase[uIndex] = uOldAddr;
    PageProtectOn();
    return TRUE;
}
// Replacement for shadow-table slot 378 (NtUserFindWindowEx on the build
// this driver targets). Copies the two UNICODE_STRING headers out of user
// memory, probes their buffers, logs them with KdPrint, and then forwards
// the untouched original arguments to the saved entry point, returning its
// result unchanged. The copies exist only for the log line; any probe
// failure is swallowed by the empty __except and the call is still forwarded.
// NOTE(review): the strings are read here and again by the original routine,
// so the logged values are not guaranteed to be what it actually acts on.
HWND MyNtUserFindWindowEx(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName,
    IN PUNICODE_STRING pstrWindowName)
{
    UNICODE_STRING strClassName;
    UNICODE_STRING strWindowName;
    __try
    {
        // Header copy faults (into __except) if the pointer is not user-space.
        strClassName = ProbeAndReadUnicodeString(pstrClassName);
        strWindowName = ProbeAndReadUnicodeString(pstrWindowName);
        // Buffers are probed separately; the macro only covers the header.
        ProbeForRead(strClassName.Buffer, strClassName.Length, sizeof(WCHAR));
        ProbeForRead(strWindowName.Buffer, strWindowName.Length, sizeof(WCHAR));
        KdPrint(("ClassName %wZ --- WindowName %wZ\n", &strClassName, &strWindowName));
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
    }
    return g_pfnNtUserFindWindowEx(hwndParent, hwndChild, pstrClassName, pstrWindowName);
}
#pragma INITCODE
// Driver entry point. Locates the shadow descriptor array, steps to its
// second entry (the win32k table), attaches to csrss.exe (presumably so that
// table is mapped in the current context), saves slot 378 and replaces it
// with MyNtUserFindWindowEx. RegistryPath is unused. Always returns
// STATUS_SUCCESS, even when no hook was installed.
// NOTE(review): if GetShadowTable() returns NULL, `+= 1` yields a non-NULL
// pointer (one struct size), so the NULL check in GetSSSDTAddr never fires
// and the read targets an invalid address.
// NOTE(review): 378 is a hard-coded, build-specific index and is not checked
// against NumberOfServices.
// NOTE(review): the thread is still attached to csrss when this returns.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    KeServiceDescriptorTableShadow = (PServiceDescriptorTableEntry_t)GetShadowTable();
    KeServiceDescriptorTableShadow += 1;
    g_pKapcState = AttachToCsrss();
    if (g_pKapcState != NULL)
    {
        // Read the original slot first; HookSSSDT does not save it.
        ULONG uAddr = GetSSSDTAddr(378);
        if (uAddr)
        {
            g_pfnNtUserFindWindowEx = (pNtUserFindWindowEx)uAddr;
            KdPrint(("NtUserFindWindowEx: 0x%08X\n", uAddr));
            HookSSSDT(378, (ULONG)MyNtUserFindWindowEx);
        }

    }
    DriverObject->DriverUnload = DriverUnload;
    return status;
}
#pragma PAGEDCODE
// Restore slot 378 to the saved original (a no-op returning FALSE when none
// was saved, since g_pfnNtUserFindWindowEx stays NULL), detach using the APC
// state recorded in DriverEntry, and free it.
// NOTE(review): the detach runs on the unload thread, not the thread that
// attached in AttachToCsrss.
// NOTE(review): nothing waits for calls already inside MyNtUserFindWindowEx
// before the slot is restored and the image is unloaded.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{

    UnHookSSSDT(378, (ULONG)g_pfnNtUserFindWindowEx);
    if (g_pKapcState != NULL)
    {
        KeUnstackDetachProcess(g_pKapcState);
        ExFreePool(g_pKapcState);
    }
    KdPrint(("DriverEntry unLoading...\n"));

}