通过hook KiFastCallEntry来过滤SSDT 或者 Shadow SSDT
Driver.h
#ifdef __cplusplus
- extern "C"
- {
- #endif
- #include <ntddk.h>
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
- #ifdef __cplusplus
- }
- #endif
// Section-placement helpers. Each one expands to the MSVC code_seg/data_seg
// pragma named in its definition and is applied as `#pragma INITCODE` /
// `#pragma PAGEDCODE` directly ahead of a definition (see DriverEntry and
// DriverUnload in Driver.cpp).
#define PAGEDCODE code_seg("PAGE")   // pageable code section
#define LOCKEDCODE code_seg()        // default (non-paged) code section
#define INITCODE code_seg("INIT")    // init-time code, discarded after DriverEntry
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
// Element count of a true array; not valid for pointers or array parameters.
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
// Unload routine registered by DriverEntry; it restores the patched bytes.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
Driver.cpp
#include "Driver.h"
// Address inside KiFastCallEntry where the 5-byte jmp is written
// (located by SearchHookPointer; 0 when the pattern was not found).
ULONG g_KiFastCallEntry_hookpointer;
// Resume address used by the hook stub: hook point + 5, i.e. the first
// instruction after the two instructions the jmp overwrote.
ULONG g_goto_origfunc;
// Original 5 bytes at the hook point, saved before patching and written
// back by UnHookKiFastCallEntry.
UCHAR g_szBackupKiFastCallEntry[5];
// Restore kernel write protection after a patch: set CR0.WP (bit 16) so
// read-only pages are protected again, then re-enable interrupts.
// NOTE(review): `sti` re-enables interrupts unconditionally, regardless of
// their state before the matching PageProtectOff() — confirm every caller
// runs at a level where that is acceptable.
void PageProtectOn()
{
    // (original comment: 恢复内存保护 — restore memory protection)
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
}
// Disable interrupts on this CPU and clear CR0.WP (bit 16) so ring-0 writes
// to read-only pages succeed. Only effective for the CPU that executes it;
// must always be paired with PageProtectOn().
void PageProtectOff()
{
    // (original comment: 去掉内存保护 — remove memory protection)
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
}
// Read IA32_SYSENTER_EIP (MSR 0x176): the address the CPU transfers to on
// SYSENTER, which the kernel points at KiFastCallEntry. Only the low 32 bits
// (EAX) are used on x86. Returns 0 if the MSR reads as zero.
ULONG GetKiFastCallEntryAddr()
{
    ULONG sysenterEip = 0;
    __asm
    {
        mov ecx, 0x176
        rdmsr
        mov sysenterEip, eax
    }
    // A zero value is returned as-is; the caller treats it as "not found".
    return sysenterEip;
}
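// Scan at most 0x200 bytes from StartAddress for the instruction pair
//   2B E1      sub esp, ecx
//   C1 E9 02   shr ecx, 2
// immediately preceded by the 1C 87 tail of 8B 1C 87 (mov ebx, [edi+eax*4]).
// Returns the address of `sub esp, ecx` — the byte the jmp is written to —
// or 0 when StartAddress is 0 or the pattern is not found.
ULONG SearchHookPointer(ULONG StartAddress)
{
    if (StartAddress == 0)
    {
        return 0;
    }

    const UCHAR *p = (const UCHAR *)StartAddress;
    // Start at offset 2 so the look-back at p[i-1]/p[i-2] never reads bytes
    // below StartAddress (the previous loop read two bytes before the window).
    for (ULONG i = 2; i < 0x200; i++)
    {
        if (p[i] == 0x2b && p[i + 1] == 0xe1 && p[i + 2] == 0xc1
            && p[i + 3] == 0xe9 && p[i + 4] == 0x02
            && p[i - 1] == 0x87 && p[i - 2] == 0x1c)
        {
            return (ULONG)(p + i);
        }
    }

    KdPrint(("Find SearchHookPointer faile!\n"));
    return 0;
}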
// Called from the NewKiFastCallEntry stub on every system call with the
// service table base (EDI), the service index (EAX) and the routine the
// kernel resolved from the table (EBX). The value returned here is written
// back into the saved EBX slot and is the routine the kernel dispatches; this
// default implementation passes the original routine through unchanged.
// NOTE(review): the stub pushes three arguments and never pops them, so this
// function must use a callee-cleanup convention (__stdcall, assumed to be the
// build default here) — confirm before changing the calling convention.
ULONG FilterKiFastCallEntry(ULONG uServiceTableBaseAddr, ULONG uIndex, ULONG uOrigFuncAddr)
{
    UNREFERENCED_PARAMETER(uServiceTableBaseAddr);
    UNREFERENCED_PARAMETER(uIndex);
    return uOrigFuncAddr;
}
// Hook stub reached from the jmp placed at `sub esp, ecx` inside
// KiFastCallEntry. At that point the kernel has already executed
// mov ebx, [edi+eax*4], so EDI = service table base, EAX = service index and
// EBX = resolved routine. The stub lets FilterKiFastCallEntry inspect or
// replace EBX, replays the two instructions the jmp overwrote and resumes at
// g_goto_origfunc (hook point + 5). Naked: the compiler emits no prologue or
// epilogue, so every register is preserved manually.
__declspec(naked) void NewKiFastCallEntry()
{
    __asm
    {
        pushad                    // save all general registers (EBX slot at +0x10)
        pushfd                    // save flags; the pushad block now starts at +4
        push ebx                  // arg 3: uOrigFuncAddr
        push eax                  // arg 2: uIndex
        push edi                  // arg 1: uServiceTableBaseAddr
        call FilterKiFastCallEntry
        // NOTE(review): assumes FilterKiFastCallEntry is __stdcall and popped its
        // 12 bytes of arguments, so esp+0x14 is the EBX slot saved by pushad
        // (eflags +0, EDI +4, ESI +8, EBP +0xC, ESP +0x10, EBX +0x14). Under
        // __cdecl the arguments would still be on the stack and popfd/popad
        // would restore the wrong values — confirm the build's default convention.
        mov [esp + 0x14], eax     // the filtered routine becomes the restored EBX
        popfd
        popad
        sub esp,ecx               // replay the 5 overwritten bytes: 2B E1 ...
        shr ecx,2                 // ... C1 E9 02
        jmp g_goto_origfunc       // continue in KiFastCallEntry after the hook
    }
}
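// Restore the 5 original bytes saved by HookKiFastCallEntry. If the hook was
// never installed (g_KiFastCallEntry_hookpointer still 0) there is nothing to
// restore, and writing through address 0 would bug-check, so return instead.
void UnHookKiFastCallEntry()
{
    if (g_KiFastCallEntry_hookpointer == 0)
    {
        return;
    }
    PageProtectOff();
    RtlCopyMemory((PVOID)g_KiFastCallEntry_hookpointer, g_szBackupKiFastCallEntry, 5);
    PageProtectOn();
    // Clear the hook state so a repeated call is a no-op.
    g_KiFastCallEntry_hookpointer = 0;
}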
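// Locate KiFastCallEntry via IA32_SYSENTER_EIP, find the patch point and
// overwrite it with a 5-byte relative jmp (E9 rel32) to NewKiFastCallEntry.
// On failure the globals stay 0 and nothing is written; callers can test
// g_KiFastCallEntry_hookpointer to learn whether the hook is installed.
VOID HookKiFastCallEntry()
{
    ULONG uKiFastCallEntryAddr = GetKiFastCallEntryAddr();
    if (uKiFastCallEntryAddr == 0)
    {
        KdPrint(("GetKiFastCallEntryAddr failed\n"));
        return;
    }
    ULONG uHookPoint = SearchHookPointer(uKiFastCallEntryAddr);
    if (uHookPoint == 0)
    {
        // SearchHookPointer already logged; writing through 0 would bug-check.
        return;
    }

    // Publish the resume address before the patch goes live: the stub reads
    // g_goto_origfunc as soon as the first system call hits the jmp.
    g_goto_origfunc = uHookPoint + 5;
    g_KiFastCallEntry_hookpointer = uHookPoint;

    UCHAR jmp_code[5];
    jmp_code[0] = 0xE9;
    // rel32 is relative to the end of the 5-byte jmp; unsigned wrap-around is
    // intended and yields the correct two's-complement displacement.
    ULONG rel32 = (ULONG)NewKiFastCallEntry - uHookPoint - 5;
    RtlCopyMemory(&jmp_code[1], &rel32, sizeof(rel32));

    PageProtectOff();
    RtlCopyMemory(g_szBackupKiFastCallEntry, (PVOID)uHookPoint, 5);
    RtlCopyMemory((PVOID)uHookPoint, jmp_code, 5);
    PageProtectOn();
    // NOTE(review): the 5-byte write is not atomic; a system call running on
    // another CPU at that moment can execute a partially patched instruction.
    // This is a known limitation of the approach, not addressed here.
}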
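#pragma INITCODE
// Install the KiFastCallEntry hook and register the unload routine.
// Returns STATUS_UNSUCCESSFUL (the driver is not loaded) when the hook could
// not be installed, i.e. g_KiFastCallEntry_hookpointer is still 0 afterwards;
// loading without the hook would leave an unload routine that has nothing to
// restore.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    HookKiFastCallEntry();
    if (g_KiFastCallEntry_hookpointer == 0)
    {
        KdPrint(("DriverEntry: KiFastCallEntry hook not installed\n"));
        return STATUS_UNSUCCESSFUL;
    }
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}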
#pragma PAGEDCODE
// Undo the KiFastCallEntry patch and log the unload; the driver object itself
// is not used.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    UnHookKiFastCallEntry();
    KdPrint(("DriverEntry unLoading...\n"));
}