#include "ntddk.h"
/* MSVC section-placement helpers: the function or data that follows one of
 * these #pragma lines is placed in the PAGE (pageable) or INIT (discarded
 * after DriverEntry) segment; the parameterless forms return to the default
 * non-paged segment. Note that a code_seg pragma stays in effect for every
 * definition that follows it until it is reset. */
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
/* Byte-packed mirror of the kernel's service descriptor table entry. The
 * field order and packing must match the kernel's own layout exactly,
 * because the code below reads and writes ServiceTableBase[] through it. */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;        /* table of system service routine addresses; patched in place below */
unsigned int *ServiceCounterTableBase; /* only used on checked builds */
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
/* Imported from the x86 kernel. This driver overwrites entries of its
 * ServiceTableBase at runtime (SearchKiFastCallEntry / NewNtCreateFile);
 * an entry pointing outside the kernel image is exactly the artifact that
 * kernel integrity checks look for. */
__declspec (dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
/* Re-enable kernel write protection after a patch: sets CR0.WP (bit 16,
 * 0x10000) and then re-enables interrupts with sti. Pairs with
 * PageProtectOff(); every write to read-only kernel memory in this file is
 * bracketed by the two.
 * NOTE(review): cli/sti and CR0 are per-processor state, so this only
 * affects the CPU the driver is currently running on. The ordering is also
 * asymmetric with PageProtectOff (there, cli precedes the CR0 write). */
void PageProtectOn()
{
//restore memory protection
__asm
{
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
}
/* Disable kernel write protection: masks interrupts with cli, then clears
 * CR0.WP (bit 16). With WP clear, ring-0 writes to pages mapped read-only
 * (kernel code, the service table) no longer fault, which is what allows the
 * RtlCopyMemory patches below to succeed. Must be followed by
 * PageProtectOn() on every path.
 * NOTE(review): only the current processor is affected; there is no
 * protection against other CPUs observing the half-written patch. */
void PageProtectOff()
{
//remove memory protection
__asm
{
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
}
/* Function-pointer type with the NtCreateFile prototype, used to call the
 * saved original service routine from NewNtCreateFile. */
typedef NTSTATUS (*pNtCreateFile)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer,
IN ULONG EaLength
);
//global
/* Original value of KeServiceDescriptorTable.ServiceTableBase[37] saved by
 * SearchKiFastCallEntry() and restored by NewNtCreateFile(). */
ULONG g_ntCreateFile;
/* Address inside KiFastCallEntry where the 5-byte JMP is written
 * (0 if SearchHookPointer() did not find the signature). Checked by
 * UnHookKiFastCallEntry() before restoring the original bytes. */
ULONG g_kifastcall_hookpoint;
/* Continuation address (g_kifastcall_hookpoint + 5) that NewKiFastCallEntry
 * jumps to after re-executing the overwritten instructions. */
ULONG g_goto_OrigFunc;
#pragma PAGEDCODE
/* Scan backwards from StartAddress for the 5-byte sequence
 * 2B E1 C1 E9 02 (x86 "sub esp,ecx / shr ecx,2", the instructions that
 * NewKiFastCallEntry re-executes), trying at most 200 start positions.
 * Returns the address at which the sequence begins, or 0 if it is not found
 * in that window. No lower bound is enforced on the memory read. */
ULONG SearchHookPointer(ULONG StartAddress)
{
UCHAR *cursor = (UCHAR *)StartAddress;
ULONG remaining = 200;
while (remaining > 0)
{
if (cursor[0] == 0x2b && cursor[1] == 0xe1 && cursor[2] == 0xc1 &&
cursor[3] == 0xe9 && cursor[4] == 0x02)
{
return (ULONG)cursor;
}
cursor--;
remaining--;
}
return 0;
}
#pragma PAGEDCODE
/* Called by the NewKiFastCallEntry stub on every system call that passes the
 * hook point. __stdcall so the naked stub can push the two arguments and
 * rely on the callee to pop them; the stub pushes eax then edi, so
 * ServiceTableBase receives edi and FuncIndex receives eax.
 * Only calls that go through KeServiceDescriptorTable with service index
 * 122 (0x7A) are logged; which service that index denotes depends on the
 * kernel build -- TODO confirm. The log line reads a hard-coded offset
 * (0x174) into the current EPROCESS, presumably the image file name on the
 * targeted build; that offset is version-specific -- TODO confirm. */
void __stdcall FilterKiFastCallEntry(ULONG ServiceTableBase, ULONG FuncIndex)
{
if (ServiceTableBase != (ULONG)KeServiceDescriptorTable.ServiceTableBase)
{
return;
}
if (FuncIndex != 122)
{
return;
}
KdPrint(("%s\n", (char*)PsGetCurrentProcess() + 0x174));
}
/* Inline-hook stub that receives control from the 5-byte JMP that
 * HookKiFastCallEntry() writes into KiFastCallEntry. Naked: no prologue or
 * epilogue, so the register state is exactly what the dispatcher had.
 *   - pushad/pushfd preserve every general register and EFLAGS;
 *   - edi and eax are handed to the __stdcall FilterKiFastCallEntry
 *     (pushed right-to-left, so edi -> ServiceTableBase, eax -> FuncIndex;
 *     stdcall means the callee pops both arguments);
 *   - popfd/popad restore the saved state;
 *   - "sub esp,ecx / shr ecx,2" re-executes the two instructions the JMP
 *     overwrote (bytes 2B E1 C1 E9 02, the signature SearchHookPointer
 *     scans for);
 *   - the final jmp goes through the g_goto_OrigFunc variable, i.e. back to
 *     KiFastCallEntry at hook point + 5.
 * NOTE(review): the last #pragma code_seg in effect above is PAGEDCODE and
 * nothing resets it, so this stub (and the functions after it) are placed
 * in the pageable PAGE section even though they execute on the system-call
 * entry path -- confirm this is acceptable for the target kernel. */
__declspec(naked) void NewKiFastCallEntry()
{
__asm
{
pushad
pushfd

push eax
push edi
call FilterKiFastCallEntry
popfd
popad
sub esp,ecx
shr ecx,2
jmp g_goto_OrigFunc
}
}
/* Restore the five original bytes (2B E1 C1 E9 02) at the KiFastCallEntry
 * hook point, undoing HookKiFastCallEntry(). Does nothing when no hook point
 * was recorded (g_kifastcall_hookpoint == 0). The write is bracketed by
 * PageProtectOff()/PageProtectOn() because the target page is read-only.
 * Called from MyDriverUnload. */
void UnHookKiFastCallEntry()
{
static const UCHAR original_bytes[5] = {0x2b, 0xe1, 0xc1, 0xe9, 0x02};
if (g_kifastcall_hookpoint != 0)
{
PageProtectOff();
RtlCopyMemory((PVOID)g_kifastcall_hookpoint, original_bytes, sizeof(original_bytes));
PageProtectOn();
}
}
/* Write a 5-byte relative JMP (E9 rel32) at HookPointer that transfers
 * control to NewKiFastCallEntry. rel32 is computed relative to the end of
 * the JMP instruction (HookPointer + 5); the subtraction is done in ULONG
 * and wraps as intended for backward targets. The write is bracketed by
 * PageProtectOff()/PageProtectOn() because kernel code pages are read-only.
 * Caller is responsible for passing a valid, non-zero HookPointer. */
void HookKiFastCallEntry(ULONG HookPointer)
{
UCHAR jmp_stub[5];
ULONG rel32 = (ULONG)NewKiFastCallEntry - (HookPointer + 5);

jmp_stub[0] = 0xe9;
RtlCopyMemory(&jmp_stub[1], &rel32, sizeof(rel32));

PageProtectOff();
RtlCopyMemory((PVOID)HookPointer, jmp_stub, sizeof(jmp_stub));
PageProtectOn();
}
/* Temporary replacement for service table entry 37 (installed by
 * SearchKiFastCallEntry). Its purpose is not to filter the call but to
 * discover where KiFastCallEntry is: the inline asm reads this function's
 * own return address from [ebp+4], which is the instruction in the
 * dispatcher following the call into the service routine. That read assumes
 * the compiler emits a standard ebp frame and does not inline this
 * function -- TODO confirm under the build's optimisation settings.
 *
 * From that address it scans backwards for the hook signature, installs the
 * inline hook, restores slot 37 to the saved original routine, and finally
 * forwards the call unchanged. Each step is bracketed by
 * PageProtectOff()/PageProtectOn() where read-only memory is written.
 * NOTE(review): the code proceeds to HookKiFastCallEntry() even when the
 * search failed (g_kifastcall_hookpoint == 0), and nothing guards against
 * two concurrent callers both taking this path before slot 37 is restored. */
NTSTATUS NewNtCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer,
IN ULONG EaLength
)
{
ULONG u_call_retAddr;
/* Return address of this call = location inside the dispatcher. */
__asm
{
pushad
mov eax, [ebp + 0x4]
mov u_call_retAddr, eax
popad
}
KdPrint(("u_call_retAddr: %x\n", u_call_retAddr));
g_kifastcall_hookpoint = SearchHookPointer(u_call_retAddr);

if (g_kifastcall_hookpoint == 0)
{
KdPrint(("search failed!\n"));
}
else
{
KdPrint(("search success %x\n", g_kifastcall_hookpoint));
}
/* Continuation for the stub: first byte after the 5-byte JMP. */
g_goto_OrigFunc = g_kifastcall_hookpoint + 5;
HookKiFastCallEntry(g_kifastcall_hookpoint);
PageProtectOff();

/* Put the original service routine back; this function is no longer needed. */
KeServiceDescriptorTable.ServiceTableBase[37] = (unsigned int)g_ntCreateFile;

PageProtectOn();
/* Forward to the original routine with all arguments unchanged. */
return ((pNtCreateFile)g_ntCreateFile)(
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
AllocationSize,
FileAttributes,
ShareAccess,
CreateDisposition,
CreateOptions,
EaBuffer,
EaLength);
}
#pragma PAGEDCODE
/* Save the service routine in KeServiceDescriptorTable slot 37 (treated by
 * this driver as NtCreateFile) into g_ntCreateFile and point the slot at
 * NewNtCreateFile, which will locate KiFastCallEntry on its first call and
 * then restore the slot. The table lives in read-only memory, so the write
 * is bracketed by PageProtectOff()/PageProtectOn(). Called from DriverEntry. */
void SearchKiFastCallEntry()
{
unsigned int *service_table = KeServiceDescriptorTable.ServiceTableBase;

PageProtectOff();
g_ntCreateFile = service_table[37];
service_table[37] = (unsigned int)NewNtCreateFile;
PageProtectOn();
}
#pragma PAGEDCODE
/* Driver unload routine: removes the inline hook from KiFastCallEntry (if one
 * was installed) and logs the unload. Slot 37 of the service table is not
 * touched here because NewNtCreateFile restores it on its first call.
 * pDriverObject is not used. */
VOID MyDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
UnHookKiFastCallEntry();

KdPrint(("DriverEntry unLoading...\n"));
}
- #pragma INITCODE
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
- {
- NTSTATUS status = STATUS_SUCCESS;
- SearchKiFastCallEntry();
- pDriverObject->DriverUnload = MyDriverUnload;
- return status;
- }