- #include "ntddk.h"
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
#define WORD USHORT
#define DWORD ULONG
// Combine two 16-bit halves into one 32-bit value (low half from a, high half
// from b). Used below to rebuild addresses that the IDTR and IDT entries store split.
#define MAKELONG(a, b) ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) | ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff))) << 16))
#pragma pack(push)
#pragma pack(1) // 1-byte alignment: these structs mirror hardware descriptor layouts
typedef struct _IDTR // IDT register image as stored by SIDT
{
    USHORT IDT_limit;   // table size in bytes minus one
    USHORT IDT_LOWbase; // low 16 bits of the linear base address (array of IDTENTRY)
    USHORT IDT_HIGbase; // high 16 bits of the base address
}IDTR,*PIDTR;
typedef struct _IDT_ENTRY // one 8-byte interrupt gate descriptor
{
    USHORT LowOffset; // handler address, low 16 bits
    USHORT selector;  // code segment selector of the handler
    UCHAR reserved;
    UCHAR type:4;     // gate type (4 bits)
    UCHAR always0:1;  // must be zero (1 bit)
    UCHAR dpl:2;      // descriptor privilege level (2 bits)
    UCHAR present:1;  // present flag (1 bit)
    USHORT HigOffset; // handler address, high 16 bits
}IDTENTRY,*PIDTENTRY; // the base taken from the IDTR points at an array of this type
#pragma pack(pop)
// Prototype of KeSetAffinityThread; HookInterrupt() resolves the routine at
// run time through MmGetSystemRoutineAddress and calls it via this pointer type.
typedef KAFFINITY (*KESETAFFINITYTHREAD)(
__inout PKTHREAD Thread,
__in KAFFINITY Affinity
);
//Global
// Address of the original IDT vector 3 handler: saved by DriverEntry(),
// chained to by NewInterruptFun3() and written back by MyDriverUnload().
ULONG g_InterruptFunc3;
// Re-enable write protection after PageProtectOff(): set CR0.WP (bit 16, the
// 10000h mask) so supervisor writes to read-only pages fault again, then
// re-enable interrupts. CR0 is per-processor, so this only affects the
// processor the caller is running on.
// NOTE(review): `sti` is unconditional and PageProtectOff() does not save
// EFLAGS, so the interrupt flag is not restored to its previous state.
void PageProtectOn()
{
    // restore memory protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h ; set WP
        mov cr0, eax
        sti            ; interrupts back on
    }
}
// Disable interrupts and clear CR0.WP (bit 16) on the current processor so
// that the IDT page can be written in HookInterrupt(). Must be paired with
// PageProtectOn(); the window between the two runs with interrupts off.
void PageProtectOff()
{
    // remove memory protection
    __asm
    {
        cli                 ; no interrupts while WP is clear
        mov eax, cr0
        and eax, not 10000h ; clear WP
        mov cr0, eax
    }
}
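#pragma PAGEDCODE
// Debug helper: read the IDTR of the processor this thread runs on (SIDT) and
// print the table limit, the table base and the handler address of every entry.
// Only that one processor's table is inspected.
VOID GetIdt()
{
    IDTR idtr;
    ULONG uIndex;
    PIDTENTRY pIdt_Entry;
    __asm
    {
        SIDT idtr;
    }
    KdPrint(("%d\n", idtr.IDT_limit));
    pIdt_Entry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
    // %p: the value is a pointer, not an unsigned int.
    KdPrint(("%p\n", pIdt_Entry));
    // limit is (bytes - 1), so the last valid index is limit / sizeof(IDTENTRY).
    for (uIndex = 0; uIndex <= idtr.IDT_limit / sizeof(IDTENTRY); uIndex++)
    {
        // "\n" added: without it successive entries ran together in the log;
        // %lu/%lX match the ULONG index and the LONG produced by MAKELONG.
        KdPrint(("pIdt_Entry[%lu]:%lX\n", uIndex, MAKELONG(pIdt_Entry[uIndex].LowOffset, pIdt_Entry[uIndex].HigOffset)));
    }
}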
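#pragma PAGEDCODE
// Return the handler address recorded in IDT entry InterruptIndex of the
// processor this thread currently runs on (table located via SIDT).
// Returns 0 when InterruptIndex lies beyond the limit reported by the IDTR,
// instead of reading past the table as the unchecked version did.
// Each processor has its own IDT; callers that need a system-wide view must
// pin the thread first (compare HookInterrupt()).
ULONG GetInterruptFuncAddress(ULONG InterruptIndex)
{
    IDTR idtr;
    PIDTENTRY pIdtEntry;
    __asm SIDT idtr;
    // limit is (bytes - 1): the last valid index is limit / sizeof(IDTENTRY),
    // the same bound GetIdt() iterates to.
    if (InterruptIndex > idtr.IDT_limit / sizeof(IDTENTRY))
    {
        return 0;
    }
    pIdtEntry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
    return MAKELONG(pIdtEntry[InterruptIndex].LowOffset, pIdtEntry[InterruptIndex].HigOffset);
}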
// Called from NewInterruptFun3() on every vector 3 (int 3) trap, i.e. in
// interrupt context, before control is passed on to the original handler.
// It only logs the name of the process that raised the trap.
// NOTE(review): the name is read by adding a hard-coded 0x174 to the EPROCESS
// pointer; that offset is specific to one kernel build and the field is
// presumably the image file name — printing it with %s also assumes it is
// NUL-terminated. Verify against the target build.
// NOTE(review): no code_seg pragma has changed the section since the
// `#pragma PAGEDCODE` above GetInterruptFuncAddress(), so this function
// appears to land in the pageable PAGE section; code reached from an
// interrupt must be non-pageable (see the LOCKEDCODE macro at the top).
VOID __stdcall FilterInterruptFunc3()
{
    KdPrint(("CurrentProcess:%s\n", (char*)PsGetCurrentProcess() + 0x174));
}
// Replacement handler that DriverEntry() installs in IDT vector 3. Being
// __declspec(naked) it has no prologue/epilogue: it saves the general
// registers, EFLAGS and FS, loads FS/DS/ES with 0x30 / 0x23 (presumably the
// kernel PCR selector and the flat data selector of x86 Windows — confirm for
// the target build), calls FilterInterruptFunc3(), restores what it saved and
// jumps to the original handler kept in g_InterruptFunc3, which presumably
// does the real work and the iret.
// The pushes and pops mirror each other (pushad/pushfd/push fs ...
// pop fs/popfd/popad), so the stack is handed on exactly as the trap left it.
// NOTE(review): DS and ES are overwritten but never saved or restored, so
// whatever the interrupted code had in them is lost before the original
// handler sees them.
// NOTE(review): like FilterInterruptFunc3() this sits after `#pragma PAGEDCODE`
// and so appears to be pageable; an interrupt gate must point at locked code.
// Detection note: vector 3 resolving to an address outside the kernel/HAL
// images is the observable signature of this kind of hook.
__declspec(naked) void NewInterruptFun3()
{
    __asm
    {
        pushad                    ; save general-purpose registers
        pushfd                    ; save EFLAGS
        push fs                   ; save FS, replaced below
        push 0x30
        pop fs                    ; FS = 0x30
        mov ax, 0x23
        mov ds, ax                ; DS = 0x23
        mov es, ax                ; ES = 0x23
        call FilterInterruptFunc3
        pop fs                    ; restore FS
        popfd
        popad
        jmp g_InterruptFunc3      ; chain to the original vector 3 handler
    }
}
#pragma PAGEDCODE
// Write NewInterruptFunc into IDT entry InterruptIndex on every active
// processor. Each processor has its own IDT and its own CR0, so the routine
// pins the current thread to one processor at a time (KeSetAffinityThread,
// resolved by name), reads that processor's per-processor block pointer from
// fs:[0x20], derives the IDT base from it, clears CR0.WP, patches the low and
// high halves of the handler address, and re-arms WP. Used both to install the
// hook (DriverEntry) and to put the original handler back (MyDriverUnload).
// Hard-coded assumptions to verify against the target build: fs:[0x20] holds
// the processor block pointer and the IDT base pointer sits 0xe8 bytes before it.
// NOTE(review): pKiProcessorBlock points at the single local kPrcb, so
// pKiProcessorBlock[Index] reads past it once Index > 0 — an out-of-bounds
// stack read; only the first iteration uses the value just read from fs:[0x20].
// NOTE(review): CurrentAffinity is not checked against Affinity before the
// call, so on a non-contiguous active mask a non-existent processor is selected.
// NOTE(review): the thread's original affinity (the return value of the first
// KeSetAffinityThread call) is never restored; the caller stays pinned.
// NOTE(review): InterruptIndex is not bounds-checked against the table limit.
// NOTE(review): this function is in the PAGE section yet executes between
// PageProtectOff() and PageProtectOn() with interrupts disabled; a page fault
// in that window is not safe.
void HookInterrupt(ULONG InterruptIndex, ULONG NewInterruptFunc)
{
    ULONG Index, Affinity, CurrentAffinity;
    ULONG fnKeSetAffinityThread;
    ULONG * pKiProcessorBlock;
    UNICODE_STRING usFuncName;
    ULONG kPrcb;
    PIDTENTRY pIdtEntry;
    // Resolve KeSetAffinityThread by name; return silently if it is not found.
    RtlInitUnicodeString(&usFuncName,L"KeSetAffinityThread");
    fnKeSetAffinityThread = (ULONG)MmGetSystemRoutineAddress(&usFuncName);
    if (!MmIsAddressValid((PVOID)fnKeSetAffinityThread))
    {
        return;
    }
    // Walk the active-processor mask one bit at a time, pinning the thread to each.
    Affinity = KeQueryActiveProcessors();
    CurrentAffinity = 1;
    Index = 0;
    while(Affinity)
    {
        Affinity &= ~CurrentAffinity;
        ((KESETAFFINITYTHREAD)fnKeSetAffinityThread)((PKTHREAD)PsGetCurrentThread(),(KAFFINITY)CurrentAffinity);
        CurrentAffinity <<= 1;
        // Now on the selected processor: fetch its per-processor block pointer.
        __asm
        {
            push eax
            mov eax,fs:[0x20]
            mov kPrcb,eax
            pop eax
        }
        pKiProcessorBlock = &kPrcb;
        // Hard-coded: IDT base pointer assumed to sit 0xe8 bytes before the block.
        pIdtEntry = *(PIDTENTRY*)(pKiProcessorBlock[Index] - 0xe8);
        KdPrint(("pIdtEntry:%X\n", pIdtEntry));
        // The IDT page is presumably write-protected, hence WP is cleared around the write.
        PageProtectOff();

        // Only the two offset halves are rewritten; selector/type/dpl/present stay as they were.
        pIdtEntry[InterruptIndex].LowOffset =(USHORT)((ULONG)NewInterruptFunc & 0xffff);
        pIdtEntry[InterruptIndex].HigOffset = (USHORT)((ULONG)NewInterruptFunc >> 16);
        PageProtectOn();
        Index++;
    }
    KdPrint(("Index:%d\n", Index));
    return;
}
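#pragma PAGEDCODE
// Driver unload: write the saved original handler back into IDT vector 3 on
// every processor, then log. pDriverObject is required by the DRIVER_UNLOAD
// signature but not used here (previously left unreferenced without a marker).
VOID MyDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    // Restore first, so no trap can reach NewInterruptFun3 once the image is gone.
    HookInterrupt(3, g_InterruptFunc3);
    KdPrint(("DriverEntry unLoading...\n"));
}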
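#pragma INITCODE
// Driver entry point: records the current IDT vector 3 (int 3) handler as seen
// from the processor DriverEntry runs on (all processors are assumed to share
// it), installs NewInterruptFun3 in its place on every processor and registers
// MyDriverUnload to undo that.
// Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when no handler address could
// be read — an address of 0 would otherwise be chained to by NewInterruptFun3
// and written back on unload.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    // Save the original handler before touching the table; NewInterruptFun3
    // jumps to it and MyDriverUnload restores it.
    g_InterruptFunc3 = GetInterruptFuncAddress(3);
    if (g_InterruptFunc3 == 0)
    {
        return STATUS_UNSUCCESSFUL;
    }
    HookInterrupt(3, (ULONG)NewInterruptFun3);

    pDriverObject->DriverUnload = MyDriverUnload;
    return STATUS_SUCCESS;
}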