- #include "ntddk.h"
/* Section-placement pragmas: `#pragma PAGEDCODE` etc. choose the section
 * (pageable PAGE, the default non-paged section, or INIT, which is discarded
 * after DriverEntry) for the code or data that follows. */
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
/* Win32 integer aliases, only needed by MAKELONG below. */
#define WORD USHORT
#define DWORD ULONG
/* Same as the Win32 MAKELONG: the low 16 bits of a become the low word and
 * the low 16 bits of b the high word of the result.  Used to reassemble the
 * split base/offset fields of the IDTR image and of IDT gate descriptors. */
#define MAKELONG(a, b) ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) | ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff))) << 16))
#pragma pack(push)
#pragma pack(1) // byte-packed: these mirror raw descriptor-table layouts
/* Memory image of the IDTR as stored by SIDT: a 16-bit limit followed by the
 * 32-bit linear base, kept here as two USHORT halves. */
typedef struct _IDTR
{
    USHORT IDT_limit;   // offset of the last valid byte of the IDT
    USHORT IDT_LOWbase; // low 16 bits of the IDT base (an array of _IDT_ENTRY)
    USHORT IDT_HIGbase; // high 16 bits of the IDT base
} IDTR, *PIDTR;
/* One 8-byte x86 IDT gate descriptor; the handler offset is split across
 * LowOffset and HigOffset. */
typedef struct _IDT_ENTRY
{
    USHORT LowOffset;  // handler address, low 16 bits
    USHORT selector;   // code segment selector loaded into CS on entry
    UCHAR reserved;
    UCHAR type:4;      // 4 bits
    UCHAR always0:1;   // 1 bit
    UCHAR dpl:2;       // 2 bits
    UCHAR present:1;   // 1 bit
    USHORT HigOffset;  // handler address, high 16 bits
} IDTENTRY, *PIDTENTRY; // the IDT base actually points to an array of these
/* One 8-byte GDT segment descriptor, named after the kernel's KGDTENTRY.
 * The 32-bit high word is viewable either as raw bytes or as bit-fields. */
typedef struct _KGDTENTRY
{
    USHORT LimitLow;
    USHORT BaseLow;
    union {
        struct {
            UCHAR BaseMid;
            UCHAR Flags1; // Declare as bytes to avoid alignment
            UCHAR Flags2; // Problems.
            UCHAR BaseHi;
        } Bytes;
        struct {
            ULONG BaseMid : 8;
            ULONG Type : 5;
            ULONG Dpl : 2;
            ULONG Pres : 1;
            ULONG LimitHi : 4;
            ULONG Sys : 1;
            ULONG Reserved_0 : 1;
            ULONG Default_Big : 1;
            ULONG Granularity : 1;
            ULONG BaseHi : 8;
        } Bits;
    } HighWord;
} KGDTENTRY, *PKGDTENTRY;
#pragma pack(pop)
/* Signature of KeSetAffinityThread, which SetInterrupt resolves at run time
 * through MmGetSystemRoutineAddress.  Pins Thread to the processors in
 * Affinity and returns the thread's previous affinity mask. */
typedef KAFFINITY (*KESETAFFINITYTHREAD)(
    __inout PKTHREAD Thread,
    __in KAFFINITY Affinity
);
//global
/* 6-byte far pointer consumed by `jmp fword ptr [g_FilterJmp]` in
 * NewInterrupt3: 32-bit offset in [0..1], 16-bit selector in [2].
 * Filled by HookInterruptFunc before the vector is switched over. */
USHORT g_FilterJmp[3];
/* Original handler address of the hooked vector, saved by HookInterruptFunc
 * and chained to by NewInterrupt3OfOrigBase. */
ULONG g_OrigInterruptFunc3;
/*
 * Re-enable write protection (CR0.WP, bit 16) and interrupts.  The sti is
 * unconditional, so this must only ever follow PageProtectOff, which
 * disabled them; calling it when interrupts were already off on entry would
 * re-enable them.
 */
void PageProtectOn()
{
    //restore write protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h      // set WP (bit 16)
        mov cr0, eax
        sti
    }
}
/*
 * Disable interrupts (cli) and clear CR0.WP (bit 16) so that ring-0 writes
 * to read-only pages — the IDT and GDT in this file — are not faulted.
 * Must be paired with PageProtectOn on the same processor; the cli/sti pair
 * is also the only mutual exclusion around the descriptor-table writes.
 */
void PageProtectOff()
{
    //remove write protection
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h // clear WP (bit 16)
        mov cr0, eax
    }
}
/*
 * Body of the hook, called from NewInterrupt3OfOrigBase on every hooked
 * interrupt before control chains to the original handler.  Logs the name
 * of the current process.
 *
 * 0x174 is a raw byte offset into the EPROCESS (presumably ImageFileName on
 * the author's target build) — it is build-specific and must be confirmed
 * for any other build.  This is reached from the interrupt gate, so the
 * KdPrint is best-effort only.  Sits before the first #pragma PAGEDCODE and
 * therefore stays in the default, non-paged code section.
 */
VOID __stdcall FilterInterruptFunc3()
{
    const char *procBase = (const char *)PsGetCurrentProcess();
    KdPrint(("CurrentProcess:%s\n", procBase + 0x174));
}
/*
 * Trampoline reached through the far jump in NewInterrupt3, i.e. already
 * running again on the flat kernel code selector.  Saves the general
 * registers and EFLAGS, loads fs/ds/es with kernel-usable selectors, calls
 * FilterInterruptFunc3, restores what it saved and jumps through
 * g_OrigInterruptFunc3 to the original handler.
 *
 * Only fs is saved and restored: ds and es are left at 0x23 when the
 * original handler is entered.  0x30 and 0x23 are the x86 KPCR selector and
 * the ring-3 flat data selector on the builds this targets (KGDT_R0_PCR /
 * KGDT_R3_DATA|3) — confirm for other builds.
 */
__declspec(naked)void NewInterrupt3OfOrigBase()
{
    __asm
    {
        pushad                      // save general-purpose registers
        pushfd                      // save EFLAGS
        push fs
        push 0x30
        pop fs                      // fs -> KPCR selector
        mov ax, 0x23
        mov ds, ax
        mov es, ax                  // flat data selectors for the C callee
        call FilterInterruptFunc3
        pop fs
        popfd
        popad
        jmp g_OrigInterruptFunc3    // chain to the saved original handler
    }
}
/*
 * First instruction executed for the hooked vector.  SetInterrupt points
 * the gate at a code segment whose base is shifted so that the unchanged
 * gate offset lands here; this stub immediately far-jumps through
 * g_FilterJmp (offset:selector, filled by HookInterruptFunc) back onto the
 * flat kernel code selector, into NewInterrupt3OfOrigBase.  Lives in the
 * default (non-paged) code section, before the first #pragma PAGEDCODE.
 */
__declspec(naked) void NewInterrupt3()
{
    __asm
    {
        jmp fword ptr [g_FilterJmp]  // far jump: CS is reloaded from g_FilterJmp[2]
    }
}
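#pragma PAGEDCODE
/*
 * Return the linear address of the handler installed for IDT vector
 * InterruptIndex on the processor this thread is currently running on.
 *
 * Reads the IDTR with SIDT, then reassembles the 32-bit handler offset from
 * the split LowOffset/HigOffset halves of the gate descriptor.  Returns 0
 * when the vector lies beyond the IDT limit reported by SIDT (or beyond the
 * 256 vectors an x86 IDT can hold), so the table is never read past its end.
 */
ULONG GetInterruptFuncAddress(ULONG InterruptIndex)
{
    IDTR idtr;
    PIDTENTRY pIdtEntry;
    ULONG lastByte;

    __asm SIDT idtr;

    /* IDT_limit is the offset of the last valid byte; vector i occupies
     * bytes [i*8, i*8+7].  The 256 guard also keeps the multiply in range. */
    if (InterruptIndex >= 256)
    {
        return 0;
    }
    lastByte = (ULONG)((InterruptIndex + 1) * sizeof(IDTENTRY) - 1);
    if (lastByte > idtr.IDT_limit)
    {
        return 0;
    }

    pIdtEntry = (PIDTENTRY)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
    return MAKELONG(pIdtEntry[InterruptIndex].LowOffset, pIdtEntry[InterruptIndex].HigOffset);
}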
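#pragma PAGEDCODE
/*
 * Install (bIsNew == TRUE) or remove (FALSE) the hook for IDT vector
 * InterruptIndex on every active processor.
 *
 * InterruptIndex  vector whose gate selector is rewritten (the caller uses 3).
 * uNewBase        segment base programmed into the spare GDT slot; ignored
 *                 when bIsNew is FALSE.
 * bIsNew          TRUE: gate -> spare code segment; FALSE: gate -> kernel
 *                 code selector 8 and the spare slot is zeroed.
 *
 * Every processor has its own IDT and GDT, so the current thread is pinned
 * to one processor at a time and that processor's tables are located through
 * its PRCB pointer (fs:[0x20]).  The thread's original affinity is restored
 * before returning.  Returns silently if KeSetAffinityThread cannot be
 * resolved.  Table writes are bracketed by PageProtectOff/On (CR0.WP cleared,
 * interrupts off), and the GDT slot is always complete before the gate
 * selector refers to it.
 *
 * Fixes versus the earlier version: the per-processor tables were read via
 * `(&kPrcb)[Index]`, which walks off the single local for Index > 0 (only
 * correct on one-CPU machines); bits missing from the active-processor mask
 * were still used as affinities; and the thread was left pinned afterwards.
 */
void SetInterrupt(ULONG InterruptIndex, ULONG uNewBase, BOOLEAN bIsNew)
{
    /* Spare GDT slot used for the hook.  A selector is index * 8 (RPL 0,
     * GDT), so slot 21 is selector 168 — the values the original code
     * hard-coded.  Index 1 / selector 8 is the kernel code segment that is
     * cloned on install and restored on removal. */
    enum {
        KERNEL_CODE_INDEX = 1,
        KERNEL_CODE_SELECTOR = KERNEL_CODE_INDEX * 8,
        HOOK_GDT_INDEX = 21,
        HOOK_GDT_SELECTOR = HOOK_GDT_INDEX * 8
    };
    ULONG Index;
    KAFFINITY ActiveMask, RemainingMask, CurrentAffinity;
    KAFFINITY SavedAffinity = 0;
    BOOLEAN bAffinitySaved = FALSE;
    KESETAFFINITYTHREAD fnKeSetAffinityThread;
    UNICODE_STRING usFuncName;
    ULONG kPrcb;
    PIDTENTRY pIdtEntry;
    PKGDTENTRY pGdt;

    RtlInitUnicodeString(&usFuncName, L"KeSetAffinityThread");
    fnKeSetAffinityThread = (KESETAFFINITYTHREAD)MmGetSystemRoutineAddress(&usFuncName);
    /* MmGetSystemRoutineAddress returns NULL when the export is missing. */
    if (fnKeSetAffinityThread == NULL || !MmIsAddressValid((PVOID)fnKeSetAffinityThread))
    {
        return;
    }

    ActiveMask = KeQueryActiveProcessors();
    RemainingMask = ActiveMask;
    CurrentAffinity = 1;
    Index = 0;
    while (RemainingMask != 0)
    {
        KAFFINITY PreviousAffinity;

        if ((ActiveMask & CurrentAffinity) == 0)
        {
            /* Gap in the active mask: never pin the thread to a processor
             * that does not exist. */
            CurrentAffinity <<= 1;
            continue;
        }
        RemainingMask &= ~CurrentAffinity;

        PreviousAffinity = fnKeSetAffinityThread((PKTHREAD)PsGetCurrentThread(), CurrentAffinity);
        if (!bAffinitySaved)
        {
            /* Affinity the thread had before the first pin; restored below. */
            SavedAffinity = PreviousAffinity;
            bAffinitySaved = TRUE;
        }
        CurrentAffinity <<= 1;

        /* Now running on exactly one processor: fetch its PRCB pointer. */
        __asm
        {
            push eax
            mov eax, fs:[0x20]
            mov kPrcb, eax
            pop eax
        }

        /* The IDT and GDT pointers are read at fixed negative offsets from
         * the PRCB (i.e. inside the enclosing KPCR) on the x86 builds this
         * was written for — NOTE(review): build-specific, confirm on target. */
        pIdtEntry = *(PIDTENTRY *)(kPrcb - 0xe8);
        KdPrint(("pIdtEntry:%X\n", pIdtEntry));
        pGdt = *(PKGDTENTRY *)(kPrcb - 0xe4);
        KdPrint(("pGdt:%X--%X--%X--%X\n", pGdt, pGdt[KERNEL_CODE_INDEX].BaseLow,
                 pGdt[KERNEL_CODE_INDEX].HighWord.Bits.BaseMid,
                 pGdt[KERNEL_CODE_INDEX].HighWord.Bits.BaseHi));

        PageProtectOff();
        if (bIsNew)
        {
            /* Clone the kernel code descriptor (type, DPL, limit, flags),
             * then re-base it; the gate is switched over only once the
             * descriptor is complete. */
            RtlCopyMemory(&pGdt[HOOK_GDT_INDEX], &pGdt[KERNEL_CODE_INDEX], sizeof(KGDTENTRY));
            pGdt[HOOK_GDT_INDEX].BaseLow = (USHORT)(uNewBase & 0xffff);
            pGdt[HOOK_GDT_INDEX].HighWord.Bytes.BaseMid = (UCHAR)((uNewBase >> 16) & 0xff);
            pGdt[HOOK_GDT_INDEX].HighWord.Bytes.BaseHi = (UCHAR)(uNewBase >> 24);
            pIdtEntry[InterruptIndex].selector = HOOK_GDT_SELECTOR;
        }
        else
        {
            /* Reverse order on removal: detach the gate first, then clear
             * the descriptor it used to reference. */
            pIdtEntry[InterruptIndex].selector = KERNEL_CODE_SELECTOR;
            memset(&pGdt[HOOK_GDT_INDEX], 0, sizeof(KGDTENTRY));
        }
        PageProtectOn();

        Index++;
    }

    /* Undo the pinning so the caller's thread is not left on the last CPU. */
    if (bAffinitySaved)
    {
        fnKeSetAffinityThread((PKTHREAD)PsGetCurrentThread(), SavedAffinity);
    }
    KdPrint(("Index:%d\n", Index));
    return;
}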
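#pragma PAGEDCODE
/*
 * Redirect IDT vector InterruptIndex so that, in linear terms, it lands on
 * NewInterruptFunc.
 *
 * The gate's offset is left untouched; instead a code segment whose base is
 * (NewInterruptFunc - original handler) is installed, so that
 * base + offset == NewInterruptFunc (the subtraction intentionally wraps
 * modulo 2^32).  g_FilterJmp is prepared first so the far jump in
 * NewInterrupt3 is valid by the time SetInterrupt switches the vector.
 *
 * Only one vector is supported at a time: the original handler is kept in
 * the single global g_OrigInterruptFunc3 regardless of InterruptIndex.
 * Does nothing if the current handler address cannot be read (0).
 */
void HookInterruptFunc(ULONG InterruptIndex, ULONG NewInterruptFunc)
{
    enum { KERNEL_CODE_SELECTOR = 8 };
    ULONG uNewBase;
    ULONG trampoline;

    g_OrigInterruptFunc3 = GetInterruptFuncAddress(InterruptIndex);
    if (g_OrigInterruptFunc3 == 0)
    {
        return;
    }
    uNewBase = NewInterruptFunc - g_OrigInterruptFunc3;

    /* g_FilterJmp is the 6-byte far pointer (offset:selector) consumed by
     * `jmp fword ptr [g_FilterJmp]`; fill it word by word instead of
     * through an aliasing ULONG* store. */
    trampoline = (ULONG)NewInterrupt3OfOrigBase;
    g_FilterJmp[0] = (USHORT)(trampoline & 0xffff);
    g_FilterJmp[1] = (USHORT)(trampoline >> 16);
    g_FilterJmp[2] = KERNEL_CODE_SELECTOR;

    SetInterrupt(InterruptIndex, uNewBase, TRUE);
}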
#pragma PAGEDCODE
/*
 * Remove the hook on IDT vector InterruptIndex: SetInterrupt points the gate
 * back at kernel code selector 8 and zeroes the spare GDT slot.  No segment
 * base is needed for removal, hence the 0.
 */
void UnHookInterruptFunc(ULONG InterruptIndex)
{
    const ULONG unusedBase = 0;
    SetInterrupt(InterruptIndex, unusedBase, FALSE);
}
#pragma PAGEDCODE
/*
 * Unload routine: removes the INT 3 hook on every processor, then logs.
 * Nothing here waits for a processor that may still be inside the hook
 * stubs when the vector is switched back — NOTE(review): confirm whether a
 * grace period is needed before the image is unmapped.
 */
VOID MyDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    const ULONG hookedVector = 3;
    UNREFERENCED_PARAMETER(pDriverObject);

    UnHookInterruptFunc(hookedVector);
    KdPrint(("DriverEntry unLoading...\n"));
}
#pragma INITCODE
/*
 * Driver entry point: registers the unload routine and installs the INT 3
 * hook, routing the vector to NewInterrupt3.  Always reports
 * STATUS_SUCCESS — SetInterrupt exposes no failure to propagate.
 * RegistryPath is unused.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    pDriverObject->DriverUnload = MyDriverUnload;
    HookInterruptFunc(3, (ULONG)NewInterrupt3);
    return STATUS_SUCCESS;
}