
通用ssdt hook的详解以及代码的编写

Driver.h
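  #ifdef __cplusplus
  extern "C"
  {
  #endif
  #include <ntddk.h>
  NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

  #ifdef __cplusplus
  }
  #endif

  /* Section-placement helpers, used as `#pragma PAGEDCODE` etc. in front of
   * a definition to place it in the pageable ("PAGE"), default (locked) or
   * "INIT" code/data segment. */
  #define PAGEDCODE code_seg("PAGE")
  #define LOCKEDCODE code_seg()
  #define INITCODE code_seg("INIT")

  #define PAGEDDATA data_seg("PAGE")
  #define LOCKEDDATA data_seg()
  #define INITDATA data_seg("INIT")

  /* Element count of a real array; gives a wrong answer for a pointer. */
  #define arraysize(p) (sizeof(p)/sizeof((p)[0]))

  VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

  /* Layout of the service descriptor table entry as this driver reads it.
   * Packed so that no padding is inserted between the fields. */
  #pragma pack(1)
  typedef struct ServiceDescriptorEntry {
          unsigned int *ServiceTableBase;        // table of service routine addresses, indexed by service index
          unsigned int *ServiceCounterTableBase; // only used on checked builds
          unsigned int NumberOfServices;         // number of entries in ServiceTableBase
          unsigned char *ParamTableBase;
  } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
  #pragma pack()

  /* Kernel-exported table pointer with C linkage. The original wrote a bare
   * `extern "C"` here, which is invalid in a C translation unit even though
   * the DriverEntry prototype above is guarded; a plain `extern` is the C
   * spelling of the same declaration. */
  #ifdef __cplusplus
  extern "C" PServiceDescriptorTableEntry_t KeServiceDescriptorTable;
  #else
  extern PServiceDescriptorTableEntry_t KeServiceDescriptorTable;
  #endif

  /* Reads the service routine address stored at uIndex in the table. */
  ULONG GetSDDTAddr(ULONG uIndex);
  /* Writes uNewAddr into the table at uIndex; FALSE when uNewAddr is 0. */
  BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr);
  /* Writes uOldAddr back into the table at uIndex; FALSE when uOldAddr is 0. */
  BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr);
  /* Replacement routine installed in place of the original NtCreateFile;
   * same signature as the NtCreateFile service. */
  NTSTATUS MyNtCreateFile (
      __out PHANDLE FileHandle,
      __in ACCESS_MASK DesiredAccess,
      __in POBJECT_ATTRIBUTES ObjectAttributes,
      __out PIO_STATUS_BLOCK IoStatusBlock,
      __in_opt PLARGE_INTEGER AllocationSize,
      __in ULONG FileAttributes,
      __in ULONG ShareAccess,
      __in ULONG CreateDisposition,
      __in ULONG CreateOptions,
      __in_bcount_opt(EaLength) PVOID EaBuffer,
      __in ULONG EaLength);

  /* Pointer type used to hold the original NtCreateFile service address. */
  typedef NTSTATUS (*PFNNtCreateFile) (
      __out PHANDLE FileHandle,
      __in ACCESS_MASK DesiredAccess,
      __in POBJECT_ATTRIBUTES ObjectAttributes,
      __out PIO_STATUS_BLOCK IoStatusBlock,
      __in_opt PLARGE_INTEGER AllocationSize,
      __in ULONG FileAttributes,
      __in ULONG ShareAccess,
      __in ULONG CreateDisposition,
      __in ULONG CreateOptions,
      __in_bcount_opt(EaLength) PVOID EaBuffer,
      __in ULONG EaLength);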
Driver.cpp
  1. #include "Driver.h"

  // Original NtCreateFile service address, saved by DriverEntry before the
  // table entry is overwritten. MyNtCreateFile forwards to it and
  // DriverUnload writes it back. Stays NULL when the lookup in DriverEntry
  // yields 0, in which case no hook is installed.
  PFNNtCreateFile g_pfnNtCreateFile = NULL;

  // Re-enable kernel write protection: set bit 16 (WP) of CR0, then
  // re-enable interrupts on the current processor with `sti`.
  // NOTE(review): `sti` is unconditional, so interrupts end up enabled even
  // if they were already off before PageProtectOff() ran. CR0 and cli/sti
  // are per-processor state, so this pair does not protect the table write
  // in HookSSDT/UnHookSSDT from other processors — confirm the target is
  // assumed to be single-processor. x86 only: MSVC rejects `__asm` for x64.
  void PageProtectOn()
  {
          //restore memory protection
          __asm
          {
                  mov eax, cr0
                  or eax, 10000h
                  mov cr0, eax
                  sti
          }
  }

  // Disable kernel write protection: mask interrupts on the current
  // processor with `cli`, then clear bit 16 (WP) of CR0 so that the
  // read-only service table page can be written by HookSSDT/UnHookSSDT.
  // NOTE(review): the previous interrupt state is not saved, so the
  // matching PageProtectOn() cannot restore it. x86 only (`__asm`).
  void PageProtectOff()
  {
          //remove memory protection
          __asm
          {
                  cli
                  mov eax, cr0
                  and eax, not 10000h
                  mov cr0, eax
          }
  }

  // Replacement for the NtCreateFile service (installed by DriverEntry).
  // If the object name contains "1.txt" the call is logged and refused with
  // STATUS_UNSUCCESSFUL; every other call is forwarded unchanged to the
  // saved original routine in g_pfnNtCreateFile.
  //
  // NOTE(review): ObjectName->Buffer is passed to wcsstr, which scans for a
  // NUL terminator. A UNICODE_STRING is not guaranteed to be terminated, and
  // Buffer may be NULL when Length is 0 — an over-read or NULL dereference
  // here runs in kernel mode and crashes the machine. A length-bounded
  // comparison against ObjectName->Length would be the safe form — confirm.
  // NOTE(review): the refused path returns without writing IoStatusBlock;
  // callers of a system service presumably expect it to be filled in.
  // NOTE(review): g_pfnNtCreateFile is called without a NULL check; it is
  // only ever set when the hook is installed, so this holds as long as the
  // routine is never reached by another path.
  NTSTATUS MyNtCreateFile (
      __out PHANDLE FileHandle,
      __in ACCESS_MASK DesiredAccess,
      __in POBJECT_ATTRIBUTES ObjectAttributes,
      __out PIO_STATUS_BLOCK IoStatusBlock,
      __in_opt PLARGE_INTEGER AllocationSize,
      __in ULONG FileAttributes,
      __in ULONG ShareAccess,
      __in ULONG CreateDisposition,
      __in ULONG CreateOptions,
      __in_bcount_opt(EaLength) PVOID EaBuffer,
      __in ULONG EaLength
      )
  {
          if (ObjectAttributes && ObjectAttributes->ObjectName)
          {
                  // Substring match: any path containing "1.txt" is refused.
                  if (wcsstr(ObjectAttributes->ObjectName->Buffer, L"1.txt"))
                  {
                          KdPrint(("NtCreateFile %wZ\n", ObjectAttributes->ObjectName));
                          return STATUS_UNSUCCESSFUL;
                  }
          }

          // Pass-through to the original service for everything else.
          return g_pfnNtCreateFile(
                  FileHandle,
                  DesiredAccess,
                  ObjectAttributes,
                  IoStatusBlock,
                  AllocationSize,
                  FileAttributes,
                  ShareAccess,
                  CreateDisposition,
                  CreateOptions,
                  EaBuffer,
                  EaLength);
  }



  #pragma PAGEDCODE
  // Returns the service routine address stored at uIndex in
  // KeServiceDescriptorTable->ServiceTableBase.
  // NOTE(review): uIndex is not checked against NumberOfServices, so an
  // out-of-range index reads past the table. Placed in the pageable
  // section, so it must only be called at PASSIVE_LEVEL — confirm for
  // callers other than DriverEntry.
  ULONG GetSDDTAddr(ULONG uIndex)
  {
          // (A debug loop that printed every ServiceTableBase entry with
          // KdPrint used to live here; it was left commented out.)

          ULONG uAddr = (ULONG)KeServiceDescriptorTable->ServiceTableBase[uIndex];

          return uAddr;
  }


  // Writes uNewAddr into the service table at uIndex, temporarily lifting
  // write protection around the store. Returns FALSE (and writes nothing)
  // when uNewAddr is 0, TRUE otherwise.
  // NOTE(review): uIndex is not range-checked and the store is not made
  // atomic with respect to other processors (see PageProtectOff).
  BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr)
  {
          BOOLEAN bApplied = (uNewAddr != 0);

          if (bApplied)
          {
                  PageProtectOff();
                  KeServiceDescriptorTable->ServiceTableBase[uIndex] = uNewAddr;
                  PageProtectOn();
          }

          return bApplied;
  }


  // Writes uOldAddr back into the service table at uIndex, temporarily
  // lifting write protection around the store. Returns FALSE (and writes
  // nothing) when uOldAddr is 0, TRUE otherwise. Same shape as HookSSDT;
  // the two exist only to make call sites read clearly.
  BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr)
  {
          BOOLEAN bRestored = (uOldAddr != 0);

          if (bRestored)
          {
                  PageProtectOff();
                  KeServiceDescriptorTable->ServiceTableBase[uIndex] = uOldAddr;
                  PageProtectOn();
          }

          return bRestored;
  }

  #pragma INITCODE
  // Driver entry point: reads the address stored at service index 37, saves
  // it in g_pfnNtCreateFile, replaces the table entry with MyNtCreateFile
  // and registers DriverUnload. Always returns STATUS_SUCCESS.
  // NOTE(review): 37 is presumably the NtCreateFile index on the author's
  // Windows build; service indices differ between versions, so on another
  // build this hooks a different service — confirm before use.
  // NOTE(review): the return value of HookSSDT is ignored, and RegistryPath
  // is unused.
  NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
  {
    NTSTATUS status = STATUS_SUCCESS;

    ULONG uAddr = GetSDDTAddr(37);
    // A 0 entry is treated as "not found": nothing is saved or hooked.
    if (uAddr)
    {
            g_pfnNtCreateFile = (PFNNtCreateFile)uAddr;
            KdPrint(("NtCreateFile: 0x%08X\n", uAddr));
            HookSSDT(37, (ULONG)MyNtCreateFile);
    }

    DriverObject->DriverUnload = DriverUnload;
    return status;
  }

  #pragma PAGEDCODE
  // Unload routine: writes the saved original address back at index 37.
  // When no hook was installed g_pfnNtCreateFile is still NULL, and
  // UnHookSSDT rejects the 0 value, so the table is left untouched.
  // NOTE(review): nothing waits for threads that may still be executing
  // MyNtCreateFile when the driver image is unloaded; a call in flight at
  // that moment returns into unmapped code — confirm how this is handled.
  // NOTE(review): the log message says "DriverEntry unLoading" although it
  // is DriverUnload that runs; left as is since it is runtime output.
  VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
  {
    
    UnHookSSDT(37, (ULONG)g_pfnNtCreateFile);
    KdPrint(("DriverEntry unLoading...\n"));
    
  }
