// Driver.h
//
// Declarations for a tutorial 32-bit (x86) driver that replaces the
// NtCreateFile entry of the System Service Descriptor Table (SSDT)
// with a filter routine (MyNtCreateFile) and restores it on unload.
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif
// Section-placement helpers, used as "#pragma PAGEDCODE" etc. before a definition.
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
// Element count of a real array; gives a wrong answer when p is a pointer
// (e.g. an array parameter, which has decayed to a pointer).
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
// Layout of one service descriptor table entry, packed so it matches the
// kernel's in-memory structure byte for byte. The table entries are
// unsigned int, so service addresses only fit on a 32-bit build.
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;          // array of service routine addresses, indexed by service number
    unsigned int *ServiceCounterTableBase;   // only used on checked builds
    unsigned int NumberOfServices;           // number of entries in ServiceTableBase
    unsigned char *ParamTableBase;           // NOTE(review): not used by this driver; meaning not established here
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
// The kernel's own descriptor table. Declared with C++ linkage syntax, so this
// header is C++-only despite the __cplusplus guards above.
// NOTE(review): presumably resolved from the 32-bit kernel export; confirm it
// is available on the target build before relying on it.
extern "C" PServiceDescriptorTableEntry_t KeServiceDescriptorTable;
// Returns the address currently stored at ServiceTableBase[uIndex].
ULONG GetSDDTAddr(ULONG uIndex);
// Stores uNewAddr at ServiceTableBase[uIndex]; returns FALSE (and writes nothing) only when uNewAddr is 0.
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr);
// Stores uOldAddr at ServiceTableBase[uIndex]; returns FALSE (and writes nothing) only when uOldAddr is 0.
BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr);
// Replacement for NtCreateFile with the same signature; defined in Driver.cpp.
NTSTATUS MyNtCreateFile (
    __out PHANDLE FileHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_opt PLARGE_INTEGER AllocationSize,
    __in ULONG FileAttributes,
    __in ULONG ShareAccess,
    __in ULONG CreateDisposition,
    __in ULONG CreateOptions,
    __in_bcount_opt(EaLength) PVOID EaBuffer,
    __in ULONG EaLength);
// Pointer type matching NtCreateFile, used to call the saved original routine.
typedef NTSTATUS (*PFNNtCreateFile) (
    __out PHANDLE FileHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_opt PLARGE_INTEGER AllocationSize,
    __in ULONG FileAttributes,
    __in ULONG ShareAccess,
    __in ULONG CreateDisposition,
    __in ULONG CreateOptions,
    __in_bcount_opt(EaLength) PVOID EaBuffer,
    __in ULONG EaLength);
// Driver.cpp
#include "Driver.h"
// Address of the original NtCreateFile service, captured in DriverEntry before
// the table entry is replaced. MyNtCreateFile forwards to it and DriverUnload
// writes it back into the table. Stays NULL if the lookup in DriverEntry fails.
PFNNtCreateFile g_pfnNtCreateFile = NULL;
// Re-enables kernel write protection by setting CR0.WP (bit 16), then
// re-enables interrupts with sti. Counterpart of PageProtectOff.
// x86-only: 32-bit __asm is not accepted by the MSVC x64 compiler.
// NOTE(review): sti is unconditional, so the interrupt state that existed
// before PageProtectOff's cli is not restored (EFLAGS is never saved) —
// confirm callers only run with interrupts enabled.
// NOTE(review): cli/sti only affect the current CPU; other CPUs are not
// prevented from running while write protection is lifted.
void PageProtectOn()
{
    // restore memory protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h        ; set WP (bit 16)
        mov cr0, eax
        sti                   ; interrupts back on
    }
}
// Lifts kernel write protection so that a read-only page (the service table)
// can be written: disables interrupts on this CPU with cli, then clears
// CR0.WP (bit 16). Must be paired with PageProtectOn.
// x86-only: 32-bit __asm is not accepted by the MSVC x64 compiler.
// NOTE(review): toggling CR0.WP to patch kernel tables is the kind of
// modification 64-bit Windows kernel patch protection is designed to detect;
// this code targets a 32-bit kernel only.
void PageProtectOff()
{
    // remove memory protection
    __asm
    {
        cli                   ; interrupts off on this CPU
        mov eax, cr0
        and eax, not 10000h   ; clear WP (bit 16)
        mov cr0, eax
    }
}
// Service routine installed in place of NtCreateFile.
// Rejects any create whose object name contains "1.txt" with
// STATUS_UNSUCCESSFUL; every other call is forwarded unchanged to the
// original routine saved in g_pfnNtCreateFile. Parameters and return value
// are those of NtCreateFile.
// NOTE(review): ObjectAttributes and ObjectName are caller-supplied; for a
// system call they presumably originate in user mode and are dereferenced
// here without ProbeForRead/__try, so a malformed request can bug-check the
// system instead of failing cleanly.
// NOTE(review): wcsstr requires a NUL-terminated string, but a UNICODE_STRING
// Buffer is only valid for Length bytes and need not be terminated, so the
// search can read past the end of the buffer.
// NOTE(review): the match is a substring test, so any name containing "1.txt"
// (e.g. "11.txt") is rejected, and IoStatusBlock is left untouched on that path.
// NOTE(review): g_pfnNtCreateFile is not NULL-checked; this relies on
// DriverEntry setting it before installing the hook.
NTSTATUS MyNtCreateFile (
    __out PHANDLE FileHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_opt PLARGE_INTEGER AllocationSize,
    __in ULONG FileAttributes,
    __in ULONG ShareAccess,
    __in ULONG CreateDisposition,
    __in ULONG CreateOptions,
    __in_bcount_opt(EaLength) PVOID EaBuffer,
    __in ULONG EaLength
    )
{
    if (ObjectAttributes && ObjectAttributes->ObjectName)
    {
        // substring match on the (possibly unterminated) name buffer
        if (wcsstr(ObjectAttributes->ObjectName->Buffer, L"1.txt"))
        {
            KdPrint(("NtCreateFile %wZ\n", ObjectAttributes->ObjectName));
            return STATUS_UNSUCCESSFUL;
        }
    }
    // pass everything else through to the saved original service
    return g_pfnNtCreateFile(
        FileHandle,
        DesiredAccess,
        ObjectAttributes,
        IoStatusBlock,
        AllocationSize,
        FileAttributes,
        ShareAccess,
        CreateDisposition,
        CreateOptions,
        EaBuffer,
        EaLength);
}
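#pragma PAGEDCODE
// Returns the service routine address stored at ServiceTableBase[uIndex],
// or 0 when uIndex is not a valid entry (uIndex >= NumberOfServices).
// Callers already treat 0 as "not found", so the range check is backward
// compatible; previously an out-of-range index read beyond the table.
ULONG GetSDDTAddr(ULONG uIndex)
{
    // Bound the index by the table's own entry count so a bad index cannot
    // turn into an out-of-bounds read of kernel memory.
    if (uIndex >= KeServiceDescriptorTable->NumberOfServices)
    {
        return 0;
    }
    return (ULONG)KeServiceDescriptorTable->ServiceTableBase[uIndex];
}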
// Stores uNewAddr at ServiceTableBase[uIndex], lifting write protection only
// for the duration of the store. Returns FALSE and writes nothing when
// uNewAddr is 0; otherwise TRUE.
// NOTE(review): uIndex is not range-checked against NumberOfServices, and the
// store is not synchronized with other CPUs that may be dispatching services.
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr)
{
    if (!uNewAddr)
    {
        return FALSE;
    }

    // Resolve the slot first; only the store itself needs WP lifted.
    unsigned int *pSlot = &KeServiceDescriptorTable->ServiceTableBase[uIndex];

    PageProtectOff();
    *pSlot = uNewAddr;
    PageProtectOn();

    return TRUE;
}
// Writes uOldAddr back into ServiceTableBase[uIndex], lifting write protection
// only for the duration of the store. Returns FALSE and writes nothing when
// uOldAddr is 0 (no saved original); otherwise TRUE.
// NOTE(review): same caveats as HookSSDT — no range check on uIndex and no
// synchronization with other CPUs.
BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr)
{
    if (!uOldAddr)
    {
        return FALSE;
    }

    // Resolve the slot first; only the store itself needs WP lifted.
    unsigned int *pSlot = &KeServiceDescriptorTable->ServiceTableBase[uIndex];

    PageProtectOff();
    *pSlot = uOldAddr;
    PageProtectOn();

    return TRUE;
}
#pragma INITCODE
// Driver entry point. Reads the service address at SSDT index 37, saves it
// in g_pfnNtCreateFile, installs MyNtCreateFile in that slot and registers
// DriverUnload. Always returns STATUS_SUCCESS, even when the lookup returned
// 0 and no hook was installed. RegistryPath is unused.
// NOTE(review): 37 is a hard-coded service number assumed to be NtCreateFile;
// the table layout differs between Windows builds, so on another build this
// replaces an unrelated service with MyNtCreateFile — confirm for the target.
// NOTE(review): HookSSDT's return value is discarded.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG uAddr = GetSDDTAddr(37);
    if (uAddr)
    {
        // save the original before the slot is overwritten; MyNtCreateFile forwards to it
        g_pfnNtCreateFile = (PFNNtCreateFile)uAddr;
        KdPrint(("NtCreateFile: 0x%08X\n", uAddr));
        HookSSDT(37, (ULONG)MyNtCreateFile);
    }
    DriverObject->DriverUnload = DriverUnload;
    return status;
}
#pragma PAGEDCODE
// Unload routine: writes the saved original address back into SSDT index 37
// and logs. When no hook was installed g_pfnNtCreateFile is still NULL, so
// UnHookSSDT refuses the 0 value and the table is left alone. DriverObject
// is unused.
// NOTE(review): nothing here waits for threads that may still be executing
// MyNtCreateFile, so the image can be unloaded while the routine is in use.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    ULONG uOriginal = (ULONG)g_pfnNtCreateFile;

    UnHookSSDT(37, uOriginal);
    KdPrint(("DriverEntry unLoading...\n"));
}