#ifndef CXX_IOTIMERINLINEHOOK_H
# include "IoTimerInlineHook.h"
#endif ULONG32 SSDT_NtOpenProcessIndex = ;
pfnNtOpenProcess Old_NtOpenProcess = NULL;
PULONG32 ServiceTableBase = NULL; ULONG32 Old_NtOpenProcessOffset = ; //针对Win7 x64 PVOID NtOpenProcessPassCode = NULL; //释放内存
PVOID Old_NtOpenProcessHeaderBytes = NULL; //释放内存 NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegisterPath)
{ NTSTATUS Status;
PDEVICE_OBJECT DeviceObject = NULL;
UNICODE_STRING uniDeviceName; #ifdef _WIN64
ULONG64 SSDTAddress = NULL;
ULONG32 ulVariable = ; CHAR szFindFunctionName[] = "ZwOpenProcess"; if (GetSSDTAddressInWin7_X64(&SSDTAddress)==FALSE)
{
return STATUS_UNSUCCESSFUL;
} DbgPrint("Win7_X64 SSDT:%p\r\n",SSDTAddress);
DbgPrint("Win7_X64 SSDTBase:%p\r\n",((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase); if (GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWin7_X64(szFindFunctionName,
&SSDT_NtOpenProcessIndex)==FALSE)
{
return STATUS_UNSUCCESSFUL;
} DbgPrint("Win7x64 SSDT_NtOpenProcessIndex:%d\r\n",SSDT_NtOpenProcessIndex); ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase;
Old_NtOpenProcessOffset = (ULONG32)(ServiceTableBase[SSDT_NtOpenProcessIndex]);
ulVariable = Old_NtOpenProcessOffset>>;
Old_NtOpenProcess = (ULONG64)((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase + ulVariable;
DbgPrint("Win7_X64 Old_NtOpenProcess:%p\r\n",ulVariable); #else
ULONG32 SSDTAddress = NULL;
CHAR szFindFunctionName[] = "ZwOpenProcess"; if (GetSSDTAddressInWinXP_X86(&SSDTAddress)==FALSE)
{
return STATUS_UNSUCCESSFUL;
}
DbgPrint("WinXP_X86 SSDT:%p\r\n",SSDTAddress);
DbgPrint("WinXP_X86 SSDTBase:%p\r\n",((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase); if (GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWinXP_X86(szFindFunctionName,
&SSDT_NtOpenProcessIndex)==FALSE)
{
return STATUS_UNSUCCESSFUL;
}
DbgPrint("WinXP_X86 SSDT_NtOpenProcessIndex:%d\r\n",SSDT_NtOpenProcessIndex); //先保存原先的函数地址
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase;
Old_NtOpenProcess = (pfnNtOpenProcess)(ServiceTableBase[SSDT_NtOpenProcessIndex]);
DbgPrint("WinXP_X86 Old_NtOpenProcess:%p\r\n",Old_NtOpenProcess); #endif RtlInitUnicodeString(&uniDeviceName,DEVICE_NAME); Status = IoCreateDevice(DriverObject,,&uniDeviceName,FILE_DEVICE_UNKNOWN,,FALSE,&DeviceObject); if (!NT_SUCCESS(Status))
{
return Status;
} IoInitializeTimer(DeviceObject,(PIO_TIMER_ROUTINE)CallBackProcedure,NULL);
IoStartTimer(DeviceObject); DriverObject->DriverUnload = UnloadDriver; return Status;
} VOID
CallBackProcedure(PDEVICE_OBJECT DeviceObject,PVOID Context)
{ #ifdef _WIN64
InlineHookSSDTWin7_X64((ULONG64)Old_NtOpenProcess,(ULONG64)Fake_NtOpenProcess,);
#else
InlineHookSSDTWinXP_X86((ULONG32)Old_NtOpenProcess,(ULONG32)Fake_NtOpenProcess,);
#endif } VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{ IoStopTimer(DriverObject->DeviceObject);
if (DriverObject->DeviceObject!=NULL)
{
IoDeleteDevice(DriverObject->DeviceObject);
} #ifdef _WIN64 UnInlineHookSSDTWin7_X64((ULONG64)Old_NtOpenProcess,(ULONG64)Old_NtOpenProcessHeaderBytes,); if (Old_NtOpenProcessHeaderBytes!=NULL)
{
ExFreePool(Old_NtOpenProcessHeaderBytes);
Old_NtOpenProcessHeaderBytes = NULL;
} if (NtOpenProcessPassCode!=NULL)
{
ExFreePool(NtOpenProcessPassCode);
NtOpenProcessPassCode = NULL;
}
#else UnInlineHookSSDTWinXP_X86((ULONG32)Old_NtOpenProcess,(ULONG32)Old_NtOpenProcessHeaderBytes,); if (Old_NtOpenProcessHeaderBytes!=NULL)
{
ExFreePool(Old_NtOpenProcessHeaderBytes);
Old_NtOpenProcessHeaderBytes = NULL;
} if (NtOpenProcessPassCode!=NULL)
{
ExFreePool(NtOpenProcessPassCode);
NtOpenProcessPassCode = NULL;
}
#endif } BOOLEAN GetSSDTAddressInWinXP_X86(ULONG32* SSDTAddress)
{
//从NtosKernel.exe 模块中的导出表获得该导出变量 KeServiceDescriptorTable /*
kd> dd KeServiceDescriptorTable
80563520 804e58a0 00000000 0000011c 805120bc
*/
*SSDTAddress = NULL;
*SSDTAddress = (ULONG32)GetExportVariableAddressFormNtosExportTableByVariableName(L"KeServiceDescriptorTable"); if (*SSDTAddress!=NULL)
{
return TRUE;
} return FALSE;
} PVOID
GetExportVariableAddressFormNtosExportTableByVariableName(WCHAR *wzVariableName)
{
UNICODE_STRING uniVariableName;
PVOID VariableAddress = NULL; if (wzVariableName && wcslen(wzVariableName) > )
{
RtlInitUnicodeString(&uniVariableName, wzVariableName); //从Ntos模块的导出表中获得一个导出变量的地址
VariableAddress = MmGetSystemRoutineAddress(&uniVariableName);
} return VariableAddress;
} VOID UnInlineHookSSDTWinXP_X86(ULONG32 ulCurrentVariable,ULONG32 ulOldVariable,ULONG32 ulPatchSize)
{
WPOFF();
memcpy((PVOID)ulCurrentVariable,(PVOID)ulOldVariable,ulPatchSize);
WPON();
} BOOLEAN InlineHookSSDTWinXP_X86(ULONG32 ulOldVariable,ULONG32 ulFakeVariable,ULONG32 ulPatchSize)
{
UCHAR v1[] = "\xe9\x00\x00\x00\x00";
UCHAR v2[] = "\xe9\x00\x00\x00\x00";
ULONG32 ulTemp = ; /*
kd> u 8058270A
nt!NtOpenProcess:
8058270a 68c4000000 push 0C4h
8058270f 68d8524f80 push offset nt!ObWatchHandles+0x25c (804f52d8)
80582714 e85a17f6ff call nt!_SEH_prolog (804e3e73)
80582719 33f6 xor esi,esi
8058271b 8975d4 mov dword ptr [ebp-2Ch],esi
8058271e 33c0 xor eax,eax
80582720 8d7dd8 lea edi,[ebp-28h]
80582723 ab stos dword ptr es:[edi]
*/ Old_NtOpenProcessHeaderBytes = ExAllocatePool(NonPagedPool,ulPatchSize); if (Old_NtOpenProcessHeaderBytes==NULL)
{
return FALSE;
} WPOFF();
memcpy(Old_NtOpenProcessHeaderBytes,(PVOID)ulOldVariable,ulPatchSize);
// Old_NtOpenProcessHeaderBytes[ 68c4000000 ]
WPON(); NtOpenProcessPassCode = ExAllocatePool(NonPagedPool,(ulPatchSize+));
if (NtOpenProcessPassCode==NULL)
{ if (Old_NtOpenProcessHeaderBytes!=NULL)
{
ExFreePool(Old_NtOpenProcessHeaderBytes);
Old_NtOpenProcessHeaderBytes = NULL;
}
return FALSE;
} RtlFillMemory(NtOpenProcessPassCode,ulPatchSize+,0x90); //NOP
//NtOpenProcessPassCode[0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90] memcpy((PUCHAR)NtOpenProcessPassCode,Old_NtOpenProcessHeaderBytes,ulPatchSize);
//NtOpenProcessPassCode[ 68c4000000 0x90 0x90 0x90 0x90 0x90] ulTemp=(ULONG32)ulOldVariable+ulPatchSize;
//8058270a + 5 = 8058270f = ulTemp *((ULONG32*)&v2[]) = (ULONG32)ulTemp - ((ULONG32)NtOpenProcessPassCode + + ); //第一个+5 是过前5个字节 第二个加 是 新 - (旧+5) memcpy((PUCHAR)NtOpenProcessPassCode+ulPatchSize,v2,); ulTemp = (ULONG32)ulFakeVariable; *((ULONG32*)&v1[]) = (ULONG32)ulTemp - ((ULONG32)ulOldVariable +); WPOFF();
RtlFillMemory((PVOID)ulOldVariable,ulPatchSize,0x90);
memcpy((PVOID)ulOldVariable,v1,);
WPON(); return TRUE;
} BOOLEAN GetSSDTAddressInWin7_X64(ULONG64* SSDTAddress)
{ /*
kd> rdmsr c0000082
msr[c0000082] = fffff800`03ecf640
kd> u fffff800`03ecf640 l 50
nt!KiSystemCall64:
fffff800`03ecf640 0f01f8 swapgs
fffff800`03ecf643 654889242510000000 mov qword ptr gs:[10h],rsp
fffff800`03ecf64c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h]
fffff800`03ecf655 6a2b push 2Bh
fffff800`03ecf657 65ff342510000000 push qword ptr gs:[10h]
fffff800`03ecf65f 4153 push r11
fffff800`03ecf661 6a33 push 33h
fffff800`03ecf663 51 push rcx
fffff800`03ecf664 498bca mov rcx,r10
fffff800`03ecf667 4883ec08 sub rsp,8
fffff800`03ecf66b 55 push rbp
fffff800`03ecf66c 4881ec58010000 sub rsp,158h
fffff800`03ecf673 488dac2480000000 lea rbp,[rsp+80h]
fffff800`03ecf67b 48899dc0000000 mov qword ptr [rbp+0C0h],rbx
fffff800`03ecf682 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi
fffff800`03ecf689 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi
fffff800`03ecf690 c645ab02 mov byte ptr [rbp-55h],2
fffff800`03ecf694 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
fffff800`03ecf69d 0f0d8bd8010000 prefetchw [rbx+1D8h]
fffff800`03ecf6a4 0fae5dac stmxcsr dword ptr [rbp-54h]
fffff800`03ecf6a8 650fae142580010000 ldmxcsr dword ptr gs:[180h]
fffff800`03ecf6b1 807b0300 cmp byte ptr [rbx+3],0
fffff800`03ecf6b5 66c785800000000000 mov word ptr [rbp+80h],0
fffff800`03ecf6be 0f848c000000 je nt!KiSystemCall64+0x110 (fffff800`03ecf750)
fffff800`03ecf6c4 488945b0 mov qword ptr [rbp-50h],rax
fffff800`03ecf6c8 48894db8 mov qword ptr [rbp-48h],rcx
fffff800`03ecf6cc 488955c0 mov qword ptr [rbp-40h],rdx
fffff800`03ecf6d0 f6430303 test byte ptr [rbx+3],3
fffff800`03ecf6d4 4c8945c8 mov qword ptr [rbp-38h],r8
fffff800`03ecf6d8 4c894dd0 mov qword ptr [rbp-30h],r9
fffff800`03ecf6dc 7405 je nt!KiSystemCall64+0xa3 (fffff800`03ecf6e3)
fffff800`03ecf6de e80d140000 call nt!KiSaveDebugRegisterState (fffff800`03ed0af0)
fffff800`03ecf6e3 f6430380 test byte ptr [rbx+3],80h
fffff800`03ecf6e7 7442 je nt!KiSystemCall64+0xeb (fffff800`03ecf72b)
fffff800`03ecf6e9 b9020100c0 mov ecx,0C0000102h
fffff800`03ecf6ee 0f32 rdmsr
fffff800`03ecf6f0 48c1e220 shl rdx,20h
fffff800`03ecf6f4 480bc2 or rax,rdx
fffff800`03ecf6f7 483983b8000000 cmp qword ptr [rbx+0B8h],rax
fffff800`03ecf6fe 742b je nt!KiSystemCall64+0xeb (fffff800`03ecf72b)
fffff800`03ecf700 483983b0010000 cmp qword ptr [rbx+1B0h],rax
fffff800`03ecf707 7422 je nt!KiSystemCall64+0xeb (fffff800`03ecf72b)
fffff800`03ecf709 488b93b8010000 mov rdx,qword ptr [rbx+1B8h]
fffff800`03ecf710 0fba6b4c0b bts dword ptr [rbx+4Ch],0Bh
fffff800`03ecf715 66ff8bc4010000 dec word ptr [rbx+1C4h]
fffff800`03ecf71c 48898280000000 mov qword ptr [rdx+80h],rax
fffff800`03ecf723 fb sti
fffff800`03ecf724 e8170b0000 call nt!KiUmsCallEntry (fffff800`03ed0240)
fffff800`03ecf729 eb0f jmp nt!KiSystemCall64+0xfa (fffff800`03ecf73a)
fffff800`03ecf72b f6430340 test byte ptr [rbx+3],40h
fffff800`03ecf72f 7409 je nt!KiSystemCall64+0xfa (fffff800`03ecf73a)
fffff800`03ecf731 f00fbaab0001000008 lock bts dword ptr [rbx+100h],8
fffff800`03ecf73a 488b45b0 mov rax,qword ptr [rbp-50h]
fffff800`03ecf73e 488b4db8 mov rcx,qword ptr [rbp-48h]
fffff800`03ecf742 488b55c0 mov rdx,qword ptr [rbp-40h]
fffff800`03ecf746 4c8b45c8 mov r8,qword ptr [rbp-38h]
fffff800`03ecf74a 4c8b4dd0 mov r9,qword ptr [rbp-30h]
fffff800`03ecf74e 6690 xchg ax,ax
fffff800`03ecf750 fb sti
fffff800`03ecf751 48898be0010000 mov qword ptr [rbx+1E0h],rcx
fffff800`03ecf758 8983f8010000 mov dword ptr [rbx+1F8h],eax
nt!KiSystemServiceStart:
fffff800`03ecf75e 4889a3d8010000 mov qword ptr [rbx+1D8h],rsp
fffff800`03ecf765 8bf8 mov edi,eax
fffff800`03ecf767 c1ef07 shr edi,7
fffff800`03ecf76a 83e720 and edi,20h
fffff800`03ecf76d 25ff0f0000 and eax,0FFFh
nt!KiSystemServiceRepeat:
fffff800`03ecf772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800`04101840)] fffff800`03ecf772 + 002320c7 + 7 = fffff800`04101840
*/ PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082); //fffff800`03ecf640
PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
PUCHAR i = NULL;
UCHAR v1=,v2=,v3=;
INT64 iOffset = ; //002320c7
ULONG64 VariableAddress = ;
*SSDTAddress = NULL;
for(i=StartSearchAddress;i<EndSearchAddress;i++)
{
if( MmIsAddressValid(i) && MmIsAddressValid(i+) && MmIsAddressValid(i+) )
{
v1=*i;
v2=*(i+);
v3=*(i+);
if(v1==0x4c && v2==0x8d && v3==0x15 )
{
memcpy(&iOffset,i+,);
*SSDTAddress = iOffset + (ULONG64)i + ; break;
}
}
} if (*SSDTAddress==NULL)
{
return FALSE;
} /*
kd> dq fffff800`04101840
fffff800`04101840 fffff800`03ed1300 00000000`00000000
fffff800`04101850 00000000`00000191 fffff800`03ed1f8c */
return TRUE;
} BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWin7_X64(CHAR* szFindFunctionName,ULONG32* SSDTFunctionIndex)
{
/*
0:004> u zwopenprocess
ntdll!NtOpenProcess:
00000000`774ddc10 4c8bd1 mov r10,rcx
00000000`774ddc13 b823000000 mov eax,23h
00000000`774ddc18 0f05 syscall
00000000`774ddc1a c3 ret
00000000`774ddc1b 0f1f440000 nop dword ptr [rax+rax]
*/ ULONG32 ulOffset_SSDTFunctionIndex = ; ULONG i;
BOOLEAN bOk = FALSE;
WCHAR wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
SIZE_T MappingViewSize = ;
PVOID MappingBaseAddress = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
ULONG32* AddressOfFunctions = NULL;
ULONG32* AddressOfNames = NULL;
USHORT* AddressOfNameOrdinals = NULL;
CHAR* szFunctionName = NULL;
ULONG32 ulFunctionOrdinal = ;
ULONG64 ulFunctionAddress = ; *SSDTFunctionIndex = -; //将Ntdll.dll 当前的空间中
bOk = MappingPEFileInRing0Space(wzFileFullPath,&MappingBaseAddress, &MappingViewSize);
if (bOk==FALSE)
{
return FALSE;
}
else
{
__try{
NtHeader = RtlImageNtHeader(MappingBaseAddress);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
ExportDirectory =(IMAGE_EXPORT_DIRECTORY*)((ULONG64)MappingBaseAddress + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); AddressOfFunctions = (ULONG32*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfFunctions);
AddressOfNames = (ULONG32*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfNames);
AddressOfNameOrdinals = (USHORT*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfNameOrdinals);
for(i = ; i < ExportDirectory->NumberOfNames; i++)
{
szFunctionName = (char*)((ULONG64)MappingBaseAddress + AddressOfNames[i]); //获得函数名称
if (_stricmp(szFunctionName, szFindFunctionName) == )
{
ulFunctionOrdinal = AddressOfNameOrdinals[i];
ulFunctionAddress = (ULONG64)((ULONG64)MappingBaseAddress + AddressOfFunctions[ulFunctionOrdinal]); *SSDTFunctionIndex = *(ULONG32*)(ulFunctionAddress+ulOffset_SSDTFunctionIndex);
break;
}
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
} ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress); if (*SSDTFunctionIndex==-)
{
return FALSE;
} return TRUE;
} VOID UnInlineHookSSDTWin7_X64(ULONG64 ulCurrentVariable,ULONG64 ulOldVariable,ULONG32 ulPatchSize)
{
WPOFF();
memcpy((PVOID)ulCurrentVariable,(PVOID)ulOldVariable,ulPatchSize);
WPON();
} BOOLEAN InlineHookSSDTWin7_X64(ULONG64 ulOldVariable,ULONG64 ulFakeVariable,ULONG32 ulPatchSize)
{
UCHAR v1[]="\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
UCHAR v2[]="\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
ULONG64 ulTemp = ; //保存这14个字节的内容
Old_NtOpenProcessHeaderBytes = ExAllocatePool(NonPagedPool,ulPatchSize); if (Old_NtOpenProcessHeaderBytes==NULL)
{
return FALSE;
}
WPOFF();
memcpy(Old_NtOpenProcessHeaderBytes,(PVOID)ulOldVariable,ulPatchSize);
WPON(); //构建保存原先的前14个字节的内容和跳转到14个字节之后的指令的内容
NtOpenProcessPassCode = ExAllocatePool(NonPagedPool,(ulPatchSize+));
if (NtOpenProcessPassCode==NULL)
{
ExFreePool(Old_NtOpenProcessHeaderBytes);
Old_NtOpenProcessHeaderBytes = NULL;
return FALSE;
} RtlFillMemory(NtOpenProcessPassCode,ulPatchSize+,0x90);//NOP memcpy((PUCHAR)NtOpenProcessPassCode,Old_NtOpenProcessHeaderBytes,ulPatchSize); //保存原先的14个字节 ulTemp=(ULONG64)ulOldVariable+ulPatchSize; //原先函数14个字节之后的内容所在的地址 Temp = 0x12345678 memcpy(v2+,&ulTemp,); //构建跳转到该地址的Shell memcpy((PUCHAR)NtOpenProcessPassCode+ulPatchSize,v2,ulPatchSize); //保存 //构建跳转到我们Fake函数的Shell
ulTemp = (ULONG64)ulFakeVariable;
memcpy(v1+,&ulTemp,); //修改原先的14个字节为跳转到Fake的指令
WPOFF();
RtlFillMemory((PVOID)ulOldVariable,ulPatchSize,0x90);
memcpy((PVOID)ulOldVariable,v1,ulPatchSize);
WPON();
} VOID WPOFF()
{
//选择性编译,是给编译器看的
#if (defined(_M_AMD64) || defined(_M_IA64)) && !defined(_REALLY_GET_CALLERS_CALLER_)
_disable();
__writecr0(__readcr0() & (~(0x10000)));
#else
__asm
{
CLI ;
MOV EAX, CR0;
AND EAX, NOT 10000H;
MOV CR0, EAX;
}
#endif
}
VOID WPON()
{
#if (defined(_M_AMD64) || defined(_M_IA64)) && !defined(_REALLY_GET_CALLERS_CALLER_)
__writecr0(__readcr0() ^ 0x10000);
_enable();
#else
__asm
{
MOV EAX, CR0;
OR EAX, 10000H;
MOV CR0, EAX;
STI;
}
#endif
} BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWinXP_X86(CHAR* szFindFunctionName,
ULONG32* SSDTFunctionIndex)
{
/*
0:001> u zwopenprocess
ntdll!ZwOpenProcess:
7c92d5e0 b87a000000 mov eax,7Ah
7c92d5e5 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c92d5ea ff12 call dword ptr [edx]
7c92d5ec c21000 ret 10h
7c92d5ef 90 nop
*/ ULONG32 ulOffset_SSDTFunctionIndex = ; //从Ntdll模块的导出表中获得7c92d5e0
//使用内存映射将Ntdll模块映射到System进程的内存空间进行查找(Ntdll.dll模块的导出表中进行搜索)
ULONG i;
BOOLEAN bOk = FALSE;
WCHAR wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
SIZE_T MappingViewSize = ;
PVOID MappingBaseAddress = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
ULONG32* AddressOfFunctions = NULL;
ULONG32* AddressOfNames = NULL;
USHORT* AddressOfNameOrdinals = NULL;
CHAR* szFunctionName = NULL;
ULONG32 ulFunctionOrdinal = ;
ULONG32 ulFunctionAddress = ; *SSDTFunctionIndex = -; //将Ntdll.dll 当前的空间中
bOk = MappingPEFileInRing0Space(wzFileFullPath,&MappingBaseAddress, &MappingViewSize);
if (bOk==FALSE)
{
return FALSE;
}
else
{
__try{
NtHeader = RtlImageNtHeader(MappingBaseAddress);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
ExportDirectory =(IMAGE_EXPORT_DIRECTORY*)((ULONG32)MappingBaseAddress + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); AddressOfFunctions = (ULONG32*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfFunctions);
AddressOfNames = (ULONG32*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfNames);
AddressOfNameOrdinals = (USHORT*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfNameOrdinals);
for(i = ; i < ExportDirectory->NumberOfNames; i++)
{
szFunctionName = (char*)((ULONG32)MappingBaseAddress + AddressOfNames[i]); //获得函数名称
if (_stricmp(szFunctionName, szFindFunctionName) == )
{
ulFunctionOrdinal = AddressOfNameOrdinals[i];
ulFunctionAddress = (ULONG32)((ULONG32)MappingBaseAddress + AddressOfFunctions[ulFunctionOrdinal]); *SSDTFunctionIndex = *(ULONG32*)(ulFunctionAddress+ulOffset_SSDTFunctionIndex);
break;
}
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
} ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress); if (*SSDTFunctionIndex==-)
{
return FALSE;
} return TRUE;
} BOOLEAN
MappingPEFileInRing0Space(WCHAR* wzFileFullPath,OUT PVOID* MappingBaseAddress,PSIZE_T MappingViewSize)
{
UNICODE_STRING uniFileFullPath;
OBJECT_ATTRIBUTES oa;
NTSTATUS Status;
IO_STATUS_BLOCK Iosb; HANDLE hFile = NULL;
HANDLE hSection = NULL; if (!wzFileFullPath || !MappingBaseAddress){
return FALSE;
} RtlInitUnicodeString(&uniFileFullPath, wzFileFullPath);
InitializeObjectAttributes(&oa,
&uniFileFullPath,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL
); //获得文件句柄
Status = IoCreateFile(&hFile,
GENERIC_READ | SYNCHRONIZE,
&oa, //文件绝对路径
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
,
CreateFileTypeNone,
NULL,
IO_NO_PARAMETER_CHECKING
);
if (!NT_SUCCESS(Status))
{ return FALSE;
} oa.ObjectName = NULL;
Status = ZwCreateSection(&hSection,
SECTION_QUERY | SECTION_MAP_READ,
&oa,
NULL,
PAGE_WRITECOPY,
SEC_IMAGE, //?? 指示内存对齐
hFile
);
ZwClose(hFile);
if (!NT_SUCCESS(Status))
{ return FALSE;
}
Status = ZwMapViewOfSection(hSection,
NtCurrentProcess(), //映射到当前进程的内存空间中
MappingBaseAddress,
,
,
,
MappingViewSize,
ViewUnmap,
,
PAGE_WRITECOPY
);
ZwClose(hSection);
if (!NT_SUCCESS(Status))
{
return FALSE;
} return TRUE;
} NTSTATUS Fake_NtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId)
{
PEPROCESS EProcess = PsGetCurrentProcess(); //进程上下背景文
if (EProcess!=NULL)
{
//通过EProcess 获得进程名称 char *szProcessImageName = PsGetProcessImageFileName(EProcess); if (strstr(szProcessImageName,"EnumProcess")!=)
{ return STATUS_ACCESS_DENIED;
}
} if (NtOpenProcessPassCode!=NULL)
{
((pfnNtOpenProcess)NtOpenProcessPassCode)(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
}
}
 /***************************************************************************************
* AUTHOR :
* DATE : 2015-11-1
* MODULE : IoTimerInlineHook.H
*
* IOCTRL Sample Driver
*
* Description:
* Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2010 .
****************************************************************************************/ #ifndef CXX_IOTIMERINLINEHOOK_H
#define CXX_IOTIMERINLINEHOOK_H #include <ntifs.h> #include <ntimage.h>
#define DEVICE_NAME L"\\Device\\IoTimerInlineHookDeviceName" #define SEC_IMAGE 0x01000000 //定义SSDT表的结构
typedef struct _SYSTEM_SERVICE_TABLE_WIN7_X64{
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG64 NumberOfServices; //SSDT表中的函数个数 0x191
PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE_WIN7_X64, *PSYSTEM_SERVICE_TABLE_WIN7_X64; typedef struct _SYSTEM_SERVICE_TABLE_WINXP_X86 {
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG32 NumberOfServices; //SSDT表中的函数个数 0x11c
PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE_WINXP_X86, *PSYSTEM_SERVICE_TABLE_WINXP_X86; extern
char* PsGetProcessImageFileName(PEPROCESS EProcess); extern
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader(PVOID BaseAddress); typedef
NTSTATUS
(*pfnNtOpenProcess)(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId); NTSTATUS Fake_NtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId); #ifdef _WIN64
#define PSYSTEM_SERVICE_TABLE PSYSTEM_SERVICE_TABLE_WIN7_X64
#else
#define PSYSTEM_SERVICE_TABLE PSYSTEM_SERVICE_TABLE_WINXP_X86
#endif VOID UnloadDriver(PDRIVER_OBJECT DriverObject); BOOLEAN GetSSDTAddressInWinXP_X86(ULONG32* SSDTAddress);
BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWinXP_X86(CHAR* szFindFunctionName,
ULONG32* SSDTFunctionIndex);
BOOLEAN InlineHookSSDTWinXP_X86(ULONG32 ulOldVariable,ULONG32 ulFakeVariable,ULONG32 ulPatchSize);
VOID UnInlineHookSSDTWinXP_X86(ULONG32 ulCurrentVariable,ULONG32 ulOldVariable,ULONG32 ulPatchSize); BOOLEAN GetSSDTAddressInWin7_X64(ULONG64* SSDTAddress);
BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWin7_X64(CHAR* szFindFunctionName,ULONG32* SSDTFunctionIndex);
BOOLEAN InlineHookSSDTWin7_X64(ULONG64 ulOldVariable,ULONG64 ulFakeVariable,ULONG32 ulPatchSize);
VOID UnInlineHookSSDTWin7_X64(ULONG64 ulCurrentVariable,ULONG64 ulOldVariable,ULONG32 ulPatchSize); PVOID
GetExportVariableAddressFormNtosExportTableByVariableName(WCHAR *wzVariableName); BOOLEAN
MappingPEFileInRing0Space(WCHAR* wzFileFullPath,OUT PVOID* MappingBaseAddress,PSIZE_T MappingViewSize); VOID WPOFF();
VOID WPON(); VOID
CallBackProcedure(PDEVICE_OBJECT DeviceObject,PVOID Context); #endif

IoTimerInLineHook的更多相关文章

随机推荐

  1. c++ vector 简单实现。

    第二次修改: 1)熟悉基本的模板编程,头文件和定义必须放到一起. 2)熟悉内存管理模板类 allocator<T>. 1.使用标准库的内存管理类 allocator<T> 代替 ...

  2. equals()和hashcode()

    默认调用的情况: 1.集合在存放对象时,首先判断hashcode(),再判断equals如果都是true,认为是相同的两个元素不进行存储. 删除对象时,将从hashcode指定位置查找再删除 2.在h ...

  3. 触发器创建及Navicat中使用

    mysql中的触发器(trigger)使用 Trigger: 示例: mysql,)); Query OK, rows affected (0.03 sec) mysql> CREATE TRI ...

  4. MVC中Url请求与控制器的默认约定

    1.请求的url如:http://localhost:52481/Home/Browse?genre=1控制器方法:public string Browse(string genre) //这里返回值 ...

  5. Oracle一列的多行数据拼成一行显示字符

    Oracle一列的多行数据拼成一行显示字符   oracle 提供了两个函数WMSYS.WM_CONCAT 和 ListAgg函数.    www.2cto.com   先介绍:WMSYS.WM_CO ...

  6. openfire消息通知推送

    package cn.zsmy.utils.openfire; import java.io.BufferedReader; import java.io.InputStreamReader; imp ...

  7. tomcat字符,文档,数据库配置

    修改tomcat目录下conf目录下的server.xml tomcat容器的解码配置 URIEncoding="UTF-8" <Connector port="8 ...

  8. dbca建库时找不到ASM磁盘

    现象 dbca创建数据库时,找不到ASM磁盘组:而grid用户使用asmca却又能看到ASM磁盘组. 解决方法 1. 检查设备的权限,正确的权限为grid:asmadmin 2. 检查GRID_HOM ...

  9. hiho_1066_并查集

    题目大意 给出N个操作,每个操作可能为两种类型之一: 1. 认定两个人属于同一个组织 2. 查询两个人是否是同一个组织 要求对于每个操作类型2,给出结果,即查询的两个人是否属于同一个组织.其中,任何人 ...

  10. iOS开发 判断代理以及代理方法是否有人遵循

    if (self.delegate && [self.delegate respondsToSelector:@selector]) { return YES; }