/*
windows2003 x86/x64 windows7 x86 windows2008 R2 x64测试通过
*/ #include <ntddk.h>
#include "nt_help.h"
DRIVER_INITIALIZE DriverEntry;

/*
 * Private copies of the (undocumented) object-manager type structures.
 * The driver only reads/writes TypeInfo.OpenProcedure (and reads
 * DeleteProcedure for a debug print), but every field *before* TypeInfo
 * and every field before OpenProcedure inside it must match the running
 * kernel exactly, otherwise the pointer store in DriverEntry lands on some
 * other field of the live OBJECT_TYPE. The WINVER conditionals switch
 * between the pre-Vista and Vista+ layouts; nothing on this page checks
 * the layout at run time, so the file header's "tested on ..." list is the
 * only evidence that these offsets are right.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
USHORT Length;
BOOLEAN UseDefaultObject;
BOOLEAN CaseInsensitive;
#if WINVER>=0x0600
ULONG ObjectTypeCode; // Vista+ only; shifts everything below by 4 bytes
#endif
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
BOOLEAN MaintainTypeList;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
PVOID DumpProcedure;
PVOID OpenProcedure;   // replaced by HookSectionOpen in DriverEntry, cleared in DriverUnload
PVOID CloseProcedure;
PVOID DeleteProcedure; // only printed by DriverEntry
PVOID ParseProcedure;
PVOID SecurityProcedure;
PVOID QueryNameProcedure;
PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE {
#if WINVER<0x0600
ERESOURCE Mutex; // pre-Vista only; absent on Vista+ layouts
#endif
LIST_ENTRY TypeList;
UNICODE_STRING Name; // Copy from object header for convenience
PVOID DefaultObject;
ULONG Index;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo;
} OBJECT_TYPE, *POBJECT_TYPE;

/* Kernel-exported pointer to the Section object type; the driver dereferences
 * it through the private OBJECT_TYPE layout above. */
extern POBJECT_TYPE* MmSectionObjectType;
/* Address of nt!NtCreateSection, resolved in DriverEntry with
 * MmGetSystemRoutineAddress. HookSectionOpen's stack walk looks for a return
 * address inside [pNtCreateSection, pNtCreateSection + 0x300). Never checked
 * for NULL anywhere on this page. */
PVOID pNtCreateSection = NULL;
/* Image base/size of the first entry returned by SystemModuleInformation
 * (assumed by GetNtImgBase to be ntoskrnl); used by the x64 stack walk.
 * `= {}` is a compiler extension before C23 — `= {0}` is the portable form. */
SYSTEM_MODULE_INFORMATION ntModInfo = {};

#pragma alloc_text(INIT, DriverEntry)

/*
 * DevicePassthrough - handler installed on every IRP major function.
 * Completes the IRP with STATUS_SUCCESS without inspecting it. The driver
 * never creates a device object on this page, so nothing should reach it.
 * irpSp is fetched and then unused.
 */
NTSTATUS DevicePassthrough(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION irpSp;
irpSp = IoGetCurrentIrpStackLocation(Irp); // unused local
Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}

/*
 * DriverUnload - removes the Section-type OpenProcedure hook.
 * NOTE(review): this stores NULL instead of the value that was present
 * before DriverEntry replaced it; DriverEntry prints that value but never
 * saves it, so if the kernel had a real OpenProcedure here it is lost.
 * Nothing on this page waits for in-flight HookSectionOpen calls before the
 * image is unmapped, so a call that started just before the unload may still
 * be running in freed code.
 */
VOID DriverUnload (IN PDRIVER_OBJECT DriverObject)
{
(*MmSectionObjectType)->TypeInfo.OpenProcedure = NULL;
KdPrint(("DriverUnload Done!\n"));
}

/*
 * HookSectionOpen - OB_OPEN_METHOD installed on the Section object type.
 *
 * Called by the object manager whenever a handle to a section is being
 * opened, in the context of the calling thread. The function does not use
 * its own parameters at all; instead it walks its own stack looking for the
 * frame of nt!NtCreateSection and reads that caller's arguments
 * (SectionPageProtection, AllocationAttributes, FileHandle) out of the
 * system-call frame. When they look like an executable image mapping it
 * references the file handle and prints the file name.
 *
 * Always returns STATUS_SUCCESS (including on every bail-out), so this is
 * monitoring only: it never blocks an open.
 *
 * The parameter list differs between the pre-Vista and Vista+ OB_OPEN_METHOD
 * prototypes, hence the two signatures.
 *
 * Several integer literals in this function (the shift/add in the esp_end
 * computation, the `*(p - N)` / `*(p + N)` slot offsets, and the access mask
 * passed to ObReferenceObjectByHandle) were lost in extraction; the file
 * does not compile as shown. The original comments say esp_end is the
 * 4K-rounded-up stack address and the slot offsets follow the stack dumps
 * reproduced below.
 */
#if WINVER>=0x0600
NTSTATUS HookSectionOpen(
IN ULONG OpenReason,
IN ULONG AccessMode,
IN PEPROCESS Process OPTIONAL,
IN PVOID Object,
IN ACCESS_MASK* GrantedAccess,
IN ULONG HandleCount
)
#else
NTSTATUS HookSectionOpen(
IN ULONG OpenReason,
IN PEPROCESS Process OPTIONAL,
IN PVOID Object,
IN ACCESS_MASK GrantedAccess,
IN ULONG HandleCount
)
#endif
{
/* Address of a local as an approximation of the current stack pointer. */
PVOID* esp = (PVOID*)&esp;
/* Upper bound of the walk; the original rounds esp up to the next 4K page
 * (shift/add literals missing here). Presumably the kernel stack is assumed
 * to be at most one page above this frame — TODO confirm, a deeper stack
 * would make the walk stop early and silently return. */
PVOID* esp_end = (PVOID*)((((DWORD64)esp>>) + )<<); //4k round up
PVOID* p = esp;
ULONG SectionPageProtection, AllocationAttributes;
HANDLE FileHandle;
NTSTATUS Status;
/*
* do stack walk back to NtCreateSection function
*
* Scan every pointer-sized slot above esp for a value inside
* [pNtCreateSection, pNtCreateSection + 0x300]. 0x300 is an assumed upper
* bound on the size of NtCreateSection; any stack slot holding a value in
* that range matches, not only genuine return addresses. If
* pNtCreateSection is NULL (MmGetSystemRoutineAddress failed) the range is
* [0, 0x300] and the walk will almost always fall through to esp_end.
*/
while (p < esp_end &&
(*p < pNtCreateSection ||
*p > (PVOID)((PBYTE)pNtCreateSection + 0x300)))
p++;
if (p >= esp_end){
//KdPrint(("no found NtCreateSection %p -> %p\n", esp, esp_end));
return STATUS_SUCCESS; // not reached via NtCreateSection: let the open proceed
}
//KdPrint(("%p HookSectionOpen-Object:%p esp:%p %p\n", pNtCreateSection, Object, esp, *p));
#ifdef _WIN64
/*
* esp layout look likes[2003 X64 DUMP]:
fffff800`0104113d nt!KiSystemServiceCopyEnd+0x3 retaddr <-------call nt!NtCreateSection
fffffadf`f662ec00 00000000`00000000 param1
fffffadf`f662ec08 00000000`000f001f param2 DesiredAccess
fffffadf`f662ec10 00000000`00000000
fffffadf`f662ec18 00000000`00000000
fffffadf`f662ec20 00000100`00000010 SectionPageProtection
fffffadf`f662ec28 00000000`01000000 AllocationAttributes
fffffadf`f662ec30 00000000`0000054c FileHandle
* - ...
*/
p++; // step past the slot that pointed into NtCreateSection
/*
* search retaddr -> nt!KiSystemServiceCopyEnd
*
* Continue upward until a slot points anywhere inside the nt image
* (ntModInfo from GetNtImgBase). Per the dump above that slot is the
* system-service return address and the NtCreateSection arguments follow
* it at fixed offsets. Any nt-image pointer left on the stack matches this
* test, not only the KiSystemServiceCopyEnd return address.
*/
while (p < esp_end &&
(*p < ntModInfo.ImageBase ||
*p > (PVOID)((PBYTE)ntModInfo.ImageBase + ntModInfo.ImageSize)))
p++;
if (p >= esp_end){
//KdPrint(("no found nt!KiSystemxxxx %p -> %p\n", esp, esp_end));
return STATUS_SUCCESS;
}
#else
/* stack DUMP from 2003/x86
* ebp = p - 1
fa06f4d8 fa06f540
fa06f4dc 80908715 nt!NtCreateSection+0x15c
...
fa06f540 fa06f564
fa06f544 808234cb nt!KiFastCallEntry+0xf8
fa06f548 fa06f668 param1
*/
/* Follow the saved ebp (the slot just below the return address, per the
 * dump) into the caller's frame, then step past that frame's return
 * address. Offset literal missing here. Assumes frame-pointer-based frames
 * for NtCreateSection on this build — TODO confirm. */
p = (PVOID*)*(p - );
p++;
#endif
/* The three NtCreateSection arguments of interest, read straight from the
 * stack slots the system-call dispatcher copied them into (offsets missing
 * here; see the dumps above). These are the raw caller-supplied values, not
 * anything NtCreateSection has validated. */
SectionPageProtection = (ULONG)*(p + );
AllocationAttributes = (ULONG)*(p + );
FileHandle = *(p + );
//KdPrint(("%x %x %p\n", SectionPageProtection, AllocationAttributes, FileHandle));
/* Only executable image mappings backed by a file are reported. */
if (FileHandle
&& SectionPageProtection == PAGE_EXECUTE
&& (AllocationAttributes == SEC_IMAGE || AllocationAttributes == 0x100000)){
/* windows7 AllocationAttributes = 0x100000 to LoadDriver */
PFILE_OBJECT File;
/* NOTE(review): the handle value comes from a caller-controlled stack slot
 * and is resolved with AccessMode == KernelMode and ObjectType == NULL, so
 * neither the caller's access to the handle nor the object's type is
 * checked before File->FileName is dereferenced below. Passing
 * *IoFileObjectType as the type would at least reject non-file handles.
 * The access-mask argument was lost in extraction. */
Status = ObReferenceObjectByHandle (FileHandle,
,
NULL,
KernelMode,
(PVOID *)&File,
NULL);
if (!NT_SUCCESS(Status)) {
return STATUS_SUCCESS; // could not reference the file: still allow the open
}
/* NOTE(review): FILE_OBJECT.FileName is only guaranteed to be populated
 * while the create request is being processed; reading it here may yield
 * an empty or stale string. A name query through the object manager
 * (e.g. ObQueryNameString) is the supported way to get the path — confirm
 * before relying on this output. */
KdPrint(("FileName:%wZ\n", &File->FileName));
ObDereferenceObject(File);
}
return STATUS_SUCCESS;
}

/*
 * GetNtImgBase - copies the first SystemModuleInformation entry into *modInfo.
 *
 * Queries the required buffer size, allocates it from paged pool, fills it,
 * and copies the first module record (assumed to be ntoskrnl) out before
 * freeing the list. Returns TRUE when the pool allocation succeeded, FALSE
 * otherwise. PSYSMODULELIST / Modules come from nt_help.h; their layout is
 * not visible on this page.
 *
 * NOTE(review): neither NtQuerySystemInformation call is checked. If the
 * size probe fails, `size` is passed to ExAllocatePoolWithTag
 * uninitialised; if the second call fails (e.g. a module loaded between the
 * two calls and the list grew), uninitialised pool is copied into *modInfo
 * and TRUE is still returned, after which HookSectionOpen's x64 range check
 * uses garbage. The size probe's length argument was lost in extraction.
 * `i` is unused. ExFreePoolWithTag would be the matching free for a tagged
 * allocation.
 */
BOOL GetNtImgBase(PSYSTEM_MODULE_INFORMATION modInfo)
{
PSYSMODULELIST sysModuleList = NULL;
ULONG size, i;
NtQuerySystemInformation(SystemModuleInformation, &size, , &size); // size probe, return value ignored
sysModuleList = ExAllocatePoolWithTag(PagedPool, size, 'hlpm');
if (sysModuleList){
NtQuerySystemInformation(SystemModuleInformation, sysModuleList, size, NULL); // return value ignored
/* nt module should be the first one */
*modInfo = *sysModuleList->Modules;
ExFreePool(sysModuleList);
return TRUE;
}
return FALSE;
}

/*
 * DriverEntry - resolves what the hook needs, then installs it.
 *
 * Order matters here: pNtCreateSection and ntModInfo are filled in before
 * the OpenProcedure pointer is swapped, because other CPUs can start calling
 * HookSectionOpen the instant the store below is visible. Fails with
 * STATUS_UNSUCCESSFUL only when GetNtImgBase fails.
 *
 * NOTE(review): pNtCreateSection is never checked for NULL, so a failed
 * MmGetSystemRoutineAddress still installs the hook (which then returns
 * early on every call). The previous OpenProcedure value is printed but not
 * saved, so DriverUnload cannot restore it. The `for` loop's initial value
 * was lost in extraction. Whether this store coexists with kernel patch
 * protection on x64 beyond the versions listed in the file header is not
 * established anywhere on this page. RegistryPath is unused; DWORD is a
 * user-mode typedef (presumably supplied by nt_help.h), ULONG is the usual
 * kernel spelling.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DWORD i;
UNICODE_STRING sFuncName;
RtlInitUnicodeString(&sFuncName, L"NtCreateSection");
pNtCreateSection = MmGetSystemRoutineAddress(&sFuncName); // may be NULL, not checked
if (!GetNtImgBase(&ntModInfo)){
KdPrint(("EnumSysModule nt base failed!\n"));
return STATUS_UNSUCCESSFUL;
}
/* Sanity print: OpenProcedure/DeleteProcedure should look like plausible
 * pointers (or NULL) if the private OBJECT_TYPE layout matches this kernel. */
KdPrint(("nt:%p pNtCreateSection:%p\nMmSectionObjectType:%p %p %p\n",
ntModInfo.ImageBase,
pNtCreateSection,
*MmSectionObjectType,
(*MmSectionObjectType)->TypeInfo.OpenProcedure,
(*MmSectionObjectType)->TypeInfo.DeleteProcedure));
/* Install the hook: a single pointer store, no synchronization, and the old
 * value is not saved. */
(*MmSectionObjectType)->TypeInfo.OpenProcedure = HookSectionOpen;
for (i = ; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
DriverObject->MajorFunction[i] = DevicePassthrough;
DriverObject->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}
