内核钩子实例
作者:admin 日期:2009-09-28
#include <ntddk.h>
#include <ntimage.h>
#pragma pack(1)
// Layout of the kernel's KeServiceDescriptorTable as this driver expects it (packed, see
// #pragma pack(1) above; 32-bit entries, so x86 only). This is an undocumented kernel
// structure, not a stable interface: its layout is owned by the OS build, not by this driver.
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;        // array of system-service entry points; StartHook/RemoveHook write into it via SYSTEMSERVICE()
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;         // number of slots in ServiceTableBase (never bounds-checked in this file)
unsigned char *ParamTableBase;         // per-service argument byte counts (unused here)
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
// The kernel's exported system service descriptor table (undocumented layout, see struct above).
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
// Resolves a Zw* kernel stub to its SSDT slot: the dword at _function+1 is read as the service
// index. This assumes the 32-bit Zw stub begins with a 5-byte `mov eax, imm32` and is therefore
// x86-only by construction. Writing through this slot patches a kernel-owned table; that is
// unsupported, and on x64 Kernel Patch Protection bugchecks the system when it detects it.
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
#define SDT SYSTEMSERVICE
#define KSDT KeServiceDescriptorTable
//---------------------------------------------------------------------------
//
// Defines
//
//---------------------------------------------------------------------------
#define FILE_DEVICE_UNKNOWN 0x00000022
#define IOCTL_UNKNOWN_BASE FILE_DEVICE_UNKNOWN
#define IOCTL_INIT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
/********************************************************************************
补充定义数据及结构
********************************************************************************/
// Initial-TEB descriptor used only by the Hook_ZwCreateThread prototype and the ZWCreateTHREAD
// typedef in this file. Neither is defined or installed anywhere in this file as shown.
typedef struct _INITIAL_TEB {
PVOID StackBase;
PVOID StackLimit;
PVOID StackCommit;
PVOID StackCommitMax;
PVOID StackReserved;
} INITIAL_TEB, *PINITIAL_TEB;
// Information classes for Zw{Query,Set}SystemInformation (declared below and hooked in this
// file). The enumerator positions are the integer class ids passed to those services, so the
// order must match the target OS build; this is an undocumented table and should be treated
// as version-dependent. Note that SystemLoadAndCallImage / SystemLoadImage are image-loading
// classes, i.e. ZwSetSystemInformation is a second driver-load path besides ZwLoadDriver.
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;
// One record of a SystemHandleInformation query result. Declared for completeness; no
// function in this file as shown references it.
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
/*************************************************************************************************
私有变量
*************************************************************************************************/
// Per-device context; its size is passed to IoCreateDevice in DriverEntry. DriverEntry and
// DispatchIoCtrl fetch the pointer but none of these fields is ever read or written in this file.
typedef struct _DEVICE_EXTENSION
{
PDEVICE_OBJECT DeviceObject;
PKEVENT Event;
BOOLEAN bPCreate;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
// 全局设备对象
// Control device created in DriverEntry (\Device\ITSys); stored for callbacks but not read elsewhere in this file.
PDEVICE_OBJECT g_pDeviceObject;
// Registry path of the service; never assigned anywhere in this file as shown.
UNICODE_STRING g_RegPath;
/********************************************************************************
补充定义函数
********************************************************************************/
NTKERNELAPI NTSTATUS ObQueryNameString (
IN PVOID Object,
IN OUT PUNICODE_STRING Name,
IN ULONG MaximumLength,
OUT PULONG ActualLength
);
NTKERNELAPI NTSTATUS ZwSetSecurityObject(
IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
NTKERNELAPI NTSTATUS ZwTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus );
NTKERNELAPI NTSTATUS ZwOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
NTKERNELAPI NTSTATUS ZwOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
NTKERNELAPI NTSTATUS ZwLoadDriver(
IN PUNICODE_STRING DriverServiceName );
NTKERNELAPI NTSTATUS ZwSetSystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength );
NTKERNELAPI NTSTATUS ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL );
/***********************************************************************************
函数声明
***********************************************************************************/
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
void UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
void StartHook(void);
void RemoveHook(void);
NTSTATUS Hook_ZwWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
NTSTATUS Hook_ZwReadFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
NTSTATUS Hook_ZwSetSystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength );
NTSTATUS Hook_ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL );
NTSTATUS Hook_ZwLoadDriver(
IN PUNICODE_STRING DriverServiceName );
NTSTATUS Hook_ZwSetSecurityObject(
IN HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformationClass,
IN PSECURITY_DESCRIPTOR DescriptorBuffer);
NTSTATUS Hook_ZwOpenKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
NTSTATUS Hook_ZwCreateKey (
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL);
NTSTATUS Hook_ZwSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize);
NTSTATUS Hook_ZwDeleteKey(
IN HANDLE KeyHandle);
NTSTATUS Hook_ZwDeleteValueKey(
IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName);
NTSTATUS Hook_ZwOpenSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUS Hook_ZwCreateSection(
OUT PHANDLE SectionHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG PageAttributess,
IN ULONG SectionAttributes,
IN HANDLE FileHandle OPTIONAL );
NTSTATUS Hook_ZwCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL );
NTSTATUS Hook_ZwCreateProcessEx(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE UnknownHandle );
NTSTATUS Hook_ZwTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus );
NTSTATUS Hook_ZwOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
NTSTATUS Hook_ZwCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended );
NTSTATUS Hook_ZwTerminateThread(
IN HANDLE ThreadHandle,
IN NTSTATUS ExitStatus );
NTSTATUS Hook_ZwOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
NTSTATUS Hook_ZwCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength );
NTSTATUS Hook_ZwOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions );
NTSTATUS Hook_ZwClose(
IN HANDLE ObjectHandle );
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(INIT, StartHook)
#pragma alloc_text(PAGE, DispatchCreate)
#pragma alloc_text(PAGE, DispatchClose)
#pragma alloc_text(PAGE, DispatchIoCtrl)
#pragma alloc_text(PAGE, RemoveHook)
#pragma alloc_text(PAGE, UnloadDriver)
#pragma alloc_text(PAGE, Hook_ZwOpenKey)
#pragma alloc_text(PAGE, Hook_ZwSetSecurityObject)
#pragma alloc_text(PAGE, Hook_ZwCreateKey)
#pragma alloc_text(PAGE, Hook_ZwSetValueKey)
#pragma alloc_text(PAGE, Hook_ZwDeleteKey)
#pragma alloc_text(PAGE, Hook_ZwDeleteValueKey)
#pragma alloc_text(PAGE, Hook_ZwOpenSection)
#pragma alloc_text(PAGE, Hook_ZwCreateSection)
#pragma alloc_text(PAGE, Hook_ZwOpenProcess)
#pragma alloc_text(PAGE, Hook_ZwTerminateProcess)
#pragma alloc_text(PAGE, Hook_ZwOpenThread)
#pragma alloc_text(PAGE, Hook_ZwCreateFile)
#pragma alloc_text(PAGE, Hook_ZwOpenFile)
#pragma alloc_text(PAGE, Hook_ZwClose)
#pragma alloc_text(PAGE, Hook_ZwLoadDriver)
#pragma alloc_text(PAGE, Hook_ZwSetSystemInformation)
#pragma alloc_text(PAGE, Hook_ZwQuerySystemInformation)
#pragma alloc_text(PAGE, Hook_ZwReadFile)
#pragma alloc_text(PAGE, Hook_ZwWriteFile)
#endif
/*******************************************************************************
函数原型定义
********************************************************************************/
typedef NTSTATUS (*ZWLOADDRIVER)(
IN PUNICODE_STRING DriverServiceName );
typedef NTSTATUS (*ZWCreateFILE)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength );
typedef NTSTATUS (*ZWOPENFILE)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions );
typedef NTSTATUS (*ZWCLOSE)(
IN HANDLE ObjectHandle );
typedef NTSTATUS (*ZWWRITEFILE)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
typedef NTSTATUS (*ZWREADFILE)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
typedef NTSTATUS (*ZWCreatePROCESS)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL);
typedef NTSTATUS (*ZWCreatePROCESSEX)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown );
typedef NTSTATUS (*ZWOPENPROCESS)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
typedef NTSTATUS (*ZWTERMINATEPROCESS)(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus );
typedef NTSTATUS (*ZWCreateTHREAD)(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended );
typedef NTSTATUS (*ZWTERMINATETHREAD)(
IN HANDLE ThreadHandle,
IN NTSTATUS ExitStatus );
typedef NTSTATUS (*ZWOPENTHREAD)(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
typedef NTSTATUS (*ZWCreateSECTION)(
OUT PHANDLE SectionHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG PageAttributess,
IN ULONG SectionAttributes,
IN HANDLE FileHandle OPTIONAL );
typedef NTSTATUS (*ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes );
//注册表
typedef NTSTATUS (*ZWCreateKEY) (
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL
);
typedef NTSTATUS (*ZWOPENKEY) (
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef NTSTATUS (*ZWSETVALUEKEY)(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
);
typedef NTSTATUS (*ZWSETSECURITYOBJECT)(
IN HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformationClass,
IN PSECURITY_DESCRIPTOR DescriptorBuffer);
typedef NTSTATUS (*ZWDeleteKEY)(
IN HANDLE KeyHandle);
typedef NTSTATUS (*ZWDeleteVALUEKEY)(
IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName);
typedef NTSTATUS (*ZWSETSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength );
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL );
/***********************************************************
// SDT 原函数地址
***********************************************************/
// Original SSDT entries, captured by StartHook when it swaps each slot for a Hook_* routine
// and written back by RemoveHook. Every Hook_* body forwards to the corresponding pointer here,
// so they must hold the genuine entries for the whole time the hooks are installed; there is
// no guard against a hook running after RemoveHook has restored the slot but before the
// driver image is unmapped.
static ZWCreateFILE OldZwCreateFile;
static ZWOPENFILE OldZwOpenFile;
static ZWCLOSE OldZwClose;
static ZWWRITEFILE OldZwWriteFile;
static ZWREADFILE OldZwReadFile;
static ZWTERMINATEPROCESS OldZwTerminateProcess;
static ZWOPENPROCESS OldZwOpenProcess;
static ZWOPENTHREAD OldZwOpenThread;
static ZWCreateSECTION OldZwCreateSection;
static ZWOPENSECTION OldZwOpenSection;
static ZWCreateKEY OldZwCreateKey;
static ZWSETVALUEKEY OldZwSetValueKey;
static ZWDeleteKEY OldZwDeleteKey;
static ZWDeleteVALUEKEY OldZwDeleteValueKey;
static ZWSETSECURITYOBJECT OldZwSetSecurityObject;
static ZWOPENKEY OldZwOpenKey;
static ZWLOADDRIVER OldZwLoadDriver;
static ZWSETSYSTEMINFORMATION OldZwSetSystemInformation;
static ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
/***********************************************************************************
挂接函数执行体
***********************************************************************************/
/************************************************************************************************
************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwWriteFile (installed by StartHook, removed by RemoveHook).
 * Forwards every argument unchanged to the saved original in OldZwWriteFile and returns its
 * status. The arguments are the caller's raw values: nothing here probes or validates them,
 * and Buffer/IoStatusBlock belong to the caller's address space.
 */
NTSTATUS Hook_ZwWriteFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL )
{
    return OldZwWriteFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
                          Buffer, Length, ByteOffset, Key);
}
/************************************************************************************************
************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwReadFile. Forwards the caller's arguments unchanged to the
 * original service saved in OldZwReadFile and returns its status. Buffer and IoStatusBlock
 * are the caller's memory and are neither probed nor validated here.
 */
NTSTATUS Hook_ZwReadFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL )
{
    return OldZwReadFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
                         Buffer, Length, ByteOffset, Key);
}
/************************************************************************************************
************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwSetSystemInformation. Forwards unchanged to the original in
 * OldZwSetSystemInformation. Note that this service covers the SystemLoadImage /
 * SystemLoadAndCallImage classes (see SYSTEM_INFORMATION_CLASS above), i.e. it is a
 * driver-load path in its own right; nothing is inspected here.
 */
NTSTATUS Hook_ZwSetSystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength )
{
    return OldZwSetSystemInformation(SystemInformationClass, SystemInformation,
                                     SystemInformationLength);
}
/************************************************************************************************
************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwQuerySystemInformation. Forwards unchanged to the original in
 * OldZwQuerySystemInformation and returns its status. SystemInformation and ReturnLength are
 * caller-owned output buffers; they are not validated here.
 */
NTSTATUS Hook_ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL )
{
    return OldZwQuerySystemInformation(SystemInformationClass, SystemInformation,
                                       SystemInformationLength, ReturnLength);
}
/************************************************************************************************
************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwLoadDriver. Forwards the service name unchanged to the
 * original in OldZwLoadDriver and returns its status. DriverServiceName is caller-owned
 * and is not probed here.
 */
NTSTATUS Hook_ZwLoadDriver(
    IN PUNICODE_STRING DriverServiceName )
{
    return OldZwLoadDriver(DriverServiceName);
}
/************************************************************************************************
************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwSetSecurityObject (security-descriptor changes on an object).
 * Forwards unchanged to the original in OldZwSetSecurityObject and returns its status;
 * DescriptorBuffer is caller-owned and is not validated here.
 */
NTSTATUS Hook_ZwSetSecurityObject(
    IN HANDLE ObjectHandle,
    IN SECURITY_INFORMATION SecurityInformationClass,
    IN PSECURITY_DESCRIPTOR DescriptorBuffer)
{
    return OldZwSetSecurityObject(ObjectHandle, SecurityInformationClass, DescriptorBuffer);
}
/************************************************************************************************
ZwOpenKey
************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwOpenKey. Forwards unchanged to the original in OldZwOpenKey
 * and returns its status. ObjectAttributes (and the key name inside it) are caller-owned and
 * are not probed here.
 */
NTSTATUS Hook_ZwOpenKey(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    return OldZwOpenKey(KeyHandle, DesiredAccess, ObjectAttributes);
}
/*************************************************************************************************
挂接函数 ZwCreateKey
***************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwCreateKey. Forwards every argument unchanged to the original
 * in OldZwCreateKey and returns its status. ObjectAttributes, Class and Disposition are
 * caller-owned pointers and are not validated here.
 */
NTSTATUS Hook_ZwCreateKey (
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG TitleIndex,
    IN PUNICODE_STRING Class OPTIONAL,
    IN ULONG CreateOptions,
    OUT PULONG Disposition OPTIONAL
    )
{
    return OldZwCreateKey(KeyHandle, DesiredAccess, ObjectAttributes, TitleIndex,
                          Class, CreateOptions, Disposition);
}
/***************************************************************************************************
****************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwSetValueKey. Forwards unchanged to the original in
 * OldZwSetValueKey and returns its status. ValueName and Data are caller-owned; DataSize is
 * the caller's claim about Data and is not checked here.
 */
NTSTATUS Hook_ZwSetValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize
    )
{
    return OldZwSetValueKey(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
}
/********************************************************************************************************
********************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwDeleteKey. Forwards the handle unchanged to the original in
 * OldZwDeleteKey and returns its status.
 */
NTSTATUS Hook_ZwDeleteKey(IN HANDLE KeyHandle)
{
    return OldZwDeleteKey(KeyHandle);
}
/*********************************************************************************************************
*********************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwDeleteValueKey. Forwards unchanged to the original in
 * OldZwDeleteValueKey and returns its status. ValueName is caller-owned and not probed here.
 */
NTSTATUS Hook_ZwDeleteValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName)
{
    return OldZwDeleteValueKey(KeyHandle, ValueName);
}
/*************************************************************************************************
**************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwOpenSection. Forwards unchanged to the original in
 * OldZwOpenSection and returns its status. ObjectAttributes is caller-owned and not
 * validated here.
 */
NTSTATUS Hook_ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes )
{
    return OldZwOpenSection(SectionHandle, DesiredAccess, ObjectAttributes);
}
/*************************************************************************************************
**************************************************************************************************/
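/*
 * Pass-through SSDT hook for ZwCreateSection. Forwards every argument unchanged to the
 * original in OldZwCreateSection and returns its status.
 *
 * Fix: the previous body returned the original's result and then had a second, unreachable
 * `return rc;` with `rc` never initialized. The dead code and the uninitialized local are
 * removed; behaviour on the live path is unchanged.
 *
 * ObjectAttributes and MaximumSize are caller-owned and are not probed here.
 */
NTSTATUS Hook_ZwCreateSection(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributess,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL )
{
    return OldZwCreateSection(SectionHandle, DesiredAccess, ObjectAttributes,
                              MaximumSize, PageAttributess, SectionAttributes, FileHandle);
}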
/*************************************************************************************************
**************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwTerminateProcess. Forwards unchanged to the original in
 * OldZwTerminateProcess and returns its status. No process is exempted or inspected here.
 */
NTSTATUS Hook_ZwTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus )
{
    return OldZwTerminateProcess(ProcessHandle, ExitStatus);
}
/*************************************************************************************************
**************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwOpenProcess. Forwards unchanged to the original in
 * OldZwOpenProcess and returns its status. ObjectAttributes and ClientId are caller-owned
 * and are not probed here.
 */
NTSTATUS Hook_ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId )
{
    return OldZwOpenProcess(ProcessHandle, AccessMask, ObjectAttributes, ClientId);
}
/*************************************************************************************************
**************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwOpenThread. Forwards unchanged to the original in
 * OldZwOpenThread and returns its status. ObjectAttributes and ClientId are caller-owned
 * and are not probed here.
 */
NTSTATUS Hook_ZwOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId )
{
    return OldZwOpenThread(ThreadHandle, AccessMask, ObjectAttributes, ClientId);
}
/*************************************************************************************************
**************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwCreateFile. Forwards every argument unchanged to the original
 * in OldZwCreateFile and returns its status. ObjectAttributes, IoStatusBlock, AllocationSize
 * and EaBuffer are caller-owned pointers and are not validated here.
 */
NTSTATUS Hook_ZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength )
{
    return OldZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                           AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
                           CreateOptions, EaBuffer, EaLength);
}
/*************************************************************************************************
**************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwOpenFile. Forwards unchanged to the original in OldZwOpenFile
 * and returns its status. ObjectAttributes and IoStatusBlock are caller-owned and are not
 * probed here.
 */
NTSTATUS Hook_ZwOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions )
{
    return OldZwOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                         ShareAccess, OpenOptions);
}
/*************************************************************************************************
**************************************************************************************************/
/*
 * Pass-through SSDT hook for ZwClose. Forwards the handle unchanged to the original in
 * OldZwClose and returns its status.
 *
 * Original author's warning, translated: any scanning done here needs great care, otherwise
 * it bluescreens easily. ZwClose is on every handle-release path in the system, including
 * ones taken during process teardown, so the handle may already be in a state where
 * additional lookups are unsafe.
 */
NTSTATUS Hook_ZwClose(
    IN HANDLE ObjectHandle )
{
    return OldZwClose(ObjectHandle);
}
/*************************************************************************************************
驱动函数入口
**************************************************************************************************/
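/*
 * Driver entry point: creates the control device \Device\ITSys with its user-visible link
 * \DosDevices\ITSys, installs the dispatch routines and the unload handler, then installs the
 * SSDT hooks via StartHook().
 *
 * Fixes relative to the previous version:
 *  - IRP_MJ_CREATE is the WDK major-function constant (the previous text had a miscased name
 *    that does not compile).
 *  - The debug print used %ws on RegistryPath->Buffer; a UNICODE_STRING buffer is not
 *    guaranteed to be NUL-terminated, so that could read past the string. %wZ prints the
 *    counted string correctly.
 *  - Unused locals (uszEventString, extension) removed.
 *
 * Security note: no security descriptor is supplied to IoCreateDevice, so the I/O manager's
 * default device DACL applies and the symbolic link makes the device reachable from user
 * mode. If only administrators should be able to open this control device, the supported way
 * is IoCreateDeviceSecure with an SDDL string (not used here).
 *
 * @param DriverObject  this driver's object; dispatch table and unload routine are filled in.
 * @param RegistryPath  the service key path (only printed in checked builds).
 * @return STATUS_SUCCESS, or the failing status from IoCreateDevice / IoCreateSymbolicLink.
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS ntStatus;
    UNICODE_STRING uszDriverString;
    UNICODE_STRING uszDeviceString;
    PDEVICE_OBJECT pDeviceObject = NULL;

    RtlInitUnicodeString(&uszDriverString, L"\\Device\\ITSys");

    // Non-exclusive device with a DEVICE_EXTENSION-sized context (the extension is never used).
    ntStatus = IoCreateDevice(
        DriverObject,
        sizeof(DEVICE_EXTENSION),
        &uszDriverString,
        FILE_DEVICE_UNKNOWN,
        0,
        FALSE,
        &pDeviceObject
        );
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    // User-visible name; without it user mode cannot open the device by a Win32 path.
    RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\ITSys");
    ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
    if (!NT_SUCCESS(ntStatus)) {
        // Undo the device creation so the driver does not leave a half-initialized object behind.
        IoDeleteDevice(pDeviceObject);
        return ntStatus;
    }

    g_pDeviceObject = pDeviceObject;

    // Unload handler and the three IRP paths this driver services.
    DriverObject->DriverUnload = UnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoCtrl;

#if DBG
    // %wZ prints a counted UNICODE_STRING; the buffer need not be NUL-terminated.
    KdPrint(("RegistryPath : %wZ\n", RegistryPath));
#endif

    // Patch the SSDT. From here on every hooked service runs through this image, so the
    // driver must not be unloaded while any such call is in flight (see UnloadDriver).
    StartHook();

    return ntStatus;
}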
/*************************************************************************************************
启用系统服务挂接
**************************************************************************************************/
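/* Swap one SSDT slot for a hook and keep the previous entry in `old` (same exchange as before). */
#define HOOK_SDT(old, type, fn, hook) \
    ((old) = (type)InterlockedExchange((PLONG)&SDT(fn), (LONG)(hook)))

/*
 * Installs the SSDT hooks: every listed service slot is exchanged for the matching Hook_*
 * routine and the previous entry is kept in the corresponding Old* pointer for forwarding
 * and later restoration by RemoveHook().
 *
 * Fix: four locals (hFile, pDllFile, ulSize, ulByteReaded) were declared but never used,
 * together with a stale comment about reading service indices from a file; both removed.
 * The inline assembly and the exchanges are unchanged.
 *
 * Risks inherent in this technique, documented rather than papered over:
 *  - The two __asm blocks clear and then set CR0.WP (bit 16; `NOT 0FFFEFFFFh` is 00010000h)
 *    to make the read-only SSDT page writable. CR0 is per processor and nothing here stops
 *    the thread from being preempted or migrated between the two blocks, so on a
 *    multiprocessor system the write can run with WP still set on another CPU (fault) or
 *    leave WP cleared on the first CPU.
 *  - The SSDT slots are located through SYSTEMSERVICE(), which decodes the x86 Zw stub;
 *    this is 32-bit only and unsupported on any Windows version. On x64 Kernel Patch
 *    Protection bugchecks when the table is modified.
 *  - The slots are written one at a time, so a concurrent caller can observe a partially
 *    hooked table; each individual write is atomic via InterlockedExchange.
 *  - Placed in the INIT section by alloc_text: it must only be called from DriverEntry.
 */
void StartHook (void)
{
    __asm
    {
        push eax
        mov eax, CR0
        and eax, 0FFFEFFFFh
        mov CR0, eax
        pop eax
    }

    HOOK_SDT(OldZwCreateFile,             ZWCreateFILE,             ZwCreateFile,             Hook_ZwCreateFile);
    HOOK_SDT(OldZwOpenFile,               ZWOPENFILE,               ZwOpenFile,               Hook_ZwOpenFile);
    HOOK_SDT(OldZwClose,                  ZWCLOSE,                  ZwClose,                  Hook_ZwClose);
    HOOK_SDT(OldZwReadFile,               ZWREADFILE,               ZwReadFile,               Hook_ZwReadFile);
    HOOK_SDT(OldZwWriteFile,              ZWWRITEFILE,              ZwWriteFile,              Hook_ZwWriteFile);
    HOOK_SDT(OldZwTerminateProcess,       ZWTERMINATEPROCESS,       ZwTerminateProcess,       Hook_ZwTerminateProcess);
    HOOK_SDT(OldZwOpenProcess,            ZWOPENPROCESS,            ZwOpenProcess,            Hook_ZwOpenProcess);
    HOOK_SDT(OldZwOpenThread,             ZWOPENTHREAD,             ZwOpenThread,             Hook_ZwOpenThread);
    HOOK_SDT(OldZwCreateSection,          ZWCreateSECTION,          ZwCreateSection,          Hook_ZwCreateSection);
    HOOK_SDT(OldZwOpenSection,            ZWOPENSECTION,            ZwOpenSection,            Hook_ZwOpenSection);
    HOOK_SDT(OldZwOpenKey,                ZWOPENKEY,                ZwOpenKey,                Hook_ZwOpenKey);
    HOOK_SDT(OldZwCreateKey,              ZWCreateKEY,              ZwCreateKey,              Hook_ZwCreateKey);
    HOOK_SDT(OldZwSetValueKey,            ZWSETVALUEKEY,            ZwSetValueKey,            Hook_ZwSetValueKey);
    HOOK_SDT(OldZwDeleteKey,              ZWDeleteKEY,              ZwDeleteKey,              Hook_ZwDeleteKey);
    HOOK_SDT(OldZwDeleteValueKey,         ZWDeleteVALUEKEY,         ZwDeleteValueKey,         Hook_ZwDeleteValueKey);
    HOOK_SDT(OldZwSetSecurityObject,      ZWSETSECURITYOBJECT,      ZwSetSecurityObject,      Hook_ZwSetSecurityObject);
    HOOK_SDT(OldZwLoadDriver,             ZWLOADDRIVER,             ZwLoadDriver,             Hook_ZwLoadDriver);
    HOOK_SDT(OldZwSetSystemInformation,   ZWSETSYSTEMINFORMATION,   ZwSetSystemInformation,   Hook_ZwSetSystemInformation);
    HOOK_SDT(OldZwQuerySystemInformation, ZWQUERYSYSTEMINFORMATION, ZwQuerySystemInformation, Hook_ZwQuerySystemInformation);

    // Restore write protection.
    __asm
    {
        push eax
        mov eax, CR0
        or eax, NOT 0FFFEFFFFh
        mov CR0, eax
        pop eax
    }
}

#undef HOOK_SDT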
/*************************************************************************************************
移除系统服务挂接
**************************************************************************************************/
/* Write the saved original entry back into one SSDT slot (same exchange as before). */
#define RESTORE_SDT(fn, old) InterlockedExchange((PLONG)&SDT(fn), (LONG)(old))

/*
 * Restores every SSDT slot that StartHook() replaced, using the Old* pointers it saved.
 * Mirrors StartHook: CR0.WP is cleared around the writes and set again afterwards, with
 * the same per-processor caveat (nothing prevents preemption or migration in between).
 *
 * Restoring the table does not wait for callers that are currently executing inside a
 * Hook_* body; the caller (UnloadDriver) must not let the image be unmapped while that
 * is possible.
 */
void RemoveHook (void)
{
    __asm
    {
        push eax
        mov eax, CR0
        and eax, 0FFFEFFFFh
        mov CR0, eax
        pop eax
    }

    RESTORE_SDT(ZwCreateFile,             OldZwCreateFile);
    RESTORE_SDT(ZwOpenFile,               OldZwOpenFile);
    RESTORE_SDT(ZwClose,                  OldZwClose);
    RESTORE_SDT(ZwReadFile,               OldZwReadFile);
    RESTORE_SDT(ZwWriteFile,              OldZwWriteFile);
    RESTORE_SDT(ZwTerminateProcess,       OldZwTerminateProcess);
    RESTORE_SDT(ZwOpenProcess,            OldZwOpenProcess);
    RESTORE_SDT(ZwOpenThread,             OldZwOpenThread);
    RESTORE_SDT(ZwCreateSection,          OldZwCreateSection);
    RESTORE_SDT(ZwOpenSection,            OldZwOpenSection);
    RESTORE_SDT(ZwOpenKey,                OldZwOpenKey);
    RESTORE_SDT(ZwCreateKey,              OldZwCreateKey);
    RESTORE_SDT(ZwSetValueKey,            OldZwSetValueKey);
    RESTORE_SDT(ZwDeleteKey,              OldZwDeleteKey);
    RESTORE_SDT(ZwDeleteValueKey,         OldZwDeleteValueKey);
    RESTORE_SDT(ZwSetSecurityObject,      OldZwSetSecurityObject);
    RESTORE_SDT(ZwLoadDriver,             OldZwLoadDriver);
    RESTORE_SDT(ZwSetSystemInformation,   OldZwSetSystemInformation);
    RESTORE_SDT(ZwQuerySystemInformation, OldZwQuerySystemInformation);

    __asm
    {
        push eax
        mov eax, CR0
        or eax, NOT 0FFFEFFFFh
        mov CR0, eax
        pop eax
    }
}

#undef RESTORE_SDT
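/*
 * Unload handler: restores the SSDT, then tears down the symbolic link and the device.
 *
 * Fixes: the unused local `ntStatus` is removed, and the symbolic link is now deleted
 * before the device object rather than after, so no link to a deleted device exists
 * even briefly.
 *
 * Known unsafe spot, unchanged: RemoveHook() swaps the table entries back but nothing
 * waits for threads that are still inside a Hook_* routine. Once this function returns the
 * image is unmapped and such a thread would fault. Unloading on a system with live callers
 * is therefore not safe as written; this driver has no reference counting to make it safe.
 *
 * @param DriverObject  the driver being unloaded; its single device is deleted.
 */
void UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING uszDeviceString;

    RemoveHook();

    RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\ITSys");
    IoDeleteSymbolicLink(&uszDeviceString);
    IoDeleteDevice(DriverObject->DeviceObject);
}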
/*************************************************************************************************
//
// 创建与关闭驱动处理历程
//
**************************************************************************************************/
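/* IRP_MJ_CREATE handler: accepts every open of the control device.
 * There is no access check here; the device object's DACL is the only gate
 * on who may open \DosDevices\ITSys.  Always completes with STATUS_SUCCESS. */
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    PAGED_CODE();   /* placed in the PAGE section by the alloc_text pragmas */

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}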
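/* IRP_MJ_CLOSE handler: nothing is tracked per handle, so the request is
 * completed immediately with STATUS_SUCCESS and zero bytes transferred. */
NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    PAGED_CODE();   /* placed in the PAGE section by the alloc_text pragmas */

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}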
/**************************************************************************************************
Win32 使用 DeviceIoControl 获取当前创建进程信息的响应函数 (IRP_MJ_DEVICE_CONTROL 分发例程; 本示例中尚未实现任何控制码)
***************************************************************************************************/
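/* IRP_MJ_DEVICE_CONTROL handler.
 * No control code is implemented yet, so every request is rejected with
 * STATUS_INVALID_DEVICE_REQUEST (the conventional status for an unrecognised
 * IOCTL) and zero bytes returned.
 * When a code is added: the caller is any user that could open the device, so
 * validate Parameters.DeviceIoControl.InputBufferLength / OutputBufferLength
 * against the expected structures before touching the buffer (for
 * METHOD_BUFFERED codes such as IOCTL_INIT that is
 * Irp->AssociatedIrp.SystemBuffer), and set bytesReturned to the number of
 * bytes actually written.  Reporting OutputBufferLength instead would copy
 * whatever is in the system buffer beyond the written bytes back to user
 * mode. */
NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS ntStatus = STATUS_INVALID_DEVICE_REQUEST;
    ULONG_PTR bytesReturned = 0;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);

    UNREFERENCED_PARAMETER(DeviceObject);
    PAGED_CODE();   /* placed in the PAGE section by the alloc_text pragmas */

    switch (irpStack->Parameters.DeviceIoControl.IoControlCode)
    {
    default:
        /* unknown control code: leave ntStatus / bytesReturned as initialised */
        break;
    }

    Irp->IoStatus.Status = ntStatus;
    Irp->IoStatus.Information = bytesReturned;  /* bytes copied back to the caller */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}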
INF 安装文件 (ITSys.inf)
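;;; ITSys.inf
;;; Installs ITSys.sys as a legacy (non-PnP) kernel driver service that starts
;;; at system start.  Uninstall stops the service before deleting it.
[Version]
signature = "$Windows NT$"
Class = "ActivityMonitor"
; NOTE(review): this Class/ClassGuid pair is the one used by the file-system
; minifilter samples.  ITSys is a legacy service-table-hook driver, not a
; filter, so confirm this is the intended class before shipping.
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class
Provider = %Msft%
DriverVer = 08/28/2006,1.0.0.6
CatalogFile = ITSys.cat ; A CatalogFile entry is required for a WHQL signature.
; The actual catalog file will be provided by WHQL. The
; catalog file for this sample is not provided for use.
[DestinationDirs]
DefaultDestDir = 12
ITSys.DriverFiles = 12 ;%windir%\system32\drivers
[SourceDisksNames]
1 = %Disk1%
[SourceDisksFiles]
ITSys.sys = 1
;;
;; Default install sections
;;
[DefaultInstall]
OptionDesc = %ITSysServiceDesc%
CopyFiles = ITSys.DriverFiles
[DefaultInstall.Services]
AddService = %ITSysServiceName%,,ITSys.Service
; Registry values are added once, from the AddReg line in [ITSys.Service].
;;
;; Default uninstall sections
;;
[DefaultUninstall]
DelFiles = ITSys.DriverFiles
DelReg = ITSys.DelRegistry
[DefaultUninstall.Services]
DelService = %ITSysServiceName%,0x200 ; 0x200 = SPSVCINST_STOPSERVICE: stop the running service before deleting it
;
; Services Section
;
[ITSys.Service]
DisplayName = %ITSysServiceName%
Description = %ITSysServiceDesc%
ServiceBinary = %12%\ITSys.sys ;%windir%\system32\drivers\ITSys.sys
ServiceType = 1 ;SERVICE_KERNEL_DRIVER
StartType = 1 ;SERVICE_SYSTEM_START (0 = SERVICE_BOOT_START, 3 = SERVICE_DEMAND_START)
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
AddReg = ITSys.AddRegistry
;
; Registry Modifications
;
[ITSys.AddRegistry]
HKLM,%ITSysRegistry%,%ITSysDebugFlags%,0x00010001 ,0
[ITSys.DelRegistry]
HKLM,%ITSysRegistry%,%ITSysDebugFlags%
;
; Copy Files
;
[ITSys.DriverFiles]
ITSys.sys
;;
;; String Section
;;
[Strings]
Msft = "ITSafe"
ITSysServiceDesc = "ITSafe Kernel Driver"
ITSysServiceName = "ITSys"
ITSysRegistry = "system\currentcontrolset\services\ITSys"
ITSysDebugFlags = "DebugFlags"
Disk1 = "ITSys Source Media"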
编译文件 (WDK build 工具使用的 SOURCES 文件)
# WDK "build" utility SOURCES file for the ITSys kernel-mode driver.
# The C source uses 32-bit inline __asm and casts pointers to LONG, so build
# it from the x86 build environment only.
TARGETNAME=ITSys
TARGETPATH=obj
TARGETTYPE=DRIVER
TARGETLIBS=
SOURCES=ITSys.c \
ITSys.rc
#include <ntddk.h>
#include <ntimage.h>
#pragma pack(1)
/* Layout of one KeServiceDescriptorTable entry on 32-bit Windows.  It must
 * match the ntoskrnl export below field for field; do not reorder or pad. */
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;        /* service routine addresses, indexed by service number (the slots StartHook/RemoveHook swap) */
unsigned int *ServiceCounterTableBase; /* per-service call counters; used only in checked builds */
unsigned int NumberOfServices;         /* number of entries in ServiceTableBase */
unsigned char *ParamTableBase;         /* per-service argument table; not used in this listing */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
/* Exported by ntoskrnl.exe; resolved through the kernel import library. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
/* Yields the (writable) service-table slot for a Zw* routine.  It reads the
 * 32-bit value at offset 1 of the ntoskrnl Zw* stub, i.e. it assumes the stub
 * begins with "mov eax, <service index>" (x86 only).  The decoded index is not
 * checked against NumberOfServices before it is used to index the table. */
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
#define SDT SYSTEMSERVICE
#define KSDT KeServiceDescriptorTable
//---------------------------------------------------------------------------
//
// Defines
//
//---------------------------------------------------------------------------
/* ntddk.h already defines FILE_DEVICE_UNKNOWN with this value; an identical
 * redefinition is legal, so the line is merely redundant. */
#define FILE_DEVICE_UNKNOWN 0x00000022
#define IOCTL_UNKNOWN_BASE FILE_DEVICE_UNKNOWN
/* METHOD_BUFFERED control code; not handled by DispatchIoCtrl in this listing. */
#define IOCTL_INIT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
/********************************************************************************
补充定义数据及结构
********************************************************************************/
/* Initial stack description taken by ZwCreateThread.  In this listing it is
 * referenced only by the Hook_ZwCreateThread prototype and the ZWCreateTHREAD
 * typedef; no thread-creation hook is ever installed. */
typedef struct _INITIAL_TEB {
PVOID StackBase;
PVOID StackLimit;
PVOID StackCommit;
PVOID StackCommitMax;
PVOID StackReserved;
} INITIAL_TEB, *PINITIAL_TEB;
/* Information classes for ZwQuerySystemInformation / ZwSetSystemInformation.
 * The values are positional (0, 1, 2, ...), so entries must never be reordered
 * or removed; the SystemNotImplementedN / SystemInvalidInfoClassN names only
 * hold an ordinal.  Nothing in this listing switches on a specific class; the
 * type appears only in the hook prototypes. */
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;
/* One handle-table entry.  NOTE(review): the buffer returned for
 * SystemHandleInformation is commonly described as a count followed by an
 * array of entries of this shape; this struct describes a single element, not
 * the whole buffer.  Unused in this listing. */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
/*************************************************************************************************
私有变量
*************************************************************************************************/
/* Per-device context; IoCreateDevice allocates sizeof(DEVICE_EXTENSION) bytes
 * for it in DriverEntry.  None of the fields are written anywhere in this
 * listing. */
typedef struct _DEVICE_EXTENSION
{
PDEVICE_OBJECT DeviceObject;
PKEVENT Event;
BOOLEAN bPCreate;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
// Control device object; assigned in DriverEntry once the device and its link exist
PDEVICE_OBJECT g_pDeviceObject;
// Declared but never assigned in this listing
UNICODE_STRING g_RegPath;
/********************************************************************************
补充定义函数
********************************************************************************/
/* Prototypes for ntoskrnl exports that the headers included here do not
 * declare for drivers.  The Zw* names below are used only as arguments to the
 * SDT() macro, to locate each routine's service-table slot; the original
 * services are then invoked through the saved Old* pointers, never through
 * these names.  ObQueryNameString is declared but not referenced in this
 * listing. */
NTKERNELAPI NTSTATUS ObQueryNameString (
IN PVOID Object,
IN OUT PUNICODE_STRING Name,
IN ULONG MaximumLength,
OUT PULONG ActualLength
);
NTKERNELAPI NTSTATUS ZwSetSecurityObject(
IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
NTKERNELAPI NTSTATUS ZwTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus );
NTKERNELAPI NTSTATUS ZwOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
NTKERNELAPI NTSTATUS ZwOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
NTKERNELAPI NTSTATUS ZwLoadDriver(
IN PUNICODE_STRING DriverServiceName );
NTKERNELAPI NTSTATUS ZwSetSystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength );
NTKERNELAPI NTSTATUS ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL );
/***********************************************************************************
函数声明
***********************************************************************************/
/* Forward declarations.
 * Driver framework: DriverEntry, UnloadDriver, the three dispatch routines,
 * and StartHook / RemoveHook which install and restore the service-table
 * entries.
 * Hook_* routines: one per intercepted service, each with the exact signature
 * of the service it replaces.  Hook_ZwCreateProcess, Hook_ZwCreateProcessEx,
 * Hook_ZwCreateThread and Hook_ZwTerminateThread are declared here but have
 * no definition and are never installed anywhere in this listing. */
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
void UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
void StartHook(void);
void RemoveHook(void);
/* file I/O */
NTSTATUS Hook_ZwWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
NTSTATUS Hook_ZwReadFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
/* system information / driver loading / object security */
NTSTATUS Hook_ZwSetSystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength );
NTSTATUS Hook_ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL );
NTSTATUS Hook_ZwLoadDriver(
IN PUNICODE_STRING DriverServiceName );
NTSTATUS Hook_ZwSetSecurityObject(
IN HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformationClass,
IN PSECURITY_DESCRIPTOR DescriptorBuffer);
/* registry */
NTSTATUS Hook_ZwOpenKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
NTSTATUS Hook_ZwCreateKey (
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL);
NTSTATUS Hook_ZwSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize);
NTSTATUS Hook_ZwDeleteKey(
IN HANDLE KeyHandle);
NTSTATUS Hook_ZwDeleteValueKey(
IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName);
/* sections */
NTSTATUS Hook_ZwOpenSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUS Hook_ZwCreateSection(
OUT PHANDLE SectionHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG PageAttributess,
IN ULONG SectionAttributes,
IN HANDLE FileHandle OPTIONAL );
/* processes and threads (the four *Create*/TerminateThread hooks below are declared only) */
NTSTATUS Hook_ZwCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL );
NTSTATUS Hook_ZwCreateProcessEx(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE UnknownHandle );
NTSTATUS Hook_ZwTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus );
NTSTATUS Hook_ZwOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
NTSTATUS Hook_ZwCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended );
NTSTATUS Hook_ZwTerminateThread(
IN HANDLE ThreadHandle,
IN NTSTATUS ExitStatus );
NTSTATUS Hook_ZwOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
/* file open / close */
NTSTATUS Hook_ZwCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength );
NTSTATUS Hook_ZwOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions );
NTSTATUS Hook_ZwClose(
IN HANDLE ObjectHandle );
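#ifdef ALLOC_PRAGMA
/* Section placement.
 * INIT  - discarded after DriverEntry returns; only DriverEntry and StartHook
 *         run during that window.
 * PAGE  - pageable; these routines may only execute at IRQL < DISPATCH_LEVEL.
 *         The Hook_* routines run on the thread that issued the system call,
 *         so this relies on every hooked service being invoked below
 *         DISPATCH_LEVEL (NOTE(review): true for documented Zw* callers; re-check
 *         if more services are hooked).
 * RemoveHook is deliberately NOT placed in PAGE: it rewrites the service table
 * with CR0.WP cleared, and that window has to be non-preemptible
 * (DISPATCH_LEVEL), which is only legal from non-paged code. */
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(INIT, StartHook)
#pragma alloc_text(PAGE, DispatchCreate)
#pragma alloc_text(PAGE, DispatchClose)
#pragma alloc_text(PAGE, DispatchIoCtrl)
#pragma alloc_text(PAGE, UnloadDriver)
#pragma alloc_text(PAGE, Hook_ZwOpenKey)
#pragma alloc_text(PAGE, Hook_ZwSetSecurityObject)
#pragma alloc_text(PAGE, Hook_ZwCreateKey)
#pragma alloc_text(PAGE, Hook_ZwSetValueKey)
#pragma alloc_text(PAGE, Hook_ZwDeleteKey)
#pragma alloc_text(PAGE, Hook_ZwDeleteValueKey)
#pragma alloc_text(PAGE, Hook_ZwOpenSection)
#pragma alloc_text(PAGE, Hook_ZwCreateSection)
#pragma alloc_text(PAGE, Hook_ZwOpenProcess)
#pragma alloc_text(PAGE, Hook_ZwTerminateProcess)
#pragma alloc_text(PAGE, Hook_ZwOpenThread)
#pragma alloc_text(PAGE, Hook_ZwCreateFile)
#pragma alloc_text(PAGE, Hook_ZwOpenFile)
#pragma alloc_text(PAGE, Hook_ZwClose)
#pragma alloc_text(PAGE, Hook_ZwLoadDriver)
#pragma alloc_text(PAGE, Hook_ZwSetSystemInformation)
#pragma alloc_text(PAGE, Hook_ZwQuerySystemInformation)
#pragma alloc_text(PAGE, Hook_ZwReadFile)
#pragma alloc_text(PAGE, Hook_ZwWriteFile)
#endif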
/*******************************************************************************
函数原型定义
********************************************************************************/
/* Function-pointer types matching each service's signature; the saved
 * original entries (Old*) are declared with these so they can be called
 * directly from the Hook_* routines.  The mixed-case spelling of CREATE /
 * DELETE in some names (ZWCreateFILE, ZWDeleteKEY, ...) is used consistently
 * throughout the file and must stay in sync with the Old* declarations.
 * ZWCreatePROCESS, ZWCreatePROCESSEX, ZWCreateTHREAD and ZWTERMINATETHREAD
 * have no corresponding Old* variable in this listing. */
typedef NTSTATUS (*ZWLOADDRIVER)(
IN PUNICODE_STRING DriverServiceName );
typedef NTSTATUS (*ZWCreateFILE)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength );
typedef NTSTATUS (*ZWOPENFILE)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions );
typedef NTSTATUS (*ZWCLOSE)(
IN HANDLE ObjectHandle );
typedef NTSTATUS (*ZWWRITEFILE)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
typedef NTSTATUS (*ZWREADFILE)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
/* process / thread creation types: defined but unused in this listing */
typedef NTSTATUS (*ZWCreatePROCESS)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL);
typedef NTSTATUS (*ZWCreatePROCESSEX)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown );
typedef NTSTATUS (*ZWOPENPROCESS)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
typedef NTSTATUS (*ZWTERMINATEPROCESS)(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus );
typedef NTSTATUS (*ZWCreateTHREAD)(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended );
typedef NTSTATUS (*ZWTERMINATETHREAD)(
IN HANDLE ThreadHandle,
IN NTSTATUS ExitStatus );
typedef NTSTATUS (*ZWOPENTHREAD)(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );
typedef NTSTATUS (*ZWCreateSECTION)(
OUT PHANDLE SectionHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG PageAttributess,
IN ULONG SectionAttributes,
IN HANDLE FileHandle OPTIONAL );
typedef NTSTATUS (*ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes );
// registry
typedef NTSTATUS (*ZWCreateKEY) (
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL
);
typedef NTSTATUS (*ZWOPENKEY) (
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef NTSTATUS (*ZWSETVALUEKEY)(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
);
typedef NTSTATUS (*ZWSETSECURITYOBJECT)(
IN HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformationClass,
IN PSECURITY_DESCRIPTOR DescriptorBuffer);
typedef NTSTATUS (*ZWDeleteKEY)(
IN HANDLE KeyHandle);
typedef NTSTATUS (*ZWDeleteVALUEKEY)(
IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName);
typedef NTSTATUS (*ZWSETSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength );
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL );
/***********************************************************
// SDT 原函数地址
***********************************************************/
/* Original service-table entries.  Written by StartHook when each hook is
 * installed, called by the matching Hook_* routine, and written back into the
 * table by RemoveHook.  They are meaningful only between those two calls; a
 * Hook_* routine that runs before its Old* pointer is stored would call
 * through NULL. */
static ZWCreateFILE OldZwCreateFile;
static ZWOPENFILE OldZwOpenFile;
static ZWCLOSE OldZwClose;
static ZWWRITEFILE OldZwWriteFile;
static ZWREADFILE OldZwReadFile;
static ZWTERMINATEPROCESS OldZwTerminateProcess;
static ZWOPENPROCESS OldZwOpenProcess;
static ZWOPENTHREAD OldZwOpenThread;
static ZWCreateSECTION OldZwCreateSection;
static ZWOPENSECTION OldZwOpenSection;
static ZWCreateKEY OldZwCreateKey;
static ZWSETVALUEKEY OldZwSetValueKey;
static ZWDeleteKEY OldZwDeleteKey;
static ZWDeleteVALUEKEY OldZwDeleteValueKey;
static ZWSETSECURITYOBJECT OldZwSetSecurityObject;
static ZWOPENKEY OldZwOpenKey;
static ZWLOADDRIVER OldZwLoadDriver;
static ZWSETSYSTEMINFORMATION OldZwSetSystemInformation;
static ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
/***********************************************************************************
挂接函数执行体
***********************************************************************************/
/************************************************************************************************
************************************************************************************************/
/* Pass-through hook for ZwWriteFile.  StartHook points the service-table slot
 * here; the routine forwards every argument to the saved original entry and
 * returns its status unchanged.  Placed in the PAGE section by the alloc_text
 * pragmas, so it relies on callers being below DISPATCH_LEVEL. */
NTSTATUS Hook_ZwWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL )
{
    return OldZwWriteFile(FileHandle, Event, ApcRoutine, ApcContext,
                          IoStatusBlock, Buffer, Length, ByteOffset, Key);
}
/************************************************************************************************
************************************************************************************************/
/* Pass-through hook for ZwReadFile: forwards to the original entry saved by
 * StartHook and returns whatever it returns.  No inspection of the request is
 * done.  PAGE-section code (see the alloc_text pragmas). */
NTSTATUS Hook_ZwReadFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL )
{
    NTSTATUS status = OldZwReadFile(FileHandle, Event, ApcRoutine, ApcContext,
                                    IoStatusBlock, Buffer, Length, ByteOffset,
                                    Key);
    return status;
}
/************************************************************************************************
************************************************************************************************/
/* Pass-through hook for ZwSetSystemInformation: the class and buffer are
 * handed to the saved original entry untouched.  PAGE-section code. */
NTSTATUS Hook_ZwSetSystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength )
{
    return OldZwSetSystemInformation(SystemInformationClass,
                                     SystemInformation,
                                     SystemInformationLength);
}
/************************************************************************************************
************************************************************************************************/
/* Pass-through hook for ZwQuerySystemInformation.  The result buffer is
 * returned to the caller exactly as the original service filled it; nothing
 * is filtered here.  PAGE-section code. */
NTSTATUS Hook_ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL )
{
    NTSTATUS status;
    status = OldZwQuerySystemInformation(SystemInformationClass,
                                         SystemInformation,
                                         SystemInformationLength,
                                         ReturnLength);
    return status;
}
/************************************************************************************************
************************************************************************************************/
/* Pass-through hook for ZwLoadDriver: the service name is forwarded to the
 * saved original entry without any policy check.  PAGE-section code. */
NTSTATUS Hook_ZwLoadDriver(
IN PUNICODE_STRING DriverServiceName )
{
    return OldZwLoadDriver(DriverServiceName);
}
/************************************************************************************************
************************************************************************************************/
/* Pass-through hook for ZwSetSecurityObject: forwards handle, information
 * class and descriptor to the saved original entry.  PAGE-section code. */
NTSTATUS Hook_ZwSetSecurityObject(
IN HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformationClass,
IN PSECURITY_DESCRIPTOR DescriptorBuffer)
{
    return OldZwSetSecurityObject(ObjectHandle,
                                  SecurityInformationClass,
                                  DescriptorBuffer);
}
/************************************************************************************************
ZwOpenKey
************************************************************************************************/
/* Pass-through hook for ZwOpenKey.  The saved original entry performs the
 * open; its status is returned unchanged.  PAGE-section code. */
NTSTATUS Hook_ZwOpenKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    NTSTATUS status = OldZwOpenKey(KeyHandle, DesiredAccess, ObjectAttributes);
    return status;
}
/*************************************************************************************************
挂接函数 ZwCreateKey
***************************************************************************************************/
/* Pass-through hook for ZwCreateKey: all seven arguments go straight to the
 * saved original entry.  PAGE-section code. */
NTSTATUS Hook_ZwCreateKey (
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL
)
{
    return OldZwCreateKey(KeyHandle,
                          DesiredAccess,
                          ObjectAttributes,
                          TitleIndex,
                          Class,
                          CreateOptions,
                          Disposition);
}
/***************************************************************************************************
****************************************************************************************************/
/* Pass-through hook for ZwSetValueKey: value name, type and data are handed
 * to the saved original entry unmodified.  PAGE-section code. */
NTSTATUS Hook_ZwSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
)
{
    NTSTATUS status;
    status = OldZwSetValueKey(KeyHandle, ValueName, TitleIndex,
                              Type, Data, DataSize);
    return status;
}
/********************************************************************************************************
********************************************************************************************************/
/* Pass-through hook for ZwDeleteKey; the deletion is performed by the saved
 * original entry.  PAGE-section code. */
NTSTATUS Hook_ZwDeleteKey(IN HANDLE KeyHandle)
{
    return OldZwDeleteKey(KeyHandle);
}
/*********************************************************************************************************
*********************************************************************************************************/
/* Pass-through hook for ZwDeleteValueKey; forwards to the saved original
 * entry and returns its status.  PAGE-section code. */
NTSTATUS Hook_ZwDeleteValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName)
{
    NTSTATUS status = OldZwDeleteValueKey(KeyHandle, ValueName);
    return status;
}
/*************************************************************************************************
**************************************************************************************************/
/* Pass-through hook for ZwOpenSection.  A DbgPrint trace used to live here;
 * the routine now only forwards to the saved original entry.  PAGE-section
 * code. */
NTSTATUS Hook_ZwOpenSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes )
{
    return OldZwOpenSection(SectionHandle, DesiredAccess, ObjectAttributes);
}
/*************************************************************************************************
**************************************************************************************************/
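/* Pass-through hook for ZwCreateSection: forwards every argument to the saved
 * original entry and returns its status.  The function has a single return
 * path; no local status variable is needed.  PAGE-section code (see the
 * alloc_text pragmas). */
NTSTATUS Hook_ZwCreateSection(
OUT PHANDLE SectionHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG PageAttributess,
IN ULONG SectionAttributes,
IN HANDLE FileHandle OPTIONAL )
{
    return OldZwCreateSection(SectionHandle, DesiredAccess, ObjectAttributes,
                              MaximumSize, PageAttributess, SectionAttributes,
                              FileHandle);
}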
/*************************************************************************************************
**************************************************************************************************/
/* Pass-through hook for ZwTerminateProcess: no process is protected here;
 * the request goes straight to the saved original entry.  PAGE-section
 * code. */
NTSTATUS Hook_ZwTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus )
{
    return OldZwTerminateProcess(ProcessHandle, ExitStatus);
}
/*************************************************************************************************
**************************************************************************************************/
/* Pass-through hook for ZwOpenProcess: forwards to the saved original entry
 * and returns its status; the requested access mask is not filtered.
 * PAGE-section code. */
NTSTATUS Hook_ZwOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId )
{
    NTSTATUS status = OldZwOpenProcess(ProcessHandle, AccessMask,
                                       ObjectAttributes, ClientId);
    return status;
}
/*************************************************************************************************
**************************************************************************************************/
/* Pass-through hook for ZwOpenThread; identical in shape to Hook_ZwOpenProcess.
 * PAGE-section code. */
NTSTATUS Hook_ZwOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId )
{
    return OldZwOpenThread(ThreadHandle, AccessMask, ObjectAttributes, ClientId);
}
/*************************************************************************************************
**************************************************************************************************/
/* Pass-through hook for ZwCreateFile: all eleven arguments are forwarded to
 * the saved original entry and its status is returned.  PAGE-section code. */
NTSTATUS Hook_ZwCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength )
{
    return OldZwCreateFile(FileHandle,
                           DesiredAccess,
                           ObjectAttributes,
                           IoStatusBlock,
                           AllocationSize,
                           FileAttributes,
                           ShareAccess,
                           CreateDisposition,
                           CreateOptions,
                           EaBuffer,
                           EaLength);
}
/*************************************************************************************************
**************************************************************************************************/
/* Pass-through hook for ZwOpenFile: forwards to the saved original entry.
 * PAGE-section code. */
NTSTATUS Hook_ZwOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions )
{
    NTSTATUS status;
    status = OldZwOpenFile(FileHandle, DesiredAccess, ObjectAttributes,
                           IoStatusBlock, ShareAccess, OpenOptions);
    return status;
}
/*************************************************************************************************
**************************************************************************************************/
/* Pass-through hook for ZwClose.  This is the hottest of the hooked services;
 * the original author's warning applies: any scanning added here must be done
 * with great care or the system will bugcheck easily.  PAGE-section code. */
NTSTATUS Hook_ZwClose(
IN HANDLE ObjectHandle )
{
    return OldZwClose(ObjectHandle);
}
/*************************************************************************************************
驱动函数入口
**************************************************************************************************/
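/*************************************************************************************************
 Driver entry point.
 Registers the dispatch routines, creates the \Device\ITSys control device and
 its \DosDevices\ITSys link, then installs the service-table hooks.
 Returns the status of device/link creation (STATUS_SUCCESS on success); the
 hooks are only installed once both exist.
**************************************************************************************************/
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
    NTSTATUS ntStatus;
    UNICODE_STRING uszDriverString;
    UNICODE_STRING uszDeviceString;
    PDEVICE_OBJECT pDeviceObject = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);   /* only printed on checked builds */

    /* Dispatch table first, so the device can never be opened before its
     * handlers are in place. */
    DriverObject->DriverUnload = UnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoCtrl;

    RtlInitUnicodeString(&uszDriverString, L"\\Device\\ITSys");
    RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\ITSys");

    /* FILE_DEVICE_SECURE_OPEN makes the device object's security descriptor
     * apply to opens of any name beneath it as well.
     * NOTE(review): the device still receives the default DACL, so any local
     * user can open \\.\ITSys.  Before an IOCTL is implemented, create the
     * device with IoCreateDeviceSecure() and an SDDL string limiting access to
     * SYSTEM/Administrators (requires wdmsec.h / wdmsec.lib, not linked here). */
    ntStatus = IoCreateDevice(DriverObject,
                              sizeof(DEVICE_EXTENSION),
                              &uszDriverString,
                              FILE_DEVICE_UNKNOWN,
                              FILE_DEVICE_SECURE_OPEN,
                              FALSE,
                              &pDeviceObject);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
    if (!NT_SUCCESS(ntStatus))
    {
        /* link failed: undo the device and report the error */
        IoDeleteDevice(pDeviceObject);
        return ntStatus;
    }

    /* Global pointer for the callback routines. */
    g_pDeviceObject = pDeviceObject;

#if DBG
    /* %wZ prints the counted string; UNICODE_STRING.Buffer is not guaranteed
     * to be NUL-terminated, so %ws on it could read past the buffer. */
    KdPrint(("RegistryPath : %wZ\n", RegistryPath));
#endif

    /* Install the service-table hooks; StartHook has no failure path. */
    StartHook();
    return ntStatus;
}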
/*************************************************************************************************
启用系统服务挂接
**************************************************************************************************/
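/*************************************************************************************************
 Install the service-table hooks.
 For each hooked service the current table entry is stored in its Old* pointer
 FIRST and only then swapped for the Hook_* routine, so a system call arriving
 on another processor can never reach a hook whose Old* pointer is still NULL.
 Called once from DriverEntry; lives in the INIT section.
 NOTE(review): x86 only (32-bit inline asm, LONG-sized table entries), and the
 SDT() macro does not check the service index it decodes against
 KeServiceDescriptorTable.NumberOfServices.
**************************************************************************************************/
void StartHook (void)
{
    KIRQL oldIrql;

    /* CR0.WP is a per-processor flag.  Raising to DISPATCH_LEVEL keeps this
     * thread on the current CPU until KeLowerIrql, so the table writes below
     * cannot be resumed on a processor whose WP bit is still set.  INIT-section
     * code is loaded non-paged, so running at DISPATCH_LEVEL here is permitted. */
    KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
    __asm
    {
        push eax
        mov eax, CR0
        and eax, 0FFFEFFFFh   ; clear CR0.WP (bit 16)
        mov CR0, eax
        pop eax
    }

    /* file I/O */
    OldZwCreateFile = (ZWCreateFILE) SDT(ZwCreateFile);
    InterlockedExchange((PLONG) &SDT(ZwCreateFile), (LONG) Hook_ZwCreateFile);
    OldZwOpenFile = (ZWOPENFILE) SDT(ZwOpenFile);
    InterlockedExchange((PLONG) &SDT(ZwOpenFile), (LONG) Hook_ZwOpenFile);
    OldZwClose = (ZWCLOSE) SDT(ZwClose);
    InterlockedExchange((PLONG) &SDT(ZwClose), (LONG) Hook_ZwClose);
    OldZwReadFile = (ZWREADFILE) SDT(ZwReadFile);
    InterlockedExchange((PLONG) &SDT(ZwReadFile), (LONG) Hook_ZwReadFile);
    OldZwWriteFile = (ZWWRITEFILE) SDT(ZwWriteFile);
    InterlockedExchange((PLONG) &SDT(ZwWriteFile), (LONG) Hook_ZwWriteFile);

    /* processes and threads */
    OldZwTerminateProcess = (ZWTERMINATEPROCESS) SDT(ZwTerminateProcess);
    InterlockedExchange((PLONG) &SDT(ZwTerminateProcess), (LONG) Hook_ZwTerminateProcess);
    OldZwOpenProcess = (ZWOPENPROCESS) SDT(ZwOpenProcess);
    InterlockedExchange((PLONG) &SDT(ZwOpenProcess), (LONG) Hook_ZwOpenProcess);
    OldZwOpenThread = (ZWOPENTHREAD) SDT(ZwOpenThread);
    InterlockedExchange((PLONG) &SDT(ZwOpenThread), (LONG) Hook_ZwOpenThread);

    /* sections */
    OldZwCreateSection = (ZWCreateSECTION) SDT(ZwCreateSection);
    InterlockedExchange((PLONG) &SDT(ZwCreateSection), (LONG) Hook_ZwCreateSection);
    OldZwOpenSection = (ZWOPENSECTION) SDT(ZwOpenSection);
    InterlockedExchange((PLONG) &SDT(ZwOpenSection), (LONG) Hook_ZwOpenSection);

    /* registry */
    OldZwOpenKey = (ZWOPENKEY) SDT(ZwOpenKey);
    InterlockedExchange((PLONG) &SDT(ZwOpenKey), (LONG) Hook_ZwOpenKey);
    OldZwCreateKey = (ZWCreateKEY) SDT(ZwCreateKey);
    InterlockedExchange((PLONG) &SDT(ZwCreateKey), (LONG) Hook_ZwCreateKey);
    OldZwSetValueKey = (ZWSETVALUEKEY) SDT(ZwSetValueKey);
    InterlockedExchange((PLONG) &SDT(ZwSetValueKey), (LONG) Hook_ZwSetValueKey);
    OldZwDeleteKey = (ZWDeleteKEY) SDT(ZwDeleteKey);
    InterlockedExchange((PLONG) &SDT(ZwDeleteKey), (LONG) Hook_ZwDeleteKey);
    OldZwDeleteValueKey = (ZWDeleteVALUEKEY) SDT(ZwDeleteValueKey);
    InterlockedExchange((PLONG) &SDT(ZwDeleteValueKey), (LONG) Hook_ZwDeleteValueKey);

    /* object security, driver loading, system information */
    OldZwSetSecurityObject = (ZWSETSECURITYOBJECT) SDT(ZwSetSecurityObject);
    InterlockedExchange((PLONG) &SDT(ZwSetSecurityObject), (LONG) Hook_ZwSetSecurityObject);
    OldZwLoadDriver = (ZWLOADDRIVER) SDT(ZwLoadDriver);
    InterlockedExchange((PLONG) &SDT(ZwLoadDriver), (LONG) Hook_ZwLoadDriver);
    OldZwSetSystemInformation = (ZWSETSYSTEMINFORMATION) SDT(ZwSetSystemInformation);
    InterlockedExchange((PLONG) &SDT(ZwSetSystemInformation), (LONG) Hook_ZwSetSystemInformation);
    OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION) SDT(ZwQuerySystemInformation);
    InterlockedExchange((PLONG) &SDT(ZwQuerySystemInformation), (LONG) Hook_ZwQuerySystemInformation);

    __asm
    {
        push eax
        mov eax, CR0
        or eax, 10000h        ; restore CR0.WP
        mov CR0, eax
        pop eax
    }
    KeLowerIrql(oldIrql);
}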
/*************************************************************************************************
移除系统服务挂接
**************************************************************************************************/
/*
 * RemoveHook: undo the SSDT patching done by the install routine by writing the
 * saved original service pointers (OldZw*) back into KeServiceDescriptorTable.
 *
 * The SSDT lives on a read-only page, so CR0 bit 16 (the x86 write-protect flag)
 * is cleared before the writes and set again afterwards.
 *
 * NOTE(review): CR0 is a per-processor register and nothing here raises IRQL or
 * disables interrupts, so a context switch between the two __asm blocks could
 * leave WP cleared on one CPU while the writes run on another — confirm the
 * install routine makes the same assumption (its body is outside this view).
 * NOTE(review): the OldZw* values are written back unconditionally; if the
 * install routine never ran, or another component re-hooked the same entries
 * afterwards, this overwrites whatever is there now. No check is made here.
 * NOTE(review): a thread still executing inside one of the Hook_Zw* routines is
 * not waited for; calling this at unload while such a call is in flight is
 * unsafe.
 */
void RemoveHook (void)
{
__asm
{
push eax
mov eax, CR0
// Clear bit 16 (WP): 0FFFEFFFFh has only that bit zero.
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
// Each exchange swaps the hook back for the saved original pointer; the
// returned (hook) value is deliberately discarded.
InterlockedExchange( (PLONG) &SDT(ZwCreateFile) , (LONG) OldZwCreateFile );
InterlockedExchange( (PLONG) &SDT(ZwOpenFile) , (LONG) OldZwOpenFile );
InterlockedExchange( (PLONG) &SDT(ZwClose) , (LONG) OldZwClose );
InterlockedExchange( (PLONG) &SDT(ZwReadFile) , (LONG) OldZwReadFile );
InterlockedExchange( (PLONG) &SDT(ZwWriteFile) , (LONG) OldZwWriteFile );
InterlockedExchange( (PLONG) &SDT(ZwTerminateProcess) , (LONG) OldZwTerminateProcess );
InterlockedExchange( (PLONG) &SDT(ZwOpenProcess) , (LONG) OldZwOpenProcess );
InterlockedExchange( (PLONG) &SDT(ZwOpenThread) , (LONG) OldZwOpenThread );
InterlockedExchange( (PLONG) &SDT(ZwCreateSection) , (LONG) OldZwCreateSection );
InterlockedExchange( (PLONG) &SDT(ZwOpenSection) , (LONG) OldZwOpenSection );
InterlockedExchange( (PLONG) &SDT(ZwOpenKey) , (LONG) OldZwOpenKey );
InterlockedExchange( (PLONG) &SDT(ZwCreateKey) , (LONG) OldZwCreateKey );
InterlockedExchange( (PLONG) &SDT(ZwSetValueKey) , (LONG) OldZwSetValueKey );
InterlockedExchange( (PLONG) &SDT(ZwDeleteKey) , (LONG) OldZwDeleteKey );
InterlockedExchange( (PLONG) &SDT(ZwDeleteValueKey) , (LONG) OldZwDeleteValueKey );
InterlockedExchange( (PLONG) &SDT(ZwSetSecurityObject) , (LONG) OldZwSetSecurityObject );
InterlockedExchange( (PLONG) &SDT(ZwLoadDriver) , (LONG) OldZwLoadDriver );
InterlockedExchange( (PLONG) &SDT(ZwSetSystemInformation) , (LONG) OldZwSetSystemInformation );
InterlockedExchange( (PLONG) &SDT(ZwQuerySystemInformation) , (LONG) OldZwQuerySystemInformation );
__asm
{
push eax
mov eax, CR0
// NOT 0FFFEFFFFh == 00010000h: set bit 16 (WP) again, restoring page protection.
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
}
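/*
 * UnloadDriver: DriverUnload routine. Restores the SSDT, then tears down the
 * user-visible symbolic link and the device object.
 *
 * Changes from the original: the unused local `ntStatus` is gone; the symbolic
 * link is removed before the device object so a user-mode open cannot race
 * against IoDeleteDevice; and the device object is only deleted when one exists
 * (IoDeleteDevice dereferences its argument).
 *
 * NOTE(review): RemoveHook() does not wait for calls already inside the
 * Hook_Zw* routines, so unloading while they execute remains unsafe — that is a
 * property of RemoveHook, not addressed here.
 */
void UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING uszDeviceString;

    /* Put the original service pointers back before this image disappears. */
    RemoveHook();

    /* Drop the \DosDevices name first so no new handle can be opened on a
       device that is about to be deleted. The status is not actionable during
       unload, so it is intentionally not checked. */
    RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\ITSys");
    IoDeleteSymbolicLink(&uszDeviceString);

    if (DriverObject->DeviceObject != NULL) {
        IoDeleteDevice(DriverObject->DeviceObject);
    }
}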
/*************************************************************************************************
//
// 创建与关闭驱动处理例程
//
**************************************************************************************************/
/*
 * DispatchCreate: IRP_MJ_CREATE handler. Every open of the device is accepted:
 * the IRP is completed with STATUS_SUCCESS, zero bytes of information and no
 * priority boost, and that same status is returned to the I/O manager.
 */
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;
    PIO_STATUS_BLOCK ioStatus = &Irp->IoStatus;

    (void)DeviceObject; /* no per-device state is consulted on open */

    ioStatus->Status = status;
    ioStatus->Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
/*
 * DispatchClose: IRP_MJ_CLOSE handler. Completes the request with
 * STATUS_SUCCESS and no transferred bytes, then returns that status.
 *
 * The return value is the constant itself rather than a copy read back from
 * Irp->IoStatus; the IRP must not be touched after IoCompleteRequest, so
 * nothing is read from it afterwards.
 */
NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    (void)DeviceObject; /* nothing device-specific happens on close */

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/**************************************************************************************************
Win32 使用 DeviceIoControl 获取当前创建进程的信息的响应函数
***************************************************************************************************/
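/*
 * DispatchIoCtrl: IRP_MJ_DEVICE_CONTROL handler for DeviceIoControl requests
 * (the control codes defined at the top of the file use METHOD_BUFFERED).
 *
 * No control code is handled yet: the switch has only a default branch, so
 * every request completes with STATUS_UNSUCCESSFUL and Information == 0.
 * IOCTL_INIT has no case here; this is where it would be dispatched.
 *
 * Changes from the original:
 *  - Information is taken from `bytesReturned` (bytes a handler actually wrote
 *    into the output buffer) instead of OutputBufferLength. For METHOD_BUFFERED
 *    the I/O manager copies Information bytes of the system buffer back to the
 *    caller, so reporting the requested length for a buffer the handler did not
 *    fully fill would hand uninitialised pool memory to user mode.
 *  - The unused `extension` local (DeviceObject->DeviceExtension) is removed.
 *
 * NOTE(review): the conventional status for an unrecognised control code is
 * STATUS_INVALID_DEVICE_REQUEST; STATUS_UNSUCCESSFUL is kept so existing
 * user-mode callers observe the same value.
 */
NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    ULONG_PTR bytesReturned = 0;  /* bytes actually placed in the output buffer */
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);

    (void)DeviceObject; /* no per-device state is needed by the current (empty) dispatch */

    switch (irpStack->Parameters.DeviceIoControl.IoControlCode)
    {
    default:
        /* Unknown control code: ntStatus stays a failure, bytesReturned stays 0. */
        break;
    }

    Irp->IoStatus.Status = ntStatus;
    /* Only report output on success; a failed request returns no data.
       NT_SUCCESS() also covers warning statuses such as STATUS_BUFFER_OVERFLOW
       that legitimately carry partial output; today only STATUS_UNSUCCESSFUL
       occurs, so behaviour is unchanged. */
    Irp->IoStatus.Information = NT_SUCCESS(ntStatus) ? bytesReturned : 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}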
Inf安装文件
;;; ITSys.inf
[Version]
signature = "$Windows NT$"
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class
Provider = %Msft%
DriverVer = 08/28/2006,1.0.0.6
CatalogFile = ITSys.cat ; A CatalogFile entry is required for a WHQL signature.
; The actual catalog file will be provided by WHQL. The
; catalog file for this sample is not provided for use.
[DestinationDirs]
DefaultDestDir = 12
ITSys.DriverFiles = 12 ;%windir%\system32\drivers
[SourceDisksNames]
1 = %Disk1%
[SourceDisksFiles]
ITSys.sys = 1
;;
;; Default install sections
;;
[DefaultInstall]
OptionDesc = %ITSysServiceDesc%
CopyFiles = ITSys.DriverFiles
[DefaultInstall.Services]
AddService = %ITSysServiceName%,,ITSys.Service
AddReg = ITSys.AddRegistry
;;
;; Default uninstall sections
;;
[DefaultUninstall]
DelFiles = ITSys.DriverFiles
DelReg = ITSys.DelRegistry
[DefaultUninstall.Services]
DelService = ITSys
;
; Services Section
;
[ITSys.Service]
DisplayName = %ITSysServiceName%
Description = %ITSysServiceDesc%
ServiceBinary = %12%\ITSys.sys ;%windir%\system32\drivers\ITSys.sys
ServiceType = 1 ;SERVICE_SYSTEM_DRIVER
StartType = 1 ;SERVICE_SYSTEM_BOOT=1
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
AddReg = ITSys.AddRegistry
;
; Registry Modifications
;
[ITSys.AddRegistry]
HKLM,%ITSysRegistry%,%ITSysDebugFlags%,0x00010001 ,0
[ITSys.DelRegistry]
HKLM,%ITSysRegistry%,%ITSysDebugFlags%
;
; Copy Files
;
[ITSys.DriverFiles]
ITSys.sys
;;
;; String Section
;;
[Strings]
Msft = "ITSafe"
ITSysServiceDesc = "ITSafe Kernel Driver"
ITSysServiceName = "ITSys"
ITSysRegistry = "system\currentcontrolset\services\ITSys"
ITSysDebugFlags = "DebugFlags"
Disk1 = "ITSys Source Media"
编译文件
TARGETNAME=ITSys
TARGETPATH=obj
TARGETTYPE=DRIVER
TARGETLIBS=
SOURCES=ITSys.c \
ITSys.rc