监控系统加载模块-猥琐流
代码:
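#include <ntddk.h>
#include "nt_help.h"

DRIVER_INITIALIZE DriverEntry;

/*
 * Private layout of the object-type structures; these are not part of the
 * public DDK headers and change between kernel versions. The WINVER guards
 * below follow the two layouts the author targeted. A wrong field offset here
 * silently corrupts the type object, so verify against the target build's
 * symbols before use.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
#if WINVER>=0x0600
    ULONG ObjectTypeCode;
#endif
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;    /* the slot this driver hooks */
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE {
#if WINVER<0x0600
    ERESOURCE Mutex;
#endif
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;    // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
} OBJECT_TYPE, *POBJECT_TYPE;

extern POBJECT_TYPE* MmSectionObjectType;

/* Address of nt!NtCreateSection, resolved in DriverEntry; NULL until then. */
PVOID pNtCreateSection = NULL;
/* Image base and size of the kernel module, filled in by GetNtImgBase(). */
SYSTEM_MODULE_INFORMATION ntModInfo = {0};
/* OpenProcedure that was installed before we hooked it; restored on unload. */
static PVOID pOriginalSectionOpen = NULL;

#define MODLIST_POOL_TAG 'hlpm'

enum {
    /* How far past NtCreateSection's entry a return address may lie and still
       be treated as "inside NtCreateSection" by the stack scan. */
    NTCREATESECTION_SCAN_BYTES = 0x300,
    /* AllocationAttributes value the author observed Windows 7 passing when
       loading a driver image (not a documented SEC_* name; confirm on target). */
    ALLOC_ATTR_DRIVER_LOAD_WIN7 = 0x100000,
    /* Highest pointer-sized stack slot read relative to the located return address. */
    LAST_ARG_SLOT = 7
};

#pragma alloc_text(INIT, DriverEntry)

/*
 * Exclusive end of the stack page containing sp: page floor plus one page.
 * This is the same rounding the original 4K arithmetic performed, written
 * in terms of PAGE_SIZE so it follows the platform page size.
 */
static PVOID* StackPageEnd(PVOID* sp)
{
    ULONG_PTR base = (ULONG_PTR)sp & ~(ULONG_PTR)(PAGE_SIZE - 1);
    return (PVOID*)(base + PAGE_SIZE);
}

/*
 * Dispatch routine for every IRP major function.
 * The driver exposes no device interface, so every request is completed
 * successfully with no bytes transferred.
 */
NTSTATUS DevicePassthrough(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;   /* no output data for any request */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * Unload routine: puts back the OpenProcedure that was in place before
 * DriverEntry replaced it. Writing NULL here (as the original did) is only
 * correct if the slot was NULL to begin with.
 *
 * NOTE(review): nothing waits for a thread that is currently executing
 * HookSectionOpen, so the driver image may be unmapped while the hook is
 * still running on another processor.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    (*MmSectionObjectType)->TypeInfo.OpenProcedure = pOriginalSectionOpen;
    pOriginalSectionOpen = NULL;
    KdPrint(("DriverUnload Done!\n"));
}

/*
 * OpenProcedure installed on the section object type.
 *
 * Called by the object manager when a section object is opened. It walks the
 * kernel stack to find the NtCreateSection frame, recovers the
 * SectionPageProtection / AllocationAttributes / FileHandle arguments from the
 * caller's argument slots, and logs the file name for executable image
 * sections (driver, DLL and EXE loads).
 *
 * The walk is a heuristic: it only scans up to the end of the current stack
 * page, and any slot holding a value inside NtCreateSection is accepted as the
 * return address. Always returns STATUS_SUCCESS so that opens are never
 * blocked by this monitor. If a previous OpenProcedure existed it is not
 * chained here; see DriverEntry.
 */
#if WINVER>=0x0600
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN ULONG AccessMode,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK* GrantedAccess,
    IN ULONG HandleCount
    )
#else
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    )
#endif
{
    PVOID* esp = (PVOID*)&esp;           /* address of a local ~ current stack pointer */
    PVOID* esp_end = StackPageEnd(esp);  /* never scan past the end of this stack page */
    PVOID* p = esp;
    ULONG SectionPageProtection, AllocationAttributes;
    HANDLE FileHandle;
    NTSTATUS Status;

    /*
     * Walk up the stack until a slot holds an address inside NtCreateSection.
     */
    while (p < esp_end &&
           (*p < pNtCreateSection ||
            *p > (PVOID)((PBYTE)pNtCreateSection + NTCREATESECTION_SCAN_BYTES))) {
        p++;
    }
    if (p >= esp_end) {
        //KdPrint(("no found NtCreateSection %p -> %p\n", esp, esp_end));
        return STATUS_SUCCESS;   /* not reached via NtCreateSection; nothing to inspect */
    }
    //KdPrint(("%p HookSectionOpen-Object:%p esp:%p %p\n", pNtCreateSection, Object, esp, *p));

#ifdef _WIN64
    /*
     * Stack layout on 2003 x64 (from the author's dump), p pointing at retaddr:
     *   fffff800`0104113d  nt!KiSystemServiceCopyEnd+0x3   retaddr  <--- call nt!NtCreateSection
     *   fffffadf`f662ec00  00000000`00000000               param1
     *   fffffadf`f662ec08  00000000`000f001f               param2 DesiredAccess
     *   fffffadf`f662ec10  00000000`00000000
     *   fffffadf`f662ec18  00000000`00000000
     *   fffffadf`f662ec20  00000100`00000010               SectionPageProtection
     *   fffffadf`f662ec28  00000000`01000000               AllocationAttributes
     *   fffffadf`f662ec30  00000000`0000054c               FileHandle
     */
    p++;
    /*
     * Search for the return address into the kernel image (nt!KiSystemServiceCopyEnd).
     */
    while (p < esp_end &&
           (*p < ntModInfo.ImageBase ||
            *p > (PVOID)((PBYTE)ntModInfo.ImageBase + ntModInfo.ImageSize))) {
        p++;
    }
    if (p >= esp_end) {
        //KdPrint(("no found nt!KiSystemxxxx %p -> %p\n", esp, esp_end));
        return STATUS_SUCCESS;
    }
#else
    /*
     * Stack dump from 2003 x86; the saved frame pointer sits just below the
     * located return address (ebp = p - 1):
     *   fa06f4d8  fa06f540
     *   fa06f4dc  80908715   nt!NtCreateSection+0x15c
     *   ...
     *   fa06f540  fa06f564
     *   fa06f544  808234cb   nt!KiFastCallEntry+0xf8
     *   fa06f548  fa06f668   param1
     */
    p = (PVOID*)*(p - 1);
    p++;
    if (p < esp) {
        return STATUS_SUCCESS;   /* saved frame pointer does not point up the stack */
    }
    /* The frame may live in a higher stack page; re-derive the bound from the new position. */
    esp_end = StackPageEnd(p);
#endif

    /*
     * The argument slots extend LAST_ARG_SLOT entries past p. Refuse to read
     * beyond the page end rather than touch memory past the top of the stack;
     * missing one event is preferable to a bugcheck.
     */
    if (p + LAST_ARG_SLOT >= esp_end) {
        return STATUS_SUCCESS;
    }

    SectionPageProtection = (ULONG)(ULONG_PTR)p[5];
    AllocationAttributes = (ULONG)(ULONG_PTR)p[6];
    FileHandle = p[LAST_ARG_SLOT];
    //KdPrint(("%x %x %p\n", SectionPageProtection, AllocationAttributes, FileHandle));

    if (FileHandle &&
        SectionPageProtection == PAGE_EXECUTE &&
        (AllocationAttributes == SEC_IMAGE ||
         AllocationAttributes == ALLOC_ATTR_DRIVER_LOAD_WIN7)) {
        PFILE_OBJECT File;

        /*
         * FileHandle was recovered from the stack by heuristic, so type-check it
         * against the file object type instead of trusting it to be a FILE_OBJECT
         * before FileName is read.
         */
        Status = ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType, KernelMode,
                                           (PVOID *)&File, NULL);
        if (!NT_SUCCESS(Status)) {
            return STATUS_SUCCESS;
        }
        KdPrint(("FileName:%wZ\n", &File->FileName));
        ObDereferenceObject(File);
    }
    return STATUS_SUCCESS;
}

/*
 * Fills modInfo with the first entry of the system module list, which is
 * expected to be the kernel image.
 * Returns TRUE on success, FALSE if the list could not be sized, allocated
 * or queried.
 */
BOOL GetNtImgBase(PSYSTEM_MODULE_INFORMATION modInfo)
{
    PSYSMODULELIST sysModuleList = NULL;
    ULONG size = 0;
    NTSTATUS status;

    /* A zero-length query only reports the buffer size needed. */
    NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &size);
    if (size == 0) {
        return FALSE;
    }
    sysModuleList = ExAllocatePoolWithTag(PagedPool, size, MODLIST_POOL_TAG);
    if (!sysModuleList) {
        return FALSE;
    }
    status = NtQuerySystemInformation(SystemModuleInformation, sysModuleList, size, NULL);
    if (NT_SUCCESS(status)) {
        /* nt module should be the first one */
        *modInfo = *sysModuleList->Modules;
    }
    ExFreePoolWithTag(sysModuleList, MODLIST_POOL_TAG);
    return NT_SUCCESS(status) ? TRUE : FALSE;
}

/*
 * Driver entry point: resolves NtCreateSection and the kernel image range,
 * hooks the section object type's OpenProcedure, and fills the dispatch table.
 *
 * NOTE(review): overwriting a field of a kernel object type is unsupported;
 * on x64 builds protected by Kernel Patch Protection it may bugcheck. The
 * supported way to observe image loads is PsSetLoadImageNotifyRoutine.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    ULONG i;
    UNICODE_STRING sFuncName;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&sFuncName, L"NtCreateSection");
    pNtCreateSection = MmGetSystemRoutineAddress(&sFuncName);
    if (!pNtCreateSection) {
        /* With a NULL base the stack scan would accept any slot holding a
           small value, so the hook must not be installed. */
        KdPrint(("MmGetSystemRoutineAddress(NtCreateSection) failed!\n"));
        return STATUS_UNSUCCESSFUL;
    }
    if (!GetNtImgBase(&ntModInfo)) {
        KdPrint(("EnumSysModule nt base failed!\n"));
        return STATUS_UNSUCCESSFUL;
    }
    KdPrint(("nt:%p pNtCreateSection:%p\nMmSectionObjectType:%p %p %p\n",
             ntModInfo.ImageBase, pNtCreateSection, *MmSectionObjectType,
             (*MmSectionObjectType)->TypeInfo.OpenProcedure,
             (*MmSectionObjectType)->TypeInfo.DeleteProcedure));

    /* Remember the previous procedure so DriverUnload can restore it. */
    pOriginalSectionOpen = (*MmSectionObjectType)->TypeInfo.OpenProcedure;
    (*MmSectionObjectType)->TypeInfo.OpenProcedure = HookSectionOpen;

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = DevicePassthrough;
    }
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}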
可动态监控驱动、DLL、EXE 的加载。