Hooking ZwCreateProcessEx through the SSDT (32-bit Windows kernel driver)

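// SSDT hook on ZwCreateProcessEx: logs (and can deny) every process creation
// that reaches the NtCreateProcessEx system service.
//
// Caveats a reviewer should know before reusing this:
//  * Writing KeServiceDescriptorTable through an MDL alias only works on 32-bit
//    kernels that export that symbol; it is not a supported interface, and the
//    supported way to observe or deny process creation is
//    PsSetCreateProcessNotifyRoutineEx (or the older PsSetCreateProcessNotifyRoutine).
//  * The hook only sees calls that go through this one SSDT slot. Since Windows
//    Vista CreateProcess uses NtCreateUserProcess instead, and a caller using the
//    older NtCreateProcess service (a separate slot) would presumably bypass it
//    too, so do not treat STATUS_ACCESS_DENIED from here as a security boundary.
//  * ServiceId_ZwCreateProcessEx and the raw offsets in GetProcessImageName are
//    hard-coded for one 32-bit kernel build and must be verified per target.
//  * The file is C++ (extern "C" blocks); DriverEntry/DriverUnload are declared
//    inside extern "C" so the linker's entry point resolves without mangling.

extern "C" {
#include <ntddk.h>
}

//#define dprintf if (DBG) DbgPrint
#define dprintf DbgPrint

#define DWORD unsigned long
#define WORD  unsigned short
#define BOOL  unsigned long
#define BYTE  unsigned char

// Size in bytes of the buffer callers hand to GetProcessImageName() /
// ModifyProcessImageName(); the ANSI path is truncated to leave room for the NUL.
#define PROCESS_IMAGE_PATH_MAX 256

// Pool tag for the temporary full-path buffer.
#define HOOK_POOL_TAG 'kooH'

extern "C" {

// ntoskrnl exports that ntddk.h of the original build did not declare.
NTKERNELAPI UCHAR *PsGetProcessImageFileName(PEPROCESS Process);

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN PVOID ProcessId, OUT PEPROCESS *Process);

NTKERNELAPI HANDLE PsGetProcessId(PEPROCESS Process);

NTKERNELAPI NTSTATUS ZwCreateProcessEx(
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    HANDLE ParentProcess,
    ULONG Flags,
    HANDLE SectionHandle,
    HANDLE DebugPort,
    HANDLE ExceptionPort,
    ULONG JobMemberLevel);

// System Service Descriptor Table entry as laid out on 32-bit kernels.
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;        // one 32-bit routine address per service
    unsigned int *ServiceCounterTableBase; // per-service counters (unused here)
    unsigned int NumberOfServices;         // number of valid slots in ServiceTableBase
    unsigned char *ParamTableBase;         // per-service argument byte counts
} SSDT_Entry, *ServiceDescriptorTableEntry_t;

__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;

// Entry point and unload routine take C linkage from this block.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);

}

PMDL   g_pmdlSystemCall;        // MDL describing the SSDT pages
PVOID *MappedSystemCallTable;   // writable alias of KeServiceDescriptorTable.ServiceTableBase

// Atomically swap the SSDT slot _ServiceId to _Hook; the displaced value lands in _Orig.
#define HOOK_SYSCALL(_ServiceId, _Hook, _Orig) \
    ((_Orig) = InterlockedExchangePointer(&MappedSystemCallTable[(_ServiceId)], (PVOID)(_Hook)))

// Atomically write _Hook (the saved original routine) back into slot _ServiceId.
// _Orig is not used; the parameter is kept so existing call sites still compile.
#define UNHOOK_SYSCALL(_ServiceId, _Hook, _Orig) \
    ((void)InterlockedExchangePointer(&MappedSystemCallTable[(_ServiceId)], (PVOID)(_Hook)))

// Routine currently installed in the live SSDT for _ServiceId (may already be a hook).
#define SYSTEMSERVICE(_ServiceId) \
    ((PVOID)(ULONG_PTR)KeServiceDescriptorTable.ServiceTableBase[(_ServiceId)])

// SSDT index of ZwCreateProcessEx. 0x30 is what the original author observed on a
// 32-bit Windows XP kernel; the index changes between kernel versions, so confirm
// it (e.g. with a kernel debugger) before loading this on anything else.
ULONG ServiceId_ZwCreateProcessEx = 0x30;

// Legacy globals kept for compatibility. CreatingProcessImagePath is no longer
// written by the hook: it was shared by every concurrent caller (see
// New_ZwCreateProcessEx). CreateIsProgressing is no longer read.
CHAR CreatingProcessImagePath[PROCESS_IMAGE_PATH_MAX] = {0};
HANDLE CreatorProcessId = NULL;         // PID of the most recent creating process
BOOLEAN CreateAllowed = TRUE;           // FALSE => the hook denies every creation
BOOLEAN CreateIsProgressing = FALSE;    // legacy, unused
KEVENT event;
char *output;

// Threads currently inside New_ZwCreateProcessEx. DriverUnload waits for this to
// reach zero so the driver image is not freed underneath a running hook.
static volatile LONG g_HookCallsInFlight = 0;

// Signature of the original service routine we displace.
typedef NTSTATUS (*pfnZwCreateProcessEx)(
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    HANDLE ParentProcess,
    ULONG Flags,
    HANDLE SectionHandle,
    HANDLE DebugPort,
    HANDLE ExceptionPort,
    ULONG JobMemberLevel);

// Original routine, saved before the SSDT slot is overwritten and restored on unload.
pfnZwCreateProcessEx Old_ZwCreateProcessEx = NULL;
PVOID Old_ZwCreateProcessExAddr = NULL;

// Resolve the file backing an image section into an ANSI DOS path such as
// C:\WINDOWS\Explorer.exe.
//
// SectionHandle    the section handle passed to ZwCreateProcessEx. It comes
//                  straight from the (normally user-mode) caller, so it is
//                  validated in the caller's previous mode and its object type
//                  is enforced before anything dereferences it.
// ProcessImageName caller buffer of at least PROCESS_IMAGE_PATH_MAX bytes; always
//                  NUL-terminated on return (empty on failure), truncated to
//                  PROCESS_IMAGE_PATH_MAX-1 characters.
// Returns STATUS_SUCCESS, or the NTSTATUS of the first step that failed.
// Requires PASSIVE_LEVEL (paged pool, Rtl string routines); the syscall hook
// runs in the calling thread at that level.
NTSTATUS GetProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
    PVOID SectionObject = NULL;
    PFILE_OBJECT FileObject = NULL;
    BOOLEAN FileObjectReferenced = FALSE;
    UNICODE_STRING DosName = { 0, 0, NULL };
    UNICODE_STRING FilePath = { 0, 0, NULL };
    ANSI_STRING AnsiString = { 0, 0, NULL };
    ULONG PathBytes;
    USHORT CopyLength;
    NTSTATUS Status;

    *ProcessImageName = '\0';

    // The previous code passed KernelMode and no object type: a user-mode caller
    // could hand us a kernel handle or a handle to any object type, and the raw
    // offset walk below would then run on the wrong structure. Validate as the
    // caller would be validated, and insist on a section object.
    Status = ObReferenceObjectByHandle(SectionHandle, 0, *MmSectionObjectType,
                                       ExGetPreviousMode(), &SectionObject, NULL);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }

    // SECTION -> SEGMENT -> CONTROL_AREA -> FILE_OBJECT by raw offsets. These are
    // for the one 32-bit kernel build the original author targeted and are not
    // stable across versions; verify them against the target kernel's types.
    {
        PVOID Segment = *((PVOID *)SectionObject + 5);
        PVOID ControlArea = (Segment != NULL) ? *(PVOID *)Segment : NULL;
        FileObject = (ControlArea != NULL)
                         ? *(PFILE_OBJECT *)((PUCHAR)ControlArea + 36)
                         : NULL;
    }
    if (FileObject == NULL) {
        // Section is not file-backed (or the walk produced nothing); no name to give.
        Status = STATUS_OBJECT_NAME_NOT_FOUND;
        goto Cleanup;
    }

    // Take our own reference, and let the object manager confirm that what the
    // offset walk produced really is a file object.
    Status = ObReferenceObjectByPointer(FileObject, 0, *IoFileObjectType, KernelMode);
    if (!NT_SUCCESS(Status)) {
        goto Cleanup;
    }
    FileObjectReferenced = TRUE;

    if (FileObject->DeviceObject == NULL) {
        Status = STATUS_OBJECT_NAME_NOT_FOUND;
        goto Cleanup;
    }

    // On success DosName.Buffer is allocated by the kernel and freed with ExFreePool.
    // On failure it is not valid, so make sure Cleanup never frees it.
    Status = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
    if (!NT_SUCCESS(Status)) {
        DosName.Buffer = NULL;
        goto Cleanup;
    }

    // Exact-size buffer instead of the old fixed 0x200 bytes (long paths used to
    // be silently truncated or fail the append). UNICODE_STRING lengths are USHORT.
    PathBytes = (ULONG)DosName.Length + (ULONG)FileObject->FileName.Length;
    if (PathBytes > MAXUSHORT - sizeof(WCHAR)) {
        Status = STATUS_NAME_TOO_LONG;
        goto Cleanup;
    }
    PathBytes += sizeof(WCHAR);
    FilePath.Buffer = (PWSTR)ExAllocatePoolWithTag(PagedPool, PathBytes, HOOK_POOL_TAG);
    if (FilePath.Buffer == NULL) {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }
    FilePath.MaximumLength = (USHORT)PathBytes;

    RtlCopyUnicodeString(&FilePath, &DosName);
    Status = RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
    if (!NT_SUCCESS(Status)) {
        goto Cleanup;
    }

    // %wZ: FileName is a counted string and need not be NUL-terminated.
    KdPrint(("Current Process Full Path Name 000: %wZ\n", &FileObject->FileName));

    // AnsiString.Buffer is allocated by the kernel (AllocateDestinationString == TRUE).
    Status = RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
    if (!NT_SUCCESS(Status)) {
        AnsiString.Buffer = NULL;
        goto Cleanup;
    }

    // Bounded copy into the caller's buffer, always leaving room for the NUL.
    CopyLength = AnsiString.Length;
    if (CopyLength > PROCESS_IMAGE_PATH_MAX - 1) {
        CopyLength = PROCESS_IMAGE_PATH_MAX - 1;
    }
    RtlCopyMemory(ProcessImageName, AnsiString.Buffer, CopyLength);
    ProcessImageName[CopyLength] = '\0';
    Status = STATUS_SUCCESS;

Cleanup:
    // Every resource is released exactly once, on success and on every failure path.
    if (AnsiString.Buffer != NULL) {
        RtlFreeAnsiString(&AnsiString);
    }
    if (DosName.Buffer != NULL) {
        ExFreePool(DosName.Buffer);
    }
    if (FilePath.Buffer != NULL) {
        ExFreePoolWithTag(FilePath.Buffer, HOOK_POOL_TAG);
    }
    if (FileObjectReferenced) {
        ObDereferenceObject(FileObject);
    }
    ObDereferenceObject(SectionObject);
    return Status;
}

// Placeholder for "renaming" the image behind a section (never called; the call
// site in New_ZwCreateProcessEx is disabled). It validates SectionHandle exactly
// like GetProcessImageName and clears the output buffer, nothing more.
//
// Deliberately absent: the old body ended with RtlFreeUnicodeString on a string
// initialised from a literal, i.e. a pool free of a non-pool address, and the
// commented-out idea of writing into FILE_OBJECT.FileName — that buffer belongs
// to the file system and may be shared by every opener of the file.
//
// Returns STATUS_SUCCESS when the handle is a valid section in the caller's
// mode, otherwise the NTSTATUS from ObReferenceObjectByHandle.
NTSTATUS ModifyProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
    PVOID SectionObject = NULL;
    NTSTATUS Status;

    *ProcessImageName = '\0';

    Status = ObReferenceObjectByHandle(SectionHandle, 0, *MmSectionObjectType,
                                       ExGetPreviousMode(), &SectionObject, NULL);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }

    ObDereferenceObject(SectionObject);
    return STATUS_SUCCESS;
}

// Replacement for the SSDT entry of ZwCreateProcessEx. Runs in the calling
// thread with the caller's previous mode, so every argument is still untrusted
// input; only SectionHandle is inspected here, and only after
// GetProcessImageName has validated it.
//
// Logs the image path of the process being created and the creator, then either
// denies the call (CreateAllowed == FALSE) or forwards all arguments unchanged
// to the original service routine and returns its status.
NTSTATUS New_ZwCreateProcessEx(
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    HANDLE ParentProcess,
    ULONG Flags,
    HANDLE SectionHandle,
    HANDLE DebugPort,
    HANDLE ExceptionPort,
    ULONG JobMemberLevel)
{
    // Per-call buffer. The old code wrote the shared CreatingProcessImagePath
    // global from every concurrent caller and "protected" it with the
    // CreateIsProgressing flag — a non-atomic test-then-set that, on top of not
    // serialising anything, returned STATUS_ACCESS_DENIED to any legitimate
    // creation that happened to overlap another one.
    CHAR ImagePath[PROCESS_IMAGE_PATH_MAX];
    NTSTATUS Status;

    InterlockedIncrement(&g_HookCallsInFlight);

    // On failure ImagePath is an empty string; the creator is still worth logging.
    (void)GetProcessImageName(SectionHandle, ImagePath);
    CreatorProcessId = PsGetCurrentProcessId();

    // PsGetProcessImageFileName points at the creator's EPROCESS image-name field;
    // presumably NUL-terminated by the kernel — confirm if this is ported.
    dprintf("调用了ZwCreateProcessEx函数. \n进程路径 = %s \n父进程 = %s \n",
            ImagePath, PsGetProcessImageFileName(PsGetCurrentProcess()));
    dprintf("父进程Pid = %p\n", CreatorProcessId);

    if (!CreateAllowed) {
        // Failing the service is what blocks the creation (the original author's
        // commented-out "return STATUS_ACCESS_DENIED", now switchable at run time).
        Status = STATUS_ACCESS_DENIED;
    } else {
        Status = Old_ZwCreateProcessEx(ProcessHandle, DesiredAccess, ObjectAttributes,
                                       ParentProcess, Flags, SectionHandle, DebugPort,
                                       ExceptionPort, JobMemberLevel);
    }

    InterlockedDecrement(&g_HookCallsInFlight);
    return Status;
}

// Install the hook. Returns FALSE, installing nothing, when the SSDT alias is
// not mapped or ServiceId_ZwCreateProcessEx is out of range — writing past the
// table, or into the wrong slot, would redirect an unrelated system call.
BOOLEAN EnableDriver()
{
    PVOID Previous;

    if (MappedSystemCallTable == NULL ||
        ServiceId_ZwCreateProcessEx >= KeServiceDescriptorTable.NumberOfServices) {
        dprintf("SSDT index 0x%lx out of range or table not mapped; not hooking.\n",
                ServiceId_ZwCreateProcessEx);
        return FALSE;
    }

    // Record the original routine *before* publishing the hook. The old code
    // exchanged the slot first and filled Old_ZwCreateProcessEx afterwards,
    // leaving a window in which a live hook call would go through a NULL pointer.
    Old_ZwCreateProcessExAddr = SYSTEMSERVICE(ServiceId_ZwCreateProcessEx);
    Old_ZwCreateProcessEx = (pfnZwCreateProcessEx)Old_ZwCreateProcessExAddr;

    HOOK_SYSCALL(ServiceId_ZwCreateProcessEx, New_ZwCreateProcessEx, Previous);
    if (Previous != Old_ZwCreateProcessExAddr) {
        // Someone else changed the slot between our read and our exchange; the
        // value we actually displaced is the one to call through and restore.
        Old_ZwCreateProcessExAddr = Previous;
        Old_ZwCreateProcessEx = (pfnZwCreateProcessEx)Previous;
    }

    dprintf("已经开始HOOK.\n");
    return TRUE;
}

// Put the saved original routine back into the SSDT slot. Returns FALSE when
// there is nothing to restore (not mapped, or EnableDriver never succeeded).
BOOLEAN DisableDriver()
{
    if (MappedSystemCallTable == NULL || Old_ZwCreateProcessExAddr == NULL) {
        return FALSE;
    }
    UNHOOK_SYSCALL(ServiceId_ZwCreateProcessEx, Old_ZwCreateProcessExAddr, New_ZwCreateProcessEx);
    dprintf("已经解除HOOK.\n");
    return TRUE;
}

// Driver entry: build a writable alias of the SSDT through an MDL (its own
// mapping may be read-only), then install the hook. Every failure path unwinds
// what was set up so far.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    // %wZ: the registry path is a counted string, not necessarily NUL-terminated.
    dprintf("注册到注册表: %wZ\n", pRegistryString);

    // One 32-bit entry per service (this table layout exists only on x86 kernels).
    // IoAllocateMdl is the documented replacement for the obsolete MmCreateMdl.
    g_pmdlSystemCall = IoAllocateMdl(
        KeServiceDescriptorTable.ServiceTableBase,
        KeServiceDescriptorTable.NumberOfServices * sizeof(*KeServiceDescriptorTable.ServiceTableBase),
        FALSE, FALSE, NULL);
    if (g_pmdlSystemCall == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

    // The classic (undocumented, free-build-only) SSDT-write trick: flag the MDL
    // as already mapped so the map call hands back a fresh, writable system VA
    // for the same physical pages. MmMapLockedPagesSpecifyCache with
    // BugCheckOnFailure == FALSE is what MmMapLockedPages wraps, minus the crash.
    g_pmdlSystemCall->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
    MappedSystemCallTable = (PVOID *)MmMapLockedPagesSpecifyCache(
        g_pmdlSystemCall, KernelMode, MmCached, NULL, FALSE, HighPagePriority);
    if (MappedSystemCallTable == NULL) {
        IoFreeMdl(g_pmdlSystemCall);
        g_pmdlSystemCall = NULL;
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    pDriverObj->DriverUnload = DriverUnload;

    if (!EnableDriver()) {
        MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
        IoFreeMdl(g_pmdlSystemCall);
        MappedSystemCallTable = NULL;
        g_pmdlSystemCall = NULL;
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_SUCCESS;
}

// Unload: restore the SSDT slot, wait for threads still executing
// New_ZwCreateProcessEx to leave (the old code unhooked and returned at once,
// so the image could be freed while a hook call was still running), then
// release the MDL mapping that was never freed before.
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    LARGE_INTEGER Interval;

    UNREFERENCED_PARAMETER(pDriverObj);

    DisableDriver();

    // Drain in-flight hook calls. A thread that has already fetched the old slot
    // value but has not yet incremented the counter is still a (tiny) window;
    // SSDT hooks cannot close it completely — one more reason to prefer
    // PsSetCreateProcessNotifyRoutineEx where available.
    Interval.QuadPart = -10 * 1000 * 10; // 10 ms, relative
    while (InterlockedCompareExchange(&g_HookCallsInFlight, 0, 0) != 0) {
        KeDelayExecutionThread(KernelMode, FALSE, &Interval);
    }

    if (g_pmdlSystemCall != NULL) {
        if (MappedSystemCallTable != NULL) {
            MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
            MappedSystemCallTable = NULL;
        }
        IoFreeMdl(g_pmdlSystemCall);
        g_pmdlSystemCall = NULL;
    }

    dprintf("驱动已经卸载.\n");
}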