note : IRP hook on R0
IRP hook
以FSD Hook 为例, Hook和UnHook的操作, 在DeviceIoControl中响应.
Hook 处理
/// @file Fsd.h
/// @brief Hook / unhook / inspect the IRP_MJ_CREATE dispatch entry of the
///        \\FileSystem\\Ntfs driver object (implementation in Fsd.c).
#ifndef __FSD_H__
#define __FSD_H__
#include <ntddk.h>
#include "constDefine.h"
#include "r0ProcessHelper.h"

/// @fn ProcessHookFsd
/// @brief Entry point used from the IOCTL handler: installs or removes the FSD hook.
/// @param BOOLEAN bHook, TRUE = hook (HookFsd), FALSE = unHook (UnHookFsd)
/// @return the status of the routine it delegated to
NTSTATUS
ProcessHookFsd(BOOLEAN bHook);

/// @fn ProcessShowFsd
/// @brief Read-only inspection: prints the Ntfs driver object's name and
///        hardware-database string and, for every MajorFunction[] slot, the
///        dispatch address together with the module that owns it.  A slot whose
///        owner is neither Ntfs.sys nor the kernel image is the visible trace of
///        a dispatch-table hook.
/// @return the status of the driver-object lookup
NTSTATUS ProcessShowFsd();

/// @fn HookFsd
/// @brief Saves MajorFunction[IRP_MJ_CREATE] of Ntfs into a file-scope global
///        and replaces it with this driver's routine.
NTSTATUS
HookFsd();

/// @fn UnHookFsd
/// @brief Writes the saved original back into MajorFunction[IRP_MJ_CREATE];
///        a no-op when HookFsd() never ran (saved pointer still NULL).
NTSTATUS
UnHookFsd();

#endif // #ifndef __FSD_H__
/// @file Fsd.c
/// @brief Installs, removes and inspects the IRP_MJ_CREATE dispatch entry of
///        the \\FileSystem\\Ntfs driver object.  ProcessShowFsd() is the
///        read-only path that makes such a modification visible.
#include "Fsd.h"

/// Original IRP_MJ_CREATE dispatch routine of Ntfs; NULL until HookFsd() has
/// run.  Read by DrvDispachIrpMjCreate_Ntfs_new() and UnHookFsd().
// NOTE(review): plain global, written in HookFsd() and read on the dispatch
// path; nothing in this file orders those accesses.
PDRIVER_DISPATCH g_pDrvDispachIrpMjCreate_Ntfs_org = NULL;

/// Replacement IRP_MJ_CREATE dispatch routine (defined below).
NTSTATUS DrvDispachIrpMjCreate_Ntfs_new(
    __in struct _DEVICE_OBJECT * pDeviceObject,
    __inout struct _IRP *pIrp );

/// @brief Selects hook or unhook for the IOCTL handler.
/// @param bHook TRUE = hook, FALSE = unHook
/// @return status of HookFsd() or UnHookFsd()
NTSTATUS ProcessHookFsd(BOOLEAN bHook)
{
    if (bHook)
        return HookFsd();
    else
        return UnHookFsd();
}

/// @brief Saves the current MajorFunction[IRP_MJ_CREATE] of the Ntfs driver
///        object into g_pDrvDispachIrpMjCreate_Ntfs_org and overwrites the slot
///        with DrvDispachIrpMjCreate_Ntfs_new.
/// @return status of GetDriverObject(): success once the slot was rewritten,
///         its failure code otherwise.
// NOTE(review): the slot is saved unconditionally, so a second call stores this
// driver's own routine as the "original" and UnHookFsd() can then no longer
// restore the real Ntfs entry.  After this runs, ProcessShowFsd() reports the
// slot's owner as this driver's image instead of Ntfs.sys (see trace below).
NTSTATUS
HookFsd()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PDRIVER_OBJECT pDrvObj = NULL;
    DBGPRT((">> HookFsd\n"));
    status = GetDriverObject(DRVOBJ_NAME_NTFS, &pDrvObj);
    if (!NT_SUCCESS(status))
        goto _HookFsd_END;
    g_pDrvDispachIrpMjCreate_Ntfs_org = pDrvObj->MajorFunction[IRP_MJ_CREATE];
    pDrvObj->MajorFunction[IRP_MJ_CREATE] = DrvDispachIrpMjCreate_Ntfs_new;
    DBGPRT(("ok : hook fsd IRP_MJ_CREATE\r\n"));
_HookFsd_END:
    // Drop the reference GetDriverObject() took via ObReferenceObjectByName.
    if (NULL != pDrvObj)
        ObDereferenceObject(pDrvObj);
    DBGPRT(("<< HookFsd\n"));
    return status;
}

/// @brief Writes the saved original routine back into
///        MajorFunction[IRP_MJ_CREATE] of the Ntfs driver object.
/// @return status of GetDriverObject() -- note it is a success even when
///         nothing was restored because no hook had been installed.
// NOTE(review): both trace lines say "HookFsd" here, so the debug output
// cannot distinguish hook from unhook entry/exit (visible in the log below).
// The saved pointer is not cleared after restoring, so a later call
// rewrites the slot with the same value again.
NTSTATUS
UnHookFsd()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PDRIVER_OBJECT pDrvObj = NULL;
    DBGPRT((">> HookFsd\n"));
    status = GetDriverObject(DRVOBJ_NAME_NTFS, &pDrvObj);
    if (!NT_SUCCESS(status))
        goto _HookFsd_END;
    /// Guard: do not "unhook" when HookFsd() never ran (saved pointer is NULL).
    if (NULL != g_pDrvDispachIrpMjCreate_Ntfs_org)
    {
        pDrvObj->MajorFunction[IRP_MJ_CREATE] = g_pDrvDispachIrpMjCreate_Ntfs_org;
        DBGPRT(("ok : unHook fsd IRP_MJ_CREATE\r\n"));
    }
_HookFsd_END:
    // Drop the reference GetDriverObject() took via ObReferenceObjectByName.
    if (NULL != pDrvObj)
        ObDereferenceObject(pDrvObj);
    DBGPRT(("<< HookFsd\n"));
    return status;
}

/// @brief Replacement IRP_MJ_CREATE entry: forwards the IRP to the saved Ntfs
///        routine and returns whatever it returns.
/// @param pDeviceObject device object the IRP was sent to (passed through)
/// @param pIrp          the IRP (passed through)
/// @return status of the original routine; STATUS_UNSUCCESSFUL when no
///         original routine was saved -- in that branch pIrp is neither
///         forwarded nor completed by this function.
NTSTATUS DrvDispachIrpMjCreate_Ntfs_new(
    __in struct _DEVICE_OBJECT * pDeviceObject,
    __inout struct _IRP *pIrp)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    if (NULL == g_pDrvDispachIrpMjCreate_Ntfs_org)
        return status;
    status = g_pDrvDispachIrpMjCreate_Ntfs_org(pDeviceObject, pIrp);
    return status;
}

/// @brief Read-only inspection of the Ntfs driver object: prints DriverName
///        and HardwareDatabase, then each MajorFunction[] address with the
///        module that owns it (GetOwnerMoudleNameOfAddress), or "no owner"
///        when the lookup fails.  In the trace below every slot belongs to
///        Ntfs.sys or ntkrnlpa.exe except the hooked one.
/// @return status of GetDriverObject(); per-slot lookup failures only affect
///         the printed text.
// NOTE(review): the loop uses `<` IRP_MJ_MAXIMUM_FUNCTION, so the table's last
// slot (MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries) is never
// shown; `<=` would cover it.  "%d" is paired with a UINT and "0x%X" with a
// ULONG_PTR -- fine on x86, but on 64-bit %X consumes only 32 bits of the
// pointer-sized argument (%p would be the matching specifier).
NTSTATUS ProcessShowFsd()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    NTSTATUS statusOwner = STATUS_UNSUCCESSFUL;
    PDRIVER_OBJECT pDrvObj = NULL;
    UINT uIndex = 0;
    char cModuleName[MAX_PATH];
    ULONG_PTR ulAddr = 0;
    DBGPRT((">> ProcessShowFsd\n"));
    status = GetDriverObject(DRVOBJ_NAME_NTFS, &pDrvObj);
    if (!NT_SUCCESS(status))
        goto _ProcessShowFsd_END;
    DBGPRT((
        "pDrvObj->DriverName = %wZ\n"
        "pDrvObj->HardwareDatabase = %wZ\r\n",
        &pDrvObj->DriverName, pDrvObj->HardwareDatabase));
    for (uIndex = 0; uIndex < IRP_MJ_MAXIMUM_FUNCTION; uIndex++)
    {
        ulAddr = (ULONG_PTR)pDrvObj->MajorFunction[uIndex];
        // Cleared first because the lookup only writes the matched name.
        memset(cModuleName, 0, sizeof(cModuleName));
        statusOwner = GetOwnerMoudleNameOfAddress(
            ulAddr, cModuleName, sizeof(cModuleName));
        DBGPRT((
            "pDrvObj->MajorFunction[%d] = 0x%X, "
            "in Module [%s]\n",
            uIndex, ulAddr,
            (NT_SUCCESS(statusOwner)) ? cModuleName : "no owner"));
    }
_ProcessShowFsd_END:
    // Drop the reference GetDriverObject() took via ObReferenceObjectByName.
    if (NULL != pDrvObj)
        ObDereferenceObject(pDrvObj);
    DBGPRT(("<< ProcessShowFsd\n"));
    return status;
}
Helper
/// @file r0ProcessHelper.h
/// @brief Ring-0 helpers: AuxKlib initialization, owner-module lookup for a
///        kernel address, driver-object lookup by name, UNICODE_STRING check.
#ifndef __R0_PROCESS_HELPER_H__
#define __R0_PROCESS_HELPER_H__
#include <ntddk.h>
#include "constDefine.h"

/// System global (exported by the kernel); used as the ObjectType argument
/// of ObReferenceObjectByName in GetDriverObject().
extern POBJECT_TYPE *IoDriverObjectType;

/// Undocumented kernel export, declared here because no WDK header does.
// NOTE(review): the signature below is the one this module relies on; it is
// not covered by a public contract, so verify it against the target build.
NTSTATUS __stdcall
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID *Object);

/// Constants: object-manager name of the NTFS driver object.
#define DRVOBJ_NAME_NTFS L"\\FileSystem\\Ntfs"

/// Pool tag for the AuxKlib module-information buffer.
// NOTE(review): 'aux' is a 3-character multi-character constant; pool tags
// are conventionally 4 characters -- confirm the intended tag value.
#define MEMORY_POOL_TYPE_AUX 'aux'

/// Initialize AuxKlib once; returns the cached status on later calls.
NTSTATUS AuxKlibInitializeEx();

/// @fn GetDriverObject
/// @brief Looks up a driver object by object-manager name and returns it with
///        a reference held (ObReferenceObjectByName); the caller must
///        ObDereferenceObject() it.
/// @param WCHAR * pcDriverObjectName, e.g. DRVOBJ_NAME_NTFS
/// @param PDRIVER_OBJECT * ppDrvObj, receives the referenced driver object
NTSTATUS
GetDriverObject(
    WCHAR * pcDriverObjectName,
    PDRIVER_OBJECT * ppDrvObj);

/// @fn GetOwnerMoudleNameOfAddress
/// @brief Finds the loaded module whose image range contains an address
///        (AuxKlibQueryModuleInformation) and returns its full path.
/// @param ULONG_PTR ulAddr, address to look up
/// @param char * cNameModule, buffer that receives the module path
/// @param UINT uLenModule, size of that buffer in bytes
NTSTATUS GetOwnerMoudleNameOfAddress(
    ULONG_PTR ulAddr,
    char * cNameModule,
    UINT uLenModule);

/// Probe-based check that a UNICODE_STRING and its Buffer are readable
/// (MmIsAddressValid); a snapshot only, not a guarantee for later accesses.
BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr);

#endif // #ifndef __R0_PROCESS_HELPER_H__
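/// @file r0ProcessHelper.c
/// @brief Ring-0 helpers: AuxKlib initialization, owner-module lookup for a
///        kernel address, driver-object lookup by name, UNICODE_STRING check.
#include <ntifs.h>
#include <Aux_klib.h> ///< need ntifs.h
#include "r0ProcessHelper.h"

/// AuxKlib initialization status, cached so AuxKlibInitialize() runs once.
NTSTATUS g_status_AuxKlibInit = STATUS_UNSUCCESSFUL;

/// @brief Initialize AuxKlib on first use.
/// @return the (cached) status of AuxKlibInitialize()
NTSTATUS AuxKlibInitializeEx()
{
    if (!NT_SUCCESS(g_status_AuxKlibInit))
        g_status_AuxKlibInit = AuxKlibInitialize();
    return g_status_AuxKlibInit;
}

/// Copy at most uLenDst-1 bytes of pSrc (stopping at NUL or uSrcMax) into
/// pcDst and always NUL-terminate; pSrc need not be terminated.
static void CopyModuleNameBounded(
    char * pcDst,
    UINT uLenDst,
    const UCHAR * pSrc,
    UINT uSrcMax)
{
    UINT uCopied = 0;
    if ((NULL == pcDst) || (0 == uLenDst))
        return;
    while ((uCopied < uSrcMax) && (uCopied + 1 < uLenDst) && ('\0' != pSrc[uCopied]))
    {
        pcDst[uCopied] = (char)pSrc[uCopied];
        uCopied++;
    }
    pcDst[uCopied] = '\0';
}

/// @brief Find the loaded module whose image range [ImageBase, ImageBase+ImageSize)
///        contains ulAddr and copy its full path into pcNameModule.
/// @param ulAddr       address to look up
/// @param pcNameModule receives the NUL-terminated module path
/// @param uLenModule   size of pcNameModule in bytes (>= AUX_KLIB_MODULE_PATH_LEN)
/// @return STATUS_SUCCESS on a match; STATUS_NOT_FOUND when no module contains
///         the address; STATUS_UNSUCCESSFUL on bad arguments;
///         STATUS_INSUFFICIENT_RESOURCES when the pool allocation fails;
///         otherwise the AuxKlib status.
/// Runs at PASSIVE_LEVEL (PAGED_CODE, paged pool, AuxKlib).
NTSTATUS GetOwnerMoudleNameOfAddress(
    ULONG_PTR ulAddr,
    char * pcNameModule,
    UINT uLenModule)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG dwLenMoudleInfo = 0;
    ULONG dwMoudleCnt = 0;
    ULONG dwIndex = 0;
    UCHAR * pMoudleInfo = NULL;
    AUX_MODULE_EXTENDED_INFO * pAuxModuleExInfo = NULL;

    __try
    {
        PAGED_CODE();

        // Either a missing or a too-small buffer is rejected (the original
        // combined the two with &&, which let a NULL buffer through).
        if ((NULL == pcNameModule) || (uLenModule < AUX_KLIB_MODULE_PATH_LEN))
            __leave;
        pcNameModule[0] = '\0';

        status = AuxKlibInitializeEx();
        if (!NT_SUCCESS(status))
            __leave;

        // First call with a NULL buffer only reports the required size.
        status = AuxKlibQueryModuleInformation(
            &dwLenMoudleInfo,
            sizeof(AUX_MODULE_EXTENDED_INFO),
            NULL);
        if (!NT_SUCCESS(status))
            __leave;
        if (0 == dwLenMoudleInfo)
        {
            status = STATUS_NOT_FOUND;
            __leave;
        }

        pMoudleInfo = ExAllocatePoolWithTag(PagedPool, dwLenMoudleInfo, MEMORY_POOL_TYPE_AUX);
        if (NULL == pMoudleInfo)
        {
            // The original fell through here with the query's success status.
            status = STATUS_INSUFFICIENT_RESOURCES;
            __leave;
        }

        status = AuxKlibQueryModuleInformation(
            &dwLenMoudleInfo,
            sizeof(AUX_MODULE_EXTENDED_INFO),
            pMoudleInfo);
        if (!NT_SUCCESS(status))
            __leave;

        // Count from the size the second call actually filled, not the probe;
        // the module list may have changed between the two calls.
        dwMoudleCnt = dwLenMoudleInfo / sizeof(AUX_MODULE_EXTENDED_INFO);

        // Distinguish "looked and found nothing" from the query's success.
        status = STATUS_NOT_FOUND;
        pAuxModuleExInfo = (AUX_MODULE_EXTENDED_INFO *)pMoudleInfo;
        for (dwIndex = 0; dwIndex < dwMoudleCnt; dwIndex++, pAuxModuleExInfo++)
        {
            ULONG_PTR ulImageBase = (ULONG_PTR)pAuxModuleExInfo->BasicInfo.ImageBase;
            ULONG_PTR ulImageEnd = ulImageBase + pAuxModuleExInfo->ImageSize;
            if ((ulAddr >= ulImageBase) && (ulAddr < ulImageEnd))
            {
                // Bounded copy: the original memcpy'd strlen(FullPathName)
                // bytes with no regard to uLenModule and never terminated.
                CopyModuleNameBounded(
                    pcNameModule,
                    uLenModule,
                    pAuxModuleExInfo->FullPathName,
                    AUX_KLIB_MODULE_PATH_LEN);
                status = STATUS_SUCCESS; ///< match
                __leave;
            }
        }
    }
    __finally
    {
        if (NULL != pMoudleInfo)
            ExFreePoolWithTag(pMoudleInfo, MEMORY_POOL_TYPE_AUX);
    }
    return status;
}

/// @brief Look up a driver object by object-manager name.
/// @param pcDriverObjectName NUL-terminated wide name, e.g. DRVOBJ_NAME_NTFS
/// @param ppDrvObj           receives the driver object with one reference
///                           held; the caller must ObDereferenceObject() it.
///                           Set to NULL on entry so it is safe to test on
///                           failure.
/// @return STATUS_UNSUCCESSFUL on bad arguments, else the status of
///         ObReferenceObjectByName.
NTSTATUS GetDriverObject(
    WCHAR * pcDriverObjectName,
    PDRIVER_OBJECT * ppDrvObj)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    UNICODE_STRING strDrvObjName;

    if ((NULL == ppDrvObj) || (NULL == pcDriverObjectName))
        return status;
    *ppDrvObj = NULL;

    /// Obtain the driver object.
    /// Parameter 2: see InitializeObjectAttributes.Attributes --
    /// kernel handle | case-insensitive.
    RtlInitUnicodeString(&strDrvObjName, pcDriverObjectName);
    status = ObReferenceObjectByName(
        &strDrvObjName,                             ///< IN PUNICODE_STRING ObjectName,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,   ///< IN ULONG Attributes,
        NULL,                                       ///< IN PACCESS_STATE PassedAccessState OPTIONAL,
        0,                                          ///< IN ACCESS_MASK DesiredAccess OPTIONAL,
        *IoDriverObjectType,                        ///< IN POBJECT_TYPE ObjectType,
        KernelMode,                                 ///< IN KPROCESSOR_MODE AccessMode,
        NULL,                                       ///< IN OUT PVOID ParseContext OPTIONAL,
        ppDrvObj                                    ///< OUT PVOID *Object
        );
    return status;
}

/// @brief Probe a UNICODE_STRING: the struct itself, a non-NULL Buffer, a
///        non-zero Length, and every byte of Buffer[0..Length) via
///        MmIsAddressValid; any exception while probing yields FALSE.
/// @param pstr string to check
/// @return TRUE when all probes passed at the time of the call
// NOTE(review): MmIsAddressValid is a point-in-time probe; a page that was
// valid here can be unmapped before the caller reads it, so callers must not
// treat TRUE as a lasting guarantee.
BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr)
{
    BOOLEAN bRc = FALSE;
    ULONG ulIndex = 0;

    __try
    {
        if (!MmIsAddressValid(pstr))
            return FALSE;
        if ((NULL == pstr->Buffer) || (0 == pstr->Length))
            return FALSE;
        // Length is in bytes, so probe byte-wise.
        for (ulIndex = 0; ulIndex < pstr->Length; ulIndex++)
        {
            if (!MmIsAddressValid((UCHAR *)pstr->Buffer + ulIndex))
                return FALSE;
        }
        bRc = TRUE;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        bRc = FALSE;
    }
    return bRc;
}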
实验数据
#define IRP_MJ_CREATE 0x00
DisPatchDeviceControl IOCTL 0x22e000>> ProcessShowFsdpDrvObj->DriverName = \FileSystem\NtfspDrvObj->HardwareDatabase = \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM pDrvObj->MajorFunction[0] = 0xF7387E01, in Module [Ntfs.sys] ///< 原始地址pDrvObj->MajorFunction[1] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[2] = 0xF73872EA, in Module [Ntfs.sys]pDrvObj->MajorFunction[3] = 0xF7364F2F, in Module [Ntfs.sys]pDrvObj->MajorFunction[4] = 0xF7363B4B, in Module [Ntfs.sys]pDrvObj->MajorFunction[5] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[6] = 0xF7365ABB, in Module [Ntfs.sys]pDrvObj->MajorFunction[7] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[8] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[9] = 0xF73A20E5, in Module [Ntfs.sys]pDrvObj->MajorFunction[10] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[11] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[12] = 0xF738A1BD, in Module [Ntfs.sys]pDrvObj->MajorFunction[13] = 0xF738C958, in Module [Ntfs.sys]pDrvObj->MajorFunction[14] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[15] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[16] = 0xF73767F2, in Module [Ntfs.sys]pDrvObj->MajorFunction[17] = 0xF73DBCE9, in Module [Ntfs.sys]pDrvObj->MajorFunction[18] = 0xF7387CB8, in Module [Ntfs.sys]pDrvObj->MajorFunction[19] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[20] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[21] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[22] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[23] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[24] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[25] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[26] = 0xF73884B9, in Module [Ntfs.sys]<< ProcessShowFsdDisPatchDeviceControl IOCTL 0x22e000>> 
HookFsdok : hook fsd IRP_MJ_CREATE << HookFsdDisPatchDeviceControl IOCTL 0x22e000>> ProcessShowFsdpDrvObj->DriverName = \FileSystem\NtfspDrvObj->HardwareDatabase = \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM pDrvObj->MajorFunction[0] = 0xF78DE8C0, in Module [\??\C:\Documents and Settings\Administrator\桌面\bin\LsNtDrv.sys] ///< IRP HOOKpDrvObj->MajorFunction[1] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[2] = 0xF73872EA, in Module [Ntfs.sys]pDrvObj->MajorFunction[3] = 0xF7364F2F, in Module [Ntfs.sys]pDrvObj->MajorFunction[4] = 0xF7363B4B, in Module [Ntfs.sys]pDrvObj->MajorFunction[5] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[6] = 0xF7365ABB, in Module [Ntfs.sys]pDrvObj->MajorFunction[7] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[8] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[9] = 0xF73A20E5, in Module [Ntfs.sys]pDrvObj->MajorFunction[10] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[11] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[12] = 0xF738A1BD, in Module [Ntfs.sys]pDrvObj->MajorFunction[13] = 0xF738C958, in Module [Ntfs.sys]pDrvObj->MajorFunction[14] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[15] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[16] = 0xF73767F2, in Module [Ntfs.sys]pDrvObj->MajorFunction[17] = 0xF73DBCE9, in Module [Ntfs.sys]pDrvObj->MajorFunction[18] = 0xF7387CB8, in Module [Ntfs.sys]pDrvObj->MajorFunction[19] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[20] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[21] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[22] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[23] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[24] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[25] = 0xF73884B9, in Module 
[Ntfs.sys]pDrvObj->MajorFunction[26] = 0xF73884B9, in Module [Ntfs.sys]<< ProcessShowFsdDisPatchDeviceControl IOCTL 0x22e000>> HookFsdok : unHook fsd IRP_MJ_CREATE << HookFsdDisPatchDeviceControl IOCTL 0x22e000>> ProcessShowFsdpDrvObj->DriverName = \FileSystem\NtfspDrvObj->HardwareDatabase = \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM pDrvObj->MajorFunction[0] = 0xF7387E01, in Module [Ntfs.sys] ///< UnHook 之后,恢复成原始值pDrvObj->MajorFunction[1] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[2] = 0xF73872EA, in Module [Ntfs.sys]pDrvObj->MajorFunction[3] = 0xF7364F2F, in Module [Ntfs.sys]pDrvObj->MajorFunction[4] = 0xF7363B4B, in Module [Ntfs.sys]pDrvObj->MajorFunction[5] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[6] = 0xF7365ABB, in Module [Ntfs.sys]pDrvObj->MajorFunction[7] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[8] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[9] = 0xF73A20E5, in Module [Ntfs.sys]pDrvObj->MajorFunction[10] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[11] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[12] = 0xF738A1BD, in Module [Ntfs.sys]pDrvObj->MajorFunction[13] = 0xF738C958, in Module [Ntfs.sys]pDrvObj->MajorFunction[14] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[15] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[16] = 0xF73767F2, in Module [Ntfs.sys]pDrvObj->MajorFunction[17] = 0xF73DBCE9, in Module [Ntfs.sys]pDrvObj->MajorFunction[18] = 0xF7387CB8, in Module [Ntfs.sys]pDrvObj->MajorFunction[19] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[20] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[21] = 0xF7388604, in Module [Ntfs.sys]pDrvObj->MajorFunction[22] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[23] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[24] = 0x804F454A, in Module 
[\WINDOWS\system32\ntkrnlpa.exe]pDrvObj->MajorFunction[25] = 0xF73884B9, in Module [Ntfs.sys]pDrvObj->MajorFunction[26] = 0xF73884B9, in Module [Ntfs.sys]<< ProcessShowFsd