蹂躏D&F学习之备份

//头文件://SSDTHOOK.h#pragma once#ifdef  __cplusplusextern "C" {#endif#include <ntddk.h>#include <string.h>#ifdef  __cplusplus};// extern "C"#endiftypedef struct _SDT_ENTRY{PVOID *ServiceTableBase;PULONG ServiceCounterTableBase; //Used only in checked buildULONG NumberOfServices;PUCHAR ParamTableBase;} SDT_ENTRY, *PSDT_ENTRY;EXTERN_C SDT_ENTRY *KeServiceDescriptorTable;ULONG GetSDDTAddr(ULONG uIndex);//BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);//BOOLEAN unHookSSDT(ULONG uIndex, PULONG uOldAddr);//void DisableWP();//void EnableWP();BOOLEAN HookSSDTByMdl(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);BOOLEAN UnHookSSDTByMdl(ULONG uIndex, ULONG uOldAddr);
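// mini_ddk.h
//
// Declarations shared between the driver entry file (源.cpp) and the SSDT
// hook code.  An earlier scaffold that lived here commented out (device
// creation for \Device\yjxDDK_Device with symbolic link \??\yjx888, IRP
// dispatch stubs, and a hand-rolled ServiceDescriptorTable struct) was never
// compiled and has been dropped from this header.
#pragma once

#include <ntddk.h>

// DriverUnload routine: restores the hooked SSDT slot and logs.
void UnloadDriver(PDRIVER_OBJECT pDriver);

// Replacement for NtCreateFile that is installed into the SSDT.
// Same parameter list as NtCreateFile.  The system-call dispatcher passes the
// caller's arguments through unprobed, so when the previous mode is user mode
// ObjectAttributes and everything it points to must be treated as untrusted
// user memory (probe + __try) before being read.
NTSTATUS rlNtCreateFile(
    _Out_    PHANDLE            FileHandle,
    _In_     ACCESS_MASK        DesiredAccess,
    _In_     POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_    PIO_STATUS_BLOCK   IoStatusBlock,
    _In_opt_ PLARGE_INTEGER     AllocationSize,
    _In_     ULONG              FileAttributes,
    _In_     ULONG              ShareAccess,
    _In_     ULONG              CreateDisposition,
    _In_     ULONG              CreateOptions,
    _In_opt_ PVOID              EaBuffer,
    _In_     ULONG              EaLength);

// Pointer type used to call the original NtCreateFile saved from the SSDT.
// NTAPI (__stdcall on x86) is spelled out because the kernel's NtCreateFile
// pops its own arguments; calling it through a cdecl pointer would unbalance
// the stack unless the project happens to build with /Gz.
typedef NTSTATUS (NTAPI *PFNNTCREATEFILE)(
    _Out_    PHANDLE            FileHandle,
    _In_     ACCESS_MASK        DesiredAccess,
    _In_     POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_    PIO_STATUS_BLOCK   IoStatusBlock,
    _In_opt_ PLARGE_INTEGER     AllocationSize,
    _In_     ULONG              FileAttributes,
    _In_     ULONG              ShareAccess,
    _In_     ULONG              CreateDisposition,
    _In_     ULONG              CreateOptions,
    _In_opt_ PVOID              EaBuffer,
    _In_     ULONG              EaLength);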

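// SSDTHOOK.cpp
//
// SSDT patching helpers for 32-bit Windows.  Two strategies are offered:
//   * HookSSDT / unHookSSDT        - write the slot in place with CR0.WP
//                                    cleared on the current CPU;
//   * HookSSDTByMdl / UnHookSSDTByMdl - map the table a second time through an
//                                    MDL and write through that writable view.
// Both patch a structure that is write-protected (and, on x64, guarded by
// PatchGuard); this file is x86 only.
#include "SSDTHOOK.h"

// Number of slots in the kernel's SSDT, read from the exported descriptor.
static ULONG SsdtSlotCount()
{
    return (*KeServiceDescriptorTable).NumberOfServices;
}

// Address of slot uIndex (each slot is a ULONG holding the service's entry
// point).  Returns NULL when uIndex is outside the table, so no caller ever
// reads or writes past ServiceTableBase.
static PULONG SsdtSlot(ULONG uIndex)
{
    if (uIndex >= SsdtSlotCount())
    {
        return NULL;
    }
    return (PULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex;
}

// Returns the entry point stored in slot uIndex, or 0 for an out-of-range
// index (the original read whatever lay past the table; 0 is also the value
// DriverEntry already treats as "lookup failed").
ULONG GetSDDTAddr(ULONG uIndex)
{
    PULONG pSlot = SsdtSlot(uIndex);
    return (pSlot != NULL) ? *pSlot : 0;
}

// Clear CR0.WP on the current CPU so read-only kernel pages can be written.
// Interrupts stay disabled (cli) until EnableWP so the thread cannot be
// preempted and resumed on a CPU whose CR0 still has WP set.  Must be paired
// with EnableWP on the same path, with nothing in between that could block.
void DisableWP()
{
    _asm
    {
        cli
        push eax
        mov eax, cr0
        and eax, 0xfffeffff   ; clear bit 16 (WP)
        mov cr0, eax
        pop eax
    }
}

// Restore CR0.WP on the current CPU and re-enable interrupts.
void EnableWP()
{
    _asm
    {
        push eax
        mov eax, cr0
        or eax, 0x10000       ; set bit 16 (WP)
        mov cr0, eax
        pop eax
        sti
    }
}

// Installs uNewAddr into slot uIndex with write protection lifted and stores
// the previous entry in *puOldAddr.  Rejects a zero target, a NULL output
// pointer or an out-of-range index.  The original left the DisableWP/EnableWP
// calls commented out, so the store hit a write-protected page.
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr)
{
    if (uNewAddr == 0 || puOldAddr == NULL)
    {
        return FALSE;
    }
    PULONG pSlot = SsdtSlot(uIndex);
    if (pSlot == NULL)
    {
        return FALSE;
    }

    DisableWP();
    // One atomic 4-byte exchange: a CPU dispatching this service concurrently
    // sees either the old or the new entry, never a torn value.
    *puOldAddr = (ULONG)InterlockedExchange((volatile LONG *)pSlot, (LONG)uNewAddr);
    EnableWP();
    return TRUE;
}

// Restores slot uIndex to uOldAddr.  uOldAddr is the saved address *value*
// (what HookSSDT wrote into *puOldAddr) carried in a pointer-typed parameter;
// it is cast back to an integer, never dereferenced.
BOOLEAN unHookSSDT(ULONG uIndex, PULONG uOldAddr)
{
    if (uOldAddr == NULL)
    {
        return FALSE;
    }
    PULONG pSlot = SsdtSlot(uIndex);
    if (pSlot == NULL)
    {
        return FALSE;
    }

    DisableWP();
    InterlockedExchange((volatile LONG *)pSlot, (LONG)(ULONG_PTR)uOldAddr);
    EnableWP();
    return TRUE;
}

// Exchanges the contents of slot uIndex with uNewAddr through a temporary
// writable kernel mapping of the whole table.  The previous entry is returned
// through pOldAddr when it is non-NULL.  Returns FALSE, leaving the table
// untouched, for an out-of-range index or when the MDL cannot be allocated
// or mapped.
static BOOLEAN ExchangeSsdtSlotViaMdl(ULONG uIndex, ULONG uNewAddr, PULONG pOldAddr)
{
    if (SsdtSlot(uIndex) == NULL)
    {
        return FALSE;
    }

    PVOID pTable = (*KeServiceDescriptorTable).ServiceTableBase;
    ULONG cbTable = SsdtSlotCount() * sizeof(ULONG);

    // IoAllocateMdl replaces the obsolete MmCreateMdl; both report failure as NULL.
    PMDL pMdl = IoAllocateMdl(pTable, cbTable, FALSE, FALSE, NULL);
    if (pMdl == NULL)
    {
        return FALSE;
    }
    MmBuildMdlForNonPagedPool(pMdl);

    // Kept from the original: the usual SSDT-hook recipe sets this flag by
    // hand before mapping.  It is not a documented use of MdlFlags; the
    // write below relies only on the fresh kernel-mode view being read/write.
    pMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;

    // NormalPagePriority + BugCheckOnFailure=FALSE: returns NULL instead of
    // raising or bug-checking when no system PTEs are available.
    PULONG pView = (PULONG)MmMapLockedPagesSpecifyCache(
        pMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority);
    if (pView == NULL)
    {
        IoFreeMdl(pMdl);   // the original leaked the MDL on this path
        return FALSE;
    }

    // Write through the alias at the scaled slot offset.  The original
    // computed ServiceTableBase + uIndex (unscaled) and wrote through the
    // original, write-protected address, so the mapping was never used.
    ULONG uPrev = (ULONG)InterlockedExchange((volatile LONG *)&pView[uIndex], (LONG)uNewAddr);
    if (pOldAddr != NULL)
    {
        *pOldAddr = uPrev;
    }

    // Tear the alias down before freeing; the original freed the MDL while
    // its system-space mapping was still live.
    MmUnmapLockedPages(pView, pMdl);
    IoFreeMdl(pMdl);
    return TRUE;
}

// Installs uNewAddr into slot uIndex via the MDL path and saves the previous
// entry in *puOldAddr.  Rejects a zero target or a NULL output pointer.
BOOLEAN HookSSDTByMdl(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr)
{
    if (uNewAddr == 0 || puOldAddr == NULL)
    {
        return FALSE;
    }
    return ExchangeSsdtSlotViaMdl(uIndex, uNewAddr, puOldAddr);
}

// Restores slot uIndex to uOldAddr via the MDL path.  A zero uOldAddr means
// the hook was never installed, so nothing is written.
BOOLEAN UnHookSSDTByMdl(ULONG uIndex, ULONG uOldAddr)
{
    if (uOldAddr == 0)
    {
        return FALSE;
    }
    return ExchangeSsdtSlotViaMdl(uIndex, uOldAddr, NULL);
}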

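// 源.cpp - driver entry
//
// Hooks NtCreateFile through the SSDT and refuses any create/open whose
// object name contains "1.txt".  x86 only: the SSDT slots are ULONG-sized
// addresses and KeServiceDescriptorTable is not exported on x64.
//
// The slot index below is version-specific: the same service sits at a
// different index on each Windows release, so loading this driver on a
// release other than the one it was written for hooks some unrelated
// service.  NOTE(review): the commented-out scaffold this file used to
// carry read slot 0x7A for NtOpenProcess, i.e. a different release than the
// 0x42 used here; the index is usually taken from the `mov eax, imm32` at
// the start of the ZwCreateFile stub instead of being hard-coded.
//
// That earlier commented-out scaffold (device \Device\yjxDDK_Device with
// symbolic link \??\yjx888, IRP dispatch stubs, and a hand-written
// DriverEntry reading the SSDT) was dead code and has been dropped.
#include "mini_ddk.h"
#include "SSDTHOOK.h"

// SSDT slot hooked by this driver (see the header comment on versioning).
#define SSDT_INDEX_NTCREATEFILE 0x42

// Name fragment that causes the create to be refused (case-sensitive, as the
// original wcsstr() check was).
static const WCHAR g_wszBlockedName[] = L"1.txt";

// Entry point saved from the SSDT slot before it was overwritten; restored on unload.
ULONG g_uOldNtCreateFileAddr = 0;
// The same address as a callable pointer, so the hook can forward to the real service.
PFNNTCREATEFILE g_pfnNtCreateFile = NULL;

// Installs the hook.  Fails the load (the driver is then unloaded without
// DriverUnload running) when the slot cannot be read or patched; on success
// returns STATUS_SUCCESS rather than the raw 1 the original returned.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
    UNREFERENCED_PARAMETER(str);

    pDriver->DriverUnload = UnloadDriver;
    DbgPrint("Loading MyDriver...\r");

    ULONG uAddr = GetSDDTAddr(SSDT_INDEX_NTCREATEFILE);
    if (uAddr == 0)
    {
        KdPrint(("SSDT slot 0x%02x could not be read\r", SSDT_INDEX_NTCREATEFILE));
        return STATUS_UNSUCCESSFUL;
    }

    // Publish the forward pointer before the slot is swapped so a call that
    // lands in rlNtCreateFile immediately after the hook has something to call.
    g_pfnNtCreateFile = (PFNNTCREATEFILE)uAddr;
    if (!HookSSDTByMdl(SSDT_INDEX_NTCREATEFILE, (ULONG)rlNtCreateFile, &g_uOldNtCreateFileAddr))
    {
        g_pfnNtCreateFile = NULL;
        KdPrint(("HookSSDTByMdl failed; driver not loaded\r"));
        return STATUS_UNSUCCESSFUL;
    }
    KdPrint(("NtCreateFile:0x%08x\r", uAddr));
    return STATUS_SUCCESS;
}

// Restores the SSDT slot and logs.
// NOTE(review): nothing here waits for threads still executing
// rlNtCreateFile; if one is in flight when the image is unmapped the system
// crashes.  A reference count around the hook body (or at least a delay
// before returning) is the usual mitigation and is not implemented.
void UnloadDriver(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);

    if (g_uOldNtCreateFileAddr != 0 &&
        !UnHookSSDTByMdl(SSDT_INDEX_NTCREATEFILE, g_uOldNtCreateFileAddr))
    {
        KdPrint(("UnHookSSDTByMdl failed; SSDT slot left patched\r"));
    }
    DbgPrint("unLoading MyDriver...\r");
}

// TRUE when the first cbLength bytes of pBuf contain g_wszBlockedName.
// Length-bounded on purpose: a UNICODE_STRING buffer is not required to be
// NUL-terminated, so the original wcsstr() could read past it.  Does no
// probing itself; the caller has already validated pBuf/cbLength.
static BOOLEAN NameContainsBlockedFragment(const WCHAR *pBuf, USHORT cbLength)
{
    const ULONG cchNeedle = sizeof(g_wszBlockedName) / sizeof(WCHAR) - 1;
    ULONG cchHay = cbLength / sizeof(WCHAR);

    if (pBuf == NULL || cchHay < cchNeedle)
    {
        return FALSE;
    }
    for (ULONG i = 0; i + cchNeedle <= cchHay; i++)
    {
        ULONG k = 0;
        while (k < cchNeedle && pBuf[i + k] == g_wszBlockedName[k])
        {
            k++;
        }
        if (k == cchNeedle)
        {
            return TRUE;
        }
    }
    return FALSE;
}

// SSDT replacement for NtCreateFile.  Refuses (STATUS_UNSUCCESSFUL, as the
// original did) when the object name contains the blocked fragment, otherwise
// forwards to the saved original service.
//
// The arguments arrive straight from the system-call dispatcher, so for a
// user-mode caller ObjectAttributes, ObjectAttributes->ObjectName and the name
// buffer are untrusted: the original dereferenced them unprobed with no
// exception handler, letting any process bug-check the machine with a bad
// pointer.  Every read below is probed and wrapped in __try; a malformed
// request is simply passed to the real NtCreateFile, which reports the error.
NTSTATUS rlNtCreateFile(
    _Out_    PHANDLE            FileHandle,
    _In_     ACCESS_MASK        DesiredAccess,
    _In_     POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_    PIO_STATUS_BLOCK   IoStatusBlock,
    _In_opt_ PLARGE_INTEGER     AllocationSize,
    _In_     ULONG              FileAttributes,
    _In_     ULONG              ShareAccess,
    _In_     ULONG              CreateDisposition,
    _In_     ULONG              CreateOptions,
    _In_     PVOID              EaBuffer,
    _In_     ULONG              EaLength)
{
    BOOLEAN bBlock = FALSE;

    if (ObjectAttributes != NULL)
    {
        KPROCESSOR_MODE mode = ExGetPreviousMode();
        __try
        {
            if (mode != KernelMode)
            {
                ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), TYPE_ALIGNMENT(OBJECT_ATTRIBUTES));
            }
            PUNICODE_STRING pName = ObjectAttributes->ObjectName;
            if (pName != NULL)
            {
                if (mode != KernelMode)
                {
                    ProbeForRead(pName, sizeof(UNICODE_STRING), TYPE_ALIGNMENT(UNICODE_STRING));
                }
                // Capture length and buffer once: user mode may rewrite the
                // UNICODE_STRING between reads.
                USHORT cbLen = pName->Length;
                const WCHAR *pBuf = pName->Buffer;
                if (mode != KernelMode && cbLen != 0)
                {
                    ProbeForRead((PVOID)pBuf, cbLen, sizeof(WCHAR));
                }
                bBlock = NameContainsBlockedFragment(pBuf, cbLen);
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            // Bad user pointer: do not block; let the real service fail it properly.
            bBlock = FALSE;
        }
    }

    if (bBlock)
    {
        // The original KdPrint here passed two macro arguments and did not
        // compile; log only kernel-owned data, not the user buffer.
        KdPrint(("NtCreateFile blocked: name contains %ws\r", g_wszBlockedName));
        return STATUS_UNSUCCESSFUL;
    }

    return g_pfnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                             AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
                             CreateOptions, EaBuffer, EaLength);
}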

