r0下FSD inline hook防删除
来源:互联网 发布:山西知满天教育怎么样 编辑:程序博客网 时间:2024/06/05 17:44
只拦截了Ntfs.sys上的,FastFat同Ntfs。
感觉更像是一个inline hook的例子 呵呵 :)
感觉更像是一个inline hook的例子 呵呵 :)
引用:
/*
By 炉子[0GiNr]
http://hi.baidu.com/breakinglove_
http://0ginr.com
*/
typedef NTSTATUS (*pfnDrvDispath)(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
#define ProxyJmpCodeLength 7 //sizeof(0xEA,0,0,0,0 0x08,0x00) = 7
/////////////////////////////////////
typedef struct _HookData
{
PVOID pOriginalData;
ULONG JmpDataLength;
} HookData,*pHookData;
/////////////////////////////////////
//code info:
//ObreferenceObjectByHandle 1
#define hkn_NtfsDispatch 1
#define NtfsDispatch 0xfa8f3618 //Ntfs!NtfsFsdSetInformation
/////////////////////////////////////
HookData ProcProtectHkDt[10];
/////////////////////////////////////
VOID DisableWriteProtect(PULONG pOldAttr);
VOID EnableWriteProtect(ULONG uOldAttr);
VOID FuncRestore(PVOID FuncAddr,PVOID pOriginalCode,ULONG RestoreLength);
BOOLEAN FuncModify(PVOID FuncAddr,PVOID FuncNewAddr,PVOID *JmpCodeAddr,ULONG *JmpCodeLength);
/////////////////////////////////////
NTSTATUS
DrvDispath(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS st=STATUS_SUCCESS;
PIO_STACK_LOCATION pIrpStack;
pIrpStack=IoGetCurrentIrpStackLocation(Irp);
dprintf("[LzStDrv] DrvDispath called!");
if (pIrpStack->Parameters.SetFile.FileInformationClass == FileDispositionInformation)
{
dprintf("[LzStDrv] delete file called!");
return STATUS_ACCESS_DENIED;
}
st=((pfnDrvDispath)ProcProtectHkDt[hkn_NtfsDispatch].pOriginalData)(DeviceObject,Irp);
return st;
}
BOOLEAN EnableFileProtect()
{
PVOID pOgn;
ULONG jdl;
FuncModify((PVOID)NtfsDispatch,DrvDispath,&pOgn,&jdl);
ProcProtectHkDt[1].pOriginalData=pOgn;
ProcProtectHkDt[1].JmpDataLength=jdl;
dprintf("[LzStDrv] NtfsDispatch hooked!");
return TRUE;
}
BOOLEAN DisableFileProtect()
{
FuncRestore((PVOID)NtfsDispatch,ProcProtectHkDt[1].pOriginalData,ProcProtectHkDt[1].JmpDataLength-ProxyJmpCodeLength);
ExFreePool(ProcProtectHkDt[1].pOriginalData);
dprintf("[LzStDrv] NtfsDispatch unhooked!");
return TRUE;
}
VOID
FuncRestore(
PVOID FuncAddr,
PVOID pOriginalCode,
ULONG RestoreLength
)
{
ULONG ulAttr;
DisableWriteProtect(&ulAttr);
memcpy(FuncAddr,pOriginalCode,RestoreLength);
EnableWriteProtect(ulAttr);
}
BOOLEAN
FuncModify(
PVOID FuncAddr,
PVOID FuncNewAddr,
PVOID *JmpCodeAddr,
ULONG *JmpCodeLength
)
{
ULONG ulAttr;
ULONG BackupLength=0;
UCHAR *cPtr,*pOpcode;
ULONG Length;
PVOID pJmpCodeBuf;
char jmp_code[ProxyJmpCodeLength]={'/xea','/0','/0','/0','/0','/x08','/0'};
char hk_code[5]={'/xe9','/0','/0','/0','/0'};
dprintf("[LzStDrv] FuncAddr=0x%X, FuncNewAddr=0x%X, JmpCodeAddr=0x%X, JmpCodeLength=0x%X./n",
FuncAddr,FuncNewAddr,JmpCodeAddr,JmpCodeLength);
///////////////////////////////
dprintf("[LzStDrv] start calcing BackupLength/n");
for (cPtr = (UCHAR *)FuncAddr; cPtr < (UCHAR *)FuncAddr + PAGE_SIZE; cPtr += Length)
{
Length = SizeOfCode(cPtr, &pOpcode);
BackupLength+=Length;
if (BackupLength>=5) break;
}
dprintf("[LzStDrv] BackupLength=%d (Dec.)/n",BackupLength);
///////////////////////////////
DisableWriteProtect(&ulAttr);
///////////////////////////////
dprintf("[LzStDrv] ExAllocatePooling pJmpCodeBuf/n");
pJmpCodeBuf=ExAllocatePool(PagedPool,BackupLength+ProxyJmpCodeLength);
if (!pJmpCodeBuf)
{
dprintf("[LzStDrv] ExAllocatePool pJmpCodeBuf faild!/n");
return FALSE;
}
dprintf("[LzStDrv] ExAllocatePool pJmpCodeBuf O.K./n");
///////////////////////////////
*JmpCodeAddr=pJmpCodeBuf;
*JmpCodeLength=BackupLength+ProxyJmpCodeLength;
///////////////////////////////
dprintf("[LzStDrv] Backing up original code/n");
memcpy(pJmpCodeBuf,FuncAddr,BackupLength);
dprintf("[LzStDrv] Back up original code O.K./n");
///////////////////////////////
dprintf("[LzStDrv] Adding up jmp code/n");
*((ULONG*)(jmp_code+1))=(ULONG)FuncAddr+BackupLength;
memcpy((VOID *)((ULONG)pJmpCodeBuf+BackupLength),jmp_code,ProxyJmpCodeLength);
dprintf("[LzStDrv] Add up jmp code O.K./n");
///////////////////////////////
dprintf("[LzStDrv] Hooking API./n");
*((ULONG *)(hk_code+1))=(ULONG)FuncNewAddr-(ULONG)FuncAddr-5;//sizeof(jmp xxxxxxxx)=5
memcpy((VOID *)FuncAddr, hk_code, 5);
dprintf("[LzStDrv] Hook API O.K./n");
///////////////////////////////
EnableWriteProtect(ulAttr);
return TRUE;
}
VOID DisableWriteProtect( PULONG pOldAttr)
{
ULONG uAttr;
_asm
{
push eax;
mov eax, cr0;
mov uAttr, eax;
and eax, 0FFFEFFFFh; // CR0 16 BIT = 0
mov cr0, eax;
pop eax;
cli;
};
*pOldAttr = uAttr;
}
VOID EnableWriteProtect( ULONG uOldAttr )
{
_asm
{
push eax;
mov eax, uOldAttr;
mov cr0, eax;
pop eax;
sti;
};
}
- r0下FSD inline hook防删除
- R0 下 FSD inline Hook 防删除
- R0下Inline Hook模板
- fsd inline hook
- 对付kernel / fsd inline hook/ssdt hook
- FSD's Inline Hook & EAT modify check Completed
- NTFS FSD HOOK
- Windows下Hook API技术 inline hook
- Windows下Hook API技术 inline hook
- Ring3下Inline Hook MessageBox
- Ring3下Inline Hook API
- Ring3下Inline Hook API
- 内核无HOOK文件防删除
- 简单HOOK SSDT实现文件防删除
- 内核无HOOK文件防删除
- NT内核下的inline hook
- x64 windows下的inline hook
- 多CPU下安全inline hook
- 深入浅出secdrv.sys本地提权0day Poc
- 吃相暴露你性格秘密
- WINDOWS 2003 IIS 启动失败的原因
- Shift键的十一个妙用
- linux套接字编程常用函数
- r0下FSD inline hook防删除
- hibernate+oracle实现图片上传
- 预防病毒的八点注意事项
- 在绝境中千万不能绝望--《迷雾》(The Mist)观后感
- XP加速常用
- 使用CASE表达式替换动态SQL
- 标准库:Allocator能做什么?
- 把纯XML文档由字符载入解析器(原)
- 五大措施阻止病毒木马侵害您的电脑
