监控应用层通信_hook_kifastcallentry(系统服务调用)

#include"ntddk.h"
/*
 * Educational sample (x86, 32-bit Windows) of two kernel hooking techniques,
 * used here to log which process issues a given system service call:
 *   1. an SSDT hook: entry 66 of KeServiceDescriptorTable.ServiceTableBase is
 *      replaced with lisaisaide_NtCreateFile in DriverEntry;
 *   2. an inline patch of KiFastCallEntry: a 5-byte "sub esp,ecx / shr ecx,2"
 *      sequence, found by scanning backwards from the hook's return address,
 *      is overwritten with a CALL into lisaisaide_KiFasetCallEntry.
 * Write protection is bypassed by clearing CR0.WP (yebaohuguanbi / yebaohukaiqi).
 *
 * Review notes, defensive reading:
 *  - Every index and offset is hard-coded for one OS build (SSDT index 66,
 *    service number 190, EPROCESS+0x16c, the 5-byte signature). On any other
 *    build the patch lands on the wrong bytes (or, when the signature is not
 *    found, on address 0, because the search result is never checked) and the
 *    system crashes.
 *  - The footprint is exactly what SSDT / kernel integrity checks look for: a
 *    service table entry pointing outside the kernel image, and a CALL where
 *    KiFastCallEntry should contain "sub esp,ecx". Kernel Patch Protection and
 *    driver signature enforcement on 64-bit Windows prevent this approach.
 *
 * Identifier glossary (the author's names are Chinese pinyin):
 *   yebaohuguanbi / yebaohukaiqi = page protection off / on, xiezai1 = unload,
 *   lao_ntopenfile = "old NtOpenFile", dizhi1 / dizhi2 = address 1 / 2,
 *   hanshuzhizhen1 = function pointer 1, lisaisaide_ = "Lisaisai's",
 *   guolvhanshu = filter function, tezhengma = signature bytes,
 *   pianyi1 = offset 1, sosuohookdiandizhi = search hook-point address,
 *   qudongduixiang = driver object, zhucebiao = registry path.
 */
#pragma pack(1) // 1-byte packing so the struct matches the kernel's layout (the default would align to 4 bytes)
// Mirrors a kernel system service descriptor table (SSDT) entry; this file only
// relies on ServiceTableBase.
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;        // the ServiceTable: SSDT array of service routine addresses
    unsigned int *ServiceCounterTableBase; // only meaningful in checked builds; unused here
    unsigned int NumberOfServices;         // number of entries in ServiceTableBase
    unsigned char *ParamTableBase;         // parameter table: how many argument bytes each service takes
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack(1) // NOTE(review): repeats pack(1) instead of restoring the previous packing (a plain #pragma pack() would)
_declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; // import the SSDT (name must match exactly); MSVC accepts the single-underscore spelling
ULONG sosuohookdiandizhi();
void yebaohuguanbi();
void yebaohukaiqi();
unsigned int lao_ntopenfile; // original value of SSDT entry 66 (named "old NtOpenFile", the comments also call it NtCreateFile)
ULONG dizhi1 = 0;            // address of the instruction following the "call" of the service inside KiFastCallEntry (taken from the hook's return address)
ULONG dizhi2 = 0;            // address inside KiFastCallEntry that receives the 5-byte patch; stays 0 until sosuohookdiandizhi() finds the signature
// Signature of the original service routine saved in lao_ntopenfile (NtCreateFile-style argument list).
typedef  NTSTATUS(*hanshuzhizhen1)(__out PHANDLE FileHandle,__in ACCESS_MASK DesiredAccess,__in POBJECT_ATTRIBUTES ObjectAttributes,__out PIO_STATUS_BLOCK IoStatusBlock,__in_opt PLARGE_INTEGER AllocationSize,__in ULONG FileAttributes,__in ULONG ShareAccess,__in ULONG CreateDisposition,__in ULONG CreateOptions,__in_bcount_opt(EaLength) PVOID EaBuffer,__in ULONG EaLength);
// DriverUnload: put back the SSDT entry and the 5 patched bytes in KiFastCallEntry.
// NOTE(review): dizhi2 is still 0 when the inline hook was never installed (service
// never called, or signature not found); RtlCopyMemory then writes 5 bytes to address 0.
VOID xiezai1(PDRIVER_OBJECT qudongduixiang)
{
    yebaohuguanbi(); // page protection off
    KeServiceDescriptorTable.ServiceTableBase[66] = (unsigned int)lao_ntopenfile; // restore the original service routine
    yebaohukaiqi(); // page protection on
    UCHAR tezhengma[5] = { 0x2b, 0xe1, 0xc1, 0xe9, 0x02 }; // original bytes: sub esp,ecx / shr ecx,2
    yebaohuguanbi(); // page protection off
    RtlCopyMemory((PVOID)dizhi2, tezhengma, 5); // restore KiFastCallEntry
    yebaohukaiqi(); // page protection on
    KdPrint(("已经执行到驱动卸载历程\n")); // "driver unload routine reached"
}
// Clears CR0.WP (bit 16) so kernel code may write read-only pages, and disables
// interrupts with cli so the write is not preempted on this CPU.
// NOTE(review): CR0 and cli are per-CPU; other CPUs are unaffected.
void yebaohuguanbi() // page protection off
{
    __asm{ // remove memory write protection
        cli
        mov  eax, cr0
        and  eax, not 10000h
        mov  cr0, eax
    }
}
// Sets CR0.WP again and re-enables interrupts with sti, unconditionally —
// regardless of the interrupt state before yebaohuguanbi() ran.
void yebaohukaiqi() // page protection on
{
    __asm{ // restore memory write protection
        mov  eax, cr0
        or   eax, 10000h
        mov  cr0, eax
        sti
    }
}
// Filter called from the KiFastCallEntry hook stub. From the stub's
// "push eax / push edi / call", the first argument is edi and the second is eax
// as they are at the patched point. Plain C, deliberately not __declspec(naked).
// NOTE(review): the stub removes nothing from the stack after the call, so this
// must be a callee-cleanup function (__stdcall, presumably the x86 WDK default) — confirm.
// NOTE(review): NumberOfServices is compared with a single value (190), so it
// presumably carries the index of the service being dispatched rather than the
// table size — confirm against the disassembly.
void lisaisaide_guolvhanshu(ULONG ServiceTableBase, ULONG NumberOfServices)
{
    //KdPrint(("进入到我的的过滤函数来了 欧耶 可以监控应用层传过来的请求(调用nt函数的信息)\n")); // "entered my filter; can watch the user-mode requests (Nt function calls)"
    if (ServiceTableBase == (ULONG)KeServiceDescriptorTable.ServiceTableBase) // only calls dispatched through the kernel SSDT
    {
        if (NumberOfServices==190)
        {
            // Logs the image name of the calling process (the string says NtOpenKey).
            // NOTE(review): 0x16c is a hard-coded EPROCESS offset, presumably
            // ImageFileName for the author's OS build — confirm; wrong on other builds.
            KdPrint(("看那些进入KiFasetCallEntry调用ntopenkey进程名是%s\n", (char*)PsGetCurrentProcess() + 0x16c));
        }
    }
}
// Hook stub reached through the CALL written over the 5 bytes at dizhi2.
// Saves registers and flags, calls the filter, then executes the two
// instructions the CALL displaced (sub esp,ecx / shr ecx,2) and jumps back to
// the return address the CALL pushed (dizhi2 + 5).
__declspec (naked)VOID lisaisaide_KiFasetCallEntry() // Lisaisai's KiFastCallEntry
{
    __asm{
        pushad
        pushfd
        push eax
        push edi
        call lisaisaide_guolvhanshu // call our filter function
        popfd
        popad
        pop eax             // return address pushed by the patched CALL
        sub esp,ecx         // the 5 bytes replaced by "call lisaisaide_KiFasetCallEntry"
        shr ecx,2
        jmp eax
    }
}
// Writes "call lisaisaide_KiFasetCallEntry" (E8 + rel32) over the 5 bytes at
// dizhi2. rel32 is relative to the end of the 5-byte instruction, hence the -5.
// NOTE(review): dizhi2 is not validated; if sosuohookdiandizhi() returned 0 the
// write goes to address 0.
VOID hook_KiFasetCallEntry() // inline-hook KiFastCallEntry
{
    ULONG  pianyi1 = 0;
    UCHAR tezhengma[5];
    pianyi1 = (ULONG)lisaisaide_KiFasetCallEntry - 5 - dizhi2;
    tezhengma[0] = 0xe8;
    *(ULONG*)&tezhengma[1] = pianyi1;
    //KdPrint(("李赛赛的KiFasetCallEntry地址%x  计算出来的 偏移%x\n", (ULONG)lisaisaide_KiFasetCallEntry, pianyi1)); // "stub address %x, computed offset %x"
    yebaohuguanbi(); // page protection off
    RtlCopyMemory((PVOID)dizhi2, tezhengma, 5); // inline-hook KiFastCallEntry
    yebaohukaiqi(); // page protection on
}
// Replacement for SSDT entry 66. Besides forwarding to the original routine it
// uses its own return address ([ebp+4], just after the "call" inside
// KiFastCallEntry) to locate and install the inline hook.
// NOTE(review): the signature search and the 5-byte write run on EVERY call of
// this service, not once, and the 0 result of a failed search is never checked.
NTSTATUS lisaisaide_NtCreateFile(    // Lisaisai's NtCreateFile
__out PHANDLE FileHandle,__in ACCESS_MASK DesiredAccess,__in POBJECT_ATTRIBUTES ObjectAttributes,__out PIO_STATUS_BLOCK IoStatusBlock,__in_opt PLARGE_INTEGER AllocationSize,__in ULONG FileAttributes,__in ULONG ShareAccess,__in ULONG CreateDisposition,__in ULONG CreateOptions,__in_bcount_opt(EaLength) PVOID EaBuffer,__in ULONG EaLength)
{
    __asm{
        pushad
        mov eax, [ebp + 0x4]  // return address of this frame
        mov dizhi1, eax
        popad
    }
    //KdPrint(("通过内核栈得到地址call ebx下一句的地址%x\n", dizhi1)); // "address after 'call ebx', read from the kernel stack" — the author reports it as correct
    sosuohookdiandizhi(); // locate the hook point in KiFastCallEntry
    // The author's commented-out attempt to restore the SSDT entry from here:
    //yebaohuguanbi();
    //KeServiceDescriptorTable.ServiceTableBase[66] = (unsigned int)lao_ntopenfile;
    //yebaohukaiqi();
    hook_KiFasetCallEntry(); // install the inline hook
    return   ((hanshuzhizhen1)lao_ntopenfile)(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); // forward to the original service routine
}
// Scans backwards from dizhi1 (at most 300 bytes) for the byte sequence
// 2B E1 C1 E9 02 (sub esp,ecx / shr ecx,2) inside KiFastCallEntry. On success
// stores the address in dizhi2 and returns it; returns 0 when not found.
// NOTE(review): a bare byte match can hit unrelated code; callers ignore the 0 result.
ULONG sosuohookdiandizhi() // search for the KiFastCallEntry hook point
{
    UCHAR *p = (UCHAR *)dizhi1;
    for (ULONG i = 0; i < 300;i++)
    {
        if (*p==0x2b&&*(p+1)==0xe1&&*(p+2)==0xc1&&*(p+3)==0xe9&&*(p+4)==0x02)
        {
            //KdPrint(("找到地址kifastcallentry的hook点地址  %x\n",(ULONG)p)); // "found KiFastCallEntry hook point at %x"
            dizhi2 = (ULONG)p;
            return (ULONG)p;
        }
        p--;
    }
    //KdPrint(("没有找到hook点的地址%x 是错误的", (ULONG)p)); // "hook point not found; %x is wrong"
    return 0;
}
// Driver entry: saves SSDT entry 66 and replaces it with lisaisaide_NtCreateFile
// (the SSDT hook); the KiFastCallEntry patch is installed later, on the first
// call of that service. Registers xiezai1 as the unload routine.
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang,PUNICODE_STRING zhucebiao)
{
    lao_ntopenfile = KeServiceDescriptorTable.ServiceTableBase[66]; // save the original service routine address
    yebaohuguanbi(); // page protection off
    KeServiceDescriptorTable.ServiceTableBase[66] = (unsigned int)lisaisaide_NtCreateFile; // SSDT hook of entry 66
    yebaohukaiqi(); // page protection on
    qudongduixiang->DriverUnload = xiezai1;
    return STATUS_SUCCESS;
}
