设为首页收藏本站
开启辅助访问 切换到宽版

看流星社区

 找回密码
 注册账号
看流星社区»看流星社区 » 【编程技术】 驱动开发技术 过GPK驱动代码,看懂的带走,看不懂的留下。
返回列表 发新帖
查看: 4033|回复: 2

过GPK驱动代码,看懂的带走,看不懂的留下。

[复制链接]
八月的樱花

该用户从未签到
发表于 2012-10-18 20:29:55 | 显示全部楼层 |阅读模式
  1. #include "Shadow_hook.h"

  3. #pragma INITCODE
  4. extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object,PUNICODE_STRING u_string)
  5. {
  6.   _GetVersion(driver_object);
  7.   Hook_NtCreateMutant();
  8.   NTSTATUS status=STATUS_SUCCESS;
  9.   driver_object->MajorFunction[IRP_MJ_CREATE]=DispatchIrp;
  10.   driver_object->MajorFunction[IRP_MJ_READ]=DispatchIrp;
  11.   driver_object->MajorFunction[IRP_MJ_WRITE]=DispatchIrp;
  12.   driver_object->MajorFunction[IRP_MJ_CLOSE]=DispatchIrp;
  13.   driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DispatchIrp;
  14.   driver_object->DriverUnload=DrvierUnLoad;

  16.   PDEVICEEXTENSION pdevex;
  17.   UNICODE_STRING device_string;
  18.   RtlInitUnicodeString(&device_string,_device_name);
  19.   PDEVICE_OBJECT device_object;
  20.   status=IoCreateDevice(driver_object,sizeof(pdevex),&device_string,FILE_DEVICE_UNKNOWN,0,FALSE,&device_object);
  21.   if(!NT_SUCCESS(status))
  22.   {
  23.     KdPrint(("创建设备失败!\n"));
  24.     return status;
  25.   }
  26.   KdPrint(("创建设备成功!\n"));
  27.   device_object->Flags |= DO_BUFFERED_IO;
  28.   pdevex=(PDEVICEEXTENSION)device_object->DeviceExtension;
  29.   pdevex->device_name=device_string;
  30.   pdevex->device_object=device_object;
  31.   
  32.   UNICODE_STRING symbol_name;
  33.   RtlInitUnicodeString(&symbol_name,_symbolic_name);
  34.   pdevex->device_symbolic=symbol_name;
  35.   status=IoCreateSymbolicLink(&symbol_name,&device_string);
  36.   if(!NT_SUCCESS(status))
  37.   {
  38.     KdPrint(("创建符号链接失败!\n"));
  39.     IoDeleteDevice(device_object);
  40.     return status;
  41.   }
  42.   KdPrint(("创建符号链接成功!\n"));
  43.   return STATUS_SUCCESS;
  44. }

  46. #pragma PAGEDCODE
  47. VOID DrvierUnLoad(PDRIVER_OBJECT driver)
  48. {

  50.   PDEVICE_OBJECT deviceobject;
  51.   UNICODE_STRING symbolname;
  52.   RtlInitUnicodeString(&symbolname,_symbolic_name);
  53.   IoDeleteSymbolicLink(&symbolname);
  54.   IoDeleteDevice(driver->DeviceObject);
  55. //  deviceobject=driver->DeviceObject;
  56. //  while(deviceobject!=NULL)
  57. //  {
  58. //    PDEVICEEXTENSION deviceex=(PDEVICEEXTENSION)deviceobject->DeviceExtension;
  59. //    UNICODE_STRING symbolname=deviceex->device_symbolic;
  60. //    IoDeleteSymbolicLink(&symbolname);
  61. //    deviceobject=deviceobject->NextDevice;
  62. //    IoDeleteDevice(deviceex->device_object);
  63. //  }
  64.   KdPrint(("删除设备成功!\n"));
  65.   UnHook_NtCreateMutant();
  66. }

  68. #pragma PAGEDCODE
  69. NTSTATUS DispatchIrp(PDEVICE_OBJECT device_object,PIRP irp)
  70. {
  71.   NTSTATUS status;
  72.   ULONG uin;
  73.   ULONG uout;
  74.   ULONG ucontrol;
  75.   PIO_STACK_LOCATION stirp=IoGetCurrentIrpStackLocation(irp);
  76.   ULONG irpindex=stirp->MajorFunction;
  77.   switch(irpindex)
  78.   {
  79.   case IRP_MJ_DEVICE_CONTROL:
  80.     status=STATUS_SUCCESS;
  81.     uin=stirp->Parameters.DeviceIoControl.InputBufferLength;
  82.     uout=stirp->Parameters.DeviceIoControl.OutputBufferLength;
  83.     ucontrol=stirp->Parameters.DeviceIoControl.IoControlCode;
  84.     switch(ucontrol)
  85.     {
  86.     case Un_hook:
  87.       Hook_NtUserSendInput();
  88.       KdPrint(("与应用程序通讯成功,所以地址已打印到调试器中……\n"));
  89.       break;
  90.     case function_unhook:
  91.       Get_NtCreateThread();
  92.       Get_NtProtectVirtualMemory();
  93.       Get_NtQueueAcpThread();
  94.       Get_NtTerminateProcess();
  95.       Get_NtWirteVirtualMemory();
  96.       Get_ObCheckObjectAccess();
  97.       break;
  98.     }
  99.     break;
  100.   case IRP_MJ_CREATE:
  101.     break;
  102.   case IRP_MJ_READ:
  103.     break;
  104.   case IRP_MJ_WRITE:
  105.     break;
  106.   case IRP_MJ_CLOSE:

  108.     break;
  109.   }
  110.   irp->IoStatus.Status=STATUS_SUCCESS;
  111.   irp->IoStatus.Information=0;
  112.   IoCompleteRequest(irp,IO_NO_INCREMENT);
  113.   return STATUS_SUCCESS;
  114. }
  115. //----------------------------------------------------------------------------------
  116. #pragma once
  117. #include "Shadow_.h"

  119. #define Version_2008   60
  120. DWORD KeServiceDescriptorTableShadow=0;

  122. //-----------------------------------
  123. int inxp_NtUserSendInput=0;
  124. int inxp_NtUserQuerySendMessage=0;
  125. int in_NtCreateThreadEx=0;
  126. int in_NtCreateThread=0;
  127. int in_NtProtectVirtualMemory=0;
  128. int in_NtQueueApcThread=0;
  129. int in_TerminateProcess=0;
  130. int in_NtWriteVirtualMemory=0;
  131. int in_NtCreateMutant=0;
  132. //--------------------------------
  133. ULONG push_NtCreateThread;
  134. ULONG push_NtProtectVirtualMemory;
  135. ULONG push_NtWriteVirtualMemory;
  136. ULONG addr_ObCheckObjectAccess;    //ObCheckObjectAccess的地址
  137. ULONG addr_NtCreateMutant;
  138. //--------------------------

  140. typedef struct _ServiceDescriptorTable
  141. {
  142.   PVOID ServiceTableBase; //System Service Dispatch Table 的基地址  
  143.   PVOID ServiceCounterTable;
  144.   //包含着 SSDT 中每个服务被调用次数的计数器。这个计数器一般由sysenter 更新。
  145.   unsigned int NumberOfServices;//由 ServiceTableBase 描述的服务的数目。  
  146.   PVOID ParamTableBase; //包含每个系统服务参数字节数表的基地址-系统服务参数表
  147. }*PServiceDescriptorTable;  
  148. extern "C" extern PServiceDescriptorTable KeServiceDescriptorTable;

  150. #pragma pack(1)
  151. typedef struct _bycode
  152. {
  153.   BYTE data[3];
  154.   ULONG addr;
  155. }bycode,*pbycode;
  156. typedef struct _push_code
  157. {
  158.   BYTE push;
  159.   ULONG addr;
  160.   BYTE retn;
  161. }push_code,*ppush_code;
  162. typedef struct _bytecode
  163. {
  164.   BYTE push;
  165.   ULONG addr;
  166.   BYTE push1;
  167.   ULONG addr1;
  168. }bytecode,*pbytecode;
  169. typedef struct _bytecode1
  170. {
  171.   BYTE push;
  172.   BYTE pushaddr;
  173.   BYTE push1;
  174.   ULONG pushaddr1;
  175. }bytecode1,*pbytecode1;
  176. typedef struct _bytecode2
  177. {
  178.   BYTE mov[2];
  179.   BYTE push;
  180.   BYTE mov1[2];
  181.   BYTE push1;
  182. }bytecode2,*pbytecode2;
  183. #pragma pack()

  185. KIRQL kirql;
  186. #pragma PAGEDCODE
  187. VOID PAGED_Open()
  188. {
  189.   __asm
  190.   {
  191.     push eax
  192.     mov eax,cr0
  193.     and eax,not 10000h
  194.     mov cr0,eax
  195.     pop eax
  196.   }
  197.   kirql=KeRaiseIrqlToDpcLevel();
  198. }

  200. #pragma PAGEDCODE
  201. VOID PAGED_Exit()
  202. {
  203.   KeLowerIrql(kirql);
  204.   __asm
  205.   {
  206.     push eax
  207.     mov eax,cr0
  208.     or eax,10000h
  209.     mov cr0,eax
  210.     pop eax
  211.   }

  213. }

  215. #pragma PAGEDCODE
  216. VOID __stdcall _GetVersion(PDRIVER_OBJECT driver)
  217. {
  218.   ULONG MajorVerion,MinVersion,BulidViersion;
  219.   PsGetVersion(&MajorVerion,&MinVersion,&BulidViersion,NULL);
  220.   ULONG uas=MajorVerion*10+MinVersion;
  221.   switch(uas)
  222.   {
  223.   case Version_2008:
  224.     KdPrint(("当前操作系统是:Server 2008\n"));
  225.     KeServiceDescriptorTableShadow=(DWORD)KeServiceDescriptorTable+0x40;
  226.     inxp_NtUserSendInput=0x20D;
  227.     inxp_NtUserQuerySendMessage=0x1F7;
  228.     in_NtCreateThreadEx=0x17E;
  229.     in_NtCreateThread=0x4E;
  230.     in_NtProtectVirtualMemory=0xD2;
  231.     in_NtQueueApcThread=0xFF;
  232.     in_TerminateProcess=0x14E;
  233.     in_NtWriteVirtualMemory=0x166;
  234.     in_NtCreateMutant=0x43;
  235.     break;
  236.   default:
  237.     driver->DriverUnload=DrvierUnLoad;
  238.     break;
  239.   }
  240. }

  242. #pragma PAGEDCODE
  243. ULONG Get_KeServiceDescriptorTableShadow_addr(int index)
  244. {
  245.   KdPrint(("获取Shadow SSDT地址信息.\n"));
  246.   DWORD Shadow_addr=KeServiceDescriptorTableShadow;
  247.   Shadow_addr+=0x10;
  248.   DWORD Shadow_sl=Shadow_addr+8;  //shadow函数的数量

  250.   DWORD get_sl=*((PDWORD)Shadow_sl);
  251.   KdPrint(("Shadow表的地址为: addr=%x 数量=%x\n",Shadow_addr,get_sl));
  252.   PDWORD Fun_addr=PDWORD(Shadow_addr);
  253.   Fun_addr=PDWORD(*Fun_addr);
  254.   //for(DWORD i=0;i<get_sl;i++)
  255.   //{
  256.   //  KdPrint(("当前函数ID=%d,函数地址=%x\n",i,*Fun_addr));
  257.   //  Fun_addr++;
  258.   //}
  259.   Fun_addr+=index;
  260.   KdPrint(("当前ID=%d,函数地址=%x\n",index,*Fun_addr));
  261.   return *Fun_addr;
  262. }

  264. #pragma PAGEDCODE
  265. ULONG GetSsdt_addr(int index)
  266. {
  267.   ULONG* addr_funtion,getfuntion,funtion;
  268.   getfuntion=(ULONG)KeServiceDescriptorTable->ServiceTableBase;
  269.   KdPrint(("当前KeServiceDescriptorTable表的地址为:%x\n",getfuntion));
  270.   addr_funtion=(PULONG)(getfuntion+index*4);
  271.   funtion=*addr_funtion;
  272.   KdPrint(("当前函数序号index=%d  函数地址:%x\n",index,funtion));
  273.   return funtion;
  274. }

  276. #pragma PAGEDCODE
  277. ULONG* GetSSdt_this(int index)
  278. {
  279.   ULONG* addr_funtion,x_funtion;
  280.   x_funtion=(ULONG)KeServiceDescriptorTable->ServiceTableBase;
  281.   addr_funtion=(ULONG*)(x_funtion+index*4);
  282.   return addr_funtion;
  283. }

  285. pbycode _pbycode;
  286. #pragma PAGEDCODE
  287. void Hook_NtUserSendInput()
  288. {
  289.   ULONG addr_NtUserQuerSendMessage=Get_KeServiceDescriptorTableShadow_addr(inxp_NtUserQuerySendMessage);
  290.   __asm
  291.   {
  292.     push eax
  293.     mov eax,addr_NtUserQuerSendMessage
  294.     add eax,3
  295.     mov eax,[eax]
  296.     sub eax,0xbf8   ;__safe_se_handler_table的首地址
  297.     add eax,0xc18
  298.     mov addr_NtUserQuerSendMessage,eax
  299.     pop eax
  300.   }
  301.   KdPrint(("NtUserSendInput的第二个push地址为:%x\n",addr_NtUserQuerSendMessage));
  302.   ULONG addr_NtUserSendInput=Get_KeServiceDescriptorTableShadow_addr(inxp_NtUserSendInput);
  303.   _pbycode=(pbycode)addr_NtUserSendInput;
  304.   PAGED_Open();
  305.   _pbycode->data[0]=0x6A;
  306.   _pbycode->data[1]=0x18;
  307.   _pbycode->data[2]=0x68;
  308.   _pbycode->addr=addr_NtUserQuerSendMessage;
  309.   PAGED_Exit();
  310. }

  312. bytecode bytecode_NtCreateThread;
  313. pbytecode pbytecode_NtCreateThread;
  314. #pragma PAGEDCODE
  315. VOID Get_NtCreateThread()
  316. {
  317.   ULONG u_NtCreateThreadEx=GetSsdt_addr(in_NtCreateThreadEx);
  318.   __asm
  319.   {
  320.     push eax
  321.     mov eax,u_NtCreateThreadEx
  322.     add eax,5
  323.     mov eax,[eax+1]
  324.     mov push_NtCreateThread,eax
  325.     pop eax
  326.   }
  327.   push_NtCreateThread=push_NtCreateThread-0x5010+0x2A98;
  328.   KdPrint(("NtCreateThread的第二个push地址为:%x\n",push_NtCreateThread));
  329.   ULONG u_NtCreateThread=GetSsdt_addr(in_NtCreateThread);
  330.   pbytecode_NtCreateThread=(pbytecode)u_NtCreateThread;
  331.   bytecode_NtCreateThread.push=pbytecode_NtCreateThread->push;
  332.   bytecode_NtCreateThread.addr=pbytecode_NtCreateThread->addr;
  333.   bytecode_NtCreateThread.push1=pbytecode_NtCreateThread->push1;
  334.   bytecode_NtCreateThread.addr1=pbytecode_NtCreateThread->addr1;
  335.   PAGED_Open();
  336.   pbytecode_NtCreateThread->push=0x68;
  337.   pbytecode_NtCreateThread->addr=0x308;
  338.   pbytecode_NtCreateThread->push1=0x68;
  339.   pbytecode_NtCreateThread->addr1=push_NtCreateThread;
  340.   PAGED_Exit();
  341. }

  343. bytecode1 bytecode_NtProtectVirtualMemory;
  344. pbytecode1 pbytecode_NtProtectVirtualMemory;
  345. #pragma PAGEDCODE
  346. VOID Get_NtProtectVirtualMemory()
  347. {
  348.   push_NtProtectVirtualMemory=push_NtCreateThread-0x2a98+0x6758;
  349.   ULONG u_NtProtectVirtualMemory=GetSsdt_addr(in_NtProtectVirtualMemory);
  350.   pbytecode_NtProtectVirtualMemory=(pbytecode1)u_NtProtectVirtualMemory;
  351.   bytecode_NtProtectVirtualMemory.push=pbytecode_NtProtectVirtualMemory->push;
  352.   bytecode_NtProtectVirtualMemory.pushaddr=pbytecode_NtProtectVirtualMemory->pushaddr;
  353.   bytecode_NtProtectVirtualMemory.push1=pbytecode_NtProtectVirtualMemory->push1;
  354.   bytecode_NtProtectVirtualMemory.pushaddr1=pbytecode_NtProtectVirtualMemory->pushaddr1;
  355.   PAGED_Open();
  356.   pbytecode_NtProtectVirtualMemory->push=0x6a;
  357.   pbytecode_NtProtectVirtualMemory->pushaddr=0x38;
  358.   pbytecode_NtProtectVirtualMemory->push1=0x68;
  359.   pbytecode_NtProtectVirtualMemory->pushaddr1=push_NtProtectVirtualMemory;
  360.   PAGED_Exit();
  361. }

  363. bytecode2 bytecode_NtQueueApcThread;
  364. pbytecode2 pbytecode_NtQueueApcThread;
  365. #pragma PAGEDCODE
  366. VOID Get_NtQueueAcpThread()
  367. {
  368.   ULONG u_NtQueueApcThread=GetSsdt_addr(in_NtQueueApcThread);
  369.   pbytecode_NtQueueApcThread=(pbytecode2)u_NtQueueApcThread;
  370.   bytecode_NtQueueApcThread.mov[0]=pbytecode_NtQueueApcThread->mov[0];
  371.   bytecode_NtQueueApcThread.mov[1]=pbytecode_NtQueueApcThread->mov[1];
  372.   bytecode_NtQueueApcThread.push=pbytecode_NtQueueApcThread->push;
  373.   bytecode_NtQueueApcThread.mov1[0]=pbytecode_NtQueueApcThread->mov1[0];
  374.   bytecode_NtQueueApcThread.mov1[1]=pbytecode_NtQueueApcThread->mov1[1];
  375.   bytecode_NtQueueApcThread.push1=pbytecode_NtQueueApcThread->push1;
  376.   PAGED_Open();
  377.   pbytecode_NtQueueApcThread->mov[0]=0x8B;
  378.   pbytecode_NtQueueApcThread->mov[1]=0xff;
  379.   pbytecode_NtQueueApcThread->push=0x55;
  380.   pbytecode_NtQueueApcThread->mov1[0]=0x8B;
  381.   pbytecode_NtQueueApcThread->mov1[1]=0xEC;
  382.   pbytecode_NtQueueApcThread->push1=0x51;
  383.   PAGED_Exit();
  384. }

  386. bytecode2 bytecode_NtTerminateProcess;
  387. pbytecode2 pbytecode_NtTerminteProcess;
  388. #pragma PAGEDCODE
  389. VOID Get_NtTerminateProcess()
  390. {
  391.   ULONG u_NtTerminateProcess=GetSsdt_addr(in_TerminateProcess);
  392.   pbytecode_NtTerminteProcess=(pbytecode2)u_NtTerminateProcess;
  393.   bytecode_NtTerminateProcess.mov[0]=pbytecode_NtTerminteProcess->mov[0];
  394.   bytecode_NtTerminateProcess.mov[1]=pbytecode_NtTerminteProcess->mov[1];
  395.   bytecode_NtTerminateProcess.push=pbytecode_NtTerminteProcess->push;
  396.   bytecode_NtTerminateProcess.mov1[0]=pbytecode_NtTerminteProcess->mov1[0];
  397.   bytecode_NtTerminateProcess.mov1[1]=pbytecode_NtTerminteProcess->mov1[1];
  398.   bytecode_NtTerminateProcess.push1=pbytecode_NtTerminteProcess->push1;
  399.   PAGED_Open();
  400.   pbytecode_NtTerminteProcess->mov[0]=0x8B;
  401.   pbytecode_NtTerminteProcess->mov[1]=0xff;
  402.   pbytecode_NtTerminteProcess->push=0x55;
  403.   pbytecode_NtTerminteProcess->mov1[0]=0x8B;
  404.   pbytecode_NtTerminteProcess->mov1[1]=0xEC;
  405.   pbytecode_NtTerminteProcess->push1=0x83;
  406.   PAGED_Exit();
  407. }

  409. bytecode1 bytecode_NtWriteVirtualMemory;
  410. pbytecode1 pbytecode_NtWriteVirtualMemory;
  411. #pragma PAGEDCODE
  412. VOID Get_NtWirteVirtualMemory()
  413. {
  414.   push_NtWriteVirtualMemory=push_NtProtectVirtualMemory-0x6758+0x5668;
  415.   ULONG u_NtWriteVirtualMemory=GetSsdt_addr(in_NtWriteVirtualMemory);
  416.   pbytecode_NtWriteVirtualMemory=(pbytecode1)u_NtWriteVirtualMemory;
  417.   bytecode_NtWriteVirtualMemory.push=pbytecode_NtWriteVirtualMemory->push;
  418.   bytecode_NtWriteVirtualMemory.pushaddr=pbytecode_NtWriteVirtualMemory->pushaddr;
  419.   bytecode_NtWriteVirtualMemory.push1=pbytecode_NtWriteVirtualMemory->push1;
  420.   bytecode_NtWriteVirtualMemory.pushaddr1=pbytecode_NtWriteVirtualMemory->pushaddr1;
  421.   PAGED_Open();
  422.   pbytecode_NtWriteVirtualMemory->push=0x6A;
  423.   pbytecode_NtWriteVirtualMemory->pushaddr=0x18;
  424.   pbytecode_NtWriteVirtualMemory->push1=0x68;
  425.   bytecode_NtWriteVirtualMemory.pushaddr1=push_NtWriteVirtualMemory;
  426.   PAGED_Exit();
  427. }

  429. bytecode2 bytecode_ObCheckObjectAccess;
  430. pbytecode2 pbytecode_ObCheckObjectAccess;
  431. #pragma PAGEDCODE
  432. VOID Get_ObCheckObjectAccess()
  433. {
  434.   ULONG u_NtWiteVirtualMemory=GetSsdt_addr(in_NtWriteVirtualMemory);
  435.   BYTE* _bp=(BYTE*)u_NtWiteVirtualMemory;
  436.   while(1)
  437.   {
  438.     if((*(_bp-11)==0xFF)&&(*(_bp-5)==0x6A)&&(*(_bp-3)==0xFF)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x89)&&(*(_bp+8)==0x85))
  439.     {
  440.       break;
  441.     }
  442.     _bp++;
  443.   }
  444.   ULONG u_temp=(ULONG)_bp;
  445.   ULONG call_addr;
  446.   __asm
  447.   {
  448.     push eax
  449.     push ebx
  450.     mov eax,u_temp
  451.     mov ebx,[eax+1]
  452.     add eax,ebx
  453.     add eax,5
  454.     mov call_addr,eax
  455.     pop ebx
  456.     pop eax
  457.   }
  458.   _bp=(BYTE*)call_addr;
  459.   while(1)
  460.   {
  461.     if((*(_bp-9)==0x89)&&(*(_bp-6)==0x89)&&(*(_bp-3)==0x89)&&(*(_bp)==0xE8)&&(*(_bp+5)==0x3B)&&(*(_bp+7)==0x7D))
  462.     {
  463.       break;
  464.     }
  465.     _bp++;
  466.   }
  467.   ULONG u_ObCheckObjectAccess=(ULONG)_bp-0x27;
  468.   pbytecode_ObCheckObjectAccess=(pbytecode2)u_ObCheckObjectAccess;
  469.   bytecode_ObCheckObjectAccess.mov[0]=pbytecode_ObCheckObjectAccess->mov[0];
  470.   bytecode_ObCheckObjectAccess.mov[1]=pbytecode_ObCheckObjectAccess->mov[1];
  471.   bytecode_ObCheckObjectAccess.push=pbytecode_ObCheckObjectAccess->push;
  472.   bytecode_ObCheckObjectAccess.mov1[0]=pbytecode_ObCheckObjectAccess->mov1[0];
  473.   bytecode_ObCheckObjectAccess.mov1[1]=pbytecode_ObCheckObjectAccess->mov1[1];
  474.   bytecode_ObCheckObjectAccess.push1=pbytecode_ObCheckObjectAccess->push1;
  475.   PAGED_Open();
  476.   pbytecode_ObCheckObjectAccess->mov[0]=0x8B;
  477.   pbytecode_ObCheckObjectAccess->mov[1]=0xFF;
  478.   pbytecode_ObCheckObjectAccess->push=0x55;
  479.   pbytecode_ObCheckObjectAccess->mov1[0]=0x8B;
  480.   pbytecode_ObCheckObjectAccess->mov1[1]=0xEC;
  481.   pbytecode_ObCheckObjectAccess->push1=0x83;
  482.   PAGED_Exit();
  483. }

  485. extern "C"
  486. typedef
  487. NTSYSAPI
  488. NTSTATUS
  489. (__stdcall* nt_NtCreateMutant)(
  490.          OUT PHANDLE MutantHandle,
  491.          IN ACCESS_MASK DesiredAccess,
  492.          IN POBJECT_ATTRIBUTES ObjectAttributes,
  493.          IN BOOLEAN InitialOwner
  494.    );
  495. nt_NtCreateMutant* ntNtCreateMutant;

  497. #pragma PAGEDCODE
  498. extern "C"
  499. NTSTATUS
  500. __stdcall My_NtCreateMutant(
  501.                  OUT PHANDLE MutantHandle,
  502.                  IN ACCESS_MASK DesiredAccess,
  503.                  IN POBJECT_ATTRIBUTES ObjectAttributes,
  504.                  IN BOOLEAN InitialOwner)
  505. {
  506.   if(ObjectAttributes!=NULL && ObjectAttributes->ObjectName!=NULL && ObjectAttributes->ObjectName->Buffer!=NULL)
  507.   {
  508.     KdPrint(("互斥体名为:%wZ\r\n",ObjectAttributes->ObjectName));
  509.     UNICODE_STRING Mutant_name_Create;
  510.     RtlInitUnicodeString(&Mutant_name_Create,L"Global\\MutexDragonNest");
  511.     if(ObjectAttributes && RtlEqualUnicodeString(&Mutant_name_Create,ObjectAttributes->ObjectName,FALSE))
  512.     {
  513.       return STATUS_SUCCESS;
  514.     }
  515.   }
  516.   return ((NTSTATUS(NTAPI*)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,BOOLEAN))ntNtCreateMutant)(MutantHandle,DesiredAccess,ObjectAttributes,InitialOwner);
  517. }

  519. #pragma PAGEDCODE
  520. VOID Hook_NtCreateMutant()
  521. {
  522.   ULONG* un_NtOpenMutant;
  523.   un_NtOpenMutant=GetSSdt_this(in_NtCreateMutant);
  524.   addr_NtCreateMutant=GetSsdt_addr(in_NtCreateMutant);
  525.   KdPrint(("当前系统NtOpenMutant的地址为:%x\n",addr_NtCreateMutant));
  526.   ntNtCreateMutant=(nt_NtCreateMutant*)addr_NtCreateMutant;
  527.   PAGED_Open();
  528.   *un_NtOpenMutant=(ULONG)My_NtCreateMutant;
  529.   PAGED_Exit();
  530. }

  532. #pragma PAGEDCODE
  533. void UnHook_NtCreateMutant()
  534. {
  535.   ULONG ntcreatemutant;
  536.   ntcreatemutant=(ULONG)KeServiceDescriptorTable->ServiceTableBase+in_NtCreateMutant*4;
  537.   PAGED_Open();
  538.   *((ULONG*)ntcreatemutant)=(ULONG)addr_NtCreateMutant;
  539.   PAGED_Exit();
  540. }
复制代码
回复

举报

网瘾犯了

该用户从未签到
发表于 2012-10-19 22:04:07 | 显示全部楼层
3Q 谢谢分享
回复 支持 反对

举报

cooby

该用户从未签到
发表于 2013-9-23 12:18:36 | 显示全部楼层
够邪恶..不过我喜欢.嘿嘿
回复 支持 反对

举报

返回列表 发新帖
点击按钮快速添加回复内容: 支持 高兴 激动 给力 加油 苦寻 生气 回帖 路过 感恩
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册账号

本版积分规则

小黑屋|手机版|Archiver|看流星社区 |网站地图

GMT+8, 2024-4-19 20:40

Powered by Kanliuxing X3.4

© 2010-2019 kanliuxing.com

快速回复 返回顶部 返回列表