Transfer from Jiakang
???? Implementing the kernel level hook For interception, analysis, tracking system cores, the need to deal with the important role. The method of implementing is different means that the application side focus is different. If you want to intercept Native API, it is possible to use the Hook Service Table method. If you want to analyze some system calls, you might think of using the Hook Int 2E interrupt. If you want to intercept or track the call of other kernel Driver, you should use the Hook PE method to implement. Here we pay more attention to achieving, many masters have been published in the Internet. Everyone can combine it. The following is aware of several instance programs I have explained the implementation of various methods. In the wrong point, I also hope that you are correct.
1, Hook Service Table method:
This method is more useful for intercepting the Native API. The principle is through the replacement system guide
The address of the corresponding Native API in a Service Table is to achieve the purpose of interception.
Because this method is simple, there are many information on the Internet. So this will not give an example program. The structure of Service Table is as follows:
Typedef struct service {
???? Unsigned int * service;
??????? Unsigned Int * ServiceCounTertableBase;
???????? Unsigned int numberofServices;
???? Unsigned char * paramtablebase;
} ServicesDescriptAblentry_t, * pserviceDescriptableentRY_T;
??
2, Hook Int 2e method:
?? This method is more useful for tracking and analyzing system calls. The principle is to replace IDT
The int 2e interrupt in the table is implemented to our own interrupt service processing routine. grasp
This method requires that you have a certain basis for the protection mode. The following program demonstrates this process.
/ ************************************************** *****************
File name ????????: wsshookint2e.c
Description ??????????: system call tracking
Author ???????????: sinister
Last modified date ??: 2002-11-02
*********************************************************** *************** /
#include "ntddk.h"
#include "string.h"
#define dword unsigned __INT32
#define word unsigned __INT16
#define byte unsigned __INT8
#define bool __int32
#DEFINE LOWORD (L) ?????????? ((Word) (L))
#DEFINE HIWORD (L) ?????????? ((Word) ((DWORD) >> 16) & 0xFFF))
#define lobyte (w) ?????????? ((Byte) (w))
#define hibyte (w) ?????????? ((Byte) ((Word) >> 8) & 0xFF))
#define Makelong (A, B) ((Word) ((Word)) | ((DWORD) ((Word))) << 16))
#define systemcall 0x2e
#define sysname "system"
#define processnamelen 16
#pragma pack (1)
// Define IDTR
TYPEDEF STRUCT TAGIDTR {???????? Word IDTLIMIT
???????? Word lowidtbase;
???????? Word HiIDTBase;
} IDTR, * PIDTR;
// Define IDT
Typedef struct tagidtenTry {
????????
???? words selector
???? Byte unused_lo;
???? Unsigned char unused_hi: 5;
???? Unsigned char dpl: 2;
???? Unsigned char p: 1;
???? Word offsethigh;
} IDTENTRY, * PIDTENTRY
#pragma pack ()
DWORD ???? oldint2erevice;
Ulong ???? processnameoffset;
TCHAR ?? processname [processnamelen];
Static NTSTATUS ?? MyDrvdispatch (in PDevice_Object DeviceObject, in PIRP IRP);
Void Driverunload (in PDRIVER_Object PDRIVEROBJECT);
Ulong getProcessNameOffset ();
Void getProcessName (Pchar Name);
Void InstallNewint2e ();
Void uninstallnewint2e ();
Void __fastcall nativeApical ()
{
???? kirql oldirql;
????
???? DWord serviceID;
???? dword processid;
???? __ ASM MOV ServiceID, EAX;
???? processid = (dword) psgetcurrentprocessid ();
???? getProcessName (ProcessName);
???? keraiseirql (high_level, & oldirql); / / to enhance the current IRQL level to prevent interruption
???? Switch (ServiceID)
???? {
???????????? case 0x20:
???????????????? DBGPRINT ("newint2e: processname:% s; processid:% D; Native API: ntcreatefile () / n", processname, processid;
???????????????? breaf
???????????? case 0x2b:
???????????????? DBGPRINT ("newint2e: processname:% s; processid:% D; Native API: ntcreateesection () / n", processname, processid; ???? ????????????
???????????????? breaf
???????????? case 0x30:
????????????????????????? DBGPRINT ("newint2e: processname:% s; processid:% D; Native API: NTCReateToken () / n", processname, processid; ???? ????????????
???????????????? breaf
????????????????
????}
???? KelowerIrql (Oldirql); // Restore the original IRQL
}
__Declspec (naked) newint2ervice ()
{
???? __ASM {
???????? pushad
???????? pushfd ???????? push fs
???????? MOV BX, 0x30
???????? MOV FS, BX
???????? push ds
???????? push es
???????? STI
???????? call nativeApical; // call record functions
????????? CLI
???????? POP ES
???????? POP DS
???????? POP FS
???????? POPFD
???????? popad
???????? jmp ???? oldint2eervice; ?? // jump to the original INT 2E to continue working
????}
}
Void InstallNewint2e ()
{
???? idtr ???????? IDTR;
???? pidtenTry ???? oidt;
???? pidtenTry ???? NIDT;
???? // Get the length of the segment and base address in idtr
???? __ASM {
???????? sIDT IDTR;
????}
???? // Get the IDT base address
???? oidt = (pidTentry) makelong (idtr.lowidtbase, idtr.hiidtbase);
???? // Save the original INT 2E service routine
????? Oldint2eervice = makelong (OIDT [SystemCall] .Offsetlow, Oidt [SystemCall] .offSethiGH);
????
???? Nidt = & (OIDT [SystemCall]);
???? __ASM {
????????? CLI
???????? lea eax, newint2service; ?? // Get a new INT 2E service routine offset
???????? MOV EBX, NIDT;
???????? MOV [EBX], AX; ?? // int 2e service routine low 16 bits
???????? SHR EAX, 16 ?????? // int 2e service routine high 16 digits
???????? MOV [EBX 6], AX;
???????? LIDT IDTR ?? // loaded with new IDT
???????? STI
????}
}
Void UninstallNewint2e ()
{
???? idtr ???????? IDTR;
???? pidtenTry ???? oidt;
???? pidtenTry ???? NIDT;
???? __ASM {
???????? sIDT IDTR;
????}
???? oidt = (pidTentry) makelong (idtr.lowidtbase, idtr.hiidtbase);
???? Nidt = & (OIDT [SystemCall]);
???? _ asm {
????????? CLI
???????? lea eax, oldint2ervice;
???????? MOV EBX, NIDT;
???????? MOV [EBX], AX;
???????? SHR EAX, 16
???????? MOV [EBX 6], AX;
???????? LIDT IDTR
???????? STI
????}
}
// Drive inlet
NTSTATUS ?? DriveREntry (in pdriver_object driverObject, ?? in powderode_string registrypath)
{
????
???? unicode_string ?? NameString, LinkString
???? pdevice_object ?? deviceObject;
???? ntstatus ???????? status;
???????????????????????????????????????
???? int ???????????????? I;
????
???? // Uninstall drive
???? driverObject-> driverunload = driverunload; ???? // established device
???? rtlinitunicodeString (& nameString, L "// device // wsshookint2e");
????
???? status = ocreateDevice (DriverObject,
?????????????????????????????
???????????????????????????? & nameString,
????????????????????????????? file_device_unknown,
?????????????????????????????
???????????????????????????? True,
???????????????????????????? & deviceObject
??????????????????????????);
??????????????????????????
???? if (! nt_success (status))
??????? rturn status;
????
???? RTLinitunicodeString (& linkstring, l "// dosdevices // wsshookint2e");
???? status = IocreateSymbolicLink (& linkstring, & namestring);
???? if (! nt_success (status))
???? {
???????? odeletedevice (driverObject-> deviceObject);
??????? rturn status;
????} ????
????
???? for (i = 0; I ?????????? driverObject-> majorfunction [i] = mydrvdispatch; ????} ?????? driverObject-> driverunload = driverunload; ???? processnameoffset = getProcessNameOffset (); ???? installnewint2e (); ?? Return status_suCcess; } // Processing device object operation Static NTSTATUS MYDRVDISPATCH (in PDevice_Object DeviceObject, in PIRP IRP) { ???? IRP-> iostatus.status = status_success; ???? Irp-> iostatus.information = 0L; ???? IocompleteRequest (IRP, 0); ???? Return IRP-> iostatus.status; ???? } Void Driverunload (in pdriver_object ???? PDRIVEROBJECT) { ???? unicode_string ?? namestring; ???? uninstallnewint2e (); ???? rtlinitunicodeString (& namestring, l "// dosdevices // wsshookint2e"); ???? ???? odoretessymboliclink (& namestring); ???? odeletedevice (pdriverObject-> deviceObject); ???? Return;} Ulong getProcessNameOffset () { ???????? peprocess curproc; ???????? INT I; ???????? ???????? curproc = psgetcurrentprocess (); ????????? // ???????? // scan for 12kb, hopping the kpeb never grows thing big! ????????? // ???????? for (i = 0; i <3 * Page_size; i ) { ???????????? IF (! STRNCMP (SysNAMP (PCHAR) Curproc I, Strlen (sysname))) { ???????????????? RETURN I; ????????????} ????????} ????????? // ???????? // name not found - OH, Well ????????? // ???????? Return 0; } Void getProcessName (Pchar Name) { ???????? peprocess curproc; ???????? char * nameptr; ???????? ulong i; ???????? if (processnameoffset) { ???????????? curproc = psgetcurrentprocess (); ???????????? Nameptr = (PCHAR) CURPROC ProcessNameOffset ???????????? STRNCPY (Name, Nameptr, 16); ????????} else { ???????????? STRCPY (Name, "???"); ????????} } 3, HOOK PE method ???? This method is to intercept and analyze more other kernel-driven function calls. principle It is achieved according to the replacement of the corresponding function in the table exported in the PE format. Some small skill. If the kernel mode does not directly provide a function of getModuleHandl (), getProcAddress (), and getProcAddress () and other functions to get the address of the module. Then we need yourself to write, this An unprecedented function and structure are used. ZwQuerySystemInformation and System_Module_information are enabled to get the base address of the module. This way we can The PE format is enumerated to guide the functions in the table. But this has taken a problem, that is The page properties of kernel data after Windows 2000 are read-only and cannot be changed. Nothing Provide a function of VirtualProtectex () such as an application layer to modify page properties. So Let's write it yourself. Because we are in kernel mode, we can modify the CR0 register The write protection bit is to achieve our goal. This way we expect to intercept the kernel mode function Implement. This method requires you to have a certain basis for the PE format. The following program demonstrates this process. / ************************************************** ***************** File name ????????: wsshookpe.c Description ??????????: intercept the kernel function Author ???????????: sinister Last modified date ??: 2002-11-02 *********************************************************** *************** / #include "ntddk.h" #include "windef.h" Typedef enorm _system_information_class {???? systembasicinformation, ???? SystemProcessorInformation, ???? SystemPerformanceInformation, ???? systemTIMEOFDAYINFORMATION, ???? systemnotimplement1, ???? SystemProcesSandthReadsinformation, ???? systemcallcounts, ???? SystemconfigurationInformation, ???? systemprocessortimes, ???? systemglobalflag, ???? systemnotimplemented2, ???? SystemModuleInformation, ???? systemlockinformation, ???? systemnotimplement3, ???? systemnotimplement4, ???? systemnotimplement5, ???? systemhandleinformation, ???? systemObjectInformation, ???? systempagefileinformation, ???? systeminstructionemulationcounts, ???? systeminvalidInfoclass1, ???? systemcacheinformation, ???? SystemPoolTagInformation, ???? SystemProcessorstatistics, ???? systemdpcinformation, ???? systemnotimplement6, ???? systemloadImage, ???? systemunloadImage, ???? systemtimeadjustment, ???? systemnotimplement7, ???? systemnotimplement8, ???? systemnotimplement9, ???? systemcrasedumpinformation, ???? systemexceptioninformation, ???? SystemcrashdumpStateInformation, ???? systemkerneldebuggerinformation, ???? systemcontextswitchionformation, ???? systemregistryQuotainFormation, ???? systemloadandCallImage, ???? systempriorityseparation, ???? systemnotimplement10, ???? systemnotimplement11, ???? systeminvalidinfoclass2, ???? systeminvalidInfoclass3, ???? SystemTIMEZONEInformation, ???? systemlookasideinformation, ???? SystemSetTimeSlipEvent, ???? systemcreatesis, ???? systemdeletession, ???? systeminvalidinfoclass4, ???? systemRangeStartInformation, ???? systemverifierInformation, ???? systemaddverifier, ???? SystemSessionProcessesSinformation } System_information_class; TYPEDEF STRUCT Tagsystem_Module_information {???? ulong reserved [2]; ???? pvoid base; ???? ulong size; ???? ulong flags; ???? ushort index; ???? ushort unknown; ???? ushort loading; ???? ushort modulenameoffset; ???? char imagename [256]; } System_module_information, * psystem_module_information; #define image_dos_signature ???????? 0x5a4D ?????? // MZ #DEFINE image_NT_SIGNATURE ?????? 0x50450000 ?? // pe00 #define image_nt_signature1 ???????? 0x00004550 ???? =/00EP TYPEDEF STRUCT _IMAGE_DOS_HEADER {?????? // DOS .Exe Header ???? words ?? e_magic; ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ???? Word ?? e_cblp; ??????????????????????? b t on on on on 电子 ???? words ?? e_cp; ???????????????????????????????????????????????????????????????????????????????????????????????????????????????? ???? words ?? e_crlc; ????????????????????? ???? words ?? e_cparhdr; ??????????????????? // size of header in paragraphs ???? words ?? e_minalloc; ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ???? words ?? e_maxalloc; ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Maximum Extra Paragraphs Needed ???? WORD ?? e_ss; ???????????????????????? // Initial (relative) SS value ???? word ?? e_sp; ?????????????????????????? ???? word ?? e_csum; ????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ???? words ?? e_ip; ???????????????????????????????????????????? ???? WORD ?? e_cs; ???????????????????????? // Initial (relative) CS value ???? word ?? e_lfarlc; ????????????????????? File Address of Relocation Table ???? words ?? e_ovno; ?????????????????????? / Overlay Number ???? words ?? e_res [4]; ?????????????????????? r reserved Words ???? words ?? e_oemid; ????????????????????? // OEM Identifier (for e_oeminfo) ???? word ?? e_oeminfo; ??????????????????? // Oem Information; E_OEMID SPECIC ???? words ?? e_res2 [10]; ??????????????????? // Reserved Words ???? long ?? e_lfaNew; ????????????????????????????????} image_dos_header, * pimage_dos_header; TypedEf struct _image_file_header { ???? Word ???? Machine; ???? Word ???? Numberofsections ???? dword ?? TimedateStamp; ???? DWORD ?? Pointertosymboltable; ???? DWORD ?? Numberofsymbols; ???? Word ???? sizeofoptionalheader; ???? Word ???? characteristics; } Image_file_header, * pimage_file_header; Typedef struct _image_data_directory { ???? DWORD ?? VirtualAddress; ???? dword ?? size; } Image_data_directory, * pimage_data_directory; #define image_numberof_directory_entries ???? 16 // // Optional Header Format. // TypedEf struct _image_optional_header { ???? // ???? // standard field. ???? // ???? Word ???? magic; ???? byte ???? majorlinkerversion; ???? byte ???? minorlinkerversion; ???? DWORD ?? SizeOfcode; ???? dword ?? sizeofinitializeddata; ???? dword ?? sizeofuninitializeddata; ???? dword ?? addressofentrypoint; ???? dword ?? baseofcode; ???? dword ?? baseofdata; ???? // ???? // NT Additional fields. ???? // ???? DWORD ?? ImageBase; ???? dword ?? sectionAlignment ???? dword ?? filealignment; ???? Word ???? MAJorOperatingsystemversion; ???? Word ???? minoropratingsystemversion; ???? Word ????orseimimageversion; ???? Word ???? minorimageversion; ???? Word ???? MAJORSUBSYSTEMVERSION; ???? Word ???? minorsubsystemversion; ???? DWORD ?? Win32VersionValue; ???? DWORD ?? SizeOfImage ???? dword ?? sizeofheaders; ???? dword ?? checksum ???? Word ???? subsystem; ???? Word ???? dllcharacteristics; ???? dword ?? sizeofstackreserve; ???? DWORD ?? SizeOfstackCommit; ???? dword ?? sizeofheapreserve; ???? dword ?? sizeofheapcommit; ???? DWORD?? Loaderflags; ???? DWORD ?? Numberofrvaandsizes; ???? Image_data_directory dataDirectory [image_numberof_directory_entries];} image_optional_header32, * pimage_optional_header32; Typedef struct _image_nt_headers { ???? DWord Signature; ???? Image_file_header fileheader; ???? Image_optional_header32 optional; } Image_nt_headers32, * pimage_nt_headers32; TYPEDEF image_NT_HEPEDEF image_NT_HEPERS32 ?????????????????????????????????????????????????????????????????????????????????????????? = TYPEDEF PIMAGE_NT_HEADERS32 ??????????????piMage_NT_Headers; // // section header format. // #define image_sizeof_short_name ?????????????? 8 Typedef struct _image_section_header { ???? Byte ???? name [image_sizeof_short_name]; ???? union { ???????????? dword ?? physicaladdress; ???????????? dword ?? virtualsize; ????} MISC; ???? DWORD ?? VirtualAddress; ???? dword ?? sizeofrawdata; ???? DWORD ?? PointertorawData; ???? DWORD ?? Pointertorelocations; ???? DWORD ?? PointertolinenumBers; ???? Word ???? Numberofrelocations ???? Word ???? Numberoflinenumbers; ???? dword ?? characteristics; Image_section_header, * pimage_section_header; #define image_sizeof_section_Header ?????????? 40 // // Export Format // Typedef struct_image_export_directory { ???? dword ?? characteristics; ???? dword ?? TimedateStamp; ???? words ???? majorversion; ???? Word ???? minorversion; ???? DWORD?? Name; ???? dword ?? base; ???? DWORD ?? Numberoffunctions ???? dword ?? NumberOfnames ???? dword ?? addressoffunctions; ???? // rva from base of image ???? dword ?? addressofnames; ???????? // rva from base of Image ???? dword ?? addressofnameordinals; ?? // rva from base of Image } Image_export_directory, * pimage_export_directory; #define baseaddrlen 10 NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation ???? in system_information_class systeminformationclass, ???? in out pvoid systemInformation, ????? in ulong systeminformationLENGTH, ???? Out Polong ReturnLength Optional ????); Typedef NTSTATUS (* ZwcreateFile) ?? Out phaldle filehandle, ?? in access_mask desiredAccess, ?? in pobject_attributes Objectttributes, ?? out pio_status_block iostatusblock, ?? in place_integer allocationsize ?? Optional, ?? in Ulong FileAttributes, ?? in ulong shapeaccess, ?? in ulong createDisposition, ?? in Ulong CreateOptions, ?? in pvoid eabuffer ?? Optional, ?? in ulong elangth ??); ZWCREATEFILE ???? oldzwcreatefile; Static NTSTATUS ?? MyDrvdispatch (in PDevice_Object DeviceObject, in PIRP IRP); Void Driverunload (in PDRIVER_Object PDRIVEROBJECT); Void disablewriteprotect (pulong paindattr); Void enableWriteProtect (Ulong Uloldattr); FarProc Hookfunction (???? Pchar PModulebase, Pchar PhookName, FarProc Phookfunc); NTSTATUS?? Hookntcreatefile ?? Out phaldle filehandle, ?? in access_mask desiredAccess, ?? in pobject_attributes Objectttributes, ?? out pio_status_block iostatusblock, ?? in place_integer allocationsize ?? Optional, ?? in Ulong FileAttributes, ?? in ulong shapeaccess, ?? in ulong createDisposition, ?? in Ulong CreateOptions, ?? in pvoid eabuffer ?? Optional, ?? in ulong elangth ??); Pchar MygetModuleBaseAddress (Pchar PModulenAme) { ???? psystem_module_information ???? psysmodule; ???? ???? ulong ???????????? ureturn ???? ulong ???????????? ucount; ???? pchar ???????????? pbuffer = NULL; ???? pchar ???????????? PNAME ???? = NULL ???? ntstatus ???????? status; ???? uint ???????????? ui; ???? char ???????????? szbuffer [baseaddrlen]; ???? pchar ???????????? PBaseAddress ???? ???? status = zwQuerySystemInformation (SystemModuleinformation, Szbuffer, Baseaddrlen, & Ureturn); ???? pBuffer = (pchar) ExallocatePool (NonpagedPool, Ureturn); ???? ing (PBuffer) ???? { ???????? status = zwQuerySystemInformation (SystemModuleInformation, PBuffer, Ureturn, & Ureturn); ???????? ing (status == status_success) ???????? { ???????????? ucount = (ulong) * (ulong *) pBuffer; ???????????? psysmodule = (pster sizeof (ulong)); ???????????? for (ui = 0; ui ???????????? { ???????????????? PNAME = mystrchr (psysmodule-> imagename, '//'); ?????????????????????????? f (! PNAME) ???????????????? { ???????????????????? pname = psysmodule; ?????????????????} ????????????????? ELSE { ???????????????????? PNAME ; ?????????????????} ???????????????? IF (! _striCMP (PNAME, PMODULENAME)) ???????????????? { ???????????????????? pBaseaddress = (PCHAR) PSYSModule-> base; ???????????????????? EXFREEPOOL (PBUFFER); ???????????????????? Return PBaseAddress; ?????????????????} ???????????????? psysmodule ; ????????????} ????????} ???????? EXFREEPOOL (PBUFFER); ????} ???? Return NULL; } FarProc Hookfunction (Pchar Pmodulebase, Pchar Hookfunname, FarProc Hookfun) { ??????????????????? PDOSHDR; ???? pimage_nt_headers ???????? pnthdr; ???? pimage_section_header ???? psechdr; ???? pimage_export_directory ?? pextdir; ???? uint ????????????????????? ui, uj; ???? pchar ????????????????????unname ???? dword ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? * dwaddRName ???? dword ????????????????????? * dwaddrfun; ???? farproc ???????????????????? PoldFun ???? ulong ????????????????????? uattrib; ???? pdoshdr = (pimage_dos_header) PMODULEBASE; ???? i (image_dos_signature == pdoshdr-> e_magic) ???? { ???????? pnthdr = (pimagebase pdoshdr-> e_lfaNew); ???????? f (image_nt_signature ?? == PNTHDR-> SIGNATURE || ???? image_nt_signature1 == PNTHDR-> SIGNATURE) ???????? { ???????????? psechdr = (PIMAGE_SECTION_HEADER) (PMODULEBASE PDOSHDR-> E_LFANEW SIZEOF (Image_NT_HEADERS)); ???????????? for (ui = 0; ui <(uint) PNTHDR-> FileHeader.Numberofsections; UI ) ???????????? { ???????????????? ing (! strCMP (psechdr-> name, ".edata"))) ????????????????? {???????????????? ???????????????????? pextdir = (Pimage_Export_directory) (PModuleBase PsechDr-> VirtualAddress); ???????????????????? DWADDRNAME = (PDWORD) (PMODULEBASE pextdir-> addressofnames); ???????????????????? dwaddrfun = (PDWORD) (PModuleBase Pextdir-> Addressoffunctions); ????????????????????? for (uj = 0; uj <(uint) pextdir-> numberoffunctions; uj ) ???????????????????? { ?????????????????????????Unname = PMODULEBASE * dwaddRName ???????????????????????? f (! strcmp (funname, hookfunname) ???????????????????????? { ???????????????????????????? DBGPRINT ("hook ??% s () / n", funname); ???????????????????? DisableWriteProtect (& UATTRIB); ???????????????????????????? PoldFun = (FARPROC) (PModuleBase * dwaddrfun); ?????????????????????????????? * dwaddrfun = (pChar) hookfun - pmodulebase; ????????????????????? enableWriteProtect (UttribRIB); ???????????????????? RETURN POLDFUN ?????????????????????????} ?????????????????????? dwaddRName ; ??????????????????????? dwaddrfun ; ????????????????????} ?????????????????} ????????????????? psechdr ; ????????????} ????????} ????} ???? Return NULL; } // Drive inlet NTSTATUS ?? DriveREntry (in pdriver_object driverObject, ?? in powderode_string registrypath) { ???? ???? unicode_string ?? NameString, LinkString ???? pdevice_object ?? deviceObject; ???? ntstatus ???????? status; ??????????????????????????????????????? ???? pchar ???????????? pmoduleaddress; ???? int ???????????????? I; ???? ???? // Uninstall drive ???? driverObject-> driverunload = driverunload; ???? // Establish a device ???? rtlinitunicodeString (& namestring, l "// device // wsshookpe"); ???? ???? status = ocreateDevice (DriverObject, ????????????????????????????? ???????????????????????????? & nameString, ????????????????????????????? file_device_unknown, ????????????????????????????? ???????????????????????????? True, ???????????????????????????? & deviceObject ??????????????????????????); ?????????????????????????? ???? if (! nt_success (status)) ??????? rturn status; ???? ???? rtlinitunicodeString (& linkstring, l "// dosdevices // wsshookpe"); ???? status = IocreateSymbolicLink (& linkstring, & namestring); ???? if (! nt_success (status)) ???? { ???????? odeletedevice (driverObject-> deviceObject); ??????? rturn status; ????} ???? ???? ???? pmoduleaddress = MygetModuleBaseAddress ("ntoskrnl.exe"); ???? if (PModuleAddress == NULL) ???? { ???????? dbgprint ("MygetModuleBaseAddress () / n"); ???????? Return 0; ????} ????? Oldzwcreatefile = (zwcreatefile) hookfunction (PModuleAddress, "zwcreatefile", (zwcreatefile) hookntcreatefile; ???? if (OldzwcreateFile == null) ???? { ???????? DBGPRINT ("Hook FaileD / N"); ???????? Return 0; ????} ???? DBGPrint ("hook succeed / n"); ???? for (i = 0; I ?????????? driverObject-> majorfunction [i] = mydrvdispatch; ????} ?????? driverObject-> driverunload = driverunload; ???? ?? Return status_suCcess; } // Processing device object operation Static NTSTATUS MYDRVDISPATCH (in PDevice_Object DeviceObject, in PIRP IRP) { ???? IRP-> iostatus.status = status_success; ???? Irp-> iostatus.information = 0L; ???? IocompleteRequest (IRP, 0); ???? Return IRP-> iostatus.status; ???? } Void Driverunload (in pdriver_object ???? PDRIVEROBJECT) { ???? unicode_string ?? namestring; ???? pchar ???????????? pmoduleaddress; ???? pmoduleaddress = MygetModuleBaseAddress ("ntoskrnl.exe"); ???? if (PModuleAddress == NULL) ???? { ???????? dbgprint ("MygetModuleBaseAddress () / n"); ???????? Return; ????} ???? oldzwcreatefile = (zwcreatefile) hookfunction (pmoduleaddress, "zwcreatefile", (zwcreatefile) OldzwcreateFile; ???? if (OldzwcreateFile == null) ???? { ???????? DBGPRINT ("Unhook Failed! / N"); ???????? Return; ????} ???? DBGPrint ("unhook succeed / n"); ???? rtlinitunicodeString (& namestring, l "// dosdevices // wsshookpe"); ???? ???? odoretessymboliclink (& namestring); ???? odeletedevice (pdriverObject-> deviceObject); ???? Return; } NTSTATUS?? Hookntcreatefile ?? Out phaldle filehandle, ?? in access_mask desiredAccess, ?? in pobject_attributes Objectttributes, ?? out pio_status_block iostatusblock, ?? in place_integer allocationsize ?? Optional, ?? in Ulong FileAttributes, ?? in ulong shapeaccess, ?? in ulong createDisposition, ?? in Ulong CreateOptions, ?? in pvoid eabuffer ?? optional, ?? in ulong elangth ??) { ???? ntstatus ???? status; ???? DBGPrint ("Hook ZwcreateFile () / N"); ???? status = ((zwcreatefile) (OldzwcreateFile)) ?????????????? fileHandle, ?????????????? desiredAccess, ?????????????? Objectattributes, ?????????????? ostatusblock, ?????????????? allocationsize, ?????????????? FileAttributes, ?????????????? ShareAccess, ?????????????? CreatedIndisPosition, ?????????????? CreateOptions, ?????????????? eabuffer, ?????????????? ealength ??????????????); ???? Return Status; } Void DisableWriteProtect (Pulong Poldattr) { ???? ulong uttr; ???? _ASM ???? { ?????????? push eax; ?????????? mov ?? Eax, CR0; ?????????? MOV ?? uattr, EAX; ??????????id ?? eax, 0ffeffffh; // CR0 16 bit = 0 ?????????? MOV ?? CR0, EAX; ?????????? pop ?? eax; ????}; ???? * Poldattr = uattr; // Save the original CRO attribute } Void EnableWriteProtect (ulong uoldattr) { ?? _ asm ?? { ?????? push eax; ?????? MOV ?? eax, uoldattr; // Restore the original CR0 attribute ?????? MOV ?? CR0, EAX; ?????? pop ?? eax; ? }
