|
阅读:1961回复:0
【求助】SSDT HOOL zwCreateFile 系统崩溃
本人菜鸟,正在学习驱动开发,想hook zwCreateFile,一HOOK不要紧,c盘整个无法读取了,然后想卸载,就崩溃了
 ,求助是何原因?主要怀疑是文件目录匹配出错: UNICODE_STRING NEWU; RtlInitUnicodeString(&NEWU,L"C:\xch"); if (RtlCompareUnicodeString(&NEWU,ObjectAttributes->ObjectName,TRUE)) { } { IoStatusBlock->Information=FILE_DOES_NOT_EXIST; rc=OldZWCREATEFILE(0,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength); return rc; } rc=OldZWCREATEFILE(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength); return rc; } 还有卸载函数似乎也不对: VOID DRIVERHOOK_DriverUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("ROOTKIT: OnUnload called\n"); // 卸载hook UNHOOK_SYSCALL( ZwCreateFile, HookZwCreateFile, OldZWCREATEFILE ); // 解索并释放MDL if(g_pmdlSystemCall) { MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall); IoFreeMdl(g_pmdlSystemCall); } PDEVICE_OBJECT pdoNextDeviceObj = pdoGlobalDrvObj->DeviceObject; IoDeleteSymbolicLink(&usSymlinkName); // Delete all the device objects while(pdoNextDeviceObj) { PDEVICE_OBJECT pdoThisDeviceObj = pdoNextDeviceObj; pdoNextDeviceObj = pdoThisDeviceObj->NextDevice; IoDeleteDevice(pdoThisDeviceObj); } } #ifdef __cplusplus extern "C" { #endif #include <ntddk.h> #include <string.h> #ifdef __cplusplus }; // extern "C" #endif #include "DriverHOOK.h" extern "C" { //////////////// SSDT #pragma pack(1) typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; //Used only in checked build unsigned int NumberOfServices; unsigned char *ParamTableBase; } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; #pragma pack() __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; } #ifdef __cplusplus namespace { // anonymous namespace to limit the scope of this global variable! #endif PDRIVER_OBJECT pdoGlobalDrvObj = 0; #ifdef __cplusplus }; // anonymous namespace #endif #define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)] PMDL g_pmdlSystemCall; PVOID *MappedSystemCallTable; #define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1) #define HOOK_SYSCALL(_Function, _Hook, _Orig ) \ /*_Orig = (PVOID) */InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook) #define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \ InterlockedExchange( (PLONG) \ &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook) typedef NTSTATUS (*REALZWCREATEFILE)( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength );REALZWCREATEFILE RealZwCreateFile; REALZWCREATEFILE OldZWCREATEFILE; NTSTATUS HookZwCreateFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) { //初始化此函数的返回值 NTSTATUS rc=0; // char Dir[7]={'\0'}; int Flag=0; // ANSI_STRING ansiDirName; PUNICODE_STRING uniFileName; PWSTR pTemp = (PWSTR)ExAllocatePool( NonPagedPool, 256); uniFileName = (PUNICODE_STRING)ExAllocatePool( NonPagedPool, sizeof( UNICODE_STRING)); uniFileName->Buffer = pTemp; //将用户操作的路径保存在变量ansiDirName中 //RtlUnicodeStringToAnsiString( &ansiDirName, ObjectAttributes->ObjectName, TRUE); //memset(Dir,0,7); //将用户操作的盘符保存在数组Dir中 //memcpy(Dir,ansiDirName.Buffer,6); //比较和我们保护的文件夹是否匹配 //if (strcmp(Dir,"C:\xch")==0) UNICODE_STRING NEWU; RtlInitUnicodeString(&NEWU,L"C:\xch"); if (RtlCompareUnicodeString(&NEWU,ObjectAttributes->ObjectName,TRUE)) { } { IoStatusBlock->Information=FILE_DOES_NOT_EXIST; rc=OldZWCREATEFILE(0,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength); return rc; } rc=OldZWCREATEFILE(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength); return rc; } NTSTATUS DRIVERHOOK_DispatchCreateClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status = STATUS_SUCCESS; Irp->IoStatus.Status = status; Irp->IoStatus.Information = 0; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; } NTSTATUS DRIVERHOOK_DispatchDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp); switch(irpSp->Parameters.DeviceIoControl.IoControlCode) { case IOCTL_DRIVERHOOK_OPERATION: // status = SomeHandlerFunction(irpSp); break; default: Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; Irp->IoStatus.Information = 0; break; } status = Irp->IoStatus.Status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; } VOID DRIVERHOOK_DriverUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("ROOTKIT: OnUnload called\n"); // 卸载hook UNHOOK_SYSCALL( ZwCreateFile, HookZwCreateFile, OldZWCREATEFILE ); // 解索并释放MDL if(g_pmdlSystemCall) { MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall); IoFreeMdl(g_pmdlSystemCall); } PDEVICE_OBJECT pdoNextDeviceObj = pdoGlobalDrvObj->DeviceObject; IoDeleteSymbolicLink(&usSymlinkName); // Delete all the device objects while(pdoNextDeviceObj) { PDEVICE_OBJECT pdoThisDeviceObj = pdoNextDeviceObj; pdoNextDeviceObj = pdoThisDeviceObj->NextDevice; IoDeleteDevice(pdoThisDeviceObj); } } #ifdef __cplusplus extern "C" { #endif NTSTATUS DriverEntry( IN OUT PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { PDEVICE_OBJECT pdoDeviceObj = 0; NTSTATUS status = STATUS_UNSUCCESSFUL; pdoGlobalDrvObj = DriverObject; // Create the device object. if(!NT_SUCCESS(status = IoCreateDevice( DriverObject, 0, &usDeviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pdoDeviceObj ))) { // Bail out (implicitly forces the driver to unload). return status; }; // Now create the respective symbolic link object if(!NT_SUCCESS(status = IoCreateSymbolicLink( &usSymlinkName, &usDeviceName ))) { IoDeleteDevice(pdoDeviceObj); return status; } // NOTE: You need not provide your own implementation for any major function that // you do not want to handle. I have seen code using DDKWizard that left the // *empty* dispatch routines intact. This is not necessary at all! DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverObject->MajorFunction[IRP_MJ_CLOSE] = DRIVERHOOK_DispatchCreateClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DRIVERHOOK_DispatchDeviceControl; DriverObject->DriverUnload = DRIVERHOOK_DriverUnload; OldZWCREATEFILE =(REALZWCREATEFILE)(SYSTEMSERVICE(ZwCreateFile)); // Map the memory into our domain so we can change the permissions on the MDL g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4); if(!g_pmdlSystemCall) return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(g_pmdlSystemCall); // Change the flags of the MDL g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; MappedSystemCallTable =(PVOID*) MmMapLockedPages(g_pmdlSystemCall, KernelMode); HOOK_SYSCALL( ZwCreateFile, HookZwCreateFile, OldZWCREATEFILE ); return STATUS_SUCCESS; } #ifdef __cplusplus }; // extern "C" #endif |
|
