求助....急....
#include <string.h>
#include <stdio.h>
#include <ntddk.h>

/*
 * Test driver that creates \Device\TESTHOOK (plus a \DosDevices link) and,
 * for as long as it is loaded, replaces the System Service Descriptor Table
 * entry for ZwQuerySystemInformation with Hook_ZwQuerySystemInformation,
 * which forwards every call to the saved original and emits one DbgPrint.
 *
 * Everything below that touches KeServiceDescriptorTable or CR0 is 32-bit
 * x86 specific and undocumented/unsupported: the table is typed as
 * unsigned int, function pointers are truncated through (ULONG) casts, the
 * service index is read from the byte layout of the Zw* stub, and the CR0.WP
 * bit is cleared with inline assembly. Kernel Patch Protection on 64-bit
 * Windows treats a modified service table as a fatal error, and SSDT
 * integrity checks used by security tooling flag table entries that point
 * outside the kernel image — which is exactly what this driver installs.
 */

NTSTATUS DrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID DrvUnload(IN PDRIVER_OBJECT DriverObject);

#define NT_DEVICE_NAME L"\\Device\\TESTHOOK"
#define DOS_DEVICE_NAME L"\\DosDevices\\TESTHOOK"
#define FILE_DEVICE_TEST 0x00654422   // custom device type handed to IoCreateDevice

/*
 * Local copies of undocumented kernel types. Only SYSTEM_INFORMATION_CLASS is
 * referenced by the code in this file; THREAD_STATE, SYSTEM_THREADS and
 * SYSTEM_PROCESSES are declared but never used here.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation,
    SystemTimeOfDayInformation, SystemNotImplemented1, SystemProcessesAndThreadsInformation,
    SystemCallCounts, SystemConfigurationInformation, SystemProcessorTimes,
    SystemGlobalFlag, SystemNotImplemented2, SystemModuleInformation,
    SystemLockInformation, SystemNotImplemented3, SystemNotImplemented4,
    SystemNotImplemented5, SystemHandleInformation, SystemObjectInformation,
    SystemPagefileInformation, SystemInstructionEmulationCounts, SystemInvalidInfoClass1,
    SystemCacheInformation, SystemPoolTagInformation, SystemProcessorStatistics,
    SystemDpcInformation, SystemNotImplemented6, SystemLoadImage,
    SystemUnloadImage, SystemTimeAdjustment, SystemNotImplemented7,
    SystemNotImplemented8, SystemNotImplemented9, SystemCrashDumpInformation,
    SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation,
    SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemLoadAndCallImage,
    SystemPrioritySeparation, SystemNotImplemented10, SystemNotImplemented11,
    SystemInvalidInfoClass2, SystemInvalidInfoClass3, SystemTimeZoneInformation,
    SystemLookasideInformation, SystemSetTimeSlipEvent, SystemCreateSession,
    SystemDeleteSession, SystemInvalidInfoClass4, SystemRangeStartInformation,
    SystemVerifierInformation, SystemAddVerifier, SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

typedef enum _THREAD_STATE {
    StateInitialized, StateReady, StateRunning, StateStandby,
    StateTerminated, StateWait, StateTransition, StateUnknown
} THREAD_STATE;

typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE State;
    KWAIT_REASON WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;

typedef struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

/*
 * Mirror of the kernel's service descriptor entry.
 * NOTE(review): byte-packed and 32-bit (unsigned int table slots); this
 * layout is assumed, not verified, for the target kernel build — confirm.
 */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;           // array of service routine addresses, indexed by service number
    unsigned int *ServiceCounterTableBase;    // Used only in checked build
    unsigned int NumberOfServices;            // table length; never consulted by the hooking code below
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

/*
 * Prototype of the exported Zw stub. The address of this symbol is used below
 * to read the service number out of the stub's code bytes.
 * NOTE(review): the prototype, the typedef and Hook_ZwQuerySystemInformation
 * carry no explicit calling-convention or import decoration, so they rely on
 * the build's defaults matching what the kernel's system-call dispatcher and
 * linker produce — TODO confirm against the ntddk declarations.
 */
NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);

typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Original table entry, saved by DriverEntry and restored by DrvUnload.
// Zero-initialised as a file-scope global; only assigned on DriverEntry's success path.
ZWQUERYSYSTEMINFORMATION Real_ZwQuerySystemInformation;

/*
 * Replacement service routine. Runs on behalf of every caller of
 * ZwQuerySystemInformation once installed: forwards the unmodified arguments
 * to the saved original, logs the call (DbgPrint, no trailing newline, on a
 * very frequently used service), and returns the original's status unchanged.
 */
NTSTATUS Hook_ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength)
{
    NTSTATUS Status = Real_ZwQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
    DbgPrint("Hook ZwQuerySystemInformation");
    return Status;
}

/*
 * Driver entry point: creates the device and DOS link, installs the hook,
 * and sets the dispatch/unload routines. RegistryPath is unused.
 *
 * Returns the status of IoCreateDevice, or of IoCreateSymbolicLink if the
 * device was created. On any failure DrvUnload is invoked for cleanup.
 *
 * Known hazards visible in this function:
 *  - The IoCreateSymbolicLink status is stored but not checked before the
 *    hook is installed; on failure the hook goes in and is immediately
 *    removed again by the DrvUnload call below.
 *  - If IoCreateDevice fails, DrvUnload runs with Real_ZwQuerySystemInformation
 *    still zero and DriverObject->DeviceObject still NULL, so it writes that
 *    zero into the live service table and passes NULL to IoDeleteDevice.
 *  - The service index is read from the byte after the first opcode of the
 *    Zw stub and is never range-checked against NumberOfServices; a wrong
 *    read becomes an out-of-range read and write on the service table.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS ntStatus;
    UNICODE_STRING deviceNameUnicodeString;
    UNICODE_STRING deviceLinkUnicodeString;

    RtlInitUnicodeString(&deviceNameUnicodeString, NT_DEVICE_NAME);
    ntStatus = IoCreateDevice(DriverObject, 0, &deviceNameUnicodeString, FILE_DEVICE_TEST, 0, FALSE, &deviceObject);
    if ( NT_SUCCESS(ntStatus) ) {
        RtlInitUnicodeString(&deviceLinkUnicodeString, DOS_DEVICE_NAME);
        ntStatus = IoCreateSymbolicLink(&deviceLinkUnicodeString, &deviceNameUnicodeString);   // status not checked before hooking

        // Save the current table entry; the index comes from the stub's code bytes (unchecked).
        Real_ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)(KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)ZwQuerySystemInformation+1) ]);

        // Clear CR0.WP so the read-only table page can be written. CLI only
        // masks interrupts on the executing processor; other processors are
        // unaffected and may still dispatch through the table meanwhile.
        _asm {
            CLI
            MOV EAX, CR0
            AND EAX, NOT 10000H
            MOV CR0, EAX
        }
        // Function pointer truncated to ULONG: 32-bit only.
        (KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)ZwQuerySystemInformation+1) ]) = (ULONG)Hook_ZwQuerySystemInformation;
        // Restore write protection and re-enable interrupts.
        _asm {
            MOV EAX, CR0
            OR EAX, 10000H
            MOV CR0, EAX
            STI
        }

        DriverObject->MajorFunction[IRP_MJ_CREATE] =
        DriverObject->MajorFunction[IRP_MJ_CLOSE] =
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvDispatch;
        DriverObject->DriverUnload = DrvUnload;
    }

    if ( !NT_SUCCESS(ntStatus) ) {
        DrvUnload(DriverObject);   // see hazards above: may run with nothing to restore
    }
    return ntStatus;
}

/*
 * Dispatch routine for create, close and device-control IRPs. Every request
 * completes with STATUS_SUCCESS and zero bytes transferred; the buffer
 * pointer and length locals are read but never used, and the switch has no
 * default arm. DeviceObject is unused.
 */
NTSTATUS DrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION irpStack;
    PVOID ioBuffer;
    ULONG inputBufferLength;
    ULONG outputBufferLength;
    NTSTATUS ntStatus;

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    irpStack = IoGetCurrentIrpStackLocation(Irp);
    ioBuffer = Irp->AssociatedIrp.SystemBuffer;
    inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;

    switch (irpStack->MajorFunction) {
    case IRP_MJ_CREATE:
        break;
    case IRP_MJ_CLOSE:
        break;
    case IRP_MJ_DEVICE_CONTROL:
        break;
    }

    ntStatus = Irp->IoStatus.Status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}

/*
 * Unload routine: writes Real_ZwQuerySystemInformation back into the service
 * table (same CR0.WP / CLI sequence as DriverEntry), then removes the DOS
 * link and the driver's first device object.
 * NOTE(review): nothing here waits for threads that are currently executing
 * inside Hook_ZwQuerySystemInformation before the image is unloaded — confirm
 * this is acceptable for the intended use.
 */
VOID DrvUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING deviceLinkUnicodeString;

    _asm {
        CLI
        MOV EAX, CR0
        AND EAX, NOT 10000H
        MOV CR0, EAX
    }
    // Unconditional: if DriverEntry never saved the original, this stores zero.
    (KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)ZwQuerySystemInformation+1) ]) =
        (ULONG)Real_ZwQuerySystemInformation;
    _asm {
        MOV EAX, CR0
        OR EAX, 10000H
        MOV CR0, EAX
        STI
    }

    RtlInitUnicodeString(&deviceLinkUnicodeString, DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&deviceLinkUnicodeString);
    IoDeleteDevice(DriverObject->DeviceObject);   // NULL on DriverEntry's IoCreateDevice failure path
}
蓝屏错误0x00000050,不知为何原因 |