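/*
 * ITSys.c -- SSDT (KeServiceDescriptorTable) hook example, shared on a
 * driver-development forum as "kernel hook example (stable)".  According to
 * the thread it is derived from the NTROOTKIT sample; this is a reviewed copy.
 *
 * Behaviour: DriverEntry creates \Device\ITSys (plus a \DosDevices\ITSys
 * link), then StartHook() replaces 19 system-service table entries with
 * Hook_Zw* functions that only forward to the original service.
 * UnloadDriver() restores the table and deletes the device.  DispatchIoCtrl
 * implements no control codes.
 *
 * Caveats before reusing this as a template:
 *  - x86 only.  SYSTEMSERVICE() reads the service index out of the 32-bit
 *    "mov eax, imm32" Zw* stub, and the InterlockedExchange() calls truncate
 *    pointers to LONG.  On x64 the technique also trips kernel patch
 *    protection.  The #error below makes the restriction explicit.
 *  - Unloading an SSDT hook is inherently racy: a thread that fetched the
 *    old table entry just before RemoveHook() can still be executing inside
 *    a Hook_Zw* body when the image is unmapped.  g_ActiveHooks plus the
 *    bounded wait in UnloadDriver() narrows that window; it does not close it.
 *  - No DACL is supplied to IoCreateDevice(), so \Device\ITSys gets the
 *    default security for FILE_DEVICE_UNKNOWN and any local user can open it.
 *    Any IOCTL added later must validate its buffers and lengths, and the
 *    device should get a restrictive DACL.
 *  - Declarations that were never hooked or defined in the original
 *    (ZwCreateProcess[Ex], ZwCreateThread, ZwTerminateThread, INITIAL_TEB,
 *    SYSTEM_HANDLE_INFORMATION, ObQueryNameString) have been dropped.
 */
#include <ntddk.h>
#include <ntimage.h>

#if !defined(_X86_)
#error "ITSys: this SSDT hook relies on the x86 Zw* stub layout and 32-bit pointers."
#endif

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;   /* used only in checked builds */
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/*
 * Service-table slot for a Zw* stub.  On x86 the exported stub starts with
 * "mov eax, <service index>" (B8 imm32), so the index is at byte offset 1.
 */
#define SYSTEMSERVICE(_function) \
    KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)(_function) + 1)]
#define SDT  SYSTEMSERVICE
#define KSDT KeServiceDescriptorTable

/*---------------------------------------------------------------------------
 * Defines
 *---------------------------------------------------------------------------*/
#ifndef FILE_DEVICE_UNKNOWN
#define FILE_DEVICE_UNKNOWN 0x00000022
#endif
#define IOCTL_UNKNOWN_BASE FILE_DEVICE_UNKNOWN
#define IOCTL_INIT CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, \
                            FILE_READ_ACCESS | FILE_WRITE_ACCESS)

/*---------------------------------------------------------------------------
 * Supplementary types (not in this WDK's ntddk.h)
 *---------------------------------------------------------------------------*/
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

/*---------------------------------------------------------------------------
 * Private data
 *---------------------------------------------------------------------------*/
typedef struct _DEVICE_EXTENSION {
    PDEVICE_OBJECT DeviceObject;
    PKEVENT Event;
    BOOLEAN bPCreate;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

/* Global device object, kept for callers that need it (none in this file). */
PDEVICE_OBJECT g_pDeviceObject;

/*
 * Number of threads currently executing inside a Hook_Zw* body.  Read by
 * UnloadDriver() to delay unmapping the image while hooks are in flight.
 */
static volatile LONG g_ActiveHooks = 0;
#define HOOK_ENTER() InterlockedIncrement((PLONG)&g_ActiveHooks)
#define HOOK_LEAVE() InterlockedDecrement((PLONG)&g_ActiveHooks)

/*---------------------------------------------------------------------------
 * Kernel exports not declared in ntddk.h; needed so SDT(ZwXxx) can take the
 * address of the ntoskrnl stub.
 *---------------------------------------------------------------------------*/
NTKERNELAPI NTSTATUS ZwSetSecurityObject(
    IN HANDLE Handle,
    IN SECURITY_INFORMATION SecurityInformation,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor);

NTKERNELAPI NTSTATUS ZwTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus);

NTKERNELAPI NTSTATUS ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

NTKERNELAPI NTSTATUS ZwOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

NTKERNELAPI NTSTATUS ZwLoadDriver(
    IN PUNICODE_STRING DriverServiceName);

NTKERNELAPI NTSTATUS ZwSetSystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength);

NTKERNELAPI NTSTATUS ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/*---------------------------------------------------------------------------
 * Forward declarations
 *---------------------------------------------------------------------------*/
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
void UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
void StartHook(void);
void RemoveHook(void);

NTSTATUS Hook_ZwWriteFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL);

NTSTATUS Hook_ZwReadFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL);

NTSTATUS Hook_ZwSetSystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength);

NTSTATUS Hook_ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

NTSTATUS Hook_ZwLoadDriver(
    IN PUNICODE_STRING DriverServiceName);

NTSTATUS Hook_ZwSetSecurityObject(
    IN HANDLE ObjectHandle,
    IN SECURITY_INFORMATION SecurityInformationClass,
    IN PSECURITY_DESCRIPTOR DescriptorBuffer);

NTSTATUS Hook_ZwOpenKey(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes);

NTSTATUS Hook_ZwCreateKey(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG TitleIndex,
    IN PUNICODE_STRING Class OPTIONAL,
    IN ULONG CreateOptions,
    OUT PULONG Disposition OPTIONAL);

NTSTATUS Hook_ZwSetValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize);

NTSTATUS Hook_ZwDeleteKey(
    IN HANDLE KeyHandle);

NTSTATUS Hook_ZwDeleteValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName);

NTSTATUS Hook_ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes);

NTSTATUS Hook_ZwCreateSection(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributess,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL);

NTSTATUS Hook_ZwTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus);

NTSTATUS Hook_ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

NTSTATUS Hook_ZwOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

NTSTATUS Hook_ZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength);

NTSTATUS Hook_ZwOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions);

NTSTATUS Hook_ZwClose(
    IN HANDLE ObjectHandle);

/*
 * Section placement.  RemoveHook() is deliberately NOT paged: it runs its
 * table writes at DISPATCH_LEVEL (see DisableWriteProtect), and code that
 * executes at that IRQL must not live in a pageable section.
 */
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(INIT, StartHook)
#pragma alloc_text(PAGE, DispatchCreate)
#pragma alloc_text(PAGE, DispatchClose)
#pragma alloc_text(PAGE, DispatchIoCtrl)
#pragma alloc_text(PAGE, UnloadDriver)
#pragma alloc_text(PAGE, Hook_ZwOpenKey)
#pragma alloc_text(PAGE, Hook_ZwSetSecurityObject)
#pragma alloc_text(PAGE, Hook_ZwCreateKey)
#pragma alloc_text(PAGE, Hook_ZwSetValueKey)
#pragma alloc_text(PAGE, Hook_ZwDeleteKey)
#pragma alloc_text(PAGE, Hook_ZwDeleteValueKey)
#pragma alloc_text(PAGE, Hook_ZwOpenSection)
#pragma alloc_text(PAGE, Hook_ZwCreateSection)
#pragma alloc_text(PAGE, Hook_ZwOpenProcess)
#pragma alloc_text(PAGE, Hook_ZwTerminateProcess)
#pragma alloc_text(PAGE, Hook_ZwOpenThread)
#pragma alloc_text(PAGE, Hook_ZwCreateFile)
#pragma alloc_text(PAGE, Hook_ZwOpenFile)
#pragma alloc_text(PAGE, Hook_ZwClose)
#pragma alloc_text(PAGE, Hook_ZwLoadDriver)
#pragma alloc_text(PAGE, Hook_ZwSetSystemInformation)
#pragma alloc_text(PAGE, Hook_ZwQuerySystemInformation)
#pragma alloc_text(PAGE, Hook_ZwReadFile)
#pragma alloc_text(PAGE, Hook_ZwWriteFile)
#endif

/*---------------------------------------------------------------------------
 * Function-pointer types for the original services
 *---------------------------------------------------------------------------*/
typedef NTSTATUS (*ZWLOADDRIVER)(
    IN PUNICODE_STRING DriverServiceName);

typedef NTSTATUS (*ZWCREATEFILE)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength);

typedef NTSTATUS (*ZWOPENFILE)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions);

typedef NTSTATUS (*ZWCLOSE)(
    IN HANDLE ObjectHandle);

typedef NTSTATUS (*ZWWRITEFILE)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL);

typedef NTSTATUS (*ZWREADFILE)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL);

typedef NTSTATUS (*ZWOPENPROCESS)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

typedef NTSTATUS (*ZWTERMINATEPROCESS)(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus);

typedef NTSTATUS (*ZWOPENTHREAD)(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

typedef NTSTATUS (*ZWCREATESECTION)(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributess,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL);

typedef NTSTATUS (*ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes);

/* Registry */
typedef NTSTATUS (*ZWCREATEKEY)(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG TitleIndex,
    IN PUNICODE_STRING Class OPTIONAL,
    IN ULONG CreateOptions,
    OUT PULONG Disposition OPTIONAL);

typedef NTSTATUS (*ZWOPENKEY)(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes);

typedef NTSTATUS (*ZWSETVALUEKEY)(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize);

typedef NTSTATUS (*ZWSETSECURITYOBJECT)(
    IN HANDLE ObjectHandle,
    IN SECURITY_INFORMATION SecurityInformationClass,
    IN PSECURITY_DESCRIPTOR DescriptorBuffer);

typedef NTSTATUS (*ZWDELETEKEY)(
    IN HANDLE KeyHandle);

typedef NTSTATUS (*ZWDELETEVALUEKEY)(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName);

typedef NTSTATUS (*ZWSETSYSTEMINFORMATION)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength);

typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/*---------------------------------------------------------------------------
 * Saved original service addresses (filled in by StartHook)
 *---------------------------------------------------------------------------*/
static ZWCREATEFILE             OldZwCreateFile;
static ZWOPENFILE               OldZwOpenFile;
static ZWCLOSE                  OldZwClose;
static ZWWRITEFILE              OldZwWriteFile;
static ZWREADFILE               OldZwReadFile;
static ZWTERMINATEPROCESS       OldZwTerminateProcess;
static ZWOPENPROCESS            OldZwOpenProcess;
static ZWOPENTHREAD             OldZwOpenThread;
static ZWCREATESECTION          OldZwCreateSection;
static ZWOPENSECTION            OldZwOpenSection;
static ZWCREATEKEY              OldZwCreateKey;
static ZWSETVALUEKEY            OldZwSetValueKey;
static ZWDELETEKEY              OldZwDeleteKey;
static ZWDELETEVALUEKEY         OldZwDeleteValueKey;
static ZWSETSECURITYOBJECT      OldZwSetSecurityObject;
static ZWOPENKEY                OldZwOpenKey;
static ZWLOADDRIVER             OldZwLoadDriver;
static ZWSETSYSTEMINFORMATION   OldZwSetSystemInformation;
static ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;

/*---------------------------------------------------------------------------
 * Hook bodies.  Every hook just forwards to the saved original; the
 * HOOK_ENTER/HOOK_LEAVE pair lets UnloadDriver() see in-flight calls.
 *---------------------------------------------------------------------------*/

/* Forwarding hook for ZwWriteFile. */
NTSTATUS Hook_ZwWriteFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwWriteFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
                        Buffer, Length, ByteOffset, Key);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwReadFile. */
NTSTATUS Hook_ZwReadFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwReadFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
                       Buffer, Length, ByteOffset, Key);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwSetSystemInformation. */
NTSTATUS Hook_ZwSetSystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwSetSystemInformation(SystemInformationClass, SystemInformation,
                                   SystemInformationLength);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwQuerySystemInformation. */
NTSTATUS Hook_ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwQuerySystemInformation(SystemInformationClass, SystemInformation,
                                     SystemInformationLength, ReturnLength);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwLoadDriver. */
NTSTATUS Hook_ZwLoadDriver(
    IN PUNICODE_STRING DriverServiceName)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwLoadDriver(DriverServiceName);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwSetSecurityObject. */
NTSTATUS Hook_ZwSetSecurityObject(
    IN HANDLE ObjectHandle,
    IN SECURITY_INFORMATION SecurityInformationClass,
    IN PSECURITY_DESCRIPTOR DescriptorBuffer)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwSetSecurityObject(ObjectHandle, SecurityInformationClass, DescriptorBuffer);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwOpenKey. */
NTSTATUS Hook_ZwOpenKey(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwOpenKey(KeyHandle, DesiredAccess, ObjectAttributes);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwCreateKey. */
NTSTATUS Hook_ZwCreateKey(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG TitleIndex,
    IN PUNICODE_STRING Class OPTIONAL,
    IN ULONG CreateOptions,
    OUT PULONG Disposition OPTIONAL)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwCreateKey(KeyHandle, DesiredAccess, ObjectAttributes, TitleIndex,
                        Class, CreateOptions, Disposition);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwSetValueKey. */
NTSTATUS Hook_ZwSetValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwSetValueKey(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwDeleteKey. */
NTSTATUS Hook_ZwDeleteKey(IN HANDLE KeyHandle)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwDeleteKey(KeyHandle);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwDeleteValueKey. */
NTSTATUS Hook_ZwDeleteValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwDeleteValueKey(KeyHandle, ValueName);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwOpenSection. */
NTSTATUS Hook_ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwOpenSection(SectionHandle, DesiredAccess, ObjectAttributes);
    HOOK_LEAVE();
    return rc;
}

/*
 * Forwarding hook for ZwCreateSection.  The original had an early
 * "return OldZwCreateSection(...)" followed by an unreachable "return rc"
 * with rc never assigned; it is now the same shape as the other hooks.
 */
NTSTATUS Hook_ZwCreateSection(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributess,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwCreateSection(SectionHandle, DesiredAccess, ObjectAttributes,
                            MaximumSize, PageAttributess, SectionAttributes, FileHandle);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwTerminateProcess. */
NTSTATUS Hook_ZwTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwTerminateProcess(ProcessHandle, ExitStatus);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwOpenProcess. */
NTSTATUS Hook_ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwOpenProcess(ProcessHandle, AccessMask, ObjectAttributes, ClientId);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwOpenThread. */
NTSTATUS Hook_ZwOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwOpenThread(ThreadHandle, AccessMask, ObjectAttributes, ClientId);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwCreateFile. */
NTSTATUS Hook_ZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                         AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
                         CreateOptions, EaBuffer, EaLength);
    HOOK_LEAVE();
    return rc;
}

/* Forwarding hook for ZwOpenFile. */
NTSTATUS Hook_ZwOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                       ShareAccess, OpenOptions);
    HOOK_LEAVE();
    return rc;
}

/*
 * Forwarding hook for ZwClose.  Original author's warning, translated: any
 * scanning done here needs great care or it will bug-check easily.
 */
NTSTATUS Hook_ZwClose(IN HANDLE ObjectHandle)
{
    NTSTATUS rc;

    PAGED_CODE();
    HOOK_ENTER();
    rc = OldZwClose(ObjectHandle);
    HOOK_LEAVE();
    return rc;
}

/*---------------------------------------------------------------------------
 * Driver entry
 *---------------------------------------------------------------------------*/

/*
 * Creates \Device\ITSys and its \DosDevices link, wires up the dispatch
 * routines and installs the SSDT hooks.  Returns the IoCreateDevice /
 * IoCreateSymbolicLink failure status, else STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus;
    UNICODE_STRING deviceName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT pDeviceObject = NULL;

    RtlInitUnicodeString(&deviceName, L"\\Device\\ITSys");

    /* NOTE(review): no security descriptor is supplied, so the device gets
     * the default DACL for FILE_DEVICE_UNKNOWN and any local user can open it. */
    ntStatus = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), &deviceName,
                              FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    /* User-visible name: \\.\ITSys */
    RtlInitUnicodeString(&linkName, L"\\DosDevices\\ITSys");
    ntStatus = IoCreateSymbolicLink(&linkName, &deviceName);
    if (!NT_SUCCESS(ntStatus)) {
        IoDeleteDevice(pDeviceObject);
        return ntStatus;
    }

    g_pDeviceObject = pDeviceObject;

    DriverObject->DriverUnload = UnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoCtrl;

#if DBG
    /* %wZ, not %ws: a UNICODE_STRING buffer is not guaranteed to be
     * NUL-terminated, so printing RegistryPath->Buffer with %ws can read
     * past the end of the string. */
    KdPrint(("ITSys: RegistryPath = %wZ\n", RegistryPath));
#else
    UNREFERENCED_PARAMETER(RegistryPath);
#endif

    StartHook();
    return STATUS_SUCCESS;
}

/*---------------------------------------------------------------------------
 * CR0.WP handling
 *---------------------------------------------------------------------------*/

/*
 * Clears CR0.WP so the read-only service table can be written.  CR0 is a
 * per-processor register, so the IRQL is raised to DISPATCH_LEVEL first:
 * that stops the thread being pre-empted and migrated to another CPU between
 * clearing WP here and restoring it in RestoreWriteProtect().  Returns the
 * previous IRQL for RestoreWriteProtect().  Not pageable.
 */
static KIRQL DisableWriteProtect(void)
{
    KIRQL oldIrql;

    KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
    __asm {
        push eax
        mov  eax, CR0
        and  eax, 0FFFEFFFFh      ; clear bit 16 (WP)
        mov  CR0, eax
        pop  eax
    }
    return oldIrql;
}

/* Sets CR0.WP again and lowers the IRQL saved by DisableWriteProtect(). Not pageable. */
static void RestoreWriteProtect(KIRQL oldIrql)
{
    __asm {
        push eax
        mov  eax, CR0
        or   eax, 00010000h       ; set bit 16 (WP)
        mov  CR0, eax
        pop  eax
    }
    KeLowerIrql(oldIrql);
}

/*---------------------------------------------------------------------------
 * Install / remove the system-service hooks
 *---------------------------------------------------------------------------*/

/*
 * Swaps each hooked service-table entry for the matching Hook_Zw* routine and
 * records the original address in the corresponding OldZw* pointer.
 */
void StartHook(void)
{
    KIRQL oldIrql = DisableWriteProtect();

    OldZwCreateFile        = (ZWCREATEFILE)       InterlockedExchange((PLONG)&SDT(ZwCreateFile),        (LONG)Hook_ZwCreateFile);
    OldZwOpenFile          = (ZWOPENFILE)         InterlockedExchange((PLONG)&SDT(ZwOpenFile),          (LONG)Hook_ZwOpenFile);
    OldZwClose             = (ZWCLOSE)            InterlockedExchange((PLONG)&SDT(ZwClose),             (LONG)Hook_ZwClose);
    OldZwReadFile          = (ZWREADFILE)         InterlockedExchange((PLONG)&SDT(ZwReadFile),          (LONG)Hook_ZwReadFile);
    OldZwWriteFile         = (ZWWRITEFILE)        InterlockedExchange((PLONG)&SDT(ZwWriteFile),         (LONG)Hook_ZwWriteFile);
    OldZwTerminateProcess  = (ZWTERMINATEPROCESS) InterlockedExchange((PLONG)&SDT(ZwTerminateProcess),  (LONG)Hook_ZwTerminateProcess);
    OldZwOpenProcess       = (ZWOPENPROCESS)      InterlockedExchange((PLONG)&SDT(ZwOpenProcess),       (LONG)Hook_ZwOpenProcess);
    OldZwOpenThread        = (ZWOPENTHREAD)       InterlockedExchange((PLONG)&SDT(ZwOpenThread),        (LONG)Hook_ZwOpenThread);
    OldZwCreateSection     = (ZWCREATESECTION)    InterlockedExchange((PLONG)&SDT(ZwCreateSection),     (LONG)Hook_ZwCreateSection);
    OldZwOpenSection       = (ZWOPENSECTION)      InterlockedExchange((PLONG)&SDT(ZwOpenSection),       (LONG)Hook_ZwOpenSection);
    OldZwOpenKey           = (ZWOPENKEY)          InterlockedExchange((PLONG)&SDT(ZwOpenKey),           (LONG)Hook_ZwOpenKey);
    OldZwCreateKey         = (ZWCREATEKEY)        InterlockedExchange((PLONG)&SDT(ZwCreateKey),         (LONG)Hook_ZwCreateKey);
    OldZwSetValueKey       = (ZWSETVALUEKEY)      InterlockedExchange((PLONG)&SDT(ZwSetValueKey),       (LONG)Hook_ZwSetValueKey);
    OldZwDeleteKey         = (ZWDELETEKEY)        InterlockedExchange((PLONG)&SDT(ZwDeleteKey),         (LONG)Hook_ZwDeleteKey);
    OldZwDeleteValueKey    = (ZWDELETEVALUEKEY)   InterlockedExchange((PLONG)&SDT(ZwDeleteValueKey),    (LONG)Hook_ZwDeleteValueKey);
    OldZwSetSecurityObject = (ZWSETSECURITYOBJECT)InterlockedExchange((PLONG)&SDT(ZwSetSecurityObject), (LONG)Hook_ZwSetSecurityObject);
    OldZwLoadDriver        = (ZWLOADDRIVER)       InterlockedExchange((PLONG)&SDT(ZwLoadDriver),        (LONG)Hook_ZwLoadDriver);
    OldZwSetSystemInformation   = (ZWSETSYSTEMINFORMATION)  InterlockedExchange((PLONG)&SDT(ZwSetSystemInformation),   (LONG)Hook_ZwSetSystemInformation);
    OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)InterlockedExchange((PLONG)&SDT(ZwQuerySystemInformation), (LONG)Hook_ZwQuerySystemInformation);

    RestoreWriteProtect(oldIrql);
}

/*
 * Writes the saved original addresses back into the service table.  Runs at
 * DISPATCH_LEVEL between DisableWriteProtect/RestoreWriteProtect, which is
 * why this routine is excluded from the PAGE section above.
 */
void RemoveHook(void)
{
    KIRQL oldIrql = DisableWriteProtect();

    InterlockedExchange((PLONG)&SDT(ZwCreateFile),             (LONG)OldZwCreateFile);
    InterlockedExchange((PLONG)&SDT(ZwOpenFile),               (LONG)OldZwOpenFile);
    InterlockedExchange((PLONG)&SDT(ZwClose),                  (LONG)OldZwClose);
    InterlockedExchange((PLONG)&SDT(ZwReadFile),               (LONG)OldZwReadFile);
    InterlockedExchange((PLONG)&SDT(ZwWriteFile),              (LONG)OldZwWriteFile);
    InterlockedExchange((PLONG)&SDT(ZwTerminateProcess),       (LONG)OldZwTerminateProcess);
    InterlockedExchange((PLONG)&SDT(ZwOpenProcess),            (LONG)OldZwOpenProcess);
    InterlockedExchange((PLONG)&SDT(ZwOpenThread),             (LONG)OldZwOpenThread);
    InterlockedExchange((PLONG)&SDT(ZwCreateSection),          (LONG)OldZwCreateSection);
    InterlockedExchange((PLONG)&SDT(ZwOpenSection),            (LONG)OldZwOpenSection);
    InterlockedExchange((PLONG)&SDT(ZwOpenKey),                (LONG)OldZwOpenKey);
    InterlockedExchange((PLONG)&SDT(ZwCreateKey),              (LONG)OldZwCreateKey);
    InterlockedExchange((PLONG)&SDT(ZwSetValueKey),            (LONG)OldZwSetValueKey);
    InterlockedExchange((PLONG)&SDT(ZwDeleteKey),              (LONG)OldZwDeleteKey);
    InterlockedExchange((PLONG)&SDT(ZwDeleteValueKey),         (LONG)OldZwDeleteValueKey);
    InterlockedExchange((PLONG)&SDT(ZwSetSecurityObject),      (LONG)OldZwSetSecurityObject);
    InterlockedExchange((PLONG)&SDT(ZwLoadDriver),             (LONG)OldZwLoadDriver);
    InterlockedExchange((PLONG)&SDT(ZwSetSystemInformation),   (LONG)OldZwSetSystemInformation);
    InterlockedExchange((PLONG)&SDT(ZwQuerySystemInformation), (LONG)OldZwQuerySystemInformation);

    RestoreWriteProtect(oldIrql);
}

/*
 * Unload: restore the service table, wait (bounded) for hooks that are still
 * executing to return, then tear down the symbolic link and the device.
 *
 * The wait only covers threads that have already passed HOOK_ENTER(); a
 * thread that read the hooked table entry but has not yet incremented
 * g_ActiveHooks is still exposed when the image is unmapped.
 */
void UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkName;
    LARGE_INTEGER interval;
    int i;

    PAGED_CODE();

    RemoveHook();

    /* Up to 50 x 100 ms; relative times are negative, in 100 ns units. */
    interval.QuadPart = -(LONGLONG)100 * 10000;
    for (i = 0; i < 50 && g_ActiveHooks != 0; i++) {
        KeDelayExecutionThread(KernelMode, FALSE, &interval);
    }

    /* Remove the link before the device it points at. */
    RtlInitUnicodeString(&linkName, L"\\DosDevices\\ITSys");
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);
}

/*---------------------------------------------------------------------------
 * Create / close / device-control dispatch
 *---------------------------------------------------------------------------*/

/* IRP_MJ_CREATE: accept every open (see the DACL caveat in the file header). */
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PAGED_CODE();
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CLOSE: nothing to release. */
NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PAGED_CODE();
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL.  No control codes are implemented; every request is
 * failed with STATUS_INVALID_DEVICE_REQUEST and zero bytes returned.
 *
 * When a code is added it must check InputBufferLength/OutputBufferLength
 * against the structures it expects and set bytesReturned to the number of
 * bytes it actually wrote: with METHOD_BUFFERED the I/O manager copies that
 * many bytes of the system buffer back to the (untrusted) caller.  The
 * original reported OutputBufferLength on any success, which would have
 * returned whatever the system buffer held.
 */
NTSTATUS DispatchIoCtrl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS ntStatus = STATUS_INVALID_DEVICE_REQUEST;
    ULONG_PTR bytesReturned = 0;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);

    PAGED_CODE();
    UNREFERENCED_PARAMETER(DeviceObject);

    switch (irpStack->Parameters.DeviceIoControl.IoControlCode) {
    default:
        break;
    }

    Irp->IoStatus.Status = ntStatus;
    Irp->IoStatus.Information = bytesReturned;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}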
发布于:2007-10-08 21:39
Inf安装文件
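;;;
;;; ITSys.inf -- installs ITSys.sys (the SSDT hook driver) as a system-start
;;; kernel service, and removes it again via [DefaultUninstall].
;;;

[Version]
signature   = "$Windows NT$"
Class       = "ActivityMonitor"                       ; determined by the work this filter driver does
ClassGuid   = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}  ; this value is determined by the Class
Provider    = %Msft%
DriverVer   = 08/28/2006,1.0.0.6
CatalogFile = ITSys.cat
; A CatalogFile entry is required for a WHQL signature.  The actual catalog
; file will be provided by WHQL; the catalog file for this sample is not
; provided for use.

[DestinationDirs]
DefaultDestDir    = 12
ITSys.DriverFiles = 12        ; %windir%\system32\drivers

[SourceDisksNames]
1 = %Disk1%

[SourceDisksFiles]
ITSys.sys = 1

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc = %ITSysServiceDesc%
CopyFiles  = ITSys.DriverFiles

[DefaultInstall.Services]
AddService = %ITSysServiceName%,,ITSys.Service
AddReg     = ITSys.AddRegistry

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles = ITSys.DriverFiles
DelReg   = ITSys.DelRegistry

[DefaultUninstall.Services]
; 0x200 = SPSVCINST_STOPSERVICE: stop the driver before its service entry is
; deleted.  Without it the hooks stay installed until reboot and the DelFiles
; above may find ITSys.sys still in use.
DelService = %ITSysServiceName%,0x200

;
; Services Section
;

[ITSys.Service]
DisplayName   = %ITSysServiceName%
Description   = %ITSysServiceDesc%
ServiceBinary = %12%\ITSys.sys    ; %windir%\system32\drivers\ITSys.sys
ServiceType   = 1                 ; SERVICE_KERNEL_DRIVER
StartType     = 1                 ; SERVICE_SYSTEM_START (0 would be SERVICE_BOOT_START)
ErrorControl  = 1                 ; SERVICE_ERROR_NORMAL
AddReg        = ITSys.AddRegistry

;
; Registry Modifications
;

[ITSys.AddRegistry]
HKLM,%ITSysRegistry%,%ITSysDebugFlags%,0x00010001,0

[ITSys.DelRegistry]
HKLM,%ITSysRegistry%,%ITSysDebugFlags%

;
; Copy Files
;

[ITSys.DriverFiles]
ITSys.sys

;;
;; String Section
;;

[Strings]
Msft              = "ITSafe"
ITSysServiceDesc  = "ITSafe Kernel Driver"
ITSysServiceName  = "ITSys"
ITSysRegistry     = "system\currentcontrolset\services\ITSys"
ITSysDebugFlags   = "DebugFlags"
Disk1             = "ITSys Source Media"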
发布于:2007-10-08 21:41
编译文件
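# WDK "sources" file for ITSys.sys.  TARGETNAME and TARGETPATH had been run
# together onto one line in the pasted copy; each build variable must be on
# its own line for build.exe to read it.
TARGETNAME=ITSys
TARGETPATH=obj
TARGETTYPE=DRIVER
TARGETLIBS=
SOURCES=ITSys.c \
        ITSys.rc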
发布于:2007-10-08 21:45
这是一个规范的钩子样本,支持系统启动时挂接
话不多说,毕竟这是早期的技术了,希望能给有需要的朋友一个提示 |
发布于:2007-10-08 21:50
驱动小牛
发布于:2007-10-09 08:25
很像NTROOTKIT中的源码.
发布于:2007-10-09 11:21
5楼的兄弟说的NTROOTKIT中的源码经常蓝屏,原型的确是NTROOTKIT中的代码
发布于:2007-10-09 11:23
5楼的兄弟说的NTROOTKIT中的源码经常蓝屏,
这份代码的原型的确是NTROOTKIT中的代码 有改动,仔细看看区别在哪 |
发布于:2007-10-09 11:37
引用第7楼JaneAntime于2007-10-09 11:23发表的 : THX |
发布于:2007-10-15 17:03
谢谢分享,这么完整的模板。
发布于:2007-10-16 23:45
要SETUP才可以在系统启动的时候加载,这个不好
ROOTKIT的本意可不是这个样子 如果可以修改内核让系统启动的时候就加载 |
发布于:2007-10-17 13:45
这个不过是最BASIC的SSDT HOOK的示例吧
什么事也没做,不稳定那才怪了 |
发布于:2007-10-19 10:39
3X,
发布于:2007-10-20 18:07
老大,你真有耐心。。。
发布于:2007-11-29 09:05
楼主是好人啊!虽然技术老,但能给菜鸟很多提示了。
发布于:2008-01-30 10:53
进来好好学习.....
发布于:2008-02-16 08:17
鼓励下楼主 虽然技术比较老
发布于:2008-02-18 15:21
中规中矩阿
发布于:2008-05-01 21:38
学习,谢谢分享!
发布于:2008-05-01 23:17
ms ssdt很容易就被检测了吧?