快过年了,放段irpHook的代码~
/*
 * Forum excerpt (2007): an x86 kernel-mode driver that redirects the kernel's
 * internal IRP dispatch pointer (pIofCallDriver) to its own routine.  Several
 * bodies are marked "Code Deleted" by the author, and the globals
 * old_piofcalldriver, oData, DeviceName, SymbolicLinkName, deviceObject and
 * g_drvobj (plus the IOCTL_DISABLE / IOCTL_ENABLE codes) are declared outside
 * this excerpt.  Read it as a specimen of what kernel-integrity monitoring
 * looks for: a driver that writes CR0 and patches a kernel-owned pointer.
 */

/* Replacement for the kernel's internal pIofCallDriver.  Logs, then forwards
 * the IRP to the saved original using the FASTCALL convention (ECX = device
 * object, EDX = IRP) and returns its NTSTATUS.  Whatever filtering the author
 * did sits in the deleted section before the forward. */
NTSTATUS FASTCALL
NewpIofCallDriver( IN PDEVICE_OBJECT DeviceObject, IN OUT PIRP Irp )
{
    NTSTATUS stat;
    DbgPrint("Hacked Great!");
    //Code Deleted
    /* old_piofcalldriver is the saved original target (global, set in
     * HookpIofCallDriver below). */
    __asm {
        mov ecx,DeviceObject
        mov edx,Irp
        Call old_piofcalldriver
        mov stat,eax
    }
    return stat;
}

/* IRP_MJ_DEVICE_CONTROL handler for the control device.  A user-mode client
 * toggles the hook through IOCTL_DISABLE / IOCTL_ENABLE; both case bodies are
 * deleted in this excerpt, only the status plumbing remains.  Any other
 * control code completes with STATUS_UNSUCCESSFUL.
 * Review note: OutputBufferLength is read into BuffSize but nothing visible
 * bounds a write to pBuff by it — anything restored into the deleted bodies
 * must do that check before touching SystemBuffer. */
NTSTATUS DriverIoControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION pisl;
    NTSTATUS ns = STATUS_UNSUCCESSFUL;
    ULONG BuffSize, DataSize;
    /* DataSize, pData, pInout, OldIrql and i are unused in the posted excerpt
     * (presumably consumed by the deleted case bodies). */
    PVOID pBuff, pData,pInout;
    KIRQL OldIrql;
    ULONG i;
    pisl = IoGetCurrentIrpStackLocation (Irp);
    BuffSize = pisl->Parameters.DeviceIoControl.OutputBufferLength;
    /* SystemBuffer is used for both directions, so the IOCTLs are presumably
     * METHOD_BUFFERED — their definitions are not in this excerpt. */
    pBuff = Irp->AssociatedIrp.SystemBuffer;
    /* No bytes are reported back unless a case body sets Information. */
    Irp->IoStatus.Information = 0;
    switch(pisl->Parameters.DeviceIoControl.IoControlCode) {
    case IOCTL_DISABLE: {
        //Code Deleted
        ns = STATUS_SUCCESS;
        break;
    }
    case IOCTL_ENABLE: {
        //Code Deleted
        ns = STATUS_SUCCESS;
        break;
    }
    }
    Irp->IoStatus.Status = ns;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ns;
}

/* IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes the request with success
 * and zero bytes transferred.  Any caller may open the control device; no
 * access check is performed here. */
NTSTATUS DriverCreateClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* Unload routine: removes the symbolic link and the device object.  It does
 * NOT restore the patched kernel pointer, so unloading with the hook in
 * place would leave pIofCallDriver pointing at freed driver memory.
 * DriverEntry below never actually installs this routine (see the note
 * there), which is consistent with that missing unhook path. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    IoDeleteSymbolicLink(&SymbolicLinkName);
    IoDeleteDevice(deviceObject);
}

/* Thin forwarder to DriverCreateClose; not referenced in the visible
 * dispatch-table setup. */
NTSTATUS DriverClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    return DriverCreateClose(DeviceObject,Irp);
}

/* Default handler for every other major function: completes the IRP with
 * STATUS_SUCCESS without reading it (IoStatus.Information is left as-is). */
NTSTATUS IoComplete( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    IoCompleteRequest(Irp,IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* Installs the hook.  The address of the kernel's pIofCallDriver variable is
 * taken from the 32-bit operand at IofCallDriver+2, i.e. the code assumes a
 * fixed instruction encoding at IofCallDriver's entry; replies in this thread
 * say that assumption holds on 2000/XP but not on Windows 2003.  The current
 * target is saved in old_piofcalldriver, then at DPC level CR0 is read into
 * oData (a global declared elsewhere), a masked copy is written back, the
 * pointer is overwritten with NewpIofCallDriver, and CR0 is restored.
 * Detection note: a driver executing mov cr0 and an ntoskrnl-internal pointer
 * that no longer points into the kernel image are the observable artefacts
 * of this technique. */
void HookpIofCallDriver()
{
    KIRQL oldIrql;
    ULONG addr = (ULONG)IofCallDriver;
    /* Save the original dispatch target before patching. */
    __asm {
        mov eax,addr
        mov esi,[eax+2]
        mov eax,[esi]
        mov old_piofcalldriver,eax
    }
    /* Raised to DPC level so the CR0 change and the store are not preempted
     * on this processor; other processors are not synchronised. */
    oldIrql = KeRaiseIrqlToDpcLevel();
    __asm{
        mov eax,cr0
        mov oData,eax
        and eax,0xffffffff
        mov cr0,eax
        mov eax,addr
        mov esi,[eax+2]
        mov dword ptr [esi],offset NewpIofCallDriver
        mov eax,oData
        mov cr0,eax
    }
    KeLowerIrql(oldIrql);
    return ;
}

/* Driver entry point: creates \Device\irphook with the symbolic link
 * \DosDevices\irphook, fills the dispatch table, records the driver object in
 * g_drvobj and installs the hook.  Returns the status of
 * IoCreateSymbolicLink, which is not checked before continuing — the device
 * stays created and the hook is installed even if the link failed.
 * Two things to note as posted:
 *  - DriverUnload is unconditionally reset to 0 right after the #ifdef DEBUG
 *    block, so the driver is not unloadable in any build.
 *  - The fill loop assigns to ppdd itself rather than ppdd[i], so it does not
 *    populate the table; likely a deliberate omission, given the author's
 *    reply that the complete code is not being posted. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    PDRIVER_DISPATCH *ppdd;
    ULONG i;
    PCWSTR dDeviceName = L"\\Device\\irphook";
    PCWSTR dSymbolicLinkName = L"\\DosDevices\\irphook";
    RtlInitUnicodeString(&DeviceName, dDeviceName);
    RtlInitUnicodeString(&SymbolicLinkName, dSymbolicLinkName);
    status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status)) return status;
    status = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
#ifdef DEBUG
    DriverObject->DriverUnload = DriverUnload;
#endif
    DriverObject->DriverUnload =0;
    ppdd = DriverObject->MajorFunction;
    for(i =0;i<=IRP_MJ_MAXIMUM_FUNCTION;i++) ppdd = IoComplete;
    ppdd [IRP_MJ_CREATE] = DriverCreateClose;
    ppdd [IRP_MJ_DEVICE_CONTROL ] = DriverIoControl;
    g_drvobj = DriverObject;
    HookpIofCallDriver();
    return status;
}
沙发#
发布于:2007-02-13 18:47
完整代码就免了吧~哈哈,Bin更不放了~
板凳#
发布于:2007-02-13 20:07
2k/nt/xp上可以用~但是Windows 2003需要另外方法~
地板#
发布于:2007-02-13 23:36
引用第5楼xyzreg于2007-02-13 23:13发表的“”: 他那个hook太恶心~忍不住的恶心
地下室#
发布于:2007-02-14 11:58
引用第7楼wowocock于2007-02-14 09:32发表的“”: pIofCallDriver的位置不是那么容易取得的阿~
5楼#
发布于:2007-02-14 12:56
贴个正式通用版的代码:
/* Forum reply: the "universal" variant for Windows 2003, where the
 * pointer-patch above does not apply.  Resolves the kernel image base by
 * trying the four kernel file names in turn, then inline-detours three
 * exported IRP dispatch entry points (IoCallDriver, PoCallDriver,
 * IofCallDriver).  getkmod, searchkexport, kdetourex, kdetourex_savreg and
 * the Hack* handlers are not in this excerpt — the author says the binary
 * was trimmed — so their exact behaviour is unknown; kdetourex_savreg is
 * described by the author as register-preserving, presumably because
 * IofCallDriver is FASTCALL and its arguments arrive in ECX/EDX.
 * Installation is sequential with early return, so a failure on the second
 * or third detour leaves the earlier hooks in place with no rollback.
 * Detection note: exported ntoskrnl functions whose first bytes no longer
 * match the on-disk image are the classic signature of this class of hook. */
void HookInWin2003()
{
    /* Kernel image name varies by configuration: uniprocessor, multiprocessor,
     * PAE, and multiprocessor+PAE builds. */
    kernelbase=(DWORD)getkmod("ntoskrnl.exe");
    if(kernelbase==0) {
        kernelbase=(DWORD)getkmod("ntkrnlmp.exe");
        if(kernelbase)DbgPrint("ntkrnlmp multi-processor type kernel detected.\n");
    }
    if(kernelbase==0) {
        kernelbase=(DWORD)getkmod("ntkrnlpa.exe");
        if(kernelbase)DbgPrint("ntkrnlpa PAE type kernel detected.\n");
    }
    if(kernelbase==0) {
        kernelbase=(DWORD)getkmod("ntkrpamp.exe");
        if(kernelbase)DbgPrint("ntkrpamp multi-processor & PAE type kernel detected.\n");
    }
    /* No kernel base found: give up silently. */
    if(kernelbase==0) return ;
    /* Each hk* global (declared elsewhere) presumably receives the trampoline
     * to the original export; a null result aborts the sequence. */
    hkIoCallDriver = kdetourex((UCHAR*)searchkexport(kernelbase,(DWORD)&("IoCallDriver")),(UCHAR*)HackIoCallDriver);
    if(!hkIoCallDriver) return;
    hkPoCallDriver = kdetourex((UCHAR*)searchkexport(kernelbase,(DWORD)&("PoCallDriver")),(UCHAR*)HackPoCallDriver);
    if(!hkPoCallDriver) return;
    hkIofCallDriver = kdetourex_savreg((UCHAR*)searchkexport(kernelbase,(DWORD)&("IofCallDriver")),(UCHAR*)HackpIofCallDriver);//savreg does not clobber registers, heh~
    return ;
}
//The binary was posted too, but trimmed — anyone who wants to use it has to reverse it themselves, heh~
6楼#
发布于:2007-02-14 16:32
idapro和电视机差不多吧~
7楼#
发布于:2007-02-14 17:18
引用第13楼xikug于2007-02-14 17:07发表的“”: ....大邪恶~
8楼#
发布于:2007-02-16 08:58
准备好刀子,看准MJ,xyzreg,wowocock,cardmagic,doskey准备放血~