#include "stdafx.h"
#include <ntddk.h>
#include "sys_ceshi_1.h"
void sys_();
void sys_ceshi_1Unload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS sys_ceshi_1CreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS sys_ceshi_1DefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
/*
 * Local mirror of the kernel's (undocumented) service descriptor table entry
 * as laid out on 32-bit x86. Field order and sizes must match the kernel's
 * layout exactly: sys_() reaches the SSDT through this structure.
 * NOTE(review): layout is x86-only; the 64-bit kernel uses a different
 * table format and does not export KeServiceDescriptorTable — confirm the
 * target before reusing.
 */
typedef struct _ServiceDescriptorTable {
    PVOID ServiceTableBase;        /* base address of the System Service Dispatch Table (SSDT) */
    PVOID ServiceCounterTable;     /* per-service call counters for the SSDT;
                                      per the original author, generally updated by sysenter */
    unsigned int NumberOfServices; /* number of services described by ServiceTableBase */
    PVOID ParamTableBase;          /* base of the per-service parameter byte-count table */
}*PServiceDescriptorTable;
extern PServiceDescriptorTable KeServiceDescriptorTable;
#ifdef __cplusplus
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#endif
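/*
 * DriverEntry: driver initialisation.
 *
 * Creates the \Device\sys_ceshi_10 device object, publishes it to user mode
 * as \DosDevices\sys_ceshi_10, installs the IRP dispatch and unload routines,
 * and calls sys_() to dump the current SSDT entry for NtOpenProcess.
 *
 * Parameters:
 *   DriverObject - driver object supplied by the I/O manager.
 *   RegistryPath - the driver's service key; not used.
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice / IoCreateSymbolicLink
 * status. On any failure nothing is left behind (no device, no link).
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING DeviceName, Win32Device;
    PDEVICE_OBJECT DeviceObject = NULL;
    NTSTATUS status;
    unsigned i;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* The original had a bare `__asm int 3` here, emitted in every build.
     * A kernel-mode breakpoint on a machine with no kernel debugger attached
     * stops or bugchecks the box (verify on the target OS) -- a denial of
     * service for anyone who can load the driver. KdBreakPoint() expands to
     * nothing in free builds and only breaks in checked (DBG) builds. */
    KdBreakPoint();

    RtlInitUnicodeString(&DeviceName, L"\\Device\\sys_ceshi_10");
    RtlInitUnicodeString(&Win32Device, L"\\DosDevices\\sys_ceshi_10");
    DbgPrint("驱动已加载");

    /* Read-only look at the SSDT; see sys_(). */
    sys_();

    /* Every major function except create/close is rejected with
     * STATUS_NOT_SUPPORTED, so the device exposes no IOCTL surface. */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = sys_ceshi_1DefaultHandler;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = sys_ceshi_1CreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = sys_ceshi_1CreateClose;
    DriverObject->DriverUnload = sys_ceshi_1Unload;

    /* FILE_DEVICE_SECURE_OPEN makes the device object's security descriptor
     * apply to opens of "\Device\sys_ceshi_10\<anything>" as well as to the
     * bare device name. NOTE(review): a named device created with
     * IoCreateDevice gets the I/O manager's default DACL, which is openable
     * from ordinary user mode; if this device ever grows an IOCTL interface,
     * switch to IoCreateDeviceSecure with an explicit SDDL string. */
    status = IoCreateDevice(DriverObject,
                            0,
                            &DeviceName,
                            FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN,
                            FALSE,
                            &DeviceObject);
    if (!NT_SUCCESS(status))
    {
        /* IoCreateDevice reports memory exhaustion as
         * STATUS_INSUFFICIENT_RESOURCES; the original compared against the
         * unrelated STATUS_INSUFFICIENT_NVRAM_RESOURCES and never matched.
         * The STATUS_OBJECT_NAME_EXISTS branch is dropped: that is a success
         * code and can never reach this !NT_SUCCESS path. */
        if (status == STATUS_INSUFFICIENT_RESOURCES)
        {
            DbgPrint("资源不足 STATUS_INSUFFICIENT_RESOURCES");
        }
        if (status == STATUS_OBJECT_NAME_COLLISION)
        {
            DbgPrint("对象名冲突 STATUS_OBJECT_NAME_COLLISION");
        }
        DbgPrint("设备创建失败! NT_SUCCESS");
        return status;
    }
    if (!DeviceObject)
        return STATUS_UNEXPECTED_IO_ERROR;

    DeviceObject->Flags |= DO_DIRECT_IO;
    DeviceObject->AlignmentRequirement = FILE_WORD_ALIGNMENT;

    /* The original ignored this status and returned STATUS_SUCCESS anyway,
     * leaving a device with no user-mode name and an unload routine that
     * deletes a link that was never created. Tear down and report instead. */
    status = IoCreateSymbolicLink(&Win32Device, &DeviceName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(DeviceObject);
        return status;
    }

    DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}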
/*
 * Unload routine: removes the \DosDevices symbolic link and then the device
 * object that DriverEntry created, in the reverse of the creation order.
 *
 * Parameters:
 *   DriverObject - the driver object; its DeviceObject is the single device
 *                  created in DriverEntry.
 */
void sys_ceshi_1Unload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING dosName;

    DbgPrint("驱动已卸载");

    RtlInitUnicodeString(&dosName, L"\\DosDevices\\sys_ceshi_10");
    IoDeleteSymbolicLink(&dosName);
    IoDeleteDevice(DriverObject->DeviceObject);
}
/*
 * IRP_MJ_CREATE / IRP_MJ_CLOSE dispatch routine.
 *
 * Opening or closing a handle to the device always succeeds and transfers no
 * data; the IRP is completed at once with no priority boost.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS sys_ceshi_1CreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = result;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return result;
}
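/*
 * Default dispatch routine for every IRP major function this driver does not
 * implement (including IRP_MJ_DEVICE_CONTROL). Fails the request with
 * STATUS_NOT_SUPPORTED.
 *
 * Returns the status that was stored in the IRP before it was completed.
 */
NTSTATUS sys_ceshi_1DefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    /* Keep the status in a local. Once IoCompleteRequest has run, the IRP
     * belongs to the I/O manager and may already have been freed, so the
     * original `return Irp->IoStatus.Status;` after completion read freed
     * memory. */
    const NTSTATUS status = STATUS_NOT_SUPPORTED;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}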
//extern PSSDT KeServiceDescriptorTable;
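/*
 * sys_: read (never write) the SSDT entry for NtOpenProcess and print it.
 *
 * 32-bit x86 only: the original implementation was 32-bit inline assembly and
 * the table layout in _ServiceDescriptorTable is the x86 one. The file
 * declares `extern PServiceDescriptorTable KeServiceDescriptorTable`, and the
 * original asm did `mov ebx,KeServiceDescriptorTable; mov ebx,[ebx]` to get
 * the table base, i.e. it treated the symbol's value as a pointer to the
 * table; `KeServiceDescriptorTable->ServiceTableBase` below is the C form of
 * the same two loads (presumably relying on the import library resolving the
 * data export to a pointer slot -- confirm against the link settings).
 */
void sys_()
{
    /* NtOpenProcess's SSDT index. 0x7A is taken over from the original; the
     * index differs between Windows versions, so on another kernel this
     * prints the address of some *other* system service. NOTE(review):
     * resolve the index at runtime before relying on the value for anything
     * beyond this debug print. */
    const ULONG serviceIndex = 0x7a;
    ULONG SSDT_NtOpenProcess_Cur_Addr = 0;
    PULONG serviceTable;

    /* The original `__asm int 3` is gone: a breakpoint compiled into a free
     * build stops or bugchecks a machine with no kernel debugger attached
     * (verify on the target OS); DriverEntry already breaks in checked
     * builds before calling here. */

    serviceTable = (PULONG)KeServiceDescriptorTable->ServiceTableBase;

    /* The asm indexed the table blindly. Bounds-check against the kernel's
     * own service count so a wrong index cannot read past the table. */
    if (serviceIndex >= KeServiceDescriptorTable->NumberOfServices)
    {
        KdPrint(("SSDT index 0x%x out of range (NumberOfServices=0x%x)\n",
                 serviceIndex, KeServiceDescriptorTable->NumberOfServices));
        return;
    }
    SSDT_NtOpenProcess_Cur_Addr = serviceTable[serviceIndex];

    KdPrint(("SSDT_NtOpenProcess_Cur_Addr=%x\n\n", SSDT_NtOpenProcess_Cur_Addr));
}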