18,356
社区成员
发帖
与我相关
我的任务
分享root分析之一:HOOK磁盘驱动
这是一个简单的分析,原代码请大家自己去找
BOOLEAN cmdHookDrive( IN char Drive, IN PDRIVER_OBJECT DriverObject )
{
IO_STATUS_BLOCK ioStatus;
HANDLE ntFileHandle;
OBJECT_ATTRIBUTES objectAttributes;
PDEVICE_OBJECT fileSysDevice;
PDEVICE_OBJECT hookDevice;
UNICODE_STRING fileNameUnicodeString;
WCHAR filename[] = L"\\DosDevices\\A:\\";
NTSTATUS ntStatus;
ULONG i;
PFILE_OBJECT fileObject;
PHOOK_EXTENSION hookExtension;
DbgPrint(("cmdHookDrive called\n"));
//
// Translate the drive letter to a 0-based integer
//
if ( Drive >= 'a' && Drive <= 'z' ) {
Drive -= 'a';
} else {
Drive -= 'A';
}
//
// Is it a legal drive letter?
//
if ( (unsigned char) Drive >= 26 ) {
return FALSE;
}
//
// Has this drive already been hooked?
//
//上面的都是很好理解的,看看盘符是否有问题
if ( gDriveDevices[Drive] == NULL ) {
//
// Frob the name to make it refer to the drive specified in the input
// parameter.
//
filename[12] = 'A'+Drive;
//
// We have to figure out what device to hook - first open the volume's
// root directory
//
RtlInitUnicodeString( &fileNameUnicodeString, filename );
InitializeObjectAttributes( &objectAttributes, &fileNameUnicodeString,
OBJ_CASE_INSENSITIVE, NULL, NULL );
//调用ZwCreateFile来创建一个文件句柄(当然,我们平时在用户态接触的是CreateFile函数,这是他的内核版本,有可能你还会碰到NtCreateFile那跟这个是一样的。fopen也是间接的调用他。这个文件句柄对应的内核对象应该就是这个盘的内核对象。在驱动里面他表现为一个用IoCreateDevice出来的东东
ntStatus = ZwCreateFile( &ntFileHandle, SYNCHRONIZE|FILE_ANY_ACCESS,
&objectAttributes, &ioStatus, NULL, 0, FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_DIRECTORY_FILE,
NULL, 0 );
if( !NT_SUCCESS( ntStatus ) ) {
DbgPrint(("Filemon: Could not open drive %c: %x\n", 'A'+Drive, ntStatus ));
return FALSE;
}
DbgPrint(("Filemon: opened the root directory!!! handle: %x\n", ntFileHandle));
//
// Got the file handle, so now look-up the file-object it refers to
//
从文件句柄获得文件的内核对象,有关句柄和内核对象的关系,不妨参看鄙人小作http://blog.vckbase.com/BastEt/archive/2005/03/31/4244.html和http://blog.vckbase.com/bastet/archive/2005/03/24/3952.html
ntStatus = ObReferenceObjectByHandle( ntFileHandle, FILE_READ_DATA,
NULL, KernelMode, &fileObject, NULL );
if( !NT_SUCCESS( ntStatus )) {
DbgPrint(("Filemon: Could not get fileobject from handle: %c\n", 'A'+Drive ));
ZwClose( ntFileHandle );
return FALSE;
}
//
// Next, find out what device is associated with the file object by getting its related
// device object
//
然后调用这个函数,也是DDK中的函数,获得对应的内核对象,
fileSysDevice = IoGetRelatedDeviceObject( fileObject );
if ( ! fileSysDevice ) {
DbgPrint(("Filemon: Could not get related device object: %c\n", 'A'+Drive ));
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
return FALSE;
}
//
// Check the device list to see if we've already attached to this particular device.
// This can happen when more than one drive letter is being handled by the same network
// redirecter
//
for( i = 0; i < 26; i++ ) {
//如果已经被HOOK过了。
if( gDriveDevices[i] == fileSysDevice ) {
//
// If we're already watching it, associate this drive letter
// with the others that are handled by the same network driver. This
// enables us to intelligently update the hooking menus when the user
// specifies that one of the group should not be watched -we mark all
// of the related drives as unwatched as well
//
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
gDriveMap[ Drive ] = gDriveMap[i];
gDriveDevices[ Drive ] = fileSysDevice;
return TRUE;
}
}
//下面是经典的IoAttachDeviceByPointer方法,一些防火墙(TDI)防火墙就是用的这些办法做的。
//
// The file system's device hasn't been hooked already, so make a hooking device
// object that will be attached to it.
//
ntStatus = IoCreateDevice( DriverObject,
sizeof(HOOK_EXTENSION),
NULL,
fileSysDevice->DeviceType,
0,
FALSE,
&hookDevice );
if ( !NT_SUCCESS(ntStatus) ) {
DbgPrint(("Filemon: failed to create associated device: %c\n", 'A'+Drive ));
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
return FALSE;
}
//
// Clear the device's init flag as per NT DDK KB article on creating device
// objects from a dispatch routine
//
hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;
//
// Setup the device extensions. The drive letter and file system object are stored
// in the extension.
//
hookExtension = hookDevice->DeviceExtension;
hookExtension->LogicalDrive = 'A'+Drive;
hookExtension->FileSystem = fileSysDevice;
//
// Finally, attach to the device. The second we're successfully attached, we may
// start receiving IRPs targetted at the device we've hooked.
//
ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );
if ( !NT_SUCCESS(ntStatus) ) {
//
// Couldn' attach for some reason
//
DbgPrint(("Filemon: Connect with Filesystem failed: %c (%x) =>%x\n",
'A'+Drive, fileSysDevice, ntStatus ));
//
// Derefence the object and get out
//
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
return FALSE;
} else {
//
// Make a new drive group for the device,l if it does not have one
// already
//
DbgPrint(("Filemon: Successfully connected to Filesystem device %c\n", 'A'+Drive ));
if( !gDriveMap[ Drive ] ) {
gDriveMap[ Drive ] = ++gDriveGroup;
}
}
//清理工作。
//
// Close the file and update the hooked drive list by entering a
// pointer to the hook device object in it.
//
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
gDriveDevices[Drive] = hookDevice;
}
return TRUE;
}
BOOLEAN cmdHookDrive( IN char Drive, IN PDRIVER_OBJECT DriverObject )
{
IO_STATUS_BLOCK ioStatus;
HANDLE ntFileHandle;
OBJECT_ATTRIBUTES objectAttributes;
PDEVICE_OBJECT fileSysDevice;
PDEVICE_OBJECT hookDevice;
UNICODE_STRING fileNameUnicodeString;
WCHAR filename[] = L"\\DosDevices\\A:\\";
NTSTATUS ntStatus;
ULONG i;
PFILE_OBJECT fileObject;
PHOOK_EXTENSION hookExtension;
DbgPrint(("cmdHookDrive called\n"));
//
// Translate the drive letter to a 0-based integer
//
if ( Drive >= 'a' && Drive <= 'z' ) {
Drive -= 'a';
} else {
Drive -= 'A';
}
//
// Is it a legal drive letter?
//
if ( (unsigned char) Drive >= 26 ) {
return FALSE;
}
//
// Has this drive already been hooked?
//
//上面的都是很好理解的,看看盘符是否有问题
if ( gDriveDevices[Drive] == NULL ) {
//
// Frob the name to make it refer to the drive specified in the input
// parameter.
//
filename[12] = 'A'+Drive;
//
// We have to figure out what device to hook - first open the volume's
// root directory
//
RtlInitUnicodeString( &fileNameUnicodeString, filename );
InitializeObjectAttributes( &objectAttributes, &fileNameUnicodeString,
OBJ_CASE_INSENSITIVE, NULL, NULL );
//调用ZwCreateFile来创建一个文件句柄(当然,我们平时在用户态接触的是CreateFile函数,这是他的内核版本,有可能你还会碰到NtCreateFile那跟这个是一样的。fopen也是间接的调用他。这个文件句柄对应的内核对象应该就是这个盘的内核对象。在驱动里面他表现为一个用IoCreateDevice出来的东东
ntStatus = ZwCreateFile( &ntFileHandle, SYNCHRONIZE|FILE_ANY_ACCESS,
&objectAttributes, &ioStatus, NULL, 0, FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_DIRECTORY_FILE,
NULL, 0 );
if( !NT_SUCCESS( ntStatus ) ) {
DbgPrint(("Filemon: Could not open drive %c: %x\n", 'A'+Drive, ntStatus ));
return FALSE;
}
DbgPrint(("Filemon: opened the root directory!!! handle: %x\n", ntFileHandle));
//
// Got the file handle, so now look-up the file-object it refers to
//
从文件句柄获得文件的内核对象,有关句柄和内核对象的关系,不妨参看鄙人小作http://blog.vckbase.com/BastEt/archive/2005/03/31/4244.html和http://blog.vckbase.com/bastet/archive/2005/03/24/3952.html
ntStatus = ObReferenceObjectByHandle( ntFileHandle, FILE_READ_DATA,
NULL, KernelMode, &fileObject, NULL );
if( !NT_SUCCESS( ntStatus )) {
DbgPrint(("Filemon: Could not get fileobject from handle: %c\n", 'A'+Drive ));
ZwClose( ntFileHandle );
return FALSE;
}
//
// Next, find out what device is associated with the file object by getting its related
// device object
//
然后调用这个函数,也是DDK中的函数,获得对应的内核对象,
fileSysDevice = IoGetRelatedDeviceObject( fileObject );
if ( ! fileSysDevice ) {
DbgPrint(("Filemon: Could not get related device object: %c\n", 'A'+Drive ));
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
return FALSE;
}
//
// Check the device list to see if we've already attached to this particular device.
// This can happen when more than one drive letter is being handled by the same network
// redirecter
//
for( i = 0; i < 26; i++ ) {
//如果已经被HOOK过了。
if( gDriveDevices[i] == fileSysDevice ) {
//
// If we're already watching it, associate this drive letter
// with the others that are handled by the same network driver. This
// enables us to intelligently update the hooking menus when the user
// specifies that one of the group should not be watched -we mark all
// of the related drives as unwatched as well
//
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
gDriveMap[ Drive ] = gDriveMap[i];
gDriveDevices[ Drive ] = fileSysDevice;
return TRUE;
}
}
//下面是经典的IoAttachDeviceByPointer方法,一些防火墙(TDI)防火墙就是用的这些办法做的。
//
// The file system's device hasn't been hooked already, so make a hooking device
// object that will be attached to it.
//
ntStatus = IoCreateDevice( DriverObject,
sizeof(HOOK_EXTENSION),
NULL,
fileSysDevice->DeviceType,
0,
FALSE,
&hookDevice );
if ( !NT_SUCCESS(ntStatus) ) {
DbgPrint(("Filemon: failed to create associated device: %c\n", 'A'+Drive ));
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
return FALSE;
}
//
// Clear the device's init flag as per NT DDK KB article on creating device
// objects from a dispatch routine
//
hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;
//
// Setup the device extensions. The drive letter and file system object are stored
// in the extension.
//
hookExtension = hookDevice->DeviceExtension;
hookExtension->LogicalDrive = 'A'+Drive;
hookExtension->FileSystem = fileSysDevice;
//
// Finally, attach to the device. The second we're successfully attached, we may
// start receiving IRPs targetted at the device we've hooked.
//
ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );
if ( !NT_SUCCESS(ntStatus) ) {
//
// Couldn' attach for some reason
//
DbgPrint(("Filemon: Connect with Filesystem failed: %c (%x) =>%x\n",
'A'+Drive, fileSysDevice, ntStatus ));
//
// Derefence the object and get out
//
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
return FALSE;
} else {
//
// Make a new drive group for the device,l if it does not have one
// already
//
DbgPrint(("Filemon: Successfully connected to Filesystem device %c\n", 'A'+Drive ));
if( !gDriveMap[ Drive ] ) {
gDriveMap[ Drive ] = ++gDriveGroup;
}
}
//清理工作。
//
// Close the file and update the hooked drive list by entering a
// pointer to the hook device object in it.
//
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
gDriveDevices[Drive] = hookDevice;
}
return TRUE;
}
...全文
请发表友善的回复…
发表回复
fisker0303 2005-07-16
- 打赏
- 举报
俺也来啦。
qrlvls 2005-07-15
- 打赏
- 举报
顶一枯
beipiao 2005-07-15
- 打赏
- 举报
你这个是从filemon里面摘出的代码吧,volume方式的
CrazyAzreal 2005-07-15
- 打赏
- 举报
学习啊```HOOK磁盘驱动是不是能检测到指定磁盘操作?`
shizhen 2005-07-15
- 打赏
- 举报
bookmark
whtech 2005-07-11
- 打赏
- 举报
看看
fisker0303 2005-07-11
- 打赏
- 举报
先顶,再看,呵呵。
会思考的草 2005-07-11
- 打赏
- 举报
rootkit044?
laolaoliu2002 2005-07-11
- 打赏
- 举报
mark!!
顶!!!!!
收藏!!!!
顶!!!!!
收藏!!!!
布学无数 2005-07-11
- 打赏
- 举报
Mark
Akitce 2005-07-11
- 打赏
- 举报
学习,帮顶.
月吻长河 2005-07-10
- 打赏
- 举报
非常好
dirdirdir3 2005-04-07
- 打赏
- 举报
学习。
goodheartppl 2005-04-07
- 打赏
- 举报
哇,太崇拜你了
你真是太好了
你真是太好了
goodheartppl 2005-04-01
- 打赏
- 举报
这个东西真是太好了
老夏Max 2005-04-01
- 打赏
- 举报
LOOK LOOK!
xuzheng318 2005-04-01
- 打赏
- 举报
帮猫顶!
rabo 2005-04-01
- 打赏
- 举报
猫王的要顶。
jiudon 2005-03-31
- 打赏
- 举报
好东西,收藏先!!
oyljerry 2005-03-31
- 打赏
- 举报
好东西
学习
学习
加载更多回复(3)
