
hook ObOpenObjectByPointer\ReadMem\writemem\kiattach,debugport!->0


#include "getSSDTfun.h"


//#include "HookShadowSSDT.h"


// Forward declarations for the driver's own entry points.
// InitCallNumber fills the shadow-SSDT service numbers per OS version;
// UnloadDriver is the DriverUnload routine; the HideProcess_* routines are
// the IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_DEVICE_CONTROL dispatch handlers
// registered in DriverEntry.
VOID InitCallNumber();

VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject);

NTSTATUS  HideProcess_Create(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS  HideProcess_Close(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS  HideProcess_IoControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);



///////////////声明Native API///////////////////////////////////////

// ---- win32k (shadow SSDT) service signatures -------------------------------
// These NtUser* services are undocumented; the prototypes below are the
// author's reconstruction.  They are used both to call the saved originals
// (g_Original* below) and to type the replacement routines that
// hookShadowSSDT() writes into KeServiceDescriptorTableShadow[1].
typedef HDC (*NTUSERGETDC)(HWND hWnd );


typedef HDC (*NTUSERGETDCEX)(HWND hWnd OPTIONAL, HANDLE ClipRegion, ULONG Flags);

typedef NTSTATUS (*NTUSERFINDWINDOWEX)(

  IN HWND hwndParent, 

  IN HWND hwndChild, 

  IN PUNICODE_STRING pstrClassName OPTIONAL, 

  IN PUNICODE_STRING pstrWindowName OPTIONAL, 

  IN DWORD dwType);


typedef NTSTATUS (*NTUSERBUILDHWNDLIST)(

IN HDESK hdesk,

IN HWND hwndNext, 

IN ULONG fEnumChildren, 

IN DWORD idThread, 

IN UINT cHwndMax, 

OUT HWND *phwndFirst, 

OUT ULONG *pcHwndNeeded);


// The hooks below call this with TypeInformation == 0 and treat the result
// as the owning process id of WindowHandle — confirm against win32k.
typedef UINT_PTR (*NTUSERQUERYWINDOW)(

 IN ULONG WindowHandle,

 IN ULONG TypeInformation);


typedef ULONG (*NTUSERGETFOREGROUNDWINDOW)(VOID);


typedef HWND (*NTUSERWINDOWFROMPOINT)(LONG, LONG);



// ---- replacement routines (definitions at the end of the file) -------------
// Each one has the same shape as the service it replaces.  MyNtUserGetDC,
// MyNtUserGetDCEx and MyNtUserWindowFromPoint are stubs that return 0/NULL
// unconditionally; the others forward to the saved original and filter the
// result for every caller except ProcessIdToProtect.
HDC

 MyNtUserGetDC(      

HWND hWnd

);

 HDC MyNtUserGetDCEx(HWND hWnd OPTIONAL, HANDLE ClipRegion, ULONG Flags);

NTSTATUS MyNtUserFindWindowEx(

 IN HWND hwndParent, 

 IN HWND hwndChild, 

 IN PUNICODE_STRING pstrClassName OPTIONAL, 

 IN PUNICODE_STRING pstrWindowName OPTIONAL, 

 IN DWORD dwType);


NTSTATUS MyNtUserBuildHwndList(

  IN HDESK hdesk, 

  IN HWND hwndNext, 

  IN ULONG fEnumChildren, 

  IN DWORD idThread, 

  IN UINT cHwndMax,

  OUT HWND *phwndFirst, 

  OUT ULONG* pcHwndNeeded);


UINT_PTR MyNtUserQueryWindow(

IN ULONG WindowHandle,

IN ULONG TypeInformation);


ULONG MyNtUserGetForegroundWindow(VOID);


HWND MyNtUserWindowFromPoint(LONG x, LONG y);


// ---- driver-wide state -----------------------------------------------------
// File-scope variables; those without an initialiser start at zero.

unsigned long OldCr0;                    // presumably the CR0 value saved/restored by MemOpen()/MemClose() in getSSDTfun.h — confirm

UNICODE_STRING DeviceNameString;         // device name, initialised in DriverEntry

UNICODE_STRING LinkDeviceNameString;     // symbolic-link name, initialised in DriverEntry

// Original shadow-SSDT entries.  Only the commented-out code in DriverEntry
// fills these in; hookShadowSSDT() and the My* routines read them.
NTUSERGETDC               g_OriginalNtUserGetDC;

NTUSERGETDCEX               g_OriginalNtUserGetDCEx;

NTUSERFINDWINDOWEX          g_OriginalNtUserFindWindowEx;

NTUSERBUILDHWNDLIST         g_OriginalNtUserBuildHwndList;

NTUSERQUERYWINDOW           g_OriginalNtUserQueryWindow;

NTUSERGETFOREGROUNDWINDOW   g_OriginalNtUserGetForegroundWindow;

NTUSERWINDOWFROMPOINT       g_OriginalNtUserWindowFromPoint;


PEPROCESS crsEProc;                      // csrss.exe EPROCESS looked up in UnloadDriver (reference is never released there — see UnloadDriver)

CCHAR     outBuf[1024];                        // input buffer (not referenced elsewhere in this file)

PVOID gpEventObject = NULL;               // event object (not referenced elsewhere in this file)

HANDLE ProcessIdToProtect = (HANDLE)0;        // PID of the process whose windows are hidden; set by IO_PROTECT

// Shadow-SSDT service numbers, filled per OS version by InitCallNumber().
// A value of 0 means "unknown on this OS".
ULONG NtUserGetDC_callnumber = 0;

ULONG NtUserGetDCEx_callnumber = 0;

ULONG NtUserFindWindowEx_callnumber = 0;          // service number of NtUserFindWindowEx

ULONG NtUserGetForegroundWindow_callnumber = 0;

ULONG NtUserQueryWindow_callnumber = 0;

ULONG NtUserBuildHwndList_callnumber = 0;

ULONG NtUserWindowFromPoint_callnumber = 0;

ULONG LastForegroundWindow;              // last foreground window reported to a non-protected caller (see MyNtUserGetForegroundWindow)

//--------------inline openprocess openthread call obbypoint-----------//


// Kernel exports used by the call-site hooks (declared here rather than via
// a header).
NTKERNELAPI PEPROCESS IoThreadToProcess (IN PETHREAD Thread);


NTKERNELAPI NTSTATUS ObOpenObjectByPointer(


IN PVOID Object,

IN ULONG HandleAttributes,

IN PACCESS_STATE PassedAccessState OPTIONAL,

IN ACCESS_MASK DesiredAccess OPTIONAL,

IN POBJECT_TYPE ObjectType OPTIONAL,

IN KPROCESSOR_MODE AccessMode,

OUT PHANDLE Handle

);

// ---- hook bookkeeping (all filled in by Init_fn / Save_fn) -----------------
ULONG ObOpenObjectByPointeradd;                  // resolved address of ObOpenObjectByPointer

ULONG OldCallThreadCode,OldCallProcessCode;      // original CALL rel32 displacements at the two patched call sites (restored by UnHookCallAndMemory)

// OldThread/OldProcess: addresses of NtOpenThread/NtOpenProcess.
// AddrRead/AddrWrite/AddrGet/AddrSet: addresses of the SSDT slots that get
// replaced.  OldReadMemory/OldWriteMemory: the original slot contents.
ULONG OldThread,OldProcess,AddrRead,AddrWrite,OldWriteMemory,OldReadMemory,AddrGet,AddrSet;

ULONG readMemI,writeMemI,NtOpenProcessI,NtOpenThreadI;   // not referenced elsewhere in this file

// 5-byte JMP rel32 templates (E9 + displacement); the displacement is filled
// in by Save_fn and the 5 bytes are copied into the naked trampolines.
BYTE JmpAddressReadM[5]={0xe9,0,0,0,0},JmpAddressWriteM[5]={0xe9,0,0,0,0};

// Address of the patched E8 byte inside NtOpenThread/NtOpenProcess, or 1 if
// CallAddrHook did not find the call (callers test against 1, not NULL).
PUCHAR pNtOpenThread=NULL;

PUCHAR pNtOpenProcess=NULL;

// First 7 bytes of the original NtRead/NtWriteVirtualMemory services.
BYTE  OriginalReadMemBytes[7]={0}, OriginalWriteMemBytes[7]={0}; 

BYTE  OldKiAttachBytes[7]={0};                   // first 7 bytes of KiAttachProcess, saved by Save_fn and written back by Rstore_fn

ULONG KiAttachAddr;                              // KiAttachProcess, resolved by Init_fn from the first CALL inside KeAttachProcess

char* ProtectName = "notepad.exe";               // image name whose threads/process may not be opened (see MyObOpenObjectByPointer_for*)

 ULONG g_NtGetThreadContext = 0;                  // original SSDT entries for Get/SetThreadContext (slots 0x55 / 0xD5, see Init_fn)

 ULONG g_NtSetThreadContext = 0;

 //ULONG g_PsCreateSystemThread=0;

// ULONG g_Jmp_PsCreateSystemThread = 0;

// ULONG g_PsCreateSystemThread_fn = 0;

//ULONG g_StartRoutine = 0;

//BYTE g_PsCreateSystemThread_Head[5] = {0};

//--------------------------------------------------------------------------//

//爲NtOpenThread準備的 

/*
 * MyObOpenObjectByPointer_forThread - replacement target for the CALL
 * ObOpenObjectByPointer inside NtOpenThread (the call site is rewritten by
 * CallAddrHook from Init_fn).
 *
 * Object is the ETHREAD being opened.  The owning process is looked up with
 * IoThreadToProcess and the string the author treats as its image file name
 * (EPROCESS + 0x174) is compared case-insensitively with ProtectName; on a
 * match the open is refused with STATUS_ACCESS_DENIED, otherwise every
 * argument is forwarded unchanged to the real ObOpenObjectByPointer.
 *
 * NOTE(review): 0x174 is a hard-coded EPROCESS layout assumption for one
 * Windows build; on any other build this reads unrelated memory.
 */
NTSTATUS MyObOpenObjectByPointer_forThread(IN PVOID Object,IN ULONG HandleAttributes,

  IN PACCESS_STATE PassedAccessState OPTIONAL,

  IN ACCESS_MASK DesiredAccess OPTIONAL,

  IN POBJECT_TYPE ObjectType OPTIONAL,

  IN KPROCESSOR_MODE AccessMode,OUT PHANDLE Handle)
{
    PEPROCESS owner = IoThreadToProcess((PETHREAD)Object);
    const char *imageName = (const char *)((ULONG)owner + 0x174);

    if (_stricmp(imageName, ProtectName) != 0)
    {
        return ObOpenObjectByPointer(Object, HandleAttributes, PassedAccessState,
                                     DesiredAccess, ObjectType, AccessMode, Handle);
    }

    return STATUS_ACCESS_DENIED;
}


//NtOpenProcess

/*
 * MyObOpenObjectByPointer_forProcess - replacement target for the CALL
 * ObOpenObjectByPointer inside NtOpenProcess (call site rewritten by
 * CallAddrHook from Init_fn).
 *
 * Object is the EPROCESS being opened.  The string the author treats as its
 * image file name (EPROCESS + 0x174) is compared case-insensitively with
 * ProtectName; on a match the open is refused with STATUS_ACCESS_DENIED,
 * otherwise the call is forwarded unchanged to the real
 * ObOpenObjectByPointer.
 *
 * NOTE(review): same hard-coded 0x174 offset as the thread variant — only
 * valid for the Windows build it was derived from.
 */
NTSTATUS MyObOpenObjectByPointer_forProcess(IN PVOID Object,IN ULONG HandleAttributes,

IN PACCESS_STATE PassedAccessState OPTIONAL,

IN ACCESS_MASK DesiredAccess OPTIONAL,

IN POBJECT_TYPE ObjectType OPTIONAL,

IN KPROCESSOR_MODE AccessMode,OUT PHANDLE Handle)
{
    const char *imageName = (const char *)((ULONG)Object + 0x174);
    int isProtected = (_stricmp(imageName, ProtectName) == 0);

    if (isProtected)
    {
        return STATUS_ACCESS_DENIED;
    }

    return ObOpenObjectByPointer(Object, HandleAttributes, PassedAccessState,
                                 DesiredAccess, ObjectType, AccessMode, Handle);
}

/*
 * MyNtReadVirtualMemory - SSDT replacement for NtReadVirtualMemory.
 *
 * Naked function whose code bytes are rewritten at run time by Save_fn:
 * bytes 0..6 receive the first 7 bytes of the original service
 * (OriginalReadMemBytes) and bytes 7..11 receive a 5-byte JMP rel32 that
 * lands at OldReadMemory + 7.  Save_fn performs that copy before it swaps
 * the SSDT slot, so the __asm body below is never executed as written; it
 * only reserves space and mirrors the shape of the original prologue
 * (the literal 804daef0h looks like an address from one specific kernel
 * build — it is not used once Save_fn has run).
 *
 * NOTE(review): as written, `jmp [OldReadMemory+7]` appears to be an
 * indirect jump through the memory 7 bytes past the OldReadMemory variable,
 * not a jump to OldReadMemory+7; it is harmless only because Save_fn
 * overwrites it.
 */
__declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(HANDLE ProcessHandle,

  PVOID BaseAddress,

  PVOID Buffer,

  ULONG NumberOfBytesToRead,

  PULONG NumberOfBytesReaded) 

{

__asm

{

push    0x1c

push    804daef0h  // 7 bytes in total (2 + 5), matching the 7 bytes copied by Save_fn

jmp     [OldReadMemory+7]   // author: jump to original+7, stepping over the 7-byte inline-hook header (overwritten by Save_fn, see above)

}

}


/*
 * MyNtWriteVirtualMemory - SSDT replacement for NtWriteVirtualMemory.
 *
 * Same construction as MyNtReadVirtualMemory: Save_fn copies the first 7
 * bytes of the original service (OriginalWriteMemBytes) over bytes 0..6 and
 * writes a JMP rel32 to OldWriteMemory + 7 at bytes 7..11 before the SSDT
 * slot is swapped, so the __asm placeholder below is never executed as
 * written.  The literal 804eb560h is a build-specific address that only
 * serves to reserve 7 bytes.
 *
 * NOTE(review): the last parameter is named NumberOfBytesReaded although
 * this is the write path; it is only a name since the naked body never
 * references it.
 */
__declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle,

PVOID BaseAddress,

PVOID Buffer,

ULONG NumberOfBytesToWrite,

PULONG NumberOfBytesReaded) 

{

__asm

{

push    0x1c

push    804eb560h  // 7-byte placeholder, overwritten by Save_fn

jmp     [OldWriteMemory+7]   // overwritten by Save_fn with a direct JMP to OldWriteMemory+7

}

}

// 從StartAddr地址 開始找OldAddr 替換爲NewAddr地址 長度是 SIZE 

/*
 * CallAddrHook - scan Size bytes of code starting at StartAddr for a 5-byte
 * CALL rel32 (opcode E8) whose target is OldAddr, and redirect that single
 * call site to NewAddr by rewriting its displacement in place.
 *
 * StartAddr - first byte to scan (NtOpenThread / NtOpenProcess in Init_fn)
 * OldAddr   - absolute target the CALL must currently resolve to
 * Size      - scan window in bytes
 * NewAddr   - replacement target
 *
 * Returns the address of the patched E8 byte, or (PUCHAR)1 when no matching
 * call was found within Size bytes or SizeOfCode() reported a zero-length
 * instruction.  Callers compare against 1, not NULL (see Save_fn and
 * UnHookCallAndMemory).
 *
 * SizeOfCode() comes from getSSDTfun.h; it is assumed to return the length
 * of the instruction at cPtr and 0 on failure — confirm.  The displacement
 * is rewritten with MemOpen() in effect and the IRQL raised to DPC level;
 * only the first match is patched and the original displacement is NOT
 * saved here (Save_fn recomputes it from OldAddr and the returned address).
 */
PUCHAR CallAddrHook( ULONG StartAddr,ULONG OldAddr,ULONG Size,PVOID NewAddr)//

{

PUCHAR cPtr, pOpcode;

ULONG Length,Tmp;

for (cPtr=(PUCHAR)StartAddr;(ULONG)cPtr<(ULONG)StartAddr+Size;cPtr += Length)

{

Length = SizeOfCode(cPtr, &pOpcode);// length of the instruction at cPtr

if (!Length) break;

if (Length ==5 && *cPtr==0xE8)// 5-byte instruction starting with E8: CALL rel32

{// CALL uses a relative displacement, so compare against OldAddr relative to this site

if ( OldAddr-(ULONG)cPtr-5 == *(PULONG)(cPtr+1)) // is this the CALL to OldAddr?

{

KIRQL Irql;

Tmp=(ULONG)NewAddr-(ULONG)cPtr-5;// displacement that makes the CALL reach NewAddr

MemOpen();

Irql=KeRaiseIrqlToDpcLevel();

*(PULONG)(cPtr+1)=Tmp;// overwrite the displacement with ours (author: MicroPoint adds a trampoline here instead of patching the target directly)

KeLowerIrql(Irql);

MemClose();

return cPtr;

}

}

}

return (PUCHAR)1;   // in-band "not found" sentinel

}



/*
 * _MyNtGetThreadContext - trampoline to the original NtGetThreadContext.
 * Naked: nothing is pushed or popped, so the caller's arguments and return
 * address pass through untouched and the original service unwinds them.
 * g_NtGetThreadContext is filled in by Init_fn from SSDT slot 0x55.
 */
__declspec(naked) NTSTATUS _MyNtGetThreadContext(HANDLE hThread, PCONTEXT pContext)

{

    __asm

    {

        jmp dword ptr[g_NtGetThreadContext]

    }

}


/*
 * _MyNtSetThreadContext - trampoline to the original NtSetThreadContext.
 * Naked tail-jump, same construction as _MyNtGetThreadContext.
 * g_NtSetThreadContext is filled in by Init_fn from SSDT slot 0xD5.
 */
__declspec(naked) NTSTATUS _MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)

{

    __asm

    {

        jmp dword ptr[g_NtSetThreadContext]

    }

}


/*
 * MyNtGetThreadContext - SSDT replacement for NtGetThreadContext
 * (installed by Save_fn).
 *
 * Calls from any process whose image name is not "dnf.exe" are passed
 * straight through to the original service via _MyNtGetThreadContext.
 * Calls from "dnf.exe" are refused with STATUS_UNSUCCESSFUL and pContext
 * is left untouched.
 */
NTSTATUS MyNtGetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
    const char *caller = (const char *)PsGetProcessImageFileName(PsGetCurrentProcess());
    int fromDnf = (_stricmp(caller, "dnf.exe") == 0);

    if (!fromDnf)
    {
        return _MyNtGetThreadContext(hThread, pContext);
    }

    return STATUS_UNSUCCESSFUL;
}


/*
 * MyNtSetThreadContext - SSDT replacement for NtSetThreadContext
 * (installed by Save_fn).
 *
 * Calls from any process other than "dnf.exe" go straight to the original
 * service.  Calls from "dnf.exe" are forwarded only when pContext->Dr7 is
 * exactly 0x101; any other value is refused with STATUS_UNSUCCESSFUL.
 *
 * NOTE(review): pContext is a caller-supplied pointer that is dereferenced
 * here without any probe or validity check; a bad pointer from the
 * "dnf.exe" path faults in kernel mode.
 */
NTSTATUS MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
    const char *caller = (const char *)PsGetProcessImageFileName(PsGetCurrentProcess());

    /* Dr7 is only examined when the caller is dnf.exe (short-circuit). */
    if (_stricmp(caller, "dnf.exe") == 0 && pContext->Dr7 != 0x101)
    {
        return STATUS_UNSUCCESSFUL;
    }

    return _MyNtSetThreadContext(hThread, pContext);
}


/*
 * Rstore_fn - IOCTL-driven patch routine (reached from HideProcess_IoControl
 * on IO_REFERENCE_EVENT).
 *
 * 1. Locates two byte signatures inside the loaded TesSafe.sys image and
 *    rewrites a DWORD reached through each one.  The author's comments call
 *    the first the DebugPort offset (set to 0x70); the second is written to
 *    0 and the author notes its purpose as unknown.
 * 2. Restores the first 7 bytes of KiAttachProcess from OldKiAttachBytes
 *    (saved by Save_fn).
 * The shadow-SSDT unhook that used to live here is commented out.
 *
 * KernelGetModuleBase() comes from getSSDTfun.h; it is assumed to return the
 * image base of the named driver or NULL — confirm.
 *
 * NOTE(review): both signature scans are unbounded do/while loops that step
 * one byte at a time until the DWORD matches.  On a TesSafe.sys build where
 * the signature is absent the scan walks past the end of the module into
 * whatever is mapped next (MmIsAddressValid is only checked for the base
 * address), which will bugcheck.  The `if` after each loop repeats the
 * loop's exit condition and is always true.  The patched addresses are
 * reached through two unchecked pointer dereferences.
 */
void Rstore_fn()

{

KIRQL Irql;

PBYTE pBase;          // scan cursor inside TesSafe.sys

PDWORD pdebug;        // address of the DWORD to be rewritten

 

/*KeAttachProcess(crsEProc);


//////////////////////UnHook ZwQuerySystemInformation/////////////////////////////////////////////////


__try

{

MemOpen();


if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserQueryWindow_callnumber!=0)) 

{

(NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber]) = g_OriginalNtUserFindWindowEx;

(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserQueryWindow_callnumber] = g_OriginalNtUserQueryWindow;

(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserBuildHwndList_callnumber] = g_OriginalNtUserBuildHwndList;

(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetForegroundWindow_callnumber]    = g_OriginalNtUserGetForegroundWindow;

(NTUSERWINDOWFROMPOINT)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserWindowFromPoint_callnumber] = g_OriginalNtUserWindowFromPoint;

(NTUSERGETDC)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDC_callnumber]=g_OriginalNtUserGetDC;

(NTUSERGETDCEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDCEx_callnumber]=g_OriginalNtUserGetDCEx;

}


MemClose();

}

__finally

{

KeDetachProcess();

Sleep(50);

}*/

// author: modify dnf's debugport offset — the in-memory value 0xBC becomes 0x70

pBase =(PBYTE)KernelGetModuleBase("TesSafe.sys");

if ( pBase )

{

//DbgPrint("found module TesSafe.sys\n");

if ( MmIsAddressValid(pBase) )// check that the TesSafe base address is mapped

{

pBase=pBase+0x1590;   // hard-coded start offset into the image (build-specific)

do

{

pBase++; 

}while(*(PDWORD)pBase != 0xC0330a03);   // unbounded scan for the first signature

// signature

if ( *(PDWORD)pBase == 0xC0330a03 )   // always true after the loop above

{

//DbgPrint("debugportfind address %08X",(*(PDWORD)(*(PDWORD)(pBase -10))+0x4));

pdebug=(PDWORD) (*(PDWORD)(*(PDWORD)(pBase -10))+0x4);   // note: decimal 10, then two dereferences, +4

//DbgPrint("debugport: address %08X", (ULONG)pdebug);

MemOpen();

*pdebug= 0x70;

MemClose(); // rewrite the debugport offset

}

// author: the purpose of the following is unclear, but it sits at the start of the procedure after the one above

do

{

pBase++;

}while(*(PDWORD)pBase != 0x3D80CCCC);   // second unbounded scan, continues from the first match

if (*(PDWORD)pBase == 0x3D80CCCC){   // always true after the loop above

DbgPrint("modify 0x3D80CCCC!\n");

pdebug=(PDWORD)(*(PDWORD)(pBase +0x4));

//DbgPrint("debugport: address %08X", (ULONG)pdebug);

MemOpen(); *pdebug= 0x0;MemClose(); }

}

}

// restore KiAttachProcess's original 7 bytes (order differs from Save_fn:
// IRQL is raised before MemOpen here; harmless if MemOpen only touches CR0)

Irql=KeRaiseIrqlToDpcLevel();

MemOpen();


RtlCopyMemory((BYTE *)KiAttachAddr,OldKiAttachBytes,7);

KeLowerIrql(Irql);

MemClose();

}

/*

__declspec(naked) NTSTATUS NTAPI Inline_PsCreateSystemThread(//蓝屏

OUT PHANDLE ThreadHandle,

    IN ULONG DesiredAccess,

    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,

    IN HANDLE ProcessHandle OPTIONAL,

    OUT PCLIENT_ID ClientId OPTIONAL,

    IN PKSTART_ROUTINE StartRoutine,

    IN PVOID StartContext

    )

{

KIRQL Irql;

ULONG CMPs;

//11000

__asm

{

pushad

}

g_StartRoutine = (ULONG)StartRoutine;

if( *(PCHAR)(g_StartRoutine-1) == 0xCC )

{

if(*(PCHAR)(g_StartRoutine) == 0xE9 )

{MemOpen();

Irql=KeRaiseIrqlToDpcLevel();

do

{

g_StartRoutine--;

CMPs=*(ULONG *)(g_StartRoutine);

}while(( CMPs!= 0x0187C033)&&(((ULONG)StartRoutine-g_StartRoutine)<0x15a9));

KeLowerIrql(Irql);

MemClose();

if (CMPs == 0x0187C033)

{

MemOpen();

Irql=KeRaiseIrqlToDpcLevel();

*(ULONG *)(*(ULONG *)(*(ULONG *)(g_StartRoutine-0x0C)) + 0x04) = 0x70;

KeLowerIrql(Irql);

MemClose();

}

MemOpen();

Irql=KeRaiseIrqlToDpcLevel();

do

{

g_StartRoutine++;CMPs=*(ULONG *)(g_StartRoutine);

}while(( CMPs!= 0x3D80CCCC));

KeLowerIrql(Irql);

MemClose();

if (CMPs == 0x3D80CCCC)

{

MemOpen();

Irql=KeRaiseIrqlToDpcLevel();

*(ULONG *)(*(ULONG *)(g_StartRoutine+0x04)) = 0;

KeLowerIrql(Irql);

MemClose();

}//ki

Rstore_fn();

}

}

__asm

{

popad

mov     edi, edi

push    ebp

mov     ebp, esp

jmp     g_Jmp_PsCreateSystemThread

}

}*/

//保存原函数内容

/*
 * Save_fn - record the original state and install the hooks.
 * Called from Init_fn once every address has been resolved.
 *
 * 1. Compute the original CALL displacements at the two call sites that
 *    CallAddrHook rewrote (only when it reported a hit, i.e. result != 1),
 *    so UnHookCallAndMemory can write them back.
 * 2. Save the first 7 bytes of KiAttachProcess and of the original
 *    NtRead/NtWriteVirtualMemory services.
 * 3. Build the two JMP rel32 instructions and assemble the trampolines
 *    inside MyNtRead/WriteVirtualMemory: bytes 0..6 = original prologue,
 *    bytes 7..11 = JMP to original+7.
 * 4. Point the four SSDT slots at the replacement routines.
 *
 * All writes happen with MemOpen() in effect (presumably write protection
 * lifted — confirm in getSSDTfun.h) and at DPC level.  The JMP bytes are
 * written before the SSDT slot is swapped, so the naked placeholder bodies
 * are never executed.
 *
 * NOTE(review): `ke` is unused.  Nothing here verifies that the 7 bytes
 * copied from OldReadMemory/OldWriteMemory end on an instruction boundary.
 */
void  Save_fn()

{// step over the first 7 bytes

ULONG ke;

KIRQL Irql;

MemOpen();

Irql=KeRaiseIrqlToDpcLevel();


// save the original call displacements

if ((ULONG)pNtOpenProcess!=1)// 1 means the call site was not found

{

OldCallProcessCode=ObOpenObjectByPointeradd-(ULONG)pNtOpenProcess-5 ;   // rel32 the CALL at pNtOpenProcess originally carried

// DbgPrint("OldNtOpenProcess callTc:%08X\n",OldCallProcessCode);

}

if ((ULONG)pNtOpenThread!=1)

{

OldCallThreadCode=ObOpenObjectByPointeradd-(ULONG)pNtOpenThread-5 ;

// DbgPrint("OldNtOpenThread callTc:%08X\n",OldCallThreadCode);

}

// RtlCopyMemory(g_PsCreateSystemThread_Head,(BYTE *)(g_PsCreateSystemThread_fn),5);

RtlCopyMemory(OldKiAttachBytes,(BYTE *)(KiAttachAddr),7);

RtlCopyMemory(OriginalReadMemBytes,(BYTE *)OldReadMemory,7);

RtlCopyMemory(OriginalWriteMemBytes,(BYTE *)OldWriteMemory,7);

// JMP displacement: written at My+7, the CPU resolves it as (My+7)+5+rel32 = Old+7

*(ULONG *)(JmpAddressReadM+1)=(OldReadMemory)-(ULONG)MyNtReadVirtualMemory-5;

*(ULONG *)(JmpAddressWriteM+1)=(OldWriteMemory)-(ULONG)MyNtWriteVirtualMemory-5;

// g_Jmp_PsCreateSystemThread = g_PsCreateSystemThread_fn + 5;


//memset((PULONG)OldProcess, 0x90, 10);

// copy the original's first 7 bytes into our own function

RtlCopyMemory((BYTE *)((ULONG)MyNtReadVirtualMemory),OriginalReadMemBytes,7);

RtlCopyMemory((BYTE *)((ULONG)MyNtWriteVirtualMemory),OriginalWriteMemBytes,7);

// the instruction after byte 7 of our function jumps to original+7

RtlCopyMemory((BYTE *)((ULONG)MyNtReadVirtualMemory+7),JmpAddressReadM,5);

RtlCopyMemory((BYTE *)((ULONG)MyNtWriteVirtualMemory+7),JmpAddressWriteM,5);

// swap the SSDT slots

*(PULONG)AddrRead = (ULONG)MyNtReadVirtualMemory;

*(PULONG)AddrWrite = (ULONG)MyNtWriteVirtualMemory;

*((ULONG*)AddrGet)  = (ULONG)MyNtGetThreadContext;

    *((ULONG*)AddrSet) = (ULONG)MyNtSetThreadContext;

/* DbgPrint("g_PsCreateSystemThread_fn callTc:%08X\n",g_PsCreateSystemThread_fn);

*(UCHAR *)(g_PsCreateSystemThread_fn) = 0xE9;

*(ULONG *)(g_PsCreateSystemThread_fn + 1) = (ULONG)Inline_PsCreateSystemThread - g_PsCreateSystemThread_fn - 5;*/

KeLowerIrql(Irql);

MemClose();


/* DbgPrint("JmpAddressReadM:%08X\n",(ULONG)JmpAddressReadM+1);

DbgPrint("JmpAddressWriteM:%08X\n",(ULONG)JmpAddressWriteM+1);

DbgPrint("MyNtReadVirtualMemory:%08X\n",(ULONG)MyNtReadVirtualMemory);

DbgPrint("MyNtWriteVirtualMemory:%08X\n",(ULONG)MyNtWriteVirtualMemory);*/

}

/*
 * UnSSDTNtMemory - put the four SSDT slots back to the values Init_fn saved
 * (NtRead/NtWriteVirtualMemory, NtGet/NtSetThreadContext).
 * Done with MemOpen() in effect and at DPC level, mirroring Save_fn.
 * The code bytes that Save_fn copied into the naked trampolines are left
 * as they are; only the table entries are restored.
 */
VOID UnSSDTNtMemory()

{

KIRQL Irql;

MemOpen();

Irql=KeRaiseIrqlToDpcLevel();

// restore the SSDT

*(PULONG)AddrRead = OldReadMemory;

*(PULONG)AddrWrite = OldWriteMemory;

*((ULONG*)AddrSet) = (ULONG)g_NtSetThreadContext;// restore SSDT (was: = *(ULONG*)g_NtSetThreadContext;)

    *((ULONG*)AddrGet) = (ULONG)g_NtGetThreadContext;

/*

*(ULONG *)(g_PsCreateSystemThread_fn) = *(ULONG *)g_PsCreateSystemThread_Head;

*(UCHAR *)(g_PsCreateSystemThread_fn + 0x04) = g_PsCreateSystemThread_Head[4];*/

KeLowerIrql(Irql);

MemClose();

}


/*
 * UnHookCallAndMemory - undo everything Save_fn installed.
 *
 * Writes the original CALL displacements (OldCallThreadCode /
 * OldCallProcessCode) back into the E8 instructions that CallAddrHook
 * patched, skipping a site whose pointer is the "not found" sentinel 1,
 * then restores the SSDT slots via UnSSDTNtMemory.  Called from
 * UnloadDriver.
 */
VOID UnHookCallAndMemory()

{

KIRQL Irql;

if ((ULONG)pNtOpenThread!=1)

{

MemOpen();

Irql=KeRaiseIrqlToDpcLevel();

*(PULONG)(pNtOpenThread+1)=OldCallThreadCode;// write the original displacement back (author's note: MicroPoint uses a trampoline here rather than patching the target directly)

KeLowerIrql(Irql);

MemClose();

}

if ((ULONG)pNtOpenProcess!=1)

{

MemOpen();

Irql=KeRaiseIrqlToDpcLevel();

*(PULONG)(pNtOpenProcess+1)=OldCallProcessCode;

KeLowerIrql(Irql);

MemClose();

}

    

UnSSDTNtMemory();

DbgPrint("Unhooked!\n");

}

//初始化地址

/*
 * Init_fn - resolve every address the hooks need, patch the two call sites,
 * and hand over to Save_fn.  Called once from DriverEntry.
 *
 * GetFuncAddr() (name -> kernel export address) and GetFunctionIndex()
 * (name -> SSDT index) come from getSSDTfun.h — their failure behaviour is
 * not visible here; nothing below checks for 0.
 *
 * NOTE(review): the NtSet/NtGetThreadContext slots are addressed by the
 * hard-coded indices 0xD5 and 0x55, unlike the Read/WriteVirtualMemory slots
 * which are looked up by name; those indices are specific to one OS build.
 * The KiAttachProcess lookup scans forward from KeAttachProcess for the
 * first 0xE8 byte with no upper bound and assumes that byte is a CALL
 * opcode rather than an operand byte.  `uniPsLookup` is unused.
 */
VOID Init_fn()

{

UNICODE_STRING uniPsLookup;

ObOpenObjectByPointeradd = GetFuncAddr(L"ObOpenObjectByPointer"); 

OldThread = GetFuncAddr(L"NtOpenThread");

OldProcess = GetFuncAddr(L"NtOpenProcess");

// DbgPrint("NtOpenProcess:%08X\n",OldProcess);

// DbgPrint("ObOpenObjectByPointeradd:%08X\n",ObOpenObjectByPointeradd);

//DbgPrint("MyObOpenObjectByPointer_forThread:%08X\n",MyObOpenObjectByPointer_forThread);

// redirect the CALL ObOpenObjectByPointer inside NtOpenThread / NtOpenProcess
// (scan window 600 bytes; result is 1 when the call is not found)

pNtOpenThread= CallAddrHook(OldThread,ObOpenObjectByPointeradd,600,MyObOpenObjectByPointer_forThread);

pNtOpenProcess=CallAddrHook(OldProcess,ObOpenObjectByPointeradd,600,MyObOpenObjectByPointer_forProcess);

// SSDT slot addresses: table base + index * sizeof(ULONG)

AddrRead = (ULONG)KeServiceDescriptorTable->ServiceTableBase +GetFunctionIndex("ZwReadVirtualMemory") * 4;

AddrWrite = (ULONG)KeServiceDescriptorTable->ServiceTableBase + GetFunctionIndex("ZwWriteVirtualMemory") * 4;

    OldReadMemory = *(PULONG)AddrRead;

OldWriteMemory = *(PULONG)AddrWrite;

AddrSet = (ULONG)KeServiceDescriptorTable->ServiceTableBase+0xD5 * 4;   // hard-coded index (author: ZwSetThreadContext)

    AddrGet = (ULONG)KeServiceDescriptorTable->ServiceTableBase+0x55 * 4;   // hard-coded index (pairs with g_NtGetThreadContext)

g_NtGetThreadContext =  *(ULONG*)AddrGet ;

    g_NtSetThreadContext = *(ULONG*)AddrSet ;

//DbgPrint("ZwSetThreadContext:%08X\n",(ULONG)AddrSet);

//g_PsCreateSystemThread_fn = GetFuncAddr(L"PsCreateSystemThread");

// DbgPrint("NtOpenThread call:%08X\n",(ULONG)pNtOpenThread);

// DbgPrint("NtOpenProcess call:%08X\n",(ULONG)pNtOpenProcess);

    // save the original CALL target

KiAttachAddr=GetFuncAddr(L"KeAttachProcess");

do

{

// locate KiAttachProcess: first E8 byte after KeAttachProcess's entry (unbounded scan)

KiAttachAddr++;

}while(*(UCHAR *)(KiAttachAddr) != 0xE8);

KiAttachAddr=*(ULONG *)(KiAttachAddr+1) + KiAttachAddr + 5;   // resolve CALL rel32: target = rel32 + address-of-CALL + 5

Save_fn();

}


//--------------------------------------------------------------------//

//根据操作系统来确定具体函数的服务号 

/*
 * InitCallNumber - pick the shadow-SSDT service numbers for the running OS.
 *
 * Only the Windows 5.x line is known: 5.2 (2003), 5.1 (XP) and 5.0 (2000).
 * The NtUserGetDC / NtUserGetDCEx numbers are only known for XP; on the
 * other two versions they stay at their initial 0.  Any other version
 * leaves every *_callnumber untouched.
 */
VOID InitCallNumber()
{
    ULONG majorVersion = 0, minorVersion = 0;

    PsGetVersion(&majorVersion, &minorVersion, NULL, NULL);

    if (majorVersion != 5)
    {
        return;
    }

    switch (minorVersion)
    {
    case 2:
        DbgPrint("comint32: Running on Windows 2003\n");
        NtUserFindWindowEx_callnumber        = 0x179;
        NtUserGetForegroundWindow_callnumber = 0x193;
        NtUserBuildHwndList_callnumber       = 0x137;
        NtUserQueryWindow_callnumber         = 0x1E1;
        NtUserWindowFromPoint_callnumber     = 0x24C;
        break;

    case 1:
        DbgPrint("comint32: Running on Windows XP\n");
        NtUserFindWindowEx_callnumber        = 0x17A;
        NtUserGetForegroundWindow_callnumber = 0x194;
        NtUserBuildHwndList_callnumber       = 0x138;
        NtUserQueryWindow_callnumber         = 0x1E3;
        NtUserWindowFromPoint_callnumber     = 0x250;
        NtUserGetDC_callnumber               = 401;
        NtUserGetDCEx_callnumber             = 402;
        break;

    case 0:
        DbgPrint("comint32: Running on Windows 2000\n");
        NtUserFindWindowEx_callnumber        = 0x170;
        NtUserGetForegroundWindow_callnumber = 0x189;
        NtUserBuildHwndList_callnumber       = 0x12E;
        NtUserQueryWindow_callnumber         = 0x1D2;
        NtUserWindowFromPoint_callnumber     = 0x238;
        break;

    default:
        /* unknown 5.x minor version: leave the service numbers at 0 */
        break;
    }
}

/*
 * hookShadowSSDT - write the My* routines into the win32k shadow service
 * table.  The table is touched from inside csrss.exe's address space
 * (KeAttachProcess/KeDetachProcess), with MemOpen() in effect.
 *
 * Not reached from the visible code: the IO_REFERENCE_EVENT case in
 * HideProcess_IoControl calls Rstore_fn instead and the g_Original*
 * save code in DriverEntry is commented out.
 *
 * NOTE(review): the guard checks five of the seven service numbers but not
 * NtUserWindowFromPoint_callnumber, NtUserGetDC_callnumber or
 * NtUserGetDCEx_callnumber.  InitCallNumber leaves the GetDC/GetDCEx
 * numbers at 0 on Windows 2000/2003, so on those versions this overwrites
 * shadow-table slot 0.  The KdPrint text names ZwQuerySystemInformation,
 * which is not what this routine hooks.
 */
VOID hookShadowSSDT()

{

KeAttachProcess(crsEProc);// attach to csrss.exe's address space

__try

{

MemOpen();

if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserQueryWindow_callnumber!=0))

{

(NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber]) = MyNtUserFindWindowEx;

(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserQueryWindow_callnumber]  = MyNtUserQueryWindow;

(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserBuildHwndList_callnumber] = MyNtUserBuildHwndList;

(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetForegroundWindow_callnumber] = MyNtUserGetForegroundWindow;

(NTUSERWINDOWFROMPOINT)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserWindowFromPoint_callnumber] = MyNtUserWindowFromPoint;

   (NTUSERGETDC)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDC_callnumber] = MyNtUserGetDC;   // slot 0 when the number is unknown — see note above

(NTUSERGETDCEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDCEx_callnumber] = MyNtUserGetDCEx;

}


MemClose();

}

__finally

{

KeDetachProcess(); 

}


KdPrint(("Hook ZwQuerySystemInformation'status is Succeessfully "));   // message does not match what was hooked


}



/*
 * UnloadDriver - DriverUnload routine.
 *
 * Looks up csrss.exe (crsEProc), waits 50 ms, removes the call-site and
 * SSDT hooks (UnHookCallAndMemory), then deletes the symbolic link and the
 * control device.  Sleep() and GetCsrPid() come from getSSDTfun.h.
 *
 * NOTE(review):
 *  - If PsLookupProcessByProcessId fails the routine returns early with the
 *    hooks still installed and the device still present; the driver image
 *    is unloaded anyway, so the next call through a patched slot lands in
 *    freed memory.  crsEProc is only used by the commented-out
 *    unhookShadowSSDT path, so the lookup is not needed for the unhook.
 *  - PsLookupProcessByProcessId returns a referenced EPROCESS; nothing here
 *    calls ObDereferenceObject on crsEProc.
 *  - ASSERT(!deviceObject->AttachedDevice) dereferences deviceObject before
 *    the NULL check that follows it.
 *  - uniWin32NameString, LinkNameString are unused.
 */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)

{

UNICODE_STRING uniWin32NameString;

UNICODE_STRING LinkNameString;

PDEVICE_OBJECT deviceObject;

NTSTATUS status;


status = PsLookupProcessByProcessId((ULONG)GetCsrPid(), &crsEProc);

if (!NT_SUCCESS( status ))

{

DbgPrint("PsLookupProcessByProcessId() error\n");

return ;   // leaves hooks and device in place — see note above

}

//unhookShadowSSDT();


Sleep(50);

// restore the call sites and the memory read/write services

UnHookCallAndMemory();


deviceObject= DriverObject->DeviceObject;

IoDeleteSymbolicLink(&LinkDeviceNameString);

ASSERT(!deviceObject->AttachedDevice);

if ( deviceObject != NULL )

{

IoDeleteDevice( deviceObject );

}

}


/*
 * DriverEntry - create the control device and symbolic link, register the
 * dispatch routines and unload handler, then install the hooks (Init_fn).
 *
 * RegistryPath is unused.  The device/link names come from getSSDTfun.h
 * (HIDE_PROCESS_WIN32_DEV_NAME / HIDE_PROCESS_DEV_NAME).  The shadow-SSDT
 * setup (getShadowTable, InitCallNumber, saving the g_Original* entries) is
 * commented out, so the My* window hooks are never armed by this entry
 * point.  Returns the status of IoCreateSymbolicLink; Init_fn has no
 * failure path.
 *
 * NOTE(review): the device is created with IoCreateDevice and whatever
 * default security descriptor applies to its type; nothing here restricts
 * which callers may open it.  The IOCTL handler reached through this device
 * rewrites kernel memory (IO_REFERENCE_EVENT -> Rstore_fn), so the default
 * DACL decides whether an unprivileged user can trigger that — worth
 * confirming, and IoCreateDeviceSecure with an explicit SDDL is the usual
 * way to make the intent explicit.
 */
NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)

{

NTSTATUS status;

PDEVICE_OBJECT   deviceObject;


RtlInitUnicodeString( &DeviceNameString,    HIDE_PROCESS_WIN32_DEV_NAME );

RtlInitUnicodeString( &LinkDeviceNameString,HIDE_PROCESS_DEV_NAME );


KdPrint(("DriverEntry Enter............................\n"));


status = IoCreateDevice(

DriverObject,

0,                      

&DeviceNameString,

FILE_DEVICE_DISK_FILE_SYSTEM,

FILE_DEVICE_SECURE_OPEN,

FALSE,

& deviceObject );


if (!NT_SUCCESS( status )) 

{


KdPrint(( "DriverEntry: Error creating control device object, status=%08x\n", status ));

return status;

}


status = IoCreateSymbolicLink(

(PUNICODE_STRING) &LinkDeviceNameString,

(PUNICODE_STRING) &DeviceNameString

);


if (!NT_SUCCESS(status))

{

IoDeleteDevice(deviceObject);

return status;

}


// locate the shadow table

// getShadowTable();

// service numbers differ per OS version

// InitCallNumber();


DriverObject->MajorFunction[IRP_MJ_CREATE] = HideProcess_Create;

DriverObject->MajorFunction[IRP_MJ_CLOSE] = HideProcess_Close;

DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HideProcess_IoControl;


DriverObject->DriverUnload=UnloadDriver;

/*// look up csrss.exe

status = PsLookupProcessByProcessId((ULONG)GetCsrPid(), &crsEProc);

if (!NT_SUCCESS( status ))

{

DbgPrint("PsLookupProcessByProcessId() error\n");

return status;

}

KeAttachProcess(crsEProc);// attach to csrss.exe's address space

__try

{// save the original shadow-SSDT entries

if ((KeServiceDescriptorTableShadow!=NULL) \

&& (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0) \

&& (NtUserBuildHwndList_callnumber!=0) && (NtUserQueryWindow_callnumber!=0) \

&& (NtUserWindowFromPoint_callnumber!=0)

&&(NtUserGetDC_callnumber)!=0 )

{

g_OriginalNtUserGetDCEx= (NTUSERGETDCEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDCEx_callnumber];

g_OriginalNtUserGetDC= (NTUSERGETDC)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDC_callnumber];

g_OriginalNtUserFindWindowEx     = (NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber];

g_OriginalNtUserQueryWindow=(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserQueryWindow_callnumber];

g_OriginalNtUserBuildHwndList=(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserBuildHwndList_callnumber];

g_OriginalNtUserGetForegroundWindow=(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetForegroundWindow_callnumber];

g_OriginalNtUserWindowFromPoint = (NTUSERWINDOWFROMPOINT)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserWindowFromPoint_callnumber];

}

else

KeServiceDescriptorTableShadow=NULL;

}

__finally

{

KeDetachProcess(); 

} */

// hook the two CALL sites and the SSDT entries for the memory read/write services (+7-byte trampolines)

Init_fn();

return status ;

}


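/*
 * HideProcess_Create - IRP_MJ_CREATE dispatch routine.
 *
 * Accepts every open of the control device: the IRP is completed with
 * STATUS_SUCCESS and zero bytes of information.
 *
 * DeviceObject - the control device (unused)
 * Irp          - the create request; completed here
 * Returns STATUS_SUCCESS.
 *
 * The status is returned from a local instead of being re-read from the
 * IRP, because the IRP must not be touched after IoCompleteRequest (the
 * I/O manager may already have freed it).
 */
NTSTATUS HideProcess_Create(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    DbgPrint("HideProcess_Create\n");

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}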


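/*
 * HideProcess_Close - IRP_MJ_CLOSE dispatch routine.
 *
 * Completes every close of the control device with STATUS_SUCCESS and zero
 * bytes of information.
 *
 * DeviceObject - the control device (unused)
 * Irp          - the close request; completed here
 * Returns STATUS_SUCCESS.
 *
 * The status is returned from a local rather than from Irp->IoStatus after
 * completion: the IRP is no longer ours once IoCompleteRequest returns.
 */
NTSTATUS HideProcess_Close(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    DbgPrint("HideProcess_Close\n");

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}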



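/*
 * HideProcess_IoControl - IRP_MJ_DEVICE_CONTROL dispatch routine.
 *
 * Control codes (defined in getSSDTfun.h):
 *   IO_PROTECT           - the caller passes the PID to protect in place of
 *                          the Type3InputBuffer pointer; the pointer value
 *                          itself is stored in ProcessIdToProtect and is
 *                          never dereferenced.
 *   IO_REFERENCE_EVENT   - runs Rstore_fn (patches kernel memory).
 *   IO_DEREFERENCE_EVENT - no-op (the shadow-SSDT unhook is commented out).
 *   anything else        - rejected with STATUS_INVALID_DEVICE_REQUEST.
 *
 * DeviceObject - the control device (unused)
 * Irp          - the request; always completed here with Information = 0
 * Returns the completion status.
 *
 * NOTE(review): any caller that can open the device can reach
 * IO_REFERENCE_EVENT; whether that includes unprivileged users depends on
 * the device object's security descriptor set up in DriverEntry.
 */
NTSTATUS HideProcess_IoControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    ULONG controlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(DeviceObject);

    DbgPrint("IN CONTROL\r\n");

    switch (controlCode)
    {
    case IO_PROTECT:
        /* PID travels in the pointer field itself; stored, not dereferenced. */
        ProcessIdToProtect = (HANDLE)irpStack->Parameters.DeviceIoControl.Type3InputBuffer;
        DbgPrint("IO_PROTECT:%p", ProcessIdToProtect);   /* %p: the value is a HANDLE, not an int */
        break;

    case IO_REFERENCE_EVENT:
        Rstore_fn();   /* formerly hookShadowSSDT() */
        break;

    case IO_DEREFERENCE_EVENT:
        /* formerly unhookShadowSSDT(); intentionally nothing to do now */
        break;

    default:
        /* unknown control code: report it instead of silently succeeding */
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}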


/*
 * MyNtUserFindWindowEx - shadow-SSDT replacement for NtUserFindWindowEx.
 *
 * Calls the original service first.  For every caller except the protected
 * process itself, the owner of the returned window is looked up with
 * NtUserQueryWindow(hwnd, 0) and logged; when it is ProcessIdToProtect the
 * window is reported as not found (0).  The protected process always gets
 * the real result.
 *
 * NOTE(review): the DbgPrint fires on every FindWindow call from every
 * process, which is noisy under a kernel debugger.
 */
NTSTATUS MyNtUserFindWindowEx(

 IN HWND hwndParent, 

 IN HWND hwndChild, 

 IN PUNICODE_STRING pstrClassName OPTIONAL, 

 IN PUNICODE_STRING pstrWindowName OPTIONAL, 

 IN DWORD dwType)
{
    ULONG hwndFound = g_OriginalNtUserFindWindowEx(hwndParent, hwndChild, pstrClassName, pstrWindowName, dwType);
    int callerIsProtected = (PsGetCurrentProcessId() == ProcessIdToProtect);

    if (callerIsProtected)
    {
        return hwndFound;
    }

    {
        ULONG ownerPid = g_OriginalNtUserQueryWindow(hwndFound, 0);

        DbgPrint("ProcessID:%d", ownerPid);

        return (ownerPid == (ULONG)ProcessIdToProtect) ? 0 : hwndFound;
    }
}


/*
 * MyNtUserBuildHwndList - shadow-SSDT replacement for NtUserBuildHwndList.
 *
 * For callers other than the protected process the window list produced by
 * the original service is filtered so that no window owned by
 * ProcessIdToProtect is reported:
 *   - if fEnumChildren == 1 and hwndNext itself belongs to the protected
 *     process, the call is refused with STATUS_UNSUCCESSFUL;
 *   - otherwise the original service fills phwndFirst/pcHwndNeeded, and
 *     every entry whose owner (NtUserQueryWindow(h, 0)) matches is removed
 *     by shifting the tail down one slot, zeroing the last slot and
 *     decrementing the count.
 * The protected process itself gets the unfiltered list.
 *
 * NOTE(review): phwndFirst and pcHwndNeeded are caller-supplied OUT
 * pointers that are read and written directly; nothing here probes them,
 * so this relies on the original service having validated them.  The
 * shift-down removal is O(n^2) in the number of removed entries.
 */
NTSTATUS MyNtUserBuildHwndList(IN HDESK hdesk, IN HWND hwndNext, IN ULONG fEnumChildren, IN DWORD idThread, IN UINT cHwndMax, OUT HWND *phwndFirst, OUT ULONG* pcHwndNeeded)

{

NTSTATUS result;


if (PsGetCurrentProcessId()!=ProcessIdToProtect)

{

ULONG ProcessID;


if (fEnumChildren==1)

{

ProcessID = g_OriginalNtUserQueryWindow((ULONG)hwndNext, 0);

if (ProcessID==(ULONG)ProcessIdToProtect)

return STATUS_UNSUCCESSFUL;   // refuse to enumerate the protected window's children

}

result = g_OriginalNtUserBuildHwndList(hdesk,hwndNext,fEnumChildren,idThread,cHwndMax,phwndFirst,pcHwndNeeded);


if (result==STATUS_SUCCESS)

{

ULONG i=0;

ULONG j;


// walk the list; i only advances when entry i is kept

while (i<*pcHwndNeeded)

{

ProcessID=g_OriginalNtUserQueryWindow((ULONG)phwndFirst[i],0);

if (ProcessID==(ULONG)ProcessIdToProtect)

{

// remove entry i: shift the tail down one slot

for (j=i; j<(*pcHwndNeeded)-1; j++)

phwndFirst[j]=phwndFirst[j+1]; 


phwndFirst[*pcHwndNeeded-1]=0; 


(*pcHwndNeeded)--;

continue;   // re-examine the entry now at index i

}

i++;

}


}

return result;

}

return g_OriginalNtUserBuildHwndList(hdesk,hwndNext,fEnumChildren,idThread,cHwndMax,phwndFirst,pcHwndNeeded);   // protected process: unfiltered

}


/*
 * MyNtUserGetForegroundWindow - shadow-SSDT replacement for
 * NtUserGetForegroundWindow.
 *
 * The protected process sees the real foreground window.  Every other
 * caller sees it too unless it is owned by ProcessIdToProtect, in which
 * case the last foreground window that was allowed through
 * (LastForegroundWindow, initially 0) is reported instead; allowed results
 * update LastForegroundWindow.
 */
ULONG MyNtUserGetForegroundWindow(VOID)
{
    ULONG hwnd = g_OriginalNtUserGetForegroundWindow();

    if (PsGetCurrentProcessId() == ProcessIdToProtect)
    {
        return hwnd;
    }

    if (g_OriginalNtUserQueryWindow(hwnd, 0) == (ULONG)ProcessIdToProtect)
    {
        /* hide the protected window: report the last one we let through */
        return LastForegroundWindow;
    }

    LastForegroundWindow = hwnd;
    return hwnd;
}


/*
 * MyNtUserQueryWindow - shadow-SSDT replacement for NtUserQueryWindow.
 *
 * For callers other than the protected process, any query about a window
 * owned by ProcessIdToProtect (owner obtained with TypeInformation 0)
 * answers 0 regardless of TypeInformation.  Everything else is forwarded to
 * the original service unchanged.
 */
UINT_PTR MyNtUserQueryWindow(IN ULONG WindowHandle,IN ULONG TypeInformation)
{
    int callerIsProtected = (PsGetCurrentProcessId() == ProcessIdToProtect);

    if (!callerIsProtected
        && g_OriginalNtUserQueryWindow(WindowHandle, 0) == (ULONG)ProcessIdToProtect)
    {
        return 0;
    }

    return g_OriginalNtUserQueryWindow(WindowHandle, TypeInformation);
}


/*
 * MyNtUserWindowFromPoint - shadow-SSDT replacement for
 * NtUserWindowFromPoint.  Unconditionally reports "no window" (0) for
 * every caller and every point; the original service is never called.
 */
HWND MyNtUserWindowFromPoint(LONG x, LONG y)
{
    HWND none = (HWND)0;

    return none;
}

/*
 * MyNtUserGetDC - shadow-SSDT replacement for NtUserGetDC.
 * Always returns NULL; the original service is never called.
 */
HDC MyNtUserGetDC(HWND hWnd)
{
    HDC noDc = NULL;

    return noDc;
}

/*
 * MyNtUserGetDCEx - shadow-SSDT replacement for NtUserGetDCEx.
 * Always returns NULL regardless of hWnd, ClipRegion or Flags; the
 * original service is never called.
 */
HDC MyNtUserGetDCEx(HWND hWnd OPTIONAL, HANDLE ClipRegion, ULONG Flags)
{
    HDC noDc = NULL;

    return noDc;
}

不明白请联系群Q q 11698962