#ifndef CXX_FILEPROTECTX86_H
# include "FileProtectX86.h"
#endif
/* Module-wide state shared by the dispatch routines and the SSDT thunks. */

/* Keyboard read IRPs in flight: ++ in c2pDispatchRead, -- in c2pReadComplete,
 * spun on by c2pUnload before the hooks are removed. */
ULONG gC2pKeyCount = 0;

/* Our driver object, recorded by DriverEntry. */
PDRIVER_OBJECT gDriverObject = NULL;

/* Armed by c2pReadComplete when a Ctrl make code (0x1d) is seen; consumed by
 * the next 0x2e make code. */
BOOLEAN bOk = FALSE;

/* Set to 1 by DriverEntry; not read anywhere in this file. */
ULONG_PTR IndexOffsetOfFunction = 0;

/* Address of KeServiceDescriptorTable as resolved by DriverEntry, 0 when the
 * lookup failed. */
ULONG_PTR SSDTDescriptor = 0;

/* Declared but never used in this file. */
KIRQL Irql;

/* Service-table indices of the three hooked services:
 * NtSetInformationFile, NtWriteFile, NtDeleteFile (in that order). */
ULONG_PTR ulIndex = 0;
ULONG_PTR ulIndex1 = 0;
ULONG_PTR ulIndex2 = 0;

/* Original service-table entries, saved by Hook* and restored by UnHook*.
 * NtCreateFile is not hooked. */
pfnNtSetInformationFile Old_NtSetInformationFileWinXP = NULL;
pfnNtWriteFile Old_NtWriteFileWinXP = NULL;
pfnNtDeleteFile Old_NtDeleteFileWinXP = NULL;
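VOID c2pDetach(IN PDEVICE_OBJECT pDeviceObject);

/*
 * DriverEntry - driver initialisation.
 *
 * Installs the dispatch table (everything forwards through c2pDispatchGeneral
 * except IRP_MJ_READ, IRP_MJ_POWER and IRP_MJ_PNP, which have dedicated
 * handlers), resolves the service descriptor table and the indices of the
 * three services to patch, attaches a filter device to every keyboard-class
 * device, and finally installs the SSDT hooks (NtSetInformationFile,
 * NtWriteFile, NtDeleteFile -> Fake_* thunks in this file).
 *
 * The SSDT resolution happens before any device is touched so that a lookup
 * failure leaves nothing to undo. DriverUnload is not invoked for a failed
 * DriverEntry, so a failed c2pAttachDevices is cleaned up here: every filter
 * device that was attached before the failure is detached and deleted.
 *
 * Note: the hooks are 32-bit only (the Hook* routines store function
 * pointers in a ULONG32 service table); the module name says as much.
 *
 * DriverObject: our driver object.
 * RegisterPath: registry path, passed through to c2pAttachDevices.
 *
 * Return: STATUS_SUCCESS; STATUS_UNSUCCESSFUL when KeServiceDescriptorTable
 * or a service index cannot be resolved; otherwise the c2pAttachDevices code.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
    ULONG i;
    NTSTATUS status;
    LONG idxSetInfo;
    LONG idxWrite;
    LONG idxDelete;
    PDEVICE_OBJECT deviceObject;
    PDEVICE_OBJECT nextDevice;

    for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        DriverObject->MajorFunction[i] = c2pDispatchGeneral;
    }
    /* Read is where keystrokes come back, so it gets the completion-routine path. */
    DriverObject->MajorFunction[IRP_MJ_READ] = c2pDispatchRead;
    /* Power IRPs need PoStartNextPowerIrp/PoCallDriver rather than IoCallDriver. */
    DriverObject->MajorFunction[IRP_MJ_POWER] = c2pPower;
    /* PnP: IRP_MN_REMOVE_DEVICE has to detach and delete our filter device. */
    DriverObject->MajorFunction[IRP_MJ_PNP] = c2pPnP;
    DriverObject->DriverUnload = c2pUnload;
    gDriverObject = DriverObject;

    SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable");
    if (SSDTDescriptor == 0)
    {
        /* The original went on to dereference the null descriptor in HookSSDT. */
        KdPrint(("DriverEntry: KeServiceDescriptorTable not found\n"));
        return STATUS_UNSUCCESSFUL;
    }
    IndexOffsetOfFunction = 1;

    idxSetInfo = GetSSDTApiFunctionIndexFromNtdll("NtSetInformationFile");
    idxWrite = GetSSDTApiFunctionIndexFromNtdll("NtWriteFile");
    idxDelete = GetSSDTApiFunctionIndexFromNtdll("NtDeleteFile");
    /* The lookup returns LONG; a negative value is treated as "not found"
     * (TODO confirm against its definition, which is outside this view).
     * Storing it unchecked into a ULONG_PTR index would patch a wild slot. */
    if (idxSetInfo < 0 || idxWrite < 0 || idxDelete < 0)
    {
        KdPrint(("DriverEntry: service index lookup failed\n"));
        return STATUS_UNSUCCESSFUL;
    }
    ulIndex = (ULONG_PTR)idxSetInfo;
    ulIndex1 = (ULONG_PTR)idxWrite;
    ulIndex2 = (ULONG_PTR)idxDelete;

    status = c2pAttachDevices(DriverObject, RegisterPath);
    if (!NT_SUCCESS(status))
    {
        /* Earlier iterations of the attach loop may have succeeded; take
         * those devices down again before reporting the failure. */
        deviceObject = DriverObject->DeviceObject;
        while (deviceObject)
        {
            nextDevice = deviceObject->NextDevice; /* read before c2pDetach deletes it */
            c2pDetach(deviceObject);
            deviceObject = nextDevice;
        }
        return status;
    }

    HookSSDT(ulIndex);
    HookWrite(ulIndex1);
    HookDelete(ulIndex2);

    return STATUS_SUCCESS;
}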
/*
 * c2pDevExtInit - zero the filter device extension and record the device
 * objects the filter works with.
 *
 * devExt:              extension of the filter device (written).
 * pFilterDeviceObject: our filter device.
 * pTargetDeviceObject: the keyboard-class device we attached to.
 * pLowerDeviceObject:  the device returned by IoAttachDeviceToDeviceStack,
 *                      i.e. the one IRPs are forwarded to.
 *
 * Also initialises the extension's spin lock and notification event.
 *
 * Return: always STATUS_SUCCESS.
 */
NTSTATUS
c2pDevExtInit(
    IN PC2P_DEV_EXT devExt,
    IN PDEVICE_OBJECT pFilterDeviceObject,
    IN PDEVICE_OBJECT pTargetDeviceObject,
    IN PDEVICE_OBJECT pLowerDeviceObject )
{
    RtlZeroMemory(devExt, sizeof(*devExt));

    KeInitializeSpinLock(&devExt->IoRequestsSpinLock);
    KeInitializeEvent(&devExt->IoInProgressEvent, NotificationEvent, FALSE);

    devExt->NodeSize = sizeof(*devExt);
    devExt->pFilterDeviceObject = pFilterDeviceObject;
    devExt->TargetDeviceObject = pTargetDeviceObject;
    devExt->LowerDeviceObject = pLowerDeviceObject;

    return STATUS_SUCCESS;
}
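VOID c2pDetach(IN PDEVICE_OBJECT pDeviceObject);

/*
 * c2pAttachDevices - attach one filter device on top of every device object
 * owned by the keyboard class driver (KBD_DRIVER_NAME).
 *
 * The class driver object is looked up by name, which takes a reference on
 * it; that reference keeps the object alive while its device list is walked
 * and is released on every exit path. (The original released a reference on
 * our own DriverObject instead, which both leaked the keyboard driver's
 * reference and dropped one we never took.)
 *
 * For each target device a filter device with a C2P_DEV_EXT extension is
 * created, attached to the stack, initialised via c2pDevExtInit and given
 * the lower device's type, characteristics, I/O flags and stack size + 1.
 * DO_DEVICE_INITIALIZING, which IoCreateDevice sets, is cleared once the
 * device is ready.
 *
 * On any failure the filter devices created so far are detached and deleted
 * again (via c2pDetach), so the caller never inherits a half-built stack.
 *
 * DriverObject: our driver object (owner of the filter devices).
 * RegistryPath: unused.
 *
 * Return: STATUS_SUCCESS; the ObReferenceObjectByName / IoCreateDevice
 * failure code; STATUS_DEVICE_NOT_CONNECTED when IoAttachDeviceToDeviceStack
 * returns NULL (the original returned the preceding success code there).
 */
NTSTATUS
c2pAttachDevices(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING uniNtNameString;
    PC2P_DEV_EXT devExt;
    PDEVICE_OBJECT pFilterDeviceObject = NULL;
    PDEVICE_OBJECT pTargetDeviceObject = NULL;
    PDEVICE_OBJECT pLowerDeviceObject = NULL;
    PDRIVER_OBJECT KbdDriverObject = NULL;
    PDEVICE_OBJECT cleanupDevice;
    PDEVICE_OBJECT cleanupNext;

    UNREFERENCED_PARAMETER(RegistryPath);

    KdPrint(("MyAttach\n"));

    RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);
    status = ObReferenceObjectByName(
        &uniNtNameString,
        OBJ_CASE_INSENSITIVE,
        NULL,
        0,
        IoDriverObjectType,
        KernelMode,
        NULL,
        &KbdDriverObject
        );
    if (!NT_SUCCESS(status))
    {
        KdPrint(("MyAttach: Couldn't get the MyTest Device Object\n"));
        return status;
    }

    pTargetDeviceObject = KbdDriverObject->DeviceObject;
    while (pTargetDeviceObject)
    {
        status = IoCreateDevice(
            DriverObject,
            sizeof(C2P_DEV_EXT),
            NULL,
            pTargetDeviceObject->DeviceType,
            pTargetDeviceObject->Characteristics,
            FALSE,
            &pFilterDeviceObject
            );
        if (!NT_SUCCESS(status))
        {
            KdPrint(("MyAttach: Couldn't create the MyFilter Filter Device Object\n"));
            break;
        }

        pLowerDeviceObject = IoAttachDeviceToDeviceStack(pFilterDeviceObject, pTargetDeviceObject);
        if (pLowerDeviceObject == NULL)
        {
            KdPrint(("MyAttach: Couldn't attach to MyTest Device Object\n"));
            IoDeleteDevice(pFilterDeviceObject);
            pFilterDeviceObject = NULL;
            /* status still holds IoCreateDevice's success code at this point. */
            status = STATUS_DEVICE_NOT_CONNECTED;
            break;
        }

        devExt = (PC2P_DEV_EXT)(pFilterDeviceObject->DeviceExtension);
        c2pDevExtInit(devExt, pFilterDeviceObject, pTargetDeviceObject, pLowerDeviceObject);

        /* Mirror the lower device so IRPs built for it are valid for us. */
        pFilterDeviceObject->DeviceType = pLowerDeviceObject->DeviceType;
        pFilterDeviceObject->Characteristics = pLowerDeviceObject->Characteristics;
        pFilterDeviceObject->StackSize = pLowerDeviceObject->StackSize + 1;
        pFilterDeviceObject->Flags |= pLowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);
        pFilterDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

        pTargetDeviceObject = pTargetDeviceObject->NextDevice;
    }

    if (!NT_SUCCESS(status))
    {
        /* Undo the devices attached by the iterations that did succeed. */
        cleanupDevice = DriverObject->DeviceObject;
        while (cleanupDevice)
        {
            cleanupNext = cleanupDevice->NextDevice; /* read before c2pDetach deletes it */
            c2pDetach(cleanupDevice);
            cleanupDevice = cleanupNext;
        }
    }

    ObDereferenceObject(KbdDriverObject);
    return status;
}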
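/*
 * c2pDetach - detach one filter device from the keyboard stack and delete it.
 *
 * pDeviceObject: a filter device created by c2pAttachDevices.
 *
 * IoDetachDevice is given the device that IoAttachDeviceToDeviceStack
 * returned (LowerDeviceObject), which is also what c2pPnP passes on
 * IRP_MN_REMOVE_DEVICE; the original passed TargetDeviceObject, which is
 * only the same object when nothing else sat above the keyboard device at
 * attach time. The extension fields are cleared before IoDeleteDevice so
 * the extension is not written after the device object has been handed
 * back to the I/O manager.
 *
 * Exceptions are swallowed, as in the original: this runs at unload and
 * is best-effort.
 */
VOID
c2pDetach(IN PDEVICE_OBJECT pDeviceObject)
{
    PC2P_DEV_EXT devExt = (PC2P_DEV_EXT)pDeviceObject->DeviceExtension;

    __try
    {
        if (devExt->LowerDeviceObject != NULL)
        {
            IoDetachDevice(devExt->LowerDeviceObject);
        }
        devExt->LowerDeviceObject = NULL;
        devExt->TargetDeviceObject = NULL;
        devExt->pFilterDeviceObject = NULL;

        IoDeleteDevice(pDeviceObject);
        DbgPrint("Detach Finished\n");
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* best-effort teardown; nothing sensible to do with the fault here */
    }
}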
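/*
 * c2pUnload - DriverUnload routine.
 *
 * Detaches and deletes every filter device, waits (polling every 100 ms at
 * LOW_REALTIME_PRIORITY) until all keyboard read IRPs set up by
 * c2pDispatchRead have completed, then restores the three SSDT entries.
 *
 * The list walk reads NextDevice before calling c2pDetach, because
 * c2pDetach deletes the device it is handed; the original read the link
 * out of the already-deleted object.
 *
 * NOTE(review): gC2pKeyCount only covers keyboard reads. Nothing counts
 * threads currently executing inside the Fake_* thunks, so unloading while
 * a hooked system call is in flight is not protected against here.
 *
 * DriverObject: our driver object.
 */
VOID
c2pUnload(IN PDRIVER_OBJECT DriverObject)
{
    PDEVICE_OBJECT DeviceObject;
    PDEVICE_OBJECT NextDeviceObject;
    LARGE_INTEGER lDelay;
    PRKTHREAD CurrentThread;

    lDelay = RtlConvertLongToLargeInteger(100 * DELAY_ONE_MILLISECOND);
    CurrentThread = KeGetCurrentThread();
    /* Raise our priority so the polling loop below is not starved. */
    KeSetPriorityThread(CurrentThread, LOW_REALTIME_PRIORITY);

    KdPrint(("DriverEntry unLoading...\n"));

    DeviceObject = DriverObject->DeviceObject;
    while (DeviceObject)
    {
        NextDeviceObject = DeviceObject->NextDevice; /* c2pDetach deletes DeviceObject */
        c2pDetach(DeviceObject);
        DeviceObject = NextDeviceObject;
    }
    ASSERT(NULL == DriverObject->DeviceObject);

    /* Wait for outstanding reads whose completion routine lives in this image. */
    while (gC2pKeyCount)
    {
        KeDelayExecutionThread(KernelMode, FALSE, &lDelay);
    }

    /* Only restore entries if the table was ever resolved; each UnHook*
     * routine additionally skips a service that was never hooked. */
    if (SSDTDescriptor != 0)
    {
        UnHookSSDT(ulIndex);
        UnHookSSDTWrite(ulIndex1);
        UnHookSSDTDelete(ulIndex2);
    }

    KdPrint(("DriverEntry unLoad OK!\n"));
}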
/*
 * c2pDispatchGeneral - pass-through for every IRP major function without a
 * dedicated handler: skip our stack location and hand the IRP to the device
 * below us unchanged.
 *
 * DeviceObject: our filter device.
 * Irp:          the request.
 *
 * Return: whatever the lower driver returns.
 */
NTSTATUS c2pDispatchGeneral(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PC2P_DEV_EXT devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

    KdPrint(("Other Diapatch!"));

    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(devExt->LowerDeviceObject, Irp);
}
/*
 * c2pPower - IRP_MJ_POWER handler.
 *
 * Power IRPs are forwarded with the power-manager pair
 * PoStartNextPowerIrp / PoCallDriver instead of IoCallDriver; the IRP is
 * otherwise passed down untouched.
 *
 * DeviceObject: our filter device.
 * Irp:          the power request.
 *
 * Return: the PoCallDriver result.
 */
NTSTATUS c2pPower(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PDEVICE_OBJECT lower = ((PC2P_DEV_EXT)DeviceObject->DeviceExtension)->LowerDeviceObject;

    /* Required before passing a power IRP down. */
    PoStartNextPowerIrp(Irp);
    IoSkipCurrentIrpStackLocation(Irp);
    return PoCallDriver(lower, Irp);
}
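/*
 * c2pPnP - IRP_MJ_PNP handler.
 *
 * IRP_MN_REMOVE_DEVICE: forward the IRP, then detach from the lower device
 * and delete our filter device. Every other minor code is passed straight
 * down. The result of the forwarded remove IRP is discarded and
 * STATUS_SUCCESS returned, as in the original.
 *
 * The unused locals of the original (an IRQL and an event that were never
 * touched) are gone.
 *
 * DeviceObject: our filter device.
 * Irp:          the PnP request.
 *
 * Return: STATUS_SUCCESS for a remove, otherwise the lower driver's status.
 */
NTSTATUS c2pPnP(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PC2P_DEV_EXT devExt = (PC2P_DEV_EXT)(DeviceObject->DeviceExtension);
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status;

    switch (irpStack->MinorFunction)
    {
    case IRP_MN_REMOVE_DEVICE:
        KdPrint(("IRP_MN_REMOVE_DEVICE\n"));
        /* Let the stack below process the removal first. */
        IoSkipCurrentIrpStackLocation(Irp);
        IoCallDriver(devExt->LowerDeviceObject, Irp);
        /* Then leave the stack and free our own device. */
        IoDetachDevice(devExt->LowerDeviceObject);
        IoDeleteDevice(DeviceObject);
        status = STATUS_SUCCESS;
        break;

    default:
        IoSkipCurrentIrpStackLocation(Irp);
        status = IoCallDriver(devExt->LowerDeviceObject, Irp);
        break;
    }

    return status;
}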
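/*
 * c2pReadComplete - completion routine for the keyboard read IRPs that
 * c2pDispatchRead sends down.
 *
 * On a successful read the system buffer holds
 * Information / sizeof(KEYBOARD_INPUT_DATA) records. The routine:
 *   1. looks up the DOS name of the IRP's file object and logs when it
 *      contains "Shine.txt" (a keyboard read's file object names a keyboard
 *      device, so this is not expected to match often -- TODO confirm intent);
 *   2. rewrites a key sequence in place: a make of scan code 0x1d arms bOk,
 *      and the next make of 0x2e while armed becomes 0x20.
 *
 * Fixes relative to the original:
 *   - IoQueryFileDosDeviceName is a PASSIVE_LEVEL routine and a completion
 *     routine may run at DISPATCH_LEVEL, so the lookup is only attempted
 *     when the IRQL permits it;
 *   - the OBJECT_NAME_INFORMATION it returns is pool memory the caller must
 *     free; it was leaked on every read.
 *
 * NOTE(review): gC2pKeyCount is decremented with a plain --, matching the
 * plain ++ in c2pDispatchRead; on a multiprocessor system concurrent
 * completions can lose an update. Not changed here.
 *
 * DeviceObject, Context: unused.
 * Return: Irp->IoStatus.Status; the IRP continues completing upward.
 */
NTSTATUS c2pReadComplete(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    PIO_STACK_LOCATION IrpSp;
    POBJECT_NAME_INFORMATION ObjetNameInfor = NULL;
    PKEYBOARD_INPUT_DATA pKeyData;
    ULONG numKeys;
    size_t i;

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    IrpSp = IoGetCurrentIrpStackLocation(Irp);

    if (NT_SUCCESS(Irp->IoStatus.Status))
    {
        pKeyData = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
        numKeys = (ULONG)(Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA));

        if (KeGetCurrentIrql() == PASSIVE_LEVEL && IrpSp->FileObject != NULL)
        {
            __try
            {
                if (NT_SUCCESS(IoQueryFileDosDeviceName(IrpSp->FileObject, &ObjetNameInfor)))
                {
                    /* NOTE(review): Name.Buffer is a UNICODE_STRING buffer and is
                     * not guaranteed NUL-terminated; wcsstr relies on it being so. */
                    if (wcsstr(ObjetNameInfor->Name.Buffer, L"Shine.txt") != 0)
                    {
                        DbgPrint("aaaaaaa");
                    }
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                DbgPrint("Exception:%x", GetExceptionCode());
            }

            if (ObjetNameInfor != NULL)
            {
                ExFreePool(ObjetNameInfor);
                ObjetNameInfor = NULL;
            }
        }

        for (i = 0; i < numKeys; i++)
        {
            if (pKeyData[i].MakeCode == 0x1d && pKeyData[i].Flags == KEY_MAKE)
            {
                bOk = TRUE; /* arm on Ctrl make */
            }

            if (pKeyData[i].MakeCode == 0x2e && pKeyData[i].Flags == KEY_MAKE && bOk == TRUE)
            {
                pKeyData[i].MakeCode = 0x20;
                bOk = FALSE;
                DbgPrint("aaaaaaaaaaaaaa");
            }
        }
    }

    gC2pKeyCount--;

    if (Irp->PendingReturned)
    {
        IoMarkIrpPending(Irp);
    }

    return Irp->IoStatus.Status;
}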
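/*
 * c2pDispatchRead - IRP_MJ_READ handler.
 *
 * Rejects an IRP that has no stack location left for the lower driver,
 * otherwise counts the request in gC2pKeyCount, installs c2pReadComplete as
 * the completion routine (success, error and cancel) and forwards the IRP.
 *
 * The original declared an event and a stack-location pointer it never
 * used; they are gone.
 *
 * NOTE(review): gC2pKeyCount++ is a plain increment paired with the plain
 * decrement in c2pReadComplete; concurrent reads on several processors can
 * lose an update. Not changed here.
 *
 * DeviceObject: our filter device.
 * Irp:          the read request.
 *
 * Return: STATUS_INVALID_DEVICE_REQUEST for a bogus stack location,
 * otherwise the IoCallDriver result.
 */
NTSTATUS c2pDispatchRead(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp )
{
    NTSTATUS status;
    PC2P_DEV_EXT devExt;

    if (Irp->CurrentLocation == 1)
    {
        KdPrint(("Dispatch encountered bogus current location\n"));
        status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Status = status;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return status;
    }

    /* Balanced by c2pReadComplete; c2pUnload waits for it to reach zero. */
    gC2pKeyCount++;

    devExt = (PC2P_DEV_EXT)DeviceObject->DeviceExtension;

    IoCopyCurrentIrpStackLocationToNext(Irp);
    IoSetCompletionRoutine(Irp, c2pReadComplete, DeviceObject, TRUE, TRUE, TRUE);
    return IoCallDriver(devExt->LowerDeviceObject, Irp);
}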
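/*
 * Service-table patching. 32-bit layout only: the table is addressed as
 * PSYSTEM_SERVICE_TABLE32 and entries are ULONG32, so function pointers are
 * truncated to 32 bits on the way in.
 *
 * c2pSwapServiceEntry writes NewEntry into slot Index of the table that
 * SSDTDescriptor points at, returning the previous entry through OldEntry
 * when requested. It does nothing when SSDTDescriptor was never resolved
 * (the original dereferenced the null descriptor). WPOFF/WPON are defined
 * outside this file; whatever they do, nothing here serialises against
 * other processors, so their contract has to be checked there.
 *
 * NOTE(review): Index is not range-checked against the table size; the
 * descriptor's count field is not visible from this file.
 */
static VOID c2pSwapServiceEntry(ULONG_PTR Index, ULONG32 NewEntry, ULONG32 *OldEntry)
{
    PULONG32 ServiceTableBase;

    if (SSDTDescriptor == 0)
    {
        return;
    }
    ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;

    if (OldEntry != NULL)
    {
        *OldEntry = ServiceTableBase[Index];
    }

    WPOFF();
    ServiceTableBase[Index] = NewEntry;
    WPON();
}

/*
 * HookSSDT - route NtSetInformationFile (slot ulIndex) to
 * Fake_NtSetInformationFileWinXP, saving the original entry.
 * A second call while already hooked is ignored: saving the thunk as the
 * "original" would make the thunk call itself.
 */
VOID HookSSDT(ULONG_PTR ulIndex)
{
    ULONG32 previous = 0;

    if (Old_NtSetInformationFileWinXP != NULL)
    {
        return;
    }
    c2pSwapServiceEntry(ulIndex, (ULONG32)Fake_NtSetInformationFileWinXP, &previous);
    Old_NtSetInformationFileWinXP = (pfnNtSetInformationFile)previous;
}

/*
 * HookWrite - route NtWriteFile (slot ulIndex) to Fake_NtWriteFileWinXP,
 * saving the original entry. Ignored when already hooked.
 */
VOID HookWrite(ULONG_PTR ulIndex)
{
    ULONG32 previous = 0;

    if (Old_NtWriteFileWinXP != NULL)
    {
        return;
    }
    c2pSwapServiceEntry(ulIndex, (ULONG32)Fake_NtWriteFileWinXP, &previous);
    Old_NtWriteFileWinXP = (pfnNtWriteFile)previous;
}

/*
 * HookDelete - route NtDeleteFile (slot ulIndex) to Fake_NtDeleteFileWinXP,
 * saving the original entry. Ignored when already hooked.
 */
VOID HookDelete(ULONG_PTR ulIndex)
{
    ULONG32 previous = 0;

    if (Old_NtDeleteFileWinXP != NULL)
    {
        return;
    }
    c2pSwapServiceEntry(ulIndex, (ULONG32)Fake_NtDeleteFileWinXP, &previous);
    Old_NtDeleteFileWinXP = (pfnNtDeleteFile)previous;
}

/*
 * UnHookSSDT - restore the saved NtSetInformationFile entry. Does nothing
 * when the service was never hooked (the original would have written a
 * null entry into the table), and forgets the saved entry afterwards so
 * a repeated call is harmless.
 */
VOID
UnHookSSDT(ULONG_PTR ulIndex)
{
    if (Old_NtSetInformationFileWinXP == NULL)
    {
        return;
    }
    c2pSwapServiceEntry(ulIndex, (ULONG32)Old_NtSetInformationFileWinXP, NULL);
    Old_NtSetInformationFileWinXP = NULL;
}

/*
 * UnHookSSDTWrite - restore the saved NtWriteFile entry; no-op if never
 * hooked, idempotent afterwards.
 */
VOID
UnHookSSDTWrite(ULONG_PTR ulIndex)
{
    if (Old_NtWriteFileWinXP == NULL)
    {
        return;
    }
    c2pSwapServiceEntry(ulIndex, (ULONG32)Old_NtWriteFileWinXP, NULL);
    Old_NtWriteFileWinXP = NULL;
}

/*
 * UnHookSSDTDelete - restore the saved NtDeleteFile entry; no-op if never
 * hooked, idempotent afterwards.
 */
VOID
UnHookSSDTDelete(ULONG_PTR ulIndex)
{
    if (Old_NtDeleteFileWinXP == NULL)
    {
        return;
    }
    c2pSwapServiceEntry(ulIndex, (ULONG32)Old_NtDeleteFileWinXP, NULL);
    Old_NtDeleteFileWinXP = NULL;
}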
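/* Path fragment the three thunks below protect. Matching is a case-sensitive
 * substring test, as the original wcsstr was: "D:\Shine.txt.bak" is also
 * blocked, "D:\SHINE.TXT" is not. */
static const WCHAR c2pProtectedPath[] = L"D:\\Shine.txt";

/* Pool tag for the temporary name copy (tag chosen for this file). */
#define C2P_POOL_TAG 'N2pc'

/*
 * c2pNameContains - length-bounded, case-sensitive substring search over a
 * UNICODE_STRING. A UNICODE_STRING need not be NUL-terminated, so wcsstr on
 * Name->Buffer (what the original did) may read past the buffer.
 *
 * Return: TRUE when Needle occurs inside the Name->Length bytes of Name.
 */
static BOOLEAN c2pNameContains(PCUNICODE_STRING Name, PCWSTR Needle)
{
    SIZE_T nameChars;
    SIZE_T needleChars;
    SIZE_T i;
    SIZE_T j;

    if (Name == NULL || Name->Buffer == NULL)
    {
        return FALSE;
    }
    nameChars = Name->Length / sizeof(WCHAR);
    needleChars = wcslen(Needle);
    if (needleChars == 0 || nameChars < needleChars)
    {
        return FALSE;
    }
    for (i = 0; i + needleChars <= nameChars; i++)
    {
        for (j = 0; j < needleChars; j++)
        {
            if (Name->Buffer[i + j] != Needle[j])
            {
                break;
            }
        }
        if (j == needleChars)
        {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * c2pHandleNamesProtectedFile - TRUE when FileHandle refers to a file whose
 * DOS path contains c2pProtectedPath.
 *
 * The handle comes from the system-call caller, so it is resolved with the
 * caller's previous mode and must be a file object (*IoFileObjectType). The
 * original passed KernelMode and no object type, which accepts a handle to
 * any kind of object and then casts it to PFILE_OBJECT, and it never checked
 * the return status, never released the reference and never freed the name
 * block. No access right is demanded (0): only the name is needed, and
 * demanding FILE_READ_DATA would let a write-only handle skip the check.
 * Every failure yields FALSE so the call falls through to the real service.
 * IoQueryFileDosDeviceName requires PASSIVE_LEVEL, which a system-call
 * thunk runs at.
 */
static BOOLEAN c2pHandleNamesProtectedFile(HANDLE FileHandle)
{
    NTSTATUS status;
    PFILE_OBJECT fileObject = NULL;
    POBJECT_NAME_INFORMATION nameInfo = NULL;
    BOOLEAN hit = FALSE;

    status = ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType,
                                       ExGetPreviousMode(), (PVOID *)&fileObject, NULL);
    if (!NT_SUCCESS(status))
    {
        return FALSE;
    }

    if (NT_SUCCESS(IoQueryFileDosDeviceName(fileObject, &nameInfo)))
    {
        hit = c2pNameContains(&nameInfo->Name, c2pProtectedPath);
        ExFreePool(nameInfo); /* caller-owned per the IoQueryFileDosDeviceName contract */
    }

    ObDereferenceObject(fileObject);
    return hit;
}

/*
 * c2pDeleteNamesProtectedFile - TRUE when ObjectAttributes->ObjectName
 * contains c2pProtectedPath.
 *
 * For a user-mode caller every pointer here is untrusted: the structures are
 * probed and captured under __try before use, the name bytes are copied to
 * pool so the comparison never touches caller memory twice, and the search
 * is length-bounded. The original dereferenced the caller's pointers
 * directly and ran wcsstr over them. A fault, a null name or an allocation
 * failure yields FALSE and the request proceeds to the real service, which
 * does its own validation.
 */
static BOOLEAN c2pDeleteNamesProtectedFile(POBJECT_ATTRIBUTES ObjectAttributes)
{
    KPROCESSOR_MODE mode = ExGetPreviousMode();
    UNICODE_STRING name;
    PWCHAR copy = NULL;
    BOOLEAN hit = FALSE;

    __try
    {
        if (mode != KernelMode)
        {
            ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), TYPE_ALIGNMENT(OBJECT_ATTRIBUTES));
        }
        if (ObjectAttributes->ObjectName == NULL)
        {
            return FALSE;
        }
        if (mode != KernelMode)
        {
            ProbeForRead(ObjectAttributes->ObjectName, sizeof(UNICODE_STRING), TYPE_ALIGNMENT(UNICODE_STRING));
        }
        name = *ObjectAttributes->ObjectName; /* capture once */
        if (name.Buffer == NULL || name.Length == 0)
        {
            return FALSE;
        }
        if (mode != KernelMode)
        {
            ProbeForRead(name.Buffer, name.Length, sizeof(WCHAR));
        }
        copy = (PWCHAR)ExAllocatePoolWithTag(PagedPool, name.Length, C2P_POOL_TAG);
        if (copy == NULL)
        {
            return FALSE;
        }
        RtlCopyMemory(copy, name.Buffer, name.Length);
        name.Buffer = copy;
        hit = c2pNameContains(&name, c2pProtectedPath);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        hit = FALSE;
    }

    if (copy != NULL)
    {
        ExFreePoolWithTag(copy, C2P_POOL_TAG);
    }
    return hit;
}

/*
 * Fake_NtSetInformationFileWinXP - SSDT thunk for NtSetInformationFile.
 *
 * Denies FileRenameInformation on the protected file with
 * STATUS_ACCESS_DENIED and passes everything else to the saved original.
 * The class is tested first so the handle lookup only happens for renames.
 *
 * NOTE(review): only renames are policed here. A delete requested through
 * this service (FileDispositionInformation) is not intercepted; NtDeleteFile
 * is hooked separately below.
 */
NTSTATUS Fake_NtSetInformationFileWinXP(
    __in HANDLE FileHandle,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_bcount(Length) PVOID FileInformation,
    __in ULONG Length,
    __in FILE_INFORMATION_CLASS FileInformationClass
    )
{
    if (FileInformationClass == FileRenameInformation && c2pHandleNamesProtectedFile(FileHandle))
    {
        return STATUS_ACCESS_DENIED;
    }
    return Old_NtSetInformationFileWinXP(FileHandle, IoStatusBlock, FileInformation, Length, FileInformationClass);
}

/*
 * Fake_NtWriteFileWinXP - SSDT thunk for NtWriteFile.
 *
 * Denies any write through a handle to the protected file with
 * STATUS_ACCESS_DENIED; everything else goes to the saved original.
 */
NTSTATUS
Fake_NtWriteFileWinXP (
    __in HANDLE FileHandle,
    __in_opt HANDLE Event,
    __in_opt PIO_APC_ROUTINE ApcRoutine,
    __in_opt PVOID ApcContext,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_bcount(Length) PVOID Buffer,
    __in ULONG Length,
    __in_opt PLARGE_INTEGER ByteOffset,
    __in_opt PULONG Key
    )
{
    if (c2pHandleNamesProtectedFile(FileHandle))
    {
        return STATUS_ACCESS_DENIED;
    }
    return Old_NtWriteFileWinXP(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
}

/*
 * Fake_NtDeleteFileWinXP - SSDT thunk for NtDeleteFile.
 *
 * Denies a delete whose object name contains the protected path with
 * STATUS_ACCESS_DENIED; everything else goes to the saved original.
 */
NTSTATUS Fake_NtDeleteFileWinXP(
    __in POBJECT_ATTRIBUTES ObjectAttributes
    )
{
    if (c2pDeleteNamesProtectedFile(ObjectAttributes))
    {
        return STATUS_ACCESS_DENIED;
    }
    return Old_NtDeleteFileWinXP(ObjectAttributes);
}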
/*
 * Look up an ntoskrnl/HAL export by name.
 *
 * wzFunctionName  NUL-terminated routine name, e.g. L"KeServiceDescriptorTable".
 *
 * Returns the address reported by MmGetSystemRoutineAddress, or NULL when
 * the name is NULL or empty (the lookup is skipped) or the routine is not
 * exported.
 */
PVOID
GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName)
{
    UNICODE_STRING routineName;

    /* An empty name would only make MmGetSystemRoutineAddress fail; skip it. */
    if (wzFunctionName == NULL || wzFunctionName[0] == L'\0') {
        return NULL;
    }

    RtlInitUnicodeString(&routineName, wzFunctionName);
    return MmGetSystemRoutineAddress(&routineName);
}
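/*
 * Find the system-service number of an Nt*/Zw* API by its export name.
 *
 * Maps \SystemRoot\System32\ntdll.dll as an image into the current process,
 * searches its export name table for szFindFunctionName (case-insensitive)
 * and reads the 32-bit value located IndexOffsetOfFunction bytes into the
 * exported stub.  IndexOffsetOfFunction is a file-scope value set elsewhere;
 * presumably it points at the immediate operand that holds the service number
 * in the stub — confirm against the code that initialises it.
 *
 * Returns the service number, -1 when the name is NULL, the export is missing,
 * its ordinal is out of range, or the stub could not be read (all logged via
 * DbgPrint), or STATUS_UNSUCCESSFUL when ntdll could not be mapped (kept for
 * existing callers).  The view is always unmapped before returning.
 */
LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
{
    NTSTATUS Status;
    PVOID MapBase = NULL;
    SIZE_T ViewSize = 0;
    PIMAGE_NT_HEADERS NtHeader;
    PIMAGE_EXPORT_DIRECTORY ExportTable;
    ULONG* FunctionAddresses;
    ULONG* FunctionNames;
    USHORT* FunctionOrdinals;
    ULONG i;
    ULONG Ordinal;
    CHAR* szFunctionName;
    ULONG_PTR ulFunctionAddress;
    LONG ServiceIndex = -1;   /* -1 = not found; a local, not the file-scope ulIndex */
    WCHAR wzNtdll[] = L"\\SystemRoot\\System32\\ntdll.dll";

    if (szFindFunctionName == NULL) {
        return -1;
    }

    Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
    if (!NT_SUCCESS(Status)) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Every RVA below comes from the mapped file, so the walk runs under
     * __try: a malformed header produces -1 instead of a bugcheck. */
    __try {
        NtHeader = RtlImageNtHeader(MapBase);
        if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
            ExportTable = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)MapBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
            FunctionAddresses = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfFunctions);
            FunctionNames = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfNames);
            FunctionOrdinals = (USHORT*)((ULONG_PTR)MapBase + ExportTable->AddressOfNameOrdinals);

            for (i = 0; i < ExportTable->NumberOfNames; i++) {
                szFunctionName = (CHAR*)((ULONG_PTR)MapBase + FunctionNames[i]);
                if (_stricmp(szFunctionName, szFindFunctionName) != 0) {
                    continue;
                }

                /* The name ordinal indexes AddressOfFunctions; bound it
                 * instead of trusting the file. */
                Ordinal = FunctionOrdinals[i];
                if (Ordinal < ExportTable->NumberOfFunctions) {
                    ulFunctionAddress = (ULONG_PTR)MapBase + FunctionAddresses[Ordinal];
                    ServiceIndex = (LONG)*(ULONG*)(ulFunctionAddress + IndexOffsetOfFunction);
                }
                break;
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        ServiceIndex = -1;
    }

    if (ServiceIndex == -1) {
        DbgPrint("%s Get Index Error\n", szFindFunctionName);
    }

    ZwUnmapViewOfSection(NtCurrentProcess(), MapBase);
    return ServiceIndex;
}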
/*
 * Map a file as an image section (SEC_IMAGE, copy-on-write) into a process.
 *
 * wzFilePath   NT path of the file, e.g. L"\\SystemRoot\\System32\\ntdll.dll".
 * hProcess     Target process handle; NULL selects the current process.
 * BaseAddress  Receives the view base.  The caller releases the view with
 *              ZwUnmapViewOfSection; the view keeps the section alive after
 *              the section handle is closed here.
 * ViewSize     Optional; receives the size of the mapped view.
 *
 * Returns STATUS_INVALID_PARAMETER for a NULL path or BaseAddress, otherwise
 * the status of the first failing IoCreateFile / ZwCreateSection /
 * ZwMapViewOfSection call, or the success status of the map.  The file and
 * section handles are closed on every path.
 */
NTSTATUS
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
                   OUT PVOID *BaseAddress,
                   OUT PSIZE_T ViewSize OPTIONAL)
{
    NTSTATUS status;
    HANDLE fileHandle = NULL;
    HANDLE sectionHandle = NULL;
    OBJECT_ATTRIBUTES attributes;
    IO_STATUS_BLOCK ioStatus;
    UNICODE_STRING ntPath;
    SIZE_T localViewSize = 0;
    PSIZE_T viewSizeOut = ViewSize ? ViewSize : &localViewSize;
    HANDLE targetProcess = hProcess ? hProcess : NtCurrentProcess();

    if (wzFilePath == NULL || BaseAddress == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    RtlInitUnicodeString(&ntPath, wzFilePath);
    InitializeObjectAttributes(&attributes,
                               &ntPath,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    status = IoCreateFile(&fileHandle,
                          GENERIC_READ | SYNCHRONIZE,
                          &attributes,
                          &ioStatus,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0,
                          CreateFileTypeNone,
                          NULL,
                          IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* The section is anonymous: reuse the attribute block without a name. */
    attributes.ObjectName = NULL;
    status = ZwCreateSection(&sectionHandle,
                             SECTION_QUERY | SECTION_MAP_READ,
                             &attributes,
                             NULL,
                             PAGE_WRITECOPY,
                             SEC_IMAGE,
                             fileHandle);
    ZwClose(fileHandle);       /* a created section holds its own file reference */
    if (!NT_SUCCESS(status)) {
        return status;
    }

    status = ZwMapViewOfSection(sectionHandle,
                                targetProcess,
                                BaseAddress,
                                0,
                                0,
                                0,
                                viewSizeOut,
                                ViewUnmap,
                                0,
                                PAGE_WRITECOPY);
    ZwClose(sectionHandle);    /* the mapped view (if any) keeps the section alive */
    return status;
}
/*
 * Read entry ulIndex of a 32-bit system service table.
 *
 * ulIndex         Service number (zero-based slot in the table).
 * SSDTDescriptor  Address of the SYSTEM_SERVICE_TABLE32 to read from.
 *
 * Returns the 32-bit value stored in that slot (the service routine address
 * on x86).  No range check is performed here — the caller must keep ulIndex
 * within the table it passes.
 */
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
    PSYSTEM_SERVICE_TABLE32 table = (PSYSTEM_SERVICE_TABLE32)SSDTDescriptor;
    ULONG_PTR tableBase = (ULONG)(table->ServiceTableBase);
    /* Slots are 4 bytes wide in the 32-bit table layout. */
    ULONG_PTR slotAddress = tableBase + ulIndex * sizeof(ULONG);

    return *(PULONG_PTR)slotAddress;
}
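/* CR0.WP (bit 16): while set, supervisor-mode writes honour page-level
 * read-only protection. */
#define CR0_WP_BIT ((ULONG_PTR)1 << 16)

/*
 * Clear CR0.WP on the current CPU so read-only pages can be written.
 *
 * The IRQL is raised to DISPATCH_LEVEL first and saved in the file-scope Irql
 * so the thread is neither preempted nor moved to another CPU (whose CR0 is
 * untouched) before WPON() restores both.  WPOFF/WPON must be used as a pair
 * on the same thread with nothing in between that requires PASSIVE_LEVEL.
 *
 * The mask is a typed ULONG_PTR expression; the previous 64-bit literal
 * 0xfffffffffffeffff only worked on x86 through truncation.
 */
VOID WPOFF(VOID)
{
    ULONG_PTR cr0;

    Irql = KeRaiseIrqlToDpcLevel();
    cr0 = __readcr0();
    cr0 &= ~CR0_WP_BIT;
    __writecr0(cr0);
}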
/*
 * Restore write protection after WPOFF(): set CR0.WP (bit 16) on the current
 * CPU and lower the IRQL back to the level WPOFF() saved in the file-scope
 * Irql.  Must be called on the same thread that called WPOFF().
 */
VOID WPON(VOID)
{
    ULONG_PTR cr0 = __readcr0() | 0x10000;   /* CR0.WP */

    __writecr0(cr0);
    KeLowerIrql(Irql);
}