#include "SSSDT.h"
/* Address of the shadow system service table (SSSDT) descriptor. The
 * accessors below cast it to PSYSTEM_SERVICE_TABLE64 / PSYSTEM_SERVICE_TABLE32
 * and dereference it without checking; it is resolved elsewhere in the
 * project (presumably 0 until then - confirm against the definition). */
extern ULONG_PTR SSSDTDescriptor;

/* This driver's own DRIVER_OBJECT. Its DriverSection is used as the starting
 * entry when walking the loaded-module list (GetSysModuleByLdrDataTable*). */
extern PDRIVER_OBJECT CurrentDriverObject;

/* Image base and size of the module most recently found by
 * GetSysModuleByLdrDataTable ("Bsse" is the spelling used project-wide). */
extern PVOID SysModuleBsse;
extern ULONG_PTR ulSysModuleSize;
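/*
 * Resolve the address of shadow service table (SSSDT) entry ulIndex on a
 * 64-bit kernel.
 *
 * The 64-bit table is an array of 32-bit entries (read through PLONG, stride
 * 4). The upper bits of an entry hold a signed offset from ServiceTableBase -
 * hence the arithmetic >> 4 on a LONG, which keeps the sign for routines that
 * sit below the table - and the low 4 bits are not part of the offset and are
 * discarded here.
 *
 * @param ulIndex  Service number (index into the table). No range check is
 *                 performed against the table's service count; the caller is
 *                 responsible for passing a valid index.
 * @return Absolute address of the service routine, or NULL when
 *         SSSDTDescriptor has not been resolved (is 0).
 */
PVOID GetSSSDTFunctionAddress64(ULONG ulIndex)
{
    PSYSTEM_SERVICE_TABLE64 SSSDT = (PSYSTEM_SERVICE_TABLE64)SSSDTDescriptor;
    ULONG_PTR ServiceTableBase;
    ULONG_PTR EntryAddress;
    LONG Offset;

    /* The descriptor is located at runtime elsewhere; do not dereference 0. */
    if (SSSDT == NULL) {
        return NULL;
    }

    ServiceTableBase = (ULONG_PTR)(SSSDT->ServiceTableBase);

    /* Widen the index before multiplying so the stride math is pointer-sized. */
    EntryAddress = ServiceTableBase + 4 * (ULONG_PTR)ulIndex;
    Offset = *(PLONG)EntryAddress;

    /* Arithmetic shift on a signed LONG: negative offsets stay negative. */
    Offset = Offset >> 4;

    /* Sign-extending the LONG to ULONG_PTR makes the addition wrap correctly
     * for negative offsets. */
    return (PVOID)(ServiceTableBase + (ULONG_PTR)Offset);
}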
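/*
 * Resolve the address of shadow service table (SSSDT) entry ulIndex on a
 * 32-bit kernel.
 *
 * The 32-bit table stores absolute routine addresses, one per entry, read at
 * a 4-byte stride through PULONG_PTR. NOTE(review): the 4-byte stride and the
 * pointer-sized read only agree when ULONG_PTR is 4 bytes, i.e. in a 32-bit
 * build; ResumeSSSDTInlineHook only calls this under #else of _WIN64.
 *
 * @param ulIndex  Service number (index into the table). Not range-checked;
 *                 the caller must pass a valid index.
 * @return Absolute address of the service routine, or NULL when
 *         SSSDTDescriptor has not been resolved (is 0).
 */
PVOID GetSSSDTFunctionAddress32(ULONG ulIndex)
{
    PSYSTEM_SERVICE_TABLE32 SSSDT = (PSYSTEM_SERVICE_TABLE32)SSSDTDescriptor;
    ULONG_PTR ServiceTableBase;
    ULONG_PTR EntryAddress;

    /* The descriptor is located at runtime elsewhere; do not dereference 0. */
    if (SSSDT == NULL) {
        return NULL;
    }

    ServiceTableBase = (ULONG_PTR)(SSSDT->ServiceTableBase);
    EntryAddress = ServiceTableBase + 4 * (ULONG_PTR)ulIndex;

    return (PVOID)(*(PULONG_PTR)EntryAddress);
}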
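/*
 * Bounded substring search over a counted UNICODE_STRING.
 *
 * The loader's BaseDllName is a UNICODE_STRING (Length in bytes, Buffer not
 * guaranteed to be NUL-terminated), so calling wcsstr() on Buffer can read
 * past the end of the name. This only touches the Length bytes the string
 * owns. An empty Needle always matches, mirroring wcsstr().
 *
 * @return TRUE when Needle occurs in Str; FALSE otherwise or when either
 *         pointer (or Str->Buffer) is NULL.
 */
static BOOLEAN UnicodeStringContains(const UNICODE_STRING *Str, const WCHAR *Needle)
{
    SIZE_T StrChars;
    SIZE_T NeedleChars;
    SIZE_T Pos;

    if (Str == NULL || Str->Buffer == NULL || Needle == NULL) {
        return FALSE;
    }

    StrChars = Str->Length / sizeof(WCHAR);
    NeedleChars = wcslen(Needle);

    if (NeedleChars == 0) {
        return TRUE;
    }
    if (NeedleChars > StrChars) {
        return FALSE;
    }

    for (Pos = 0; Pos + NeedleChars <= StrChars; Pos++) {
        if (memcmp(&Str->Buffer[Pos], Needle, NeedleChars * sizeof(WCHAR)) == 0) {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * Find a loaded kernel module whose base name contains wzModuleName and
 * record its image base and size in SysModuleBsse / ulSysModuleSize.
 *
 * Walks the loader's InLoadOrderLinks ring starting at this driver's own
 * entry (CurrentDriverObject->DriverSection). Every entry of the ring is
 * examined, including the one whose Flink points back at the starting entry
 * (the previous while-loop form stopped one entry short). NOTE(review): if
 * the ring also passes through a bare list-head node rather than only full
 * KLDR_DATA_TABLE_ENTRY records, the Buffer NULL test is the only guard on
 * that node - confirm against the loader layout in use.
 *
 * @param wzModuleName  NUL-terminated substring to look for in BaseDllName
 *                      (case-sensitive, as with the wcsstr() it replaces).
 * @return TRUE with the globals updated on a match; FALSE when
 *         CurrentDriverObject is NULL, wzModuleName is NULL, or nothing
 *         matches (globals untouched).
 */
BOOLEAN GetSysModuleByLdrDataTable(WCHAR* wzModuleName)
{
    PKLDR_DATA_TABLE_ENTRY ListHead;
    PKLDR_DATA_TABLE_ENTRY ListNext;

    if (CurrentDriverObject == NULL || wzModuleName == NULL) {
        return FALSE;
    }

    ListHead = (PKLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection; //dt _DriverObject
    ListNext = ListHead;

    /* do/while: test the current entry first, then advance, so the last entry
     * before ListHead is not skipped. */
    do {
        if (ListNext->BaseDllName.Buffer != NULL &&
            UnicodeStringContains(&ListNext->BaseDllName, wzModuleName)) {
            SysModuleBsse = (PVOID)(ListNext->DllBase);
            ulSysModuleSize = ListNext->SizeOfImage;
            return TRUE;
        }
        ListNext = (PKLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink;
    } while (ListNext != ListHead);

    return FALSE;
}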
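/*
 * Find the loaded module whose image contains Address and copy its full name
 * (FullDllName) into wzModuleName.
 *
 * Walks the loader's InLoadOrderLinks ring from this driver's own entry
 * (CurrentDriverObject->DriverSection); every entry is examined, including
 * the one whose Flink points back at the start. An address equal to a
 * module's base is treated as inside that module (the earlier `>` test
 * excluded it).
 *
 * @param Address       Kernel address to look up.
 * @param wzModuleName  Output buffer of at least 60 WCHARs (the size the
 *                      original fixed-length copy assumed). On success it
 *                      receives the name NUL-terminated, truncated to 59
 *                      characters if longer; only the name's own Length bytes
 *                      are read from the loader entry. Untouched on failure.
 * @return TRUE when a containing module with a name buffer was found; FALSE
 *         otherwise (also when CurrentDriverObject or wzModuleName is NULL).
 */
BOOLEAN GetSysModuleByLdrDataTable1(PVOID Address, WCHAR* wzModuleName)
{
    enum { SYS_MODULE_NAME_CCH = 60 }; /* caller's buffer size, in WCHARs */
    PKLDR_DATA_TABLE_ENTRY ListHead;
    PKLDR_DATA_TABLE_ENTRY ListNext;
    ULONG_PTR Target = (ULONG_PTR)Address;

    if (CurrentDriverObject == NULL || wzModuleName == NULL) {
        return FALSE;
    }

    ListHead = (PKLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection; //dt _DriverObject
    ListNext = ListHead;

    /* do/while so the entry preceding ListHead in the ring is also checked. */
    do {
        ULONG_PTR ModuleBase = (ULONG_PTR)ListNext->DllBase;
        ULONG_PTR ModuleSize = (ULONG_PTR)ListNext->SizeOfImage;

        /* A zero base is not a mapped image; skip it rather than range-test
         * against [0, size). */
        if (ModuleBase != 0 && Target >= ModuleBase && Target < ModuleBase + ModuleSize) {
            const UNICODE_STRING *Name = &ListNext->FullDllName;
            SIZE_T CopyChars;

            if (Name->Buffer == NULL) {
                return FALSE;
            }

            /* Copy only what the counted string owns, leave room for the NUL. */
            CopyChars = Name->Length / sizeof(WCHAR);
            if (CopyChars > SYS_MODULE_NAME_CCH - 1) {
                CopyChars = SYS_MODULE_NAME_CCH - 1;
            }
            memcpy(wzModuleName, Name->Buffer, CopyChars * sizeof(WCHAR));
            wzModuleName[CopyChars] = L'\0';
            return TRUE;
        }
        ListNext = (PKLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink;
    } while (ListNext != ListHead);

    return FALSE;
}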
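/*
 * Restore the 64-bit shadow service table (SSSDT) entry for service ulIndex
 * so that it resolves to OriginalFunctionAddress again.
 *
 * Entries are 32-bit: the routine's offset from ServiceTableBase lives in the
 * upper bits (GetSSSDTFunctionAddress64 reads it back with >> 4) and the low
 * 4 bits are not part of the offset. Those low bits are carried over from the
 * current entry instead of being zeroed as before: the reader discards them,
 * so they carry per-service data the table owner uses, and clobbering them
 * would leave the service broken even though its address is correct.
 * NOTE(review): the offset has to fit in the 28 upper bits (routine within
 * +/-128 MiB of the table); this cannot be reported from a VOID function and
 * is not checked here.
 *
 * Writes the entry with write protection lifted (WPOFF/WPON). Does nothing
 * when SSSDTDescriptor has not been resolved (is 0).
 *
 * @param ulIndex                  Service number (index into the table).
 * @param OriginalFunctionAddress  Absolute address the entry should resolve to.
 */
VOID UnHookSSSDTWin7(ULONG ulIndex, ULONG_PTR OriginalFunctionAddress)
{
    PSYSTEM_SERVICE_TABLE64 SSSDT = (PSYSTEM_SERVICE_TABLE64)SSSDTDescriptor;
    ULONG_PTR ServiceTableBase;
    PLONG Entry;
    ULONG Offset;
    LONG NewEntry;

    if (SSSDT == NULL) {
        return;
    }

    ServiceTableBase = (ULONG_PTR)(SSSDT->ServiceTableBase);
    Entry = (PLONG)(ServiceTableBase + 4 * (ULONG_PTR)ulIndex);

    /* Unsigned arithmetic on purpose: the routine may lie below the table, and
     * the truncated two's-complement offset is what the << 4 encodes. */
    Offset = (ULONG)(OriginalFunctionAddress - ServiceTableBase);

    /* Reading the entry needs no WPOFF; only the store does. */
    NewEntry = (LONG)((Offset << 4) | ((ULONG)*Entry & 0xFu));

    WPOFF();
    *Entry = NewEntry;
    WPON();
}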
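/*
 * Restore the 32-bit shadow service table (SSSDT) entry for service ulIndex
 * so that it holds OriginalFunctionAddress again.
 *
 * The 32-bit table stores absolute addresses (GetSSSDTFunctionAddress32 reads
 * them back directly), so the value is written as-is, truncated to ULONG as
 * in the original store. Writes with write protection lifted (WPOFF/WPON).
 * Does nothing when SSSDTDescriptor has not been resolved (is 0).
 *
 * @param ulIndex                  Service number (index into the table).
 * @param OriginalFunctionAddress  Absolute address to store in the entry.
 */
VOID UnHookSSSDTWinXP(ULONG ulIndex, ULONG_PTR OriginalFunctionAddress)
{
    PSYSTEM_SERVICE_TABLE32 SSSDT = (PSYSTEM_SERVICE_TABLE32)SSSDTDescriptor;
    ULONG_PTR ServiceTableBase;
    PLONG Entry;

    if (SSSDT == NULL) {
        return;
    }

    ServiceTableBase = (ULONG_PTR)(SSSDT->ServiceTableBase);
    Entry = (PLONG)(ServiceTableBase + 4 * (ULONG_PTR)ulIndex);

    WPOFF();
    *Entry = (ULONG)OriginalFunctionAddress;
    WPON();
}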
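/*
 * Write the saved original bytes back over the first CODE_LENGTH bytes of the
 * routine behind shadow service table entry ulIndex, undoing an inline
 * (code-patch) hook on it.
 *
 * The routine address is resolved through GetSSSDTFunctionAddress64 or
 * GetSSSDTFunctionAddress32 depending on the build; the copy is done by
 * SafeCopyMemory with write protection lifted (WPOFF/WPON).
 *
 * @param ulIndex                 Service number (index into the table).
 * @param szOriginalFunctionCode  Saved original bytes; must hold at least
 *                                CODE_LENGTH bytes.
 * @return FALSE when szOriginalFunctionCode is NULL or the routine address
 *         could not be resolved (NULL); TRUE once the copy was attempted.
 *         SafeCopyMemory's own result is not consulted, so TRUE means
 *         "attempted", not "verified".
 */
BOOLEAN ResumeSSSDTInlineHook(ULONG ulIndex, UCHAR* szOriginalFunctionCode)
{
    PVOID CurrentFunctionAddress;

    if (szOriginalFunctionCode == NULL) {
        return FALSE;
    }

#ifdef _WIN64
    CurrentFunctionAddress = GetSSSDTFunctionAddress64(ulIndex);
#else
    CurrentFunctionAddress = GetSSSDTFunctionAddress32(ulIndex);
#endif

    /* Never hand a NULL destination to the copy. */
    if (CurrentFunctionAddress == NULL) {
        return FALSE;
    }

    WPOFF();
    SafeCopyMemory(CurrentFunctionAddress, szOriginalFunctionCode, CODE_LENGTH);
    WPON();

    return TRUE;
}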