parent
8080e9d7d3
commit
94f523ced9
@ -3,15 +3,11 @@
# include "FileProtectX86.h"
#endif
ULONG gC2pKeyCount = 0;
PDRIVER_OBJECT gDriverObject = NULL;
BOOLEAN bOk = FALSE;
ULONG_PTR IndexOffsetOfFunction = 0;
ULONG_PTR SSDTDescriptor = 0;
KIRQL Irql;
@ -22,15 +18,11 @@ pfnNtSetInformationFile Old_NtSetInformationFileWinXP = NULL;
pfnNtDeleteFile Old_NtDeleteFileWinXP = NULL;
//pfnNtCreateFile Old_NtCreateFileWinXP = NULL;
pfnNtWriteFile Old_NtWriteFileWinXP = NULL;
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
ULONG i;
NTSTATUS status;
// 填写所有的分发函数的指针
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
@ -55,14 +47,8 @@ NTSTATUS
// 绑定所有键盘设备
status =c2pAttachDevices(DriverObject, RegisterPath);
#ifdef _WIN64
// SSDTDescriptor = GetKeServiceDescriptorTable64(); //获取SSDT表
// IndexOffsetOfFunction = 4;
#else
SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable");
IndexOffsetOfFunction = 1;
#endif
ulIndex = GetSSDTApiFunctionIndexFromNtdll("NtSetInformationFile");
ulIndex1 = GetSSDTApiFunctionIndexFromNtdll("NtWriteFile");
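Review bot: ulIndex and ulIndex1 are taken straight from GetSSDTApiFunctionIndexFromNtdll, but that function returns STATUS_UNSUCCESSFUL as its LONG result when the ntdll mapping fails (hunk at -705), and neither this hunk nor the next one (-72) rejects that value before HookWrite(ulIndex1) and HookDelete(ulIndex2) use it as a service-table index, so a lookup failure becomes an out-of-bounds write into kernel memory. SSDTDescriptor has the same problem: GetFunctionAddressByNameFromNtosExport can presumably return NULL and the hook routines dereference it unchecked, and `status = c2pAttachDevices(...)` is assigned but never examined. If the index variables share the helper's LONG type, a guard such as `if (!SSDTDescriptor || ulIndex < 0 || ulIndex1 < 0 || ulIndex2 < 0) return STATUS_UNSUCCESSFUL;` placed after the lookups would stop the bad value from reaching the hooks; their declarations and the ulIndex2 assignment are outside this hunk. DriverEntry begins in the previous hunk and ends in the next one.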
@ -72,9 +58,7 @@ NTSTATUS
HookWrite(ulIndex1);
HookDelete(ulIndex2);
return STATUS_SUCCESS;
}
@ -357,14 +341,11 @@ NTSTATUS c2pReadComplete(
// 获得这个缓冲区的长度。一般的说返回值有多长都保存在
// Information中。
buf_len = Irp->IoStatus.Information;
numKeys = Irp->IoStatus.Information / sizeof(KEYBOARD_INPUT_DATA);
__try
{
if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)IrpSp->FileObject, &ObjetNameInfor)))
{
if(wcsstr(ObjetNameInfor->Name.Buffer,L"Shine.txt")!=0)
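Review bot: IoQueryFileDosDeviceName is documented as callable only at PASSIVE_LEVEL, yet it is invoked from c2pReadComplete, which by its name and the IoCallDriver path in c2pDispatchRead is presumably the read-completion routine and can run at DISPATCH_LEVEL; the surrounding __try does not protect against the resulting IRQL bugcheck, so the name lookup should move to a work item or be replaced by state captured in the dispatch routine. Separately, buf_len and numKeys are derived from Irp->IoStatus.Information without first checking the completion status, so a failed read can yield a stale count; a guard such as `if (!NT_SUCCESS(Irp->IoStatus.Status)) numKeys = 0;` before the division keeps the loop from walking stale data. Whether ObjetNameInfor is released with ExFreePool afterwards is not visible here, and the function starts and ends outside the hunk.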
@ -379,34 +360,27 @@ NTSTATUS c2pReadComplete(
}
//通过EProcess获得进程名称
//ͨ¹ýProcess»ñµÃ½ø³ÌÃû³Æ
for(i = 0; i < numKeys; i++)
{
// DbgPrint("%02X %d\n",pKeyData[i].MakeCode,pKeyData[i].Flags);
if(pKeyData[i].MakeCode == 0x1d&&pKeyData[i].Flags ==KEY_MAKE)
if(pKeyData[i].MakeCode == 0x1d && pKeyData[i].Flags == KEY_MAKE)
{
//左Ctrl
bOk = TRUE;
}
if(pKeyData[i].MakeCode == 0x2e&&pKeyData[i].Flags==KEY_MAKE&&bOk==TRUE) //按下
if(pKeyData[i].MakeCode == 0x2e && pKeyData[i].Flags == KEY_MAKE && bOk == TRUE ) //°´ÏÂ
{
pKeyData[i].MakeCode = 0x20;
bOk = FALSE;
DbgPrint("aaaaaaaaaaaaaa");
}
}
//… 这里可以做进一步的处理。我这里很简单的打印出所有的扫
// 描码。
// for(i=0;i<buf_len;++i)
// {
//DbgPrint("ctrl2cap: %2x\r\n", buf[i]);
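Review bot: The new-side comments `//ͨ¹ýProcess»ñµÃ½ø³ÌÃû³Æ` and `//°´ÏÂ` are mojibake (a GBK comment decoded as Latin-1) where the lines they replace, `//通过EProcess获得进程名称` and `//按下`, were readable, which suggests the file was re-saved in a different code page; they should read `// Obtain the process name via EPROCESS` and `// key pressed`, and the file should be saved in one encoding consistently. `DbgPrint("aaaaaaaaaaaaaa");` inside the remap branch looks like a leftover debug trace and should be removed or given a message that names the event. The make-code state `bOk` is a file-scope global, so keystroke state from one keyboard device or completion can bleed into another; if that matters it belongs in the device extension. The enclosing function starts and ends outside the hunk.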
@ -463,74 +437,51 @@ NTSTATUS c2pDispatchRead(
return IoCallDriver( devExt->LowerDeviceObject, Irp );
}
VOID HookSSDT(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
Old_NtSetInformationFileWinXP = (pfnNtSetInformationFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtSetInformationFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
WPON();
}
VOID HookWrite(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
Old_NtWriteFileWinXP = (pfnNtWriteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtWriteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
WPON();
}
VOID HookDelete(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase; //数组首地址
Old_NtDeleteFileWinXP = (pfnNtDeleteFile)ServiceTableBase[ulIndex]; //先保存原先的函数地址
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Fake_NtDeleteFileWinXP; //将KeBugCheckEx函数的偏移地址放入SSDT表中
WPON();
}
VOID
UnHookSSDT(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Old_NtSetInformationFileWinXP;
WPON();
}
VOID
UnHookSSDTWrite(ULONG_PTR ulIndex)
{
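Review bot: HookSSDT, HookWrite and HookDelete write ServiceTableBase[ulIndex] without checking ulIndex against the table's entry count, so a bad index (the lookup helper returns an NTSTATUS on failure) overwrites an arbitrary kernel dword while write protection is off; assuming SYSTEM_SERVICE_TABLE32 carries a NumberOfServices field like the removed 64-bit struct does, each routine should begin with `if (!SSDTDescriptor || ulIndex >= ((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->NumberOfServices) return;`. The three routines are otherwise line-for-line copies and could be one static helper taking the replacement pointer and the address of the saved original. The comment `//将KeBugCheckEx函数的偏移地址放入SSDT表中` on each store is stale — nothing here involves KeBugCheckEx — and should describe what is actually stored. UnHookSSDTWrite, opened on the hunk's last line, continues in the next hunk.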
@ -544,25 +495,18 @@ VOID
}
VOID
UnHookSSDTDelete(ULONG_PTR ulIndex)
{
PULONG32 ServiceTableBase = NULL;
ServiceTableBase=(PULONG32)((PSYSTEM_SERVICE_TABLE32)SSDTDescriptor)->ServiceTableBase;
WPOFF();
ServiceTableBase[ulIndex] = (ULONG32)Old_NtDeleteFileWinXP;
WPON();
}
NTSTATUS Fake_NtSetInformationFileWinXP(
__in HANDLE FileHandle,
__out PIO_STATUS_BLOCK IoStatusBlock,
@ -582,14 +526,14 @@ NTSTATUS Fake_NtSetInformationFileWinXP(
{
if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt"))
{
if(FileInformationClass==FileRenameInformation)
if(FileInformationClass == FileRenameInformation)
{
return;
return STATUS_ACCESS_DENIED;
}
}
}
Old_NtSetInformationFileWinXP(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
return Old_NtSetInformationFileWinXP(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
}
NTSTATUS
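Review bot: The protection check `wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt")` is a case-sensitive substring match on paths that the filesystem treats case-insensitively, so `d:\shine.txt` is not matched while `D:\Shine.txt.bak` is; the same pattern appears in the hunks at -618 and -632 and in c2pReadComplete. A bounded, case-insensitive comparison over Name.Length — for example RtlEqualUnicodeString against a UNICODE_STRING constant with CaseInSensitive set — fixes both points, and also avoids relying on a NUL terminator that a UNICODE_STRING Buffer does not guarantee. The new `return STATUS_ACCESS_DENIED;` leaves without releasing ObjetNameInfor; if it was obtained from IoQueryFileDosDeviceName as in c2pReadComplete it must be freed with ExFreePool on both the deny and pass-through paths, but the allocation is outside this hunk. The function starts outside the hunk.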
@ -605,8 +549,6 @@ NTSTATUS
__in_opt PULONG Key
)
{
NTSTATUS Status;
PFILE_OBJECT hObject;
POBJECT_NAME_INFORMATION ObjetNameInfor;
@ -618,11 +560,11 @@ NTSTATUS
{
if(wcsstr((ObjetNameInfor->Name).Buffer,L"D:\\Shine.txt"))
{
return;
return STATUS_ACCESS_DENIED;
}
}
Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
return Old_NtWriteFileWinXP(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
}
@ -632,10 +574,9 @@ NTSTATUS Fake_NtDeleteFileWinXP(
{
if(wcsstr((ObjectAttributes->ObjectName)->Buffer,L"D:\\Shine.txt"))
{
return;
return STATUS_ACCESS_DENIED;
}
Old_NtDeleteFileWinXP(ObjectAttributes);
return Old_NtDeleteFileWinXP(ObjectAttributes);
}
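Review bot: `(ObjectAttributes->ObjectName)->Buffer` is dereferenced directly inside a system-service hook, where ObjectAttributes comes from the user-mode caller whenever PreviousMode is UserMode; without ProbeForRead under __try/__except, a malformed or unmapped pointer from any process bugchecks the machine instead of producing an error return. The hook should capture ObjectAttributes and ObjectName into kernel copies (probing the Buffer over ObjectName->Length bytes) before inspecting them, and compare with a length-bounded, case-insensitive routine rather than wcsstr, which assumes a terminator the UNICODE_STRING contract does not provide. Fake_NtDeleteFileWinXP begins outside the hunk.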
@ -655,36 +596,6 @@ PVOID
return FunctionAddress;
}
PVOID GetKeServiceDescriptorTable64()
{
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
PUCHAR i = NULL;
UCHAR b1=0,b2=0,b3=0;
ULONG_PTR ulv1 = 0;
PVOID FunctionAddress = 0;
for(i=StartSearchAddress;i<EndSearchAddress;i++)
{
if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
{
b1=*i;
b2=*(i+1);
b3=*(i+2);
if( b1==0x4c && b2==0x8d && b3==0x15 )
{
memcpy(&ulv1,i+3,4);
FunctionAddress = (ULONG_PTR)ulv1 + (ULONG_PTR)i + 7;
return FunctionAddress;
}
}
}
return 0;
}
LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
@ -705,9 +616,7 @@ LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
if (!NT_SUCCESS(Status))
{
return STATUS_UNSUCCESSFUL;
}
else
{
@ -745,10 +654,6 @@ LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName)
return ulIndex;
}
NTSTATUS
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
OUT PVOID *BaseAddress,
@ -808,7 +713,6 @@ NTSTATUS
if (!NT_SUCCESS(Status))
{
return Status;
}
if (!hProcess){
@ -835,10 +739,6 @@ NTSTATUS
return Status;
}
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
ULONG_PTR ServiceTableBase= 0 ;
@ -849,23 +749,6 @@ ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDe
return (*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex));
}
ULONG_PTR GetFunctionAddressByIndexFromSSDT64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
LONG ulv1 = 0;
ULONG_PTR ulv2 = 0;
ULONG_PTR ServiceTableBase= 0 ;
PSYSTEM_SERVICE_TABLE64 SSDT = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor;
ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
ulv2 = ServiceTableBase + 4 * ulIndex;
ulv1 = *(PLONG)ulv2;
ulv1 = ulv1>>4;
return ServiceTableBase + (ULONG_PTR)ulv1;
}
VOID WPOFF()
{
ULONG_PTR cr0 = 0;
@ -873,16 +756,14 @@ VOID WPOFF()
cr0 =__readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
// _disable(); //这句话 屏蔽也没有啥
//_disable();
}
VOID WPON()
{
ULONG_PTR cr0=__readcr0();
cr0 |= 0x10000;
// _enable(); //这句话 屏蔽也没有啥
//_enable();
__writecr0(cr0);
KeLowerIrql(Irql);
}
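Review bot: In WPOFF, `cr0 &= 0xfffffffffffeffff;` is a 64-bit literal in what the file name marks as the x86 build, where ULONG_PTR is 32 bits, so the constant is silently truncated and the intent is obscured; `cr0 &= ~(ULONG_PTR)0x10000;` names the same bit that `cr0 |= 0x10000;` sets in WPON. WPON lowers to the file-scope `Irql`, but no matching raise is visible in this hunk's part of WPOFF, and a single global KIRQL is unsafe if two processors are inside a WPOFF/WPON pair at the same time; if the raise happens in the lines before the hunk, returning the saved KIRQL from WPOFF and passing it to WPON removes the shared state. The commented-out `//_disable();` and `//_enable();` lines are dead code and should be dropped. WPOFF starts outside the hunk.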
@ -15,14 +15,6 @@ NTSTATUS
#define SEC_IMAGE 0x01000000
typedef struct _SYSTEM_SERVICE_TABLE64{
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
ULONG64 NumberOfServices;
PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64;
typedef struct _SYSTEM_SERVICE_TABLE32 {
PVOID ServiceTableBase;
PVOID ServiceCounterTableBase;
@ -147,9 +139,6 @@ NTSYSAPI
RtlImageNtHeader(PVOID Base);
PVOID GetFunctionAddressByNameFromSSDT(CHAR* szFunctionName,ULONG_PTR SSDTDescriptor);
ULONG_PTR GetFunctionAddressByIndexFromSSDT64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
PVOID GetKeServiceDescriptorTable64();
ULONG_PTR GetFunctionAddressByIndexFromSSDT32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
PVOID
GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);