parent
5c9f3b9caa
commit
c5f8f3c489
|
@ -5,179 +5,179 @@
|
|||
|
||||
/*创建文件对象,相当于自己实现了IoCreateFile FileObject中的IrpList循环指向自身*/
|
||||
NTSTATUS
|
||||
IrpCreateFile(
|
||||
IN PUNICODE_STRING FilePath,
|
||||
IN ACCESS_MASK DesiredAccess,
|
||||
IN ULONG FileAttributes,
|
||||
IN ULONG ShareAccess,
|
||||
IN ULONG CreateDisposition,
|
||||
IN ULONG CreateOptions,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
IN PDEVICE_OBJECT RealDevice,
|
||||
OUT PFILE_OBJECT *FileObject
|
||||
)
|
||||
IrpCreateFile(
|
||||
IN PUNICODE_STRING FilePath,
|
||||
IN ACCESS_MASK DesiredAccess,
|
||||
IN ULONG FileAttributes,
|
||||
IN ULONG ShareAccess,
|
||||
IN ULONG CreateDisposition,
|
||||
IN ULONG CreateOptions,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
IN PDEVICE_OBJECT RealDevice,
|
||||
OUT PFILE_OBJECT *FileObject
|
||||
)
|
||||
{
|
||||
NTSTATUS ntStatus;
|
||||
NTSTATUS ntStatus;
|
||||
|
||||
HANDLE hFile;
|
||||
PFILE_OBJECT _FileObject;
|
||||
UNICODE_STRING UniDeviceNameString;
|
||||
OBJECT_ATTRIBUTES ObjectAttributes;
|
||||
IO_STATUS_BLOCK IoStatusBlock;
|
||||
WCHAR *FileNameBuffer=NULL;
|
||||
WORD FileObjectSize;
|
||||
HANDLE hFile;
|
||||
PFILE_OBJECT _FileObject;
|
||||
UNICODE_STRING UniDeviceNameString;
|
||||
OBJECT_ATTRIBUTES ObjectAttributes;
|
||||
IO_STATUS_BLOCK IoStatusBlock;
|
||||
WCHAR *FileNameBuffer=NULL;
|
||||
WORD FileObjectSize;
|
||||
|
||||
|
||||
PIRP Irp;
|
||||
KEVENT kEvent;
|
||||
PIO_STACK_LOCATION IrpSp;
|
||||
ACCESS_STATE AccessState;
|
||||
AUX_ACCESS_DATA AuxData;
|
||||
IO_SECURITY_CONTEXT SecurityContext;
|
||||
PIRP Irp;
|
||||
KEVENT kEvent;
|
||||
PIO_STACK_LOCATION IrpSp;
|
||||
ACCESS_STATE AccessState;
|
||||
AUX_ACCESS_DATA AuxData;
|
||||
IO_SECURITY_CONTEXT SecurityContext;
|
||||
|
||||
PLIST_ENTRY IrpList;
|
||||
PLIST_ENTRY IrpList;
|
||||
|
||||
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_CASE_INSENSITIVE, 0, NULL);
|
||||
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_CASE_INSENSITIVE, 0, NULL);
|
||||
|
||||
//in win7 x86
|
||||
FileObjectSize=0x80;
|
||||
//in win7 x86
|
||||
FileObjectSize=0x80;
|
||||
|
||||
|
||||
//创建文件对象
|
||||
ntStatus = ObCreateObject(KernelMode,
|
||||
*IoFileObjectType,
|
||||
&ObjectAttributes,
|
||||
KernelMode,
|
||||
NULL,
|
||||
FileObjectSize,
|
||||
0,
|
||||
0,
|
||||
&_FileObject);
|
||||
//创建文件对象
|
||||
ntStatus = ObCreateObject(KernelMode,
|
||||
*IoFileObjectType,
|
||||
&ObjectAttributes,
|
||||
KernelMode,
|
||||
NULL,
|
||||
FileObjectSize,
|
||||
0,
|
||||
0,
|
||||
&_FileObject);
|
||||
|
||||
if(!NT_SUCCESS(ntStatus))
|
||||
{
|
||||
return ntStatus;
|
||||
}
|
||||
if(!NT_SUCCESS(ntStatus))
|
||||
{
|
||||
return ntStatus;
|
||||
}
|
||||
|
||||
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE); //在Irp堆栈上申请内存空间 大小为之前查询的DeviceObject->Size
|
||||
if(Irp == NULL)
|
||||
{
|
||||
ObDereferenceObject(_FileObject);
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
}
|
||||
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE); //在Irp堆栈上申请内存空间 大小为之前查询的DeviceObject->Size
|
||||
if(Irp == NULL)
|
||||
{
|
||||
ObDereferenceObject(_FileObject);
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
}
|
||||
|
||||
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
|
||||
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
|
||||
|
||||
RtlZeroMemory(_FileObject, FileObjectSize);
|
||||
_FileObject->Type = IO_TYPE_FILE; //文件对象类型
|
||||
_FileObject->Size = FileObjectSize; //文件对象大小
|
||||
_FileObject->DeviceObject = RealDevice; //查询到的卷设备
|
||||
_FileObject->Flags = FO_SYNCHRONOUS_IO;
|
||||
FileNameBuffer=ExAllocatePool(NonPagedPool,FilePath->MaximumLength);
|
||||
if (FileNameBuffer==NULL)
|
||||
{
|
||||
ObDereferenceObject(_FileObject);
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
}
|
||||
RtlCopyMemory(FileNameBuffer,FilePath->Buffer,FilePath->Length);//文件对象中的文件路径
|
||||
_FileObject->FileName.Buffer=FileNameBuffer; //
|
||||
_FileObject->FileName.Length=FilePath->Length;
|
||||
_FileObject->FileName.MaximumLength=FilePath->MaximumLength;
|
||||
RtlZeroMemory(_FileObject, FileObjectSize);
|
||||
_FileObject->Type = IO_TYPE_FILE; //文件对象类型
|
||||
_FileObject->Size = FileObjectSize; //文件对象大小
|
||||
_FileObject->DeviceObject = RealDevice; //查询到的卷设备
|
||||
_FileObject->Flags = FO_SYNCHRONOUS_IO;
|
||||
FileNameBuffer=ExAllocatePool(NonPagedPool,FilePath->MaximumLength);
|
||||
if (FileNameBuffer==NULL)
|
||||
{
|
||||
ObDereferenceObject(_FileObject);
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
}
|
||||
RtlCopyMemory(FileNameBuffer,FilePath->Buffer,FilePath->Length);//文件对象中的文件路径
|
||||
_FileObject->FileName.Buffer=FileNameBuffer; //
|
||||
_FileObject->FileName.Length=FilePath->Length;
|
||||
_FileObject->FileName.MaximumLength=FilePath->MaximumLength;
|
||||
|
||||
|
||||
IrpList=(PLIST_ENTRY)((DWORD)FileObject+0x74); //IrpList 循环指向自身
|
||||
IrpList->Flink=IrpList;
|
||||
IrpList->Blink=IrpList;
|
||||
IrpList=(PLIST_ENTRY)((DWORD)FileObject+0x74); //IrpList 循环指向自身
|
||||
IrpList->Flink=IrpList;
|
||||
IrpList->Blink=IrpList;
|
||||
|
||||
KeInitializeEvent(&_FileObject->Lock, SynchronizationEvent, FALSE);
|
||||
KeInitializeEvent(&_FileObject->Event, NotificationEvent, FALSE);
|
||||
KeInitializeEvent(&_FileObject->Lock, SynchronizationEvent, FALSE);
|
||||
KeInitializeEvent(&_FileObject->Event, NotificationEvent, FALSE);
|
||||
|
||||
RtlZeroMemory(&AuxData, sizeof(AUX_ACCESS_DATA));
|
||||
ntStatus = SeCreateAccessState( &AccessState, //访问权限
|
||||
&AuxData,
|
||||
DesiredAccess,
|
||||
IoGetFileObjectGenericMapping());
|
||||
RtlZeroMemory(&AuxData, sizeof(AUX_ACCESS_DATA));
|
||||
ntStatus = SeCreateAccessState( &AccessState, //访问权限
|
||||
&AuxData,
|
||||
DesiredAccess,
|
||||
IoGetFileObjectGenericMapping());
|
||||
|
||||
if (!NT_SUCCESS(ntStatus))
|
||||
{
|
||||
IoFreeIrp(Irp);
|
||||
ObDereferenceObject(_FileObject);
|
||||
ExFreePool(FileNameBuffer);
|
||||
return ntStatus;
|
||||
}
|
||||
if (!NT_SUCCESS(ntStatus))
|
||||
{
|
||||
IoFreeIrp(Irp);
|
||||
ObDereferenceObject(_FileObject);
|
||||
ExFreePool(FileNameBuffer);
|
||||
return ntStatus;
|
||||
}
|
||||
|
||||
SecurityContext.SecurityQos = NULL;
|
||||
SecurityContext.AccessState = &AccessState;
|
||||
SecurityContext.DesiredAccess = DesiredAccess;
|
||||
SecurityContext.FullCreateOptions = 0;
|
||||
SecurityContext.SecurityQos = NULL;
|
||||
SecurityContext.AccessState = &AccessState;
|
||||
SecurityContext.DesiredAccess = DesiredAccess;
|
||||
SecurityContext.FullCreateOptions = 0;
|
||||
|
||||
Irp->MdlAddress = NULL;
|
||||
Irp->AssociatedIrp.SystemBuffer = NULL;
|
||||
Irp->Flags = IRP_CREATE_OPERATION|IRP_SYNCHRONOUS_API;
|
||||
Irp->RequestorMode = KernelMode;
|
||||
Irp->UserIosb = &IoStatusBlock;
|
||||
Irp->UserEvent = &kEvent;
|
||||
Irp->PendingReturned = FALSE;
|
||||
Irp->Cancel = FALSE;
|
||||
Irp->CancelRoutine = NULL;
|
||||
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
|
||||
Irp->Tail.Overlay.AuxiliaryBuffer = NULL;
|
||||
Irp->Tail.Overlay.OriginalFileObject = _FileObject;
|
||||
Irp->MdlAddress = NULL;
|
||||
Irp->AssociatedIrp.SystemBuffer = NULL;
|
||||
Irp->Flags = IRP_CREATE_OPERATION|IRP_SYNCHRONOUS_API;
|
||||
Irp->RequestorMode = KernelMode;
|
||||
Irp->UserIosb = &IoStatusBlock;
|
||||
Irp->UserEvent = &kEvent;
|
||||
Irp->PendingReturned = FALSE;
|
||||
Irp->Cancel = FALSE;
|
||||
Irp->CancelRoutine = NULL;
|
||||
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
|
||||
Irp->Tail.Overlay.AuxiliaryBuffer = NULL;
|
||||
Irp->Tail.Overlay.OriginalFileObject = _FileObject;
|
||||
|
||||
IrpSp = IoGetNextIrpStackLocation(Irp);
|
||||
IrpSp->MajorFunction = IRP_MJ_CREATE;
|
||||
IrpSp->DeviceObject = DeviceObject;
|
||||
IrpSp->FileObject = _FileObject;
|
||||
IrpSp->Parameters.Create.SecurityContext = &SecurityContext;
|
||||
IrpSp->Parameters.Create.Options = (CreateDisposition << 24) | CreateOptions;
|
||||
IrpSp->Parameters.Create.FileAttributes = (USHORT)FileAttributes;
|
||||
IrpSp->Parameters.Create.ShareAccess = (USHORT)ShareAccess;
|
||||
IrpSp->Parameters.Create.EaLength = 0;
|
||||
IrpSp = IoGetNextIrpStackLocation(Irp);
|
||||
IrpSp->MajorFunction = IRP_MJ_CREATE;
|
||||
IrpSp->DeviceObject = DeviceObject;
|
||||
IrpSp->FileObject = _FileObject;
|
||||
IrpSp->Parameters.Create.SecurityContext = &SecurityContext;
|
||||
IrpSp->Parameters.Create.Options = (CreateDisposition << 24) | CreateOptions;
|
||||
IrpSp->Parameters.Create.FileAttributes = (USHORT)FileAttributes;
|
||||
IrpSp->Parameters.Create.ShareAccess = (USHORT)ShareAccess;
|
||||
IrpSp->Parameters.Create.EaLength = 0;
|
||||
|
||||
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
|
||||
ntStatus = IoCallDriver(DeviceObject, Irp);
|
||||
if(ntStatus == STATUS_PENDING)
|
||||
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
|
||||
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
|
||||
ntStatus = IoCallDriver(DeviceObject, Irp);
|
||||
if(ntStatus == STATUS_PENDING)
|
||||
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
|
||||
|
||||
ntStatus = IoStatusBlock.Status;
|
||||
ntStatus = IoStatusBlock.Status;
|
||||
|
||||
if(!NT_SUCCESS(ntStatus))
|
||||
{
|
||||
_FileObject->DeviceObject = NULL;
|
||||
ObDereferenceObject(_FileObject);
|
||||
if(!NT_SUCCESS(ntStatus))
|
||||
{
|
||||
_FileObject->DeviceObject = NULL;
|
||||
ObDereferenceObject(_FileObject);
|
||||
|
||||
}
|
||||
else
|
||||
{//增加引用计数
|
||||
InterlockedIncrement(&_FileObject->DeviceObject->ReferenceCount);
|
||||
if (_FileObject->Vpb)
|
||||
InterlockedIncrement(&_FileObject->Vpb->ReferenceCount);
|
||||
*FileObject = _FileObject;
|
||||
}
|
||||
}
|
||||
else
|
||||
{//增加引用计数
|
||||
InterlockedIncrement(&_FileObject->DeviceObject->ReferenceCount);
|
||||
if (_FileObject->Vpb)
|
||||
InterlockedIncrement(&_FileObject->Vpb->ReferenceCount);
|
||||
*FileObject = _FileObject;
|
||||
}
|
||||
|
||||
|
||||
return ntStatus;
|
||||
return ntStatus;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
NTSTATUS
|
||||
IoCompletionRoutine(
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
IN PIRP Irp,
|
||||
IN PVOID Context)
|
||||
IoCompletionRoutine(
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
IN PIRP Irp,
|
||||
IN PVOID Context)
|
||||
{
|
||||
*Irp->UserIosb = Irp->IoStatus;
|
||||
if (Irp->UserEvent)
|
||||
KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, 0);
|
||||
if (Irp->MdlAddress)
|
||||
{
|
||||
IoFreeMdl(Irp->MdlAddress);
|
||||
Irp->MdlAddress = NULL;
|
||||
}
|
||||
IoFreeIrp(Irp);
|
||||
return STATUS_MORE_PROCESSING_REQUIRED;
|
||||
*Irp->UserIosb = Irp->IoStatus;
|
||||
if (Irp->UserEvent)
|
||||
KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, 0);
|
||||
if (Irp->MdlAddress)
|
||||
{
|
||||
IoFreeMdl(Irp->MdlAddress);
|
||||
Irp->MdlAddress = NULL;
|
||||
}
|
||||
IoFreeIrp(Irp);
|
||||
return STATUS_MORE_PROCESSING_REQUIRED;
|
||||
}
|
||||
|
||||
|
||||
|
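Review bot: `IrpList=(PLIST_ENTRY)((DWORD)FileObject+0x74);` in IrpCreateFile takes the offset from `FileObject`, the caller's `OUT PFILE_OBJECT *` parameter, not from the object just created in `_FileObject`, so the two `Flink`/`Blink` stores land 0x74 bytes past the caller's output variable; the `DWORD` cast also truncates the pointer on 64-bit builds. Both problems go away with `InitializeListHead(&_FileObject->IrpList);`, which also drops the Win7-x86-only offset that the `//in win7 x86` / `FileObjectSize=0x80;` lines already tie this routine to. On the `FileNameBuffer==NULL` path the IRP obtained from `IoAllocateIrp` is never released, unlike the later `SeCreateAccessState` failure path; add `IoFreeIrp(Irp);` before that `ObDereferenceObject(_FileObject);`. The old and new sides print identically here, so this looks like a whitespace-only rewrite; the points apply to the code as re-added.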
@ -185,122 +185,122 @@ NTSTATUS
|
|||
|
||||
//查询irp堆栈信息,传入FileObject
|
||||
NTSTATUS
|
||||
IrpQueryInformationFile(
|
||||
IN PFILE_OBJECT FileObject,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
OUT PVOID FileInformation,
|
||||
IN ULONG Length,
|
||||
IN FILE_INFORMATION_CLASS FileInformationClass)
|
||||
IrpQueryInformationFile(
|
||||
IN PFILE_OBJECT FileObject,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
OUT PVOID FileInformation,
|
||||
IN ULONG Length,
|
||||
IN FILE_INFORMATION_CLASS FileInformationClass)
|
||||
{
|
||||
NTSTATUS ntStatus;
|
||||
PIRP Irp;
|
||||
KEVENT kEvent;
|
||||
PIO_STACK_LOCATION IrpSp;
|
||||
IO_STATUS_BLOCK IoStatusBlock;
|
||||
NTSTATUS ntStatus;
|
||||
PIRP Irp;
|
||||
KEVENT kEvent;
|
||||
PIO_STACK_LOCATION IrpSp;
|
||||
IO_STATUS_BLOCK IoStatusBlock;
|
||||
|
||||
// if (FileObject->Vpb == 0 || FileObject->Vpb->DeviceObject == NULL)
|
||||
// return STATUS_UNSUCCESSFUL;
|
||||
// if (FileObject->Vpb == 0 || FileObject->Vpb->DeviceObject == NULL)
|
||||
// return STATUS_UNSUCCESSFUL;
|
||||
|
||||
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
|
||||
if(Irp == NULL)
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
|
||||
if(Irp == NULL)
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
|
||||
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
|
||||
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
|
||||
|
||||
RtlZeroMemory(FileInformation, Length);
|
||||
Irp->AssociatedIrp.SystemBuffer = FileInformation;
|
||||
Irp->UserEvent = &kEvent;
|
||||
Irp->UserIosb = &IoStatusBlock;
|
||||
Irp->RequestorMode = KernelMode;
|
||||
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
|
||||
Irp->Tail.Overlay.OriginalFileObject = FileObject;
|
||||
RtlZeroMemory(FileInformation, Length);
|
||||
Irp->AssociatedIrp.SystemBuffer = FileInformation;
|
||||
Irp->UserEvent = &kEvent;
|
||||
Irp->UserIosb = &IoStatusBlock;
|
||||
Irp->RequestorMode = KernelMode;
|
||||
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
|
||||
Irp->Tail.Overlay.OriginalFileObject = FileObject;
|
||||
|
||||
IrpSp = IoGetNextIrpStackLocation(Irp);
|
||||
IrpSp->MajorFunction = IRP_MJ_QUERY_INFORMATION;
|
||||
IrpSp->DeviceObject = DeviceObject;
|
||||
IrpSp->FileObject = FileObject;
|
||||
IrpSp->Parameters.QueryFile.Length = Length;
|
||||
IrpSp->Parameters.QueryFile.FileInformationClass = FileInformationClass;
|
||||
IrpSp = IoGetNextIrpStackLocation(Irp);
|
||||
IrpSp->MajorFunction = IRP_MJ_QUERY_INFORMATION;
|
||||
IrpSp->DeviceObject = DeviceObject;
|
||||
IrpSp->FileObject = FileObject;
|
||||
IrpSp->Parameters.QueryFile.Length = Length;
|
||||
IrpSp->Parameters.QueryFile.FileInformationClass = FileInformationClass;
|
||||
|
||||
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
|
||||
ntStatus = IoCallDriver(DeviceObject, Irp);
|
||||
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
|
||||
ntStatus = IoCallDriver(DeviceObject, Irp);
|
||||
|
||||
if (ntStatus == STATUS_PENDING)
|
||||
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
|
||||
if (ntStatus == STATUS_PENDING)
|
||||
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
|
||||
|
||||
return IoStatusBlock.Status;
|
||||
return IoStatusBlock.Status;
|
||||
}
|
||||
|
||||
|
||||
|
||||
//Irp请求,将文件读入缓冲区中
|
||||
NTSTATUS
|
||||
IrpReadFile(
|
||||
IN PFILE_OBJECT FileObject,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
||||
OUT PVOID Buffer,
|
||||
IN ULONG Length,
|
||||
IN PLARGE_INTEGER ByteOffset OPTIONAL)
|
||||
IrpReadFile(
|
||||
IN PFILE_OBJECT FileObject,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
||||
OUT PVOID Buffer,
|
||||
IN ULONG Length,
|
||||
IN PLARGE_INTEGER ByteOffset OPTIONAL)
|
||||
{
|
||||
NTSTATUS ntStatus;
|
||||
PIRP Irp;
|
||||
KEVENT kEvent;
|
||||
PIO_STACK_LOCATION IrpSp;
|
||||
//
|
||||
NTSTATUS ntStatus;
|
||||
PIRP Irp;
|
||||
KEVENT kEvent;
|
||||
PIO_STACK_LOCATION IrpSp;
|
||||
//
|
||||
|
||||
|
||||
if(ByteOffset == NULL)
|
||||
{
|
||||
if(!(FileObject->Flags & FO_SYNCHRONOUS_IO))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
ByteOffset = &FileObject->CurrentByteOffset;
|
||||
}
|
||||
if(ByteOffset == NULL)
|
||||
{
|
||||
if(!(FileObject->Flags & FO_SYNCHRONOUS_IO))
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
ByteOffset = &FileObject->CurrentByteOffset;
|
||||
}
|
||||
|
||||
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
|
||||
if(Irp == NULL) return STATUS_INSUFFICIENT_RESOURCES;
|
||||
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
|
||||
if(Irp == NULL) return STATUS_INSUFFICIENT_RESOURCES;
|
||||
|
||||
RtlZeroMemory(Buffer, Length);
|
||||
if(FileObject->DeviceObject->Flags & DO_BUFFERED_IO) //缓冲方式
|
||||
{
|
||||
Irp->AssociatedIrp.SystemBuffer = Buffer;
|
||||
}
|
||||
else if(FileObject->DeviceObject->Flags & DO_DIRECT_IO) //直接方式
|
||||
{
|
||||
Irp->MdlAddress = IoAllocateMdl(Buffer, Length, 0, 0, 0);
|
||||
if (Irp->MdlAddress == NULL)
|
||||
{
|
||||
IoFreeIrp(Irp);
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
}
|
||||
MmBuildMdlForNonPagedPool(Irp->MdlAddress);
|
||||
}
|
||||
else //其他方式
|
||||
{
|
||||
Irp->UserBuffer = Buffer;
|
||||
}
|
||||
RtlZeroMemory(Buffer, Length);
|
||||
if(FileObject->DeviceObject->Flags & DO_BUFFERED_IO) //缓冲方式
|
||||
{
|
||||
Irp->AssociatedIrp.SystemBuffer = Buffer;
|
||||
}
|
||||
else if(FileObject->DeviceObject->Flags & DO_DIRECT_IO) //直接方式
|
||||
{
|
||||
Irp->MdlAddress = IoAllocateMdl(Buffer, Length, 0, 0, 0);
|
||||
if (Irp->MdlAddress == NULL)
|
||||
{
|
||||
IoFreeIrp(Irp);
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
}
|
||||
MmBuildMdlForNonPagedPool(Irp->MdlAddress);
|
||||
}
|
||||
else //其他方式
|
||||
{
|
||||
Irp->UserBuffer = Buffer;
|
||||
}
|
||||
|
||||
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
|
||||
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
|
||||
|
||||
Irp->UserEvent = &kEvent;
|
||||
Irp->UserIosb = IoStatusBlock;
|
||||
Irp->RequestorMode = KernelMode;
|
||||
Irp->Flags = IRP_READ_OPERATION;
|
||||
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
|
||||
Irp->Tail.Overlay.OriginalFileObject = FileObject;
|
||||
Irp->UserEvent = &kEvent;
|
||||
Irp->UserIosb = IoStatusBlock;
|
||||
Irp->RequestorMode = KernelMode;
|
||||
Irp->Flags = IRP_READ_OPERATION;
|
||||
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
|
||||
Irp->Tail.Overlay.OriginalFileObject = FileObject;
|
||||
|
||||
IrpSp = IoGetNextIrpStackLocation(Irp);
|
||||
IrpSp->MajorFunction = IRP_MJ_READ;
|
||||
IrpSp->MinorFunction = IRP_MN_NORMAL;
|
||||
IrpSp->DeviceObject = DeviceObject;
|
||||
IrpSp->FileObject = FileObject;
|
||||
IrpSp->Parameters.Read.Length = Length;
|
||||
IrpSp->Parameters.Read.ByteOffset = *ByteOffset;
|
||||
IrpSp = IoGetNextIrpStackLocation(Irp);
|
||||
IrpSp->MajorFunction = IRP_MJ_READ;
|
||||
IrpSp->MinorFunction = IRP_MN_NORMAL;
|
||||
IrpSp->DeviceObject = DeviceObject;
|
||||
IrpSp->FileObject = FileObject;
|
||||
IrpSp->Parameters.Read.Length = Length;
|
||||
IrpSp->Parameters.Read.ByteOffset = *ByteOffset;
|
||||
|
||||
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
|
||||
ntStatus = IoCallDriver(DeviceObject, Irp);
|
||||
if (ntStatus == STATUS_PENDING)
|
||||
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
|
||||
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
|
||||
ntStatus = IoCallDriver(DeviceObject, Irp);
|
||||
if (ntStatus == STATUS_PENDING)
|
||||
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
|
||||
|
||||
return IoStatusBlock->Status;
|
||||
return IoStatusBlock->Status;
|
||||
}
|
||||
|
|
|
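Review bot: In IrpReadFile the `DO_DIRECT_IO` branch wraps the caller's `Buffer` with `IoAllocateMdl` and then `MmBuildMdlForNonPagedPool`, which is only valid when `Buffer` is nonpaged memory, yet neither the `//Irp请求,将文件读入缓冲区中` comment nor the prototype states that requirement; add above the function `// Buffer must be nonpaged memory: the direct-I/O path builds its MDL with MmBuildMdlForNonPagedPool.` The same comment should say that the IRP and its MDL are released by IoCompletionRoutine, so callers and later edits must not touch `Irp` after `IoCallDriver`. Old and new sides print identically in this hunk, so it appears to be a whitespace-only change.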
@ -4,39 +4,39 @@
|
|||
|
||||
|
||||
NTSTATUS
|
||||
IrpCreateFile(
|
||||
IN PUNICODE_STRING FilePath,
|
||||
IN ACCESS_MASK DesiredAccess,
|
||||
IN ULONG FileAttributes,
|
||||
IN ULONG ShareAccess,
|
||||
IN ULONG CreateDisposition,
|
||||
IN ULONG CreateOptions,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
IN PDEVICE_OBJECT RealDevice,
|
||||
OUT PFILE_OBJECT *FileObject
|
||||
);
|
||||
IrpCreateFile(
|
||||
IN PUNICODE_STRING FilePath,
|
||||
IN ACCESS_MASK DesiredAccess,
|
||||
IN ULONG FileAttributes,
|
||||
IN ULONG ShareAccess,
|
||||
IN ULONG CreateDisposition,
|
||||
IN ULONG CreateOptions,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
IN PDEVICE_OBJECT RealDevice,
|
||||
OUT PFILE_OBJECT *FileObject
|
||||
);
|
||||
NTSTATUS
|
||||
IoCompletionRoutine(
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
IN PIRP Irp,
|
||||
IN PVOID Context);
|
||||
IoCompletionRoutine(
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
IN PIRP Irp,
|
||||
IN PVOID Context);
|
||||
|
||||
|
||||
NTSTATUS
|
||||
IrpQueryInformationFile(
|
||||
IN PFILE_OBJECT FileObject,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
OUT PVOID FileInformation,
|
||||
IN ULONG Length,
|
||||
IN FILE_INFORMATION_CLASS FileInformationClass);
|
||||
IrpQueryInformationFile(
|
||||
IN PFILE_OBJECT FileObject,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
OUT PVOID FileInformation,
|
||||
IN ULONG Length,
|
||||
IN FILE_INFORMATION_CLASS FileInformationClass);
|
||||
|
||||
|
||||
//Irp请求,将文件读入缓冲区中
|
||||
NTSTATUS
|
||||
IrpReadFile(
|
||||
IN PFILE_OBJECT FileObject,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
||||
OUT PVOID Buffer,
|
||||
IN ULONG Length,
|
||||
IN PLARGE_INTEGER ByteOffset OPTIONAL);
|
||||
IrpReadFile(
|
||||
IN PFILE_OBJECT FileObject,
|
||||
IN PDEVICE_OBJECT DeviceObject,
|
||||
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
||||
OUT PVOID Buffer,
|
||||
IN ULONG Length,
|
||||
IN PLARGE_INTEGER ByteOffset OPTIONAL);
|
||||
|
|
|
@ -6,341 +6,341 @@
|
|||
重定位表 修复
|
||||
*/
|
||||
BOOLEAN
|
||||
FixBaseRelocTable (
|
||||
PVOID NewImageBase,
|
||||
DWORD ExistImageBase
|
||||
)
|
||||
FixBaseRelocTable (
|
||||
PVOID NewImageBase,
|
||||
DWORD ExistImageBase
|
||||
)
|
||||
{
|
||||
LONGLONG Diff;
|
||||
ULONG TotalCountBytes = 0;
|
||||
ULONG_PTR VA;
|
||||
ULONGLONG OriginalImageBase;
|
||||
ULONG SizeOfBlock;
|
||||
PUCHAR FixupVA;
|
||||
USHORT Offset;
|
||||
PUSHORT NextOffset = NULL;
|
||||
PIMAGE_NT_HEADERS NtHeaders;
|
||||
PIMAGE_BASE_RELOCATION NextBlock;
|
||||
LONGLONG Diff;
|
||||
ULONG TotalCountBytes = 0;
|
||||
ULONG_PTR VA;
|
||||
ULONGLONG OriginalImageBase;
|
||||
ULONG SizeOfBlock;
|
||||
PUCHAR FixupVA;
|
||||
USHORT Offset;
|
||||
PUSHORT NextOffset = NULL;
|
||||
PIMAGE_NT_HEADERS NtHeaders;
|
||||
PIMAGE_BASE_RELOCATION NextBlock;
|
||||
|
||||
|
||||
NtHeaders = RtlImageNtHeader( NewImageBase );
|
||||
if (NtHeaders == NULL)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
NtHeaders = RtlImageNtHeader( NewImageBase );
|
||||
if (NtHeaders == NULL)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
switch (NtHeaders->OptionalHeader.Magic) {
|
||||
switch (NtHeaders->OptionalHeader.Magic) {
|
||||
|
||||
case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
|
||||
case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
|
||||
|
||||
OriginalImageBase =
|
||||
((PIMAGE_NT_HEADERS32)NtHeaders)->OptionalHeader.ImageBase;
|
||||
break;
|
||||
OriginalImageBase =
|
||||
((PIMAGE_NT_HEADERS32)NtHeaders)->OptionalHeader.ImageBase;
|
||||
break;
|
||||
|
||||
case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
|
||||
case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
|
||||
|
||||
OriginalImageBase =
|
||||
((PIMAGE_NT_HEADERS64)NtHeaders)->OptionalHeader.ImageBase;
|
||||
break;
|
||||
OriginalImageBase =
|
||||
((PIMAGE_NT_HEADERS64)NtHeaders)->OptionalHeader.ImageBase;
|
||||
break;
|
||||
|
||||
default:
|
||||
return FALSE;
|
||||
}
|
||||
default:
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
//
|
||||
// Locate the relocation section.
|
||||
//
|
||||
//
|
||||
// Locate the relocation section.
|
||||
//
|
||||
|
||||
NextBlock = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(
|
||||
NewImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &TotalCountBytes);
|
||||
NextBlock = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(
|
||||
NewImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &TotalCountBytes);
|
||||
|
||||
//
|
||||
// It is possible for a file to have no relocations, but the relocations
|
||||
// must not have been stripped.
|
||||
//
|
||||
//
|
||||
// It is possible for a file to have no relocations, but the relocations
|
||||
// must not have been stripped.
|
||||
//
|
||||
|
||||
if (!NextBlock || !TotalCountBytes)
|
||||
{
|
||||
if (!NextBlock || !TotalCountBytes)
|
||||
{
|
||||
|
||||
if (NtHeaders->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
|
||||
{
|
||||
DbgPrint("Image can't be relocated, no fixup information.\n");
|
||||
return FALSE;
|
||||
if (NtHeaders->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
|
||||
{
|
||||
DbgPrint("Image can't be relocated, no fixup information.\n");
|
||||
return FALSE;
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// If the image has a relocation table, then apply the specified fixup
|
||||
// information to the image.
|
||||
//
|
||||
Diff = (ULONG_PTR)ExistImageBase - OriginalImageBase;
|
||||
while (TotalCountBytes)
|
||||
{
|
||||
SizeOfBlock = NextBlock->SizeOfBlock;
|
||||
TotalCountBytes -= SizeOfBlock;
|
||||
SizeOfBlock -= sizeof(IMAGE_BASE_RELOCATION);
|
||||
SizeOfBlock /= sizeof(USHORT);
|
||||
NextOffset = (PUSHORT)((PCHAR)NextBlock + sizeof(IMAGE_BASE_RELOCATION));
|
||||
//
|
||||
// If the image has a relocation table, then apply the specified fixup
|
||||
// information to the image.
|
||||
//
|
||||
Diff = (ULONG_PTR)ExistImageBase - OriginalImageBase;
|
||||
while (TotalCountBytes)
|
||||
{
|
||||
SizeOfBlock = NextBlock->SizeOfBlock;
|
||||
TotalCountBytes -= SizeOfBlock;
|
||||
SizeOfBlock -= sizeof(IMAGE_BASE_RELOCATION);
|
||||
SizeOfBlock /= sizeof(USHORT);
|
||||
NextOffset = (PUSHORT)((PCHAR)NextBlock + sizeof(IMAGE_BASE_RELOCATION));
|
||||
|
||||
VA = (ULONG_PTR)NewImageBase + NextBlock->VirtualAddress;
|
||||
VA = (ULONG_PTR)NewImageBase + NextBlock->VirtualAddress;
|
||||
|
||||
if ( !(NextBlock = LdrProcessRelocationBlockLongLong( VA,
|
||||
SizeOfBlock,
|
||||
NextOffset,
|
||||
Diff)) )
|
||||
{
|
||||
if ( !(NextBlock = LdrProcessRelocationBlockLongLong( VA,
|
||||
SizeOfBlock,
|
||||
NextOffset,
|
||||
Diff)) )
|
||||
{
|
||||
|
||||
DbgPrint("%s: Unknown base relocation type\n");
|
||||
return FALSE;
|
||||
DbgPrint("%s: Unknown base relocation type\n");
|
||||
return FALSE;
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/*修复重定位表*/
|
||||
PIMAGE_BASE_RELOCATION
|
||||
LdrProcessRelocationBlockLongLong(
|
||||
IN ULONG_PTR VA,
|
||||
IN ULONG SizeOfBlock,
|
||||
IN PUSHORT NextOffset,
|
||||
IN LONGLONG Diff
|
||||
)
|
||||
LdrProcessRelocationBlockLongLong(
|
||||
IN ULONG_PTR VA,
|
||||
IN ULONG SizeOfBlock,
|
||||
IN PUSHORT NextOffset,
|
||||
IN LONGLONG Diff
|
||||
)
|
||||
{
|
||||
PUCHAR FixupVA;
|
||||
USHORT Offset;
|
||||
LONG Temp;
|
||||
ULONG Temp32;
|
||||
ULONGLONG Value64;
|
||||
LONGLONG Temp64;
|
||||
PUCHAR FixupVA;
|
||||
USHORT Offset;
|
||||
LONG Temp;
|
||||
ULONG Temp32;
|
||||
ULONGLONG Value64;
|
||||
LONGLONG Temp64;
|
||||
|
||||
|
||||
|
||||
while (SizeOfBlock--) {
|
||||
while (SizeOfBlock--) {
|
||||
|
||||
Offset = *NextOffset & (USHORT)0xfff;
|
||||
FixupVA = (PUCHAR)(VA + Offset);
|
||||
Offset = *NextOffset & (USHORT)0xfff;
|
||||
FixupVA = (PUCHAR)(VA + Offset);
|
||||
|
||||
//
|
||||
// Apply the fixups.
|
||||
//
|
||||
//
|
||||
// Apply the fixups.
|
||||
//
|
||||
|
||||
switch ((*NextOffset) >> 12) {
|
||||
switch ((*NextOffset) >> 12) {
|
||||
|
||||
case IMAGE_REL_BASED_HIGHLOW :
|
||||
//
|
||||
// HighLow - (32-bits) relocate the high and low half
|
||||
// of an address.
|
||||
//
|
||||
*(LONG UNALIGNED *)FixupVA += (ULONG) Diff;
|
||||
break;
|
||||
case IMAGE_REL_BASED_HIGHLOW :
|
||||
//
|
||||
// HighLow - (32-bits) relocate the high and low half
|
||||
// of an address.
|
||||
//
|
||||
*(LONG UNALIGNED *)FixupVA += (ULONG) Diff;
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_HIGH :
|
||||
//
|
||||
// High - (16-bits) relocate the high half of an address.
|
||||
//
|
||||
Temp = *(PUSHORT)FixupVA << 16;
|
||||
Temp += (ULONG) Diff;
|
||||
*(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
|
||||
break;
|
||||
case IMAGE_REL_BASED_HIGH :
|
||||
//
|
||||
// High - (16-bits) relocate the high half of an address.
|
||||
//
|
||||
Temp = *(PUSHORT)FixupVA << 16;
|
||||
Temp += (ULONG) Diff;
|
||||
*(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_HIGHADJ :
|
||||
//
|
||||
// Adjust high - (16-bits) relocate the high half of an
|
||||
// address and adjust for sign extension of low half.
|
||||
//
|
||||
case IMAGE_REL_BASED_HIGHADJ :
|
||||
//
|
||||
// Adjust high - (16-bits) relocate the high half of an
|
||||
// address and adjust for sign extension of low half.
|
||||
//
|
||||
|
||||
//
|
||||
// If the address has already been relocated then don't
|
||||
// process it again now or information will be lost.
|
||||
//
|
||||
if (Offset & LDRP_RELOCATION_FINAL) {
|
||||
++NextOffset;
|
||||
--SizeOfBlock;
|
||||
break;
|
||||
}
|
||||
//
|
||||
// If the address has already been relocated then don't
|
||||
// process it again now or information will be lost.
|
||||
//
|
||||
if (Offset & LDRP_RELOCATION_FINAL) {
|
||||
++NextOffset;
|
||||
--SizeOfBlock;
|
||||
break;
|
||||
}
|
||||
|
||||
Temp = *(PUSHORT)FixupVA << 16;
|
||||
++NextOffset;
|
||||
--SizeOfBlock;
|
||||
Temp += (LONG)(*(PSHORT)NextOffset);
|
||||
Temp += (ULONG) Diff;
|
||||
Temp += 0x8000;
|
||||
*(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
|
||||
Temp = *(PUSHORT)FixupVA << 16;
|
||||
++NextOffset;
|
||||
--SizeOfBlock;
|
||||
Temp += (LONG)(*(PSHORT)NextOffset);
|
||||
Temp += (ULONG) Diff;
|
||||
Temp += 0x8000;
|
||||
*(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
|
||||
|
||||
break;
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_LOW :
|
||||
//
|
||||
// Low - (16-bit) relocate the low half of an address.
|
||||
//
|
||||
Temp = *(PSHORT)FixupVA;
|
||||
Temp += (ULONG) Diff;
|
||||
*(PUSHORT)FixupVA = (USHORT)Temp;
|
||||
break;
|
||||
case IMAGE_REL_BASED_LOW :
|
||||
//
|
||||
// Low - (16-bit) relocate the low half of an address.
|
||||
//
|
||||
Temp = *(PSHORT)FixupVA;
|
||||
Temp += (ULONG) Diff;
|
||||
*(PUSHORT)FixupVA = (USHORT)Temp;
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_IA64_IMM64:
|
||||
case IMAGE_REL_BASED_IA64_IMM64:
|
||||
|
||||
//
|
||||
// Align it to bundle address before fixing up the
|
||||
// 64-bit immediate value of the movl instruction.
|
||||
//
|
||||
//
|
||||
// Align it to bundle address before fixing up the
|
||||
// 64-bit immediate value of the movl instruction.
|
||||
//
|
||||
|
||||
FixupVA = (PUCHAR)((ULONG_PTR)FixupVA & ~(15));
|
||||
Value64 = (ULONGLONG)0;
|
||||
FixupVA = (PUCHAR)((ULONG_PTR)FixupVA & ~(15));
|
||||
Value64 = (ULONGLONG)0;
|
||||
|
||||
//
|
||||
// Extract the lower 32 bits of IMM64 from bundle
|
||||
//
|
||||
//
|
||||
// Extract the lower 32 bits of IMM64 from bundle
|
||||
//
|
||||
|
||||
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IMM7B_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IMM7B_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM7B_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IMM9D_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IMM9D_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM9D_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IMM5C_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IMM5C_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM5C_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IC_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IC_SIZE_X,
|
||||
EMARCH_ENC_I17_IC_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IC_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IMM41a_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IMM41a_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41a_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IMM7B_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IMM7B_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM7B_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IMM9D_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IMM9D_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM9D_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IMM5C_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IMM5C_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM5C_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IC_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IC_SIZE_X,
|
||||
EMARCH_ENC_I17_IC_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IC_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
(PULONG)FixupVA + EMARCH_ENC_I17_IMM41a_INST_WORD_X,
|
||||
EMARCH_ENC_I17_IMM41a_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41a_VAL_POS_X);
|
||||
|
||||
EXT_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41b_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41b_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41b_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41c_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41c_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41c_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_SIGN_INST_WORD_X),
|
||||
EMARCH_ENC_I17_SIGN_SIZE_X,
|
||||
EMARCH_ENC_I17_SIGN_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_SIGN_VAL_POS_X);
|
||||
//
|
||||
// Update 64-bit address
|
||||
//
|
||||
EXT_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41b_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41b_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41b_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41c_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41c_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41c_VAL_POS_X);
|
||||
EXT_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_SIGN_INST_WORD_X),
|
||||
EMARCH_ENC_I17_SIGN_SIZE_X,
|
||||
EMARCH_ENC_I17_SIGN_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_SIGN_VAL_POS_X);
|
||||
//
|
||||
// Update 64-bit address
|
||||
//
|
||||
|
||||
Value64+=Diff;
|
||||
Value64+=Diff;
|
||||
|
||||
//
|
||||
// Insert IMM64 into bundle
|
||||
//
|
||||
//
|
||||
// Insert IMM64 into bundle
|
||||
//
|
||||
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM7B_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM7B_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM7B_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM9D_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM9D_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM9D_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM5C_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM5C_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM5C_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IC_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IC_SIZE_X,
|
||||
EMARCH_ENC_I17_IC_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IC_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41a_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41a_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41a_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41b_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41b_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41b_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41c_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41c_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41c_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_SIGN_INST_WORD_X),
|
||||
EMARCH_ENC_I17_SIGN_SIZE_X,
|
||||
EMARCH_ENC_I17_SIGN_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_SIGN_VAL_POS_X);
|
||||
break;
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM7B_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM7B_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM7B_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM9D_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM9D_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM9D_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM5C_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM5C_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM5C_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IC_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IC_SIZE_X,
|
||||
EMARCH_ENC_I17_IC_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IC_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41a_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41a_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41a_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41b_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41b_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41b_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41c_INST_WORD_X),
|
||||
EMARCH_ENC_I17_IMM41c_SIZE_X,
|
||||
EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_IMM41c_VAL_POS_X);
|
||||
INS_IMM64(Value64,
|
||||
((PULONG)FixupVA + EMARCH_ENC_I17_SIGN_INST_WORD_X),
|
||||
EMARCH_ENC_I17_SIGN_SIZE_X,
|
||||
EMARCH_ENC_I17_SIGN_INST_WORD_POS_X,
|
||||
EMARCH_ENC_I17_SIGN_VAL_POS_X);
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_DIR64:
|
||||
case IMAGE_REL_BASED_DIR64:
|
||||
|
||||
*(ULONGLONG UNALIGNED *)FixupVA += Diff;
|
||||
*(ULONGLONG UNALIGNED *)FixupVA += Diff;
|
||||
|
||||
break;
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_MIPS_JMPADDR :
|
||||
//
|
||||
// JumpAddress - (32-bits) relocate a MIPS jump address.
|
||||
//
|
||||
Temp = (*(PULONG)FixupVA & 0x3ffffff) << 2;
|
||||
Temp += (ULONG) Diff;
|
||||
*(PULONG)FixupVA = (*(PULONG)FixupVA & ~0x3ffffff) |
|
||||
((Temp >> 2) & 0x3ffffff);
|
||||
case IMAGE_REL_BASED_MIPS_JMPADDR :
|
||||
//
|
||||
// JumpAddress - (32-bits) relocate a MIPS jump address.
|
||||
//
|
||||
Temp = (*(PULONG)FixupVA & 0x3ffffff) << 2;
|
||||
Temp += (ULONG) Diff;
|
||||
*(PULONG)FixupVA = (*(PULONG)FixupVA & ~0x3ffffff) |
|
||||
((Temp >> 2) & 0x3ffffff);
|
||||
|
||||
break;
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_ABSOLUTE :
|
||||
//
|
||||
// Absolute - no fixup required.
|
||||
//
|
||||
break;
|
||||
case IMAGE_REL_BASED_ABSOLUTE :
|
||||
//
|
||||
// Absolute - no fixup required.
|
||||
//
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_SECTION :
|
||||
//
|
||||
// Section Relative reloc. Ignore for now.
|
||||
//
|
||||
break;
|
||||
case IMAGE_REL_BASED_SECTION :
|
||||
//
|
||||
// Section Relative reloc. Ignore for now.
|
||||
//
|
||||
break;
|
||||
|
||||
case IMAGE_REL_BASED_REL32 :
|
||||
//
|
||||
// Relative intrasection. Ignore for now.
|
||||
//
|
||||
break;
|
||||
case IMAGE_REL_BASED_REL32 :
|
||||
//
|
||||
// Relative intrasection. Ignore for now.
|
||||
//
|
||||
break;
|
||||
|
||||
default :
|
||||
//
|
||||
// Illegal - illegal relocation type.
|
||||
//
|
||||
default :
|
||||
//
|
||||
// Illegal - illegal relocation type.
|
||||
//
|
||||
|
||||
return (PIMAGE_BASE_RELOCATION)NULL;
|
||||
}
|
||||
++NextOffset;
|
||||
}
|
||||
return (PIMAGE_BASE_RELOCATION)NextOffset;
|
||||
return (PIMAGE_BASE_RELOCATION)NULL;
|
||||
}
|
||||
++NextOffset;
|
||||
}
|
||||
return (PIMAGE_BASE_RELOCATION)NextOffset;
|
||||
}
|
||||
|
||||
|
||||
|
@ -348,114 +348,114 @@ PIMAGE_BASE_RELOCATION
|
|||
获得NtHeader
|
||||
*/
|
||||
NTSTATUS
|
||||
NTAPI
|
||||
RtlImageNtHeaderEx(
|
||||
ULONG Flags,
|
||||
PVOID Base,
|
||||
ULONG64 Size,
|
||||
OUT PIMAGE_NT_HEADERS * OutHeaders
|
||||
)
|
||||
NTAPI
|
||||
RtlImageNtHeaderEx(
|
||||
ULONG Flags,
|
||||
PVOID Base,
|
||||
ULONG64 Size,
|
||||
OUT PIMAGE_NT_HEADERS * OutHeaders
|
||||
)
|
||||
|
||||
{
|
||||
PIMAGE_NT_HEADERS NtHeaders = 0;
|
||||
ULONG e_lfanew = 0;
|
||||
BOOLEAN RangeCheck = 0;
|
||||
NTSTATUS Status = 0;
|
||||
const ULONG ValidFlags =
|
||||
RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK;
|
||||
PIMAGE_NT_HEADERS NtHeaders = 0;
|
||||
ULONG e_lfanew = 0;
|
||||
BOOLEAN RangeCheck = 0;
|
||||
NTSTATUS Status = 0;
|
||||
const ULONG ValidFlags =
|
||||
RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK;
|
||||
|
||||
if (OutHeaders != NULL) {
|
||||
*OutHeaders = NULL;
|
||||
}
|
||||
if (OutHeaders == NULL) {
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
goto Exit;
|
||||
}
|
||||
if ((Flags & ~ValidFlags) != 0) {
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
goto Exit;
|
||||
}
|
||||
if (Base == NULL || Base == (PVOID)(LONG_PTR)-1) {
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
goto Exit;
|
||||
}
|
||||
if (OutHeaders != NULL) {
|
||||
*OutHeaders = NULL;
|
||||
}
|
||||
if (OutHeaders == NULL) {
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
goto Exit;
|
||||
}
|
||||
if ((Flags & ~ValidFlags) != 0) {
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
goto Exit;
|
||||
}
|
||||
if (Base == NULL || Base == (PVOID)(LONG_PTR)-1) {
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
goto Exit;
|
||||
}
|
||||
|
||||
RangeCheck = ((Flags & RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK) == 0);
|
||||
if (RangeCheck) {
|
||||
if (Size < sizeof(IMAGE_DOS_HEADER)) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
goto Exit;
|
||||
}
|
||||
}
|
||||
RangeCheck = ((Flags & RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK) == 0);
|
||||
if (RangeCheck) {
|
||||
if (Size < sizeof(IMAGE_DOS_HEADER)) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
goto Exit;
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Exception handling is not available in the boot loader, and exceptions
|
||||
// were not historically caught here in kernel mode. Drivers are considered
|
||||
// trusted, so we can't get an exception here due to a bad file, but we
|
||||
// could take an inpage error.
|
||||
//
|
||||
//
|
||||
// Exception handling is not available in the boot loader, and exceptions
|
||||
// were not historically caught here in kernel mode. Drivers are considered
|
||||
// trusted, so we can't get an exception here due to a bad file, but we
|
||||
// could take an inpage error.
|
||||
//
|
||||
#define EXIT goto Exit
|
||||
if (((PIMAGE_DOS_HEADER)Base)->e_magic != IMAGE_DOS_SIGNATURE) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
e_lfanew = ((PIMAGE_DOS_HEADER)Base)->e_lfanew;
|
||||
if (RangeCheck) {
|
||||
if (e_lfanew >= Size
|
||||
if (((PIMAGE_DOS_HEADER)Base)->e_magic != IMAGE_DOS_SIGNATURE) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
e_lfanew = ((PIMAGE_DOS_HEADER)Base)->e_lfanew;
|
||||
if (RangeCheck) {
|
||||
if (e_lfanew >= Size
|
||||
#define SIZEOF_PE_SIGNATURE 4
|
||||
|| e_lfanew >= (MAXULONG - SIZEOF_PE_SIGNATURE - sizeof(IMAGE_FILE_HEADER))
|
||||
|| (e_lfanew + SIZEOF_PE_SIGNATURE + sizeof(IMAGE_FILE_HEADER)) >= Size
|
||||
) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
}
|
||||
|| e_lfanew >= (MAXULONG - SIZEOF_PE_SIGNATURE - sizeof(IMAGE_FILE_HEADER))
|
||||
|| (e_lfanew + SIZEOF_PE_SIGNATURE + sizeof(IMAGE_FILE_HEADER)) >= Size
|
||||
) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
}
|
||||
|
||||
NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + e_lfanew);
|
||||
NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + e_lfanew);
|
||||
|
||||
//
|
||||
// In kernelmode, do not cross from usermode address to kernelmode address.
|
||||
//
|
||||
if (Base < MM_HIGHEST_USER_ADDRESS) {
|
||||
if ((PVOID)NtHeaders >= MM_HIGHEST_USER_ADDRESS) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
//
|
||||
// Note that this check is slightly overeager since IMAGE_NT_HEADERS has
|
||||
// a builtin array of data_directories that may be larger than the image
|
||||
// actually has. A better check would be to add FileHeader.SizeOfOptionalHeader,
|
||||
// after ensuring that the FileHeader does not cross the u/k boundary.
|
||||
//
|
||||
if ((PVOID)((PCHAR)NtHeaders + sizeof (IMAGE_NT_HEADERS)) >= MM_HIGHEST_USER_ADDRESS) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
}
|
||||
//
|
||||
// In kernelmode, do not cross from usermode address to kernelmode address.
|
||||
//
|
||||
if (Base < MM_HIGHEST_USER_ADDRESS) {
|
||||
if ((PVOID)NtHeaders >= MM_HIGHEST_USER_ADDRESS) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
//
|
||||
// Note that this check is slightly overeager since IMAGE_NT_HEADERS has
|
||||
// a builtin array of data_directories that may be larger than the image
|
||||
// actually has. A better check would be to add FileHeader.SizeOfOptionalHeader,
|
||||
// after ensuring that the FileHeader does not cross the u/k boundary.
|
||||
//
|
||||
if ((PVOID)((PCHAR)NtHeaders + sizeof (IMAGE_NT_HEADERS)) >= MM_HIGHEST_USER_ADDRESS) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
}
|
||||
|
||||
if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
Status = STATUS_SUCCESS;
|
||||
if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
|
||||
Status = STATUS_INVALID_IMAGE_FORMAT;
|
||||
EXIT;
|
||||
}
|
||||
Status = STATUS_SUCCESS;
|
||||
|
||||
Exit:
|
||||
if (NT_SUCCESS(Status)) {
|
||||
*OutHeaders = NtHeaders;
|
||||
}
|
||||
return Status;
|
||||
if (NT_SUCCESS(Status)) {
|
||||
*OutHeaders = NtHeaders;
|
||||
}
|
||||
return Status;
|
||||
}
|
||||
|
||||
|
||||
PIMAGE_NT_HEADERS
|
||||
NTAPI
|
||||
RtlImageNtHeader(
|
||||
PVOID Base
|
||||
)
|
||||
NTAPI
|
||||
RtlImageNtHeader(
|
||||
PVOID Base
|
||||
)
|
||||
{
|
||||
PIMAGE_NT_HEADERS NtHeaders = NULL;
|
||||
(VOID)RtlImageNtHeaderEx(RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK, Base, 0, &NtHeaders);
|
||||
return NtHeaders;
|
||||
PIMAGE_NT_HEADERS NtHeaders = NULL;
|
||||
(VOID)RtlImageNtHeaderEx(RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK, Base, 0, &NtHeaders);
|
||||
return NtHeaders;
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -4,30 +4,30 @@
|
|||
|
||||
|
||||
BOOLEAN
|
||||
FixBaseRelocTable (
|
||||
PVOID NewImageBase,
|
||||
DWORD ExistImageBase
|
||||
);
|
||||
FixBaseRelocTable (
|
||||
PVOID NewImageBase,
|
||||
DWORD ExistImageBase
|
||||
);
|
||||
|
||||
PIMAGE_BASE_RELOCATION
|
||||
LdrProcessRelocationBlockLongLong(
|
||||
IN ULONG_PTR VA,
|
||||
IN ULONG SizeOfBlock,
|
||||
IN PUSHORT NextOffset,
|
||||
IN LONGLONG Diff
|
||||
);
|
||||
LdrProcessRelocationBlockLongLong(
|
||||
IN ULONG_PTR VA,
|
||||
IN ULONG SizeOfBlock,
|
||||
IN PUSHORT NextOffset,
|
||||
IN LONGLONG Diff
|
||||
);
|
||||
|
||||
NTSTATUS
|
||||
NTAPI
|
||||
RtlImageNtHeaderEx(
|
||||
ULONG Flags,
|
||||
PVOID Base,
|
||||
ULONG64 Size,
|
||||
OUT PIMAGE_NT_HEADERS * OutHeaders
|
||||
);
|
||||
NTAPI
|
||||
RtlImageNtHeaderEx(
|
||||
ULONG Flags,
|
||||
PVOID Base,
|
||||
ULONG64 Size,
|
||||
OUT PIMAGE_NT_HEADERS * OutHeaders
|
||||
);
|
||||
|
||||
PIMAGE_NT_HEADERS
|
||||
NTAPI
|
||||
RtlImageNtHeader(
|
||||
PVOID Base
|
||||
);
|
||||
NTAPI
|
||||
RtlImageNtHeader(
|
||||
PVOID Base
|
||||
);
|
||||
|
|
|
@ -15,12 +15,12 @@ BOOLEAN GetDeviceObjectFromFileFullName(WCHAR *FileFullName,PDEVICE_OBJECT *Real
|
|||
BOOLEAN GetWindowsRootName(WCHAR *WindowsRootName);
|
||||
|
||||
NTSTATUS KernelOpenFile(wchar_t *FileFullName,
|
||||
PHANDLE FileHandle,
|
||||
ACCESS_MASK DesiredAccess,
|
||||
ULONG FileAttributes,
|
||||
ULONG ShareAccess,
|
||||
ULONG CreateDisposition,
|
||||
ULONG CreateOptions);
|
||||
PHANDLE FileHandle,
|
||||
ACCESS_MASK DesiredAccess,
|
||||
ULONG FileAttributes,
|
||||
ULONG ShareAccess,
|
||||
ULONG CreateDisposition,
|
||||
ULONG CreateOptions);
|
||||
|
||||
|
||||
|
||||
|
@ -42,12 +42,12 @@ BOOLEAN InsertOriginalFirstThunk(DWORD ImageBase,DWORD ExistImageBase,PIMAGE_THU
|
|||
|
||||
|
||||
PVOID
|
||||
MiFindExportedRoutine (
|
||||
IN PVOID DllBase,
|
||||
BOOLEAN ByName,
|
||||
IN char *RoutineName,
|
||||
DWORD Ordinal
|
||||
);
|
||||
MiFindExportedRoutine (
|
||||
IN PVOID DllBase,
|
||||
BOOLEAN ByName,
|
||||
IN char *RoutineName,
|
||||
DWORD Ordinal
|
||||
);
|
||||
|
||||
|
||||
|
||||
|
@ -55,10 +55,10 @@ BOOLEAN FixImportTable(BYTE *ImageBase,DWORD ExistImageBase,PDRIVER_OBJECT Drive
|
|||
|
||||
|
||||
BOOLEAN PeLoad(
|
||||
WCHAR *FileFullPath,
|
||||
BYTE **ImageModeleBase,
|
||||
PDRIVER_OBJECT DeviceObject,
|
||||
DWORD ExistImageBase
|
||||
);
|
||||
WCHAR *FileFullPath,
|
||||
BYTE **ImageModeleBase,
|
||||
PDRIVER_OBJECT DeviceObject,
|
||||
DWORD ExistImageBase
|
||||
);
|
||||
|
||||
|
||||
|
|
|
@ -14,18 +14,18 @@ PSERVICE_DESCRIPTOR_TABLE Safe_ServiceDescriptorTable;
|
|||
|
||||
|
||||
NTSTATUS
|
||||
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
|
||||
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
|
||||
{
|
||||
DWORD RetAddr = 0;
|
||||
PEPROCESS Eprocess1 = NULL;
|
||||
PEPROCESS Eprocess2 = NULL;
|
||||
DriverObject->DriverUnload = UnloadDriver;
|
||||
DWORD RetAddr = 0;
|
||||
PEPROCESS Eprocess1 = NULL;
|
||||
PEPROCESS Eprocess2 = NULL;
|
||||
DriverObject->DriverUnload = UnloadDriver;
|
||||
|
||||
ReLoadNtos(DriverObject,RetAddr);
|
||||
ReLoadNtos(DriverObject,RetAddr);
|
||||
|
||||
Eprocess1 = RPsGetCurrentProcess();
|
||||
Eprocess2 = PsGetCurrentProcess();
|
||||
return STATUS_SUCCESS;
|
||||
Eprocess1 = RPsGetCurrentProcess();
|
||||
Eprocess2 = PsGetCurrentProcess();
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
/*
|
||||
输入FuncName 、 原来Ntos地址 、自己重载 Ntos地址
|
||||
|
@ -35,338 +35,338 @@ NTSTATUS
|
|||
*/
|
||||
PUCHAR ReLoadNtosCALL(WCHAR *lpwzFuncTion,ULONG ulOldNtosBase,ULONG ulReloadNtosBase)
|
||||
{
|
||||
UNICODE_STRING UnicodeFunctionName;
|
||||
ULONG ulOldFunctionAddress;
|
||||
PUCHAR ulReloadFunctionAddress;
|
||||
int index=0;
|
||||
PIMAGE_DOS_HEADER pDosHeader;
|
||||
PIMAGE_NT_HEADERS NtDllHeader;
|
||||
UNICODE_STRING UnicodeFunctionName;
|
||||
ULONG ulOldFunctionAddress;
|
||||
PUCHAR ulReloadFunctionAddress;
|
||||
int index=0;
|
||||
PIMAGE_DOS_HEADER pDosHeader;
|
||||
PIMAGE_NT_HEADERS NtDllHeader;
|
||||
|
||||
IMAGE_OPTIONAL_HEADER opthdr;
|
||||
DWORD* arrayOfFunctionAddresses;
|
||||
DWORD* arrayOfFunctionNames;
|
||||
WORD* arrayOfFunctionOrdinals;
|
||||
DWORD functionOrdinal;
|
||||
DWORD Base, x, functionAddress,position;
|
||||
char* functionName;
|
||||
IMAGE_EXPORT_DIRECTORY *pExportTable;
|
||||
ULONG ulNtDllModuleBase;
|
||||
IMAGE_OPTIONAL_HEADER opthdr;
|
||||
DWORD* arrayOfFunctionAddresses;
|
||||
DWORD* arrayOfFunctionNames;
|
||||
WORD* arrayOfFunctionOrdinals;
|
||||
DWORD functionOrdinal;
|
||||
DWORD Base, x, functionAddress,position;
|
||||
char* functionName;
|
||||
IMAGE_EXPORT_DIRECTORY *pExportTable;
|
||||
ULONG ulNtDllModuleBase;
|
||||
|
||||
UNICODE_STRING UnicodeFunction;
|
||||
UNICODE_STRING UnicodeExportTableFunction;
|
||||
ANSI_STRING ExportTableFunction;
|
||||
//第一次都是通过 系统的原来偏移 + NewBase 获得函数地址
|
||||
//然后通过自己的RMmGetSystemRoutineAddress获得 偏移+NewBase 获得函数地址
|
||||
__try
|
||||
{
|
||||
if (RRtlInitUnicodeString &&
|
||||
RRtlCompareUnicodeString &&
|
||||
RMmGetSystemRoutineAddress &&
|
||||
RMmIsAddressValid)
|
||||
{
|
||||
RRtlInitUnicodeString(&UnicodeFunctionName,lpwzFuncTion);
|
||||
ulOldFunctionAddress = (DWORD)RMmGetSystemRoutineAddress(&UnicodeFunctionName);
|
||||
ulReloadFunctionAddress = (PUCHAR)(ulOldFunctionAddress - ulOldNtosBase + ulReloadNtosBase); //获得重载的FuncAddr
|
||||
if (RMmIsAddressValid(ulReloadFunctionAddress)) //如果无效就从 导出表 获取? 应该不会无效
|
||||
{
|
||||
return ulReloadFunctionAddress;
|
||||
}
|
||||
//从导出表里获取
|
||||
ulNtDllModuleBase = ulReloadNtosBase;
|
||||
pDosHeader = (PIMAGE_DOS_HEADER)ulReloadNtosBase;
|
||||
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
|
||||
{
|
||||
KdPrint(("failed to find NtHeader\r\n"));
|
||||
return NULL;
|
||||
}
|
||||
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
|
||||
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
|
||||
{
|
||||
KdPrint(("failed to find NtHeader\r\n"));
|
||||
return NULL;
|
||||
}
|
||||
opthdr = NtDllHeader->OptionalHeader;
|
||||
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulNtDllModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //得到导出表
|
||||
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulNtDllModuleBase + pExportTable->AddressOfFunctions); //地址表
|
||||
arrayOfFunctionNames = (DWORD*)((BYTE*)ulNtDllModuleBase + pExportTable->AddressOfNames); //函数名表
|
||||
arrayOfFunctionOrdinals = (WORD*)((BYTE*)ulNtDllModuleBase + pExportTable->AddressOfNameOrdinals);
|
||||
UNICODE_STRING UnicodeFunction;
|
||||
UNICODE_STRING UnicodeExportTableFunction;
|
||||
ANSI_STRING ExportTableFunction;
|
||||
//第一次都是通过 系统的原来偏移 + NewBase 获得函数地址
|
||||
//然后通过自己的RMmGetSystemRoutineAddress获得 偏移+NewBase 获得函数地址
|
||||
__try
|
||||
{
|
||||
if (RRtlInitUnicodeString &&
|
||||
RRtlCompareUnicodeString &&
|
||||
RMmGetSystemRoutineAddress &&
|
||||
RMmIsAddressValid)
|
||||
{
|
||||
RRtlInitUnicodeString(&UnicodeFunctionName,lpwzFuncTion);
|
||||
ulOldFunctionAddress = (DWORD)RMmGetSystemRoutineAddress(&UnicodeFunctionName);
|
||||
ulReloadFunctionAddress = (PUCHAR)(ulOldFunctionAddress - ulOldNtosBase + ulReloadNtosBase); //获得重载的FuncAddr
|
||||
if (RMmIsAddressValid(ulReloadFunctionAddress)) //如果无效就从 导出表 获取? 应该不会无效
|
||||
{
|
||||
return ulReloadFunctionAddress;
|
||||
}
|
||||
//从导出表里获取
|
||||
ulNtDllModuleBase = ulReloadNtosBase;
|
||||
pDosHeader = (PIMAGE_DOS_HEADER)ulReloadNtosBase;
|
||||
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
|
||||
{
|
||||
KdPrint(("failed to find NtHeader\r\n"));
|
||||
return NULL;
|
||||
}
|
||||
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
|
||||
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
|
||||
{
|
||||
KdPrint(("failed to find NtHeader\r\n"));
|
||||
return NULL;
|
||||
}
|
||||
opthdr = NtDllHeader->OptionalHeader;
|
||||
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulNtDllModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //得到导出表
|
||||
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulNtDllModuleBase + pExportTable->AddressOfFunctions); //地址表
|
||||
arrayOfFunctionNames = (DWORD*)((BYTE*)ulNtDllModuleBase + pExportTable->AddressOfNames); //函数名表
|
||||
arrayOfFunctionOrdinals = (WORD*)((BYTE*)ulNtDllModuleBase + pExportTable->AddressOfNameOrdinals);
|
||||
|
||||
Base = pExportTable->Base;
|
||||
Base = pExportTable->Base;
|
||||
|
||||
for(x = 0; x < pExportTable->NumberOfFunctions; x++) //在整个导出表里扫描
|
||||
{
|
||||
functionName = (char*)( (BYTE*)ulNtDllModuleBase + arrayOfFunctionNames[x]);
|
||||
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
|
||||
functionAddress = (DWORD)((BYTE*)ulNtDllModuleBase + arrayOfFunctionAddresses[functionOrdinal]);
|
||||
RtlInitAnsiString(&ExportTableFunction,functionName);
|
||||
RtlAnsiStringToUnicodeString(&UnicodeExportTableFunction,&ExportTableFunction,TRUE);
|
||||
for(x = 0; x < pExportTable->NumberOfFunctions; x++) //在整个导出表里扫描
|
||||
{
|
||||
functionName = (char*)( (BYTE*)ulNtDllModuleBase + arrayOfFunctionNames[x]);
|
||||
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
|
||||
functionAddress = (DWORD)((BYTE*)ulNtDllModuleBase + arrayOfFunctionAddresses[functionOrdinal]);
|
||||
RtlInitAnsiString(&ExportTableFunction,functionName);
|
||||
RtlAnsiStringToUnicodeString(&UnicodeExportTableFunction,&ExportTableFunction,TRUE);
|
||||
|
||||
RRtlInitUnicodeString(&UnicodeFunction,lpwzFuncTion);
|
||||
if (RRtlCompareUnicodeString(&UnicodeExportTableFunction,&UnicodeFunction,TRUE) == 0)
|
||||
{
|
||||
RtlFreeUnicodeString(&UnicodeExportTableFunction);
|
||||
return (PUCHAR)functionAddress;
|
||||
}
|
||||
RtlFreeUnicodeString(&UnicodeExportTableFunction);
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
RtlInitUnicodeString(&UnicodeFunctionName,lpwzFuncTion);
|
||||
ulOldFunctionAddress = (DWORD)MmGetSystemRoutineAddress(&UnicodeFunctionName);
|
||||
ulReloadFunctionAddress = (PUCHAR)(ulOldFunctionAddress - ulOldNtosBase + ulReloadNtosBase);
|
||||
RRtlInitUnicodeString(&UnicodeFunction,lpwzFuncTion);
|
||||
if (RRtlCompareUnicodeString(&UnicodeExportTableFunction,&UnicodeFunction,TRUE) == 0)
|
||||
{
|
||||
RtlFreeUnicodeString(&UnicodeExportTableFunction);
|
||||
return (PUCHAR)functionAddress;
|
||||
}
|
||||
RtlFreeUnicodeString(&UnicodeExportTableFunction);
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
RtlInitUnicodeString(&UnicodeFunctionName,lpwzFuncTion);
|
||||
ulOldFunctionAddress = (DWORD)MmGetSystemRoutineAddress(&UnicodeFunctionName);
|
||||
ulReloadFunctionAddress = (PUCHAR)(ulOldFunctionAddress - ulOldNtosBase + ulReloadNtosBase);
|
||||
|
||||
//KdPrint(("%ws:%08x:%08x",lpwzFuncTion,ulOldFunctionAddress,ulReloadFunctionAddress));
|
||||
//KdPrint(("%ws:%08x:%08x",lpwzFuncTion,ulOldFunctionAddress,ulReloadFunctionAddress));
|
||||
|
||||
if (MmIsAddressValid(ulReloadFunctionAddress))
|
||||
{
|
||||
return ulReloadFunctionAddress;
|
||||
}
|
||||
//
|
||||
if (MmIsAddressValid(ulReloadFunctionAddress))
|
||||
{
|
||||
return ulReloadFunctionAddress;
|
||||
}
|
||||
//
|
||||
|
||||
}__except(EXCEPTION_EXECUTE_HANDLER){
|
||||
KdPrint(("EXCEPTION_EXECUTE_HANDLER"));
|
||||
}
|
||||
return NULL;
|
||||
}__except(EXCEPTION_EXECUTE_HANDLER){
|
||||
KdPrint(("EXCEPTION_EXECUTE_HANDLER"));
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/*重载Ntos*/
|
||||
NTSTATUS ReLoadNtos(PDRIVER_OBJECT DriverObject,DWORD RetAddress)
|
||||
{
|
||||
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
||||
ULONG ulKeAddSystemServiceTable;
|
||||
PULONG p;
|
||||
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
||||
ULONG ulKeAddSystemServiceTable;
|
||||
PULONG p;
|
||||
|
||||
|
||||
if (!GetSystemKernelModuleInfo(
|
||||
&SystemKernelFilePath,
|
||||
&SystemKernelModuleBase,
|
||||
&SystemKernelModuleSize
|
||||
))
|
||||
{
|
||||
KdPrint(("Get System Kernel Module failed"));
|
||||
return status;
|
||||
}
|
||||
if (!GetSystemKernelModuleInfo(
|
||||
&SystemKernelFilePath,
|
||||
&SystemKernelModuleBase,
|
||||
&SystemKernelModuleSize
|
||||
))
|
||||
{
|
||||
KdPrint(("Get System Kernel Module failed"));
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
if (InitSafeOperationModule(
|
||||
DriverObject,
|
||||
SystemKernelFilePath,
|
||||
SystemKernelModuleBase
|
||||
))
|
||||
{
|
||||
KdPrint(("Init Ntos module success\r\n"));
|
||||
RRtlInitUnicodeString = NULL;
|
||||
RMmGetSystemRoutineAddress = NULL;
|
||||
RMmIsAddressValid = NULL;
|
||||
RRtlCompareUnicodeString = NULL;
|
||||
RPsGetCurrentProcess = NULL;
|
||||
|
||||
status = STATUS_UNSUCCESSFUL;
|
||||
|
||||
//第一次都是通过 系统的原来偏移 + NewBase 获得函数地址
|
||||
//然后通过自己的RMmGetSystemRoutineAddress获得 偏移+NewBase 获得函数地址
|
||||
RRtlInitUnicodeString = (ReloadRtlInitUnicodeString)ReLoadNtosCALL(L"RtlInitUnicodeString",SystemKernelModuleBase,ImageModuleBase);
|
||||
RRtlCompareUnicodeString = (ReloadRtlCompareUnicodeString)ReLoadNtosCALL(L"RtlCompareUnicodeString",SystemKernelModuleBase,ImageModuleBase);
|
||||
RMmGetSystemRoutineAddress = (ReloadMmGetSystemRoutineAddress)ReLoadNtosCALL(L"MmGetSystemRoutineAddress",SystemKernelModuleBase,ImageModuleBase);
|
||||
RMmIsAddressValid = (ReloadMmIsAddressValid)ReLoadNtosCALL(L"MmIsAddressValid",SystemKernelModuleBase,ImageModuleBase);
|
||||
RPsGetCurrentProcess = (ReloadPsGetCurrentProcess)ReLoadNtosCALL(L"PsGetCurrentProcess",SystemKernelModuleBase,ImageModuleBase);
|
||||
if (!RRtlInitUnicodeString ||
|
||||
!RRtlCompareUnicodeString ||
|
||||
!RMmGetSystemRoutineAddress ||
|
||||
!RMmIsAddressValid ||
|
||||
!RPsGetCurrentProcess)
|
||||
{
|
||||
KdPrint(("Init NtosCALL failed"));
|
||||
return status;
|
||||
}
|
||||
}
|
||||
return status;
|
||||
if (InitSafeOperationModule(
|
||||
DriverObject,
|
||||
SystemKernelFilePath,
|
||||
SystemKernelModuleBase
|
||||
))
|
||||
{
|
||||
KdPrint(("Init Ntos module success\r\n"));
|
||||
RRtlInitUnicodeString = NULL;
|
||||
RMmGetSystemRoutineAddress = NULL;
|
||||
RMmIsAddressValid = NULL;
|
||||
RRtlCompareUnicodeString = NULL;
|
||||
RPsGetCurrentProcess = NULL;
|
||||
|
||||
status = STATUS_UNSUCCESSFUL;
|
||||
|
||||
//第一次都是通过 系统的原来偏移 + NewBase 获得函数地址
|
||||
//然后通过自己的RMmGetSystemRoutineAddress获得 偏移+NewBase 获得函数地址
|
||||
RRtlInitUnicodeString = (ReloadRtlInitUnicodeString)ReLoadNtosCALL(L"RtlInitUnicodeString",SystemKernelModuleBase,ImageModuleBase);
|
||||
RRtlCompareUnicodeString = (ReloadRtlCompareUnicodeString)ReLoadNtosCALL(L"RtlCompareUnicodeString",SystemKernelModuleBase,ImageModuleBase);
|
||||
RMmGetSystemRoutineAddress = (ReloadMmGetSystemRoutineAddress)ReLoadNtosCALL(L"MmGetSystemRoutineAddress",SystemKernelModuleBase,ImageModuleBase);
|
||||
RMmIsAddressValid = (ReloadMmIsAddressValid)ReLoadNtosCALL(L"MmIsAddressValid",SystemKernelModuleBase,ImageModuleBase);
|
||||
RPsGetCurrentProcess = (ReloadPsGetCurrentProcess)ReLoadNtosCALL(L"PsGetCurrentProcess",SystemKernelModuleBase,ImageModuleBase);
|
||||
if (!RRtlInitUnicodeString ||
|
||||
!RRtlCompareUnicodeString ||
|
||||
!RMmGetSystemRoutineAddress ||
|
||||
!RMmIsAddressValid ||
|
||||
!RPsGetCurrentProcess)
|
||||
{
|
||||
KdPrint(("Init NtosCALL failed"));
|
||||
return status;
|
||||
}
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOLEAN InitSafeOperationModule(PDRIVER_OBJECT pDriverObject,WCHAR *SystemModulePath,ULONG KernelModuleBase)
|
||||
{
|
||||
UNICODE_STRING FileName;
|
||||
HANDLE hSection;
|
||||
PDWORD FixdOriginalKiServiceTable;
|
||||
PDWORD CsRootkitOriginalKiServiceTable;
|
||||
ULONG i = 0;
|
||||
UNICODE_STRING FileName;
|
||||
HANDLE hSection;
|
||||
PDWORD FixdOriginalKiServiceTable;
|
||||
PDWORD CsRootkitOriginalKiServiceTable;
|
||||
ULONG i = 0;
|
||||
|
||||
|
||||
//自己peload 一个ntos*,这样就解决了跟其他安全软件的冲突啦~
|
||||
if (!PeLoad(SystemModulePath, (BYTE**)&ImageModuleBase,pDriverObject,KernelModuleBase))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
//自己peload 一个ntos*,这样就解决了跟其他安全软件的冲突啦~
|
||||
if (!PeLoad(SystemModulePath, (BYTE**)&ImageModuleBase,pDriverObject,KernelModuleBase))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
OriginalKiServiceTable = (DWORD)ExAllocatePool(NonPagedPool,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
|
||||
if (!OriginalKiServiceTable)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
//获得SSDT基址,通过重定位表比较得到
|
||||
if(!GetOriginalKiServiceTable((BYTE*)ImageModuleBase,KernelModuleBase,&OriginalKiServiceTable))
|
||||
{
|
||||
ExFreePool((PVOID)OriginalKiServiceTable);
|
||||
return FALSE;
|
||||
}
|
||||
OriginalKiServiceTable = (DWORD)ExAllocatePool(NonPagedPool,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
|
||||
if (!OriginalKiServiceTable)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
//获得SSDT基址,通过重定位表比较得到
|
||||
if(!GetOriginalKiServiceTable((BYTE*)ImageModuleBase,KernelModuleBase,&OriginalKiServiceTable))
|
||||
{
|
||||
ExFreePool((PVOID)OriginalKiServiceTable);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
//修复SSDT函数地址 都是自己Reload的函数地址 干净的
|
||||
FixOriginalKiServiceTable((PDWORD)OriginalKiServiceTable,(DWORD)ImageModuleBase,KernelModuleBase);
|
||||
//修复SSDT函数地址 都是自己Reload的函数地址 干净的
|
||||
FixOriginalKiServiceTable((PDWORD)OriginalKiServiceTable,(DWORD)ImageModuleBase,KernelModuleBase);
|
||||
|
||||
OriginalServiceDescriptorTable = (PSERVICE_DESCRIPTOR_TABLE)ExAllocatePool(NonPagedPool,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
|
||||
if (OriginalServiceDescriptorTable == NULL)
|
||||
{
|
||||
ExFreePool((PVOID)OriginalKiServiceTable);
|
||||
return FALSE;
|
||||
}
|
||||
RtlZeroMemory(OriginalServiceDescriptorTable,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
|
||||
OriginalServiceDescriptorTable = (PSERVICE_DESCRIPTOR_TABLE)ExAllocatePool(NonPagedPool,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
|
||||
if (OriginalServiceDescriptorTable == NULL)
|
||||
{
|
||||
ExFreePool((PVOID)OriginalKiServiceTable);
|
||||
return FALSE;
|
||||
}
|
||||
RtlZeroMemory(OriginalServiceDescriptorTable,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
|
||||
|
||||
//修复SERVICE_DESCRIPTOR_TABLE 结构
|
||||
OriginalServiceDescriptorTable->ServiceTable = (PDWORD)OriginalKiServiceTable;
|
||||
OriginalServiceDescriptorTable->CounterTable = KeServiceDescriptorTable->CounterTable;
|
||||
OriginalServiceDescriptorTable->TableSize = KeServiceDescriptorTable->TableSize;
|
||||
OriginalServiceDescriptorTable->ArgumentTable = KeServiceDescriptorTable->ArgumentTable;
|
||||
//修复SERVICE_DESCRIPTOR_TABLE 结构
|
||||
OriginalServiceDescriptorTable->ServiceTable = (PDWORD)OriginalKiServiceTable;
|
||||
OriginalServiceDescriptorTable->CounterTable = KeServiceDescriptorTable->CounterTable;
|
||||
OriginalServiceDescriptorTable->TableSize = KeServiceDescriptorTable->TableSize;
|
||||
OriginalServiceDescriptorTable->ArgumentTable = KeServiceDescriptorTable->ArgumentTable;
|
||||
|
||||
CsRootkitOriginalKiServiceTable = (PDWORD)ExAllocatePool(NonPagedPool,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
|
||||
if (CsRootkitOriginalKiServiceTable==NULL)
|
||||
{
|
||||
ExFreePool(OriginalServiceDescriptorTable);
|
||||
ExFreePool((PVOID)OriginalKiServiceTable);
|
||||
return FALSE;
|
||||
CsRootkitOriginalKiServiceTable = (PDWORD)ExAllocatePool(NonPagedPool,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
|
||||
if (CsRootkitOriginalKiServiceTable==NULL)
|
||||
{
|
||||
ExFreePool(OriginalServiceDescriptorTable);
|
||||
ExFreePool((PVOID)OriginalKiServiceTable);
|
||||
return FALSE;
|
||||
|
||||
}
|
||||
RtlZeroMemory(CsRootkitOriginalKiServiceTable,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
|
||||
}
|
||||
RtlZeroMemory(CsRootkitOriginalKiServiceTable,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
|
||||
|
||||
Safe_ServiceDescriptorTable = (PSERVICE_DESCRIPTOR_TABLE)ExAllocatePool(NonPagedPool,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
|
||||
if (Safe_ServiceDescriptorTable == NULL)
|
||||
{
|
||||
ExFreePool(OriginalServiceDescriptorTable);
|
||||
ExFreePool(CsRootkitOriginalKiServiceTable);
|
||||
ExFreePool((PVOID)OriginalKiServiceTable);
|
||||
return FALSE;
|
||||
}
|
||||
//这是一个干净的原始表,每个表里所对应的SSDT函数的地址都是原始函数
|
||||
RtlZeroMemory(Safe_ServiceDescriptorTable,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
|
||||
Safe_ServiceDescriptorTable = (PSERVICE_DESCRIPTOR_TABLE)ExAllocatePool(NonPagedPool,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
|
||||
if (Safe_ServiceDescriptorTable == NULL)
|
||||
{
|
||||
ExFreePool(OriginalServiceDescriptorTable);
|
||||
ExFreePool(CsRootkitOriginalKiServiceTable);
|
||||
ExFreePool((PVOID)OriginalKiServiceTable);
|
||||
return FALSE;
|
||||
}
|
||||
//这是一个干净的原始表,每个表里所对应的SSDT函数的地址都是原始函数
|
||||
RtlZeroMemory(Safe_ServiceDescriptorTable,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
|
||||
|
||||
//填充原始函数地址
|
||||
for (i=0;i<KeServiceDescriptorTable->TableSize;i++)
|
||||
{
|
||||
CsRootkitOriginalKiServiceTable[i] = OriginalServiceDescriptorTable->ServiceTable[i];
|
||||
}
|
||||
Safe_ServiceDescriptorTable->ServiceTable = (PDWORD)CsRootkitOriginalKiServiceTable;
|
||||
Safe_ServiceDescriptorTable->CounterTable = KeServiceDescriptorTable->CounterTable;
|
||||
Safe_ServiceDescriptorTable->TableSize = KeServiceDescriptorTable->TableSize;
|
||||
Safe_ServiceDescriptorTable->ArgumentTable = KeServiceDescriptorTable->ArgumentTable;
|
||||
//填充原始函数地址
|
||||
for (i=0;i<KeServiceDescriptorTable->TableSize;i++)
|
||||
{
|
||||
CsRootkitOriginalKiServiceTable[i] = OriginalServiceDescriptorTable->ServiceTable[i];
|
||||
}
|
||||
Safe_ServiceDescriptorTable->ServiceTable = (PDWORD)CsRootkitOriginalKiServiceTable;
|
||||
Safe_ServiceDescriptorTable->CounterTable = KeServiceDescriptorTable->CounterTable;
|
||||
Safe_ServiceDescriptorTable->TableSize = KeServiceDescriptorTable->TableSize;
|
||||
Safe_ServiceDescriptorTable->ArgumentTable = KeServiceDescriptorTable->ArgumentTable;
|
||||
|
||||
//释放就会bsod
|
||||
//ExFreePool(OriginalKiServiceTable);
|
||||
|
||||
return TRUE;
|
||||
//释放就会bsod
|
||||
//ExFreePool(OriginalKiServiceTable);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
||||
VOID FixOriginalKiServiceTable(PDWORD OriginalKiServiceTable,DWORD ModuleBase,DWORD ExistImageBase)
|
||||
{
|
||||
DWORD FuctionCount;
|
||||
DWORD Index;
|
||||
FuctionCount=KeServiceDescriptorTable->TableSize; //函数个数
|
||||
|
||||
KdPrint(("ssdt funcion count:%X---KiServiceTable:%X\n",FuctionCount,KeServiceDescriptorTable->ServiceTable));
|
||||
for (Index=0;Index<FuctionCount;Index++)
|
||||
{
|
||||
OriginalKiServiceTable[Index]=OriginalKiServiceTable[Index]-ExistImageBase+ModuleBase; //修复SSDT函数地址
|
||||
}
|
||||
DWORD FuctionCount;
|
||||
DWORD Index;
|
||||
FuctionCount=KeServiceDescriptorTable->TableSize; //函数个数
|
||||
|
||||
KdPrint(("ssdt funcion count:%X---KiServiceTable:%X\n",FuctionCount,KeServiceDescriptorTable->ServiceTable));
|
||||
for (Index=0;Index<FuctionCount;Index++)
|
||||
{
|
||||
OriginalKiServiceTable[Index]=OriginalKiServiceTable[Index]-ExistImageBase+ModuleBase; //修复SSDT函数地址
|
||||
}
|
||||
}
|
||||
|
||||
//通过KeServiceDescriptorTable的RVA与重定位表项解析的地址RVA比较,一致则取出其中的SSDT表地址
|
||||
BOOLEAN GetOriginalKiServiceTable(BYTE *NewImageBase,DWORD ExistImageBase,DWORD *NewKiServiceTable)
|
||||
{
|
||||
PIMAGE_DOS_HEADER ImageDosHeader;
|
||||
PIMAGE_NT_HEADERS ImageNtHeaders;
|
||||
DWORD KeServiceDescriptorTableRva;
|
||||
PIMAGE_BASE_RELOCATION ImageBaseReloc=NULL;
|
||||
DWORD RelocSize;
|
||||
int ItemCount,Index;
|
||||
int Type;
|
||||
PDWORD RelocAddress;
|
||||
DWORD RvaData;
|
||||
DWORD count=0;
|
||||
WORD *TypeOffset;
|
||||
PIMAGE_DOS_HEADER ImageDosHeader;
|
||||
PIMAGE_NT_HEADERS ImageNtHeaders;
|
||||
DWORD KeServiceDescriptorTableRva;
|
||||
PIMAGE_BASE_RELOCATION ImageBaseReloc=NULL;
|
||||
DWORD RelocSize;
|
||||
int ItemCount,Index;
|
||||
int Type;
|
||||
PDWORD RelocAddress;
|
||||
DWORD RvaData;
|
||||
DWORD count=0;
|
||||
WORD *TypeOffset;
|
||||
|
||||
|
||||
ImageDosHeader=(PIMAGE_DOS_HEADER)NewImageBase;
|
||||
if (ImageDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
ImageNtHeaders=(PIMAGE_NT_HEADERS)(NewImageBase+ImageDosHeader->e_lfanew);
|
||||
if (ImageNtHeaders->Signature!=IMAGE_NT_SIGNATURE)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
KeServiceDescriptorTableRva=(DWORD)MiFindExportedRoutine(NewImageBase,TRUE,"KeServiceDescriptorTable",0);
|
||||
if (KeServiceDescriptorTableRva==0)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
ImageDosHeader=(PIMAGE_DOS_HEADER)NewImageBase;
|
||||
if (ImageDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
ImageNtHeaders=(PIMAGE_NT_HEADERS)(NewImageBase+ImageDosHeader->e_lfanew);
|
||||
if (ImageNtHeaders->Signature!=IMAGE_NT_SIGNATURE)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
KeServiceDescriptorTableRva=(DWORD)MiFindExportedRoutine(NewImageBase,TRUE,"KeServiceDescriptorTable",0);
|
||||
if (KeServiceDescriptorTableRva==0)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
KeServiceDescriptorTableRva=KeServiceDescriptorTableRva-(DWORD)NewImageBase;
|
||||
ImageBaseReloc=RtlImageDirectoryEntryToData(NewImageBase,TRUE,IMAGE_DIRECTORY_ENTRY_BASERELOC,&RelocSize);
|
||||
if (ImageBaseReloc==NULL)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
KeServiceDescriptorTableRva=KeServiceDescriptorTableRva-(DWORD)NewImageBase;
|
||||
ImageBaseReloc=RtlImageDirectoryEntryToData(NewImageBase,TRUE,IMAGE_DIRECTORY_ENTRY_BASERELOC,&RelocSize);
|
||||
if (ImageBaseReloc==NULL)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
while (ImageBaseReloc->SizeOfBlock)
|
||||
{
|
||||
count++;
|
||||
ItemCount=(ImageBaseReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION))/2;
|
||||
TypeOffset=(WORD*)((DWORD)ImageBaseReloc+sizeof(IMAGE_BASE_RELOCATION));
|
||||
for (Index=0;Index<ItemCount;Index++)
|
||||
{
|
||||
Type=TypeOffset[Index]>>12; //高4位是类型 低12位位页内偏移 4k
|
||||
if (Type==3)
|
||||
{
|
||||
//Base + Virtual 定位到页 + 低12位 = RelocAddress 需要修复的地址
|
||||
RelocAddress=(PDWORD)((DWORD)(TypeOffset[Index]&0x0fff)+ImageBaseReloc->VirtualAddress+(DWORD)NewImageBase);
|
||||
RvaData=*RelocAddress-ExistImageBase;
|
||||
|
||||
if (RvaData==KeServiceDescriptorTableRva) //重定位表中的rva 是 KeServiceDescriptorTable 表项的
|
||||
{
|
||||
if(*(USHORT*)((DWORD)RelocAddress-2)==0x05c7)
|
||||
{
|
||||
/*
|
||||
1: kd> dd 0x89651c12 RelocAddress - 2
|
||||
89651c12 79c005c7 bd9c83f8
|
||||
while (ImageBaseReloc->SizeOfBlock)
|
||||
{
|
||||
count++;
|
||||
ItemCount=(ImageBaseReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION))/2;
|
||||
TypeOffset=(WORD*)((DWORD)ImageBaseReloc+sizeof(IMAGE_BASE_RELOCATION));
|
||||
for (Index=0;Index<ItemCount;Index++)
|
||||
{
|
||||
Type=TypeOffset[Index]>>12; //高4位是类型 低12位位页内偏移 4k
|
||||
if (Type==3)
|
||||
{
|
||||
//Base + Virtual 定位到页 + 低12位 = RelocAddress 需要修复的地址
|
||||
RelocAddress=(PDWORD)((DWORD)(TypeOffset[Index]&0x0fff)+ImageBaseReloc->VirtualAddress+(DWORD)NewImageBase);
|
||||
RvaData=*RelocAddress-ExistImageBase;
|
||||
|
||||
if (RvaData==KeServiceDescriptorTableRva) //重定位表中的rva 是 KeServiceDescriptorTable 表项的
|
||||
{
|
||||
if(*(USHORT*)((DWORD)RelocAddress-2)==0x05c7)
|
||||
{
|
||||
/*
|
||||
1: kd> dd 0x89651c12 RelocAddress - 2
|
||||
89651c12 79c005c7 bd9c83f8
|
||||
|
||||
1: kd> dd KeServiceDescriptorTable
|
||||
83f879c0 83e9bd9c 00000000 00000191 83e9c3e4
|
||||
83f879d0 00000000 00000000 00000000 00000000
|
||||
|
||||
1: kd> dd 0x89651c14 RelocAddress
|
||||
89651c14 83f879c0 83e9bd9c 79c41589 c8a383f8
|
||||
89651c24 c783f879 f879cc05 e9c3e483 d8158983
|
||||
*/
|
||||
//RelocAddress 里面存放着 KeServiceDesriptorTable地址
|
||||
//RelocAddress + 4 存放着 KeServiceDesriptorTable第一成员也就是SSDT基址
|
||||
*NewKiServiceTable=*(DWORD*)((DWORD)RelocAddress+4)-ExistImageBase+(DWORD)NewImageBase;
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
1: kd> dd KeServiceDescriptorTable
|
||||
83f879c0 83e9bd9c 00000000 00000191 83e9c3e4
|
||||
83f879d0 00000000 00000000 00000000 00000000
|
||||
|
||||
1: kd> dd 0x89651c14 RelocAddress
|
||||
89651c14 83f879c0 83e9bd9c 79c41589 c8a383f8
|
||||
89651c24 c783f879 f879cc05 e9c3e483 d8158983
|
||||
*/
|
||||
//RelocAddress 里面存放着 KeServiceDesriptorTable地址
|
||||
//RelocAddress + 4 存放着 KeServiceDesriptorTable第一成员也就是SSDT基址
|
||||
*NewKiServiceTable=*(DWORD*)((DWORD)RelocAddress+4)-ExistImageBase+(DWORD)NewImageBase;
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
ImageBaseReloc=(PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseReloc+ImageBaseReloc->SizeOfBlock);
|
||||
}
|
||||
}
|
||||
ImageBaseReloc=(PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseReloc+ImageBaseReloc->SizeOfBlock);
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
||||
|
||||
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
DbgPrint("UnloadDriver\r\n");
|
||||
DbgPrint("UnloadDriver\r\n");
|
||||
}
|
|
@ -8,83 +8,83 @@ typedef DWORD * PDWORD;
|
|||
typedef unsigned char BYTE, *PBYTE;
|
||||
typedef unsigned short WORD, *PWORD;
|
||||
NTSTATUS
|
||||
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
|
||||
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
|
||||
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
|
||||
|
||||
typedef struct _SYSTEM_MODULE_INFORMATION // 系统模块信息
|
||||
{
|
||||
ULONG Reserved[2];
|
||||
ULONG Base;
|
||||
ULONG Size;
|
||||
ULONG Flags;
|
||||
USHORT Index;
|
||||
USHORT Unknown;
|
||||
USHORT LoadCount;
|
||||
USHORT ModuleNameOffset;
|
||||
CHAR ImageName[256];
|
||||
ULONG Reserved[2];
|
||||
ULONG Base;
|
||||
ULONG Size;
|
||||
ULONG Flags;
|
||||
USHORT Index;
|
||||
USHORT Unknown;
|
||||
USHORT LoadCount;
|
||||
USHORT ModuleNameOffset;
|
||||
CHAR ImageName[256];
|
||||
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
|
||||
|
||||
typedef struct _tagSysModuleList { //模块链结构
|
||||
ULONG ulCount;
|
||||
SYSTEM_MODULE_INFORMATION smi[1];
|
||||
ULONG ulCount;
|
||||
SYSTEM_MODULE_INFORMATION smi[1];
|
||||
} MODULES, *PMODULES;
|
||||
|
||||
typedef enum _SYSTEM_INFORMATION_CLASS
|
||||
{
|
||||
SystemBasicInformation, // 0 Y N
|
||||
SystemProcessorInformation, // 1 Y N
|
||||
SystemPerformanceInformation, // 2 Y N
|
||||
SystemTimeOfDayInformation, // 3 Y N
|
||||
SystemNotImplemented1, // 4 Y N
|
||||
SystemProcessesAndThreadsInformation, // 5 Y N
|
||||
SystemCallCounts, // 6 Y N
|
||||
SystemConfigurationInformation, // 7 Y N
|
||||
SystemProcessorTimes, // 8 Y N
|
||||
SystemGlobalFlag, // 9 Y Y
|
||||
SystemNotImplemented2, // 10 Y N
|
||||
SystemModuleInformation, // 11 Y N
|
||||
SystemLockInformation, // 12 Y N
|
||||
SystemNotImplemented3, // 13 Y N
|
||||
SystemNotImplemented4, // 14 Y N
|
||||
SystemNotImplemented5, // 15 Y N
|
||||
SystemHandleInformation, // 16 Y N
|
||||
SystemObjectInformation, // 17 Y N
|
||||
SystemPagefileInformation, // 18 Y N
|
||||
SystemInstructionEmulationCounts, // 19 Y N
|
||||
SystemInvalidInfoClass1, // 20
|
||||
SystemCacheInformation, // 21 Y Y
|
||||
SystemPoolTagInformation, // 22 Y N
|
||||
SystemProcessorStatistics, // 23 Y N
|
||||
SystemDpcInformation, // 24 Y Y
|
||||
SystemNotImplemented6, // 25 Y N
|
||||
SystemLoadImage, // 26 N Y
|
||||
SystemUnloadImage, // 27 N Y
|
||||
SystemTimeAdjustment, // 28 Y Y
|
||||
SystemNotImplemented7, // 29 Y N
|
||||
SystemNotImplemented8, // 30 Y N
|
||||
SystemNotImplemented9, // 31 Y N
|
||||
SystemCrashDumpInformation, // 32 Y N
|
||||
SystemExceptionInformation, // 33 Y N
|
||||
SystemCrashDumpStateInformation, // 34 Y Y/N
|
||||
SystemKernelDebuggerInformation, // 35 Y N
|
||||
SystemContextSwitchInformation, // 36 Y N
|
||||
SystemRegistryQuotaInformation, // 37 Y Y
|
||||
SystemLoadAndCallImage, // 38 N Y
|
||||
SystemPrioritySeparation, // 39 N Y
|
||||
SystemNotImplemented10, // 40 Y N
|
||||
SystemNotImplemented11, // 41 Y N
|
||||
SystemInvalidInfoClass2, // 42
|
||||
SystemInvalidInfoClass3, // 43
|
||||
SystemTimeZoneInformation, // 44 Y N
|
||||
SystemLookasideInformation, // 45 Y N
|
||||
SystemSetTimeSlipEvent, // 46 N Y
|
||||
SystemCreateSession, // 47 N Y
|
||||
SystemDeleteSession, // 48 N Y
|
||||
SystemInvalidInfoClass4, // 49
|
||||
SystemRangeStartInformation, // 50 Y N
|
||||
SystemVerifierInformation, // 51 Y Y
|
||||
SystemAddVerifier, // 52 N Y
|
||||
SystemSessionProcessesInformation // 53 Y N
|
||||
SystemBasicInformation, // 0 Y N
|
||||
SystemProcessorInformation, // 1 Y N
|
||||
SystemPerformanceInformation, // 2 Y N
|
||||
SystemTimeOfDayInformation, // 3 Y N
|
||||
SystemNotImplemented1, // 4 Y N
|
||||
SystemProcessesAndThreadsInformation, // 5 Y N
|
||||
SystemCallCounts, // 6 Y N
|
||||
SystemConfigurationInformation, // 7 Y N
|
||||
SystemProcessorTimes, // 8 Y N
|
||||
SystemGlobalFlag, // 9 Y Y
|
||||
SystemNotImplemented2, // 10 Y N
|
||||
SystemModuleInformation, // 11 Y N
|
||||
SystemLockInformation, // 12 Y N
|
||||
SystemNotImplemented3, // 13 Y N
|
||||
SystemNotImplemented4, // 14 Y N
|
||||
SystemNotImplemented5, // 15 Y N
|
||||
SystemHandleInformation, // 16 Y N
|
||||
SystemObjectInformation, // 17 Y N
|
||||
SystemPagefileInformation, // 18 Y N
|
||||
SystemInstructionEmulationCounts, // 19 Y N
|
||||
SystemInvalidInfoClass1, // 20
|
||||
SystemCacheInformation, // 21 Y Y
|
||||
SystemPoolTagInformation, // 22 Y N
|
||||
SystemProcessorStatistics, // 23 Y N
|
||||
SystemDpcInformation, // 24 Y Y
|
||||
SystemNotImplemented6, // 25 Y N
|
||||
SystemLoadImage, // 26 N Y
|
||||
SystemUnloadImage, // 27 N Y
|
||||
SystemTimeAdjustment, // 28 Y Y
|
||||
SystemNotImplemented7, // 29 Y N
|
||||
SystemNotImplemented8, // 30 Y N
|
||||
SystemNotImplemented9, // 31 Y N
|
||||
SystemCrashDumpInformation, // 32 Y N
|
||||
SystemExceptionInformation, // 33 Y N
|
||||
SystemCrashDumpStateInformation, // 34 Y Y/N
|
||||
SystemKernelDebuggerInformation, // 35 Y N
|
||||
SystemContextSwitchInformation, // 36 Y N
|
||||
SystemRegistryQuotaInformation, // 37 Y Y
|
||||
SystemLoadAndCallImage, // 38 N Y
|
||||
SystemPrioritySeparation, // 39 N Y
|
||||
SystemNotImplemented10, // 40 Y N
|
||||
SystemNotImplemented11, // 41 Y N
|
||||
SystemInvalidInfoClass2, // 42
|
||||
SystemInvalidInfoClass3, // 43
|
||||
SystemTimeZoneInformation, // 44 Y N
|
||||
SystemLookasideInformation, // 45 Y N
|
||||
SystemSetTimeSlipEvent, // 46 N Y
|
||||
SystemCreateSession, // 47 N Y
|
||||
SystemDeleteSession, // 48 N Y
|
||||
SystemInvalidInfoClass4, // 49
|
||||
SystemRangeStartInformation, // 50 Y N
|
||||
SystemVerifierInformation, // 51 Y Y
|
||||
SystemAddVerifier, // 52 N Y
|
||||
SystemSessionProcessesInformation // 53 Y N
|
||||
} SYSTEM_INFORMATION_CLASS;
|
||||
|
||||
#define LDRP_RELOCATION_FINAL 0x2
|
||||
|
@ -92,117 +92,117 @@ typedef enum _SYSTEM_INFORMATION_CLASS
|
|||
|
||||
|
||||
typedef struct _AUX_ACCESS_DATA {
|
||||
PPRIVILEGE_SET PrivilegesUsed;
|
||||
GENERIC_MAPPING GenericMapping;
|
||||
ACCESS_MASK AccessesToAudit;
|
||||
ACCESS_MASK MaximumAuditMask;
|
||||
ULONG Unknown[41];
|
||||
PPRIVILEGE_SET PrivilegesUsed;
|
||||
GENERIC_MAPPING GenericMapping;
|
||||
ACCESS_MASK AccessesToAudit;
|
||||
ACCESS_MASK MaximumAuditMask;
|
||||
ULONG Unknown[41];
|
||||
} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;
|
||||
|
||||
|
||||
|
||||
typedef struct _LDR_DATA_TABLE_ENTRY
|
||||
{
|
||||
LIST_ENTRY InLoadOrderLinks;
|
||||
LIST_ENTRY InMemoryOrderLinks;
|
||||
LIST_ENTRY InInitializationOrderLinks;
|
||||
PVOID DllBase;
|
||||
PVOID EntryPoint;
|
||||
ULONG SizeOfImage;
|
||||
UNICODE_STRING FullDllName;
|
||||
UNICODE_STRING BaseDllName;
|
||||
ULONG Flags;
|
||||
USHORT LoadCount;
|
||||
USHORT TlsIndex;
|
||||
union
|
||||
{
|
||||
LIST_ENTRY HashLinks;
|
||||
struct
|
||||
{
|
||||
PVOID SectionPointer;
|
||||
ULONG CheckSum;
|
||||
};
|
||||
};
|
||||
union
|
||||
{
|
||||
ULONG TimeDateStamp;
|
||||
PVOID LoadedImports;
|
||||
};
|
||||
PVOID EntryPointActivationContext;
|
||||
PVOID PatchInformation;
|
||||
LIST_ENTRY InLoadOrderLinks;
|
||||
LIST_ENTRY InMemoryOrderLinks;
|
||||
LIST_ENTRY InInitializationOrderLinks;
|
||||
PVOID DllBase;
|
||||
PVOID EntryPoint;
|
||||
ULONG SizeOfImage;
|
||||
UNICODE_STRING FullDllName;
|
||||
UNICODE_STRING BaseDllName;
|
||||
ULONG Flags;
|
||||
USHORT LoadCount;
|
||||
USHORT TlsIndex;
|
||||
union
|
||||
{
|
||||
LIST_ENTRY HashLinks;
|
||||
struct
|
||||
{
|
||||
PVOID SectionPointer;
|
||||
ULONG CheckSum;
|
||||
};
|
||||
};
|
||||
union
|
||||
{
|
||||
ULONG TimeDateStamp;
|
||||
PVOID LoadedImports;
|
||||
};
|
||||
PVOID EntryPointActivationContext;
|
||||
PVOID PatchInformation;
|
||||
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
|
||||
// typedef struct _IMAGE_BASE_RELOCATION {
|
||||
// DWORD VirtualAddress;
|
||||
// DWORD SizeOfBlock;
|
||||
// // WORD TypeOffset[1];
|
||||
// DWORD VirtualAddress;
|
||||
// DWORD SizeOfBlock;
|
||||
// // WORD TypeOffset[1];
|
||||
// } IMAGE_BASE_RELOCATION,*PIMAGE_BASE_RELOCATION;
|
||||
// typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
|
||||
|
||||
typedef struct _SERVICE_DESCRIPTOR_TABLE {
|
||||
/*
|
||||
* Table containing cServices elements of pointers to service handler
|
||||
* functions, indexed by service ID.
|
||||
*/
|
||||
PDWORD ServiceTable;
|
||||
/*
|
||||
* Table that counts how many times each service is used. This table
|
||||
* is only updated in checked builds.
|
||||
*/
|
||||
PULONG CounterTable;
|
||||
/*
|
||||
* Number of services contained in this table.
|
||||
*/
|
||||
ULONG TableSize;
|
||||
/*
|
||||
* Table containing the number of bytes of parameters the handler
|
||||
* function takes.
|
||||
*/
|
||||
PUCHAR ArgumentTable;
|
||||
/*
|
||||
* Table containing cServices elements of pointers to service handler
|
||||
* functions, indexed by service ID.
|
||||
*/
|
||||
PDWORD ServiceTable;
|
||||
/*
|
||||
* Table that counts how many times each service is used. This table
|
||||
* is only updated in checked builds.
|
||||
*/
|
||||
PULONG CounterTable;
|
||||
/*
|
||||
* Number of services contained in this table.
|
||||
*/
|
||||
ULONG TableSize;
|
||||
/*
|
||||
* Table containing the number of bytes of parameters the handler
|
||||
* function takes.
|
||||
*/
|
||||
PUCHAR ArgumentTable;
|
||||
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
|
||||
NTSTATUS ReLoadNtos(PDRIVER_OBJECT DriverObject,DWORD RetAddress);
|
||||
|
||||
NTSTATUS
|
||||
NTAPI
|
||||
ZwQuerySystemInformation(
|
||||
IN SYSTEM_INFORMATION_CLASS SystemInfoClass,
|
||||
OUT PVOID SystemInfoBuffer,
|
||||
IN ULONG SystemInfoBufferSize,
|
||||
OUT PULONG BytesReturned OPTIONAL
|
||||
);
|
||||
NTAPI
|
||||
ZwQuerySystemInformation(
|
||||
IN SYSTEM_INFORMATION_CLASS SystemInfoClass,
|
||||
OUT PVOID SystemInfoBuffer,
|
||||
IN ULONG SystemInfoBufferSize,
|
||||
OUT PULONG BytesReturned OPTIONAL
|
||||
);
|
||||
NTSTATUS
|
||||
NTAPI
|
||||
ObCreateObject (
|
||||
IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
|
||||
IN POBJECT_TYPE ObjectType,
|
||||
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
||||
IN KPROCESSOR_MODE AccessMode,
|
||||
IN OUT PVOID ParseContext OPTIONAL,
|
||||
IN ULONG ObjectSize,
|
||||
IN ULONG PagedPoolCharge OPTIONAL,
|
||||
IN ULONG NonPagedPoolCharge OPTIONAL,
|
||||
OUT PVOID *Object
|
||||
);
|
||||
NTAPI
|
||||
ObCreateObject (
|
||||
IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
|
||||
IN POBJECT_TYPE ObjectType,
|
||||
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
||||
IN KPROCESSOR_MODE AccessMode,
|
||||
IN OUT PVOID ParseContext OPTIONAL,
|
||||
IN ULONG ObjectSize,
|
||||
IN ULONG PagedPoolCharge OPTIONAL,
|
||||
IN ULONG NonPagedPoolCharge OPTIONAL,
|
||||
OUT PVOID *Object
|
||||
);
|
||||
|
||||
|
||||
NTSTATUS
|
||||
NTAPI
|
||||
SeCreateAccessState(
|
||||
PACCESS_STATE AccessState,
|
||||
PAUX_ACCESS_DATA AuxData,
|
||||
ACCESS_MASK Access,
|
||||
PGENERIC_MAPPING GenericMapping
|
||||
);
|
||||
NTAPI
|
||||
SeCreateAccessState(
|
||||
PACCESS_STATE AccessState,
|
||||
PAUX_ACCESS_DATA AuxData,
|
||||
ACCESS_MASK Access,
|
||||
PGENERIC_MAPPING GenericMapping
|
||||
);
|
||||
|
||||
|
||||
NTSYSAPI
|
||||
PVOID
|
||||
NTAPI
|
||||
RtlImageDirectoryEntryToData (
|
||||
IN PVOID Base,
|
||||
IN BOOLEAN MappedAsImage,
|
||||
IN USHORT DirectoryEntry,
|
||||
OUT PULONG Size
|
||||
);
|
||||
PVOID
|
||||
NTAPI
|
||||
RtlImageDirectoryEntryToData (
|
||||
IN PVOID Base,
|
||||
IN BOOLEAN MappedAsImage,
|
||||
IN USHORT DirectoryEntry,
|
||||
OUT PULONG Size
|
||||
);
|
||||
|
||||
BOOLEAN InitSafeOperationModule(PDRIVER_OBJECT pDriverObject,WCHAR *SystemModulePath,ULONG KernelModuleBase);
|
||||
|
||||
|
@ -210,29 +210,29 @@ BOOLEAN InitSafeOperationModule(PDRIVER_OBJECT pDriverObject,WCHAR *SystemModule
|
|||
|
||||
|
||||
typedef VOID (__stdcall *ReloadRtlInitUnicodeString)(
|
||||
__inout PUNICODE_STRING DestinationString,
|
||||
__in_opt PCWSTR SourceString
|
||||
);
|
||||
__inout PUNICODE_STRING DestinationString,
|
||||
__in_opt PCWSTR SourceString
|
||||
);
|
||||
ReloadRtlInitUnicodeString RRtlInitUnicodeString;
|
||||
|
||||
typedef LONG (__stdcall * ReloadRtlCompareUnicodeString)(
|
||||
__in PCUNICODE_STRING String1,
|
||||
__in PCUNICODE_STRING String2,
|
||||
__in BOOLEAN CaseInSensitive
|
||||
);
|
||||
__in PCUNICODE_STRING String1,
|
||||
__in PCUNICODE_STRING String2,
|
||||
__in BOOLEAN CaseInSensitive
|
||||
);
|
||||
ReloadRtlCompareUnicodeString RRtlCompareUnicodeString;
|
||||
|
||||
|
||||
typedef PVOID (__stdcall *ReloadMmGetSystemRoutineAddress)(
|
||||
__in PUNICODE_STRING SystemRoutineName
|
||||
);
|
||||
__in PUNICODE_STRING SystemRoutineName
|
||||
);
|
||||
ReloadMmGetSystemRoutineAddress RMmGetSystemRoutineAddress;
|
||||
|
||||
|
||||
|
||||
typedef BOOLEAN (__stdcall * ReloadMmIsAddressValid)(
|
||||
__in PVOID VirtualAddress
|
||||
);
|
||||
__in PVOID VirtualAddress
|
||||
);
|
||||
ReloadMmIsAddressValid RMmIsAddressValid;
|
||||
|
||||
|
||||
|
|