update
This commit is contained in:
LycorisGuard 2018-08-14 22:22:43 +08:00
parent d7ae1105e6
commit eae3805066
9 changed files with 129 additions and 387 deletions


@ -1,12 +1,8 @@
#include "GetService.h"
PVOID GetKeShadowServiceDescriptorTable64()
{
PUCHAR StartAddress = (PUCHAR)__readmsr(0xC0000082);
PUCHAR i = NULL;
UCHAR v1=0,v2=0,v3=0;
int iOffset = 0;
@ -22,7 +18,6 @@ PVOID GetKeShadowServiceDescriptorTable64()
{
memcpy(&iOffset,i+3,4);
SSSDTDescriptor = iOffset + (ULONG_PTR)i + 7;
/*
: kd> u fffff800`03ed7640 l 100
@ -35,10 +30,7 @@ PVOID GetKeShadowServiceDescriptorTable64()
fffff800`03ed7772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800`04109840)]
fffff800`03ed7779 4c8d1d00212300 lea r11,[nt!KeServiceDescriptorTableShadow (fffff800`04109880)
*/
SSSDTDescriptor+=32;
return (PVOID)SSSDTDescriptor;
}
}
@ -46,13 +38,9 @@ PVOID GetKeShadowServiceDescriptorTable64()
return 0;
}
PVOID GetKeShadowServiceDescriptorTable32()
{
WCHAR wzKeAddSystemServiceTable[] = L"KeAddSystemServiceTable";
ULONG_PTR SSSDTDescriptor = 0;
PUCHAR i = 0;
PUCHAR StartAddress;
@ -70,10 +58,8 @@ PVOID GetKeShadowServiceDescriptorTable32()
805b4002 83b82035568000 cmp dword ptr nt!KeServiceDescriptorTable (80563520)[eax],0
805b4009 753f jne nt!KeAddSystemServiceTable+0x6b (805b404a)
805b400b 8d88e0345680 lea ecx,nt!KeServiceDescriptorTableShadow (805634e0)[eax]
*/
StartAddress = (PUCHAR)GetFunctionAddressByNameFromNtosExport(wzKeAddSystemServiceTable);
if (StartAddress==NULL)
{
return 0;
@ -89,19 +75,13 @@ PVOID GetKeShadowServiceDescriptorTable32()
{
SSSDTDescriptor = *(ULONG_PTR*)(i+2);
SSSDTDescriptor = SSSDTDescriptor + 16;
return (PVOID)SSSDTDescriptor;
}
}
}
return 0;
}
PVOID
GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName)
{
@ -139,7 +119,7 @@ PVOID GetKeServiceDescriptorTable64()
if( b1==0x4c && b2==0x8d && b3==0x15 )
{
memcpy(&ulv1,i+3,4);
FunctionAddress = (ULONG_PTR)ulv1 + (ULONG_PTR)i + 7;
FunctionAddress = (PVOID)((ULONG_PTR)ulv1 + (ULONG_PTR)i + 7);
return FunctionAddress;
}
}
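Review bot: The rel32 displacement read by `memcpy(&ulv1,i+3,4)` is widened on the new line with `(ULONG_PTR)ulv1`; if `ulv1` is a ULONG, as its declaration above the hunk and prefix suggest, a negative displacement is zero- rather than sign-extended and `FunctionAddress` lands in the wrong place, whereas `GetKeShadowServiceDescriptorTable64` in the same file widens the same field from a signed `int iOffset`. Make the two scanners agree by widening through a signed type, e.g. `FunctionAddress = (PVOID)((ULONG_PTR)i + 7 + (LONG_PTR)(LONG)ulv1);`. Separately, both scans start at `__readmsr(0xC0000082)` (LSTAR); on the Windows 10 builds this commit begins recognising, LSTAR may point at the KVA-shadow entry stub rather than KiSystemCall64 when the Meltdown mitigation is active, so the `lea r10/r11` pattern may never be found — the function comment should state that a 0 return is expected there, and the scan loop (its bound is outside this hunk) must terminate rather than run off the end. `GetKeServiceDescriptorTable64` begins outside this hunk.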


@ -1,9 +1,4 @@
#pragma once
#include "SSSDTManager.h"
PVOID
GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);
PVOID GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);


@ -1,6 +1,5 @@
#include "SSDT.h"
extern ULONG_PTR SSDTDescriptor;
extern PDRIVER_OBJECT CurrentDriverObject;
extern PVOID SysSSDTModuleBase;
@ -15,10 +14,9 @@ PVOID GetSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
ulv2 = ServiceTableBase + 4 * ulIndex;
ulv1 = *(PLONG)ulv2;
ulv1 = ulv1>>4;
return ServiceTableBase + (ULONG_PTR)ulv1;
return (PVOID)(ServiceTableBase + (ULONG_PTR)ulv1);
}
PVOID GetSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
{
ULONG_PTR ServiceTableBase= 0 ;
@ -26,14 +24,9 @@ PVOID GetSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
ServiceTableBase=(ULONG)(SSDT ->ServiceTableBase);
return (*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex));
return (PVOID)(*(PULONG_PTR)(ServiceTableBase + 4 * ulIndex));
}
/**/
BOOLEAN GetSysModuleByLdrDataTableSSDT(WCHAR* wzModuleName)
{
@ -42,18 +35,14 @@ BOOLEAN GetSysModuleByLdrDataTableSSDT(WCHAR* wzModuleName)
{
PLDR_DATA_TABLE_ENTRY ListHead = NULL, ListNext = NULL;
ListHead = ListNext = (PLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection; //dt _DriverObject
while((PLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink != ListHead)
{
//DbgPrint("%wZ\r\n",&ListNext->BaseDllName);
if (ListNext->BaseDllName.Buffer&&
wcsstr(ListNext->BaseDllName.Buffer,wzModuleName)!=NULL)
wcsstr((WCHAR*)(ListNext->BaseDllName.Buffer),wzModuleName)!=NULL)
{
SysSSDTModuleBase = ListNext->DllBase;
SysSSDTModuleBase = (PVOID)(ListNext->DllBase);
ulSSDTSysModuleSize = ListNext->SizeOfImage;
//DbgPrint("%x %x\r\n",ListNext->DllBase,ListNext->EntryPoint);
@ -62,11 +51,9 @@ BOOLEAN GetSysModuleByLdrDataTableSSDT(WCHAR* wzModuleName)
bRet = TRUE;
break;
}
ListNext = (PLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink;
}
}
return bRet;
}
@ -82,19 +69,16 @@ NTSTATUS GetSysModuleByLdrDataTable2(PVOID Address,WCHAR* wzModuleName)
PKLDR_DATA_TABLE_ENTRY ListHead = NULL, ListNext = NULL;
ListHead = ListNext = (PKLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection; //dt _DriverObject
while((PKLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink != ListHead)
{
ulBase = (ListNext)->DllBase;
ulSize = (ListNext)->SizeOfImage;
if(ulBase!=0)
{
if(Address>ulBase&&Address<ulSize+ulBase)
if((ULONG_PTR)Address>ulBase && (ULONG_PTR)Address < ulSize + ulBase)
{
__try
{
DbgPrint("%wZ\r\n",&ListNext->BaseDllName);
DbgPrint("%wZ\r\n",&(ListNext->FullDllName));
@ -109,7 +93,6 @@ NTSTATUS GetSysModuleByLdrDataTable2(PVOID Address,WCHAR* wzModuleName)
break;
}
}
ListNext = (PKLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink;
}
}
@ -171,9 +154,7 @@ NTSTATUS GetSysModuleByLdrDataTable2(PVOID Address,WCHAR* wzModuleName)
return FALSE;*/
}
VOID UnHookSSDT(ULONG ulIndex, ULONG OriginalFunctionAddress)
VOID UnHookSSDT(ULONG ulIndex, ULONG_PTR OriginalFunctionAddress)
{
#ifdef _WIN64
ULONG_PTR v2 = 0;
@ -209,27 +190,16 @@ VOID UnHookSSDT(ULONG ulIndex, ULONG OriginalFunctionAddress)
BOOLEAN ResumeSSDTInlineHook(ULONG ulIndex,UCHAR* szOriginalFunctionCode)
{
PVOID CurrentFunctionAddress = NULL;
#ifdef _WIN64
CurrentFunctionAddress = GetSSDTFunctionAddress64(ulIndex,SSDTDescriptor);
#else
CurrentFunctionAddress = GetSSDTFunctionAddress32(ulIndex,SSDTDescriptor);
#endif
WPOFF();
SafeCopyMemory(CurrentFunctionAddress,szOriginalFunctionCode,CODE_LENGTH);
WPON();
return TRUE;
}
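Review bot: The retyped range test `if((ULONG_PTR)Address>ulBase && (ULONG_PTR)Address < ulSize + ulBase)` in GetSysModuleByLdrDataTable2 still excludes an address equal to the module base, so a function that starts at DllBase is never attributed to its module; the lower bound should be `>=`: `if((ULONG_PTR)Address >= ulBase && (ULONG_PTR)Address < ulSize + ulBase)`. SSSDTManager.c writes the same check the same way, so both need the fix. In `ResumeSSDTInlineHook` the index handed to `GetSSDTFunctionAddress64/32` is never compared with the table's service count before `ServiceTableBase + 4 * ulIndex` is dereferenced, so an out-of-range index reads past the table and `SafeCopyMemory` then writes `CODE_LENGTH` caller-supplied bytes to whatever address results; add a bound check (against the count field, if the project's SYSTEM_SERVICE_TABLE typedef carries one) and return FALSE on failure instead of the unconditional TRUE. `GetSSDTFunctionAddress64` begins outside this hunk, so the type of `ulv1` in `ulv1>>4` is not visible; the shift is only correct if it is signed (the sibling in SSSDTManager.c uses `LONG v1`).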


@ -2,31 +2,18 @@
#include "SSSDTManager.h"
#include "common.h"
PVOID GetKeServiceDescriptorTable64();
PVOID GetSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
PVOID GetSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
BOOLEAN GetSysModuleByLdrDataTableSSDT(WCHAR* wzModuleName);
NTSTATUS GetSysModuleByLdrDataTable2(PVOID Address,WCHAR* wzModuleName);
VOID UnHookSSDT(ULONG ulIndex, ULONG OriginalFunctionAddress);
VOID UnHookSSDT(ULONG ulIndex, ULONG_PTR OriginalFunctionAddress);
BOOLEAN ResumeSSDTInlineHook(ULONG ulIndex,UCHAR* szOriginalFunctionCode);
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
@ -113,7 +100,6 @@ typedef enum _SYSTEM_INFORMATION_CLASS {
MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;
//ÔÚϵͳģ¿éÖбéÀú
extern
NTSTATUS


@ -2,7 +2,6 @@
extern ULONG_PTR SSSDTDescriptor;
extern PDRIVER_OBJECT CurrentDriverObject;
extern PVOID SysModuleBsse;
extern ULONG_PTR ulSysModuleSize;
@ -10,8 +9,7 @@ extern ULONG_PTR ulSysModuleSize;
//获得SSSDT地址索引*4+SSSDT 存放着一个数右移4位即获得函数偏移。加上SSSDT即得到 对应函数地址
PVOID GetSSSDTFunctionAddress64(ULONG ulIndex)
{
LONG v1 = 0;
LONG v1 = 0;
ULONG_PTR v2 = 0;
ULONG_PTR ServiceTableBase= 0 ;
PSYSTEM_SERVICE_TABLE64 SSSDT = (PSYSTEM_SERVICE_TABLE64)SSSDTDescriptor;
@ -22,21 +20,15 @@ PVOID GetSSSDTFunctionAddress64(ULONG ulIndex)
return (PVOID)(ServiceTableBase + (ULONG_PTR)v1);
}
//SSSDT基地址+4*Index里面存放着SSSDT对应的函数地址
PVOID GetSSSDTFunctionAddress32(ULONG ulIndex)
{
ULONG_PTR ServiceTableBase= 0 ;
PSYSTEM_SERVICE_TABLE32 SSSDT = (PSYSTEM_SERVICE_TABLE32)SSSDTDescriptor;
ServiceTableBase = (ULONG_PTR)(SSSDT->ServiceTableBase);
return (PVOID)(*(PULONG_PTR)((ULONG_PTR)ServiceTableBase + 4 * ulIndex));
}
//Ring3传入模块名称与DriverObject->DriverSection结构的链表中 驱动名称相比较, 一致则返回驱动地址
BOOLEAN GetSysModuleByLdrDataTable(WCHAR* wzModuleName)
{
@ -45,18 +37,14 @@ BOOLEAN GetSysModuleByLdrDataTable(WCHAR* wzModuleName)
{
PKLDR_DATA_TABLE_ENTRY ListHead = NULL, ListNext = NULL;
ListHead = ListNext = (PKLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection; //dt _DriverObject
while((PKLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink != ListHead)
{
//DbgPrint("%wZ\r\n",&ListNext->BaseDllName);
if (ListNext->BaseDllName.Buffer&&
wcsstr(ListNext->BaseDllName.Buffer,wzModuleName)!=NULL)
wcsstr((WCHAR*)(ListNext->BaseDllName.Buffer),wzModuleName)!=NULL)
{
SysModuleBsse = ListNext->DllBase;
SysModuleBsse = (PVOID)(ListNext->DllBase);
ulSysModuleSize = ListNext->SizeOfImage;
//DbgPrint("%x %x\r\n",ListNext->DllBase,ListNext->EntryPoint);
@ -65,16 +53,12 @@ BOOLEAN GetSysModuleByLdrDataTable(WCHAR* wzModuleName)
bRet = TRUE;
break;
}
ListNext = (PKLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink;
}
}
return bRet;
}
//遍历DriverObject->DriverSection结构在驱动链表中查找函数所在模块
BOOLEAN GetSysModuleByLdrDataTable1(PVOID Address,WCHAR* wzModuleName)
{
@ -87,37 +71,23 @@ BOOLEAN GetSysModuleByLdrDataTable1(PVOID Address,WCHAR* wzModuleName)
PKLDR_DATA_TABLE_ENTRY ListHead = NULL, ListNext = NULL;
ListHead = ListNext = (PKLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection; //dt _DriverObject
while((PKLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink != ListHead)
{
ulBase = (ListNext)->DllBase;
ulSize = (ListNext)->SizeOfImage;
if(Address>ulBase&&Address<ulSize+ulBase)
if((ULONG_PTR)Address > ulBase && (ULONG_PTR)Address < ulSize+ulBase)
{
memcpy(wzModuleName,(WCHAR*)(((ListNext)->FullDllName).Buffer),sizeof(WCHAR)*60);
bRet = TRUE;
break;
}
ListNext = (PKLDR_DATA_TABLE_ENTRY)ListNext->InLoadOrderLinks.Flink;
}
}
return bRet;
}
VOID UnHookSSSDTWin7(ULONG ulIndex, ULONG OriginalFunctionAddress)
VOID UnHookSSSDTWin7(ULONG ulIndex, ULONG_PTR OriginalFunctionAddress)
{
ULONG_PTR v2 = 0;
ULONG_PTR ServiceTableBase = 0 ;
@ -132,7 +102,8 @@ VOID UnHookSSSDTWin7(ULONG ulIndex, ULONG OriginalFunctionAddress)
*(PLONG)v2 = CurrentFunctionOffsetOfSSSDT;
WPON();
}
VOID UnHookSSSDTWinXP(ULONG ulIndex, ULONG OriginalFunctionAddress)
VOID UnHookSSSDTWinXP(ULONG ulIndex, ULONG_PTR OriginalFunctionAddress)
{
ULONG_PTR ServiceTableBase = 0 ;
ULONG_PTR v2 = 0;
@ -145,33 +116,19 @@ VOID UnHookSSSDTWinXP(ULONG ulIndex, ULONG OriginalFunctionAddress)
WPON();
}
BOOLEAN ResumeSSSDTInlineHook(ULONG ulIndex,UCHAR* szOriginalFunctionCode)
{
PVOID CurrentFunctionAddress = NULL;
#ifdef _WIN64
CurrentFunctionAddress = GetSSSDTFunctionAddress64(ulIndex);
#else
CurrentFunctionAddress = GetSSSDTFunctionAddress32(ulIndex);
#endif
WPOFF();
SafeCopyMemory(CurrentFunctionAddress,szOriginalFunctionCode,CODE_LENGTH);
//memcpy(CurrentFunctionAddress,szOriginalFunctionCode,CODE_LENGTH);
WPON();
return TRUE;
}
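Review bot: `memcpy(wzModuleName,(WCHAR*)(((ListNext)->FullDllName).Buffer),sizeof(WCHAR)*60)` in GetSysModuleByLdrDataTable1 copies a fixed 120 bytes regardless of `FullDllName.Length`, so it over-reads the UNICODE_STRING buffer for shorter names, never NUL-terminates, and overflows the destination if the caller's `wzModuleName` holds fewer than 60 WCHARs (its size is not visible here). Copy at most the real length and terminate: `SIZE_T cb = min((SIZE_T)ListNext->FullDllName.Length, 59 * sizeof(WCHAR)); memcpy(wzModuleName, ListNext->FullDllName.Buffer, cb); wzModuleName[cb / sizeof(WCHAR)] = L'\0';` — or pass the destination size in. Both list walks iterate `DriverSection` with no lock on the loaded-module list, so an entry unlinked by a concurrently unloading driver can be dereferenced mid-walk; if that is accepted it should at least be stated in the function comment. `ResumeSSSDTInlineHook` likewise writes `CODE_LENGTH` bytes from the caller's buffer to an index-derived address with no bound on `ulIndex` and returns TRUE unconditionally.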


@ -5,17 +5,13 @@
PVOID GetKeShadowServiceDescriptorTable32();
PVOID GetKeShadowServiceDescriptorTable64();
PVOID GetSSSDTFunctionAddress64(ULONG ulIndex);
PVOID GetSSSDTFunctionAddress32(ULONG ulIndex);
BOOLEAN GetSysModuleByLdrDataTable(WCHAR* wzModuleName);
BOOLEAN GetSysModuleByLdrDataTable1(PVOID Address,WCHAR* wzModuleName);
VOID UnHookSSSDTWin7(ULONG ulIndex, ULONG OriginalFunctionAddress);
VOID UnHookSSSDTWinXP(ULONG ulIndex, ULONG OriginalFunctionAddress);
VOID UnHookSSSDTWin7(ULONG ulIndex, ULONG_PTR OriginalFunctionAddress);
VOID UnHookSSSDTWinXP(ULONG ulIndex, ULONG_PTR OriginalFunctionAddress);
BOOLEAN ResumeSSSDTInlineHook(ULONG ulIndex,UCHAR* szOriginalFunctionCode);


@ -1,5 +1,3 @@
#ifndef CXX_SSSDTMANAGER_H
# include "SSSDTManager.h"
#include "common.h"
@ -11,14 +9,9 @@
KIRQL Irql;
WIN_VERSION WinVersion = WINDOWS_UNKNOW;
ULONG_PTR SSDTDescriptor = 0;
ULONG_PTR SSSDTDescriptor = 0;
PDRIVER_OBJECT CurrentDriverObject = NULL;
PVOID SysModuleBsse = NULL;
ULONG_PTR ulSysModuleSize = 0;
@ -63,7 +56,6 @@ DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryString)
WinVersion = GetWindowsVersion();
return Status;
}
@ -76,7 +68,6 @@ NTSTATUS
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
@ -87,7 +78,6 @@ NTSTATUS
NTSTATUS
ControlPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
NTSTATUS Status = STATUS_SUCCESS;
PIO_STACK_LOCATION IrpSp;
PVOID InputBuffer = NULL;
@ -120,63 +110,50 @@ NTSTATUS
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
#ifdef _WIN64
SSSDTDescriptor = GetKeShadowServiceDescriptorTable64();
SSSDTDescriptor = (ULONG_PTR)GetKeShadowServiceDescriptorTable64();
#else
SSSDTDescriptor = GetKeShadowServiceDescriptorTable32();
SSSDTDescriptor = (ULONG_PTR)GetKeShadowServiceDescriptorTable32();
#endif
if (SSSDTDescriptor==NULL)
if (SSSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
case IOCTL_GET_SSSDT_FUNCTIONADDRESS:
{
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (SSSDTDescriptor==NULL)
if (SSSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
else
{
#ifdef _WIN64
SSSDTFunctionAddress = GetSSSDTFunctionAddress64(*(ULONG*)InputBuffer);
#else
SSSDTFunctionAddress = GetSSSDTFunctionAddress32(*(ULONG*)InputBuffer);
#endif
if (SSSDTFunctionAddress!=NULL)
{
memcpy(OutputBuffer, &SSSDTFunctionAddress,sizeof(PVOID));
Irp->IoStatus.Information = sizeof(PVOID);
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
else
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
@ -190,41 +167,30 @@ NTSTATUS
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (InputBuffer!=NULL)
{
Data.OriginalFunctionAddress = ((pData2)InputBuffer)->OriginalFunctionAddress;
//通过当前驱动对象的DriverSection里面枚举模块获得模块名称
if(GetSysModuleByLdrDataTable1((PVOID)Data.OriginalFunctionAddress,(WCHAR*)wzModuleName2)==TRUE)
{
memcpy((WCHAR*)OutputBuffer,wzModuleName2,OutputSize);
Irp->IoStatus.Information = OutputSize;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
case IOCTL_GET_SSSDT_SERVERICE_BASE://Ring3在重定向的时候需要当前模块基址和SSSDT算出偏移
{
/*
#ifdef _WIN64
SSSDTDescriptor = GetKeShadowServiceDescriptorTable64();
SSSDTServiceTable = (PSYSTEM_SERVICE_TABLE64)SSSDTDescriptor;
#else
SSSDTDescriptor = GetKeShadowServiceDescriptorTable32();
SSSDTServiceTable = (PSYSTEM_SERVICE_TABLE32)SSSDTDescriptor;
#endif
@ -233,11 +199,10 @@ NTSTATUS
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (SSSDTDescriptor==NULL)
if (SSSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
@ -249,34 +214,25 @@ NTSTATUS
memcpy(OutputBuffer,&(SSSDTServiceTable->ServiceTableBase),sizeof(PVOID));
Irp->IoStatus.Information = sizeof(PVOID);
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
case CTL_GET_SYS_MODULE_INFOR:
{
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (InputBuffer!=NULL)
{
memcpy(wzModuleName,(WCHAR*)InputBuffer,InputSize);
if(GetSysModuleByLdrDataTable((WCHAR*)wzModuleName)==TRUE)
{
DbgPrint("%x\r\n",SysModuleBsse);
memcpy((PVOID)OutputBuffer,&SysModuleBsse,sizeof(PVOID));
memcpy(((PULONG_PTR)OutputBuffer)+1,&ulSysModuleSize,sizeof(ULONG_PTR));
Irp->IoStatus.Information = sizeof(PVOID)+sizeof(ULONG_PTR);
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
}
@ -291,7 +247,7 @@ NTSTATUS
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (SSSDTDescriptor==NULL)
if (SSSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
@ -302,53 +258,41 @@ NTSTATUS
{
#ifdef _WIN64
SSSDTFunctionAddress = GetSSSDTFunctionAddress64(*(ULONG*)InputBuffer);
#else
SSSDTFunctionAddress = GetSSSDTFunctionAddress32(*(ULONG*)InputBuffer);
#endif
if (SSSDTFunctionAddress!=NULL)
{
WPOFF();
if(SafeCopyMemory(OutputBuffer,(VOID*)SSSDTFunctionAddress,(SIZE_T)OutputSize)==FALSE)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
WPON();
break;
}
WPON();
Irp->IoStatus.Information = OutputSize;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
case IOCTL_RESUME_SSSDT_INLINEHOOK:
{
Data0 Data = {0};
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
Data.ulIndex = ((pData0)InputBuffer)->ulIndex;
memcpy(Data.szOriginalFunctionCode,((pData0)InputBuffer)->szOriginalFunctionCode,CODE_LENGTH);
if (SSSDTDescriptor==NULL)
if (SSSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
@ -373,77 +317,46 @@ NTSTATUS
Data.Index = ((pData1)InputBuffer)->Index;
Data.OriginalAddress = ((pData1)InputBuffer)->OriginalAddress;
if (SSSDTDescriptor==NULL)
if (SSSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
else
{
#ifdef _WIN64
UnHookSSSDTWin7(Data.Index,Data.OriginalAddress);
#else
UnHookSSSDTWinXP(Data.Index,Data.OriginalAddress);
#endif
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
break;
}
case IOCTL_GET_SSDTSERVERICE:
{
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
#ifdef _WIN64
SSDTDescriptor = GetKeServiceDescriptorTable64(); //»ñÈ¡SSDT±í
SSDTDescriptor = (ULONG_PTR)GetKeServiceDescriptorTable64(); //»ñÈ¡SSDT±í
#else
SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable");
#endif
if (SSDTDescriptor==NULL)
if (SSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
@ -452,54 +365,40 @@ NTSTATUS
}
case IOCTL_GET_SDT_FUNCTIONADDRESS://通过索引获得函数地址
{
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (SSDTDescriptor==NULL)
if (SSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
else
{
#ifdef _WIN64
//win7在SSDT基地址+4*Index里面存放着偏移偏移右移4位即是SSDT对应函数地址
SSDTFunctionAddress = GetSSDTFunctionAddress64(*(ULONG*)InputBuffer,SSDTDescriptor);
#else
//XP在SSDT基地址+4*Index里面存放的即是SSDT对应函数地址
SSDTFunctionAddress = GetSSDTFunctionAddress32(*(ULONG*)InputBuffer,SSDTDescriptor);
#endif
if (SSDTFunctionAddress!=NULL)
{
memcpy(OutputBuffer, &SSDTFunctionAddress,sizeof(PVOID));
Irp->IoStatus.Information = sizeof(PVOID);
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
else
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
}
}
case IOCTL_GET_SSDT_MODULENAME:
{
Data2 Data1 = {0};
@ -507,39 +406,28 @@ NTSTATUS
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (InputBuffer!=NULL)
{
Data1.OriginalFunctionAddress = ((pData2)InputBuffer)->OriginalFunctionAddress;
if(GetSysModuleByLdrDataTable2((PVOID)Data1.OriginalFunctionAddress,(WCHAR*)wzModuleName3)==TRUE)
{
memcpy((WCHAR*)OutputBuffer,wzModuleName3,OutputSize);
Irp->IoStatus.Information = OutputSize;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
case IOCTL_GET_SSDT_SERVERICE_BASE:{
case IOCTL_GET_SSDT_SERVERICE_BASE:
{
#ifdef _WIN64
// SSDTDescriptor = GetKeServiceDescriptorTable64();
SSDTServiceTable = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor;
#else
// SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByNameFromNtosExport(L"KeServiceDescriptorTable");
SSDTServiceTable = (PSYSTEM_SERVICE_TABLE32)SSDTDescriptor;
#endif
@ -547,27 +435,23 @@ NTSTATUS
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (SSDTDescriptor==NULL)
if (SSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
memcpy(OutputBuffer,&(SSDTServiceTable->ServiceTableBase),sizeof(PVOID));
Irp->IoStatus.Information = sizeof(PVOID);
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
}
case CTL_GET_SSDT_SYS_MODULE_INFOR:
{
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (InputBuffer!=NULL)
{
memcpy(wzModuleName,(WCHAR*)InputBuffer,InputSize);
@ -578,81 +462,64 @@ NTSTATUS
Irp->IoStatus.Information = sizeof(PVOID)+sizeof(ULONG_PTR);
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
case IOCTL_GET_SSDT_CURRENT_FUNC_CODE:
{
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
if (SSDTDescriptor==NULL)
if (SSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
else
{
#ifdef _WIN64
SSDTFunctionAddress = GetSSDTFunctionAddress64(*(ULONG*)InputBuffer,SSDTDescriptor);
#else
SSDTFunctionAddress = GetSSDTFunctionAddress32(*(ULONG*)InputBuffer,SSDTDescriptor);
#endif
if (SSDTFunctionAddress!=NULL)
{
WPOFF();
if(SafeCopyMemory(OutputBuffer,(VOID*)SSDTFunctionAddress,(SIZE_T)OutputSize)==FALSE)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
WPON();
break;
}
WPON();
Irp->IoStatus.Information = OutputSize;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
break;
}
}
case IOCTL_RESUME_SSDT_INLINEHOOK:
{
Data0 Data = {0};
InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
Data.ulIndex = ((pData0)InputBuffer)->ulIndex;
Data.ulIndex = ((pData0)InputBuffer)->ulIndex;
memcpy(Data.szOriginalFunctionCode,((pData0)InputBuffer)->szOriginalFunctionCode,CODE_LENGTH);
if (SSDTDescriptor==NULL)
if (SSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
@ -661,10 +528,8 @@ NTSTATUS
}
ResumeSSDTInlineHook(Data.ulIndex,Data.szOriginalFunctionCode);
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
case IOCTL_UNHOOK_SSDT:
@ -676,62 +541,33 @@ NTSTATUS
Data.Index = ((pData1)InputBuffer)->Index;
Data.OriginalAddress = ((pData1)InputBuffer)->OriginalAddress;
if (SSDTDescriptor==NULL)
if (SSDTDescriptor == 0)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
break;
}
else
{
UnHookSSDT(Data.Index,Data.OriginalAddress);
UnHookSSDT(Data.Index,Data.OriginalAddress);
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_SUCCESS;
break;
}
break;
}
default:
{
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
Irp->IoStatus.Information = 0;
break;
}
}
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return Status;
}
VOID
UnloadDriver(PDRIVER_OBJECT DriverObject)
{
@ -740,7 +576,6 @@ UnloadDriver(PDRIVER_OBJECT DriverObject)
PDEVICE_OBJECT NextDeviceObject;
RtlInitUnicodeString(&uniLinkName,LINK_NAME);
IoDeleteSymbolicLink(&uniLinkName);
if (DriverObject->DeviceObject!=NULL)
@ -751,16 +586,11 @@ UnloadDriver(PDRIVER_OBJECT DriverObject)
{
NextDeviceObject = CurrentDeviceObject->NextDevice;
IoDeleteDevice(CurrentDeviceObject);
CurrentDeviceObject = NextDeviceObject;
}
}
DbgPrint("UnloadDriver\r\n");
}
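Review bot: Every IOCTL case dereferences `Irp->AssociatedIrp.SystemBuffer` without checking `InputSize`/`OutputSize` against what it reads — `*(ULONG*)InputBuffer`, `((pData0)InputBuffer)->ulIndex`, `((pData1)InputBuffer)->Index` — and with METHOD_BUFFERED the buffer is NULL when both lengths are zero, so a caller passing short or empty buffers crashes the kernel. The copies are worse: `memcpy(wzModuleName,(WCHAR*)InputBuffer,InputSize)` trusts the caller's length for a fixed kernel buffer (overflow), `memcpy((WCHAR*)OutputBuffer,wzModuleName2,OutputSize)` copies `OutputSize` bytes out of a fixed buffer (kernel memory disclosure), and the CURRENT_FUNC_CODE cases copy `OutputSize` bytes from an unbounded, index-derived kernel address straight to user mode. Since UNHOOK and RESUME_INLINEHOOK then write caller-supplied values and bytes into the service table and into kernel code, anyone who can open the device holds an arbitrary kernel read/write primitive; device creation is not in this diff, so confirm it uses an administrator-only SDDL. The excerpt below shows the guard for one case; each case needs its equivalent, and the index must be bounded against the table's service count before any address is derived from it.
```c
case IOCTL_GET_SSSDT_FUNCTIONADDRESS:
{
    ULONG ulIndex = 0;
    InputBuffer = OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
    InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
    OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
    /* METHOD_BUFFERED: SystemBuffer is NULL when both lengths are 0 and the
     * caller controls both lengths, so validate before touching it. */
    if (SSSDTDescriptor == 0 || InputBuffer == NULL ||
        InputSize < sizeof(ULONG) || OutputSize < sizeof(PVOID))
    {
        Irp->IoStatus.Information = 0;
        Status = Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
        break;
    }
    ulIndex = *(ULONG*)InputBuffer;
    /* TODO: reject ulIndex >= the shadow table's service count here;
     * GetSSSDTFunctionAddress64/32 index the table without any bound. */
    /* … unchanged: GetSSSDTFunctionAddress64/32 call and result copy … */
```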


@ -10,70 +10,102 @@ VOID WPOFF()
cr0 =__readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
// _disable(); //这句话 屏蔽也没有啥
#ifdef _WIN64
_disable();
#endif
}
VOID WPON()
{
ULONG_PTR cr0=__readcr0();
cr0 |= 0x10000;
// _enable(); //这句话 屏蔽也没有啥
#ifdef _WIN64
_enable();
#endif
__writecr0(cr0);
KeLowerIrql(Irql);
}
WIN_VERSION GetWindowsVersion()
{
RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)};
pfnRtlGetVersion RtlGetVersion = NULL;
WIN_VERSION WinVersion;
WCHAR wzRtlGetVersion[] = L"RtlGetVersion";
RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)};
pfnRtlGetVersion RtlGetVersion = NULL;
WIN_VERSION WinVersion;
WCHAR szRtlGetVersion[] = L"RtlGetVersion";
RtlGetVersion = GetFunctionAddressByName(wzRtlGetVersion); //Ntoskrnl.exe 导出表
if (RtlGetVersion)
{
RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo);
}
else
{
PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL); //Documet
}
RtlGetVersion = (pfnRtlGetVersion)GetFunctionAddressByName(szRtlGetVersion);
DbgPrint("Build Number: %d\r\n", osverInfo.dwBuildNumber);
if (RtlGetVersion)
{
RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo);
}
else
{
PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL);
}
if (osverInfo.dwMajorVersion == 5 && osverInfo.dwMinorVersion == 1)
{
DbgPrint("WINDOWS_XP\r\n");
WinVersion = WINDOWS_XP;
}
else if (osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1)
{
DbgPrint("WINDOWS 7\r\n");
WinVersion = WINDOWS_7;
}
else if (osverInfo.dwMajorVersion == 6 &&
osverInfo.dwMinorVersion == 2 &&
osverInfo.dwBuildNumber == 9200)
{
DbgPrint("WINDOWS 8\r\n");
WinVersion = WINDOWS_8;
}
else if (osverInfo.dwMajorVersion == 6 &&
osverInfo.dwMinorVersion == 3 &&
osverInfo.dwBuildNumber == 9600)
{
DbgPrint("WINDOWS 8.1\r\n");
WinVersion = WINDOWS_8_1;
}
else
{
DbgPrint("WINDOWS_UNKNOW\r\n");
WinVersion = WINDOWS_UNKNOW;
}
//x64λ֧³Ö
if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1 && osverInfo.dwBuildNumber == 7600)
{
DbgPrint("WINDOWS 7\r\n");
WinVersion = WINDOWS_7_7600;
}
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1 && osverInfo.dwBuildNumber == 7601)
{
DbgPrint("WINDOWS 7\r\n");
WinVersion = WINDOWS_7_7601;
}
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 2 && osverInfo.dwBuildNumber == 9200)
{
DbgPrint("WINDOWS 8\r\n");
WinVersion = WINDOWS_8_9200;
}
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 3 && osverInfo.dwBuildNumber == 9600)
{
DbgPrint("WINDOWS 8.1\r\n");
WinVersion = WINDOWS_8_9600;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 10240)
{
DbgPrint("WINDOWS 10 10240\r\n");
WinVersion = WINDOWS_10_10240;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 10586)
{
DbgPrint("WINDOWS 10 10586\r\n");
WinVersion = WINDOWS_10_10586;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 14393)
{
DbgPrint("WINDOWS 10 14393\r\n");
WinVersion = WINDOWS_10_14393;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 15063)
{
DbgPrint("WINDOWS 10 15063\r\n");
WinVersion = WINDOWS_10_15063;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 16299)
{
DbgPrint("WINDOWS 10 16299\r\n");
WinVersion = WINDOWS_10_16299;
}
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 17134)
{
DbgPrint("WINDOWS 10 17134\r\n");
WinVersion = WINDOWS_10_17134;
}
else
{
DbgPrint("This is a new os\r\n");
WinVersion = WINDOWS_UNKNOW;
}
return WinVersion;
return WinVersion;
}
PVOID
GetFunctionAddressByName(WCHAR *wzFunction)
{
@ -89,10 +121,6 @@ PVOID
return AddrBase;
}
BOOLEAN SafeCopyMemory(PVOID DestiAddress, PVOID SourAddress, SIZE_T SizeOfCopy)
{
@ -126,5 +154,4 @@ BOOLEAN SafeCopyMemory(PVOID DestiAddress, PVOID SourAddress, SIZE_T SizeOfCopy)
MmUnlockPages(Mdl);
IoFreeMdl(Mdl);
return TRUE;
}
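Review bot: WPOFF and WPON are not symmetric on x64: WPOFF clears CR0.WP and then calls `_disable()`, but WPON calls `_enable()` before `__writecr0(cr0)`, so interrupts come back while WP is still clear; restore in reverse order, `__writecr0(cr0); _enable(); KeLowerIrql(Irql);` (the matching IRQL raise is presumably in WPOFF above this hunk). Callers wrap `SafeCopyMemory`, whose MDL tail (`MmUnlockPages`/`IoFreeMdl`) is visible here, inside that interrupts-off window; any page fault on the MDL path then bugchecks, so either the copy must be guaranteed non-paging or the interrupt toggle should go. The new Windows 10 build cases only label the version: on x64 the service-table and inline-patch writes this driver performs are exactly what Kernel Patch Protection checks, so the labels should not be read as support, and GetWindowsVersion's header comment should say so. If `DbgPrint("Build Number: %d\r\n", ...)` now runs before RtlGetVersion is called, as the rendering suggests, it logs a zero build number and should move after the call.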


@ -23,11 +23,18 @@ VOID WPON();
//获取版本信息
typedef enum WIN_VERSION {
WINDOWS_UNKNOW,
WINDOWS_XP,
WINDOWS_7,
WINDOWS_8,
WINDOWS_8_1
WINDOWS_XP,
WINDOWS_7_7600,
WINDOWS_7_7601,
WINDOWS_8_9200,
WINDOWS_8_9600,
WINDOWS_10_10240,
WINDOWS_10_10586,
WINDOWS_10_14393,
WINDOWS_10_15063,
WINDOWS_10_16299,
WINDOWS_10_17134,
WINDOWS_UNKNOW
} WIN_VERSION;
//Windows版本信息
@ -38,15 +45,9 @@ typedef
NTSTATUS
(*pfnRtlGetVersion)(OUT PRTL_OSVERSIONINFOW lpVersionInformation);
BOOLEAN SafeCopyMemory(PVOID DestiAddress, PVOID SourAddress, SIZE_T SizeOfCopy);
typedef struct _KLDR_DATA_TABLE_ENTRY64 {
LIST_ENTRY64 InLoadOrderLinks;
ULONG64 __Undefined1;