#ifndef CXX_SSSDTMANAGER_H
#define CXX_SSSDTMANAGER_H
#include <ntifs.h>
#include <devioctl.h>
#include <ntimage.h>
// NOTE(review): SEC_IMAGE is also a section allocation attribute in the SDK/WDK
// headers (same value); depending on which headers ntifs.h pulls in this local
// definition may be a redundant redefinition — confirm before relying on it.
#define SEC_IMAGE 0x01000000
// Number of bytes of original function code saved per hooked entry; this sizes
// Data0::szOriginalFunctionCode below and is the bound every copy into or out of
// that field must respect.
#define CODE_LENGTH 23
// Device object name and the \DosDevices symbolic link through which Ring3
// clients reach it.
#define DEVICE_NAME L"\\Device\\SSSDTManagerDevice"
#define LINK_NAME L"\\DosDevices\\SSSDTManagerLink"
// IOCTL codes. All of them use METHOD_BUFFERED and FILE_ANY_ACCESS: the I/O
// manager therefore demands no particular access right on the handle for any
// of these codes, so who may reach them is decided solely by the device
// object's security descriptor (set where the device is created, not shown
// here) and by checks inside the dispatch routine. Input/output buffer length
// validation for the METHOD_BUFFERED system buffer likewise has to happen in
// the dispatch routine.
// Retrieve the SSSDT and SSDT tables.
#define IOCTL_GET_SSSDTSERVERICE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_SSSDT_FUNCTIONADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_SSDTSERVERICE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_SDT_FUNCTIONADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x809, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Retrieve the module name.
#define IOCTL_GET_MODULENAME \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x840,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_GET_SSDT_MODULENAME \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x841,METHOD_BUFFERED,FILE_ANY_ACCESS)
// Retrieve the current module base address when redirecting from Ring3.
#define IOCTL_GET_SSSDT_SERVERICE_BASE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CTL_GET_SYS_MODULE_INFOR \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_BUFFERED,FILE_ANY_ACCESS)
// SSDT module.
#define IOCTL_GET_SSDT_SERVERICE_BASE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CTL_GET_SSDT_SYS_MODULE_INFOR \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x832,METHOD_BUFFERED,FILE_ANY_ACCESS)
// Retrieve the current code bytes at the inline-hook site.
#define IOCTL_GET_SSSDT_CURRENT_FUNC_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x811, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_SSDT_CURRENT_FUNC_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x852, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Restore (remove) hooks. Judging by their names these presumably write to
// kernel tables/code, making them the most sensitive codes in this set; the
// FILE_ANY_ACCESS caveat above applies to them too.
#define IOCTL_UNHOOK_SSSDT \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x831,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_RESUME_SSSDT_INLINEHOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x810, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNHOOK_SSDT \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x850,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_RESUME_SSDT_INLINEHOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x851, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Structure for receiving the saved original code bytes of one entry
// (presumably exchanged by the *_CURRENT_FUNC_CODE / *_INLINEHOOK IOCTLs —
// confirm against the dispatch routine).
typedef struct _DATA_
{
// Service-table index of the entry.
ULONG ulIndex;
// Fixed-size copy of the original function bytes; CODE_LENGTH (23) is the
// hard bound for any copy into or out of this field.
UCHAR szOriginalFunctionCode[CODE_LENGTH];
}Data0,*pData0;
// Retrieve the original address.
// NOTE(review): ULONG_PTR is pointer-sized, so sizeof(Data2) differs between
// 32- and 64-bit builds; the Ring3 client must be built for the same pointer
// width (or the structure made fixed-width) for the METHOD_BUFFERED exchange
// to line up.
typedef struct _DATA2_
{
ULONG_PTR OriginalFunctionAddress;
}Data2,*pData2;
// Index/address pair for one service-table entry.
// NOTE(review): on 64-bit builds natural alignment inserts padding between
// Index (32-bit) and OriginalAddress (pointer-sized), so both the size and the
// offset of OriginalAddress differ from a 32-bit build; the Ring3 client has to
// match this layout exactly or fields will be misread.
typedef struct _DATA1_
{
// Service-table index of the entry.
ULONG Index;
// Original (pre-hook) address of the entry.
ULONG_PTR OriginalAddress;
}Data1,*pData1;
/**
 * Driver unload routine (DRIVER_UNLOAD signature). Expected to tear down the
 * device object and LINK_NAME symbolic link; implementation not in this header.
 */
VOID
UnloadDriver(PDRIVER_OBJECT DriverObject);
/**
 * Dispatch routine that, judging by its name, handles the IOCTL_* codes above
 * (presumably registered for IRP_MJ_DEVICE_CONTROL — confirm in DriverEntry).
 * This is where the METHOD_BUFFERED input/output lengths and any caller checks
 * for the FILE_ANY_ACCESS codes have to be validated; implementation not in this
 * header.
 */
NTSTATUS
ControlPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp);
/**
 * Presumably the dispatch routine for the remaining major function codes
 * (create/close and the like); implementation not in this header.
 */
NTSTATUS
DefaultPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp);
#endif