#ifndef CXX_SSSDTMANAGER_H
#define CXX_SSSDTMANAGER_H

// SSSDTManager driver interface: device/link names, IOCTL codes and the
// buffer layouts shared between the kernel driver and its user-mode client.

#include <ntifs.h>
#include <devioctl.h>
#include <ntimage.h>

// NOTE(review): the WDK headers pulled in by ntifs.h may already define
// SEC_IMAGE; a second definition whose spelling differs produces a
// macro-redefinition warning. Confirm, and drop this line if the headers
// already supply it.
#define SEC_IMAGE 0x01000000

// Number of bytes of function entry code carried in
// Data0.szOriginalFunctionCode. Whatever serves the *_CURRENT_FUNC_CODE
// requests must check that the METHOD_BUFFERED output buffer is at least
// sizeof(Data0) before writing into it.
#define CODE_LENGTH 23

// Device object name and the \DosDevices symbolic link that makes the device
// openable from user mode. Access control for the device is decided where it
// is created (not in this header) — confirm a restrictive security descriptor
// (e.g. IoCreateDeviceSecure with an SDDL string) is applied there.
#define DEVICE_NAME L"\\Device\\SSSDTManagerDevice"
#define LINK_NAME L"\\DosDevices\\SSSDTManagerLink"

// IOCTL codes.
//  - All use METHOD_BUFFERED: input and output share
//    Irp->AssociatedIrp.SystemBuffer, so the dispatch routine must validate
//    InputBufferLength / OutputBufferLength itself before touching the data.
//  - All use FILE_ANY_ACCESS: the I/O manager performs no access-right check
//    on the handle. The codes named UNHOOK / RESUME below presumably modify
//    kernel state (confirm in the dispatch code); if the device is reachable
//    by non-administrators they would be better declared with
//    FILE_READ_ACCESS | FILE_WRITE_ACCESS.
//  - Function codes sit in the 0x800-0xFFF range reserved for third-party
//    drivers.

// Retrieve the Shadow SSDT and SSDT service tables / function addresses
#define IOCTL_GET_SSSDTSERVERICE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_SSSDT_FUNCTIONADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_SSDTSERVERICE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_SDT_FUNCTIONADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x809, METHOD_BUFFERED, FILE_ANY_ACCESS)

// Retrieve the module name
#define IOCTL_GET_MODULENAME \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x840,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_GET_SSDT_MODULENAME \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x841,METHOD_BUFFERED,FILE_ANY_ACCESS)

// Retrieve the current module base address when redirecting from Ring 3
#define IOCTL_GET_SSSDT_SERVERICE_BASE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
// NOTE: this and CTL_GET_SSDT_SYS_MODULE_INFOR lack the IOCTL_ prefix the
// other codes use; the names are kept for compatibility with existing callers.
#define CTL_GET_SYS_MODULE_INFOR \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_BUFFERED,FILE_ANY_ACCESS)
// SSDT module
#define IOCTL_GET_SSDT_SERVERICE_BASE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CTL_GET_SSDT_SYS_MODULE_INFOR \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x832,METHOD_BUFFERED,FILE_ANY_ACCESS)

// Retrieve the current bytes of a (possibly inline-hooked) function
#define IOCTL_GET_SSSDT_CURRENT_FUNC_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x811, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GET_SSDT_CURRENT_FUNC_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x852, METHOD_BUFFERED, FILE_ANY_ACCESS)

// Restore hooks
#define IOCTL_UNHOOK_SSSDT \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x831,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_RESUME_SSSDT_INLINEHOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x810, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_UNHOOK_SSDT \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x850,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_RESUME_SSDT_INLINEHOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x851, METHOD_BUFFERED, FILE_ANY_ACCESS)

// Buffer for the *_CURRENT_FUNC_CODE queries: the caller supplies a service
// index and the driver fills in the first CODE_LENGTH bytes of that entry
// (inferred from the IOCTL names — confirm against the dispatch routine).
typedef struct _DATA_
{
    // Service-table index supplied by the user-mode caller. Untrusted input:
    // the dispatch routine must range-check it against the table's entry
    // count before using it as an index.
    ULONG ulIndex;
    // Presumably raw instruction bytes rather than a NUL-terminated string,
    // despite the sz prefix — verify against the code that fills it.
    UCHAR szOriginalFunctionCode[CODE_LENGTH];
}Data0,*pData0;
// Reply buffer carrying a single original function address.
typedef struct _DATA2_
{
    // Address of the original (unhooked) routine, as reported by the driver.
    ULONG_PTR OriginalFunctionAddress;
}Data2,*pData2;
// Index/address pair. Note the index field is named differently from
// Data0.ulIndex; both names are kept as-is since user-mode callers depend
// on this layout.
typedef struct _DATA1_
{
    // Service-table index supplied by the caller — untrusted, must be
    // range-checked in the dispatch routine before use.
    ULONG Index;
    // Original address for that index, filled in by the driver.
    ULONG_PTR OriginalAddress;
}Data1,*pData1;
// Driver unload routine; presumably removes the symbolic link and device
// object named above (bodies are defined in the .c file, not visible here).
VOID
UnloadDriver(PDRIVER_OBJECT DriverObject);

// IRP_MJ_DEVICE_CONTROL handler — presumably where the IOCTL codes above are
// dispatched. Buffer-length and index validation for every request belongs
// here; confirm in the implementation.
NTSTATUS
ControlPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp);

// Default handler for the remaining major function codes.
NTSTATUS
DefaultPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp);

#endif