#include <ntddk.h>
typedef struct _SERVICE_DESCRIPTOR_TABLE {
/*
* Table containing cServices elements of pointers to service handler
* functions, indexed by service ID.
*/
PULONG ServiceTable;
/*
* Table that counts how many times each service is used. This table
* is only updated in checked builds.
*/
PULONG CounterTable;
/*
* Number of services contained in this table.
*/
ULONG TableSize;
/*
* Table containing the number of bytes of parameters the handler
* function takes.
*/
PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
typedef NTSTATUS (*ZWCREATEFILE)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength );
static ZWCREATEFILE OldZwCreateFile;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
#define SSDKREPLACE(_function) KeServiceDescriptorTable->ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
#define SDT SSDKREPLACE
void EndHookSSDT()
{
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
(ZWCREATEFILE)InterlockedExchange((PLONG)&SDT(ZwCreateFile),(LONG)OldZwCreateFile);
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
}
void DriverUnLoad(PDRIVER_OBJECT pDriver)
{
KdPrint(("DriverUnload..."));
EndHookSSDT();
return ;
}
void PrintfSSDT()
{
int i=0;
while(i < KeServiceDescriptorTable->TableSize)
{
KdPrint(("%d--->%X\n",i+1,KeServiceDescriptorTable->ServiceTable[i++]));
}
}
NTSTATUS Hook_ZwCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength )
{
NTSTATUS rc;
rc = OldZwCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,
AllocationSize,FileAttributes,ShareAccess,CreateDisposition,
CreateOptions,EaBuffer,EaLength);
KdPrint(("new createfile-->%wZ",ObjectAttributes->ObjectName));
return rc;
}
void StartHookSSDT()
{
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
OldZwCreateFile = (ZWCREATEFILE)InterlockedExchange((PLONG)&SDT(ZwCreateFile),(LONG)Hook_ZwCreateFile);
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj,PUNICODE_STRING pRegPath)
{
KdPrint(("Driver Load..."));
pDrvObj->DriverUnload = DriverUnLoad;
PrintfSSDT();
StartHookSSDT();
return STATUS_SUCCESS;
}
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:
- 架构视角 - DDD、TDD、MDD领域驱动、测试驱动还是模型驱动?
- 事件驱动架构引领产业技术升级: 事件驱动联盟(中国)成立
- 领域驱动设计 (DDD) 实践之路(二):事件驱动与 CQRS
- 领域驱动设计 (DDD) 实践之路(二):事件驱动与 CQRS
- “性能驱动”转向“需求驱动” 中国引领全球超算技术路线
- 解构领域驱动设计(二):领域驱动设计的核心之分层架构
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
