commit
6938616da4
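--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,22 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs diff=csharp
+*.sln merge=union
+*.csproj merge=union
+*.vbproj merge=union
+*.fsproj merge=union
+*.dbproj merge=union
+
+# Standard to msysgit
+*.doc diff=astextplain
+*.DOC diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot diff=astextplain
+*.DOT diff=astextplain
+*.pdf diff=astextplain
+*.PDF diff=astextplain
+*.rtf diff=astextplain
+*.RTF diff=astextplain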
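--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,215 @@
+#################
+## Eclipse
+#################
+
+*.pydevproject
+.project
+.metadata
+bin/
+tmp/
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.classpath
+.settings/
+.loadpath
+
+# External tool builders
+.externalToolBuilders/
+
+# Locally stored "Eclipse launch configurations"
+*.launch
+
+# CDT-specific
+.cproject
+
+# PDT-specific
+.buildpath
+
+
+#################
+## Visual Studio
+#################
+
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+App_Data/*.mdf
+App_Data/*.ldf
+
+#############
+## Windows detritus
+#############
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Mac crap
+.DS_Store
+
+
+#############
+## Python
+#############
+
+*.py[co]
+
+# Packages
+*.egg
+*.egg-info
+dist/
+build/
+eggs/
+parts/
+var/
+sdist/
+develop-eggs/
+.installed.cfg
+
+# Installer logs
+pip-log.txt
+
+# Unit test / coverage reports
+.coverage
+.tox
+
+#Translations
+*.mo
+
+#Mr Developer
+.mr.developer.cfg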
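--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,33 @@
+#include "drvdef.h"
+#include "nthook.h"
+
+//init code seg. Deleted after using.
+#pragma INITCODE
+
+//Driver Entry-like main
+NTSTATUS DriverEntry(PDRIVER_OBJECT pDrv,PUNICODE_STRING pCode)
+{
+NTSTATUS status;
+//Unload function
+pDrv->DriverUnload=Driver_Unload;
+//Create Device
+status=CreateDevice(pDrv);
+//Dispatch functions - for communication
+pDrv->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchRoutine_Device_Control;
+pDrv->MajorFunction[IRP_MJ_CLOSE] = DispatchRoutine_Close;
+pDrv->MajorFunction[IRP_MJ_WRITE] = DispatchRoutine_Write;
+pDrv->MajorFunction[IRP_MJ_READ] = DispatchRoutine_Read;
+pDrv->MajorFunction[IRP_MJ_CREATE] = DispatchRoutine_Create;
+//print
+DbgPrint("Driver Successfully Loaded\n");
+//store initial address of NtTerminateProcess
+InitialNtTerminateProcessAddress = (PNtTerminateProcess)GetNtCurrentAddress(NtTerminateProcessIndex);
+//Hook NtTerminateProcess
+status = Nt_SSDT_Hook(NtTerminateProcessIndex,(ULONG)HookedNtTerminateProcess);
+//Hook NtTerminateProcess
+InitialNtOpenProcessAddress = (PNtOpenProcess)GetNtCurrentAddress(NtOpenProcessIndex);
+//Hook NtTerminateProcess
+status = Nt_SSDT_Hook(NtOpenProcessIndex,(ULONG)HookedNtOpenProcess);
+//return
+return status;
+}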
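Review bot: The result of `status=CreateDevice(pDrv);` is never examined, so when device creation fails DriverEntry still fills the dispatch table, installs both SSDT hooks and returns whatever the last Nt_SSDT_Hook returned; check it immediately with `if (!NT_SUCCESS(status)) return status;`. Each later assignment to status discards the previous value, so a failing first hook would be hidden by the second (as written Nt_SSDT_Hook only ever returns STATUS_SUCCESS, but the pattern is fragile), and because an error return from DriverEntry unloads the driver without DriverUnload running, any error path after the first Nt_SSDT_Hook must call SSDT_UNHOOK_ALL() before returning or the SSDT is left pointing at unmapped code. The comments above InitialNtOpenProcessAddress and the second Nt_SSDT_Hook both read `//Hook NtTerminateProcess` but describe NtOpenProcess. The `(ULONG)` casts of function pointers, together with the 4-byte SSDT stride used in nthook.h, make this 32-bit-only; a one-line comment at the top of the file stating that would save a confused 64-bit build later.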
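--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,14 @@
+#ifndef _controlcode_H_
+#define _controlcode_H_
+
+#define NtGetPhysicalAddressCode CTL_CODE(FILE_DEVICE_UNKNOWN,0x801,METHOD_BUFFERED,FILE_ANY_ACCESS)
+
+#define NtProcessProtectCode CTL_CODE(FILE_DEVICE_UNKNOWN,0x802,METHOD_BUFFERED,FILE_ANY_ACCESS)
+
+#define NtOpenProcessIndex 0x7A
+
+#define NtTerminateProcessIndex 0x101
+
+#define NtQuerySystemInformationIndex 0xAD
+
+#endif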
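Review bot: NtOpenProcessIndex, NtTerminateProcessIndex and NtQuerySystemInformationIndex are raw SSDT service numbers, which differ between Windows releases and service packs, and nothing here records the build they were taken from; on a different build GetNtCurrentAddress(NtIndex) returns some unrelated service and Nt_SSDT_Hook replaces that one instead, which is a system-crash risk rather than a harmless no-op. Add a comment next to the defines such as `// SSDT service numbers are build-specific; taken from <Windows build placeholder>, verify before use`. GetNtInitialAddress in nthook.h (name-based lookup through MmGetSystemRoutineAddress) is declared and defined but never called; it is presumably meant to sanity-check these indices before anything is written, so DriverEntry should either use it or the function should be removed. NtQuerySystemInformationIndex is unused anywhere in this commit.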
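--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,83 @@
+
+#ifndef _drvdef_H_
+#define _drvdef_H_
+#include <ntddk.h>
+
+#include <windef.h>
+
+#define INITCODE code_seg("INIT")
+
+#define PAGECODE code_seg("PAGE")
+
+//For controlcodes
+#include "controlcode.h"
+
+
+//function declaration
+typedef NTSTATUS (* PNtTerminateProcess)(
+IN HANDLE ProcessHandle OPTIONAL,
+IN NTSTATUS ExitStatus);
+PNtTerminateProcess InitialNtTerminateProcessAddress;
+
+typedef NTSTATUS (* PNtOpenProcess) (
+__out PHANDLE ProcessHandle,
+__in ACCESS_MASK DesiredAccess,
+__in POBJECT_ATTRIBUTES ObjectAttributes,
+__in_opt PCLIENT_ID ClientId
+);
+
+PNtOpenProcess InitialNtOpenProcessAddress;
+
+void Driver_Unload(PDRIVER_OBJECT pDrv);
+
+NTSTATUS CreateDevice(IN PDRIVER_OBJECT pDriverObject);
+
+NTSTATUS HookedNtTerminateProcess(
+IN HANDLE ProcessHandle OPTIONAL,
+IN NTSTATUS ExitStatus);
+
+NTSTATUS HookedNtOpenProcess(
+__out PHANDLE ProcessHandle,
+__in ACCESS_MASK DesiredAccess,
+__in POBJECT_ATTRIBUTES ObjectAttributes,
+__in_opt PCLIENT_ID ClientId
+);
+
+void GetNtGDT();
+
+NTSTATUS DispatchRoutine_Close(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+NTSTATUS DispatchRoutine_Create(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+NTSTATUS DispatchRoutine_Read(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+NTSTATUS DispatchRoutine_Device_Control(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+NTSTATUS DispatchRoutine_Write(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+void SSDT_UNHOOK_ALL();
+
+//KeServiceDescriptorTable
+typedef struct _ServiceDescriptorTable {
+PVOID ServiceTableBase;
+PVOID ServiceCounterTable;
+unsigned int NumberOfServices;
+PVOID ParamTableBase;
+} *PServiceDescriptorTable;
+
+extern PServiceDescriptorTable KeServiceDescriptorTable;
+
+typedef struct _Hook_Entry {
+ULONG NtIndex;
+ULONG InitialAddress;
+ULONG HookedAddress;
+} HookEntry, *PHookEntry;
+
+int SSDT_HOOK_NUMBER = 0;
+
+int Protect_PID_Number = 0;
+
+HookEntry Global_Hook_Entry[255];
+
+DWORD Global_Protect_PID_Table[255];
+#endif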
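Review bot: This header defines rather than declares its globals — `PNtTerminateProcess InitialNtTerminateProcessAddress;`, `PNtOpenProcess InitialNtOpenProcessAddress;`, `int SSDT_HOOK_NUMBER = 0;`, `int Protect_PID_Number = 0;`, `HookEntry Global_Hook_Entry[255];` and `DWORD Global_Protect_PID_Table[255];` — so it links only while the driver has a single translation unit; a second .c that includes it will fail with duplicate symbols. Declare them `extern` here and define each once in the .c file, and give the shared capacity a name (for example `#define MAX_TABLE_ENTRIES 255`) so the bounds checks that Write_SSDT_Hook_Table and the NtProcessProtectCode handler need can refer to it instead of repeating the literal. `void GetNtGDT();` is declared but defined nowhere in this commit, and both `void GetNtGDT();` and `void SSDT_UNHOOK_ALL();` use empty parameter lists, which in C mean "unspecified arguments" rather than none — write `(void)`. nthook.h has the same definition-in-header problem for every function it contains, so both headers are effectively source files and cannot be included twice anywhere in the project.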
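--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,353 @@
+#ifndef _nthook_H_
+#define _nthook_H_
+#include "drvdef.h"
+
+#include "controlcode.h"
+
+//Function Declaration
+ULONG GetNtInitialAddress(UNICODE_STRING FuncName);
+
+ULONG GetNtCurrentAddress(ULONG NtIndex);
+
+BOOL IsProcessProtected(DWORD PID);
+
+NTSTATUS Nt_SSDT_Hook(ULONG NtIndex,ULONG HookedAddress);
+
+NTSTATUS Nt_SSDT_UnHook(ULONG NtIndex,ULONG InitialAddress);
+
+void ClosePageProtection();
+
+void OpenPageProtection();
+
+void Write_SSDT_Hook_Table(HookEntry* Hook_Entry,ULONG NtIndex,ULONG InitialAddress,ULONG HookedAddress);
+
+//PAGE
+#pragma PAGECODE
+
+//Used for getting the address of Nt functions
+ULONG GetNtInitialAddress(UNICODE_STRING FuncName)
+{
+return (ULONG)MmGetSystemRoutineAddress(&FuncName);
+}
+
+#pragma PAGECODE
+
+ULONG GetNtCurrentAddress(ULONG NtIndex)
+{
+ULONG RTN;
+ULONG _index = NtIndex * 4;
+
+__asm
+{
+push ecx
+
+mov ecx,KeServiceDescriptorTable
+//get the first term
+mov ecx,[ecx]
+//nth term = base+4n
+add ecx,_index
+
+mov ecx,[ecx]
+
+mov RTN,ecx
+pop ecx
+}
+return RTN;
+}
+
+#pragma PAGECODE
+//the function to hook ssdt table
+NTSTATUS Nt_SSDT_Hook(ULONG NtIndex,ULONG HookedAddress)
+{
+ULONG _InitialAddress,_HookedAddress;
+ULONG _index = NtIndex * 4;
+_InitialAddress = GetNtCurrentAddress(NtIndex);
+_HookedAddress = HookedAddress;
+//close page protection to write the SSDT
+ClosePageProtection();
+__asm{
+push ecx
+push edx
+mov ecx,KeServiceDescriptorTable
+mov ecx,[ecx]
+add ecx,_index
+mov edx,_HookedAddress
+mov [ecx],edx
+pop edx
+pop ecx
+}
+//don't be a dick to your OS. now reopen the page protection.
+OpenPageProtection();
+
+Write_SSDT_Hook_Table(&Global_Hook_Entry[0],NtIndex,_InitialAddress,_HookedAddress);
+//Print "hi bro, hook finished!"
+DbgPrint("Hooked:Initial Address:%X. Hooked Address:%X. NtIndex:%X.",_InitialAddress,_HookedAddress,NtIndex);
+return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+//When the driver unloads, unhook the ssdt
+NTSTATUS Nt_SSDT_UnHook(ULONG index,ULONG InitialAddress)
+{
+ULONG _index = index * 4;
+ClosePageProtection();
+__asm {
+push ecx
+push edx
+mov ecx,KeServiceDescriptorTable
+mov ecx,[ecx]
+add ecx,_index
+mov edx,InitialAddress
+mov [ecx],edx
+pop edx
+pop ecx
+}
+OpenPageProtection();
+return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+//used for closing page protection
+void ClosePageProtection()
+{
+__asm
+{
+cli
+mov eax,cr0
+and eax,not 10000h
+mov cr0,eax
+}
+}
+
+#pragma PAGECODE
+void OpenPageProtection()
+{
+__asm
+{
+mov eax, cr0
+or eax, 10000h
+mov cr0, eax
+sti
+}
+}
+
+#pragma PAGECODE
+//Write Hook Table
+void Write_SSDT_Hook_Table(HookEntry* Hook_Entry,ULONG NtIndex,ULONG InitialAddress,ULONG HookedAddress)
+{
+//index in the SSDT
+Hook_Entry[SSDT_HOOK_NUMBER].NtIndex = NtIndex;
+//Initial Address
+Hook_Entry[SSDT_HOOK_NUMBER].InitialAddress = InitialAddress;
+//store hooked address
+Hook_Entry[SSDT_HOOK_NUMBER].HookedAddress = HookedAddress;
+SSDT_HOOK_NUMBER++;
+}
+
+#pragma PAGECODE
+
+//used for determining whether PID is in the table
+BOOL IsProcessProtected(DWORD PID)
+{
+int i = 0;
+for(i=0;i<Protect_PID_Number;i++)
+{
+if(Global_Protect_PID_Table[i]==PID)
+return TRUE;
+}
+return FALSE;
+}
+
+#pragma PAGECODE
+NTSTATUS DispatchRoutine_Write(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+return STATUS_SUCCESS;
+}
+
+NTSTATUS DispatchRoutine_Close(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+NTSTATUS DispatchRoutine_Create(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+NTSTATUS DispatchRoutine_Read(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+NTSTATUS DispatchRoutine_Device_Control(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+NTSTATUS status=STATUS_UNSUCCESSFUL;
+ULONG ControlCode,info;
+//get ctrlcode
+PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
+ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
+//What is the ctrlcode?
+switch(ControlCode)
+{
+//if NtGetPhysicalAddressCode, return physical address(failed)
+case NtGetPhysicalAddressCode:
+{
+PVOID In_Physical_Address_Buffer = (PVOID)pIrp->AssociatedIrp.SystemBuffer;
+PPHYSICAL_ADDRESS Out_Physical_Address_Buffer = (PPHYSICAL_ADDRESS)pIrp->AssociatedIrp.SystemBuffer;
+DbgPrint("NtGetPhysicalAddressCode Received.\n");
+DbgPrint("The Virtual Address Received is %X\n",In_Physical_Address_Buffer);
+*(Out_Physical_Address_Buffer) = MmGetPhysicalAddress(In_Physical_Address_Buffer);
+DbgPrint("The Physical Address is %X.\n",(*(Out_Physical_Address_Buffer)));
+info = sizeof(PHYSICAL_ADDRESS);
+status = STATUS_SUCCESS;
+break;
+}
+//Very Important£º
+case NtProcessProtectCode:
+{
+PDWORD uPID = (PDWORD)pIrp->AssociatedIrp.SystemBuffer;
+DbgPrint("NtProcessProtectCode Received.\n");
+//write the HookTable
+Global_Protect_PID_Table[Protect_PID_Number] = *uPID;
+DbgPrint("Protected Process PID Number:%d\n",*uPID);
+//protected process number + 1
+Protect_PID_Number++;
+info = 4;
+status = STATUS_SUCCESS;
+break;
+}
+//ignore other types
+default:
+{
+DbgPrint("Unknown Type NtControlCode Received.\n");
+status = STATUS_SUCCESS;
+info = 0;
+break;
+}
+}
+//bytes returned to the user
+pIrp->IoStatus.Information=info;
+//set status
+pIrp->IoStatus.Status=STATUS_SUCCESS;
+//complete request
+IoCompleteRequest(pIrp,IO_NO_INCREMENT);
+DbgPrint("DeviceIoControl Completed.\n");
+return status;
+}
+
+//create device
+#pragma INITCODE
+NTSTATUS CreateDevice(IN PDRIVER_OBJECT pDriverObject)
+{
+PDEVICE_OBJECT pDevObj;
+UNICODE_STRING pDevName;
+UNICODE_STRING pDevSymLinkName;
+NTSTATUS status;
+RtlInitUnicodeString(&pDevName,L"\\Device\\Hyper_Assembler");
+status = IoCreateDevice( pDriverObject,0,&pDevName,FILE_DEVICE_UNKNOWN,0, TRUE,&pDevObj);
+if(!NT_SUCCESS(status))
+{
+DbgPrint("Error creating device\n");
+return status;
+}
+DbgPrint("Device Create Succeeded\n");
+pDevObj->Flags |= DO_BUFFERED_IO;
+RtlInitUnicodeString(&pDevSymLinkName,L"\\??\\Hyper_ASM");
+status = IoCreateSymbolicLink( &pDevSymLinkName,&pDevName);
+if (!NT_SUCCESS(status))
+{
+DbgPrint("Error Linking Name\n");
+IoDeleteDevice(pDevObj);
+return status;
+}
+DbgPrint("Linking Name Succeeded\n");
+return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+//Hooked NtTerminateProcess
+NTSTATUS HookedNtTerminateProcess(
+IN HANDLE ProcessHandle OPTIONAL,
+IN NTSTATUS ExitStatus)
+{
+DWORD PID;
+NTSTATUS status;
+PEPROCESS eProcess;
+//Get process object
+status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,NULL,KernelMode,&eProcess,NULL);
+if(!NT_SUCCESS(status))
+{
+return status;
+}
+//Get PID
+PID = (DWORD)PsGetProcessId(eProcess);
+if(IsProcessProtected(PID))
+{
+//if pid = protected
+DbgPrint("Protected Process Termination Detected. Access has been denied. PID:%d\n",PID);
+//return Access Denied!
+return STATUS_ACCESS_DENIED;
+}
+DbgPrint("Normal Process Termination Detected. Call NtTerminateProcess to terminate. PID:%d\n",PID);
+//or invoke the original NtOpenProcess to handle the request
+status = InitialNtTerminateProcessAddress(ProcessHandle,ExitStatus);
+return status;
+}
+
+//The hooked NtOpenProcess
+NTSTATUS HookedNtOpenProcess(
+__out PHANDLE ProcessHandle,
+__in ACCESS_MASK DesiredAccess,
+__in POBJECT_ATTRIBUTES ObjectAttributes,
+__in_opt PCLIENT_ID ClientId
+)
+{
+DWORD PID;
+NTSTATUS status;
+PEPROCESS eProcess;
+status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,NULL,KernelMode,&eProcess,NULL);
+if(!NT_SUCCESS(status))
+{
+return status;
+}
+
+PID = (DWORD)PsGetProcessId(eProcess);
+if(IsProcessProtected(PID))
+{
+DbgPrint("Protected Process Open Detected. Access has been denied. PID:%d\n",PID);
+ProcessHandle = NULL;
+return STATUS_ACCESS_DENIED;
+}
+DbgPrint("Normal Process Open Detected. Call NtOpenProcess to proceed.\n");
+status = InitialNtOpenProcessAddress(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
+return status;
+}
+
+void Driver_Unload(PDRIVER_OBJECT pDrv)
+{
+PDEVICE_OBJECT pDevObj;
+UNICODE_STRING SymLink;
+//Create Symbol Link Name
+RtlInitUnicodeString(&SymLink,L"\\??\\Hyper_ASM");
+pDevObj = pDrv->DeviceObject;
+//DeleteDevice
+IoDeleteDevice(pDevObj);
+IoDeleteSymbolicLink(&SymLink);
+SSDT_UNHOOK_ALL();
+DbgPrint("Driver Successfully Unloaded\n");
+}
+
+//used for restoring system ssdt
+void SSDT_UNHOOK_ALL()
+{
+int i;
+for (i=SSDT_HOOK_NUMBER-1;i>=0;i--)
+{
+Nt_SSDT_UnHook(Global_Hook_Entry[i].NtIndex,Global_Hook_Entry[i].InitialAddress);
+DbgPrint("UnHooked:Initial Address:%X. Hooked Address:%X. NtIndex:%X.",Global_Hook_Entry[i].InitialAddress,Global_Hook_Entry[i].HookedAddress,Global_Hook_Entry[i].NtIndex);
+}
+}
+#endif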
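Review bot: DispatchRoutine_Device_Control trusts the caller's buffer: both cases read and write pIrp->AssociatedIrp.SystemBuffer without comparing stack->Parameters.DeviceIoControl.InputBufferLength and OutputBufferLength against sizeof(DWORD) and sizeof(PHYSICAL_ADDRESS), and NtProcessProtectCode stores into Global_Protect_PID_Table[Protect_PID_Number] with no bound against the array's 255 entries, so the 256th request writes past the table (Write_SSDT_Hook_Table has the same unbounded index into Global_Hook_Entry). The handler also sets `pIrp->IoStatus.Status=STATUS_SUCCESS;` unconditionally where it should set `pIrp->IoStatus.Status=status;` so that rejected requests are reported as such. In the hooks, ObReferenceObjectByHandle is never paired with ObDereferenceObject(eProcess), so every intercepted call leaks a process reference; HookedNtTerminateProcess turns the NULL handle that NtTerminateProcess accepts for self-termination into an error return instead of forwarding it to InitialNtTerminateProcessAddress; and HookedNtOpenProcess looks up ProcessHandle, which is an output parameter with no meaningful value on entry (the target is described by ClientId), while `ProcessHandle = NULL;` only overwrites the local pointer, not the caller's handle. DispatchRoutine_Write, _Close, _Create and _Read return STATUS_SUCCESS without setting IoStatus or calling IoCompleteRequest, so those IRPs are never completed. The sketch below adds the length and capacity checks to the IOCTL handler; the other points are one-line changes at the lines named.
```c
NTSTATUS DispatchRoutine_Device_Control(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
{
    /* … unchanged: status, ControlCode, info and stack declarations … */
    ULONG inLen = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;
    switch(ControlCode)
    {
    case NtGetPhysicalAddressCode:
    {
        /* reject before touching SystemBuffer: METHOD_BUFFERED gives one buffer sized max(in,out) */
        if(inLen < sizeof(PVOID) || outLen < sizeof(PHYSICAL_ADDRESS))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            info = 0;
            break;
        }
        /* … unchanged: MmGetPhysicalAddress path … */
    }
    case NtProcessProtectCode:
    {
        if(inLen < sizeof(DWORD))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            info = 0;
            break;
        }
        /* table is a fixed global array, so sizeof gives its real capacity */
        if((ULONG)Protect_PID_Number >= sizeof(Global_Protect_PID_Table)/sizeof(Global_Protect_PID_Table[0]))
        {
            status = STATUS_INSUFFICIENT_RESOURCES;
            info = 0;
            break;
        }
        /* … unchanged: store *uPID, Protect_PID_Number++, info/status … */
    }
    /* … unchanged: default case … */
    }
    pIrp->IoStatus.Information=info;
    pIrp->IoStatus.Status=status;
    /* … unchanged: IoCompleteRequest, DbgPrint, return … */
}
```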