
#include <ntddk.h>
#define INITCODE code_seg("INIT") /* used as #pragma INITCODE: puts DriverEntry in the discardable INIT section */
#define PAGECODE code_seg("PAGE") /* pageable section: may be paged out to disk under memory pressure */
/* Layout the author assumes for the kernel's KeServiceDescriptorTable (32-bit x86). */
typedef struct _ServiceDescriptorTable
{
PVOID ServiceTableBase; // base address of the System Service Dispatch Table
PVOID ServiceCounterTable; // per-service call counters for the SSDT; the author notes these are normally updated by sysenter
ULONG NumberOfServices; // number of services described by ServiceTableBase
PVOID ParamTableBase; // base of the table holding each system service's parameter byte count
}* PServiceDescriptorTable;
extern PServiceDescriptorTable KeServiceDescriptorTable;
UNICODE_STRING g_DeviceName;
UNICODE_STRING g_Symlink;
PDEVICE_OBJECT g_pDevice;
ULONG ObOpen; // address of ntkrnlpa.ObOpenObjectByPointer; hard-coded in DriverEntry, so tied to one kernel build
LONG gAdressPro1Sub; // rel32 displacement from the patch site inside NtOpenProcess to MyNtOpenProcess1
ULONG addrMyOpenProc1; // address of MyNtOpenProcess1, taken with lea in DriverEntry
ULONG addrNtOpenProcess; // address of NtOpenProcess, read from the SSDT in DriverEntry
ULONG jmpProc1End; // address MyNtOpenProcess1 jumps back to (NtOpenProcess + 0x229)
NTSTATUS MyCreateDevice(PDRIVER_OBJECT _DriverObject);
void MyDriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS MyDispatchFunc(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); // declared only; no definition on this page and never installed
ULONG GetServiceFunAddress(int index);
/*
 * Detour target for the 5-byte jmp that DriverEntry writes into NtOpenProcess.
 * Naked: no prologue/epilogue, so it runs inside NtOpenProcess's own stack
 * frame and the [ebp-...] operands refer to NtOpenProcess's locals, not ours.
 * It re-executes the displaced instructions, calls the routine whose address
 * is in ObOpen, then jumps back to jmpProc1End (NtOpenProcess + 0x229 on the
 * author's build). Every offset here is specific to one kernel build.
 */
__declspec(naked) void MyNtOpenProcess1()
{
__asm // re-executes the instructions displaced at the first patch site in NtOpenProcess (author's build: 0x805cc61e)
{
push eax
push dword ptr [ebp-38h]
push dword ptr [ebp-23h] // NOTE(review): unaligned frame offset, unlike [ebp-38h] above; looks like a transcription slip
call ObOpen // presumably assembled as an indirect call through the ULONG global; confirm in the disassembly
jmp jmpProc1End // likewise an indirect jmp through the global; control never returns here
ret // unreachable
}
}
#pragma INITCODE // code_seg("INIT"): the INIT section is discarded once initialisation finishes
/*
 * Driver entry point.
 * DriverObject: the driver being loaded; receives DriverUnload at the end.
 * RegistryPath: unused.
 * Returns the status of MyCreateDevice.
 *
 * In order, the body: hard-codes ObOpen, reads NtOpenProcess's address from
 * SSDT slot 122, computes the rel32 displacement from NtOpenProcess+0x21d to
 * MyNtOpenProcess1, clears CR0.WP with interrupts disabled, writes a 5-byte
 * `jmp rel32` (opcode E9) at that site, restores CR0, then creates the device.
 *
 * Review notes (risk):
 *  - 0x805B234A, slot 122 and the offsets 0x21d / 0x229 belong to one specific
 *    kernel build (the comment on ObOpen itself records a different value for
 *    another machine). On any other build the write below lands on arbitrary
 *    kernel memory.
 *  - The patch is applied before MyCreateDevice. If that fails, DriverEntry
 *    returns an error, the image is unloaded without DriverUnload ever running,
 *    and the written jmp now targets unmapped memory. Nothing on this page
 *    restores the original bytes, so the same holds after a normal unload.
 *  - cli/sti and CR0 are per-processor state; other CPUs can execute
 *    NtOpenProcess while the two-step (byte, then dword) write is in progress.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
ULONG CroValue; // saved CR0, restored after the write
NTSTATUS status ;
ObOpen = 0x805B234A;// author's note: the previous value was for the VM; local machine 0x805BCC5C
addrNtOpenProcess = GetServiceFunAddress(122); // SSDT slot 122, expected to be NtOpenProcess on this build
jmpProc1End = addrNtOpenProcess+0x229 ; // where MyNtOpenProcess1 jumps back to
__asm int 3 // NOTE(review): hard-coded breakpoint; with no kernel debugger attached this is an unhandled kernel exception (bugcheck)
__asm
{
push eax
lea eax,MyNtOpenProcess1 // address of the detour
mov addrMyOpenProc1,eax
pop eax
}
gAdressPro1Sub = addrMyOpenProc1 - addrNtOpenProcess - 0x21d - 5; // rel32 = target - (patch site + 5)
__asm // clear CR0.WP (bit 16) so the read-only code page accepts the write
{
cli
push eax
mov eax,cr0
mov CroValue,eax
and eax,not 0x10000
mov cr0,eax
pop eax
}
__asm // store E9 <rel32> at NtOpenProcess+0x21d; two separate stores, not atomic
{
push eax
mov eax ,addrNtOpenProcess
add eax,0x21d
mov byte ptr [eax],0E9h
add eax,1
push ebx
mov ebx,gAdressPro1Sub
mov dword ptr [eax],ebx
pop ebx
pop eax
}
__asm // restore write protection and re-enable interrupts
{
push eax
mov eax,CroValue
mov cr0,eax
sti
pop eax
}
status = MyCreateDevice(DriverObject);
DriverObject->DriverUnload = MyDriverUnload; // only takes effect if status is a success code; see notes above
return status;
}
// Initialise the device name and symbolic-link name used by MyCreateDevice and MyDriverUnload.
#pragma PAGECODE
void RtlString()
{
    /* The two strings are independent; order does not matter. */
    RtlInitUnicodeString(&g_Symlink, L"\\??\\SymLink_ME");
    RtlInitUnicodeString(&g_DeviceName, L"\\Device\\PSYS");
}
#pragma PAGECODE
/*
 * Returns the ULONG stored in slot `index` of the system service table, i.e.
 * the value at ServiceTableBase + index*4.
 * index: SSDT ordinal (4-byte entries). The caller passes 122 expecting
 *        NtOpenProcess, which only holds for one kernel version.
 * No bounds check: index is never compared with NumberOfServices, and a
 * negative index reads before the table. The returned value is not validated.
 */
ULONG GetServiceFunAddress(int index)
{
ULONG funaddr = index* 4; // byte offset of the slot; reused below to carry the result out of the asm block
__asm // fetch the slot from the service table
{
push eax
mov eax, KeServiceDescriptorTable
mov eax,[eax] // ServiceTableBase (first member of the descriptor)
add eax,funaddr
mov eax,[eax]
mov funaddr,eax
pop eax
}
return funaddr;
}
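#pragma PAGECODE
/*
 * Unload routine installed by DriverEntry.
 * Removes the symbolic link and the device object created by MyCreateDevice.
 * _DriverObject: the driver whose device is being torn down.
 *
 * The device is deleted regardless of whether the symbolic link could be
 * removed: a device object left behind after the image is gone is a dangling
 * reference (the original only deleted it on symlink success).
 * Note: nothing here restores the bytes DriverEntry wrote into NtOpenProcess,
 * so after unload that patch site points into an unmapped image.
 */
void MyDriverUnload( IN PDRIVER_OBJECT _DriverObject)
{
    NTSTATUS status = IoDeleteSymbolicLink(&g_Symlink);
    if (status == STATUS_SUCCESS)
    {
        KdPrint(("删除符号链接成功\n"));
    }
    else
    {
        /* Message corrected: it is the symlink deletion that failed, not the device. */
        KdPrint(("删除符号链接失败\n"));
    }
    /* DeviceObject may be NULL if MyCreateDevice never succeeded. */
    if (_DriverObject->DeviceObject != NULL)
    {
        IoDeleteDevice(_DriverObject->DeviceObject);
        g_pDevice = NULL;
        KdPrint(("卸载设备成功\n"));
    }
}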
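#pragma PAGECODE
/*
 * Creates the control device (g_DeviceName) and its symbolic link (g_Symlink).
 * _DriverObject: owning driver object, passed to IoCreateDevice.
 * Returns STATUS_SUCCESS when both exist, otherwise the failing status.
 *
 * If the symbolic link cannot be created the freshly created device is
 * deleted again: DriverEntry returns this failure and the driver's unload
 * routine is then never invoked, so nothing else would release it.
 */
NTSTATUS MyCreateDevice(PDRIVER_OBJECT _DriverObject)
{
    NTSTATUS status;
    RtlString(); /* initialise g_DeviceName and g_Symlink */
    status = IoCreateDevice(_DriverObject, 0, &g_DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &g_pDevice);
    if (status != STATUS_SUCCESS)
    {
        KdPrint(("创建设备失败\n"));
        switch (status)
        {
        case STATUS_INSUFFICIENT_RESOURCES:
            KdPrint(("资源不足\n"));
            break;
        case STATUS_OBJECT_NAME_EXISTS:
            KdPrint(("设备已存在\n"));
            break;
        case STATUS_OBJECT_NAME_COLLISION:
            KdPrint(("设备名冲突\n"));
            break;
        default:
            KdPrint(("未知错误\n"));
            break;
        }
        g_pDevice = NULL; /* do not leave a stale pointer for MyDriverUnload */
        return status;
    }
    KdPrint(("创建设备成功\n"));
    g_pDevice->Flags |= DO_BUFFERED_IO;
    status = IoCreateSymbolicLink(&g_Symlink, &g_DeviceName);
    if (status == STATUS_SUCCESS)
    {
        KdPrint(("创建符号链接成功\n"));
    }
    else
    {
        KdPrint(("创建符号链接失败\n"));
        /* Roll back the device so a failing DriverEntry leaks nothing. */
        IoDeleteDevice(g_pDevice);
        g_pDevice = NULL;
    }
    return status;
}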
自己能力有限，实在找不出错误的地方了，希望和大家一起学习。
#define INITCODE code_seg("INIT")
#define PAGECODE code_seg("PAGE") /* pageable section: may be paged out to disk under memory pressure */
/* Layout the author assumes for the kernel's KeServiceDescriptorTable (32-bit x86). */
typedef struct _ServiceDescriptorTable
{
PVOID ServiceTableBase; // base address of the System Service Dispatch Table
PVOID ServiceCounterTable; // per-service call counters for the SSDT; the author notes these are normally updated by sysenter
ULONG NumberOfServices; // number of services described by ServiceTableBase
PVOID ParamTableBase; // base of the table holding each system service's parameter byte count
}* PServiceDescriptorTable;
extern PServiceDescriptorTable KeServiceDescriptorTable;
UNICODE_STRING g_DeviceName;
UNICODE_STRING g_Symlink;
PDEVICE_OBJECT g_pDevice;
ULONG ObOpen; // address of ntkrnlpa.ObOpenObjectByPointer; hard-coded in DriverEntry, so tied to one kernel build
LONG gAdressPro1Sub; // rel32 displacement from the patch site inside NtOpenProcess to MyNtOpenProcess1
ULONG addrMyOpenProc1; // address of MyNtOpenProcess1, taken with lea in DriverEntry
ULONG addrNtOpenProcess; // address of NtOpenProcess, read from the SSDT in DriverEntry
ULONG jmpProc1End; // address MyNtOpenProcess1 jumps back to (NtOpenProcess + 0x229)
NTSTATUS MyCreateDevice(PDRIVER_OBJECT _DriverObject);
void MyDriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS MyDispatchFunc(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); // declared only; no definition on this page and never installed
ULONG GetServiceFunAddress(int index);
/*
 * Detour target for the 5-byte jmp that DriverEntry writes into NtOpenProcess.
 * Naked: no prologue/epilogue, so it runs inside NtOpenProcess's own stack
 * frame and the [ebp-...] operands refer to NtOpenProcess's locals, not ours.
 * It re-executes the displaced instructions, calls the routine whose address
 * is in ObOpen, then jumps back to jmpProc1End (NtOpenProcess + 0x229 on the
 * author's build). Every offset here is specific to one kernel build.
 */
__declspec(naked) void MyNtOpenProcess1()
{
__asm // re-executes the instructions displaced at the first patch site in NtOpenProcess (author's build: 0x805cc61e)
{
push eax
push dword ptr [ebp-38h]
push dword ptr [ebp-23h] // NOTE(review): unaligned frame offset, unlike [ebp-38h] above; looks like a transcription slip
call ObOpen // presumably assembled as an indirect call through the ULONG global; confirm in the disassembly
jmp jmpProc1End // likewise an indirect jmp through the global; control never returns here
ret // unreachable
}
}
#pragma INITCODE // code_seg("INIT"): the INIT section is discarded once initialisation finishes
/*
 * Driver entry point.
 * DriverObject: the driver being loaded; receives DriverUnload at the end.
 * RegistryPath: unused.
 * Returns the status of MyCreateDevice.
 *
 * In order, the body: hard-codes ObOpen, reads NtOpenProcess's address from
 * SSDT slot 122, computes the rel32 displacement from NtOpenProcess+0x21d to
 * MyNtOpenProcess1, clears CR0.WP with interrupts disabled, writes a 5-byte
 * `jmp rel32` (opcode E9) at that site, restores CR0, then creates the device.
 *
 * Review notes (risk):
 *  - 0x805B234A, slot 122 and the offsets 0x21d / 0x229 belong to one specific
 *    kernel build (the comment on ObOpen itself records a different value for
 *    another machine). On any other build the write below lands on arbitrary
 *    kernel memory.
 *  - The patch is applied before MyCreateDevice. If that fails, DriverEntry
 *    returns an error, the image is unloaded without DriverUnload ever running,
 *    and the written jmp now targets unmapped memory. Nothing on this page
 *    restores the original bytes, so the same holds after a normal unload.
 *  - cli/sti and CR0 are per-processor state; other CPUs can execute
 *    NtOpenProcess while the two-step (byte, then dword) write is in progress.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
ULONG CroValue; // saved CR0, restored after the write
NTSTATUS status ;
ObOpen = 0x805B234A;// author's note: the previous value was for the VM; local machine 0x805BCC5C
addrNtOpenProcess = GetServiceFunAddress(122); // SSDT slot 122, expected to be NtOpenProcess on this build
jmpProc1End = addrNtOpenProcess+0x229 ; // where MyNtOpenProcess1 jumps back to
__asm int 3 // NOTE(review): hard-coded breakpoint; with no kernel debugger attached this is an unhandled kernel exception (bugcheck)
__asm
{
push eax
lea eax,MyNtOpenProcess1 // address of the detour
mov addrMyOpenProc1,eax
pop eax
}
gAdressPro1Sub = addrMyOpenProc1 - addrNtOpenProcess - 0x21d - 5; // rel32 = target - (patch site + 5)
__asm // clear CR0.WP (bit 16) so the read-only code page accepts the write
{
cli
push eax
mov eax,cr0
mov CroValue,eax
and eax,not 0x10000
mov cr0,eax
pop eax
}
__asm // store E9 <rel32> at NtOpenProcess+0x21d; two separate stores, not atomic
{
push eax
mov eax ,addrNtOpenProcess
add eax,0x21d
mov byte ptr [eax],0E9h
add eax,1
push ebx
mov ebx,gAdressPro1Sub
mov dword ptr [eax],ebx
pop ebx
pop eax
}
__asm // restore write protection and re-enable interrupts
{
push eax
mov eax,CroValue
mov cr0,eax
sti
pop eax
}
status = MyCreateDevice(DriverObject);
DriverObject->DriverUnload = MyDriverUnload; // only takes effect if status is a success code; see notes above
return status;
}
// Initialise the device name and symbolic-link name used by MyCreateDevice and MyDriverUnload.
#pragma PAGECODE
void RtlString()
{
    /* The two strings are independent; order does not matter. */
    RtlInitUnicodeString(&g_Symlink, L"\\??\\SymLink_ME");
    RtlInitUnicodeString(&g_DeviceName, L"\\Device\\PSYS");
}
#pragma PAGECODE
/*
 * Returns the ULONG stored in slot `index` of the system service table, i.e.
 * the value at ServiceTableBase + index*4.
 * index: SSDT ordinal (4-byte entries). The caller passes 122 expecting
 *        NtOpenProcess, which only holds for one kernel version.
 * No bounds check: index is never compared with NumberOfServices, and a
 * negative index reads before the table. The returned value is not validated.
 */
ULONG GetServiceFunAddress(int index)
{
ULONG funaddr = index* 4; // byte offset of the slot; reused below to carry the result out of the asm block
__asm // fetch the slot from the service table
{
push eax
mov eax, KeServiceDescriptorTable
mov eax,[eax] // ServiceTableBase (first member of the descriptor)
add eax,funaddr
mov eax,[eax]
mov funaddr,eax
pop eax
}
return funaddr;
}
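#pragma PAGECODE
/*
 * Unload routine installed by DriverEntry.
 * Removes the symbolic link and the device object created by MyCreateDevice.
 * _DriverObject: the driver whose device is being torn down.
 *
 * The device is deleted regardless of whether the symbolic link could be
 * removed: a device object left behind after the image is gone is a dangling
 * reference (the original only deleted it on symlink success).
 * Note: nothing here restores the bytes DriverEntry wrote into NtOpenProcess,
 * so after unload that patch site points into an unmapped image.
 */
void MyDriverUnload( IN PDRIVER_OBJECT _DriverObject)
{
    NTSTATUS status = IoDeleteSymbolicLink(&g_Symlink);
    if (status == STATUS_SUCCESS)
    {
        KdPrint(("删除符号链接成功\n"));
    }
    else
    {
        /* Message corrected: it is the symlink deletion that failed, not the device. */
        KdPrint(("删除符号链接失败\n"));
    }
    /* DeviceObject may be NULL if MyCreateDevice never succeeded. */
    if (_DriverObject->DeviceObject != NULL)
    {
        IoDeleteDevice(_DriverObject->DeviceObject);
        g_pDevice = NULL;
        KdPrint(("卸载设备成功\n"));
    }
}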
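#pragma PAGECODE
/*
 * Creates the control device (g_DeviceName) and its symbolic link (g_Symlink).
 * _DriverObject: owning driver object, passed to IoCreateDevice.
 * Returns STATUS_SUCCESS when both exist, otherwise the failing status.
 *
 * If the symbolic link cannot be created the freshly created device is
 * deleted again: DriverEntry returns this failure and the driver's unload
 * routine is then never invoked, so nothing else would release it.
 */
NTSTATUS MyCreateDevice(PDRIVER_OBJECT _DriverObject)
{
    NTSTATUS status;
    RtlString(); /* initialise g_DeviceName and g_Symlink */
    status = IoCreateDevice(_DriverObject, 0, &g_DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &g_pDevice);
    if (status != STATUS_SUCCESS)
    {
        KdPrint(("创建设备失败\n"));
        switch (status)
        {
        case STATUS_INSUFFICIENT_RESOURCES:
            KdPrint(("资源不足\n"));
            break;
        case STATUS_OBJECT_NAME_EXISTS:
            KdPrint(("设备已存在\n"));
            break;
        case STATUS_OBJECT_NAME_COLLISION:
            KdPrint(("设备名冲突\n"));
            break;
        default:
            KdPrint(("未知错误\n"));
            break;
        }
        g_pDevice = NULL; /* do not leave a stale pointer for MyDriverUnload */
        return status;
    }
    KdPrint(("创建设备成功\n"));
    g_pDevice->Flags |= DO_BUFFERED_IO;
    status = IoCreateSymbolicLink(&g_Symlink, &g_DeviceName);
    if (status == STATUS_SUCCESS)
    {
        KdPrint(("创建符号链接成功\n"));
    }
    else
    {
        KdPrint(("创建符号链接失败\n"));
        /* Roll back the device so a failing DriverEntry leaks nothing. */
        IoDeleteDevice(g_pDevice);
        g_pDevice = NULL;
    }
    return status;
}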