控制码hook简单模型
#include <Ntddk.h>
#include "DriverMonitor.h"
// DriverUnload callback. As written it does nothing: the timer started in
// DriverEntry is not stopped, the device object created there is not deleted,
// and the dispatch entries overwritten in DriverEntry are not restored, so after
// this image is unloaded the patched drivers still hold pointers into freed code.
VOID __stdcall unload(PDRIVER_OBJECT)
{
}
ULONG GetModuleBase(PCHAR modulename);
// Kernel exports used below that the included header does not declare
// (presumably; the prototypes are the author's own transcription, not SDK
// headers, so argument types should be checked against the target build).
extern "C"
{
extern POBJECT_TYPE *IoDriverObjectType;
extern POBJECT_TYPE *IoDeviceObjectType;
NTSTATUS __stdcall NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS,PVOID,ULONG,PULONG);
// Looks up a named object and returns a referenced pointer; the caller owns
// that reference and must release it with ObDereferenceObject.
NTSTATUS __stdcall ObReferenceObjectByName(PUNICODE_STRING,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PVOID,PVOID);
// NTSTATUS __stdcall IoGetDeviceObjectPointer(PUNICODE_STRING ,ACCESS_MASK,PFILE_OBJECT,PDEVICE_OBJECT);
NTSTATUS __stdcall ObOpenObjectByName(POBJECT_ATTRIBUTES,POBJECT_TYPE,KPROCESSOR_MODE,PACCESS_STATE,ACCESS_MASK,PVOID,PHANDLE);
NTSTATUS __stdcall ObOpenObjectByPointer(PVOID,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PHANDLE);
NTSTATUS __stdcall ObReferenceObjectByPointer(PVOID,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE);
};
// Object-manager names of the driver objects whose IRP_MJ_DEVICE_CONTROL
// dispatch entry is overwritten in DriverEntry.
PWCHAR DriverName[]=
{
L"\\Driver\\QMUDisk",
L"\\Driver\\TAOAccelerator",
L"\\Driver\\TAOKernelDriver",
L"\\Driver\\TSDefenseBt",
L"\\Driver\\TsFltMgr",
L"\\Driver\\TSKSP",
L"\\Driver\\TSSysKit",
L"\\Driver\\Ts888",
};
// NOTE(review): sizeof(DriverName)/sizeof(DriverName) evaluates to 1, not the
// element count; the element-count idiom is sizeof(DriverName)/sizeof(DriverName[0]).
const int num=sizeof(DriverName)/sizeof(DriverName);
// Per-driver state. NOTE(review): the aggregate `={0}` initializers and the
// `DriverObject+i` arithmetic in DriverEntry suggest these were declared as
// arrays of `num` entries and the `[num]` suffix was lost when the listing was
// extracted — confirm against the original file before reading the code below.
PDRIVER_OBJECT DriverObject={0};      // referenced driver object(s), never dereferenced
PDRIVER_DISPATCH OriginDispatch={0};  // original dispatch pointer(s) saved before patching
BOOLEAN bitmap={FALSE};               // set once an entry has been patched; read by OnTimer
// Ways to obtain a driver object: ObReferenceObjectByName, ObOpenObjectByName
// Replacement IRP_MJ_DEVICE_CONTROL dispatch routine installed into another
// driver's MajorFunction table. It prints the IOCTL code to the debugger,
// classified by the hard-coded lists below, and then forwards the IRP to the
// original dispatch pointer saved in DriverEntry.
// All listed codes have device type 0x22 in their upper 16 bits, i.e. they were
// built with CTL_CODE(FILE_DEVICE_UNKNOWN, ...).
// NOTE(review): this body carries the same lost-index problem as the globals:
// the loop variable i is never used and DriverName is printed as a whole array,
// so as written the name lookup cannot work — presumably DriverObject[i] and
// DriverName[index] in the original.
NTSTATUS __stdcall IoCtlDispatch(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
int index=-1;
// Find which patched driver this device belongs to, so the matching original
// dispatch can be called afterwards.
for(int i=0;i<num;i++)
{
if(DriverObject == DeviceObject->DriverObject)
{
index=i;
break;
}
}
if(stack->MajorFunction == IRP_MJ_DEVICE_CONTROL)
{
ULONG iocode = stack->Parameters.DeviceIoControl.IoControlCode;
switch(iocode)
{
// not logged
case 0x222428:
case 0x222430:
case 0x222800:
case 0x222804:
case 0x224008:
case 0x22E004:
case 0x22E040:
case 0x22E064:
case 0x22E08C:
case 0x22E0C4:
case 0x22E0C8:
case 0x22E0CC:
case 0x22E0D0:
case 0x22E100:
case 0x22E104:
case 0x22E420:
case 0x22E424:
break;
// logged, and already identified by the author
case 0x221C00:
case 0x222004:
case 0x222008:
case 0x22200C:
case 0x222010:
case 0x222404:
case 0x222408:
case 0x22240C:
case 0x222410:
case 0x222414:
case 0x222418:
case 0x22241C:
case 0x222420:
case 0x222424:
case 0x22242C:
case 0x22400C:
case 0x224010:
case 0x224014:
case 0x224018:
case 0x22401C:
case 0x224020:
case 0x224024:
case 0x22402C:
case 0x22E01C:
case 0x22E05C:
case 0x22E070:
case 0x22E0D8:
case 0x22E0E0:
case 0x22E0E4:
case 0x22E404:
// %ws expects a single wide string; DriverName here is the array, not an element.
DbgPrint("%ws ioctlcode=0x%08x known\n",DriverName,iocode);
break;
// logged, seen before but not yet identified
case 0x221C04:
case 0x221C08:
case 0x221C0C:
case 0x221C10:
case 0x221C14:
case 0x224028:
case 0x22E008:
case 0x22E010:
case 0x22E014:
case 0x22E020:
case 0x22E028:
case 0x22E030:
case 0x22E034:
case 0x22E038:
case 0x22E03C:
case 0x22E044:
case 0x22E048:
case 0x22E04C:
case 0x22E050:
case 0x22E054:
case 0x22E058:
case 0x22E06C:
case 0x22E078:
case 0x22E07C:
case 0x22E080:
case 0x22E084:
case 0x22E0E8:
case 0x22E0EC:
case 0x22E0F0:
case 0x22E108:
case 0x22E10C:
case 0x22E110:
case 0x22E114:
case 0x22E400:
case 0x22E414:
case 0x22E418:
case 0x22E41C:
DbgPrint("%ws ioctlcode=0x%08x unknown1\n",DriverName,iocode);
break;
// never seen before
default:
DbgPrint("%ws ioctlcode=0x%08x unknown2\n",DriverName,iocode);
break;
}
}
// NOTE(review): status is only assigned on the forwarding path. When index is
// -1 or no original dispatch is saved, the IRP is neither completed nor passed
// on and an indeterminate status is returned to the I/O manager.
NTSTATUS status;
if(index != -1 && OriginDispatch)
status=OriginDispatch(DeviceObject,Irp);
return status;
}
// Returns TRUE when the dispatch entry still points at IoCtlDispatch.
// Neither parameter is used: the comparison is made against the global
// DriverObject directly (index presumably selected an array element in the
// original, and MajorFunction presumably carried an [IRP_MJ_DEVICE_CONTROL]
// subscript — both look lost in extraction).
BOOLEAN IsHooked(int index,PUCHAR FuncAddr)
{
if(IoCtlDispatch==DriverObject->MajorFunction)
return TRUE;
return FALSE;
}
// Atomically stores IoCtlDispatch into the dispatch slot FuncAddr points at.
// index is unused. The (PLONG) cast assumes a pointer is 32 bits wide, i.e. an
// x86 build; InterlockedExchangePointer takes a PVOID volatile *.
void Hook(int index,PDRIVER_DISPATCH* FuncAddr)
{
InterlockedExchangePointer((PLONG)FuncAddr,IoCtlDispatch);
}
// IoTimer callback registered in DriverEntry; IoInitializeTimer routines run
// once per second at DISPATCH_LEVEL. If a patched entry has been restored by
// someone else, it is overwritten again. Repeatedly rewriting another driver's
// dispatch table is exactly the pattern dispatch-table integrity checks flag.
// Context is unused; the loop variable i is unused for the reason noted on
// the globals (lost array indices).
void __stdcall OnTimer(PDEVICE_OBJECT DeviceObject,PVOID Context)
{
for(int i=0;i<num;i++)
{
if(bitmap && !IsHooked(i,(PUCHAR)DriverObject->MajorFunction))
{
DbgPrint("Hook is unhooked! rehook it\n");
Hook(i,&DriverObject->MajorFunction);
}
}
}
extern "C"
{
// Driver entry point. Creates an anonymous device (type 0x22 =
// FILE_DEVICE_UNKNOWN) only so that an IoTimer can be attached to it, then
// looks up each driver object by name, saves its dispatch pointer and swaps in
// IoCtlDispatch. pus (the registry path) is unused.
// NOTE(review): the IoCreateDevice return value is not checked, so a NULL
// DevObj reaches IoInitializeTimer; the two __debugbreak() calls halt into the
// kernel debugger and are an unhandled exception without one; the references
// taken by ObReferenceObjectByName are never released; and OriginDispatch is
// overwritten on every iteration, so as written only the last saved pointer
// survives (again consistent with lost [i] subscripts).
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
{
int ret=0;
pdr->DriverUnload=unload;
PDEVICE_OBJECT DevObj = NULL;
IoCreateDevice(pdr,0,NULL,0x22,0,0,&DevObj);
DbgPrint("Hook Everything\n");
__debugbreak();
for(int i=0;i<num;i++)
{
UNICODE_STRING uStr;
NTSTATUS status=0;
PFILE_OBJECT FileObject=NULL;
// DriverName is passed as a whole array here; presumably DriverName[i].
RtlInitUnicodeString(&uStr,DriverName);
status = ObReferenceObjectByName(&uStr,OBJ_CASE_INSENSITIVE,NULL,0,*IoDriverObjectType,KernelMode,NULL,DriverObject+i);
if(NT_SUCCESS(status) && DriverObject)
{
DbgPrint("%ws ioctl hooked\n",DriverName);
PDRIVER_DISPATCH* Addr=&DriverObject->MajorFunction;
OriginDispatch=*Addr;
InterlockedExchangePointer((PLONG)Addr,IoCtlDispatch);
bitmap=TRUE;
}
}
// One-second periodic callback that re-applies the patch (see OnTimer).
IoInitializeTimer(DevObj,OnTimer,NULL);
IoStartTimer(DevObj);
__debugbreak();
return STATUS_SUCCESS;
}
};
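// Returns the load address of the kernel module whose file name matches
// modulename (case-insensitive, e.g. "ntoskrnl.exe"), or 0 when the module is
// not loaded, the query fails, or modulename is NULL. If several loaded modules
// share the file name the last one listed wins, as in the original.
// Allocates from PagedPool, so the caller must be at PASSIVE_LEVEL or APC_LEVEL.
// The ULONG return truncates ImageBase on a 64-bit kernel; like the rest of
// this file it assumes an x86 build.
ULONG GetModuleBase(PCHAR modulename)
{
    PVOID Buffer = NULL;
    ULONG ReturnLength = 0;
    // Was left uninitialized when the allocation failed, so NT_SUCCESS() below
    // read an indeterminate value and could dereference a NULL module list.
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PRTL_PROCESS_MODULES modules = NULL;
    ULONG BaseAddr = 0;
    if(modulename == NULL)
        return 0;
    // First call with a zero-length buffer only retrieves the required size.
    NtQuerySystemInformation(SystemModuleInformation,&ReturnLength,0,&ReturnLength);
    if(ReturnLength)
        Buffer = ExAllocatePool(PagedPool,ReturnLength);
    if(Buffer)
    {
        // Can still fail with a length mismatch if modules were loaded in
        // between the two calls; that case is reported as "not found".
        status = NtQuerySystemInformation(SystemModuleInformation,Buffer,ReturnLength,NULL);
    }
    if(Buffer && NT_SUCCESS(status))
    {
        modules = (PRTL_PROCESS_MODULES)Buffer;
        // ULONG index to match NumberOfModules (the original compared int against ULONG).
        for(ULONG i=0;i<modules->NumberOfModules;i++)
        {
            // FullPathName is the full path; OffsetToFileName locates the bare file name in it.
            int offset = modules->Modules[i].OffsetToFileName;
            if(!_stricmp((const char*)(modules->Modules[i].FullPathName+offset),modulename))
            {
                BaseAddr = (ULONG)modules->Modules[i].ImageBase;
            }
        }
    }
    if(Buffer)
        ExFreePool(Buffer);
    return BaseAddr;
}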
NICE 可以可以!!