- #include <Ntddk.h>
- #include "DriverMonitor.h"
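ULONG GetModuleBase(PCHAR modulename);

// Kernel exports used below that Ntddk.h does not declare; declared here
// with C linkage so they resolve against ntoskrnl at link time.
extern "C"
{
extern POBJECT_TYPE *IoDriverObjectType;
extern POBJECT_TYPE *IoDeviceObjectType;
NTSTATUS __stdcall NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS,PVOID,ULONG,PULONG);
NTSTATUS __stdcall ObReferenceObjectByName(PUNICODE_STRING,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PVOID,PVOID);
NTSTATUS __stdcall ObOpenObjectByName(POBJECT_ATTRIBUTES,POBJECT_TYPE,KPROCESSOR_MODE,PACCESS_STATE,ACCESS_MASK,PVOID,PHANDLE);
NTSTATUS __stdcall ObOpenObjectByPointer(PVOID,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PHANDLE);
NTSTATUS __stdcall ObReferenceObjectByPointer(PVOID,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE);
};

// Object-manager names of the drivers whose IRP_MJ_DEVICE_CONTROL dispatch
// routine is replaced by IoCtlDispatch in DriverEntry.
PWCHAR DriverName[]=
{
    L"\\Driver\\QMUDisk",
    L"\\Driver\\TAOAccelerator",
    L"\\Driver\\TAOKernelDriver",
    L"\\Driver\\TSDefenseBt",
    L"\\Driver\\TsFltMgr",
    L"\\Driver\\TSKSP",
    L"\\Driver\\TSSysKit",
    L"\\Driver\\Ts888",
};
const int num = sizeof(DriverName) / sizeof(DriverName[0]);

// Per-driver state, indexed like DriverName:
//   DriverObject[i]   driver object referenced by ObReferenceObjectByName,
//                     NULL if the lookup failed
//   OriginDispatch[i] routine found in MajorFunction[IRP_MJ_DEVICE_CONTROL]
//                     before the hook was installed; IoCtlDispatch forwards to it
//   bitmap[i]         TRUE once the hook for driver i is installed
PDRIVER_OBJECT DriverObject[num] = {0};
PDRIVER_DISPATCH OriginDispatch[num] = {0};
BOOLEAN bitmap[num] = {FALSE};

// Driver unload routine: undoes what DriverEntry set up.  It stops the
// re-hook timer, puts every saved dispatch routine back, drops the
// driver-object references and deletes the control device.  Leaving the
// hooks in place would send the next IOCTL to one of the listed drivers
// into the address range this image no longer occupies.
//
// Limitation: an IRP that is already executing inside IoCtlDispatch (or
// inside the original routine it forwarded to) still returns through this
// image after the restore; nothing here waits for such calls to drain.
//
// @param pdr  this driver's object, as passed to DriverEntry
VOID __stdcall unload(PDRIVER_OBJECT pdr)
{
    // 1. Stop the watchdog timer first so OnTimer cannot re-install a hook
    //    that is being removed.  Only devices whose timer was initialised
    //    have a Timer block; IoStopTimer on a NULL one would fault.
    for (PDEVICE_OBJECT dev = pdr->DeviceObject; dev != NULL; dev = dev->NextDevice)
    {
        if (dev->Timer != NULL)
        {
            IoStopTimer(dev);
        }
    }

    // 2. Restore the saved dispatch routines and release the references.
    //    bitmap is cleared before the swap so a late OnTimer pass skips
    //    the entry.
    for (int i = 0; i < num; i++)
    {
        bitmap[i] = FALSE;
        if (DriverObject[i] == NULL)
        {
            continue;
        }
        if (OriginDispatch[i] != NULL)
        {
            InterlockedExchangePointer(
                (PVOID volatile *)&DriverObject[i]->MajorFunction[IRP_MJ_DEVICE_CONTROL],
                (PVOID)OriginDispatch[i]);
        }
        ObDereferenceObject(DriverObject[i]);
        DriverObject[i] = NULL;
        OriginDispatch[i] = NULL;
    }

    // 3. Delete the control device(s) created in DriverEntry.
    PDEVICE_OBJECT dev = pdr->DeviceObject;
    while (dev != NULL)
    {
        PDEVICE_OBJECT next = dev->NextDevice;
        IoDeleteDevice(dev);
        dev = next;
    }
}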
// Ways to obtain a driver object: ObReferenceObjectByName or ObOpenObjectByName
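// Prints one DbgPrint line for an IOCTL observed on DriverName[index], or
// nothing for the codes in the first case list.  The three labels in the
// output ("known", "unknown1", "unknown2") correspond to the three remaining
// case groups below; the code lists themselves are data collected by the
// author and are kept as given.
//
// @param index   valid index into DriverName (caller guarantees 0 <= index < num)
// @param iocode  IoControlCode from the IRP's current stack location
static void LogIoctl(int index, ULONG iocode)
{
    switch (iocode)
    {
    // not monitored
    case 0x222428:
    case 0x222430:
    case 0x222800:
    case 0x222804:
    case 0x224008:
    case 0x22E004:
    case 0x22E040:
    case 0x22E064:
    case 0x22E08C:
    case 0x22E0C4:
    case 0x22E0C8:
    case 0x22E0CC:
    case 0x22E0D0:
    case 0x22E100:
    case 0x22E104:
    case 0x22E420:
    case 0x22E424:
        break;
    // monitored, meaning known
    case 0x221C00:
    case 0x222004:
    case 0x222008:
    case 0x22200C:
    case 0x222010:
    case 0x222404:
    case 0x222408:
    case 0x22240C:
    case 0x222410:
    case 0x222414:
    case 0x222418:
    case 0x22241C:
    case 0x222420:
    case 0x222424:
    case 0x22242C:
    case 0x22400C:
    case 0x224010:
    case 0x224014:
    case 0x224018:
    case 0x22401C:
    case 0x224020:
    case 0x224024:
    case 0x22402C:
    case 0x22E01C:
    case 0x22E05C:
    case 0x22E070:
    case 0x22E0D8:
    case 0x22E0E0:
    case 0x22E0E4:
    case 0x22E404:
        DbgPrint("%ws ioctlcode=0x%08x known\n",DriverName[index],iocode);
        break;
    // monitored, meaning unknown
    case 0x221C04:
    case 0x221C08:
    case 0x221C0C:
    case 0x221C10:
    case 0x221C14:
    case 0x224028:
    case 0x22E008:
    case 0x22E010:
    case 0x22E014:
    case 0x22E020:
    case 0x22E028:
    case 0x22E030:
    case 0x22E034:
    case 0x22E038:
    case 0x22E03C:
    case 0x22E044:
    case 0x22E048:
    case 0x22E04C:
    case 0x22E050:
    case 0x22E054:
    case 0x22E058:
    case 0x22E06C:
    case 0x22E078:
    case 0x22E07C:
    case 0x22E080:
    case 0x22E084:
    case 0x22E0E8:
    case 0x22E0EC:
    case 0x22E0F0:
    case 0x22E108:
    case 0x22E10C:
    case 0x22E110:
    case 0x22E114:
    case 0x22E400:
    case 0x22E414:
    case 0x22E418:
    case 0x22E41C:
        DbgPrint("%ws ioctlcode=0x%08x unknown1\n",DriverName[index],iocode);
        break;
    // completely unknown
    default:
        DbgPrint("%ws ioctlcode=0x%08x unknown2\n",DriverName[index],iocode);
        break;
    }
}

// Replacement IRP_MJ_DEVICE_CONTROL dispatch routine installed on every
// driver in DriverName.  Logs the IOCTL code via LogIoctl and then forwards
// the IRP to the driver's saved original routine.
//
// @param DeviceObject  target device; its DriverObject selects the
//                      DriverName/OriginDispatch entry
// @param Irp           the request being dispatched
// @return the original routine's status, or STATUS_INVALID_DEVICE_REQUEST
//         when the owning driver is not in the table or has no saved
//         routine; in that case the IRP is completed here so it is neither
//         leaked nor returned with an uninitialised status.
NTSTATUS __stdcall IoCtlDispatch(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);

    // Identify the hooked driver by driver-object identity.
    int index = -1;
    for (int i = 0; i < num; i++)
    {
        if (DriverObject[i] == DeviceObject->DriverObject)
        {
            index = i;
            break;
        }
    }

    // Nothing to forward to: complete the IRP with an error instead of
    // indexing DriverName[-1] and falling through with garbage status.
    if (index == -1 || OriginDispatch[index] == NULL)
    {
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    // Only the device-control slot is hooked, so this is normally true; the
    // check keeps the logging honest if the routine is ever installed elsewhere.
    if (stack->MajorFunction == IRP_MJ_DEVICE_CONTROL)
    {
        LogIoctl(index, stack->Parameters.DeviceIoControl.IoControlCode);
    }

    return OriginDispatch[index](DeviceObject, Irp);
}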
// Reports whether the IRP_MJ_DEVICE_CONTROL slot of DriverObject[index]
// still points at IoCtlDispatch.  FuncAddr is accepted for call-site
// compatibility but not consulted; the driver object's table is read directly.
//
// @param index     index into DriverObject; the entry must be non-NULL
// @param FuncAddr  unused
// @return TRUE if the slot holds IoCtlDispatch, FALSE otherwise
BOOLEAN IsHooked(int index,PUCHAR FuncAddr)
{
    (void)FuncAddr;
    PDRIVER_DISPATCH current = DriverObject[index]->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    return (current == IoCtlDispatch) ? TRUE : FALSE;
}
// Atomically stores IoCtlDispatch into the dispatch-table slot *FuncAddr.
// The casts match what the x86 InterlockedExchangePointer macro expects;
// the file as a whole assumes a 32-bit kernel (see GetModuleBase's ULONG).
//
// @param index     unused; kept so the signature mirrors IsHooked
// @param FuncAddr  address of the MajorFunction[] entry to overwrite
void Hook(int index,PDRIVER_DISPATCH* FuncAddr)
{
    (void)index;
    PVOID volatile *slot = (PVOID volatile *)FuncAddr;
    InterlockedExchangePointer(slot, (PVOID)IoCtlDispatch);
}
// IoTimer callback started by IoStartTimer in DriverEntry (it runs at
// DISPATCH_LEVEL, roughly once per second).  For every entry that was
// hooked successfully (bitmap[i]) it checks whether the
// IRP_MJ_DEVICE_CONTROL slot still holds IoCtlDispatch and, if not,
// writes it back.
//
// @param DeviceObject  the control device owning the timer (unused)
// @param Context       unused
void __stdcall OnTimer(PDEVICE_OBJECT DeviceObject,PVOID Context)
{
    (void)DeviceObject;
    (void)Context;
    for (int slot = 0; slot < num; slot++)
    {
        if (!bitmap[slot])
        {
            continue;
        }
        PDRIVER_DISPATCH *entry = &DriverObject[slot]->MajorFunction[IRP_MJ_DEVICE_CONTROL];
        if (IsHooked(slot, (PUCHAR)*entry))
        {
            continue;
        }
        DbgPrint("Hook is unhooked! rehook it\n");
        Hook(slot, entry);
    }
}
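extern "C"
{
// Driver entry point.  Creates an unnamed control device (needed only to
// own the IoTimer), replaces the IRP_MJ_DEVICE_CONTROL dispatch routine of
// every driver in DriverName that can be looked up with IoCtlDispatch, and
// starts the timer that re-installs those hooks.
//
// @param pdr  this driver's object
// @param pus  registry path (unused)
// @return STATUS_SUCCESS, or IoCreateDevice's failure status.  A listed
//         driver that cannot be looked up is logged and skipped; a timer
//         initialisation failure is logged and the hooks are kept without
//         the watchdog, because returning an error at that point would
//         unload this image with the hooks still installed.
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
{
    (void)pus;
    pdr->DriverUnload = unload;

    PDEVICE_OBJECT DevObj = NULL;
    NTSTATUS status = IoCreateDevice(pdr, 0, NULL, FILE_DEVICE_UNKNOWN, 0, FALSE, &DevObj);
    if (!NT_SUCCESS(status) || DevObj == NULL)
    {
        // Without the device there is nothing to attach the timer to.
        DbgPrint("IoCreateDevice failed: 0x%08x\n", status);
        return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;
    }
    DbgPrint("Hook Everything\n");
    // No unconditional __debugbreak() here: without a kernel debugger
    // attached an int 3 in kernel mode bugchecks the machine.

    for (int i = 0; i < num; i++)
    {
        UNICODE_STRING uStr;
        RtlInitUnicodeString(&uStr, DriverName[i]);

        // Takes a reference on the driver object; unload is expected to
        // release it.
        status = ObReferenceObjectByName(&uStr, OBJ_CASE_INSENSITIVE, NULL, 0,
                                         *IoDriverObjectType, KernelMode, NULL,
                                         DriverObject + i);
        if (!NT_SUCCESS(status) || DriverObject[i] == NULL)
        {
            DbgPrint("%ws not found (0x%08x), skipped\n", DriverName[i], status);
            DriverObject[i] = NULL;
            continue;
        }

        PDRIVER_DISPATCH *Addr = &DriverObject[i]->MajorFunction[IRP_MJ_DEVICE_CONTROL];
        OriginDispatch[i] = *Addr;
        Hook(i, Addr);
        bitmap[i] = TRUE;
        DbgPrint("%ws ioctl hooked\n", DriverName[i]);
    }

    status = IoInitializeTimer(DevObj, OnTimer, NULL);
    if (NT_SUCCESS(status))
    {
        IoStartTimer(DevObj);
    }
    else
    {
        DbgPrint("IoInitializeTimer failed: 0x%08x, running without re-hook timer\n", status);
    }
    return STATUS_SUCCESS;
}
};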
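// Looks up the load address of a kernel module by file name (case-insensitive)
// using SystemModuleInformation.
//
// @param modulename  NUL-terminated file name, compared against the part of
//                    FullPathName that starts at OffsetToFileName
// @return the module's ImageBase truncated to ULONG, or 0 when modulename is
//         NULL, the size query returns nothing, allocation fails, the query
//         fails, or no module matches.  The ULONG return only holds a full
//         address on a 32-bit kernel.
ULONG GetModuleBase(PCHAR modulename)
{
    // Arbitrary pool tag so the list buffer shows up under its own name in
    // pool-leak diagnostics.
    enum { MODULE_LIST_TAG = 'nMrD' };

    if (modulename == NULL)
    {
        return 0;
    }

    // Size query: the zero-length call fails and reports the needed size.
    ULONG ReturnLength = 0;
    NtQuerySystemInformation(SystemModuleInformation, &ReturnLength, 0, &ReturnLength);
    if (ReturnLength == 0)
    {
        return 0;
    }

    PVOID Buffer = ExAllocatePoolWithTag(PagedPool, ReturnLength, MODULE_LIST_TAG);
    if (Buffer == NULL)
    {
        return 0;
    }

    ULONG BaseAddr = 0;
    // The module list can grow between the two calls; a mismatch then shows
    // up as a failed status and the function simply reports 0.
    NTSTATUS status = NtQuerySystemInformation(SystemModuleInformation, Buffer, ReturnLength, NULL);
    if (NT_SUCCESS(status))
    {
        PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)Buffer;
        for (ULONG i = 0; i < modules->NumberOfModules; i++)
        {
            const char *name = (const char *)modules->Modules[i].FullPathName
                             + modules->Modules[i].OffsetToFileName;
            if (_stricmp(name, modulename) == 0)
            {
                BaseAddr = (ULONG)(ULONG_PTR)modules->Modules[i].ImageBase;
                break;
            }
        }
    }

    ExFreePoolWithTag(Buffer, MODULE_LIST_TAG);
    return BaseAddr;
}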