驅動獲取SSDT表程式碼
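/*
 * SSDT hook sample: intercept ZwCreateFile and log the file name.
 *
 * Platform assumptions this code relies on (none hold on x64 or on any
 * PatchGuard-protected kernel, where SSDT patching must not be attempted):
 *   - KeServiceDescriptorTable is exported by the x86 ntoskrnl.
 *   - Zw* stubs start with `mov eax, imm32` (B8 xx xx xx xx) where imm32 is
 *     the service index; SSDKREPLACE/SsdtIndexOf read that immediate.
 *   - MSVC x86 inline assembly is available to toggle CR0.WP.
 */
#include <ntddk.h>

typedef struct _SERVICE_DESCRIPTOR_TABLE {
    /* TableSize pointers to service handlers, indexed by service ID. */
    PULONG ServiceTable;
    /* Per-service call counters; only updated in checked builds. */
    PULONG CounterTable;
    /* Number of services contained in this table. */
    ULONG TableSize;
    /* Number of bytes of parameters each handler takes. */
    PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

typedef NTSTATUS (*ZWCREATEFILE)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
);

/* Original SSDT entry for ZwCreateFile; NULL until StartHookSSDT succeeds.
 * Never reset to NULL: a thread that entered Hook_ZwCreateFile just before
 * unhooking may still be about to call through it. */
static ZWCREATEFILE OldZwCreateFile = NULL;

/* Number of threads currently executing inside Hook_ZwCreateFile. Used by
 * DriverUnLoad to drain callers before the image is freed. */
static volatile LONG g_HookInFlight = 0;

extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

/* Unchecked lvalue of the SSDT slot belonging to a Zw* stub (kept for
 * compatibility). Prefer SsdtIndexOf(), which validates the stub encoding and
 * bounds-checks the index against TableSize. */
#define SSDKREPLACE(_function) \
    KeServiceDescriptorTable->ServiceTable[*(PULONG)((PUCHAR)(_function) + 1)]
#define SDT SSDKREPLACE

#define SSDT_INDEX_INVALID        ((ULONG)-1)
#define X86_OPCODE_MOV_EAX_IMM32  0xB8
#define HOOK_DRAIN_TIMEOUT_MS     5000

/*
 * Return the SSDT index encoded in a Zw* stub, or SSDT_INDEX_INVALID when the
 * stub does not begin with `mov eax, imm32` or the index is not below
 * TableSize. Writing ServiceTable[index] without this check would corrupt
 * whatever follows the table.
 */
static ULONG SsdtIndexOf(PVOID ZwStub)
{
    PUCHAR code = (PUCHAR)ZwStub;
    ULONG index;

    if (code == NULL || code[0] != X86_OPCODE_MOV_EAX_IMM32) {
        return SSDT_INDEX_INVALID;
    }
    index = *(PULONG)(code + 1);
    if (index >= KeServiceDescriptorTable->TableSize) {
        return SSDT_INDEX_INVALID;
    }
    return index;
}

/*
 * Clear CR0.WP so the read-only SSDT page can be written; returns the previous
 * CR0 for WriteProtectOn(). Interrupts are disabled first so this thread can
 * neither be preempted nor migrated while WP is clear - otherwise this CPU
 * would be left with WP off and the write could fault on another CPU.
 * Callers run at PASSIVE_LEVEL (DriverEntry / DriverUnload). An alternative
 * that avoids CR0 altogether is mapping the page writable through an MDL.
 */
static ULONG WriteProtectOff(void)
{
    ULONG oldCr0;

    __asm {
        cli
        mov eax, cr0
        mov oldCr0, eax
        and eax, NOT 00010000h      ; CR0.WP is bit 16
        mov cr0, eax
    }
    return oldCr0;
}

/* Restore the CR0 value saved by WriteProtectOff() and re-enable interrupts. */
static void WriteProtectOn(ULONG oldCr0)
{
    __asm {
        mov eax, oldCr0
        mov cr0, eax
        sti
    }
}

/*
 * Log the name passed to ZwCreateFile.
 *
 * ObjectAttributes comes straight from the caller, which for an SSDT hook is
 * usually user mode: it may be NULL, lie outside user space, or be unmapped /
 * rewritten by another thread after the original service already validated
 * it. Kernel code must therefore probe it and catch the access violation
 * rather than dereference it blindly (the original wrote
 * ObjectAttributes->ObjectName with no check, a user-triggerable bugcheck).
 * The UNICODE_STRING is copied so Length/Buffer cannot change between the
 * probe and the print.
 */
static void LogCreateFileName(POBJECT_ATTRIBUTES ObjectAttributes)
{
    BOOLEAN fromUser = (BOOLEAN)(ExGetPreviousMode() == UserMode);
    PUNICODE_STRING namePtr;
    UNICODE_STRING name;

    __try {
        if (ObjectAttributes != NULL) {
            if (fromUser) {
                ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES),
                             TYPE_ALIGNMENT(OBJECT_ATTRIBUTES));
            }
            namePtr = ObjectAttributes->ObjectName;
            if (namePtr != NULL) {
                if (fromUser) {
                    ProbeForRead(namePtr, sizeof(UNICODE_STRING),
                                 TYPE_ALIGNMENT(UNICODE_STRING));
                }
                name = *namePtr;
                if (fromUser && name.Buffer != NULL) {
                    ProbeForRead(name.Buffer, name.Length, sizeof(WCHAR));
                }
                KdPrint(("new createfile-->%wZ", &name));
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Bad caller-supplied pointer: drop the log line rather than let a
         * user-mode caller take the kernel down. */
    }
}

/*
 * Replacement SSDT entry for ZwCreateFile: forwards to the original handler,
 * then logs the requested name. The in-flight counter brackets the body so
 * DriverUnLoad can wait for callers to leave before the image is freed.
 */
NTSTATUS Hook_ZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
)
{
    NTSTATUS rc;

    InterlockedIncrement(&g_HookInFlight);
    rc = OldZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes,
                         IoStatusBlock, AllocationSize, FileAttributes,
                         ShareAccess, CreateDisposition, CreateOptions,
                         EaBuffer, EaLength);
    LogCreateFileName(ObjectAttributes);
    InterlockedDecrement(&g_HookInFlight);
    return rc;
}

/*
 * Install Hook_ZwCreateFile in the SSDT.
 *
 * The original did `OldZwCreateFile = InterlockedExchange(slot, Hook)`, which
 * makes the hook reachable BEFORE OldZwCreateFile is assigned: a ZwCreateFile
 * call landing in that window calls through a NULL pointer. Here the original
 * entry is published first and the slot is swapped with a compare-exchange,
 * retrying if the slot changed underneath us. Re-installing when the slot
 * already holds the hook is refused, since it would make OldZwCreateFile point
 * at the hook itself (infinite recursion).
 */
void StartHookSSDT(void)
{
    ULONG index = SsdtIndexOf((PVOID)ZwCreateFile);
    PLONG slot;
    LONG current;
    ULONG savedCr0;

    if (index == SSDT_INDEX_INVALID) {
        KdPrint(("StartHookSSDT: cannot locate ZwCreateFile in the SSDT, not hooking\n"));
        return;
    }
    slot = (PLONG)&KeServiceDescriptorTable->ServiceTable[index];

    savedCr0 = WriteProtectOff();
    for (;;) {
        current = *(volatile LONG *)slot;
        if (current == (LONG)Hook_ZwCreateFile) {
            break;  /* already installed */
        }
        OldZwCreateFile = (ZWCREATEFILE)current;   /* visible before the swap */
        if (InterlockedCompareExchange(slot, (LONG)Hook_ZwCreateFile, current) == current) {
            break;
        }
        /* Slot changed between read and swap (another hooker); retry with the new value. */
    }
    WriteProtectOn(savedCr0);
}

/*
 * Restore the original ZwCreateFile SSDT entry.
 *
 * If the slot no longer held our hook, another driver hooked on top of us and
 * saved a pointer into this image as its "original"; neither restoring nor
 * leaving the slot is safe once we unload. The original entry is restored (as
 * before) and the condition is logged - a production driver should refuse to
 * unload in that situation instead.
 */
void EndHookSSDT(void)
{
    ULONG index;
    PLONG slot;
    LONG previous;
    ULONG savedCr0;

    if (OldZwCreateFile == NULL) {
        return;  /* StartHookSSDT never installed anything */
    }
    index = SsdtIndexOf((PVOID)ZwCreateFile);
    if (index == SSDT_INDEX_INVALID) {
        return;
    }
    slot = (PLONG)&KeServiceDescriptorTable->ServiceTable[index];

    savedCr0 = WriteProtectOff();
    previous = InterlockedExchange(slot, (LONG)OldZwCreateFile);
    WriteProtectOn(savedCr0);

    if (previous != (LONG)Hook_ZwCreateFile) {
        KdPrint(("EndHookSSDT: SSDT entry was %X, not our hook; a later hook may still reference this driver\n",
                 previous));
    }
}

/*
 * Driver unload: remove the hook, then wait for threads still inside
 * Hook_ZwCreateFile to leave.
 *
 * The counter does not cover the window between the dispatcher reading the
 * SSDT slot and the hook's first instruction, so this is a mitigation, not a
 * guarantee (the usual production answer is to not support unload at all).
 * The wait is capped so a caller blocked inside ZwCreateFile cannot hang the
 * unload indefinitely.
 */
void DriverUnLoad(PDRIVER_OBJECT pDriver)
{
    LARGE_INTEGER tenMs;
    ULONG waitedMs = 0;

    UNREFERENCED_PARAMETER(pDriver);

    KdPrint(("DriverUnload..."));
    EndHookSSDT();

    tenMs.QuadPart = -100000;  /* 10 ms in 100-ns units; negative = relative */
    while (g_HookInFlight != 0 && waitedMs < HOOK_DRAIN_TIMEOUT_MS) {
        KeDelayExecutionThread(KernelMode, FALSE, &tenMs);
        waitedMs += 10;
    }
    if (g_HookInFlight != 0) {
        KdPrint(("DriverUnload: %d caller(s) still inside the hook after %u ms\n",
                 g_HookInFlight, waitedMs));
    }
}

/*
 * Dump every SSDT entry as "<1-based index>---><handler address>".
 * The index is ULONG to match TableSize (the original compared a signed int
 * against it) and is no longer both read and incremented inside one KdPrint
 * argument list, whose evaluation order is unspecified.
 */
void PrintfSSDT(void)
{
    ULONG i;

    for (i = 0; i < KeServiceDescriptorTable->TableSize; i++) {
        KdPrint(("%u--->%X\n", i + 1, KeServiceDescriptorTable->ServiceTable[i]));
    }
}

/* Entry point: register unload, dump the SSDT, install the hook. */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath)
{
    UNREFERENCED_PARAMETER(pRegPath);

    KdPrint(("Driver Load..."));
    pDrvObj->DriverUnload = DriverUnLoad;
    PrintfSSDT();
    StartHookSSDT();
    return STATUS_SUCCESS;
}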
本文連結地址: https://www.dbgpro.com/archives/4745.html