#include <ntddk.h>
#include <windef.h>
#include "nthook.h"
//--------------------------------------------------------------------------------
//--------------------------------------------------------------------------------
// Forward declarations for the two routines DriverEntry installs on the driver
// object: the catch-all IRP dispatch routine and the unload routine.
static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject);
//--------------------------------------------------------------------------------
// Hooking a native function that the kernel does not export
// The kernel's system service descriptor table, resolved by the loader. The
// inline __asm below is MSVC x86 syntax, so this file only builds for 32-bit.
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
// Selects the SSDT slot for a native API stub address: the 32-bit value at byte
// offset 1 of the stub is used as the service index into ServiceTableBase.
// NOTE(review): assumes the stub starts with a 5-byte "mov eax, imm32"; nothing
// checks that the index lies within the table before the slot is read or written.
#define SYSCALL(_function) KeServiceDescriptorTable->ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
// CR0 as saved by DisableProtection() and restored by EnableProtection().
// A single global: the pair must not be nested or run concurrently.
unsigned long CR0VALUE = 0;
//
// Disable Windows NT/2000 memory protection so that read-only memory regions become writable
//
void DisableProtection()
{
/* Masks interrupts and clears CR0.WP on the current processor so that
   supervisor-mode writes to read-only pages (the SSDT) succeed. Interrupts
   stay masked until EnableProtection() executes sti, so only plain memory
   stores belong between the two calls. CR0 is per-processor: both calls must
   run on the same CPU, and other processors are unaffected. */
__asm
{
cli                     ; mask interrupts on this CPU for the duration of the write
mov eax,cr0
mov CR0VALUE,eax        ; remember the original CR0 so EnableProtection() can restore it
and eax,0fffeffffh      ; clear bit 16 (CR0.WP): supervisor writes now ignore page R/O bits
mov cr0,eax
}
}
//
// Re-enable Windows NT/2000 memory protection
//
void EnableProtection()
{
/* Restores the CR0 value saved by DisableProtection() (re-setting CR0.WP) and
   re-enables interrupts. Must run on the same processor as DisableProtection();
   calling it without a preceding DisableProtection() writes a stale CR0VALUE
   (0 at first) into CR0. */
__asm
{
mov eax,CR0VALUE        ; restore the CR0 saved by DisableProtection()
mov cr0,eax
sti                     ; re-enable the interrupts masked by DisableProtection()
}
}
// Resolves the addresses of named ntdll.dll exports by mapping the on-disk image
// as a SEC_IMAGE section into the calling process and walking its export directory.
//
//   searchFunctionNameListA  array of sizeA counted STRINGs holding the export
//                            names to look up (compared case-insensitively).
//   functionAddressListA     array of sizeA DWORDs; entry j is overwritten with
//                            the address of the export matching name j inside
//                            the temporary mapping, and left untouched when no
//                            match is found (callers pre-fill it with 0 to
//                            detect that).
//   sizeA                    number of entries in both arrays.
//
// Returns nothing and reports no error: every failing step simply leaves the
// output untouched.
//
// NOTE(review): the image path is hard-coded to \Device\HarddiskVolume1, so on
// a system whose Windows directory lives on another volume the lookup silently
// finds nothing.
// NOTE(review): the view at BaseAddress is never unmapped (no
// ZwUnmapViewOfSection), and hSection is passed to ZwClose even when
// ZwCreateSection failed and never initialised it.
// NOTE(review): the PE headers read from the mapping are trusted without any
// range checks on e_lfanew or the export-directory RVAs.
void GetDllFunctionAddress(STRING* searchFunctionNameListA,DWORD* functionAddressListA,DWORD sizeA)
{
HANDLE hFile,hSection, hMod;
PVOID BaseAddress = NULL;
IMAGE_DOS_HEADER* dosheader = NULL;
IMAGE_OPTIONAL_HEADER* opthdr = NULL;
IMAGE_EXPORT_DIRECTORY* pExportTable = NULL;
DWORD* arrayOfFunctionAddresses = NULL;
DWORD* arrayOfFunctionNames = NULL;
WORD* arrayOfFunctionOrdinals = NULL;
DWORD functionOrdinal = -1;   // unsigned: -1 wraps to 0xFFFFFFFF; overwritten before first use
DWORD Base = 1 , x = 0, j = 0;
char* functionNameL = NULL;
STRING functionNameStrL;
DWORD functionAddressL = 0;
SIZE_T sizeL = 0;             // ViewSize for the map (0 = whole section); later reused as a hit counter
UNICODE_STRING dllName;
// Locate the module base: open the file and map it as an image section.
OBJECT_ATTRIBUTES oa = {sizeof oa, 0, &dllName, OBJ_CASE_INSENSITIVE};
IO_STATUS_BLOCK iosb;
RtlInitUnicodeString(&dllName, L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll");
if(ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT) == STATUS_SUCCESS)
{
oa.ObjectName = 0;   // the section is unnamed; hFile supplies the backing image
if(ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, SEC_IMAGE, hFile) == STATUS_SUCCESS)
{
// Status is ignored: on failure BaseAddress stays NULL and the walk below is skipped.
// (SECTION_INHERIT)1 is ViewShare.
ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &sizeL, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
}
ZwClose(hFile);
// Locate the export table.
if(BaseAddress)
{
hMod = BaseAddress;
dosheader = (IMAGE_DOS_HEADER *)hMod;
// e_lfanew points at the PE signature; +24 skips the 4-byte signature and the
// 20-byte IMAGE_FILE_HEADER to land on the optional header.
opthdr =(IMAGE_OPTIONAL_HEADER *) ((BYTE*)hMod+dosheader->e_lfanew+24);
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*) hMod + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfFunctions);
arrayOfFunctionNames = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfNames);
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)hMod + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
sizeL = 0;   // from here on: number of requested names resolved so far
// Find the matching function addresses.
// NOTE(review): in the PE format AddressOfNames and AddressOfNameOrdinals hold
// NumberOfNames entries; iterating to NumberOfFunctions reads past them whenever
// NumberOfFunctions > NumberOfNames.
for(x = 0; x < pExportTable->NumberOfFunctions; x++)
{
functionNameL = (char*)( (BYTE*)hMod + arrayOfFunctionNames[x]);
RtlInitString(&functionNameStrL, functionNameL);
// NOTE(review): the PE spec defines the name-ordinal table as unbiased indices
// into AddressOfFunctions, so "+ Base - 1" is only correct when Base == 1.
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
functionAddressL = (DWORD)( (BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]);
for(j = 0; j < sizeA; ++j)
{
// TRUE = case-insensitive compare; 0 means the strings are equal.
if (RtlCompareString(&functionNameStrL, &(searchFunctionNameListA [j]), TRUE) == 0)
{
++sizeL;
functionAddressListA[j] = functionAddressL;
break;
}
}
// Stop early once every requested name has been resolved.
if(sizeL == sizeA)
break;
}
}
ZwClose(hSection);
}
}
// Address of the ZwQueryFullAttributesFile stub inside the ntdll mapping made by
// GetDllFunctionAddress(); SYSCALL() reads the service index from it. 0 = not resolved.
DWORD g_functionAddress = 0;
// The SSDT entry found before the hook was written; restored by UnHookFunction().
// Stays 0 (zero-initialised global) while no hook is installed.
ZWQUERYFULLATTRIBUTEFILE g_oldZwQueryFullAttributeFile;
// Installs the SSDT hook: resolves the ntdll stub for ZwQueryFullAttributesFile,
// derives its service index via SYSCALL(), saves the current table entry in
// g_oldZwQueryFullAttributeFile and overwrites the slot with
// HookNtQueryFullAttributeFile. Does nothing (g_functionAddress stays 0) when
// the export cannot be resolved.
//
// NOTE(review): the slot is overwritten with a plain store while interrupts are
// masked and CR0.WP is cleared; there is no check that the derived index is
// within the table, that the slot still holds the kernel's own entry, or that
// another hook is not already installed (the saved "old" value would then be
// that hook, not the original). The store is not interlocked against other
// processors. This is precisely the modification that SSDT-integrity checkers
// and Kernel Patch Protection are designed to report.
VOID
hookUnExportFunction()
{
#define NUMBEROFFUNCTION 1   // exports resolved below; the macro remains defined after this function
// Resolve the stub address.
STRING functionNameList[NUMBEROFFUNCTION];
DWORD functionAddressList[NUMBEROFFUNCTION] = { 0};   // 0 is the "not found" sentinel left by GetDllFunctionAddress()
RtlInitString(&functionNameList[0], "ZwQueryFullAttributesFile");
GetDllFunctionAddress(functionNameList,functionAddressList,NUMBEROFFUNCTION);
g_functionAddress = functionAddressList[0];
if(g_functionAddress != 0)
{
// Save the old table entry so UnHookFunction() can restore it.
g_oldZwQueryFullAttributeFile = (ZWQUERYFULLATTRIBUTEFILE)(SYSCALL(g_functionAddress));
DisableProtection() ;
// Write the hook address into the table slot.
(SYSCALL(g_functionAddress)) = (ULONG)HookNtQueryFullAttributeFile;
EnableProtection();
}
}
// Restores the SSDT entry saved by hookUnExportFunction(). No-op when no hook
// was installed (g_oldZwQueryFullAttributeFile still 0).
//
// NOTE(review): nothing here waits for threads currently executing inside
// HookNtQueryFullAttributeFile; once the driver image is unloaded those threads
// return into freed code. There is also no check that the slot still holds our
// hook before it is overwritten, so a hook installed later by someone else is
// silently discarded.
VOID UnHookFunction()
{
if(g_oldZwQueryFullAttributeFile != 0)
{
/* Earlier inline variant of DisableProtection(), kept disabled for reference:
__asm
{
cli
mov eax,cr0
and eax,NOT 10000h
mov cr0,eax
}*/
DisableProtection() ;
// Put the original entry back into the table slot.
(SYSCALL(g_functionAddress)) = (ULONG)g_oldZwQueryFullAttributeFile;
EnableProtection();
/* Earlier inline variant of EnableProtection(), kept disabled for reference:
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}*/
}
}
//--------------------------------------------------------------------------------
// Driver entry point
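/*
 * Driver entry point. Creates the control device \Device\WssHookPE and its
 * \DosDevices link, routes every major function to MydrvDispatch, then installs
 * the SSDT hook via hookUnExportFunction().
 *
 * DriverObject: the driver object supplied by the I/O manager.
 * RegistryPath: the driver's service key; unused here.
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink
 * status (after undoing the device creation). A failed hook resolution does not
 * fail the load: hookUnExportFunction() simply leaves the table untouched.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    UNICODE_STRING nameString, linkString;
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS status;
    int i;

    UNREFERENCED_PARAMETER( RegistryPath );

    /* Register the unload routine first so a partial initialisation can still be torn down. */
    DriverObject->DriverUnload = DriverUnload;

    /* Create the control device. */
    RtlInitUnicodeString( &nameString, L"\\Device\\WssHookPE" );
    status = IoCreateDevice( DriverObject,
                             0,
                             &nameString,
                             FILE_DEVICE_UNKNOWN,
                             0,
                             TRUE,
                             &deviceObject
                             );
    if (!NT_SUCCESS( status ))
        return status;

    /* Expose it under \DosDevices; on failure drop the device we just created. */
    RtlInitUnicodeString( &linkString, L"\\DosDevices\\WssHookPE" );
    status = IoCreateSymbolicLink (&linkString, &nameString);
    if (!NT_SUCCESS( status ))
    {
        IoDeleteDevice (deviceObject);
        return status;
    }

    /* Exclusive upper bound: the slot at index IRP_MJ_MAXIMUM_FUNCTION keeps the
       I/O manager's default handler, as in the original code. */
    for ( i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = MydrvDispatch;
    }

    hookUnExportFunction();
    return STATUS_SUCCESS;
}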
// Handle requests sent to the device object
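/*
 * Catch-all dispatch routine for every major function: completes each IRP with
 * STATUS_SUCCESS and zero bytes transferred.
 *
 * DeviceObject: target device; unused, there is a single device.
 * Irp:          the request to complete.
 *
 * Returns STATUS_SUCCESS. The IRP is owned by the I/O manager as soon as
 * IoCompleteRequest returns and may already be freed, so the status is returned
 * from a local value rather than re-read from Irp->IoStatus as before.
 */
static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER( DeviceObject );

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0L;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return status;
}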
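/*
 * Unload routine: restores the SSDT entry, then removes the \DosDevices link
 * and the device object created in DriverEntry.
 *
 * pDriverObject: the driver object being unloaded.
 *
 * The IoDeleteSymbolicLink status is ignored; there is no recovery during unload.
 * NOTE(review): UnHookFunction() puts the table entry back but nothing waits for
 * callers still executing inside HookNtQueryFullAttributeFile before the image
 * is released.
 */
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING nameString;

    UnHookFunction();

    RtlInitUnicodeString( &nameString, L"\\DosDevices\\WssHookPE" );
    IoDeleteSymbolicLink(&nameString);
    IoDeleteDevice(pDriverObject->DeviceObject);
}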
/*
 * Replacement SSDT entry for ZwQueryFullAttributesFile: emits one debug line and
 * forwards the call, unchanged, to the entry saved in g_oldZwQueryFullAttributeFile.
 *
 * ObjectAttributes: passed through to the original.
 * FileInformation:  passed through to the original.
 *
 * Returns whatever the original entry returns.
 */
NTSTATUS
HookNtQueryFullAttributeFile(
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
    )
{
    DbgPrint("Hook ZwQureryFullAttributeFile()\n");
    /* g_oldZwQueryFullAttributeFile already has the ZWQUERYFULLATTRIBUTEFILE type. */
    return g_oldZwQueryFullAttributeFile(ObjectAttributes, FileInformation);
}