	return 0x10001;

quit_hook2:
	
	return ((ARP_RCV_INDICATION_NEW)_ulB)(Handle, Context, Header, HeaderSize,
											Data, DataSize, TotalSize, Unknow1, Unknow2);
}

///////////////////////////////////////////////////////////////////////////////
// Hook: NdisRegisterProtocol

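/*
 * HookProc - replacement for the NdisRegisterProtocol pointer that
 * MyLoadImageNotifyProc wrote into the import slot at _ul4.
 *
 * It is meant to fire once: after doing its work it writes the original
 * pointer (_ul6) back into the slot and then forwards the call to it.
 *
 * Work done while it runs:
 *   - the first 0x80 bytes of the protocol's SendCompleteHandler are
 *     scanned for a near CALL (E8 rel32) whose target lies inside the
 *     hooked module (_ul7 .. _ul7+_ul8); the target is published in _ulB
 *     (HookProc2 calls through it) and the CALL is redirected to HookProc2;
 *   - if ReceivePacketHandler also contains a CALL to that same target,
 *     it is redirected too;
 *   - two non-paged scratch buffers are allocated into _ulA / _ulC
 *     (their use is in HookProc2, outside this listing).
 *
 * Changes against the first version:
 *   - _ulB is only published once the target has passed every check.  The
 *     old loop stored the candidate before validating it and could leave a
 *     stale value (and p == pMax) when the last byte of the window was an
 *     E8 with an invalid target, then patched one byte past the window.
 *   - the second CALL is only patched when the scan actually found it; the
 *     old code wrote at pMax+1 when the scan fell off the end.
 *   - ExAllocatePool results are checked before memset.
 *   - write protection is re-enabled after restoring the import slot (the
 *     old code called DisableWriteProtect twice and left CR0.WP cleared).
 *   - the 4-byte rel32 read is bounds-checked with MmIsAddressValid(p+4)
 *     as well as p, since a 0x80/0x100-byte window may cross a page.
 *
 * Notes: the (ULONG) pointer arithmetic assumes a 32-bit kernel.  _SpinLock
 * serialises this driver's own patchers; CR0.WP is per-CPU and the lock does
 * not stop another CPU from executing the instruction whose immediate is
 * being rewritten.
 */
VOID
	HookProc (PNDIS_STATUS Status, PNDIS_HANDLE Handle, 
				PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics, 
				UINT CharacteristicsLength)
{
	UCHAR * p, * pMax;
	ULONG ul;
	ULONG target = 0;		/* validated CALL target, 0 = none found */
	KIRQL OldIrql;
	
	p = (UCHAR *)ProtocolCharacteristics->SendCompleteHandler;
	
	if ( !MmIsAddressValid (p) )
		goto quit_hook;
	
	/* Only handlers that live inside the hooked module are of interest. */
	if ((ULONG)p < _ul7)
		goto quit_hook;
	
	if ((ULONG)p > (_ul7+_ul8))
		goto quit_hook;
	
	/* Find the first CALL in SendCompleteHandler whose target is inside the module. */
	pMax = p + 0x80;
	for (; p<pMax; p++) {
		if (!MmIsAddressValid(p) || !MmIsAddressValid(p+4) || (*p!=0xE8)) continue;
		
		ul = *(PULONG)(p+1);	/* rel32 operand of the CALL */
		ul += (ULONG)p+5;		/* absolute address of the callee */
		
		if (!MmIsAddressValid((PVOID)ul)) continue;
		if (ul > _ul7 && ul < (_ul7+_ul8)) {
			target = ul;
			break;
		}
	}
	
	/* Publish only a fully validated target (0 when nothing was found). */
	_ulB = target;
	
	if (target) {
		KeAcquireSpinLock (&_SpinLock, &OldIrql);
		DisableWriteProtect ();
		
		/* Rewrite the rel32 so the CALL lands in HookProc2. */
		*(PULONG)(p+1) = (ULONG)HookProc2 - (ULONG)p - 5;
		
		EnableWriteProtect();
		
		KeReleaseSpinLock (&_SpinLock, OldIrql);
		
		/* Does ReceivePacketHandler call the same routine?  Redirect that too. */
		p = (UCHAR *)ProtocolCharacteristics->ReceivePacketHandler;
		if (MmIsAddressValid(p)) {
			pMax = p + 0x100;
			
			for (; p<pMax; p++) {
				if (!MmIsAddressValid(p) || !MmIsAddressValid(p+4) || *p!= 0xE8) continue;
				ul = *(PULONG)(p+1);
				ul += (ULONG)p+5;
				
				if (ul == target) break;
			}
			
			if (p < pMax) {		/* patch only when the scan found a match */
				KeAcquireSpinLock (&_SpinLock, &OldIrql);
				DisableWriteProtect();
				
				*(PULONG)(p+1) = (ULONG)HookProc2 - (ULONG)p - 5;
				
				EnableWriteProtect();
				
				KeReleaseSpinLock (&_SpinLock, OldIrql);
			}
		}
	}
	
	/* Scratch buffers for the redirected calls (consumed by HookProc2). */
	_ulA = (ULONG)ExAllocatePool (NonPagedPool, 0x1000);
	_ul9 = 0;
	if (_ulA)
		memset ((PVOID)_ulA, 0, 0x1000);
	
	_ulC = (ULONG)ExAllocatePool (NonPagedPool, 0x6);
	if (_ulC)
		memset ((PVOID)_ulC, 0, 0x6);
	
	/* Put the original NdisRegisterProtocol pointer back; this hook is one-shot. */
	if (!MmIsAddressValid ((PVOID)_ul4))
		goto quit_hook;
	
	if (!MmIsAddressValid ((PVOID)_ul6))
		goto quit_hook;
	
	KeAcquireSpinLock (&_SpinLock, &OldIrql);
	DisableWriteProtect();
	*(PULONG)_ul4 = _ul6;
	EnableWriteProtect();	/* the first version called DisableWriteProtect here a second time */
	KeReleaseSpinLock (&_SpinLock, OldIrql);
	
quit_hook:
	((NDIS_REGISTER_PROTOCOL)_ul6)(Status, Handle, ProtocolCharacteristics, 
										CharacteristicsLength);
}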




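/*
 * MyLoadImageNotifyProc - PsSetLoadImageNotifyRoutine callback.
 *
 * Waits for the first kernel-mode image (ImageBase above MmUserProbeAddress)
 * whose upper-cased path contains _Mod2Name.  SeekTargetAPI is asked where
 * that image imports _FunctionName from _Mod1Name (searched via _ModPath);
 * the resulting import slot (_ul4) gets HookProc written into it and the
 * original pointer is kept in _ul6.  The image bounds are stored in
 * _ul7/_ul8 for HookProc, and _ul2 marks that the hook is in place so all
 * later images are ignored.  ProcessId is not used.
 *
 * Changes against the first version:
 *   - FullImageName / ImageInfo are checked for NULL (the callback contract
 *     allows a NULL FullImageName).
 *   - the image path is copied with a bound derived from the UNICODE_STRING
 *     Length and is always NUL-terminated; the old wcscpy assumed a
 *     terminated buffer that fits in 0x208 WCHARs.
 *   - _FunctionName / _Mod1Name are copied together with their terminator
 *     and refused when they do not fit; the old memcpy(strlen) copies were
 *     unbounded and left the local buffers unterminated.
 *   - _ul7/_ul8 are stored before the slot is patched, so a call into
 *     HookProc from another CPU cannot observe the hook with zero bounds.
 */
VOID
	MyLoadImageNotifyProc (PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
	UCHAR sModuleName[0x0C];
	UCHAR sFunctionName[0x18];
	WCHAR wsBuffer[0x208];
	ULONG vul1, vul2;
	ULONG cch;
	size_t len;
	UNICODE_STRING usModPath;
	KIRQL oldIrql;
	
	if (_ul2) return;					/* hook already installed */
	if (FullImageName == NULL || ImageInfo == NULL) return;
	if ((ULONG)ImageInfo->ImageBase < (ULONG)MmUserProbeAddress) return;	/* user-mode image */
	if (!MmIsAddressValid(FullImageName->Buffer)) return;
	
	/* Bounded, NUL-terminated copy of the image path. */
	cch = FullImageName->Length / sizeof(WCHAR);
	if (cch > (sizeof(wsBuffer) / sizeof(wsBuffer[0])) - 1)
		cch = (sizeof(wsBuffer) / sizeof(wsBuffer[0])) - 1;
	memcpy (wsBuffer, FullImageName->Buffer, cch * sizeof(WCHAR));
	wsBuffer[cch] = L'\0';
	
	if (!wcsstr (_wcsupr(wsBuffer), _Mod2Name)) return;
	
	if ((ImageInfo->ImageBase == NULL) || (ImageInfo->ImageSize == 0)) return;
	
	/* Lookup names, copied with their terminator; refuse anything that does not fit. */
	len = strlen(_FunctionName);
	if (len >= sizeof(sFunctionName)) return;
	memcpy (sFunctionName, _FunctionName, len + 1);
	
	len = strlen(_Mod1Name);
	if (len >= sizeof(sModuleName)) return;
	memcpy (sModuleName, _Mod1Name, len + 1);
	
	RtlInitUnicodeString (&usModPath, _ModPath);
	if (!SeekTargetAPI(sFunctionName, sModuleName, &usModPath, &vul1, &vul2)) return;
	
	/* Import slot = base + vul1*4 + vul2 (how vul1/vul2 are defined is SeekTargetAPI's contract). */
	_ul4 = (ULONG)ImageInfo->ImageBase + vul1*4 + vul2;
	if (!MmIsAddressValid((PVOID)_ul4)) return;
	
	/* HookProc reads these; they must be valid before the slot is redirected. */
	_ul7 = (ULONG)ImageInfo->ImageBase;
	_ul8 = ImageInfo->ImageSize;
	
	_ul6 = *(PULONG)_ul4;
	KeAcquireSpinLock (&_SpinLock, &oldIrql);
	DisableWriteProtect ();
	*(PULONG)_ul4 = (ULONG)HookProc;
	EnableWriteProtect();
	KeReleaseSpinLock (&_SpinLock, oldIrql);
	
	_ul2 = 1;
}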


  /*
   * mystrcmp - compare two NUL-terminated byte strings.
   *
   * Returns 0 when the strings are equal, otherwise the difference between
   * the first pair of bytes that differ (when one string is a prefix of the
   * other, the difference of the next byte against the terminator).
   *
   * Both arguments must be NUL-terminated: scanning stops at the first 0x00
   * byte, so this is not a fixed-length compare for binary data such as a
   * MAC address (which may contain 0x00 and carries no terminator).
   */
  int mystrcmp(UCHAR *s1, UCHAR *s2)
  {
      while (*s1 != 0 && *s2 != 0 && *s1 == *s2) {
          s1++;
          s2++;
      }
      return (int)*s1 - (int)*s2;
  }
 




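/*
 * HookWriteDispatch - IRP_MJ_WRITE filter installed on the NPF (WinPcap)
 * driver by HookIoCreateDevice.
 *
 * If the frame being written is an Ethernet ARP packet (EtherType 0x0806,
 * hardware type 1, protocol 0x0800, 6-byte hardware / 4-byte protocol
 * addresses) whose Ethernet source MAC differs from MacGateWay, the write
 * is failed with STATUS_INVALID_PARAMETER.  Everything else is handed to
 * the original handler, RealWriteDispatch.  As in the first version the
 * inspection is skipped when called at DISPATCH_LEVEL.
 *
 * Changes against the first version:
 *   - the data pointer is obtained according to the device's I/O method
 *     (SystemBuffer for buffered I/O, the MDL for direct I/O) and checked
 *     for NULL; the old code read AssociatedIrp.SystemBuffer unconditionally.
 *   - the write length (Parameters.Write.Length, not the DeviceIoControl
 *     member of the union) is checked against sizeof(ARPPACKET) before the
 *     struct is read, so a short user write cannot cause an out-of-bounds read.
 *   - the source MAC is compared with a fixed 6-byte memcmp; the previous
 *     NUL-terminated mystrcmp stopped at a 0x00 byte and read past the field.
 *   - the rejected IRP is completed with IoCompleteRequest and the returned
 *     status matches IoStatus.Status (the old code returned 0 / success).
 *   - the driver name is logged with %wZ; a UNICODE_STRING buffer is not
 *     necessarily NUL-terminated, so %S could read past it.
 *
 * Note: only the local copy in ARPBuffer is inspected, but the target driver
 * reads the caller's buffer again afterwards, so a user-mode writer can still
 * change the frame between this check and the send (double fetch).  Closing
 * that would require forwarding the copied frame rather than the original IRP.
 */
NTSTATUS
HookWriteDispatch(    
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP           Irp
    )
{
    PIO_STACK_LOCATION IrpStack = IoGetCurrentIrpStackLocation(Irp);
    ARPPACKET          ARPBuffer;
    PVOID              lpInOutBuffer = NULL;
    ULONG              nInBufferSize;

    DbgPrint("DeviceName:%wZ\r\n", &DeviceObject->DriverObject->DriverName);

    if (KeGetCurrentIrql() != DISPATCH_LEVEL)
    {
        /*
         * Pick up the data the way the target device receives it.  NPF is
         * believed to use direct I/O (MdlAddress) - confirm against npf.sys;
         * the buffered case is kept for completeness.  A "neither" device
         * hands over a raw user pointer in Irp->UserBuffer, which is not
         * touched from here.
         */
        if (DeviceObject->Flags & DO_BUFFERED_IO) {
            lpInOutBuffer = Irp->AssociatedIrp.SystemBuffer;
        } else if (DeviceObject->Flags & DO_DIRECT_IO) {
            lpInOutBuffer = (Irp->MdlAddress != NULL)
                ? MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority)
                : NULL;
        }
        nInBufferSize = IrpStack->Parameters.Write.Length;

        if (lpInOutBuffer != NULL && nInBufferSize >= sizeof(ARPPACKET))
        {
            ARPBuffer = *(ARPPACKET *)lpInOutBuffer;

            if (ARPBuffer.ehhdr.eh_type == htons(0x0806) &&      /* EtherType: ARP */
                ARPBuffer.arphdr.arp_hrd == htons(0x0001) &&     /* hardware type: Ethernet */
                ARPBuffer.arphdr.arp_pro == htons(0x0800) &&     /* protocol type: IPv4 */
                ARPBuffer.arphdr.arp_hln == 6 &&
                ARPBuffer.arphdr.arp_pln == 4 &&
                memcmp(ARPBuffer.ehhdr.eh_src, MacGateWay, 6) != 0)
            {
                /* ARP frame with a foreign source MAC: refuse the write. */
                Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
                Irp->IoStatus.Information = 0;
                IoCompleteRequest(Irp, IO_NO_INCREMENT);
                return STATUS_INVALID_PARAMETER;
            }
        }
    }

    return RealWriteDispatch(DeviceObject, Irp);
}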
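/*
 * HookIoCreateDevice - replacement for ntoskrnl's exported IoCreateDevice
 * (installed by HOOKIoConXXX through the export table).
 *
 * Calls the real IoCreateDevice (OldIoCreateDevice).  When the device being
 * created is named and its name starts with "\Device\NPF_" (a WinPcap
 * capture device), the creating driver's IRP_MJ_WRITE handler is replaced
 * by HookWriteDispatch and the original is kept in RealWriteDispatch.  A
 * driver that is already hooked is left alone.  The status of the real call
 * is returned in every case.
 *
 * Changes against the first version:
 *   - the name test now uses the DeviceName parameter directly.  The old
 *     code opened a handle to DriverObject and queried ObjectNameInformation
 *     on it; that returns the driver object's own name (its \Driver\...
 *     path), which is not expected to ever start with "\Device\NPF_" -
 *     confirm on a target system.  It also ignored the ZwQueryObject status,
 *     passed an uninitialised buffer to wcsncmp when the query failed, and
 *     leaked the handle on every successful path.
 *   - the prefix compare checks Length before reading the buffer, since a
 *     UNICODE_STRING buffer need not be NUL-terminated.
 *   - the debug line labels the slot it prints (IRP_MJ_WRITE, not IRP_MJ_CREATE).
 */
NTSTATUS
HookIoCreateDevice(
                IN PDRIVER_OBJECT DriverObject,
                IN ULONG DeviceExtensionSize,
                IN PUNICODE_STRING DeviceName OPTIONAL,
                IN DEVICE_TYPE DeviceType,
                IN ULONG DeviceCharacteristics,
                IN BOOLEAN Exclusive,
                OUT PDEVICE_OBJECT *DeviceObject
                )
{
   NTSTATUS NtStatus;
   ULONG Temp_Addr;
   PDEVICE_OBJECT DeviceObjectTemp;
   size_t prefixChars = wcslen(L"\\Device\\NPF_");

   DbgPrint("==>Hook IoCreateDevice()");

   NtStatus = OldIoCreateDevice(
       DriverObject,
       DeviceExtensionSize,
       DeviceName,
       DeviceType,
       DeviceCharacteristics,
       Exclusive,
       DeviceObject
       );
   if(!NT_SUCCESS(NtStatus))
   {
       DbgPrint("m_IoCreateDevice() fail");
       return NtStatus;
   }

   /* Only named devices under \Device\NPF_ are of interest. */
   if (DeviceName == NULL || DeviceName->Buffer == NULL ||
       DeviceName->Length < prefixChars * sizeof(WCHAR) ||
       wcsncmp(DeviceName->Buffer, L"\\Device\\NPF_", prefixChars) != 0)
   {
       return NtStatus;
   }

   DeviceObjectTemp = *DeviceObject;
   DbgPrint("DriverObject:%X, *DeviceObject->DriverObject:%x\nDriverObject->MajorFunction[IRP_MJ_WRITE]:%x,HookWriteDispatch:%x\n",
       DriverObject,
       DeviceObjectTemp->DriverObject,
       (ULONG)DriverObject->MajorFunction[IRP_MJ_WRITE],
       HookWriteDispatch);    

   /* Already hooked (e.g. a second NPF_ device from the same driver). */
   Temp_Addr = (ULONG)DriverObject->MajorFunction[IRP_MJ_WRITE];
   if(Temp_Addr == (ULONG)HookWriteDispatch)
       return NtStatus;
   
   RealWriteDispatch = (ProxyDispatch)Temp_Addr;
   DriverObject->MajorFunction[IRP_MJ_WRITE] = HookWriteDispatch;
   /* Normally the same object as DriverObject; kept from the first version. */
   DeviceObjectTemp->DriverObject->MajorFunction[IRP_MJ_WRITE] = HookWriteDispatch;

   return NtStatus;
}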

/*
 * MyStrchr - locate the first occurrence of ch (converted to char) in the
 * NUL-terminated string str.
 *
 * Like strchr, the terminator is considered part of the string, so ch == 0
 * yields a pointer to it.  Returns NULL when ch does not occur.
 */
char * MyStrchr(const char *str, int ch)
{
    const char want = (char)ch;
    const char *cur = str;

    for (;; cur++) {
        if (*cur == want)
            return (char *)cur;
        if (*cur == '\0')
            return NULL;
    }
}
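/*
 * MyGetModuleBaseAddress - return the load address of the kernel module
 * whose file name (case-insensitive, directory part stripped) equals
 * pModuleName, or NULL when it is not loaded or the module list cannot be
 * read.
 *
 * The list is obtained with ZwQuerySystemInformation(SystemModuleInformation)
 * and is treated as a ULONG entry count followed by SYSTEM_MODULE_INFORMATION
 * entries - that is the layout the project's typedef implies (see the cast
 * below).  A first call with a small stack buffer only serves to learn the
 * required size.
 *
 * Changes against the first version:
 *   - a zero size from the probe is rejected instead of being passed to
 *     ExAllocatePool, and uReturn is initialised.
 *   - the file name is taken after the LAST backslash.  The old code cut at
 *     the first one, which for a path such as "\WINDOWS\system32\foo.sys"
 *     leaves "WINDOWS\system32\foo.sys" and never matches a bare file name.
 *   - the entry count is clamped to what the returned buffer can hold.
 *   - the buffer is freed on a single exit path.
 */
PCHAR MyGetModuleBaseAddress( PCHAR pModuleName )
{
    PSYSTEM_MODULE_INFORMATION  pSysModule;
    ULONG            uReturn = 0;
    ULONG            uCount;
    ULONG            uMaxCount;
    PCHAR            pBuffer = NULL;
    PCHAR            pName = NULL;
    PCHAR            pCursor;
    PCHAR            pBaseAddress = NULL;
    NTSTATUS         status;
    UINT             ui;
    CHAR             szBuffer[BASEADDRLEN];

    /* Size probe; a length-mismatch status is expected here. */
    ZwQuerySystemInformation( SystemModuleInformation, szBuffer, BASEADDRLEN, &uReturn );
    if ( uReturn < sizeof( ULONG ) )
        return NULL;

    pBuffer = ( PCHAR )ExAllocatePool( NonPagedPool, uReturn );
    if ( pBuffer == NULL )
        return NULL;

    status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );
    if ( NT_SUCCESS( status ) && uReturn >= sizeof( ULONG ) )
    {
        uCount = *( ( ULONG * )pBuffer );
        pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );

        /* Never walk further than the bytes actually returned. */
        uMaxCount = ( uReturn - sizeof( ULONG ) ) / sizeof( SYSTEM_MODULE_INFORMATION );
        if ( uCount > uMaxCount )
            uCount = uMaxCount;

        for ( ui = 0; ui < uCount; ui++, pSysModule++ )
        {
            /* File name = text after the last backslash (whole name if none). */
            pName = pSysModule->ImageName;
            for ( pCursor = pName; *pCursor != '\0'; pCursor++ )
            {
                if ( *pCursor == '\\' )
                    pName = pCursor + 1;
            }

            if ( !_stricmp( pName, pModuleName ) )
            {
                pBaseAddress = ( PCHAR )pSysModule->Base;
                break;
            }
        }
    }

    ExFreePool( pBuffer );
    return pBaseAddress;
}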


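/*
 * HookFunction - redirect the export HookFunName of the PE image loaded at
 * pModuleBase to HookFun by rewriting its export address table (EAT) entry.
 *
 * Returns the original function address, or NULL when the function cannot
 * be resolved, the image cannot be parsed, or no EAT entry matches.
 *
 * The entry to patch is found by address rather than by name: the name is
 * resolved with MmGetSystemRoutineAddress and the EAT is scanned for the
 * entry whose base+RVA equals that address.  As the original author noted,
 * this therefore only works for images MmGetSystemRoutineAddress knows
 * (ntoskrnl / HAL exports).
 *
 * Changes against the first version:
 *   - the comparison used the absolute address against the raw RVA
 *     ((DWORD)dwOldAddr == *dwAddrFun); those can never be equal for an
 *     image loaded above address 0, so the hook silently never applied.
 *     It now compares against pModuleBase + RVA.
 *   - a NULL result from MmGetSystemRoutineAddress is rejected; otherwise
 *     an unused EAT slot (RVA 0) could have been taken as the match.
 *   - the name table was walked in lock-step with the address table (they
 *     have different lengths and are related through the ordinal table),
 *     only to produce a log line; the requested name is logged instead.
 *   - the UNICODE_STRING allocated by RtlAnsiStringToUnicodeString is freed
 *     and its status is checked.
 *   - the export directory is located through the optional header's data
 *     directory rather than a section named ".edata".
 *
 * Note: DisableWriteProtect/EnableWriteProtect act on the current CPU's CR0
 * only; the EAT store itself is a single aligned 32-bit write.
 */
FARPROC HookFunction( PCHAR pModuleBase, PCHAR HookFunName, FARPROC HookFun )
{
    PIMAGE_DOS_HEADER         pDosHdr;
    PIMAGE_NT_HEADERS         pNtHdr;
    PIMAGE_DATA_DIRECTORY     pExpDir;
    PIMAGE_EXPORT_DIRECTORY   pExtDir;
    DWORD                    *dwAddrFun;
    UINT                      uj;
    PVOID                     dwOldAddr;
    FARPROC                   pOldFun;
    UNICODE_STRING            functionName;
    ANSI_STRING               aStr;
    NTSTATUS                  status;

    /* Resolve the name to the address the kernel itself uses for it. */
    RtlInitAnsiString( &aStr, HookFunName );
    status = RtlAnsiStringToUnicodeString( &functionName, &aStr, TRUE );
    if ( !NT_SUCCESS( status ) )
        return NULL;
    dwOldAddr = MmGetSystemRoutineAddress( &functionName );
    RtlFreeUnicodeString( &functionName );
    if ( dwOldAddr == NULL )
        return NULL;

    pDosHdr = ( PIMAGE_DOS_HEADER )pModuleBase;
    if ( IMAGE_DOS_SIGNATURE != pDosHdr->e_magic )
        return NULL;

    pNtHdr = ( PIMAGE_NT_HEADERS )( pModuleBase + pDosHdr->e_lfanew );
    if ( IMAGE_NT_SIGNATURE != pNtHdr->Signature && IMAGE_NT_SIGNATURE1 != pNtHdr->Signature )
        return NULL;

    pExpDir = &pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if ( pExpDir->VirtualAddress == 0 || pExpDir->Size == 0 )
        return NULL;

    pExtDir   = ( PIMAGE_EXPORT_DIRECTORY )( pModuleBase + pExpDir->VirtualAddress );
    dwAddrFun = ( PDWORD )( pModuleBase + pExtDir->AddressOfFunctions );

    for ( uj = 0; uj < (UINT)pExtDir->NumberOfFunctions; uj++, dwAddrFun++ )
    {
        if ( ( PCHAR )dwOldAddr != pModuleBase + *dwAddrFun )
            continue;

        DbgPrint( " HOOK  %s()\n", HookFunName );
        pOldFun = ( FARPROC )( pModuleBase + *dwAddrFun );

        DisableWriteProtect(  );
        *dwAddrFun = ( DWORD )( ( PCHAR )HookFun - pModuleBase );   /* EAT holds RVAs */
        EnableWriteProtect(  );

        return pOldFun;
    }

    return NULL;
}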

/*
 * HOOKIoConXXX - install the IoCreateDevice hook.
 *
 * Locates ntoskrnl.exe, patches its export table so IoCreateDevice resolves
 * to HookIoCreateDevice and keeps the original in OldIoCreateDevice.
 * Returns 1 on success, 0 when the kernel base or the export cannot be found.
 */
int HOOKIoConXXX()
{
    PCHAR kernelBase = MyGetModuleBaseAddress("ntoskrnl.exe");

    if (kernelBase == NULL)
    {
        DbgPrint(" MyGetModuleBaseAddress()\n");
        return 0;
    }

    OldIoCreateDevice = (IoCreateDeviceXXX)HookFunction(kernelBase, "IoCreateDevice",
                                                        (IoCreateDeviceXXX)HookIoCreateDevice);
    if (OldIoCreateDevice == NULL)
    {
        DbgPrint(" HOOK FAILED\n");
        return 0;
    }

    DbgPrint("HOOK SUCCEED\n");
    return 1;
}
