//////////////////////////////////////////////////////////////////////////
// SSDTDump by 李马
// http://www.titilima.cn
//////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include "ioctl.h"
#include "SSDTDump.h"
/*
 * Place the dispatch, "unimplemented" and unload routines in the pageable
 * PAGE code section. Pageable code must only run below DISPATCH_LEVEL.
 * SSDT_IoCtlDispath is not listed, so it stays in the default section.
 */
#pragma alloc_text( PAGE, SSDT_DeviceIoControl )
#pragma alloc_text( PAGE, SSDT_Unimplmented )
#pragma alloc_text( PAGE, SSDT_Unload )
/*
 * Pointer to the kernel's service descriptor table, resolved at load time.
 * The PSSDT type is not declared in this file (presumably in SSDTDump.h).
 * NOTE(review): the code below reads table entries as ULONG values, which
 * looks like a 32-bit layout assumption -- confirm the supported targets.
 */
extern PSSDT KeServiceDescriptorTable;
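/*
 * SSDT_IoCtlDispath - service the driver's device-control requests.
 *
 * IOCTL_GETSSDT copies the structure KeServiceDescriptorTable points to
 *               into OutputBuffer (sizeof( SSDT ) bytes).
 * IOCTL_GETPROC reads a ULONG service index from InputBuffer and writes the
 *               matching ULONG table entry to OutputBuffer.
 *
 * InputBuffer and OutputBuffer are raw caller-supplied pointers. They are
 * treated as untrusted: the declared lengths are checked first, the ranges
 * are probed, and every dereference of them happens inside __try, because
 * the caller can unmap or re-protect the memory after a successful probe.
 *
 * Both requests return kernel-mode addresses to the caller.
 * NOTE(review): device creation is not visible in this file; confirm the
 * device object's ACL restricts who can open it.
 *
 * On return IoStatus->Status holds the result and IoStatus->Information the
 * number of bytes written to OutputBuffer. The same status is returned.
 */
NTSTATUS SSDT_IoCtlDispath( IN PFILE_OBJECT FileObject,
                            IN BOOLEAN Wait, IN PVOID InputBuffer,
                            IN ULONG InputBufferLength,
                            OUT PVOID OutputBuffer,
                            IN ULONG OutputBufferLength,
                            IN ULONG IoControlCode,
                            OUT PIO_STATUS_BLOCK IoStatus,
                            IN PDEVICE_OBJECT DeviceObject )
{
    UNREFERENCED_PARAMETER( FileObject );
    UNREFERENCED_PARAMETER( Wait );
    UNREFERENCED_PARAMETER( DeviceObject );

    IoStatus->Status = STATUS_SUCCESS;
    IoStatus->Information = 0;

    switch ( IoControlCode )
    {
    case IOCTL_GETSSDT:
        /* Never write more than the caller said the buffer can hold. */
        if ( OutputBufferLength < sizeof( SSDT ) )
        {
            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        __try
        {
            ProbeForWrite( OutputBuffer, sizeof( SSDT ), sizeof( ULONG ) );
            RtlCopyMemory( OutputBuffer, KeServiceDescriptorTable, sizeof( SSDT ) );
            IoStatus->Information = sizeof( SSDT );
        }
        __except ( EXCEPTION_EXECUTE_HANDLER )
        {
            IoStatus->Status = GetExceptionCode();
        }
        break;

    case IOCTL_GETPROC:
        {
            ULONG uIndex = 0;
            ULONG ulEntry = 0;
            PULONG pBase = NULL;

            if ( InputBufferLength < sizeof( ULONG ) )
            {
                IoStatus->Status = STATUS_INVALID_PARAMETER;
                break;
            }
            if ( OutputBufferLength < sizeof( ULONG ) )
            {
                IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
                break;
            }

            __try
            {
                ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
                ProbeForWrite( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
                /*
                 * Capture the index once, under the exception handler, so
                 * the bounds check below and the table read use the same
                 * value even if the caller rewrites its buffer afterwards.
                 */
                uIndex = *(PULONG)InputBuffer;
            }
            __except( EXCEPTION_EXECUTE_HANDLER )
            {
                IoStatus->Status = GetExceptionCode();
                break;
            }

            /* Reject indexes past the end of the service table. */
            if ( KeServiceDescriptorTable->ulNumberOfServices <= uIndex )
            {
                IoStatus->Status = STATUS_INVALID_PARAMETER;
                break;
            }

            /* Kernel-side read; kept outside the user-buffer handler. */
            pBase = KeServiceDescriptorTable->pvSSDTBase;
            ulEntry = *( pBase + uIndex );

            __try
            {
                /* A probed user address can still fault at access time. */
                *((PULONG)OutputBuffer) = ulEntry;
                IoStatus->Information = sizeof( ULONG );
            }
            __except( EXCEPTION_EXECUTE_HANDLER )
            {
                IoStatus->Status = GetExceptionCode();
            }
        }
        break;

    default:
        IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    return IoStatus->Status;
}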
/*
 * SSDT_DeviceIoControl - dispatch routine for device-control IRPs.
 *
 * Pulls the request parameters out of the current stack location, hands
 * them to SSDT_IoCtlDispath together with the IRP's status block, then
 * completes the IRP and returns the status the helper produced.
 *
 * The buffer pointers are forwarded exactly as the caller supplied them;
 * SSDT_IoCtlDispath is responsible for probing them.
 * NOTE(review): Type3InputBuffer and irp->UserBuffer are the fields that
 * carry caller pointers for METHOD_NEITHER requests -- confirm the control
 * codes in ioctl.h are defined with that transfer method.
 */
NTSTATUS SSDT_DeviceIoControl( PDEVICE_OBJECT DeviceObject, PIRP irp )
{
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation( irp );
    NTSTATUS result;

    /* Start from a clean status block; the helper overwrites it as needed. */
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    result = SSDT_IoCtlDispath(
        stack->FileObject,
        TRUE,
        stack->Parameters.DeviceIoControl.Type3InputBuffer,
        stack->Parameters.DeviceIoControl.InputBufferLength,
        irp->UserBuffer,
        stack->Parameters.DeviceIoControl.OutputBufferLength,
        stack->Parameters.DeviceIoControl.IoControlCode,
        &irp->IoStatus,
        DeviceObject );

    /* The IRP must not be touched after completion, so return the local copy. */
    IoCompleteRequest( irp, IO_NO_INCREMENT );
    return result;
}
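/*
 * SSDT_Unimplmented - reject a request the driver does not service.
 *
 * Presumably installed as the dispatch routine for unsupported major
 * functions (DriverEntry is not visible in this file -- confirm).
 *
 * A dispatch routine that returns a final status other than STATUS_PENDING
 * has to complete the IRP itself; otherwise the request is never finished
 * and the IRP is leaked. The status block is therefore filled in and the
 * IRP completed before STATUS_NOT_SUPPORTED is returned.
 */
NTSTATUS SSDT_Unimplmented( PDEVICE_OBJECT DeviceObject, PIRP irp )
{
    UNREFERENCED_PARAMETER( DeviceObject );

    KdPrint(( "Not implmented!\r\n" ));

    irp->IoStatus.Status = STATUS_NOT_SUPPORTED;
    irp->IoStatus.Information = 0;
    IoCompleteRequest( irp, IO_NO_INCREMENT );

    return STATUS_NOT_SUPPORTED;
}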
/*
 * SSDT_Unload - driver unload routine.
 *
 * Removes the \DosDevices\SSDTDump symbolic link and then deletes the
 * device object referenced by DriverObject->DeviceObject.
 */
void SSDT_Unload( PDRIVER_OBJECT DriverObject )
{
    PDEVICE_OBJECT device = DriverObject->DeviceObject;
    UNICODE_STRING linkName;

    KdPrint(( "SSDT_Unload called!\r\n" ));

    /* Drop the user-visible name first, then the device it points at. */
    RtlInitUnicodeString( &linkName, L"\\DosDevices\\SSDTDump" );
    IoDeleteSymbolicLink( &linkName );

    IoDeleteDevice( device );
}