#include "usbmon.h"
#include "inlinehook.h"
#include "scsi.h"
#include "aestable.h" //AES对称加密算法
#include "rc4.h" //RC4流加密算法
/*
 * Driver-wide state (declared in usbmon.h): the inline-hook handles,
 * the driver objects that were hooked, and Key. Key is only written in
 * DriverEntry here; presumably it is consumed by the RC4 routines from
 * rc4.h - confirm in usbmon.h / rc4.h.
 */
GLOBALS Globals = {0};
/* Object-manager names of the drivers this module hooks. */
#define USB_STOR_DRIVER_NAME L"\\Driver\\USBSTOR"
#define USB_HUB_DRIVER_NAME L"\\Driver\\USBHUB"
#define FAST_FAT_DRIVER_NAME L"\\FileSystem\\Fastfat"
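/*
 * Driver entry point.
 *
 * Seeds Globals.Key, then places an inline hook on the IRP_MJ_PNP
 * dispatch of \Driver\USBHUB so that HookPnpDevice observes every
 * device start and can hook USBSTOR's SCSI dispatch from there.
 *
 * DriverObject - this driver; only DriverUnload is installed.
 * RegistryPath - unused.
 *
 * Returns STATUS_SUCCESS unconditionally: when USBHUB is not loaded, or
 * the hook cannot be placed, the driver stays resident with no hooks.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    PDRIVER_OBJECT usbRoot;
    UNICODE_STRING usbRootName;
    INT i;

    /*
     * SECURITY: this is a fixed, predictable key (0, 1, 2, ...). Every
     * installation of the driver encrypts with the same key, so anyone
     * who has the driver binary - or simply guesses the pattern - can
     * decrypt the data written to the USB stick. A per-installation
     * secret has to be loaded here before this offers confidentiality.
     * NOTE(review): sizeof(Globals.Key) is a byte count; the loop is only
     * right if Key is declared as a byte array in usbmon.h - confirm.
     */
    for (i = 0; i < (INT)sizeof(Globals.Key); i++)
        Globals.Key[i] = i;

    KdPrint(("Usb mon DriverEntry...\n"));

    RtlInitUnicodeString(&usbRootName, USB_HUB_DRIVER_NAME);
    if (NT_SUCCESS(ObReferenceObjectByName(&usbRootName, OBJ_CASE_INSENSITIVE, NULL, 0,
                                           *IoDriverObjectType, 0, 0, &usbRoot)))
    {
        KdPrint(("%wZ:%p\n", &usbRootName, usbRoot));

        /*
         * Hook IRP_MJ_PNP. The dispatch table is read while the reference
         * on usbRoot is still held; the original dropped the reference
         * first and then dereferenced the pointer.
         */
        Globals.PnpHookHandle = SetupInlineHook(usbRoot->MajorFunction[IRP_MJ_PNP], HookPnpDevice, NULL);
        if (Globals.PnpHookHandle == NULL)
        {
            /* UsbMonUnload treats a NULL handle as "no hook installed". */
            KdPrint(("Failed to hook %wZ IRP_MJ_PNP\n", &usbRootName));
        }

        ObDereferenceObject(usbRoot);
    }

    DriverObject->DriverUnload = UsbMonUnload;
    return STATUS_SUCCESS;
}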
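/*
 * DriverUnload: removes every inline hook this driver installed.
 *
 * Order: the USBHUB PnP hook goes first so that no new USBSTOR hook can
 * be installed while tearing down, then the Fastfat read/write hooks,
 * then the USBSTOR SCSI hook. Each handle is cleared after removal so
 * the state never points at a hook that is already gone.
 *
 * NOTE(review): nothing here waits for threads that are currently
 * executing inside HookPnpDevice / HookFsdReadWrite / HookUsbScsi. If
 * ClearInlineHook does not quiesce callers itself (see inlinehook.c),
 * unloading while the USB stick is busy can fault in freed code.
 */
VOID
UsbMonUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    PDRIVER_OBJECT usbStor;
    UNICODE_STRING usbStorName;

    KdPrint(("Usb mon unload...\n"));

    if (Globals.PnpHookHandle)
    {
        KdPrint(("Remove usbhub pnp handle...\n"));
        ClearInlineHook(Globals.PnpHookHandle);
        Globals.PnpHookHandle = NULL;
    }
    if (Globals.fsdReadHookHandle)
    {
        KdPrint(("Remove fsdReadHookHandle...\n"));
        ClearInlineHook(Globals.fsdReadHookHandle);
        Globals.fsdReadHookHandle = NULL;
    }
    if (Globals.fsdWriteHookHandle)
    {
        KdPrint(("Remove fsdWriteHookHandle...\n"));
        ClearInlineHook(Globals.fsdWriteHookHandle);
        Globals.fsdWriteHookHandle = NULL;
    }

    /*
     * ScsiHookHandle patches USBSTOR's IRP_MJ_SCSI dispatch. USBSTOR is
     * not always resident: it may have been unloaded - or unloaded and
     * reloaded as a different driver object - since the hook was placed.
     * Only unpatch when the driver object we hooked is the one loaded
     * now. Globals.UsbStorDriver is NULL while the hook has never been
     * re-targeted, in which case only the original MmIsAddressValid test
     * remains; note that it says whether the handle memory is mapped,
     * not whether the patched bytes still belong to a live image.
     */
    RtlInitUnicodeString(&usbStorName, USB_STOR_DRIVER_NAME);
    if (NT_SUCCESS(ObReferenceObjectByName(&usbStorName, OBJ_CASE_INSENSITIVE, NULL, 0,
                                           *IoDriverObjectType, 0, 0, &usbStor)))
    {
        if (Globals.ScsiHookHandle != NULL
            && (Globals.UsbStorDriver == NULL || Globals.UsbStorDriver == usbStor)
            && MmIsAddressValid(Globals.ScsiHookHandle))
        {
            KdPrint(("Remove usbstor scsi handle...\n"));
            ClearInlineHook(Globals.ScsiHookHandle);
            Globals.ScsiHookHandle = NULL;
        }
        ObDereferenceObject(usbStor);
    }
    else if (Globals.ScsiHookHandle != NULL)
    {
        /*
         * USBSTOR is gone, and our patch bytes went with its image.
         * ClearInlineHook would try to restore code that is no longer
         * mapped, so the handle is left as is; whether inlinehook.c has
         * a release-only path for this case is not visible here.
         */
        KdPrint(("usbstor not loaded; scsi hook handle %p not released\n", Globals.ScsiHookHandle));
    }
}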
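/*
 * Inline-hook handler for \Driver\USBHUB IRP_MJ_PNP.
 *
 * On IRP_MN_START_DEVICE (a USB device has just been started) it makes
 * sure \Driver\USBSTOR's IRP_MJ_SCSI dispatch is hooked by HookUsbScsi.
 * USBSTOR is loaded on demand, so it may have been unloaded and reloaded
 * since the last hook: when the current driver object differs from the
 * one we hooked, the stale hook is discarded and a fresh one is placed.
 * Every IRP, handled or not, is forwarded to the original dispatch.
 *
 * OrgFunction  - the original USBHUB IRP_MJ_PNP dispatch (trampoline).
 * DeviceObject - the device object the PnP IRP targets.
 * Irp          - the PnP IRP.
 *
 * Returns whatever the original dispatch routine returns.
 */
NTSTATUS
HookPnpDevice(
    IN HANDLE OrgFunction,
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PDRIVER_OBJECT usbStor;
    UNICODE_STRING usbStorName;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);

    switch (irpStack->MinorFunction)
    {
    case IRP_MN_START_DEVICE:
        /* ObReferenceObjectByName needs PASSIVE_LEVEL; otherwise just pass the IRP on. */
        if (KeGetCurrentIrql() == PASSIVE_LEVEL)
        {
            RtlInitUnicodeString(&usbStorName, USB_STOR_DRIVER_NAME);
            if (NT_SUCCESS(ObReferenceObjectByName(&usbStorName, OBJ_CASE_INSENSITIVE, NULL, 0,
                                                   *IoDriverObjectType, 0, 0, &usbStor)))
            {
                KdPrint(("Usb device %p %p %p started...\n", DeviceObject, usbStor, irpStack->FileObject));

                if (Globals.UsbStorDriver && Globals.UsbStorDriver != usbStor)
                {
                    /*
                     * USBSTOR came back as a different driver object; the
                     * hook we hold points into the old image.
                     * NOTE(review): whether ClearInlineHook can safely
                     * touch an image that is already unloaded depends on
                     * inlinehook.c - confirm before relying on this path.
                     */
                    ASSERT(Globals.ScsiHookHandle);
                    KdPrint(("RE_HOOK USBSTOR SCSI!!!!"));
                    ClearInlineHook(Globals.ScsiHookHandle);
                    Globals.ScsiHookHandle = NULL;
                    Globals.ScsiReadCompletionHandle = NULL;
                }

                if (!Globals.ScsiHookHandle)
                {
                    KdPrint(("Hook UsbStor ...\n"));
                    Globals.ScsiHookHandle = SetupInlineHook(usbStor->MajorFunction[IRP_MJ_SCSI], HookUsbScsi, NULL);
                    /*
                     * Fix: remember which driver object was hooked on the
                     * first hook as well. The original only recorded it on
                     * the re-hook path, so the "USBSTOR was reloaded" test
                     * above could never fire the first time USBSTOR was
                     * unloaded and came back.
                     */
                    Globals.UsbStorDriver = usbStor;
                }

                /* Finished reading usbStor's dispatch table; release it only now. */
                ObDereferenceObject(usbStor);
            }
        }
        break;

    case IRP_MN_REMOVE_DEVICE:
        KdPrint(("Usb device %p %p %p removed...\n", DeviceObject, irpStack->FileObject, Globals.usbSection));
        break;

    default:
        break;
    }

    return ((NTSTATUS(*)(PDEVICE_OBJECT,PIRP))OrgFunction)(DeviceObject, Irp);
}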
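/*
 * TRUE when 'name' contains 'marker' within name->Length bytes.
 *
 * A UNICODE_STRING buffer is not guaranteed to be NUL-terminated, so the
 * original wcschr(FileName.Buffer, ...) could read past the end of the
 * allocation; this search is bounded by Length instead.
 */
static BOOLEAN
UnicodeStringContainsChar(
    IN const UNICODE_STRING *name,
    IN WCHAR marker
    )
{
    USHORT count;
    USHORT i;

    if (name->Buffer == NULL)
        return FALSE;

    count = name->Length / sizeof(WCHAR);
    for (i = 0; i < count; i++)
    {
        if (name->Buffer[i] == marker)
            return TRUE;
    }
    return FALSE;
}

/*
 * Inline-hook handler for \FileSystem\Fastfat IRP_MJ_READ and IRP_MJ_WRITE.
 *
 * For MDL-backed I/O on a file that lives on a removable disk and whose
 * name contains '@', the data buffer is transformed in place with the
 * RC4 routines from rc4.h:
 *   - IRP_MJ_WRITE: encrypt the buffer, forward the IRP, then decrypt the
 *     buffer again so the caller gets its plaintext back;
 *   - IRP_MJ_READ : forward the IRP, then decrypt what came off the disk.
 * Everything else is forwarded untouched.
 *
 * Limitations (all inherited from the original design):
 *   - The gate is purely "file name contains '@'": any file with that
 *     character in its name is treated as protected, nothing else is.
 *   - The transformation is applied to the caller's buffer in place, so
 *     while the write is in progress other threads sharing that buffer
 *     see ciphertext.
 *   - The original post-call decrypt assumed Fastfat completes the IRP
 *     synchronously (its comment: "fastfat waits synchronously"). That is
 *     not guaranteed; if STATUS_PENDING comes back the buffer is still in
 *     flight, so it is left alone here. For a pending write that means
 *     the caller's buffer stays encrypted - a completion routine is the
 *     proper fix, it is just not available in this code.
 *   - The original also noted that writing an .exe this way and then
 *     running it fails; image loads presumably take an I/O path this
 *     hook does not see (paging / mapped I/O) - confirm.
 *
 * SECURITY: Globals.Key is a fixed value (see DriverEntry) and, as far
 * as this file shows, the same RC4 key is used for every buffer. Reusing
 * a stream-cipher key across buffers lets an attacker cancel the
 * keystream by XORing two ciphertexts; this is not a sound design.
 *
 * OrgFunction  - the original Fastfat dispatch routine (trampoline).
 * DeviceObject - the Fastfat volume device object.
 * Irp          - the read/write IRP.
 *
 * Returns whatever the original dispatch routine returns.
 */
NTSTATUS
HookFsdReadWrite(
    IN HANDLE OrgFunction,
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PFILE_OBJECT fileObj = Irp->Tail.Overlay.OriginalFileObject;
    PIO_STACK_LOCATION irsp = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status;
    PVOID mmAddr;
    ULONG mmLength;

    if (Irp->MdlAddress == NULL
        || fileObj == NULL
        || fileObj->DeviceObject == NULL
        || fileObj->DeviceObject->DeviceType != FILE_DEVICE_DISK
        || !(fileObj->DeviceObject->Characteristics & FILE_REMOVABLE_MEDIA)
        || !UnicodeStringContainsChar(&fileObj->FileName, L'@'))
    {
        return ((NTSTATUS(*)(PDEVICE_OBJECT,PIRP))OrgFunction)(DeviceObject, Irp);
    }

    /*
     * Fix: the original used MmGetSystemAddressForMdl, which bug checks
     * when the mapping cannot be made; the Safe variant returns NULL and
     * the IRP is then simply forwarded without touching the data.
     */
    mmAddr = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
    mmLength = MmGetMdlByteCount(Irp->MdlAddress);
    if (mmAddr == NULL)
    {
        KdPrint(("No system address for Mdl %p, passing IRP through\n", Irp->MdlAddress));
        return ((NTSTATUS(*)(PDEVICE_OBJECT,PIRP))OrgFunction)(DeviceObject, Irp);
    }

    if (irsp->MajorFunction == IRP_MJ_WRITE)
    {
        KdPrint(("Encrypt Usb IRP_MJ_WRITE %p %wZ\n", mmAddr, &fileObj->FileName));
        EncryptBuf_128RC4(mmAddr, mmLength);
    }

    status = ((NTSTATUS(*)(PDEVICE_OBJECT,PIRP))OrgFunction)(DeviceObject, Irp);

    if (status == STATUS_PENDING)
    {
        /* The lower driver still owns the buffer; touching it now would race the transfer. */
        KdPrint(("Pending I/O on %wZ, buffer left untouched\n", &fileObj->FileName));
        return status;
    }

    /* Read: decrypt the on-disk data. Write: restore the caller's plaintext. */
    KdPrint(("Decrypt Usb %p %wZ\n", mmAddr, &fileObj->FileName));
    DecryptBuf_128RC4(mmAddr, mmLength);
    return status;
}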
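/*
 * Inline-hook handler for \Driver\USBSTOR IRP_MJ_SCSI
 * (the same major code as IRP_MJ_INTERNAL_DEVICE_CONTROL).
 *
 * The SCSI transfer itself is never modified. The first SCSIOP_READ that
 * passes through USBSTOR is used as the moment to hook
 * \FileSystem\Fastfat's IRP_MJ_READ / IRP_MJ_WRITE with HookFsdReadWrite;
 * this happens once per driver lifetime, with Globals.FastFatDriver
 * doubling as the "already hooked" flag. Every IRP is then forwarded to
 * the original dispatch routine.
 *
 * OrgFunction  - the original USBSTOR IRP_MJ_SCSI dispatch (trampoline).
 * DeviceObject - the USBSTOR device object.
 * Irp          - the SCSI IRP; its SRB is in Parameters.Scsi.Srb.
 *
 * Returns whatever the original dispatch routine returns.
 */
NTSTATUS
HookUsbScsi(
    IN HANDLE OrgFunction,
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    PSCSI_REQUEST_BLOCK srb = irpStack->Parameters.Scsi.Srb;
    PCDB cdb;
    UNICODE_STRING fastFatName;

    /*
     * Fix: the original also called MmGetSystemAddressForMdl(mdl) here
     * and never used the result. That mapped every transfer buffer into
     * system space for nothing, and the non-Safe variant bug checks when
     * the mapping fails. Dropped.
     */
    if (IRP_MJ_INTERNAL_DEVICE_CONTROL == irpStack->MajorFunction
        && Irp->MdlAddress != NULL
        && srb != NULL
        && Globals.FastFatDriver == NULL)
    {
        /* The opcode is byte 0 in every CDB layout; CDB10 is just one view of it. */
        cdb = (PCDB)srb->Cdb;

        /*
         * ObReferenceObjectByName needs PASSIVE_LEVEL (HookPnpDevice makes
         * the same check); a SCSI dispatch may be entered at a higher IRQL,
         * in which case the hook is deferred to a later read.
         */
        if (SCSIOP_READ == cdb->CDB10.OperationCode
            && KeGetCurrentIrql() == PASSIVE_LEVEL)
        {
            RtlInitUnicodeString(&fastFatName, FAST_FAT_DRIVER_NAME);
            if (NT_SUCCESS(ObReferenceObjectByName(&fastFatName, OBJ_CASE_INSENSITIVE, NULL, 0,
                                                   *IoDriverObjectType, 0, 0, &Globals.FastFatDriver)))
            {
                KdPrint(("Hook %wZ...\n", &fastFatName));
                /*
                 * NOTE(review): two reads racing through here can both see
                 * FastFatDriver == NULL before either stores it and hook
                 * twice; whether SetupInlineHook tolerates a double hook
                 * is not visible from this file.
                 */
                Globals.fsdReadHookHandle = SetupInlineHook(Globals.FastFatDriver->MajorFunction[IRP_MJ_READ], HookFsdReadWrite, NULL);
                Globals.fsdWriteHookHandle = SetupInlineHook(Globals.FastFatDriver->MajorFunction[IRP_MJ_WRITE], HookFsdReadWrite, NULL);

                /* Dispatch table has been read; release the reference only now. */
                ObDereferenceObject(Globals.FastFatDriver);
            }
        }
    }

    return ((NTSTATUS(*)(PDEVICE_OBJECT,PIRP))OrgFunction)(DeviceObject, Irp);
}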