popad
jmp OldSwapContext
}
}
/*
 * Windows 2000 variant of the system-call hook: redirect IDT entry 0x2E
 * (the INT 2E service gate; 0x2E * 8 = 0x170 is the entry's offset within
 * the table) to NewSyscall and remember the previous handler address in
 * OldSyscall so Win2kSyscallUnhook can restore it.
 * A gate's 32-bit offset is split across two 16-bit fields (+0 and +6), so
 * the address is swapped in two halves with interrupts masked (cli/sti).
 * NOTE(review): cli masks interrupts on the executing processor only; on a
 * multiprocessor system another CPU could dispatch INT 2E between the two
 * xchg writes and see a half-patched gate -- confirm whether that is
 * acceptable for this tool.
 */
void Set2kSyscallHook()
{
TIdt Idt;
__asm
{
pushad
cli
sidt [Idt]               ; IDTR of the current processor -> Idt.Base
mov esi, NewSyscall      ; replacement handler address
mov ebx, Idt.Base
xchg [ebx + 0x170], si   ; low 16 bits of the gate offset; old value -> si
rol esi, 0x10
xchg [ebx + 0x176], si   ; high 16 bits of the gate offset; old value -> si
ror esi, 0x10            ; esi now holds the original handler address
mov OldSyscall, esi      ; non-zero OldSyscall marks "hooked" for the IOCTL guards
sti
popad
}
}
/*
 * Windows 2000 variant of the system-call unhook: write the handler address
 * saved in OldSyscall back into IDT entry 0x2E (offset 0x170/0x176) with
 * interrupts masked, then clear OldSyscall so the driver records the gate as
 * unhooked (DriverIoControl and DriverUnload test OldSyscall before calling
 * this routine).
 * NOTE(review): as with the hook routine, cli protects only the executing
 * processor while the two 16-bit halves are written.
 */
void Win2kSyscallUnhook()
{
TIdt Idt;
__asm
{
pushad
cli
sidt [Idt]               ; IDTR of the current processor -> Idt.Base
mov esi, OldSyscall      ; original handler address saved by Set2kSyscallHook
mov ebx, Idt.Base
mov [ebx + 0x170], si    ; restore low 16 bits of the gate offset
rol esi, 0x10
mov [ebx + 0x176], si    ; restore high 16 bits of the gate offset
sti
xor eax, eax
mov OldSyscall, eax      ; OldSyscall = 0: no hook installed
popad
}
}
/*
 * Windows XP variant of the system-call hook. Two entry points are patched:
 *  - MSR 0x176 (IA32_SYSENTER_EIP, the SYSENTER target) is read into
 *    OldSyscall and then pointed at NewSyscall;
 *  - IDT entry 0x2E (offset 0x170/0x176) is swapped to NewSyscall as well,
 *    with the previous INT 2E handler kept in OldInt2E.
 * XpSyscallUnhook restores both.
 * NOTE(review): rdmsr/wrmsr act on the MSR of the processor that executes
 * them, so on a multiprocessor system only the CPU handling this request
 * has its SYSENTER target changed; the IDT swap here is also done without
 * masking interrupts, unlike the Windows 2000 routine -- confirm both are
 * intended.
 */
void SetXpSyscallHook()
{
TIdt Idt;
__asm
{
pushad
mov ecx, 0x176           ; MSR index 0x176 = IA32_SYSENTER_EIP
rdmsr                    ; edx:eax <- current SYSENTER target
mov OldSyscall, eax      ; save the low dword (the 32-bit handler address)
mov eax, NewSyscall
xor edx, edx             ; high dword of the new MSR value is zero
wrmsr                    ; SYSENTER now lands in NewSyscall (this CPU)
sidt [Idt]               ; IDTR of the current processor -> Idt.Base
mov ebx, Idt.Base
xchg [ebx + 0x170], ax   ; eax still = NewSyscall; low 16 bits of gate offset
rol eax, 0x10
xchg [ebx + 0x176], ax   ; high 16 bits of gate offset
ror eax, 0x10            ; eax now holds the original INT 2E handler address
mov OldInt2E, eax
popad
}
}
/*
 * Windows XP variant of the system-call unhook: write OldSyscall back into
 * MSR 0x176 (IA32_SYSENTER_EIP) and OldInt2E back into IDT entry 0x2E, then
 * clear OldSyscall so the driver records the hook as removed. OldInt2E is
 * left as it was.
 * NOTE(review): only the executing processor's MSR is restored, and the IDT
 * halves are written without masking interrupts (see SetXpSyscallHook).
 */
void XpSyscallUnhook()
{
TIdt Idt;
__asm
{
pushad
mov ecx, 0x176           ; MSR index 0x176 = IA32_SYSENTER_EIP
mov eax, OldSyscall      ; original SYSENTER target saved by SetXpSyscallHook
xor edx, edx
wrmsr
sidt [Idt]               ; IDTR of the current processor -> Idt.Base
mov eax, OldInt2E        ; original INT 2E handler address
mov ebx, Idt.Base
mov [ebx + 0x170], ax    ; restore low 16 bits of the gate offset
rol eax, 0x10
mov [ebx + 0x176], ax    ; restore high 16 bits of the gate offset
xor eax, eax
mov OldSyscall, eax      ; OldSyscall = 0: no hook installed
popad
}
}
/*
 * Delayed work item queued by NotifyRoutine for a terminating process.
 * Blocks until the process object becomes signalled, removes the process
 * from the wLastItem list, drops the reference NotifyRoutine took on it and
 * finally releases the work item and its context block.
 * Ownership: Data (and Data->IoWorkItem) is freed here and must not be used
 * by the caller afterwards.
 */
void WorkItemProc(PDEVICE_OBJECT DeviceObject, PWorkItemStruct Data)
{
    PEPROCESS Process = Data->pEPROCESS;
    PIO_WORKITEM Item = Data->IoWorkItem;

    /* Infinite wait (NULL timeout), non-alertable, at kernel mode. */
    KeWaitForSingleObject(Process, Executive, KernelMode, FALSE, NULL);
    DelItem(&wLastItem, Process);
    ObDereferenceObject(Process);

    IoFreeWorkItem(Item);
    ExFreePool(Data);
}
/*
 * Append Message followed by CR/LF to the shared SendMsgs buffer.
 * The buffer is protected by LogSpinLock; the line is silently dropped when
 * it would not fit (message, CR/LF and the terminating NUL are accounted
 * for). SendMsgs is drained by the IOCTL_GET_MESSAGES handler.
 */
void AddLog(PCHAR Message)
{
    KIRQL OldIrql;
    size_t Used;
    size_t Needed;

    KeAcquireSpinLock(&LogSpinLock, &OldIrql);
    Used = strlen(SendMsgs);
    Needed = strlen(Message) + 3;   /* text + CR + LF, strictly less than the room left */
    if (MSG_BUFF_SIZE - Used > Needed)
    {
        strcat(SendMsgs, Message);
        strcat(SendMsgs, "\x0D\x0A");
    }
    KeReleaseSpinLock(&LogSpinLock, OldIrql);
}
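/*
 * Process create/terminate callback registered via
 * PsSetCreateProcessNotifyRoutine.
 * Creation: look the new process up by id, record it with CollectProcess and
 * append a log line. Termination: the exiting process is the current one;
 * take a reference on it and queue WorkItemProc, which waits for the object
 * before releasing it.
 * The image name is read at NameOffset inside the EPROCESS and printed with
 * a bounded width; NOTE(review): that kernel field is a short fixed-size
 * array, and the bound keeps the format from running past it if it is not
 * NUL-terminated -- confirm the width against the field size.
 * @param ParentId   parent process id (meaningful on creation).
 * @param ProcessId  id of the process being created or terminated.
 * @param Create     TRUE for creation, FALSE for termination.
 */
void NotifyRoutine(IN HANDLE ParentId,
IN HANDLE ProcessId,
IN BOOLEAN Create)
{
    PEPROCESS process;
    PWorkItemStruct Data;
    CHAR str[256];

    if (Create)
    {
        /* The lookup can fail; without this check 'process' would be used
           uninitialized below. */
        if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &process)))
            return;
        CollectProcess(process);
        sprintf(str, "Process %.15s created, Pid = %lu, ParentPid = %lu",
                (PCHAR)((ULONG)process + NameOffset), (ULONG)ProcessId, (ULONG)ParentId);
        AddLog(str);
        ObDereferenceObject(process);   /* balances the lookup's reference */
        return;
    }

    process = PsGetCurrentProcess();
    sprintf(str, "Process %.15s terminated, Pid = %lu",
            (PCHAR)((ULONG)process + NameOffset), (ULONG)ProcessId);
    AddLog(str);

    /* Allocate the work item context before taking the reference so a failed
       allocation leaves nothing to undo. */
    Data = ExAllocatePool(NonPagedPool, sizeof(TWorkItemStruct));
    if (!Data)
        return;
    Data->IoWorkItem = IoAllocateWorkItem(deviceObject);
    if (!Data->IoWorkItem)
    {
        ExFreePool(Data);
        return;
    }
    ObReferenceObject(process);         /* released by WorkItemProc */
    Data->pEPROCESS = process;
    IoQueueWorkItem(Data->IoWorkItem, WorkItemProc, DelayedWorkQueue, Data);
}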
/*
 * Route an object pointer taken from a handle table to the collector for its
 * type: processes go to CollectProcess, threads to ThreadCollect, anything
 * else is ignored. The type is read from the object header that precedes
 * the object body.
 */
void ProcessObject(PVOID Object)
{
    POBJECT_HEADER Header = OBJECT_TO_OBJECT_HEADER(Object);

    if (Header->Type == *PsProcessType)
    {
        CollectProcess(Object);
    }
    else if (Header->Type == *PsThreadType)
    {
        ThreadCollect(Object);
    }
}
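/* Entries per table page in the XP handle-table layout. */
enum { XP_HANDLE_TABLE_ENTRIES = 0x200 };

/* Visit one leaf table: every non-empty entry is passed to ProcessObject with
   the lock bit stripped from the object pointer. */
static void ScanXpLeafTable(PHANDLE_TABLE_ENTRY Leaf)
{
    ULONG k;
    for (k = 0; k < XP_HANDLE_TABLE_ENTRIES; k++)
    {
        if (Leaf[k].Object)
            ProcessObject((PVOID)((ULONG)Leaf[k].Object & ~XP_TABLE_ENTRY_LOCK_BIT));
    }
}

/* Visit one middle-level table: each non-NULL slot points at a leaf table. */
static void ScanXpMiddleTable(PHANDLE_TABLE_ENTRY *Mid)
{
    ULONG j;
    for (j = 0; j < XP_HANDLE_TABLE_ENTRIES; j++)
    {
        if (Mid[j])
            ScanXpLeafTable(Mid[j]);
    }
}

/*
 * Walk an XP-style handle table and hand every referenced object to
 * ProcessObject. The low bits of TableCode (TABLE_LEVEL_MASK) give the
 * number of indirection levels (0, 1 or 2); the remaining bits are the
 * address of the top-level table. Any other level value is ignored.
 */
void ScanXpHandleTable(PXP_HANDLE_TABLE HandleTable)
{
    ULONG i;
    ULONG TableCode = HandleTable->TableCode & ~TABLE_LEVEL_MASK;
    PHANDLE_TABLE_ENTRY *Mid;
    PHANDLE_TABLE_ENTRY **Top;

    switch (HandleTable->TableCode & TABLE_LEVEL_MASK)
    {
    case 0:
        ScanXpLeafTable((PHANDLE_TABLE_ENTRY)TableCode);
        break;
    case 1:
        Mid = (PHANDLE_TABLE_ENTRY *)TableCode;
        ScanXpMiddleTable(Mid);
        break;
    case 2:
        Top = (PHANDLE_TABLE_ENTRY **)TableCode;
        for (i = 0; i < XP_HANDLE_TABLE_ENTRIES; i++)
        {
            if (Top[i])
                ScanXpMiddleTable(Top[i]);
        }
        break;
    default:
        /* Unknown level encoding: nothing is scanned (same as before). */
        break;
    }
}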
/* Visit the 0x100 entries of one Win2K leaf table; every non-empty entry is
   passed to ProcessObject with WIN2K_TABLE_ENTRY_LOCK_BIT set on the
   object pointer, matching the original encoding. */
static void ScanWin2KLeafTable(PHANDLE_TABLE_ENTRY Leaf)
{
    ULONG k;
    for (k = 0; k < 0x100; k++)
    {
        if (Leaf[k].Object)
            ProcessObject((PVOID)((ULONG)Leaf[k].Object | WIN2K_TABLE_ENTRY_LOCK_BIT));
    }
}

/*
 * Walk a Windows 2000 handle table (fixed three-level layout, 0x100 slots
 * per level) and hand every referenced object to ProcessObject. NULL slots
 * at either upper level are skipped.
 */
void ScanWin2KHandleTable(PWIN2K_HANDLE_TABLE HandleTable)
{
    ULONG i;
    ULONG j;

    for (i = 0; i < 0x100; i++)
    {
        if (!HandleTable->Table[i])
            continue;
        for (j = 0; j < 0x100; j++)
        {
            if (!HandleTable->Table[i][j])
                continue;
            ScanWin2KLeafTable(&HandleTable->Table[i][j][0]);
        }
    }
}
/*
 * Walk the kernel's list of handle tables (HandleTableListHead) and collect
 * the owning process of each table. The owner is read from the table at
 * QuotaProcessOffset, with HandleTableListOffset locating the table start
 * from its list link; tables with no owner are skipped.
 */
void ScanHandleTablesList()
{
    PLIST_ENTRY Link = HandleTableListHead->Flink;

    while (Link != HandleTableListHead)
    {
        PUCHAR TableBase = (PUCHAR)Link - HandleTableListOffset;
        PEPROCESS Owner = *(PEPROCESS *)(TableBase + QuotaProcessOffset);

        if (Owner != NULL)
            CollectProcess(Owner);
        Link = Link->Flink;
    }
}
#ifdef DEBUG
/*
 * Unload handler (DEBUG builds only). Removes whichever hooks are installed,
 * unregisters the process-notify callback, frees the wLastItem list and the
 * log buffer, and deletes the device and its symbolic link. The hooks are
 * undone before anything else is torn down.
 */
void DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    if (OldSwapContext != NULL)
    {
        UnhookCode(OldSwapContext);
    }
    if (OldSyscall != 0)
    {
        SyscallUnhook();
    }
    PsSetCreateProcessNotifyRoutine(NotifyRoutine, TRUE);   /* TRUE = remove */
    FreePointers(wLastItem);
    IoDeleteSymbolicLink(&SymbolicLinkName);
    IoDeleteDevice(deviceObject);
    ExFreePool(SendMsgs);
}
#endif
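/*
 * Select the kernel-version-specific EPROCESS/handle-table offsets and the
 * hook/scan implementations for the running build, then resolve the kernel
 * structures the driver walks (SwapContext, PspCidTable, the handle-table
 * list head and the active-process list head).
 * Only builds 2195 (Windows 2000) and 2600 (Windows XP) are known. For any
 * other build STATUS_NOT_IMPLEMENTED is returned before the lookups run, so
 * hard-coded offsets are never applied to an unknown layout.
 * @return STATUS_SUCCESS or STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS GetServiceConsts()
{
    PEPROCESS SysProc = PsGetCurrentProcess();

    switch (*NtBuildNumber)
    {
    case 2195: /* Windows 2000 */
        pIdOffset = 0x09C;
        ActPsLink = 0x0A0;
        NameOffset = 0x1FC;
        ppIdOffset = 0x1C8;
        ThreadProc = 0x22C;
        WaitProcOffset = 0x1D0;
        HandleTableOffset = 0x128;
        HandleTableListOffset = 0x054;
        QuotaProcessOffset = 0x00C;
        SetSyscallHook = Set2kSyscallHook;
        SyscallUnhook = Win2kSyscallUnhook;
        ScanHandleTable = ScanWin2KHandleTable;
        Win2KGetKiDispatcherReadyListHead();
        Win2KGetKiWaitInOutListHeads();
        break;
    case 2600: /* Windows XP */
        pIdOffset = 0x084;
        NameOffset = 0x174;
        ppIdOffset = 0x14C;
        ActPsLink = 0x088;
        ThreadProc = 0x220;
        WaitProcOffset = 0x1C0;
        HandleTableOffset = 0x0C4;
        HandleTableListOffset = 0x01C;
        QuotaProcessOffset = 0x004;
        SetSyscallHook = SetXpSyscallHook;
        SyscallUnhook = XpSyscallUnhook;
        ScanHandleTable = ScanXpHandleTable;
        XPGetKiWaitListHead();
        XPGetKiDispatcherReadyListHead();
        break;
    default:
        /* Unsupported kernel: none of the offsets above were set, so the
           address lookups below must not run. */
        return STATUS_NOT_IMPLEMENTED;
    }

    GetSwapContextAddress();
    GetPspCidTable();
    GetHandleTableListHead();
    /* ActPsLink presumably locates the process's ActiveProcessLinks
       LIST_ENTRY; +4 selects its second pointer (Blink). */
    PsActiveProcessHead = *(PVOID *)((PUCHAR)SysProc + ActPsLink + 4);
    return STATUS_SUCCESS;
}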
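/*
 * Helper for the *_PSLIST requests: copy a pool buffer produced by one of the
 * list builders into the caller's output buffer and release the pool buffer
 * in every case.
 * @return STATUS_SUCCESS with Information = DataSize, or
 *         STATUS_INFO_LENGTH_MISMATCH when the output buffer is too small
 *         (nothing is copied then).
 */
static NTSTATUS ReturnListBuffer(PIRP Irp, PVOID pBuff, ULONG BuffSize, PVOID pData, ULONG DataSize)
{
    NTSTATUS ns;

    if (BuffSize >= DataSize)
    {
        memcpy(pBuff, pData, DataSize);
        Irp->IoStatus.Information = DataSize;
        ns = STATUS_SUCCESS;
    }
    else
    {
        ns = STATUS_INFO_LENGTH_MISMATCH;
    }
    ExFreePool(pData);
    return ns;
}

/*
 * IRP_MJ_DEVICE_CONTROL dispatch. Data travels through the buffered
 * SystemBuffer; BuffSize is the caller's output length. Every request
 * completes the IRP here. Unknown control codes complete with
 * STATUS_UNSUCCESSFUL (the initial value of ns).
 * Hook requests are guarded by OldSwapContext / OldSyscall so a hook is
 * installed at most once and removed only when present.
 */
NTSTATUS DriverIoControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
    PIO_STACK_LOCATION pisl;
    NTSTATUS ns = STATUS_UNSUCCESSFUL;
    ULONG BuffSize, DataSize;
    PVOID pBuff, pData;
    KIRQL OldIrql;

    pisl = IoGetCurrentIrpStackLocation(Irp);
    BuffSize = pisl->Parameters.DeviceIoControl.OutputBufferLength;
    pBuff = Irp->AssociatedIrp.SystemBuffer;
    Irp->IoStatus.Information = 0;

    switch (pisl->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_SET_SWAPCONTEXT_HOOK:
        /* Requires a resolved SwapContext address and no existing hook. */
        if (pSwapContext && !OldSwapContext)
        {
            OldSwapContext = HookCode(pSwapContext, NewSwapContext);
            ns = STATUS_SUCCESS;
        }
        break;
    case IOCTL_SWAPCONTEXT_UNHOOK:
        if (OldSwapContext)
        {
            UnhookCode(OldSwapContext);
            OldSwapContext = NULL;
            ns = STATUS_SUCCESS;
        }
        break;
    case IOCTL_SET_SYSCALL_HOOK:
        /* SetSyscallHook / SyscallUnhook are the per-build routines chosen
           in GetServiceConsts; they maintain OldSyscall themselves. */
        if (!OldSyscall)
        {
            SetSyscallHook();
            ns = STATUS_SUCCESS;
        }
        break;
    case IOCTL_SYSCALL_UNHOOK:
        if (OldSyscall)
        {
            SyscallUnhook();
            ns = STATUS_SUCCESS;
        }
        break;
    case IOCTL_GET_EXTEND_PSLIST:
        pData = GetHooksProcessList(&DataSize);
        if (pData)
            ns = ReturnListBuffer(Irp, pBuff, BuffSize, pData, DataSize);
        break;
    case IOCTL_GET_NATIVE_PSLIST:
        pData = GetNativeProcessList(&DataSize);
        if (pData)
            ns = ReturnListBuffer(Irp, pBuff, BuffSize, pData, DataSize);
        break;
    case IOCTL_GET_EPROCESS_PSLIST:
        pData = GetEprocessProcessList(&DataSize);
        if (pData)
            ns = ReturnListBuffer(Irp, pBuff, BuffSize, pData, DataSize);
        break;
    case IOCTL_SCAN_THREADS:
        ProcessListHead(KiWaitInListHead);
        ProcessListHead(KiWaitOutListHead);
        ProcessListHead(KiDispatcherReadyListHead);
        ns = STATUS_SUCCESS;
        break;
    case IOCTL_SCAN_PSP_CID_TABLE:
        if (PspCidTable)
        {
            ScanHandleTable(PspCidTable);
            ns = STATUS_SUCCESS;
        }
        break;
    case IOCTL_HANDLETABLES_LIST:
        if (HandleTableListHead)
        {
            ScanHandleTablesList();
            ns = STATUS_SUCCESS;
        }
        break;
    case IOCTL_GET_MESSAGES:
        if (BuffSize >= MSG_BUFF_SIZE)
        {
            KeAcquireSpinLock(&LogSpinLock, &OldIrql);
            /* Copy the whole buffer rather than strcpy up to the NUL:
               Information is reported as MSG_BUFF_SIZE, so the bytes after
               the NUL are returned to the caller too, and with strcpy they
               would be whatever the system buffer already held. SendMsgs is
               zero past its text (memset here and at init; AddLog only
               appends), so this returns no stale data. */
            memcpy(pBuff, SendMsgs, MSG_BUFF_SIZE);
            memset(SendMsgs, 0, MSG_BUFF_SIZE);
            Irp->IoStatus.Information = MSG_BUFF_SIZE;
            ns = STATUS_SUCCESS;
            KeReleaseSpinLock(&LogSpinLock, OldIrql);
        }
        break;
    default:
        /* Unknown control code: ns stays STATUS_UNSUCCESSFUL. */
        break;
    }

    Irp->IoStatus.Status = ns;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ns;
}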
/*
 * IRP_MJ_CREATE / IRP_MJ_CLOSE dispatch: opening and closing the control
 * device always succeeds; the IRP is completed with no data transferred.
 */
NTSTATUS DriverCreateClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
    const NTSTATUS Status = STATUS_SUCCESS;

    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}
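/*
 * Driver entry point: resolve the kernel-version constants, create the
 * control device \Device\phunter with its \DosDevices\phunter link, set up
 * the log buffer, register the process-notify callback and install the
 * dispatch routines. Every failure after device creation undoes what was
 * already set up (link, device, log buffer) before returning.
 * NOTE(review): IoCreateDevice is called without a security descriptor, so
 * the default device security decides who may open the control device and
 * issue the hook/scan IOCTLs -- consider restricting it to administrators.
 * @return STATUS_SUCCESS, or the failing call's status
 *         (STATUS_INSUFFICIENT_RESOURCES when the log buffer cannot be
 *         allocated).
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    PDRIVER_DISPATCH *ppdd;
    PCWSTR dDeviceName = L"\\Device\\phunter";
    PCWSTR dSymbolicLinkName = L"\\DosDevices\\phunter";

    RtlInitUnicodeString(&DeviceName, dDeviceName);
    RtlInitUnicodeString(&SymbolicLinkName, dSymbolicLinkName);
    KeInitializeSpinLock(&LogSpinLock);

    status = GetServiceConsts();
    if (!NT_SUCCESS(status)) return status;

    status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status)) return status;

    status = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
    if (!NT_SUCCESS(status)) goto fail_device;

    SendMsgs = ExAllocatePool(NonPagedPool, MSG_BUFF_SIZE);
    if (!SendMsgs)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto fail_link;    /* the link now exists and must be removed too */
    }
    memset(SendMsgs, 0, MSG_BUFF_SIZE);

    status = PsSetCreateProcessNotifyRoutine(NotifyRoutine, FALSE);
    if (!NT_SUCCESS(status)) goto fail_buffer;

#ifdef DEBUG
    DriverObject->DriverUnload = DriverUnload;
#endif
    ppdd = DriverObject->MajorFunction;
    ppdd[IRP_MJ_CREATE] =
    ppdd[IRP_MJ_CLOSE] = DriverCreateClose;
    ppdd[IRP_MJ_DEVICE_CONTROL] = DriverIoControl;
    return STATUS_SUCCESS;

fail_buffer:
    ExFreePool(SendMsgs);
    SendMsgs = NULL;
fail_link:
    IoDeleteSymbolicLink(&SymbolicLinkName);
fail_device:
    IoDeleteDevice(deviceObject);
    return status;
}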