欧美日韩福利视频,依依成人综合视频,亚洲电影第1页

Hook SSDT

Posted on 2009-03-21 16:19 Tommy Liang 閱讀(1270) 評(píng)論(0) 編輯收藏引用所屬分類: 進(jìn)程與線程

看了《Rootkit》和《黑客防線2009》的文章，代碼寫了一下，有些體會(huì)：

驅(qū)動(dòng)程序代碼：

#include "ntddk.h"

#define NT_DEVICE_NAME L"\\Device\\ProtectProcess"

#define DOS_DEVICE_NAME L"\\DosDevices\\ProtectProcess"

#define IOCTL_PROTECT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)

NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);

void OnUnload(IN PDRIVER_OBJECT DriverObject);

#pragma pack(1)

typedef struct ServiceDescriptorEntry{

unsigned int *ServiceTableBase;

unsigned int *ServiceCounterTableBase;

unsigned int NumberOfServices;

unsigned char *ParamTableBase;

} SSDT_Entry,*pSSDT_Entry;

#pragma pack()

__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;

#define SYSTEMSERVICE(_func) \

KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_func+1)]

NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle,

IN ACCESS_MASK DesiredAccess,

IN POBJECT_ATTRIBUTES ObjectAttributes,

IN PCLIENT_ID ClientId OPTIONAL);

typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle,

IN ACCESS_MASK DesiredAccess,

IN POBJECT_ATTRIBUTES ObjectAttributes,

IN PCLIENT_ID ClientId OPTIONAL);

ZWOPENPROCESS OldZwOpenProcess;

long pid = 0;

NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle,

IN ACCESS_MASK DesiredAccess,

IN POBJECT_ATTRIBUTES ObjectAttributes,

IN PCLIENT_ID ClientId OPTIONAL)

{

NTSTATUS nStatus = STATUS_SUCCESS;

if((long)ClientId->UniqueProcess == pid)

{

DbgPrint("保護(hù)進(jìn)程 PID:%d\n",pid);

return STATUS_ACCESS_DENIED;

}

nStatus = OldZwOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);

return nStatus;

}

void OnUnload(IN PDRIVER_OBJECT DriverObject)

{

UNICODE_STRING DeviceLinkString;

PDEVICE_OBJECT DeviceObjectTemp1 = NULL;

PDEVICE_OBJECT DeviceObjectTemp2 = NULL;

DbgPrint("驅(qū)動(dòng)程序卸載

\n");

RtlInitUnicodeString(&DeviceLinkString,DOS_DEVICE_NAME);

IoDeleteSymbolicLink(&DeviceLinkString);

if(DriverObject)

{

DeviceObjectTemp1 = DriverObject->DeviceObject;

while(DeviceObjectTemp1)

{

DeviceObjectTemp2 = DeviceObjectTemp1;

DeviceObjectTemp1 = DeviceObjectTemp1->NextDevice;

IoDeleteDevice(DeviceObjectTemp2);

}

DbgPrint("設(shè)備已卸載\n");

DbgPrint("修復(fù)SSDT\n");

(ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess)) = OldZwOpenProcess;

DbgPrint("驅(qū)動(dòng)卸載完畢\n");

}

NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)

{

NTSTATUS nStatus = STATUS_SUCCESS;

ULONG IoControlCode = 0;

PIO_STACK_LOCATION IrpStack = NULL;

long* inBuf = NULL;

char* outBuf = NULL;

ULONG inSize = 0;

ULONG outSize = 0;

PCHAR buffer = NULL;

PMDL mdl = NULL;

Irp->IoStatus.Status = STATUS_SUCCESS;

Irp->IoStatus.Information = 0;

IrpStack = IoGetCurrentIrpStackLocation(Irp);

switch(IrpStack->MajorFunction)

{

case IRP_MJ_CREATE:

DbgPrint("IRP_MJ_CREATE 被調(diào)用\n");

break;

case IRP_MJ_CLOSE:

DbgPrint("IRP_MJ_CLOSE 被調(diào)用\n");

break;

case IRP_MJ_DEVICE_CONTROL:

DbgPrint("IRP_MJ_DEVICE_CONTROL 被調(diào)用\n");

IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;

switch(IoControlCode)

{

case IOCTL_PROTECT_CONTROL:

inSize = IrpStack->Parameters.DeviceIoControl.InputBufferLength;

outSize = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;

inBuf = (long*)Irp->AssociatedIrp.SystemBuffer;

pid = *inBuf;

DbgPrint("=========================================\n");

DbgPrint("IOCTRL_PROTECT_CONTROL 被調(diào)用，通訊成功！\n");

DbgPrint("輸入緩沖區(qū)大?。?d\n",inSize);

DbgPrint("輸出緩沖區(qū)大?。?d\n",outSize);

DbgPrint("輸入緩沖區(qū)內(nèi)容：%ld\n",*inBuf);

DbgPrint("當(dāng)前保護(hù)進(jìn)程ID：%ld\n",pid);

DbgPrint("=========================================\n");

strcpy(Irp->UserBuffer,"OK\n");

break;

default:

break;

}

break;

default:

DbgPrint("未知請(qǐng)求包被調(diào)用\n");

break;

}

nStatus = Irp->IoStatus.Status;

IoCompleteRequest(Irp,IO_NO_INCREMENT);

return nStatus;

}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING theRegistryPath)

{

NTSTATUS ntStatus = STATUS_SUCCESS;

UNICODE_STRING ntDeviceName;

UNICODE_STRING DeviceLinkString;

PDEVICE_OBJECT deviceObject = NULL;

DbgPrint("驅(qū)動(dòng)程序加載

\n");

RtlInitUnicodeString(&ntDeviceName,NT_DEVICE_NAME);

ntStatus = IoCreateDevice(

DriverObject,

&ntDeviceName,

FILE_DEVICE_UNKNOWN,

FALSE,

&deviceObject);

if(!NT_SUCCESS(ntStatus))

{

DbgPrint("無法創(chuàng)建驅(qū)動(dòng)設(shè)備");

return ntStatus;

}

RtlInitUnicodeString(&DeviceLinkString,DOS_DEVICE_NAME);

ntStatus = IoCreateSymbolicLink(&DeviceLinkString,&ntDeviceName);

if(!NT_SUCCESS(ntStatus))

{

DbgPrint("無法創(chuàng)建驅(qū)動(dòng)設(shè)備");

return ntStatus;

}

DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchDeviceControl;

DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchDeviceControl;

DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;

DriverObject->DriverUnload = OnUnload;

DbgPrint("驅(qū)動(dòng)程序已經(jīng)啟動(dòng)\n");

DbgPrint("修改SSDT\n");

OldZwOpenProcess = (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess));

(ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess)) = NewZwOpenProcess;

DbgPrint("驅(qū)動(dòng)程序加載完畢\n");

return STATUS_SUCCESS;

}

服務(wù)安裝程序：

// ProtectInstaller.cpp : Defines the entry point for the console application.

#include "stdafx.h"

#define BUF_SIZE 4096

int main(int argc, char* argv[])

{

char path[BUF_SIZE];

char base[BUF_SIZE];

char sername[BUF_SIZE];

char disname[BUF_SIZE];

memset(path,0,BUF_SIZE);

memset(base,0,BUF_SIZE);

memset(sername,0,BUF_SIZE);

memset(disname,0,BUF_SIZE);

SC_HANDLE rh = NULL;

SC_HANDLE sh = NULL;

if(argc == 1)

{

printf("use:install/start/uninstall\n");

exit(0);

}

::GetModuleFileName(0,base,BUF_SIZE);

int p = strlen(base);

while(base[p] != '\\'){ p --; }

strncpy(path,base,p+1);

memset(base,0,BUF_SIZE);

sprintf(base,"%sInstall.ini",path);

memset(path,0,BUF_SIZE);

::GetPrivateProfileString("Config","Path","",path,BUF_SIZE,base);

::GetPrivateProfileString("Config","ServiceName","",sername,BUF_SIZE,base);

::GetPrivateProfileString("Config","DisplayName","",disname,BUF_SIZE,base);

printf("[*]Service Name:%s\n",sername);

printf("[*]Display Name:%s\n",disname);

printf("[*]Driver Path:%s\n",path);

sh = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);

if(!sh){

printf("[-]Error OpenSCManager.\n");

exit(0);

}

if(argc == 2 && !strcmp(argv[1],"install"))

{

if(!strcmp(path,""))

{

printf("[-]error read Install.ini\n");

exit(0);

}

rh = CreateService(sh,

sername,

disname,

SERVICE_ALL_ACCESS,

SERVICE_KERNEL_DRIVER,

SERVICE_DEMAND_START,

SERVICE_ERROR_NORMAL,

path,

NULL,NULL,NULL,NULL,NULL);

if(!rh)

{

printf("[-]error CreateService.\n");

exit(0);

}

printf("[-]Install Service Complete

\n");

}

else if(argc == 2 && !strcmp(argv[1],"start"))

{

rh = OpenService(sh,sername,SERVICE_ALL_ACCESS);

if(!rh)

{

printf("[-]error OpenService.\n");

exit(0);

}

StartService(rh,NULL,NULL);

printf("[-]Start Service Complete

\n");

}

else if(argc == 2 && !strcmp(argv[1],"uninstall"))

{

rh = OpenService(sh,sername,SERVICE_ALL_ACCESS);

if(!rh)

{

printf("[-]error OpenService.\n");

exit(0);

}

SERVICE_STATUS ss;

ControlService(rh,SERVICE_CONTROL_STOP,&ss);

printf("[-]Stop Service Complete

\n");

DeleteService(rh);

printf("[-]Delete Service Complete

\n");

}

CloseServiceHandle(rh);

CloseServiceHandle(sh);

return 1;

}

INI文件：

[Config]

Path=D:\hacker\ddk\Protect\sys\i386\Protect.sys

ServiceName=Rootkit

DisplayName=RootkitKernel

VC05搞了個(gè)解決方案

驅(qū)動(dòng)編譯通過了，安裝程序也通過了，也能啟動(dòng)，
打開DeviceTree看看，搜索 ProtectProcess，找到了:

現(xiàn)在輪到告訴驅(qū)動(dòng)PID的程序：

#include <stdio.h>

#include <stdlib.h>

#include <windows.h>

#include <winioctl.h>

#ifndef _WIN32_WINNT // Allow use of features specific to Windows XP or later.

#define _WIN32_WINNT 0x0501 // Change this to the appropriate value to target other versions of Windows.

#endif

#undef UNICODE

#define IOCTL_HELLO_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)

int main(int argc,char* argv[])

{

long pid = 0;

char ret[4096];

DWORD ReBytes = 0;

HANDLE hDevice = CreateFile(L"\\\\.\\ProtectProcess",GENERIC_READ|GENERIC_WRITE,0,NULL,

OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);

if(hDevice == INVALID_HANDLE_VALUE)

{

if(2 == GetLastError())

{

printf("驅(qū)動(dòng)程序未注冊(cè)\n");

}

else

{

printf("CreateFile() GetLastError reports %d \n",GetLastError());

}

return FALSE;

}

memset(ret,0,4096);

printf("請(qǐng)輸入要保護(hù)的進(jìn)程PID");

scanf("%ld",&pid);

DeviceIoControl(hDevice,IOCTL_HELLO_CONTROL,

&pid,sizeof(long),ret,4096,&ReBytes,NULL);

printf("Return Value:%s\n",ret);

CloseHandle(hDevice);

return 1;

}

開始的時(shí)候，在 CreateFile的第一個(gè)參數(shù)那里犯了一個(gè)錯(cuò)誤，沒有在前面加上“L”，結(jié)果一個(gè)下午花了3個(gè)小時(shí)在煩躁，一直提示驅(qū)動(dòng)未安裝，現(xiàn)在好了，PASS。

啟動(dòng)記事本，找到pid，運(yùn)行通信程序，輸入pid，打開任務(wù)管理器，好了，現(xiàn)在殺不掉notepad.exe了：

很有意思。

只有注冊(cè)用戶登錄后才能發(fā)表評(píng)論。
【推薦】100%開源！大型工業(yè)跨平臺(tái)軟件C++源碼提供，建模，組態(tài)！

相關(guān)文章: Hook SSDT 根據(jù)進(jìn)程標(biāo)識(shí)符顯示其相關(guān)信息取得內(nèi)存中的實(shí)例數(shù)

網(wǎng)站導(dǎo)航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

青青草原综合久久大伊人导航_色综合久久天天综合_日日噜噜夜夜狠狠久久丁香五月_热久久这里只有精品

tommy

Hook SSDT

日歷

常用鏈接

留言簿(5)

隨筆分類

隨筆檔案

搜索

最新評(píng)論

閱讀排行榜

評(píng)論排行榜