#ifndef CXX_IOTIMERINLINEHOOK_H
# include "IoTimerInlineHook.h"
#endif
ULONG32 SSDT_NtOpenProcessIndex = ;
pfnNtOpenProcess Old_NtOpenProcess = NULL;
PULONG32 ServiceTableBase = NULL;
ULONG32 Old_NtOpenProcessOffset = ; //针对Win7 x64
PVOID NtOpenProcessPassCode = NULL; //释放内存
PVOID Old_NtOpenProcessHeaderBytes = NULL; //释放内存
NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegisterPath)
{
NTSTATUS Status;
PDEVICE_OBJECT DeviceObject = NULL;
UNICODE_STRING uniDeviceName;
#ifdef _WIN64
ULONG64 SSDTAddress = NULL;
ULONG32 ulVariable = ;
CHAR szFindFunctionName[] = "ZwOpenProcess";
if (GetSSDTAddressInWin7_X64(&SSDTAddress)==FALSE)
{
return STATUS_UNSUCCESSFUL;
}
DbgPrint("Win7_X64 SSDT:%p\r\n",SSDTAddress);
DbgPrint("Win7_X64 SSDTBase:%p\r\n",((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase);
if (GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWin7_X64(szFindFunctionName,
&SSDT_NtOpenProcessIndex)==FALSE)
{
return STATUS_UNSUCCESSFUL;
}
DbgPrint("Win7x64 SSDT_NtOpenProcessIndex:%d\r\n",SSDT_NtOpenProcessIndex);
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase;
Old_NtOpenProcessOffset = (ULONG32)(ServiceTableBase[SSDT_NtOpenProcessIndex]);
ulVariable = Old_NtOpenProcessOffset>>;
Old_NtOpenProcess = (ULONG64)((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase + ulVariable;
DbgPrint("Win7_X64 Old_NtOpenProcess:%p\r\n",ulVariable);
#else
ULONG32 SSDTAddress = NULL;
CHAR szFindFunctionName[] = "ZwOpenProcess";
if (GetSSDTAddressInWinXP_X86(&SSDTAddress)==FALSE)
{
return STATUS_UNSUCCESSFUL;
}
DbgPrint("WinXP_X86 SSDT:%p\r\n",SSDTAddress);
DbgPrint("WinXP_X86 SSDTBase:%p\r\n",((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase);
if (GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWinXP_X86(szFindFunctionName,
&SSDT_NtOpenProcessIndex)==FALSE)
{
return STATUS_UNSUCCESSFUL;
}
DbgPrint("WinXP_X86 SSDT_NtOpenProcessIndex:%d\r\n",SSDT_NtOpenProcessIndex);
//先保存原先的函数地址
ServiceTableBase = (PULONG32)((PSYSTEM_SERVICE_TABLE)SSDTAddress)->ServiceTableBase;
Old_NtOpenProcess = (pfnNtOpenProcess)(ServiceTableBase[SSDT_NtOpenProcessIndex]);
DbgPrint("WinXP_X86 Old_NtOpenProcess:%p\r\n",Old_NtOpenProcess);
#endif
RtlInitUnicodeString(&uniDeviceName,DEVICE_NAME);
Status = IoCreateDevice(DriverObject,,&uniDeviceName,FILE_DEVICE_UNKNOWN,,FALSE,&DeviceObject);
if (!NT_SUCCESS(Status))
{
return Status;
}
IoInitializeTimer(DeviceObject,(PIO_TIMER_ROUTINE)CallBackProcedure,NULL);
IoStartTimer(DeviceObject);
DriverObject->DriverUnload = UnloadDriver;
return Status;
}
VOID
CallBackProcedure(PDEVICE_OBJECT DeviceObject,PVOID Context)
{
#ifdef _WIN64
InlineHookSSDTWin7_X64((ULONG64)Old_NtOpenProcess,(ULONG64)Fake_NtOpenProcess,);
#else
InlineHookSSDTWinXP_X86((ULONG32)Old_NtOpenProcess,(ULONG32)Fake_NtOpenProcess,);
#endif
}
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
IoStopTimer(DriverObject->DeviceObject);
if (DriverObject->DeviceObject!=NULL)
{
IoDeleteDevice(DriverObject->DeviceObject);
}
#ifdef _WIN64
UnInlineHookSSDTWin7_X64((ULONG64)Old_NtOpenProcess,(ULONG64)Old_NtOpenProcessHeaderBytes,);
if (Old_NtOpenProcessHeaderBytes!=NULL)
{
ExFreePool(Old_NtOpenProcessHeaderBytes);
Old_NtOpenProcessHeaderBytes = NULL;
}
if (NtOpenProcessPassCode!=NULL)
{
ExFreePool(NtOpenProcessPassCode);
NtOpenProcessPassCode = NULL;
}
#else
UnInlineHookSSDTWinXP_X86((ULONG32)Old_NtOpenProcess,(ULONG32)Old_NtOpenProcessHeaderBytes,);
if (Old_NtOpenProcessHeaderBytes!=NULL)
{
ExFreePool(Old_NtOpenProcessHeaderBytes);
Old_NtOpenProcessHeaderBytes = NULL;
}
if (NtOpenProcessPassCode!=NULL)
{
ExFreePool(NtOpenProcessPassCode);
NtOpenProcessPassCode = NULL;
}
#endif
}
BOOLEAN GetSSDTAddressInWinXP_X86(ULONG32* SSDTAddress)
{
//从NtosKernel.exe 模块中的导出表获得该导出变量 KeServiceDescriptorTable
/*
kd> dd KeServiceDescriptorTable
80563520 804e58a0 00000000 0000011c 805120bc
*/
*SSDTAddress = NULL;
*SSDTAddress = (ULONG32)GetExportVariableAddressFormNtosExportTableByVariableName(L"KeServiceDescriptorTable");
if (*SSDTAddress!=NULL)
{
return TRUE;
}
return FALSE;
}
PVOID
GetExportVariableAddressFormNtosExportTableByVariableName(WCHAR *wzVariableName)
{
UNICODE_STRING uniVariableName;
PVOID VariableAddress = NULL;
if (wzVariableName && wcslen(wzVariableName) > )
{
RtlInitUnicodeString(&uniVariableName, wzVariableName);
//从Ntos模块的导出表中获得一个导出变量的地址
VariableAddress = MmGetSystemRoutineAddress(&uniVariableName);
}
return VariableAddress;
}
VOID UnInlineHookSSDTWinXP_X86(ULONG32 ulCurrentVariable,ULONG32 ulOldVariable,ULONG32 ulPatchSize)
{
WPOFF();
memcpy((PVOID)ulCurrentVariable,(PVOID)ulOldVariable,ulPatchSize);
WPON();
}
BOOLEAN InlineHookSSDTWinXP_X86(ULONG32 ulOldVariable,ULONG32 ulFakeVariable,ULONG32 ulPatchSize)
{
UCHAR v1[] = "\xe9\x00\x00\x00\x00";
UCHAR v2[] = "\xe9\x00\x00\x00\x00";
ULONG32 ulTemp = ;
/*
kd> u 8058270A
nt!NtOpenProcess:
8058270a 68c4000000 push 0C4h
8058270f 68d8524f80 push offset nt!ObWatchHandles+0x25c (804f52d8)
80582714 e85a17f6ff call nt!_SEH_prolog (804e3e73)
80582719 33f6 xor esi,esi
8058271b 8975d4 mov dword ptr [ebp-2Ch],esi
8058271e 33c0 xor eax,eax
80582720 8d7dd8 lea edi,[ebp-28h]
80582723 ab stos dword ptr es:[edi]
*/
Old_NtOpenProcessHeaderBytes = ExAllocatePool(NonPagedPool,ulPatchSize);
if (Old_NtOpenProcessHeaderBytes==NULL)
{
return FALSE;
}
WPOFF();
memcpy(Old_NtOpenProcessHeaderBytes,(PVOID)ulOldVariable,ulPatchSize);
// Old_NtOpenProcessHeaderBytes[ 68c4000000 ]
WPON();
NtOpenProcessPassCode = ExAllocatePool(NonPagedPool,(ulPatchSize+));
if (NtOpenProcessPassCode==NULL)
{
if (Old_NtOpenProcessHeaderBytes!=NULL)
{
ExFreePool(Old_NtOpenProcessHeaderBytes);
Old_NtOpenProcessHeaderBytes = NULL;
}
return FALSE;
}
RtlFillMemory(NtOpenProcessPassCode,ulPatchSize+,0x90); //NOP
//NtOpenProcessPassCode[0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90]
memcpy((PUCHAR)NtOpenProcessPassCode,Old_NtOpenProcessHeaderBytes,ulPatchSize);
//NtOpenProcessPassCode[ 68c4000000 0x90 0x90 0x90 0x90 0x90]
ulTemp=(ULONG32)ulOldVariable+ulPatchSize;
//8058270a + 5 = 8058270f = ulTemp
*((ULONG32*)&v2[]) = (ULONG32)ulTemp - ((ULONG32)NtOpenProcessPassCode + + ); //第一个+5 是过前5个字节 第二个加 是 新 - (旧+5)
memcpy((PUCHAR)NtOpenProcessPassCode+ulPatchSize,v2,);
ulTemp = (ULONG32)ulFakeVariable;
*((ULONG32*)&v1[]) = (ULONG32)ulTemp - ((ULONG32)ulOldVariable +);
WPOFF();
RtlFillMemory((PVOID)ulOldVariable,ulPatchSize,0x90);
memcpy((PVOID)ulOldVariable,v1,);
WPON();
return TRUE;
}
BOOLEAN GetSSDTAddressInWin7_X64(ULONG64* SSDTAddress)
{
/*
kd> rdmsr c0000082
msr[c0000082] = fffff800`03ecf640
kd> u fffff800`03ecf640 l 50
nt!KiSystemCall64:
fffff800`03ecf640 0f01f8 swapgs
fffff800`03ecf643 654889242510000000 mov qword ptr gs:[10h],rsp
fffff800`03ecf64c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h]
fffff800`03ecf655 6a2b push 2Bh
fffff800`03ecf657 65ff342510000000 push qword ptr gs:[10h]
fffff800`03ecf65f 4153 push r11
fffff800`03ecf661 6a33 push 33h
fffff800`03ecf663 51 push rcx
fffff800`03ecf664 498bca mov rcx,r10
fffff800`03ecf667 4883ec08 sub rsp,8
fffff800`03ecf66b 55 push rbp
fffff800`03ecf66c 4881ec58010000 sub rsp,158h
fffff800`03ecf673 488dac2480000000 lea rbp,[rsp+80h]
fffff800`03ecf67b 48899dc0000000 mov qword ptr [rbp+0C0h],rbx
fffff800`03ecf682 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi
fffff800`03ecf689 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi
fffff800`03ecf690 c645ab02 mov byte ptr [rbp-55h],2
fffff800`03ecf694 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
fffff800`03ecf69d 0f0d8bd8010000 prefetchw [rbx+1D8h]
fffff800`03ecf6a4 0fae5dac stmxcsr dword ptr [rbp-54h]
fffff800`03ecf6a8 650fae142580010000 ldmxcsr dword ptr gs:[180h]
fffff800`03ecf6b1 807b0300 cmp byte ptr [rbx+3],0
fffff800`03ecf6b5 66c785800000000000 mov word ptr [rbp+80h],0
fffff800`03ecf6be 0f848c000000 je nt!KiSystemCall64+0x110 (fffff800`03ecf750)
fffff800`03ecf6c4 488945b0 mov qword ptr [rbp-50h],rax
fffff800`03ecf6c8 48894db8 mov qword ptr [rbp-48h],rcx
fffff800`03ecf6cc 488955c0 mov qword ptr [rbp-40h],rdx
fffff800`03ecf6d0 f6430303 test byte ptr [rbx+3],3
fffff800`03ecf6d4 4c8945c8 mov qword ptr [rbp-38h],r8
fffff800`03ecf6d8 4c894dd0 mov qword ptr [rbp-30h],r9
fffff800`03ecf6dc 7405 je nt!KiSystemCall64+0xa3 (fffff800`03ecf6e3)
fffff800`03ecf6de e80d140000 call nt!KiSaveDebugRegisterState (fffff800`03ed0af0)
fffff800`03ecf6e3 f6430380 test byte ptr [rbx+3],80h
fffff800`03ecf6e7 7442 je nt!KiSystemCall64+0xeb (fffff800`03ecf72b)
fffff800`03ecf6e9 b9020100c0 mov ecx,0C0000102h
fffff800`03ecf6ee 0f32 rdmsr
fffff800`03ecf6f0 48c1e220 shl rdx,20h
fffff800`03ecf6f4 480bc2 or rax,rdx
fffff800`03ecf6f7 483983b8000000 cmp qword ptr [rbx+0B8h],rax
fffff800`03ecf6fe 742b je nt!KiSystemCall64+0xeb (fffff800`03ecf72b)
fffff800`03ecf700 483983b0010000 cmp qword ptr [rbx+1B0h],rax
fffff800`03ecf707 7422 je nt!KiSystemCall64+0xeb (fffff800`03ecf72b)
fffff800`03ecf709 488b93b8010000 mov rdx,qword ptr [rbx+1B8h]
fffff800`03ecf710 0fba6b4c0b bts dword ptr [rbx+4Ch],0Bh
fffff800`03ecf715 66ff8bc4010000 dec word ptr [rbx+1C4h]
fffff800`03ecf71c 48898280000000 mov qword ptr [rdx+80h],rax
fffff800`03ecf723 fb sti
fffff800`03ecf724 e8170b0000 call nt!KiUmsCallEntry (fffff800`03ed0240)
fffff800`03ecf729 eb0f jmp nt!KiSystemCall64+0xfa (fffff800`03ecf73a)
fffff800`03ecf72b f6430340 test byte ptr [rbx+3],40h
fffff800`03ecf72f 7409 je nt!KiSystemCall64+0xfa (fffff800`03ecf73a)
fffff800`03ecf731 f00fbaab0001000008 lock bts dword ptr [rbx+100h],8
fffff800`03ecf73a 488b45b0 mov rax,qword ptr [rbp-50h]
fffff800`03ecf73e 488b4db8 mov rcx,qword ptr [rbp-48h]
fffff800`03ecf742 488b55c0 mov rdx,qword ptr [rbp-40h]
fffff800`03ecf746 4c8b45c8 mov r8,qword ptr [rbp-38h]
fffff800`03ecf74a 4c8b4dd0 mov r9,qword ptr [rbp-30h]
fffff800`03ecf74e 6690 xchg ax,ax
fffff800`03ecf750 fb sti
fffff800`03ecf751 48898be0010000 mov qword ptr [rbx+1E0h],rcx
fffff800`03ecf758 8983f8010000 mov dword ptr [rbx+1F8h],eax
nt!KiSystemServiceStart:
fffff800`03ecf75e 4889a3d8010000 mov qword ptr [rbx+1D8h],rsp
fffff800`03ecf765 8bf8 mov edi,eax
fffff800`03ecf767 c1ef07 shr edi,7
fffff800`03ecf76a 83e720 and edi,20h
fffff800`03ecf76d 25ff0f0000 and eax,0FFFh
nt!KiSystemServiceRepeat:
fffff800`03ecf772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800`04101840)]
fffff800`03ecf772 + 002320c7 + 7 = fffff800`04101840
*/
PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082); //fffff800`03ecf640
PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
PUCHAR i = NULL;
UCHAR v1=,v2=,v3=;
INT64 iOffset = ; //002320c7
ULONG64 VariableAddress = ;
*SSDTAddress = NULL;
for(i=StartSearchAddress;i<EndSearchAddress;i++)
{
if( MmIsAddressValid(i) && MmIsAddressValid(i+) && MmIsAddressValid(i+) )
{
v1=*i;
v2=*(i+);
v3=*(i+);
if(v1==0x4c && v2==0x8d && v3==0x15 )
{
memcpy(&iOffset,i+,);
*SSDTAddress = iOffset + (ULONG64)i + ;
break;
}
}
}
if (*SSDTAddress==NULL)
{
return FALSE;
}
/*
kd> dq fffff800`04101840
fffff800`04101840 fffff800`03ed1300 00000000`00000000
fffff800`04101850 00000000`00000191 fffff800`03ed1f8c
*/
return TRUE;
}
BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWin7_X64(CHAR* szFindFunctionName,ULONG32* SSDTFunctionIndex)
{
/*
0:004> u zwopenprocess
ntdll!NtOpenProcess:
00000000`774ddc10 4c8bd1 mov r10,rcx
00000000`774ddc13 b823000000 mov eax,23h
00000000`774ddc18 0f05 syscall
00000000`774ddc1a c3 ret
00000000`774ddc1b 0f1f440000 nop dword ptr [rax+rax]
*/
ULONG32 ulOffset_SSDTFunctionIndex = ;
ULONG i;
BOOLEAN bOk = FALSE;
WCHAR wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
SIZE_T MappingViewSize = ;
PVOID MappingBaseAddress = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
ULONG32* AddressOfFunctions = NULL;
ULONG32* AddressOfNames = NULL;
USHORT* AddressOfNameOrdinals = NULL;
CHAR* szFunctionName = NULL;
ULONG32 ulFunctionOrdinal = ;
ULONG64 ulFunctionAddress = ;
*SSDTFunctionIndex = -;
//将Ntdll.dll 当前的空间中
bOk = MappingPEFileInRing0Space(wzFileFullPath,&MappingBaseAddress, &MappingViewSize);
if (bOk==FALSE)
{
return FALSE;
}
else
{
__try{
NtHeader = RtlImageNtHeader(MappingBaseAddress);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
ExportDirectory =(IMAGE_EXPORT_DIRECTORY*)((ULONG64)MappingBaseAddress + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
AddressOfFunctions = (ULONG32*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfFunctions);
AddressOfNames = (ULONG32*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfNames);
AddressOfNameOrdinals = (USHORT*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfNameOrdinals);
for(i = ; i < ExportDirectory->NumberOfNames; i++)
{
szFunctionName = (char*)((ULONG64)MappingBaseAddress + AddressOfNames[i]); //获得函数名称
if (_stricmp(szFunctionName, szFindFunctionName) == )
{
ulFunctionOrdinal = AddressOfNameOrdinals[i];
ulFunctionAddress = (ULONG64)((ULONG64)MappingBaseAddress + AddressOfFunctions[ulFunctionOrdinal]);
*SSDTFunctionIndex = *(ULONG32*)(ulFunctionAddress+ulOffset_SSDTFunctionIndex);
break;
}
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
}
ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress);
if (*SSDTFunctionIndex==-)
{
return FALSE;
}
return TRUE;
}
VOID UnInlineHookSSDTWin7_X64(ULONG64 ulCurrentVariable,ULONG64 ulOldVariable,ULONG32 ulPatchSize)
{
WPOFF();
memcpy((PVOID)ulCurrentVariable,(PVOID)ulOldVariable,ulPatchSize);
WPON();
}
BOOLEAN InlineHookSSDTWin7_X64(ULONG64 ulOldVariable,ULONG64 ulFakeVariable,ULONG32 ulPatchSize)
{
UCHAR v1[]="\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
UCHAR v2[]="\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
ULONG64 ulTemp = ;
//保存这14个字节的内容
Old_NtOpenProcessHeaderBytes = ExAllocatePool(NonPagedPool,ulPatchSize);
if (Old_NtOpenProcessHeaderBytes==NULL)
{
return FALSE;
}
WPOFF();
memcpy(Old_NtOpenProcessHeaderBytes,(PVOID)ulOldVariable,ulPatchSize);
WPON();
//构建保存原先的前14个字节的内容和跳转到14个字节之后的指令的内容
NtOpenProcessPassCode = ExAllocatePool(NonPagedPool,(ulPatchSize+));
if (NtOpenProcessPassCode==NULL)
{
ExFreePool(Old_NtOpenProcessHeaderBytes);
Old_NtOpenProcessHeaderBytes = NULL;
return FALSE;
}
RtlFillMemory(NtOpenProcessPassCode,ulPatchSize+,0x90);//NOP
memcpy((PUCHAR)NtOpenProcessPassCode,Old_NtOpenProcessHeaderBytes,ulPatchSize); //保存原先的14个字节
ulTemp=(ULONG64)ulOldVariable+ulPatchSize; //原先函数14个字节之后的内容所在的地址 Temp = 0x12345678
memcpy(v2+,&ulTemp,); //构建跳转到该地址的Shell
memcpy((PUCHAR)NtOpenProcessPassCode+ulPatchSize,v2,ulPatchSize); //保存
//构建跳转到我们Fake函数的Shell
ulTemp = (ULONG64)ulFakeVariable;
memcpy(v1+,&ulTemp,);
//修改原先的14个字节为跳转到Fake的指令
WPOFF();
RtlFillMemory((PVOID)ulOldVariable,ulPatchSize,0x90);
memcpy((PVOID)ulOldVariable,v1,ulPatchSize);
WPON();
}
VOID WPOFF()
{
//选择性编译,是给编译器看的
#if (defined(_M_AMD64) || defined(_M_IA64)) && !defined(_REALLY_GET_CALLERS_CALLER_)
_disable();
__writecr0(__readcr0() & (~(0x10000)));
#else
__asm
{
CLI ;
MOV EAX, CR0;
AND EAX, NOT 10000H;
MOV CR0, EAX;
}
#endif
}
VOID WPON()
{
#if (defined(_M_AMD64) || defined(_M_IA64)) && !defined(_REALLY_GET_CALLERS_CALLER_)
__writecr0(__readcr0() ^ 0x10000);
_enable();
#else
__asm
{
MOV EAX, CR0;
OR EAX, 10000H;
MOV CR0, EAX;
STI;
}
#endif
}
BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWinXP_X86(CHAR* szFindFunctionName,
ULONG32* SSDTFunctionIndex)
{
/*
0:001> u zwopenprocess
ntdll!ZwOpenProcess:
7c92d5e0 b87a000000 mov eax,7Ah
7c92d5e5 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c92d5ea ff12 call dword ptr [edx]
7c92d5ec c21000 ret 10h
7c92d5ef 90 nop
*/
ULONG32 ulOffset_SSDTFunctionIndex = ;
//从Ntdll模块的导出表中获得7c92d5e0
//使用内存映射将Ntdll模块映射到System进程的内存空间进行查找(Ntdll.dll模块的导出表中进行搜索)
ULONG i;
BOOLEAN bOk = FALSE;
WCHAR wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
SIZE_T MappingViewSize = ;
PVOID MappingBaseAddress = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
ULONG32* AddressOfFunctions = NULL;
ULONG32* AddressOfNames = NULL;
USHORT* AddressOfNameOrdinals = NULL;
CHAR* szFunctionName = NULL;
ULONG32 ulFunctionOrdinal = ;
ULONG32 ulFunctionAddress = ;
*SSDTFunctionIndex = -;
//将Ntdll.dll 当前的空间中
bOk = MappingPEFileInRing0Space(wzFileFullPath,&MappingBaseAddress, &MappingViewSize);
if (bOk==FALSE)
{
return FALSE;
}
else
{
__try{
NtHeader = RtlImageNtHeader(MappingBaseAddress);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
ExportDirectory =(IMAGE_EXPORT_DIRECTORY*)((ULONG32)MappingBaseAddress + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
AddressOfFunctions = (ULONG32*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfFunctions);
AddressOfNames = (ULONG32*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfNames);
AddressOfNameOrdinals = (USHORT*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfNameOrdinals);
for(i = ; i < ExportDirectory->NumberOfNames; i++)
{
szFunctionName = (char*)((ULONG32)MappingBaseAddress + AddressOfNames[i]); //获得函数名称
if (_stricmp(szFunctionName, szFindFunctionName) == )
{
ulFunctionOrdinal = AddressOfNameOrdinals[i];
ulFunctionAddress = (ULONG32)((ULONG32)MappingBaseAddress + AddressOfFunctions[ulFunctionOrdinal]);
*SSDTFunctionIndex = *(ULONG32*)(ulFunctionAddress+ulOffset_SSDTFunctionIndex);
break;
}
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
}
ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress);
if (*SSDTFunctionIndex==-)
{
return FALSE;
}
return TRUE;
}
BOOLEAN
MappingPEFileInRing0Space(WCHAR* wzFileFullPath,OUT PVOID* MappingBaseAddress,PSIZE_T MappingViewSize)
{
UNICODE_STRING uniFileFullPath;
OBJECT_ATTRIBUTES oa;
NTSTATUS Status;
IO_STATUS_BLOCK Iosb;
HANDLE hFile = NULL;
HANDLE hSection = NULL;
if (!wzFileFullPath || !MappingBaseAddress){
return FALSE;
}
RtlInitUnicodeString(&uniFileFullPath, wzFileFullPath);
InitializeObjectAttributes(&oa,
&uniFileFullPath,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL
);
//获得文件句柄
Status = IoCreateFile(&hFile,
GENERIC_READ | SYNCHRONIZE,
&oa, //文件绝对路径
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
,
CreateFileTypeNone,
NULL,
IO_NO_PARAMETER_CHECKING
);
if (!NT_SUCCESS(Status))
{
return FALSE;
}
oa.ObjectName = NULL;
Status = ZwCreateSection(&hSection,
SECTION_QUERY | SECTION_MAP_READ,
&oa,
NULL,
PAGE_WRITECOPY,
SEC_IMAGE, //?? 指示内存对齐
hFile
);
ZwClose(hFile);
if (!NT_SUCCESS(Status))
{
return FALSE;
}
Status = ZwMapViewOfSection(hSection,
NtCurrentProcess(), //映射到当前进程的内存空间中
MappingBaseAddress,
,
,
,
MappingViewSize,
ViewUnmap,
,
PAGE_WRITECOPY
);
ZwClose(hSection);
if (!NT_SUCCESS(Status))
{
return FALSE;
}
return TRUE;
}
NTSTATUS Fake_NtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId)
{
PEPROCESS EProcess = PsGetCurrentProcess(); //进程上下背景文
if (EProcess!=NULL)
{
//通过EProcess 获得进程名称
char *szProcessImageName = PsGetProcessImageFileName(EProcess);
if (strstr(szProcessImageName,"EnumProcess")!=)
{
return STATUS_ACCESS_DENIED;
}
}
if (NtOpenProcessPassCode!=NULL)
{
((pfnNtOpenProcess)NtOpenProcessPassCode)(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
}
}