/*--------------------------------------------------------------
* 文件名稱 : Driver.c
* 作 者 : Vinurpe
* 創建日期 : 2013-03-02
* 編譯環境 : WDK 7600.16385.1
/---------------------------------------------------------------
* File Name : Driver.c
* Date of creation : 2013-03-02
* Author(s) : Vinurpe
* Building environment : WDK 7600.16385.1
----------------------------------------------------------------*/
#include <ntddk.h>
// Resolves a Zw* stub exported by ntoskrnl.exe to the Nt* service routine it
// dispatches to: the 32-bit value at offset 1 of the stub is taken as the
// system-service index and used to index the SSDT's ServiceTableBase.
// NOTE(review): the +1 read assumes one fixed stub encoding and there is no
// bounds check against NumberOfServices; a stub laid out differently yields an
// arbitrary pointer. KeServiceDescriptorTable is only importable on the 32-bit
// kernels this file targets.
#define SYSTEMSERVICE(_func) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_func+1)]
// Takes the address of a Zw* stub and returns the index of its service in the
// SSDT (the same 32-bit value at offset 1 that SYSTEMSERVICE reads).
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
// System service descriptor table entry as laid out on the 32-bit kernels this
// driver targets. Only ServiceTableBase is used by this file.
typedef struct ServiceDescriptorEntry
{
unsigned int *ServiceTableBase; // array of service routine addresses, indexed by service number
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices; // entry count of ServiceTableBase (never checked in this file)
unsigned char *ParamTableBase; // unused here
} SSDTEntry;
// Imported from the kernel image; resolved when the driver is loaded.
__declspec(dllimport) SSDTEntry KeServiceDescriptorTable;
// Signature of ZwOpenProcess/NtOpenProcess; used only to type NtOpenProcess_Addr.
typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL);
// Address of the kernel's NtOpenProcess, filled in by DriverEntry via SYSTEMSERVICE.
ZWOPENPROCESS NtOpenProcess_Addr;
// Copy of the 6 original bytes at the patch site; saved in DriverEntry and
// written back by OnUnload.
UCHAR NtOpenProcess_Win7_Org_Mem[6] = {0x00,0x00,0x00,0x00,0x00,0x00};
// Address inside NtOpenProcess (NtOpenProcess_Addr + 0x22) whose 6 bytes get overwritten.
ULONG NewOpenProcess_Win7_Hook_Addr;
// Bytes written over the patch site: a 5-byte near JMP (E9 + rel32, rel32 filled
// in by DriverEntry) followed by one NOP of padding.
UCHAR NewOpenProcess_Win7_Hook_Mem[6] = {0xe9,0x00,0x00,0x00,0x00,0x90};
// Absolute target derived from the CALL immediate read at NtOpenProcess_Addr + 0x29;
// the trampoline calls through this variable.
ULONG NewOpenProcess_Win7_Hook_Call;
// Address in NtOpenProcess (NtOpenProcess_Addr + 0x2D) that the trampoline jumps back to.
ULONG NewOpenProcess_Win7_Hook_Jmp;
// rel32 displacement of the patch-site JMP to NewOpenProcess_Win7.
ULONG NewOpenProcess_Win7_JmpCalc;
///////////////////////////////////////////////////
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
///////////////////////////////////////////////////
// Clears the CR0.WP (write-protect, bit 16) flag on the current CPU so that
// read-only kernel code pages (the NtOpenProcess patch site and this driver's
// own code) can be written with RtlCopyMemory, and masks interrupts with cli
// until WPON.
// NOTE(review): cli only affects this processor; other CPUs keep running and
// can execute the half-patched function while the copies are in flight, so
// this provides no real atomicity. The prior interrupt state is not saved
// either — WPON re-enables unconditionally. x86-32 only (MSVC inline asm).
VOID WPOFF()
{
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
}
// Restores CR0.WP (bit 16) on the current CPU and re-enables interrupts with
// an unconditional sti; counterpart of WPOFF.
// NOTE(review): because the interrupt state is not saved by WPOFF, this turns
// interrupts on even if they were off when WPOFF was called. x86-32 only.
VOID WPON()
{
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
// Trampoline that receives control from the JMP patched into NtOpenProcess.
// It is `naked`, so the compiler emits no prologue/epilogue and the body is
// exactly the bytes below. DriverEntry overwrites the 6 leading NOPs with the
// 6 original bytes displaced from the patch site, so execution runs those
// instructions, then re-issues the CALL the original code made (presumably an
// indirect call through NewOpenProcess_Win7_Hook_Call) and jumps back into
// NtOpenProcess at NewOpenProcess_Win7_Hook_Jmp. The trampoline adds no logic
// of its own, so the detour is behaviour-neutral — provided the displaced
// 6 bytes are whole, position-independent instructions, which nothing here
// verifies.
// NOTE(review): this function's own code page is rewritten at run time
// (DriverEntry copies into it, under WPOFF), and the hard-coded offsets tie it
// to a single 32-bit Win7 NtOpenProcess layout; see the notes on DriverEntry.
__declspec(naked) NTSTATUS __stdcall NewOpenProcess_Win7()
{
// Six-byte placeholder, replaced by DriverEntry with the displaced bytes.
__asm
{
_EMIT 0x90;
_EMIT 0x90;
_EMIT 0x90;
_EMIT 0x90;
_EMIT 0x90;
_EMIT 0x90;
}
// Re-issue the original CALL, then resume the original function.
__asm
{
call NewOpenProcess_Win7_Hook_Call
jmp [NewOpenProcess_Win7_Hook_Jmp]
}
}
// Driver entry point: installs an inline patch at NtOpenProcess + 0x22 on the
// 32-bit Win7 kernel build this was written against, redirecting execution
// into NewOpenProcess_Win7. RegistryPath is unused. Always returns
// STATUS_SUCCESS, so OnUnload always has a patch to undo.
// NOTE(review): there is no OS/build version check and no verification that
// the bytes at the patch site are the expected instructions; on any kernel
// whose NtOpenProcess differs from the assumed layout the writes below corrupt
// kernel code and the machine bugchecks. The three copies run under cli only,
// which does not stop other CPUs from executing the half-patched function
// (see WPOFF). Patching ntoskrnl code in place is precisely what kernel
// code-integrity checks and in-memory-vs-on-disk image comparisons detect;
// on x64 kernel patch protection would bugcheck as well (this source is
// x86-only regardless: inline __asm and ULONG-sized pointers).
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
DriverObject->DriverUnload = OnUnload;
// Resolve NtOpenProcess through the service index held in the ZwOpenProcess stub.
NtOpenProcess_Addr = (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess)); //Not hard-coded, but this only works for functions the DDK exports...
//Because the Win7 NtOpenProcess layout differs from WinXP this is written against the asm... if the address offsets are to be more rigorous, compute them with a disassembler engine
//----------------------------------------------------------------
// Patch site (6 bytes overwritten) and the address the trampoline resumes at.
NewOpenProcess_Win7_Hook_Addr = (ULONG)NtOpenProcess_Addr + 0x22;
NewOpenProcess_Win7_Hook_Jmp = (ULONG)NtOpenProcess_Addr + 0x2D;
//Call conversion
// Read the rel32 immediate at +0x29 (presumably the operand of an E8 CALL at
// +0x28, the instruction between the displaced bytes and +0x2D) and turn it
// into an absolute target. The two steps compute
// Hook_Jmp - (0xFFFFFFFF - rel32) - 1, which modulo 2^32 equals
// Hook_Jmp + rel32: next-instruction address plus displacement.
NewOpenProcess_Win7_Hook_Call = (ULONG)NtOpenProcess_Addr + 0x29;
NewOpenProcess_Win7_Hook_Call = 0xFFFFFFFF - *(PULONG)(NewOpenProcess_Win7_Hook_Call);
NewOpenProcess_Win7_Hook_Call = NewOpenProcess_Win7_Hook_Jmp - NewOpenProcess_Win7_Hook_Call - 0x1;
//Jmp conversion
// rel32 for the 5-byte JMP at the patch site to the trampoline
// (target - site - 5), stored into bytes 1..4 of the E9 xx xx xx xx 90 template.
NewOpenProcess_Win7_JmpCalc = (PCHAR)NewOpenProcess_Win7- (PCHAR)NewOpenProcess_Win7_Hook_Addr - 5;
RtlCopyMemory(NewOpenProcess_Win7_Hook_Mem + 1,&NewOpenProcess_Win7_JmpCalc,4);
WPOFF();
// 1) save the 6 original bytes (restored by OnUnload);
// 2) copy them into the trampoline's NOP placeholder;
// 3) overwrite the patch site with the JMP + NOP.
RtlCopyMemory (NtOpenProcess_Win7_Org_Mem, (PVOID)NewOpenProcess_Win7_Hook_Addr , 6);
RtlCopyMemory((PVOID)NewOpenProcess_Win7,NtOpenProcess_Win7_Org_Mem,6);
RtlCopyMemory((PVOID)NewOpenProcess_Win7_Hook_Addr ,(PVOID)NewOpenProcess_Win7_Hook_Mem,6);
WPON();
//----------------------------------------------------------------
return STATUS_SUCCESS;
}
/////////////////////////////////////////////////////
// Unload routine: writes the 6 saved original bytes back over the patch site,
// then logs. DriverObject is unused.
// NOTE(review): the restore is not synchronised with threads currently inside
// NtOpenProcess. A thread that has already taken the patched JMP, or that is
// inside the CALL issued by the trampoline with its return address in this
// driver's image, returns into unmapped memory once the driver is gone.
// Nothing records whether the patch was actually applied (DriverEntry as
// written always applies it), and the same non-atomic, single-CPU cli window
// as in DriverEntry applies here.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
WPOFF();
RtlCopyMemory((PVOID)NewOpenProcess_Win7_Hook_Addr,NtOpenProcess_Win7_Org_Mem,6);
WPON();
DbgPrint("Driver UnLoad!\n");
}
/////////////////////////////////////////////////////
首先,各路大神抱歉小弟獻醜了 <(_ _)>
想了很久終於OpenSource了
裡面的概念幾乎都是前幾篇筆記有提到的
當然如果想完整Bypass HackShield 並使用Debug的話 前面還有很多難關需要過
以過來人經驗建議直接學習內核重載技術比較省事