写了几个函数 来防止ntfs.sys被hook
日子无聊的很
还好电脑总是最听话的 你叫他玩游戏 他不会看电影
哈哈 至少很少说谎
以后找女人也要找这样的
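/*
 * Scan the code that follows a driver's entry point for the instruction
 * that stores the dispatch routine for IRP major function `major_function`
 * into DRIVER_OBJECT::MajorFunction, and return the address it stores.
 *
 * The compiler emits that store in one of two x86 encodings, both visible
 * in the ntfs.sys disassembly kept next to this function:
 *   C7 43 dd imm32             mov dword ptr [ebx+dd], imm32        (disp8)
 *   C7 83 dd 00 00 00 imm32    mov dword ptr [ebx+000000dd], imm32  (disp32)
 * where dd = 0x38 + 4 * major_function is the slot's offset inside the
 * driver object (MajorFunction starts at 0x38 on 32-bit builds, so this
 * whole routine is 32-bit specific). It assumes EBX holds the DRIVER_OBJECT
 * pointer, which is what that disassembly shows; a different build or
 * compiler may pick another base register and then nothing is found.
 *
 * The original version matched the pattern through a masked, misaligned
 * ULONG read and a non-standard `((char*)p)++`; this version compares bytes
 * and assembles the immediate itself, so no unaligned dereference is needed.
 *
 * @param pdriver_entry   Address inside the mapped image to start scanning
 *                        from (the caller passes AddressOfEntryPoint).
 * @param major_function  IRP_MJ_* index.
 * @return The imm32 operand, i.e. the routine's address as linked (relative
 *         to the image's preferred ImageBase), or 0 if no matching store is
 *         found within SearchDepth bytes (constant defined elsewhere in
 *         this file) or the slot offset cannot be encoded.
 */
ULONG get_funaddr(ULONG* pdriver_entry, ULONG major_function)
{
    const unsigned char *code = (const unsigned char *)pdriver_entry;
    ULONG slot = major_function * 4 + 0x38;   /* displacement of the table slot */
    int i;

    /* Both encodings carry the slot offset in a single byte. */
    if (slot > 0xff) {
        return 0;
    }

    for (i = 0; i < SearchDepth; i++) {
        const unsigned char *p = code + i;
        const unsigned char *imm = NULL;

        if (p[0] != 0xC7 || p[2] != (unsigned char)slot) {
            continue;
        }
        if (slot < 0x80) {
            /* disp8 is sign-extended, so offsets below 0x80 use the short form. */
            if (p[1] == 0x43) {
                imm = p + 3;
            }
        } else {
            /* Offsets 0x80..0xff need disp32; the upper three bytes are zero. */
            if (p[1] == 0x83 && p[3] == 0 && p[4] == 0 && p[5] == 0) {
                imm = p + 6;
            }
        }
        if (imm != NULL) {
            DbgPrint("GetFunctionAddrByID:0x%08x\n", (ULONG)imm);
            /* Little-endian imm32, read byte-wise because it can sit at any offset. */
            return (ULONG)imm[0] | ((ULONG)imm[1] << 8) |
                   ((ULONG)imm[2] << 16) | ((ULONG)imm[3] << 24);
        }
    }
    return 0;
}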
0008BE6D: 8B 3D 58 2A 02 00 MOV EDI,[00022A58]
0008BE73: C7 43 38 7A E4 02 00 MOV DWORD PTR [EBX+38],0002E47A
0008BE7A: C7 43 40 F0 B8 02 00 MOV DWORD PTR [EBX+40],0002B8F0
0008BE81: C7 43 44 A3 2F 01 00 MOV DWORD PTR [EBX+44],00012FA3
0008BE88: C7 43 48 20 03 01 00 MOV DWORD PTR [EBX+48],00010320
0008BE8F: C7 43 4C 4C EB 02 00 MOV DWORD PTR [EBX+4C],0002EB4C
0008BE96: C7 43 50 27 88 02 00 MOV DWORD PTR [EBX+50],00028827
0008BE9D: C7 43 54 95 1B 06 00 MOV DWORD PTR [EBX+54],00061B95
0008BEA4: C7 43 58 DF 1C 06 00 MOV DWORD PTR [EBX+58],00061CDF
0008BEAB: C7 43 5C DF A6 03 00 MOV DWORD PTR [EBX+5C],0003A6DF
0008BEB2: C7 43 60 B8 4F 03 00 MOV DWORD PTR [EBX+60],00034FB8
0008BEB9: C7 43 64 E6 7C 08 00 MOV DWORD PTR [EBX+64],00087CE6
0008BEC0: C7 43 68 9D 06 03 00 MOV DWORD PTR [EBX+68],0003069D
0008BEC7: C7 43 6C 28 22 03 00 MOV DWORD PTR [EBX+6C],00032228
0008BECE: C7 43 70 BB FD 04 00 MOV DWORD PTR [EBX+70],0004FDBB
0008BED5: C7 43 7C F5 BA 03 00 MOV DWORD PTR [EBX+7C],0003BAF5
0008BEDC: C7 83 80 00 00 00 91 CC 02 00 MOV DWORD PTR [EBX+00000080],0002CC91
0008BEE6: C7 83 88 00 00 00 50 AC 02 00 MOV DWORD PTR [EBX+00000088],0002AC50
0008BEF0: C7 83 8C 00 00 00 F6 FF 07 00 MOV DWORD PTR [EBX+0000008C],0007FFF6
0008BEFA: C7 43 78 12 12 02 00 MOV DWORD PTR [EBX+78],00021212
0008BF01: C7 83 9C 00 00 00 52 62 07 00 MOV DWORD PTR [EBX+0000009C],00076252
0008BF0B: C7 83 A0 00 00 00 9C 63 07 00 MOV DWORD PTR [EBX+000000A0],0007639C
0008BF15: C7 83 A4 00 00 00 C2 5E 07 00 MOV DWORD PTR [EBX+000000A4],00075EC2
0008BF1F: C7 43 28 C0 5E 02 00 MOV DWORD PTR [EBX+28],00025EC0
0008BF26: A3 04 5F 02 00 MOV [00025F04],EAX
上面是 ntfs.sys 反汇编出来的片段：驱动入口附近有一串往 [EBX+偏移] 写立即数的 MOV 指令，就是在填 DRIVER_OBJECT 的 MajorFunction 表。通过搜索 `C7 43 xx`（disp8 形式）和 `C7 83 xx 00 00 00`（disp32 形式）这两种编码，就能找到各个 IRP 分派函数的入口地址。
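/*
 * Look up a driver object by its object-manager path
 * (for example L"\\FileSystem\\Ntfs").
 *
 * ObReferenceObjectByName adds a reference to the object it returns. The
 * caller owns that reference and must release it with ObDereferenceObject
 * when it is done with the driver object.
 *
 * @param name  NUL-terminated wide-string object path.
 * @return The referenced DRIVER_OBJECT, or NULL if the lookup failed (the
 *         NTSTATUS is traced with DbgPrint).
 */
PVOID get_object(WCHAR* name)
{
    NTSTATUS status;
    UNICODE_STRING object_name;
    PDRIVER_OBJECT driver = NULL;

    RtlInitUnicodeString(&object_name, name);
    status = ObReferenceObjectByName(&object_name,
                                     OBJ_CASE_INSENSITIVE,
                                     NULL,                 /* no access state */
                                     0,                    /* no desired access */
                                     *IoDriverObjectType,
                                     KernelMode,
                                     NULL,                 /* no parse context */
                                     (PVOID *)&driver);
    if (!NT_SUCCESS(status)) {
        /* The old message said "create failed", which this function never does. */
        DbgPrint("myfsd: ObReferenceObjectByName failed: 0x%08x\n", status);
        return NULL;
    }
    return driver;
}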
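/*
 * Return the load base of the kernel module whose file name matches `name`
 * (case-insensitive), or NULL if it is not loaded or the query fails.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInformation). The returned
 * buffer is a ULONG module count followed by one record per module; the
 * record layout is this file's PSYSTEM_MODULE_INFORMATION, whose
 * ImageName + ModuleNameOffset gives the file-name part of the path. The
 * result is a snapshot: the module list can change after this returns.
 *
 * Fixes over the original: the three DbgPrint calls used "%d" with no
 * argument (undefined behaviour); the size probe was retried only once,
 * so a module list that grew between the two calls made the lookup fail;
 * the allocation now carries a pool tag.
 *
 * @param name  Module file name, e.g. "ntfs.sys".
 * @return Module base address, or NULL.
 */
PVOID get_moudle(char* name)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PVOID buffer = NULL;
    PVOID module_base = NULL;
    ULONG buffer_size = 0x1000;
    ULONG needed_size = 0;
    ULONG count, i;
    PSYSTEM_MODULE_INFORMATION entry;
    int attempt;

    /* The list can grow between the size probe and the real query, so retry
     * a bounded number of times instead of trusting the first reported size. */
    for (attempt = 0; attempt < 4; attempt++) {
        /* 'dsfm' is a constructed tag; use the project's own tag if it has one. */
        buffer = ExAllocatePoolWithTag(PagedPool, buffer_size, 'dsfm');
        if (buffer == NULL) {
            DbgPrint("myfsd: allocation of %lu bytes failed\n", buffer_size);
            return NULL;
        }
        status = ZwQuerySystemInformation(SystemModuleInformation, buffer, buffer_size, &needed_size);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        ExFreePool(buffer);
        buffer = NULL;
        if (needed_size <= buffer_size) {
            /* A mismatch should report a larger size; grow anyway to be safe. */
            needed_size = buffer_size * 2;
        }
        buffer_size = needed_size;
    }
    if (buffer == NULL) {
        DbgPrint("myfsd: module list kept growing, giving up\n");
        return NULL;
    }
    if (!NT_SUCCESS(status)) {
        DbgPrint("myfsd: ZwQuerySystemInformation failed: 0x%08x\n", status);
        ExFreePool(buffer);
        return NULL;
    }

    count = *(ULONG *)buffer;
    entry = (PSYSTEM_MODULE_INFORMATION)((char *)buffer + sizeof(ULONG));
    for (i = 0; i < count; i++, entry++) {
        if (_stricmp(entry->ImageName + entry->ModuleNameOffset, name) == 0) {
            module_base = entry->Base;
            break;
        }
    }

    ExFreePool(buffer);
    return module_base;
}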
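/*
 * Check one IRP dispatch entry of a loaded driver against the clean copy of
 * the same driver mapped from disk, and repair it if it differs.
 *
 * Two things are checked:
 *  1. MajorFunction[index] in the live DRIVER_OBJECT. It is expected to equal
 *     the routine's address from the file image, relocated to where the
 *     module is actually loaded; anything else means the dispatch table was
 *     redirected, and the original pointer is written back.
 *  2. The first 20 bytes (5 dwords) of the routine itself, compared with the
 *     clean image; any dword that differs is copied back from the image.
 *
 * Fixes over the original: NULL results from get_moudle/get_object were
 * dereferenced; the driver-object reference was never released; and the
 * inline-asm compare loop ended with `loopz`, whose ZF test was clobbered by
 * the preceding `inc edx`, so it only ever examined the first dword.
 *
 * Known limits (unchanged design): clearing CR0.WP and `cli` only affect the
 * processor this runs on, so on a multiprocessor system another CPU can run
 * the routine while it is being patched; the clean copy is the raw file
 * image, so a prologue legitimately changed by the loader would look
 * modified; hooks deeper than 20 bytes, or in the FastIo table, are not seen.
 *
 * @param name       Module file name, for get_moudle (e.g. "ntfs.sys").
 * @param link_name  Driver object path, for get_object (e.g. L"\\FileSystem\\Ntfs").
 * @param map_fun    Address of the routine inside the clean mapped image.
 * @param map_base   Base of the clean mapped image.
 * @param index      IRP_MJ_* index into MajorFunction.
 */
void init_ntfs_fun(char* name, WCHAR* link_name, ULONG* map_fun, ULONG* map_base, ULONG index)
{
    PVOID module_base;
    ULONG expected;             /* where MajorFunction[index] should point */
    PVOID live;                 /* where it actually points */
    PDRIVER_OBJECT driver;

    if (index > IRP_MJ_MAXIMUM_FUNCTION) {
        DbgPrint("myfsd: IRP_MJ index %lu out of range\n", index);
        return;
    }

    module_base = get_moudle(name);
    if (module_base == NULL) {
        DbgPrint("myfsd: module %s is not loaded\n", name);
        return;
    }
    /* Relocate the image-relative routine address to the live module. */
    expected = (ULONG)module_base + ((ULONG)map_fun - (ULONG)map_base);

    driver = (PDRIVER_OBJECT)get_object(link_name);
    if (driver == NULL) {
        return;   /* get_object already traced the failure */
    }

    live = driver->MajorFunction[index];
    if ((ULONG)live != expected) {
        /* Dispatch table was redirected: put the original pointer back. */
        DbgPrint("DriverDispatcher:0x%08x\n", live);
        live = (PVOID)expected;
        driver->MajorFunction[index] = live;
    }
    DbgPrint("basemoudleaddress:0x%08x\n", module_base);
    DbgPrint("causeaddr:0x%08x\n", expected);
    DbgPrint("factaddr:0x%08x\n", live);

    /* Compare the first 5 dwords of the live routine with the clean image and
     * copy back any dword that differs. Kernel code pages are read-only, so
     * CR0.WP is cleared around the write and restored afterwards. */
    _asm {
        pushad
        mov eax, cr0
        and eax, NOT 10000H
        mov cr0, eax
        mov esi, map_fun            ; clean copy
        mov edi, live               ; routine in the loaded module
        mov ecx, 5                  ; 5 dwords = 20 bytes
        cli
    compare_next:
        mov eax, dword ptr [esi]
        cmp eax, dword ptr [edi]
        je  no_change
        mov dword ptr [edi], eax
    no_change:
        add esi, 4
        add edi, 4
        dec ecx
        jnz compare_next
        sti
        mov eax, cr0
        or  eax, 10000H
        mov cr0, eax
        popad
    }

    ObDereferenceObject(driver);
}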
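/*
 * Map a clean copy of ntfs.sys from disk, locate the dispatch routine for
 * IRP major function `index` in that copy, and hand both to init_ntfs_fun
 * so the live driver can be checked against it.
 *
 * The file is mapped as SEC_IMAGE, so the loader's section layout applies
 * and AddressOfEntryPoint / ImageBase from the optional header can be used
 * directly. Only 32-bit PE images are handled (IMAGE_OPTIONAL_HEADER and
 * the pointer/ULONG casts are 32-bit).
 *
 * Fixes over the original: the file handle leaked when ZwCreateSection
 * failed; ZwUnmapViewOfSection was given the section handle where it
 * expects the process handle, so the view was never unmapped; a failed
 * string init returned 0 (= STATUS_SUCCESS); the result of get_funaddr was
 * used without checking for 0; the hard-coded C:\WINNT path is replaced by
 * \SystemRoot, which resolves to the running Windows directory.
 *
 * @param index  IRP_MJ_* index to check.
 * @return STATUS_SUCCESS, the failing NTSTATUS from the Zw* call, or
 *         STATUS_INVALID_IMAGE_FORMAT if the mapped file does not look like
 *         a PE image or the dispatch store could not be located in it.
 */
NTSTATUS init_ntfs(ULONG index)
{
    UNICODE_STRING file_name;
    OBJECT_ATTRIBUTES attrs;
    NTSTATUS status;
    HANDLE file_handle = NULL;
    HANDLE section_handle = NULL;
    IO_STATUS_BLOCK iosb;
    PVOID base_address = NULL;
    SIZE_T view_size = 0;
    IMAGE_DOS_HEADER *dos_header;
    IMAGE_NT_HEADERS *nt_headers;
    IMAGE_OPTIONAL_HEADER *opt_header;
    ULONG *entry_point;
    ULONG image_fun_address;
    ULONG *image_fun_point;

    RtlInitUnicodeString(&file_name, L"\\SystemRoot\\system32\\drivers\\ntfs.sys");
    /* OBJ_KERNEL_HANDLE keeps the handles out of the current process's table. */
    InitializeObjectAttributes(&attrs, &file_name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenFile(&file_handle, FILE_EXECUTE | FILE_READ_DATA, &attrs, &iosb, FILE_SHARE_READ, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("myfsd: ZwOpenFile failed: 0x%08x\n", status);
        return status;
    }

    /* Reuse the attributes for the (unnamed) section object. */
    attrs.ObjectName = NULL;
    status = ZwCreateSection(&section_handle, SECTION_ALL_ACCESS, &attrs, NULL, PAGE_EXECUTE, SEC_IMAGE, file_handle);
    if (!NT_SUCCESS(status)) {
        DbgPrint("myfsd: ZwCreateSection failed: 0x%08x\n", status);
        goto close_file;
    }

    /* ViewSize of 0 maps the whole image; the size comes back in view_size. */
    status = ZwMapViewOfSection(section_handle,
                                NtCurrentProcess(),
                                &base_address,
                                0,                  /* ZeroBits */
                                0x7ffff,            /* CommitSize, as in the original */
                                NULL,               /* SectionOffset */
                                &view_size,
                                ViewShare,
                                MEM_TOP_DOWN,
                                PAGE_READWRITE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("myfsd: ZwMapViewOfSection failed: 0x%08x\n", status);
        goto close_section;
    }

    /* Validate the headers before trusting offsets read from the file. */
    dos_header = (IMAGE_DOS_HEADER *)base_address;
    if (dos_header->e_magic != IMAGE_DOS_SIGNATURE ||
        dos_header->e_lfanew < 0 ||
        (ULONG)dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS) > view_size) {
        DbgPrint("myfsd: not a PE image\n");
        status = STATUS_INVALID_IMAGE_FORMAT;
        goto unmap;
    }
    nt_headers = (IMAGE_NT_HEADERS *)((char *)base_address + dos_header->e_lfanew);
    if (nt_headers->Signature != IMAGE_NT_SIGNATURE) {
        DbgPrint("myfsd: bad PE signature\n");
        status = STATUS_INVALID_IMAGE_FORMAT;
        goto unmap;
    }
    opt_header = &nt_headers->OptionalHeader;

    DbgPrint("BaseAddress:0x%08x\n", (ULONG)base_address);
    DbgPrint("EntryPoint:0x%08x\n", opt_header->AddressOfEntryPoint);
    DbgPrint("ImageBase:0x%08x\n", opt_header->ImageBase);
    DbgPrint("SizeOfImage:0x%08x\n", opt_header->SizeOfImage);

    entry_point = (ULONG *)((char *)base_address + opt_header->AddressOfEntryPoint);
    image_fun_address = get_funaddr(entry_point, index);
    if (image_fun_address == 0) {
        DbgPrint("myfsd: dispatch store for IRP_MJ %lu not found\n", index);
        status = STATUS_INVALID_IMAGE_FORMAT;
        goto unmap;
    }
    /* get_funaddr returns the linked (ImageBase-relative) address; make sure
     * it and the 20 bytes init_ntfs_fun compares lie inside the image. */
    if (image_fun_address < opt_header->ImageBase ||
        image_fun_address - opt_header->ImageBase + 20 > opt_header->SizeOfImage) {
        DbgPrint("myfsd: dispatch address 0x%08x outside image\n", image_fun_address);
        status = STATUS_INVALID_IMAGE_FORMAT;
        goto unmap;
    }
    image_fun_point = (ULONG *)((char *)base_address + (image_fun_address - opt_header->ImageBase));
    DbgPrint("funaddress:0x%08x\n", image_fun_point);

    init_ntfs_fun("ntfs.sys", L"\\FileSystem\\Ntfs", image_fun_point, (ULONG *)base_address, index);
    status = STATUS_SUCCESS;

unmap:
    /* First argument is the process handle, not the section handle. */
    ZwUnmapViewOfSection(NtCurrentProcess(), base_address);
close_section:
    ZwClose(section_handle);
close_file:
    ZwClose(file_handle);
    return status;
}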
代码是在 Windows 2000 上写的，或许不太稳定 嘿嘿
还好电脑总是最听话的 你叫他玩游戏 他不会看电影
哈哈 至少很少说谎
以后找女人也要找这样的
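/*
 * Scan the code that follows a driver's entry point for the instruction
 * that stores the dispatch routine for IRP major function `major_function`
 * into DRIVER_OBJECT::MajorFunction, and return the address it stores.
 *
 * The compiler emits that store in one of two x86 encodings, both visible
 * in the ntfs.sys disassembly kept next to this function:
 *   C7 43 dd imm32             mov dword ptr [ebx+dd], imm32        (disp8)
 *   C7 83 dd 00 00 00 imm32    mov dword ptr [ebx+000000dd], imm32  (disp32)
 * where dd = 0x38 + 4 * major_function is the slot's offset inside the
 * driver object (MajorFunction starts at 0x38 on 32-bit builds, so this
 * whole routine is 32-bit specific). It assumes EBX holds the DRIVER_OBJECT
 * pointer, which is what that disassembly shows; a different build or
 * compiler may pick another base register and then nothing is found.
 *
 * The original version matched the pattern through a masked, misaligned
 * ULONG read and a non-standard `((char*)p)++`; this version compares bytes
 * and assembles the immediate itself, so no unaligned dereference is needed.
 *
 * @param pdriver_entry   Address inside the mapped image to start scanning
 *                        from (the caller passes AddressOfEntryPoint).
 * @param major_function  IRP_MJ_* index.
 * @return The imm32 operand, i.e. the routine's address as linked (relative
 *         to the image's preferred ImageBase), or 0 if no matching store is
 *         found within SearchDepth bytes (constant defined elsewhere in
 *         this file) or the slot offset cannot be encoded.
 */
ULONG get_funaddr(ULONG* pdriver_entry, ULONG major_function)
{
    const unsigned char *code = (const unsigned char *)pdriver_entry;
    ULONG slot = major_function * 4 + 0x38;   /* displacement of the table slot */
    int i;

    /* Both encodings carry the slot offset in a single byte. */
    if (slot > 0xff) {
        return 0;
    }

    for (i = 0; i < SearchDepth; i++) {
        const unsigned char *p = code + i;
        const unsigned char *imm = NULL;

        if (p[0] != 0xC7 || p[2] != (unsigned char)slot) {
            continue;
        }
        if (slot < 0x80) {
            /* disp8 is sign-extended, so offsets below 0x80 use the short form. */
            if (p[1] == 0x43) {
                imm = p + 3;
            }
        } else {
            /* Offsets 0x80..0xff need disp32; the upper three bytes are zero. */
            if (p[1] == 0x83 && p[3] == 0 && p[4] == 0 && p[5] == 0) {
                imm = p + 6;
            }
        }
        if (imm != NULL) {
            DbgPrint("GetFunctionAddrByID:0x%08x\n", (ULONG)imm);
            /* Little-endian imm32, read byte-wise because it can sit at any offset. */
            return (ULONG)imm[0] | ((ULONG)imm[1] << 8) |
                   ((ULONG)imm[2] << 16) | ((ULONG)imm[3] << 24);
        }
    }
    return 0;
}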
0008BE6D: 8B 3D 58 2A 02 00 MOV EDI,[00022A58]
0008BE73: C7 43 38 7A E4 02 00 MOV DWORD PTR [EBX+38],0002E47A
0008BE7A: C7 43 40 F0 B8 02 00 MOV DWORD PTR [EBX+40],0002B8F0
0008BE81: C7 43 44 A3 2F 01 00 MOV DWORD PTR [EBX+44],00012FA3
0008BE88: C7 43 48 20 03 01 00 MOV DWORD PTR [EBX+48],00010320
0008BE8F: C7 43 4C 4C EB 02 00 MOV DWORD PTR [EBX+4C],0002EB4C
0008BE96: C7 43 50 27 88 02 00 MOV DWORD PTR [EBX+50],00028827
0008BE9D: C7 43 54 95 1B 06 00 MOV DWORD PTR [EBX+54],00061B95
0008BEA4: C7 43 58 DF 1C 06 00 MOV DWORD PTR [EBX+58],00061CDF
0008BEAB: C7 43 5C DF A6 03 00 MOV DWORD PTR [EBX+5C],0003A6DF
0008BEB2: C7 43 60 B8 4F 03 00 MOV DWORD PTR [EBX+60],00034FB8
0008BEB9: C7 43 64 E6 7C 08 00 MOV DWORD PTR [EBX+64],00087CE6
0008BEC0: C7 43 68 9D 06 03 00 MOV DWORD PTR [EBX+68],0003069D
0008BEC7: C7 43 6C 28 22 03 00 MOV DWORD PTR [EBX+6C],00032228
0008BECE: C7 43 70 BB FD 04 00 MOV DWORD PTR [EBX+70],0004FDBB
0008BED5: C7 43 7C F5 BA 03 00 MOV DWORD PTR [EBX+7C],0003BAF5
0008BEDC: C7 83 80 00 00 00 91 CC 02 00 MOV DWORD PTR [EBX+00000080],0002CC91
0008BEE6: C7 83 88 00 00 00 50 AC 02 00 MOV DWORD PTR [EBX+00000088],0002AC50
0008BEF0: C7 83 8C 00 00 00 F6 FF 07 00 MOV DWORD PTR [EBX+0000008C],0007FFF6
0008BEFA: C7 43 78 12 12 02 00 MOV DWORD PTR [EBX+78],00021212
0008BF01: C7 83 9C 00 00 00 52 62 07 00 MOV DWORD PTR [EBX+0000009C],00076252
0008BF0B: C7 83 A0 00 00 00 9C 63 07 00 MOV DWORD PTR [EBX+000000A0],0007639C
0008BF15: C7 83 A4 00 00 00 C2 5E 07 00 MOV DWORD PTR [EBX+000000A4],00075EC2
0008BF1F: C7 43 28 C0 5E 02 00 MOV DWORD PTR [EBX+28],00025EC0
0008BF26: A3 04 5F 02 00 MOV [00025F04],EAX
上面是 ntfs.sys 反汇编出来的片段：驱动入口附近有一串往 [EBX+偏移] 写立即数的 MOV 指令，就是在填 DRIVER_OBJECT 的 MajorFunction 表。通过搜索 `C7 43 xx`（disp8 形式）和 `C7 83 xx 00 00 00`（disp32 形式）这两种编码，就能找到各个 IRP 分派函数的入口地址。
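/*
 * Look up a driver object by its object-manager path
 * (for example L"\\FileSystem\\Ntfs").
 *
 * ObReferenceObjectByName adds a reference to the object it returns. The
 * caller owns that reference and must release it with ObDereferenceObject
 * when it is done with the driver object.
 *
 * @param name  NUL-terminated wide-string object path.
 * @return The referenced DRIVER_OBJECT, or NULL if the lookup failed (the
 *         NTSTATUS is traced with DbgPrint).
 */
PVOID get_object(WCHAR* name)
{
    NTSTATUS status;
    UNICODE_STRING object_name;
    PDRIVER_OBJECT driver = NULL;

    RtlInitUnicodeString(&object_name, name);
    status = ObReferenceObjectByName(&object_name,
                                     OBJ_CASE_INSENSITIVE,
                                     NULL,                 /* no access state */
                                     0,                    /* no desired access */
                                     *IoDriverObjectType,
                                     KernelMode,
                                     NULL,                 /* no parse context */
                                     (PVOID *)&driver);
    if (!NT_SUCCESS(status)) {
        /* The old message said "create failed", which this function never does. */
        DbgPrint("myfsd: ObReferenceObjectByName failed: 0x%08x\n", status);
        return NULL;
    }
    return driver;
}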
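/*
 * Return the load base of the kernel module whose file name matches `name`
 * (case-insensitive), or NULL if it is not loaded or the query fails.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInformation). The returned
 * buffer is a ULONG module count followed by one record per module; the
 * record layout is this file's PSYSTEM_MODULE_INFORMATION, whose
 * ImageName + ModuleNameOffset gives the file-name part of the path. The
 * result is a snapshot: the module list can change after this returns.
 *
 * Fixes over the original: the three DbgPrint calls used "%d" with no
 * argument (undefined behaviour); the size probe was retried only once,
 * so a module list that grew between the two calls made the lookup fail;
 * the allocation now carries a pool tag.
 *
 * @param name  Module file name, e.g. "ntfs.sys".
 * @return Module base address, or NULL.
 */
PVOID get_moudle(char* name)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PVOID buffer = NULL;
    PVOID module_base = NULL;
    ULONG buffer_size = 0x1000;
    ULONG needed_size = 0;
    ULONG count, i;
    PSYSTEM_MODULE_INFORMATION entry;
    int attempt;

    /* The list can grow between the size probe and the real query, so retry
     * a bounded number of times instead of trusting the first reported size. */
    for (attempt = 0; attempt < 4; attempt++) {
        /* 'dsfm' is a constructed tag; use the project's own tag if it has one. */
        buffer = ExAllocatePoolWithTag(PagedPool, buffer_size, 'dsfm');
        if (buffer == NULL) {
            DbgPrint("myfsd: allocation of %lu bytes failed\n", buffer_size);
            return NULL;
        }
        status = ZwQuerySystemInformation(SystemModuleInformation, buffer, buffer_size, &needed_size);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        ExFreePool(buffer);
        buffer = NULL;
        if (needed_size <= buffer_size) {
            /* A mismatch should report a larger size; grow anyway to be safe. */
            needed_size = buffer_size * 2;
        }
        buffer_size = needed_size;
    }
    if (buffer == NULL) {
        DbgPrint("myfsd: module list kept growing, giving up\n");
        return NULL;
    }
    if (!NT_SUCCESS(status)) {
        DbgPrint("myfsd: ZwQuerySystemInformation failed: 0x%08x\n", status);
        ExFreePool(buffer);
        return NULL;
    }

    count = *(ULONG *)buffer;
    entry = (PSYSTEM_MODULE_INFORMATION)((char *)buffer + sizeof(ULONG));
    for (i = 0; i < count; i++, entry++) {
        if (_stricmp(entry->ImageName + entry->ModuleNameOffset, name) == 0) {
            module_base = entry->Base;
            break;
        }
    }

    ExFreePool(buffer);
    return module_base;
}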
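/*
 * Check one IRP dispatch entry of a loaded driver against the clean copy of
 * the same driver mapped from disk, and repair it if it differs.
 *
 * Two things are checked:
 *  1. MajorFunction[index] in the live DRIVER_OBJECT. It is expected to equal
 *     the routine's address from the file image, relocated to where the
 *     module is actually loaded; anything else means the dispatch table was
 *     redirected, and the original pointer is written back.
 *  2. The first 20 bytes (5 dwords) of the routine itself, compared with the
 *     clean image; any dword that differs is copied back from the image.
 *
 * Fixes over the original: NULL results from get_moudle/get_object were
 * dereferenced; the driver-object reference was never released; and the
 * inline-asm compare loop ended with `loopz`, whose ZF test was clobbered by
 * the preceding `inc edx`, so it only ever examined the first dword.
 *
 * Known limits (unchanged design): clearing CR0.WP and `cli` only affect the
 * processor this runs on, so on a multiprocessor system another CPU can run
 * the routine while it is being patched; the clean copy is the raw file
 * image, so a prologue legitimately changed by the loader would look
 * modified; hooks deeper than 20 bytes, or in the FastIo table, are not seen.
 *
 * @param name       Module file name, for get_moudle (e.g. "ntfs.sys").
 * @param link_name  Driver object path, for get_object (e.g. L"\\FileSystem\\Ntfs").
 * @param map_fun    Address of the routine inside the clean mapped image.
 * @param map_base   Base of the clean mapped image.
 * @param index      IRP_MJ_* index into MajorFunction.
 */
void init_ntfs_fun(char* name, WCHAR* link_name, ULONG* map_fun, ULONG* map_base, ULONG index)
{
    PVOID module_base;
    ULONG expected;             /* where MajorFunction[index] should point */
    PVOID live;                 /* where it actually points */
    PDRIVER_OBJECT driver;

    if (index > IRP_MJ_MAXIMUM_FUNCTION) {
        DbgPrint("myfsd: IRP_MJ index %lu out of range\n", index);
        return;
    }

    module_base = get_moudle(name);
    if (module_base == NULL) {
        DbgPrint("myfsd: module %s is not loaded\n", name);
        return;
    }
    /* Relocate the image-relative routine address to the live module. */
    expected = (ULONG)module_base + ((ULONG)map_fun - (ULONG)map_base);

    driver = (PDRIVER_OBJECT)get_object(link_name);
    if (driver == NULL) {
        return;   /* get_object already traced the failure */
    }

    live = driver->MajorFunction[index];
    if ((ULONG)live != expected) {
        /* Dispatch table was redirected: put the original pointer back. */
        DbgPrint("DriverDispatcher:0x%08x\n", live);
        live = (PVOID)expected;
        driver->MajorFunction[index] = live;
    }
    DbgPrint("basemoudleaddress:0x%08x\n", module_base);
    DbgPrint("causeaddr:0x%08x\n", expected);
    DbgPrint("factaddr:0x%08x\n", live);

    /* Compare the first 5 dwords of the live routine with the clean image and
     * copy back any dword that differs. Kernel code pages are read-only, so
     * CR0.WP is cleared around the write and restored afterwards. */
    _asm {
        pushad
        mov eax, cr0
        and eax, NOT 10000H
        mov cr0, eax
        mov esi, map_fun            ; clean copy
        mov edi, live               ; routine in the loaded module
        mov ecx, 5                  ; 5 dwords = 20 bytes
        cli
    compare_next:
        mov eax, dword ptr [esi]
        cmp eax, dword ptr [edi]
        je  no_change
        mov dword ptr [edi], eax
    no_change:
        add esi, 4
        add edi, 4
        dec ecx
        jnz compare_next
        sti
        mov eax, cr0
        or  eax, 10000H
        mov cr0, eax
        popad
    }

    ObDereferenceObject(driver);
}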
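/*
 * Map a clean copy of ntfs.sys from disk, locate the dispatch routine for
 * IRP major function `index` in that copy, and hand both to init_ntfs_fun
 * so the live driver can be checked against it.
 *
 * The file is mapped as SEC_IMAGE, so the loader's section layout applies
 * and AddressOfEntryPoint / ImageBase from the optional header can be used
 * directly. Only 32-bit PE images are handled (IMAGE_OPTIONAL_HEADER and
 * the pointer/ULONG casts are 32-bit).
 *
 * Fixes over the original: the file handle leaked when ZwCreateSection
 * failed; ZwUnmapViewOfSection was given the section handle where it
 * expects the process handle, so the view was never unmapped; a failed
 * string init returned 0 (= STATUS_SUCCESS); the result of get_funaddr was
 * used without checking for 0; the hard-coded C:\WINNT path is replaced by
 * \SystemRoot, which resolves to the running Windows directory.
 *
 * @param index  IRP_MJ_* index to check.
 * @return STATUS_SUCCESS, the failing NTSTATUS from the Zw* call, or
 *         STATUS_INVALID_IMAGE_FORMAT if the mapped file does not look like
 *         a PE image or the dispatch store could not be located in it.
 */
NTSTATUS init_ntfs(ULONG index)
{
    UNICODE_STRING file_name;
    OBJECT_ATTRIBUTES attrs;
    NTSTATUS status;
    HANDLE file_handle = NULL;
    HANDLE section_handle = NULL;
    IO_STATUS_BLOCK iosb;
    PVOID base_address = NULL;
    SIZE_T view_size = 0;
    IMAGE_DOS_HEADER *dos_header;
    IMAGE_NT_HEADERS *nt_headers;
    IMAGE_OPTIONAL_HEADER *opt_header;
    ULONG *entry_point;
    ULONG image_fun_address;
    ULONG *image_fun_point;

    RtlInitUnicodeString(&file_name, L"\\SystemRoot\\system32\\drivers\\ntfs.sys");
    /* OBJ_KERNEL_HANDLE keeps the handles out of the current process's table. */
    InitializeObjectAttributes(&attrs, &file_name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenFile(&file_handle, FILE_EXECUTE | FILE_READ_DATA, &attrs, &iosb, FILE_SHARE_READ, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("myfsd: ZwOpenFile failed: 0x%08x\n", status);
        return status;
    }

    /* Reuse the attributes for the (unnamed) section object. */
    attrs.ObjectName = NULL;
    status = ZwCreateSection(&section_handle, SECTION_ALL_ACCESS, &attrs, NULL, PAGE_EXECUTE, SEC_IMAGE, file_handle);
    if (!NT_SUCCESS(status)) {
        DbgPrint("myfsd: ZwCreateSection failed: 0x%08x\n", status);
        goto close_file;
    }

    /* ViewSize of 0 maps the whole image; the size comes back in view_size. */
    status = ZwMapViewOfSection(section_handle,
                                NtCurrentProcess(),
                                &base_address,
                                0,                  /* ZeroBits */
                                0x7ffff,            /* CommitSize, as in the original */
                                NULL,               /* SectionOffset */
                                &view_size,
                                ViewShare,
                                MEM_TOP_DOWN,
                                PAGE_READWRITE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("myfsd: ZwMapViewOfSection failed: 0x%08x\n", status);
        goto close_section;
    }

    /* Validate the headers before trusting offsets read from the file. */
    dos_header = (IMAGE_DOS_HEADER *)base_address;
    if (dos_header->e_magic != IMAGE_DOS_SIGNATURE ||
        dos_header->e_lfanew < 0 ||
        (ULONG)dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS) > view_size) {
        DbgPrint("myfsd: not a PE image\n");
        status = STATUS_INVALID_IMAGE_FORMAT;
        goto unmap;
    }
    nt_headers = (IMAGE_NT_HEADERS *)((char *)base_address + dos_header->e_lfanew);
    if (nt_headers->Signature != IMAGE_NT_SIGNATURE) {
        DbgPrint("myfsd: bad PE signature\n");
        status = STATUS_INVALID_IMAGE_FORMAT;
        goto unmap;
    }
    opt_header = &nt_headers->OptionalHeader;

    DbgPrint("BaseAddress:0x%08x\n", (ULONG)base_address);
    DbgPrint("EntryPoint:0x%08x\n", opt_header->AddressOfEntryPoint);
    DbgPrint("ImageBase:0x%08x\n", opt_header->ImageBase);
    DbgPrint("SizeOfImage:0x%08x\n", opt_header->SizeOfImage);

    entry_point = (ULONG *)((char *)base_address + opt_header->AddressOfEntryPoint);
    image_fun_address = get_funaddr(entry_point, index);
    if (image_fun_address == 0) {
        DbgPrint("myfsd: dispatch store for IRP_MJ %lu not found\n", index);
        status = STATUS_INVALID_IMAGE_FORMAT;
        goto unmap;
    }
    /* get_funaddr returns the linked (ImageBase-relative) address; make sure
     * it and the 20 bytes init_ntfs_fun compares lie inside the image. */
    if (image_fun_address < opt_header->ImageBase ||
        image_fun_address - opt_header->ImageBase + 20 > opt_header->SizeOfImage) {
        DbgPrint("myfsd: dispatch address 0x%08x outside image\n", image_fun_address);
        status = STATUS_INVALID_IMAGE_FORMAT;
        goto unmap;
    }
    image_fun_point = (ULONG *)((char *)base_address + (image_fun_address - opt_header->ImageBase));
    DbgPrint("funaddress:0x%08x\n", image_fun_point);

    init_ntfs_fun("ntfs.sys", L"\\FileSystem\\Ntfs", image_fun_point, (ULONG *)base_address, index);
    status = STATUS_SUCCESS;

unmap:
    /* First argument is the process handle, not the section handle. */
    ZwUnmapViewOfSection(NtCurrentProcess(), base_address);
close_section:
    ZwClose(section_handle);
close_file:
    ZwClose(file_handle);
    return status;
}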
代码是在 Windows 2000 上写的，或许不太稳定 嘿嘿