Hook API监视驱动的加载_ASM
2008-06-10 13:30
232 查看
转自:http://blog.csdn.net/iiprogram/archive/2007/09/06/1774026.aspx
;**************************************************************************************************
;Author:dge/D哥
;Date :2006.7.20
;**************************************************************************************************
;@echo off
;goto make
.386
.model flat, stdcall
option casemap:none
;**************************************************************************************************
include d:/masm32/include/w2k/ntstatus.inc
include d:/masm32/include/w2k/ntddk.inc
include d:/masm32/include/w2k/ntoskrnl.inc
includelib d:/masm32/lib/w2k/ntoskrnl.lib
include d:/masm32/Macros/Strings.mac
;**************************************************************************************************
.data
;保存地址
dwOldNtLoadDriver dd ?
dwAddr dd ?
dwDriverName ANSI_STRING
.const
CCOUNTED_UNICODE_STRING "//Device//devHookApi", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "//??//slHookApi", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "ZwLoadDriver", g_usRoutineAddr, 4
;**************************************************************************************************
.code
;让这个函数在NtLoadDriver的调用时被执行以实现监视
NewNtLoadDriver proc lpDriverName:PUNICODE_STRING
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into NEW/n")
invoke RtlUnicodeStringToAnsiString, addr dwDriverName, lpDriverName,TRUE
invoke DbgPrint, $CTA0("/nDriverName: %s.sys/n"), dwDriverName.Buffer
popad
;调用原函数
push lpDriverName
call dwOldNtLoadDriver
ret
NewNtLoadDriver endp
;**************************************************************************************************
HookFunction proc
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into hoookfunction/n")
;下面是用KeServiceDescriptorTabled导出符号获得数组的基地址,这个数组中包含有NtXXXX函数的入口地址。
mov eax, KeServiceDescriptorTable
mov esi, [eax]
mov esi, [esi]
;用MmGetSystemRoutineAddress来获得函数ZwLoadDriver的地址。并从这个函数地址后面的第2个字节中取得服务号。从而
;获得以服务号为下标的数组元素。
invoke MmGetSystemRoutineAddress,addr g_usRoutineAddr
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
;保存旧的函数地址。
mov dwOldNtLoadDriver,edi
mov edi,offset NewNtLoadDriver
;修改入口地址
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS
ret
HookFunction endp
;**************************************************************************************************
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
mov eax, pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
and [eax].IoStatus.Information, 0
assume eax:nothing
invoke IoCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
;**************************************************************************************************
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;必须保存环境,否则后果很严重。在这个函数中恢复被修改的地址。
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverUnload /n")
mov esi,dwAddr
mov eax,dwOldNtLoadDriver
cli
mov dword ptr[esi],eax
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
ret
DriverUnload endp
;**************************************************************************************************
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverEntry/n")
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
mov [eax].MajorFunction[IRP_MJ_Create*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
assume eax:nothing
invoke HookFunction
mov status, STATUS_SUCCESS
.else
invoke IoDeleteDevice, pDeviceObject
.endif
.endif
mov eax, status
ret
DriverEntry endp
<
4000
br />end DriverEntry
;**************************************************************************************************
:make
set drv=HooKapi
d:/masm32/bin/ml /nologo /c /coff %drv%.bat
d:/masm32/bin/link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause
参考:Undocumented Windows NT
感谢:非常感谢cardmagic大侠的帮助
;**************************************************************************************************
;Author:dge/D哥
;Date :2006.7.20
;**************************************************************************************************
;@echo off
;goto make
.386
.model flat, stdcall
option casemap:none
;**************************************************************************************************
include d:/masm32/include/w2k/ntstatus.inc
include d:/masm32/include/w2k/ntddk.inc
include d:/masm32/include/w2k/ntoskrnl.inc
includelib d:/masm32/lib/w2k/ntoskrnl.lib
include d:/masm32/Macros/Strings.mac
;**************************************************************************************************
.data
;保存地址
dwOldNtLoadDriver dd ?
dwAddr dd ?
dwDriverName ANSI_STRING
.const
CCOUNTED_UNICODE_STRING "//Device//devHookApi", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "//??//slHookApi", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "ZwLoadDriver", g_usRoutineAddr, 4
;**************************************************************************************************
.code
;让这个函数在NtLoadDriver的调用时被执行以实现监视
NewNtLoadDriver proc lpDriverName:PUNICODE_STRING
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into NEW/n")
invoke RtlUnicodeStringToAnsiString, addr dwDriverName, lpDriverName,TRUE
invoke DbgPrint, $CTA0("/nDriverName: %s.sys/n"), dwDriverName.Buffer
popad
;调用原函数
push lpDriverName
call dwOldNtLoadDriver
ret
NewNtLoadDriver endp
;**************************************************************************************************
HookFunction proc
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into hoookfunction/n")
;下面是用KeServiceDescriptorTabled导出符号获得数组的基地址,这个数组中包含有NtXXXX函数的入口地址。
mov eax, KeServiceDescriptorTable
mov esi, [eax]
mov esi, [esi]
;用MmGetSystemRoutineAddress来获得函数ZwLoadDriver的地址。并从这个函数地址后面的第2个字节中取得服务号。从而
;获得以服务号为下标的数组元素。
invoke MmGetSystemRoutineAddress,addr g_usRoutineAddr
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
;保存旧的函数地址。
mov dwOldNtLoadDriver,edi
mov edi,offset NewNtLoadDriver
;修改入口地址
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS
ret
HookFunction endp
;**************************************************************************************************
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
mov eax, pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
and [eax].IoStatus.Information, 0
assume eax:nothing
invoke IoCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
;**************************************************************************************************
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;必须保存环境,否则后果很严重。在这个函数中恢复被修改的地址。
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverUnload /n")
mov esi,dwAddr
mov eax,dwOldNtLoadDriver
cli
mov dword ptr[esi],eax
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
ret
DriverUnload endp
;**************************************************************************************************
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverEntry/n")
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
mov [eax].MajorFunction[IRP_MJ_Create*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
assume eax:nothing
invoke HookFunction
mov status, STATUS_SUCCESS
.else
invoke IoDeleteDevice, pDeviceObject
.endif
.endif
mov eax, status
ret
DriverEntry endp
<
4000
br />end DriverEntry
;**************************************************************************************************
:make
set drv=HooKapi
d:/masm32/bin/ml /nologo /c /coff %drv%.bat
d:/masm32/bin/link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause
参考:Undocumented Windows NT
感谢:非常感谢cardmagic大侠的帮助
相关文章推荐
- Hook API监视驱动的加载_ASM
- Hook :HOOK API 原理深入剖析3 - Inline(监视任意函数)
- Hook导入表 —— 实现挂钩FreeLibaray和HOOK延迟加载模块的API
- 通过HookNtCreateSection 动态监控驱动sys、动态链接库dll、可执行文件exe加载
- 通过HookNtCreateSection 动态监控驱动sys、动态链接库dll、可执行文件exe加载
- 通过HookNtCreateSection 动态监控驱动sys、动态链接库dll、可执行文件exe加载
- Hook导入表 —— 实现挂钩FreeLibaray和HOOK延迟加载模块的API
- android加固系列—5.加固前先学会破解,hook(钩子)jni层系统api
- Redhat9不支持ndiswrapper加载Intel2200BG XP驱动,不用折腾了
- 驱动开发之 加载NT式驱动
- 百度地图API详解之地图API加载方式
- 截取程序的网络封包(Delphi Hook API)
- linux驱动的入口函数module_init的加载和释放
- linux设备驱动day3-驱动介绍,注册和加载实现
- wince下如何加载驱动(摘录)
- 编写软件动态加载NT式驱动
- Libgdx New 3D API 教程之 -- 使用Libgdx加载模型
- 在MyEclipse中加载Mysql驱动方法
- Vultr VPS自定义安装Windows2003 ISO系统以及加载驱动可远程上网
- Windows API Hook