驱动加载监控x86
2016-04-10 18:28
Hook_ZwLoadDriver
HOOK_ZwSetSystemInformation
NTSTATUS
NTAPI HOOK_NtSetSystemInformation
(
IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength
)
((SystemInformationClass == SystemLoadAndCallImage)
(SystemInformationClass == SystemLoadImage))
//问题 在ZwLoadDriver中 如果是用SCM加载驱动,那么得到的进程路径是services.exe(SCM 所在进程,而不是真正发起加载的程序),解决的方法是hook下面的函数
XP:
NtRequestWaitReplyPort
Win7:
ZwAlpcSendWaitReceivePort
Unhook需要通过deviceiocontrol来进行
参考【原创】总结一把,较为精确判断SCM加载 - 看雪安全论坛
部分代码:
HOOK_ZwSetSystemInformation
NTSTATUS
NTAPI HOOK_NtSetSystemInformation
(
IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength
)
((SystemInformationClass == SystemLoadAndCallImage)
(SystemInformationClass == SystemLoadImage))
//问题 在ZwLoadDriver中 如果是用SCM加载驱动,那么得到的进程路径是services.exe(SCM 所在进程,而不是真正发起加载的程序),解决的方法是hook下面的函数
XP:
NtRequestWaitReplyPort
Win7:
ZwAlpcSendWaitReceivePort
Unhook需要通过deviceiocontrol来进行
参考【原创】总结一把,较为精确判断SCM加载 - 看雪安全论坛
部分代码:
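#include "precomp.h"

/*
 * SSDT hook on ZwLoadDriver (x86 only).
 *
 * Logs which driver image a user-mode caller asks to load and which process
 * asked for it. The HIPS callback below is commented out, so as written the
 * hook is log-only: CallBackResult is always R3Result_Pass and no load is
 * ever refused.
 *
 * Known limitation (see the page text): a driver started through the SCM is
 * reported with the SCM's own process as the requester.
 */

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase; /* used only in checked builds */
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/*
 * Resolve an SSDT slot from a Zw* stub. On x86 each Zw* stub begins with
 * "mov eax, <service index>", so the index is the DWORD at stub+1. This is
 * why the listing is x86-only: x64 stubs are laid out differently and the
 * SSDT is not a supported hook point there.
 */
#define SYSTEMSERVICE(_function) \
    KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)(_function) + 1)]
#define SDT  SYSTEMSERVICE
#define KSDT KeServiceDescriptorTable

void StartHook(void);
void RemoveHook(void);

NTKERNELAPI NTSTATUS ZwLoadDriver(IN PUNICODE_STRING DriverServiceName);
NTSTATUS Hook_ZwLoadDriver(IN PUNICODE_STRING DriverServiceName);

typedef NTSTATUS (*ZWLOADDRIVER)(IN PUNICODE_STRING DriverServiceName);

/*
 * Original SSDT entry. Deliberately left valid after RemoveHook so that a
 * thread still inside Hook_ZwLoadDriver can finish its call through it.
 */
static ZWLOADDRIVER OldZwLoadDriver = NULL;

/* Whether the SSDT slot currently points at Hook_ZwLoadDriver. */
static BOOLEAN g_HookInstalled = FALSE;

/*
 * Replacement for the ZwLoadDriver SSDT entry.
 *
 * DriverServiceName: user-mode UNICODE_STRING naming the service whose image
 *                    is to be loaded (kernel-mode callers are passed straight
 *                    through, as is a NULL argument).
 * Returns STATUS_ACCESS_DENIED when the (currently disabled) policy callback
 * blocks the load, otherwise whatever the original ZwLoadDriver returns.
 *
 * The name is captured into a kernel copy under SEH before being inspected;
 * any access violation while reading the user buffer is swallowed and the
 * request is handed to the original, which probes the buffer itself.
 *
 * NOTE(review): the decision is taken on the kernel copy, but the original
 * service is then invoked with the caller's pointer, so user mode can change
 * the string between inspection and use (TOCTOU). As long as the hook is
 * log-only this only affects what gets logged.
 */
NTSTATUS Hook_ZwLoadDriver(IN PUNICODE_STRING DriverServiceName)
{
    WCHAR wszPath[MAX_PATH] = {0};
    WCHAR szTargetDriver[MAX_PATH] = {0};
    WCHAR wszProcessPath[MAX_PATH] = {0};
    UNICODE_STRING uPath = {0};
    UNICODE_STRING ustrProcessPath = {0};
    R3_RESULT CallBackResult = R3Result_Pass;
    NTSTATUS status = STATUS_SUCCESS;
    BOOLEAN decided = FALSE;

    /* Kernel callers are trusted by this monitor and never inspected. */
    if (ExGetPreviousMode() == KernelMode || DriverServiceName == NULL) {
        return OldZwLoadDriver(DriverServiceName);
    }

    uPath.Buffer = wszPath;
    uPath.Length = 0;
    uPath.MaximumLength = sizeof(wszPath);

    __try {
        UNICODE_STRING CapturedName = ProbeAndReadUnicodeString(DriverServiceName);
        ProbeForRead(CapturedName.Buffer, CapturedName.Length, sizeof(WCHAR));

        /*
         * RtlCopyUnicodeString truncates silently to MaximumLength. A verdict
         * based on a truncated name is not a verdict about the real name, so
         * over-long names are not inspected at all. The original listing
         * fails open in every error path, and this keeps that behaviour;
         * NOTE(review): if the block callback is ever enabled, this is a
         * bypass and should become a deny.
         */
        if (CapturedName.Length < uPath.MaximumLength) {
            RtlCopyUnicodeString(&uPath, &CapturedName);

            if (ntGetDriverImagePath(&uPath, szTargetDriver)) {
                DbgPrint("Driver:%ws will be loaded\n", szTargetDriver);

                ustrProcessPath.Buffer = wszProcessPath;
                ustrProcessPath.Length = 0;
                ustrProcessPath.MaximumLength = sizeof(wszProcessPath);
                GetProcessFullNameByPid(PsGetCurrentProcessId(), &ustrProcessPath);
                DbgPrint("Parent:%wZ\n", &ustrProcessPath);

                /* Policy decision point; disabled in this listing, so the
                   hook only logs. */
                //CallBackResult = hipsGetResultFromUser(L"加载", szTargetDriver, NULL, User_DefaultNon);

                if (CallBackResult == R3Result_Block) {
                    status = STATUS_ACCESS_DENIED;
                } else {
                    status = OldZwLoadDriver(DriverServiceName);
                }
                decided = TRUE;
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Bad user pointer: let the original service reject it itself. */
    }

    if (decided) {
        return status;
    }
    return OldZwLoadDriver(DriverServiceName);
}

/*
 * Atomically replace one SSDT slot and return its previous contents.
 *
 * The SSDT is in read-only pages, so CR0.WP is cleared around the store.
 * The original listing toggled CR0 alone, which has two defects: it ORed WP
 * back in unconditionally instead of restoring the value it found, and
 * nothing stopped the thread from being preempted between clearing WP and
 * the store and resumed on another CPU, where WP is still set and the store
 * faults. Interrupts are therefore disabled for the few-instruction window,
 * and EFLAGS is restored afterwards rather than assumed to have been
 * enabled.
 *
 * slot:     address of the SSDT entry to overwrite.
 * newValue: function pointer to store, as a LONG.
 * Returns the previous slot contents.
 */
static PVOID SwapSdtEntry(PLONG slot, LONG newValue)
{
    ULONG savedCr0 = 0;
    ULONG savedFlags = 0;
    LONG previous;

    __asm {
        pushfd
        pop savedFlags
        cli
        mov eax, cr0
        mov savedCr0, eax
        and eax, 0FFFEFFFFh     /* clear CR0.WP (bit 16) */
        mov cr0, eax
    }

    previous = InterlockedExchange(slot, newValue);

    __asm {
        mov eax, savedCr0
        mov cr0, eax
        push savedFlags
        popfd                   /* re-enables interrupts only if they were on */
    }

    return (PVOID)previous;
}

/*
 * Install the ZwLoadDriver hook.
 *
 * Calling this twice in the original listing stored Hook_ZwLoadDriver into
 * OldZwLoadDriver and made the hook call itself forever; a second call is
 * now a no-op. NOTE(review): StartHook/RemoveHook are assumed to be called
 * from DriverEntry/Unload only and are not protected against each other.
 */
void StartHook(void)
{
    if (g_HookInstalled) {
        return;
    }
    OldZwLoadDriver = (ZWLOADDRIVER)SwapSdtEntry((PLONG)&SDT(ZwLoadDriver),
                                                 (LONG)Hook_ZwLoadDriver);
    g_HookInstalled = TRUE;
}

/*
 * Restore the original ZwLoadDriver SSDT entry. A no-op when not hooked.
 *
 * NOTE(review): threads already executing Hook_ZwLoadDriver are not waited
 * for; unloading this driver immediately after RemoveHook can still crash
 * such a thread. OldZwLoadDriver is left valid for the same reason.
 */
void RemoveHook(void)
{
    if (!g_HookInstalled) {
        return;
    }
    SwapSdtEntry((PLONG)&SDT(ZwLoadDriver), (LONG)OldZwLoadDriver);
    g_HookInstalled = FALSE;
}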