动态监控驱动、dll、exe加载

/*
windows2003 x86/x64 window7 x86 windows2008 R2 x64测试通过
*/

#include <ntddk.h>
#include "nt_help.h"
DRIVER_INITIALIZE DriverEntry;

typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
#if WINVER>=0x0600
    ULONG ObjectTypeCode;
#endif
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE {
#if WINVER<0x0600
    ERESOURCE Mutex;
#endif
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;            // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
} OBJECT_TYPE, *POBJECT_TYPE;

extern POBJECT_TYPE* MmSectionObjectType;
PVOID pNtCreateSection = NULL;
SYSTEM_MODULE_INFORMATION ntModInfo = {0};

#pragma alloc_text(INIT, DriverEntry)

NTSTATUS DevicePassthrough(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
        NTSTATUS status = STATUS_SUCCESS;
        PIO_STACK_LOCATION  irpSp;
        
        irpSp = IoGetCurrentIrpStackLocation(Irp);
        Irp->IoStatus.Status = status;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return status;
}

VOID DriverUnload (IN PDRIVER_OBJECT DriverObject)
{
        (*MmSectionObjectType)->TypeInfo.OpenProcedure = NULL;
        KdPrint(("DriverUnload Done!
"));
}

#if WINVER>=0x0600
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN ULONG AccessMode,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK* GrantedAccess,
    IN ULONG HandleCount
    )
#else
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    )
#endif
{
        PVOID* esp = (PVOID*)&esp;
        PVOID* esp_end = (PVOID*)((((DWORD64)esp>>12) + 1)<<12);        //4k round up
        PVOID* p = esp;
        ULONG SectionPageProtection, AllocationAttributes;
        HANDLE FileHandle;
        NTSTATUS Status;

        /*
         * do stack walk back to NtCreateSection function
         */
        while (p < esp_end &&
                (*p < pNtCreateSection ||
                 *p > (PVOID)((PBYTE)pNtCreateSection + 0x300)))
                p++;

        if (p >= esp_end){
                //KdPrint(("no found NtCreateSection %p -> %p
", esp, esp_end));
                return STATUS_SUCCESS;
        }

        //KdPrint(("%p HookSectionOpen-Object:%p esp:%p %p
", pNtCreateSection, Object, esp, *p));
#ifdef _WIN64
        /*
         * esp layout look likes[2003 X64 DUMP]:
         fffff800`0104113d nt!KiSystemServiceCopyEnd+0x3 retaddr <-------call nt!NtCreateSection
         fffffadf`f662ec00  00000000`00000000 param1
         fffffadf`f662ec08  00000000`000f001f param2 DesiredAccess
         fffffadf`f662ec10  00000000`00000000
         fffffadf`f662ec18  00000000`00000000
         fffffadf`f662ec20  00000100`00000010 SectionPageProtection
         fffffadf`f662ec28  00000000`01000000 AllocationAttributes
         fffffadf`f662ec30  00000000`0000054c FileHandle
         * - ...
         */
        p++;
        /*
         * search retaddr -> nt!KiSystemServiceCopyEnd
         */
        while (p < esp_end &&
                (*p < ntModInfo.ImageBase ||
                 *p > (PVOID)((PBYTE)ntModInfo.ImageBase + ntModInfo.ImageSize)))
                p++;

        if (p >= esp_end){
                //KdPrint(("no found nt!KiSystemxxxx %p -> %p
", esp, esp_end));
                return STATUS_SUCCESS;
        }
#else
        /* stack DUMP from 2003/x86
         * ebp = p - 1
         fa06f4d8  fa06f540
         fa06f4dc  80908715 nt!NtCreateSection+0x15c
         ...
         fa06f540  fa06f564
         fa06f544  808234cb nt!KiFastCallEntry+0xf8
         fa06f548  fa06f668 param1
         */
        p = (PVOID*)*(p - 1);
        p++;
#endif

        SectionPageProtection = (ULONG)*(p + 5);
        AllocationAttributes = (ULONG)*(p + 6);
        FileHandle = *(p + 7);

        //KdPrint(("%x %x %p
", SectionPageProtection, AllocationAttributes, FileHandle));

        if (FileHandle
                && SectionPageProtection == PAGE_EXECUTE
                && (AllocationAttributes == SEC_IMAGE || AllocationAttributes == 0x100000)){
                /* windows7 AllocationAttributes = 0x100000 to LoadDriver */
                PFILE_OBJECT File;

                Status = ObReferenceObjectByHandle (FileHandle,
                                0,
                                NULL,
                                KernelMode,
                                (PVOID *)&File,
                                NULL);

                if (!NT_SUCCESS(Status)) {
                        return STATUS_SUCCESS;
                }
                KdPrint(("FileName:%wZ
", &File->FileName));
                ObDereferenceObject(File);
        }

        return STATUS_SUCCESS;
}

BOOL GetNtImgBase(PSYSTEM_MODULE_INFORMATION modInfo)
{
        PSYSMODULELIST sysModuleList = NULL;
        ULONG size, i;

        NtQuerySystemInformation(SystemModuleInformation, &size, 0, &size);
        sysModuleList = ExAllocatePoolWithTag(PagedPool, size, 'hlpm');

        if (sysModuleList){
                NtQuerySystemInformation(SystemModuleInformation, sysModuleList, size, NULL);
                /* nt module should be the first one */
                *modInfo = *sysModuleList->Modules;
                ExFreePool(sysModuleList);
                return TRUE;
        }
        return FALSE;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
        DWORD i;
        UNICODE_STRING sFuncName;
        
        RtlInitUnicodeString(&sFuncName, L"NtCreateSection");
        pNtCreateSection = MmGetSystemRoutineAddress(&sFuncName);

        if (!GetNtImgBase(&ntModInfo)){
                KdPrint(("EnumSysModule nt base failed!
"));
                return STATUS_UNSUCCESSFUL;
        }

        KdPrint(("nt:%p pNtCreateSection:%p
MmSectionObjectType:%p %p %p
",
                                ntModInfo.ImageBase,
                                pNtCreateSection,
                                *MmSectionObjectType,
                                (*MmSectionObjectType)->TypeInfo.OpenProcedure,
                                (*MmSectionObjectType)->TypeInfo.DeleteProcedure));
        
        (*MmSectionObjectType)->TypeInfo.OpenProcedure = HookSectionOpen;

        for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
                DriverObject->MajorFunction[i] = DevicePassthrough;

        DriverObject->DriverUnload = DriverUnload;

        return STATUS_SUCCESS;
}