-
通过 Hook NtCreateSection 动态监控驱动(sys)、动态链接库(dll)、可执行文件(exe)的加载
-
-
-
-
-
#include <ntddk.h>
-
#include "nt_help.h"
-
/* Declares DriverEntry with the DRIVER_INITIALIZE function type ahead of its
 * definition; the alloc_text pragma further down refers to it by name. */
DRIVER_INITIALIZE DriverEntry;
-
-
/*
 * Per-type settings and callback table embedded in OBJECT_TYPE (see the
 * TypeInfo member there). This file only touches OpenProcedure and prints
 * DeleteProcedure; every other member exists to keep the offsets right.
 *
 * NOTE(review): the layout is declared by hand in this file, so the offset of
 * OpenProcedure is only as good as the Windows build it was written against.
 * A mismatch means the driver overwrites an unrelated kernel field -- verify
 * the layout against symbols for each target build before loading.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT          Length;
    BOOLEAN         UseDefaultObject;
    BOOLEAN         CaseInsensitive;
#if WINVER >= 0x0600
    ULONG           ObjectTypeCode;             /* only declared when WINVER >= 0x0600 */
#endif
    ULONG           InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG           ValidAccessMask;
    BOOLEAN         SecurityRequired;
    BOOLEAN         MaintainHandleCount;
    BOOLEAN         MaintainTypeList;
    POOL_TYPE       PoolType;
    ULONG           DefaultPagedPoolCharge;
    ULONG           DefaultNonPagedPoolCharge;

    /* Callback slots, kept as untyped pointers. */
    PVOID           DumpProcedure;
    PVOID           OpenProcedure;              /* the slot this driver replaces */
    PVOID           CloseProcedure;
    PVOID           DeleteProcedure;
    PVOID           ParseProcedure;
    PVOID           SecurityProcedure;
    PVOID           QueryNameProcedure;
    PVOID           OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
-
-
/*
 * Hand-declared view of the kernel's object-type descriptor. The driver
 * reaches the callback table through the TypeInfo member.
 *
 * NOTE(review): like OBJECT_TYPE_INITIALIZER, this is a local declaration and
 * not a documented structure; the WINVER switch only distinguishes two
 * layouts. Confirm the offsets for the exact build being targeted.
 */
typedef struct _OBJECT_TYPE {
#if WINVER < 0x0600
    ERESOURCE               Mutex;              /* only declared when WINVER < 0x0600 */
#endif
    LIST_ENTRY              TypeList;
    UNICODE_STRING          Name;
    PVOID                   DefaultObject;
    ULONG                   Index;
    ULONG                   TotalNumberOfObjects;
    ULONG                   TotalNumberOfHandles;
    ULONG                   HighWaterNumberOfObjects;
    ULONG                   HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;           /* callback table, incl. OpenProcedure */
} OBJECT_TYPE, *POBJECT_TYPE;
-
-
/* Kernel variable that points at the Section object type; the driver patches
 * the OpenProcedure slot of the type it refers to. */
extern POBJECT_TYPE *MmSectionObjectType;

/* Address of NtCreateSection, resolved in DriverEntry. HookSectionOpen uses it
 * to recognise a return address that lies inside that routine. */
PVOID pNtCreateSection = NULL;

/* Module record filled in by GetNtImgBase; its ImageBase/ImageSize bound the
 * second stack scan on 64-bit builds. */
SYSTEM_MODULE_INFORMATION ntModInfo = {0};

/* DriverEntry goes into the INIT section. */
#pragma alloc_text(INIT, DriverEntry)
-
-
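/*
 * Catch-all dispatch routine: completes every IRP immediately with
 * STATUS_SUCCESS and no data.
 *
 * DeviceObject  unused.
 * Irp           request to complete.
 * Returns STATUS_SUCCESS.
 *
 * The original fetched the current stack location into a local that was never
 * read and left IoStatus.Information unset; both are fixed here.
 */
NTSTATUS DevicePassthrough(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;      /* no bytes are transferred */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return STATUS_SUCCESS;
}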
-
-
/*
 * Unload routine: clears the Section type's OpenProcedure slot and logs.
 *
 * NOTE(review): the slot is reset to NULL, not to the value it held before
 * DriverEntry overwrote it (that value is printed there but never saved). If
 * the slot was not NULL to begin with, unloading leaves the type without its
 * original handler.
 * NOTE(review): nothing here waits for threads that are still executing
 * HookSectionOpen, so the image can be unmapped underneath a running call.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    POBJECT_TYPE sectionType = *MmSectionObjectType;

    UNREFERENCED_PARAMETER(DriverObject);

    sectionType->TypeInfo.OpenProcedure = NULL;
    KdPrint(("DriverUnload Done!\n"));
}
-
-
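/*
 * Replacement OpenProcedure for the Section object type. It never blocks the
 * open: every path returns STATUS_SUCCESS. Its only effect is a debug print
 * of the backing file name when the open looks like an image mapping.
 *
 * None of the callback parameters are used. The routine instead walks its own
 * kernel stack looking for a return address inside NtCreateSection and reads
 * that call's 5th-7th arguments (SectionPageProtection, AllocationAttributes,
 * FileHandle) from fixed slot offsets.
 *
 * NOTE(review): this depends on compiler frame layout and on the hand-picked
 * 0x300-byte window after pNtCreateSection; both can change between builds.
 * Supported ways to observe image loads are PsSetLoadImageNotifyRoutine or a
 * file-system minifilter.
 * NOTE(review): the filter below is an exact match on PAGE_EXECUTE and on two
 * attribute values, so sections created with any other protection or with
 * extra attribute bits are not logged -- a coverage gap for monitoring.
 *
 * Changes from the original: the argument slots are checked against the
 * thread's stack limits before they are read (on x86 the frame pointer taken
 * from the stack was dereferenced unchecked), pointer/integer casts go through
 * ULONG_PTR, and the handle is resolved with the File object type so a handle
 * of any other type is rejected instead of being read as a FILE_OBJECT.
 */
#if WINVER >= 0x0600
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN ULONG AccessMode,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK *GrantedAccess,
    IN ULONG HandleCount
    )
#else
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    )
#endif
{
    /* Address of a local: stands in for the current stack pointer. */
    PVOID *esp = (PVOID *)&esp;
    /* The scans stop at the end of the 4 KiB page that holds this frame. */
    PVOID *esp_end = (PVOID *)((((ULONG_PTR)esp >> 12) + 1) << 12);
    PVOID *p = esp;
    ULONG_PTR stackLow = 0;
    ULONG_PTR stackHigh = 0;
    ULONG_PTR argBase;
    ULONG SectionPageProtection, AllocationAttributes;
    HANDLE FileHandle;
    PFILE_OBJECT File = NULL;
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(OpenReason);
#if WINVER >= 0x0600
    UNREFERENCED_PARAMETER(AccessMode);
#endif
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(Object);
    UNREFERENCED_PARAMETER(GrantedAccess);
    UNREFERENCED_PARAMETER(HandleCount);

    /* First scan: find a slot whose value points into the first 0x300 bytes
     * of NtCreateSection, i.e. a return address back into that routine. */
    while (p < esp_end &&
           (*p < pNtCreateSection ||
            *p > (PVOID)((PBYTE)pNtCreateSection + 0x300))) {
        p++;
    }

    if (p >= esp_end) {
        /* Not reached through NtCreateSection (or not within this page). */
        return STATUS_SUCCESS;
    }

#ifdef _WIN64
    /* Second scan: continue to the next slot that points anywhere inside the
     * module described by ntModInfo; the argument slots are taken relative to
     * that one. */
    p++;

    while (p < esp_end &&
           (*p < ntModInfo.ImageBase ||
            *p > (PVOID)((PBYTE)ntModInfo.ImageBase + ntModInfo.ImageSize))) {
        p++;
    }

    if (p >= esp_end) {
        return STATUS_SUCCESS;
    }
#else
    /* The slot below the return address is treated as the saved frame
     * pointer; follow it and step over it to the next return-address slot.
     * The resulting pointer is validated before use, below. */
    p = (PVOID *)*(p - 1);
    p++;
#endif

    /* p[5]..p[7] are about to be read. Make sure all eight slots starting at
     * p are aligned and inside the current thread's stack. */
    IoGetStackLimits(&stackLow, &stackHigh);
    argBase = (ULONG_PTR)p;

    if ((argBase & (sizeof(PVOID) - 1)) != 0 ||
        argBase < stackLow ||
        argBase > stackHigh - 8 * sizeof(PVOID)) {
        return STATUS_SUCCESS;
    }

    SectionPageProtection = (ULONG)(ULONG_PTR)p[5];
    AllocationAttributes = (ULONG)(ULONG_PTR)p[6];
    FileHandle = (HANDLE)p[7];

    /* 0x100000 has no name in this file; presumably the attribute value seen
     * for driver image sections -- confirm against the target build. */
    if (FileHandle
        && SectionPageProtection == PAGE_EXECUTE
        && (AllocationAttributes == SEC_IMAGE || AllocationAttributes == 0x100000)) {

        /* The handle value came off the stack and is looked up again here, so
         * require a File object; without the type check any object the handle
         * happens to name would be read through a PFILE_OBJECT. */
        Status = ObReferenceObjectByHandle(FileHandle,
                                           0,
                                           *IoFileObjectType,
                                           KernelMode,
                                           (PVOID *)&File,
                                           NULL);

        if (!NT_SUCCESS(Status)) {
            return STATUS_SUCCESS;
        }

        KdPrint(("FileName:%wZ\n", &File->FileName));
        ObDereferenceObject(File);
    }

    return STATUS_SUCCESS;
}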
-
-
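/*
 * Copies the first entry of the system module list into *modInfo.
 *
 * modInfo  receives a copy of the first SYSTEM_MODULE_INFORMATION record.
 * Returns TRUE on success, FALSE if the size query, the allocation or the
 * data query fails; *modInfo is left untouched on failure.
 *
 * NOTE(review): callers treat the first record as the kernel image (see the
 * function name); that ordering is assumed here, not checked.
 *
 * Changes from the original: `size` is initialised and validated, the result
 * of the second query is checked (the original copied from an unfilled pool
 * buffer if the module list grew between the two calls), the unused local `i`
 * is gone, and the buffer is freed with its tag.
 */
BOOL GetNtImgBase(PSYSTEM_MODULE_INFORMATION modInfo)
{
    PSYSMODULELIST sysModuleList = NULL;
    ULONG size = 0;
    NTSTATUS status;
    BOOL ok = FALSE;

    /* Size probe: a zero-length query reports the required length. */
    NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &size);
    if (size < sizeof(*sysModuleList)) {
        return FALSE;
    }

    sysModuleList = ExAllocatePoolWithTag(PagedPool, size, 'hlpm');
    if (!sysModuleList) {
        return FALSE;
    }

    status = NtQuerySystemInformation(SystemModuleInformation, sysModuleList, size, NULL);
    if (NT_SUCCESS(status)) {
        *modInfo = *sysModuleList->Modules;
        ok = TRUE;
    }

    ExFreePoolWithTag(sysModuleList, 'hlpm');
    return ok;
}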
-
-
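/*
 * Driver entry point: resolves NtCreateSection, records the first system
 * module, sets the dispatch table and unload routine, then replaces the
 * Section object type's OpenProcedure with HookSectionOpen.
 *
 * DriverObject  this driver's object; receives the dispatch and unload routines.
 * RegistryPath  unused.
 * Returns STATUS_SUCCESS once the hook is installed, STATUS_UNSUCCESSFUL if a
 * prerequisite is missing.
 *
 * NOTE(review): writing into a kernel object type is not a supported
 * interface. 64-bit Windows with Kernel Patch Protection is reported to
 * bugcheck when such structures are modified; PsSetLoadImageNotifyRoutine is
 * the supported way to be told about image loads.
 *
 * Changes from the original: a failed NtCreateSection lookup now aborts the
 * load (the hook would otherwise match stack values in the range 0..0x300);
 * installation is refused when the slot already holds a handler, because this
 * driver neither chains to it nor restores it on unload; and the hook is
 * installed last, after the driver object is fully set up.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    ULONG i;
    UNICODE_STRING sFuncName;
    POBJECT_TYPE sectionType = *MmSectionObjectType;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&sFuncName, L"NtCreateSection");
    pNtCreateSection = MmGetSystemRoutineAddress(&sFuncName);

    if (!pNtCreateSection) {
        KdPrint(("NtCreateSection not found!\n"));
        return STATUS_UNSUCCESSFUL;
    }

    if (!GetNtImgBase(&ntModInfo)) {
        KdPrint(("EnumSysModule nt base failed!\n"));
        return STATUS_UNSUCCESSFUL;
    }

    KdPrint(("nt:%p pNtCreateSection:%p\nMmSectionObjectType:%p %p %p\n",
             ntModInfo.ImageBase,
             pNtCreateSection,
             sectionType,
             sectionType->TypeInfo.OpenProcedure,
             sectionType->TypeInfo.DeleteProcedure));

    /* DriverUnload writes NULL back into the slot, so only take it over when
     * it is NULL now; otherwise an existing handler would be lost. */
    if (sectionType->TypeInfo.OpenProcedure != NULL) {
        KdPrint(("Section OpenProcedure already set, not hooking!\n"));
        return STATUS_UNSUCCESSFUL;
    }

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = DevicePassthrough;
    }

    DriverObject->DriverUnload = DriverUnload;

    /* From this store on, section opens on any thread enter HookSectionOpen. */
    sectionType->TypeInfo.OpenProcedure = (PVOID)HookSectionOpen;

    return STATUS_SUCCESS;
}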
-
原文地址:https://www.cnblogs.com/vcerror/p/4289155.html