hook zwcreateprocessex

Just4life發表於2013-04-25
extern "C"
{
#include <ntddk.h>
}
 
//#define dprintf if (DBG) DbgPrint
#define dprintf DbgPrint
 
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
#define BYTE unsigned char
 
extern "C"
{
//宣告核心函式
NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
        PEPROCESS Process
        );
 
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
       IN PVOID        ProcessId,
       OUT PEPROCESS   *Process
       );
 

NTKERNELAPI
HANDLE
PsGetProcessId(
      PEPROCESS Process
      );
 
NTKERNELAPI NTSTATUS ZwCreateProcessEx(
            PHANDLE ProcessHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes,
            HANDLE ParentProcess,
            ULONG Flags,
            HANDLE SectionHandle,
            HANDLE DebugPort,
            HANDLE ExceptionPort,
            ULONG JobMemberLevel
            );
 
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//SSDT表結構宣告
typedef struct ServiceDescriptorEntry {
 unsigned int *ServiceTableBase;
 unsigned int *ServiceCounterTableBase;
 unsigned int NumberOfServices;
 unsigned char *ParamTableBase;
} SSDT_Entry, *ServiceDescriptorTableEntry_t;
__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;
}
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//一些巨集定義和MDL表
#define HOOK_SYSCALL(_ServiceId, _Hook, _Orig )       /
 _Orig = (PVOID) InterlockedExchange( (PLONG) /
 &MappedSystemCallTable[_ServiceId], (LONG) _Hook)
#define UNHOOK_SYSCALL(_ServiceId, _Hook, _Orig ) /
 InterlockedExchange((PLONG)           /
 &MappedSystemCallTable[_ServiceId], (LONG) _Hook)
#define SYSTEMSERVICE(_ServiceId) KeServiceDescriptorTable.ServiceTableBase[ _ServiceId ]
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//宣告函式
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//設定ZwCreateProcessEx的索引,可用冰刃檢視,也可利用函式自行查詢
ULONG ServiceId_ZwCreateProcessEx=0x30;
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//定義一些相關變數
CHAR CreatingProcessImagePath[256]={0};//程式路徑
HANDLE CreatorProcessId=NULL;//父程式Pid
BOOLEAN CreateAllowed=TRUE;//標誌,是否允許執行
BOOLEAN CreateIsProgressing=FALSE;//標誌,防止以後網路延遲造成的混亂,是否正在處理資訊
KEVENT event ; 
char *output;
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//定義一個ZwCreateProcessEx的結構體指標
typedef
NTSTATUS
(*pfnZwCreateProcessEx) (
       PHANDLE ProcessHandle,
       ACCESS_MASK DesiredAccess,
       POBJECT_ATTRIBUTES ObjectAttributes,
       HANDLE ParentProcess,
       ULONG Flags,
       HANDLE SectionHandle,
       HANDLE DebugPort,
       HANDLE ExceptionPort,
       ULONG JobMemberLevel
       );
//宣告Old_ZwCreateProcessEx為pfnZwCreateProcessEx的結構(用來儲存原函式地址)
pfnZwCreateProcessEx Old_ZwCreateProcessEx=NULL;
PVOID      Old_ZwCreateProcessExAddr=NULL;
////////////////////////////////////////////////////////////////////////////////////////////////////
 
// 返回類似於C:/WINDOWS/Explorer.exe (ANSI)
NTSTATUS GetProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName) 
{ 
 PVOID SectionObject;
 PFILE_OBJECT FileObject;
 UNICODE_STRING FilePath; 
 UNICODE_STRING DosName; 
 NTSTATUS Status;
 STRING AnsiString;
 
 SectionObject = NULL; 
 FileObject = NULL; 
 FilePath.Buffer = NULL; 
 FilePath.Length = 0; 
 *ProcessImageName = 0; 
 Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
 if ( NT_SUCCESS(Status) ) 
 { 
  FilePath.Buffer = (PWSTR)ExAllocatePool(PagedPool,0x200);
  FilePath.MaximumLength = 0x200; 
  FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
  FileObject = *(PFILE_OBJECT *)FileObject; // CONTROL_AREA
  FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36); // FILE_OBJECT
  ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode); 
  RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); 
  RtlCopyUnicodeString(&FilePath, &DosName); 
  RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); 
  KdPrint(("Current Process Full Path Name 000: %ws/n",  FileObject->FileName.Buffer));
  ObDereferenceObject(FileObject); 
  ObDereferenceObject(SectionObject); 
  RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); 
  if ( AnsiString.Length >= 256 ) 
  { 
   memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); 
   *(ProcessImageName + 255) = 0; 
  } 
  else 
  { 
   memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); 
   ProcessImageName[AnsiString.Length] = 0; 
  } 
  RtlFreeAnsiString(&AnsiString); 
  ExFreePool(DosName.Buffer); 
  ExFreePool(FilePath.Buffer); 
  Status = STATUS_SUCCESS; 
 }
 
 return Status; 
}
 
NTSTATUS ModifyProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName) 
{ 
 PVOID SectionObject;
 PFILE_OBJECT FileObject;
 UNICODE_STRING FilePath; 
 UNICODE_STRING DosName; 
 NTSTATUS Status;
 UNICODE_STRING newName; 
 STRING AnsiString;
 
 SectionObject = NULL; 
 FileObject = NULL; 
 FilePath.Buffer = NULL; 
 FilePath.Length = 0; 
 *ProcessImageName = 0; 
 Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
 if ( NT_SUCCESS(Status) ) 
 { 
  //FilePath.Buffer = (PWSTR)ExAllocatePool(PagedPool,0x200);
  //FilePath.MaximumLength = 0x200; 
  FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
  FileObject = *(PFILE_OBJECT *)FileObject; // CONTROL_AREA
  FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36); // FILE_OBJECT
  ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode); 
  RtlInitUnicodeString(&newName,L"zhang.txt");
  //RtlCopyUnicodeString(&FileObject->FileName, &newName); 
  ObDereferenceObject(FileObject); 
  ObDereferenceObject(SectionObject); 
  /*RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); 
  RtlCopyUnicodeString(&FilePath, &DosName); 
  RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); 
  KdPrint(("Current Process Full Path Name 000: %ws/n",  FileObject->FileName.Buffer));
  
  RtlCopyUnicodeString(&FileObject->FileName, &newName); 
  
  RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); */
  /*if ( AnsiString.Length >= 256 ) 
  { 
   memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); 
   *(ProcessImageName + 255) = 0; 
  } 
  else 
  { 
   memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); 
   ProcessImageName[AnsiString.Length] = 0; 
  } */
  /*RtlFreeAnsiString(&AnsiString); 
  ExFreePool(DosName.Buffer); 
  ExFreePool(FilePath.Buffer); */
  RtlFreeUnicodeString(&newName);
  Status = STATUS_SUCCESS; 
 }
 
 return Status; 
} 
///////////////////////////////////////////////////////////////////////////////////////////////////
 
//定義我們的新函式及其功能,禁止程式執行和允許的,其中一個註釋掉了
NTSTATUS New_ZwCreateProcessEx (
        PHANDLE ProcessHandle,
        ACCESS_MASK DesiredAccess,
        POBJECT_ATTRIBUTES ObjectAttributes,
        HANDLE ParentProcess,
        ULONG Flags,
        HANDLE SectionHandle,
        HANDLE DebugPort,
        HANDLE ExceptionPort,
        ULONG JobMemberLevel
        )
{
 if (CreateIsProgressing) return STATUS_ACCESS_DENIED;
 CreateIsProgressing=TRUE;
 GetProcessImageName(SectionHandle,CreatingProcessImagePath);
 CreatorProcessId=PsGetProcessId(PsGetCurrentProcess());
 dprintf("呼叫了ZwCreateProcessEx函式. /n程式路徑 = %s /n父程式 = %s /n",CreatingProcessImagePath,PsGetProcessImageFileName(PsGetCurrentProcess()));
 dprintf("父程式Pid = %ld/n",CreatorProcessId);
 CreateIsProgressing=FALSE;
 // return STATUS_ACCESS_DENIED;//返回失敗,也就是禁止執行
 NTSTATUS hr= Old_ZwCreateProcessEx(ProcessHandle,DesiredAccess,ObjectAttributes,ParentProcess,Flags,SectionHandle,DebugPort,ExceptionPort,JobMemberLevel);
 
 PEPROCESS        EProcess,PProcess;
 
 NTSTATUS        status;
 HANDLE            TId;
 
 
 

 /*status = PsLookupProcessByProcessId((PVOID)ProcessHandle, &EProcess);
 char * pEpb=(char*)EProcess;
 if (NT_SUCCESS( status ))
 {
  DbgPrint( "jincheng:%18s/n",(char *)(pEpb+0x174));
  char ch[16]={"zhang.exe"};
  memcpy((char*)(pEpb+0x174), ch, 0x10); 
 }*/
 //ModifyProcessImageName(SectionHandle,CreatingProcessImagePath);
 
 return hr;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////
 
//開始HOOK函式
BOOLEAN EnableDriver()
{
 HOOK_SYSCALL(ServiceId_ZwCreateProcessEx,New_ZwCreateProcessEx,Old_ZwCreateProcessExAddr);
 Old_ZwCreateProcessEx=(pfnZwCreateProcessEx)Old_ZwCreateProcessExAddr;
 dprintf("已經開始HOOK./n");
 return TRUE;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////
 
//解除HOOK函式
BOOLEAN DisableDriver()
{
 UNHOOK_SYSCALL(ServiceId_ZwCreateProcessEx,Old_ZwCreateProcessExAddr,New_ZwCreateProcessEx);
 dprintf("已經解除HOOK./n");
 return TRUE;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////
 
//驅動入口點
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
 dprintf("註冊到登錄檔: %S/n",pRegistryString->Buffer);
 
 
 
 
 

 //開始修改MDL表
 g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
 if(!g_pmdlSystemCall)
  return STATUS_UNSUCCESSFUL;
 MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
 g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;//可寫
 MappedSystemCallTable =(PVOID*) MmMapLockedPages(g_pmdlSystemCall, KernelMode);
 //宣告解除安裝函式
 pDriverObj->DriverUnload = DriverUnload;
 //開始HOOK
 EnableDriver();
 return STATUS_SUCCESS;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////
//驅動解除安裝時所呼叫的函式
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{ 
 DisableDriver();
 dprintf("驅動已經解除安裝./n");
}
/////////////////////////////////////////////////////////////////////////////////////////////////////

相關文章