extern "C"
{
#include <ntddk.h>
}
// Debug output helper. dprintf is unconditionally DbgPrint in this build; the line
// below keeps the original form that only printed in DBG builds.
//#define dprintf if (DBG) DbgPrint
#define dprintf DbgPrint
// Win32-style integer aliases; note DWORD/BOOL are 'unsigned long' here (32-bit model).
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
#define BYTE unsigned char
extern "C"
{
// Kernel routines used by this driver, declared by hand (the DDK header included above
// does not necessarily expose them).
// PsGetProcessImageFileName: returns the short (not full-path) image name stored in the EPROCESS.
NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
PEPROCESS Process
);
// PsLookupProcessByProcessId: resolves a PID to a referenced EPROCESS
// (only referenced from commented-out code in this file).
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
IN PVOID ProcessId,
OUT PEPROCESS *Process
);
// PsGetProcessId: returns the PID of an EPROCESS.
NTKERNELAPI
HANDLE
PsGetProcessId(
PEPROCESS Process
);
// ZwCreateProcessEx: the native process-creation service this driver hooks; the
// parameter list matches the pfnZwCreateProcessEx typedef further down.
NTKERNELAPI NTSTATUS ZwCreateProcessEx(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
HANDLE ParentProcess,
ULONG Flags,
HANDLE SectionHandle,
HANDLE DebugPort,
HANDLE ExceptionPort,
ULONG JobMemberLevel
);
////////////////////////////////////////////////////////////////////////////////////////////////////
// Layout of the system service descriptor table (SSDT) entry exported by the kernel as
// KeServiceDescriptorTable. ServiceTableBase is the array of service routine addresses;
// with 'unsigned int' entries this declaration only matches 32-bit (x86) kernels —
// DriverEntry sizes the table as NumberOfServices*4 on the same assumption.
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} SSDT_Entry, *ServiceDescriptorTableEntry_t;
// The kernel's exported descriptor table, resolved when the driver image is loaded.
__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;
}
////////////////////////////////////////////////////////////////////////////////////////////////////
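// Macros that swap SSDT entries, plus the MDL-backed writable view of the table.
//
// HOOK_SYSCALL atomically replaces entry _ServiceId of the mapped table with _Hook and
// stores the previous entry (the original service routine) in _Orig.
// UNHOOK_SYSCALL writes _Hook back into the entry; _Orig is unused and kept only so the
// existing call sites keep compiling.
// Both cast the entry to LONG, so they only work on 32-bit (x86) kernels.
// Line continuations must be '\' — anything else ends the macro after the first line and
// leaves the remaining lines as stray statements at file scope.
#define HOOK_SYSCALL(_ServiceId, _Hook, _Orig) \
    _Orig = (PVOID) InterlockedExchange((PLONG) \
        &MappedSystemCallTable[_ServiceId], (LONG) _Hook)
#define UNHOOK_SYSCALL(_ServiceId, _Hook, _Orig) \
    InterlockedExchange((PLONG) \
        &MappedSystemCallTable[_ServiceId], (LONG) _Hook)
// Reads entry _ServiceId straight from the exported KeServiceDescriptorTable.
#define SYSTEMSERVICE(_ServiceId) KeServiceDescriptorTable.ServiceTableBase[ _ServiceId ]
// MDL describing the SSDT and the writable mapping built from it in DriverEntry;
// both are NULL until DriverEntry sets them.
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;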
////////////////////////////////////////////////////////////////////////////////////////////////////
//Forward declarations of the driver entry and unload routines defined at the end of the file.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
////////////////////////////////////////////////////////////////////////////////////////////////////
//SSDT index of ZwCreateProcessEx. The original note says it can be checked with the IceSword
//tool or looked up programmatically. The value is hard-coded and is expected to differ between
//OS builds; on a build where it does not match, the hook is installed on a different service.
ULONG ServiceId_ZwCreateProcessEx=0x30;
////////////////////////////////////////////////////////////////////////////////////////////////////
//Globals shared between the hook routine and the logging code.
CHAR CreatingProcessImagePath[256]={0};// image path of the process being created (ANSI)
HANDLE CreatorProcessId=NULL;// PID of the parent (creating) process
BOOLEAN CreateAllowed=TRUE;// flag: whether creation is allowed (not read by the code shown here)
BOOLEAN CreateIsProgressing=FALSE;// flag: a creation is being processed; meant to guard against overlapping calls (the original note mentions network delay). Plain BOOLEAN, not an interlocked variable.
KEVENT event ;// not used by the code shown here
char *output;// not used by the code shown here
////////////////////////////////////////////////////////////////////////////////////////////////////
//Function-pointer type matching ZwCreateProcessEx; used to call the original service.
typedef
NTSTATUS
(*pfnZwCreateProcessEx) (
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
HANDLE ParentProcess,
ULONG Flags,
HANDLE SectionHandle,
HANDLE DebugPort,
HANDLE ExceptionPort,
ULONG JobMemberLevel
);
//Old_ZwCreateProcessEx holds the original service routine (typed); Old_ZwCreateProcessExAddr
//is the same address as PVOID, which is what HOOK_SYSCALL writes and UNHOOK_SYSCALL reads.
//Both stay NULL until EnableDriver runs.
pfnZwCreateProcessEx Old_ZwCreateProcessEx=NULL;
PVOID Old_ZwCreateProcessExAddr=NULL;
////////////////////////////////////////////////////////////////////////////////////////////////////
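// Resolves the image path behind a section handle into an ANSI string such as
// "C:\WINDOWS\Explorer.exe".
//
// SectionHandle    - handle to the image section the new process is created from
//                    (the SectionHandle argument of ZwCreateProcessEx).
// ProcessImageName - caller-supplied buffer of at least 256 bytes; always NUL-terminated on
//                    return and empty ("") when the path could not be resolved.
// Returns the NTSTATUS of the first failing step, STATUS_SUCCESS otherwise.
//
// The walk from the section object to its FILE_OBJECT uses raw offsets (SEGMENT pointer at
// +0x14 of the section, CONTROL_AREA at +0 of the segment, FILE_OBJECT at +36 of the control
// area). These are layout details of one x86 kernel build — TODO confirm against the target
// build; a wrong offset dereferences an arbitrary pointer.
NTSTATUS GetProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
    PVOID SectionObject = NULL;
    PFILE_OBJECT FileObject = NULL;
    UNICODE_STRING FilePath = { 0, 0, NULL };
    UNICODE_STRING DosName = { 0, 0, NULL };
    STRING AnsiString = { 0, 0, NULL };
    NTSTATUS Status;

    *ProcessImageName = 0;

    // NOTE(review): the handle comes from the caller of the system service; referencing it as
    // KernelMode skips the handle access check the real service would apply to it.
    Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
    if (!NT_SUCCESS(Status))
        return Status;

    FilePath.Buffer = (PWSTR)ExAllocatePool(PagedPool, 0x200);
    if (FilePath.Buffer == NULL) {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto deref_section;
    }
    FilePath.MaximumLength = 0x200;

    FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
    FileObject = *(PFILE_OBJECT *)FileObject;                   // CONTROL_AREA
    FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36);     // FILE_OBJECT
    Status = ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
    if (!NT_SUCCESS(Status))
        goto free_path;

    // Volume DOS name (e.g. "C:") followed by the volume-relative file name.
    Status = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
    if (!NT_SUCCESS(Status))
        goto deref_file;
    RtlCopyUnicodeString(&FilePath, &DosName);
    // Truncates silently if the full path does not fit in 0x200 bytes (the append then
    // returns STATUS_BUFFER_TOO_SMALL and the caller receives a shortened path).
    RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
    // %wZ prints by Length; FileName.Buffer is not guaranteed NUL-terminated, so %ws is unsafe.
    KdPrint(("Current Process Full Path Name 000: %wZ\n", &FileObject->FileName));

    Status = RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
    if (!NT_SUCCESS(Status))
        goto free_dos;

    // Copy at most 255 bytes into the 256-byte output and always terminate it.
    if (AnsiString.Length >= 256) {
        memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
        ProcessImageName[255] = 0;
    } else {
        memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
        ProcessImageName[AnsiString.Length] = 0;
    }
    RtlFreeAnsiString(&AnsiString);
    Status = STATUS_SUCCESS;

free_dos:
    ExFreePool(DosName.Buffer);
deref_file:
    ObDereferenceObject(FileObject);
free_path:
    ExFreePool(FilePath.Buffer);
deref_section:
    ObDereferenceObject(SectionObject);
    return Status;
}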
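// Experimental helper that was meant to rename the image behind SectionHandle; the rename
// was never enabled. As it stands it references the section and its FILE_OBJECT through the
// same raw offsets as GetProcessImageName, leaves FileObject->FileName unchanged, and
// releases both objects again.
//
// SectionHandle    - handle to the image section.
// ProcessImageName - output buffer; set to "" and otherwise untouched.
// Returns the status of ObReferenceObjectByHandle, or of ObReferenceObjectByPointer once
// the section was referenced (STATUS_SUCCESS on the normal path).
//
// NOTE(review): an earlier version freed a string set up with RtlInitUnicodeString over a
// literal via RtlFreeUnicodeString; that memory was never allocated from pool and must not
// be freed, so that call is gone.
NTSTATUS ModifyProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
    PVOID SectionObject = NULL;
    PFILE_OBJECT FileObject = NULL;
    NTSTATUS Status;

    *ProcessImageName = 0;

    Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
    if (!NT_SUCCESS(Status))
        return Status;

    // Same x86-build-specific walk as in GetProcessImageName — TODO confirm offsets.
    FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
    FileObject = *(PFILE_OBJECT *)FileObject;                   // CONTROL_AREA
    FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36);     // FILE_OBJECT
    Status = ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
    if (NT_SUCCESS(Status)) {
        // The file name is not modified here.
        ObDereferenceObject(FileObject);
    }
    ObDereferenceObject(SectionObject);
    return Status;
}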
///////////////////////////////////////////////////////////////////////////////////////////////////
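// Replacement for ZwCreateProcessEx that EnableDriver installs in the SSDT.
// Logs the image path of the process being created and the creating process, then passes
// the call through to the original service. The original source also carried a disabled
// variant that returned STATUS_ACCESS_DENIED instead of passing through, i.e. refused every
// process creation.
//
// Parameters are exactly those of ZwCreateProcessEx and are forwarded unchanged.
// Returns STATUS_ACCESS_DENIED while another call is still being logged, otherwise the
// status of the original service.
//
// NOTE(review): CreateIsProgressing is a plain BOOLEAN tested and set non-atomically, so two
// threads creating processes at the same time can both pass the test, or the second can be
// denied spuriously. The globals it guards (CreatingProcessImagePath, CreatorProcessId) are
// shared by every caller as well.
NTSTATUS New_ZwCreateProcessEx (
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    HANDLE ParentProcess,
    ULONG Flags,
    HANDLE SectionHandle,
    HANDLE DebugPort,
    HANDLE ExceptionPort,
    ULONG JobMemberLevel
    )
{
    if (CreateIsProgressing) return STATUS_ACCESS_DENIED;
    CreateIsProgressing = TRUE;

    // Resolve the image path from the section; on failure the buffer is left as "".
    GetProcessImageName(SectionHandle, CreatingProcessImagePath);
    CreatorProcessId = PsGetProcessId(PsGetCurrentProcess());
    // PsGetProcessImageFileName gives the short image name of the calling (parent) process.
    dprintf("呼叫了ZwCreateProcessEx函式. \n程式路徑 = %s \n父程式 = %s \n",
            CreatingProcessImagePath, PsGetProcessImageFileName(PsGetCurrentProcess()));
    // HANDLE is pointer-sized, so print it with %p rather than %ld.
    dprintf("父程式Pid = %p\n", CreatorProcessId);
    CreateIsProgressing = FALSE;

    return Old_ZwCreateProcessEx(ProcessHandle, DesiredAccess, ObjectAttributes, ParentProcess,
                                 Flags, SectionHandle, DebugPort, ExceptionPort, JobMemberLevel);
}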
/////////////////////////////////////////////////////////////////////////////////////////////////////
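// Installs the hook: swaps the SSDT entry for ZwCreateProcessEx to New_ZwCreateProcessEx.
// Requires MappedSystemCallTable to have been set up by DriverEntry. Returns TRUE.
//
// The original service address is read into Old_ZwCreateProcessEx *before* the entry is
// swapped: the moment the exchange lands, any thread issuing the system call runs
// New_ZwCreateProcessEx, which calls through Old_ZwCreateProcessEx. Filling the typed pointer
// only after the swap left a window in which it was still NULL. The value returned by the
// exchange is then stored again, in case the entry changed between the read and the swap.
BOOLEAN EnableDriver()
{
    Old_ZwCreateProcessEx = (pfnZwCreateProcessEx)MappedSystemCallTable[ServiceId_ZwCreateProcessEx];
    HOOK_SYSCALL(ServiceId_ZwCreateProcessEx, New_ZwCreateProcessEx, Old_ZwCreateProcessExAddr);
    Old_ZwCreateProcessEx = (pfnZwCreateProcessEx)Old_ZwCreateProcessExAddr;
    dprintf("已經開始HOOK.\n");
    return TRUE;
}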
/////////////////////////////////////////////////////////////////////////////////////////////////////
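// Removes the hook: writes the saved original address back into the SSDT entry.
// Returns TRUE. Does nothing if EnableDriver never saved an address, since writing the
// initial NULL into the table would leave the service unreachable.
//
// NOTE(review): restoring the entry does not wait for threads that are already executing
// New_ZwCreateProcessEx; unloading the driver immediately afterwards (as DriverUnload does)
// can unload code that is still in use.
BOOLEAN DisableDriver()
{
    if (Old_ZwCreateProcessExAddr != NULL) {
        UNHOOK_SYSCALL(ServiceId_ZwCreateProcessEx, Old_ZwCreateProcessExAddr, New_ZwCreateProcessEx);
    }
    dprintf("已經解除HOOK.\n");
    return TRUE;
}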
/////////////////////////////////////////////////////////////////////////////////////////////////////
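// Driver entry point: maps the SSDT writable through an MDL, registers the unload routine
// and installs the hook.
//
// pDriverObj      - driver object; DriverUnload is stored in it.
// pRegistryString - registry path of the driver service, logged only.
// Returns STATUS_UNSUCCESSFUL if the MDL cannot be created or mapped, STATUS_SUCCESS otherwise.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    // %wZ prints a UNICODE_STRING by Length; its Buffer is not guaranteed NUL-terminated,
    // so passing it to %S is unsafe.
    dprintf("註冊到登錄檔: %wZ\n", pRegistryString);

    // Describe the SSDT with an MDL and map it so entries can be written through
    // MappedSystemCallTable. NumberOfServices*4 assumes 32-bit entries (x86).
    g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase,
                                   KeServiceDescriptorTable.NumberOfServices * 4);
    if (!g_pmdlSystemCall)
        return STATUS_UNSUCCESSFUL;
    MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
    g_pmdlSystemCall->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA; // writable
    MappedSystemCallTable = (PVOID *)MmMapLockedPages(g_pmdlSystemCall, KernelMode);
    if (!MappedSystemCallTable) {
        // Without the mapping the hook macros would write through a NULL table.
        IoFreeMdl(g_pmdlSystemCall);
        g_pmdlSystemCall = NULL;
        return STATUS_UNSUCCESSFUL;
    }

    pDriverObj->DriverUnload = DriverUnload;
    EnableDriver();
    return STATUS_SUCCESS;
}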
/////////////////////////////////////////////////////////////////////////////////////////////////////
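// Unload routine: removes the hook and releases the SSDT mapping and MDL created in DriverEntry.
//
// pDriverObj - driver object (unused).
//
// NOTE(review): DisableDriver restores the SSDT entry but does not wait for calls already
// inside New_ZwCreateProcessEx; there is no in-flight counter in this driver.
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);

    DisableDriver();

    // Undo the writable mapping before freeing the MDL that backs it.
    if (MappedSystemCallTable != NULL && g_pmdlSystemCall != NULL) {
        MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
        MappedSystemCallTable = NULL;
    }
    if (g_pmdlSystemCall != NULL) {
        IoFreeMdl(g_pmdlSystemCall);
        g_pmdlSystemCall = NULL;
    }

    dprintf("驅動已經解除安裝.\n");
}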
/////////////////////////////////////////////////////////////////////////////////////////////////////