想通过SSDT HOOK 写个驱动实现进程保护文件保护但是在2003下蓝屏

cewei30mkk

想通过SSDT HOOK 写个驱动实现进程保护文件保护但是在2003下蓝屏 [复制链接]

用 SSDT HOOK  写了一个驱动  实现进程保护文件保护注册表保护
但是在2003下打开驱动以后  如果打开IE 访问页面的时候就蓝屏请达人指出错误！非常感谢！

代码：
[code]
BOOLEAN PidVerify(PEPROCESS target)
{
int i;
for (i = 0; i < curProcNum; i++)
{
if(ProcProtectArr == target)
return TRUE;
}
return FALSE;
}

//key:驱动存储的保护路径 tar:当前操作文件路径
BOOLEAN wchCmp(PWCHAR key, PWCHAR tar, int iLen)
{
WCHAR temp1 = 0,temp2 = 0;
int i;
if(iLen < 1 || iLen > MAXPATHLEN) return FALSE;
for (i = 0; i < iLen; i++)
{

temp1 = RtlUpcaseUnicodeChar(key);

temp2 = RtlUpcaseUnicodeChar(tar);
if(temp1 != temp2)
return FALSE;

}
return TRUE;
}

//文件路径验证
BOOLEAN FileDirVerify(PWCHAR targetDir)
{
PWCHAR temp;
int  j;
//DbgPrint("targetDir:%ws\n",targetDir);
for (j = 0; j < curFileFilterNum; j++)
{
if(fileFilter[j].wchProtDirName[0] != L'\\') //表示是个带盘符的路径
{
temp = wcsstr(fileFilter[j].wchProtDirName, L":");
temp++;//指向：的下一个WCHAR
}
else  //表示只是个关键过滤路径
temp = fileFilter[j].wchProtDirName;
/*if(wcsstr(targetDir,temp) != NULL)
return TRUE;*/
if(wchCmp(temp,targetDir,wcslen(temp)) == TRUE)
return TRUE;

}
return FALSE;
}

//注册表路径验证
BOOLEAN RegLocVerify(UCHAR* targetRegLoc)
{
int k;
for(k = 0; k < curRegFilterNum; k++)
{
if(strncmp(regFilter[k].ucProtRegName, targetRegLoc, strlen(regFilter[k].ucProtRegName)) == 0)
return TRUE;
}
return FALSE;
}

BOOLEAN ProtectIDVerify(PEPROCESS target)
{
int idix;
for (idix = 0; idix < curThirdProcNum; idix++)
{
if(ThirdPartProcProt[idix] == target)
return TRUE;
}
return FALSE;

}

//used for SSDT hook
#define SYSTEMSERVICE(_function)  KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig )    \
_Orig = (PVOID) InterlockedExchange( (PLONG) \
&MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

#define UNHOOK_SYSCALL(_Func, _Hook, _Orig )  \
InterlockedExchange((PLONG)          \
&MappedSystemCallTable[SYSCALL_INDEX(_Func)], (LONG) _Hook)

//LOCAL FUNCTION will be used in device Object control routinue

//begin real implemation

wangkj11

接着是下面的核心代码

NTSTATUS  DriverEntry( IN PDRIVER_OBJECT DriverObject,  IN PUNICODE_STRING RegistryPath )
{
UNICODE_STRING  nameString, linkString;

NTSTATUS       status;
PDEVICE_OBJECT    deviceObject;
int             i;

//建立设备
RtlInitUnicodeString( &nameString,STR_STD_OBJ_NAME );

status = IoCreateDevice( DriverObject,
0,
&nameString,
FILE_DEVICE_UNKNOWN,
0,
TRUE,
&deviceObject
);

if (!NT_SUCCESS( status ))
return status;

DriverObject->DriverUnload = DriverUnload;

RtlInitUnicodeString( &linkString, STR_DOS_OBJ_NAME );

status = IoCreateSymbolicLink (&linkString, &nameString);

if (!NT_SUCCESS( status ))
{
IoDeleteDevice (DriverObject->DeviceObject);
return status;
}

for ( i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {

DriverObject->MajorFunction = MydrvDispatch;
}

HookSSDTTable();
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = drvIOCtrlDispatch;
return STATUS_SUCCESS;

}

static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0L;
IoCompleteRequest( Irp, 0 );
return Irp->IoStatus.Status;

}

static NTSTATUS
drvIOCtrlDispatch(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   )
{

NTSTATUS Status = STATUS_SUCCESS;
PIO_STACK_LOCATION irpStack;

PVOID ioBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
ULONG RequireLength=0;
DWORD dwItemNum,dwNextIndex;
DWORD PPID;
NTSTATUS res;
int tempCount = 0;
KIRQL old_spin_lock_val;//中断级
int i;

SIZE_T desiredBufferLength;

irpStack = IoGetCurrentIrpStackLocation(Irp);

ioControlCode= irpStack->Parameters.DeviceIoControl.IoControlCode;

ioBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
Status = STATUS_SUCCESS;

switch (ioControlCode)
{
case IOCTL_HMRS_SET_PROTECT:
desiredBufferLength = 0;
tmpBuf = (DWORD*)ioBuffer;
if (inputBufferLength break;
}
else
{
curProcNum = inputBufferLength / sizeof(DWORD);
for (i = 0; i < curProcNum && i < MAXPROTPROCNUM; i++)
{
DWORD tmpPID;
tmpPID = *tmpBuf;
//DbgPrint("pid %d",tmpPID);
PsLookupProcessByProcessId( (ULONG)tmpPID, &ProcProtectArr);
tmpBuf++;
}
}
break;
case IOCTL_HMRS_THIRDPART_PROTECT:
desiredBufferLength = 0;
if(inputBufferLength < sizeof(DWORD))
break;
else
{
DWORD tmpPID = *((DWORD*)ioBuffer);
if(curThirdProcNum < MAXTOPROTNUM)
{
PsLookupProcessByProcessId( (ULONG)tmpPID, &ThirdPartProcProt[curThirdProcNum]);
InterlockedExchangeAdd(&curThirdProcNum, 1);

}
}
break;

case IOCTL_HMRS_PROCESS_FORCEKILL:
break;
case IOCTL_HMRS_REGLOC_PROTECT:
//开始处理逻辑
desiredBufferLength = 0;
if(inputBufferLength < sizeof(UCHAR))
{
Status = STATUS_BUFFER_TOO_SMALL;
break;
}
//strcpy(RegProtLoc,(UCHAR *)ioBuffer);
if(curRegFilterNum < MAXPROTREGNUM && inputBufferLength <= (MAXPATHLEN * sizeof(UCHAR)) )
{
//strcpy(regFilter[curRegFilterNum].ucProtRegName,(UCHAR*)ioBuffer);
strncpy(regFilter[curRegFilterNum].ucProtRegName, (const char *)ioBuffer, strlen(ioBuffer));
InterlockedExchangeAdd(&curRegFilterNum, 1);
DbgPrint("regFilter input is:%s\n",regFilter[curRegFilterNum - 1].ucProtRegName);
}
break;
//通过参数传输文件保护路径(WCHAR)
case IOCTL_HMRS_FILENAME_PROTECT:
//开始存储
desiredBufferLength = 0;
if(inputBufferLength < sizeof(WCHAR))
{
Status = STATUS_BUFFER_TOO_SMALL;
break;
}
if(curFileFilterNum < MAXPROTFILENUM && inputBufferLength <= (MAXPATHLEN * sizeof(WCHAR)) )
{
//wcscpy(fileFilter[curFileFilterNum].wchProtDirName, (PWCHAR)ioBuffer);
wcsncpy(fileFilter[curFileFilterNum].wchProtDirName, (const wchar_t *)ioBuffer, wcslen(ioBuffer));
tempCount = InterlockedExchangeAdd(&curFileFilterNum, 1);
DbgPrint("curFileFilterNum:%d&&filefilter[curFileFilterNum]=:%ws",curFileFilterNum,fileFilter[tempCount].wchProtDirName);
}
break;
default:
Status = STATUS_INVALID_PARAMETER;
break;

}

Irp->IoStatus.Status = Status;
Irp->IoStatus.Information = outputBufferLength;

IoCompleteRequest(Irp, IO_NO_INCREMENT);

return Status;
}

gmy800101

接着是几个HOOK

NTSTATUS
NTAPI
NewZwTerminateProcess(
   IN HANDLE ProcessHandle OPTIONAL,
   IN NTSTATUS ExitStatus
   )
{
PEPROCESS process_to_kill;
if (ObReferenceObjectByHandle(ProcessHandle,GENERIC_READ,NULL,KernelMode,
&process_to_kill,0) == STATUS_SUCCESS){

//if ( PEPROCESS2PROTECTED== process_to_kill &&
if ( (PidVerify(process_to_kill) == TRUE || ProtectIDVerify(process_to_kill) == TRUE) &&
PsGetCurrentProcess() != process_to_kill)
return STATUS_ACCESS_DENIED;
}
return  Old_ZwTerminateProcess(ProcessHandle,ExitStatus);

}

NTSTATUS
NTAPI
NewZwOpenProcess(
   IN PHANDLE ProcessHandle,
   ACCESS_MASK MASK,
   POBJECT_ATTRIBUTES attr,
   PCLIENT_ID cid1
   )
{
PEPROCESS EProcess;
if(cid1 != NULL)
{
DbgPrint("myZwOpneProcess Begin\n");
PsLookupProcessByProcessId( *(ULONG *)cid1, &EProcess);
//if ((MASK != 0x401 ) && (MASK != 0x400 ) && PEPROCESS2PROTECTED== EProcess &&
if ((MASK != 0x401 ) && (MASK != 0x400 ) && PidVerify(EProcess) &&
PsGetCurrentProcess() != EProcess) return STATUS_ACCESS_DENIED;
DbgPrint("myZwOpneProcess End\n");

}

return Old_ZwOpenProcess(ProcessHandle,MASK,attr,cid1);
}
void HookSSDTTable()
{
Old_ZwTerminateProcess =(PZwTerminateProcess)(SYSTEMSERVICE(ZwTerminateProcess));
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);

if(!g_pmdlSystemCall)
return;

MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
DbgPrint("Lijun_Hooked!\n");

HOOK_SYSCALL( ZwTerminateProcess, NewZwTerminateProcess, Old_ZwTerminateProcess );
HOOK_SYSCALL( ZwOpenProcess, NewZwOpenProcess, Old_ZwOpenProcess );
HOOK_SYSCALL(ZwSetValueKey,FakedZwSetValueKey,RealZwSetValueKey);
HOOK_SYSCALL(ZwDeleteKey, FakedZwDeleteKey,RealDeleteKey);
HOOK_SYSCALL(ZwDeleteValueKey,FakedZwDeleteValueKey,RealDeleteValueKey);
HOOK_SYSCALL(ZwSetInformationFile, FakedZwSetInformationFile,RealSetInformationFile);
HOOK_SYSCALL(ZwCreateFile, FakedZwCreateFile, RealZwCreateFile);

}

void UnHookSSDTTable(){

if (Old_ZwTerminateProcess){
UNHOOK_SYSCALL( ZwTerminateProcess, Old_ZwTerminateProcess, NewZwTerminateProcess );
UNHOOK_SYSCALL( ZwOpenProcess, Old_ZwOpenProcess, NewZwOpenProcess );
UNHOOK_SYSCALL(ZwSetValueKey, RealZwSetValueKey, FakedZwSetValueKey);
UNHOOK_SYSCALL(ZwDeleteKey, RealDeleteKey,FakedZwDeleteKey);
UNHOOK_SYSCALL(ZwDeleteValueKey,RealDeleteValueKey,FakedZwDeleteValueKey);
UNHOOK_SYSCALL(ZwSetInformationFile, RealSetInformationFile, FakedZwSetInformationFile);
UNHOOK_SYSCALL(ZwCreateFile, RealZwCreateFile, FakedZwCreateFile);
}
if(g_pmdlSystemCall)
{
MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
IoFreeMdl(g_pmdlSystemCall);
}
}

BOOLEAN GetFullName(HANDLE handle,char * pch)
{

ULONG uactLength;
POBJECT_NAME_INFORMATION  pustr;
ANSI_STRING astr;
PVOID pObj;
NTSTATUS ns;
ns = ObReferenceObjectByHandle( handle, 0, NULL, KernelMode, &pObj, NULL );
if (!NT_SUCCESS(ns))
{
return FALSE;
}
pustr = ExAllocatePool(NonPagedPool,1024+4);

if (pObj==NULL||pch==NULL)
return FALSE;

ns = ObQueryNameString(pObj,pustr,512,&uactLength);

if (NT_SUCCESS(ns))
{
RtlUnicodeStringToAnsiString(&astr,(PUNICODE_STRING)pustr,TRUE);
strcpy(pch,astr.Buffer);
}
ExFreePool(pustr);
RtlFreeAnsiString( &astr );
if (pObj)
{
ObDereferenceObject(pObj);
}

return TRUE;
}

//Faked的文件操作函数
NTSTATUS FakedZwSetInformationFile(IN HANDLE FileHandle,
   OUT PIO_STATUS_BLOCK IoStatusBlock,
   IN PVOID FileInformation,
   IN ULONG Length,
   IN FILE_INFORMATION_CLASS FileInformationClass)
{
if ( FileHandle != NULL && (FileInformationClass == FileDispositionInformation) )
{
// get delete file name
NTSTATUS nts;
IO_STATUS_BLOCK iosb;
PWCHAR pstring = NULL;
PFILE_NAME_INFORMATION pfni = NULL;
pfni = (PFILE_NAME_INFORMATION) ExAllocatePool( PagedPool, sizeof(FILE_NAME_INFORMATION) + MAXPATHLEN);
if ( NULL != pfni )
{
nts = ZwQueryInformationFile(FileHandle, &iosb, pfni,
sizeof(FILE_NAME_INFORMATION) + MAXPATHLEN, FileNameInformation);
if ( NT_SUCCESS(nts) )
{
pstring = (PWCHAR)pfni->FileName;
//DbgPrint("ZWSetInformation FileName:%ws\n", pstring);
//if ( NULL != pstring && wcsstr(pstring , FileNameTest) != NULL || wcsstr(pstring,ProtFileDir) != NULL)
if ( NULL != pstring && FileDirVerify(pstring) && !PidVerify(PsGetCurrentProcess()))
{
ExFreePool(pfni);
pfni = NULL;
return STATUS_UNSUCCESSFUL;
}
}
ExFreePool(pfni);
pfni = NULL;
}
}
if(FileHandle != NULL && (FileInformationClass == FileRenameInformation))
{
NTSTATUS nts;
IO_STATUS_BLOCK iosb;
PWCHAR pstring = NULL;
PFILE_NAME_INFORMATION pfni = NULL;
pfni = (PFILE_NAME_INFORMATION) ExAllocatePool( PagedPool, sizeof(FILE_NAME_INFORMATION) + MAXPATHLEN);
if ( NULL != pfni )
{
nts = ZwQueryInformationFile(FileHandle, &iosb, pfni,
sizeof(FILE_NAME_INFORMATION) + MAXPATHLEN, FileNameInformation);
if ( NT_SUCCESS(nts) )
{
pstring = (PWCHAR)pfni->FileName;
//DbgPrint("ZWSetInformation RenameFile:%ws\n", pstring);
//if ( NULL != pstring && wcsstr(pstring , FileNameTest) != NULL || wcsstr(pstring,ProtFileDir) != NULL)
if ( NULL != pstring && FileDirVerify(pstring) && !PidVerify(PsGetCurrentProcess()))
{
ExFreePool(pfni);
pfni = NULL;
return STATUS_UNSUCCESSFUL;
}
}
ExFreePool(pfni);
pfni = NULL;
}

}
return RealSetInformationFile(FileHandle, IoStatusBlock, FileInformation,
Length, FileInformationClass);
}

//////////////////////////////////////////////////////////////////////////
NTSTATUS
FakedZwCreateFile(
   OUT PHANDLE  FileHandle,
   IN ACCESS_MASK  DesiredAccess,
   IN POBJECT_ATTRIBUTES  ObjectAttributes,
   OUT PIO_STATUS_BLOCK  IoStatusBlock,
   IN PLARGE_INTEGER  AllocationSize,
   IN ULONG  FileAttributes,
   IN ULONG  ShareAccess,
   IN ULONG  CreateDisposition,
   IN ULONG  CreateOptions,
   IN PVOID  EaBuffer,
   IN ULONG  EaLength
   )
{
UNICODE_STRING _unfile;
PWCHAR temp;
WCHAR tempDir[MAXPATHLEN];
int m;
_unfile.Length = 0;
_unfile.MaximumLength = MAXPATHLEN;
_unfile.Buffer = tempDir;
RtlCopyUnicodeString(&_unfile, ObjectAttributes->ObjectName);
//DbgPrint("out FileOpenDir:%ws\n", tempDir);

for (m = 0; m < curFileFilterNum; m++)
{
temp = wcschr(tempDir,L'?');
if(temp == NULL) break;
temp = temp + 3;
//if(wcsstr(temp, fileFilter[m].wchProtDirName) != NULL && !PidVerify(PsGetCurrentProcess()))
if(wchCmp(fileFilter[m].wchProtDirName, temp, wcslen(fileFilter[m].wchProtDirName)) && !PidVerify(PsGetCurrentProcess()) )
{
//DbgPrint("FileOpenDirVerify:%ws\n",temp);
return -1;
}
}

return RealZwCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,
ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
}

mamh

请达人帮助啊

richpowerHK

yichi7758

yangbh

架出windbg调试一下不就OK了

Jamie

楼主还是去看雪问比较好。

zhang12

进程保护 :拦截NtOpenProcess就可以了
文件保护 :拦截文件的Create
注册表保护 :2003系统上注册几个注册表回调函数就搞定了

kgduerlu

关注

想通过SSDT HOOK 写个驱动 实现进程保护 文件保护 但是 在2003下蓝屏 [复制链接]

最新回复

想通过SSDT HOOK 写个驱动实现进程保护文件保护但是在2003下蓝屏 [复制链接]