调用驱动内的函数？

06benn

调用驱动内的函数？ [复制链接]

/*
jhxxs.C
Author:
Last Updated: 2006-03-23
This framework is generated by EasySYS 0.3.0
This template file is copying from QuickSYS 0.3.0 written by Chunhua Liu
*/
#include "dbghelp.h"
#include "jhxxs.h"
#include
#include
#include
#include
//
// A structure representing the instance information associated with
// a particular device
//
typedef struct _DEVICE_EXTENSION
{
ULONG StateVariable;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
typedef struct _KAPC_STATE{
LIST_ENTRY ApcListHead[2];
PEPROCESS Process;
UCHAR KernelApcInProgress;
UCHAR KernelApcPending;
UCHAR UserApcPending;
}KAPC_STATE,*PKAPC_STATE;
NTKERNELAPI void KeStackAttachProcess(IN PEPROCESS Process, OUT PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(IN PKAPC_STATE ApcState);
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS * pEProcess);
NTKERNELAPI NTSTATUS ObOpenObjectByPointer(
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
);
//
// Device driver routine declarations.
//
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
NTSTATUS
JhxxsDispatchCreate(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
JhxxsDispatchClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
JhxxsDispatchDeviceControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
VOID
JhxxsUnload(
IN PDRIVER_OBJECT DriverObject
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, JhxxsDispatchCreate)
#pragma alloc_text(PAGE, JhxxsDispatchClose)
#pragma alloc_text(PAGE, JhxxsDispatchDeviceControl)
#pragma alloc_text(PAGE, JhxxsUnload)
#endif // ALLOC_PRAGMA
NTSTATUS
MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID writebuffer=NULL;
NTSTATUS status;
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(writebuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)writebuffer=(ULONG)0x1;
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (writebuffer, Pbuff, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
if (NT_SUCCESS(status))
{
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (BaseAddress,writebuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
}
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return status;
}
NTSTATUS
MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer=NULL;
NTSTATUS status;
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(readbuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)readbuffer=(ULONG)0x1;
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
if(NT_SUCCESS(status))
{
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (Pbuff, readbuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
}
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return status;
}
NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
NTSTATUS status;
PEPROCESS EProcess = NULL;
HANDLE handle = NULL;
UNICODE_STRING y;
PULONG PsProcessType;
status = PsLookupProcessByProcessId(PID, &EProcess);
if (NT_SUCCESS(status))
{
handle = 0;
RtlInitUnicodeString(&y, L"PsProcessType");
PsProcessType = MmGetSystemRoutineAddress(&y);
if (PsProcessType)
{
status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle);
if (NT_SUCCESS(status))
{
*pHandle = handle;
}
}
ObfDereferenceObject(EProcess);
}
return status;
}
//帖子超长了，请续看1楼

复制代码

lsbhjl

NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ntDeviceName;
UNICODE_STRING dosDeviceName;
PDEVICE_EXTENSION deviceExtension;
PDEVICE_OBJECT deviceObject = NULL;
BOOLEAN fSymbolicLink = FALSE;
KdBreakPoint();
RtlInitUnicodeString(&ntDeviceName, JHXXS_DEVICE_NAME_W);
status = IoCreateDevice(
DriverObject,
sizeof(DEVICE_EXTENSION),
&ntDeviceName,
FILE_DEVICE_JHXXS,
0,
TRUE,
&deviceObject
);
if (!NT_SUCCESS(status))
{
goto __failed;
}
deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;
RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W);
status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);
if (!NT_SUCCESS(status))
{
goto __failed;
}
fSymbolicLink = TRUE;
DriverObject->MajorFunction[IRP_MJ_CREATE] = JhxxsDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = JhxxsDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = JhxxsDispatchDeviceControl;
DriverObject->DriverUnload = JhxxsUnload;
if (NT_SUCCESS(status))
return status;
__failed:
if (fSymbolicLink)
IoDeleteSymbolicLink(&dosDeviceName);
if (deviceObject)
IoDeleteDevice(deviceObject);
return status;
}
NTSTATUS
JhxxsDispatchCreate(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
NTSTATUS
JhxxsDispatchClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
NTSTATUS
JhxxsDispatchDeviceControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION irpStack;
PDEVICE_EXTENSION deviceExtension;
PVOID ioBuf;
ULONG inBufLength, outBufLength;
ULONG ioControlCode;
UCHAR *buff =0;
ULONG OutByteCount =0;
HANDLE Writehandel;
PVOID WriteDstAddr;
PVOID WriteSrcAddr;
ULONG WriteSize;
NTSTATUS WriteReturn;
HANDLE Readhandel;
PVOID ReadBaseAddr;
PVOID ReadBuffer;
ULONG ReadSize;
NTSTATUS ReadReturn;
ULONG OpenPid;
PHANDLE PProcessHandle;
NTSTATUS OpenReturn;
irpStack = IoGetCurrentIrpStackLocation(Irp);
deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
Irp->IoStatus.Information = 0;
ioBuf = Irp->AssociatedIrp.SystemBuffer;
inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch (ioControlCode)
{
case 0X0022E004:
{
buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
memmove(&Writehandel,&buff[0],4);
memmove(&WriteDstAddr,&buff[4],4);
memmove(&WriteSrcAddr,&buff[8],4);
memmove(&WriteSize,&buff[12],4);
WriteReturn=MyWriteMemory(Writehandel,WriteDstAddr,WriteSrcAddr,WriteSize);
memmove(Irp->AssociatedIrp.SystemBuffer,&WriteReturn,4);
OutByteCount=4;
break;
}
case 0X0022E008:
{
buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
memmove(&Readhandel,&buff[0],4);
memmove(&ReadBaseAddr,&buff[4],4);
memmove(&ReadBuffer,&buff[8],4);
memmove(&ReadSize,&buff[12],4);
ReadReturn=MyReadMemory(Readhandel,ReadBaseAddr,ReadBuffer,ReadSize);
memmove(&buff[0],&ReadReturn,4);
OutByteCount=4;
break;
}
case 0X0022E000:
{
OpenReturn = MyOpenProcess(*(PULONG)ioBuf,ioBuf);
buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
memmove(&buff[4],&OpenReturn,4);
OutByteCount=8;
break;
}
case IOCTL_JHXXS_HELLO:
{
break;
}
default:
status = STATUS_INVALID_PARAMETER;
break;
}
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = OutByteCount;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
VOID
JhxxsUnload(
IN PDRIVER_OBJECT DriverObject
)
{
UNICODE_STRING dosDeviceName;
RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W);
IoDeleteSymbolicLink(&dosDeviceName);
IoDeleteDevice(DriverObject->DeviceObject);
}

复制代码

以上代码应该是重写了自己的ZwOpenProcess ZwReadVirtualMemory ZwWriteVirtualMemory，这个在自己的程序里该如何调用呢？并希望高人能简单的对上面的代码进行下注释，谢谢！

-------------------------------------------------------------------------------------
看的另外一个HOOK ZwTerminateProcess代码里，有如下部分，但在试验的时候出现了问题，还望高人能一并解答
附上原文地址http://bbs.pediy.com/showthread.php?t=78218

NTSTATUS NewZwTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
)
{
//return STATUS_SUCCESS; //原文是这句，但是在用"任务管理器"结束"纪事本"进程时，会没有任何反映，并cpu占用100%
return STATUS_UNSUCCESSFUL; //后来改成了这个，用"任务管理器"结束进程时，会提示"无法完成操作连接到系统上的设备没有发挥作用"，HOOK的目的达到了。但是纪事本使用"文件->退出"这样的方法结束程序，cpu还是会变成100%
}

复制代码

maosongbai

貌似有点儿长，顶一下先！

qing_yx

如果是驱动程序，调用MyReadMemory、MyWriteMemory、MyOpenProcess函数；
如果是应用程序，先打开驱动程序创建的设备（上面没有贴出名称），然后用DeviceIoControl，控制码就是上面的三个case，最后再CloseHandle。

代码太长，没时间帮你加注释，这段代码没什么难度，自己慢慢看吧。

如果驱动程序没有做正常的处理，不能随便返回成功，这样会影响程序的后续操作。

youqing20000

我把这个驱动的源文件使用[VS2008+DDK2600]编译了一下，编译出的驱动文件在虚拟机里[WinXP SP2]加载，虚拟机蓝屏了...
源文件下载：[/url]
只有源文件和编译过的sys文件，绝对无毒！可以放心下载=.=

然后去找了几篇文章，想自己调试调试看是哪里出了问题，参考文章：[url=http://hi.baidu.com/1ian9yu/blog/item/96e29bb357acbfa2d8335a25.html]
结果搞成这样:

驱动source文件里这么写的TARGETNAME=jhxxs，所以试着用"bu jhxxs!driverentry"下断点，也不知道下对没。。。(DeviceIoControl调用驱动内函数的时候"驱动程序创建的设备"可能也是"jhxxs"？现在还没机会测试...)
加载jhxxs.sys这个驱动以后，虚拟机就死了，WinDbg最后的输出如下[看样子似乎是没断下...]：
SXS: BasepCreateActCtx() NtOpenFile(\??\C:\??\C:\WINDOWS\system32\winlogon.exe) failed
*** ERROR: Module load completed but symbols could not be loaded for jhxxs.sys
Breakpoint 0's offset expression evaluation failed.
Check for invalid symbols or bad syntax.
WaitForEvent失败
nt!DebugService2+0x11:
8052e681 5d pop ebp

调用驱动内的函数？ [复制链接]

最新回复