note : IRP hook on R0

发布时间:2017-2-24 9:30:15 编辑:www.fx114.net 分享查询网我要评论

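IRP hook 以FSD Hook 为例, Hook和UnHook的操作, 在DeviceIoControl中响应.

Hook 处理

/// @file Fsd.h
/// @brief FSD (\\FileSystem\\Ntfs) IRP_MJ_CREATE hook: install, remove, dump.
#ifndef __FSD_H__
#define __FSD_H__
#include <ntddk.h>
#include "constDefine.h"
#include "r0ProcessHelper.h"

/// @fn ProcessHookFsd
/// @brief Install or remove the IRP_MJ_CREATE hook on the Ntfs driver object.
/// @param bHook TRUE = hook, FALSE = unHook
/// @return the NTSTATUS of HookFsd() or UnHookFsd()
NTSTATUS ProcessHookFsd(BOOLEAN bHook);

/// @brief Dump every MajorFunction slot of the Ntfs driver object together with
/// the module that owns the routine address (used to verify hook/unhook).
NTSTATUS ProcessShowFsd(void);
NTSTATUS HookFsd(void);
NTSTATUS UnHookFsd(void);
#endif // #ifndef __FSD_H__

/// @file Fsd.c
/// @brief IRP_MJ_CREATE hook on \\FileSystem\\Ntfs.
#include "Fsd.h"

/// Original IRP_MJ_CREATE dispatch routine of Ntfs, saved by HookFsd().
/// Deliberately NOT cleared by UnHookFsd(): a thread that is still inside
/// DrvDispachIrpMjCreate_Ntfs_new after the unhook must keep a valid target.
PDRIVER_DISPATCH g_pDrvDispachIrpMjCreate_Ntfs_org = NULL;

NTSTATUS DrvDispachIrpMjCreate_Ntfs_new(
    __in struct _DEVICE_OBJECT *pDeviceObject,
    __inout struct _IRP *pIrp);

/// @brief Entry point used by the IOCTL handler: TRUE installs, FALSE removes.
NTSTATUS ProcessHookFsd(BOOLEAN bHook)
{
    return bHook ? HookFsd() : UnHookFsd();
}

/// @brief Replace the IRP_MJ_CREATE slot of Ntfs with DrvDispachIrpMjCreate_Ntfs_new.
///
/// Refuses to hook twice: a second HookFsd() would save our own routine as the
/// "original" and the replacement would then call itself without end.
/// @return STATUS_SUCCESS; STATUS_INVALID_DEVICE_STATE when the slot already
///         points at our routine; otherwise the GetDriverObject() failure.
NTSTATUS HookFsd(void)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PDRIVER_OBJECT pDrvObj = NULL;
    PDRIVER_DISPATCH pOrg = NULL;

    DBGPRT((">> HookFsd\n"));

    status = GetDriverObject(DRVOBJ_NAME_NTFS, &pDrvObj);
    if (!NT_SUCCESS(status))
        goto _HookFsd_END;

    if (pDrvObj->MajorFunction[IRP_MJ_CREATE] == DrvDispachIrpMjCreate_Ntfs_new) {
        DBGPRT(("HookFsd : already hooked\n"));
        status = STATUS_INVALID_DEVICE_STATE;
        goto _HookFsd_END;
    }

    /// Save the original BEFORE publishing the hook, so a create request that
    /// arrives between the two stores never sees a NULL original.
    pOrg = pDrvObj->MajorFunction[IRP_MJ_CREATE];
    g_pDrvDispachIrpMjCreate_Ntfs_org = pOrg;

    /// Single atomic pointer swap (full barrier) instead of a plain store.
    InterlockedExchangePointer(
        (PVOID volatile *)&pDrvObj->MajorFunction[IRP_MJ_CREATE],
        (PVOID)DrvDispachIrpMjCreate_Ntfs_new);
    DBGPRT(("ok : hook fsd IRP_MJ_CREATE\r\n"));

_HookFsd_END:
    if (NULL != pDrvObj)
        ObDereferenceObject(pDrvObj);
    DBGPRT(("<< HookFsd\n"));
    return status;
}

/// @brief Put the saved original IRP_MJ_CREATE routine back.
///
/// NOTE(review): this only restores the table entry. Nothing here waits for
/// threads that are already executing DrvDispachIrpMjCreate_Ntfs_new, so the
/// driver image must not be unloaded immediately after this returns. If another
/// component hooked the slot after us, restoring also removes its hook.
/// @return STATUS_SUCCESS (also when nothing was hooked), or the
///         GetDriverObject() failure.
NTSTATUS UnHookFsd(void)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PDRIVER_OBJECT pDrvObj = NULL;
    PDRIVER_DISPATCH pOrg = NULL;

    DBGPRT((">> UnHookFsd\n"));

    status = GetDriverObject(DRVOBJ_NAME_NTFS, &pDrvObj);
    if (!NT_SUCCESS(status))
        goto _UnHookFsd_END;

    /// Guard against UnHook without a preceding Hook.
    pOrg = g_pDrvDispachIrpMjCreate_Ntfs_org;
    if (NULL != pOrg) {
        InterlockedExchangePointer(
            (PVOID volatile *)&pDrvObj->MajorFunction[IRP_MJ_CREATE],
            (PVOID)pOrg);
        DBGPRT(("ok : unHook fsd IRP_MJ_CREATE\r\n"));
    }

_UnHookFsd_END:
    if (NULL != pDrvObj)
        ObDereferenceObject(pDrvObj);
    DBGPRT(("<< UnHookFsd\n"));
    return status;
}

/// @brief Replacement IRP_MJ_CREATE dispatch routine: pass-through to the
/// saved original.
///
/// A dispatch routine must complete or forward every IRP it receives. The
/// previous version returned STATUS_UNSUCCESSFUL without completing the IRP
/// when no original was saved, which leaves that IRP hanging forever; the IRP
/// is now failed explicitly in that case.
NTSTATUS DrvDispachIrpMjCreate_Ntfs_new(
    __in struct _DEVICE_OBJECT *pDeviceObject,
    __inout struct _IRP *pIrp)
{
    /// Read the global once so hook/unhook racing with us cannot change it
    /// between the NULL test and the call.
    PDRIVER_DISPATCH pOrg = g_pDrvDispachIrpMjCreate_Ntfs_org;

    if (NULL == pOrg) {
        pIrp->IoStatus.Status = STATUS_UNSUCCESSFUL;
        pIrp->IoStatus.Information = 0;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_UNSUCCESSFUL;
    }
    return pOrg(pDeviceObject, pIrp);
}

/// @brief Print DriverName/HardwareDatabase of \\FileSystem\\Ntfs and, for
/// every MajorFunction slot, the routine address and its owning module.
/// @return STATUS_SUCCESS, or the GetDriverObject() failure.
NTSTATUS ProcessShowFsd(void)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    NTSTATUS statusOwner = STATUS_UNSUCCESSFUL;
    PDRIVER_OBJECT pDrvObj = NULL;
    UINT uIndex = 0;
    char cModuleName[MAX_PATH];
    ULONG_PTR ulAddr = 0;

    DBGPRT((">> ProcessShowFsd\n"));

    status = GetDriverObject(DRVOBJ_NAME_NTFS, &pDrvObj);
    if (!NT_SUCCESS(status))
        goto _ProcessShowFsd_END;

    DBGPRT(("pDrvObj->DriverName = %wZ\n"
            "pDrvObj->HardwareDatabase = %wZ\r\n",
            &pDrvObj->DriverName, pDrvObj->HardwareDatabase));

    /// MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 slots; the old "<" loop
    /// skipped the last one.
    for (uIndex = 0; uIndex <= IRP_MJ_MAXIMUM_FUNCTION; uIndex++) {
        ulAddr = (ULONG_PTR)pDrvObj->MajorFunction[uIndex];
        memset(cModuleName, 0, sizeof(cModuleName));
        statusOwner = GetOwnerMoudleNameOfAddress(ulAddr, cModuleName, sizeof(cModuleName));
        /// %p keeps the full address on 64-bit; %X would truncate a ULONG_PTR.
        DBGPRT(("pDrvObj->MajorFunction[%u] = 0x%p, in Module [%s]\n",
                uIndex, (PVOID)ulAddr,
                NT_SUCCESS(statusOwner) ? cModuleName : "no owner"));
    }

_ProcessShowFsd_END:
    if (NULL != pDrvObj)
        ObDereferenceObject(pDrvObj);
    DBGPRT(("<< ProcessShowFsd\n"));
    return status;
}

Helper

/// @file r0ProcessHelper.h
/// @brief Ring-0 process / module helpers.
#ifndef __R0_PROCESS_HELPER_H__
#define __R0_PROCESS_HELPER_H__
#include <ntddk.h>
#include "constDefine.h"

/// Kernel global (exported, not declared in the public headers).
extern POBJECT_TYPE *IoDriverObjectType;

/// Undocumented API declaration.
NTSTATUS __stdcall ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *Object);

/// Constants.
#define DRVOBJ_NAME_NTFS L"\\FileSystem\\Ntfs"

/// Pool tag for the AuxKlib module buffer.
#define MEMORY_POOL_TYPE_AUX 'aux'

/// Initialise AuxKlib; the result is cached, so repeated calls are cheap.
NTSTATUS AuxKlibInitializeEx(void);

/// @brief Look up a driver object by name.
/// @param pcDriverObjectName  object-manager path, e.g. DRVOBJ_NAME_NTFS
/// @param ppDrvObj            receives a referenced driver object on success;
///                            the caller must ObDereferenceObject() it
NTSTATUS GetDriverObject(const WCHAR *pcDriverObjectName, PDRIVER_OBJECT *ppDrvObj);

/// @fn GetOwnerMoudleNameOfAddress
/// @brief Find the loaded module whose image range contains an address.
/// @param ulAddr       address to look up
/// @param cNameModule  receives the NUL-terminated module path (truncated to fit)
/// @param uLenModule   size of cNameModule in bytes
/// @return STATUS_SUCCESS on a match, STATUS_NOT_FOUND when no module covers
///         ulAddr, STATUS_INVALID_PARAMETER for a NULL/empty buffer, otherwise
///         the AuxKlib failure.
NTSTATUS GetOwnerMoudleNameOfAddress(ULONG_PTR ulAddr, char *cNameModule, UINT uLenModule);

BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr);
#endif // #ifndef __R0_PROCESS_HELPER_H__

/// @file r0ProcessHelper.c
/// @brief Ring-0 helpers: AuxKlib module enumeration, driver-object lookup.
#include <ntifs.h>
#include <Aux_klib.h> ///< need ntifs.h
#include "r0ProcessHelper.h"

/// Cached AuxKlib initialisation status.
NTSTATUS g_status_AuxKlibInit = STATUS_UNSUCCESSFUL;

/// @brief Run AuxKlibInitialize() once and remember the outcome.
NTSTATUS AuxKlibInitializeEx(void)
{
    if (!NT_SUCCESS(g_status_AuxKlibInit))
        g_status_AuxKlibInit = AuxKlibInitialize();
    return g_status_AuxKlibInit;
}

/// @brief See the header. Pageable: enumerates modules through AuxKlib and
/// copies the matching FullPathName into the caller's buffer.
NTSTATUS GetOwnerMoudleNameOfAddress(ULONG_PTR ulAddr, char *pcNameModule, UINT uLenModule)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG dwLenMoudleInfo = 0;
    ULONG dwMoudleCnt = 0;
    ULONG dwIndex = 0;
    UCHAR *pMoudleInfo = NULL;
    ULONG_PTR ulImageBase = 0;
    size_t cbName = 0;
    AUX_MODULE_EXTENDED_INFO *pAuxModuleExInfo = NULL;

    __try {
        PAGED_CODE();

        /// The old test used "&&", so a NULL buffer passed whenever uLenModule
        /// was large enough. Either condition alone must reject the call.
        if ((NULL == pcNameModule) || (0 == uLenModule)) {
            status = STATUS_INVALID_PARAMETER;
            __leave;
        }
        pcNameModule[0] = '\0';

        status = AuxKlibInitializeEx();
        if (!NT_SUCCESS(status))
            __leave;

        /// First call with a NULL buffer only reports the size needed.
        status = AuxKlibQueryModuleInformation(
            &dwLenMoudleInfo, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
        if (!NT_SUCCESS(status))
            __leave;
        if (0 == dwLenMoudleInfo) {
            status = STATUS_NOT_FOUND;
            __leave;
        }

        pMoudleInfo = ExAllocatePoolWithTag(PagedPool, dwLenMoudleInfo, MEMORY_POOL_TYPE_AUX);
        if (NULL == pMoudleInfo) {
            status = STATUS_INSUFFICIENT_RESOURCES;
            __leave;
        }

        status = AuxKlibQueryModuleInformation(
            &dwLenMoudleInfo, sizeof(AUX_MODULE_EXTENDED_INFO), pMoudleInfo);
        if (!NT_SUCCESS(status))
            __leave;

        /// Derive the count from the size the second call actually filled in.
        dwMoudleCnt = dwLenMoudleInfo / sizeof(AUX_MODULE_EXTENDED_INFO);
        pAuxModuleExInfo = (AUX_MODULE_EXTENDED_INFO *)pMoudleInfo;

        /// The query succeeded, but "no module matched" must not be reported
        /// as success (the old code fell through with the query's status).
        status = STATUS_NOT_FOUND;
        for (dwIndex = 0; dwIndex < dwMoudleCnt; dwIndex++, pAuxModuleExInfo++) {
            ulImageBase = (ULONG_PTR)pAuxModuleExInfo->BasicInfo.ImageBase;
            if ((ulAddr >= ulImageBase) &&
                (ulAddr < (ulImageBase + pAuxModuleExInfo->ImageSize))) {
                /// Bounded copy with a guaranteed terminator; the old memcpy
                /// copied strlen() bytes without consulting uLenModule.
                cbName = strlen((const char *)pAuxModuleExInfo->FullPathName);
                if (cbName >= uLenModule)
                    cbName = uLenModule - 1;
                RtlCopyMemory(pcNameModule, pAuxModuleExInfo->FullPathName, cbName);
                pcNameModule[cbName] = '\0';
                status = STATUS_SUCCESS; ///< match
                __leave;
            }
        }
    } __finally {
        if (NULL != pMoudleInfo)
            ExFreePoolWithTag(pMoudleInfo, MEMORY_POOL_TYPE_AUX);
    }
    return status;
}

/// @brief Reference a driver object by its object-manager name.
/// Attributes follow InitializeObjectAttributes: kernel handle, case-insensitive.
NTSTATUS GetDriverObject(const WCHAR *pcDriverObjectName, PDRIVER_OBJECT *ppDrvObj)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    UNICODE_STRING strDrvObjName;

    if ((NULL == ppDrvObj) || (NULL == pcDriverObjectName))
        return STATUS_INVALID_PARAMETER;
    *ppDrvObj = NULL; ///< never hand back an uninitialised pointer on failure

    RtlInitUnicodeString(&strDrvObjName, pcDriverObjectName);
    status = ObReferenceObjectByName(
        &strDrvObjName,                            ///< IN PUNICODE_STRING ObjectName,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,  ///< IN ULONG Attributes,
        NULL,                                      ///< IN PACCESS_STATE PassedAccessState OPTIONAL,
        0,                                         ///< IN ACCESS_MASK DesiredAccess OPTIONAL,
        *IoDriverObjectType,                       ///< IN POBJECT_TYPE ObjectType,
        KernelMode,                                ///< IN KPROCESSOR_MODE AccessMode,
        NULL,                                      ///< IN OUT PVOID ParseContext OPTIONAL,
        (PVOID *)ppDrvObj                          ///< OUT PVOID *Object
    );
    return status;
}

/// @brief Best-effort check that a UNICODE_STRING header and every byte of its
/// buffer are mapped.
///
/// MmIsAddressValid only describes the instant of the call and the page can be
/// paged out afterwards, so the __except handler is the real safety net.
BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr)
{
    BOOLEAN bRc = FALSE;
    ULONG ulIndex = 0;

    __try {
        if (!MmIsAddressValid(pstr))
            return FALSE;
        if ((NULL == pstr->Buffer) || (0 == pstr->Length))
            return FALSE;
        /// Length is in bytes, so every byte of the buffer is probed.
        for (ulIndex = 0; ulIndex < pstr->Length; ulIndex++) {
            if (!MmIsAddressValid((UCHAR *)pstr->Buffer + ulIndex))
                return FALSE;
        }
        bRc = TRUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        bRc = FALSE;
    }
    return bRc;
}

实验数据

#define IRP_MJ_CREATE                   0x00

DisPatchDeviceControl IOCTL 0x22e000
>> ProcessShowFsd
pDrvObj->DriverName = \FileSystem\Ntfs
pDrvObj->HardwareDatabase = \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM
pDrvObj->MajorFunction[0] = 0xF7387E01, in Module [Ntfs.sys] ///< 原始地址
pDrvObj->MajorFunction[1] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe]
pDrvObj->MajorFunction[2] = 0xF73872EA, in Module [Ntfs.sys]
pDrvObj->MajorFunction[3] = 0xF7364F2F, in Module [Ntfs.sys]
pDrvObj->MajorFunction[4] = 0xF7363B4B, in Module [Ntfs.sys]
pDrvObj->MajorFunction[5] = 0xF73884B9, in Module [Ntfs.sys]
pDrvObj->MajorFunction[6] = 0xF7365ABB, in Module [Ntfs.sys]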
pDrvObj->MajorFunction[7] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[8] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[9] = 0xF73A20E5, in Module [Ntfs.sys] pDrvObj->MajorFunction[10] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[11] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[12] = 0xF738A1BD, in Module [Ntfs.sys] pDrvObj->MajorFunction[13] = 0xF738C958, in Module [Ntfs.sys] pDrvObj->MajorFunction[14] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[15] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[16] = 0xF73767F2, in Module [Ntfs.sys] pDrvObj->MajorFunction[17] = 0xF73DBCE9, in Module [Ntfs.sys] pDrvObj->MajorFunction[18] = 0xF7387CB8, in Module [Ntfs.sys] pDrvObj->MajorFunction[19] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[20] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[21] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[22] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[23] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[24] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[25] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[26] = 0xF73884B9, in Module [Ntfs.sys] << ProcessShowFsd DisPatchDeviceControl IOCTL 0x22e000 >> HookFsd ok : hook fsd IRP_MJ_CREATE << HookFsd DisPatchDeviceControl IOCTL 0x22e000 >> ProcessShowFsd pDrvObj->DriverName = \FileSystem\Ntfs pDrvObj->HardwareDatabase = \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM pDrvObj->MajorFunction[0] = 0xF78DE8C0, in Module [\??\C:\Documents and Settings\Administrator\桌面\bin\LsNtDrv.sys] ///< IRP HOOK pDrvObj->MajorFunction[1] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[2] = 0xF73872EA, in Module [Ntfs.sys] pDrvObj->MajorFunction[3] = 0xF7364F2F, in Module [Ntfs.sys] pDrvObj->MajorFunction[4] = 0xF7363B4B, in 
Module [Ntfs.sys] pDrvObj->MajorFunction[5] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[6] = 0xF7365ABB, in Module [Ntfs.sys] pDrvObj->MajorFunction[7] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[8] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[9] = 0xF73A20E5, in Module [Ntfs.sys] pDrvObj->MajorFunction[10] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[11] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[12] = 0xF738A1BD, in Module [Ntfs.sys] pDrvObj->MajorFunction[13] = 0xF738C958, in Module [Ntfs.sys] pDrvObj->MajorFunction[14] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[15] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[16] = 0xF73767F2, in Module [Ntfs.sys] pDrvObj->MajorFunction[17] = 0xF73DBCE9, in Module [Ntfs.sys] pDrvObj->MajorFunction[18] = 0xF7387CB8, in Module [Ntfs.sys] pDrvObj->MajorFunction[19] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[20] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[21] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[22] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[23] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[24] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[25] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[26] = 0xF73884B9, in Module [Ntfs.sys] << ProcessShowFsd DisPatchDeviceControl IOCTL 0x22e000 >> HookFsd ok : unHook fsd IRP_MJ_CREATE << HookFsd DisPatchDeviceControl IOCTL 0x22e000 >> ProcessShowFsd pDrvObj->DriverName = \FileSystem\Ntfs pDrvObj->HardwareDatabase = \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM pDrvObj->MajorFunction[0] = 0xF7387E01, in Module [Ntfs.sys] ///< UnHook 之后,恢复成原始值 pDrvObj->MajorFunction[1] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[2] = 0xF73872EA, in Module [Ntfs.sys] 
pDrvObj->MajorFunction[3] = 0xF7364F2F, in Module [Ntfs.sys] pDrvObj->MajorFunction[4] = 0xF7363B4B, in Module [Ntfs.sys] pDrvObj->MajorFunction[5] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[6] = 0xF7365ABB, in Module [Ntfs.sys] pDrvObj->MajorFunction[7] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[8] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[9] = 0xF73A20E5, in Module [Ntfs.sys] pDrvObj->MajorFunction[10] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[11] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[12] = 0xF738A1BD, in Module [Ntfs.sys] pDrvObj->MajorFunction[13] = 0xF738C958, in Module [Ntfs.sys] pDrvObj->MajorFunction[14] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[15] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[16] = 0xF73767F2, in Module [Ntfs.sys] pDrvObj->MajorFunction[17] = 0xF73DBCE9, in Module [Ntfs.sys] pDrvObj->MajorFunction[18] = 0xF7387CB8, in Module [Ntfs.sys] pDrvObj->MajorFunction[19] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[20] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[21] = 0xF7388604, in Module [Ntfs.sys] pDrvObj->MajorFunction[22] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[23] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[24] = 0x804F454A, in Module [\WINDOWS\system32\ntkrnlpa.exe] pDrvObj->MajorFunction[25] = 0xF73884B9, in Module [Ntfs.sys] pDrvObj->MajorFunction[26] = 0xF73884B9, in Module [Ntfs.sys] << ProcessShowFsd
