蹂躏D&F学习之重复NtCreateFile之二

//rlTenD.cpp#include <ntddk.h>#include "SSDTHOOK.h"#include "rlTenD.h"ULONG g_uOldNtCreateFileAddr = 0;PFNNTCREATEFILE g_pfnNtCreateFile = NULL;NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str){//驱动 ->驱动卸载=卸载驱动pDriver->DriverUnload = UnloadDriver;//调试输出DbgPrint("Loading MyDriver...\r");ULONG uAddr = GetSSDTAddr(0x42);if (uAddr){g_pfnNtCreateFile = (PFNNTCREATEFILE)uAddr;HookSSDT(0x42, (ULONG)rlNtCreateFile, &g_uOldNtCreateFileAddr);KdPrint(("NtCreateFile: 0x%08x\r", uAddr));}return STATUS_SUCCESS;}void UnloadDriver(PDRIVER_OBJECT pDriver){UnHookSSDT(0x42, g_pfnNtCreateFile);//调试输出DbgPrint("unLoading MyDriver...\r");}NTSTATUS rlNtCreateFile(_Out_     PHANDLE FileHandle,_In_      ACCESS_MASK DesiredAccess,_In_      POBJECT_ATTRIBUTES ObjectAttributes,_Out_     PIO_STATUS_BLOCK IoStatusBlock,_In_opt_  PLARGE_INTEGER AllocationSize,_In_      ULONG FileAttributes,_In_      ULONG ShareAccess,_In_      ULONG CreateDisposition,_In_      ULONG CreateOptions,_In_      PVOID EaBuffer,_In_      ULONG EaLength){if (ObjectAttributes && ObjectAttributes->ObjectName){KdPrint(("NtCreateFile: %wZ\r", ObjectAttributes->ObjectName));}return g_pfnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);}
//rlTenD.h

// Driver unload callback; restores the service-table entry changed in DriverEntry.
void UnloadDriver(PDRIVER_OBJECT pDriver);

// Replacement NtCreateFile installed in the service table. Same signature as
// the native service so it can be called in its place.
NTSTATUS rlNtCreateFile(_Out_     PHANDLE FileHandle,
                        _In_      ACCESS_MASK DesiredAccess,
                        _In_      POBJECT_ATTRIBUTES ObjectAttributes,
                        _Out_     PIO_STATUS_BLOCK IoStatusBlock,
                        _In_opt_  PLARGE_INTEGER AllocationSize,
                        _In_      ULONG FileAttributes,
                        _In_      ULONG ShareAccess,
                        _In_      ULONG CreateDisposition,
                        _In_      ULONG CreateOptions,
                        _In_      PVOID EaBuffer,
                        _In_      ULONG EaLength);

// Pointer type of the original NtCreateFile, used to call through from the hook.
typedef NTSTATUS (*PFNNTCREATEFILE)(_Out_     PHANDLE FileHandle,
                                    _In_      ACCESS_MASK DesiredAccess,
                                    _In_      POBJECT_ATTRIBUTES ObjectAttributes,
                                    _Out_     PIO_STATUS_BLOCK IoStatusBlock,
                                    _In_opt_  PLARGE_INTEGER AllocationSize,
                                    _In_      ULONG FileAttributes,
                                    _In_      ULONG ShareAccess,
                                    _In_      ULONG CreateDisposition,
                                    _In_      ULONG CreateOptions,
                                    _In_      PVOID EaBuffer,
                                    _In_      ULONG EaLength);

//SSDTHOOK.cpp#include "SSDTHOOK.h"ULONG GetSSDTAddr(ULONG uIndex){ULONG uAddr = *(PULONG)((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));return uAddr; }BOOLEAN HookSSDT(ULONG uIndex,ULONG uNewAddr,PULONG puOldAddr){if (uNewAddr ==0 || puOldAddr == NULL){return FALSE;}ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));*puOldAddr = *(PULONG)uAddr;*(PULONG)uAddr = uNewAddr;return TRUE;}BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr){if (uOldAddr = 0){return FALSE;}ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));*(PULONG)uAddr = uOldAddr;return TRUE;}

//SSDTHOOK.h#pragma once#ifdef __cplusplusexern "C"#endif#include <ntddk.h>#include <string.h>#ifdef __cplusplus};#endiftypedef struct _SDT_ENTRY{PVOID *ServiceTableBase;PULONG ServiceCounterTableBase; //Used only in checked buildULONG NumberOfServices;PUCHAR ParamTableBase;} SDT_ENTRY, *PSDT_ENTRY;EXTERN_C SDT_ENTRY *KeServiceDescriptorTable;ULONG GetSSDTAddr(ULONG uIndex);BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr);

