蹂躏D&F学习之重复NtCreateFile之三

//rlTenD.cpp#include <ntddk.h>#include "SSDTHOOK.h"#include "rlTenD.h"ULONG g_uOldNtCreateFileAddr = 0;PFNNTCREATEFILE g_pfnNtCreateFile = NULL;NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str){//驱动 ->驱动卸载=卸载驱动pDriver->DriverUnload = UnloadDriver;//调试输出DbgPrint("Loading MyDriver...\r");ULONG uAddr = GetSSDTAddr(0x42);if (uAddr){g_pfnNtCreateFile = (PFNNTCREATEFILE)uAddr;HookSSDT(0x42, (ULONG)rlNtCreateFile, &g_uOldNtCreateFileAddr);KdPrint(("NtCreateFile: 0x%08x\r", uAddr));}return STATUS_SUCCESS;}void UnloadDriver(PDRIVER_OBJECT pDriver){UnHookSSDT(0x42, g_pfnNtCreateFile);//调试输出DbgPrint("unLoading MyDriver...\r");}NTSTATUS rlNtCreateFile(_Out_     PHANDLE FileHandle,_In_      ACCESS_MASK DesiredAccess,_In_      POBJECT_ATTRIBUTES ObjectAttributes,_Out_     PIO_STATUS_BLOCK IoStatusBlock,_In_opt_  PLARGE_INTEGER AllocationSize,_In_      ULONG FileAttributes,_In_      ULONG ShareAccess,_In_      ULONG CreateDisposition,_In_      ULONG CreateOptions,_In_      PVOID EaBuffer,_In_      ULONG EaLength){if (ObjectAttributes && ObjectAttributes->ObjectName){if (wcsstr(ObjectAttributes->ObjectName->Buffer, L"1.txt") != 0){KdPrint(("NtCreateFile: %wZ\r", ObjectAttributes->ObjectName));return STATUS_UNSUCCESSFUL;}}return g_pfnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);}
//rlTenD.hvoid UnloadDriver(PDRIVER_OBJECT pDriver);NTSTATUS rlNtCreateFile(_Out_     PHANDLE FileHandle,_In_      ACCESS_MASK DesiredAccess,_In_      POBJECT_ATTRIBUTES ObjectAttributes,_Out_     PIO_STATUS_BLOCK IoStatusBlock,_In_opt_  PLARGE_INTEGER AllocationSize,_In_      ULONG FileAttributes,_In_      ULONG ShareAccess,_In_      ULONG CreateDisposition,_In_      ULONG CreateOptions,_In_      PVOID EaBuffer,_In_      ULONG EaLength);typedef NTSTATUS (*PFNNTCREATEFILE)(_Out_     PHANDLE FileHandle,_In_      ACCESS_MASK DesiredAccess,_In_      POBJECT_ATTRIBUTES ObjectAttributes,_Out_     PIO_STATUS_BLOCK IoStatusBlock,_In_opt_  PLARGE_INTEGER AllocationSize,_In_      ULONG FileAttributes,_In_      ULONG ShareAccess,_In_      ULONG CreateDisposition,_In_      ULONG CreateOptions,_In_      PVOID EaBuffer,_In_      ULONG EaLength);void DisableWP();void EnableWP();

//SSDTHOOK.cpp#include "SSDTHOOK.h"ULONG GetSSDTAddr(ULONG uIndex){ULONG uAddr = *(PULONG)((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));return uAddr; }BOOLEAN HookSSDT(ULONG uIndex,ULONG uNewAddr,PULONG puOldAddr){if (uNewAddr ==0 || puOldAddr == NULL){return FALSE;}ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));*puOldAddr = *(PULONG)uAddr;void DisableWP();*(PULONG)uAddr = uNewAddr;void EnableWP();return TRUE;}BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr){if (uOldAddr = 0){return FALSE;}ULONG uAddr = ((ULONG)(*KeServiceDescriptorTable).ServiceTableBase + uIndex * sizeof(ULONG));void DisableWP();*(PULONG)uAddr = uOldAddr;void EnableWP();return TRUE;}void DisableWP(){__asm{cli push eaxmov eax,cr0and eax,0xfffeffffmov cr0,eaxpop eax}}void EnableWP(){__asm{push eaxmov eax,cr0or eax,0x10000mov cr0,eaxpop eaxsti}}

//SSDTHOOK.h#pragma once#ifdef __cplusplusexern "C"#endif#include <ntddk.h>#include <string.h>#ifdef __cplusplus};#endiftypedef struct _SDT_ENTRY{PVOID *ServiceTableBase;PULONG ServiceCounterTableBase; //Used only in checked buildULONG NumberOfServices;PUCHAR ParamTableBase;} SDT_ENTRY, *PSDT_ENTRY;EXTERN_C SDT_ENTRY *KeServiceDescriptorTable;ULONG GetSSDTAddr(ULONG uIndex);BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr);void DisableWP();void EnableWP();

