irpHook的代码~

/*
 * Replacement for the kernel's pIofCallDriver, installed by
 * HookpIofCallDriver. Once installed, IofCallDriver transfers control here
 * for every IRP dispatched through IoCallDriver/IofCallDriver system-wide,
 * so this runs on the hot path of all I/O and at the caller's IRQL (which
 * can be as high as DISPATCH_LEVEL).
 *
 * The visible body only traces and then forwards to the saved original; the
 * author's own IRP inspection/filtering code was removed from the listing
 * ("Code deleted").
 *
 * FASTCALL: DeviceObject arrives in ECX and Irp in EDX, which is why the
 * forwarding is written in inline asm -- the original pIofCallDriver is
 * entered with exactly the same register convention and its EAX (the
 * NTSTATUS it produced) is returned unchanged.
 *
 * NOTE(review): DbgPrint on every IRP is expensive and very noisy (the
 * format string also lacks a trailing newline); keep it out of release
 * builds.
 */
NTSTATUS FASTCALL
NewpIofCallDriver(
IN PDEVICE_OBJECT DeviceObject,
IN OUT PIRP Irp
)
{
NTSTATUS stat;
DbgPrint("Hacked Great!");   /* fires once per IRP in the whole system */
//Code deleted -- the author's IRP inspection/filtering was elided from the listing
__asm
{
mov ecx,DeviceObject          // first fastcall argument
mov edx,Irp                   // second fastcall argument
Call old_piofcalldriver       // call through the saved original pIofCallDriver value
mov stat,eax                  // NTSTATUS returned by the original
}
return stat;
}
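/*
 * IRP_MJ_DEVICE_CONTROL dispatch routine for the \Device\irphook control
 * device.
 *
 * Recognizes IOCTL_ENABLE and IOCTL_DISABLE (their handler bodies were
 * elided by the author, see "Code deleted"); any other control code fails
 * with STATUS_UNSUCCESSFUL. The IRP is always completed here with
 * IoStatus.Information = 0, and the return value matches IoStatus.Status.
 *
 * Security note: the control device is created in DriverEntry with the
 * default (unrestricted) security descriptor, so any local user can open it
 * and toggle the IofCallDriver hook through these IOCTLs. Restrict the
 * device object (an administrator-only SDDL via IoCreateDeviceSecure, or a
 * DACL on the device) before exposing this interface.
 *
 * Changes vs. the original listing: the unused locals (DataSize, pData,
 * pInout, OldIrql, i) were removed and an explicit default case added.
 */
NTSTATUS DriverIoControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
    PIO_STACK_LOCATION pisl = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS ns = STATUS_UNSUCCESSFUL;
    /* Output-buffer length and the system buffer. Reading
     * AssociatedIrp.SystemBuffer only makes sense for METHOD_BUFFERED
     * control codes. Neither value is consumed by the visible code; the
     * elided handler bodies presumably used them. */
    ULONG BuffSize = pisl->Parameters.DeviceIoControl.OutputBufferLength;
    PVOID pBuff = Irp->AssociatedIrp.SystemBuffer;

    (void)DeviceObject;
    (void)BuffSize;
    (void)pBuff;

    Irp->IoStatus.Information = 0;

    switch (pisl->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_DISABLE:
        //Code deleted
        ns = STATUS_SUCCESS;
        break;
    case IOCTL_ENABLE:
        //Code deleted
        ns = STATUS_SUCCESS;
        break;
    default:
        /* Unknown control code: ns stays STATUS_UNSUCCESSFUL. */
        break;
    }

    Irp->IoStatus.Status = ns;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ns;
}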

/*
 * IRP_MJ_CREATE handler (also reused by DriverClose). Opening the control
 * device needs no per-handle state, so the request is completed right away
 * with STATUS_SUCCESS and zero bytes transferred.
 */
NTSTATUS DrivercreateClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    (void)DeviceObject;

    Irp->IoStatus.Status = result;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return result;
}

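/*
 * Driver unload routine (only wired up in DEBUG builds, see DriverEntry).
 *
 * Restores the original pIofCallDriver value saved by HookpIofCallDriver
 * before tearing down the control device. The original listing skipped this:
 * unloading while the kernel still dispatches through NewpIofCallDriver
 * leaves IofCallDriver jumping into freed driver memory and bugchecks on the
 * next IRP.
 *
 * Limitation: a thread already executing inside NewpIofCallDriver on another
 * CPU is not waited for, so even with the pointer restored an unload is
 * racy. That is why release builds leave DriverUnload NULL.
 *
 * WDK identifiers are spelled with their correct case (IoDeleteSymbolicLink,
 * IoDeleteDevice).
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    ULONG addr = (ULONG)IofCallDriver;
    ULONG savedCr0;
    KIRQL oldIrql;

    (void)DriverObject;

    if (old_piofcalldriver != 0)
    {
        /* Same patch location and CR0.WP sequence as HookpIofCallDriver,
         * in reverse: write the saved original back into the pointer
         * variable whose address sits at IofCallDriver+2. */
        oldIrql = KeRaiseIrqlToDpcLevel();
        __asm
        {
            mov eax, cr0
            mov savedCr0, eax
            and eax, 0xfffeffff      // clear CR0.WP (bit 16)
            mov cr0, eax
            mov eax, addr
            mov esi, [eax+2]         // address of the pIofCallDriver variable
            mov eax, old_piofcalldriver
            mov dword ptr [esi], eax // restore the original target
            mov eax, savedCr0
            mov cr0, eax
        }
        KeLowerIrql(oldIrql);
        old_piofcalldriver = 0;
    }

    IoDeleteSymbolicLink(&SymbolicLinkName);
    IoDeleteDevice(deviceObject);
}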
/*
 * IRP_MJ_CLOSE handler. Closing a handle needs no cleanup of its own, so
 * this is a thin alias for the create handler: the IRP is completed with
 * STATUS_SUCCESS and Information = 0.
 */
NTSTATUS DriverClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
    NTSTATUS status = DrivercreateClose(DeviceObject, Irp);
    return status;
}
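/*
 * Catch-all dispatch routine for every major function that DriverEntry does
 * not route elsewhere (read, write, cleanup, ...).
 *
 * A dispatch routine that completes an IRP must fill in IoStatus before
 * calling IoCompleteRequest. The original listing completed the IRP with
 * whatever Status/Information it already carried while returning
 * STATUS_SUCCESS, so the two could disagree; both are now set to match the
 * return value. (STATUS_INVALID_DEVICE_REQUEST would be the conventional
 * status for an unsupported major function; STATUS_SUCCESS is kept here to
 * preserve the original return value.)
 */
NTSTATUS IoComplete(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
    (void)DeviceObject;

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}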

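/*
 * Installs NewpIofCallDriver as the kernel's pIofCallDriver.
 *
 * How the patch location is found: the code assumes the first instruction
 * of IofCallDriver is a 2-byte opcode followed by the absolute 32-bit
 * address of the pIofCallDriver variable (bytes 2..5), so [IofCallDriver+2]
 * is the address of that variable and [[IofCallDriver+2]] its current
 * value. NOTE(review): this is a build-specific x86 code layout that the
 * listing never verifies -- confirm the opcode bytes against the target
 * kernel before dereferencing, otherwise `mov esi,[eax+2]` yields an
 * arbitrary value and the store below corrupts memory.
 *
 * Fixes vs. the original listing:
 *  - `and eax,0xffffffff` was a no-op, so CR0.WP was never cleared; the mask
 *    is now 0xfffeffff (WP is bit 16 of CR0).
 *  - the saved CR0 value is a local instead of the file-scope `oData`.
 *  - installing twice would have overwritten old_piofcalldriver with the
 *    hook itself (NewpIofCallDriver then calls itself forever on the next
 *    IRP); the function is now idempotent.
 *  - a NULL current pointer is refused instead of being saved and called.
 *
 * Caveats: KeRaiseIrqlToDpcLevel only stops preemption on this CPU. The
 * pointer store is a single aligned dword, so other CPUs observe either the
 * old or the new target. Interrupts stay enabled while WP is cleared, so an
 * interrupt handler on this CPU may briefly run with write-protection off.
 */
void HookpIofCallDriver()
{
    KIRQL oldIrql;
    ULONG addr = (ULONG)IofCallDriver;
    ULONG savedCr0;
    ULONG current;

    if (old_piofcalldriver != 0)
        return;                       /* already hooked */

    __asm
    {
        mov eax, addr
        mov esi, [eax+2]              // address of the pIofCallDriver variable
        mov eax, [esi]                // its current value: the real target
        mov old_piofcalldriver, eax   // saved for NewpIofCallDriver / unload
        mov current, eax
    }
    if (current == 0)
    {
        old_piofcalldriver = 0;       /* nothing sane to forward to */
        return;
    }

    oldIrql = KeRaiseIrqlToDpcLevel();
    __asm
    {
        mov eax, cr0
        mov savedCr0, eax
        and eax, 0xfffeffff           // clear CR0.WP (bit 16)
        mov cr0, eax
        mov eax, addr
        mov esi, [eax+2]
        mov dword ptr [esi], offset NewpIofCallDriver
        mov eax, savedCr0
        mov cr0, eax                  // restore WP
    }
    KeLowerIrql(oldIrql);
}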
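/*
 * Driver entry point: creates the \Device\irphook control device and its
 * \DosDevices\irphook symbolic link, fills in the dispatch table, and hooks
 * pIofCallDriver.
 *
 * Fixes vs. the original listing:
 *  - the dispatch-table loop assigned `ppdd = IoComplete` instead of
 *    `ppdd[i] = IoComplete`, so the table was never filled and the two
 *    stores that followed went relative to IoComplete's code address;
 *  - IoCreateSymbolicLink's status was ignored (on failure the device stayed
 *    behind and the hook was still installed);
 *  - the DEBUG DriverUnload assignment was immediately overwritten with 0,
 *    making it dead code; it is now an #ifdef/#else;
 *  - IRP_MJ_CLOSE is routed to DriverClose, which (unlike IoComplete) fills
 *    in IoStatus before completing the IRP;
 *  - WDK identifiers are spelled with their correct case.
 *
 * Security note: IoCreateDevice gives the device object the default
 * security descriptor, so any local user can open \\.\irphook and send
 * IOCTL_ENABLE / IOCTL_DISABLE. Use IoCreateDeviceSecure with an
 * administrator-only SDDL (or set a DACL on the device) before shipping this
 * interface.
 *
 * Release builds deliberately leave DriverUnload NULL: once pIofCallDriver
 * points into this image, unloading cannot be made safe against callers
 * already executing NewpIofCallDriver.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    PDRIVER_DISPATCH *ppdd;
    ULONG i;
    PCWSTR dDeviceName = L"\\Device\\irphook";
    PCWSTR dSymbolicLinkName = L"\\DosDevices\\irphook";

    (void)RegistryPath;

    RtlInitUnicodeString(&DeviceName, dDeviceName);
    RtlInitUnicodeString(&SymbolicLinkName, dSymbolicLinkName);

    status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status))
        return status;

    status = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
    if (!NT_SUCCESS(status))
    {
        /* Do not leave a half-initialized device behind, and do not hook. */
        IoDeleteDevice(deviceObject);
        return status;
    }

#ifdef DEBUG
    DriverObject->DriverUnload = DriverUnload;
#else
    DriverObject->DriverUnload = 0;
#endif

    /* Every major function defaults to the catch-all completer ... */
    ppdd = DriverObject->MajorFunction;
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        ppdd[i] = IoComplete;

    /* ... except the three the control device actually supports. */
    ppdd[IRP_MJ_CREATE] = DrivercreateClose;
    ppdd[IRP_MJ_CLOSE] = DriverClose;
    ppdd[IRP_MJ_DEVICE_CONTROL] = DriverIoControl;

    g_drvobj = DriverObject;
    HookpIofCallDriver();
    return status;
}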
知识共享许可协议莿鸟栖草堂CFC4N 创作,采用 知识共享 署名-非商业性使用-相同方式共享(3.0未本地化版本)许可协议进行许可。基于http://www.cnxct.com上的作品创作。转载请注明转自:irpHook的代码~
