您的位置:首页 > 编程语言

驱动防杀防删代码编程

2008-09-15 08:02 309 查看
#include <ntddk.h>
#include <stdio.h>

typedef struct _SRVTABLE {
PVOID *ServiceTable;
ULONG LowCall;
ULONG HiCall;
PVOID *ArgTable;
} SRVTABLE, *PSRVTABLE;

extern PSRVTABLE KeServiceDescriptorTable;

//调用原函数
#define SYSCALL(_function) ServiceTable->ServiceTable[*(PULONG)((PUCHAR)_function+1)]

PSRVTABLE ServiceTable;

NTSTATUS
(*RealZwSetInformationFile)(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass); //原函数

NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass); //自己的函数

VOID HookAPI();
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject);
VOID UnHook();
VOID UnhookSystemCall();

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{

DriverObject->DriverUnload = DriverUnload;
ServiceTable = KeServiceDescriptorTable;
HookAPI();
return STATUS_SUCCESS;
}

VOID HookAPI()
{
RealZwSetInformationFile = SYSCALL(ZwSetInformationFile);
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
SYSCALL(ZwSetInformationFile) = (PVOID)HookZwSetInformationFile;
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
return;
}

NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass)
{
PFILE_OBJECT pFileObject;
NTSTATUS nRet= ObReferenceObjectByHandle(FileHandle, GENERIC_READ,
*IoFileObjectType, KernelMode, (PVOID*)&pFileObject, 0);

if(NT_SUCCESS(nRet))
{
UNICODE_STRING uDosName;
nRet = IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uDosName);
if (NT_SUCCESS(nRet))
{
if (!_wcsicmp(pFileObject->FileName.Buffer, L"//工作//HOOK//objchk_wxp_x86//i386//test.txt") &&
!_wcsicmp(uDosName.Buffer, L"D:"))
{
ExFreePool(uDosName.Buffer);
return STATUS_ACCESS_DENIED;
}
ExFreePool(uDosName.Buffer);
}
}
return RealZwSetInformationFile(FileHandle, IoStatusBlock, FileInformation,
Length, FileInformationClass);
}

VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
UnHook();
}

VOID UnHook()
{
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
UnhookSystemCall();
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}

VOID UnhookSystemCall()
{
SYSCALL(ZwSetInformationFile) = (PVOID)RealZwSetInformationFile;

return;
}
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: 
相关文章推荐
新的分享
章节导航