蹂躪D&F學習之重複NtCreateFile之三

//rlTenD.cpp
#include <ntddk.h>
#include "SSDTHOOK.h"
#include "rlTenD.h"

/* Value the SSDT entry held before HookSSDT() patched it (HookSSDT() stores it
 * through its puOldAddr argument); 0 until the hook is installed. */
ULONG g_uOldNtCreateFileAddr = 0UL;
/* Same original entry, typed as a function pointer so rlNtCreateFile() can
 * forward calls it does not block; DriverEntry() fills it before hooking. */
PFNNTCREATEFILE g_pfnNtCreateFile = NULL;
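/*
 * DriverEntry - install the NtCreateFile SSDT hook.
 *
 * pDriver : driver object; only DriverUnload is set.
 * str     : registry path (unused).
 *
 * Returns STATUS_SUCCESS even when the hook could not be installed, so the
 * driver stays loaded (and unloadable) with the SSDT untouched in that case.
 * The result of HookSSDT() is checked so a failed install does not leave
 * g_pfnNtCreateFile pointing at a service that was never hooked.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING str)
{
	UNREFERENCED_PARAMETER(str);

	pDriver->DriverUnload = UnloadDriver;
	DbgPrint("Loading MyDriver...\r");

	/* 0x42 is the service index this sample uses for NtCreateFile. SSDT
	 * indices differ between Windows builds, so the value must be confirmed
	 * for the target build rather than assumed. */
	ULONG uAddr = GetSSDTAddr(0x42);
	if (uAddr == 0)
	{
		KdPrint(("NtCreateFile: service index 0x42 not resolved, hook not installed\r"));
		return STATUS_SUCCESS;
	}

	/* Publish the forward target before the table is patched so a call that
	 * arrives right after the write never sees a NULL g_pfnNtCreateFile. */
	g_pfnNtCreateFile = (PFNNTCREATEFILE)uAddr;
	if (!HookSSDT(0x42, (ULONG)rlNtCreateFile, &g_uOldNtCreateFileAddr))
	{
		/* HookSSDT() returns FALSE before touching the table, so there is
		 * nothing to undo; clear the forward pointer again. */
		g_pfnNtCreateFile = NULL;
		KdPrint(("NtCreateFile: HookSSDT failed, hook not installed\r"));
		return STATUS_SUCCESS;
	}

	KdPrint(("NtCreateFile: 0x%08x\r", uAddr));
	return STATUS_SUCCESS;
}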

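/*
 * UnloadDriver - restore the original NtCreateFile SSDT entry.
 *
 * pDriver : driver object (unused).
 *
 * Restores the address HookSSDT() saved in g_uOldNtCreateFileAddr, which is
 * the ULONG UnHookSSDT() expects (g_pfnNtCreateFile holds the same address
 * but as a function pointer). Skipped when the hook was never installed,
 * i.e. the saved address is still 0.
 *
 * NOTE(review): nothing here waits for calls already executing inside
 * rlNtCreateFile() to return before the driver image is unloaded; that
 * race is not handled on this page.
 */
void UnloadDriver(PDRIVER_OBJECT pDriver)
{
	UNREFERENCED_PARAMETER(pDriver);

	if (g_uOldNtCreateFileAddr != 0)
	{
		if (!UnHookSSDT(0x42, g_uOldNtCreateFileAddr))
		{
			KdPrint(("NtCreateFile: UnHookSSDT failed\r"));
		}
		g_uOldNtCreateFileAddr = 0;
	}

	DbgPrint("unLoading MyDriver...\r");
}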

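/* Bounded, case-sensitive substring test over a UNICODE_STRING whose Buffer
 * is not required to be NUL-terminated: only Length/sizeof(WCHAR) characters
 * are examined, which wcsstr() cannot guarantee. name is a local snapshot
 * whose Buffer the caller has already probed. Empty needle matches, as with
 * wcsstr(). */
static BOOLEAN NameContains(const UNICODE_STRING *name, PCWSTR needle)
{
	SIZE_T needleLen = wcslen(needle);
	SIZE_T nameLen = name->Length / sizeof(WCHAR);

	if (needleLen == 0)
	{
		return TRUE;
	}
	if (name->Buffer == NULL || nameLen < needleLen)
	{
		return FALSE;
	}
	for (SIZE_T i = 0; i + needleLen <= nameLen; i++)
	{
		if (RtlEqualMemory(&name->Buffer[i], needle, needleLen * sizeof(WCHAR)))
		{
			return TRUE;
		}
	}
	return FALSE;
}

/*
 * rlNtCreateFile - replacement for NtCreateFile installed into the SSDT.
 *
 * Parameters are exactly those of NtCreateFile. Any open/create whose object
 * name contains L"1.txt" is refused with STATUS_UNSUCCESSFUL; every other
 * call is forwarded unchanged to the original service in g_pfnNtCreateFile.
 *
 * Because this runs as a system service, ObjectAttributes may point into
 * user memory. Every dereference is therefore probed when the previous mode
 * is UserMode and wrapped in SEH; memory that cannot be read is not treated
 * as an error here but passed to the original service, which validates the
 * arguments itself and reports the failure. The name is compared over its
 * Length rather than with wcsstr(), since Buffer need not be NUL-terminated
 * and wcsstr() could read past the end of the caller's buffer.
 *
 * NOTE(review): Length and Buffer are copied once before the compare, but a
 * user-mode caller can still change the buffer contents afterwards; this is
 * a filter, not a security boundary.
 */
NTSTATUS rlNtCreateFile(
	_Out_     PHANDLE FileHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_      POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_     PIO_STATUS_BLOCK IoStatusBlock,
	_In_opt_  PLARGE_INTEGER AllocationSize,
	_In_      ULONG FileAttributes,
	_In_      ULONG ShareAccess,
	_In_      ULONG CreateDisposition,
	_In_      ULONG CreateOptions,
	_In_      PVOID EaBuffer,
	_In_      ULONG EaLength
	)
{
	BOOLEAN bDeny = FALSE;

	if (ObjectAttributes != NULL)
	{
		KPROCESSOR_MODE mode = ExGetPreviousMode();

		__try
		{
			if (mode == UserMode)
			{
				ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG));
			}
			if (ObjectAttributes->ObjectName != NULL)
			{
				UNICODE_STRING name;

				if (mode == UserMode)
				{
					ProbeForRead(ObjectAttributes->ObjectName, sizeof(UNICODE_STRING), sizeof(ULONG));
				}
				/* Snapshot so Length and Buffer are read from caller memory
				 * exactly once and the compare cannot see a torn update. */
				name = *ObjectAttributes->ObjectName;

				if (name.Buffer != NULL && name.Length != 0)
				{
					if (mode == UserMode)
					{
						ProbeForRead(name.Buffer, name.Length, sizeof(WCHAR));
					}
					bDeny = NameContains(&name, L"1.txt");
					if (bDeny)
					{
						KdPrint(("NtCreateFile: %wZ\r", &name));
					}
				}
			}
		}
		__except (EXCEPTION_EXECUTE_HANDLER)
		{
			/* Unreadable caller memory: let the real service report it. */
			bDeny = FALSE;
		}
	}

	if (bDeny)
	{
		return STATUS_UNSUCCESSFUL;
	}
	return g_pfnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
		AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}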
//rlTenD.h


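#pragma once

/* rlTenD.h - interface of the NtCreateFile filter driver (rlTenD.cpp).
 * ntddk.h is included here so the header stands on its own instead of
 * relying on whatever the including file pulled in first. */
#include <ntddk.h>

/**
 * Driver unload routine: restores the SSDT entry patched in DriverEntry().
 * @param pDriver driver object (unused).
 */
void UnloadDriver(PDRIVER_OBJECT pDriver);

/**
 * Replacement NtCreateFile installed into the SSDT; same parameters as
 * NtCreateFile. Refuses opens whose object name contains L"1.txt" with
 * STATUS_UNSUCCESSFUL and forwards every other call to the original service.
 */
NTSTATUS rlNtCreateFile(
	_Out_     PHANDLE FileHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_      POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_     PIO_STATUS_BLOCK IoStatusBlock,
	_In_opt_  PLARGE_INTEGER AllocationSize,
	_In_      ULONG FileAttributes,
	_In_      ULONG ShareAccess,
	_In_      ULONG CreateDisposition,
	_In_      ULONG CreateOptions,
	_In_      PVOID EaBuffer,
	_In_      ULONG EaLength
	);

/** Signature of the original NtCreateFile, used to forward unblocked calls. */
typedef NTSTATUS (*PFNNTCREATEFILE)(
	_Out_     PHANDLE FileHandle,
	_In_      ACCESS_MASK DesiredAccess,
	_In_      POBJECT_ATTRIBUTES ObjectAttributes,
	_Out_     PIO_STATUS_BLOCK IoStatusBlock,
	_In_opt_  PLARGE_INTEGER AllocationSize,
	_In_      ULONG FileAttributes,
	_In_      ULONG ShareAccess,
	_In_      ULONG CreateDisposition,
	_In_      ULONG CreateOptions,
	_In_      PVOID EaBuffer,
	_In_      ULONG EaLength
	);

/* CR0.WP toggles; defined in SSDTHOOK.cpp and also declared in SSDTHOOK.h.
 * They must be used as a pair (DisableWP executes cli, EnableWP sti). */
void DisableWP();
void EnableWP();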


//SSDTHOOK.cpp
#include "SSDTHOOK.h"

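/*
 * GetSSDTAddr - read one entry of the system service dispatch table.
 *
 * uIndex : service index into KeServiceDescriptorTable->ServiceTableBase.
 *
 * Returns the entry (the handler address) or 0 when the table is not
 * available or uIndex is outside NumberOfServices, so callers can treat 0 as
 * "not resolved" instead of reading past the end of the table.
 * 32-bit only: pointers are stored in ULONG and the matching WP toggles are
 * x86 inline assembly.
 */
ULONG GetSSDTAddr(ULONG uIndex)
{
	if (KeServiceDescriptorTable == NULL ||
	    KeServiceDescriptorTable->ServiceTableBase == NULL ||
	    uIndex >= KeServiceDescriptorTable->NumberOfServices)
	{
		return 0;
	}
	/* ServiceTableBase is an array of pointer-sized entries; index it directly
	 * rather than recomputing the byte offset. */
	return (ULONG)KeServiceDescriptorTable->ServiceTableBase[uIndex];
}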

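/*
 * HookSSDT - replace one SSDT entry and report what it replaced.
 *
 * uIndex    : service index to patch.
 * uNewAddr  : address of the replacement routine.
 * puOldAddr : receives the entry's previous value; the caller keeps it for
 *             UnHookSSDT().
 *
 * Returns FALSE, with the table untouched, when uNewAddr is 0, puOldAddr is
 * NULL, or uIndex is outside NumberOfServices.
 *
 * The write is bracketed by DisableWP()/EnableWP(); they must be called as
 * statements — a line reading `void DisableWP();` inside the body is only a
 * local prototype and generates no code, so the table write would then hit
 * a write-protected page. DisableWP() executes cli and EnableWP() sti, so
 * nothing between them may block or raise. The store is presumed to be a
 * single aligned 32-bit write — confirm for the target.
 */
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr)
{
	if (uNewAddr == 0 || puOldAddr == NULL)
	{
		return FALSE;
	}
	if (uIndex >= KeServiceDescriptorTable->NumberOfServices)
	{
		return FALSE;
	}

	PVOID *pEntry = &KeServiceDescriptorTable->ServiceTableBase[uIndex];
	*puOldAddr = (ULONG)*pEntry;

	DisableWP();
	*pEntry = (PVOID)uNewAddr;
	EnableWP();
	return TRUE;
}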


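/*
 * UnHookSSDT - write a previously saved handler address back into the SSDT.
 *
 * uIndex   : service index to restore.
 * uOldAddr : the value HookSSDT() reported through puOldAddr.
 *
 * Returns FALSE, with the table untouched, when uOldAddr is 0 or uIndex is
 * outside NumberOfServices. The guard compares with `==`; an assignment
 * `uOldAddr = 0` here is always false and would store 0 into the table.
 * The write is bracketed by DisableWP()/EnableWP(), which must be called,
 * not merely declared; they execute cli/sti, so nothing between them may
 * block or raise.
 */
BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr)
{
	if (uOldAddr == 0)
	{
		return FALSE;
	}
	if (uIndex >= KeServiceDescriptorTable->NumberOfServices)
	{
		return FALSE;
	}

	PVOID *pEntry = &KeServiceDescriptorTable->ServiceTableBase[uIndex];

	DisableWP();
	*pEntry = (PVOID)uOldAddr;
	EnableWP();
	return TRUE;
}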

/*
 * DisableWP - clear CR0.WP (bit 16) on the current processor so that ring-0
 * writes to read-only pages (here, the SSDT) are not faulted.
 *
 * Also executes cli: interrupts stay disabled until EnableWP() executes sti,
 * so every path after this call must reach EnableWP() and must not block in
 * between. MSVC x86 inline assembly only.
 *
 * NOTE(review): CR0 is per-CPU and cli only affects this CPU; the code
 * relies on interrupts being off to stay on the same processor until
 * EnableWP(), not on IRQL — confirm this is acceptable for the target.
 */
void DisableWP()
{
	__asm
	{
		cli                 // no interrupts until EnableWP() runs sti
		push eax
		mov eax,cr0
		and eax,0xfffeffff  // clear bit 16 (WP)
		mov cr0,eax
		pop eax
	}
}

/*
 * EnableWP - set CR0.WP (bit 16) again on the current processor and
 * re-enable interrupts with sti. Counterpart of DisableWP(); must run on the
 * same processor that executed DisableWP(). MSVC x86 inline assembly only.
 */
void EnableWP()
{

	__asm
	{
		push eax
			mov eax,cr0
			or eax,0x10000  // set bit 16 (WP)
			mov cr0,eax
			pop eax
			sti             // pairs with the cli in DisableWP()
	}
}

//SSDTHOOK.h
#pragma once

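/* Kernel and CRT string headers. The extern "C" wrapper needs the keyword
 * spelled out and a matching brace pair; it only takes effect when the header
 * is compiled as C++. */
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <string.h>
#ifdef __cplusplus
}
#endif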

/* Layout of a service descriptor table entry as this code assumes it
 * (the classic 32-bit KeServiceDescriptorTable layout — TODO confirm against
 * the target build). Field order and sizes must match the kernel's. */
typedef struct _SDT_ENTRY
{
	PVOID *ServiceTableBase;        // array of service handler addresses, indexed by service number
	PULONG ServiceCounterTableBase; //Used only in checked build
	ULONG NumberOfServices;         // entry count of ServiceTableBase; bound for index checks
	PUCHAR ParamTableBase;          // presumably per-service argument sizes; not used on this page
} SDT_ENTRY, *PSDT_ENTRY;


/* The kernel's service descriptor table, declared as a pointer on purpose.
 * NOTE(review): without __declspec(dllimport) the linker is presumed to bind
 * this name to the import slot, which holds the table's address, so
 * (*KeServiceDescriptorTable) is the SDT_ENTRY itself — confirm on the
 * target toolchain before relying on it. */
EXTERN_C SDT_ENTRY *KeServiceDescriptorTable;

/* Returns the handler address stored at service index uIndex. */
ULONG GetSSDTAddr(ULONG uIndex);
/* Stores uNewAddr at service index uIndex, saving the previous value in
 * *puOldAddr; FALSE (nothing written) when uNewAddr is 0 or puOldAddr NULL. */
BOOLEAN HookSSDT(ULONG uIndex, ULONG uNewAddr, PULONG puOldAddr);
/* Writes uOldAddr back at service index uIndex. */
BOOLEAN UnHookSSDT(ULONG uIndex, ULONG uOldAddr);

/* Clear / set CR0.WP on the current CPU (x86 inline assembly). DisableWP
 * also executes cli and EnableWP sti, so they must be used as a pair. */
void DisableWP();
void EnableWP();

