您现在的位置: 骇客基地 >> 黑客文章 >> 黑客攻防 >> 黑客编程 >> 正文

驱动防杀防删代码
骇客基地 阅读: 时间:2008-9-10 4:47:13 来源:www.hookbase.com
   #include <ntddk.h>
#include <stdio.h>

typedef struct _SRVTABLE {
PVOID *ServiceTable;
ULONG LowCall;
ULONG HiCall;
PVOID *ArgTable;
} SRVTABLE, *PSRVTABLE;

extern PSRVTABLE KeServiceDescriptorTable;

//调用原函数
#define SYSCALL(_function) ServiceTable->ServiceTable[*(PULONG)((PUCHAR)_function+1)]

PSRVTABLE ServiceTable;

NTSTATUS
(*RealZwSetInformationFile)(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass); //原函数

NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass); //自己的函数


VOID HookAPI();
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject);
VOID UnHook();
VOID UnhookSystemCall();

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{

DriverObject->DriverUnload = DriverUnload;
ServiceTable = KeServiceDescriptorTable;
HookAPI();
return STATUS_SUCCESS;
}

VOID HookAPI()
{
RealZwSetInformationFile = SYSCALL(ZwSetInformationFile);
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
SYSCALL(ZwSetInformationFile) = (PVOID)HookZwSetInformationFile;
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
return;
}


NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass)
{
PFILE_OBJECT pFileObject;
NTSTATUS nRet= ObReferenceObjectByHandle(FileHandle, GENERIC_READ,
*IoFileObjectType, KernelMode, (PVOID*)&pFileObject, 0);

if(NT_SUCCESS(nRet))
{
UNICODE_STRING uDosName;
nRet = IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uDosName);
if (NT_SUCCESS(nRet))
{
if (!_wcsicmp(pFileObject->FileName.Buffer, L"\\工作\\HOOK\\objchk_wxp_x86\\i386\\test.txt") &&
!_wcsicmp(uDosName.Buffer, L"D:"))
{
ExFreePool(uDosName.Buffer);
return STATUS_ACCESS_DENIED;
}
ExFreePool(uDosName.Buffer);
}
}
return RealZwSetInformationFile(FileHandle, IoStatusBlock, FileInformation,
Length, FileInformationClass);
}

VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
UnHook();
}

VOID UnHook()
{
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
UnhookSystemCall();
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}

VOID UnhookSystemCall()
{
SYSCALL(ZwSetInformationFile) = (PVOID)RealZwSetInformationFile;

return;
}
今天广告
参与评论:
注意事项:
【驱动防杀防删代码】文章由骇客基地网上搜集,其立场行为并不代表本站。
如果您发现该文章若无意中侵犯到您的权利,请联系我们!
未经本站明确许可,任何网站不得非法盗链及抄袭本站资源;如引用页面,请注明来自本站,谢谢您的支持!
最近更新
最新推荐
     
 
黑客首页 | 服务指南 | 软件发布  | 关于我们 | 本站声明  | 隐私声明 | 诚征英才 | 网站地图 | 友情链接 |
 
 
中国·黑客·骇客·基地 请使用IE6.0版本, 分辩率1024×768进行浏览 www.hookbase.com 站长:利客 Email:hookbase@163.com
Copyright © 2004-2009 All Rights Reserved. 粤ICP备05000985号