


    驱动防杀防删代码

    作者:未知    文章来源:本站原创    点击数:    更新时间:2008-9-10

    #include <ntddk.h>
    #include <stdio.h>

    /* Layout used to reach the system service dispatch table (SSDT). The field
       names are the author's; the kernel's own KSERVICE_TABLE_DESCRIPTOR is
       (ServiceTableBase, ServiceCounterTableBase, NumberOfServices, ParamTableBase).
       Only the first member, the array of service routine pointers, is used in this
       file; verify the remaining fields against the target kernel build before
       relying on them. */
    typedef struct _SRVTABLE {
    PVOID *ServiceTable; /* one routine pointer per system service index */
    ULONG LowCall;
    ULONG HiCall;
    PVOID *ArgTable;
    } SRVTABLE, *PSRVTABLE;

    /* KeServiceDescriptorTable is exported only by the 32-bit ntoskrnl; the build
       referenced below (objchk_wxp_x86) is x86-only. 64-bit kernels neither export
       it nor allow the SSDT to be modified (Kernel Patch Protection). */
    extern PSRVTABLE KeServiceDescriptorTable;

    // SSDT slot of the original function. Indexes the dispatch table with the
    // 32-bit immediate at byte offset 1 of the exported Zw* stub, i.e. the operand
    // of the `mov eax, <service index>` that every x86 Zw stub begins with.
    // Used both to read the original pointer and to overwrite the slot.
    #define SYSCALL(_function) ServiceTable->ServiceTable[*(PULONG)((PUCHAR)_function+1)]

    PSRVTABLE ServiceTable; /* copy of KeServiceDescriptorTable, assigned in DriverEntry */

    /* Original ZwSetInformationFile entry saved by HookAPI(); the hook forwards to
       it and UnhookSystemCall() writes it back into the slot. */
    NTSTATUS
    (*RealZwSetInformationFile)(IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass); // original function

    /* Replacement entry that HookAPI() installs in the SSDT slot. */
    NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass); // our own function


    VOID HookAPI();
    VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject);
    VOID UnHook();
    VOID UnhookSystemCall();

    /* Driver entry point. Registers the unload routine, caches the kernel's service
       descriptor table pointer (HookAPI's SYSCALL macro depends on ServiceTable being
       set first) and installs the hook. RegistryPath is unused. Always returns
       STATUS_SUCCESS; a NULL KeServiceDescriptorTable is not checked. */
    NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
    {

    DriverObject->DriverUnload = DriverUnload;
    ServiceTable = KeServiceDescriptorTable;
    HookAPI();
    return STATUS_SUCCESS;
    }

    /* Install the hook: save the current SSDT entry for ZwSetInformationFile and
       replace it with HookZwSetInformationFile. The SSDT lives on a read-only page,
       so CR0.WP (bit 16, 0x10000) is cleared around the write and restored after it.
       The inline __asm is x86/MSVC-only. cli/sti mask interrupts on the current
       processor only: on a multiprocessor system other processors keep dispatching
       through the table while it is modified, and while WP is clear any stray kernel
       write on this CPU reaches read-only pages unchecked, so the window must stay as
       short as it is here. Patching the SSDT is not a supported interface; a
       file-system minifilter is the supported way to intercept file operations. */
    VOID HookAPI()
    {
    RealZwSetInformationFile = SYSCALL(ZwSetInformationFile);
    /* mask interrupts on this CPU, then clear CR0.WP so the read-only page is writable */
    __asm
    {
    cli
    mov eax,cr0
    and eax,not 10000h
    mov cr0,eax
    }
    SYSCALL(ZwSetInformationFile) = (PVOID)HookZwSetInformationFile;
    /* restore CR0.WP and re-enable interrupts */
    __asm
    {
    mov eax,cr0
    or eax,10000h
    mov cr0,eax
    sti
    }
    return;
    }


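    /* SSDT-level replacement for ZwSetInformationFile.
       Resolves FileHandle to its FILE_OBJECT; when the object's name and its volume's
       DOS name both match the one hard-coded path, the call is failed with
       STATUS_ACCESS_DENIED regardless of FileInformationClass (so disposition/rename
       changes on that file are refused). Every other call, and any failure to resolve
       the handle or the volume name, is forwarded to the saved original.
       Fixes over the earlier version: the reference taken by ObReferenceObjectByHandle
       is now released on every path (it previously leaked one reference per call), and
       the names are compared as counted UNICODE_STRINGs — FileName.Buffer is not
       guaranteed to be NUL-terminated, so _wcsicmp() could read past it.
       Notes: KernelMode as the access mode skips the caller's handle access check;
       IoStatusBlock is deliberately left untouched on the denied path because it may
       be a user-mode pointer that has not been probed. */
    NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass)
    {
    PFILE_OBJECT pFileObject = NULL;
    BOOLEAN bDeny = FALSE;
    NTSTATUS nRet = ObReferenceObjectByHandle(FileHandle, GENERIC_READ,
    *IoFileObjectType, KernelMode, (PVOID*)&pFileObject, NULL);

    if (NT_SUCCESS(nRet))
    {
        /* pFileObject now carries a reference we own; every path below releases it. */
        UNICODE_STRING uDosName;
        nRet = IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uDosName);
        if (NT_SUCCESS(nRet))
        {
            UNICODE_STRING uProtectedPath;
            UNICODE_STRING uProtectedDrive;
            RtlInitUnicodeString(&uProtectedPath, L"\\工作\\HOOK\\objchk_wxp_x86\\i386\\test.txt");
            RtlInitUnicodeString(&uProtectedDrive, L"D:");
            /* Length-bounded, case-insensitive (TRUE) comparison of both names. */
            bDeny = RtlEqualUnicodeString(&pFileObject->FileName, &uProtectedPath, TRUE) &&
                    RtlEqualUnicodeString(&uDosName, &uProtectedDrive, TRUE);
            /* IoVolumeDeviceToDosName allocates the buffer; the caller frees it. */
            ExFreePool(uDosName.Buffer);
        }
        ObDereferenceObject(pFileObject);
    }

    if (bDeny)
    {
        return STATUS_ACCESS_DENIED;
    }
    return RealZwSetInformationFile(FileHandle, IoStatusBlock, FileInformation,
    Length, FileInformationClass);
    }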

    /* Unload routine: restores the original SSDT entry via UnHook(). Nothing here
       waits for calls that are already executing inside HookZwSetInformationFile,
       so a call in flight while the driver image is released would return into
       unmapped code; the driver has no reference counting or wait to guard against
       that. pDriverObject is unused. */
    VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
    {
    UnHook();
    }

    /* Remove the hook. Mirrors HookAPI(): clears CR0.WP (bit 16, 0x10000) so the
       read-only SSDT page can be written, calls UnhookSystemCall() to put the saved
       pointer back, then restores WP. The same caveats apply: cli/sti affect only
       the current processor, the slot write is not synchronised with other CPUs,
       and the __asm blocks are x86/MSVC-only. */
    VOID UnHook()
    {
    /* mask interrupts on this CPU and clear CR0.WP */
    __asm
    {
    cli
    mov eax,cr0
    and eax,not 10000h
    mov cr0,eax
    }
    UnhookSystemCall();
    /* restore CR0.WP and re-enable interrupts */
    __asm
    {
    mov eax,cr0
    or eax,10000h
    mov cr0,eax
    sti
    }
    }

    /* Write the saved original pointer back into the ZwSetInformationFile SSDT slot.
       Must run with CR0.WP cleared (UnHook() arranges that). If HookAPI() never ran,
       RealZwSetInformationFile is still NULL and this would store NULL in the slot;
       DriverEntry always calls HookAPI() first, so that path is not reached here. */
    VOID UnhookSystemCall()
    {
    SYSCALL(ZwSetInformationFile) = (PVOID)RealZwSetInformationFile;

    return;
    }