Hook SSDT
#include "ntddk.h"
#define NT_DEVICE_NAME L"//Device//ProtectProcess"#define DOS_DEVICE_NAME L"//DosDevices//ProtectProcess"#define IOCTL_PROTECT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);void OnUnload(IN PDRIVER_OBJECT DriverObject);#pragma pack(1)
typedef struct ServiceDescriptorEntry{
unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char *ParamTableBase;
} SSDT_Entry,*pSSDT_Entry;#pragma pack()__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;#define SYSTEMSERVICE(_func) / KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_func+1)]NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);ZWOPENPROCESS OldZwOpenProcess;long pid = 0;NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL){ NTSTATUS nStatus = STATUS_SUCCESS; if((long)ClientId->UniqueProcess == pid)
{ DbgPrint("保护进程 PID:%d/n",pid); return STATUS_ACCESS_DENIED;
} nStatus = OldZwOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId); return nStatus;}void OnUnload(IN PDRIVER_OBJECT DriverObject){ UNICODE_STRING DeviceLinkString; PDEVICE_OBJECT DeviceObjectTemp1 = NULL; PDEVICE_OBJECT DeviceObjectTemp2 = NULL; DbgPrint("驱动程序卸载
/n"); RtlInitUnicodeString(&DeviceLinkString,DOS_DEVICE_NAME); IoDeleteSymbolicLink(&DeviceLinkString); if(DriverObject) { DeviceObjectTemp1 = DriverObject->DeviceObject; while(DeviceObjectTemp1) { DeviceObjectTemp2 = DeviceObjectTemp1; DeviceObjectTemp1 = DeviceObjectTemp1->NextDevice; IoDeleteDevice(DeviceObjectTemp2); } } DbgPrint("设备已卸载/n"); DbgPrint("修复SSDT/n"); (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess)) = OldZwOpenProcess; DbgPrint("驱动卸载完毕/n");}NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){ NTSTATUS nStatus = STATUS_SUCCESS; ULONG IoControlCode = 0; PIO_STACK_LOCATION IrpStack = NULL; long* inBuf = NULL; char* outBuf = NULL; ULONG inSize = 0; ULONG outSize = 0; PCHAR buffer = NULL; PMDL mdl = NULL; Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IrpStack = IoGetCurrentIrpStackLocation(Irp); switch(IrpStack->MajorFunction) { case IRP_MJ_CREATE: DbgPrint("IRP_MJ_CREATE 被调用/n"); break; case IRP_MJ_CLOSE: DbgPrint("IRP_MJ_CLOSE 被调用/n"); break; case IRP_MJ_DEVICE_CONTROL: DbgPrint("IRP_MJ_DEVICE_CONTROL 被调用/n"); IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode; switch(IoControlCode) { case IOCTL_PROTECT_CONTROL: inSize = IrpStack->Parameters.DeviceIoControl.InputBufferLength; outSize = IrpStack->Parameters.DeviceIoControl.OutputBufferLength; inBuf = (long*)Irp->AssociatedIrp.SystemBuffer; pid = *inBuf; DbgPrint("=========================================/n"); DbgPrint("IOCTRL_PROTECT_CONTROL 被调用,通讯成功!/n"); DbgPrint("输入缓冲区大小:%d/n",inSize); DbgPrint("输出缓冲区大小:%d/n",outSize); DbgPrint("输入缓冲区内容:%ld/n",*inBuf); DbgPrint("当前保护进程ID:%ld/n",pid); DbgPrint("=========================================/n"); strcpy(Irp->UserBuffer,"OK/n"); break; default: break; } break; default: DbgPrint("未知请求包被调用/n"); break; } nStatus = Irp->IoStatus.Status; IoCompleteRequest(Irp,IO_NO_INCREMENT); return nStatus;}NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING theRegistryPath){ NTSTATUS ntStatus = STATUS_SUCCESS; UNICODE_STRING ntDeviceName; UNICODE_STRING DeviceLinkString; PDEVICE_OBJECT deviceObject = NULL; DbgPrint("驱动程序加载/n"); RtlInitUnicodeString(&ntDeviceName,NT_DEVICE_NAME); ntStatus = IoCreateDevice( DriverObject, 0, &ntDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &deviceObject); if(!NT_SUCCESS(ntStatus)) { DbgPrint("无法创建驱动设备"); return ntStatus; } RtlInitUnicodeString(&DeviceLinkString,DOS_DEVICE_NAME); ntStatus = IoCreateSymbolicLink(&DeviceLinkString,&ntDeviceName); if(!NT_SUCCESS(ntStatus)) { DbgPrint("无法创建驱动设备"); return ntStatus; } DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchDeviceControl; DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchDeviceControl; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl; DriverObject->DriverUnload = OnUnload; DbgPrint("驱动程序已经启动/n"); DbgPrint("修改SSDT/n"); OldZwOpenProcess = (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess)); (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess)) = NewZwOpenProcess; DbgPrint("驱动程序加载完毕/n"); return STATUS_SUCCESS;}
typedef 
服务安装程序:
//
ProtectInstaller.cpp : Defines the entry point for the console application.
//
#include
"
stdafx.h
"
#define
BUF_SIZE 4096
int
main(
int
argc,
char
*
argv[])
{ char path[BUF_SIZE]; char base[BUF_SIZE]; char sername[BUF_SIZE]; char disname[BUF_SIZE]; memset(path,0,BUF_SIZE); memset(base,0,BUF_SIZE); memset(sername,0,BUF_SIZE); memset(disname,0,BUF_SIZE); SC_HANDLE rh = NULL; SC_HANDLE sh = NULL; if(argc == 1) { printf("use:install/start/uninstall/n"); exit(0); } ::GetModuleFileName(0,base,BUF_SIZE); int p = strlen(base); while(base[p] != '//'){ p --; } strncpy(path,base,p+1); memset(base,0,BUF_SIZE); sprintf(base,"%sInstall.ini",path); memset(path,0,BUF_SIZE); ::GetPrivateProfileString("Config","Path","",path,BUF_SIZE,base); ::GetPrivateProfileString("Config","ServiceName","",sername,BUF_SIZE,base); ::GetPrivateProfileString("Config","DisplayName","",disname,BUF_SIZE,base); printf("[*]Service Name:%s/n",sername); printf("[*]Display Name:%s/n",disname); printf("[*]Driver Path:%s/n",path); sh = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS); if(!sh){ printf("[-]Error OpenSCManager./n"); exit(0); } if(argc == 2 && !strcmp(argv[1],"install")) { if(!strcmp(path,"")) { printf("[-]error read Install.ini/n"); exit(0); } rh = CreateService(sh, sername, disname, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, path, NULL,NULL,NULL,NULL,NULL); if(!rh) { printf("[-]error CreateService./n"); exit(0); } printf("[-]Install Service Complete/n"); } else if(argc == 2 && !strcmp(argv[1],"start")) { rh = OpenService(sh,sername,SERVICE_ALL_ACCESS); if(!rh) { printf("[-]error OpenService./n"); exit(0); } StartService(rh,NULL,NULL); printf("[-]Start Service Complete/n"); } else if(argc == 2 && !strcmp(argv[1],"uninstall")) { rh = OpenService(sh,sername,SERVICE_ALL_ACCESS); if(!rh) { printf("[-]error OpenService./n"); exit(0); } SERVICE_STATUS ss; ControlService(rh,SERVICE_CONTROL_STOP,&ss); printf("[-]Stop Service Complete/n"); DeleteService(rh); printf("[-]Delete Service Complete/n"); } CloseServiceHandle(rh); CloseServiceHandle(sh); return 1;}
INI文件:
[
Config
]
Path
=
D:/hacker/ddk/Protect/sys/i386/Protect.sysServiceName
=
RootkitDisplayName
=
RootkitKernel
VC05搞了个解决方案
驱动编译通过了,安装程序也通过了,也能启动,
打开DeviceTree看看,搜索 ProtectProcess,找到了:
现在轮到告诉驱动PID的程序:
#include
<
stdio.h
>
#include
<
stdlib.h
>
#include
<
windows.h
>
#include
<
winioctl.h
>
#ifndef _WIN32_WINNT
//
Allow use of features specific to Windows XP or later.
#define
_WIN32_WINNT 0x0501
//
Change this to the appropriate value to target other versions of Windows.
#endif
#undef
UNICODE
#define
IOCTL_HELLO_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)
int
main(
int
argc,
char
*
argv[])
{ long pid = 0; char ret[4096]; DWORD ReBytes = 0; HANDLE hDevice = CreateFile(L"////.//ProtectProcess",GENERIC_READ|GENERIC_WRITE,0,NULL, OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); if(hDevice == INVALID_HANDLE_VALUE) { if(2 == GetLastError()) { printf("驱动程序未注册/n"); } else { printf("CreateFile() GetLastError reports %d /n",GetLastError()); } return FALSE; } memset(ret,0,4096); printf("请输入要保护的进程PID"); scanf("%ld",&pid); DeviceIoControl(hDevice,IOCTL_HELLO_CONTROL, &pid,sizeof(long),ret,4096,&ReBytes,NULL); printf("Return Value:%s/n",ret); CloseHandle(hDevice); return 1;}
开始的时候,在 CreateFile的第一个参数那里犯了一个错误,没有在前面加上“L”,结果一个下午花了3个小时在烦躁,一直提示驱动未安装,现在好了,PASS。
启动记事本,找到pid,运行通信程序,输入pid,打开任务管理器,好了,现在杀不掉notepad.exe了:
