监视Win2k文件系统驱动程序的监视程序
2008-04-09 04:00:02来源:互联网 阅读 ()
Author: whg
Email: whg@whitecell.org
Homepage:http://www.whitecell.org
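; Win2k file-system monitor. For every logical drive letter A:..Z: it finds the
; file-system driver behind the volume, replaces that driver's
; MajorFunction[IRP_MJ_CREATE] with HookCreate, and logs the driver name and
; drive letter of each create/open request through DbgPrint.
; Syntax: MASM (Intel operand order), target: 32-bit x86 kernel mode,
; ABI: STDCALL (decorated names _Name@N). Kernel structure definitions and the
; OFF macro (presumably `offset`) come from IFSDDK.inc, which is not shown here.
include IFSDDK.inc
locals
.586p
.model flat,STDCALL

.data
; Per-drive-letter tables, index 0..25 (0 = 'A:'). HookFileSystem fills them,
; Unload and HookCreate read them back.
gDriverObject   dd 26 dup(0)            ; DRIVER_OBJECT* that owns the volume's device object
gDeviceObject   dd 26 dup(0)            ; DEVICE_OBJECT* returned by IoGetRelatedDeviceObject
gCreate         dd 26 dup(0)            ; original IRP_MJ_CREATE handler; 0 = slot not hooked by us
; OBJECT_ATTRIBUTES template; GetDeviceObject stores the name pointer into
; oaObjectName at runtime.
; NOTE(review): in the DDK's OBJECT_ATTRIBUTES, ObjectName precedes Attributes,
; so confirm that OBJ_CASE_INSENSITIVE really lands in the Attributes field of
; IFSDDK.inc's OBJECT_ATTRIB layout and is not overwritten by oaObjectName.
gObjectAttrib   OBJECT_ATTRIB < size OBJECT_ATTRIB,0,OBJ_CASE_INSENSITIVE,0,0,0>
; Wide, NUL-terminated "\DosDevices\X:\". The backslashes had been lost in the
; published listing; they are restored here because GetDeviceObject patches the
; drive letter at word index 12, which is the 'X' only with three separators.
gDiskSymbolLink dw '\','D','o','s','D','e','v','i','c','e','s','\','X',':','\',0,0
; DbgPrint format strings. Msg00 ends in a space and has no newline on purpose:
; Msg00 + Msg01 (+ presumably Msg02 with the path) form one log line.
Msg00           db 'Driver: %s ',0
Msg01           db 'Access File: %c:',0
Msg02           DB '%s',0ah,0,0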
.code
extrn _RtlInitUnicodeString@8: proc
extrn _DbgPrint: proc
extrn _ZwCreateFile@44: proc
extrn _ZwClose@4: proc
extrn _ObReferenceObjectByHandle@24: proc
extrn _ObDereferenceObject@4: proc
extrn _IoGetRelatedDeviceObject@4: proc
extrn _RtlUnicodeStringToAnsiString@12: proc
extrn _RtlFreeAnsiString@4: proc
public _DriverEntry@8
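;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
; ABI:   STDCALL (exported as _DriverEntry@8)
; In:    pDriverObject = this driver's DRIVER_OBJECT; pRegPath is unused
; Out:   eax = STATUS_SUCCESS (0), unconditionally
; Side:  registers Unload as DriverUnload, then hooks IRP_MJ_CREATE on every
;        drive-letter file system HookFileSystem can open.
; Note:  HookFileSystem's outcome is not checked; the driver stays loaded
;        even when nothing was hooked. The unused locals DeviceName and
;        SymbolLink of the original were dropped.
;-----------------------------------------------------------------------
_DriverEntry@8 proc uses ebx esi edi,pDriverObject:dword,pRegPath:dword
        mov     ebx,pDriverObject
        mov     [ebx.doDriverUnload],OFF Unload   ; the OS calls Unload to remove the hooks
        call    HookFileSystem
        xor     eax,eax                           ; STATUS_SUCCESS
        ret
_DriverEntry@8 endp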
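;-----------------------------------------------------------------------
; VOID Unload(PDRIVER_OBJECT pDriverObject)
; ABI:   STDCALL (DriverUnload callback)
; Purpose: undo HookFileSystem — for each drive slot we hooked, write the
;          saved original IRP_MJ_CREATE handler back into its driver object.
; In:    pDriverObject (unused); gDriverObject[] and gCreate[] from .data
; Out:   nothing
; Regs:  edi = &gDriverObject, edx = slot index 0..25, ecx = slots left,
;        ebx = DRIVER_OBJECT* of the slot, eax = saved handler
; NOTE(review): nothing synchronises this with a HookCreate invocation that
;        may be running on another CPU, and a slot is restored blindly even
;        if some later driver has since replaced our hook with its own —
;        confirm that is acceptable for the intended use.
; The '+' operators in the addressing modes were missing from the published
; listing; the unused local SymbolLink was dropped.
;-----------------------------------------------------------------------
Unload proc uses ebx esi edi,pDriverObject:dword
        mov     edi,OFF gDriverObject
        mov     ecx,26
        xor     edx,edx
@@RepRestore:
        mov     ebx,[edi+edx*4]                   ; ebx = gDriverObject[edx]
        test    ebx,ebx
        jz      short @@RestoreNext               ; no file system recorded for this letter
        mov     eax,[edx*4+OFF gCreate]           ; eax = gCreate[edx]
        test    eax,eax
        jz      short @@RestoreNext               ; 0 = this slot was never hooked by us
        mov     [ebx.doMajorFunction+IRP_MJ_CREATE*4],eax
@@RestoreNext:
        inc     edx
        dec     ecx                               ; same control flow as the legacy `loop`
        jnz     short @@RepRestore
        ret
Unload endp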
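;-----------------------------------------------------------------------
; HookFileSystem — hook IRP_MJ_CREATE on the file-system driver behind each
;                  logical drive letter A:..Z:
; ABI:   internal, no arguments
; Out:   eax = number of slots newly hooked (0..26). The current caller
;        (DriverEntry) ignores eax; the original returned nothing defined.
; Side:  fills gDeviceObject[i], gDriverObject[i] and gCreate[i] for every
;        letter whose volume could be opened, and replaces that driver's
;        MajorFunction[IRP_MJ_CREATE] with HookCreate.
; Regs:  edi = drive index 0..25, esi = loop counter kept across the call
;        (GetDeviceObject does not preserve ecx), ebx = DRIVER_OBJECT*,
;        eax = scratch
; Note:  several letters usually share one driver (all volumes of the same
;        file system). When the entry already points at HookCreate the slot
;        still records gDeviceObject/gDriverObject but gCreate stays 0; that
;        0 is what Unload uses to restore each driver exactly once.
; The '+' operators in the addressing modes were missing from the published
; listing.
;-----------------------------------------------------------------------
HookFileSystem proc uses ebx esi edi
        local   Hooked: dword
        mov     Hooked,0
        mov     ecx,26
        xor     edi,edi
@@RepHookXXX:
        mov     esi,ecx                           ; preserve the counter across the call
        mov     edx,edi                           ; edx = drive index, input of GetDeviceObject
        call    GetDeviceObject
        mov     ecx,esi
        test    eax,eax
        jz      short @@NoFindDriver              ; letter absent or open failed
        mov     [edi*4+OFF gDeviceObject],eax     ; DEVICE_OBJECT*, used by HookCreate to map back to a letter
        mov     ebx,[eax.doDriverObject]
        mov     [edi*4+OFF gDriverObject],ebx     ; DRIVER_OBJECT*, used by Unload
        mov     eax,[ebx.doMajorFunction+IRP_MJ_CREATE*4]
        cmp     eax,OFF HookCreate
        jz      short @@NoFindDriver              ; already hooked through another letter
        mov     [edi*4+OFF gCreate],eax           ; original handler: chained by HookCreate, restored by Unload
        mov     [ebx.doMajorFunction+IRP_MJ_CREATE*4],OFF HookCreate
        inc     Hooked
@@NoFindDriver:
        inc     edi
        dec     ecx                               ; same control flow as the legacy `loop`
        jnz     short @@RepHookXXX
        mov     eax,Hooked
        ret
HookFileSystem endp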
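;-----------------------------------------------------------------------
; GetDeviceObject — find the device object that serves logical drive edx
; ABI:   internal, register argument
; In:    edx = drive index 0..25 (0 = 'A'); only dl is used to patch the
;        name, so callers must keep it within 0..25
; Out:   eax = DEVICE_OBJECT* from IoGetRelatedDeviceObject, or 0 when the
;        volume could not be opened or the handle could not be referenced
; Clobb: eax, ecx, edx, flags (ebx/esi/edi restored by `uses`)
; Side:  rewrites the letter inside the static gDiskSymbolLink buffer and
;        gObjectAttrib.oaObjectName, so this is not reentrant. The handle and
;        the object reference taken here are both released before return.
; Regs:  esi = name, then attributes, then &pFileObject; edi = &SymbolLink,
;        then &hFile; ebx = &IoStatus, then the device object
; The '+' operator in `[esi+12*2]` was missing from the published listing;
; the redundant zero test before the final `mov eax,ebx` was removed (a
; zero ebx already yields eax = 0).
;-----------------------------------------------------------------------
GetDeviceObject proc uses ebx esi edi
        local   SymbolLink: UNICODE_STRING
        local   hFile: dword
        local   IoStatus: IO_STATUS_BLOCK
        local   pFileObject: dword
        ; Build "\DosDevices\<letter>:\" by patching word 12 of the template
        lea     esi,gDiskSymbolLink
        add     edx,'A'
        mov     [esi+12*2],dl                     ; low byte of the WCHAR; the high byte stays 0
        lea     edi,SymbolLink
        call    _RtlInitUnicodeString@8,edi,esi
        lea     esi,gObjectAttrib
        mov     [esi.oaObjectName],edi
        ; Open the volume root as a directory, synchronous I/O
        lea     edi,hFile
        lea     ebx,IoStatus
        call    _ZwCreateFile@44,edi,SYNCHRONIZE or FILE_ANY_ACCESS,esi,ebx,0,0,FILE_SHARE_READ or FILE_SHARE_WRITE,FILE_OPEN,FILE_SYNCHRONOUS_IO_NONALERT or FILE_DIRECTORY_FILE,0,0
        test    eax,eax
        jnl     short @@OpenFileOk                ; NT_SUCCESS: status >= 0
        xor     eax,eax
        jmp     short @@Exit
@@OpenFileOk:
        ; handle -> FILE_OBJECT*; AccessMode 0 = KernelMode, ObjectType unchecked
        lea     esi,pFileObject
        call    _ObReferenceObjectByHandle@24,dword ptr[edi],FILE_READ_DATA,0,0,esi,0
        test    eax,eax
        jnl     short @@ReferenceObjectOk
        call    _ZwClose@4,dword ptr[edi]         ; do not leak the handle on failure
        xor     eax,eax
        jmp     short @@Exit
@@ReferenceObjectOk:
        ; FILE_OBJECT* -> the device object the I/O manager associates with it
        call    _IoGetRelatedDeviceObject@4,dword ptr [esi]
        mov     ebx,eax                           ; keep the result across the two release calls
        call    _ObDereferenceObject@4,dword ptr[esi]
        call    _ZwClose@4,dword ptr[edi]
        mov     eax,ebx                           ; 0 if IoGetRelatedDeviceObject returned 0
@@Exit:
        ret
GetDeviceObject endp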
;MJ_IRP_CREATE挂接例程的处理
HookCreate proc uses ebx esi edi,pDeviceObject:dword,pIrp:dword
local DriverName: ANSI_STRING
local FileName: ANSI_STRING
local RegEsp: dword
mov esi,pDeviceObject
mov esi,[esi.doDriverObject]
lea esi,[esi.doDriverName]
lea edi,DriverName
call _RtlUnicodeStringToAnsiString@12,edi,esi,TRUE
mov edx,[edi.asBuffer]
mov RegEsp,esp
call _DbgPrint,OFF Msg00,edx
mov esp,RegEsp
call _RtlFreeAnsiString@4,edi
call FindObject,pDeviceObject,OFF gDeviceObject
or eax,eax
jz short @@NoIsLogDisk
add edx,'A'
jmp short @@IsLogDisk
@@NoIsLogDisk:
mov edx,'?'
@@IsLogDisk:
mov RegEsp,esp
call _DbgPrint,OFF Msg01,edx
mov esp,RegEsp
mov esi,pIrp
;得到当前IRP栈位置IoGetCurrentIrpStackLocation()
mov esi,[esi 60h]
mov esi,[esi.ioslFileObject]
lea esi,[esi.foFileName]
or esi,esi
jz short @@ExitDbg
lea edi,FileName
call _RtlUnicodeStringToAnsiString@12,edi,esi,TRUE