看了大米牛的一篇调试文章,才有了这篇。本来想直接 hook NtfsCreateFcb,不过偷了下懒:下面的代码只通过 inline hook ExAllocatePoolWithTag 来定位 NtfsCreateFcb 的地址,fake_NtfsCreateFcb 并没有真正挂上去。
参考资料:
achillis牛的文章:
http://hi.baidu.com/_achillis/blog/item/629923fbef65cc19a9d311c7.html
大米牛的文章:
http://bbs.pediy.com/showthread.php?t=87741&prefixid=phpforce_38
不过他好像没放出code,所以意淫了下,失误之处请指正。
代码:
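#include "ntifs.h"

/*
 * Locate NtfsCreateFcb by temporarily inline-hooking ExAllocatePoolWithTag.
 *
 * Flow: DriverEntry overwrites the first 5 bytes of ExAllocatePoolWithTag with a
 * jmp to T_ExAllocatePoolWithTag. When an allocation of 0x20 bytes with tag 'NtFs'
 * comes through (assumed to be the FCB allocation made from NtfsCreateFcb), the
 * trampoline walks one frame up and hands the return address into NtfsCreateFcb's
 * caller to init_hook, which decodes the preceding "call rel32" to get
 * NtfsCreateFcb's address and then removes the ExAllocatePoolWithTag hook.
 *
 * fake_NtfsCreateFcb is only a stub; nothing in this file installs it.
 */

/* Original first 5 bytes of ExAllocatePoolWithTag; written back on unhook. */
unsigned char OrigCode[5];
/* Address of NtfsCreateFcb once recovered, 0 until the hook fires. */
ULONG OrigNtfsCreateFcb = 0;
/* Non-zero while ExAllocatePoolWithTag still begins with our jmp. */
static ULONG HookInstalled = 0;

/* Clear CR0.WP so the kernel text can be patched.
 * NOTE: cli/cr0 only affect the current processor; another CPU can still be
 * executing ExAllocatePoolWithTag while the 5 bytes are rewritten below. */
VOID wpoff()
{
    __asm {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
}

/* Re-enable write protection. The unconditional sti assumes interrupts were
 * enabled when wpoff() was entered -- only call the pair from that state. */
VOID wpon()
{
    __asm {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
}

/* Placeholder replacement for NtfsCreateFcb. Never installed by this file. */
NTSTATUS fake_NtfsCreateFcb()
{
    return STATUS_SUCCESS; /* would otherwise forward to OrigNtfsCreateFcb */
}

/* Put ExAllocatePoolWithTag's original prologue back, exactly once. */
static VOID restore_ExAllocatePoolWithTag(VOID)
{
    if (!HookInstalled) {
        return;
    }
    wpoff();
    RtlCopyMemory(ExAllocatePoolWithTag, OrigCode, 5);
    wpon();
    HookInstalled = 0;
}

/*
 * Called from the trampoline with `ret` = the return address into NtfsCreateFcb's
 * caller, i.e. the address just past "call NtfsCreateFcb".
 *
 * Assumes the caller reached NtfsCreateFcb through a direct E8 rel32 call; the
 * opcode is checked so an indirect call or a frame-pointer-less caller does not
 * produce a bogus address. Either way the ExAllocatePoolWithTag hook is removed
 * afterwards, so this runs at most once.
 */
VOID init_hook(ULONG ret)
{
    unsigned char opcode = *(unsigned char *)(ret - 5);

    if (opcode == 0xE8) {
        /* call target = address of next instruction + signed rel32 */
        OrigNtfsCreateFcb = ret + *(PLONG)(ret - 4);
        DbgPrint("NtfsCreateFcb = 0x%08x.\n", OrigNtfsCreateFcb);
    } else {
        DbgPrint("init_hook: no direct call at 0x%08x (opcode 0x%02x), not resolving.\n",
                 ret - 5, opcode);
    }

    restore_ExAllocatePoolWithTag();
}

/*
 * Trampoline that the jmp in ExAllocatePoolWithTag lands on.
 *
 * Replays the 5 overwritten prologue bytes, checks NumberOfBytes == 0x20 and
 * Tag == 'NtFs', and on a match walks the ebp chain one frame up to find the
 * return address in NtfsCreateFcb's caller. Both frames are assumed to be
 * ebp-based (the saved ebp is only checked for NULL). ebx is callee-saved and
 * is preserved here; esp is reset to ebp after the call so the stack matches the
 * original prologue regardless of init_hook's calling convention.
 */
_declspec(naked) PVOID T_ExAllocatePoolWithTag(
    IN POOL_TYPE PoolType,
    IN SIZE_T NumberOfBytes,
    IN ULONG Tag
    )
{
    __asm {
        mov edi, edi                ; replay the hot-patch prologue we overwrote
        push ebp
        mov ebp, esp
        push ebx                    ; ebx must survive this function
        mov eax, [ebp+0xc]          ; NumberOfBytes
        cmp eax, 20h
        jnz done
        mov eax, [ebp+0x10]         ; Tag
        cmp eax, 7346744Eh          ; 'NtFs'
        jnz done
        mov ebx, [ebp]              ; saved ebp of our caller (NtfsCreateFcb)
        test ebx, ebx
        jz done
        mov eax, [ebx+4]            ; return address into NtfsCreateFcb's caller
        push eax
        call init_hook
    done:
        mov ebx, [ebp-4]            ; restore ebx
        mov esp, ebp                ; drop push ebx and any leftover argument
        mov eax, ExAllocatePoolWithTag
        add eax, 5                  ; continue after the bytes we replayed
        jmp eax
    }
}

/*
 * Overwrite the first 5 bytes of ExAllocatePoolWithTag with "jmp T_ExAllocatePoolWithTag".
 * The write is not atomic and wpoff() only masks interrupts on this CPU, so on an
 * SMP system another processor can observe a half-written instruction.
 */
VOID inline_ExAllocatePoolWithTag()
{
    unsigned char JmpCode[5] = { 0xe9 };
    ULONG Jmpoffset = (ULONG)((char *)T_ExAllocatePoolWithTag - (char *)ExAllocatePoolWithTag - 5);

    RtlCopyMemory(JmpCode + 1, &Jmpoffset, 4);

    wpoff();
    RtlCopyMemory(OrigCode, ExAllocatePoolWithTag, 5);
    RtlCopyMemory(ExAllocatePoolWithTag, JmpCode, 5);
    wpon();
    HookInstalled = 1;
}

/*
 * If the 'NtFs' allocation never happened, ExAllocatePoolWithTag still jumps into
 * this image; unloading without restoring it leaves a dangling jmp into freed
 * driver memory. A thread already inside the trampoline at unload time is still
 * a hazard that this does not address.
 */
VOID Unload(PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;
    restore_ExAllocatePoolWithTag();
}

/* Driver entry: register Unload and install the ExAllocatePoolWithTag hook. */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;
    DriverObject->DriverUnload = Unload;
    inline_ExAllocatePoolWithTag();
    return STATUS_SUCCESS;
}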