• 360比赛第5题-我的解法

这题得了100分哦。

驱动加载后,直接对对IoCreateFile函数进行PATCH,

PATCH前函数为:

引用:
 8056ba8c ff7508          push    dword ptr [ebp+8]
8056ba8f e882f2ffff        call    nt!IopCreateFile (8056ad16)
8056ba94 3bc6            cmp     eax,esi
8056ba96 7d15            jge     nt!IoCreateFile+0xa7 (8056baad)
8056ba98 f6c301          test    bl,1
8056ba9b 0f8574ffffff      jne     nt!IoCreateFile+0xf (8056ba15)
PATCH后函数为:
引用:
 8056ba8c ff7508          push    dword ptr [ebp+8]
8056ba8f e8421a7b78      call    fileprot+0x4d6 (f8d1d4d6)
8056ba94 3bc6            cmp     eax,esi
8056ba96 7d15            jge     nt!IoCreateFile+0xa7 (8056baad)
8056ba98 f6c301          test    bl,1
8056ba9b 0f8574ffffff    jne     nt!IoCreateFile+0xf (8056ba15)
之后所有调用IoCreateFile函数的都要经fileprot进行过滤;
代码:
00010522    call    dword_10804    //  先调用原来的nt!IopCreateFile                                           
00010528    mov     [ebp+var_210], eax                                                 
0001052E    mov     eax, [ebp+var_210]                                                 
00010534    test    eax, eax                                                           
00010536    jl      short loc_105AD                                                    
00010538    mov     edx, [esi+8]                                                       
0001053B    cmp     word ptr [edx], 206h                                               
00010540    ja      short loc_105AD                                                    
00010542    cmp     dword ptr [edx+4], 0                                               
00010546    jz      short loc_105AD                                                    
00010548    cmp     word ptr [edx], 0                                                  
0001054C    jz      short loc_105AD                                                    
0001054E    mov     eax, edx                                                           
00010550    movzx   ecx, word ptr [eax]                                                
00010553    mov     esi, [eax+4]                                                       
00010556    mov     eax, ecx                                                           
00010558    shr     ecx, 2                                                             
0001055B    lea     edi, [ebp+var_20C]                                                 
00010561    rep movsd                                                                  
00010563    mov     ecx, eax                                                           
00010565    and     ecx, 3                                                             
00010568    rep movsb                                                                  
0001056A    movzx   eax, word ptr [edx]                                                
0001056D    and     [ebp+eax+var_20C], 0                                               
00010576    lea     eax, [ebp+var_20C]                                                 
0001057C    push    eax             ; wchar_t *                                        
0001057D    call    ds:_wcsupr                                                         
00010583    lea     eax, [ebp+var_20C]                                                 
00010589    mov     [esp+220h+var_220], offset a360game360game ;
 "360GAME\\360GAME.TXT"
00010590    push    eax             ; wchar_t *                                        
00010591    call    ds:wcsstr                                                          
00010597    test    eax, eax                                                           
00010599    pop     ecx                                                                
0001059A    pop     ecx                                                                
0001059B    jz      short loc_105A7                                                    
0001059D    and     dword ptr [ebx], 0                                                 
000105A0    mov     eax, 0C0000022h  
   

   当发现文件名路径中含有"360GAME\\360GAME.TXT",直接返回0C0000022h,即 拒绝访问,导致访问失败。
  实际上,该驱动不仅保护c:\360game\360game.Txt不被打开,所有文件名路径中含有"360GAME\\360GAME.TXT"都将被保护,如d:\360game\360game.Txt等等。
  要突破其保护,只要文件名路径中不含有"360GAME\\360GAME.TXT"即可,方法是设置当前路径到c:\360game,然后直接对360game.Txt进行写就可以了。
  另外,如果驱动其作用后,试图在通过双击直接打开c:\360game\360game.Txt的动作会导致explorer.exe占用c:\360game\360game.Txt的文件句柄,因此,在对c:\360game\360game.Txt进行写操作之前,先应该释放所有可能占用的文件句柄。在本程序中,是通过CloseFileHandle()来实现的,详细实现参见附件。
  程序运行后,写入的内容为:
“360game by windsun,and the tickCount is %d”
其中%d为GetTickCount()的返回值。
上传的附件 AntiFile_by_windsun.rar