//driver.h
typedef PCHAR PBYTE; // Byte-pointer alias used for raw code addresses below (author's note: "didn't want to replace every occurrence one by one, so...")
typedef NTSTATUS (__fastcall *PIOFCALLDRIVER)(PDEVICE_OBJECT,PIRP); // Signature of IofCallDriver; used both for the saved original and for the replacement routine
/*
 * Per-device extension for this driver's own device object.
 * The hook thunk (MyIofCallDriver) reads nativerIofCallDriver from the
 * DeviceExtension of whatever device object it is called with, so it only
 * works for device objects that carry this layout.
 */
typedef struct _DEVICE_EXTENSION {
    PDEVICE_OBJECT pDevice;              // Device object this extension belongs to
    UNICODE_STRING ustrDeviceName;       // Device name
    UNICODE_STRING ustrSymLinkName;      // Symbolic link name
    PIOFCALLDRIVER nativerIofCallDriver; // Saved address of the system's IofCallDriver (the hook forwards to it)
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
//driver.cpp
#include "Driver.h"
// CR0 value saved by WPOFF() before it clears the write-protect bit; WPON() writes it back.
// NOTE(review): a single plain global shared by every processor. If WPOFF() runs on two
// processors at once, the second save overwrites the first — confirm callers serialize.
ULONG g_uCR0;
KSPIN_LOCK SDTSpinLock; // NOTE(review): not referenced anywhere in the visible part of this file
NTSTATUS FASTCALL MyIofCallDriver(IN PDEVICE_OBJECT,IN OUT PIRP); // Our replacement for IofCallDriver (forwards to the saved original)
PIOFCALLDRIVER HookIofCallDriver(IN PIOFCALLDRIVER,
                                 IN BOOLEAN ); // Hook (TRUE) or unhook (FALSE) IofCallDriver; see the comment above its definition
VOID WPOFF(); // Clear CR0.WP on the current processor and disable interrupts; saves CR0 in g_uCR0
VOID WPON();  // Re-enable interrupts and restore CR0 from g_uCR0
#pragma PAGEDCODE
/*
 * WPOFF - clear the write-protect bit of CR0 (bit 16, masked out below) and
 * disable interrupts, so the caller can write to otherwise read-only kernel
 * pages. The previous CR0 value is stored in g_uCR0 for WPON() to restore.
 *
 * NOTE(review): CR0 and the interrupt flag are per-processor state, while the
 * saved value is one shared global — confirm the hook/unhook callers cannot
 * run concurrently on different processors. The function also sits under
 * #pragma PAGEDCODE; code that executes with interrupts masked must not be
 * pageable, so confirm the intended section placement.
 */
VOID WPOFF()
{
    ULONG uAttr;
    _asm
    {
        push eax;
        mov eax, cr0;
        mov uAttr, eax;       // keep the original CR0 value
        and eax, 0FFFEFFFFh;  // CR0 16 BIT = 0 (clear the write-protect bit)
        mov cr0, eax;
        pop eax;
        cli                   // interrupts stay masked until WPON() executes sti
    };
    g_uCR0=uAttr;             // published for WPON(); see the sharing note above
}
/*
 * WPON - counterpart of WPOFF(): re-enable interrupts and write the CR0 value
 * saved in g_uCR0 back to CR0 on this processor.
 *
 * NOTE(review): sti is executed before CR0 is restored, leaving a short window
 * in which interrupts are enabled while write protection is still off. Moving
 * the sti after `mov cr0, eax` would close that window — confirm whether the
 * current ordering is intentional.
 */
VOID WPON()
{
    _asm
    {
        sti                   // interrupts back on (WPOFF() executed cli)
        push eax;
        mov eax, g_uCR0;      // restore the original CR0 attributes
        mov cr0, eax;
        pop eax;
    };
}
#pragma PAGEDCODE
/*
 * MyIofCallDriver - replacement entry point for IofCallDriver. Emits a debug
 * trace, then forwards the call to the original IofCallDriver whose address
 * was saved in the device extension (nativerIofCallDriver).
 *
 * NOTE(review): the cast assumes pDevObj->DeviceExtension has this driver's
 * DEVICE_EXTENSION layout. A device object owned by another driver carries a
 * different extension, so reading nativerIofCallDriver from it is invalid —
 * confirm that only this driver's device objects can reach this routine.
 * NOTE(review): IofCallDriver is callable at IRQL <= DISPATCH_LEVEL, so this
 * replacement can be entered at DISPATCH_LEVEL, yet it is placed under
 * #pragma PAGEDCODE and calls DbgPrint on every IRP; pageable code at raised
 * IRQL is a bugcheck — confirm the section placement.
 */
NTSTATUS FASTCALL MyIofCallDriver(IN PDEVICE_OBJECT pDevObj,IN OUT PIRP pIrp)
{
    PDEVICE_EXTENSION pExt;
    PIOFCALLDRIVER pOriginal;

    DbgPrint("HDM:This is MyIofCallDriver! You succeed!\n");
    pExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;
    pOriginal = pExt->nativerIofCallDriver; // saved system IofCallDriver
    return pOriginal(pDevObj, pIrp);
}
#pragma PAGEDCODE
//
//当hookOrUnhook为TRUE时,IofCallDriver为我们的替换函数的地址
//当hookOrUnhook为FALSE时,则为系统IofCallDriver的地址
//无论是hook or unhook,当函数成功时,返回系统IofCallDriver的地址,否则返回NULL
PIOFCALLDRIVER HookIofCallDriver(IN PIOFCALLDRIVER IofCallDriver,
IN BOOLEAN hookOrUnhook)
{
DbgPrint("HDM:Enter HookIofCallDriver\n");
UNICODE_STRING functionName;
PBYTE address=NULL; //通过调用MmGetSystemRoutineAddress得到的IofCallDriver的入口地址
PBYTE nativeIofCallDriver=NULL; //IofCallDriver执行体的地址
RtlInitUnicodeString(&functionName,L"IofCallDriver");
//得到IofCallDriver的入口地址
address=(PBYTE)MmGetSystemRoutineAddress(&functionName);
if (address==NULL)
{
return NULL;
}
if (hookOrUnhook)
{