获取ntfs的dispatch
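// Appends Src to the NUL-terminated string in Dst without ever exceeding
// DstSize bytes (terminator included). Returns FALSE, leaving Dst untouched,
// when the result would not fit.
static BOOLEAN AppendBounded(CHAR *Dst, size_t DstSize, const CHAR *Src)
{
    size_t Used = strlen(Dst);
    size_t Need = strlen(Src);

    if (Used >= DstSize || Need >= DstSize - Used)
    {
        return FALSE;   // no room for Src plus the terminating NUL
    }
    memcpy(Dst + Used, Src, Need + 1);
    return TRUE;
}

// Maps a private, on-disk copy of ntfs.sys next to the loaded driver so that
// its pristine dispatch table can be recovered later and compared against
// the live driver object.
//
// Side effects: g_NtfsBase receives the loaded image base (or NULL),
// g_MappedNtfsBase receives the base of the mapped on-disk copy.
// Returns TRUE on success; FALSE when ntfs.sys is not loaded, the system
// root cannot be resolved, the path does not fit the buffer, the ANSI to
// UNICODE conversion fails, or the mapping itself fails.
BOOLEAN MapNtfsDriver(void)
{
    CHAR KernelPath[256] = {0};   // <SystemRoot>\system32\drivers\ntfs.sys
    PVOID KernelBase = NULL;
    UNICODE_STRING ustrKernelPath;
    ANSI_STRING astrKernelPath;

    KernelBase = GetKernelModuleBase("ntfs.sys");
    g_NtfsBase = KernelBase;
    if (!KernelBase)
    {
        return FALSE;
    }

    if (!NT_SUCCESS(GetSystemRoot(KernelPath, sizeof KernelPath)))
    {
        return FALSE;
    }

    // strncat's length argument bounds the characters appended, not the
    // destination buffer, so it cannot protect KernelPath by itself. A
    // truncated path would map the wrong file, so refuse instead of clipping.
    if (!AppendBounded(KernelPath, sizeof KernelPath, "system32\\drivers\\") ||
        !AppendBounded(KernelPath, sizeof KernelPath, "ntfs.sys"))
    {
        return FALSE;
    }

    RtlInitAnsiString(&astrKernelPath, KernelPath);
    if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&ustrKernelPath, &astrKernelPath, TRUE)))
    {
        return FALSE;
    }

    // The UNICODE_STRING is only needed for the duration of the map call.
    g_MappedNtfsBase = MapViewOfImage(ustrKernelPath.Buffer, KernelBase);
    RtlFreeUnicodeString(&ustrKernelPath);

    return g_MappedNtfsBase ? TRUE : FALSE;
}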
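// Recovers a driver's IRP dispatch table by decoding the instructions of its
// entry point and collecting every store into DRIVER_OBJECT.MajorFunction[].
// Run against the clean on-disk mapping of the driver, the result can be
// compared with the live driver object to detect patched dispatch entries.
//
// Assumptions fixed by the encodings matched below: x86 only. The driver
// object is addressed through ESI, pointers and immediates are 32-bit, and
// image addresses are computed in ULONG; 64-bit images will not decode.
//
// ModuleBase          image base of the (mapped) driver.
// DispatchTableBuffer caller-supplied array of at least
//                     IRP_MJ_MAXIMUM_FUNCTION + 1 PVOID slots; only the slots
//                     the entry point writes are filled, the rest are left
//                     untouched.
// Returns TRUE when the entry point was decoded up to its end, FALSE when the
// length decoder gave up part way (the table is then incomplete and must not
// be trusted).
BOOLEAN
GetDispatchTable(
    PVOID ModuleBase,
    PVOID *DispatchTableBuffer
    )
{
    PIMAGE_NT_HEADERS NtHeaders = (PIMAGE_NT_HEADERS)(((PIMAGE_DOS_HEADER)ModuleBase)->e_lfanew + (ULONG)ModuleBase);
    PVOID ModuleGsDriverEntry = (PVOID)(NtHeaders->OptionalHeader.AddressOfEntryPoint + (ULONG)ModuleBase);
    PUCHAR EntryEnd = (PUCHAR)ModuleGsDriverEntry + SizeOfProc(ModuleGsDriverEntry);
    ULONG RegEax = 0;
    BOOLEAN RegEaxKnown = FALSE;   // becomes TRUE once a "mov eax, imm32" was seen
    PUCHAR cPtr;
    ULONG Length;

    for (cPtr = (PUCHAR)ModuleGsDriverEntry; cPtr < EntryEnd; cPtr += Length)
    {
        PUCHAR pOpcode;
        LONG Displacement;        // ESI-relative offset written by the store
        LONG SlotOffset;          // byte offset into MajorFunction[]
        LONG MajorFunctionIndex;
        PVOID MajorFunction;

        Length = SizeOfCode(cPtr, &pOpcode);
        if (!Length)
        {
            DbgPrint(" GetDispatchTable: Unknwon opcode length.\n");
            return FALSE;   // a partially filled table is worse than none
        }

        if (*(PUSHORT)cPtr == 0x46C7)        // C7 46 disp8 imm32 : mov dword ptr [esi+disp8], imm32
        {
            Displacement = (LONG)(signed char)cPtr[2];   // disp8 is sign-extended
            MajorFunction = *(PVOID *)(cPtr + 3);
        }
        else if (*(PUSHORT)cPtr == 0x86C7)   // C7 86 disp32 imm32: mov dword ptr [esi+disp32], imm32
        {
            Displacement = *(PLONG)(cPtr + 2);
            MajorFunction = *(PVOID *)(cPtr + 6);
        }
        else if (cPtr[0] == 0xB8)            // B8 imm32          : mov eax, imm32
        {
            RegEax = *(PULONG)(cPtr + 1);
            RegEaxKnown = TRUE;
            continue;
        }
        else if (*(PUSHORT)cPtr == 0x4689)   // 89 46 disp8       : mov [esi+disp8], eax
        {
            if (!RegEaxKnown)
            {
                continue;   // no known EAX value yet; nothing usable to record
            }
            Displacement = (LONG)(signed char)cPtr[2];
            MajorFunction = (PVOID)RegEax;
        }
        else if (*(PUSHORT)cPtr == 0x8689)   // 89 86 disp32      : mov [esi+disp32], eax
        {
            if (!RegEaxKnown)
            {
                continue;
            }
            Displacement = *(PLONG)(cPtr + 2);   // disp32, not a single byte
            MajorFunction = (PVOID)RegEax;
        }
        else
        {
            continue;
        }

        // Keep only stores that land exactly on a MajorFunction[] slot.
        SlotOffset = Displacement - FIELD_OFFSET(DRIVER_OBJECT, MajorFunction);
        if (SlotOffset < 0 || (SlotOffset % (LONG)sizeof(PVOID)) != 0)
        {
            continue;
        }
        MajorFunctionIndex = SlotOffset / (LONG)sizeof(PVOID);
        if (MajorFunctionIndex > IRP_MJ_MAXIMUM_FUNCTION)
        {
            continue;
        }
        DispatchTableBuffer[MajorFunctionIndex] = MajorFunction;
    }
    return TRUE;
}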
if (g_NtfsDriverObject)
{
    // Pull the pristine IRP dispatch table out of the disk-mapped copy of
    // ntfs.sys; the rest of the driver depends on it, so a failure tears
    // everything down before reporting the error.
    // NOTE(review): only g_NtfsDriverObject is tested here, yet the call
    // consumes g_MappedNtfsBase — presumably MapNtfsDriver() ran earlier;
    // confirm against the caller.
    BOOLEAN GotTable = GetDispatchTable(g_MappedNtfsBase, (PVOID *)&NtfsDriverDispatch);
    if (!GotTable)
    {
        DriverTerminate();
        return STATUS_UNSUCCESSFUL;
    }
} :lol炉子的东西
看不懂 看来我的代码风格依然不怎么好理解 - -