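/*
 * Append Src to the NUL-terminated string in Dst without the result
 * exceeding DstSize bytes (terminator included).  Returns FALSE and leaves
 * Dst untouched when it would not fit: a silently truncated path must not
 * be handed to the image mapper as though it were complete.
 */
static BOOLEAN
AppendBounded(CHAR *Dst, size_t DstSize, const CHAR *Src)
{
    size_t Used = strlen(Dst);
    size_t Add = strlen(Src);

    if (Used >= DstSize || Add >= DstSize - Used) {
        return FALSE;
    }
    memcpy(Dst + Used, Src, Add + 1); /* +1 carries the terminator */
    return TRUE;
}

/*
 * Locate the loaded ntfs.sys and map a clean copy of it from disk.
 *
 * Globals written:
 *   g_NtfsBase       - load address of ntfs.sys as returned by
 *                      GetKernelModuleBase; assigned before the NULL check,
 *                      so it is NULL when the module was not found.
 *   g_MappedNtfsBase - view of <SystemRoot>\system32\drivers\ntfs.sys
 *                      produced by MapViewOfImage for KernelBase.
 *
 * Returns TRUE when both globals are valid, FALSE on any failure.
 * The on-disk file is used as the reference image; whether MapViewOfImage
 * validates it (size, signature) is not visible from this function.
 */
BOOLEAN
MapNtfsDriver(void)
{
    CHAR KernelPath[256];
    PVOID KernelBase;
    UNICODE_STRING ustrKernelPath;
    ANSI_STRING astrKernelPath;

    KernelBase = GetKernelModuleBase("ntfs.sys");
    g_NtfsBase = KernelBase;
    if (!KernelBase) {
        return FALSE;
    }

    /* GetSystemRoot receives the real buffer size; it is assumed to
     * NUL-terminate within it (the strlen in AppendBounded relies on that). */
    if (!NT_SUCCESS(GetSystemRoot(KernelPath, sizeof KernelPath))) {
        return FALSE;
    }

    /* strncat's count limits only the appended part, not the total length,
     * so the room left in KernelPath is checked explicitly instead. */
    if (!AppendBounded(KernelPath, sizeof KernelPath, "system32\\drivers\\") ||
        !AppendBounded(KernelPath, sizeof KernelPath, "ntfs.sys")) {
        return FALSE;
    }

    RtlInitAnsiString(&astrKernelPath, KernelPath);
    /* TRUE: RtlAnsiStringToUnicodeString allocates the buffer; freed below. */
    if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&ustrKernelPath, &astrKernelPath, TRUE))) {
        return FALSE;
    }

    g_MappedNtfsBase = MapViewOfImage(ustrKernelPath.Buffer, KernelBase);
    RtlFreeUnicodeString(&ustrKernelPath);

    return g_MappedNtfsBase != NULL;
}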
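/*
 * Map an [esi+Displacement] store onto an index into
 * DRIVER_OBJECT.MajorFunction[].  Returns -1 when the displacement does
 * not land exactly on a slot: before the table, past
 * IRP_MJ_MAXIMUM_FUNCTION, or not on a 4-byte boundary (this decoder
 * targets the x86 layout with 4-byte pointer slots).
 */
static LONG
MajorFunctionSlot(LONG Displacement)
{
    LONG Rel = Displacement - FIELD_OFFSET(DRIVER_OBJECT, MajorFunction);

    if (Rel < 0 || (Rel % 4) != 0) {
        return -1;
    }
    Rel /= 4;
    if (Rel > IRP_MJ_MAXIMUM_FUNCTION) {
        return -1;
    }
    return Rel;
}

/*
 * Rebuild a driver's IRP dispatch table by statically decoding its entry
 * point.  The entry code is expected to fill DRIVER_OBJECT.MajorFunction[]
 * through esi, either as an immediate store
 *   C7 46 disp8 imm32 / C7 86 disp32 imm32   mov dword ptr [esi+disp], imm32
 * or as a register store preceded by a load of eax
 *   B8 imm32                                  mov eax, imm32
 *   89 46 disp8 / 89 86 disp32                mov [esi+disp], eax
 * The table recovered from a clean image can then be compared with the
 * live one to detect patched entries.
 *
 * ModuleBase          - base of a mapped PE image (x86 layout assumed).
 * DispatchTableBuffer - receives one pointer per slot; the caller must
 *                       provide at least IRP_MJ_MAXIMUM_FUNCTION + 1
 *                       entries.  Slots never stored to are left untouched.
 *
 * Returns TRUE even when decoding stopped early on an unknown opcode; the
 * table may then be incomplete (the DbgPrint is the only signal).
 */
BOOLEAN
GetDispatchTable(
    PVOID ModuleBase,
    PVOID *DispatchTableBuffer
    )
{
    PIMAGE_NT_HEADERS NtHeaders = (PIMAGE_NT_HEADERS)(((PIMAGE_DOS_HEADER)ModuleBase)->e_lfanew + (ULONG_PTR)ModuleBase);
    PUCHAR Entry = (PUCHAR)(NtHeaders->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)ModuleBase);
    PUCHAR End = Entry + SizeOfProc(Entry);
    PUCHAR cPtr;
    ULONG Length;
    /* Last immediate loaded into eax.  Kept outside the loop: a per-iteration
     * local would be a fresh, indeterminate object on every pass, so the value
     * from the B8 instruction could not legitimately reach the later store. */
    ULONG RegEax = 0;
    BOOLEAN EaxKnown = FALSE;

    for (cPtr = Entry; cPtr < End; cPtr += Length) {
        UCHAR *pOpcode;
        USHORT Op2;
        LONG Index;
        PVOID Target;

        Length = SizeOfCode(cPtr, &pOpcode);
        if (!Length) {
            DbgPrint("[EDHelper] GetDispatchTable: Unknwon opcode length.\n");
            break;
        }
        /* Operands are read from inside the instruction; never read past
         * the end of the procedure. */
        if (cPtr + Length > End) {
            break;
        }

        Op2 = *(PUSHORT)cPtr;
        if (Op2 == 0x46C7) {
            /* mov dword ptr [esi+disp8], imm32 -- disp8 is sign-extended */
            Index = MajorFunctionSlot((LONG)(signed char)cPtr[2]);
            Target = *(PVOID *)(cPtr + 3);
        } else if (Op2 == 0x86C7) {
            /* mov dword ptr [esi+disp32], imm32 */
            Index = MajorFunctionSlot(*(PLONG)(cPtr + 2));
            Target = *(PVOID *)(cPtr + 6);
        } else if (cPtr[0] == 0xB8) {
            /* mov eax, imm32 -- remember it for a following register store */
            RegEax = *(PULONG)(cPtr + 1);
            EaxKnown = TRUE;
            continue;
        } else if (Op2 == 0x4689) {
            /* mov [esi+disp8], eax -- disp8 is sign-extended */
            if (!EaxKnown) {
                continue;
            }
            Index = MajorFunctionSlot((LONG)(signed char)cPtr[2]);
            Target = (PVOID)(ULONG_PTR)RegEax;
        } else if (Op2 == 0x8689) {
            /* mov [esi+disp32], eax -- the displacement is 4 bytes here,
             * not 1 as for the disp8 form */
            if (!EaxKnown) {
                continue;
            }
            Index = MajorFunctionSlot(*(PLONG)(cPtr + 2));
            Target = (PVOID)(ULONG_PTR)RegEax;
        } else {
            continue;
        }

        if (Index < 0) {
            continue;
        }
        DispatchTableBuffer[Index] = Target;
    }
    return TRUE;
}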
/* Populate NtfsDriverDispatch from the clean, disk-mapped ntfs.sys image
 * (g_MappedNtfsBase) so it can serve as the reference copy of the live
 * dispatch table.  The enclosing function begins outside this excerpt.
 * NOTE(review): the guard tests g_NtfsDriverObject, but GetDispatchTable
 * dereferences g_MappedNtfsBase without a NULL check -- confirm that
 * MapNtfsDriver has succeeded on every path that reaches this point. */
if (g_NtfsDriverObject)
{
    /* (PVOID *)&NtfsDriverDispatch: presumably an array with
     * IRP_MJ_MAXIMUM_FUNCTION + 1 entries -- verify its declaration. */
    if (!GetDispatchTable(
        g_MappedNtfsBase,
        (PVOID *)&NtfsDriverDispatch
        ))
    {
        /* Reference table could not be rebuilt: tear down and fail the load. */
        DriverTerminate();
        return STATUS_UNSUCCESSFUL;
    }
} |