Want to hack the Windows OS? Want to customize it? Want your Windows OS to behave as per your need? Hook the SSDT.
Sample code for hooking Nt functions.
#include “ntddk.h”
#include “stdarg.h”
#include “stdio.h”
#include “hooksys.h”
#include “hook.h”
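/* Declared but neither assigned nor read anywhere in this listing; it may be
 * referenced from hooksys.h / hook.h, which are not shown. */
int ProcessNameOffset;

/*
 * Function-pointer types mirroring the native NtCreateFile / NtWriteFile /
 * NtReadFile / NtDeviceIoControlFile prototypes.  They type the saved
 * original service entries (Old*) so the hooks can forward calls to them.
 */
typedef NTSTATUS (*NTCREATEFILE)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize OPTIONAL,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer OPTIONAL,
    ULONG EaLength
    );

typedef NTSTATUS (*NTWRITEFILE)(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID Buffer,
    ULONG Length,
    PLARGE_INTEGER ByteOffset,
    PULONG Key
    );

typedef NTSTATUS (*NTREADFILE)(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID Buffer,
    ULONG Length,
    PLARGE_INTEGER ByteOffset,
    PULONG Key
    );

typedef NTSTATUS (*NTDEVICEIOCONTROLFILE)(
    HANDLE FileHandle,
    HANDLE Event OPTIONAL,
    PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    PVOID ApcContext OPTIONAL,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG IoControlCode,
    PVOID InputBuffer OPTIONAL,
    ULONG InputBufferLength,
    PVOID OutputBuffer OPTIONAL,
    ULONG OutputBufferLength
    );

/* Declared but unused in this listing. */
PFILE_NAME_INFORMATION pFileInfo;

#define MAX_PATH 260

/*
 * SYSTEMSERVICE(ZwXxx) - the SSDT slot the given Zw* stub dispatches to.
 *
 * The service index is taken from the 32-bit value at offset 1 of the stub,
 * i.e. the immediate of the "mov eax, <index>" that 32-bit x86 Zw* stubs
 * begin with.  That is a layout assumption: it only holds for a 32-bit
 * kernel build, and no bounds check is applied to the index, so a stub with
 * a different prologue would index the table with garbage.  The argument is
 * parenthesised so that an arbitrary expression can be passed safely.
 */
#define SYSTEMSERVICE(_function) \
    KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)(_function) + 1)]

/*
 * Original service entries, saved by HookServices() and restored by
 * UnHookServices().  As file-scope objects they are zero-initialised, so a
 * NULL value means the corresponding service was never hooked.
 */
NTCREATEFILE OldNtCreateFile;
NTWRITEFILE OldNtWriteFile;
NTREADFILE OldNtReadFile;
NTDEVICEIOCONTROLFILE OldNtDeviceIoControlFile;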
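/* Kept for source compatibility with the original listing; no longer used
 * by DumpData, which formats directly into a line buffer. */
#define SCRATCH_BUF_MAX_LEN 4
/* Bytes printed per DbgPrint line. */
#define DEBUG_LINE_MAX_LEN 24

/*
 * DumpData - print a buffer to the debugger as hex, DEBUG_LINE_MAX_LEN
 * bytes per line, each byte as "XX " (upper-case, space-separated).
 *
 * lpbyBuffer: bytes to dump.  Must be readable from this context: kernel
 *             memory, or user memory that the caller has probed and is
 *             reading inside __try/__except.  This routine does no
 *             validation of its own.
 * nLen:       number of bytes to dump.  A NULL buffer or a length <= 0
 *             prints only the "Data:" header.
 *
 * The original built each line with sprintf("%02X ") + strcat from a plain
 * char pointer.  A byte >= 0x80 is sign-extended to int and prints as
 * "FFFFFF80 " (9 chars), overflowing the 4-byte scratch buffer on the
 * kernel stack.  The hex digits are now emitted from an unsigned view of
 * the data straight into a line buffer sized from DEBUG_LINE_MAX_LEN, so
 * there is no intermediate formatting call and no unbounded concatenation.
 */
void DumpData (char* lpbyBuffer, int nLen)
{
    static const char hexDigits[] = "0123456789ABCDEF";
    /* Three characters per byte ("XX ") plus the terminator. */
    char szLine[DEBUG_LINE_MAX_LEN * 3 + 1];
    const unsigned char *pby = (const unsigned char *)lpbyBuffer;
    int nDone;

    DbgPrint ("Data:");
    if (pby == NULL || nLen <= 0)
        return;

    for (nDone = 0; nDone < nLen; )
    {
        int nChunk = nLen - nDone;
        int j, pos = 0;

        /* Residue bytes are simply the last, shorter line. */
        if (nChunk > DEBUG_LINE_MAX_LEN)
            nChunk = DEBUG_LINE_MAX_LEN;

        for (j = 0; j < nChunk; j++)
        {
            unsigned char b = pby[nDone + j];
            szLine[pos++] = hexDigits[b >> 4];
            szLine[pos++] = hexDigits[b & 0x0F];
            szLine[pos++] = ' ';
        }
        szLine[pos] = '\0';

        DbgPrint ("%s", szLine);
        nDone += nChunk;
    }
}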
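/* IOCTL code the hook intercepts.  The listing does not say which device or
 * operation 0x00222b28 belongs to; requests carrying it are logged and then
 * dropped instead of being passed to the real service. */
#define FILTERED_IOCTL_CODE 0x00222b28

/* Upper bound on how much of a request buffer is written to the debugger.
 * Keeps a huge caller-supplied length from flooding DbgPrint and from
 * wrapping the int length that DumpData takes. */
#define IOCTL_DUMP_MAX_BYTES 4096

/*
 * NewNtDeviceIoControlFile - SSDT replacement for NtDeviceIoControlFile.
 *
 * A request whose IoControlCode is FILTERED_IOCTL_CODE has its input buffer
 * and its (pre-call) output buffer dumped to the debugger and is then
 * answered with STATUS_SUCCESS without ever reaching the original service.
 * Every other request is forwarded to the saved original entry unchanged.
 *
 * This runs as a system service, so InputBuffer, OutputBuffer and
 * IoStatusBlock are caller-supplied pointers.  The original dereferenced
 * them unchecked: for a user-mode caller an unmapped address bugchecks the
 * machine, and a kernel address passed from user mode would have been read
 * and echoed into the debug output.  The buffers are now probed and read
 * inside __try/__except when the previous mode is user, as the real service
 * does, and the filtered path writes IoStatusBlock so the caller does not
 * observe a stale status.  The caller's Event / APC are still not signalled
 * on the filtered path; that is unchanged from the original.
 *
 * Returns STATUS_SUCCESS on the filtered path, the exception code if a
 * caller address is invalid, otherwise the original service's status.
 */
NTSTATUS NewNtDeviceIoControlFile(
    HANDLE FileHandle,
    HANDLE Event OPTIONAL,
    PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    PVOID ApcContext OPTIONAL,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG IoControlCode,
    PVOID InputBuffer OPTIONAL,
    ULONG InputBufferLength,
    PVOID OutputBuffer OPTIONAL,
    ULONG OutputBufferLength )
{
    if (IoControlCode == FILTERED_IOCTL_CODE)
    {
        KPROCESSOR_MODE previousMode = ExGetPreviousMode();
        ULONG inDump  = InputBufferLength  < IOCTL_DUMP_MAX_BYTES ? InputBufferLength  : IOCTL_DUMP_MAX_BYTES;
        ULONG outDump = OutputBufferLength < IOCTL_DUMP_MAX_BYTES ? OutputBufferLength : IOCTL_DUMP_MAX_BYTES;

        DbgPrint("NtDeviceIOControl %lx and InputBufferLength=%lx", IoControlCode, InputBufferLength);

        __try
        {
            if (previousMode != KernelMode)
            {
                /* Probe the caller's full stated lengths, not just the part
                 * that is dumped, so an out-of-range buffer is rejected. */
                if (InputBufferLength != 0)
                    ProbeForRead(InputBuffer, InputBufferLength, sizeof(UCHAR));
                if (OutputBufferLength != 0)
                    ProbeForRead(OutputBuffer, OutputBufferLength, sizeof(UCHAR));
                ProbeForWrite(IoStatusBlock, sizeof(IO_STATUS_BLOCK), sizeof(ULONG));
            }

            if (InputBufferLength != 0)
                DumpData(InputBuffer, (int)inDump);
            DbgPrint("Output Buffer");
            /* The original service never runs on this path, so this shows
             * whatever the caller's output buffer held before the call. */
            if (OutputBufferLength != 0)
                DumpData(OutputBuffer, (int)outDump);

            IoStatusBlock->Status = STATUS_SUCCESS;
            IoStatusBlock->Information = 0;
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            /* Invalid caller address: fail the request instead of faulting. */
            return GetExceptionCode();
        }

        return STATUS_SUCCESS;
    }

    return OldNtDeviceIoControlFile(
        FileHandle,
        Event,
        ApcRoutine,
        ApcContext,
        IoStatusBlock,
        IoControlCode,
        InputBuffer,
        InputBufferLength,
        OutputBuffer,
        OutputBufferLength );
}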
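/*
 * NewNtReadFile - SSDT replacement for NtReadFile.
 *
 * Pure pass-through: every argument is forwarded to the saved original
 * entry and its status is returned unchanged.  The data read is not
 * inspected here, so no probing is needed; the original service validates
 * its own arguments.  (The original declared an IO_STATUS_BLOCK and a loop
 * counter that were never used; they are dropped.)
 *
 * Returns whatever the original NtReadFile returns.
 */
NTSTATUS NewNtReadFile(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID Buffer,
    ULONG Length,
    PLARGE_INTEGER ByteOffset,
    PULONG Key
    )
{
    return OldNtReadFile(
        FileHandle,
        Event,
        ApcRoutine,
        ApcContext,
        IoStatusBlock,
        Buffer,
        Length,
        ByteOffset,
        Key);
}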
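/*
 * NewNtWriteFile - SSDT replacement for NtWriteFile.
 *
 * Pure pass-through: every argument is forwarded to the saved original
 * entry and its status is returned unchanged.  No buffer is inspected, so
 * no probing is needed; the original service validates its own arguments.
 * The status is carried in an NTSTATUS rather than the original's int so
 * the type agrees with the callee and with NewNtReadFile.
 *
 * Returns whatever the original NtWriteFile returns.
 */
NTSTATUS NewNtWriteFile(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID Buffer,
    ULONG Length,
    PLARGE_INTEGER ByteOffset,
    PULONG Key)
{
    NTSTATUS status = OldNtWriteFile(
        FileHandle,
        Event,
        ApcRoutine,
        ApcContext,
        IoStatusBlock,
        Buffer,
        Length,
        ByteOffset,
        Key);
    return status;
}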
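/*
 * NewNtCreateFile - SSDT replacement for NtCreateFile.
 *
 * Pure pass-through: every argument is forwarded to the saved original
 * entry and its status is returned unchanged.  ObjectAttributes (and the
 * file name inside it) are not touched here, so no probing is needed; the
 * original service validates its own arguments.  The status is carried in
 * an NTSTATUS rather than the original's int for consistency with the
 * callee.  The commented-out DbgPrint of the original is removed.
 *
 * Returns whatever the original NtCreateFile returns.
 */
NTSTATUS NewNtCreateFile(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize OPTIONAL,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer OPTIONAL,
    ULONG EaLength)
{
    NTSTATUS status = OldNtCreateFile(
        FileHandle,
        DesiredAccess,
        ObjectAttributes,
        IoStatusBlock,
        AllocationSize,
        FileAttributes,
        ShareAccess,
        CreateDisposition,
        CreateOptions,
        EaBuffer,
        EaLength);
    return status;
}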
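/*
 * HookServices - point the SSDT entries for NtCreateFile, NtWriteFile,
 * NtReadFile and NtDeviceIoControlFile at the New* routines above, saving
 * the previous entries in the Old* globals so the hooks can forward to
 * them and UnHookServices() can restore them.
 *
 * Each slot is swapped with InterlockedExchangePointer, so saving the old
 * value and storing the new one is a single atomic operation visible to
 * every processor.  The original bracketed the two separate accesses with
 * _asm cli / _asm sti, which only masks interrupts on the current CPU
 * (other CPUs keep dispatching through the table meanwhile) and, as
 * written, executed cli again where sti was intended after the WriteFile,
 * ReadFile and DeviceIoControlFile stores, so the routine returned with
 * interrupts disabled.
 *
 * Assumes the service table is writable from this context; the listing
 * does not handle a write-protected table.  SYSTEMSERVICE's index
 * extraction is only valid for 32-bit x86 Zw* stubs.
 *
 * Returns STATUS_SUCCESS; there is no failure path.
 */
NTSTATUS HookServices(void)
{
    OldNtCreateFile = (NTCREATEFILE)InterlockedExchangePointer(
        (PVOID volatile *)&SYSTEMSERVICE(ZwCreateFile),
        (PVOID)NewNtCreateFile);

    OldNtWriteFile = (NTWRITEFILE)InterlockedExchangePointer(
        (PVOID volatile *)&SYSTEMSERVICE(ZwWriteFile),
        (PVOID)NewNtWriteFile);

    OldNtReadFile = (NTREADFILE)InterlockedExchangePointer(
        (PVOID volatile *)&SYSTEMSERVICE(ZwReadFile),
        (PVOID)NewNtReadFile);

    OldNtDeviceIoControlFile = (NTDEVICEIOCONTROLFILE)InterlockedExchangePointer(
        (PVOID volatile *)&SYSTEMSERVICE(ZwDeviceIoControlFile),
        (PVOID)NewNtDeviceIoControlFile);

    return STATUS_SUCCESS;
}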
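/*
 * UnHookServices - restore the saved original SSDT entries.
 *
 * The original restored NtCreateFile, NtWriteFile and NtReadFile but not
 * NtDeviceIoControlFile, so after DriverUnload freed the image that slot
 * still pointed into unloaded memory and the next DeviceIoControl call
 * from any process would have crashed the system.  All four entries are
 * now restored, each with a single atomic exchange (the original's
 * cli/sti pair only affected the current CPU).  A slot is only written if
 * its saved value is non-NULL, so calling this before HookServices() ran
 * (the Old* globals are zero-initialised file-scope objects) does not
 * plant a NULL service pointer.
 *
 * NOTE(review): restoring the table stops new calls from entering the
 * New* routines, but threads already executing inside one of them are not
 * waited for; the listing provides no reference count or delay before the
 * image is unloaded.
 */
void UnHookServices(void)
{
    if (OldNtCreateFile != NULL)
        InterlockedExchangePointer(
            (PVOID volatile *)&SYSTEMSERVICE(ZwCreateFile),
            (PVOID)OldNtCreateFile);

    if (OldNtWriteFile != NULL)
        InterlockedExchangePointer(
            (PVOID volatile *)&SYSTEMSERVICE(ZwWriteFile),
            (PVOID)OldNtWriteFile);

    if (OldNtReadFile != NULL)
        InterlockedExchangePointer(
            (PVOID volatile *)&SYSTEMSERVICE(ZwReadFile),
            (PVOID)OldNtReadFile);

    if (OldNtDeviceIoControlFile != NULL)
        InterlockedExchangePointer(
            (PVOID volatile *)&SYSTEMSERVICE(ZwDeviceIoControlFile),
            (PVOID)OldNtDeviceIoControlFile);
}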
/*
 * DriverEntry - driver entry point.
 *
 * Device and symbolic-link creation, and the call to HookServices(), are
 * folded into the MYDRIVERENTRY macro from hooksys.h, which is not part of
 * this listing.  ntStatus is not declared here, so it is presumably a local
 * the macro declares and sets — confirm against hooksys.h.  DriverObject
 * and RegistryPath are likewise only used, if at all, inside that macro.
 *
 * NOTE(review): HookServices() is passed as a macro argument, so whether
 * the hooks are installed before or after the control device exists (and
 * whether a device-creation failure still installs them) depends on the
 * macro's expansion, which cannot be checked from here.
 */
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
MYDRIVERENTRY(DRIVER_DEVICE_NAME,
FILE_DEVICE_HOOKSYS,
HookServices());
return ntStatus;
}
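/*
 * DriverDispatch - IRP handler for the driver's control device.
 *
 * Completes every IRP with STATUS_SUCCESS and zero bytes transferred; the
 * only action is logging the control code of IRP_MJ_DEVICE_CONTROL
 * requests.  Two defects of the original are fixed:
 *   - Irp->IoStatus.Status was read after IoCompleteRequest(), which may
 *     free the IRP; the status is now captured in a local beforehand.
 *   - Parameters.DeviceIoControl was read (and the code logged) for every
 *     major function, including create/close, where that union member
 *     holds other data; it is now read only in the DEVICE_CONTROL case.
 * The four buffer/length locals of the original were never used and are
 * dropped.
 *
 * NOTE(review): every control code, known or not, is reported as success.
 * A reviewer would normally expect STATUS_INVALID_DEVICE_REQUEST for an
 * unrecognised IOCTL, but the user-mode side of this interface is not
 * shown, so the original status is kept.
 *
 * Returns the status the IRP was completed with.
 */
NTSTATUS
DriverDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    switch (irpStack->MajorFunction)
    {
    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint("IOControlCode = %lx",
                 irpStack->Parameters.DeviceIoControl.IoControlCode);
        break;
    default:
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;

    /* The IRP must not be touched after this call. */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}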
/*
 * DriverUnload - tear down the driver.
 *
 * Restores the service table, then removes the \DosDevices symbolic link
 * and the control device that MYDRIVERENTRY created.  DRIVER_DEVICE_NAME
 * is expected to be a wide string literal so it can be pasted onto the
 * L"\\DosDevices\\" prefix.
 *
 * NOTE(review): unhooking first stops new system calls from entering the
 * New* routines, but a call already executing inside one of them is not
 * waited for before the image is freed; nothing in the listing guards
 * that window.
 */
VOID
DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNICODE_STRING linkName;
    WCHAR linkPath[] = L"\\DosDevices\\" DRIVER_DEVICE_NAME;

    /* Service table first, so no new calls reach this image. */
    UnHookServices();

    RtlInitUnicodeString(&linkName, linkPath);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);
}
Originally posted on: 2011-05-22 04:35:35
Anshul Makkar, anshul_makkar@justkernel.com