Otro más....
LoadDriver SSDT Hook.
Compile it with Meerlat 1.1 (See Kernel-mode section)
Use DbgView to capture the information it prints.
// Kernel-mode driver (Delphi, built with Meerlat per the post) that replaces the
// ZwLoadDriver entry in the System Service Descriptor Table (SSDT) with a
// logging wrapper: every driver-load request is printed via DbgPrint and then
// forwarded to the original service. The table write is done with the CR0
// write-protect bit cleared (see the KernelUtils listing below).
// NOTE(review): the post reports x86 XP/Vista/7 only; on 64-bit Windows,
// Kernel Patch Protection (PatchGuard) detects SSDT modification and bug-checks,
// so the x86-only scope is expected rather than incidental — confirm.
unit ZwLoadDriverHook;
interface

// Project units from the Meerlat kernel-mode framework; KernelUtils appears to
// be the helper unit given in the second listing (SystemServiceName,
// GetImportFunAddr, Enable/DisableWriteProtection). What fcall and
// NtoskrnlCustom contribute is not visible here.
uses
  nt_status,
  ntoskrnl,
  fcall,
  KernelUtils,
  NtoskrnlCustom;

// Driver entry point (the leading underscore presumably matches the exported
// DriverEntry symbol name the loader expects — confirm in the project settings).
// Registers DriverUnload and installs the ZwLoadDriver hook; RegistryPath is
// not used. Returns STATUS_SUCCESS unconditionally (see implementation).
function _DriverEntry(
  DriverObject: PDriverObject;
  RegistryPath: PUnicodeString
): NTSTATUS; stdcall;
implementation

type
  // Signature of the native ZwLoadDriver service as called through the SSDT:
  // one PUnicodeString argument (the driver service name), NTSTATUS result,
  // stdcall convention.
  TZwLoadDriver = function(DriverServiceName: PUnicodeString): NTSTATUS; stdcall;

var
  // True while our entry sits in the SSDT: set in _DriverEntry after the swap,
  // cleared in DriverUnload after the original is restored.
  HookActive: Boolean;
  // Original SSDT value saved when the hook is installed; ZwLoadDriverHookProc
  // forwards to it. After DriverUnload it holds whatever the second swap
  // returned (our own hook procedure) — see the comments in DriverUnload.
  ZwLoadDriverNextHook: TZwLoadDriver;
// SSDT replacement for ZwLoadDriver. Logs the requested driver service name
// (%wZ formats a UNICODE_STRING through its pointer) and forwards the call,
// unchanged, to the saved original entry, returning that entry's status.
function ZwLoadDriverHookProc(DriverServiceName: PUnicodeString): NTSTATUS; stdcall;
var
  Status: NTSTATUS;
begin
  DbgPrint('Driver service name :%wZ', DriverServiceName);
  // Delegate to the original service and hand its status straight back.
  Status := ZwLoadDriverNextHook(DriverServiceName);
  Result := Status;
end;
// Unload routine registered by _DriverEntry. If the hook is installed, writes
// the saved original address back into ZwLoadDriver's SSDT slot with CR0 write
// protection temporarily cleared around the write, then clears HookActive.
// DriverObject is not used.
procedure DriverUnload(DriverObject: PDriverObject); stdcall;
begin
  if HookActive then
  begin
    DisableWriteProtection();
    // InterlockedExchange stores the saved original back into the slot and
    // returns the value that was there (our ZwLoadDriverHookProc), which then
    // overwrites ZwLoadDriverNextHook — so "Old Address" below is the hook's.
    // Delphi: @ on a procedural variable yields the routine address it holds
    // (@@ would give the variable's own address), so LONG(@ZwLoadDriverNextHook)
    // is the saved original entry.
    ZwLoadDriverNextHook := TZwLoadDriver(InterlockedExchange(SystemServiceName(GetImportFunAddr(@ZwLoadDriver)), LONG(@ZwLoadDriverNextHook)));
    EnableWriteProtection();
    DbgPrint('ZwLoadDriver New Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwLoadDriver))^);
    DbgPrint('ZwLoadDriver Old Address: 0x%.8X', DWORD(@ZwLoadDriverNextHook));
    HookActive := False;
  end;
  // NOTE(review): nothing here waits for a call already executing inside
  // ZwLoadDriverHookProc to return before the image goes away.
  DbgPrint('DriverUnload(-)');
end;
// Driver entry point: registers DriverUnload, prints the addresses involved
// for DbgView, then swaps ZwLoadDriverHookProc into ZwLoadDriver's SSDT slot.
// Result is fixed to STATUS_SUCCESS before any of that happens, so a failed
// or partial hook is not reported to the loader. RegistryPath is not used.
function _DriverEntry(DriverObject: PDriverObject; RegistryPath: PUnicodeString): NTSTATUS; stdcall;
begin
  DriverObject^.DriverUnload := @DriverUnload;
  Result := STATUS_SUCCESS;
  DbgPrint('DriverEntry(-):0x%.8X', Result);
  HookActive := False;
  // Diagnostics only: the resolved import target of ZwLoadDriver, the
  // descriptor-table pointer and what it points to, the current SSDT slot
  // contents for ZwLoadDriver, and the address of our hook procedure.
  DbgPrint('ZwLoadDriver Import Address: 0x%.8X', GetImportFunAddr(@ZwLoadDriver));
  DbgPrint('KeServiceDescriptorTable() Address 1: 0x%.8X', @KeServiceDescriptorTable);
  DbgPrint('KeServiceDescriptorTable() Address 2: 0x%.8X', PPointer(@KeServiceDescriptorTable)^);
  DbgPrint('ZwLoadDriver Name Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwLoadDriver))^);
  DbgPrint('ZwLoadDriver HookProc Address: 0x%.8X', @ZwLoadDriverHookProc);
  // HookActive was just set to False, so this condition is always true; the
  // else arm ('ZwLoadDriver Hooked') is unreachable as written.
  if not HookActive then
  begin
    DisableWriteProtection();
    // Atomically swap our hook into the slot; the returned previous value is the
    // original entry, kept for forwarding and for restoration in DriverUnload.
    ZwLoadDriverNextHook := TZwLoadDriver(InterlockedExchange(SystemServiceName(GetImportFunAddr(@ZwLoadDriver)), LONG(@ZwLoadDriverHookProc)));
    EnableWriteProtection();
    DbgPrint('ZwLoadDriver New Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwLoadDriver))^);
    DbgPrint('ZwLoadDriver Old Address: 0x%.8X', DWORD(@ZwLoadDriverNextHook));
    HookActive := True;
  end else
  begin
    DbgPrint('ZwLoadDriver Hooked');
  end;
end;
end.
// NOTE(review): the `unit` header line is missing from this paste; the
// declarations correspond to the KernelUtils unit used by ZwLoadDriverHook above.
interface

uses
  nt_status,
  ntoskrnl;

// Address of the SSDT slot for the service whose ntoskrnl stub is AFunc
// (the service index is read from the stub — see implementation).
function SystemServiceName(AFunc: Pointer): PLONG; stdcall;
// Presumably follows an import thunk: reads the slot address stored two bytes
// past lpImportAddr and returns what that slot holds. 32-bit only.
function GetImportFunAddr(lpImportAddr: Pointer): Pointer; stdcall;
// Address of the SSDT slot at index iOrd (no range check).
function SystemServiceOrd(iOrd: ULONG): PLONG; stdcall;
// Restores CR0 from uCr0 and re-enables interrupts (sti).
procedure EnableWriteProtection(); stdcall;
// Disables interrupts (cli), saves CR0 into uCr0 and clears CR0.WP (bit 16).
procedure DisableWriteProtection(); stdcall;

var
  // CR0 value saved by DisableWriteProtection and restored by
  // EnableWriteProtection. One global shared by every CPU, not per-CPU.
  uCr0: ULONG;

implementation
// Clears the write-protect bit of CR0 so that read-only kernel pages (the SSDT
// here) can be written from ring 0. Disables interrupts first and saves the
// previous CR0 in the global uCr0 for EnableWriteProtection.
// NOTE(review): cli only masks interrupts on the executing CPU and the saved
// value is a single global, so this is not a system-wide exclusion.
procedure DisableWriteProtection(); stdcall;
begin
  asm
    cli                     // interrupts off on this CPU
    push eax
    mov eax, cr0
    mov [uCr0], eax         // remember the original CR0
    and eax, not 00010000h  // clear CR0.WP (bit 16)
    mov cr0, eax
    pop eax
  end;
end;
// Restores the CR0 value saved by DisableWriteProtection (re-enabling write
// protection) and then re-enables interrupts.
// NOTE(review): sti is unconditional — EFLAGS.IF is not saved by the Disable
// routine, so interrupts end up enabled even if they were off beforehand.
procedure EnableWriteProtection(); stdcall;
begin
  asm
    push eax
    mov eax, [uCr0]   // value saved in DisableWriteProtection
    mov cr0, eax
    pop eax
    sti               // interrupts back on
  end;
end;
// Resolves an import to its target address: reads the 32-bit pointer stored
// two bytes past lpImportAddr (presumably the operand of a `jmp dword ptr
// [slot]` import thunk — confirm against the compiled image) and dereferences
// that slot. x86-only: pointer arithmetic goes through 32-bit Cardinal.
function GetImportFunAddr(lpImportAddr: Pointer): Pointer; stdcall;
var
  OperandAddr: Cardinal;
  SlotPtr: PPointer;
begin
  // Skip the two opcode bytes to reach the embedded slot address.
  OperandAddr := Cardinal(lpImportAddr) + 2;
  SlotPtr := PPointer(PPointer(OperandAddr)^);
  Result := SlotPtr^;
end;
// Returns the address of the SSDT slot for the service whose stub is AFunc:
// ServiceTableBase + 4 * index, where the index is the 32-bit value found at
// AFunc+1 (presumably the immediate of the stub's `mov eax, <index>` — confirm
// for the target build). x86-only casts through Cardinal/ULONG.
function SystemServiceName(AFunc: Pointer): PLONG; stdcall;
var
  Descriptor: PServiceDescriptorEntry;
  ServiceIndex: ULONG;
  TableBase: Cardinal;
begin
  Descriptor := GetImportFunAddr(@KeServiceDescriptorTable);
  ServiceIndex := PULONG(ULONG(AFunc) + 1)^;
  TableBase := Cardinal(Descriptor^.ServiceTableBase);
  Result := PLONG(TableBase + SizeOf(ULONG) * ServiceIndex);
end;
// Returns the address of the SSDT slot at index iOrd: ServiceTableBase + 4 * iOrd.
// NOTE(review): iOrd is not range-checked; whether the descriptor exposes a
// service count to compare against is not visible in this listing.
function SystemServiceOrd(iOrd: ULONG): PLONG; stdcall;
var
  Descriptor: PServiceDescriptorEntry;
  TableBase: Cardinal;
begin
  Descriptor := GetImportFunAddr(@KeServiceDescriptorTable);
  TableBase := Cardinal(Descriptor^.ServiceTableBase);
  Result := PLONG(TableBase + SizeOf(ULONG) * iOrd);
end;
end.
Tested on Windows XP SP2 and SP3, Vista and Windows 7 (x86 systems).
Algo viejo... pero bueno...
Delphi project link: [Enlace externo eliminado para invitados]
Espero que os sirva...
Saludos !!