/*
* SSDT操作程序
* Made By Adly
*
* QQ:369046978
*
*/
/////////////////////////////////////////////////////////////////////////
//SSDT.c
#include <ntddk.h>
#include <ntstatus.h>
#include "..\\IOCTL.h"
extern PSSDT KeServiceDescriptorTable;
NTSTATUS SSDTDeviceIoCtl( PDEVICE_OBJECT pDeviceObject, PIRP Irp )
{
NTSTATUS s;
PIO_STACK_LOCATION IrpStack;
PVOID InputBuffer;
PVOID OutputBuffer;
ULONG InputBufferLength;
ULONG OutputBufferLength;
ULONG IoControlCode;
s = Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation( Irp );
InputBuffer = IrpStack->Parameters.DeviceIoControl.Type3InputBuffer;
InputBufferLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
OutputBuffer = Irp->UserBuffer;
OutputBufferLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
///////////////////////////////////////////////
//这里处理分发例程
switch( IoControlCode )
{
//*************************************************
case IOCTL_GETSSDT: //得到SSDT
__try
{
ProbeForWrite( OutputBuffer, sizeof( SSDT ), sizeof( ULONG ) );
RtlCopyMemory( OutputBuffer, KeServiceDescriptorTable, sizeof( SSDT ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
DbgPrint( "SSDT: GetSSDT Completeled!" );
break;
//*************************************************
case IOCTL_SETSSDT: //设置 SSDT
__try
{
ProbeForRead( InputBuffer, sizeof( SSDT ), sizeof( ULONG ) );
//去掉内存保护
__asm
{
cli ;//关中断
mov eax, cr0
and eax, ~0x10000
mov cr0, eax
}
RtlCopyMemory( KeServiceDescriptorTable, InputBuffer, sizeof( SSDT ) );
//开中断,把内存保护加上
__asm
{
mov eax, cr0
or eax, 0x10000
mov cr0, eax
sti ;//开中断
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
DbgPrint( "SSDT: SetSSDT Completeled!" );
break;
//*************************************************
case IOCTL_GETHOOK: //查询SSDT指定地址
__try
{
ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
ProbeForWrite( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
//测试传入的参数是否正确
if( KeServiceDescriptorTable->ulNumberOfServices <= *(PULONG)InputBuffer )
{
s = STATUS_INVALID_PARAMETER;
break;
}
//将结果传到用户输出位置
*((PULONG)OutputBuffer) = *( (PULONG)(KeServiceDescriptorTable->pvSSDTBase) + *(PULONG)InputBuffer );
DbgPrint( "SSDT: GetHookedAddress Completeled!" );
break;
//*************************************************
case IOCTL_SETHOOK: //设置SSDT指定地址
__try
{
ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
ProbeForRead( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
//测试传入的参数是否正确
if( KeServiceDescriptorTable->ulNumberOfServices <= *(PULONG)InputBuffer )
{
s = STATUS_INVALID_PARAMETER;
break;
}
//在此将输出缓冲区当作输入缓冲区来用,输入指定SSDT HOOK的地址值
//去掉内存保护
__asm
{
cli ;//关中断
mov eax, cr0
and eax, ~0x10000
mov cr0, eax
}
*( (PULONG)(KeServiceDescriptorTable->pvSSDTBase) + *(PULONG)InputBuffer ) = *((PULONG)OutputBuffer);
//开中断,把内存保护加上
__asm
{
mov eax, cr0
or eax, 0x10000
mov cr0, eax
sti ;//开中断
}
DbgPrint( "SSDT: SetHookedAddress Completeled!" );
break;
//*************************************************
default:
s = STATUS_INVALID_DEVICE_REQUEST;
DbgPrint( "SSDT: Invalid Parameter Completeled!" );
break;
}
///////////////////////////////////////////////
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return s;
}
void SSDTUnload( PDRIVER_OBJECT pDriverObject )
{
UNICODE_STRING usDosDeviceName;
RtlInitUnicodeString( &usDosDeviceName, DEVICE_NAME );
IoDeleteSymbolicLink( &usDosDeviceName );
IoDeleteDevice( pDriverObject->DeviceObject );
DbgPrint( "SSDT: Unload Success!" );
}
NTSTATUS SSDTCreate( IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp )
{
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest( Irp, IO_NO_INCREMENT );
DbgPrint( "SSDT: Create Success!" );
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject,
PUNICODE_STRING pRegistryPath )
{
PDEVICE_OBJECT pdo = NULL;
NTSTATUS s = STATUS_SUCCESS;
UNICODE_STRING usDriverName, usDosDeviceName;
RtlInitUnicodeString( &usDriverName, DRIVER_NAME );
RtlInitUnicodeString( &usDosDeviceName, DEVICE_NAME );
s = IoCreateDevice( pDriverObject, 0, &usDriverName, \
FILE_DRIVER_SSDT, FILE_DEVICE_SECURE_OPEN, \
FALSE, &pdo );
if( STATUS_SUCCESS == s )
{
pDriverObject->MajorFunction[IRP_MJ_CREATE] = SSDTCreate;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] \
= SSDTDeviceIoCtl;
pDriverObject->DriverUnload = SSDTUnload;
IoCreateSymbolicLink( &usDosDeviceName, &usDriverName );
}
DbgPrint( "SSDT: Load Success!" );
return s;
}
没有合适的资源?快使用搜索试试~ 我知道了~
SSDT查看和恢复工具
共39个文件
h:12个
cpp:8个
ico:2个
4星 · 超过85%的资源 需积分: 47 344 下载量 161 浏览量
2010-07-01
01:00:47
上传
评论
收藏 136KB RAR 举报
温馨提示
SSDT查看和恢复,SSDT查看和恢复,SSDT查看和恢复,SSDT查看和恢复
资源推荐
资源详情
资源评论
收起资源包目录
SSDT.rar (39个子文件)
SSDT
EXE
SSDT.cpp 18KB
SSDT.h 2KB
SSDT查看恢复工具
StdAfx.cpp 218B
resource.h 694B
SSDT查看恢复工具Dlg.h 1KB
SSDT查看恢复工具.cpp 2KB
SSDT查看恢复工具.dsp 4KB
SSDT查看恢复工具Dlg.cpp 8KB
StdAfx.h 1KB
res
SSDT查看恢复工具.rc2 408B
SSDT查看恢复工具.ico 4KB
SSDT查看恢复工具.dsw 557B
SSDT查看恢复工具.rc 5KB
SSDT查看恢复工具.h 1KB
SYS
SSDT.c 5KB
MAKEFILE 267B
SOURCES 70B
SSDT
EXE
SSDT.cpp 18KB
SSDT.h 2KB
SSDT查看恢复工具
StdAfx.cpp 218B
resource.h 694B
SSDT查看恢复工具Dlg.h 1KB
SSDT查看恢复工具.cpp 2KB
SSDT查看恢复工具.dsp 4KB
SSDT查看恢复工具Dlg.cpp 8KB
StdAfx.h 1KB
res
SSDT查看恢复工具.rc2 408B
SSDT查看恢复工具.ico 4KB
SSDT查看恢复工具.dsw 557B
SSDT查看恢复工具.rc 5KB
SSDT查看恢复工具.h 1KB
SYS
SSDT.c 5KB
MAKEFILE 267B
SOURCES 70B
BIN
SSDT查看恢复工具.exe 102KB
SSDT.sys 3KB
IOCTL.h 2KB
BIN
SSDT.sys 3KB
IOCTL.h 2KB
共 39 条
- 1
chinalongship
- 粉丝: 4
- 资源: 2
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功
- 1
- 2
- 3
- 4
前往页