Hooking NtReadFile to implement driver/application communication
**Test environment: Windows XP SP3**
**Essence: inline-hook NtReadFile and inspect its parameters to decide whether a call carries our own secret signal**
**Ring3 (application) code:**
```
#include "stdio.h"
#include "windows.h"

int main(void) {
    // Buffer the driver fills in (array size is an assumption; the subscript was lost in extraction)
    char buf[256] = {0};
    DWORD bytesRead = 0;
    // The "secret signal": a FileHandle of -1. The hooked NtReadFile recognises it and
    // writes its reply into buf; Length 0 means no real read is attempted.
    ReadFile((HANDLE)-1, buf, 0, &bytesRead, NULL);
    printf("%s", buf);   // "Hello World!\n" once the driver is loaded
    getchar();
    return 0;
}
```
**Ring0 (driver) header file**
```
#pragma once
#include "ntifs.h"

// Prototype of the original NtReadFile. NTAPI (__stdcall) matters: the hook
// jumps straight into MyNtReadFile, so it must clean up the stack the same way.
typedef NTSTATUS (NTAPI *p)(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID Buffer,
    ULONG Length,
    PLARGE_INTEGER ByteOffset,
    PULONG Key
);
// Return the address of NtReadFile (looked up through the SSDT)
unsigned int GetNtReadFileAddr();
// Restore the original bytes (unhook)
void cancel();
// Overwrite the prologue with a jmp to our own function (hook)
void Modify();
// Copy of the original bytes at NtReadFile
extern UCHAR buf[10];
```
**Ring0 (driver) main function**
```
#include "Tools.h"

VOID DriverUnload(PDRIVER_OBJECT driver) {
    UNREFERENCED_PARAMETER(driver);
    cancel();   // unhook before the driver image goes away
    DbgPrint("first:Our driver is unloading!!\r\n");
}

extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("first : hello ,load server!!\n");
    DbgPrint("NtReadFile:%x\n", GetNtReadFileAddr());
    // Save the original bytes so cancel() can put them back
    for (size_t i = 0; i < 10; i++) {
        buf[i] = *(unsigned char*)(GetNtReadFileAddr() + i);
    }
    Modify();
    return STATUS_SUCCESS;
}
```
**Ring0 (driver) implementation**
```
#include "Tools.h"
#include <string.h>

UCHAR buf[10] = { 0 };

// Walk KPCR -> current KTHREAD -> ServiceTable and read SSDT entry 0xb7 (NtReadFile on XP)
unsigned int GetNtReadFileAddr() {
    unsigned int* SericeTable;
    _asm {
        mov eax, fs:[124h]      ; KPCR.PrcbData.CurrentThread (XP SP3 offset)
        mov eax, [eax + 0e0h]   ; KTHREAD.ServiceTable (XP SP3 offset)
        mov SericeTable, eax
    }
    // First field of the descriptor table is KiServiceTable; index 0xb7 is NtReadFile
    return *(unsigned int*)(*SericeTable + 0xb7 * 4);
}

NTSTATUS NTAPI MyNtReadFile(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID Buffer,
    ULONG Length,
    PLARGE_INTEGER ByteOffset,
    PULONG Key
) {
    // Our secret signal: user mode passes a FileHandle of -1
    if (-1 == (unsigned int)FileHandle) {
        if (NULL != Buffer) {
            LPSTR str = (LPSTR)Buffer;
            // Writes into the caller's buffer without ProbeForWrite or a Length check;
            // kept as in the original, but this is an unchecked kernel write to a user pointer
            strcpy(str, "Hello World!\n");
        }
        DbgPrint("成功捕捉!\n");
    }
    p NtReadFile = (p)GetNtReadFileAddr();
    // No trampoline: unhook, call the original, re-hook. A call arriving on another
    // CPU in that window runs the original unhooked.
    cancel();
    NTSTATUS ret = NtReadFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);
    Modify();
    return ret;
}

void Modify() {
    unsigned int NtReadFile = GetNtReadFileAddr();
    // E9 rel32: jmp MyNtReadFile. The displacement is relative to the end of the 5-byte instruction.
    *(UCHAR*)NtReadFile = 0xe9;
    *(unsigned int*)(NtReadFile + 1) = (unsigned int)&MyNtReadFile - NtReadFile - 5;
}

void cancel() {
    for (size_t i = 0; i < 10; i++) {
        *(unsigned char*)(GetNtReadFileAddr() + i) = buf[i];
    }
}
```
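As an added example (not code from the original post), here is a small host-side C model of the patch Modify() writes and of the inverse check a defender runs over a snapshot of NtReadFile's first bytes: it encodes the E9 rel32 with the same `target - address - 5` arithmetic, decodes a captured prologue back to its jump target (forward and backward jumps alike), and flags a jump that leaves the kernel image. Addresses, module bounds and prologue bytes are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not code from the original post: models the 5-byte
 * "jmp rel32" that Modify() writes over NtReadFile and the reverse
 * operation a defender performs on a memory snapshot. All addresses
 * and byte strings below are constructed sample values. */

#define JMP_OPCODE 0xE9
#define JMP_LEN    5

/* Encode "jmp dst" at address src: rel32 = dst - (src + 5), the same
 * arithmetic as Modify(); unsigned wrap-around gives the right negative
 * displacement for a backward jump. The immediate is little-endian. */
void encode_jmp_rel32(uint32_t src, uint32_t dst, uint8_t out[JMP_LEN]) {
    uint32_t rel = dst - (src + JMP_LEN);
    out[0] = JMP_OPCODE;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Decode a prologue snapshot: returns 1 and the jump destination if the
 * bytes start with an E9 jmp, 0 otherwise (clean prologue or too short). */
int decode_jmp_rel32(uint32_t src, const uint8_t *code, size_t len, uint32_t *dst) {
    if (len < JMP_LEN || code[0] != JMP_OPCODE) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)code[1 + i] << (8 * i);
    *dst = src + JMP_LEN + rel;   /* wraps modulo 2^32 like the CPU */
    return 1;
}

/* Detection rule: an export whose first instruction jumps outside its own
 * module image is inline-hooked. Returns 1 if hooked, 0 if clean. */
int jmp_leaves_module(uint32_t src, const uint8_t *code, size_t len,
                      uint32_t mod_base, uint32_t mod_size) {
    uint32_t dst;
    if (!decode_jmp_rel32(src, code, len, &dst)) return 0;
    return dst < mod_base || dst - mod_base >= mod_size;
}

/* Constructed snapshots of NtReadFile's first bytes: the usual XP
 * "mov edi,edi; push ebp; mov ebp,esp" prologue, and the same location
 * after a hook to a sample driver address 0xF8A01000. */
static const uint32_t kNtReadFile      = 0x8057A000u;
static const uint8_t  kClean[JMP_LEN]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
static const uint8_t  kHooked[JMP_LEN] = {0xE9, 0xFB, 0x6F, 0x48, 0x78};
```

Running decode_jmp_rel32 over kHooked recovers 0xF8A01000, and the same bytes fail jmp_leaves_module for a sample ntoskrnl range, which is the check a memory-integrity scanner applies to every SSDT target.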
Chaozzz posted on 2021-9-22 16:31:
> Your work is really interesting; looking forward to the next update. It would be even better if you could share a project for a newbie (me) to learn from.

These were all learned from 滴水.

yunruifuzhu posted on 2021-9-18 09:07:
> Driver programming... how do I set up the environment? I'm stuck at the very first step.

You have to install both the SDK and the WDK; if you need to build XP drivers, the VS version must be no newer than VS2017.

Driver programming, impressive, bro.

Works well, powerful, thanks for sharing!

小木曾雪菜 posted on 2021-9-18 11:16:
> Why still use XP?

Still at the learning stage.

寒雪冰熊 posted on 2021-9-18 17:05:
> Nice approach, but XP is a bit dated. You could try Win7 x64.

Still at the learning stage; once I've finished learning, I'll move on to a newer system version.