
[原创]SSDT Hook ZwSetSystemInformation 防止驱动加载

[原创]SSDT Hook ZwSetSystemInformation 防止驱动加载

文章作者:Eros412
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

简介:卡巴封了 ZwSetSystemInformation的driver入口,我们也来封。
#include<ntddk.h>
#include <stdio.h>
#include <stdlib.h>

/* Address of the SSDT slot this driver patches; computed in DriverEntry and DriverUnload. */
ULONG krnladdr;
/* Original value of that slot, saved in DriverEntry and written back in DriverUnload. */
ULONG origaddr;

/* Scratch buffer for the narrowed module path printed by jmpprocaddr.
 * NOTE(review): file-scope and shared by every caller of the hook, so concurrent
 * calls race on its contents. */
char buf[255]={0};
/* SystemInformationClass value that jmpprocaddr intercepts and refuses. */
#define SystemLoadAndCallImage 38
#pragma pack(1)
/* Layout assumed for the table exported as KeServiceDescriptorTable; packed so the
 * field offsets line up with the kernel's structure — TODO confirm for the target build. */
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;        /* service routine addresses, indexed by service number (see DriverEntry) */
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} SDT, *PSDT;
#pragma pack()
extern PSDT KeServiceDescriptorTable;

/* Information buffer that accompanies class SystemLoadAndCallImage: the path of
 * the image to be loaded. */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
  UNICODE_STRING ModuleName;   /* per the UNICODE_STRING definition, Length is a byte count, not a character count */
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
/* Most recent buffer seen by the hook; written in jmpprocaddr, not read anywhere else in this file. */
PSYSTEM_LOAD_AND_CALL_IMAGE newimage;

/* Signature of ZwSetSystemInformation: (SystemInformationClass, buffer, buffer length). */
typedef NTSTATUS (*ZWSETSYSTEMINFORMATION)(
                     ULONG,PVOID,ULONG
);

/* Original entry point captured in DriverEntry; jmpprocaddr forwards non-intercepted calls to it. */
ZWSETSYSTEMINFORMATION OrigSetSystemInformation;
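/* Replacement for the ZwSetSystemInformation SSDT entry.
 *
 * Calls with class SystemLoadAndCallImage are logged and refused with
 * STATUS_ACCESS_DENIED; every other class is forwarded to the saved original
 * and its status is returned unchanged.  (The previous version returned 0 in
 * both cases, which told callers that a refused load had succeeded and hid
 * failures of the forwarded call.)
 *
 * number - SystemInformationClass
 * image  - caller-supplied information buffer
 * dword  - length of that buffer (passed through untouched)
 *
 * NOTE(review): image is dereferenced here before the genuine routine gets to
 * validate it, and buf/newimage are file-scope state shared by concurrent
 * callers.  Both exposures pre-date this edit, which only narrows them. */
NTSTATUS jmpprocaddr(ULONG number, PVOID image, ULONG dword)
{
  if (number == SystemLoadAndCallImage) {
    size_t limit;    /* characters that fit in buf, capped by ModuleName.Length */
    size_t written;

    DbgPrint("Warning!Rootkit is trying to load");
    newimage = (PSYSTEM_LOAD_AND_CALL_IMAGE)image;
    if (newimage == NULL || newimage->ModuleName.Buffer == NULL) {
      return STATUS_ACCESS_DENIED;
    }

    /* ModuleName.Length is a byte count, so the old call handed wcstombs twice the
     * character count as its limit and could write past the 255-byte buf.  Bound
     * the conversion by both the string and the destination, leaving room for the
     * terminator; this also keeps reads within the (not necessarily NUL-terminated)
     * UNICODE_STRING buffer, since every converted character emits at least one byte. */
    limit = newimage->ModuleName.Length / sizeof(*newimage->ModuleName.Buffer);
    if (limit > sizeof(buf) - 1) {
      limit = sizeof(buf) - 1;
    }
    written = wcstombs(buf, newimage->ModuleName.Buffer, limit);
    if (written == (size_t)-1) {
      written = 0;   /* unconvertible character: log an empty path rather than garbage */
    }
    buf[written] = '\0';   /* wcstombs does not terminate when it stops at the limit */
    DbgPrint("Path:%s", buf);   /* show the path of the refused image */

    return STATUS_ACCESS_DENIED;
  }

  /* Not the class we filter: let the real routine decide and report its status. */
  return OrigSetSystemInformation(number, image, dword);
}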

/* Unload routine: deletes the device object if one exists (this file never
 * creates one, so the check is normally false) and writes origaddr back into the
 * ZwSetSystemInformation SSDT slot.
 *
 * NOTE(review): the slot is restored unconditionally — if anything else hooked
 * it after DriverEntry ran, that hook is silently removed as well.  Nothing waits
 * for in-flight calls that are still executing jmpprocaddr, which is about to be
 * unmapped; that is a pre-existing gap in this unload path. */
VOID
DriverUnload(
  IN PDRIVER_OBJECT DriverObject
  ){

  if(DriverObject->DeviceObject !=NULL)
    IoDeleteDevice(DriverObject->DeviceObject);

  DbgPrint("Bye bye");

/* Same slot DriverEntry patched: service number 0xF0, 4-byte table entries. */
krnladdr =(ULONG)KeServiceDescriptorTable->ServiceTableBase+0xF0*4;

    __asm
   {
      push eax
      mov eax, CR0
      and eax, 0FFFEFFFFh // clear CR0.WP so the read-only SSDT page can be written
      mov CR0, eax
     pop eax
   }

/* Put the saved original entry back.
 * NOTE(review): CR0 is per-processor state and nothing here prevents a context
 * switch between clearing WP and this store — TODO confirm the IRQL this runs at. */
*(ULONG*)krnladdr = (ULONG)origaddr;

__asm
   {
      push eax
      mov eax, CR0
      or eax, NOT 0FFFEFFFFh // set CR0.WP again (NOT 0FFFEFFFFh == 00010000h)
      mov CR0, eax
      pop eax
   }

}

/* NOTE(review): not referenced anywhere in this file; looks like a leftover. */
ULONG Address;
/* Driver entry point: registers DriverUnload, saves the current contents of the
 * ZwSetSystemInformation SSDT slot and overwrites the slot with jmpprocaddr.
 * Returns 0 (STATUS_SUCCESS) unconditionally; RegistryPath is unused.
 *
 * NOTE(review): nothing verifies that the slot still holds the genuine
 * ZwSetSystemInformation before it is captured — if another component already
 * hooked it, that hook becomes the "original" that is forwarded to and restored. */
NTSTATUS
DriverEntry(
  IN PDRIVER_OBJECT DriverObject,
  IN PUNICODE_STRING RegistryPath
  ){

DriverObject->DriverUnload=DriverUnload;
/* 0xF0 is the service number of ZwSetSystemInformation (per the author); the table
 * holds 4-byte entries, so the byte offset is index*4.
 * NOTE(review): the index is hard-coded, but SSDT indices differ between Windows
 * builds — confirm it matches the target build before loading this driver. */
krnladdr =(ULONG)KeServiceDescriptorTable->ServiceTableBase+0xF0*4;

/* Remember the current entry so DriverUnload can restore it. */
origaddr=*(ULONG*)krnladdr;

/* Same value, typed as a function pointer for the forwarding call in jmpprocaddr. */
OrigSetSystemInformation=(ZWSETSYSTEMINFORMATION )*(ULONG*)krnladdr;

DbgPrint("Address:%.8X\t ZwSetSystemInformation:%.8X",krnladdr,*(ULONG*)krnladdr);

DbgPrint("Address to be changed:0x%08X",(ULONG)jmpprocaddr);

  __asm
   {
      push eax
      mov eax, CR0
      and eax, 0FFFEFFFFh // clear CR0.WP: make the read-only SSDT page writable
      mov CR0, eax
     pop eax
   }

/* Install the hook.
 * NOTE(review): CR0 is per-processor state and nothing here prevents a context
 * switch between clearing WP and this store — TODO confirm the IRQL this runs at. */
*(ULONG*)krnladdr = (ULONG)jmpprocaddr;

__asm
   {
      push eax
      mov eax, CR0
      or eax, NOT 0FFFEFFFFh // set CR0.WP again (NOT 0FFFEFFFFh == 00010000h)
      mov CR0, eax
      pop eax
   }

  return 0;
}

File size: 2127 bytes
MD5: 1024154abecb3a1a00dd1d9b6cf52cfe
SHA1: fcef298926abc146a23117d668e8d37a37612ad8

附件

sss.rar (1 KB)

2007-12-3 01:14, 下载次数: 124

驱动程序
