#include <devioctl.h>
#define IOCTL_SETPROC (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x852, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA )
NTSTATUS DisPatchCreateClose(PDEVICE_OBJECT pDriverObj,PIRP pIrp);
NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP pIrp);
void DriverUnload(PDRIVER_OBJECT pDriverObj);
typedef struct _tagSSDT {
PVOID pvSSDTBase;
PVOID pvServiceCounterTable;
ULONG ulNumberOfServices;
PVOID pvParamTableBase;
} SSDT, *PSSDT;
UNICODE_STRING DerName,DerName2;
PDEVICE_OBJECT pDevObj;
extern PSSDT KeServiceDescriptorTable;
//StartService时调用
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
NTSTATUS status=STATUS_SUCCESS;
ULONG i;
for(i= 0;i<IRP_MJ_MAXIMUM_FUNCTION;++i)
theDriverObject->MajorFunction = DisPatchCreateClose;
theDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DispatchDeviceControl;
theDriverObject->DriverUnload=DriverUnload;
RtlInitUnicodeString(&DerName,L"[url=file://device//RESSDT]//Device//RESSDT[/url]");
status=IoCreateDevice(theDriverObject,0,&DerName,FILE_DEVICE_UNKNOWN,0,FALSE,&pDevObj);
if(!NT_SUCCESS(status))
{
DbgPrint("IoCreateDevice Fail!");
return status;
}
RtlInitUnicodeString(&DerName2,L"[url=file:///??//RESSDTDOS]//??//RESSDTDOS[/url]");
status=IoCreateSymbolicLink(&DerName2,&DerName);
if(!NT_SUCCESS(status))
DbgPrint("IoCreateSymbolicLink fail!");
return status;
}
NTSTATUS DisPatchCreateClose(PDEVICE_OBJECT pDriverObj,PIRP pIrp)
{
DbgPrint("DisPatchCreate!");
pIrp->IoStatus.Status=STATUS_SUCCESS;
IoCompleteRequest(pIrp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
//服务停止时执行
void DriverUnload(PDRIVER_OBJECT pDriverObj)
{
if(IoDeleteSymbolicLink(&DerName2)!=STATUS_SUCCESS)
DbgPrint("DeleteSymbolicLink Fail!");
IoDeleteDevice(pDriverObj->DeviceObject);
}
//DeviceIoControl 时执行
NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP pIrp)
{
NTSTATUS status=STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpStack=IoGetCurrentIrpStackLocation(pIrp);
ULONG uIoControlCode=pIrpStack->Parameters.DeviceIoControl.IoControlCode;
PVOID pInputBuffer= pIrpStack->Parameters.DeviceIoControl.Type3InputBuffer;
PVOID pOutputBuffer=pIrp->UserBuffer;
ULONG uInsize=pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
ULONG uOutsize=pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
//DbgPrint("DispatchDeviceControl Code:%X",uIoControlCode);
switch(uIoControlCode)
{
case IOCTL_SETPROC:
{
ULONG uIndex = 0;
PULONG pBase = NULL;
__try
{
ProbeForRead( pInputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
ProbeForWrite( pOutputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
status= GetExceptionCode();
break;
}
uIndex = *(PULONG)pInputBuffer;
if ( KeServiceDescriptorTable->ulNumberOfServices <= uIndex )
{
status= STATUS_INVALID_PARAMETER;
break;
}
pBase = KeServiceDescriptorTable->pvSSDTBase;
DbgPrint("0x%x 0x%x",uIndex,*((PULONG)pOutputBuffer));
__asm
{//关中断
cli
mov eax,cr0
and eax,~0x10000
mov cr0,eax
}
*( pBase + uIndex )=*((PULONG)pOutputBuffer);
__asm
{//开中断
mov eax,cr0
or eax,0x10000
mov cr0,eax
sti
}
status=STATUS_SUCCESS;
}
break;
default:
break;
}
if(status==STATUS_SUCCESS)
pIrp->IoStatus.Information=uOutsize;
else
pIrp->IoStatus.Information=0;
pIrp->IoStatus.Status=status;
IoCompleteRequest(pIrp,IO_NO_INCREMENT);
return status;
}
下面就是EXE的程序,由于程序稍微有点长并且部分从Root.com的拷贝,所以这里就不贴了,完整的sys+exe源程序可以在附件中下载。
声明:请勿将代码和程序用于非法目的!
附件: RESSDT.rar