1
2
3 #include "ntddk.h"
4 #include <stdio.h>
5
6
7
/* Win32-style scalar aliases used by the IDT structures below.  The widths are
 * what the x86 (32-bit) inline assembly in this file assumes. */
#define DWORD unsigned long   /* 32 bits: holds a linear address or a full gate offset */
#define WORD unsigned short   /* 16 bits: one half of an address, or a selector */
#define BOOL unsigned long    /* NOTE(review): not the SDK's `int` BOOL; not referenced in this file as shown */
#define BYTE unsigned char    /* 8 bits */
// SIDT stores the current processor's IDTR (16-bit limit followed by the 32-bit
// linear base) into this 6-byte structure.  It describes only the CPU it runs
// on: every processor has its own IDTR, and typically its own IDT as well.
/*
 * Memory image of the IDTR as written by SIDT.  The 32-bit base is split into
 * two 16-bit halves here and recombined with MAKELONG() in HookInterRuput().
 * No packing pragma is needed: three WORDs are naturally contiguous (6 bytes).
 * NOTE(review): "HideIDTBase" is the HIGH half of the base despite the name;
 * it is kept as-is because HookInterRuput() refers to it by this name.
 */
typedef struct
{
    WORD IDTLimit;      /* IDTR limit field */
    WORD LowIDTBase;    /* IDT base, bits 15..0 */
    WORD HideIDTBase;   /* IDT base, bits 31..16 ("Hi") */
} IDTINFO;
19
20
21
22
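/*
 * Combine two 16-bit halves into a 32-bit value: `a` supplies bits 15..0 and
 * `b` bits 31..16.  Used to rebuild the IDT base from an IDTINFO and a handler
 * address from an IDTENTRY's LowOffset/HiOffset pair.
 *
 * Each operand is truncated to WORD before widening so stray upper bits of a
 * wider argument cannot leak into the other half.  The shift and the OR are
 * grouped explicitly instead of relying on `<<` binding tighter than `|`, which
 * is what the previous spelling silently depended on.  Each argument is
 * evaluated exactly once.
 */
#define MAKELONG(a, b) \
    ((LONG)(((DWORD)(WORD)(a)) | (((DWORD)(WORD)(b)) << 16)))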
24
25
26
/* An IDT gate descriptor is exactly 8 bytes.  Byte packing keeps the bit-field
 * byte and the two offset halves at the byte offsets the CPU expects and that
 * the `[ebx]` / `[ebx+6]` stores in HookInterRuput() assume (0 and 6). */
#pragma pack(1)



/*
 * One 32-bit IDT gate descriptor (8 bytes).  The handler address is split
 * across LowOffset (bits 15..0, byte offset 0) and HiOffset (bits 31..16,
 * byte offset 6); HookInterRuput() overwrites exactly those two fields and
 * leaves the selector, DPL and P bits untouched.
 */
typedef struct
{
    WORD LowOffset;                 /* handler address, bits 15..0 */
    WORD selector;                  /* code segment selector for the handler (not modified here) */
    BYTE unused_lo;                 /* byte 4 */
    unsigned char unusaed_hi : 5;   /* NOTE(review): despite the name these 5 bits carry the gate type/S bits on x86 — verify against the SDM; never written here */
    unsigned char DPL : 2;          /* descriptor privilege level */
    unsigned char P : 1;            /* present bit */
    WORD HiOffset;                  /* handler address, bits 31..16 */
} IDTENTRY;



#pragma pack()
46
47
48
49
/* Address of the handler that was in IDT[IDT_SYSTEM_SERVICE] before the hook.
 * Written once by HookInterRuput(); MyKisystemService() tail-jumps through it
 * on every INT 0x2E, so a bad value here takes the machine down. */
DWORD KiRealSystemServicISR_Ptr;

/* Vector that gets patched.  The author's naming identifies 0x2E as the
 * system-service (KiSystemService) gate of 32-bit Windows. */
#define IDT_SYSTEM_SERVICE 0x2E
52
53
54
55
56 //
/*
 * Trampoline installed in IDT[IDT_SYSTEM_SERVICE] by HookInterRuput().
 *
 * Naked: the compiler emits no prologue or epilogue, so only the instructions
 * written here execute.  Everything the body touches (all GPRs via pushad,
 * EFLAGS, FS, DX, ES) is saved and then restored in reverse order, after which
 * control tail-jumps to the saved original handler so the real dispatcher sees
 * the interrupt frame exactly as the CPU built it.
 *
 * The hook body between `push es` and `Finish:` is empty: this is a
 * pass-through skeleton, and any inspection or filtering logic belongs there.
 *
 * NOTE(review): the function has no declared return type (implicit int); it
 * never returns through `ret`, but it should still be declared `void`.
 * NOTE(review): KdBreakPoint() runs on every INT 0x2E on builds where it
 * expands to a real breakpoint — only tolerable with a kernel debugger
 * attached.  It also executes before the registers are saved, so it relies on
 * the breakpoint routine preserving all state.
 * NOTE(review): 0x30 is presumably the kernel's FS/KPCR selector — confirm for
 * the target build.  `jmp KiRealSystemServicISR_Ptr` is relied upon to
 * assemble as an indirect jump through the variable, not a jump to its address.
 */
_declspec(naked) MyKisystemService ()
{
    KdBreakPoint();
    __asm
    {
        pushad                          ; save all general-purpose registers (EBX is clobbered below)
        pushfd                          ; save EFLAGS
        push fs
        mov bx,0x30                     ; load kernel FS selector (see note above)
        mov fs,bx
        push dx
        push es
    Finish:                             ; hook body would sit between push es and here
        pop es
        pop dx
        pop fs
        popfd
        popad

        jmp KiRealSystemServicISR_Ptr ; ; chain to the original INT 0x2E handler
    }



}
82
83
84
85
86
87
88
89
90
91
92
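/*
 * Redirect IDT vector IDT_SYSTEM_SERVICE (0x2E) on the current processor to
 * MyKisystemService(), saving the previous handler address in
 * KiRealSystemServicISR_Ptr so the trampoline can chain to it.
 *
 * Returns 1 (there is no failure path; DriverEntry ignores the value).
 *
 * How it works: SIDT dumps this CPU's IDTR into Idt_info; the 32-bit base is
 * rebuilt with MAKELONG(), entry 0x2E is located, and its LowOffset/HiOffset
 * halves (byte offsets 0 and 6, see IDTENTRY) are overwritten with the address
 * of MyKisystemService.
 *
 * Changes from the original:
 *  - Idt_Entry is cast to IDTENTRY* (it was cast to IDTINFO* and assigned to an
 *    IDTENTRY*; the value was right but the types did not match).
 *  - The caller's interrupt flag is preserved with pushfd/popfd around the
 *    patch instead of an unconditional `sti`, which would re-enable interrupts
 *    even if the caller had them disabled.
 *  - Idempotence guard: if the gate already points at MyKisystemService nothing
 *    is written.  A second install would otherwise overwrite
 *    KiRealSystemServicISR_Ptr with the trampoline's own address, and the
 *    trampoline's `jmp` would then loop on itself forever.
 *
 * NOTE(review): SIDT reports the IDTR of whichever processor this runs on.  If
 * each processor has its own IDT (as MP Windows x86 is understood to do), only
 * that processor's gate is hooked — confirm, and run this on every CPU if the
 * hook is meant to be system-wide.
 */
int HookInterRuput()
{
    IDTINFO Idt_info;
    IDTENTRY *Idt_Entry;
    IDTENTRY *Idt2_Entry;
    DWORD CurrentHandler;

    KdBreakPoint();   /* debug aid: stops in the kernel debugger when one is attached */

    __asm
    {
        sidt Idt_info           ; store this CPU's IDTR (limit + base) into Idt_info
    }

    /* Rebuild the 32-bit IDT base from its two 16-bit halves and index the gate. */
    Idt_Entry = (IDTENTRY *) MAKELONG(Idt_info.LowIDTBase, Idt_info.HideIDTBase);
    Idt2_Entry = &Idt_Entry[IDT_SYSTEM_SERVICE];

    /* Handler currently installed for INT 0x2E; this is what the trampoline chains to. */
    CurrentHandler = MAKELONG(Idt2_Entry->LowOffset, Idt2_Entry->HiOffset);
    if (CurrentHandler == (DWORD) MyKisystemService)
    {
        /* Already hooked: keep the genuine original handler we saved last time. */
        return 1;
    }
    KiRealSystemServicISR_Ptr = CurrentHandler;

    __asm
    {
        pushfd                          ; remember the caller's IF
        cli                             ; no interrupts while the gate is half-written
        lea eax, MyKisystemService      ; address of the trampoline
        mov ebx, Idt2_Entry
        mov [ebx], ax                   ; LowOffset (byte offset 0)
        shr eax, 16
        mov [ebx+6], ax                 ; HiOffset  (byte offset 6)
        popfd                           ; restore IF exactly as it was
    }

    return 1;
}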
138
139
140
141
/*
 * UnLoadDrivice: intended DriverUnload routine that would restore the original
 * INT 0x2E gate.  It is disabled (DriverEntry never assigns it) and, as written,
 * neither compiles nor would work:
 *   - Idt_Entry / Idt2_Entry are declared IDTINFO* but must be IDTENTRY*;
 *   - `*Idt2_Entry = KiRealSystemServicISR_Ptr;` assigns a DWORD to a struct —
 *     the LowOffset/HiOffset halves have to be written separately, with
 *     interrupts disabled, the way HookInterRuput() installs them;
 *   - the MAKELONG line lacks its terminating `;`, and NTSTATUS_SUCCESS is not
 *     defined (STATUS_SUCCESS is the kernel constant).
 * Presumably a driver with no DriverUnload cannot be unloaded, which is what
 * keeps the patched gate from ending up pointing at freed memory.
 *
NTSTATUS UnLoadDrivice ()
{
    IDTINFO Idt_info;
    IDTINFO * Idt_Entry;
    IDTINFO * Idt2_Entry;
    _asm
    {
        sidt Idt_info ; // store this CPU's IDTR
    }



    Idt_Entry = (IDTINFO*) MAKELONG (Idt_info.LowIDTBase,Idt_info.HideIDTBase)
    Idt2_Entry = &(Idt_Entry[IDT_SYSTEM_SERVICE]) ;
    *Idt2_Entry = KiRealSystemServicISR_Ptr ;
    return NTSTATUS_SUCCESS ;
} */
159
160
161
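/*
 * Driver entry point: installs the INT 0x2E hook and returns.
 *
 * driver   - the DRIVER_OBJECT.  No DriverUnload routine is registered (the
 *            UnLoadDrivice attempt above is commented out), so the driver stays
 *            resident and the hooked gate never points at an unloaded image.
 * reg_path - registry service key; unused.
 *
 * Returns STATUS_SUCCESS unconditionally: HookInterRuput() has no failure path
 * to report.
 *
 * Changes from the original: the unused parameters are explicitly voided so
 * the build is warning-clean, and the stale `OBJ->DriverUnload` comment (which
 * named a variable that does not exist) is replaced by the note below.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    (void) driver;
    (void) reg_path;

    HookInterRuput();

    /* DriverUnload is intentionally left NULL: unhooking is not implemented,
     * and unloading with a live IDT hook would leave the gate pointing into
     * freed memory. */

    return STATUS_SUCCESS;
}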
174
175 /