Tesla.Angela 发表于 2010-3-6 21:18:53

[转载]驱动级文件占坑

本帖最后由 HoviDelphic 于 2010-3-7 01:12 编辑

核心源码来自互联网,能让PxNxxx和IxxLxxxx无法正常工作。

BanCrtPT.c

#include "BanCrtPT.h"   
#include "dbghelp.h"
#include <windef.h>

/*
 * Forward declarations for the entry/unload routines and the three IRP
 * dispatch routines defined below. DispatchCreate/DispatchClose accept every
 * request; DispatchIoctl understands only IOCTL_StartOF / IOCTL_EndOF
 * (declared in BanCrtPT.h).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObject, PUNICODE_STRING pRegString);
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObject, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObject, PIRP pIrp);
VOID DriverUnload(PDRIVER_OBJECT pDrvObject);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObject, PIRP pIrp);

HANDLE FileHandle;

/*
 * Opens a hard-coded kernel image path with GENERIC_READ and ShareAccess 0
 * (no sharing) and parks the resulting kernel handle in the global
 * FileHandle. While that handle is open, other opens of the same file that
 * need read/write/delete sharing fail with a sharing violation. The handle is
 * released by IOCTL_EndOF (DispatchIoctl); the ZwClose in DriverUnload is
 * commented out.
 *
 * Review notes:
 *  - The path is fixed (the original poster notes this below as well); the
 *    file is not checked for existence first.
 *  - FILE_OPEN_IF creates the file when it does not exist. For "hold an
 *    existing file open" FILE_OPEN is the non-creating disposition.
 *  - Whatever is already in FileHandle is overwritten without being closed,
 *    so a second IOCTL_StartOF leaks the previous handle.
 *  - Failure is only DbgPrint'ed; the function returns VOID, so the caller
 *    (DispatchIoctl) cannot tell that the open failed.
 *  - NTSTATUS is formatted with %d; 0x%08X is the conventional format.
 *  - OBJ_KERNEL_HANDLE puts the handle in the system handle table rather
 *    than in the table of the process whose IOCTL triggered the open.
 *
 * Side effects: writes FileHandle; DbgPrint output. No return value.
 */
VOID OccupyFileTest()
{
    NTSTATUS ntStatus;
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING UniFileName;
    IO_STATUS_BLOCK IoStatusBlock;
    /* Hard-coded NT-namespace path; "\??\" is the per-session DOS-device
     * prefix, so this resolves C: for the calling context. */
    PCWSTR FileName = L"\\??\\C:\\WINDOWS\\system32\\ntkrnlpa.exe";
    RtlInitUnicodeString(&UniFileName , FileName);
    InitializeObjectAttributes(&ObjectAttributes,&UniFileName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
    /* Parameters in order: DesiredAccess=GENERIC_READ, AllocationSize=0,
     * FileAttributes=FILE_ATTRIBUTE_NORMAL, ShareAccess=0 (exclusive),
     * CreateDisposition=FILE_OPEN_IF, CreateOptions=FILE_NON_DIRECTORY_FILE,
     * EaBuffer=NULL, EaLength=0. Must run at PASSIVE_LEVEL. */
    ntStatus=ZwCreateFile(&FileHandle,GENERIC_READ,&ObjectAttributes,&IoStatusBlock,0,FILE_ATTRIBUTE_NORMAL,0,FILE_OPEN_IF,FILE_NON_DIRECTORY_FILE,NULL,0);
    if(!NT_SUCCESS(ntStatus))
    {
      /* Status is printed as a signed decimal; it is not propagated. */
      DbgPrint(" = %d", ntStatus);
    }
    else
    {
      DbgPrint(" Success.");
    }
}

/*
 * Driver entry point: installs the dispatch table and unload routine,
 * creates the control device (DEVICE_NAME) and its user-visible symbolic
 * link (LINK_NAME). Returns STATUS_SUCCESS, or the failing status from
 * IoCreateDevice / IoCreateSymbolicLink after undoing what was created.
 *
 * Review notes:
 *  - pRegString->Buffer is printed with %S. A UNICODE_STRING buffer is not
 *    guaranteed to be NUL-terminated; %wZ with the UNICODE_STRING itself is
 *    the safe format here.
 *  - IoCreateDevice is called without a security descriptor, so who may open
 *    \DosDevices\OccupyFile is whatever the default for a named
 *    FILE_DEVICE_UNKNOWN device grants. IoCreateDeviceSecure with an SDDL
 *    string is the documented way to state an explicit DACL; combined with
 *    FILE_ANY_ACCESS on the IOCTLs (BanCrtPT.h) this is worth confirming.
 *  - The MajorFunction assignments below are missing their array index as
 *    shown on this page; this looks like extraction loss (the usual form
 *    indexes IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_DEVICE_CONTROL). As
 *    printed the three lines do not compile.
 *  - The trailing `return STATUS_SUCCESS` is equivalent to `return status`
 *    at that point.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObject, PUNICODE_STRING pRegString)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ustrLinkName;
    UNICODE_STRING ustrDevName;   
    PDEVICE_OBJECT pDevObject;
    // NOTE(review): %S on a UNICODE_STRING buffer assumes NUL termination.
    dprintf(" DriverEntry: %S\n",pRegString->Buffer);
    // NOTE(review): array index missing on the next three lines (see header).
    pDrvObject->MajorFunction = DispatchCreate;
    pDrvObject->MajorFunction = DispatchClose;
    pDrvObject->MajorFunction = DispatchIoctl;
    pDrvObject->DriverUnload = DriverUnload;
    // Device name is a compile-time literal, so the buffer is NUL-terminated.
    RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
    // No device extension (0), not exclusive (FALSE), no explicit DACL.
    status = IoCreateDevice(pDrvObject,
      0,
      &ustrDevName,
      FILE_DEVICE_UNKNOWN,
      0,
      FALSE,
      &pDevObject);
    // Printed before the status check; harmless because the name is ours.
    dprintf(" Device Name %S",ustrDevName.Buffer);
   
    if(!NT_SUCCESS(status))
    {
      dprintf(" IoCreateDevice = 0x%x\n", status);
      return status;
    }
    //
    RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
    // On failure the device created above is torn down before returning.
    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if(!NT_SUCCESS(status))
    {
      dprintf(" IoCreateSymbolicLink = 0x%x\n", status);
      IoDeleteDevice(pDevObject);
      return status;
    }
    dprintf(" SymbolicLink:%S",ustrLinkName.Buffer);
    // Opening the file at load time is disabled; it is driven by IOCTL instead.
    //OccupyFileTest();
    return STATUS_SUCCESS;
}


/*
 * Unload routine: removes the symbolic link and the single device object
 * created in DriverEntry (pDrvObject->DeviceObject is the head of the
 * driver's device list; there is only one).
 *
 * Review note: the ZwClose of FileHandle is commented out, so a handle
 * opened via IOCTL_StartOF and not released via IOCTL_EndOF is leaked when
 * the driver unloads; as a kernel handle it is not tied to any process and
 * would stay open. Closing it here (guarded by a NULL check) is the natural
 * place for that cleanup.
 */
VOID DriverUnload(PDRIVER_OBJECT pDrvObject)
{   
    UNICODE_STRING strLink;
    RtlInitUnicodeString(&strLink, LINK_NAME);
    IoDeleteSymbolicLink(&strLink);
    IoDeleteDevice(pDrvObject->DeviceObject);
    // NOTE(review): held file handle is not released on unload.
    //ZwClose(FileHandle);
    dprintf(" Unloaded\n");
}

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObject, PIRP pIrp)
{
    /* IRP_MJ_CREATE: every open of the control device is accepted; no
     * per-handle state is kept, so nothing is recorded here. */
    NTSTATUS result = STATUS_SUCCESS;

    (void)pDevObject;             /* single device, nothing to look up */
    dprintf(" IRP_MJ_CREATE\n");

    /* Complete with the status and a zero byte count. */
    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return result;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObject, PIRP pIrp)
{
    /* IRP_MJ_CLOSE: mirrors DispatchCreate. Closing the device handle does
     * not touch the held file handle; that is IOCTL_EndOF's job. */
    NTSTATUS result = STATUS_SUCCESS;

    (void)pDevObject;             /* single device, nothing to look up */
    dprintf(" IRP_MJ_CLOSE\n");

    /* Complete with the status and a zero byte count. */
    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return result;
}

/*
 * IRP_MJ_DEVICE_CONTROL handler. Two METHOD_BUFFERED codes are accepted:
 *   IOCTL_StartOF - call OccupyFileTest (open and hold the file);
 *   IOCTL_EndOF   - ZwClose the global FileHandle.
 * Any other code completes with STATUS_INVALID_DEVICE_REQUEST. Returns the
 * same status that is stored in the IRP.
 *
 * Review notes (none of these are addressed by the code as written):
 *  - IOCTL_StartOF always reports STATUS_SUCCESS because OccupyFileTest is
 *    VOID and only DbgPrint's its failure; user mode cannot tell whether the
 *    file was actually opened.
 *  - IOCTL_EndOF closes FileHandle without checking that one is open and
 *    never resets it, so a second IOCTL_EndOF (or one before any StartOF)
 *    passes a NULL or stale handle to ZwClose. For a kernel-mode caller an
 *    invalid handle close can be treated as fatal, depending on debugger and
 *    Driver Verifier settings - confirm against the target build.
 *  - On success Information is set to uOutSize although nothing was written
 *    to the SystemBuffer. For METHOD_BUFFERED the I/O manager copies that
 *    many bytes back to the caller, so unwritten SystemBuffer contents are
 *    returned; Information should be the number of bytes actually produced
 *    (0 here).
 *  - pIoBuffer and uInSize are read but never used.
 *  - Access is not checked beyond what the device's DACL and the
 *    FILE_ANY_ACCESS control codes (BanCrtPT.h) allow.
 */
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObject, PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack;
    ULONG uIoControlCode;
    PVOID pIoBuffer;
    ULONG uInSize;
    ULONG uOutSize;
    // Pull the control code and buffer lengths from the current stack location.
    pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
    uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
    uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
    // Neither code carries a payload; pIoBuffer/uInSize are unused below.
    switch(uIoControlCode)
    {
    case IOCTL_StartOF:
      {
            // NOTE(review): success is reported even if the open failed.
            OccupyFileTest();
            status = STATUS_SUCCESS;
            break;
      }
    case IOCTL_EndOF:
      {
            // NOTE(review): no NULL check; FileHandle is not reset afterwards.
            ZwClose(FileHandle);
            status = STATUS_SUCCESS;
            break;
      }
    }
    // NOTE(review): Information should be bytes written (0), not uOutSize.
    if(status == STATUS_SUCCESS)
      pIrp->IoStatus.Information = uOutSize;
    else
      pIrp->IoStatus.Information = 0;
   
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    // The IRP is gone after completion; only the local status is returned.
    return status;
}


BanCrtPT.h


#include <devioctl.h>

/*
 * Public interface of the OccupyFile driver: device and symbolic-link names
 * and the two IOCTL codes that DispatchIoctl (BanCrtPT.c) understands.
 *
 * Review notes:
 *  - The guard macro name (_INLINEOBREFERENCEOBJECTBYHANDLE_H) appears to
 *    be copied from an unrelated header; it still guards this file, but the
 *    name is misleading.
 *  - Both control codes use FILE_ANY_ACCESS, so any caller that can open
 *    the device may issue them. CTL_CODE's access field
 *    (FILE_READ_ACCESS / FILE_WRITE_ACCESS) is where a stricter requirement
 *    would be expressed, alongside the device DACL.
 *  - IOCTL_BASE 0x800 is the start of the vendor-defined function-code
 *    range; 0x000-0x7FF is reserved by Microsoft.
 */
#ifndef _INLINEOBREFERENCEOBJECTBYHANDLE_H
#define _INLINEOBREFERENCEOBJECTBYHANDLE_H 1
//============================================
#define DEVICE_NAME L"\\Device\\devOccupyFile" //Device object name (IoCreateDevice)
#define LINK_NAME L"\\DosDevices\\OccupyFile"//Symbolic link user mode opens
//============================================
#define IOCTL_BASE    0x800

// Buffered I/O, FILE_DEVICE_UNKNOWN, no access requirement.
#define MY_CTL_CODE(i) \
    CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define IOCTL_StartOF      MY_CTL_CODE(1) //Start the exclusive hold (OccupyFileTest)
#define IOCTL_EndOF            MY_CTL_CODE(2) //Stop the exclusive hold (ZwClose FileHandle)
//============================================

#endif


dbghelp.h


/*
 * Local debug/allocation helpers. Note the file name collides with the
 * Windows SDK's dbghelp.h (symbol-handling API); because BanCrtPT.c includes
 * it with quotes the local file wins, but the name invites confusion.
 *
 * Review notes:
 *  - dprintf expands to a bare `if (DBG) DbgPrint`, so
 *    `if (c) dprintf(...); else ...` binds the else to the macro's if.
 *    Wrapping the expansion in do { } while (0) is the usual fix. In free
 *    builds (DBG == 0) the arguments are never evaluated.
 *  - kmalloc allocates with pool tag 'SYSQ' but kfree releases with the
 *    untagged ExFreePool; the commented-out ExFreePoolWithTag is the matching
 *    pair and is what Driver Verifier's pool tracking expects. Neither macro
 *    is used by BanCrtPT.c as shown.
 */
#ifndef _DBGHELP_H
#define _DBGHELP_H 1

#include <ntddk.h>

#define dprintf if (DBG) DbgPrint
#define nprintf DbgPrint

#define kmalloc(_s)    ExAllocatePoolWithTag(NonPagedPool, _s, 'SYSQ')
//#define kfree(_p)    ExFreePoolWithTag(_p, 'SYSQ')
#define kfree(_p)    ExFreePool(_p)

#endif



PCWSTR FileName = L"\\??\\C:\\WINDOWS\\system32\\ntkrnlpa.exe";

在“BanCrtPT.c”中,这句是硬编码,内核文件的路径和名字可以动态获得,这里为叙述方便而省略。

debugman 发表于 2010-6-2 14:18:44

这个没什么价值,在R3下都可以实现了。

马大哈 发表于 2010-6-2 20:55:17

.......菜鸟飘过:L

fengerpro 发表于 2010-6-24 04:24:04

C++?

fengerpro 发表于 2010-6-25 13:24:15

谁能改成VB的呀??????????

xiaoly99 发表于 2010-6-26 16:30:50

Open "C:\WINDOWS\system32\ntkrnlpa.exe" For Binary Access Read Lock Read Write As #1

xiaoly99 发表于 2010-6-26 16:31:09

VB的

fengerpro 发表于 2010-6-29 03:32:51

谁有VB的码呀?

jiedengye 发表于 2010-6-30 15:42:02

方法很好啊。还有一位大牛是直接发送 IRP 打开文件后不关闭,更厉害;不过测试发现开启 Verifier 的时候,去保护会蓝屏。

eaaca123 发表于 2010-7-31 12:52:37

还不如看我在vbgood发的占坑,目前所有ark无效

8013 发表于 2010-8-4 07:53:21

不知道还有效没

倒霉蛋儿 发表于 2010-8-7 13:21:08

没必要吧。。。icesword应该还是能删除
它用发irp。。。。

eaaca123
你的程序有效代码就这么一句。。。
Open "c:\hook.dll" For Binary Access Read Lock Read Write As #1
还是过不了icesword

Tesla.Angela 发表于 2010-8-7 22:38:53

本帖最后由 Tesla.Angela 于 2010-8-7 22:45 编辑

随便说个方法:
打开句柄,设置句柄为禁止关闭(使用SetHandleInformation)。
除了磁盘解析删除文件,否则文件在Ring是无法删除的。

倒霉蛋儿 发表于 2010-8-8 18:17:16

我刚刚试了下(在ring3)
普通工具删不掉
xuetr icesword还是过不了。。。。

Tesla.Angela 发表于 2010-8-8 22:28:00

我刚刚试了下(在ring3)
普通工具删不掉
xuetr icesword还是过不了。。。。
倒霉蛋儿 发表于 2010-8-8 18:17 http://www.m5home.com/bbs/images/common/back.gif

这份代码不怎么地,我曾经写过一个Ring3版本的,你自己搜搜看。

本网站最菜的人 发表于 2010-8-9 20:08:54

Tesla.Angela 发表于 2010-8-9 22:59:25

回复 16# 本网站最菜的人


哪两句?

倒霉蛋儿 发表于 2010-8-10 13:50:11

回复 15# Tesla.Angela


    没搜到。。。。

Tesla.Angela 发表于 2010-8-10 15:55:38

回复Tesla.Angela


    没搜到。。。。
倒霉蛋儿 发表于 2010-8-10 13:50 http://www.m5home.com/bbs/images/common/back.gif

莫非我在梦中发帖了???
Option Explicit

' Native declarations used by OccupyFile below. RtlInitUnicodeString takes
' the source as a raw pointer (Long) so callers pass StrPtr(...) of a VB
' string, which is already UTF-16. ZwCreateFile, NT_SUCCESS and the
' UNICODE_STRING / OBJECT_ATTRIBUTES / IO_STATUS_BLOCK types are not declared
' here; the post says to take them from mNativeDeclares.bas.
Public Declare Function RtlInitUnicodeString Lib "NTDLL.DLL" _
                        (ByRef DestinationString As UNICODE_STRING, _
                        ByVal SourceString As Long) As Long

' dwMask/dwFlags are HANDLE_FLAG_* bits; OccupyFile uses
' HANDLE_FLAG_PROTECT_FROM_CLOSE (&H2).
Public Declare Function SetHandleInformation Lib "kernel32.dll" (ByVal hObject As Long, ByVal dwMask As Long, ByVal dwFlags As Long) As Long

' VB equivalent of the InitializeObjectAttributes macro: fills
' InitializedAttributes so ZwCreateFile can consume it. ObjectName is stored
' as a pointer to the caller's UNICODE_STRING, so that variable must stay
' alive (and unmoved) until the native call returns.
'   Attributes          - OBJ_* flags (e.g. &H40 = OBJ_CASE_INSENSITIVE)
'   RootDirectory       - directory handle or 0 for an absolute name
'   SecurityDescriptor  - pointer to an SD or 0
' Length is LenB of the UDT itself (24 bytes on 32-bit, assuming the UDT in
' mNativeDeclares.bas mirrors the native layout - confirm).
Public Sub InitializeObjectAttributes(ByRef InitializedAttributes As OBJECT_ATTRIBUTES, _
                                    ByRef ObjectName As UNICODE_STRING, _
                                    ByVal Attributes As Long, _
                                    ByVal RootDirectory As Long, _
                                    ByVal SecurityDescriptor As Long)
    With InitializedAttributes
      .Length = LenB(InitializedAttributes)
      .Attributes = Attributes
      .ObjectName = VarPtr(ObjectName)
      .RootDirectory = RootDirectory
      .SecurityDescriptor = SecurityDescriptor
      .SecurityQualityOfService = 0
    End With
End Sub

' User-mode port of OccupyFileTest from the driver above. Opens szFileName
' (an NT-namespace path such as "\??\c:\...") with GENERIC_READ and no share
' access, then marks the handle HANDLE_FLAG_PROTECT_FROM_CLOSE. Returns the
' NTSTATUS from ZwCreateFile. The handle is a local and is never returned, so
' the caller has no way to release it; it goes away when the process exits.
'
' Review notes:
'  - SetHandleInformation is called even when ZwCreateFile failed, on a
'    FileHandle value that was never assigned.
'  - &H200 (OBJ_KERNEL_HANDLE) is requested from user mode; it is meaningful
'    for the kernel driver this was ported from, and whether the object
'    manager honours or ignores it for a user-mode caller should be confirmed.
'  - Disposition 3 (FILE_OPEN_IF) creates the file if it does not exist.
'  - Per the SetHandleInformation documentation, CloseHandle on a
'    protect-from-close handle fails, and raises under a debugger.
Public Function OccupyFile(ByVal szFileName As String) As Long
    Dim FileHandle As Long
    'HANDLE FileHandle;
    Dim ObjectAttributes As OBJECT_ATTRIBUTES
    'OBJECT_ATTRIBUTES ObjectAttributes;
    Dim UniFileName As UNICODE_STRING
    'UNICODE_STRING UniFileName;
    Dim IoStatusBlock As IO_STATUS_BLOCK
    'IO_STATUS_BLOCK IoStatusBlock;
    ' StrPtr gives the UTF-16 buffer of the VB string directly.
    Call RtlInitUnicodeString(UniFileName, StrPtr(szFileName))
    'RtlInitUnicodeString(&UniFileName , szFileName);
    Call InitializeObjectAttributes(ObjectAttributes, UniFileName, &H40 Or &H200, 0, 0)
    'InitializeObjectAttributes(&ObjectAttributes,&UniFileName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
    ' &H80000000 = GENERIC_READ, 128 = FILE_ATTRIBUTE_NORMAL, ShareAccess = 0,
    ' 3 = FILE_OPEN_IF, &H40 = FILE_NON_DIRECTORY_FILE.
    OccupyFile = ZwCreateFile(FileHandle, &H80000000, ObjectAttributes, IoStatusBlock, 0, 128, 0, 3, &H40, 0, 0)
    'return ZwCreateFile(&FileHandle,GENERIC_READ,&ObjectAttributes,&IoStatusBlock,0,FILE_ATTRIBUTE_NORMAL,0,FILE_OPEN_IF,FILE_NON_DIRECTORY_FILE,NULL,0);
    ' NOTE(review): runs regardless of whether the open above succeeded.
    Call SetHandleInformation(FileHandle, &H2, &H2)
    'SetHandleInformation(FileHandle, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
End Function

Sub main()
    ' Entry point: asks for an NT-style path, hands it to OccupyFile and
    ' shows whether the open succeeded. The second box keeps the process
    ' (and therefore its handle) alive until the user dismisses it.
    Dim targetPath As String
    Dim ntStatus As Long

    targetPath = InputBox("Input File Name:", "OccupyFile", "\??\c:\testfile\test.txt")
    ntStatus = OccupyFile(targetPath)

    MsgBox CStr(NT_SUCCESS(ntStatus)), vbInformation, "Status"
    MsgBox "Don't close this Window! Test Your File!", vbInformation, "OccupyFile"
End Sub
有些声明不全,没有声明的你用mNativeDeclares.bas就行了。

倒霉蛋儿 发表于 2010-8-10 17:27:23

权限不够 无法搜索帖子。。。

Tesla.Angela 发表于 2010-8-10 17:29:10

权限不够 无法搜索帖子。。。
倒霉蛋儿 发表于 2010-8-10 17:27 http://www.m5home.com/bbs/images/common/back.gif


我是要你用谷歌搜索

woshewuaa 发表于 2011-11-1 01:24:11

mark

lkytal 发表于 2011-11-12 15:41:35

学习了

qwert502 发表于 2012-3-16 16:35:49

学习了