[半原创]山寨版NtSystemDebugControl(8)(9) - MySystemDebugControl
这个可以干什么就不多说了,自己琢磨吧。。。(安全提示:下面的驱动把任意内核内存读/写和 ring-0 代码执行直接暴露给任何能打开该设备的本地用户——设备对象没有任何访问控制,IOCTL 全部是 FILE_ANY_ACCESS。只适合在自己的测试机上加载,切勿部署到共享或生产环境。)======
核心驱动代码:
#include <ntddk.h>
#define DEVICE_NAME L"\\Device\\MySystemDebugControl" // NT name of the control device object
#define LINK_NAME L"\\DosDevices\\MySystemDebugControl"// DOS symbolic link so user mode can open \\.\MySystemDebugControl
#define IOCTL_BASE 0x800
/* Every IOCTL is METHOD_BUFFERED and FILE_ANY_ACCESS: no access rights are
 * required on the handle, so whoever can open the device can use all of them.
 * The VB client mirrors these as &H801..&H806 (IOCTL_BASE + i). */
#define TEMPLATE_CTL_CODE(i) \
CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SET_ADDRESS TEMPLATE_CTL_CODE(1)     // input: one PVOID, stored in AddressSet
#define IOCTL_ReadKernelMemory TEMPLATE_CTL_CODE(2)  // output: OutputBufferLength bytes copied from AddressSet
#define IOCTL_WriteKernelMemory TEMPLATE_CTL_CODE(3) // input: InputBufferLength bytes written to AddressSet (WP disabled)
#define IOCTL_GetEmptySubAddress TEMPLATE_CTL_CODE(4) // output: ULONG address of EmptySub
#define IOCTL_ClearEmptySub TEMPLATE_CTL_CODE(5)     // refills EmptySub's body with 0x90
#define IOCTL_CallEmptySub TEMPLATE_CTL_CODE(6)      // executes EmptySub in kernel mode
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
/* IRQL saved by WpOffAndToDpcLevel() and restored by WpOn(). A single static,
 * so the pair is not safe to use from two threads at once. */
static KIRQL OldIrql;
ULONG EmptySubAddr=0;   // address of EmptySub, set in DriverEntry (and again on IOCTL_GetEmptySubAddress)
VOID WpOffAndToDpcLevel();
VOID WpOn();
VOID EmptySub();
NTSTATUS ReadKernelMemory(PVOID Address, ULONG Size, PVOID OutBuffer);
NTSTATUS WriteKernelMemory(PVOID Address, ULONG Size, PVOID InBuffer);
/* Target address for the next read/write IOCTL. One global shared by every
 * open handle: set by IOCTL_SET_ADDRESS, consumed and zeroed by the
 * following read/write, so interleaved callers race on it. */
PVOID AddressSet = 0;
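/*
 * Driver entry point: registers the dispatch routines, creates the control
 * device and its DOS symbolic link, and records the address of EmptySub.
 *
 * SECURITY NOTE (review): the device is created with IoCreateDevice and no
 * security descriptor, so it gets the default DACL and any local user can
 * open \\.\MySystemDebugControl; together with DispatchIoctl that is
 * arbitrary kernel read/write/execute for every process on the box. If this
 * driver ever has to live on a shared machine, create the device with
 * IoCreateDeviceSecure and a restrictive SDDL (for example
 * SDDL_DEVOBJ_SYS_ALL_ADM_ALL from wdmsec.h) and FILE_DEVICE_SECURE_OPEN.
 * That is not done here because it adds a wdmsec.lib dependency.
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice /
 * IoCreateSymbolicLink status; on a failed link the device is deleted again.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ustrLinkName;
    UNICODE_STRING ustrDevName;
    PDEVICE_OBJECT pDevObj = NULL;

    /* %wZ prints a UNICODE_STRING by Length; %S on ->Buffer assumes a NUL
     * terminator that the registry path is not guaranteed to have. */
    DbgPrint("Drv DriverEntry: %wZ\n", pRegistryString);

    /* One dispatch slot per major function. The listing as posted had lost the
     * [IRP_MJ_*] indices, which does not even compile. */
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    pDriverObj->DriverUnload = DriverUnload;

    RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
    status = IoCreateDevice(pDriverObj,
                            0,              /* no device extension */
                            &ustrDevName,
                            FILE_DEVICE_UNKNOWN,
                            0,              /* no characteristics: see security note */
                            FALSE,          /* not exclusive: many handles at once */
                            &pDevObj);
    DbgPrint("Drv Device Name %wZ\n", &ustrDevName);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("Drv IoCreateDevice = 0x%x\n", status);
        return status;
    }

    RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("Drv IoCreateSymbolicLink = 0x%x\n", status);
        IoDeleteDevice(pDevObj);
        return status;
    }
    DbgPrint("Drv SymbolicLink:%wZ\n", &ustrLinkName);

    /* Cache the address of the NOP area for IOCTL_ClearEmptySub. */
    EmptySubAddr = (ULONG)EmptySub;
    DbgPrint("EmptySub Address=%x\n", EmptySubAddr);
    return STATUS_SUCCESS;
}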
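/*
 * IRP_MJ_DEVICE_CONTROL dispatch: the whole user-mode interface of the driver.
 *
 * SECURITY NOTE (review): every IOCTL is FILE_ANY_ACCESS and the device has
 * no security descriptor, so any process that can open the device gets
 * arbitrary kernel-memory read/write (IOCTL_ReadKernelMemory /
 * IOCTL_WriteKernelMemory) and arbitrary ring-0 code execution (write into
 * EmptySub, then IOCTL_CallEmptySub). That is the purpose of the tool, but it
 * means loading this driver grants every local user full kernel privilege.
 *
 * Protocol: IOCTL_SET_ADDRESS stores the target in the global AddressSet; the
 * next read/write IOCTL consumes it and resets it to 0. AddressSet is one
 * global shared by every handle, so two callers interleaving their pairs race
 * and may operate on each other's address.
 *
 * All codes are METHOD_BUFFERED: pIoBuffer is the kernel copy of the input
 * and output buffer (the same memory) and can be NULL when both lengths are
 * 0, which is why each access is length-checked before touching it.
 *
 * Changes over the posted listing: garbled "->;" restored; length checks
 * before reading/writing pIoBuffer; CR0.WP cleared around the NOP fill of
 * EmptySub (the code page is normally mapped read-only, so a plain memset
 * faults); IOCTL_ClearEmptySub / IOCTL_CallEmptySub now complete with
 * STATUS_SUCCESS instead of the default STATUS_INVALID_DEVICE_REQUEST;
 * pointers are printed with %p.
 */
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    PVOID pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;

    UNREFERENCED_PARAMETER(pDevObj);

    switch (uIoControlCode)
    {
    case IOCTL_SET_ADDRESS:
        /* Input: one pointer-sized value = target address for the next read/write. */
        if (pIoBuffer == NULL || uInSize < sizeof(PVOID))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        AddressSet = *(PVOID *)pIoBuffer;
        DbgPrint("Add:%p\n", AddressSet);
        status = STATUS_SUCCESS;
        break;

    case IOCTL_ReadKernelMemory:
        /* Copies OutputBufferLength bytes from AddressSet into the system buffer. */
        DbgPrint("Read Add:%p\n", AddressSet);
        status = ReadKernelMemory(AddressSet, uOutSize, pIoBuffer);
        AddressSet = 0;   /* one-shot: the address must be set again for the next call */
        break;

    case IOCTL_WriteKernelMemory:
        /* Writes InputBufferLength bytes from the system buffer to AddressSet. */
        DbgPrint("Write Add:%p\n", AddressSet);
        status = WriteKernelMemory(AddressSet, uInSize, pIoBuffer);
        AddressSet = 0;
        break;

    case IOCTL_GetEmptySubAddress:
        /* Output: the ULONG address of EmptySub, so user mode can target it
         * with IOCTL_SET_ADDRESS + IOCTL_WriteKernelMemory. */
        if (pIoBuffer == NULL || uOutSize < sizeof(ULONG))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        EmptySubAddr = (ULONG)EmptySub;
        RtlCopyMemory(pIoBuffer, &EmptySubAddr, sizeof(ULONG));
        status = STATUS_SUCCESS;
        break;

    case IOCTL_ClearEmptySub:
        /* Refill the body of EmptySub with 256 NOPs. The +2 is the author's
         * assumption about the prologue length; NOTE(review): the real prologue
         * depends on compiler/linker settings (frame pointer, incremental-link
         * thunks), so verify the offset before relying on it. */
        WpOffAndToDpcLevel();
        RtlFillMemory((PVOID)(EmptySubAddr + 2), 256, 0x90);
        WpOn();
        status = STATUS_SUCCESS;
        break;

    case IOCTL_CallEmptySub:
        /* Runs whatever the caller previously wrote into EmptySub: ring-0 code
         * execution on demand, with no validation possible. */
        EmptySub();
        status = STATUS_SUCCESS;
        break;

    default:
        /* unknown code: status stays STATUS_INVALID_DEVICE_REQUEST */
        break;
    }

    /* Report the full output length on success (the client always passes the
     * exact size it expects), nothing on failure. */
    pIrp->IoStatus.Information = (status == STATUS_SUCCESS) ? uOutSize : 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}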
/*
 * Unload routine: removes the DOS symbolic link and the single device object
 * created in DriverEntry. Nothing else is owned by the driver.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING dosLink;

    RtlInitUnicodeString(&dosLink, LINK_NAME);
    IoDeleteSymbolicLink(&dosLink);
    IoDeleteDevice(pDriverObj->DeviceObject);   /* the only device we created */
    DbgPrint("Driver Unloaded\n");
}
/*
 * IRP_MJ_CREATE: every open succeeds. No caller identity or access check is
 * performed here, so the device's (default) DACL is the only gate.
 */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pDevObj);
    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    DbgPrint("Driver IRP_MJ_CREATE\n");
    return result;
}
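/*
 * IRP_MJ_CLOSE: completes the request with success. Nothing is cleaned up
 * per handle; note that a pending AddressSet from this handle survives the
 * close and will be consumed by whichever handle issues the next read/write.
 *
 * Fix: the debug message said "IRP_MJ_CLOSEE".
 */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDevObj);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    DbgPrint("Driver IRP_MJ_CLOSE\n");
    return STATUS_SUCCESS;
}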
/*
 * Prepare for writing to read-only kernel pages: raise this thread to
 * DISPATCH_LEVEL (saving the previous IRQL in the static OldIrql), disable
 * interrupts with cli, and clear CR0.WP (bit 16, mask 0FFFEFFFFh). Must be
 * paired with WpOn() on the same thread.
 *
 * NOTE(review): OldIrql is a single shared static, so two threads using this
 * pair concurrently overwrite each other's saved IRQL. cli and CR0 act on the
 * current processor only; on SMP the other CPUs keep WP set and keep taking
 * interrupts, so this does not make the subsequent write system-wide atomic.
 */
VOID WpOffAndToDpcLevel()
{
OldIrql = KeRaiseIrqlToDpcLevel();
__asm
{
cli
push eax
mov eax, cr0
and eax, 0FFFEFFFFh   ; clear bit 16 = CR0.WP
mov cr0, eax
pop eax
}
}
/*
 * Counterpart of WpOffAndToDpcLevel(): set CR0.WP (bit 16, 10000h) again,
 * re-enable interrupts on this CPU with sti, and lower the IRQL back to the
 * value saved in the static OldIrql.
 *
 * NOTE(review): only valid after WpOffAndToDpcLevel() on the same thread;
 * because OldIrql is shared, a concurrent caller can make this restore the
 * wrong IRQL.
 */
VOID WpOn()
{
__asm
{
push eax
mov eax, cr0
or eax, 10000h        ; set bit 16 = CR0.WP
mov cr0, eax
pop eax
sti
}
KeLowerIrql(OldIrql);
}
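/*
 * Copy Size bytes from the kernel address Address into OutBuffer (the
 * METHOD_BUFFERED system buffer).
 *
 * Returns STATUS_SUCCESS on success; STATUS_INVALID_PARAMETER for a NULL
 * address or buffer or a zero size; STATUS_INSUFFICIENT_RESOURCES if no MDL
 * could be allocated; STATUS_UNSUCCESSFUL if the MDL could not be mapped; or
 * the exception code if the copy raised.
 *
 * NOTE(review): MmBuildMdlForNonPagedPool is documented for nonpaged-pool
 * addresses only, but the caller can pass any address, so paged, unmapped or
 * device memory is undefined here. In kernel mode an access violation on an
 * invalid kernel address is not caught by __try/__except (it bugchecks), so
 * the handler below only covers exceptions the system actually raises.
 *
 * Fixes over the posted listing: "PMDLpMdl" restored to "PMDL pMdl"; argument
 * checks added; the swallowed exception now reports its code.
 */
NTSTATUS ReadKernelMemory(PVOID Address, ULONG Size, PVOID OutBuffer)
{
    NTSTATUS st = STATUS_UNSUCCESSFUL;
    PMDL pMdl = NULL;
    PVOID pAddress = NULL;

    if (Address == NULL || OutBuffer == NULL || Size == 0)
        return STATUS_INVALID_PARAMETER;

    pMdl = IoAllocateMdl(Address, Size, FALSE, FALSE, NULL);
    if (pMdl == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    MmBuildMdlForNonPagedPool(pMdl);
    pAddress = MmGetSystemAddressForMdlSafe(pMdl, NormalPagePriority);
    if (pAddress != NULL)
    {
        __try
        {
            RtlCopyMemory(OutBuffer, pAddress, Size);
            st = STATUS_SUCCESS;
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            st = GetExceptionCode();
        }
    }
    IoFreeMdl(pMdl);
    return st;
}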
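/*
 * Write Size bytes from InBuffer (the METHOD_BUFFERED system buffer) to the
 * kernel address Address, with CR0.WP cleared so read-only pages (e.g. code)
 * can be patched.
 *
 * Returns STATUS_SUCCESS on success; STATUS_INVALID_PARAMETER for a NULL
 * address or buffer or a zero size; STATUS_INSUFFICIENT_RESOURCES if no MDL
 * could be allocated; STATUS_UNSUCCESSFUL if the MDL could not be mapped; or
 * the exception code if the copy raised.
 *
 * Fixes over the posted listing:
 *  - "PMDLpMdl" restored to "PMDL pMdl".
 *  - The KSPIN_LOCK that was initialised and acquired here lived on this
 *    function's own stack; a lock no other thread can reach gives no mutual
 *    exclusion, so it is dropped. Concurrent writers from different handles
 *    remain unsynchronised, and the static OldIrql used by WpOn is shared.
 *  - WpOn() now runs in a __finally block, so WP, interrupts and IRQL are
 *    restored even if the copy raises; the original left them off forever.
 *
 * NOTE(review): as in ReadKernelMemory, MmBuildMdlForNonPagedPool on an
 * arbitrary address is undefined, and a fault on an invalid kernel address
 * bugchecks rather than reaching __except.
 */
NTSTATUS WriteKernelMemory(PVOID Address, ULONG Size, PVOID InBuffer)
{
    NTSTATUS st = STATUS_UNSUCCESSFUL;
    PMDL pMdl = NULL;
    PVOID pAddress = NULL;

    if (Address == NULL || InBuffer == NULL || Size == 0)
        return STATUS_INVALID_PARAMETER;

    pMdl = IoAllocateMdl(Address, Size, FALSE, FALSE, NULL);
    if (pMdl == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    MmBuildMdlForNonPagedPool(pMdl);
    pAddress = MmGetSystemAddressForMdlSafe(pMdl, NormalPagePriority);
    if (pAddress != NULL)
    {
        __try
        {
            /* DISPATCH_LEVEL + cli + WP off for the duration of the copy. */
            WpOffAndToDpcLevel();
            __try
            {
                RtlCopyMemory(pAddress, InBuffer, Size);
                st = STATUS_SUCCESS;
            }
            __finally
            {
                WpOn();   /* always undo, even on the exception path */
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            st = GetExceptionCode();
        }
    }
    IoFreeMdl(pMdl);
    return st;
}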
/*
 * Deliberately empty function whose body is 256 NOPs (0x90). It is the
 * scratch area the user-mode client overwrites with its own machine code
 * (IOCTL_SET_ADDRESS + IOCTL_WriteKernelMemory at the address returned by
 * IOCTL_GetEmptySubAddress) and then runs with IOCTL_CallEmptySub, i.e. the
 * driver's ring-0 code-execution primitive. IOCTL_ClearEmptySub restores the
 * NOPs. Anything written here must fit in 256 bytes and must return to the
 * caller (a `ret` that matches the compiler-generated prologue/epilogue).
 *
 * NOTE(review): the prologue the compiler emits before the first nop (and
 * whether EmptySub is an incremental-link jump thunk) depends on build
 * settings; the +2 used by IOCTL_ClearEmptySub assumes a specific layout.
 */
VOID EmptySub()
{
_asm
{
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
}
}
VB调用代码:
Option Explicit
' Driver wrapper object. cls_Driver is the third-party cls_driver.cls mentioned at the end of the post (not shown here).
Public DrvController As New cls_Driver
' IOCTL function numbers: IOCTL_BASE (&H800) + 1..6, matching the driver's TEMPLATE_CTL_CODE(i).
' CTL_CODE_GEN presumably expands them to full CTL_CODE values
' (FILE_DEVICE_UNKNOWN / METHOD_BUFFERED / FILE_ANY_ACCESS) - confirm against cls_Driver.
Private Const IOCTL_SET_ADDRESS = &H801
Private Const IOCTL_READ_KERNEL_MEM = &H802
Private Const IOCTL_WRITE_KERNEL_MEM = &H803
Private Const IOCTL_GetEmptySubAddress = &H804
Private Const IOCTL_ClearEmptySub = &H805
Private Const IOCTL_CallEmptySub = &H806
' Raw memory copy used for Long <-> Byte() conversion; the caller is responsible for the byte count.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
'长整形数字转成字节数组:输入Long,输出Byte数组
' Split a Long into its 4 bytes in memory order (little-endian): ba(0) is the
' least significant byte. ba is resized to 0..3.
Public Sub Long2ByteArray(ByVal lng As Long, ByRef ba() As Byte)
    ReDim ba(0 To 3) As Byte
    CopyMemory ba(0), lng, 4
End Sub
'字节数组转成长整形数字:输入Byte数组,输出Long
' Assemble a Long from the first 4 bytes of ba (little-endian, ba(0) least
' significant). ba must hold at least 4 elements; nothing checks that here.
Public Sub ByteArray2Long(ByRef lng As Long, ByRef ba() As Byte)
    Dim assembled As Long
    CopyMemory assembled, ba(0), 4
    lng = assembled
End Sub
'读取内核数据:地址,长度,输出缓冲区
' Read nSize bytes of kernel memory at Address into the buffer at OutBuffer.
' Two IOCTLs: IOCTL_SET_ADDRESS stores the address in the driver, then
' IOCTL_READ_KERNEL_MEM copies into OutBuffer. Returns the result of the
' second IoControl call; the first one's result is ignored.
' Note: the driver keeps the address in one global, so two processes doing
' this at the same time can read each other's address.
Public Function ReadKernelMemoryEx(ByVal Address As Long, ByVal nSize As Long, ByVal OutBuffer As Long) As Long
    Dim setCode As Long
    Dim readCode As Long
    setCode = DrvController.CTL_CODE_GEN(IOCTL_SET_ADDRESS)
    DrvController.IoControl setCode, VarPtr(Address), 4, 0, 0
    readCode = DrvController.CTL_CODE_GEN(IOCTL_READ_KERNEL_MEM)
    ReadKernelMemoryEx = DrvController.IoControl(readCode, 0, 0, OutBuffer, nSize)
End Function
'修改内核数据:地址,长度,输入缓冲区
' Write nSize bytes from the buffer at InBuffer to kernel memory at Address.
' Same two-step protocol as ReadKernelMemoryEx (set address, then
' IOCTL_WRITE_KERNEL_MEM). Returns the result of the write IoControl.
Public Function ModifyKernelMemoryEx(ByVal Address As Long, ByVal nSize As Long, ByVal InBuffer As Long) As Long
    Dim setCode As Long
    Dim writeCode As Long
    setCode = DrvController.CTL_CODE_GEN(IOCTL_SET_ADDRESS)
    DrvController.IoControl setCode, VarPtr(Address), 4, 0, 0
    writeCode = DrvController.CTL_CODE_GEN(IOCTL_WRITE_KERNEL_MEM)
    ModifyKernelMemoryEx = DrvController.IoControl(writeCode, InBuffer, nSize, 0, 0)
End Function
'读取内核数据:读取定长为4的内核内存数据
' Read one 4-byte value from kernel memory at Address into ulData.
' The IoControl result is discarded: on failure ulData is simply 0.
Public Sub ReadKernelMemory(ByVal Address As Long, ByRef ulData As Long)
    Dim raw(0 To 3) As Byte
    ReadKernelMemoryEx Address, 4, VarPtr(raw(0))
    CopyMemory ulData, raw(0), 4
End Sub
'修改内核数据:修改定长为4的内核内存数据
' Write one 4-byte value ulData to kernel memory at Address.
' The IoControl result is discarded, so a failed write is silent.
Public Sub ModifyKernelMemory(ByVal Address As Long, ByVal ulData As Long)
    Dim raw(0 To 3) As Byte
    CopyMemory raw(0), ulData, 4
    ModifyKernelMemoryEx Address, 4, VarPtr(raw(0))
End Sub
'读取内核数据:地址,长度,返回字节数组
' Read nSize bytes of kernel memory at Address into BytBuf, which is resized
' to 0..nSize-1 first (nSize must be >= 1 or ReDim raises). The IoControl
' result is discarded; on failure the array stays zero-filled.
Public Sub ReadKernelMemory2(ByVal Address As Long, ByVal nSize As Long, ByRef BytBuf() As Byte)
    Dim upper As Long
    upper = nSize - 1
    ReDim BytBuf(upper) As Byte
    ReadKernelMemoryEx Address, nSize, VarPtr(BytBuf(0))
End Sub
'修改内核数据:地址,长度,以及字节数组
' Write the first nSize bytes of BytBuf to kernel memory at Address.
' BytBuf must hold at least nSize bytes; the IoControl result is discarded.
Public Sub ModifyKernelMemory2(ByVal Address As Long, ByVal nSize As Long, ByRef BytBuf() As Byte)
    Dim src As Long
    src = VarPtr(BytBuf(0))
    ModifyKernelMemoryEx Address, nSize, src
End Sub
'得到空函数地址
' Ask the driver for the kernel address of EmptySub, the 256-byte NOP area in
' its code section that can be overwritten and then executed with
' CallEmptySub. Returns 0 if the IOCTL did not fill the output.
Public Function GetEmptySubAddr() As Long
    Dim addr As Long
    Dim code As Long
    code = DrvController.CTL_CODE_GEN(IOCTL_GetEmptySubAddress)
    DrvController.IoControl code, 0, 0, VarPtr(addr), 4
    GetEmptySubAddr = addr
End Function
'擦除空函数内容
' Tell the driver to refill EmptySub with NOPs (no input, no output).
Public Sub ClearEmptySub()
    Dim code As Long
    code = DrvController.CTL_CODE_GEN(IOCTL_ClearEmptySub)
    DrvController.IoControl code, 0, 0, 0, 0
End Sub
'调用空函数
' Tell the driver to execute EmptySub in kernel mode, i.e. run whatever was
' written there beforehand. A bad payload takes the whole machine down.
Public Sub CallEmptySub()
    Dim code As Long
    code = DrvController.CTL_CODE_GEN(IOCTL_CallEmptySub)
    DrvController.IoControl code, 0, 0, 0, 0
End Sub
陈辉的cls_driver.cls就自己找吧,网上很多的。 VB调用驱动函数,利用MySystemDebugControl实现。 不知道有啥用..............:L 本帖最后由 HoviDelphic 于 2010-7-16 20:45 编辑
这是几个使用MySystemDebugControl的demo,主要代码都不是我写的。 先记录下、也许有用 好東西 值得收藏