[转载]驱动级文件占坑

Tesla.Angela

核心源码来自互联网，能让PxNxxx和IxxLxxxx无法正常工作。

BanCrtPT.c

1. 
   
2. #include "BanCrtPT.h"   
   
3. #include "dbghelp.h"
   
4. #include <windef.h>
   
5. 
   
6. NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObject, PUNICODE_STRING pRegString);
   
7. NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObject, PIRP pIrp);
   
8. NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObject, PIRP pIrp);
   
9. VOID DriverUnload(PDRIVER_OBJECT pDrvObject);
   
10. NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObject, PIRP pIrp);
    
11. 
    
12. HANDLE FileHandle;
    
13. 
    
14. VOID OccupyFileTest()
    
15. {
    
16.     NTSTATUS ntStatus;
    
17.     OBJECT_ATTRIBUTES ObjectAttributes;
    
18.     UNICODE_STRING UniFileName;
    
19.     IO_STATUS_BLOCK IoStatusBlock;
    
20.     PCWSTR FileName = L"\\??\\C:\\WINDOWS\\system32\\ntkrnlpa.exe";
    
21.     RtlInitUnicodeString(&UniFileName , FileName);
    
22.     InitializeObjectAttributes(&ObjectAttributes,&UniFileName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
    
23.     ntStatus=ZwCreateFile(&FileHandle,GENERIC_READ,&ObjectAttributes,&IoStatusBlock,0,FILE_ATTRIBUTE_NORMAL,0,FILE_OPEN_IF,FILE_NON_DIRECTORY_FILE,NULL,0);
    
24.     if(!NT_SUCCESS(ntStatus))
    
25.     {
    
26.         DbgPrint("[OccupyFile] = %d", ntStatus);
    
27.     }
    
28.     else
    
29.     {
    
30.         DbgPrint("[OccupyFile] Success.");
    
31.     }
    
32. }
    
33. 
    
34. NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObject, PUNICODE_STRING pRegString)
    
35. {
    
36.     NTSTATUS status = STATUS_SUCCESS;
    
37.     UNICODE_STRING ustrLinkName;
    
38.     UNICODE_STRING ustrDevName;   
    
39.     PDEVICE_OBJECT pDevObject;
    
40.     //
    
41.     dprintf("[OccupyFile] DriverEntry: %S\n",pRegString->Buffer);
    
42.     //
    
43.     pDrvObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    
44.     pDrvObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    
45.     pDrvObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    
46.     pDrvObject->DriverUnload = DriverUnload;
    
47.     //
    
48.     RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
    
49.     //
    
50.     status = IoCreateDevice(pDrvObject,
    
51.         0,
    
52.         &ustrDevName,
    
53.         FILE_DEVICE_UNKNOWN,
    
54.         0,
    
55.         FALSE,
    
56.         &pDevObject);
    
57.     //
    
58.     dprintf("[OccupyFile] Device Name %S",ustrDevName.Buffer);
    
59.    
    
60.     if(!NT_SUCCESS(status))
    
61.     {
    
62.         dprintf("[OccupyFile] IoCreateDevice = 0x%x\n", status);
    
63.         return status;
    
64.     }
    
65.     //
    
66.     RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
    
67.     //
    
68.     status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);  
    
69.     if(!NT_SUCCESS(status))
    
70.     {
    
71.         dprintf("[OccupyFile] IoCreateSymbolicLink = 0x%x\n", status);
    
72.         IoDeleteDevice(pDevObject);  
    
73.         return status;
    
74.     }
    
75.     dprintf("[OccupyFile] SymbolicLink:%S",ustrLinkName.Buffer);
    
76.     //
    
77.     //OccupyFileTest();
    
78.     return STATUS_SUCCESS;
    
79. }
    
80. 
    
81. 
    
82. VOID DriverUnload(PDRIVER_OBJECT pDrvObject)
    
83. {   
    
84.     UNICODE_STRING strLink;
    
85.     RtlInitUnicodeString(&strLink, LINK_NAME);
    
86.     IoDeleteSymbolicLink(&strLink);
    
87.     IoDeleteDevice(pDrvObject->DeviceObject);
    
88.     //
    
89.     //ZwClose(FileHandle);
    
90.     dprintf("[OccupyFile] Unloaded\n");
    
91. }
    
92. 
    
93. NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObject, PIRP pIrp)
    
94. {
    
95.     pIrp->IoStatus.Status = STATUS_SUCCESS;
    
96.     pIrp->IoStatus.Information = 0;
    
97.     dprintf("[OccupyFile] IRP_MJ_CREATE\n");
    
98.     IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    
99.     return STATUS_SUCCESS;
    
100. }
     
101. 
     
102. NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObject, PIRP pIrp)
     
103. {
     
104.     pIrp->IoStatus.Status = STATUS_SUCCESS;
     
105.     pIrp->IoStatus.Information = 0;
     
106.     dprintf("[OccupyFile] IRP_MJ_CLOSE\n");
     
107.     IoCompleteRequest(pIrp, IO_NO_INCREMENT);
     
108.     return STATUS_SUCCESS;
     
109. }
     
110. 
     
111. NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObject, PIRP pIrp)
     
112. {
     
113.     NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
     
114.     PIO_STACK_LOCATION pIrpStack;
     
115.     ULONG uIoControlCode;
     
116.     PVOID pIoBuffer;
     
117.     ULONG uInSize;
     
118.     ULONG uOutSize;
     
119.     //
     
120.     pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
     
121.     uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
     
122.     pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
     
123.     uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
     
124.     uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
     
125.     //
     
126.     switch(uIoControlCode)
     
127.     {
     
128.     case IOCTL_StartOF:
     
129.         {
     
130.             OccupyFileTest();
     
131.             status = STATUS_SUCCESS;
     
132.             break;
     
133.         }
     
134.     case IOCTL_EndOF:
     
135.         {
     
136.             ZwClose(FileHandle);
     
137.             status = STATUS_SUCCESS;
     
138.             break;
     
139.         }
     
140.     }
     
141.     //
     
142.     if(status == STATUS_SUCCESS)
     
143.         pIrp->IoStatus.Information = uOutSize;
     
144.     else
     
145.         pIrp->IoStatus.Information = 0;
     
146.    
     
147.     pIrp->IoStatus.Status = status;
     
148.     IoCompleteRequest(pIrp, IO_NO_INCREMENT);
     
149.     //
     
150.     return status;
     
151. }
     

复制代码

BanCrtPT.h

1. 
   
2. 
   
3. #include <devioctl.h>
   
4. 
   
5. #ifndef _INLINEOBREFERENCEOBJECTBYHANDLE_H
   
6. #define _INLINEOBREFERENCEOBJECTBYHANDLE_H 1
   
7. //============================================
   
8. #define DEVICE_NAME L"\\Device\\devOccupyFile" //Driver Name
   
9. #define LINK_NAME L"\\DosDevices\\OccupyFile"  //Link Name
   
10. //============================================
    
11. #define IOCTL_BASE    0x800
    
12. 
    
13. #define MY_CTL_CODE(i) \
    
14.     CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)
    
15. 
    
16. #define IOCTL_StartOF        MY_CTL_CODE(1) //开始独占
    
17. #define IOCTL_EndOF            MY_CTL_CODE(2) //停止独占
    
18. //============================================
    
19. 
    
20. #endif
    

复制代码

dbghelp.h

1. 
   
2. 
   
3. #ifndef _DBGHELP_H
   
4. #define _DBGHELP_H 1
   
5. 
   
6. #include <ntddk.h>
   
7. 
   
8. #define dprintf if (DBG) DbgPrint
   
9. #define nprintf DbgPrint
   
10. 
    
11. #define kmalloc(_s)    ExAllocatePoolWithTag(NonPagedPool, _s, 'SYSQ')
    
12. //#define kfree(_p)    ExFreePoolWithTag(_p, 'SYSQ')
    
13. #define kfree(_p)    ExFreePool(_p)
    
14. 
    
15. #endif  
    

复制代码

1. 
   
2. PCWSTR FileName = L"\\??\\C:\\WINDOWS\\system32\\ntkrnlpa.exe";
   

复制代码

在“BanCrtPT.c”中，这句是硬编码，内核文件的路径和名字可以动态获得，这里为叙述方便而省略。

debugman

这个没什么价值，在R3下都可以实现了。

马大哈

.......菜鸟飘过:L

fengerpro

C++?

fengerpro

谁能改成VB的呀??????????

xiaoly99

Open "C:\WINDOWS\system32\ntkrnlpa.exe" For Binary Access Read Lock Read Write As #1

xiaoly99

VB的

fengerpro

谁有VB的码呀?

jiedengye

方法很好啊，还有一个大牛的直接发送ＩＲＰ打开文件，不关闭，更厉害，不过测试发现开启ｖｅｒｉｆｉｅｒ时候，去保护蓝屏

eaaca123

还不如看我在vbgood发的占坑，目前所有ark无效

8013

不知道还有效没

倒霉蛋儿

没必要吧。。。icesword应该还是能删除
它用发irp。。。。

eaaca123
你的程序有效代码就这么一句。。。
Open "c:\hook.dll" For Binary Access Read Lock Read Write As #1
还是过不了icesword

Tesla.Angela

随便说个方法：
打开句柄，设置句柄为禁止关闭（使用SetHandleInformation）。
除了磁盘解析删除文件，否则文件在Ring是无法删除的。

倒霉蛋儿

我刚刚试了下（在ring3）
普通工具删不掉
xuetr icesword还是过不了。。。。

Tesla.Angela

我刚刚试了下（在ring3）
普通工具删不掉
xuetr icesword还是过不了。。。。
倒霉蛋儿 发表于 2010-8-8 18:17

这份代码不怎么地，我曾经写过一个Ring3版本的，你自己搜搜看。

Tesla.Angela

回复 16# 本网站最菜的人


哪两句？

倒霉蛋儿

回复 15# Tesla.Angela


    没搜到。。。。

Tesla.Angela

回复  Tesla.Angela


    没搜到。。。。
倒霉蛋儿 发表于 2010-8-10 13:50

莫非我在梦中发帖了？？？

1. 
   
2. Option Explicit
   
3. 
   
4. Public Declare Function RtlInitUnicodeString Lib "NTDLL.DLL" _
   
5.                         (ByRef DestinationString As UNICODE_STRING, _
   
6.                         ByVal SourceString As Long) As Long
   
7. 
   
8. Public Declare Function SetHandleInformation Lib "kernel32.dll" (ByVal hObject As Long, ByVal dwMask As Long, ByVal dwFlags As Long) As Long
   
9. 
   
10. Public Sub InitializeObjectAttributes(ByRef InitializedAttributes As OBJECT_ATTRIBUTES, _
    
11.                                       ByRef ObjectName As UNICODE_STRING, _
    
12.                                       ByVal Attributes As Long, _
    
13.                                       ByVal RootDirectory As Long, _
    
14.                                       ByVal SecurityDescriptor As Long)
    
15.     With InitializedAttributes
    
16.         .Length = LenB(InitializedAttributes)
    
17.         .Attributes = Attributes
    
18.         .ObjectName = VarPtr(ObjectName)
    
19.         .RootDirectory = RootDirectory
    
20.         .SecurityDescriptor = SecurityDescriptor
    
21.         .SecurityQualityOfService = 0
    
22.     End With
    
23. End Sub
    
24. 
    
25. Public Function OccupyFile(ByVal szFileName As String) As Long
    
26.     Dim FileHandle As Long
    
27.     'HANDLE FileHandle;
    
28.     Dim ObjectAttributes As OBJECT_ATTRIBUTES
    
29.     'OBJECT_ATTRIBUTES ObjectAttributes;
    
30.     Dim UniFileName As UNICODE_STRING
    
31.     'UNICODE_STRING UniFileName;
    
32.     Dim IoStatusBlock As IO_STATUS_BLOCK
    
33.     'IO_STATUS_BLOCK IoStatusBlock;
    
34.     Call RtlInitUnicodeString(UniFileName, StrPtr(szFileName))
    
35.     'RtlInitUnicodeString(&UniFileName , szFileName);
    
36.     Call InitializeObjectAttributes(ObjectAttributes, UniFileName, &H40 Or &H200, 0, 0)
    
37.     'InitializeObjectAttributes(&ObjectAttributes,&UniFileName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
    
38.     OccupyFile = ZwCreateFile(FileHandle, &H80000000, ObjectAttributes, IoStatusBlock, 0, 128, 0, 3, &H40, 0, 0)
    
39.     'return ZwCreateFile(&FileHandle,GENERIC_READ,&ObjectAttributes,&IoStatusBlock,0,FILE_ATTRIBUTE_NORMAL,0,FILE_OPEN_IF,FILE_NON_DIRECTORY_FILE,NULL,0);
    
40.     Call SetHandleInformation(FileHandle, &H2, &H2)
    
41.     'SetHandleInformation(FileHandle, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
    
42. End Function
    
43. 
    
44. Sub main()
    
45.     Dim ntst As Long
    
46.     ntst = OccupyFile(InputBox("Input File Name:", "OccupyFile", "\??\c:\testfile\test.txt"))
    
47.     MsgBox CStr(NT_SUCCESS(ntst)), vbInformation, "Status"
    
48.     MsgBox "Don't close this Window! Test Your File!", vbInformation, "OccupyFile"
    
49. End Sub
    

复制代码

有些声明不全，没有声明的你用mNativeDeclares.bas就行了。

倒霉蛋儿

权限不够 无法搜索帖子。。。

Tesla.Angela

权限不够 无法搜索帖子。。。
倒霉蛋儿 发表于 2010-8-10 17:27

我是要你用谷歌搜索

woshewuaa

mark

lkytal

学习了

qwert502

学习了