/*
Tested on Windows 2003 x86/x64, Windows 7 x86 and Windows 2008 R2 x64
*/ #include <ntddk.h>
#include "nt_help.h"
/*
 * Object Manager type descriptors.
 *
 * These two structures are not laid out by ntddk.h (it only carries an opaque
 * POBJECT_TYPE); they are reproduced here so the driver can reach the Section
 * type's TypeInfo.OpenProcedure slot.  The layout is kernel-version specific:
 * the WINVER checks add ObjectTypeCode on Vista and later and keep the
 * ERESOURCE Mutex only before Vista.  If WINVER does not match the running
 * kernel, the OpenProcedure reads and writes in this file land on some other
 * member.
 */
DRIVER_INITIALIZE DriverEntry;

typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
#if WINVER>=0x0600
    ULONG ObjectTypeCode;               /* Vista and later only */
#endif
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    /* Per-type callbacks; OpenProcedure is the slot this driver replaces. */
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE {
#if WINVER<0x0600
    ERESOURCE Mutex;                    /* pre-Vista only */
#endif
    LIST_ENTRY TypeList;
    UNICODE_STRING Name; // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
} OBJECT_TYPE, *POBJECT_TYPE;

/*
 * Pointer to the Section object type.  Not defined by this driver (extern):
 * the symbol is resolved against the kernel at link time.  DriverEntry
 * replaces its TypeInfo.OpenProcedure with HookSectionOpen and DriverUnload
 * resets it on unload.
 */
extern POBJECT_TYPE* MmSectionObjectType;
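PVOID pNtCreateSection = NULL;               /* nt!NtCreateSection, resolved in DriverEntry */
SYSTEM_MODULE_INFORMATION ntModInfo = { 0 }; /* first system-module entry, i.e. the kernel image */

/*
 * OpenProcedure the Section type had before DriverEntry hooked it.
 * DriverUnload puts this value back (forcing the slot to NULL on unload, as
 * before, would discard whatever the kernel or another driver had there).
 */
static PVOID pOrigSectionOpen = NULL;

#pragma alloc_text(INIT, DriverEntry)

/* Values that were bare literals in the hook; see the stack dumps in HookSectionOpen. */
enum {
    NTCREATESECTION_SCAN_LEN    = 0x300,    /* a return address at most this far past nt!NtCreateSection is "inside" it */
    ARG_SECTION_PAGE_PROTECTION = 5,        /* argument slots counted from the dispatcher return address (see dumps) */
    ARG_ALLOCATION_ATTRIBUTES   = 6,
    ARG_FILE_HANDLE             = 7,
    ALLOC_ATTR_WIN7_LOAD_DRIVER = 0x100000  /* AllocationAttributes Windows 7 passes when loading a driver */
};

/*
 * TRUE when Addr lies in [Base, Base + Len] (upper bound inclusive, matching
 * the original comparisons).  Compares as integers so that unrelated pointers
 * are never compared directly.
 */
static BOOLEAN AddrInRange(PVOID Addr, PVOID Base, SIZE_T Len)
{
    ULONG_PTR a = (ULONG_PTR)Addr;
    ULONG_PTR b = (ULONG_PTR)Base;
    return (BOOLEAN)(a >= b && a <= b + Len);
}

/*
 * Dispatch routine installed for every IRP major function.
 *
 * The driver creates no device object of its own, so any request that does
 * arrive is completed at once with STATUS_SUCCESS and no output data.
 */
NTSTATUS DevicePassthrough(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * Unhook on unload.
 *
 * Restores the OpenProcedure saved by DriverEntry.  The store is a plain
 * pointer write: nothing here waits for invocations of HookSectionOpen that
 * may already be running, so an in-flight call can still be executing when
 * the image is unmapped.  The restore is unconditional; if another component
 * hooked the slot after this driver, its pointer is overwritten too.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    if (MmSectionObjectType != NULL && *MmSectionObjectType != NULL) {
        (*MmSectionObjectType)->TypeInfo.OpenProcedure = pOrigSectionOpen;
    }
    KdPrint(("DriverUnload Done!\n"));
}

/*
 * OpenProcedure hook for the Section object type.
 *
 * Called by the Object Manager when a handle to a Section is opened.  The
 * hook ignores its own arguments: it walks the current kernel stack back to
 * the NtCreateSection frame and reads the caller's SectionPageProtection,
 * AllocationAttributes and FileHandle arguments from the system-service
 * dispatcher frame (layouts in the dumps below).  A file-backed executable
 * image section (PAGE_EXECUTE with SEC_IMAGE, or the Windows 7 driver-load
 * value) is logged by file name.  Purely observational: it never alters the
 * outcome and always returns STATUS_SUCCESS, including when no frame is found.
 *
 * The argument recovery is only as good as the frame layouts shown below; on
 * a kernel whose NtCreateSection or dispatcher frame differs it may find no
 * match or read the wrong slots, so every read is bounded to this thread's
 * stack.
 */
#if WINVER>=0x0600
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN ULONG AccessMode,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK* GrantedAccess,
    IN ULONG HandleCount
    )
#else
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    )
#endif
{
    /*
     * &esp is the address of a local, i.e. approximately the current stack
     * pointer.  The walk is bounded to the end of the page that slot is on
     * (kernel stacks grow down from a page-aligned base, so the bound stays
     * on the stack).
     */
    PVOID *esp = (PVOID *)&esp;
    PVOID *esp_end = (PVOID *)((((ULONG_PTR)esp >> PAGE_SHIFT) + 1) << PAGE_SHIFT);
    PVOID *stack_base = (PVOID *)IoGetInitialStack();   /* highest address of this thread's stack */
    PVOID *p = esp;
    ULONG SectionPageProtection, AllocationAttributes;
    HANDLE FileHandle;
    PFILE_OBJECT File;
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(OpenReason);
#if WINVER>=0x0600
    UNREFERENCED_PARAMETER(AccessMode);
#endif
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(Object);
    UNREFERENCED_PARAMETER(GrantedAccess);
    UNREFERENCED_PARAMETER(HandleCount);

    /* Nothing to match against until DriverEntry has resolved both addresses. */
    if (pNtCreateSection == NULL || ntModInfo.ImageBase == NULL) {
        return STATUS_SUCCESS;
    }

    /*
     * Walk the stack back to the NtCreateSection frame: the first slot holding
     * a return address inside nt!NtCreateSection.
     */
    while (p < esp_end && !AddrInRange(*p, pNtCreateSection, NTCREATESECTION_SCAN_LEN)) {
        p++;
    }
    if (p >= esp_end) {
        /* Not reached via NtCreateSection, or its frame is outside the scanned page. */
        return STATUS_SUCCESS;
    }

#ifdef _WIN64
    /*
     * esp layout look likes[2003 X64 DUMP]:
     * fffff800`0104113d nt!KiSystemServiceCopyEnd+0x3 retaddr <-------call nt!NtCreateSection
     * fffffadf`f662ec00 00000000`00000000 param1
     * fffffadf`f662ec08 00000000`000f001f param2 DesiredAccess
     * fffffadf`f662ec10 00000000`00000000
     * fffffadf`f662ec18 00000000`00000000
     * fffffadf`f662ec20 00000100`00000010 SectionPageProtection
     * fffffadf`f662ec28 00000000`01000000 AllocationAttributes
     * fffffadf`f662ec30 00000000`0000054c FileHandle
     * - ...
     */
    p++;
    /*
     * search retaddr -> nt!KiSystemServiceCopyEnd: the next slot holding an
     * address inside the kernel image.
     */
    while (p < esp_end && !AddrInRange(*p, ntModInfo.ImageBase, ntModInfo.ImageSize)) {
        p++;
    }
    if (p >= esp_end) {
        return STATUS_SUCCESS;
    }
#else
    /* stack DUMP from 2003/x86
     * ebp = p - 1
     * fa06f4d8 fa06f540
     * fa06f4dc 80908715 nt!NtCreateSection+0x15c
     * ...
     * fa06f540 fa06f564
     * fa06f544 808234cb nt!KiFastCallEntry+0xf8
     * fa06f548 fa06f668 param1
     */
    /*
     * The slot below the return address is NtCreateSection's saved ebp; it
     * points at the frame whose next slot is the return address into
     * KiFastCallEntry, followed by the arguments.  Reject a saved ebp that
     * does not point back into this stack before dereferencing through it.
     */
    p = (PVOID *)*(p - 1);
    if (p < esp || p >= stack_base) {
        return STATUS_SUCCESS;
    }
    p++;
#endif

    /*
     * p is now the dispatcher return address and arguments 1..7 follow it;
     * make sure the last slot read is still on this thread's stack.
     */
    if (p + ARG_FILE_HANDLE >= stack_base) {
        return STATUS_SUCCESS;
    }
    SectionPageProtection = (ULONG)(ULONG_PTR)*(p + ARG_SECTION_PAGE_PROTECTION);
    AllocationAttributes  = (ULONG)(ULONG_PTR)*(p + ARG_ALLOCATION_ATTRIBUTES);
    FileHandle            = (HANDLE)*(p + ARG_FILE_HANDLE);

    /* Only file-backed executable image mappings are of interest. */
    if (FileHandle == NULL
        || SectionPageProtection != PAGE_EXECUTE
        || (AllocationAttributes != SEC_IMAGE && AllocationAttributes != ALLOC_ATTR_WIN7_LOAD_DRIVER)) {
        return STATUS_SUCCESS;
    }

    /*
     * The handle value came off the caller's stack: insist on *IoFileObjectType
     * so a handle to some other object type is rejected instead of being read
     * as a FILE_OBJECT.  KernelMode skips the access check, hence DesiredAccess 0.
     */
    Status = ObReferenceObjectByHandle(FileHandle,
                                       0,
                                       *IoFileObjectType,
                                       KernelMode,
                                       (PVOID *)&File,
                                       NULL);
    if (!NT_SUCCESS(Status)) {
        return STATUS_SUCCESS;
    }
    KdPrint(("FileName:%wZ\n", &File->FileName));
    ObDereferenceObject(File);

    return STATUS_SUCCESS;
}

/*
 * Copy the first entry of the system module list (the kernel image) into
 * *modInfo.
 *
 * Returns TRUE on success.  Returns FALSE when the size probe reports nothing,
 * the pool allocation fails, or the query itself fails; *modInfo is left
 * untouched in those cases (previously it was copied even from a failed query).
 * Must run at PASSIVE_LEVEL (paged pool).
 */
BOOL GetNtImgBase(PSYSTEM_MODULE_INFORMATION modInfo)
{
    PSYSMODULELIST sysModuleList = NULL;
    ULONG size = 0;
    NTSTATUS status;
    int attempt;

    /* Zero-length buffer: the call is expected to fail and report the required size. */
    NtQuerySystemInformation(SystemModuleInformation, &size, 0, &size);

    /*
     * The module list can grow between the probe and the real query, so retry
     * a few times on STATUS_INFO_LENGTH_MISMATCH with the newly reported size.
     */
    for (attempt = 0; attempt < 3; attempt++) {
        if (size == 0) {
            return FALSE;
        }
        sysModuleList = ExAllocatePoolWithTag(PagedPool, size, 'hlpm');
        if (sysModuleList == NULL) {
            return FALSE;
        }
        status = NtQuerySystemInformation(SystemModuleInformation, sysModuleList, size, &size);
        if (NT_SUCCESS(status)) {
            /* nt module should be the first one */
            *modInfo = *sysModuleList->Modules;
            ExFreePoolWithTag(sysModuleList, 'hlpm');
            return TRUE;
        }
        ExFreePoolWithTag(sysModuleList, 'hlpm');
        sysModuleList = NULL;
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
    }
    return FALSE;
}

/*
 * Driver entry point.
 *
 * Resolves nt!NtCreateSection and the kernel image range that HookSectionOpen
 * matches return addresses against, installs the pass-through dispatch table
 * and unload routine, then hooks the Section type's OpenProcedure (saving the
 * previous value for DriverUnload).  The hook is installed last so it never
 * runs before its inputs exist.  Fails with STATUS_UNSUCCESSFUL if any
 * prerequisite cannot be resolved.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    ULONG i;
    UNICODE_STRING sFuncName;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&sFuncName, L"NtCreateSection");
    pNtCreateSection = MmGetSystemRoutineAddress(&sFuncName);
    if (pNtCreateSection == NULL) {
        KdPrint(("MmGetSystemRoutineAddress(NtCreateSection) failed!\n"));
        return STATUS_UNSUCCESSFUL;
    }
    if (!GetNtImgBase(&ntModInfo)) {
        KdPrint(("EnumSysModule nt base failed!\n"));
        return STATUS_UNSUCCESSFUL;
    }
    if (MmSectionObjectType == NULL || *MmSectionObjectType == NULL) {
        KdPrint(("MmSectionObjectType not available!\n"));
        return STATUS_UNSUCCESSFUL;
    }

    KdPrint(("nt:%p pNtCreateSection:%p\nMmSectionObjectType:%p %p %p\n",
             ntModInfo.ImageBase,
             pNtCreateSection,
             *MmSectionObjectType,
             (*MmSectionObjectType)->TypeInfo.OpenProcedure,
             (*MmSectionObjectType)->TypeInfo.DeleteProcedure));

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = DevicePassthrough;
    }
    DriverObject->DriverUnload = DriverUnload;

    /* Hook last: everything the hook reads is initialised by now. */
    pOrigSectionOpen = (*MmSectionObjectType)->TypeInfo.OpenProcedure;
    (*MmSectionObjectType)->TypeInfo.OpenProcedure = (PVOID)HookSectionOpen;

    return STATUS_SUCCESS;
}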
