
驱动防杀防删(附代码)

///////////////////////////////////////////////////////////////////////////
// 挂钩80x86 CPU，Win2k或更高版本的系统服务表，这个驱动用来防止删除指定文件  //
// Code by gt2333588 09/08/2008                                           //

// 教师节要到了，老师们辛苦了，祝锦州铁路高中全体老师节日快乐，身体健康！    //

///////////////////////////////////////////////////////////////////////////

#include #include

/*
 * Layout of one system service descriptor (the kernel's undocumented
 * KSERVICE_TABLE_DESCRIPTOR on 32-bit Windows).  Only ServiceTable is read
 * and written by this driver (see the SYSCALL() macro); the other members
 * exist so the structure matches the kernel's layout.
 *
 * NOTE(review): the member names are the author's.  In the commonly
 * described layout the second member is a pointer to the per-service counter
 * table and the third is the number of services -- confirm before relying on
 * them.  Neither is used here; in particular no service index is ever
 * bounds-checked against the service count.
 */
typedef struct _SRVTABLE {
    PVOID *ServiceTable;   /* base of the array of service routine pointers */
    ULONG LowCall;
    ULONG HiCall;
    PVOID *ArgTable;
} SRVTABLE, *PSRVTABLE;

/*
 * The kernel exports KeServiceDescriptorTable; this declaration types it as
 * a pointer to the first descriptor.
 *
 * NOTE(review): the exported symbol is the table itself, not a pointer to
 * it.  Reading it through a PSRVTABLE extern relies on how the DDK import
 * library binds data exports -- confirm with the toolchain in use.
 */
extern PSRVTABLE KeServiceDescriptorTable;

/*
 * Service-table slot of an ntoskrnl Zw* stub, usable as an lvalue (install a
 * hook) or an rvalue (fetch the routine currently in the slot).
 *
 * The service index is read from the 32-bit value at byte offset 1 of the
 * stub, i.e. this assumes every 32-bit Zw* stub begins with
 * "mov eax, <service index>" (B8 imm32).  That is an x86-only assumption.
 * The resulting index is not bounds-checked against the number of services.
 */
#define SYSCALL(_function) ServiceTable->ServiceTable[*(PULONG)((PUCHAR)_function+1)]

/* Cached copy of KeServiceDescriptorTable; set in DriverEntry(), read by SYSCALL(). */
PSRVTABLE ServiceTable;

/*
 * Saved pointer to whatever occupied the ZwSetInformationFile slot before
 * HookAPI() ran -- normally the kernel's own implementation.  The hook
 * forwards to it; UnhookSystemCall() writes it back into the table.
 */
NTSTATUS (*RealZwSetInformationFile)(IN HANDLE FileHandle,
                                     OUT PIO_STATUS_BLOCK IoStatusBlock,
                                     IN PVOID FileInformation,
                                     IN ULONG Length,
                                     IN FILE_INFORMATION_CLASS FileInformationClass);

/* Replacement service installed in the SSDT; defined below. */
NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
                                  OUT PIO_STATUS_BLOCK IoStatusBlock,
                                  IN PVOID FileInformation,
                                  IN ULONG Length,
                                  IN FILE_INFORMATION_CLASS FileInformationClass);

/* Saves the original routine and writes the hook into the service table. */
VOID HookAPI();

/* DriverUnload callback: undoes HookAPI(). */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject);

/* Makes the service table writable, calls UnhookSystemCall(), re-protects it. */
VOID UnHook();

/* Writes RealZwSetInformationFile back into its service-table slot. */
VOID UnhookSystemCall();

/*
 * Driver entry point: caches the service descriptor table pointer that the
 * SYSCALL() macro dereferences, registers the unload routine, and installs
 * the ZwSetInformationFile hook.  RegistryPath is not used.
 *
 * Returns STATUS_SUCCESS unconditionally; HookAPI() has no failure path.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    /* Must precede HookAPI(): SYSCALL() reads through ServiceTable. */
    ServiceTable = KeServiceDescriptorTable;

    /* Allow unloading; DriverUnload() removes the hook again. */
    DriverObject->DriverUnload = DriverUnload;

    HookAPI();

    return STATUS_SUCCESS;
}

/*
 * Installs HookZwSetInformationFile in place of the kernel's
 * ZwSetInformationFile service.
 *
 * The current slot contents are saved first so the hook can forward calls
 * and UnhookSystemCall() can restore them.  The SSDT lives on read-only
 * pages, so the write is bracketed by clearing and restoring CR0.WP
 * (bit 16, 10000h) with interrupts disabled.  x86-only MSVC inline assembly.
 *
 * NOTE(review): cli/sti only mask interrupts on the current processor and do
 * not raise IRQL; they protect the local write only.  The store itself is a
 * single aligned pointer write, so other processors observe either the old
 * or the new routine.  Nothing verifies that the slot still holds the
 * kernel's own routine (another hook may already be installed), and whatever
 * is found there is what the hook forwards to.
 */
VOID HookAPI()
{
    /* Save whatever is currently in the slot -- normally the real routine. */
    RealZwSetInformationFile = SYSCALL(ZwSetInformationFile);

    __asm {
        cli
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }

    SYSCALL(ZwSetInformationFile) = (PVOID)HookZwSetInformationFile;

    __asm {
        mov eax,cr0
        or eax,10000h
        mov cr0,eax
        sti
    }

    return;
}

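/*
 * Replacement for ZwSetInformationFile installed in the SSDT by HookAPI().
 *
 * Every ZwSetInformationFile call in the system lands here first.  If the
 * handle refers to the one protected file the call is refused with
 * STATUS_ACCESS_DENIED; otherwise it is forwarded unchanged to the original
 * service through RealZwSetInformationFile.
 *
 * Behaviour notes:
 *  - FileInformationClass is not inspected: every information class
 *    (delete disposition, rename, end-of-file, ...) is refused for the
 *    protected file, not only delete/rename.
 *  - Any failure while identifying the file (bad handle, no device, no DOS
 *    name) is treated as "not protected" and the call is forwarded, i.e. the
 *    check fails open.
 *  - The match is a plain case-insensitive comparison of the name recorded
 *    in the FILE_OBJECT against one fixed path; nothing here normalises it,
 *    so another spelling of the same file (8.3 short name, a path containing
 *    "..", an open relative to a directory handle, a hard link) would not
 *    match -- treat this as a best-effort guard, not a security boundary.
 *
 * Fixes relative to the original listing: the FILE_OBJECT reference taken
 * by ObReferenceObjectByHandle is now released; the handle is validated for
 * the caller's access mode instead of KernelMode; counted-string comparison
 * replaces _wcsicmp on a buffer that is not guaranteed NUL-terminated; and
 * IoStatusBlock is passed through to the original service.
 *
 * Returns: STATUS_ACCESS_DENIED for the protected file, otherwise whatever
 *          the original ZwSetInformationFile returns.
 */
NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
                                  OUT PIO_STATUS_BLOCK IoStatusBlock,
                                  IN PVOID FileInformation,
                                  IN ULONG Length,
                                  IN FILE_INFORMATION_CLASS FileInformationClass)
{
    UNICODE_STRING protectedPath;    /* path of the file relative to its volume */
    UNICODE_STRING protectedVolume;  /* DOS name of that volume */
    PFILE_OBJECT pFileObject = NULL;
    BOOLEAN deny = FALSE;
    NTSTATUS nRet;

    /* NOTE(review): the literal was reconstructed from a mangled listing; the
     * original appears to hard-code D:\工作\HOOK\objchk_wxp_x86\i386\test.txt.
     * Confirm the path before building. */
    RtlInitUnicodeString(&protectedPath, L"\\工作\\HOOK\\objchk_wxp_x86\\i386\\test.txt");
    RtlInitUnicodeString(&protectedVolume, L"D:");

    /* FileHandle comes from the caller of the system service, normally a
     * user-mode process.  Resolve it in the caller's own mode so a user-mode
     * caller cannot hand us a kernel handle, and request no specific access:
     * a handle opened with DELETE only (the usual way to delete a file) must
     * still be recognised, otherwise the check is trivially bypassed. */
    nRet = ObReferenceObjectByHandle(FileHandle,
                                     0,
                                     *IoFileObjectType,
                                     ExGetPreviousMode(),
                                     (PVOID *)&pFileObject,
                                     NULL);
    if (NT_SUCCESS(nRet)) {
        /* A file object with no device has no volume to name. */
        if (pFileObject->DeviceObject != NULL) {
            UNICODE_STRING uDosName;

            /* On success uDosName.Buffer is allocated by the kernel and is
             * returned with ExFreePool below. */
            nRet = IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uDosName);
            if (NT_SUCCESS(nRet)) {
                /* FILE_OBJECT.FileName is a counted UNICODE_STRING and is not
                 * guaranteed to be NUL-terminated, so compare it as a counted
                 * string rather than with _wcsicmp, which could read past the
                 * end of the buffer.  TRUE = case-insensitive. */
                deny = RtlEqualUnicodeString(&pFileObject->FileName, &protectedPath, TRUE) &&
                       RtlEqualUnicodeString(&uDosName, &protectedVolume, TRUE);
                ExFreePool(uDosName.Buffer);
            }
        }

        /* Balance the reference taken by ObReferenceObjectByHandle; the
         * original never released it and leaked one reference per call. */
        ObDereferenceObject(pFileObject);
    }

    if (deny) {
        return STATUS_ACCESS_DENIED;
    }

    /* Forward to the original service with all five arguments. */
    return RealZwSetInformationFile(FileHandle,
                                    IoStatusBlock,
                                    FileInformation,
                                    Length,
                                    FileInformationClass);
}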

/*
 * Unload callback registered in DriverEntry(): removes the SSDT hook so the
 * original ZwSetInformationFile is reached again.  pDriverObject is unused.
 */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;

    UnHook();
}

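/*
 * Restores the original ZwSetInformationFile entry in the service table.
 *
 * Same write-protection sequence as HookAPI(): interrupts are disabled and
 * CR0.WP (bit 16, 10000h) is cleared so the read-only SSDT page can be
 * written, then both are restored.  x86-only MSVC inline assembly.
 *
 * Fix relative to the original listing: a stray fragment of text that had
 * been spliced into the closing line of this function is removed; the
 * assembly sequence is unchanged.
 *
 * NOTE(review): writing the pointer back does not wait for threads that are
 * already inside HookZwSetInformationFile.  The driver keeps no in-flight
 * counter, so if the image is unloaded while such a thread is still running
 * the hook, that thread would fault in freed code.  Unloading under load is
 * therefore unsafe.  Also, cli/sti only affect the current processor; the
 * store itself is a single aligned pointer write.
 */
VOID UnHook()
{
    __asm {
        cli
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }

    UnhookSystemCall();

    __asm {
        mov eax,cr0
        or eax,10000h
        mov cr0,eax
        sti
    }
}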

/*
 * Writes the saved original ZwSetInformationFile pointer back into its SSDT
 * slot.  The caller (UnHook()) must already have made the table writable;
 * this routine does not touch CR0 itself.
 */
VOID UnhookSystemCall()
{
    PVOID original = (PVOID)RealZwSetInformationFile;

    SYSCALL(ZwSetInformationFile) = original;
}
