动态监控驱动、dll、exe加载

/*
 * Tested on Windows 2003 x86/x64, Windows 7 x86 and Windows 2008 R2 x64.
 */
  4 
  5 #include <ntddk.h>
  6 #include "nt_help.h"
  7 DRIVER_INITIALIZE DriverEntry;
  8 
/*
 * Private mirror of the kernel's OBJECT_TYPE_INITIALIZER, the TypeInfo
 * member of OBJECT_TYPE below.  The only member this driver touches is
 * OpenProcedure (written in DriverEntry, cleared in DriverUnload);
 * DeleteProcedure is only logged.  The member order is what the builds
 * named in the file header use and is not validated at run time, so a
 * layout change on another build silently shifts every offset.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
#if WINVER>=0x0600
    ULONG ObjectTypeCode;           // present from Vista on; shifts everything below
#endif
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;            // hooked: HookSectionOpen is stored here
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
 34 
/*
 * Private mirror of the kernel's OBJECT_TYPE, used to reach
 * TypeInfo.OpenProcedure through *MmSectionObjectType.  Same caveat as
 * OBJECT_TYPE_INITIALIZER: the layout is build-specific and unchecked.
 */
typedef struct _OBJECT_TYPE {
#if WINVER<0x0600
    ERESOURCE Mutex;                // pre-Vista only; not acquired by this driver
#endif
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;            // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;   // OpenProcedure lives in here
} OBJECT_TYPE, *POBJECT_TYPE;
 49 
/* Kernel-exported pointer to the Section object type; its
 * TypeInfo.OpenProcedure slot is overwritten in DriverEntry and cleared
 * again in DriverUnload. */
extern POBJECT_TYPE* MmSectionObjectType;
/* Address of nt!NtCreateSection, resolved in DriverEntry.  HookSectionOpen
 * looks for a return address in [pNtCreateSection, pNtCreateSection+0x300)
 * on the stack; DriverEntry does not check the lookup for NULL. */
PVOID pNtCreateSection = NULL;
/* First entry of the system module list, filled by GetNtImgBase and taken
 * to be ntoskrnl; its ImageBase/ImageSize bound the x64 search for the
 * system-service return address. */
SYSTEM_MODULE_INFORMATION ntModInfo = {0};

/* DriverEntry is only needed once; let the loader discard it. */
#pragma alloc_text(INIT, DriverEntry)
 55 
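/*
 * Dispatch routine installed for every IRP major function.  Completes
 * the request at once with STATUS_SUCCESS and zero bytes transferred.
 * DriverEntry creates no device object, so no IRP is expected to arrive;
 * the routine only keeps the MajorFunction table free of NULL entries.
 *
 * @param DeviceObject  unused
 * @param Irp           request to complete
 * @return STATUS_SUCCESS, which is also stored in Irp->IoStatus.Status
 */
NTSTATUS DevicePassthrough(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
        UNREFERENCED_PARAMETER(DeviceObject);

        Irp->IoStatus.Status = STATUS_SUCCESS;
        /* Information must be set for completed requests; nothing was transferred. */
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
}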
 66 
/*
 * Unload routine: detaches HookSectionOpen from the Section object type.
 *
 * NOTE(review): the slot is cleared to NULL rather than restored, because
 * DriverEntry only logs the previous OpenProcedure value and never saves
 * it.  A HookSectionOpen invocation still running on another CPU is not
 * waited for before the image goes away.
 *
 * @param DriverObject  unused
 */
VOID DriverUnload (IN PDRIVER_OBJECT DriverObject)
{
        POBJECT_TYPE sectionType = *MmSectionObjectType;

        UNREFERENCED_PARAMETER(DriverObject);

        sectionType->TypeInfo.OpenProcedure = NULL;
        KdPrint(("DriverUnload Done!\n"));
}
 72 
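/*
 * OpenProcedure hook stored in the Section object type.
 *
 * Runs for every section handle creation.  It walks the current kernel
 * stack upwards to the frame that called nt!NtCreateSection, reads
 * SectionPageProtection, AllocationAttributes and FileHandle from that
 * frame's argument slots, and logs the backing file's name when the
 * section looks like an image mapping (PAGE_EXECUTE together with
 * SEC_IMAGE, or the 0x100000 attribute seen for driver loads on
 * Windows 7).  The open is never refused: every path returns
 * STATUS_SUCCESS, so the routine only observes.
 *
 * The frame layout is a heuristic that matches the builds named in the
 * file header.  Every stack read is kept inside [esp, esp_end), so a
 * layout mismatch degrades to "nothing logged" instead of a wild read,
 * and the handle pulled from the stack is referenced with an explicit
 * file object type so a wrong slot cannot be cast to PFILE_OBJECT.
 *
 * The parameters are the kernel's open-procedure arguments (the Vista+
 * variant adds AccessMode); none of them is used, only the stack.
 *
 * @return STATUS_SUCCESS always
 */
#if WINVER>=0x0600
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN ULONG AccessMode,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK* GrantedAccess,
    IN ULONG HandleCount
    )
#else
NTSTATUS HookSectionOpen(
    IN ULONG OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    )
#endif
{
        PVOID* esp = (PVOID*)&esp;
        /* search window: from this local up to the next 4 KiB boundary */
        PVOID* esp_end = (PVOID*)((((ULONG_PTR)esp >> 12) + 1) << 12);
        PVOID* p = esp;
        PVOID* frame;
        ULONG SectionPageProtection, AllocationAttributes;
        HANDLE FileHandle;
        PFILE_OBJECT File;
        NTSTATUS Status;

        /*
         * DriverEntry stores MmGetSystemRoutineAddress() here unchecked.
         * With a NULL base the range test below would accept any slot
         * holding a small integer, so bail out instead of guessing.
         */
        if (pNtCreateSection == NULL)
                return STATUS_SUCCESS;

        /*
         * do stack walk back to NtCreateSection function: find the slot
         * holding a return address within its first 0x300 bytes
         */
        while (p < esp_end &&
                (*p < pNtCreateSection ||
                 *p > (PVOID)((PBYTE)pNtCreateSection + 0x300)))
                p++;

        if (p >= esp_end)
                return STATUS_SUCCESS;

#ifdef _WIN64
        /*
         * esp layout look likes[2003 X64 DUMP]:
         fffff800`0104113d nt!KiSystemServiceCopyEnd+0x3 retaddr <-------call nt!NtCreateSection
         fffffadf`f662ec00  00000000`00000000 param1
         fffffadf`f662ec08  00000000`000f001f param2 DesiredAccess
         fffffadf`f662ec10  00000000`00000000
         fffffadf`f662ec18  00000000`00000000
         fffffadf`f662ec20  00000100`00000010 SectionPageProtection
         fffffadf`f662ec28  00000000`01000000 AllocationAttributes
         fffffadf`f662ec30  00000000`0000054c FileHandle
         * - ...
         */
        p++;
        /*
         * search retaddr -> nt!KiSystemServiceCopyEnd, i.e. the first
         * slot above that points back into the nt image
         */
        while (p < esp_end &&
                (*p < ntModInfo.ImageBase ||
                 *p > (PVOID)((PBYTE)ntModInfo.ImageBase + ntModInfo.ImageSize)))
                p++;

        if (p >= esp_end)
                return STATUS_SUCCESS;

        frame = p;
#else
        /* stack DUMP from 2003/x86
         * ebp = p - 1
         fa06f4d8  fa06f540
         fa06f4dc  80908715 nt!NtCreateSection+0x15c
         ...
         fa06f540  fa06f564
         fa06f544  808234cb nt!KiFastCallEntry+0xf8
         fa06f548  fa06f668 param1
         */
        frame = (PVOID*)*(p - 1);
        /* the saved ebp must point further up the same stack window */
        if (frame <= p)
                return STATUS_SUCCESS;
        frame++;
#endif

        /* argument slots 5..7 are read below; keep them inside the window */
        if (frame + 8 > esp_end)
                return STATUS_SUCCESS;

        /* per the dumps above: +5 SectionPageProtection, +6 AllocationAttributes, +7 FileHandle */
        SectionPageProtection = (ULONG)(ULONG_PTR)frame[5];
        AllocationAttributes = (ULONG)(ULONG_PTR)frame[6];
        FileHandle = (HANDLE)frame[7];

        /* windows7 AllocationAttributes = 0x100000 to LoadDriver */
        if (FileHandle == NULL
                || SectionPageProtection != PAGE_EXECUTE
                || (AllocationAttributes != SEC_IMAGE && AllocationAttributes != 0x100000))
                return STATUS_SUCCESS;

        /*
         * The handle value was recovered heuristically from the caller's
         * stack; requiring the file object type makes a wrong slot fail
         * here instead of being cast to PFILE_OBJECT.
         */
        Status = ObReferenceObjectByHandle (FileHandle,
                        0,
                        *IoFileObjectType,
                        KernelMode,
                        (PVOID *)&File,
                        NULL);

        if (!NT_SUCCESS(Status))
                return STATUS_SUCCESS;

        KdPrint(("FileName:%wZ\n", &File->FileName));
        ObDereferenceObject(File);

        return STATUS_SUCCESS;
}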
181 
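/*
 * Copies the first entry of the system module list into *modInfo.
 * The kernel image (nt) is assumed to be that first entry; the entry
 * count is not examined here.
 *
 * @param modInfo  receives the first module record on success
 * @return TRUE when the list was read and copied; FALSE when the size
 *         query reports nothing, the pool allocation fails, or the second
 *         query fails (for example because the list grew between calls).
 */
BOOL GetNtImgBase(PSYSTEM_MODULE_INFORMATION modInfo)
{
        PSYSMODULELIST sysModuleList = NULL;
        ULONG size = 0;
        NTSTATUS status;

        /* first call is expected to fail and leave the required length in size */
        NtQuerySystemInformation(SystemModuleInformation, &size, 0, &size);
        if (size == 0)
                return FALSE;

        sysModuleList = ExAllocatePoolWithTag(PagedPool, size, 'hlpm');
        if (sysModuleList == NULL)
                return FALSE;

        status = NtQuerySystemInformation(SystemModuleInformation, sysModuleList, size, NULL);
        if (NT_SUCCESS(status)) {
                /* nt module should be the first one */
                *modInfo = *sysModuleList->Modules;
        }
        ExFreePoolWithTag(sysModuleList, 'hlpm');

        return NT_SUCCESS(status) ? TRUE : FALSE;
}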
199 
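/*
 * Driver entry point.  Resolves nt!NtCreateSection and the nt image
 * range that HookSectionOpen needs, points every IRP major function at
 * DevicePassthrough, registers DriverUnload, and finally installs
 * HookSectionOpen as the Section object type's OpenProcedure.  The hook
 * is written last so that no failure path leaves it installed.
 *
 * NOTE(review): the previous OpenProcedure value is only logged, not
 * saved, so DriverUnload can clear the slot but not restore it.  On the
 * pre-Vista layout OBJECT_TYPE carries an ERESOURCE Mutex that this
 * write does not acquire.
 *
 * @param DriverObject  driver object to populate
 * @param RegistryPath  unused
 * @return STATUS_UNSUCCESSFUL when NtCreateSection cannot be resolved or
 *         the module list cannot be read, otherwise STATUS_SUCCESS
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
        ULONG i;
        UNICODE_STRING sFuncName;
        POBJECT_TYPE sectionType;

        UNREFERENCED_PARAMETER(RegistryPath);

        RtlInitUnicodeString(&sFuncName, L"NtCreateSection");
        pNtCreateSection = MmGetSystemRoutineAddress(&sFuncName);
        /* HookSectionOpen compares stack slots against this address; without it the hook is useless */
        if (pNtCreateSection == NULL) {
                KdPrint(("MmGetSystemRoutineAddress NtCreateSection failed!\n"));
                return STATUS_UNSUCCESSFUL;
        }

        if (!GetNtImgBase(&ntModInfo)) {
                KdPrint(("EnumSysModule nt base failed!\n"));
                return STATUS_UNSUCCESSFUL;
        }

        sectionType = *MmSectionObjectType;
        KdPrint(("nt:%p pNtCreateSection:%p\nMmSectionObjectType:%p %p %p\n",
                                ntModInfo.ImageBase,
                                pNtCreateSection,
                                sectionType,
                                sectionType->TypeInfo.OpenProcedure,
                                sectionType->TypeInfo.DeleteProcedure));

        for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
                DriverObject->MajorFunction[i] = DevicePassthrough;

        DriverObject->DriverUnload = DriverUnload;

        /* go live: from here on every section open runs HookSectionOpen */
        sectionType->TypeInfo.OpenProcedure = HookSectionOpen;

        return STATUS_SUCCESS;
}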
原文地址:https://www.cnblogs.com/microzone/p/3397682.html