/*
 * Compares two counted strings for equality.
 *
 * Returns 1 when s1 and s2 have the same length and RtlCompareString
 * reports them equal (case-insensitively when CaseInsensitive is nonzero),
 * otherwise 0.  Unequal lengths short-circuit the byte comparison.
 */
STDCALL int RtlEqualString(const struct ustring *s1, const struct ustring *s2, int CaseInsensitive)
{
    int same_length = (s1->len == s2->len);
    return same_length && RtlCompareString(s1, s2, CaseInsensitive) == 0;
}
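/*
 * Process create/exit notify routine.
 *
 * Stores the notification parameters in the device extension, resolves the
 * image name of hProcessId and, on creation of net.exe, net1.exe or mmc.exe,
 * pulses extension->ProcessEvent (KeSetEvent immediately followed by
 * KeClearEvent).
 *
 * hParentId  - parent process id (recorded in the extension).
 * hProcessId - process being created or exiting.
 * bCreate    - TRUE for creation, FALSE for exit.
 */
VOID ProcessCallback(IN HANDLE hParentId, IN HANDLE hProcessId, IN BOOLEAN bCreate)
{
    PEPROCESS pEProc = NULL;
    CHAR *pName;                    /* process image name; points into the EPROCESS */
    ANSI_STRING Net1ExeName;
    ANSI_STRING NetExeName;
    ANSI_STRING MmcExeName;
    ANSI_STRING CurExeName;
    PDEVICE_EXTENSION extension;

    extension = g_pDeviceObject->DeviceExtension;
    extension->hPParentId = hParentId;
    extension->hPProcessId = hProcessId;
    extension->bPCreate = bCreate;

    /* The lookup can fail (e.g. the process is already gone); the original
     * dereferenced pEProc unconditionally.  Bail out instead. */
    if (!NT_SUCCESS(PsLookupProcessByProcessId(hProcessId, &pEProc)))
        return;

#if WINVER >= 0x0501
    pName = (CHAR*)PsGetProcessImageFileName(pEProc);   /* get the process name */
#else
    pName = (CHAR*)pEProc + 0x1FC;   /* hard-coded EPROCESS offset, used for pre-XP builds */
#endif
    DbgPrint("Create Process Name = %s.\n", pName);

    RtlInitAnsiString(&CurExeName, pName);
    RtlInitAnsiString(&Net1ExeName, "net1.exe");
    RtlInitAnsiString(&NetExeName, "net.exe");
    RtlInitAnsiString(&MmcExeName, "mmc.exe");

    if (bCreate &&
        (RtlCompareString(&NetExeName, &CurExeName, TRUE) == 0 ||
         RtlCompareString(&MmcExeName, &CurExeName, TRUE) == 0 ||
         RtlCompareString(&Net1ExeName, &CurExeName, TRUE) == 0)) {
        KeSetEvent(extension->ProcessEvent, 0, FALSE);
        KeClearEvent(extension->ProcessEvent);
    }

    /* pName aliases memory inside the EPROCESS, so the object reference is
     * held until after its last use (the original dropped it before the
     * DbgPrint and the string comparisons). */
    ObDereferenceObject(pEProc);
}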
/*
 * Sets *pbl to TRUE when pimagename equals the NUL-terminated name pstr,
 * compared case-insensitively.  *pbl is left untouched otherwise, so the
 * caller can run several candidates through the same flag.
 */
void KillCompare(PANSI_STRING pimagename, PCHAR pstr, PBOOLEAN pbl)
{
    ANSI_STRING candidate;

    RtlInitAnsiString(&candidate, pstr);
    if (RtlCompareString(pimagename, &candidate, TRUE) != 0)
        return;
    *pbl = TRUE;
}
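/*
 * Resolves an exported function by name from a PE image mapped at
 * BaseAddress.
 *
 * lpFunctionName - NUL-terminated export name (matched case-insensitively).
 * BaseAddress    - base of the mapped image.
 *
 * Returns the function's address, or NULL when the image has no export
 * directory, the name is not exported, or the export table is inconsistent.
 * Forwarder entries are not detected; the raw table entry is returned.
 *
 * The export tables are read from image memory, so every index taken from
 * them is range-checked before use.
 */
PVOID GetSectionDllFuncAddr(IN PCHAR lpFunctionName, IN PVOID BaseAddress)
{
    PVOID functionAddress = NULL;
    PIMAGE_DOS_HEADER dosheader;
    PIMAGE_OPTIONAL_HEADER opthdr;
    PIMAGE_EXPORT_DIRECTORY pExportTable;
    PDWORD arrayOfFunctionAddresses;
    PDWORD arrayOfFunctionNames;
    PWORD arrayOfFunctionOrdinals;
    DWORD exportRva;
    STRING ntFunctionName, ntFunctionNameSearch;
    PCHAR functionName;
    DWORD functionOrdinal;
    ULONG x;

    ASSERT(lpFunctionName && BaseAddress);

    dosheader = (PIMAGE_DOS_HEADER)BaseAddress;
    /* IMAGE_NT_HEADERS: 4-byte signature + 20-byte file header precede the optional header. */
    opthdr = (PIMAGE_OPTIONAL_HEADER)((PBYTE)BaseAddress + dosheader->e_lfanew + 24);

    exportRva = opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (exportRva == 0)
        return NULL;            /* image exports nothing */
    pExportTable = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)BaseAddress + exportRva);

    /* The tables hold RVAs; convert each to an address once. */
    arrayOfFunctionAddresses = (PDWORD)((PBYTE)BaseAddress + pExportTable->AddressOfFunctions);
    arrayOfFunctionNames     = (PDWORD)((PBYTE)BaseAddress + pExportTable->AddressOfNames);
    arrayOfFunctionOrdinals  = (PWORD)((PBYTE)BaseAddress + pExportTable->AddressOfNameOrdinals);

    RtlInitString(&ntFunctionNameSearch, lpFunctionName);

    /* The name and name-ordinal tables have NumberOfNames entries, not
     * NumberOfFunctions; iterating the latter (as the original did) reads
     * past both tables whenever the image has unnamed exports. */
    for (x = 0; x < pExportTable->NumberOfNames; x++) {
        functionName = (PCHAR)((PBYTE)BaseAddress + arrayOfFunctionNames[x]);
        RtlInitString(&ntFunctionName, functionName);
        if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) != 0)
            continue;

        /* Name-ordinal entries are unbiased indexes into the address table
         * (PE/COFF spec).  Base only matters for lookups by ordinal number,
         * so the original's "+ Base - 1" was wrong whenever Base != 1. */
        functionOrdinal = arrayOfFunctionOrdinals[x];
        if (functionOrdinal >= pExportTable->NumberOfFunctions)
            break;              /* inconsistent export table: refuse to index past it */
        functionAddress = (PBYTE)BaseAddress + arrayOfFunctionAddresses[functionOrdinal];
        break;
    }

    return functionAddress;
}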
/*
 * Reads "<remote_prefix>/state" from xenstore inside transaction xbt and
 * translates it into an enum v2v_endpoint_state.
 *
 * On success *state holds the parsed value and STATUS_SUCCESS is returned.
 * If the read fails its status is returned and *state is v2v_state_unknown.
 * If the string is none of the known state names, *state stays
 * v2v_state_unknown and STATUS_DATA_ERROR is returned.  The raw string is
 * freed before returning in both of the latter two cases.
 */
static NTSTATUS
v2v_get_remote_state_internal(xenbus_transaction_t xbt,
                              struct v2v_channel *channel,
                              enum v2v_endpoint_state *state)
{
    /* Name -> state table; probed in this order, first match wins. */
    static const struct {
        const char *name;
        enum v2v_endpoint_state value;
    } state_names[] = {
        { "unready",       v2v_state_unready       },
        { "listening",     v2v_state_listening     },
        { "connected",     v2v_state_connected     },
        { "disconnecting", v2v_state_disconnecting },
        { "disconnected",  v2v_state_disconnected  },
        { "crashed",       v2v_state_crashed       },
    };
    NTSTATUS status;
    char *raw;
    STRING actual, expected;
    unsigned int i;

    XM_ASSERT(channel != NULL);
    XM_ASSERT(state != NULL);

    *state = v2v_state_unknown;

    status = v2v_xenstore_readv_string(&raw, xbt, channel->remote_prefix, "state", NULL);
    if (!NT_SUCCESS(status))
        return status;

    RtlInitString(&actual, raw);
    for (i = 0; i < sizeof(state_names) / sizeof(state_names[0]); i++) {
        if (RtlCompareString(&actual, v2v_make_cs(&expected, state_names[i].name), FALSE) == 0) {
            *state = state_names[i].value;
            break;
        }
    }

    ExFreePoolWithTag(raw, V2V_TAG);
    return (*state != v2v_state_unknown) ? STATUS_SUCCESS : STATUS_DATA_ERROR;
}
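/**
 * @name TestMessageHandler
 *
 * Test message handler routine
 *
 * @param DeviceObject
 *        Device Object.
 *        This is guaranteed not to have been touched by the dispatch function
 *        before the call to the IRP handler
 * @param ControlCode
 *        I/O control code received from the user-mode side of the test
 *        (IOCTL_NOTIFY, IOCTL_SEND_STRING or IOCTL_SEND_MYSTRUCT)
 * @param Buffer
 *        Input/output buffer supplied with the request, or NULL
 * @param InLength
 *        Number of input bytes available in Buffer
 * @param OutLength
 *        On entry the number of output bytes Buffer can hold; on exit the
 *        number of bytes written (only IOCTL_SEND_MYSTRUCT writes anything)
 *
 * @return Status
 */
static
NTSTATUS
TestMessageHandler(
    IN PDEVICE_OBJECT DeviceObject,
    IN ULONG ControlCode,
    IN PVOID Buffer OPTIONAL,
    IN SIZE_T InLength,
    IN OUT PSIZE_T OutLength)
{
    NTSTATUS Status = STATUS_SUCCESS;

    switch (ControlCode)
    {
        case IOCTL_NOTIFY:
        {
            static int TimesReceived = 0;
            ++TimesReceived;
            ok(TimesReceived == 1, "Received control code 1 %d times\n", TimesReceived);
            ok_eq_pointer(Buffer, NULL);
            ok_eq_ulong((ULONG)InLength, 0LU);
            ok_eq_ulong((ULONG)*OutLength, 0LU);
            break;
        }
        case IOCTL_SEND_STRING:
        {
            static int TimesReceived = 0;
            ANSI_STRING ExpectedString = RTL_CONSTANT_STRING("yay");
            ANSI_STRING ReceivedString;
            ++TimesReceived;
            ok(TimesReceived == 1, "Received control code 2 %d times\n", TimesReceived);
            ok(Buffer != NULL, "Buffer is NULL\n");
            ok_eq_ulong((ULONG)InLength, (ULONG)ExpectedString.Length);
            ok_eq_ulong((ULONG)*OutLength, 0LU);
            /* Only build and compare the string when a buffer was supplied;
             * RtlCompareString would otherwise dereference NULL after the
             * failed ok() above.  Same skip() pattern as IOCTL_SEND_MYSTRUCT. */
            if (!skip(Buffer != NULL, "Cannot read from buffer!\n"))
            {
                ReceivedString.MaximumLength = ReceivedString.Length = (USHORT)InLength;
                ReceivedString.Buffer = Buffer;
                ok(RtlCompareString(&ExpectedString, &ReceivedString, FALSE) == 0,
                   "Received string: %Z\n", &ReceivedString);
            }
            break;
        }
        case IOCTL_SEND_MYSTRUCT:
        {
            static int TimesReceived = 0;
            MY_STRUCT ExpectedStruct = { 123, ":D" };
            MY_STRUCT ResultStruct = { 456, "!!!" };
            ++TimesReceived;
            ok(TimesReceived == 1, "Received control code 3 %d times\n", TimesReceived);
            ok(Buffer != NULL, "Buffer is NULL\n");
            ok_eq_ulong((ULONG)InLength, (ULONG)sizeof ExpectedStruct);
            ok_eq_ulong((ULONG)*OutLength, 2LU * sizeof ExpectedStruct);
            if (!skip(Buffer && InLength >= sizeof ExpectedStruct, "Cannot read from buffer!\n"))
                ok(RtlCompareMemory(&ExpectedStruct, Buffer, sizeof ExpectedStruct) == sizeof ExpectedStruct,
                   "Buffer does not contain expected values\n");
            if (!skip(Buffer && *OutLength >= 2 * sizeof ExpectedStruct, "Cannot write to buffer!\n"))
            {
                /* The reply is written after the first sizeof ExpectedStruct bytes. */
                RtlCopyMemory((PCHAR)Buffer + sizeof ExpectedStruct, &ResultStruct, sizeof ResultStruct);
                *OutLength = 2 * sizeof ExpectedStruct;
            }
            break;
        }
        default:
            /* InLength and *OutLength are SIZE_T; cast to ULONG so the %lu
             * conversions match their arguments on 64-bit builds, as the
             * other cases already do. */
            ok(0, "Got an unknown message! DeviceObject=%p, ControlCode=%lu, Buffer=%p, In=%lu, Out=%lu bytes\n",
               DeviceObject, ControlCode, Buffer, (ULONG)InLength, (ULONG)*OutLength);
            break;
    }

    return Status;
}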
/* Returns TRUE when nameInfo describes an image named CSRSS.EXE whose full
 * path ends in SYSTEM32\CSRSS.EXE (both compared case-insensitively). */
static BOOLEAN ProtectIsCsrssImage(PProcessNameInfo nameInfo)
{
    ANSI_STRING imageName, fullPath, wantName, wantTail;

    RtlInitAnsiString(&wantName, "CSRSS.EXE");
    RtlInitAnsiString(&wantTail, "SYSTEM32\\CSRSS.EXE");
    RtlInitAnsiString(&imageName, nameInfo->ImageName);
    RtlInitAnsiString(&fullPath, nameInfo->FullPath);

    if (RtlCompareString(&imageName, &wantName, TRUE) != 0)
        return FALSE;
    if (fullPath.Length <= wantTail.Length)
        return FALSE;

    /* Compare only the trailing wantTail.Length bytes of the full path. */
    fullPath.Buffer += fullPath.Length - wantTail.Length;
    fullPath.Length = fullPath.MaximumLength = wantTail.Length;
    return RtlCompareString(&fullPath, &wantTail, TRUE) == 0;
}

/*
 * Initializes the protection module: sets up the protected-object hash
 * table and its spin lock, records the EPROCESS of csrss.exe in
 * CsrssProcess, and installs the ObReferenceObjectByHandle hook.
 *
 * Returns TRUE when csrss.exe was found and the hook was installed; FALSE
 * if the process list could not be enumerated, csrss.exe was not found, or
 * hooking failed.  ProtectInit is set to TRUE/FALSE from the hook result.
 */
BOOLEAN ProtectInitialize()
{
    PObjectIdTable processTable;
    BOOLEAN found = FALSE;
    BOOLEAN hooked;
    ULONG idx;

    KdPrint(("enter ProtectInitialize\n"));

    HashTableInitialize(&ProtectObject);
    KeInitializeSpinLock(&ProtectObjectLock);

    /* Find the EPROCESS of the csrss.exe process. */
    processTable = ProcessEnum(FALSE);
    if (processTable == NULL)
        return FALSE;

    for (idx = 0; idx < processTable->Count && !found; idx++) {
        PProcessNameInfo nameInfo = QueryProcessName((PEPROCESS)processTable->Entry[idx].Object);
        if (nameInfo == NULL)
            continue;
        if (ProtectIsCsrssImage(nameInfo)) {
            CsrssProcess = (PEPROCESS)processTable->Entry[idx].Object;
            found = TRUE;
        }
        ExFreePool(nameInfo);   /* pool block returned by QueryProcessName */
    }
    ExFreePool(processTable);

    if (!found)
        return FALSE;

    /* Hook the function. */
    hooked = HookFunction(ObReferenceObjectByHandle,
                          FakeObReferenceObjectByHandle,
                          (PUCHAR)ObReferenceObjectByHandleJmpBack);
    ProtectInit = hooked ? TRUE : FALSE;
    return hooked;
}
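/*
 * Driver entry point.  Creates the \Device\hsbsys0 device and its
 * \DosDevices\hsbsys0 link, installs the dispatch table, selects the
 * EPROCESS field offsets for the running OS version, and starts the
 * KillProcess system thread.
 *
 * DriverObject - driver object supplied by the I/O manager.
 * RegistryPath - driver service key (unused).
 *
 * Returns STATUS_SUCCESS, the failing NTSTATUS from device, link or thread
 * creation, or STATUS_NOT_SUPPORTED when no offset table exists for the
 * running OS version.  On any failure the device and link created so far
 * are torn down again.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    /* EPROCESS field offsets keyed by "major.minor" OS version. */
    static const struct {
        const char *version;
        unsigned long imageFileName;
        unsigned long seAuditProcessCreationInfo;
        unsigned long activeProcessLinks;
    } offsets[] = {
        { "5.1", 0x174, 0x1f4, 0x088 },   /* XP SP3 */
        { "5.2", 0x164, 0x1e4, 0x098 },   /* Server 2003 */
        { "6.1", 0x16c, 0x1ec, 0x0b8 },   /* Windows 7 */
    };
    UNICODE_STRING DeviceName, Win32Device;
    PDEVICE_OBJECT DeviceObject = NULL;
    NTSTATUS status;
    unsigned i;
    HANDLE thhandle;
    RTL_OSVERSIONINFOW osv;
    char pszstr[512];
    ANSI_STRING str_a0;
    ANSI_STRING str_a1;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&DeviceName, L"\\Device\\hsbsys0");
    RtlInitUnicodeString(&Win32Device, L"\\DosDevices\\hsbsys0");

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = hsbsysDefaultHandler;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = hsbsysCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = hsbsysCreateClose;
    DriverObject->DriverUnload = hsbsysUnload;

    status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);
    if (!NT_SUCCESS(status))
        return status;
    if (!DeviceObject)
        return STATUS_UNEXPECTED_IO_ERROR;

    DeviceObject->Flags |= DO_DIRECT_IO;
    DeviceObject->AlignmentRequirement = FILE_WORD_ALIGNMENT;

    /* The original ignored this status and returned success with a
     * half-initialized driver; fail cleanly instead. */
    status = IoCreateSymbolicLink(&Win32Device, &DeviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(DeviceObject);
        return status;
    }

    /* dwMajorVersion/dwMinorVersion are ULONG, so %lu is the matching
     * conversion (the original used %d). */
    RtlZeroMemory(pszstr, sizeof pszstr);
    osv.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
    RtlGetVersion(&osv);
    RtlStringCbPrintfA(pszstr, sizeof pszstr, "%lu.%lu", osv.dwMajorVersion, osv.dwMinorVersion);
    RtlInitAnsiString(&str_a0, pszstr);

    for (i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        RtlInitAnsiString(&str_a1, offsets[i].version);
        if (RtlCompareString(&str_a0, &str_a1, TRUE) == 0) {
            eprooffset.ImageFileName = offsets[i].imageFileName;
            eprooffset.SE_AUDIT_PROCESS_CREATION_INFO = offsets[i].seAuditProcessCreationInfo;
            eprooffset.ActiveProcessLinks = offsets[i].activeProcessLinks;
            break;
        }
    }
    if (i == sizeof offsets / sizeof offsets[0]) {
        /* Unknown OS version: the original carried on with whatever
         * eprooffset held and let KillProcess walk EPROCESS with it.
         * Fail closed instead of touching kernel memory at wrong offsets. */
        IoDeleteSymbolicLink(&Win32Device);
        IoDeleteDevice(DeviceObject);
        return STATUS_NOT_SUPPORTED;
    }

    status = PsCreateSystemThread(&thhandle, 0, NULL, NULL, NULL, KillProcess, NULL);
    if (!NT_SUCCESS(status)) {
        IoDeleteSymbolicLink(&Win32Device);
        IoDeleteDevice(DeviceObject);
        return status;
    }
    /* The thread keeps running; only the handle (never used again) is released. */
    ZwClose(thhandle);

    DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}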