NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath) { KdPrint(("%wZ DriverEntry.\r\n", pRegistryPath)); // 初始化事件、锁、链表头 KeInitializeEvent(&g_Event, SynchronizationEvent, TRUE); KeInitializeSpinLock(&g_Lock); InitializeListHead(&g_ListHead); // 开始注册表监控 CmRegisterCallback(RegistryCallback, 0, &g_Cookie); // 创建设备和符号链接 CreateDevice(pDriverObject); // IoControl pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCompleteRoutine; pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCompleteRoutine; pDriverObject->MajorFunction[IRP_MJ_READ] = ReadCompleteRoutine; pDriverObject->MajorFunction[IRP_MJ_WRITE] = WriteCompleteRoutine; pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControlCompleteRoutine; pDriverObject->DriverUnload = DriverUnload; return STATUS_SUCCESS; }
NTSTATUS RegFuncRegister( IN PDRIVER_OBJECT pDriverObject ) { NTSTATUS Status = STATUS_SUCCESS; UNREFERENCED_PARAMETER( pDriverObject ); Status = CmRegisterCallback( RegFunc, NULL, &g_MalwFind.lnRegCookie ); if(!NT_SUCCESS( Status )) { KdPrint(("CmRegisterCallBack Failed. [ 0x%x ] \n", Status )); } return Status; }
NTSTATUS DriverEntry ( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) /*++ Routine Description: This routine is called when a driver first loads. Its purpose is to initialize global state and then register with FltMgr to start filtering. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Status of the operation. --*/ { PSECURITY_DESCRIPTOR sd; OBJECT_ATTRIBUTES oa; UNICODE_STRING uniString; NTSTATUS status = STATUS_SUCCESS; try { // // Initialize global data structures. // MiniSpyData.LogSequenceNumber = 0; MiniSpyData.MaxRecordsToAllocate = DEFAULT_MAX_RECORDS_TO_ALLOCATE; MiniSpyData.RecordsAllocated = 0; MiniSpyData.NameQueryMethod = DEFAULT_NAME_QUERY_METHOD; MiniSpyData.DriverObject = DriverObject; InitializeListHead( &MiniSpyData.OutputBufferList ); KeInitializeSpinLock( &MiniSpyData.OutputBufferLock ); ExInitializeNPagedLookasideList( &MiniSpyData.FreeBufferList, NULL, NULL, 0, RECORD_SIZE, SPY_TAG, 0 ); #if MINISPY_VISTA // // Dynamically import FilterMgr APIs for transaction support // #pragma warning(push) #pragma warning(disable:4055) // type cast from data pointer to function pointer MiniSpyData.PFltSetTransactionContext = (PFLT_SET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltSetTransactionContext" ); MiniSpyData.PFltGetTransactionContext = (PFLT_GET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltGetTransactionContext" ); MiniSpyData.PFltEnlistInTransaction = (PFLT_ENLIST_IN_TRANSACTION) FltGetRoutineAddress( "FltEnlistInTransaction" ); #pragma warning(pop) #endif // // Read the custom parameters for MiniSpy from the registry // SpyReadDriverParameters(RegistryPath); // // Now that our global configuration is complete, register with FltMgr. // status = FltRegisterFilter( DriverObject, &FilterRegistration, &MiniSpyData.Filter ); if (!NT_SUCCESS( status )) { leave; } status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS ); if (!NT_SUCCESS( status )) { leave; } RtlInitUnicodeString( &uniString, MINISPY_PORT_NAME ); InitializeObjectAttributes( &oa, &uniString, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, sd ); status = FltCreateCommunicationPort( MiniSpyData.Filter, &MiniSpyData.ServerPort, &oa, NULL, SpyConnect, SpyDisconnect, SpyMessage, 1 ); FltFreeSecurityDescriptor( sd ); if (!NT_SUCCESS( status )) { leave; } // // We are now ready to start filtering // status = FltStartFiltering( MiniSpyData.Filter ); //If all went ok, register a process creation notification cb. if (NT_SUCCESS(status)) { status = PsSetCreateProcessNotifyRoutine(ProcessCreationCB, FALSE); } //If all went ok, register also a register filter. if (NT_SUCCESS(status)) { status = CmRegisterCallback(RegistryCallback, NULL, &g_CmCookie); } } finally { if (!NT_SUCCESS( status ) ) { if (NULL != MiniSpyData.ServerPort) { FltCloseCommunicationPort( MiniSpyData.ServerPort ); } if (NULL != MiniSpyData.Filter) { FltUnregisterFilter( MiniSpyData.Filter ); } ExDeleteNPagedLookasideList( &MiniSpyData.FreeBufferList ); } } return status; }
NTSTATUS SSDTDeviceIoCtl( PDEVICE_OBJECT pDeviceObject, PIRP Irp ) { // ULONG pbuf; PLOG_BUF old; NTSTATUS s; PIO_STACK_LOCATION IrpStack; PVOID InputBuffer; PVOID OutputBuffer; ULONG InputBufferLength; ULONG OutputBufferLength; ULONG IoControlCode; s = Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IrpStack = IoGetCurrentIrpStackLocation( Irp ); InputBuffer = IrpStack->Parameters.DeviceIoControl.Type3InputBuffer; InputBufferLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength; OutputBuffer = Irp->UserBuffer; OutputBufferLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength; IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode; /////////////////////////////////////////////// //这里处理分发例程 switch( IoControlCode ) { case IOCTL_REG_PROTECTION://开启注册表保护 CmRegisterCallback(RegistryCallback, NULL, &Cookie ); Prot=TRUE; break; case IOCTL_STOP_PROTECTION://停止注册表保护 CmUnRegisterCallback(Cookie); Prot=FALSE; break; case IOCTL_SAVE_EVENT://把事件传到驱动 { EVENT_INFORMATION EvntInfo; __try { ProbeForRead( InputBuffer, sizeof(EvntInfo), sizeof( ULONG ) ); memcpy(&EvntInfo,InputBuffer,8); } __except(EXCEPTION_EXECUTE_HANDLER) { ; } if (!NT_SUCCESS(ObReferenceObjectByHandle(EvntInfo.hKernelSetEvent,0,*ExEventObjectType,UserMode,&EventKernelSet,NULL))) { EventKernelSet=NULL; } if (!NT_SUCCESS(ObReferenceObjectByHandle(EvntInfo.hKernelWaitEvent,0,*ExEventObjectType,UserMode,&EventKernelWait,NULL))) { EventKernelWait=NULL; } DbgPrint("[Kernel_Driver] EventKernelSet = 0x%X, EventKernelWait=0x%X.\n",EventKernelSet,EventKernelWait); s = STATUS_SUCCESS; break; } case IOCTL_REGISTRY_INFO://获得注册表信息 { DbgPrint("[Kernel_Driver] IOCTL_GET_CREATE_PROC_INFO.\n"); __try { REGISTRY_INFORMATION RegInfo={0}; memcpy(RegInfo.ProcessName,aProcessName,256); memcpy(RegInfo.KeyPath,astr.Buffer,256); DbgPrint("%s %s.\n",RegInfo.ProcessName,RegInfo.KeyPath); ProbeForWrite( OutputBuffer, sizeof(RegInfo), sizeof( ULONG ) ); RtlCopyMemory(OutputBuffer,&RegInfo,sizeof(RegInfo)); // it's strange. } __except(EXCEPTION_EXECUTE_HANDLER) { DbgPrint("[Kernel_Driver] IOCTL_GET_CREATE_PROC_INFO raised exception.\n"); ; } break; } case IOCTL_ALLOW_MODIFY://允许修改 { __try { ProbeForRead( InputBuffer, sizeof(CreateAllowed), sizeof( ULONG ) ); memcpy(&CreateAllowed,InputBuffer,sizeof(CreateAllowed)); } __except(EXCEPTION_EXECUTE_HANDLER) { ; } break; } //************************************************* case IOCTL_GETSSDT: //得到SSDT __try { ProbeForWrite( OutputBuffer, sizeof( MYSSDT ), sizeof( ULONG ) ); RtlCopyMemory( OutputBuffer, KeServiceDescriptorTable, sizeof( MYSSDT ) ); } __except( EXCEPTION_EXECUTE_HANDLER ) { s = GetExceptionCode(); break; } DbgPrint( "SSDT: GetSSDT Completeled!" ); break; case IOCTL_KILL: { __try { ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) ); memcpy(&processID,InputBuffer,sizeof(processID)); s=PsLookupProcessByProcessId(processID,&eProcess); if(NT_SUCCESS(s)) { ObDereferenceObject(eProcess); } s=TerminateProcess(eProcess); if(NT_SUCCESS(s)) { DbgPrint("TerminateProcess Ok!\n"); } } __except( EXCEPTION_EXECUTE_HANDLER ) { s = GetExceptionCode(); break; } // status = STATUS_SUCCESS; break; } case IOCTL_ENUMTCP://枚举TCP连接 { PVOID pOut=NULL; ULONG OutLen=0; if(OutputBufferLength<sizeof(CONNINFO102)) { KdPrint(("输出缓冲区长度无效\n")); s=STATUS_BUFFER_OVERFLOW; break; } pOut=EnumPortInformation(&OutLen,TCPPORT); if(!pOut) { KdPrint(("获取TCP端口信息失败!\n")); s=STATUS_UNSUCCESSFUL; break; } if(OutputBufferLength<OutLen) { KdPrint(("输出缓冲区太小,应为%ld\n",OutLen)); ExFreePool(pOut); s=STATUS_BUFFER_OVERFLOW; break; } RtlCopyMemory(OutputBuffer,pOut,OutLen); ExFreePool(pOut); Irp->IoStatus.Information = OutLen; break; } case IOCTL_ENUMUDP://枚举UDP连接 { PVOID pOut=NULL; ULONG OutLen=0; if(OutputBufferLength<sizeof(UDPCONNINFO)) { KdPrint(("输出缓冲区长度无效\n")); s=STATUS_BUFFER_OVERFLOW; break; } pOut=EnumPortInformation(&OutLen,UDPPORT); if(!pOut) { KdPrint(("获取UDP端口信息失败!\n")); s=STATUS_UNSUCCESSFUL; break; } if(OutputBufferLength<OutLen) { KdPrint(("输出缓冲区太小,应为%ld\n",OutLen)); ExFreePool(pOut); s=STATUS_BUFFER_OVERFLOW; break; } RtlCopyMemory(OutputBuffer,pOut,OutLen); ExFreePool(pOut); Irp->IoStatus.Information = OutLen; break; } case IOCTL_QSIADDR: EnumProcess(); __try { ProbeForWrite( OutputBuffer, OutputBufferLength, sizeof( UCHAR )); } __except( EXCEPTION_EXECUTE_HANDLER ) { Irp->IoStatus.Information = STATUS_INVALID_PARAMETER; return FALSE; } if(MAX_MESSAGE > OutputBufferLength) { return FALSE; } else if(Log->Length != 0 || Log->Next != NULL) { //pReturnLog = Log; MUTEX_P(LogMutex); // NewLog(); old=OldestLog(); if(old!=Log) { MUTEX_V(LogMutex); DbgPrint("Old log\n"); } memcpy(OutputBuffer,old->Message,old->Length); Irp->IoStatus.Information = old->Length; if(old!=Log) { ExFreePool(old); } else { DbgPrint("Current log\n"); Log->Length=0; MUTEX_V(LogMutex); } } else { // MUTEX_V(LogMutex); Irp->IoStatus.Information = 0; } DbgPrint("SSDT: Set QuerySystemInformation Address Completed!"); break; case IOCTL_SETSSDT: //设置 SSDT __try { ProbeForRead( InputBuffer, sizeof( MYSSDT ), sizeof( ULONG ) ); //去掉内存保护 __asm { cli ;//关中断 mov eax, cr0 and eax, ~0x10000 mov cr0, eax } RtlCopyMemory( KeServiceDescriptorTable, InputBuffer, sizeof( MYSSDT ) ); //开中断,把内存保护加上 __asm { mov eax, cr0 or eax, 0x10000 mov cr0, eax sti ;//开中断 } } __except( EXCEPTION_EXECUTE_HANDLER ) { s = GetExceptionCode(); break; } DbgPrint( "SSDT: SetSSDT Completeled!" ); break; //************************************************* case IOCTL_GETHOOK: //查询SSDT指定地址 __try { ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) ); ProbeForWrite( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) ); } __except( EXCEPTION_EXECUTE_HANDLER ) { s = GetExceptionCode(); break; } //测试传入的参数是否正确 if( KeServiceDescriptorTable->ulNumberOfServices <= *(PULONG)InputBuffer ) { s = STATUS_INVALID_PARAMETER; break; } //将结果传到用户输出位置 *((PULONG)OutputBuffer) = *( (PULONG)(KeServiceDescriptorTable->pvSSDTBase) + *(PULONG)InputBuffer ); DbgPrint( "SSDT: GetHookedAddress Completeled!" ); break; //************************************************* case IOCTL_SETHOOK: //设置SSDT指定地址 __try { ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) ); ProbeForRead( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) ); } __except( EXCEPTION_EXECUTE_HANDLER ) { s = GetExceptionCode(); break; } //测试传入的参数是否正确 if( KeServiceDescriptorTable->ulNumberOfServices <= *(PULONG)InputBuffer ) { s = STATUS_INVALID_PARAMETER; break; } //在此将输出缓冲区当作输入缓冲区来用,输入指定SSDT HOOK的地址值 //去掉内存保护 __asm { cli ;//关中断 mov eax, cr0 and eax, ~0x10000 mov cr0, eax } *( (PULONG)(KeServiceDescriptorTable->pvSSDTBase) + *(PULONG)InputBuffer ) = *((PULONG)OutputBuffer); //开中断,把内存保护加上 __asm { mov eax, cr0 or eax, 0x10000 mov cr0, eax sti ;//开中断 } DbgPrint( "SSDT: SetHookedAddress Completeled!" ); break; //************************************************* default: s = STATUS_INVALID_DEVICE_REQUEST; DbgPrint( "SSDT: Invalid Parameter Completeled!" ); break; } /////////////////////////////////////////////// IoCompleteRequest( Irp, IO_NO_INCREMENT ); return s; }
////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Description : initializes the driver and the filter port, registers driver and registry callbacks. // // Parameters : // _in_ PDRIVER_OBJECT pDriverObject : Data structure used to represent the driver. // _in_ PUNICODE_STRING pRegistryPath : Registry location where the information for the driver // was stored. // Return value : // NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed // Process : // Defines hidden / blocked processes names. // Creates the device driver and its symbolic link. // Sets IRP callbacks. // Creates filter communication port to send logs from the driver to the userland process. // Creates logs mutex. // Register image load and registry callbacks. ////////////////////////////////////////////////////////////////////////////////////////////////////////////// NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) { PVOID adrFunc; PDEVICE_OBJECT pDeviceObject; UNICODE_STRING usDriverName; UNICODE_STRING filterPortName; UNICODE_STRING function; OBJECT_ATTRIBUTES objAttr; RTL_OSVERSIONINFOW osInfo; PSECURITY_DESCRIPTOR securityDescriptor; NTSTATUS status; ULONG i; // import some functions we will need RtlInitUnicodeString(&function, L"ZwQueryInformationThread"); ZwQueryInformationThread = MmGetSystemRoutineAddress(&function); RtlInitUnicodeString(&function, L"ZwQueryInformationProcess"); ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function); RtlInitUnicodeString(&function, L"ZwQuerySystemInformation"); ZwQuerySystemInformation = MmGetSystemRoutineAddress(&function); RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT"); RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT"); status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject); if(!NT_SUCCESS(status)) return status; status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName); if(!NT_SUCCESS(status)) return status; pDeviceObject->Flags |= DO_BUFFERED_IO; pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING); for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++) pDriverObject->MajorFunction[i] = ioctl_NotSupported; pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl; monitored_process_list = NULL; hidden_process_list = NULL; monitored_handle_list = NULL; // initialize every function pointers to null oldNtMapViewOfSection = NULL; oldNtSetContextThread = NULL; oldNtCreateThread = NULL; oldNtQueueApcThread = NULL; oldNtCreateProcess = NULL; oldNtSystemDebugControl = NULL; oldNtCreateProcessEx = NULL; oldNtWriteVirtualMemory = NULL; oldNtDebugActiveProcess = NULL; oldNtOpenProcess = NULL; oldNtOpenThread = NULL; oldNtQuerySystemInformation = NULL; oldNtCreateFile = NULL; oldNtReadFile = NULL; oldNtWriteFile = NULL; oldNtDeleteFile = NULL; oldNtSetInformationFile = NULL; oldNtQueryInformationFile = NULL; oldNtCreateMutant = NULL; oldNtDeviceIoControlFile = NULL; oldNtTerminateProcess = NULL; oldNtDelayExecution = NULL; oldNtQueryValueKey = NULL; oldNtQueryAttributesFile = NULL; oldNtReadVirtualMemory = NULL; oldNtResumeThread = NULL; oldNtCreateSection = NULL; oldNtUserCallOneParam = NULL; oldNtUserCallNoParam = NULL; oldNtClose = NULL; oldNtOpenFile = NULL; #ifdef DEBUG DbgPrint("IOCTL_CUCKOO_PATH : 0x%08x\n", IOCTL_CUCKOO_PATH); #endif // get os version if(!NT_SUCCESS(RtlGetVersion(&osInfo))) return status; // check os version if(osInfo.dwMajorVersion == 5 && osInfo.dwMinorVersion == 1) // xp 32 bits { is_xp = 1; #ifdef DEBUG DbgPrint("windows xp !\n"); #endif } else if(osInfo.dwMajorVersion == 6 && osInfo.dwMinorVersion == 1) // win 7 { is_xp = 0; #ifdef DEBUG DbgPrint("windows 7!\n"); #endif } else { #ifdef DEBUG DbgPrint("error : not supported os\n"); #endif return -1; } status = FltRegisterFilter(pDriverObject,®istration,&filter); if(!NT_SUCCESS(status)) return status; RtlInitUnicodeString(&filterPortName, L"\\FilterPort"); status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS); if(!NT_SUCCESS(status)) return status; InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor); status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1); FltFreeSecurityDescriptor(securityDescriptor); if(!NT_SUCCESS(status)) return status; KeInitializeMutex(&mutex, 0); status = CmRegisterCallback(regCallback, NULL, &cookie); if(!NT_SUCCESS(status)) return status; status = PsSetLoadImageNotifyRoutine(imageCallback); if(!NT_SUCCESS(status)) return status; KeServiceDescriptorTableShadow = getShadowTableAddress(); if(!KeServiceDescriptorTableShadow) { #ifdef DEBUG DbgPrint("error : couldn't retrieve Shadow SSDT\n"); #endif return STATUS_UNSUCCESSFUL; } pDriverObject->DriverUnload = Unload; return STATUS_SUCCESS; }
////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Description : initializes the driver and the filter port, registers driver and registry callbacks. // // Parameters : // _in_ PDRIVER_OBJECT pDriverObject : Data structure used to represent the driver. // _in_ PUNICODE_STRING pRegistryPath : Registry location where the information for the driver // was stored. // Return value : // NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed // Process : // Defines hidden / blocked processes names. // Creates the device driver and its symbolic link. // Sets IRP callbacks. // Creates filter communication port to send logs from the driver to the userland process. // Creates logs mutex. // Hooks SSDT. // Register image load and registry callbacks. ////////////////////////////////////////////////////////////////////////////////////////////////////////////// NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) { PVOID adrFunc; PDEVICE_OBJECT pDeviceObject; UNICODE_STRING usDriverName; UNICODE_STRING filterPortName; UNICODE_STRING function; OBJECT_ATTRIBUTES objAttr; PSECURITY_DESCRIPTOR securityDescriptor; NTSTATUS status; ULONG i; // import some functions we will need RtlInitUnicodeString(&function, L"ZwQueryInformationThread"); ZwQueryInformationThread = MmGetSystemRoutineAddress(&function); RtlInitUnicodeString(&function, L"ZwQueryInformationProcess"); ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function); RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT"); RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT"); status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject); if(!NT_SUCCESS(status)) return status; status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName); if(!NT_SUCCESS(status)) return status; pDeviceObject->Flags |= DO_BUFFERED_IO; pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING); for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++) pDriverObject->MajorFunction[i] = ioctl_NotSupported; pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl; monitored_process_list = NULL; hidden_process_list = NULL; // initialize every function pointers to null oldZwMapViewOfSection = NULL; oldZwSetContextThread = NULL; oldZwCreateThread = NULL; oldZwQueueApcThread = NULL; oldZwCreateProcess = NULL; oldZwSystemDebugControl = NULL; oldZwCreateProcessEx = NULL; oldZwWriteVirtualMemory = NULL; oldZwDebugActiveProcess = NULL; oldZwOpenProcess = NULL; oldZwOpenThread = NULL; oldZwQuerySystemInformation = NULL; oldZwCreateFile = NULL; oldZwReadFile = NULL; oldZwWriteFile = NULL; oldZwDeleteFile = NULL; oldZwSetInformationFile = NULL; oldZwQueryInformationFile = NULL; oldZwCreateMutant = NULL; status = FltRegisterFilter(pDriverObject,®istration,&filter); if(!NT_SUCCESS(status)) return status; RtlInitUnicodeString(&filterPortName, L"\\FilterPort"); status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS); if(!NT_SUCCESS(status)) return status; InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor); status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1); FltFreeSecurityDescriptor(securityDescriptor); if(!NT_SUCCESS(status)) return status; KeInitializeMutex(&mutex, 0); status = CmRegisterCallback(regCallback, NULL, &cookie); if(!NT_SUCCESS(status)) return status; status = PsSetLoadImageNotifyRoutine(imageCallback); if(!NT_SUCCESS(status)) return status; hook_ssdt_entries(); pDriverObject->DriverUnload = Unload; return STATUS_SUCCESS; }
extern "C" NTSTATUS DriverEntry ( IN PDRIVER_OBJECT pDriObj, IN PUNICODE_STRING pRegPath ) { NTSTATUS status = STATUS_UNSUCCESSFUL; PDEVICE_EXTENSION pDevExt; pDriObj->DriverUnload = DriverUnloadRoutine; pDriObj->MajorFunction[IRP_MJ_CREATE] = OnCreate; pDriObj->MajorFunction[IRP_MJ_CLOSE] = OnCreate; pDriObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControl; g_MonitoringOn = FALSE; InUse = 0; UNICODE_STRING DeviceName; UNICODE_STRING SymLinkName; RtlInitUnicodeString(&DeviceName, DEVICENAME); RtlInitUnicodeString(&SymLinkName, SYMLINKNAME); do{ status = IoCreateDevice(pDriObj, sizeof(DEVICE_EXTENSION), &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &g_DeviceObject); if (!NT_SUCCESS(status)) { KdPrint(("[RegMon] 设备无法创建(0x%08x)\n", status)); break; } g_DeviceObject->Flags |= DO_BUFFERED_IO; pDevExt = (PDEVICE_EXTENSION)g_DeviceObject->DeviceExtension; pDevExt->pDevObj = g_DeviceObject; status = IoCreateSymbolicLink(&SymLinkName, &DeviceName); if (!NT_SUCCESS(status)) { KdPrint(("[RegMon] 符号链接无法创建(0x%08x)\n", status)); IoDeleteDevice(g_DeviceObject); break; } pDevExt->ustrDevSymLinkName = SymLinkName; status = CmRegisterCallback(RegistryCallback, pDevExt, &pDevExt->RegCallbackCookies); if (!NT_SUCCESS(status)) { KdPrint(("[RegMon] 注册表回调函数无法注册(0x%08x)\n", status)); IoDeleteSymbolicLink(&SymLinkName); IoDeleteDevice(g_DeviceObject); break; } if (!pDevExt->Queue.Init() || !pDevExt->WhiteList.Init(NULL, 0) || !pDevExt->BlockList.Init(NULL, 0)) { KdPrint(("[RegMon] 列表初始化失败\n")); CmUnRegisterCallback(pDevExt->RegCallbackCookies); pDevExt->BlockList.FreeList(); pDevExt->WhiteList.FreeList(); pDevExt->Queue.FreeQueue(); IoDeleteSymbolicLink(&SymLinkName); IoDeleteDevice(g_DeviceObject); break; } status = STATUS_SUCCESS; } while(0); KdPrint(("[RegMon] 注册表监控驱动加载完毕(0x%08x)\n", status)); return status; }