NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
KdPrint(("%wZ DriverEntry.\r\n", pRegistryPath));
// 初始化事件、锁、链表头
KeInitializeEvent(&g_Event, SynchronizationEvent, TRUE);
KeInitializeSpinLock(&g_Lock);
InitializeListHead(&g_ListHead);
// 开始注册表监控
CmRegisterCallback(RegistryCallback, 0, &g_Cookie);
// 创建设备和符号链接
CreateDevice(pDriverObject);
// IoControl
pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCompleteRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCompleteRoutine;
pDriverObject->MajorFunction[IRP_MJ_READ] = ReadCompleteRoutine;
pDriverObject->MajorFunction[IRP_MJ_WRITE] = WriteCompleteRoutine;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControlCompleteRoutine;
pDriverObject->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}
NTSTATUS
RegFuncRegister( IN PDRIVER_OBJECT pDriverObject )
{
NTSTATUS Status = STATUS_SUCCESS;
UNREFERENCED_PARAMETER( pDriverObject );
Status = CmRegisterCallback( RegFunc, NULL, &g_MalwFind.lnRegCookie );
if(!NT_SUCCESS( Status ))
{
KdPrint(("CmRegisterCallBack Failed. [ 0x%x ] \n", Status ));
}
return Status;
}
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This routine is called when a driver first loads. Its purpose is to
initialize global state and then register with FltMgr to start filtering.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Status of the operation.
--*/
{
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
NTSTATUS status = STATUS_SUCCESS;
try {
//
// Initialize global data structures.
//
MiniSpyData.LogSequenceNumber = 0;
MiniSpyData.MaxRecordsToAllocate = DEFAULT_MAX_RECORDS_TO_ALLOCATE;
MiniSpyData.RecordsAllocated = 0;
MiniSpyData.NameQueryMethod = DEFAULT_NAME_QUERY_METHOD;
MiniSpyData.DriverObject = DriverObject;
InitializeListHead( &MiniSpyData.OutputBufferList );
KeInitializeSpinLock( &MiniSpyData.OutputBufferLock );
ExInitializeNPagedLookasideList( &MiniSpyData.FreeBufferList,
NULL,
NULL,
0,
RECORD_SIZE,
SPY_TAG,
0 );
#if MINISPY_VISTA
//
// Dynamically import FilterMgr APIs for transaction support
//
#pragma warning(push)
#pragma warning(disable:4055) // type cast from data pointer to function pointer
MiniSpyData.PFltSetTransactionContext = (PFLT_SET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltSetTransactionContext" );
MiniSpyData.PFltGetTransactionContext = (PFLT_GET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltGetTransactionContext" );
MiniSpyData.PFltEnlistInTransaction = (PFLT_ENLIST_IN_TRANSACTION) FltGetRoutineAddress( "FltEnlistInTransaction" );
#pragma warning(pop)
#endif
//
// Read the custom parameters for MiniSpy from the registry
//
SpyReadDriverParameters(RegistryPath);
//
// Now that our global configuration is complete, register with FltMgr.
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&MiniSpyData.Filter );
if (!NT_SUCCESS( status )) {
leave;
}
status = FltBuildDefaultSecurityDescriptor( &sd,
FLT_PORT_ALL_ACCESS );
if (!NT_SUCCESS( status )) {
leave;
}
RtlInitUnicodeString( &uniString, MINISPY_PORT_NAME );
InitializeObjectAttributes( &oa,
&uniString,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
sd );
status = FltCreateCommunicationPort( MiniSpyData.Filter,
&MiniSpyData.ServerPort,
&oa,
NULL,
SpyConnect,
SpyDisconnect,
SpyMessage,
1 );
FltFreeSecurityDescriptor( sd );
if (!NT_SUCCESS( status )) {
leave;
}
//
// We are now ready to start filtering
//
status = FltStartFiltering( MiniSpyData.Filter );
//If all went ok, register a process creation notification cb.
if (NT_SUCCESS(status))
{
status = PsSetCreateProcessNotifyRoutine(ProcessCreationCB, FALSE);
}
//If all went ok, register also a register filter.
if (NT_SUCCESS(status))
{
status = CmRegisterCallback(RegistryCallback, NULL, &g_CmCookie);
}
} finally {
if (!NT_SUCCESS( status ) ) {
if (NULL != MiniSpyData.ServerPort) {
FltCloseCommunicationPort( MiniSpyData.ServerPort );
}
if (NULL != MiniSpyData.Filter) {
FltUnregisterFilter( MiniSpyData.Filter );
}
ExDeleteNPagedLookasideList( &MiniSpyData.FreeBufferList );
}
}
return status;
}
NTSTATUS SSDTDeviceIoCtl( PDEVICE_OBJECT pDeviceObject, PIRP Irp )
{
// ULONG pbuf;
PLOG_BUF old;
NTSTATUS s;
PIO_STACK_LOCATION IrpStack;
PVOID InputBuffer;
PVOID OutputBuffer;
ULONG InputBufferLength;
ULONG OutputBufferLength;
ULONG IoControlCode;
s = Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation( Irp );
InputBuffer = IrpStack->Parameters.DeviceIoControl.Type3InputBuffer;
InputBufferLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
OutputBuffer = Irp->UserBuffer;
OutputBufferLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
///////////////////////////////////////////////
//这里处理分发例程
switch( IoControlCode )
{
case IOCTL_REG_PROTECTION://开启注册表保护
CmRegisterCallback(RegistryCallback,
NULL,
&Cookie
);
Prot=TRUE;
break;
case IOCTL_STOP_PROTECTION://停止注册表保护
CmUnRegisterCallback(Cookie);
Prot=FALSE;
break;
case IOCTL_SAVE_EVENT://把事件传到驱动
{
EVENT_INFORMATION EvntInfo;
__try
{
ProbeForRead( InputBuffer, sizeof(EvntInfo), sizeof( ULONG ) );
memcpy(&EvntInfo,InputBuffer,8);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
if (!NT_SUCCESS(ObReferenceObjectByHandle(EvntInfo.hKernelSetEvent,0,*ExEventObjectType,UserMode,&EventKernelSet,NULL)))
{
EventKernelSet=NULL;
}
if (!NT_SUCCESS(ObReferenceObjectByHandle(EvntInfo.hKernelWaitEvent,0,*ExEventObjectType,UserMode,&EventKernelWait,NULL)))
{
EventKernelWait=NULL;
}
DbgPrint("[Kernel_Driver] EventKernelSet = 0x%X, EventKernelWait=0x%X.\n",EventKernelSet,EventKernelWait);
s = STATUS_SUCCESS;
break;
}
case IOCTL_REGISTRY_INFO://获得注册表信息
{
DbgPrint("[Kernel_Driver] IOCTL_GET_CREATE_PROC_INFO.\n");
__try
{
REGISTRY_INFORMATION RegInfo={0};
memcpy(RegInfo.ProcessName,aProcessName,256);
memcpy(RegInfo.KeyPath,astr.Buffer,256);
DbgPrint("%s %s.\n",RegInfo.ProcessName,RegInfo.KeyPath);
ProbeForWrite( OutputBuffer, sizeof(RegInfo), sizeof( ULONG ) );
RtlCopyMemory(OutputBuffer,&RegInfo,sizeof(RegInfo)); // it's strange.
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
DbgPrint("[Kernel_Driver] IOCTL_GET_CREATE_PROC_INFO raised exception.\n");
;
}
break;
}
case IOCTL_ALLOW_MODIFY://允许修改
{
__try
{
ProbeForRead( InputBuffer, sizeof(CreateAllowed), sizeof( ULONG ) );
memcpy(&CreateAllowed,InputBuffer,sizeof(CreateAllowed));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
//*************************************************
case IOCTL_GETSSDT: //得到SSDT
__try
{
ProbeForWrite( OutputBuffer, sizeof( MYSSDT ), sizeof( ULONG ) );
RtlCopyMemory( OutputBuffer, KeServiceDescriptorTable, sizeof( MYSSDT ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
DbgPrint( "SSDT: GetSSDT Completeled!" );
break;
case IOCTL_KILL:
{
__try
{
ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
memcpy(&processID,InputBuffer,sizeof(processID));
s=PsLookupProcessByProcessId(processID,&eProcess);
if(NT_SUCCESS(s))
{
ObDereferenceObject(eProcess);
}
s=TerminateProcess(eProcess);
if(NT_SUCCESS(s))
{
DbgPrint("TerminateProcess Ok!\n");
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
// status = STATUS_SUCCESS;
break;
}
case IOCTL_ENUMTCP://枚举TCP连接
{
PVOID pOut=NULL;
ULONG OutLen=0;
if(OutputBufferLength<sizeof(CONNINFO102))
{
KdPrint(("输出缓冲区长度无效\n"));
s=STATUS_BUFFER_OVERFLOW;
break;
}
pOut=EnumPortInformation(&OutLen,TCPPORT);
if(!pOut)
{
KdPrint(("获取TCP端口信息失败!\n"));
s=STATUS_UNSUCCESSFUL;
break;
}
if(OutputBufferLength<OutLen)
{
KdPrint(("输出缓冲区太小,应为%ld\n",OutLen));
ExFreePool(pOut);
s=STATUS_BUFFER_OVERFLOW;
break;
}
RtlCopyMemory(OutputBuffer,pOut,OutLen);
ExFreePool(pOut);
Irp->IoStatus.Information = OutLen;
break;
}
case IOCTL_ENUMUDP://枚举UDP连接
{
PVOID pOut=NULL;
ULONG OutLen=0;
if(OutputBufferLength<sizeof(UDPCONNINFO))
{
KdPrint(("输出缓冲区长度无效\n"));
s=STATUS_BUFFER_OVERFLOW;
break;
}
pOut=EnumPortInformation(&OutLen,UDPPORT);
if(!pOut)
{
KdPrint(("获取UDP端口信息失败!\n"));
s=STATUS_UNSUCCESSFUL;
break;
}
if(OutputBufferLength<OutLen)
{
KdPrint(("输出缓冲区太小,应为%ld\n",OutLen));
ExFreePool(pOut);
s=STATUS_BUFFER_OVERFLOW;
break;
}
RtlCopyMemory(OutputBuffer,pOut,OutLen);
ExFreePool(pOut);
Irp->IoStatus.Information = OutLen;
break;
}
case IOCTL_QSIADDR:
EnumProcess();
__try {
ProbeForWrite( OutputBuffer,
OutputBufferLength,
sizeof( UCHAR ));
} __except( EXCEPTION_EXECUTE_HANDLER ) {
Irp->IoStatus.Information = STATUS_INVALID_PARAMETER;
return FALSE;
}
if(MAX_MESSAGE > OutputBufferLength)
{
return FALSE;
}
else
if(Log->Length != 0 || Log->Next != NULL)
{
//pReturnLog = Log;
MUTEX_P(LogMutex);
// NewLog();
old=OldestLog();
if(old!=Log)
{
MUTEX_V(LogMutex);
DbgPrint("Old log\n");
}
memcpy(OutputBuffer,old->Message,old->Length);
Irp->IoStatus.Information = old->Length;
if(old!=Log)
{
ExFreePool(old);
}
else
{
DbgPrint("Current log\n");
Log->Length=0;
MUTEX_V(LogMutex);
}
}
else
{
// MUTEX_V(LogMutex);
Irp->IoStatus.Information = 0;
}
DbgPrint("SSDT: Set QuerySystemInformation Address Completed!");
break;
case IOCTL_SETSSDT: //设置 SSDT
__try
{
ProbeForRead( InputBuffer, sizeof( MYSSDT ), sizeof( ULONG ) );
//去掉内存保护
__asm
{
cli ;//关中断
mov eax, cr0
and eax, ~0x10000
mov cr0, eax
}
RtlCopyMemory( KeServiceDescriptorTable, InputBuffer, sizeof( MYSSDT ) );
//开中断,把内存保护加上
__asm
{
mov eax, cr0
or eax, 0x10000
mov cr0, eax
sti ;//开中断
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
DbgPrint( "SSDT: SetSSDT Completeled!" );
break;
//*************************************************
case IOCTL_GETHOOK: //查询SSDT指定地址
__try
{
ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
ProbeForWrite( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
//测试传入的参数是否正确
if( KeServiceDescriptorTable->ulNumberOfServices <= *(PULONG)InputBuffer )
{
s = STATUS_INVALID_PARAMETER;
break;
}
//将结果传到用户输出位置
*((PULONG)OutputBuffer) = *( (PULONG)(KeServiceDescriptorTable->pvSSDTBase) + *(PULONG)InputBuffer );
DbgPrint( "SSDT: GetHookedAddress Completeled!" );
break;
//*************************************************
case IOCTL_SETHOOK: //设置SSDT指定地址
__try
{
ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
ProbeForRead( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
//测试传入的参数是否正确
if( KeServiceDescriptorTable->ulNumberOfServices <= *(PULONG)InputBuffer )
{
s = STATUS_INVALID_PARAMETER;
break;
}
//在此将输出缓冲区当作输入缓冲区来用,输入指定SSDT HOOK的地址值
//去掉内存保护
__asm
{
cli ;//关中断
mov eax, cr0
and eax, ~0x10000
mov cr0, eax
}
*( (PULONG)(KeServiceDescriptorTable->pvSSDTBase) + *(PULONG)InputBuffer ) = *((PULONG)OutputBuffer);
//开中断,把内存保护加上
__asm
{
mov eax, cr0
or eax, 0x10000
mov cr0, eax
sti ;//开中断
}
DbgPrint( "SSDT: SetHookedAddress Completeled!" );
break;
//*************************************************
default:
s = STATUS_INVALID_DEVICE_REQUEST;
DbgPrint( "SSDT: Invalid Parameter Completeled!" );
break;
}
///////////////////////////////////////////////
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return s;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Description : initializes the driver and the filter port, registers driver and registry callbacks.
//
// Parameters :
// _in_ PDRIVER_OBJECT pDriverObject : Data structure used to represent the driver.
// _in_ PUNICODE_STRING pRegistryPath : Registry location where the information for the driver
// was stored.
// Return value :
// NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed
// Process :
// Defines hidden / blocked processes names.
// Creates the device driver and its symbolic link.
// Sets IRP callbacks.
// Creates filter communication port to send logs from the driver to the userland process.
// Creates logs mutex.
// Register image load and registry callbacks.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
PVOID adrFunc;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING usDriverName;
UNICODE_STRING filterPortName;
UNICODE_STRING function;
OBJECT_ATTRIBUTES objAttr;
RTL_OSVERSIONINFOW osInfo;
PSECURITY_DESCRIPTOR securityDescriptor;
NTSTATUS status;
ULONG i;
// import some functions we will need
RtlInitUnicodeString(&function, L"ZwQueryInformationThread");
ZwQueryInformationThread = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&function, L"ZwQueryInformationProcess");
ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&function, L"ZwQuerySystemInformation");
ZwQuerySystemInformation = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT");
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT");
status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
if(!NT_SUCCESS(status))
return status;
status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
if(!NT_SUCCESS(status))
return status;
pDeviceObject->Flags |= DO_BUFFERED_IO;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++)
pDriverObject->MajorFunction[i] = ioctl_NotSupported;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl;
monitored_process_list = NULL;
hidden_process_list = NULL;
monitored_handle_list = NULL;
// initialize every function pointers to null
oldNtMapViewOfSection = NULL;
oldNtSetContextThread = NULL;
oldNtCreateThread = NULL;
oldNtQueueApcThread = NULL;
oldNtCreateProcess = NULL;
oldNtSystemDebugControl = NULL;
oldNtCreateProcessEx = NULL;
oldNtWriteVirtualMemory = NULL;
oldNtDebugActiveProcess = NULL;
oldNtOpenProcess = NULL;
oldNtOpenThread = NULL;
oldNtQuerySystemInformation = NULL;
oldNtCreateFile = NULL;
oldNtReadFile = NULL;
oldNtWriteFile = NULL;
oldNtDeleteFile = NULL;
oldNtSetInformationFile = NULL;
oldNtQueryInformationFile = NULL;
oldNtCreateMutant = NULL;
oldNtDeviceIoControlFile = NULL;
oldNtTerminateProcess = NULL;
oldNtDelayExecution = NULL;
oldNtQueryValueKey = NULL;
oldNtQueryAttributesFile = NULL;
oldNtReadVirtualMemory = NULL;
oldNtResumeThread = NULL;
oldNtCreateSection = NULL;
oldNtUserCallOneParam = NULL;
oldNtUserCallNoParam = NULL;
oldNtClose = NULL;
oldNtOpenFile = NULL;
#ifdef DEBUG
DbgPrint("IOCTL_CUCKOO_PATH : 0x%08x\n", IOCTL_CUCKOO_PATH);
#endif
// get os version
if(!NT_SUCCESS(RtlGetVersion(&osInfo)))
return status;
// check os version
if(osInfo.dwMajorVersion == 5 && osInfo.dwMinorVersion == 1) // xp 32 bits
{
is_xp = 1;
#ifdef DEBUG
DbgPrint("windows xp !\n");
#endif
}
else if(osInfo.dwMajorVersion == 6 && osInfo.dwMinorVersion == 1) // win 7
{
is_xp = 0;
#ifdef DEBUG
DbgPrint("windows 7!\n");
#endif
}
else
{
#ifdef DEBUG
DbgPrint("error : not supported os\n");
#endif
return -1;
}
status = FltRegisterFilter(pDriverObject,®istration,&filter);
if(!NT_SUCCESS(status))
return status;
RtlInitUnicodeString(&filterPortName, L"\\FilterPort");
status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS);
if(!NT_SUCCESS(status))
return status;
InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor);
status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1);
FltFreeSecurityDescriptor(securityDescriptor);
if(!NT_SUCCESS(status))
return status;
KeInitializeMutex(&mutex, 0);
status = CmRegisterCallback(regCallback, NULL, &cookie);
if(!NT_SUCCESS(status))
return status;
status = PsSetLoadImageNotifyRoutine(imageCallback);
if(!NT_SUCCESS(status))
return status;
KeServiceDescriptorTableShadow = getShadowTableAddress();
if(!KeServiceDescriptorTableShadow)
{
#ifdef DEBUG
DbgPrint("error : couldn't retrieve Shadow SSDT\n");
#endif
return STATUS_UNSUCCESSFUL;
}
pDriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Description : initializes the driver and the filter port, registers driver and registry callbacks.
//
// Parameters :
// _in_ PDRIVER_OBJECT pDriverObject : Data structure used to represent the driver.
// _in_ PUNICODE_STRING pRegistryPath : Registry location where the information for the driver
// was stored.
// Return value :
// NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed
// Process :
// Defines hidden / blocked processes names.
// Creates the device driver and its symbolic link.
// Sets IRP callbacks.
// Creates filter communication port to send logs from the driver to the userland process.
// Creates logs mutex.
// Hooks SSDT.
// Register image load and registry callbacks.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
PVOID adrFunc;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING usDriverName;
UNICODE_STRING filterPortName;
UNICODE_STRING function;
OBJECT_ATTRIBUTES objAttr;
PSECURITY_DESCRIPTOR securityDescriptor;
NTSTATUS status;
ULONG i;
// import some functions we will need
RtlInitUnicodeString(&function, L"ZwQueryInformationThread");
ZwQueryInformationThread = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&function, L"ZwQueryInformationProcess");
ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT");
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT");
status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
if(!NT_SUCCESS(status))
return status;
status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
if(!NT_SUCCESS(status))
return status;
pDeviceObject->Flags |= DO_BUFFERED_IO;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++)
pDriverObject->MajorFunction[i] = ioctl_NotSupported;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl;
monitored_process_list = NULL;
hidden_process_list = NULL;
// initialize every function pointers to null
oldZwMapViewOfSection = NULL;
oldZwSetContextThread = NULL;
oldZwCreateThread = NULL;
oldZwQueueApcThread = NULL;
oldZwCreateProcess = NULL;
oldZwSystemDebugControl = NULL;
oldZwCreateProcessEx = NULL;
oldZwWriteVirtualMemory = NULL;
oldZwDebugActiveProcess = NULL;
oldZwOpenProcess = NULL;
oldZwOpenThread = NULL;
oldZwQuerySystemInformation = NULL;
oldZwCreateFile = NULL;
oldZwReadFile = NULL;
oldZwWriteFile = NULL;
oldZwDeleteFile = NULL;
oldZwSetInformationFile = NULL;
oldZwQueryInformationFile = NULL;
oldZwCreateMutant = NULL;
status = FltRegisterFilter(pDriverObject,®istration,&filter);
if(!NT_SUCCESS(status))
return status;
RtlInitUnicodeString(&filterPortName, L"\\FilterPort");
status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS);
if(!NT_SUCCESS(status))
return status;
InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor);
status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1);
FltFreeSecurityDescriptor(securityDescriptor);
if(!NT_SUCCESS(status))
return status;
KeInitializeMutex(&mutex, 0);
status = CmRegisterCallback(regCallback, NULL, &cookie);
if(!NT_SUCCESS(status))
return status;
status = PsSetLoadImageNotifyRoutine(imageCallback);
if(!NT_SUCCESS(status))
return status;
hook_ssdt_entries();
pDriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}
extern "C" NTSTATUS DriverEntry (
IN PDRIVER_OBJECT pDriObj,
IN PUNICODE_STRING pRegPath
)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
PDEVICE_EXTENSION pDevExt;
pDriObj->DriverUnload = DriverUnloadRoutine;
pDriObj->MajorFunction[IRP_MJ_CREATE] = OnCreate;
pDriObj->MajorFunction[IRP_MJ_CLOSE] = OnCreate;
pDriObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControl;
g_MonitoringOn = FALSE;
InUse = 0;
UNICODE_STRING DeviceName;
UNICODE_STRING SymLinkName;
RtlInitUnicodeString(&DeviceName, DEVICENAME);
RtlInitUnicodeString(&SymLinkName, SYMLINKNAME);
do{
status = IoCreateDevice(pDriObj, sizeof(DEVICE_EXTENSION),
&DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE,
&g_DeviceObject);
if (!NT_SUCCESS(status)) {
KdPrint(("[RegMon] 设备无法创建(0x%08x)\n", status));
break;
}
g_DeviceObject->Flags |= DO_BUFFERED_IO;
pDevExt = (PDEVICE_EXTENSION)g_DeviceObject->DeviceExtension;
pDevExt->pDevObj = g_DeviceObject;
status = IoCreateSymbolicLink(&SymLinkName, &DeviceName);
if (!NT_SUCCESS(status)) {
KdPrint(("[RegMon] 符号链接无法创建(0x%08x)\n", status));
IoDeleteDevice(g_DeviceObject);
break;
}
pDevExt->ustrDevSymLinkName = SymLinkName;
status = CmRegisterCallback(RegistryCallback, pDevExt, &pDevExt->RegCallbackCookies);
if (!NT_SUCCESS(status)) {
KdPrint(("[RegMon] 注册表回调函数无法注册(0x%08x)\n", status));
IoDeleteSymbolicLink(&SymLinkName);
IoDeleteDevice(g_DeviceObject);
break;
}
if (!pDevExt->Queue.Init() ||
!pDevExt->WhiteList.Init(NULL, 0) ||
!pDevExt->BlockList.Init(NULL, 0))
{
KdPrint(("[RegMon] 列表初始化失败\n"));
CmUnRegisterCallback(pDevExt->RegCallbackCookies);
pDevExt->BlockList.FreeList();
pDevExt->WhiteList.FreeList();
pDevExt->Queue.FreeQueue();
IoDeleteSymbolicLink(&SymLinkName);
IoDeleteDevice(g_DeviceObject);
break;
}
status = STATUS_SUCCESS;
} while(0);
KdPrint(("[RegMon] 注册表监控驱动加载完毕(0x%08x)\n", status));
return status;
}
