
挂钩keusermodeCallback函数实现“财产保镖”(2)



if (!RvAModu1eNameIsZory
&& !_strnicmp(ModuleName, ImportName, sizeof(ImportName)))
{
//得到输入表结构里指向INT和IAT的VA
OriginalFirstThunk = (ULONG *)((CHAR *)ModlueBase + pImportModuleDirectory->OriginalFirstThunk);
FirstThunk = (ULONG *)((CHAR *)ModlueBase +
pImportModuleDirectory->FirstThunk);
for (i=0;FirstThunk[i];i++)
{
Imageimportbyname = OriginalFirstThunk[i]; if ( Imageimportbyname < (ULONG)ModlueBase ) Imageimportbyname += (ULONG)ModlueBase; if (Imageimportbyname)
{
//以函数名称方式输入
if
(!_strnicmp((PCHAR)&Imageimportbyname->Name[0], ApiName, strlen(ApiName))
&& MmIsAddressValid(FirstThunk[i]))
{
/*
DbgPrint(^i=%d, funcname=[%s]----hookfunc=[%s]\n", i, (PCHAR)&Imageimportbynam
e->Name[0],ApiName);
这里请注意Imageimportbyname->Name得到的是 函数名称的首字母*/
DbgPrint("IAT
ENTRY=0x%x, IatAddress=Ox%X, funcname=[%s]----hookfunc=[%s]\n' (ULONG *) ((CHAR
*)ModlueBase +
pImportModuleDirectory->FirstThunk+i*4), FirstThunk[i], (PCHAR)&Imageimportby name->Name[0], ApiName);
*originalFuncAddr = (ULONG)Fi rs tThunk[i]; reslut =
HookFunc(&FirstThunk[i], fakeFunctionAddr);
goto Exit;
break;
}
pImportModuleDirectory++;
_except (EXCEPTION_EXECUTE_HANDLER)
{
reslut =0;
}
else
reslut =0;
Exit: return result;
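/*
 * HookFunc - overwrite one IAT thunk slot with the address of a replacement
 * function.
 *
 * ImportFuncVA : virtual address of the IAT slot (a ULONG-sized cell) that
 *                currently holds the original import address.
 * fake_func    : address of the replacement function written into the slot.
 *
 * Returns 1 when the slot was overwritten, 0 otherwise (NULL argument, MDL
 * allocation failure, or no usable system mapping).
 *
 * The slot is written through an MDL-backed system mapping instead of
 * directly: the page is locked for IoWriteAccess and the write goes through
 * the resulting system VA, which is how this code gets past the IAT page's
 * normal write protection.
 *
 * Fixes relative to the original: `result` was left uninitialized on every
 * failure path past the argument check (UB; the caller could read garbage as
 * "success"), and neither the MDL nor the mapping created by
 * MmMapLockedPagesSpecifyCache was ever released, leaking on every call.
 */
ULONG HookFunc(IN PVOID ImportFuncVA, IN ULONG fake_func)
{
    PMDL  mdl = NULL;
    PVOID mapped = NULL;
    BOOL  mappedByUs = 0;   /* we created the mapping -> we must unmap it */
    ULONG result = 0;       /* default to failure on every early exit */

    if (!ImportFuncVA || !fake_func)
        return 0;

    mdl = IoAllocateMdl(ImportFuncVA, sizeof(ULONG), FALSE, FALSE, NULL);
    if (!mdl)
        return 0;

    /* NOTE(review): MmProbeAndLockPages raises an exception (it does not
     * return a status) when the page cannot be locked. In the driver this
     * call belongs inside __try/__except so a bad ImportFuncVA cannot
     * bugcheck the machine; the original had no guard here either. */
    MmProbeAndLockPages(mdl, KernelMode, IoWriteAccess);

    /* Reuse a system mapping the MDL already has; otherwise create one and
     * remember to tear it down. */
    if (mdl->MdlFlags & (MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL)) {
        mapped = mdl->MappedSystemVa;
    } else {
        mapped = MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmCached,
                                              NULL, NULL, NormalPagePriority);
        mappedByUs = (mapped != NULL);
    }

    if (MmIsAddressValid(mapped)) {
        /* Atomic pointer-sized store: a thread resolving the import
         * concurrently sees either the old or the new address, never a torn one. */
        InterlockedExchangePointer(mapped, (PVOID)fake_func);
        result = 1;
    }

    /* Release in reverse order of acquisition. */
    if (mappedByUs)
        MmUnmapLockedPages(mapped, mdl);
    MmUnlockPages(mdl);
    IoFreeMdl(mdl);

    return result;
}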
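/*
 * fake_KeUserModeCallback - IAT hook installed in place of KeUserModeCallback
 * that can veto DLL loads into the current process.
 *
 * Parameters mirror KeUserModeCallback and are passed straight through to the
 * saved original (g_KeUserModeCallback) in every case that is not blocked.
 * NOTE(review): OutputBuffer is declared ULONG here as in the original; the
 * system prototype uses a pointer-typed parameter. It is only forwarded, so
 * this is harmless on the 32-bit target this code assumes, but confirm before
 * reusing the declaration elsewhere.
 *
 * When the callback is the "load image" request (ApiNumber ==
 * LOAD_IMAGE_API_NUM) the DLL path is read from InputBuffer at the
 * LOAD_IMAGE_APINAME* offsets, converted to ANSI, and handed together with
 * the full path of the current process to VoteModule(). A vote of 1 blocks
 * the load by returning STATUS_UNSUCCESSFUL without calling the original.
 *
 * Only the path that goes through this user-mode callback is observed; an
 * image mapped by any other means is presumably not seen here - verify
 * against the rest of the driver before relying on this as a complete guard.
 *
 * Fixes relative to the original: the Length field read out of InputBuffer
 * was trusted blindly, so a bogus length meant reading past InputLength;
 * the RtlUnicodeStringToAnsiString and GetFullPathFromPID results were
 * ignored, so a truncated or empty path could still be voted on; and the
 * ANSI destination string was set up with Length == MaximumLength.
 */
NTSTATUS fake_KeUserModeCallback(IN ULONG ApiNumber, IN PVOID InputBuffer, IN ULONG InputLength, OUT ULONG OutputBuffer, IN PULONG OutputLength)
{
    UNICODE_STRING uniDllPath = {0};
    STRING aniDLLPath = {0};
    CHAR outDllPath[MAX_PATH] = {0};   /* ANSI copy of the DLL path being loaded */
    CHAR FullPath[MAX_PATH] = {0};     /* full path of the process being injected into */
    ULONG PID;
    ULONG nameLen;
    NTSTATUS st;

    /* Cheap checks first; touch InputBuffer only at PASSIVE_LEVEL
     * (KeGetCurrentIrql() == 0) and only once it is known to be resident
     * and large enough to hold both length fields. */
    if (g_IsDLLDefendMon
        && !KeGetCurrentIrql()
        && ApiNumber == LOAD_IMAGE_API_NUM
        && InputBuffer
        && MmIsAddressValid(InputBuffer)
        && InputLength >= LOAD_IMAGE_APINAME_OFFSET
        && InputLength >= LOAD_IMAGE_APINAMELENGTH_OFFSET + sizeof(WORD)
        && InputLength >= LOAD_IMAGE_APINAMEMAXLENGTH_OFFSET + sizeof(WORD))
    {
        /* The byte length of the path is stored in the buffer itself; bound
         * it against the bytes actually available after the name offset
         * before building a UNICODE_STRING over them. */
        nameLen = *(WORD *)((CHAR *)InputBuffer + LOAD_IMAGE_APINAMELENGTH_OFFSET);
        if (nameLen == 0 || nameLen > InputLength - LOAD_IMAGE_APINAME_OFFSET)
            goto forward;

        uniDllPath.Length        = (USHORT)nameLen;
        uniDllPath.MaximumLength = (USHORT)nameLen;
        uniDllPath.Buffer        = (PWSTR)((CHAR *)InputBuffer + LOAD_IMAGE_APINAME_OFFSET);

        /* Destination starts empty; leave one byte so the result is always
         * NUL-terminated inside outDllPath. */
        aniDLLPath.Buffer        = outDllPath;
        aniDLLPath.Length        = 0;
        aniDLLPath.MaximumLength = (USHORT)(sizeof(outDllPath) - 1);
        st = RtlUnicodeStringToAnsiString(&aniDLLPath, &uniDllPath, FALSE);
        if (!NT_SUCCESS(st))
            goto forward;   /* too long or not convertible: do not vote on a truncated name */

        /* Fail open when the process path cannot be resolved: VoteModule is
         * never fed an empty process path. Change to a block here if the
         * policy is meant to be fail-closed. */
        PID = (ULONG)PsGetCurrentProcessId();
        if (!GetFullPathFromPID(PID, FullPath, sizeof(FullPath)))
            goto forward;

        if (VoteModule(FullPath, outDllPath) == 1)
            return STATUS_UNSUCCESSFUL;
    }

forward:
    return g_KeUserModeCallback(ApiNumber, InputBuffer, InputLength, OutputBuffer, OutputLength);
}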
BOOL GetFul lPathFromPID (IN ULONG PID, OUT CHAR *Ful lPath, IN ULONG Ful lPathLen)
{
WCHAR ProcessPathw[MAX_PATH*2]={0};
WCHAR ProcessDosPathw[MAX_PATH*2]={0};
BOOL result;
PWCHAR NamePosW;
WCHAR singleWchar;
ULONG ResultSize;
ULONG BytesInUnicodeString; result = 0; if (FullPath)
{
result = QueryProcessPathff(PID, &ProcessPathw, 0x100); if (result)
{
result =
QueryProcessDosPathW(&ProcessPathw, &ProcessDosPathw, 0x100); if (result)
{
//将读取出来得roSnAME的WCHAR路径转化为CHAR路径 NamePosW = (PWCHAR) &ProcessDosPathw; do
{
singleWchar = *NamePosW;
NamePosW++;
} while(singleWchar);
BytesInUnicodeString = 2 * ((ULONG)((char *)singleWchar -&ProcessDosPathw) » 1);
