监视Win2k文件系统驱动程序的监视程序
/ns/wz/comp/data/20020813022853.htm
监视Win2k文件系统驱动程序的监视程序
Author: whg
Email: whg@whitecell.org
Homepage:http://www.whitecell.org
include IFSDDK.inc
locals
.586p
.model flat,STDCALL
.data
gDriverObject dd 26 dup(0) ;查找调用地址
gDeviceObject dd 26 dup(0) ;分析查找路径
gCreate dd 26 dup(0) ;函数地址
gObjectAttrib OBJECT_ATTRIB < size OBJECT_ATTRIB,0,OBJ_CASE_INSENSITIVE,0,0,0>
gDiskSymbolLink dw '','D','o','s','D','e','v','i','c','e','s','','X',':','',0,0
Msg00 db 'Driver: %s ',0
Msg01 db 'Access File: %c:',0
Msg02 DB '%s',0ah,0,0
.code
extrn _RtlInitUnicodeString@8: proc
extrn _DbgPrint: proc
extrn _ZwCreateFile@44: proc
extrn _ZwClose@4: proc
extrn _ObReferenceObjectByHandle@24: proc
extrn _ObDereferenceObject@4: proc
extrn _IoGetRelatedDeviceObject@4: proc
extrn _RtlUnicodeStringToAnsiString@12: proc
extrn _RtlFreeAnsiString@4: proc
public _DriverEntry@8
_DriverEntry@8 proc uses ebx esi edi,pDriverObject:dword,pRegPath:dword
local DeviceName: UNICODE_STRING
local SymbolLink: UNICODE_STRING
mov ebx,pDriverObject
mov [ebx.doDriverUnload],OFF Unload
call HookFileSystem
xor eax,eax
ret
_DriverEntry@8 endp
Unload proc uses ebx esi edi,pDriverObject:dword
local SymbolLink: UNICODE_STRING
;做复原工作
mov edi,OFF gDriverObject
mov ecx,26
xor edx,edx
@@RepRestore:
mov ebx,[edi+edx*4]
or ebx,ebx
jz short @@RestoreNext
mov eax,[edx*4+OFF gCreate]
or eax,eax
jz short @@RestoreNext
mov [ebx.doMajorFunction+IRP_MJ_CREATE*4],eax
@@RestoreNext:
inc edx
loop short @@RepRestore
ret
Unload endp
HookFileSystem proc uses ebx esi edi
mov ecx,26
xor edi,edi
@@RepHookXXX:
mov esi,ecx
mov edx,edi
call GetDeviceObject
mov ecx,esi
test eax,eax
jz short @@NoFindDriver
;保存设备对象DEVICE OBJECT
mov [edi*4+OFF gDeviceObject],eax
;保存驱动程序对象DRIVER OBJECT
mov ebx,[eax.doDriverObject]
mov [edi*4+OFF gDriverObject],ebx
;挂接MJ_IRP_CREATE
@@HookCreate:
mov eax,[ebx.doMajorFunction+IRP_MJ_CREATE*4]
;是否已经被挂接
cmp eax,OFF HookCreate
jz short @@NoFindDriver
mov [edi*4+OFF gCreate],eax
mov [ebx.doMajorFunction+IRP_MJ_CREATE*4],OFF HookCreate
@@NoFindDriver:
inc edi
loop short @@RepHookXXX
ret
HookFileSystem endp
;edx=Log disk index : eax=pDeviceObject,eax=0 No Found
GetDeviceObject proc uses ebx esi edi
local SymbolLink: UNICODE_STRING
local hFile: dword
local IoStatus: IO_STATUS_BLOCK
local pFileObject: dword
;构造对象名字串
lea esi,gDiskSymbolLink
add edx,'A'
mov [esi+12*2],dl
lea edi,SymbolLink
call _RtlInitUnicodeString@8,edi,esi
;填写对象属性域
lea esi,gObjectAttrib
mov [esi.oaObjectName],edi
;打开这个设备文件
lea edi,hFile
lea ebx,IoStatus
call _ZwCreateFile@44,edi,SYNCHRONIZE or FILE_ANY_ACCESS,esi,ebx,0,0,FILE_SHARE_READ or FILE_SHARE_WRITE,FILE_OPEN,FILE_SYNCHRONOUS_IO_NONALERT or FILE_DIRECTORY_FILE,0,0
test eax,eax
jnl short @@OpenFileOk
xor eax,eax
jmp short @@FailExit
@@OpenFileOk:
;从文件句柄中得到文件对象指针
lea esi,pFileObject
call _ObReferenceObjectByHandle@24,dword ptr[edi],FILE_READ_DATA,0,0,esi,0
test eax,eax
jnl short @@ReferenceObjectOk
call _ZwClose@4,dword ptr[edi]
xor eax,eax
jmp short @@FailExit
@@ReferenceObjectOk:
;从文件对象中得到关联设备对象
call _IoGetRelatedDeviceObject@4,dword ptr [esi]
mov ebx,eax
call _ObDereferenceObject@4,dword ptr[esi]
call _ZwClose@4,dword ptr[edi]
test ebx,ebx
jnz short @@GetRelatedDeviceOk
xor eax,eax
jmp short @@FailExit
@@GetRelatedDeviceOk:
mov eax,ebx
@@FailExit:
ret
GetDeviceObject endp
;MJ_IRP_CREATE挂接例程的处理
HookCreate proc uses ebx esi edi,pDeviceObject:dword,pIrp:dword
local DriverName: ANSI_STRING
local FileName: ANSI_STRING
local RegEsp: dword
mov esi,pDeviceObject
mov esi,[esi.doDriverObject]
lea esi,[esi.doDriverName]
lea edi,DriverName
call _RtlUnicodeStringToAnsiString@12,edi,esi,TRUE
mov edx,[edi.asBuffer]
mov RegEsp,esp
call _DbgPrint,OFF Msg00,edx
mov esp,RegEsp
call _RtlFreeAnsiString@4,edi
call FindObject,pDeviceObject,OFF gDeviceObject
or eax,eax
jz short @@NoIsLogDisk
add edx,'A'
jmp short @@IsLogDisk
@@NoIsLogDisk:
mov edx,'?'
@@IsLogDisk:
mov RegEsp,esp
call _DbgPrint,OFF Msg01,edx
mov esp,RegEsp
mov esi,pIrp
;得到当前IRP栈位置IoGetCurrentIrpStackLocation()
mov esi,[esi+60h]
mov esi,[esi.ioslFileObject]
lea esi,[esi.foFileName]
or esi,esi
jz short @@ExitDbg
lea edi,FileName
call _RtlUnicodeStringToAnsiString@12,edi,esi,TRUE
mov edx,[edi.asBuffer]
mov RegEsp,esp
call _DbgPrint,OFF Msg02,edx
mov esp,RegEsp
call _RtlFreeAnsiString@4,edi
@@ExitDbg:
mov eax,pDeviceObject
mov eax,[eax.doDriverObject]
call FindObject,eax,OFF gDriverObject
test eax,eax
jnz short @@DriverCreate
int 3;
@@DriverCreate:
call [edx*4+OFF gCreate],pDeviceObject,pIrp
ret
HookCreate endp
;在26对象数组里查找包含其的索引 eax=bool edx=index
FindObject proc uses ebx,pObject:dword,pObjectList:dword
mov eax,pObject
mov ebx,pObjectList
mov ecx,26
xor edx,edx
@@RepFindObject:
cmp [ebx+edx*4],eax
jz short @@FoundObject
inc edx
loop short @@RepFindObject
xor eax,eax
ret
@@FoundObject:
ret
FindObject endp
end _DriverEntry@8