-
Notifications
You must be signed in to change notification settings - Fork 126
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7997a75
commit d67123a
Showing
32 changed files
with
3,775 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| ##ShadowSSDT inline hook | ||
| 因为ShadowSSDT需要GUI进程,带一个应用层MFC程序。 |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
|
|
||
|
|
||
| #ifndef CXX_INLINEHOOKSSSDT_H | ||
| #define CXX_INLINEHOOKSSSDT_H | ||
|
|
||
|
|
||
|
|
||
| #include <ntifs.h> | ||
| #include <WINDEF.H> | ||
|
|
||
| typedef struct _SYSTEM_SERVICE_TABLE64{ | ||
| PVOID ServiceTableBase; | ||
| PVOID ServiceCounterTableBase; | ||
| ULONG64 NumberOfServices; | ||
| PVOID ParamTableBase; | ||
| } SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64; | ||
|
|
||
| typedef struct _SYSTEM_SERVICE_TABLE32 { | ||
| PVOID ServiceTableBase; | ||
| PVOID ServiceCounterTableBase; | ||
| ULONG32 NumberOfServices; | ||
| PVOID ParamTableBase; | ||
| } SYSTEM_SERVICE_TABLE32, *PSYSTEM_SERVICE_TABLE32; | ||
|
|
||
| #define DEVICE_NAME L"\\Device\\InlineHookSSSDTDevice" | ||
| #define LINK_NAME L"\\DosDevices\\InlineHookSSSDTLink" | ||
|
|
||
| #define IOCTL_GET_SSSDTSERVERICE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) | ||
|
|
||
| #define IOCTL_INLINEHOOK_SSSDT \ | ||
| CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_BUFFERED,FILE_ANY_ACCESS) | ||
|
|
||
| #define IOCTL_INLINEUNHOOK_SSSDT \ | ||
| CTL_CODE(FILE_DEVICE_UNKNOWN,0x831,METHOD_BUFFERED,FILE_ANY_ACCESS) | ||
|
|
||
|
|
||
| NTSTATUS ControlPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp); | ||
| NTSTATUS DefaultPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp); | ||
| VOID UnloadDriver(PDRIVER_OBJECT DriverObject); | ||
|
|
||
| PVOID | ||
| GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName); | ||
| PVOID GetKeShadowServiceDescriptorTable32(); | ||
| PVOID GetKeShadowServiceDescriptorTable64(); | ||
| PVOID GetSSSDTFunctionAddress64(ULONG ulIndex); | ||
| PVOID GetSSSDTFunctionAddress32(ULONG ulIndex); | ||
|
|
||
| typedef ULONG_PTR (*pfnNtUserQueryWindow)(HWND WindowHandle, ULONG_PTR TypeInformation); | ||
| typedef ULONG_PTR (*pfnNtUserPostMessage)(HWND WindowHandle,UINT uMsg,WPARAM wParam,LPARAM lParam); | ||
|
|
||
| VOID WPOFF(); | ||
| VOID WPON(); | ||
|
|
||
| BOOLEAN InlineHookSSSDTWin7(PVOID OriginalFunctionAddress,PVOID NewFucntionAddress,ULONG ulPatchSize, | ||
| PVOID* OrigianlFunctionCode); | ||
| VOID InlineUnHookSSSDTWin7(PVOID OriginalFunctionAddress,PVOID OrigianlFunctionCode,ULONG ulPatchSize); | ||
|
|
||
|
|
||
|
|
||
| BOOL InlineHookSSSDTWinXP(PVOID OriginalFunctionAddress,PVOID NewFunctionAddress,ULONG ulPatchSize,PVOID* OrigianlFunctionCode); | ||
| VOID InlineUnHookSSSDTWinXP(PVOID OriginalFunctionAddress,PVOID OrigianlFunctionCode,ULONG ulPatchSize); | ||
|
|
||
| ULONG_PTR Fake_NtUserPostMessageAddress(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam); | ||
| void LDE_Init64() ; | ||
| ULONG GetPatchSize64(PUCHAR Address); | ||
| #endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| Microsoft Visual Studio Solution File, Format Version 11.00 | ||
| # Visual Studio 2010 | ||
| Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InlineHookSSSDT", "InlineHookSSSDT.vcxproj", "{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}" | ||
| EndProject | ||
| Global | ||
| GlobalSection(SolutionConfigurationPlatforms) = preSolution | ||
| WinDDK|Win32 = WinDDK|Win32 | ||
| EndGlobalSection | ||
| GlobalSection(ProjectConfigurationPlatforms) = postSolution | ||
| {4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.ActiveCfg = WinDDK|Win32 | ||
| {4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.Build.0 = WinDDK|Win32 | ||
| EndGlobalSection | ||
| GlobalSection(SolutionProperties) = preSolution | ||
| HideSolutionNode = FALSE | ||
| EndGlobalSection | ||
| EndGlobal |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
| <ItemGroup Label="ProjectConfigurations"> | ||
| <ProjectConfiguration Include="WinDDK|Win32"> | ||
| <Configuration>WinDDK</Configuration> | ||
| <Platform>Win32</Platform> | ||
| </ProjectConfiguration> | ||
| </ItemGroup> | ||
| <PropertyGroup Label="Globals"> | ||
| <ProjectGuid>{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}</ProjectGuid> | ||
| <Keyword>Win32Proj</Keyword> | ||
| <RootNamespace>"InlineHookSSSDT"</RootNamespace> | ||
| </PropertyGroup> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> | ||
| <ImportGroup Label="ExtensionSettings"> | ||
| </ImportGroup> | ||
| <PropertyGroup Label="UserMacros" /> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'"> | ||
| <TargetExt>.sys</TargetExt> | ||
| <GenerateManifest>false</GenerateManifest> | ||
| <ExecutablePath>$(WLHBASE)\bin\x86\x86;$(WLHBASE)\bin\x86</ExecutablePath> | ||
| <IncludePath>$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc</IncludePath> | ||
| <ReferencePath /> | ||
| <LibraryPath>$(WLHBASE)\lib\win7\i386</LibraryPath> | ||
| <SourcePath /> | ||
| <ExcludePath /> | ||
| </PropertyGroup> | ||
| <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'"> | ||
| <ClCompile> | ||
| <PreprocessorDefinitions>_X86_;DBG=1</PreprocessorDefinitions> | ||
| <ExceptionHandling>false</ExceptionHandling> | ||
| <BufferSecurityCheck>false</BufferSecurityCheck> | ||
| <CallingConvention>StdCall</CallingConvention> | ||
| <CompileAs>CompileAsC</CompileAs> | ||
| <AdditionalIncludeDirectories> | ||
| </AdditionalIncludeDirectories> | ||
| </ClCompile> | ||
| <Link> | ||
| <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;%(AdditionalDependencies)</AdditionalDependencies> | ||
| </Link> | ||
| <Link> | ||
| <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries> | ||
| <SubSystem>Native</SubSystem> | ||
| <Driver>Driver</Driver> | ||
| <EntryPointSymbol>DriverEntry</EntryPointSymbol> | ||
| <SetChecksum>true</SetChecksum> | ||
| <BaseAddress>0x10000</BaseAddress> | ||
| <RandomizedBaseAddress> | ||
| </RandomizedBaseAddress> | ||
| <DataExecutionPrevention> | ||
| </DataExecutionPrevention> | ||
| </Link> | ||
| </ItemDefinitionGroup> | ||
| <ItemGroup> | ||
| <ClCompile Include=".\InlineHookSSSDT.c" /> | ||
| <ClCompile Include=".\InlineHookSSSDT.h" /> | ||
| </ItemGroup> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> | ||
| <ImportGroup Label="ExtensionTargets"> | ||
| </ImportGroup> | ||
| </Project> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
| </Project> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| rem ///////////////// | ||
| rem / Add by ChiChou | ||
| rem / | ||
| rem / FileName:Clean.bat | ||
| rem / Description:Clean | ||
| rem / | ||
| rem //////////////// | ||
| rd .\bin /s /q | ||
| rd .\WinDDK /s /q | ||
| rd .\objchk_w2k_x86 /s /q | ||
| rd .\objchk_wxp_x86 /s /q | ||
| rd .\objchk_wnet_x86 /s /q | ||
| rd .\objchk_wlh_x86 /s /q | ||
| rd .\objfre_w2k_x86 /s /q | ||
| rd .\objfre_wxp_x86 /s /q | ||
| rd .\objfre_wnet_x86 /s /q | ||
| rd .\objfre_wlh_x86 /s /q | ||
| del .\*.log | ||
| del .\*.err | ||
| del .\*.xml | ||
| rem ***** del VS2005 file ***** | ||
| del .\*.ncb | ||
| del .\*.user | ||
| del .\*.suo /A:H | ||
| rem ***** del VS6.0 file ***** | ||
| del .\*.plg | ||
| del .\*.opt | ||
| exit |
Oops, something went wrong.