

拦截硬盘物理序列号驱动源码MASM版本

2009-8-15 11:31| 投稿: security

摘要: 拦截硬盘物理序列号驱动源码MASM版本;拦截硬盘物理序列号驱动源码MASM版本;将VC版的做了简单的转换,变成MASM版本 .386.model flat, stdcalloption casema...
;-----------------------------------------------------------------------
; Driver source for intercepting the hard disk physical serial number,
; MASM version. A straightforward conversion of the VC version to MASM.
;
; Syntax/target: MASM, 32-bit flat model, stdcall, Windows kernel mode
; (uses the w2k DDK include files named below).
;
; What the listing does, as far as the visible code shows:
;   * creates the device \Device\HDHOOK and the link \DosDevices\HDHOOK;
;   * on request, replaces the system service table slot used by
;     ZwDeviceIoControlFile with HookZwDeviceIoControlFile;
;   * the replacement calls the saved original and then post-processes
;     the output buffer of requests whose control code is 7c088h.
;
; Reviewer notes for defenders:
;   * Indicators visible here: the two object names above, a service
;     table slot for ZwDeviceIoControlFile that no longer resolves into
;     the kernel image, and the five HDHOOK_* control codes.
;   * Every control code is declared FILE_ANY_ACCESS and no caller check
;     appears in the dispatch path, so any process able to open the
;     device could drive it -- confirm against the device's ACL.
;   * Caller-supplied buffer pointers are dereferenced in kernel mode
;     with no probing or exception handling in this listing.
;   * On 64-bit Windows, Kernel Patch Protection treats service table
;     modification as fatal; this source is 32-bit only.
;   * NOTE(review): the code looks machine-converted. Several registers
;     are read without being set in the same procedure and `buffer` is
;     never written in this listing. Loading it risks a bugcheck; do not
;     treat it as working or safe code.
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib w2k\ntoskrnl.lib
include Strings.mac

; Private control codes accepted on the HDHOOK device.
; All are METHOD_BUFFERED and FILE_ANY_ACCESS (no access right is
; demanded of the handle used to send them).
HDHOOK_HOOK equ CTL_CODE( FILE_DEVICE_UNKNOWN, 0h, METHOD_BUFFERED, FILE_ANY_ACCESS )
HDHOOK_UNHOOK equ CTL_CODE( FILE_DEVICE_UNKNOWN, 1h, METHOD_BUFFERED, FILE_ANY_ACCESS )
HDHOOK_VERSION equ CTL_CODE( FILE_DEVICE_UNKNOWN, 2h, METHOD_BUFFERED, FILE_ANY_ACCESS )
HDHOOK_SETSELFVALUE equ CTL_CODE( FILE_DEVICE_UNKNOWN, 3h, METHOD_BUFFERED, FILE_ANY_ACCESS )
HDHOOK_SETEMULABLEVALUE equ CTL_CODE( FILE_DEVICE_UNKNOWN, 4h, METHOD_BUFFERED, FILE_ANY_ACCESS )
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

; Prototype and pointer type for the saved original service routine
; (ten dword arguments, matching HookZwDeviceIoControlFile below).
_ProtoRealZwDeviceIoControlFile              typedef proto :dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword
_RealZwDeviceIoControlFile              typedef ptr _ProtoRealZwDeviceIoControlFile

.const
CCOUNTED_UNICODE_STRING   "\\Device\\HDHOOK",DEVICE_NAME,4                             ; device name
CCOUNTED_UNICODE_STRING                 "\\DosDevices\\HDHOOK",SymbolicLinkName,4                    ; symbolic link

.data
; NOTE(review): each of these is a single dword. The 14h-byte copy loops
; in HDHookDeviceControl start at DiskSerial / buffer1, so if these
; variables are laid out contiguously the copies run over the
; neighbouring variables -- confirm.
DiskSerial    dd 0
IsHooked      dd 0                      ; 1 while the service table slot is replaced
buffer        dd 0                      ; dereferenced by HookStart/HookStop; no store to it is visible
buffer1       dd 0
GUIActive     dd 0

.data?
RealZwDeviceIoControlFile _RealZwDeviceIoControlFile ?    ; original slot value, saved by HookStart
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

.code

;-----------------------------------------------------------------------
; DriverEntry(pDriverObject, RegistryPath) -> NTSTATUS in eax
; Creates the device and its symbolic link, then installs the dispatch
; and unload routines. Returns STATUS_DEVICE_CONFIGURATION_ERROR unless
; both creation calls return STATUS_SUCCESS.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT,RegistryPath:PUNICODE_STRING                                 ; driver entry point
LOCAL deviceNameUnicodeString,deviceLinkUnicodeString:UNICODE_STRING
LOCAL status:NTSTATUS
LOCAL pDeviceObject:PVOID
      mov status,STATUS_DEVICE_CONFIGURATION_ERROR
      invoke IoCreateDevice, pDriverObject, 0, addr DEVICE_NAME, FILE_DEVICE_UNKNOWN, \                     ; create the virtual device
                                            0, FALSE, addr pDeviceObject
      .if eax == STATUS_SUCCESS                                                                             ; original note: check success with the NT_SUCCESS macro (the code compares with STATUS_SUCCESS directly)
            invoke IoCreateSymbolicLink, addr SymbolicLinkName, addr DEVICE_NAME                            ; create the symbolic link
           .if eax == STATUS_SUCCESS                                                                        ; check whether the call succeeded
                mov eax, pDriverObject
                assume eax:PTR DRIVER_OBJECT
                mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose           ; set the IRP dispatch routines and the unload routine
                mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose
                mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
                mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset HDHookDispatch
                mov [eax].DriverUnload, offset DriverUnload
                assume eax:nothing
                mov status, STATUS_SUCCESS
           .else
                ; link creation failed: remove the device created above
                invoke IoDeleteDevice, pDeviceObject
           .endif
      .endif
      mov eax, status
      ret
DriverEntry endp

;-----------------------------------------------------------------------
; DispatchCreateClose(pDeviceObject, pIrp) -> STATUS_SUCCESS in eax
; Handles IRP_MJ_CREATE, IRP_MJ_CLEANUP and IRP_MJ_CLOSE: completes the
; IRP with STATUS_SUCCESS and zero Information. No caller check is made.
;-----------------------------------------------------------------------
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
       mov eax, pIrp
       assume eax:ptr _IRP
       mov [eax].IoStatus.Status, STATUS_SUCCESS
       and [eax].IoStatus.Information, 0
       assume eax:nothing
       fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
       mov eax, STATUS_SUCCESS
       ret
DispatchCreateClose endp

;-----------------------------------------------------------------------
; DriverUnload(pDriverObject)
; Deletes the symbolic link and the device object.
; NOTE(review): HookStop is not called here. If the driver is unloaded
; while IsHooked is 1, the service table slot would still point at
; HookZwDeviceIoControlFile in the unloaded image.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
       invoke IoDeleteSymbolicLink, addr SymbolicLinkName
       mov eax, pDriverObject
       invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
       ret
DriverUnload endp

;-----------------------------------------------------------------------
; IsSubString(String, SubString, StringLength, SubStringLength)
; Byte-wise search for SubString inside String.
; Out: eax = address of the first match (String + offset), or 0 if no
;      match is found or the computed search count is zero.
; Saves/restores ebx, esi, edi; pops 10h bytes of arguments on return.
; NOTE(review): the proc declares parameters and the body also sets up
; ebp by hand; presumably the assembler emits its own frame as well, in
; which case the parameter references below would be offset -- confirm.
;-----------------------------------------------------------------------
IsSubString proc String:PUCHAR,SubString:PUCHAR ,StringLength:dword ,SubStringLength:dword
 push ebp
 mov ebp, esp
 mov eax, StringLength
 push ebx
 sub eax, SubStringLength
 push esi
 xor esi, esi                           ; esi = current start offset in String
 push edi
 inc eax                                ; eax = StringLength - SubStringLength + 1
 test eax, eax
 mov StringLength, eax                  ; reuse the argument slot as the number of start positions
 jbe @return                            ; after test, jbe is taken only when the count is zero
 mov edi, String
@loop:
     xor eax, eax                       ; eax = index inside SubString
 cmp eax, SubStringLength
 jnb @loop1                             ; zero-length SubString: skip the compare loop
 lea ecx, [esi+edi]                     ; ecx = String + esi
@@:
     mov ebx, SubString
 mov dl, [ecx+eax]
 cmp dl, [eax+ebx]
 jnz @f                                 ; mismatch at this start position
 inc eax
 cmp eax, SubStringLength
 jb @b
@@:
     cmp eax, SubStringLength           ; all bytes matched?
@loop1:
     jz @loop2
 inc esi
 cmp esi, StringLength
 jb @loop
@return:
     xor eax, eax                       ; not found
@exit:
     pop edi
 pop esi
 pop ebx
 pop ebp
 retn 10h
@loop2:
     lea eax, [esi+edi]                 ; found: return the address of the match
 jmp @exit
IsSubString endp

;-----------------------------------------------------------------------
; HookZwDeviceIoControlFile(...ten arguments, same order as the original)
; Replacement installed in the service table by HookStart. Forwards the
; call to the saved original, keeps its status in edi, and for requests
; with IoControlCode 7c088h and OutputBufferLength > 14h searches the
; output buffer with IsSubString for a 14h-byte value, then runs a byte
; copy loop over the match.
; 7c088h is the value of SMART_RCV_DRIVE_DATA.
; NOTE(review): OutputBuffer comes from the original caller and is read
; and written here without probing or exception handling.
; NOTE(review): DiskSerial is passed by value (its dword contents), not
; by address; esi is used as the loop counter but is not set in this
; procedure; ecx is derived from the match pointer. The copy loop's
; behavior is therefore not determinable from this listing.
; NOTE(review): eax is reloaded from edi only inside the inner .if, so
; when IsSubString returns 0 the caller sees 0 rather than the original
; status. edi is modified without being saved.
;-----------------------------------------------------------------------
HookZwDeviceIoControlFile proc FileHandle:HANDLE,Event:DWORD,ApcRoutine:DWORD,ApcContext:PVOID,IoStatusBlock:PIO_STATUS_BLOCK,IoControlCode:DWORD,InputBuffer:DWORD,InputBufferLength:DWORD,OutputBuffer:DWORD,OutputBufferLength:DWORD
  invoke RealZwDeviceIoControlFile,FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,IoControlCode,InputBuffer,InputBufferLength,OutputBuffer,OutputBufferLength
 mov edi,eax                            ; keep the original routine's status
 .if IoControlCode==7c088h && OutputBufferLength >14h
         invoke IsSubString,OutputBuffer,DiskSerial,OutputBufferLength,14h
         .if eax
          mov ecx, 14h
           sub ecx, eax
@@:
                 mov dl, [ecx+eax]
           mov [eax], dl
          inc eax
           dec esi
           jnz @b
                        mov eax, edi    ; return the original status
         .endif
  .endif
 ret
HookZwDeviceIoControlFile endp

;-----------------------------------------------------------------------
; HookStart()
; If IsHooked is 0: reads the dword at offset 1 of the exported
; ZwDeviceIoControlFile stub as a service index, saves the current
; table slot for that index in RealZwDeviceIoControlFile, writes the
; address of HookZwDeviceIoControlFile into the slot, and sets IsHooked.
; The table base is taken from the dword that `buffer` points to.
; NOTE(review): `buffer` is declared `dd 0` and nothing in this listing
; stores to it, so `[ecx]` reads through a null pointer as written.
; The slot is written with a plain mov, with no synchronization against
; other processors visible here.
;-----------------------------------------------------------------------
HookStart proc
        .if IsHooked==0
  mov eax, ds:ZwDeviceIoControlFile
  mov ecx, buffer
  push esi
  mov edx, [eax+1]                      ; edx = service index read from the stub
  mov esi, [ecx]                        ; esi = table base
  mov edx, [esi+edx*4]                  ; edx = current slot value
  pop esi
  mov RealZwDeviceIoControlFile, edx    ; remember the original routine
  mov eax, [eax+1]
  mov ecx, [ecx]
  mov dword ptr [ecx+eax*4], offset HookZwDeviceIoControlFile
   mov IsHooked, 1
        .endif
        ret
HookStart endp

;-----------------------------------------------------------------------
; HookStop()
; If IsHooked is 1: writes RealZwDeviceIoControlFile back into the same
; service table slot and clears IsHooked. Uses `buffer` the same way as
; HookStart, so the same null-pointer concern applies.
;-----------------------------------------------------------------------
HookStop proc
        .if IsHooked==1
  mov eax, ds:ZwDeviceIoControlFile
  mov ecx, buffer
  mov edx, RealZwDeviceIoControlFile
  mov eax, [eax+1]                      ; eax = service index read from the stub
  mov ecx, [ecx]                        ; ecx = table base
  mov [ecx+eax*4], edx                  ; restore the saved slot value
  and IsHooked, 0
        .endif
        ret
HookStop endp

;-----------------------------------------------------------------------
; HDHookDeviceControl(FileObject, pWait, InputBuffer, InputBufferLength,
;                     OutputBuffer, OutputBufferLength, IoControlCode,
;                     IoStatus, DeviceObject) -> al = 1
; Dispatches on the HDHOOK_* control code:
;   HDHOOK_HOOK / HDHOOK_UNHOOK  call HookStart / HookStop
;   HDHOOK_SETSELFVALUE          needs OutputBufferLength >= 4
;   HDHOOK_SETEMULABLEVALUE      needs InputBufferLength >= 14h;
;                                byte-copy loop of 14h bytes to DiskSerial
;   HDHOOK_VERSION               needs InputBufferLength >= 14h;
;                                byte-copy loop of 14h bytes to buffer1
; 0C000000Dh is STATUS_INVALID_PARAMETER; 0C0000010h is
; STATUS_INVALID_DEVICE_REQUEST.
; NOTE(review): the status stores go through [eax], and eax is
; STATUS_SUCCESS at that point unless HookStart/HookStop changed it.
; ecx still holds the control code where `[ecx]` is written, and esi and
; edx are not set in this procedure. These writes look like conversion
; artifacts and are unsafe as written.
; NOTE(review): the IoStatus parameter is overwritten locally, so the
; caller's status block is not updated through it.
;-----------------------------------------------------------------------
HDHookDeviceControl proc FileObject:PFILE_OBJECT,pWait:dword,InputBuffer:dword,InputBufferLength:dword,OutputBuffer:dword,OutputBufferLength:dword,IoControlCode:dword,IoStatus:PIO_STATUS_BLOCK,DeviceObject:PDEVICE_OBJECT
 mov eax,STATUS_SUCCESS
 mov IoStatus,eax
 mov IoStatus,0
 mov ecx,IoControlCode
 .if ecx==HDHOOK_HOOK
         call    HookStart
 .elseif ecx==HDHOOK_UNHOOK
          call    HookStop
 .elseif ecx==HDHOOK_SETSELFVALUE
  .if OutputBufferLength < 4 || OutputBuffer==0
   mov IoStatus,STATUS_INVALID_PARAMETER
   mov     dword ptr [eax], 0C000000Dh
   jmp @exit
   .endif
  mov dword ptr [ecx], 168h
  mov [eax+4], edx
  jmp @exit
 .elseif ecx==HDHOOK_SETEMULABLEVALUE
  .if InputBufferLength < 14h || InputBuffer==0
   mov IoStatus,STATUS_INVALID_PARAMETER
    mov     dword ptr [eax], 0C000000Dh
     jmp @exit
   .endif
  xor     ecx, ecx
  sub     esi, offset DiskSerial        ; esi is presumably meant to hold the input buffer address -- not set here
@@:
  mov dl, byte ptr DiskSerial[esi+ecx]
  lea eax, DiskSerial[ecx]
  inc ecx
  cmp ecx, 14h
  mov [eax], dl                         ; writes 14h bytes starting at the 4-byte DiskSerial
  jb @b
  jmp @exit
   .elseif ecx==HDHOOK_VERSION
  .if InputBufferLength < 14h || InputBuffer==0
   mov IoStatus,STATUS_INVALID_PARAMETER
    mov     dword ptr [eax], 0C000000Dh
     jmp @exit
      .endif
  xor     ecx, ecx
  sub esi, buffer1
 @@:
      mov dl, byte ptr buffer1[esi+ecx]
  lea eax, buffer1[ecx]
  inc ecx
  cmp ecx, 14h
  mov [eax], dl                         ; writes 14h bytes starting at the 4-byte buffer1
  jb @b
  jmp @exit
 .else
  mov     dword ptr [eax], 0C0000010h
   .endif
@exit:
         mov al,1
 ret
HDHookDeviceControl endp

;-----------------------------------------------------------------------
; HDHookDispatch(pDriverObject, pIrp)
; Registered for IRP_MJ_DEVICE_CONTROL. Reads the control code, the
; system buffer (used as both input and output buffer, consistent with
; METHOD_BUFFERED) and the two buffer lengths from the IRP, branches,
; then completes the IRP.
; NOTE(review): the branch compares the IOCTL code, not the IRP major
; function, with IRP_MJ_* constants.
; NOTE(review): irpStack is passed to HDHookDeviceControl but is never
; assigned (the stack location is kept in edi). IoStatus is passed by
; value. The IRP's IoStatus is not updated before completion and eax is
; not set to a status before ret. esi and edi are modified without
; being saved.
;-----------------------------------------------------------------------
HDHookDispatch proc pDriverObject:PDRIVER_OBJECT,pIrp:PIRP
LOCAL irpStack:PIO_STACK_LOCATION
local inputBuffer:PVOID
local outputBuffer:PVOID
local outputBufferLength:dword
local inputBufferLength:dword
local ioControlCode:dword
local workItem:dword ;WORK_QUEUE_ITEM
LOCAL status : NTSTATUS
LOCAL dwBytesReturned
LOCAL IoStatus:dword
        mov status,STATUS_SUCCESS
        mov esi, pIrp
        assume esi : ptr _IRP
        IoGetCurrentIrpStackLocation esi
        mov edi, eax                    ; edi = current I/O stack location
        assume edi : ptr IO_STACK_LOCATION
        mov eax,[esi].IoStatus.Status
        mov IoStatus,eax
        mov eax, [edi].Parameters.DeviceIoControl.IoControlCode
        mov ioControlCode,eax
        mov eax, [esi].AssociatedIrp.SystemBuffer
        mov inputBuffer,eax             ; one system buffer serves as input...
        mov outputBuffer,eax            ; ...and output
        mov eax,[edi].Parameters.DeviceIoControl.InputBufferLength
        mov inputBufferLength,eax
        mov eax,[edi].Parameters.DeviceIoControl.OutputBufferLength
        mov outputBufferLength,eax
        .if ioControlCode==IRP_MJ_CREATE
                mov GUIActive,1
        .elseif ioControlCode==IRP_MJ_SHUTDOWN
        .elseif ioControlCode==IRP_MJ_CLOSE
         mov GUIActive,0
        .elseif ioControlCode==IRP_MJ_DEVICE_CONTROL
         invoke HDHookDeviceControl,irpStack,TRUE,inputBuffer, inputBufferLength,outputBuffer, outputBufferLength,ioControlCode,IoStatus, pDriverObject
        .endif
        invoke IoCompleteRequest, pIrp, IO_NO_INCREMENT
    ret
HDHookDispatch endp
end DriverEntry




免责声明:本文由投稿者转载自互联网,版权归原作者所有,文中所述不代表本站观点,若有侵权或转载等不当之处请联系我们处理,让我们一起为维护良好的互联网秩序而努力!联系方式见网站首页右下角。

