; MASM (Intel syntax), 32-bit x86 Windows kernel-mode driver built against the
; MASM32 / KmdKit-style headers pulled in below. Calling convention for the
; 'proc' routines is stdcall (invoke/fastcall macros supply the pushes).
include \masm32\Macros\Strings.mac      ; CCOUNTED_UNICODE_STRING macro
include ..\common.inc                   ; shared definitions (IOCTL codes, sizes)
include seh0.inc                        ; _try/_finally SEH helpers
;
; STRUCTURES
;
038
; View of a service descriptor table as this driver reads it. The field
; names suggest the kernel's service table layout (base, counter table,
; count, argument table) — confirm against the target build before
; relying on any field other than the ones the code below dereferences.
SSDT STRUCT
    pSSAT               PVOID   ?       ; -> table of 4-byte service entry points (indexed with *4 below)
    dwCounterTableBase  DWORD   ?
    dwNumOfEntries      DWORD   ?       ; presumably the number of entries in pSSAT — confirm
    pArgs               PVOID   ?
SSDT ENDS
045
;
; CONSTANTS
;
049
.const
; Device object name and the user-visible symbolic link that maps to it.
CCOUNTED_UNICODE_STRING "\\Device\\devssdtrestore", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slssdtrestore", g_usSymbolicLinkName, 4

; Maybe you have to use this line instead of the one above if your Windows NT
; version is <= 4.0. It will work also under 2K & XP.
;CCOUNTED_UNICODE_STRING "\\DosDevices\\slssdtrestore", g_usSymbolicLinkName, 4

.code                                   ; resident (non-discardable) code
060
;
; Get ntoskrnl base address
;
064
;-----------------------------------------------------------------------
; GetNtBase — locate the ntoskrnl image base.
; In:    nothing
; Out:   eax = address of the first 'MZ' word found while stepping
;        downward from the high half of the IDT entry 0 handler address
; Clobb: ebx (set to 38h and NOT restored — ebx is callee-saved in the
;        kernel's stdcall convention; callers that keep state in ebx
;        across this call must save it themselves), flags
;-----------------------------------------------------------------------
GetNtBase proc

        assume  fs:nothing
        push    38h
        pop     ebx
        mov     eax, fs:[ebx]           ; fs:[38h] — presumably the KPCR IDT pointer; confirm against the KPCR layout
        mov     eax, [eax+4h]           ; dword 1 of IDT entry 0: handler offset 31:16 in the upper word, attributes below
        and     ax, 0f001h              ; keep only the high word (plus bits 12-15 and 0 of the low word)
        dec     eax
        cmp     word ptr [eax], 5a4dh   ; 'MZ' — DOS header signature
        jnz     $-10                    ; NOTE: encoding-dependent back-jump; with and=4, dec=1, cmp=5 bytes
                                        ; this re-enters at the 'and' above, so eax steps down a page at a time.
                                        ; A local label would not depend on instruction sizes.

        ret

GetNtBase endp
080
;
; Enumerate running SSDT index entries and restore if hooked
;
084
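;-----------------------------------------------------------------------
; SetSSDTIndexValues — rewrite one service table entry when the computed
; value differs from the expected (raw) one.
;
; In:    dwRawSSDTValue = expected value relative to the kernel base
;        dwNtbase       = ntoskrnl base as returned by GetNtBase
;        dwSSDTIndexNum = index into the service table (caller-supplied;
;                         in this driver it comes from the IOCTL input
;                         buffer, i.e. it is untrusted)
; Out:   nothing (eax undefined)
; Clobb: eax, ecx, edx, flags; ebx is saved/restored via 'uses'
;
; Differences from the original body:
;  (1) dwSSDTIndexNum is range-checked against dwNumOfEntries, so an
;      out-of-range index can no longer address memory outside the table;
;  (2) the MmMapIoSpace result is NULL-checked before being written;
;  (3) the 'push eax' that was popped only on the mismatch path (leaving
;      the stack unbalanced otherwise) is dropped — dwSSDTAddr already
;      holds the entry address.
;-----------------------------------------------------------------------
SetSSDTIndexValues proc uses ebx dwRawSSDTValue:DWORD, dwNtbase:DWORD, dwSSDTIndexNum:DWORD

        local   dwSSDTAddr:DWORD        ; (type lost in this copy; DWORD reconstructed)

        mov     ecx, dwSSDTIndexNum

        mov     eax, KeServiceDescriptorTable
        mov     ebx, [eax]              ; ebx -> descriptor (SSDT struct overlay)

        ; Only touch indices inside the table (unsigned compare).
        .if ecx < [ebx].SSDT.dwNumOfEntries
            mov     ebx, [ebx].SSDT.pSSAT
            lea     eax, dword ptr [ebx+ecx*4]   ; eax = &table[index]
            mov     dwSSDTAddr, eax
            mov     ebx, eax
            sub     ebx, dwNtbase       ; NOTE(review): this is the entry's *address* minus the base,
                                        ; not the entry's *content*; if "hooked" means the stored
                                        ; pointer differs from dwRawSSDTValue, a 'mov ebx,[eax]' is
                                        ; missing here — confirm against the user-mode side

            .if ebx != dwRawSSDTValue
                ; Write the entry through a fresh mapping of its physical page.
                invoke  MmGetPhysicalAddress, dwSSDTAddr    ; edx:eax = PHYSICAL_ADDRESS
                invoke  MmMapIoSpace, eax, edx, 4, 0        ; 4 bytes, cache type 0
                .if eax                 ; MmMapIoSpace returns NULL on failure
                    mov     edx, dwRawSSDTValue
                    and     dwNtbase, 0ff0fffffh            ; mask kept from the original; its intent is not documented here
                    add     edx, dwNtbase
                    mov     [eax], edx
                    invoke  MmUnmapIoSpace, eax, 4
                .endif
            .endif
        .endif

        ret

SetSSDTIndexValues endp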
120
;
; Get SSDT base address offset
;
124
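;-----------------------------------------------------------------------
; DispatchRead — IRP_MJ_READ handler: writes the offset of the service
; table (pSSAT - ntoskrnl base) into the caller's user buffer.
;
; In:    pDeviceObject, pIrp (neither-I/O style: pIrp->UserBuffer is a
;        raw user pointer)
; Out:   eax = NTSTATUS; IRP completed with IoStatus.Status/Information set
; Clobb: eax, ecx, edx, flags; esi/edi are saved via 'uses'
;
; Differences from the original body: esi and edi are callee-saved in the
; kernel's stdcall convention and were clobbered without being restored;
; 'uses esi edi' fixes that. The local declarations whose types were lost
; in this copy are reconstructed as DWORD.
;
; NOTE(review): the only validation of UserBuffer is a lower-bound compare
; against MmUserProbeAddress; it does not check the buffer's end or its
; alignment. ProbeForWrite(UserBuffer, RDATA_SIZE, 4) inside the _try is
; the documented way to validate a user pointer before writing through it.
;-----------------------------------------------------------------------
DispatchRead proc uses esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP

        ; SSDT base offset was requested

        local   status:NTSTATUS
        local   dwBytesReturned:DWORD   ; (type lost in this copy; DWORD reconstructed)
        local   dwNtBaseAddress:DWORD   ; (type lost in this copy; DWORD reconstructed)

        and     dwBytesReturned, 0

        mov     esi, pIrp
        assume  esi:ptr _IRP

        IoGetCurrentIrpStackLocation esi
        mov     edi, eax
        assume  edi:ptr IO_STACK_LOCATION

        .if [edi].Parameters.Read._Length >= RDATA_SIZE

            mov     eax, [esi].UserBuffer       ; kept from the original; overwritten below before any use

            _try

                mov     eax, MmUserProbeAddress
                mov     eax, [eax]
                mov     eax, [eax]              ; eax = *MmUserProbeAddress (double indirection as declared in the headers used)

                .if [esi].UserBuffer < eax      ; buffer start lies below the probe boundary

                    mov     eax, KeServiceDescriptorTable
                    mov     eax, [eax]
                    mov     eax, [eax].SSDT.pSSAT

                    pushad                      ; GetNtBase clobbers ebx; keep eax (= pSSAT) and ebx intact
                    invoke  GetNtBase
                    mov     dwNtBaseAddress, eax
                    popad

                    sub     eax, dwNtBaseAddress    ; eax = pSSAT - ntoskrnl base
                    push    eax
                    xor     eax, eax
                    mov     eax, [esi].UserBuffer
                    pop     [eax]                   ; store the offset in the user buffer (faults are caught by _try)
                    mov     dwBytesReturned, RDATA_SIZE
                    mov     status, STATUS_SUCCESS

                .else

                    mov     status, STATUS_INVALID_PARAMETER

                .endif

            _finally

        .else
            mov     status, STATUS_BUFFER_TOO_SMALL
        .endif

        assume  edi:nothing

        push    status
        pop     [esi].IoStatus.Status

        push    dwBytesReturned
        pop     [esi].IoStatus.Information

        assume  esi:nothing

        fastcall IofCompleteRequest, esi, IO_NO_INCREMENT

        mov     eax, status
        ret

DispatchRead endp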
202
;
; DispatchCreateClose
;
206
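;-----------------------------------------------------------------------
; DispatchCreateClose — IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes
; the IRP with STATUS_SUCCESS and zero bytes transferred.
;
; In:    pDeviceObject, pIrp
; Out:   eax = STATUS_SUCCESS
; Clobb: eax, ecx, edx, flags
;
; The parameter list and the 'assume eax:' operands were truncated in
; this copy; they are reconstructed to match DispatchRead.
;-----------------------------------------------------------------------
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP

        mov     eax, pIrp
        assume  eax:ptr _IRP
        mov     [eax].IoStatus.Status, STATUS_SUCCESS
        and     [eax].IoStatus.Information, 0
        assume  eax:nothing

        fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT

        mov     eax, STATUS_SUCCESS
        ret

DispatchCreateClose endp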
221
;
; DispatchControl
;
225
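;-----------------------------------------------------------------------
; DispatchControl — IRP_MJ_DEVICE_CONTROL handler. For IOCTL_SET_SSDT_ENTRIES
; it walks the (buffered-I/O) input buffer as a sequence of
; {raw value, index} DWORD pairs and hands each pair to SetSSDTIndexValues.
;
; In:    pDeviceObject, pIrp
; Out:   eax = NTSTATUS; IRP completed with IoStatus.Status/Information set
; Clobb: eax, ecx, edx, flags; ebx/esi/edi are saved via 'uses'
;
; Differences from the original body: ebx, esi and edi are callee-saved in
; the kernel's stdcall convention and were clobbered without being
; restored; 'uses ebx esi edi' fixes that. Declarations truncated in this
; copy are reconstructed (types as in DispatchRead, the InputBufferLength
; comparison by analogy with the OutputBufferLength line).
;
; NOTE(review): no caller privilege check is made here; whoever can open
; the device can drive SetSSDTIndexValues. Access is therefore governed
; entirely by the device object's security descriptor — confirm it is
; restricted (the IoCreateDevice call in DriverEntry is cut off in this copy).
;-----------------------------------------------------------------------
DispatchControl proc uses ebx esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP

        local   status:NTSTATUS         ; (type lost in this copy; reconstructed)
        local   dwBytesReturned:DWORD   ; (type lost in this copy; reconstructed)

        and     dwBytesReturned, 0

        mov     esi, pIrp
        assume  esi:ptr _IRP

        IoGetCurrentIrpStackLocation esi
        mov     edi, eax
        assume  edi:ptr IO_STACK_LOCATION

        .if [edi].Parameters.DeviceIoControl.IoControlCode == IOCTL_SET_SSDT_ENTRIES

            mov     status, STATUS_BUFFER_TOO_SMALL
            .if ([edi].Parameters.DeviceIoControl.OutputBufferLength >= DATA_SIZE)
            .if ([edi].Parameters.DeviceIoControl.InputBufferLength >= DATA_SIZE)   ; (truncated in this copy; reconstructed)

                mov     edi, [esi].AssociatedIrp.SystemBuffer   ; edi -> first {raw, index} pair
                assume  edi:ptr DWORD

                xor     ebx, ebx
                mov     ecx, ebx

                invoke  GetNtBase               ; eax = ntoskrnl base; also leaves 38h in ebx

                ; NOTE(review): ebx is zeroed above but GetNtBase does not preserve it,
                ; so the counter effectively starts at 38h and the loop runs 154h-38h
                ; iterations over the buffer. Whether 154h was chosen with that in
                ; mind is not documented; each iteration consumes 8 bytes, so confirm
                ; DATA_SIZE covers every pair read before changing either routine.
                .while ebx < 154h

                    push    ebx                 ; counter and base survive the call
                    push    eax

                    invoke  SetSSDTIndexValues, [edi], eax, [edi+4]

                    pop     eax
                    add     edi, 8h             ; next pair
                    pop     ebx
                    inc     ebx

                .endw

                mov     dwBytesReturned, DATA_SIZE
                mov     status, STATUS_SUCCESS

            .endif
            .endif

        .else
            mov     status, STATUS_INVALID_DEVICE_REQUEST
        .endif

        assume  edi:nothing

        push    status
        pop     [esi].IoStatus.Status

        push    dwBytesReturned
        pop     [esi].IoStatus.Information

        assume  esi:nothing

        fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT

        mov     eax, status
        ret

DispatchControl endp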
294
;
; DriverUnload
;
298
;-----------------------------------------------------------------------
; DriverUnload — tear down what DriverEntry created: the symbolic link
; first, then the device object hanging off the driver object.
; In:    pDriverObject
; Out:   nothing (eax undefined)
; Clobb: eax, ecx, edx, flags
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT

        invoke  IoDeleteSymbolicLink, addr g_usSymbolicLinkName

        mov     eax, pDriverObject
        assume  eax:ptr DRIVER_OBJECT
        invoke  IoDeleteDevice, [eax].DeviceObject
        assume  eax:nothing

        ret

DriverUnload endp
310
.code INIT                              ; DriverEntry lives in the discardable INIT section
312
;
; DriverEntry
;
316
317DriverEntryprocpDriverObject:
PDRIVER_OBJECT,pusRegistryPath:
PUNICODE_STRING
318
319
320localstatus:
321localpDeviceObject:
PDEVICE_OBJECT
322
323movstatus,STATUS_DEVICE_CONFIGURATION_ERROR
324
325invokeIoCreateDevice,pDriverObject,0,addrg_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addrpDeviceObject
326.ifeax==STATUS_SUCCESS
327invokeIoCreateSymbolicLink,addrg_usSymbolicLinkName,addrg_usDeviceName
328.ifeax==STATUS_SUCCESS
329moveax,pDriverObject
330assumeeax:
ptrDRIVER_OBJECT
331mov[eax].DriverUnload,offsetDriverUnload
332mov[eax].MajorFunction[IRP_MJ_CREATE*(s