What's wrong with my "SSDT HOOK ZwCreateSection"?

Question

0.00/5 (No votes)

See more:

Following is my code to hook CreateSection,I just make it run in an another place, but when the service start up, I can't open any Process,it means the routine doesn't run successfully but why?

#include "ntddk.h"
#pragma pack(1)
typedef struct _SYS_SERVICE_TABLE { 
	void*ServiceTable;//
	void *CounterTable; //
	unsigned long ServiceLimit; //
	void*ArgumentsTable; 
}SYS_SERVICE_TABLE,*PSSDT; 
#pragma pack()
extern PSSDT KeServiceDescriptorTable; 
PMDL   g_pmdlSystemCall;//
void *MappedSSDT;//
const WCHAR devicename[]=L"\\Device\\Protector";//
const WCHAR devicelink[]=L"\\DosDevices\\PROTECTOR";//
typedef NTSTATUS (*CREATESECTION)(OUT PHANDLE  SectionHandle,IN ACCESS_MASK  DesiredAccess,IN POBJECT_ATTRIBUTES  ObjectAttributes OPTIONAL,IN PLARGE_INTEGER  MaximumSize OPTIONAL,IN ULONG  SectionPageProtection,IN ULONG  AllocationAttributes,IN HANDLE  FileHandle OPTIONAL);
CREATESECTION RealCallee;//
ULONG SSDT_Address;//
//------------------------------------------------------------------------------------------------------------------
//this function decides whether we should allow NtCreateSection() call to be successfull
NTSTATUS MyCreateSection(OUT PHANDLE  SectionHandle,IN ACCESS_MASK  DesiredAccess,IN POBJECT_ATTRIBUTES  ObjectAttributes OPTIONAL,IN PLARGE_INTEGER  MaximumSize OPTIONAL,IN ULONG  SectionPageProtection,IN ULONG  AllocationAttributes,IN HANDLE  FileHandle OPTIONAL) 
{
   
   return RealCallee(SectionHandle,DesiredAccess,ObjectAttributes,MaximumSize,SectionPageProtection,AllocationAttributes,FileHandle); 
}

//----------------------------Dispatch Routine--------------------------------------------------------------------
NTSTATUS DrvDispatch(IN PDEVICE_OBJECT device,IN PIRP Irp)
{
    ULONG Input; 
    PIO_STACK_LOCATION loc=IoGetCurrentIrpStackLocation(Irp);//
    if(Ioc->Parameters.DeviceIoControl.IoControlCode==1000)
	{
          SSDT_Address=(ULONG)(((PSSDT)MappedSSDT)->ServiceTable)+4*50;
          RealCallee=(CREATESECTION)(*((ULONG*)SSDT_Address));
	  Input=(ULONG)MyCreateSection;//
	  RtlMoveMemory((ULONG*)SSDT_Address,&Input,4);//         
	}
     Irp->IoStatus.Status=0;
          IoCompleteRequest(Irp,IO_NO_INCREMENT);
     return 0;
}
//-----------------------------------------------------------
// nothing special
NTSTATUS DrvCreateClose(IN PDEVICE_OBJECT device,IN PIRP Irp)
{
	
Irp->IoStatus.Information=0;
Irp->IoStatus.Status=0;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return 0;
}

//------------------------------------------------------------------------------------------------------------
// nothing special -just a cleanup
void DrvUnload(IN PDRIVER_OBJECT driver)
{
UNICODE_STRING devlink;
RtlMoveMemory((PVOID)SSDT_Address,&RealCallee,4);//
if(g_pmdlSystemCall)
{
MmUnmapLockedPages(MappedSSDT,g_pmdlSystemCall);//
MmUnlockPages(g_pmdlSystemCall);//
IoFreeMdl(g_pmdlSystemCall);
}
RtlInitUnicodeString(&devlink,devicelink);
IoDeleteSymbolicLink(&devlink);
IoDeleteDevice(driver->DeviceObject);
KdPrint(("Unloaded.\n"));
}
//--------------------------------------------------------------------------------------------------------
//DriverEntry just creates our device - nothing special here initial SSDT
NTSTATUS DriverEntry(IN PDRIVER_OBJECT driver,IN PUNICODE_STRING path)
{
PDEVICE_OBJECT devobject;
UNICODE_STRING devlink,devname;//
devobject=0;
RtlInitUnicodeString(&devname,devicename);//
RtlInitUnicodeString(&devlink,devicelink);
IoCreateDevice(driver,256,&devname,FILE_DEVICE_UNKNOWN,0,TRUE,&devobject);//
IoCreateSymbolicLink(&devlink,&devname);//

driver->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DrvDispatch;//
driver->MajorFunction[IRP_MJ_CREATE]=DrvCreateClose;//
driver->MajorFunction[IRP_MJ_CLOSE]=DrvCreateClose;//
driver->DriverUnload=DrvUnload;//
g_pmdlSystemCall =IoAllocateMdl(KeServiceDescriptorTable->ServiceTable,KeServiceDescriptorTable->ServiceLimit*4,FALSE,FALSE,NULL);//allocate
if(!g_pmdlSystemCall)
  return STATUS_UNSUCCESSFUL;
  
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);//
MmProbeAndLockPages(g_pmdlSystemCall,KernelMode,IoWriteAccess);//lock it  and modify its protection attributes
MappedSSDT=MmMapLockedPagesSpecifyCache(            
										g_pmdlSystemCall,
										KernelMode,
										MmCached,
										NULL,
										FALSE,
										NormalPagePriority
										);			//get the virtual start address								
return 0;
}

Posted 29-Mar-10 20:03pm

WindowsProgramer

Updated 29-Mar-10 21:22pm

Saurabh.Garg

v6

Add a Solution

6 solutions

Solution 3

:laugh: VM means the "Virtual Machine"
can you help me dbg it?

Posted 29-Mar-10 20:47pm

WindowsProgramer

Solution 2

sorry,I don't know how do dbg it,because my computer is 1G memory and not allow me to Setup a VM to debug a driver;
can you help me dbg ? 3Q very mach...

Posted 29-Mar-10 20:35pm

WindowsProgramer

Solution 4

I just call CreateProcess("MOTEPAD"...) in application; what suprise me:the function return "1" and exists at the Process List,but it didn't show me !

Posted 29-Mar-10 21:22pm

WindowsProgramer

Solution 5

Second started?
I can't see it run with GUI,but it actually be created in Process-List;

Posted 29-Mar-10 23:10pm

WindowsProgramer

Solution 6

3Q very mach~nice to know you~you are a hot-heart、 kind and clever man~
I'm bo tang,you can call me English name："wood";
what's your name?do you have an MSN?
Then we can discuss it mmediately；

Posted 30-Mar-10 2:54am

WindowsProgramer

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Eugen Podsypalnikov · Accepted Answer · 2010-03-29T20:13:00

Have you already tried to attach a (the VS) Debugger
to the running service, to step it through ? :)

[Edit 1]

WindowsProgramer wrote:
sorry,I don't know how do dbg it,because my computer is 1G memory and not allow me to Setup a VM to debug a driver;
can you help me dbg ?

OK, that is an argument (for a VM) ! :)

You could try to log any results and "LastErrors"
of your code lines to a "output.txt" file,
before you will want (must) to debug it on a "real" machine... :)

[Edit 2]

WindowsProgramer wrote:
I just call CreateProcess("MOTEPAD"...) in application; what suprise me:the function return "1" and exists at the Process List,but it didn't show me !

Can you see a second started "NOTEPAD" ? :)

[Edit 3]

WindowsProgramer wrote:
Second started?
I can't see it run with GUI,but it actually be created in Process-List;

Yes :) If it would be possible for you
to see the GUI of the secon Notepad instance -
then the driver does hang...

...but it is probably not the case,
so I would trace all keyresults of the driver in a text file
to compare them (the results) with the working case... :)

What's wrong with my "SSDT HOOK ZwCreateSection"?

6 solutions

Solution 3

Solution 1

Solution 2

Solution 4

Solution 5

Solution 6

Add your solution here

Preview 0

Existing Members

...or Join us