加工厂

2018年2月9日星期五

查看系统的minifilter信息

标题：查看系统的minifilter信息

minifilter驱动也写几年了，别人的minifilter驱动也分析了几个。

突然之间，思想有所觉悟，看看系统的minifilter驱动框架的信息，因为系统不只是自己的驱动，还有别的驱动，甚至是系统自身的。

再比如，有时用procmon监控文件操作时，看到：FASTIO_NETWORK_QUERY_OPEN的结果是FAST IO DISALLOWED。
稍微懂点内核的人都知道，这是不好的，费时间和效率的，甚至想是哪个王八蛋驱动搞得这个结果。
这用procmon之身是查不出的，因为它的机制(ETW)，尽管它用了minifilter，不信，你看调用栈。
咋办呢？相信你看完本文，你就能做到，做不到等于你看不懂本文。

看完本文，你应该能做到不卸载某个minifilter驱动，但是让它的效果失效。
那个驱动可以是别人的文件保护驱动，透明加解密驱动，杀毒软件的驱动等。

首先说明，本文不说原始的设备挂载的文件过来驱动，如：sfilter等。
这个应该简单，根据驱动（或设备）对象，依次能找到好多有用的信息/函数。

--------------------------------------------------------------------------------------------------

下面正式开始：

首先说下本文的实验环境：
0: kd> ||
. 0 64-bit Full kernel dump: C:\WINDOWS\livekd.dmp
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff803`1968f000 PsLoadedModuleList = 0xfffff803`199f5fd0
Debug session time: Thu Jan 11 09:19:53.306 2018 (UTC + 8:00)
System Uptime: 0 days 2:41:56.055

查看系统上的minifilter驱动，只需要一个命令就可以了。
0: kd> !fltkd.filters

Filter List: ffffa28ba51f83a0 "Frame 1"
FLT_FILTER: ffffa28bae0c8830 "PROCMON23" "385200"
Filter List: ffffa28ba4bd10c0 "Frame 0"
FLT_FILTER: ffffa28ba7ecf350 "storqosflt" "244000"
FLT_FILTER: ffffa28ba7db7a80 "wcifs" "189900"
FLT_INSTANCE: ffffa28ba7df9950 "wcifs Instance" "189900"
FLT_INSTANCE: ffffa28ba7dff950 "wcifs Instance" "189900"
FLT_FILTER: ffffa28ba7e9fb40 "CldFlt" "180451"
FLT_FILTER: ffffa28ba6136b30 "FileCrypt" "141100"
FLT_INSTANCE: ffffa28ba7347460 "FileCrypt Instance" "141100"
FLT_FILTER: ffffa28ba7e91010 "luafv" "135000"
FLT_INSTANCE: ffffa28ba7e93010 "luafv" "135000"
FLT_FILTER: ffffa28ba64cb750 "npsvctrig" "46000"
FLT_INSTANCE: ffffa28ba65f8910 "npsvctrig" "46000"
FLT_FILTER: ffffa28ba57e59a0 "Wof" "40700"
FLT_INSTANCE: ffffa28ba61abb60 "Wof Instance" "40700"
FLT_INSTANCE: ffffa28ba696a780 "Wof Instance" "40700"
FLT_INSTANCE: ffffa28ba66d8460 "Wof Instance" "40700"
FLT_INSTANCE: ffffa28ba6752b60 "Wof Instance" "40700"
FLT_FILTER: ffffa28ba57e4490 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba61c2b40 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba618eb40 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba64e1010 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba66d8910 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba734e910 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba76feb40 "FileInfo" "40500"

这里有两个Filter List，这个不关系，不深入分析。
Filter List下有FLT_FILTER，这就是每个minifilter驱动，这其实是_FLT_FILTER结构，也可以用!fltkd.filter来查看。
FLT_FILTER下有FLT_INSTANCE，这就是这个minifilter附加了哪个设备/卷，这其实是_FLT_INSTANCE结构，也可以用!fltkd.instace来查看

这里选用FileCrypt，之所以选择这个，是因为这个信息全，有上下文。

0: kd> !fltkd.filter ffffa28ba6136b30

FLT_FILTER: ffffa28ba6136b30 "FileCrypt" "141100"
FLT_OBJECT: ffffa28ba6136b30 [02000000] Filter
RundownRef : 0x0000000000000006 (3)
PointerCount : 0x00000001
PrimaryLink : [ffffa28ba7e91020-ffffa28ba7e9fb50]
Frame : ffffa28ba4bd1010 "Frame 0"
Flags : [00000002] FilteringInitiated
DriverObject : ffffa28ba63fcac0
FilterLink : [ffffa28ba7e91020-ffffa28ba7e9fb50]
PreVolumeMount : 0000000000000000 (null)
PostVolumeMount : 0000000000000000 (null)
FilterUnload : fffff801814eb820 filecrypt!FCFilterUnload
InstanceSetup : fffff801814ea010 filecrypt!FCInstanceSetup
InstanceQueryTeardown : fffff801814ea420 filecrypt!FCInstanceQueryTeardown
InstanceTeardownStart : 0000000000000000 (null)
InstanceTeardownComplete : 0000000000000000 (null)
ActiveOpens : (ffffa28ba6136ce8) mCount=0
Communication Port List : (ffffa28ba6136d38) mCount=0
Client Port List : (ffffa28ba6136d88) mCount=0
VerifierExtension : 0000000000000000
Operations : ffffa28ba6136de0
OldDriverUnload : 0000000000000000 (null)
SupportedContexts : (ffffa28ba6136c60)
VolumeContexts : (ffffa28ba6136c60)
ALLOCATE_CONTEXT_NODE: ffffa28ba6135d80 "FileCrypt" [01] LookasideList (size=56)
InstanceContexts : (ffffa28ba6136c68)
FileContexts : (ffffa28ba6136c70)
StreamContexts : (ffffa28ba6136c78)
ALLOCATE_CONTEXT_NODE: ffffa28ba6135ec0 "FileCrypt" [01] LookasideList (size=40)
StreamHandleContexts : (ffffa28ba6136c80)
TransactionContext : (ffffa28ba6136c88)
(null) : (ffffa28ba6136c90)
InstanceList : (ffffa28ba6136b98)
FLT_INSTANCE: ffffa28ba7347460 "FileCrypt Instance" "141100"

看到了吧！
这里显示不少的信息。
有些信息很明显，这里就不细说了。
这里主要说三个：
1.Operations成员里面存放是的指针，指针的类型后面说。
2.SupportedContexts是个数组，数组的大小后面给出，缩进的是显示的数组的内容。
3.InstanceList后面给出所有的实例，这个驱动只有一个，这和!fltkd.filters显示的是一样的。

--------------------------------------------------------------------------------------------------

说到实例，这里就先说下，插一道杠子。
0: kd> dt fltmgr!_FLT_INSTANCE ffffa28ba7347460
+0x000 Base : _FLT_OBJECT
+0x030 OperationRundownRef : 0xffffa28b`a6caec20 _EX_RUNDOWN_REF_CACHE_AWARE
+0x038 Volume : 0xffffa28b`a730e7e0 _FLT_VOLUME
+0x040 Filter : 0xffffa28b`a6136b30 _FLT_FILTER
+0x048 Flags : 0 (No matching name)
+0x050 Altitude : _UNICODE_STRING "141100"
+0x060 Name : _UNICODE_STRING "FileCrypt Instance"
+0x070 FilterLink : _LIST_ENTRY [ 0xffffa28b`a6136c00 - 0xffffa28b`a6136c00 ]
+0x080 ContextLock : _EX_PUSH_LOCK
+0x088 Context : (null)
+0x090 TransactionContexts : _CONTEXT_LIST_CTRL
+0x098 TrackCompletionNodes : 0xffffa28b`a6aacc90 _TRACK_COMPLETION_NODES
+0x0a0 CallbackNodes : [50] (null)
0: kd> !fltkd.instance ffffa28ba7347460

FLT_INSTANCE: ffffa28ba7347460 "FileCrypt Instance" "141100"
FLT_OBJECT: ffffa28ba7347460 [01000000] Instance
RundownRef : 0x0000000000000000 (0)
PointerCount : 0x00000001
PrimaryLink : [ffffa28ba6752b70-ffffa28ba7dff960]
OperationRundownRef : ffffa28ba6caec20
Number : 4
PoolToFree : ffffa28ba72fe5d0
OperationsRefs : ffffa28ba72fe600 (0)
PerProcessor Ref[0] : 0xffffffffffffff56 (-85)
PerProcessor Ref[1] : 0x0000000000000006 (3)
PerProcessor Ref[2] : 0x00000000000000bc (94)
PerProcessor Ref[3] : 0xffffffffffffffe8 (-12)
Flags : [00000000]
Volume : ffffa28ba730e7e0 "\Device\HarddiskVolume4"
Filter : ffffa28ba6136b30 "FileCrypt"
TrackCompletionNodes : ffffa28ba6aacc90
ContextLock : (ffffa28ba73474e0)
Context : 0000000000000000
CallbackNodes : (ffffa28ba7347500)
VolumeLink : [ffffa28ba6752b70-ffffa28ba7dff960]
FilterLink : [ffffa28ba6136c00-ffffa28ba6136c00]
这里也有一些信息，很直白，都不说了。

--------------------------------------------------------------------------------------------------

继续上面的，咱可以换另一种看法：
0: kd> dt fltmgr!_FLT_FILTER ffffa28ba6136b30
+0x000 Base : _FLT_OBJECT
+0x030 Frame : 0xffffa28b`a4bd1010 _FLTP_FRAME
+0x038 Name : _UNICODE_STRING "FileCrypt"
+0x048 DefaultAltitude : _UNICODE_STRING "141100"
+0x058 Flags : 2 ( FLTFL_FILTERING_INITIATED )
+0x060 DriverObject : 0xffffa28b`a63fcac0 _DRIVER_OBJECT
+0x068 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x0e8 VerifierExtension : (null)
+0x0f0 VerifiedFiltersLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x100 FilterUnload : 0xfffff801`814eb820 long filecrypt!FCFilterUnload+0
+0x108 InstanceSetup : 0xfffff801`814ea010 long filecrypt!FCInstanceSetup+0
+0x110 InstanceQueryTeardown : 0xfffff801`814ea420 long filecrypt!FCInstanceQueryTeardown+0
+0x118 InstanceTeardownStart : (null)
+0x120 InstanceTeardownComplete : (null)
+0x128 SupportedContextsListHead : 0xffffa28b`a6135d80 _ALLOCATE_CONTEXT_HEADER
+0x130 SupportedContexts : [7] 0xffffa28b`a6135d80 _ALLOCATE_CONTEXT_HEADER
+0x168 PreVolumeMount : (null)
+0x170 PostVolumeMount : (null)
+0x178 GenerateFileName : (null)
+0x180 NormalizeNameComponent : (null)
+0x188 NormalizeNameComponentEx : (null)
+0x190 NormalizeContextCleanup : (null)
+0x198 KtmNotification : (null)
+0x1a0 SectionNotification : (null)
+0x1a8 Operations : 0xffffa28b`a6136de0 _FLT_OPERATION_REGISTRATION
+0x1b0 OldDriverUnload : (null)
+0x1b8 ActiveOpens : _FLT_MUTEX_LIST_HEAD
+0x208 ConnectionList : _FLT_MUTEX_LIST_HEAD
+0x258 PortList : _FLT_MUTEX_LIST_HEAD
+0x2a8 PortLock : _EX_PUSH_LOCK
这里之关心：Operations和SupportedContexts（SupportedContextsListHead），别的都很直白。
这里要和前面的!fltkd.filter结合讲会更好。
因为，我们不但关心FLT_REGISTRATION，还关心这个结构的FLT_CONTEXT_REGISTRATION和FLT_OPERATION_REGISTRATION子结构。
注意：这个结构的好些成员也是结构，如Frame是_FLTP_FRAME。

可以看到SupportedContexts和SupportedContextsListHead的值是一样的。
SupportedContexts的数组的大小是7，WIN8之前是6，增加了一个FLT_SECTION_CONTEXT。
尽管开发是时候是以FLT_CONTEXT_END结束的，但是实际上这个好像没有用。

点击SupportedContexts出现：
0: kd> dx -id 0,0,ffffa28ba514a080 -r1 (*((FLTMGR!_ALLOCATE_CONTEXT_HEADER * (*)[7])0xffffa28ba6136c60))
(*((FLTMGR!_ALLOCATE_CONTEXT_HEADER * (*)[7])0xffffa28ba6136c60)) [Type: _ALLOCATE_CONTEXT_HEADER * [7]]
[0] : 0xffffa28ba6135d80 [Type: _ALLOCATE_CONTEXT_HEADER *]
[1] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[2] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[3] : 0xffffa28ba6135ec0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[4] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[5] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[6] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
空的是没有的，就是驱动编码时没有填写的。
看样子和他们定义的顺序时一一对应的。索引0对应FLT_VOLUME_CONTEXT，索引3对应FLT_STREAM_CONTEXT，等等。
分别点击0和3出现：
0: kd> dx -id 0,0,ffffa28ba514a080 -r1 ((FLTMGR!_ALLOCATE_CONTEXT_HEADER *)0xffffa28ba6135d80)
((FLTMGR!_ALLOCATE_CONTEXT_HEADER *)0xffffa28ba6135d80) : 0xffffa28ba6135d80 [Type: _ALLOCATE_CONTEXT_HEADER *]
[+0x000] Filter : 0xffffa28ba6136b30 [Type: _FLT_FILTER *]
[+0x008] ContextCleanupCallback : 0xfffff801814eb7d0 [Type: void (__cdecl*)(void *,unsigned short)]
[+0x010] Next : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[+0x018] ContextType : 0x1 [Type: unsigned short]
[+0x01a] Flags : 0x1 [Type: unsigned char]
[+0x01b] AllocationType : 0x1 [Type: unsigned char]
0: kd> dx -id 0,0,ffffa28ba514a080 -r1 ((FLTMGR!_ALLOCATE_CONTEXT_HEADER *)0xffffa28ba6135ec0)
((FLTMGR!_ALLOCATE_CONTEXT_HEADER *)0xffffa28ba6135ec0) : 0xffffa28ba6135ec0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[+0x000] Filter : 0xffffa28ba6136b30 [Type: _FLT_FILTER *]
[+0x008] ContextCleanupCallback : 0xfffff801814eb790 [Type: void (__cdecl*)(void *,unsigned short)]
[+0x010] Next : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[+0x018] ContextType : 0x8 [Type: unsigned short]
[+0x01a] Flags : 0x1 [Type: unsigned char]
[+0x01b] AllocationType : 0x1 [Type: unsigned char]
分别点击上面的ContextCleanupCallback出现：
其实，你也可以自己输入，如果你的windbg不支持的话。
0: kd> u fffff801814eb7d0
filecrypt!FCCleanupVolumeContext:
fffff801`814eb7d0 4053 push rbx
fffff801`814eb7d2 4883ec20 sub rsp,20h
fffff801`814eb7d6 488bd9 mov rbx,rcx
fffff801`814eb7d9 488b4908 mov rcx,qword ptr [rcx+8]
fffff801`814eb7dd 4885c9 test rcx,rcx
fffff801`814eb7e0 7413 je filecrypt!FCCleanupVolumeContext+0x25 (fffff801`814eb7f5)
fffff801`814eb7e2 ba46436e76 mov edx,766E4346h
fffff801`814eb7e7 ff1553caffff call qword ptr [filecrypt!_imp_ExFreePoolWithTag (fffff801`814e8240)]
0: kd> u fffff801814eb790
filecrypt!FCCleanupStreamContext:
fffff801`814eb790 4053 push rbx
fffff801`814eb792 4883ec20 sub rsp,20h
fffff801`814eb796 488bd9 mov rbx,rcx
fffff801`814eb799 488b4918 mov rcx,qword ptr [rcx+18h]
fffff801`814eb79d 4885c9 test rcx,rcx
fffff801`814eb7a0 740d je filecrypt!FCCleanupStreamContext+0x1f (fffff801`814eb7af)
fffff801`814eb7a2 e81d0b0000 call filecrypt!FCpFreeChamberId (fffff801`814ec2c4)
fffff801`814eb7a7 48c7431800000000 mov qword ptr [rbx+18h],0

关于FLTMGR!_ALLOCATE_CONTEXT_HEADER和FLT_CONTEXT_REGISTRATION的关系，这里就不说了。

至此，上下文分析完毕。

--------------------------------------------------------------------------------------------------

下面分析重要的文件各种操作对应的处理函数。

首先要说说这个，对文件各种操作的类型的处理的数量。
我们开发的时候，经常这样写IRP_MJ_OPERATION_END，就是把这个放在数组的最后一个。
这个的定义是：
#define IRP_MJ_OPERATION_END ((UCHAR)0x80)

经过IDA分析FltRegisterFilter函数可知，它也是搜索这个标志，得到处理消息的个数的。

这是个数组，每个数组成员的大小，在X64上是：
0: kd> ?? sizeof(fltmgr!_FLT_OPERATION_REGISTRATION)
unsigned int64 0x20

这里先解释下，后面的命令显示那个数组的数量的问题。

简单的，你可以这么看：
0: kd> dt 0xffffa28b`a6136de0 _FLT_OPERATION_REGISTRATION
FLTMGR!_FLT_OPERATION_REGISTRATION
+0x000 MajorFunction : 0 ''
+0x004 Flags : 0
+0x008 PreOperation : 0xfffff801`814ebb70 _FLT_PREOP_CALLBACK_STATUS filecrypt!FCPreCreate+0
+0x010 PostOperation : 0xfffff801`814eb890 _FLT_POSTOP_CALLBACK_STATUS filecrypt!FCPostCreate+0
+0x018 Reserved1 : (null)
这是显示第一个（索引为0）的MajorFunction == 0（即IRP_MJ_CREATE）的注册的信息。
还可以继续：
0: kd> dt 0xffffa28b`a6136de0 + @@(sizeof(FLTMGR!_FLT_OPERATION_REGISTRATION)) _FLT_OPERATION_REGISTRATION
FLTMGR!_FLT_OPERATION_REGISTRATION
+0x000 MajorFunction : 0x6 ''
+0x004 Flags : 0
+0x008 PreOperation : 0xfffff801`814ec040 _FLT_PREOP_CALLBACK_STATUS filecrypt!FCPreSetInformation+0
+0x010 PostOperation : (null)
+0x018 Reserved1 : (null)
直到出现：MajorFunction == IRP_MJ_OPERATION_END，如:
0: kd> dt 0xffffa28b`a6136e00 + @@(sizeof(FLTMGR!_FLT_OPERATION_REGISTRATION)) _FLT_OPERATION_REGISTRATION
FLTMGR!_FLT_OPERATION_REGISTRATION
+0x000 MajorFunction : 0x80 ''
+0x004 Flags : 0
+0x008 PreOperation : (null)
+0x010 PostOperation : (null)
+0x018 Reserved1 : (null)
如果，对脚本熟悉，这里可以编写脚本处理。
也可以用另一种方式显示：
0: kd> dps 0xffffa28b`a6136de0 L80
ffffa28b`a6136de0 00000000`00000000
ffffa28b`a6136de8 fffff801`814ebb70 filecrypt!FCPreCreate
ffffa28b`a6136df0 fffff801`814eb890 filecrypt!FCPostCreate
ffffa28b`a6136df8 00000000`00000000
ffffa28b`a6136e00 00000000`00000006
ffffa28b`a6136e08 fffff801`814ec040 filecrypt!FCPreSetInformation
ffffa28b`a6136e10 00000000`00000000
ffffa28b`a6136e18 00000000`00000000
ffffa28b`a6136e20 00000000`00000080
ffffa28b`a6136e28 00000000`00000000
ffffa28b`a6136e30 00000000`00000000
ffffa28b`a6136e38 00000000`00000000
......

至此，文件的消息的处理函数分析完毕。
很幸运，这个驱动处理的消息/操作很少。

--------------------------------------------------------------------------------------------------

其实操作系统也提供了各种信息枚举的接口，不信，你看：
0: kd> x fltmgr!fltenum*
fffff801`800a0220 FLTMGR!FltEnumerateInstanceInformationByDeviceObject (void)
fffff801`800a9256 FLTMGR!FltEnumerateInstanceInformationByDeviceObject$fin$0 (void)
fffff801`800ae5a1 FLTMGR!FltEnumerateInstanceInformationByVolumeName$fin$0 (void)
fffff801`8009d580 FLTMGR!FltEnumerateInstances (void)
fffff801`800a5fb0 FLTMGR!FltEnumerateFilterInformation (void)
fffff801`800ae4a0 FLTMGR!FltEnumerateInstanceInformationByVolume (<no parameter info>)
fffff801`800ae290 FLTMGR!FltEnumerateFilters (<no parameter info>)
fffff801`800ae600 FLTMGR!FltEnumerateVolumes (<no parameter info>)
fffff801`800ae3b0 FLTMGR!FltEnumerateInstanceInformationByFilter (<no parameter info>)
fffff801`800ae4d0 FLTMGR!FltEnumerateInstanceInformationByVolumeName (<no parameter info>)
fffff801`800ae5d0 FLTMGR!FltEnumerateVolumeInformation (<no parameter info>)
一个编码的例子，可参考：
http://correy.webs.com/articles/computer/c/FltEnumerateFilters.C.txt
再结合本文的分析，你所能做的事都在于你的脑子了。

made by correy
made at 14:03 2018/1/10
http://correy.web.com

查看注册表回调的函数的地址

标题：查看注册表回调的函数的地址。

经IDA分析：
CmRegisterCallback调用了CmpRegisterCallbackInternal
CmRegisterCallbackEx调用了CmpRegisterCallbackInternal
CmpRegisterCallbackInternal调用了CmpInsertCallbackInListByAltitude
CmpInsertCallbackInListByAltitude用到了CmpCallbackListLock，CallbackListHead，CmpCallbackCookie，CmpCallBackCount。
这里用到的只有CallbackListHead和CmpCallBackCount。

注意：
由CmpRegisterCallbackInternal构造的传递给CmpInsertCallbackInListByAltitude的第一个参数是个结构。
这个结构的第六个成员（索引为5）是回调函数的地址。

注意：一般情况下CmpCallBackCount的值位0。

--------------------------------------------------------------------------------------------------

下面是简要的分析过程：
4: kd> ||
. 0 Remote KD: KdSrv:Server=@{<Local>},Trans=@{COM:Port=\\.\pipe\com1,Baud=115200,Pipe,Timeout=4000,Resets=2}
4: kd> vertarget
Windows 10 Kernel Version 14393 MP (6 procs) Free x64
Built by: 14393.1593.amd64fre.rs1_release.170731-1934
Machine Name:
Kernel base = 0xfffff802`d5478000 PsLoadedModuleList = 0xfffff802`d5776040
Debug session time: Sun Jan 7 10:57:14.914 2018 (UTC + 8:00)
System Uptime: 0 days 0:11:10.290

4: kd> dd nt!CmpCallBackCount l1
fffff802`d5794e98 00000004

0: kd> dq nt!CallbackListHead
fffff802`d5791c20 ffffbb89`e1685e00 ffffbb89`e1cab4d0
fffff802`d5791c30 00000000`00000000 01d38761`8331470c
fffff802`d5791c40 00000000`00000000 00000000`00000000 第一个是空的。
fffff802`d5791c50 fffff802`d5791c50 fffff802`d5791c50
fffff802`d5791c60 00000000`00060001 fffff802`d5791c68
fffff802`d5791c70 fffff802`d5791c68 00000000`00000000
fffff802`d5791c80 00000000`00060001 fffff802`d5791c88
fffff802`d5791c90 fffff802`d5791c88 00000000`00000000
0: kd> dq ffffbb89`e1cab4d0 下一个
ffffbb89`e1cab4d0 fffff802`d5791c20 ffffbb89`e4789d10
ffffbb89`e1cab4e0 00000000`00000000 01d38761`8331470a
ffffbb89`e1cab4f0 00000000`00000000 fffff802`d58bfa30
ffffbb89`e1cab500 00420074`000c000c ffffbb89`e17b9930
ffffbb89`e1cab510 ffffbb89`e1cab510 ffffbb89`e1cab510
ffffbb89`e1cab520 6d4e6f49`03090106 9369ee85`4faf2548
ffffbb89`e1cab530 006e0069`0057005c 00730077`006f0064
ffffbb89`e1cab540 00730079`0053005c 0033006d`00650074
0: kd> u fffff802`d58bfa30
nt!RegistryCallback:竟然是这个
fffff802`d58bfa30 4c8bdc mov r11,rsp
fffff802`d58bfa33 49895b08 mov qword ptr [r11+8],rbx
fffff802`d58bfa37 49897310 mov qword ptr [r11+10h],rsi
fffff802`d58bfa3b 57 push rdi
fffff802`d58bfa3c 4883ec50 sub rsp,50h
fffff802`d58bfa40 488b05f980eaff mov rax,qword ptr [nt!_security_cookie (fffff802`d5767b40)]
fffff802`d58bfa47 4833c4 xor rax,rsp
fffff802`d58bfa4a 4889442440 mov qword ptr [rsp+40h],rax
0: kd> dq ffffbb89`e4789d10 下一个
ffffbb89`e4789d10 ffffbb89`e1cab4d0 ffffbb89`e25b60e0
ffffbb89`e4789d20 00360061`00000000 01d38761`8331470c
ffffbb89`e4789d30 00000000`00000000 fffff805`ebdd1060
ffffbb89`e4789d40 00320035`000c000c ffffbb89`e3433cb0
ffffbb89`e4789d50 ffffbb89`e4789d50 ffffbb89`e4789d50
ffffbb89`e4789d60 58706e50`03040106 9369ee85`4a1d0d08
ffffbb89`e4789d70 ffffbb89`e3999210 ffffbb89`e47e5f10
ffffbb89`e4789d80 ffffbb89`e3ebe980 00000000`00000000
0: kd> u fffff805`ebdd1060 自己注册的，测试专用。
test!RegistryCallback [d:\users\administrator\source\repos\test\test\test.cpp @ 15]:
fffff805`ebdd1060 4c89442418 mov qword ptr [rsp+18h],r8
fffff805`ebdd1065 4889542410 mov qword ptr [rsp+10h],rdx
fffff805`ebdd106a 48894c2408 mov qword ptr [rsp+8],rcx
fffff805`ebdd106f 4883ec18 sub rsp,18h
fffff805`ebdd1073 c7042400000000 mov dword ptr [rsp],0
fffff805`ebdd107a 8b0424 mov eax,dword ptr [rsp]
fffff805`ebdd107d 4883c418 add rsp,18h
fffff805`ebdd1081 c3 ret
0: kd> u test!RegistryCallback 反过来，验证下，也是正确的。
test!RegistryCallback [d:\users\administrator\source\repos\test\test\test.cpp @ 15]:
fffff805`ebdd1060 4c89442418 mov qword ptr [rsp+18h],r8
fffff805`ebdd1065 4889542410 mov qword ptr [rsp+10h],rdx
fffff805`ebdd106a 48894c2408 mov qword ptr [rsp+8],rcx
fffff805`ebdd106f 4883ec18 sub rsp,18h
fffff805`ebdd1073 c7042400000000 mov dword ptr [rsp],0
fffff805`ebdd107a 8b0424 mov eax,dword ptr [rsp]
fffff805`ebdd107d 4883c418 add rsp,18h
fffff805`ebdd1081 c3 ret
0: kd> dq ffffbb89`e25b60e0 下一个
ffffbb89`e25b60e0 ffffbb89`e4789d10 ffffbb89`e1685e00
ffffbb89`e25b60f0 00000000`00000000 01d38761`8331470b
ffffbb89`e25b6100 00000000`00000000 fffff805`eb762fa0
ffffbb89`e25b6110 00000000`000c000c ffffbb89`ebfbc1a0
ffffbb89`e25b6120 ffffbb89`e25b6120 ffffbb89`e25b6120
ffffbb89`e25b6130 6944624f`03030406 00000000`00000000
ffffbb89`e25b6140 ffffbb89`e208a240 ffffce07`2ce7a960
ffffbb89`e25b6150 00000000`2125a355 00000000`00000000
0: kd> u fffff805`eb762fa0
registry!RegistryCallback: 还有这个？
fffff805`eb762fa0 48895c2408 mov qword ptr [rsp+8],rbx
fffff805`eb762fa5 57 push rdi
fffff805`eb762fa6 4881ec80000000 sub rsp,80h
fffff805`eb762fad 488b05ac30ffff mov rax,qword ptr [registry!_security_cookie (fffff805`eb756060)]
fffff805`eb762fb4 4833c4 xor rax,rsp
fffff805`eb762fb7 4889442470 mov qword ptr [rsp+70h],rax
fffff805`eb762fbc 33db xor ebx,ebx
fffff805`eb762fbe 83fa0e cmp edx,0Eh
0: kd> dq ffffbb89`e1685e00 下一个
ffffbb89`e1685e00 ffffbb89`e25b60e0 fffff802`d5791c20
ffffbb89`e1685e10 00310030`00000000 01d38761`83314709
ffffbb89`e1685e20 00000000`00000000 fffff805`e99d7a50
ffffbb89`e1685e30 10000000`000c000c ffffbb89`e17c3ea0
ffffbb89`e1685e40 ffffbb89`e1685e40 ffffbb89`e1685e40
ffffbb89`e1685e50 6d4e624f`03030406 9369ee85`4f0dce38
ffffbb89`e1685e60 004c0074`00690042 0065006b`0063006f
ffffbb89`e1685e70 10000000`00000072 00000000`00001000
0: kd> u fffff805`e99d7a50
*** ERROR: Module load completed but symbols could not be loaded for SysmonDrv.sys
SysmonDrv+0x7a50: 这个不说了，你懂的。
fffff805`e99d7a50 48895c2408 mov qword ptr [rsp+8],rbx
fffff805`e99d7a55 4889742410 mov qword ptr [rsp+10h],rsi
fffff805`e99d7a5a 57 push rdi
fffff805`e99d7a5b 4154 push r12
fffff805`e99d7a5d 4155 push r13
fffff805`e99d7a5f 4156 push r14
fffff805`e99d7a61 4157 push r15
fffff805`e99d7a63 4881ecc0000000 sub rsp,0C0h
再下一个就是开头了。

--------------------------------------------------------------------------------------------------

另一个看法：
5: kd> dd nt!CmpCallBackCount l1
fffff802`d5794e98 00000003
5: kd> dps nt!CallbackListHead
fffff802`d5791c20 ffffbb89`e25b60e0
fffff802`d5791c28 ffffbb89`e1cab4d0
fffff802`d5791c30 00000000`00000000
fffff802`d5791c38 01d38761`8331470c
fffff802`d5791c40 00000000`00000000
fffff802`d5791c48 00000000`00000000 为空
fffff802`d5791c50 fffff802`d5791c50 nt!CmpPreloadedHivesList
fffff802`d5791c58 fffff802`d5791c50 nt!CmpPreloadedHivesList
fffff802`d5791c60 00000000`00060001
fffff802`d5791c68 fffff802`d5791c68 nt!CmpLoadWorkerEvent+0x8
fffff802`d5791c70 fffff802`d5791c68 nt!CmpLoadWorkerEvent+0x8
fffff802`d5791c78 00000000`00000000
fffff802`d5791c80 00000000`00060001
fffff802`d5791c88 fffff802`d5791c88 nt!CmpLoadWorkerDebugEvent+0x8
fffff802`d5791c90 fffff802`d5791c88 nt!CmpLoadWorkerDebugEvent+0x8
fffff802`d5791c98 00000000`00000000
5: kd> dps ffffbb89`e1cab4d0
ffffbb89`e1cab4d0 fffff802`d5791c20 nt!CallbackListHead
ffffbb89`e1cab4d8 ffffbb89`e4789d10
ffffbb89`e1cab4e0 00000000`00000000
ffffbb89`e1cab4e8 01d38761`8331470a
ffffbb89`e1cab4f0 00000000`00000000
ffffbb89`e1cab4f8 fffff802`d58bfa30 nt!RegistryCallback
ffffbb89`e1cab500 00420074`000c000c
ffffbb89`e1cab508 ffffbb89`e17b9930
ffffbb89`e1cab510 ffffbb89`e1cab510
ffffbb89`e1cab518 ffffbb89`e1cab510
ffffbb89`e1cab520 6d4e6f49`03090106
ffffbb89`e1cab528 9369ee85`4faf2548
ffffbb89`e1cab530 006e0069`0057005c
ffffbb89`e1cab538 00730077`006f0064
ffffbb89`e1cab540 00730079`0053005c
ffffbb89`e1cab548 0033006d`00650074
5: kd> dps ffffbb89`e4789d10
ffffbb89`e4789d10 ffffbb89`e1cab4d0
ffffbb89`e4789d18 ffffbb89`e25b60e0
ffffbb89`e4789d20 00360061`00000000
ffffbb89`e4789d28 01d38761`8331470c
ffffbb89`e4789d30 00000000`00000000
ffffbb89`e4789d38 fffff805`ebdd1060 test!RegistryCallback [d:\users\administrator\source\repos\test\test\test.cpp @ 15]
ffffbb89`e4789d40 00320035`000c000c
ffffbb89`e4789d48 ffffbb89`e3433cb0
ffffbb89`e4789d50 ffffbb89`e4789d50
ffffbb89`e4789d58 ffffbb89`e4789d50
ffffbb89`e4789d60 58706e50`03040106
ffffbb89`e4789d68 9369ee85`4a1d0d08
ffffbb89`e4789d70 ffffbb89`e3999210
ffffbb89`e4789d78 ffffbb89`e47e5f10
ffffbb89`e4789d80 ffffbb89`e3ebe980
ffffbb89`e4789d88 00000000`00000000
5: kd> dps ffffbb89`e25b60e0
ffffbb89`e25b60e0 ffffbb89`e4789d10
ffffbb89`e25b60e8 fffff802`d5791c20 nt!CallbackListHead
ffffbb89`e25b60f0 00000000`00000000
ffffbb89`e25b60f8 01d38761`8331470b
ffffbb89`e25b6100 00000000`00000000
ffffbb89`e25b6108 fffff805`eb762fa0 registry!RegistryCallback
ffffbb89`e25b6110 00000000`000c000c
ffffbb89`e25b6118 ffffbb89`ebfbc1a0
ffffbb89`e25b6120 ffffbb89`e25b6120
ffffbb89`e25b6128 ffffbb89`e25b6120
ffffbb89`e25b6130 6944624f`03030406
ffffbb89`e25b6138 00000000`00000000
ffffbb89`e25b6140 ffffbb89`e208a240
ffffbb89`e25b6148 ffffce07`2ce7a960
ffffbb89`e25b6150 00000000`2125a355
ffffbb89`e25b6158 00000000`00000000
再继续就从头开始了。

--------------------------------------------------------------------------------------------------

第三种分析思路：

1: kd> dd nt!CmpCallBackCount l1
fffff801`6919ae98 00000002

;注释：nt!CallbackListHead是个LIST_ENTRY结构的全局变量。
1: kd> x nt!CallbackListHead
fffff801`69197c20 nt!CallbackListHead = <no type information>
1: kd> dt nt!_LIST_ENTRY fffff801`69197c20
[ 0xffff9d06`80d42870 - 0xffff9d06`7a3da980 ]
+0x000 Flink : 0xffff9d06`80d42870 _LIST_ENTRY [ 0xffff9d06`7a3da980 - 0xfffff801`69197c20 ]
+0x008 Blink : 0xffff9d06`7a3da980 _LIST_ENTRY [ 0xfffff801`69197c20 - 0xffff9d06`80d42870 ]
;注释：经过IDA的分析可知这个结构的大小是0x50.
1: kd> dps 0xffff9d06`7a3da980 L(0x50/@@(sizeof(void *)))
ffff9d06`7a3da980 fffff801`69197c20 nt!CallbackListHead
ffff9d06`7a3da988 ffff9d06`80d42870
ffff9d06`7a3da990 00000000`00000000
ffff9d06`7a3da998 01d38a03`2a85ebf0
ffff9d06`7a3da9a0 00000000`00000000
ffff9d06`7a3da9a8 fffff801`692c5a30 nt!RegistryCallback
ffff9d06`7a3da9b0 00420074`000c000c
ffff9d06`7a3da9b8 ffff9d06`79f6fcb0
ffff9d06`7a3da9c0 ffff9d06`7a3da9c0
ffff9d06`7a3da9c8 ffff9d06`7a3da9c0
1: kd> dps ffff9d06`80d42870 L(0x50/@@(sizeof(void *)))
ffff9d06`80d42870 ffff9d06`7a3da980
ffff9d06`80d42878 fffff801`69197c20 nt!CallbackListHead
ffff9d06`80d42880 00380002`00000000
ffff9d06`80d42888 01d38a03`2a85ebf1
ffff9d06`80d42890 00000000`00000000
ffff9d06`80d42898 fffff80a`bf002fa0
ffff9d06`80d428a0 00000001`000c000c
ffff9d06`80d428a8 ffff9d06`809702c0
ffff9d06`80d428b0 ffff9d06`80d428b0
ffff9d06`80d428b8 ffff9d06`80d428b0
自此结束了，在分析就是从头开始了，你看fffff801`69197c20 nt!CallbackListHead又出现了。

--------------------------------------------------------------------------------------------------

最后得出重要的脚本：
待定。

--------------------------------------------------------------------------------------------------

made by correy
made at 12:07 2018/1/7
http://correy.webs.com

查看映像回调的函数的地址

标题：查看映像回调的函数的地址。

经IDA分析：
PsSetLoadImageNotifyRoutine调用了PsSetLoadImageNotifyRoutineEx
PsSetLoadImageNotifyRoutineEx用到了PspLoadImageNotifyRoutine，PspLoadImageNotifyRoutineCount。

下面是简要的分析过程：
0: kd> ||
. 0 64-bit Full kernel dump: C:\WINDOWS\livekd.dmp
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff800`95414000 PsLoadedModuleList = 0xfffff800`95775ff0
Debug session time: Fri Jan 5 20:23:00.320 2018 (UTC + 8:00)
System Uptime: 1 days 0:23:22.648
0: kd> dd nt!PspLoadImageNotifyRoutineCount L1
fffff800`95bfee80 00000001
0: kd> dq nt!PspLoadImageNotifyRoutine
fffff800`957ace80 ffffd489`9e93125f 00000000`00000000
fffff800`957ace90 00000000`00000000 00000000`00000000
fffff800`957acea0 00000000`00000000 00000000`00000000
fffff800`957aceb0 00000000`00000000 00000000`00000000
fffff800`957acec0 00000000`00000000 00000000`00000000
fffff800`957aced0 00000000`00000000 00000000`00000000
fffff800`957acee0 00000000`00000000 00000000`00000000
fffff800`957acef0 00000000`00000000 00000000`00000000
0: kd> dq ffffd489`9e93125f - @@(sizeof(void *)) L1
ffffd489`9e931257 fff80184`974e1000
0: kd> u fffff80184`974e10
ahcache!CitmpLoadImageCallback:
fffff801`84974e10 4885c9 test rcx,rcx
fffff801`84974e13 0f8472010000 je ahcache!CitmpLoadImageCallback+0x17b (fffff801`84974f8b)
fffff801`84974e19 4c8bdc mov r11,rsp
fffff801`84974e1c 55 push rbp
fffff801`84974e1d 4156 push r14
fffff801`84974e1f 4157 push r15
fffff801`84974e21 4883ec60 sub rsp,60h
fffff801`84974e25 4533ff xor r15d,r15d

最后得出重要的脚本：
0: kd> r @$t0=poi(nt!PspLoadImageNotifyRoutineCount);r @$t1=nt!PspLoadImageNotifyRoutine;.for(r @$t2=0; @$t2<@$t0; r @$t2=@$t2+1){.printf /D "ImageNotifyRoutine(%d):%y\n", (@$t2 + 1), ((poi(((poi(@$t1+@$t2*@@(sizeof(void *))))-@@(sizeof(void *))))>>8) | ff00000000000000)}
ImageNotifyRoutine(1):ahcache!CitmpLoadImageCallback (fffff801`84974e10)
ImageNotifyRoutine(2):Memory access error at ')>>8) | ff00000000000000)'

--------------------------------------------------------------------------------------------------

made by correy
made at 9:59 2018/1/7
http://correy.webs.com

查看线程回调的函数的地址

标题：查看线程回调的函数的地址。

经IDA分析：
PsSetCreateThreadNotifyRoutine调用了PspSetCreateThreadNotifyRoutine
PsSetCreateThreadNotifyRoutineEx也调用了PspSetCreateThreadNotifyRoutine

分析PspSetCreateThreadNotifyRoutine用到了PspCreateThreadNotifyRoutine，PspCreateThreadNotifyRoutineCount，PspCreateThreadNotifyRoutineNonSystemCount。

下面是简要的分析过程：
0: kd> ||
. 0 64-bit Full kernel dump: C:\WINDOWS\livekd.dmp
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff800`95414000 PsLoadedModuleList = 0xfffff800`95775ff0
Debug session time: Fri Jan 5 20:23:00.320 2018 (UTC + 8:00)
System Uptime: 1 days 0:23:22.648
0: kd> dd nt!PspCreateThreadNotifyRoutineCount L1
fffff800`95bfee84 00000002
0: kd> dd nt!PspCreateThreadNotifyRoutineNonSystemCount l1
fffff800`95bfee88 00000000
0: kd> dq nt!PspCreateThreadNotifyRoutine
fffff800`957acc80 ffffd489`a0e2ec0f ffffd489`a6c4a1ff
fffff800`957acc90 00000000`00000000 00000000`00000000
fffff800`957acca0 00000000`00000000 00000000`00000000
fffff800`957accb0 00000000`00000000 00000000`00000000
fffff800`957accc0 00000000`00000000 00000000`00000000
fffff800`957accd0 00000000`00000000 00000000`00000000
fffff800`957acce0 00000000`00000000 00000000`00000000
fffff800`957accf0 00000000`00000000 00000000`00000000
0: kd> dq ffffd489`a0e2ec0f - @@(sizeof(void *)) L1
ffffd489`a0e2ec07 fff80187`22d16c00
0: kd> u fffff80187`22d16c
nvlddmkm+0x11d16c:
fffff801`8722d16c 48895c2408 mov qword ptr [rsp+8],rbx
fffff801`8722d171 4889742410 mov qword ptr [rsp+10h],rsi
fffff801`8722d176 57 push rdi
fffff801`8722d177 4883ec20 sub rsp,20h
fffff801`8722d17b 488bf1 mov rsi,rcx
fffff801`8722d17e 418ad8 mov bl,r8b
fffff801`8722d181 488b0df0b76e00 mov rcx,qword ptr [nvlddmkm!nvDumpConfig+0x82f68 (fffff801`87918978)]
fffff801`8722d188 488bfa mov rdi,rdx

最后得出重要的脚本：
0: kd> r @$t0=(poi(nt!PspCreateThreadNotifyRoutineCount) + poi(nt!PspCreateThreadNotifyRoutineNonSystemCount));r @$t1=nt!PspCreateThreadNotifyRoutine;.for(r @$t2=0; @$t2<@$t0; r @$t2=@$t2+1){.printf /D "ThreadNotifyRoutine(%d):%y\n", (@$t2 + 1), ((poi(((poi(@$t1+@$t2*@@(sizeof(void *))))-@@(sizeof(void *))))>>8) | ff00000000000000)}
ThreadNotifyRoutine(1):nvlddmkm+0x11d16c (fffff801`8722d16c)
ThreadNotifyRoutine(2):mmcss!CiThreadNotification (fffff801`88081010)

--------------------------------------------------------------------------------------------------

made by correy
made at 9:59 2018/1/7
http://correy.webs.com

2017年12月26日星期二

DbgPrintEx或KdPrintEx的用法

/*
题目：
简单的说是DbgPrintEx and KdPrintEx的用法。
复杂的说是Windows驱动的（调试）打印信息子系统的设计。

参考：
Reading and Filtering Debugging Messages
https://docs.microsoft.com/zh-cn/windows-hardware/drivers/devtest/reading-and-filtering-debugging-messages

说是说有这么几种类型的设备信息：
IHVVIDEO Video driver
IHVAUDIO Audio driver
IHVNETWORK Network driver
IHVSTREAMING Kernel streaming driver
IHVBUS Bus driver
IHVDRIVER Any other type of driver

我们开发硬件驱动的不多，所以，如果要编写网络驱动就用DPFLTR_IHVNETWORK_ID，其余的非硬件的就用DPFLTR_IHVDRIVER_ID，若文件和磁盘相关的等。
其实dpfilter.h文件里定义的更多。
还可以用windbg来验证/查看：
0: kd> x nt!Kd_*_Mask
fffff802`d35bb310 nt!Kd_LDR_Mask = <no type information>
fffff802`d35bb2bc nt!Kd_WDI_Mask = <no type information>
fffff802`d35bb21c nt!Kd_POWER_Mask = <no type information>
fffff802`d35bb208 nt!Kd_CAPIMG_Mask = <no type information>
fffff802`d35bb45c nt!Kd_SETUP_Mask = <no type information>
fffff802`d35bb358 nt!Kd_DMIO_Mask = <no type information>
fffff802`d35bb2fc nt!Kd_STORMINIPORT_Mask = <no type information>
fffff802`d35bb350 nt!Kd_DMADMIN_Mask = <no type information>
fffff802`d35bb3cc nt!Kd_SCCLIENT_Mask = <no type information>
fffff802`d35bb3ec nt!Kd_TCPIP_Mask = <no type information>
fffff802`d35bb400 nt!Kd_AMLI_Mask = <no type information>
fffff802`d35bb368 nt!Kd_PREFETCHER_Mask = <no type information>
fffff802`d35bb2f0 nt!Kd_VERIFIER_Mask = <no type information>
fffff802`d35bb450 nt!Kd_CRASHDUMP_Mask = <no type information>
fffff802`d35bb3d0 nt!Kd_SCSERVER_Mask = <no type information>
fffff802`d35bb410 nt!Kd_MOUCLASS_Mask = <no type information>
fffff802`d35bb288 nt!Kd_FVEVOL_Mask = <no type information>
fffff802`d35bb384 nt!Kd_MCHGR_Mask = <no type information>
fffff802`d35bb3a4 nt!Kd_WMICORE_Mask = <no type information>
fffff802`d35bb3b0 nt!Kd_UNIMODEM_Mask = <no type information>
fffff802`d35bb380 nt!Kd_IDEP_Mask = <no type information>
fffff802`d35bb230 nt!Kd_EXFAT_Mask = <no type information>
fffff802`d35bb314 nt!Kd_RTLTHREADPOOL_Mask = <no type information>
fffff802`d35bb298 nt!Kd_THREADORDER_Mask = <no type information>
fffff802`d35bb37c nt!Kd_PCIIDE_Mask = <no type information>
fffff802`d35bb320 nt!Kd_IHVSTREAMING_Mask = <no type information>
fffff802`d35bb214 nt!Kd_GPIO_Mask = <no type information>
fffff802`d35bb2e4 nt!Kd_VDSDYN_Mask = <no type information>
fffff802`d35bb3e0 nt!Kd_FASTFAT_Mask = <no type information>
fffff802`d35bb200 nt!Kd_STORAGECLASSMEMORY_Mask = <no type information>
fffff802`d35bb34c nt!Kd_WSOCKTRANSPORT_Mask = <no type information>
fffff802`d35bb24c nt!Kd_MSDSM_Mask = <no type information>
fffff802`d35bb254 nt!Kd_FLTREGRESS_Mask = <no type information>
fffff802`d35bb378 nt!Kd_FLOPPY_Mask = <no type information>
fffff802`d35bb224 nt!Kd_SE_Mask = <no type information>
fffff802`d35bb338 nt!Kd_SR_Mask = <no type information>
fffff802`d35bb3e8 nt!Kd_DMSYNTH_Mask = <no type information>
fffff802`d35bb394 nt!Kd_FUSION_Mask = <no type information>
fffff802`d35bb43c nt!Kd_REDBOOK_Mask = <no type information>
fffff802`d35bb26c nt!Kd_COVERAGE_Mask = <no type information>
fffff802`d35bb330 nt!Kd_IHVDRIVER_Mask = <no type information>
fffff802`d35bb370 nt!Kd_TERMSRV_Mask = <no type information>
fffff802`d35bb3c4 nt!Kd_SERENUM_Mask = <no type information>
fffff802`d35bb32c nt!Kd_IHVVIDEO_Mask = <no type information>
fffff802`d35bb318 nt!Kd_HPS_Mask = <no type information>
fffff802`d35bb2d0 nt!Kd_DEFAULT_Mask = <no type information>
fffff802`d35bb3d4 nt!Kd_NETAPI_Mask = <no type information>
fffff802`d35bb434 nt!Kd_SCSIPORT_Mask = <no type information>
fffff802`d3572920 nt!Kd_WIN2000_Mask = <no type information>
fffff802`d35bb31c nt!Kd_IHVBUS_Mask = <no type information>
fffff802`d35bb3e4 nt!Kd_NTOSPNP_Mask = <no type information>
fffff802`d35bb274 nt!Kd_USBSTOR_Mask = <no type information>
fffff802`d35bb258 nt!Kd_KSECDD_Mask = <no type information>
fffff802`d35bb428 nt!Kd_I8042PRT_Mask = <no type information>
fffff802`d35bb354 nt!Kd_DMCONFIG_Mask = <no type information>
fffff802`d35bb420 nt!Kd_LSERMOUS_Mask = <no type information>
fffff802`d35bb3a0 nt!Kd_BURNENG_Mask = <no type information>
fffff802`d35bb268 nt!Kd_CACHEMGR_Mask = <no type information>
fffff802`d35bb328 nt!Kd_IHVAUDIO_Mask = <no type information>
fffff802`d35bb33c nt!Kd_DMSERVER_Mask = <no type information>
fffff802`d35bb220 nt!Kd_DRIVEEXTENDER_Mask = <no type information>
fffff802`d35bb3fc nt!Kd_HALIA64_Mask = <no type information>
fffff802`d35bb414 nt!Kd_KBDCLASS_Mask = <no type information>
fffff802`d35bb39c nt!Kd_IMAPI_Mask = <no type information>
fffff802`d35bb3b4 nt!Kd_DCOMSS_Mask = <no type information>
fffff802`d35bb458 nt!Kd_NTFS_Mask = <no type information>
fffff802`d35bb35c nt!Kd_PCI_Mask = <no type information>
fffff802`d35bb340 nt!Kd_PROCESSOR_Mask = <no type information>
fffff802`d35bb29c nt!Kd_TPM_Mask = <no type information>
fffff802`d35bb454 nt!Kd_FSTUB_Mask = <no type information>
fffff802`d35bb390 nt!Kd_IDLETASK_Mask = <no type information>
fffff802`d35bb22c nt!Kd_FILETRACE_Mask = <no type information>
fffff802`d35bb2ac nt!Kd_HEAP_Mask = <no type information>
fffff802`d35bb438 nt!Kd_STORPROP_Mask = <no type information>
fffff802`d35bb278 nt!Kd_APPCOMPAT_Mask = <no type information>
fffff802`d35bb290 nt!Kd_EMS_Mask = <no type information>
fffff802`d35bb41c nt!Kd_KBDHID_Mask = <no type information>
fffff802`d35bb2b4 nt!Kd_KTM_Mask = <no type information>
fffff802`d35bb294 nt!Kd_ENVIRON_Mask = <no type information>
fffff802`d35bb388 nt!Kd_TAPE_Mask = <no type information>
fffff802`d35bb3f8 nt!Kd_VIDEO_Mask = <no type information>
fffff802`d35bb218 nt!Kd_CRASHDUMPXHCI_Mask = <no type information>
fffff802`d35bb324 nt!Kd_IHVNETWORK_Mask = <no type information>
fffff802`d35bb448 nt!Kd_CDROM_Mask = <no type information>
fffff802`d35bb464 nt!Kd_SYSTEM_Mask = <no type information>
fffff802`d35bb38c nt!Kd_SOFTPCI_Mask = <no type information>
fffff802`d35bb424 nt!Kd_SERMOUSE_Mask = <no type information>
fffff802`d35bb204 nt!Kd_VPCI_Mask = <no type information>
fffff802`d35bb244 nt!Kd_PSHED_Mask = <no type information>
fffff802`d35bb250 nt!Kd_MPIO_Mask = <no type information>
fffff802`d35bb408 nt!Kd_WMILIB_Mask = <no type information>
fffff802`d35bb3f0 nt!Kd_VIDEOPRT_Mask = <no type information>
fffff802`d35bb3d8 nt!Kd_PNPMGR_Mask = <no type information>
fffff802`d35bb2d8 nt!Kd_VDSUTIL_Mask = <no type information>
fffff802`d35bb23c nt!Kd_LSASS_Mask = <no type information>
fffff802`d35bb2f8 nt!Kd_PRINTSPOOLER_Mask = <no type information>
fffff802`d35bb284 nt!Kd_NDIS_Mask = <no type information>
fffff802`d35bb234 nt!Kd_CNG_Mask = <no type information>
fffff802`d35bb3c0 nt!Kd_UHCD_Mask = <no type information>
fffff802`d35bb2cc nt!Kd_MM_Mask = <no type information>
fffff802`d35bb2a4 nt!Kd_USERGDI_Mask = <no type information>
fffff802`d35bb300 nt!Kd_STORPORT_Mask = <no type information>
fffff802`d35bb30c nt!Kd_TCPIP6_Mask = <no type information>
fffff802`d35bb280 nt!Kd_NVCTRACE_Mask = <no type information>
fffff802`d35bb2b8 nt!Kd_PERFLIB_Mask = <no type information>
fffff802`d35bb440 nt!Kd_DISK_Mask = <no type information>
fffff802`d35bb2d4 nt!Kd_DFRGIFC_Mask = <no type information>
fffff802`d35bb3dc nt!Kd_SAMSS_Mask = <no type information>
fffff802`d35bb364 nt!Kd_RSFILTER_Mask = <no type information>
fffff802`d35bb360 nt!Kd_FCPORT_Mask = <no type information>
fffff802`d35bb3b8 nt!Kd_AUTOCHK_Mask = <no type information>
fffff802`d35bb210 nt!Kd_REFS_Mask = <no type information>
fffff802`d35bb2a0 nt!Kd_MMCSS_Mask = <no type information>
fffff802`d35bb334 nt!Kd_INFINIBAND_Mask = <no type information>
fffff802`d35bb374 nt!Kd_FDC_Mask = <no type information>
fffff802`d35bb2ec nt!Kd_VDS_Mask = <no type information>
fffff802`d35bb20c nt!Kd_WER_Mask = <no type information>
fffff802`d35bb2c4 nt!Kd_WOW64_Mask = <no type information>
fffff802`d35bb308 nt!Kd_ISAPNP_Mask = <no type information>
fffff802`d35bb348 nt!Kd_VSS_Mask = <no type information>
fffff802`d35bb228 nt!Kd_XSAVE_Mask = <no type information>
fffff802`d35bb2e8 nt!Kd_VDSBAS_Mask = <no type information>
fffff802`d35bb344 nt!Kd_PNPMEM_Mask = <no type information>
fffff802`d35bb3a8 nt!Kd_FLTMGR_Mask = <no type information>
fffff802`d35bb42c nt!Kd_CONFIG_Mask = <no type information>
fffff802`d35bb2c8 nt!Kd_DFSC_Mask = <no type information>
fffff802`d35bb444 nt!Kd_CLASSPNP_Mask = <no type information>
fffff802`d35bb3f4 nt!Kd_SVCHOST_Mask = <no type information>
fffff802`d35bb25c nt!Kd_TXF_Mask = <no type information>
fffff802`d35bb264 nt!Kd_MOUNTMGR_Mask = <no type information>
fffff802`d35bb404 nt!Kd_ACPI_Mask = <no type information>
fffff802`d35bb1f8 nt!Kd_ENDOFTABLE_Mask = <no type information>
fffff802`d35bb1fc nt!Kd_FSLIB_Mask = <no type information>
fffff802`d35bb270 nt!Kd_SBP2PORT_Mask = <no type information>
fffff802`d35bb28c nt!Kd_WDT_Mask = <no type information>
fffff802`d35bb40c nt!Kd_TWOTRACK_Mask = <no type information>
fffff802`d35bb44c nt!Kd_CDAUDIO_Mask = <no type information>
fffff802`d35bb2f4 nt!Kd_VSSDYNDISK_Mask = <no type information>
fffff802`d35bb36c nt!Kd_W32TIME_Mask = <no type information>
fffff802`d35bb2c0 nt!Kd_ALPC_Mask = <no type information>
fffff802`d35bb248 nt!Kd_UDFS_Mask = <no type information>
fffff802`d35bb3ac nt!Kd_SIS_Mask = <no type information>
fffff802`d35bb398 nt!Kd_SXS_Mask = <no type information>
fffff802`d35bb3c8 nt!Kd_SERIAL_Mask = <no type information>
fffff802`d35bb238 nt!Kd_SSPICLI_Mask = <no type information>
fffff802`d35bb27c nt!Kd_LUAFV_Mask = <no type information>
fffff802`d35bb2e0 nt!Kd_VDSDYNDR_Mask = <no type information>
fffff802`d35bb240 nt!Kd_STORVSP_Mask = <no type information>
fffff802`d35bb2a8 nt!Kd_WHEA_Mask = <no type information>
fffff802`d35bb3bc nt!Kd_RPCPROXY_Mask = <no type information>
fffff802`d35bb460 nt!Kd_SMSS_Mask = <no type information>
fffff802`d35bb418 nt!Kd_MOUHID_Mask = <no type information>
fffff802`d35bb260 nt!Kd_CFR_Mask = <no type information>
fffff802`d35bb430 nt!Kd_SCSIMINIPORT_Mask = <no type information>
fffff802`d35bb2b0 nt!Kd_IOSTRESS_Mask = <no type information>
fffff802`d35bb2dc nt!Kd_VDSLDR_Mask = <no type information>
fffff802`d35bb304 nt!Kd_SHPC_Mask = <no type information>

这次，我们关系的是：nt!Kd_IHVDRIVER_Mask。

关于级别，在dpfilter.h里就定义了这么几种，不过，自己还可以扩充。
#define DPFLTR_ERROR_LEVEL 0
#define DPFLTR_WARNING_LEVEL 1
#define DPFLTR_TRACE_LEVEL 2
#define DPFLTR_INFO_LEVEL 3
#define DPFLTR_MASK 0x80000000
注意：这是按bit来的。

奇怪：
在HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter的DEFAULT or IHVDRIVER都设置为f了，但是用
1: kd> dd nt!Kd_IHVDRIVER_Mask L1
fffff802`d35bb330 00000000
的值不是f.
过一会，去了趟厕所，才明白：
DEFAULT不和nt!Kd_IHVDRIVER_Mask对应，而和nt!Kd_DEFAULT_Mask对应
推测IHVDRIVER不和nt!Kd_DEFAULT_Mask对应，而和nt!Kd_IHVDRIVER_Mask对应。

在这种情况下测试，只有DPFLTR_ERROR_LEVEL的信息会显示。
这大概就是：
If Level is 0, the bitfield is equivalent to 0x00000001. If Level is 31, the bitfield is equivalent to 0x80000000.
这句话来解释。

执行：
ed nt!Kd_IHVDRIVER_Mask 3
然后再测试，错误和告警都显示了。

执行：
ed nt!Kd_IHVDRIVER_Mask 7
然后显示：
1: kd> g
ERROR
WARNING
TRACE

执行：
1: kd> ed nt!Kd_IHVDRIVER_Mask 8
然后显示：
0: kd> g
ERROR
INFO
为何?如此？
8是二进制的1000.
只有这样解释，信息位是第三位（从右边数第四个），而第零位是默认的，无论如何在何种情况下都认为是1（不能说显示）。

执行：
ed nt!Kd_IHVDRIVER_Mask f
然后显示：
0: kd> g
ERROR
WARNING
TRACE
INFO
这四个都显示了。

由此可见，我们可以控制nt!Kd_IHVDRIVER_Mask的值，来控制我们的输出，而不用修改代码。
相应的估计注册表也可以，那是IHVDRIVER的键值。
这是一个调试手法，谨记。

进一步的测试：
本工程和nt!Kd_DEFAULT_Mask的值无关，证明见下：
0: kd> ed nt!Kd_DEFAULT_Mask 1
0: kd> dd nt!Kd_DEFAULT_Mask L1
fffff802`d35bb2d0 00000001
0: kd> g
ERROR
WARNING
TRACE
INFO
1: kd> dd nt!Kd_IHVDRIVER_Mask L1
fffff802`d35bb330 0000000f
不过，nt!Kd_DEFAULT_Mask好像和默认的输出有关。

made by correy
made at 2017.12.22
http://correy.webs.com
*/

#pragma once

#include <fltKernel.h>
#include <ntimage.h>
#include <ntstrsafe.h>
#include <ntdef.h>
#include <ntddk.h>
#include <windef.h>

#define TAG 'tset' //test

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
UNREFERENCED_PARAMETER(pDriverObject);
}

extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
UNREFERENCED_PARAMETER(pRegistryPath);

KdBreakPoint();

pDriverObject->DriverUnload = DriverUnload;

DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ERROR\n");
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_WARNING_LEVEL, "WARNING\n");
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "TRACE\n");
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "INFO\n");

return STATUS_UNSUCCESSFUL;
}

2017年10月1日星期日

!vtop命令的X64分析

标题：X64的虚拟地址到物理地址的手工分析。

前言：虚拟地址到物理地址的转换这大部分是CPU的事，偶尔OS也做下，程序员一般不接触这，最多是了解下。

这里的实验环境是Windows 10 + windbg + vmware.

这里说下注意事项：
1.确保进程的上下文，就是CR3的值和进程对象的DirBase值一样。
2.加载符号文件，这是基本的也是重要的。
3.选取虚拟地址，如果实在不知道就用lm vm 看看某个模块的基地址。

--------------------------------------------------------------------------------------------------

0: kd> vertarget
Windows 10 Kernel Version 14393 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 14393.1593.amd64fre.rs1_release.170731-1934
Machine Name:
Kernel base = 0xfffff800`8f091000 PsLoadedModuleList = 0xfffff800`8f38f040
Debug session time: Sun Oct  1 13:57:58.216 2017 (UTC + 8:00)
System Uptime: 0 days 0:01:27.925

选定一个虚拟内存，这个内存的信息如下：
0: kd> db 0x00007ff7`ceb8df10 L5
00007ff7`ceb8df10  74 65 73 74 00                                   test.

看看系统命令对这个地址的转换：
0: kd> !vtop 0 00007ff7ceb8df10
Amd64VtoP: Virt 00007ff7`ceb8df10, pagedir 3a4d8000
Amd64VtoP: PML4E 3a4d87f8
Amd64VtoP: PDPE 303b5ef8
Amd64VtoP: PDE 34e363a8
Amd64VtoP: PTE 354b7c68
Amd64VtoP: Mapped phys 371def10
Virtual address 7ff7ceb8df10 translates to physical address 371def10.
可以以这个命令的信息为参考进行分析。

查看CR3的值：
0: kd> r cr3 
cr3=000000003a4d8000

自己手动分析虚拟地址的格式：
0: kd> .formats 00007ff7ceb8df10
Evaluate expression:
  Hex:     00007ff7`ceb8df10
  Decimal: 140702301871888
  Octal:   0000003777371656157420
  Binary:  0000000000000000 011111111 111011111 001110101 110001101 111100010000    这里自己格式化下。
                                   ff       1df        75       18d          f10    这个是自己的手工分析，具体的见intel的资料。
  Chars:   .......
  Time:    Wed Jun 13 04:23:50.187 1601 (UTC + 8:00)
  Float:   low -1.55081e+009 high 4.59051e-041
  Double:  6.95162e-310

最终的物理地址的内容是：
0: kd> !db 371def10 L5
#371def10 74 65 73 74 00 test.....E......

!vtop命令已经实现了，但是它是如何实现的呢？
这个命令显示的信息太简单了，下面就是自己的分析。

--------------------------------------------------------------------------------------------------

PML4E 3a4d87f8，这个数是怎么来的呢？
0: kd> ? cr3 + ff * 8
Evaluate expression: 978159608 = 00000000`3a4d87f8

PDPE 303b5ef8，这个数是怎么来的呢？
0: kd> !dq 3a4d87f8 L1
#3a4d87f8 01000000`303b5867
0: kd> ? 303b5000 + 8 * 1df
Evaluate expression: 809197304 = 00000000`303b5ef8

PDE 34e363a8，这个数是怎么来的呢？
0: kd> !dq 303b5ef8 L1
#303b5ef8 01100000`34e36867
0: kd> ? 34e36000 + 8 * 75
Evaluate expression: 887317416 = 00000000`34e363a8

PTE 354b7c68，这个数是怎么来的呢？
0: kd> !dq 34e363a8 L1
#34e363a8 01200000`354b7867
0: kd> ? 354b7000 + 8 * 18d
Evaluate expression: 894139496 = 00000000`354b7c68

最后就是那个物理地址了。
0: kd> !dq 354b7c68 L1
#354b7c68 a0600000`371de025
0: kd> ? 371de000 + f10
Evaluate expression: 924708624 = 00000000`371def10

--------------------------------------------------------------------------------------------------

made by correy
made at 2017/10/1
http://correy.webs.com

2017年9月7日星期四

SeRegisterImageVerificationCallback

/*
如何在驱动中获取SYS或者DLL，EXE等的签名信息？
自己编写代码也可以，就是难定位到文件的签名文件，如：用CAT的。

高版本的WDK下有个Early Launch Anti-Malware Driver或者叫elam工程。
这个工程IoRegisterBootDriverCallback的使用有限制，测试了没有成功：平常返回失败，BOOT启动也失败。
不过，在这里看到一个数据结构：PBDCB_IMAGE_INFORMATION。

偶尔你会看到这两个函数：
SeRegisterImageVerificationCallback，SeUnregisterImageVerificationCallback
在网上一搜，果然看到：
http://www.codemachine.com/article_kernel_callback_functions.html
http://eretik.omegahg.com/art/1E.html
其实这两个函数定义在WDK8.1及以上的版本的WDM.H中，且也导出了，所以可直接使用。
本文就是关于这的测试代码。

made by correy
made at 2017.09.07
http://correy.webs.com
*/

#include <fltKernel.h>

PVOID g_CallbackHandle;

VOID PrintHex(_In_reads_bytes_(DataSize) PVOID Data, _In_ ULONG DataSize)
/*++
Routine Description:
This routine prints out the supplied data in hexadecimal form.
Arguments:
Data - Supplies a pointer to the data to be printed.
DataSize - Supplies the length in bytes of the data to be printed.
--*/
{
PCUCHAR Bytes;
ULONG Index;

for (Bytes = (PCUCHAR)Data, Index = 0; Index < DataSize; Index++)
{
if ((Index & 15) == 0)
{
KdPrint(("\r\n: "));
}

KdPrint(("%02x ", Bytes[Index]));
}

KdPrint(("\r\n"));
}

VOID MY_SE_IMAGE_VERIFICATION_CALLBACK_FUNCTION(_In_opt_ PVOID CallbackContext, _In_ SE_IMAGE_TYPE ImageType, _Inout_ PBDCB_IMAGE_INFORMATION ImageInformation)
/*
加载没有签名的驱动这里拦截不到。

估计这里的ImageType的值和传递给SeRegisterImageVerificationCallback的第一个参数的值一样。
*/
{
UNREFERENCED_PARAMETER(CallbackContext);

KdPrint((" ImageType = 0x%08x.\r\n", ImageType));

// Display the image name and any associated registry path.
KdPrint((" Image name \"%wZ\"\r\n", &ImageInformation->ImageName));
if (ImageInformation->RegistryPath.Buffer != NULL)
{
KdPrint((" Registry path \"%wZ\"\r\n", &ImageInformation->RegistryPath));
}

// Did this image fail Code Integrity checks?
if ((ImageInformation->ImageFlags & BDCB_IMAGEFLAGS_FAILED_CODE_INTEGRITY) != 0)
{
KdPrint((" FAILED Code Integrity checks but boot policy allowed it to be loaded.\r\n"));
}

// Display the image's hash.
if (ImageInformation->ImageHash != NULL && ImageInformation->ImageHashLength != 0)
{
KdPrint((" Image hash algorithm = 0x%08x.\r\n", ImageInformation->ImageHashAlgorithm));
KdPrint((" Image hash:"));
PrintHex(ImageInformation->ImageHash, ImageInformation->ImageHashLength);
}

// Display who signed the image (if at all).
if (ImageInformation->CertificatePublisher.Buffer != NULL)
{
KdPrint((" Image is signed by \"%wZ\".\r\n", &ImageInformation->CertificatePublisher));//重点是获取这个。
if (ImageInformation->CertificateIssuer.Buffer != NULL)
{
KdPrint((" Certificate issued by \"%wZ\".\r\n", &ImageInformation->CertificateIssuer));
}

if (ImageInformation->CertificateThumbprint != NULL && ImageInformation->CertificateThumbprintLength != 0)
{
KdPrint((" Certificate thumb print algorithm = 0x%08x.\r\n", ImageInformation->ThumbprintHashAlgorithm));
KdPrint((" Certificate thumb print:"));
PrintHex(ImageInformation->CertificateThumbprint, ImageInformation->CertificateThumbprintLength);
}
}
else
{
KdPrint((" Not signed.\r\n"));
}

KdPrint(("\r\n"));
}

extern "C" void DriverUnload(PDRIVER_OBJECT driver_object)
{
UNREFERENCED_PARAMETER(driver_object);

SeUnregisterImageVerificationCallback(g_CallbackHandle);
}

extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
{
UNREFERENCED_PARAMETER(registry_path);
PAGED_CODE();

__debugbreak();

driver_object->DriverUnload = DriverUnload;

NTSTATUS status = STATUS_SUCCESS;

#if (NTDDI_VERSION < NTDDI_WINBLUE)
return STATUS_UNSUCCESSFUL;
#endif

status = SeRegisterImageVerificationCallback(SeImageTypeDriver, SeImageVerificationCallbackInformational, MY_SE_IMAGE_VERIFICATION_CALLBACK_FUNCTION, NULL, NULL, &g_CallbackHandle);

return status;
}

2017年6月2日星期五

驱动中获取哈希

/*
功能：驱动中获取哈希。

注意事项：
1.要链接到cng.lib，而不是应用层的Bcrypt.lib，
  否则驱动启动因为找不到以来的文件，而显示错误码：2，及找不到文件。
  具体的做法是：
  SOURCE文件的TARGETLIBS加上$(DDK_LIB_PATH)\cng.lib
  或者：
  sources.props或类似的文件里的TARGETLIBS加上$(DDK_LIB_PATH)\cng.lib。
  再说下是DDK_LIB_PATH，而不是SDK_LIB_PATH。

made by correy
made at 2017.06.02
http://correy.webs.com
*/


#include <ntifs.h>
#include <windef.h>
#include <Bcrypt.h>
#include <Ntstrsafe.h>


#pragma warning(disable:4201) // nameless struct/union
#pragma warning(disable:4214) // bit field types other than int
#pragma warning(disable:4100) // 未引用的形参
#pragma warning(disable:4101) // 未引用的局部变量
#pragma warning(disable:4189) // 局部变量已初始化但不引用


#define TAG 'test' //test


BOOL HASH(IN PBYTE rgbMsg, IN ULONG cbInput, LPWSTR algorithm, OUT PBYTE * Hash, DWORD * HashLen)
    /*
    注意：
    1.多字节和单字节。
    2.算法名区分大小写，否者出现异常。
    3.pbHash由调用者释放。

    参考：https://msdn.microsoft.com/en-us/library/windows/desktop/aa376217(v=vs.85).aspx
    */
{
    BOOL B = FALSE;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    BCRYPT_ALG_HANDLE hAlg = NULL;
    DWORD cbData = 0;//calculate the size of the buffer to hold the hash object
    DWORD cbHashObject    = 0;
    PBYTE pbHashObject = NULL;
    DWORD cbHash = 0;//calculate the length of the hash
    PBYTE pbHash = NULL;
    BCRYPT_HASH_HANDLE hHash = NULL;

    if(!NT_SUCCESS(status = BCryptOpenAlgorithmProvider(&hAlg, algorithm, NULL, 0)))//open an algorithm handle
    {
        goto Cleanup;
    }
    
    if(!NT_SUCCESS(status = BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PBYTE)&cbHashObject, sizeof(DWORD), &cbData, 0)))
    {
        goto Cleanup;
    }
    pbHashObject = (PBYTE)ExAllocatePoolWithTag(NonPagedPoolNx, cbHashObject, TAG);
    if(NULL == pbHashObject)
    {
        goto Cleanup;
    }
    RtlZeroMemory(pbHashObject, cbHashObject);
    
    if(!NT_SUCCESS(status = BCryptGetProperty(hAlg, BCRYPT_HASH_LENGTH, (PBYTE)&cbHash, sizeof(DWORD), &cbData, 0)))
    {
        goto Cleanup;
    }
    pbHash = (PBYTE)ExAllocatePoolWithTag(NonPagedPoolNx, cbHash, TAG);
    if(NULL == pbHash)
    {
        goto Cleanup;
    }
    RtlZeroMemory(pbHash, cbHash);

    if(!NT_SUCCESS(status = BCryptCreateHash(hAlg, &hHash, pbHashObject, cbHashObject, NULL, 0, 0)))//create a hash
    {
        goto Cleanup;
    }
    
    if(!NT_SUCCESS(status = BCryptHashData(hHash, rgbMsg, cbInput, 0)))//hash some data
    {
        goto Cleanup;
    }

    //pbHash是哈希内容，cbHash是哈希的长度。
    
    if(!NT_SUCCESS(status = BCryptFinishHash(hHash, pbHash, cbHash, 0)))//close the hash
    {
        goto Cleanup;
    }

    //wprintf(L"Success!\n");

    * Hash = pbHash;
    * HashLen = cbHash;
    B = TRUE;

Cleanup:

    if(hAlg)
    {
        BCryptCloseAlgorithmProvider(hAlg,0);
    }

    if (hHash)    
    {
        BCryptDestroyHash(hHash);
    }

    if(pbHashObject)
    {
        ExFreePoolWithTag(pbHashObject, TAG);
    }

    //if(pbHash)
    //{
    //    HeapFree(GetProcessHeap(), 0, pbHash);
    //}

    return B;
}


BOOL HASHFILE(LPCTSTR lpFileName, LPWSTR algorithm, LPWSTR lpFileHash)
    /*
    注意：lpFileName支持DOS格式，包括流，
         但是不支持:
         1.NT式的，\Device\XXX 
         2.带环境扩展的，%systemroot%
         3.网络的也不行，如：\Device\Mup\vmware-host\Shared Folders\XXX
         4.还有\SystemRoot\system32\drivers\spsys.sys。
    注意：lpFileHash提供的空间要足够大，足够容纳想要的数据。
    */
{
    unsigned int status = STATUS_SUCCESS;
    BOOL B = FALSE;
    HANDLE hFile = NULL; 
    PBYTE buffer = NULL;
    DWORD NumberOfBytesRead = 0;
    PBYTE Hash;
    DWORD HashLen;
    unsigned int i;
    OBJECT_ATTRIBUTES ob;
    IO_STATUS_BLOCK  IoStatusBlock = {0};
    LARGE_INTEGER AllocationSize = {0};
    UNICODE_STRING FileName;
    PFILE_OBJECT FileObject = 0;
    LARGE_INTEGER file_size = {0};
    LARGE_INTEGER ByteOffset = {0};

    RtlInitUnicodeString(&FileName, lpFileName);
    InitializeObjectAttributes(&ob, &FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
    status = ZwCreateFile(
        &hFile, 
        FILE_ALL_ACCESS | SYNCHRONIZE, 
        &ob,
        &IoStatusBlock,
        &AllocationSize, 
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_VALID_FLAGS, 
        FILE_OPEN, 
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, 
        NULL,
        0
        );
    if (!NT_SUCCESS (status)) 
    {
        return FALSE;
    }

    status = ObReferenceObjectByHandle(hFile, FILE_LIST_DIRECTORY | SYNCHRONIZE, *IoFileObjectType, KernelMode, (PVOID *)&FileObject, NULL );
    ASSERT (NT_SUCCESS( status ));
    status = FsRtlGetFileSize(FileObject, &file_size);
    ASSERT (NT_SUCCESS( status ));
    ASSERT(file_size.QuadPart);
    ASSERT(0 == file_size.HighPart);

    buffer = (PBYTE)ExAllocatePoolWithTag(NonPagedPoolNx, file_size.LowPart, TAG);//文件过大，这里会失败。
    ASSERT(NULL != buffer);
    
    status = ZwReadFile(hFile, NULL, NULL, NULL, &IoStatusBlock, buffer, file_size.LowPart, &ByteOffset, NULL);
    ASSERT (NT_SUCCESS( status ));

    B = HASH(buffer, file_size.LowPart, algorithm, &Hash, &HashLen);
    if (B)
    {
        //确保lpFileHash的大小大于HashLen
        for (i = 0; i < HashLen; i++)
        {
            RtlStringCchPrintfW(&lpFileHash[i * 2], 4, L"%02X", Hash[i]);
        }
    }

    ExFreePoolWithTag(Hash, TAG);
    ExFreePoolWithTag(buffer, TAG);
    ObDereferenceObject(FileObject);
    ZwClose( hFile );
    return B;
}


VOID Unload(_In_ PDRIVER_OBJECT DriverObject)
{  
    UNREFERENCED_PARAMETER(DriverObject);

    PAGED_CODE();

}


NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS Status = STATUS_SUCCESS;
    wchar_t buffer[MAX_PATH] = {0};
    BOOL B = FALSE;
    
    UNREFERENCED_PARAMETER(RegistryPath);

    PAGED_CODE();

    KdBreakPoint();

    DriverObject->DriverUnload = Unload;
    
    B = HASHFILE(L"\\Device\\HarddiskVolume1\\test.txt", BCRYPT_SHA256_ALGORITHM, buffer);

    return Status;
}

驱动中获取域名的IP地址

/*
功能：获取域名的IP地址。

made by correy
made at 2017.06.01
http://correy.webs.com
*/


#include <ntddk.h>
#include <wsk.h>
#include <ws2def.h>


#pragma warning(disable:4201) // nameless struct/union
#pragma warning(disable:4214) // bit field types other than int
#pragma warning(disable:4100) // 未引用的形参
#pragma warning(disable:4101) // 未引用的局部变量
#pragma warning(disable:4189) // 局部变量已初始化但不引用


const WSK_CLIENT_DISPATCH WskAppDispatch = {
  MAKE_WSK_VERSION(1,0), // Use WSK version 1.0
  0,    // Reserved
  NULL  // WskClientEvent callback not required for WSK version 1.0
};


WSK_REGISTRATION WskRegistration;


NTSTATUS
SyncIrpCompletionRoutine(
    __in PDEVICE_OBJECT Reserved,
    __in PIRP Irp,
    __in PVOID Context
    )
{    
    PKEVENT compEvent = (PKEVENT)Context;
    UNREFERENCED_PARAMETER(Reserved);
    UNREFERENCED_PARAMETER(Irp);
    KeSetEvent(compEvent, 2, FALSE);    
    return STATUS_MORE_PROCESSING_REQUIRED;
}


NTSTATUS
KernelNameResolutionSample(
    __in PCWSTR NodeName,
    __in_opt PCWSTR ServiceName,
    __in_opt PADDRINFOEXW Hints,
    __in PWSK_PROVIDER_NPI WskProviderNpi
    )
    //https://docs.microsoft.com/en-us/windows-hardware/drivers/network/resolving-host-names-and-ip-addresses
{
    NTSTATUS status;
    PIRP irp;
    KEVENT completionEvent;
    UNICODE_STRING uniNodeName, uniServiceName, *uniServiceNamePtr;
    PADDRINFOEXW results;
    SOCKADDR_IN * psi = NULL;
    wchar_t buffer[64] = {0};
    PWSTR p = NULL;
    UNICODE_STRING ip = {0};
    const struct in_addr * temp = NULL;

    PAGED_CODE();
    
    RtlInitUnicodeString(&uniNodeName, NodeName);// Initialize UNICODE_STRING structures for NodeName and ServiceName 

    if(ServiceName == NULL) {
        uniServiceNamePtr = NULL;
    }
    else {
        RtlInitUnicodeString(&uniServiceName, ServiceName);
        uniServiceNamePtr = &uniServiceName;
    }
    
    KeInitializeEvent(&completionEvent, SynchronizationEvent, FALSE);// Use an event object to synchronously wait for the WskGetAddressInfo request to be completed. 

    // Allocate an IRP for the WskGetAddressInfo request, and set the IRP completion routine, which will signal the completionEvent when the request is completed.
    irp = IoAllocateIrp(1, FALSE);
    if(irp == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }        

    IoSetCompletionRoutine(irp, SyncIrpCompletionRoutine, &completionEvent, TRUE, TRUE, TRUE);

    // Make the WskGetAddressInfo request.
    WskProviderNpi->Dispatch->WskGetAddressInfo (
        WskProviderNpi->Client,
        &uniNodeName,
        uniServiceNamePtr,
        NS_ALL,
        NULL, // Provider
        Hints,
        &results, 
        NULL, // OwningProcess
        NULL, // OwningThread
        irp);

    // Wait for completion.
    // Note that processing of name resolution results can also be handled directly within the IRP completion routine,
    // but for simplicity, this example shows how to wait synchronously for completion.
    KeWaitForSingleObject(&completionEvent, Executive, KernelMode, FALSE, NULL);
    status = irp->IoStatus.Status;
    IoFreeIrp(irp);
    if(!NT_SUCCESS(status)) {
        return status;
    }

    // Process the name resolution results by iterating through the addresses within the returned ADDRINFOEXW structure.
    //results; // your code here
    psi = (SOCKADDR_IN *)results->ai_addr;//注意：这一行很重要。有时要该为IPV6版本的。
    temp = (const struct in_addr *)&psi->sin_addr;
    p = RtlIpv4AddressToString(temp, buffer);
    ASSERT(p);
    RtlInitUnicodeString(&ip, buffer);
    KdPrint(("ipv4:%wZ.\r\n", &ip));
    
    WskProviderNpi->Dispatch->WskFreeAddressInfo(WskProviderNpi->Client, results);// Release the returned ADDRINFOEXW structure when no longer needed.

    return status;
} 


VOID Unload(_In_ PDRIVER_OBJECT DriverObject)
{  
    UNREFERENCED_PARAMETER(DriverObject);

    PAGED_CODE();

    WskDeregister(&WskRegistration);
}


NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS Status = STATUS_SUCCESS;
    WSK_CLIENT_NPI wskClientNpi;
    WSK_PROVIDER_NPI wskProviderNpi;
    //UNICODE_STRING test  = RTL_CONSTANT_STRING(L"DESKTOP-SQRJ1QU");
    
    UNREFERENCED_PARAMETER(RegistryPath);

    PAGED_CODE();

    KdBreakPoint();

    DriverObject->DriverUnload = Unload;
    
    wskClientNpi.ClientContext = NULL;
    wskClientNpi.Dispatch = &WskAppDispatch;
    Status = WskRegister(&wskClientNpi, &WskRegistration);
    ASSERT(NT_SUCCESS(Status));

    Status = WskCaptureProviderNPI(&WskRegistration, WSK_INFINITE_WAIT, &wskProviderNpi);
    ASSERT(NT_SUCCESS(Status));

    /*
    做一些事情。
    */
    Status = KernelNameResolutionSample(L"www.baidu.com", NULL, NULL, &wskProviderNpi);
    ASSERT(NT_SUCCESS(Status));

    WskReleaseProviderNPI(&WskRegistration);

    return Status;
}

snwscanf

/*
文件名snwscanf.C

缘故：
系统中格式化字符串的函数不少，如：
2: kd> x nt!*Printf*
fffff800`04dd1fa4 nt!vsnwprintf (<no parameter info>)
fffff800`04dbe0e8 nt!RtlStringCbPrintfA (<no parameter info>)
fffff800`04c96890 nt!RtlStringCbVPrintfA (<no parameter info>)
fffff800`04dd746c nt!snwprintf_s (<no parameter info>)
fffff800`04dd20b0 nt!vsnprintf_l (<no parameter info>)
fffff800`04ec3e04 nt!StringCchPrintfExW (<no parameter info>)
fffff800`04dd36f4 nt!sprintf (<no parameter info>)
fffff800`04dd4164 nt!vsprintf_l (<no parameter info>)
fffff800`04dd7ddc nt!sprintf_s (<no parameter info>)
fffff800`04dd2098 nt!vsnprintf (<no parameter info>)
fffff800`04dd7380 nt!snprintf_s (<no parameter info>)
fffff800`04dd6c70 nt!vswprintf_s (<no parameter info>)
fffff800`04dd1fbc nt!vsnwprintf_l (<no parameter info>)
fffff800`04dd748c nt!vsnwprintf_s (<no parameter info>)
fffff800`04c9cf54 nt!RtlStringCbPrintfW (<no parameter info>)
fffff800`04d83d80 nt!StringCchPrintfW (<no parameter info>)
fffff800`04f867e8 nt!g_AslLogPfnVPrintf = <no type information>
fffff800`04d7e268 nt!RtlStringCbPrintfExW (<no parameter info>)
fffff800`04dd29e0 nt!swprintf (<no parameter info>)
fffff800`04dd29e0 nt!swprintf (<no parameter info>)
fffff800`04dd6750 nt!get_printf_count_output (<no parameter info>)
fffff800`04dd24d0 nt!snprintf (<no parameter info>)
fffff800`05352008 nt!AslLogCallPrintf (<no parameter info>)
fffff800`04dd2578 nt!snwprintf (<no parameter info>)
fffff800`04dd6c50 nt!swprintf_s (<no parameter info>)
fffff800`04dd2aa0 nt!vswprintf_l (<no parameter info>)
fffff800`04dd2a94 nt!vswprintf (<no parameter info>)
fffff800`04dbfdcc nt!RtlUnicodeStringPrintf (<no parameter info>)
fffff800`04dd41dc nt!vsprintf (<no parameter info>)
fffff800`04dd73a0 nt!vsnprintf_s (<no parameter info>)
fffff800`04e5eba0 nt!RtlUnicodeStringPrintfEx (<no parameter info>)
fffff800`04dd7dfc nt!vsprintf_s (<no parameter info>)
fffff800`04d331b0 nt!RtlStringCchPrintfExW (<no parameter info>)
fffff800`04e41a80 nt!RtlStringCbPrintfExA (<no parameter info>)
fffff800`04dbfc5c nt!RtlStringCchPrintfA (<no parameter info>)
fffff800`04d8ca18 nt!RtlStringCchPrintfW (<no parameter info>)
WRK中也有不少，不信，你看代码。

凡是反过来，就没有，如：WRK中没有，XP和2003中没有。

还好vista开始有了，不信，你看：
2: kd> x nt!*scanf*
fffff800`04dd7434 nt!snscanf_s (<no parameter info>)
fffff800`04dd7e44 nt!sscanf_s (<no parameter info>)
fffff800`04dd8298 nt!swscanf_s (<no parameter info>)
fffff800`04dd752c nt!snwscanf_s (<no parameter info>)
有此足矣！

stdio.h中尽管有_snwscanf_s的定义/声明，但是没有实现，不信，你编译下：
error LNK2019: 无法解析的外部符号 _snwscanf_s，该符号在函数 XXX 中被引用。
但是，这不是难事，不信，你看本文的实现办法。

参考：
https://msdn.microsoft.com/zh-cn/library/dktz45bk.aspx

made by correy
made at 2017.03.31
homepage:http://correy.webs.com 
*/

#include <ntifs.h>
//#include <ntddk.h> //这两个次序不能乱(乱会出错的)，有上面的，这个可以注释掉。
#include <windef.h>
#include <stdio.h>

#define tag  'tset' //test

#pragma warning(disable:4100) //未引用的形参
#pragma warning(disable:4214) //整形以外的位域类型
#pragma warning(disable:4121) //封装要区分成员对齐方式
#pragma warning(disable:4189) //局部变量已初始化但不引用
#pragma warning(disable:4101) //未引用的局部变量
#pragma warning(disable:4201) //使用了非标准扩展 : 无名称的结构/联合
#pragma warning(disable:4055) //

//typedef OBJECT_TYPE * (*ObGetObjectType)(IN PVOID pObject);
typedef  int (__cdecl * SNWSCANF_S)(//snwscanf_s
   const wchar_t * input,
   size_t length,
   const wchar_t * format,
   ...
);

SNWSCANF_S g_snwscanf_s;


DRIVER_UNLOAD Unload;
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
}


DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT  * DriverObject, __in PUNICODE_STRING  RegistryPath)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    UNICODE_STRING test;

    KdBreakPoint();

    DriverObject->DriverUnload = Unload;

    RtlInitUnicodeString( &test, L"_snwscanf_s" );
    g_snwscanf_s = (SNWSCANF_S)MmGetSystemRoutineAddress(&test);//注意：赋值的类型转换。
    if (g_snwscanf_s)
    {
        wchar_t input[] = L"999999999"; 
        int number = 0;
        int i = g_snwscanf_s(input, wcslen(input) * sizeof(wchar_t),  L"%d", &number);
        ASSERT(i);
    }

    return status;
}

2017年1月13日星期五

IPv6EnableFirewallHook.C

/*
文件名：IPv6EnableFirewallHook.C

这是一项过时的技术：Available on Microsoft Windows XP with Service Pack 2 (SP2) and Windows Server 2003 with Service Pack 1 (SP1).
而且编译平台只有：XP和2003，因为：只有这个有Tcpip6.lib。
运行平台，那你就测试吧！

不过，有时还是必不可少的技术。

前提条件：安装IPV6协议，
非正式的办法是加载并运行Tcpip6.SYS。
其中的一个检测办法是查看：sc query tcpip6是否运行。
否则本驱动启动失败，返回错误值2，找不到文件，这个文件肯定是Tcpip6.SYS，不信看这两个文件的导出依赖信息。
也就是说Tcpip6.SYS本身是存在的，但是默认没有安装，更不用说启动了。

made by correy
made at 2017.01.13.
homepage:http://correy.webs.com
*/

#include <ntifs.h>
#include <windef.h>
#include <ntddk.h>
#include <ntstrsafe.h>
#include <assert.h>
#include <ipexport.h>
#include <Ip6firewall.h> //编译版本不能超过：NTDDI_LONGHORN。

#pragma warning(disable:4100) //未引用的形参
#pragma warning(disable:4214) //整形以外的位域类型
#pragma warning(disable:4121) //封装要区分成员对齐方式
#pragma warning(disable:4189) //局部变量已初始化但不引用

KEVENT DisableCompleteEvent;// Event to indicate when the disable is complete

#define DATA_ALIGNMENT 4// Alignment for packet data

// Driver's FirewallHook function
IPv6Action
FirewallHook(
const IPv6Addr *SourceAddress,
const IPv6Addr *DestinationAddress,
uint PayloadLength,
uchar HeaderType,
const uchar *HeaderData,
const void *PacketContext,
uint DataLength,
uint InterfaceIndex,
IPv6Direction Direction,
BOOLEAN IsLoopBack
)
{
const uchar *PacketData;
IP6RouteEntry SourceRoute;
IP6RouteEntry DestinationRoute;
IP_STATUS Status;

// Obtain a pointer to the packet data
PacketData = IPv6ObtainPacketData(PacketContext, DataLength, DATA_ALIGNMENT);
if (!PacketData)// Check result
{
return ActionDrop;// Drop the packet to be safe
}

// Get the source route information
Status = IPv6GetBestRouteInfo(
SourceAddress,
0, // Global scope
0, // No interface constraint
&SourceRoute
);
if (Status != IP_SUCCESS)// Check result
{
return ActionDrop;// Drop the packet to be safe
}

// Get the destination route information
Status = IPv6GetBestRouteInfo(
DestinationAddress,
0, // Global scope
0, // No interface constraint
&DestinationRoute
);
if (Status != IP_SUCCESS)// Check result
{
return ActionDrop;// Drop the packet to be safe
}

// Inspect the various data sources to determine
// the action to be taken on the packet
//...

// If there is a reason why the packet should be dropped...
//if (...)
{
// Drop the packet
//return ActionDrop;
}

return ActionAccept;// Accept the packet
}

// Disable completion routine
VOID DisableComplete(VOID)
{
KeSetEvent(&DisableCompleteEvent, 0, FALSE);// Set the disable complete event
}

DRIVER_UNLOAD Unload;
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
KeInitializeEvent(&DisableCompleteEvent, NotificationEvent, FALSE);// Initialize the disable complete event
IPv6DisableFirewallHook(DisableComplete);// Disable the firewall hook
KeWaitForSingleObject(&DisableCompleteEvent, Executive, KernelMode, FALSE, NULL);// Wait for the disable complete event to be signaled
}

NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT * DriverObject, __in PUNICODE_STRING RegistryPath)
{
NTSTATUS status = STATUS_SUCCESS;

//KdBreakPoint();
__debugbreak();

DriverObject->DriverUnload = Unload;

status = IPv6EnableFirewallHook(FirewallHook);// Enable the FirewallHook callback function

return status;
}

PacketFilterExtensionPtr.C

/*
文件名：PacketFilterExtensionPtr.C

说明：经常看到WDK的Hook Drivers，Filter-Hook Drivers，一直没有深入研究，直到今天。

参考：
1.WDK
2.http://newbiecoder.0ginr.com/blog/?p=550#comment-122368
3.开源防火墙NetDefender的IP过滤驱动模块
4.http://myblog-maurice.blogspot.jp/2012/02/sniffer.html

注意：
1.IpFilterDriver模块默认安装，但是没有运行。
2.或许是上面的原因，这个模块/功能会被删除/禁用掉。

made by correy
made at 2017.01.09.
homepage:http://correy.webs.com
*/

#include <ntifs.h>
#include <windef.h>
#include <ntddk.h>
#include <ntstrsafe.h>
#include <assert.h>
#include <Ntdddisk.h>

#include <ndis.h>
#include <Pfhook.h>

#include <intrin.h> //VS2012编译。
#include <immintrin.h>//VS2012编译。
//#include <mmintrin.h> //WDK 编译。
//#include <emmintrin.h>//WDK 编译。
//#include <xmmintrin.h>//WDK 编译。

#pragma warning(disable:4100) //未引用的形参
#pragma warning(disable:4214) //整形以外的位域类型
#pragma warning(disable:4121) //封装要区分成员对齐方式
#pragma warning(disable:4189) //局部变量已初始化但不引用

#define TAG 'test' test

PF_FORWARD_ACTION PacketFilterExtension(
IN unsigned char *PacketHeader,
IN unsigned char *Packet,
IN unsigned int PacketLength,
IN unsigned int RecvInterfaceIndex,
IN unsigned int SendInterfaceIndex,
IN IPAddr RecvLinkNextHop,
IN IPAddr SendLinkNextHop
)
{
return PF_FORWARD;
}

NTSTATUS StopIpFilter()
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING IpFilterDriver = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\IpFilterDriver");//默认情况下，注册表已经存在，但是没有启动。
UNICODE_STRING IpFilterDevice = RTL_CONSTANT_STRING(DD_IPFLTRDRVR_DEVICE_NAME);
PDEVICE_OBJECT deviceObject;
PFILE_OBJECT fileObject;
PF_SET_EXTENSION_HOOK_INFO psehi = {0};
KEVENT event;
IO_STATUS_BLOCK ioStatusBlock;
PIRP irp;

status = IoGetDeviceObjectPointer(&IpFilterDevice, FILE_READ_ATTRIBUTES, &fileObject, &deviceObject);
ASSERT(NT_SUCCESS(status));

psehi.ExtensionPointer = NULL;

KeInitializeEvent(&event, NotificationEvent, FALSE);

irp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER, deviceObject, &psehi, sizeof(PF_SET_EXTENSION_HOOK_INFO), NULL, 0, FALSE, &event, &ioStatusBlock);
if (!irp)
{
ObDereferenceObject(fileObject);
return STATUS_INSUFFICIENT_RESOURCES;
}

status = IoCallDriver(deviceObject, irp);
if (status == STATUS_PENDING)
{
KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
status = ioStatusBlock.Status;
}
ASSERT(NT_SUCCESS(status));

ObDereferenceObject(fileObject);

status = ZwUnloadDriver(&IpFilterDriver);
if (!NT_SUCCESS(status))
{
KdPrint(("ZwLoadDriver fail with 0x%x.\r\n", status));
return status;
}

return status;
}

NTSTATUS StartIpFilter(PacketFilterExtensionPtr PacketFilter)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING IpFilterDriver = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\IpFilterDriver");//默认情况下，注册表已经存在，但是没有启动。
UNICODE_STRING IpFilterDevice = RTL_CONSTANT_STRING(DD_IPFLTRDRVR_DEVICE_NAME);
PDEVICE_OBJECT deviceObject;
PFILE_OBJECT fileObject;
PF_SET_EXTENSION_HOOK_INFO psehi = {0};
KEVENT event;
IO_STATUS_BLOCK ioStatusBlock;
PIRP irp;

status = ZwLoadDriver(&IpFilterDriver);
if (!NT_SUCCESS(status))
{
KdPrint(("ZwLoadDriver fail with 0x%x.\r\n", status));
return status;
}

status = IoGetDeviceObjectPointer(&IpFilterDevice, FILE_READ_ATTRIBUTES, &fileObject, &deviceObject);
ASSERT(NT_SUCCESS(status));

psehi.ExtensionPointer = PacketFilter;

KeInitializeEvent(&event, NotificationEvent, FALSE);

irp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER, deviceObject, &psehi, sizeof(PF_SET_EXTENSION_HOOK_INFO), NULL, 0, FALSE, &event, &ioStatusBlock);
if (!irp)
{
ObDereferenceObject(fileObject);
return STATUS_INSUFFICIENT_RESOURCES;
}

status = IoCallDriver(deviceObject, irp);
if (status == STATUS_PENDING)
{
KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
status = ioStatusBlock.Status;
}
ASSERT(NT_SUCCESS(status));

ObDereferenceObject(fileObject);

return status;
}

//DRIVER_UNLOAD Unload;
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
StopIpFilter();
}

NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT * DriverObject, __in PUNICODE_STRING RegistryPath)
{
NTSTATUS status = STATUS_SUCCESS;

//KdBreakPoint();
__debugbreak();

DriverObject->DriverUnload = Unload;

status = StartIpFilter(PacketFilterExtension);
if (!NT_SUCCESS(status))
{
KdPrint(("StartIpFilter fail with 0x%x.\r\n", status));
return status;
}

return status;
}

2016年8月31日星期三

枚举ALE的endpoints

/*
目的：演示FwpsAleEndpointEnum的用法。
注意：编译的平台和运行的平台。
说明：Ale的Endpoint，这是什么呢？
类似TCPView.exe不停的显示和更新，
当然这个函数每次获取的值/数量也是不同的。

made by correy
made at 2016.08.31.
homepage:http://correy.webs.com
*/

#include <ntifs.h>
#include <windef.h>
#include <ntddk.h>
#include <ntstrsafe.h>
#include <Fwpsk.h>
#include <initguid.h> //静态定义UUID用的，否则：error LNK2001。
#include <Fwpmk.h>
#include <ndis.h>
#include <Wsk.h>
#include <ipmib.h>
#include <netpnp.h>
#include <ntintsafe.h>

#include <intrin.h> //VS2012编译。
#include <immintrin.h>//VS2012编译。
//#include <mmintrin.h> //WDK 编译。
//#include <emmintrin.h>//WDK 编译。
//#include <xmmintrin.h>//WDK 编译。

#pragma warning(disable:4100) //未引用的形参
#pragma warning(disable:4214) //整形以外的位域类型
#pragma warning(disable:4121) //封装要区分成员对齐方式

#define TAG 'test' //test

//https://msdn.microsoft.com/en-us/library/windows/desktop/ms738518%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
//其实：IPV4的只需This buffer should be large enough to hold at least 16 characters.
#define MAX_ADDRESS_STRING_LENGTH 64

wchar_t * get_protocol_name(UINT8 protocol)
{
wchar_t * protocol_name = 0;

switch(protocol)
{
case IPPROTO_TCP:
protocol_name = L"TCP";
break;
case IPPROTO_UDP:
protocol_name = L"UDP";
break;
case IPPROTO_IPV4:
protocol_name = L"IPV4";
break;
case IPPROTO_IPV6:
protocol_name = L"IPV6";
break;
case IPPROTO_ICMP:
protocol_name = L"ICMP";
break;
case IPPROTO_IGMP:
protocol_name = L"IGMP";
break;
case IPPROTO_ICMPV6:
protocol_name = L"ICMPV6";
break;
default:
protocol_name = L"未知";//也可打印一个数值。
break;
}

return protocol_name;
}

//DRIVER_UNLOAD Unload;
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{

}

//DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT * DriverObject, __in PUNICODE_STRING RegistryPath)
{
HANDLE gEngineHandle;
NTSTATUS Status = STATUS_SUCCESS;
FWPM_SESSION0 session = {0};
FWPS_ALE_ENDPOINT_ENUM_TEMPLATE0 enumTemplate;//编译为WIN 7版本，VISTA是没有这个变量的。
HANDLE enumHandle;
FWPS_ALE_ENDPOINT_PROPERTIES0 **entries;
UINT32 numEntriesReturned;
UINT32 calloutIndex = 0;
UNICODE_STRING appId = {0};

//KdBreakPoint();
__debugbreak();

DriverObject->DriverUnload = Unload;

session.flags = FWPM_SESSION_FLAG_DYNAMIC;
Status = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &gEngineHandle);
ASSERT (NT_SUCCESS(Status));

RtlZeroMemory(&enumTemplate, sizeof(FWPS_ALE_ENDPOINT_ENUM_TEMPLATE0));
Status = FwpsAleEndpointCreateEnumHandle0(gEngineHandle, &enumTemplate, &enumHandle);//Available starting with Windows 7
ASSERT (NT_SUCCESS(Status));

Status = FwpsAleEndpointEnum0(gEngineHandle, enumHandle, 0xFFFFFFFF, &entries, &numEntriesReturned);//Available starting with Windows 7
ASSERT (NT_SUCCESS(Status));

KdPrint(("numEntriesReturned:0x%x.\n\n\n", numEntriesReturned));

for( ; calloutIndex < numEntriesReturned; calloutIndex++)
{
KdPrint(("calloutIndex:0x%x.\n",(calloutIndex + 1)));

if (entries[calloutIndex]->ipVersion == FWP_IP_VERSION_V4)
{
UINT32 l4a = RtlUlongByteSwap((ULONG)entries[calloutIndex]->localV4Address);
UINT32 r4a = RtlUlongByteSwap((ULONG)entries[calloutIndex]->remoteV4Address);
wchar_t localV4Address[MAX_ADDRESS_STRING_LENGTH] = {0};
wchar_t remoteV4Address[MAX_ADDRESS_STRING_LENGTH] = {0};

RtlIpv4AddressToString((const struct in_addr *)&l4a, localV4Address);
RtlIpv4AddressToString((const struct in_addr *)&r4a, remoteV4Address);

KdPrint(("ipVersion:FWP_IP_VERSION_V4.\n"));
KdPrint(("localV4Address:%ws.\n", localV4Address));
KdPrint(("remoteV4Address:%ws.\n", remoteV4Address));
}
else if (entries[calloutIndex]->ipVersion == FWP_IP_VERSION_V6)
{
/*
这个IPV6的地址的字节序需要转换不？
最大是RtlUlonglongByteSwap，64-bit，但是IPv6 is 128 bits。
难道要用这个函数两次，两次的也不符合，自己写个函数？自己可以验证下。
*/
wchar_t localV6Address[MAX_ADDRESS_STRING_LENGTH] = {0};
wchar_t remoteV6Address[MAX_ADDRESS_STRING_LENGTH] = {0};

RtlIpv6AddressToString((const struct in6_addr *)&entries[calloutIndex]->localV6Address, localV6Address);
RtlIpv6AddressToString((const struct in6_addr *)&entries[calloutIndex]->remoteV6Address, remoteV6Address);

KdPrint(("ipVersion:FWP_IP_VERSION_V6.\n"));
KdPrint(("localV6Address:%ws.\n", localV6Address));
KdPrint(("remoteV6Address:%ws.\n", remoteV6Address));
}
else
{
KdBreakPoint();
}

KdPrint(("ipProtocol:%ws.\n", get_protocol_name(entries[calloutIndex]->ipProtocol)));
KdPrint(("localPort:%d.\n", entries[calloutIndex]->localPort));
KdPrint(("remotePort:%d.\n", entries[calloutIndex]->remotePort));
KdPrint(("localTokenModifiedId:0x%x.\n", entries[calloutIndex]->localTokenModifiedId));
KdPrint(("mmSaId:0x%x.\n", entries[calloutIndex]->mmSaId));
KdPrint(("qmSaId:0x%x.\n", entries[calloutIndex]->qmSaId));
KdPrint(("ipsecStatus:0x%x.\n", entries[calloutIndex]->ipsecStatus));
KdPrint(("flags:0x%x.\n", entries[calloutIndex]->flags));

appId.Buffer = (PWCH)&entries[calloutIndex]->appId.data[0];
appId.Length = (USHORT)entries[calloutIndex]->appId.size;
appId.MaximumLength = appId.Length;
KdPrint(("appId:%wZ.\n", &appId));//进程的完整路径（NT式的设备路径）。一个特殊是：System。

KdPrint(("\n"));
}

FwpmFreeMemory((VOID**)&entries);
Status = FwpsAleEndpointDestroyEnumHandle0(gEngineHandle, enumHandle);//Available starting with Windows 7
ASSERT (NT_SUCCESS(Status));

FwpmEngineClose0(gEngineHandle);

return Status;
}

订阅：博文 (Atom)