;Hard-disk physical serial number interception driver source, MASM version
;A straightforward conversion of the VC version into MASM
;
; NOTE(review): HookStart below overwrites a kernel system-service table
; entry for ZwDeviceIoControlFile so that HookZwDeviceIoControlFile can
; rewrite a 20-byte field in the output of IOCTL 7C088h (this value matches
; SMART_RCV_DRIVE_DATA). From a defender's view, a service-table entry that
; points outside ntoskrnl is the classic indicator for this kind of code.
; Several routines in this listing are visibly incomplete (uninitialized
; esi/edx, pointers lost in conversion, 20-byte copies into 4-byte globals);
; the per-routine comments call these out rather than guessing at the intent.
.386
.model flat, stdcall                    ; every proc is stdcall: ebx/esi/edi/ebp are callee-saved
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib w2k\ntoskrnl.lib
include Strings.mac
; Private IOCTLs for the control device. All use METHOD_BUFFERED, so the
; dispatch routine sees one shared SystemBuffer for input and output
; (see HDHookDispatch). Function codes 0..4 under FILE_DEVICE_UNKNOWN.
HDHOOK_HOOK equ CTL_CODE( FILE_DEVICE_UNKNOWN, 0h, METHOD_BUFFERED, FILE_ANY_ACCESS )             ; arm the service-table hook (HookStart)
HDHOOK_UNHOOK equ CTL_CODE( FILE_DEVICE_UNKNOWN, 1h, METHOD_BUFFERED, FILE_ANY_ACCESS )           ; restore the original entry (HookStop)
HDHOOK_VERSION equ CTL_CODE( FILE_DEVICE_UNKNOWN, 2h, METHOD_BUFFERED, FILE_ANY_ACCESS )          ; as written, copies 14h bytes into buffer1 (see HDHookDeviceControl)
HDHOOK_SETSELFVALUE equ CTL_CODE( FILE_DEVICE_UNKNOWN, 3h, METHOD_BUFFERED, FILE_ANY_ACCESS )     ; writes the constant 168h through a pointer lost in conversion
HDHOOK_SETEMULABLEVALUE equ CTL_CODE( FILE_DEVICE_UNKNOWN, 4h, METHOD_BUFFERED, FILE_ANY_ACCESS ) ; copies 14h bytes of caller data into DiskSerial
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Prototype of the original ZwDeviceIoControlFile: ten dword arguments,
; matching the parameter list of HookZwDeviceIoControlFile below.
_ProtoRealZwDeviceIoControlFile typedef proto :dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword
_RealZwDeviceIoControlFile typedef ptr _ProtoRealZwDeviceIoControlFile
.const
; The two CCOUNTED_UNICODE_STRING lines lost their label and string in this
; listing (the quote is unterminated). DriverEntry/DriverUnload reference
; DEVICE_NAME ("device name") and SymbolicLinkName ("symbolic link"), so
; those are presumably the missing labels -- confirm against the original.
CCOUNTED_UNICODE_STRING " ;设备名称
CCOUNTED_UNICODE_STRING " ;符号连接
.data
DiskSerial dd 0     ; 4 bytes, but used as a 14h-byte pattern/storage by HookZwDeviceIoControlFile and HDHookDeviceControl (a 20-byte store here runs into the globals below)
IsHooked dd 0       ; 1 while the service-table entry is replaced (HookStart/HookStop)
buffer dd 0         ; never assigned in this listing; HookStart/HookStop dereference it as a pointer to the table base pointer, so as written that is a null read
buffer1 dd 0        ; 4 bytes, but HDHOOK_VERSION copies 14h bytes into it
GUIActive dd 0      ; set/cleared by HDHookDispatch; not read elsewhere in this listing
.data?
RealZwDeviceIoControlFile _RealZwDeviceIoControlFile ? ; original table entry, saved by HookStart and restored by HookStop
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
DriverEntry proc pDriverObject:PDRIVER_OBJECT,RegistryPath:PUNICODE_STRING ;driver entry point
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING)
; Creates the control device DEVICE_NAME and its symbolic link, then
; installs the dispatch table and the unload routine. The service-table
; hook itself is NOT installed here; it is only armed via HDHOOK_HOOK.
; Out:   eax = STATUS_SUCCESS, or STATUS_DEVICE_CONFIGURATION_ERROR when
;        either create call returns anything other than exactly
;        STATUS_SUCCESS
; Clobb: eax, ecx, edx, flags
;-----------------------------------------------------------------------
LOCAL deviceNameUnicodeString,deviceLinkUnicodeString:UNICODE_STRING ;unused in this listing
LOCAL status:NTSTATUS
LOCAL pDeviceObject:PVOID
mov status,STATUS_DEVICE_CONFIGURATION_ERROR ;default result until both create calls succeed
invoke IoCreateDevice, pDriverObject, 0, addr DEVICE_NAME, FILE_DEVICE_UNKNOWN, \ ;create the control device (no device extension, not exclusive)
0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS ;NOTE: exact compare, not NT_SUCCESS(): informational/warning codes are treated as failure
invoke IoCreateSymbolicLink, addr SymbolicLinkName, addr DEVICE_NAME ;create the user-visible symbolic link
.if eax == STATUS_SUCCESS ;same exact compare as above
mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose ;install IRP dispatch routines and the unload routine
mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset HDHookDispatch ;all private IOCTLs go through HDHookDispatch
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
mov status, STATUS_SUCCESS
.else
invoke IoDeleteDevice, pDeviceObject ;symbolic link failed: undo the device creation
.endif
.endif
mov eax, status
ret
DriverEntry endp
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
;-----------------------------------------------------------------------
; NTSTATUS DispatchCreateClose(PDEVICE_OBJECT, PIRP)
; Handles IRP_MJ_CREATE / IRP_MJ_CLEANUP / IRP_MJ_CLOSE for the control
; device. No per-open state is kept, so the request is completed at once
; with STATUS_SUCCESS and zero bytes transferred.
; Out:   eax = STATUS_SUCCESS
; Clobb: ecx, edx (IofCompleteRequest is __fastcall), flags
;-----------------------------------------------------------------------
mov edx, pIrp
mov (_IRP PTR [edx]).IoStatus.Status, STATUS_SUCCESS
mov (_IRP PTR [edx]).IoStatus.Information, 0
fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT)
; Removes the symbolic link and the single control device.
; NOTE(review): HookStop is not called here. If IsHooked is still 1 at
; unload, the service-table entry keeps pointing at this image after it
; is unmapped, so the next ZwDeviceIoControlFile call runs into freed
; memory. Unload should refuse, or unhook, while IsHooked is set.
; Clobb: eax, ecx, edx, flags
;-----------------------------------------------------------------------
invoke IoDeleteSymbolicLink, addr SymbolicLinkName
mov ecx, pDriverObject
assume ecx:PTR DRIVER_OBJECT
invoke IoDeleteDevice, [ecx].DeviceObject
assume ecx:nothing
ret
DriverUnload endp
IsSubString proc String:PUCHAR,SubString:PUCHAR ,StringLength:dword ,SubStringLength:dword
;-----------------------------------------------------------------------
; PUCHAR IsSubString(PUCHAR String, PUCHAR SubString,
;                    DWORD StringLength, DWORD SubStringLength)
; Byte-wise search for SubString inside the first StringLength bytes of
; String (neither is NUL-terminated here; lengths are explicit).
; Out:   eax = pointer to the first match inside String, or 0 if none.
;        An empty SubString matches at String itself.
; Clobb: eax, ecx, edx, flags (ebx/esi/edi/ebp are saved and restored)
; Stack: hand-written prologue/epilogue and `retn 10h`. A `proc` with
;        parameters normally gets an automatic prologue as well, which
;        would shift every parameter by one slot -- this only works
;        under `option prologue:none` (not visible in this listing),
;        TODO confirm.
; BUG:   the "no candidate positions" check below is `jbe` after `test`,
;        and `test` clears CF, so it only catches a count of exactly 0.
;        When SubStringLength > StringLength + 1 the count wraps to a
;        huge unsigned value and the outer loop reads past String.
;-----------------------------------------------------------------------
push ebp
mov ebp, esp
mov eax, StringLength
push ebx
sub eax, SubStringLength
push esi
xor esi, esi                            ; esi = current start offset in String
push edi
inc eax                                 ; eax = StringLength - SubStringLength + 1 = number of candidate start offsets
test eax, eax
mov StringLength, eax                   ; reuse the parameter slot as the candidate count
jbe @return                             ; behaves as jz here (CF is 0 after test); see BUG above
mov edi, String
@loop:
xor eax, eax                            ; eax = index into SubString for this candidate
cmp eax, SubStringLength
jnb @loop1                              ; SubStringLength == 0: ZF from this cmp is set, so @loop1 jumps to @loop2 (match at offset 0)
lea ecx, [esi+edi]                      ; ecx = String + esi = candidate start
@@:
mov ebx, SubString
mov dl, [ecx+eax]
cmp dl, [eax+ebx]                       ; String[esi+eax] vs SubString[eax]
jnz @f                                  ; first mismatch leaves the inner loop with eax < SubStringLength
inc eax
cmp eax, SubStringLength
jb @b
@@:
cmp eax, SubStringLength                ; ZF set only if every byte matched
@loop1:
jz @loop2
inc esi                                 ; try the next start offset
cmp esi, StringLength                   ; against the candidate count stored above (unsigned)
jb @loop
@return:
xor eax, eax                            ; no match: return NULL
@exit:
pop edi
pop esi
pop ebx
pop ebp
retn 10h                                ; stdcall: callee pops the four dword arguments
@loop2:
lea eax, [esi+edi]                      ; match: return String + esi
jmp @exit
IsSubString endp
HookZwDeviceIoControlFile proc FileHandle:HANDLE,Event:DWORD,ApcRoutine:DWORD,ApcContext:PVOID,IoStatusBlock:PIO_STATUS_BLOCK,IoControlCode:DWORD,InputBuffer:DWORD,InputBufferLength:DWORD,OutputBuffer:DWORD,OutputBufferLength:DWORD
;-----------------------------------------------------------------------
; Replacement for the ZwDeviceIoControlFile service-table entry
; (installed by HookStart). Forwards every call to the saved original,
; then, for IOCTL 7C088h (matches SMART_RCV_DRIVE_DATA) with more than
; 14h output bytes, searches the output buffer for a 14h-byte pattern
; and overwrites the match in place.
; Out:   eax = status of the original call (see the path note below)
; Clobb: ecx, edx, esi, edi, flags. edi and esi are callee-saved under
;        stdcall and are NOT preserved here, so the kernel's system
;        service dispatcher gets its registers back corrupted.
; Security note: OutputBuffer is the caller's (possibly user-mode)
;        pointer and is read and written below without probing or
;        exception protection.
; BUGS as written (this routine cannot run as listed):
;   - IsSubString is passed the *value* of the dword DiskSerial, not a
;     pointer to 14h bytes of pattern data.
;   - ecx = 14h - eax makes [ecx+eax] evaluate to absolute address 14h
;     on every iteration; the source-buffer operand was lost in
;     conversion.
;   - esi is used as the loop counter but is never initialized here.
;   - when IsSubString returns 0, eax is left at 0 (STATUS_SUCCESS) and
;     the original call's status in edi is never restored.
;-----------------------------------------------------------------------
invoke RealZwDeviceIoControlFile,FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,IoControlCode,InputBuffer,InputBufferLength,OutputBuffer,OutputBufferLength
mov edi,eax                             ; edi = original status (edi not saved: see Clobb)
.if IoControlCode==7c088h && OutputBufferLength >14h ; unsigned compare; only this IOCTL is touched
invoke IsSubString,OutputBuffer,DiskSerial,OutputBufferLength,14h ; passes DiskSerial's value as the pattern pointer (see BUGS)
.if eax                                 ; eax = address of the match inside OutputBuffer
mov ecx, 14h
sub ecx, eax                            ; ecx + eax == 14h from here on (lost source operand)
@@:
mov dl, [ecx+eax]                       ; reads absolute address 14h as written
mov [eax], dl                           ; overwrite one byte of the caller's buffer
inc eax
dec esi                                 ; esi never initialized in this proc
jnz @b
mov eax, edi                            ; restore the original status (only on this path)
.endif
.endif
ret
HookZwDeviceIoControlFile endp
HookStart proc
;-----------------------------------------------------------------------
; Installs HookZwDeviceIoControlFile into the system service table slot
; of ZwDeviceIoControlFile, saving the original entry first. Idempotent
; via IsHooked.
; The service index is taken from the imm32 of the first instruction of
; the exported ZwDeviceIoControlFile stub ([eax+1], i.e. the stub is
; assumed to begin with `mov eax, imm32`). The table base is read as
; [[buffer]]; `buffer` is never assigned in this listing, so as written
; this dereferences a null pointer -- presumably it was meant to hold
; the address of the service table base pointer, TODO confirm.
; The write to the table is unconditional and unsynchronized. Defenders:
; after this runs, the table entry points into this driver's image
; instead of ntoskrnl, which is the standard detection signal.
; Out:   nothing
; Clobb: eax, ecx, edx, flags (esi is saved/restored)
;-----------------------------------------------------------------------
.if IsHooked==0
mov eax, ds:ZwDeviceIoControlFile       ; eax = address of the ntoskrnl stub
mov ecx, buffer
push esi
mov edx, [eax+1]                        ; edx = service index from the stub's mov eax, imm32
mov esi, [ecx]                          ; esi = table base (null read as written, see above)
mov edx, [esi+edx*4]                    ; edx = current table entry (the original handler)
pop esi
mov RealZwDeviceIoControlFile, edx      ; saved for the hook and for HookStop
mov eax, [eax+1]
mov ecx, [ecx]
mov dword ptr [ecx+eax*4], offset HookZwDeviceIoControlFile ; replace the table entry
mov IsHooked, 1
.endif
ret
HookStart endp
HookStop proc
;-----------------------------------------------------------------------
; Restores the original ZwDeviceIoControlFile table entry saved by
; HookStart. Only acts when IsHooked is 1. Same [eax+1] index lookup and
; [[buffer]] table-base read as HookStart, with the same null-pointer
; problem as written. Not called from DriverUnload in this listing.
; Out:   nothing
; Clobb: eax, ecx, edx, flags
;-----------------------------------------------------------------------
.if IsHooked==1
mov eax, ds:ZwDeviceIoControlFile       ; eax = address of the ntoskrnl stub
mov ecx, buffer
mov edx, RealZwDeviceIoControlFile      ; edx = original handler saved by HookStart
mov eax, [eax+1]                        ; eax = service index
mov ecx, [ecx]                          ; ecx = table base (null read as written)
mov [ecx+eax*4], edx                    ; put the original entry back
and IsHooked, 0
.endif
ret
HookStop endp
HDHookDeviceControl proc FileObject:PFILE_OBJECT,pWait:dword,InputBuffer:dword,InputBufferLength:dword,OutputBuffer:dword,OutputBufferLength:dword,IoControlCode:dword,IoStatus:PIO_STATUS_BLOCK,DeviceObject:PDEVICE_OBJECT
;-----------------------------------------------------------------------
; Handles the private HDHOOK_* IOCTLs on behalf of HDHookDispatch.
; Out:   eax with al = 1 (upper bits are whatever eax held at @exit);
;        HDHookDispatch ignores the return value.
; Clobb: eax, ecx, edx, esi, flags (esi is callee-saved and not saved)
; The IoStatus parameter slot is overwritten twice and never read, so
; nothing written here reaches the IRP.
; BUGS as written (the conversion lost the output pointers):
;   - every status store goes through [eax] while eax == 0 (from the
;     first instruction), i.e. a null write.
;   - HDHOOK_SETSELFVALUE stores 168h through [ecx], where ecx still
;     holds the IOCTL code, and stores edx, which is never set here.
;   - HDHOOK_SETEMULABLEVALUE / HDHOOK_VERSION copy 14h bytes from
;     [esi+ecx], but esi is never loaded with InputBuffer; the targets
;     DiskSerial and buffer1 are 4-byte globals, so the 20-byte store
;     overruns into the neighbouring globals.
;-----------------------------------------------------------------------
mov eax,STATUS_SUCCESS                  ; eax = 0 for the rest of the routine
mov IoStatus,eax
mov IoStatus,0                          ; parameter slot clobbered; never read again
mov ecx,IoControlCode
.if ecx==HDHOOK_HOOK
call HookStart                          ; no arguments
.elseif ecx==HDHOOK_UNHOOK
call HookStop
.elseif ecx==HDHOOK_SETSELFVALUE
.if OutputBufferLength < 4 || OutputBuffer==0 ; needs 4 output bytes
mov IoStatus,STATUS_INVALID_PARAMETER
mov dword ptr [eax], 0C000000Dh         ; STATUS_INVALID_PARAMETER through a null pointer (eax == 0)
jmp @exit
.endif
mov dword ptr [ecx], 168h               ; ecx = IOCTL code here, not a buffer pointer
mov [eax+4], edx                        ; edx is never assigned in this proc
jmp @exit
.elseif ecx==HDHOOK_SETEMULABLEVALUE
.if InputBufferLength < 14h || InputBuffer==0 ; needs 14h input bytes
mov IoStatus,STATUS_INVALID_PARAMETER
mov dword ptr [eax], 0C000000Dh         ; null write, as above
jmp @exit
.endif
xor ecx, ecx                            ; ecx = byte index 0..13h
sub esi, offset DiskSerial              ; cancels the DiskSerial base in the load below: source = esi + ecx
@@:
mov dl, byte ptr DiskSerial[esi+ecx]    ; dl = source byte (esi uninitialized here)
lea eax, DiskSerial[ecx]
inc ecx
cmp ecx, 14h
mov [eax], dl                           ; DiskSerial[ecx] = dl; bytes 4..13h land in IsHooked/buffer/buffer1/GUIActive
jb @b
jmp @exit
.elseif ecx==HDHOOK_VERSION
.if InputBufferLength < 14h || InputBuffer==0
mov IoStatus,STATUS_INVALID_PARAMETER
mov dword ptr [eax], 0C000000Dh         ; null write, as above
jmp @exit
.endif
xor ecx, ecx
sub esi, buffer1                        ; subtracts the VALUE of buffer1, unlike the `offset` form above
@@:
mov dl, byte ptr buffer1[esi+ecx]       ; source = offset buffer1 + esi + ecx (esi uninitialized)
lea eax, buffer1[ecx]
inc ecx
cmp ecx, 14h
mov [eax], dl                           ; buffer1[ecx] = dl; overruns past the 4-byte global
jb @b
jmp @exit
.else
mov dword ptr [eax], 0C0000010h         ; STATUS_INVALID_DEVICE_REQUEST through a null pointer
.endif
@exit:
mov al,1
ret
HDHookDeviceControl endp
HDHookDispatch proc pDriverObject:PDRIVER_OBJECT,pIrp:PIRP
;-----------------------------------------------------------------------
; IRP_MJ_DEVICE_CONTROL dispatch routine for the control device
; (registered in DriverEntry). Despite its name, the first parameter is
; the PDEVICE_OBJECT the I/O manager passes to every dispatch routine.
; Reads the IOCTL code, the METHOD_BUFFERED SystemBuffer (shared for
; input and output) and both lengths from the current stack location,
; then completes the IRP.
; Out:   eax = whatever IoCompleteRequest leaves there; `status` is set
;        but never loaded into eax before ret.
; Clobb: eax, ecx, edx, esi, edi, flags (esi/edi are callee-saved and
;        are not preserved here)
; BUGS as written:
;   - the .if chain compares the IOCTL *code* against IRP_MJ_* major
;     function numbers, so for real IOCTL values no branch matches and
;     HDHookDeviceControl is never reached (those constants describe the
;     MajorFunction byte of the stack location, not the control code).
;   - irpStack is passed to HDHookDeviceControl without ever being set.
;   - the IRP's IoStatus.Status/Information are never assigned.
;-----------------------------------------------------------------------
LOCAL irpStack:PIO_STACK_LOCATION       ; never assigned
local inputBuffer:PVOID
local outputBuffer:PVOID
local outputBufferLength:dword
local inputBufferLength:dword
local ioControlCode:dword
local workItem:dword ;WORK_QUEUE_ITEM (unused)
LOCAL status : NTSTATUS
LOCAL dwBytesReturned                   ; unused
LOCAL IoStatus:dword
mov status,STATUS_SUCCESS               ; never returned (see Out)
mov esi, pIrp
assume esi : ptr _IRP
IoGetCurrentIrpStackLocation esi        ; result in eax
mov edi, eax
assume edi : ptr IO_STACK_LOCATION
mov eax,[esi].IoStatus.Status
mov IoStatus,eax                        ; current status value, passed below as a dword
mov eax, [edi].Parameters.DeviceIoControl.IoControlCode
mov ioControlCode,eax
mov eax, [esi].AssociatedIrp.SystemBuffer
mov inputBuffer,eax                     ; METHOD_BUFFERED: one buffer serves as both input and output
mov outputBuffer,eax
mov eax,[edi].Parameters.DeviceIoControl.InputBufferLength
mov inputBufferLength,eax
mov eax,[edi].Parameters.DeviceIoControl.OutputBufferLength
mov outputBufferLength,eax
.if ioControlCode==IRP_MJ_CREATE        ; compares the IOCTL code with a major-function number (see BUGS)
mov GUIActive,1
.elseif ioControlCode==IRP_MJ_SHUTDOWN
.elseif ioControlCode==IRP_MJ_CLOSE
mov GUIActive,0
.elseif ioControlCode==IRP_MJ_DEVICE_CONTROL
invoke HDHookDeviceControl,irpStack,TRUE,inputBuffer, inputBufferLength,outputBuffer, outputBufferLength,ioControlCode,IoStatus, pDriverObject
.endif
invoke IoCompleteRequest, pIrp, IO_NO_INCREMENT ; completes without setting IoStatus
ret
HDHookDispatch endp
end DriverEntry