Hello,
I’m a newbie in kernel driver development and need to remove a callback notify routine of a specific module (.sys file).
I searched the web and found this (incomplete) example: http://www.mengwuji.net/thread-2134-1-1.html on a Chinese forum, which shows how to do this, but my goal is to remove only PsSetCreateProcessNotifyRoutine, so starting from this (incomplete) example I made some adjustments, which resulted in the following code, but I don't know if I'm on the right track.
Could someone give me an idea, please?
Thank you very much in advance.
Here is my code, compiled successfully using VS2010, Visual DDK and WDK 7600.16385.1
status returns 0xc000007a and only the “FIRST” condition block is executed
#include “stdafx.h”
#include “ntddk.h”
#include “WINDEF.H”
/* Hand-declared mirror of a kernel-internal fast-reference word: one word that
 * can be read as a pointer (Object), as a 3-bit field sharing that word
 * (RefCnt), or as a raw integer (Value).  This is not a WDK-published type;
 * overlaying ULONG on PVOID presumes a 32-bit build — confirm against the
 * target OS build and architecture. */
typedef struct EX_FAST_REF {
    union {
        PVOID Object;     /* pointer view of the word */
        ULONG RefCnt : 3; /* 3-bit field view of the same word */
        ULONG Value;      /* raw integer view; the scan below reads this member */
    };
}EX_FAST_REF, *PEX_FAST_REF;
/* Hand-declared mirror of a kernel-internal push lock: four 1-bit flags plus a
 * 28-bit share count overlaying one 32-bit word (Value / Ptr).  Only used here
 * as the ThreadListLock member of CM_CALLBACK_CONTEXT_BLOCK; nothing in this
 * file reads or writes it.  Not a WDK-published layout — confirm against the
 * target OS build. */
typedef struct _EX_PUSH_LOCK
{
    union
    {
        ULONG Locked: 1;
        ULONG Waiting: 1;
        ULONG Waking: 1;
        ULONG MultipleShared: 1;
        ULONG Shared: 28;
        ULONG Value; /* whole-word integer view */
        PVOID Ptr;   /* whole-word pointer view */
    };
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
/* Hand-declared mirror of an internal callback context block.  It is only
 * referenced here as the type of EX_CALLBACK_ROUTINE_BLOCK::Context; no member
 * is accessed in this file.  NOTE(review): the "Cm" prefix presumably refers to
 * the configuration-manager (registry) callback machinery, which may not be
 * the object that process-notify registrations use — confirm before relying
 * on this layout. */
typedef struct _CM_CALLBACK_CONTEXT_BLOCK {
    LARGE_INTEGER Cookie;
    LIST_ENTRY ThreadListHead;
    EX_PUSH_LOCK ThreadListLock;
    PVOID CallerContext;
} CM_CALLBACK_CONTEXT_BLOCK, *PCM_CALLBACK_CONTEXT_BLOCK;
/* Hand-declared mirror of an internal callback routine block.  The scan in
 * DeletePsSetCreateProcessNotifyRoutineCallBack casts each EX_FAST_REF::Value
 * it visits to a pointer to this struct and reads only Function.  Not a
 * WDK-published layout — the member order and sizes are an assumption to
 * confirm against the target OS build. */
typedef struct _EX_CALLBACK_ROUTINE_BLOCK
{
    EX_RUNDOWN_REF RundownProtect;
    PEX_CALLBACK_FUNCTION Function; /* the only member this file reads */
    PCM_CALLBACK_CONTEXT_BLOCK Context;
} EX_CALLBACK_ROUTINE_BLOCK, *PEX_CALLBACK_ROUTINE_BLOCK;
/* Hand-declared copy of the loader's module-list entry, which the WDK exposes
 * only as the opaque DriverObject->DriverSection pointer.  GetMoudleBase reads
 * just InLoadOrderLinks, DllBase, SizeOfImage and BaseDllName; everything
 * after BaseDllName is declared only so the struct can be cast over the real
 * object.  WORD comes from the user-mode WINDEF.H included above.
 * NOTE(review): this layout is not a public contract and differs between
 * Windows versions — confirm it matches the OS build the driver runs on. */
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;           /* list walked by GetMoudleBase */
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                         /* image base, returned by GetMoudleBase */
    PVOID EntryPoint;
    ULONG SizeOfImage;                     /* image size, stored in uMoudleSize */
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;            /* file name only; compared against StrC */
    ULONG Flags;
    WORD LoadCount;
    WORD TlsIndex;
    union
    {
        LIST_ENTRY HashLinks;
        struct
        {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union
    {
        ULONG TimeDateStamp;
        PVOID LoadedImports;
    };
    struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY ForwarderLinks;
    LIST_ENTRY ServiceTagLinks;
    LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/* File-scope results of the last GetMoudleBase call (it returns only the base
 * address, so these carry the rest of its output).  Neither is reset between
 * calls, and both are plain globals with no synchronisation. */
ULONG uMoudleSize = 0;                /* SizeOfImage of the last entry whose BaseDllName matched */
ULONG uProcessUnKnowTypeAddress = 0;  /* overwritten with GetMoudleBase's unKnowType argument, see its loop */
/*
 * Walks the loader module list reachable from pDriverObject->DriverSection
 * (treated as an LDR_DATA_TABLE_ENTRY) and returns the DllBase of the last
 * entry whose BaseDllName equals StrC under a case-insensitive compare, or 0
 * when DriverSection is NULL or nothing matches.
 *
 * Side effects on file-scope globals:
 *   uMoudleSize              <- SizeOfImage of each matching entry (last match wins)
 *   uProcessUnKnowTypeAddress <- unKnowType, assigned on every entry for which
 *                               unKnowType is NOT strictly inside the open
 *                               interval (DllBase, SizeOfImage) — note the
 *                               upper bound is the length field, not an end
 *                               address.
 *
 * The loop never breaks, so every entry is visited.  "Moudle" is the spelling
 * callers use, so it is kept.
 */
ULONG GetMoudleBase(PDRIVER_OBJECT pDriverObject, wchar_t *StrC, ULONG unKnowType)
{
    LDR_DATA_TABLE_ENTRY *pDataTableEntry, *SectionBase;
    PLIST_ENTRY pList;
    UNICODE_STRING usString;
    ULONG uMoudleBase = 0;
    /* DriverSection is opaque to the WDK; this cast relies on the hand-declared layout above */
    pDataTableEntry = (LDR_DATA_TABLE_ENTRY*)pDriverObject->DriverSection;
    if (!pDataTableEntry)
        return uMoudleBase;
    /* start at the entry after our own and stop when the list wraps back to it */
    pList = pDataTableEntry->InLoadOrderLinks.Flink;
    while (pList != &pDataTableEntry->InLoadOrderLinks)
    {
        /* InLoadOrderLinks is the first member, so the LIST_ENTRY pointer doubles as the entry pointer */
        SectionBase = (LDR_DATA_TABLE_ENTRY*)pList;
        /* rebuilt every iteration; it only depends on StrC */
        RtlInitUnicodeString(&usString, StrC);
        /* TRUE = CaseInSensitive */
        if (RtlCompareUnicodeString(&SectionBase->BaseDllName, &usString, TRUE) == 0)
        {
            uMoudleBase = (ULONG)SectionBase->DllBase;
            uMoudleSize = (ULONG)SectionBase->SizeOfImage;
        }
        /* negated range test: (DllBase, SizeOfImage) with SizeOfImage used as the upper bound */
        if (!(unKnowType > (ULONG)SectionBase->DllBase && unKnowType < (ULONG)SectionBase->SizeOfImage))
        {
            uProcessUnKnowTypeAddress = unKnowType;
        }
        pList = pList->Flink;
    }
    return uMoudleBase;
}
/*
 * Attempts to deregister process-creation notify routines that this driver did
 * not register itself.  It looks up PsSetCreateProcessNotifyRoutine by name,
 * then treats the returned address as the base of up to 100 consecutive
 * EX_FAST_REF words, interprets each word's Value as a pointer to an
 * EX_CALLBACK_ROUTINE_BLOCK, and calls PsSetCreateProcessNotifyRoutine with
 * Remove = TRUE on that block's Function when either of the two conditions in
 * the loop holds.  Each call's NTSTATUS is only printed, never acted on, and
 * the routine has no return value.
 *
 * Caveats visible from the code alone:
 *   - MmIsAddressValid only reports that the page is currently resident; it
 *     says nothing about whether the memory holds the assumed structure.
 *   - All address arithmetic goes through ULONG, so this presumes a 32-bit
 *     kernel.
 *   - Both conditions call the same API with the same argument; if both are
 *     true the second call is made with an already-removed routine.
 */
VOID DeletePsSetCreateProcessNotifyRoutineCallBack(PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;
    UNICODE_STRING szCreateProcess = { 0 };
    PVOID pCreateProcess = NULL;
    ULONG uMoudleBase = 0;
    PEX_FAST_REF pRef = NULL;
    PEX_CALLBACK_ROUTINE_BLOCK Point = NULL;
    int i;
    RtlInitUnicodeString(&szCreateProcess, L"PsSetCreateProcessNotifyRoutine");
    /* address of the exported routine itself */
    pCreateProcess = MmGetSystemRoutineAddress(&szCreateProcess);
    if( (pCreateProcess != 0) && MmIsAddressValid(pCreateProcess) ) {
        pRef = (PEX_FAST_REF)pCreateProcess;
        /* fixed scan of 100 EX_FAST_REF slots starting at that address */
        for (i = 0; i < 100 ; i++)
        {
            Point = (PEX_CALLBACK_ROUTINE_BLOCK)(pRef->Value);
            if ( MmIsAddressValid((PVOID)Point) )
            {
                /* wide literal is passed as-is to GetMoudleBase, which compares it with BaseDllName;
                 * the call also overwrites the globals uMoudleSize and uProcessUnKnowTypeAddress */
                uMoudleBase = GetMoudleBase(pDriverObject, L"\SystemRoot\system32\drivers\aswSP.sys", (ULONG)Point->Function);
                /* FIRST: GetMoudleBase stored this Function address in the global */
                if (uProcessUnKnowTypeAddress == (ULONG)Point->Function)
                {
                    /* TRUE = Remove */
                    status = PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)Point->Function, TRUE);
                    DbgPrint(“FIRST - %08x\n”, status);
                }
                /* SECOND: Function lies inside the image GetMoudleBase matched (open interval) */
                if (uMoudleBase < (ULONG)Point->Function && (uMoudleBase + uMoudleSize) > (ULONG)Point->Function)
                {
                    /* TRUE = Remove */
                    status = PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)Point->Function, TRUE);
                    DbgPrint(“SECOND - %08x\n”, status);
                }
            }
            /* advance one EX_FAST_REF (sizeof(ULONG)) */
            pRef++;
        }
    }
}
/* Forward declaration: DriverEntry stores this routine before it is defined below. */
void CallbackNotifyRemoveUnload(IN PDRIVER_OBJECT DriverObject);
/* Keep DriverEntry's export name unmangled when this file is built as C++
 * (the stdafx.h include suggests a Visual Studio C++ project). */
#ifdef __cplusplus
extern “C” NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#endif
/*
 * Driver entry point.  Runs the callback-removal scan unconditionally at load
 * time, installs the unload routine, and always reports STATUS_SUCCESS —
 * the outcome of the scan is not reflected in the return value.
 * RegistryPath is unused.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    DbgPrint(“Hello from CallbackNotifyRemove!\n”);
    DeletePsSetCreateProcessNotifyRoutineCallBack(DriverObject);
    DriverObject->DriverUnload = CallbackNotifyRemoveUnload;
    return STATUS_SUCCESS;
}
/*
 * Unload routine installed by DriverEntry.  Only logs; DriverObject is unused.
 * Nothing is re-registered here, so any notify routine the load-time scan
 * managed to remove stays removed after this driver is gone.
 */
void CallbackNotifyRemoveUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint(“Goodbye from CallbackNotifyRemove!\n”);
}