wes4m
diff --git a/‎Driver/Makefile
Lines changed: 1 addition & 0 deletions b/‎Driver/Makefile
Lines changed: 1 addition & 0 deletions
diff --git a/‎Driver/Source.c
Lines changed: 93 additions & 0 deletions b/‎Driver/Source.c
Lines changed: 93 additions & 0 deletions
diff --git a/‎Driver/Sources
Lines changed: 4 additions & 0 deletions b/‎Driver/Sources
Lines changed: 4 additions & 0 deletions
diff --git a/‎Driver/buildfre_win7_x86.log
Lines changed: 6 additions & 0 deletions b/‎Driver/buildfre_win7_x86.log
Lines changed: 6 additions & 0 deletions
diff --git a/‎Driver/i386/unHooker.pdb
115 KB b/‎Driver/i386/unHooker.pdb
115 KB
diff --git a/‎Driver/i386/unHooker.sys
3.5 KB b/‎Driver/i386/unHooker.sys
3.5 KB
diff --git a/‎Driver/objfre_win7_x86/i386/_objects.mac
Lines changed: 16 additions & 0 deletions b/‎Driver/objfre_win7_x86/i386/_objects.mac
Lines changed: 16 additions & 0 deletions
diff --git a/‎Driver/objfre_win7_x86/i386/source.obj
69.7 KB b/‎Driver/objfre_win7_x86/i386/source.obj
69.7 KB
diff --git a/‎Driver/objfre_win7_x86/i386/source.obj.oacr.root.x86fre.pft.xml
Lines changed: 11 additions & 0 deletions b/‎Driver/objfre_win7_x86/i386/source.obj.oacr.root.x86fre.pft.xml
Lines changed: 11 additions & 0 deletions
diff --git a/‎Loader/unHooker/Debug/CL.read.1.tlog
49.1 KB b/‎Loader/unHooker/Debug/CL.read.1.tlog
49.1 KB
@@ -0,0 +1 @@
+!include $(NTMAKEENV)\makefile.def
@@ -0,0 +1,93 @@
+
+//	# unHooker Driver [ UNCODER ]
+	
+
+#include <Ntddk.h>
+typedef struct HookData
+{
+	int Index;
+	ULONG Addr;
+}cHookData;
+
+// Service Description Table (SDT)
+typedef struct ServiceDescriptorEntry {
+	unsigned int *ServiceTableBase;
+	unsigned int *ServiceCounterTableBase; 
+	unsigned int NumberOfServices;
+	unsigned char *ParamTableBase;
+} ServiceDescriptorTableEntry, *PointerServiceDescriptorTableEntry;
+
+// Import KeServiceDescriptorTable from ntoskrnl.exe
+__declspec(dllimport)  ServiceDescriptorTableEntry KeServiceDescriptorTable;
+
+
+UNICODE_STRING DosName,Name;
+void DriverUnload(IN PDRIVER_OBJECT DriverObject)
+{
+	IoDeleteSymbolicLink(&DosName);
+	IoDeleteDevice(DriverObject->DeviceObject);
+	DbgPrint("Unloaded - unCoder ");
+}
+
+NTSTATUS __stdcall UnhookSsdtService(IN cHookData data)
+{
+	// Disable the Memory Write Protection so we can access the protected System Service Dispatch Table (SSDT)
+	_asm
+	{
+	CLI										
+	MOV	EAX, CR0		
+	AND EAX, NOT 10000H 
+	MOV	CR0, EAX		
+	}
+
+	KeServiceDescriptorTable.ServiceTableBase[data.Index] = (ULONG)data.Addr;
+	
+	_asm 
+	{
+	MOV	EAX, CR0		
+	OR	EAX, 10000H		
+	MOV	CR0, EAX		
+	STI					
+	}
+	
+	DbgPrint("unHooked - unCoder");   
+	
+	return STATUS_SUCCESS;
+}
+
+NTSTATUS __stdcall  IoCreate(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
+{
+	IofCompleteRequest(Irp,IO_NO_INCREMENT);
+	return STATUS_SUCCESS;
+
+}
+NTSTATUS __stdcall IRP_DEVICE_CONTROL(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
+{
+	cHookData data;
+	memcpy(&data,Irp->AssociatedIrp.SystemBuffer,sizeof(data));
+
+	UnhookSsdtService(data);
+	IofCompleteRequest(Irp,IO_NO_INCREMENT);
+	return STATUS_SUCCESS;
+}
+
+NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegPath)
+{
+	NTSTATUS NtStatus;
+	PDEVICE_OBJECT DeviceObject;
+
+	RtlInitUnicodeString(&DosName,L"\\DosDevices\\uHo");
+	RtlInitUnicodeString(&Name,L"\\Device\\uHo");
+	
+	NtStatus = IoCreateDevice(DriverObject,0,&Name,FILE_DEVICE_UNKNOWN,0,FALSE,&DeviceObject);
+	IoCreateSymbolicLink(&DosName,&Name);
+	
+	DbgPrint("Driver Loaded - unCoder");
+	
+	DriverObject->MajorFunction[IRP_MJ_CREATE] = IoCreate;
+	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IRP_DEVICE_CONTROL;
+	DriverObject->DriverUnload = DriverUnload;
+	
+	
+	return NtStatus;
+}
@@ -0,0 +1,4 @@
+TARGETNAME=unHooker
+TARGETPATH =.
+TARGETTYPE=DRIVER
+SOURCES=Source.c
@@ -0,0 +1,6 @@
+BUILD: Computing Include file dependencies:
+BUILD: Examining c:\users\hp\desktop\unhooker\driver directory for files to compile.
+oacr invalidate root:x86fre /autocleanqueue
+1>Compiling and Linking c:\users\hp\desktop\unhooker\driver *************
+1>'nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR='
+1>c:\users\hp\desktop\unhooker\driver: TARGETPATH is .
@@ -0,0 +1,16 @@
+
+
+386_OBJECTS=\
+ $(OBJ_PATH)\$O\source.obj \
+
+
+
+
+
+# lowercased
+BASEDIR=c:\winddk\7600.16385.1
+OBJECT_ROOT=c:\winddk\7600.16385.1
+MAKEDIR_LOWERCASE=c:\users\hp\desktop\unhooker\driver
+OBJ_PATH=c:\users\hp\desktop\unhooker\driver
+CONCURRENT_MIDL=0
+CONCURRENT_MANIFEST_BUILD=0
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<DEFECTS>
+<OACRDEFECTCOUNT>6</OACRDEFECTCOUNT>
+<OACRERRORCOUNT>0</OACRERRORCOUNT>
+<DEFECT _seq="1"><SFA><LINE>74</LINE><COLUMN>9</COLUMN><FILENAME>source.c</FILENAME><FILEPATH>c:\users\hp\desktop\unhooker\driver\</FILEPATH></SFA><DEFECTCODE>28101</DEFECTCODE><DESCRIPTION>The Drivers module has inferred that the current function is a DRIVER_INITIALIZE function:  This is informational only. No problem has been detected.</DESCRIPTION><FUNCTION>DriverEntry</FUNCTION><FUNCLINE>74</FUNCLINE><PATH/></DEFECT>
+<DEFECT _seq="2"><SFA><LINE>87</LINE><COLUMN>44</COLUMN><FILENAME>source.c</FILENAME><FILEPATH>c:\users\hp\desktop\unhooker\driver\</FILEPATH></SFA><DEFECTCODE>28155</DEFECTCODE><DESCRIPTION>The function being assigned or passed should be a DRIVER_DISPATCH function:  Add the declaration 'DRIVER_DISPATCH IoCreate;' before the current first declaration of IoCreate.</DESCRIPTION><FUNCTION>DriverEntry</FUNCTION><FUNCLINE>74</FUNCLINE><PATH/></DEFECT>
+<DEFECT _seq="3"><SFA><LINE>88</LINE><COLUMN>52</COLUMN><FILENAME>source.c</FILENAME><FILEPATH>c:\users\hp\desktop\unhooker\driver\</FILEPATH></SFA><DEFECTCODE>28155</DEFECTCODE><DESCRIPTION>The function being assigned or passed should be a DRIVER_DISPATCH function:  Add the declaration 'DRIVER_DISPATCH IRP_DEVICE_CONTROL;' before the current first declaration of IRP_DEVICE_CONTROL.</DESCRIPTION><FUNCTION>DriverEntry</FUNCTION><FUNCLINE>74</FUNCLINE><PATH/></DEFECT>
+<DEFECT _seq="4"><SFA><LINE>89</LINE><COLUMN>28</COLUMN><FILENAME>source.c</FILENAME><FILEPATH>c:\users\hp\desktop\unhooker\driver\</FILEPATH></SFA><DEFECTCODE>28155</DEFECTCODE><DESCRIPTION>The function being assigned or passed should be a DRIVER_UNLOAD function:  Add the declaration 'DRIVER_UNLOAD DriverUnload;' before the current first declaration of DriverUnload.</DESCRIPTION><FUNCTION>DriverEntry</FUNCTION><FUNCLINE>74</FUNCLINE><PATH/></DEFECT>
+<DEFECT _seq="5"><SFA><LINE>87</LINE><COLUMN>44</COLUMN><FILENAME>source.c</FILENAME><FILEPATH>c:\users\hp\desktop\unhooker\driver\</FILEPATH></SFA><DEFECTCODE>28169</DEFECTCODE><DESCRIPTION>The dispatch function 'IoCreate' does not have any __drv_dispatchType annotations:  This can be corrected by adding appropriate __drv_dispatchType annotations to the function. Unnecessary casts can cause this warning.</DESCRIPTION><FUNCTION>DriverEntry</FUNCTION><FUNCLINE>74</FUNCLINE><PATH/></DEFECT>
+<DEFECT _seq="6"><SFA><LINE>88</LINE><COLUMN>52</COLUMN><FILENAME>source.c</FILENAME><FILEPATH>c:\users\hp\desktop\unhooker\driver\</FILEPATH></SFA><DEFECTCODE>28169</DEFECTCODE><DESCRIPTION>The dispatch function 'IRP_DEVICE_CONTROL' does not have any __drv_dispatchType annotations:  This can be corrected by adding appropriate __drv_dispatchType annotations to the function. Unnecessary casts can cause this warning.</DESCRIPTION><FUNCTION>DriverEntry</FUNCTION><FUNCLINE>74</FUNCLINE><PATH/></DEFECT>
+</DEFECTS>