• <转>ssdt hook 源码


    来自网上。

    /*
     * Local mirror of one entry of the kernel's system service descriptor
     * table (SSDT).  Only the first descriptor is declared here; that is all
     * this file needs, because Hook()/Unhook() read ServiceTableBase alone and
     * never touch the other three fields.
     *
     * NOTE(review): field widths are 32-bit (PVOID/ULONG on x86).  The layout
     * is taken as-is from the page and is not checked against any particular
     * kernel build here.
     */
    typedef struct _SERVICE_DESCRIPTOR_TABLE
    {
      PVOID   ServiceTableBase;          // array of service routine addresses, indexed by service number (see Hook())
      PULONG  ServiceCounterTableBase;   // not used by this file
      ULONG   NumberOfService;           // not used by this file
      ULONG   ParamTableBase;            // not used by this file
    }SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE; // only the first descriptor is described; enough for this simple case
    // KeServiceDescriptorTable is a kernel export; declared extern so the driver links against it.
    extern PSERVICE_DESCRIPTOR_TABLE    KeServiceDescriptorTable;
    
    /////////////////////////////////////
    VOID Hook();     // replace the NtOpenProcess SSDT slot with MyNtOpenProcess
    VOID Unhook();   // write the saved slot value back
    VOID OnUnload(IN PDRIVER_OBJECT DriverObject);  // DriverUnload routine; calls Unhook()
    //////////////////////////////////////
    // File-scope state shared between Hook(), Unhook() and the inline asm in
    // MyNtOpenProcess.  Both values are written by Hook() and never reset.
    ULONG JmpAddress; // address MyNtOpenProcess jumps to: NtOpenProcess + 10 (computed in Hook())
    ULONG OldServiceAddress;// original SSDT slot value for NtOpenProcess, saved by Hook() and restored by Unhook()
    //////////////////////////////////////
    /*
     * Replacement SSDT entry for NtOpenProcess.
     *
     * Naked: the compiler emits no prologue/epilogue, so the stack on entry is
     * exactly what the system-call dispatcher set up, and the four parameters
     * are never read in C -- they are left in place for the real routine.  The
     * function never returns on its own: after the DbgPrint it replays the two
     * PUSHes that make up the first 10 bytes of the original NtOpenProcess and
     * then jumps to JmpAddress (= NtOpenProcess + 10, set in Hook()), so the
     * original function continues as if it had been entered normally.  Note
     * that it does not chain through OldServiceAddress; the page does not say
     * why the +10 entry is used instead of the saved slot value.
     *
     * NOTE(review): the immediate 804eb560h is an absolute kernel address baked
     * in from the build this was written on.  On any other build the replayed
     * prologue is unlikely to match, so the jump would land with a wrong stack
     * and the machine would bugcheck.  DbgPrint runs before the jump and
     * clobbers the caller-saved registers; the original entry presumably does
     * not depend on them, but that is an assumption -- confirm.
     *
     * From a detection standpoint this is the textbook pattern: an SSDT slot
     * that no longer points into the kernel image, with a stub that chains
     * back into the original routine at a fixed offset.
     */
    __declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
                   ACCESS_MASK DesiredAccess,
                   POBJECT_ATTRIBUTES ObjectAttributes,
                   PCLIENT_ID ClientId) 
    {
      DbgPrint("NtOpenProcess() called");
      __asm{
        push    0C4h
        push    804eb560h  // together with the push above: the first 10 bytes of the original prologue (build-specific)
        jmp     [JmpAddress]     
      }
    }
    ///////////////////////////////////////////////////
    /*
     * Driver entry point: logs, registers OnUnload as the unload routine and
     * installs the SSDT hook.  RegistryPath is unused.  Hook() is VOID and
     * reports nothing back, so the return value is always STATUS_SUCCESS.
     */
    NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
    {
      DbgPrint("Unhooker load");
      /* The unload routine has to be in place before the hook goes in, so the
         slot can be put back when the driver leaves. */
      DriverObject->DriverUnload = OnUnload;
      Hook();
      return STATUS_SUCCESS;
    }
    /////////////////////////////////////////////////////
    /*
     * DriverUnload routine: logs and removes the hook.
     *
     * Unhook() must run before the image is released, otherwise the SSDT slot
     * would keep pointing at unmapped code.  NOTE(review): nothing here waits
     * for threads that may already be executing inside MyNtOpenProcess when
     * the image goes away (no reference counting or rundown protection is
     * visible in this file) -- that window is a crash risk.
     */
    VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
    {
      DbgPrint("Unhooker unload!");
      Unhook();
    }
    /////////////////////////////////////////////////////
    /*
     * Install the hook: point the SSDT slot for NtOpenProcess at MyNtOpenProcess.
     *
     * The sequence is order-sensitive and must not be rearranged:
     *   1. locate the slot and save its current value (Unhook() needs it),
     *   2. compute the address MyNtOpenProcess will chain to,
     *   3. clear CR0.WP with interrupts disabled so the read-only table page
     *      can be written,
     *   4. write the slot,
     *   5. restore CR0.WP and re-enable interrupts.
     *
     * NOTE(review): 0x7A is the NtOpenProcess service index for one specific
     * kernel build; it is not looked up at run time, so on another build the
     * wrong slot is overwritten.  cli/sti and the CR0 change act on the
     * current processor only; on a multiprocessor system other processors
     * keep dispatching through the table meanwhile -- TODO confirm that is
     * acceptable here.  JmpAddress is derived from the exported NtOpenProcess
     * symbol, not from the saved slot value, so the two differ if the slot
     * already pointed elsewhere.  The "0xX" format strings appear to have lost
     * their % conversion in transcription; as written they print no value.
     * This is 32-bit-only code (inline __asm, ULONG-sized pointers); on 64-bit
     * Windows kernel patch protection is expected to treat an SSDT write as a
     * bugcheck condition.
     */
    VOID Hook()
    {
      ULONG  Address;
      Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;//0x7A = NtOpenProcess service index (build-specific); 4 = sizeof one 32-bit slot
      DbgPrint("Address:0xX",Address);
    
      OldServiceAddress = *(ULONG*)Address;//Save original slot value; this is what Unhook() writes back
      DbgPrint("OldServiceAddress:0xX",OldServiceAddress);
    
      DbgPrint("MyNtOpenProcess:0xX",MyNtOpenProcess);
    
      JmpAddress = (ULONG)NtOpenProcess + 10; //MyNtOpenProcess chains to the exported NtOpenProcess at +10 (after the 10 prologue bytes it replays)
      DbgPrint("JmpAddress:0xX",JmpAddress);
        
      __asm{                //Clear CR0.WP (bit 16) so the read-only table can be written; interrupts off on this processor
        cli
             mov  eax,cr0
        and  eax,not 10000h
        mov  cr0,eax
      }
    
      *((ULONG*)Address) = (ULONG)MyNtOpenProcess;    //HOOK SSDT: single 32-bit store into the slot
    
      __asm{                //Restore CR0.WP and re-enable interrupts
              mov  eax,cr0
        or   eax,10000h
        mov  cr0,eax
        sti
      }
    }
    //////////////////////////////////////////////////////
    /*
     * Remove the hook: write OldServiceAddress back into the NtOpenProcess
     * SSDT slot, using the same CR0.WP / cli sequence as Hook().
     *
     * NOTE(review): the restore is unconditional -- the slot is not checked to
     * still hold MyNtOpenProcess.  If another component hooked the same slot
     * after this driver, that hook is silently discarded, and if it chained to
     * MyNtOpenProcess it now points at code that is about to be unmapped.
     * The same build-specific index and per-processor cli caveats as in
     * Hook() apply.
     */
    VOID Unhook()
    {
      ULONG  Address;
      Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;    //Same slot Hook() wrote (index 0x7A, 4-byte entries)
    
      __asm{                //Clear CR0.WP (bit 16), interrupts off on this processor
        cli
              mov  eax,cr0
        and  eax,not 10000h
        mov  cr0,eax
      }
    
      *((ULONG*)Address) = (ULONG)OldServiceAddress;    //Restore SSDT: put back the value saved in Hook()
    
      __asm{  //Restore CR0.WP and re-enable interrupts
             mov  eax,cr0
        or   eax,10000h
        mov  cr0,eax
        sti
      }
    
      //Debugging
      DbgPrint("Unhook");
    }
    本人新博客网址为:http://www.hizds.com
    本博客注有“转”字样的为转载文章,其余为本人原创文章,转载请务必注明出处或保存此段。c++/lua/windows逆向交流群:69148232
  • 原文地址:https://www.cnblogs.com/zhangdongsheng/p/2794978.html