MSRHook与SSDTHook

//方式1:MSR Hook

#include <ntifs.h>

UINT32 oldaddr = 0;
UINT32 pidtoprotect = 3792;
PCLIENT_ID pid = 0;
PUINT32 accessmask = 0;
UINT32 ssdtindex = 0;



VOID MyKiFastCallEntry();
//#pragma alloc_text(NONE_PAGE,MyKiFastCallEntry)

VOID OnHook()
{

    __asm
    {
            pushad
            pushfd

            mov ecx, 0x176
            rdmsr
            mov oldaddr, eax

            mov ecx, 0x176
            xor edx, edx
            mov eax, MyKiFastCallEntry
            wrmsr

            popfd
            popad
    }



}

VOID OffHook()
{
    __asm
    {
        pushad
        pushfd

        mov ecx,0x176
        xor edx,edx
        mov eax,oldaddr
        wrmsr

        popfd
        popad
    }
}

VOID UnloadMe(PDRIVER_OBJECT pdo)
{
    OffHook();
}

__declspec(naked) VOID MyKiFastCallEntry()  //原来裸函数内不能使用auto或register变量的
{
    __asm
    {
        mov ssdtindex, eax;
    }
    
    if (ssdtindex == 0xbe)
    {
        _asm
        {
            push dword ptr[edx + 4 * 5];
            pop  pid;
            push edx;
            add dword ptr[esp], 12;
            pop accessmask;                        //这里得注意,这种方式,得到的是accessmask的地址..太阴险了
            pushad;
        }
        if ((pid->UniqueProcess == pidtoprotect) && (*accessmask&0x0001))
        {
            KdPrint(("I'm Here2!
"));
            *accessmask &= ~0x0001;
        }
        _asm popad;
    }
    __asm
    {
        
        jmp oldaddr;
    }
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pdo, PUNICODE_STRING ppath)
{
    OnHook();

    pdo->DriverUnload = UnloadMe;
    return STATUS_SUCCESS;
}

//不知为何,虽然保护成功了,但是在任务管理器多次结束任务,那么那个进程还是被结束了..

//方式2:SSDT Hook

#include <ntifs.h>

#pragma pack(1)
typedef struct _ServiceDescriptorEntry
{
    ULONG *ServiceTableBase;
    ULONG *ServiceCounterTableBase;
    ULONG NumberOfServices;
    UCHAR *ParamTableBase;
}SSDTEntry, *PSSDTEntry;
#pragma pack()

NTSYSAPI SSDTEntry KeServiceDescriptorTable;
VOID OnHook();
VOID OffHook();

VOID OffMemProtect()
{
    __asm
    {
        push eax;
        mov eax, CR0;
        and eax, ~0x10000;
        mov CR0, eax;
        pop eax;
    }
}

VOID OnMemProtect()
{
    __asm
    {
        push eax;
        mov eax, CR0;
        or eax, 0x10000;
        mov CR0, eax;
        pop eax;
    }
}

VOID UnloadMe(PDRIVER_OBJECT pdo)
{
    OffHook();
}

ULONG pidtoprotect = 1796;


typedef NTSTATUS(NTAPI *NTOPENPROCESS)(__out PHANDLE  ProcessHandle,
    __in ACCESS_MASK  DesiredAccess,
    __in POBJECT_ATTRIBUTES  ObjectAttributes,
    __in_opt PCLIENT_ID  ClientId
    );
NTOPENPROCESS oldaddr;


NTSTATUS MyZwOpenProcess(
    _Out_    PHANDLE            ProcessHandle,
    _In_     ACCESS_MASK        DesiredAccess,
    _In_     POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PCLIENT_ID         ClientId
    );


NTSTATUS MyZwOpenProcess(
    _Out_    PHANDLE            ProcessHandle,
    _In_     ACCESS_MASK        DesiredAccess,
    _In_     POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PCLIENT_ID         ClientId
    )
{
    if ((ClientId->UniqueProcess == pidtoprotect) && (DesiredAccess & 0x0001))
    {
        KdPrint(("IM in"));
        return STATUS_ACCESS_DENIED;
    }
    else
        return oldaddr(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}



VOID OnHook()
{
    DbgBreakPoint();
    OffMemProtect();

    PULONG pssdtbase = KeServiceDescriptorTable.ServiceTableBase;

    ULONG uIndex = 0xbe;

    oldaddr = pssdtbase[uIndex];
    pssdtbase[uIndex] = MyZwOpenProcess;
    OnMemProtect();

}

VOID OffHook()
{
    OffMemProtect();
    PULONG pssdtbase = KeServiceDescriptorTable.ServiceTableBase;
    ULONG uIndex = 0xbe;
    pssdtbase[uIndex] = oldaddr;
    OnMemProtect();
}



NTSTATUS DriverEntry(PDRIVER_OBJECT pdo, PUNICODE_STRING ppath)
{
    OnHook();

    pdo->DriverUnload = UnloadMe;
    return STATUS_SUCCESS;
}