zoukankan      html  css  js  c++  java

  • <转>ssdt hook 源码

    来自网上。

    typedef struct _SERVICE_DESCRIPTOR_TABLE
{
  PVOID   ServiceTableBase;
  PULONG  ServiceCounterTableBase;
  ULONG   NumberOfService;
  ULONG   ParamTableBase;
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE; // As KeServiceDescriptorTable only one here on the simple point
extern PSERVICE_DESCRIPTOR_TABLE    KeServiceDescriptorTable;//KeServiceDescriptorTable For the exported function

/////////////////////////////////////
VOID Hook();
VOID Unhook();
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
//////////////////////////////////////
ULONG JmpAddress; //Jump to NtOpenProcess address
ULONG OldServiceAddress;//Original NtOpenProcess service address
//////////////////////////////////////
__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId) 
{
  DbgPrint("NtOpenProcess() called");
  __asm{
    push    0C4h
    push    804eb560h  //10 bytes
    jmp     [JmpAddress]     
  }
}
///////////////////////////////////////////////////
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
  DriverObject->DriverUnload = OnUnload;
  DbgPrint("Unhooker load");
  Hook();
  return STATUS_SUCCESS;
}
/////////////////////////////////////////////////////
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
  DbgPrint("Unhooker unload!");
  Unhook();
}
/////////////////////////////////////////////////////
VOID Hook()
{
  ULONG  Address;
  Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;//0x7A for NtOpenProcess service ID
  DbgPrint("Address:0xX",Address);

  OldServiceAddress = *(ULONG*)Address;//Save original NtOpenProcess address
  DbgPrint("OldServiceAddress:0xX",OldServiceAddress);

  DbgPrint("MyNtOpenProcess:0xX",MyNtOpenProcess);

  JmpAddress = (ULONG)NtOpenProcess + 10; //Jump to NtOpenProcess function header +10
  DbgPrint("JmpAddress:0xX",JmpAddress);
    
  __asm{                //Remove the memory protection
    cli
         mov  eax,cr0
    and  eax,not 10000h
    mov  cr0,eax
  }

  *((ULONG*)Address) = (ULONG)MyNtOpenProcess;    //HOOK SSDT

  __asm{                //Restore the memory protection
          mov  eax,cr0
    or   eax,10000h
    mov  cr0,eax
    sti
  }
}
//////////////////////////////////////////////////////
VOID Unhook()
{
  ULONG  Address;
  Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;    //Find SSDT

  __asm{
    cli
          mov  eax,cr0
    and  eax,not 10000h
    mov  cr0,eax
  }

  *((ULONG*)Address) = (ULONG)OldServiceAddress;    //Restore SSDT

  __asm{  
         mov  eax,cr0
    or   eax,10000h
    mov  cr0,eax
    sti
  }

  //Debugging
  DbgPrint("Unhook");
}
    本人新博客网址为:http://www.hizds.com
    本博客注有“转”字样的为转载文章,其余为本人原创文章,转载请务必注明出处或保存此段。c++/lua/windows逆向交流群:69148232
  • 相关阅读:
    《程序设计与数据结构》 课程教学
    ISO GPS定位,坐标转换以及如何显示
    iOS_生成pem推送证书(用于百度云推送)
    iOS 基础-----关于UIView 的 frame 与 bounds
    IOS开发之UIScrollVIew运用
    ios 精简日历
    IOS UIView自动调整尺寸
    IOS 实现录音PCM转MP3格式(边录音边转码)
    IOS开发UIImage中stretchableImageWithLeftCapWidth方法的解释
    ios Coredata 关联 UITableView 数据自动更新
  • 原文地址:https://www.cnblogs.com/zhangdongsheng/p/2794978.html
Copyright © 2011-2022 走看看