(只限技术交流)
- (只限技术交流)[code]
-
- #include<ntddk.h>
- #include<windef.h>
- /*
-  * Layout of the kernel's system service descriptor table as this driver assumes
-  * it. Only ServiceTableBase is used below: Hook()/Unhook() index it by service
-  * number and overwrite the entries in place.
-  *
-  * NOTE(review): the forum rendering has dropped spaces in several places in
-  * this listing (e.g. `PSERVICE_DESCRIPTOR_TABLEKeServiceDescriptorTable`,
-  * `ULONGAddress`, `moveax,cr0`); the original source presumably had them.
-  */
- typedef struct _SERVICE_DESCRIPTOR_TABLE
- {
- unsigned int *ServiceTableBase;        /* array of service routine addresses (the SSDT proper) */
- unsigned int *ServiceCounterTableBase; /* not used by this driver */
- unsigned int NumberTableBase;          /* not used by this driver (no bounds check on the indices below) */
- unsigned char *ParamTableBase;         /* not used by this driver */
- }SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;
-
- /* Exported by the kernel; this driver reads and patches its ServiceTableBase. */
- extern PSERVICE_DESCRIPTOR_TABLEKeServiceDescriptorTable;
- 
- /*
-  * Function-pointer types mirroring the native prototypes of the three services
-  * whose SSDT slots are replaced below. IN/OUT are DDK annotation macros with
-  * no effect on code generation.
-  */
- typedef NTSTATUS (*REALZWOPENPROCESS)
- (
- OUT PHANDLE ProcessHandle,
- IN ACCESS_MASK AccessMask,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- IN PCLIENT_ID ClientId);
- typedef NTSTATUS (*READVIRTUALMEMORY)(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- OUT PVOID Buffer,
- N ULONG BufferLength, /* NOTE(review): `N` is presumably a truncated `IN` from the forum rendering */
- OUT PULONG ReturnLength OPTIONAL);
- 
- typedef NTSTATUS (*WRITEVIRTUALMEMORY)(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- IN PVOID Buffer,
- IN ULONG BufferLength,
- OUT PULONG ReturnLength OPTIONAL
- );
- /*
-  * Saved original service routines. Only RealZwOpenProcess is ever assigned
-  * (in Hook()); none of the three is called -- the calls through them in the
-  * naked hooks below are commented out, and the hooks re-enter the originals
-  * by raw address instead.
-  */
- REALZWOPENPROCESSRealZwOpenProcess;
- READVIRTUALMEMORYRealNtReadVirtualMemory;
- WRITEVIRTUALMEMORY RealNtWriteVirtualMemory;
- //***************************************************************************
- VOID Hook();   /* overwrites three SSDT entries with the MyNt* routines below */
- VOID Unhook(); /* writes the saved entries back */
- VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
- NTSTATUS rc;   /* unused: the call that would set it is commented out in MyNtOpenProcess */
- //NTSTATUS rc1;
- //NTSTATUS rc2;
- DWORD bix,tiao; /* unused in this listing */
- //////////////////////////////////////
- /*
-  * Per hooked service: JmpAddress* is the address inside the ORIGINAL routine
-  * that the matching naked hook jumps to after its fixed instruction sequence
-  * (Hook() sets it to OldServiceAddress+15 / +12); OldServiceAddress* is the
-  * SSDT entry that was replaced. Plain globals, written once by Hook() with
-  * no synchronisation against other CPUs that may already be dispatching
-  * through the patched entries.
-  */
- ULONG JmpAddress;//address to jump to inside NtOpenProcess
- ULONG JmpAddress1;
- ULONG JmpAddress2;
- ULONG OldServiceAddress;//original NtOpenProcess service address
- ULONG OldServiceAddress1;
- ULONG OldServiceAddress2;
- //////////////////////////////////////
- /*
-  * Replacement SSDT entry for the slot this driver treats as NtOpenProcess
-  * (index 0x7A in Hook()). Naked: no prologue/epilogue is generated, so the
-  * caller's stack frame reaches the original routine untouched.
-  *
-  * The inline asm runs a fixed ten-byte instruction sequence (two pushes and a
-  * call to a hard-coded kernel address -- presumably a copy of the original
-  * routine's own prologue, given JmpAddress = OldServiceAddress+15; unverified)
-  * and then jumps into the middle of the original routine. Whatever code sits
-  * in the first 15 bytes of the real routine (for example an inline hook placed
-  * there by a security product) is therefore never executed.
-  *
-  * Robustness/security: 804daab0h and 80538d00h are absolute addresses valid
-  * for exactly one ntoskrnl build; on any other build this transfers control to
-  * arbitrary ring-0 memory (a bugcheck at best). Detection signal for
-  * defenders: an SSDT entry pointing outside the kernel image, and control
-  * transfers that land mid-function inside ntoskrnl.
-  */
- __declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- PCLIENT_ID ClientId)
- {
- 
- //RealZwOpenProcess=(REALZWOPENPROCESS)OldServiceAddress;
- 
- /* NOTE(review): the commented-out call below was wrapped over two lines by the
-  * forum; `Id );` on the following line is the tail of that comment, not live code. */
- //rc = (NTSTATUS)(REALZWOPENPROCESS)RealZwOpenProcess( ProcessHandle, DesiredAccess, ObjectAttributes, Client
- Id );
- __asm{
- push0C4h
- push804daab0h//ten bytes in total (push imm8, push imm32, mov eax,imm32; call eax)
- mov eax,80538d00h
- call eax
- jmp [JmpAddress]  // resume inside the original routine, past its first 15 bytes
- }
- }
- /*
-  * Replacement SSDT entry for the slot this driver treats as
-  * NtReadVirtualMemory (index 0x0BA in Hook()). Same construction as
-  * MyNtOpenProcess: a fixed ten-byte sequence with hard-coded kernel addresses
-  * (804da4e0h, 80538d00h -- build-specific, unverified), then a jump to
-  * OldServiceAddress1+12, i.e. past the first 12 bytes of the original routine.
-  * On any other kernel build the call targets arbitrary ring-0 memory.
-  */
- __declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- OUT PVOID Buffer,
- IN ULONG BufferLength,
- OUT PULONG ReturnLength OPTIONAL)
- {
- //RealNtReadVirtualMemory=(READVIRTUALMEMORY)OldServiceAddress1;
- //rc1 = (NTSTATUS)(READVIRTUALMEMORY)RealNtReadVirtualMemory( ProcessHandle, BaseAddress, Buffer, BufferLength,ReturnLength);
- 
- __asm{
- push1Ch
- push804da4e0h//ten bytes in total
- mov eax,80538d00h
- call eax
- jmp [JmpAddress1]  // resume inside the original routine, past its first 12 bytes
- }
- 
- }
-
-
-
- /*
-  * Replacement SSDT entry for the slot this driver treats as
-  * NtWriteVirtualMemory (index 0x115 in Hook()). Same construction as the two
-  * hooks above: fixed ten-byte sequence with build-specific addresses
-  * (804da4f8h, 80538d00h), then a jump to OldServiceAddress2+12.
-  *
-  * NOTE(review): Buffer is annotated OUT here but IN in the WRITEVIRTUALMEMORY
-  * typedef; harmless (annotation macros only) but inconsistent.
-  */
- __declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- OUT PVOID Buffer,
- IN ULONG BufferLength,
- OUT PULONG ReturnLength OPTIONAL)
- 
- {
- //RealNtWriteVirtualMemory=(WRITEVIRTUALMEMORY)OldServiceAddress2;
- /* NOTE(review): the commented-out call below was wrapped over two lines by the
-  * forum; `gth,ReturnLength);` on the following line is the tail of that comment. */
- //rc2=(NTSTATUS)(WRITEVIRTUALMEMORY)RealNtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, BufferLen
- gth,ReturnLength);
- 
- __asm{
- push1Ch
- push804da4f8h//ten bytes in total
- mov eax,80538d00h
- call eax
- jmp [JmpAddress2]  // resume inside the original routine, past its first 12 bytes
- }
- 
- 
- }
- /*
-  * Driver entry point: registers the unload routine and patches the SSDT
-  * immediately. Nothing checks the OS build before Hook() runs, even though
-  * every address and service index below is build-specific. RegistryPath is
-  * unused. DbgPrint output has no trailing newline.
-  * Returns STATUS_SUCCESS unconditionally.
-  */
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
- {
- DriverObject->DriverUnload = OnUnload;
- DbgPrint("Unhooker load");
- Hook();
- return STATUS_SUCCESS;
- }
- /////////////////////////////////////////////////////
- /*
-  * Unload routine: writes the saved SSDT entries back. Nothing here waits for
-  * threads that may still be executing inside the MyNt* hooks before the
-  * driver image is unmapped.
-  */
- VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
- {
- DbgPrint("Unhooker unload!");
- Unhook();
- }
- /////////////////////////////////////////////////////
- /*
-  * Patches three SSDT entries to point at the naked hooks above.
-  *
-  * Steps: compute the slot address of each service (index * 4 from
-  * ServiceTableBase), save the current entry, derive the mid-function resume
-  * address for each hook, clear CR0.WP so the read-only table can be written,
-  * overwrite the slots, restore CR0.WP.
-  *
-  * Review notes (defensive reading):
-  *  - Indices 0x7A / 0x0BA / 0x115 are service numbers for one XP-era build;
-  *    they differ between Windows versions, and NumberTableBase is never
-  *    checked, so a wrong build silently patches some other service.
-  *  - The saved entry is not verified to lie inside ntoskrnl before +15/+12 is
-  *    added; if another driver already hooked the slot, the hooks jump into the
-  *    middle of that code.
-  *  - cli/sti only masks interrupts on the current CPU; other CPUs keep
-  *    dispatching through the table while it is being rewritten. CR0.WP is set
-  *    unconditionally afterwards rather than restored to its prior value.
-  *  - DbgPrint emits kernel addresses to the debug log.
-  */
- VOID Hook()
- {
- ULONG Address;
- ULONG Address1;
- ULONG Address2;
- Address=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x7A*4;
- Address1=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x0ba*4;
- Address2=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x115*4;
- DbgPrint("Address:0x%08X",Address);
- DbgPrint("Address1:0x%08X",Address1);
- DbgPrint("Address2:0x%08X",Address2);
- OldServiceAddress=*(ULONG*)Address;    /* save whatever is currently in the slot */
- OldServiceAddress1=*(ULONG*)Address1;
- OldServiceAddress2=*(ULONG*)Address2;
- RealZwOpenProcess=(REALZWOPENPROCESS)OldServiceAddress; /* assigned but never called */
- DbgPrint("OldServiceAddress:0x%08X",OldServiceAddress);
- DbgPrint("OldServiceAddress1:0x%08X",OldServiceAddress1);
- DbgPrint("OldServiceAddress2:0x%08X",OldServiceAddress2);
- /* Resume points inside the original routines; the byte offsets match the
-  * length of the instruction sequence each naked hook replays (build-specific). */
- JmpAddress=OldServiceAddress+15;
- JmpAddress1=OldServiceAddress1+12;
- JmpAddress2=OldServiceAddress2+12;
- //JmpAddress=2153521239;
- DbgPrint("JmpAddress:0x%08X",JmpAddress);
- DbgPrint("JmpAddress1:0x%08X",JmpAddress1);
- DbgPrint("JmpAddress2:0x%08X",JmpAddress2);
- __asm{//remove memory protection: clear CR0.WP (bit 16) so read-only pages are writable from ring 0
- cli
- moveax,cr0
- andeax,not 10000h
- movcr0,eax
- }
- 
- 
- *((ULONG*)Address) = (ULONG)MyNtOpenProcess;//HOOK SSDT
- *((ULONG*)Address1) = (ULONG)MyNtReadVirtualMemory;
- *((ULONG*)Address2) = (ULONG)MyNtWriteVirtualMemory;
- __asm{//restore memory protection: set CR0.WP again and re-enable interrupts
- moveax,cr0
- or eax,10000h
- movcr0,eax
- sti
- }
- }
- /*
-  * Writes the entries saved by Hook() back into the same three SSDT slots,
-  * using the same CR0.WP dance as Hook().
-  *
-  * Review notes: the slots are not checked to still contain the MyNt* hooks,
-  * so if another driver hooked the same services after this one, its entries
-  * are clobbered; and if Hook() never ran, the OldServiceAddress* globals are
-  * zero and zero is written into the table. Same cli/sti-is-per-CPU caveat as
-  * Hook(). Same remark on `ULONGAddress` (missing space) as noted above.
-  */
- VOID Unhook()
- {
- ULONGAddress;
- ULONGAddress1;
- ULONGAddress2;
- Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;//locate the SSDT slots
- Address1=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x0ba*4;
- Address2=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x115*4;
- __asm{ // clear CR0.WP (bit 16) with interrupts masked on this CPU
- cli
- moveax,cr0
- andeax,not 10000h
- movcr0,eax
- }
- *((ULONG*)Address) = (ULONG)OldServiceAddress;//restore SSDT
- *((ULONG*)Address1) = (ULONG)OldServiceAddress1;
- *((ULONG*)Address2) = (ULONG)OldServiceAddress2;
- __asm{ // set CR0.WP again, re-enable interrupts
- moveax,cr0
- or eax,10000h
- movcr0,eax
- sti
- }
- DbgPrint("Unhook");
- }