[Help] NtWriteVirtualMemory appears in the SSDT, but ntoskrnl.exe does not export it; how should the SSDT hook be implemented?
So evil, so powerful... How should I modify mine here?

```c
#include <Ntifs.h>

#pragma pack(1)
typedef struct _SYSTEM_SERVICES_DESCRIPTOR_TABLE {
    PULONG *ServiceTableBase;
    PULONG *ServiceCounterTableBase;   // Used in checked builds only
    unsigned int NumberOfServices;
    PULONG *ParamTableBase;
} SSDT, *PSSDT;
#pragma pack()

typedef struct _DEVICE_EXTENSION {
    PDEVICE_OBJECT pDevObj;
    UNICODE_STRING uniSymLink;
    PMDL pMdl;
    PULONG pulSSDTMapped;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

// Pointer types for the original service routines.  All three are __stdcall: the post
// left it off ZWOPENPROCESS, and calling a stdcall routine through a cdecl pointer
// unbalances the stack on x86.  The last parameter was named "PCLIENT_ID" (the type
// name), which does not compile; it is ClientId here.
typedef NTSTATUS (__stdcall *ZWOPENPROCESS)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);

typedef NTSTATUS (__stdcall *ZWOPENTHREAD)(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);

typedef NTSTATUS (__stdcall *ZWWRITEVIRTUALMEMORY)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN ULONG NumberOfBytesToWrite,
    OUT PULONG NumberOfBytesWritten OPTIONAL);

// Prototypes for the two Zw routines the DDK headers do not declare.  They are only
// used to read the service index out of the stub.  ZwWriteVirtualMemory is not
// exported by ntoskrnl.exe, so the import has to be satisfied from ntdll.lib,
// which a DDK build does not link by default.
NTSYSAPI NTSTATUS NTAPI ZwOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

NTSYSAPI NTSTATUS NTAPI ZwWriteVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN ULONG NumberOfBytesToWrite,
    OUT PULONG NumberOfBytesWritten OPTIONAL);

/* Getting a system service function address: the service index is the imm32 at
   offset 1 of the Zw stub ("mov eax, index") */
#define SYSTEM_SERVICE(_Func) KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_Func + 1)]
#define SYSTEM_INDEX(_Func)   (*(PULONG)((PUCHAR)_Func + 1))

#define IOCTL_START_PROTECTION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define C_MAXPROCNUMS 12

// Global variables
__declspec(dllimport) SSDT KeServiceDescriptorTable;

ZWOPENPROCESS        ZwOpenProcessReal;
ZWOPENTHREAD         ZwOpenThreadReal;
ZWWRITEVIRTUALMEMORY ZwWriteVirtualMemoryReal;
ULONG ulPIDs[C_MAXPROCNUMS];

DRIVER_UNLOAD   DriverUnload;
DRIVER_DISPATCH DispatchDevOpen, DispatchDevCtl;

// Hook routines; NTAPI because SSDT entries are called with the stdcall convention
NTSTATUS NTAPI ZwOpenProcessHook(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
                                 POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
NTSTATUS NTAPI ZwOpenThreadHook(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess,
                                POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
NTSTATUS NTAPI ZwWriteVirtualMemoryHook(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer,
                                        ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);
```

And it has to be compatible with the systems after 2000: XP, Win7, 2003, Vista.
[Help] Someone who knows drivers please take a look, thanks. Three days and nights, and this is the only thing still wrong
Go look in 看雪精华十; there is an SSDT hook in there written exactly that way. Title: Build your own HOOK engine, part 1 --- SSDT HOOK engine. Author: easystone. Time: 2008-12-22 21:50. Link: http://bbs.pediy.com/showthread.php?t=79247

The key point is that one function, NtWriteVirtualMemory, appears in the SSDT but is not exported by ntoskrnl.exe. It is, however, exported from NTDLL, and a DDK build does not include ntdll.lib by default. So you only need to add TARGETLIBS = $(DDK_LIB_PATH)\ntdll.lib to the SOURCES file and the program compiles normally.

After it compiles normally the driver still does not work: loading the service fails.
[Help] How do I unload a DLL?
http://topic.csdn.net/u/20100603/12/d7454d10-e646-4801-b261-792215de4842.html

GetProcAddress(GetModuleHandle(_T("Kernel32")), "FreeLibrary"); is not guaranteed to work, and the privileges may not be sufficient.

http://bbs.pediy.com/showthread.php?p=496021

NtUnmapViewOfSection = (XXXNtUnmapViewOfSection)GetProcAddress(GetModuleHandle("你要卸载的dll文件"), "NtUnmapViewOfSection");

Elevate privileges: raise the process to debug privilege. Check the driver.
[Help] Someone who knows drivers please take a look, thanks. Three days and nights, and this is the only thing still wrong
I looked up some material. Although NtWriteVirtualMemory appears in the SSDT, ntoskrnl.exe does not export it (neither ZwWriteVirtualMemory nor NtWriteVirtualMemory). So at compile time ZwQuerySystemInformation can be used, but ZwWriteVirtualMemory cannot. The function is, however, exported from NTDLL, and a DDK build does not include ntdll.lib by default. So you only need to add TARGETLIBS = $(DDK_LIB_PATH)\ntdll.lib to the SOURCES file and the program compiles normally, because the first instruction of the Zw***** functions in ntdll.dll and in ntoskrnl.exe is the same: MOV EAX, index.

http://bbs.driverdevelop.com/read.php?tid-102377.html

I don't know how to modify it.........
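The "MOV EAX, index" observation is what the service-index macros in this thread rely on. What follows is an added example, my own code rather than anything from this thread or from the linked articles: a decoder that pulls the service number out of such a stub but verifies the opcode first, which a bare read of offset +1 does not, so a stub that some other component has already patched (its first byte is a jmp instead of mov eax) is reported as invalid rather than yielding a garbage index. It also accepts the x64 stub layout (mov r10, rcx ahead of the mov eax), which goes beyond the 32-bit case discussed here. The stub bytes below are constructed sample data, not copied from any ntdll build.

```c
#include <stdio.h>
#include <stddef.h>

/* Decode the system-service index from the first instruction of an ntdll
 * Nt or Zw stub.  Layouts accepted:
 *   x86:  B8 imm32              mov eax, imm32
 *   x64:  4C 8B D1 B8 imm32     mov r10, rcx ; mov eax, imm32
 * Returns the index, or -1 when the bytes are not an unmodified stub: buffer
 * too short, first instruction is not the expected mov (for instance a jmp
 * planted by another hook), or the immediate is outside the range a service
 * number can take (bits 0-11 index the table, bits 12-13 select the table). */
int syscall_index_from_stub(const unsigned char *stub, size_t len)
{
    size_t off = 0;
    unsigned long imm;

    if (stub == NULL)
        return -1;
    if (len >= 3 && stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1)
        off = 3;                                /* x64 prologue present */
    if (len < off + 5 || stub[off] != 0xB8)
        return -1;                              /* not "mov eax, imm32" */
    imm = (unsigned long)stub[off + 1]
        | (unsigned long)stub[off + 2] << 8
        | (unsigned long)stub[off + 3] << 16
        | (unsigned long)stub[off + 4] << 24;   /* little-endian immediate */
    if (imm >= 0x4000)
        return -1;                              /* table selector is only 2 bits */
    return (int)imm;
}

/* Constructed sample stubs: the indices and trailing bytes are illustrative,
 * not taken from a real ntdll. */
static const unsigned char stub_x86[] = {
    0xB8, 0x15, 0x01, 0x00, 0x00,   /* mov eax, 115h */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h */
    0xFF, 0x12,                     /* call dword ptr [edx] */
    0xC2, 0x14, 0x00                /* ret 14h */
};
static const unsigned char stub_x64[] = {
    0x4C, 0x8B, 0xD1,               /* mov r10, rcx */
    0xB8, 0x26, 0x00, 0x00, 0x00,   /* mov eax, 26h */
    0x0F, 0x05,                     /* syscall */
    0xC3                            /* ret */
};
static const unsigned char stub_patched[] = {
    0xE9, 0x00, 0x00, 0x00, 0x00,   /* jmp rel32: something already detoured this stub */
    0x90, 0x90, 0x90, 0x90, 0x90
};

int main(void)
{
    printf("x86 stub     -> %d\n", syscall_index_from_stub(stub_x86, sizeof stub_x86));
    printf("x64 stub     -> %d\n", syscall_index_from_stub(stub_x64, sizeof stub_x64));
    printf("patched stub -> %d\n", syscall_index_from_stub(stub_patched, sizeof stub_patched));
    return 0;
}
```

A -1 from the decoder is the signal to stop rather than to hook: if the stub has already been rewritten by another driver or by a user-mode hook, the number at offset +1 is part of a jump displacement, and using it as an SSDT index would overwrite an unrelated entry.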
[Help] How do I unload a DLL?
First locate the process. When enumerating processes you only need three functions: CreateToolhelp32Snapshot(), Process32First() and Process32Next(). Then you can get a handle to the process you want to operate on from its PID or process name. Then, through that handle, enumerate all of its threads with Thread32First and Thread32Next (an array holding the information of every thread); that contains the DLL information, including path, thread ID and so on. Then you can locate the DLL (whether it exists) using the thread name, thread path or thread ID as the condition. Then open the process, allocate a block of memory, and use a remote thread or some other method to call an API to unload it. After that come closing handles and the other cleanup. I'm a newbie too; this is what I summarized after reading other people's code.
[Help] Someone who knows drivers please take a look, thanks. Three days and nights, and this is the only thing still wrong
Thanks, but my original file was already in .c format.
[Help] How do I unload a DLL?
Install it yourself (易语言 5.11; genuine or pirated is your choice, support the genuine one), or translate it yourself; the procedure is very detailed and every parameter of every API called is there. Writing one in Delphi 7.0 would be trivial for you. If it is kernel-level protection, kill the kernel first; you have to make sure no driver interferes, otherwise it won't work and you have no privileges to operate.
[Help] Asking 北极星 about making the walk of the ActiveProcessLinks list through the EPROCESS structure compatible with other systems
```c
#include <ntddk.h>
#include "struct.h"   // not shown in the post: supplies DWORD/WORD/BYTE, the NTREADVIRTUALMEMORY,
                      // NTWRITEVIRTUALMEMORY and ZWCREATEFILE pointer types, the Old* globals,
                      // PServiceDescriptorTableEntry and KeServiceDescriptorTable

// Exported by ntoskrnl since XP (not on Windows 2000) but not declared in the DDK headers;
// used here instead of a per-build EPROCESS offset for the image file name
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(IN PEPROCESS Process);

//int pos_CreateFile;
/* Service numbers of the hooked functions */
int pos_ReadVirtualMemory;
int pos_NtOpenProcess;
int pos_NtWriteVirtualMemory;

// Special value: the ID of the target (protected) process
ULONG dwTargetProcessID;

// Set once Hook() has actually replaced the SSDT entries, so Unhook() never writes
// back uninitialised values
static BOOLEAN g_Hooked = FALSE;

#define MY_CONTROL_CODE 0x4021
#define IOCTL_SET_TARGET_PROCESS_ID (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, MY_CONTROL_CODE, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)

// Some constants
#define EPROCESS_SIZE       1
#define PEB_OFFSET          2
#define FILE_NAME_OFFSET    3
#define PROCESS_LINK_OFFSET 4
#define PROCESS_ID_OFFSET   5
#define EXIT_TIME_OFFSET    6

// The per-build offset table of the hardcoded version, left commented out as in the post
//DWORD GetPlantformDependentInfo(DWORD dwFlag)
//{
//    DWORD current_build;
//    DWORD ans = 0;
//    PsGetVersion(NULL, NULL, &current_build, NULL);
//    switch (dwFlag)
//    {
//    case EPROCESS_SIZE:
//        if (current_build == 2195) ans = 0;      // 2000, currently unsupported; same below
//        if (current_build == 2600) ans = 0x25C;  // xp
//        if (current_build == 3790) ans = 0x270;  // 2003
//        break;
//    case PEB_OFFSET:
//        if (current_build == 2195) ans = 0;
//        if (current_build == 2600) ans = 0x1b0;
//        if (current_build == 3790) ans = 0x1a0;
//        break;
//    case FILE_NAME_OFFSET:
//        if (current_build == 2195) ans = 0;
//        if (current_build == 2600) ans = 0x174;
//        if (current_build == 3790) ans = 0x164;
//        break;
//    case PROCESS_LINK_OFFSET:
//        if (current_build == 2195) ans = 0;
//        if (current_build == 2600) ans = 0x088;
//        if (current_build == 3790) ans = 0x098;
//        break;
//    case PROCESS_ID_OFFSET:
//        if (current_build == 2195) ans = 0;
//        if (current_build == 2600) ans = 0x084;
//        if (current_build == 3790) ans = 0x094;
//        break;
//    case EXIT_TIME_OFFSET:
//        if (current_build == 2195) ans = 0;
//        if (current_build == 2600) ans = 0x078;
//        if (current_build == 3790) ans = 0x088;
//        break;
//    }
//    return ans;
//}

// Forward declarations: the post used these before defining them
VOID Hook(VOID);
VOID Unhook(VOID);
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);

NTSTATUS NTAPI NewNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
                                POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    ULONG dwProcessId = 0;

    // ClientId is a caller-supplied (usually user-mode) pointer; guard the read so a
    // bad pointer does not bugcheck
    if (ClientId != NULL)
    {
        __try
        {
            dwProcessId = (ULONG)ClientId->UniqueProcess;
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            return GetExceptionCode();
        }
    }

    // Refuse before calling the original.  The post opened the handle first and only
    // then returned STATUS_ACCESS_DENIED, which left the caller an open handle anyway.
    if (dwProcessId != 0 && dwProcessId == dwTargetProcessID)
        return STATUS_ACCESS_DENIED;

    return ((ZWCREATEFILE)(OldNtOpenProcess))(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}

NTSTATUS NTAPI NewNtWriteVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer,
                                       IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL)
{
    NTSTATUS ret;
    PVOID pEprocess = NULL;
    ULONG dwProcessId;

    // Resolve the handle to its EPROCESS.  The object type and the caller's previous
    // mode are passed so that only real process handles valid for the caller are
    // accepted (the post used KernelMode and no type).
    ret = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), &pEprocess, NULL);
    if (NT_SUCCESS(ret))
    {
        // The post passed the handle itself to PsGetProcessId, which takes a PEPROCESS
        dwProcessId = (ULONG)PsGetProcessId((PEPROCESS)pEprocess);
        ObDereferenceObject(pEprocess);

        // Deny writes into the protected process unless it is writing its own memory.
        // This has to happen before the original call; the post performed the write
        // first and only then returned STATUS_ACCESS_DENIED.
        if (dwProcessId == dwTargetProcessID && dwTargetProcessID != (ULONG)PsGetCurrentProcessId())
            return STATUS_ACCESS_DENIED;
    }

    return ((NTWRITEVIRTUALMEMORY)(OldNtWriteVitualMemory))(ProcessHandle, BaseAddress, Buffer, BufferLength, ReturnLength);
}

NTSTATUS NTAPI NewNtReadVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer,
                                      IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL)
{
    NTSTATUS ret;
    PVOID pEprocess = NULL;          // EPROCESS of the process named by ProcessHandle
    PEPROCESS pCaller_Eprocess;      // EPROCESS of the calling process, used to let explorer.exe through
    ULONG dwCurrentPID;              // PID belonging to ProcessHandle
    UNICODE_STRING uProcessName;     // locals rather than the post's globals: hooks run concurrently
    UNICODE_STRING MyuProcessName;
    ANSI_STRING aProcessName;

    ret = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, ExGetPreviousMode(), &pEprocess, NULL);
    if (NT_SUCCESS(ret))
    {
        // PID via the exported API instead of the per-build EPROCESS offset
        dwCurrentPID = (ULONG)PsGetProcessId((PEPROCESS)pEprocess);
        ObDereferenceObject(pEprocess);

        // If the process being read is the protected one, start filtering
        if (dwCurrentPID == dwTargetProcessID)
        {
            DbgPrint("call NtReadVirtualMemory!Target Process is %d. The Caller is %d\n", dwTargetProcessID, PsGetCurrentProcessId());

            // The protected process reading its own memory is allowed
            if (dwTargetProcessID == (ULONG)PsGetCurrentProcessId())
            {
                DbgPrint("call NtReadVirtualMemory by myself\n");
                goto Next;
            }

            // Image file name of the caller via the exported API; the post read it at
            // dwFileName, which was never initialised once GetPlantformDependentInfo
            // was commented out
            pCaller_Eprocess = PsGetCurrentProcess();
            RtlInitUnicodeString(&uProcessName, L"explorer.exe");
            RtlInitAnsiString(&aProcessName, PsGetProcessImageFileName(pCaller_Eprocess));
            if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&MyuProcessName, &aProcessName, TRUE)))
                return STATUS_ACCESS_DENIED;
            DbgPrint("call NtReadVirtualMemory by %wZ ---%wZ\n", &MyuProcessName, &uProcessName);

            // Case-insensitive compare; the desktop process is allowed through.  Note this
            // is a name-based rule: any image can be named explorer.exe.
            if (RtlCompareUnicodeString(&uProcessName, &MyuProcessName, TRUE) == 0)
            {
                RtlFreeUnicodeString(&MyuProcessName);
                DbgPrint("call NtReadVirtualMemory by explorer process\n");
                goto Next;
            }
            RtlFreeUnicodeString(&MyuProcessName);

            // Everything else reading the protected process is refused.  The post instead
            // passed the string literal L"Is By PopSky" as the *output* buffer of the
            // original call, which would have the kernel write into a read-only literal.
            DbgPrint("call NtReadVirtualMemory by other process %d\n", PsGetCurrentProcessId());
            return STATUS_ACCESS_DENIED;
        }
    }

Next:
    return ((NTREADVIRTUALMEMORY)(OldNtReadVirtualMemory))(ProcessHandle, BaseAddress, Buffer, BufferLength, ReturnLength);
}

/////////////////////////////////////////////////////////////////
// The function below obtains the address of an exported function   (sudami)
/////////////////////////////////////////////////////////////////
DWORD GetDllFunctionAddress(char *lpFunctionName, PUNICODE_STRING pDllName)
{
    HANDLE hSection, hFile, hMod;
    IMAGE_DOS_HEADER *dosheader;
    IMAGE_OPTIONAL_HEADER *opthdr;
    IMAGE_EXPORT_DIRECTORY *pExportTable;
    DWORD *arrayOfFunctionAddresses;
    DWORD *arrayOfFunctionNames;
    WORD *arrayOfFunctionOrdinals;
    DWORD functionOrdinal;
    DWORD x, functionAddress = 0;
    char *functionName;
    STRING ntFunctionName, ntFunctionNameSearch;
    PVOID BaseAddress = NULL;
    SIZE_T size = 0;
    OBJECT_ATTRIBUTES oa = { sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE };
    IO_STATUS_BLOCK iosb;
    NTSTATUS status;

    // Map the DLL as an image section and read its export directory.  The view is
    // deliberately left mapped (as in the post): Hook() reads the stub bytes through
    // the returned address.
    status = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(status))
        return 0;
    oa.ObjectName = 0;
    status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0, PAGE_EXECUTE, SEC_IMAGE, hFile);
    ZwClose(hFile);
    if (!NT_SUCCESS(status))
        return 0;
    status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size,
                                (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
    if (!NT_SUCCESS(status))
    {
        ZwClose(hSection);
        return 0;
    }

    hMod = BaseAddress;
    dosheader = (IMAGE_DOS_HEADER *)hMod;
    opthdr = (IMAGE_OPTIONAL_HEADER *)((BYTE *)hMod + dosheader->e_lfanew + 24);
    pExportTable = (IMAGE_EXPORT_DIRECTORY *)((BYTE *)hMod + opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    arrayOfFunctionAddresses = (DWORD *)((BYTE *)hMod + pExportTable->AddressOfFunctions);
    arrayOfFunctionNames = (DWORD *)((BYTE *)hMod + pExportTable->AddressOfNames);
    arrayOfFunctionOrdinals = (WORD *)((BYTE *)hMod + pExportTable->AddressOfNameOrdinals);

    RtlInitString(&ntFunctionNameSearch, lpFunctionName);
    // Walk the name table: NumberOfNames entries, not NumberOfFunctions (the post used the
    // latter, which over-reads the name arrays when a DLL also exports by ordinal)
    for (x = 0; x < pExportTable->NumberOfNames; x++)
    {
        functionName = (char *)((BYTE *)hMod + arrayOfFunctionNames[x]);
        RtlInitString(&ntFunctionName, functionName);
        if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
        {
            // AddressOfNameOrdinals already holds the zero-based index into
            // AddressOfFunctions; the post added Base - 1, which is only right when Base == 1
            functionOrdinal = arrayOfFunctionOrdinals[x];
            functionAddress = (DWORD)((BYTE *)hMod + arrayOfFunctionAddresses[functionOrdinal]);
            break;
        }
    }

    ZwClose(hSection);
    return functionAddress;
}

VOID IoTimeRoutine(IN PDEVICE_OBJECT DeviceObject, IN PVOID Context)
{
    DbgPrint("IoTimerRoutine() is Called!\n");
}

NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    //dprintf("[KsBinSword] IRP_MJ_CREATE\n");
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    //DbgBreakPoint();
    Irp->IoStatus.Information = 0;
    //dprintf("[KsBinSword] IRP_MJ_CLOSE\n");
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);

    switch (irpSp->Parameters.DeviceIoControl.IoControlCode)
    {
    case 0x1000:   // raw code the user-mode side sends; IOCTL_SET_TARGET_PROCESS_ID above is unused
        // Check the input size before reading the buffer
        if (irpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof(ULONG))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        dwTargetProcessID = *(PULONG)Irp->AssociatedIrp.SystemBuffer;
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        dwTargetProcessID = 0;
        break;
    }
    // The post only set IoStatus.Status on the default path and then read it back
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

// Driver entry
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    PDEVICE_OBJECT Device;
    UNICODE_STRING DeviceName, DeviceLink;   // device name, symbolic link name

    DbgPrint("[MyDriver] DriverEntry\n");
    RtlInitUnicodeString(&DeviceName, L"\\Device\\MyDriver");       // initialise device name
    RtlInitUnicodeString(&DeviceLink, L"\\DosDevices\\MyDriver");   // initialise symbolic link name

    /* IoCreateDevice: create the device object */
    ntStatus = IoCreateDevice(DriverObject,          // driver object that owns the device
                              0,                     // size of the device extension
                              &DeviceName,           // device name, \Device\MyDriver
                              FILE_DEVICE_UNKNOWN,   // device type
                              0,                     // 0 is fine
                              FALSE,                 // must be FALSE
                              &Device);              // receives the device object pointer
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("[MyDriver] IoCreateDevice FALSE: %.8X\n", ntStatus);
        return ntStatus;   // creation failed, return
    }
    else
        DbgPrint("[MyDriver] IoCreateDevice SUCCESS\n");

    /* IoCreateSymbolicLink: create the symbolic link */
    ntStatus = IoCreateSymbolicLink(&DeviceLink, &DeviceName);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("[MyDriver] IoCreateSymbolicLink FALSE: %.8X\n", ntStatus);
        IoDeleteDevice(Device);   // delete the device
        return ntStatus;
    }
    else
        DbgPrint("[MyDriver] IoCreateSymbolicLink SUCCESS\n");

    Device->Flags &= ~DO_DEVICE_INITIALIZING;   // mark device initialisation complete

    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
    DriverObject->DriverUnload = OnUnload;

    Hook();   // SSDT hook
    return ntStatus;
}

// Driver unload
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING dosDeviceName;

    Unhook();
    RtlInitUnicodeString(&dosDeviceName, L"\\DosDevices\\MyDriver");
    IoDeleteSymbolicLink(&dosDeviceName);
    if (DriverObject->DeviceObject != NULL)
    {
        IoDeleteDevice(DriverObject->DeviceObject);   // delete the device
    }
}

// Replace the SSDT entries for NtReadVirtualMemory, NtOpenProcess and NtWriteVirtualMemory
VOID Hook(VOID)
{
    UNICODE_STRING dllName;
    DWORD functionAddress;
    DWORD NtOpenProcessAddress;
    DWORD NtWriteVirtualMemoryAddress;
    // The table is accessed as an array of pointers; the post cast each entry to the
    // function-pointer type and assigned through the cast, which is not standard C
    PVOID *ServiceTable = (PVOID *)((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase;

    // \SystemRoot resolves to the Windows directory whatever volume it is on; the post
    // hardcoded \Device\HarddiskVolume1\Windows, which only matches one disk layout
    RtlInitUnicodeString(&dllName, L"\\SystemRoot\\System32\\ntdll.dll");

    functionAddress = GetDllFunctionAddress("NtReadVirtualMemory", &dllName);
    NtOpenProcessAddress = GetDllFunctionAddress("NtOpenProcess", &dllName);
    NtWriteVirtualMemoryAddress = GetDllFunctionAddress("NtWriteVirtualMemory", &dllName);
    if (functionAddress == 0 || NtOpenProcessAddress == 0 || NtWriteVirtualMemoryAddress == 0)
    {
        DbgPrint("Hook: export lookup failed, not hooking\n");   // the post dereferenced address+1 even when 0
        return;
    }

    // Service numbers: the immediate of each stub's first instruction, "mov eax, index"
    pos_ReadVirtualMemory = *((WORD *)(functionAddress + 1));
    pos_NtOpenProcess = *((WORD *)(NtOpenProcessAddress + 1));
    pos_NtWriteVirtualMemory = *((WORD *)(NtWriteVirtualMemoryAddress + 1));

    // Save the original entries
    OldNtReadVirtualMemory = (NTREADVIRTUALMEMORY)ServiceTable[pos_ReadVirtualMemory];   // original address of NtReadVirtualMemory
    OldNtOpenProcess = (ZWCREATEFILE)ServiceTable[pos_NtOpenProcess];
    OldNtWriteVitualMemory = (NTWRITEVIRTUALMEMORY)ServiceTable[pos_NtWriteVirtualMemory];
    DbgPrint("Address of Real OldNtReadVirtualMemory: 0x%08X\n", OldNtReadVirtualMemory);

    // Clear CR0.WP to remove the write protection (cli only masks interrupts on the current processor)
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }

    ServiceTable[pos_ReadVirtualMemory] = (PVOID)NewNtReadVirtualMemory;     // SSDT HOOK NtReadVirtualMemory
    ServiceTable[pos_NtOpenProcess] = (PVOID)NewNtOpenProcess;
    ServiceTable[pos_NtWriteVirtualMemory] = (PVOID)NewNtWriteVirtualMemory;
    DbgPrint(" Address of NewNtReadVirtualMemory: 0x%08X\n", NewNtReadVirtualMemory);

    // Restore the write protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
    g_Hooked = TRUE;
}

//////////////////////////////////////////////////////
VOID Unhook(VOID)
{
    PVOID *ServiceTable = (PVOID *)((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase;

    if (!g_Hooked)
        return;

    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }

    // Restore the SSDT
    ServiceTable[pos_ReadVirtualMemory] = (PVOID)OldNtReadVirtualMemory;
    ServiceTable[pos_NtOpenProcess] = (PVOID)OldNtOpenProcess;
    ServiceTable[pos_NtWriteVirtualMemory] = (PVOID)OldNtWriteVitualMemory;

    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
    g_Hooked = FALSE;
    DbgPrint("Unhook\n");
}
```

Something is wrong with the way it gets into the kernel: it reports that the service cannot be started.
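GetDllFunctionAddress in the driver above walks the export directory with NumberOfFunctions as the loop bound and biases each name ordinal by Base - 1. As an added example, not code from this thread or from sudami, here is a small model of the three export-directory arrays with a lookup that iterates NumberOfNames entries and uses AddressOfNameOrdinals[i] directly as the index into AddressOfFunctions, beside the biased variant so the difference is testable. The tables are constructed sample data: plain pointers stand in for RVAs, one export has no name so NumberOfNames is smaller than NumberOfFunctions, and Base is deliberately not 1, so the biased lookup fails instead of silently working as it does on a DLL whose Base happens to be 1.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of IMAGE_EXPORT_DIRECTORY and its three arrays.  In a real
 * image the three table fields are RVAs resolved against the module base; here
 * they are plain pointers so the example runs without a PE file. */
struct export_model {
    uint32_t base;                            /* IMAGE_EXPORT_DIRECTORY.Base */
    uint32_t number_of_functions;             /* entries in address_of_functions */
    uint32_t number_of_names;                 /* entries in the two name arrays */
    const uint32_t *address_of_functions;     /* one RVA per export, position = ordinal - base */
    const char *const *address_of_names;      /* exported names */
    const uint16_t *address_of_name_ordinals; /* unbiased index into address_of_functions */
};

/* Correct lookup: walk the names, use the unbiased ordinal as the index. */
uint32_t export_rva_by_name(const struct export_model *m, const char *name)
{
    uint32_t i;
    for (i = 0; i < m->number_of_names; i++) {
        if (strcmp(m->address_of_names[i], name) == 0) {
            uint32_t idx = m->address_of_name_ordinals[i];
            if (idx >= m->number_of_functions)
                return 0;   /* corrupt table: refuse rather than read past the array */
            return m->address_of_functions[idx];
        }
    }
    return 0;               /* not exported by that name */
}

/* The posted driver's indexing: ordinal + Base - 1.  A no-op only when Base == 1. */
uint32_t export_rva_by_name_biased(const struct export_model *m, const char *name)
{
    uint32_t i;
    for (i = 0; i < m->number_of_names; i++) {
        if (strcmp(m->address_of_names[i], name) == 0) {
            uint32_t idx = m->address_of_name_ordinals[i] + m->base - 1;
            if (idx >= m->number_of_functions)
                return 0;   /* with the bias this is where the lookup lands */
            return m->address_of_functions[idx];
        }
    }
    return 0;
}

/* Constructed sample tables (not taken from any real ntdll): four exports, the
 * last one by ordinal only, so number_of_names (3) < number_of_functions (4). */
static const uint32_t sample_functions[] = { 0x1000, 0x2000, 0x3000, 0x4000 };
static const char *const sample_names[] = { "NtOpenProcess", "NtReadVirtualMemory", "NtWriteVirtualMemory" };
static const uint16_t sample_ordinals[] = { 0, 2, 1 };
const struct export_model sample_exports = { 5, 4, 3, sample_functions, sample_names, sample_ordinals };

int main(void)
{
    printf("NtWriteVirtualMemory: direct 0x%X, biased 0x%X\n",
           export_rva_by_name(&sample_exports, "NtWriteVirtualMemory"),
           export_rva_by_name_biased(&sample_exports, "NtWriteVirtualMemory"));
    printf("NtReadVirtualMemory:  direct 0x%X, biased 0x%X\n",
           export_rva_by_name(&sample_exports, "NtReadVirtualMemory"),
           export_rva_by_name_biased(&sample_exports, "NtReadVirtualMemory"));
    return 0;
}
```

The bounds check on idx is what separates a wrong answer from a read past the end of the function table; in the kernel that read would be against a section view, and a bad index there is a bugcheck rather than a lookup failure.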
[Help] Asking 北极星 about making the walk of the ActiveProcessLinks list through the EPROCESS structure compatible with other systems
http://bbs.pediy.com/showthread.php?t=125737 The big block of code in post #2. Win7 seems to have some kind of protection. I removed all the hardcoded offsets and used native APIs; it reports that the driver failed to start.
[Help] How do I unload a DLL?
```
.版本 2

.DLL命令 VirtualAllocEx, 整数型, "kernel32", "VirtualAllocEx", , 卸载dll
    .参数 hProcess, 整数型
    .参数 lpAddress, 整数型
    .参数 dwSize, 整数型
    .参数 flAllocationType, 整数型
    .参数 flProtect, 整数型

.版本 2

.DLL命令 GetProcAddress, 整数型
    .参数 hModule, 整数型
    .参数 lpProcName, 文本型

.版本 2

.DLL命令 CreateRemoteThread, 整数型, "kernel32", "CreateRemoteThread", , 卸载dll
    .参数 hProcess, 整数型
    .参数 lpThreadAttributes, 整数型
    .参数 dwStackSize, 整数型
    .参数 lpStartAddress, 整数型
    .参数 lpParameter, 整数型
    .参数 dwCreationFlags, 整数型
    .参数 lpThreadId, 整数型

.版本 2

.DLL命令 CloseHandle, , , "CloseHandle", , 关闭一个内核对象
    .参数 ProcessHandle, 整数型, , 对象句柄

.版本 2

.DLL命令 API_WaitForSingleObject, 整数型, "kernel32", "WaitForSingleObject", , 监测一个对象 卸载dll
    .参数 hHandle, 整数型
    .参数 dwMilliseconds, 整数型

.版本 2

.DLL命令 API_取中止线程退出代码, 整数型, "kernel32", "GetExitCodeThread", , 获取一个已中止线程的退出代码 非零表示成功,零表示失败。会设置GetLastError 卸载dll
    .参数 线程句柄, 整数型, , 想获取退出代码的一个线程的句柄
    .参数 退出代码, 整数型, 传址, 用于装载线程退出代码的一个长整数变量。如线程尚未中断,则设为常数STILL_ACTIVE;

.版本 2

.DLL命令 API_VirtualFreeEx, 整数型, "kernel32.dll", "VirtualFreeEx", , 卸载dll
    .参数 hProcess, 整数型
    .参数 lpAddress, 整数型
    .参数 dwSize, 整数型, 传址
    .参数 dwFreeType, 整数型

.版本 2

.DLL命令 GetModuleHandle, 整数型, "kernel32", "GetModuleHandleA", , 卸载dll
    .参数 lpModuleName, 文本型
```
[Help] How do I unload a DLL?
```
.版本 2

.子程序 卸载DLL, , , 9-6
    .参数 进程ID, 整数型
    .参数 DLL全路径, 文本型
    .局部变量 进程句柄, 整数型
    .局部变量 路径长度, 整数型
    .局部变量 返回地址, 整数型
    .局部变量 temp, 整数型
    .局部变量 模块句柄1, 整数型
    .局部变量 远程线程1, 整数型
    .局部变量 模块句柄2, 整数型
    .局部变量 远程线程2, 整数型
    .局部变量 退出代码, 整数型
    .局部变量 打开线程, 整数型

进程句柄 = 打开进程 (2035711, 0, 进程ID)
.如果 (进程句柄 = 0)
    信息框 (“无法获取进程句柄”, #警告图标, “错误”)
.否则
    ' 返回 (假)
.如果结束
路径长度 = 取文本长度 (DLL全路径) + 1  ' length of the DLL's full path; needed for the memory allocation below
返回地址 = VirtualAllocEx (进程句柄, 0, 路径长度, 4096, 4)  ' allocate memory in the host process; returns a pointer
' #MEM_COMMIT=4096, #PAGE_READWRITE=4
' VirtualAllocEx (进程, 0, 文本长度, 4096, 4)
写内存数据 (进程句柄, 返回地址, 到字节集 (DLL全路径), 路径长度, temp)
模块句柄1 = GetProcAddress (GetModuleHandle (“Kernel32”), “GetModuleHandleA”)  ' get the address of GetModuleHandleA
远程线程1 = CreateRemoteThread (进程句柄, 0, 0, 模块句柄1, 返回地址, 0, 0)
.如果真 (远程线程1 = 0)
    CloseHandle (进程句柄)
    信息框 (“在目标进程创建远程线程失败”, #警告图标, “错误”)
    ' 返回 (假)
.如果真结束
API_WaitForSingleObject (远程线程1, -1)  ' -1 means wait indefinitely
API_取中止线程退出代码 (远程线程1, 退出代码)  ' get GetModuleHandle's return value
API_VirtualFreeEx (进程句柄, 返回地址, 路径长度, 4096)  ' free the memory allocated in the target process
CloseHandle (远程线程1)
模块句柄2 = GetProcAddress (GetModuleHandle (“Kernel32”), “FreeLibraryAndExitThread”)
远程线程2 = CreateRemoteThread (进程句柄, 0, 0, 模块句柄2, 退出代码, 0, 0)  ' have the target process call FreeLibraryAndExitThread to unload the DLL; FreeLibrary also works, but I found the former better
API_WaitForSingleObject (远程线程2, -1)  ' -1 means wait indefinitely; wait for FreeLibraryAndExitThread to finish
CloseHandle (远程线程2)
CloseHandle (进程句柄)
```

Most of it is explained above. The main idea is to allocate some memory and call FreeLibraryAndExitThread so the DLL exits safely on its own; that function is a bit safer.