;-----------------------------------------------------------------------
; NtHookSSDT
; Overwrites the KeServiceDescriptorTable slot that currently holds
; ZwOpenProcess with the address of NewZwOpenProcess, remembering the
; slot address and the previous handler in two globals.
; Syntax/target: MASM, x86-32 Windows kernel mode (pushad/popad, cr0).
; In:    none; reads the KeServiceDescriptorTable symbol
; Out:   dwZwOpenProcess_Addr  = address of the patched SSDT slot
;        OriginalZwOpenProcess = handler that was in the slot before
; Clobb: flags; general registers are saved/restored by pushad/popad;
;        CR0 bit 16 is toggled twice; maskable interrupts are masked on
;        the executing CPU between cli and sti.
; NOTE(review): once this returns, the slot points outside the module
;        that originally owned it, which is exactly what SSDT integrity
;        checks compare; OriginalZwOpenProcess is what an unhook needs.
;-----------------------------------------------------------------------
NtHookSSDT proc
pushad                                  ; save all general registers (popad below restores them)
mov eax,KeServiceDescriptorTable        ; eax = value of the KeServiceDescriptorTable symbol
mov esi,[eax]                           ; esi -> the service descriptor entry
                                        ; (original note: "obtain the KeServiceDescriptorTable structure";
                                        ;  NOTE(review): the number of dereferences needed here depends on
                                        ;  how the symbol is declared in the include file -- confirm)
mov esi,[esi]                           ; esi = entry.ServiceTableBase (first field), i.e. the table itself
invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("ZwOpenProcess")
                                        ; eax = address of ZwOpenProcess
inc eax                                 ; eax -> ZwOpenProcess + 1
movzx ecx,byte ptr[eax]                 ; ecx = the byte at ZwOpenProcess+1, taken as the service number i
                                        ; (presumably relies on the stub starting with a one-byte opcode
                                        ;  followed by the index; NOTE(review): only ONE byte is read here,
                                        ;  while the C translation below reads a ULONG -- confirm intent)
sal ecx,2                               ; ecx = i * 4 (table entries are DWORDs)
add esi,ecx                             ; esi = ServiceTableBase + i*4 -> slot holding ZwOpenProcess
mov dwZwOpenProcess_Addr,esi            ; record the slot address
mov edi,dword ptr[esi]                  ; edi = handler currently in the slot
mov OriginalZwOpenProcess,edi           ; record it so the change can be undone later
mov edi,offset NewZwOpenProcess         ; edi = replacement handler
cli                                     ; mask interrupts on this CPU while CR0 is modified
mov eax,cr0
xor eax,10000h                          ; flip CR0 bit 16 (WP); xor toggles rather than clears,
                                        ; so this relies on the bit having been set on entry
mov cr0,eax
mov dword ptr[esi],edi                  ; the actual patch: slot = NewZwOpenProcess
mov eax, cr0
xor eax,10000h                          ; flip bit 16 back to its entry state
mov cr0, eax
sti                                     ; unmask interrupts again
popad                                   ; restore registers
ret
NtHookSSDT endp
把上面这段程序给你转换成 C吧
/* C rendering of the lookup half of NtHookSSDT above (the CR0 / patch
 * half is not translated). This is a fragment: TempName, Address,
 * SsdtIndex and OriginalZwOpenAddress are declared elsewhere. */
RtlInitUnicodeString (&TempName, L"ZwOpenProcess");
Address = MmGetSystemRoutineAddress( &TempName);    /* Address = ZwOpenProcess */
SsdtIndex = *(PULONG)((PUCHAR)Address +1);          /* service number read at ZwOpenProcess+1;
                                                       the asm above reads a single byte here */
OriginalZwOpenAddress = KeServiceDescriptorTable.ServiceTableBase + SsdtIndex * 4;
/* NOTE(review): ServiceTableBase is declared `unsigned int *` below, so
 * pointer arithmetic already scales by sizeof(unsigned int); `+ SsdtIndex * 4`
 * would advance 16 bytes per index, unlike the asm's `sal ecx,2` applied
 * to a byte offset -- confirm. KeServiceDescriptorTable is also declared
 * as a pointer (PServiceDescriptorTableEntry_t) below, so `->` rather
 * than `.` would be expected here. */
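#pragma pack(1)
/*
 * One entry of the kernel's service descriptor table as used by the
 * x86-32 code above. Byte-packed so the field offsets are exactly what
 * NtHookSSDT dereferences: it reads ServiceTableBase (offset 0) and
 * indexes it as an array of 4-byte routine addresses.
 */
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;          /* array of service routine addresses (the SSDT) */
    unsigned int *ServiceCounterTableBase;   /* Used only in checked build */
    unsigned int NumberOfServices;           /* presumably the entry count of ServiceTableBase; not read here */
    unsigned char *ParamTableBase;           /* presumably per-service argument sizes; not read here */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;

/* Defined outside this file; the assembly above refers to the same symbol.
 * Declared as a pointer to one entry, hence `->` when accessing fields. */
extern PServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#pragma pack()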
汇编资料太少了，完全不明白什么意思。你这么一说我懂了，谢谢你。分就全给你吧，下次