关于SSDT HOOK

2010-3-30 12:44
#include<ntddk.h>
typedef unsigned char BYTE;
VOID Hook();
VOID Unhook();   /* declared here but never defined or called in this listing */
/* Service-table entry at the hooked index, saved by Hook() before it is overwritten. */
ULONG OldServiceAddress;
/* Address of NtOpenProcess + 15; assigned in Hook() but never read in this listing. */
ULONG JmpAddress;
/* Layout the author assumes for one service descriptor table. */
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
  PVOID   ServiceTableBase;        /* array of service routine addresses, indexed by service number */
  PULONG  ServiceCounterTableBase;
  ULONG   NumberOfService;
  ULONG   ParamTableBase;
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE; // because KeServiceDescriptorTable has only one entry
/* NOTE(review): declared here as a POINTER to the table, whereas the later
 * listing in this thread declares the same kernel export as the table struct
 * itself (an array of SERVICE_DESCRIPTOR_TABLE). Only one of the two can match
 * the kernel's definition; if the export is the struct, the '->' in Hook()
 * below treats its first field as a pointer and computes a bogus address. */
extern PSERVICE_DESCRIPTOR_TABLE    KeServiceDescriptorTable;//KeServiceDescriptorTable is exported by the kernel

/*
 * First attempt at Hook() (original post).
 * Saves the current entry at index 0x7A of the service table into
 * OldServiceAddress, computes JmpAddress (unused here), then with CR0.WP
 * cleared: (1) memcpy(NtOpenProcess, data, 15) copies the 15 zero bytes of
 * 'data' INTO NtOpenProcess (memcpy takes dst, src), i.e. it overwrites the
 * first 15 bytes of the function instead of saving them; (2) the table entry
 * is pointed at 'data', an automatic array that ceases to exist when Hook()
 * returns. Either step is a plausible cause of the bug check reported below.
 */
VOID Hook()
{
ULONG  Address;
BYTE data[20] = {0};   /* automatic storage: gone after return, yet its address is installed below */
Address= (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;//0x7A is the service index (author's comment left unfinished); hard-coded, so build-specific
OldServiceAddress=*(ULONG*)Address;
JmpAddress = (ULONG)NtOpenProcess + 15; 

  __asm{// disable memory protection: clear CR0.WP (bit 16 = 10000h) so read-only pages can be written; cli masks interrupts on this CPU only
    cli
    mov  eax,cr0
    and  eax,not 10000h
    mov  cr0,eax
  }
memcpy(NtOpenProcess,data,15);   /* dst = NtOpenProcess, src = data: writes zeros over the function */
*((ULONG*)Address) = (ULONG)data;//HOOK SSDT: entry now points at the stack buffer above
  __asm{// restore memory protection: set CR0.WP again and re-enable interrupts
    mov  eax,cr0
    or   eax,10000h
    mov  cr0,eax
    sti
  }


}
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
/*
 * Driver entry point (original post).
 * Registers OnUnload as the unload routine, installs the service-table hook
 * and reports success. RegistryPath is accepted but not used.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
  NTSTATUS status = STATUS_SUCCESS;

  /* Register the unload routine before touching the service table. */
  DriverObject->DriverUnload = OnUnload;
  Hook();

  return status;
}

/*
 * Unload routine registered by DriverEntry.
 * Only logs a message. It does NOT write OldServiceAddress back into the
 * service table, so after the driver image is gone the hooked entry still
 * points at whatever Hook() installed (the address of a stack buffer that is
 * already out of scope). Unhook() is declared at the top of the file but is
 * never defined or called in this listing.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
  DbgPrint("Unhooker unload!");

}



小弟刚学编写驱动。此代码会蓝屏，求教各路大神、各路大牛、各位教主……


/*
 * Second attempt at Hook() (reply #2).
 * Compared with the first version it prepares 'data' as a trampoline: a 0xE9
 * opcode at data[15] followed by the 4-byte JmpAddress.
 * NOTE(review): 'data' is still an automatic array local to this function and
 * its address is what gets written into the service table, so the entry
 * dangles as soon as Hook() returns.
 * NOTE(review): the memcpy at &data[15] overwrites the 0xE9 just stored there
 * (a later reply in this thread moves the operand to data[16]), and
 * memcpy(NtOpenProcess, data, 15) copies INTO NtOpenProcess rather than saving
 * its first 15 bytes into 'data' (argument order is dst, src) — also corrected
 * in a later reply.
 */
VOID Hook()
{
ULONG  Address;
BYTE data[20] = {0};   /* automatic storage; its address is installed in the table below */
Address= (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;//0x7A is the service index (author's comment left unfinished); hard-coded, so build-specific
OldServiceAddress=*(ULONG*)Address;
JmpAddress = (ULONG)NtOpenProcess + 15;

data[15] = 0xE9;                                   // these two lines were missing!
memcpy(&data[15], &JmpAddress, 4);  // these two lines were missing!  (overwrites data[15] set just above)

  __asm{// disable memory protection: clear CR0.WP (bit 16 = 10000h); cli masks interrupts on this CPU only
    cli
    mov  eax,cr0
    and  eax,not 10000h
    mov  cr0,eax
  }
memcpy(NtOpenProcess,data,15);   /* dst = NtOpenProcess, src = data */
*((ULONG*)Address) = (ULONG)data;//HOOK SSDT: entry now points at the stack buffer above
  __asm{// restore memory protection: set CR0.WP again and re-enable interrupts
    mov  eax,cr0
    or   eax,10000h
    mov  cr0,eax
    sti
  }

}
2010-3-30 13:37
// this line is also wrong!  (memcpy takes dst, src: this writes 'data' into NtOpenProcess)
memcpy(NtOpenProcess,data,15);

// it should be (save the first 15 bytes of NtOpenProcess into 'data')
memcpy(data, NtOpenProcess, 15);
2010-3-30 13:40
data[15] = 0xE9;                                   // these two lines were missing!  (opcode at data[15])
memcpy(&data[16], &JmpAddress, 4);  // these two lines were missing!  (this reply moves the operand to data[16], right after the opcode, instead of overwriting it)
2010-3-30 13:41
还是蓝了。听说 WinDbg 可以分析蓝屏的原因，但是我不知道怎么操作，请教各位大神。
2010-3-30 17:58
这个绝对不会蓝屏了!

#include <ntddk.h>

/* Device and symbolic-link names used by DriverEntry / UnloadDriver (mutable 256-WCHAR globals). */
WCHAR DEVICE_NAME[256] = L"\\Device\\test";
WCHAR DEVICE_LINK[256] = L"\\DosDevices\\test";

/* Layout assumed for one service descriptor table. */
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
  PVOID   ServiceTableBase;        /* array of service routine addresses, indexed by service number */
  PULONG  ServiceCounterTableBase;
  ULONG   NumberOfService;
  ULONG   ParamTableBase;
} SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;

/* The kernel export, declared as the table struct itself (not a pointer as in
 * the first post); this listing only ever touches element [0]. */
_declspec (dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable[2];

/* Signature of NtOpenProcess, used to call the saved original from MyNtOpenProcess. */
typedef NTSTATUS (NTAPI *fNtOpenProcess) (
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId
    );
   
/* Original NtOpenProcess pointer; NULL until Hook() has swapped the table entry. */
fNtOpenProcess OrigNtOpenProcess = NULL;

/*
 * Replacement for NtOpenProcess installed by Hook().
 * Logs the call and forwards every argument, unchanged, to the original
 * handler saved in OrigNtOpenProcess; the original's status is returned as-is.
 * OrigNtOpenProcess is called unconditionally, so it must be non-NULL by the
 * time the table entry points here.
 */
NTSTATUS
MyNtOpenProcess (
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId
    )
{
        NTSTATUS status;

        DbgPrint("MyNtOpenProcess: Hooked!\n");
        status = OrigNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);

        return status;
}

/*
 * Install MyNtOpenProcess in slot 0x7A of the first service table.
 * The previous entry is saved in OrigNtOpenProcess so MyNtOpenProcess can
 * forward to it. The hard-coded index, the 32-bit pointer casts and the
 * 32-bit inline asm tie this to one specific x86 kernel build.
 */
void Hook()
{
        ULONG *pSSDT = NULL;
       
        pSSDT = (ULONG *) KeServiceDescriptorTable[0].ServiceTableBase;
       
        /* NOTE(review): %X with a pointer argument; %p is the matching specifier. */
        DbgPrint("KeServiceDescriptorTable.ServiceTableBase: 0x%X\r\n", pSSDT);
       
        /* Clear CR0.WP (bit 16 = 10000h) so the read-only table page can be written.
         * cli masks interrupts on this CPU only; CR0 is a per-processor register. */
        __asm
        {
                cli
                mov  eax,cr0
                and  eax,not 10000h
                mov  cr0,eax
        }

        /* Atomic swap of the slot. NOTE(review): OrigNtOpenProcess is assigned
         * only after the swap has already published MyNtOpenProcess; a call
         * arriving on another CPU in that window reaches MyNtOpenProcess while
         * OrigNtOpenProcess is still NULL. */
        OrigNtOpenProcess = (PVOID) InterlockedExchange((PLONG) &pSSDT[0x7A], (LONG) MyNtOpenProcess);
       
        /* Restore CR0.WP and re-enable interrupts. */
        __asm
        {
                mov  eax,cr0
                or   eax,10000h
                mov  cr0,eax
                sti
        }
}

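/*
 * Restore the NtOpenProcess entry that Hook() replaced.
 * Writes the saved original pointer back into slot 0x7A of the first service
 * table. Fix: returns early when OrigNtOpenProcess is still NULL (Hook() never
 * ran, or never completed its swap), instead of stamping a NULL entry into the
 * table. CR0.WP is cleared around the write with interrupts disabled on this
 * CPU, mirroring Hook(); the write itself is an InterlockedExchange.
 * NOTE(review): a thread still executing inside MyNtOpenProcess when the
 * driver image is unloaded is not accounted for here.
 */
void UnHook()
{
        ULONG *pSSDT = NULL;

        /* Nothing to restore: no original pointer was ever saved. */
        if (OrigNtOpenProcess == NULL)
        {
                return;
        }
       
        pSSDT = (ULONG *) KeServiceDescriptorTable[0].ServiceTableBase;
       
        /* NOTE(review): %X with a pointer argument; %p is the matching specifier. */
        DbgPrint("KeServiceDescriptorTable.ServiceTableBase: 0x%X\r\n", pSSDT);
       
        /* Clear CR0.WP (bit 16 = 10000h); cli masks interrupts on this CPU only. */
        __asm
        {
                cli
                mov  eax,cr0
                and  eax,not 10000h
                mov  cr0,eax
        }

        /* Put the original routine back. */
        InterlockedExchange((PLONG) &pSSDT[0x7A], (LONG) OrigNtOpenProcess);
       
        /* Restore CR0.WP and re-enable interrupts. */
        __asm
        {
                mov  eax,cr0
                or   eax,10000h
                mov  cr0,eax
                sti
        }
}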

/*
 * IRP_MJ_CREATE / IRP_MJ_CLOSE handler.
 * Every open and close succeeds: the IRP is completed with STATUS_SUCCESS,
 * zero bytes of information and no priority boost. DeviceObject is unused.
 */
NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
        NTSTATUS status = STATUS_SUCCESS;

        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = status;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);

        return status;
}

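/*
 * IRP_MJ_DEVICE_CONTROL handler.
 * No IOCTL codes are implemented, so every request is rejected with
 * STATUS_INVALID_DEVICE_REQUEST and zero bytes of output.
 * Fix: the value returned to the I/O manager now matches Irp->IoStatus.Status;
 * the original completed the IRP as failed but returned STATUS_SUCCESS. The
 * unused stack-location lookup and ulOperation local were removed.
 */
NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
        /* Reject everything: this driver handles no control codes. */
        NTSTATUS ntStatus = STATUS_INVALID_DEVICE_REQUEST;

        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = ntStatus;

        IoCompleteRequest(Irp, IO_NO_INCREMENT);

        return ntStatus;
}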

/*
 * Unload routine: undo the hook first, then tear down the symbolic link and
 * the device object created in DriverEntry. The IoDeleteSymbolicLink result
 * is not checked, as in the original.
 */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
        UNICODE_STRING linkName;
        PDEVICE_OBJECT device = DriverObject->DeviceObject;

        /* Put the original NtOpenProcess back before the image disappears. */
        UnHook();

        RtlInitUnicodeString(&linkName, DEVICE_LINK);
        IoDeleteSymbolicLink(&linkName);

        if (device)
        {
                IoDeleteDevice(device);
        }
}

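/*
 * Driver entry point.
 * Creates the control device and its symbolic link, registers the dispatch
 * and unload routines and only then installs the NtOpenProcess hook.
 * Returns the failing NTSTATUS from IoCreateDevice / IoCreateSymbolicLink,
 * otherwise STATUS_SUCCESS. RegistryPath is unused.
 * Fix: when IoCreateSymbolicLink failed, the original deleted the device but
 * still called Hook() and then returned the error. A DriverEntry that fails
 * is unloaded without its unload routine being run, so UnHook() would never
 * execute and the service table would keep pointing into an unmapped image.
 * The function now returns before touching the table.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
        NTSTATUS        ntStatus;
        UNICODE_STRING  ntUnicodeString;
        UNICODE_STRING  ntWin32NameString;
        PDEVICE_OBJECT  deviceObject = NULL;

        DbgPrint("DriverEntry: Entering...\n");

        RtlInitUnicodeString(&ntUnicodeString, DEVICE_NAME);

        DbgPrint("DriverEntry: Name of device: %wZ\r\n", &ntUnicodeString);

        ntStatus = IoCreateDevice(
                DriverObject,
                0,
                &ntUnicodeString,
                FILE_DEVICE_UNKNOWN,
                FILE_DEVICE_SECURE_OPEN,
                FALSE,
                &deviceObject
                );

        if (!NT_SUCCESS(ntStatus))
        {
                DbgPrint("DriverEntry: IoCreateDevice error!\n");
                return ntStatus;
        }

        // Initialize the driver object with the driver functions
        DriverObject->DriverUnload                                                        = UnloadDriver;
        DriverObject->MajorFunction[IRP_MJ_CREATE]                        = DispatchCreateClose;
        DriverObject->MajorFunction[IRP_MJ_CLOSE]                        = DispatchCreateClose;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]        = DispatchIoctl;
       
        RtlInitUnicodeString(&ntWin32NameString, DEVICE_LINK);

        DbgPrint("DriverEntry: Symbolic Link of device: %wZ\r\n", &ntWin32NameString);

        // Create symbolic link for our device
        ntStatus = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString);

        if (!NT_SUCCESS(ntStatus))
        {
                /* Nothing has been hooked yet, so deleting the device is the whole cleanup. */
                DbgPrint("DriverEntry: IoCreateSymbolicLink error!\n");
                IoDeleteDevice(deviceObject);
                return ntStatus;
        }
       
        /* Every failure path is behind us; only now touch the service table. */
        Hook();

        DbgPrint("DriverEntry: Leaving...\n");

        return ntStatus;
}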
2010-3-31 09:55
这里有两个很好的教材:

WinDBG & VMWare:
http://silverstr.ufies.org/lotr0/windbg-vmware.html

http://translate.google.com.hk/translate?hl=zh-TW&sl=en&tl=zh-CN&u=http%3A%2F%2Fsilverstr.ufies.org%2Flotr0%2Fwindbg-vmware.html

http://www.catch22.net/tuts/vmware

http://translate.google.com.hk/translate?hl=zh-TW&sl=en&u=http://www.catch22.net/tuts/vmware&ei=e66yS_zoIInGrAeKxtmRBA&sa=X&oi=translate&ct=result&resnum=2&ved=0CBQQ7gEwAQ&prev=/search%3Fq%3DRemote%2Bdebugging%2Bwindbg%2Bnull%2Bcable%26hl%3Dzh-TW%26sa%3DG
2010-3-31 10:10
大神 能透露下QQ吗 好讨论
2010-3-31 10:13
QQ 834919515
2010-3-31 14:20
听说 WinDbg 可以分析蓝屏的原因，但是我不知道怎么操作。
2010-4-1 16:47