首页
社区
课程
招聘
[求助][求助]请教一个驱动的问题
发表于: 2010-5-25 23:24 10875

[求助][求助]请教一个驱动的问题

2010-5-25 23:24
10875
我想弄一个驱动程序 hook住NtGetContextThread、NtSetContextThread和KiUserExceptionDispatcher。但是编译下面的驱动总蓝屏,请教下 大家。
代码如下

/////////////////////
hook.c
/////////////////////

#include <ntddk.h>
#include "ntifs.h"
#include "hook.h"
#include <windef.h>

/*NTSYSAPI
NTSTATUS
NTAPI
ZwGetContextThread(
IN HANDLE ThreadHandle,
OUT PCONTEXT Context
);*/

//NTSYSAPI
NTSTATUS
NTAPI
NewNtGetContextThread(
IN HANDLE ThreadHandle,
OUT PCONTEXT Context
);

int ProcessNameOffset; //Used to find process name

typedef ULONG (*NTGETCONTEXTTHREAD)(HANDLE, PCONTEXT);
//This allows us to define a TYPE that corresponds to our function

//Notice that we use the TYPE that we defined.
NTGETCONTEXTTHREAD OriginalNtGetContextThread;

//Make a variable that will be used to store the Call Number
ULONG NtGetContextThread_callnumber = 0x0055;

//These are macros that lets us easily access function #callnumber in the table
#define SYSCALL_INDEX(_function) *(PULONG)((PUCHAR)_function+1)
#define SYSTEMSERVICE(_callnumber)      KeServiceDescriptorTable->ServiceTable[_callnumber]

PEPROCESS PeProcess;

//hookcode function
void hook()
{
    //ProcessNameOffset = 0; <==== if i enable the following lines i get
                                                      bsod..

    //PeProcess = PsGetCurrentProcess();
    //while (ProcessNameOffset < 0x400 && strncmp("System", (const char *)(PeProcess + ProcessNameOffset), 6))
    //{
        //ProcessNameOffset++;
    //}

    __asm {
    cli      // deny interrupt handling
        push eax
        mov eax, CR0
        and eax, 0x0FFFEFFFF //disables some write protection: http://en.wikibooks.org/wiki/X86_Assembly/Protected_Mode#CR0
        mov CR0, eax
        pop eax
        cli //ignore interrupts for the moment
    }
   
    //NtGetContextThread_callnumber = SYSCALL_INDEX(ZwGetContextThread);
    OriginalNtGetContextThread = SYSTEMSERVICE(NtGetContextThread_callnumber); //store original function

    SYSTEMSERVICE(NtGetContextThread_callnumber) = (PVOID)NewNtGetContextThread; //put our hook function in the table

    __asm{
        push eax
        mov eax, CR0
        or eax, NOT 0x0FFFEFFFF //enables some write protection
        mov CR0, eax
        pop eax
        sti //reenable interrupts
    }
}

NTSTATUS NewNtGetContextThread(HANDLE hThread, PCONTEXT pContext)
{
    PeProcess = PsGetCurrentProcess();
    if (_strnicmp("GAMEMON.DES", (const char *)(PeProcess + ProcessNameOffset), 6)){
        return OriginalNtGetContextThread(hThread, pContext);
    }
    return STATUS_ACCESS_DENIED;
}
/*NTSTATUS ZwGetContextThread(HANDLE hThread, PCONTEXT pContext)
{
}*/

/////////////////////
hook.h
/////////////////////

#ifndef HOOK_H
#define HOOK_H

void hook();

#endif

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 42
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
不懂,帮你顶一下。
2010-5-27 00:57
0
雪    币: 133
活跃值: (587)
能力值: ( LV4,RANK:40 )
在线值:
发帖
回帖
粉丝
3
#define SYSTEMSERVICE(_callnumber)      KeServiceDescriptorTable->ServiceTable[_callnumber]

感觉是这个问题  我发现
__declspec(dllimport) PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
得到的是函数地址表的基地址
你用WinDbg看下就知道了  但在WinDbg里  ? KeServiceDescriptorTable  得到的是KeServiceDescriptorTable表的基地址
2010-5-27 09:06
0
游客
登录 | 注册 方可回帖
返回
//