[求助]有没有ASM的HOOK SSDT模板啊？-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (1)
sharenpk 雪币： 253 活跃值： (169) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 37 粉丝 1 关注私信	sharenpk 2 楼转贴一个别人写的例子，忘了哪看到的了原理就是这样的 .386 .model flat, stdcall option casemap:none include \masm32\include\w2k\ntstatus.inc include \masm32\include\w2k\ntddk.inc include \masm32\include\w2k\ntoskrnl.inc include \masm32\include\w2k\w2kundoc.inc includelib \masm32\lib\w2k\ntoskrnl.lib include \masm32\Macros\Strings.mac .data P_addr dd 0 realaddr dd 0 CR0Reg dd 0 Messaga1 db "OpenProcess",0 Messaga2 db "Driver loaded", 0 .code ;:::::::::::::::::::::::::::::::::::::::::::::::::::::::: DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING local pDeviceObject:PVOID pushad invoke DbgPrint, addr Messaga2 mov edi, dword ptr KeServiceDescriptorTable mov edi, [edi] lea eax, [edi+(07ah4)] ;edi+07ah4 = NtOpenProcess mov P_addr, eax ;保存地址指针 push [edi+(07ah*4)] pop realaddr ;保存原来的地址 cli mov eax, CR0 mov CR0Reg, eax and eax,0fffeffffh mov cr0, eax mov eax,P_addr mov [eax], dword ptr offset hookproc mov eax, CR0Reg mov CR0, eax sti mov eax, pDriverObject assume eax:PTR DRIVER_OBJECT mov [eax].DriverUnload, offset DriverUnload assume eax:nothing popad mov eax, STATUS_SUCCESS ret DriverEntry endp ;::::::::::::::::::::::::::::::::::::::::::::::::::::: DriverUnload proc pDriverObject:PDRIVER_OBJECT pushad cli mov eax, CR0 mov CR0Reg, eax and eax,0fffeffffh mov cr0, eax mov eax,P_addr mov edx,realaddr mov [eax], edx mov eax, CR0Reg mov CR0, eax sti popad ret DriverUnload endp ;:::::::::::::::::::::::::::::::::::::::::::::::::::::::: hookproc proc invoke DbgPrint, addr Messaga1 jmp dword ptr realaddr hookproc endp ;:::::::::::::::::::::::::::::::::::::::::::::::::::::::: end DriverEntry 2010-8-9 23:03 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (1)

sharenpk

雪币： 253

活跃值： (169)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

sharenpk: 2 楼

转贴一个别人写的例子，忘了哪看到的了
原理就是这样的

.386 
.model flat, stdcall 
option casemap:none 

include \masm32\include\w2k\ntstatus.inc 
include \masm32\include\w2k\ntddk.inc 
include \masm32\include\w2k\ntoskrnl.inc 
include \masm32\include\w2k\w2kundoc.inc 
includelib \masm32\lib\w2k\ntoskrnl.lib 
include \masm32\Macros\Strings.mac 
    
.data 
P_addr   dd 0
realaddr dd 0 
CR0Reg dd 0 
Messaga1 db "OpenProcess",0 
Messaga2 db "Driver loaded", 0 

    .code 
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING 
local pDeviceObject:PVOID 

    pushad 
    invoke DbgPrint, addr Messaga2 

    mov edi, dword ptr KeServiceDescriptorTable 
    mov edi, [edi] 
    lea eax, [edi+(07ah*4)]  ;edi+07ah*4 = NtOpenProcess 
    mov P_addr, eax ;保存地址指针
    push [edi+(07ah*4)]
    pop realaddr ;保存原来的地址
    cli 
    mov eax, CR0 
    mov CR0Reg, eax 
    and eax,0fffeffffh
    mov cr0, eax 
    mov eax,P_addr
    mov [eax], dword ptr offset hookproc 
    mov eax, CR0Reg 
    mov CR0, eax 
    sti 
    
    mov eax, pDriverObject 
    assume eax:PTR DRIVER_OBJECT 
    mov [eax].DriverUnload, offset DriverUnload 
    assume eax:nothing 

    popad 
    mov eax, STATUS_SUCCESS 
    ret 
DriverEntry endp 
;::::::::::::::::::::::::::::::::::::::::::::::::::::: 
DriverUnload proc pDriverObject:PDRIVER_OBJECT 
    pushad 

    cli 
    mov eax, CR0 
    mov CR0Reg, eax 
    and eax,0fffeffffh
    mov cr0, eax 
    
    mov eax,P_addr
    mov edx,realaddr
    mov [eax], edx
    
    mov eax, CR0Reg 
    mov CR0, eax 
    sti 
    popad 
    ret 
DriverUnload endp 
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
hookproc proc 
    invoke DbgPrint, addr Messaga1 
    jmp dword ptr realaddr 
hookproc endp 
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::: 
end DriverEntry

2010-8-9 23:03