[求助]我的这个inline hook NtOpenProcess，哪里有错误？-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (7)
mumaren 雪币： 71 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 48 回帖 659 粉丝 0 关注私信	mumaren 2 楼 #include <ntddk.h> #include <windef.h> #include <ntstatus.h> ULONG CR0VALUE; BYTE OriginalBytes[5]={0}; //保存原始函数前五个字节 BYTE JmpAddress[5]={0xE9,0,0,0,0}; //跳转到HOOK函数的地址 extern POBJECT_TYPE PsProcessType; typedef NTSTATUS (__stdcall NTOPENPROCESS)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ); //HOOK函数 NTSTATUS __stdcall MyNtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ); void HookNtOpenProcess() { //赋值前面定义的数组 KIRQL Irql; KdPrint(("[NtOpenProcess111] :0x%x",NtOpenProcess)); //地址验证 KdPrint(("[MyNtOpenProcess111] :0x%x",MyNtOpenProcess)); //地址验证 //保存函数前五个字节内容 RtlCopyMemory(OriginalBytes,(BYTE )NtOpenProcess,5); //保存新函数五个字节之后偏移 (ULONG )(JmpAddress+1)=(ULONG)MyNtOpenProcess-((ULONG)NtOpenProcess+5); //开始inline hook //关闭内存写保护 _asm { push eax mov eax, cr0 mov CR0VALUE, eax and eax, 0fffeffffh mov cr0, eax pop eax } //提升IRQL中断级 Irql=KeRaiseIrqlToDpcLevel(); //函数开头五个字节写JMP RtlCopyMemory((BYTE )NtOpenProcess,JmpAddress,5); KdPrint(("JmpAddress :0x%x",JmpAddress)); KdPrint(("[MyNtOpenProcess222] :0x%x",MyNtOpenProcess)); //恢复Irql KeLowerIrql(Irql); //开启内存写保护 __asm { push eax mov eax, CR0VALUE mov cr0, eax pop eax } } NTSTATUS __stdcall OriginalNtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ) { _asm { push 0C4h //push offset 4130D8h //call __SEH_prolog mov eax,NTOPENPROCESS add eax,5 jmp eax } return STATUS_SUCCESS; } NTSTATUS MyNtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ) { [COLOR="Red"]NTSTATUS rc; ULONG PID; //DbgPrint( "NtOpenProcess() called.\n" ); rc = (NTSTATUS)OriginalNtOpenProcess( ProcessHandle, AccessMask, ObjectAttributes, ClientId ); if( (ClientId != NULL) ) { PID = (ULONG)ClientId->UniqueProcess; //DbgPrint( "%d was opened,Handle is %d.\n", PID, (ULONG)ProcessHandle ); // 如果进程PID是1908，直接返回权限不足，并将句柄设置为空 if( PID == 1908 ) { DbgPrint( "Some want to open pid 1520！\n" ); //调试输出类似C语言的 Printf ProcessHandle = NULL; rc = STATUS_ACCESS_DENIED; } } return rc; [/COLOR] } void UnHookNtOpenProcess() { //把五个字节再写回到原函数 KIRQL Irql; //关闭写保护 _asm { push eax mov eax, cr0 mov CR0VALUE, eax and eax, 0fffeffffh mov cr0, eax pop eax } //提升IRQL到Dpc Irql=KeRaiseIrqlToDpcLevel(); RtlCopyMemory((BYTE *)NtOpenProcess,OriginalBytes,5); KeLowerIrql(Irql); //开启写保护 __asm { push eax mov eax, CR0VALUE mov cr0, eax pop eax } } VOID Unload(IN PDRIVER_OBJECT pDriverObj) { UnHookNtOpenProcess(); KdPrint(("[UnHookNtOpenProcess] Unloaded\n")); } NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj,PUNICODE_STRING pRegistryString) { pDriverObj->DriverUnload = Unload; HookNtOpenProcess(); return STATUS_SUCCESS; } 2010-9-27 21:50 0
百折不挠雪币： 217 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 36 回帖 139 粉丝 0 关注私信	百折不挠 3 楼 mov eax,NTOPENPROCESS 是不是汇编不区分大小写？ 2010-9-30 09:15 0
Winker 雪币： 796 活跃值： (370) 能力值： ( LV9，RANK：380 ) 在线值：发帖 133 回帖 1127 粉丝 18 关注私信	Winker 8 4 楼 OriginalNtOpenProcess 写错了。 2010-10-1 22:08 0
jerrynpc 雪币： 284 活跃值： (16) 能力值： ( LV2，RANK：10 ) 在线值：发帖 18 回帖 695 粉丝 0 关注私信	jerrynpc 5 楼混乱无序，直接调试吧 2010-10-2 01:16 0
mumaren 雪币： 71 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 48 回帖 659 粉丝 0 关注私信	mumaren 6 楼 #include <ntddk.h> #include <windef.h> #include <ntstatus.h> ULONG CR0VALUE; BYTE OriginalBytes[5]={0}; //保存原始函数前五个字节 BYTE JmpAddress[5]={0xE9,0,0,0,0}; //跳转到HOOK函数的地址 extern POBJECT_TYPE PsProcessType; typedef NTSTATUS (__stdcall NTOPENPROCESS)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ); //HOOK函数 NTSTATUS __stdcall MyNtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ); void HookNtOpenProcess() { //赋值前面定义的数组 KIRQL Irql; KdPrint(("[NtOpenProcess111] :0x%x",NtOpenProcess)); //地址验证 KdPrint(("[MyNtOpenProcess111] :0x%x",MyNtOpenProcess)); //地址验证 //保存函数前五个字节内容 RtlCopyMemory(OriginalBytes,(BYTE )NtOpenProcess,5); //保存新函数五个字节之后偏移 (ULONG )(JmpAddress+1)=(ULONG)MyNtOpenProcess-((ULONG)NtOpenProcess+5); //开始inline hook //关闭内存写保护 _asm { push eax mov eax, cr0 mov CR0VALUE, eax and eax, 0fffeffffh mov cr0, eax pop eax } //提升IRQL中断级 Irql=KeRaiseIrqlToDpcLevel(); //函数开头五个字节写JMP RtlCopyMemory((BYTE )NtOpenProcess,JmpAddress,5); KdPrint(("JmpAddress :0x%x",JmpAddress)); KdPrint(("[MyNtOpenProcess222] :0x%x",MyNtOpenProcess)); //恢复Irql KeLowerIrql(Irql); //开启内存写保护 __asm { push eax mov eax, CR0VALUE mov cr0, eax pop eax } } NTSTATUS __stdcall OriginalNtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ) { _asm { NOP nop NOP nop NOP nop } return STATUS_SUCCESS; } NTSTATUS MyNtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ) { NTSTATUS rc; ULONG PID; //DbgPrint( "NtOpenProcess() called.\n" ); rc = (NTSTATUS)OriginalNtOpenProcess( ProcessHandle, AccessMask, ObjectAttributes, ClientId ); if( (ClientId != NULL) ) { PID = (ULONG)ClientId->UniqueProcess; //DbgPrint( "%d was opened,Handle is %d.\n", PID, (ULONG)ProcessHandle ); // 如果进程PID是1908，直接返回权限不足，并将句柄设置为空 if( PID == 1908 ) { DbgPrint( "Some want to open pid 1520！\n" ); //调试输出类似C语言的 Printf ProcessHandle = NULL; rc = STATUS_ACCESS_DENIED; } } return rc; } void UnHookNtOpenProcess() { //把五个字节再写回到原函数 KIRQL Irql; //关闭写保护 _asm { push eax mov eax, cr0 mov CR0VALUE, eax and eax, 0fffeffffh mov cr0, eax pop eax } //提升IRQL到Dpc Irql=KeRaiseIrqlToDpcLevel(); RtlCopyMemory((BYTE *)NtOpenProcess,OriginalBytes,5); KeLowerIrql(Irql); //开启写保护 __asm { push eax mov eax, CR0VALUE mov cr0, eax pop eax } } VOID Unload(IN PDRIVER_OBJECT pDriverObj) { UnHookNtOpenProcess(); KdPrint(("[UnHookNtOpenProcess] Unloaded\n")); } NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj,PUNICODE_STRING pRegistryString) { pDriverObj->DriverUnload = Unload; HookNtOpenProcess(); return STATUS_SUCCESS; } 2010-10-3 19:31 0
vfer 雪币： 45 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 84 粉丝 0 关注私信	vfer 7 楼堆栈出错 SSDT HOOK!=INLINE HOOK 2010-10-3 23:55 0
sorosyun 雪币： 229 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 35 粉丝 0 关注私信	sorosyun 8 楼最大的问题是思路混乱了 2010-10-9 15:52 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

mumaren

雪币： 71

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

48

回帖

659

粉丝

0

关注

私信

mumaren: 2 楼

#include <ntddk.h>
#include <windef.h> 
#include <ntstatus.h>
ULONG  CR0VALUE;
BYTE  OriginalBytes[5]={0};             //保存原始函数前五个字节           
BYTE JmpAddress[5]={0xE9,0,0,0,0};       //跳转到HOOK函数的地址
extern POBJECT_TYPE *PsProcessType;
typedef     NTSTATUS     (__stdcall *NTOPENPROCESS)( 

  OUT PHANDLE             ProcessHandle, 
  IN ACCESS_MASK          AccessMask, 
  IN POBJECT_ATTRIBUTES   ObjectAttributes, 
  IN PCLIENT_ID           ClientId );
 
//HOOK函数

NTSTATUS __stdcall MyNtOpenProcess(
										   
  OUT PHANDLE             ProcessHandle, 
  IN ACCESS_MASK          AccessMask, 
  IN POBJECT_ATTRIBUTES   ObjectAttributes, 
  IN PCLIENT_ID           ClientId );



void  HookNtOpenProcess()

{
	
	//赋值前面定义的数组
	KIRQL Irql;
	KdPrint(("[NtOpenProcess111] :0x%x",NtOpenProcess));  //地址验证
    KdPrint(("[MyNtOpenProcess111] :0x%x",MyNtOpenProcess));  //地址验证
	//保存函数前五个字节内容
	RtlCopyMemory(OriginalBytes,(BYTE *)NtOpenProcess,5);
	//保存新函数五个字节之后偏移
	*(ULONG *)(JmpAddress+1)=(ULONG)MyNtOpenProcess-((ULONG)NtOpenProcess+5);
	//开始inline hook
	//关闭内存写保护
	_asm
		
	{
		push eax
			
			mov eax, cr0 
			mov CR0VALUE, eax 
			and eax, 0fffeffffh  
			mov cr0, eax
			pop eax
	}
	
	//提升IRQL中断级
	Irql=KeRaiseIrqlToDpcLevel();
	//函数开头五个字节写JMP 
	RtlCopyMemory((BYTE *)NtOpenProcess,JmpAddress,5);
    KdPrint(("JmpAddress :0x%x",JmpAddress));
    KdPrint(("[MyNtOpenProcess222] :0x%x",MyNtOpenProcess)); 
	//恢复Irql
	KeLowerIrql(Irql);
	//开启内存写保护
	
	__asm
		
	{       
		
		    push eax
			
			mov eax, CR0VALUE 
			
			mov cr0, eax
			
			pop eax
			
	}
	
}


  NTSTATUS __stdcall OriginalNtOpenProcess( 
  OUT PHANDLE             ProcessHandle, 
  IN ACCESS_MASK          AccessMask, 
  IN POBJECT_ATTRIBUTES   ObjectAttributes, 
  IN PCLIENT_ID           ClientId )
 
															 
{
	
	_asm
		
	{   
		
		    push    0C4h
            //push    offset 4130D8h
			
            //call    __SEH_prolog

			mov eax,NTOPENPROCESS
			add eax,5
			jmp eax                
			
	}

return STATUS_SUCCESS;
	
}


NTSTATUS  MyNtOpenProcess(
										   
  OUT PHANDLE             ProcessHandle, 
  IN ACCESS_MASK          AccessMask, 
  IN POBJECT_ATTRIBUTES   ObjectAttributes, 
  IN PCLIENT_ID           ClientId )
										   
{
	
    [COLOR="Red"]NTSTATUS     rc; 
    ULONG       PID; 
   
    //DbgPrint( "NtOpenProcess() called.\n" ); 
   
    rc = (NTSTATUS)OriginalNtOpenProcess( 
          ProcessHandle, 
          AccessMask, 
          ObjectAttributes, 
          ClientId ); 
   
    if( (ClientId != NULL) ) 
    { 
      PID = (ULONG)ClientId->UniqueProcess; 
      //DbgPrint( "%d was opened,Handle is %d.\n", PID, (ULONG)ProcessHandle ); 
      
      // 如果进程PID是1908，直接返回权限不足，并将句柄设置为空 
      if( PID == 1908 ) 
      { 
         DbgPrint( "Some want to open pid 1520！\n" ); //调试输出 类似C语言的 Printf
             
             ProcessHandle = NULL; 
                     
         rc = STATUS_ACCESS_DENIED;    } 
    } 
   
    return rc;  [/COLOR]  
   
}

void UnHookNtOpenProcess()

{
	
	//把五个字节再写回到原函数
	
	KIRQL Irql;
	
    //关闭写保护
	
	_asm
		
	{
		
		push eax
			
			mov eax, cr0 
			
			mov CR0VALUE, eax 
			
			and eax, 0fffeffffh  
			
			mov cr0, eax
			
			pop eax
			
	}
	
    //提升IRQL到Dpc
	
    Irql=KeRaiseIrqlToDpcLevel();
	
	RtlCopyMemory((BYTE *)NtOpenProcess,OriginalBytes,5);
	
	KeLowerIrql(Irql);
	
    //开启写保护
	
	__asm
		
	{       
		
		    push eax
			mov eax, CR0VALUE 
			mov cr0, eax
			
			pop eax
			
	}
}


VOID Unload(IN PDRIVER_OBJECT pDriverObj)
{

UnHookNtOpenProcess();

KdPrint(("[UnHookNtOpenProcess] Unloaded\n"));

}


NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj,PUNICODE_STRING      pRegistryString)

{

pDriverObj->DriverUnload = Unload;

HookNtOpenProcess();

return STATUS_SUCCESS;

}

2010-9-27 21:50

0

百折不挠

雪币： 217

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

36

回帖

139

粉丝

0

关注

私信

百折不挠: 3 楼

mov eax,NTOPENPROCESS
是不是汇编不区分大小写？

2010-9-30 09:15

0

Winker

雪币： 796

活跃值： (370)

能力值：

( LV9，RANK：380 )

在线值：

发帖

133

回帖

1127

粉丝

18

关注

私信

Winker 8: 4 楼

OriginalNtOpenProcess 写错了。

2010-10-1 22:08

0

jerrynpc

雪币： 284

活跃值： (16)

能力值：

( LV2，RANK：10 )

在线值：

发帖

18

回帖

695

粉丝

0

关注

私信

jerrynpc: 5 楼

混乱无序，直接调试吧

2010-10-2 01:16

0

mumaren

雪币： 71

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

48

回帖

659

粉丝

0

关注

私信

mumaren: 6 楼

#include <ntddk.h>
#include <windef.h>
#include <ntstatus.h>
ULONG  CR0VALUE;
BYTE  OriginalBytes[5]={0};          //保存原始函数前五个字节
BYTE JmpAddress[5]={0xE9,0,0,0,0};    //跳转到HOOK函数的地址
extern POBJECT_TYPE *PsProcessType;
typedef    NTSTATUS    (__stdcall *NTOPENPROCESS)(

   OUT PHANDLE          ProcessHandle,
   IN ACCESS_MASK       AccessMask,
   IN POBJECT_ATTRIBUTES ObjectAttributes,
   IN PCLIENT_ID          ClientId );

//HOOK函数

NTSTATUS __stdcall MyNtOpenProcess(

   OUT PHANDLE          ProcessHandle,
   IN ACCESS_MASK       AccessMask,
   IN POBJECT_ATTRIBUTES ObjectAttributes,
   IN PCLIENT_ID          ClientId );

void  HookNtOpenProcess()

{

   //赋值前面定义的数组
   KIRQL Irql;
   KdPrint(("[NtOpenProcess111] :0x%x",NtOpenProcess));  //地址验证
KdPrint(("[MyNtOpenProcess111] :0x%x",MyNtOpenProcess));  //地址验证
   //保存函数前五个字节内容
   RtlCopyMemory(OriginalBytes,(BYTE *)NtOpenProcess,5);
   //保存新函数五个字节之后偏移
   *(ULONG *)(JmpAddress+1)=(ULONG)MyNtOpenProcess-((ULONG)NtOpenProcess+5);
   //开始inline hook
   //关闭内存写保护
   _asm

   {
push eax

   mov eax, cr0
   mov CR0VALUE, eax
   and eax, 0fffeffffh
   mov cr0, eax
   pop eax
   }

   //提升IRQL中断级
   Irql=KeRaiseIrqlToDpcLevel();
   //函数开头五个字节写JMP
   RtlCopyMemory((BYTE *)NtOpenProcess,JmpAddress,5);
KdPrint(("JmpAddress :0x%x",JmpAddress));
KdPrint(("[MyNtOpenProcess222] :0x%x",MyNtOpenProcess));
   //恢复Irql
   KeLowerIrql(Irql);
   //开启内存写保护

   __asm

   {

push eax

   mov eax, CR0VALUE

   mov cr0, eax

   pop eax

   }

}

   NTSTATUS __stdcall OriginalNtOpenProcess(
   OUT PHANDLE          ProcessHandle,
   IN ACCESS_MASK       AccessMask,
   IN POBJECT_ATTRIBUTES ObjectAttributes,
   IN PCLIENT_ID          ClientId )


{

   _asm

   {

NOP
nop
NOP
nop

NOP
nop
   }

return STATUS_SUCCESS;

}

NTSTATUS  MyNtOpenProcess(

   OUT PHANDLE          ProcessHandle,
   IN ACCESS_MASK       AccessMask,
   IN POBJECT_ATTRIBUTES ObjectAttributes,
   IN PCLIENT_ID          ClientId )

{

NTSTATUS    rc;
ULONG    PID;

//DbgPrint( "NtOpenProcess() called.\n" );

rc = (NTSTATUS)OriginalNtOpenProcess(
   ProcessHandle,
   AccessMask,
   ObjectAttributes,
   ClientId );

if( (ClientId != NULL) )
{
   PID = (ULONG)ClientId->UniqueProcess;
   //DbgPrint( "%d was opened,Handle is %d.\n", PID, (ULONG)ProcessHandle );

   // 如果进程PID是1908，直接返回权限不足，并将句柄设置为空
   if( PID == 1908 )
   {
   DbgPrint( "Some want to open pid 1520！\n" ); //调试输出类似C语言的 Printf

   ProcessHandle = NULL;

   rc = STATUS_ACCESS_DENIED; }
}

return rc;

}

void UnHookNtOpenProcess()

{

   //把五个字节再写回到原函数

   KIRQL Irql;

//关闭写保护

   _asm

   {

push eax

   mov eax, cr0

   mov CR0VALUE, eax

   and eax, 0fffeffffh

   mov cr0, eax

   pop eax

   }

//提升IRQL到Dpc

Irql=KeRaiseIrqlToDpcLevel();

   RtlCopyMemory((BYTE *)NtOpenProcess,OriginalBytes,5);

   KeLowerIrql(Irql);

//开启写保护

   __asm

   {

push eax
   mov eax, CR0VALUE
   mov cr0, eax

   pop eax

   }
}

VOID Unload(IN PDRIVER_OBJECT pDriverObj)
{

UnHookNtOpenProcess();

KdPrint(("[UnHookNtOpenProcess] Unloaded\n"));

}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj,PUNICODE_STRING    pRegistryString)

{

pDriverObj->DriverUnload = Unload;

HookNtOpenProcess();

return STATUS_SUCCESS;

}

2010-10-3 19:31

0