[旧帖] 原创:同时HOOK SSDT NTOPENPROCESS和NTTERMINATEPROCESS的完整源码(求邀请码) 0.00雪花
初学驱动,希望管理员能给个邀请码啊,附上完整源码:
#include "ntddk.h"
#pragma pack(1)
/*
 * One entry of the kernel's system service descriptor table, as this driver
 * expects it to be laid out. Packed to 1 byte so the field offsets are taken
 * literally; the hook routines below index ServiceTableBase by service number
 * and overwrite the handler pointer in place.
 * NOTE(review): the layout is assumed, not verified at runtime - confirm it
 * matches the target kernel build before loading.
 */
typedef struct _ServiceDescriptorEntry {
unsigned int *ServiceTableBase;        /* array of service-routine addresses, indexed by service number */
unsigned int *ServiceCounterTableBase; /* not used by this driver */
unsigned int NumberOfServices;         /* count of entries in ServiceTableBase (not checked by the hooks below) */
unsigned char *ParamTableBase;         /* not used by this driver */
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
#pragma pack()
/* Imported from the kernel image; ServiceTableBase of this entry is the table that gets patched. */
__declspec(dllimport) ServiceDescriptorTableEntry KeServiceDescriptorTable;
//////////////////////////////////////////////////
/* Handler address read from the NtTerminateProcess SSDT slot at hook time (set in SSDTHook_NtTerminateProcess). */
ULONG NtTerminateProcess_Addr;
/* Install / remove the two SSDT hooks; the Un* routines write the saved original pointers back. */
VOID SSDTHook_NtOpenProcess();
VOID UnSSDTHook_NtOpenProcess();
VOID SSDTHook_NtTerminateProcess();
VOID UnSSDTHook_NtTerminateProcess();
//////////////////////////////////////////////////
ULONG JmpAddress_NtOpenProcess;      /* exported NtOpenProcess + 5: where MyNtOpenProcess continues after replaying the first instruction */
ULONG pNtOpenProcess;                /* address of the SSDT slot for service 0x7A (NtOpenProcess) */
ULONG OldNtOpenProcess;              /* value that slot held before hooking; restored on unload */
ULONG JmpAddress_NtTerminateProcess; /* NtTerminateProcess_Addr + 5: where MyNtTerminateProcess continues after replaying the prologue */
ULONG pNtTerminateProcess;           /* address of the SSDT slot for service 0x101 (NtTerminateProcess) */
ULONG OldNtTerminateProcess;         /* value that slot held before hooking; restored on unload */
//////////////////////////////////////////////////
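/*
 * EFLAGS captured by SetModifyMem() and restored by UnSetModifyMem(). The
 * pair is not nestable: a second SetModifyMem() before the matching
 * UnSetModifyMem() overwrites this value.
 */
static ULONG g_SavedEflags;

/*
 * Open a write window onto read-only kernel pages (the SSDT slots written
 * below live in such pages) by clearing CR0.WP on the current CPU.
 *
 * Interrupts are disabled for the duration so this thread cannot be
 * preempted while WP is off. Unlike the original, the interrupt-flag state
 * is saved first, so the matching UnSetModifyMem() restores what the caller
 * actually had instead of unconditionally executing STI.
 *
 * CR0 is per-processor: only the current CPU is affected, and the caller
 * must call UnSetModifyMem() on the same CPU before doing anything else.
 * NOTE(review): 32-bit MSVC inline asm only. On x64 Windows this CR0 trick
 * is not viable (no inline asm, and kernel patch protection watches the
 * SSDT); an MDL-backed writable mapping is the usual alternative that does
 * not touch CR0 at all.
 */
__declspec(naked) VOID __stdcall SetModifyMem()
{
    __asm
    {
        pushfd                          ; remember IF (and the rest of EFLAGS) for UnSetModifyMem()
        pop g_SavedEflags
        cli                             ; no preemption on this CPU while WP is clear
        push eax
        mov eax, cr0
        and eax, not 10000h             ; CR0.WP (bit 16) := 0 -> ring-0 writes to read-only pages allowed
        mov cr0, eax
        pop eax
        ret
    }
}
//////////////////////////////////////////////////
/*
 * Close the write window opened by SetModifyMem(): set CR0.WP again, then
 * restore the EFLAGS saved at SetModifyMem() time so IF goes back to its
 * original state rather than being forced on.
 */
__declspec(naked) VOID __stdcall UnSetModifyMem()
{
    __asm
    {
        push eax
        mov eax, cr0
        or eax, 10000h                  ; CR0.WP (bit 16) := 1
        mov cr0, eax
        pop eax
        push g_SavedEflags              ; restores IF to whatever the caller had
        popfd
        ret
    }
}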
//////////////////////////////////////////////////
/*
 * SSDT replacement for NtOpenProcess (service 0x7A in this driver).
 *
 * Naked: no prologue/epilogue is generated, so the stack the system-call
 * dispatcher built (return address + the four arguments) reaches the real
 * function untouched. The handler only logs, then replays the first
 * instruction of the real NtOpenProcess (`push 0C4h`, a 5-byte push imm32)
 * and jumps to NtOpenProcess + 5 (JmpAddress_NtOpenProcess, set in
 * SSDTHook_NtOpenProcess). No argument is inspected or filtered.
 *
 * NOTE(review): replaying the entry bytes and landing at +5 is only correct
 * on a kernel build whose NtOpenProcess really begins with that 5-byte
 * instruction; on any other build the stack is corrupted on the first call.
 * Presumably the intent is to step over a 5-byte inline hook that some other
 * component may have placed at the entry - confirm; otherwise jumping to
 * OldNtOpenProcess would be the build-independent choice. The DbgPrint call
 * clobbers eax/ecx/edx, which should be harmless here since NtOpenProcess
 * takes its arguments from the stack.
 */
__declspec(naked) NTSTATUS MyNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
DbgPrint("MyNtOpenProcess() called! \n");
__asm
{
push 0C4h;                    // replay the first (5-byte) instruction of the real NtOpenProcess
jmp JmpAddress_NtOpenProcess; // continue inside the real NtOpenProcess at +5
}
}
//////////////////////////////////////////////////
/*
 * SSDT replacement for NtTerminateProcess (service 0x101 in this driver).
 *
 * Naked, so the dispatcher's stack (return address, ProcessHandle,
 * ExitStatus) reaches the real function untouched. The handler only logs,
 * then replays the 5-byte hot-patch prologue of the original
 * (`mov edi,edi; push ebp; mov ebp,esp`) and jumps to original + 5
 * (JmpAddress_NtTerminateProcess, computed in SSDTHook_NtTerminateProcess
 * from the value found in the SSDT slot). Nothing is filtered or blocked.
 *
 * NOTE(review): this is only correct if the address that was in the SSDT
 * slot at hook time really starts with those 5 bytes. The target comes from
 * the table, not from a kernel export, so if another component had already
 * replaced that slot the jump lands inside their code. The replayed
 * `push ebp` pushes the dispatcher's ebp as the real prologue would, on the
 * assumption that DbgPrint preserves ebp (callee-saved) - confirm.
 */
__declspec(naked) NTSTATUS MyNtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
)
{
DbgPrint("MyNtTerminateProcess() called! \n");
DbgPrint("Jmp to NtTerminateProcess() + 5 at 0x%x\n", JmpAddress_NtTerminateProcess);
__asm
{
mov edi, edi;                      // replay the original's 5-byte hot-patch prologue ...
push ebp;
mov ebp, esp;
jmp JmpAddress_NtTerminateProcess; // ... then continue in the original at +5
}
}
//////////////////////////////////////////////////
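/* TRUE only after the NtOpenProcess SSDT slot was actually overwritten; guards the unhook. */
static BOOLEAN g_NtOpenProcessHooked = FALSE;

/*
 * Install the NtOpenProcess SSDT hook.
 *
 * Computes the address of SSDT slot 0x7A, saves the handler pointer found
 * there (OldNtOpenProcess), sets the trampoline target (exported
 * NtOpenProcess + 5) and writes MyNtOpenProcess into the slot under a
 * CR0.WP write window.
 *
 * Checks added before anything is written:
 *  - the slot index must be below NumberOfServices;
 *  - the exported NtOpenProcess must start with the exact 5 bytes that
 *    MyNtOpenProcess replays (`push 0C4h` = 68 C4 00 00 00). If they differ
 *    the +5 trampoline would corrupt the stack on the first call, so the
 *    hook is refused. The service number 0x7A is build-specific and not
 *    looked up, so this byte check is the only guard against loading on a
 *    kernel the code was not written for.
 * A slot that no longer points at the export is reported (another hook is
 * already installed; the trampoline would silently bypass it) but allowed.
 *
 * Interface unchanged (VOID): failure is reported via DbgPrint and the
 * matching unhook becomes a no-op.
 */
VOID SSDTHook_NtOpenProcess()
{
    const ULONG serviceIndex = 0x7A;
    const UCHAR *entry = (const UCHAR *)(ULONG)NtOpenProcess;

    if (serviceIndex >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("SSDTHook_NtOpenProcess: service 0x%x out of range (%u services)\n",
                 serviceIndex, KeServiceDescriptorTable.NumberOfServices);
        return;
    }
    /* MyNtOpenProcess replays `push 0C4h` (68 C4 00 00 00) and lands at +5: require exactly those bytes. */
    if (entry[0] != 0x68 || *(const ULONG *)(entry + 1) != 0xC4)
    {
        DbgPrint("SSDTHook_NtOpenProcess: unexpected entry bytes %02x %02x %02x %02x %02x, not hooking\n",
                 entry[0], entry[1], entry[2], entry[3], entry[4]);
        return;
    }

    pNtOpenProcess = (ULONG)KeServiceDescriptorTable.ServiceTableBase + serviceIndex * 4;
    OldNtOpenProcess = *(ULONG *)pNtOpenProcess;
    JmpAddress_NtOpenProcess = (ULONG)NtOpenProcess + 5;
    if (OldNtOpenProcess != (ULONG)NtOpenProcess)
    {
        /* Someone already owns this slot; the trampoline jumps to the export and bypasses them. */
        DbgPrint("SSDTHook_NtOpenProcess: slot holds 0x%x, export is 0x%x (existing hook bypassed)\n",
                 OldNtOpenProcess, (ULONG)NtOpenProcess);
    }

    SetModifyMem();
    *(ULONG *)pNtOpenProcess = (ULONG)MyNtOpenProcess;
    UnSetModifyMem();
    g_NtOpenProcessHooked = TRUE;
    DbgPrint("Hooking Succed !\n");
}

/*
 * Put the saved original pointer back into the NtOpenProcess SSDT slot.
 * No-op if SSDTHook_NtOpenProcess refused or never ran (pNtOpenProcess
 * would otherwise be 0 and the write would fault).
 */
VOID UnSSDTHook_NtOpenProcess()
{
    if (!g_NtOpenProcessHooked)
    {
        DbgPrint("UnSSDTHook_NtOpenProcess: not hooked, nothing to restore\n");
        return;
    }
    SetModifyMem();
    *( (ULONG *)pNtOpenProcess ) = OldNtOpenProcess;
    UnSetModifyMem();
    g_NtOpenProcessHooked = FALSE;
    DbgPrint("UnHooking Succed !\n");
}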
//////////////////////////////////////////////////
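/* TRUE only after the NtTerminateProcess SSDT slot was actually overwritten; guards the unhook. */
static BOOLEAN g_NtTerminateProcessHooked = FALSE;

/*
 * Install the NtTerminateProcess SSDT hook.
 *
 * Computes the address of SSDT slot 0x101, saves the handler pointer found
 * there (OldNtTerminateProcess / NtTerminateProcess_Addr), sets the
 * trampoline target to that address + 5 and writes MyNtTerminateProcess
 * into the slot under a CR0.WP write window.
 *
 * Checks added before anything is written:
 *  - the slot index must be below NumberOfServices;
 *  - the code at the address found in the slot must start with the exact
 *    5 bytes MyNtTerminateProcess replays (`mov edi,edi; push ebp;
 *    mov ebp,esp` = 8B FF 55 8B EC). Unlike the NtOpenProcess hook the
 *    target is taken from the table, not from a kernel export, so if some
 *    other component already sits in this slot the +5 jump would land in
 *    the middle of their code; requiring these bytes makes the replay
 *    equivalent to a direct call whatever function is there. The service
 *    number 0x101 is build-specific and not looked up.
 *
 * Interface unchanged (VOID): failure is reported via DbgPrint and the
 * matching unhook becomes a no-op.
 */
VOID SSDTHook_NtTerminateProcess()
{
    const ULONG serviceIndex = 0x101;
    const UCHAR *entry;

    if (serviceIndex >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("SSDTHook_NtTerminateProcess: service 0x%x out of range (%u services)\n",
                 serviceIndex, KeServiceDescriptorTable.NumberOfServices);
        return;
    }

    pNtTerminateProcess = (ULONG)KeServiceDescriptorTable.ServiceTableBase + serviceIndex * 4;
    OldNtTerminateProcess = NtTerminateProcess_Addr = *(ULONG *)pNtTerminateProcess;
    JmpAddress_NtTerminateProcess = NtTerminateProcess_Addr + 5;

    /* MyNtTerminateProcess replays 8B FF 55 8B EC and lands at +5: require exactly those bytes. */
    entry = (const UCHAR *)NtTerminateProcess_Addr;
    if (entry[0] != 0x8B || entry[1] != 0xFF || entry[2] != 0x55 ||
        entry[3] != 0x8B || entry[4] != 0xEC)
    {
        DbgPrint("SSDTHook_NtTerminateProcess: unexpected entry bytes %02x %02x %02x %02x %02x at 0x%x, not hooking\n",
                 entry[0], entry[1], entry[2], entry[3], entry[4], NtTerminateProcess_Addr);
        return;
    }

    SetModifyMem();
    *(ULONG *)pNtTerminateProcess = (ULONG)MyNtTerminateProcess;
    UnSetModifyMem();
    g_NtTerminateProcessHooked = TRUE;
    DbgPrint("Hooking Succed !\n");
}

/*
 * Put the saved original pointer back into the NtTerminateProcess SSDT slot.
 * No-op if SSDTHook_NtTerminateProcess refused or never ran.
 */
VOID UnSSDTHook_NtTerminateProcess()
{
    if (!g_NtTerminateProcessHooked)
    {
        DbgPrint("UnSSDTHook_NtTerminateProcess: not hooked, nothing to restore\n");
        return;
    }
    SetModifyMem();
    *( (ULONG *)pNtTerminateProcess ) = OldNtTerminateProcess;
    UnSetModifyMem();
    g_NtTerminateProcessHooked = FALSE;
    DbgPrint("UnHooking Succed !\n");
}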
//////////////////////////////////////////////////
/*
 * DriverUnload callback: return both SSDT slots to the values found at
 * install time, in the same order the hooks were installed by DriverEntry.
 * The two slots are independent, so the order is cosmetic.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("Driver is to be UnLoadded!\n");
    UnSSDTHook_NtOpenProcess();
    UnSSDTHook_NtTerminateProcess();
}
//////////////////////////////////////////////////
/*
 * Driver entry point: register the unload routine, then install the two
 * SSDT hooks (NtOpenProcess, NtTerminateProcess).
 *
 * NOTE(review): the hook routines return VOID, so a refused or failed
 * install is not visible here and the driver reports STATUS_SUCCESS
 * regardless; check the debug output when testing.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
    UNREFERENCED_PARAMETER(theRegistryPath);

    /* Register unload first so whatever gets hooked below is always undone on unload. */
    DriverObject->DriverUnload = OnUnload;

    SSDTHook_NtOpenProcess();
    SSDTHook_NtTerminateProcess();

    return STATUS_SUCCESS;
}
#include "ntddk.h"
#pragma pack(1)
/*
 * One entry of the kernel's system service descriptor table, as this driver
 * expects it to be laid out. Packed to 1 byte so the field offsets are taken
 * literally; the hook routines below index ServiceTableBase by service number
 * and overwrite the handler pointer in place.
 * NOTE(review): the layout is assumed, not verified at runtime - confirm it
 * matches the target kernel build before loading.
 */
typedef struct _ServiceDescriptorEntry {
unsigned int *ServiceTableBase;        /* array of service-routine addresses, indexed by service number */
unsigned int *ServiceCounterTableBase; /* not used by this driver */
unsigned int NumberOfServices;         /* count of entries in ServiceTableBase (not checked by the hooks below) */
unsigned char *ParamTableBase;         /* not used by this driver */
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
#pragma pack()
/* Imported from the kernel image; ServiceTableBase of this entry is the table that gets patched. */
__declspec(dllimport) ServiceDescriptorTableEntry KeServiceDescriptorTable;
//////////////////////////////////////////////////
/* Handler address read from the NtTerminateProcess SSDT slot at hook time (set in SSDTHook_NtTerminateProcess). */
ULONG NtTerminateProcess_Addr;
/* Install / remove the two SSDT hooks; the Un* routines write the saved original pointers back. */
VOID SSDTHook_NtOpenProcess();
VOID UnSSDTHook_NtOpenProcess();
VOID SSDTHook_NtTerminateProcess();
VOID UnSSDTHook_NtTerminateProcess();
//////////////////////////////////////////////////
ULONG JmpAddress_NtOpenProcess;      /* exported NtOpenProcess + 5: where MyNtOpenProcess continues after replaying the first instruction */
ULONG pNtOpenProcess;                /* address of the SSDT slot for service 0x7A (NtOpenProcess) */
ULONG OldNtOpenProcess;              /* value that slot held before hooking; restored on unload */
ULONG JmpAddress_NtTerminateProcess; /* NtTerminateProcess_Addr + 5: where MyNtTerminateProcess continues after replaying the prologue */
ULONG pNtTerminateProcess;           /* address of the SSDT slot for service 0x101 (NtTerminateProcess) */
ULONG OldNtTerminateProcess;         /* value that slot held before hooking; restored on unload */
//////////////////////////////////////////////////
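/*
 * EFLAGS captured by SetModifyMem() and restored by UnSetModifyMem(). The
 * pair is not nestable: a second SetModifyMem() before the matching
 * UnSetModifyMem() overwrites this value.
 */
static ULONG g_SavedEflags;

/*
 * Open a write window onto read-only kernel pages (the SSDT slots written
 * below live in such pages) by clearing CR0.WP on the current CPU.
 *
 * Interrupts are disabled for the duration so this thread cannot be
 * preempted while WP is off. Unlike the original, the interrupt-flag state
 * is saved first, so the matching UnSetModifyMem() restores what the caller
 * actually had instead of unconditionally executing STI.
 *
 * CR0 is per-processor: only the current CPU is affected, and the caller
 * must call UnSetModifyMem() on the same CPU before doing anything else.
 * NOTE(review): 32-bit MSVC inline asm only. On x64 Windows this CR0 trick
 * is not viable (no inline asm, and kernel patch protection watches the
 * SSDT); an MDL-backed writable mapping is the usual alternative that does
 * not touch CR0 at all.
 */
__declspec(naked) VOID __stdcall SetModifyMem()
{
    __asm
    {
        pushfd                          ; remember IF (and the rest of EFLAGS) for UnSetModifyMem()
        pop g_SavedEflags
        cli                             ; no preemption on this CPU while WP is clear
        push eax
        mov eax, cr0
        and eax, not 10000h             ; CR0.WP (bit 16) := 0 -> ring-0 writes to read-only pages allowed
        mov cr0, eax
        pop eax
        ret
    }
}
//////////////////////////////////////////////////
/*
 * Close the write window opened by SetModifyMem(): set CR0.WP again, then
 * restore the EFLAGS saved at SetModifyMem() time so IF goes back to its
 * original state rather than being forced on.
 */
__declspec(naked) VOID __stdcall UnSetModifyMem()
{
    __asm
    {
        push eax
        mov eax, cr0
        or eax, 10000h                  ; CR0.WP (bit 16) := 1
        mov cr0, eax
        pop eax
        push g_SavedEflags              ; restores IF to whatever the caller had
        popfd
        ret
    }
}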
//////////////////////////////////////////////////
/*
 * SSDT replacement for NtOpenProcess (service 0x7A in this driver).
 *
 * Naked: no prologue/epilogue is generated, so the stack the system-call
 * dispatcher built (return address + the four arguments) reaches the real
 * function untouched. The handler only logs, then replays the first
 * instruction of the real NtOpenProcess (`push 0C4h`, a 5-byte push imm32)
 * and jumps to NtOpenProcess + 5 (JmpAddress_NtOpenProcess, set in
 * SSDTHook_NtOpenProcess). No argument is inspected or filtered.
 *
 * NOTE(review): replaying the entry bytes and landing at +5 is only correct
 * on a kernel build whose NtOpenProcess really begins with that 5-byte
 * instruction; on any other build the stack is corrupted on the first call.
 * Presumably the intent is to step over a 5-byte inline hook that some other
 * component may have placed at the entry - confirm; otherwise jumping to
 * OldNtOpenProcess would be the build-independent choice. The DbgPrint call
 * clobbers eax/ecx/edx, which should be harmless here since NtOpenProcess
 * takes its arguments from the stack.
 */
__declspec(naked) NTSTATUS MyNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId)
{
DbgPrint("MyNtOpenProcess() called! \n");
__asm
{
push 0C4h;                    // replay the first (5-byte) instruction of the real NtOpenProcess
jmp JmpAddress_NtOpenProcess; // continue inside the real NtOpenProcess at +5
}
}
//////////////////////////////////////////////////
/*
 * SSDT replacement for NtTerminateProcess (service 0x101 in this driver).
 *
 * Naked, so the dispatcher's stack (return address, ProcessHandle,
 * ExitStatus) reaches the real function untouched. The handler only logs,
 * then replays the 5-byte hot-patch prologue of the original
 * (`mov edi,edi; push ebp; mov ebp,esp`) and jumps to original + 5
 * (JmpAddress_NtTerminateProcess, computed in SSDTHook_NtTerminateProcess
 * from the value found in the SSDT slot). Nothing is filtered or blocked.
 *
 * NOTE(review): this is only correct if the address that was in the SSDT
 * slot at hook time really starts with those 5 bytes. The target comes from
 * the table, not from a kernel export, so if another component had already
 * replaced that slot the jump lands inside their code. The replayed
 * `push ebp` pushes the dispatcher's ebp as the real prologue would, on the
 * assumption that DbgPrint preserves ebp (callee-saved) - confirm.
 */
__declspec(naked) NTSTATUS MyNtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
)
{
DbgPrint("MyNtTerminateProcess() called! \n");
DbgPrint("Jmp to NtTerminateProcess() + 5 at 0x%x\n", JmpAddress_NtTerminateProcess);
__asm
{
mov edi, edi;                      // replay the original's 5-byte hot-patch prologue ...
push ebp;
mov ebp, esp;
jmp JmpAddress_NtTerminateProcess; // ... then continue in the original at +5
}
}
//////////////////////////////////////////////////
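/* TRUE only after the NtOpenProcess SSDT slot was actually overwritten; guards the unhook. */
static BOOLEAN g_NtOpenProcessHooked = FALSE;

/*
 * Install the NtOpenProcess SSDT hook.
 *
 * Computes the address of SSDT slot 0x7A, saves the handler pointer found
 * there (OldNtOpenProcess), sets the trampoline target (exported
 * NtOpenProcess + 5) and writes MyNtOpenProcess into the slot under a
 * CR0.WP write window.
 *
 * Checks added before anything is written:
 *  - the slot index must be below NumberOfServices;
 *  - the exported NtOpenProcess must start with the exact 5 bytes that
 *    MyNtOpenProcess replays (`push 0C4h` = 68 C4 00 00 00). If they differ
 *    the +5 trampoline would corrupt the stack on the first call, so the
 *    hook is refused. The service number 0x7A is build-specific and not
 *    looked up, so this byte check is the only guard against loading on a
 *    kernel the code was not written for.
 * A slot that no longer points at the export is reported (another hook is
 * already installed; the trampoline would silently bypass it) but allowed.
 *
 * Interface unchanged (VOID): failure is reported via DbgPrint and the
 * matching unhook becomes a no-op.
 */
VOID SSDTHook_NtOpenProcess()
{
    const ULONG serviceIndex = 0x7A;
    const UCHAR *entry = (const UCHAR *)(ULONG)NtOpenProcess;

    if (serviceIndex >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("SSDTHook_NtOpenProcess: service 0x%x out of range (%u services)\n",
                 serviceIndex, KeServiceDescriptorTable.NumberOfServices);
        return;
    }
    /* MyNtOpenProcess replays `push 0C4h` (68 C4 00 00 00) and lands at +5: require exactly those bytes. */
    if (entry[0] != 0x68 || *(const ULONG *)(entry + 1) != 0xC4)
    {
        DbgPrint("SSDTHook_NtOpenProcess: unexpected entry bytes %02x %02x %02x %02x %02x, not hooking\n",
                 entry[0], entry[1], entry[2], entry[3], entry[4]);
        return;
    }

    pNtOpenProcess = (ULONG)KeServiceDescriptorTable.ServiceTableBase + serviceIndex * 4;
    OldNtOpenProcess = *(ULONG *)pNtOpenProcess;
    JmpAddress_NtOpenProcess = (ULONG)NtOpenProcess + 5;
    if (OldNtOpenProcess != (ULONG)NtOpenProcess)
    {
        /* Someone already owns this slot; the trampoline jumps to the export and bypasses them. */
        DbgPrint("SSDTHook_NtOpenProcess: slot holds 0x%x, export is 0x%x (existing hook bypassed)\n",
                 OldNtOpenProcess, (ULONG)NtOpenProcess);
    }

    SetModifyMem();
    *(ULONG *)pNtOpenProcess = (ULONG)MyNtOpenProcess;
    UnSetModifyMem();
    g_NtOpenProcessHooked = TRUE;
    DbgPrint("Hooking Succed !\n");
}

/*
 * Put the saved original pointer back into the NtOpenProcess SSDT slot.
 * No-op if SSDTHook_NtOpenProcess refused or never ran (pNtOpenProcess
 * would otherwise be 0 and the write would fault).
 */
VOID UnSSDTHook_NtOpenProcess()
{
    if (!g_NtOpenProcessHooked)
    {
        DbgPrint("UnSSDTHook_NtOpenProcess: not hooked, nothing to restore\n");
        return;
    }
    SetModifyMem();
    *( (ULONG *)pNtOpenProcess ) = OldNtOpenProcess;
    UnSetModifyMem();
    g_NtOpenProcessHooked = FALSE;
    DbgPrint("UnHooking Succed !\n");
}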
//////////////////////////////////////////////////
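/* TRUE only after the NtTerminateProcess SSDT slot was actually overwritten; guards the unhook. */
static BOOLEAN g_NtTerminateProcessHooked = FALSE;

/*
 * Install the NtTerminateProcess SSDT hook.
 *
 * Computes the address of SSDT slot 0x101, saves the handler pointer found
 * there (OldNtTerminateProcess / NtTerminateProcess_Addr), sets the
 * trampoline target to that address + 5 and writes MyNtTerminateProcess
 * into the slot under a CR0.WP write window.
 *
 * Checks added before anything is written:
 *  - the slot index must be below NumberOfServices;
 *  - the code at the address found in the slot must start with the exact
 *    5 bytes MyNtTerminateProcess replays (`mov edi,edi; push ebp;
 *    mov ebp,esp` = 8B FF 55 8B EC). Unlike the NtOpenProcess hook the
 *    target is taken from the table, not from a kernel export, so if some
 *    other component already sits in this slot the +5 jump would land in
 *    the middle of their code; requiring these bytes makes the replay
 *    equivalent to a direct call whatever function is there. The service
 *    number 0x101 is build-specific and not looked up.
 *
 * Interface unchanged (VOID): failure is reported via DbgPrint and the
 * matching unhook becomes a no-op.
 */
VOID SSDTHook_NtTerminateProcess()
{
    const ULONG serviceIndex = 0x101;
    const UCHAR *entry;

    if (serviceIndex >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("SSDTHook_NtTerminateProcess: service 0x%x out of range (%u services)\n",
                 serviceIndex, KeServiceDescriptorTable.NumberOfServices);
        return;
    }

    pNtTerminateProcess = (ULONG)KeServiceDescriptorTable.ServiceTableBase + serviceIndex * 4;
    OldNtTerminateProcess = NtTerminateProcess_Addr = *(ULONG *)pNtTerminateProcess;
    JmpAddress_NtTerminateProcess = NtTerminateProcess_Addr + 5;

    /* MyNtTerminateProcess replays 8B FF 55 8B EC and lands at +5: require exactly those bytes. */
    entry = (const UCHAR *)NtTerminateProcess_Addr;
    if (entry[0] != 0x8B || entry[1] != 0xFF || entry[2] != 0x55 ||
        entry[3] != 0x8B || entry[4] != 0xEC)
    {
        DbgPrint("SSDTHook_NtTerminateProcess: unexpected entry bytes %02x %02x %02x %02x %02x at 0x%x, not hooking\n",
                 entry[0], entry[1], entry[2], entry[3], entry[4], NtTerminateProcess_Addr);
        return;
    }

    SetModifyMem();
    *(ULONG *)pNtTerminateProcess = (ULONG)MyNtTerminateProcess;
    UnSetModifyMem();
    g_NtTerminateProcessHooked = TRUE;
    DbgPrint("Hooking Succed !\n");
}

/*
 * Put the saved original pointer back into the NtTerminateProcess SSDT slot.
 * No-op if SSDTHook_NtTerminateProcess refused or never ran.
 */
VOID UnSSDTHook_NtTerminateProcess()
{
    if (!g_NtTerminateProcessHooked)
    {
        DbgPrint("UnSSDTHook_NtTerminateProcess: not hooked, nothing to restore\n");
        return;
    }
    SetModifyMem();
    *( (ULONG *)pNtTerminateProcess ) = OldNtTerminateProcess;
    UnSetModifyMem();
    g_NtTerminateProcessHooked = FALSE;
    DbgPrint("UnHooking Succed !\n");
}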
//////////////////////////////////////////////////
/*
 * DriverUnload callback: return both SSDT slots to the values found at
 * install time, in the same order the hooks were installed by DriverEntry.
 * The two slots are independent, so the order is cosmetic.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("Driver is to be UnLoadded!\n");
    UnSSDTHook_NtOpenProcess();
    UnSSDTHook_NtTerminateProcess();
}
//////////////////////////////////////////////////
/*
 * Driver entry point: register the unload routine, then install the two
 * SSDT hooks (NtOpenProcess, NtTerminateProcess).
 *
 * NOTE(review): the hook routines return VOID, so a refused or failed
 * install is not visible here and the driver reports STATUS_SUCCESS
 * regardless; check the debug output when testing.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
    UNREFERENCED_PARAMETER(theRegistryPath);

    /* Register unload first so whatever gets hooked below is always undone on unload. */
    DriverObject->DriverUnload = OnUnload;

    SSDTHook_NtOpenProcess();
    SSDTHook_NtTerminateProcess();

    return STATUS_SUCCESS;
}