-
-
[旧帖]
[求助]不想活了谁能给看看为啥我这个驱动代码老蓝屏啊
0.00雪花
-
发表于:
2010-12-27 19:13
785
-
[旧帖] [求助]不想活了谁能给看看为啥我这个驱动代码老蓝屏啊
0.00雪花
#include <ntddk.h>
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase; //指向系统服务程序的地址(SSDT)
//指向另一个索引表,该表包含了每个服务表项被调用的次数;不过这个值只在Checkd Build的内核中有效,在Free Build的内核中,这个值总为NULL
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices; //表示当前系统所支持的服务个数
unsigned char *ParamTableBase; //指向SSPT中的参数地址,它们都包含了NumberOfService这么多个数组单元
} ServiceDescriptorTableEntry , *PServiceDescriptorTableEntry;
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;//KeServiceDescriptorTable为导出函数
NTSTATUS _stdcall MyZwOpenProcess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
return STATUS_SUCCESS;
}
VOID HOOK();//HOOK函数
VOID UNHOOK();//卸载HOOK函数恢复SSDT
VOID Unload(IN PDRIVER_OBJECT DRiver)
{
// UNHOOK();
KdPrint(("卸载驱动成功"));
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RgePath)
{
_asm int 3;
ULONG FirstAddress; //原始函数地址
UNICODE_STRING MyFunctionName;
ULONG MyFunctionAddress=0;
ULONG CurAddress; //当前地址
ULONG CurFunctionAddress;//当前函数地址
// RtlCopyUnicodeString(&MyFunctionName,L"NtOpenProcess");
MyFunctionAddress=(ULONG)MmGetSystemRoutineAddress(L"NtOpenProcess");
KdPrint(("返回的地址为%0x",MyFunctionAddress));
FirstAddress=*(ULONG*)MyFunctionAddress;
KdPrint(("\n原始函数地址为%0x",FirstAddress));
////////////////////////////
// CurAddress=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x7a*4;
// // KdPrint(("SSDT表的地址为\n\n%0x",KeServiceDescriptorTable->ServiceTableBase));
//
// KdPrint(("NtOpenProcess导出表地址为\n%0x",CurAddress));
// CurFunctionAddress=*(ULONG*)CurAddress;
// KdPrint(("当前的NtoPenProcess函数地址为\n%0x",CurFunctionAddress));
DriverObject->DriverUnload=Unload;
return STATUS_SUCCESS;
}
VOID HOOK()
{
ULONG CurAddress;
CurAddress=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x7A*4;
_asm //去掉内存保护
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
*(ULONG*)CurAddress=(ULONG)MyZwOpenProcess;
KdPrint(("HOOK NtOPenProcess函数、HOOK 后的地址为"),*(ULONG*)CurAddress);
_asm //恢复内存保护
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
VOID UNHOOK()//卸载HOOK函数恢复SSDT
{
ULONG CurAddress;
CurAddress=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x7A*4;
_asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
//*(ULONG*)CurAddress=(ULONG)FirstAddress;//
KdPrint(("恢复NtOPenProcess函数 当前地址为%0x",*(ULONG*)CurAddress));
_asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
就DrverEntry这个里面的几句代码我问今天上午8点到10点多一只蓝改了N次,
初学这个但昨天我写这个代码几乎一模一样的也没有蓝啊~
郁闷,求助编译能够通过但一加载就蓝屏..
各位大侠帮忙看看啊,,,实在是找不到问题的所在
[课程]Linux pwn 探索篇!