-
-
[求助]ssdt hook NtGetContextThread/NtSetContextThread 在打开OD附件任何程序就蓝屏
-
发表于:
2011-2-24 05:35
8748
-
[求助]ssdt hook NtGetContextThread/NtSetContextThread 在打开OD附件任何程序就蓝屏
#define DNF_EXE "DNF.exe" //DNF进程名
ULONG uNtSetContextThreadAddress;
ULONG uNtGetContextThreadAddress;
ULONG TenNtSetContextThread,TenNtGetContextThread;
//////////////////////////////////////////////////////////////////////
// 名称: _MyNtGetThreadContext
// 功能: 两个SSDT HOOK伪造函数的中继函数
// 参数:
// 返回:
//////////////////////////////////////////////////////////////////////
NTSTATUS _declspec(naked) Nakd_NtGetThreadContext(HANDLE hThread,PCONTEXT pContext)
{
__asm
{
jmp dword ptr [TenNtGetContextThread]
}
}
NTSTATUS _declspec(naked) Nakd_NtSetThreadContext(HANDLE hThread,PCONTEXT pContext)
{
__asm
{
jmp dword ptr [TenNtSetContextThread]
}
}
//////////////////////////////////////////////////////////////////////
// 名称: MyNtGetThreadContext && MyNtSetThreadContext
// 功能: NtGetThreadContext与NtSetThreadContext函数被SSDT HOOK的伪造函数
// 参数:
// 返回:
//////////////////////////////////////////////////////////////////////
//UCHAR* PsGetProcessImageFileName( IN PEPROCESS Process );
extern "C" UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);
NTSTATUS MyNtGetThreadContext(HANDLE hThread , PCONTEXT pContext)
{
if (_stricmp((const char*)PsGetProcessImageFileName(PsGetCurrentProcess()),DNF_EXE))
{
KdPrint(("------------------%S",PsGetProcessImageFileName(PsGetCurrentProcess())));
return Nakd_NtGetThreadContext(hThread,pContext);
}
return STATUS_SUCCESS;
}
NTSTATUS MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
if (_stricmp((const char*)PsGetProcessImageFileName(PsGetCurrentProcess()),DNF_EXE))
{
return Nakd_NtSetThreadContext(hThread,pContext);
}
return STATUS_SUCCESS;
}
//////////////////////////////////////////////////////////////////////
// 名称: My_Recovery_HardwareBreakpoint
// 功能: 通过对set与get进行SSDT HOOK来恢复硬件断点
// 参数:
// 返回:
//////////////////////////////////////////////////////////////////////
NTSTATUS My_Recovery_HardwareBreakpoint()
{
KIRQL Irql;
uNtGetContextThreadAddress=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0xD5*4;
uNtSetContextThreadAddress=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x55*4;
TenNtGetContextThread=uNtGetContextThreadAddress;
TenNtSetContextThread=uNtSetContextThreadAddress;
KdPrint(("Set地址:%0X\n",TenNtSetContextThread));
KdPrint(("Get地址:%0X\n",TenNtGetContextThread));
WPOFF();
Irql=KeRaiseIrqlToDpcLevel();
*(ULONG*)uNtGetContextThreadAddress=(ULONG)MyNtGetThreadContext;
*(ULONG*)uNtSetContextThreadAddress=(ULONG)MyNtSetThreadContext;
KeLowerIrql(Irql);
WPON();
return STATUS_SUCCESS;
加载完自己写的驱动以后,在打开OD附加任务的程序 都蓝屏
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
