-
-
[旧帖] [分享]通过SSDT Hook 绕过读内存保护 NtReadVirtualMemory 0.00雪花
-
发表于: 2011-6-6 21:42
-
通过SSDT Hook 绕过读内存保护 NtReadVirtualMemory
#pragma PAGECODE
__declspec(naked) VOID yjxsoft_com_NtReadVirtualMemory()
{
//KdPrint(("yjxsoft_com_NtReadVirtualMemory\n"));
__asm
{
//
push 0x1c
push readpush ////压栈参数
//
jmp readjmpaddr
}
}
mov eax, KeServiceDescriptorTable
mov eax,[eax] //address of KeServiceDescriptorTable
mov ssdtaddr,eax
mov eax,ssdtaddr
add eax,2e8h //0xBA * 4 ntreadvirtualmemoryaddr ssdt186
mov eax,DWORD PTR [eax]
mov oldreadaddr,eax
mov ebx,DWORD PTR [eax+3h]
mov readpush,ebx
add eax,7h
mov readjmpaddr,eax
#pragma PAGECODE
__declspec(naked) VOID yjxsoft_com_NtReadVirtualMemory()
{
//KdPrint(("yjxsoft_com_NtReadVirtualMemory\n"));
__asm
{
//
push 0x1c
push readpush ////压栈参数
//
jmp readjmpaddr
}
}
mov eax, KeServiceDescriptorTable
mov eax,[eax] //address of KeServiceDescriptorTable
mov ssdtaddr,eax
mov eax,ssdtaddr
add eax,2e8h //0xBA * 4 ntreadvirtualmemoryaddr ssdt186
mov eax,DWORD PTR [eax]
mov oldreadaddr,eax
mov ebx,DWORD PTR [eax+3h]
mov readpush,ebx
add eax,7h
mov readjmpaddr,eax
