-
-
[原创]发一个可编译,可替换的hookport代码
-
发表于: 2012-10-19 20:31
-
精华部分很久前就有人逆了,完整的逆向也无数人做了,只是都懒得放出来吧。搜索了一下,貌似只有人放了一个idb,完整的没人放过吧。今天抛块砖,把10年逆的一个放出来,完整度应该超过99%了,可编译,可替换那时候的,不论xp还是win7,均可正常替换工作,放码就行了吧,idb就不放了。
试了下wdk 7600.16385.1测试编译通过,以前貌似还是6000的wdk。
hookport.sys是这个版本
试了下wdk 7600.16385.1测试编译通过,以前貌似还是6000的wdk。
hookport.sys是这个版本
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateKeyIndex] = (PULONG)Fake_ZwCreateKey;//sub_10F5E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwQueryValueKeyIndex] = (PULONG)Fake_ZwQueryValueKey;//sub_1109E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDeleteKeyIndex] = (PULONG)Fake_ZwDeleteKey;//sub_111D4;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDeleteValueKeyIndex] = (PULONG)Fake_ZwDeleteValueKey;//sub_112DE;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwRenameKeyIndex] = (PULONG)Fake_ZwRenameKey;//sub_113F0;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwReplaceKeyIndex] = (PULONG)Fake_ZwReplaceKey;//sub_11502;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwRestoreKeyIndex] = (PULONG)Fake_ZwRestoreKey;//sub_1161E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetValueKeyIndex] = (PULONG)Fake_ZwSetValueKey;//sub_1173A;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateFileIndex] = (PULONG)Fake_ZwCreateFile;//sub_11870;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwFsControlFileIndex] = (PULONG)Fake_ZwFsControlFile;//sub_119CE;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetInformationFileIndex] = (PULONG)Fake_ZwSetInformationFile;//sub_11B28;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwWriteFileIndex] = (PULONG)Fake_ZwWriteFile;//sub_11C56;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateProcessIndex] = (PULONG)Fake_ZwCreateProcess;//sub_11D96;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateProcessExIndex] = (PULONG)Fake_ZwCreateProcessEx;//sub_11EE0;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateUserProcessIndex] = (PULONG)Fake_ZwCreateUserProcess;//sub_12032;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateThreadIndex] = (PULONG)Fake_ZwCreateThread;//sub_12196;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenThreadIndex] = (PULONG)Fake_ZwOpenThread;//sub_122E0;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDeleteFileIndex] = (PULONG)Fake_ZwDeleteFile;//sub_12404;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenFileIndex] = (PULONG)Fake_ZwOpenFile;//sub_1250E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwReadVirtualMemoryIndex] = (PULONG)Fake_ZwReadVirtualMemory;//sub_1263E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwTerminateProcessIndex] = (PULONG)Fake_ZwTerminateProcess;//sub_128A2;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwQueueApcThreadIndex] = (PULONG)Fake_ZwQueueApcThread;//sub_129B4;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetContextThreadIndex] = (PULONG)Fake_ZwSetContextThread;//sub_12AE2;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetInformationThreadIndex] = (PULONG)Fake_ZwSetInformationThread;//sub_12BF4;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwProtectVirtualMemoryIndex] = (PULONG)Fake_ZwProtectVirtualMemory;//sub_12D18;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwWriteVirtualMemoryIndex] = (PULONG)Fake_ZwWriteVirtualMemory;//sub_12770;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwAdjustGroupsTokenIndex] = (PULONG)Fake_ZwAdjustGroupsToken;//sub_12E46;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwAdjustPrivilegesTokenIndex] = (PULONG)Fake_ZwAdjustPrivilegesToken;//sub_12F7E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwRequestWaitReplyPortIndex] = (PULONG)Fake_ZwRequestWaitReplyPort;//sub_130B6;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateSectionIndex] = (PULONG)Fake_ZwCreateSection;//sub_131D2;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenSectionIndex] = (PULONG)Fake_ZwOpenSection;//sub_13312;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateSymbolicLinkObjectIndex] = (PULONG)Fake_ZwCreateSymbolicLinkObject;//sub_1342E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenSymbolicLinkObjectIndex] = (PULONG)Fake_ZwOpenSymbolicLinkObject;//sub_13552;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwLoadDriverIndex] = (PULONG)Fake_ZwLoadDriver;//sub_1366E;//sub_1377E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwUnloadDriverIndex] = (PULONG)Fake_ZwLoadDriver;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwQuerySystemInformationIndex] = (PULONG)Fake_ZwQuerySystemInformation;//sub_1388C;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetSystemInformationIndex] = (PULONG)Fake_ZwSetSystemInformation;//sub_1973E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetSystemTimeIndex] = (PULONG)Fake_ZwSetSystemTime;//sub_139B0;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSystemDebugControlIndex] = (PULONG)Fake_ZwSystemDebugControl;//sub_13AC2;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserBuildHwndListIndex & 0xFFF] = (PULONG)Fake_ZwUserBuildHwndList;//sub_13BF8;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserQueryWindowIndex & 0xFFF] = (PULONG)Fake_ZwUserQueryWindow;//sub_13D38;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserFindWindowExIndex & 0xFFF] = (PULONG)Fake_ZwUserFindWindowEx;//sub_13E48;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserWindowFromPointIndex & 0xFFF] = (PULONG)Fake_ZwUserWindowFromPoint;//sub_13F72;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserMessageCallIndex & 0xFFF] = (PULONG)Fake_ZwUserMessageCall;//sub_1408A;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserPostMessageIndex & 0xFFF] = (PULONG)Fake_ZwUserPostMessage;//sub_1426C;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowsHookExIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowsHookEx;//sub_14392;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserPostThreadMessageIndex & 0xFFF] = (PULONG)Fake_ZwUserPostThreadMessage;//sub_144C6;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenProcessIndex] = (PULONG)Fake_ZwOpenProcess;//sub_145EC;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDeviceIoControlFileIndex] = (PULONG)Fake_ZwDeviceIoControlFile;//sub_14710;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetParentIndex & 0xFFF] = (PULONG)Fake_ZwUserSetParent;//sub_14C06;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenKeyIndex] = (PULONG)Fake_ZwOpenKey;//sub_1486A;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwDuplicateObjectIndex] = (PULONG)Fake_ZwDuplicateObject;//sub_14986;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwWriteFileGatherIndex] = (PULONG)Fake_ZwWriteFile;//sub_14AC6;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwResumeThreadIndex] = (PULONG)Fake_ZwResumeThread;//sub_10E4C;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserChildWindowFromPointExIndex & 0xFFF] = (PULONG)Fake_ZwUserChildWindowFromPointEx;//sub_14D16;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserDestroyWindowIndex & 0xFFF] = (PULONG)Fake_ZwUserDestroyWindow;//sub_14E40;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserInternalGetWindowTextIndex & 0xFFF] = (PULONG)Fake_ZwUserInternalGetWindowText;//sub_14F4A;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserMoveWindowIndex & 0xFFF] = (PULONG)Fake_ZwUserMoveWindow;//sub_15062;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserRealChildWindowFromPointIndex & 0xFFF] = (PULONG)Fake_ZwUserRealChildWindowFromPoint;//sub_1519A;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetInformationThreadIndex & 0xFFF] = (PULONG)Fake_ZwUserSetInformationThread;//sub_152BA;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetInternalWindowPosIndex & 0xFFF] = (PULONG)Fake_ZwUserSetInternalWindowPos;//sub_153DC;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowLongIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowLong;//sub_15502;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowPlacementIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowPlacement;//sub_15624;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowPosIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowPos;//sub_15738;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWindowRgnIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWindowRgn;//sub_15878;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserShowWindowIndex & 0xFFF] = (PULONG)Fake_ZwUserShowWindow;//sub_15990;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserShowWindowAsyncIndex & 0xFFF] = (PULONG)Fake_ZwUserShowWindowAsync;//sub_15AA4;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwQueryAttributesFileIndex] = (PULONG)Fake_ZwQueryAttributesFile;//sub_15BB8;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateThreadExIndex] = (PULONG)Fake_ZwCreateThreadEx;//sub_15CC8;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSendInputIndex & 0xFFF] = (PULONG)Fake_ZwUserSendInput;//sub_15E16;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwAlpcSendWaitReceivePortIndex] = (PULONG)Fake_ZwAlpcSendWaitReceivePort;//sub_15F2E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwUnmapViewOfSectionIndex] = (PULONG)Fake_ZwUnmapViewOfSection;//sub_16074;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserSetWinEventHookIndex & 0xFFF] = (PULONG)Fake_ZwUserSetWinEventHook;//sub_16184;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwSetSecurityObjectIndex] = (PULONG)Fake_ZwSetSecurityObject;//sub_162CA;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserCallHwndParamLockIndex & 0xFFF] = (PULONG)Fake_ZwUserCallHwndParamLock;//sub_163E2;
if ( (WORD)NtBuildNumber == 2600 )
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserRegisterUserApiHookIndex & 0xFFF] = (PULONG)Fake_ZwUserRegisterUserApiHookXp;//sub_164FA;
else
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[ZwUserRegisterUserApiHookIndex & 0xFFF] = (PULONG)Fake_ZwUserRegisterUserApiHook;//sub_165CA;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[HookportFilterFunc76 & 0xFFF] = (PULONG)Fake_HookportFilterFunc76;//sub_166A2;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[HookportFilterFunc77 & 0xFFF] = (PULONG)Fake_HookportFilterFunc77;//sub_167A8;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwAllocateVirtualMemoryIndex] = (PULONG)Fake_ZwAllocateVirtualMemory;//sub_168AE;
g_SS_Filter_Table->ProxyShadowSSDTServiceAddress[HookportFilterFunc79 & 0xFFF] = (PULONG)Fake_HookportFilterFunc79;//sub_169E2;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwCreateMutantIndex] = (PULONG)Fake_ZwCreateMutant;//sub_16C0A;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwOpenIoCompletionIndex] = (PULONG)Fake_ZwOpenIoCompletion;//sub_16AF2;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwVdmControlIndex] = (PULONG)Fake_ZwVdmControl;//sub_16D2E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwGetNextProcessIndex] = (PULONG)Fake_ZwGetNextProcess;//sub_16E3E;
g_SS_Filter_Table->ProxySSDTServiceAddress[ZwGetNextThreadIndex] = (PULONG)Fake_ZwGetNextThread;//sub_16F68;
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 楼主,到底何方神圣啊, 天天爆猛料,我跟你混算啦...
|
|
|
|
|
|
|
|
|
膜拜大牛
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
感觉好深哦,学习学习哦
|
|
|
Thanks for share.
|
|
|
|
|
|
 逆了三个月捂了半年吧?
|
|
|
|
|
|
我的最爱~
|
|
|
|
|
|
|
|
|
|
|
|
|
