/*
 * Thread-creation monitor for x86 Windows: replaces the NtCreateThread entry
 * in the SSDT and, for the process selected by AssertProcessName(PROCESSNAME),
 * reads the new thread's start address out of the caller-supplied CONTEXT
 * and prints it with DbgPrint.
 *
 * NOTE(review): AssertProcessName, PROCESSNAME, GetSSDTFunctionAddr,
 * SSDTHookEngine, nNtReadVirtualMemoryAddr and nNtOpenProcessAddr are defined
 * elsewhere in the file/project; nothing in this unit validates them.
 */

/* Prototype of NtOpenProcess; the pointer is seeded from nNtOpenProcessAddr. */
typedef NTSTATUS (*NtOpenPs)(
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId);

/* Prototype of NtReadVirtualMemory; the pointer is seeded from
 * nNtReadVirtualMemoryAddr. */
typedef NTSTATUS (*NtRead)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG BufferSize,
    OUT PULONG NumberOfBytesRead OPTIONAL);

/* Both pointers come from addresses computed elsewhere and are never checked
 * for 0 before being called.  NtOpenProcessnew is not used in this unit. */
NtRead NtReadVirtualMemory = (NtRead)nNtReadVirtualMemoryAddr;
NtOpenPs NtOpenProcessnew = (NtOpenPs)nNtOpenProcessAddr;

/* Start address of the most recently observed thread.  Written by ReadConText
 * and read by MyNtCreateThread.  It is a single global shared by every
 * concurrent NtCreateThread call, so simultaneous callers overwrite each
 * other's value before it is printed. */
ULONG ThreadFunAddr = 0;

/*
 * Read 4 bytes from the user-mode CONTEXT of the process identified by Handle
 * into ThreadFunAddr, using NtReadVirtualMemory.  The original author's note
 * says byte offset 0xB0 of the CONTEXT is Eax.
 *
 * BUG(review): ThreadContext is cast to (int *) BEFORE 0xB0 is added, so the
 * addition is scaled by sizeof(int): the read lands at byte offset
 * 0xB0 * sizeof(int) (0x2C0 with 4-byte int), not at 0xB0.  The offset has to
 * be applied to a byte-sized pointer type for the comment to be true.
 *
 * The NTSTATUS return and ReadOfByte are never checked, so a failed or short
 * read leaves ThreadFunAddr holding 0 or the previous thread's value, which
 * the caller then prints as if it were valid.  "%d" is also paired with a
 * HANDLE from PsGetCurrentProcessId(); that only matches on 32-bit builds.
 */
VOID ReadConText(IN PCONTEXT ThreadContext, IN HANDLE Handle)
{
    ULONG ReadOfByte = 0;
    DbgPrint("%d", PsGetCurrentProcessId());
    // Original note: ThreadContext+0xB0 is eax in the context.
    // Original note: the machine bluescreens even if the line below is not
    // executed (see the __declspec(naked) note on MyNtCreateThread for the
    // likely cause).
    NtReadVirtualMemory(Handle, (int *)ThreadContext + 0xB0, &ThreadFunAddr, 4, &ReadOfByte);
}

// The hook unit follows.

/* Local definition of the (undocumented) INITIAL_TEB argument of
 * NtCreateThread; only needed so the hook's signature matches the original's
 * argument count.  Nothing here reads it. */
typedef struct _INITIAL_TEB {
    struct {
        PVOID OldStackBase;
        PVOID OldStackLimit;
    } OldInitialTeb;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID StackAllocationBase;
} INITIAL_TEB, *PINITIAL_TEB;

/* Address of the original SSDT entry saved by HookNtCreateThread; 0 until the
 * hook is installed.  MyNtCreateThread tail-jumps through it. */
ULONG NtCreateThreadJmp = 0;

/*
 * Replacement SSDT entry.  For a process matching PROCESSNAME it asks
 * ReadConText for the new thread's start address and prints it, then jumps to
 * the original handler (jmp through NtCreateThreadJmp) with the caller's
 * stack untouched, so the original receives the same eight arguments.
 *
 * BUG(review): the function is __declspec(naked), so the compiler emits no
 * prologue or epilogue, yet the body is ordinary C that reads the parameters
 * ThreadContext and ProcessHandle and calls ReadConText/DbgPrint.  MSVC
 * requires the prologue/epilogue of a naked function to be written by hand;
 * here the parameter accesses rely on a frame that was never set up, and any
 * register the C code clobbers reaches the original handler unrestored.  This
 * is the most plausible cause of the crash the author reports as occurring
 * "even if the read is not executed".
 *
 * ThreadContext is a user-mode pointer chosen by the caller; it is only ever
 * dereferenced through NtReadVirtualMemory (which validates the address), but
 * the caller controls where in its own address space the read happens, so the
 * printed value is not trustworthy as an indicator of the real start address.
 */
__declspec(naked) void MyNtCreateThread(
    __out PHANDLE ThreadHandle,
    __in ACCESS_MASK DesiredAccess,
    __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
    __in HANDLE ProcessHandle,
    __out PCLIENT_ID ClientId,
    __in PCONTEXT ThreadContext,
    __in PINITIAL_TEB InitialTeb,
    __in BOOLEAN CreateSuspended)
{
    if (AssertProcessName(PROCESSNAME)) {
        // Original note: ThreadContext+0xB0 is the thread function.
        // Original note: it is the seventh item on the stack.
        ReadConText(ThreadContext, ProcessHandle);
        DbgPrint("%X\n", ThreadFunAddr);
    }
    __asm {
        jmp NtCreateThreadJmp
    }
}

/*
 * Install the hook: save the SSDT entry at index 53 into NtCreateThreadJmp and
 * replace it with MyNtCreateThread.  Does nothing if the lookup returns 0.
 *
 * NOTE(review): service index 53 is hard-coded and presumably is
 * NtCreateThread on the author's Windows build -- confirm against the running
 * system.  System-service numbers change between Windows versions; on another
 * build this redirects an unrelated service into an eight-argument stub that
 * reinterprets that service's sixth argument as a CONTEXT pointer.
 * NtCreateThreadJmp is a ULONG compared with NULL, and MyNtCreateThread is
 * cast to int here but NtCreateThreadJmp is passed uncast in the unhook path;
 * both calls should use the single pointer-sized type SSDTHookEngine expects.
 * Nothing prevents HookNtCreateThread from being called twice, which would
 * overwrite the saved original with the hook's own address.
 */
VOID HookNtCreateThread()
{
    NtCreateThreadJmp = GetSSDTFunctionAddr(53);
    DbgPrint("%X", NtCreateThreadJmp);
    if (NtCreateThreadJmp != NULL) {
        SSDTHookEngine(53, (int)MyNtCreateThread);
    }
    return;
}

/*
 * Restore the saved SSDT entry at index 53, only if a hook was installed.
 *
 * NOTE(review): there is no synchronisation with callers that may still be
 * inside MyNtCreateThread when the entry is restored; if the driver then
 * unloads, those callers return into unmapped code.  NtCreateThreadJmp is not
 * reset to 0 afterwards, so a second call re-writes the same value.
 */
VOID UnHookNtCreateThread()
{
    if (NtCreateThreadJmp != NULL) {
        SSDTHookEngine(53, NtCreateThreadJmp);
    }
}