-
-
[求助]win7_32位下进程保护的问题,新手学习,大神勿喷
-
发表于: 2015-4-20 21:20
-
最近在学习windows驱动
,想试着写一个在win7_32位下的的进程保护,调试的过程中被hook的函数出现了问题,还请各位大神指点
下面是源码= =
#include <ntddk.h>
typedef struct _KSYSTEM_SERVICE_TABLE
{
PULONG ServiceTableBase;// SSDT的基带址
PULONG ServiceCounterTableBase;// SSDT中每个服务被调用的次数
ULONG NumberOfService;// 服务函数的个数
ULONG ParamTableBase;// SSPT的基地址
}KSYSTEM_SERVICE_TABLE,*PKSYSTEM_SERVICE_TABLE;
typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
KSYSTEM_SERVICE_TABLE ntoskrnl;// SSDT
KSYSTEM_SERVICE_TABLE win32k;// SSDT SHADOW
KSYSTEM_SERVICE_TABLE notUsed1;
KSYSTEM_SERVICE_TABLE notUsed2;
}KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
//导出SSDT
extern KSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
//获取进程名称进程ID的函数声明
NTKERNELAPI UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process);
//typedef NTSTATUS(__fastcall *NTTERMINATEPROCESS)(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus);
NTSTATUS ObReferenceObjectByHandle(
_In_ HANDLE Handle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_TYPE ObjectType,
_In_ KPROCESSOR_MODE AccessMode,
_Out_ PVOID *Object,
_Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation
);
//新函数
NTSTATUS Fuck_NtTermianteProcess(
__in_opt HANDLE ProcessHandle,
__in NTSTATUS ExitStatus)
{
PEPROCESS pEProcess;//程序结构
NTSTATUS status;
status=ObReferenceObjectByHandle(ProcessHandle,
FILE_READ_DATA,
*PsProcessType, KernelMode,
&pEProcess,
NULL);
/*_asm{
int 3
}*/
ANSI_STRING processname;
RtlInitAnsiString(&processname,"calc.exe");
if (RtlCompareString((char*)PsGetProcessImageFileName(pEProcess), &processname, TRUE))//有问题的代码
{
//ObDereferenceObject(pEProcess);
return STATUS_ACCESS_DENIED;
}
else
{
return ZwTerminateProcess(ProcessHandle,ExitStatus);
}
//return status;
}
//安装HOOK
ULONG OldAddr = 0;//这是一个全局变量,记录TermianteProcess的地址
NTSTATUS InstallHOOK()
{
ULONG uOldAddr = 0;
PULONG BaseAddr = KeServiceDescriptorTable.ntoskrnl.ServiceTableBase;
PULONG NtTermianteProcess = (PULONG)((ULONG)*BaseAddr + (370 * 4));
OldAddr = *NtTermianteProcess;
__asm{//去掉内存保护
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
*NtTermianteProcess = Fuck_NtTermianteProcess;
__asm{//恢复内存保护
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
return STATUS_SUCCESS;
}
//卸载HOOK
VOID UnInstallHook()
{
ULONG uOldAddr = 0;
PULONG BaseAddr = KeServiceDescriptorTable.ntoskrnl.ServiceTableBase;
PULONG TermianteProcess = (PULONG)((ULONG)*BaseAddr + (370 * 4));
__asm{//去掉内存保护
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
*TermianteProcess=OldAddr;
__asm{//恢复内存保护
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
}
VOID MyUnHook(PDRIVER_OBJECT pDriverObj)
{
DbgPrint("It's over..\n");
UnInstallHook();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)
{
DbgPrint("Enter the DriverEntry...\n");
pDriverObj->DriverUnload = MyUnHook;
InstallHOOK();
return STATUS_SUCCESS;
}
,想试着写一个在win7_32位下的的进程保护,调试的过程中被hook的函数出现了问题,还请各位大神指点下面是源码= =
#include <ntddk.h>
typedef struct _KSYSTEM_SERVICE_TABLE
{
PULONG ServiceTableBase;// SSDT的基带址
PULONG ServiceCounterTableBase;// SSDT中每个服务被调用的次数
ULONG NumberOfService;// 服务函数的个数
ULONG ParamTableBase;// SSPT的基地址
}KSYSTEM_SERVICE_TABLE,*PKSYSTEM_SERVICE_TABLE;
typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
KSYSTEM_SERVICE_TABLE ntoskrnl;// SSDT
KSYSTEM_SERVICE_TABLE win32k;// SSDT SHADOW
KSYSTEM_SERVICE_TABLE notUsed1;
KSYSTEM_SERVICE_TABLE notUsed2;
}KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
//导出SSDT
extern KSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
//获取进程名称进程ID的函数声明
NTKERNELAPI UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process);
//typedef NTSTATUS(__fastcall *NTTERMINATEPROCESS)(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus);
NTSTATUS ObReferenceObjectByHandle(
_In_ HANDLE Handle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_TYPE ObjectType,
_In_ KPROCESSOR_MODE AccessMode,
_Out_ PVOID *Object,
_Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation
);
//新函数
NTSTATUS Fuck_NtTermianteProcess(
__in_opt HANDLE ProcessHandle,
__in NTSTATUS ExitStatus)
{
PEPROCESS pEProcess;//程序结构
NTSTATUS status;
status=ObReferenceObjectByHandle(ProcessHandle,
FILE_READ_DATA,
*PsProcessType, KernelMode,
&pEProcess,
NULL);
/*_asm{
int 3
}*/
ANSI_STRING processname;
RtlInitAnsiString(&processname,"calc.exe");
if (RtlCompareString((char*)PsGetProcessImageFileName(pEProcess), &processname, TRUE))//有问题的代码
{
//ObDereferenceObject(pEProcess);
return STATUS_ACCESS_DENIED;
}
else
{
return ZwTerminateProcess(ProcessHandle,ExitStatus);
}
//return status;
}
//安装HOOK
ULONG OldAddr = 0;//这是一个全局变量,记录TermianteProcess的地址
NTSTATUS InstallHOOK()
{
ULONG uOldAddr = 0;
PULONG BaseAddr = KeServiceDescriptorTable.ntoskrnl.ServiceTableBase;
PULONG NtTermianteProcess = (PULONG)((ULONG)*BaseAddr + (370 * 4));
OldAddr = *NtTermianteProcess;
__asm{//去掉内存保护
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
*NtTermianteProcess = Fuck_NtTermianteProcess;
__asm{//恢复内存保护
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
return STATUS_SUCCESS;
}
//卸载HOOK
VOID UnInstallHook()
{
ULONG uOldAddr = 0;
PULONG BaseAddr = KeServiceDescriptorTable.ntoskrnl.ServiceTableBase;
PULONG TermianteProcess = (PULONG)((ULONG)*BaseAddr + (370 * 4));
__asm{//去掉内存保护
cli
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
*TermianteProcess=OldAddr;
__asm{//恢复内存保护
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}
}
VOID MyUnHook(PDRIVER_OBJECT pDriverObj)
{
DbgPrint("It's over..\n");
UnInstallHook();
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)
{
DbgPrint("Enter the DriverEntry...\n");
pDriverObj->DriverUnload = MyUnHook;
InstallHOOK();
return STATUS_SUCCESS;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
