我贴代码了 直接拿现成的修复了一下相关结构的偏移 不知为什么 HOOK就蓝屏
#include "hidewinex.h"
ULONG SearchProcess(char *szProcessName)
{
ULONG pEprocess,LastProcess;
ULONG Current_Pid;
ULONG Start_Pid;
int index;
PLIST_ENTRY pList_Active_Process;
if (!MmIsAddressValid(szProcessName))
return 0;
index = 0;
pEprocess = (ULONG)PsGetCurrentProcess();
Start_Pid = *(ULONG*)(pEprocess+PROCESSID_OFFSET);
Current_Pid = Start_Pid;
while(TRUE)
{
LastProcess = pEprocess;
pList_Active_Process = (PLIST_ENTRY)(pEprocess+PROCESSLIST_OFFSET);
pEprocess = (ULONG)pList_Active_Process->Flink;
pEprocess = pEprocess - PROCESSLIST_OFFSET;
Current_Pid = *(ULONG*)(pEprocess+PROCESSID_OFFSET);
KdPrint(("name:",*(char*)(LastProcess+0x170)));
if ((Current_Pid==Start_Pid)&&index>0)
{
return 0;
}else if (strstr((char*)LastProcess+0x170,szProcessName)!=0)
{
return pEprocess;
}
index++;
}
return 0;
}
ULONG KeQueryRuntimeProcess (PKPROCESS Process)
{
KLOCK_QUEUE_HANDLE LockHandle;
PULONG SSDTShadowAddress=0;
PLIST_ENTRY NextEntry;
PKTHREAD Thread;
ULONG TotalTime;
PKSPIN_LOCK ProcessLock;
PLIST_ENTRY Thread_List_Head;
ASSERT(KeGetCurrentIrql() <= DISPATCH_LEVEL);
ProcessLock = (PKSPIN_LOCK)((ULONG)Process+0x034); // ProcessLock
//_EPROCESS结构中的ThreadListHead 成员,指向进程保护的线程列表。
Thread_List_Head=(PLIST_ENTRY)((ULONG)Process+0x02c);
NextEntry = Thread_List_Head->Flink;
while (NextEntry != Thread_List_Head)
{
//循环线程列表取出每一个线程_KTHREAD结构体。
Thread = (PKTHREAD)((ULONG)NextEntry - 0x1d4);
//查找每一个线程,看看这个成员是否为0。非0是gui线程表示这个线程是GUI线程。
if(((ULONG)Thread+0x124)!=0)
{
//如果是GUI线程,那么_KTHREAD的ServiceTable成员将指向SSDT SHADOW table地址。
SSDTShadowAddress = (PULONG)((ULONG)Thread +0x03c);
break;
}
NextEntry = NextEntry->Flink;
}
return *SSDTShadowAddress; //返回shadow地址。
}
ULONG SearchGUIThread(ULONG uProcessObj,ULONG uflag)
{
ULONG uThreadObj;
ULONG uSeviceTable,uW32Thread;
PLIST_ENTRY pListHead,pNextList;
if (!MmIsAddressValid((PVOID)uProcessObj))
{
return 0;
}
pListHead = *(PLIST_ENTRY*)(uProcessObj+THREADHEADOFPROCESS_OFFSET);
if (!MmIsAddressValid(pListHead))
{
return 0;
}
pNextList = pListHead->Flink;
while (pNextList!=pListHead)
{
uThreadObj = (ULONG)pNextList - THREADLISTOFTHREAD_OFFSET;
if (uflag==0)
{
uSeviceTable = *(ULONG*)(uThreadObj+SEVICETABLEOFTHREAD_OFFSET);
if (MmIsAddressValid((PVOID)uSeviceTable))
{
if (uSeviceTable!=(ULONG)(&KeServiceDescriptorTable))
{
return uThreadObj;
}
}
}else if (uflag==1)
{
uW32Thread = *(ULONG*)(uThreadObj+WIN32THREAD_OFFSET);
if (uW32Thread)
{
return uThreadObj;
}
}
pNextList = pNextList->Flink;
}
return 0;
}
VOID InitializeProtectWindow()
{
PServiceDescriptorTableEntry_t pShadowSSDT;
g_GUIProcessObj = SearchProcess("smss");
if (g_GUIProcessObj==0)
{
KdPrint(("get explorer error."));
g_bProtectWindow = FALSE;
return;
}
g_GUIProcessId = *(ULONG*)(g_GUIProcessObj+PROCESSID_OFFSET);
// g_GUIThreadObj = SearchGUIThread(g_GUIProcessObj,0);
g_GUIThreadObj=KeQueryRuntimeProcess(g_GUIProcessObj);
if (!MmIsAddressValid((PVOID)g_GUIThreadObj))
{
KdPrint(("get gui thread error."));
g_bProtectWindow = FALSE;
return;
}
pShadowSSDT = *(PServiceDescriptorTableEntry_t*)\
(g_GUIThreadObj+SEVICETABLEOFTHREAD_OFFSET);
pShadowSSDT++;
KeAttachProcess((PKPROCESS)g_GUIProcessObj);
gfn_NtUserFindWindowEx = \
pShadowSSDT->ServiceTableBase[NTUSERFINDWINDOWEXID];
gfn_NtUserBuildHwndList = \
pShadowSSDT->ServiceTableBase[NTUSERBUILDHWNDLISTID];
gfn_NtUserQueryWindow = \
pShadowSSDT->ServiceTableBase[NTUSERQUERYWINDOWID];
//gfn_NtUserQueryWindow =(gfn_NtUserQueryWindow+20);
gfn_NtUserGetForegroundWindow = \
pShadowSSDT->ServiceTableBase[NTUSERGETFOREGROUNDWINDOWID];
gfn_NtUserWindowFromPoint = \
pShadowSSDT->ServiceTableBase[NTUSERWINDOWFROMPOINTID];
gfn_NtUserWindowFromPoint = (gfn_NtUserWindowFromPoint+17) + \
*(ULONG*)(gfn_NtUserWindowFromPoint+18) + 5;
_gptiCurrent = *(PVOID*)(\
pShadowSSDT->ServiceTableBase[NTUSERCREATEDESKTOPEXID]+0x12);
if (!gfn_NtUserFindWindowEx||
!gfn_NtUserBuildHwndList||
!gfn_NtUserQueryWindow||
!gfn_NtUserGetForegroundWindow||
!gfn_NtUserWindowFromPoint||
!_gptiCurrent)
{
KdPrint(("get function error."));
g_bProtectWindow = FALSE;
KeDetachProcess();
return;
}
KdPrint(("xxxx:%X :",gfn_NtUserGetForegroundWindow));
KdPrint(("xxxx:%X :",gfn_NtUserFindWindowEx));
KdPrint(("xxxx:%X :",gfn_NtUserBuildHwndList));
KdPrint(("xxxx:%X :",gfn_NtUserQueryWindow));
KdPrint(("xxxx:%X :",gfn_NtUserGetForegroundWindow));
KdPrint(("xxxx:%X :",gfn_NtUserWindowFromPoint));
KdPrint(("xxxcx:%X :",g_GUIProcessObj));
g_FindWindowExTackValue1 = (ULONG)*(UCHAR*)(gfn_NtUserFindWindowEx+1);
g_FindWindowExTackValue2 = *(ULONG*)(gfn_NtUserFindWindowEx+3);
g_JmpNtUserFindWindowEx = gfn_NtUserFindWindowEx+7;
g_BuildHwndListTackValue1 = (ULONG)*(UCHAR*)(gfn_NtUserBuildHwndList+1);
g_BuildHwndListTackValue2 = *(ULONG*)(gfn_NtUserBuildHwndList+3);
g_JmpNtUserBuildHwndList = gfn_NtUserBuildHwndList+7;
g_QueryWindowTackValue1 = g_QueryWindowTackValue2 = 0;
g_JmpNtUserQueryWindow = gfn_NtUserQueryWindow+5;
g_GetForegroundWindowTackValue1 = (gfn_NtUserGetForegroundWindow+3)\
+ *(ULONG*)(gfn_NtUserGetForegroundWindow+4) + 5;
g_GetForegroundWindowTackValue2 = 0;
g_JmpNtUserGetForegroundWindow = gfn_NtUserGetForegroundWindow+8;
g_WindowFromPointTackValue1 = 0;
g_WindowFromPointTackValue2 = 0;
g_JmpNtUserWindowFromPoint = gfn_NtUserWindowFromPoint+5;
KeDetachProcess();
g_bProtectWindow = TRUE;
}
ULONG __stdcall PublicFiterFunc()
{
if (strstr((char*)PsGetCurrentProcess()+0x170,GAME_NAME)!=0 ||
strstr((char*)PsGetCurrentProcess()+0x170,"GameMon")!=0)
{
return 1;
}
return 0;
}
VOID NewNtUserFindWindowEx()
{
__asm{
pushad
pushfd
call PublicFiterFunc
test eax,eax
je __Exit
popfd
popad
xor eax,eax
retn 14h
__Exit:
popfd
popad
push g_FindWindowExTackValue1
push g_FindWindowExTackValue2
jmp g_JmpNtUserFindWindowEx
}
}
VOID HookNtUserFindWindowEx()
{
KeAttachProcess((PKPROCESS)g_GUIProcessObj);
g_bHookNtUserFindWindowEx = Jmp_HookFunction(\
gfn_NtUserFindWindowEx,\
(ULONG)NewNtUserFindWindowEx,\
g_cNtUserFindWindowEx\
);
KeDetachProcess();
}
VOID UnHookNtUserFindWindowEx()
{
KeAttachProcess((PKPROCESS)g_GUIProcessObj);
if (g_bHookNtUserFindWindowEx)
{
Res_HookFunction(\
gfn_NtUserFindWindowEx,\
g_cNtUserFindWindowEx,\
5);
}
KeDetachProcess();
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
