KMD Hook NtOpenProcess,下面哪里不对头
发表于: 2006-3-22 14:03 5613

KMD Hook NtOpenProcess,下面哪里不对头

.386
.model flat, stdcall
option casemap:none

include ntstatus.inc
include ntddk.inc
include ntoskrnl.inc
include w2kundoc.inc
includelib ntoskrnl.lib
include \RadASM\Masm\Macro\Strings.asm

.data
; State shared by DriverEntry, DriverUnload and hookproc (all in this file).
realaddr dd 0                    ; original service-table entry saved by DriverEntry;
                                 ; hookproc tail-jumps to it, DriverUnload writes it back
CR0Reg dd 0                      ; CR0 value read before the table write; written by
                                 ; both DriverEntry and DriverUnload (second write overwrites the first)
Messaga1 db "OpenProcess",0      ; printed by hookproc via DbgPrint on every intercepted call
Messaga2 db "Driver loaded", 0   ; printed once from DriverEntry

.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; ABI:   stdcall (.model flat, stdcall), 32-bit kernel mode
; In:    pDriverObject   = driver object supplied by the I/O manager
;        pusRegistryPath = not used here
; Out:   eax = STATUS_SUCCESS, unconditionally (no failure path)
; Side effects:
;        - saves the service-table entry at index 06ah into realaddr
;        - overwrites that entry with the address of hookproc
;        - registers DriverUnload on the driver object
;        - writes the global CR0Reg
;        No device object is created: the local pDeviceObject is declared
;        but never written or read.
; Clobb: nothing visible to the caller (pushad/popad around the body).
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local pDeviceObject:PVOID                ; unused

pushad
invoke DbgPrint, addr Messaga2           ; "Driver loaded"

; Locate the system service table.
; NOTE(review): whether one or two dereferences are needed to reach the
; function-pointer table depends on how w2kundoc.inc declares
; KeServiceDescriptorTable. The third post in this thread says a second
; `mov edi, [edi]` is required -- confirm against the include's declaration.
mov edi, KeServiceDescriptorTable
mov edi, [edi]

; The service index is hard-coded. 06ah came from online material for
; Windows 2000 (the author's note: "read online that the 2000 service number
; is 6a, so I changed it"); the disassembly quoted in the reply below shows
; the ZwOpenProcess stub on another kernel loading eax with 0x7a, so this
; index differs between builds and must match the target kernel exactly.
mov eax, [edi+(06ah*4)] ;edi+07ah*4 - NtOpenProcess (author's original note)
mov realaddr, eax       ; keep the original entry: hookproc chains to it, DriverUnload restores it

cli                                      ; interrupts off around the CR0/table writes; paired with the sti below
mov eax, CR0
mov CR0Reg, eax                          ; remember CR0 so it can be put back afterwards
; NOTE(review): AND with -1 (all ones) is the identity -- eax is unchanged,
; so the next instruction writes CR0 back with exactly the value just read.
; The intent the author states in DriverUnload ("this should allow the code
; to be modified") is therefore not implemented by this sequence.
and eax, -1
mov cr0, eax
mov [edi+(06ah*4)], dword ptr offset hookproc ; install hookproc into the slot
mov eax, CR0Reg
mov CR0, eax                             ; restore CR0 (same value as before, given the identity AND above)
sti

mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload ; make the driver unloadable; DriverUnload undoes the table write
assume eax:nothing

popad
mov eax, STATUS_SUCCESS                  ; set after popad, otherwise popad would overwrite the return value
ret
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; ABI:   stdcall, 32-bit kernel mode
; In:    pDriverObject = not used here
; Side effects:
;        - writes realaddr back into service-table slot 06ah
;        - writes the global CR0Reg
; Clobb: nothing visible to the caller (pushad/popad around the body).
; NOTE(review): nothing here waits for a thread that may still be inside
; hookproc before the image is unmapped -- verify the unload ordering.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
pushad
; Same table lookup as DriverEntry; the same caveat applies about how many
; dereferences the include's declaration of KeServiceDescriptorTable needs.
mov edi, KeServiceDescriptorTable
mov edi, [edi]
; table address obtained (author's note)
mov eax, CR0
mov CR0Reg, eax                          ; save CR0 (replaces the value DriverEntry stored in the same global)
; NOTE(review): AND with -1 leaves eax unchanged, so CR0 is rewritten with
; the value just read; the author's note below describes an intent that
; this instruction does not carry out.
and eax, -1
mov cr0, eax
; author's note: "this should be what allows the code to be modified"
mov eax, dword ptr realaddr
mov [edi+(06ah*4)], eax                  ; put the original entry back into the slot

mov eax, CR0Reg
mov CR0, eax
; NOTE(review): there is no matching cli in this proc (DriverEntry has one),
; so this sti enables interrupts regardless of their state on entry.
sti
popad
ret
DriverUnload endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; hookproc -- routine installed by DriverEntry into service-table slot 06ah
;             in place of the original entry.
; Declares no parameters of its own: it is entered with the original
; service's stack arguments in place, prints "OpenProcess", then tail-jumps
; to the saved original entry. Because this is a jmp and not a call, the
; original routine sees the untouched argument frame and returns directly to
; whoever dispatched the service; hookproc itself never returns (the `ret`
; below is commented out and would be unreachable after the jmp anyway).
; Clobb: whatever DbgPrint clobbers as a C-convention call -- presumably
;        eax, ecx, edx and flags; the original routine is then entered with
;        those values. TODO confirm the dispatcher does not rely on them.
;-----------------------------------------------------------------------
hookproc proc                          ; author: "control never arrives here; my own machine is XP"
invoke DbgPrint, addr Messaga1         ; author: "thinking the service number may just be different"
jmp dword ptr realaddr                 ; author: "changed it to 6a and ran it in a Win2000 VM, still no output"
; ret                                  ; unreachable after the jmp above; kept commented out
hookproc endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry


最新回复 (2)
试试看这个函数:MmGetSystemRoutineAddress
这个函数可以得到系统例程的地址;拿到地址后反汇编,就能在 stub 里的 mov eax 立即数中看到 NTCALL 号,比如:
lkd> u ZwOpenProcess
nt!ZwOpenProcess:
804e4c0a b87a000000       mov     eax,0x7a
804e4c0f 8d542404         lea     edx,[esp+0x4]
804e4c13 9c               pushfd
804e4c14 6a08             push    0x8
804e4c16 e8b69bffff       call    nt!KiDeliverApc+0x9d0 (804de7d1)
804e4c1b c21000           ret     0x10

函数描述:
MmGetSystemRoutineAddress
The MmGetSystemRoutineAddress routine returns a pointer to a function specified by SystemRoutineName.

NTKERNELAPI
PVOID
  MmGetSystemRoutineAddress(
    IN PUNICODE_STRING  SystemRoutineName
    );
Parameters
SystemRoutineName
Specifies name of system routine to resolve.
Return Value
If the function name can be resolved, the routine returns a pointer to the function. Otherwise, the routine returns NULL.

Headers
Declared in wdm.h and ntddk.h. Include wdm.h and ntddk.h.

Comments
MmGetSystemRoutineAddress is available on Windows® 2000 and later.

Drivers can use this routine to determine if a routine is available on a specific version of Windows. It can only be used for routines exported by the kernel or HAL, not for any driver-defined routine.

This routine can only be called at IRQL = PASSIVE_LEVEL.

2006-3-24 09:45
到wasm.ru问了一下,在这个地方
mov edi, KeServiceDescriptorTable
mov edi, [edi]
下面再加个
mov edi, [edi]
结构定义如下,在 asm 里解引用两次就可以了:
typedef struct ServiceDescriptorTable {
SDE ServiceDescriptor[4];
} SDT;
typedef struct ServiceDescriptorEntry {
PDWORD KiServiceTable;
PDWORD CounterTableBase;
DWORD ServiceLimit;
PBYTE ArgumentTable;
} SDE;
2006-3-24 14:42