-
-
[求助]HookNtOpenProces 出现蓝屏
-
发表于:
2018-9-25 05:50
2966
-
[求助]HookNtOpenProces 出现蓝屏
本人小白刚学习内核几天 HookNtOpenProces 出现蓝屏死机
xp 系统 贴上代码 环境VS2017
ULONG GetNtSSDT_Old_Addr(IN PCWSTR FunctionName)
{
UNICODE_STRING Old_NtOpenProcess;
ULONG old_Addr;
RtlInitUnicodeString(&Old_NtOpenProcess, FunctionName);
old_Addr = (ULONG)MmGetSystemRoutineAddress(&Old_NtOpenProcess);
return old_Addr;
}
ULONG NtOpenProcessOld;
PEPROCESS processEPROCESS = NULL;
NTSTATUS __declspec(naked) __stdcall InLineNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
)
{
HANDLE Pid;
ANSI_STRING str;
if (ClientId!=NULL)
{
Pid = ClientId->UniqueProcess;
DbgPrint("调用者的PID为:%d", (int)Pid);
}
processEPROCESS = IoGetCurrentProcess();
RtlInitAnsiString(&str, (PTSTR)(ULONG)processEPROCESS + 0x174);
DbgPrint("调用者的进程名为:%s", str);
__asm {
push 0C4h
mov eax, NtOpenProcessOld
add eax, 5
jmp eax
}
}
NTSTATUS AnitNtOpenProcess()
{
NtOpenProcessOld = GetNtSSDT_Old_Addr(L"NtOpenProcess");
//*(ULONG *)(Jmp + 1) = (ULONG)InLineNtOpenProcess - ((ULONG)NtOpenProcessOld - 5);
ULONG jmpbyte = (ULONG)InLineNtOpenProcess - NtOpenProcessOld -5;
DbgPrint("\nInLineNtOpenProcess:%0x", InLineNtOpenProcess);
DbgPrint("\nNtOpenProcessOld:%0x", NtOpenProcessOld);
DbgPrint("\njmp:%0x", jmpbyte);
CloseProtect();//去除内核页面保护
__asm
{
mov ebx, NtOpenProcessOld
mov byte ptr ds : [ebx], 0xe9
mov eax, jmpbyte
mov DWORD ptr ds : [ebx + 1], eax
}
StartProtect();//开启内核页面保护
return 1;
}
//InLine NtOpenProcess 实现函数
贴上HOOK之前的原始字节
805c2512 68c4000000 push 0C4h
805c2517 68b0aa4d80 push offset nt!ObWatchHandles+0x25c (804daab0)
805c251c e8ff6bf7ff call nt!_SEH_prolog (80539120)
805c2521 33f6 xor esi,esi
805c2523 8975d4 mov dword ptr [ebp-2Ch],esi
805c2526 33c0 xor eax,eax
805c2528 8d7dd8 lea edi,[ebp-28h]
805c252b ab stos dword ptr es:[edi]
HOOK后的原始字节
805c2512 e9b9ebeb39 jmp Hook!InLineNtOpenProcess (ba4810d0)
805c2517 68b0aa4d80 push offset nt!ObWatchHandles+0x25c (804daab0)
805c251c e8ff6bf7ff call nt!_SEH_prolog (80539120)
805c2521 33f6 xor esi,esi
805c2523 8975d4 mov dword ptr [ebp-2Ch],esi
805c2526 33c0 xor eax,eax
805c2528 8d7dd8 lea edi,[ebp-28h]
805c252b ab stos dword ptr es:[edi]
搞了2天实在无能为力,才上来发帖
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课