2 楼
NtSuspendThread或者PsSuspendThread或者KeSuspendThread
|
能力值:
( LV2,RANK:10 )
|
-
-
3 楼
NtSuspendThread或者PsSuspendThread或者KeSuspendThread 不是停止ring的么 ring的suspendthread最终还是会调用的。。
|
能力值:
( LV2,RANK:10 )
|
-
-
4 楼
我试过 NtSuspendThread 了。不行的。返回的是 拒绝访问的错误
0xC0000022 返回值。。 郁闷了。。有其他的方法么。。
|
能力值:
( LV2,RANK:10 )
|
-
-
5 楼
我的代码是这样的
#include<ntddk.h>
#include<windef.h>
#include<ntdef.h>
/////////////////////////////////////
/* Forward declaration: the unload routine registered in DriverEntry. */
void OnUnload(IN PDRIVER_OBJECT DriverObject);

/* Control codes handled by DispatchDeviceControl. Both use METHOD_NEITHER,
 * so the I/O manager neither copies nor probes the caller's buffers. */
#define IOCTL_STARTTHREAD (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x852, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA )
#define IOCTL_STOPTHREAD  (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0x853, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA )

/* Driver-wide state; file-scope objects are zero-initialised by the loader. */
LARGE_INTEGER liTime;          /* delay interval written by MyWorkThread */
HANDLE hThread;                /* thread handle returned by PsCreateSystemThread */
ULONG ZwSTAddr = 0x805ca69e;   /* NOTE(review): hard-coded routine address called by IOCTL_STOPTHREAD;
                                * presumably taken from one specific kernel build and wrong on any other */
ULONG IsOk;                    /* NTSTATUS of the last start/stop operation */
UNICODE_STRING DerName;        /* \Device\MyStartThread */
UNICODE_STRING DerName2;       /* \??\MyStartThreadDos */
PDEVICE_OBJECT pDevObj;        /* control device created in DriverEntry */
/* Default dispatch routine installed for every major function by DriverEntry:
 * logs, completes the IRP with STATUS_SUCCESS and returns that status. */
NTSTATUS DisPatchCreateClose(PDEVICE_OBJECT pDriverObj, PIRP pIrp)
{
    const NTSTATUS completion = STATUS_SUCCESS;

    DbgPrint("DisPatchCreate!");
    pIrp->IoStatus.Status = completion;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return completion;
}
//////////////////////////////////////
/* Body of the system thread started by IOCTL_STARTTHREAD: waits about one
 * second at a time and logs a heartbeat. The loop has no exit condition, so
 * the thread never reaches PsTerminateSystemThread and keeps executing this
 * image's code for as long as the system runs (NOTE(review): also after
 * OnUnload has run, since nothing here observes a stop request). */
void MyWorkThread(IN PVOID pContext)
{
    /* A negative LARGE_INTEGER is a relative interval in 100-ns units;
     * -10,000,000 is one second. Stored in the global used by the wait below. */
    liTime.QuadPart = -(LONGLONG)1000 * 10000;

    /* Callers of KeDelayExecutionThread must be running at IRQL <= APC_LEVEL.
     * Alertable == TRUE lets an alert or APC end the wait early. */
    for (;;) {
        KeDelayExecutionThread(KernelMode, TRUE, &liTime);
        DbgPrint("Thread Is Still Alive");
    }
}
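/* IOCTL handler. IOCTL_STARTTHREAD creates the system thread that runs
 * MyWorkThread and keeps its handle in the global hThread; IOCTL_STOPTHREAD
 * suspends that thread by calling the routine at ZwSTAddr. In both cases the
 * NTSTATUS of the kernel call is completed back to the caller, so a user-mode
 * DeviceIoControl fails when the kernel call failed (the original never
 * changed status from STATUS_INVALID_DEVICE_REQUEST, so every request failed
 * from the caller's point of view). An unknown control code, a second start
 * while a thread handle exists, and a stop before any start all complete with
 * STATUS_INVALID_DEVICE_REQUEST.
 *
 * Neither IOCTL transfers data (METHOD_NEITHER, no payload), so the user
 * buffers are never touched and IoStatus.Information is always 0. */
NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (uIoControlCode) {
    case IOCTL_STARTTHREAD:
        /* Refuse to overwrite a live handle: a second start would leak the
         * first thread's handle and leave that thread unreachable. */
        if (hThread != NULL) {
            break;
        }
        /* THREAD_ALL_ACCESS instead of 0: the handle is later handed to a
         * suspend routine, which references it with the suspend/resume right;
         * this dispatch typically runs on the user caller's thread, so with
         * PreviousMode == UserMode that access check is enforced and a handle
         * created with DesiredAccess 0 fails it with STATUS_ACCESS_DENIED
         * (0xC0000022), the error reported in this thread. THREAD_SUSPEND_RESUME
         * alone is the least-privilege mask where its definition is in scope. */
        IsOk = PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, (HANDLE)0, NULL, MyWorkThread, NULL);
        if (!NT_SUCCESS(IsOk)) {
            hThread = NULL; /* never keep a handle value from a failed create */
        }
        DbgPrint("Have Start MyStartThread IsOk=0x%08X hThread=0x%08X", IsOk, hThread);
        status = IsOk;
        break;

    case IOCTL_STOPTHREAD:
        if (hThread == NULL) {
            break; /* nothing has been started */
        }
        /* stdcall call of the routine at ZwSTAddr with
         * (ThreadHandle = hThread, PreviousSuspendCount = NULL). NOTE(review):
         * the address is specific to one kernel build; on any other build this
         * transfers control to unrelated code. Left as in the original. */
        __asm
        {
            push 0
            push hThread
            call ZwSTAddr
            mov IsOk, eax
        }
        DbgPrint("Have Stop MyStartThread IsOk=0x%08X hThread=0x%08X", IsOk, hThread);
        status = IsOk;
        break;

    default:
        break;
    }

    /* No bytes are ever written to the caller's buffer, so do not report
     * OutputBufferLength as the transfer count. */
    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}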
///////////////////////////////////////////////////
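/* Driver entry point: installs the dispatch table, creates the control device
 * \Device\MyStartThread and its user-visible alias \??\MyStartThreadDos.
 * If the symbolic link cannot be created the device object is deleted before
 * the error is returned, because the I/O manager does not call DriverUnload
 * when DriverEntry fails (the original returned the error and leaked the
 * device). Returns STATUS_SUCCESS or the NTSTATUS of the failing call.
 *
 * NOTE(review): the device is created with no security descriptor and
 * Exclusive == FALSE, so any local caller able to open the alias can issue
 * the start/stop IOCTLs; restricting who may open it is left to the caller's
 * deployment (e.g. a secure-create variant of IoCreateDevice). */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG i;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries; "<=" reaches the
     * last one, which the original "<" left at the I/O manager default. */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; ++i) {
        DriverObject->MajorFunction[i] = DisPatchCreateClose;
    }
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
    DriverObject->DriverUnload = OnUnload;

    RtlInitUnicodeString(&DerName, L"\\Device\\MyStartThread");
    status = IoCreateDevice(DriverObject, 0, &DerName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
    if (!NT_SUCCESS(status)) {
        DbgPrint("IoCreateDevice Fail!");
        return status;
    }

    RtlInitUnicodeString(&DerName2, L"\\??\\MyStartThreadDos");
    status = IoCreateSymbolicLink(&DerName2, &DerName);
    if (!NT_SUCCESS(status)) {
        DbgPrint("IoCreateSymbolicLink fail!");
        /* Undo the device creation: a failed DriverEntry gets no unload call. */
        IoDeleteDevice(pDevObj);
        pDevObj = NULL;
        return status;
    }

    DbgPrint("MyStartThread Load!");
    return status;
}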
/////////////////////////////////////////////////////
/* Unload routine: removes the DOS symbolic link and the device object.
 * NOTE(review): a thread started by IOCTL_STARTTHREAD is neither stopped nor
 * has its handle (hThread) closed here; MyWorkThread loops forever, so its
 * code is unmapped underneath it when the image goes away. */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    const NTSTATUS linkStatus = IoDeleteSymbolicLink(&DerName2);

    if (linkStatus != STATUS_SUCCESS) {
        DbgPrint("DeleteSymbolicLink Fail!");
    }
    IoDeleteDevice(DriverObject->DeviceObject);
    DbgPrint("MyStartThread Unhooker unload!");
}