[求助]各位帮帮~我这Inline hook 哪里错了-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]各位帮帮~我这Inline hook 哪里错了 0.00雪花

发表于: 2009-8-23 22:22 1145

[旧帖] [求助]各位帮帮~我这Inline hook 哪里错了 0.00雪花

zhuruinan

2009-8-23 22:22

1145

我用同方法  Inline  hook  NtOpenProcess 没有事

但是  Inline  hook  NtDeleteValueKey 出现蓝屏~~！！！

怎么回事？？？？哪里错了？？？

#include "ntddk.h"

#define FUNC_NAME L"NtDeleteValueKey"

PVOID Old_FuncAddress;

UCHAR oricode[5] = {0};

UCHAR nowcode[5] = { 0xe9, 0, 0, 0, 0 };
UCHAR jmpcode[5] = { 0xe9, 0, 0, 0, 0 };

VOID DisableWP();
VOID EnableWP();

const WCHAR tty[] =L"zhu";

NTSTATUS  NTAPI HookFunc(IN HANDLE KeyHandle,IN PUNICODE_STRING  ValueName);

NTSTATUS  NTAPI JmpFunc(IN HANDLE KeyHandle,IN PUNICODE_STRING  ValueName);

VOID HookOn();
VOID HookOff();

#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)

VOID KernelSleep(LONG msec)
{
LARGE_INTEGER my_interval;
my_interval.QuadPart = DELAY_ONE_MILLISECOND;
my_interval.QuadPart *= msec;
KeDelayExecutionThread(KernelMode,0,&my_interval);
}

VOID DisableWP()
{
   _asm{
cli
         mov  eax, cr0
         and  eax, 0FFFEFFFFh
         mov  cr0, eax
   }

}

VOID EnableWP()
{
   _asm{
      mov  eax, cr0
      or eax, not 0FFFEFFFFh
      mov  cr0, eax
      sti
   }
}

NTSTATUS NTAPI HookFunc(IN HANDLE KeyHandle,IN PUNICODE_STRING  ValueName)
{

      UNICODE_STRING yyo;
      UNICODE_STRING dut;
      ANSI_STRING tbb;
      RtlUnicodeStringToAnsiString(&tbb,ValueName,TRUE);
      RtlInitUnicodeString(&yyo,tty);
      RtlAnsiStringToUnicodeString(&dut,&tbb,TRUE);
if(RtlEqualUnicodeString(&yyo,&dut,TRUE))
{
   return STATUS_ACCESS_DENIED;
}
      else
      {
      return JmpFunc(KeyHandle,ValueName);
      }

}

__declspec(naked)

NTSTATUS  NTAPI JmpFunc(IN HANDLE KeyHandle,IN PUNICODE_STRING  ValueName)
{
__asm
{
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}

VOID HookOn()
{

UNICODE_STRING funcName;
RtlInitUnicodeString(&funcName,FUNC_NAME);

Old_FuncAddress=MmGetSystemRoutineAddress(&funcName);

RtlCopyMemory(oricode,(UCHAR*)Old_FuncAddress,5);
*((ULONG*)(nowcode+1)) = (ULONG)HookFunc - (ULONG)Old_FuncAddress - 5;

DisableWP();

RtlCopyMemory((UCHAR*)Old_FuncAddress,nowcode,5);

RtlCopyMemory((UCHAR*)JmpFunc,oricode,5);

*((ULONG*)(jmpcode+1)) = (ULONG)Old_FuncAddress - (ULONG)JmpFunc - 5;

RtlCopyMemory((UCHAR*)JmpFunc+5,jmpcode,5);

EnableWP();

return;
}

VOID HookOff()
{
DisableWP();
RtlCopyMemory((UCHAR*)Old_FuncAddress,oricode,5);
EnableWP();
return;
}

VOID xie(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING DeviceLinkString;
PDEVICE_OBJECT DeviceObjectTemp1=NULL;
PDEVICE_OBJECT DeviceObjectTemp2=NULL;
RtlInitUnicodeString(&DeviceLinkString,DOS_DEVICE_NAME);
IoDeleteSymbolicLink(&DeviceLinkString);
if(DriverObject)
{
DeviceObjectTemp1=DriverObject->DeviceObject;
while(DeviceObjectTemp1)
{
DeviceObjectTemp2=DeviceObjectTemp1;
DeviceObjectTemp1=DeviceObjectTemp1->NextDevice;
IoDeleteDevice(DeviceObjectTemp2);
}
}

      HookOff();
}

NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT  DeviceObject,IN PIRP  Irp)
{

.........................................
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING theRegistryPath)
{
..................................................................

      HookOn();

return STATUS_SUCCESS;
}

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

收藏・0

免费・0

支持