-
-
[旧帖] [求助]郁闷了我3天的小问题,谁帮忙指点下!!! 0.00雪花
-
发表于: 2009-8-23 22:43
-
这是一个极简单的SSDT Hook程序.
.386
.model flat,stdcall
option casemap:none
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib w2k\ntoskrnl.lib
.code
New_func proc aa,bb,cc,ddd,ee;任何调用直接返回
mov eax,STATUS_ACCESS_DENIED
ret
New_func endp
start:
DriverEntry proc pDriverObject:PDRIVER_OBJECT,RegPath:dword
local mdl:PMDL
local SSDTBaseaddr:dword
pushad
mov eax,KeServiceDescriptorTable
mov eax,[eax]
mov SSDTBaseaddr,eax
mov ebx,[eax+8]
lea ebx,[ebx*4];这里是ServiceNumber*4
invoke MmCreateMdl,0,eax,ebx;用mdl解除内存保护
mov mdl,eax
invoke MmBuildMdlForNonPagedPool,eax
mov eax,mdl
assume eax:PMDL
or [eax].MdlFlags,MDL_MAPPED_TO_SYSTEM_VA
assume eax:nothing
invoke MmMapLockedPages,mdl,KernelMode
lea eax,[SSDTBaseaddr+0e0h*4];这里Hook的ZwSetInformationFile()
mov [eax],offset New_func
popad
xor eax,eax
ret
DriverEntry endp
end start
我基本照着网上的写的,怎么老是没出效果呢,我加载了驱动可还是可以删除任何文件!!应该加载后不能删除任何文件的啊.....................忘看雪的兄弟们指点下.
.386
.model flat,stdcall
option casemap:none
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib w2k\ntoskrnl.lib
.code
New_func proc aa,bb,cc,ddd,ee;任何调用直接返回
mov eax,STATUS_ACCESS_DENIED
ret
New_func endp
start:
DriverEntry proc pDriverObject:PDRIVER_OBJECT,RegPath:dword
local mdl:PMDL
local SSDTBaseaddr:dword
pushad
mov eax,KeServiceDescriptorTable
mov eax,[eax]
mov SSDTBaseaddr,eax
mov ebx,[eax+8]
lea ebx,[ebx*4];这里是ServiceNumber*4
invoke MmCreateMdl,0,eax,ebx;用mdl解除内存保护
mov mdl,eax
invoke MmBuildMdlForNonPagedPool,eax
mov eax,mdl
assume eax:PMDL
or [eax].MdlFlags,MDL_MAPPED_TO_SYSTEM_VA
assume eax:nothing
invoke MmMapLockedPages,mdl,KernelMode
lea eax,[SSDTBaseaddr+0e0h*4];这里Hook的ZwSetInformationFile()
mov [eax],offset New_func
popad
xor eax,eax
ret
DriverEntry endp
end start
我基本照着网上的写的,怎么老是没出效果呢,我加载了驱动可还是可以删除任何文件!!应该加载后不能删除任何文件的啊.....................忘看雪的兄弟们指点下.
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
