[Help] A question about SSDT-hooking NtReadVirtualMemory

Posted: 2009-9-4 21:02

I have just started learning about the SSDT and used the following macros:
#define SYSTEMSERVICE(_function) \
KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function+1)]
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
_Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
SYSTEMSERVICE returns the address of an Nt* function.
SYSCALL_INDEX returns its service number.
HOOK_SYSCALL performs the hook.
For a function exported by ntoskrnl.exe, for example ZwEnumerateValueKey, they can be used like this:
ZwEnumerateValueKeyAddress = (ZWENUMERATEVALUEKEY)
(SYSTEMSERVICE(ZwEnumerateValueKey));
__asm cli
HOOK_SYSCALL( ZwEnumerateValueKey,
ZwEnumerateValueKeyHook,
ZwEnumerateValueKeyAddress );
__asm sti
But how do I use these macros to hook NtReadVirtualMemory (which ntoskrnl.exe does not export)?
I tried it this way:
RtlInitUnicodeString( &dllName, L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll" );
// obtain the service number of NtReadVirtualMemory from the ntdll stub
functionAddress = GetDllFunctionAddress("NtReadVirtualMemory", &dllName);
position = *((WORD*)( functionAddress + 1 )); // reads only the low 16 bits of the imm32 after "mov eax"; SYSCALL_INDEX reads a full ULONG
pos_ReadVirtualMemory = position;
if (pos_ReadVirtualMemory == 0)
{
DbgPrint("can't get services Number");
break;
}
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
NtReadVirtualMemoryAddress = (NTREADVIRTUALMEMORY) (*(KeServiceDescriptorTable.ServiceTableBase + pos_ReadVirtualMemory)); // get the original address of NtReadVirtualMemory
__asm cli
// NB: this exchanges the local variable pos_ReadVirtualMemory itself, not the table slot ServiceTableBase[pos_ReadVirtualMemory] that HOOK_SYSCALL writes to
NtReadVirtualMemoryAddress = (NTREADVIRTUALMEMORY)InterlockedExchange((PLONG)&pos_ReadVirtualMemory,(LONG)NtReadVirtualMemoryHook);
__asm sti
It has no effect. Hoping for an explanation!
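The following is an added example, not code from the original post: a user-mode C simulation of the two exchanges in the post, so the difference between swapping the index variable and swapping the SSDT slot can be run and checked on any host. Everything in it is a constructed stand-in: a fake service table instead of KeServiceDescriptorTable.ServiceTableBase, a hand-written XP-style x86 ntdll stub whose service index 0xBA is a made-up value, and plain assignment in place of InterlockedExchange on an MDL-mapped table. The function names (syscall_index_from_stub, hook_wrong, hook_right, demo) are assumptions for this demo, not Windows or WDK APIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a PVOID entry of KeServiceDescriptorTable.ServiceTableBase. */
typedef uintptr_t SYSCALL_FN;

/* Constructed fake service table (the real SSDT lives in ntoskrnl). */
#define FAKE_TABLE_SIZE 0x120
static SYSCALL_FN fake_ssdt[FAKE_TABLE_SIZE];

/* Constructed x86 XP-style ntdll stub for an Nt* export:
 *   B8 imm32          mov  eax, <service index>
 *   BA 00 03 FE 7F    mov  edx, 7FFE0300h   ; SystemCallStub pointer
 *   FF 12             call dword ptr [edx]
 *   C2 14 00          ret  14h
 * The index 0xBA is a constructed value for this demo, not a statement
 * about any real Windows build. */
static const unsigned char fake_stub[] = {
    0xB8, 0xBA, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x14, 0x00
};

/* Service index the way SYSCALL_INDEX reads it: the full 32-bit immediate
 * at offset 1, after checking the opcode really is "mov eax, imm32".
 * Returns -1 if the bytes do not look like such a stub. */
long syscall_index_from_stub(const unsigned char *stub, size_t len)
{
    uint32_t idx;
    if (len < 5 || stub[0] != 0xB8)
        return -1;
    memcpy(&idx, stub + 1, sizeof idx);   /* imm32 is little-endian */
    return (long)idx;
}

/* What the post does: the exchange targets the local index variable, so the
 * table entry is never touched and the "saved original" is just the old
 * index value cast to a pointer. */
SYSCALL_FN hook_wrong(long *pos, SYSCALL_FN hook)
{
    SYSCALL_FN old = (SYSCALL_FN)*pos;
    *pos = (long)hook;
    return old;
}

/* What HOOK_SYSCALL does: the exchange targets the table slot itself and
 * returns the original handler so the hook can call it and the unload
 * routine can restore it. A driver would use InterlockedExchange on a
 * writable (MDL-mapped) view of the table; assignment stands in for that. */
SYSCALL_FN hook_right(SYSCALL_FN *table, long pos, SYSCALL_FN hook)
{
    SYSCALL_FN old = table[pos];
    table[pos] = hook;
    return old;
}

/* Runs both variants against the fake table. Returns 1 when the wrong variant
 * leaves the slot unchanged, the right variant installs the hook and hands
 * back the original, and unhooking restores it; 0 otherwise. */
int demo(void)
{
    const SYSCALL_FN original = (SYSCALL_FN)0x80501234u;  /* constructed fake kernel address */
    const SYSCALL_FN my_hook  = (SYSCALL_FN)0xF8A0B000u;  /* constructed fake driver address */
    long pos = syscall_index_from_stub(fake_stub, sizeof fake_stub);
    if (pos < 0 || pos >= FAKE_TABLE_SIZE)
        return 0;
    fake_ssdt[pos] = original;

    long pos_copy = pos;
    hook_wrong(&pos_copy, my_hook);
    int wrong_untouched = (fake_ssdt[pos] == original) && (pos_copy == (long)my_hook);

    SYSCALL_FN saved = hook_right(fake_ssdt, pos, my_hook);
    int right_ok = (fake_ssdt[pos] == my_hook) && (saved == original);

    fake_ssdt[pos] = saved;                 /* unhook: always put the saved original back */
    return wrong_untouched && right_ok && (fake_ssdt[pos] == original);
}

int main(void)
{
    printf("service index 0x%lX, demo %s\n",
           syscall_index_from_stub(fake_stub, sizeof fake_stub),
           demo() ? "ok" : "FAILED");
    return 0;
}
```

Two caveats carry over to a real driver: the slot has to be written through a writable mapping (the MappedSystemCallTable that HOOK_SYSCALL uses, built with an MDL) or with the CR0 WP bit cleared, and `cli`/`sti` only masks interrupts on the current processor, so it is not a synchronization primitive on SMP machines; InterlockedExchange on the slot is what makes the swap atomic. Whatever is installed must be restored from the saved original in the unload routine.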