SSDT_HOOK NtOpenProcess(代码)

#include <ntddk.h>
#include <windef.h>
#include <stdlib.h>


// Layout of the kernel's service descriptor table (the structure KeServiceDescriptorTable
// points at). Only the first member is read by the inline asm below, via [eax].
typedef struct _ServiceDescriptorTable {
    PVOID ServiceTableBase;            // base address of the System Service Dispatch Table (SSDT)
    PVOID ServiceCounterTable;        // per-service call counters for the SSDT; normally updated by sysenter
    unsigned int NumberOfServices;    // number of services described by ServiceTableBase
    PVOID ParamTableBase;            // base of the table holding each system service's parameter byte count
}*PServiceDescriptorTable; 
// Kernel-exported symbol, declared by hand because the public headers do not expose it.
// The extern "C" means this translation unit is built as C++ (name mangling suppressed).
extern "C" PServiceDescriptorTable KeServiceDescriptorTable;


// Original SSDT entry for NtOpenProcess, read by HOOKNtOpenProcess and restored by
// UnHOOKNtOpenProcess. A ULONG only holds a 32-bit pointer, so this is x86-only.
ULONG Old_NtOpProAddress;
// Address of MyNtOpenProcess; in this file it is only assigned and logged, the asm
// writes MyNtOpenProcess into the table directly.
ULONG New_NtOpProAddress;

// Prototype of the native NtOpenProcess, used to call the saved original from the hook.
typedef NTSTATUS  (*NTOPENPROCESS)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
    );


/*
 * Replacement installed into the SSDT slot by HOOKNtOpenProcess.
 *
 * Emits one debug line, then forwards every argument unchanged to the
 * original NtOpenProcess saved in Old_NtOpProAddress and returns its status.
 * The parameter list mirrors the native prototype (NTOPENPROCESS); no
 * argument is inspected or modified here.
 */
NTSTATUS  MyNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
    )
{
    DbgPrint("一次成功!");

    /* Old_NtOpProAddress is filled in by HOOKNtOpenProcess before this routine
       becomes reachable through the table. */
    NTOPENPROCESS original = (NTOPENPROCESS)Old_NtOpProAddress;
    return original(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}



/*
 * Installs MyNtOpenProcess into the SSDT slot at index 122 and saves the
 * previous entry in Old_NtOpProAddress so MyNtOpenProcess can chain to it
 * and UnHOOKNtOpenProcess can restore it. No return value; failure is not
 * detectable from here.
 *
 * Review notes on what this code does and does not do:
 *  - The index 122 is hard-coded (twice); SSDT indices differ between
 *    Windows versions, so this matches only the build the author targeted.
 *    A named constant would at least keep the two uses in sync.
 *  - The CR0 write-protect toggle (bit 16) and cli/sti affect the current
 *    processor only. Nothing here raises IRQL or synchronises other CPUs,
 *    so the window between clearing and restoring WP is not serialised.
 *  - 32-bit inline asm plus ULONG-sized addresses: not buildable for x64.
 *  - New_NtOpProAddress is only logged; the table write uses MyNtOpenProcess
 *    directly.
 */
VOID HOOKNtOpenProcess()
{

    // Read the current entry: eax = KeServiceDescriptorTable->ServiceTableBase,
    // ecx = ServiceTableBase[122], saved into Old_NtOpProAddress.
    _asm
    {
        push ebx
            push eax
            push ecx

            mov  ebx,122
            mov  eax,KeServiceDescriptorTable
            mov  eax,[eax]
            mov  ecx,[eax+ebx*4]
            mov  Old_NtOpProAddress,ecx
            pop  ecx
            pop  eax
            pop  ebx
    }

    DbgPrint("旧_NtOpenProcess:0x%X\n",Old_NtOpProAddress);

    New_NtOpProAddress = (ULONG)MyNtOpenProcess;
    DbgPrint("新_NtOpenProcess:0x%X\n",New_NtOpProAddress);

    // Clear CR0.WP (bit 16) so the read-only SSDT page can be written;
    // interrupts are disabled on this CPU until the matching sti below.
    _asm // disable write protection
    {
        cli
            mov eax,CR0
            and  eax,not 10000h
            mov CR0,eax
    }


    // Overwrite ServiceTableBase[122] with the address of MyNtOpenProcess.
    _asm
    {
        push ebx
            push eax
            push ecx

            mov  ebx,122
            mov  eax,KeServiceDescriptorTable
            mov  eax,[eax]
        mov  ecx,MyNtOpenProcess
            mov  [eax+ebx*4],ecx

            pop  ecx
            pop  eax
            pop  ebx
    }

    // Restore CR0.WP and re-enable interrupts on this CPU.
    _asm // re-enable write protection
    {
        mov eax,CR0
            or  eax,10000h
            mov CR0,eax
            sti
    }
}

/*
 * Writes Old_NtOpProAddress back into SSDT slot 122, undoing HOOKNtOpenProcess.
 * Same CR0.WP / cli-sti sequence and same limitations as the hook routine:
 * per-processor only, hard-coded index, 32-bit only. If HOOKNtOpenProcess
 * never ran, Old_NtOpProAddress is still zero and this stores 0 into the slot.
 */
VOID UnHOOKNtOpenProcess()
{
    // Clear CR0.WP (bit 16) so the SSDT page can be written; interrupts
    // stay disabled on this CPU until the sti below.
    _asm // disable write protection
    {
        cli
            mov eax,CR0
            and  eax,not 10000h
            mov CR0,eax
    }


    // ServiceTableBase[122] = Old_NtOpProAddress.
    _asm
    {
        push ebx
            push eax
            push ecx

            mov  ebx,122
            mov  eax,KeServiceDescriptorTable
            mov  eax,[eax]
            mov  ecx,Old_NtOpProAddress
            mov  [eax+ebx*4],ecx

            pop  ecx
            pop  eax
            pop  ebx
    }

    // Restore CR0.WP and re-enable interrupts on this CPU.
    _asm // re-enable write protection
    {
        mov eax,CR0
            or  eax,10000h
            mov CR0,eax
            sti
    }
}

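/*
 * Unload routine registered in DriverEntry: restores the original SSDT
 * entry, then logs. pDriverObj is not needed; the cast silences the
 * unused-parameter warning.
 *
 * NOTE(review): nothing here waits for calls already inside MyNtOpenProcess
 * to return before the image is unmapped; such a thread would fault.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    (void)pDriverObj;

    UnHOOKNtOpenProcess();
    DbgPrint("++++驱动卸载++++");
}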

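/*
 * Driver entry point: registers DriverUnload, logs, and installs the hook.
 * pRegistryString is unused; the cast silences the unused-parameter warning.
 * Always returns STATUS_SUCCESS because HOOKNtOpenProcess reports no failure.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    (void)pRegistryString;

    pDriverObj->DriverUnload = DriverUnload;
    DbgPrint("++++驱动加载++++");
    HOOKNtOpenProcess();
    return STATUS_SUCCESS;
}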

 
