SSDT_HOOK NtOpenProcess(代码)
// Sample 32-bit Windows driver that hooks the NtOpenProcess entry of the
// System Service Descriptor Table (SSDT). This is a classic kernel rootkit
// technique and a textbook example of what kernel integrity tooling looks
// for: an SSDT entry that no longer points inside the ntoskrnl image.
// The inline x86 assembly makes the code 32-bit only; on 64-bit Windows,
// Kernel Patch Protection treats SSDT modification as a fatal integrity
// violation. `extern "C"` below means this is compiled as C++.
#include <ntddk.h>
#include <windef.h>
#include <stdlib.h>

// Layout of the service descriptor table exported by the kernel.
typedef struct _ServiceDescriptorTable {
    PVOID ServiceTableBase;            // base address of the System Service Dispatch Table
    PVOID ServiceCounterTable;         // per-service call counters in the SSDT; normally updated by sysenter
    unsigned int NumberOfServices;     // number of services described by ServiceTableBase
    PVOID ParamTableBase;              // base address of the table of per-service parameter byte counts
}*PServiceDescriptorTable;

// Kernel export; the assembly below dereferences it once to reach ServiceTableBase.
extern "C" PServiceDescriptorTable KeServiceDescriptorTable;

// Saved original dispatch address for service index 122 (read in HOOKNtOpenProcess,
// called from MyNtOpenProcess, written back in UnHOOKNtOpenProcess). Plain globals,
// no synchronization: a system call in flight while these change observes a torn state.
ULONG Old_NtOpProAddress;
ULONG New_NtOpProAddress;   // only used for the DbgPrint in HOOKNtOpenProcess

// Signature of the native NtOpenProcess service. The hook below must use the same
// calling convention as the original (presumably the build's default, __stdcall for
// x86 kernel builds — confirm), otherwise the stack is corrupted on return.
typedef NTSTATUS (*NTOPENPROCESS)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL );

// Replacement dispatch routine: logs every NtOpenProcess call, then forwards all
// arguments unchanged to the original routine saved in Old_NtOpProAddress.
// Returns whatever the original returns; no filtering is performed here.
// Note: DbgPrint runs on every NtOpenProcess call system-wide, which is noisy.
NTSTATUS MyNtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL ) {
    DbgPrint("一次成功!");   // "success once"
    return ((NTOPENPROCESS)Old_NtOpProAddress)(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
}

// Installs the hook: saves the current SSDT entry at index 122, then overwrites
// it with the address of MyNtOpenProcess.
// Caveats a reviewer would raise:
//  - 122 (0x7A) is a hard-coded service index; it appears to match Windows XP
//    and differs between OS versions and service packs — confirm. A wrong index
//    silently replaces an unrelated system service.
//  - Write protection is lifted by clearing CR0.WP (bit 16, the 10000h mask)
//    with interrupts disabled; CR0 and cli/sti affect only the current processor,
//    so this does not serialize against other processors or other system calls.
VOID HOOKNtOpenProcess() {
    // Read the original entry: ServiceTableBase[122] -> Old_NtOpProAddress.
    _asm {
        push ebx
        push eax
        push ecx
        mov ebx,122
        mov eax,KeServiceDescriptorTable
        mov eax,[eax]                 ; eax = ServiceTableBase
        mov ecx,[eax+ebx*4]           ; ecx = ServiceTableBase[122]
        mov Old_NtOpProAddress,ecx
        pop ecx
        pop eax
        pop ebx
    }
    DbgPrint("旧_NtOpenProcess:0x%X\n",Old_NtOpProAddress);   // "old NtOpenProcess"
    New_NtOpProAddress = (ULONG)MyNtOpenProcess;
    DbgPrint("新_NtOpenProcess:0x%X\n",New_NtOpProAddress);   // "new NtOpenProcess"
    // Disable write protection: clear CR0.WP with interrupts off on this CPU.
    _asm //关闭保护
    {
        cli
        mov eax,CR0
        and eax,not 10000h
        mov CR0,eax
    }
    // Write the replacement: ServiceTableBase[122] = MyNtOpenProcess.
    _asm {
        push ebx
        push eax
        push ecx
        mov ebx,122
        mov eax,KeServiceDescriptorTable
        mov eax,[eax]
        mov ecx,MyNtOpenProcess
        mov [eax+ebx*4],ecx
        pop ecx
        pop eax
        pop ebx
    }
    // Re-enable write protection: set CR0.WP, then restore interrupts.
    _asm //开启保护
    {
        mov eax,CR0
        or eax,10000h
        mov CR0,eax
        sti
    }
}

// Restores the saved original entry at index 122 using the same CR0.WP / cli
// sequence as HOOKNtOpenProcess (same single-processor caveat applies).
// Relies on Old_NtOpProAddress having been filled in by HOOKNtOpenProcess;
// if called before that, it writes 0 into the SSDT slot.
VOID UnHOOKNtOpenProcess() {
    // Disable write protection on this CPU.
    _asm //关闭保护
    {
        cli
        mov eax,CR0
        and eax,not 10000h
        mov CR0,eax
    }
    // Write back the original: ServiceTableBase[122] = Old_NtOpProAddress.
    _asm {
        push ebx
        push eax
        push ecx
        mov ebx,122
        mov eax,KeServiceDescriptorTable
        mov eax,[eax]
        mov ecx,Old_NtOpProAddress
        mov [eax+ebx*4],ecx
        pop ecx
        pop eax
        pop ebx
    }
    // Re-enable write protection and interrupts.
    _asm //开启保护
    {
        mov eax,CR0
        or eax,10000h
        mov CR0,eax
        sti
    }
}

// Driver unload callback: removes the hook and logs.
// NOTE(review): nothing waits for threads that are still executing inside
// MyNtOpenProcess when the image is unmapped; the unhook/unload sequence is racy.
// pDriverObj is unused.
VOID DriverUnload(PDRIVER_OBJECT pDriverObj) {
    UnHOOKNtOpenProcess();
    DbgPrint("++++驱动卸载++++");   // "driver unloaded"
}

// Driver entry point: registers the unload routine, logs, installs the hook.
// Always returns STATUS_SUCCESS; HOOKNtOpenProcess reports no failure.
// pRegistryString is unused.
NTSTATUS
DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString) {
    pDriverObj->DriverUnload = DriverUnload;
    DbgPrint("++++驱动加载++++");   // "driver loaded"
    HOOKNtOpenProcess();
    return STATUS_SUCCESS;
}