(转)SSDT&Shadow Hook的实现,完整代码
http://bbs.pediy.com/showthread.php?t=138747&highlight=inline+hook
View Code
1 #include <ntddk.h> 2 //辛苦了几周的成果 3 4 5 typedef struct ServiceDescriptorEntry { 6 PVOID *ServiceTableBase; 7 ULONG *ServiceCounterTableBase; //Used only in checked build 8 ULONG NumberOfService; //Null 9 PVOID *ParamTableBase; 10 } ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry; 11 12 PServiceDescriptorTableEntry KeServiceDescriptorTableShadow; 13 14 __declspec(dllimport) _stdcall KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID); 15 __declspec(dllimport) ServiceDescriptorTableEntry KeServiceDescriptorTable; 16 17 //--------------------------------------------------- 18 19 typedef enum _SYSTEM_INFORMATION_CLASS { 20 SystemBasicInformation, // 0 Y N 21 SystemProcessorInformation, // 1 Y N 22 SystemPerformanceInformation, // 2 Y N 23 SystemTimeOfDayInformation, // 3 Y N 24 SystemNotImplemented1, // 4 Y N 25 SystemProcessesAndThreadsInformation, // 5 Y N 26 SystemCallCounts, // 6 Y N 27 SystemConfigurationInformation, // 7 Y N 28 SystemProcessorTimes, // 8 Y N 29 SystemGlobalFlag, // 9 Y Y 30 SystemNotImplemented2, // 10 Y N 31 SystemModuleInformation, // 11 Y N 32 SystemLockInformation, // 12 Y N 33 SystemNotImplemented3, // 13 Y N 34 SystemNotImplemented4, // 14 Y N 35 SystemNotImplemented5, // 15 Y N 36 SystemHandleInformation, // 16 Y N 37 SystemObjectInformation, // 17 Y N 38 SystemPagefileInformation, // 18 Y N 39 SystemInstructionEmulationCounts, // 19 Y N 40 SystemInvalidInfoClass1, // 20 41 SystemCacheInformation, // 21 Y Y 42 SystemPoolTagInformation, // 22 Y N 43 SystemProcessorStatistics, // 23 Y N 44 SystemDpcInformation, // 24 Y Y 45 SystemNotImplemented6, // 25 Y N 46 SystemLoadImage, // 26 N Y 47 SystemUnloadImage, // 27 N Y 48 SystemTimeAdjustment, // 28 Y Y 49 SystemNotImplemented7, // 29 Y N 50 SystemNotImplemented8, // 30 Y N 51 SystemNotImplemented9, // 31 Y N 52 SystemCrashDumpInformation, // 32 Y N 53 SystemExceptionInformation, // 33 Y N 54 SystemCrashDumpStateInformation, // 34 Y Y/N 55 SystemKernelDebuggerInformation, // 35 Y N 56 SystemContextSwitchInformation, // 36 Y N 57 SystemRegistryQuotaInformation, // 37 Y Y 58 SystemLoadAndCallImage, // 38 N Y 59 SystemPrioritySeparation, // 39 N Y 60 SystemNotImplemented10, // 40 Y N 61 SystemNotImplemented11, // 41 Y N 62 SystemInvalidInfoClass2, // 42 63 SystemInvalidInfoClass3, // 43 64 SystemTimeZoneInformation, // 44 Y N 65 SystemLookasideInformation, // 45 Y N 66 SystemSetTimeSlipEvent, // 46 N Y 67 SystemCreateSession, // 47 N Y 68 SystemDeleteSession, // 48 N Y 69 SystemInvalidInfoClass4, // 49 70 SystemRangeStartInformation, // 50 Y N 71 SystemVerifierInformation, // 51 Y Y 72 SystemAddVerifier, // 52 N Y 73 SystemSessionProcessesInformation // 53 Y N 74 } SYSTEM_INFORMATION_CLASS; 75 76 typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11 77 ULONG Reserved[2]; 78 PVOID Base; 79 ULONG Size; 80 ULONG Flags; 81 USHORT Index; 82 USHORT Unknown; 83 USHORT LoadCount; 84 USHORT ModuleNameOffset; 85 CHAR ImageName[256]; 86 } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 87 88 typedef struct _SYSTEM_HANDLE_INFORMATION 89 { 90 ULONG ProcessId; 91 UCHAR ObjectTypeNumber; 92 UCHAR Flags; 93 USHORT Handle; 94 PVOID Object; 95 ACCESS_MASK GrantedAccess; 96 } _SYSTEM_HANDLE_INFORMATION, *P_SYSTEM_HANDLE_INFORMATION; 97 98 typedef struct _SYSTEM_HANDLE_INformATION_EX { 99 ULONG NumberOfHandles; 100 _SYSTEM_HANDLE_INFORMATION Information[1]; 101 } _SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; 102 103 104 105 106 107 108 109 //----------------------- 110 typedef NTSTATUS (*NTGDIGETPIXEL) 111 ( 112 ); 113 114 NTGDIGETPIXEL g_OriginalNtGdiGetPixel; 115 116 117 //-----------------API申明----------- 118 119 PVOID GetUndocumentFunctionAdress(); 120 VOID Hook(); 121 VOID Unhook(); 122 VOID WPOFF(VOID); 123 VOID WPON(VOID); 124 VOID InitCallNumber(); 125 VOID OnUnload(IN PDRIVER_OBJECT DriverObject); 126 127 //--------shadow----------- 128 PVOID GetInfoTable(ULONG ATableType); 129 HANDLE GetCsrPid(); 130 VOID KeAttPro(); 131 VOID HookShadow(); 132 VOID UnhookShadow(); 133 ULONG MyNtGdiGetPixel(); 134 135 NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS * pEProcess); 136 137 NTSTATUS ZwQuerySystemInformation( 138 IN ULONG SystemInformationClass, 139 IN PVOID SystemInformation, 140 IN ULONG SystemInformationLength, 141 OUT PULONG ReturnLength); 142 143 NTSTATUS ZwDuplicateObject( 144 IN HANDLE SourceProcessHandle, 145 IN PHANDLE SourceHandle, 146 IN HANDLE TargetProcessHandle, 147 OUT PHANDLE TargetHandle, 148 IN ACCESS_MASK DesiredAccess OPTIONAL, 149 IN BOOLEAN InheritHandle, 150 IN ULONG Options ); 151 152 NTSTATUS ZwQueryObject( 153 IN HANDLE ObjectHandle, 154 IN ULONG ObjectInformationClass, 155 OUT PVOID ObjectInformation, 156 IN ULONG ObjectInformationLength, 157 OUT PULONG ReturnLength OPTIONAL); 158 159 160 NTSTATUS PsLookupProcessByProcessId( 161 IN ULONG ulProcId, 162 OUT PEPROCESS * pEProcess); 163 164 165 NTSTATUS KeAttachProcess(PEPROCESS pPeb); 166 NTSTATUS KeDetachProcess(); 167 168 //--------shadow----------- 169 170 171 172 173 174 175 //---------------全局变量------------ 176 PEPROCESS crsEProc; 177 178 ULONG JmpAddress; 179 ULONG JmpAddress1; 180 ULONG JmpAddress2; 181 ULONG JmpAddress3; 182 ULONG JmpAddress4; 183 ULONG JmpAddress5; 184 ULONG JmpAddress6; 185 ULONG JmpAddress7; 186 187 ULONG JmpAddRead_xp; 188 ULONG JmpAddWrite_xp; 189 ULONG JmpAddOpen_xp; 190 191 //--------shadow----------- 192 ULONG JmpAddress_Shadow_GdiGetPixel; 193 //--------shadow----------- 194 195 ULONG OldServiceAddress; 196 ULONG OldServiceAddress1; 197 ULONG OldServiceAddress2; 198 ULONG OldServiceAddress3; 199 ULONG OldServiceAddress4; 200 ULONG Adds; 201 ULONG retAddr1; 202 ULONG retAddr; 203 ULONG retAddr2; 204 205 ULONG retAddrRwpm_Xp; 206 ULONG retAddrIoCF_Xp; 207 208 209 //----------------------定义常量--------- 210 ULONG NtOpenProcess_CallNumber = 0; //服号 211 ULONG NtReadVirtualMemory_CallNumber = 0; //服号 212 ULONG NtWriteVirtualMemory_CallNumber = 0; //服号 213 ULONG NtClose_CallNumber = 0; 214 ULONG NtDeviceIoControlFile_CallNumber = 0; 215 216 //--------shadow----------- 217 ULONG NtGdiGetPixel_callnumber = 0; 218 //--------shadow----------- 219 220 #define DELAY_ONE_MICROSECOND (-10) 221 #define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000) 222 223 224 225 226 227 //------------------------函数部分--------------- 228 229 //-----------------shadow-------------- 230 unsigned int getAddressOfShadowTable() 231 { 232 unsigned int i; 233 unsigned char *p; 234 unsigned int dwordatbyte; 235 236 p = (unsigned char*) KeAddSystemServiceTable; 237 238 for(i = 0; i < 4096; i++, p++) 239 { 240 __try 241 { 242 dwordatbyte = *(unsigned int*)p; 243 } 244 __except(EXCEPTION_EXECUTE_HANDLER) 245 { 246 return 0; 247 } 248 249 if(MmIsAddressValid((PVOID)dwordatbyte)) 250 { 251 if(memcmp((PVOID)dwordatbyte, &KeServiceDescriptorTable, 16) == 0) 252 { 253 if((PVOID)dwordatbyte == &KeServiceDescriptorTable) 254 { 255 continue; 256 } 257 258 return dwordatbyte; 259 } 260 } 261 } 262 263 return 0; 264 } 265 266 ULONG getShadowTable() 267 { 268 KeServiceDescriptorTableShadow = (PServiceDescriptorTableEntry) getAddressOfShadowTable(); 269 270 if(KeServiceDescriptorTableShadow == NULL) 271 { 272 return FALSE; 273 } 274 else 275 { 276 return TRUE; 277 } 278 } 279 280 PVOID GetInfoTable(ULONG ATableType) 281 { 282 ULONG mSize = 0x4000; 283 PVOID mPtr = NULL; 284 NTSTATUS St; 285 do 286 { 287 mPtr = ExAllocatePool(PagedPool, mSize); 288 memset(mPtr, 0, mSize); 289 if (mPtr) 290 { 291 St = ZwQuerySystemInformation(ATableType, mPtr, mSize, NULL); 292 } else return NULL; 293 if (St == STATUS_INFO_LENGTH_MISMATCH) 294 { 295 ExFreePool(mPtr); 296 mSize = mSize * 2; 297 } 298 } while (St == STATUS_INFO_LENGTH_MISMATCH); 299 if (St == STATUS_SUCCESS) return mPtr; 300 ExFreePool(mPtr); 301 return NULL; 302 } 303 304 //--------------------下面这个函数必须的-------- 305 HANDLE GetCsrPid() 306 { 307 HANDLE Process, hObject; 308 HANDLE CsrId = (HANDLE)0; 309 OBJECT_ATTRIBUTES obj; 310 CLIENT_ID cid; 311 UCHAR Buff[0x100]; 312 POBJECT_NAME_INFORMATION ObjName = (PVOID)&Buff; 313 PSYSTEM_HANDLE_INFORMATION_EX Handles; 314 ULONG r; 315 316 Handles = GetInfoTable(0x10); //SystemHandleInformation = 0x10 317 318 if (!Handles) return CsrId; 319 320 for (r = 0; r < Handles->NumberOfHandles; r++) 321 { 322 if (Handles->Information[r].ObjectTypeNumber == 21) //Port object 323 { 324 InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); 325 326 cid.UniqueProcess = (HANDLE)Handles->Information[r].ProcessId; 327 cid.UniqueThread = 0; 328 329 if (NT_SUCCESS(NtOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid))) 330 { 331 if (NT_SUCCESS(ZwDuplicateObject(Process, (HANDLE)Handles->Information[r].Handle,NtCurrentProcess(), &hObject, 0, 0, DUPLICATE_SAME_ACCESS))) 332 { 333 if (NT_SUCCESS(ZwQueryObject(hObject, 1, ObjName, 0x100, NULL))) //ObjectNameInformation == 1 334 { 335 if (ObjName->Name.Buffer && !wcsncmp(L"\\Windows\\ApiPort", ObjName->Name.Buffer, 20)) 336 { 337 CsrId = (HANDLE)Handles->Information[r].ProcessId; 338 } 339 } 340 341 ZwClose(hObject); 342 } 343 344 ZwClose(Process); 345 } 346 } 347 } 348 349 ExFreePool(Handles); 350 return CsrId; 351 } 352 353 BOOLEAN Sleep(ULONG MillionSecond) 354 { 355 NTSTATUS st; 356 LARGE_INTEGER DelayTime; 357 DelayTime = RtlConvertLongToLargeInteger(-10000*MillionSecond); 358 st=KeDelayExecutionThread( KernelMode, FALSE, &DelayTime ); 359 return (NT_SUCCESS(st)); 360 } 361 362 363 364 //-----------------shadow-------------- 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 PVOID 389 GetUndocumentFunctionAdress() 390 { 391 392 ULONG size,index; 393 PULONG buf; 394 ULONG i; 395 PSYSTEM_MODULE_INFORMATION module; 396 PVOID driverAddress=0; 397 ULONG ntosknlBase; 398 ULONG ntosknlEndAddr; 399 ULONG curAddr; 400 NTSTATUS status; 401 402 ULONG code1_sp2=0x0035ff64,code2_sp2=0x8b000000,code3_sp2=0x89102444,code4_sp2=0x8d10246c; 403 ULONG code1_cal=0x8908758b,code2_cal=0xffff08b5,code3_cal=0x89db33ff,code4_cal=0xffff149d; 404 405 ULONG code1_Fil=0x33207d8b,code2_Fil=0xd85d89db,code3_Fil=0x831c758b,code4_Fil=0x758903e6; 406 ULONG code1_rwm=0x66f845dd,code2_rwm=0x7f087d81,code3_rwm=0xd9037402,code4_rwm=0xc3c9086d; 407 408 ULONG code1_IoF=0x5d89db33,code2_IoF=0x1c758be0,code3_IoF=0x8903e683,code4_IoF=0xa164d475; 409 410 411 ZwQuerySystemInformation(SystemModuleInformation,&size, 0, &size); 412 413 if(NULL==(buf = (PULONG)ExAllocatePool(PagedPool, size))) 414 { 415 DbgPrint("failed alloc memory failed \n"); 416 return 0; 417 } 418 419 status=ZwQuerySystemInformation(SystemModuleInformation,buf, size , 0); 420 if(!NT_SUCCESS( status )) 421 { 422 DbgPrint("failed query\n"); 423 return 0; 424 } 425 426 module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1); 427 428 ntosknlEndAddr=(ULONG)module->Base+(ULONG)module->Size; 429 ntosknlBase=(ULONG)module->Base; 430 curAddr=ntosknlBase; 431 ExFreePool(buf); 432 433 for (i=curAddr;i<=ntosknlEndAddr;i++) 434 { 435 if ((*((ULONG *)i)==code1_sp2)&&(*((ULONG *)(i+4))==code2_sp2)&&(*((ULONG *)(i+8))==code3_sp2)&&(*((ULONG *)(i+12))==code4_sp2)) 436 437 { 438 439 retAddr = i-5; //为什么-5 BECAUSE..函数第一句5个字节. 440 441 } 442 443 if ((*((ULONG *)i)==code1_cal)&&(*((ULONG *)(i+4))==code2_cal)&&(*((ULONG *)(i+8))==code3_cal)&&(*((ULONG *)(i+12))==code4_cal)) 444 445 { 446 447 retAddr1 = i-0xF; 448 449 } 450 451 if ((*((ULONG *)i)==code1_Fil)&&(*((ULONG *)(i+4))==code2_Fil)&&(*((ULONG *)(i+8))==code3_Fil)&&(*((ULONG *)(i+12))==code4_Fil)) 452 453 { 454 455 retAddr2 = i-0xC; 456 457 } 458 if ((*((ULONG *)i)==code1_rwm)&&(*((ULONG *)(i+4))==code2_rwm)&&(*((ULONG *)(i+8))==code3_rwm)&&(*((ULONG *)(i+12))==code4_rwm)) 459 460 { 461 462 retAddrRwpm_Xp = i+0x10; 463 464 } 465 if ((*((ULONG *)i)==code1_IoF)&&(*((ULONG *)(i+4))==code2_IoF)&&(*((ULONG *)(i+8))==code3_IoF)&&(*((ULONG *)(i+12))==code4_IoF)) 466 467 { 468 469 retAddrIoCF_Xp = i-0xC; 470 471 } 472 473 } 474 return 0; 475 476 } 477 478 //------------------暂停函数---------------- 479 480 VOID MySleep(LONG msec) 481 { 482 LARGE_INTEGER my_interval; 483 my_interval.QuadPart = DELAY_ONE_MILLISECOND; 484 my_interval.QuadPart *= msec; 485 KeDelayExecutionThread(KernelMode,0,&my_interval); 486 } 487 488 //--------------获取服务号---------------- 489 VOID InitCallNumber() 490 { 491 ULONG majorVersion, minorVersion; 492 PsGetVersion( &majorVersion, &minorVersion, NULL, NULL ); 493 494 if ( majorVersion == 5 && minorVersion == 1 ) 495 { 496 DbgPrint("Running on Windows Xp"); 497 498 NtOpenProcess_CallNumber = 0x7A; 499 NtReadVirtualMemory_CallNumber =0xBA; 500 NtWriteVirtualMemory_CallNumber = 0x115; 501 NtClose_CallNumber = 0x19; 502 NtDeviceIoControlFile_CallNumber = 0x42; 503 504 NtGdiGetPixel_callnumber = 0xBF; 505 } 506 507 else if ( majorVersion == 6 && minorVersion == 1 ) 508 { 509 DbgPrint("Running on Windows 7"); 510 511 NtOpenProcess_CallNumber = 0xBE; 512 NtReadVirtualMemory_CallNumber =0x115; 513 NtWriteVirtualMemory_CallNumber = 0x18F; 514 NtClose_CallNumber = 0x32; 515 NtDeviceIoControlFile_CallNumber = 0x6B; 516 517 NtGdiGetPixel_callnumber = 0xC8; 518 } 519 520 521 } 522 523 //-------------------下面是处理内存权限-读写开关----------------- 524 525 VOID WPOFF(VOID) 526 { 527 __asm 528 { 529 cli 530 mov eax,cr0 531 and eax,not 10000h 532 mov cr0,eax 533 } 534 } 535 536 537 538 VOID WPON(VOID) 539 { 540 __asm 541 { 542 mov eax,cr0 543 or eax,10000h 544 mov cr0,eax 545 sti 546 } 547 } 548 549 550 551 //------------------------构造自己的函数-------------------- 552 553 __declspec(naked) NTSTATUS MyNtDeviceIoControlFile( 554 HANDLE FileHandle, 555 HANDLE Event, 556 PIO_APC_ROUTINE ApcRoutine, 557 PVOID ApcContext, 558 PIO_STATUS_BLOCK IoStatusBlock, 559 ULONG IoControlCode, 560 PVOID InputBuffer, 561 ULONG InputBufferLength, 562 PVOID OutputBuffer, 563 ULONG OutputBufferLength 564 ) 565 { 566 __asm{ 567 568 // Jmp [JmpAddress7] 569 mov edi, edi 570 push ebp 571 mov ebp, esp 572 push 1 573 push dword ptr [ebp+0x2C] 574 push dword ptr [ebp+0x28] 575 push dword ptr [ebp+0x24] 576 push dword ptr [ebp+0x20] 577 push dword ptr [ebp+0x1C] 578 push dword ptr [ebp+0x18] 579 push dword ptr [ebp+0x14] 580 push dword ptr [ebp+0x10] 581 push dword ptr [ebp+0xC] 582 push dword ptr [ebp+0x8] 583 call retAddr2 584 Jmp [JmpAddress6] 585 } 586 } 587 588 589 __declspec(naked) NTSTATUS __stdcall MyNtClose(HANDLE ObjectHandle) 590 { 591 __asm{ 592 // Jmp [JmpAddress4] 593 mov edi, edi 594 push ebp 595 mov ebp, esp 596 Jmp [JmpAddress5] 597 } 598 } 599 600 601 __declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle, 602 ACCESS_MASK DesiredAccess, 603 POBJECT_ATTRIBUTES ObjectAttributes, 604 PCLIENT_ID ClientId) 605 { 606 // DbgPrint("NtOpenProcess() called"); 607 __asm{ 608 609 // jmp [JmpAddress2] 610 611 mov edi, edi 612 push ebp 613 mov ebp, esp 614 push ecx 615 push ecx 616 mov eax, fs:[0x124] 617 mov al, byte ptr [eax+0x13A] 618 mov ecx, [ebp+0x14] 619 mov edx, [ebp+0x10] 620 mov byte ptr [ebp-0x4], al 621 push [ebp-0x4] 622 push [ebp-0x4] 623 push [ebp+0xC] 624 push [ebp+0x8] 625 call retAddr1 626 jmp [JmpAddress3] 627 // _emit 0x0F 628 629 630 631 632 } 633 } 634 635 __declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(HANDLE ProcessHandle, 636 PVOID BaseAddress, 637 PVOID Buffer, 638 ULONG NumberOfBytesToRead, 639 PULONG NumberOfBytesReaded) 640 { 641 //跳过去 642 __asm 643 { 644 // jmp [JmpAddress] 645 push 0x18; 646 push 0x832a8B08; 647 call retAddr 648 jmp [JmpAddress] 649 } 650 } 651 652 __declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle, 653 PVOID BaseAddress, 654 PVOID Buffer, 655 ULONG NumberOfBytesToWrite, 656 PULONG NumberOfBytesReaded) 657 { 658 //跳过去 659 __asm 660 { 661 // jmp [JmpAddress1] 662 663 push 0x18; 664 push 0x832a8AE0; 665 call retAddr 666 jmp [JmpAddress1] 667 } 668 } 669 //-----------------------Xp---------------- 670 671 __declspec(naked) NTSTATUS MyNtDeviceIoControlFile_Xp( 672 HANDLE FileHandle, 673 HANDLE Event, 674 PIO_APC_ROUTINE ApcRoutine, 675 PVOID ApcContext, 676 PIO_STATUS_BLOCK IoStatusBlock, 677 ULONG IoControlCode, 678 PVOID InputBuffer, 679 ULONG InputBufferLength, 680 PVOID OutputBuffer, 681 ULONG OutputBufferLength 682 ) 683 { 684 __asm{ 685 686 // Jmp [JmpAddress7] 687 mov edi, edi 688 push ebp 689 mov ebp, esp 690 push 1 691 push dword ptr [ebp+0x2C] 692 push dword ptr [ebp+0x28] 693 push dword ptr [ebp+0x24] 694 push dword ptr [ebp+0x20] 695 push dword ptr [ebp+0x1C] 696 push dword ptr [ebp+0x18] 697 push dword ptr [ebp+0x14] 698 push dword ptr [ebp+0x10] 699 push dword ptr [ebp+0xC] 700 push dword ptr [ebp+0x8] 701 call retAddrIoCF_Xp 702 Jmp [JmpAddress6] 703 704 705 } 706 } 707 708 709 __declspec(naked) NTSTATUS __stdcall MyNtOpenProcess_Xp(PHANDLE ProcessHandle, 710 ACCESS_MASK DesiredAccess, 711 POBJECT_ATTRIBUTES ObjectAttributes, 712 PCLIENT_ID ClientId) 713 { 714 __asm{ 715 // jmp [JmpAddress2] 716 push 0xC4 717 push 0x804EB0D8 718 call retAddrRwpm_Xp 719 jmp [JmpAddOpen_xp] 720 721 } 722 } 723 724 __declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory_Xp(HANDLE ProcessHandle, 725 PVOID BaseAddress, 726 PVOID Buffer, 727 ULONG NumberOfBytesToRead, 728 PULONG NumberOfBytesReaded) 729 { 730 //跳过去 731 __asm 732 { 733 // jmp [JmpAddress] 734 push 0x1C; 735 push 0x832a8B08; 736 call retAddrRwpm_Xp 737 jmp [JmpAddRead_xp] 738 } 739 } 740 741 __declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory_Xp(HANDLE ProcessHandle, 742 PVOID BaseAddress, 743 PVOID Buffer, 744 ULONG NumberOfBytesToWrite, 745 PULONG NumberOfBytesReaded) 746 { 747 //跳过去 748 __asm 749 { 750 // jmp [JmpAddress1] 751 push 0x1C; 752 push 0x832a8AE0; 753 call retAddrRwpm_Xp 754 jmp [JmpAddWrite_xp] 755 } 756 } 757 758 //------------------------驱动入口------------- 759 NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath) 760 { 761 DriverObject->DriverUnload = OnUnload; 762 InitCallNumber(); 763 getShadowTable(); //获得shadow表地址 764 765 GetUndocumentFunctionAdress(); //-------获取Call函数地址---------- 766 767 KeAttPro(); //插入进程 768 769 HookShadow(); 770 771 Hook(); 772 return STATUS_SUCCESS; 773 } 774 //-------------------卸载--------------------- 775 VOID OnUnload(IN PDRIVER_OBJECT DriverObject) 776 { 777 DbgPrint("驱动卸载中!\n"); //-------无法返回,只能完成-------- 778 Unhook(); 779 780 KeAttPro(); 781 UnhookShadow(); 782 //-------恢复被HOOK的函数---------- 783 } 784 //--------------Hook部分函数------------------ 785 VOID Hook() 786 { 787 788 ULONG Address, Address1, Address2, Address3, Address4; 789 790 791 Address = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber]; 792 Address1 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber]; 793 Address2 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber]; 794 Address3 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber];// NtClose 795 Address4 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber]; //IoDeviceFile 796 797 DbgPrint("SSDT_NtClose:0x%08X",Address3); 798 799 800 //-------保存原始函数地址---------- 801 OldServiceAddress = Address; //保存原来NtReadVirtualMemory的地址 802 OldServiceAddress1 = Address1; 803 OldServiceAddress2 = Address2; 804 OldServiceAddress3 = Address3; 805 OldServiceAddress4 = Address4; 806 807 DbgPrint("备份的地址_NtClose:0x%08X",OldServiceAddress3); 808 809 810 811 //--------绕过INLINE跳转到后面的地址 812 813 JmpAddress = (ULONG)Address + 0xC; 814 JmpAddress1 = (ULONG)Address1 + 0xC; 815 JmpAddress2 = (ULONG)Address2; 816 JmpAddress3 = (ULONG)Address2 +0x2D; 817 JmpAddress4 = (ULONG)Address3; 818 JmpAddress5 = (ULONG)Address3 +0x5; 819 JmpAddress6 = (ULONG)Address4 +0x2A; 820 JmpAddress7 = (ULONG)Address4; 821 822 JmpAddRead_xp = (ULONG)OldServiceAddress +0xC; 823 JmpAddWrite_xp = (ULONG)OldServiceAddress1 +0xC; 824 JmpAddOpen_xp = (ULONG)NtOpenProcess +0xF; 825 826 827 828 829 DbgPrint("跳转_NtReadVirtualMemory:0x%08X",JmpAddress); 830 DbgPrint("跳转_NtWriteVirtualMemory:0x%08X",JmpAddress1); 831 DbgPrint("跳转_NtOpenProcess:0x%08X",JmpAddress2); 832 DbgPrint("跳转_NtDeviceIoControlFile:0x%08X",JmpAddress3); 833 DbgPrint("跳转_NtClose:0x%08X",JmpAddress4); 834 835 836 //------------------时钟控制------------------ 837 838 //while(1) 839 //{ 840 841 //---------------------------------系统判断--------------------- 842 843 if ( NtOpenProcess_CallNumber == 0x7A ) 844 { 845 846 847 WPOFF(); 848 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = (ULONG)MyNtReadVirtualMemory_Xp; 849 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = (ULONG)MyNtWriteVirtualMemory_Xp; 850 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = (ULONG)MyNtOpenProcess_Xp; 851 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = (ULONG)MyNtClose; 852 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = (ULONG)MyNtDeviceIoControlFile_Xp; 853 854 855 WPON(); 856 857 858 DbgPrint("HOOK地址_NtClose:0x%08X",Address3); 859 DbgPrint("HOOK地址_NtOpenProcess:0x%08X",Address2); 860 861 DbgPrint("HOOK地址_自己的程序_NtClose:0x%08X",(ULONG)MyNtClose); 862 } 863 864 else if ( NtOpenProcess_CallNumber == 0xBE ) 865 { 866 WPOFF(); 867 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = (ULONG)MyNtReadVirtualMemory; 868 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = (ULONG)MyNtWriteVirtualMemory; 869 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = (ULONG)MyNtOpenProcess; 870 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = (ULONG)MyNtClose; 871 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = (ULONG)MyNtDeviceIoControlFile; 872 WPON(); 873 } 874 875 //MySleep(2000); 876 } 877 // } 878 879 880 //--------------------------shadow------------------------- 881 882 VOID HookShadow() 883 { 884 885 __try 886 { 887 if ((KeServiceDescriptorTableShadow!=NULL)) //读取到地址就保存起来 888 { 889 890 g_OriginalNtGdiGetPixel = KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber]; 891 892 JmpAddress_Shadow_GdiGetPixel = (ULONG)g_OriginalNtGdiGetPixel + 0x5; 893 894 895 DbgPrint("获取Shadow地址成功!\n"); 896 DbgPrint("Shadow:0x%08X",g_OriginalNtGdiGetPixel); 897 898 } 899 900 901 902 903 else 904 { 905 DbgPrint("获取地址失败!\n"); 906 KeServiceDescriptorTableShadow=NULL; 907 } 908 909 910 911 //-----------------系统判断-------------------- 912 913 914 915 if ( NtOpenProcess_CallNumber == 0x7A ) 916 { 917 918 919 WPOFF(); 920 KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = MyNtGdiGetPixel; 921 WPON(); 922 923 } 924 925 else if ( NtOpenProcess_CallNumber == 0xBE ) 926 { 927 // WPOFF(); 928 // KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = MyNtGdiGetPixel; 929 // WPON(); 930 931 DbgPrint("暂时没找到WIN7的Shadow Hook解决方案~\n"); 932 933 } 934 935 936 937 } 938 __finally 939 { 940 KeDetachProcess(); 941 } 942 943 } 944 945 946 VOID KeAttPro() 947 { 948 NTSTATUS status; 949 950 status = PsLookupProcessByProcessId((ULONG)GetCsrPid(), &crsEProc); 951 if (!NT_SUCCESS( status )) 952 { 953 DbgPrint("PsLookupProcessByProcessId() error\n"); 954 return ; 955 } 956 KeAttachProcess(crsEProc); 957 } 958 959 960 ////////////////////////////////////////////////////// 961 VOID Unhook() 962 { 963 InitCallNumber(); 964 965 966 WPOFF(); 967 968 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = OldServiceAddress; 969 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = OldServiceAddress1; 970 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = OldServiceAddress2; 971 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = OldServiceAddress3; 972 (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = OldServiceAddress4; 973 974 WPON(); 975 976 DbgPrint("卸载完成\n"); 977 } 978 979 980 VOID UnhookShadow() 981 { 982 __try 983 { 984 // WPOFF(); 985 986 // KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = g_OriginalNtGdiGetPixel; 987 988 // WPON(); 989 DbgPrint("暂时没找到WIN7的Shadow Hook解决方案~\n"); 990 } 991 __finally 992 { 993 KeDetachProcess(); 994 Sleep(50); 995 } 996 } 997 998 999 1000 1001 1002 1003 1004 //---------------------shadow自定义函数----------------------- 1005 __declspec(naked) ULONG MyNtGdiGetPixel() 1006 { 1007 __asm 1008 { 1009 // jmp g_OriginalNtGdiGetPixel 1010 1011 mov edi, edi 1012 push ebp 1013 mov ebp, esp 1014 1015 jmp JmpAddress_Shadow_GdiGetPixel 1016 } 1017 }
