实现SSDT inline hook NtTerminateProcess进程保护

前言:作为系统调用的巩固练习

SSDT inline hook实现NtTerminateProcess进程保护

1、我这里判断"是哪个进程来关闭"的方法可能有些缺陷,因为我是通过NtTerminateProcess的ExitStatus来进行判断的:如果ExitStatus为1,我就认为是任务管理器关闭;如果为0,那么就是正常通过右上角的按钮关闭。

2、这里的extern PSSDT KeServiceDescriptorTable;是通过extern声明来引用内核中导出的变量,比如这里的KeServiceDescriptorTable。

#include <ntddk.h>

// Function-pointer type with NtTerminateProcess's signature; used below to call the saved original entry.
typedef NTSTATUS(*pZwTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
typedef struct _SYSTEM_SERVICE_TABLE{
	PVOID ServiceTableBase;				// base address of the System Service Dispatch Table
	PVOID ServiceCounterTable;			// per-service call counters for the SSDT (per the original note, generally updated by sysenter)
	unsigned int NumberOfServices;		// number of services described by ServiceTableBase
	PVOID ParamTableBase;				// base address of the table of per-service parameter byte counts (system service parameter table)
}SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;

// Layout of KeServiceDescriptorTable as this driver reads it; only table `a` is used here.
typedef struct _SSDT{
	SYSTEM_SERVICE_TABLE a; // ntoskrnl
	SYSTEM_SERVICE_TABLE b; // win32k
	SYSTEM_SERVICE_TABLE c; // no use
	SYSTEM_SERVICE_TABLE d; // no use
}SSDT, *PSSDT;

// Kernel-exported variable resolved by the linker; x86-32 only (the inline assembly and ULONG pointer casts below assume 32-bit).
extern PSSDT KeServiceDescriptorTable;
// Original NtTerminateProcess SSDT entry saved by InstallHookTerminate; zero until the hook is installed.
ULONG uOldNtTerminateProcess;

/*
 * Re-enable kernel write protection after pageProtectOff().
 *
 * Sets CR0.WP (bit 16) so supervisor writes to read-only pages fault again,
 * then executes sti. Note that sti re-enables interrupts unconditionally
 * rather than restoring the state saved before cli, and cli/sti only affect
 * the processor this code runs on, so the SSDT write between the Off/On
 * pair is not serialized against other processors. MSVC x86-32 inline
 * assembly; this does not build for x64.
 */
void pageProtectOn()
{
	__asm
	{
		push eax;
		mov eax, cr0;
		or eax, 0x10000; // set CR0.WP (bit 16)
		mov cr0, eax;
		pop eax;
		sti;			 // re-enable hardware interrupts on this processor
	}
}

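/*
 * Disable kernel write protection so the SSDT (a read-only page) can be patched.
 *
 * cli first so the window with CR0.WP clear cannot be interrupted on this
 * processor, then clear CR0.WP (bit 16). The original used `or eax, not 0x10000`,
 * which ORs 0xFFFEFFFF into CR0 -- setting nearly every control bit instead of
 * clearing WP; the correct operation is `and`. Every call must be paired with
 * pageProtectOn(). MSVC x86-32 inline assembly; this does not build for x64.
 */
void pageProtectOff()
{
	__asm
	{
		cli;					// disable hardware interrupts on this processor
		push eax;
		mov eax, cr0;
		and eax, not 0x10000;	// clear CR0.WP (bit 16); `and` with ~0x10000, not `or`
		mov cr0, eax;
		pop eax;
	}
}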


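/* PID of the process this driver refuses to terminate; chosen by hand in the original (512). */
enum { PROTECTED_PID = 512 };

/*
 * Replacement for the NtTerminateProcess SSDT entry.
 *
 * processHandle: handle supplied by the caller of NtTerminateProcess. NULL is
 *                passed straight to the original service: the kernel gives a
 *                NULL handle its own meaning, and ObReferenceObjectByHandle
 *                would only fail on it (the original hook returned that error).
 * exitStatus:    exit code supplied by the caller. As the notes above say,
 *                the value 1 is treated as "closed from Task Manager"; this is
 *                a heuristic about the exit code, not a check of who called.
 *
 * Returns STATUS_INVALID_HANDLE when the call targets PROTECTED_PID with
 * exitStatus == 1; the error from ObReferenceObjectByHandle when the handle
 * does not resolve to a process object; otherwise the result of the original
 * NtTerminateProcess. Any exit code other than 1 is passed through even for
 * PROTECTED_PID, so the protection only covers the path described in note 1.
 */
NTSTATUS MyHookNtTerminateProcess(HANDLE processHandle, NTSTATUS exitStatus)
{
	ULONG uPID;
	NTSTATUS ntStatus;
	PEPROCESS pEProcess = NULL;

	if (processHandle == NULL)
	{
		return ((pZwTerminateProcess)uOldNtTerminateProcess)(processHandle, exitStatus);
	}

	// Resolve the handle to its EPROCESS. Passing *PsProcessType makes this fail
	// with a type mismatch for non-process handles instead of letting PsGetProcessId
	// read an object of the wrong type (the original passed NULL for the type).
	// With AccessMode == KernelMode the requested access is granted without a
	// check per the documented semantics, so FILE_READ_DATA is kept only to
	// match the original call.
	ntStatus = ObReferenceObjectByHandle(processHandle, FILE_READ_DATA, *PsProcessType, KernelMode, (PVOID*)&pEProcess, NULL);
	if (!NT_SUCCESS(ntStatus))
	{
		return ntStatus;
	}

	uPID = (ULONG)(ULONG_PTR)PsGetProcessId(pEProcess);
	// The reference is only needed to read the PID; release it here -- the
	// original never dereferenced it, leaking one reference per call.
	ObDereferenceObject(pEProcess);

	DbgPrint("NtTerminateProcess Process Id -> %d\n", uPID);
	if (uPID == PROTECTED_PID)
	{
		DbgPrint("NtTerminateProcess exitStatus -> %d\n", exitStatus);
		if (exitStatus == 1)
		{
			DbgPrint("NtTerminateProcess Process Protected -> %d\n", uPID);
			return STATUS_INVALID_HANDLE;
		}
	}
	return ((pZwTerminateProcess)uOldNtTerminateProcess)(processHandle, exitStatus);
}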

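/*
 * SSDT index of NtTerminateProcess used by this driver (0x101 in the original).
 * The index is specific to the Windows build this was written against; on any
 * other build it selects a different service and the hook would overwrite that
 * entry instead. It is not validated against NumberOfServices here.
 */
enum { NT_TERMINATE_PROCESS_INDEX = 0x101 };

/* Address of the NtTerminateProcess slot in the ntoskrnl service table (SSDT table `a`); x86-32 entries are 4-byte addresses. */
static PULONG NtTerminateProcessSlot(void)
{
	return (PULONG)((ULONG)KeServiceDescriptorTable->a.ServiceTableBase + NT_TERMINATE_PROCESS_INDEX * sizeof(ULONG));
}

/*
 * Save the original NtTerminateProcess entry into uOldNtTerminateProcess and
 * point the slot at MyHookNtTerminateProcess.
 *
 * A second call is refused: installing over an already-installed hook would
 * save our own hook as the "original" and make MyHookNtTerminateProcess call
 * itself. DbgPrint is kept outside the pageProtectOff/pageProtectOn window so
 * the interval with WP cleared and interrupts disabled covers only the two
 * slot accesses.
 */
void InstallHookTerminate()
{
	PULONG pSlot;

	if (uOldNtTerminateProcess != 0)
	{
		DbgPrint("InstallHookTerminate: hook already installed \n");
		return;
	}

	pSlot = NtTerminateProcessSlot();
	DbgPrint("NtTerminateProcess Hook Addr -> %x \n", (ULONG)pSlot);

	pageProtectOff();
	uOldNtTerminateProcess = *pSlot;
	*pSlot = (ULONG)MyHookNtTerminateProcess;
	pageProtectOn();

	DbgPrint("InstallHookTerminate Is Ok \n");
}

/*
 * Restore the saved NtTerminateProcess entry and clear uOldNtTerminateProcess.
 *
 * Does nothing when no entry was saved, so an unload without a successful
 * install never writes 0 into the SSDT. Restoring the slot does not wait for
 * calls already executing inside MyHookNtTerminateProcess; that race is not
 * handled here, as in the original.
 */
void UnHookTerminate()
{
	if (uOldNtTerminateProcess == 0)
	{
		DbgPrint("UnHookTerminate: no saved entry to restore \n");
		return;
	}

	pageProtectOff();
	*NtTerminateProcessSlot() = uOldNtTerminateProcess;
	pageProtectOn();

	uOldNtTerminateProcess = 0;
	DbgPrint("UnHookTerminate Is Ok \n");
}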

/*
 * DriverUnload callback: removes the NtTerminateProcess hook and logs completion.
 * The driver object is not used.
 */
VOID UnDriver(PDRIVER_OBJECT driver)
{
	UNREFERENCED_PARAMETER(driver);

	UnHookTerminate();

	DbgPrint("Uninstall HookTerminate Is OK \n");
	DbgPrint("Uninstall Driver Is OK \n");
}

/*
 * Driver entry point: registers UnDriver as the unload routine and installs
 * the NtTerminateProcess hook. RegistryPath is not used. Always returns
 * STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	UNREFERENCED_PARAMETER(RegistryPath);

	DbgPrint("驱动加载成功 \n");

	// Registering the unload routine and installing the hook are independent;
	// the unload routine is only consulted after DriverEntry has returned.
	Driver->DriverUnload = UnDriver;
	InstallHookTerminate();

	return STATUS_SUCCESS;
}

效果如下图所示

posted @ 2022-03-06 15:00  zpchcbd