http://bbs.pediy.com/showthread.php?t=138747&highlight=inline+hook


   1 #include <ntddk.h>
   2 //辛苦了几周的成果
   3
   4
// One system-service descriptor as laid out on 32-bit kernels: four
// pointer/ULONG fields, 16 bytes in total — the size that
// getAddressOfShadowTable() memcmp()s against KeServiceDescriptorTable.
// Field names follow the usual reverse-engineered layout; the original
// "//Null" remark on NumberOfService is misleading, it is conventionally
// the entry count.  Only ServiceTableBase is read or written here.
typedef struct ServiceDescriptorEntry {
  PVOID *ServiceTableBase;        // array of service routine addresses (indexed by call number)
  ULONG *ServiceCounterTableBase; // used only in checked builds (per the original note)
  ULONG NumberOfService;          // number of entries in ServiceTableBase
  PVOID *ParamTableBase;          // per-service argument sizes
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
  11
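// Address of the non-exported shadow descriptor array, filled by
// getShadowTable(); NULL when the scan did not find it.
PServiceDescriptorTableEntry KeServiceDescriptorTableShadow;

// ntoskrnl exports.  KeAddSystemServiceTable is used only as the start
// address of a byte scan (the scan assumes its code embeds a pointer to
// the shadow table); the explicit BOOLEAN return type replaces the
// original implicit-int declaration, which C99 removed.
// KeServiceDescriptorTable is the exported (non-shadow) descriptor.
__declspec(dllimport) BOOLEAN __stdcall KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID);
__declspec(dllimport)  ServiceDescriptorTableEntry KeServiceDescriptorTable;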
  16
  17 //---------------------------------------------------
  18
// Information classes for ZwQuerySystemInformation.  Values are spelled
// out so an accidental insertion cannot silently renumber the ones this
// file relies on (SystemModuleInformation = 11, SystemHandleInformation =
// 16 — GetCsrPid() passes the latter as the literal 0x10).  The trailing
// Y/N columns are carried over from the original listing and appear to
// mark query/set support; they are not verified here.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation               = 0,  // Y N
    SystemProcessorInformation           = 1,  // Y N
    SystemPerformanceInformation         = 2,  // Y N
    SystemTimeOfDayInformation           = 3,  // Y N
    SystemNotImplemented1                = 4,  // Y N
    SystemProcessesAndThreadsInformation = 5,  // Y N
    SystemCallCounts                     = 6,  // Y N
    SystemConfigurationInformation       = 7,  // Y N
    SystemProcessorTimes                 = 8,  // Y N
    SystemGlobalFlag                     = 9,  // Y Y
    SystemNotImplemented2                = 10, // Y N
    SystemModuleInformation              = 11, // Y N  (used by GetUndocumentFunctionAdress)
    SystemLockInformation                = 12, // Y N
    SystemNotImplemented3                = 13, // Y N
    SystemNotImplemented4                = 14, // Y N
    SystemNotImplemented5                = 15, // Y N
    SystemHandleInformation              = 16, // Y N  (used by GetCsrPid as 0x10)
    SystemObjectInformation              = 17, // Y N
    SystemPagefileInformation            = 18, // Y N
    SystemInstructionEmulationCounts     = 19, // Y N
    SystemInvalidInfoClass1              = 20,
    SystemCacheInformation               = 21, // Y Y
    SystemPoolTagInformation             = 22, // Y N
    SystemProcessorStatistics            = 23, // Y N
    SystemDpcInformation                 = 24, // Y Y
    SystemNotImplemented6                = 25, // Y N
    SystemLoadImage                      = 26, // N Y
    SystemUnloadImage                    = 27, // N Y
    SystemTimeAdjustment                 = 28, // Y Y
    SystemNotImplemented7                = 29, // Y N
    SystemNotImplemented8                = 30, // Y N
    SystemNotImplemented9                = 31, // Y N
    SystemCrashDumpInformation           = 32, // Y N
    SystemExceptionInformation           = 33, // Y N
    SystemCrashDumpStateInformation      = 34, // Y Y/N
    SystemKernelDebuggerInformation      = 35, // Y N
    SystemContextSwitchInformation       = 36, // Y N
    SystemRegistryQuotaInformation       = 37, // Y Y
    SystemLoadAndCallImage               = 38, // N Y
    SystemPrioritySeparation             = 39, // N Y
    SystemNotImplemented10               = 40, // Y N
    SystemNotImplemented11               = 41, // Y N
    SystemInvalidInfoClass2              = 42,
    SystemInvalidInfoClass3              = 43,
    SystemTimeZoneInformation            = 44, // Y N
    SystemLookasideInformation           = 45, // Y N
    SystemSetTimeSlipEvent               = 46, // N Y
    SystemCreateSession                  = 47, // N Y
    SystemDeleteSession                  = 48, // N Y
    SystemInvalidInfoClass4              = 49,
    SystemRangeStartInformation          = 50, // Y N
    SystemVerifierInformation            = 51, // Y Y
    SystemAddVerifier                    = 52, // N Y
    SystemSessionProcessesInformation    = 53  // Y N
} SYSTEM_INFORMATION_CLASS;
  75
// One entry of SystemModuleInformation (class 11).  The query buffer
// starts with a ULONG entry count followed by these records;
// GetUndocumentFunctionAdress() reads Base and Size of the first record
// only.  The remaining field names are the conventional reverse-engineered
// ones and are unused in this file.
typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
ULONG Reserved[2];
PVOID Base;            // image base of the module
ULONG Size;            // image size in bytes
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
  87
// One entry of SystemHandleInformation (class 16 / 0x10) as walked by
// GetCsrPid(): ProcessId is the owning process, ObjectTypeNumber the
// object-type index it filters on, Handle the 16-bit handle value it
// duplicates.  The typedef names reuse the struct tag and start with an
// underscore + capital (an identifier range reserved to the
// implementation); kept because GetCsrPid() spells them this way.
typedef struct _SYSTEM_HANDLE_INFORMATION
{
  ULONG ProcessId;
  UCHAR ObjectTypeNumber;
  UCHAR Flags;
  USHORT Handle;
  PVOID Object;
  ACCESS_MASK GrantedAccess;
} _SYSTEM_HANDLE_INFORMATION, *P_SYSTEM_HANDLE_INFORMATION;
  97
// Header of the SystemHandleInformation buffer: a count followed by the
// entries.  Information[1] is the pre-C99 "trailing variable-length
// array" idiom; GetCsrPid() indexes it up to NumberOfHandles - 1.
// The mixed-case struct tag ("INformATION") is a typo that nothing
// references; only the typedef names are used.
typedef struct _SYSTEM_HANDLE_INformATION_EX {
  ULONG NumberOfHandles;
  _SYSTEM_HANDLE_INFORMATION Information[1];
} _SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
 102
 103
 104
 105
 106
 107
 108
 109 //-----------------------
// Pointer type used to hold the saved win32k table entry for
// NtGdiGetPixel.  The empty parameter list is an old-style (unprototyped)
// declaration, not "takes no arguments"; the value is only stored and
// jumped to, never called from C.
typedef NTSTATUS (*NTGDIGETPIXEL)
(
);

// Original win32k table entry for NtGdiGetPixel, saved by HookShadow().
// UnhookShadow() contains (commented out) the write that would restore it.
NTGDIGETPIXEL               g_OriginalNtGdiGetPixel;
 115
 116
 117 //-----------------API申明-----------
 118
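//-----------------API declarations-----------
// This driver's own routines (definitions below).  `(void)` turns these
// into real prototypes; the original empty lists were unprototyped.

PVOID GetUndocumentFunctionAdress(void);
VOID Hook(void);
VOID Unhook(void);
VOID WPOFF(VOID);
VOID WPON(VOID);
VOID InitCallNumber(void);
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);

//--------shadow-----------
PVOID GetInfoTable(ULONG ATableType);
HANDLE GetCsrPid(void);
VOID KeAttPro(void);
VOID HookShadow(void);
VOID UnhookShadow(void);
ULONG MyNtGdiGetPixel(void);

// Kernel routines used below whose prototypes the included header may not
// provide.  Changes from the original declarations:
//  - ZwDuplicateObject: SourceHandle is a HANDLE (GetCsrPid() passes one),
//    not a PHANDLE.
//  - PsLookupProcessByProcessId was declared twice; one copy kept.  It is
//    declared with a ULONG id (the DDK prototype takes a HANDLE);
//    KeAttPro() casts to ULONG to match this declaration.
//  - KeAttachProcess / KeDetachProcess are VOID in the DDK; no caller used
//    the NTSTATUS they were previously declared with.

NTSTATUS ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);

NTSTATUS ZwDuplicateObject(
                 IN HANDLE                 SourceProcessHandle,
                 IN HANDLE                  SourceHandle,
                 IN HANDLE                 TargetProcessHandle,
                 OUT PHANDLE               TargetHandle,
                 IN ACCESS_MASK             DesiredAccess OPTIONAL,
                 IN BOOLEAN                 InheritHandle,
                 IN ULONG                   Options );

NTSTATUS ZwQueryObject(
    IN HANDLE                ObjectHandle,
    IN ULONG                 ObjectInformationClass,
    OUT PVOID                ObjectInformation,
    IN ULONG                 ObjectInformationLength,
    OUT PULONG               ReturnLength OPTIONAL);

NTSTATUS PsLookupProcessByProcessId(
       IN ULONG               ulProcId,
       OUT PEPROCESS *        pEProcess);

VOID KeAttachProcess(PEPROCESS pPeb);
VOID KeDetachProcess(void);

//--------shadow-----------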
 167
 168 //--------shadow-----------
 169
 170
 171
 172
 173
 174
 175 //---------------全局变量------------
//---------------Globals------------
// EPROCESS of the csrss instance found by GetCsrPid(); set by KeAttPro().
PEPROCESS crsEProc;

// Resume points inside the ORIGINAL service routines.  Each My* stub
// re-executes the first instructions of its original by hand and then
// jumps here, i.e. past the bytes an earlier inline hook may have
// replaced.  Assigned in Hook() (offsets are build-specific constants):
//   JmpAddress  = NtReadVirtualMemory  + 0xC      (Win7 stub)
//   JmpAddress1 = NtWriteVirtualMemory + 0xC      (Win7 stub)
//   JmpAddress2 = NtOpenProcess                   (unused by the stubs)
//   JmpAddress3 = NtOpenProcess        + 0x2D     (Win7 stub)
//   JmpAddress4 = NtClose                         (unused by the stubs)
//   JmpAddress5 = NtClose              + 0x5
//   JmpAddress6 = NtDeviceIoControlFile + 0x2A
//   JmpAddress7 = NtDeviceIoControlFile           (unused by the stubs)
ULONG JmpAddress;
ULONG JmpAddress1;
ULONG JmpAddress2;
ULONG JmpAddress3;
ULONG JmpAddress4;
ULONG JmpAddress5;
ULONG JmpAddress6;
ULONG JmpAddress7;

// Same idea for the XP stubs: saved Read/Write entry + 0xC, and the
// imported NtOpenProcess symbol + 0xF (not the table entry).
ULONG JmpAddRead_xp;
ULONG JmpAddWrite_xp;
ULONG JmpAddOpen_xp;

//--------shadow-----------
// Original win32k NtGdiGetPixel entry + 5, assigned in HookShadow().
ULONG JmpAddress_Shadow_GdiGetPixel;
//--------shadow-----------

// Table entries as found by Hook(), written back by Unhook():
// Read, Write, OpenProcess, Close, DeviceIoControlFile.
ULONG OldServiceAddress;
ULONG OldServiceAddress1;
ULONG OldServiceAddress2;
ULONG OldServiceAddress3;
ULONG OldServiceAddress4;
ULONG Adds;                 // not referenced anywhere in this file
// Addresses of internal kernel routines located by byte signature in
// GetUndocumentFunctionAdress(); 0 until that ran or when no match:
//   retAddr  -> Win7 Read/Write stubs, retAddr1 -> Win7 OpenProcess stub,
//   retAddr2 -> Win7 DeviceIoControlFile stub.
ULONG retAddr1;
ULONG retAddr;
ULONG retAddr2;

// XP counterparts: retAddrRwpm_Xp -> XP Open/Read/Write stubs,
// retAddrIoCF_Xp -> XP DeviceIoControlFile stub.
ULONG retAddrRwpm_Xp;
ULONG retAddrIoCF_Xp;


//----------------------Service indexes---------
// Index of each hooked routine in the service tables, set per kernel
// version by InitCallNumber().  0 means "unknown version"; Hook() then
// installs nothing.
ULONG NtOpenProcess_CallNumber = 0;   // service index
ULONG NtReadVirtualMemory_CallNumber = 0;   // service index
ULONG NtWriteVirtualMemory_CallNumber = 0;   // service index
ULONG NtClose_CallNumber = 0;
ULONG NtDeviceIoControlFile_CallNumber = 0;

//--------shadow-----------
ULONG NtGdiGetPixel_callnumber = 0;   // index in the win32k table
//--------shadow-----------

// KeDelayExecutionThread takes intervals in 100-ns units; a negative
// value is relative to now.  -10 = 1 µs, hence -10000 = 1 ms.
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
 222
 223
 224
 225
 226
 227 //------------------------函数部分---------------
 228
 229 //-----------------shadow--------------
// Locates the non-exported shadow descriptor array by scanning the first
// 4096 bytes of KeAddSystemServiceTable for an embedded 32-bit value that
// points at a 16-byte copy of KeServiceDescriptorTable other than the
// exported table itself (the shadow array's first entry duplicates it).
// Returns that address, or 0 when the scan faults or finds nothing.
// x86-only: assumes 32-bit pointers and a 16-byte descriptor.
unsigned int getAddressOfShadowTable()
{
    unsigned int i;
    unsigned char *p;
    unsigned int dwordatbyte;

    p = (unsigned char*) KeAddSystemServiceTable;

    for(i = 0; i < 4096; i++, p++)
    {
        // 4096 bytes is longer than the function; the read is guarded by
        // SEH, but note that the memcmp below is not.
        __try
        {
            dwordatbyte = *(unsigned int*)p;   // unaligned read at every byte offset
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            return 0;
        }

        // MmIsAddressValid checks only the page holding the first byte; a
        // candidate in the last 15 bytes of a valid page followed by an
        // invalid page can still fault inside memcmp, outside the __try.
        if(MmIsAddressValid((PVOID)dwordatbyte))
        {
            if(memcmp((PVOID)dwordatbyte, &KeServiceDescriptorTable, 16) == 0)
            {
                if((PVOID)dwordatbyte == &KeServiceDescriptorTable)
                {
                    continue;   // the exported table itself, keep looking
                }

                return dwordatbyte;
            }
        }
    }

    return 0;
}
 265
// Resolves and caches KeServiceDescriptorTableShadow.  Returns TRUE when
// getAddressOfShadowTable() produced a non-NULL address, FALSE otherwise
// (the global is then NULL and HookShadow() reports the failure).
ULONG getShadowTable()
{
    unsigned int found = getAddressOfShadowTable();

    KeServiceDescriptorTableShadow = (PServiceDescriptorTableEntry) found;

    return (KeServiceDescriptorTableShadow != NULL) ? TRUE : FALSE;
}
 279
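// Queries ZwQuerySystemInformation(ATableType) into a paged-pool buffer,
// starting at 0x4000 bytes and doubling while the call reports
// STATUS_INFO_LENGTH_MISMATCH (the required size is never asked for).
// Returns the zeroed, filled buffer — the caller releases it with
// ExFreePool — or NULL on allocation failure or any other status.
// Fix: the buffer was zeroed before the allocation result was checked,
// so an allocation failure dereferenced NULL.
PVOID GetInfoTable(ULONG ATableType)
{
  ULONG mSize = 0x4000;
  PVOID mPtr = NULL;
  NTSTATUS St;
  do
  {
     mPtr = ExAllocatePool(PagedPool, mSize);
     if (mPtr == NULL)
     {
        return NULL;
     }
     memset(mPtr, 0, mSize);
     St = ZwQuerySystemInformation(ATableType, mPtr, mSize, NULL);
     if (St == STATUS_INFO_LENGTH_MISMATCH)
     {
        // Too small: release and retry with twice the size.
        ExFreePool(mPtr);
        mSize = mSize * 2;
     }
  } while (St == STATUS_INFO_LENGTH_MISMATCH);
  if (St == STATUS_SUCCESS) return mPtr;
  ExFreePool(mPtr);
  return NULL;
}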
 303
 304 //--------------------下面这个函数必须的--------
// Returns the PID of the process that owns a handle to "\Windows\ApiPort"
// (csrss), or 0 when no such handle is found or the handle table could not
// be read.  Walks SystemHandleInformation, opens each candidate owner with
// PROCESS_DUP_HANDLE, duplicates the handle into this process and queries
// its name.  If several owners match, the last one wins.
// Review notes (unchanged here):
//  - ObjectTypeNumber 21 ("Port") and ObjectNameInformation == 1 are
//    build-specific magic numbers; 0x10 is SystemHandleInformation, which
//    the enum above already names.
//  - NtOpenProcess rather than ZwOpenProcess is called from kernel mode,
//    so previous-mode handling differs from the Zw variant.
//  - The snapshot is stale by the time it is walked; each later step
//    checks its own status, so a vanished handle is simply skipped.
//  - The name compare passes 20 characters for a 16-character literal and
//    relies on the returned name being NUL-terminated.
HANDLE GetCsrPid()
{
  HANDLE Process, hObject;
  HANDLE CsrId = (HANDLE)0;
  OBJECT_ATTRIBUTES obj;
  CLIENT_ID cid;
  UCHAR Buff[0x100];                          // OBJECT_NAME_INFORMATION + name, bounded below
  POBJECT_NAME_INFORMATION ObjName = (PVOID)&Buff;
  PSYSTEM_HANDLE_INFORMATION_EX Handles;
  ULONG r;

  Handles = GetInfoTable(0x10); //SystemHandleInformation =  0x10

  if (!Handles) return CsrId;

  for (r = 0; r < Handles->NumberOfHandles; r++)
  {
    if (Handles->Information[r].ObjectTypeNumber == 21) //Port object
    {
      InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

      cid.UniqueProcess = (HANDLE)Handles->Information[r].ProcessId;
      cid.UniqueThread = 0;

      if (NT_SUCCESS(NtOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid)))
      {
        if (NT_SUCCESS(ZwDuplicateObject(Process, (HANDLE)Handles->Information[r].Handle,NtCurrentProcess(), &hObject, 0, 0, DUPLICATE_SAME_ACCESS)))
        {
          if (NT_SUCCESS(ZwQueryObject(hObject, 1, ObjName, 0x100, NULL))) //ObjectNameInformation == 1
          {
            if (ObjName->Name.Buffer && !wcsncmp(L"\\Windows\\ApiPort", ObjName->Name.Buffer, 20))
            {
              CsrId = (HANDLE)Handles->Information[r].ProcessId;
            }
          }

          ZwClose(hObject);
        }

        ZwClose(Process);
      }
    }
  }

  ExFreePool(Handles);
  return CsrId;
}
 352
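// Blocks the current thread for MillionSecond (sic: milliseconds).
// KeDelayExecutionThread takes a relative interval as a negative count of
// 100-ns units, so 1 ms = -10000.  Returns TRUE when the wait completed
// with a success status.
// Fix: the product was computed as int * ULONG (unsigned 32-bit) and then
// narrowed to LONG, so delays above ~214 s wrapped to a positive value,
// which the kernel interprets as an absolute time rather than a delay.
// The multiplication is now done in 64 bits.
BOOLEAN Sleep(ULONG MillionSecond)
{
  NTSTATUS st;
  LARGE_INTEGER DelayTime;
  DelayTime.QuadPart = (LONGLONG)(-10000) * (LONGLONG)MillionSecond;
  st=KeDelayExecutionThread( KernelMode, FALSE, &DelayTime );
  return (NT_SUCCESS(st));
}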
 361
 362
 363
 364 //-----------------shadow--------------
 365
 366
 367
 368
 369
 370
 371
 372
 373
 374
 375
 376
 377
 378
 379
 380
 381
 382
 383
 384
 385
 386
 387
// Scans the first module reported by SystemModuleInformation (assumed to
// be ntoskrnl; ImageName is not checked) for five 16-byte code signatures
// and records an address at a fixed offset from each match in the retAddr*
// globals — the internal routines the My* stubs call back into.  Always
// returns 0; the results are the globals, which stay 0 when a signature
// does not match.
// Review notes (unchanged here):
//  - buf is leaked when the second ZwQuerySystemInformation call fails.
//  - The loop reads 16 bytes at every i up to and including
//    ntosknlEndAddr, so the last 15 iterations read past the image; no
//    __try guards those reads.
//  - The signatures and offsets (-5, -0xF, -0xC, +0x10) are bound to
//    specific kernel builds (the _sp2 / _xp names hint at which); on any
//    other build the globals stay 0 or point at unrelated code, and the
//    stubs then call through them anyway.
//  - index and driverAddress are unused.
PVOID
GetUndocumentFunctionAdress()
{

  ULONG size,index;
  PULONG buf;
      ULONG i;
  PSYSTEM_MODULE_INFORMATION module;
  PVOID driverAddress=0;
     ULONG ntosknlBase;
  ULONG ntosknlEndAddr;
  ULONG curAddr;
  NTSTATUS status;

  // 16-byte signatures, four little-endian dwords each.
  ULONG  code1_sp2=0x0035ff64,code2_sp2=0x8b000000,code3_sp2=0x89102444,code4_sp2=0x8d10246c;
  ULONG  code1_cal=0x8908758b,code2_cal=0xffff08b5,code3_cal=0x89db33ff,code4_cal=0xffff149d;

  ULONG  code1_Fil=0x33207d8b,code2_Fil=0xd85d89db,code3_Fil=0x831c758b,code4_Fil=0x758903e6;
  ULONG  code1_rwm=0x66f845dd,code2_rwm=0x7f087d81,code3_rwm=0xd9037402,code4_rwm=0xc3c9086d;

  ULONG  code1_IoF=0x5d89db33,code2_IoF=0x1c758be0,code3_IoF=0x8903e683,code4_IoF=0xa164d475;


  // First call only asks for the required buffer size.
  ZwQuerySystemInformation(SystemModuleInformation,&size, 0, &size);

  if(NULL==(buf = (PULONG)ExAllocatePool(PagedPool, size)))
  {
    DbgPrint("failed alloc memory failed  \n");
    return 0;
  }

  status=ZwQuerySystemInformation(SystemModuleInformation,buf, size , 0);
  if(!NT_SUCCESS( status ))
  {
             DbgPrint("failed  query\n");
          return 0;                          // NOTE: buf is not freed on this path
  }

  // Skip the leading ULONG count; the first record is taken as the kernel.
  module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1);

  ntosknlEndAddr=(ULONG)module->Base+(ULONG)module->Size;
  ntosknlBase=(ULONG)module->Base;
  curAddr=ntosknlBase;
  ExFreePool(buf);

  // Byte-granular scan; every iteration compares four dwords at i..i+12.
  for (i=curAddr;i<=ntosknlEndAddr;i++)
    {
      if ((*((ULONG *)i)==code1_sp2)&&(*((ULONG *)(i+4))==code2_sp2)&&(*((ULONG *)(i+8))==code3_sp2)&&(*((ULONG *)(i+12))==code4_sp2))

      {

        retAddr = i-5;  // -5: the author notes the routine's first instruction is 5 bytes long

      }

      if ((*((ULONG *)i)==code1_cal)&&(*((ULONG *)(i+4))==code2_cal)&&(*((ULONG *)(i+8))==code3_cal)&&(*((ULONG *)(i+12))==code4_cal))

      {

        retAddr1 = i-0xF;

      }

      if ((*((ULONG *)i)==code1_Fil)&&(*((ULONG *)(i+4))==code2_Fil)&&(*((ULONG *)(i+8))==code3_Fil)&&(*((ULONG *)(i+12))==code4_Fil))

      {

        retAddr2 = i-0xC;

      }
      if ((*((ULONG *)i)==code1_rwm)&&(*((ULONG *)(i+4))==code2_rwm)&&(*((ULONG *)(i+8))==code3_rwm)&&(*((ULONG *)(i+12))==code4_rwm))

      {

        retAddrRwpm_Xp = i+0x10;

      }
      if ((*((ULONG *)i)==code1_IoF)&&(*((ULONG *)(i+4))==code2_IoF)&&(*((ULONG *)(i+8))==code3_IoF)&&(*((ULONG *)(i+12))==code4_IoF))

      {

        retAddrIoCF_Xp = i-0xC;

      }

  }
return 0;

}
 477
 478 //------------------暂停函数----------------
 479
//------------------Delay helper----------------
// Blocks the current thread for msec milliseconds.  The interval is built
// in the 100-ns units KeDelayExecutionThread expects (negative = relative
// to now); the 64-bit product cannot overflow for any LONG msec.  The
// status of the wait is not checked.
VOID MySleep(LONG msec)
{
  LARGE_INTEGER interval;

  interval.QuadPart = (LONGLONG)DELAY_ONE_MILLISECOND * msec;
  KeDelayExecutionThread(KernelMode, FALSE, &interval);
}
 487
 488 //--------------获取服务号----------------
//--------------Resolve service indexes----------------

// Stores one kernel version's set of service indexes in the globals that
// Hook() and HookShadow() index the tables with.
static VOID AssignCallNumbers(ULONG openProcess, ULONG readVm, ULONG writeVm,
                              ULONG closeHandle, ULONG deviceIoControl, ULONG gdiGetPixel)
{
  NtOpenProcess_CallNumber = openProcess;
  NtReadVirtualMemory_CallNumber = readVm;
  NtWriteVirtualMemory_CallNumber = writeVm;
  NtClose_CallNumber = closeHandle;
  NtDeviceIoControlFile_CallNumber = deviceIoControl;

  NtGdiGetPixel_callnumber = gdiGetPixel;
}

// Selects hard-coded service indexes by kernel major/minor version
// (5.1 = XP, 6.1 = Windows 7 / Server 2008 R2); service packs are not
// distinguished.  Any other version leaves every *_CallNumber at 0, and
// Hook() then installs nothing because it keys on the NtOpenProcess index.
VOID InitCallNumber()
{
  ULONG majorVersion, minorVersion;

  PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );

  if ( majorVersion == 5 && minorVersion == 1 )
  {
    DbgPrint("Running on Windows Xp");
    AssignCallNumbers(0x7A, 0xBA, 0x115, 0x19, 0x42, 0xBF);
    return;
  }

  if ( majorVersion == 6 && minorVersion == 1 )
  {
    DbgPrint("Running on Windows 7");
    AssignCallNumbers(0xBE, 0x115, 0x18F, 0x32, 0x6B, 0xC8);
  }
}
 522
 523 //-------------------下面是处理内存权限-读写开关-----------------
 524
//-------------------Write-protect toggling (CR0.WP)-----------------

// Clears CR0.WP so that kernel writes to read-only pages (the service
// tables) succeed, after masking interrupts on this CPU.  Both are per-CPU
// state: no IRQL is raised and other processors are unaffected, so a
// concurrent system call on another CPU can observe a half-updated table.
// x86-only (eax / cr0).
VOID WPOFF(VOID)
{
__asm
{
cli                     // mask interrupts on the current CPU
mov eax,cr0
and eax,not 10000h      // clear bit 16 = WP
mov cr0,eax
}
}
 535
 536
 537
// Counterpart of WPOFF(): sets CR0.WP again and re-enables interrupts on
// this CPU.  Unconditionally executes sti, so it must only follow a
// matching WPOFF() on the same CPU (all callers here pair them).
VOID WPON(VOID)
{
__asm
{
mov eax,cr0
or eax,10000h           // set bit 16 = WP
mov cr0,eax
sti
}
}
 548
 549
 550
 551 //------------------------构造自己的函数--------------------
 552
//------------------------Replacement service routines--------------------
// Each My* routine below is written into the service table by Hook().
// They are naked (no compiler prologue/epilogue): the inline asm
// re-executes the first instructions of the original routine by hand and
// then jumps to the matching JmpAddress*, the original's address plus the
// length of what was re-executed — i.e. past the bytes an earlier inline
// hook in the original may have replaced (the author's comment in Hook():
// "bypass the inline [hook]").  The prologue lengths, the internal
// routines called through retAddr*, and the absolute constants pushed by
// the Read/Write/Open stubs are all specific to one kernel build; nothing
// validates them at run time, so on another build execution simply
// continues at a wrong address.

// Win7 variant for NtDeviceIoControlFile.  Rebuilds the hot-patch prologue
// (mov edi,edi / push ebp / mov ebp,esp), pushes the ten arguments at
// [ebp+0x8..0x2C] in reverse order preceded by a constant 1 (an eleventh
// argument whose meaning is not recoverable from this file), calls the
// routine located by signature (retAddr2) and continues at the original
// NtDeviceIoControlFile + 0x2A (JmpAddress6).
__declspec(naked) NTSTATUS MyNtDeviceIoControlFile(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG IoControlCode,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID OutputBuffer,
    ULONG OutputBufferLength
)
{
  __asm{

//  Jmp [JmpAddress7]                  // earlier revision: plain jump to the original
  mov edi, edi
  push ebp
  mov ebp, esp
  push 1
  push dword ptr [ebp+0x2C]            // OutputBufferLength
  push dword ptr [ebp+0x28]
  push dword ptr [ebp+0x24]
  push dword ptr [ebp+0x20]
  push dword ptr [ebp+0x1C]
  push dword ptr [ebp+0x18]
  push dword ptr [ebp+0x14]
  push dword ptr [ebp+0x10]
  push dword ptr [ebp+0xC]
  push dword ptr [ebp+0x8]             // FileHandle
        call retAddr2                  // indirect through the global (MSVC data symbol)
  Jmp [JmpAddress6]
       }
}
 587
 588
// Replacement for NtClose, shared by the XP and Win7 paths (Hook() installs
// it in both).  Re-executes the 5-byte hot-patch prologue and continues at
// the original NtClose + 5 (JmpAddress5).  Adds no behaviour of its own.
__declspec(naked) NTSTATUS __stdcall MyNtClose(HANDLE ObjectHandle)
{
  __asm{
//  Jmp [JmpAddress4]                  // earlier revision: plain jump to the original
  mov edi, edi
  push ebp
  mov ebp, esp
  Jmp [JmpAddress5]
       }
}
 599
 600
// Win7 variant for NtOpenProcess.  Rebuilds the hot-patch prologue,
// reserves two local slots (push ecx twice), copies a byte from the
// structure at fs:[0x124] + 0x13A into [ebp-4] (this looks like the
// current thread's previous-mode byte — the offsets are build-specific
// and not verified here), loads ClientId/ObjectAttributes into ecx/edx,
// pushes that byte twice plus DesiredAccess and ProcessHandle, calls the
// routine located by signature (retAddr1) and continues at the original
// NtOpenProcess + 0x2D (JmpAddress3).
__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId)
{
 // DbgPrint("NtOpenProcess() called");
  __asm{

//      jmp     [JmpAddress2]          // earlier revision: plain jump to the original

  mov edi, edi
  push ebp
  mov ebp, esp
  push ecx
  push ecx
  mov eax, fs:[0x124]
  mov al, byte ptr [eax+0x13A]
  mov ecx, [ebp+0x14]                  // ClientId
  mov edx, [ebp+0x10]                  // ObjectAttributes
  mov byte ptr [ebp-0x4], al
  push [ebp-0x4]
  push [ebp-0x4]
  push [ebp+0xC]                       // DesiredAccess
  push [ebp+0x8]                       // ProcessHandle
  call retAddr1                        // indirect through the global
  jmp     [JmpAddress3]
//      _emit 0x0F




  }
}
 634
// Win7 variant for NtReadVirtualMemory.  The push/push/call sequence
// looks like the original routine's SEH-style prologue (frame size,
// scope-table address, call to the prologue helper located by signature
// in retAddr); 0x832a8B08 is an absolute address taken from one specific
// kernel image.  Then continues at the original NtReadVirtualMemory + 0xC
// (JmpAddress), the length of the three instructions re-executed here.
__declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(HANDLE ProcessHandle,
               PVOID BaseAddress,
               PVOID Buffer,
               ULONG NumberOfBytesToRead,
         PULONG NumberOfBytesReaded)
{
  // jump over to the original
  __asm
  {
//    jmp     [JmpAddress]              // earlier revision: plain jump to the original
    push    0x18;
    push 0x832a8B08;                   // build-specific absolute address
    call retAddr
    jmp     [JmpAddress]
  }
}
 651
// Win7 variant for NtWriteVirtualMemory; same shape as
// MyNtReadVirtualMemory with the write routine's constant (0x832a8AE0,
// again an absolute address from one kernel image) and resume point
// NtWriteVirtualMemory + 0xC (JmpAddress1).  The parameter is named
// NumberOfBytesReaded in the original; it is the bytes-written count.
__declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle,
               PVOID BaseAddress,
               PVOID Buffer,
               ULONG NumberOfBytesToWrite,
         PULONG NumberOfBytesReaded)
{
  // jump over to the original
  __asm
  {
//    jmp     [JmpAddress1]             // earlier revision: plain jump to the original

    push    0x18;
    push 0x832a8AE0;                   // build-specific absolute address
    call retAddr
    jmp     [JmpAddress1]
  }
}
 669 //-----------------------Xp----------------
 670
//-----------------------XP variants----------------

// XP variant for NtDeviceIoControlFile.  Identical to the Win7 stub except
// that it calls the XP signature match (retAddrIoCF_Xp); the resume point
// JmpAddress6 (original + 0x2A) is shared with the Win7 stub, so Hook()
// relies on both builds having the same prologue length there.
__declspec(naked) NTSTATUS MyNtDeviceIoControlFile_Xp(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG IoControlCode,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID OutputBuffer,
    ULONG OutputBufferLength
)
{
  __asm{

//  Jmp [JmpAddress7]                  // earlier revision: plain jump to the original
  mov edi, edi
  push ebp
  mov ebp, esp
  push 1
  push dword ptr [ebp+0x2C]            // OutputBufferLength
  push dword ptr [ebp+0x28]
  push dword ptr [ebp+0x24]
  push dword ptr [ebp+0x20]
  push dword ptr [ebp+0x1C]
  push dword ptr [ebp+0x18]
  push dword ptr [ebp+0x14]
  push dword ptr [ebp+0x10]
  push dword ptr [ebp+0xC]
  push dword ptr [ebp+0x8]             // FileHandle
        call retAddrIoCF_Xp            // indirect through the global
  Jmp [JmpAddress6]


       }
}
 707
 708
// XP variant for NtOpenProcess.  Re-executes what looks like the
// original's SEH-style prologue (push 0xC4 / push scope table / call the
// helper in retAddrRwpm_Xp) and continues at JmpAddOpen_xp, which Hook()
// sets to the imported NtOpenProcess symbol + 0xF (here push 0xC4 is a
// 5-byte imm32 push, so 5 + 5 + 5 = 0xF).  0x804EB0D8 is an absolute
// address from one specific XP kernel image.
__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess_Xp(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId)
{
  __asm{
//  jmp [JmpAddress2]                  // earlier revision: plain jump to the original
  push 0xC4
  push 0x804EB0D8                      // build-specific absolute address
  call retAddrRwpm_Xp
        jmp     [JmpAddOpen_xp]

  }
}
 723
// XP variant for NtReadVirtualMemory: push 0x1C (vs 0x18 on Win7), the
// same 0x832a8B08 constant as the Win7 stub (whether one absolute address
// can be valid for both images is not verifiable here), the XP prologue
// helper (retAddrRwpm_Xp), then resume at the saved entry + 0xC
// (JmpAddRead_xp).
__declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory_Xp(HANDLE ProcessHandle,
               PVOID BaseAddress,
               PVOID Buffer,
               ULONG NumberOfBytesToRead,
         PULONG NumberOfBytesReaded)
{
  // jump over to the original
  __asm
  {
//    jmp     [JmpAddress]              // earlier revision: plain jump to the original
    push    0x1C;
    push    0x832a8B08;                // build-specific absolute address
    call    retAddrRwpm_Xp
    jmp     [JmpAddRead_xp]
  }
}
 740
// XP variant for NtWriteVirtualMemory; mirrors MyNtReadVirtualMemory_Xp
// with the write routine's constant (0x832a8AE0, shared with the Win7
// stub) and resume point JmpAddWrite_xp (saved entry + 0xC).
__declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory_Xp(HANDLE ProcessHandle,
               PVOID BaseAddress,
               PVOID Buffer,
               ULONG NumberOfBytesToWrite,
         PULONG NumberOfBytesReaded)
{
  // jump over to the original
  __asm
  {
//    jmp     [JmpAddress1]             // earlier revision: plain jump to the original
    push    0x1C;
    push    0x832a8AE0;                // build-specific absolute address
    call    retAddrRwpm_Xp
    jmp     [JmpAddWrite_xp]
  }
}
 757
 758 //------------------------驱动入口-------------
//------------------------Driver entry-------------
// Runs the whole installation in a fixed order: resolve service indexes,
// find the shadow table (result ignored), locate internal routines by
// signature (always returns 0; fills the retAddr* globals), attach to
// csrss, hook the win32k table (HookShadow() detaches in its __finally),
// then hook the SSDT.  Always returns STATUS_SUCCESS, so the driver stays
// loaded even when every step failed and the stubs point at nothing
// valid.  RegistryPath is unused.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
  DriverObject->DriverUnload = OnUnload;
  InitCallNumber();
  getShadowTable();                     // locate the shadow table (FALSE ignored)

  GetUndocumentFunctionAdress();        // locate the internal routines by signature

  KeAttPro();                           // attach to csrss

  HookShadow();                         // win32k table; detaches when done

  Hook();                               // SSDT
  return STATUS_SUCCESS;
}
 774 //-------------------卸载---------------------
//-------------------Unload---------------------
// Restores the SSDT entries, re-attaches to csrss and runs UnhookShadow().
// The restore inside UnhookShadow() is commented out, so on XP the win32k
// entry written by HookShadow() still points into this image after it is
// unmapped — see the note there.  The original comment here reads
// "cannot return, can only complete".
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
  DbgPrint("驱动卸载中!\n");              // "driver unloading"
  Unhook();

  KeAttPro();
  UnhookShadow();
                             // restore the hooked routines
}
 784 //--------------Hook部分函数------------------
//--------------Install the SSDT hooks------------------
// Replaces five entries of the exported service table with the My* stubs
// above and records what is needed to get back into the originals:
//  - OldServiceAddress*: the entries as found, written back by Unhook().
//  - JmpAddress* / JmpAdd*_xp: resume points inside the originals
//    (entry + length of the prologue each stub re-executes).
// Which stub set is installed is keyed on the NtOpenProcess index set by
// InitCallNumber() (0x7A = XP, 0xBE = Win7); any other value installs
// nothing but still overwrites the Old*/Jmp* globals.
// Review notes (unchanged here):
//  - The table is written through `(ULONG)lvalue = …`, an MSVC extension
//    rather than standard C.
//  - WPOFF()/WPON() affect CR0.WP and interrupts on this CPU only; nothing
//    synchronises with other processors or with in-flight system calls.
//  - JmpAddOpen_xp is derived from the imported NtOpenProcess symbol, not
//    from the table entry, so it is unaffected by a prior redirect of the
//    entry; the Jmp* values from Address* are not.
//  - The entries as found are trusted: if another component has already
//    redirected them, the "original" saved here is that component's code.
//  - The DbgPrint labelled NtDeviceIoControlFile prints JmpAddress3, which
//    is derived from NtOpenProcess.
VOID Hook()
{

  ULONG  Address, Address1, Address2, Address3, Address4;


  Address = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber];
  Address1 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber];
  Address2 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber];
  Address3 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber];// NtClose
  Address4 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber];   //IoDeviceFile

  DbgPrint("SSDT_NtClose:0x%08X",Address3);


 //-------save the entries as found----------
  OldServiceAddress  = Address;   // original NtReadVirtualMemory entry
  OldServiceAddress1 = Address1;
  OldServiceAddress2 = Address2;
  OldServiceAddress3 = Address3;
  OldServiceAddress4 = Address4;

    DbgPrint("备份的地址_NtClose:0x%08X",OldServiceAddress3);



 //--------resume points past the re-executed prologue (bypassing an inline hook there)

  JmpAddress  = (ULONG)Address + 0xC;
  JmpAddress1 = (ULONG)Address1 + 0xC;
  JmpAddress2 = (ULONG)Address2;
  JmpAddress3 = (ULONG)Address2 +0x2D;
  JmpAddress4 = (ULONG)Address3;
  JmpAddress5 = (ULONG)Address3 +0x5;
  JmpAddress6 = (ULONG)Address4 +0x2A;
  JmpAddress7 = (ULONG)Address4;

  JmpAddRead_xp = (ULONG)OldServiceAddress +0xC;
  JmpAddWrite_xp = (ULONG)OldServiceAddress1 +0xC;
  JmpAddOpen_xp = (ULONG)NtOpenProcess +0xF;      // imported symbol, not the table entry




      DbgPrint("跳转_NtReadVirtualMemory:0x%08X",JmpAddress);
      DbgPrint("跳转_NtWriteVirtualMemory:0x%08X",JmpAddress1);
      DbgPrint("跳转_NtOpenProcess:0x%08X",JmpAddress2);
      DbgPrint("跳转_NtDeviceIoControlFile:0x%08X",JmpAddress3);   // prints the NtOpenProcess-derived value
      DbgPrint("跳转_NtClose:0x%08X",JmpAddress4);


//------------------timer control (earlier revision re-applied the hooks in a loop)------------------

//while(1)
//{

//---------------------------------version switch---------------------

  if ( NtOpenProcess_CallNumber == 0x7A )
  {


  WPOFF();
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = (ULONG)MyNtReadVirtualMemory_Xp;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = (ULONG)MyNtWriteVirtualMemory_Xp;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = (ULONG)MyNtOpenProcess_Xp;
     (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = (ULONG)MyNtClose;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = (ULONG)MyNtDeviceIoControlFile_Xp;


  WPON();


      DbgPrint("HOOK地址_NtClose:0x%08X",Address3);
      DbgPrint("HOOK地址_NtOpenProcess:0x%08X",Address2);

      DbgPrint("HOOK地址_自己的程序_NtClose:0x%08X",(ULONG)MyNtClose);
  }

  else if ( NtOpenProcess_CallNumber == 0xBE )
  {
  WPOFF();
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = (ULONG)MyNtReadVirtualMemory;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = (ULONG)MyNtWriteVirtualMemory;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = (ULONG)MyNtOpenProcess;
     (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = (ULONG)MyNtClose;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = (ULONG)MyNtDeviceIoControlFile;
  WPON();
  }

//MySleep(2000);
}
 877 //  }
 878
 879
 880 //--------------------------shadow-------------------------
 881
//--------------------------shadow-------------------------
// Hooks NtGdiGetPixel in the win32k service table (index 1 of the shadow
// descriptor array, by convention) with MyNtGdiGetPixel — on XP only; the
// Win7 write is commented out and a message is printed instead.  Saves the
// original entry in g_OriginalNtGdiGetPixel and the resume point (+5) in
// JmpAddress_Shadow_GdiGetPixel.  Expects to run attached to a GUI process
// (KeAttPro() is called immediately before in DriverEntry/OnUnload); the
// __finally detaches unconditionally, even when KeAttPro() never attached.
// Review notes (unchanged here):
//  - When the shadow table was not found, the else branch only logs; the
//    XP branch below then dereferences the NULL KeServiceDescriptorTableShadow.
//    __try/__finally does not catch that — it only runs the detach before
//    the fault propagates.
//  - The function pointer is stored into a PVOID slot without a cast.
//  - Same CR0.WP / per-CPU caveats as Hook().
VOID HookShadow()
{

  __try
  {
    if ((KeServiceDescriptorTableShadow!=NULL)) // table found: save the entry
    {

  g_OriginalNtGdiGetPixel = KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber];

  JmpAddress_Shadow_GdiGetPixel = (ULONG)g_OriginalNtGdiGetPixel + 0x5;   // past the 5-byte hot-patch prologue


    DbgPrint("获取Shadow地址成功!\n");       // "shadow address obtained"
      DbgPrint("Shadow:0x%08X",g_OriginalNtGdiGetPixel);

    }




    else
    {
      DbgPrint("获取地址失败!\n");            // "failed to obtain address"
      KeServiceDescriptorTableShadow=NULL;
    }



//-----------------version switch--------------------



  if ( NtOpenProcess_CallNumber == 0x7A )
  {


  WPOFF();
      KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = MyNtGdiGetPixel;
  WPON();

  }

  else if ( NtOpenProcess_CallNumber == 0xBE )
  {
//  WPOFF();
//      KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = MyNtGdiGetPixel;
//  WPON();

    DbgPrint("暂时没找到WIN7的Shadow Hook解决方案~\n");   // "no Win7 shadow hook solution yet"

  }



  }
  __finally
  {
      KeDetachProcess();
  }

}
 944
 945
// Attaches the current thread to the csrss address space found by
// GetCsrPid() — presumably so that the win32k table HookShadow() writes
// is mapped.  On lookup failure it logs and returns WITHOUT attaching,
// while the callers' __finally blocks still call KeDetachProcess().
// Review notes (unchanged here):
//  - PsLookupProcessByProcessId returns a referenced EPROCESS that is
//    never dereferenced; this runs twice (DriverEntry and OnUnload), so
//    two references on csrss leak.
//  - GetCsrPid() returning 0 (not found) is passed straight to the lookup
//    and only surfaces as its failure status.
VOID KeAttPro()
{
  NTSTATUS status;

  status = PsLookupProcessByProcessId((ULONG)GetCsrPid(), &crsEProc);
  if (!NT_SUCCESS( status ))
  {
    DbgPrint("PsLookupProcessByProcessId() error\n");
    return ;
  }
  KeAttachProcess(crsEProc);
}
 958
 959
 960 //
//--------------Restore the SSDT entries------------------
// Writes the five OldServiceAddress* values saved by Hook() back into the
// table.  InitCallNumber() is re-run so the indexes are the ones Hook()
// used.  If Hook() installed nothing (unsupported version), the saved
// values are the entries as found and writing them back changes nothing.
// Same `(ULONG)lvalue` extension and CR0.WP / per-CPU caveats as Hook().
VOID Unhook()
{
  InitCallNumber();


    WPOFF();

      (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = OldServiceAddress;
      (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = OldServiceAddress1;
      (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = OldServiceAddress2;
       (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = OldServiceAddress3;
      (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = OldServiceAddress4;

    WPON();

  DbgPrint("卸载完成\n");                 // "unhook done"
}
 978
 979
// Intended to write g_OriginalNtGdiGetPixel back into the win32k table;
// that write is commented out and only the Win7 message is printed, so on
// XP the entry installed by HookShadow() keeps pointing into this driver
// after it unloads.  Runs attached (KeAttPro() in OnUnload); the __finally
// detaches and then waits 50 ms.
VOID UnhookShadow()
{
  __try
  {
//  WPOFF();

//  KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = g_OriginalNtGdiGetPixel;

//  WPON();
    DbgPrint("暂时没找到WIN7的Shadow Hook解决方案~\n");   // "no Win7 shadow hook solution yet"
         }
  __finally
       {
     KeDetachProcess();
     Sleep(50);
       }
}
 997
 998
 999
1000
1001
1002
1003
1004 //---------------------shadow自定义函数-----------------------
//---------------------win32k table replacement-----------------------
// Installed for NtGdiGetPixel on XP by HookShadow().  Re-executes the
// 5-byte hot-patch prologue and continues at the original + 5 through the
// JmpAddress_Shadow_GdiGetPixel global (MSVC resolves the data symbol as
// an indirect jump target).  Adds no behaviour of its own.
__declspec(naked) ULONG MyNtGdiGetPixel()
{
  __asm
  {
//  jmp g_OriginalNtGdiGetPixel        // earlier revision: plain jump to the original

  mov edi, edi
  push ebp
  mov ebp, esp

  jmp JmpAddress_Shadow_GdiGetPixel
  }
}

转载于:https://www.cnblogs.com/himessage/archive/2012/12/21/2828329.html
