[源码]Hook Shadow SSDT
作 者: sislcb网上很多文章都有关于SSDT的完整的实现,但是没有关于Shadow SSDT的完整实现,目前最好的文章是《shadow ssdt学习笔记 by zhuwg》,我这里的程序也很多参考了他的文章,在这里谢谢了。我这里给出一个hook shadow ssdt的完整实现的驱动和3层的代码。
这里主要是hook 了NtUserFindWindowEx,NtUserBuildHwndList,NtUserQueryWindow,NtUserGetForegroundWindow,NtUserWindowFromPoint来防止其他应用程序通过FindWindow,EnumWindow,WindowFromPoint,GetForegroundWindow这些函数来枚举我们的窗口,不过这个程序对于GetWindowText这个东西无法防护,如果有朋友在驱动层实现了对该函数的保护,是否能一起交流呢。
关于hook的流程,看了上面zhuwg的文章,大家应该很好的了解了。下面的代码也很简单。大家随便看看吧,通信方面,随便使用了METHOD_NEITHER方法,这个方法不好,有问题,不过懒得改了,懂驱动的应该很容易改为BUFFERED模式吧。
在这里谢谢给了很多帮助的各位牛人,特别是NetRoc,很细心的帮我测试。。
**** Hidden Message ***** vb hook怎么用
2011-02-10 16:52 提问者: 高级法院法官 浏览次数:1035次
写了个小程序,用键盘控制鼠标移动,但是mouse_event这个API在窗体关闭或最小化后就失去焦点了
他们说让我用HOOK,怎么用啊,各位大虾,帮帮忙,感激不尽
代码太长可以发我邮箱kongchao3581@126.com
精彩回答
2011-02-11 13:19
'代码写得有些乱,凑合着看吧.
'模块代码,里面有一些没用到的API可以删了.
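Option Explicit

' Win32 declarations used by this module.  In VB6 the Lib and Alias names are
' string literals; the quotes were lost when the listing was pasted and are
' restored here, otherwise none of these lines compile.
Public Declare Function MoveWindow Lib "user32" (ByVal hwnd As Long, ByVal x As Long, ByVal y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal bRepaint As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
Public Declare Function CreateToolhelp32Snapshot Lib "KERNEL32.DLL" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function Process32First Lib "KERNEL32.DLL" (ByVal hSnapshot As Long, ByRef lppe As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "KERNEL32.DLL" (ByVal hSnapshot As Long, ByRef lppe As PROCESSENTRY32) As Long
Public Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
Public Declare Function SetWinEventHook Lib "user32.dll" (ByVal eventMin As Long, ByVal eventMax As Long, ByVal hmodWinEventProc As Long, ByVal pfnWinEventProc As Long, ByVal IdProcess As Long, ByVal idThread As Long, ByVal dwFlags As Long) As Long
Public Declare Function UnhookWinEvent Lib "user32.dll" (ByVal hWinEventHook As Long) As Long

' SetWinEventHook flags.
' OUTOFCONTEXT: the callback is invoked in this process; no DLL is loaded into
' the process being watched.  SKIPOWNPROCESS: events raised by our own windows
' are not delivered.
Public Const WINEVENT_OUTOFCONTEXT = &H0&
Public Const WINEVENT_SKIPOWNPROCESS = &H2&
' Raised when a popup menu is opened; the event's hwnd is the menu window.
Public Const EVENT_SYSTEM_MENUPOPUPSTART = &H6&

' CreateToolhelp32Snapshot flags.
Public Const TH32CS_SNAPHEAPLIST = &H1
Public Const TH32CS_SNAPPROCESS = &H2
Public Const TH32CS_SNAPTHREAD = &H4
Public Const TH32CS_SNAPMODULE = &H8
Public Const TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST Or TH32CS_SNAPPROCESS Or TH32CS_SNAPTHREAD Or TH32CS_SNAPMODULE)
Public Const TH32CS_INHERIT = &H80000000

' Size of the szExeFile buffer in PROCESSENTRY32.
Public Const MAX_PATH As Integer = 260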
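' PROCESSENTRY32 (ANSI layout) as filled in by Process32First/Process32Next.
' The original listing lost the "* " in the fixed-length string member, which
' made the Type invalid; it is restored here.
Public Type PROCESSENTRY32
    dwSize As Long                ' caller must set this to Len(PROCESSENTRY32) before Process32First
    cntUsage As Long
    th32ProcessID As Long         ' process id returned by GetProcessID
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * MAX_PATH   ' fixed-length buffer; the API writes a NUL-terminated image name into it
End Type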
' Handle returned by SetWinEventHook; 0 while no hook is installed.
' (Module-level Dim and Private are equivalent in a standard module.)
Private hEventHook As Long
' WinEventProc callback registered by SetHook.  Because the hook is installed
' with WINEVENT_OUTOFCONTEXT it is called inside this process, not inside the
' process whose menu was opened.  hwnd is the window handle of the popup menu.
Public Sub WINEVENTPROC(ByVal hWinEventHook As Long, _
                        ByVal lngevent As Long, _
                        ByVal hwnd As Long, _
                        ByVal idObject As Long, _
                        ByVal idChild As Long, _
                        ByVal idEventThread As Long, _
                        ByVal dwmsEventTime As Long)
    ' Test action from the original: park the menu window at the top-left
    ' corner as a 200x200 rectangle and repaint it (-1 = True).
    MoveWindow hwnd, 0, 0, 200, 200, -1
End Sub
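' Installs an out-of-context WinEvent hook for EVENT_SYSTEM_MENUPOPUPSTART on
' the process with id IdProcess (0 watches every process) and routes the events
' to WINEVENTPROC.  Returns the hook handle, or 0 if SetWinEventHook failed.
' If a hook is already installed it is released first, so calling SetHook twice
' cannot leak the earlier hook handle.
Public Function SetHook(ByVal IdProcess As Long) As Long
    Dim flags As Long

    If hEventHook <> 0 Then
        UnhookWinEvent hEventHook
        hEventHook = 0
    End If

    ' OUTOFCONTEXT: callback runs in this process, no DLL is injected into the
    ' target.  SKIPOWNPROCESS: do not react to our own menus.
    flags = WINEVENT_OUTOFCONTEXT Or WINEVENT_SKIPOWNPROCESS
    hEventHook = SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART, 0&, AddressOf WINEVENTPROC, IdProcess, 0&, flags)
    SetHook = hEventHook
End Function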
' Removes the hook installed by SetHook, if there is one, and clears the
' stored handle so a second call is a no-op.
Public Sub UnSetHook()
    If hEventHook = 0 Then Exit Sub
    UnhookWinEvent hEventHook
    hEventHook = 0
End Sub
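' Returns the id of the first running process whose image file name contains
' sName (case-insensitive substring match, as in the original), or 0 when no
' process matches, the snapshot could not be taken, or sName is empty.
' NOTE(review): a substring match means "notepad.exe" also matches e.g.
' "mynotepad.exe", and the first hit wins when several processes share a
' name; compare the whole name if the caller needs an exact process.
Function GetProcessID(ByVal sName As String) As Long
    Const INVALID_HANDLE_VALUE As Long = -1   ' failure value of CreateToolhelp32Snapshot
    Dim hSnap As Long
    Dim pe As PROCESSENTRY32
    Dim exeName As String
    Dim nulPos As Long

    ' InStr(x, "") returns 1, so an empty pattern would "match" the very first
    ' snapshot entry and hand back an arbitrary process id.
    If Len(sName) = 0 Then Exit Function
    ' The original lower-cased only szExeFile; lower-case the pattern as well so
    ' "Notepad.exe" behaves the same as "notepad.exe".
    sName = LCase$(sName)

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hSnap = INVALID_HANDLE_VALUE Then Exit Function

    pe.dwSize = Len(pe)
    If Process32First(hSnap, pe) Then
        Do
            ' szExeFile is a fixed-length buffer; keep only the part before the
            ' NUL terminator written by the API.
            nulPos = InStr(pe.szExeFile, vbNullChar)
            If nulPos > 0 Then
                exeName = Left$(pe.szExeFile, nulPos - 1)
            Else
                exeName = pe.szExeFile
            End If
            If InStr(LCase$(exeName), sName) > 0 Then
                GetProcessID = pe.th32ProcessID
                Exit Do
            End If
        Loop While Process32Next(hSnap, pe)
    End If

    ' Single exit path closes the snapshot on both the found and not-found paths.
    CloseHandle hSnap
End Function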
'-------------------------------------
'窗体代码
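' "Hook" button: find a running notepad.exe and install the menu-popup hook on
' it.  On success the buttons flip so only "Unhook" (Command2) is enabled.
' Does nothing if notepad.exe is not running or the hook could not be set.
Private Sub Command1_Click()
    Dim IdProcess As Long

    ' The process name is a string literal; its quotes were lost in the paste.
    IdProcess = GetProcessID("notepad.exe")
    If IdProcess = 0 Then Exit Sub

    If SetHook(IdProcess) <> 0 Then
        Command1.Enabled = False
        Command2.Enabled = True
    End If
End Sub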
' "Unhook" button: remove the WinEvent hook and make "Hook" available again.
Private Sub Command2_Click()
    UnSetHook
    Command2.Enabled = False
    Command1.Enabled = True
End Sub