SSDTHOOK


#include "ntddk.h"
void PageProtectOff();
void PageProtectOn();
#pragma pack(1)
/* Local mirror of one entry of the kernel's system service descriptor table
 * (KeServiceDescriptorTable, imported below). ServiceTableBase is an array of
 * handler addresses indexed by system-call number -- DriverEntry/DriverUnload
 * overwrite and restore ServiceTableBase[224] through it -- and NumberOfServices
 * is the number of valid slots in that array.
 * NOTE(review): the layout is hand-declared for the 32-bit kernel and is not
 * taken from a header here; it must match the target Windows build exactly -- confirm. */
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()


/* Kernel symbols this driver relies on, prototyped here and resolved at link time. */

/* Resolve a PID to a referenced EPROCESS. On success the caller owns one
 * reference and must release it with ObDereferenceObject (ProtectProcess does
 * so on every path after the lookup). */
NTSTATUS
PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);
/* Undocumented export: returns the image file name recorded in the EPROCESS.
 * ProtectProcess treats the result as a NUL-terminated string and does not free it.
 * NOTE(review): this name is commonly understood to be truncated to 15 characters
 * (EPROCESS.ImageFileName) -- confirm for the target build; a longer protected
 * name would never compare equal. */
UCHAR *PsGetProcessImageFileName(PEPROCESS EProcess);
/* The kernel's service descriptor table, imported from ntoskrnl. The SSDT hook in
 * DriverEntry/DriverUnload writes ServiceTableBase[224] through this symbol. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;






/* Signature of the real NtOpenProcess, used by MyNtOpenProcess to call through
 * to the saved original entry. */
typedef NTSTATUS(*MYNTOPENPROCESS)(
OUT PHANDLE       ProcessHandle,
IN ACCESS_MASK     AccessMask,
IN POBJECT_ATTRIBUTES  ObjectAttributes,
IN PCLIENT_ID      ClientId );
/* Original SSDT entry for NtOpenProcess: saved by DriverEntry before the slot is
 * overwritten, called through by MyNtOpenProcess, written back by DriverUnload.
 * Zero (static initialisation) until the hook has been installed. */
ULONG old_openprocee;
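/* Driver unload: put the original NtOpenProcess entry back into the SSDT slot
 * that DriverEntry overwrote, so the kernel stops dispatching into this image.
 *
 * pdr: the driver object (unused).
 *
 * The slot index (224) must be the same one DriverEntry hooked; it is specific
 * to the Windows build this was written against. The write is done with CR0.WP
 * cleared via PageProtectOff()/PageProtectOn() because the table is read-only.
 */
void DriverUnload(PDRIVER_OBJECT pdr){
    LARGE_INTEGER settle;

    UNREFERENCED_PARAMETER(pdr);

    /* Only restore if the hook was actually installed. A zero saved pointer means
     * DriverEntry never saved anything, and writing 0 into the SSDT would make the
     * next NtOpenProcess call jump to address 0. */
    if (old_openprocee != 0) {
        PageProtectOff();
        KeServiceDescriptorTable.ServiceTableBase[224] = (unsigned int)old_openprocee;
        PageProtectOn();
    }

    /* A thread that read the hooked slot just before the restore may still be
     * executing inside MyNtOpenProcess. Give such threads a moment to leave before
     * the driver image is unmapped. This narrows the window but does not close it;
     * closing it needs a reference count around the hook, or the supported
     * ObRegisterCallbacks mechanism instead of an SSDT hook. */
    settle.QuadPart = -10 * 1000 * 1000;   /* 1 s, relative, in 100 ns units */
    KeDelayExecutionThread(KernelMode, FALSE, &settle);
}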


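/* CR0 and EFLAGS captured by the most recent PageProtectOff(), restored by
 * PageProtectOn(). File-scope because the pair is called with no arguments.
 * Not safe for concurrent callers; in this driver the pair is only used from
 * DriverEntry and DriverUnload, which do not run at the same time. */
static ULONG g_saved_cr0 = 0;
static ULONG g_saved_eflags = 0;

/* Clear CR0.WP (bit 16) so the read-only SSDT page can be written. 32-bit x86 only.
 *
 * EFLAGS is saved and interrupts are then disabled so the thread cannot be
 * preempted or moved to another CPU before the matching PageProtectOn(): CR0 is
 * per-processor, so WP is only cleared on the CPU that performs the write.
 * CR0 is saved as well, so PageProtectOn() restores the caller's real state
 * instead of assuming WP was set and interrupts were enabled on entry.
 */
void PageProtectOff()
{
    __asm{
        pushfd
        pop  g_saved_eflags
        cli
        mov  eax,cr0
        mov  g_saved_cr0,eax
        and  eax,not 10000h
        mov  cr0,eax
    }
}

/* Restore CR0 and EFLAGS captured by the preceding PageProtectOff(). Must run on
 * the same CPU with nothing else touching CR0 in between; the cli in
 * PageProtectOff() guarantees both for the short hooking sequence used here. */
void PageProtectOn()
{
    __asm{
        mov  eax,g_saved_cr0
        mov  cr0,eax
        push g_saved_eflags
        popfd
    }
}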
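/* ASCII case-insensitive equality of two NUL-terminated names. Image file names
 * on Windows are case-insensitive, so "Calc.exe" must be treated as "calc.exe";
 * the original strcmp() let a differently-cased name slip past the protection. */
static BOOLEAN image_name_equals(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        unsigned char ca = (unsigned char)*a;
        unsigned char cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca = (unsigned char)(ca - 'A' + 'a');
        if (cb >= 'A' && cb <= 'Z') cb = (unsigned char)(cb - 'A' + 'a');
        if (ca != cb) return FALSE;
        a++;
        b++;
    }
    return (BOOLEAN)(*a == *b);   /* TRUE only if both ended together */
}

/* Decide whether ProcessId refers to the process this driver protects.
 *
 * ProcessId:          PID as carried in CLIENT_ID.UniqueProcess.
 * str_ProtectObjName: kernel-resident, NUL-terminated image name to match
 *                     (e.g. "calc.exe").
 * Returns TRUE when the process exists and its image name equals
 * str_ProtectObjName (ASCII case-insensitive); FALSE otherwise, including on
 * any lookup failure.
 *
 * The EPROCESS reference taken by PsLookupProcessByProcessId is released on
 * every path after the lookup.
 */
BOOLEAN ProtectProcess(HANDLE ProcessId,char *str_ProtectObjName)
{
    NTSTATUS status;
    PEPROCESS process_obj = NULL;
    const UCHAR *image_name;
    BOOLEAN matched;

    /* MmIsAddressValid only reports that the page is currently present; it is not
     * a security check. It is kept because the only caller passes a kernel literal. */
    if (str_ProtectObjName == NULL || !MmIsAddressValid(str_ProtectObjName)) {
        return FALSE;
    }
    if (ProcessId == 0) {
        return FALSE;
    }

    status = PsLookupProcessByProcessId(ProcessId, &process_obj);
    if (!NT_SUCCESS(status) || process_obj == NULL) {
        return FALSE;
    }

    /* NOTE(review): PsGetProcessImageFileName is undocumented and the name it
     * returns is believed to be the short (15-character) EPROCESS image name --
     * confirm; a protected name longer than that would never compare equal. */
    image_name = PsGetProcessImageFileName(process_obj);
    matched = (BOOLEAN)(image_name != NULL &&
                        image_name_equals((const char *)image_name, str_ProtectObjName));

    ObDereferenceObject(process_obj);
    return matched;
}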


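/* Replacement for NtOpenProcess installed in the SSDT by DriverEntry.
 *
 * Parameters match the real NtOpenProcess; ClientId is optional and, when the
 * caller is user mode, points into user memory.
 * Returns STATUS_UNSUCCESSFUL when ClientId names the protected process
 * ("calc.exe"), the exception code when a user-mode ClientId pointer cannot be
 * read, and otherwise whatever the original NtOpenProcess returns.
 *
 * Security notes:
 *  - The original code dereferenced ClientId unconditionally. It is declared
 *    __in_opt, so a NULL from any caller was a kernel NULL dereference, and a
 *    bad pointer from a user-mode caller was a kernel-mode read of attacker-
 *    chosen memory. The PID is now read once, under ProbeForRead/__try when the
 *    previous mode is user.
 *  - This remains a double fetch: the real NtOpenProcess re-reads ClientId from
 *    user memory, so a racing user thread can swap the PID after this check.
 *    An SSDT hook cannot close that; ObRegisterCallbacks (handle-operation
 *    callbacks) is the supported way to protect a process from being opened.
 */
NTSTATUS MyNtOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
    HANDLE pid = NULL;

    if (ClientId != NULL) {
        if (ExGetPreviousMode() != KernelMode) {
            /* User-mode caller: the pointer is untrusted and may be unmapped,
             * misaligned or a kernel address. Probe and copy under SEH. */
            __try {
                ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG_PTR));
                pid = ClientId->UniqueProcess;
            } __except (EXCEPTION_EXECUTE_HANDLER) {
                return GetExceptionCode();
            }
        } else {
            pid = ClientId->UniqueProcess;
        }
    }

    if (pid != NULL && ProtectProcess(pid, "calc.exe")) {
        /* Kept as STATUS_UNSUCCESSFUL for compatibility with the original;
         * STATUS_ACCESS_DENIED would be the conventional code for a refused open. */
        return STATUS_UNSUCCESSFUL;
    }

    return ((MYNTOPENPROCESS)old_openprocee)(ProcessHandle,
                                             DesiredAccess,
                                             ObjectAttributes,
                                             ClientId);
}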


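/* Driver entry point: install MyNtOpenProcess in place of NtOpenProcess in the SSDT.
 *
 * DriverObject: receives the unload routine once the hook is live.
 * preg:         registry path (unused).
 * Returns STATUS_SUCCESS when the hook is installed, or STATUS_UNSUCCESSFUL
 * (nothing modified, no unload routine set) when the index is outside the table.
 *
 * NOTE(review): the slot index is specific to one Windows build -- the SSDT
 * layout changes between versions and service packs -- so loading this on a
 * different build would hook an unrelated system call. Confirm 224 against the
 * target before loading. The bounds check below only guards against writing
 * past the end of the table, not against hooking the wrong call.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject ,PUNICODE_STRING preg){
    enum { NTOPENPROCESS_SSDT_INDEX = 224 };

    UNREFERENCED_PARAMETER(preg);

    KdPrint(("MY first driver!"));

    /* Never write past the table: on a build with fewer services this would
     * corrupt kernel memory rather than install a hook. */
    if (NTOPENPROCESS_SSDT_INDEX >= KeServiceDescriptorTable.NumberOfServices) {
        KdPrint(("SSDT index out of range; hook not installed\n"));
        return STATUS_UNSUCCESSFUL;
    }

    /* Save the original entry before overwriting it; DriverUnload writes it back
     * and MyNtOpenProcess calls through it. Done with CR0.WP cleared because the
     * table is on read-only pages. */
    PageProtectOff();
    old_openprocee = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NTOPENPROCESS_SSDT_INDEX];
    KeServiceDescriptorTable.ServiceTableBase[NTOPENPROCESS_SSDT_INDEX] = (unsigned int)MyNtOpenProcess;
    PageProtectOn();

    /* Set only after the hook is in, so an unload always has something valid to restore. */
    DriverObject->DriverUnload = DriverUnload;

    return STATUS_SUCCESS;
}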
途中遇到的问题很多。比如编译驱动的时候，项目配置受了误导，编译器把驱动生成成了应用层的 EXE 文件，今天才发现。还有，引用 KeServiceDescriptorTable 这个导出符号的时候，如果源文件是按 C++ 编译的（.cpp 结尾），声明前一定要加 extern "C"，否则链接不到；把文件名改成 .c 也可以解决。创建项目一定要选择空项目。