HOOK SSDT

作者: 游戏逆向 | 来源:发表于2020-09-04 22:01 被阅读0次

HOOK SSDT主要代码:

#pragma once
#include <ntifs.h>


/*
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *                                                                                 *                                                                                *
 * 更多游戏逆向视频www.yxfzedu.com                                                 *
 *                                                                                 *
 * 有任何问题请发邮件至service@yxfzedu.com                                         *
 *                                                                                 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 */
#pragma pack(1)     // Layout of one System Service Descriptor Table (SSDT) descriptor; packed so the compiler inserts no padding
typedef struct ServiceDescriptorEntry {
    unsigned int* ServiceTableBase;        // service table; this file reads/writes its entries as absolute routine addresses (see HookOpenProcess)
    unsigned int* ServiceCounterTableBase; // Used only in checked build
    unsigned int NumberOfServices;         // number of entries in ServiceTableBase
    unsigned char* ParamTableBase;         // presumably the per-service argument-size table; not used in this file
} ServiceDescriptorTableEntry_t, * PServiceDescriptorTableEntry_t;
#pragma pack()

// Signature of the original NtOpenProcess; MyNtOpenProcess calls through the saved entry with this type.
typedef NTSTATUS (*pNtOpenProcess)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);
// Original SSDT entry, saved by HookOpenProcess and written back by UnHook. Static storage, so it starts at 0;
// NOTE(review): UnHook called before HookOpenProcess therefore writes 0 into the table.
ULONG g_OpenProcess;


// The kernel's exported SSDT descriptor. Overwriting its entries is the classic "SSDT hook";
// integrity checks that compare each entry against the kernel image's address range flag it.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
//恢复内存保护
// Restore kernel write protection: set CR0.WP (bit 16, mask 0x10000), then re-enable interrupts.
// Counterpart of PageProtectOFF. x86 MSVC inline assembly, so 32-bit builds only.
// NOTE(review): `sti` is unconditional, so interrupts are enabled here even if they were already
// disabled before PageProtectOFF ran; and cli/sti/CR0 only affect the current processor.
VOID PageProtectOn() {
    
    __asm {
        mov eax, cr0;
        or eax, 0x10000;    // set WP
        mov cr0, eax;
        sti;// re-enable interrupts
    }
}
//去掉内存保护
// Lift kernel write protection: disable interrupts on this CPU, then clear CR0.WP (bit 16).
// Must be paired with PageProtectOn. x86 MSVC inline assembly, so 32-bit builds only.
// NOTE(review): only the current processor is affected; other processors keep WP set and keep running.
VOID PageProtectOFF() {

    __asm {
        cli;// disable interrupts to prevent a thread switch while WP is off
        mov eax, cr0;
        and eax,not 0x10000;    // clear WP
        mov cr0, eax;
    }
}

//
// Heuristic: find the byte offset of the image-name field inside EPROCESS by scanning the
// current process object for the prefix "explo". It only yields a result when the caller runs in
// the context of a process whose name starts with that prefix (e.g. explorer.exe).
// Returns the offset, or 0 when no match occurs in the first 4096 bytes.
// NOTE(review): 0 is also a legal offset, so "not found" is ambiguous; and the scan reads up to
// 4096 bytes past the EPROCESS base without knowing the object's real size.
// Not called anywhere in this listing (only from commented-out code in MyNtOpenProcess).
ULONG GetProcessNameOffset()
{
    static const char kPrefix[] = "explo";
    PCHAR base = (PCHAR)PsGetCurrentProcess();

    ULONG offset = 0;
    while (offset < 4096) {
        if (strncmp(kPrefix, base + offset, sizeof(kPrefix) - 1) == 0) {
            return offset;
        }
        offset++;
    }
    return 0;
}

// Returns TRUE when the *current* process's image name, read at hard-coded EPROCESS offset 0x16c,
// contains "TraceMe"; FALSE for PID 0, when the PID lookup fails, or when there is no match.
// ProcessId only drives the lookup: the looked-up object is referenced and released but never
// inspected, so the result does not depend on which process ProcessId names.
// NOTE(review): that is probably unintended — the name check presumably belongs on `lookedUp`.
// Offset 0x16c is build-specific (it must be the ImageFileName offset of the running kernel's
// EPROCESS) and the field is assumed to be NUL-terminated.
// Not called anywhere in this listing.
BOOLEAN ProtectProcess(HANDLE ProcessId) {
    if (ProcessId == 0) {
        return FALSE;
    }

    PEPROCESS lookedUp = NULL;
    if (PsLookupProcessByProcessId(ProcessId, &lookedUp) != STATUS_SUCCESS) {
        KdPrint(("yxfzedu:根据PID获取进程对象失败 \n"));
        return FALSE;
    }

    // Inspects the caller's own process, not lookedUp (see note above).
    char* currentName = (char*)PsGetCurrentProcess() + 0x16c;
    KdPrint(("yxfzedu %s \n", (UCHAR*)currentName));
    BOOLEAN matched = (strstr(currentName, "TraceMe") != 0) ? TRUE : FALSE;

    ObDereferenceObject(lookedUp);   // release the reference taken by the lookup on every success path
    return matched;
}

// Replacement SSDT entry for NtOpenProcess (installed by HookOpenProcess).
// Logs the call, fails with STATUS_UNSUCCESSFUL when ClientId->UniqueProcess equals the hard-coded
// PID 4088, and otherwise forwards the unchanged arguments to the original routine saved in
// g_OpenProcess, returning its status.
// NOTE(review): ClientId is OPTIONAL and, for a call from user mode, a user-supplied pointer; it is
// dereferenced here with no NULL check and no probing, so a NULL or invalid ClientId faults in
// kernel mode.
// NOTE(review): 4088 is a PID from the author's session, not a stable identifier.
NTSTATUS MyNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL) {
    const HANDLE blockedPid = (HANDLE)4088;

    KdPrint(("yxfzedu: 进入到了MyNtOpenProcess! \n"));
    KdPrint(("yxfzedu: ClientId->UniqueProcess=%d \n", ClientId->UniqueProcess));

    if (ClientId->UniqueProcess == blockedPid) {
        return STATUS_UNSUCCESSFUL;
    }

    // Call through to the original NtOpenProcess.
    pNtOpenProcess original = (pNtOpenProcess)g_OpenProcess;
    return original(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}



// Install MyNtOpenProcess at SSDT index 190, saving the original entry in g_OpenProcess.
// Write protection is lifted only around the two table accesses.
// The index is build-specific: it must be the NtOpenProcess service number of the running kernel,
// and it must match the index used by UnHook. The ULONG cast of a function address and the inline
// assembly in PageProtectOFF/On make this 32-bit only.
// Always returns STATUS_SUCCESS.
NTSTATUS HookOpenProcess() {
    unsigned int* slot = &KeServiceDescriptorTable.ServiceTableBase[190];

    PageProtectOFF();
    g_OpenProcess = *slot;
    *slot = (ULONG)MyNtOpenProcess;
    PageProtectOn();

    return STATUS_SUCCESS;
}


// Write g_OpenProcess (the entry saved by HookOpenProcess) back into SSDT index 190 and log it.
// The index must stay in sync with HookOpenProcess.
// NOTE(review): if HookOpenProcess never ran, g_OpenProcess is still 0 and a null entry is written.
VOID UnHook() {
    unsigned int* slot = &KeServiceDescriptorTable.ServiceTableBase[190];

    PageProtectOFF();
    *slot = g_OpenProcess;
    PageProtectOn();

    KdPrint(("yxfzedu:HookOpenProcess 以还原!"));
}

