针对 NtOpenProcess服务函数HOOK SSDT示例代码,保护记事本进程
来源:互联网 发布:java游戏编程pdf 编辑:程序博客网 时间:2024/06/05 16:16
#include <ntddk.h>
//////////////////////////////////////////////////////////////////////////
//函数声明
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath);
VOID Unload(PDRIVER_OBJECT pDriverObject);
NTSTATUS MyNtOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES pObjatt,
IN PCLIENT_ID Client);
NTSTATUS PsLookupProcessByProcessId(IN HANDLE ProcessId,
OUT PEPROCESS *Process);
PUCHAR PsGetProcessImageFileName(IN PEPROCESS process);
//////////////////////////////////////////////////////////////////////////
//结构体声明
typedef struct _SystemServiceDescriptorTable
{
PULONG ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfService;
PULONG ParamTableBase;
}SystemServiceDescriptorTable,*PSystemServiceDescriptorTable;
extern PSystemServiceDescriptorTable KeServiceDescriptorTable;
typedef NTSTATUS (*NTOPENPROCESS)(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES pObjatt,
IN PCLIENT_ID Client);
NTOPENPROCESS RealOpenProcess;
//////////////////////////////////////////////////////////////////////////
#pragma code_seg("INIT")
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
NTSTATUS status = STATUS_SUCCESS;
//**********************************************************
//Hook SSDT
//**********************************************************
PULONG Address;
PULONG HookPoint;
_asm
{
pushad
mov ebx,KeServiceDescriptorTable;这里获取到SSDT服务的首地址
mov ebx,[ebx];将SSDT首地址值放入EBX寄存器中
mov eax,0x7a;我们知道在XP系统中122号SSDT索引号为NtOpenProcess函数地址
shl eax,2;左移两位表示EAX值乘以4
add ebx,eax;在SSDT基址的基础上加上偏移值就是NtOpenProcess的地址值勤
mov HookPoint,ebx;将获取到的地址值赋值给HookPoint指针变量
mov edx,[ebx];将NOpenProcess函数地址值放入EDX寄存器
mov Address,edx;将NOpenProcess函数地址值赋值给Address指针变量
popad
}
RealOpenProcess = (NTOPENPROCESS)(Address);//这里将真实的NOpenProcess函数地址值备份保存下来
DbgPrint("Address of Real NtOpenProcess:0x%08x\n",(Address));
DbgPrint("Address of Fake NtOpenProcess:0x%08x\n",MyNtOpenProcess);
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
*HookPoint = (ULONG)MyNtOpenProcess;//将真实的NtOpenProcess地址值替换成我们自定义函数的地址值,实现HOOK
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
pDriverObject->DriverUnload = Unload;//卸载例程
return status;
}
#pragma code_seg("PAGE")
VOID Unload(PDRIVER_OBJECT pDriverObject)
_asm
{
pushad
mov ebx,KeServiceDescriptorTable
mov ebx,[ebx]
mov eax,0x7a
shl eax,2
add ebx,eax
mov HookPoint,ebx
popad
}
_asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
*HookPoint = (ULONG)RealOpenProcess;
_asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
return;
}
NTSTATUS MyNtOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES pObjatt,
IN PCLIENT_ID Client)
PEPROCESS lpPEPROCESS;
PUCHAR ProcessName;
status = PsLookupProcessByProcessId(Client->UniqueProcess,&lpPEPROCESS);
if (NT_SUCCESS(status))
{
ProcessName = _strupr((PCHAR)PsGetProcessImageFileName(lpPEPROCESS));
if (strcmp(ProcessName,"NOTEPAD.EXE") == 0)
{
return STATUS_ACCESS_DENIED;
}
}
status = RealOpenProcess(ProcessHandle,AccessMask,pObjatt,Client);
return status;
}
//////////////////////////////////////////////////////////////////////////
//函数声明
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath);
VOID Unload(PDRIVER_OBJECT pDriverObject);
NTSTATUS MyNtOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES pObjatt,
IN PCLIENT_ID Client);
NTSTATUS PsLookupProcessByProcessId(IN HANDLE ProcessId,
OUT PEPROCESS *Process);
PUCHAR PsGetProcessImageFileName(IN PEPROCESS process);
//////////////////////////////////////////////////////////////////////////
//结构体声明
typedef struct _SystemServiceDescriptorTable
{
PULONG ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfService;
PULONG ParamTableBase;
}SystemServiceDescriptorTable,*PSystemServiceDescriptorTable;
extern PSystemServiceDescriptorTable KeServiceDescriptorTable;
typedef NTSTATUS (*NTOPENPROCESS)(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES pObjatt,
IN PCLIENT_ID Client);
NTOPENPROCESS RealOpenProcess;
//////////////////////////////////////////////////////////////////////////
#pragma code_seg("INIT")
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
NTSTATUS status = STATUS_SUCCESS;
//**********************************************************
//Hook SSDT
//**********************************************************
PULONG Address;
PULONG HookPoint;
_asm
{
pushad
mov ebx,KeServiceDescriptorTable;这里获取到SSDT服务的首地址
mov ebx,[ebx];将SSDT首地址值放入EBX寄存器中
mov eax,0x7a;我们知道在XP系统中122号SSDT索引号为NtOpenProcess函数地址
shl eax,2;左移两位表示EAX值乘以4
add ebx,eax;在SSDT基址的基础上加上偏移值就是NtOpenProcess的地址值勤
mov HookPoint,ebx;将获取到的地址值赋值给HookPoint指针变量
mov edx,[ebx];将NOpenProcess函数地址值放入EDX寄存器
mov Address,edx;将NOpenProcess函数地址值赋值给Address指针变量
popad
}
RealOpenProcess = (NTOPENPROCESS)(Address);//这里将真实的NOpenProcess函数地址值备份保存下来
DbgPrint("Address of Real NtOpenProcess:0x%08x\n",(Address));
DbgPrint("Address of Fake NtOpenProcess:0x%08x\n",MyNtOpenProcess);
//关中断,并关闭页保护属性
_asm
{cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
*HookPoint = (ULONG)MyNtOpenProcess;//将真实的NtOpenProcess地址值替换成我们自定义函数的地址值,实现HOOK
//打开中断,并恢复页保据属性
_asm
{mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
pDriverObject->DriverUnload = Unload;//卸载例程
return status;
}
#pragma code_seg("PAGE")
VOID Unload(PDRIVER_OBJECT pDriverObject)
{
//没什么好说的,功能就是卸载时将SSDT中的NtOpenProcess地址值恢复回去,与上面的一样*HookPoint = (ULONG)RealOpenProcess;只不过 //这句是将真实的SSDT中的NtOpenProcess地址恢复回去
PULONG HookPoint;_asm
{
pushad
mov ebx,KeServiceDescriptorTable
mov ebx,[ebx]
mov eax,0x7a
shl eax,2
add ebx,eax
mov HookPoint,ebx
popad
}
_asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
*HookPoint = (ULONG)RealOpenProcess;
_asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
return;
}
NTSTATUS MyNtOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES pObjatt,
IN PCLIENT_ID Client)
{
//HOOK到以后就可以做我们自己想做的事情了
NTSTATUS status = STATUS_SUCCESS;PEPROCESS lpPEPROCESS;
PUCHAR ProcessName;
status = PsLookupProcessByProcessId(Client->UniqueProcess,&lpPEPROCESS);
if (NT_SUCCESS(status))
{
ProcessName = _strupr((PCHAR)PsGetProcessImageFileName(lpPEPROCESS));
if (strcmp(ProcessName,"NOTEPAD.EXE") == 0)
{
return STATUS_ACCESS_DENIED;
}
}
status = RealOpenProcess(ProcessHandle,AccessMask,pObjatt,Client);
return status;
}
- 针对 NtOpenProcess服务函数HOOK SSDT示例代码,保护记事本进程
- HOOK SSDT NtOpenProcess 保护进程
- SSDT HOOK,通过hook NtOpenProcess达到保护制定进程效果
- 汇编与驱动-采用SSDT Hook NtOpenProcess保护进程
- HOOK NtOpenProcess 保护指定进程
- Hook SSDT NtOpenProcess的完整代码
- Hook SSDT NtOpenProcess的完整代码
- Hook SSDT NtOpenProcess的完整代码
- SSDT HOOK实现进程保护
- 利用HOOK保护记事本进程
- 驱动笔记:SSDT HOOK实现进程保护
- SSDT HOOK驱动开发(2):进程保护
- SSDT HOOK驱动开发(2):进程保护
- 进程隐藏与进程保护(SSDT Hook 实现)
- 进程隐藏与进程保护(SSDT HOOK 实现)
- 进程隐藏与进程保护(SSDT Hook 实现)
- 进程隐藏与进程保护(SSDT Hook 实现)
- SSDT HOOK 保护文件
- python 中的字符串操作
- js原型、继承
- windows内核访问控制机制
- Linux下给挂载U盘或者SD卡
- 50个必备的实用jQuery代码段
- 针对 NtOpenProcess服务函数HOOK SSDT示例代码,保护记事本进程
- 在eclipse中发布项目的方法
- ios网络编程
- git使用
- keyword 汇总
- jquery操作iframe
- 宿主机为linux、windows分别实现VMware三种方式上网
- Robot Framework测试框架学习笔记
- 守护(daemon)线程