HOOK SSDT 主要代码 — main driver code for hooking NtOpenProcess through the SSDT (32-bit x86 kernel)

#pragma once
#include <ntifs.h> /*
*/
#pragma pack(1) // SSDT descriptor layout: packed so no padding is inserted between members
/*
 * One entry of the kernel's service descriptor table (the SSDT header).
 * This is the 32-bit x86 layout: four 4-byte members, matching the exported
 * KeServiceDescriptorTable symbol this file imports below and the `(ULONG)`
 * casts used when writing function addresses into ServiceTableBase.
 *
 * NOTE(review): not valid for 64-bit kernels (pointer width and the encoding
 * of ServiceTableBase differ there) — confirm the target is x86 only.
 */
typedef struct ServiceDescriptorEntry {
    unsigned int* ServiceTableBase;         // array of system-service entry points, indexed by syscall number
    unsigned int* ServiceCounterTableBase;  // per-service call counters; used only in checked builds
    unsigned int NumberOfServices;          // number of entries in ServiceTableBase
    unsigned char* ParamTableBase;          // per-service argument-size table (not used in this file)
} ServiceDescriptorTableEntry_t, * PServiceDescriptorTableEntry_t;
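#pragma pack() // restore default struct packing after the SSDT descriptor above

/*
 * Prototype of the native NtOpenProcess system service, used to call the
 * original entry point saved in g_OpenProcess from the hook.
 *
 * Parameters are exactly those of NtOpenProcess: ProcessHandle receives the
 * opened handle, DesiredAccess is the requested access mask, ObjectAttributes
 * and the optional ClientId identify the target process. Returns the
 * service's NTSTATUS.
 *
 * NTAPI (__stdcall on x86) is stated explicitly: the kernel's NtOpenProcess is
 * stdcall, and calling it through a pointer with a different convention leaves
 * the stack unbalanced. Without it the convention depends on the compiler's
 * default (the WDK's /Gz switch), which is easy to lose in a different build setup.
 */
typedef NTSTATUS (NTAPI *pNtOpenProcess)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);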
// SSDT header exported by the (32-bit x86) kernel; layout per ServiceDescriptorTableEntry_t above.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Original NtOpenProcess entry point: saved by HookOpenProcess(), called from
// MyNtOpenProcess() and written back by UnHook(). Held as a ULONG because the
// 32-bit SSDT slots store plain addresses.
ULONG g_OpenProcess;
// Re-enable kernel write protection (restore the memory protection cleared by PageProtectOFF)
VOID PageProtectOn() {
    /*
     * Re-enable kernel write protection after an SSDT write: set CR0.WP
     * (bit 16 = 0x10000) and re-enable interrupts. Pairs with PageProtectOFF().
     *
     * NOTE(review): `sti` re-enables interrupts unconditionally. PageProtectOFF()
     * does not save the interrupt state, so if interrupts were already disabled
     * when it was entered this changes them; pushfd/popfd around the pair would
     * preserve the caller's state. cli/sti and CR0 are per-processor: other CPUs
     * keep running and keep their own WP bit, so this is not a lock.
     * MSVC x86 inline assembly; does not build for x64.
     */
    __asm {
        mov eax, cr0;
        or eax, 0x10000;   // CR0.WP = 1
        mov cr0, eax;
        sti;               // re-enable interrupts (disabled by PageProtectOFF)
    }
}
// Disable kernel write protection so the read-only SSDT page can be patched
VOID PageProtectOFF() {
    /*
     * Disable kernel write protection so the read-only SSDT page can be
     * patched: disable interrupts, then clear CR0.WP (bit 16). Pairs with
     * PageProtectOn().
     *
     * NOTE(review): cli and CR0 are per-processor. Interrupts are off only on
     * this CPU and only this CPU's WP bit is cleared; other processors keep
     * running and are not affected. The interrupt state is not saved, so
     * PageProtectOn()'s sti cannot restore it. The usual alternative that
     * avoids touching CR0 is mapping the slot writable through an MDL
     * (MmMapLockedPagesSpecifyCache / MmProtectMdlSystemAddress).
     * MSVC x86 inline assembly; does not build for x64.
     */
    __asm {
        cli;                  // no thread switch on this CPU while WP is off
        mov eax, cr0;
        and eax,not 0x10000;  // CR0.WP = 0
        mov cr0, eax;
    }
}
/*
 * Locate the image-file-name field inside EPROCESS by scanning the current
 * process's EPROCESS byte by byte for the prefix "explo" (explorer.exe).
 * Returns the offset of the first match, or the fallback value when nothing
 * matches. Only gives a meaningful answer when executed in the context of
 * explorer.exe.
 *
 * NOTE(review): the numeric literals of the loop bounds and of the final
 * return were lost when this listing was extracted. The upper bound must stay
 * inside the EPROCESS object, otherwise strncmp reads past it. Nothing in this
 * listing calls this helper except commented-out code in MyNtOpenProcess.
 */
ULONG GetProcessNameOffset()
{
    PEPROCESS curproc;
    ULONG procNameOffset;
    // EPROCESS of the process we are currently executing in
    curproc = PsGetCurrentProcess();
    for (int i = ; i < ; i++)
    {
        // compare 5 bytes at each candidate offset
        if (!strncmp("explo", (PCHAR)curproc + i, strlen("explo")))
        {
            procNameOffset = i;
            return procNameOffset;
        }
    }
    return ;
}

/*
 * Decide whether the *calling* process is the one to protect.
 *
 * ProcessId is resolved to an EPROCESS only to take and drop a reference; the
 * verdict is based on the current process's name read at the fixed offset
 * 0x16c (apparently ImageFileName on the 32-bit kernel this was written for —
 * confirm for the target build). Returns TRUE when that name contains
 * "TraceMe", FALSE otherwise or when the PID lookup fails.
 *
 * NOTE(review): because PsGetCurrentProcess() is used instead of Process, the
 * ProcessId argument has no influence on the result. The 0x16c offset is
 * version-specific; PsGetProcessImageFileName() or the offset found by
 * GetProcessNameOffset() avoids the hard-coded value. strstr on the 16-byte
 * name field assumes it is NUL-terminated. Nothing in this listing calls this
 * function.
 */
BOOLEAN ProtectProcess(HANDLE ProcessId) {
    PEPROCESS Process;
    // NOTE(review): the page extraction merged the `if (ProcessId == ...) {`
    // guard onto the comment line below and dropped its literal; the guard
    // belongs on its own line, otherwise the `return FALSE;` that follows
    // ends the function unconditionally.
    //HANDLE ProcessId = 100; if (ProcessId == ) {
    return FALSE;
    }
    NTSTATUS ProcessByProcessIdStatus = PsLookupProcessByProcessId(ProcessId, &Process);
    if (ProcessByProcessIdStatus != STATUS_SUCCESS)
    {
        KdPrint(("yxfzedu:根据PID获取进程对象失败 \n"));   // failed to get the process object for the PID
        return FALSE;
    }
    // Name of the process making the call (not of ProcessId), read at the hard-coded offset
    PEPROCESS pEprocess = PsGetCurrentProcess();
    KdPrint(("yxfzedu %s \n", (UCHAR*)pEprocess + 0x16c));
    // NOTE(review): the right-hand side of this comparison was lost in extraction
    // (strstr returns NULL when there is no match)
    if(strstr((char*)pEprocess + 0x16c,"TraceMe")!=){
        ObDereferenceObject(Process);   // balance the reference taken by PsLookupProcessByProcessId
        return TRUE;
    }
    ObDereferenceObject(Process);
    return FALSE;
}

/*
 * Replacement for the NtOpenProcess SSDT entry. Logs every call, refuses opens
 * of one hard-coded PID with STATUS_UNSUCCESSFUL, and forwards everything else
 * to the original service saved in g_OpenProcess.
 *
 * Parameters are those of NtOpenProcess; ClientId is OPTIONAL (a caller may
 * identify the target through ObjectAttributes->ObjectName instead).
 *
 * NOTE(review), security:
 *  - ClientId is dereferenced unconditionally. A NULL ClientId is a legitimate
 *    call, and for a user-mode caller the pointer is fully attacker-controlled
 *    (the native service probes it under __try/__except before reading it).
 *    As written, NULL or an invalid pointer from any unprivileged process
 *    crashes the kernel. Guard with `if (ClientId == NULL)` → forward to the
 *    original, and read the struct only after ProbeForRead() (when
 *    ExGetPreviousMode() == UserMode) inside __try/__except.
 *  - The PID literal after `(HANDLE)` was lost in extraction; the policy is a
 *    single hard-coded PID, so it presumably has to be rebuilt whenever the
 *    protected process is restarted.
 *  - `%d` is used to print a HANDLE; `%p` is the matching specifier.
 *  - STATUS_ACCESS_DENIED would describe the refusal better than STATUS_UNSUCCESSFUL.
 *  - No explicit NTAPI: the service dispatcher expects stdcall, so this relies
 *    on the build's default calling convention (/Gz).
 */
NTSTATUS MyNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL) {
    KdPrint(("yxfzedu: 进入到了MyNtOpenProcess! \n"));   // entered the hook
    KdPrint(("yxfzedu: ClientId->UniqueProcess=%d \n", ClientId->UniqueProcess));
    // Refuse to open the protected PID (the literal was lost in extraction)
    if (ClientId->UniqueProcess == (HANDLE))
    {
        return STATUS_UNSUCCESSFUL;
    }
    // Disabled experiments: probing the EPROCESS name offset and printing the caller's name.
    /*ULONG offse= GetProcessNameOffset();
    KdPrint(("yxfzedu:%d\n",offse));*/
    //PEPROCESS pEprocess = PsGetCurrentProcess();
    //KdPrint(("yxfzedu %s \n", (UCHAR*)pEprocess + 0x16c));
    // Everything else goes to the original NtOpenProcess
    NTSTATUS status = ((pNtOpenProcess)g_OpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes,ClientId);
    return status;
}

/*
 * Install the hook: save the current NtOpenProcess entry from the SSDT into
 * g_OpenProcess and overwrite the slot with MyNtOpenProcess, with CR0.WP
 * cleared around the write. Always returns STATUS_SUCCESS.
 *
 * NOTE(review):
 *  - The SSDT index in `ServiceTableBase[]` was lost in extraction. The index
 *    of NtOpenProcess differs between Windows versions, so a hard-coded index
 *    ties the driver to one build.
 *  - Not idempotent: a second call saves MyNtOpenProcess itself into
 *    g_OpenProcess, after which the hook calls itself forever and UnHook()
 *    "restores" the hook. Guard with
 *    `if (KeServiceDescriptorTable.ServiceTableBase[idx] == (ULONG)MyNtOpenProcess) return STATUS_SUCCESS;`.
 *  - The slot is swapped with a plain store; InterlockedExchange() on the slot
 *    makes the publication to other processors explicit (cli only stops this one).
 *  - KeServiceDescriptorTable is only exported by 32-bit kernels; this
 *    technique does not carry over to x64.
 */
NTSTATUS HookOpenProcess() {
    PageProtectOFF();
    g_OpenProcess = KeServiceDescriptorTable.ServiceTableBase[];
    KeServiceDescriptorTable.ServiceTableBase[] = (ULONG)MyNtOpenProcess;
    PageProtectOn();
    // Debug aid (disabled): dump every SSDT entry with its index.
    /*for (unsigned int i = 0; i < KeServiceDescriptorTable.NumberOfServices; i++)
    {
        KdPrint(("yxfzedu: 索引号【%d】函数地址=%X \n",i, KeServiceDescriptorTable.ServiceTableBase[i]));
    }*/
    return STATUS_SUCCESS;
}

/*
 * Remove the hook: write the saved original entry back into the SSDT slot
 * (same index as in HookOpenProcess; lost in extraction) and log it.
 *
 * NOTE(review): restoring the slot does not wait for threads that are still
 * executing inside MyNtOpenProcess; unloading the driver right after this
 * leaves them running in unmapped code. Keep an in-flight counter (or delay)
 * before DriverUnload completes. If HookOpenProcess() was never called,
 * g_OpenProcess is still 0 and this writes a NULL entry into the SSDT.
 */
VOID UnHook() {
    PageProtectOFF();
    KeServiceDescriptorTable.ServiceTableBase[] = g_OpenProcess;
    PageProtectOn();
    KdPrint(("yxfzedu:HookOpenProcess 以还原!"));   // hook restored
}
