乡下佬 发表于 2017-6-3 11:06:32

SSDTHOOK


#include "ntddk.h"
void PageProtectOff();
void PageProtectOn();
#pragma pack(1)
/*
 * Local mirror of the kernel's service descriptor table entry, so the
 * exported KeServiceDescriptorTable symbol can be read and written below.
 * Only ServiceTableBase is used in this file (DriverEntry/DriverUnload);
 * the remaining fields are carried for layout only and their meaning is
 * whatever the names suggest — not verified here.
 * Packed to 1 byte so the struct matches the kernel's layout. The
 * 'unsigned int'/ULONG casts of pointers elsewhere in the file imply a
 * 32-bit build; this mirror is not valid for 64-bit kernels.
 */
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;        /* system-service address table (patched below) */
unsigned int *ServiceCounterTableBase; /* unused in this file */
unsigned int NumberOfServices;         /* unused in this file */
unsigned char *ParamTableBase;         /* unused in this file */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()


/*
 * Kernel exports used below that are not declared by the ntddk.h this
 * file includes, hence the local prototypes.
 */
NTSTATUS
PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process   /* on success holds a referenced EPROCESS; ProtectProcess releases it with ObDereferenceObject */
);
/* Image file name kept in the EPROCESS; compared byte-for-byte with strcmp in ProtectProcess. */
UCHAR *PsGetProcessImageFileName(PEPROCESS EProcess);
/* The kernel's exported SSDT descriptor: patched in DriverEntry, restored in DriverUnload. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;






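/*
 * Signature of the original NtOpenProcess service; MyNtOpenProcess casts the
 * saved address in old_openprocee to this type to call through to it.
 * The posted listing had "POBJECT_ATTRIBUTESObjectAttributes" with the
 * separating space lost, which does not compile; restored here.
 */
typedef NTSTATUS(*MYNTOPENPROCESS)(
OUT PHANDLE       ProcessHandle,
IN ACCESS_MASK   AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID      ClientId );
/* Original service address saved by DriverEntry and written back by DriverUnload. */
ULONG old_openprocee;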
/*
 * Unload routine: writes the saved original service address back into the
 * SSDT with CR0 write protection cleared around the store. pdr is unused.
 *
 * NOTE(review): as posted, the store below replaces ServiceTableBase itself
 * (the table's base pointer) rather than one entry of the table, and
 * DriverEntry does the same; the value stored is also an integer assigned
 * to a pointer field. A subscript of the form
 * ServiceTableBase[<NtOpenProcess service index — not on this page>]
 * appears to have been lost when the listing was posted (the same post also
 * dropped spaces inside identifiers). Confirm against the original source
 * before building; as written this would corrupt the table pointer.
 */
void DriverUnload(PDRIVER_OBJECT pdr){
PageProtectOff();

KeServiceDescriptorTable.ServiceTableBase=(unsigned int)old_openprocee;


PageProtectOn();


}


/*
 * Clears CR0.WP (bit 16 — the 10000h mask below) so that kernel-mode writes
 * to read-only pages, here the SSDT, are not trapped. Interrupts are
 * disabled with cli first and stay disabled until PageProtectOn runs.
 *
 * NOTE(review): cli affects only the processor this code runs on, and
 * everything between this call and PageProtectOn executes with interrupts
 * off; neither point is handled here — confirm this is acceptable for the
 * target (single-processor assumption).
 */
void PageProtectOff()
{
__asm{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
}
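/*
 * Restores CR0.WP (bit 16 — the 10000h mask) cleared by PageProtectOff and
 * re-enables interrupts with sti. Must follow a PageProtectOff call.
 *
 * The posted listing read "oreax,10000h", which does not assemble; the
 * instruction is "or eax,10000h".
 */
void PageProtectOn()
{
__asm{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}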
/*
 * Reports whether the process identified by ProcessId has the image file
 * name str_ProtectObjName, using an exact (case-sensitive) strcmp against
 * the name returned by PsGetProcessImageFileName.
 *
 * Returns TRUE only when the lookup succeeds and the names compare equal.
 * An unreadable name pointer, a zero ProcessId, or a failed lookup yields
 * FALSE. The EPROCESS reference taken by PsLookupProcessByProcessId is
 * released on every path that acquires it.
 */
BOOLEAN ProtectProcess(HANDLE ProcessId,char *str_ProtectObjName)
{
    PEPROCESS eproc = NULL;
    BOOLEAN matched = FALSE;

    /* Validate the arguments before touching process objects. */
    if(!MmIsAddressValid(str_ProtectObjName) || ProcessId==0)
    {
        return FALSE;
    }

    /* No such PID (or any other lookup failure) counts as "not protected". */
    if(!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId,&eproc)))
    {
        return FALSE;
    }

    /* NOTE(review): PsGetProcessImageFileName returns the short name kept in
     * the EPROCESS, which is truncated for long image names, so an exact
     * strcmp may not match every intended process — confirm. */
    matched = (strcmp(PsGetProcessImageFileName(eproc),str_ProtectObjName)==0) ? TRUE : FALSE;

    ObDereferenceObject(eproc);
    return matched;
}


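/*
 * Replacement for the NtOpenProcess service installed by DriverEntry.
 * Fails the call with STATUS_UNSUCCESSFUL when the target process's image
 * name is "calc.exe" (as decided by ProtectProcess); every other call is
 * forwarded unchanged to the original service saved in old_openprocee.
 *
 * ClientId is optional for this service (declared __in_opt): a caller may
 * open by name through ObjectAttributes and pass NULL. The posted code
 * dereferenced ClientId unconditionally, which would fault in kernel mode
 * for such callers; a NULL ClientId is now forwarded untouched.
 *
 * NOTE(review): for a call arriving from user mode, ClientId points into
 * user memory and is read here before the original service has probed it,
 * so an unmapped or unaligned pointer would likely fault in the kernel
 * instead of failing the call. The probe/exception handling the original
 * service performs is not replicated here — confirm and add it if the
 * hook is kept.
 */
NTSTATUS MyNtOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
    /* Only a by-PID open can name a protected process; NULL falls through. */
    if(ClientId!=NULL && ProtectProcess(ClientId->UniqueProcess,"calc.exe"))
    {
        return STATUS_UNSUCCESSFUL;
    }
    return ((MYNTOPENPROCESS)old_openprocee)(ProcessHandle,
        DesiredAccess,
        ObjectAttributes,
        ClientId);
}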


/*
 * Driver entry point: saves the current NtOpenProcess service address in
 * old_openprocee and installs MyNtOpenProcess in its place, with CR0 write
 * protection cleared around the two accesses, then registers DriverUnload
 * so the original can be restored. preg (the registry path) is unused.
 *
 * NOTE(review): as posted, both the read and the write below go through
 * ServiceTableBase itself (the table's base pointer) rather than one entry
 * of the table, and the write assigns an integer to a pointer field. A
 * subscript of the form
 * ServiceTableBase[<NtOpenProcess service index — not on this page>]
 * appears to have been lost when the listing was posted (spaces inside
 * identifiers were dropped elsewhere in the same post). Confirm against the
 * original source before building; as written this corrupts the table
 * pointer rather than hooking one service.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject ,PUNICODE_STRING preg){

KdPrint(("MY first driver!"));

PageProtectOff();
/* Save the original before overwriting it so DriverUnload can restore it. */
old_openprocee=(ULONG)KeServiceDescriptorTable.ServiceTableBase;
KeServiceDescriptorTable.ServiceTableBase=(unsigned int)MyNtOpenProcess;


PageProtectOn();







/* Registered after the patch; nothing between can fail, so no restore path is needed here. */
DriverObject->DriverUnload=DriverUnload;


return STATUS_SUCCESS;
}
途中遇到问题很多 比如= =编译驱动文件的时候居然受误导编译器整成了应用层的EXE文件蛋疼 今天才发现= = 还有 导出 ssdt表的时候 如果你的代码文件名是.c结尾的 一定要在前面加 extern "C" 不然用不了= = 其实 把文件名改了就好 创建项目一定选择空项目= =