过滤函数里,tp爆非法模块的解决方法
在hookport过滤函数中,一不小心就种了tp的圈套~~下面是处理方法:NTSTATUS __stdcall NewNtOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN PVOID ObjectAttributes,
IN PCLIENT_ID ClientId
)
{
PEPROCESS EProcess;
NTSTATUS status;
ZWOPENPROCESS OldZwOpenProcess;
ULONG ulPage;
__asm{
push eax
mov eax,
mov ulPage,eax
pop eax
}
//如果是自己的驱动调用,则返回哦
if (ulPage >= ulMyDriverBase && ulPage <= ulMyDriverBase+ulMyDriverSize)
{
goto _FunctionRet;
}
if (KeGetCurrentIrql() != PASSIVE_LEVEL)
{
goto _FunctionRet;
}
//如果退出了
if (!bIsInitSuccess)
goto _FunctionRet;
//是否要保护
if (!bProtectProcess)
goto _FunctionRet;
//过滤掉桌面进程以及csrss进程
if (_stricmp(PsGetProcessImageFileName(RPsGetCurrentProcess()),"explorer.exe") == 0 ||
RPsGetCurrentProcess() == CsrssEProcess)
{
goto _FunctionRet;
}
if (MmIsAddressValidEx(ClientId))
{
if (IsFromDebugProcessId(ClientId->UniqueProcess))
{
//乾坤大挪移
ClientId->UniqueProcess = PsGetCurrentProcessId();
if (DebugOn)
KdPrint(("open OD process by %s\n",PsGetProcessImageFileName(RPsGetCurrentProcess())));
}
//如果调用者不是csrss,那么所有来自任何进程打开csrss的操作,都XXXX
if (PsGetCurrentProcessId() != CsrssID)
{
if (ClientId->UniqueProcess == CsrssID)
{
//乾坤大挪移
ClientId->UniqueProcess = PsGetCurrentProcessId();
if (DebugOn)
KdPrint(("open csrss process by %s\n",PsGetProcessImageFileName(RPsGetCurrentProcess())));
}
}
}
_FunctionRet:
//tp的菊花痒了,非得用原始KeServiceDescriptorTable里面的函数,经过tp的钩子,才不报非法模块
OldZwOpenProcess = KeServiceDescriptorTable->ServiceTable;
//让OD能XXXXXX
if (IsFromDebugProcess(RPsGetCurrentProcess()))
{
OldZwOpenProcess = OriginalServiceDescriptorTable->ServiceTable;
}
return OldZwOpenProcess(
ProcessHandle,
AccessMask,
ObjectAttributes,
ClientId
);
}
页:
[1]