OD SOD TP的那些事儿 非法调试
SDO年久失修~~被TP爆非法调试~//OD SOD TP的那些事儿
//恢复SOD的NtOpenThread SSDThook,不然tp爆非法调试
//然后这里接管这个函数的过滤
NTSTATUS __stdcall NewNtOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK AccessMask,
IN PVOID ObjectAttributes,
IN PCLIENT_ID ClientId
)
{
PETHREAD EThread;
PEPROCESS EProcess;
NTSTATUS status;
ZWOPENTHREAD OldZwOpenThread;
ULONG ulPage;
__asm{
push eax
mov eax,
mov ulPage,eax
pop eax
}
//tp的菊花痒,非得用原始KeServiceDescriptorTable里面的函数,经过tp的钩子,才不报非法调试
OldZwOpenThread = KeServiceDescriptorTable->ServiceTable;
//让OD能XXXXXX
if (IsFromDebugProcess(RPsGetCurrentProcess()))
{
OldZwOpenThread = OriginalServiceDescriptorTable->ServiceTable;
}
status = OldZwOpenThread(
ThreadHandle,
AccessMask,
ObjectAttributes,
ClientId
);
if (NT_SUCCESS(status))
{
//如果是自己的驱动调用,则返回哦
if (ulPage >= ulMyDriverBase && ulPage <= ulMyDriverBase+ulMyDriverSize){
return status;
}
//好像这里的判断是多余的~
if (KeGetCurrentIrql() != PASSIVE_LEVEL){
return status;
}
//如果退出了
if (!bIsInitSuccess){
return status;
}
//如果没有保护
if (!bProtectProcess){
return status;
}
//过滤掉桌面进程以及csrss进程
if (_stricmp(PsGetProcessImageFileName(RPsGetCurrentProcess()),"explorer.exe") == 0 ||
RPsGetCurrentProcess() == CsrssEProcess)
{
return status;
}
//get ethread
status = ObReferenceObjectByHandle(
ThreadHandle,
THREAD_ALL_ACCESS,
*PsThreadType,
KernelMode,
(PVOID*)&EThread,
NULL
);
if (NT_SUCCESS(status))
{
ObDereferenceObject(EThread);
//get eprocess
EProcess = IoThreadToProcess(EThread);
if (IsFromDebugProcess(EProcess))
{
if (DebugOn)
KdPrint(("open OD Thread by %s\n",PsGetProcessImageFileName(RPsGetCurrentProcess())));
return STATUS_ACCESS_DENIED;
}
}
status = STATUS_SUCCESS;
}
return status;
}
页:
[1]