蛋疼死了,按照以前学的方法写的内联HOOK,现在怎么用不了了,调试了几十次了还是蓝屏,加载过一段时间后蓝屏,到底哪里错了啊,自定义的函数找不到哪里错了:- ULONG GetNt_CurAddr(LONG Suoyin/* service index, e.g. 0X7A */)// Return the address currently stored in the SSDT slot for service index Suoyin
- {
- LONG * SSDT_Adr;
- LONG SSDT_NtOpenProcess_Cur_Addr,t_addr;
- // Read the function address stored in the SSDT slot at index Suoyin.
- // Each slot is taken to be 4 bytes (Suoyin*4), i.e. a 32-bit-only layout.
- // NOTE(review): Suoyin is not checked against the table's entry count, so a
- // bad index reads past the table; the index itself is build-specific.
- t_addr=(LONG)KeServiceDescriptorTable->ServiceTableBase;
- SSDT_Adr=(PLONG)(t_addr+Suoyin*4);
- SSDT_NtOpenProcess_Cur_Addr=*SSDT_Adr;
- return SSDT_NtOpenProcess_Cur_Addr;
- }
- HANDLE Getpid; // PID to protect; written by the Hook_code IOCTL path, compared against by NOWOpenProcess
- PEPROCESS PEPE; // calling process, filled in by NOWOpenProcess for its log message
- ULONG ADR; // address currently in the hooked SSDT slot; set in Hook_code, read by the NOWOpenProcess trampoline
- // NOTE(review): these globals are written from the IOCTL handler and read from the
- // hook on any CPU with no synchronization; confirm that is acceptable for this use.
- #pragma PAGECODE
- // Replacement NtOpenProcess: the 5-byte jmp written over the SSDT target lands here with the caller's __stdcall frame untouched.
- // NOTE(review): __declspec(naked) emits no prolog/epilog, yet the body uses C locals (rc, OPENPID) and an if chain;
- // without an explicit push ebp / mov ebp,esp frame those locals are addressed relative to whatever ebp the caller left -- confirm the generated code.
- [code]extern "C" NTSTATUS __declspec(naked) __stdcall NOWOpenProcess(
- OUT PHANDLE ProcessHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- IN PCLIENT_ID ClientId ) {
- NTSTATUS rc; // never assigned or returned
- HANDLE OPENPID;
- 
- 
- // ClientId arrives straight from the system-call caller. The original NtOpenProcess probes it under exception
- // handling before use; this hook dereferences it bare, so an invalid user pointer faults in kernel mode.
- if (ClientId!=NULL)
- {
- OPENPID=ClientId->UniqueProcess;
- // NOTE(review): UniqueProcess holds the PID as an integer-valued HANDLE, not a pointer to one. *((int*)OPENPID)
- // reads from address == PID, a low address that is never mapped, and bugchecks. This line runs on every
- // process open, which fits "crashes some time after loading". Print (int)OPENPID instead.
- KdPrint(("现在被打开的进程PID=%d",*((int*)OPENPID)));
- // Getpid is the PID passed in from user mode (written by the Hook_code IOCTL).
- if (OPENPID==Getpid)
- {
- KdPrint(("发现进程被打开,被保护的进程PID是:%d",(int*)Getpid)); // %d given a pointer-typed argument; mismatched but harmless here
- PEPE=PsGetCurrentProcess();
- // Offset 0x174 is presumably EPROCESS.ImageFileName for the build this was written against; it is not stable across builds.
- KdPrint(("进程__%s__企图打开被保护的进程",(PTSTR)((ULONG)PEPE+0x174)));
- // Only the local copy of the parameter is nulled; the caller's *ProcessHandle is never written.
- ProcessHandle=NULL;
- // Return to the caller, popping the four __stdcall arguments (0x10 bytes). eax is never set, so the caller
- // receives whatever value happened to be in eax as its NTSTATUS; a deny path should set an error status first.
- __asm{
- retn 0x10
- }
- }
- }
- // Trampoline: re-execute the instruction assumed to have been overwritten by the 5-byte jmp (push 0C4h),
- // then continue at the original function's sixth byte. This hard-codes the first instruction of one specific
- // NtOpenProcess build; if the real first bytes differ (e.g. a hot-patch prolog), execution resumes mid-instruction.
- __asm{
- push 0x0C4
- mov eax ,ADR
- add eax,0x5
- jmp eax
- }
- }
复制代码 入口函数:- extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING B) // typedef LONG NTSTATUS
- { // Driver entry point: install one dispatch routine for the listed majors, create the device, register unload.
- pDriverObject->MajorFunction[IRP_MJ_CREATE]=ddk_DispatchRoutine_CONTROL; // IRP_MJ_CREATE handler
- pDriverObject->MajorFunction[IRP_MJ_CLOSE]=ddk_DispatchRoutine_CONTROL; // IRP_MJ_CLOSE handler
- pDriverObject->MajorFunction[IRP_MJ_READ]=ddk_DispatchRoutine_CONTROL; // IRP_MJ_READ handler
- pDriverObject->MajorFunction[IRP_MJ_CLOSE]=ddk_DispatchRoutine_CONTROL; // duplicate of the IRP_MJ_CLOSE line above (harmless); possibly meant another major -- verify
- pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=ddk_DispatchRoutine_CONTROL; // IRP_MJ_DEVICE_CONTROL handler
- CreateMyDevice(pDriverObject);// create the device object; its result is not checked here
- // NOTE(review): nothing visible in this file restores the patched SSDT slot on unload; confirm DDK_Unload does,
- // otherwise unloading leaves a jmp into freed driver code.
- pDriverObject->DriverUnload=DDK_Unload;
- return (1); // NOTE(review): 1 is not STATUS_SUCCESS (0); it is in the success range so the load proceeds, but STATUS_SUCCESS is the conventional value
- }
复制代码- case Hook_code:
- {
- // IOCTL handler: take the PID to protect from the caller's buffer, then overwrite the first 5 bytes of the
- // function in SSDT slot 0x7A with a jmp to NOWOpenProcess.
- // NOTE(review): on current Windows this kind of kernel code patching is blocked by kernel patch protection;
- // the supported way to filter process handle opens is ObRegisterCallbacks.
- int * InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
- // Copies the first 4 bytes of the system buffer into Getpid. No check of the input buffer length precedes this read.
- _asm
- {
- mov eax,InputBuffer
- mov ebx,[eax]
- mov Getpid,ebx
- }
- 
- ADR=GetNt_CurAddr(0x07a); // 0x7A is assumed to be NtOpenProcess's index; SSDT indices are build-specific
- OldNtopenprocess =(NTOPENPROCESS*)ADR; // original slot value, typed as a function pointer; not used in the visible hook path
- JMPCODE SAVECODE1; // declared but never written: the original 5 bytes are not saved, so they cannot be restored on unload
- PJMPCODE CODE2;
- CODE2=(PJMPCODE)ADR;
- ULONG JMPADR;
- JMPADR=(ULONG)NOWOpenProcess-ADR-5; // rel32 for a 5-byte E9 jmp: target - (patch address + 5)
- __asm // clear CR0.WP (bit 16) so the code page can be written
- {
- cli
- mov eax,cr0
- and eax,not 10000h // and eax,0FFFEFFFFh
- mov cr0,eax
- }
- // NOTE(review): cli masks interrupts on this CPU only; other CPUs may execute these bytes while the two
- // stores below are in flight, and a 5-byte patch is not a single atomic write.
- CODE2->E9=0xe9;
- CODE2->JMPADDR=JMPADR;
- __asm // restore CR0.WP
- {
- mov eax,cr0
- or eax,10000h // or eax,not 0FFFEFFFFh
- mov cr0,eax
- sti
- }
- info = 4; // presumably the byte count reported for this IRP -- confirm against the completion code
- 
- break;
- }