在hookport过滤函数中,一不小心就种了tp的圈套~~下面是处理方法:
/*
 * NewNtOpenProcess — replacement routine installed in place of NtOpenProcess
 * (the "hookport" filter referred to in the post).
 *
 * Behaviour visible in this listing:
 *   - reads the caller's return address from the stack frame and passes the
 *     call through untouched when it lies inside this driver's own image;
 *   - passes through at non-PASSIVE IRQL, when the driver is not initialised,
 *     when protection is switched off, and for explorer.exe / csrss callers;
 *   - otherwise, if ClientId->UniqueProcess names the debugger process, or
 *     (for a non-csrss caller) names csrss itself, overwrites that field with
 *     the caller's own PID before dispatching;
 *   - dispatches to the NtOpenProcess entry currently in KeServiceDescriptorTable,
 *     or, when the caller is the debugger process, to the saved original entry.
 *
 * Parameters mirror NtOpenProcess; the return value is whatever the dispatched
 * routine returns. ulMyDriverBase, ulMyDriverSize, bIsInitSuccess,
 * bProtectProcess, CsrssEProcess, CsrssID, DebugOn, ZwOpenProcessIndex,
 * OriginalServiceDescriptorTable, RPsGetCurrentProcess and the
 * IsFromDebugProcess* helpers are defined elsewhere in the driver, not here.
 */
NTSTATUS __stdcall NewNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN PVOID ObjectAttributes,
    IN PCLIENT_ID ClientId
    )
{
    PEPROCESS EProcess;              // declared but not used in this listing
    NTSTATUS status;                 // declared but not used in this listing
    ZWOPENPROCESS OldZwOpenProcess;  // entry this call is finally dispatched to
    ULONG ulPage;                    // return address of our caller (see asm below)
    // 32-bit MSVC inline asm: [ebp+4] is the return address, which presumes the
    // compiler emitted a standard ebp frame for this function — TODO confirm
    // the build does not omit frame pointers.
    __asm{
        push eax
        mov eax,[ebp+4]
        mov ulPage,eax
        pop eax
    }
    // Calls originating from inside this driver's own image are passed through.
    // NOTE(review): the upper bound is inclusive (<=), i.e. one past the image end.
    if (ulPage >= ulMyDriverBase && ulPage <= ulMyDriverBase+ulMyDriverSize)
    {
        goto _FunctionRet;
    }
    // Only filter at PASSIVE_LEVEL; anything else is passed straight through.
    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
    {
        goto _FunctionRet;
    }
    // Driver not (or no longer) initialised.
    if (!bIsInitSuccess)
        goto _FunctionRet;
    // Protection switched off.
    if (!bProtectProcess)
        goto _FunctionRet;
    // Skip the desktop shell (explorer.exe) and the csrss process as callers.
    if (_stricmp(PsGetProcessImageFileName(RPsGetCurrentProcess()),"explorer.exe") == 0 ||
        RPsGetCurrentProcess() == CsrssEProcess)
    {
        goto _FunctionRet;
    }
    // Only the pointer is validated; ClientId is then read and written directly,
    // with no ProbeForRead/ProbeForWrite or __try around what may be a
    // caller-supplied buffer. The redirects below write back into that buffer.
    if (MmIsAddressValidEx(ClientId))
    {
        if (IsFromDebugProcessId(ClientId->UniqueProcess))
        {
            // Redirect: the target PID becomes the caller's own PID.
            ClientId->UniqueProcess = PsGetCurrentProcessId();
            if (DebugOn)
                KdPrint(("open OD process by %s\n",PsGetProcessImageFileName(RPsGetCurrentProcess())));
        }
        // Unless the caller is csrss itself, any open of csrss gets the same redirect
        // (the original comment's verb is censored as "XXXX").
        if (PsGetCurrentProcessId() != CsrssID)
        {
            if (ClientId->UniqueProcess == CsrssID)
            {
                // Same redirect as above.
                ClientId->UniqueProcess = PsGetCurrentProcessId();
                if (DebugOn)
                    KdPrint(("open csrss process by %s\n",PsGetProcessImageFileName(RPsGetCurrentProcess())));
            }
        }
    }
_FunctionRet:
    // Dispatch through whatever entry currently sits in KeServiceDescriptorTable
    // (i.e. through TP's own hook); the author reports TP raises an "illegal
    // module" error when its hook is bypassed.
    OldZwOpenProcess = KeServiceDescriptorTable->ServiceTable[ZwOpenProcessIndex];
    // For the debugger process itself, dispatch to the saved original entry
    // instead (original comment censored: "让OD能XXXXXX").
    if (IsFromDebugProcess(RPsGetCurrentProcess()))
    {
        OldZwOpenProcess = OriginalServiceDescriptorTable->ServiceTable[ZwOpenProcessIndex];
    }
    return OldZwOpenProcess(
        ProcessHandle,
        AccessMask,
        ObjectAttributes,
        ClientId
        );
}