- SDO年久失修~~被TP爆非法调试~
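// OD / SOD / TP interplay.
// SOD's own NtOpenThread SSDT hook has to be restored first, otherwise TP
// reports "illegal debugging"; this function then takes over the filtering
// for that service.
/*
 * NewNtOpenThread - SSDT replacement for NtOpenThread.
 *
 * Every call is forwarded to whatever NtOpenThread entry is currently
 * installed in the live SSDT (TP's hook while TP is loaded), so TP still sees
 * the call and does not flag "illegal debugging".  Calls issued by the
 * debugger process are routed to the entry saved in
 * OriginalServiceDescriptorTable instead, i.e. they bypass TP's hook.
 *
 * After a successful open, if the target thread belongs to the debugger
 * process and the caller is neither this driver, explorer.exe nor csrss.exe,
 * the handle the real service just created is closed again and
 * STATUS_ACCESS_DENIED is returned.  Returning the error alone would leave a
 * usable handle in the caller's handle table, which is what the original
 * version did.
 *
 * ThreadHandle      [out] caller-supplied pointer that receives the handle
 *                   (normally user-mode memory; the handle value is
 *                   *ThreadHandle, not the pointer itself)
 * AccessMask        requested access
 * ObjectAttributes  OBJECT_ATTRIBUTES for the open
 * ClientId          process/thread id of the thread to open
 *
 * Returns the status of the underlying NtOpenThread call, or
 * STATUS_ACCESS_DENIED when the open was blocked.
 */
NTSTATUS __stdcall NewNtOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK AccessMask,
    IN PVOID ObjectAttributes,
    IN PCLIENT_ID ClientId
    )
{
    PETHREAD EThread;
    PEPROCESS EProcess;
    NTSTATUS status;
    NTSTATUS refStatus;
    ZWOPENTHREAD OldZwOpenThread;
    ULONG ulPage;
    HANDLE hThread;

    // Return address of this frame ([ebp+4]); used below to recognise calls
    // made by this driver itself.  Relies on a standard ebp frame (no FPO).
    // NOTE(review): a call that enters through the system-service dispatcher
    // returns into ntoskrnl, so this presumably only matches direct calls into
    // the table entry made from inside this driver - confirm.
    __asm{
        push eax
        mov eax,[ebp+4]
        mov ulPage,eax
        pop eax
    }

    // TP insists on seeing the call go through its own hook in the live
    // KeServiceDescriptorTable; skipping it triggers "illegal debugging".
    OldZwOpenThread = KeServiceDescriptorTable->ServiceTable[ZwOpenThreadIndex];
    // The debugger's own opens go to the saved original entry, around TP's hook.
    if (IsFromDebugProcess(RPsGetCurrentProcess()))
    {
        OldZwOpenThread = OriginalServiceDescriptorTable->ServiceTable[ZwOpenThreadIndex];
    }

    status = OldZwOpenThread(
        ThreadHandle,
        AccessMask,
        ObjectAttributes,
        ClientId
        );
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    // Calls from this driver itself are never filtered.
    if (ulPage >= ulMyDriverBase && ulPage <= ulMyDriverBase+ulMyDriverSize){
        return status;
    }
    // Kept from the original; the service above has already run, so this
    // check is believed to be redundant.
    if (KeGetCurrentIrql() != PASSIVE_LEVEL){
        return status;
    }
    // Driver not (or no longer) initialised.
    if (!bIsInitSuccess){
        return status;
    }
    // Protection switched off.
    if (!bProtectProcess){
        return status;
    }
    // The desktop shell and csrss are allowed through.
    if (_stricmp(PsGetProcessImageFileName(RPsGetCurrentProcess()),"explorer.exe") == 0 ||
        RPsGetCurrentProcess() == CsrssEProcess)
    {
        return status;
    }

    // ThreadHandle is the caller's OUT pointer; the handle value the real
    // service stored is *ThreadHandle.  Read it under SEH in case the caller's
    // buffer is unmapped underneath us.
    __try {
        hThread = *ThreadHandle;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return status;
    }

    // Resolve handle -> ETHREAD -> owning EPROCESS.  The reference is held
    // until after IoThreadToProcess() so the thread object cannot go away
    // while it is being inspected.
    refStatus = ObReferenceObjectByHandle(
        hThread,
        THREAD_ALL_ACCESS,
        *PsThreadType,
        KernelMode,
        (PVOID*)&EThread,
        NULL
        );
    if (!NT_SUCCESS(refStatus))
    {
        return status;
    }
    EProcess = IoThreadToProcess(EThread);
    ObDereferenceObject(EThread);

    if (IsFromDebugProcess(EProcess))
    {
        if (DebugOn)
            KdPrint(("open OD Thread by %s\n",PsGetProcessImageFileName(RPsGetCurrentProcess())));
        // The real service already placed a usable handle in the caller's
        // handle table; an error status alone would not revoke it.  Close it
        // and clear the caller's copy before denying.
        ZwClose(hThread);
        __try {
            *ThreadHandle = NULL;
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            // Caller's buffer vanished; the handle is closed regardless.
        }
        return STATUS_ACCESS_DENIED;
    }

    return status;
}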