备案控制台
探索云世界
开发者社区 开发与运维 文章 正文

【转】SSDT&Shadow Hook的实现,完整代码。可编译

2012-11-29 840
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介: 原文连接:http://bbs.pediy.com/showthread.php?t=138747&highlight=inline+hook 转自看雪,写复制到自己博客上慢慢啃,呵呵   #include //辛苦了几周的成果 typedef struct ServiceD...

原文连接:http://bbs.pediy.com/showthread.php?t=138747&highlight=inline+hook

转自看雪,写复制到自己博客上慢慢啃,呵呵

 

#include <ntddk.h>
//辛苦了几周的成果


typedef struct ServiceDescriptorEntry {
  PVOID *ServiceTableBase;
  ULONG *ServiceCounterTableBase; //Used only in checked build
  ULONG NumberOfService;   //Null
  PVOID *ParamTableBase;
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;

PServiceDescriptorTableEntry KeServiceDescriptorTableShadow;

__declspec(dllimport) _stdcall KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID);
__declspec(dllimport)  ServiceDescriptorTableEntry KeServiceDescriptorTable;

//---------------------------------------------------

typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef struct _SYSTEM_HANDLE_INFORMATION 
{
  ULONG ProcessId;
  UCHAR ObjectTypeNumber;
  UCHAR Flags;
  USHORT Handle;
  PVOID Object;
  ACCESS_MASK GrantedAccess;
} _SYSTEM_HANDLE_INFORMATION, *P_SYSTEM_HANDLE_INFORMATION;

typedef struct _SYSTEM_HANDLE_INformATION_EX {
  ULONG NumberOfHandles;
  _SYSTEM_HANDLE_INFORMATION Information[1];
} _SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;







//-----------------------
typedef NTSTATUS (*NTGDIGETPIXEL)
(
);

NTGDIGETPIXEL               g_OriginalNtGdiGetPixel;


//-----------------API申明-----------

PVOID GetUndocumentFunctionAdress();
VOID Hook();
VOID Unhook();
VOID WPOFF(VOID);
VOID WPON(VOID);
VOID InitCallNumber();
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);

//--------shadow-----------
PVOID GetInfoTable(ULONG ATableType);
HANDLE GetCsrPid();
VOID KeAttPro();
VOID HookShadow();
VOID UnhookShadow();
ULONG MyNtGdiGetPixel();

NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS * pEProcess);

NTSTATUS ZwQuerySystemInformation( 
    IN ULONG SystemInformationClass, 
    IN PVOID SystemInformation, 
    IN ULONG SystemInformationLength, 
    OUT PULONG ReturnLength);

NTSTATUS ZwDuplicateObject(
                 IN HANDLE                 SourceProcessHandle,
                 IN PHANDLE                 SourceHandle,
                 IN HANDLE                 TargetProcessHandle,
                 OUT PHANDLE               TargetHandle,
                 IN ACCESS_MASK             DesiredAccess OPTIONAL,
                 IN BOOLEAN                 InheritHandle,
                 IN ULONG                   Options );

NTSTATUS ZwQueryObject(
    IN HANDLE                ObjectHandle,
    IN ULONG                 ObjectInformationClass,
    OUT PVOID                ObjectInformation,
    IN ULONG                 ObjectInformationLength,
    OUT PULONG               ReturnLength OPTIONAL);


NTSTATUS PsLookupProcessByProcessId(
       IN ULONG               ulProcId, 
       OUT PEPROCESS *        pEProcess);


NTSTATUS KeAttachProcess(PEPROCESS pPeb);
NTSTATUS KeDetachProcess();

//--------shadow-----------






//---------------全局变量------------
PEPROCESS crsEProc;

ULONG JmpAddress;
ULONG JmpAddress1;
ULONG JmpAddress2;
ULONG JmpAddress3;
ULONG JmpAddress4;
ULONG JmpAddress5;
ULONG JmpAddress6;
ULONG JmpAddress7;

ULONG JmpAddRead_xp;
ULONG JmpAddWrite_xp;
ULONG JmpAddOpen_xp;

//--------shadow-----------
ULONG JmpAddress_Shadow_GdiGetPixel;
//--------shadow-----------

ULONG OldServiceAddress;
ULONG OldServiceAddress1;
ULONG OldServiceAddress2;
ULONG OldServiceAddress3;
ULONG OldServiceAddress4;
ULONG Adds;
ULONG retAddr1;  
ULONG retAddr;  
ULONG retAddr2;  

ULONG retAddrRwpm_Xp;
ULONG retAddrIoCF_Xp;


//----------------------定义常量---------
ULONG NtOpenProcess_CallNumber = 0;   //服号
ULONG NtReadVirtualMemory_CallNumber = 0;   //服号
ULONG NtWriteVirtualMemory_CallNumber = 0;   //服号
ULONG NtClose_CallNumber = 0; 
ULONG NtDeviceIoControlFile_CallNumber = 0; 

//--------shadow-----------
ULONG NtGdiGetPixel_callnumber = 0;
//--------shadow-----------

#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)





//------------------------函数部分---------------

//-----------------shadow--------------
unsigned int getAddressOfShadowTable()
{
    unsigned int i;
    unsigned char *p;
    unsigned int dwordatbyte;

    p = (unsigned char*) KeAddSystemServiceTable;

    for(i = 0; i < 4096; i++, p++)
    {
        __try
        {
            dwordatbyte = *(unsigned int*)p;
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            return 0;
        }

        if(MmIsAddressValid((PVOID)dwordatbyte))
        {
            if(memcmp((PVOID)dwordatbyte, &KeServiceDescriptorTable, 16) == 0)
            {
                if((PVOID)dwordatbyte == &KeServiceDescriptorTable)
                {
                    continue;
                }

                return dwordatbyte;
            }
        }
    }

    return 0;
}

ULONG getShadowTable()
{
    KeServiceDescriptorTableShadow = (PServiceDescriptorTableEntry) getAddressOfShadowTable();

    if(KeServiceDescriptorTableShadow == NULL)
    {  
        return FALSE;
    }
    else
    {
        return TRUE;
    }
} 

PVOID GetInfoTable(ULONG ATableType)
{
  ULONG mSize = 0x4000;
  PVOID mPtr = NULL;
  NTSTATUS St;
  do
  {
     mPtr = ExAllocatePool(PagedPool, mSize);
     memset(mPtr, 0, mSize);
     if (mPtr)
     {
        St = ZwQuerySystemInformation(ATableType, mPtr, mSize, NULL);
     } else return NULL;
     if (St == STATUS_INFO_LENGTH_MISMATCH)
     {
        ExFreePool(mPtr);
        mSize = mSize * 2;
     }
  } while (St == STATUS_INFO_LENGTH_MISMATCH);
  if (St == STATUS_SUCCESS) return mPtr;
  ExFreePool(mPtr);
  return NULL;
}

//--------------------下面这个函数必须的--------
HANDLE GetCsrPid()
{
  HANDLE Process, hObject;
  HANDLE CsrId = (HANDLE)0;
  OBJECT_ATTRIBUTES obj;
  CLIENT_ID cid;
  UCHAR Buff[0x100];
  POBJECT_NAME_INFORMATION ObjName = (PVOID)&Buff;
  PSYSTEM_HANDLE_INFORMATION_EX Handles;
  ULONG r;

  Handles = GetInfoTable(0x10); //SystemHandleInformation =  0x10

  if (!Handles) return CsrId;

  for (r = 0; r < Handles->NumberOfHandles; r++)
  {
    if (Handles->Information[r].ObjectTypeNumber == 21) //Port object
    {
      InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

      cid.UniqueProcess = (HANDLE)Handles->Information[r].ProcessId;
      cid.UniqueThread = 0;

      if (NT_SUCCESS(NtOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid)))
      {
        if (NT_SUCCESS(ZwDuplicateObject(Process, (HANDLE)Handles->Information[r].Handle,NtCurrentProcess(), &hObject, 0, 0, DUPLICATE_SAME_ACCESS)))
        {
          if (NT_SUCCESS(ZwQueryObject(hObject, 1, ObjName, 0x100, NULL))) //ObjectNameInformation == 1
          {
            if (ObjName->Name.Buffer && !wcsncmp(L"\\Windows\\ApiPort", ObjName->Name.Buffer, 20))
            {
              CsrId = (HANDLE)Handles->Information[r].ProcessId;
            } 
          }

          ZwClose(hObject);
        }

        ZwClose(Process);
      }
    }
  }

  ExFreePool(Handles);
  return CsrId;
}

BOOLEAN Sleep(ULONG MillionSecond)
{
  NTSTATUS st;
  LARGE_INTEGER DelayTime;
  DelayTime = RtlConvertLongToLargeInteger(-10000*MillionSecond);
  st=KeDelayExecutionThread( KernelMode, FALSE, &DelayTime );
  return (NT_SUCCESS(st));
}



//-----------------shadow--------------























PVOID
GetUndocumentFunctionAdress()
{

  ULONG size,index;
  PULONG buf;
      ULONG i;
  PSYSTEM_MODULE_INFORMATION module;
  PVOID driverAddress=0;
     ULONG ntosknlBase;
  ULONG ntosknlEndAddr;
  ULONG curAddr;
  NTSTATUS status;

  ULONG  code1_sp2=0x0035ff64,code2_sp2=0x8b000000,code3_sp2=0x89102444,code4_sp2=0x8d10246c;
  ULONG  code1_cal=0x8908758b,code2_cal=0xffff08b5,code3_cal=0x89db33ff,code4_cal=0xffff149d;

  ULONG  code1_Fil=0x33207d8b,code2_Fil=0xd85d89db,code3_Fil=0x831c758b,code4_Fil=0x758903e6;
  ULONG  code1_rwm=0x66f845dd,code2_rwm=0x7f087d81,code3_rwm=0xd9037402,code4_rwm=0xc3c9086d;

  ULONG  code1_IoF=0x5d89db33,code2_IoF=0x1c758be0,code3_IoF=0x8903e683,code4_IoF=0xa164d475;


  ZwQuerySystemInformation(SystemModuleInformation,&size, 0, &size);

  if(NULL==(buf = (PULONG)ExAllocatePool(PagedPool, size)))
  {
    DbgPrint("failed alloc memory failed  \n");
    return 0;
  }
     
  status=ZwQuerySystemInformation(SystemModuleInformation,buf, size , 0);
  if(!NT_SUCCESS( status ))
  {
             DbgPrint("failed  query\n");
          return 0;
  }

  module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1);
  
  ntosknlEndAddr=(ULONG)module->Base+(ULONG)module->Size;
  ntosknlBase=(ULONG)module->Base;
  curAddr=ntosknlBase;
  ExFreePool(buf);

  for (i=curAddr;i<=ntosknlEndAddr;i++)
    {
      if ((*((ULONG *)i)==code1_sp2)&&(*((ULONG *)(i+4))==code2_sp2)&&(*((ULONG *)(i+8))==code3_sp2)&&(*((ULONG *)(i+12))==code4_sp2)) 
       
      {
            
        retAddr = i-5;  //为什么-5 BECAUSE..函数第一句5个字节.
              
      }

      if ((*((ULONG *)i)==code1_cal)&&(*((ULONG *)(i+4))==code2_cal)&&(*((ULONG *)(i+8))==code3_cal)&&(*((ULONG *)(i+12))==code4_cal)) 
       
      {
            
        retAddr1 = i-0xF;
              
      }

      if ((*((ULONG *)i)==code1_Fil)&&(*((ULONG *)(i+4))==code2_Fil)&&(*((ULONG *)(i+8))==code3_Fil)&&(*((ULONG *)(i+12))==code4_Fil)) 
       
      {
            
        retAddr2 = i-0xC;
            
      }
      if ((*((ULONG *)i)==code1_rwm)&&(*((ULONG *)(i+4))==code2_rwm)&&(*((ULONG *)(i+8))==code3_rwm)&&(*((ULONG *)(i+12))==code4_rwm)) 
       
      {
            
        retAddrRwpm_Xp = i+0x10;
            
      }
      if ((*((ULONG *)i)==code1_IoF)&&(*((ULONG *)(i+4))==code2_IoF)&&(*((ULONG *)(i+8))==code3_IoF)&&(*((ULONG *)(i+12))==code4_IoF)) 
       
      {
            
        retAddrIoCF_Xp = i-0xC;
            
      }

  }
return 0;

}

//------------------暂停函数----------------

VOID MySleep(LONG msec)
{
LARGE_INTEGER my_interval;
my_interval.QuadPart = DELAY_ONE_MILLISECOND;
my_interval.QuadPart *= msec;
KeDelayExecutionThread(KernelMode,0,&my_interval);
}

//--------------获取服务号----------------
VOID InitCallNumber()
{
  ULONG majorVersion, minorVersion;
  PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );

  if ( majorVersion == 5 && minorVersion == 1 )
      {
    DbgPrint("Running on Windows Xp");

    NtOpenProcess_CallNumber = 0x7A;
    NtReadVirtualMemory_CallNumber =0xBA;
    NtWriteVirtualMemory_CallNumber = 0x115;
    NtClose_CallNumber = 0x19; 
    NtDeviceIoControlFile_CallNumber = 0x42; 

    NtGdiGetPixel_callnumber = 0xBF;
  }

  else if ( majorVersion == 6 && minorVersion == 1 )
  {
    DbgPrint("Running on Windows 7");

    NtOpenProcess_CallNumber = 0xBE;
    NtReadVirtualMemory_CallNumber =0x115;
    NtWriteVirtualMemory_CallNumber = 0x18F;
    NtClose_CallNumber = 0x32; 
    NtDeviceIoControlFile_CallNumber = 0x6B; 

    NtGdiGetPixel_callnumber = 0xC8;
  }


}

//-------------------下面是处理内存权限-读写开关-----------------

VOID WPOFF(VOID)
{
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
}



VOID WPON(VOID)
{
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}



//------------------------构造自己的函数--------------------

__declspec(naked) NTSTATUS MyNtDeviceIoControlFile(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG IoControlCode,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID OutputBuffer,
    ULONG OutputBufferLength
)
{
  __asm{

//  Jmp [JmpAddress7]
  mov edi, edi
  push ebp
  mov ebp, esp
  push 1
  push dword ptr [ebp+0x2C]
  push dword ptr [ebp+0x28]
  push dword ptr [ebp+0x24]
  push dword ptr [ebp+0x20]
  push dword ptr [ebp+0x1C]
  push dword ptr [ebp+0x18]
  push dword ptr [ebp+0x14]
  push dword ptr [ebp+0x10]
  push dword ptr [ebp+0xC]
  push dword ptr [ebp+0x8]
        call retAddr2
  Jmp [JmpAddress6]
       }
}


__declspec(naked) NTSTATUS __stdcall MyNtClose(HANDLE ObjectHandle)
{
  __asm{
//  Jmp [JmpAddress4]
  mov edi, edi
  push ebp
  mov ebp, esp
  Jmp [JmpAddress5]
       }
}


__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId) 
{
 // DbgPrint("NtOpenProcess() called");
  __asm{

//      jmp     [JmpAddress2]

  mov edi, edi
  push ebp
  mov ebp, esp
  push ecx
  push ecx
  mov eax, fs:[0x124]
  mov al, byte ptr [eax+0x13A]
  mov ecx, [ebp+0x14]
  mov edx, [ebp+0x10]
  mov byte ptr [ebp-0x4], al
  push [ebp-0x4]
  push [ebp-0x4]
  push [ebp+0xC]
  push [ebp+0x8]
  call retAddr1
  jmp     [JmpAddress3]
//      _emit 0x0F 




  }
}

__declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(HANDLE ProcessHandle,
               PVOID BaseAddress,
               PVOID Buffer,
               ULONG NumberOfBytesToRead,
         PULONG NumberOfBytesReaded) 
{
  //跳过去
  __asm
  {
//    jmp     [JmpAddress]
    push    0x18;
    push 0x832a8B08;
    call retAddr
    jmp     [JmpAddress]
  }
}

__declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle,
               PVOID BaseAddress,
               PVOID Buffer,
               ULONG NumberOfBytesToWrite,
         PULONG NumberOfBytesReaded) 
{
  //跳过去
  __asm
  {
//    jmp     [JmpAddress1]

    push    0x18;
    push 0x832a8AE0;
    call retAddr
    jmp     [JmpAddress1] 
  }
}
//-----------------------Xp----------------

__declspec(naked) NTSTATUS MyNtDeviceIoControlFile_Xp(
    HANDLE FileHandle,
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG IoControlCode,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID OutputBuffer,
    ULONG OutputBufferLength
)
{
  __asm{

//  Jmp [JmpAddress7]
  mov edi, edi
  push ebp
  mov ebp, esp
  push 1
  push dword ptr [ebp+0x2C]
  push dword ptr [ebp+0x28]
  push dword ptr [ebp+0x24]
  push dword ptr [ebp+0x20]
  push dword ptr [ebp+0x1C]
  push dword ptr [ebp+0x18]
  push dword ptr [ebp+0x14]
  push dword ptr [ebp+0x10]
  push dword ptr [ebp+0xC]
  push dword ptr [ebp+0x8]
        call retAddrIoCF_Xp
  Jmp [JmpAddress6]


       }
}


__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess_Xp(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId) 
{
  __asm{
//  jmp [JmpAddress2]
  push 0xC4
  push 0x804EB0D8
  call retAddrRwpm_Xp
        jmp     [JmpAddOpen_xp]

  }
}

__declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory_Xp(HANDLE ProcessHandle,
               PVOID BaseAddress,
               PVOID Buffer,
               ULONG NumberOfBytesToRead,
         PULONG NumberOfBytesReaded) 
{
  //跳过去
  __asm
  {
//    jmp     [JmpAddress]
    push    0x1C;
    push    0x832a8B08;
    call    retAddrRwpm_Xp
    jmp     [JmpAddRead_xp]
  }
}

__declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory_Xp(HANDLE ProcessHandle,
               PVOID BaseAddress,
               PVOID Buffer,
               ULONG NumberOfBytesToWrite,
         PULONG NumberOfBytesReaded) 
{
  //跳过去
  __asm
  {
//    jmp     [JmpAddress1]
    push    0x1C;
    push    0x832a8AE0;
    call    retAddrRwpm_Xp
    jmp     [JmpAddWrite_xp] 
  }
}

//------------------------驱动入口-------------
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
  DriverObject->DriverUnload = OnUnload;
  InitCallNumber();
  getShadowTable();                     //获得shadow表地址

  GetUndocumentFunctionAdress();        //-------获取Call函数地址----------

  KeAttPro();                 //插入进程

  HookShadow();

  Hook();
  return STATUS_SUCCESS;
}
//-------------------卸载---------------------
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
  DbgPrint("驱动卸载中!\n");              //-------无法返回,只能完成--------
  Unhook();  

  KeAttPro();
  UnhookShadow();
                             //-------恢复被HOOK的函数----------
}
//--------------Hook部分函数------------------
VOID Hook()
{
  
  ULONG  Address, Address1, Address2, Address3, Address4;


  Address = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber];
  Address1 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber];
  Address2 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber];   
  Address3 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber];// NtClose
  Address4 = (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber];   //IoDeviceFile

  DbgPrint("SSDT_NtClose:0x%08X",Address3);


 //-------保存原始函数地址----------
  OldServiceAddress  = Address;   //保存原来NtReadVirtualMemory的地址
  OldServiceAddress1 = Address1;
  OldServiceAddress2 = Address2;
  OldServiceAddress3 = Address3;
  OldServiceAddress4 = Address4;

    DbgPrint("备份的地址_NtClose:0x%08X",OldServiceAddress3);



 //--------绕过INLINE跳转到后面的地址

  JmpAddress  = (ULONG)Address + 0xC;
  JmpAddress1 = (ULONG)Address1 + 0xC;
  JmpAddress2 = (ULONG)Address2; 
  JmpAddress3 = (ULONG)Address2 +0x2D; 
  JmpAddress4 = (ULONG)Address3; 
  JmpAddress5 = (ULONG)Address3 +0x5; 
  JmpAddress6 = (ULONG)Address4 +0x2A; 
  JmpAddress7 = (ULONG)Address4; 

  JmpAddRead_xp = (ULONG)OldServiceAddress +0xC; 
  JmpAddWrite_xp = (ULONG)OldServiceAddress1 +0xC; 
  JmpAddOpen_xp = (ULONG)NtOpenProcess +0xF; 




      DbgPrint("跳转_NtReadVirtualMemory:0x%08X",JmpAddress);
      DbgPrint("跳转_NtWriteVirtualMemory:0x%08X",JmpAddress1);
      DbgPrint("跳转_NtOpenProcess:0x%08X",JmpAddress2);
      DbgPrint("跳转_NtDeviceIoControlFile:0x%08X",JmpAddress3);
      DbgPrint("跳转_NtClose:0x%08X",JmpAddress4);


//------------------时钟控制------------------

//while(1)
//{ 

//---------------------------------系统判断---------------------

  if ( NtOpenProcess_CallNumber == 0x7A )
  {


  WPOFF();
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = (ULONG)MyNtReadVirtualMemory_Xp;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = (ULONG)MyNtWriteVirtualMemory_Xp;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = (ULONG)MyNtOpenProcess_Xp;
     (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = (ULONG)MyNtClose; 
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = (ULONG)MyNtDeviceIoControlFile_Xp; 


  WPON(); 


      DbgPrint("HOOK地址_NtClose:0x%08X",Address3);
      DbgPrint("HOOK地址_NtOpenProcess:0x%08X",Address2);

      DbgPrint("HOOK地址_自己的程序_NtClose:0x%08X",(ULONG)MyNtClose);
  }

  else if ( NtOpenProcess_CallNumber == 0xBE )
  {
  WPOFF();
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = (ULONG)MyNtReadVirtualMemory;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = (ULONG)MyNtWriteVirtualMemory;
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = (ULONG)MyNtOpenProcess;
     (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = (ULONG)MyNtClose; 
    (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = (ULONG)MyNtDeviceIoControlFile; 
  WPON(); 
  }

//MySleep(2000);
}
//  }  


//--------------------------shadow-------------------------

VOID HookShadow()
{

  __try
  {
    if ((KeServiceDescriptorTableShadow!=NULL)) //读取到地址就保存起来
    {  

  g_OriginalNtGdiGetPixel = KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber];

  JmpAddress_Shadow_GdiGetPixel = (ULONG)g_OriginalNtGdiGetPixel + 0x5;


    DbgPrint("获取Shadow地址成功!\n");
      DbgPrint("Shadow:0x%08X",g_OriginalNtGdiGetPixel);

    }




    else
    {
      DbgPrint("获取地址失败!\n");
      KeServiceDescriptorTableShadow=NULL; 
    }



//-----------------系统判断--------------------



  if ( NtOpenProcess_CallNumber == 0x7A )
  {


  WPOFF();
      KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = MyNtGdiGetPixel;
  WPON(); 

  }

  else if ( NtOpenProcess_CallNumber == 0xBE )
  {
//  WPOFF();
//      KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = MyNtGdiGetPixel;
//  WPON(); 

    DbgPrint("暂时没找到WIN7的Shadow Hook解决方案~\n");

  }



  }
  __finally
  {
      KeDetachProcess(); 
  }

}


VOID KeAttPro()
{
  NTSTATUS status;

  status = PsLookupProcessByProcessId((ULONG)GetCsrPid(), &crsEProc);
  if (!NT_SUCCESS( status ))
  {
    DbgPrint("PsLookupProcessByProcessId() error\n");
    return ;
  }
  KeAttachProcess(crsEProc);
}


//////////////////////////////////////////////////////
VOID Unhook()
{
  InitCallNumber();


    WPOFF(); 

      (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtReadVirtualMemory_CallNumber] = OldServiceAddress;
      (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtWriteVirtualMemory_CallNumber] = OldServiceAddress1;
      (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtOpenProcess_CallNumber] = OldServiceAddress2;
       (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtClose_CallNumber] = OldServiceAddress3; 
      (ULONG)KeServiceDescriptorTable.ServiceTableBase[NtDeviceIoControlFile_CallNumber] = OldServiceAddress4; 

    WPON(); 

  DbgPrint("卸载完成\n");
}


VOID UnhookShadow()
{
  __try
  {
//  WPOFF();

//  KeServiceDescriptorTableShadow[1].ServiceTableBase[NtGdiGetPixel_callnumber] = g_OriginalNtGdiGetPixel;

//  WPON();
    DbgPrint("暂时没找到WIN7的Shadow Hook解决方案~\n");
         }
  __finally
       {
     KeDetachProcess();
     Sleep(50);
       }
}







//---------------------shadow自定义函数-----------------------
__declspec(naked) ULONG MyNtGdiGetPixel()
{
  __asm
  {
//  jmp g_OriginalNtGdiGetPixel

  mov edi, edi
  push ebp
  mov ebp, esp

  jmp JmpAddress_Shadow_GdiGetPixel
  }
}

 

文章标签:
服务网格
Windows
API
狂斩一条龙
目录
相关文章
Overboom
|
9月前
|
测试技术
QT --- VS2017+Qt5.12 编译报错【E2512 功能测试宏的参数必须是简单标识符 】的解决方法
QT --- VS2017+Qt5.12 编译报错【E2512 功能测试宏的参数必须是简单标识符 】的解决方法
Overboom
252 0
sumith
|
2月前
|
Android开发
Xposed模块 -- Hook函数参数
Xposed模块 -- Hook函数参数
sumith
20 0
禹鼎侯
|
3月前
|
存储 架构师 Linux
内存泄漏专题(7)hook之宏定义
内存泄漏专题(7)hook之宏定义
禹鼎侯
31 0
二进制怪兽
|
6月前
|
C++
[笔记]Lua脚本学习笔记《二》调用cpp动态库
[笔记]Lua脚本学习笔记《二》调用cpp动态库
二进制怪兽
49 0
柳鲲鹏
|
Java
MAC编译的JDK执行出错: [libjvm.dylib+0x482a49] PerfDataManager::destroy()+0xab
MAC编译的JDK执行出错: [libjvm.dylib+0x482a49] PerfDataManager::destroy()+0xab
柳鲲鹏
87 0
1569428123893308
|
Java 图形学
Unity打包符号表 使用ndk addr2line.exe+符号表 将崩溃内存地址解析成函数名
符号表的路径,符号表发布出来的时候是一个zip文件要把它解压出来,里面会有两个文件:arm64-v8a(64位)、armeabi-v7a(32位)不过unity默认打包出来的都是64位的程序,所以这个前面加上你的真实路径+arm64-v8a\libil2cpp.sym.so就可以了。
1569428123893308
443 0
lyshark
|
API
LyScript 实现Hook隐藏调试器
LyScript 插件集成的内置API函数可灵活的实现绕过各类反调试保护机制,前段时间发布的那一篇文章并没有详细讲解各类反调试机制的绕过措施,本次将补充这方面的知识点,运用LyScript实现绕过大多数通用调试机制,实现隐藏调试器的目的。
lyshark
57 0
LyScript 实现Hook隐藏调试器
lyshark
|
存储 编译器 API
Win32汇编:过程与宏调用
在计算机领域,堆栈是一个不容忽视的概念,堆栈是一种`后进先出(LIFO,Last-In,First-Out)`的数据结构,这是因为最后压入堆栈的值总是最先被取出,而新数值在执行PUSH压栈时总是被加到堆栈的最顶端,数据也总是从堆栈的最顶端被取出,堆栈是个`特殊的存储区`,主要功能是暂时存放数据和地址,通常用来保护断点和现场.
lyshark
89 0
lyshark
|
Python
LyScript 实现Hook改写MessageBox
LyScript 可实现自定义汇编指令的替换功能,用户可以自行编写一段汇编指令,将程序中特定的通用函数进行功能改写与转向操作,此功能原理是简单的Hook操作。
lyshark
200 0
LyScript 实现Hook改写MessageBox
程序员诗人
frida hook重载函数的几种写法
apply arguments MyClass.MyFunc.overload("java.util.List").implementation = function() { this.
程序员诗人
4722 0

热门文章

最新文章

  • 1
    Mac安装并使用telnet命令操作
  • 2
    OSS回源的几种方式和应用场景
  • 3
    [剑指offer] 孩子们的游戏(圆圈中最后剩下的数)
  • 4
    网络安全系列之二十二 Windows用户账号加固
  • 5
    我理解的一个程序员如何学习前端开发
  • 6
    《社交网站界面设计(原书第2版)》——1.9 为设备之间的空间进行设计
  • 7
    《Microduino实战》——1.2 为什么要开源
  • 8
    .Net函数Math.Round你会用吗?
  • 9
    麻省理工大学新发明:暗黑WiFi透视技术
  • 10
    2014秋C++第19周 补充代码 哈希法的存储与查找
  • 1
    R语言关联规则模型(Apriori算法)挖掘杂货店的交易数据与交互可视化
    25
  • 2
    R语言近似贝叶斯计算MCMC(ABC-MCMC)轨迹图和边缘图可视化
    21
  • 3
    r语言中对LASSO回归,Ridge岭回归和弹性网络Elastic Net模型实现-4
    31
  • 4
    Sentieon | 每周文献-Multi-omics-第四十一期
    26
  • 5
    数据分享|R语言广义线性模型GLM:线性最小二乘、对数变换、泊松、二项式逻辑回归分析冰淇淋销售时间序列数据和模拟-2
    17
  • 6
    数据分享|R语言广义线性模型GLM:线性最小二乘、对数变换、泊松、二项式逻辑回归分析冰淇淋销售时间序列数据和模拟-1
    23
  • 7
    基于RT-Thread摄像头车牌图像采集系统
    22
  • 8
    R语言极值理论:希尔HILL统计量尾部指数参数估计可视化
    17
  • 9
    【视频】R语言中的分布滞后非线性模型(DLNM)与发病率,死亡率和空气污染示例
    23
  • 10
    sql语句创建数据库
    19

    • 相关电子书

    更多
  • 低代码开发师(初级)实战教程
  • 冬季实战营第三期:MySQL数据库进阶实战
  • 阿里巴巴DevOps 最佳实践手册
    • 下一篇
    部署LAMP环境(Alibaba Cloud Linux 3)