HOOK SSDT
阅读原文时间:2023年07月10日阅读:3

HOOK SSDT主要代码

#pragma once
#include

/*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * *
* 更多游戏逆向视频www.yxfzedu.com *
* *
* 有任何问题请发邮件至service@yxfzedu.com *
* *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*/
#pragma pack(1) // Layout of one SSDT (System Service Descriptor Table) entry, packed to match the kernel's in-memory layout
typedef struct ServiceDescriptorEntry {
unsigned int* ServiceTableBase;          // array of service routine addresses, indexed by system-call number (written by HookOpenProcess/UnHook below)
unsigned int* ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;           // entry count of ServiceTableBase (used as the bound of the commented-out dump loop in HookOpenProcess)
unsigned char* ParamTableBase;           // not used in this file
} ServiceDescriptorTableEntry_t, * PServiceDescriptorTableEntry_t;
#pragma pack()

// Signature of the original NtOpenProcess, used to call through the saved entry.
typedef NTSTATUS (*pNtOpenProcess)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL);
// Saved original NtOpenProcess entry (set by HookOpenProcess, restored by UnHook, called through
// by MyNtOpenProcess). Holding a code address in a ULONG only works on 32-bit x86; together with
// the MSVC `__asm` blocks below this ties the whole file to 32-bit builds. Zero until the hook is
// installed, so UnHook()/MyNtOpenProcess must not run before HookOpenProcess().
ULONG g_OpenProcess;

// The kernel's SSDT, imported from ntoskrnl. Its ServiceTableBase entries normally point inside
// ntoskrnl's own image; an entry pointing into another module is the classic indicator that the
// table has been patched and is what kernel integrity checkers look for.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
//恢复内存保护
// Re-enable kernel write protection: set CR0.WP (bit 16, mask 0x10000) and re-enable interrupts.
// Counterpart of PageProtectOFF(); every PageProtectOFF() must be followed by this call or the
// CPU is left with write protection disabled. `sti` only affects the current CPU, so this pair
// is not a cross-processor lock (see the note on PageProtectOFF).
VOID PageProtectOn() {

\_\_asm {  
    mov eax, cr0;  
    or eax, 0x10000;  // set the WP bit
    mov cr0, eax;  
    sti; // re-enable interrupts (masked in PageProtectOFF)  
}  

}
//去掉内存保护
// Disable kernel write protection so the read-only SSDT page can be written: mask interrupts,
// then clear CR0.WP (bit 16). Caveats: `cli` masks interrupts on this CPU only, so other
// processors keep running and may call through the table while it is being modified; the
// caller must pair this with PageProtectOn() on every path. MSVC `__asm` is 32-bit x86 only.
VOID PageProtectOFF() {

\_\_asm {  
    cli; // mask interrupts so this thread is not preempted while WP is cleared (this CPU only)  
    mov eax, cr0;  
    and eax,not 0x10000;  // clear the WP bit
    mov cr0, eax;  
}  

}

//
// Find the byte offset of the image-file-name field inside EPROCESS by scanning the *current*
// process's EPROCESS for the prefix "explo" — i.e. it only works when the calling process is
// explorer.exe; otherwise the scan finds nothing. Returns the matching offset, or a fallback
// value on no match. NOTE: the loop bounds and the fallback return value were lost in this
// listing (blank literals) and cannot be reconstructed from the page. Hard-coded/scanned
// EPROCESS offsets are build-specific; this helper is not on the live path (its only call, in
// MyNtOpenProcess, is commented out).
ULONG GetProcessNameOffset()
{

PEPROCESS curproc;  
ULONG procNameOffset;  
// get the address of the current process's EPROCESS  
curproc = PsGetCurrentProcess();  
for (int i = ; i < ; i++)  // bounds lost in this listing; a bound larger than EPROCESS reads past the structure
{  
    if (!strncmp("explo", (PCHAR)curproc + i, strlen("explo")))  
    {  
        procNameOffset = i;  
        return procNameOffset;  
    }  
}  
return ;  // no match: fallback value lost in this listing

}

// Decide whether an open of ProcessId should be refused.
// Returns TRUE when the *current* process's image name (read at the hard-coded EPROCESS offset
// 0x16c) contains "TraceMe"; FALSE otherwise, on a blank/invalid ProcessId, or when the lookup
// fails. The blank literals in `ProcessId == ` and `!= ` were lost in this listing.
// Review notes:
//  - `Process`, looked up from ProcessId, is referenced and released but never inspected; the
//    name check runs on PsGetCurrentProcess(), i.e. the caller, not the target. Confirm which
//    process was intended.
//  - 0x16c is an OS-build-specific EPROCESS offset and silently reads the wrong bytes on other
//    builds; PsGetProcessImageFileName() returns the same field without a hard-coded offset.
//  - strstr and the %s print assume the field is NUL-terminated; it is a fixed-size buffer, so
//    a maximum-length name may not be (depends on the build's field size — confirm).
//  - `!= STATUS_SUCCESS` rejects every non-zero status, including informational ones;
//    NT_SUCCESS() is the conventional check.
BOOLEAN ProtectProcess(HANDLE ProcessId) {
PEPROCESS Process;
//HANDLE ProcessId = 100;

if (ProcessId == ) {  // literal lost in this listing
    return FALSE;  
}  
NTSTATUS ProcessByProcessIdStatus = PsLookupProcessByProcessId(ProcessId, &Process);

if (ProcessByProcessIdStatus != STATUS\_SUCCESS)  
{  
    KdPrint(("yxfzedu:根据PID获取进程对象失败 \\n"));  // "failed to get process object from PID"
    return FALSE;  
}  
// NOTE: inspects the calling process, not the looked-up `Process`
PEPROCESS pEprocess = PsGetCurrentProcess();  
KdPrint(("yxfzedu %s \\n", (UCHAR\*)pEprocess + 0x16c));  // build-specific offset
if(strstr((char\*)pEprocess + 0x16c,"TraceMe")!=){  // literal lost in this listing
    ObDereferenceObject(Process);  
    return TRUE;  
}  
ObDereferenceObject(Process);  
return FALSE;  

}

// Replacement for NtOpenProcess installed into the SSDT by HookOpenProcess().
// Refuses with STATUS_UNSUCCESSFUL when the requested PID equals the literal that was lost in
// this listing; otherwise forwards all arguments to the saved original through g_OpenProcess
// and returns its status. Runs in the context of the calling thread, for every NtOpenProcess
// on the system.
// Review notes:
//  - ClientId is annotated OPTIONAL and is caller-supplied; it is dereferenced here without a
//    NULL check, so a NULL ClientId faults in kernel mode before the original ever sees it.
//  - KdPrint prints UniqueProcess (a HANDLE, pointer-sized) with %d; %p is the matching
//    specifier.
//  - If HookOpenProcess() has not run, g_OpenProcess is 0 and the forward call jumps to
//    address 0. g_OpenProcess is also read with no synchronization against UnHook().
NTSTATUS MyNtOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL) {
KdPrint(("yxfzedu: 进入到了MyNtOpenProcess! \n"));  // "entered MyNtOpenProcess"
KdPrint(("yxfzedu: ClientId->UniqueProcess=%d \n", ClientId->UniqueProcess));  // %d with a HANDLE; unconditional deref of OPTIONAL ClientId

if (ClientId->UniqueProcess == (HANDLE))  // PID literal lost in this listing
{  
    return STATUS\_UNSUCCESSFUL;  
}  
/\*ULONG offse= GetProcessNameOffset();  
KdPrint(("yxfzedu:%d\\n",offse));\*/

//PEPROCESS pEprocess =  PsGetCurrentProcess();  
//KdPrint(("yxfzedu %s \\n", (UCHAR\*)pEprocess + 0x16c));  
// forward to the original NtOpenProcess saved by HookOpenProcess()
NTSTATUS status = ((pNtOpenProcess)g\_OpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes,ClientId);  
return status;  

}

// Install MyNtOpenProcess into the SSDT: save the current entry in g_OpenProcess, overwrite the
// slot, then restore write protection. Always returns STATUS_SUCCESS; the write is not verified.
// The slot index literal was lost in this listing.
// Review notes:
//  - The index is a hard-coded system-call number; SSDT indices differ between Windows builds,
//    so the wrong index silently hooks an unrelated service.
//  - Save and overwrite are two non-atomic writes, and PageProtectOFF() only masks interrupts
//    on the current CPU, so a caller on another CPU can call through the table mid-update.
//    Calling this twice saves MyNtOpenProcess itself into g_OpenProcess, after which UnHook()
//    cannot restore the original.
//  - The file's ULONG casts and `__asm` tie it to 32-bit x86; on 64-bit Windows, Kernel Patch
//    Protection bug-checks the system when the SSDT is modified.
//  - An SSDT entry that no longer points into ntoskrnl's image is exactly what integrity
//    checkers (and the commented-out dump loop below) reveal.
NTSTATUS HookOpenProcess() {
PageProtectOFF();
g_OpenProcess = KeServiceDescriptorTable.ServiceTableBase[];  // index lost in this listing
KeServiceDescriptorTable.ServiceTableBase[] = (ULONG)MyNtOpenProcess;  // index lost in this listing; 32-bit-only cast
PageProtectOn();
/*for (unsigned int i = 0; i < KeServiceDescriptorTable.NumberOfServices; i++)
{
KdPrint(("yxfzedu: 索引号【%d】函数地址=%X \n",i, KeServiceDescriptorTable.ServiceTableBase[i]));
}*/
return STATUS_SUCCESS;
}

// Restore the original NtOpenProcess entry saved by HookOpenProcess(). The slot index literal
// was lost in this listing.
// Review notes:
//  - Must only run after a successful HookOpenProcess(): otherwise g_OpenProcess is 0 and the
//    slot is set to 0.
//  - A thread already executing inside MyNtOpenProcess still returns through this driver's
//    code; unloading the driver immediately after this call is unsafe unless in-flight calls
//    have drained.
//  - Same per-CPU-only interrupt masking as HookOpenProcess; the write is not verified.
//  - The log message has no trailing newline.
VOID UnHook() {
PageProtectOFF();
KeServiceDescriptorTable.ServiceTableBase[] = g_OpenProcess;  // index lost in this listing
PageProtectOn();
KdPrint(("yxfzedu:HookOpenProcess 以还原!"));  // "HookOpenProcess restored"
}
