//这些代码到是抄TA大神的
其他 3 个函数的 HOOK 没问题，只有 NtUserBuildHwndList 有问题：调用原函数时返回 0xC0000008 或 0xC0000023。
代码：
// Replacement (hook) function that is installed in place of NtUserBuildHwndList
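/*
 * Hook for win32k!NtUserBuildHwndList (7 parameters on x64: 4 in registers,
 * 3 copied from the caller's stack by the syscall dispatcher).
 *
 * The hook is a pure pass-through: it logs the arguments, forwards them
 * unchanged to the saved original (g_NtUserBuildHwndList) and returns the
 * original's status.
 *
 * Security note: phwndFirst and pcHwndNeeded are caller-supplied (user-mode)
 * pointers. They are deliberately never dereferenced here; only the original
 * routine, which probes them, touches that memory. Keep it that way.
 *
 * Troubleshooting note: because this function does not change any argument,
 * a failure status coming back from the original (e.g. 0xC0000008 /
 * 0xC0000023, as observed) almost certainly means the dispatcher handed over
 * garbage for the stack-passed arguments (cHwndMax, phwndFirst,
 * pcHwndNeeded). That happens when the shadow-SSDT entry was rewritten
 * without preserving its low nibble, which on x64 encodes how many
 * arguments the dispatcher must copy from the user stack. Check the code
 * that writes the table entry.
 *
 * Returns: the NTSTATUS produced by the original NtUserBuildHwndList.
 */
NTSTATUS NtUserBuildHwndListHook(
    HDESK hdesk,
    HWND hwndNext,
    ULONG fEnumChildren,
    DWORD idThread,
    UINT cHwndMax,
    HWND *phwndFirst,
    ULONG *pcHwndNeeded)
{
    NTSTATUS status;

    /* Format specifiers match the argument widths: %p for pointers,
     * %lx/%x for the 32-bit ULONG/DWORD/UINT values (the original used
     * %llx for everything, which is a width mismatch for the 32-bit args). */
    DbgPrint("NTUSERBUILDHWNDLISTHook: %p %p %lx %lx %x %p %p %p\n",
             hdesk, hwndNext, fEnumChildren, idThread, cHwndMax,
             phwndFirst, pcHwndNeeded, g_NtUserBuildHwndList);

    /* Forward to the real NtUserBuildHwndList with every argument untouched. */
    status = g_NtUserBuildHwndList(hdesk,
                                   hwndNext,
                                   fEnumChildren,
                                   idThread,
                                   cHwndMax,
                                   phwndFirst,
                                   pcHwndNeeded);

    /* NTSTATUS is a 32-bit LONG; log it as such. */
    DbgPrint("NTUSERBUILDHWNDLISTHook: %lx %p\n", status, hdesk);
    return status;
}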
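/*
 * Redirect one entry of the shadow service table (win32k table) so that
 * system service `Index` dispatches to `Address`.
 *
 * On x64 a service table entry is a 32-bit value: the upper 28 bits hold
 * (target - ServiceTableBase) and the low 4 bits hold the number of
 * arguments the dispatcher must copy from the user-mode stack (arguments
 * beyond the 4 passed in registers).
 *
 * BUG FIX: the original code stored `(Address - base) << 4`, which zeroes
 * the low nibble. Services with at most 4 parameters survive that (their
 * nibble is already 0), but NtUserBuildHwndList takes 7, so its nibble is
 * non-zero; wiping it makes the dispatcher skip copying the stack arguments
 * and the original routine then sees garbage for cHwndMax/phwndFirst/
 * pcHwndNeeded - consistent with the 0xC0000008 / 0xC0000023 failures
 * reported. The low nibble of the existing entry is now preserved.
 *
 * Caveats (not changed here):
 *  - `Index` is used as a raw index into the win32k table with no bound
 *    check; the caller must pass the table-relative index (the visible
 *    struct does not expose a service count to check against).
 *  - Only 28 signed bits of offset fit; if `Address` is further than that
 *    from the table base the entry is left untouched and an error is logged.
 *  - The write is done with CR0.WP cleared via WPOFFx64(); this is a
 *    PatchGuard-visible modification and is not synchronized against other
 *    CPUs dispatching the same service. The 4-byte store itself is a single
 *    aligned write.
 *
 * Index:   table-relative service index of the entry to redirect.
 * Address: absolute address of the new handler (a trampoline reachable
 *          from the table base).
 */
VOID ModifySSSDT(ULONG64 Index, ULONG64 Address)
{
    ULONGLONG W32pServiceTable = 0, qwTemp = 0;
    LONG64 offset = 0;
    LONG oldEntry = 0;
    LONG newEntry = 0;
    PSYSTEM_SERVICE_TABLE pWin32k;
    KIRQL irql;

    DbgPrint("ModifySSSDTAddress: %llx %llx", Address, Index);

    /* KeServiceDescriptorTableShadow[1] is the win32k (shadow) table. */
    pWin32k = (PSYSTEM_SERVICE_TABLE)((ULONG64)KeServiceDescriptorTableShadow + sizeof(SYSTEM_SERVICE_TABLE));
    W32pServiceTable = (ULONGLONG)(pWin32k->ServiceTableBase);

    /* Entries are 4 bytes wide on x64. */
    qwTemp = W32pServiceTable + 4 * Index;

    /* Offset must fit in the 28 bits left after the 4-bit argument nibble. */
    offset = (LONG64)(Address - W32pServiceTable);
    if (offset < -(1LL << 27) || offset > ((1LL << 27) - 1)) {
        DbgPrint("ModifySSSDTAddress: target %llx out of 28-bit range from table base %llx, entry not patched",
                 Address, W32pServiceTable);
        return;
    }

    /* Keep the dispatcher's stack-argument count from the existing entry. */
    oldEntry = *(PLONG)qwTemp;
    newEntry = (LONG)((((ULONG)(LONG)offset) << 4) | ((ULONG)oldEntry & 0xF));

    DbgPrint("ModifySSSDTAddress: old %lx new %lx at %llx", oldEntry, newEntry, qwTemp);

    irql = WPOFFx64();
    *(PLONG)qwTemp = newEntry;
    WPONx64(irql);
}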
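/*
 * Install a shadow-SSDT hook for service `Index`:
 *   1. write a 14-byte absolute jump (`jmp qword ptr [rip+0]` followed by
 *      the 8-byte target) at X_hookAddress, so control transfers to MyFun;
 *   2. point the service table entry at X_hookAddress (the table encoding
 *      only allows a 28-bit offset from the table base, so X_hookAddress
 *      must be near the table while MyFun can be anywhere).
 *
 * The trampoline is written before the table is redirected, so the table
 * never points at unpatched bytes.
 *
 * Caveats (not addressed here, kept from the original design):
 *  - The 14-byte memcpy is not atomic. If X_hookAddress overlaps code that
 *    another CPU may be executing at that moment (e.g. a code cave inside a
 *    live image - the caller chooses the location, so this cannot be
 *    verified here), that CPU can run a half-written instruction.
 *  - Writes are performed with CR0.WP cleared by WPOFFx64(); whether that
 *    helper also masks interrupts / raises IRQL to prevent preemption or
 *    migration while WP is off is not visible from this file.
 *  - Patching kernel code and the shadow SSDT is detected by PatchGuard on
 *    x64.
 *
 * X_hookAddress: writable, executable kernel address that receives the
 *                14-byte trampoline.
 * Index:         table-relative service index to redirect.
 * MyFun:         absolute address of the replacement routine.
 */
VOID HOOK_SSdtFun(ULONG64 X_hookAddress, ULONG64 Index, ULONGLONG MyFun)
{
    KIRQL irql;
    ULONG64 target = MyFun;
    /* FF 25 00000000 = jmp qword ptr [rip+0]; the 8 bytes that follow are the
     * absolute target and are filled in below (0x90 placeholders). */
    UCHAR jmp_code[14] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,
                           0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

    DbgPrint("HOOK_SSSDTmyfun: %llx", target);

    /* Patch the jump target into the trampoline. */
    memcpy(jmp_code + 6, &target, sizeof(target));

    irql = WPOFFx64();
    memcpy((PVOID)X_hookAddress, jmp_code, sizeof(jmp_code));
    WPONx64(irql);

    /* The original printed jmp_code with %s; it is machine code, not a C
     * string (it contains NUL bytes at offset 2), so log the addresses instead. */
    DbgPrint("HOOK_SSSDTmyfun: trampoline at %llx -> %llx", X_hookAddress, target);

    /* Now that the trampoline is in place, redirect the table entry to it. */
    ModifySSSDT(Index, X_hookAddress);
    DbgPrint("HOOK_SSSDT OK!");
}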