HoviDelphic 发表于 2010-5-29 02:12:17

[开源]驱动里挂起进程

既然有人问到,就把代码发出来吧,反正留着没用。。。
寻找PsSuspendProcess,然后调用这个函数就可以了。
主要代码:

/* Signature of the kernel routine PsSuspendProcess. Per the thread it is not
 * exported on the XP-era kernels this code targets, so the driver resolves
 * its address at runtime (GetPsSuspendProcess) and calls through a pointer. */
typedef NTSTATUS (*PSSUSPENDPROCESS)(PEPROCESS Process);
/* Call-through pointer; SuspendProcess() assigns it from AddressOfPsSuspendProcess. */
PSSUSPENDPROCESS MySuspendProcess;
/* Resolved address of PsSuspendProcess; stays 0 until GetPsSuspendProcess() succeeds. */
ULONG AddressOfPsSuspendProcess=0;
/* Resolve PsSuspendProcess by scanning the first page of NtSuspendProcess
 * instruction by instruction and taking the target of the second CALL
 * (opcode 0xE8). Stores the result in AddressOfPsSuspendProcess, or leaves
 * it at 0 on any failure.
 *
 * NOTE(review): this hard-codes the instruction layout of one ntoskrnl build
 * and the result is never validated (e.g. checked to lie inside the kernel
 * image), so on another build it may resolve to an unrelated routine —
 * confirm before calling through it. SizeOfCode is a length disassembler
 * defined elsewhere; the loop assumes it returns 0 when it cannot decode. */
VOID GetPsSuspendProcess()
{
UCHAR *cPtr, *pOpcode;
ULONG Length, CallCount=0;
ULONG AddressOfNtSuspendProcess=0;
/* GetSSDTRealAddr reads the table entry from the kernel file on disk, so a
 * modified in-memory SSDT does not redirect the scan. */
AddressOfNtSuspendProcess=GetSSDTRealAddr(GetSysCallIndex("NtSuspendProcess"));
if (AddressOfNtSuspendProcess==0) return;
/* Walk at most one page from the service entry. */
for (cPtr = (PUCHAR)AddressOfNtSuspendProcess; cPtr < (PUCHAR)AddressOfNtSuspendProcess + PAGE_SIZE; cPtr += Length)
{
Length = SizeOfCode(cPtr, &pOpcode);
if (!Length) return;   /* undecodable byte: give up rather than misparse */
if (*pOpcode == 0xE8)  /* CALL rel32 */
{
   CallCount=CallCount+1;
   if (CallCount==2)
   {
    /* Target of CALL rel32 = displacement + address of the next instruction (cPtr + 5). */
    AddressOfPsSuspendProcess=(*(PULONG)(pOpcode+1)+(ULONG)cPtr + 5);
    return;
   }
}
}
}

/* Suspend Process by calling the runtime-resolved PsSuspendProcess.
 * Resolution happens lazily on the first call; if it fails the function
 * silently does nothing (the callee's NTSTATUS is discarded either way). */
VOID SuspendProcess(PEPROCESS Process)
{
    if (AddressOfPsSuspendProcess == 0) {
        GetPsSuspendProcess();
    }
    /* Still unresolved: nothing safe to call. */
    if (AddressOfPsSuspendProcess == 0) {
        return;
    }
    MySuspendProcess = (PSSUSPENDPROCESS)AddressOfPsSuspendProcess;
    MySuspendProcess(Process);
}


顺便把ssdt.h也发出来吧(这个不是我写的)。。。

#include <NTDDK.H>

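/* One service table as referenced by the system service descriptor table. */
typedef struct _System_Service_Table {
    PVOID ServiceTableBase;          /* base of the service address array; GetSSDTRealAddr indexes it in 4-byte entries */
    PVOID ServiceCounterTableBase;
    ULONG NumberOfServices;          /* number of valid indices into ServiceTableBase */
    PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;

typedef struct _SERVICE_DESCRIPTOR_TABLE {
    SYSTEM_SERVICE_TABLE ntoskrnl;   /* ntoskrnl.exe (native api) */
    SYSTEM_SERVICE_TABLE win32k;     /* win32k.sys   (gdi/user) */
    SYSTEM_SERVICE_TABLE Table3;     /* not used */
    SYSTEM_SERVICE_TABLE Table4;     /* not used */
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

/* Declared as a pointer and dereferenced with -> in GetSSDTRealAddr.
 * NOTE(review): presumably relies on the linker's data-import indirection for
 * the exported symbol; verify against the build's link settings. */
extern PSYSTEM_SERVICE_TABLE KeServiceDescriptorTable;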

//------------------------------------函数------------------------------------------
/* Information classes for ZwQuerySystemInformation. The trailing "Q S"
 * columns are the original author's annotations (presumably query/set
 * support per class); this listing only uses SystemModuleInformation (11). */
typedef enum _SYSTEM_INFORMATION_CLASS   //    Q S
{
SystemBasicInformation,                // 00 Y N
SystemProcessorInformation,            // 01 Y N
SystemPerformanceInformation,          // 02 Y N
SystemTimeOfDayInformation,            // 03 Y N
SystemNotImplemented1,               // 04 Y N
SystemProcessesAndThreadsInformation,// 05 Y N
SystemCallCounts,                      // 06 Y N
SystemConfigurationInformation,      // 07 Y N
SystemProcessorTimes,                  // 08 Y N
SystemGlobalFlag,                      // 09 Y Y
SystemNotImplemented2,               // 10 Y N
SystemModuleInformation,               // 11 Y N
SystemLockInformation,               // 12 Y N
SystemNotImplemented3,               // 13 Y N
SystemNotImplemented4,               // 14 Y N
SystemNotImplemented5,               // 15 Y N
SystemHandleInformation,               // 16 Y N
SystemObjectInformation,               // 17 Y N
SystemPagefileInformation,             // 18 Y N
SystemInstructionEmulationCounts,      // 19 Y N
SystemInvalidInfoClass1,               // 20
SystemCacheInformation,                // 21 Y Y
SystemPoolTagInformation,            // 22 Y N
SystemProcessorStatistics,             // 23 Y N
SystemDpcInformation,                  // 24 Y Y
SystemNotImplemented6,               // 25 Y N
SystemLoadImage,                     // 26 N Y
SystemUnloadImage,                     // 27 N Y
SystemTimeAdjustment,                  // 28 Y Y
SystemNotImplemented7,               // 29 Y N
SystemNotImplemented8,               // 30 Y N
SystemNotImplemented9,               // 31 Y N
SystemCrashDumpInformation,            // 32 Y N
SystemExceptionInformation,            // 33 Y N
SystemCrashDumpStateInformation,       // 34 Y Y/N
SystemKernelDebuggerInformation,       // 35 Y N
SystemContextSwitchInformation,      // 36 Y N
SystemRegistryQuotaInformation,      // 37 Y Y
SystemLoadAndCallImage,                // 38 N Y
SystemPrioritySeparation,            // 39 N Y
SystemNotImplemented10,                // 40 Y N
SystemNotImplemented11,                // 41 Y N
SystemInvalidInfoClass2,               // 42
SystemInvalidInfoClass3,               // 43
SystemTimeZoneInformation,             // 44 Y N
SystemLookasideInformation,            // 45 Y N
SystemSetTimeSlipEvent,                // 46 N Y
SystemCreateSession,                   // 47 N Y
SystemDeleteSession,                   // 48 N Y
SystemInvalidInfoClass4,               // 49
SystemRangeStartInformation,         // 50 Y N
SystemVerifierInformation,             // 51 Y Y
SystemAddVerifier,                     // 52 N Y
SystemSessionProcessesInformation      // 53 Y N
} SYSTEM_INFORMATION_CLASS;
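/* One entry of the SystemModuleInformation list. */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG  Reserved;
    PVOID  Base;               /* The base address of the module. */
    ULONG  Size;               /* The size of the module. */
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;   /* offset of the bare file name inside ImageName (used by GetKernelBaseAddress) */
    CHAR   ImageName[256];     /* The file path of the module. The listing lost the array bound; 256 is the
                                * documented size of this field — confirm against the original header. */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Prototype for the ntoskrnl export; NTAPI matches the kernel's calling convention. */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/* Buffer layout returned for SystemModuleInformation. */
typedef struct _MODULE_LIST {
    ULONG NumberOfModules;
    SYSTEM_MODULE_INFORMATION SysModuleInfo[];   /* NumberOfModules entries; GetKernelBaseAddress reads entry 0 */
} MODULE_LIST, *PMODULE_LIST;

/* Declared but not used by any function in this listing. */
typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID EntryPoint;
    ULONG StackZeroBits;
    ULONG StackReserved;
    ULONG StackCommit;
    ULONG ImageSubsystem;
    WORD  SubsystemVersionLow;
    WORD  SubsystemVersionHigh;
    ULONG Unknown1;
    ULONG ImageCharacteristics;
    ULONG ImageMachineType;
    ULONG Unknown2;
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;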
/*NTSTATUS ZwCreateSection(
   OUT PHANDLE SectionHandle,
   INACCESS_MASK DesiredAccess,
   INPOBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
   INPLARGE_INTEGER MaximumSize OPTIONAL,
   INULONG SectionPageProtection,
   INULONG AllocationAttributes,
   INHANDLE FileHandle OPTIONAL);*/

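/* Return the load address of the first module reported by
 * SystemModuleInformation (taken to be the kernel image, as the original
 * assumes — verify for the target OS) and, if lpszModule is not NULL, write
 * its NT path "\SystemRoot\System32\" + file name there.
 *
 * lpszModule: output buffer or NULL. NOTE(review): there is no size parameter,
 * so the copy is unbounded; the caller must provide room for the 21-char prefix
 * plus the module's ImageName. The only caller in this listing is
 * GetSSDTRealAddr (szKernelPath).
 * Returns 0 if the module list cannot be obtained.
 */
ULONG GetKernelBaseAddress(OUT PCHAR lpszModule)
{
    NTSTATUS ntStatus;
    ULONG NeededSize = 0;
    ULONG KernelAddr = 0;
    PMODULE_LIST pModuleList;

    /* First call only asks for the required size (length 0: nothing is written
     * to the buffer argument). */
    ZwQuerySystemInformation(SystemModuleInformation, &NeededSize, 0, &NeededSize);
    if (NeededSize == 0) {
        return 0;
    }
    pModuleList = ExAllocatePool(NonPagedPool, NeededSize);
    if (pModuleList == NULL) {
        return 0;   /* the original dereferenced a NULL allocation */
    }

    ntStatus = ZwQuerySystemInformation(SystemModuleInformation, pModuleList, NeededSize, NULL);
    if (NT_SUCCESS(ntStatus) && pModuleList->NumberOfModules > 0)
    {
        PSYSTEM_MODULE_INFORMATION pKernel = &pModuleList->SysModuleInfo[0];
        KernelAddr = (ULONG)pKernel->Base;
        if (lpszModule)
        {
            strcpy(lpszModule, "\\SystemRoot\\System32\\");
            /* ModuleNameOffset skips the directory part of ImageName. Taking the
             * address of the field keeps this valid whatever ImageName's declared shape is. */
            strcat(lpszModule, (PCHAR)&pKernel->ImageName + pKernel->ModuleNameOffset);
        }
    }
    ExFreePool(pModuleList);
    return KernelAddr;
}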
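/* Translate a virtual address inside a mapped PE image to its raw file
 * offset, using the section headers of the in-memory image (original note:
 * "use the in-memory headers, it is faster").
 *
 * lpBase:         image base of the mapped module (must start with a DOS header).
 * VirtualAddress: absolute VA within that image.
 * Returns the file offset, or 0 if the headers are not a PE image or the
 * address falls outside every section's raw data. Callers treat 0 as
 * "not found" (GetSSDTRealAddr does).
 */
ULONG RVAToRaw(IN ULONG lpBase, IN ULONG VirtualAddress)
{
    IMAGE_DOS_HEADER     *pDosHeader = (IMAGE_DOS_HEADER *)lpBase;
    IMAGE_NT_HEADERS     *pNtHeader;
    IMAGE_SECTION_HEADER *pFirstSection;
    ULONG NumOfSections, i, Rva;

    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return 0;
    }
    pNtHeader = (IMAGE_NT_HEADERS *)((unsigned char *)lpBase + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
        return 0;   /* not a PE image; the original walked garbage section headers */
    }
    NumOfSections = pNtHeader->FileHeader.NumberOfSections;

    /* Section headers follow the optional header: Signature (ULONG) + file
     * header + SizeOfOptionalHeader. */
    pFirstSection = (IMAGE_SECTION_HEADER *)((ULONG)pNtHeader + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER)
                                             + pNtHeader->FileHeader.SizeOfOptionalHeader);
    Rva = VirtualAddress - lpBase;   /* absolute VA -> RVA */

    for (i = 0; i < NumOfSections; i++)
    {
        /* Index from the first header every time. The original advanced a
         * running pointer by i headers per iteration, which skipped sections
         * 2, 4, 5, ... */
        IMAGE_SECTION_HEADER *pSection = pFirstSection + i;

        /* >= so an address at the very start of a section is found too. */
        if (Rva >= pSection->VirtualAddress &&
            Rva <  pSection->VirtualAddress + pSection->SizeOfRawData)
        {
            return Rva - pSection->VirtualAddress + pSection->PointerToRawData;
        }
    }
    return 0;
}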
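/* Read entry Index of the native service table from the kernel image ON DISK
 * and relocate it to the running kernel, so a modified in-memory table does
 * not influence the result.
 *
 * Index: zero-based service number (see GetSysCallIndex).
 * Returns the relocated service address, or 0 on any failure (index out of
 * range, kernel image not found, file not readable).
 */
ULONG GetSSDTRealAddr(IN ULONG Index)
{
    NTSTATUS ntStatus;
    ULONG KernelVirtualBase, KernelImageBase, RealServiceAddress = 0;
    ULONG NumberOfServices, KiServiceTable, uSSDTRaw, KernelServiceTable = 0;
    /* Constructed bound: the listing lost the array size. Must hold
     * GetKernelBaseAddress's "\SystemRoot\System32\" prefix plus the module
     * file name, which that routine copies without a length check. */
    char szKernelPath[512];
    ANSI_STRING asFileName;
    UNICODE_STRING usFileName;
    OBJECT_ATTRIBUTES ObjAttr;
    IO_STATUS_BLOCK ioStatus;
    FILE_POSITION_INFORMATION FilePos;
    HANDLE hFile = NULL;

    NumberOfServices = KeServiceDescriptorTable->NumberOfServices;
    KiServiceTable   = (ULONG)KeServiceDescriptorTable->ServiceTableBase;
    if (Index >= NumberOfServices) {
        return 0;
    }

    szKernelPath[0] = '\0';
    KernelVirtualBase = GetKernelBaseAddress(szKernelPath);
    if (KernelVirtualBase == 0) {
        return 0;   /* the original dereferenced this unchecked */
    }
    /* Preferred load address from the optional header: the on-disk table holds
     * addresses relative to it, not to where the kernel actually loaded. */
    KernelImageBase = ((IMAGE_NT_HEADERS *)(KernelVirtualBase +
                       ((IMAGE_DOS_HEADER *)KernelVirtualBase)->e_lfanew))->OptionalHeader.ImageBase;

    uSSDTRaw = RVAToRaw(KernelVirtualBase, KiServiceTable + Index * 4);   /* file offset of the entry */
    if (uSSDTRaw == 0) {
        return 0;
    }

    RtlInitAnsiString(&asFileName, szKernelPath);
    ntStatus = RtlAnsiStringToUnicodeString(&usFileName, &asFileName, TRUE);
    if (!NT_SUCCESS(ntStatus)) {
        return 0;   /* nothing allocated; the original freed usFileName even on this path */
    }

    InitializeObjectAttributes(&ObjAttr, &usFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
    ntStatus = ZwOpenFile(&hFile, FILE_READ_DATA, &ObjAttr, &ioStatus,
                          FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                          FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(ntStatus) || hFile == NULL) {
        goto free_name;
    }

    FilePos.CurrentByteOffset.LowPart  = uSSDTRaw;
    FilePos.CurrentByteOffset.HighPart = 0;
    ntStatus = ZwSetInformationFile(hFile, &ioStatus, &FilePos, sizeof(FILE_POSITION_INFORMATION), FilePositionInformation);
    if (!NT_SUCCESS(ntStatus)) {
        goto close_file;
    }

    ntStatus = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, &KernelServiceTable, sizeof(ULONG), NULL, NULL);
    /* A short read would leave KernelServiceTable partly stale; require all 4 bytes. */
    if (NT_SUCCESS(ntStatus) && ioStatus.Information == sizeof(ULONG))
    {
        RealServiceAddress = KernelServiceTable - KernelImageBase + KernelVirtualBase;
    }

close_file:
    ZwClose(hFile);
free_name:
    RtlFreeUnicodeString(&usFileName);   /* pairs with AllocateDestinationString = TRUE above */
    return RealServiceAddress;
}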

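/* Map the file pDllName as an image section in the current process and look
 * up lpFunctionName in its export table.
 *
 * Returns the address of the export INSIDE THE MAPPED VIEW (not in any
 * process's loaded copy of the DLL), or 0 if the file cannot be mapped, has
 * no export table, or the name is not exported.
 *
 * NOTE(review): the view is deliberately left mapped, because the caller
 * (GetSysCallIndex) reads instruction bytes through the returned address;
 * every call therefore leaks one mapping in the calling process — TODO
 * restructure so the caller unmaps. Name comparison is case-insensitive as in
 * the original, although export names are case-sensitive.
 */
ULONG GetExportFuncAddr(IN PCHAR lpFunctionName, IN PUNICODE_STRING pDllName)
{
    NTSTATUS ntStatus;
    HANDLE hSection = NULL, hFile = NULL;
    PBYTE hMod;
    PIMAGE_DOS_HEADER       pDosHeader;
    PIMAGE_OPTIONAL_HEADER  pOptHeader;
    PIMAGE_EXPORT_DIRECTORY pExportTable;
    PULONG  arrayOfFuncAddr, arrayOfFuncNames;
    PUSHORT arrayOfFuncOrdinals;
    ULONG i, ExportRva, FuncAddr = 0;
    STRING ntFuncName, ntFuncNameSearch;
    PVOID BaseAddress = NULL;
    SIZE_T size = 0;
    OBJECT_ATTRIBUTES ObjAttr;
    IO_STATUS_BLOCK IoStatusBlock;

    InitializeObjectAttributes(&ObjAttr, pDllName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    ntStatus = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &ObjAttr, &IoStatusBlock,
                          FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(ntStatus)) {
        return 0;   /* the original went on with an uninitialized hFile */
    }

    /* Reuse the attributes without a name: the section is backed by hFile. */
    ObjAttr.ObjectName = NULL;
    ntStatus = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &ObjAttr, 0, PAGE_EXECUTE,
                               0x1000000 /* SEC_IMAGE */, hFile);
    if (!NT_SUCCESS(ntStatus)) {
        ZwClose(hFile);
        return 0;
    }
    ntStatus = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size,
                                  (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
    ZwClose(hFile);   /* the section keeps its own reference to the file */
    if (!NT_SUCCESS(ntStatus) || BaseAddress == NULL) {
        goto done;
    }

    hMod = (PBYTE)BaseAddress;
    pDosHeader = (PIMAGE_DOS_HEADER)hMod;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        goto done;
    }
    /* Optional header follows Signature (ULONG) + IMAGE_FILE_HEADER (the original's literal 24). */
    pOptHeader = (PIMAGE_OPTIONAL_HEADER)(hMod + pDosHeader->e_lfanew + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER));
    ExportRva = pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (ExportRva == 0) {
        goto done;   /* no export table */
    }
    pExportTable        = (PIMAGE_EXPORT_DIRECTORY)(hMod + ExportRva);
    arrayOfFuncAddr     = (PULONG)(hMod + pExportTable->AddressOfFunctions);
    arrayOfFuncNames    = (PULONG)(hMod + pExportTable->AddressOfNames);
    arrayOfFuncOrdinals = (PUSHORT)(hMod + pExportTable->AddressOfNameOrdinals);

    RtlInitString(&ntFuncNameSearch, lpFunctionName);
    /* Iterate NumberOfNames, not NumberOfFunctions: only named exports have
     * entries in the name and name-ordinal arrays. */
    for (i = 0; i < pExportTable->NumberOfNames; i++)
    {
        USHORT Ordinal;

        RtlInitString(&ntFuncName, (PCHAR)(hMod + arrayOfFuncNames[i]));
        if (RtlCompareString(&ntFuncName, &ntFuncNameSearch, TRUE) != 0) {
            continue;
        }
        /* The address array is indexed by the unbiased name ordinal, not by the
         * position in the name array (the original used the name index). */
        Ordinal = arrayOfFuncOrdinals[i];
        if (Ordinal < pExportTable->NumberOfFunctions) {
            FuncAddr = (ULONG)(hMod + arrayOfFuncAddr[Ordinal]);
        }
        break;
    }

done:
    ZwClose(hSection);
    return FuncAddr;
}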

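/* Return the system-service number that ntdll's stub for FuncName loads into
 * eax, or (ULONG)-1 if the export cannot be found or the stub does not start
 * with "mov eax, imm32". The only caller here (GetSSDTRealAddr) rejects an
 * out-of-range index, so the sentinel is safe to pass through; the original
 * dereferenced FuncAddr + 1 even when the lookup had returned 0.
 * 32-bit x86 stubs only.
 */
ULONG GetSysCallIndex(PCHAR FuncName)
{
    UNICODE_STRING usDllName;
    ULONG FuncAddr;
    ULONG SysCallIndex;

    RtlInitUnicodeString(&usDllName, L"\\SystemRoot\\System32\\ntdll.dll");
    FuncAddr = GetExportFuncAddr(FuncName, &usDllName);
    if (FuncAddr == 0) {
        return (ULONG)-1;
    }
    /* 0xB8 = mov eax, imm32; anything else means the stub shape is not the one
     * this parser understands. */
    if (*(PUCHAR)FuncAddr != 0xB8) {
        return (ULONG)-1;
    }
    /* Read the whole imm32; the original read a signed 16-bit value. */
    SysCallIndex = *(PULONG)(FuncAddr + 1);
    return SysCallIndex;
}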

至于效果,就自己测试吧。。。

本网站最菜的人 发表于 2010-5-29 22:07:34

本网站最菜的人 发表于 2010-5-29 22:11:46

Tesla.Angela 发表于 2010-5-30 00:31:00

沙发 + 膜拜 + 学习,感谢TA神牛为我们菜鸟提供代码
貌似只有XP以上才可以用
本网站最菜的人 发表于 2010-5-29 22:07 http://www.m5home.com/bbs/images/common/back.gif


  这不是废话吗,XP以前根本没有NtSuspendProcess。
  另外到了NT6也不用这么干了,PsSuspendProcess直接被ntosxxxx.exe导出。

364589886 发表于 2010-6-27 11:45:09

貌似我不太喜欢这种邪门功夫。。。。。又或者是我不太喜欢带有inlinehook风格的代码

364589886 发表于 2010-6-27 11:46:00

挂起进程的话,最好另寻它途

364589886 发表于 2010-6-27 11:47:47

比如模拟KeWaitForSingleObject的做法
又或者模拟进程管理器的做法,将进程的执行时间片改为0得了

kxgsmk99 发表于 2012-2-19 15:35:29

好东西啊佩服一定好好学习

siuwai 发表于 2012-7-29 09:54:06

win7可以使用吗?

kk1025 发表于 2013-4-8 16:20:42

好東西! 看看!

wangmin1944 发表于 2014-1-17 17:17:26

囧rz12 发表于 2014-2-4 13:39:24

有没有哪位仁兄愿意把SYS文件发给我 好用VB调用哈

囧rz12 发表于 2014-2-4 13:40:03

有没有哪位仁兄愿意把SYS文件发给我 好用VB调用哈