- #include <NTDDK.h>
/* Address MmGetSystemRoutineAddress returns for "NtOpenProcess"; set in DriverEntry. */
ULONG TestFunctionAddr=0;
/* TestFunctionAddr + 5: the patch site that StartInLineHook writes the jmp to and
 * DriverUnload later restores. A pointer stored in a ULONG, so 32-bit only. */
ULONG TestFunctionAddrNew=0;
/* Bytes DriverUnload writes back over the patch site. Hard-coded rather than saved
 * from memory before patching; 0x68 is the x86 PUSH imm32 opcode, so this is
 * presumably the original "push 0C4h" found at NtOpenProcess+5 on the author's
 * kernel build, and wrong for any other build. */
UCHAR SoureCode[5]={0x68,0xc4,0x00,0x00,0x00};
/*
 * Clears CR0.WP (bit 16, the 10000h mask below) so that the read-only kernel
 * code page containing the patch site can be written by RtlCopyMemory in
 * StartInLineHook and DriverUnload. MSVC x86 inline assembly; 32-bit only.
 *
 * cli disables interrupts on the current processor only, and CR0 is likewise
 * per-processor; nothing here coordinates with other processors that may be
 * executing the patched function while the write is in progress. EFLAGS is not
 * saved, so WPON's sti re-enables interrupts unconditionally.
 */
VOID WPOFF(VOID)
{
    __asm
    {
        cli
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }
}
/*
 * Counterpart of WPOFF: sets CR0.WP (bit 16) again and re-enables interrupts.
 * sti is unconditional — WPOFF did not save EFLAGS — so interrupts are enabled
 * on return even if the caller had them disabled before calling WPOFF.
 */
VOID WPON(VOID)
{
    __asm
    {
        mov eax,cr0
        or eax,10000h
        mov cr0,eax
        sti
    }
}
/*
 * Emits a debug-output marker. Reached only from the inline asm in
 * MyNtOpenProcess (`call MyFunction`), i.e. once per pass through the patched
 * NtOpenProcess entry. No parameters, no return value, no other side effects.
 */
VOID MyFunction(VOID)
{
    KdPrint(("NtOpenProcessing"));
}
/*
 * Detour that the jmp written by StartInLineHook lands on. Declared naked, so
 * the compiler emits no prologue/epilogue; the parameter list mirrors
 * NtOpenProcess's signature only so the declaration is a drop-in — none of the
 * parameters is referenced in the body.
 *
 *   PUSH 0x4130D8        hard-coded immediate. Presumably re-executes the
 *                        instruction the 5-byte jmp overwrote at NtOpenProcess+5
 *                        on the author's kernel build. It does not match
 *                        SoureCode (push 0C4h), which DriverUnload writes back,
 *                        so at least one of the two is wrong for any given build.
 *   call MyFunction      debug print; no registers or flags are saved/restored
 *                        around the call.
 *   mov eax,TestFunctionAddrNew
 *   add eax,5
 *   jmp eax              resume at NtOpenProcess+10, just past the patched bytes.
 *
 * Control leaves through the final jmp, never through a C return, so the
 * NTSTATUS return type is nominal.
 */
NTSTATUS _declspec(naked) MyNtOpenProcess( OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL )
{
    __asm
    {
        PUSH 0x4130D8
        call MyFunction
        mov eax,TestFunctionAddrNew
        add eax,5
        jmp eax
    }
}
/*
 * Installs the inline hook: writes a 5-byte relative jmp (E9 rel32) to
 * MyNtOpenProcess over the bytes at TestFunctionAddrNew, inside a WPOFF/WPON
 * window. Called from DriverEntry after TestFunctionAddrNew has been set.
 *
 * Review notes (risk, not changed here):
 *  - The guard below tests for 0, but DriverEntry stores TestFunctionAddr+5,
 *    so a failed MmGetSystemRoutineAddress (NULL) leaves the value at 5 and the
 *    guard does not fire; the write then targets address 5.
 *  - The 5-byte RtlCopyMemory is not atomic and nothing coordinates with other
 *    processors; a processor executing NtOpenProcess during the write can see a
 *    partially patched instruction stream.
 *  - The bytes being overwritten are never compared against SoureCode, so on a
 *    kernel build other than the one this was written for the jmp may split an
 *    instruction, and DriverUnload later restores the wrong bytes.
 *  - Address arithmetic goes through ULONG/PCHAR casts: 32-bit only.
 */
VOID StartInLineHook()
{
    ULONG JmpOffset;
    /* E9 rel32; the displacement is filled in below. */
    UCHAR JmpCode[5]={0xe9,0x00,0x00,0x00,0x00};
    if (TestFunctionAddrNew==0)
    {
        KdPrint(("函数地址未找到"));   /* "function address not found" */
        return;
    }
    /* "address of NtOpenProcess is" — note this is the entry + 5, not the entry. */
    KdPrint(("NtOpenProcess的地址是:%08X",TestFunctionAddrNew));
    /* "address of MyNtOpenProcess is" — a function pointer is passed for %08X. */
    KdPrint(("MyNtOpenProcess的地址是:%08X",MyNtOpenProcess));
    /* rel32 is relative to the end of the 5-byte jmp, hence the -5. */
    JmpOffset=(PCHAR)MyNtOpenProcess-(PCHAR)TestFunctionAddrNew-5;
    KdPrint(("JmpOffset的值是:%08X",JmpOffset));   /* "value of JmpOffset is" */
    RtlCopyMemory(JmpCode+1,&JmpOffset,4);
    WPOFF();
    RtlCopyMemory((PVOID)TestFunctionAddrNew,(PVOID)JmpCode,5);
    WPON();
}
/*
 * Unload callback registered in DriverEntry. Writes the hard-coded SoureCode
 * bytes back over TestFunctionAddrNew (no copy of the original bytes was taken
 * before patching) inside the same WPOFF/WPON window StartInLineHook uses, then
 * prints. Same non-atomic write as the install path, and unlike StartInLineHook
 * there is no check at all that the patch site is valid or that the hook was
 * ever installed. Nothing waits for threads that may still be executing inside
 * MyNtOpenProcess when the driver image is unmapped. pDriverObject is unused.
 */
VOID DriverUnload (PDRIVER_OBJECT pDriverObject)
{
    WPOFF();
    RtlCopyMemory((PVOID)TestFunctionAddrNew,SoureCode,5);
    WPON();
    /* "inline hook restored!!! / driver service unloaded" */
    KdPrint(("InLine HOOK已恢复!!!\n驱动服务已卸载\n"));
}
/*
 * Driver entry point. Resolves "NtOpenProcess" via MmGetSystemRoutineAddress,
 * records that address + 5 as the patch site, registers DriverUnload and calls
 * StartInLineHook. Always returns STATUS_SUCCESS, even when the lookup returned
 * NULL — TestFunctionAddrNew is then 5, which StartInLineHook's zero check does
 * not catch. pRegistryPath is unused.
 *
 * The (ULONG) cast truncates the pointer on 64-bit targets; together with the
 * inline asm elsewhere in the file this is x86-only. The +0x5 offset is
 * hard-coded and presumably matches an instruction boundary in the author's
 * kernel build only.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
    UNICODE_STRING FunctionName;
    KdPrint(("进入驱动入口\n"));   /* "entered driver entry" */
    pDriverObject->DriverUnload =DriverUnload;
    RtlInitUnicodeString(&FunctionName,L"NtOpenProcess");
    TestFunctionAddr=(ULONG)MmGetSystemRoutineAddress(&FunctionName);
    TestFunctionAddrNew=TestFunctionAddr+0x5;
    /* Both lines carry the same label "NtOpenProcessDE的地址是" ("address of
     * NtOpenProcessDE is"); the first prints the function entry, the second the
     * patch site (entry + 5). */
    KdPrint(("NtOpenProcessDE的地址是:%08X",TestFunctionAddr));
    KdPrint(("NtOpenProcessDE的地址是:%08X",TestFunctionAddrNew));
    StartInLineHook();
    return STATUS_SUCCESS;
}