[驱动开发]HookOpenProcess
2018-11-17 流沙团


完整代码如下，直接看代码即可（x86 SSDT hook 示例，带驱动卸载时的还原逻辑）。







#include <ntddk.h>

#pragma pack(1)
/* Shape of the kernel's KeServiceDescriptorTable entry as this driver uses it.
 * 32-bit x86 only: ServiceTableBase is indexed as an array of 4-byte absolute
 * handler addresses (see HookOpenProcess / ListSSDT), which does not match the
 * relative-offset encoding used by 64-bit kernels. */
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase; /* NumberOfServices handler addresses, indexed by service number */
unsigned int *ServiceCounterTableBase; /* only populated on checked builds */
unsigned int NumberOfServices; /* number of valid entries in ServiceTableBase */
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

// The kernel's exported SSDT descriptor; resolved through ntoskrnl's import library.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;


// Address of the original NtOpenProcess, saved by HookOpenProcess (zero until
// then). MyOpenProcess chains to it and UnHookOpenProcess writes it back.
unsigned int g_ntOpenProcess;

// Forward declaration of the lookup routine MyOpenProcess uses. On success the
// returned EPROCESS is referenced and must be released with ObDereferenceObject.
NTSTATUS
PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);

/* Re-enable kernel write protection (CR0.WP, bit 16) on the current CPU and then
 * re-enable interrupts. Pairs with PageProtectOff. The CR0 write deliberately
 * comes before `sti` so the SSDT page is read-only again before anything else
 * can run on this CPU.
 * NOTE(review): `sti` is unconditional -- interrupts are enabled on return even if
 * they were already disabled before PageProtectOff ran. MSVC x86-32 inline asm only. */
void PageProtectOn()
{
__asm{// restore memory write protection
mov eax, cr0
or eax, 10000h   // set CR0.WP
mov cr0, eax
sti              // interrupts back on (see note above)
}
}

/* Disable interrupts on the current CPU, then clear CR0.WP so supervisor-mode
 * writes to read-only pages (the SSDT) succeed. Everything between this call and
 * PageProtectOn runs with interrupts off on this CPU, so keep that window to the
 * single table write and do not call anything that may block or page.
 * NOTE(review): CR0 is per-CPU; this only affects the CPU doing the write, which is
 * sufficient for the write itself but gives no protection against other CPUs
 * executing the hooked slot concurrently. MSVC x86-32 inline asm only. */
void PageProtectOff()
{
__asm{// remove memory write protection
cli              // no interrupts while WP is clear
mov eax, cr0
and eax, not 10000h   // clear CR0.WP
mov cr0, eax
}
}

// Signature of NtOpenProcess; used to call through to the saved original
// address in g_ntOpenProcess from MyOpenProcess.
typedef NTSTATUS (*NEWNTOPENPROCESS)(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
);

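/* Undocumented but exported by ntoskrnl: returns a pointer to the EPROCESS
 * image-file-name field. This replaces the hard-coded 0x174 offset the original
 * code used, which is only valid for the one kernel build it was taken from and
 * silently reads garbage (or faults) on any other. */
PCHAR
NTAPI
PsGetProcessImageFileName(
IN PEPROCESS Process
);

/* Upper bound for the image-name comparison. NOTE(review): the EPROCESS field is
 * commonly documented as 16 bytes and not guaranteed NUL-terminated for long
 * names -- confirm for the target build. */
#define PROCESS_IMAGE_NAME_LEN 16

/*
 * Replacement for NtOpenProcess, installed in the SSDT by HookOpenProcess.
 *
 * Denies any attempt by another process to open "Test.exe" and otherwise
 * forwards the call unchanged to the original NtOpenProcess saved in
 * g_ntOpenProcess.
 *
 * ProcessHandle / DesiredAccess / ObjectAttributes / ClientId: exactly the
 * NtOpenProcess parameters; ClientId is optional.
 * Returns STATUS_UNSUCCESSFUL when the open is denied (STATUS_ACCESS_DENIED would
 * be the more conventional code), the error from PsLookupProcessByProcessId when
 * the PID cannot be resolved, the SEH exception code when a user-mode ClientId is
 * unreadable, or whatever the original NtOpenProcess returns.
 *
 * Fixes versus the original: ClientId == NULL was dereferenced; a zero PID
 * returned STATUS_SUCCESS without ever writing ProcessHandle; the EPROCESS
 * reference was released on the failed-lookup path (where none was taken) and
 * leaked on the deny path; the comparison was case-sensitive so "test.exe" slipped
 * past the filter; the PID was printed with %d.
 *
 * NOTE(review): because this runs before the real NtOpenProcess, ClientId is still
 * an unvalidated user-mode pointer. It is probed under SEH here, but the original
 * re-reads it afterwards, so a caller that changes UniqueProcess between the two
 * reads (double fetch) can still bypass the filter. That cannot be closed from an
 * SSDT hook; a process-open filter belongs in ObRegisterCallbacks on kernels that
 * have it.
 */
NTSTATUS
MyOpenProcess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
    PEPROCESS process_obj = NULL;
    NTSTATUS Status;
    HANDLE targetPid = NULL;

    // Optional parameter: an open by name carries no CLIENT_ID. Nothing to
    // filter on, so hand the call straight to the original.
    if (ClientId == NULL)
    {
        return ((NEWNTOPENPROCESS)g_ntOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    }

    // Capture the PID once. For a user-mode caller the pointer is untrusted:
    // probe it and read under SEH so a bad address fails the call instead of
    // bugchecking the machine.
    if (ExGetPreviousMode() == UserMode)
    {
        __try
        {
            ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG));
            targetPid = ClientId->UniqueProcess;
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            return GetExceptionCode();
        }
    }
    else
    {
        targetPid = ClientId->UniqueProcess;
    }

    // A zero PID is not something we protect. Let the original decide what to
    // do with it; it either fills ProcessHandle or returns a real error, which
    // the old "return STATUS_SUCCESS" path never did.
    if (targetPid == NULL)
    {
        return ((NEWNTOPENPROCESS)g_ntOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    }

    Status = PsLookupProcessByProcessId(targetPid, &process_obj);
    if (!NT_SUCCESS(Status))
    {
        // No reference was taken on failure, so there is nothing to release.
        DbgPrint("PsLookupProcessByProcessId Error -- %#X", Status);
        return Status;
    }

    // Deny opens of the protected image by anyone other than itself. The
    // comparison is case-insensitive because image names are, and a process
    // opening its own handle is a normal operation that must keep working.
    if (process_obj != PsGetCurrentProcess()
        && _strnicmp(PsGetProcessImageFileName(process_obj), "Test.exe", PROCESS_IMAGE_NAME_LEN) == 0)
    {
        // Log who tried to open the protected process.
        DbgPrint("Process Name: %s -- %p", PsGetProcessImageFileName(PsGetCurrentProcess()), targetPid);
        ObDereferenceObject(process_obj);   // this reference was leaked before
        return STATUS_UNSUCCESSFUL;
    }

    ObDereferenceObject(process_obj);
    return ((NEWNTOPENPROCESS)g_ntOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}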


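/*
 * Install MyOpenProcess in the SSDT slot used for NtOpenProcess.
 *
 * Returns STATUS_SUCCESS when the hook is in place (including when it already
 * was), or STATUS_INVALID_PARAMETER when the service index lies beyond the table
 * the running kernel exposes.
 *
 * Fixes versus the original: no bounds check against NumberOfServices, and a
 * second call overwrote g_ntOpenProcess with MyOpenProcess itself, after which
 * every NtOpenProcess call recursed forever.
 *
 * NOTE(review): index 122 is tied to one particular kernel build -- the SSDT
 * ordering changes between Windows versions, so verify it (e.g. against the
 * NtOpenProcess stub in ntdll) before loading on anything else. Patching the
 * SSDT is only possible on 32-bit kernels; on x64 the table is not writable this
 * way and PatchGuard bugchecks on modification.
 */
NTSTATUS HookOpenProcess()
{
    const unsigned int index = 122;   // NtOpenProcess service number on the targeted build

    // Refuse to write past the end of the table on a kernel with a shorter SSDT.
    if (index >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("HookOpenProcess: index %u out of range (%u services)", index, KeServiceDescriptorTable.NumberOfServices);
        return STATUS_INVALID_PARAMETER;
    }

    // Already hooked: leave g_ntOpenProcess alone, it still holds the original.
    if (KeServiceDescriptorTable.ServiceTableBase[index] == (unsigned int)MyOpenProcess)
    {
        return STATUS_SUCCESS;
    }

    // Save the original BEFORE the slot is swapped: another CPU may enter
    // MyOpenProcess the instant the new address is visible and chain through
    // g_ntOpenProcess.
    g_ntOpenProcess = KeServiceDescriptorTable.ServiceTableBase[index];

    PageProtectOff();
    KeServiceDescriptorTable.ServiceTableBase[index] = (unsigned int)MyOpenProcess;
    PageProtectOn();

    return STATUS_SUCCESS;
}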

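/*
 * Restore the original NtOpenProcess address in the SSDT.
 *
 * Does nothing when HookOpenProcess never ran (g_ntOpenProcess is still zero):
 * the original code wrote that zero into the table, so every subsequent
 * NtOpenProcess call would have jumped to address 0. Also skips the write when
 * the index is beyond the table.
 *
 * NOTE(review): if something else hooked the same slot after us, writing our
 * saved value removes it too; this is logged but still done, because leaving
 * MyOpenProcess in the table while this driver unloads is worse. A thread that is
 * already inside MyOpenProcess when the driver image is unmapped is a known
 * hazard of this technique and is not handled here.
 */
VOID UnHookOpenProcess()
{
    const unsigned int index = 122;   // must match HookOpenProcess

    if (g_ntOpenProcess == 0 || index >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("UnHookOpenProcess: nothing to restore");
        return;
    }

    if (KeServiceDescriptorTable.ServiceTableBase[index] != (unsigned int)MyOpenProcess)
    {
        DbgPrint("UnHookOpenProcess: slot %u no longer holds MyOpenProcess, restoring anyway", index);
    }

    PageProtectOff();
    KeServiceDescriptorTable.ServiceTableBase[index] = (unsigned int)g_ntOpenProcess;
    PageProtectOn();
}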


/* Diagnostic helper: print every SSDT entry (index and handler address) to the
 * kernel debugger, e.g. to locate the service number HookOpenProcess needs. */
VOID ListSSDT()
{
    unsigned int count = KeServiceDescriptorTable.NumberOfServices;
    unsigned int idx;

    for (idx = 0; idx < count; ++idx)
    {
        DbgPrint("List ssdt -- %d -- %#X", idx, KeServiceDescriptorTable.ServiceTableBase[idx]);
    }
}


/* Unload routine registered in DriverEntry: take the hook back out of the SSDT
 * before the driver image goes away, then log. */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    UnHookOpenProcess();
    DbgPrint("DriverUnload");
}



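/*
 * Driver entry point: register the unload routine and install the
 * NtOpenProcess hook.
 *
 * Returns the status of HookOpenProcess. The original always returned
 * STATUS_SUCCESS, which would have left a driver loaded whose hook never went in;
 * on failure nothing was patched, so there is nothing to undo and the loader can
 * simply discard the driver.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    pDriverObject->DriverUnload = DriverUnload;
    DbgPrint("DriverEntry");

    // Uncomment to dump the table when looking for the right service index.
    //ListSSDT();

    status = HookOpenProcess();
    if (!NT_SUCCESS(status))
    {
        DbgPrint("HookOpenProcess failed -- %#X", status);
    }
    return status;
}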

