[驱动开发]HookOpenKey
2018-11-18 流沙团


任意位置hook nt函数



详细代码



#include <ntddk.h>

/*
 * Layout of a System Service Descriptor Table entry (used below for
 * KeServiceDescriptorTable). Packed so the field offsets match the kernel's
 * own structure; this layout is x86-specific and mirrors one particular
 * kernel build rather than a public header, so it must be re-verified for
 * every Windows version before the driver is loaded on it.
 */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;        // table of service entry addresses, indexed by service number (see DriverEntry)
unsigned int *ServiceCounterTableBase; // only populated on checked builds
unsigned int NumberOfServices;         // presumably the number of valid entries in ServiceTableBase; not consulted by this driver
unsigned char *ParamTableBase;         // not used by this driver
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

// The kernel's native service table, imported from the kernel image. Only the
// 32-bit layout is described by the struct above, and the cr0/inline-asm code
// below is x86-only, so this driver cannot be built for or loaded on x64.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

ULONG g_ntOpenKey = 0;  // address of the hooked service; filled from the SSDT in DriverEntry, 0 until then
UCHAR OldTraitCode[5];  // original first 5 bytes of the target, saved by HookNtOpenKey for DriverUnload to restore

/*
 * Re-enable kernel write protection after a code patch: sets CR0.WP (bit 16)
 * and re-enables interrupts. Pairs with PageProtectOff().
 * NOTE(review): CR0 is per-processor and cli/sti act only on the current CPU,
 * so this does not stop other CPUs from executing the code while it is being
 * patched. `sti` also re-enables interrupts unconditionally, even if the
 * caller had them disabled before PageProtectOff() was entered.
 */
void PageProtectOn()
{
__asm{// restore memory (write) protection
mov eax, cr0
or eax, 10000h  // set CR0.WP
mov cr0, eax
sti             // re-enable interrupts disabled by PageProtectOff()
}
}

/*
 * Disable interrupts on the current CPU and clear CR0.WP (bit 16) so that
 * supervisor writes to read-only (code) pages succeed. Must be followed by
 * PageProtectOn(); the window between the two must stay short.
 * NOTE(review): clearing WP is a processor-local change and gives no
 * protection against concurrent execution of the patched bytes on other CPUs.
 */
void PageProtectOff()
{
__asm{// remove memory (write) protection
cli             // interrupts stay off until PageProtectOn()
mov eax, cr0
and eax, not 10000h  // clear CR0.WP
mov cr0, eax
}
}


/*
 * Hook body run on every call of the patched service (see MyOpenKey). It only
 * logs the calling process name. The name is read at a hard-coded byte offset
 * (0x174) into the object returned by PsGetCurrentProcess(); that offset
 * belongs to one specific Windows build (presumably EPROCESS.ImageFileName on
 * that build — verify), so on any other build the read is meaningless or out
 * of bounds. KdPrint is compiled out in free (release) builds, so nothing is
 * logged there.
 */
void FilterOpenKey()
{
    const char *procName = (const char *)PsGetCurrentProcess() + 0x174;

    KdPrint(("InlinkHook Process Name: %s ", procName));
}


/*
 * Naked trampoline that HookNtOpenKey places at the start of the target
 * service via a 5-byte `call`. On entry the top of the stack is the return
 * address pushed by that call, i.e. g_ntOpenKey + 5. The routine runs the
 * filter, pops that address into eax, re-executes the one instruction the
 * patch overwrote (assumed to be `push 0x94`, exactly 5 bytes long) and
 * jumps to the remaining original code.
 * Hard assumptions, none of which are checked anywhere in this driver:
 *  - the first 5 bytes of the target are exactly `push 0x94`; this holds only
 *    for the kernel build the code was written against;
 *  - FilterOpenKey leaves the stack as it found it and clobbers nothing the
 *    original prologue still needs (a cdecl function may alter eax/ecx/edx).
 * If either assumption fails the kernel executes corrupted code.
 */
__declspec(naked)
void MyOpenKey()
{
__asm{
call FilterOpenKey  // run the filter; takes no arguments
pop eax             // return address of the patched call = g_ntOpenKey + 5
push 0x94           // replay the original instruction that the patch overwrote
jmp eax             // resume the original function after the patched bytes
}

}



/*
 * Overwrite the first 5 bytes of the service at g_ntOpenKey with a relative
 * `call MyOpenKey` (opcode E8 + rel32), saving the original bytes in
 * OldTraitCode so DriverUnload can restore them.
 * rel32 is measured from the end of the 5-byte call instruction, i.e.
 * target - (patch address + 5), in 32-bit arithmetic; the ULONG addresses make
 * this x86-only.
 * Risks left unhandled here: g_ntOpenKey == 0 is not rejected, the bytes at
 * the patch site are not compared with what MyOpenKey later replays, and the
 * 5-byte write is not atomic, so another CPU executing the target during the
 * patch can see a half-written instruction.
 */
VOID HookNtOpenKey()
{
    ULONG hookTarget = (ULONG)&MyOpenKey;
    ULONG rel32 = hookTarget - 5 - g_ntOpenKey;  // displacement from the end of the call
    UCHAR patch[5];

    patch[0] = 0xE8;  // CALL rel32
    RtlCopyMemory(&patch[1], &rel32, sizeof rel32);

    PageProtectOff();
    RtlCopyMemory(OldTraitCode, (PVOID)g_ntOpenKey, sizeof patch);  // keep the original bytes for unload
    RtlCopyMemory((PVOID)g_ntOpenKey, patch, sizeof patch);
    PageProtectOn();
}



/*
 * Driver unload: write the saved original bytes back over the patch so the
 * kernel runs unpatched code once this image is gone.
 * Caveat: nothing here waits for threads that may still be inside
 * MyOpenKey/FilterOpenKey, or that already hold the patched call's return
 * address, so they can still reference this driver's code after unload.
 * The restore is the same non-atomic 5-byte write as the hook itself.
 */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    PVOID patchSite = (PVOID)g_ntOpenKey;

    PageProtectOff();
    RtlCopyMemory(patchSite, OldTraitCode, sizeof OldTraitCode);
    PageProtectOn();

    DbgPrint("DriverUnload");
}

/*
 * Driver entry: resolve the target service address through the SSDT and
 * install the hook, then register the unload routine.
 * Service index 119 is hard-coded. SSDT indices are assigned per Windows
 * build, so on any other build this patches a different service (or reads
 * past the table — there is no check against NumberOfServices). The routine
 * returns STATUS_SUCCESS unconditionally; the hook's outcome is never
 * validated.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    const ULONG serviceIndex = 119;  // build-specific index of the service to hook

    UNREFERENCED_PARAMETER(RegistryPath);

    // ServiceTableBase holds 32-bit entry addresses on x86.
    g_ntOpenKey = KeServiceDescriptorTable.ServiceTableBase[serviceIndex];
    HookNtOpenKey();

    pDriverObject->DriverUnload = DriverUnload;
    DbgPrint("DriverEntry");

    return STATUS_SUCCESS;
}




