驱动入门之hook内核函数NtOpenProcess
一: 驱动入门环境配置为:vs2012+wdk8,现在微软支持在线安装,安装非常简单只是可能需要远程下载占用不少时间。具体配置方法参考:http://blog.csdn.net/swanabin/article/details/41380449
二:配置好后,可以开始测试了,source文件夹内新建文件:driver.c,具体实现代码为:
#include<NTDDK.H>
#include<windef.h>
#include<ntstatus.h>
// Saved copy of the first 5 bytes of NtOpenProcess; unhookOpenProcess writes
// them back over the patch.
BYTE OriginalBytes[5] = { 0 };
// 5-byte patch written over NtOpenProcess's entry: E9 <rel32>. The rel32
// field (bytes 1..4) is filled in by hookOpenProcess before it is applied.
BYTE JmpAddress[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
// CR0 as read before write protection is cleared, so the same value can be
// written back afterwards (shared by hookOpenProcess and unhookOpenProcess).
ULONG CR0VALUE = 0;
// Replacement routine that hookOpenProcess places at NtOpenProcess's entry.
// Once the patch is applied every caller of NtOpenProcess lands here; the
// original routine is not reached again until unhookOpenProcess restores it.
// The parameter list mirrors NtOpenProcess (stdcall calling convention;
// `_stdcall` is MSVC's legacy spelling of `__stdcall`).
//
// Defects visible in the body, left as written:
//  - ClientId is declared OPTIONAL but is dereferenced unconditionally, so a
//    caller that passes NULL causes a kernel-mode NULL dereference (bugcheck).
//  - *ProcessHandle is never written and STATUS_SUCCESS is returned anyway,
//    so callers see "success" with an indeterminate handle; while the hook is
//    in place every process open on the system is broken, not just logged.
//  - The (ULONG) cast of a HANDLE together with %d assumes 32-bit pointers
//    (x86 only), consistent with the ULONG pointer arithmetic in hookOpenProcess.
NTSTATUS _stdcall myOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL)
{
// Logs the target PID ("you are opening my handle: %d"); see the NULL note above.
DbgPrint("你正在打开我的句柄:%d",(ULONG)ClientId->UniqueProcess);
return STATUS_SUCCESS;
}
// Install an inline hook on NtOpenProcess: save its first 5 bytes into
// OriginalBytes, then overwrite them with `jmp rel32` to myOpenProcess.
// Assumes a 32-bit (x86) kernel: code pointers are narrowed to ULONG and the
// CR0 handling uses MSVC inline assembly, neither of which builds for x64
// (where Kernel Patch Protection also bugchecks on this kind of modification).
// Uses the file-scope globals OriginalBytes, JmpAddress and CR0VALUE.
void hookOpenProcess()
{
KIRQL Irql;
// NOTE(review): the format string is missing its opening '[' (cosmetic only).
DbgPrint("NtOpenProcess111] :0x%x",NtOpenProcess);
// NOTE(review): MyNtOpenProcess is not defined anywhere in this file (the hook
// routine is named myOpenProcess), so this line does not compile as shown.
KdPrint(("[MyNtOpenProcess111] :0x%x",MyNtOpenProcess)); // address check
// Keep the original 5 bytes so unhookOpenProcess can put them back.
RtlCopyMemory(OriginalBytes,(BYTE *)NtOpenProcess,5);
// E9 rel32 is relative to the end of the 5-byte jmp: target - (source + 5).
*(ULONG *)(JmpAddress+1) = (ULONG)myOpenProcess - ((ULONG)NtOpenProcess+5);
// Disable write protection: save CR0 in CR0VALUE, then clear CR0.WP
// (bit 16, mask 0xFFFEFFFF). CR0 is per-CPU and the IRQL is raised only
// below, so between this block and the RtlCopyMemory the thread can still be
// preempted and migrated to a CPU whose WP bit was never cleared.
_asm
{
push eax
mov eax, cr0
mov CR0VALUE, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
}
// Raise IRQL to DISPATCH_LEVEL. This only prevents preemption on the current
// CPU; other CPUs may execute NtOpenProcess while the non-atomic 5-byte copy
// below is in progress and observe a partially written instruction stream.
Irql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory((BYTE*)NtOpenProcess,JmpAddress,5);
KeLowerIrql(Irql);
// Re-enable write protection by restoring the saved CR0. `__asm` and `_asm`
// are both accepted by MSVC; the trailing ';' is an empty statement.
__asm
{
push eax
mov eax, CR0VALUE
mov cr0, eax
pop eax
};
DbgPrint("已经hook"); // "hooked"
}
// Remove the inline hook: write the 5 bytes saved in OriginalBytes back over
// NtOpenProcess's entry. Mirrors hookOpenProcess, including its limitations:
// the CR0.WP change is per-CPU and made while the thread is still preemptible,
// and the restore is a non-atomic 5-byte copy that other CPUs can observe
// mid-write. Called from myDriverUnload, so any thread that already took the
// patched jmp into this driver's image is presumably still at risk once the
// image is unmapped — NOTE(review): confirm against the unload sequence.
void unhookOpenProcess()
{
KIRQL Irql;
// Disable write protection: save CR0 in CR0VALUE, clear CR0.WP (bit 16).
_asm
{
push eax
mov eax, cr0
mov CR0VALUE, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
}
// Raise IRQL to DISPATCH_LEVEL (current CPU only) around the restore.
Irql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory((BYTE*)NtOpenProcess,OriginalBytes,5);
KeLowerIrql(Irql);
// Re-enable write protection by restoring the saved CR0.
__asm
{
push eax
mov eax, CR0VALUE
mov cr0, eax
pop eax
};
}
// DriverUnload callback: put NtOpenProcess's original bytes back before the
// driver image is unmapped, then report to the debugger ("restored").
// P is the driver object; it is not used here.
void myDriverUnload(PDRIVER_OBJECT P)
{
    UNREFERENCED_PARAMETER(P);
    unhookOpenProcess();
    DbgPrint("已经恢复");
}
// Driver entry point. Registers the unload routine before patching, so an
// unload request can always undo the hook, then installs it.
// DriverObject: this driver's object; RegistryPath: unused here.
// Returns STATUS_SUCCESS unconditionally (hookOpenProcess reports no status).
NTSTATUS DriverEntry(IN OUT PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DbgPrint("开始hook");
    DriverObject->DriverUnload = myDriverUnload;
    hookOpenProcess();
    return STATUS_SUCCESS;
}