HOOK SSDT
HOOK SSDT主要代码
#pragma once
#include <ntifs.h>
/*
 * SSDT hook sample: swaps the NtOpenProcess entry of the System Service
 * Descriptor Table for MyNtOpenProcess so that opening one hard-coded PID fails.
 *
 * 32-bit x86 / MSVC only: the page-protection helpers use MSVC inline __asm
 * (not available on x64) and code addresses are stored in ULONG.
 * Educational note for defenders: this is the classic SSDT-patching technique.
 * It is what Kernel Patch Protection bugchecks on 64-bit Windows, and the usual
 * detection signal is a service-table entry that points outside the kernel image.
 *
 * More game reverse-engineering videos: www.yxfzedu.com
 * Questions: service@yxfzedu.com
 */
#pragma pack(1)
// Layout of a System Service Descriptor Table entry (undocumented structure,
// imported below as KeServiceDescriptorTable).  On 32-bit builds all four
// fields are 4 bytes, so the pack(1) changes nothing here.
typedef struct ServiceDescriptorEntry {
    unsigned int* ServiceTableBase;          // service routine addresses, indexed by service number
    unsigned int* ServiceCounterTableBase;   //Used only in checked build
    unsigned int NumberOfServices;           // entry count of ServiceTableBase
    unsigned char* ParamTableBase;           // argument-size table; not used in this file
} ServiceDescriptorTableEntry_t, * PServiceDescriptorTableEntry_t;
#pragma pack()

// Prototype of the original NtOpenProcess, used to call through from the hook.
typedef NTSTATUS (*pNtOpenProcess)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);

// Saved address of the original NtOpenProcess service-table entry.  Zero until
// HookOpenProcess() runs; UnHook() writes it back.  A ULONG only holds a code
// pointer on 32-bit builds.
ULONG g_OpenProcess;
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Re-enable kernel write protection by setting CR0.WP (bit 16) on the current
// CPU, then re-enable interrupts.
// NOTE: `sti` is unconditional -- the interrupt flag state from before
// PageProtectOFF() is never saved, so this pair always ends with interrupts
// enabled.  CR0 is a per-processor register and nothing in this file keeps the
// thread on one CPU between the OFF and ON calls.
VOID PageProtectOn() {
    __asm {
        mov eax, cr0;
        or eax, 0x10000;  // CR0.WP
        mov cr0, eax;
        sti;//re-enable interrupts
    }
}

// Disable interrupts on the current CPU (so this thread is not preempted while
// the table is writable) and clear CR0.WP so kernel code may write read-only
// pages such as the SSDT.  Must be paired with PageProtectOn().
VOID PageProtectOFF() {
    __asm {
        cli;//disable interrupts to prevent a thread switch
        mov eax, cr0;
        and eax,not 0x10000;  // clear CR0.WP
        mov cr0, eax;
    }
}

// Find the ImageFileName offset inside EPROCESS by scanning the current process
// object for the bytes "explo" -- i.e. it only works when the caller runs in
// the context of explorer.exe (presumably triggered from user mode; not shown).
// Returns the byte offset, or 0 if no match within the first 4096 bytes.
// The scan reads up to 4096 + 5 bytes from the EPROCESS with no knowledge of
// the object's real size.  Not called within this header; only referenced from
// commented-out code in MyNtOpenProcess.
ULONG GetProcessNameOffset() {
    PEPROCESS curproc;
    ULONG procNameOffset;
    // address of the current EPROCESS structure
    curproc = PsGetCurrentProcess();
    for (int i = 0; i < 4096; i++) {
        if (!strncmp("explo", (PCHAR)curproc + i, strlen("explo"))) {
            procNameOffset = i;
            return procNameOffset;
        }
    }
    return 0;
}

// Intended to decide whether ProcessId should be protected.  Returns TRUE when
// an image name contains "TraceMe"; FALSE when ProcessId is 0, cannot be
// resolved, or the name does not match.
// CAUTION: the looked-up Process object is only referenced and dereferenced,
// never inspected -- the name test runs on the *current* process
// (PsGetCurrentProcess), not on ProcessId.  The name is read at the hard-coded
// EPROCESS offset 0x16c, which belongs to one specific Windows build; on other
// builds this reads an unrelated field.  Not called within this header.
BOOLEAN ProtectProcess(HANDLE ProcessId) {
    PEPROCESS Process;
    //HANDLE ProcessId = 100;
    if (ProcessId == 0) {
        return FALSE;
    }
    NTSTATUS ProcessByProcessIdStatus = PsLookupProcessByProcessId(ProcessId, &Process);
    if (ProcessByProcessIdStatus != STATUS_SUCCESS) {
        KdPrint(("yxfzedu:根据PID获取进程对象失败 \n"));
        return FALSE;
    }
    PEPROCESS pEprocess = PsGetCurrentProcess();
    KdPrint(("yxfzedu %s \n", (UCHAR*)pEprocess + 0x16c));
    if(strstr((char*)pEprocess + 0x16c,"TraceMe")!=0){
        ObDereferenceObject(Process);  // reference from PsLookupProcessByProcessId released on both paths
        return TRUE;
    }
    ObDereferenceObject(Process);
    return FALSE;
}

// Replacement for NtOpenProcess installed by HookOpenProcess().  Fails with
// STATUS_UNSUCCESSFUL any attempt to open the hard-coded PID 4088 and forwards
// every other call to the saved original through g_OpenProcess.
// Parameters are those of NtOpenProcess.  ClientId is declared OPTIONAL but is
// dereferenced below with no NULL check and no __try block, so a call that
// passes NULL (open by name via ObjectAttributes) or an invalid pointer
// bugchecks before the real NtOpenProcess gets to validate it.  The first
// KdPrint fires on every NtOpenProcess call system-wide; the second prints a
// HANDLE with %d (fine only on 32-bit x86).  If g_OpenProcess is still 0 the
// call-through jumps to address 0.
NTSTATUS MyNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL) {
    KdPrint(("yxfzedu: 进入到了MyNtOpenProcess! \n"));
    KdPrint(("yxfzedu: ClientId->UniqueProcess=%d \n", ClientId->UniqueProcess));
    if (ClientId->UniqueProcess == (HANDLE)4088) {
        return STATUS_UNSUCCESSFUL;
    }
    /*ULONG offse= GetProcessNameOffset(); KdPrint(("yxfzedu:%d\n",offse));*/
    //PEPROCESS pEprocess = PsGetCurrentProcess();
    //KdPrint(("yxfzedu %s \n", (UCHAR*)pEprocess + 0x16c));
    NTSTATUS status = ((pNtOpenProcess)g_OpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes,ClientId);
    return status;
}

// Install the hook: save the service-table entry at index 190 into
// g_OpenProcess and replace it with MyNtOpenProcess.  Always returns
// STATUS_SUCCESS.
// Index 190 is hard-coded; service numbers are not stable across Windows
// versions and nothing here verifies the entry really is NtOpenProcess before
// overwriting it.  Calling this twice stores the hook's own address in
// g_OpenProcess (MyNtOpenProcess then calls itself).  The table writes are
// plain stores, not interlocked, and other CPUs keep running meanwhile.
NTSTATUS HookOpenProcess() {
    PageProtectOFF();
    g_OpenProcess = KeServiceDescriptorTable.ServiceTableBase[190];
    KeServiceDescriptorTable.ServiceTableBase[190] = (ULONG)MyNtOpenProcess;
    PageProtectOn();
    /*for (unsigned int i = 0; i < KeServiceDescriptorTable.NumberOfServices; i++) { KdPrint(("yxfzedu: 索引号【%d】函数地址=%X \n",i, KeServiceDescriptorTable.ServiceTableBase[i])); }*/
    return STATUS_SUCCESS;
}

// Restore the original entry at index 190 from g_OpenProcess.  Does not check
// that HookOpenProcess() ran first (it would write 0 into the table) and gives
// no grace period for threads still executing MyNtOpenProcess when the driver
// unloads; that is left to the caller.
VOID UnHook() {
    PageProtectOFF();
    KeServiceDescriptorTable.ServiceTableBase[190] = g_OpenProcess;
    PageProtectOn();
    KdPrint(("yxfzedu:HookOpenProcess 以还原!"));
}
