驱动Hook ZwTerminateProcess(mdl方式)
代码#include "ntddk.h"
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PULONG ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfServices;
PUCHAR ParamTableBase;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
__declspec(dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
#define SYSCALL_INDEX(Service) *(PULONG)((PUCHAR)Service+1)
#define HOOK_SYSCALL(Service, HookService, OriginalService) \
OriginalService = (PVOID)InterlockedExchange((PULONG)&SystemServiceTable[SYSCALL_INDEX(Service)], (ULONG)HookService)
#define UNHOOK_SYSCALL(Service, HookService, OriginalService) \
InterlockedExchange((PULONG)&SystemServiceTable[SYSCALL_INDEX(Service)], (ULONG)OriginalService)
BOOLEAN Hooked = FALSE;
MDL *Mdl = NULL;
PVOID *SystemServiceTable;
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess(
IN HANDLE ProcessHandle,
IN NTSTATUS ExitStatus
);
typedef NTSTATUS (NTAPI *NT_TERMINATE_PROCESS)
(
IN HANDLE ProcessHandle,
IN NTSTATUS ExitStatus
);
NT_TERMINATE_PROCESS PtrNtTerminateProcess;
NTSTATUS HookNtTerminateProcess(
IN HANDLE ProcessHandle,
IN NTSTATUS ExitStatus)
{
return STATUS_ACCESS_DENIED;
}
VOID DriverUnload(
IN DRIVER_OBJECT *DriverObject)
{
if(Hooked)
{
UNHOOK_SYSCALL(ZwTerminateProcess, HookNtTerminateProcess, PtrNtTerminateProcess);
if(Mdl)
{
MmUnmapLockedPages(SystemServiceTable, Mdl);
IoFreeMdl(Mdl);
}
}
}
NTSTATUS DriverEntry(
IN DRIVER_OBJECT *DriverObject,
IN UNICODE_STRING *RegistryPath)
{
DriverObject->DriverUnload = DriverUnload;
Mdl = IoAllocateMdl(
KeServiceDescriptorTable.ServiceTableBase,
KeServiceDescriptorTable.NumberOfServices * sizeof(ULONG),
FALSE,
FALSE,
NULL);
if(Mdl)
{
MmBuildMdlForNonPagedPool(Mdl);
Mdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
SystemServiceTable = MmMapLockedPages(Mdl, KernelMode);
if(MmIsAddressValid(SystemServiceTable))
{
HOOK_SYSCALL(ZwTerminateProcess, HookNtTerminateProcess, PtrNtTerminateProcess);
Hooked = TRUE;
}
}
return STATUS_SUCCESS;
}
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PULONG ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfServices;
PUCHAR ParamTableBase;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
__declspec(dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
#define SYSCALL_INDEX(Service) *(PULONG)((PUCHAR)Service+1)
#define HOOK_SYSCALL(Service, HookService, OriginalService) \
OriginalService = (PVOID)InterlockedExchange((PULONG)&SystemServiceTable[SYSCALL_INDEX(Service)], (ULONG)HookService)
#define UNHOOK_SYSCALL(Service, HookService, OriginalService) \
InterlockedExchange((PULONG)&SystemServiceTable[SYSCALL_INDEX(Service)], (ULONG)OriginalService)
BOOLEAN Hooked = FALSE;
MDL *Mdl = NULL;
PVOID *SystemServiceTable;
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess(
IN HANDLE ProcessHandle,
IN NTSTATUS ExitStatus
);
typedef NTSTATUS (NTAPI *NT_TERMINATE_PROCESS)
(
IN HANDLE ProcessHandle,
IN NTSTATUS ExitStatus
);
NT_TERMINATE_PROCESS PtrNtTerminateProcess;
NTSTATUS HookNtTerminateProcess(
IN HANDLE ProcessHandle,
IN NTSTATUS ExitStatus)
{
return STATUS_ACCESS_DENIED;
}
VOID DriverUnload(
IN DRIVER_OBJECT *DriverObject)
{
if(Hooked)
{
UNHOOK_SYSCALL(ZwTerminateProcess, HookNtTerminateProcess, PtrNtTerminateProcess);
if(Mdl)
{
MmUnmapLockedPages(SystemServiceTable, Mdl);
IoFreeMdl(Mdl);
}
}
}
NTSTATUS DriverEntry(
IN DRIVER_OBJECT *DriverObject,
IN UNICODE_STRING *RegistryPath)
{
DriverObject->DriverUnload = DriverUnload;
Mdl = IoAllocateMdl(
KeServiceDescriptorTable.ServiceTableBase,
KeServiceDescriptorTable.NumberOfServices * sizeof(ULONG),
FALSE,
FALSE,
NULL);
if(Mdl)
{
MmBuildMdlForNonPagedPool(Mdl);
Mdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
SystemServiceTable = MmMapLockedPages(Mdl, KernelMode);
if(MmIsAddressValid(SystemServiceTable))
{
HOOK_SYSCALL(ZwTerminateProcess, HookNtTerminateProcess, PtrNtTerminateProcess);
Hooked = TRUE;
}
}
return STATUS_SUCCESS;
}
