详细代码,直接看吧
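/*
 * HookOpenProcess: SSDT hook on NtOpenProcess that denies user-mode callers
 * a handle to the process whose image name is PROTECTED_IMAGE_NAME.
 *
 * Scope and caveats:
 *  - x86-32 only. The SSDT slots are treated as 32-bit values and CR0.WP is
 *    toggled with inline __asm; neither compiles on x64, and patching the
 *    SSDT there trips Kernel Patch Protection. The supported way to police
 *    process handle creation is ObRegisterCallbacks (Vista SP1 / Win7+).
 *  - NTOPENPROCESS_SSDT_INDEX is specific to one kernel build; dump the
 *    table (ListSSDT) on the target and confirm it before loading.
 *  - Unhooking cannot be made fully safe: a thread that read the slot just
 *    before it was restored may still be about to call MyOpenProcess.
 *    DriverUnload waits for in-flight calls to drain, which narrows but
 *    does not close that window.
 */
#include <ntddk.h>

/* SSDT index of NtOpenProcess on the target kernel (OS-build specific). */
#define NTOPENPROCESS_SSDT_INDEX 122u

/* Image base name (as stored in EPROCESS, at most 15 characters) of the
 * process that user-mode callers are not allowed to open. */
#define PROTECTED_IMAGE_NAME "Test.exe"

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;        /* system service routine addresses */
    unsigned int *ServiceCounterTableBase; /* only populated on checked builds */
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

/* Storing function addresses in 32-bit slots is only valid on x86-32. */
C_ASSERT(sizeof(unsigned int) == sizeof(PVOID));

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/* Original NtOpenProcess entry saved by HookOpenProcess; 0 while unhooked. */
unsigned int g_ntOpenProcess = 0;

/* Number of threads currently executing MyOpenProcess. DriverUnload waits
 * for this to reach zero so the driver image is not unmapped under them. */
static volatile LONG g_hookInFlight = 0;

NTSTATUS PsLookupProcessByProcessId(
    IN HANDLE ProcessId,
    OUT PEPROCESS *Process
    );

/* Exported by ntoskrnl (XP and later). Returns the image base name kept in
 * EPROCESS, so the version-dependent EPROCESS offset is not hard-coded. */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(IN PEPROCESS Process);

/* Set CR0.WP (bit 16) again and re-enable interrupts.
 * Pairs with PageProtectOff(); affects only the current CPU. */
void PageProtectOn(void)
{
    __asm {
        mov eax, cr0
        or  eax, 10000h      // set WP
        mov cr0, eax
        sti
    }
}

/* Disable interrupts, then clear CR0.WP so the read-only SSDT page can be
 * written. Interrupts stay off until PageProtectOn() so the thread cannot
 * be moved to another CPU, whose WP bit is still set, in between. */
void PageProtectOff(void)
{
    __asm {
        cli
        mov eax, cr0
        and eax, not 10000h  // clear WP
        mov cr0, eax
    }
}

typedef NTSTATUS (NTAPI *NEWNTOPENPROCESS)(
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId
    );

/*
 * Copy ClientId->UniqueProcess out of a user-mode CLIENT_ID.
 *
 * ClientId is an untrusted user pointer, so it is probed and read under
 * SEH; a bad pointer yields STATUS_INVALID_PARAMETER instead of a bugcheck.
 * Must only be called when the previous mode is UserMode (ProbeForRead
 * raises on kernel addresses).
 */
static NTSTATUS ReadUserClientPid(PCLIENT_ID ClientId, HANDLE *Pid)
{
    __try {
        ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG));
        *Pid = ClientId->UniqueProcess;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return STATUS_INVALID_PARAMETER;
    }
    return STATUS_SUCCESS;
}

/*
 * Replacement NtOpenProcess (same parameters as the original).
 *
 * Kernel-mode callers, calls without a ClientId/PID and a process opening
 * itself are forwarded untouched. A user-mode attempt to open a process
 * named PROTECTED_IMAGE_NAME is logged and refused.
 *
 * Returns STATUS_ACCESS_DENIED for a blocked open, STATUS_INVALID_PARAMETER
 * for an unreadable ClientId, otherwise the original routine's result.
 */
NTSTATUS NTAPI MyOpenProcess(
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId
    )
{
    NTSTATUS status;
    HANDLE targetPid = NULL;
    PEPROCESS target = NULL;
    PEPROCESS caller;

    InterlockedIncrement(&g_hookInFlight);

    /* The OS itself is never filtered, and a NULL ClientId means "open by
     * ObjectAttributes", which this hook does not police. */
    if (ExGetPreviousMode() == KernelMode || ClientId == NULL) {
        goto passthrough;
    }

    status = ReadUserClientPid(ClientId, &targetPid);
    if (!NT_SUCCESS(status)) {
        goto done;
    }
    if (targetPid == NULL) {
        /* No PID given: let the original handle (and reject) it; returning
         * success here would leave *ProcessHandle unset. */
        goto passthrough;
    }

    status = PsLookupProcessByProcessId(targetPid, &target);
    if (!NT_SUCCESS(status)) {
        /* Nothing was referenced, so there is nothing to dereference; the
         * original produces the proper error for an unknown PID. */
        goto passthrough;
    }

    caller = PsGetCurrentProcess();
    /* A process must be able to open itself, otherwise it cannot run. */
    if (caller != target &&
        strcmp(PsGetProcessImageFileName(target), PROTECTED_IMAGE_NAME) == 0) {
        DbgPrint("Process Name: %s -- %p", PsGetProcessImageFileName(caller), targetPid);
        ObDereferenceObject(target);
        status = STATUS_ACCESS_DENIED;
        goto done;
    }
    ObDereferenceObject(target);

passthrough:
    status = ((NEWNTOPENPROCESS)g_ntOpenProcess)(ProcessHandle, DesiredAccess,
                                                ObjectAttributes, ClientId);
done:
    InterlockedDecrement(&g_hookInFlight);
    return status;
}

/*
 * Install MyOpenProcess in the SSDT slot of NtOpenProcess.
 *
 * Returns STATUS_INVALID_PARAMETER if NTOPENPROCESS_SSDT_INDEX lies outside
 * the table, STATUS_SUCCESS otherwise (including when already installed,
 * which must not overwrite the saved original with our own address).
 */
NTSTATUS HookOpenProcess(void)
{
    unsigned int *slot;

    if (NTOPENPROCESS_SSDT_INDEX >= KeServiceDescriptorTable.NumberOfServices) {
        DbgPrint("HookOpenProcess: index %u outside SSDT (%u entries)",
                 NTOPENPROCESS_SSDT_INDEX, KeServiceDescriptorTable.NumberOfServices);
        return STATUS_INVALID_PARAMETER;
    }
    slot = &KeServiceDescriptorTable.ServiceTableBase[NTOPENPROCESS_SSDT_INDEX];
    if (*slot == (unsigned int)MyOpenProcess) {
        return STATUS_SUCCESS;
    }

    PageProtectOff();
    g_ntOpenProcess = *slot;
    *slot = (unsigned int)MyOpenProcess;  /* aligned 32-bit store: atomic on x86 */
    PageProtectOn();
    return STATUS_SUCCESS;
}

/* Put the original NtOpenProcess entry back; no-op if never hooked.
 * Restores unconditionally: if something hooked on top of us, leaving our
 * entry in place would point at unloaded code. */
VOID UnHookOpenProcess(void)
{
    if (g_ntOpenProcess == 0 ||
        NTOPENPROCESS_SSDT_INDEX >= KeServiceDescriptorTable.NumberOfServices) {
        return;
    }
    PageProtectOff();
    KeServiceDescriptorTable.ServiceTableBase[NTOPENPROCESS_SSDT_INDEX] = g_ntOpenProcess;
    PageProtectOn();
    g_ntOpenProcess = 0;
}

/* Debug aid: print index and routine address of every SSDT slot. */
VOID ListSSDT(void)
{
    unsigned int i;
    for (i = 0; i < KeServiceDescriptorTable.NumberOfServices; i++) {
        DbgPrint("List ssdt -- %u -- %#X", i, KeServiceDescriptorTable.ServiceTableBase[i]);
    }
}

/* Remove the hook and wait for threads still inside MyOpenProcess to leave
 * before the image is unmapped. */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    LARGE_INTEGER interval;
    UNREFERENCED_PARAMETER(pDriverObject);

    UnHookOpenProcess();

    interval.QuadPart = -10 * 1000 * 10;  /* 10 ms, relative (100 ns units) */
    while (g_hookInFlight > 0) {
        KeDelayExecutionThread(KernelMode, FALSE, &interval);
    }
    /* One more pause for callers that read the slot but have not yet
     * incremented the counter. */
    KeDelayExecutionThread(KernelMode, FALSE, &interval);

    DbgPrint("DriverUnload");
}

/* Driver entry point: registers unload and installs the hook.
 * A failed hook is propagated so the I/O manager unloads the driver
 * instead of leaving it resident and inert. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);

    pDriverObject->DriverUnload = DriverUnload;
    DbgPrint("DriverEntry");
    /* ListSSDT(); -- use to confirm NTOPENPROCESS_SSDT_INDEX on a new kernel */
    status = HookOpenProcess();
    if (!NT_SUCCESS(status)) {
        DbgPrint("HookOpenProcess Error -- %#X", status);
    }
    return status;
}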