任意位置hook nt函数
详细代码
/*
 * Kernel-mode inline hook of the SSDT entry that the author assumes is
 * NtOpenKey (32-bit MSVC driver). The first 5 bytes of the target function
 * are overwritten with a relative CALL into MyOpenKey, which logs the name of
 * the calling process, re-executes the displaced instruction and jumps back.
 *
 * Defender's reading: this is the classic "prologue patch" hook. It can be
 * detected by comparing the first bytes of SSDT-referenced functions in memory
 * with the on-disk kernel image (a leading E8 rel32 whose target lies outside
 * the kernel image is the telltale) and by the CR0.WP toggling below. Nothing
 * here is version-independent: the SSDT index (119), the EPROCESS offset
 * (0x174) and the displaced instruction (push 94h) are all hard-coded for one
 * specific build and will corrupt execution on any other.
 */
#include <ntddk.h>
#pragma pack(1)
/* Layout of one entry of KeServiceDescriptorTable; only ServiceTableBase is
 * read by this file. pack(1) keeps the layout byte-exact with the kernel's. */
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;          /* array of system-service function addresses */
    unsigned int *ServiceCounterTableBase;   /* only populated in checked builds */
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
/* Exported by the 32-bit kernel; NOTE(review): not exported on x64, so this
 * file is 32-bit only (the __asm blocks and ULONG-as-pointer also assume that). */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
ULONG g_ntOpenKey = 0;       /* address of the patched function, taken from the SSDT */
UCHAR OldTraitCode[5];       /* original 5 bytes of the prologue, restored on unload */
/* Re-enable write protection: set CR0.WP (bit 16) and re-enable interrupts.
 * NOTE(review): `sti` unconditionally enables interrupts on this CPU even if
 * they were disabled before PageProtectOff() ran, and cli/sti only affect the
 * current processor; on a multiprocessor system another CPU can execute the
 * target function while its prologue is half-written (crash risk). */
void PageProtectOn() {
    __asm{
        // restore memory protection
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
}
/* Disable write protection: mask interrupts on this CPU, then clear CR0.WP so
 * that writes to read-only kernel code pages succeed. See PageProtectOn() for
 * why this is not a synchronization mechanism. */
void PageProtectOff() {
    __asm{
        // remove memory protection
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
}
/* Called from the hook trampoline for every invocation of the patched function.
 * Logs the caller's process name on checked builds (KdPrint). The name is
 * passed as a %s argument, not as the format string, so there is no
 * format-string hazard here. NOTE(review): 0x174 is a raw EPROCESS offset
 * presumed to be ImageFileName on the build this was written for; on any
 * other version it reads arbitrary bytes of the EPROCESS. */
void FilterOpenKey() {
    KdPrint(("InlinkHook Process Name: %s ", (char*)PsGetCurrentProcess() + 0x174));
}
/* Trampoline the patched CALL lands in. After FilterOpenKey returns, the top
 * of the stack is the return address pushed by the patched CALL, i.e.
 * g_ntOpenKey + 5. It is popped into eax, the displaced instruction is
 * replayed, and execution resumes at g_ntOpenKey + 5.
 * NOTE(review): `push 0x94` is the author's assumption about the 5 bytes that
 * were overwritten; OldTraitCode is never consulted, so if the real prologue
 * differs the stack and control flow of the hooked function are corrupted.
 * Registers are not preserved around the C call (eax/ecx/edx are clobbered). */
__declspec(naked) void MyOpenKey() {
    __asm{
        call FilterOpenKey
        pop eax
        push 0x94
        jmp eax
    }
}
/* Install the hook: build a 5-byte `E8 rel32` whose displacement is
 * target - (patch site + 5), save the original bytes, and overwrite the
 * prologue at g_ntOpenKey. Requires g_ntOpenKey to have been set first. */
VOID HookNtOpenKey() {
    UCHAR TraitCode[5];
    ULONG NewAddress = (ULONG)&MyOpenKey;
    ULONG AwayAddress = NewAddress - 5 - g_ntOpenKey;   /* rel32 = MyOpenKey - (g_ntOpenKey + 5) */
    // E8 = CALL rel32
    TraitCode[0] = 0xE8;
    *(ULONG*)&TraitCode[1] = AwayAddress;                /* unaligned 4-byte write, fine on x86 */
    // Write the patch (two non-atomic 5-byte copies; see PageProtectOn for the race)
    PageProtectOff();
    RtlCopyMemory(OldTraitCode, (PVOID)g_ntOpenKey, 5);
    RtlCopyMemory((PVOID)g_ntOpenKey, TraitCode, 5);
    PageProtectOn();
}
/* Restore the original prologue and log. NOTE(review): nothing waits for
 * threads that are currently inside MyOpenKey/FilterOpenKey; once the driver
 * image is unmapped such a thread faults in freed code (unload crash risk).
 * If DriverEntry never set g_ntOpenKey this writes to address 0. */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject) {
    PageProtectOff();
    RtlCopyMemory((PVOID)g_ntOpenKey, OldTraitCode, 5);
    PageProtectOn();
    DbgPrint("DriverUnload");
}
/* Driver entry point: resolve the target from SSDT slot 119 (assumed to be
 * NtOpenKey on the author's build; the index differs between Windows
 * versions), install the hook, and register the unload routine.
 * RegistryPath is unused. Always returns STATUS_SUCCESS. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
    g_ntOpenKey = KeServiceDescriptorTable.ServiceTableBase[119];
    HookNtOpenKey();
    pDriverObject->DriverUnload = DriverUnload;
    DbgPrint("DriverEntry");
    return STATUS_SUCCESS;
}