(这是相对于 XP系统的 其实系统要另外找) 这是NTOpenProcess 的 剩下的几个被InLine的函数明天明写出来
/*
 * Kernel-mode driver that inline-patches two sites inside NtOpenProcess so
 * that the calls to ObOpenObjectByPointer go through local trampolines
 * (MyNtOpenProcess / MyNtOpenProcess2) instead.
 *
 * Review notes (defender's view):
 *  - Every patch site is a hard-coded byte offset into NtOpenProcess
 *    (0x21e, 0x229, 0x4a6).  The author's own note says these are for one
 *    Windows XP build; on any other kernel image the same offsets land on
 *    arbitrary bytes and the driver will corrupt kernel code.
 *  - Write protection is lifted by clearing CR0.WP (bit 16, 0x10000) and the
 *    kernel image is modified in place.  This is the classic pattern that
 *    kernel integrity checks (e.g. Kernel Patch Protection on x64 Windows)
 *    exist to detect, and it is a strong forensic indicator: the first bytes
 *    at RealOPAddr+0x21e / +0x4a6 no longer match the on-disk ntoskrnl.
 *  - Compiled as C++ (extern "C" wrappers, _declspec(naked), _asm), so
 *    Hook(), UnHook(), UnLoadDriver() and GetFunctionIndex() need prototypes
 *    before their first use; none appear in this excerpt.
 */
#pragma once
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#ifdef __cplusplus
}
#endif
#include <windef.h>
// Section pragmas: INIT is discardable after DriverEntry returns, PAGE is pageable.
#define INITCODE code_seg("INIT")
#define PAGECODE code_seg("PAGE")
ULONG RealOPAddr;   // address of NtOpenProcess, resolved in Hook()
ULONG ObAddr;       // address of ObOpenObjectByPointer, resolved in Hook()
ULONG RealWrite;    // value of GetFunctionIndex(277); only printed in this excerpt
ULONG RealRead;     // value of GetFunctionIndex(186); only printed in this excerpt
BYTE SavOpen[6];    // original 6 bytes at RealOPAddr+0x21e, restored by UnHook()
BYTE SavRead[7];    // not referenced in this excerpt
BYTE SavWrite[7];   // not referenced in this excerpt
BYTE SavObj[5];     // not referenced in this excerpt
BYTE SavOpen2[5];   // original 5 bytes at RealOPAddr+0x4a6, restored by UnHook()
// Layout of the system service descriptor table (SSDT).
typedef struct _ServiceDescriptorTable {
    PVOID ServiceTableBase;        // base address of the service table
    PVOID ServiceCounterTable;     // per-service call counters
    unsigned int NumberOfServices; // number of entries in the table
    PVOID ParamTableBase;          // parameter (argument byte count) table
}*PServiceDescriptorTable;
// Exported by the kernel; not used in this excerpt (presumably by GetFunctionIndex).
extern "C" extern PServiceDescriptorTable KeServiceDescriptorTable;
// Driver entry point: installs the hooks immediately and registers the unload routine.
// pUnicode (the registry path) is unused.
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pUnicode) {
    Hook();
    KdPrint(("驱动加载成功......"));
    pDriver->DriverUnload = UnLoadDriver;
    return STATUS_SUCCESS;
}
// NOTE(review): code_seg pragmas apply to the definitions that FOLLOW them, so this
// places UnLoadDriver (not DriverEntry) in the discardable INIT section.  The unload
// routine would then run from a section the memory manager may already have
// discarded; this looks like the pragma was meant to sit above DriverEntry.
#pragma INITCODE
// Unload routine: restores the patched bytes.  pDriver is unused.
VOID UnLoadDriver(PDRIVER_OBJECT pDriver) {
    UnHook();
    KdPrint(("驱动卸载成功...."));
}
#pragma PAGECODE
// Trampoline for the patch at RealOPAddr+0x21e.
// naked: no prologue/epilogue, so ebp is still the frame pointer of the code that
// jumped here.  It re-pushes two stack slots of that frame, pushes RealOPAddr+0x229
// as a return address and jumps to ObOpenObjectByPointer (push + jmp emulates a
// call).  0x229 is 11 bytes past the start of the 6-byte patch, so the 5 bytes at
// 0x224..0x228 are skipped — presumably the original call instruction; verify
// against the target kernel build.
_declspec(naked) void MyNtOpenProcess() {
    _asm {
        push [ebp-0x38]
        push [ebp-0x24]
        mov eax,RealOPAddr
        add eax,0x229
        push eax
        jmp ObAddr
    }
}
#pragma PAGECODE
// Trampoline for the patch at RealOPAddr+0x4a6.
// Pushes RealOPAddr+0x4a6+5 (the byte right after the 5-byte jmp written by Hook)
// as the return address and jumps to ObOpenObjectByPointer.  No stack slots are
// re-pushed here, unlike MyNtOpenProcess.
_declspec(naked) void MyNtOpenProcess2() {
    _asm {
        // int 3
        mov eax,RealOPAddr
        add eax,0x4a6
        add eax,5
        push eax
        jmp ObAddr
    }
}
// Restores the saved bytes at both patch sites.
// Interrupts are disabled (cli) and CR0.WP cleared around the writes, then both are
// re-enabled.  Restoration is only correct if SavOpen/SavOpen2 were filled by Hook()
// first; nothing here checks that Hook() actually ran.
void UnHook() {
    _asm {
        cli
        mov eax,cr0
        and eax,not 10000h   // clear CR0.WP (bit 16)
        mov cr0,eax
    }
    memcpy((PVOID)(RealOPAddr+0x21e),SavOpen,sizeof(SavOpen));
    memcpy((PVOID)(RealOPAddr+0x4a6),SavOpen2,sizeof(SavOpen2));
    _asm {
        mov eax,cr0
        or eax,10000h        // restore CR0.WP
        mov cr0,eax
        sti
    }
}
// Resolves NtOpenProcess / ObOpenObjectByPointer, saves the original bytes at the two
// patch sites and overwrites them with relative jumps to the trampolines.
// The closing brace of this function is not present in this excerpt.
void Hook() {
    // _asm int 3
    UNICODE_STRING UniOP;
    UNICODE_STRING UniOb;
    RtlInitUnicodeString(&UniOP,L"NtOpenProcess");
    RtlInitUnicodeString(&UniOb,L"ObOpenObjectByPointer");
    // NOTE(review): neither lookup result is checked for NULL before the offsets
    // below are added to it.
    RealOPAddr= (ULONG)MmGetSystemRoutineAddress(&UniOP);
    ObAddr = (ULONG)MmGetSystemRoutineAddress(&UniOb);
    // GetFunctionIndex is not defined in this excerpt.  Per the KdPrint labels, 186
    // and 277 are taken to be the service indices of NtReadVirtualMemory and
    // NtWriteVirtualMemory on this build — confirm against the target SSDT.
    RealRead = GetFunctionIndex(186);
    RealWrite= GetFunctionIndex(277);
    // NOTE(review): the format strings end in "/n" rather than "\n", so no newline is emitted.
    KdPrint(("NtReadVirtualMemory:%x/n",RealRead));
    KdPrint(("NtWriteVirtualMemory:%x/n",RealWrite));
    // Save the original bytes so UnHook() can restore them (6 at 0x21e, 5 at 0x4a6,
    // matching the sizes written below).
    ULONG* seOpenAddr = (ULONG*)(RealOPAddr +0x21e);
    memcpy(SavOpen,seOpenAddr,sizeof(SavOpen));
    ULONG* seOpenAddr2 = (ULONG*)(RealOPAddr +0x4a6);
    memcpy(SavOpen2,seOpenAddr2,sizeof(SavOpen2));
    // NOTE(review): unlike UnHook(), this block does not pair the trailing sti with
    // a cli — the final sti below enables interrupts regardless of their prior state.
    _asm {
        mov eax,cr0
        and eax,not 0x10000  // clear CR0.WP (bit 16)
        mov cr0,eax
    }
    _asm {
        // Site 1: 6 bytes at RealOPAddr+0x21e := E9 <rel32 to MyNtOpenProcess> 90
        mov eax,RealOPAddr
        add eax,0x21e
        lea ebx,MyNtOpenProcess
        sub ebx,eax
        sub ebx,5            // rel32 is relative to the end of the 5-byte jmp
        mov byte ptr ds:[eax],0xE9
        mov [eax +1],ebx
        mov [eax +5],0x90    // NOTE(review): no size on the immediate store; presumably a byte NOP
        // Site 2: 5 bytes at RealOPAddr+0x4a6 := E9 <rel32 to MyNtOpenProcess2>
        mov eax,RealOPAddr
        add eax,0x4a6
        lea ebx,MyNtOpenProcess2
        sub ebx,eax
        sub ebx,5
        mov byte ptr ds:[eax],0xe9
        mov [eax+1],ebx
    }
    _asm {
        mov eax,cr0
        or eax,10000h        // restore CR0.WP
        mov cr0,eax
        sti
    }