HOOK SSDT
// Driver entry point: registers the unload routine, then installs the
// NtOpenProcess service-table patch via Hook(). Hook() returns no status,
// so this routine always reports STATUS_SUCCESS.
// RegistryPath is part of the standard DriverEntry signature and is not used.
// Presumably OnUnload calls Unhook() to restore the table — its body is not shown here.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath )
{
    NTSTATUS status = STATUS_SUCCESS;

    // Unload callback is registered before the table is touched.
    DriverObject->DriverUnload = OnUnload;

    // Patch the SSDT entry.
    Hook();

    return status;
}
// Replaces the NtOpenProcess entry in the SSDT with the address of MyNtOpenProcess.
//
// Side effects: saves the original entry into the globals RealServiceAddress
// (raw ULONG) and RealNtOpenProcess (typed) and overwrites the table entry in place.
// 32-bit only: the table is indexed as an array of 4-byte ULONGs and the inline
// assembly operates on the 32-bit CR0 register.
//
// NOTE(review): the service index is hard-coded; indices differ between Windows
// builds, so it must be confirmed against the exact target build.
// NOTE(review): cli/sti only masks interrupts on the executing processor; other
// processors in an MP system are unaffected during the unprotected window.
// NOTE(review, detection): after this runs the SSDT entry points at this driver's
// routine rather than into the kernel image — the condition an SSDT integrity
// check looks for.
VOID Hook()
{
    ULONG Address;
    // 0x7A is given by the author as the NtOpenProcess service number (build-specific).
    // Address = table base + index * sizeof(ULONG).
    Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;
    // Save the original dispatch address so Unhook() can restore it.
    RealServiceAddress = *(ULONG*)Address;
    RealNtOpenProcess = (NTOPENPROCESS)RealServiceAddress;
    // NOTE(review): "/n" in both format strings looks like a typo for "\n".
    DbgPrint( "Address of Real NtOpenProcess: 0x%08X/n", RealServiceAddress );
    DbgPrint(" Address of MyNtOpenProcess: 0x%08X/n", MyNtOpenProcess );
    // Remove the memory write protection. Per the author this is paging-related:
    // writing the table with protection on results in a BSOD.
    // CR0 bit 16 (0x10000) is the WP flag.
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    // Overwrite the NtOpenProcess entry in the SSDT with the hook routine's address.
    *((ULONG*)Address) = (ULONG)MyNtOpenProcess;
    // Restore write protection and re-enable interrupts.
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
}
// Restores the original NtOpenProcess SSDT entry saved by Hook().
//
// NOTE(review): assumes Hook() ran first; if it did not, RealServiceAddress still
// holds its initial value and that is what gets written into the table — a guard
// on RealServiceAddress != 0 would avoid that.
// NOTE(review): Address is recomputed with the same hard-coded index used in Hook();
// a shared named constant would keep the two in step.
VOID Unhook()
{
    ULONG Address;
    Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;
    // Same as in Hook(): clear CR0.WP (bit 16, 0x10000) so the table page can be written.
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    // Put the saved original address back into the SSDT.
    *((ULONG*)Address) = (ULONG)RealServiceAddress;
    // Restore write protection and re-enable interrupts.
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
    // No trailing newline in this debug message.
    DbgPrint("Unhook");
}
- 本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/webxeyes/archive/2009/03/17/3996783.aspx