; 32-bit (x86) Windows kernel-mode driver written in MASM syntax.
; Flat memory model, stdcall calling convention, case-sensitive symbols.
.386
.model flat, stdcall
option casemap:none
include JmDriver.inc                    ; project include (not visible here): kernel types, protos, m2m macro
; Prototype used to call the saved original table entry through dwOldAddress.
; NOTE(review): declared with three dword parameters. For a stdcall
; pass-through the declared parameter count must match the real target's,
; otherwise callee stack cleanup will not match what the caller pushed —
; confirm against the actual kernel signature of the hooked service.
Target_NtOpenProcess typedef proto :dword,:dword,:dword
PTarget_NtOpenProcess typedef ptr Target_NtOpenProcess
.data
; Three parallel tables walked by Hook. For entry i:
;   dwFunctionIDs[i]  service index to patch (0 terminates the walk)
;   dwOldAddress[i]   receives the original table entry (filled by Hook)
;   dwHookAddress[i]  replacement routine written into the table
dwFunctionIDs dd 07Ah ;service index for NtOpenProcess — hard-coded; service indices differ between Windows builds
dd 00h                                  ; terminator: Hook stops when it reads 0 here
dwOldAddress PTarget_NtOpenProcess ?    ; original entry for dwFunctionIDs[0]; called by _NtOpenProcess
dd ?                                    ; spare slots, uninitialised
dd ?
dwHookAddress dd _NtOpenProcess         ; replacement for dwFunctionIDs[0]
dd ?                                    ; NOTE(review): uninitialised, not a 0 terminator; only dwFunctionIDs ends the walk
.code
;-----------------------------------------------------------------------
; _NtOpenProcess — replacement routine that Hook installs in the table.
; ABI:   stdcall, flat 32-bit
; In:    three dword stack arguments, as declared by Target_NtOpenProcess
; Out:   eax = whatever the saved original entry returns
; Behaviour: pure pass-through — no argument is inspected or changed.
; NOTE(review): dwOldAddress[0] is only valid after Hook has run; before
; that it is an uninitialised .data slot.
;-----------------------------------------------------------------------
_NtOpenProcess proc dwDesiredAccess:dword , bInheritHandle:dword ,dwProcessID:dword
invoke dwOldAddress[0] , dwDesiredAccess , bInheritHandle , dwProcessID ; forward to the original entry saved by Hook
ret
_NtOpenProcess endp
;-----------------------------------------------------------------------
; Hook — patch the system service table entries listed in dwFunctionIDs.
; ABI:   stdcall, flat 32-bit; no parameters, no return value
; Regs:  eax = scratch / current table entry address
;        ecx = index into the three parallel tables (0-based)
; Clobb: eax, ecx, flags, cr0 (restored before return)
; Locals: @lpServiceTable = base of the service table
;         @lplpFunc       = declared but never used
; Notes for the reader:
;  - Write protection is removed by clearing CR0 bit 16 (WP) around the
;    table writes and set again afterwards.
;  - cli/sti only mask interrupts on the processor executing this code;
;    other processors on a multiprocessor system are not affected by it.
;  - m2m is presumably a memory-to-memory move macro from JmDriver.inc.
;-----------------------------------------------------------------------
Hook proc
LOCAL @lpServiceTable:dword
LOCAL @lplpFunc:dword                   ; unused
mov eax , KeServiceDescriptorTable ;eax = the KeServiceDescriptorTable export of ntoskrnl.exe, as the include declares it
m2m @lpServiceTable , [eax] ;@lpServiceTable = first dword at that address — presumably the service table base; confirm against the include's declaration
cli                                     ; mask interrupts on this processor only
mov eax , cr0
and eax , not 10000h ;clear CR0.WP (bit 16): remove kernel write protection
mov cr0 , eax
xor ecx ,ecx                            ; ecx = 0, table index
.while TRUE
mov eax , dwFunctionIDs[ecx*4] ;eax = service index for entry ecx
.if eax == 0
.break                                  ; 0 terminates the list
.endif
add eax , @lpServiceTable ; eax = @lpServiceTable + eax
m2m dwOldAddress[ecx*4] ,[eax] ;save the existing table entry
m2m [eax] , dwHookAddress[ecx*4] ;write the replacement address into the table
inc ecx
.endw
mov eax,cr0
or eax,10000h ;set CR0.WP again: restore write protection
mov cr0,eax
sti                                     ; re-enable interrupts on this processor
ret
Hook endp
;-----------------------------------------------------------------------
; UnHook — called from DriverUnload; intended counterpart of Hook.
; ABI:   stdcall, flat 32-bit; no parameters, no return value
; Clobb: eax, flags, cr0 (restored before return)
; NOTE(review): between clearing and restoring CR0.WP nothing is written.
; The entries saved in dwOldAddress are never written back, so after this
; driver unloads the patched table slots still point into this driver's
; (then unmapped) code — the next call through such a slot faults.
;-----------------------------------------------------------------------
UnHook proc
cli                                     ; mask interrupts on this processor only
mov eax , cr0
and eax , not 10000h ;clear CR0.WP (bit 16): remove kernel write protection
mov cr0 , eax
mov eax,cr0
or eax,10000h ;set CR0.WP again: restore write protection (no table write happened in between)
mov cr0,eax
sti
ret
UnHook endp
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; ABI:   stdcall, flat 32-bit
; In:    pDriverObject   = driver object supplied by the I/O manager
;        pusRegistryPath = unused here
; Out:   eax = STATUS_SUCCESS unconditionally (Hook reports no status)
; Side effects: registers DriverUnload, then calls Hook.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT,pusRegistryPath:PUNICODE_STRING
assume eax:ptr DRIVER_OBJECT            ; lets [eax].DriverUnload resolve as a struct field
mov eax , pDriverObject
m2m [eax].DriverUnload , offset DriverUnload ;register the unload routine so the driver can be stopped
invoke Hook
mov eax , STATUS_SUCCESS                ; always success; Hook has no failure path to report
ret
DriverEntry endp
;-----------------------------------------------------------------------
; void DriverUnload(PDRIVER_OBJECT) — registered in DriverEntry.
; Receives the driver object on the stack (not declared or read here).
; Only calls UnHook; see the note on UnHook about what it does not restore.
;-----------------------------------------------------------------------
DriverUnload proc
invoke UnHook
ret
DriverUnload endp
end DriverEntry