SSDT hook 整个流程：
获取 SSDT 表（内核导出的 KeServiceDescriptorTable），用自定义函数的地址替换表中目标系统服务（这里是 NtOpenProcess）的函数地址。
注意：下面的代码只适用于 32 位 Windows（x86 内联汇编、直接改写 CR0.WP，以及硬编码的服务号 0xBE 都和具体系统版本绑定）；在 x64 上内核不导出 KeServiceDescriptorTable，而且 PatchGuard 会把对 SSDT 的修改视为内核篡改并触发蓝屏。
通过以下的方式获取 SSDT 表的内容：
/*
 * Layout of the KeServiceDescriptorTable entry the hook code reads.
 * This mirrors a kernel data structure accessed through raw pointers, so
 * field order and size are ABI: do not reorder, resize or insert fields.
 */
typedef struct ServiceDescriptorTable
{
PVOID ServiceTableBase;        /* array of 4-byte system-service addresses; Hook()/UnHook() read it at offset 0 */
PVOID ServiceCounterTable;     /* not referenced in this listing */
unsigned int NumberOfSection;  /* presumably the entry count (usually named NumberOfServices) -- not referenced here */
PVOID ParamTableBase;          /* not referenced in this listing */
}*PServiceDescriptorTable;
/* Imported from ntoskrnl and declared as a *pointer* to the table: the hook
   code dereferences it that way (mov ebx,KeServiceDescriptorTable /
   mov ebx,[ebx] -> ServiceTableBase). NOTE(review): 32-bit builds only --
   64-bit kernels do not export this symbol. */
extern "C" PServiceDescriptorTable KeServiceDescriptorTable;
自定义函数:MyNtOpenProcess
/*
 * Function type of the genuine NtOpenProcess: same parameter list as
 * MyNtOpenProcess below, declared _stdcall like the hook function so the
 * saved pointer can be called with the same convention.
 */
extern "C" typedef NTSTATUS _stdcall NTOPENPROCESS
(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
/* Address of the original NtOpenProcess, captured from the SSDT by Hook(),
   called by MyNtOpenProcess and written back by UnHook(). As a zero-
   initialized global it is NULL until Hook() has run. */
NTOPENPROCESS *Real_NtOpenProcess;
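/*
 * MyNtOpenProcess: SSDT replacement for NtOpenProcess.
 *
 * Denies any attempt to open the process whose PID is stored in g_MyPID
 * (g_MyPID == -1 means "protect nothing"); every other request is passed
 * through unchanged to the saved original, Real_NtOpenProcess.
 *
 * Parameters and return value are those of NtOpenProcess. On a denied
 * request nothing is written to *ProcessHandle and STATUS_ACCESS_DENIED is
 * returned.
 *
 * Fixes vs. the original:
 *  - the PID check now happens BEFORE the real call. The original opened
 *    the process first and then assigned NULL to the *local* parameter
 *    `ProcessHandle`, which does nothing for the caller: a valid handle to
 *    the "protected" process had already been written to the caller's
 *    *ProcessHandle (and was leaked) even though STATUS_ACCESS_DENIED was
 *    returned, so the protection could be bypassed by ignoring the status.
 *  - ClientId may legitimately be NULL (open by object name); the original
 *    dereferenced it unconditionally, a kernel-mode NULL dereference.
 *
 * NOTE(review): ClientId is a raw user-mode pointer for calls that arrive
 * through the system-call dispatcher. A production hook must validate it
 * with ProbeForRead inside __try/__except when the previous mode is
 * UserMode; that is not done here, so a bad pointer still faults in the
 * kernel before the real service gets to reject it. Also, this hook alone
 * is not process protection: handles that already exist, NtOpenThread and
 * NtDuplicateObject are not covered.
 */
extern "C" NTSTATUS _stdcall MyNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId
)
{
    /* Only look at the client id when protection is armed and an id was
       supplied at all. */
    if (g_MyPID != -1 && ClientId != NULL) {
        int pid = (int)ClientId->UniqueProcess;
        if (pid == g_MyPID) {
            KdPrint(("阻止的PID =========%d", pid));
            /* Refuse without ever creating the handle. */
            return STATUS_ACCESS_DENIED;
        }
    }
    return Real_NtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}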
hook 函数:
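/*
 * Hook(): install MyNtOpenProcess in the SSDT slot of NtOpenProcess.
 *
 * Saves the current slot contents in Real_NtOpenProcess, then overwrites the
 * slot. The SSDT lives in read-only kernel pages, so CR0.WP is cleared
 * around the single 32-bit store and set again afterwards. Always returns
 * STATUS_SUCCESS.
 *
 * Changes vs. the original:
 *  - the slot address is computed in C from
 *    KeServiceDescriptorTable->ServiceTableBase -- the same arithmetic the
 *    inline asm did (mov ebx,KeServiceDescriptorTable / mov ebx,[ebx] /
 *    add ebx,0xBE*4) -- instead of hand-written register code;
 *  - calling Hook() twice no longer captures our own hook as
 *    Real_NtOpenProcess (which made MyNtOpenProcess call itself forever);
 *  - EFLAGS is saved and restored instead of an unconditional sti, so the
 *    caller's interrupt state is preserved.
 *
 * NOTE(review): 0xBE is the NtOpenProcess service index for one specific
 * 32-bit Windows build; it differs between versions and nothing here
 * verifies it, so on another build this patches an unrelated system call.
 * Clearing WP affects only the CPU we run on (CR0 is per-CPU); interrupts
 * are disabled for the duration so the thread cannot migrate while WP is
 * clear.
 */
NTSTATUS Hook()
{
    /* ServiceTableBase is an array of 4-byte function addresses; index 0xBE
       is NtOpenProcess on the targeted build. */
    PVOID *entry = (PVOID *)KeServiceDescriptorTable->ServiceTableBase + 0xBE;
    unsigned long savedFlags;

    if (*entry == (PVOID)MyNtOpenProcess) {
        /* Already hooked by us: re-capturing would overwrite
           Real_NtOpenProcess with MyNtOpenProcess itself. */
        return STATUS_SUCCESS;
    }

    Real_NtOpenProcess = (NTOPENPROCESS *)*entry;
    KdPrint(("Real_NtOpenProcess ====%x", Real_NtOpenProcess));

    _asm {
        pushfd                  // remember IF so it is restored, not forced on
        pop savedFlags
        cli                     // stay on this CPU while its WP bit is clear
        mov eax, cr0
        and eax, 0xfffeffff     // clear CR0.WP (bit 16): allow writes to read-only pages
        mov cr0, eax
    }
    *entry = (PVOID)MyNtOpenProcess;   // aligned 32-bit store: atomic on x86
    _asm {
        mov eax, cr0
        or eax, 0x10000         // set CR0.WP again
        mov cr0, eax
        push savedFlags
        popfd                   // restore the interrupt flag saved above
    }
    return STATUS_SUCCESS;
}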
unHook 函数:
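/*
 * UnHook(): restore the original NtOpenProcess address in the SSDT.
 *
 * Writes Real_NtOpenProcess (captured by Hook()) back into slot 0xBE with
 * CR0.WP cleared around the store, mirroring Hook(). Always returns
 * STATUS_SUCCESS.
 *
 * Fixes vs. the original:
 *  - the original executed cli but never sti, so the CPU that ran UnHook()
 *    was left with interrupts disabled; EFLAGS is now saved and restored;
 *  - if Hook() never ran, Real_NtOpenProcess is NULL and the original wrote
 *    that NULL into the SSDT, crashing the next NtOpenProcess system-wide;
 *    that case is now skipped;
 *  - the slot address is computed in C instead of inline asm (same
 *    arithmetic: ServiceTableBase + 0xBE*4).
 *
 * NOTE(review): restoring the pointer does not wait for threads that are
 * currently inside MyNtOpenProcess; unloading the driver right after
 * UnHook() can still crash when such a thread returns into unmapped code.
 * Real_NtOpenProcess is deliberately left set for the same reason.
 */
NTSTATUS UnHook()
{
    PVOID *entry = (PVOID *)KeServiceDescriptorTable->ServiceTableBase + 0xBE;
    unsigned long savedFlags;

    if (Real_NtOpenProcess == NULL) {
        /* Nothing was captured: there is no original address to put back. */
        return STATUS_SUCCESS;
    }

    KdPrint(("operator of Unhook is successe Real_NtOpenProcess = %x ", Real_NtOpenProcess));

    _asm {
        pushfd                  // remember IF so it is restored afterwards
        pop savedFlags
        cli                     // stay on this CPU while its WP bit is clear
        mov eax, cr0
        and eax, 0xfffeffff     // clear CR0.WP (bit 16)
        mov cr0, eax
    }
    *entry = (PVOID)Real_NtOpenProcess;   // aligned 32-bit store: atomic on x86
    _asm {
        mov eax, cr0
        or eax, 0x10000         // set CR0.WP again
        mov cr0, eax
        push savedFlags
        popfd                   // the original omitted this (no sti): interrupts stayed off
    }
    return STATUS_SUCCESS;
}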