cr0的第16位是WP位(对应掩码0x10000),只要将这一位置0就可以禁用写保护,置1则可将其恢复。
// Disable write protection: clear CR0.WP (bit 16, mask 0x10000) so that
// kernel-mode writes to read-only pages are no longer refused.
// NOTE(review): CR0 and the interrupt flag are per-processor state, so this
// only affects the CPU the code happens to be running on; the `cli` here is
// not matched until the `sti` in the second block below, so everything that
// executes between the two blocks runs with interrupts masked on that CPU.
// NOTE(review): MSVC `__asm` blocks and the 32-bit `eax` make this x86-only;
// on 64-bit Windows, writes to protected kernel structures made this way are
// what Kernel Patch Protection is checking for, so from a defender's view the
// WP-bit toggle is a detection signal rather than a portable technique.
__asm
{
cli ; mask interrupts on this CPU for as long as WP stays cleared
mov eax, cr0 ; read CR0
and eax, ~0x10000 ; clear bit 16 (WP)
mov cr0, eax ; write it back
}
// Restore write protection: set CR0.WP again, then re-enable interrupts.
__asm
{
mov eax, cr0 ; read CR0
or eax, 0x10000 ; set bit 16 (WP)
mov cr0, eax ; write it back
sti ; re-enable interrupts on this CPU (pairs with the cli above)
}
MDL的全称是Memory Descriptor List,即内存描述符表
// Memory Descriptor List: describes the physical pages backing a virtual
// buffer. The layout here mirrors the public declaration in the WDK's wdm.h;
// the field comments below follow the WDK description rather than anything
// this page demonstrates.
typedef struct _MDL
{
struct _MDL *Next;            // next MDL when several are chained, otherwise NULL
CSHORT Size;                  // size in bytes of this MDL including the PFN array that follows it
CSHORT MdlFlags;              // MDL_* flag bits (e.g. MDL_MAPPED_TO_SYSTEM_VA), owned by the memory manager
struct _EPROCESS *Process;    // owning process when the buffer is a user-mode one
PVOID MappedSystemVa;         // system-space VA the pages are mapped at, once mapped
PVOID StartVa;                // page-aligned virtual start of the described buffer
ULONG ByteCount;              // length of the described buffer in bytes
ULONG ByteOffset;             // offset of the buffer within its first page
} MDL, *PMDL;
我们先来看一段在SSDT HOOK中常见的代码,如下所示:
// Map the service descriptor table through an MDL so it can be written
// without toggling CR0.WP (the alternative to the inline-asm approach above).
// NOTE(review): this excerpt is the body of a function whose header is not
// shown; it returns an NTSTATUS and nothing visible here unmaps or frees
// the MDL, so the mapping and the MDL leak unless the caller cleans up.
PMDL MDSystemCall;   // MDL describing the service table
PVOID *MappedSCT;    // writable system-space alias of the service table
// NOTE(review): `NumberOfServices*4` hard-codes a 4-byte table entry, i.e.
// this is x86-only; `sizeof(PVOID)` would at least make that assumption
// visible. MmCreateMdl is documented as obsolete (IoAllocateMdl is the
// supported way to obtain an MDL).
MDSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!MDSystemCall)
{
return STATUS_UNSUCCESSFUL;   // MDL allocation failed
}
// Build the MDL for a buffer that lives in non-paged pool (the service table).
MmBuildMdlForNonPagedPool(MDSystemCall);
// NOTE(review): this sets a flag the memory manager owns, presumably so that
// the mapping created below is writable; verify it is still needed/valid on
// the target OS version.
MDSystemCall->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
// NOTE(review): the return value is not checked. Depending on flags and OS
// version a failed mapping either returns NULL or bugchecks; a NULL here is
// then dereferenced by whatever writes through MappedSCT. MmMapLockedPages is
// also documented as obsolete in favour of MmMapLockedPagesSpecifyCache.
MappedSCT = MmMapLockedPages(MDSystemCall, KernelMode);
// Replace the ZwTerminateProcess entry; HookOn is defined elsewhere and
// presumably writes the new entry through MappedSCT — verify. Integrity
// checkers detect this by comparing table entries against the kernel image.
HookOn( ZwTerminateProcess, New_ZwTerminateProcess);