A、选取HOOK地址
B、分析待HOOK函数参数
C、构建HOOK 代码
D、实现HOOK
E、测试效果
32 ssdt hook
eb ba52c07e 90
u nt!NtOpenProcess
u nt!NtOpenProcess l 100
jmp //0xE9
//jmp my_NtOpenProcess
// NtOpenProcess 入口处写成 jmp my_NtOpenProcess，其相对偏移 = my_NtOpenProcess-RealNtOpenProcess-5;
// 定义一下NtOpenProcess的原型
extern "C" typedef NTSTATUS __stdcall NTOPENPROCESS
(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
NTOPENPROCESS * RealNtOpenProcess;
PEPROCESS EP;
// 自定义的NtOpenProcess函数 ZwOpenProcess
#pragma PAGECODE
NTSTATUS __declspec(naked) __stdcall MyNtOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId )
{
NTSTATUS rc;
HANDLE PID;
KdPrint(("++++++++++++Entry MyNtOpenProcess int ++++++++++++++\n"));
//rc = (NTSTATUS)RealNtOpenProcess( ProcessHandle, DesiredAccess, ObjectAttributes, ClientId );
if( (ClientId != NULL) )
{
PID = ClientId->UniqueProcess;
KdPrint(( "------------------------- PID=%d--------------\n",(int*)PID ));
// 如果是被保护的PID,则拒绝访问,并将句柄设置为空
if(PID == MyPID)
{
KdPrint(("被保护进程 MyPID=%d \n",(int)MyPID));
//调试输出 类似C语言的 Printf
ProcessHandle = NULL; //这个是关键
rc = STATUS_ACCESS_DENIED; //这个返回值
//PsLookupProcessByProcessId((ULONG)PID,&EP);
EP=PsGetCurrentProcess();
KdPrint((" ACESS Process Name --:%s-- \n",(PTSTR)((ULONG)EP+0x174)));
__asm
{ // int 3
// add esp,10 //弹出4个参数
retn 0x10
}
}
}
__asm
{ // int 3
// add esp,10 //弹出4个参数
push 0x0C4
mov eax,RealNtOpenProcess
add eax,5
jmp eax
}
// return rc;
}
SSDT_Adr=(PLONG)*SSDT_Adr;// 0xE9
ULONG jmpaddr= (ULONG)MyNtOpenProcess- (ULONG)RealNtOpenProcess-5; //SSDT HOOK
__asm
{ mov ebx,SSDT_Adr
mov eax,jmpaddr
mov BYTE ptr ds:[ebx],0xe9
mov DWORD ptr ds:[ebx+1],eax
int 3
mov eax, cr0
or eax, 10000h
mov cr0, eax
sti
}