/************************************/
//简单实现隐藏SSDT HOOK By ZzAge
/************************************/
#include <ntddk.h>
#define BYTE unsigned char
#define MEM_TAG 'ZMEM'
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
VOID Unload(
IN PDRIVER_OBJECT DriverObject
);
typedef NTSTATUS (*NTOPENPROCESS)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
NTSTATUS PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);
PUCHAR PsGetProcessImageFileName(
IN PEPROCESS Process
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, Unload)
#endif
NTOPENPROCESS OldNtOpenProcess;
BYTE JmpCode[5]={0xE9,0x00,0x00,0x00,0x00};
BYTE OrgCode[5]={0x8B,0x3F,0x8B,0x1C,0x87};
BYTE PushRetCode[6]={0x68,0x00,0x00,0x00,0x00,0xc3};
ULONG uKiFastCallEntryAddr=0;
ULONG HookAddr=0;
ULONG JMPRet=0;
ULONG PushRetMem=0;
//NtOpenProcess代理函数
NTSTATUS MyNtOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMase,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
)
{
PEPROCESS lpPEPROCESS;
NTSTATUS status;
char *ProcessName;
//取要打开目标进程的PEPROCESS
status=PsLookupProcessByProcessId(ClientId->UniqueProcess,&lpPEPROCESS);
if (NT_SUCCESS(status))
{
if (KeGetCurrentIrql()==PASSIVE_LEVEL)
{
ProcessName=_strupr(PsGetProcessImageFileName(lpPEPROCESS));
if (strcmp(ProcessName,"NOTEPAD.EXE")==0) //判断打开的进程是否为NOTEPAD.EXE
{
return STATUS_ACCESS_DENIED;
}
}
}
return OldNtOpenProcess(ProcessHandle,AccessMase,ObjectAttributes,ClientId);
}
//HOOK KiFastCallEntry过滤函数
__declspec(naked)void OverFuck()
{
_asm
{
pushfd
pushad
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
cmp OldNtOpenProcess,ebx; //比较是否为NtOpenProcess
je Label1
popad
popfd
mov edi,dword ptr [edi]
mov ebx,dword ptr [edi+eax*4]
jmp [JMPRet];
Label1:
popad
popfd
mov ebx,MyNtOpenProcess //修改NtOpenProcess为我们的代理函数
jmp [JMPRet];
}
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
NTSTATUS status = STATUS_SUCCESS;
KIRQL oldIrql;
UNICODE_STRING ustrFunctionName;
DbgPrint("[HideSSDT] DriverEntry!\n");
//卸载例程
DriverObject->DriverUnload = Unload;
//获取NtOpenProcess地址
RtlInitUnicodeString(&ustrFunctionName, L"NtOpenProcess" );
OldNtOpenProcess=(NTOPENPROCESS)MmGetSystemRoutineAddress( &ustrFunctionName);
DbgPrint("NtOpenProcess=0x%08X",OldNtOpenProcess);
//系统调用管理器的地址保存在MSR寄存器里面,标识ID为0x176是SYSENTER_EIP_MSR寄存器,存放着KiFastCallEntry地址!所以在这里用rdmsr读取KiFastCallEntry地址;
__asm
{
pushfd
pushad
mov ecx,0x176
rdmsr
mov uKiFastCallEntryAddr,eax //获取KiFastCallEntry地址
xor ecx,ecx
Label1:
cmp ecx,0x100
je Label3
mov edx,DWORD ptr [eax]
cmp edx,0x1C8B3F8B //搜索特征码,获取要Hook的位置
je Label2
inc eax
inc ecx
jmp Label1
Label2:
mov HookAddr,eax
Label3:
popad
popfd
}
if (HookAddr==0)
{
return status;
}
//申请分配二级跳转内存
PushRetMem=(ULONG)ExAllocatePoolWithTag(NonPagedPool,6,MEM_TAG);
if ((PVOID)PushRetMem==NULL)
{
return status;
}
DbgPrint("PushRetMem=0x%08X",PushRetMem);
//一级跳转地址
*(ULONG*)&JmpCode[1]=(ULONG)(PushRetMem)-(HookAddr+5);
//二级跳转地址
*(ULONG*)&PushRetCode[1]=(ULONG)OverFuck;
//HOOK返回地址
JMPRet=HookAddr+5;
//提升中断请求级
oldIrql = KeRaiseIrqlToDpcLevel();
//关闭中断
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
//进行HOOK操作
RtlCopyMemory((PVOID)PushRetMem,PushRetCode,6);
RtlCopyMemory((PVOID)HookAddr,JmpCode,5);
//开启中断
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
//恢复先前中断请求级
KeLowerIrql(oldIrql);
DbgPrint("KiFastCallEntry=0x%08X",uKiFastCallEntryAddr);
DbgPrint("HookAddr=0x%08X",HookAddr);
//添加代码
return status;
}
VOID Unload( IN PDRIVER_OBJECT DriverObject)
{
if (HookAddr!=0)
{
KIRQL oldIrql;
//提升中断请求级
oldIrql = KeRaiseIrqlToDpcLevel();
//关闭中断
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
//进行还原HOOK操作
RtlCopyMemory((PVOID)HookAddr,OrgCode,5);
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
//恢复先前中断请求级
KeLowerIrql(oldIrql);
// 释放内存
ExFreePool((PVOID)PushRetMem);
}
DbgPrint("[HideSSDT] Unloaded\n");
}
[复制链接]
发表于 2010-5-21 10:18
发表于 2010-5-21 10:48
