Hook NtOpenProcess,一个小小的进步
昨晚写的一个驱动，可以放点代码什么的，这样也方便别的鱼油学习。XP还是WIN7、10？7、10好像不支持XUERT之类的。很简单的，修改cr0或者映射都行。
NTSTATUS installhook()
{
/*
 * Intended purpose (per the surrounding post): point the SSDT entry for
 * NtOpenProcess at MyNtOpenProcess by mapping the table's physical page
 * through MmMapIoSpace instead of clearing CR0.WP.
 *
 * NOTE(review): as written this routine never touches the table.
 * `g_functable = (ULONG)MyNtOpenProcess;` overwrites the local pointer
 * variable, not the memory it points to, so the only lasting effect is a
 * leaked mapping: MmMapIoSpace is never paired with MmUnmapIoSpace, and its
 * return value is not checked for NULL before use.
 *
 * `funcaddr` is not a documented member of KeServiceDescriptorTable;
 * presumably the post uses a locally declared struct — confirm.
 *
 * Defender note: rewriting SSDT entries is one of the modifications Kernel
 * Patch Protection (PatchGuard) checks for on x64 Windows, which is
 * presumably the "not supported on 7/10" the author observed.
 *
 * Returns STATUS_SUCCESS unconditionally; failures above are not reported.
 */
//Curaddr = GetCurrentAddr();// address of the NtOpenProcess slot in the SSDT (unused here)
ULONG* addr=KeServiceDescriptorTable->funcaddr;
PHYSICAL_ADDRESS physicaladdr = MmGetPhysicalAddress(addr);
ULONG* g_functable = MmMapIoSpace(physicaladdr, PAGE_SIZE, MmNonCached); /* unchecked for NULL, never unmapped */
g_functable = (ULONG)MyNtOpenProcess; /* reassigns the local pointer only; the mapped table is unchanged */
return STATUS_SUCCESS;
}
NTSTATUS uninstallhook()
{
/*
 * Intended purpose: restore the SSDT entry for NtOpenProcess.
 *
 * The restore value is the exported NtOpenProcess address from
 * MmGetSystemRoutineAddress rather than a value saved at install time
 * (the saved-original approach, Curaddr/oldcode, is only present in the
 * commented-out block below).
 *
 * NOTE(review): same defect as installhook — `g_functable = (ULONG)oldaddr;`
 * reassigns the local pointer instead of writing through it, so the table
 * is not restored; the MmMapIoSpace mapping is again unchecked and never
 * released with MmUnmapIoSpace.
 *
 * Returns STATUS_SUCCESS unconditionally.
 */
UNICODE_STRING old_NtOpenProcess = RTL_CONSTANT_STRING(L"NtOpenProcess");
ULONG* oldaddr = (ULONG*)MmGetSystemRoutineAddress(&old_NtOpenProcess); /* NULL if the export is not found — not checked */
ULONG* addr = KeServiceDescriptorTable->funcaddr;
PHYSICAL_ADDRESS physicaladdr= MmGetPhysicalAddress(addr);
ULONG* g_functable = MmMapIoSpace(physicaladdr, PAGE_SIZE, MmNonCached); /* unchecked for NULL, never unmapped */
g_functable = (ULONG)oldaddr; /* reassigns the local pointer only; the mapped table is unchanged */
return STATUS_SUCCESS;
} //if (Curaddr == oldaddr)
//{
// BYTE hookcode = { 0xe9,0,0,0,0};
// ULONG res=oldaddr - Curaddr - 5;
// memcpy(&hookcode, &res, 4);
// __asm
// {
// cli;//避免执行指令时候被打扰
// mov eax, cr0;
// and eax,0xFFFFEFFF;
// mov cr0, eax;
// //保存指令
// lea ebx, Curaddr;
// lea ecx, oldcode;
// mov al, byte ptr;
// mov byte ptr, al;
// mov eax, dword ptr;
// mov dword ptr,eax;
// //开始hook
// lea ebx, Curaddr;
// lea ecx, hookcode;
// mov al, byte ptr ;//e9
// mov byte ptr, al;
// mov eax, ;
// mov dword ptr, eax;
// mov eax, cr0;
// or eax, 0x10000;
// mov cr0, eax;
// sti;
// }
// //跳转
//}
修改cr0