ssdkhook之ntopenprocess_保护用户层的应用程序不被ce打开_完美版

89 阅读 0 评论 59 点赞

我是靠谱客的博主时尚白云，这篇文章主要介绍ssdkhook之ntopenprocess_保护用户层的应用程序不被ce打开_完美版，现在分享给大家，希望可以做个参考。

复制代码

#include"ntddk.h"
NTSTATUS PsLookupProcessByProcessId(
	_In_  HANDLE    ProcessId,
	_Out_ PEPROCESS *Process
	);
#pragma pack(1) //写这个内存以一字节对齐 如果不写是以4字节的对齐的
typedef struct ServiceDescriptorEntry {//这个结构就是为了管理这个数组而来的 内核api所在的数组 才有这个结构的 这个是ssdt
	unsigned int *ServiceTableBase;//就是ServiceTable ssdt数组
	unsigned int *ServiceCounterTableBase; //仅适用于checked build版本 无用
	unsigned int NumberOfServices;//(ServiceTableBase)数组中有多少个元素 有多少个项
	unsigned char *ParamTableBase;//参数表基址 我们层传过来的api的参数 占用多少字节 多大
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack(1)
_declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;//(名字不要写错)
unsigned int laonthanshu = 0;//老的ntopenprocess 函数的地址
void yebaohuguanbi()//页保护关闭
{
	__asm{//去掉内存保护
		cli
			mov  eax, cr0
			and  eax, not 10000h
			mov  cr0, eax
	}
}
void yebaohukaiqi()//页保护开启
{
	__asm{//恢复内存保护  
		mov  eax, cr0
			or   eax, 10000h
			mov  cr0, eax
			sti
	}
}
typedef  NTSTATUS(*hanshuzhizhen1)(          //申请一个申述
	__out PHANDLE ProcessHandle,
	__in ACCESS_MASK DesiredAccess,
	__in POBJECT_ATTRIBUTES ObjectAttributes,
	__in_opt PCLIENT_ID ClientId
	);
NTSTATUS lisaisaide_ntopenprocess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
	NTSTATUS zhuangtai;
	PEPROCESS duixiang_jincheng;
	//KdPrint(("我hook了原来的ntopenprocess 进入到我的lisaisaide_ntopenprocess 的过滤历程里来了n"));
	if (ClientId->UniqueProcess==0)//进程pid==0是系统的进程评分调用ntopenprocess 要把0号进程 返回掉否则死机
	{
		return ((hanshuzhizhen1)laonthanshu)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
	}
	zhuangtai=PsLookupProcessByProcessId((HANDLE)ClientId->UniqueProcess, &duixiang_jincheng);//通过进程id得到进程对象  进程对象里有进程名字
	if (!NT_SUCCESS(zhuangtai))
	{
		ObDereferenceObject(duixiang_jincheng);
		return ((hanshuzhizhen1)laonthanshu)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
	}

if (strcmp((char*)duixiang_jincheng+0x16c,"11.exe")==0)
{
	KdPrint(("你调用openprocess函数 传进来的打开进程的参数(进程名)是11.exe 进入了我的过滤历程   不能打开11.exe 进程 n"));
	KdPrint(("当前进程是%s   进程号%d", (char*)PsGetCurrentProcess() + 0x16c, ClientId->UniqueProcess));
	ObDereferenceObject(duixiang_jincheng);
	return STATUS_UNSUCCESSFUL;
}
ObDereferenceObject(duixiang_jincheng);
	return ((hanshuzhizhen1)laonthanshu)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
VOID xiezai1(PDRIVER_OBJECT qudongduixiang)
{
	yebaohuguanbi();//页保护关闭
	KeServiceDescriptorTable.ServiceTableBase[190] = laonthanshu;//还原历程
	yebaohukaiqi();//页保护开始
	KdPrint(("已经执行到了 驱动卸载历程n"));
}

VOID bianlissdt()//遍历ssdt
{
	ULONG j = KeServiceDescriptorTable.NumberOfServices;//nt_开头函数的个数
	for (ULONG i = 0; i <j; i++)
	{
		KdPrint(("函数%d 地址%xn", i, KeServiceDescriptorTable.ServiceTableBase[i]));
	}
}
VOID hookopenprocess()
{
	yebaohuguanbi();//页保护关闭
	laonthanshu = KeServiceDescriptorTable.ServiceTableBase[190];
	KeServiceDescriptorTable.ServiceTableBase[190] = (unsigned int )lisaisaide_ntopenprocess;
	yebaohukaiqi();//页保护开始
}
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang, PUNICODE_STRING zhucebiao1)
{
	//bianlissdt();//遍历ssdt的函数 打印的是原始函数地址
	hookopenprocess();//hook系统ntopenprocess;
	qudongduixiang->DriverUnload = xiezai1;
	return STATUS_SUCCESS;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#include"ntddk.h"
NTSTATUS PsLookupProcessByProcessId(
	_In_  HANDLE    ProcessId,
	_Out_ PEPROCESS *Process
	);
#pragma pack(1) //写这个内存以一字节对齐 如果不写是以4字节的对齐的
typedef struct ServiceDescriptorEntry {//这个结构就是为了管理这个数组而来的 内核api所在的数组 才有这个结构的 这个是ssdt
	unsigned int *ServiceTableBase;//就是ServiceTable ssdt数组
	unsigned int *ServiceCounterTableBase; //仅适用于checked build版本 无用
	unsigned int NumberOfServices;//(ServiceTableBase)数组中有多少个元素 有多少个项
	unsigned char *ParamTableBase;//参数表基址 我们层传过来的api的参数 占用多少字节 多大
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack(1)
_declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;//(名字不要写错)
unsigned int laonthanshu = 0;//老的ntopenprocess 函数的地址
void yebaohuguanbi()//页保护关闭
{
	__asm{//去掉内存保护
		cli
			mov  eax, cr0
			and  eax, not 10000h
			mov  cr0, eax
	}
}
void yebaohukaiqi()//页保护开启
{
	__asm{//恢复内存保护  
		mov  eax, cr0
			or   eax, 10000h
			mov  cr0, eax
			sti
	}
}
typedef  NTSTATUS(*hanshuzhizhen1)(          //申请一个申述
	__out PHANDLE ProcessHandle,
	__in ACCESS_MASK DesiredAccess,
	__in POBJECT_ATTRIBUTES ObjectAttributes,
	__in_opt PCLIENT_ID ClientId
	);
NTSTATUS lisaisaide_ntopenprocess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
	NTSTATUS zhuangtai;
	PEPROCESS duixiang_jincheng;
	//KdPrint(("我hook了原来的ntopenprocess 进入到我的lisaisaide_ntopenprocess 的过滤历程里来了n"));
	if (ClientId->UniqueProcess==0)//进程pid==0是系统的进程评分调用ntopenprocess 要把0号进程 返回掉否则死机
	{
		return ((hanshuzhizhen1)laonthanshu)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
	}
	zhuangtai=PsLookupProcessByProcessId((HANDLE)ClientId->UniqueProcess, &duixiang_jincheng);//通过进程id得到进程对象  进程对象里有进程名字
	if (!NT_SUCCESS(zhuangtai))
	{
		ObDereferenceObject(duixiang_jincheng);
		return ((hanshuzhizhen1)laonthanshu)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
	}

if (strcmp((char*)duixiang_jincheng+0x16c,"11.exe")==0)
{
	KdPrint(("你调用openprocess函数 传进来的打开进程的参数(进程名)是11.exe 进入了我的过滤历程   不能打开11.exe 进程 n"));
	KdPrint(("当前进程是%s   进程号%d", (char*)PsGetCurrentProcess() + 0x16c, ClientId->UniqueProcess));
	ObDereferenceObject(duixiang_jincheng);
	return STATUS_UNSUCCESSFUL;
}
ObDereferenceObject(duixiang_jincheng);
	return ((hanshuzhizhen1)laonthanshu)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
VOID xiezai1(PDRIVER_OBJECT qudongduixiang)
{
	yebaohuguanbi();//页保护关闭
	KeServiceDescriptorTable.ServiceTableBase[190] = laonthanshu;//还原历程
	yebaohukaiqi();//页保护开始
	KdPrint(("已经执行到了 驱动卸载历程n"));
}

VOID bianlissdt()//遍历ssdt
{
	ULONG j = KeServiceDescriptorTable.NumberOfServices;//nt_开头函数的个数
	for (ULONG i = 0; i <j; i++)
	{
		KdPrint(("函数%d 地址%xn", i, KeServiceDescriptorTable.ServiceTableBase[i]));
	}
}
VOID hookopenprocess()
{
	yebaohuguanbi();//页保护关闭
	laonthanshu = KeServiceDescriptorTable.ServiceTableBase[190];
	KeServiceDescriptorTable.ServiceTableBase[190] = (unsigned int )lisaisaide_ntopenprocess;
	yebaohukaiqi();//页保护开始
}
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang, PUNICODE_STRING zhucebiao1)
{
	//bianlissdt();//遍历ssdt的函数 打印的是原始函数地址
	hookopenprocess();//hook系统ntopenprocess;
	qudongduixiang->DriverUnload = xiezai1;
	return STATUS_SUCCESS;
}