ShadowSSDT Hook 拦截NtUserFindWindowEx函数
http://www.unpack.cn/attachments/month_0909/20090906_bb0718e96838a17e474fzURevTsaYL7R.jpg

硬编码了...只支持XP系统,写得比较搓,有不好的地方,请多多指教!
;ShadowSSDT Hook 拦截NtUserFindWindowEx函数
;Code:zzage
;Bolg:http://hi.baidu.com/zzage
.386
.model flat,stdcall
option casemap:none
include D:\RadASM\masm32\include\w2k\ntstatus.inc
include D:\RadASM\masm32\include\w2k\ntddk.inc
include D:\RadASM\masm32\include\w2k\ntoskrnl.inc
includelib D:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include D:\RadASM\masm32\Macros\Strings.mac
; Prototype of the hooked system service: five DWORD arguments, stdcall.
; MyNtUserFindWindowEx below is declared with the same five-argument shape
; so the replacement cleans the stack exactly like the original.
_NTUSERFINDWINDOWEX typedef proto :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NTUSERFINDWINDOWEX typedef ptr _NTUSERFINDWINDOWEX
.data
KeAddSystemServiceTable_addr dd ?        ; address of KeAddSystemServiceTable, resolved in DriverEntry (never checked for NULL)
KeServiceDescriptorTableShadow_addr dd ? ; recovered by GetKeServiceDescriptorTableShadow via a byte-pattern scan
Csrss_EPROCESS dd 0                      ; EPROCESS found by FindEPROCESS; DriverEntry/DriverUnload attach to it before touching the table
                                         ; (presumably because the win32k table lives in session space - confirm)
dwNtUserFindWindowEx dd ?                ; address of the table slot that was patched, so DriverUnload can restore it
OldNtUserFindWindowEx NTUSERFINDWINDOWEX ? ; original slot contents; the hook calls through to it
g_Cr0 dd ?                               ; CR0 saved by WPOFF and restored by WPON - one global, not per-CPU
.code
;-----------------------------------------------------------------------
; WPOFF: clear CR0.WP (bit 16) so kernel code can write to read-only
; pages (here: the service table). Saves the original CR0 in g_Cr0 for
; WPON to put back.
; In:    nothing
; Out:   nothing; CR0.WP cleared, interrupts disabled on this CPU
; Clobb: flags (eax is preserved via push/pop)
; NOTE(review): g_Cr0 is a single global and cli only affects the
; current CPU, so a second CPU can still run (and WPOFF/WPON pairs on
; different CPUs can clobber each other's saved CR0). Toggling CR0.WP to
; patch kernel text/data is a well-known rootkit signature that kernel
; integrity checks look for.
;-----------------------------------------------------------------------
WPOFF proc
push eax
cli                                  ; nothing else on this CPU runs while WP is cleared
mov eax,cr0
mov g_Cr0,eax                        ; remember the original value for WPON
and eax,0fffeffffh                   ; clear bit 16 = WP
mov cr0,eax
pop eax
ret
WPOFF endp
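;-----------------------------------------------------------------------
; WPON: restore the CR0 value saved by WPOFF (re-sets CR0.WP) and
; re-enable interrupts. (Mnemonic/operand spacing restored; the listing
; had "moveax"/"movcr0"/"popeax", which does not assemble.)
; In:    g_Cr0 (written by WPOFF)
; Out:   nothing; CR0 restored, IF set
; Clobb: flags (eax is preserved via push/pop)
; NOTE(review): `sti` is unconditional - if interrupts were already off
; when WPOFF ran, this re-enables them anyway. Also relies on WPOFF and
; WPON running on the same CPU with no intervening WPOFF (g_Cr0 is one
; global).
;-----------------------------------------------------------------------
WPON proc
        push    eax
        mov     eax,g_Cr0               ; value captured by WPOFF
        mov     cr0,eax                 ; WP bit is set again
        sti
        pop     eax
        ret
WPON endp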
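;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Unhook: attach to csrss, write the saved original pointer back into
; the patched table slot, detach. ("invoke KeDetachProcess" spacing
; restored; the listing had "invokeKeDetachProcess".)
; In:    pDriverObject (unused); Csrss_EPROCESS, dwNtUserFindWindowEx,
;        OldNtUserFindWindowEx as filled in by DriverEntry
; Out:   nothing
; Clobb: none visible (pushad/popad); flags
; NOTE(review): Csrss_EPROCESS is never validated before
; KeAttachProcess, and nothing stops the driver image from being
; unmapped while another thread is still executing inside
; MyNtUserFindWindowEx (no reference count or grace period) - the usual
; crash source for table hooks on unload.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject: PDRIVER_OBJECT
        pushad
        invoke  KeAttachProcess,Csrss_EPROCESS
        invoke  DbgPrint,$CTA0("驱动卸载成功\n")
        invoke  WPOFF
        mov     esi,dwNtUserFindWindowEx     ; esi = &table[slot] saved by DriverEntry
        mov     edx,OldNtUserFindWindowEx
        mov     dword ptr [esi],edx          ; table[slot] = original routine
        invoke  WPON
        invoke  KeDetachProcess
        popad
        ret
DriverUnload endp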
;-----------------------------------------------------------------------
; FindEPROCESS: walk the process list starting after the current process
; and store in Csrss_EPROCESS the first EPROCESS whose image name matches
; "csrss.exe" (case-insensitive, first 9 characters).
; In:    nothing
; Out:   Csrss_EPROCESS (global)
; Clobb: none visible (pushad/popad); flags
; Hard-coded layout (XP only, per the author): +88h is taken as the
; ActiveProcessLinks LIST_ENTRY and +174h as ImageFileName. Neither is
; looked up at runtime, so on any other build this dereferences garbage.
; NOTE(review): there is no "not found" result - if nothing matches, the
; loop ends with Csrss_EPROCESS pointing at the last process visited and
; DriverEntry still calls KeAttachProcess on it.
;-----------------------------------------------------------------------
FindEPROCESS proc
pushad
invoke IoGetCurrentProcess           ; eax = current EPROCESS
lea edi,[eax+88h]                    ; edi = &current->ActiveProcessLinks (loop sentinel)
mov esi,dword ptr [edi]              ; esi = Flink: first entry to examine
@@:lea ebx,[esi-88h]                 ; ebx = CONTAINING_RECORD(esi, EPROCESS, ActiveProcessLinks)
mov Csrss_EPROCESS, ebx              ; provisional result, overwritten every iteration
lea eax,[ebx+174h]                   ; eax = &ImageFileName
invoke _strnicmp,eax, $CTA0("csrss.exe"),9
or eax,eax                           ; 0 => names match
jne a
jmp b
a: mov esi,dword ptr [esi]           ; esi = esi->Flink
cmp esi,edi                          ; back at the starting entry => list exhausted
jne @B
b: invoke DbgPrint,$CTA0("Csrss_EPROCESS = %X\n"),Csrss_EPROCESS
popad
ret
FindEPROCESS endp
;-----------------------------------------------------------------------
; GetKeServiceDescriptorTableShadow: recover the address of the
; unexported KeServiceDescriptorTableShadow by scanning the code of
; KeAddSystemServiceTable for the byte pair 8Dh 88h (opcode + ModRM of
; "lea ecx,[eax+disp32]") and taking the disp32 that follows as the
; table address.
; In:    KeAddSystemServiceTable_addr (set by DriverEntry)
; Out:   KeServiceDescriptorTableShadow_addr (global)
; Clobb: none visible (pushad/popad); flags
; NOTE(review): the scan has no upper bound and KeAddSystemServiceTable_addr
; is not checked for zero. If the pattern is absent (any kernel the author
; did not test on) the loop walks off the end of the function, and
; whatever it eventually finds is used as a table pointer in DriverEntry.
; Pattern-scanning kernel code for a non-exported symbol is itself a
; strong indicator of a hooking driver.
;-----------------------------------------------------------------------
GetKeServiceDescriptorTableShadow proc
pushad
mov eax,KeAddSystemServiceTable_addr ; eax = scan cursor
@@:cmp byte ptr [eax],08dh           ; first byte of the pattern?
je a
inc eax
jmp @B
a: cmp byte ptr [eax+1],088h         ; second byte?
je @F
inc eax
jmp @B                               ; @B = the cmp at the loop top
@@:mov edx,dword ptr [eax+2]         ; disp32 operand, taken as the table address
mov KeServiceDescriptorTableShadow_addr,edx
popad
ret
GetKeServiceDescriptorTableShadow endp
;-----------------------------------------------------------------------
; MyNtUserFindWindowEx: replacement service routine. Converts the
; caller's window-name UNICODE_STRING to ANSI, prints it with DbgPrint,
; then forwards all five arguments to the original routine and returns
; its result. Declared with the same five-argument stdcall shape as
; NTUSERFINDWINDOWEX so the stack is cleaned up identically.
; In:    HwndParent, HwndChild, pstrClassName, pstrWindowName, dwType
;        (the raw service arguments as supplied by the caller)
; Out:   eax = whatever OldNtUserFindWindowEx returns
; NOTE(review): pstrWindowName is a caller-supplied pointer used with no
; NULL check and no probing - if the window name is absent or malformed
; this faults in the kernel (confirm how win32k marshals a NULL name).
; RtlUnicodeStringToAnsiString is called with AllocateDestinationString
; = TRUE but the result is never released with RtlFreeAnsiString, so the
; allocation leaks on every call. The `assume eax:ptr UNICODE_STRING` is
; unused (no field is accessed through it) and eax is clobbered by the
; invoke anyway.
;-----------------------------------------------------------------------
MyNtUserFindWindowEx proc HwndParent,HwndChild,pstrClassName,pstrWindowName,dwType
local strWindowName:ANSI_STRING      ; destination; its Buffer is allocated by the RTL call
mov eax,pstrWindowName
assume eax:ptr UNICODE_STRING
invoke RtlUnicodeStringToAnsiString,addr strWindowName,eax,TRUE
invoke DbgPrint,$CTA0("窗口标题 = %s\n"),strWindowName.Buffer
assume eax:nothing
invoke OldNtUserFindWindowEx,HwndParent,HwndChild,pstrClassName,pstrWindowName,dwType ; pass-through; eax = original's result
ret
MyNtUserFindWindowEx endp
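;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
; Installs the hook ("invoke KeDetachProcess" spacing restored; the
; listing had "invokeKeDetachProcess"):
;   1. resolve KeAddSystemServiceTable and scan it for the shadow table,
;   2. locate csrss.exe and attach to it,
;   3. save the pointer in slot 17Ah of the second service table and
;      overwrite it with MyNtUserFindWindowEx (write-protect off/on),
;   4. register DriverUnload.
; In:    pDriverObject; pRegistryPath (unused)
; Out:   eax = STATUS_SUCCESS, unconditionally
; Clobb: none visible besides eax (pushad/popad); flags
; NOTE(review): no step is checked - a NULL from
; MmGetSystemRoutineAddress, a failed signature scan, or a missing
; csrss.exe all fall through to the table write with garbage pointers,
; and the driver still reports success. The +10h descriptor offset and
; the 17Ah index are hard-coded for the author's XP build, as the post
; says. Overwriting a system service table entry is the textbook SSDT
; hook that integrity checks and hook scanners look for.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject: PDRIVER_OBJECT,pRegistryPath: PUNICODE_STRING
        pushad
        invoke  MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("KeAddSystemServiceTable")
        mov     KeAddSystemServiceTable_addr,eax      ; NULL is not checked
        invoke  GetKeServiceDescriptorTableShadow
        invoke  DbgPrint,$CTA0("KeServiceDescriptorTableShadow_addr = %X\n"),KeServiceDescriptorTableShadow_addr
        invoke  FindEPROCESS
        invoke  KeAttachProcess,Csrss_EPROCESS        ; the table is touched from csrss context
        mov     edi,KeServiceDescriptorTableShadow_addr
        add     edi,010h                              ; second descriptor entry (presumably win32k's ServiceTableBase - confirm against the XP layout)
        mov     edi, [edi]                            ; edi = service table base
        add     edi,17ah*4                            ; edi = &table[17Ah], the author's XP index for NtUserFindWindowEx
        mov     dwNtUserFindWindowEx,edi              ; remembered so DriverUnload can restore the slot
        mov     esi, [edi]
        mov     OldNtUserFindWindowEx, esi            ; original routine, called through by the hook
        invoke  DbgPrint,$CTA0("OldNtUserFindWindowEx = %X\n"),OldNtUserFindWindowEx
        invoke  DbgPrint,$CTA0("MyNtUserFindWindowEx = %X\n"),offset MyNtUserFindWindowEx
        invoke  WPOFF
        mov     dword ptr[edi],offset MyNtUserFindWindowEx ; the hook write itself
        invoke  WPON
        invoke  KeDetachProcess
        mov     eax,pDriverObject
        assume  eax:ptr DRIVER_OBJECT
        mov     [eax].DriverUnload,offset DriverUnload
        assume  eax:nothing
        popad
        mov     eax,STATUS_SUCCESS                    ; returned even when the steps above failed
        ret
DriverEntry endp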
end DriverEntry

都开始硬编码了。。。 硬编不实用~