ShadowSSDT Hook 拦截NtUserFindWindowEx函数

zzage · 发表于 2009-9-6 02:28

硬编码了...只支持XP系统,写得比较搓,有不好的地方,请多多指教!

;ShadowSSDT Hook 拦截NtUserFindWindowEx函数
;Code:zzage[LCG][DST]
;Bolg:http://hi.baidu.com/zzage
.386
.model flat,stdcall
option casemap:none

include D:\RadASM\masm32\include\w2k\ntstatus.inc
include D:\RadASM\masm32\include\w2k\ntddk.inc
include D:\RadASM\masm32\include\w2k\ntoskrnl.inc
includelib D:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include D:\RadASM\masm32\Macros\Strings.mac

_NTUSERFINDWINDOWEX typedef proto :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NTUSERFINDWINDOWEX typedef ptr _NTUSERFINDWINDOWEX

.data
KeAddSystemServiceTable_addr dd ?
KeServiceDescriptorTableShadow_addr dd ?
Csrss_EPROCESS dd 0
dwNtUserFindWindowEx dd ?
OldNtUserFindWindowEx NTUSERFINDWINDOWEX ?
g_Cr0 dd ?

.code

WPOFF proc
push eax
cli
mov eax,cr0
mov g_Cr0,eax
and eax,0fffeffffh
mov cr0,eax
pop eax
ret
WPOFF endp

WPON proc
      push eax
      mov  eax,g_Cr0
      mov  cr0,eax
      sti
      pop  eax
      ret
WPON endp

DriverUnload proc pDriverObject: PDRIVER_OBJECT

pushad
invoke KeAttachProcess,Csrss_EPROCESS
      invoke DbgPrint,$CTA0("驱动卸载成功\n")
      invoke WPOFF
      mov esi,dwNtUserFindWindowEx
      mov edx,OldNtUserFindWindowEx
      mov dword ptr [esi],edx
      invoke WPON
      invoke  KeDetachProcess
      popad
ret

DriverUnload endp

FindEPROCESS proc
      pushad
      invoke IoGetCurrentProcess
      lea edi,[eax+88h]
      mov esi,dword ptr [edi]
   @@:lea ebx,[esi-88h]
      mov Csrss_EPROCESS, ebx
      lea eax,[ebx+174h]
      invoke _strnicmp,eax, $CTA0("csrss.exe"),9
      or    eax,eax
      jne a
      jmp b
   a: mov esi,dword ptr [esi]
      cmp esi,edi
      jne @B
   b: invoke DbgPrint,$CTA0("Csrss_EPROCESS = %X\n"),Csrss_EPROCESS
      popad
      ret
FindEPROCESS endp

GetKeServiceDescriptorTableShadow proc

      pushad
      mov eax,KeAddSystemServiceTable_addr
   @@:cmp byte ptr [eax],08dh
      je a
      inc eax
      jmp @B
   a: cmp byte ptr [eax+1],088h
      je @F
      inc eax
      jmp @B
   @@:mov edx,dword ptr [eax+2]
      mov KeServiceDescriptorTableShadow_addr,edx
popad
ret

GetKeServiceDescriptorTableShadow endp

MyNtUserFindWindowEx proc HwndParent,HwndChild,pstrClassName,pstrWindowName,dwType

      local strWindowName:ANSI_STRING

mov eax,pstrWindowName
      assume eax:ptr UNICODE_STRING
      invoke RtlUnicodeStringToAnsiString,addr strWindowName,eax,TRUE
      invoke DbgPrint,$CTA0("窗口标题 = %s\n"),strWindowName.Buffer
      assume eax:nothing
invoke OldNtUserFindWindowEx,HwndParent,HwndChild,pstrClassName,pstrWindowName,dwType
ret

MyNtUserFindWindowEx endp

DriverEntry proc pDriverObject: PDRIVER_OBJECT,pRegistryPath: PUNICODE_STRING

pushad
invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("KeAddSystemServiceTable")
mov KeAddSystemServiceTable_addr,eax
      invoke GetKeServiceDescriptorTableShadow
      invoke DbgPrint,$CTA0("KeServiceDescriptorTableShadow_addr = %X\n"),KeServiceDescriptorTableShadow_addr
      invoke FindEPROCESS
      invoke KeAttachProcess,Csrss_EPROCESS
      mov edi,KeServiceDescriptorTableShadow_addr
      add edi,010h
      mov edi, [edi]
      add edi,17ah*4
      mov dwNtUserFindWindowEx,edi
      mov esi, [edi]
      mov OldNtUserFindWindowEx, esi
      invoke DbgPrint,$CTA0("OldNtUserFindWindowEx = %X\n"),OldNtUserFindWindowEx
      invoke DbgPrint,$CTA0("MyNtUserFindWindowEx = %X\n"),offset MyNtUserFindWindowEx
      invoke WPOFF
      mov dword ptr[edi],offset MyNtUserFindWindowEx
      invoke WPON
      invoke  KeDetachProcess
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset DriverUnload
assume eax:nothing
popad
mov eax,STATUS_SUCCESS
ret

DriverEntry endp

end DriverEntry

ximo · 发表于 2009-9-7 22:36

都开始硬编码了。。。

panti · 发表于 2012-5-2 16:47

硬编不实用~

帐号		自动登录	找回密码
密码			注册[Register]

[其他转载] ShadowSSDT Hook 拦截NtUserFindWindowEx函数