尘埃416 发表于 2024-3-11 13:27:28

驱动相关:恢复游戏的InlineHook ZwOpenProcess源码

#include<ntddk.h>
#include<windef.h>
/*
 * The author's view of one kernel system service descriptor table entry.
 * Field names are the author's own.  Only ServiceTableBase is ever read in
 * this file (Hook/Unhook index into it by service number * 4); the other
 * three fields are unused here, so their exact meaning is not established
 * by this code.
 */
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PVOID ServiceTableBase;            // base of the array of service routine addresses
PULONG ServiceCounterTableBase;    // unused in this file
ULONG NumberTableBase;             // unused in this file (author's name for this field)
ULONG ParamTableBase;              // unused in this file
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;

/* Expected to resolve at link time to the kernel's exported descriptor table
 * pointer of the same name; nothing in this file validates it before use. */
extern PSERVICE_DESCRIPTOR_TABLE    KeServiceDescriptorTable;


/* Signature of the original NtOpenProcess service routine as the author
 * declared it; used to call the saved SSDT entry from MyNtOpenProcess. */
typedef NTSTATUS (*REALZWOPENPROCESS)
      (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId);

/* Original SSDT entry for NtOpenProcess, captured in Hook() before the slot
 * is overwritten, and called from MyNtOpenProcess. */
REALZWOPENPROCESS    RealZwOpenProcess;

//***************************************************************************
VOID Hook();
VOID Unhook();
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
/* Return value of the last forwarded NtOpenProcess call.  This is a single
 * global, not per-call state: every thread that enters MyNtOpenProcess
 * writes it with no synchronization, and nothing in this file reads it. */
NTSTATUS rc;
//////////////////////////////////////
ULONG JmpAddress;//address inside the original NtOpenProcess to continue at (OldServiceAddress + 10, set in Hook)
ULONG OldServiceAddress;//original NtOpenProcess service address read from the SSDT slot
//////////////////////////////////////
/*
 * Replacement routine that Hook() writes into the NtOpenProcess SSDT slot.
 *
 * It is declared naked/stdcall, so the compiler emits no prologue or
 * epilogue: the C call below runs on whatever frame the caller left, and the
 * routine ends in inline asm rather than a return.  The asm replays two
 * pushes (the author's comment says they are ten bytes in total; presumably
 * the first instructions of the original routine that the game's inline hook
 * overwrote, which this page does not show) and then a `jmp` that, as pasted,
 * has no operand, so the block as shown is incomplete.  The only candidate
 * target this file defines is the global JmpAddress (OldServiceAddress + 10).
 *
 * The pushed constant 804daab0h is a literal kernel address and is only
 * meaningful for the single kernel build the author worked against.
 *
 * Observable behaviour as written: the original service is reached twice per
 * call, once through RealZwOpenProcess (return value stored in the shared
 * global rc, which is never read) and once via the replayed prologue.  rc is
 * written from every thread that calls NtOpenProcess, with no locking.
 *
 * Defensive note: an SSDT slot pointing into a third-party driver image is a
 * well-known integrity-check indicator; on x64 this whole technique is what
 * kernel patch protection exists to detect.
 */
__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId)
{
//DbgPrint("NtOpenProcess() called");
//DbgPrint("RealZwOpenProcess:0x%08X",RealZwOpenProcess);
// Forward to the saved SSDT entry first; the result lands in the global rc.
rc = (NTSTATUS)(REALZWOPENPROCESS)RealZwOpenProcess( ProcessHandle, DesiredAccess, ObjectAttributes, ClientId );


__asm{
    push    0C4h
    push    804daab0h// these two pushes are ten bytes in total (author's note)
    jmp         // no operand in the pasted source; see the header comment
}
}


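/*
 * Driver entry point: registers OnUnload and immediately installs the SSDT
 * hook.  Hook() returns VOID, so there is no failure path here and the driver
 * always reports STATUS_SUCCESS, even if the hook was not installed as
 * intended.
 *
 * DriverObject: driver object supplied by the I/O manager; only DriverUnload
 *               is set on it.
 * RegistryPath: unused; marked so a warning-level-4 build does not complain.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
UNREFERENCED_PARAMETER(RegistryPath);

DriverObject->DriverUnload = OnUnload;
DbgPrint("Unhooker load");
Hook();
return STATUS_SUCCESS;
}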
/////////////////////////////////////////////////////
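/*
 * Unload routine registered in DriverEntry: puts the original SSDT entry
 * back.  Unhook() does not wait for threads that may still be executing
 * inside MyNtOpenProcess, so unloading while NtOpenProcess is in use is a
 * race this code does not handle.
 *
 * DriverObject: unused; marked so a warning-level-4 build does not complain.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
UNREFERENCED_PARAMETER(DriverObject);

DbgPrint("Unhooker unload!");
Unhook();
}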
/////////////////////////////////////////////////////

/*
 * Installs MyNtOpenProcess into the NtOpenProcess slot of the SSDT.
 *
 * The slot is located as ServiceTableBase + 0x7A * 4: the service index 0x7A
 * is hard-coded and is only valid for the Windows build the author targeted;
 * it is not looked up or validated.  The original entry is saved in
 * OldServiceAddress / RealZwOpenProcess and JmpAddress is set to the
 * original entry + 10 (the length the author gives for the replayed prologue
 * in MyNtOpenProcess).
 *
 * Write protection is lifted by clearing bit 16 of CR0 (the WP flag) around
 * the store.  cli/sti and CR0 are per-processor: this disables interrupts
 * and write protection on the current CPU only and provides no exclusion
 * against other processors touching the same table.  No check is made that
 * the slot is not already hooked by something else.
 *
 * Note: the asm lines below appear to have lost the whitespace between
 * mnemonic and operands in this paste (`moveax,cr0`, `andeax,...`,
 * `movcr0,eax`); they are reproduced here as found.
 *
 * Defensive note: clearing CR0.WP from a driver and overwriting a service
 * table entry are the canonical signals that kernel integrity checks look
 * for; the DbgPrint lines also leak every address involved to any debugger
 * or log reader.
 */
VOID Hook()
{
ULONG Address;
Address=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x7A*4;
DbgPrint("Address:0x%08X",Address);
OldServiceAddress=*(ULONG*)Address;
RealZwOpenProcess=(REALZWOPENPROCESS)OldServiceAddress;
DbgPrint("OldServiceAddress:0x%08X",OldServiceAddress);
DbgPrint("MyNtOpenProcess:0x%08X",MyNtOpenProcess);
JmpAddress=OldServiceAddress+10;
DbgPrint("JmpAddress:0x%08X",JmpAddress);

__asm{// lift memory write protection (CR0.WP) on this processor
    cli
         moveax,cr0
    andeax,not 10000h
    movcr0,eax
   }


*((ULONG*)Address) = (ULONG)MyNtOpenProcess;// overwrite the SSDT slot (HOOK SSDT)

__asm{// restore memory write protection
          moveax,cr0
    or   eax,10000h
    movcr0,eax
    sti
       }

}


/*
 * Writes OldServiceAddress back into the NtOpenProcess SSDT slot.
 *
 * Mirrors Hook(): same hard-coded index 0x7A, same per-processor CR0.WP
 * toggle around the store.  The slot is restored unconditionally; there is no
 * check that it still holds MyNtOpenProcess (if another hook was layered on
 * top after ours, it is silently unlinked), and no check that Hook() ran at
 * all (OldServiceAddress would then be 0).  Nothing waits for threads that
 * may still be inside MyNtOpenProcess before the driver image goes away.
 *
 * Note: `ULONGAddress;` and the asm mnemonics have lost their whitespace in
 * this paste; the text is reproduced here as found.
 */
VOID Unhook()
{
ULONGAddress;
Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;// locate the SSDT slot

__asm{// lift memory write protection (CR0.WP) on this processor
    cli
          moveax,cr0
    andeax,not 10000h
    movcr0,eax
}

*((ULONG*)Address) = (ULONG)OldServiceAddress;// restore the original SSDT entry

__asm{// restore memory write protection
         moveax,cr0
    or   eax,10000h
    movcr0,eax
    sti
}

DbgPrint("Unhook");
}