在InlineHook中修改了zwOpenProcess函数的中的指令

与Resume HookSSDT同理 找出一个正确的值覆盖上去就行、

突发奇想  有没有可能上去一个驱动或者程序  直接卸载掉InlineHook 岂不是很爽

直接映射WCHAR    wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";

 BOOLEAN
MappingPEFileInRing0Space(WCHAR* wzFileFullPath,OUT PVOID* MappingBaseAddress,PSIZE_T MappingViewSize)
{
UNICODE_STRING uniFileFullPath;
OBJECT_ATTRIBUTES oa;
NTSTATUS Status;
IO_STATUS_BLOCK Iosb; HANDLE hFile = NULL;
HANDLE hSection = NULL; if (!wzFileFullPath || !MappingBaseAddress){
return FALSE;
} RtlInitUnicodeString(&uniFileFullPath, wzFileFullPath);
InitializeObjectAttributes(&oa,
&uniFileFullPath,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL
); //获得文件句柄
Status = IoCreateFile(&hFile,
GENERIC_READ | SYNCHRONIZE,
&oa, //文件绝对路径
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
,
CreateFileTypeNone,
NULL,
IO_NO_PARAMETER_CHECKING
);
if (!NT_SUCCESS(Status))
{ return FALSE;
} oa.ObjectName = NULL;
Status = ZwCreateSection(&hSection,
SECTION_QUERY | SECTION_MAP_READ,
&oa,
NULL,
PAGE_WRITECOPY,
SEC_IMAGE, //?? 指示内存对齐
hFile
);
ZwClose(hFile);
if (!NT_SUCCESS(Status))
{ return FALSE;
}
Status = ZwMapViewOfSection(hSection,
NtCurrentProcess(), //映射到当前进程的内存空间中
MappingBaseAddress,
,
,
,
MappingViewSize,
ViewUnmap,
,
PAGE_WRITECOPY
);
ZwClose(hSection);
if (!NT_SUCCESS(Status))
{
return FALSE;
} return TRUE;
}

映射到ring0层

首先 先获取到ntoskrnl模块信息

 BOOLEAN GetSystemMoudleInformationBySystemModuleNameInWin7_X64(char* szFindSystemModuleName,ULONG64* ulMoudleBaseAddress,ULONG32* ulModuleSize)
{
int i = ;
NTSTATUS Status = STATUS_SUCCESS;
PVOID Information = NULL;
ULONG ulNeeds = ; Status = ZwQuerySystemInformation(SystemModuleInformation,NULL,,&ulNeeds); if (Status!=STATUS_INFO_LENGTH_MISMATCH)
{
return FALSE;
}
Information = ExAllocatePool(PagedPool,ulNeeds); //PagedPool(数据段 置换到磁盘) NonPagedPool(代码段 不置换到磁盘) if (Information==NULL)
{
return FALSE;
}
Status = ZwQuerySystemInformation(SystemModuleInformation,Information,ulNeeds,&ulNeeds); if (!NT_SUCCESS(Status))
{
ExFreePool(Information);
return FALSE;
} for (i=;i<((PSYSTEM_MODULE_INFORMATION)Information)->NumberOfModules;i++)
{ if (strstr(((PSYSTEM_MODULE_INFORMATION)Information)->Modules[i].ImageName,
szFindSystemModuleName)!=NULL) //Ntoskernel.exe
{
*ulMoudleBaseAddress = ((PSYSTEM_MODULE_INFORMATION)Information)->Modules[i].Base;
*ulModuleSize = ((PSYSTEM_MODULE_INFORMATION)Information)->Modules[i].Size; if (Information!=NULL)
{
ExFreePool(Information);
Information = NULL;
}
return TRUE; } } if (Information!=NULL)
{
ExFreePool(Information);
Information = NULL;
} return FALSE;
}

win7

 BOOLEAN GetSystemMoudleInformationBySystemModuleNameInWinXP_X86(char* szFindSystemModuleName,ULONG32* ulMoudleBaseAddress,ULONG32* ulModuleSize)
{
int i = ;
NTSTATUS Status = STATUS_SUCCESS;
PVOID Information = NULL;
ULONG ulNeeds = ; Status = ZwQuerySystemInformation(SystemModuleInformation,NULL,,&ulNeeds); if (Status!=STATUS_INFO_LENGTH_MISMATCH)
{
return FALSE;
}
Information = ExAllocatePool(PagedPool,ulNeeds); //PagedPool(数据段 置换到磁盘) NonPagedPool(代码段 不置换到磁盘) if (Information==NULL)
{
return FALSE;
}
Status = ZwQuerySystemInformation(SystemModuleInformation,Information,ulNeeds,&ulNeeds); if (!NT_SUCCESS(Status))
{
ExFreePool(Information);
return FALSE;
} for (i=;i<((PSYSTEM_MODULE_INFORMATION)Information)->NumberOfModules;i++)
{ if (strstr(((PSYSTEM_MODULE_INFORMATION)Information)->Modules[i].ImageName,
szFindSystemModuleName)!=NULL) //Ntoskernel.exe
{
*ulMoudleBaseAddress = ((PSYSTEM_MODULE_INFORMATION)Information)->Modules[i].Base;
*ulModuleSize = ((PSYSTEM_MODULE_INFORMATION)Information)->Modules[i].Size; if (Information!=NULL)
{
ExFreePool(Information);
Information = NULL;
}
return TRUE; } } if (Information!=NULL)
{
ExFreePool(Information);
Information = NULL;
} return FALSE;
}

winxp

获取到SSDTAddress

 BOOLEAN GetSSDTAddressInWin7_X64(ULONG64* SSDTAddress)
{ PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082); //fffff800`03ecf640
PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
PUCHAR i = NULL;
UCHAR v1=,v2=,v3=;
INT64 iOffset = ; //002320c7
ULONG64 VariableAddress = ;
*SSDTAddress = NULL;
for(i=StartSearchAddress;i<EndSearchAddress;i++)
{
if( MmIsAddressValid(i) && MmIsAddressValid(i+) && MmIsAddressValid(i+) )
{
v1=*i;
v2=*(i+);
v3=*(i+);
if(v1==0x4c && v2==0x8d && v3==0x15 )
{
memcpy(&iOffset,i+,);
*SSDTAddress = iOffset + (ULONG64)i + ; break;
}
}
} if (*SSDTAddress==NULL)
{
return FALSE;
}
return TRUE;
}

win7

 BOOLEAN GetSSDTAddressInWinXP_X86(ULONG32* SSDTAddress)
{
//从NtosKernel.exe 模块中的导出表获得该导出变量 KeServiceDescriptorTable /*
kd> dd KeServiceDescriptorTable
80563520 804e58a0 00000000 0000011c 805120bc
*/
*SSDTAddress = NULL;
*SSDTAddress = (ULONG32)GetExportVariableAddressFormNtosExportTableByVariableName(L"KeServiceDescriptorTable"); if (*SSDTAddress!=NULL)
{
return TRUE;
} return FALSE;
} PVOID
GetExportVariableAddressFormNtosExportTableByVariableName(WCHAR *wzVariableName)
{
UNICODE_STRING uniVariableName;
PVOID VariableAddress = NULL; if (wzVariableName && wcslen(wzVariableName) > )
{
RtlInitUnicodeString(&uniVariableName, wzVariableName); //从Ntos模块的导出表中获得一个导出变量的地址
VariableAddress = MmGetSystemRoutineAddress(&uniVariableName);
} return VariableAddress;
}

WinXP

在通过函数名获取到函数索引

 BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWinXP_X86(CHAR* szFindFunctionName,
ULONG32* SSDTFunctionIndex)
{ ULONG32 ulOffset_SSDTFunctionIndex = ; //从Ntdll模块的导出表中获得7c92d5e0
//使用内存映射将Ntdll模块映射到System进程的内存空间进行查找(Ntdll.dll模块的导出表中进行搜索)
ULONG i;
BOOLEAN bOk = FALSE;
WCHAR wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
SIZE_T MappingViewSize = ;
PVOID MappingBaseAddress = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
ULONG32* AddressOfFunctions = NULL;
ULONG32* AddressOfNames = NULL;
USHORT* AddressOfNameOrdinals = NULL;
CHAR* szFunctionName = NULL;
ULONG32 ulFunctionOrdinal = ;
ULONG32 ulFunctionAddress = ; *SSDTFunctionIndex = -; //将Ntdll.dll 当前的空间中
bOk = MappingPEFileInRing0Space(wzFileFullPath,&MappingBaseAddress, &MappingViewSize);
if (bOk==FALSE)
{
return FALSE;
}
else
{
__try{
NtHeader = RtlImageNtHeader(MappingBaseAddress);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
ExportDirectory =(IMAGE_EXPORT_DIRECTORY*)((ULONG32)MappingBaseAddress + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); AddressOfFunctions = (ULONG32*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfFunctions);
AddressOfNames = (ULONG32*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfNames);
AddressOfNameOrdinals = (USHORT*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfNameOrdinals);
for(i = ; i < ExportDirectory->NumberOfNames; i++)
{
szFunctionName = (char*)((ULONG32)MappingBaseAddress + AddressOfNames[i]); //获得函数名称
if (_stricmp(szFunctionName, szFindFunctionName) == )
{
ulFunctionOrdinal = AddressOfNameOrdinals[i];
ulFunctionAddress = (ULONG32)((ULONG32)MappingBaseAddress + AddressOfFunctions[ulFunctionOrdinal]); *SSDTFunctionIndex = *(ULONG32*)(ulFunctionAddress+ulOffset_SSDTFunctionIndex);
break;
}
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
} ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress); if (*SSDTFunctionIndex==-)
{
return FALSE;
} return TRUE;
}

WinXP

 BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWin7_X64(CHAR* szFindFunctionName,ULONG32* SSDTFunctionIndex)
{ ULONG32 ulOffset_SSDTFunctionIndex = ; ULONG i;
BOOLEAN bOk = FALSE;
WCHAR wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
SIZE_T MappingViewSize = ;
PVOID MappingBaseAddress = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
ULONG32* AddressOfFunctions = NULL;
ULONG32* AddressOfNames = NULL;
USHORT* AddressOfNameOrdinals = NULL;
CHAR* szFunctionName = NULL;
ULONG32 ulFunctionOrdinal = ;
ULONG64 ulFunctionAddress = ; *SSDTFunctionIndex = -; //将Ntdll.dll 当前的空间中
bOk = MappingPEFileInRing0Space(wzFileFullPath,&MappingBaseAddress, &MappingViewSize);
if (bOk==FALSE)
{
return FALSE;
}
else
{
__try{
NtHeader = RtlImageNtHeader(MappingBaseAddress);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
ExportDirectory =(IMAGE_EXPORT_DIRECTORY*)((ULONG64)MappingBaseAddress + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); AddressOfFunctions = (ULONG32*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfFunctions);
AddressOfNames = (ULONG32*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfNames);
AddressOfNameOrdinals = (USHORT*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfNameOrdinals);
for(i = ; i < ExportDirectory->NumberOfNames; i++)
{
szFunctionName = (char*)((ULONG64)MappingBaseAddress + AddressOfNames[i]); //获得函数名称
if (_stricmp(szFunctionName, szFindFunctionName) == )
{
ulFunctionOrdinal = AddressOfNameOrdinals[i];
ulFunctionAddress = (ULONG64)((ULONG64)MappingBaseAddress + AddressOfFunctions[ulFunctionOrdinal]); *SSDTFunctionIndex = *(ULONG32*)(ulFunctionAddress+ulOffset_SSDTFunctionIndex);
break;
}
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
} ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress); if (*SSDTFunctionIndex==-)
{
return FALSE;
} return TRUE;
}

win7

得到索引后 就能得到函数的地址

找到函数的地址 然后在映射的内存中取出争取的地址  回复回去

http://www.cnblogs.com/yifi/p/4968944.html

Resume InlineHookSSDT的更多相关文章

  1. Pause/Resume Instance 操作详解 - 每天5分钟玩转 OpenStack(34)

    本节通过日志详细分析 Nova Pause/Resume 操作. 有时需要短时间暂停 instance,可以通过 Pause 操作将 instance 的状态保存到宿主机的内存中.当需要恢复的时候,执 ...

  2. ZeroMQ接口函数之 :zmq_proxy_steerable – 以STOP/RESUME/TERMINATE控制方式开启内置的ZMQ代理

    ZeroMQ API 目录 :http://www.cnblogs.com/fengbohello/p/4230135.html ——————————————————————————————————— ...

  3. Win10开机提示Resume from Hibernation该怎么办?

    Windows10系统的电脑开机提示:Resume from Hibernation(从休眠恢复),这是电脑没有真正关机,而是上次关机时进入了[休眠状态],所以开机时提示:从休眠恢复.如何解决Wind ...

  4. Delphi线程简介---Create及其参数、Resume、Suspend

    TThread在Classes单元里的声明如下 type TThread = class private FHandle: THandle; FThreadID: THandle; FTerminat ...

  5. 转,CV和resume的区别

    一直以来,BBS上的信息资料都传达给我一个网上“主流”的关于CV和resume的看法: CV约等于Resume,前者略倾向于学术,后者略倾向于工作经验,字数控制在1-2页内 说实话,一直以来我也就这么 ...

  6. 被废弃的 Thread.stop, Thread.suspend, Thread.resume 和Runtime.runFinalizersOnExit

    最近学习多线程的知识,看到API里说这些方法被废弃了,就查了一下原因 Thread.stop 这个方法会解除被加锁的对象的锁,因而可能造成这些对象处于不一致的状态,而且这个方法造成的ThreadDea ...

  7. Don’t use Suspend and Resume, but don’t poll either.

    http://www.paradicesoftware.com/blog/2014/02/dont-use-suspend-and-resume-but-dont-poll-either/ Don’t ...

  8. Android中Linux suspend/resume流程

    Android中Linux suspend/resume流程首先我们从linux kernel 的suspend说起,不管你是使用echo mem > /sys/power/state 或者使用 ...

  9. Delphi 线程resume 不能调用Execute

    如果Resume不能唤起线程,请试试如下的函数,试试. GetExitCodeThread(ThreadHandle,ExitCode)来取得ExitCode,如果ExitCode=STILL_ACT ...

随机推荐

  1. STRUTS2 标签 循环次数

    *<s:property value="menus.size()"/> * <s:if test='menus.size()>8'>    sssss ...

  2. [转载] HTTP 协议漫谈

    原文: http://blog.jobbole.com/88199/ 简介 网络上已经有不少介绍HTTP的的好文章.对HTTP的一些细节介绍的比较好,所以本篇文章不会对HTTP的细节进行深究,而是从够 ...

  3. linux学习笔记2-命令总结2

    权限管理命令  chmod 其他权限管理名  chgrp  chown  umask ========================================================= ...

  4. 01 Developing Successful Oracle Applications

    varchar2 类型定义时, 个人认为应该选择byte 类型, 即 varchar2(20), oracle 支持的最大的字符串是 varchar2(4000), 同时, 个人认为, 当你定义一个v ...

  5. JavaSE复习_10 多线程复习

    △wait()和sleep()的区别:  1.wait():没有等待时间,而sleep()需要有等待时间作为参数.  2.在同步中对于CPU的执行权和锁的处理不同:   wait()会释放执行权和锁. ...

  6. 【夯实Mysql基础】记一次mysql语句的优化过程!

      1. [事件起因] 今天在做项目的时候,发现提供给客户端的接口时间很慢,达到了2秒多,我第一时间,抓了接口,看了运行的sql,发现就是 2个sql慢,分别占了1秒多. 一个sql是 链接了5个表同 ...

  7. 【Todo】pthread_key_t 和 pthread_once_t学习

    这两个函数应该都是和线程局部变量有关的.有时间学习一下. 可以参考如下文章: <Linux线程私有数据pthread_key_t> <posix多线程有感--线程高级编程(pthre ...

  8. iOS开发之Xcode6 之手动添加Pch预编译文件

    参考文档 http://blog.csdn.net/crazyzhang1990/article/details/44243343 红色部分为本人自己补充注意事项 在Xcode6之前,创建一个新工程x ...

  9. hdu 4864 Task

    题目链接:hdu 4864 其实就是个贪心,只是当初我想的有偏差,贪心的思路不对,应该是这样子的: 因为 xi 的权值更重,所以优先按照 x 来排序,而这样的排序方式决定了在满足任务(即 xi > ...

  10. NowCoder猜想(素数筛法+位压缩)

    在期末被各科的大作业碾压快要窒息之际,百忙之中抽空上牛客网逛了逛,无意中发现一道好题,NowCoder猜想,题意很明显,就是个简单的素数筛法,但竟然超内存了,我晕(+﹏+)~  明明有 3 万多 k ...