InlineHook 修改的是 ZwOpenProcess 函数体中的指令（而不是 SSDT 里的表项）。

与 Resume HookSSDT 同理：找出原本正确的指令字节，覆盖回去即可。

突发奇想：有没有可能直接用一个驱动或者程序把 InlineHook 卸载掉？岂不是很爽。

做法是把磁盘上的干净文件直接映射进内存，例如 `WCHAR wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";`（前提是磁盘上的文件本身没有被篡改）。

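 /*
  * Map a PE file from disk as an *image* section into the address space of
  * the current process (the process whose context the driver is running in).
  * Despite the name, ZwMapViewOfSection(NtCurrentProcess(), ...) places the
  * view in that process's user-mode range, not in kernel space.
  *
  * wzFileFullPath     - NT path of the file, e.g. L"\\SystemRoot\\System32\\ntdll.dll"
  * MappingBaseAddress - receives the base of the mapped view
  * MappingViewSize    - receives the size of the mapped view
  *
  * Returns TRUE on success. The caller owns the view and releases it with
  * ZwUnmapViewOfSection(NtCurrentProcess(), *MappingBaseAddress).
  * Must be called at PASSIVE_LEVEL (file and section Zw calls).
  *
  * Security note: the bytes read through this mapping are only as trustworthy
  * as the on-disk file; a tampered system32\ntdll.dll (or ntoskrnl.exe) would
  * be taken as the "clean" reference by everything built on top of this.
  */
 BOOLEAN
     MappingPEFileInRing0Space(WCHAR* wzFileFullPath, OUT PVOID* MappingBaseAddress, PSIZE_T MappingViewSize)
 {
     UNICODE_STRING    uniFileFullPath;
     OBJECT_ATTRIBUTES oa;
     NTSTATUS          Status;
     IO_STATUS_BLOCK   Iosb;
     HANDLE            hFile = NULL;
     HANDLE            hSection = NULL;

     /* MappingViewSize is dereferenced by ZwMapViewOfSection, so it has to be
      * validated together with the other output pointer. */
     if (!wzFileFullPath || !MappingBaseAddress || !MappingViewSize) {
         return FALSE;
     }

     /* NULL base / zero size let the memory manager choose the address and map
      * the whole image; do not depend on the caller having cleared them. */
     *MappingBaseAddress = NULL;
     *MappingViewSize = 0;

     RtlInitUnicodeString(&uniFileFullPath, wzFileFullPath);
     InitializeObjectAttributes(&oa,
         &uniFileFullPath,
         OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,   /* kernel handle: not reachable from user mode */
         NULL,
         NULL);

     /* Open the file read-only. IO_NO_PARAMETER_CHECKING skips the probing done
      * for user-mode callers; every pointer passed here is a kernel address. */
     Status = IoCreateFile(&hFile,
         GENERIC_READ | SYNCHRONIZE,
         &oa,                           /* absolute NT path */
         &Iosb,
         NULL,                          /* AllocationSize */
         FILE_ATTRIBUTE_NORMAL,
         FILE_SHARE_READ,
         FILE_OPEN,                     /* fail if the file does not exist */
         FILE_SYNCHRONOUS_IO_NONALERT,
         NULL,                          /* EaBuffer */
         0,                             /* EaLength */
         CreateFileTypeNone,
         NULL,                          /* InternalParameters */
         IO_NO_PARAMETER_CHECKING);
     if (!NT_SUCCESS(Status)) {
         return FALSE;
     }

     /* Reuse the attributes for an unnamed section (the name belonged to the
      * file). SEC_IMAGE maps the file laid out the way the loader would load it
      * (sections at their virtual addresses), so export-table RVAs can simply
      * be added to the mapped base - it is not an alignment flag. */
     oa.ObjectName = NULL;
     Status = ZwCreateSection(&hSection,
         SECTION_QUERY | SECTION_MAP_READ,
         &oa,
         NULL,                          /* MaximumSize: whole file */
         PAGE_WRITECOPY,
         SEC_IMAGE,
         hFile);
     ZwClose(hFile);                    /* the section holds its own reference */
     if (!NT_SUCCESS(Status)) {
         return FALSE;
     }

     Status = ZwMapViewOfSection(hSection,
         NtCurrentProcess(),            /* the process we are currently attached to */
         MappingBaseAddress,
         0,                             /* ZeroBits */
         0,                             /* CommitSize */
         NULL,                          /* SectionOffset: from the start */
         MappingViewSize,               /* 0 in -> whole image; actual size out */
         ViewUnmap,
         0,                             /* AllocationType */
         PAGE_WRITECOPY);
     ZwClose(hSection);                 /* the view keeps the section alive */
     if (!NT_SUCCESS(Status)) {
         return FALSE;
     }

     return TRUE;
 }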

映射到当前进程的地址空间（函数名虽叫 Ring0Space，实际上 ZwMapViewOfSection(NtCurrentProcess(), …) 映射的是驱动当前所处进程的用户态地址空间）

首先获取 ntoskrnl 模块信息（基址和大小）

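 /*
  * Look up a loaded kernel module by a substring of its image path and return
  * its base address and size (Win7 x64 flavour: 64-bit base).
  *
  * szFindSystemModuleName - substring matched against SYSTEM_MODULE.ImageName
  *                          with strstr (case-sensitive, first match wins),
  *                          e.g. "ntoskrnl.exe"
  * ulMoudleBaseAddress    - receives the module base
  * ulModuleSize           - receives the module image size
  *
  * Returns TRUE if a module matched. PASSIVE_LEVEL only (paged pool, Zw call).
  *
  * NOTE(review): the kernel image is not always called ntoskrnl.exe (x86 PAE /
  * multiprocessor builds ship as ntkrnlpa.exe / ntkrnlmp.exe), so callers that
  * want "the kernel" should not hard-code that name - verify on the target.
  */
 BOOLEAN GetSystemMoudleInformationBySystemModuleNameInWin7_X64(char* szFindSystemModuleName, ULONG64* ulMoudleBaseAddress, ULONG32* ulModuleSize)
 {
     NTSTATUS Status = STATUS_SUCCESS;
     PVOID    Information = NULL;
     ULONG    ulNeeds = 0;
     ULONG    ulAttempts = 0;
     ULONG    i;
     BOOLEAN  bFound = FALSE;
     PSYSTEM_MODULE_INFORMATION pModules;

     if (!szFindSystemModuleName || !ulMoudleBaseAddress || !ulModuleSize) {
         return FALSE;
     }

     /* Ask for the required size, then allocate. The module list can grow
      * between the two calls (another driver loading), in which case the
      * second call reports STATUS_INFO_LENGTH_MISMATCH again with a larger
      * size - retry a few times instead of failing outright. */
     Status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &ulNeeds);
     while (Status == STATUS_INFO_LENGTH_MISMATCH && ulNeeds != 0 && ulAttempts++ < 4) {
         if (Information != NULL) {
             ExFreePoolWithTag(Information, 'ldoM');
             Information = NULL;
         }
         /* PagedPool is fine: we only touch the buffer at PASSIVE_LEVEL. */
         Information = ExAllocatePoolWithTag(PagedPool, ulNeeds, 'ldoM');
         if (Information == NULL) {
             return FALSE;
         }
         Status = ZwQuerySystemInformation(SystemModuleInformation, Information, ulNeeds, &ulNeeds);
     }

     if (!NT_SUCCESS(Status) || Information == NULL) {
         if (Information != NULL) {
             ExFreePoolWithTag(Information, 'ldoM');
         }
         return FALSE;
     }

     pModules = (PSYSTEM_MODULE_INFORMATION)Information;
     for (i = 0; i < pModules->NumberOfModules; i++) {
         if (strstr(pModules->Modules[i].ImageName, szFindSystemModuleName) != NULL) {
             *ulMoudleBaseAddress = (ULONG64)(ULONG_PTR)pModules->Modules[i].Base;
             *ulModuleSize        = (ULONG32)pModules->Modules[i].Size;
             bFound = TRUE;
             break;
         }
     }

     ExFreePoolWithTag(Information, 'ldoM');
     return bFound;
 }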

win7

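 /*
  * Look up a loaded kernel module by a substring of its image path and return
  * its base address and size (Windows XP x86 flavour: 32-bit base).
  *
  * szFindSystemModuleName - substring matched against SYSTEM_MODULE.ImageName
  *                          with strstr (case-sensitive, first match wins),
  *                          e.g. "ntoskrnl.exe"
  * ulMoudleBaseAddress    - receives the module base
  * ulModuleSize           - receives the module image size
  *
  * Returns TRUE if a module matched. PASSIVE_LEVEL only (paged pool, Zw call).
  *
  * NOTE(review): on XP x86 the kernel image is frequently ntkrnlpa.exe or
  * ntkrnlmp.exe rather than ntoskrnl.exe; a caller looking for "the kernel"
  * must account for that - verify on the target machine.
  */
 BOOLEAN GetSystemMoudleInformationBySystemModuleNameInWinXP_X86(char* szFindSystemModuleName, ULONG32* ulMoudleBaseAddress, ULONG32* ulModuleSize)
 {
     NTSTATUS Status = STATUS_SUCCESS;
     PVOID    Information = NULL;
     ULONG    ulNeeds = 0;
     ULONG    ulAttempts = 0;
     ULONG    i;
     BOOLEAN  bFound = FALSE;
     PSYSTEM_MODULE_INFORMATION pModules;

     if (!szFindSystemModuleName || !ulMoudleBaseAddress || !ulModuleSize) {
         return FALSE;
     }

     /* Size query, then allocate. The list may grow between the two calls, so
      * a repeated STATUS_INFO_LENGTH_MISMATCH is retried with the new size. */
     Status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &ulNeeds);
     while (Status == STATUS_INFO_LENGTH_MISMATCH && ulNeeds != 0 && ulAttempts++ < 4) {
         if (Information != NULL) {
             ExFreePoolWithTag(Information, 'ldoM');
             Information = NULL;
         }
         /* PagedPool is fine: the buffer is only touched at PASSIVE_LEVEL. */
         Information = ExAllocatePoolWithTag(PagedPool, ulNeeds, 'ldoM');
         if (Information == NULL) {
             return FALSE;
         }
         Status = ZwQuerySystemInformation(SystemModuleInformation, Information, ulNeeds, &ulNeeds);
     }

     if (!NT_SUCCESS(Status) || Information == NULL) {
         if (Information != NULL) {
             ExFreePoolWithTag(Information, 'ldoM');
         }
         return FALSE;
     }

     pModules = (PSYSTEM_MODULE_INFORMATION)Information;
     for (i = 0; i < pModules->NumberOfModules; i++) {
         if (strstr(pModules->Modules[i].ImageName, szFindSystemModuleName) != NULL) {
             /* 32-bit build: the base fits the ULONG32 out-parameter. */
             *ulMoudleBaseAddress = (ULONG32)(ULONG_PTR)pModules->Modules[i].Base;
             *ulModuleSize        = (ULONG32)pModules->Modules[i].Size;
             bFound = TRUE;
             break;
         }
     }

     ExFreePoolWithTag(Information, 'ldoM');
     return bFound;
 }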

winxp

获取 SSDT 地址（Win7 x64 下 KeServiceDescriptorTable 没有导出，只能从 KiSystemCall64 的代码中做特征搜索；XP x86 下直接取导出变量即可）

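 /*
  * Locate KeServiceDescriptorTable on Win7 x64, where it is not exported.
  *
  * MSR_LSTAR (0xC0000082) holds the syscall entry point (KiSystemCall64).
  * Within the first 0x500 bytes of that handler the table is loaded with
  *     lea r10, [rip+disp32]        ; 4C 8D 15 <disp32>
  * so the target is  instruction_address + 7 + disp32  (RIP-relative
  * displacements are signed and relative to the end of the 7-byte instruction).
  *
  * SSDTAddress - receives the table address, 0 if the pattern was not found
  * Returns TRUE when found.
  *
  * NOTE(review): signature scanning is build-specific. The first 4C 8D 15 after
  * LSTAR is assumed to be the KeServiceDescriptorTable load (the shadow table
  * is loaded into r11, 4C 8D 1D) - confirm on every kernel build you target.
  * PatchGuard on x64 bugchecks (0x109) when the SSDT or kernel code is
  * modified, so anything that *writes* through this address is a crash risk.
  */
 BOOLEAN GetSSDTAddressInWin7_X64(ULONG64* SSDTAddress)
 {
     const UCHAR LEA_R10_RIPREL[3] = { 0x4c, 0x8d, 0x15 };
     const ULONG LEA_LEN = 7;           /* opcode (3) + disp32 (4) */
     PUCHAR StartSearchAddress;
     PUCHAR EndSearchAddress;
     PUCHAR p;
     LONG   disp32;                     /* signed: must be sign-extended, not zero-extended */

     if (!SSDTAddress) {
         return FALSE;
     }
     *SSDTAddress = 0;

     StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);   /* e.g. fffff800`03ecf640 */
     EndSearchAddress   = StartSearchAddress + 0x500;

     for (p = StartSearchAddress; p + LEA_LEN <= EndSearchAddress; p++) {
         /* Every byte of a candidate instruction must be readable before we
          * touch it; kernel code is normally resident, but be defensive. */
         if (!MmIsAddressValid(p) || !MmIsAddressValid(p + LEA_LEN - 1)) {
             continue;
         }
         if (p[0] == LEA_R10_RIPREL[0] && p[1] == LEA_R10_RIPREL[1] && p[2] == LEA_R10_RIPREL[2]) {
             memcpy(&disp32, p + 3, sizeof(disp32));
             /* The original copied the 4-byte displacement into the low half of
              * a 64-bit variable, which mis-resolves negative displacements
              * (upper half stays zero). Widening a LONG sign-extends correctly;
              * the observed displacement here was 0x002320c7. */
             *SSDTAddress = (ULONG64)(p + LEA_LEN) + (INT64)disp32;
             break;
         }
     }

     return (*SSDTAddress != 0) ? TRUE : FALSE;
 }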

win7

 /*
  * Locate KeServiceDescriptorTable on Windows XP x86.
  *
  * On 32-bit kernels the table is an exported variable of ntoskrnl, so a plain
  * export lookup is enough (no code scanning needed, unlike x64):
  *
  *   kd> dd KeServiceDescriptorTable
  *   80563520  804e58a0 00000000 0000011c 805120bc
  *
  * SSDTAddress - receives the address, 0 when the lookup failed
  * Returns TRUE on success.
  */
 BOOLEAN GetSSDTAddressInWinXP_X86(ULONG32* SSDTAddress)
 {
     PVOID pTable = GetExportVariableAddressFormNtosExportTableByVariableName(L"KeServiceDescriptorTable");

     /* 32-bit build: the pointer fits the ULONG32 out-parameter. */
     *SSDTAddress = (ULONG32)pTable;

     return (*SSDTAddress != 0) ? TRUE : FALSE;
 }

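 /*
  * Resolve a symbol exported by ntoskrnl (or the HAL) by name through
  * MmGetSystemRoutineAddress; exported variables resolve the same way as
  * routines, which is how KeServiceDescriptorTable is found on x86.
  *
  * wzVariableName - export name, e.g. L"KeServiceDescriptorTable"
  * Returns the symbol's address, or NULL when wzVariableName is NULL or the
  * name is not exported (e.g. KeServiceDescriptorTable on x64 kernels).
  */
 PVOID
     GetExportVariableAddressFormNtosExportTableByVariableName(WCHAR *wzVariableName)
 {
     UNICODE_STRING uniVariableName;
     PVOID VariableAddress = NULL;

     if (wzVariableName != NULL)
     {
         RtlInitUnicodeString(&uniVariableName, wzVariableName);
         VariableAddress = MmGetSystemRoutineAddress(&uniVariableName);
     }

     return VariableAddress;
 }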

WinXP

再通过函数名从 ntdll 的导出表获取该函数的 SSDT 索引

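 /*
  * Read the SSDT index of an Nt*/Zw* service from the on-disk ntdll.dll
  * (Windows XP x86).
  *
  * ntdll is mapped as an image into the current process, its export table is
  * searched for szFindFunctionName, and the service number is taken from the
  * export's stub, which on XP x86 begins with
  *     B8 <imm32>      ; mov eax, <service index>
  * i.e. the index is the 4 bytes at offset 1.
  *
  * szFindFunctionName - exact (case-sensitive) export name, e.g. "ZwOpenProcess"
  * SSDTFunctionIndex  - receives the index, (ULONG32)-1 if not found
  * Returns TRUE only when the export exists and its stub has the expected form.
  * PASSIVE_LEVEL only. The answer is only as trustworthy as the on-disk ntdll.
  */
 BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWinXP_X86(CHAR* szFindFunctionName,
     ULONG32* SSDTFunctionIndex)
 {
     const ULONG32 ulOffset_SSDTFunctionIndex = 1;      /* imm32 follows the B8 opcode */
     const UCHAR   MOV_EAX_IMM32 = 0xB8;

     ULONG    i;
     BOOLEAN  bFound = FALSE;
     WCHAR    wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
     SIZE_T   MappingViewSize = 0;
     PVOID    MappingBaseAddress = NULL;
     PUCHAR   pImage = NULL;
     PUCHAR   pStub = NULL;
     PIMAGE_NT_HEADERS       NtHeader = NULL;
     PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
     ULONG32* AddressOfFunctions = NULL;
     ULONG32* AddressOfNames = NULL;
     USHORT*  AddressOfNameOrdinals = NULL;
     CHAR*    szFunctionName = NULL;
     ULONG32  ulFunctionOrdinal = 0;

     if (!szFindFunctionName || !SSDTFunctionIndex) {
         return FALSE;
     }
     *SSDTFunctionIndex = (ULONG32)-1;

     /* Map the on-disk ntdll.dll into the current process's address space. */
     if (!MappingPEFileInRing0Space(wzFileFullPath, &MappingBaseAddress, &MappingViewSize)) {
         return FALSE;
     }
     pImage = (PUCHAR)MappingBaseAddress;

     __try {
         NtHeader = RtlImageNtHeader(MappingBaseAddress);
         if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
             /* SEC_IMAGE mapping: RVAs are valid relative to the mapped base. */
             ExportDirectory       = (PIMAGE_EXPORT_DIRECTORY)(pImage + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
             AddressOfFunctions    = (ULONG32*)(pImage + ExportDirectory->AddressOfFunctions);
             AddressOfNames        = (ULONG32*)(pImage + ExportDirectory->AddressOfNames);
             AddressOfNameOrdinals = (USHORT*)(pImage + ExportDirectory->AddressOfNameOrdinals);

             for (i = 0; i < ExportDirectory->NumberOfNames; i++) {
                 szFunctionName = (CHAR*)(pImage + AddressOfNames[i]);
                 if (strcmp(szFunctionName, szFindFunctionName) != 0) {
                     continue;
                 }

                 ulFunctionOrdinal = AddressOfNameOrdinals[i];
                 /* A name ordinal past AddressOfFunctions means a corrupt table. */
                 if (ulFunctionOrdinal >= ExportDirectory->NumberOfFunctions) {
                     break;
                 }
                 pStub = pImage + AddressOfFunctions[ulFunctionOrdinal];

                 /* Only trust the index if the stub really is 'mov eax, imm32';
                  * a patched or unexpected stub would otherwise yield garbage
                  * that later gets used as an SSDT index. */
                 if (pStub[0] == MOV_EAX_IMM32) {
                     memcpy(SSDTFunctionIndex, pStub + ulOffset_SSDTFunctionIndex, sizeof(ULONG32));
                     bFound = TRUE;
                 }
                 break;
             }
         }
     } __except (EXCEPTION_EXECUTE_HANDLER) {
         /* Malformed image: report failure rather than a half-written index. */
         *SSDTFunctionIndex = (ULONG32)-1;
         bFound = FALSE;
     }

     ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress);

     return bFound;
 }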

WinXP

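 /*
  * Read the SSDT index of an Nt*/Zw* service from the on-disk ntdll.dll
  * (Win7 x64).
  *
  * ntdll is mapped as an image into the current process, its export table is
  * searched for szFindFunctionName, and the service number is taken from the
  * export's stub, which on Win7 x64 begins with
  *     4C 8B D1        ; mov r10, rcx
  *     B8 <imm32>      ; mov eax, <service index>
  * i.e. the index is the 4 bytes at offset 4.
  *
  * szFindFunctionName - exact (case-sensitive) export name, e.g. "ZwOpenProcess"
  * SSDTFunctionIndex  - receives the index, (ULONG32)-1 if not found
  * Returns TRUE only when the export exists and its stub has the expected form.
  * PASSIVE_LEVEL only. The answer is only as trustworthy as the on-disk ntdll.
  */
 BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWin7_X64(CHAR* szFindFunctionName, ULONG32* SSDTFunctionIndex)
 {
     const ULONG32 ulOffset_SSDTFunctionIndex = 4;      /* imm32 after 4C 8B D1 B8 */
     const UCHAR   STUB_PROLOGUE[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };

     ULONG    i;
     BOOLEAN  bFound = FALSE;
     WCHAR    wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
     SIZE_T   MappingViewSize = 0;
     PVOID    MappingBaseAddress = NULL;
     PUCHAR   pImage = NULL;
     PUCHAR   pStub = NULL;
     PIMAGE_NT_HEADERS       NtHeader = NULL;
     PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
     ULONG32* AddressOfFunctions = NULL;
     ULONG32* AddressOfNames = NULL;
     USHORT*  AddressOfNameOrdinals = NULL;
     CHAR*    szFunctionName = NULL;
     ULONG32  ulFunctionOrdinal = 0;

     if (!szFindFunctionName || !SSDTFunctionIndex) {
         return FALSE;
     }
     *SSDTFunctionIndex = (ULONG32)-1;

     /* Map the on-disk (64-bit) ntdll.dll into the current process's address space. */
     if (!MappingPEFileInRing0Space(wzFileFullPath, &MappingBaseAddress, &MappingViewSize)) {
         return FALSE;
     }
     pImage = (PUCHAR)MappingBaseAddress;

     __try {
         NtHeader = RtlImageNtHeader(MappingBaseAddress);
         if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
             /* SEC_IMAGE mapping: RVAs are valid relative to the mapped base. */
             ExportDirectory       = (PIMAGE_EXPORT_DIRECTORY)(pImage + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
             AddressOfFunctions    = (ULONG32*)(pImage + ExportDirectory->AddressOfFunctions);
             AddressOfNames        = (ULONG32*)(pImage + ExportDirectory->AddressOfNames);
             AddressOfNameOrdinals = (USHORT*)(pImage + ExportDirectory->AddressOfNameOrdinals);

             for (i = 0; i < ExportDirectory->NumberOfNames; i++) {
                 szFunctionName = (CHAR*)(pImage + AddressOfNames[i]);
                 if (strcmp(szFunctionName, szFindFunctionName) != 0) {
                     continue;
                 }

                 ulFunctionOrdinal = AddressOfNameOrdinals[i];
                 /* A name ordinal past AddressOfFunctions means a corrupt table. */
                 if (ulFunctionOrdinal >= ExportDirectory->NumberOfFunctions) {
                     break;
                 }
                 pStub = pImage + AddressOfFunctions[ulFunctionOrdinal];

                 /* Only trust the index if the stub has the 'mov r10,rcx; mov eax,imm32'
                  * prologue; a patched or unexpected stub would otherwise yield
                  * garbage that later gets used as an SSDT index. */
                 if (memcmp(pStub, STUB_PROLOGUE, sizeof(STUB_PROLOGUE)) == 0) {
                     memcpy(SSDTFunctionIndex, pStub + ulOffset_SSDTFunctionIndex, sizeof(ULONG32));
                     bFound = TRUE;
                 }
                 break;
             }
         }
     } __except (EXCEPTION_EXECUTE_HANDLER) {
         /* Malformed image: report failure rather than a half-written index. */
         *SSDTFunctionIndex = (ULONG32)-1;
         bFound = FALSE;
     }

     ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress);

     return bFound;
 }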

win7

得到索引后，从 SSDT 中取出该索引对应的表项，就能得到函数在内核中的地址。

找到函数地址后，在映射进来的干净 ntoskrnl 镜像中取出对应位置的原始指令字节，覆盖回去即可。两点注意：SEC_IMAGE 映射后的镜像基址与内核实际加载基址不同，x86 下含有绝对地址的指令需要按基址差做重定位后再比对/恢复；另外 x64 上 PatchGuard 会检测对内核代码和 SSDT 的修改并触发 0x109 蓝屏，这种"恢复"在 Win7 x64 上本身就是有风险的操作。

http://www.cnblogs.com/yifi/p/4968944.html
