在InlineHook中修改了ZwOpenProcess函数中的指令

与Resume HookSSDT同理，找出一个正确的值覆盖上去就行。

突发奇想  有没有可能上去一个驱动或者程序  直接卸载掉InlineHook 岂不是很爽

直接映射WCHAR    wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";

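 /*
  * Map a PE file from disk into the CURRENT process' address space as a
  * SEC_IMAGE section (read-only, copy-on-write pages).
  *
  * wzFileFullPath     - NT path of the image, e.g. L"\\SystemRoot\\System32\\ntdll.dll".
  * MappingBaseAddress - in: preferred base, or NULL to let the system choose;
  *                      out: base address of the mapped view.
  * MappingViewSize    - in: bytes to map, or 0 for the whole section;
  *                      out: size of the view actually mapped.
  * Returns TRUE on success.  The caller owns the view and releases it with
  * ZwUnmapViewOfSection(NtCurrentProcess(), *MappingBaseAddress).
  *
  * NOTE(review): the view is created for NtCurrentProcess(), i.e. it lands in
  * the address space of whichever process is current when this runs (the
  * requesting user process if reached from an IOCTL).  The on-disk copy is
  * only a trustworthy reference if user-mode code in that process cannot
  * modify the view before it is read, so prefer calling this from a system
  * thread / System process context.
  */
 BOOLEAN
     MappingPEFileInRing0Space(WCHAR* wzFileFullPath,OUT PVOID* MappingBaseAddress,PSIZE_T MappingViewSize)
 {
     UNICODE_STRING    uniFileFullPath;
     OBJECT_ATTRIBUTES oa;
     NTSTATUS          Status;
     IO_STATUS_BLOCK   Iosb;
     HANDLE            hFile = NULL;
     HANDLE            hSection = NULL;

     // All three pointers are dereferenced below; the original only checked two.
     if (!wzFileFullPath || !MappingBaseAddress || !MappingViewSize) {
         return FALSE;
     }

     RtlInitUnicodeString(&uniFileFullPath, wzFileFullPath);
     // OBJ_KERNEL_HANDLE keeps both handles out of the current process' handle
     // table, so user mode cannot reach or close them while we work.
     InitializeObjectAttributes(&oa,
         &uniFileFullPath,
         OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
         NULL,
         NULL
         );

     // Open the file read-only and synchronous; no extended attributes.
     Status = IoCreateFile(&hFile,
         GENERIC_READ | SYNCHRONIZE,
         &oa,                          // absolute NT path
         &Iosb,
         NULL,                         // AllocationSize
         FILE_ATTRIBUTE_NORMAL,
         FILE_SHARE_READ,
         FILE_OPEN,
         FILE_SYNCHRONOUS_IO_NONALERT,
         NULL,                         // EaBuffer
         0,                            // EaLength
         CreateFileTypeNone,
         NULL,                         // InternalParameters
         IO_NO_PARAMETER_CHECKING
         );
     if (!NT_SUCCESS(Status)) {
         return FALSE;
     }

     // Unnamed section backed by the file.  SEC_IMAGE lays the file out the
     // way the loader would (sections at their virtual addresses), so RVAs
     // from the headers can be added directly to the view base.
     oa.ObjectName = NULL;
     Status = ZwCreateSection(&hSection,
         SECTION_QUERY | SECTION_MAP_READ,
         &oa,
         NULL,                         // MaximumSize: the file's size
         PAGE_WRITECOPY,
         SEC_IMAGE,
         hFile
         );
     ZwClose(hFile);                   // the section holds its own file reference
     if (!NT_SUCCESS(Status)) {
         return FALSE;
     }

     Status = ZwMapViewOfSection(hSection,
         NtCurrentProcess(),           // view goes into the current process
         MappingBaseAddress,
         0,                            // ZeroBits
         0,                            // CommitSize
         NULL,                         // SectionOffset: map from the start
         MappingViewSize,
         ViewUnmap,
         0,                            // AllocationType
         PAGE_WRITECOPY
         );
     ZwClose(hSection);                // the view keeps the section alive
     return NT_SUCCESS(Status) ? TRUE : FALSE;
 }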

映射到ring0层

首先获取ntoskrnl模块信息

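 /*
  * Look up a loaded kernel module by (sub)string of its image name via
  * ZwQuerySystemInformation(SystemModuleInformation).
  *
  * szFindSystemModuleName - name fragment to search for, e.g. "ntoskrnl.exe".
  * ulMoudleBaseAddress    - receives the module's load address.
  * ulModuleSize           - receives the module's image size.
  * Returns TRUE when a matching module was found; on FALSE the outputs are
  * left untouched.  Must be called at PASSIVE_LEVEL (ZwQuerySystemInformation).
  *
  * NOTE(review): strstr() matches anywhere in ImageName and is case-sensitive.
  * If ImageName holds a full path (it appears to), a module whose *path*
  * merely contains the searched text would match too; comparing only the
  * file-name component would be stricter.
  */
 BOOLEAN GetSystemMoudleInformationBySystemModuleNameInWin7_X64(char* szFindSystemModuleName,ULONG64* ulMoudleBaseAddress,ULONG32* ulModuleSize)
 {
     NTSTATUS  Status = STATUS_SUCCESS;
     PVOID     Information = NULL;
     ULONG     ulNeeds = 0;
     PSYSTEM_MODULE_INFORMATION ModuleList = NULL;
     ULONG     i = 0;
     BOOLEAN   bFound = FALSE;

     if (!szFindSystemModuleName || !ulMoudleBaseAddress || !ulModuleSize) {
         return FALSE;
     }

     // First call with no buffer only reports the size required.
     Status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &ulNeeds);
     if (Status != STATUS_INFO_LENGTH_MISMATCH || ulNeeds == 0) {
         return FALSE;
     }

     // PagedPool is acceptable: the buffer is only touched at PASSIVE_LEVEL.
     Information = ExAllocatePool(PagedPool, ulNeeds);
     if (Information == NULL) {
         return FALSE;
     }

     // A module loaded between the two calls makes this fail with
     // STATUS_INFO_LENGTH_MISMATCH again; the caller simply gets FALSE.
     Status = ZwQuerySystemInformation(SystemModuleInformation, Information, ulNeeds, &ulNeeds);
     if (!NT_SUCCESS(Status)) {
         ExFreePool(Information);
         return FALSE;
     }

     ModuleList = (PSYSTEM_MODULE_INFORMATION)Information;
     for (i = 0; i < ModuleList->NumberOfModules; i++) {
         if (strstr(ModuleList->Modules[i].ImageName, szFindSystemModuleName) != NULL) {
             *ulMoudleBaseAddress = (ULONG64)ModuleList->Modules[i].Base;
             *ulModuleSize = (ULONG32)ModuleList->Modules[i].Size;
             bFound = TRUE;
             break;
         }
     }

     // Single release point; free(NULL)-style guards are not needed here
     // because Information is known to be non-NULL.
     ExFreePool(Information);
     return bFound;
 }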

win7

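 /*
  * 32-bit variant of the module lookup: identical to the Win7 x64 version
  * except that the base address is returned as ULONG32.
  *
  * szFindSystemModuleName - name fragment to search for, e.g. "ntoskrnl.exe".
  * ulMoudleBaseAddress    - receives the module's load address.
  * ulModuleSize           - receives the module's image size.
  * Returns TRUE when a matching module was found; on FALSE the outputs are
  * left untouched.  Must be called at PASSIVE_LEVEL (ZwQuerySystemInformation).
  *
  * NOTE(review): strstr() is a case-sensitive substring match over ImageName;
  * if ImageName is a full path, any module whose path contains the searched
  * text matches as well.
  */
 BOOLEAN GetSystemMoudleInformationBySystemModuleNameInWinXP_X86(char* szFindSystemModuleName,ULONG32* ulMoudleBaseAddress,ULONG32* ulModuleSize)
 {
     NTSTATUS  Status = STATUS_SUCCESS;
     PVOID     Information = NULL;
     ULONG     ulNeeds = 0;
     PSYSTEM_MODULE_INFORMATION ModuleList = NULL;
     ULONG     i = 0;
     BOOLEAN   bFound = FALSE;

     if (!szFindSystemModuleName || !ulMoudleBaseAddress || !ulModuleSize) {
         return FALSE;
     }

     // Size query: a NULL buffer yields STATUS_INFO_LENGTH_MISMATCH plus the
     // required length.
     Status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &ulNeeds);
     if (Status != STATUS_INFO_LENGTH_MISMATCH || ulNeeds == 0) {
         return FALSE;
     }

     // PagedPool is acceptable: the buffer is only touched at PASSIVE_LEVEL.
     Information = ExAllocatePool(PagedPool, ulNeeds);
     if (Information == NULL) {
         return FALSE;
     }

     // Fails if the module list grew between the two calls; reported as FALSE.
     Status = ZwQuerySystemInformation(SystemModuleInformation, Information, ulNeeds, &ulNeeds);
     if (!NT_SUCCESS(Status)) {
         ExFreePool(Information);
         return FALSE;
     }

     ModuleList = (PSYSTEM_MODULE_INFORMATION)Information;
     for (i = 0; i < ModuleList->NumberOfModules; i++) {
         if (strstr(ModuleList->Modules[i].ImageName, szFindSystemModuleName) != NULL) {
             *ulMoudleBaseAddress = (ULONG32)ModuleList->Modules[i].Base;
             *ulModuleSize = (ULONG32)ModuleList->Modules[i].Size;
             bFound = TRUE;
             break;
         }
     }

     ExFreePool(Information);   // Information is non-NULL here; no guard needed
     return bFound;
 }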

winxp

获取到SSDTAddress

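 /*
  * Locate KeServiceDescriptorTable on Win7 x64, where it is not exported.
  *
  * MSR 0xC0000082 (LSTAR) holds the address of the syscall entry routine.
  * Shortly after its start the kernel loads the service table with
  * "lea r10, [rip+disp32]", encoded as 4C 8D 15 <disp32> (7 bytes).  The
  * first such instruction inside the 0x500-byte window is assumed to
  * reference KeServiceDescriptorTable; the RIP-relative displacement is
  * resolved against the address of the following instruction.
  *
  * SSDTAddress - receives the table address, or 0 when no match was found.
  * Returns TRUE on success.
  *
  * NOTE(review): this is a build-specific byte signature.  Kernels whose
  * LSTAR points at a different entry stub, or that emit a different
  * instruction sequence, yield FALSE (or, in principle, a wrong early
  * match); callers must treat the result as a hint to be validated, not as
  * ground truth.
  */
 BOOLEAN GetSSDTAddressInWin7_X64(ULONG64* SSDTAddress)
 {
     PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);   //fffff800`03ecf640
     PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
     PUCHAR i = NULL;

     if (!SSDTAddress) {
         return FALSE;
     }
     *SSDTAddress = 0;

     // Stop 7 bytes early so the whole instruction lies inside the window.
     for (i = StartSearchAddress; i + 7 <= EndSearchAddress; i++)
     {
         // 7 bytes span at most two pages: first and last byte cover both.
         if (!MmIsAddressValid(i) || !MmIsAddressValid(i + 6)) {
             continue;
         }
         if (i[0] == 0x4c && i[1] == 0x8d && i[2] == 0x15)
         {
             // disp32 is signed; copy into a 32-bit signed integer and widen,
             // so a negative displacement is not zero-extended.
             int disp = 0;
             memcpy(&disp, i + 3, sizeof disp);
             *SSDTAddress = (ULONG64)(i + 7) + (INT64)disp;
             break;
         }
     }

     return (*SSDTAddress != 0) ? TRUE : FALSE;
 }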

win7

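 /*
  * Locate KeServiceDescriptorTable on a 32-bit kernel, where the table is an
  * exported variable of ntoskrnl and can be resolved by name.
  *
  * SSDTAddress - receives the table address, or 0 if the export is missing.
  * Returns TRUE on success.
  */
 BOOLEAN GetSSDTAddressInWinXP_X86(ULONG32* SSDTAddress)
 {
     /*
     kd> dd KeServiceDescriptorTable
     80563520  804e58a0 00000000 0000011c 805120bc
     */
     if (!SSDTAddress) {
         return FALSE;
     }

     // Export-table lookup; 0 is the only failure signal the helper gives.
     *SSDTAddress = (ULONG32)GetExportVariableAddressFormNtosExportTableByVariableName(L"KeServiceDescriptorTable");

     return (*SSDTAddress != 0) ? TRUE : FALSE;
 }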

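 /*
  * Resolve an export of ntoskrnl (or the HAL) by name.
  *
  * wzVariableName - NUL-terminated wide name of the exported symbol.
  * Returns the symbol's address, or NULL when the name is NULL or not
  * exported.  MmGetSystemRoutineAddress requires PASSIVE_LEVEL.
  */
 PVOID
     GetExportVariableAddressFormNtosExportTableByVariableName(WCHAR *wzVariableName)
 {
     UNICODE_STRING uniVariableName;
     PVOID VariableAddress = NULL;

     if (wzVariableName != NULL)
     {
         RtlInitUnicodeString(&uniVariableName, wzVariableName);
         // Walks the export tables of ntoskrnl/hal; NULL if not found.
         VariableAddress = MmGetSystemRoutineAddress(&uniVariableName);
     }

     return VariableAddress;
 }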

WinXP

再通过函数名获取到函数索引

 /*
  * Recover the system-service index of an ntdll export (e.g. "ZwOpenProcess")
  * by mapping ntdll.dll FROM DISK and reading the 32-bit immediate inside the
  * exported stub.  Reading the on-disk image instead of the ntdll already
  * loaded in a process means an in-memory inline hook on the stub cannot feed
  * a forged index.
  *
  * szFindFunctionName - export name to look up (ASCII).
  * SSDTFunctionIndex  - receives the index; set to a sentinel before the search.
  * Returns TRUE when the index was read, FALSE otherwise.
  *
  * Review notes:
  *  - ulOffset_SSDTFunctionIndex is the byte offset of the index immediate
  *    inside the stub.  Its value is missing from this copy and is specific to
  *    the OS/architecture stub layout; validate the opcode byte(s) preceding
  *    the immediate before trusting the value read.
  *  - The view is mapped for NtCurrentProcess(), i.e. into whichever process
  *    is current when this runs; if that is a user process, code in it could
  *    in principle modify the view between map and read.
  *  - MappingViewSize is received but never used for bounds checks, so every
  *    RVA dereference below is guarded only by the __except.
  */
 BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWinXP_X86(CHAR* szFindFunctionName,
     ULONG32* SSDTFunctionIndex)
 {

     // Offset of the index immediate within the stub (literal lost from this copy).
     ULONG32     ulOffset_SSDTFunctionIndex = ;

     // Obtain the stub (e.g. 7c92d5e0) from ntdll's export table.
     // Map ntdll into the current address space and search its export table there.
     ULONG   i;
     BOOLEAN  bOk = FALSE;
     WCHAR    wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
     SIZE_T  MappingViewSize   = ;
     PVOID    MappingBaseAddress = NULL;
     PIMAGE_NT_HEADERS  NtHeader = NULL;
     PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
     ULONG32*  AddressOfFunctions    = NULL;
     ULONG32*  AddressOfNames        = NULL;
     USHORT* AddressOfNameOrdinals = NULL;
     CHAR*   szFunctionName        = NULL;
     ULONG32 ulFunctionOrdinal     = ;
     ULONG32 ulFunctionAddress     = ;

     // Sentinel meaning "not found" (literal lost from this copy).
     *SSDTFunctionIndex = -;

     // Map ntdll.dll into the current address space.
     bOk = MappingPEFileInRing0Space(wzFileFullPath,&MappingBaseAddress, &MappingViewSize);
     if (bOk==FALSE)
     {
         return FALSE;
     }
     else
     {
         // The handler swallows every fault (malformed headers / bad RVAs);
         // failure then surfaces only through the sentinel check below.
         __try{
             NtHeader = RtlImageNtHeader(MappingBaseAddress);
             if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
             {
                 // SEC_IMAGE mapping: RVAs resolve directly against the view base.
                 ExportDirectory =(IMAGE_EXPORT_DIRECTORY*)((ULONG32)MappingBaseAddress + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

                 AddressOfFunctions = (ULONG32*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfFunctions);
                 AddressOfNames = (ULONG32*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfNames);
                 AddressOfNameOrdinals = (USHORT*)((ULONG32)MappingBaseAddress + ExportDirectory->AddressOfNameOrdinals);
                 // Loop header truncated in this copy; presumably "for (i = 0".
                 ; i < ExportDirectory->NumberOfNames; i++)
                 {
                     szFunctionName = (char*)((ULONG32)MappingBaseAddress + AddressOfNames[i]);   // exported name
                     // Condition truncated in this copy; presumably a string compare
                     // of szFunctionName against szFindFunctionName.
                     )
                     {
                         ulFunctionOrdinal = AddressOfNameOrdinals[i];
                         ulFunctionAddress = (ULONG32)((ULONG32)MappingBaseAddress + AddressOfFunctions[ulFunctionOrdinal]);

                         // Read the service index immediate from the on-disk stub.
                         *SSDTFunctionIndex = *(ULONG32*)(ulFunctionAddress+ulOffset_SSDTFunctionIndex);
                         break;
                     }
                 }
             }
         }__except(EXCEPTION_EXECUTE_HANDLER)
         {
             ;
         }
     }

     // Return status of the unmap is not checked.
     ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress);

     // Condition truncated in this copy; presumably tests the sentinel.
     )
     {
         return FALSE;
     }

     return TRUE;
 }

WinXP

 /*
  * x64 counterpart of the index lookup: map ntdll.dll FROM DISK and read the
  * 32-bit service index immediate from the exported stub, so an in-memory
  * inline hook on the stub cannot feed a forged index.
  *
  * szFindFunctionName - export name to look up (ASCII).
  * SSDTFunctionIndex  - receives the index; set to a sentinel before the search.
  * Returns TRUE when the index was read, FALSE otherwise.
  *
  * Review notes:
  *  - ulOffset_SSDTFunctionIndex (literal lost from this copy) is the offset
  *    of the immediate inside the x64 stub, which differs from the x86 stub
  *    layout; validate the preceding opcode byte(s) before trusting the value.
  *  - The view is created for NtCurrentProcess(); if that is a user process,
  *    code in it could in principle modify the view between map and read.
  *  - MappingViewSize is never used for bounds checks; every RVA dereference
  *    is guarded only by the __except.
  */
 BOOLEAN GetSSDTFunctionIndexFromNtdllExportTableByFunctionNameInWin7_X64(CHAR* szFindFunctionName,ULONG32* SSDTFunctionIndex)
 {

     // Offset of the index immediate within the stub (literal lost from this copy).
     ULONG32     ulOffset_SSDTFunctionIndex = ;

     ULONG   i;
     BOOLEAN  bOk = FALSE;
     WCHAR    wzFileFullPath[] = L"\\SystemRoot\\System32\\ntdll.dll";
     SIZE_T   MappingViewSize   = ;
     PVOID    MappingBaseAddress = NULL;
     PIMAGE_NT_HEADERS  NtHeader = NULL;
     PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
     ULONG32*  AddressOfFunctions    = NULL;
     ULONG32*  AddressOfNames        = NULL;
     USHORT*   AddressOfNameOrdinals = NULL;
     CHAR*     szFunctionName        = NULL;
     ULONG32   ulFunctionOrdinal     = ;
     ULONG64   ulFunctionAddress     = ;

     // Sentinel meaning "not found" (literal lost from this copy).
     *SSDTFunctionIndex = -;

     // Map ntdll.dll into the current address space.
     bOk = MappingPEFileInRing0Space(wzFileFullPath,&MappingBaseAddress, &MappingViewSize);
     if (bOk==FALSE)
     {
         return FALSE;
     }
     else
     {
         // The handler swallows every fault (malformed headers / bad RVAs);
         // failure then surfaces only through the sentinel check below.
         __try{
             NtHeader = RtlImageNtHeader(MappingBaseAddress);
             if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
             {
                 // SEC_IMAGE mapping: RVAs resolve directly against the view base.
                 ExportDirectory =(IMAGE_EXPORT_DIRECTORY*)((ULONG64)MappingBaseAddress + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

                 AddressOfFunctions = (ULONG32*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfFunctions);
                 AddressOfNames = (ULONG32*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfNames);
                 AddressOfNameOrdinals = (USHORT*)((ULONG64)MappingBaseAddress + ExportDirectory->AddressOfNameOrdinals);
                 // Loop header truncated in this copy; presumably "for (i = 0".
                 ; i < ExportDirectory->NumberOfNames; i++)
                 {
                     szFunctionName = (char*)((ULONG64)MappingBaseAddress + AddressOfNames[i]);   // exported name
                     // Condition truncated in this copy; presumably a string compare
                     // of szFunctionName against szFindFunctionName.
                     )
                     {
                         ulFunctionOrdinal = AddressOfNameOrdinals[i];
                         ulFunctionAddress = (ULONG64)((ULONG64)MappingBaseAddress + AddressOfFunctions[ulFunctionOrdinal]);

                         // Read the service index immediate from the on-disk stub.
                         *SSDTFunctionIndex = *(ULONG32*)(ulFunctionAddress+ulOffset_SSDTFunctionIndex);
                         break;
                     }
                 }
             }
         }__except(EXCEPTION_EXECUTE_HANDLER)
         {
             ;
         }
     }

     // Return status of the unmap is not checked.
     ZwUnmapViewOfSection(NtCurrentProcess(), MappingBaseAddress);

     // Condition truncated in this copy; presumably tests the sentinel.
     )
     {
         return FALSE;
     }

     return TRUE;
 }

win7

得到索引后 就能得到函数的地址

找到函数的地址，然后在映射的内存中取出正确的地址，恢复回去

http://www.cnblogs.com/yifi/p/4968944.html
