kernel driver - NTHook

kkmomo

幾年前從一個自稱香港人的 alan 大大那得到的
只有小改一點點讓 vc 可以 compile
當時在 32bits os 測試是可以 work
不過很久沒去碰這個了，剛才整理東西時翻到 給想研究的人看看

2樓  entry.cpp
3樓  NtOpenProcess.h
4樓  NtProtectVirtualMemory.h
5樓  NtReadVirtualMemory.h
6樓  NtWriteVirtualMemory.h

kkmomo

1. // Author : alan
   
2. // entry.cpp
   
3. 
   
4. #include <ntddk.h>
   
5. #include "NtOpenProcess.h"
   
6. #include "NtReadVirtualMemory.h"
   
7. #include "NtProtectVirtualMemory.h"
   
8. #include "NtWriteVirtualMemory.h"
   
9. 
   
10. #define _Driver_name      L"\\Device\\NTHook"
    
11. #define _Symbolic_name      L"\\DosDevices\\NTHook1"
    
12. 
    
13. #define INITCODE code_seg("INIT")
    
14. #define PAGECODE code_seg("PAGE")
    
15. #pragma INITCODE
    
16. 
    
17. VOID DriverUnLoad(PDRIVER_OBJECT driver);
    
18. NTSTATUS DispatchIrp(PDEVICE_OBJECT driver,PIRP irp);
    
19. 
    
20. extern "C"
    
21. NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING driver_object_name)
    
22. {
    
23.   HookNtOpenProcess();
    
24.   HookNtReadVirtualMemory();
    
25.   HookNtProtectVirtualMemory();
    
26.   HookNtWriteVirtualMemory();
    
27. 
    
28.   NTSTATUS status=STATUS_SUCCESS;
    
29.   driver->MajorFunction[IRP_MJ_CREATE]=DispatchIrp;
    
30.   driver->MajorFunction[IRP_MJ_READ]=DispatchIrp;
    
31.   driver->MajorFunction[IRP_MJ_WRITE]=DispatchIrp;
    
32.   driver->MajorFunction[IRP_MJ_CLOSE]=DispatchIrp;
    
33.   driver->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DispatchIrp;
    
34.   driver->DriverUnload=DriverUnLoad;
    
35.   
    
36.   UNICODE_STRING driver_name;
    
37.   RtlInitUnicodeString(&driver_name,_Driver_name);
    
38.   
    
39.   PDEVICE_OBJECT device_object;
    
40.   status=IoCreateDevice(driver,NULL,&driver_name,FILE_DEVICE_UNKNOWN,NULL,FALSE,&device_object);
    
41.   if(!NT_SUCCESS(status))
    
42.   {
    
43.     KdPrint(("創建設備失敗!\n"));
    
44.     return status;
    
45.   }
    
46.   KdPrint(("創建設備成功!\n"));
    
47.   device_object->Flags |= DO_BUFFERED_IO;
    
48.   
    
49.   UNICODE_STRING symbolic_name;
    
50.   RtlInitUnicodeString(&symbolic_name,_Symbolic_name);
    
51.   status=IoCreateSymbolicLink(&symbolic_name,&driver_name);
    
52.   if(!NT_SUCCESS(status))
    
53.   {
    
54.     IoDeleteDevice(device_object);
    
55.     KdPrint(("創建符號鏈接失敗!\n"));
    
56.     return status;
    
57.   }
    
58.   KdPrint(("創建符號鏈接成功!\n"));
    
59.   return STATUS_SUCCESS;
    
60. }
    
61. 
    
62. #pragma PAGEDCODE
    
63. VOID DriverUnLoad(PDRIVER_OBJECT driver)
    
64. {
    
65.   UNICODE_STRING symbol_name;
    
66.   RtlInitUnicodeString(&symbol_name,_Symbolic_name);
    
67.   IoDeleteSymbolicLink(&symbol_name);
    
68.   IoDeleteDevice(driver->DeviceObject);
    
69.   KdPrint(("刪除設備成功!\n"));
    
70.   UnhookNtOpenProcess();
    
71.   UnhookNtReadVirtualMemory();
    
72.   UnhookNtProtectVirtualMemory();
    
73.   UnhookNtWriteVirtualMemory();
    
74. }
    
75. 
    
76. #pragma PAGEDCODE
    
77. NTSTATUS DispatchIrp(PDEVICE_OBJECT driver,PIRP irp)
    
78. {
    
79.   irp->IoStatus.Status=STATUS_SUCCESS;
    
80.   irp->IoStatus.Information=0;
    
81.   IoCompleteRequest(irp,IO_NO_INCREMENT);
    
82.   KdPrint(("進入IRP例程!\n"));
    
83.   return STATUS_SUCCESS;
    
84. }
    

複製代碼

kkmomo

1. // Author : alan
   
2. // NtOpenProcess.h
   
3. 
   
4. #include <ntddk.h>
   
5. 
   
6. typedef struct _SERVICE_DESCRIPTOR_TABLE
   
7. {
   
8. PULONG ServiceTableBase;
   
9. PULONG ServiceCounterTableBase;
   
10. ULONG NumberOfService;
    
11. ULONG ParamTableBase;
    
12. }SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;
    
13. extern "C" PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
    
14. 
    
15. VOID HookNtOpenProcess();
    
16. VOID UnhookNtOpenProcess();
    
17. 
    
18. PEPROCESS  processEPROCESS = NULL;  
    
19. ANSI_STRING  p_str1,p_str2;      
    
20. 
    
21. ULONG OldNtOpenProcessAddress = 0;
    
22. ULONG Addr_NtOpenProcess;
    
23. ULONG Addr_ObWatchHandles;      
    
24. ULONG Addr_SEH_prolog;         
    
25. ULONG Jmp_Addr_NtOpenProcess;   
    
26. 
    
27. __declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(
    
28. OUT PHANDLE ProcessHandle,
    
29. IN ACCESS_MASK AccessMask,
    
30. IN POBJECT_ATTRIBUTES ObjectAttributes,
    
31. IN PCLIENT_ID ClientId)
    
32. {
    
33. processEPROCESS = IoGetCurrentProcess();
    
34. RtlInitAnsiString(&p_str1,(PCSZ)processEPROCESS+0x174);
    
35. RtlInitAnsiString(&p_str2,"MapleStory.exe");
    
36.    if (RtlCompareString(&p_str1,&p_str2,TRUE) == 0)
    
37. {
    
38. _asm
    
39. {
    
40. jmp OldNtOpenProcessAddress
    
41. }  
    
42. }
    
43.    else
    
44.    {
    
45. _asm
    
46. {
    
47. push 0x0c4
    
48. mov edx,Addr_ObWatchHandles
    
49. push edx
    
50. mov edx,Jmp_Addr_NtOpenProcess
    
51. push edx
    
52. mov edx,Addr_SEH_prolog
    
53. jmp edx
    
54.         }
    
55.     }
    
56. }
    
57. 
    
58. VOID HookNtOpenProcess()
    
59. {
    
60.             
    
61. ULONG NtOpenProcessIndexAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase);
    
62. ULONG NtOpenProcessIndexAddress1 = NtOpenProcessIndexAddress + 0x7A*4;
    
63. 
    
64. OldNtOpenProcessAddress = *(ULONG*)NtOpenProcessIndexAddress1;
    
65. 
    
66. __asm{
    
67. cli
    
68. mov eax,cr0
    
69. and eax,not 10000h
    
70. mov cr0,eax
    
71. 
    
72. mov ebx,NtOpenProcessIndexAddress1      
    
73. mov eax,dword ptr [ebx]
    
74. mov Addr_NtOpenProcess,eax   
    
75.       
    
76. add eax,0x0f
    
77. mov Jmp_Addr_NtOpenProcess,eax      
    
78.          
    
79. mov ebx,Addr_NtOpenProcess        
    
80. mov eax,dword ptr [ebx+6]           
    
81. mov Addr_ObWatchHandles,eax
    
82. 
    
83. mov eax,dword ptr [ebx+0x0b]        
    
84. add eax,Addr_NtOpenProcess
    
85. add eax,0x0a
    
86. add eax,5
    
87. mov Addr_SEH_prolog,eax
    
88. }
    
89. 
    
90. *(ULONG*)NtOpenProcessIndexAddress1 = (ULONG)MyNtOpenProcess;
    
91. DbgPrint("Addr_ObWatchHandles is %x",Addr_ObWatchHandles);
    
92. DbgPrint("Addr_NtOpenProcess is %x",Addr_NtOpenProcess);
    
93. DbgPrint("Addr_SEH_prolog is %x",Addr_SEH_prolog);
    
94. DbgPrint("Jmp_Addr_NtOpenProcess is %x",Jmp_Addr_NtOpenProcess);
    
95. __asm{
    
96. mov eax,cr0
    
97. or eax,10000h
    
98. mov cr0,eax
    
99. sti
    
100. }
     
101. DbgPrint("HookNtOpenProcess");
     
102. }
     
103. 
     
104. VOID UnhookNtOpenProcess()
     
105. {
     
106. ULONG NtOpenProcessIndexAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase);
     
107. ULONG NtOpenProcessIndexAddress1 = NtOpenProcessIndexAddress + 0x7A*4;
     
108. 
     
109. _asm
     
110. {
     
111. cli
     
112. pushad                  
     
113. mov eax,cr0
     
114. and eax,not 10000h
     
115. mov cr0,eax
     
116. }
     
117. *(ULONG*)NtOpenProcessIndexAddress1 = (ULONG)OldNtOpenProcessAddress;
     
118. _asm
     
119. {     
     
120. mov eax,cr0
     
121. or eax,10000h
     
122. mov cr0,eax
     
123. popad
     
124. sti
     
125. }
     
126. 
     
127. DbgPrint("UnhookNtOpenProcess");
     
128. 
     
129. }

複製代碼

kkmomo

1. // Author : alan
   
2. // NtProtectVirtualMemory.h
   
3. 
   
4. #include <ntddk.h>
   
5. 
   
6. VOID HookNtProtectVirtualMemory();
   
7. VOID UnhookNtProtectVirtualMemory();
   
8. 
   
9. ULONG JmpNtProtectVirtualMemory = 0;
   
10. ULONG OldNtProtectVirtualMemoryAddress = 0;
    
11. 
    
12. PEPROCESS  ProtectEPROCESS = NULL;
    
13. ANSI_STRING pp_str1,pp_str2;
    
14. 
    
15. ULONG Addr_NtProtectVirtualMemory;
    
16. ULONG Addr_P_NoAccessPte;  
    
17. ULONG Addr_P_SEH_prolog;        
    
18. ULONG Jmp_Addr_NtProtectVirtualMemory = 0;   
    
19. 
    
20. __declspec(naked) NTSTATUS __stdcall MyNtProtectVirtualMemory(
    
21. IN HANDLE ProcessHandle,
    
22. IN OUT PVOID *BaseAddress,
    
23. IN OUT PULONG NumberOfBytesToProtect,
    
24. IN ULONG NewAccessProtection,
    
25. OUT PULONG OldAccessProtection
    
26. )
    
27. {
    
28. ProtectEPROCESS = IoGetCurrentProcess();
    
29. RtlInitAnsiString(&pp_str1,(PCSZ)ProtectEPROCESS+0x174);
    
30. RtlInitAnsiString(&pp_str2,"MapleStory.exe");
    
31.     if (RtlCompareString(&pp_str1,&pp_str2,TRUE) == 0)
    
32.     {
    
33. _asm
    
34. {
    
35. jmp OldNtProtectVirtualMemoryAddress
    
36. }  
    
37.     }
    
38.     else
    
39.     {
    
40. _asm
    
41. {
    
42. push 0x44
    
43. mov edx,Addr_P_NoAccessPte
    
44. push edx
    
45. mov edx,Jmp_Addr_NtProtectVirtualMemory
    
46. push edx
    
47. mov edx,Addr_P_SEH_prolog
    
48. jmp edx
    
49. }
    
50.     }
    
51. }
    
52. 
    
53. VOID HookNtProtectVirtualMemory()
    
54. {
    
55. 
    
56. ULONG NtProtectVirtualMemoryIndexAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase);
    
57. ULONG NtProtectVirtualMemoryIndexAddress1 = NtProtectVirtualMemoryIndexAddress + 0x89*4;
    
58. 
    
59. OldNtProtectVirtualMemoryAddress = *(ULONG*)NtProtectVirtualMemoryIndexAddress1 ;
    
60. /*
    
61. JmpNtProtectVirtualMemory = OldNtProtectVirtualMemoryAddress + 7;
    
62. Addr_P_NoAccessPte =  OldNtProtectVirtualMemoryAddress - 0xDE38E;
    
63. Addr_P_SEH_prolog = OldNtProtectVirtualMemoryAddress - 0x7C7F6;
    
64. Jmp_Addr_NtProtectVirtualMemory = OldNtProtectVirtualMemoryAddress + 0xC;
    
65. */
    
66. __asm{
    
67. cli
    
68. mov eax,cr0
    
69. and eax,not 10000h
    
70. mov cr0,eax
    
71. 
    
72. mov ebx,NtProtectVirtualMemoryIndexAddress1   
    
73. mov eax,dword ptr [ebx]
    
74. mov Addr_NtProtectVirtualMemory,eax
    
75. 
    
76. add eax,0x0c
    
77. mov Jmp_Addr_NtProtectVirtualMemory,eax   
    
78.          
    
79. mov ebx,Addr_NtProtectVirtualMemory     
    
80. mov eax,dword ptr [ebx+3]      
    
81. mov Addr_P_NoAccessPte,eax   
    
82. 
    
83. mov eax,dword ptr [ebx+8]
    
84. add eax,Addr_NtProtectVirtualMemory
    
85. add eax,7
    
86. add eax,5
    
87. mov Addr_P_SEH_prolog,eax           
    
88. }
    
89. DbgPrint("Addr_NtProtectVirtualMemory is %x",Addr_NtProtectVirtualMemory);
    
90. DbgPrint("Addr_P_NoAccessPte is %x",Addr_P_NoAccessPte);
    
91. DbgPrint("Addr_P_SEH_prolog is %x",Addr_P_SEH_prolog);
    
92. DbgPrint("Jmp_Addr_NtProtectVirtualMemory is %x",Jmp_Addr_NtProtectVirtualMemory);
    
93. 
    
94. *(ULONG*)NtProtectVirtualMemoryIndexAddress1 = (ULONG)MyNtProtectVirtualMemory;
    
95. 
    
96. __asm{
    
97. mov eax,cr0
    
98. or eax,10000h
    
99. mov cr0,eax
    
100. sti
     
101. }
     
102. DbgPrint("HookNtProtectVirtualMemory");
     
103. 
     
104. }
     
105. 
     
106. VOID UnhookNtProtectVirtualMemory()
     
107. {
     
108. ULONG NtProtectVirtualMemoryIndexAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase);
     
109. ULONG NtProtectVirtualMemoryIndexAddress1 = NtProtectVirtualMemoryIndexAddress + 0x89*4;
     
110. _asm
     
111. {
     
112. cli
     
113. pushad                  
     
114. mov eax,cr0
     
115. and eax,not 10000h
     
116. mov cr0,eax
     
117. }
     
118. *(ULONG*)NtProtectVirtualMemoryIndexAddress1 = (ULONG)OldNtProtectVirtualMemoryAddress;
     
119. _asm
     
120. {     
     
121. mov eax,cr0
     
122. or eax,10000h
     
123. mov cr0,eax
     
124. popad
     
125. sti
     
126. }
     
127. 
     
128. DbgPrint("UnhookNtProtectVirtualMemory");
     
129. 
     
130. }

複製代碼

kkmomo

1. // Author : alan
   
2. // NtReadVirtualMemory.h
   
3. 
   
4. #include <ntddk.h>
   
5. 
   
6. VOID HookNtReadVirtualMemory();
   
7. VOID UnhookNtReadVirtualMemory();
   
8. 
   
9. ULONG JmpNtReadVirtualMemory = 0;
   
10. ULONG OldNtReadVirtualMemoryAddress = 0;
    
11. 
    
12. PEPROCESS  ReadEPROCESS = NULL;
    
13. ANSI_STRING r_str1,r_str2;
    
14. 
    
15. ULONG Addr_NtReadVirtualMemory;
    
16. ULONG Addr_MmClaimParameter;   
    
17. ULONG Addr_R_SEH_prolog;        
    
18. ULONG Jmp_Addr_NtReadVirtualMemory = 0;
    
19. 
    
20. __declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(
    
21. IN HANDLE ProcessHandle,
    
22. IN PVOID BaseAddress,
    
23. OUT PVOID Buffer,
    
24. IN ULONG NumberOfBytesToRead,
    
25. OUT PULONG NumberOfBytesReaded OPTIONAL
    
26. )
    
27. {
    
28. ReadEPROCESS = IoGetCurrentProcess();
    
29. RtlInitAnsiString(&r_str1,(PCSZ)ReadEPROCESS+0x174);
    
30. RtlInitAnsiString(&r_str2,"MapleStory.exe");
    
31.     if (RtlCompareString(&r_str1,&r_str2,TRUE) == 0)
    
32.     {
    
33. _asm
    
34. {
    
35. jmp OldNtReadVirtualMemoryAddress
    
36. }  
    
37.     }
    
38.     else
    
39. {
    
40. _asm
    
41. {
    
42. push 0x1c
    
43. mov edx,Addr_MmClaimParameter
    
44. push edx
    
45. mov edx,Jmp_Addr_NtReadVirtualMemory
    
46. push edx
    
47. mov edx,Addr_R_SEH_prolog
    
48. jmp edx
    
49. }
    
50.     }
    
51. }
    
52. 
    
53. VOID HookNtReadVirtualMemory()
    
54. {
    
55. 
    
56. ULONG NtReadVirtualMemoryIndexAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase);
    
57. ULONG NtReadVirtualMemoryIndexAddress1 = NtReadVirtualMemoryIndexAddress + 0xba*4;
    
58. 
    
59. OldNtReadVirtualMemoryAddress = *(ULONG*)NtReadVirtualMemoryIndexAddress1 ;
    
60. 
    
61. /*JmpNtReadVirtualMemory = OldNtReadVirtualMemoryAddress + 7;
    
62. Addr_R_SEH_prolog = OldNtReadVirtualMemoryAddress - 0x7869A;
    
63. Addr_MmClaimParameter = OldNtReadVirtualMemoryAddress - 0xDA3DA;
    
64. Jmp_Addr_NtReadVirtualMemory = OldNtReadVirtualMemoryAddress + 0xC;
    
65. */
    
66. __asm{
    
67. cli
    
68. mov eax,cr0
    
69. and eax,not 10000h
    
70. mov cr0,eax
    
71. 
    
72. mov ebx,NtReadVirtualMemoryIndexAddress1     
    
73. mov eax,dword ptr [ebx]
    
74. mov Addr_NtReadVirtualMemory,eax
    
75.      
    
76. add eax,0x0c        
    
77. mov Jmp_Addr_NtReadVirtualMemory,eax
    
78.          
    
79. mov ebx,Addr_NtReadVirtualMemory
    
80. mov eax,dword ptr [ebx+3]           
    
81. mov Addr_MmClaimParameter,eax
    
82. 
    
83. mov eax,dword ptr [ebx+8]
    
84. add eax,Addr_NtReadVirtualMemory
    
85. add eax,7
    
86. add eax,5
    
87. mov Addr_R_SEH_prolog,eax           
    
88. }
    
89. DbgPrint("Addr_NtReadVirtualMemory is %x",Addr_NtReadVirtualMemory);
    
90. DbgPrint("Addr_R_SEH_prolog is %x",Addr_R_SEH_prolog);
    
91. DbgPrint("Addr_MmClaimParameter is %x",Addr_MmClaimParameter);
    
92. DbgPrint("Jmp_Addr_NtReadVirtualMemory is %x",Jmp_Addr_NtReadVirtualMemory);
    
93. *(ULONG*)NtReadVirtualMemoryIndexAddress1 = (ULONG)MyNtReadVirtualMemory;
    
94. 
    
95. __asm{
    
96. mov eax,cr0
    
97. or eax,10000h
    
98. mov cr0,eax
    
99. sti
    
100. }
     
101. DbgPrint("HookNtReadVirtualMemory");
     
102. 
     
103. }
     
104. 
     
105. VOID UnhookNtReadVirtualMemory()
     
106. {
     
107. ULONG NtReadVirtualMemoryIndexAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase);
     
108. ULONG NtReadVirtualMemoryIndexAddress1 = NtReadVirtualMemoryIndexAddress + 0xba*4;
     
109. _asm
     
110. {
     
111. cli
     
112. pushad                  
     
113. mov eax,cr0
     
114. and eax,not 10000h
     
115. mov cr0,eax
     
116. }
     
117. *(ULONG*)NtReadVirtualMemoryIndexAddress1 = (ULONG)OldNtReadVirtualMemoryAddress;
     
118. _asm
     
119. {     
     
120. mov eax,cr0
     
121. or eax,10000h
     
122. mov cr0,eax
     
123. popad
     
124. sti
     
125. }
     
126. 
     
127. DbgPrint("UnhookNtReadVirtualMemory");
     
128. 
     
129. }

複製代碼

kkmomo

1. // Author : alan
   
2. // NtWriteVirtualMemory.h
   
3. 
   
4. #include <ntddk.h>
   
5. 
   
6. VOID HookNtWriteVirtualMemory();
   
7. VOID UnhookNtWriteVirtualMemory();
   
8. 
   
9. ULONG JmpNtWriteVirtualMemory = 0;
   
10. ULONG OldWriteVirtualMemoryAddress = 0;
    
11. 
    
12. PEPROCESS  WriteEPROCESS = NULL;
    
13. ANSI_STRING w_str1,w_str2;
    
14. 
    
15. ULONG Addr_NtWriteVirtualMemory;
    
16. ULONG Addr_W_MmClaimParameter;  
    
17. ULONG Addr_W_SEH_prolog;        
    
18. ULONG Jmp_Addr_NtWriteVirtualMemory = 0;   
    
19. 
    
20. __declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(
    
21. IN HANDLE ProcessHandle,
    
22. IN PVOID BaseAddress,
    
23. IN PVOID Buffer,
    
24. IN ULONG NumberOfBytesToWrite,
    
25. OUT PULONG NumberOfBytesWritten OPTIONAL)
    
26. {
    
27. WriteEPROCESS = IoGetCurrentProcess();
    
28. RtlInitAnsiString(&w_str1,(PCSZ)WriteEPROCESS+0x174);
    
29. RtlInitAnsiString(&w_str2,"MapleStory.exe");
    
30.     if (RtlCompareString(&w_str1,&w_str2,TRUE) == 0)
    
31.     {
    
32. _asm
    
33. {
    
34. jmp OldWriteVirtualMemoryAddress
    
35. }  
    
36.     }
    
37.     else
    
38.     {
    
39. _asm
    
40. {
    
41. push 0x1C
    
42. mov edx,Addr_W_MmClaimParameter
    
43. push edx
    
44. mov edx,Jmp_Addr_NtWriteVirtualMemory
    
45. push edx
    
46. mov edx,Addr_W_SEH_prolog
    
47. jmp edx
    
48. }
    
49.     }
    
50. }
    
51. 
    
52. VOID HookNtWriteVirtualMemory()
    
53. {
    
54. 
    
55. ULONG NtWriteVirtualMemoryIndexAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase);
    
56. ULONG NtWriteVirtualMemoryIndexAddress1 = NtWriteVirtualMemoryIndexAddress + 0x115*4;
    
57. 
    
58. OldWriteVirtualMemoryAddress = *(ULONG*)NtWriteVirtualMemoryIndexAddress1;
    
59. /*
    
60. JmpNtWriteVirtualMemory = OldWriteVirtualMemoryAddress + 7;
    
61. Addr_W_MmClaimParameter =  OldWriteVirtualMemoryAddress - 0xDA4CC;
    
62. Addr_W_SEH_prolog = OldWriteVirtualMemoryAddress - 0x787A4;
    
63. Jmp_Addr_NtWriteVirtualMemory = OldWriteVirtualMemoryAddress + 0xC;
    
64. */
    
65. __asm{
    
66. cli
    
67. mov eax,cr0
    
68. and eax,not 10000h
    
69. mov cr0,eax
    
70. 
    
71. mov ebx,NtWriteVirtualMemoryIndexAddress1   
    
72. mov eax,dword ptr [ebx]
    
73. mov Addr_NtWriteVirtualMemory,eax
    
74. 
    
75. add eax,0x0c
    
76. mov Jmp_Addr_NtWriteVirtualMemory,eax   
    
77.          
    
78. mov ebx,Addr_NtWriteVirtualMemory     
    
79. mov eax,dword ptr [ebx+3]      
    
80. mov Addr_W_MmClaimParameter,eax   
    
81. 
    
82. mov eax,dword ptr [ebx+8]
    
83. add eax,Addr_NtWriteVirtualMemory
    
84. add eax,7
    
85. add eax,5
    
86. mov Addr_W_SEH_prolog,eax           
    
87. }
    
88. DbgPrint("Addr_NtWriteVirtualMemory is %x",Addr_NtWriteVirtualMemory);
    
89. DbgPrint("Addr_W_MmClaimParameter is %x",Addr_W_MmClaimParameter);
    
90. DbgPrint("Addr_W_SEH_prolog is %x",Addr_W_SEH_prolog);
    
91. DbgPrint("Jmp_Addr_NtWriteVirtualMemory is %x",Jmp_Addr_NtWriteVirtualMemory);
    
92. 
    
93. *(ULONG*)NtWriteVirtualMemoryIndexAddress1 = (ULONG)MyNtWriteVirtualMemory;
    
94. 
    
95. __asm{
    
96. mov eax,cr0
    
97. or eax,10000h
    
98. mov cr0,eax
    
99. sti
    
100. }
     
101. DbgPrint("HookNtWriteVirtualMemory");
     
102. 
     
103. }
     
104. 
     
105. VOID UnhookNtWriteVirtualMemory()
     
106. {
     
107. ULONG NtWriteVirtualMemoryIndexAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase);
     
108. ULONG NtWriteVirtualMemoryIndexAddress1 = NtWriteVirtualMemoryIndexAddress + 0x115*4;
     
109. _asm
     
110. {
     
111. cli
     
112. pushad                  
     
113. mov eax,cr0
     
114. and eax,not 10000h
     
115. mov cr0,eax
     
116. }
     
117. *(ULONG*)NtWriteVirtualMemoryIndexAddress1 = (ULONG)OldWriteVirtualMemoryAddress;
     
118. _asm
     
119. {     
     
120. mov eax,cr0
     
121. or eax,10000h
     
122. mov cr0,eax
     
123. popad
     
124. sti
     
125. }
     
126. 
     
127. DbgPrint("UnhookNtWriteVirtualMemory");
     
128. 
     
129. }

複製代碼

zaq947

好多的API阿~~
也許學習外褂這是必經的過程XD