Hook Shadow SSDT
网上很多文章都有关于SSDT的完整的实现,但是没有关于Shadow SSDT的完整实现,目前最好的文章是《shadow ssdt学习笔记 by zhuwg》,我这里的程序也很多参考了他的文章,在这里谢谢了。
我这里给出一个hook shadow ssdt的完整实现的驱动和3层(ring3)的代码。
这里主要是hook了NtUserFindWindowEx,NtUserBuildHwndList,NtUserQueryWindow,NtUserGetForegroundWindow,NtUserWindowFromPoint来防止其他应用程序通过FindWindow,EnumWindow,WindowFromPoint,GetForegroundWindow这些函数来枚举我们的窗口,不过这个程序对于GetWindowText这个东西无法防护,如果有朋友在驱动层实现了对该函数的保护,是否能一起交流呢。
关于hook的流程,看了上面zhuwg的文章,大家应该很好的了解了。
下面的代码也很简单。
大家随便看看吧,通信方面,随便使用了METHOD_NEITHER方法,这个方法不好,有问题,不过懒得改了,懂驱动的应该很容易改为BUFFERED模式吧。
在这里谢谢给了很多帮助的各位牛人,特别是NetRoc,很细心的帮我测试。
。
代码:
#include
#include
#include
#include
#include"HookShadowSSDT.h"
// Forward declarations of the driver's own routines. Their definitions are
// either later in this file or beyond the end of this excerpt.
VOIDUnloadDriver(INPDRIVER_OBJECTDriverObject);
// IRP dispatch routines; DriverEntry stores them in DriverObject->MajorFunction.
NTSTATUSHideProcess_Create(INPDEVICE_OBJECTDeviceObject,INPIRPIrp);
NTSTATUSHideProcess_Close(INPDEVICE_OBJECTDeviceObject,INPIRPIrp);
NTSTATUSHideProcess_IoControl(INPDEVICE_OBJECTDeviceObject,INPIRPIrp);
// GetInfoTable wraps ZwQuerySystemInformation with a growing buffer; GetCsrPid
// returns the PID owning the "\Windows\ApiPort" handle; InitCallNumber fills in
// the per-OS service indices.
PVOIDGetInfoTable(ULONGATableType);
// NOTE: empty parentheses declare an unspecified parameter list in C. The
// definitions below take no arguments, so (VOID) would be the precise form.
HANDLEGetCsrPid();
VOIDInitCallNumber();
// NOTE(review): declared with a ULONG first parameter (and declared a second
// time in the Native API block below). The DDK prototype takes a HANDLE
// ProcessId; the declaration is kept as the author wrote it.
NTSTATUSPsLookupProcessByProcessId(INULONGulProcId,OUTPEPROCESS*pEProcess);
///////////////Declarations of the Native API used by this driver///////////////////////////////////////
// Function-pointer types matching the five win32k system services this driver
// replaces. The original entry points are saved into the g_Original* globals
// before the shadow table entries are overwritten (see DriverEntry).
typedefNTSTATUS(*NTUSERFINDWINDOWEX)(
INHWNDhwndParent,
INHWNDhwndChild,
INPUNICODE_STRINGpstrClassNameOPTIONAL,
INPUNICODE_STRINGpstrWindowNameOPTIONAL,
INDWORDdwType);
typedefNTSTATUS(*NTUSERBUILDHWNDLIST)(
INHDESKhdesk,
INHWNDhwndNext,
INULONGfEnumChildren,
INDWORDidThread,
INUINTcHwndMax,
OUTHWND*phwndFirst,
OUTULONG*pcHwndNeeded);
typedefUINT_PTR(*NTUSERQUERYWINDOW)(
INULONGWindowHandle,
INULONGTypeInformation);
typedefULONG(*NTUSERGETFOREGROUNDWINDOW)(VOID);
typedefHWND(*NTUSERWINDOWFROMPOINT)(LONG,LONG);
// ntoskrnl routines declared by hand, presumably because the headers in use do
// not export them. GetInfoTable calls ZwQuerySystemInformation; GetCsrPid calls
// ZwDuplicateObject and ZwQueryObject.
NTSTATUSZwQuerySystemInformation(
INULONGSystemInformationClass,
INPVOIDSystemInformation,
INULONGSystemInformationLength,
OUTPULONGReturnLength);
NTSTATUSZwDuplicateObject(
INHANDLESourceProcessHandle,
INPHANDLESourceHandle,
INHANDLETargetProcessHandle,
OUTPHANDLETargetHandle,
INACCESS_MASKDesiredAccessOPTIONAL,
INBOOLEANInheritHandle,
INULONGOptions);
NTSTATUSZwQueryObject(
INHANDLEObjectHandle,
INULONGObjectInformationClass,
OUTPVOIDObjectInformation,
INULONGObjectInformationLength,
OUTPULONGReturnLengthOPTIONAL);
// NOTE(review): second declaration of PsLookupProcessByProcessId with a ULONG
// parameter; the DDK prototype takes a HANDLE ProcessId.
NTSTATUSPsLookupProcessByProcessId(
INULONGulProcId,
OUTPEPROCESS*pEProcess);
// NOTE(review): KeAttachProcess and KeDetachProcess are declared here as returning
// NTSTATUS; the DDK declares both as VOID. The KeAttachProcess call in DriverEntry
// ignores the value anyway. KeStackAttachProcess is the documented replacement.
NTSTATUSKeAttachProcess(PEPROCESSpPeb);
NTSTATUSKeDetachProcess();
// Replacement routines that are installed in place of the services typed above.
// Their bodies are not part of this excerpt.
NTSTATUSMyNtUserFindWindowEx(
INHWNDhwndParent,
INHWNDhwndChild,
INPUNICODE_STRINGpstrClassNameOPTIONAL,
INPUNICODE_STRINGpstrWindowNameOPTIONAL,
INDWORDdwType);
NTSTATUSMyNtUserBuildHwndList(
INHDESKhdesk,
INHWNDhwndNext,
INULONGfEnumChildren,
INDWORDidThread,
INUINTcHwndMax,
OUTHWND*phwndFirst,
OUTULONG*pcHwndNeeded);
UINT_PTRMyNtUserQueryWindow(
INULONGWindowHandle,
INULONGTypeInformation);
ULONGMyNtUserGetForegroundWindow(VOID);
HWNDMyNtUserWindowFromPoint(LONGx,LONGy);
// Declared with no explicit return type (implicit int). Only its address is used,
// as the starting point of the byte scan in getAddressOfShadowTable.
__declspec(dllimport)_stdcallKeAddSystemServiceTable(PVOID,PVOID,PVOID,PVOID,PVOID);
////////////////////Global variables used by the driver///////////////
// The kernel's primary service descriptor table, imported from ntoskrnl. It is
// the 16-byte comparison template in getAddressOfShadowTable. The
// ServiceDescriptorTableEntry type is not defined in this excerpt (presumably
// HookShadowSSDT.h).
__declspec(dllimport)ServiceDescriptorTableEntryKeServiceDescriptorTable;
// Not referenced in this excerpt. The name suggests a saved CR0 value used while
// the service table is made writable -- confirm against the rest of the file.
unsignedlongOldCr0;
// Device and symbolic-link names; DriverEntry initialises them from the
// HIDE_PROCESS_* macros.
UNICODE_STRINGDeviceNameString;
UNICODE_STRINGLinkDeviceNameString;
// Original shadow-table entries, saved so the replacement routines can forward to
// them. DriverEntry fills g_OriginalNtUserFindWindowEx from
// KeServiceDescriptorTableShadow[1].ServiceTableBase[...]; the remaining
// assignments are cut off at the end of this excerpt.
NTUSERFINDWINDOWEXg_OriginalNtUserFindWindowEx;
NTUSERBUILDHWNDLISTg_OriginalNtUserBuildHwndList;
NTUSERQUERYWINDOWg_OriginalNtUserQueryWindow;
NTUSERGETFOREGROUNDWINDOWg_OriginalNtUserGetForegroundWindow;
NTUSERWINDOWFROMPOINTg_OriginalNtUserWindowFromPoint;
// EPROCESS of the process whose PID GetCsrPid returns; DriverEntry attaches to it
// with KeAttachProcess before reading the shadow table.
PEPROCESScrsEProc;
CCHARoutBuf[1024];// input buffer (1024 bytes); not referenced in this excerpt
HANDLEProcessIdToProtect=(HANDLE)0;// process whose windows are to be hidden; stays 0 until set elsewhere (presumably the IOCTL handler)
// Shadow-table service indices of the hooked win32k routines, set by
// InitCallNumber. Zero means the OS version was not recognised; DriverEntry
// tests every one of them for !=0 before installing any hook.
ULONGNtUserFindWindowEx_callnumber=0;// service number of NtUserFindWindowEx
ULONGNtUserGetForegroundWindow_callnumber=0;
ULONGNtUserQueryWindow_callnumber=0;
ULONGNtUserBuildHwndList_callnumber=0;
ULONGNtUserWindowFromPoint_callnumber=0;
// Not referenced in this excerpt -- presumably the value last returned by the
// GetForegroundWindow replacement; confirm against its body.
ULONGLastForegroundWindow;
// Heuristic search for the shadow service descriptor table on a 32-bit kernel.
// Starting at the address of KeAddSystemServiceTable, it reads 4096 overlapping
// 32-bit values (one per byte offset) and returns the first one that points to
// valid memory whose first 16 bytes equal KeServiceDescriptorTable's but which is
// not KeServiceDescriptorTable itself. Returns 0 if a read faults or no match is
// found within the window. The result is an unsigned int used as a pointer, so
// this cannot work on a 64-bit kernel. The scan depends on the layout of the
// specific ntoskrnl build; any change in that layout breaks it.
unsignedintgetAddressOfShadowTable()
{
unsignedinti;
unsignedchar*p;
unsignedintdwordatbyte;
p=(unsignedchar*)KeAddSystemServiceTable;
for(i=0;i<4096;i++,p++)
{
// MSVC structured exception handling (not standard C): a read that faults
// aborts the whole scan with 0.
__try
{
dwordatbyte=*(unsignedint*)p;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return0;
}
// MmIsAddressValid only reports whether touching the address would page-fault.
if(MmIsAddressValid((PVOID)dwordatbyte))
{
// 16 bytes: presumably the size of one 32-bit ServiceDescriptorTableEntry
// (four 4-byte fields) -- confirm against HookShadowSSDT.h.
if(memcmp((PVOID)dwordatbyte,&KeServiceDescriptorTable,16)==0)
{
// A pointer to the primary table itself is not the shadow table; keep scanning.
if((PVOID)dwordatbyte==&KeServiceDescriptorTable)
{
continue;
}
returndwordatbyte;
}
}
}
return0;
}
// Resolves the shadow service descriptor table and stores it in the global
// KeServiceDescriptorTableShadow (declared outside this excerpt, presumably in
// HookShadowSSDT.h). Returns TRUE when found and FALSE otherwise, as a ULONG.
// DriverEntry ignores this return value and tests the global directly.
ULONGgetShadowTable()
{
KeServiceDescriptorTableShadow=(PServiceDescriptorTableEntry)getAddressOfShadowTable();
if(KeServiceDescriptorTableShadow==NULL)
{
// The DbgPrint strings in this routine are split across lines by the page's
// extraction; they are kept exactly as shown.
DbgPrint("hooker.sys:
Couldntfindshadowtable!
");
returnFALSE;
}
else
{
DbgPrint("hooker.sys:
Shadowtablehasbeenfound!
");
// Entry [1] is the one whose service count is reported here; it is also the
// entry DriverEntry indexes when saving the original service pointers.
DbgPrint("hooker.sys:
Shadowtableentries:
%d",KeServiceDescriptorTableShadow[1].NumberOfServices);
returnTRUE;
}
}
// Selects the shadow-table service indices of the five hooked win32k routines from
// the OS version reported by PsGetVersion: 5.2 -> Windows 2003, 5.1 -> Windows XP,
// 5.0 -> Windows 2000. Any other version leaves every *_callnumber global at 0,
// which DriverEntry treats as "do not hook". The indices are hard-coded for
// particular builds; presumably they can differ between service packs, and a
// mismatched index would redirect an unrelated service -- confirm before relying
// on them.
VOIDInitCallNumber()
{
ULONGmajorVersion,minorVersion;
// Build number and CSD version are not requested (NULL), so service-pack
// differences are not distinguished.
PsGetVersion(&majorVersion,&minorVersion,NULL,NULL);
if(majorVersion==5&&minorVersion==2)
{
// The DbgPrint strings in this routine are split across lines by the page's
// extraction; they are kept exactly as shown.
DbgPrint("comint32:
RunningonWindows2003");
NtUserFindWindowEx_callnumber=0x179;
NtUserGetForegroundWindow_callnumber=0x193;
NtUserBuildHwndList_callnumber=0x137;
NtUserQueryWindow_callnumber=0x1E1;
NtUserWindowFromPoint_callnumber=0x24C;
}
elseif(majorVersion==5&&minorVersion==1)
{
DbgPrint("comint32:
RunningonWindowsXP");
NtUserFindWindowEx_callnumber=0x17A;
NtUserGetForegroundWindow_callnumber=0x194;
NtUserBuildHwndList_callnumber=0x138;
NtUserQueryWindow_callnumber=0x1E3;
NtUserWindowFromPoint_callnumber=0x250;
}
elseif(majorVersion==5&&minorVersion==0)
{
DbgPrint("comint32:
RunningonWindows2000");
NtUserFindWindowEx_callnumber=0x170;
NtUserGetForegroundWindow_callnumber=0x189;
NtUserBuildHwndList_callnumber=0x12E;
NtUserQueryWindow_callnumber=0x1D2;
NtUserWindowFromPoint_callnumber=0x238;
}
// No else branch: unrecognised versions leave the indices at their zero defaults.
}
// Queries ZwQuerySystemInformation for ATableType into a paged-pool buffer,
// starting at 0x4000 bytes and doubling on STATUS_INFO_LENGTH_MISMATCH until the
// call returns some other status. Returns the buffer on STATUS_SUCCESS (the caller
// owns it and releases it with ExFreePool, as GetCsrPid does) or NULL on
// allocation failure or any other status.
PVOIDGetInfoTable(ULONGATableType)
{
ULONGmSize=0x4000;
PVOIDmPtr=NULL;
NTSTATUSSt;
do
{
// Untagged allocation; ExAllocatePoolWithTag is the documented form.
mPtr=ExAllocatePool(PagedPool,mSize);
// NOTE(review): memset runs before the NULL check that follows, so a failed
// allocation dereferences NULL here instead of returning NULL.
memset(mPtr,0,mSize);
if(mPtr)
{
St=ZwQuerySystemInformation(ATableType,mPtr,mSize,NULL);
}elsereturnNULL;
// Buffer too small: release it and retry with twice the size (no upper bound).
if(St==STATUS_INFO_LENGTH_MISMATCH)
{
ExFreePool(mPtr);
mSize=mSize*2;
}
}while(St==STATUS_INFO_LENGTH_MISMATCH);
if(St==STATUS_SUCCESS)returnmPtr;
ExFreePool(mPtr);
returnNULL;
}
// Finds the process that owns a handle to the "\Windows\ApiPort" port object by
// walking the system handle table. Returns its PID as a HANDLE, or 0 if
// GetInfoTable fails or no such handle is found. Port-object handles are picked
// out by the hard-coded ObjectTypeNumber 21 ("Port object" in the original
// comment), an index that is specific to the OS version.
HANDLEGetCsrPid()
{
HANDLEProcess,hObject;
HANDLECsrId=(HANDLE)0;
OBJECT_ATTRIBUTESobj;
CLIENT_IDcid;
// 0x100-byte stack buffer that ZwQueryObject fills with an OBJECT_NAME_INFORMATION.
UCHARBuff[0x100];
POBJECT_NAME_INFORMATIONObjName=(PVOID)&Buff;
PSYSTEM_HANDLE_INFORMATION_EXHandles;
ULONGr;
// Snapshot of every handle in the system; released with ExFreePool at the end.
Handles=GetInfoTable(SystemHandleInformation);
if(!
Handles)returnCsrId;
// NOTE: this line is garbled in the listing (the `<Handles->` between r and
// NumberOfHandles was lost in extraction); it is kept as shown.
for(r=0;rNumberOfHandles;r++)
{
if(Handles->Information[r].ObjectTypeNumber==21)// Port object
{
InitializeObjectAttributes(&obj,NULL,OBJ_KERNEL_HANDLE,NULL,NULL);
cid.UniqueProcess=(HANDLE)Handles->Information[r].ProcessId;
cid.UniqueThread=0;
// Open the owning process for handle duplication only, copy the handle into
// the current process, and query its name. Both handles are closed on every
// path that reaches them. Nt prefix rather than Zw here; the Zw form is the one
// intended for kernel-mode callers.
if(NT_SUCCESS(NtOpenProcess(&Process,PROCESS_DUP_HANDLE,&obj,&cid)))
{
if(NT_SUCCESS(ZwDuplicateObject(Process,(HANDLE)Handles->Information[r].Handle,NtCurrentProcess(),&hObject,0,0,DUPLICATE_SAME_ACCESS)))
{
if(NT_SUCCESS(ZwQueryObject(hObject,ObjectNameInformation,ObjName,0x100,NULL)))
{
// wcsncmp over 20 characters against a 16-character literal effectively
// requires the whole name to match. There is no break, so the loop runs on
// and the last matching handle determines the result.
if(ObjName->Name.Buffer&&!
wcsncmp(L"\\Windows\\ApiPort",ObjName->Name.Buffer,20))
{
CsrId=(HANDLE)Handles->Information[r].ProcessId;
}
}
ZwClose(hObject);
}
ZwClose(Process);
}
}
}
ExFreePool(Handles);
returnCsrId;
}
// Blocks the current thread for MillionSecond milliseconds (the parameter name is
// the author's). The interval is built as a negative count of 100-ns units, which
// KeDelayExecutionThread treats as relative; the wait runs in KernelMode and is
// non-alertable. Returns TRUE when the wait completed successfully.
// NOTE(review): -10000*MillionSecond is evaluated in unsigned arithmetic and then
// converted to LONG, so values above roughly 214748 ms overflow.
BOOLEANSleep(ULONGMillionSecond)
{
NTSTATUSst;
LARGE_INTEGERDelayTime;
DelayTime=RtlConvertLongToLargeInteger(-10000*MillionSecond);
st=KeDelayExecutionThread(KernelMode,FALSE,&DelayTime);
return(NT_SUCCESS(st));
}
NTSTATUSDriverEntry(INPDRIVER_OBJECTDriverObject,INPUNICODE_STRINGRegistryPath)
{
NTSTATUSstatus;
PDEVICE_OBJECTdeviceObject;
RtlInitUnicodeString(&DeviceNameString,HIDE_PROCESS_WIN32_DEV_NAME);
RtlInitUnicodeString(&LinkDeviceNameString,HIDE_PROCESS_DEV_NAME);
KdPrint(("DriverEntryEnter............................\n"));
status=IoCreateDevice(
DriverObject,
0,
&DeviceNameString,
FILE_DEVICE_DISK_FILE_SYSTEM,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&deviceObject);
if(!
NT_SUCCESS(status))
{
KdPrint(("DriverEntry:
Errorcreatingcontroldeviceobject,status=%08x\n",status));
returnstatus;
}
status=IoCreateSymbolicLink(
(PUNICODE_STRING)&LinkDeviceNameString,
(PUNICODE_STRING)&DeviceNameString
);
if(!
NT_SUCCESS(status))
{
IoDeleteDevice(deviceObject);
returnstatus;
}
//获得shadow的地址
getShadowTable();
//根据不同的系统获得不同的函数服务号
InitCallNumber();
DriverObject->MajorFunction[IRP_MJ_CREATE]=HideProcess_Create;
DriverObject->MajorFunction[IRP_MJ_CLOSE]=HideProcess_Close;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=HideProcess_IoControl;
DriverObject->DriverUnload=UnloadDriver;
status=PsLookupProcessByProcessId((ULONG)GetCsrPid(),&crsEProc);
if(!
NT_SUCCESS(status))
{
DbgPrint("PsLookupProcessByProcessId()error\n");
returnstatus;
}
KeAttachProcess(crsEProc);
__try
{
if((KeServiceDescriptorTableShadow!
=NULL)\
&&(NtUserFindWindowEx_callnumber!
=0)&&(NtUserGetForegroundWindow_callnumber!
=0)\
&&(NtUserBuildHwndList_callnumber!
=0)&&(NtUserQueryWindow_callnumber!
=0)\
&&(NtUserWindowFromPoint_callnumber!
=0))
{
g_OriginalNtUserFindWindowEx=(NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber];
g_Ori