这段时间在学习驱动,然后看到hook ssdt的代码,找了一个写的清晰的学习了一下:
这里是hook NtOpenProcess,但是想自己练手所以hook NtTerminateProcess,经过多次蓝屏后,然后这里记录一下
-
遇到的问题
由于所学的例子是通过应用程序获取pid来控制保护的进程,但是ZwTerminateProcess不能通过参数获得PID,那如何获取PID呢?
-
解决方案
通过ZwQueryInformationProcess获得ProcessInformation再获得PID
-
环境
开发配置:vs2015 x86 debug
测试环境:xp sp3
驱动代码
1 #include2 3 #define NT_DEVICE_NAME L"\\Device\\ProtectProcess" 4 #define DOS_DEVICE_NAME L"\\DosDevices\\ProtectProcess" 5 6 #define IOCTL_PROTECT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) 7 8 9 #pragma pack(1) //SSDT表的结构 10 typedef struct ServiceDescriptorEntry 11 { 12 unsigned int *ServiceTableBase; 13 unsigned int *ServiceCounterTableBase; //Used only in checked build 14 unsigned int NumberOfServices; 15 unsigned char *ParamTableBase; 16 } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; 17 #pragma pack() 18 19 __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; //变量名是不能变的,因为是从外部导入 20 21 //这个用于查询某个函数的地址的宏定义 22 #define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function+1)] 23 24 NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess( 25 IN HANDLE ProcessHandle, 26 IN PROCESSINFOCLASS ProcessInformationClass, 27 OUT PVOID ProcessInformation, 28 IN ULONG ProcessInformationLength, 29 OUT PULONG ReturnLength); 30 31 NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess( 32 IN HANDLE ProcessHandle OPTIONAL, 33 IN NTSTATUS ExitStatus); 34 35 36 typedef NTSTATUS (*ZWTERMINATEPROCESS)( 37 IN HANDLE ProcessHandle OPTIONAL, 38 IN NTSTATUS ExitStatus); 39 40 ZWTERMINATEPROCESS OldZwTerminateProcess; 41 long pid = -1; 42 43 NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT deviceObject, IN PIRP Irp) 44 { 45 NTSTATUS nStatus = STATUS_SUCCESS; 46 ULONG IoControlCode = 0; 47 PIO_STACK_LOCATION IrpStack = NULL; 48 49 long* inBuf = NULL; 50 char* outBuf = NULL; 51 ULONG inSize = 0; 52 ULONG outSize = 0; 53 PCHAR buffer = NULL; 54 PMDL mdl = NULL; 55 56 Irp->IoStatus.Status = STATUS_SUCCESS; 57 Irp->IoStatus.Information = 0; 58 59 IrpStack = IoGetCurrentIrpStackLocation(Irp); //利用函数获得当前请求任务的参数 60 switch (IrpStack->MajorFunction) 61 { 62 case IRP_MJ_CREATE: 63 DbgPrint("IRP_MJ_CREATE被调用\n"); 64 break; 65 case IRP_MJ_CLOSE: 66 DbgPrint("IRP_MJ_CLOSE被调用\n"); 67 break; 68 case IRP_MJ_DEVICE_CONTROL: 69 DbgPrint("IRP_MJ_DEVICE_CONTROL被调用\n"); 70 IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode; 71 switch (IoControlCode) 72 { 73 case IOCTL_PROTECT_CONTROL: 74 inSize = IrpStack->Parameters.DeviceIoControl.InputBufferLength; 75 outSize = IrpStack->Parameters.DeviceIoControl.OutputBufferLength; 76 77 inBuf = (long*)Irp->AssociatedIrp.SystemBuffer; 78 pid = *inBuf; 79 DbgPrint("=================================="); 80 DbgPrint("IOCTL_PROTECT_CONTROL被调用,通讯成功\n"); 81 DbgPrint("输入缓冲区大小:%d\n", inSize); 82 DbgPrint("输出缓冲区大小:%d\n", outSize); 83 DbgPrint("输入缓冲区内容:%ld\n", inBuf); 84 DbgPrint("当前保护进程ID:%ld\n", pid); 85 DbgPrint("=================================="); 86 break; 87 default: 88 break; 89 } 90 break; 91 default: 92 DbgPrint("未知请求包被调用\n"); 93 break; 94 } 95 96 nStatus = Irp->IoStatus.Status; 97 98 IoCompleteRequest(Irp, IO_NO_INCREMENT); 99 100 return nStatus;101 }102 103 NTSTATUS NewZwTerminateProcess(104 IN HANDLE ProcessHandle OPTIONAL,105 IN NTSTATUS ExitStatus)106 {107 NTSTATUS nStatus = STATUS_SUCCESS;108 109 ULONG Ret;110 PROCESS_BASIC_INFORMATION pbi;111 112 //pBuffer = ExAllocatePool(PagedPool, sizeof(PROCESS_BASIC_INFORMATION));113 ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), &Ret);114 115 116 if (pbi.UniqueProcessId == pid)117 {118 DbgPrint("保护进程不被关闭:%d\n", pid);119 return STATUS_ACCESS_DENIED;120 }121 122 nStatus = OldZwTerminateProcess(ProcessHandle, ExitStatus);123 return STATUS_SUCCESS;124 }125 126 VOID DriverUnload(PDRIVER_OBJECT pDriverObject)127 {128 UNICODE_STRING DeviceLinkString;129 PDEVICE_OBJECT DeviceObjectTemp1 = NULL;130 PDEVICE_OBJECT DeviceObjectTemp2 = NULL;131 132 DbgPrint("Driver Unload\n");133 134 RtlInitUnicodeString(&DeviceLinkString, DOS_DEVICE_NAME);135 IoDeleteSymbolicLink(&DeviceLinkString);136 if (pDriverObject)137 {138 DeviceObjectTemp1 = pDriverObject->DeviceObject;139 while (DeviceObjectTemp1)140 {141 DeviceObjectTemp2 = DeviceObjectTemp1;142 DeviceObjectTemp1 = DeviceObjectTemp1->NextDevice;143 IoDeleteDevice(DeviceObjectTemp2);144 }145 }146 147 DbgPrint("设备已经卸载\n");148 DbgPrint("修复SSDT表\n");149 (ZWTERMINATEPROCESS)(SYSTEMSERVICE(ZwTerminateProcess)) = OldZwTerminateProcess;150 DbgPrint("驱动卸载完毕\n");151 }152 153 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)154 {155 NTSTATUS ntStatus = STATUS_SUCCESS;156 UNICODE_STRING ntDeviceName;157 UNICODE_STRING DeviceLinkString;158 PDEVICE_OBJECT deviceObject = NULL;159 160 RtlInitUnicodeString(&ntDeviceName, NT_DEVICE_NAME);161 162 ntStatus = IoCreateDevice(163 pDriverObject,164 0,165 &ntDeviceName,166 FILE_DEVICE_UNKNOWN,167 0,168 FALSE,169 &deviceObject);170 171 if (!NT_SUCCESS(ntStatus))172 {173 DbgPrint("无法创建驱动设备");174 return ntStatus;175 }176 177 RtlInitUnicodeString(&DeviceLinkString, DOS_DEVICE_NAME);178 ntStatus = IoCreateSymbolicLink(&DeviceLinkString, &ntDeviceName);179 180 if (!NT_SUCCESS(ntStatus))181 {182 return ntStatus;183 }184 185 pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchDeviceControl;186 pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchDeviceControl;187 pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;188 pDriverObject->DriverUnload = DriverUnload;189 190 DbgPrint("驱动程序已经启动\n");191 DbgPrint("修改SSDT表。。。\n");192 193 //修改ZwTerminateProcess函数地址194 //将原来ssdt中所要hook的函数地址换成我们自己的函数地址195 OldZwTerminateProcess = (ZWTERMINATEPROCESS)(SYSTEMSERVICE(ZwTerminateProcess));196 SYSTEMSERVICE(ZwTerminateProcess) = (unsigned int)NewZwTerminateProcess;197 198 DbgPrint("驱动程序加载完毕\n");199 200 return STATUS_SUCCESS;201 }