SSDT

SSDT Shadow Table

// One system service table as the dispatcher sees it (32-bit layout: each
// ServiceTableBase entry is a ULONG-sized routine address).
typedef struct _KSYSTEM_SERVICE_TABLE
{
    PULONG ServiceTableBase;                  // base address of the SSDT (System Service Dispatch Table)
    PULONG  ServiceCounterTableBase;                        // checked builds only: per-service call counters for the SSDT
    ULONG   NumberOfService;                                // number of service routines; NumberOfService * 4 is the size of the whole address table (32-bit entries)
    PUCHAR   ParamTableBase;                                 // base address of the SSPT (System Service Parameter Table)
} KSYSTEM_SERVICE_TABLE, *PKSYSTEM_SERVICE_TABLE;

// Descriptor holding the four service tables; only the first two are used here.
// NOTE(review): this layout is assumed to match the kernel build being targeted — confirm.
typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
    KSYSTEM_SERVICE_TABLE   ntoskrnl;                       // service routines of ntoskrnl.exe
    KSYSTEM_SERVICE_TABLE   win32k;                         // service routines of win32k.sys (kernel-side support for GDI32.dll/User32.dll)
    KSYSTEM_SERVICE_TABLE   notUsed1;
    KSYSTEM_SERVICE_TABLE   notUsed2;
}KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;

// Kernel-exported descriptor for the ntoskrnl service table.
extern PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
// Shadow descriptor (the one that also covers win32k). It is not resolved through
// an export here; HookNtUserFindWindowEx fills it in by subtracting a hard-coded
// distance from KeServiceDescriptorTable, which is specific to one kernel build.
PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTableShadow;


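// Locate the head of the kernel's active-process list.
//
// Looks up the System process (PID 4) and reads the Blink of its
// ActiveProcessLinks entry; the code assumes the System process sits directly
// after the list head, so that Blink is PsActiveProcessHead (review: confirm
// on the target build). Returns NULL if the process lookup fails.
//
// The EPROCESS offset below is XP-specific; it must be revisited for any other
// Windows version.
PLIST_ENTRY FindPsActiveProcessHead() // there should be a cleaner way to obtain this
{
    PEPROCESS process = NULL;
    PLIST_ENTRY PsActiveProcessHead = NULL;
    PLIST_ENTRY pList = NULL;
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)4, &process); // 4 --> System
    if (!NT_SUCCESS(status))
    {
        KdPrint(("获取process失败\n"));
        return NULL;
    }
    // xp _EPROCESS +0x088 ActiveProcessLinks : _LIST_ENTRY
    pList = (PLIST_ENTRY)((PUCHAR)process + 0x88);
    PsActiveProcessHead = pList->Blink;
    //KdPrint(("PsActiveProcessHead地址=%x\n",pList->Blink));

    // PsLookupProcessByProcessId returns a referenced EPROCESS; the original
    // code never released it, leaking one reference per call.
    ObDereferenceObject(process);

    return PsActiveProcessHead;
}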

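// Walk the active-process list and return the EPROCESS address (as ULONG) of
// the first process whose image name equals Name, or 0 if none matches or the
// list head cannot be found.
//
// Name: ANSI string to compare against (case-sensitive, RtlCompareString with
//       CaseInSensitive == 0).
// The returned address carries no object reference; it is only as valid as the
// process it names. Offsets are XP-specific: ActiveProcessLinks at +0x88 and the
// name field read at +0x174 (presumably ImageFileName — verify on the target build).
ULONG FindProcess(PSTRING Name) // could also be done by communicating with ring 3
{
    PLIST_ENTRY pHead = NULL, pTemp = NULL;
    ULONG pPor = 0;
    STRING porName;

    pHead = FindPsActiveProcessHead();
    // FindPsActiveProcessHead returns NULL when the System process lookup fails;
    // the original code dereferenced it unconditionally.
    if (pHead == NULL)
    {
        KdPrint(("没有找到进程\r\n"));
        return 0;
    }

    for (pTemp = pHead->Flink; pTemp != pHead; pTemp = pTemp->Flink)
    {
        pPor = (ULONG)pTemp - 0x88; // back from ActiveProcessLinks to the EPROCESS base
        RtlInitAnsiString(&porName, (PCSZ)(pPor + 0x174));
        if (0 == RtlCompareString(Name, &porName, 0))
        {
            return pPor;
        }
    }

    KdPrint(("没有找到进程\r\n"));
    return 0;
}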
// Replaces one entry of the win32k shadow service table with m_NtUserFindWindowEx.
// NOTE(review): every constant here (the -0x40 distance between the two
// descriptors, table index 0x17a, and the EPROCESS offsets used by FindProcess)
// is tied to one specific Windows build — confirm before use.
void HookNtUserFindWindowEx()
{
    ULONG exlorerEproc;
    PKAPC_STATE ApcState; // never initialized: KeStackAttachProcess below writes through this indeterminate pointer (undefined behavior)
    STRING str;
    PULONG pNtFind=NULL; // unused
    KeServiceDescriptorTableShadow=(PKSERVICE_TABLE_DESCRIPTOR)((ULONG)KeServiceDescriptorTable-0x40);
    RtlInitAnsiString(&str,"explorer.exe"); // must be attached to a GUI process, otherwise there is no concrete shadow table

    // FindProcess returns 0 when explorer.exe is not found; that value is cast to
    // PEPROCESS without a check.
    exlorerEproc=FindProcess(&str);

    KeStackAttachProcess((PEPROCESS)exlorerEproc, ApcState);
    //PageProtectOff(); page protection has to be turned off before the SSDT can be modified
    KeServiceDescriptorTableShadow->win32k.ServiceTableBase[0x17a]=(ULONG)m_NtUserFindWindowEx;
    //PageProtectOn();
    // No matching KeUnstackDetachProcess: the calling thread remains attached on return.
}
