Windows简单驱动编程(三):SSDT HOOK

ssdt hook NtOpenProcess

Win7 32位环境,代码注释中已给出一些解释

#include 
#include 

// Saved original SSDT entry for NtOpenProcess. Written by HookNtOpenProcess() and
// read back by UnHookNtOpenProcess(). As a file-scope object it starts at 0, so an
// unhook that runs before any hook would store 0 into the service table.
ULONG uOldNtOpenProcess;

// Layout of one system service table (undocumented x86 KSYSTEM_SERVICE_TABLE).
// This driver only touches ServiceTableBase, indexed by system service number.
typedef struct _KSYSTEM_SERVICE_TABLE
{
	PULONG ServiceTableBase;        // array of handler addresses, one per service number
	PULONG ServiceCounterTableBase; // per-service call counters (populated on checked builds)
	ULONG NumberOfService;          // entry count; not consulted before indexing in this file
	PULONG ParamTableBase;          // per-service argument byte counts used by the dispatcher
}KSYSTEM_SERVICE_TABLE, * PKSYSTEM_SERVICE_TABLE;

// The kernel's service descriptor: four service tables, of which only the first
// (ntoskrnl) is used here. The struct tag is spelled _KERVICE_... while the typedef
// names are KSERVICE_...; harmless, but the tag is part of the declared name and
// is left as-is so nothing referencing it breaks.
typedef struct _KERVICE_TABLE_DESCRIPTOR
{
	KSYSTEM_SERVICE_TABLE ntoskrnl; // native system calls (the table patched below)
	KSYSTEM_SERVICE_TABLE win32k;   // win32k.sys services; untouched by this driver
	KSYSTEM_SERVICE_TABLE notUsed1;
	KSYSTEM_SERVICE_TABLE notUsed2;
}KSERVICE_TABLE_DESCRIPTOR, * PKSERVICE_TABLE_DESCRIPTOR;

// Kernel export resolved at link time. Declared here as a pointer and dereferenced
// with -> throughout; NOTE(review): whether that matches how the symbol is actually
// exported depends on the link step — confirm before reusing this declaration.
// The export exists on x86 only, which is one reason the page limits itself to
// Win7 32-bit; on x64 the kernel's integrity checks treat SSDT writes as fatal.
extern PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;


// Re-enable kernel write protection: sets CR0.WP (bit 16, 0x10000) so writes to
// read-only pages fault again, then re-enables interrupts with sti.
// Must be paired with PageProtectOff() on the same CPU: the sti assumes that
// function's cli ran first, and will also re-enable interrupts that a caller had
// deliberately left disabled. cli/sti act on the current processor only, so on a
// multi-core system other CPUs keep running between the two CR0 writes.
void PageProtectOn()
{
	__asm {
		mov eax,cr0    // read CR0
		or eax,10000h  // set WP (bit 16)
		mov cr0,eax    // write back: read-only pages are protected again
		sti            // re-enable interrupts on this CPU
	}
}

// Disable kernel write protection: masks interrupts on this CPU with cli, then
// clears CR0.WP (bit 16) so the read-only SSDT page can be written.
// Leaves interrupts disabled until PageProtectOn() runs; every caller in this file
// pairs the two around a single table write. Clearing CR0.WP from a driver is a
// well-known rootkit signature and is exactly the kind of event kernel integrity
// monitors look for.
void PageProtectOff()
{
	__asm {
		cli                 // mask interrupts on this CPU while WP is off
		mov eax,cr0         // read CR0
		and eax,not 10000h  // clear WP (bit 16)
		mov cr0,eax         // write back: read-only pages become writable
	}
}

// Replacement installed into the NtOpenProcess SSDT slot. The parameter list must
// match the real NtOpenProcess so the system-call dispatcher passes arguments through.
// As written it only logs and returns STATUS_SUCCESS: it never writes *ProcessHandle,
// so while the hook is active every OpenProcess call in the system reports success
// with an indeterminate handle value. This is a demonstration of the hook firing,
// not a usable filter; expect any process that opens other processes (services,
// debuggers, task managers) to misbehave until UnHookNtOpenProcess() runs.
// Parameters: the four NtOpenProcess arguments (output handle, desired access,
// object attributes, client id); all unused here.
NTSTATUS MyNtOpenProcess(
	PHANDLE            ProcessHandle,
	ACCESS_MASK        DesiredAccess,
	POBJECT_ATTRIBUTES ObjectAttributes,
	PCLIENT_ID         ClientId)
{
	KdPrint(("hook succcess!.....\n"));  // debug-build trace only
	return STATUS_SUCCESS;  // reported success, but *ProcessHandle is never set
}


// Installs MyNtOpenProcess into SSDT slot 0xBE, the NtOpenProcess index on Win7
// 32-bit (the author verified it with PCHunter). The index is build-specific and is
// hard-coded: it is not validated against ntoskrnl.NumberOfService, and nothing
// confirms the slot currently holds NtOpenProcess before it is overwritten.
// Saves the previous entry in uOldNtOpenProcess for UnHookNtOpenProcess().
// Returns STATUS_SUCCESS unconditionally; nothing in the body can fail as written.
// Detection note: after this runs the slot points into this driver's image rather
// than into ntoskrnl, which is the comparison SSDT integrity scanners make.
NTSTATUS HookNtOpenProcess()
{
	NTSTATUS Status;
	Status = STATUS_SUCCESS;  // never changed; the return value carries no information
	PageProtectOff();
	// read-then-write of the same slot with write protection and interrupts off
	uOldNtOpenProcess = KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[0xBE];
	KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[0xBE] = (ULONG)MyNtOpenProcess;
	PageProtectOn();
	return Status;

}

// Restores the saved SSDT entry for slot 0xBE. Unconditional: if HookNtOpenProcess()
// never ran, uOldNtOpenProcess is still 0 and this stores a null handler into the
// table. Nothing here waits for a thread that is already executing MyNtOpenProcess,
// so a driver unload immediately after this call can leave such a thread returning
// into unmapped driver memory. Always returns STATUS_SUCCESS.
NTSTATUS UnHookNtOpenProcess()
{
	PageProtectOff();
	KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[0xBE] = (ULONG)uOldNtOpenProcess;
	PageProtectOn();
	return STATUS_SUCCESS;
}


// DriverUnload callback: logs, then removes the hook. The driver object parameter
// is unused. See UnHookNtOpenProcess() for the in-flight-caller hazard; this
// function adds no synchronisation of its own before the image goes away.
void Unload(PDRIVER_OBJECT driver)
{
	KdPrint(("Unload driver success.....\n"));  // debug-build trace only
	UnHookNtOpenProcess();
}

// Driver entry point. Prints the current contents of SSDT slot 0xBE (handy for
// confirming the index on a given build), installs the hook, then registers Unload.
// The return value of HookNtOpenProcess() is ignored, which is harmless only because
// that function always returns STATUS_SUCCESS. reg_path is unused.
// Note the order: the hook is live before DriverUnload is set, so there is a brief
// window in which the driver cannot be unloaded to undo it.
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
	KdPrint(("load driver success.....\n"));
	// %x prints the ULONG slot value; on a clean system this is NtOpenProcess's address
	KdPrint(("===> %x \n", KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[0xBE]));
	
	HookNtOpenProcess();

	driver->DriverUnload = Unload;
	return STATUS_SUCCESS;
}

 
