驱动获取SSDT表代码

#include <ntddk.h>

typedef struct _SERVICE_DESCRIPTOR_TABLE {
	/*
	* Table containing cServices elements of pointers to service handler
	* functions, indexed by service ID.
	*/
	PULONG   ServiceTable;
	/*
	* Table that counts how many times each service is used. This table
	* is only updated in checked builds.
	*/
	PULONG  CounterTable;
	/*
	* Number of services contained in this table.
	*/
	ULONG   TableSize;
	/*
	* Table containing the number of bytes of parameters the handler
	* function takes.
	*/
	PUCHAR  ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

typedef NTSTATUS (*ZWCREATEFILE)(
    OUT PHANDLE            FileHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES  ObjectAttributes,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN PLARGE_INTEGER      AllocationSize OPTIONAL,
    IN ULONG                FileAttributes,
    IN ULONG                ShareAccess,
    IN ULONG                CreateDisposition,
    IN ULONG                CreateOptions,
    IN PVOID                EaBuffer OPTIONAL,
    IN ULONG                EaLength );
static ZWCREATEFILE                OldZwCreateFile;

extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
#define SSDKREPLACE(_function) KeServiceDescriptorTable->ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
#define SDT SSDKREPLACE


void EndHookSSDT()
{
    __asm
    {
        push    eax
            mov        eax, CR0
            and        eax, 0FFFEFFFFh
            mov        CR0, eax
            pop        eax
    }
    (ZWCREATEFILE)InterlockedExchange((PLONG)&SDT(ZwCreateFile),(LONG)OldZwCreateFile);
    __asm
    {
        push    eax
            mov        eax, CR0
            or        eax, NOT 0FFFEFFFFh
            mov        CR0, eax
            pop        eax
    }
}

void DriverUnLoad(PDRIVER_OBJECT pDriver)
{
    KdPrint(("DriverUnload..."));
    EndHookSSDT();
    return ;
}

void PrintfSSDT()
{   
    int i=0;
    while(i < KeServiceDescriptorTable->TableSize)
    {
        KdPrint(("%d--->%X\n",i+1,KeServiceDescriptorTable->ServiceTable[i++]));
    }
}

NTSTATUS Hook_ZwCreateFile(
    OUT PHANDLE            FileHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES  ObjectAttributes,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN PLARGE_INTEGER      AllocationSize OPTIONAL,
    IN ULONG                FileAttributes,
    IN ULONG                ShareAccess,
    IN ULONG                CreateDisposition,
    IN ULONG                CreateOptions,
    IN PVOID                EaBuffer OPTIONAL,
    IN ULONG                EaLength )
{
    NTSTATUS rc;

    rc = OldZwCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,
        AllocationSize,FileAttributes,ShareAccess,CreateDisposition,
        CreateOptions,EaBuffer,EaLength);
    KdPrint(("new createfile-->%wZ",ObjectAttributes->ObjectName));
    return rc;
}

void StartHookSSDT()
{
    __asm
    {
        push    eax
            mov        eax, CR0
            and        eax, 0FFFEFFFFh
            mov        CR0, eax
            pop        eax
    }
    OldZwCreateFile = (ZWCREATEFILE)InterlockedExchange((PLONG)&SDT(ZwCreateFile),(LONG)Hook_ZwCreateFile);
    __asm
    {
        push    eax
            mov        eax, CR0
            or        eax, NOT 0FFFEFFFFh
            mov        CR0, eax
            pop        eax
    }
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj,PUNICODE_STRING pRegPath)
{
    KdPrint(("Driver Load..."));
    pDrvObj->DriverUnload = DriverUnLoad;

    PrintfSSDT();
    StartHookSSDT();
    return STATUS_SUCCESS;
}

本文链接地址: https://www.dbgpro.com/archives/4745.html

——版权声明——