在内核模式下HOOK WTSXXX函数之前的小测试

楼主^#

更多发布于：2008-10-05 15:48

这几天我怀疑我真的是吃饱了没事做...

在内核模式下打开winlogon.exe 然后打算取wtsapi32.dll中WTSEnumerateSessionsW地址，打算把JMP HookProc写到这个地址里去。
JMP的HookProc我想用MmMapLockedPagesSpecifyCache 映射到用户空间为pMappedAddress
于是我首先这样测试了一把

我在驱动中先把我自己的HookProc的地址pMappedAddress，KdPrint，然后写另一个应用程序，这个程序里就一句话 __asm in 3;
当驱动把HookProc的地址输出后，我运行int 3的应用程序，WinDBG这个时候断了下来。
我在WinDBG里用db 查看HookProc的pMappedAddress地址。不成功，都是??

我想请教下,,我的问题出在哪呢？还是这个想法根本就是错的？

// hProcess是winlogon.exe打开后的句柄，获取EPROCESS
if( STATUS_SUCCESS == ObReferenceObjectByHandle( hProcess, FILE_READ_DATA, *PsProcessType, KernelMode, (PVOID)&eProcess, NULL ))
   {
   KeStackAttachProcess(eProcess ,&ApcState);

   ModuleListCurrent = GetProcessModuleListByPeb(Peb);
   ModuleListStart = ModuleListCurrent;

   KdPrint(("MSTDI!EnumProcesses: Process:%ws,PEB:%08X,Module:%08X\n",ProcessName->Buffer,Peb,ModuleListStart));

   do
   {
   ModuleListCurrent = ModuleListCurrent->Flink;
   LdrModule = (LDR_MODULE*)ModuleListCurrent;

   if(!LdrModule)
   {
   continue;
   }

   if( CompareProcessPath(LdrModule->FullDllName.Buffer,(LdrModule->FullDllName.Length / sizeof(WCHAR)),TargetDllName.Buffer,(TargetDllName.Length / sizeof(WCHAR)) ) )
   {
   KdPrint(("\t0x%08x\t\t",LdrModule->BaseAddress));
   KdPrint(("%ws\t",LdrModule->FullDllName.Buffer));
   *HookFunAddr = LdrModule->BaseAddress;
   __try
   {
   pMappedAddress = MmMapLockedPagesSpecifyCache (pMdl,UserMode,MmCached,NULL,FALSE,NormalPagePriority);
   }
   __except(EXCEPTION_EXECUTE_HANDLER)
   {
   KdPrint(("MSTDI!EnumProcesses: Map address except.\n"));
   KeUnstackDetachProcess (&ApcState);
   ObDereferenceObject(eProcess);
   NdisFreeMemory(ProcessName,MAX_PATH,0);
   ZwClose(hProcess);
   NdisFreeMemory(pSpi,dSize,0);
   pSpi = NULL;
   pMappedAddress = NULL;

   return STATUS_UNSUCCESSFUL;
   }

   if (!pMappedAddress)
   {
   KdPrint(("MSTDI!EnumProcesses: Cannot map address.\n"));

   KeUnstackDetachProcess (&ApcState);
   ObDereferenceObject(eProcess);
   NdisFreeMemory(ProcessName,MAX_PATH,0);
   ZwClose(hProcess);
   NdisFreeMemory(pSpi,dSize,0);
   pSpi = NULL;
   pMappedAddress = NULL;
   return STATUS_UNSUCCESSFUL;
   }

   KdPrint(("New Fun:%08X\n",pMappedAddress));
   }

   } while(ModuleListCurrent != ModuleListStart);

   KdPrint(("\n"));

   KeUnstackDetachProcess (&ApcState);
   ObDereferenceObject(eProcess);
   }
   else
   {
   KdPrint(("MSTDI!EnumProcesses: ObReferenceObjectByHandle Failed ,Process = %ws\n",ProcessName->Buffer));
   }

pMDL在驱动入口点初始化,Unload时释放

nSize = (unsigned char *)HookProc - (unsigned char *)HookProcEnd;

   pMdl = IoAllocateMdl (HookProc, nSize, FALSE,FALSE,NULL);
   if (!pMdl)
   {
   KdPrint(("MSTDI!DriverEntry : Allocate MDLs Failed.\n"));
   return STATUS_INSUFFICIENT_RESOURCES;
   }

   __try
   {
   MmProbeAndLockPages (pMdl,KernelMode,IoWriteAccess);
   }
   __except (EXCEPTION_EXECUTE_HANDLER)
   {
   KdPrint(("MSTDI!DriverEntry : Exception during MmProbeAndLockPages.\n"));
   IoFreeMdl (pMdl);
   return STATUS_UNSUCCESSFUL;
   }

喜欢0

发帖回复

« 返回列表

您需要登录后才可以回帖，登录或者注册

返回顶部

在内核模式下HOOK WTSXXX函数之前的小测试

最新喜欢：