求助 汇编hook NtOpenProcess 系统假死问题
;@echo off
;goto make
;-----------------------------------------------------------------------
; SSDT hook of NtOpenProcess -- 32-bit kernel driver (MASM32 + KmdKit w2k
; includes). The file doubles as its own build script: run as a .bat,
; cmd.exe treats the leading ';' of the two lines above as a delimiter and
; jumps to the :make label at the end; ML ignores that part because it
; follows END.
; Target: x86 32-bit, flat model, stdcall (ebx/esi/edi are callee-saved).
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include E:\masm32\include\w2k\ntstatus.inc
include E:\masm32\include\w2k\ntddk.inc
include E:\masm32\include\w2k\ntoskrnl.inc
include E:\masm32\include\w2k\w2kundoc.inc
includelib E:\masm32\lib\w2k\ntoskrnl.lib
include E:\masm32\Macros\Strings.mac
include E:\Program Files\MASMPlus\Exlib\macro.asm

.data
CCOUNTED_UNICODE_STRING "\\Device\\MyNtOpenProcess", DevName, 4
CCOUNTED_UNICODE_STRING "\\DosDevices\\MyNtOpenProcess",DevSymbolicLinkName,4

.data?
AddrNtOpenProcess dd ?              ; address of the service-table slot that was patched
RealNtOpenProcess dd ?              ; original NtOpenProcess pointer read from that slot
dwImageFileNameOffset dd ?          ; offset of ImageFileName inside EPROCESS, found at runtime

.code

;-----------------------------------------------------------------------
; NTSTATUS Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp)
; Completes every IRP it receives (create/close/read/write, registered in
; DriverEntry) with STATUS_SUCCESS and zero bytes transferred.
; pDevObj is unused.
;-----------------------------------------------------------------------
Dispatch proc pDevObj:PDEVICE_OBJECT,pIrp:PIRP
    mov eax,pIrp
    mov (_IRP ptr [eax]).IoStatus.Status,STATUS_SUCCESS
    and (_IRP ptr [eax]).IoStatus.Information,0
    invoke IoCompleteRequest,pIrp,IO_NO_INCREMENT
    mov eax,STATUS_SUCCESS
    ret
Dispatch endp

;-----------------------------------------------------------------------
; SafeOn: mask interrupts on this CPU and clear CR0.WP (bit 16) so the
; read-only service table can be written.
; Clobbers: eax, flags.
; NOTE(review): cli only masks interrupts on the current processor; other
; processors can still run the service dispatcher while the table is being
; patched -- nothing here serializes against them.
;-----------------------------------------------------------------------
SafeOn proc
    cli
    mov eax,cr0
    and eax,not 10000h              ; clear bit 16 = CR0.WP
    ;and eax,0fffeffffh
    mov cr0,eax
    ret
SafeOn endp

;-----------------------------------------------------------------------
; SafeOff: intended to re-enable CR0.WP and interrupts after SafeOn.
; Clobbers: eax, flags.
; BUG(review): the mask is 1000h (bit 12), not the 10000h (bit 16) that
; SafeOn cleared. Write protection is therefore never restored and a
; reserved CR0 bit is set instead; the intended line is `or eax,10000h`.
;-----------------------------------------------------------------------
SafeOff proc
    mov eax,cr0
    or eax,1000h                    ; bit 12 -- does NOT undo SafeOn's `and eax,not 10000h`
    mov cr0,eax
    sti
    ret
SafeOff endp

;-----------------------------------------------------------------------
; NTSTATUS MyNtOpenProcess(hProcess, DesiredAccess, ObjectAttributes, clientId)
; Replacement installed into the service table by Hook. Looks up the
; target process from clientId->UniqueProcess; if its EPROCESS.ImageFileName
; starts with "notepad" (7 chars, case-insensitive) returns
; STATUS_ACCESS_DENIED, otherwise forwards all four arguments unchanged to
; the saved original (RealNtOpenProcess) and returns its status.
; Parameters are untyped (DWORD-sized in this flat 32-bit model).
; NOTE(review): ebx and esi are overwritten but the proc has no `uses`
; clause (contrast GetImageFileNameOffset / DriverEntry). Under stdcall
; they are callee-saved; whether the kernel's service dispatcher tolerates
; this depends on how it saves and restores its trap frame -- verify, as
; it is a plausible cause of instability that appears only once the
; hook is reached.
; NOTE(review): PsLookupProcessByProcessId returns a referenced EPROCESS;
; no ObDereferenceObject follows on either path, so every successful
; lookup leaks one reference on the target process.
; NOTE(review): the PsGetCurrentProcess result placed in esi is never read
; (esi is reloaded below); `App` is never used.
;-----------------------------------------------------------------------
MyNtOpenProcess proc hProcess,DesiredAccess,ObjectAttributes,clientId
    local lpEPROCESS:PVOID
    local App:PEPROCESS
    invoke PsGetCurrentProcess
    mov esi,eax
    assume esi:ptr _EPROCESS
    add esi,dwImageFileNameOffset   ; dead: esi is overwritten before any read
    assume esi:nothing
    mov eax,clientId
    assume eax:PCLIENT_ID
    mov ebx,[eax].UniqueProcess     ; ebx = PID being opened (callee-saved reg, not preserved)
    assume eax:nothing
    invoke PsLookupProcessByProcessId,ebx,addr lpEPROCESS ; EPROCESS of the target process (takes a reference)
    .if eax==STATUS_SUCCESS
        mov esi,lpEPROCESS
        add esi,dwImageFileNameOffset ; esi -> EPROCESS.ImageFileName (offset found in DriverEntry)
        invoke _strnicmp, esi, CTXT("notepad.exe"),7 ; is the target the process we protect?
        .if eax==0
            mov eax,STATUS_ACCESS_DENIED ; protected process: refuse the open
            ret                     ; MASM expands ret in a framed PROC to the epilogue
        .endif
    .endif
    push clientId
    push ObjectAttributes
    push DesiredAccess
    push hProcess
    call RealNtOpenProcess          ; stdcall target pops its four arguments
    ret
MyNtOpenProcess endp

;-----------------------------------------------------------------------
; Hook: replace the NtOpenProcess entry of the system service table with
; MyNtOpenProcess. Saves the slot address in AddrNtOpenProcess and the
; original pointer in RealNtOpenProcess. All registers preserved (pushad).
; The service index is read out of the ZwOpenProcess stub on the assumption
; that it begins with `mov eax, imm32`: `inc eax` skips the opcode byte and
; the following byte is taken as the index.
; NOTE(review): the MmGetSystemRoutineAddress result is not checked for
; NULL before being dereferenced.
; NOTE(review): only one byte of the index is read (movzx ... byte ptr); an
; index of 256 or more would be truncated.
; NOTE(review): the three loads starting from KeServiceDescriptorTable
; depend on how w2kundoc.inc declares that symbol; which load yields
; ServiceTableBase is not visible here -- verify against the include.
;-----------------------------------------------------------------------
Hook proc
    pushad
    mov ebx,KeServiceDescriptorTable
    mov ebx,[ebx]
    mov ebx,[ebx]                   ; ebx = service table base (see note above)
    invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("ZwOpenProcess") ; address of the ZwOpenProcess stub
    inc eax
    movzx ecx,byte ptr[eax]         ; service number of NtOpenProcess (low byte only)
    sal ecx,2                       ; index * 4 = byte offset of the slot
    add ebx,ecx
    mov AddrNtOpenProcess,ebx
    mov edi,[ebx]
    mov RealNtOpenProcess,edi       ; keep the original so it can be called and restored
    call SafeOn
    mov [ebx],offset MyNtOpenProcess
    call SafeOff
    popad
    ret
Hook endp

;-----------------------------------------------------------------------
; UnHook: write RealNtOpenProcess back into the saved slot. All registers
; preserved (pushad). Not called anywhere in this file -- Unload repeats
; the same sequence inline instead of calling it.
;-----------------------------------------------------------------------
UnHook proc
    pushad
    call SafeOn
    mov edi,AddrNtOpenProcess
    mov eax,RealNtOpenProcess
    mov [edi],eax
    call SafeOff
    popad
    ret
UnHook endp

;-----------------------------------------------------------------------
; VOID Unload(PDRIVER_OBJECT pDriverObject)
; DriverUnload callback: removes the symbolic link and the device, prints
; "unload", then restores the original NtOpenProcess pointer.
; NOTE(review): edi is overwritten without a `uses edi` clause (callee-saved
; under stdcall); UnHook above does the same restore with pushad and could
; be called instead.
; NOTE(review): nothing waits for threads that may still be executing
; MyNtOpenProcess when the image is unloaded after this returns.
;-----------------------------------------------------------------------
Unload proc pDriverObject:PDRIVER_OBJECT
    local DevObj:PDEVICE_OBJECT
    mov eax,pDriverObject
    assume eax:ptr DRIVER_OBJECT
    mov edx,[eax].DeviceObject
    mov DevObj,edx
    assume eax:nothing
    invoke IoDeleteSymbolicLink,addr DevSymbolicLinkName
    invoke IoDeleteDevice,DevObj
    invoke DbgPrint,$CTA0("unload")
    call SafeOn
    mov edi,AddrNtOpenProcess
    mov eax,RealNtOpenProcess
    mov [edi],eax                   ; put the original pointer back
    call SafeOff
    ret
Unload endp

;-----------------------------------------------------------------------
; GetImageFileNameOffset: locate ImageFileName inside EPROCESS by scanning
; the current process's EPROCESS byte by byte, for up to 1000h bytes, for a
; case-insensitive match of "system" (6 chars).
; Out: eax = offset of the first match, or 0 if none within 1000h bytes
;      (a match at offset 0 is indistinguishable from "not found").
; Only meaningful when the current process is the System process, which is
; presumably why it is called from DriverEntry -- verify.
; Preserves esi and ebx (uses clause).
;-----------------------------------------------------------------------
GetImageFileNameOffset proc uses esi ebx ; find the ImageFileName offset within EPROCESS
    invoke IoGetCurrentProcess
    mov esi, eax                    ; esi = EPROCESS of the current process
    xor ebx, ebx                    ; ebx = candidate offset
    .while ebx < 1000h
        lea eax, [esi+ebx]
        invoke _strnicmp, eax, $CTA0("system"), 6
        .break .if eax == 0         ; match: ebx is the offset
        inc ebx
    .endw
    .if eax == 0                    ; eax still holds the last _strnicmp result
        mov eax, ebx
    .else
        xor eax, eax                ; not found: report 0 (the caller does not check this)
    .endif
    ret
GetImageFileNameOffset endp

;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegisterString)
; Registers Unload and one Dispatch routine for create/close/read/write,
; computes dwImageFileNameOffset, creates \Device\MyNtOpenProcess and its
; \DosDevices link, and finally installs the hook.
; Returns STATUS_SUCCESS, or the IoCreateDevice failure status; on a
; symbolic-link failure the device is deleted first. pRegisterString is
; unused. Preserves ebx, edi, esi (uses clause).
; NOTE(review): a zero result from GetImageFileNameOffset is not checked,
; so the hook would then compare against offset 0 of every EPROCESS.
; NOTE(review): IoDeleteDevice returns VOID, so on the symbolic-link failure
; path eax no longer holds the IoCreateSymbolicLink status when `ret` runs;
; the status should be saved before the cleanup call.
;-----------------------------------------------------------------------
DriverEntry proc uses ebx edi esi,pDriverObject:PDRIVER_OBJECT,pRegisterString:PUNICODE_STRING
    local pDeviceObject:PDEVICE_OBJECT
    invoke DbgPrint,CTXT("Driver Strat")
    mov esi,pDriverObject
    assume esi:PDRIVER_OBJECT
    mov [esi].DriverUnload,offset Unload
    mov [esi].MajorFunction[IRP_MJ_READ*(sizeof PVOID)],offset Dispatch
    mov [esi].MajorFunction[IRP_MJ_WRITE*(sizeof PVOID)],offset Dispatch
    mov [esi].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offset Dispatch
    mov [esi].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offset Dispatch
    assume esi:nothing
    call GetImageFileNameOffset
    mov dwImageFileNameOffset,eax   ; offset of ImageFileName within EPROCESS (0 = not found, unchecked)
    invoke IoCreateDevice,pDriverObject,0,addr DevName,FILE_DEVICE_UNKNOWN,0,TRUE,addr pDeviceObject
    .if eax!=STATUS_SUCCESS
        ret                         ; eax already holds the failure status
    .endif
    mov eax,pDeviceObject
    or (DEVICE_OBJECT ptr [eax]).Flags,DO_BUFFERED_IO
    invoke IoCreateSymbolicLink,addr DevSymbolicLinkName,addr DevName
    .if eax!=STATUS_SUCCESS
        invoke IoDeleteDevice,pDeviceObject
        ret                         ; returns whatever IoDeleteDevice left in eax (see note above)
    .endif
    call Hook                       ; install the service-table hook last
    mov eax,STATUS_SUCCESS
    ret
DriverEntry endp
end DriverEntry

:make
rem Reached only when this file is executed as a batch file (see ";goto make" at the top); ML stops at END and never sees these lines.
set drv=NtOpenProcess
\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause

汇编写的ssdt hook NtOpenProcess驱动 虚拟机中运行正常,在本机中运行之后不会蓝屏 但是会出现个别进程cpu占用50%左右 两个进程以上系统就会反应不过来,出现假死现象,需要硬关机才行 ssdt hook中把过滤代码去掉,直接调用原函数也是如此 求指教
发布于:2011-12-24 08:39
解决了 结贴~~