PS: The graduation project is settled and work on it has started. Thinking of my colleagues' Weibo posts makes me want to become a diligent person again!
For a monitoring system, being able to replace the kernel functions you need with your own versions is essential. The simplest way to do that is to replace the function's entry address in the SSDT (System Service Descriptor Table).
1. First, write your own fake function. For example, to stop a process from creating child processes, ZwCreateProcess can be replaced with a stub that reports success without creating anything:

    typedef NTSTATUS (NTAPI *ZWCREATEPROCESS)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, HANDLE, BOOLEAN, HANDLE, HANDLE, HANDLE);
    static ZWCREATEPROCESS RealZwCreateProcess;   /* original entry, saved in step 3 */

    NTSTATUS NTAPI FakedZwCreateProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ParentProcess, BOOLEAN InheritObjectTable, HANDLE SectionHandle, HANDLE DebugPort, HANDLE ExceptionPort)
    {
        if (!NeedBlock(/* name of the calling process; NeedBlock is the post's own, undefined helper */))
            return RealZwCreateProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ParentProcess, InheritObjectTable, SectionHandle, DebugPort, ExceptionPort);
        else
            return STATUS_SUCCESS;   /* swallow the call: report success, create nothing */
    }
2. Find the address of the function that is to be replaced. (There are plenty of write-ups online; roughly, it works as follows.)
3. Save the entry address of the old function.
A Zw* stub begins with mov eax, <index> (opcode B8 followed by a 32-bit immediate), so the function's index into the SSDT is the DWORD at offset 1 of the function's address: *(DWORD*)((BYTE*)address + 1). With that index (position), the original entry is saved like this:

    RealZwCreateProcess = (ZWCREATEPROCESS)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + position));

This keeps the original function's entry address so the fake function can still forward calls to it.
4. Add on/off switches to the driver, controlled by IRP parameters.
When filtering is switched on, the SSDT entry is overwritten with the address of the fake function. Because the page holding the table is write-protected, interrupts are disabled and the WP bit (bit 16) of CR0 is cleared around the write, then both are restored. Note that KeServiceDescriptorTable is exported only by 32-bit ntoskrnl, and on x64 Kernel Patch Protection checks the SSDT for modifications, so this applies to 32-bit Windows only.

    __asm {
        CLI                  // disable interrupts on this CPU
        MOV EAX, CR0         // read CR0 into EAX
        AND EAX, NOT 10000H  // clear the WP bit: allow writes to read-only pages
        MOV CR0, EAX         // write CR0 back
    }
    *(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + position) = (ULONG)FakedZwCreateProcess;
    __asm {
        MOV EAX, CR0         // read CR0 into EAX
        OR EAX, 10000H       // set the WP bit again
        MOV CR0, EAX         // write CR0 back
        STI                  // re-enable interrupts
    }
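The detection side of the same mechanism, as an added example that is not part of the original post: a hooked SSDT entry no longer points into the kernel image, which is exactly what SSDT-scanning tools check. The code below mirrors the descriptor layout the post casts KeServiceDescriptorTable to, parses the service index out of a Zw* stub the way step 3 describes (DWORD at offset 1 after the B8 opcode), and flags every entry whose target lies outside the kernel image range. The kernel range, the table contents, the stub bytes and the index value 2 are all constructed for this example; on a real system those would be read from the running kernel and from the loaded module list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of the descriptor the post casts KeServiceDescriptorTable to
 * (32-bit field widths, as in the post's own usage). */
typedef struct _ServiceDescriptorTableEntry {
    uint32_t *ServiceTableBase;        /* array of service routine addresses */
    uint32_t *ServiceCounterTableBase; /* per-service call counters (unused here) */
    uint32_t  NumberOfServices;
    uint8_t  *ParamTableBase;          /* argument byte counts (unused here) */
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;

/* Constructed kernel image range: ntoskrnl is assumed to be mapped here. */
#define KERNEL_BASE 0x80400000u
#define KERNEL_SIZE 0x00200000u

/* Constructed SSDT: three entries inside the kernel image and one (index 2)
 * pointing into a driver's address range, i.e. a redirected entry. */
static uint32_t sample_services[] = {
    0x80412345u, 0x80456789u, 0xF7A01000u, 0x804ABCDEu
};
static ServiceDescriptorTableEntry sample_table = {
    sample_services, NULL, 4, NULL
};

/* Constructed bytes of a Zw* stub: "mov eax, 2" (B8 imm32) followed by the
 * opcode of the next instruction. The index 2 is an assumption for this
 * example, not the real service number of any function. */
static const uint8_t SAMPLE_STUB[] = { 0xB8, 0x02, 0x00, 0x00, 0x00, 0xBA };

const ServiceDescriptorTableEntry *sample_ssdt(void) { return &sample_table; }

/* Step 3 of the post: the service index is the DWORD at offset 1 of the stub.
 * Returns -1 when the buffer is too short or does not start with B8. */
int parse_service_index(const uint8_t *stub, size_t len)
{
    if (len < 5 || stub[0] != 0xB8)
        return -1;
    return (int)((uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                 ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24));
}

/* 1 if the entry at index points outside the kernel image (candidate hook),
 * 0 if it points inside, -1 if index is out of range. */
int entry_is_hooked(const ServiceDescriptorTableEntry *t, uint32_t index,
                    uint32_t kernel_base, uint32_t kernel_size)
{
    if (index >= t->NumberOfServices)
        return -1;
    uint32_t target = t->ServiceTableBase[index];
    return (target >= kernel_base && target - kernel_base < kernel_size) ? 0 : 1;
}

/* Sweep the whole table and count entries that do not point into the kernel. */
int count_hooked_entries(const ServiceDescriptorTableEntry *t,
                         uint32_t kernel_base, uint32_t kernel_size)
{
    int hooked = 0;
    for (uint32_t i = 0; i < t->NumberOfServices; i++)
        if (entry_is_hooked(t, i, kernel_base, kernel_size) == 1)
            hooked++;
    return hooked;
}

int main(void)
{
    const ServiceDescriptorTableEntry *t = sample_ssdt();
    int idx = parse_service_index(SAMPLE_STUB, sizeof SAMPLE_STUB);
    if (idx >= 0 && (uint32_t)idx < t->NumberOfServices)
        printf("stub dispatches to SSDT index %d -> 0x%08X (%s)\n", idx,
               t->ServiceTableBase[idx],
               entry_is_hooked(t, (uint32_t)idx, KERNEL_BASE, KERNEL_SIZE) == 1
                   ? "outside kernel image" : "inside kernel image");
    printf("%d of %u entries point outside the kernel image\n",
           count_hooked_entries(t, KERNEL_BASE, KERNEL_SIZE), t->NumberOfServices);
    return 0;
}
```

The range check is deliberately coarse: it only says an entry does not resolve into ntoskrnl, which is enough to raise an alert, and a scanner would then compare the suspect address against the loaded driver list to name the module that owns it.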