SSDT hook: preventing a specified process from being terminated

Source: Internet
Author: User
Tags: ssdt

After two weeks of hard work, my SSDT hook finally works. Here I want to thank a great god (a top expert) on the forum. Thank you very much. What is his ID? After adding him as a friend I only remember the word "Lenin" under his name. It is a very interesting name; if you want to know it, you can read my post.

There are still many top-level people on the forum. A person's knowledge cannot be measured by forum level, just as I saw a post that day looking to hire senior C++ programmers and giving preference to users with two or more stars. I think that is unwise: the kernel expert I know is a user with the "five underpants" rank. Some people put it well: underpants-rank experts and star-rank newbies are everywhere.

To the experts: something that seems trivial to you, a very simple answer, may save a newbie a long detour. So when a newbie bothers you with a question, if you can spare a little effort, you will not only receive thanks but also enjoy the pleasure of having helped.

That is the end of this newbie's remarks.

After writing my first kernel program, I clearly feel that I am maturing step by step. My first program hooked the dispatch function to capture keystrokes; if you are interested, you can read my other blog post. Here I am writing a hook of an API function in the SSDT table at ring 0 (R0).

Before I wrote the driver hook, I got the idea from reading the anti-DDoS magazine and wanted to try an SSDT hook myself. I read materials and books, wrote code by myself or reused code others had gotten working, and produced several SSDT hook programs. Every one of them compiled, but as soon as it ran it either blue-screened or crashed. I repeatedly checked the references and changed the code, and still could not get it to work. So I posted on the forum, and for a week nobody replied; I was depressed. I then fixed some errors, so the source was no longer the same, and wrote a new post, and that night I met the "Lenin" great god. He read it carefully and pointed out five errors in my code. Looking closer, I found a serious logic error; no wonder it blue-screened (again, not careful enough). In addition, Lenin, as an experienced kernel programmer, pointed out some small mistakes caused by lack of experience, which helped me a lot. Thanks again.

Below is the modified hook code. As in the last post, for convenience I did not write the unhook code, and I used the brute-force method of modifying the CR0 register, so stability remains to be verified; in my tests there are still blue screens. However, the code written by this newbie does implement what it is supposed to. I post it here for you to see; don't laugh, after all, it's a newbie's work.

#include <ntddk.h>

// System service descriptor table entry (x86 layout)
typedef struct _SERVICE_DESCRIPTOR_TABLE_ENTRY
{
    unsigned int  *ServiceTableBase;
    unsigned int  *ServiceCounterTableBase;
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;
} SERVICE_DESCRIPTOR_TABLE_ENTRY, *PSERVICE_DESCRIPTOR_TABLE_ENTRY;

// Prototype of the original NtOpenProcess
typedef NTSTATUS (__stdcall *NTOPENPROCESS)(OUT PHANDLE ProcessHandle,
                                            IN ACCESS_MASK AccessMask,
                                            IN POBJECT_ATTRIBUTES ObjectAttributes,
                                            IN PCLIENT_ID ClientId);

NTOPENPROCESS RealNtOpenProcess;            // saved address of the real NtOpenProcess

// Exported by ntoskrnl; declared as a pointer because the x86 import thunk resolves it that way
extern PSERVICE_DESCRIPTOR_TABLE_ENTRY KeServiceDescriptorTable;

NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
                         POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);

void DriverUnload(PDRIVER_OBJECT DriverObject) // unload routine
{
    // The SSDT slot is NOT restored here (the unhook was left out), so unloading
    // the driver while the hook is installed leaves a dangling pointer in the table.
    DbgPrint("succeed!");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    ULONG     address;
    ULONG_PTR realOpServiceAddress;

    __asm // remove SSDT write protection: clear the WP bit (bit 16) of CR0
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    // 0x7A is the NtOpenProcess index on the author's system; it differs between Windows versions
    address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4; // address of the table slot
    realOpServiceAddress = *(ULONG *)address;                       // save the original address first ...
    RealNtOpenProcess = (NTOPENPROCESS)realOpServiceAddress;
    *(ULONG *)address = (ULONG)MyNtOpenProcess;                     // ... then replace it with the hook
    // As the forum expert advised, keep the code between the two register operations as short as
    // possible, because any function called here may itself change the register values.

    __asm // restore protection: set the WP bit again and re-enable interrupts
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }

    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
                         POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    NTSTATUS rc;
    ULONG    dwPid;

    if (ClientId != NULL) // was a PID supplied? (ClientId is a user-mode pointer; the real routine probes it)
    {
        dwPid = (ULONG)(ULONG_PTR)ClientId->UniqueProcess;
        if (dwPid == 1884)
        {
            DbgPrint("PID 1884 has been accessed, need forbidden");
            rc = STATUS_ACCESS_DENIED; // refuse: no handle is returned to the caller
            return rc;
        }
    }
    // otherwise forward the call to the original NtOpenProcess
    rc = RealNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    return rc;
}
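The two points the post turns on, the order of "save the original, then overwrite the slot" and the filter that denies opens of one PID, can be exercised without a kernel. The following is an added user-mode C simulation, not the post's driver code: the "SSDT" is a four-entry array of function pointers, the kernel routines are plain C functions, and the fake handle values, the toy slot index and the clean-baseline comparison are constructed here. Only the protected PID (1884) and the STATUS_ACCESS_DENIED value come from the real system. It also shows the unhook the post leaves out and the integrity check a scanner performs to detect a redirected slot.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for kernel types and values. */
typedef long SIM_NTSTATUS;
#define SIM_STATUS_SUCCESS        0L
#define SIM_STATUS_ACCESS_DENIED  ((SIM_NTSTATUS)0xC0000022L)  /* real STATUS_ACCESS_DENIED value */
#define SIM_SERVICE_COUNT         4
#define SIM_OPENPROCESS_INDEX     2      /* toy index; the real one (0x7A in the post) differs per build */
#define PROTECTED_PID             1884UL /* the PID the post's hook protects */

typedef SIM_NTSTATUS (*SimOpenProcessFn)(void **ProcessHandle, unsigned long Pid);

/* "Real" service routines: hand back a constructed fake handle. */
static SIM_NTSTATUS SimRealOpenProcess(void **ProcessHandle, unsigned long Pid)
{
    *ProcessHandle = (void *)(uintptr_t)(0x1000UL + Pid);
    return SIM_STATUS_SUCCESS;
}
static SIM_NTSTATUS SimOtherService(void **ProcessHandle, unsigned long Pid)
{
    (void)Pid;
    *ProcessHandle = NULL;
    return SIM_STATUS_SUCCESS;
}

static SimOpenProcessFn g_ServiceTable[SIM_SERVICE_COUNT]; /* stand-in for ServiceTableBase */
static SimOpenProcessFn g_Baseline[SIM_SERVICE_COUNT];     /* known-good copy a scanner keeps */
static SimOpenProcessFn g_RealOpenProcess = NULL;          /* original saved by the hook */
static void *g_LastHandle = NULL;                          /* handle from the last SimTryOpen */

/* Fill the table with the real routines and snapshot the clean baseline. */
void SimInitTable(void)
{
    for (int i = 0; i < SIM_SERVICE_COUNT; i++) g_ServiceTable[i] = SimOtherService;
    g_ServiceTable[SIM_OPENPROCESS_INDEX] = SimRealOpenProcess;
    memcpy(g_Baseline, g_ServiceTable, sizeof(g_Baseline));
    g_RealOpenProcess = NULL;
}

/* The post's filter: deny opens of the protected PID, pass everything else through. */
static SIM_NTSTATUS SimFilterOpenProcess(void **ProcessHandle, unsigned long Pid)
{
    if (Pid == PROTECTED_PID) {
        *ProcessHandle = NULL;          /* write through the pointer, not to a local copy */
        return SIM_STATUS_ACCESS_DENIED;
    }
    return g_RealOpenProcess(ProcessHandle, Pid);
}

/* Install: read the original BEFORE overwriting the slot. With the two statements
 * reversed (the logic error the post describes) the filter's own address is saved
 * as "real" and the first pass-through call recurses until the stack is exhausted. */
int SimInstallHook(void)
{
    SimOpenProcessFn current = g_ServiceTable[SIM_OPENPROCESS_INDEX];
    if (current == SimFilterOpenProcess) return 0;   /* already installed; never save ourselves */
    g_RealOpenProcess = current;
    g_ServiceTable[SIM_OPENPROCESS_INDEX] = SimFilterOpenProcess;
    return 1;
}

/* The unhook the post leaves out: put the saved pointer back before unloading. */
void SimRemoveHook(void)
{
    if (g_RealOpenProcess != NULL) g_ServiceTable[SIM_OPENPROCESS_INDEX] = g_RealOpenProcess;
}

/* What the system service dispatcher does: call whatever the slot points to. */
SIM_NTSTATUS SimTryOpen(unsigned long Pid)
{
    g_LastHandle = NULL;
    return g_ServiceTable[SIM_OPENPROCESS_INDEX](&g_LastHandle, Pid);
}
void *SimLastHandle(void) { return g_LastHandle; }

/* Detection: an SSDT integrity scan compares the live table with the clean baseline. */
int SimCountHookedEntries(void)
{
    int hooked = 0;
    for (int i = 0; i < SIM_SERVICE_COUNT; i++) if (g_ServiceTable[i] != g_Baseline[i]) hooked++;
    return hooked;
}
int SimFirstHookedIndex(void)
{
    for (int i = 0; i < SIM_SERVICE_COUNT; i++) if (g_ServiceTable[i] != g_Baseline[i]) return i;
    return -1;
}

int main(void)
{
    SimInitTable();
    SimInstallHook();
    printf("open %lu -> 0x%08lx\n", PROTECTED_PID, (unsigned long)SimTryOpen(PROTECTED_PID));
    printf("open 4 -> 0x%08lx handle=%p\n", (unsigned long)SimTryOpen(4), SimLastHandle());
    printf("hooked slots: %d (first index %d)\n", SimCountHookedEntries(), SimFirstHookedIndex());
    SimRemoveHook();
    printf("after unhook: %d hooked slots\n", SimCountHookedEntries());
    return 0;
}
```

The baseline comparison is the user-mode analogue of what SSDT scanners do against the on-disk kernel image: any slot whose pointer no longer matches the expected routine is reported, which is exactly how a hook like the one above is found.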
