PS: 畢業設計的題目定了,開工了。想起同事的微博,要把勤奮的小人複活!
對於監控系統,替換必要的函數為自己使用是很重要的,用到簡單的替換ssdt表中的跳轉地址就可以實現
1. 首先要建立好自己的fake函數,例如監控阻止某進程建立子進程或可以使用null 指標替換ZwCreateProcess
NTSTATUS FakedZwCreateProcess {
if !needblock(進程名)
return RealZwCreateProcess
else
return STATUS_SUCCESS
2 找到替換函數的dll的地址
網上這個函數很多了~大概就是
2 儲存舊函數入口地址
函數地址中第二位就是在ssdt表中的位移量可以通過*(DWORD(address)+1)來擷取
這樣
RealZwCreateProcess = (ZWCREATEPROCESS)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + position));
就實現了儲存舊函數入口地址的功能
3 在驅動中根據傳過來IRP的參數,進行設定on和off函數
如果是開啟過濾就通過禁用中斷、更換CR0的防寫保護位,把替換函數地址更換為fake函數
_asm{CLI //disable interruptMOV EAX, CR0 //move CR0 register into EAXAND EAX, NOT 10000H //disable WP bitMOV CR0, EAX //write register back}(ZWCREATEPROCESS)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + position)) = FakedZwCreateProcess ;_asm{MOV EAX, CR0 //move CR0 register into EAXOR EAX, 10000H //enable WP bit MOV CR0, EAX //write register back STI //enable interrupt}
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
