#include <ntddk.h>
#include <windef.h>
/* Section placement helpers: use as #pragma INITCODE / #pragma PAGECODE. */
#define INITCODE code_seg("INIT") /* INIT section: discarded once initialization has run, so the code must not be reachable afterwards */
#define PAGECODE code_seg("PAGE") /* pageable code section */
/*
 * Write-protection toggles around the patch of the service table / hooked code.
 * NOTE(review): presumably these flip CR0.WP; the definitions are not in this excerpt.
 * Both are declared with empty parentheses (K&R-style, no prototype); `(VOID)` would let
 * the compiler reject stray arguments.
 */
VOID CloseMemoryProtect(); /* disable kernel write protection */
VOID OpenMemoryProtect(); /* re-enable kernel write protection */
VOID MyDriver_Unload(PDRIVER_OBJECT pDriverObject); /* unload routine; expected to restore the saved bytes (CopyCode/CopyCodeT) before the image goes away */
/*
 * 7-byte x86 hook stub that is written over the start of a hooked routine:
 *   BA imm32   mov edx, imm32
 *   FF E2      jmp edx
 * One-byte packing so the struct can be copied verbatim as machine code; with
 * natural alignment the BYTE would be padded and the stub would no longer be 7 bytes.
 */
#pragma pack(1)
typedef struct JmpCode {
BYTE bytecode; /* 0xBA: opcode of "mov edx, imm32" (edx is the scratch register used for the jump) */
ULONG Address; /* imm32 operand: absolute address of the hook handler (assigned elsewhere, not in view) */
USHORT JmpEdx; /* "jmp edx" is FF E2, i.e. 0xE2FF as a little-endian USHORT.
                  NOTE(review): if this is assigned 0xD2FF the emitted bytes are FF D2 = "call edx",
                  which pushes a return address and shifts the stack the naked handler expects —
                  confirm the value actually stored. */
} JmpCode, *PJmpCode;
#pragma pack()
/*
 * Mirror of ntoskrnl's undocumented x86 KeServiceDescriptorTable entry.
 * The field meanings below follow the commonly published layout; nothing in this
 * file verifies them, so check them against the target build before relying on them.
 */
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase; /* array of service routine addresses (the SSDT proper); SSDT hooking overwrites entries here */
unsigned int *ServiceCounterTableBase; /* per-service call counters (populated on checked builds only, per the known layout) */
unsigned int NumberOfServices; /* number of entries in ServiceTableBase; any index must be bounds-checked against this before it is written */
unsigned char *ParamTableBase; /* per-service argument-stack size in bytes */
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
/*
 * Only declared here; resolved against the ntoskrnl export at link time.
 * NOTE(review): ntoskrnl exports KeServiceDescriptorTable as the table itself, not a
 * pointer to it. Declared as a pointer, `KeServiceDescriptorTable->ServiceTableBase`
 * would read the first SSDT entry instead of the table — confirm how it is dereferenced
 * at the use sites (not in this excerpt).
 */
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;
/*
 * Resolve an exported kernel routine by name.
 *
 * FunctionName: NUL-terminated wide name of an ntoskrnl/HAL export.
 * Returns the routine's address as a 32-bit ULONG, or 0 when the name is not
 * exported (MmGetSystemRoutineAddress returns NULL in that case) — callers must
 * check for 0 before patching anything with the result.
 *
 * x86 only: the pointer is narrowed to ULONG, matching the 32-bit addresses this
 * driver writes into its hook stubs; on x64 the cast would truncate.
 */
ULONG MyGetFunAddress( IN PCWSTR FunctionName)
{
    UNICODE_STRING routineName;
    PVOID routine;

    RtlInitUnicodeString(&routineName, FunctionName);
    routine = MmGetSystemRoutineAddress(&routineName);

    return (ULONG)routine;
}
/*
 * Hook bookkeeping (x86 only — every address is a 32-bit ULONG).
 * All of these are assigned elsewhere; the comments describe intent by name only.
 */
ULONG Readdizhi,Writedizhi,OldRead,OldWrite; /* read / write hook targets and the original values they replace */
JmpCode CopyCode,CopyCodeT; /* original bytes at the process and thread hook sites, saved so unload can restore them */
PJmpCode OldAddress,OldAddressT; /* addresses of the process and thread routines to be hooked */
PEPROCESS processEPROCESS = NULL,TprocessEPROCESS = NULL; /* EPROCESS of the accessing (caller) process; NULL until set */
ANSI_STRING p_str1,p_str2,p_str3; /* process names (presumably compared against the caller's image name) */
// Counter TP protection's inline hooks with an SSDT hook of our own.
// NOTE(review): the stubs below jump to hard-coded kernel addresses (e.g. 0x804DA4E0, 0x80538F40)
// that are valid for one specific ntoskrnl build only; on any other build they land in arbitrary
// kernel code and bugcheck. Resolve them at runtime (see MyGetFunAddress) instead.
// Read memory
static __declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(HANDLE ProcessHandle,
PVOID BaseAddress,
PVOID Buffer,
ULONG NumberOfBytesToRead,
PULONG NumberOfBytesReaded)
{
//跳过去
__asm
{
push 0x1C
push 0x804DA4E0
mov edx,0x80538F40