#pragma once

// Layout of the kernel's system service descriptor table as this code assumes it
// (32-bit Windows). Field comments are translated from the original author's notes;
// the one layout fact the code below actually depends on is that ServiceTableBase
// is the first field (GetSSDTAddr reads it as [KeServiceDescriptorTable + 0]).
// NOTE(review): a tag beginning with '_' + uppercase is a reserved identifier; kept
// as-is because callers elsewhere may name it.
typedef struct _ServiceDescriptorTable
{
    PVOID ServiceTableBase;         // base address of the System Service Dispatch Table
    PVOID ServiceCounterTable;      // per-service call counters for the SSDT; per the
                                    // original author, normally updated by sysenter
    unsigned int NumberOfServices;  // number of services described by ServiceTableBase.
                                    // None of the functions declared below compare an
                                    // index against this field.
    PVOID ParamTableBase;           // base of the table of per-service parameter byte counts
} *PServiceDescriptorTable;

// The kernel's descriptor table. Only declared here; the symbol is resolved at
// link time, hence the C linkage.
extern "C" PServiceDescriptorTable KeServiceDescriptorTable;

// Returns the 32-bit dispatch address stored in SSDT slot uIndex (no bounds check).
extern ULONG GetSSDTAddr(ULONG uIndex);
// Writes *pOriginalAddr back into slot uIndex; pOriginalAddr must hold the value
// HookSSDT saved for the same index.
extern VOID UnHookSSDT(ULONG* pOriginalAddr, ULONG uIndex);
// Saves slot uIndex into *pOriginalAddr and overwrites it with uNewAddr. Always
// returns TRUE; there is no failure path and no bounds check.
extern BOOLEAN HookSSDT(ULONG* pOriginalAddr, ULONG uNewAddr, ULONG uIndex);
#include "StdAfx.h"
#include "SSDT.h"
#include "common.h"
// Reads the dispatch address stored in SSDT slot uIndex.
//
// uIndex:  slot number, used as a raw index into ServiceTableBase. It is never
//          compared with NumberOfServices, so an out-of-range index reads past
//          the table.
// Returns: the 32-bit entry. The 4-byte scaling and 32-bit registers make this
//          x86-only; it is not meaningful on x64.
ULONG GetSSDTAddr(ULONG uIndex)
{
    ULONG uAddr = 0;
    __asm
    {
        push eax
        push ecx
        mov ecx, uIndex
        mov eax, KeServiceDescriptorTable   ; pointer to the descriptor table
        mov eax, [eax]                      ; ServiceTableBase (first field of the struct)
        lea eax, [eax + ecx*4]              ; &ServiceTableBase[uIndex], 4-byte entries
        mov eax, [eax]                      ; the entry itself
        mov uAddr, eax
        pop ecx
        pop eax
    }
    return uAddr;
}
// Overwrites SSDT slot uIndex with uNewAddr, saving the previous entry first.
//
// pOriginalAddr: receives the entry that was in the slot (UnHookSSDT needs it later).
//                Dereferenced without a NULL check.
// uNewAddr:      32-bit address stored into the slot.
// uIndex:        slot number; not validated against NumberOfServices.
// Returns:       TRUE unconditionally, so the return value carries no information.
//
// The store is bracketed by DisableWP()/EnableWP(). As implemented on this page those
// clear/restore CR0.WP and also execute cli/sti, so interrupts are off on the current
// CPU between the two calls. CR0 and the interrupt flag are per-processor: nothing here
// stops another CPU from dispatching through the slot while it is being changed.
// From a monitoring standpoint, this single store is the observable event: the slot
// now points outside the kernel image, which is what SSDT integrity checks typically
// compare against.
BOOLEAN HookSSDT(ULONG* pOriginalAddr, ULONG uNewAddr, ULONG uIndex)
{
    ULONG uServiceTableBase = (ULONG)KeServiceDescriptorTable->ServiceTableBase;
    *pOriginalAddr = ((ULONG*)uServiceTableBase)[uIndex];   // saved before WP is touched
    DisableWP();
    ((ULONG*)uServiceTableBase)[uIndex] = uNewAddr;          // one 32-bit store into the table
    EnableWP();
    return TRUE;
}
// Restores SSDT slot uIndex from *pOriginalAddr, the value HookSSDT saved.
//
// pOriginalAddr: dereferenced without a NULL check. If HookSSDT never filled it in
//                for this index, whatever it holds is written into the table.
// uIndex:        not validated against NumberOfServices.
// Same CR0.WP / cli-sti / per-processor caveats as HookSSDT.
VOID UnHookSSDT(ULONG* pOriginalAddr, ULONG uIndex)
{
    ULONG uServiceTableBase = (ULONG)KeServiceDescriptorTable->ServiceTableBase;
    DisableWP();
    ((ULONG*)uServiceTableBase)[uIndex] = *pOriginalAddr;
    EnableWP();
}
#include "stdafx.h"
#include "common.h"
// Clears CR0.WP (bit 16) on the current processor so that supervisor-mode writes to
// read-only pages are no longer faulted. Also executes cli, and leaves interrupts
// disabled until EnableWP() runs sti.
//
// CR0 and the interrupt flag are per-processor; other CPUs are unaffected.
// NOTE(review): the interrupt state before cli is not saved, and EnableWP()
// re-enables unconditionally. Presumably nothing between the two calls is allowed
// to block — confirm against the callers.
VOID DisableWP()
{
    __asm
    {
        cli
        push eax
        mov eax, cr0
        and eax, 0x0FFFEFFFF    ; clear bit 16 (WP), keep everything else
        mov cr0, eax
        pop eax
    }
}
// Sets CR0.WP (bit 16) again on the current processor and re-enables interrupts.
// Counterpart of DisableWP(). The sti is unconditional, so this assumes interrupts
// were enabled before DisableWP() ran; the prior state is never recorded.
VOID EnableWP()
{
    __asm
    {
        push eax
        mov eax, cr0
        or eax, 0x00010000      ; set bit 16 (WP)
        mov cr0, eax
        pop eax
        sti
    }
}