#pragma once
#include "common.h"
// One system service table. Field order and size are the 32-bit kernel
// layout: GetShadowSSDTAddr reads table pointers as 4-byte ULONGs, so this
// definition is x86-only.
typedef struct _SYSTEM_SERVICE_TABLE
{
    PULONG ServiceTable;  // array of entry points
    PDWORD CounterTable;  // array of usage counters
    DWORD ServiceLimit;   // number of table entries
    PBYTE ArgumentTable;  // array of byte counts
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;
// Shadow service descriptor table: four SYSTEM_SERVICE_TABLE slots.
// sizeof(ShadowSSDT) is used by GetShadowSSDTAddr both as the readability
// window and as the RtlCompareMemory length, so the slot count must not change
// without revisiting that scan.
typedef struct _ShadowServiceDescriptorTable
{
    SYSTEM_SERVICE_TABLE ntoskrnl; // ntoskrnl.exe ( native api )
    SYSTEM_SERVICE_TABLE win32k;   // win32k.sys (gdi/user support)
    SYSTEM_SERVICE_TABLE Table3;   // not used
    SYSTEM_SERVICE_TABLE Table4;   // not used
} ShadowSSDT, *PShadowServiceDescriptorTable;
// Heuristically locates the shadow SSDT by scanning KeAddSystemServiceTable's
// code for a pointer whose contents mirror KeServiceDescriptorTable; returns
// NULL when nothing matches. x86 only; the result is unverified.
extern PVOID GetShadowSSDTAddr();
// Looks up csrss.exe, attaches to it and detaches again; the hook step itself
// is only a placeholder comment in the implementation.
extern VOID ShadowSSDTHookTest();
#include "StdAfx.h"
#include "ShadowSSDT.h"
#include "common.h"
//#include <ntifs.h>
//#pragma comment(lib, "ntstrsafe.lib")
// Resolved from the kernel's export of the same name.
// NOTE(review): declared as a PVOID *variable*, so every use in this file
// yields the first pointer-sized field stored at the symbol, not the table's
// address (&KeServiceDescriptorTable would be the address). Confirm that this
// is what GetShadowSSDTAddr intends to compare against.
extern "C" PVOID KeServiceDescriptorTable;
// Heuristic search for the shadow service descriptor table.
// Walks up to 4096 bytes of KeAddSystemServiceTable's code, reading a ULONG at
// every byte offset and treating it as a candidate pointer. A candidate is
// accepted when its first sizeof(ShadowSSDT) bytes are readable, compare equal
// to the sizeof(ShadowSSDT) bytes at KeServiceDescriptorTable (as declared in
// this file), and it is not KeServiceDescriptorTable itself.
// Returns the candidate address, or NULL when the scan ends without a match or
// RtlCompareMemory raises. Assumes x86: pointers are read as 4-byte ULONGs.
// NOTE(review): this relies on the undocumented code layout of a particular
// kernel build; a returned address is unverified and must not be trusted
// without an independent check.
PVOID GetShadowSSDTAddr()
{
    PUCHAR pKeAddSST = (PUCHAR)KeAddSystemServiceTable;
    for (int i = 0; i < 4096; i++, pKeAddSST++)
    {
        // The two MmIsAddressValid probes cover only the first and last byte of
        // the candidate window. The ULONG read from pKeAddSST itself is not
        // probed and sits outside the __try below.
        if (MmIsAddressValid((PVOID)(*(ULONG*)pKeAddSST)) && MmIsAddressValid((PUCHAR)(*(ULONG*)pKeAddSST) + sizeof(ShadowSSDT) - 1))
        {
            PVOID pShadowSSDTAddr = (PVOID)(*(ULONG*)pKeAddSST);
            __try
            {
                if ((sizeof(ShadowSSDT) == RtlCompareMemory(pShadowSSDTAddr, KeServiceDescriptorTable, sizeof(ShadowSSDT))) &&
                    (pShadowSSDTAddr != KeServiceDescriptorTable))
                {
                    //DbgPrint("Shadow SSDT Addr: 0x%8x\n", pShadowSSDTAddr);
                    return pShadowSSDTAddr;
                }
            }
            __except(EXCEPTION_EXECUTE_HANDLER)
            {
                // A fault during the compare aborts the whole scan rather than
                // skipping this candidate.
                return NULL;
            }
        }
    }
    return NULL;
}
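// Queries ZwQuerySystemInformation(sic) into a freshly allocated paged-pool
// buffer, doubling the buffer while the call reports
// STATUS_INFO_LENGTH_MISMATCH.
// Returns the buffer on STATUS_SUCCESS (the caller owns it and releases it
// with ExFreePool), or NULL on allocation failure, on any other status, or
// when the size can no longer be doubled without wrapping ULONG.
// NOTE(review): ExAllocatePool is untagged; ExAllocatePoolWithTag would let
// pool-leak tooling attribute these allocations to this driver.
PVOID GetInfoTable(SYSTEM_INFORMATION_CLASS sic)
{
    ULONG cbBuffer = 0x4000;

    for (;;)
    {
        PVOID pBuffer = ExAllocatePool(PagedPool, cbBuffer);
        if (NULL == pBuffer)
        {
            return NULL;
        }
        memset(pBuffer, 0, cbBuffer);

        NTSTATUS status = ZwQuerySystemInformation(sic, pBuffer, cbBuffer, NULL);
        if (status == STATUS_SUCCESS)
        {
            return pBuffer;
        }

        // Too small or failed outright: either way this buffer is done.
        ExFreePool(pBuffer);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            return NULL;
        }

        // Unsigned doubling wraps silently once cbBuffer reaches 2^31, which
        // would retry with a wrapped, smaller size; stop instead.
        ULONG cbNext = cbBuffer * 2;
        if (cbNext <= cbBuffer)
        {
            return NULL;
        }
        cbBuffer = cbNext;
    }
}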
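// Finds the process id of csrss.exe by enumerating every handle in the system
// (SystemHandleInformation), duplicating each port-object handle into the
// current process and checking whether the object is named
// "\Windows\ApiPort".
// Returns the owning process id as a HANDLE, or 0 when the handle table could
// not be queried or no such port was found.
// Handle hygiene: each process/object handle is closed as soon as it has been
// inspected and its variable reset to NULL, so the post-loop cleanup only
// touches handles that are still open (the match path leaves both open via
// `break`). Without the reset, a non-matching final iteration would leave
// already-closed handle values behind and close them a second time, which can
// hit an unrelated handle if the value has been reused.
// NOTE(review): the object-type index 21 and the port name are
// OS-version-specific constants. NtOpenProcess is mixed with Zw* calls; the Zw
// form is the conventional kernel-mode call.
HANDLE GetCsrPid()
{
    HANDLE hProcess = NULL;
    HANDLE hObject = NULL;
    HANDLE CsrId = (HANDLE)0;
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid;
    UCHAR szBuff[0x100];
    POBJECT_NAME_INFORMATION ObjName = (POBJECT_NAME_INFORMATION)&szBuff;
    PSYSTEM_HANDLE_INFORMATION_EX pSysHandleInfo;
    ULONG uIndex;

    pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)GetInfoTable(SystemHandleInformation);
    if (!pSysHandleInfo)
    {
        return CsrId;
    }

    for (uIndex = 0; uIndex < pSysHandleInfo->NumberOfHandles; uIndex++)
    {
        if (pSysHandleInfo->Information[uIndex].ObjectTypeNumber != 21) // Port object (version-specific index)
        {
            continue;
        }

        InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
        cid.UniqueProcess = (HANDLE)pSysHandleInfo->Information[uIndex].ProcessId;
        cid.UniqueThread = 0;
        if (!NT_SUCCESS(NtOpenProcess(&hProcess, PROCESS_DUP_HANDLE, &oa, &cid)))
        {
            continue;
        }

        if (NT_SUCCESS(ZwDuplicateObject(hProcess,
                                         (HANDLE)pSysHandleInfo->Information[uIndex].Handle,
                                         NtCurrentProcess(),
                                         &hObject,
                                         0, 0, DUPLICATE_SAME_ACCESS)))
        {
            if (NT_SUCCESS(ZwQueryObject(hObject,
                                         ObjectNameInformation,
                                         ObjName,
                                         0x100, NULL)))
            {
                // 20 exceeds the literal's 16 characters, so the compare runs to
                // the literal's terminator: an exact-name match, not a prefix
                // match (assuming the returned name is NUL-terminated).
                if (ObjName->Name.Buffer &&
                    !wcsncmp(L"\\Windows\\ApiPort", ObjName->Name.Buffer, 20))
                {
                    CsrId = (HANDLE)pSysHandleInfo->Information[uIndex].ProcessId;
                    break; // hObject/hProcess still open; closed after the loop
                }
            }
            ZwClose(hObject);
            hObject = NULL; // do not close it again after the loop
        }
        ZwClose(hProcess);
        hProcess = NULL; // do not close it again after the loop
    }

    if (NULL != hObject)
    {
        ZwClose(hObject);
    }
    if (NULL != hProcess)
    {
        ZwClose(hProcess);
    }
    ExFreePool(pSysHandleInfo);
    return CsrId;
}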
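// Test entry: looks up csrss.exe via GetCsrPid, attaches to it and detaches
// again. The hook step is only a placeholder comment; nothing is modified.
// PsLookupProcessByProcessId hands back a referenced EPROCESS, so the
// reference is released with ObDereferenceObject after the detach.
VOID ShadowSSDTHookTest()
{
    // attach to csrss.exe
    // ..find csrss.exe
    NTSTATUS status;
    PEPROCESS crsPEProc;
    status = PsLookupProcessByProcessId(GetCsrPid(), &crsPEProc);
    if (!NT_SUCCESS(status))
    {
        // Also the path taken when GetCsrPid() found nothing and returned 0.
        return;
    }

    KAPC_STATE kapc_state;
    KeStackAttachProcess(crsPEProc, &kapc_state);
    //HOOK Shadow SSDT
    KeUnstackDetachProcess(&kapc_state);

    // Drop the reference taken by PsLookupProcessByProcessId.
    ObDereferenceObject(crsPEProc);
}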