大家有时间帮我看看 NtOpenProcess函数 老出错
程序代码:
/*
 * Forum listing: a 32-bit Windows kernel driver (the author's comments refer
 * to ntkrnlpa) that looks NtOpenProcess up through the SSDT and overwrites
 * five bytes of it with a relative jmp into MyNtOpenProcess1.  Every address
 * and offset used (ObOpen, SSDT slot 122, +0x21d, +0x229) is a hard-coded
 * value for one specific kernel build; the author's own note records that the
 * ObOpen value differs between the VM and the local machine.
 *
 * Kernel-code patching of this kind is, from a defender's point of view, the
 * classic inline-hook signature: a CR0.WP clear followed by an E9 write into
 * ntoskrnl text.  Integrity tooling that compares the in-memory kernel image
 * against the on-disk image detects exactly this modification.
 */
#include <ntddk.h>
#define INITCODE code_seg("INIT")
/* pageable: code in this section may be paged out to disk under memory pressure */
#define PAGECODE code_seg("PAGE")

/* Layout of the kernel's service descriptor table as assumed by this driver. */
typedef struct _ServiceDescriptorTable {
    PVOID ServiceTableBase;    // base address of the System Service Dispatch Table
    PVOID ServiceCounterTable; // per-service call counters for the SSDT (updated on sysenter)
    ULONG NumberOfServices;    // number of services described by ServiceTableBase
    PVOID ParamTableBase;      // base address of the per-service parameter byte-count table
}* PServiceDescriptorTable;
extern PServiceDescriptorTable KeServiceDescriptorTable;

UNICODE_STRING g_DeviceName;
UNICODE_STRING g_Symlink;
PDEVICE_OBJECT g_pDevice;
ULONG ObOpen;             // hard-coded address of ntkrnlpa!ObOpenObjectByPointer (set in DriverEntry)
LONG gAdressPro1Sub;      // rel32 displacement from the patched site in NtOpenProcess to MyNtOpenProcess1
ULONG addrMyOpenProc1;    // address of MyNtOpenProcess1, obtained via lea in DriverEntry
ULONG addrNtOpenProcess;  // address of NtOpenProcess, read from SSDT slot 122
ULONG jmpProc1End;        // addrNtOpenProcess + 0x229: where MyNtOpenProcess1 jumps back to

NTSTATUS MyCreateDevice(PDRIVER_OBJECT _DriverObject);
void MyDriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS MyDispatchFunc(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); // declared only; no definition in this listing
ULONG GetServiceFunAddress(int index);

/*
 * Detour target.  Naked: no prologue/epilogue, so [ebp-38h]/[ebp-23h] refer to
 * NtOpenProcess's own frame.  The author's comment: "restore the first patched
 * location of NtOpenProcess, 0x805cc61e" -- i.e. these pushes and the call are
 * meant to re-execute what the five overwritten bytes did, then continue at
 * jmpProc1End.  The trailing ret is unreachable because of the jmp before it.
 * NOTE(review): stack layout ([ebp-38h], [ebp-23h]) is copied from one build's
 * disassembly and is not valid for any other build of the kernel.
 */
__declspec(naked) void MyNtOpenProcess1() {
    __asm
    {
        push eax
        push dword ptr [ebp-38h]
        push dword ptr [ebp-23h]
        call ObOpen
        jmp jmpProc1End
        ret
    }
}

#pragma INITCODE
/*
 * DriverEntry: applies the patch, then creates the device.
 *
 * Order of operations as written: hard-coded ObOpen, SSDT lookup, trampoline
 * address, CR0.WP clear (with cli), 5-byte write, CR0 restore (with sti),
 * device creation.  The patch is applied before MyCreateDevice, so a failure
 * status returned from here leaves the driver image unloaded but the jmp in
 * NtOpenProcess still in place.
 *
 * @param DriverObject  driver object supplied by the I/O manager
 * @param RegistryPath  unused
 * @return the status of MyCreateDevice
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath) {
    ULONG CroValue;
    NTSTATUS status ;

    // Hard-coded per-build kernel address.  The author's note: the value above
    // is for the VM, the local machine uses 0x805BCC5C.
    ObOpen = 0x805B234A;
    addrNtOpenProcess = GetServiceFunAddress(122); // SSDT slot 122, assumed to be NtOpenProcess
    jmpProc1End = addrNtOpenProcess+0x229 ;

    // Hard-coded breakpoint: traps into the attached kernel debugger.
    // Presumably left in from debugging; in kernel mode an unattended
    // breakpoint exception is not recoverable.
    __asm int 3

    // Take the address of the detour function.
    __asm {
        push eax
        lea eax,MyNtOpenProcess1
        mov addrMyOpenProc1,eax
        pop eax
    }
    // rel32 for a 5-byte E9 jmp placed at NtOpenProcess+0x21d:
    // target - (site + 5).
    gAdressPro1Sub = addrMyOpenProc1 - addrNtOpenProcess - 0x21d - 5;

    // Clear CR0.WP (bit 16) so the read-only kernel text page can be written;
    // interrupts are disabled with cli for the duration.  The previous CR0 is
    // kept in CroValue for the restore below.
    __asm {
        cli
        push eax
        mov eax,cr0
        mov CroValue,eax
        and eax,not 0x10000
        mov cr0,eax
        pop eax
    }

    // Write the patch: opcode E9 at +0x21d, then the 4-byte displacement.
    // NOTE(review): the five original bytes are not saved anywhere, so no
    // routine in this listing can put NtOpenProcess back.
    __asm {
        push eax
        mov eax ,addrNtOpenProcess
        add eax,0x21d
        mov byte ptr [eax],0E9h
        add eax,1
        push ebx
        mov ebx,gAdressPro1Sub
        mov dword ptr [eax],ebx
        pop ebx
        pop eax
    }

    // Restore page write protection (original CR0) and re-enable interrupts.
    __asm
    {
        push eax
        mov eax,CroValue
        mov cr0,eax
        sti
        pop eax
    }

    status = MyCreateDevice(DriverObject);
    DriverObject->DriverUnload = MyDriverUnload;
    return status;
}

/* Initializes the device name and symbolic-link name globals. */
#pragma PAGECODE
void RtlString() {
    RtlInitUnicodeString(&g_DeviceName,L"\\Device\\PSYS");
    RtlInitUnicodeString(&g_Symlink,L"\\??\\SymLink_ME");
}

/*
 * Reads entry `index` of KeServiceDescriptorTable->ServiceTableBase.
 *
 * funaddr starts as the byte offset (index * 4, 32-bit pointers); the asm
 * loads the descriptor pointer, then its first field (ServiceTableBase), then
 * the 4-byte entry at base + offset.  No comparison against NumberOfServices
 * is made, so an out-of-range index reads past the table.
 *
 * @param index  SSDT slot number
 * @return the address stored in that slot
 */
#pragma PAGECODE
ULONG GetServiceFunAddress(int index) {
    ULONG funaddr = index* 4;
    // author's comment: fetch the NtOpenProcess address
    __asm
    {
        push eax
        mov eax, KeServiceDescriptorTable
        mov eax,[eax] // service table base
        add eax,funaddr
        mov eax,[eax]
        mov funaddr,eax
        pop eax
    }
    return funaddr;
}

/*
 * Unload routine: removes the symbolic link and, only if that succeeded, the
 * device object.
 *
 * NOTE(review): if IoDeleteSymbolicLink fails the device object is never
 * deleted.  Nothing here undoes the patch written into NtOpenProcess by
 * DriverEntry, so after unload that jmp refers to memory the driver no longer
 * owns.
 */
#pragma PAGECODE
void MyDriverUnload( IN PDRIVER_OBJECT _DriverObject) {
    NTSTATUS status;
    status = IoDeleteSymbolicLink(&g_Symlink);
    if (status == STATUS_SUCCESS) {
        KdPrint(("删除符号链接成功\n"));
        IoDeleteDevice(_DriverObject->DeviceObject);
        KdPrint(("卸载设备成功\n"));
    } else {
        KdPrint(("卸载设备失败\n"));
    }
}

/*
 * Creates the control device and its symbolic link.
 *
 * @param _DriverObject  owning driver object
 * @return STATUS_SUCCESS, or the first failing status from IoCreateDevice /
 *         IoCreateSymbolicLink
 *
 * NOTE(review): when IoCreateSymbolicLink fails the device created just above
 * is not deleted before returning the error.
 */
#pragma PAGECODE
NTSTATUS MyCreateDevice(PDRIVER_OBJECT _DriverObject) {
    NTSTATUS status;
    RtlString(); // initialize the device/symlink name strings
    status = IoCreateDevice(_DriverObject,0,&g_DeviceName,FILE_DEVICE_UNKNOWN ,0,TRUE,&g_pDevice);
    if (STATUS_SUCCESS == status) {
        KdPrint(("创建设备成功\n"));
        g_pDevice->Flags |= DO_BUFFERED_IO;
        status = IoCreateSymbolicLink(&g_Symlink,&g_DeviceName);
        if ( status == STATUS_SUCCESS) {
            KdPrint(("创建符号链接成功\n"));
        } else {
            KdPrint(("创建符号链接失败\n"));
        }
        return status;
    } else {
        KdPrint(("创建设备失败\n"));
        // Distinguish the common IoCreateDevice failures for the debug log.
        if (status == STATUS_INSUFFICIENT_RESOURCES) {
            KdPrint(("资源不足\n"));
        } else if (status == STATUS_OBJECT_NAME_EXISTS) {
            KdPrint(("设备已存在\n"));
        } else if (status == STATUS_OBJECT_NAME_COLLISION) {
            KdPrint(("设备名冲突\n"));
        } else {
            KdPrint(("未知错误\n"));
        }
    }
    return status;
}
自己能力有限实在找不出 错误的地方了 希望和大家一起学习