使用自旋锁的各种HOOK
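/* NOTE(review): the header name was lost in extraction; ntddk.h is the usual
 * provider of the NT kernel types used below (NTSTATUS, PEPROCESS, KSPIN_LOCK,
 * CLIENT_ID, ...).  The Win32 types BOOL/DWORD/UINT/WPARAM/LPARAM are not
 * defined there and need their own header or typedefs -- confirm against the
 * original source. */
#include <ntddk.h>

/* Pool tag used for this driver's allocations. */
#define MEM_TAG 'TMEM'

/*
 * Thread information block, presumably the layout filled in by
 * ZwQueryInformationThread(ThreadBasicInformation) -- it is not defined in the
 * public headers, so the field order and types must match the kernel's
 * definition exactly or the CLIENT_ID read from it will be garbage.
 */
typedef struct _THREAD_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PVOID TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

/*
 * Prototypes of the original system services.  The Old* globals below hold
 * the entry points captured before the service tables are patched, so the
 * hook routines can forward to the real implementation.
 */
typedef BOOL (*NTUSERPOSTTHREADMESSAGE)
(
    DWORD idThread,
    UINT Msg,
    WPARAM wParam,
    LPARAM lParam
);

typedef NTSTATUS (*NTOPENPROCESS)
(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId
);

typedef NTSTATUS (*NTOPENTHREAD)
(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId
);

typedef NTSTATUS (*NTDUPLICATEOBJECT)
(
    IN HANDLE SourceProcessHandle,
    IN HANDLE SourceHandle,
    IN HANDLE TargetProcessHandle,
    OUT PHANDLE TargetHandle OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG Attributes,
    IN ULONG Options
);

/*
 * Kernel exports that are not declared in the public headers.
 * KeAddSystemServiceTable returns BOOLEAN; the original declaration relied on
 * implicit int, which is not valid C99.  Its parameters are left as PVOID as
 * in the original -- this prototype is presumably only used to take the
 * routine's address, not to call it.
 */
NTKERNELAPI BOOLEAN KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID);
/* Both lookups return a referenced object; the caller owns the reference and
 * must release it with ObDereferenceObject. */
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN HANDLE ProcessId, OUT PEPROCESS *Process);
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(IN HANDLE ThreadId, OUT PETHREAD *Thread);
NTKERNELAPI PEPROCESS IoThreadToProcess(IN PETHREAD Thread);

NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess
(
    IN HANDLE ProcessHandle,
    IN ULONG ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

NTSYSAPI NTSTATUS NTAPI ZwQueryInformationThread
(
    IN HANDLE ThreadHandle,
    IN ULONG ThreadInformationClass,
    OUT PVOID ThreadInformation,
    IN ULONG ThreadInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

/*
 * Shadow-table index of NtUserPostThreadMessage (per the name "PTM"), valid
 * for Windows XP only.  On any other build this index selects a different
 * service, so the hook would silently replace the wrong entry; resolve the
 * index at run time, or at least refuse to patch when the build does not
 * match.
 */
ULONG idPTM = 476; /* XP HARD CODE */

/* x86 inline-patch templates.  JmpCode is an E9 (jmp rel32) with the
 * displacement filled in at run time; OrgCode is the 5 original bytes expected
 * at HookAddr (presumably inside KiFastCallEntry), kept for restoring on
 * unload; PushRetCode is a "push imm32; ret" trampoline whose immediate is
 * patched at run time.  OrgCode is build-specific: compare it against the live
 * bytes before writing the jump, so a mismatched kernel is rejected instead of
 * corrupted. */
BYTE JmpCode[5]     = {0xE9, 0x00, 0x00, 0x00, 0x00};
BYTE OrgCode[5]     = {0x8B, 0x3F, 0x8B, 0x1C, 0x87};
BYTE PushRetCode[6] = {0x68, 0x00, 0x00, 0x00, 0x00, 0xC3};

/* Single spin lock serializing the hook routines.  The saved IRQL lives in a
 * global, which is only correct while exactly one acquirer holds the lock at a
 * time and every acquire is paired with a release on the same path; a local
 * KIRQL per critical section would be the safer form. */
KIRQL f_oldirql;
KSPIN_LOCK f_spinlock;

/* Original service entry points, saved before the tables are patched. */
NTOPENTHREAD OldNtOpenThread;
NTOPENPROCESS OldNtOpenProcess;
NTDUPLICATEOBJECT OldNtDuplicateObject;
NTUSERPOSTTHREADMESSAGE OldNtUserPostThreadMessage;

/* Code addresses are held in ULONG, so this driver is 32-bit x86 only. */
ULONG uKiFastCallEntryAddr = 0; /* address of KiFastCallEntry, per the name */
ULONG HookAddr = 0;             /* location where JmpCode is written */
ULONG JMPRet = 0;               /* address the hook returns to after its work */
ULONG PushRetMem = 0;           /* buffer holding the PushRetCode trampoline */

/* Process being protected (inferred from use): id and EPROCESS.  If ppep comes
 * from PsLookupProcessByProcessId it carries a reference that must be dropped
 * with ObDereferenceObject on unload -- verify against the caller. */
ULONG ppid = 0;
PEPROCESS ppep = NULL;

/* Service tables: the shadow table (win32k services) is located at run time;
 * the main table is exported by the kernel on x86. */
PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow;
extern PSYSTEM_SERVICE_TABLE KeServiceDescriptorTable;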
ULONG GetShadowTableAddress()
{