http://bbs.pediy.com/thread-210481.htm

来看雪一年了,在这里面学到了很多知识,非常感谢各位前辈对知识的分享和不懈的研究,也非常感谢各位大神对我们这些小白的照顾,特别要感谢MaMy、hksoobe、luolinlove等大神的指导。我也一直非常希望能为看雪贡献一点什么,但是小白的理解估计大神也看不上,这次也是注册看雪一周年,冲着这个也来发表一点自己的理解吧,写的不好还望各位看官海涵



PS:我们不生产技术,只是技术的搬运工



进入正题:

SSSDT就是win32k.sys里面的函数,大多数都跟图形相关,比如什么NtUserGetDCEx或者NtUserCreateWindowEx等。所以要查看这些内核函数地址,光在驱动中进行和SSDT一样的访问会引发异常蓝屏的。

所以有前辈就想出办法,在驱动程序里面调用KeAttachProces到csrss.exe中,获取这个系统进程的地址空间从而在驱动中获取SSSDT中的函数地址,传送门:http://bbs.pediy.com/showthread.php?p=1245567#post1245567

但是我自己可能没有领略到这个方法的精髓,不论怎么做还是蓝屏了,所以就想了另外一个办法,用一个控制台应用程序自己加载自己的驱动(当然是用虚拟机里面的测试模式),然后再在驱动里面打印SSSDT中的各个函数地址,关于怎么自己加载驱动请看http://www.mengwuji.net/forum.php?mod=viewthread&tid=2859&page=1#pid56859

这样做了以后居然成功了,驱动程序成功打印出来了SSSDT中的函数地址而不蓝屏。驱动程序里面打印SSSDT函数地址的代码我会在最后给出。现在看一下一小部分打印出来的样子:

Shadow SSDT ID:4902, Address:FFFFF960000FBC30! Shadow SSDT ID:4903, Address:FFFFF960001A1AB0! Shadow SSDT ID:4904, Address:FFFFF9600019F5F4! Shadow SSDT ID:4905, Address:FFFFF960001A2418! Shadow SSDT ID:4906, Address:FFFFF960001A11C8! Shadow SSDT ID:4907, Address:FFFFF9600019FAB0! Shadow SSDT ID:4908, Address:FFFFF960001A9EE0! Shadow SSDT ID:4909, Address:FFFFF9600019B15C!



最后就是解决SSSDT函数ID对应名称的问题,也可以看一下这篇文章 http://blog.csdn.net/whatday/article/details/9959077

当然我没有做出来上面代码的功能,我是这样实现的:

kd> u FFFFF960001A392C win32k!NtUserQueryDisplayConfig: fffff960`001a392c ?? ??? ^ Memory access error in 'u FFFFF960001A392C' kd> u FFFFF960000FBC30; win32k!NtUserSwitchDesktop: fffff960`000fbc30 ?? ??? ^ Memory access error in 'u FFFFF960000FBC30;' kd> u FFFFF960001A1AB0; win32k!NtUserTestForInteractiveUser: fffff960`001a1ab0 ?? ??? ^ Memory access error in 'u FFFFF960001A1AB0;' kd> u FFFFF9600019F5F4; win32k!NtUserTrackPopupMenuEx: fffff960`0019f5f4 ?? ??? ^ Memory access error in 'u FFFFF9600019F5F4;'



这样就可以把函数地址和函数ID函数名称都对应起来了。

上面做了这么多东西SSSDT的东西,当然是要对SSSDT进行HOOK了,HOOK可以看一下这位前辈的帖子: http://bbs.pediy.com/showthread.php?t=204323&highlight=shadow 。当然现在我也没有做出来HOOK,后续会来做。

到这里应该就写完自己想写的东西了,非常感谢各位看官能耐着性子看到现在,后面我也会加强学习,真正的能写一点有用的东西,不当搬运工了。

如果写的有不对的地方还望各位看官海涵,也希望能指正出来。

最后希望看雪能越来越红火,桃李满天下^^



驱动打印函数代码:

typedef struct _SYSTEM_SERVICE_TABLE{ PVOID ServiceTableBase; PVOID ServiceCounterTableBase; ULONGLONG NumberOfServices; PVOID ParamTableBase; } SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE; PSYSTEM_SERVICE_TABLE g_KeServiceDescriptorTableShadow = NULL; ULONGLONG GetKeServiceDescriptorTableShadow64() { PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082); PUCHAR EndSearchAddress = StartSearchAddress + 0x500; PUCHAR i = NULL; UCHAR b1=0,b2=0,b3=0; ULONG templong=0; ULONGLONG addr=0; for(i=StartSearchAddress;i<EndSearchAddress;i++) { if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) ) { b1=*i; b2=*(i+1); b3=*(i+2); if( b1==0x4c && b2==0x8d && b3==0x1d ) //4c8d1d { memcpy(&templong,i+3,4); addr = (ULONGLONG)templong + (ULONGLONG)i + 7; return addr; } } } return 0; } VOID InitShadowHookSSDT() { g_KeServiceDescriptorTableShadow = (PSYSTEM_SERVICE_TABLE)GetKeServiceDescriptorTableShadow64(); if (g_KeServiceDescriptorTableShadow) { DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "ShadowSSDT内核表基址:%p\n", g_KeServiceDescriptorTableShadow); } else { DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "获取ShadowSSDT内核表基址失败!\n"); } } ULONGLONG GetSSSDTFuncCurAddr64(ULONG64 Index) { ULONGLONG W32pServiceTable=0, qwTemp=0; LONG dwTemp=0; PSYSTEM_SERVICE_TABLE pWin32k; pWin32k = (PSYSTEM_SERVICE_TABLE)((ULONG64)g_KeServiceDescriptorTableShadow + sizeof(SYSTEM_SERVICE_TABLE)); W32pServiceTable=(ULONGLONG)(pWin32k->ServiceTableBase); qwTemp = W32pServiceTable + 4 * (Index-0x1000); dwTemp = *(PLONG)qwTemp; dwTemp = dwTemp >> 4; qwTemp = W32pServiceTable + (LONG64)dwTemp; return qwTemp; } VOID PrintShadowSSDT() { ULONG64 i = 0; for (i=0x1000; i<0x1338; ++i) { DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "Shadow SSDT ID:%d, Address:%p!\n", i, GetSSSDTFuncCurAddr64(i)); } }





福利

SSSDT函数表:

PCWSTR g_SSSDTTableName[830] = { L"NtUserGetThreadState", L"NtUserPeekMessage", L"NtUserCallOneParam", L"NtUserGetKeyState", L"NtUserInvalidateRect", L"NtUserCallNoParam", L"NtUserGetMessage", L"NtUserMessageCall", L"NtGdiBitBlt", L"NtGdiGetCharSet", L"NtUserGetDC", L"NtGdiSelectBitmap", L"NtUserWaitMessage", L"NtUserTranslateMessage", L"NtUserGetProp", L"NtUserPostMessage", L"NtUserQueryWindow", L"NtUserTranslateAccelerator", L"NtGdiFlush", L"NtUserRedrawWindow", L"NtUserWindowFromPoint", L"NtUserCallMsgFilter", L"NtUserValidateTimerCallback", L"NtUserBeginPaint", L"NtUserSetTimer", L"NtUserEndPaint", L"NtUserSetCursor", L"NtUserKillTimer", L"NtUserBuildHwndList", L"NtUserSelectPalette", L"NtUserCallNextHookEx", L"NtUserHideCaret", L"NtGdiIntersectClipRect", L"NtUserCallHwndLock", L"NtUserGetProcessWindowStation", L"NtGdiDeleteObjectApp", L"NtUserSetWindowPos", L"NtUserShowCaret", L"NtUserEndDeferWindowPosEx", L"NtUserCallHwndParamLock", L"NtUserVkKeyScanEx", L"NtGdiSetDIBitsToDeviceInternal", L"NtUserCallTwoParam", L"NtGdiGetRandomRgn", L"NtUserCopyAcceleratorTable", L"NtUserNotifyWinEvent", L"NtGdiExtSelectClipRgn", L"NtUserIsClipboardFormatAvailable", L"NtUserSetScrollInfo", L"NtGdiStretchBlt", L"NtUserCreateCaret", L"NtGdiRectVisible", L"NtGdiCombineRgn", L"NtGdiGetDCObject", L"NtUserDispatchMessage", L"NtUserRegisterWindowMessage", L"NtGdiExtTextOutW", L"NtGdiSelectFont", L"NtGdiRestoreDC", L"NtGdiSaveDC", L"NtUserGetForegroundWindow", L"NtUserShowScrollBar", L"NtUserFindExistingCursorIcon", L"NtGdiGetDCDword", L"NtGdiGetRegionData", L"NtGdiLineTo", L"NtUserSystemParametersInfo", L"NtGdiGetAppClipBox", L"NtUserGetAsyncKeyState", L"NtUserGetCPD", L"NtUserRemoveProp", L"NtGdiDoPalette", L"NtGdiPolyPolyDraw", L"NtUserSetCapture", L"NtUserEnumDisplayMonitors", L"NtGdiCreateCompatibleBitmap", L"NtUserSetProp", L"NtGdiGetTextCharsetInfo", L"NtUserSBGetParms", L"NtUserGetIconInfo", L"NtUserExcludeUpdateRgn", L"NtUserSetFocus", L"NtGdiExtGetObjectW", L"NtUserDeferWindowPos", L"NtUserGetUpdateRect", L"NtGdiCreateCompatibleDC", L"NtUserGetClipboardSequenceNumber", L"NtGdiCreatePen", L"NtUserShowWindow", L"NtUserGetKeyboardLayoutList", L"NtGdiPatBlt", L"NtUserMapVirtualKeyEx", L"NtUserSetWindowLong", L"NtGdiHfontCreate", L"NtUserMoveWindow", L"NtUserPostThreadMessage", L"NtUserDrawIconEx", L"NtUserGetSystemMenu", L"NtGdiDrawStream", L"NtUserInternalGetWindowText", L"NtUserGetWindowDC", L"NtGdiD3dDrawPrimitives2", L"NtGdiInvertRgn", L"NtGdiGetRgnBox", L"NtGdiGetAndSetDCDword", L"NtGdiMaskBlt", L"NtGdiGetWidthTable", L"NtUserScrollDC", L"NtUserGetObjectInformation", L"NtGdiCreateBitmap", L"NtUserFindWindowEx", L"NtGdiPolyPatBlt", L"NtUserUnhookWindowsHookEx", L"NtGdiGetNearestColor", L"NtGdiTransformPoints", L"NtGdiGetDCPoint", L"NtGdiCreateDIBBrush", L"NtGdiGetTextMetricsW", L"NtUserCreateWindowEx", L"NtUserSetParent", L"NtUserGetKeyboardState", L"NtUserToUnicodeEx", L"NtUserGetControlBrush", L"NtUserGetClassName", L"NtGdiAlphaBlend", L"NtGdiDdBlt", L"NtGdiOffsetRgn", L"NtUserDefSetText", L"NtGdiGetTextFaceW", L"NtGdiStretchDIBitsInternal", L"NtUserSendInput", L"NtUserGetThreadDesktop", L"NtGdiCreateRectRgn", L"NtGdiGetDIBitsInternal", L"NtUserGetUpdateRgn", L"NtGdiDeleteClientObj", L"NtUserGetIconSize", L"NtUserFillWindow", L"NtGdiExtCreateRegion", L"NtGdiComputeXformCoefficients", L"NtUserSetWindowsHookEx", L"NtUserNotifyProcessCreate", L"NtGdiUnrealizeObject", L"NtUserGetTitleBarInfo", L"NtGdiRectangle", L"NtUserSetThreadDesktop", L"NtUserGetDCEx", L"NtUserGetScrollBarInfo", L"NtGdiGetTextExtent", L"NtUserSetWindowFNID", L"NtGdiSetLayout", L"NtUserCalcMenuBar", L"NtUserThunkedMenuItemInfo", L"NtGdiExcludeClipRect", L"NtGdiCreateDIBSection", L"NtGdiGetDCforBitmap", L"NtUserDestroyCursor", L"NtUserDestroyWindow", L"NtUserCallHwndParam", L"NtGdiCreateDIBitmapInternal", L"NtUserOpenWindowStation", L"NtGdiDdDeleteSurfaceObject", L"NtGdiDdCanCreateSurface", L"NtGdiDdCreateSurface", L"NtUserSetCursorIconData", L"NtGdiDdDestroySurface", L"NtUserCloseDesktop", L"NtUserOpenDesktop", L"NtUserSetProcessWindowStation", L"NtUserGetAtomName", L"NtGdiDdResetVisrgn", L"NtGdiExtCreatePen", L"NtGdiCreatePaletteInternal", L"NtGdiSetBrushOrg", L"NtUserBuildNameList", L"NtGdiSetPixel", L"NtUserRegisterClassExWOW", L"NtGdiCreatePatternBrushInternal", L"NtUserGetAncestor", L"NtGdiGetOutlineTextMetricsInternalW", L"NtGdiSetBitmapBits", L"NtUserCloseWindowStation", L"NtUserGetDoubleClickTime", L"NtUserEnableScrollBar", L"NtGdiCreateSolidBrush", L"NtUserGetClassInfoEx", L"NtGdiCreateClientObj", L"NtUserUnregisterClass", L"NtUserDeleteMenu", L"NtGdiRectInRegion", L"NtUserScrollWindowEx", L"NtGdiGetPixel", L"NtUserSetClassLong", L"NtUserGetMenuBarInfo", L"NtGdiDdCreateSurfaceEx", L"NtGdiDdCreateSurfaceObject", L"NtGdiGetNearestPaletteIndex", L"NtGdiDdLockD3D", L"NtGdiDdUnlockD3D", L"NtGdiGetCharWidthW", L"NtUserInvalidateRgn", L"NtUserGetClipboardOwner", L"NtUserSetWindowRgn", L"NtUserBitBltSysBmp", L"NtGdiGetCharWidthInfo", L"NtUserValidateRect", L"NtUserCloseClipboard", L"NtUserOpenClipboard", L"NtGdiGetStockObject", L"NtUserSetClipboardData", L"NtUserEnableMenuItem", L"NtUserAlterWindowStyle", L"NtGdiFillRgn", L"NtUserGetWindowPlacement", L"NtGdiModifyWorldTransform", L"NtGdiGetFontData", L"NtUserGetOpenClipboardWindow", L"NtUserSetThreadState", L"NtGdiOpenDCW", L"NtUserTrackMouseEvent", L"NtGdiGetTransform", L"NtUserDestroyMenu", L"NtGdiGetBitmapBits", L"NtUserConsoleControl", L"NtUserSetActiveWindow", L"NtUserSetInformationThread", L"NtUserSetWindowPlacement", L"NtUserGetControlColor", L"NtGdiSetMetaRgn", L"NtGdiSetMiterLimit", L"NtGdiSetVirtualResolution", L"NtGdiGetRasterizerCaps", L"NtUserSetWindowWord", L"NtUserGetClipboardFormatName", L"NtUserRealInternalGetMessage", L"NtUserCreateLocalMemHandle", L"NtUserAttachThreadInput", L"NtGdiCreateHalftonePalette", L"NtUserPaintMenuBar", L"NtUserSetKeyboardState", L"NtGdiCombineTransform", L"NtUserCreateAcceleratorTable", L"NtUserGetCursorFrameInfo", L"NtUserGetAltTabInfo", L"NtUserGetCaretBlinkTime", L"NtGdiQueryFontAssocInfo", L"NtUserProcessConnect", L"NtUserEnumDisplayDevices", L"NtUserEmptyClipboard", L"NtUserGetClipboardData", L"NtUserRemoveMenu", L"NtGdiSetBoundsRect", L"NtGdiGetBitmapDimension", L"NtUserConvertMemHandle", L"NtUserDestroyAcceleratorTable", L"NtUserGetGUIThreadInfo", L"NtGdiCloseFigure", L"NtUserSetWindowsHookAW", L"NtUserSetMenuDefaultItem", L"NtUserCheckMenuItem", L"NtUserSetWinEventHook", L"NtUserUnhookWinEvent", L"NtUserLockWindowUpdate", L"NtUserSetSystemMenu", L"NtUserThunkedMenuInfo", L"NtGdiBeginPath", L"NtGdiEndPath", L"NtGdiFillPath", L"NtUserCallHwnd", L"NtUserDdeInitialize", L"NtUserModifyUserStartupInfoFlags", L"NtUserCountClipboardFormats", L"NtGdiAddFontMemResourceEx", L"NtGdiEqualRgn", L"NtGdiGetSystemPaletteUse", L"NtGdiRemoveFontMemResourceEx", L"NtUserEnumDisplaySettings", L"NtUserPaintDesktop", L"NtGdiExtEscape", L"NtGdiSetBitmapDimension", L"NtGdiSetFontEnumeration", L"NtUserChangeClipboardChain", L"NtUserSetClipboardViewer", L"NtUserShowWindowAsync", L"NtGdiCreateColorSpace", L"NtGdiDeleteColorSpace", L"NtUserActivateKeyboardLayout", L"NtGdiAbortDoc", L"NtGdiAbortPath", L"NtGdiAddEmbFontToDC", L"NtGdiAddFontResourceW", L"NtGdiAddRemoteFontToDC", L"NtGdiAddRemoteMMInstanceToDC", L"NtGdiAngleArc", L"NtGdiAnyLinkedFonts", L"NtGdiArcInternal", L"NtGdiBRUSHOBJ_DeleteRbrush", L"NtGdiBRUSHOBJ_hGetColorTransform", L"NtGdiBRUSHOBJ_pvAllocRbrush", L"NtGdiBRUSHOBJ_pvGetRbrush", L"NtGdiBRUSHOBJ_ulGetBrushColor", L"NtGdiBeginGdiRendering", L"NtGdiCLIPOBJ_bEnum", L"NtGdiCLIPOBJ_cEnumStart", L"NtGdiCLIPOBJ_ppoGetPath", L"NtGdiCancelDC", L"NtGdiChangeGhostFont", L"NtGdiCheckBitmapBits", L"NtGdiClearBitmapAttributes", L"NtGdiClearBrushAttributes", L"NtGdiColorCorrectPalette", L"NtGdiConfigureOPMProtectedOutput", L"NtGdiConvertMetafileRect", L"NtGdiCreateBitmapFromDxSurface", L"NtGdiCreateColorTransform", L"NtGdiCreateEllipticRgn", L"NtGdiCreateHatchBrushInternal", L"NtGdiCreateMetafileDC", L"NtGdiCreateOPMProtectedOutputs", L"NtGdiCreateRoundRectRgn", L"NtGdiCreateServerMetaFile", L"NtGdiD3dContextCreate", L"NtGdiD3dContextDestroy", L"NtGdiD3dContextDestroyAll", L"NtGdiD3dValidateTextureStageState", L"NtGdiDDCCIGetCapabilitiesString", L"NtGdiDDCCIGetCapabilitiesStringLength", L"NtGdiDDCCIGetTimingReport", L"NtGdiDDCCIGetVCPFeature", L"NtGdiDDCCISaveCurrentSettings", L"NtGdiDDCCISetVCPFeature", L"NtGdiDdAddAttachedSurface", L"NtGdiDdAlphaBlt", L"NtGdiDdAttachSurface", L"NtGdiDdBeginMoCompFrame", L"NtGdiDdCanCreateD3DBuffer", L"NtGdiDdColorControl", L"NtGdiDdCreateD3DBuffer", L"NtGdiDdCreateDirectDrawObject", L"NtGdiDdCreateFullscreenSprite", L"NtGdiDdCreateMoComp", L"NtGdiDdDDIAcquireKeyedMutex", L"NtGdiDdDDICheckExclusiveOwnership", L"NtGdiDdDDICheckMonitorPowerState", L"NtGdiDdDDICheckOcclusion", L"NtGdiDdDDICheckSharedResourceAccess", L"NtGdiDdDDICheckVidPnExclusiveOwnership", L"NtGdiDdDDICloseAdapter", L"NtGdiDdDDIConfigureSharedResource", L"NtGdiDdDDICreateAllocation", L"NtGdiDdDDICreateContext", L"NtGdiDdDDICreateDCFromMemory", L"NtGdiDdDDICreateDevice", L"NtGdiDdDDICreateKeyedMutex", L"NtGdiDdDDICreateOverlay", L"NtGdiDdDDICreateSynchronizationObject", L"NtGdiDdDDIDestroyAllocation", L"NtGdiDdDDIDestroyContext", L"NtGdiDdDDIDestroyDCFromMemory", L"NtGdiDdDDIDestroyDevice", L"NtGdiDdDDIDestroyKeyedMutex", L"NtGdiDdDDIDestroyOverlay", L"NtGdiDdDDIDestroySynchronizationObject", L"NtGdiDdDDIEscape", L"NtGdiDdDDIFlipOverlay", L"NtGdiDdDDIGetContextSchedulingPriority", L"NtGdiDdDDIGetDeviceState", L"NtGdiDdDDIGetDisplayModeList", L"NtGdiDdDDIGetMultisampleMethodList", L"NtGdiDdDDIGetOverlayState", L"NtGdiDdDDIGetPresentHistory", L"NtGdiDdDDIGetPresentQueueEvent", L"NtGdiDdDDIGetProcessSchedulingPriorityClass", L"NtGdiDdDDIGetRuntimeData", L"NtGdiDdDDIGetScanLine", L"NtGdiDdDDIGetSharedPrimaryHandle", L"NtGdiDdDDIInvalidateActiveVidPn", L"NtGdiDdDDILock", L"NtGdiDdDDIOpenAdapterFromDeviceName", L"NtGdiDdDDIOpenAdapterFromHdc", L"NtGdiDdDDIOpenKeyedMutex", L"NtGdiDdDDIOpenResource", L"NtGdiDdDDIOpenSynchronizationObject", L"NtGdiDdDDIPollDisplayChildren", L"NtGdiDdDDIPresent", L"NtGdiDdDDIQueryAdapterInfo", L"NtGdiDdDDIQueryAllocationResidency", L"NtGdiDdDDIQueryResourceInfo", L"NtGdiDdDDIQueryStatistics", L"NtGdiDdDDIReleaseKeyedMutex", L"NtGdiDdDDIReleaseProcessVidPnSourceOwners", L"NtGdiDdDDIRender", L"NtGdiDdDDISetAllocationPriority", L"NtGdiDdDDISetContextSchedulingPriority", L"NtGdiDdDDISetDisplayMode", L"NtGdiDdDDISetDisplayPrivateDriverFormat", L"NtGdiDdDDISetGammaRamp", L"NtGdiDdDDISetProcessSchedulingPriorityClass", L"NtGdiDdDDISetQueuedLimit", L"NtGdiDdDDISetVidPnSourceOwner", L"NtGdiDdDDISharedPrimaryLockNotification", L"NtGdiDdDDISharedPrimaryUnLockNotification", L"NtGdiDdDDISignalSynchronizationObject", L"NtGdiDdDDIUnlock", L"NtGdiDdDDIUpdateOverlay", L"NtGdiDdDDIWaitForIdle", L"NtGdiDdDDIWaitForSynchronizationObject", L"NtGdiDdDDIWaitForVerticalBlankEvent", L"NtGdiDdDeleteDirectDrawObject", L"NtGdiDdDestroyD3DBuffer", L"NtGdiDdDestroyFullscreenSprite", L"NtGdiDdDestroyMoComp", L"NtGdiDdEndMoCompFrame", L"NtGdiDdFlip", L"NtGdiDdFlipToGDISurface", L"NtGdiDdGetAvailDriverMemory", L"NtGdiDdGetBltStatus", L"NtGdiDdGetDC", L"NtGdiDdGetDriverInfo", L"NtGdiDdGetDriverState", L"NtGdiDdGetDxHandle", L"NtGdiDdGetFlipStatus", L"NtGdiDdGetInternalMoCompInfo", L"NtGdiDdGetMoCompBuffInfo", L"NtGdiDdGetMoCompFormats", L"NtGdiDdGetMoCompGuids", L"NtGdiDdGetScanLine", L"NtGdiDdLock", L"NtGdiDdNotifyFullscreenSpriteUpdate", L"NtGdiDdQueryDirectDrawObject", L"NtGdiDdQueryMoCompStatus", L"DxEngVisRgnUniq", L"NtGdiDdReenableDirectDrawObject", L"NtGdiDdReleaseDC", L"NtGdiDdRenderMoComp", L"NtGdiDdSetColorKey", L"NtGdiDdSetExclusiveMode", L"NtGdiDdSetGammaRamp", L"NtGdiDdSetOverlayPosition", L"NtGdiDdUnattachSurface", L"NtGdiDdUnlock", L"NtGdiDdUpdateOverlay", L"NtGdiDdWaitForVerticalBlank", L"NtGdiDeleteColorTransform", L"NtGdiDescribePixelFormat", L"NtGdiDestroyOPMProtectedOutput", L"NtGdiDestroyPhysicalMonitor", L"NtGdiDoBanding", L"NtGdiDrawEscape", L"NtGdiDvpAcquireNotification", L"NtGdiDvpCanCreateVideoPort", L"NtGdiDvpColorControl", L"NtGdiDvpCreateVideoPort", L"NtGdiDvpDestroyVideoPort", L"NtGdiDvpFlipVideoPort", L"NtGdiDvpGetVideoPortBandwidth", L"NtGdiDvpGetVideoPortConnectInfo", L"NtGdiDvpGetVideoPortField", L"NtGdiDvpGetVideoPortFlipStatus", L"NtGdiDvpGetVideoPortInputFormats", L"NtGdiDvpGetVideoPortLine", L"NtGdiDvpGetVideoPortOutputFormats", L"NtGdiDvpGetVideoSignalStatus", L"NtGdiDvpReleaseNotification", L"NtGdiDvpUpdateVideoPort", L"NtGdiDvpWaitForVideoPortSync", L"NtGdiDxgGenericThunk", L"NtGdiEllipse", L"NtGdiEnableEudc", L"NtGdiEndDoc", L"NtGdiEndGdiRendering", L"NtGdiEndPage", L"NtGdiEngAlphaBlend", L"NtGdiEngAssociateSurface", L"NtGdiEngBitBlt", L"NtGdiEngCheckAbort", L"NtGdiEngComputeGlyphSet", L"NtGdiEngCopyBits", L"NtGdiEngCreateBitmap", L"NtGdiEngCreateClip", L"NtGdiEngCreateDeviceBitmap", L"NtGdiEngCreateDeviceSurface", L"NtGdiEngCreatePalette", L"NtGdiEngDeleteClip", L"NtGdiEngDeletePalette", L"NtGdiEngDeletePath", L"NtGdiEngDeleteSurface", L"NtGdiEngEraseSurface", L"NtGdiEngFillPath", L"NtGdiEngGradientFill", L"NtGdiEngLineTo", L"NtGdiEngLockSurface", L"NtGdiEngMarkBandingSurface", L"NtGdiEngPaint", L"NtGdiEngPlgBlt", L"NtGdiEngStretchBlt", L"NtGdiEngStretchBltROP", L"NtGdiEngStrokeAndFillPath", L"NtGdiEngStrokePath", L"NtGdiEngTextOut", L"NtGdiEngTransparentBlt", L"NtGdiEngUnlockSurface", L"NtGdiEnumFonts", L"NtGdiEnumObjects", L"NtGdiEudcLoadUnloadLink", L"NtGdiExtFloodFill", L"NtGdiFONTOBJ_cGetAllGlyphHandles", L"NtGdiFONTOBJ_cGetGlyphs", L"NtGdiFONTOBJ_pQueryGlyphAttrs", L"NtGdiFONTOBJ_pfdg", L"NtGdiFONTOBJ_pifi", L"NtGdiFONTOBJ_pvTrueTypeFontFile", L"NtGdiFONTOBJ_pxoGetXform", L"NtGdiFONTOBJ_vGetInfo", L"NtGdiFlattenPath", L"NtGdiFontIsLinked", L"NtGdiForceUFIMapping", L"NtGdiFrameRgn", L"NtGdiFullscreenControl", L"NtGdiGetBoundsRect", L"NtGdiGetCOPPCompatibleOPMInformation", L"NtGdiGetCertificate", L"NtGdiGetCertificateSize", L"NtGdiGetCharABCWidthsW", L"NtGdiGetCharacterPlacementW", L"NtGdiGetColorAdjustment", L"NtGdiGetColorSpaceforBitmap", L"NtGdiGetDeviceCaps", L"NtGdiGetDeviceCapsAll", L"NtGdiGetDeviceGammaRamp", L"NtGdiGetDeviceWidth", L"NtGdiGetDhpdev", L"NtGdiGetETM", L"NtGdiGetEmbUFI", L"NtGdiGetEmbedFonts", L"NtGdiGetEudcTimeStampEx", L"NtGdiGetFontFileData", L"NtGdiGetFontFileInfo", L"NtGdiGetFontResourceInfoInternalW", L"NtGdiGetFontUnicodeRanges", L"NtGdiGetGlyphIndicesW", L"NtGdiGetGlyphIndicesWInternal", L"NtGdiGetGlyphOutline", L"NtGdiGetKerningPairs", L"NtGdiGetLinkedUFIs", L"NtGdiGetMiterLimit", L"NtGdiGetMonitorID", L"NtGdiGetNumberOfPhysicalMonitors", L"NtGdiGetOPMInformation", L"NtGdiGetOPMRandomNumber", L"NtGdiGetObjectBitmapHandle", L"NtGdiGetPath", L"NtGdiGetPerBandInfo", L"NtGdiGetPhysicalMonitorDescription", L"NtGdiGetPhysicalMonitors", L"NtGdiGetRealizationInfo", L"NtGdiGetServerMetaFileBits", L"DxgStubQueryDirectDrawObject", L"NtGdiGetStats", L"NtGdiGetStringBitmapW", L"NtGdiGetSuggestedOPMProtectedOutputArraySize", L"NtGdiGetTextExtentExW", L"NtGdiGetUFI", L"NtGdiGetUFIPathname", L"NtGdiGradientFill", L"NtGdiHLSurfGetInformation", L"NtGdiHLSurfSetInformation", L"NtGdiHT_Get8BPPFormatPalette", L"NtGdiHT_Get8BPPMaskPalette", L"NtGdiIcmBrushInfo", L"WatchdogDrvResetDevice", L"EngGetForm", L"NtGdiMakeFontDir", L"NtGdiMakeInfoDC", L"NtGdiMakeObjectUnXferable", L"NtGdiMakeObjectXferable", L"NtGdiMirrorWindowOrg", L"NtGdiMonoBitmap", L"NtGdiMoveTo", L"NtGdiOffsetClipRgn", L"NtGdiPATHOBJ_bEnum", L"NtGdiPATHOBJ_bEnumClipLines", L"NtGdiPATHOBJ_vEnumStart", L"NtGdiPATHOBJ_vEnumStartClipLines", L"NtGdiPATHOBJ_vGetBounds", L"NtGdiPathToRegion", L"NtGdiPlgBlt", L"NtGdiPolyDraw", L"NtGdiPolyTextOutW", L"NtGdiPtInRegion", L"NtGdiPtVisible", L"NtGdiQueryFonts", L"NtGdiRemoveFontResourceW", L"NtGdiRemoveMergeFont", L"NtGdiResetDC", L"NtGdiResizePalette", L"NtGdiRoundRect", L"NtGdiSTROBJ_bEnum", L"NtGdiSTROBJ_bEnumPositionsOnly", L"NtGdiSTROBJ_bGetAdvanceWidths", L"NtGdiSTROBJ_dwGetCodePage", L"NtGdiSTROBJ_vEnumStart", L"NtGdiScaleViewportExtEx", L"NtGdiScaleWindowExtEx", L"NtGdiSelectBrush", L"NtGdiSelectClipPath", L"NtGdiSelectPen", L"NtGdiSetBitmapAttributes", L"NtGdiSetBrushAttributes", L"NtGdiSetColorAdjustment", L"NtGdiSetColorSpace", L"NtGdiSetDeviceGammaRamp", L"NtGdiSetFontXform", L"NtGdiSetIcmMode", L"NtGdiSetLinkedUFIs", L"NtGdiSetMagicColors", L"NtGdiSetOPMSigningKeyAndSequenceNumbers", L"NtGdiSetPUMPDOBJ", L"NtGdiSetPixelFormat", L"NtGdiSetRectRgn", L"NtGdiSetSizeDevice", L"NtGdiSetSystemPaletteUse", L"NtGdiSetTextJustification", L"NtGdiSfmGetNotificationTokens", L"NtGdiStartDoc", L"NtGdiStartPage", L"NtGdiStrokeAndFillPath", L"NtGdiStrokePath", L"NtGdiSwapBuffers", L"NtGdiTransparentBlt", L"NtGdiUMPDEngFreeUserMem", L"DxgStubQueryDirectDrawObject", L"WatchdogDrvResetDevice", L"NtGdiUpdateColors", L"NtGdiUpdateTransform", L"NtGdiWidenPath", L"NtGdiXFORMOBJ_bApplyXform", L"NtGdiXFORMOBJ_iGetXform", L"NtGdiXLATEOBJ_cGetPalette", L"NtGdiXLATEOBJ_hGetColorTransform", L"NtGdiXLATEOBJ_iXlate", L"NtUserAddClipboardFormatListener", L"NtUserAssociateInputContext", L"NtUserBlockInput", L"NtUserBuildHimcList", L"NtUserBuildPropList", L"NtUserCalculatePopupWindowPosition", L"NtUserCallHwndOpt", L"NtUserChangeDisplaySettings", L"NtUserChangeWindowMessageFilterEx", L"NtUserCheckAccessForIntegrityLevel", L"NtUserCheckDesktopByThreadId", L"NtUserCheckWindowThreadDesktop", L"NtUserChildWindowFromPointEx", L"NtUserClipCursor", L"NtUserCreateDesktopEx", L"NtUserCreateInputContext", L"NtUserCreateWindowStation", L"NtUserCtxDisplayIOCtl", L"NtUserDestroyInputContext", L"NtUserDisableThreadIme", L"NtUserDisplayConfigGetDeviceInfo", L"NtUserDisplayConfigSetDeviceInfo", L"NtUserDoSoundConnect", L"NtUserDoSoundDisconnect", L"NtUserDragDetect", L"NtUserDragObject", L"NtUserDrawAnimatedRects", L"NtUserDrawCaption", L"NtUserDrawCaptionTemp", L"NtUserDrawMenuBarTemp", L"NtUserDwmStartRedirection", L"NtUserDwmStopRedirection", L"NtUserEndMenu", L"NtUserEndTouchOperation", L"NtUserEvent", L"NtUserFlashWindowEx", L"NtUserFrostCrashedWindow", L"NtUserGetAppImeLevel", L"NtUserGetCaretPos", L"NtUserGetClipCursor", L"NtUserGetClipboardViewer", L"NtUserGetComboBoxInfo", L"NtUserGetCursorInfo", L"NtUserGetDisplayConfigBufferSizes", L"NtUserGetGestureConfig", L"NtUserGetGestureExtArgs", L"NtUserGetGestureInfo", L"NtUserGetGuiResources", L"NtUserGetImeHotKey", L"NtUserGetImeInfoEx", L"NtUserGetInputLocaleInfo", L"NtUserGetInternalWindowPos", L"NtUserGetKeyNameText", L"NtUserGetKeyboardLayoutName", L"NtUserGetLayeredWindowAttributes", L"NtUserGetListBoxInfo", L"NtUserGetMenuIndex", L"NtUserGetMenuItemRect", L"NtUserGetMouseMovePointsEx", L"NtUserGetPriorityClipboardFormat", L"NtUserGetRawInputBuffer", L"NtUserGetRawInputData", L"NtUserGetRawInputDeviceInfo", L"NtUserGetRawInputDeviceList", L"NtUserGetRegisteredRawInputDevices", L"NtUserGetTopLevelWindow", L"NtUserGetTouchInputInfo", L"NtUserGetUpdatedClipboardFormats", L"NtUserGetWOWClass", L"NtUserGetWindowCompositionAttribute", L"NtUserGetWindowCompositionInfo", L"NtUserGetWindowDisplayAffinity", L"NtUserGetWindowMinimizeRect", L"NtUserGetWindowRgnEx", L"NtUserGhostWindowFromHungWindow", L"NtUserHardErrorControl", L"NtUserHiliteMenuItem", L"NtUserHungWindowFromGhostWindow", L"NtUserHwndQueryRedirectionInfo", L"NtUserHwndSetRedirectionInfo", L"NtUserImpersonateDdeClientWindow", L"NtUserInitTask", L"NtUserInitialize", L"NtUserInitializeClientPfnArrays", L"NtUserInjectGesture", L"NtUserInternalGetWindowIcon", L"NtUserIsTopLevelWindow", L"NtUserIsTouchWindow", L"NtUserLoadKeyboardLayoutEx", L"NtUserLockWindowStation", L"NtUserLockWorkStation", L"NtUserLogicalToPhysicalPoint", L"NtUserMNDragLeave", L"NtUserMNDragOver", L"NtUserMagControl", L"NtUserMagGetContextInformation", L"NtUserMagSetContextInformation", L"NtUserManageGestureHandlerWindow", L"NtUserMenuItemFromPoint", L"NtUserMinMaximize", L"NtUserModifyWindowTouchCapability", L"NtUserNotifyIMEStatus", L"NtUserOpenInputDesktop", L"NtUserOpenThreadDesktop", L"NtUserPaintMonitor", L"NtUserPhysicalToLogicalPoint", L"NtUserPrintWindow", L"NtUserQueryDisplayConfig", L"NtUserQueryInformationThread", L"NtUserQueryInputContext", L"NtUserQuerySendMessage", L"NtUserRealChildWindowFromPoint", L"NtUserRealWaitMessageEx", L"NtUserRegisterErrorReportingDialog", L"NtUserRegisterHotKey", L"NtUserRegisterRawInputDevices", L"NtUserRegisterServicesProcess", L"NtUserRegisterSessionPort", L"NtUserRegisterTasklist", L"NtUserRegisterUserApiHook", L"NtUserRemoteConnect", L"NtUserRemoteRedrawRectangle", L"NtUserRemoteRedrawScreen", L"NtUserRemoteStopScreenUpdates", L"NtUserRemoveClipboardFormatListener", L"NtUserResolveDesktopForWOW", L"NtUserSendTouchInput", L"NtUserSetAppImeLevel", L"NtUserSetChildWindowNoActivate", L"NtUserSetClassWord", L"NtUserSetCursorContents", L"NtUserSetDisplayConfig", L"NtUserSetGestureConfig", L"NtUserSetImeHotKey", L"NtUserSetImeInfoEx", L"NtUserSetImeOwnerWindow", L"NtUserSetInternalWindowPos", L"NtUserSetLayeredWindowAttributes", L"NtUserSetMenu", L"NtUserSetMenuContextHelpId", L"NtUserSetMenuFlagRtoL", L"NtUserSetMirrorRendering", L"NtUserSetObjectInformation", L"NtUserSetProcessDPIAware", L"NtUserSetShellWindowEx", L"NtUserSetSysColors", L"NtUserSetSystemCursor", L"NtUserSetSystemTimer", L"NtUserSetThreadLayoutHandles", L"NtUserSetWindowCompositionAttribute", L"NtUserSetWindowDisplayAffinity", L"NtUserSetWindowRgnEx", L"NtUserSetWindowStationUser", L"NtUserSfmDestroyLogicalSurfaceBinding", L"NtUserSfmDxBindSwapChain", L"NtUserSfmDxGetSwapChainStats", L"NtUserSfmDxOpenSwapChain", L"NtUserSfmDxQuerySwapChainBindingStatus", L"NtUserSfmDxReleaseSwapChain", L"NtUserSfmDxReportPendingBindingsToDwm", L"NtUserSfmDxSetSwapChainBindingStatus", L"NtUserSfmDxSetSwapChainStats", L"NtUserSfmGetLogicalSurfaceBinding", L"NtUserShowSystemCursor", L"NtUserSoundSentry", L"NtUserSwitchDesktop", L"NtUserTestForInteractiveUser", L"NtUserTrackPopupMenuEx", L"NtUserUnloadKeyboardLayout", L"NtUserUnlockWindowStation", L"NtUserUnregisterHotKey", L"NtUserUnregisterSessionPort", L"NtUserUnregisterUserApiHook", L"NtUserUpdateInputContext", L"NtUserUpdateInstance", L"NtUserUpdateLayeredWindow", L"NtUserUpdatePerUserSystemParameters", L"NtUserUpdateWindowTransform", L"NtUserUserHandleGrantAccess", L"NtUserValidateHandleSecure", L"NtUserWaitForInputIdle", L"NtUserWaitForMsgAndEvent", L"NtUserWindowFromPhysicalPoint" };



这个表肯定不完整,但是应该够用了



HOOK

上面已经有一篇关于如何HOOK Shadow SSDT的帖子了,思路和想法都很对,我仅仅只是为了篇幅完整,把自己的HOOK加入到这篇文章里面。



就已HOOK NtUserCreateWindowEx为例吧。

关于NtUserCreateWindowEx的原型可以参考这篇帖子 http://bbs.pediy.com/showthread.php?p=590615&mode=threaded



上面的是x86的,x64差不多,就是数据长度变了,我自己分析出来x64原型如下:

NTSTATUS NtUserCreateWindowEx( ULONG32 dwExStyle, ULONG64 qwMaybeClassVer, PLARGE_STRING pStrClassName, PLARGE_STRING pStrWindowName, ULONG32 dwStyle, ULONG32 x, ULONG32 y, ULONG32 nWidth, ULONG32 nHeight, ULONG64 parentHWND, ULONG64 hMenu, ULONG64 hInstance, ULONG64 pParam, ULONG32 dwFlags, ULONG64 pActivationContextInformation );





然后就可以对这个函数进行HOOK了,由于Win7对SSSDT没有PG,所以可以采取TA大牛的做法修改SSSDT的偏移进行二次跳转,也可以直接inline HOOK。

个人采取的是inline HOOK,因为这样可以不破坏SSSDT里面的任何一个函数,inline HOOK需要不破坏汇编语句的完整性,需要知道头部的汇编,可以在双机调试下,输入!process 0 0,然后找到csrss.exe的EPROCESS的地址,在输入.process 地址,就可以访问这个函数了。

kd> !process 0 0 省略 PROCESS fffffa801b0ce9e0 SessionId: 1 Cid: 017c Peb: 7fffffdf000 ParentCid: 0174 DirBase: 0eb60000 ObjectTable: fffff8a008922590 HandleCount: 263. Image: csrss.exe 省略 kd> .process fffffa801b0ce9e0 Implicit process is now fffffa80`1b0ce9e0 WARNING: .cache forcedecodeuser is not enabled kd> u NtUserCreateWindowEx fffff960`000b2b04 488bc4 mov rax,rsp fffff960`000b2b07 4c894820 mov qword ptr [rax+20h],r9 fffff960`000b2b0b 4c894018 mov qword ptr [rax+18h],r8 fffff960`000b2b0f 48895010 mov qword ptr [rax+10h],rdx



现在可以进行HOOK了,代码在后续给出,先看一下效果图。



HOOK代码如下:

typedef struct _LARGE_STRING{ USHORT Length; UCHAR MaxinumLength; UCHAR bAnsi; PULONG64 Buffer; }LARGE_STRING, *PLARGE_STRING; LONG GetShadowSSDTFuncIDByName(PCWSTR name) { UNICODE_STRING BaseFuncName; UNICODE_STRING DestFuncName; LONG i = 0; RtlInitUnicodeString(&DestFuncName, name); for (i = 0; i < 401; ++i) { RtlInitUnicodeString(&BaseFuncName, g_SSSDTTableName[i]); if (RtlEqualUnicodeString(&BaseFuncName, &DestFuncName, FALSE)) { return i+0x1000; } } return -1; } ULONGLONG GetSSSDTFuncCurAddr64(LONG Index) { ULONGLONG qwTemp=0; LONG dwTemp=0; PSYSTEM_SERVICE_TABLE pWin32k; pWin32k = (PSYSTEM_SERVICE_TABLE)((ULONG64)g_KeServiceDescriptorTableShadow + sizeof(SYSTEM_SERVICE_TABLE)); if (!g_SSSDTTableAddress) { g_SSSDTTableAddress=(ULONGLONG)(pWin32k->ServiceTableBase); DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "g_SSSDTTableAddress地址:%p\n", g_SSSDTTableAddress); } qwTemp = g_SSSDTTableAddress + 4 * (Index-0x1000); dwTemp = *(PLONG)qwTemp; dwTemp = dwTemp >> 4; qwTemp = g_SSSDTTableAddress + (LONG64)dwTemp; return qwTemp; } typedef NTSTATUS (__fastcall *pMyNtUserCreateWindowEx)( ULONG32 dwExStyle, ULONG64 qwMaybeClassVer, PLARGE_STRING pStrClassName, PLARGE_STRING pStrWindowName, ULONG32 dwStyle, ULONG32 x, ULONG32 y, ULONG32 nWidth, ULONG32 nHeight, ULONG64 parentHWND, ULONG64 hMenu, ULONG64 hInstance, ULONG64 pParam, ULONG32 dwFlags, ULONG64 pActivationContextInformation ); //NtUserCreateWindowEx 将头部数据取出来的地址 PVOID ori_func_NtUserCreateWindowEx = NULL; //NtUserCreateWindowEx 的代理函数 NTSTATUS Proxy_NtUserCreateWindowEx( ULONG32 dwExStyle, ULONG64 qwMaybeClassVer, PLARGE_STRING pStrClassName, PLARGE_STRING pStrWindowName, ULONG32 dwStyle, ULONG32 x, ULONG32 y, ULONG32 nWidth, ULONG32 nHeight, ULONG64 parentHWND, ULONG64 hMenu, ULONG64 hInstance, ULONG64 pParam, ULONG32 dwFlags, ULONG64 pActivationContextInformation ) { ANSI_STRING aString1; UNICODE_STRING uWindowName; if (pStrWindowName) { if (pStrWindowName->Buffer) { if (pStrWindowName->bAnsi) { RtlInitAnsiString(&aString1, (PCSZ)pStrWindowName->Buffer); RtlAnsiStringToUnicodeString(&uWindowName, &aString1, TRUE); DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "创建的窗口名称:%wZ\n", uWindowName); RtlFreeUnicodeString(&uWindowName); } else { RtlInitUnicodeString(&uWindowName, (PCWSTR)pStrWindowName->Buffer); DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "创建的窗口名称:%wZ\n", uWindowName); } } } if (hInstance) { DbgPrintEx(DPFLTR_IHVDRIVER_ID, 2, "创建的窗口实例:%p\n", hInstance); } return ((pMyNtUserCreateWindowEx)ori_func_NtUserCreateWindowEx)(dwExStyle, qwMaybeClassVer, pStrClassName, pStrWindowName, dwStyle, x, y, nWidth, nHeight, parentHWND, hMenu, hInstance, pParam, dwFlags, pActivationContextInformation); } VOID HookNtUserCreateWindowEx() { KIRQL irql; UCHAR jmp_code[]="\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"; UCHAR fill_code15[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; UCHAR jmp_code_orifunc[]="\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"; ULONG64 tmpv = 0; ULONG64 funcAddr = GetSSSDTFuncCurAddr64(GetShadowSSDTFuncIDByName(L"NtUserCreateWindowEx")); if (g_SSSDTTableAddress) { //step1:由于NtUserCreateWindowEx有15需要覆盖,所以申请15+14个字节的空间,并保存函数的前15个字节 ori_func_NtUserCreateWindowEx=kmalloc(15+14); DbgPrint("ori_func_NtUserCreateWindowEx地址为:%p\n", ori_func_NtUserCreateWindowEx); irql = WPOFF(); memcpy(ori_func_NtUserCreateWindowEx, (PVOID)funcAddr, 15); WPON(irql); //step2:填充跳转回原方法 tmpv = funcAddr + 15; memcpy(jmp_code_orifunc+6,&tmpv,8); memcpy((PUCHAR)ori_func_NtUserCreateWindowEx+15,jmp_code_orifunc,14); //step3:填充NtUserCreateWindowEx的前15个字节nop irql = WPOFF(); memcpy((PVOID)funcAddr,fill_code15,15); WPON(irql); //step4:填充NtUserCreateWindowEx跳转 tmpv = (ULONG64)Proxy_NtUserCreateWindowEx; memcpy(jmp_code+6,&tmpv,8); irql = WPOFF(); memcpy((PVOID)funcAddr,jmp_code,14); WPON(irql); DbgPrint("HOOK NtUserCreateWindowEx成功\n"); } else { DbgPrint("HOOK NtUserCreateWindowEx失败\n"); } }





今天正好是一周年,还是把这个写完吧,把最后一步的HOOK写进去,第一是想完整的写完这篇文章,第二是想证明上面的SSSDT表是正确的,第三是感觉还有很多东西要学,但是难得又看不明白,买本《深入解析Windows操作系统》一页纸写的东西都要研究好几个日夜,希望有大神指导一二,也希望自己能进一个从事软件安全的公司。

关于Win7 x64 Shadow SSDT 的探索和 Inline HOOK相关推荐

  1. [系统底层] x86和x64下ssdt的差异

    2019独角兽企业重金招聘Python工程师标准>>> X86和x64下ssdt的差异 首先介绍一下SSDT相关的结构体 PVOID无类型指针,x86下32位,x64下64位 结构体 ...

  2. [转载] 关于Win7 x64下过TP保护的一些思路,内核层过保护,驱动过保护

    首先特别感谢梦老大,本人一直没搞懂异常处理机制,看了他的教程之后终于明白了. 在他的教程里我学到了不少东西. 第一次在论坛发帖,就说说Win7 x64位下怎么过TP保护.如果有讲错的地方,还望指出. ...

  3. 关于Win7 x64下过TP保护(内核层)(转)

    首先特别感谢梦老大,本人一直没搞懂异常处理机制,看了他的教程之后终于明白了. 在他的教程里我学到了不少东西. 第一次在论坛发帖,就说说Win7 x64位下怎么过TP保护.如果有讲错的地方,还望指出. ...

  4. Windows内核新手上路2——挂钩shadow SSDT

    Windows内核新手上路2--挂钩shadow SSDT 文章核心内容:安全软件窗口保护.安全输入.截屏保护的一些思路.挂钩NtUserFindWindowEx.NtUserGetForegroun ...

  5. Win64 驱动内核编程-22.SHADOW SSDT HOOK(宋孖健)

    SHADOW SSDT HOOK HOOK 和 UNHOOK SHADOW SSDT 跟之前的 HOOK/UNHOOK SSDT 类似,区别是查找SSSDT的特征码,以及根据索引计算函数地址的公式,还 ...

  6. shadow ssdt学习笔记

    1.取得shadow ssdt真实地址 系统只提供了KeServiceDescriptorTable导出 KeServiceDescriptorTableShadow是个未导出结构 定义 Copy c ...

  7. emacs python ide_Emacs Python IDE win7 x64

    安装平台 win7 x64 ,emacs 23.3.1 snippet工具,可自定义一些模板: .emacs 配置如下 (add-to-list 'load-path "~/.emacs.d ...

  8. VC6 Win7 x64 提示 Remote Executable path And File Name

    在win7 x64 位操作系统安装 VC6++ 编译程序提示 Remote Executable path And File Name对话框,且build 下 Debug Remote Connect ...

  9. Dell Latitude 3490 使用 UEFI+GPT 安装 Win7 x64

    转载请注明出处!转载请注明出处!转载请注明出处! 公司近期采购了一批笔记本,由于刚好赶上Dell升级换代,原来的3480升级到了3490. 由于部分同事用不惯Win10系统,再加上有些软件不兼容,于是 ...

最新文章

  1. 技术架构委员需要关注哪些问题
  2. 极大似然估计_极大似然估计、极大后验估计和贝叶斯估计
  3. 字符串操作--宽窄字符转换
  4. Runtime 总结
  5. 先弄个XML解析器代码抄一抄 慢慢研究 O(∩_∩)O哈哈~
  6. 共享共建会让中国的5G加速吗?
  7. bootsect.exe linux,bootsect.exe
  8. 火狐 mysql插件_火狐firebug和firepath插件安装方法(最新)
  9. OpenCV读取网络摄像头视频并保存到本地
  10. 把华为OLT主控设置为上联的方法
  11. java毕业设计开题报告SSM图书馆预约占座系统
  12. Python使用Reportlab处理PDF数据 - 创建pdf库文件
  13. 为什么说c语言是关键字,为什么说C语言既有高级语言又有低级语言的特点
  14. 微信公众号开发者模式工作的开发
  15. Android Studio运行app启动模拟器一直卡在“Wating for target device to come online”解决方法
  16. 七段数码管的使用(使能端分时控制)
  17. 设计一款免费游戏的关键设计原则
  18. java 正则 懒惰_正则表达式的最大最小原则(就是懒惰和贪婪定理),java版本
  19. JDOJ 3055: Nearest Common Ancestors
  20. 好嗨游戏:游戏界的《千与千寻》,7年等待,游戏禅师陈星汉新作《Sky光遇》登录App Store

热门文章

  1. C++实现 小巧蜂鸣报时器Beeper
  2. Git 回退到指定版本
  3. 关于仿射变换矩阵的一点理解
  4. Rabbitmq学习笔记教程-尚硅谷
  5. EPPlus 使用小结
  6. EPPLUS中单元格的属性
  7. Python shutil库
  8. windows 忘记密码 强制修改重置密码
  9. 混音器原理及Mixer API函数介绍
  10. 培训课后作业(1)番外篇