让bsodhook检查任意hook
BSODHOOK非要开个驱动检查SHADOW TABLE和ssdt table
没有HOOK的就不让检查,于是写了个驱动让它能检查任意SSDT/SHADOW HOOK~
先打开bsodhook,load driver,再加载这个驱动即可
要检查的HOOK ID请在need_check_ssdt_id 和need_check_shadow_id里填写~
已测试版本 2.0.0.0
代码:
=================================
#include "ntddk.h"
#include "stdafx.h"
#include "zwfunc.h"
#include "ntifs_48.h"
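/* Original IRP_MJ_DEVICE_CONTROL dispatch of \Driver\BSODhook, saved by
 * DriverEntry before the slot is swapped for NewBsodHookDevCtl. Stored as a
 * typed dispatch pointer rather than a ULONG: the assignment in DriverEntry
 * then needs no pointer-to-integer conversion, and the value is not
 * truncated on a 64-bit build. NULL until the hook is installed. */
PDRIVER_DISPATCH oldBsodHookDevCtl = NULL;
/* SSDT indices that BSODhook should be made to check; 0xffffffff ends the list. */
ULONG need_check_ssdt_id[] = { 0x1, 0xffffffff };
/* Shadow SSDT indices to check; the hook subtracts 0x1000 from each before
 * indexing the shadow table output. 0xffffffff ends the list. */
ULONG need_check_shadow_id[] = { 0x1001, 0xffffffff };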
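/*
 * Marks the selected table entries in BSODhook's already-filled output
 * buffer so the tool treats them as hooked and checks them.
 *
 * base   - start of the user-mode output buffer (probed by the caller)
 * outlen - declared length of that buffer in bytes (OutputBufferLength)
 * ids    - list of table indices, terminated by 0xffffffff
 * idbase - subtracted from each id before indexing: 0 for the SSDT list,
 *          0x1000 for the shadow list (the per-table formulas of the
 *          original code)
 *
 * Layout assumed: entry k sits at byte offset k*4 + 4. That mirrors the
 * original code; it has not been checked against BSODhook itself. Entries
 * whose slot would fall outside outlen are skipped rather than written.
 * Must be called inside __try: the write can still fault.
 */
static VOID MarkEntriesForCheck(PUCHAR base, ULONG outlen, const ULONG *ids, ULONG idbase)
{
    ULONG i;
    for (i = 0; ids[i] != 0xffffffff; i++)
    {
        ULONGLONG offset;
        if (ids[i] < idbase)
        {
            continue;   /* index would underflow */
        }
        /* 64-bit arithmetic so a huge id cannot wrap the offset back into range */
        offset = (ULONGLONG)(ids[i] - idbase) * 4 + 4;
        if (offset + sizeof(ULONG) > outlen)
        {
            continue;   /* slot lies past the buffer the caller declared */
        }
        *(ULONG *)(base + offset) = 0xffffffff;
    }
}

/*
 * Replacement IRP_MJ_DEVICE_CONTROL dispatch for \Driver\BSODhook.
 *
 * Forwards the IRP to the saved original dispatch (oldBsodHookDevCtl). When
 * that succeeded for a "get SSDT" (0xB50D800B) or "get shadow SSDT"
 * (0xB50D800F) request, the selected entries in the requester's output
 * buffer are overwritten with 0xffffffff so BSODhook checks them.
 *
 * Returns the original dispatch's status unchanged; patching the buffer is
 * best-effort and a faulting buffer is silently left alone.
 *
 * Everything needed from the IRP is read before it is forwarded, because the
 * original handler completes the IRP and it must not be touched afterwards.
 * NOTE(review): this relies on the original handler completing the request
 * (and the output data being in UserBuffer) before it returns -- the post
 * only reports that as working on BSODhook 2.0.0.0, so confirm for other
 * versions.
 */
NTSTATUS NewBsodHookDevCtl(PDEVICE_OBJECT devobj, PIRP irp)
{
    PIO_STACK_LOCATION irpstack = IoGetCurrentIrpStackLocation(irp);
    ULONG iocontrolcode = irpstack->Parameters.DeviceIoControl.IoControlCode;
    ULONG outlen = irpstack->Parameters.DeviceIoControl.OutputBufferLength;
    PVOID userbuffer = irp->UserBuffer;
    KPROCESSOR_MODE requestor = irp->RequestorMode;
    /* Indirect call through a typed pointer instead of x86-only __asm, so the
     * hook also builds for x64; the cast accepts the saved value whether it is
     * declared as ULONG or as PDRIVER_DISPATCH. */
    PDRIVER_DISPATCH original = (PDRIVER_DISPATCH)(ULONG_PTR)oldBsodHookDevCtl;
    NTSTATUS stat = original(devobj, irp);

    /* STATUS_PENDING counts as success, but the buffer is not filled yet. */
    if (!NT_SUCCESS(stat) || stat == STATUS_PENDING || userbuffer == NULL)
    {
        return stat;
    }
    if (iocontrolcode != 0xB50D800B && iocontrolcode != 0xB50D800F)
    {
        return stat;
    }
    __try
    {
        /* UserBuffer is a raw caller pointer: confirm it is writable user
         * memory of the declared length before touching it. Alignment 1 keeps
         * the probe to a range check, matching the original's unaligned writes. */
        if (requestor == UserMode)
        {
            ProbeForWrite(userbuffer, outlen, 1);
        }
        if (iocontrolcode == 0xB50D800B)
        {
            MarkEntriesForCheck((PUCHAR)userbuffer, outlen, need_check_ssdt_id, 0);
        }
        else
        {
            MarkEntriesForCheck((PUCHAR)userbuffer, outlen, need_check_shadow_id, 0x1000);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* Bad or unmapped buffer: leave the tool's result as it was. */
    }
    return stat;
}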
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistry )
{
UNICODE_STRING Name ;
PDRIVER_OBJECT DriverObject ;
NTSTATUS stat ;
RtlInitUnicodeString(&Name , L"\\Driver\\BSODhook");
stat = ObReferenceObjectByName(&Name ,
OBJ_CASE_INSENSITIVE,
NULL,
0,
*IoDriverObjectType ,
KernelMode ,
NULL,
&DriverObject
);
if (!NT_SUCCESS(stat))
{
return STATUS_UNSUCCESSFUL ;
}
oldBsodHookDevCtl = DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL];
InterlockedExchangePointer(&DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] , NewBsodHookDevCtl);
ObfDereferenceObject(DriverObject);
return STATUS_SUCCESS ;