ssdt hook NtGetContextThread/NtSetContextThread 在打开OD附件任何程序就蓝屏 [来个接分，已解决]

内存溢出 2011-02-24 05:37:46



#define DNF_EXE "DNF.exe" //DNF进程名 

ULONG uNtSetContextThreadAddress;

ULONG uNtGetContextThreadAddress;

ULONG TenNtSetContextThread,TenNtGetContextThread;



//////////////////////////////////////////////////////////////////////

//  名称:  _MyNtGetThreadContext

//  功能:  两个SSDT HOOK伪造函数的中继函数

//  参数:  

//  返回:  

//////////////////////////////////////////////////////////////////////





NTSTATUS _declspec(naked)  Nakd_NtGetThreadContext(HANDLE hThread,PCONTEXT pContext)

{

  __asm

  {

    jmp dword ptr [TenNtGetContextThread]

  }



}



NTSTATUS _declspec(naked) Nakd_NtSetThreadContext(HANDLE hThread,PCONTEXT pContext)

{

  __asm

  {

    jmp dword ptr [TenNtSetContextThread]

  }



}



//////////////////////////////////////////////////////////////////////

//  名称:  MyNtGetThreadContext && MyNtSetThreadContext

//  功能:  NtGetThreadContext与NtSetThreadContext函数被SSDT HOOK的伪造函数

//  参数:  

//  返回:  

//////////////////////////////////////////////////////////////////////

//UCHAR* PsGetProcessImageFileName( IN PEPROCESS Process ); 



extern "C" UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);







NTSTATUS MyNtGetThreadContext(HANDLE hThread , PCONTEXT pContext)

{

  

  if (_stricmp((const char*)PsGetProcessImageFileName(PsGetCurrentProcess()),DNF_EXE))

  {

    KdPrint(("------------------%S",PsGetProcessImageFileName(PsGetCurrentProcess())));

    return Nakd_NtGetThreadContext(hThread,pContext);

  }

  return STATUS_SUCCESS;

}





NTSTATUS MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)

{

  if (_stricmp((const char*)PsGetProcessImageFileName(PsGetCurrentProcess()),DNF_EXE))

  {

    return Nakd_NtSetThreadContext(hThread,pContext);

  }



  return STATUS_SUCCESS;

}



//////////////////////////////////////////////////////////////////////

//  名称:  My_Recovery_HardwareBreakpoint

//  功能:  通过对set与get进行SSDT HOOK来恢复硬件断点

//  参数:  

//  返回:  

//////////////////////////////////////////////////////////////////////

NTSTATUS My_Recovery_HardwareBreakpoint()

{

  KIRQL Irql;

  uNtGetContextThreadAddress=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0xD5*4;

  uNtSetContextThreadAddress=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x55*4;



  TenNtGetContextThread=uNtGetContextThreadAddress;

  TenNtSetContextThread=uNtSetContextThreadAddress;



  KdPrint(("Set地址:%0X\n",TenNtSetContextThread));

  KdPrint(("Get地址:%0X\n",TenNtGetContextThread));



    WPOFF();

    Irql=KeRaiseIrqlToDpcLevel();

    *(ULONG*)uNtGetContextThreadAddress=(ULONG)MyNtGetThreadContext;

    *(ULONG*)uNtSetContextThreadAddress=(ULONG)MyNtSetThreadContext;

    KeLowerIrql(Irql);

    WPON();



return STATUS_SUCCESS;

加载完自己写的驱动以后，在打开OD附加任务的程序都蓝屏

...全文

474 3 打赏收藏转发到动态举报

写回复

用AI写文章

3 条回复

切换为时间正序

请发表友善的回复…

发表回复

内存溢出 2011-02-24

打赏
举报

jmp dword ptr [TenNtGetContextThread] 地址没跳对



TenNtGetContextThread=*(ULONG*)uNtGetContextThreadAddress;

TenNtSetContextThread=*(ULONG*)uNtSetContextThreadAddress;  这样才对

内存溢出 2011-02-24