hook zwcreateprocessex

Just4life發表於2013-04-25

extern "C"
{
#include <ntddk.h>
}
 
//#define dprintf if (DBG) DbgPrint
#define dprintf DbgPrint
 
#define DWORD unsigned long
#define WORD unsigned short
#define BOOL unsigned long
#define BYTE unsigned char
 
extern "C"
{
//宣告核心函式
NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
        PEPROCESS Process
        );
 
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
       IN PVOID        ProcessId,
       OUT PEPROCESS   *Process
       );
 

NTKERNELAPI
HANDLE
PsGetProcessId(
      PEPROCESS Process
      );
 
NTKERNELAPI NTSTATUS ZwCreateProcessEx(
            PHANDLE ProcessHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes,
            HANDLE ParentProcess,
            ULONG Flags,
            HANDLE SectionHandle,
            HANDLE DebugPort,
            HANDLE ExceptionPort,
            ULONG JobMemberLevel
            );
 
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//SSDT表結構宣告
typedef struct ServiceDescriptorEntry {
 unsigned int *ServiceTableBase;
 unsigned int *ServiceCounterTableBase;
 unsigned int NumberOfServices;
 unsigned char *ParamTableBase;
} SSDT_Entry, *ServiceDescriptorTableEntry_t;
__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;
}
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//一些巨集定義和MDL表
#define HOOK_SYSCALL(_ServiceId, _Hook, _Orig )       /
 _Orig = (PVOID) InterlockedExchange( (PLONG) /
 &MappedSystemCallTable[_ServiceId], (LONG) _Hook)
#define UNHOOK_SYSCALL(_ServiceId, _Hook, _Orig ) /
 InterlockedExchange((PLONG)           /
 &MappedSystemCallTable[_ServiceId], (LONG) _Hook)
#define SYSTEMSERVICE(_ServiceId) KeServiceDescriptorTable.ServiceTableBase[ _ServiceId ]
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//宣告函式
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//設定ZwCreateProcessEx的索引,可用冰刃檢視,也可利用函式自行查詢
ULONG ServiceId_ZwCreateProcessEx=0x30;
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//定義一些相關變數
CHAR CreatingProcessImagePath[256]={0};//程式路徑
HANDLE CreatorProcessId=NULL;//父程式Pid
BOOLEAN CreateAllowed=TRUE;//標誌,是否允許執行
BOOLEAN CreateIsProgressing=FALSE;//標誌,防止以後網路延遲造成的混亂,是否正在處理資訊
KEVENT event ; 
char *output;
////////////////////////////////////////////////////////////////////////////////////////////////////
 
//定義一個ZwCreateProcessEx的結構體指標
typedef
NTSTATUS
(*pfnZwCreateProcessEx) (
       PHANDLE ProcessHandle,
       ACCESS_MASK DesiredAccess,
       POBJECT_ATTRIBUTES ObjectAttributes,
       HANDLE ParentProcess,
       ULONG Flags,
       HANDLE SectionHandle,
       HANDLE DebugPort,
       HANDLE ExceptionPort,
       ULONG JobMemberLevel
       );
//宣告Old_ZwCreateProcessEx為pfnZwCreateProcessEx的結構(用來儲存原函式地址)
pfnZwCreateProcessEx Old_ZwCreateProcessEx=NULL;
PVOID      Old_ZwCreateProcessExAddr=NULL;
////////////////////////////////////////////////////////////////////////////////////////////////////
 
// 返回類似於C:/WINDOWS/Explorer.exe (ANSI)
NTSTATUS GetProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName) 
{ 
 PVOID SectionObject;
 PFILE_OBJECT FileObject;
 UNICODE_STRING FilePath; 
 UNICODE_STRING DosName; 
 NTSTATUS Status;
 STRING AnsiString;
 
 SectionObject = NULL; 
 FileObject = NULL; 
 FilePath.Buffer = NULL; 
 FilePath.Length = 0; 
 *ProcessImageName = 0; 
 Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
 if ( NT_SUCCESS(Status) ) 
 { 
  FilePath.Buffer = (PWSTR)ExAllocatePool(PagedPool,0x200);
  FilePath.MaximumLength = 0x200; 
  FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
  FileObject = *(PFILE_OBJECT *)FileObject; // CONTROL_AREA
  FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36); // FILE_OBJECT
  ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode); 
  RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); 
  RtlCopyUnicodeString(&FilePath, &DosName); 
  RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); 
  KdPrint(("Current Process Full Path Name 000: %ws/n",  FileObject->FileName.Buffer));
  ObDereferenceObject(FileObject); 
  ObDereferenceObject(SectionObject); 
  RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); 
  if ( AnsiString.Length >= 256 ) 
  { 
   memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); 
   *(ProcessImageName + 255) = 0; 
  } 
  else 
  { 
   memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); 
   ProcessImageName[AnsiString.Length] = 0; 
  } 
  RtlFreeAnsiString(&AnsiString); 
  ExFreePool(DosName.Buffer); 
  ExFreePool(FilePath.Buffer); 
  Status = STATUS_SUCCESS; 
 }
 
 return Status; 
}
 
NTSTATUS ModifyProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName) 
{ 
 PVOID SectionObject;
 PFILE_OBJECT FileObject;
 UNICODE_STRING FilePath; 
 UNICODE_STRING DosName; 
 NTSTATUS Status;
 UNICODE_STRING newName; 
 STRING AnsiString;
 
 SectionObject = NULL; 
 FileObject = NULL; 
 FilePath.Buffer = NULL; 
 FilePath.Length = 0; 
 *ProcessImageName = 0; 
 Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
 if ( NT_SUCCESS(Status) ) 
 { 
  //FilePath.Buffer = (PWSTR)ExAllocatePool(PagedPool,0x200);
  //FilePath.MaximumLength = 0x200; 
  FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
  FileObject = *(PFILE_OBJECT *)FileObject; // CONTROL_AREA
  FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36); // FILE_OBJECT
  ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode); 
  RtlInitUnicodeString(&newName,L"zhang.txt");
  //RtlCopyUnicodeString(&FileObject->FileName, &newName); 
  ObDereferenceObject(FileObject); 
  ObDereferenceObject(SectionObject); 
  /*RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); 
  RtlCopyUnicodeString(&FilePath, &DosName); 
  RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); 
  KdPrint(("Current Process Full Path Name 000: %ws/n",  FileObject->FileName.Buffer));
  
  RtlCopyUnicodeString(&FileObject->FileName, &newName); 
  
  RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); */
  /*if ( AnsiString.Length >= 256 ) 
  { 
   memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); 
   *(ProcessImageName + 255) = 0; 
  } 
  else 
  { 
   memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); 
   ProcessImageName[AnsiString.Length] = 0; 
  } */
  /*RtlFreeAnsiString(&AnsiString); 
  ExFreePool(DosName.Buffer); 
  ExFreePool(FilePath.Buffer); */
  RtlFreeUnicodeString(&newName);
  Status = STATUS_SUCCESS; 
 }
 
 return Status; 
} 
///////////////////////////////////////////////////////////////////////////////////////////////////
 
//定義我們的新函式及其功能,禁止程式執行和允許的，其中一個註釋掉了
NTSTATUS New_ZwCreateProcessEx (
        PHANDLE ProcessHandle,
        ACCESS_MASK DesiredAccess,
        POBJECT_ATTRIBUTES ObjectAttributes,
        HANDLE ParentProcess,
        ULONG Flags,
        HANDLE SectionHandle,
        HANDLE DebugPort,
        HANDLE ExceptionPort,
        ULONG JobMemberLevel
        )
{
 if (CreateIsProgressing) return STATUS_ACCESS_DENIED;
 CreateIsProgressing=TRUE;
 GetProcessImageName(SectionHandle,CreatingProcessImagePath);
 CreatorProcessId=PsGetProcessId(PsGetCurrentProcess());
 dprintf("呼叫了ZwCreateProcessEx函式. /n程式路徑 = %s /n父程式 = %s /n",CreatingProcessImagePath,PsGetProcessImageFileName(PsGetCurrentProcess()));
 dprintf("父程式Pid = %ld/n",CreatorProcessId);
 CreateIsProgressing=FALSE;
 // return STATUS_ACCESS_DENIED;//返回失敗，也就是禁止執行
 NTSTATUS hr= Old_ZwCreateProcessEx(ProcessHandle,DesiredAccess,ObjectAttributes,ParentProcess,Flags,SectionHandle,DebugPort,ExceptionPort,JobMemberLevel);
 
 PEPROCESS        EProcess,PProcess;
 
 NTSTATUS        status;
 HANDLE            TId;
 
 
 

 /*status = PsLookupProcessByProcessId((PVOID)ProcessHandle, &EProcess);
 char * pEpb=(char*)EProcess;
 if (NT_SUCCESS( status ))
 {
  DbgPrint( "jincheng:%18s/n",(char *)(pEpb+0x174));
  char ch[16]={"zhang.exe"};
  memcpy((char*)(pEpb+0x174), ch, 0x10); 
 }*/
 //ModifyProcessImageName(SectionHandle,CreatingProcessImagePath);
 
 return hr;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////
 
//開始HOOK函式
BOOLEAN EnableDriver()
{
 HOOK_SYSCALL(ServiceId_ZwCreateProcessEx,New_ZwCreateProcessEx,Old_ZwCreateProcessExAddr);
 Old_ZwCreateProcessEx=(pfnZwCreateProcessEx)Old_ZwCreateProcessExAddr;
 dprintf("已經開始HOOK./n");
 return TRUE;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////
 
//解除HOOK函式
BOOLEAN DisableDriver()
{
 UNHOOK_SYSCALL(ServiceId_ZwCreateProcessEx,Old_ZwCreateProcessExAddr,New_ZwCreateProcessEx);
 dprintf("已經解除HOOK./n");
 return TRUE;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////
 
//驅動入口點
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
 dprintf("註冊到登錄檔: %S/n",pRegistryString->Buffer);
 
 
 
 
 

 //開始修改MDL表
 g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
 if(!g_pmdlSystemCall)
  return STATUS_UNSUCCESSFUL;
 MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
 g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;//可寫
 MappedSystemCallTable =(PVOID*) MmMapLockedPages(g_pmdlSystemCall, KernelMode);
 //宣告解除安裝函式
 pDriverObj->DriverUnload = DriverUnload;
 //開始HOOK
 EnableDriver();
 return STATUS_SUCCESS;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////
//驅動解除安裝時所呼叫的函式
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{ 
 DisableDriver();
 dprintf("驅動已經解除安裝./n");
}
/////////////////////////////////////////////////////////////////////////////////////////////////////

Hook技術之Hook Activity
2019-02-17
Hook
hook!
2018-11-12
Hook
hook初識之inline hook
2024-04-19
Hookinline
IAT Hook
2019-06-04
Hook
exit hook
2022-01-05
Hook
react hook
2018-11-19
ReactHook
Hook原理
2018-06-21
Hook
Javascript Hook
2024-06-24
JavaScriptHook
Hook踩坑記：React Hook react-unity-webgl
2020-06-09
HookReactUnityWeb
HOOK API入門之Hook自己程式的MessageBoxW
2016-03-28
HookAPI
以pytorch的forward hook為例探究hook機制
2024-10-09
PyTorchForwardHook
使用Hook寫Redux
2019-07-29
HookRedux
An example about git hook
2022-09-06
GitHook
gitlab web hook
2015-04-07
GitlabWebHook
關於Hook CreateMutex
2014-08-16
HookMutex
Hook簡介 (轉)
2008-07-07
Hook
Android外掛化原理解析——Hook機制之Binder Hook
2021-09-09
AndroidHook
React Hook測試指南
2020-07-22
ReactHook
域滲透——Hook PasswordChangeNotify
2020-08-19
Hook
新特性 Hook 簡述
2019-08-06
Hook
React Hook快速入門
2019-06-10
ReactHook
php->所謂"hook"
2021-09-09
PHPHook
為ExecutorService增加shutdown hook
2018-11-19
Hook
React Hook 入門使用
2020-12-27
ReactHook
羽夏逆向指引—— Hook
2022-03-28
Hook
鉤子（hook）是啥
2017-12-13
Hook
Hook Directx + CEGUI VC++
2014-08-23
HookGUIC++
Linux Hook 筆記
2016-02-21
LinuxHook筆記
React學習之Hook
2024-03-07
ReactHook
JS HOOK 程式碼段
2024-11-04
JSHook
Android 外掛化原理解析（3）：Hook 機制之 Binder Hook
2016-05-16
AndroidHook
iOS逆向程式碼注入+Hook
2019-12-04
iOSHook
[譯] X 為啥不是 hook？
2019-02-20
Hook
翻譯|How to Use the useReducer Hook
2019-04-28
useReducerHook
React Hook原始碼解析（二）
2021-09-09
ReactHook原始碼
PostgreSQL外掛hook機制
2018-10-31
SQLHook
Windows核心程式設計_Hook
2018-06-22
Windows程式設計Hook
Ajax-hook原理解析
2017-03-16
Hook

hook zwcreateprocessex

相關文章