
hook NtTerminateProcess

Posted on 2009-08-23 17:03 S.l.e!ep.¢% 阅读(939) 评论(0)  编辑 收藏 引用 所属分类: Windows WDM

#include <ntddk.h>

/* Address of NtTerminateProcess in the targeted kernel image.
 * This is a raw, build-specific constant - the listing never resolves it at
 * run time - so it is only valid for the exact ntoskrnl build it was taken
 * from. On any other build StartHook() would overwrite five bytes of
 * unrelated kernel memory. */
ULONG g_NtTerminateProcess = 0x8058F695;

/* Backup of the five bytes at g_NtTerminateProcess that StartHook() replaces;
 * StopHook() writes them back. Only meaningful once StartHook() has run. */
UCHAR g_OrigCode[5] = { 0x00, 0x00, 0x00, 0x00, 0x00 };

/* The 5-byte near JMP (opcode E9 followed by a rel32 displacement) that is
 * written over the NtTerminateProcess prologue. Only the opcode is fixed here;
 * StartHook() fills in the displacement to HOOK_NtTerminateProcess. */
UCHAR g_JmpHookCode[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };

/* Re-enable kernel write protection after a WpOff() / patch sequence.
 *
 * Sets CR0.WP (bit 16) so that supervisor-mode writes to read-only pages
 * fault again, then re-enables interrupts with STI. CR0 is a per-processor
 * register, so this must run on the same CPU as the matching WpOff(); the
 * CLI issued there is what keeps the thread from migrating in between.
 * Note the STI is unconditional: the pair assumes interrupts were enabled
 * when WpOff() was entered. Clobbers EAX and the flags.
 */
VOID WpOn()
{
 __asm
 {
  mov eax, cr0
  bts eax, 16          ; set CR0.WP (equivalent to or eax, 10000h)
  mov cr0, eax
  sti
 }
}

/* Disable kernel write protection so the code page holding
 * NtTerminateProcess can be patched in place.
 *
 * CLI first, so the thread can neither be preempted nor migrated to another
 * CPU while CR0.WP is clear (CR0 is per-processor), then clears CR0.WP
 * (bit 16). Every WpOff() must be followed by WpOn() on the same CPU, with
 * nothing that could block in between. Clobbers EAX and the flags.
 */
VOID WpOff()
{
 __asm
 {
  cli
  mov eax, cr0
  btr eax, 16          ; clear CR0.WP (equivalent to and eax, not 10000h)
  mov cr0, eax
 }
}

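/* Policy callback invoked by HOOK_NtTerminateProcess before the real
 * NtTerminateProcess runs.
 *
 * ProcessHandle / ExitStatus are copies of the caller's arguments.
 * Returning 1 makes the hook stub overwrite the caller's ProcessHandle
 * argument with NULL before resuming the original function; any other
 * value lets the call through untouched.
 *
 * As posted this is a placeholder: it returns 1 for every call without
 * looking at either argument, so every NtTerminateProcess issued anywhere
 * on the system is redirected - presumably including a process's own exit
 * path, not just attempts to kill some protected process. Any real use
 * needs a filter here (e.g. redirect only when the handle refers to the
 * process being protected); without one the hook changes the behaviour of
 * every process on the machine.
 */
int NTAPI MyNtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
{
 UNREFERENCED_PARAMETER(ProcessHandle);
 UNREFERENCED_PARAMETER(ExitStatus);

 /* Unconditional "redirect" - see the note above. */
 return 1;
}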

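/* Detour stub that the JMP written by StartHook() lands on.
 *
 * The first three instructions (mov edi,edi / push ebp / mov ebp,esp) are
 * exactly the five bytes of the NtTerminateProcess prologue that StartHook()
 * overwrote, so once they have run the stack frame looks as if the original
 * prologue had executed. The stub then calls MyNtTerminateProcess with copies
 * of the two arguments (stdcall: the callee pops them) and, if it returns 1,
 * stores NULL into the caller's ProcessHandle slot at [ebp+8] - the very slot
 * the original function reads once it resumes. Finally it jumps to
 * g_NtTerminateProcess + 5, the first instruction after the patched prologue.
 *
 * Assumptions this stub relies on:
 *  - The real NtTerminateProcess starts with 8B FF 55 8B EC. The replicated
 *    prologue and the +5 resume offset are wrong for anything else, so the
 *    bytes should be verified before the patch is applied.
 *  - The C call clobbers EAX/ECX/EDX and the flags. That is harmless here
 *    because NtTerminateProcess is stdcall and takes its arguments from the
 *    stack, but it would not be for a function with register-passed state.
 *  - A NULL ProcessHandle presumably makes NtTerminateProcess act on the
 *    calling process, so a "redirected" caller terminates itself instead of
 *    its target - that appears to be the intended anti-kill effect.
 */
__declspec(naked) NTSTATUS NTAPI HOOK_NtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
{
 __asm
 {
  ; --- replay of the overwritten NtTerminateProcess prologue (5 bytes) ---
  mov edi, edi
  push ebp
  mov ebp, esp

  ; --- ask the policy callback (stdcall: callee removes the 8 arg bytes) ---
  push dword ptr [ebp+0xc]     ; ExitStatus
  push dword ptr [ebp+0x8]     ; ProcessHandle
  call MyNtTerminateProcess
  cmp eax, 1
  jne resume                   ; anything other than 1: leave the arguments alone

  ; --- redirect: replace the caller's ProcessHandle argument with NULL ---
  mov dword ptr [ebp+0x8], 0

resume:
  ; --- continue in the original function just past the patched prologue ---
  mov eax, g_NtTerminateProcess
  add eax, 5
  jmp eax
 }
}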

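/* The first five bytes HOOK_NtTerminateProcess expects at g_NtTerminateProcess:
 *   8B FF   mov edi,edi
 *   55      push ebp
 *   8B EC   mov ebp,esp
 * The stub replays exactly this sequence and resumes at +5, so patching a
 * function that starts with anything else would corrupt it. */
static const UCHAR g_ExpectedPrologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* TRUE once StartHook() has actually written the JMP. StopHook() consults it
 * so that it never "restores" g_OrigCode over memory that was never patched. */
static BOOLEAN g_HookInstalled = FALSE;

/* Install the inline hook: write a 5-byte near JMP to HOOK_NtTerminateProcess
 * over the prologue of NtTerminateProcess.
 *
 * Returns TRUE when the patch is in place (or already was), FALSE when the
 * bytes at g_NtTerminateProcess are not readable or do not match the prologue
 * the hook stub assumes. That byte check is the only defence available here
 * against the hard-coded address being wrong for the running kernel build.
 *
 * Critical-section ordering: IRQL is raised to DISPATCH_LEVEL first, then
 * write protection is dropped, the five bytes are written, write protection
 * is restored, and only then is IRQL lowered. This keeps the CR0.WP=0 window
 * as short as possible and never calls KeLowerIrql() with interrupts disabled
 * (WpOff() executes CLI, WpOn() executes STI).
 *
 * Caveats the listing does not address: the 5-byte store is not atomic, so a
 * thread on another CPU that is executing the prologue at that instant can see
 * a torn instruction stream; and the address itself is build-specific and
 * should be resolved at run time for any real deployment.
 */
BOOLEAN StartHook()
{
 KIRQL OldIrql;
 PUCHAR Target = (PUCHAR)g_NtTerminateProcess;

 if (g_HookInstalled)
  return TRUE;

 /* Never touch an address we cannot even read. */
 if (!MmIsAddressValid(Target) || !MmIsAddressValid(Target + sizeof(g_ExpectedPrologue) - 1))
  return FALSE;

 /* Refuse to patch unless the prologue is the one the stub replays. */
 if (RtlCompareMemory(Target, g_ExpectedPrologue, sizeof(g_ExpectedPrologue)) != sizeof(g_ExpectedPrologue))
  return FALSE;

 RtlCopyMemory(g_OrigCode, Target, sizeof(g_OrigCode));

 /* rel32 of a near JMP is measured from the end of the 5-byte instruction. */
 *(PULONG)(g_JmpHookCode + 1) = (ULONG)HOOK_NtTerminateProcess - (ULONG)Target - 5;

 OldIrql = KeRaiseIrqlToDpcLevel();
 WpOff();
 RtlCopyMemory(Target, g_JmpHookCode, sizeof(g_JmpHookCode));
 WpOn();
 KeLowerIrql(OldIrql);

 g_HookInstalled = TRUE;
 return TRUE;
}

/* Remove the inline hook by writing the saved prologue bytes back.
 *
 * Does nothing if StartHook() never succeeded, so the (still zero) backup is
 * never written into kernel code. Same IRQL / write-protection ordering as
 * StartHook(). Note that a thread currently executing inside
 * HOOK_NtTerminateProcess is not waited for; the listing offers no way to do
 * so, which is a known hazard of unloading an inline-hook driver.
 */
VOID StopHook()
{
 KIRQL OldIrql;

 if (!g_HookInstalled)
  return;

 OldIrql = KeRaiseIrqlToDpcLevel();
 WpOff();
 RtlCopyMemory((PUCHAR)g_NtTerminateProcess, g_OrigCode, sizeof(g_OrigCode));
 WpOn();
 KeLowerIrql(OldIrql);

 g_HookInstalled = FALSE;
}

/* Driver unload routine: restores the original NtTerminateProcess bytes. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
 UNREFERENCED_PARAMETER(DriverObject);
 StopHook();
}

/* Driver entry point: registers the unload routine and installs the hook.
 *
 * Fails the load with STATUS_UNSUCCESSFUL when StartHook() declines to patch
 * (address unreadable or prologue mismatch) rather than leaving a driver
 * resident that silently did nothing - or, worse, patched the wrong bytes.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
 UNREFERENCED_PARAMETER(RegistryPath);

 DriverObject->DriverUnload = DriverUnload;

 if (!StartHook())
  return STATUS_UNSUCCESSFUL;

 return STATUS_SUCCESS;
}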

