invoke ModifyFuncAboutDbg, Dep_1, 9078498bh, 0c9859090h ;invoke ModifyFuncAboutDbg, Dmpp_2, 8bc0950fh, 8b90c032h
mov eax, pDriverObject
assume eax : ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload assume eax : nothing
mov eax, cr0
or eax, 10000h mov cr0, eax sti
mov eax, STATUS_SUCCESS ret
DriverEntry endp end DriverEntry
绕过NtOpenProcess,NtOpenThread,KiAttachProcess
以及最重要的,不能让它检测到有硬件断点,所以要对CONTEXT做一些伪装,把真实的DR0~DR7的数据存放到别的地方,OD访问的时候返回正确的数据,如果是DNF要获取上下文,就稍微做下手脚 代码: .386
; NOTE(review): this listing is a whitespace-mangled paste.  Several statements
; share one physical line, the string arguments of the masm32 $CTA0( macro are
; truncated, and some code has been swallowed by a trailing `;` comment (e.g. the
; `.data` directive at the end of the NtGetContextThread line).  The text does
; not assemble as printed; the original tokens are left untouched below.
.model flat, stdcall option casemap:none
include dnf_hook.inc
.const
; Every value below is a hard-coded virtual address inside one particular 32-bit
; ntoskrnl build: the byte a detour is written over (*HookAddr), the instruction
; the detour resumes at (*RetAddr / *NoChange), and routines the detours call by
; address.  Nothing here resolves them at run time, so on any other kernel build
; the stores done by Hook / HookThread / Dbg land on arbitrary kernel code bytes.
; Writing into kernel .text this way is exactly what code-integrity checks and
; memory-forensics tools (comparing in-memory .text against the on-disk image)
; are built to flag.
; Consistency: DriverUnload (cut off at the end of this excerpt) restores the
; displaced bytes at 805cc656h and 805cc8d8h, 30h past the two hook sites named
; here, so one of the two address sets belongs to a different build — the
; restore writes would then corrupt unrelated code.
NtOpenProcessHookAddr equ 805cc626h NtOpenProcessRetAddr equ 805cc631h NtOpenProcessNoChange equ 805cc62ch
NtOpenThreadHookAddr equ 805cc8a8h NtOpenThreadRetAddr equ 805cc8b3h NtOpenThreadNoChange equ 805cc8aeh
KiAttachProcessAddr equ 804f9a08h KiAttachProcessRetAddr equ 804f9a0fh
ObOpenObjectByPointerAddr equ 805bcc78h
; The commented-out alternates (;805c76a3h / ;805d2555h) look like leftovers
; from another build; neither NtGetContextThread value is used in the visible code.
NtGetContextThreadAddr equ 805d2551h;805c76a3h NtGetContextThreadRetAddr equ 805c76a7h;805d2555h .data
; nameOffset    : offset, relative to an EPROCESS pointer, of the string that
;                 GetProcessName prints and compares (the image file name, going
;                 by the proc's name).  Presumably filled from GetNameOffset's
;                 result in DriverEntry, which is outside this excerpt — confirm.
; threadCxtLink, tmpLink : declared here but not referenced in the visible code.
nameOffset dd ? threadCxtLink dd 0 tmpLink dd ?
.code
;-----------------------------------------------------------------------
; GetProcessName
; Compares the name string of the current process with a fixed literal.
; In:    nameOffset (global) = offset of the name string inside EPROCESS
; Out:   eax = strncmp result, i.e. 0 when the names match (callers test
;        `.if !eax`).  The literal and the remaining strncmp arguments are
;        truncated in this paste ($CTA0(\ ...), so the compared name and the
;        compared length are not visible here.
; Clobb: eax, ecx, edx, ebx, flags.  ebx is saved/restored only around the
;        DbgPrint calls, not around the whole proc, so the caller's ebx is lost
;        — relevant for the detour bodies below, which jump back into kernel
;        code after calling this.
; Note:  the DbgPrint calls log the process name on every hooked NtOpenProcess /
;        NtOpenThread call, i.e. on the kernel's own call path.
;-----------------------------------------------------------------------
GetProcessName proc
invoke PsGetCurrentProcess mov ebx, eax
add ebx, nameOffset                       ; ebx = EPROCESS + nameOffset (name string)
invoke DbgPrint, $CTA0(\ push ebx
invoke DbgPrint, ebx pop ebx
invoke strncmp, $CTA0(\ push eax
invoke DbgPrint, $CTA0(\ pop eax ret      ; push/pop keep the strncmp result across DbgPrint
GetProcessName endp
;-----------------------------------------------------------------------
; HookCode — detour body that Hook installs at NtOpenProcessHookAddr.
; Entered by the 5-byte jmp while NtOpenProcess's frame is still live, which is
; why the two pushes use ebp-relative slots of the hooked function: they replay
; the two argument pushes the jmp displaced.  The offsets (-38h/-24h) are as
; build-specific as the addresses.
; Both branches end with ObOpenObjectByPointer being called with those
; arguments:
;   eax == 0 (name matched)  -> resume at NtOpenProcessNoChange, i.e. the
;                               original call instruction, untouched;
;   otherwise                -> call ObOpenObjectByPointerAddr directly and
;                               resume after the original call (RetAddr).
; Register state on return to kernel code: eax and ebx (plus whatever
; GetProcessName clobbers, notably ebx) are not restored — pushad/popad bracket
; only the DbgPrint calls.  Whether the kernel needs those registers at the
; resume points cannot be told from this excerpt.
; Mangled paste: `invoke GetProcessName`, `pushad`, `popad`, `jmp eax` and
; `call eax` are printed inside `;` comments on their lines.
;-----------------------------------------------------------------------
HookCode proc
;execute the displaced instructions
push dword ptr [ebp-38h] push dword ptr [ebp-24h] ;check whether this is the dnf process  invoke GetProcessName
.if !eax ;if it is DNF's own process, jump back and run its hook code  pushad
invoke DbgPrint, $CTA0(\ popad
mov eax, NtOpenProcessNoChange;805c13e6h jmp eax
.else ;if it is not DNF's own process, call ObOpenObjectByPointer directly and return to the code after it
pushad
invoke DbgPrint, $CTA0(\ popad
mov eax, ObOpenObjectByPointerAddr;805b13f0h call eax
mov ebx, NtOpenProcessRetAddr;805c13ebh
jmp ebx .endif
HookCode endp
;-----------------------------------------------------------------------
; GetNameOffset(epe)
; Brute-force scan: starting at the EPROCESS pointer `epe`, tries every byte
; offset 0..4095 and strncmp()s the bytes there against a literal (its
; arguments are truncated in this paste — presumably the literal, ebx and the
; strlen result; confirm).
; Out:   eax = first matching offset, or -1 if none within 4096 bytes.
; Roles: ebx = candidate address, ecx = current offset, the pushed eax = strlen
;        result kept across strncmp.  pushad/popad bracket the body; tmpOffset
;        carries the result past popad, which would otherwise restore eax.
; Mangled paste: the whole `proc` header sits inside the leading comment, the
; second branch reads `.elseif` with no condition, and the `@@:` exit label is
; placed inside the .if/.endif — as printed this does not assemble; the shape
; is an else-branch that steps to the next byte until ecx reaches 4096.
; Risk:  the first 4096 bytes of EPROCESS are searched for any occurrence of
;        the literal, so a coincidental match in an unrelated field yields a
;        wrong offset that every later GetProcessName compare then reads from.
;-----------------------------------------------------------------------
;get the system name offset  GetNameOffset proc epe local tmpOffset pushad
mov ebx, epe
invoke strlen, $CTA0(\ xor ecx, ecx @@:
push eax push ecx
invoke strncmp, $CTA0(\ pop ecx .if !eax pop eax
mov tmpOffset, ecx popad
mov eax, tmpOffset ret .elseif
pop eax inc ebx inc ecx
cmp ecx, 4096 je @F jmp @B .endif @@: popad
mov eax, -1 ret                           ; not found within the 4096-byte window
GetNameOffset endp
;-----------------------------------------------------------------------
; Hook — writes a 5-byte near jmp (opcode E9h + rel32) over the first bytes of
; NtOpenProcess at NtOpenProcessHookAddr, targeting HookCode.
;   rel32 = offset HookCode - NtOpenProcessHookAddr - 5
; (relative to the end of the jmp instruction; the `sub eax, 5` is printed
; inside a comment on its line, as is `mov cl, 0E9h`).
; Assumed but not checked here: CR0.WP already cleared by the caller (the
; `or eax, 10000h` / `sti` at the top of the page re-enables WP and interrupts
; after the hooks are installed; the matching clear precedes this excerpt), and
; no other CPU executing the site — the opcode byte and the displacement are two
; separate stores, so a concurrent NtOpenProcess caller can hit a half-written
; instruction.  pushad/popad preserve the caller's registers.
; The `;805c13e0h;805c13edh` trailing comments are stale values from other
; builds.
;-----------------------------------------------------------------------
Hook proc pushad
;5-byte jump at the head
mov eax, offset HookCode
sub eax, NtOpenProcessHookAddr;805c13e0h;805c13edh sub eax, 5
mov ebx, NtOpenProcessHookAddr;805c13e0h;805c13edh mov cl, 0E9h
mov BYTE PTR [ebx], cl                    ; opcode byte of jmp rel32
mov DWORD PTR [ebx + 1], eax popad ret    ; rel32 displacement
Hook endp
;-----------------------------------------------------------------------
; HookThreadCode — detour body that HookThread installs at NtOpenThreadHookAddr.
; Same layout and same caveats as HookCode: the two pushes replay the displaced
; argument pushes using NtOpenThread's frame slots (-34h/-20h here), a matching
; name resumes at the original call (NtOpenThreadNoChange), anything else calls
; ObOpenObjectByPointerAddr directly and resumes at NtOpenThreadRetAddr.
; eax/ebx (and GetProcessName's ebx clobber) are not restored before jumping
; back into kernel code; pushad/popad bracket only the DbgPrint calls.
; Mangled paste: several instructions on these lines are printed inside `;`
; comments (`invoke GetProcessName`, `pushad`, `popad`, `jmp eax`, `call eax`,
; `jmp ebx .endif`).
;-----------------------------------------------------------------------
HookThreadCode proc ;execute the displaced instructions
push dword ptr [ebp-34h] push dword ptr [ebp-20h] ;check whether this is the dnf process  invoke GetProcessName
.if !eax ;if it is DNF's own process, jump back and run its hook code  pushad
invoke DbgPrint, $CTA0(\ popad
mov eax, NtOpenThreadNoChange;805c13e6h jmp eax
.else ;if it is not DNF's own process, call ObOpenObjectByPointer directly and return to the code after it
pushad
invoke DbgPrint, $CTA0(\ popad
mov eax, ObOpenObjectByPointerAddr;805b13f0h call eax
mov ebx, NtOpenThreadRetAddr;805c13ebh jmp ebx .endif
HookThreadCode endp
;-----------------------------------------------------------------------
; HookThread — same as Hook, for NtOpenThread: writes E9h + rel32 at
; NtOpenThreadHookAddr with rel32 = offset HookThreadCode - HookAddr - 5.
; Same unchecked assumptions as Hook (CR0.WP cleared by the caller, no other
; CPU executing the site during the two non-atomic stores).
; pushad/popad preserve the caller's registers; the trailing `;805c13e0h;...`
; comments are stale values from other builds, and `sub eax, 5` /
; `mov cl, 0E9h` are printed inside them in this paste.
;-----------------------------------------------------------------------
HookThread proc pushad
;5-byte jump at the head
mov eax, offset HookThreadCode
sub eax, NtOpenThreadHookAddr;805c13e0h;805c13edh sub eax, 5
mov ebx, NtOpenThreadHookAddr;805c13e0h;805c13edh mov cl, 0E9h
mov BYTE PTR [ebx], cl                    ; opcode byte of jmp rel32
mov DWORD PTR [ebx + 1], eax popad ret    ; rel32 displacement
HookThread endp
;-----------------------------------------------------------------------
; HookDbg — detour body that Dbg installs at KiAttachProcessAddr.
; Re-executes the 7-byte hot-patchable prologue the detour displaced
; (mov edi,edi / push ebp / mov ebp,esp / push ebx / push esi — consistent with
; KiAttachProcessRetAddr being KiAttachProcessAddr + 7) and jumps straight
; back.  As printed the detour therefore changes nothing in KiAttachProcess;
; it only occupies the prologue bytes.  NOTE(review): presumably intended to
; pre-empt something else hooking the same site — nothing in this excerpt says
; so; confirm the intent.
; The 5-byte jmp covers only the first 5 of those 7 bytes; the original
; push ebx / push esi stay in place and are skipped by resuming at +7.
; esi is overwritten immediately after the prologue saved it; whether
; KiAttachProcess reads esi before reassigning it is not visible here.
;-----------------------------------------------------------------------
HookDbg proc mov edi, edi push ebp mov ebp, esp push ebx push esi
mov esi, KiAttachProcessRetAddr jmp esi HookDbg endp
;-----------------------------------------------------------------------
; Dbg — same as Hook, for KiAttachProcess: writes E9h + rel32 at
; KiAttachProcessAddr with rel32 = offset HookDbg - KiAttachProcessAddr - 5.
; Same unchecked assumptions as Hook (CR0.WP cleared by the caller, no other
; CPU executing the site during the two non-atomic stores).
; pushad/popad preserve the caller's registers.  The trailing `;805c13e0h;...`
; comments are stale values from other builds; in this paste `sub eax, 5`,
; `mov cl, 0E9h` and the closing `popad ret Dbg endp` share lines with them.
;-----------------------------------------------------------------------
Dbg proc pushad
;5-byte jump at the head
mov eax, offset HookDbg
sub eax, KiAttachProcessAddr;805c13e0h;805c13edh sub eax, 5
mov ebx, KiAttachProcessAddr;805c13e0h;805c13edh mov cl, 0E9h
mov BYTE PTR [ebx], cl                    ; opcode byte of jmp rel32
mov DWORD PTR [ebx + 1], eax popad ret Dbg endp
;还原自己的Hook
DriverUnload proc pDriverObject:PDRIVER_OBJECT cli
mov eax, cr0
and eax, not 10000h mov cr0, eax
;还原进程处理
mov eax, 0ffc875ffh mov ebx, 805cc656h
mov DWORD ptr [ebx], eax mov eax, 43e8dc75h
mov DWORD ptr [ebx + 4], eax ;还原线程处理
mov eax, 0ffcc75ffh mov ebx, 805cc8d8h
mov DWORD ptr [ebx], eax mov eax, 0c1e8e075h
mov DWORD ptr [ebx + 4], eax