hook in ring0 (2007-08-02 13:59)
分类: WIN32位汇编

 

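;-----------------------------------------------------------------------
; 32-bit MASM kernel-mode driver built against the w2k DDK headers.
; It replaces one entry of the system service table (index 07Ah, which
; the author labels NtOpenProcess) with a logging trampoline and puts the
; original entry back on unload.  The index is a build-specific constant
; and is not validated at run time; see the notes in DriverEntry.
;-----------------------------------------------------------------------
.386                                    ; restored: the leading dot was lost in the page
                                        ; rendering; ".model flat" needs a processor directive first
    .model flat, stdcall
    option casemap:none

include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
include \masm32\include\w2k\w2kundoc.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac

    .data
realaddr dd 0                           ; original table entry, saved by DriverEntry; jmp target
                                        ; of hookproc and restore value for DriverUnload
CR0Reg dd 0                             ; copy of CR0 taken before the table write, written back after
Messaga1 db "OpenProcess",0             ; DbgPrint text emitted by hookproc on every hooked call
Messaga2 db "Driver loaded", 0          ; DbgPrint text emitted once from DriverEntry

    .code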
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Purpose: install hookproc into service table slot 07Ah and register
;          DriverUnload, which restores the slot.
; In:      pDriverObject   - used only to set DriverUnload
;          pusRegistryPath - not used
; Out:     eax = STATUS_SUCCESS unconditionally; there is no failure
;          path, so a wrong table index is never reported to the loader
; Regs:    all general registers preserved by pushad/popad
; Side effects: one DbgPrint line; realaddr and CR0Reg written; the
;          service table entry is overwritten in place
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local pDeviceObject:PVOID               ; never referenced; no device object is created

    pushad
    invoke DbgPrint, addr Messaga2      ; "Driver loaded"; edi is loaded only after this call,
                                        ; so scratch-register use inside DbgPrint is harmless
      mov edi, KeServiceDescriptorTable
    mov edi, [edi]                      ; the first dword of the descriptor is treated as the
                                        ; service table base; edi = table base from here on
    mov eax, [edi+(07ah*4)] ;edi+07ah*4 - NtOpenProcess
                                        ; 07Ah is hard-coded; the index differs between Windows
                                        ; builds and nothing checks that the slot really holds the
                                        ; expected service before it is replaced
    mov realaddr, eax                   ; keep the original entry for hookproc and DriverUnload
    
    cli                                 ; masks interrupts on this processor only; other
                                        ; processors keep dispatching through the table
    mov eax, CR0
    mov CR0Reg, eax                     ; saved copy, written back below
    and eax, -1                         ; -1 is all ones, so eax is unchanged: the CR0 value
                                        ; written on the next line is identical to the saved one,
                                        ; and the store below relies on the table page already
                                        ; being writable
    mov cr0, eax
    mov [edi+(07ah*4)], dword ptr offset hookproc
                                        ; the patch itself: one aligned 32-bit store.  A table
                                        ; entry pointing outside the kernel image is exactly what
                                        ; integrity checkers look for
    mov eax, CR0Reg
    mov CR0, eax                        ; restore (same value, see above)
    sti
    
    mov eax, pDriverObject
    assume eax:PTR DRIVER_OBJECT
    mov [eax].DriverUnload, offset DriverUnload   ; make the driver unloadable; unload undoes the patch
    assume eax:nothing

    popad
    mov eax, STATUS_SUCCESS             ; set after popad so the return value survives
    ret
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Purpose: put the saved original entry back into service table slot 07Ah.
; In:      pDriverObject - not used
; Out:     nothing; all general registers preserved by pushad/popad
; Caveat:  nothing here waits for in-flight calls.  A thread that is
;          inside hookproc (between its DbgPrint and its jmp) when the
;          image is unmapped would continue in unmapped code.  The restore
;          itself is a single aligned store, so readers see either the
;          old or the new entry, never a torn value.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    pushad
    mov edi, KeServiceDescriptorTable
    mov edi, [edi]                      ; edi = service table base, same walk as DriverEntry

    cli                                 ; this processor only
    mov eax, CR0
    mov CR0Reg, eax
    and eax, -1                         ; all-ones mask: eax, and hence CR0, is written back unchanged
    mov cr0, eax
    
    mov eax, dword ptr realaddr
    mov [edi+(07ah*4)], eax             ; restore the original entry saved by DriverEntry
    
    mov eax, CR0Reg
    mov CR0, eax
    sti
    popad
    ret
DriverUnload endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; hookproc - trampoline installed in service table slot 07Ah.
; It has no parameters and no locals, so MASM should emit no frame
; prologue here (confirm in the listing); the caller's stack - the
; original service's arguments and return address - is untouched when
; control is passed on.
; Effect: logs "OpenProcess" via DbgPrint, then tail-jumps to the saved
; original entry, which returns straight to the system service caller.
; The arguments are neither inspected nor modified.
;-----------------------------------------------------------------------
hookproc proc
    invoke DbgPrint, addr Messaga1      ; invoke restores esp after the call (DbgPrint is a
                                        ; C-convention import in these headers), so esp is back
                                        ; at its entry value before the jmp
      jmp dword ptr realaddr            ; indirect through the entry saved by DriverEntry;
                                        ; hookproc itself never returns
; ret                                   ; unreachable: the jmp above does not come back
hookproc endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry                         ; marks DriverEntry as the image entry point

  • chinaunix网友 2008-02-18 15:09
    不错的asm驱动例子 硬编码NtOpenProcess.