
嗨，我想钩住 ZwCreateSection 来重定向 API。我认为关键在于名称：我只是想导入 xxxxxxx.dll [URLDownloadToFile]，并把 "xxxxxxxx.dll" 重定向到 "urlmon.dll"。如果这能工作，我再去重定向 WINSOCK、URLMON 和其他库……如果有人能让我的代码运行而不蓝屏，我会非常高兴……

如果不过滤调用、只是直接调用真正的 API，代码运行时不会蓝屏；错误出在尝试核实 OBJECT_ATTRIBUTES 是否有效（我不知道该如何验证它）然后再过滤的时候。我的代码：

#include <ntddk.h>



/*
 * Resolves the SSDT slot for a Zw* kernel stub by reading the 32-bit service
 * index embedded at byte offset 1 of the stub.  This assumes the stub begins
 * with a 5-byte `mov eax, index`; the kernel does not guarantee that layout,
 * and where it does not hold ServiceTable is indexed with garbage.  The index
 * is never bounded against SDT.ServiceLimit.  x86-only (DWORD read, 32-bit
 * table entries).
 */
#define SYSTEMSERVICE(_name)  KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]

 

#define DEBUG   /* defined but never tested (#ifdef) anywhere in this file */

typedef unsigned long DWORD, *PDWORD;   /* Win32-style aliases; ntddk.h itself uses ULONG/PULONG */

typedef unsigned char BYTE, *PBYTE;

 

void hooking(void);   /* NOTE: lowercase -- the definition below is Hooking(), so this prototype is never matched */

void Unhooking();     /* non-prototype declaration (empty parens); definition takes no arguments */

NTSTATUS DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING); // the driver's main()

void Unload_driver(IN PDRIVER_OBJECT);   /* DriverUnload callback, registered in DriverEntry */

 

#pragma pack(1)

/*
 * Local mirror of the kernel's service descriptor entry, so that
 * KeServiceDescriptorTable (imported below) can be read through it.
 * Packed so field offsets are not padded; the layout is assumed to match
 * the 32-bit kernel's and is not checked -- a mismatch misreads ServiceTable.
 */
typedef struct ServiceDescriptorEntry 

{

    PDWORD ServiceTable;      /* array of system-service entry points (the SSDT); written by Hooking()/Unhooking() */

    PDWORD CounterTableBase;  /* unused in this file */

    DWORD  ServiceLimit;      /* number of ServiceTable entries; SYSTEMSERVICE() never bounds its index by it */

    PBYTE  ArgumentTable;     /* unused in this file */

} SDT;

#pragma pack()

 

/* Imported from ntoskrnl.  32-bit kernels export this symbol; 64-bit kernels do not, and patching the table there is what PatchGuard detects. */
__declspec(dllimport) SDT KeServiceDescriptorTable;

 

/*
 * Function-pointer type matching ZwCreateSection's signature.  Used both to
 * store the saved original SSDT entry (OrigZwCreateSection) and to call it
 * from FakeZwCreateSection.
 */
typedef NTSTATUS (*ZWCREATESECTION)

(OUT PHANDLE  SectionHandle,

IN ACCESS_MASK  DesiredAccess,

IN POBJECT_ATTRIBUTES  ObjectAttributes OPTIONAL,   /* optional: may be NULL, and its ObjectName member is optional too */

IN PLARGE_INTEGER  MaximumSize OPTIONAL,

IN ULONG  SectionPageProtection,

IN ULONG  AllocationAttributes,

IN HANDLE  FileHandle OPTIONAL);

 

/* Saved original SSDT entry: filled by Hooking(), called from FakeZwCreateSection, restored by Unhooking(). */
ZWCREATESECTION OrigZwCreateSection;

/* Redundant: the variable is already defined on the line above; this extern declaration is dead but harmless. */
extern ZWCREATESECTION OrigZwCreateSection;

 

/*
 * Replacement ZwCreateSection installed in the SSDT by Hooking().
 *
 * Compares the section's object name against two reversed DLL path spellings
 * and, on a match, substitutes the real path before calling the saved
 * original entry; everything else is passed straight through.
 *
 * Reviewer notes (the author's "Error BSOD" marker is on the ObjectAttributes
 * check below):
 *  - ObjectAttributes is a caller-supplied pointer used without validation:
 *    only the outer pointer is NULL-checked, while ->ObjectName (itself
 *    optional in OBJECT_ATTRIBUTES) is dereferenced unconditionally and handed
 *    to RtlEqualUnicodeString.  Kernel code trusting caller memory this way is
 *    the classic crash surface.
 *  - The matched branches store the address of a stack-local UNICODE_STRING
 *    into the caller's structure; that local ceases to exist when this
 *    function returns.
 *  - Syntax: the braces opened at the two matching `if`s are never closed and
 *    each `else` follows a `return` inside the same block, so the function
 *    does not parse as written (no closing brace before Hooking() either).
 *  - The four RtlInitUnicodeString calls run on every section creation; the
 *    paths are hard-coded to C:\windows\system32 and compared as full NT paths.
 */
NTSTATUS FakeZwCreateSection(

OUT PHANDLE  SectionHandle,

IN ACCESS_MASK  DesiredAccess,

IN POBJECT_ATTRIBUTES  ObjectAttributes OPTIONAL,

IN PLARGE_INTEGER  MaximumSize OPTIONAL,

IN ULONG  SectionPageProtection,

IN ULONG  AllocationAttributes,

IN HANDLE  FileHandle OPTIONAL

)

 

{

UNICODE_STRING KernelName;    /* name looked for: reversed spelling of kernel32.dll */

UNICODE_STRING UrlmonName;    /* name looked for: reversed spelling of URLMON.DLL */

UNICODE_STRING RKernelName;   /* real path substituted on a KernelName match */

UNICODE_STRING RUrlmonName;   /* real path substituted on a UrlmonName match */

RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll");

RtlInitUnicodeString(&KernelName,  L"\\??\\C:\\windows\\system32\\lld.23lenrek");

RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL");   

RtlInitUnicodeString(&UrlmonName,  L"\\??\\C:\\windows\\system32\\LLD.NOMLRU");





if(ObjectAttributes != NULL) { //Error BSOD: only the outer pointer is checked; ObjectName is dereferenced next without one

if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)){   /* TRUE = case-insensitive compare */

DbgPrint("ZWCREATESECTION redirect acionado - KERNEL32\n");

ObjectAttributes->ObjectName = &RKernelName;   /* writes a kernel stack address into caller-owned memory */

return(((ZWCREATESECTION)(OrigZwCreateSection)) (SectionHandle,DesiredAccess,ObjectAttributes,MaximumSize,SectionPageProtection,AllocationAttributes,FileHandle));

else   /* unreachable as written: follows a return inside an unclosed block */

if(RtlEqualUnicodeString(ObjectAttributes->ObjectName,&UrlmonName, TRUE)){

DbgPrint("ZWCREATESECTION redirect acionado - URLMON\n");

ObjectAttributes->ObjectName = &RUrlmonName;   /* same stack-address issue as above */

return(((ZWCREATESECTION)(OrigZwCreateSection)) (SectionHandle,DesiredAccess,ObjectAttributes,MaximumSize,SectionPageProtection,AllocationAttributes,FileHandle));

else

/* pass-through: no name match (or NULL ObjectAttributes, once the braces are fixed) */
return(((ZWCREATESECTION)(OrigZwCreateSection)) (SectionHandle,DesiredAccess,ObjectAttributes,MaximumSize,SectionPageProtection,AllocationAttributes,FileHandle));

 

/*
 * Saves the current ZwCreateSection SSDT entry in OrigZwCreateSection and
 * overwrites the slot with FakeZwCreateSection.
 *
 * cli/sti masks interrupts on the executing processor only; it does not
 * serialise against other CPUs that read or write the table.  Overwriting a
 * global kernel dispatch-table entry is exactly what SSDT integrity checks and
 * anti-rootkit scanners flag (a service pointer that resolves outside
 * ntoskrnl).  Assigning through a cast (second statement) is a legacy MSVC
 * extension, not standard C.  Declared as lowercase hooking() in the prototype
 * above, which this definition does not match.
 */
void Hooking(void) {

 

    _asm{cli}   /* mask interrupts on this CPU only */

	OrigZwCreateSection = (ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection));   /* save the original entry for Unhooking() and pass-through */

	(ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = FakeZwCreateSection;   /* overwrite the SSDT slot */

    _asm{sti}

    

}

 

/*
 * Restores the ZwCreateSection SSDT entry from OrigZwCreateSection.
 * Same caveats as Hooking(): cli/sti is per-CPU only, and the cast-as-lvalue
 * relies on an MSVC extension.  Assumes Hooking() ran first (DriverEntry
 * guarantees this); otherwise the slot would be overwritten with the
 * zero-initialised global.
 */
void Unhooking() 

{

 

    _asm{cli}

	(ZWCREATESECTION) (SYSTEMSERVICE(ZwCreateSection)) = OrigZwCreateSection;   /* put the saved entry back */

    _asm{sti}

}

 

/*
 * DriverUnload callback registered by DriverEntry.  Logs the teardown and
 * restores the original ZwCreateSection SSDT entry before the image goes away.
 * DriverObject is not used.
 */
void Unload_driver(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;

    DbgPrint("And now, unhooking API :] \n");
    Unhooking();
}

 

/*
 * Driver entry point.  Registers the unload callback, then installs the
 * ZwCreateSection hook.  RegistryPath is not used.
 *
 * Returns STATUS_SUCCESS unconditionally; Hooking() reports no failure.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;

    /* Register teardown before touching the table so an unload always restores it. */
    driverObject->DriverUnload = Unload_driver;

    DbgPrint("Hooking API!\n");
    Hooking();

    return STATUS_SUCCESS;
}

源码在 http://caion90.hostei.com/ViewFile.php?file=/zwcshook/hook.c

请帮助我=]

