SSDT HOOK禁止指定进程结束(2)_各类编程

VOID DriverUnload(PDRIVER_OBJECT DriverObject) //卸载函数

{

DbgPrint("succeed!");

}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)

{

ULONG Address;

ULONG_PTR RealOPServiceAddress;

_asm //取消ssdt的保护

{

cli

mov eax,cr0

and eax,not 10000h

mov cr0,eax

}

Address=(ULONG)KeServiceDescriptorTable->ServiceTableBase+0x7A*4;//得到真实地址

*((ULONG*)Address)=(ULONG)MyNtOpenProcess;//替换为自己回调函数的地址

RealOPServiceAddress = *(ULONG*)Address; //保存真是地址

RealNtOpenProcess = (NTOPENPROCESS)RealOPServiceAddress;//根据论坛上一位大神的的说法，两次寄存器的操作之间的代码要尽量少，因为调用的函数也有可能使用寄存器，改变寄存器的值

_asm //关闭保护

{

cli

mov eax,cr0

or eax,10000h

mov cr0,eax

sti

}

DriverObject->DriverUnload=DriverUnload;

return STATUS_SUCCESS;

}

NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId)

{

NTSTATUS rc=NULL;

ULONG dwPID;

//rc=(NTSTATUS)(REALZWOPENPROCESS)RealZwOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);

if(ClientId!=NULL) //判读是否是制定的PID

{

dwPID=(ULONG)ClientId->UniqueProcess;

if(dwPID==1884)

{

SSDT HOOK禁止指定进程结束(2)