
//查找SSDT Address1 = (ULONG)KeServiceDescriptorTable->

ServiceTableBase + 0x115 * 4;

__asm{ cli mov eax,cr0 and eax,not 10000h mov cr0,eax } *((ULONG*)Address) = (ULONG)OldServiceAddress;

//还原SSDT *((ULONG*)Address1) = (ULONG)OldServiceAddress1;

//还原SSDT __asm{ mov eax,cr0 or eax,10000h mov cr0,eax sti } DbgPrint( Unhook );

}
由于它不断对DebugPort清零,所以要修改调试相关函数,使得所有的访问DebugPort的地方全部访问EPROCESS中的ExitTime字节,这样它怎么清零都无效了,也检测不到 代码:
;-----------------------------------------------------------------------
; dnf_hook driver, part 1 (MASM, 32-bit flat, stdcall).
; Purpose (per the text above): overwrite the kernel routines that read
; EPROCESS.DebugPort so that they read another EPROCESS field instead.
; NOTE(review): every *_1/*_2 constant in .const is an absolute kernel
; virtual address with no version check anywhere; the page does not say
; which kernel build they were taken from, so they are valid for exactly
; one build and must be verified against the target before use.
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
include dnf_hook.inc

.const
; Patch sites. ModifyFuncAboutDbg writes 8 bytes at each one.
; The names are abbreviations the page does not expand.
; NOTE(review): Dmpp_1 + 8 = 80642d66h, which overlaps Dmpp_2 (80642d64h)
; by two bytes -- applying both patches would clobber each other.
Dspdo_1     equ 80643db6h
Dmpp_1      equ 80642d5eh
Dmpp_2      equ 80642d64h
Dct_1       equ 806445d3h
Dqm_1       equ 80643089h
Kde_1       equ 804ff5fdh
Dfe_1       equ 80644340h
Pcp_1       equ 805d1a0dh
Mcp_1       equ 805b0c06h
Mcp_2       equ 805b0d7fh
Dmvos_1     equ 8064497fh
Dumvos_1    equ 80644a45h
Pet_1       equ 805d32f8h
Det_1       equ 8064486ch
Dep_1       equ 806448e6h

.code

; Restore our own hook   (orig.: 还原自己的Hook)
; NOTE(review): despite the comment this routine only returns -- none of the
; bytes written by DriverEntry are put back, so the kernel stays patched
; after the driver is unloaded.
DriverUnload proc pDriverObject:PDRIVER_OBJECT
        ret
DriverUnload endp

;-----------------------------------------------------------------------
; void ModifyFuncAboutDbg(void *addrOdFunc, DWORD cmd_1, DWORD cmd_2)
; In:    addrOdFunc = address to patch; cmd_1, cmd_2 = the two dwords to store
; Out:   nothing; [addrOdFunc] = cmd_1, [addrOdFunc+4] = cmd_2
; Clobb: none (pushad/popad), flags
; Unconditional 8-byte overwrite: nothing checks that the bytes currently
; at the address are the expected original instruction, so a wrong address
; silently corrupts unrelated code. The caller must have cleared CR0.WP
; (DriverEntry does) or the store faults.
;-----------------------------------------------------------------------
ModifyFuncAboutDbg proc addrOdFunc, cmd_1, cmd_2
        pushad
        mov     ebx, addrOdFunc
        mov     eax, cmd_1
        mov     DWORD ptr [ebx], eax            ; first 4 patch bytes
        mov     eax, cmd_2
        mov     DWORD ptr [ebx + 4], eax        ; next 4 patch bytes
        popad
        ret
ModifyFuncAboutDbg endp

;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Turns off interrupts and CR0.WP (bit 16), applies the patches, installs
; DriverUnload, restores WP, re-enables interrupts, returns STATUS_SUCCESS.
; pusRegistryPath is not used.
; NOTE(review): cli/sti masks interrupts on the current CPU only; no lock or
; IRQL change stops other processors from executing the code while it is
; being rewritten.
; NOTE(review): the 78h byte present in every patch value is presumably the
; EPROCESS.ExitTime displacement the text refers to, padded with 90h (nop);
; confirm against the target build's EPROCESS layout.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
        cli
        mov     eax, cr0
        and     eax, not 10000h                 ; clear CR0.WP: kernel code pages become writable
        mov     cr0, eax
        invoke  ModifyFuncAboutDbg, Dspdo_1, 90784789h, 0fde89090h
        invoke  ModifyFuncAboutDbg, Dmpp_1, 90787e39h, 950f9090h
        invoke  ModifyFuncAboutDbg, Dct_1, 90785e39h, 840f9090h
        invoke  ModifyFuncAboutDbg, Dqm_1, 9078408bh, 45899090h
        invoke  ModifyFuncAboutDbg, Kde_1, 90787839h, 13749090h
        invoke  ModifyFuncAboutDbg, Dfe_1, 9078418bh, 0d2329090h
        invoke  ModifyFuncAboutDbg, Pcp_1, 90784389h, 45f69090h
        invoke  ModifyFuncAboutDbg, Mcp_1, 90785e39h, 950f9090h
        invoke  ModifyFuncAboutDbg, Mcp_2, 90784a89h, 5e399090h
        invoke  ModifyFuncAboutDbg, Dmvos_1, 9078498bh, 0cb3b9090h
        invoke  ModifyFuncAboutDbg, Dumvos_1, 00787983h, 74909090h
        invoke  ModifyFuncAboutDbg, Pet_1, 00787f83h, 74909090h
        invoke  ModifyFuncAboutDbg, Det_1, 9078498bh, 0c9859090h
        invoke  ModifyFuncAboutDbg, Dep_1, 9078498bh, 0c9859090h
        ; NOTE(review): in the pasted listing the next invoke follows a ';'
        ; (every other ';' on the page is followed by comment text), so it
        ; appears to have been commented out in the original -- confirm.
        ; It would also overlap the Dmpp_1 patch (see .const).
        ; invoke ModifyFuncAboutDbg, Dmpp_2, 8bc0950fh, 8b90c032h
        mov     eax, pDriverObject
        assume  eax : ptr DRIVER_OBJECT
        mov     [eax].DriverUnload, offset DriverUnload
        assume  eax : nothing
        mov     eax, cr0
        or      eax, 10000h                     ; restore CR0.WP
        mov     cr0, eax
        sti
        mov     eax, STATUS_SUCCESS
        ret
DriverEntry endp
end DriverEntry
绕过NtOpenProcess,NtOpenThread,KiAttachProcess 以及最重要的,不能让它检测到有硬件断点,所以要对CONTEXT做一些伪装,把真实的DR0~DR7的数据存放到别的地方,OD访问的时候返回正确的数据,如果是DNF要获取上下文,就稍微做下手脚 代码:
;-----------------------------------------------------------------------
; dnf_hook driver, part 2 (MASM, 32-bit flat, stdcall).
; Hook / return / skip addresses for the routines named in the text above.
; Same caveat as part 1: absolute addresses for one unspecified kernel
; build, no version check. The listing is cut off on this page; HookCode
; and the CONTEXT-handling code the text describes are not shown.
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
include dnf_hook.inc

.const
NtOpenProcessHookAddr       equ 805cc626h
NtOpenProcessRetAddr        equ 805cc631h
NtOpenProcessNoChange       equ 805cc62ch
NtOpenThreadHookAddr        equ 805cc8a8h
NtOpenThreadRetAddr         equ 805cc8b3h
NtOpenThreadNoChange        equ 805cc8aeh
KiAttachProcessAddr         equ 804f9a08h
KiAttachProcessRetAddr      equ 804f9a0fh
ObOpenObjectByPointerAddr   equ 805bcc78h
NtGetContextThreadAddr      equ 805d2551h ;

; 805c76a3h   <- alternative NtGetContextThreadAddr value kept as a comment in the original
; NOTE(review): the other Hook/Ret pairs above differ by a few bytes
; (805cc626h/805cc631h, 805cc8a8h/805cc8b3h, 804f9a08h/804f9a0fh), but the
; active NtGetContextThread pair is 805d2551h / 805c76a7h, which are far
; apart. The commented alternatives form the consistent pairs
; 805d2551h/805d2555h and 805c76a3h/805c76a7h, so the active pair looks
; like it mixes two builds -- confirm before use.
NtGetContextThreadRetAddr   equ 805c76a7h ;
; 805d2555h   <- alternative NtGetContextThreadRetAddr value kept as a comment in the original

.data
nameOffset      dd ?        ; offset of the image-name string inside EPROCESS
                            ; (used by GetProcessName); nothing in this listing
                            ; assigns it -- presumably set by code not shown
threadCxtLink   dd 0        ; not referenced in the visible code
tmpLink         dd ?        ; not referenced in the visible code

.code

;-----------------------------------------------------------------------
; int GetProcessName(void)
; Out:   eax = strncmp result; 0 when the current process's name starts
;        with the 6 bytes "DNF.ex". Also prints "\n", the name, "\n" via DbgPrint.
; Clobb: ebx (not saved -- with stdcall/C conventions ebx is callee-saved,
;        so a caller holding a value in ebx is corrupted), eax, volatile regs
; NOTE(review): only 6 of the 7 characters of "DNF.exe" are compared, so any
; name beginning "DNF.ex" matches.
; NOTE(review): the process name is passed to DbgPrint as the *format*
; string; a name containing '%' is interpreted as format directives.
; Use a literal "%s" format with the name as an argument instead.
; The $CTA0( ... ) arguments appear to have lost their quote characters in
; the forum rendering.
;-----------------------------------------------------------------------
GetProcessName proc
        invoke  PsGetCurrentProcess
        mov     ebx, eax
        add     ebx, nameOffset                 ; ebx -> name string in the current EPROCESS
        invoke  DbgPrint, $CTA0( \n )
        push    ebx                             ; keep ebx across the call
        invoke  DbgPrint, ebx                   ; name used as the format string (see note)
        pop     ebx
        invoke  strncmp, $CTA0( DNF.exe ), ebx, 6
        push    eax                             ; keep the strncmp result across the next call
        invoke  DbgPrint, $CTA0( \n )
        pop     eax
        ret
GetProcessName endp

; NOTE(review): HookCode is cut off on this page; only its first two
; instructions follow and the rest of the body is not shown.
HookCode proc ;

执行被覆盖的代码 push dword ptr [ebp-38h] push dword ptr [ebp-24h] ;
