SSDT HOOK source code

Dwar · 2012-07-28, 08:10 AM

Code:

#include<ntddk.h>

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
  PVOID   ServiceTableBase;
  PULONG  ServiceCounterTableBase;
  ULONG   NumberOfService;
  ULONG   ParamTableBase;
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE; // As KeServiceDescriptorTable only one here on the simple point
extern PSERVICE_DESCRIPTOR_TABLE    KeServiceDescriptorTable;//KeServiceDescriptorTable For the exported function

/////////////////////////////////////
VOID Hook();
VOID Unhook();
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
//////////////////////////////////////
ULONG JmpAddress; //Jump to NtOpenProcess address
ULONG OldServiceAddress;//Original NtOpenProcess service address
//////////////////////////////////////
__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId) 
{
  DbgPrint("NtOpenProcess() called");
  __asm{
    push    0C4h
    push    804eb560h  //10 bytes
    jmp     [JmpAddress]     
  }
}
///////////////////////////////////////////////////
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
  DriverObject->DriverUnload = OnUnload;
  DbgPrint("Unhooker load");
  Hook();
  return STATUS_SUCCESS;
}
/////////////////////////////////////////////////////
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
  DbgPrint("Unhooker unload!");
  Unhook();
}
/////////////////////////////////////////////////////
VOID Hook()
{
  ULONG  Address;
  Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;//0x7A for NtOpenProcess service ID
  DbgPrint("Address:0xX",Address);

  OldServiceAddress = *(ULONG*)Address;//Save original NtOpenProcess address
  DbgPrint("OldServiceAddress:0xX",OldServiceAddress);

  DbgPrint("MyNtOpenProcess:0xX",MyNtOpenProcess);

  JmpAddress = (ULONG)NtOpenProcess + 10; //Jump to NtOpenProcess function header +10
  DbgPrint("JmpAddress:0xX",JmpAddress);
    
  __asm{				//Remove the memory protection
    cli
         mov  eax,cr0
    and  eax,not 10000h
    mov  cr0,eax
  }

  *((ULONG*)Address) = (ULONG)MyNtOpenProcess;	//HOOK SSDT

  __asm{				//Restore the memory protection
          mov  eax,cr0
    or   eax,10000h
    mov  cr0,eax
    sti
  }
}
//////////////////////////////////////////////////////
VOID Unhook()
{
  ULONG  Address;
  Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;	//Find SSDT

  __asm{
    cli
          mov  eax,cr0
    and  eax,not 10000h
    mov  cr0,eax
  }

  *((ULONG*)Address) = (ULONG)OldServiceAddress;	//Restore SSDT

  __asm{  
         mov  eax,cr0
    or   eax,10000h
    mov  cr0,eax
    sti
  }

  //Debugging
  DbgPrint("Unhook");
}

P.S. Code isn't mine, just found in my source archive. Maybe useful for some one

emoisback · 2012-07-28, 08:40 AM

ahaaaa....
this one better to understand >,<..
and i will post my question here if i have

..

darkendemon · 2013-01-10, 07:08 AM

Thank You For ur help.
In that code they specify #include<ntddk.h> to install driver in kernel.It is enough to include that header alone.Can u explain that.I AM confused about that use of header file and how to install as a driver to hook the SSDT.
Thank You

Thread: SSDT HOOK source code

Thread Tools

Display

SSDT HOOK source code

The Following 4 Users Say Thank You to Dwar For This Useful Post:

The Following User Says Thank You to emoisback For This Useful Post:

Doubt

Similar Threads

[C#] Offset Finder with FindPattern Source Code

[AutoIt] RegEx Offset Finder Source code

delphi source code - npcgen.data NPC dumper

[C#] Memory editing application with Source code

Question about tracing source code to memory

Tags for this Thread

Posting Permissions