  #1 Dwar (Veteran, joined 2010 Mar)

    SSDT HOOK source code

    Code:
    #include <ntddk.h>

    // Minimal view of the kernel's service descriptor table; only the first
    // table (KeServiceDescriptorTable) is used here.
    typedef struct _SERVICE_DESCRIPTOR_TABLE
    {
        PVOID   ServiceTableBase;        // array of service routine addresses
        PULONG  ServiceCounterTableBase; // per-service call counters (checked builds)
        ULONG   NumberOfService;         // number of entries in the table
        ULONG   ParamTableBase;          // argument byte counts per service
    } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
    extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable; // exported by ntoskrnl

    /////////////////////////////////////
    VOID Hook();
    VOID Unhook();
    VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
    //////////////////////////////////////
    ULONG JmpAddress;        // Address to jump to: NtOpenProcess + 10
    ULONG OldServiceAddress; // Original NtOpenProcess entry from the SSDT
    //////////////////////////////////////
    // Replacement entry for NtOpenProcess (32-bit kernel only, ULONG holds a
    // pointer). The function is naked: it logs, re-executes the first 10 bytes
    // of the original prologue and then jumps to NtOpenProcess + 10 so the
    // original routine completes the call.
    __declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
                   ACCESS_MASK DesiredAccess,
                   POBJECT_ATTRIBUTES ObjectAttributes,
                   PCLIENT_ID ClientId)
    {
        DbgPrint("NtOpenProcess() called");
        __asm{
            push    0C4h        // First 10 bytes of NtOpenProcess on the kernel
            push    804eb560h   // this was written against; the second push is a
                                // build-specific constant and must match the bytes
                                // actually present at NtOpenProcess
            jmp     [JmpAddress]
        }
    }
    ///////////////////////////////////////////////////
    NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
    {
        DriverObject->DriverUnload = OnUnload;
        DbgPrint("Unhooker load");
        Hook();
        return STATUS_SUCCESS;
    }
    /////////////////////////////////////////////////////
    VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
    {
        DbgPrint("Unhooker unload!");
        Unhook();
    }
    /////////////////////////////////////////////////////
    VOID Hook()
    {
        ULONG  Address;
        // 0x7A is the NtOpenProcess service ID on the kernel this was written
        // against; the index differs between Windows versions
        Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4;
        DbgPrint("Address:0x%X", Address);

        OldServiceAddress = *(ULONG*)Address;   // Save original NtOpenProcess address
        DbgPrint("OldServiceAddress:0x%X", OldServiceAddress);

        DbgPrint("MyNtOpenProcess:0x%X", MyNtOpenProcess);

        JmpAddress = (ULONG)NtOpenProcess + 10; // Jump target: NtOpenProcess header + 10
        DbgPrint("JmpAddress:0x%X", JmpAddress);

        __asm{                  // Remove the memory protection (clear CR0.WP)
            cli
            mov  eax, cr0
            and  eax, not 10000h
            mov  cr0, eax
        }

        *((ULONG*)Address) = (ULONG)MyNtOpenProcess;   // HOOK SSDT

        __asm{                  // Restore the memory protection (set CR0.WP)
            mov  eax, cr0
            or   eax, 10000h
            mov  cr0, eax
            sti
        }
    }
    //////////////////////////////////////////////////////
    VOID Unhook()
    {
        ULONG  Address;
        Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4; // Find SSDT slot

        __asm{                  // Remove the memory protection (clear CR0.WP)
            cli
            mov  eax, cr0
            and  eax, not 10000h
            mov  cr0, eax
        }

        *((ULONG*)Address) = (ULONG)OldServiceAddress;  // Restore SSDT

        __asm{                  // Restore the memory protection (set CR0.WP)
            mov  eax, cr0
            or   eax, 10000h
            mov  cr0, eax
            sti
        }

        // Debugging
        DbgPrint("Unhook");
    }
    P.S. Code isn't mine, just found it in my source archive. Maybe useful for someone.
    Please, post your questions on the forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep the world in equilibrium
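    The integrity check a defender runs against the technique in the post above, added here as an example that is not part of Dwar's post or the archived driver: every slot of the SSDT should resolve to an address inside the ntoskrnl image, and the hook above leaves slot 0x7A pointing into a third-party driver instead. The code is user-mode C on a constructed 32-bit module list and a constructed service table (all addresses and the "hook.sys" name are made up), so it runs anywhere; in a real checker the table base comes from KeServiceDescriptorTable->ServiceTableBase and the module ranges from the loaded-module list.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one loaded kernel module: image base, size, name. */
typedef struct {
    uint32_t base;
    uint32_t size;
    const char *name;
} module_t;

/* Index returned when an address lies in no known module. */
#define MODULE_UNKNOWN (-1)

/* Return the index of the module whose image range contains addr. */
static int find_module(const module_t *mods, size_t count, uint32_t addr)
{
    for (size_t i = 0; i < count; i++) {
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return (int)i;
    }
    return MODULE_UNKNOWN;
}

/* Scan a service table of n_services entries. Every entry should resolve into
 * the kernel image (module index kernel_idx); any other target (another
 * module, or no module at all) is reported. Returns the number of suspicious
 * slots and writes up to out_cap of their indices into out[]. */
size_t scan_ssdt(const uint32_t *table, size_t n_services,
                 const module_t *mods, size_t n_mods, size_t kernel_idx,
                 size_t *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n_services; i++) {
        if (find_module(mods, n_mods, table[i]) == (int)kernel_idx)
            continue;                       /* normal: points into ntoskrnl */
        if (found < out_cap)
            out[found] = i;
        found++;
    }
    return found;
}

/* Worked example on constructed data: a 0x7B-entry table whose NtOpenProcess
 * slot (0x7A, the index the posted hook patches) points into "hook.sys".
 * Returns the number of flagged slots; *first_hooked receives the first one. */
size_t demo_scan(size_t *first_hooked)
{
    static const module_t mods[] = {
        { 0x804D7000u, 0x001F0000u, "ntoskrnl.exe" }, /* constructed range */
        { 0xF8A00000u, 0x00004000u, "hook.sys" },     /* constructed range */
    };
    const size_t n_mods = sizeof mods / sizeof mods[0];
    uint32_t table[0x7B];
    for (size_t i = 0; i < 0x7B; i++)
        table[i] = 0x804D7000u + 0x1000u * (uint32_t)(i + 1); /* inside kernel */
    table[0x7A] = 0xF8A01230u;  /* the hooked slot: target is inside hook.sys */

    size_t hits[8];
    size_t n = scan_ssdt(table, 0x7B, mods, n_mods, 0, hits, 8);
    if (first_hooked)
        *first_hooked = n ? hits[0] : (size_t)-1;

    for (size_t i = 0; i < n && i < 8; i++) {
        int m = find_module(mods, n_mods, table[hits[i]]);
        printf("service 0x%zX -> 0x%08X (%s)\n", hits[i], table[hits[i]],
               m == MODULE_UNKNOWN ? "no known module" : mods[m].name);
    }
    return n;
}

int main(void)
{
    size_t idx = 0;
    size_t n = demo_scan(&idx);
    printf("%zu suspicious SSDT slot(s)\n", n);
    return 0;
}
```

    The check flags an entry that points into another driver as well as one that points into unmapped or pool memory (no known module), which covers both a hook like the one above and a trampoline copied into allocated memory. It does not catch inline patching of the target routine itself; that needs a separate byte comparison against the on-disk kernel image.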


  #2 emoisback (Full member, joined 2011 Dec, location: Indonesia)
    ahaaaa....
    this one is better to understand >,<..
    and I will post my question here if I have one..
    Learn from PGC for Share on PGC..


    For other stuff I have made, try to find it [Please, register to view links]
    If I have helped you, please thank and respect ..


  #3 darkendemon (Guest, joined 2013 Jan)

    Doubt

    Thank you for your help.
    In that code they specify #include <ntddk.h> to install the driver in the kernel. It is enough to include that header alone. Can you explain that? I am confused about the use of that header file and how to install it as a driver to hook the SSDT.
    Thank you
