Hola...

Navegando como siempre cuando hay algo de tiempo... he visto esto...
ZwOpenProcess Hook
Compile it with Meerlat 1.1 (See Kernel-mode section)
Use DbgView to capture the debug output.
unit ZwOpenProcessHook;


interface

uses
  nt_status,
  ntoskrnl,
  fcall,
  KernelUtils;

// Driver entry point exported by this unit; the body is in the implementation
// section below. RegistryPath is accepted for the standard signature but is
// never read.
function _DriverEntry(
  DriverObject: PDriverObject;
  RegistryPath: PUnicodeString
  ): NTSTATUS; stdcall;

implementation

type
  // Signature shared by the native ZwOpenProcess service, the replacement
  // ZwOpenProcessHookProc and the saved original entry (stdcall, NTSTATUS).
  TZwOpenProcess = function(
    ProcessHandle: PHandle;
    DesiredAccess: TAccessMask;
    ObjectAttributes: PObjectAttributes;
    ClientId: PClientId
    ): NTSTATUS; stdcall;
var
  // True while the service-table slot is redirected to ZwOpenProcessHookProc;
  // set in _DriverEntry, cleared in DriverUnload.
  HookActive: Boolean;
  // Whatever the service-table slot held before the hook was installed
  // (captured by the InterlockedExchange in _DriverEntry); the hook forwards
  // every call to it.
  ZwOpenProcessNextHook: TZwOpenProcess;
  // Assigned once in _DriverEntry but never read in this unit
  // (SystemServiceName in KernelUtils resolves its own local copy).
  lpKeServiceDescriptorTable: PServiceDescriptorEntry;

{ Replacement service-table entry for ZwOpenProcess.
  Logs the four incoming arguments through DbgPrint, forwards the call
  unchanged to the previously installed entry (ZwOpenProcessNextHook) and
  logs the NTSTATUS that came back. Arguments and result are passed through
  untouched, so this is a pure tracing hook with no filtering path.
  NOTE(review): every %.8X prints its argument as 32 bits, which only holds
  on x86 — consistent with the CR0 inline asm and the Cardinal/LONG pointer
  casts elsewhere in the listing, but it would truncate pointers on x64. }
function ZwOpenProcessHookProc(ProcessHandle: PHandle; DesiredAccess: TAccessMask; ObjectAttributes: PObjectAttributes; ClientId: PClientId): NTSTATUS; stdcall;
begin
  // Trace the request before it reaches the original service.
  DbgPrint('ZwOpenProcess HookProc: NewZwOpenProcess(ProcessHandle:0x%.8X,DesiredAccess:0x%.8X,ObjectAttributes:0x%.8X,ClientId:0x%.8X)',
    ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);

  // Hand off to whatever the table pointed to before the hook; there is no
  // early return, so every caller always reaches the original entry.
  Result := ZwOpenProcessNextHook(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
  // Trace the status the original service returned.
  DbgPrint('ZwOpenProcess HookProc: NewZwOpenProcess(-):0x%.8X', Result);
end;

{ Unload callback registered by _DriverEntry.
  If the hook is installed, puts the saved original entry
  (ZwOpenProcessNextHook) back into the service-table slot using the same
  write-protection toggle and InterlockedExchange that installed it, logs
  both addresses and clears HookActive. Always logs "DriverUnload(-)".
  NOTE(review): nothing here waits for threads that are still inside
  ZwOpenProcessHookProc when the slot is swapped back; the image is unmapped
  after this routine returns, so such a thread would fault. The write window
  is also only as safe as the uCr0/cli scheme in KernelUtils (single global,
  current CPU only). }
procedure DriverUnload(DriverObject: PDriverObject); stdcall;
begin
  if (HookActive) then
  begin
    // CR0.WP must be clear before writing into the read-only service table.
    DisableWriteProtection();
    // Swap the original entry back in; the displaced value (the hook's own
    // address) is what ends up in ZwOpenProcessNextHook afterwards. Delphi's
    // @ on a procedural variable yields the routine address it holds.
    ZwOpenProcessNextHook := TZwOpenProcess(InterlockedExchange(SystemServiceName(GetImportFunAddr(@ZwOpenProcess)), LONG(@ZwOpenProcessNextHook)));
    EnableWriteProtection();

    // "New" = what the table slot holds now; "Old" = what was just displaced.
    DbgPrint('ZwOpenProcess New Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwOpenProcess))^);
    DbgPrint('ZwOpenProcess Old Address: 0x%.8X', DWORD(@ZwOpenProcessNextHook));

    HookActive := False;
  end;
  DbgPrint('DriverUnload(-)');
end;

{ Driver entry point.
  Registers DriverUnload, resolves KeServiceDescriptorTable, prints a set of
  diagnostic addresses for DbgView, then installs ZwOpenProcessHookProc in the
  service-table slot returned by SystemServiceName(GetImportFunAddr(@ZwOpenProcess)),
  keeping the displaced entry in ZwOpenProcessNextHook. Always returns
  STATUS_SUCCESS.
  NOTE(review): HookActive is forced to False a few lines before the
  "if not HookActive" test, so the else branch ("ZwOpenProcess Hooked") is
  unreachable. The "DriverEntry(-)" trace is printed before any work is done,
  so the status it shows is not a completion result.
  Defender context: a service-table entry that points outside the kernel image
  is exactly what SSDT-integrity checks look for, and on x64 Kernel Patch
  Protection rejects such writes — this is an x86/legacy-only technique. }
function _DriverEntry(DriverObject: PDriverObject; RegistryPath: PUnicodeString): NTSTATUS; stdcall;
begin
  // The only status this routine ever returns.
  Result := STATUS_SUCCESS;
  // Let the I/O manager call DriverUnload so the hook can be removed.
  DriverObject^.DriverUnload := @DriverUnload;
  // Emitted before the hook is installed despite the "(-)" exit marker.
  DbgPrint('DriverEntry(-):0x%.8X', Result);
  // Stored in the unit global but not read again in this unit.
  lpKeServiceDescriptorTable := GetImportFunAddr(@KeServiceDescriptorTable);
  // Reset here, which makes the else branch below unreachable.
  HookActive := False;

  // Diagnostic dump: import thunk target, descriptor table (thunk and
  // resolved), current slot contents and our replacement address.
  DbgPrint('ZwOpenProcess Import Address: 0x%.8X', GetImportFunAddr(@ZwOpenProcess));
  DbgPrint('KeServiceDescriptorTable() Address 1: 0x%.8X', @KeServiceDescriptorTable);
  DbgPrint('KeServiceDescriptorTable() Address 2: 0x%.8X', PPointer(@KeServiceDescriptorTable)^);

  DbgPrint('ZwOpenProcess Name Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwOpenProcess))^);

  DbgPrint('ZwOpenProcess HookProc Address: 0x%.8X', @ZwOpenProcessHookProc);

  if not HookActive then
  begin
    // The table is read-only; clear CR0.WP around the single write.
    DisableWriteProtection();
    // Atomically replace the slot with the hook; the previous contents (the
    // original service) are kept so the hook can forward to it.
    ZwOpenProcessNextHook := TZwOpenProcess(InterlockedExchange(SystemServiceName(GetImportFunAddr(@ZwOpenProcess)), LONG(@ZwOpenProcessHookProc)));
    EnableWriteProtection();

    // "New" = slot contents now (the hook); "Old" = the saved original.
    DbgPrint('ZwOpenProcess New Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwOpenProcess))^);
    DbgPrint('ZwOpenProcess Old Address: 0x%.8X', DWORD(@ZwOpenProcessNextHook));

    HookActive := True;
  end else
  begin
    // Unreachable: HookActive was set to False above.
    DbgPrint('ZwOpenProcess Hooked');
  end;
end;
end.
unit KernelUtils;


interface

uses
  nt_status,
  ntoskrnl;

// Pointer to the service-table slot that dispatches the Zw* routine AFunc.
function SystemServiceName(AFunc: Pointer): PLONG; stdcall;
// Address behind an import thunk (the routine the thunk jumps to).
function GetImportFunAddr(lpImportAddr: Pointer): Pointer; stdcall;
// Pointer to the service-table slot for a raw service index.
function SystemServiceOrd(iOrd: ULONG): PLONG; stdcall;
// Restore CR0 from uCr0 and re-enable interrupts (sti).
procedure EnableWriteProtection(); stdcall;
// Disable interrupts (cli), save CR0 to uCr0 and clear CR0.WP.
procedure DisableWriteProtection(); stdcall;

// CR0 value saved by DisableWriteProtection and reloaded by
// EnableWriteProtection. NOTE(review): a single global, not per-CPU; cli only
// masks interrupts on the executing processor, so two CPUs entering the
// window at once would overwrite each other's saved value.
var uCr0: ULONG;
implementation

{ Clears CR0.WP (bit 16) so ring-0 writes to read-only pages succeed, saving
  the previous CR0 in the global uCr0 for EnableWriteProtection.
  Interrupts are masked with cli and stay masked until the matching
  EnableWriteProtection issues sti, so callers must keep the window short.
  NOTE(review): cli affects only the current CPU and uCr0 is shared, so this
  is not safe against a second processor entering the same window; the
  conventional approach is to raise IRQL and keep per-CPU state. x86-only
  (32-bit CR0 handled in eax). }
procedure DisableWriteProtection(); stdcall;
begin
  asm
   cli                        // mask interrupts on this CPU until sti
   push eax
   mov  eax, cr0
   mov  [uCr0], eax           // remember the original CR0
   and  eax, not 00010000h    // clear WP (bit 16)
   mov  cr0, eax
   pop  eax
  end;
end;

{ Reloads CR0 from the value DisableWriteProtection saved in uCr0, then
  re-enables interrupts. Must run on the same CPU, after a matching
  DisableWriteProtection; loading a CR0 saved on another processor (or a
  stale uCr0) would install the wrong value.
  NOTE(review): sti is unconditional, so interrupts are enabled on exit even
  if they were already masked before the cli in DisableWriteProtection. }
procedure EnableWriteProtection(); stdcall;
begin
  asm
    push eax
    mov  eax, [uCr0]          // original CR0, WP bit included
    mov  cr0, eax
    pop  eax
    sti                       // unmask interrupts on this CPU
  end;
end;

{ Resolves the real address behind an import thunk.
  Reads the 4-byte value at lpImportAddr+2 — presumably the operand of the
  thunk's indirect jmp, after its two opcode bytes (TODO confirm against the
  generated stub) — to obtain the import-table slot, then dereferences that
  slot for the imported routine's address. x86-only: the pointer is treated
  as a 32-bit Cardinal. }
function GetImportFunAddr(lpImportAddr: Pointer): Pointer; stdcall;
begin
  Result := PPointer(PPointer(Cardinal(lpImportAddr) + 2)^)^;
end;

{ Returns a pointer to the service-table slot that dispatches AFunc, an
  ntoskrnl Zw* export resolved through its import thunk by the caller.
  Resolves KeServiceDescriptorTable via GetImportFunAddr, then indexes
  ServiceTableBase by the 32-bit value read at AFunc+1 — presumably the
  immediate of the "mov eax, <service index>" that opens each Zw* stub
  (TODO confirm). The result points into the read-only table, which is why
  callers wrap writes to it in Disable/EnableWriteProtection. x86-only casts. }
function SystemServiceName(AFunc: Pointer): PLONG; stdcall;
var lpKeServiceDescriptorTable: PServiceDescriptorEntry;
begin
  lpKeServiceDescriptorTable := GetImportFunAddr(@KeServiceDescriptorTable);
  // ServiceTableBase + index * SizeOf(ULONG)
  Result := PLONG(Cardinal(lpKeServiceDescriptorTable^.ServiceTableBase) + (SizeOf(ULONG) * PULONG(ULONG(AFunc) + 1)^));
end;

{ Returns a pointer to the service-table slot for the raw service index iOrd
  (same computation as SystemServiceName, minus reading the index out of a
  stub). Not referenced by ZwOpenProcessHook; exported for callers that
  already know the index. The outer PLONG cast is redundant. x86-only casts. }
function SystemServiceOrd(iOrd: ULONG): PLONG; stdcall;
var lpKeServiceDescriptorTable: PServiceDescriptorEntry;
begin
  lpKeServiceDescriptorTable := GetImportFunAddr(@KeServiceDescriptorTable);
  // ServiceTableBase + iOrd * SizeOf(ULONG)
  Result := PLONG(PLONG(Cardinal(lpKeServiceDescriptorTable^.ServiceTableBase) + (SizeOf(ULONG) * iOrd)));
end;
end. 
Delphi project link: [Enlace externo eliminado para invitados]

Fuente:

[Enlace externo eliminado para invitados]

Espero que os sirva...

Saludos !