2 楼
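/*
 * Trampoline used by the SSDT redirection below. It must NOT be a stack
 * buffer: the SSDT slot keeps pointing at it after Hook() returns and every
 * later NtOpenProcess syscall executes out of it. A file-scope array lives in
 * the driver image and stays mapped for as long as the driver is loaded.
 * Layout: 15 bytes of saved prologue + 5-byte JMP rel32 = 20 bytes.
 */
static BYTE g_Trampoline[20] = {0};

/*
 * Redirect SSDT slot 0x7A (NtOpenProcess on the poster's target build; the
 * index is OS-version specific) to a trampoline that executes the first
 * 15 bytes of the original prologue and then jumps back to NtOpenProcess+15.
 *
 * OldServiceAddress, JmpAddress and KeServiceDescriptorTable are assumed to be
 * declared elsewhere in the driver (they are not shown in this snippet).
 * The 15-byte split point must fall on an instruction boundary for the exact
 * kernel build -- confirm with a disassembler before relying on it.
 *
 * Fixes vs. the original snippet:
 *  - memcpy direction was reversed (it zeroed the kernel's NtOpenProcess);
 *  - the displacement overwrote the 0xE9 opcode (written at [15], not [16]);
 *  - E9 takes a displacement relative to the end of the jump, not an
 *    absolute address;
 *  - the trampoline was a local array, so the slot dangled once Hook() returned.
 */
VOID Hook()
{
    ULONG Address;
    ULONG NextInsn;
    LONG  Rel32;

    Address = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A * 4; // 0x7A: NtOpenProcess on this build
    OldServiceAddress = *(ULONG*)Address;
    JmpAddress = (ULONG)NtOpenProcess + 15;

    /* 1. Save the original prologue INTO the trampoline (destination first). */
    memcpy(g_Trampoline, (PVOID)NtOpenProcess, 15);

    /* 2. Append "JMP rel32" to the rest of NtOpenProcess. The displacement is
     *    relative to the address following the 5-byte instruction. */
    g_Trampoline[15] = 0xE9;
    NextInsn = (ULONG)&g_Trampoline[16] + 4;
    Rel32 = (LONG)(JmpAddress - NextInsn);
    memcpy(&g_Trampoline[16], &Rel32, 4);

    /* Clear CR0.WP so the read-only SSDT page can be written. cli/sti only
     * affect the current CPU; on SMP this is a best-effort window, not a lock
     * (a writable MDL mapping of the slot is the robust alternative). */
    __asm{
        cli
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }
    *((ULONG*)Address) = (ULONG)g_Trampoline; // HOOK SSDT
    __asm{
        mov eax,cr0
        or eax,10000h
        mov cr0,eax
        sti
    }
}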
3 楼
// This line is also wrong: it copies 15 bytes OUT of the (zero-filled) local buffer
// over the start of NtOpenProcess, i.e. it patches the kernel instead of saving the prologue.
memcpy(NtOpenProcess,data,15);
// It should be (destination first: save the original prologue into the buffer)
memcpy(data, NtOpenProcess, 15);
4 楼
data[15] = 0xE9; // These two lines were missing (0xE9 = JMP rel32 opcode)
memcpy(&data[16], &JmpAddress, 4); // These two lines were missing; the displacement goes at [16], after the opcode
// NOTE(review): E9 takes a displacement relative to the end of the 5-byte jump, not an absolute
// target, so the value stored here should be JmpAddress - ((ULONG)&data[16] + 4). `data` must also
// outlive Hook() (a file-scope buffer, not a stack array) once the SSDT slot points into it.
5 楼
 还是蓝了 听说WINDBG可以分析蓝屏的原因 但是我不知道怎么操作 请教各位大神
6 楼
这个绝对不会蓝屏了!
#include <ntddk.h>
/* NT device name and the Win32-visible symbolic link that resolves to it.
 * Both arrays are far larger than the literals; they are only ever read via
 * RtlInitUnicodeString, which stops at the terminating NUL. */
WCHAR DEVICE_NAME[256] = L"\\Device\\test";
WCHAR DEVICE_LINK[256] = L"\\DosDevices\\test";
/* Layout of one entry of the exported KeServiceDescriptorTable (x86).
 * This driver only reads ServiceTableBase of entry [0]; the remaining
 * fields are kept so the struct matches the kernel's layout. */
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
    PVOID ServiceTableBase;         /* ULONG[] of service routine addresses, indexed by syscall number */
    PULONG ServiceCounterTableBase; /* not used by this driver */
    ULONG NumberOfService;          /* not used by this driver */
    ULONG ParamTableBase;           /* not used by this driver */
} SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;
/* Resolved against ntoskrnl at load time. NOTE(review): only [0] is touched here,
 * so declaring two entries is harmless even if the kernel's array is larger. */
_declspec (dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable[2];
/* Signature of the native NtOpenProcess service (NTAPI = stdcall). Used both
 * for the saved original pointer and for the replacement routine. */
typedef NTSTATUS (NTAPI *fNtOpenProcess) (
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId
);
/* Original SSDT entry saved by Hook(); NULL until the hook is installed. */
fNtOpenProcess OrigNtOpenProcess = NULL;
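/*
 * Replacement for SSDT slot 0x7A. Logs and forwards every call to the saved
 * original with the caller's arguments untouched, so access checking is
 * unchanged.
 *
 * NTAPI (stdcall) is mandatory: the system-service dispatcher expects the
 * callee to pop its arguments, and the typedef used to save the original is
 * NTAPI. A build whose default convention is cdecl would otherwise corrupt
 * the kernel stack on return. OrigNtOpenProcess must be non-NULL before the
 * slot is swapped (see Hook()).
 */
NTSTATUS
NTAPI
MyNtOpenProcess (
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId
    )
{
    DbgPrint("MyNtOpenProcess: Hooked!\n");
    return OrigNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}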
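/*
 * Install MyNtOpenProcess into SSDT slot 0x7A (NtOpenProcess on the poster's
 * target build; the index is OS-version specific and must be checked per
 * target).
 *
 * Fix vs. the original: the original pointer is saved BEFORE the slot is
 * swapped. When OrigNtOpenProcess was assigned from the return value of
 * InterlockedExchange, a syscall dispatched on another CPU could enter
 * MyNtOpenProcess while OrigNtOpenProcess was still NULL and fault.
 * Re-installing an already installed hook is refused so the saved original
 * is never overwritten with our own address.
 *
 * CR0.WP is cleared to write the read-only SSDT page; cli/sti only cover the
 * current CPU, so on SMP this is a best-effort window, not a lock.
 */
void Hook()
{
    ULONG *pSSDT = (ULONG *) KeServiceDescriptorTable[0].ServiceTableBase;
    DbgPrint("KeServiceDescriptorTable.ServiceTableBase: 0x%X\r\n", pSSDT);

    if (OrigNtOpenProcess != NULL || pSSDT[0x7A] == (ULONG) MyNtOpenProcess)
    {
        DbgPrint("Hook: already installed\n");
        return;
    }
    /* Publish the original before any caller can be redirected to us. */
    OrigNtOpenProcess = (fNtOpenProcess) pSSDT[0x7A];

    __asm
    {
        cli
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }
    InterlockedExchange((PLONG) &pSSDT[0x7A], (LONG) MyNtOpenProcess);
    __asm
    {
        mov eax,cr0
        or eax,10000h
        mov cr0,eax
        sti
    }
}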
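/*
 * Restore SSDT slot 0x7A to the value saved by Hook().
 *
 * Fix vs. the original: nothing is written when Hook() never ran
 * (OrigNtOpenProcess == NULL), which would otherwise point the slot at
 * address 0. The previous slot value is checked after the swap: if it was
 * not MyNtOpenProcess, another component hooked after us and its chain now
 * bypasses it -- this is logged rather than ignored. Restoring unconditionally
 * is still the right call, because leaving a third-party hook that forwards
 * into our soon-to-be-unmapped code is worse.
 *
 * OrigNtOpenProcess is deliberately NOT reset to NULL: threads already inside
 * MyNtOpenProcess on other CPUs still read it. Nothing here waits for those
 * threads; the caller (driver unload) must accept that window.
 */
void UnHook()
{
    ULONG *pSSDT = (ULONG *) KeServiceDescriptorTable[0].ServiceTableBase;
    LONG previous;
    DbgPrint("KeServiceDescriptorTable.ServiceTableBase: 0x%X\r\n", pSSDT);

    if (OrigNtOpenProcess == NULL)
    {
        DbgPrint("UnHook: hook was never installed\n");
        return;
    }

    __asm
    {
        cli
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }
    previous = InterlockedExchange((PLONG) &pSSDT[0x7A], (LONG) OrigNtOpenProcess);
    __asm
    {
        mov eax,cr0
        or eax,10000h
        mov cr0,eax
        sti
    }

    if (previous != (LONG) MyNtOpenProcess)
    {
        DbgPrint("UnHook: slot 0x7A did not hold our hook (0x%X); another hook was chained on top\n", previous);
    }
}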
/* Completes IRP_MJ_CREATE and IRP_MJ_CLOSE with success and no payload.
 * DeviceObject is not consulted; the same routine serves both majors. */
NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = status;
    /* The IRP may be freed once completed, so nothing below touches it. */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
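/*
 * IRP_MJ_DEVICE_CONTROL handler. The driver exposes no IOCTLs, so every
 * request is rejected.
 *
 * Fix vs. the original: the IRP was completed with
 * STATUS_INVALID_DEVICE_REQUEST while STATUS_SUCCESS was returned to the I/O
 * manager; the two must agree. The control code is no longer read because
 * nothing dispatches on it. No user-supplied buffer is touched here; any
 * IOCTL added later must validate InputBufferLength/OutputBufferLength before
 * dereferencing the buffers, since this device can be opened from user mode.
 */
NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS ntStatus = STATUS_INVALID_DEVICE_REQUEST;

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = ntStatus;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}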
/* Driver unload: remove the SSDT hook first, then tear down the symbolic
 * link and the device object.
 * NOTE(review): UnHook() does not wait for threads currently executing
 * MyNtOpenProcess on other CPUs; an unload racing such a syscall can fault
 * once the image is unmapped. */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkName;
    PDEVICE_OBJECT dev;

    UnHook();

    RtlInitUnicodeString(&linkName, DEVICE_LINK);
    IoDeleteSymbolicLink(&linkName);

    dev = DriverObject->DeviceObject;
    if (dev)
    {
        IoDeleteDevice(dev);
    }
}
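/*
 * Driver entry point: creates the control device and its symbolic link,
 * registers the dispatch/unload routines, then installs the SSDT hook.
 *
 * Fix vs. the original: when IoCreateSymbolicLink failed, the device was
 * deleted but execution fell through to Hook() and then returned the failure
 * status. A failed DriverEntry is unloaded by the I/O manager WITHOUT calling
 * DriverUnload, so the SSDT slot would have been left pointing into an
 * unmapped image and the next NtOpenProcess call would bug-check. The error
 * path now returns immediately, before the hook is installed.
 *
 * NOTE(review): the device is created with IoCreateDevice and no explicit
 * DACL, so it is openable from user mode with the default device security.
 * Harmless while DispatchIoctl rejects every request; revisit (e.g.
 * IoCreateDeviceSecure with an admin/system-only SDDL) before adding IOCTLs.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus;
    UNICODE_STRING ntUnicodeString;
    UNICODE_STRING ntWin32NameString;
    PDEVICE_OBJECT deviceObject = NULL;

    DbgPrint("DriverEntry: Entering...\n");
    RtlInitUnicodeString(&ntUnicodeString, DEVICE_NAME);
    DbgPrint("DriverEntry: Name of device: %wZ\r\n", &ntUnicodeString);

    ntStatus = IoCreateDevice(
        DriverObject,
        0,
        &ntUnicodeString,
        FILE_DEVICE_UNKNOWN,
        FILE_DEVICE_SECURE_OPEN,
        FALSE,
        &deviceObject
        );
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("DriverEntry: IoCreateDevice error!\n");
        return ntStatus;
    }

    /* Dispatch table: only create/close and (rejected) device control are served. */
    DriverObject->DriverUnload = UnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;

    RtlInitUnicodeString(&ntWin32NameString, DEVICE_LINK);
    DbgPrint("DriverEntry: Symbolic Link of device: %wZ\r\n", &ntWin32NameString);
    ntStatus = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("DriverEntry: IoCreateSymbolicLink error!\n");
        IoDeleteDevice(deviceObject);
        return ntStatus; /* must not reach Hook(): DriverUnload is never called after a failed entry */
    }

    /* Hook last, once every failure path that could leave the driver unloaded is behind us. */
    Hook();
    DbgPrint("DriverEntry: Leaving...\n");
    return ntStatus;
}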
7 楼
这里有两个很好的教材:
WinDBG & VMWare:
02bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4A6L8s2k6W2M7Y4y4@1M7W2)9J5k6i4g2X3K9h3g2K6i4K6u0W2L8%4u0Y4i4K6u0r3L8r3!0@1M7U0m8Q4x3V1k6%4K9h3&6V1j5X3N6Q4x3X3c8$3L8i4N6S2M7X3g2Q4x3X3g2Z5N6r3#2D9
e69K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4c8J5j5h3&6K6L8r3q4@1k6g2)9J5k6h3N6G2L8$3N6D9k6g2)9J5k6h3y4G2L8g2)9J5k6h3S2C8i4K6u0r3N6s2u0S2L8Y4y4D9j5i4c8W2i4K6y4r3K9r3I4Q4x3@1c8*7K9q4)9J5k6q4c8i4i4K6t1$3M7$3I4Q4x3@1c8W2L8W2)9J5y4Y4c8D9i4K6y4p5P5X3S2Q4x3X3c8o6e0W2)9J5y4Y4g2Q4x3@1c8Z5N6s2c8H3i4K6t1#2x3@1q4Q4x3U0f1J5c8W2)9J5y4e0u0r3M7$3W2D9N6X3g2J5M7%4c8J5i4K6u0W2N6h3k6A6k6i4y4Q4x3X3g2G2M7X3N6Q4x3U0f1J5c8X3I4G2N6s2t1H3i4K6t1#2x3V1k6%4K9h3&6V1j5X3N6Q4x3X3c8$3L8i4N6S2M7X3g2Q4x3X3g2Z5N6r3#2D9
473K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4S2N6r3y4Z5x3U0u0Q4x3X3g2F1k6i4c8Q4x3V1k6@1N6i4c8K6i4K6u0r3N6X3#2%4j5i4u0W2
9c4K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4c8J5j5h3&6K6L8r3q4@1k6g2)9J5k6h3N6G2L8$3N6D9k6g2)9J5k6h3y4G2L8g2)9J5k6h3S2C8i4K6u0r3N6s2u0S2L8Y4y4D9j5i4c8W2i4K6y4r3K9r3I4Q4x3@1c8*7K9q4)9J5k6q4c8i4i4K6t1$3M7$3I4Q4x3@1c8W2L8W2)9J5y4Y4g2Q4x3@1c8Z5N6s2c8H3i4K6y4m8i4K6u0r3i4K6u0r3N6%4N6%4i4K6u0W2j5$3q4@1j5$3R3J5x3W2)9J5k6h3&6W2N6q4)9J5c8Y4c8#2N6s2y4Q4x3V1k6$3L8i4N6S2M7X3g2Q4x3U0k6W2K9g2)9K6c8r3f1$3y4Y4W2e0i4K6g2X3P5X3!0u0d9h3&6s2M7V1q4W2d9%4S2@1L8g2u0n7b7g2)9J5y4Y4y4S2i4K6y4p5h3q4)9J5y4X3!0A6i4K6y4p5N6s2u0S2L8Y4y4D9j5i4c8W2i4K6t1$3j5%4c8Q4x3@1c8J5k6i4y4#2L8s2c8Q4x3U0k6J5k6i4y4F1N6h3#2Q4x3@1b7J5i4K6t1$3N6X3g2V1i4K6y4p5x3p5y4n7f1g2p5%4k6@1g2%4b7g2q4Q4x3U0k6H3M7X3g2$3i4K6y4p5i4K6u0r3M7$3g2S2M7X3y4Z5i4K6t1#2x3@1k6I4i4K6t1#2x3@1c8d9k6h3#2G2N6r3g2Q4x3U0f1J5b7X3c8W2j5Y4g2Y4k6$3W2F1k6#2)9J5y4e0u0n7N6$3W2F1k6r3u0Y4i4K6t1#2x3V1u0F1N6h3I4D9i4K6t1#2x3V1u0U0j5h3u0D9k6g2)9J5y4e0t1$3K9r3I4Q4x3U0f1K6c8s2A6Z5i4K6u0V1g2q4N6Q4x3U0f1J5y4Y4y4S2i4K6t1#2x3@1c8s2
8 楼
大神 能透露下QQ吗 好讨论
9 楼
QQ 834919515
10 楼
听说WINDBG可以分析蓝屏的原因 但是我不知道怎么操作