我想 hook win32k 里面的函数来保护窗体。驱动可以正常加载，可是发 IOCTL 的时候就蓝屏，哪位大大帮下忙？部分代码如下：
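/*
 * DriverEntry - driver initialisation.
 *
 * Installs the create/close and device-control dispatch routines, resolves the
 * shadow service table and the csrss process (getShadowTable() and
 * FindCsrssProcess(), defined elsewhere in this driver), creates the control
 * device plus its symbolic link, and resets the protection state globals.
 *
 * pDriverObj      - driver object supplied by the I/O manager.
 * pRegistryString - registry path of the driver's service key (unused here).
 *
 * Returns STATUS_SUCCESS, STATUS_UNSUCCESSFUL when the table/process lookup
 * fails, or the NTSTATUS of the failing IoCreateDevice / IoCreateSymbolicLink
 * call. On every failure path no device object is left behind.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS ntStatus;
    UNICODE_STRING uszDriverString;
    UNICODE_STRING ustrDevName;
    PDEVICE_OBJECT pDeviceObject = NULL;

    (void)pRegistryString;

    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
    /* DispatchIoctl reads through pIrp->AssociatedIrp.SystemBuffer; it is
     * expected to compare InputBufferLength with the size it reads before
     * dereferencing the buffer, otherwise a short or empty request faults. */
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    pDriverObj->DriverUnload = DriverUnload;

    /* Both lookups are prerequisites for the hooks installed later; fail
     * before any device exists so there is nothing to tear down. */
    if (!getShadowTable() || !FindCsrssProcess())
    {
        DbgPrint("getShadowTable() or FindCsrssProcess() failed!\n");
        return STATUS_UNSUCCESSFUL;
    }

    DbgPrint("Loading driver\n");

    /* NOTE(review): the device is created with the default security
     * descriptor, so any local process able to open the link name can reach
     * DispatchIoctl and toggle the hooks. If only privileged callers should
     * be able to do that, create it with IoCreateDeviceSecure and an SDDL
     * string (e.g. SDDL_DEVOBJ_SYS_ALL_ADM_ALL) instead; not changed here
     * because the file's include block is not visible. */
    RtlInitUnicodeString(&ustrDevName, DeviceName);
    ntStatus = IoCreateDevice(pDriverObj,
                              0,
                              &ustrDevName,
                              FILE_DEVICE_UNKNOWN,
                              0,
                              FALSE,
                              &pDeviceObject);
    if (!NT_SUCCESS(ntStatus))
    {
        /* Previously unchecked: on failure pDeviceObject was left
         * uninitialised and the symbolic-link error path below would have
         * handed it to IoDeleteDevice. */
        DbgPrint("IoCreateDevice failed: 0x%08X\n", ntStatus);
        return ntStatus;
    }

    RtlInitUnicodeString(&uszDriverString, LinkName);
    ntStatus = IoCreateSymbolicLink(&uszDriverString, &ustrDevName);
    if (!NT_SUCCESS(ntStatus))
    {
        IoDeleteDevice(pDeviceObject);
        return ntStatus;
    }

    /* Protection starts disabled; the IOCTL handler switches it on. */
    ProtectOn = 0;
    LastForegroundWindow = 0;
    ProtectedProcessID = 0;
    DbgPrint("Driver Loaded.\n");
    return STATUS_SUCCESS;
}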
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
NTSTATUS ntStatus = STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
PVOID ioBuf = pIrp->AssociatedIrp.SystemBuffer;
ULONG inBufLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
ULONG outBufLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
NtUserBuildHwndList_callnumber=0x1138;//0x112e;
NtUserQueryWindow_callnumber=0x11E3;//0x1d2;
NtUserFindWindowEx_callnumber=0x117A;//0x1170;
NtUserGetForegroundWindow_callnumber=0x1194;//0x1189;
switch(uIoControlCode)
{
case IOCTL_PROTECTME:
{
ULONG ProcessID;
ProcessID=*(ULONG *)ioBuf;
ProtectedProcessID=ProcessIdToProcess(ProcessID);
DbgPrint("EPID= %d\n",ProtectedProcessID);
DbgPrint("PID= %d\n",ProcessID);
if (!ProtectOn)
{
DbgPrint("ProtectOff\n");
//Hook
KeAttachProcess(CsrssProcess);
if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserBuildHwndList_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0))
{
OldNtUserQueryWindow=(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber];
OldNtUserBuildHwndList=(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber];
OldNtUserFindWindowEx=(NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber];
OldNtUserGetForegroundWindow=(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber];
__asm
{
cli
mov eax,CR0
and eax,not 0x10000
mov CR0,eax
}
if ((NtUserQueryWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERQUERYWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserQueryWindow_callnumber])=NewNtUserQueryWindow;
if ((NtUserFindWindowEx_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber])=NewNtUserFindWindowEx;
if ((NtUserGetForegroundWindow_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERGETFOREGROUNDWINDOW)(KeServiceDescriptorTableShadow->ServiceTable[NtUserGetForegroundWindow_callnumber])=NewNtUserGetForegroundWindow;
if ((NtUserBuildHwndList_callnumber!=0) && (KeServiceDescriptorTableShadow!=NULL))
(NTUSERBUILDHWNDLIST)(KeServiceDescriptorTableShadow->ServiceTable[NtUserBuildHwndList_callnumber])=NewNtUserBuildHwndList;
__asm
{
mov eax,CR0
xor eax,0x10000
mov CR0,eax
sti
}
ProtectOn=TRUE;
ntStatus=STATUS_SUCCESS;
DbgPrint("ProtectOn\n");
}
}
break;
}