Attribute VB_Name = "mSSDTHookProcess"
' SSDT (System Service Descriptor Table) inspection and patching helpers.
' 32-bit only: every pointer is a Long and table entries are read 4 bytes at a time.
' Kernel memory is reached through GetData/SetData/OpenPhysicalMemory, which are
' defined elsewhere in this project (presumably via \Device\PhysicalMemory); the
' on-disk kernel image is additionally mapped into this process with LoadLibraryEx so
' its untouched service table can be compared against the live one.
Option Explicit
' Maps a PE file into the process without resolving its imports or running entry code.
Private Declare Function LoadLibraryEx Lib "kernel32.dll" Alias "LoadLibraryExA" (ByVal lpLibFileName As String, ByVal hfile As Long, ByVal dwFlags As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32.dll" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetModuleHandle Lib "kernel32.dll" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function FreeLibrary Lib "kernel32.dll" (ByVal hLibModule As Long) As Long
' Raw memory copy between two addresses inside this process (user-mode only).
Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByVal pDestination As Long, ByVal pSource As Long, ByVal Length As Long)
Private Const DONT_RESOLVE_DLL_REFERENCES As Long = &H1
' Module record of the running kernel (first entry of the kernel module list);
' .Base is its load address in kernel space, .ImageName its path.
Dim retKnlMod As SYSTEM_MODULE_INFORMATION
' Handle of the kernel image mapped into this process by InitSSDTModule; 0 when not initialised.
Dim hModule As Long
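Private Function GetKSDTAddr() As Long 'KeServiceDescriptorTable
    ' Kernel virtual address of ntoskrnl!KeServiceDescriptorTable, or 0 on failure.
    ' The symbol is resolved in the copy of the kernel image mapped into this process
    ' (hModule) and the offset is rebased onto the live kernel's load address.
    On Error GoTo GetKSDTAddr_Err
    If (retKnlMod.Base = 0) Then GoTo GetKSDTAddr_Err
    If (hModule = 0) Then GoTo GetKSDTAddr_Err
    Dim pfnProc As Long
    pfnProc = GetProcAddress(hModule, "KeServiceDescriptorTable") 'KeServiceDescriptorTable is exported by the 32-bit kernel
    ' Without this check a failed lookup (pfnProc = 0) would yield Base - hModule,
    ' a bogus kernel address that the callers then read from and write to.
    If (pfnProc = 0) Then GoTo GetKSDTAddr_Err
    GetKSDTAddr = pfnProc - hModule + retKnlMod.Base
GetKSDTAddr_Err:
End Function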
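Public Function GetSDTListCount() As Long 'KeServiceDescriptorTable List Count
    ' Number of entries in the live KiServiceTable, read from the third DWORD of
    ' KeServiceDescriptorTable (offset 8, NumberOfServices). Returns 0 on failure.
    On Error GoTo GetSDTListCount_Err
    If (retKnlMod.Base = 0) Then GoTo GetSDTListCount_Err
    Dim pKSDT As Long
    pKSDT = GetKSDTAddr()
    ' Guard the read: a failed lookup would otherwise dereference kernel address 8.
    If (pKSDT = 0) Then GoTo GetSDTListCount_Err
    GetSDTListCount = GetData(pKSDT + 2 * 4)
GetSDTListCount_Err:
End Function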
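Private Function GetKSTAddr() As Long 'KiServiceTable
    ' Kernel address of KiServiceTable: the first DWORD of KeServiceDescriptorTable
    ' (ServiceTableBase), read from the live kernel. Returns 0 on failure.
    On Error GoTo GetKSTAddr_Err
    Dim pKSDT As Long
    pKSDT = GetKSDTAddr()
    ' Do not read from address 0 when the descriptor table could not be located.
    If (pKSDT = 0) Then GoTo GetKSTAddr_Err
    GetKSTAddr = GetData(pKSDT)
GetKSTAddr_Err:
End Function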
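Public Function GetSSDTFuncRealAddr(ByVal dwFuncOrdinal As Long) As Long 'dwFuncOrdinal is the function's service ID
    ' "Original" address of service dwFuncOrdinal, taken from the KiServiceTable of
    ' the on-disk kernel image mapped into this process rather than from the live
    ' kernel, so a patched live table entry does not influence it (the table pointer
    ' and kernel base are still taken from the live system, though). Returns 0 on
    ' failure or for an out-of-range service ID.
    On Error GoTo GetSSDTFuncRealAddr_Err
    If (hModule = 0) Or (retKnlMod.Base = 0) Then GoTo GetSSDTFuncRealAddr_Err
    Dim pKST As Long
    pKST = GetKSTAddr()
    If (pKST = 0) Then GoTo GetSSDTFuncRealAddr_Err
    ' Reject out-of-range IDs before dereferencing: the table has exactly
    ' GetSDTListCount entries of 4 bytes each.
    If (dwFuncOrdinal < 0) Or (dwFuncOrdinal >= GetSDTListCount()) Then GoTo GetSSDTFuncRealAddr_Err
    ' Translate the live kernel's KiServiceTable pointer into our mapping of the
    ' image; KiServiceTable is laid out like KeServiceDescriptorTable's entries,
    ' one 4-byte address per service.
    Dim pService As Long
    pService = hModule + pKST - retKnlMod.Base
    Dim pfnFunc As Long
    Call CopyMemory(VarPtr(pfnFunc), (pService + dwFuncOrdinal * 4), Len(pfnFunc))
    ' The entry read from the mapped file is treated as an absolute address relative
    ' to the image's preferred base, hard-coded here as &H400000 (the default .exe
    ' link base unless overridden at build time).
    ' NOTE(review): if the loader has already relocated the mapping (hModule is not
    ' &H400000 and the image carries relocations), the conversion should instead be
    ' pfnFunc - hModule + retKnlMod.Base; reading OptionalHeader.ImageBase rather than
    ' a constant would remove both assumptions — confirm against a live system.
    pfnFunc = pfnFunc + retKnlMod.Base
    GetSSDTFuncRealAddr = pfnFunc - &H400000
GetSSDTFuncRealAddr_Err:
End Function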
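Public Function GetSSDTFuncCurrAddr(ByVal dwFuncOrdinal As Long) As Long 'dwFuncOrdinal is the function's service ID
    ' Address currently installed in the live KiServiceTable for service
    ' dwFuncOrdinal, read from kernel memory via GetData; presumably meant to be
    ' compared with GetSSDTFuncRealAddr to spot a hooked entry. Returns 0 on failure
    ' or for an out-of-range service ID.
    On Error GoTo GetSSDTFuncCurrAddr_Err
    Dim pKST As Long
    pKST = GetKSTAddr()
    If (pKST = 0) Then GoTo GetSSDTFuncCurrAddr_Err
    ' Out-of-range IDs would read past the table; each entry is a 4-byte address.
    If (dwFuncOrdinal < 0) Or (dwFuncOrdinal >= GetSDTListCount()) Then GoTo GetSSDTFuncCurrAddr_Err
    GetSSDTFuncCurrAddr = GetData(pKST + dwFuncOrdinal * 4)
GetSSDTFuncCurrAddr_Err:
End Function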
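Public Function GetSSDTFuncOrdinal(ByVal szFuncName As String) As Long 'szFuncName is the service (Nt*/Zw*) export name
    ' Service ID of an ntdll export, recovered from its 32-bit syscall stub, which
    ' begins with "mov eax, imm32" (B8 xx xx xx xx). Returns 0 when the export is
    ' missing or does not start with that opcode. Note that 0 is also a valid service
    ' ID, so callers that must tell the cases apart should check the export separately.
    On Error GoTo GetSSDTFuncOrdinal_Err
    Const OP_MOV_EAX_IMM32 As Byte = &HB8
    Dim hNtdll As Long
    hNtdll = GetModuleHandle("ntdll.dll")
    If (hNtdll = 0) Then GoTo GetSSDTFuncOrdinal_Err
    Dim pfnFunc As Long
    pfnFunc = GetProcAddress(hNtdll, szFuncName)
    If (pfnFunc = 0) Then GoTo GetSSDTFuncOrdinal_Err
    ' Verify the opcode before trusting the immediate. Non-syscall exports (Rtl*, ...)
    ' and stubs overwritten by an inline hook (e.g. an E9 jmp planted in this
    ' process's ntdll) would otherwise yield a garbage ID that is then used to index
    ' the kernel table.
    Dim bOpcode As Byte
    Call CopyMemory(VarPtr(bOpcode), pfnFunc, Len(bOpcode))
    If (bOpcode <> OP_MOV_EAX_IMM32) Then GoTo GetSSDTFuncOrdinal_Err
    Dim dwFuncOrd As Long
    Call CopyMemory(VarPtr(dwFuncOrd), pfnFunc + 1, Len(dwFuncOrd)) 'imm32 follows the B8 opcode
    GetSSDTFuncOrdinal = dwFuncOrd
GetSSDTFuncOrdinal_Err:
End Function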
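Public Function SetSSDTFuncAddr(ByVal dwFuncOrdinal As Long, ByVal pFunction As Long) As Boolean 'dwFuncOrdinal is the function's service ID
    ' Overwrites entry dwFuncOrdinal of the live KiServiceTable with pFunction via
    ' SetData. This is the hook/unhook primitive of the module: pFunction must be a
    ' valid kernel address, otherwise the next call of that service will most likely
    ' bugcheck the machine. Returns False without writing when the table cannot be
    ' located, the index is out of range, or pFunction is 0.
    On Error GoTo SetSSDTFuncAddr_Err
    If (pFunction = 0) Then GoTo SetSSDTFuncAddr_Err
    Dim pKST As Long
    pKST = GetKSTAddr()
    If (pKST = 0) Then GoTo SetSSDTFuncAddr_Err
    ' Never write outside the table: it has GetSDTListCount 4-byte entries.
    If (dwFuncOrdinal < 0) Or (dwFuncOrdinal >= GetSDTListCount()) Then GoTo SetSSDTFuncAddr_Err
    SetSSDTFuncAddr = SetData(pKST + dwFuncOrdinal * 4, pFunction)
SetSSDTFuncAddr_Err:
End Function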
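Public Function InitSSDTModule() As Boolean
    ' Locates the running kernel, maps its on-disk image into this process and opens
    ' the physical-memory accessor. Returns True only when every step succeeded; on
    ' any failure the image mapping acquired so far is released again, so a False
    ' result leaves no dangling handle behind.
    On Error GoTo InitSSDTModule_Err
    Dim retSt As Boolean
    Dim retv() As SYSTEM_MODULE_INFORMATION
    ' Release a mapping left over from an earlier successful call instead of leaking it.
    If (hModule <> 0) Then
        Call FreeLibrary(hModule)
        hModule = 0
    End If
    retv = EnumKernelModule(retSt)
    If (Not retSt) Then GoTo InitSSDTModule_Err
    ' The kernel image (ntoskrnl.exe or one of its variants) is assumed to be the
    ' first module in the list; nothing here verifies the name, so a different
    ' ordering would make every later address computation wrong.
    retKnlMod = retv(0)
    If (retKnlMod.Base = 0) Then GoTo InitSSDTModule_Err
    hModule = LoadLibraryEx(KernelFileAddr, 0, DONT_RESOLVE_DLL_REFERENCES)
    If (hModule = 0) Then GoTo InitSSDTModule_Err
    ' Checked step by step instead of And-ing results together, so a failure here
    ' does not leave the image mapped.
    If (OpenPhysicalMemory = 0) Then GoTo InitSSDTModule_Err
    InitSSDTModule = True
    Exit Function
InitSSDTModule_Err:
    If (hModule <> 0) Then
        Call FreeLibrary(hModule)
        hModule = 0
    End If
    InitSSDTModule = False
End Function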
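Public Function TerminateSSDTModule() As Boolean
    ' Releases the mapped kernel image and the physical-memory accessor. hModule is
    ' zeroed after FreeLibrary so a second call does not free a stale handle.
    ' Returns True only when both releases reported success.
    On Error GoTo TerminateSSDTModule_Err
    Dim freedImage As Boolean
    Dim closedMem As Boolean
    If (hModule <> 0) Then
        ' FreeLibrary returns a BOOL as Long; compare explicitly rather than
        ' relying on Boolean-And-Long mixing to come out non-zero.
        freedImage = (FreeLibrary(hModule) <> 0)
        hModule = 0
    End If
    closedMem = (ClosePhysicalMemory() <> 0)
    TerminateSSDTModule = freedImage And closedMem
    Exit Function
TerminateSSDTModule_Err:
    TerminateSSDTModule = False
End Function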
Public Function KernelFileAddr() As String
    ' Full path of the running kernel's image file, built from the module record
    ' captured by InitSSDTModule: the file-name part of ImageName (the text after
    ' ModuleNameOffset) re-rooted under %SystemRoot%\system32\. Returns "" when the
    ' record is empty or malformed.
    On Error GoTo KernelFileAddr_Err
    Dim imagePath As String
    Dim nulPos As Long
    imagePath = StrConv(retKnlMod.ImageName, vbUnicode)
    If (Len(imagePath) = 0) Then GoTo KernelFileAddr_Err
    ' ImageName is treated as NUL-terminated; keep only the text before the first NUL.
    nulPos = InStr(imagePath, vbNullChar)
    If (nulPos = 0) Then GoTo KernelFileAddr_Err
    imagePath = Left$(imagePath, nulPos - 1)
    ' Strip the directory prefix: ModuleNameOffset is the index where the file name starts.
    imagePath = Right$(imagePath, Len(imagePath) - retKnlMod.ModuleNameOffset)
    ' Collapse a doubled backslash in case SystemRoot already ends with one.
    KernelFileAddr = Replace$(Environ$("SystemRoot") & "\system32\" & imagePath, "\\", "\")
KernelFileAddr_Err:
End Function