/******************************************************************************
**
** FileName : HookShadowSSDT.h
** Version : 0.10
** Author : embedlinux (E-mail: hqulyc@126.com, QQ: 5054-3533)
** Date : 2008-08-04
** Comment :
**
******************************************************************************/
#ifndef __HOOK_SHADOW_SSDT_H__
#define __HOOK_SHADOW_SSDT_H__
#include "HookSysCall.h"
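// Information class for NtQuerySystemInformation that returns the system-wide
// handle table (see SYSTEM_HANDLE_INFORMATION_EX below).  Defined locally
// because the value is not in the public DDK headers this code targets.
#define SystemHandleInformation 16

// hook shadow system call
// Replace the win32k (shadow SSDT) entry at SysCallIndex with pHookFunc and
// keep the displaced entry in pOrigFunc so the hook can forward to it.
// The write goes through MappedSystemCallTable (declared elsewhere; presumably
// a writable mapping of the table) and uses InterlockedExchange so a
// concurrent dispatch observes either the old or the new pointer, never a
// torn value.  The (LONG)/(PLONG) casts assume a 32-bit pointer, i.e. this is
// x86-only; the x64 kernel encodes its tables differently and Kernel Patch
// Protection monitors them.  Every argument is parenthesised so expressions
// can be passed without precedence surprises.
#define HOOK_SHADOW_SYSCALL(SysCallIndex, pHookFunc, pOrigFunc) \
    ((pOrigFunc) = (PVOID)InterlockedExchange( \
        (PLONG)&MappedSystemCallTable[(SysCallIndex)], \
        (LONG)(pHookFunc)))

// unhook shadow system call
// Put pOrigFunc back into the slot.  pHookFunc is accepted for symmetry but
// not used: the restore is unconditional, so if something else replaced the
// slot after us, its entry is overwritten silently.  An
// InterlockedCompareExchange against pHookFunc would detect that case; the
// unconditional form is kept here to preserve the existing behaviour.
#define UNHOOK_SHADOW_SYSCALL(SysCallIndex, pHookFunc, pOrigFunc) \
    InterlockedExchange( \
        (PLONG)&MappedSystemCallTable[(SysCallIndex)], \
        (LONG)(pOrigFunc))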
// One entry of the buffer returned for the SystemHandleInformation class.
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG ProcessId;           // id of the process that owns the handle
    UCHAR ObjectTypeNumber;    // type index of the object the handle refers to
    UCHAR Flags;               // handle attribute flags: 0x01 = PROTECT_FROM_CLOSE, 0x02 = INHERIT
    USHORT Handle;             // handle value; unique among the handles the process has open
    PVOID Object;              // kernel address of the object behind the handle.
                               // The original comment calls it an EPROCESS address;
                               // that only holds for process handles — presumably
                               // the callers filter on ObjectTypeNumber first, confirm.
    ACCESS_MASK GrantedAccess; // access rights granted on the handle
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
// Header of the SystemHandleInformation buffer: a count followed by that many
// entries.  Information[1] is the classic Win32 "variable-length tail" idiom,
// not a genuine one-element array: the real buffer must be allocated from
// NumberOfHandles and indexed only up to NumberOfHandles - 1.  Kept as [1]
// rather than a C99 flexible array member because sizeof() of this struct is
// presumably used in buffer-length arithmetic elsewhere — confirm in the .c.
typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
    ULONG NumberOfHandles;                   // number of valid entries in Information[]
    SYSTEM_HANDLE_INFORMATION Information[1];
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
//Shadow HOOK
// Private kernel structure redeclared locally, presumably because the DDK
// headers used for this build do not expose it.  It is the opaque state that
// KeStackAttachProcess fills in and KeUnstackDetachProcess consumes (see the
// prototypes below); this code never reads the fields itself.  The layout is
// kernel-version specific — NOTE(review): confirm size and alignment against
// the target kernel's ntifs.h, since a too-small object here is overrun by the
// kernel when it saves the attach state on the caller's stack.
typedef struct _KAPC_STATE
{
    LIST_ENTRY ApcListHead[2];
    PVOID Process;
    BOOLEAN KernelApcInProgress;
    BOOLEAN KernelApcPending;
    BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
// Mouse member of the Win32 INPUT union (user-mode winuser.h layout, repeated
// here because kernel headers do not provide it).  Only needed by the
// NtUserSendInput hook, which is currently commented out in this header.
typedef struct tagMOUSEINPUT {
    LONG dx;
    LONG dy;
    DWORD mouseData;
    DWORD dwFlags;
    DWORD time;
    ULONG_PTR dwExtraInfo;
} MOUSEINPUT, *PMOUSEINPUT;
// Keyboard member of the Win32 INPUT union (winuser.h layout, repeated here for
// kernel-mode use).  Used only by the commented-out NtUserSendInput hook.
typedef struct tagKEYBDINPUT {
    WORD wVk;
    WORD wScan;
    DWORD dwFlags;
    DWORD time;
    ULONG_PTR dwExtraInfo;
} KEYBDINPUT, *PKEYBDINPUT;
// Hardware member of the Win32 INPUT union (winuser.h layout, repeated here for
// kernel-mode use).  Used only by the commented-out NtUserSendInput hook.
typedef struct tagHARDWAREINPUT {
    DWORD uMsg;
    WORD wParamL;
    WORD wParamH;
} HARDWAREINPUT, *PHARDWAREINPUT;
// Kernel-side copy of the Win32 INPUT record: a type tag followed by an
// anonymous union of the three input kinds.  The anonymous union is a
// compiler extension in C89/C99 (standard only from C11), which MSVC accepts.
// Because this array arrives from user mode through NtUserSendInput, any hook
// that reads it must treat the contents as untrusted (probe and capture before
// use); the hook itself is commented out further down.
typedef struct tagINPUT {
    DWORD type;            // which union member is valid
    union {MOUSEINPUT mi;
    KEYBDINPUT ki;
    HARDWAREINPUT hi;
    };
}INPUT, *PINPUT;
// Attach the current (system) thread to the address space of a user process.
// These three routines are ntoskrnl exports; the prototypes are repeated here
// presumably because the build's headers do not declare them — confirm, since
// a local prototype that drifts from the real one is not caught by the compiler.
VOID KeStackAttachProcess(
    IN PEPROCESS Process,      // obtained from PsLookupProcessByProcessId
    OUT PKAPC_STATE ApcState   // opaque attach state, handed back to KeUnstackDetachProcess
);
// Undo the attach performed by KeStackAttachProcess with the same ApcState.
VOID KeUnstackDetachProcess(
    IN PKAPC_STATE ApcState
);
// Resolve a process id to its EPROCESS object.
// NOTE(review): the returned EPROCESS carries an object reference that the
// caller must release when done — confirm the .c dereferences it on every path.
NTSTATUS PsLookupProcessByProcessId(
    IN HANDLE ProcessId,       // process id to look up
    OUT PEPROCESS *Process     // receives the process's EPROCESS
);
// HOOK NtUserFindWindowEx
// Function-pointer type mirroring the win32k service that looks up a window by
// parent/child and optional class and window names.  OrigNtUserFindWindowEx
// receives the entry displaced by HOOK_SHADOW_SYSCALL so the hook can forward
// calls to the real implementation.
// NOTE(review): OrigNtUserFindWindowEx is a tentative definition inside a
// header, so every .c that includes this file defines its own copy; declare it
// `extern` here and define it once in the .c if the header is shared.
typedef NTSTATUS (*NTUSERFINDWINDOWEX)(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName OPTIONAL,
    IN PUNICODE_STRING pstrWindowName OPTIONAL,
    IN DWORD dwType
);
NTUSERFINDWINDOWEX OrigNtUserFindWindowEx;
// HOOK NtUserBuildHwndList
// Function-pointer type mirroring the win32k service that enumerates window
// handles: the parameter names suggest the caller supplies a buffer of
// cHwndMax handles at phwndFirst and receives the required count in
// pcHwndNeeded (inferred from the names; confirm against the service).
// OrigNtUserBuildHwndList holds the displaced table entry.
// NOTE(review): tentative definition in a header — same `extern` concern as
// OrigNtUserFindWindowEx.
typedef NTSTATUS (*NTUSERBUILDHWNDLIST)(
    IN HDESK hdesk,
    IN HWND hwndNext,
    IN ULONG fEnumChildren,
    IN DWORD idThread,
    IN UINT cHwndMax,
    OUT HWND *phwndFirst,
    OUT ULONG *pcHwndNeeded
);
NTUSERBUILDHWNDLIST OrigNtUserBuildHwndList;
// HOOK NtUserQueryWindow
// Function-pointer type mirroring the win32k service that returns one
// property of WindowHandle, selected by TypeInformation (which values are
// meaningful is not visible here).  OrigNtUserQueryWindow holds the displaced
// table entry; same `extern` concern as the other Orig* globals.
typedef UINT_PTR (*NTUSERQUERYWINDOW)(
    IN ULONG WindowHandle,
    IN ULONG TypeInformation);
NTUSERQUERYWINDOW OrigNtUserQueryWindow;
// HOOK NtUserGetForegroundWindow
// Function-pointer type mirroring the parameterless win32k service; the
// handle comes back as a ULONG here rather than HWND, which again ties this
// header to 32-bit builds.  OrigNtUserGetForegroundWindow holds the displaced
// table entry; same `extern` concern as the other Orig* globals.
typedef ULONG (*NTUSERGETFOREGROUNDWINDOW)( void );
NTUSERGETFOREGROUNDWINDOW OrigNtUserGetForegroundWindow;
/*
// HOOK NtUserWindowFromPoint
typedef HWND (*NTUSERWINDOWFROMPOINT)( LONG, LONG );
NTUSERWINDOWFROMPOINT OrigNtUserWindowFromPoint;
// HOOK NtUserSetWindowsHookEx
//挂钩NtuserSetWindowsHookex用来拦截全局钩子
typedef HHOOK (*NTUSERSETWINDOWSHOOKEX)(
HINSTANCE Mod,
PUNICODE_STRING UnsafeModuleName,
DWORD ThreadId,
int HookId,
PVOID HookProc,
BOOL Ansi
);
NTUSERSETWINDOWSHOOKEX OrigNtUserSetWindowsHookEx;
// HOOK NtUserGetDC
typedef HDC (*NTUSERGETDC)(HWND hWnd);
NTUSERGETDC OrigNtUserGetDC;
// HOOK NtUserGetDCEx
typedef HDC (*NTUSERGETDCEX)(
HWND hWnd,
HRGN hrgnClip,
DWORD flags
);
NTUSERGETDCEX OrigNtUserGetDCEx;
// HOOK NtUserSendInput
//挂钩NtUserSendInput来拦截键盘鼠标等模拟输入
typedef UINT (*NTUSERSENDINPUT)(
UINT cInputs,
PINPUT pInputs,
int cbSize
);
NTUSERSENDINPUT OrigNtUserSendInput;
*/
/******************************************************************/
// Replacement service routines that HOOK_SHADOW_SYSCALL installs in place of
// the win32k originals (signatures match the NTUSER* typedefs above).  Each
// must keep the exact parameter list, return type and calling convention of
// the service it replaces: the service dispatcher does not type-check the
// entry, so a mismatch corrupts the caller's stack.
// NOTE(review): no calling-convention keyword is given; confirm the build's
// default matches the win32k services (x86 kernel builds normally use /Gz,
// i.e. __stdcall).
// From a defender's side, these are exactly what a table-integrity check
// finds: a shadow-table slot whose target lies outside win32k.sys's image.
NTSTATUS HookOfNtUserFindWindowEx(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName OPTIONAL,
    IN PUNICODE_STRING pstrWindowName OPTIONAL,
    IN DWORD dwType
);
NTSTATUS HookOfNtUserBuildHwndList(
    IN HDESK hdesk,
    IN HWND hwndNext,
    IN ULONG fEnumChildren,
    IN DWORD idThread,
    IN UINT cHwndMax,
    OUT HWND *phwndFirst,      // user-supplied buffer: treat as untrusted, probe before use
    OUT ULONG* pcHwndNeeded    // likewise
);
UINT_PTR HookOfNtUserQueryWindow(
    IN ULONG WindowHandle,
    IN ULONG TypeInformation
);
ULONG HookOfNtUserGetForegroundWindow(VOID);
/*
HWND HookOfNtUserWindowFromPoint(LONG x, LONG y);
HHOOK HookOfNtUserSetWindowsHookEx(
HINSTANCE Mod,
PUNICODE_STRING UnsafeModuleName,
DWORD ThreadId,
int HookId,
PVOID HookProc,
BOOL Ansi
);
HDC HookOfNtUserGetDC(HWND hWnd);
HDC HookOfNtUserGetDCEx(HWND hWnd, HRGN hrgnClip, DWORD flags);
UINT HookOfNtUserSendInput(
UINT cInputs,
PINPUT pInputs,
int cbSize
);
*/
/*********************************************************************/
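// Driver-level entry points implemented in the .c.  None takes arguments;
// the prototypes now say (void) explicitly, because an empty () in C declares
// an unprototyped function and turns off argument checking at call sites.
// A definition written as `f()` in the .c remains compatible with `f(void)`.

// Start the shadow hook: install the HookOf* routines into the table.
NTSTATUS HookShadowTable(void);
// Stop the shadow hook: presumably restores the saved Orig* entries via
// UNHOOK_SHADOW_SYSCALL — confirm in the .c.
NTSTATUS UnHookShadowTable(void);
// Presumably resolves the service indices handed to HOOK_SHADOW_SYSCALL;
// not visible here, confirm in the .c.
VOID InitSysCallIndex(void);
// Returns the address of the shadow service table as an unsigned int, i.e. a
// 32-bit value: correct only on x86, truncated on x64 (where Kernel Patch
// Protection monitors the tables in any case).
unsigned int GetAddressOfShadowTable(void);
// Returns the shadow table as a ULONG — same 32-bit-only caveat; how it
// differs from GetAddressOfShadowTable is not visible in this header.
ULONG GetShadowTable(void);
// Returns the process id of csrss.exe (name-based inference; confirm).
// Presumably used with PsLookupProcessByProcessId/KeStackAttachProcess above
// so the table is reached from a process in which win32k is mapped.
ULONG GetCsrPid(void);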
#endif //__HOOK_SHADOW_SSDT_H__