Navegando como siempre cuando hay algo de tiempo...he visto esto...
unit ZwOpenProcessHook;
ZwOpenProcess Hook
Compile it with Meerlat 1.1 (See Kernel-mode section)
Use DbgView to capture the debug output.
interface

// Units from the kernel-mode SDK this driver is built against (the post names
// "Meerlat 1.1"); KernelUtils is the second listing on this page and supplies
// SystemServiceName / GetImportFunAddr and the CR0 write-protection helpers.
uses
  nt_status,
  ntoskrnl,
  fcall,
  KernelUtils;

// Driver entry point. Registers DriverUnload and, on every load, replaces the
// ZwOpenProcess entry of the system service table with a logging pass-through
// (see the implementation section). Returns STATUS_SUCCESS unconditionally.
function _DriverEntry(
  DriverObject: PDriverObject;
  RegistryPath: PUnicodeString
): NTSTATUS; stdcall;
implementation

type
  // Calling contract of the native ZwOpenProcess service. The same type is
  // used for the saved original entry and for the replacement, so the two can
  // be swapped in the service table without changing how callers reach them.
  TZwOpenProcess = function(
    ProcessHandle: PHandle;
    DesiredAccess: TAccessMask;
    ObjectAttributes: PObjectAttributes;
    ClientId: PClientId
  ): NTSTATUS; stdcall;

var
  // True while the service-table slot points at ZwOpenProcessHookProc.
  // Set in _DriverEntry, cleared in DriverUnload.
  HookActive: Boolean;
  // Whatever the service-table slot held before the swap (the original
  // ZwOpenProcess entry); ZwOpenProcessHookProc forwards to it.
  ZwOpenProcessNextHook: TZwOpenProcess;
  // Assigned once in _DriverEntry but never read anywhere in this unit
  // (SystemServiceName in KernelUtils uses its own local copy).
  lpKeServiceDescriptorTable: PServiceDescriptorEntry;
// Replacement for the ZwOpenProcess service-table entry.
// Pure pass-through: logs the four raw arguments, forwards them unchanged to
// the saved original entry, logs the returned NTSTATUS and returns it. Nothing
// is filtered or altered, so access checks are still performed by the original.
// Once installed this runs in the context of every caller of ZwOpenProcess;
// the DbgPrint lines are what DbgView shows (see the notes above the listing).
function ZwOpenProcessHookProc(ProcessHandle: PHandle; DesiredAccess: TAccessMask; ObjectAttributes: PObjectAttributes; ClientId: PClientId): NTSTATUS; stdcall;
begin
  // Arguments are printed as raw 32-bit values (pointers and the access mask).
  DbgPrint('ZwOpenProcess HookProc: NewZwOpenProcess(ProcessHandle:0x%.8X,DesiredAccess:0x%.8X,ObjectAttributes:0x%.8X,ClientId:0x%.8X)',
    ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
  // Forward to the original entry captured at install time.
  Result := ZwOpenProcessNextHook(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
  DbgPrint('ZwOpenProcess HookProc: NewZwOpenProcess(-):0x%.8X', Result);
end;
// Unload callback registered by _DriverEntry.
// If the hook is active, writes the saved original entry back into the
// ZwOpenProcess service-table slot (with write protection temporarily cleared
// by KernelUtils), logs the before/after addresses and clears HookActive.
// NOTE(review): nothing here waits for threads that are still executing inside
// ZwOpenProcessHookProc at the moment of the swap; with no synchronization
// visible, unloading while a call is in flight is a known risk of this pattern.
procedure DriverUnload(DriverObject: PDriverObject); stdcall;
begin
  if (HookActive) then
  begin
    DisableWriteProtection();
    // Atomically put the original entry back; the exchange returns the value
    // that was in the slot (the hook address) into ZwOpenProcessNextHook.
    ZwOpenProcessNextHook := TZwOpenProcess(InterlockedExchange(SystemServiceName(GetImportFunAddr(@ZwOpenProcess)), LONG(@ZwOpenProcessNextHook)));
    EnableWriteProtection();
    DbgPrint('ZwOpenProcess New Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwOpenProcess))^);
    // After the exchange this variable holds the hook address, not the original.
    DbgPrint('ZwOpenProcess Old Address: 0x%.8X', DWORD(@ZwOpenProcessNextHook));
    HookActive := False;
  end;
  DbgPrint('DriverUnload(-)');
end;
// Driver entry point.
// Registers DriverUnload, logs a number of addresses for debugging, then
// installs ZwOpenProcessHookProc into the ZwOpenProcess slot of the system
// service table and saves the previous entry in ZwOpenProcessNextHook.
// Always returns STATUS_SUCCESS (nothing below can fail and report it).
// NOTE(review): the table write assumes a 32-bit x86 kernel whose service
// table can be patched once CR0.WP is cleared (4-byte entries, 32-bit CR0
// access in KernelUtils); the service-table slot then points outside the
// kernel image, which is exactly what integrity checks and SSDT scanners
// look for.
function _DriverEntry(DriverObject: PDriverObject; RegistryPath: PUnicodeString): NTSTATUS; stdcall;
begin
  Result := STATUS_SUCCESS;
  DriverObject^.DriverUnload := @DriverUnload;
  // Printed before any work is done, despite the "(-)" exit-style marker.
  DbgPrint('DriverEntry(-):0x%.8X', Result);
  // Stored in the unit-level variable but not read anywhere in this unit.
  lpKeServiceDescriptorTable := GetImportFunAddr(@KeServiceDescriptorTable);
  // Forced to False here, so the "else" branch below is never taken.
  HookActive := False;
  DbgPrint('ZwOpenProcess Import Address: 0x%.8X', GetImportFunAddr(@ZwOpenProcess));
  DbgPrint('KeServiceDescriptorTable() Address 1: 0x%.8X', @KeServiceDescriptorTable);
  DbgPrint('KeServiceDescriptorTable() Address 2: 0x%.8X', PPointer(@KeServiceDescriptorTable)^);
  DbgPrint('ZwOpenProcess Name Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwOpenProcess))^);
  DbgPrint('ZwOpenProcess HookProc Address: 0x%.8X', @ZwOpenProcessHookProc);
  if not HookActive then
  begin
    DisableWriteProtection();
    // Swap the slot: the previous entry (the original ZwOpenProcess) comes
    // back from InterlockedExchange and is kept for forwarding and for unload.
    ZwOpenProcessNextHook := TZwOpenProcess(InterlockedExchange(SystemServiceName(GetImportFunAddr(@ZwOpenProcess)), LONG(@ZwOpenProcessHookProc)));
    EnableWriteProtection();
    DbgPrint('ZwOpenProcess New Address: 0x%.8X', SystemServiceName(GetImportFunAddr(@ZwOpenProcess))^);
    DbgPrint('ZwOpenProcess Old Address: 0x%.8X', DWORD(@ZwOpenProcessNextHook));
    HookActive := True;
  end else
  begin
    // Unreachable: HookActive was just set to False above.
    DbgPrint('ZwOpenProcess Hooked');
  end;
end;
end.
// The "unit ...;" header of this listing is not shown on the page; from the
// first listing's uses clause this is presumably the KernelUtils unit.
interface

uses
  nt_status,
  ntoskrnl;

// Returns a pointer to the system-service-table slot belonging to the Zw*
// stub at AFunc (the service index is read out of the stub itself).
function SystemServiceName(AFunc: Pointer): PLONG; stdcall;
// Resolves an import thunk to the address it currently points at.
function GetImportFunAddr(lpImportAddr: Pointer): Pointer; stdcall;
// Returns a pointer to the system-service-table slot with index iOrd.
function SystemServiceOrd(iOrd: ULONG): PLONG; stdcall;
// Restore / clear the CR0.WP bit around a write to read-only kernel memory.
// Must be called as a Disable/Enable pair; see the notes on each routine.
procedure EnableWriteProtection(); stdcall;
procedure DisableWriteProtection(); stdcall;

// CR0 value saved by DisableWriteProtection and restored by
// EnableWriteProtection. A single global, so the pair is not reentrant.
var uCr0: ULONG;
implementation
// Clears the write-protect bit (CR0 bit 16, WP) so that supervisor-mode
// writes to read-only pages are no longer faulted.
// Sequence: cli (mask interrupts on the current processor), save CR0 into
// the global uCr0, clear bit 16, write CR0 back. eax is preserved.
// NOTE(review): CR0 and the interrupt flag are per-processor state; this only
// affects the CPU the call runs on, and interrupts stay masked until
// EnableWriteProtection executes its sti. Because uCr0 is a single global,
// nested or concurrent use would overwrite the saved value.
procedure DisableWriteProtection(); stdcall;
begin
  asm
    cli
    push eax
    mov eax, cr0
    mov [uCr0], eax
    and eax, not 00010000h
    mov cr0, eax
    pop eax
  end;
end;
// Counterpart of DisableWriteProtection: writes the CR0 value saved in uCr0
// back into CR0 (restoring WP as it was) and re-enables interrupts with sti.
// eax is preserved. Assumes DisableWriteProtection ran first on this same
// processor; calling it on its own restores whatever uCr0 happens to hold.
procedure EnableWriteProtection(); stdcall;
begin
  asm
    push eax
    mov eax, [uCr0]
    mov cr0, eax
    pop eax
    sti
  end;
end;
// Resolves an import thunk to the address it currently refers to.
// Reads the 32-bit pointer stored 2 bytes past lpImportAddr, then
// dereferences it once more. NOTE(review): this matches an indirect-jump
// thunk (`jmp dword ptr [slot]`, 2 opcode bytes then the slot address) —
// confirm against the compiler's import stubs; anything else is misread.
// No validation is done on either pointer.
function GetImportFunAddr(lpImportAddr: Pointer): Pointer; stdcall;
begin
  Result := PPointer(PPointer(Cardinal(lpImportAddr) + 2)^)^;
end;
// Returns a pointer to the system-service-table slot used by the Zw* stub at
// AFunc. The service index is read as the 32-bit value at AFunc + 1 (the
// immediate of the stub's first instruction — assumes the usual
// `mov eax, <index>` stub layout; TODO confirm for the target kernel) and the
// slot is ServiceTableBase + 4 * index, i.e. a 32-bit table layout.
// The result is a raw kernel address; nothing checks that AFunc or the
// computed slot is valid.
function SystemServiceName(AFunc: Pointer): PLONG; stdcall;
// Local copy; unrelated to the same-named variable in the hook unit.
var lpKeServiceDescriptorTable: PServiceDescriptorEntry;
begin
  lpKeServiceDescriptorTable := GetImportFunAddr(@KeServiceDescriptorTable);
  Result := PLONG(Cardinal(lpKeServiceDescriptorTable^.ServiceTableBase) + (SizeOf(ULONG) * PULONG(ULONG(AFunc) + 1)^));
end;
// Same lookup as SystemServiceName, but for a caller-supplied service index
// rather than one read out of a stub: ServiceTableBase + 4 * iOrd.
// The double PLONG() cast is redundant; one cast would do.
// No bounds check against the table length.
function SystemServiceOrd(iOrd: ULONG): PLONG; stdcall;
var lpKeServiceDescriptorTable: PServiceDescriptorEntry;
begin
  lpKeServiceDescriptorTable := GetImportFunAddr(@KeServiceDescriptorTable);
  Result := PLONG(PLONG(Cardinal(lpKeServiceDescriptorTable^.ServiceTableBase) + (SizeOf(ULONG) * iOrd)));
end;
end.
Fuente:
Espero que os sirva...
Saludos !