
SSDT NtReadVirtualMemory HOOK出现异常求高手

2013-10-04 

SSDT NtReadVirtualMemory HOOK出现错误求高手
分数就这么多了,希望帮忙。第一个 HOOK 没有问题,能正常运行;第二个写进去之后,打开其他软件就提示内存无法操作,最后蓝屏。按道理第二个和第一个的写法是一样的,不知道哪里错了,求大侠指点。
这是SSDT原始地址数据
CreateProcess    |    0xA277030C     
186 NtReadVirtualMemory           |    0xA88B5B02           |    0x805B52F6    
第一个
0x805B52F6    |    B8 24DD76A2    |    mov eax, A276DD24    | HOOK       
0x805B52FB    |    FFE0           |    jmp eax              |  
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
0x805B52F6    |    6A 1C    |    push 1C    |       nohook 
0x805B52F8    |    68 F0AE4D80    |    push 804DAEF0    |        
        
第二个
0x805B53FA    |    CC    |    int3    |  hook      
0x805B53FB    |    CC    |    int3    |        
0x805B53FC    |    CC    |    int3    |        
0x805B53FD    |    CC    |    int3    |        
0x805B53FE    |    CC    |    int3    |   805B53FE- 805B52F6 =0x108 (264)  
0x805B53FF    |    CC    |    int3    |        
0x805B5400    |    B8 02DE76A2    |    mov eax, A276DE02    |        
0x805B5405    |    FFE0    |    jmp eax    |        
0x805B5407    |    E8 3479F8FF    |    call 8053CD40    | 
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<       
0x805B53FA    |    CC    |    int3    |   nohook     
0x805B53FB    |    CC    |    int3    |        
0x805B53FC    |    CC    |    int3    |        
0x805B53FD    |    CC    |    int3    |        
0x805B53FE    |    CC    |    int3    |        
0x805B53FF    |    CC    |    int3    |        
0x805B5400    |    6A 1C    |    push 1C    |        
0x805B5402    |    68 08AF4D80    |    push 804DAF08    |        
0x805B5407    |    E8 3479F8FF    |    call 8053CD40    | 



// Stores nOldFunctionAddr into entry nSSDTIndex of the table reached through
// KeServiceDescriptorTable (entry address = table base + nSSDTIndex * 4).
// The store is bracketed by MemoryWritable()/MemoryNotWritable(), which are
// defined elsewhere; presumably they lift and restore write protection around
// the store -- TODO confirm.
// NOTE(review): nSSDTIndex is not range-checked, so an out-of-range value makes
// the store land outside the table. Addresses are carried in int and entries
// are addressed as 4-byte slots, so this is only meaningful on a 32-bit build.
// NOTE(review): the update is a plain store with no synchronization visible
// here; other processors may be dispatching through the table at the same time.
void SSDTUnHookEngine(int nSSDTIndex,int nOldFunctionAddr)//this one performs the write
{
MemoryWritable();

__asm
{
// ebx = byte offset of the entry (index * 4)
mov ebx,nSSDTIndex
shl ebx,2
// load KeServiceDescriptorTable and dereference once; the result is used as the table base
mov eax,KeServiceDescriptorTable
mov eax,[eax]
add eax,ebx
// overwrite the entry with the caller-supplied value
mov ecx,nOldFunctionAddr
mov [eax],ecx
}

MemoryNotWritable();
}
// File-scope state shared between the Hook*/UnHook* routines and the naked
// handlers. All values are kernel addresses stored in int (32-bit only).
int nNtReadVirtualMemoryAddr;//start address of this function (value returned by GetSSDTFunctionAddr(186))


int nNtReadVirtualMemoryAddr_3;//dword read from nNtReadVirtualMemoryAddr+3
int nNtReadVirtualMemoryAddrJmp;//address our handler jumps to (nNtReadVirtualMemoryAddr+7)


int nNtReadVirtualMemoryAddr2;//start address of this function (nNtReadVirtualMemoryAddr+266)
int nNtReadVirtualMemoryAddr_23;//dword read from nNtReadVirtualMemoryAddr2+3
int nNtReadVirtualMemoryAddrJmp2;//address our handler jumps to (nNtReadVirtualMemoryAddr2+7)
// Handler that HookReadVirtualMemory places in service-table entry 186.
// It is declared naked, so the compiler emits no prologue or epilogue and
// control leaves only through the jmp instructions below.
// PanDuanProcessName is defined elsewhere; presumably it reports whether the
// calling process has the given image name -- TODO confirm.
// NOTE(review): the C-level call runs inside a naked function, i.e. without a
// compiler-built frame, and whatever the callee leaves in the volatile
// registers is what the continued routine sees -- verify this is acceptable
// on the system-call path.
// NOTE(review): nNtReadVirtualMemoryAddr_3 is used as a jump target in the
// first branch and as a pushed operand in the second; per the dump in the post
// the dword at offset 3 of the unpatched routine is the operand of its second
// push instruction, so using it as a code address looks inconsistent -- confirm.
__declspec(naked) void MyNtReadVirtualMemory()
{
if(PanDuanProcessName("xxx.exe"))
{
__asm
{
// name matched: transfer control using the saved dword
jmp nNtReadVirtualMemoryAddr_3
}
}

__asm
{
// name not matched: repeat the two push instructions shown at the start of the
// unpatched routine in the post's dump, then continue at routine start + 7,
// i.e. just past those first 7 bytes
push 0x1c
push nNtReadVirtualMemoryAddr_3
jmp nNtReadVirtualMemoryAddrJmp
}


}
// Handler that HookReadVirtualMemory2 places in service-table entry 186.
// Same shape as MyNtReadVirtualMemory, but it uses the globals derived from
// nNtReadVirtualMemoryAddr2 (nNtReadVirtualMemoryAddr + 266).
// It is declared naked: no compiler prologue or epilogue, and control leaves
// only through the jmp instructions below.
// PanDuanProcessName is defined elsewhere; presumably it reports whether the
// calling process has the given image name -- TODO confirm.
// NOTE(review): every caller of service 186 that takes the second branch is
// continued inside the routine that starts at +266, which the dump in the post
// shows as a separate entry point preceded by int3 padding. Callers of entry
// 186 would then execute a different routine than the one they requested,
// which is consistent with the memory errors and bugcheck reported -- confirm.
__declspec(naked) void MyNtReadVirtualMemory2()
{
if(PanDuanProcessName("xxx.exe"))
{
__asm
{

// name matched: transfer control using the saved dword
jmp nNtReadVirtualMemoryAddr_23
}
}

__asm
{
// name not matched: repeat the first two push instructions of the routine at
// +266, then continue 7 bytes into it
push 0x1c
push nNtReadVirtualMemoryAddr_23
jmp nNtReadVirtualMemoryAddrJmp2
}


}
// Records the address currently held in service-table entry 186, derives the
// two values the naked handler needs, and then replaces entry 186 with
// MyNtReadVirtualMemory through SSDTHookEngine (defined elsewhere).
// NOTE(review): 186 is hard-coded; the dump in the post labels that row
// NtReadVirtualMemory, but service indices differ between kernel builds.
// NOTE(review): offsets 3 and 7 assume the routine starts with the 2-byte and
// 5-byte push instructions shown in the dump. The bytes are not checked before
// use, so if the routine start has been modified (the post shows a mov/jmp
// variant) the dword read at +3 is not the expected operand.
// NOTE(review): the dump lists both a current and an original address for
// entry 186; a replaced entry shows up the same way in any table-versus-image
// comparison.
VOID HookReadVirtualMemory()
{
// address currently stored in entry 186
nNtReadVirtualMemoryAddr=GetSSDTFunctionAddr(186);
// dword located 3 bytes into the routine (first holds the pointer, then the value read through it)
nNtReadVirtualMemoryAddr_3= nNtReadVirtualMemoryAddr+3;
nNtReadVirtualMemoryAddr_3=*((int*)nNtReadVirtualMemoryAddr_3);
// resume point 7 bytes into the routine
nNtReadVirtualMemoryAddrJmp=nNtReadVirtualMemoryAddr+7;

// globals must be populated before the handler becomes reachable
SSDTHookEngine(186,(int)MyNtReadVirtualMemory);
//DbgPrint("nNtReadVirtualMemoryAddr=%x\n",nNtReadVirtualMemoryAddr);

}

// Writes the address saved by HookReadVirtualMemory back into entry 186.
// NOTE(review): if HookReadVirtualMemory never ran, nNtReadVirtualMemoryAddr is
// still its zero-initialized value and 0 is written into the entry.
VOID UnHookReadVirtualMemory()
{
SSDTUnHookEngine(186,nNtReadVirtualMemoryAddr);
}
// Derives a second set of values from the address 266 bytes past
// nNtReadVirtualMemoryAddr and replaces service-table entry 186 with
// MyNtReadVirtualMemory2 through SSDTHookEngine (defined elsewhere).
// NOTE(review): nNtReadVirtualMemoryAddr is only assigned in
// HookReadVirtualMemory in the visible source; if that has not run, the base
// is 0 and the read below dereferences address 269.
// NOTE(review): 266 is a distance taken from one specific kernel image (the
// post computes it from its own dump) and the bytes at the target are not
// checked before being read.
// NOTE(review): the address comes from a different routine than the one entry
// 186 designates, yet index 186 is reused for the table write; the index and
// the routine should be confirmed to belong together.
VOID HookReadVirtualMemory2()
{
// start of the routine located 266 bytes after the first one
nNtReadVirtualMemoryAddr2= nNtReadVirtualMemoryAddr+266;
// dword located 3 bytes into that routine (first holds the pointer, then the value read through it)
nNtReadVirtualMemoryAddr_23= nNtReadVirtualMemoryAddr2+3;
nNtReadVirtualMemoryAddr_23=*((int*)nNtReadVirtualMemoryAddr_23);
// resume point 7 bytes into that routine
nNtReadVirtualMemoryAddrJmp2=nNtReadVirtualMemoryAddr2+7;

SSDTHookEngine(186,(int)MyNtReadVirtualMemory2);

}

// Writes nNtReadVirtualMemoryAddr2 into service-table entry 186.
// NOTE(review): nNtReadVirtualMemoryAddr2 is nNtReadVirtualMemoryAddr + 266,
// not the value that was read from entry 186, so after this call the entry
// does not hold its original contents -- confirm whether that is intended.
VOID UnHookReadVirtualMemory2()
{
SSDTUnHookEngine(186,nNtReadVirtualMemoryAddr2);
}



[解决办法]
虽然帮不上什么忙,还是先帮你顶一下吧!
