学系统内核,自己写驱动想搞点高级功能。我写了一个驱动,Hook 了一个内核函数并取得成功。在驱动中定义了一个全局变量,然后用作缓存,来存取我 Hook 函数中想要的参数。结果 Hook 也没问题,正常走进我的流程,一旦到我将想要得到的参数存到我的全局变量就出错蓝屏了。我查页属性都是可读可写的,为啥不行呢?如果回答得好,我会提高豆豆数量。
蓝屏报的错误也不清楚,看不出来怎么改。
系统 xp sp3
🙈把代码放上去吧,反正以后我是放到博文里面的:
#include <ntifs.h>
#include <ntddk.h>
/* Absolute address of the patched instruction inside the kernel image; computed in DriverEntry. */
int HookAddr = 0;
/* Value of EDI captured by HookSwapContext on each entry; printed by DPCRoutine. */
unsigned int OldThread = 0;
/* The 8 bytes HookProc writes over HookAddr with a single cmpxchg8b:
 * byte 0    E9            jmp rel32 (rel32 in bytes 1..4 is filled in by DriverEntry)
 * bytes 5-7 9C 8B 0B      written back as-is, so they must be identical to the original
 *                         bytes at HookAddr+5 on the targeted kernel build
 * NOTE(review): the trailing bytes and the offset used for HookAddr are build-specific — verify. */
char shellcode[8] = { 0xE9,0,0,0,0 ,0x9c,0x8b,0x0b };
/* Periodic report: one-shot timer that DPCRoutine re-arms itself. */
KDPC dpc = { 0 };
KTIMER timer = { 0 };
/* Relative due time (negative, 100 ns units); set in DriverEntry. */
LARGE_INTEGER duringtime = { 0 };
/* DPC body for the report timer: prints the last value captured in OldThread and
 * re-queues the same timer, so the report repeats at the interval held in duringtime.
 * Runs at DISPATCH_LEVEL; the DPC/timer/context arguments are unused. */
VOID DPCRoutine(_In_ struct _KDPC* Dpc, _In_opt_ PVOID DeferredContext,
                _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2)
{
    (void)Dpc;
    (void)DeferredContext;
    (void)SystemArgument1;
    (void)SystemArgument2;

    DbgPrint("Report Per 2s : Calls Old Thread %x \n", OldThread);

    /* KeSetTimer arms a one-shot timer, so it has to be re-armed from here every time. */
    KeSetTimer(&timer, duringtime, &dpc);
}
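/* Detour body reached through the 5-byte jmp that HookProc writes at HookAddr.
 * Control arrives with the register state of the patched function, so the instruction
 * the jmp displaced is re-executed first, EDI is recorded, and execution resumes at
 * HookAddr+5. Naked: no prologue/epilogue; only EAX is clobbered (see below). */
void __declspec(naked) HookSwapContext()
{
    __asm
    {
        int 3;                              // fires on every entry: needs an attached kernel debugger,
                                            // otherwise the breakpoint exception is unhandled in kernel
                                            // mode and the system bugchecks
        mov byte ptr es : [esi + 2Dh] , 2;  // re-execute the instruction displaced by the jmp
        // The LOCK prefix is only defined for read-modify-write instructions (ADD, XCHG,
        // CMPXCHG, ...); "lock mov" raises #UD (invalid opcode), which in kernel mode is
        // an unhandled exception -> bugcheck. That was the crash on this line. A naturally
        // aligned 32-bit store is already a single atomic write, so no prefix is needed.
        mov [OldThread], edi;
        mov eax, [HookAddr];
        add eax, 5;                         // resume address: just past the 5-byte jmp
        push eax;                           // push/ret instead of jmp so no other register is touched;
        ret;                                // NOTE(review): EAX is not restored — verify the patched
                                            // code does not rely on EAX at HookAddr+5
    }
}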
/* Returns the load address of the kernel image by walking per-processor data, without any
 * API call. x86-only; naked asm, result in EAX.
 * NOTE(review): on x86 fs:[34h] is KPCR.KdVersionBlock, +18h its PsLoadedModuleList pointer,
 * [eax] the list head's Flink (first loader entry, i.e. the kernel) and +18h that entry's
 * DllBase — XP-era layout, verify against the target build. None of the four dereferences is
 * checked for NULL. */
unsigned int __declspec(naked) GetKernelBase()
{
    __asm
    {
        mov eax, fs: [34h] ;      // KPCR.KdVersionBlock (see note above)
        mov eax, [eax + 18h];     // -> PsLoadedModuleList
        mov eax, [eax];           // -> first LDR_DATA_TABLE_ENTRY
        mov eax, [eax + 18h];     // -> DllBase
        ret;
    }
}
/* Installs the detour: replaces the 8 bytes at HookAddr with shellcode in one cmpxchg8b
 * (compare-and-swap), so a partially written jmp is never visible. All general registers
 * and flags are saved/restored around the exchange. Naked; no return value.
 * NOTE(review): the ZF result of cmpxchg8b is not checked — if the 8 bytes changed between
 * the read (mov eax/edx) and the exchange, the patch is silently not applied. No check is made
 * that the target page is writable, and the original 8 bytes are not saved anywhere, so there
 * is nothing to restore at unload. */
void __declspec(naked) HookProc()
{
    _asm
    {
        pushad;
        pushfd;
        xor edx, edx;                       // overwritten by "mov edx, [edi + 4]" below; no effect
        lea esi, shellcode;
        mov ebx, [esi];                     // ecx:ebx = the 8 replacement bytes (shellcode[0..7])
        mov ecx, [esi + 4];
        mov edi, [HookAddr];
        mov eax, [edi];                     // edx:eax = current 8 bytes at the target
        mov edx, [edi + 4];
        lock cmpxchg8b qword ptr[edi];      // write ecx:ebx only if [edi] still equals edx:eax
        popfd;
        popad;
        ret;
    }
}
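/* Driver unload: stops the periodic report timer. Returns STATUS_SUCCESS.
 *
 * NOTE(review): the jmp written by HookProc is NOT removed here. HookProc never saves the
 * original 8 bytes, so there is nothing to write back; once this image is unmapped, the next
 * execution of the patched code path jumps into freed memory and the system crashes. The
 * original bytes need to be captured at patch time and restored (same 8-byte cmpxchg8b)
 * before this routine returns.
 * NOTE(review): PDRIVER_UNLOAD is declared VOID; returning NTSTATUS only works by accident of
 * the x86 calling convention. */
NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;

    /* DPCRoutine re-arms the timer from inside the DPC, so a single KeCancelTimer can lose
     * the race with a DPC that is already queued or running: cancel, wait for in-flight DPCs
     * to finish, then cancel again to catch a re-arm that happened meanwhile. A DPC queued in
     * the tiny window between the flush and the second cancel is still not covered; a
     * "stopping" flag tested by DPCRoutine before KeSetTimer would close that window. */
    KeCancelTimer(&timer);
    KeFlushQueuedDpcs();
    KeCancelTimer(&timer);

    DbgPrint("Unloaded Successfully!");
    return STATUS_SUCCESS;
}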
/* Driver entry: installs the detour and starts the periodic report. Always returns
 * STATUS_SUCCESS. DbgBreakPoint() is unconditional, so a kernel debugger is expected to be
 * attached. HookAddr is a fixed offset (0x6A8E2) into the kernel image, i.e. the hook only
 * matches the kernel build it was worked out for; no version check is made. */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;

    DbgPrint("Loaded Successfully!");
    DriverObject->DriverUnload = UnloadDriver;
    DbgBreakPoint();

    /* Locate the kernel image and the instruction to patch. */
    unsigned int kernel_base = GetKernelBase();
    HookAddr = kernel_base + 0x6A8E2;

    /* Fill in the rel32 of the E9 jmp in shellcode: target minus end of the jmp (HookAddr + 5). */
    unsigned int rel32 = (int)HookSwapContext - HookAddr - 5;
    RtlCopyMemory(&shellcode[1], &rel32, 4);

    /* Periodic report DPC; relative due time of 20,000,000 * 100 ns = 2 s. */
    KeInitializeTimer(&timer);
    KeInitializeDpc(&dpc, DPCRoutine, NULL);
    duringtime.QuadPart = -20 * 1000 * 1000;

    /* shellcode is complete now, so the patch can be written, then the timer armed. */
    HookProc();
    KeSetTimer(&timer, duringtime, &dpc);
    return STATUS_SUCCESS;
}
以后好好看文档