本文为看雪论坛优秀文章
看雪论坛作者ID:breeze911
防截屏需要hook一个函数NtGdiBitBlt, 实现代码在附件里。
windbg查看SSSDT表的方式
!process 0 0 查看所有进程。
!process 0 0PROCESS 855d3920 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000DirBase: 00185000 ObjectTable: 89201b28 HandleCount: 506.Image: SystemPROCESS 8687ac70 SessionId: 0 Cid: 0140 Peb: 7ffd4000 ParentCid: 0138DirBase: 3f373060 ObjectTable: 99226d70 HandleCount: 455.Image: csrss.exePROCESS 85761838 SessionId: 1 Cid: 098c Peb: 7ffd6000 ParentCid: 0540DirBase: 3f3735e0 ObjectTable: 988b79d8 HandleCount: 120.Image: mspaint.exe.........
kd> .process /p 8687ac70Implicit process is now 8687ac70.cache forcedecodeuser done
kd> x nt!kes*des*table**83fbea00 nt!KeServiceDescriptorTableShadow = <no type information>83fbe9c0 nt!KeServiceDescriptorTable = <no type information>
第二行是SSSDT表
表地址为94726000,函数个数为0x339个
kd> dd 83fbea0083fbea00 83ed2d9c 00000000 00000191 83ed33e483fbea10 94726000 00000000 00000339 9472702c83fbea20 00000000 00000000 83fbea24 0000034083fbea30 00000340 855eeeb0 00000007 0000000083fbea40 855eede8 855e9550 855e96e0 855e961883fbea50 00000000 855e9488 00000000 0000000083fbea60 83ecc809 83ed9eed 83ee83a5 0000000383fbea70 85535000 85536000 00000120 ffffffff
dds 94726000 L294726000 946b3d37 win32k!NtGdiAbortDoc94726004 946cbc23 win32k!NtGdiAbortPath
防截屏实现
第一步获取到csrss常驻进程
HANDLE GetCsrPid() {HANDLE Process, hObject;HANDLE CsrId = (HANDLE)0;OBJECT_ATTRIBUTES obj;CLIENT_ID cid;UCHAR Buff[0x100];POBJECT_NAME_INFORMATION ObjName = (PVOID)&Buff;PSYSTEM_HANDLE_INFORMATION_EX Handles;ULONG r;Handles = GetInfoTable(SystemHandleInformation);if (!Handles) return CsrId;for (r = 0; r < Handles->NumberOfHandles; r++){//Port objectInitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);cid.UniqueProcess = (HANDLE)Handles->Information[r].ProcessId;cid.UniqueThread = 0;if (NT_SUCCESS(NtOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid))){if (NT_SUCCESS(ZwDuplicateObject(Process, (HANDLE)Handles->Information[r].Handle, NtCurrentProcess(), &hObject, 0, 0, DUPLICATE_SAME_ACCESS))){if (NT_SUCCESS(ZwQueryObject(hObject, ObjectNameInformation, ObjName, 0x100, NULL))){if (ObjName->Name.Buffer && !wcsncmp(L"\Windows\ApiPort", ObjName->Name.Buffer, 20)){CsrId = (HANDLE)Handles->Information[r].ProcessId;KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ZwQueryObject:%wZ ID:%d Type::%dn", &ObjName->Name, Handles->Information[r].ProcessId, Handles->Information[r].ObjectTypeNumber));}}ZwClose(hObject);}ZwClose(Process);}}ExFreePool(Handles);return CsrId;}
第二步 附加进程,CR0关写保护
VOID SetHook(){NTSTATUS status;status = PsLookupProcessByProcessId(GetCsrPid(), &g_crsEProc);if (!NT_SUCCESS(status)) {error = %xn", status));return;}KeAttachProcess(g_crsEProc);//将当前线程附加到目标进程的地址空间__try{//关闭写保护_asm{push eaxmov eax, CR0and eax, 0FFFEFFFFhmov CR0, eaxpop eax}KeServiceDescriptorTableShadow = (PServiceDescriptorTableEntry_t)((ULONG)&KeServiceDescriptorTable + 0x50);OldNtDgiBitBlt = KeServiceDescriptorTableShadow->ServiceTableBase[14];= MyNtGdiBitBlt;//恢复写保护_asm{push eaxmov eax, CR0or eax, NOT 0FFFEFFFFhmov CR0, eaxpop eax}}__finally{//切换回来,否则爆炸}}
第三步,自己实现hook函数
int APIENTRY MyNtGdiBitBlt(HDC hDCDest, INT XDest, INT YDest, INT Width, INT Height, HDC hDCSrc, INT XSrc, INT YSrc, DWORD ROP, DWORD crBackColor, FLONG fl) {ULONG_PTR ulPtr = 0;DECLARE_UNICODE_STRING_SIZE(StrProcessName, 260);UNICODE_STRING uExpression;RtlInitUnicodeString(&uExpression, L"*QQ.EXE");ulPtr = (ULONG_PTR)PsGetCurrentProcessId();GetProcessFullNameByPid((HANDLE)ulPtr, &StrProcessName);if (IsPatternMatch(&uExpression, &StrProcessName, TRUE)){KdPrint((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[breeze]Hook成功,路径为:%wZn", &StrProcessName));return FALSE;}return OldNtDgiBitBlt(hDCDest, XDest, YDest, Width, Height, hDCSrc, XSrc, YSrc, ROP, crBackColor, fl);}
测试截图
截图结果
看雪ID:breeze911
https://bbs.pediy.com/user-home-913912.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
原文始发于微信公众号(看雪学苑):内核实现x86QQ防截屏
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论