
Why does the kernel driver load successfully and the run log show no problems, but it simply has no effect? Creating new documents is completely unaffected #3

Open
fansstan opened this issue Dec 20, 2024 · 5 comments

Comments

@fansstan

After starting it I tried several times and it had no effect at all.. what is going on?

[KHook::Initialize] ssdt call back ptr is 0xFFFFF8023C182E24
[KHook::Initialize] build number is 19043
[KHook::Initialize] ntoskrnl address is 0xFFFFF80240C00000
[KHook::Initialize] etwp debugger data is 0xFFFFF80241810DA8
[KHook::Initialize] etwp debugger data silo is 0xFFFFE6046B92A680
[KHook::Initialize] ckcl wmi logger context is 0xFFFFE60475087980
[KHook::Initialize] get cpu clock is 0x0000000000000003
[KHook::Initialize] syscall table is 0xFFFFF80241009000
[KHook::Initialize] HvlpReferenceTscPage is 0xFFFFF802418FC680
[KHook::Initialize] HvlpReferenceTscPage Value Is 0xFFFFF79EC0009000
[KHook::Initialize] HvlGetQpcBias Is 0xFFFFF8024184A3B8
[KHook::Initialize] HvlGetQpcBias Value Is 0x0
[KHook::Initialize] HvlGetReferenceTimeUsingTscPage Is 0xFFFFF8024184A268
[KHook::Initialize] HvlGetReferenceTimeUsingTscPage Value Is 0xFFFFF80240F8B990
[KHook::Initialize] HalpPerformanceCounter Is 0xFFFFF8024184BE48
[KHook::Initialize] HalpPerformanceCounter Value is 0xFFFFF79EC0014000
[KHook::Initialize] HalpOriginalPerformanceCounter Is 0xFFFFF8024184BE40
[KHook::Initialize] HalpOriginalPerformanceCounter Value Is 0xFFFFF79EC0014000
[KHook::Start] Update GetCpuClock Is 0000000000000002
[KHook::Start] Original HalpPerformanceCounterType Value : 8
[KHook::Start] Update HvlGetQpcBias Value is FFFFF8023C182B20
[KHook::Start] Detect Routine Thread ID Is 632
[KHook::Start] Detect Routine Thread Object Is FFFFE604734E2040
[KHook::Stop] Enter...
[KHook::Stop] Wait For Detect Thread Termination
[KHook::Stop] Detect Thread Terminated
[KHook::Stop] Restore GetCpuClock is 0000000000000003
[KHook::Stop] Restore HvlGetQpcBias is 0000000000000000
[KHook::Stop] Stop Finished!
[DriverUnload] Countdown : 10
[DriverUnload] Countdown : 9
[DriverUnload] Countdown : 8
[DriverUnload] Countdown : 7
[DriverUnload] Countdown : 6
[DriverUnload] Countdown : 5
[DriverUnload] Countdown : 4
[DriverUnload] Countdown : 3
[DriverUnload] Countdown : 2
[DriverUnload] Countdown : 1
[DriverUnload] Completed!

@zhutingxf
Owner

The driver example does not intercept creating new documents; it intercepts opening a text document named test.txt.

@fansstan
Author

Thanks, I just debugged it carefully and found the problem: the test.txt I created in between was created after I had stopped the service. My mistake.
Thanks!
Also, can NtUserCallTwoParam be hooked? I am going to try it; is it likely to blue-screen?

@zhutingxf
Owner

NtUserCallTwoParam is not in the SSDT, is it? I am not sure whether it can be hooked specifically; you can give it a try.

@fansstan
Author

fansstan commented Dec 20, 2024

This one is in the SSSDT; I will try it.
KiServiceTables
W32pServiceTables
It belongs to the second table.

@zhutingxf
Owner

Does hooking the SSSDT work? What were the test results?
