SSDT Hooking mini-library/example

  1. #1 Guy (Join Date: Apr 2009)

    SSDT Hooking mini-library/example

    #include <ntddk.h>

    /* Basic helper types (ULONG_PTR / DWORD_PTR already come from the DDK headers). */
    typedef unsigned long DWORD, *PDWORD;
    typedef unsigned char BYTE, *PBYTE;

    /* Pointer to the original ZwClose, saved by SSDT_Hook() so the hook can forward to it. */
    NTSTATUS ( *Real_ZwClose )( HANDLE Handle );

    /* Each Zw* stub begins with "mov eax, <service index>", so the DWORD at byte
       offset 1 of the stub is the index of that service's slot in the SSDT. */
    #define _Lookup( _Call )  \
    	KeServiceDescriptorTable.ServiceTable[* ( unsigned int * ) \
    	( ( unsigned char * ) _Call + 1 )]

    typedef struct _SSDT
    {
    	PDWORD ServiceTable;
    	PDWORD CounterTableBase;
    	DWORD ServiceLimit;
    	PUCHAR ArgumentTable;   /* PUCHAR is the DDK's type; redefining PCHAR clashes with ntddk.h */
    } SSDT;

    __declspec(dllimport) SSDT KeServiceDescriptorTable;

    /* Replace the SSDT slot of _OrigCall with _Hook and return the previous entry. */
    DWORD_PTR *SSDT_Hook( DWORD_PTR *_OrigCall, DWORD_PTR *_Hook )
    {
    	DWORD_PTR *returnVal = ( DWORD_PTR * ) _Lookup( _OrigCall );
    	_Lookup( _OrigCall ) = ( DWORD ) _Hook;
    	return( returnVal );
    }

    void DriverUnload( PDRIVER_OBJECT DriverObject )
    {
    	/* Put the original entry back before the driver image goes away. */
    	SSDT_Hook( ( DWORD_PTR * ) ZwClose, ( DWORD_PTR * ) Real_ZwClose );
    }

    NTSTATUS my_ZwClose( HANDLE Handle )
    {
    	DbgPrint( "ZwClose called!" );
    	/* Forward to the real ZwClose and hand its status back to the caller. */
    	return Real_ZwClose( Handle );
    }

    NTSTATUS DriverEntry( PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath )
    {
    	DriverObject->DriverUnload = DriverUnload;
    	Real_ZwClose = ( NTSTATUS ( * )( HANDLE ) )
    		SSDT_Hook( ( DWORD_PTR * ) ZwClose, ( DWORD_PTR * ) my_ZwClose );
    	return( STATUS_SUCCESS );
    }
    Requires the WinDDK to compile/link. Note: you should remove your hook in the "Unload" event; otherwise a BSOD will most likely occur, depending on what function you're hooking, how often it's called, etc.

    EDIT: The above example now has a safe-unload mechanism.

    From here, you can write an anti-cheat by hooking functions known to be used for cheats; for example, hook ZwOpenProcess, and check if the PID parameter matches the process ID of the Gunz process; if so, return an error message, and do not hand off the request to the actual ZwOpenProcess call.

    Otherwise, this is just a PoC demonstrating how easy it is to hook functions in the SSDT :)

    WinDDK -
    InstDvr (Allows quick loading/unloading of kernel driver) -
    Last edited by Guy; 11-08-09 at 12:47 AM.
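Added example (my own code, not from Guy's post or the DDK): the integrity check a defender would run against the kind of hook shown above. It walks a ServiceTable and flags any entry that does not point into the kernel image, and decodes a Zw* stub the same way the post's _Lookup macro does. The kernel image bounds, the table contents and the stub bytes are constructed, hypothetical values, so it runs as a plain user-mode C program over an in-memory copy of the table.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed demo values, not read from a real machine: pretend the kernel
 * image spans [KERNEL_BASE, KERNEL_BASE + KERNEL_SIZE). */
#define KERNEL_BASE 0x804D7000u
#define KERNEL_SIZE 0x001F0000u

/* Report indices of ServiceTable entries that point outside the kernel image,
 * which is what a slot redirected by SSDT_Hook() above looks like. Returns the
 * total count; at most `max` indices are written to out[]. */
size_t ssdt_find_foreign(const uint32_t *table, size_t limit, uint32_t base,
                         uint32_t size, size_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < limit; i++) {
        if (table[i] < base || table[i] - base >= size) {
            if (found < max)
                out[found] = i;
            found++;
        }
    }
    return found;
}

/* Same decoding as the post's _Lookup macro: a Zw* stub starts with
 * "mov eax, imm32" (0xB8), so bytes 1..4 are the little-endian service index.
 * Returns UINT32_MAX when the stub does not begin with that instruction. */
uint32_t zw_stub_index(const unsigned char *stub)
{
    if (stub[0] != 0xB8)
        return UINT32_MAX;
    return (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
           ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
}

/* Constructed sample: slot 2 patched to a driver address; a stub loading index 2. */
static const uint32_t sample_table[4] = { 0x805B0000u, 0x805B2000u,
                                          0xF8A01000u, 0x805B4000u };
static const unsigned char sample_stub[5] = { 0xB8, 0x02, 0x00, 0x00, 0x00 };
static size_t hits[4];
int main(void)
{
    size_t n = ssdt_find_foreign(sample_table, 4, KERNEL_BASE, KERNEL_SIZE, hits, 4);
    for (size_t i = 0; i < n; i++)
        printf("SSDT[%zu] = 0x%08x is outside the kernel image\n", hits[i], sample_table[hits[i]]);
    printf("stub loads service index %u\n", zw_stub_index(sample_stub));
    return 0;
}
```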

  2. #2 ThePhailure772 (Join Date: Sep 2007)

    Re: SSDT Hooking mini-library/example

    Very nice release CFX.

  3. #3 dacharles, GunZ Developer (Join Date: Oct 2006)

    Re: SSDT Hooking mini-library/example

    Amm, do you have any page that explains what SSDT is?

    P.S.: you are hooking ZwClose? D:
    Last edited by dacharles; 11-08-09 at 05:21 AM.

  4. #4

    Re: SSDT Hooking mini-library/example

    Looks great.

    Phail, you're a moderator now? O_O

  5. #5 Phoenix (Join Date: Mar 2009)

    Re: SSDT Hooking mini-library/example

    Phail's a Mod? LOL! Congrats xD

  6. #6 ThePhailure772 (Join Date: Sep 2007)

    Re: SSDT Hooking mini-library/example

    I'll just leave this e-book here...

  7. #7 cerealnp (Join Date: Apr 2006)

    Re: SSDT Hooking mini-library/example

    Will that work on all NT-based OSes? I don't have too much experience with hooking kernel functions =D

    Edit: Lol, it was on the WDK page:

    This topic applies to the following versions of Windows:
    Windows 7
    Windows Vista
    Windows XP
    Windows Server 2008 R2
    Windows Server 2008
    Windows Server 2003

    Thanks for sharing.
    Last edited by cerealnp; 11-08-09 at 02:36 PM.