HOOK钩子技术5 SSDT Inline Hook
2015-05-14 22:05
579 查看
原理
内联钩子的原理在R3和R0下是相同的,就是不改变SSDT表项,而是改变函数内部前几条指令。内联钩子的典型伪函数为:
恢复原指令
执行目标操作,或改写参数
执行原函数
返回时重新挂钩
demo
#include "stdafx.h" #ifdef __cplusplus extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath); #endif typedef NTSTATUS (*NtCreateProcess)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL , IN ULONG JobMemberLevel ); typedef struct _SERVICE_DESCRIPTOR_TABLE { PULONG ServiceTableBase; PULONG ServiceCounterTableBase; ULONG NumberOfService; PUCHAR ParamTableBase; }SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TALBE; NtCreateProcess real_func_addr = NULL; unsigned char bOldBytes[5]; unsigned char bNewBytes[5]; extern "C" PSERVICE_DESCRIPTOR_TALBE KeServiceDescriptorTable;//name can't change. import member must be global variable. /* cr0 -16th bit = 0 means page can write */ bool REMOVE_ONLYREAD() { __asm { push eax mov eax,CR0 and eax, not 10000h mov CR0,eax pop eax } return TRUE; } /* cr0 -16th bit(WP) = 1,reset to the attribute of ONLY READ */ bool RESET_ONLYREAD() { __asm { push eax mov eax,CR0 or eax,10000h mov CR0,eax pop eax } return TRUE; } VOID RelineHookCreateProcess() { REMOVE_ONLYREAD(); //writememory with "jmp xxxxxxxx"; RtlCopyMemory((PVOID)real_func_addr,(CONST PVOID)bNewBytes,5); RESET_ONLYREAD(); } VOID UnHookCreateProcess() { REMOVE_ONLYREAD(); //__asm int 3 RtlCopyMemory((PVOID)real_func_addr,(const PVOID)bOldBytes,5); RESET_ONLYREAD(); } void InlineSSDTHookUnload(PDRIVER_OBJECT pDriverObject) //no return ,with return compiler error { UnHookCreateProcess(); DbgPrint("GoodBye from InlineHook!\n"); } NTSTATUS MyNtCreateProcessEx( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL , IN ULONG JobMemberLevel ) { NTSTATUS Status = STATUS_SUCCESS; UnHookCreateProcess(); Status = real_func_addr( ProcessHandle, DesiredAccess, ObjectAttributes, ParentProcess, InheritObjectTable, SectionHandle , DebugPort , ExceptionPort , JobMemberLevel ); RelineHookCreateProcess(); DbgPrint("have hook CreateProcess!\r\n"); return Status; } NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { unsigned i; DbgPrint("Hello from InlineSSDTHook!\n"); DriverObject->DriverUnload = InlineSSDTHookUnload; //hook PULONG PSsdt = (PULONG)KeServiceDescriptorTable->ServiceTableBase; PULONG p_real_func_addr =PSsdt+0x30; //(unsigned char *) pssdt+0x30*4; DbgPrint("%08x,%08x",p_real_func_addr,PSsdt+0x30); //diff compared with ssdt hook real_func_addr = (NtCreateProcess)(*p_real_func_addr); //__asm int 3 RtlCopyMemory((PVOID)bOldBytes,(CONST PVOID)real_func_addr,5); bNewBytes[0] ='\xe9'; *(PULONG)&bNewBytes[1]=(ULONG)MyNtCreateProcessEx-(ULONG)real_func_addr-5; //__asm int 3 RtlCopyMemory((PVOID)real_func_addr,(CONST PVOID)bNewBytes,5); return STATUS_SUCCESS; }
今天在做实验的时候,老是出错,无语了。在本地加载了程序的符号文件后调试出现各种奇葩问题,比如说函数入口指令的第一个字节总是没有改回来,后来也不知道怎么解决的。
挂钩后不能打开程序,提示
文件错误,但是停止服务后恢复正常,所以怀疑是伪函数执行时候有错误,查了半天也没有错误。最后发现是少了一个参数,我函数指针定义成
nt!NtCreatProcess的参数了,
nt!NtCreateProcessEx比
nt!ntCreateProces多了一个参数
JobMemeberLevel。
typedef NTSTATUS (*NtCreateProcessEx)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL , /*************/ IN ULONG JobMemberLevel );
可是非常奇怪,参数错误函数执行肯定出错,昨天的SSDT HOOK却也是少了这个参数,挂钩函数也是
nt!ntCreateProcessEx,按理说应该出错啊,为什么昨天的又是正确的呢???参数不一致也可以?仔细研究一下。
相关文章推荐
- SSDT Hook的妙用-对抗ring0 inline hook
- SSDT Hook的妙用-对抗ring0 inline hook
- 检测和恢复SSDT HOOK,INLINE SSDT HOOK
- 高级Linux Kernel Inline Hook技术分析与实现
- SSDT Hook的妙用-对抗ring0 inline hook
- 转SSDT Hook的妙用-对抗ring0 inline hook
- 普及X64 ssdtshadow inline HOOK
- 对付kernel / fsd inline hook/ssdt hook
- SSDT Hook的妙用-对抗ring0 inline hook
- [转]SSDT Hook的妙用-对抗ring0 inline hook
- 高级Linux Kernel Inline Hook技术分析与实现
- 普及X64 ssdtshadow inline HOOK
- SSDT Hook的妙用-对抗ring0 inline hook
- 【转帖】SSDT Hook的妙用-对抗ring0 inline hook
- SSDT Hook的妙用-对抗ring0 inline hook
- Windows下Hook API技术 inline hook
- 【转】检测和恢复SSDT HOOK,INLINE SSDT HOOK
- 转:SSDT Hook的妙用-对抗ring0 inline hook
- SSDT Hook的妙用-对抗ring0 inline hook
- Inline hook ImmGetCompositionStringW获取中文输入