note : SSDT HOOK HOOK宏 转函数
发布日期:2021-06-30 22:03:57
见到工程中用的 SSDT HOOK 用的宏, 用的挺方便的.
有些警告,不好吧.
将HOOK宏整理验证, 容易理解, 便于调试时观察.
将SsdtHook和SsdtUnHook放在DeviceIoControl 中响应了, 用起来挺方便的.
/// @file Ssdt.h
/// @brief SSDT hook / unhook primitives (the page lists this file as SsdtHook.h, but its
///        guard is __SSDT_H__ and SsdtHook.c includes it as "Ssdt.h").
///
/// Usage order (see Ssdt.c): fnMdlAddSsdt() once, then ssdtHook() per API, ssdtUnHook()
/// per API, and fnMdlRemove() last. The globals below hold the single shared mapping.
#ifndef __SSDT_H__
#define __SSDT_H__
#include "constDefine.h"

/// MDL over KeServiceDescriptorTable->ServiceTable, owned by fnMdlAddSsdt()/fnMdlRemove().
extern PMDL g_pMdl;
/// Writable kernel VA of the service table obtained from that MDL; NULL when not mapped.
extern PVOID g_pMdlLockedPages;
/// Kernel-exported descriptor table (32-bit x86 export; the hook code is 32-bit only).
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

/// Allocate an MDL over the service table and map it for writing.
/// @param ppMdl          [in,out] receives the MDL; if both *ppMdl and *ppLockedPages are
///                       already set the call is a no-op returning STATUS_SUCCESS.
/// @param ppLockedPages  [in,out] receives the writable mapping.
/// @return STATUS_SUCCESS, or STATUS_UNSUCCESSFUL on a NULL argument or allocation/mapping failure.
NTSTATUS fnMdlAddSsdt(MDL ** ppMdl, VOID ** ppLockedPages);

/// Unmap and free what fnMdlAddSsdt() created; both pointers are reset to NULL.
/// @return STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when there is no MDL to free.
NTSTATUS fnMdlRemove(MDL ** ppMdl, VOID ** ppLockedPages);

/// Install a hook for one Zw* service.
/// @param pcApiName              exported name passed to MmGetSystemRoutineAddress (e.g. L"ZwOpenProcess").
/// @param pulApiRoutineAddress   [out] resolved stub address, 0 if the name was not found.
/// @param pulApiFunctionAddrNew  [in]  address of the replacement routine (dereferenced, not NULL-checked for 0).
/// @param pulApiFunctionAddrOrg  [out] previous table entry, i.e. the routine the hook must call through.
/// @return STATUS_SUCCESS when the entry was exchanged; STATUS_UNSUCCESSFUL on NULL pointers,
///         an unresolved name, or when fnMdlAddSsdt() has not been called.
NTSTATUS ssdtHook( WCHAR * pcApiName, ULONG_PTR * pulApiRoutineAddress, ULONG_PTR * pulApiFunctionAddrNew, ULONG_PTR * pulApiFunctionAddrOrg);

/// Restore the entry saved by ssdtHook(). Both values must be non-zero.
/// NOTE(review): the restore is unconditional; a hook installed by a third party after
/// ours would be overwritten here.
NTSTATUS ssdtUnHook( ULONG_PTR * pulApiRoutineAddress, ULONG_PTR * pulApiFunctionAddrOrg);

#endif // #ifndef __SSDT_H__
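/// @file Ssdt.c
/// @brief SSDT hook / unhook through a writable MDL mapping of
///        KeServiceDescriptorTable->ServiceTable (implements Ssdt.h; the page lists this
///        file as SsdtHook.c).
///
/// 32-bit x86 only: table entries are exchanged as 32-bit LONGs and the service index is
/// decoded from the 32-bit `mov eax, imm32` Zw* stub (see fnGetSsdtIndexSn).
/// NOTE(review): not applicable to x64 as written (different stub encoding, table not
/// writable this way) -- confirm the target before reuse.
#pragma warning(disable:4995)   // silences C4995 (deprecated-name warning)
#include "SsdtHook.h"
#include "constDefine.h"

extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

PMDL  g_pMdl            = NULL;  ///< MDL over the service table; owned by fnMdlAddSsdt/fnMdlRemove
PVOID g_pMdlLockedPages = NULL;  ///< writable kernel VA of the table; NULL when not mapped

/// Returned by fnGetSsdtIndexSn when the bytes at the stub are not `mov eax, imm32`.
#define SSDT_INDEX_INVALID ((ULONG)-1)

/// Private functions
NTSTATUS MdlSSDTHook(ULONG_PTR ulApiRoutineAddr, ULONG_PTR ulAddrHook, ULONG_PTR *pulAddrOrg);
NTSTATUS MdlRemoveSSDTHook(ULONG_PTR ulApiRoutineAddr, ULONG_PTR ulApiAddrOrg);
ULONG    fnGetSsdtIndexSn(ULONG_PTR ulApiAddr);

/// Resolve the writable table slot for the Zw* stub at ulApiRoutineAddr.
/// Returns NULL when the table is not mapped, the stub cannot be decoded, or the index
/// is outside the table. The bounds check keeps every write inside the
/// TableSize * sizeof(ULONG_PTR) bytes that fnMdlAddSsdt mapped; the original indexed
/// the mapping with whatever fnGetSsdtIndexSn returned.
static PLONG fnSsdtSlot(ULONG_PTR ulApiRoutineAddr)
{
    ULONG ulIndex;

    if (NULL == g_pMdlLockedPages) {
        return NULL;
    }

    ulIndex = fnGetSsdtIndexSn(ulApiRoutineAddr);
    if ((SSDT_INDEX_INVALID == ulIndex) || (ulIndex >= KeServiceDescriptorTable->TableSize)) {
        return NULL;
    }

    return ((PLONG)g_pMdlLockedPages) + ulIndex;
}

/// Allocate an MDL over the service table and map it writable into system space.
/// @param ppMdl          [in,out] receives the MDL; a call with both outputs already set is a no-op.
/// @param ppLockedPages  [in,out] receives the writable mapping.
/// @return STATUS_SUCCESS; STATUS_INVALID_PARAMETER on NULL arguments;
///         STATUS_INSUFFICIENT_RESOURCES when the MDL cannot be allocated or mapped.
NTSTATUS fnMdlAddSsdt(MDL **ppMdl, VOID **ppLockedPages)
{
    if ((NULL == ppMdl) || (NULL == ppLockedPages)) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Already mapped: reuse it rather than allocating (and leaking) a second MDL. */
    if ((NULL != *ppMdl) && (NULL != *ppLockedPages)) {
        return STATUS_SUCCESS;
    }

    /* Half-initialised state (MDL without mapping): release it before starting over. */
    if (NULL != *ppMdl) {
        IoFreeMdl(*ppMdl);
        *ppMdl = NULL;
    }
    *ppLockedPages = NULL;

    *ppMdl = IoAllocateMdl(KeServiceDescriptorTable->ServiceTable,
                           KeServiceDescriptorTable->TableSize * sizeof(ULONG_PTR),
                           FALSE, FALSE, NULL);
    if (NULL == *ppMdl) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    MmBuildMdlForNonPagedPool(*ppMdl);
    /* Classic SSDT-hook idiom inherited from the original; the exact effect of forcing this
       flag before MmMapLockedPages is not documented here -- verify on the target build. */
    (*ppMdl)->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;

    *ppLockedPages = MmMapLockedPages(*ppMdl, KernelMode);
    if (NULL == *ppLockedPages) {
        /* Fix: the original returned failure but left the MDL allocated. */
        IoFreeMdl(*ppMdl);
        *ppMdl = NULL;
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    return STATUS_SUCCESS;
}

/// Unmap and free the MDL created by fnMdlAddSsdt; both pointers are reset to NULL.
/// @return STATUS_SUCCESS; STATUS_INVALID_PARAMETER on NULL arguments;
///         STATUS_UNSUCCESSFUL when there is no MDL to free.
NTSTATUS fnMdlRemove(MDL **ppMdl, VOID **ppLockedPages)
{
    if ((NULL == ppMdl) || (NULL == ppLockedPages)) {
        return STATUS_INVALID_PARAMETER;
    }
    if (NULL == *ppMdl) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Fix: only unmap when a mapping exists (fnMdlAddSsdt can fail after allocating). */
    if (NULL != *ppLockedPages) {
        MmUnmapLockedPages(*ppLockedPages, *ppMdl);
        *ppLockedPages = NULL;
    }

    IoFreeMdl(*ppMdl);
    *ppMdl = NULL;
    return STATUS_SUCCESS;
}

/// Decode the service index from a 32-bit Zw* stub.
///
/// The stub starts with `mov eax, imm32` where imm32 is the SSDT index, e.g.
/// @code
/// kd> u 0x804ff720
/// nt!ZwOpenProcess:
/// 804ff720 b87a000000      mov eax,7Ah
/// 804ff725 8d542404        lea edx,[esp+4]
/// 804ff729 9c              pushfd
/// 804ff72a 6a08            push 8
/// 804ff72c e850ed0300      call nt!KiSystemService (8053e481)
/// 804ff731 c21000          ret 10h
/// @endcode
/// so byte 0 is the opcode 0xB8 and bytes 1..4 hold the index.
///
/// @param ulApiAddr  address of the stub (as resolved by MmGetSystemRoutineAddress).
/// @return the index, or SSDT_INDEX_INVALID when ulApiAddr is 0 or byte 0 is not 0xB8
///         (the original read bytes 1..4 unconditionally, which yields garbage on any
///         other encoding and would then be used as a table index).
ULONG fnGetSsdtIndexSn(ULONG_PTR ulApiAddr)
{
    const UCHAR *pbStub = (const UCHAR *)ulApiAddr;

    if ((NULL == pbStub) || (0xB8 != pbStub[0])) {
        return SSDT_INDEX_INVALID;
    }

    /* Assemble imm32 little-endian byte by byte: no unaligned/aliasing ULONG* read. */
    return (ULONG)pbStub[1]
         | ((ULONG)pbStub[2] << 8)
         | ((ULONG)pbStub[3] << 16)
         | ((ULONG)pbStub[4] << 24);
}

/// Exchange the table entry of the given stub for ulAddrHook.
/// @param ulApiRoutineAddr  stub address used to find the slot.
/// @param ulAddrHook        replacement routine; must be non-zero.
/// @param pulAddrOrg        [out] previous entry, written BEFORE the hook becomes visible.
/// @return STATUS_SUCCESS; STATUS_INVALID_PARAMETER on a NULL/zero argument;
///         STATUS_UNSUCCESSFUL when the slot cannot be resolved or already holds ulAddrHook.
NTSTATUS MdlSSDTHook(ULONG_PTR ulApiRoutineAddr, ULONG_PTR ulAddrHook, ULONG_PTR *pulAddrOrg)
{
    PLONG plTarget;
    LONG  lCurrent;
    LONG  lSeen;

    if ((NULL == pulAddrOrg) || (0 == ulAddrHook)) {
        return STATUS_INVALID_PARAMETER;
    }

    plTarget = fnSsdtSlot(ulApiRoutineAddr);
    if (NULL == plTarget) {
        return STATUS_UNSUCCESSFUL;
    }

    lCurrent = *(volatile LONG *)plTarget;
    for (;;) {
        /* Refuse to hook an entry that already points at this hook: the original would
           have recorded the hook itself as the "original", and the hook would recurse. */
        if ((ULONG_PTR)(ULONG)lCurrent == ulAddrHook) {
            return STATUS_UNSUCCESSFUL;
        }

        /* Publish the original BEFORE installing the hook. InterlockedCompareExchange is a
           full barrier, so any CPU that sees the hook in the table also sees *pulAddrOrg.
           The original did the exchange first and assigned *pulAddrOrg afterwards, leaving
           a window in which the hook could run and call through a still-zero pointer. */
        *pulAddrOrg = (ULONG_PTR)(ULONG)lCurrent;
        lSeen = InterlockedCompareExchange(plTarget, (LONG)ulAddrHook, lCurrent);
        if (lSeen == lCurrent) {
            return STATUS_SUCCESS;
        }
        lCurrent = lSeen;   /* slot changed under us; retry against the new value */
    }
}

/// Write ulApiAddrOrg back into the table entry of the given stub.
/// @return STATUS_SUCCESS; STATUS_INVALID_PARAMETER when ulApiAddrOrg is 0;
///         STATUS_UNSUCCESSFUL when the slot cannot be resolved (the original returned
///         STATUS_SUCCESS unconditionally, even with no mapping).
NTSTATUS MdlRemoveSSDTHook(ULONG_PTR ulApiRoutineAddr, ULONG_PTR ulApiAddrOrg)
{
    PLONG plTarget;

    if (0 == ulApiAddrOrg) {
        return STATUS_INVALID_PARAMETER;
    }

    plTarget = fnSsdtSlot(ulApiRoutineAddr);
    if (NULL == plTarget) {
        return STATUS_UNSUCCESSFUL;
    }

    /* NOTE(review): the previous value is discarded, as in the original. If a third party
       hooked this entry after us, restoring ulApiAddrOrg silently drops their hook; a
       compare-exchange against our own hook address would need that address, which this
       interface does not carry. */
    (void)InterlockedExchange(plTarget, (LONG)ulApiAddrOrg);
    return STATUS_SUCCESS;
}

/// Resolve a Zw* export by name and install a hook for it.
/// @param pcApiName              exported name, e.g. L"ZwOpenProcess".
/// @param pulApiRoutineAddress   [out] resolved stub address, 0 when not found.
/// @param pulApiFunctionAddrNew  [in]  address of the replacement routine; must be non-zero.
/// @param pulApiFunctionAddrOrg  [out] previous table entry.
/// @return STATUS_SUCCESS; STATUS_INVALID_PARAMETER on NULL pointers or a zero hook
///         address (never install a NULL service entry); STATUS_UNSUCCESSFUL when the
///         name does not resolve or MdlSSDTHook fails.
NTSTATUS ssdtHook(WCHAR *pcApiName, ULONG_PTR *pulApiRoutineAddress, ULONG_PTR *pulApiFunctionAddrNew, ULONG_PTR *pulApiFunctionAddrOrg)
{
    UNICODE_STRING unistrApiName;
    PVOID          pRoutine;

    if ((NULL == pcApiName) || (NULL == pulApiRoutineAddress)
        || (NULL == pulApiFunctionAddrNew) || (NULL == pulApiFunctionAddrOrg)) {
        return STATUS_INVALID_PARAMETER;
    }
    if (0 == *pulApiFunctionAddrNew) {
        return STATUS_INVALID_PARAMETER;
    }

    RtlInitUnicodeString(&unistrApiName, pcApiName);
    pRoutine = MmGetSystemRoutineAddress(&unistrApiName);
    *pulApiRoutineAddress = (ULONG_PTR)pRoutine;   /* 0 when unresolved, as before */
    if (NULL == pRoutine) {
        return STATUS_UNSUCCESSFUL;
    }

    return MdlSSDTHook(*pulApiRoutineAddress, *pulApiFunctionAddrNew, pulApiFunctionAddrOrg);
}

/// Restore the entry saved by ssdtHook. *pulApiFunctionAddrOrg is left untouched so a
/// thread still inside the hook can keep calling through it.
/// @return STATUS_SUCCESS; STATUS_INVALID_PARAMETER on NULL pointers;
///         STATUS_UNSUCCESSFUL when nothing was hooked (either value is 0) or the
///         slot cannot be resolved.
NTSTATUS ssdtUnHook(ULONG_PTR *pulApiRoutineAddress, ULONG_PTR *pulApiFunctionAddrOrg)
{
    if ((NULL == pulApiRoutineAddress) || (NULL == pulApiFunctionAddrOrg)) {
        return STATUS_INVALID_PARAMETER;
    }
    if ((0 == *pulApiRoutineAddress) || (0 == *pulApiFunctionAddrOrg)) {
        return STATUS_UNSUCCESSFUL;
    }

    return MdlRemoveSSDTHook(*pulApiRoutineAddress, *pulApiFunctionAddrOrg);
}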
/// @file SsdtHook.h
/// @brief Driver-facing SSDT hook on/off switch; SsdtHook.c implements it on top of Ssdt.h.
#ifndef __SSDT_HOOK_H__
#define __SSDT_HOOK_H__
#include    /* include target lost in page extraction (angle-bracket header) -- restore before building */

/// Install (bHook == TRUE) or remove (bHook == FALSE) the SSDT hooks. Called from the
/// DeviceIoControl handler and, with FALSE, from driver unload.
/// @return TRUE on success.
BOOLEAN SsdtHook(BOOLEAN bHook);

/// Placeholder: SsdtHook.c returns FALSE and ignores bHook.
BOOLEAN SsdtInlineHook(BOOLEAN bHook);

/// NOTE(review): declared here but SsdtHook.c defines the hook as fnHook_ZwOpenProcess;
/// nothing on this page defines NewZwOpenProcess.
NTSTATUS __stdcall NewZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId);

#endif // #ifndef __SSDT_HOOK_H__
/// @file SsdtHook.c/// @brief ...#pragma warning(disable:4995)// #include#include "SsdtHook.h"#include "Ssdt.h"#include "R0ProcessHelper.h"/// 已经存在的内核函数, 声明先UCHAR * PsGetProcessImageFileName( __in PEPROCESS Process); NTSTATUS __stdcall fnHook_ZwOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId);//定义一个原函数指针typedef NTSTATUS (__stdcall *PFN_ZWOPENPROCESS)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId );#define API_NAME_ZWOPENPROCESS L"ZwOpenProcess"ULONG_PTR g_ulApiRoutineAddr_ZwOpenProcess = 0;ULONG_PTR g_ulAddrHook_ZwOpenProcess = (ULONG_PTR)fnHook_ZwOpenProcess;ULONG_PTR g_ulApiOrg_ZwOpenProcess = 0; ///< 强转成 PFN_ZWOPENPROCESS 使用BOOLEAN SsdtHook(BOOLEAN bHook){ NTSTATUS status = STATUS_UNSUCCESSFUL; BOOLEAN bRc = FALSE; if (bHook) { /// create MDL for ssdt status = fnMdlAddSsdt(&g_pMdl, &g_pMdlLockedPages); if (!NT_SUCCESS(status)) return FALSE; status = ssdtHook( API_NAME_ZWOPENPROCESS, &g_ulApiRoutineAddr_ZwOpenProcess, &g_ulAddrHook_ZwOpenProcess, &g_ulApiOrg_ZwOpenProcess); /// hook other ssdt API ... } else { /// ssdt unHook ssdtUnHook( &g_ulApiRoutineAddr_ZwOpenProcess, &g_ulApiOrg_ZwOpenProcess); /// unHook other ssdt API ... /// free MDL status = fnMdlRemove(&g_pMdl, &g_pMdlLockedPages); } return NT_SUCCESS(status);}BOOLEAN SsdtInlineHook(BOOLEAN bHook){ BOOLEAN bRc = FALSE; UNREFERENCED_PARAMETER(bHook); return bRc;}NTSTATUS __stdcall fnHook_ZwOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId){ NTSTATUS status; status = ((PFN_ZWOPENPROCESS)g_ulApiOrg_ZwOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId ); return status;}
在DeviceIoControl中响应SsdtHook和SsdtUnHook
status = SsdtHook(eProcessCommunicationCmd_SsdtHook == pCommData->dwCmd);
注意: 这个 IOCTL 让用户态可以直接安装/卸载内核 hook, 设备对象的安全描述符应当只允许管理员打开, 否则任何本地用户都能关掉这层保护. 另外 SsdtHook(TRUE) 必须对重复调用做幂等处理: 按上面的实现, 第二次 hook 会把"原函数地址"记录成 hook 函数自身, 之后 hook 函数会无限递归.
在驱动卸载处理中, 主动调用 SsdtHook(FALSE);
防止使用者没有执行 UnHook 就停掉驱动. 另外, 卸载前仅仅恢复 SSDT 表项还不够: 此时可能仍有线程正在执行 hook 函数, 驱动卸载后这些线程会跳到已释放的代码, 所以卸载路径还需要等待进行中的 hook 调用返回 (例如引用计数加短暂延时) 再释放驱动.
转载地址:https://lostspeed.blog.csdn.net/article/details/11858177 如侵犯您的版权,请留言回复原文章的地址,我们会给您删除此文章,给您带来不便请您谅解!