note : SSDT HOOK HOOK宏 转函数


见到工程中 SSDT HOOK 用的宏, 用起来挺方便的.

但有些警告, 不太好.

将 HOOK 宏整理成函数并验证, 更容易理解, 也便于调试时观察.

将SsdtHook和SsdtUnHook放在DeviceIoControl 中响应了, 用起来挺方便的.

/// @file		SsdtHook.h/// @brief		Ssdt Hook, unHook; Ssdt Inline Hook, unHook 函数定义#ifndef __SSDT_H__#define __SSDT_H__#include "constDefine.h"extern PMDL     g_pMdl;extern PVOID    g_pMdlLockedPages;extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;NTSTATUS fnMdlAddSsdt(MDL ** ppMdl, VOID ** ppLockedPages);NTSTATUS fnMdlRemove(MDL ** ppMdl, VOID ** ppLockedPages);NTSTATUS ssdtHook(	WCHAR * pcApiName, 	ULONG_PTR * pulApiRoutineAddress, 	ULONG_PTR * pulApiFunctionAddrNew,	ULONG_PTR * pulApiFunctionAddrOrg);NTSTATUS ssdtUnHook(	ULONG_PTR * pulApiRoutineAddress, 	ULONG_PTR * pulApiFunctionAddrOrg);#endif // #ifndef __SSDT_H__
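/// @file		Ssdt.c
///             NOTE(review): the page labels this file SsdtHook.c, but it implements the routines
///             that SsdtHook.c pulls in through "Ssdt.h" -- confirm the real file name.
/// @brief		SSDT hook / unhook through a writable MDL mapping of KeServiceDescriptorTable.
///
/// Notes for whoever maintains or audits this (legacy, 32-bit only) code:
///  - KeServiceDescriptorTable is only exported by 32-bit ntoskrnl; on x64 it is not exported
///    and Kernel Patch Protection bug-checks on service-table modification.  The supported
///    mechanisms are the kernel callback APIs (ObRegisterCallbacks, PsSetCreateProcessNotifyRoutineEx).
///  - A hooked slot is trivially visible to integrity checks: it no longer points into the
///    ntoskrnl image.  Security tooling that still uses this must expect to be flagged.
///  - Unhooking does not synchronise with threads still inside the hook routine; the saved
///    original address is therefore deliberately kept valid after unhook.

#pragma warning(disable:4995)   // C4995: MmMapLockedPages is marked deprecated by the WDK
// #include                     // NOTE(review): include target lost in extraction
#include "SsdtHook.h"           // NOTE(review): probably meant to be the header declaring fnMdlAddSsdt/ssdtHook ("Ssdt.h") -- confirm
#include "constDefine.h"

extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

PMDL  g_pMdl = NULL;            ///< writable MDL over the service table (owned here)
PVOID g_pMdlLockedPages = NULL; ///< system VA of that mapping; NULL while not hooked

/// Slots are exchanged with 32-bit Interlocked* operations and the table is walked as
/// ULONG entries; pin that assumption so a 64-bit build fails loudly instead of
/// silently truncating addresses.
C_ASSERT(sizeof(ULONG_PTR) == sizeof(LONG));

/// Returned by fnGetSsdtIndexSn when the stub does not have the expected layout.
#define SSDT_INDEX_INVALID ((ULONG)-1)

/// private functions
static NTSTATUS MdlSSDTHook(ULONG_PTR ulApiRoutineAddr, ULONG_PTR ulAddrHook, ULONG_PTR * pulAddrOrg);
static NTSTATUS MdlRemoveSSDTHook(ULONG_PTR ulApiRoutineAddr, ULONG_PTR ulApiAddrOrg);
static ULONG    fnGetSsdtIndexSn(ULONG_PTR ulApiAddr);

/// Build and map a writable MDL covering the whole service table.
/// Idempotent: an already mapped pair returns STATUS_SUCCESS untouched.
/// On failure nothing is left allocated (the original leaked the MDL when
/// MmMapLockedPages returned NULL, and then fnMdlRemove would unmap NULL).
NTSTATUS fnMdlAddSsdt(MDL ** ppMdl, VOID ** ppLockedPages)
{
	MDL * pMdl = NULL;
	VOID * pMapped = NULL;

	if ((NULL == ppMdl) || (NULL == ppLockedPages))
		return STATUS_UNSUCCESSFUL;

	if ((NULL != *ppMdl) && (NULL != *ppLockedPages))
		return STATUS_SUCCESS;

	/// half-initialised pair from an earlier failure: release the stale MDL first
	if (NULL != *ppMdl) {
		IoFreeMdl(*ppMdl);
		*ppMdl = NULL;
	}
	*ppLockedPages = NULL;

	pMdl = IoAllocateMdl(
		KeServiceDescriptorTable->ServiceTable,
		KeServiceDescriptorTable->TableSize * sizeof(ULONG_PTR),
		FALSE, FALSE, NULL);
	if (NULL == pMdl)
		return STATUS_UNSUCCESSFUL;

	MmBuildMdlForNonPagedPool(pMdl);
	/// Classic SSDT-MDL idiom: flag the MDL as already mapped so the subsequent
	/// MmMapLockedPages yields a fresh, writable system mapping of the table pages
	/// (confirm against the WDK of the target OS before porting).
	pMdl->MdlFlags = pMdl->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

	pMapped = MmMapLockedPages(pMdl, KernelMode);
	if (NULL == pMapped) {
		IoFreeMdl(pMdl);
		return STATUS_UNSUCCESSFUL;
	}

	*ppMdl = pMdl;
	*ppLockedPages = pMapped;
	return STATUS_SUCCESS;
}

/// Unmap and free the MDL created by fnMdlAddSsdt; both pointers are reset to NULL.
/// Returns STATUS_UNSUCCESSFUL when there is nothing to release.
NTSTATUS fnMdlRemove(MDL ** ppMdl, VOID ** ppLockedPages)
{
	if ((NULL == ppMdl) || (NULL == ppLockedPages))
		return STATUS_UNSUCCESSFUL;
	if (NULL == *ppMdl)
		return STATUS_UNSUCCESSFUL;

	/// only unmap what was actually mapped (the original unmapped NULL in the half state)
	if (NULL != *ppLockedPages) {
		MmUnmapLockedPages(*ppLockedPages, *ppMdl);
		*ppLockedPages = NULL;
	}
	IoFreeMdl(*ppMdl);
	*ppMdl = NULL;
	return STATUS_SUCCESS;
}

/// Extract the service index from a Zw* stub.
/// Layout observed by the author on 32-bit ntoskrnl (WinDbg):
///   nt!ZwOpenProcess:
///   804ff720 b87a000000   mov eax,7Ah        ; B8 imm32 -> imm32 is the SSDT index
///   804ff725 8d542404     lea edx,[esp+4]
///   804ff729 9c           pushfd
///   804ff72a 6a08         push 8
///   804ff72c e850ed0300   call nt!KiSystemService
/// The opcode byte is validated before the index is read; any other layout yields
/// SSDT_INDEX_INVALID, which the hook/unhook routines refuse, so an unexpected OS
/// build cannot turn into a write at an arbitrary table slot.
static ULONG fnGetSsdtIndexSn(ULONG_PTR ulApiAddr)
{
	const UCHAR * pcAddr = (const UCHAR *)ulApiAddr;
	ULONG ulSsdtIndexSn = SSDT_INDEX_INVALID;

	if ((0 != ulApiAddr) && (0xB8 == pcAddr[0])) {
		/// imm32 follows the opcode; copy instead of an unaligned ULONG load
		RtlCopyMemory(&ulSsdtIndexSn, pcAddr + 1, sizeof(ulSsdtIndexSn));
	}
	return ulSsdtIndexSn;
}

/// Exchange the slot of the stub at ulApiRoutineAddr with ulAddrHook.
/// *pulAddrOrg is published BEFORE the slot is switched (the original stored the
/// InterlockedExchange result afterwards, leaving a window in which another CPU
/// could dispatch into the hook while the saved original was still 0).  A slot
/// that already holds ulAddrHook is reported as success without touching
/// *pulAddrOrg, so a double hook can never save the hook's own address as "original".
static NTSTATUS MdlSSDTHook(ULONG_PTR ulApiRoutineAddr, ULONG_PTR ulAddrHook, ULONG_PTR * pulAddrOrg)
{
	ULONG ulSsdtIndexSn;
	PLONG plTarget;
	LONG lCurrent;

	if ((NULL == g_pMdlLockedPages) || (NULL == pulAddrOrg) || (0 == ulAddrHook))
		return STATUS_UNSUCCESSFUL;

	ulSsdtIndexSn = fnGetSsdtIndexSn(ulApiRoutineAddr);
	/// bounds check against the table the MDL was built over
	if ((SSDT_INDEX_INVALID == ulSsdtIndexSn) ||
	    (ulSsdtIndexSn >= KeServiceDescriptorTable->TableSize))
		return STATUS_UNSUCCESSFUL;

	plTarget = (PLONG)((ULONG *)g_pMdlLockedPages + ulSsdtIndexSn);
	lCurrent = *(volatile LONG *)plTarget;
	if ((ULONG_PTR)lCurrent == ulAddrHook)
		return STATUS_SUCCESS;   // already installed; keep the saved original

	*pulAddrOrg = (ULONG_PTR)lCurrent;
	/// swap only if nobody changed the slot since we read it; the caller may retry
	if (InterlockedCompareExchange(plTarget, (LONG)ulAddrHook, lCurrent) != lCurrent)
		return STATUS_UNSUCCESSFUL;
	return STATUS_SUCCESS;
}

/// Write ulApiAddrOrg back into the slot of the stub at ulApiRoutineAddr.
/// Returns STATUS_UNSUCCESSFUL when nothing was restored (the original returned
/// STATUS_SUCCESS unconditionally, even with no mapping present).
static NTSTATUS MdlRemoveSSDTHook(ULONG_PTR ulApiRoutineAddr, ULONG_PTR ulApiAddrOrg)
{
	ULONG ulSsdtIndexSn;
	PLONG plTarget;

	if ((NULL == g_pMdlLockedPages) || (0 == ulApiAddrOrg))
		return STATUS_UNSUCCESSFUL;

	ulSsdtIndexSn = fnGetSsdtIndexSn(ulApiRoutineAddr);
	if ((SSDT_INDEX_INVALID == ulSsdtIndexSn) ||
	    (ulSsdtIndexSn >= KeServiceDescriptorTable->TableSize))
		return STATUS_UNSUCCESSFUL;

	plTarget = (PLONG)((ULONG *)g_pMdlLockedPages + ulSsdtIndexSn);
	/// The value swapped out is discarded: if it is not our hook, another component
	/// hooked the same slot after us and is now unhooked as well -- hook chaining is
	/// not supported by this design.
	(void)InterlockedExchange(plTarget, (LONG)ulApiAddrOrg);
	return STATUS_SUCCESS;
}

/// Resolve the Zw* stub named pcApiName and exchange its slot with *pulApiFunctionAddrNew.
/// @param pulApiRoutineAddress  [out] resolved stub address; 0 when the name is unknown.
/// @param pulApiFunctionAddrNew [in]  replacement routine; 0 is rejected (the original
///                              would have installed a NULL slot).
/// @param pulApiFunctionAddrOrg [out] previous slot value.
NTSTATUS ssdtHook(
	WCHAR * pcApiName,
	ULONG_PTR * pulApiRoutineAddress,
	ULONG_PTR * pulApiFunctionAddrNew,
	ULONG_PTR * pulApiFunctionAddrOrg)
{
	UNICODE_STRING unistrApiName;
	PVOID pRoutineAddr;

	if ((NULL == pcApiName) || (NULL == pulApiRoutineAddress) ||
	    (NULL == pulApiFunctionAddrNew) || (NULL == pulApiFunctionAddrOrg))
		return STATUS_UNSUCCESSFUL;
	if (0 == *pulApiFunctionAddrNew)
		return STATUS_UNSUCCESSFUL;

	RtlInitUnicodeString(&unistrApiName, pcApiName);
	pRoutineAddr = MmGetSystemRoutineAddress(&unistrApiName);
	*pulApiRoutineAddress = (ULONG_PTR)pRoutineAddr;   // 0 when the export is unknown
	if (0 == *pulApiRoutineAddress)
		return STATUS_UNSUCCESSFUL;

	return MdlSSDTHook(*pulApiRoutineAddress, *pulApiFunctionAddrNew, pulApiFunctionAddrOrg);
}

/// Restore *pulApiFunctionAddrOrg into the slot of *pulApiRoutineAddress.
/// *pulApiFunctionAddrOrg is intentionally NOT cleared afterwards: threads that are
/// still inside the hook routine forward through it after the slot has been restored.
NTSTATUS ssdtUnHook(
	ULONG_PTR * pulApiRoutineAddress,
	ULONG_PTR * pulApiFunctionAddrOrg)
{
	if ((NULL == pulApiRoutineAddress) || (NULL == pulApiFunctionAddrOrg))
		return STATUS_UNSUCCESSFUL;
	if ((0 == *pulApiRoutineAddress) || (0 == *pulApiFunctionAddrOrg))
		return STATUS_UNSUCCESSFUL;   // never hooked

	return MdlRemoveSSDTHook(*pulApiRoutineAddress, *pulApiFunctionAddrOrg);
}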
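/// @file		SsdtHook.h
/// @brief		Driver-level entry points that install / remove this driver's SSDT hooks
///             (inline hooking is only a stub).
#ifndef SSDT_HOOK_H_
#define SSDT_HOOK_H_

#include <ntddk.h>   // NOTE(review): include target lost in extraction; ntddk.h assumed -- confirm

/// @brief Install (bHook != FALSE) or remove (bHook == FALSE) every SSDT hook the driver owns.
/// Driven from DeviceIoControl, and called once more with FALSE from the unload routine so a
/// client that forgot to unhook cannot leave the service table pointing into unloaded code.
/// @return TRUE on success.
BOOLEAN SsdtHook(BOOLEAN bHook);

/// @brief Not implemented; always returns FALSE.
BOOLEAN SsdtInlineHook(BOOLEAN bHook);

/// NOTE(review): declared here but SsdtHook.c defines fnHook_ZwOpenProcess instead; this
/// looks like a stale declaration -- confirm nothing links against it before removing.
NTSTATUS __stdcall NewZwOpenProcess(
	OUT PHANDLE ProcessHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	IN PCLIENT_ID ClientId);

#endif // #ifndef SSDT_HOOK_H_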
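/// @file		SsdtHook.c
/// @brief		Installs / removes this driver's SSDT hooks; currently only ZwOpenProcess,
///             whose replacement is a pure pass-through.
#pragma warning(disable:4995)   // C4995: deprecated-function warning (see Ssdt.c)
// #include                     // NOTE(review): include target lost in extraction
#include "SsdtHook.h"
#include "Ssdt.h"
#include "R0ProcessHelper.h"

/// Existing kernel function, declared by hand; not used by this file yet.
UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);

NTSTATUS __stdcall fnHook_ZwOpenProcess(
	OUT PHANDLE ProcessHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	IN PCLIENT_ID ClientId);

/// Type of the original routine, used to forward from the hook.
typedef NTSTATUS (__stdcall *PFN_ZWOPENPROCESS)(
	OUT PHANDLE ProcessHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	IN PCLIENT_ID ClientId);

#define API_NAME_ZWOPENPROCESS L"ZwOpenProcess"

ULONG_PTR g_ulApiRoutineAddr_ZwOpenProcess = 0;   ///< resolved Zw stub address; 0 until hooked
ULONG_PTR g_ulAddrHook_ZwOpenProcess = (ULONG_PTR)fnHook_ZwOpenProcess;
ULONG_PTR g_ulApiOrg_ZwOpenProcess = 0;           ///< original slot value; cast to PFN_ZWOPENPROCESS when called

/// Install (bHook != FALSE) or remove (bHook == FALSE) every SSDT hook this driver owns.
/// Install path: a failed ssdtHook no longer leaves the writable table mapping behind
/// (the original returned its status but kept the MDL).  Remove path: the unhook result
/// is folded into the return value (the original ignored ssdtUnHook and reported only
/// the MDL release).
/// @return TRUE on success.
BOOLEAN SsdtHook(BOOLEAN bHook)
{
	NTSTATUS status;

	if (bHook) {
		/// create MDL for ssdt
		status = fnMdlAddSsdt(&g_pMdl, &g_pMdlLockedPages);
		if (!NT_SUCCESS(status))
			return FALSE;

		status = ssdtHook(
			API_NAME_ZWOPENPROCESS,
			&g_ulApiRoutineAddr_ZwOpenProcess,
			&g_ulAddrHook_ZwOpenProcess,
			&g_ulApiOrg_ZwOpenProcess);
		/// hook other ssdt API ...

		if (!NT_SUCCESS(status)) {
			/// nothing installed: do not keep a writable mapping of the table around
			(void)fnMdlRemove(&g_pMdl, &g_pMdlLockedPages);
			return FALSE;
		}
		return TRUE;
	}

	/// ssdt unHook -- only meaningful if a hook was ever installed
	{
		BOOLEAN bUnhooked = TRUE;

		if (0 != g_ulApiOrg_ZwOpenProcess) {
			status = ssdtUnHook(
				&g_ulApiRoutineAddr_ZwOpenProcess,
				&g_ulApiOrg_ZwOpenProcess);
			bUnhooked = NT_SUCCESS(status);
		}
		/// unHook other ssdt API ...

		/// free MDL.  Threads still inside fnHook_ZwOpenProcess are not waited for;
		/// the unload routine must make sure none remain before the image goes away.
		status = fnMdlRemove(&g_pMdl, &g_pMdlLockedPages);
		return (BOOLEAN)(bUnhooked && NT_SUCCESS(status));
	}
}

/// Inline hooking is not implemented; always returns FALSE.
BOOLEAN SsdtInlineHook(BOOLEAN bHook)
{
	UNREFERENCED_PARAMETER(bHook);
	return FALSE;
}

/// Replacement for ZwOpenProcess: currently a pure pass-through to the saved original.
/// Runs in the calling thread's context on every ZwOpenProcess service call, so anything
/// added here must be cheap and must not fail open or closed by accident.
NTSTATUS __stdcall fnHook_ZwOpenProcess(
	OUT PHANDLE ProcessHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	IN PCLIENT_ID ClientId)
{
	PFN_ZWOPENPROCESS pfnOrg = (PFN_ZWOPENPROCESS)g_ulApiOrg_ZwOpenProcess;

	/// Belt and braces: if the slot were ever reached before the original address was
	/// saved, calling through 0 would crash the kernel on every process open.
	if (NULL == pfnOrg)
		return STATUS_UNSUCCESSFUL;
	return pfnOrg(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}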

在DeviceIoControl中响应SsdtHook和SsdtUnHook

// DeviceIoControl dispatch: the SsdtHook command installs, any other command reaching here removes.
// NOTE(review): SsdtHook returns BOOLEAN; if `status` is an NTSTATUS, FALSE (0) reads as
// STATUS_SUCCESS and a failed hook is reported to the client as success -- confirm the
// variable's type or convert the result explicitly.
status = SsdtHook(eProcessCommunicationCmd_SsdtHook == pCommData->dwCmd);
在驱动卸载处理中,主动调用SsdtHook(FALSE); 

以防使用者没有执行 UnHook 就停掉了驱动.


