
使用自旋锁的各种HOOK


使用自旋锁的各种HOOK
/*
 * Various hooks using a spin lock (使用自旋锁的各种HOOK)
 *
 * 32-bit Windows XP kernel driver (MSVC inline asm). It patches a 5-byte JMP
 * into KiFastCallEntry at the instruction pair
 * "mov edi,[edi] / mov ebx,[edi+eax*4]" (where the service routine for
 * syscall index eax is fetched) and routes control, through a PUSH/RET
 * trampoline in non-paged pool, to FakeKiFastCallEntry. That stub substitutes
 * replacement routines for NtOpenProcess, NtOpenThread, NtDuplicateObject and
 * NtUserPostThreadMessage, which deny access to the process identified by the
 * globals ppid / ppep. The shadow SSDT is located by scanning forward from
 * KeAddSystemServiceTable.
 *
 * NOTE(review): this is direct kernel-code patching with CR0.WP cleared and
 * interrupts disabled on the current CPU only. On x64 PatchGuard/HVCI block
 * it, and kernel-integrity / anti-rootkit checks flag exactly this pattern
 * (a JMP into non-image memory at KiFastCallEntry, service pointers that
 * resolve outside ntoskrnl/win32k). The text was extracted from a
 * document-sharing site: the #include target is missing and several
 * identifiers were split by line wrapping; those spots are flagged inline
 * and left as extracted.
 */
#include                       /* NOTE(review): header name lost in extraction; the kernel types used below come from the WDK headers (presumably <ntddk.h>) - confirm */
#define MEM_TAG 'TMEM'         /* pool tag for the 6-byte trampoline allocated in LoadKiHooker */

/* Layout used with ZwQueryInformationThread(class 0) in MyNtDuplicateObject;
 * only ClientId.UniqueProcess is read from it. */
typedef struct _THREAD_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PVOID TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
}THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

/* Signatures of the four hooked service routines; the Old* globals below hold
 * the original entry points and are both called through and compared against
 * in FakeKiFastCallEntry. */
typedef BOOL (*NTUSERPOSTTHREADMESSAGE) ( DWORD idThread, UINT Msg, WPARAM wParam, LPARAM lParam );
typedef NTSTATUS (*NTOPENPROCESS) ( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId );
typedef NTSTATUS (*NTOPENTHREAD) ( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId );
typedef NTSTATUS (*NTDUPLICATEOBJECT) ( IN HANDLE SourceProcessHandle, IN HANDLE SourceHandle, IN HANDLE TargetProcessHandle, OUT PHANDLE TargetHandle OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG Attributes, IN ULONG Options );

/* Kernel exports used here that the WDK headers of that era did not declare. */
NTKERNELAPI KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID);  /* only its address is used, as the scan start in GetShadowTableAddress */
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN HANDLE ProcessId,OUT PEPROCESS *Process);
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(IN HANDLE ThreadId,OUT PETHREAD *Thread);
NTKERNELAPI PEPROCESS IoThreadToProcess(IN PETHREAD Thread);
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess ( IN HANDLE ProcessHandle, IN ULONG ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL );
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationThread ( IN HANDLE ThreadHandle, IN ULONG ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength OPTIONAL );

ULONG idPTM=476; //XP HARD CODE -- shadow-SSDT index of NtUserPostThreadMessage on Windows XP; the index differs between Windows versions

/* Patch bytes. */
BYTE JmpCode[5]={0xE9,0x00,0x00,0x00,0x00};          /* JMP rel32 written at HookAddr; the displacement is filled in by LoadKiHooker */
BYTE OrgCode[5]={0x8B,0x3F,0x8B,0x1C,0x87};          /* original bytes at HookAddr (mov edi,[edi] / mov ebx,[edi+eax*4]); written back by UnloadKiHooker */
BYTE PushRetCode[6]={0x68,0x00,0x00,0x00,0x00,0xc3}; /* PUSH imm32 / RET trampoline; imm32 is set to FakeKiFastCallEntry */

KIRQL f_oldirql;        /* IRQL returned by KeAcquireSpinLock */
KSPIN_LOCK f_spinlock;  /* NOTE(review): only serialises this driver's own patch/unpatch; it does not stop other CPUs from executing KiFastCallEntry while the 5 bytes are being rewritten */

/* Original service routines (resolved in LoadKiHooker). */
NTOPENTHREAD OldNtOpenThread;
NTOPENPROCESS OldNtOpenProcess;
NTDUPLICATEOBJECT OldNtDuplicateObject;
NTUSERPOSTTHREADMESSAGE
OldNtUserPostThreadMessage;

ULONG uKiFastCallEntryAddr=0;   /* KiFastCallEntry, read from the SYSENTER MSR */
ULONG HookAddr=0;               /* address of the patched 5 bytes inside KiFastCallEntry; 0 = not hooked */
ULONG JMPRet=0;                 /* HookAddr+5: where FakeKiFastCallEntry jumps back to */
ULONG PushRetMem=0;             /* non-paged pool holding PushRetCode */
ULONG ppid=0;                   /* pid of the protected process (set elsewhere; not assigned in this listing) */
PEPROCESS ppep=NULL;            /* EPROCESS of the protected process (set elsewhere; not assigned in this listing) */
PSYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow;      /* NOTE(review): PSYSTEM_SERVICE_TABLE is not defined in this listing; index 0 = ntoskrnl table, 1 = win32k table */
extern PSYSTEM_SERVICE_TABLE KeServiceDescriptorTable;

/* Locate KeServiceDescriptorTableShadow.
 * Walks one page of bytes starting at KeAddSystemServiceTable, reading a
 * (possibly unaligned) 4-byte value at every offset; the first value that is
 * a valid address whose first 16 bytes equal those of
 * KeServiceDescriptorTable, and that is not KeServiceDescriptorTable itself,
 * is returned.
 * Returns the table address, or FALSE (0) if nothing matched or a read
 * faulted. Heuristic: relies on the XP layout of KeAddSystemServiceTable. */
ULONG GetShadowTableAddress()
{
    ULONG dwordatbyte,i;
    PUCHAR p = (PUCHAR) KeAddSystemServiceTable;
    for(i = 0; i < PAGE_SIZE; i++, p++)// scan one page forward, advancing the pointer one byte at a time
    {
        __try
        {
            dwordatbyte = *(PULONG)p;
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            return FALSE;
        }
        if(MmIsAddressValid((PVOID)dwordatbyte))
        {
            if(memcmp((PVOID)dwordatbyte, KeServiceDescriptorTable, 16) == 0)// first 16 bytes match: candidate found
            {
                if((PVOID)dwordatbyte == KeServiceDescriptorTable)// skip KeServiceDescriptorTable itself
                {
                    continue;
                }
                return dwordatbyte;
            }
        }
    }
    return FALSE;
}

/* Return the service-routine pointer currently installed for syscall Index.
 * IsShadow selects table 1 (win32k, "shadow") or table 0 (ntoskrnl) of
 * KeServiceDescriptorTableShadow. Returns FALSE (0) when the shadow table was
 * not located or Index is out of range.
 * NOTE(review): "Index * 4" assumes 4-byte table entries; x86-only. */
ULONG GetSSDTCurAddr(IN ULONG Index,BOOL IsShadow)
{
    ULONG ServiceCount,BaseAddr;
    if (KeServiceDescriptorTableShadow!=NULL)
    {
        ServiceCount=KeServiceDescriptorTableShadow[IsShadow?1:0].NumberOfServices;
        BaseAddr = (ULONG)KeServiceDescriptorTableShadow[IsShadow?1:0].ServiceTableBase;
        if (Index>=ServiceCount)
            return FALSE;
        return *(PULONG)(BaseAddr+Index * 4);
    }
    return FALSE;
}

/* Replacement for NtOpenThread: returns STATUS_ACCESS_DENIED when the target
 * thread belongs to the protected process (ppep) or cannot be looked up,
 * otherwise forwards to the original routine.
 * NOTE(review): ClientId is a caller-supplied pointer; MmIsAddressValid is
 * not a substitute for ProbeForRead inside __try/__except, and
 * ClientId->UniqueThread is read without either.
 * NOTE(review): PsLookupThreadByThreadId returns a referenced ETHREAD and
 * nothing here calls ObDereferenceObject -- looks like a reference leak on
 * every successful lookup; confirm. */
NTSTATUS MyNtOpenThread(OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId)
{
    PETHREAD tcmp;
    PEPROCESS pcmp;
    NTSTATUS st,ntotst;
    if(MmIsAddressValid(ClientId)==TRUE)
    {
        st=PsLookupThreadByThreadId((HANDLE)ClientId->UniqueThread,&tcmp);
        if (!NT_SUCCESS(st))
        {
            ntotst=STATUS_ACCESS_DENIED;
        }
        else
        {
            pcmp=IoThreadToProcess(tcmp);
            if(pcmp==ppep)
                ntotst=STATUS_ACCESS_DENIED;    /* thread of the protected process */
            else
                ntotst=OldNtOpenThread(ThreadHandle,DesiredAccess,ObjectAttributes,ClientId);
        }
    }
    else
    {
        ntotst=STATUS_ACCESS_DENIED;
    }
    return ntotst;
}

/* Replacement for NtOpenProcess: same policy as MyNtOpenThread, keyed on
 * ClientId->UniqueProcess. The same probe and reference-leak notes apply
 * (PsLookupProcessByProcessId's EPROCESS is never dereferenced). */
NTSTATUS MyNtOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMase, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId)
{
    PEPROCESS pcmp;
    NTSTATUS st,ntopst;
    if(MmIsAddressValid(ClientId)==TRUE)
    {
        st=PsLookupProcessByProcessId((HANDLE)ClientId->UniqueProcess,&pcmp);
        if
        (!NT_SUCCESS(st))
        {
            ntopst=STATUS_ACCESS_DENIED;
        }
        else
        {
            if(pcmp==ppep)
                ntopst=STATUS_ACCESS_DENIED;    /* the protected process itself */
            else
                ntopst=OldNtOpenProcess(ProcessHandle,AccessMase,ObjectAttributes,ClientId);
        }
    }
    else
    {
        ntopst=STATUS_ACCESS_DENIED;
    }
    return ntopst;
}

/* Replacement for NtDuplicateObject: lets the original call complete, then
 * queries the new handle as a process and as a thread; if either resolves to
 * a pid in ppid..ppid+3 the handle is closed, *TargetHandle zeroed and
 * STATUS_UNSUCCESSFUL returned.
 * NOTE(review): TargetHandle is OPTIONAL in the signature but is dereferenced
 * unconditionally.
 * NOTE(review): when the process branch closes the handle and stores 0, the
 * thread query below still runs on that zeroed handle.
 * NOTE(review): information class 0 is ProcessBasicInformation /
 * ThreadBasicInformation (magic numbers).
 * NOTE(review): Windows pids are multiples of 4, so the ppid+1..ppid+3
 * comparisons look redundant -- presumably a misunderstanding; confirm. */
NTSTATUS MyNtDuplicateObject(IN HANDLE SourceProcessHandle, IN HANDLE SourceHandle, IN HANDLE TargetProcessHandle, OUT PHANDLE TargetHandle OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG Attributes, IN ULONG Options)
{
    NTSTATUS ntStatus,Tmp;
    PROCESS_BASIC_INFORMATION PBI;
    THREAD_BASIC_INFORMATION TBI;
    ULONG NowPid;
    ntStatus=OldNtDuplicateObject(SourceProcessHandle,SourceHandle,TargetProcessHandle,T argetHandle,DesiredAccess,Attributes,Options);  /* NOTE(review): "T argetHandle" is the parameter TargetHandle, split by extraction */
    if (NT_SUCCESS(ntStatus) )
    {
        /* Is the duplicated handle a process handle of the protected process? */
        Tmp=ZwQueryInformationProcess(*TargetHandle,0,&PBI,sizeof(PBI),NULL);
        if (NT_SUCCESS(Tmp))
        {
            NowPid=PBI.UniqueProcessId;
            if (NowPid==ppid || NowPid==ppid+1 || NowPid==ppid+2 || NowPid==ppid+3)
            {
                ZwClose(*TargetHandle);
                *TargetHandle=0;
                ntStatus= STATUS_UNSUCCESSFUL;
            }
        }
        /* Or a thread handle belonging to it? */
        Tmp=ZwQueryInformationThread(*TargetHandle,0,&TBI,sizeof(TBI),NULL);
        if (NT_SUCCESS(Tmp))
        {
            NowPid=(ULONG)TBI.ClientId.UniqueProcess;
            if (NowPid==ppid || NowPid==ppid+1 || NowPid==ppid+2 || NowPid==ppid+3)
            {
                ZwClose(*TargetHandle);
                *TargetHandle=0;
                ntStatus= STATUS_UNSUCCESSFUL;
            }
        }
    }
    return ntStatus;
}

/* Replacement for NtUserPostThreadMessage (win32k): returns FALSE when
 * idThread belongs to the protected process or cannot be looked up,
 * otherwise forwards to the original.
 * NOTE(review): same ETHREAD reference leak as MyNtOpenThread. */
BOOL MyNtUserPostThreadMessage(DWORD idThread,UINT Msg,WPARAM wParam,LPARAM lParam)
{
    PEPROCESS pcmp=NULL;
    PETHREAD tcmp=NULL;
    NTSTATUS st=STATUS_UNSUCCESSFUL;
    BOOL rt=FALSE;
    st=PsLookupThreadByThreadId((HANDLE)idThread,&tcmp);
    if (NT_SUCCESS(st))
    {
        pcmp=IoThreadToProcess(tcmp);
        if(pcmp==ppep)
            rt=FALSE;
        else
            rt=OldNtUserPostThreadMessage(idThread,Msg,wParam,lParam);
    }
    else
    {
        rt=FALSE;
    }
    return rt;
}

/* Filter stub reached from the KiFastCallEntry hook.
 * Register contract at entry (as of the patched instructions): edi points at
 * the service-table base pointer, eax is the syscall index; the original two
 * instructions compute ebx = service routine. The stub repeats that
 * computation on saved registers, compares ebx with the four saved originals
 * and, on a match, returns to JMPRet with ebx replaced by the corresponding
 * My* routine; otherwise it re-executes the original two instructions and
 * returns. MSVC inline asm: ';' ends an instruction (comment to end of line).
 * NOTE(review): on the Label1..Label4 paths "mov edi,dword ptr [edi]" is not
 * re-executed, so edi differs from the un-hooked path at JMPRet -- presumably
 * KiFastCallEntry overwrites edi before using it again; confirm. */
__declspec(naked) void FakeKiFastCallEntry()
{
    _asm
    {
        pushfd
        pushad
        mov edi,dword ptr [edi]
        mov ebx,dword ptr [edi+eax*4]
        cmp OldNtOpenProcess,ebx;           // is the dispatched routine NtOpenProcess?
        je Label1
        cmp OldNtDuplicateObject,ebx;       // ... NtDuplicateObject?
        je Label2
        cmp OldNtOpenThread,ebx;
                                            // ... NtOpenThread?
        je Label3
        cmp OldNtUserPostThreadMessage,ebx; // ... NtUserPostThreadMessage? (original comment said NtOpenThread; copy-paste)
        je Label4
        popad
        popfd
        mov edi,dword ptr [edi]             // no match: redo the two displaced instructions
        mov ebx,dword ptr [edi+eax*4]
        jmp [JMPRet];
    Label1:
        popad
        popfd
        mov ebx,MyNtOpenProcess             // substitute our replacement for NtOpenProcess
        jmp [JMPRet];
    Label2:
        popad
        popfd
        mov ebx,MyNtDuplicateObject         // substitute our replacement for NtDuplicateObject
        jmp [JMPRet];
    Label3:
        popad
        popfd
        mov ebx,MyNtOpenThread              // substitute our replacement for NtOpenThread
        jmp [JMPRet];
    Label4:
        popad
        popfd
        mov ebx,MyNtUserPostThreadMessage   // substitute our replacement for NtUserPostThreadMessage
        jmp [JMPRet];
    }
}

/* Install the KiFastCallEntry hook.
 * Steps: locate the shadow SSDT; resolve the four original routines; read
 * KiFastCallEntry from the SYSENTER MSR and search up to 0x100 bytes forward
 * for the byte pattern in OrgCode; allocate the PUSH/RET trampoline; lock the
 * target page with an MDL; write the trampoline and the JMP with CR0.WP
 * cleared. Returns STATUS_SUCCESS, else STATUS_UNSUCCESSFUL.
 * NOTE(review): GetSSDTRealAddr and GetSysCallIndex are not defined in this
 * listing.
 * NOTE(review): the MDL is probed and locked but never MmUnlockPages'd or
 * IoFreeMdl'd on the success path, and the write goes to HookAddr directly
 * rather than through a mapping of the MDL -- the MDL only pins the page.
 * NOTE(review): KeAcquireSpinLock already raises to DISPATCH_LEVEL, so the
 * extra KeRaiseIrqlToDpcLevel is redundant; CLI and CR0 are per-CPU, so other
 * processors can execute the half-written 5 bytes.
 * NOTE(review): PushRetMem is not freed when IoAllocateMdl fails. */
NTSTATUS LoadKiHooker()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    KIRQL oldIrql;
    PMDL pMdl = NULL;
    UNICODE_STRING ustrFunctionName,ustrFunctionName2;
    // locate the shadow SSDT (KeServiceDescriptorTableShadow)
    KeServiceDescriptorTableShadow=(PSYSTEM_SERVICE_TABLE)GetShadowTableAddres s();  /* NOTE(review): "GetShadowTableAddres s" is GetShadowTableAddress, split by extraction */
    if (!KeServiceDescriptorTableShadow)
    {
        DbgPrint("Find SSSDT Error!");
        return STATUS_UNSUCCESSFUL;
    }
    // NtUserPostThreadMessage: read from the shadow table by hard-coded index
    OldNtUserPostThreadMessage=(NTUSERPOSTTHREADMESSAGE)GetSSDTCurAddr(idPTM,TRUE);
    DbgPrint("NtUserPostThreadMessaged=0x%08X",OldNtUserPostThreadMessage);
    // NtOpenProcess: exported, resolved by name
    RtlInitUnicodeString(&ustrFunctionName, L"NtOpenProcess");
    OldNtOpenProcess=(NTOPENPROCESS)MmGetSystemRoutineAddress( &ustrFunctionNa me);  /* NOTE(review): "ustrFunctionNa me" is ustrFunctionName, split by extraction */
    DbgPrint("NtOpenProcess=0x%08X",OldNtOpenProcess);
    // NtDuplicateObject: exported, resolved by name
    RtlInitUnicodeString(&ustrFunctionName2, L"NtDuplicateObject");
    OldNtDuplicateObject=(NTDUPLICATEOBJECT)MmGetSystemRoutineAddress(&ustrFun ctionName2);  /* NOTE(review): "ustrFun ctionName2" is ustrFunctionName2, split by extraction */
    DbgPrint("NtDuplicateObject=0x%08X",OldNtDuplicateObject);
    // NtOpenThread: not exported; looked up via its syscall index (helpers not in this listing)
    OldNtOpenThread=(NTOPENTHREAD)GetSSDTRealAddr(GetSysCallIndex("NtOpenThre ad"));  /* NOTE(review): the literal "NtOpenThre ad" was split by extraction; as written it would not match NtOpenThread */
    DbgPrint("NtOpenThread=0x%08X",OldNtOpenThread);
    // The SYSENTER target lives in MSR 0x176 (SYSENTER_EIP_MSR) and is the
    // address of KiFastCallEntry, so it is read here with rdmsr.
    __asm
    {
        pushfd
        pushad
        mov ecx,0x176
        rdmsr
        mov uKiFastCallEntryAddr,eax  // eax = KiFastCallEntry address
        xor ecx,ecx                   // ecx = bytes scanned so far
    Label1:
        cmp ecx,0x100                 // give up after 0x100 bytes
        je Label3
        mov edx,DWORD ptr [eax]
        cmp edx,0x1C8B3F8B            // little-endian 8B 3F 8B 1C: first 4 bytes of OrgCode, the instruction pair to hook
        je Label2
        inc eax
        inc ecx
        jmp Label1
    Label2:
        mov HookAddr,eax
    Label3:
        popad
        popfd
    }
    if (HookAddr==0)
    {
        return status;
    }
    // allocate the second-stage (PUSH/RET) trampoline
    PushRetMem=(ULONG)ExAllocatePoolWithTag(NonPagedPool,6,MEM_TAG);
    if ((PVOID)PushRetMem==NULL)
    {
        return status;
    }
    DbgPrint("PushRetMem=0x%08X",PushRetMem);
    // first stage: JMP rel32 from HookAddr to the trampoline (displacement relative to the end of the 5-byte JMP)
    *(ULONG*)&JmpCode[1]=(ULONG)(PushRetMem)-(HookAddr+5);
    // second stage: PUSH FakeKiFastCallEntry / RET
    *(ULONG*)&PushRetCode[1]=(ULONG)FakeKiFastCallEntry;
    // where the stub jumps back to
    JMPRet=HookAddr+5;
    // MDL over the 5 bytes to be patched
    pMdl = IoAllocateMdl((PBYTE)HookAddr, 5, FALSE, FALSE, NULL);
    if (pMdl)
    {
        // pin the page
        __try
        {
            MmProbeAndLockPages(pMdl, KernelMode, IoWriteAccess);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            IoFreeMdl(pMdl);
            return status;
        }
        // initialise and take the spin lock
        KeInitializeSpinLock(&f_spinlock);
        KeAcquireSpinLock(&f_spinlock,&f_oldirql);
        // raise IRQL
        oldIrql = KeRaiseIrqlToDpcLevel();
        // disable interrupts and clear CR0.WP (bit 16) on this CPU so kernel text is writable
        _asm
        {
            CLI
            MOV EAX, CR0
            AND EAX, NOT 10000H
            MOV CR0, EAX
        }
        // write the trampoline, then the JMP
        RtlCopyMemory((PVOID)PushRetMem,PushRetCode,6);
        RtlCopyMemory((PVOID)HookAddr,JmpCode,5);
        // restore CR0.WP and re-enable interrupts
        _asm
        {
            MOV EAX, CR0
            OR EAX, 10000H
            MOV CR0, EAX
            STI
        }
        // restore the previous IRQL
        KeLowerIrql(oldIrql);
        // release the spin lock
        KeReleaseSpinLock(&f_spinlock, f_oldirql);
        DbgPrint("KiFastCallEntry=0x%08X",uKiFastCallEntryAddr);
        DbgPrint("HookAddr=0x%08X",HookAddr);
        status=STATUS_SUCCESS;
    }
    return status;
}

/* Remove the hook: write OrgCode back over HookAddr under the same
 * lock/IRQL/CR0.WP sequence as LoadKiHooker, then free the trampoline.
 * NOTE(review): the spin lock is re-initialised here rather than reused.
 * NOTE(review): same MDL leak as LoadKiHooker (never unlocked or freed on
 * the success path).
 * NOTE(review): HookAddr can be non-zero while PushRetMem is still 0 if
 * LoadKiHooker failed after the pattern search, in which case ExFreePool is
 * called on 0; guard on PushRetMem before freeing.
 * NOTE(review): the trampoline is freed immediately after the bytes are
 * restored, with no wait for syscalls on other CPUs that may still be inside
 * the trampoline or FakeKiFastCallEntry -- confirm whether that is tolerated. */
VOID UnloadKiHooker()
{
    PMDL pMdl = NULL;
    KIRQL oldIrql;
    if (HookAddr!=0)
    {
        pMdl = IoAllocateMdl((PBYTE)HookAddr, 5, FALSE, FALSE, NULL);
        if (pMdl)
        {
            // pin the page
            __try
            {
                MmProbeAndLockPages(pMdl, KernelMode, IoWriteAccess);
            }
            __except(EXCEPTION_EXECUTE_HANDLER)
            {
                IoFreeMdl(pMdl);
                return;
            }
            // initialise and take the spin lock
            KeInitializeSpinLock(&f_spinlock);
            KeAcquireSpinLock(&f_spinlock,&f_oldirql);
            // raise IRQL
            oldIrql = KeRaiseIrqlToDpcLevel();
            // disable interrupts and clear CR0.WP on this CPU
            _asm
            {
                CLI
                MOV EAX, CR0
                AND EAX, NOT 10000H
                MOV CR0, EAX
            }
            // restore the original 5 bytes
            RtlCopyMemory((PVOID)HookAddr,OrgCode,5);
            _asm
            {
                MOV EAX, CR0
                OR EAX, 10000H
                MOV CR0, EAX
                STI
            }
            // restore the previous IRQL
            KeLowerIrql(oldIrql);
            // release the spin lock
            KeReleaseSpinLock(&f_spinlock, f_oldirql);
            // free the trampoline
            ExFreePool((PVOID)PushRetMem);
        }
    }
}