BASIC INTERRUPT HOOK part 2

最新推荐文章于 2021-12-23 18:12:12 发布
最新推荐文章于 2021-12-23 18:12:12 发布
阅读量1.4k 收藏
点赞数
文章标签: hook basic timer structure descriptor returning

// ---------------------------
// BASIC INTERRUPT HOOK part 2
// this hooks the timer interrupt
// ---------------------------

#include "ntddk.h"
#include <stdio.h>

#define MAKELONG(a, b) ((unsigned long) (((unsigned short) (a)) | ((unsigned long) ((unsigned short) (b))) << 16))

#define MAX_IDT_ENTRIES 0xFF

#define NT_INT_UNUSED_A    0x20
#define NT_INT_UNUSED_B    0x22
#define NT_INT_UNUSED_C    0x23
#define NT_INT_UNUSED_D    0x24
#define NT_INT_UNUSED_E    0x25
#define NT_INT_UNUSED_F    0x26
#define NT_INT_UNUSED_G    0x27
#define NT_INT_UNUSED_H    0x28
#define NT_INT_UNUSED_I    0x29

#define NT_INT_TIMER    0x30

unsigned long g_i_count = 0;

///
// IDT structures
///
#pragma pack(1)

// entry in the IDT, this is sometimes called
// an "interrupt gate"
typedef struct
{
 unsigned short LowOffset;
 unsigned short selector;
 unsigned char unused_lo;
 unsigned char segment_type:4; //0x0E is an interrupt gate
 unsigned char system_segment_flag:1;
 unsigned char DPL:2; // descriptor privilege level
 unsigned char P:1; /* present */
 unsigned short HiOffset;
} IDTENTRY;

/* sidt returns idt in this format */
typedef struct
{
 unsigned short IDTLimit;
 unsigned short LowIDTbase;
 unsigned short HiIDTbase;
} IDTINFO;

#pragma pack()

unsigned long old_ISR_pointer; // better save the old one!!


VOID OnUnload( IN PDRIVER_OBJECT DriverObject )

 IDTINFO  idt_info;  // this structure is obtained by calling STORE IDT (sidt)
 IDTENTRY* idt_entries; // and then this pointer is obtained from idt_info
 char _t[255];

 // load idt_info
 __asm sidt idt_info 
 idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);

 DbgPrint("ROOTKIT: OnUnload called/n");

 _snprintf(_t, 253, "called %d times", g_i_count);
 DbgPrint(_t);
 
 DbgPrint("UnHooking Interrupt...");

 // restore the original interrupt handler
 __asm cli
 idt_entries[NT_INT_TIMER].LowOffset = (unsigned short) old_ISR_pointer;
 idt_entries[NT_INT_TIMER].HiOffset = (unsigned short)((unsigned long)old_ISR_pointer >> 16);
 __asm sti

 DbgPrint("UnHooking Interrupt complete.");
}

// using stdcall means that this function fixes the stack before returning (opposite of cdecl)
void __stdcall count_syscall( unsigned long system_call_number )
{
 g_i_count++;
}

// naked functions have no prolog/epilog code - they are functionally like the
// target of a goto statement
__declspec(naked) my_interrupt_hook()
{
 __asm
 {
  push eax
  call count_syscall
  jmp  old_ISR_pointer
 }
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
 IDTINFO  idt_info;  // this structure is obtained by calling STORE IDT (sidt)
 IDTENTRY* idt_entries; // and then this pointer is obtained from idt_info
 IDTENTRY* i;
 unsigned long  addr;
 unsigned long count;
 char _t[255];
 
 theDriverObject->DriverUnload  = OnUnload;

 // load idt_info
 __asm sidt idt_info
 
 idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);

 for(count=0;count < MAX_IDT_ENTRIES;count++)
 {
  i = &idt_entries[count];
  addr = MAKELONG(i->LowOffset, i->HiOffset);
  
  _snprintf(_t, 253, "Interrupt %d: ISR 0x%08X", count, addr);
  DbgPrint(_t);
 }

 DbgPrint("Hooking Interrupt...");
 // lets hook an interrupt
 // exercise - choose your own interrupt
 old_ISR_pointer = MAKELONG(idt_entries[NT_INT_TIMER].LowOffset,idt_entries[NT_INT_TIMER].HiOffset);
 
// debug, use this if you want some additional info on what is going on
#if 0
 _snprintf(_t, 253, "old address for ISR is 0x%08x", old_ISR_pointer);
 DbgPrint(_t);
 _snprintf(_t, 253, "address of my function is 0x%08x", my_interrupt_hook);
 DbgPrint(_t);
#endif
 
 // remember we disable interrupts while we patch the table
 __asm cli
 idt_entries[NT_INT_TIMER].LowOffset = (unsigned short)my_interrupt_hook;
 idt_entries[NT_INT_TIMER].HiOffset = (unsigned short)((unsigned long)my_interrupt_hook >> 16);
 __asm sti

// debug - use this if you want to check what is now placed in the interrupt vector
#if 0
 i = &idt_entries[NT_INT_TIMER];
 addr = MAKELONG(i->LowOffset, i->HiOffset);
 _snprintf(_t, 253, "Interrupt ISR 0x%08X", addr);
 DbgPrint(_t); 
#endif

 DbgPrint("Hooking Interrupt complete");

 return STATUS_SUCCESS;
}
 

errorlife
关注
测试集(2)-words
马如林的IT博客
11-26 5万+
 aa.ma.mabandonabandonabattoirabilityabilityableableabnormalabnormalaboardaboardaboutaboutaboveaboveabracadabraabroadabroadabsenceabsenceabsentabsent
ATF的接口引导大全(持续完善修订格式)
叫好与叫座虽然不是对立面,但想在同一个作品中达到双重效果很难。
03-07 407
Porting Trusted Firmware-A (TF-A) to a new platform involves making some mandatory and optional modifications for both the cold and warm boot paths. Modifications consist of:The platform-specific functions and variables are declared in . The firmware provi
时钟中断hook
momo_Pluto的专栏
07-05 1236
原文链接: http://cxc200026.blog.163.com/blog/static/34268672009127101618670/
安卓Hook系列教程(二):Xposed插件开发进阶篇
醉猫
11-22 9095
由于本屌意外发现了篇不错的教程,基本上是自己想写的东西,既然已经有了就转载一下,不自己写了。 有轮子就何需再去造轮子? 好吧,其实是懒癌发作了。。。。。。。。 Dalvik 孵化器 Zygote (Android系统中,所有的应用程序进程以及系统服务进程SystemServer都是由Zygote进程孕育/fork出来的)进程对应的程序是/system/bin/app_process. Xpo
反idt hook 隐藏hook idt
05-14 1305
#include "ntddk.h" #include "ntddk.h" #define WORD USHORT #define DWORD ULONG #define MAKELONG(a, b) ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) \ | ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff)
TC397移植FreeRTOS
小小SWQ的博客
12-23 2968
英飞凌TC397移植FreeRTOS一、准备工作1.FreeRTOS源码2.STM驱动代码3.中断相关配置文件4.AURIX Developement Studio初始工程二、配置port.c 一、准备工作 1.FreeRTOS源码 2.STM驱动代码 3.中断相关配置文件 4.AURIX Developement Studio初始工程 二、配置port.c ...
中断学习之timer_interrupt x86实现
shipinsky的博客
07-14 2143
以2.6.23为例 irqreturn_t timer_interrupt(int irq, void *dev_id) =>do_timer_interrupt_hook(); =>global_clock_event->event_handler(global_clock_event);//dev->event_handler = tick_handle...
x86 IDT HOOK
XboxMicro
02-26 916
准备资料:   中断描述符表(Interrupt Descriptor Table,IDT)显然是用来处理中断的。IDT指定了如何处理诸如下一个键、发生页面错误或用户进程请求SSDT时所触发的中断。本文介绍HOOK IDT中的向量0x2E,该钩子在SSDT中的内核函数之前进行调用。   处理IDT时需要注意两点,每个处理器都有自己的IDT,需要钩住系统上的所有IDT。   当应用
线程相关 之 ThreadPoolExecutor源码解析【2】
yunzhonghefei的博客
01-28 312
先看类简介: An {@link ExecutorService} that executes each submitted task using one of possibly several pooled threads, normally configured using {@link Executors} factory methods. 线程池主要解决两个问题:处理大量任务时有更好的表现;提供很多可调节的参数以及扩展钩子,上下文切换更有用。 程序员更偏向使用: Executor
ecw2c理解元数据:使用BigQuery k-means将4,000个堆栈溢出标签聚类
热门推荐
cunehu1722的博客
07-24 6万+
您如何将超过4,000个活动的Stack Overflow标签分组为有意义的组? 对于无监督学习和k均值聚类来说,这是一项完美的任务-现在您可以在BigQuery中完成所有这些工作。 让我们找出方法。 Visualizing a universe of clustered tags. Felipe Hoffais a Developer Advocate fo...
英语方面的缩略语
denghuaken9487的博客
10-02 9266
A...AA Auto AnswerAAB All-to-All BroadcastAAL Asynchronous Transfer Mode Adaption LayerAAP Applications Access Point [DEC]AARP AppleTalk Address Resolution ProtocolAAS All-to-All Scatte...
6)线程组、Hook钩子与线程池使用
www.小白
02-17 536
1) 线程组 1.1)简述 1.2)常用方法: 1.2.1)例:interrupt中断线程组内线程 1.2.2 捕获线程的执行异常 2) 注入Hook钩子线程 3)线程池 3.1)概述 3.2 )jdk对线程池的支持 3.2.1)总体架构 3.2.2) ExecutorService的使用 3.2.3) ScheduledExecutorService
键盘过滤_IDT中断表与_修改IOAPIC重定位表寄存器_hook_单核
06-17 891
#include &lt;ntddk.h&gt; //#define BUILD_FOR_IDT_HOOK// 这一句存在,则本程序编译为替换INT0x93的做法。如果不存在,则为IOAPIC重定位做法。 typedef unsigned char P2C_U8;// 由于这里我们必须明确一个域是多少位,所以我们预先定义几个明确知道多少位长度的变量,以避免不同环境下编译的麻烦. typedef ...
中断的系统内部过程
Returns' Station
05-16 1691
了解这个过程之后就能发现hook中断的地方可以有很多。。。 跳过中断硬件支持的部分,从系统的角度去看 Cpu从idt表中查找到routine地址,这个地址实际是保存在中断对象中 kd> !idt Dumping IDT: 37: 806e6864 hal!PicSpuriousService37 3d: 806e7e2c hal!HalpApc
这是我的毕业设计,是一个前端和后端分离的电子商务系统。使用Springboot+Myb
最新发布
10-16
这是我的毕业设计,是一个前端和后端分离的电子商务系统。使用Springboot+Mybatis框架,在前端方面,我使用Vue3.0技术对页面进行了重构。学会了它,也就学会了前后端分离的基础技术。欢迎各
嵌入式-嵌入式产品级项目之洗衣机程序设计-STM32-优秀毕业设计.zip
10-16
嵌入式_嵌入式产品级项目之洗衣机程序设计_STM32_优秀毕业设计
卷积加速-基于TVM实现的用于CUDA+AMDGPU的winograd卷积加速-附项目源码+加速对比测试-优质HPC项目实现
10-16
卷积加速_基于TVM实现的用于CUDA+AMDGPU的winograd卷积加速_附项目源码+加速对比测试_优质HPC项目实现
毕业设计论文SpringBoot+Vue博客系统_32.docx
10-16
毕业设计论文
i2c interrupt pin
04-01
The I2C (Inter-Integrated Circuit) protocol is a communication protocol that allows multiple devices to communicate with each other using a two-wire interface. One of the key features of the I2C protocol is the ability to use an interrupt pin to signal the microcontroller when data is available or an error has occurred. The I2C interrupt pin is typically used to signal the microcontroller that data is ready to be read or written. When a device on the I2C bus has data to transmit, it will pull the interrupt pin low to signal the microcontroller. The microcontroller can then read the data from the device. Similarly, when the microcontroller wants to transmit data to a device on the I2C bus, it can use the interrupt pin to signal the device that data is available. The device can then read the data from the microcontroller. In summary, the I2C interrupt pin is an important feature of the I2C protocol that allows devices on the bus to signal the microcontroller when data is available or an error has occurred.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值