废话不多说,代码如下:
/*
 * Inline hook of the (unexported) kernel routine KiInsertQueueApc on 32-bit
 * Windows: the first 5 bytes of the target are overwritten with a near jmp to
 * fake_KiInsertQueueApc, which jumps to Proxy_KiInsertQueueApc; the proxy's
 * body is patched at run time with the saved 5 original bytes followed by a
 * 7-byte far jmp back to target+5.
 *
 * NOTE(review): everything here is x86-32 specific (ULONG-sized pointers,
 * MSVC `_asm`, CR0.WP toggling, selector 0x0008 in the far jmp). The target
 * is located by a hard-coded call signature/displacement (see
 * FindKiInsertQueueApcAddress), which is tied to one particular kernel build.
 * Patching kernel code like this is exactly what Kernel Patch Protection
 * (PatchGuard) on x64 detects and bugchecks on; on 32-bit it is detectable
 * by comparing the target's leading bytes with the on-disk image.
 */
#include <ntddk.h>
#include <ntifs.h>
#include <windef.h>

ULONG g_KiInsertQueueApc;                                   // resolved address of KiInsertQueueApc (0 if not found)
ULONG g_uCr0;                                               // CR0 value saved by WPOFF, restored by WPON
BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };                  // near jmp rel32; displacement filled in at hook time
BYTE g_OrigCode[5] = { 0 };                                 // the original leading bytes of the target function
BYTE jmp_orig_code[7] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00 };   // far jmp ptr16:32; because it is a far transfer it carries selector 0x08
BOOL g_bHooked = FALSE;

VOID fake_KiInsertQueueApc ( PKAPC Apc, KPRIORITY Increment );
VOID Proxy_KiInsertQueueApc ( PKAPC Apc, KPRIORITY Increment );

/*
 * Clear CR0.WP (bit 16) so that read-only kernel pages can be written, and
 * disable interrupts. The previous CR0 value is kept in g_uCr0 for WPON.
 * NOTE(review): this only affects the current processor.
 */
void WPOFF()
{
    ULONG uAttr;
    _asm
    {
        push eax;
        mov eax, cr0;
        mov uAttr, eax;
        and eax, 0FFFEFFFFh;    // CR0 16 BIT = 0
        mov cr0, eax;
        pop eax;
        cli
    };
    g_uCr0 = uAttr;             // save the original CR0 attributes
}

/*
 * Re-enable interrupts and restore the CR0 value saved by WPOFF
 * (write protection back on).
 */
VOID WPON()
{
    _asm
    {
        sti
        push eax;
        mov eax, g_uCr0;        // restore the original CR0 attributes
        mov cr0, eax;
        pop eax;
    };
}

//
// Stop the inline hook: copy the saved original 5 bytes back over the target.
// NOTE(review): nothing checks g_KiInsertQueueApc/g_bHooked here, so unloading
// without a successful hook writes g_OrigCode (zeros) to address 0.
//
VOID UnHookKiInsertQueueApc ()
{
    KIRQL oldIrql;
    WPOFF();
    oldIrql = KeRaiseIrqlToDpcLevel();
    RtlCopyMemory ( (BYTE*)g_KiInsertQueueApc, g_OrigCode, 5 );
    KeLowerIrql(oldIrql);
    WPON();
    g_bHooked = FALSE;
}

//
// Start the inline hook -- KiInsertQueueApc
//
// Saves the target's first 5 bytes, writes a jmp to fake_KiInsertQueueApc
// over them, and builds the trampoline inside Proxy_KiInsertQueueApc
// (original 5 bytes + far jmp to target+5). Both writes happen with CR0.WP
// cleared and IRQL raised to DISPATCH_LEVEL on the current CPU.
//
// NOTE(review): the 5-byte overwrite is not atomic and other processors are
// not quiesced, so a CPU executing the target's first bytes at that instant
// is a crash risk. It also assumes the first 5 bytes of the target contain
// no relative/position-dependent instruction (they are re-executed from the
// proxy's address unchanged).
//
VOID HookKiInsertQueueApc ()
{
    KIRQL oldIrql;
    if (g_KiInsertQueueApc == 0)
    {
        DbgPrint("KiInsertQueueApc == NULL/n");   // NOTE(review): "/n" is probably a "\n" mangled by the page; left as-is
        return;
    }
    //DbgPrint("start inline hook -- KiInsertQueueApc/n");
    DbgPrint( "KiInsertQueueApcµÄµØÖ·t0x%08x/n", (ULONG)g_KiInsertQueueApc );   // prints the target address (string kept byte-identical)

    // save the original function's leading bytes
    RtlCopyMemory (g_OrigCode, (BYTE*)g_KiInsertQueueApc, 5);
    // rel32 of the jmp = destination - (source + 5)
    *( (ULONG*)(g_HookCode + 1) ) = (ULONG)fake_KiInsertQueueApc - (ULONG)g_KiInsertQueueApc - 5;

    // disable system write protection, raise IRQL to DPC level
    WPOFF();
    oldIrql = KeRaiseIrqlToDpcLevel();
    RtlCopyMemory ( (BYTE*)g_KiInsertQueueApc, g_HookCode, 5 );
    // far-jmp destination = target + 5 (just past the patched bytes)
    *( (ULONG*)(jmp_orig_code + 1) ) = (ULONG) ( (BYTE*)g_KiInsertQueueApc + 5 );
    RtlCopyMemory ( (BYTE*)Proxy_KiInsertQueueApc, g_OrigCode, 5);          // patch the head of Proxy_KiInsertQueueApc
    RtlCopyMemory ( (BYTE*)Proxy_KiInsertQueueApc + 5, jmp_orig_code, 7);   // then the far jmp back to the original
    // restore write protection, lower IRQL
    KeLowerIrql(oldIrql);
    WPON();
    g_bHooked = TRUE;
}

//
// Entry the hooked target jumps to; does any pre-processing and then jumps
// on to the proxy. Naked: no prologue, the original stack frame is untouched.
//
__declspec (naked) VOID fake_KiInsertQueueApc ( PKAPC Apc, KPRIORITY Increment )
{
    // DbgPrint was removed here: calling it from this path re-enters the hook
    // (DbgPrint itself queues an APC), i.e. unbounded recursion
    //DbgPrint("inline hook -- KiInsertQueueApc success/n");
    __asm
    {
        jmp Proxy_KiInsertQueueApc    // only JMPs in this chain, no CALL: simpler code and a cleaner stack
    }
}

//
// Proxy (trampoline) that continues execution in the original function.
// Its 12 NOP bytes are overwritten at hook time by HookKiInsertQueueApc.
//
__declspec (naked) VOID Proxy_KiInsertQueueApc ( PKAPC Apc, KPRIORITY Increment )
{
    __asm
    {
        // 12 bytes in total
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90      // first 5 bytes: replaced by the original function's leading bytes
        _emit 0x90      // this one becomes the far jmp opcode (0xEA)
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90      // these 4 bytes hold the address of original+5
        _emit 0x90
        _emit 0x90      // far transfer: the segment selector (the bytes written are 0x08, 0x00)
    }
}

/*
 * Resolve an exported kernel routine by name via MmGetSystemRoutineAddress.
 * Returns 0 (NULL) when the name is not found.
 */
ULONG GetFunctionAddr( IN PCWSTR FunctionName)
{
    UNICODE_STRING UniCodeFunctionName;
    RtlInitUnicodeString( &UniCodeFunctionName, FunctionName );
    return (ULONG)MmGetSystemRoutineAddress( &UniCodeFunctionName );
}

// Locate KiInsertQueueApc by scanning KeInsertQueueApc for a signature:
// the 5-byte pattern is a `call rel32` (E8 CC 29 00 00) whose target is
// KiInsertQueueApc, so the address is (pattern + 5) + 0x29cc.
// NOTE(review): the displacement is specific to one kernel build; on any
// other build the scan fails and 0 is returned (and the hook is skipped).
// NOTE(review): GetFunctionAddr's result is not checked for NULL before
// indexing, and i + 4 reads up to 4 bytes past the 100-byte window.
ULONG FindKiInsertQueueApcAddress()
{
    char * Addr_KeInsertQueueApc = 0;
    int i = 0;
    char Findcode[] = { 0xE8, 0xcc, 0x29, 0x00, 0x00 };   // 0xE8/0xcc stored in plain char: signedness is implementation-defined, both sides compare as char
    ULONG Addr_KiInsertQueueApc = 0;
    Addr_KeInsertQueueApc = (char *) GetFunctionAddr(L"KeInsertQueueApc");
    for(i = 0; i < 100; i ++)
    {
        if( Addr_KeInsertQueueApc[i] == Findcode[0] &&
            Addr_KeInsertQueueApc[i + 1] == Findcode[1] &&
            Addr_KeInsertQueueApc[i + 2] == Findcode[2] &&
            Addr_KeInsertQueueApc[i + 3] == Findcode[3] &&
            Addr_KeInsertQueueApc[i + 4] == Findcode[4] )
        {
            Addr_KiInsertQueueApc = (ULONG)&Addr_KeInsertQueueApc[i] + 0x29cc + 5;
            break;
        }
    }
    return Addr_KiInsertQueueApc;
}

/* Driver unload: removes the hook (see the NOTE on UnHookKiInsertQueueApc). */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    DbgPrint("My Driver Unloaded!");
    UnHookKiInsertQueueApc();
}

/* Driver entry: registers the unload routine, locates the target and installs the hook. */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    DbgPrint("My Driver Loaded!");
    theDriverObject->DriverUnload = OnUnload;
    g_KiInsertQueueApc = FindKiInsertQueueApcAddress();
    HookKiInsertQueueApc();
    return STATUS_SUCCESS;
}
// end
一份非常棒的inline hook 代码