Another way to HOOK in the kernel

最新推荐文章于 2024-02-13 00:58:55 发布
最新推荐文章于 2024-02-13 00:58:55 发布
阅读量1.1k 收藏
点赞数
分类专栏: windows底层核心編程 文章标签: hook descriptor struct object system google
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/iiprogram/article/details/2456950
版权
Rk always use HOOK important functions to hide something , and some ARK first recover these hookers ( common by harddisk files) and then call the function.
And this is another way to HOOK in the kernel by DRX register. About the DRX register ,you can google it, there should be much info. So i only post some simple code next because of my poor english, if you know chinese, you can get the comment.

These code should be run in xp, and it simply act HOOK the ZwCreateFile and print the debug information.



/*
drxhook.h
Written By yykingking@126.com
*/

#ifndef _DRX_HOOK
#define _DRX_HOOK

#include <ntddk.h>

typedef unsigned long DWORD;
typedef unsigned char BOOL;

#pragma pack(push,1)
typedef struct _idtr
{
    //定义中断描述符表的限制,长度两字节;
    short        IDTLimit;
    //定义中断描述服表的基址,长度四字节;
    unsigned int    IDTBase;
}IDTR,*PIDTR;

typedef struct _IDTENTRY
{
    unsigned short LowOffset;
    unsigned short selector;
    unsigned char unused_lo;
    unsigned char segment_type:4;    //0x0E is an interrupt gate
    unsigned char system_segment_flag:1;
    unsigned char DPL:2;    // descriptor privilege level
    unsigned char P:1; /* present */
    unsigned short HiOffset;
} IDTENTRY,*PIDTENTRY;

#pragma pack(pop)

DWORD GetDBEntry();
void HookDBInt();
void UnHookDBInt();

#endif


/*
drxhook.cpp
Written By yykingking@126.com
*/


#include "drxhook.h"

DWORD g_OldDBEntry;
IDTR g_IDTR;
DWORD g_OldCreateFile;
DWORD g_HookNumber = 0;
DWORD g_CR0;
BOOL g_bExit;

void ReLoadCR0AndSti()
{
    __asm
    {
        push    eax
            mov        eax, g_CR0
            mov        cr0, eax
            pop        eax
            sti
    }
}

void CliAndDisableWPBit()
{
    __asm
    {
        cli
            push    eax
            mov        eax, cr0
            mov        g_CR0, eax
            and        eax, 0xFFFEFFFF
            mov        cr0, eax
            pop        eax
    }
}


void PrintHook()
{
    DbgPrint(" Now Get In ZwCreateFile Hook: %d...Pid: %d.../n", g_HookNumber++, (DWORD)PsGetCurrentProcessId());
}

__declspec(naked) void NewZwCreateFile()
{
    __asm
    {    
        pushfd;                        // 仅仅适合于 XP 操作系统
        call PrintHook;
        popfd;
        mov eax,0x25;            
        jmp g_OldCreateFile;
    }
}

void SetHB()            // set hardware breakpoint 设置硬件断点
{
    __asm
    {
        mov eax, ZwCreateFile;        // 想要挂接的函数或者地址
        mov dr0, eax;
        mov eax, dr7;
        or  eax, 0x2703;            // 也要修改 dr7:GD 位,以免DrX被操作系统或其他程序修改
        and eax, 0xfff0ffff;
        mov dr7, eax;
    }
}

__declspec(naked) void NewDBEntry()
{
    __asm
    {
        pushfd;
        push eax;

        mov eax, dr6;
        test eax, 0x2000;
        jz  NOT_EDIT_DRX;

        // 以下是如果有对DRX的操作的简单处理,如有需要可以修改
        // 我只是简单的跳过这些指令
        and eax, 0xFFFFDFFF;
        mov dr6, eax;            // 清除DR6的标志

        cmp g_bExit, 0;
        jnz MY_DRV_EXIT;        // 驱动 Unload

        mov eax, [esp+8];        // 获取堆栈中的 EIP
        add eax, 3;                // 由于所有对 DRX 的操作全都是3个字节的
        mov [esp+8], eax;        // 修改 EIP ,跳过当前指令,返回时执行下条指令

        jmp MY_INT_END;

NOT_EDIT_DRX:

        mov eax, dr6;
        test eax, 0x1;
        jz  SYS_INT;            // 如果不是Dr0 产生的中断,则跳回原系统中断

        mov eax, [esp+8];
        cmp eax, ZwCreateFile;    // 判断一下是不是 ZwCreateFile 的线性地址
        jnz SYS_INT;

        mov eax, NewZwCreateFile;
        mov [esp+8],eax;        // 修改堆栈中的 EIP ,实现返回时跳转


MY_INT_END:    

        mov eax, dr7;
        or  eax, 0x2000;        // 恢复 GD 位
        mov dr7, eax;

MY_DRV_EXIT:                    // 整个驱动 UnLoad æ—¶,不恢复 Dr7

        pop eax;
        popfd;
        iretd;

SYS_INT:
        pop eax;
        popfd;
        jmp g_OldDBEntry;
        
    }
}

DWORD GetDBEntry()
{
    PIDTENTRY IdtEntry;
    DWORD Entry;

    __asm sidt g_IDTR;

    IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);

    Entry = IdtEntry->HiOffset << 16;
    
    Entry |= IdtEntry->LowOffset;

    return Entry;
}

void HookDBInt()
{
    DWORD NewEntry;
    PIDTENTRY IdtEntry;

    NewEntry = (DWORD)NewDBEntry;

    g_OldCreateFile = (DWORD)ZwCreateFile + 5;        // 新的要跳转过去的地址

    g_OldDBEntry = GetDBEntry();

    IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);

    CliAndDisableWPBit();

    IdtEntry->LowOffset = (USHORT)NewEntry;

    IdtEntry->HiOffset = (USHORT)( NewEntry >> 16 );

    ReLoadCR0AndSti();

    SetHB();

    g_bExit = FALSE;

    return;
}

void UnHookDBInt()
{
    PIDTENTRY IdtEntry;
    DWORD Entry;
    
    __asm sidt g_IDTR;
    
    IdtEntry = (PIDTENTRY)(g_IDTR.IDTBase + 8);

    CliAndDisableWPBit();

    g_bExit = TRUE;

    __asm mov eax, dr7;                // 产生一次例外并且清除Dr7:GD

    if ( g_OldDBEntry != 0 )
    {
        IdtEntry->LowOffset = (USHORT)g_OldDBEntry;
        
        IdtEntry->HiOffset = (USHORT)( g_OldDBEntry >> 16 );        
    }

    ReLoadCR0AndSti();
    
    DbgPrint(" UnLoad drx hook../n");

    return;
}

NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject)
{    
    UnHookDBInt();
    
    return STATUS_SUCCESS;
}

NTSTATUS DriverEntry(
                     IN PDRIVER_OBJECT  DriverObject,
                     IN PUNICODE_STRING RegistryPath
                     )
{
    HookDBInt();
    
    DriverObject->DriverUnload = DriverUnload;

    DbgPrint("Load drxhook Driver Ok.../n");

    return STATUS_SUCCESS;
}
/***********************/
iiprogram
关注
专栏目录
Way DataMigrator(原名為ETL Manager)
hiwings_126com的专栏
05-09 209
iWay DataMigrator(原名為ETL Manager) 產品簡介 快速建立一個強大且彈性的資料結構 iWay Software提供一個具有擴充性且有效地做到資料管理的方法-使您能夠在操作時直接去存取資料,取得資料倉儲的暫存資料或資料超市,並且可以動態下鑽到明細的資料-所以您可以自行設計結構,定義所有使用者的獨特資訊需求。經由可提供支援廣泛資料介接轉...
android内核hook定制,android kernel syscall table hook
weixin_35183690的博客
05-30 619
I am using android 4.2.2(Jelly Been) with linux-kernel 3.0.31 source code. I am trying to hook open system call but i don't know that how to change a page from read-only to writable given an address b...
Three Ways to Inject Your Code into Another Process
zhiyazw的专栏
10-15 693
From: https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces How to inject code into another processes address space, and then execute it in the context of this ...
coding style for the linux kernel
活在当下,快乐每天,因上努力,果上随缘。
03-11 1436
This is a short document describing the preferred coding style for the linux kernel.  Coding style is very personal, and I won’t _force_ my
(Secure) File Transfer, the Only Way to Fly…err Copy
BLOG域名:programb.blog.csdn.net
05-16 202
Engineering Josh Long August 23, 2010 There are many ways to skin a cat. Many applications today rely on messaging (AMQP, JMS) to bridge the gap between disparate systems and data. Others rely on RPC (typically web-services, or REST). For a great many appl
syzlang语法编写案例学习 —— Looking for Remote Code Execution bugs in the Linux kernel
panhewu9919的博客
07-11 1615
syzlang 模板编写
Debugging the kernel using Ftrace - part 2
mounter625的专栏
05-20 715
 Debugging the kernel using Ftrace - part 2 使用ftrace调试kernel-第二部分 The Ftrace tracing utility has many different features that will assist in tracking down Linux kernel problems. The previous arti
An experiment in porting the Android init system to GNU/Linux
张同光 (Tongguang Zhang):Hello everyone !
01-01 475
https://blog.darknedgy.net/technology/2015/08/05/0-androidinit/   by V.R. Yes I’m trolling/mocking you anti-systemd retards. That’s what Schopenhauer recommends as a strategy against irrational rh...
C# EasyHook2.5 中文翻译
lostgdi的专栏
09-09 5329
在网上找到一遍中英文的教程(但是很多地方中文没翻译好),现在也正需要学习它,看英文资料有时候会更实在,所以边学边继续帮忙翻译吧。由于本人水平有限,如果翻译有问题请及时指出以方便其他英文不太好的朋友学习。谢谢 部分翻译来自:http://blog.cuile.com/blog/a
display:kms-connector-4.14kernel
maze的专栏
05-31 877
DOC: overview In DRM connectors are the general abstraction for display sinks, and include als fixed panels or anything else that can display pixels in some form. As opposed to all other KMS objects...
Linux内核Notifier机制
u013686019的专栏
07-24 5592
notifier是kernel的一种异步通信机制,用于告知某些模块产生了一个事件event。 notifier涉及: 1,publisher,类比于server、provider等概念,负责: 提供一个notifier head链表供subscriber注册handler遍历head链表逐一告知subscriber发生了某个事件 2,subscriber,类比于client
【doghead】bifrost的player 版本 windows构建
突围
02-13 190
doghead
my cloud test bed (by quqi99)
技术并艺术着
03-10 1656
若容器里如果上不了网,如无法访问api.snapcraft.io,是因为lxd容易默认使用了eth1上的dns=10.10.10.1,下面的配置可让eth0, eth1, eth2都默认使用dns=192.168.99.1来避免特色网络对api.snapcraft.io的污染。下列netplan配置创建了br-eth0,也让br-eth0支持wol通过魔术包唤醒,也创建了一个没有dhcp的br-maas用于maas实验。
基于java的贝儿米幼儿教育管理系统答辩PPT.pptx
11-04
基于java的贝儿米幼儿教育管理系统答辩PPT.pptx
课设毕设基于SpringBoot+Vue的养老院管理系统的设计与实现源码可运行.zip
11-04
本压缩包资源说明,你现在往下拉可以看到压缩包内容目录 我是批量上传的基于SpringBoot+Vue的项目,所以描述都一样;有源码有数据库脚本,系统都是测试过可运行的,看文件名即可区分项目~ |Java|SpringBoot|Vue|前后端分离| 开发语言:Java 框架:SpringBoot,Vue JDK版本:JDK1.8 数据库:MySQL 5.7+(推荐5.7,8.0也可以) 数据库工具:Navicat 开发软件: idea/eclipse(推荐idea) Maven包:Maven3.3.9+ 系统环境:Windows/Mac
基于java的消防物资存储系统答辩PPT.pptx
11-04
基于java的消防物资存储系统答辩PPT.pptx
【java毕业设计】饮食营养管理信息系统源码(springboot+vue+mysql+说明文档).zip
最新发布
11-04
项目经过测试均可完美运行! 环境说明: 开发语言:java jdk:jdk1.8 数据库:mysql 5.7+ 数据库工具:Navicat11+ 管理工具:maven 开发工具:idea/eclipse
【java毕业设计】酷听音乐源码(springboot+vue+mysql+说明文档).zip
11-04
项目经过测试均可完美运行! 环境说明: 开发语言:java jdk:jdk1.8 数据库:mysql 5.7+ 数据库工具:Navicat11+ 管理工具:maven 开发工具:idea/eclipse
API Hook技术在C++中的应用研究
标题中提到的'APIhook.rar_The Class_hook'暗示了一个特定的API Hook实现,可能是一个关于如何通过编程方式在应用程序中使用API Hook技术的教程或源代码包。文件'APIHook'和描述中的'api hook est.cpp'文件名则表明...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值