监控应用层通信_hook_kifastcallentry(系统服务调用)

#include"ntddk.h"
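#pragma pack(push, 1) /* 1-byte packing for the descriptor; pushed so the previous packing can be restored below */
/*
 * Header of the system service descriptor table (SSDT) as laid out by the
 * 32-bit kernel. ServiceTableBase is the array of service routine addresses
 * that system calls dispatch through; this driver saves and rewrites one
 * slot of it. NOTE(review): the members are sized for x86 (addresses held in
 * unsigned int). On 64-bit Windows the table stores encoded offsets and this
 * symbol is not exported, so the declaration is x86-only — confirm target.
 */
typedef struct ServiceDescriptorEntry {
	unsigned int *ServiceTableBase;        /* the service table: one routine address per system service */
	unsigned int *ServiceCounterTableBase; /* per-service call counters, populated only on checked builds; unused here */
	unsigned int NumberOfServices;         /* number of entries in ServiceTableBase */
	unsigned char *ParamTableBase;         /* per-service count of argument bytes passed in from user mode */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack(pop) /* the original repeated pack(1) here, which left 1-byte packing in effect for the rest of the file */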
_declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;/* the kernel's exported SSDT descriptor (32-bit kernels only); the name must match exactly */
ULONG sosuohookdiandizhi();/* locate the KiFastCallEntry patch site by byte pattern; returns its address or 0 */
void yebaohuguanbi();/* clear CR0.WP: disable kernel write protection */
void yebaohukaiqi();/* set CR0.WP: re-enable kernel write protection */
unsigned int lao_ntopenfile;/* original value of SSDT slot 66. The page's comments call it both NtOpenFile and NtCreateFile;
                              the replacement installed into that slot has NtCreateFile's signature. Holds a code address
                              in an unsigned int, so this is x86-only. */
ULONG dizhi1 = 0;/* return address captured from the hooked service's frame: the instruction in KiFastCallEntry
                    right after the call that dispatched to the service. Anchor for the backwards pattern search. */
ULONG dizhi2 = 0;/* address of the 5-byte "sub esp,ecx / shr ecx,2" sequence inside KiFastCallEntry that is
                    overwritten with a call; stays 0 until the search succeeds. */
/* Signature of the original NtCreateFile, used to call through the saved slot value. */
typedef  NTSTATUS(*hanshuzhizhen1)(
	__out PHANDLE FileHandle,
	__in ACCESS_MASK DesiredAccess,
	__in POBJECT_ATTRIBUTES ObjectAttributes,
	__out PIO_STATUS_BLOCK IoStatusBlock,
	__in_opt PLARGE_INTEGER AllocationSize,
	__in ULONG FileAttributes,
	__in ULONG ShareAccess,
	__in ULONG CreateDisposition,
	__in ULONG CreateOptions,
	__in_bcount_opt(EaLength) PVOID EaBuffer,
	__in ULONG EaLength
	);
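/*
 * Driver unload: put the saved service address back into SSDT slot 66 and
 * restore the 5 original bytes at the KiFastCallEntry patch site, so the
 * kernel is left as it was found.
 * qudongduixiang: the driver object (not used).
 * Fix over the original: the inline patch is only restored if the patch site
 * was actually located; the original wrote 5 bytes to address 0 whenever
 * dizhi2 was still 0 (hooked service never reached or pattern not found).
 * NOTE(review): nothing synchronizes these writes with other CPUs that may be
 * executing KiFastCallEntry or still inside the detour; the original has the
 * same gap, and it is a known source of crashes on unload for this technique.
 */
VOID xiezai1(PDRIVER_OBJECT qudongduixiang)
{
	/* original byte sequence at the patch site: sub esp,ecx / shr ecx,2 */
	UCHAR tezhengma[5] = { 0x2b, 0xe1, 0xc1, 0xe9, 0x02 };
	yebaohuguanbi();/* one write-protection window for both restores */
	KeServiceDescriptorTable.ServiceTableBase[66] = (unsigned int)lao_ntopenfile;/* restore the saved service address */
	if (dizhi2 != 0)
	{
		RtlCopyMemory((PVOID)dizhi2, tezhengma, 5);/* restore KiFastCallEntry */
	}
	yebaohukaiqi();
	KdPrint(("已经执行到驱动卸载历程\n"));
}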
/*
 * Disable kernel write protection: clears CR0.WP (bit 16) so that the writes
 * to read-only kernel pages elsewhere in this file (the SSDT slot, the
 * KiFastCallEntry bytes) succeed. Interrupts are masked first; yebaohukaiqi()
 * undoes both.
 * NOTE(review): CR0 and cli are per-CPU — other processors keep executing the
 * code being patched, and the cli/sti pair is unconditional, so interrupts are
 * re-enabled on exit even if they were already disabled on entry. Rewriting
 * kernel code and the SSDT this way is a well-known rootkit indicator, and on
 * 64-bit Windows such modifications are caught by Kernel Patch Protection.
 */
void yebaohuguanbi()//disable write protection
{
	__asm{//drop memory write protection
		cli                        // mask interrupts on this CPU for the patch window
			mov  eax, cr0
			and  eax, not 10000h   // clear bit 16 (WP)
			mov  cr0, eax
	}
}
/*
 * Re-enable kernel write protection: sets CR0.WP (bit 16) again and unmasks
 * interrupts. Counterpart of yebaohuguanbi(); must be called once per call to
 * it, on the same CPU.
 * NOTE(review): sti is executed unconditionally, so this also enables
 * interrupts in a context where they were disabled before yebaohuguanbi() ran.
 */
void yebaohukaiqi()//re-enable write protection
{
	__asm{//restore memory write protection
		mov  eax, cr0
			or   eax, 10000h       // set bit 16 (WP)
			mov  cr0, eax
			sti                    // unmask interrupts on this CPU
	}
}

/*
 * Filter invoked from the KiFastCallEntry detour on every system call.
 * ServiceTableBase: value of EDI at the patch site (the table being dispatched from).
 * NumberOfServices: value of EAX at the patch site. Despite the name it is only
 *   compared against the hard-coded constant 190, presumably the index of the
 *   service being watched on the targeted kernel build — confirm before reuse.
 * When both match, logs the image name of the calling process, read at a
 * hard-coded EPROCESS offset (0x16c) that is equally build-specific.
 * NOTE(review): that field is a short fixed-size array and is not guaranteed to
 * be NUL-terminated, so the unbounded %s may read past it.
 * Must remain an ordinary (non-naked) C function: it is called from inline
 * assembly with two ULONG arguments.
 */
void lisaisaide_guolvhanshu(ULONG ServiceTableBase, ULONG NumberOfServices)
{
	char *jincheng;
	int shi_ssdt = (ServiceTableBase == (ULONG)KeServiceDescriptorTable.ServiceTableBase);
	if (!shi_ssdt || NumberOfServices != 190)
	{
		return;
	}
	jincheng = (char*)PsGetCurrentProcess();
	KdPrint(("看那些进入KiFasetCallEntry调用ntopenkey进程名是%s\n", jincheng + 0x16c));
}
__declspec (naked)
/*
 * Detour that the 5-byte call written at dizhi2 lands in. It runs in the
 * middle of KiFastCallEntry, so it must leave every register and flag as it
 * found them apart from what the displaced instructions themselves change;
 * hence naked, all assembly, no compiler prologue/epilogue.
 * Stack on entry: [esp] = return address pushed by the patched call.
 * NOTE(review): the stack only balances across the filter call if the filter
 * is __stdcall (callee removes the two pushed arguments), which is the usual
 * WDK build default; under cdecl the popfd/popad below would restore the wrong
 * slots. Confirm the build's calling convention.
 * NOTE(review): the final jmp clobbers EAX. That is only safe if EAX is dead at
 * the patch site in the targeted kernel build — not verifiable from this file.
 */
VOID lisaisaide_KiFasetCallEntry()//detour for KiFastCallEntry
{
	__asm
	{
		pushad                       // save general-purpose registers
		pushfd                       // save flags
		push eax                     // 2nd argument to the filter: EAX at the patch site
		push edi                     // 1st argument to the filter: EDI at the patch site (service table base)
		call lisaisaide_guolvhanshu  // run the filter
		popfd                        // restore flags
		popad                        // restore registers
		pop eax                      // return address pushed by the patched call -> EAX
		sub esp,ecx                  // the two instructions displaced by the 5-byte call,
		shr ecx,2                    // re-executed here
		jmp eax                      // resume KiFastCallEntry right after the patch
	}
}
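/*
 * Overwrite the 5 bytes at the located patch site in KiFastCallEntry (dizhi2)
 * with a relative call to lisaisaide_KiFasetCallEntry.
 * Fix over the original: does nothing when the patch site was never found
 * (dizhi2 == 0); the original then wrote 5 bytes to address 0.
 * NOTE(review): this runs on every intercepted NtCreateFile, so the same bytes
 * are rewritten repeatedly; the write is neither atomic nor synchronized with
 * other CPUs executing KiFastCallEntry at that moment.
 */
VOID hook_KiFasetCallEntry()//inline hook of KiFastCallEntry
{
	ULONG  pianyi1 = 0;
	UCHAR tezhengma[5];
	if (dizhi2 == 0)
	{
		return;/* patch site unknown: nothing safe to write */
	}
	/* rel32 displacement: target minus the address of the instruction after the 5-byte call */
	pianyi1 = (ULONG)lisaisaide_KiFasetCallEntry - 5 - dizhi2;
	tezhengma[0] = 0xe8;/* call rel32 */
	RtlCopyMemory(&tezhengma[1], &pianyi1, sizeof(pianyi1));/* byte copy instead of an unaligned ULONG store */
	yebaohuguanbi();
	RtlCopyMemory((PVOID)dizhi2, tezhengma, 5);
	yebaohukaiqi();
}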
/*
 * Replacement installed into SSDT slot 66 by DriverEntry. Its job is to find
 * and patch KiFastCallEntry from inside a dispatched system call, then pass
 * the call through to the saved original and return its status.
 * Parameters and return value are those of NtCreateFile, forwarded unchanged.
 * NOTE(review): the patch is attempted again on every call — there is no
 * "already hooked" state — and the result of sosuohookdiandizhi() is not
 * checked before hook_KiFasetCallEntry() uses dizhi2.
 */
NTSTATUS lisaisaide_NtCreateFile(    //replacement NtCreateFile
	__out PHANDLE FileHandle,
	__in ACCESS_MASK DesiredAccess,
	__in POBJECT_ATTRIBUTES ObjectAttributes,
	__out PIO_STATUS_BLOCK IoStatusBlock,
	__in_opt PLARGE_INTEGER AllocationSize,
	__in ULONG FileAttributes,
	__in ULONG ShareAccess,
	__in ULONG CreateDisposition,
	__in ULONG CreateOptions,
	__in_bcount_opt(EaLength) PVOID EaBuffer,
	__in ULONG EaLength
	)
{
	/* Capture this function's own return address, i.e. the instruction in
	 * KiFastCallEntry right after the call that dispatched here; it anchors the
	 * backwards pattern search. Relies on a conventional EBP frame being set up
	 * (frame pointer not omitted) — assumption, confirm compiler settings. */
	__asm
	{
		pushad
		mov eax, [ebp + 0x4]
		mov dizhi1, eax
		popad
	}
	//KdPrint(("通过内核栈得到地址call ebx下一句的地址%x\n", dizhi1));//disabled trace: address after the dispatching call, read from the kernel stack
	sosuohookdiandizhi();//locate the KiFastCallEntry patch site; return value unchecked
	//disabled: restoring SSDT slot 66 here was moved to the unload routine
	//yebaohuguanbi();
	//KeServiceDescriptorTable.ServiceTableBase[66] = (unsigned int)lao_ntopenfile;
	//yebaohukaiqi();
	hook_KiFasetCallEntry(); //write the inline call
	return   ((hanshuzhizhen1)lao_ntopenfile)(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);/* pass through to the original service */
}
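/*
 * Scan backwards from dizhi1 (the return address captured inside
 * KiFastCallEntry) for the 5-byte sequence sub esp,ecx / shr ecx,2 and record
 * its address in dizhi2.
 * Returns the address found, or 0 if dizhi1 is unset or the pattern is not
 * within the 300-byte window; dizhi2 is left unchanged on failure.
 * Fix over the original: an unset dizhi1 no longer starts a scan downwards
 * from address 0.
 * NOTE(review): once the inline call has been written the pattern is gone, so
 * every later call returns 0 while callers keep using the stale dizhi2.
 */
ULONG sosuohookdiandizhi()//locate the KiFastCallEntry patch site
{
	static const UCHAR muban[5] = { 0x2b, 0xe1, 0xc1, 0xe9, 0x02 };
	UCHAR *p = (UCHAR *)dizhi1;
	ULONG i;
	if (p == NULL)
	{
		return 0;
	}
	for (i = 0; i < 300; i++)
	{
		if (RtlCompareMemory(p, muban, sizeof(muban)) == sizeof(muban))
		{
			dizhi2 = (ULONG)p;
			return (ULONG)p;
		}
		p--;
	}
	return 0;
}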
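/*
 * Driver entry: save the current value of SSDT slot 66 and replace it with
 * lisaisaide_NtCreateFile, which patches KiFastCallEntry from inside the
 * first call it intercepts. Registers xiezai1 as the unload routine.
 * qudongduixiang: driver object. zhucebiao: registry path (unused).
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL if the table this kernel
 * exposes has no slot 66.
 * NOTE(review): slot 66, the 0x16c offset and the 190 constant are all tied
 * to one 32-bit kernel build; on any other build this replaces an unrelated
 * service. On 64-bit Windows the approach is not applicable and such writes
 * are detected by Kernel Patch Protection.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang,PUNICODE_STRING zhucebiao)
{
	/* register unload first so the driver can always be unhooked once loaded */
	qudongduixiang->DriverUnload = xiezai1;
	/* the hard-coded index must lie inside the table before it is indexed */
	if (KeServiceDescriptorTable.NumberOfServices <= 66)
	{
		return STATUS_UNSUCCESSFUL;
	}
	lao_ntopenfile = KeServiceDescriptorTable.ServiceTableBase[66];/* save the original service address */
	yebaohuguanbi();
	KeServiceDescriptorTable.ServiceTableBase[66] = (unsigned int)lisaisaide_NtCreateFile;/* SSDT hook */
	yebaohukaiqi();
	return STATUS_SUCCESS;
}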
