关于inline hook,求助~-付费问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (1)
leezy 雪币： 167 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 9 粉丝 0 关注私信	leezy 2 楼自己结题. 由于水平有限,所以也说不出个所以然.必须把ObReferenceObjectByHandle的所有压寄存器的操作全部存了. #include "hook.h" char non_paged_memory; __declspec(naked) DetourObReferenceObjectByHandle( // __in HANDLE Handle, //0x08 // __in ACCESS_MASK DesiredAccess, //0x0c //__in_opt POBJECT_TYPE ObjectType, // 0x10 // __in KPROCESSOR_MODE AccessMode, // 0x14 // __out PVOID Object, // 0x18 // __out_opt POBJECT_HANDLE_INFORMATION HandleInformation // 0x1c ) { // mov edi,edi // push ebp // mov ebp,esp // push ecx // push ebx // push esi // push edi __asm { mov edi,edi push ebp mov ebp,esp push ecx push ebx push esi push edi _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 } } VOID Hook() { KIRQL Irql; char actual_function = (char)ObReferenceObjectByHandle; unsigned long detour_address; unsigned long reentry_address; int i = 0; char newCode[] = {0xEA,0x44,0x33,0x22,0x11,0x08,0x00,0x90,0x90}; RtlCopyMemory(OriginalBytes,(char)ObReferenceObjectByHandle,9); reentry_address = ((unsigned long)ObReferenceObjectByHandle)+9; non_paged_memory = ExAllocatePool(NonPagedPool,256); for(i=0;i<256;++i) { ((unsigned char)non_paged_memory)[i]= ((unsigned char)DetourObReferenceObjectByHandle)[i]; } detour_address = (unsigned long)non_paged_memory; ((unsigned long)(&newCode[1])) = detour_address; for(i=0;i<200;++i) { if((0xAA==((unsigned char)non_paged_memory)[i]) && (0xAA==((unsigned char)non_paged_memory)[i+1]) && (0xAA==((unsigned char)non_paged_memory)[i+2]) && (0xAA==((unsigned char)non_paged_memory)[i+3])) { ((unsigned long*)(&non_paged_memory[i])) = reentry_address; break; } } _asm { cli push eax mov eax, cr0 mov Cr0Value, eax and eax, 0fffeffffh mov cr0, eax pop eax } Irql = KeRaiseIrqlToDpcLevel(); for(i=0;i<9;++i) actual_function[i]=newCode[i]; KeLowerIrql(Irql); __asm { push eax mov eax, Cr0Value mov cr0, eax pop eax sti } } VOID Unhook() { //把五个字节再写回到原函数 KIRQL Irql; //关闭写保护 _asm { cli push eax mov eax, cr0 mov Cr0Value, eax and eax, 0fffeffffh mov cr0, eax pop eax } //5351:EC8B55FF //提升IRQL到Dpc Irql=KeRaiseIrqlToDpcLevel(); RtlCopyMemory((PCHAR)ObReferenceObjectByHandle,OriginalBytes,9); KeLowerIrql(Irql); //开启写保护 __asm { push eax mov eax, Cr0Value mov cr0, eax pop eax sti } } NTSTATUS DriverEntry(__in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegisterPath) { NTSTATUS status = STATUS_SUCCESS; UNREFERENCED_PARAMETER( DriverObject ); UNREFERENCED_PARAMETER( RegisterPath ); try{ KdPrint(("InlineHook: DriverEntry \n")); Hook(); DriverObject->DriverUnload = HookUnload; } finally{ } return status; } VOID HookUnload( __in PDRIVER_OBJECT DriverObject ) { UNREFERENCED_PARAMETER( DriverObject ); KdPrint(("InlineHook: HookUnload \n")); Unhook(); ExFreePool(non_paged_memory); } 2010-6-30 22:41 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (1)

leezy

雪币： 167

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

leezy: 2 楼

自己结题. 由于水平有限,所以也说不出个所以然.必须把ObReferenceObjectByHandle的所有压寄存器的操作全部存了.

#include "hook.h"

char *non_paged_memory;
__declspec(naked)
DetourObReferenceObjectByHandle(
// __in    HANDLE Handle, //0x08
// __in    ACCESS_MASK DesiredAccess, //0x0c
  //__in_opt POBJECT_TYPE ObjectType,  // 0x10
// __in    KPROCESSOR_MODE AccessMode, // 0x14
// __out    PVOID *Object,  // 0x18
// __out_opt  POBJECT_HANDLE_INFORMATION  HandleInformation // 0x1c
)
{
// mov    edi,edi
//  push ebp
//  mov    ebp,esp
//  push ecx
//  push ebx
//  push esi
//  push edi
__asm {
mov edi,edi
push ebp
mov ebp,esp
push ecx
push ebx
push esi
      push edi
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}

VOID
Hook()
{
KIRQL  Irql;
char *actual_function = (char*)ObReferenceObjectByHandle;
unsigned long detour_address;
unsigned long reentry_address;
int i = 0;
char newCode[] = {0xEA,0x44,0x33,0x22,0x11,0x08,0x00,0x90,0x90};
RtlCopyMemory(OriginalBytes,(char*)ObReferenceObjectByHandle,9);
reentry_address = ((unsigned long)ObReferenceObjectByHandle)+9;
non_paged_memory = ExAllocatePool(NonPagedPool,256);
for(i=0;i<256;++i)
{
   ((unsigned char*)non_paged_memory)[i]=
   ((unsigned char*)DetourObReferenceObjectByHandle)[i];
}

detour_address = (unsigned long)non_paged_memory;

*((unsigned long*)(&newCode[1])) = detour_address;
for(i=0;i<200;++i)
{
   if((0xAA==((unsigned char*)non_paged_memory)[i])
   && (0xAA==((unsigned char*)non_paged_memory)[i+1])
   && (0xAA==((unsigned char*)non_paged_memory)[i+2])
   && (0xAA==((unsigned char*)non_paged_memory)[i+3]))
   {
   *((unsigned long*)(&non_paged_memory[i])) =
reentry_address;
   break;
   }
}
_asm
{
   cli
   push eax
   mov eax, cr0
   mov Cr0Value, eax
   and eax, 0fffeffffh
   mov cr0, eax
   pop eax
}
Irql = KeRaiseIrqlToDpcLevel();

for(i=0;i<9;++i) actual_function[i]=newCode[i];

KeLowerIrql(Irql);
   __asm

{
   push eax
   mov eax, Cr0Value
   mov cr0, eax
   pop eax
   sti
}
}

VOID Unhook()
{

//把五个字节再写回到原函数

KIRQL Irql;

//关闭写保护

_asm

{
   cli
   push eax
   mov eax, cr0
   mov Cr0Value, eax
   and eax, 0fffeffffh
   mov cr0, eax
   pop eax
}
  //5351:EC8B55FF
//提升IRQL到Dpc

Irql=KeRaiseIrqlToDpcLevel();

RtlCopyMemory((PCHAR)ObReferenceObjectByHandle,OriginalBytes,9);

KeLowerIrql(Irql);

//开启写保护

__asm

{
   push eax
   mov eax, Cr0Value
   mov cr0, eax
   pop eax
   sti
}
}

NTSTATUS
DriverEntry(__in PDRIVER_OBJECT  DriverObject,
__in PUNICODE_STRING  RegisterPath)
{
NTSTATUS status = STATUS_SUCCESS;

UNREFERENCED_PARAMETER( DriverObject );
UNREFERENCED_PARAMETER( RegisterPath );

try{
      KdPrint(("InlineHook: DriverEntry \n"));
Hook();
DriverObject->DriverUnload = HookUnload;
} finally{
}
return status;
}

VOID
HookUnload(
__in PDRIVER_OBJECT DriverObject
)
{
UNREFERENCED_PARAMETER( DriverObject );

KdPrint(("InlineHook: HookUnload \n"));
Unhook();
ExFreePool(non_paged_memory);
}

2010-6-30 22:41

[旧帖] 关于inline hook,求助~ 0.00雪花