关于inline hook的跳转问题.-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] 关于inline hook的跳转问题. 0.00雪花

发表于: 2010-7-1 21:59 2149

[旧帖] 关于inline hook的跳转问题. 0.00雪花

leezy

2010-7-1 21:59

2149

看见有e9段内跳转的,这个做着没问题...
但是我用rootkit安全防护那本书上的方法,用段间ea跳转,跳了以后,在detour函数里面call都出问题..不知道怎么回事.
附上代码:

#include "hook.h"

char *non_paged_memory;
NTSTATUS
my_obreferenceobjectbyhandle
(
  __in    HANDLE Handle, //0x08
  __in    ACCESS_MASK DesiredAccess, //0x0c
  __in_opt POBJECT_TYPE ObjectType,  // 0x10
  __in    KPROCESSOR_MODE AccessMode, // 0x14
  __out    PVOID *Object,  // 0x18
  __out_opt  POBJECT_HANDLE_INFORMATION  HandleInformation // 0x1c
)
{
KdPrint(("Detour obj\n"));
return STATUS_SUCCESS;
}
__declspec(naked)
DetourObReferenceObjectByHandle(
// __in    HANDLE Handle, //0x08
// __in    ACCESS_MASK DesiredAccess, //0x0c
  //__in_opt POBJECT_TYPE ObjectType,  // 0x10
// __in    KPROCESSOR_MODE AccessMode, // 0x14
// __out    PVOID *Object,  // 0x18
// __out_opt  POBJECT_HANDLE_INFORMATION  HandleInformation // 0x1c
)
{
// mov    edi,edi
//  push ebp
//  mov    ebp,esp
//  push ecx
//  push ebx
//  push esi
//  push edi
// KdPrint(("Detour Obj\n"));
__asm {
mov edi,edi
push ebp
mov ebp,esp
push ecx
push ebx
push esi
      push edi
push dword ptr[ebp+1ch]
push dword ptr[ebp+18h]
push dword ptr[ebp+14h]
push dword ptr[ebp+10h]
push dword ptr[ebp+0ch]
push dword ptr[ebp+08h]
call my_obreferenceobjectbyhandle
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
/****/}
}

VOID
Hook()
{
KIRQL  Irql;
char *actual_function = (char*)ObReferenceObjectByHandle;
unsigned long detour_address;
unsigned long reentry_address;
int i = 0;
char newCode[] = {0xEA,0x44,0x33,0x22,0x11,0x08,0x00,0x90,0x90};
RtlCopyMemory(OriginalBytes,(char*)ObReferenceObjectByHandle,9);
reentry_address = ((unsigned long)ObReferenceObjectByHandle)+9;
non_paged_memory = ExAllocatePool(NonPagedPool,256);
for(i=0;i<256;++i)
{
   ((unsigned char*)non_paged_memory)[i]=
   ((unsigned char*)DetourObReferenceObjectByHandle)[i];
}

detour_address = (unsigned long)non_paged_memory;

*((unsigned long*)(&newCode[1])) = detour_address;
for(i=0;i<200;++i)
{
   if((0xAA==((unsigned char*)non_paged_memory)[i])
   && (0xAA==((unsigned char*)non_paged_memory)[i+1])
   && (0xAA==((unsigned char*)non_paged_memory)[i+2])
   && (0xAA==((unsigned char*)non_paged_memory)[i+3]))
   {
   *((unsigned long*)(&non_paged_memory[i])) =
reentry_address;
   break;
   }
}
_asm
{
   cli
   push eax
   mov eax, cr0
   mov Cr0Value, eax
   and eax, 0fffeffffh
   mov cr0, eax
   pop eax
}
Irql = KeRaiseIrqlToDpcLevel();

for(i=0;i<9;++i) actual_function[i]=newCode[i];

KeLowerIrql(Irql);
   __asm

{
   push eax
   mov eax, Cr0Value
   mov cr0, eax
   pop eax
   sti
}
}

VOID Unhook()
{

//把五个字节再写回到原函数

KIRQL Irql;

//关闭写保护

_asm

{
   cli
   push eax
   mov eax, cr0
   mov Cr0Value, eax
   and eax, 0fffeffffh
   mov cr0, eax
   pop eax
}
  //5351:EC8B55FF
//提升IRQL到Dpc

Irql=KeRaiseIrqlToDpcLevel();

RtlCopyMemory((PCHAR)ObReferenceObjectByHandle,OriginalBytes,9);

KeLowerIrql(Irql);

//开启写保护

__asm

{
   push eax
   mov eax, Cr0Value
   mov cr0, eax
   pop eax
   sti
}
}

NTSTATUS
DriverEntry(__in PDRIVER_OBJECT  DriverObject,
__in PUNICODE_STRING  RegisterPath)
{
NTSTATUS status = STATUS_SUCCESS;

UNREFERENCED_PARAMETER( DriverObject );
UNREFERENCED_PARAMETER( RegisterPath );

try{
      KdPrint(("InlineHook: DriverEntry \n"));
Hook();
DriverObject->DriverUnload = HookUnload;
} finally{
}
return status;
}

VOID
HookUnload(
__in PDRIVER_OBJECT DriverObject
)
{
UNREFERENCED_PARAMETER( DriverObject );

KdPrint(("InlineHook: HookUnload \n"));
Unhook();
ExFreePool(non_paged_memory);
}

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・0

免费・0

支持