这几天看了看大牛们写的hook,我想看看自己真正理解了没,于是起床就开始仿照别人的程序写一个HOOK,我想钩住IoAllocateIrp这个函数,于是用windbg看了看这个函数:
kd> u IoAllocateIrp
nt!IoAllocateIrp:
804ef01a 8bff mov edi,edi
804ef01c 55 push ebp
804ef01d 8bec mov ebp,esp
804ef01f 5d pop ebp
804ef020 ff2508d25480 jmp dword ptr [nt!pIoAllocateIrp (8054d208)]
我想更改jmp后边的地址,让它跳到我的函数中执行,也就是只要把IoAllocateIrp地址加7的后四个字节改成我们的函数的地址就可以了。下边是我写的代码:
#include "ntddk.h"
typedef NTSTATUS (FASTCALL
*pIoAllocateIrp)(
CCHAR StackSize,
BOOLEAN ChargeQuota);
pIoAllocateIrp old_function;
ULONG old_cr0;
VOID FASTCALL my_Function()
{
KdPrint(("hook successful\n"));
_asm
{
mov ecx,1024
mov edx,FALSE
Call old_function
}
return;
}
VOID unhook_function()
{
KIRQL oldIrql;
ULONG addr=(ULONG)IoAllocateIrp;
oldIrql=KeRaiseIrqlToDpcLevel();
_asm
{
mov eax,cr0
mov old_cr0,eax
and eax,0xfffeffff
mov cr0,eax
mov eax,addr
mov esi,[eax+7]
mov eax,old_function
mov dword ptr [esi],eax
mov eax,old_cr0
mov cr0,eax
}
KeLowerIrql(oldIrql);
return;
}
VOID my_Unload(PDRIVER_OBJECT pDriverObject)
{
unhook_function();
}
VOID hook_Function()
{
ULONG Addr=(ULONG)IoAllocateIrp;
KIRQL oldIrql;
_asm
{
mov eax,Addr
mov esi,[eax+7]
mov eax,[esi]
mov old_function,eax
}
oldIrql=KeRaiseIrqlToDpcLevel();
_asm
{
mov eax,cr0
mov old_cr0,eax
and eax,0xfffeffff
mov cr0,eax
mov eax,Addr
mov esi,[eax+7]
mov dword ptr[esi],offset my_Function
mov eax,old_cr0
mov cr0,eax
}
KeLowerIrql(oldIrql);
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
NTSTATUS status;
pDriverObject->DriverUnload=my_Unload;
hook_Function();
return STATUS_SUCCESS;
}
编译好了后一运行就蓝屏,我用windbg看了看,一执行到hook_function里的 mov eax,[esi]就出问题了这句的意思是把原来的要跳转的地址传给eax,我改了改换成IofCallDriver时不蓝屏,我猜是不是这个函数里的地址不可读啊?谁能看下哪里出了问题啊,高手别笑我啊,我是菜鸟中的菜鸟。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
