[原创]IDT中断异常 HOOK
//简单内容为了方便查看。。。。xp-win8.1测试通过
///大牛飞过 大牛飞过 大牛飞过 大牛飞过 大牛飞过 大牛飞过 大牛飞过 大牛飞过 大牛飞过 大牛飞过 大牛飞过
#include "ntddk.h"
#include "windef.h"
#pragma pack(2)
/* 6-byte pseudo-descriptor that SIDT stores (see "sidt idt" in DriverEntry):
 * a 16-bit limit followed by the 32-bit linear base. pack(2) keeps
 * highaddress at offset 2 so the struct is exactly 6 bytes as the CPU
 * writes it. */
typedef struct _IDTR{
USHORT numberofidt;   // IDT limit = size of the table in bytes minus 1, NOT an entry count (the commented loop in DriverEntry adds 1 and divides by sizeof(IDTENTRY))
ULONG highaddress;    // linear base address of the IDT; DriverEntry casts it to PIDTENTRY
}IDTR ,*PIDTR;
#pragma pack()
/* x86 (32-bit) kernel trap frame layout. The naked stub myidthook builds one
 * of these on the kernel stack and passes its address to FilterExceptionInfo.
 * Field order matters: the stub's push sequence mirrors it from the bottom
 * (the part the CPU pushed) upwards, and "sub esp,30h" reserves the first
 * 0x30 bytes (DbgEbp..Dr7), which are therefore uninitialized. */
typedef struct _KTRAP_FRAME
{
ULONG DbgEbp;          // DbgEbp..Dr7: 0x30 bytes reserved by the stub, contents undefined
ULONG DbgEip;
ULONG DbgArgMark;
ULONG DbgArgPointer;
WORD TempSegCs;
UCHAR Logging;
UCHAR Reserved;
ULONG TempEsp;
ULONG Dr0;
ULONG Dr1;
ULONG Dr2;
ULONG Dr3;
ULONG Dr6;
ULONG Dr7;
ULONG SegGs;           // SegGs..SegDs and Edx/Ecx/Eax: pushed by the stub
ULONG SegEs;
ULONG SegDs;
ULONG Edx;
ULONG Ecx;
ULONG Eax;
ULONG PreviousPreviousMode;  // slot skipped with "sub esp,4h"/"add esp,4h"; never written by the stub
ULONG ExceptionList;   // stub pushes fs:[0] after loading fs with the kernel PCR selector (0x30)
ULONG SegFs;
ULONG Edi;
ULONG Esi;
ULONG Ebx;
ULONG Ebp;
ULONG ErrCode;         // #BP pushes no error code; the stub pushes 0 here
ULONG Eip;             // Eip..HardwareSegSs are pushed by the CPU on the trap; Eip is what FilterExceptionInfo logs
ULONG SegCs;
ULONG EFlags;
ULONG HardwareEsp;     // present only when the trap crossed a privilege boundary (e.g. user-mode int 3)
ULONG HardwareSegSs;
ULONG V86Es;           // present only when trapping out of virtual-8086 mode
ULONG V86Ds;
ULONG V86Fs;
ULONG V86Gs;
} KTRAP_FRAME, *PKTRAP_FRAME;
/* One 8-byte 32-bit IDT gate descriptor. The handler address is split across
 * LowOffset (bits 0-15) and HiOffset (bits 16-31): MAKELONG in DriverEntry
 * reassembles it, and the two stores in DriverEntry/DriverUnload split it
 * again. The bit-field byte is laid out low-bit-first (as MSVC allocates it),
 * matching the hardware order: gate type, S flag, DPL, Present. */
typedef struct _IDTENTRY
{
unsigned short LowOffset;     // handler address bits 0-15
unsigned short selector;      // code segment selector the handler runs in
unsigned char unused_lo;      // reserved byte
unsigned char segment_type:4; // gate type (0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate)
unsigned char system_flag:1;  // S bit; 0 for a system (gate) descriptor
unsigned char DPL:2;          // descriptor privilege level; INT n from ring 3 requires DPL 3
unsigned char P:1;            // present bit
unsigned short HiOffset;      // handler address bits 16-31
} IDTENTRY,*PIDTENTRY;
void onprotect();   // restore the CR0 saved by offprotect() (write protection back on) and sti
void offprotect();  // cli and clear CR0.WP so stores to read-only kernel pages are not faulted; brackets every IDT write below
ULONG oldCr0=0;     // CR0 value saved by offprotect(), restored by onprotect()
ULONG old3=0;       // original handler address of IDT vector 3 (#BP); saved in DriverEntry, chained to by myidthook, restored in DriverUnload
PIDTENTRY idtentry; // base of the IDT of the CPU DriverEntry ran on, viewed as an array of 8-byte gates
/* Driver unload: put the original vector-3 handler (old3) back into the gate
 * that DriverEntry patched. The two 16-bit halves are written with write
 * protection off (offprotect/onprotect), exactly as when the hook was set.
 * NOTE: the two stores are not one atomic update of the gate; only the cli in
 * offprotect() on this CPU covers the window, which is consistent with the
 * single-core assumption stated in DriverEntry. */
void DriverUnload(PDRIVER_OBJECT obj){
    ULONG original = old3;
    unsigned short low  = (unsigned short)(original & 0xffffu);
    unsigned short high = (unsigned short)(original >> 16);
    (void)obj;  /* unused: only the saved globals are needed */
    offprotect();
    idtentry[3].LowOffset = low;
    idtentry[3].HiOffset  = high;
    onprotect();
}
/* C-level callback invoked by myidthook with the address of the KTRAP_FRAME
 * the stub built on the kernel stack. Only Eip is read; it was pushed by the
 * CPU, so it is valid even though the DbgEbp..Dr7 part of the frame is
 * uninitialized. The frame is not modified; after this returns the stub
 * chains to the original handler. _stdcall: the callee pops its one argument,
 * which the stub's stack arithmetic relies on.
 * (The commented-out store to TrapFRame+0x068 from the original was dropped:
 * pointer arithmetic on a PKTRAP_FRAME scales by sizeof(KTRAP_FRAME), so that
 * expression never addressed a byte offset.) */
void _stdcall FilterExceptionInfo(PKTRAP_FRAME TrapFRame){
    ULONG trappedEip = TrapFRame->Eip;
    KdPrint(("TrapFRame.eip =%X",trappedEip));
}
/* Disable interrupts on this CPU and clear CR0.WP (bit 16) so the kernel can
 * store into read-only pages; the original CR0 is kept in oldCr0 for
 * onprotect(). Only the executing CPU is affected. Pair every call with
 * onprotect(). */
void offprotect(){ __asm {
cli;
mov eax, cr0;
mov oldCr0, eax;       // save CR0 so onprotect() restores WP exactly
and eax, not 10000h;   // clear bit 16 = WP
mov cr0, eax
}
}
/* Restore the CR0 saved by offprotect() (write protection back on) and
 * re-enable interrupts. NOTE: sti is unconditional — if interrupts were
 * already off when offprotect() ran, this turns them on anyway. */
void onprotect(){
__asm {
mov eax, oldCr0;
mov cr0, eax;
sti;
}
}
/* Naked stub installed into IDT vector 3 (#BP) by DriverEntry.
 * When it runs the CPU has already pushed EFlags, CS and Eip on the kernel
 * stack (#BP pushes no error code). The stub pushes the remaining KTRAP_FRAME
 * fields in reverse struct order, so that after "sub esp,30h" esp points at
 * DbgEbp, the start of a KTRAP_FRAME whose first 0x30 bytes (DbgEbp..Dr7)
 * are uninitialized. That pointer is passed to FilterExceptionInfo (stdcall,
 * so the callee pops it), everything pushed here is undone in mirror order,
 * and control jumps to the original vector-3 handler saved in old3, which
 * then sees the stack exactly as the CPU left it. General and segment
 * registers are restored before the jump; the callback runs before the
 * kernel's own handler has done any bookkeeping. */
__declspec(naked)void myidthook(){
__asm{
push 0                      // ErrCode slot: #BP supplies none, so push 0 ...
mov word ptr [esp+2],0      // ... and clear its upper word (redundant after a 32-bit push of 0)
push ebp
push ebx
push esi
push edi
push fs
mov ebx,30h                 // 0x30 = ring-0 FS selector (KPCR) on 32-bit Windows
mov fs,bx
mov ebx,dword ptr fs:[0]    // fs:[0] = NtTib.ExceptionList of this processor's KPCR
push ebx                    // ExceptionList field
sub esp,4h                  // PreviousPreviousMode slot, left unwritten
push eax
push ecx
push edx
push ds
push es
push gs
mov ax,23h                  // NOTE: ax is loaded but never moved into ds/es; as written this has no effect on any segment register
sub esp,30h                 // reserve DbgEbp..Dr7 (0x30 bytes); frame construction ends here
push esp                    // argument: address of the KTRAP_FRAME just built
call FilterExceptionInfo
add esp,30h                 // restore context: discard DbgEbp..Dr7
pop gs
pop es
pop ds
pop edx
pop ecx
pop eax
add esp,4h                  // PreviousPreviousMode
pop ebx                     // ExceptionList (discarded; real ebx restored below)
pop fs
pop edi
pop esi
pop ebx
pop ebp
add esp,4h                  // ErrCode
jmp old3                    // chain to the original handler (address saved in DriverEntry)
}
}
/* Driver entry: hook IDT vector 3 (#BP) of the CPU this runs on.
 * Steps: read the IDT base with SIDT, save the current vector-3 handler
 * address in old3, then point the gate at myidthook with write protection
 * temporarily cleared. Limitations visible in this code:
 *  - SIDT reports only the executing CPU's table and each CPU has its own
 *    IDT; the author notes below that only XP / single core was handled.
 *  - LowOffset and HiOffset are two separate 16-bit stores, so the gate is
 *    briefly inconsistent; only the cli in offprotect() (this CPU) covers it.
 *  - pregister is unused and index is only referenced by the commented-out
 *    enumeration loop.
 * Defensive note: a vector whose handler lies outside the kernel image is
 * precisely what IDT integrity checks report; treat this as a lab sample.
 * Returns STATUS_SUCCESS unconditionally; DriverUnload restores the gate. */
NTSTATUS DriverEntry(PDRIVER_OBJECT obj,PUNICODE_STRING pregister){
ULONG index=0;
IDTR idt;
// Method 1: read the IDT base/limit with SIDT into the packed IDTR above.
__asm{
sidt idt
}
// Method 2 (not used here): take it from the per-processor KPCR reached via FS;
// in the layout below the IDT pointer sits at +0x038.
/**
nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x01c SelfPcr : Ptr32 _KPCR
+0x020 Prcb : Ptr32 _KPRCB
+0x024 Irql : UChar
+0x028 IRR : Uint4B
+0x02c IrrActive : Uint4B
+0x030 IDR : Uint4B
+0x034 KdVersionBlock : Ptr32 Void
+0x038 IDT : Ptr32 _KIDTENTRY
+0x03c GDT : Ptr32 _KGDTENTRY
+0x040 TSS : Ptr32 _KTSS
+0x044 MajorVersion : Uint2B
+0x046 MinorVersion : Uint2B
+0x048 SetMember : Uint4B
+0x04c StallScaleFactor : Uint4B
+0x050 DebugActive : UChar
+0x051 Number : UChar
+0x052 Spare0 : UChar
+0x053 SecondLevelCacheAssociativity : UChar
+0x054 VdmAlert : Uint4B
+0x058 KernelReserved : [14] Uint4B
+0x090 SecondLevelCacheSize : Uint4B
+0x094 HalReserved : [16] Uint4B
+0x0d4 InterruptMode : Uint4B
+0x0d8 Spare1 : UChar
+0x0dc KernelReserved2 : [17] Uint4B
+0x120 PrcbData : _KPRCB
kd> dt _krcp
*/
// A third option (author's note): obtain the bitmap of all CPUs, i.e. their count, and run this on each chosen CPU.
// The code below is generic; only XP on a single core was handled here — sort out the CPUs above and it works.
idtentry=(PIDTENTRY)idt.highaddress;    // view the IDT as an array of 8-byte gates
old3=MAKELONG(idtentry[3].LowOffset,idtentry[3].HiOffset);// reassemble the 32-bit address of the current vector-3 handler
offprotect();
idtentry[3].LowOffset=(ULONG)myidthook&0xffff;// low 16 bits of the hook address into the gate
idtentry[3].HiOffset=(ULONG)myidthook >>16;// high 16 bits of the hook address
onprotect();
// KdPrint(("Don't use the automatic filtering of IDT interrupt "));
//KdPrint(("idt address: %X ,numberofidt: %d",idt.highaddress,idt.numberofidt)); enumerate every IDT entry of the current processor
// (numberofidt is the limit in bytes minus 1, hence the "+1" and the division by sizeof(IDTENTRY) below)
/**for(;index<(idt.numberofidt+1)/sizeof(IDTENTRY);index++){
if (MAKELONG(idtentry[index].LowOffset,idtentry[index].HiOffset)!=0)
{
KdPrint(("index: %d address: %X",index,MAKELONG(idtentry[index].LowOffset,idtentry[index].HiOffset)));
}
}*/
obj->DriverUnload=DriverUnload;   // ensure the original gate is restored when the driver unloads
return STATUS_SUCCESS;
}