我想拿 KeInsertQueueApc 练练手，学习下 inline hook。可老是 BSOD，找半天没有头绪。
请高手们指点下。。。
可能是恢复堆栈时出的问题……主要是红色的代码部分（fake_my_native_api）……请高手们指点，谢谢。
#include <ntddk.h>
#include <windef.h>
#define HOOK_FUNCTION_NAME L"KeInsertQueueApc"   /* exported kernel routine resolved by get_function_address() */
#define HOOK_LENGTH 5                            /* bytes saved from the target prologue; the copies below use the literal 5 instead */
/* The first HOOK_LENGTH bytes of the target, saved by hook_native_api() and restored by un_hook_native_api(). */
UCHAR g_origcode [5] = { 0x00, 0x00, 0x00, 0x00, 0x00 };
/* 0xE9 is a near jmp rel32 (a *short* jmp would be 0xEB); bytes 1..4 receive the displacement to fake_my_native_api. */
UCHAR g_hook_code[5] = { 0xe9/*jmp rel32*/, 0x00, 0x00, 0x00, 0x00 };
/* 0xEA is a far jmp ptr16:32: bytes 1..4 receive the absolute address target+5, bytes 5..6 hold selector 0x0008
 * (presumably the kernel code segment of the 32-bit build this was written for — verify before reuse). */
UCHAR g_back_code[7] = { 0xea/*far jmp*/, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00 };
ULONG g_cr0;              /* CR0 value saved by WPOFF() and restored by WPON(); one global, so not safe under concurrent use */
ULONG g_function_address; /* resolved address of HOOK_FUNCTION_NAME; hook_native_api() does not check it for 0 before patching */
ULONG get_function_address( IN PCWSTR _pname );
NTSTATUS hook_native_api( );
NTSTATUS un_hook_native_api( );
/* Both replacements mirror the hooked routine's argument list. They are declared void, but the naked body of
 * fake_my_native_api sets eax and returns with `ret 0x10`, so the real calling convention is whatever the
 * hooked routine uses (four 4-byte stdcall arguments on this 32-bit build). */
void fake_my_native_api(PKAPC Apc, PVOID SystemArgument1, PVOID SystemArgument2, KPRIORITY Increment );
void fake_proxy_my_native_api(PKAPC Apc, PVOID SystemArgument1, PVOID SystemArgument2, KPRIORITY Increment);
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
/* Disable kernel write protection for the patch that follows.
 * Clears CR0.WP (bit 16) so ring-0 writes to read-only code pages no longer fault, keeps the
 * previous CR0 in g_cr0 for WPON(), and masks interrupts with cli.
 * NOTE(review): CR0 is a per-CPU register while g_cr0 is a single global, so the saved value
 * only describes the CPU that ran this, and a second WPOFF() before WPON() overwrites it.
 * Because of the cli, the KeRaiseIrqlToDpcLevel() in the callers already runs with interrupts off. */
void WPOFF()
{
ULONG uAttr;
_asm
{
push eax;
mov eax, cr0;
mov uAttr, eax;        // keep the original CR0 for WPON()
and eax, 0FFFEFFFFh;   // clear bit 16 = CR0.WP
mov cr0, eax;
pop eax;
cli                    // mask interrupts on this CPU
};
g_cr0 = uAttr;
}
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
/* Re-enable interrupts and restore the CR0 value saved by WPOFF() (which puts CR0.WP back).
 * NOTE(review): sti runs before CR0 is restored, so there is a window in which an interrupt
 * handler executes with write protection still disabled. Must be paired with a prior WPOFF()
 * on the same CPU, otherwise g_cr0 is stale or zero. */
VOID WPON()
{
_asm
{
sti                    // unmask interrupts
push eax;
mov eax, g_cr0;        // CR0 as it was before WPOFF()
mov cr0, eax;
pop eax;
};
}
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
/* Install the inline hook on HOOK_FUNCTION_NAME.
 * Steps: resolve the target; compute the rel32 displacement from the end of the 5-byte jmp
 * (target + 5) to fake_my_native_api; store the absolute resume address target + 5 in
 * g_back_code; save the original 5 bytes; then, with CR0.WP cleared and IRQL raised, overwrite
 * the target with the jmp and build the trampoline inside fake_proxy_my_native_api
 * (5 saved bytes + 7-byte far jmp = the 12 NOP bytes reserved there).
 * Returns STATUS_SUCCESS unconditionally.
 * NOTE(review): g_function_address is not checked; if the lookup returned 0 the code below
 * patches address 0 + 5 and crashes.
 * NOTE(review): the 5 saved bytes are relocated verbatim, which is only correct if they form
 * whole instructions with no IP-relative operand — nothing here verifies that.
 * NOTE(review): 32-bit-only (ULONG addresses, pushad in the replacement); on x64 kernel patch
 * protection treats a modified exported routine as a fatal error, and the whole technique is the
 * kind of code-section modification integrity tooling is built to flag. */
NTSTATUS hook_native_api()
{
KIRQL oldIrql;
g_function_address = get_function_address( HOOK_FUNCTION_NAME );
*((PULONG)&g_hook_code[1]) = (ULONG)fake_my_native_api - g_function_address - 5;   // rel32 from target+5
*((PULONG)&g_back_code[1]) = (ULONG) ((BYTE*)g_function_address + 5);               // far-jmp offset back to the original
RtlCopyMemory( g_origcode, (BYTE*)g_function_address, HOOK_LENGTH );                 // keep the displaced bytes for un_hook
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory( (BYTE*)g_function_address, g_hook_code, 5 );                          // jmp fake_my_native_api over the prologue
RtlCopyMemory( (BYTE*)fake_proxy_my_native_api, g_origcode, 5 );                     // trampoline: displaced bytes ...
RtlCopyMemory( (BYTE*)fake_proxy_my_native_api+5, g_back_code, 7 );                  // ... followed by the far jmp to target+5
KeLowerIrql(oldIrql);
WPON();
return STATUS_SUCCESS;
}
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
/* Remove the inline hook by writing the 5 saved bytes back over the target.
 * Returns STATUS_SUCCESS unconditionally.
 * NOTE(review): assumes hook_native_api() ran and g_function_address is valid; there is no
 * "installed" flag, so calling this without a prior hook writes g_origcode (all zero) to
 * address 0 + 0.
 * NOTE(review): a thread that is currently executing inside fake_my_native_api or the
 * trampoline is not waited for, so the driver may unload while its code is still in use. */
NTSTATUS un_hook_native_api( )
{
KIRQL oldIrql;
WPOFF();
oldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory( (BYTE*) g_function_address, g_origcode, 5 );   // restore the displaced prologue bytes
KeLowerIrql(oldIrql);
WPON();
return STATUS_SUCCESS;
}
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
/* Replacement reached through the 5-byte jmp written by hook_native_api().
 * Intended logic (per the C below): if the APC targets a thread of notepad.exe and the caller is
 * not notepad.exe, return 0 (eax = 0, `ret 0x10`) without queuing the APC; otherwise continue
 * into the trampoline, which runs the displaced original bytes and jumps back into the target.
 *
 * NOTE(review): the following points are all visible in this block and are consistent with the
 * crash described in the post:
 *  - The function is naked but declares C locals and reads its parameters. MSVC addresses
 *    parameters and locals relative to ebp assuming the standard prologue; after
 *    `push ebp / pushad / mov ebp, esp`, ebp points at the pushad save area, so the load of
 *    `Apc` reads a saved register rather than the argument, and the locals have no stack space
 *    reserved below esp (the _stricmp calls push over that area).
 *  - `pcurrent_process` is assigned `*(PULONG)PsGetCurrentProcess()`, the first dword of the
 *    EPROCESS, not the EPROCESS pointer; compare ptarget_process, which is a pointer value.
 *  - When both the target and the current process are notepad.exe, neither asm epilogue runs;
 *    a naked function has no compiler-generated epilogue or ret, so execution falls off the end.
 *  - 0x220 and 0x174 are raw ETHREAD/EPROCESS field offsets for one particular build; they are
 *    not stable across Windows versions (presumably taken from the XP-era kernel this was
 *    developed on — verify).
 */
_declspec (naked )
void fake_my_native_api(PKAPC Apc,
PVOID SystemArgument1,
PVOID SystemArgument2,
KPRIORITY Increment )
{
ULONG ptarget_thread;          // thread the APC is aimed at (Apc->Thread)
ULONG ptarget_process;         // read from ptarget_thread + 0x220 (raw field offset)
ULONG pcurrent_process;        // NOTE(review): holds *(PULONG)EPROCESS, not the EPROCESS address
PUCHAR ptarget_process_name;   // ptarget_process + 0x174 (raw image-name offset)
PUCHAR pcurrent_process_name;  // pcurrent_process + 0x174
__asm
{
push ebp
pushad                         // saves eax, ecx, edx, ebx, esp, ebp, esi, edi (32 bytes)
mov ebp, esp                   // ebp now addresses the save area, not the caller's frame
}
ptarget_thread = (ULONG)(Apc->Thread);                      // NOTE(review): ebp-relative load; after the asm above this is not the Apc argument
ptarget_process = *(PULONG)(ptarget_thread + 0x220);        // raw offset, build-specific
ptarget_process_name = (PUCHAR)(ptarget_process + 0x174);   // raw offset, build-specific
pcurrent_process = *(PULONG)PsGetCurrentProcess();          // NOTE(review): extra dereference, see header
pcurrent_process_name = (PUCHAR)(pcurrent_process + 0x174);
if( _stricmp( ptarget_process_name, "notepad.exe") == 0 )
{
if( _stricmp(pcurrent_process_name, "notepad.exe") != 0 )
{
__asm
{
popad
mov esp, ebp
pop ebp
mov eax, 0x0                   // return 0 to the caller of the hooked routine
ret 0x10                       // stdcall: discard the four 4-byte arguments
}
}
// NOTE(review): target == notepad.exe and caller == notepad.exe reaches the end of the
// function with no epilogue and no ret.
}
else
{
__asm
{
popad
mov esp, ebp
pop ebp
jmp fake_proxy_my_native_api   // run the displaced bytes, then far-jmp back to target+5
}
}
}
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
/* Trampoline placeholder: 12 NOP bytes that hook_native_api() overwrites at runtime with
 *   bytes 0..4   the original first 5 bytes of the target (g_origcode)
 *   bytes 5..11  g_back_code: far jmp 0xEA, 32-bit offset target+5, selector 0x0008
 * It is never called from C. Control arrives via `jmp fake_proxy_my_native_api` in
 * fake_my_native_api with the caller's stack intact and leaves through the far jmp, which is
 * why this naked function deliberately has no ret.
 * NOTE(review): relies on the compiler placing the _emit bytes at the function's entry with no
 * padding in front of them; nothing checks that. */
_declspec ( naked )
void fake_proxy_my_native_api(PKAPC Apc,
PVOID SystemArgument1,
PVOID SystemArgument2,
KPRIORITY Increment )
{
__asm
{
_emit 0x90 // byte 0  \  original 5 bytes of the target
_emit 0x90 // byte 1  |  (g_origcode, copied in by hook_native_api)
_emit 0x90 // byte 2  |
_emit 0x90 // byte 3  |
_emit 0x90 // byte 4  /
_emit 0x90 // byte 5     0xEA far jmp opcode
_emit 0x90 // byte 6  \  32-bit offset = target + 5
_emit 0x90 // byte 7  |
_emit 0x90 // byte 8  |
_emit 0x90 // byte 9  /
_emit 0x90 // byte 10    selector low  (0x08)
_emit 0x90 // byte 11    selector high (0x00)
}
}
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
/* Resolve an exported kernel routine by name.
 * @param _pname  NUL-terminated wide name of the export (e.g. HOOK_FUNCTION_NAME)
 * @return the routine's address truncated to ULONG (32-bit build), or 0 when
 *         MmGetSystemRoutineAddress does not find the name */
ULONG get_function_address( IN PCWSTR _pname )
{
    UNICODE_STRING routine_name;
    PVOID resolved;

    RtlInitUnicodeString( &routine_name, _pname );
    resolved = MmGetSystemRoutineAddress( &routine_name );
    return (ULONG)resolved;
}
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
/* DriverUnload callback: log, then take the inline hook back out.
 * @param DriverObject  unused; all hook state lives in file-scope globals
 * The status from un_hook_native_api() is always STATUS_SUCCESS and is discarded. */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    (void)DriverObject;
    DbgPrint("My Driver Unloaded!");
    (void)un_hook_native_api();
}
/*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// author: herso date: 2009/04/18
--------------------------------------------------------------------------------------------
//
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
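/* Driver entry point: registers the unload routine, then installs the hook.
 * @param theDriverObject  driver object from the I/O manager; DriverUnload is set to OnUnload
 * @param theRegistryPath  unused
 * @return the status of hook_native_api() (currently always STATUS_SUCCESS). Propagating it
 *         instead of hard-coding success means a future failure inside the hook fails the load
 *         rather than leaving a half-initialised driver resident. */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    NTSTATUS status;

    (void)theRegistryPath;
    DbgPrint("My Driver Loaded!");
    theDriverObject->DriverUnload = OnUnload;
    /* A failed DriverEntry unloads the driver without calling OnUnload, so hook_native_api()
     * must leave the kernel unpatched whenever it reports failure. */
    status = hook_native_api();
    return status;
}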