麥洛克菲內(nèi)核開發(fā)第五課hook_第1頁
已閱讀1頁,還剩41頁未讀, 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報或認(rèn)領(lǐng)

文檔簡介

1、麥洛克菲內(nèi)核開發(fā)第五課HOOK,麥洛克菲www.mallocfree.com,周揚(yáng)榮,麥洛克菲www.mallocfree.com,提綱,SSDTINLINEIRPSYSENTERIDTOBJECTR3等等,SSDT HOOK,API 流程,kernel.dlluser32.dll,ntdll.dll,,,,,API,,IRP,,應(yīng)用層,內(nèi)核層,數(shù)據(jù)命令,封裝,,,,disk.sys,ntfs.sys,,ntosk

2、rnl.exe,,ZW與NT函數(shù)(1),ntdll.dllZw*與nt*函數(shù)ntoskrnl.exeZw*與nt*函數(shù),Ntdll.dll,Ntoskrnl.exe,Nt*,Zw*,Nt*,Zw*,,,ZW與NT函數(shù)(2),區(qū)別:Ntdll.dll中:完全一樣Ntoskrnl.exe中:Zw*?nt*,即nt函數(shù)更底層Zw*函數(shù)會把PreviousMode設(shè)置為KernelMode 然后再調(diào)用Nt*函數(shù),因此在Nt*函數(shù)

3、中就不會進(jìn)行參數(shù)檢查。而如果直接調(diào)用Nt*函數(shù)的話 , 必須自己將PreviousMode設(shè)置為KernelMode,否則PreviousMode很可能仍然是UserMode, 這樣的話 Nt*函數(shù)就會認(rèn)為對它的調(diào)用來自用戶態(tài),從而做一些檢查,這時就會產(chǎn)生問題了.因此要自己調(diào)用Nt*的話必須先將PreviousMode設(shè)為KernelMode,SSDT表,索引1,索引2,索引3,索引4,索引5,。。。,索引N,服務(wù)1,服務(wù)2,服務(wù)3,

4、服務(wù)4,服務(wù)5,。。。,服務(wù)N,API,Kernel32.dll,Ntdll.dll,sysenter,Zw*,Nt*,,,,,,Uf nt!ZwReadFile:.text:00406508                 mov    

5、; eax, 0B7h.text:0040650D                lea      edx, [esp+FileHandle].text:00406511  

6、               pushf.text:00406512                 push

7、0;   8.text:00406514                 call    _KiSystemService.text:00406519    

8、;             retn    24h.text:00406519 _ZwReadFile@36  endp,API調(diào)用流程,Ntdll.dll 中的 API 是一個簡單的包裝函數(shù)。當(dāng) Kernel32.dll 中的 API

9、 通過 Ntdll.dll 時,會完成參數(shù)的檢查再調(diào)用一個中斷(int 2Eh 或者 SysEnter 指令),從而實(shí)現(xiàn)從 Ring3 進(jìn)入 Ring0 層并且將所要調(diào)用的服務(wù)號(也就是在 SSDT 數(shù)組中的索引值)存放到寄存器 EAX 中再根據(jù)存放在 EAX 中的索引值來在 SSDT 數(shù)組中調(diào)用指定的服務(wù)即Nt*系列函數(shù),SSDT表結(jié)構(gòu),結(jié)構(gòu):#pragma pack(1)typedef struct ServiceDes

10、criptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char *ParamTableBase;} ServiceDescriptorTableEntry_t, *PServiceDesc

11、riptorTableEntry_t;#pragma pack()導(dǎo)出:__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;引用: #define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULON

12、G)((PUCHAR)_function+1)] #define SDT SYSTEMSERVICE,要HOOK的API,typedef NTSTATUS (*ZWCREATESECTION)( OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES

13、 ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPT

14、IONAL );static ZWCREATESECTION OldZwCreateSection;NTSTATUS NTAPI HOOK_NtCreateSection(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER

15、 SectionSize, ULONG Protect, ULONG Attributes, HANDLE FileHandle) {return OldZwCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, SectionSize, Protect, Attrib

16、utes, FileHandle);},HOOK(1),void StartHook (void){ //獲取未導(dǎo)出的服務(wù)函數(shù)索引號 HANDLE hFile; PCHAR pDllFile; ULONG ulSize; ULONG ulByteReaded; __asm { push eax mov

17、 eax, CR0 and eax, 0FFFEFFFFh mov CR0, eax pop eax } OldZwCreateSection = (ZWCREATESECTION)InterlockedExchange((PLONG)

18、 &SDT(ZwCreateSection), (LONG)HOOK_NtCreateSection); //關(guān)閉 __asm { push eax mov eax, CR0

19、 or eax, NOT 0FFFEFFFFh mov CR0, eax pop eax } return ;},HOOK(2),void RemoveHook (void){ __asm { push eax mov eax, CR0 and

20、 eax, 0FFFEFFFFh mov CR0, eax pop eax } InterlockedExchange( (PLONG) &SDT(ZwCreateSection) , (LONG) OldZwCreateSection); __asm { push eax m

21、ov eax, CR0 or eax, NOT 0FFFEFFFFh mov CR0, eax pop eax }},一個穩(wěn)定的基本框架,查看HOOK之后的SSDT表x nt!kes*des*table*dds addrdds addr Llength,進(jìn)程保護(hù),Hook_ZwTerminateProcess,驅(qū)動加

22、載監(jiān)控,Hook_ZwLoadDriver,進(jìn)程創(chuàng)建監(jiān)控,Hook_ZwOpenSection,XP:CreateProcessW?CreateProcessInternalW?NtCreateProcessEx?ZwCreateSection,VISTA以上:CreateProcessW?CreateProcessInternalW??NtCreateUserProcess??ZwCreateSection,注冊表操作

23、監(jiān)控,Hook_ZwSetValueKey,Inline hook,Inline hook原理圖,Inline hook的步驟,1。獲得要inline hook的函數(shù)在內(nèi)存中的地址2。實(shí)現(xiàn)T_MyFunc()與MyFunc函數(shù),在該函數(shù)中將參數(shù)壓棧并調(diào)用MyFunc函數(shù)處理。3。HOOK。保存函數(shù)開頭的指令到某個內(nèi)存中,并在該內(nèi)存末尾附加JMP指令到開頭指令的后面的指令。并將開頭的指令替換為JMP T_MyFunc地址。4。在T_

24、MyFunc執(zhí)行完MyFunc之后,調(diào)用保存的指令,跳回去。,如何找到函數(shù)的首地址?,未導(dǎo)出函數(shù):暴力搜索導(dǎo)出函數(shù):直接引用或者M(jìn)mGetSystemRoutineAddress,T_MyFunc,_declspec(naked) T_MyFunc(……){_asm{mov edi, edipush ebpmov ebp ,esp//參數(shù)壓棧,傳給MyFuncpush [ebp+0ch]p

25、ush [ebp+8]call MyFunc //獲得結(jié)果,并跳回原來的指令cmp eax,1jz endmov eax,FuncAddress add eax,5 jmp eaxend://恢復(fù)棧pop ebpretn 8}},Naked call編譯器不會給這種函數(shù)增加初始化和清理代碼,不能用return返回返回值,只能用插入?yún)R編返回結(jié)果。//nake

26、d 調(diào)用約定。用戶自己清理堆棧。不能進(jìn)行原型聲明,否則錯誤。__declspec(naked) int add(int a,int b){ __asm push ebp //必須加上兩句修改棧幀,否則引用了錯誤的數(shù)據(jù) __asm mov ebp, esp __asm mov eax, a __asm add eax, b __asm pop ebp __asm ret}這個修飾是

27、和__stdcall及cdecl結(jié)合使用的,前面是它和cdecl結(jié)合使用的代碼,對于和stdcall結(jié)合的代碼,則變成:__declspec(naked) int __stdcall function(int a,int b) { __asm mov eax, a __asm add eax, b __asm ret 8 //注意后面的8}cdecl/fastcall/stdcall/thiscall/n

28、akedcall擴(kuò)展閱讀(重要):Calling convention: http://gccfeli.cn/tag/naked-call,,拷貝JMP T_MyFunc,_asm{CLIMOV EAX, CR0AND EAX, NOT 10000HMOV CR0, EAX}RtlCopyMemory(…);,SwapContext inline hook,,ObReferenceObjectByHa

29、ndleHook,,PspTerminateProcessHook,,練習(xí),對這些HOOK加彈框達(dá)到允許和禁止目的,作業(yè),,IRP HOOKpDriverObject?MajorFunction[…],IRP HOOK,PFILE_OBJECT pFile_tcp = NULL;PDEVICE_OBJECT pDev_tcp = NULL;PDRIVER_OBJECT pDrv_tcpip = NULL;

30、WCHAR deviceTCPName[] = L"\\Device\\Tcp";typedef NTSTATUS (*OLDIRPMJDEVICECONTROL)(IN PDEVICE_OBJECT, IN PIRP);OLDIRPMJDEVICECONTROL OldIrpMjDeviceControl;NTSTATUS HookedDeviceControl(IN PDEVICE_OBJEC

31、T DeviceObject, IN PIRP Irp){return OldIrpMjDeviceControl(DeviceObject, Irp);}//開始HOOKRtlInitUnicodeString (&deviceTCPUnicodeString, deviceTCP);ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString,

32、 FILE_READ_DATA, &pFile_tcp, &pDev_tcp);if(!NT_SUCCESS(ntStatus)) {return ntStatus;}pDrv_tcpip = pDev_tcp->DriverObject;OldIrpMjDeviceControl = pDrv_tcpip>MajorFunction[IRP_MJ_DEVICE_CONTROL]; if

33、 (OldIrpMjDeviceControl){InterlockedExchange ((PLONG)&pDrv_tcpip->MajorFunction[IRP_MJ_DEVICE_CONTROL], (LONG)HookedDeviceControl);},SYSENTER HOOKrdmsr wrmsr,ULONG d_origKiFastCallEntry; // Original value

34、 of ntoskrnl!KiFastCallEntryVOID OnUnload( IN PDRIVER_OBJECT DriverObject ){ _asm { mov ecx, 0x176 xor edx,edx mov eax, d_origKiFastCallEntry // Hook function address wrmsr

35、 // Write to the IA32_SYSENTER_EIP register }}// Hook function__declspec(naked) MyKiFastCallEntry(){ __asm { jmp [d_origKiFastCallEntry] //直接跳到原來的 }}NTSTATUS DriverEntry( IN PDRIVER_OBJECT th

36、eDriverObject, IN PUNICODE_STRING theRegistryPath ){ theDriverObject->DriverUnload = OnUnload; __asm { mov ecx, 0x176 rdmsr // read the value of the IA32_SYSENTER_EIP registe

37、r mov d_origKiFastCallEntry, eax mov eax, MyKiFastCallEntry // Hook function address wrmsr // Write to the IA32_SYSENTER_EIP register } return STATUS_SUCCESS;},SYS

38、ENTER HOOK,IDT HOOK__asm sidt idt_info,IDT 表結(jié)構(gòu),///////////////////////////////////////////////////// IDT structures///////////////////////////////////////////////////#pragma pack(1)// entry in the IDT, this is so

39、metimes called// an "interrupt gate"typedef struct{ unsigned short LowOffset; unsigned short selector; unsigned char unused_lo; unsigned char segment_type:4; //0x0E is an interrupt gate unsigned c

40、har system_segment_flag:1; unsigned char DPL:2; // descriptor privilege level unsigned char P:1; /* present */ unsigned short HiOffset;} IDTENTRY;/* sidt returns idt in this format */typedef

41、 struct{ unsigned short IDTLimit; unsigned short LowIDTbase; unsigned short HiIDTbase;} IDTINFO;#pragma pack(),IDT HOOK,#define NT_INT_TIMER 0x30 //中斷向量__asm sidt idt_info //拿到IDT表idt_entries = (IDTENTRY

42、*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);//備份unsigned long old_ISR_pointer; // better save the old one!!old_ISR_pointer = MAKELONG(idt_entries[NT_INT_TIMER].LowOffset,idt_entries[NT_INT_TIMER].HiOffset);

43、//HOOK __asm cli idt_entries[NT_INT_TIMER].LowOffset = (unsigned short)my_interrupt_hook; idt_entries[NT_INT_TIMER].HiOffset = (unsigned short)((unsigned long)my_interrupt_hook >> 16); __asm sti__declspec(

44、naked) my_interrupt_hook(){ __asm {jmp old_ISR_pointer }},OBJECT HOOK,OBJECT HOOK原理,OBJECT?OBJECT_HEADER?OBJECT_TYPE?OBJECT_TYPE_INITIALIZER?: PVOID DumpProcedure; PVOID OpenProcedure; PVOID CloseProc

45、edure; PVOID DeleteProcedure; PVOID ParseProcedure; PVOID SecurityProcedure; PVOID QueryNameProcedure; PVOID OkayToCloseProcedure;,OBJECT HOOK,RtlInitUnicodeString(&Name,L"\\Device\\HarddiskVolume1\\1.

46、txt");InitializeObjectAttributes(&Attr,&Name,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE ,0,NULL);Status = ZwOpenFile(&hFile,GENERIC_ALL,&Attr,&ioStaBlock,0,FILE_NON_DIRECTORY_FILE);if (!NT_SU

47、CCESS(Status)){return Status;} Status = ObReferenceObjectByHandle(hFile,GENERIC_ALL,NULL,KernelMode,&pObject,NULL);if (!NT_SUCCESS(Status)){return Status;} addrs=OBJECT_TO_OBJECT_HEADER(pObject)

48、;//獲取對象頭pType=addrs->Type;//獲取對象類型結(jié)構(gòu) object-10hOldParseProcedure = pType->TypeInfo.ParseProcedurepType->TypeInfo.ParseProcedure = NewParseProcedure;//hook Status = ZwClose(hFile);,R3 HOOK,DLL注入,直接注入

49、DLL:AddDebugPrivilege(void)OpenProcess()VirtualAllocEx()WriteProcessMemory()CreateRemoteThread(),直接注入代碼:static DWORD WINAPI ThreadFunc (INJDATA *pData){}AddDebugPrivilege(void)OpenProcess()VirtualAllocEx

50、()WriteProcessMemory()CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) pCodeRemote,pDataRemote, 0 , &dwThreadId);,HOOK engine,可選引擎:nthookenginemhookDetour方法:本進(jìn)程HOOK,直接調(diào)用HOOK函數(shù);否則,寫成一個DLL,

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 眾賞文庫僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論