March 12th, Hook Native API

xiaoxiao2021-03-06  14

Hooking undocumented native APIs is too complicated to take on all at once, so I will start with a simple hook: hook one native API, record the ID of the process that calls it, hand that ID back to a user-mode program, and then call the real API. I have now got the first step working: the hook is installed and removed again without a blue screen (this took a whole afternoon and blue-screened N times, so it felt like a big achievement). The next step is how, in ring 0, to allocate some space, record the ID there, and return it to the user-mode program when it asks for it.

/* Driver prelude. The header name after "#include" was lost in extraction
 * (an angle-bracketed name was stripped), so only the bare directive survives. */
#include
#pragma Comment (lib, "ntdll.lib")
/* "typef" is a garbled "typedef". Read these as: the Native API entry-point
 * type and a pointer to it. The sizeof() macro below only makes sense if
 * NTPROC is a pointer type (sizeof a function type is not valid C), which is
 * worth keeping in mind when reading utyFunction further down. */
typef ntstatus ();
typedef ntproc * pntproc;
#define ntproc_ sizeof (ntproc)

/* One system service table as the author lays it out for 32-bit ntoskrnl.
 * The hex values in the field comments appear to be byte offsets within the
 * struct (four 4-byte fields, 0x10 total). ServiceLimit is the entry count;
 * any index into ServiceTable should be compared against it before use -- the
 * DriverEntry below never does.
 * NOTE(review): "Uchar argumenttable" is a single byte as extracted, yet its
 * own comment calls it an array and the 0x10 end offset implies a 4-byte
 * field; a pointer declarator was presumably lost -- confirm against the
 * original. */
typedef struct _SYSTEM_SERVICE_TABLE {
    /* 000 */ PNTPROC ServiceTable;   // array of entry points
    /* 004 */ LONG * CounterTable;    // array of usage counters
    /* 008 */ LONG ServiceLimit;      // number of table entries
    /* 00C */ Uchar argumenttable;    // array of byte counts
    /* 010 */
} system_service_table, * psystem_service_table, ** ppsystem_service_table;

/* Size-of helper for the table above. The stray "/" between the macro name and
 * sizeof is most likely a garbled line-continuation backslash. */
#define system_service_table_ / sizeof (System_Service_Table)

/* The service descriptor table: four service tables back to back. The author
 * only ever touches .ntoskrnl. Identifier case is scrambled in the extracted
 * text (C is case-sensitive; the first field's type is spelled differently
 * from the other three), so this would need normalising before it compiles. */
typedef struct _Service_Descriptor_table {
    /* 000 */ system_service_table ntoskrnl;   // ntoskrnl.exe (Native API)
    /* 010 */ SYSTEM_SERVICE_TABLE win32k;     // win32k.sys (gdi / user)
    /* 020 */ SYSTEM_SERVICE_TABLE Table3;     // not used
    /* 030 */ SYSTEM_SERVICE_TABLE Table4;     // not used
    /* 040 */
} SERVICE_DESCRIPTOR_TABLE, * PSERVICE_DESCRIPTOR_TABLE, ** PPSERVICE_DESCRIPTOR_TABLE;

/* Size-of helper for the descriptor table (same garbled "/" as above). */
#define service_descriptor_table_ / sizeof (service_descriptor_table)

/* Declaration of the kernel's exported service descriptor table; the rest of
 * the listing and the prose spell it KeServiceDescriptorTable, and "EXTERN"
 * should be lower-case "extern". Everything this driver does to the kernel
 * happens through this one pointer. */
EXTERN PSERVICE_DEScriptor_table keserviceDescriptable;

/* Forward declarations for the dispatch routines and the replacement function. */
VOID utyDriverUnloAd (IN PDRIVER_OBJECT DriverObject);
NTSTATUS utyDriverIO (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS utyDriverIOControl (IN PDEVICE_OBJECT, IN PIRP Irp);
NTPROC utyFunction (void);

/* Module state. */
PDEVICE_OBJECT utyDriverDeviceObject = NULL;
ULONG out_size;   // never written in the visible code (the only assignment is commented out)
LONG temp;        // original value of service-table entry 151, saved so unload can put it back

/*
 * DriverEntry: creates the device and its DosDevices link, fills in the
 * dispatch table, then overwrites entry 151 of the ntoskrnl service table
 * with utyFunction, keeping the previous value in `temp`. The prose says the
 * entry targeted is NtReadFile.
 *
 * Points visible in this body that a reviewer would raise:
 *  - 151 is a literal tied to one Windows build and is never compared with
 *    ntoskrnl.ServiceLimit;
 *  - utyFunction does no work and never calls the saved original, so whatever
 *    service lives in slot 151 is disabled, not observed, while the driver is
 *    loaded;
 *  - if IoCreateSymbolicLink fails, the device object created just above is
 *    not deleted before returning;
 *  - nothing here addresses write protection of the table or IRQL; the author
 *    reports repeated crashes while getting this to run;
 *  - rewriting the kernel service table is precisely the behaviour that kernel
 *    integrity checking and endpoint security drivers look for.
 * Extraction damage: "if return STATUS_NO_SUCH_DEVICE (...)" is a scrambled
 * `if (!NT_SUCCESS(...)) return STATUS_NO_SUCH_DEVICE;`, the "+" between
 * ServiceTable and 151 is missing (the prose at the end of the page describes
 * the pointer arithmetic), the backslashes in the device names became forward
 * slashes, and "NTSTATUSTUS;" is "NTSTATUS status;".
 */
NTSTATUS DriverEntry (PDRIVER_OBJECT DRIVEROBJECT, PUNICODE_STRING RegistryPath)
{
    Unicode_String NTDeviceName;
    Unicode_String Win32Devicename;
    NTSTATUSTUS;
    PNTProc ServiceTable;   // declared but unused in the visible body

    RtlInitUnicodeString (& ntDeviceNAme, L "// Device // utyDriver");
    if return STATUS_NO_SUCH_DEVICE (NT_SUCCESS (stAtus = IoCreateDevice (DriverObject, 0, & ntDeviceNAme, FILE_DEVICE_UNKNOWN, 0, FALSE, & utyDriverDeviceObject))!);
    UtyDriverDeviceObject-> Flags | = DO_BUFFERED_IO ;
    RtlInitUnicodeString (& win32DeviceNAme, L "// DosDevices // utyDriver");
    if (NT_SUCCESS (stAtus = IoCreateSymbolicLink (& win32DeviceNAme, & ntDeviceNAme))!) return STATUS_NO_SUCH_DEVICE;

    DriverObject-> MajorFunction [IRP_MJ_CREATE] = utyDriverIO;
    DriverObject-> MajorFunction [IRP_MJ_CLOSE ] = utyDriverIO;
    DriverObject-> MajorFunction [IRP_MJ_READ] = utyDriverIO;
    DriverObject-> MajorFunction [IRP_MJ_WRITE] = utyDriverIO;
    DriverObject-> MajorFunction [IRP_MJ_DEVICE_CONTROL] = utyDriverIOControl;
    DriverObject-> DriverUnload = utyDriverUnloAd;

    /* Save the current entry 151 (read through a LONG* view of the table) into
     * temp, then store utyFunction's address in its place. The first exchange
     * advances a LONG*, the second a PNTPROC; both are 4-byte steps on 32-bit,
     * as the author's note explains. Each exchange is atomic on its own, but
     * nothing synchronises with calls that may already be dispatching through
     * that entry. */
    InterlockedExchange ((PLONG) & temp, * ((LONG *) KeServiceDescriptorTable-> ntoskrnl.ServiceTable 151));
    InterlockedExchange ((PLONG) KeServiceDescriptorTable-> ntoskrnl.ServiceTable 151, (LONG) utyFunction);

    Return status_success;
}

// -----------------------------------------------------------------------------

/* DriverUnload: puts the saved original entry back into slot 151, then removes
 * the DosDevices link and the device object. Identifier case is scrambled in
 * the extracted text (utratriverunload, keserviceDescriptable, the link name
 * "utrater"); the prototype above and the prose call them utyDriverUnload,
 * KeServiceDescriptorTable and utyDriver. The restore is an unconditional
 * exchange: it does not check that the slot still holds utyFunction, so if
 * anything else replaced the entry after this driver loaded, that value is
 * overwritten with the stale `temp`. */
void utratriverunload (in pdriver_object driverobject)
{
    unicode_string Win32Devicename;
    InterlocKedexchange ((plong) keserviceDescriptable-> ntoskrnl.serviceTable 151, (long) TEMP);

    RTLinitunicodeString (& Win32Devicename, L "// dosdevices // utrater");
    IodeteSymbolicLink (& Win32DeviceName);

    IodeleteDevice (utydriverDeviceObject);
}

// -----------------------------------------------------------------------------

/* Dispatch for create/close/read/write: completes every IRP with
 * STATUS_SUCCESS without touching its buffers. NOTE(review): the IRP is read
 * again (IRP->iostatus.status) after IoCompleteRequest; the documented IRP
 * completion rules say the IRP must not be accessed once completed, so the
 * status should be returned from a local instead. */
NTSTATUS UTYDRIVERIO (in PDEvice_Object DeviceObject, IN PIRP IRP)
{
    IRP-> iostatus.status = status_success;
    IOCOMPLETEREQUEST (IRP, IO_NO_INCREMENT);
    RETURN IRP-> iostatus.status;
}

// -----------------------------------------------------------------------------

/* IOCTL dispatch. It fetches the current stack location and the control code
 * and aliases the buffered-I/O system buffer as both input and output, but
 * the switch over `code` is commented out, so every control code yields
 * STATUS_SUCCESS. Unlike UTYDRIVERIO, IoCompleteRequest is not called in the
 * visible body, so the IRP is returned to the I/O manager without being
 * completed. "U TDRIVERICONTROL" is the garbled utyDriverIOControl; in the
 * extracted text the `code = ...` assignment had been swallowed by the
 * preceding "//" comment because the line break between them was lost. */
NTSTATUS U TDRIVERICONTROL (in PDEvice_Object DeviceObject, in PIRP IRP)
{
    PIO_STACK_LOCATION Stack;
    uchar * in_buffer, * out_buffer;
    Ulong Code, Ret;

    Stack = IOGETCURRENTIRPSTACKLOCATION (IRP);
    // out_size = stack-> parameters.deviceiocontrol.outputbufferlen;
    code = stack-> parameters.deviceioControl.iocontlcode;

    IN_Buffer = OUT_Buffer = IRP-> AssociatedIrp.systemBuffer;

    Ret = status_success;

    /* Switch (code) {} */
    return ret;
}

// -----------------------------------------------------------------------------

/* The replacement installed in service-table slot 151. It takes no arguments
 * and returns STATUS_SUCCESS without calling the saved original, so the hooked
 * service is effectively disabled rather than observed; the author's stated
 * goal (record the caller's process ID, then call the real API) is not
 * implemented yet. NOTE(review): NTPROC's definition is garbled on this page;
 * if it is a function-pointer type, as the sizeof macro in the prelude
 * suggests, returning STATUS_SUCCESS here converts an integer to a pointer. */
NTProc utyfunction (void)
{
    return status_success;
}

This is basically modelled on HXDEF100; in fact, for this first step only DriverEntry and DriverUnload matter.

The big pile of declarations at the start defines SERVICE_DESCRIPTOR_TABLE; oddly, using DWORD there did not work, so it was replaced with LONG.

I chose NtReadFile as the function to hook, since its effect seems easy to observe. For the replacement itself, InterlockedExchange seems to be what is used.

Of particular note is the use of pointers, for example `InterlockedExchange((PLONG)&temp, *((LONG *)KeServiceDescriptorTable->ntoskrnl.ServiceTable + 151));`. Here `(LONG *)KeServiceDescriptorTable->ntoskrnl.ServiceTable` is a pointer; adding 151 moves it by 151 * 4 bytes, i.e. the length of 151 pointers, so `((LONG *)KeServiceDescriptorTable->ntoskrnl.ServiceTable + 151)` is still a pointer. What is needed is the entry address of the function this pointer points to, so it must be dereferenced: `*((LONG *)KeServiceDescriptorTable->ntoskrnl.ServiceTable + 151)`. This step was the most frustrating: hooking has to save NtReadFile's address and unhooking has to write the saved address back, and until I understood the pointer the result was always wrong — reading the assembly makes it much clearer than reading the C program.

