了解_idt_hook

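#include "ntddk.h"

/*
 * IDT hook sample (32-bit x86 Windows kernel driver).
 *
 * Redirects IDT entry 3 (INT 3 / breakpoint trap) on every processor to
 * NewInterruptFunc3, which logs the current process name and the ES/DS
 * selectors seen at trap time and then chains to the original handler.
 *
 * Caveats a reviewer would want recorded before this is reused:
 *  - Inline __asm, the 6-byte SIDT/SGDT image and the CR0.WP toggle are
 *    32-bit only. On x64 the IDT is covered by Kernel Patch Protection and
 *    patching a gate ends in bugcheck 0x109.
 *  - FilterInterruptFunc3 reads EPROCESS.ImageFileName through a hard-coded
 *    offset (0x174). That offset is build-specific; verify it against the
 *    target kernel before deploying.
 *  - DriverUnload restores the gate but does not wait for CPUs that may still
 *    be executing inside NewInterruptFunc3 when the image is unmapped. A
 *    production driver needs a grace period or reference count there.
 */

#define WORD  USHORT
#define DWORD ULONG

/* Combine two 16-bit halves into a 32-bit value; `a` is the low half.
 * `<<` binds tighter than `|`, so the expansion is low | (high << 16). */
#define MAKELONG(a, b) \
    ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) | \
            ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff))) << 16))

/* Memory image written by SIDT: 16-bit limit, then 32-bit linear base
 * (stored here as two 16-bit halves). */
typedef struct _IDTR {
    USHORT IDT_limit;
    USHORT IDT_LOWbase;
    USHORT IDT_HIGbase;
} IDTR, *PIDTR;

/* Same 6-byte layout, written by SGDT. */
typedef struct _GDTR {
    USHORT limit;
    USHORT base_low;
    USHORT base_high;
} GDTR, *PGDTR;

/* 32-bit interrupt/trap gate descriptor (8 bytes). This driver rewrites only
 * LowOffset/HiOffset; selector, type, DPL and P are left as installed. */
typedef struct _IDTENTRY {
    unsigned short LowOffset;
    unsigned short selector;
    unsigned char  retention : 5;
    unsigned char  zero1 : 3;
    unsigned char  gate_type : 1;
    unsigned char  zero2 : 1;
    unsigned char  interrupt_gate_size : 1;
    unsigned char  zero3 : 1;
    unsigned char  zero4 : 1;
    unsigned char  DPL : 2;
    unsigned char  P : 1;
    unsigned short HiOffset;
} IDTENTRY, *PIDTENTRY;

/* GDT segment descriptor, mirrored from the kernel's KGDTENTRY layout.
 * Used here only to print a few fields of entry 1 for diagnostics. */
typedef struct _KGDTENTRY {
    USHORT LimitLow;
    USHORT BaseLow;
    union {
        struct {
            UCHAR BaseMid;
            UCHAR Flags1;     // Declared as bytes to avoid alignment
            UCHAR Flags2;     // problems.
            UCHAR BaseHi;
        } Bytes;
        struct {
            ULONG BaseMid : 8;
            ULONG Type : 5;
            ULONG Dpl : 2;
            ULONG Pres : 1;
            ULONG LimitHi : 4;
            ULONG Sys : 1;
            ULONG Reserved_0 : 1;
            ULONG Default_Big : 1;
            ULONG Granularity : 1;
            ULONG BaseHi : 8;
        } Bits;
    } HighWord;
} KGDTENTRY, *PKGDTENTRY;

/* Original INT 3 handler address, captured in DriverEntry before hooking and
 * restored by MyUnload. NewInterruptFunc3 tail-jumps to it. */
ULONG g_InterruptFunc3;

/*
 * Re-enable write protection (CR0.WP) and interrupts on the executing CPU.
 * Pairs with PageProtectOff(); both must run on the same CPU, which is why
 * SetInterrupt pins the thread before calling them.
 */
void PageProtectOn()
{
    __asm {
        mov  eax, cr0
        or   eax, 10000h
        mov  cr0, eax
        sti
    }
}

/*
 * Mask interrupts and clear CR0.WP so ring-0 writes to read-only pages (the
 * IDT) are permitted. Both effects are local to the executing CPU: CLI does
 * not stop other processors, and each processor has its own CR0.
 */
void PageProtectOff()
{
    __asm {
        cli
        mov  eax, cr0
        and  eax, not 10000h
        mov  cr0, eax
    }
}

/*
 * C-level body of the INT 3 hook. Logs the image name of the process whose
 * thread executed INT 3 and the ES/DS selector values at trap time.
 *
 * Runs in trap context (on the CPU that took INT 3, before the original
 * handler). Keep it short and non-blocking.
 */
void __stdcall FilterInterruptFunc3()
{
    USHORT u_es, u_ds;

    /* 0x174 is the EPROCESS.ImageFileName offset for the kernel build this
     * sample was written against; it is not stable across builds. The field
     * is a fixed-size char array, and "%s" relies on it being NUL-terminated
     * -- TODO confirm both against the target kernel. */
    KdPrint(("当前进程:%s", (char*)PsGetCurrentProcess() + 0x174));
    __asm {
        mov u_es, es
        mov u_ds, ds
    }
    KdPrint(("%X,%X", u_es, u_ds));
}

/*
 * Naked IDT gate target for entry 3.
 *
 * Saves all general registers and EFLAGS, loads FS with the kernel PCR
 * selector (0x30) so kernel code reached from FilterInterruptFunc3 can use
 * FS-relative data even when the trap came from user mode, restores
 * everything, then jumps to the original handler with the trap frame
 * untouched. The original handler therefore still performs the IRET.
 */
__declspec(naked) void NewInterruptFunc3()
{
    __asm {
        pushad
        pushfd
        push  fs
        push  0x30
        pop   fs
        call  FilterInterruptFunc3
        pop   fs
        popfd
        popad
        jmp   g_InterruptFunc3
    }
}

/*
 * Return the 32-bit handler address stored in IDT entry InterruptIndex of
 * the CPU this thread is currently running on (SIDT reads the local IDTR).
 *
 * No bounds check is done on InterruptIndex; callers pass small constants.
 */
ULONG GetInterruptFuncAddress(ULONG InterruptIndex)
{
    IDTR      idtr;
    IDTENTRY *pIdtEntry;

    __asm sidt idtr
    pIdtEntry = (IDTENTRY *)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
    return MAKELONG(pIdtEntry[InterruptIndex].LowOffset,
                    pIdtEntry[InterruptIndex].HiOffset);
}

/*
 * Point IDT entry InterruptIndex at NewInterruptFunc on every active CPU.
 *
 * Every processor has its own IDT. The thread is pinned to each active
 * processor in turn (KeSetSystemAffinityThread) and that processor's table
 * is located with SIDT while running on it. Writing the gate from the owning
 * CPU with interrupts masked guarantees no code on that CPU can dispatch
 * through the entry between the two 16-bit offset stores. The earlier
 * version wrote other processors' IDTs from whichever CPU the thread
 * happened to be on, and CLI only masks the local CPU, so a remote CPU
 * taking the interrupt mid-update would have jumped to a torn address.
 *
 * This also drops the dependence on undocumented layouts (KiProcessorBlock
 * found at a fixed offset inside KeSetTimeIncrement, and IDT/GDT pointers at
 * fixed negative offsets from KPRCB), which break on other kernel builds.
 *
 * Entries beyond the table's limit are skipped. Must be called at
 * IRQL <= APC_LEVEL; DriverEntry and DriverUnload run at PASSIVE_LEVEL.
 */
VOID SetInterrupt(ULONG InterruptIndex, ULONG NewInterruptFunc)
{
    KAFFINITY activeCpus = KeQueryActiveProcessors();
    ULONG     cpu;

    for (cpu = 0; cpu < sizeof(KAFFINITY) * 8; cpu++) {
        KAFFINITY  mask = (KAFFINITY)1 << cpu;
        IDTR       idtr;
        GDTR       gdtr;
        IDTENTRY  *pIdtEntry;
        PKGDTENTRY pGdt;

        if (!(activeCpus & mask)) {
            continue;
        }

        KeSetSystemAffinityThread(mask);

        __asm {
            sidt idtr
            sgdt gdtr
        }
        pIdtEntry = (IDTENTRY *)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase);
        pGdt      = (PKGDTENTRY)MAKELONG(gdtr.base_low, gdtr.base_high);

        /* IDTR.limit is (table size in bytes - 1); refuse to write past it. */
        if (InterruptIndex >= ((ULONG)idtr.IDT_limit + 1) / sizeof(IDTENTRY)) {
            continue;
        }

        PageProtectOff();
        pIdtEntry[InterruptIndex].LowOffset = (unsigned short)(NewInterruptFunc & 0xffff);
        pIdtEntry[InterruptIndex].HiOffset  = (unsigned short)(NewInterruptFunc >> 16);
        PageProtectOn();

        /* Diagnostics only; printed after interrupts are re-enabled. */
        KdPrint(("GDT:%X--%X--%X--%X", pGdt, pGdt[1].BaseLow,
                 pGdt[1].HighWord.Bits.BaseMid, pGdt[1].HighWord.Bits.BaseHi));
    }

    KeRevertToUserAffinityThread();
}

/*
 * DriverUnload: put the saved original handler back into entry 3 on every
 * CPU. NOTE: nothing here waits for a CPU that is currently inside
 * NewInterruptFunc3; the image is unmapped as soon as this returns.
 */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    SetInterrupt(3, g_InterruptFunc3);
}

/*
 * DriverEntry: capture the original INT 3 handler, install the hook on all
 * CPUs and register the unload routine that removes it.
 *
 * The original handler is read from the current CPU's IDT only; this sample
 * relies on every CPU's entry 3 holding the same handler.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    USHORT u_cs;

    /* Save before hooking so MyUnload always has a valid restore target. */
    g_InterruptFunc3 = GetInterruptFuncAddress(3);
    __asm mov u_cs, cs
    KdPrint(("%X--%X", NewInterruptFunc3, u_cs));
    SetInterrupt(3, (ULONG)NewInterruptFunc3);
    pDriverObject->DriverUnload = MyUnload;
    return STATUS_SUCCESS;
}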
