了解_idt_hook
/*
 * 32-bit Windows kernel driver that redirects IDT vector 3 (#BP, the int 3
 * breakpoint trap) on every processor to a naked trampoline
 * (NewInterruptFunc3). The trampoline logs the current process name and the
 * ES/DS selectors and then chains to the original handler saved in
 * g_InterruptFunc3; DriverUnload writes the saved handler back.
 *
 * Review notes (defensive reading of this listing):
 *  - x86-only: relies on MSVC `__asm`, CR0 bit manipulation and ULONG-sized
 *    pointers; it will not build for x64.
 *  - Every structure offset below (+0x174, +44, -0xE8, -0xE4) is a literal
 *    that is specific to the author's kernel build; on any other build these
 *    reads/writes land somewhere else.
 *  - Rewriting IDT entries is exactly the kind of change Kernel Patch
 *    Protection checks for on 64-bit Windows, and an IDT gate whose offset
 *    points outside ntoskrnl/hal is a standard integrity-check signal.
 *  - Writes are done with CR0.WP cleared and interrupts disabled (cli/sti in
 *    PageProtectOff/PageProtectOn); see the per-function notes.
 */
#include "ntddk.h"

#define WORD USHORT
#define DWORD ULONG
/* Combine two 16-bit halves into one 32-bit value (low half in `a`). */
#define MAKELONG(a, b) ((LONG)(((WORD)(((DWORD_PTR)(a)) & 0xffff)) | ((DWORD)((WORD)(((DWORD_PTR)(b)) & 0xffff))) << 16))

/* Result of the SIDT instruction: 16-bit limit followed by a 32-bit base,
 * which this file keeps as two 16-bit halves and reassembles with MAKELONG. */
typedef struct _IDTR
{
    USHORT IDT_limit;
    USHORT IDT_LOWbase;
    USHORT IDT_HIGbase;
} IDTR, *PIDTR;

/* 32-bit IDT gate descriptor as laid out by this file: the handler offset is
 * split into LowOffset/HiOffset around the selector and flag bits. Only
 * LowOffset and HiOffset are read or written below. */
typedef struct _IDTENTRY
{
    unsigned short LowOffset;
    unsigned short selector;
    unsigned char retention : 5;
    unsigned char zero1 : 3;
    unsigned char gate_type : 1;
    unsigned char zero2 : 1;
    unsigned char interrupt_gate_size : 1;
    unsigned char zero3 : 1;
    unsigned char zero4 : 1;
    unsigned char DPL : 2;
    unsigned char P : 1;
    unsigned short HiOffset;
} IDTENTRY, *PIDTENTRY;

/* GDT descriptor; used here only to log the base of entry [1] in SetInterrupt. */
typedef struct _KGDTENTRY {
    USHORT LimitLow;
    USHORT BaseLow;
    union {
        struct {
            UCHAR BaseMid;
            UCHAR Flags1; // Declare as bytes to avoid alignment
            UCHAR Flags2; // Problems.
            UCHAR BaseHi;
        } Bytes;
        struct {
            ULONG BaseMid : 8;
            ULONG Type : 5;
            ULONG Dpl : 2;
            ULONG Pres : 1;
            ULONG LimitHi : 4;
            ULONG Sys : 1;
            ULONG Reserved_0 : 1;
            ULONG Default_Big : 1;
            ULONG Granularity : 1;
            ULONG BaseHi : 8;
        } Bits;
    } HighWord;
} KGDTENTRY, *PKGDTENTRY;

//global
/* Original int 3 handler address, captured in DriverEntry from the IDT of
 * whichever processor DriverEntry happened to run on (see
 * GetInterruptFuncAddress) and restored to all processors in MyUnload. */
ULONG g_InterruptFunc3;

/*
 * Re-enable write protection: set CR0 bit 16 (WP) and re-enable interrupts.
 * Counterpart of PageProtectOff; note the unconditional `sti` re-enables
 * interrupts even if they were already disabled before PageProtectOff.
 */
void PageProtectOn()
{
    __asm
    {
        // restore memory (write) protection
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }
}

/*
 * Disable write protection: `cli` masks interrupts on this processor, then
 * CR0 bit 16 (WP) is cleared so supervisor code can write read-only pages.
 * CR0 is per-processor; the IDT of another processor is still ordinary memory
 * from here, which is why SetInterrupt can patch every processor's table
 * from one CPU.
 */
void PageProtectOff()
{
    __asm
    {
        // remove memory (write) protection
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
}

/*
 * Body of the hook, called by NewInterruptFunc3 from inside the int 3 trap.
 * Logs the current process name and the ES/DS selectors, then returns; the
 * caller chains to the original handler.
 * NOTE(review): PsGetCurrentProcess() + 0x174 is presumably the
 * EPROCESS.ImageFileName field of the author's build — the offset is not
 * portable. KdPrint from trap context is a reliability hazard; confirm the
 * IRQL this runs at.
 */
void __stdcall FilterInterruptFunc3()
{
    USHORT u_es, u_ds;
    KdPrint(("当前进程:%s", (char*)PsGetCurrentProcess() + 0x174)); // the current process triggered the interrupt routine and entered the kernel
    __asm
    {
        mov u_es, es
        mov u_ds, ds
    }
    KdPrint(("%X,%X", u_es, u_ds));
}

/*
 * Naked trampoline installed as the new int 3 gate. Saves all general
 * registers, EFLAGS and FS, loads selector 0x30 into FS (presumably the
 * kernel's per-processor data selector — confirm), calls the C hook, restores
 * everything and jumps to the original handler stored in g_InterruptFunc3.
 * Nothing here is saved beyond pushad/pushfd/fs, so FilterInterruptFunc3 must
 * not depend on any other state being preserved.
 */
__declspec(naked)
void NewInterruptFunc3()
{
    __asm
    {
        pushad
        pushfd
        push fs
        push 0x30
        pop fs
        call FilterInterruptFunc3
        pop fs
        popfd
        popad
        jmp g_InterruptFunc3
    }
}

/*
 * Return the handler offset currently stored in IDT entry InterruptIndex.
 * Uses SIDT, so it reads the IDT of the processor this code runs on only;
 * no bounds check is done on InterruptIndex.
 */
ULONG GetInterruptFuncAddress(ULONG InterruptIndex)
{
    IDTR idtr;
    IDTENTRY *pIdtEntry;
    __asm SIDT idtr; // read the IDT register
    pIdtEntry = (IDTENTRY *)MAKELONG(idtr.IDT_LOWbase, idtr.IDT_HIGbase); // compute the IDT base address
    return MAKELONG(pIdtEntry[InterruptIndex].LowOffset, pIdtEntry[InterruptIndex].HiOffset); // handler address of the requested vector (the old address); returned as a 4-byte value
}

/*
 * Write NewInterruptFunc as the handler offset of IDT entry InterruptIndex
 * on every processor.
 * Processor enumeration is done by reading a pointer 44 bytes into the code
 * of KeSetTimeIncrement (presumably an instruction operand referencing the
 * kernel's processor-block array) and walking that array until a NULL entry;
 * each entry's IDT and GDT pointers are then read at fixed negative offsets
 * (-0xE8, -0xE4). All three constants are build-specific, and only the first
 * pointer is validated (MmIsAddressValid).
 * The write itself is done with WP cleared and interrupts disabled; the
 * selector and flag bits of the gate are left untouched.
 */
VOID SetInterrupt(ULONG InterruptIndex, ULONG NewInterruptFunc)
{
    ULONG u_fnKeSetTimeIncrement; // ULONG is 4 bytes
    UNICODE_STRING usFuncName;
    ULONG u_index;
    ULONG *u_KiProcessorBlock;
    IDTENTRY *pIdtEntry;
    PKGDTENTRY pGdt;
    RtlInitUnicodeString(&usFuncName, L"KeSetTimeIncrement");
    u_fnKeSetTimeIncrement = (ULONG)MmGetSystemRoutineAddress(&usFuncName); // address of an exported routine inside the kernel image
    if (!MmIsAddressValid((PVOID)u_fnKeSetTimeIncrement))
    {
        return;
    }
    u_KiProcessorBlock = *(ULONG**)(u_fnKeSetTimeIncrement + 44); // locate the address of the per-processor block array (build-specific offset)
    u_index = 0;
    while (u_KiProcessorBlock[u_index]) // one entry per processor (multi-core, e.g. 4 cores); stops at the first NULL entry
    {
        pIdtEntry = *(IDTENTRY**)(u_KiProcessorBlock[u_index] - 0xE8); // this processor's IDT array (build-specific offset)
        PageProtectOff();
        pIdtEntry[InterruptIndex].LowOffset = (unsigned short)((ULONG)NewInterruptFunc & 0xffff); // low 16 bits of the new handler address
        pIdtEntry[InterruptIndex].HiOffset = (unsigned short)((ULONG)NewInterruptFunc >> 16); // high 16 bits of the new handler address
        pGdt = *(PKGDTENTRY*)(u_KiProcessorBlock[u_index] - 0xE4); // this processor's GDT (build-specific offset); logged only
        KdPrint(("GDT:%X--%X--%X--%X", pGdt, pGdt[1].BaseLow, pGdt[1].HighWord.Bits.BaseMid, pGdt[1].HighWord.Bits.BaseHi));
        PageProtectOn();
        u_index++;
    }
}

/*
 * Unload callback: restore the saved original int 3 handler on every
 * processor. The saved value came from one processor's IDT (SIDT in
 * GetInterruptFuncAddress); if per-processor IDTs differed, every processor
 * receives that single value.
 */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    SetInterrupt(3, g_InterruptFunc3);
}

/*
 * Driver entry: record the current int 3 handler, log the trampoline address
 * and the kernel CS selector, install the trampoline on all processors and
 * register MyUnload so the original handler is put back on unload.
 * Reg_Path is unused.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    USHORT u_cs;
    g_InterruptFunc3 = GetInterruptFuncAddress(3);
    __asm mov u_cs, cs;
    KdPrint(("%X--%X", NewInterruptFunc3, u_cs));
    SetInterrupt(3, (ULONG)NewInterruptFunc3);
    pDriverObject->DriverUnload = MyUnload;
    return STATUS_SUCCESS;
}