x86 IDT HOOK

来源：互联网发布：手机淘宝查看卖家信誉编辑：程序博客网时间：2024/06/06 03:26

准备资料：

　　中断描述符表(Interrupt Descriptor Table,IDT)显然是用来处理中断的。IDT指定了如何处理诸如下一个键、发生页面错误或用户进程请求SSDT时所触发的中断。本文介绍HOOK IDT中的向量0x2E，该钩子在SSDT中的内核函数之前进行调用。

　　处理IDT时需要注意两点，每个处理器都有自己的IDT，需要钩住系统上的所有IDT。

　　当应用程序需要操作系统的支持时，NTDLL.DLL向EAX寄存器加载SSDT中系统调用的索引号，向EDX寄存器加载用户堆栈参数的指针。然后发出中断指令进入内核。

　　SIDT指令将在内存中为每个CPU寻找IDT。SIDT指令将中断描述符表寄存器IDTR（64bit，16-47bit存有中断描述表符IDT基地址）的内容存入指定地址单元。这个指令不是特权指令。

__asm{    sidt Idt_info ;}

　　Idt_info实际上是IDTINFO结构。

　IDTINFO结构：

  typedef struct   {   　　WORD IDTLimit;   　　WORD LowIDTbase;   //IDT的低半地址   　　WORD HiIDTbase;     //IDT的高半地址   } IDTINFO;      #define MAKELONG(a, b)((LONG)(((WORD)(a))|((DWORD)((WORD)(b)))<< 16))

　　IDT划分为一个较低的WORD值和一个较高的WORD值，可以通过MAKELONG宏来获得正确的DWORD值，其中最高位WORD在前面。

　　IDT中每一项都具有自己的结构，长度为64位。每一项包含一个特定中断处理函数的地址。IDTENTRY结构中的LowOffset和HiOffset组成了中断处理程序的地址。

#pragma pack(1)typedef struct{    unsigned short LowOffset;    unsigned short selector;    unsigned char unused_lo;    unsigned char segment_type:4;    //0x0E is an interrupt gate    unsigned char system_segment_flag:1;    unsigned char DPL:2;    // descriptor privilege level     unsigned char P:1; /* present */    unsigned short HiOffset;} IDTENTRY;/* sidt returns idt in this format */typedef struct{    unsigned short IDTLimit;    unsigned short LowIDTbase;    unsigned short HiIDTbase;} IDTINFO;#pragma pack()

参考代码：(copy from www.rootkit.com)

  1 // ---------------------------  2 // BASIC INTERRUPT HOOK part 3  3 // this hooks the entire table  4 // ---------------------------  5   6 #include "ntddk.h"  7 #include <stdio.h>  8   9 //debuggering 10 //#define _DEBUG 11  12 #define MAKELONG(a, b) ((unsigned long) (((unsigned short) (a)) | ((unsigned long) ((unsigned short) (b))) << 16))  13  14 // set this to the max int you want to hook 15 #define MAX_IDT_ENTRIES 0xFF 16  17 // the starting interrupt for patching 18 // to 'skip' some troublesome interrupts 19 // at the beginning of the table (TODO, find out why) 20 #define START_IDT_OFFSET 0x00 21  22 unsigned long g_i_count[MAX_IDT_ENTRIES]; 23 unsigned long old_ISR_pointers[MAX_IDT_ENTRIES];    // better save the old one!! 24  25 char jump_template[] = {  26     0x90,                                        //nop, debug 27     0x60,                                        //pushad 28     0x9C,                                        //pushfd 29     0xB8, 0xAA, 0x00, 0x00, 0x00,                //mov eax, AAh 30     0x50,                                        //push eax 31     0x9A, 0x11, 0x22, 0x33, 0x44, 0x08, 0x00,    //call 08:44332211h 32     0x58,                                        //pop eax 33     0x9D,                                        //popfd 34     0x61,                                        //popad 35     0xEA, 0x11, 0x22, 0x33, 0x44, 0x08, 0x00    //jmp 08:44332211h 36 }; 37  38 char * idt_detour_tablebase; 39  40  41 /////////////////////////////////////////////////// 42 // IDT structures 43 /////////////////////////////////////////////////// 44 #pragma pack(1) 45  46 // entry in the IDT, this is sometimes called 47 // an "interrupt gate" 48 typedef struct 49 { 50     unsigned short LowOffset; 51     unsigned short selector; 52     unsigned char unused_lo; 53     unsigned char segment_type:4;    //0x0E is an interrupt gate 54     unsigned char system_segment_flag:1; 55     unsigned char DPL:2;    // descriptor privilege level  56     unsigned char P:1; /* present */ 57     unsigned short HiOffset; 58 } IDTENTRY; 59  60 /* sidt returns idt in this format */ 61 typedef struct 62 { 63     unsigned short IDTLimit; 64     unsigned short LowIDTbase; 65     unsigned short HiIDTbase; 66 } IDTINFO; 67  68 #pragma pack() 69  70  71  72 VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) 73 {     74     int i; 75     IDTINFO        idt_info;        // this structure is obtained by calling STORE IDT (sidt) 76     IDTENTRY*    idt_entries;    // and then this pointer is obtained from idt_info 77     char _t[255]; 78  79     // load idt_info 80     __asm    sidt    idt_info     81     idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase); 82  83     DbgPrint("ROOTKIT: OnUnload called\n"); 84  85     for(i=START_IDT_OFFSET;i<MAX_IDT_ENTRIES;i++) 86     { 87         _snprintf(_t, 253, "interrupt %d called %d times", i, g_i_count[i]); 88         DbgPrint(_t); 89     } 90  91     DbgPrint("UnHooking Interrupt..."); 92  93     for(i=START_IDT_OFFSET;i<MAX_IDT_ENTRIES;i++) 94     { 95         // restore the original interrupt handler 96         __asm cli 97         idt_entries[i].LowOffset = (unsigned short) old_ISR_pointers[i]; 98         idt_entries[i].HiOffset = (unsigned short)((unsigned long)old_ISR_pointers[i] >> 16); 99         __asm sti100     }101 102 103     DbgPrint("UnHooking Interrupt complete.");104 }105 106 NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )107 {108     IDTINFO        idt_info;        // this structure is obtained by calling STORE IDT (sidt)109     IDTENTRY*    idt_entries;    // and then this pointer is obtained from idt_info110     IDTENTRY*    i;111     unsigned long     addr;112     unsigned long    count;113     char _t[255];114 115     theDriverObject->DriverUnload  = OnUnload; 116 117     for(count=START_IDT_OFFSET;count<MAX_IDT_ENTRIES;count++)118     {119         g_i_count[count]=0;120     }121 122     // load idt_info123     __asm    sidt    idt_info124     idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);125 126     ////////////////////////////////////////////127     // save old idt pointers128     ////////////////////////////////////////////129     for(count=START_IDT_OFFSET;count < MAX_IDT_ENTRIES;count++)130     {131         i = &idt_entries[count];132         addr = MAKELONG(i->LowOffset, i->HiOffset);133 134         _snprintf(_t, 253, "Interrupt %d: ISR 0x%08X", count, addr);135         DbgPrint(_t);136 137         old_ISR_pointers[count] = MAKELONG(idt_entries[count].LowOffset,idt_entries[count].HiOffset);138     }139 140 141     ///////////////////////////////////////////142     // setup the detour table143     ///////////////////////////////////////////144     idt_detour_tablebase = ExAllocatePool(NonPagedPool, sizeof(jump_template)*256);145 146     for(count=START_IDT_OFFSET;count<MAX_IDT_ENTRIES;count++)147     {148         int offset = sizeof(jump_template)*count;    149         char *entry_ptr = idt_detour_tablebase + offset;150 151         // entry_ptr points to the start of our jump code in the detour_table152 153         // copy the starter code into the template location154         memcpy(entry_ptr, jump_template, sizeof(jump_template));155 156         // stamp the far jump to the original ISR157         *( (unsigned long *)(&entry_ptr[20]) ) = old_ISR_pointers[count];158 159         // finally, make the interrupt point to our template code160         __asm cli161         idt_entries[count].LowOffset = (unsigned short)entry_ptr;162         idt_entries[count].HiOffset = (unsigned short)((unsigned long)entry_ptr >> 16);163         __asm sti164     }165 166     DbgPrint("Hooking Interrupt complete");167 168     return STATUS_SUCCESS;169 }

XP虚拟机加载该驱动后，贴出DbgView日志

View Code

0 0