驱动编程-idt hook--中断描述符表


整理一下之前研究过驱动保护时的学习笔记，IDT hook 也是一个常用的 hook 思路。需要注意：下面的代码只针对 32 位 x86 内核（IDTR 基址和门描述符都按 32 位布局解析），并且直接改写内核代码，在 x64 上门描述符结构不同，而且内核补丁保护会检测这类修改。

这里并不改写 IDT 表项本身，而是先从 IDT 中取出 int 3（向量 3）处理函数的地址，再对该处理函数的开头做 inline hook：把前 5 字节改成一条 jmp 跳到自己的函数，自己的函数执行完后补回被覆盖的前两条指令，再跳回原处理函数偏移 9 字节处继续执行。

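// Read the IDT base, locate the int 3 (vector 3) gate and inline-hook the
// handler it points to with a 5-byte relative jmp to myInt3.
//
// Things a practitioner must know before loading this:
//  * 32-bit x86 only: IDTR.base is read as 32 bits and the gate layout below
//    is the 32-bit one.
//  * The trampoline re-executes a fixed 9-byte prologue (push 0 /
//    mov word ptr [esp+2],0). That prologue belongs to the kernel build this
//    was written against; IDThook now verifies it before writing anything and
//    refuses to hook if it does not match.
//  * The code page is written directly. Nothing here clears CR0.WP or maps the
//    page through an MDL, so the store can fault on a system whose kernel code
//    is write-protected.
//  * The patch is two separate stores; it is not atomic with respect to other
//    processors that may be executing int 3 at that moment.
//  * int 3 gates are normally DPL 3, so any user-mode process can drive the
//    hooked handler: whatever myInt3 does runs on untrusted input.
#include<ntddk.h>
#include <windef.h>
#ifdef __cplusplus
extern "C"{
#endif
#include <NTDDK.h> // headers that must be compiled with C linkage
#ifdef __cplusplus
}
#endif

#pragma pack(push)
#pragma pack(1)
// IDTR register contents as stored by `sidt` (6 bytes, packed).
typedef struct _IDTR
{
    USHORT limit; // table limit, 16 bits
    ULONG  base;  // linear base address of the IDT, 32 bits (an IDT_ENTRY array)
} IDTR, *PIDTR;

// One 32-bit gate descriptor (8 bytes).
// Handler address = (offset_high << 16) + offset_low.
typedef struct _IDT_ENTRY
{
    USHORT offset_low;  // handler address, low 16 bits
    USHORT selector;    // code segment selector
    UCHAR  reserved;
    UCHAR  type:4;      // gate type
    UCHAR  always0:1;
    UCHAR  dpl:2;       // descriptor privilege level
    UCHAR  present:1;
    USHORT offset_high; // handler address, HIGH 16 bits
} IDT_ENTRY, *PIDT_ENTRY;
#pragma pack(pop)

// Vector of the int 3 gate, size of the handler prologue the trampoline
// re-executes (push 0 = 2 bytes, mov word ptr [esp+2],0 = 7 bytes) and the
// size of the E9 rel32 jmp written over it.
#define INT3_VECTOR        3
#define INT3_PROLOGUE_SIZE 9
#define JMP_REL32_SIZE     5

//======================value=============
ULONG jmpaddr_int3proc_9;                         // handler + 9: where myInt3 jumps back to
static UCHAR   g_int3OrigBytes[INT3_PROLOGUE_SIZE]; // prologue bytes saved by IDThook
static BOOLEAN g_int3Hooked = FALSE;              // set only after a successful patch
//======================value end=============

// Return the linear base address of the IDT of the processor this runs on.
ULONG GetIDTAddr()
{
    IDTR idt_info;
    __asm sidt idt_info
    return idt_info.base;
}

// Return the address of the int 3 handler, assembled from gate INT3_VECTOR.
ULONG GetInt3Addr()
{
    PIDT_ENTRY idtInt3 = (PIDT_ENTRY)GetIDTAddr() + INT3_VECTOR;
    // The shift must be parenthesised: `a<<16+b` parses as `a<<(16+b)`.
    return ((ULONG)idtInt3->offset_high << 16) + idtInt3->offset_low;
}

// Detour for the int 3 handler. Must leave every register, flag and the stack
// exactly as found, then re-execute the 9 overwritten prologue bytes and jump
// to handler+9 (jmpaddr_int3proc_9). Naked: no prologue/epilogue, no locals.
// Runs inside the trap path before the kernel's own frame exists; the KdPrint
// is the placeholder for the hook's real work. NOTE(review): a breakpoint
// inside DbgPrint would re-enter this handler -- confirm that cannot happen
// on the target system.
void __declspec(naked) myInt3()
{
    _asm{
        pushad
        pushfd
    }
    KdPrint(("\n entry my Int3Proc \n"));
    _asm{
        popfd
        popad
    }
    __asm{
        push 0
        mov word ptr [esp+2], 0
        // the 2 overwritten prologue instructions, 9 bytes in total
        jmp jmpaddr_int3proc_9
    }
}

// Reference copy of the expected 9-byte prologue, as MSVC encodes it.
// Used only as bytes (never called); IDThook compares the live handler
// against it. NOTE(review): relies on &Int3HookCode pointing at the code
// itself rather than an incremental-link thunk -- build without /INCREMENTAL.
void __declspec(naked) Int3HookCode()
{
    _asm{
        push 0
        mov word ptr [esp+2], 0
    }
}

// Install the hook: verify the handler prologue, save it, publish the
// return address for the trampoline, then overwrite the first 5 bytes with
// `jmp myInt3`. Leaves the handler untouched (and logs) when the prologue is
// not the expected one or the hook is already installed.
void IDThook()
{
    if (g_int3Hooked) {
        KdPrint(("\n IDThook: already hooked\n"));
        return;
    }

    ULONG int3Addr = GetInt3Addr();
    KdPrint(("\n int3Addr %x\n", int3Addr));

    // Jumping to +9 inside an unknown prologue would land mid-instruction,
    // so refuse to patch anything that is not the prologue we re-execute
    // (a different kernel build, or a handler somebody else already hooked).
    if (RtlCompareMemory((PVOID)int3Addr, (PVOID)Int3HookCode, INT3_PROLOGUE_SIZE)
            != INT3_PROLOGUE_SIZE) {
        KdPrint(("\n IDThook: unexpected int3 prologue, not hooking\n"));
        return;
    }
    RtlCopyMemory(g_int3OrigBytes, (PVOID)int3Addr, INT3_PROLOGUE_SIZE);

    // rel32 is relative to the end of the 5-byte jmp.
    ULONG jmpAddr = (ULONG)&myInt3 - int3Addr - JMP_REL32_SIZE;
    // Must be published before the jmp is live: myInt3 reads it.
    jmpaddr_int3proc_9 = int3Addr + INT3_PROLOGUE_SIZE;
    KdPrint(("\n jmpaddr_int3proc_9 %x\n", jmpaddr_int3proc_9));

    // Write E9 <rel32>. Two stores: not atomic across processors, and it
    // faults if this page is write-protected on the running system.
    _asm{
        push eax
        push ebx
        mov eax, int3Addr
        mov ebx, jmpAddr
        mov byte ptr ds:[eax], 0xE9
        mov dword ptr ds:[eax+1], ebx
        pop ebx
        pop eax
    }
    g_int3Hooked = TRUE;
}

// Remove the hook by restoring the prologue bytes saved by IDThook
// (rather than re-synthesising them from Int3HookCode). No-op when the
// hook was never installed. Same atomicity/write-protection caveats as
// IDThook; nothing waits for a processor that is still inside myInt3.
void IDTunhook()
{
    if (!g_int3Hooked) {
        return;
    }
    ULONG int3Addr = GetInt3Addr();
    RtlCopyMemory((PVOID)int3Addr, g_int3OrigBytes, INT3_PROLOGUE_SIZE);
    g_int3Hooked = FALSE;
}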


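#include "miniDDK.h"
#include "SSDT.h"
#include "IDThook.h"

// Forward declarations so DriverEntry can call these before their definitions
// (harmless if a header already declares them).
NTSTATUS CreateMyDriver(IN PDRIVER_OBJECT pDriverObject);
VOID DDK_Unload(IN PDRIVER_OBJECT pDriverObject);

#pragma INITCODE
// Driver entry point: registers the dispatch routines, creates the control
// device and symbolic link, records the original/current NtOpenProcess
// addresses from the SSDT (the repair itself stays disabled) and installs
// the IDT hook.
// Returns CreateMyDriver's failure status -- before any kernel code is
// patched and before DriverUnload is set -- if the device cannot be created;
// otherwise STATUS_SUCCESS (the original returned the raw value 1).
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING b)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(b);

    //=================Init============================
    KdPrint(("\n\n驱动被加载----------\n"));
    // Register each dispatch routine separately.
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = ddk_DispatchRoutine_CREATE;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = ddk_DispatchRoutine_CLOSE;
    pDriverObject->MajorFunction[IRP_MJ_READ] = ddk_DispatchRoutine_READ;
    pDriverObject->MajorFunction[IRP_MJ_WRITE] = ddk_DispatchRoutine_WRITE;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ddk_DispatchRoutine_CONTROL;

    // The original discarded this status and hooked anyway; a driver without
    // its device must not be left patching the kernel.
    status = CreateMyDriver(pDriverObject);
    if (!NT_SUCCESS(status)) {
        KdPrint(("CreateMyDriver failed: %x\n", status));
        return status;
    }
    pDriverObject->DriverUnload = DDK_Unload;
    //=================Init============================

    //=============inlinehook==================
    // Original and current SSDT entry for NtOpenProcess (helpers from SSDT.h).
    SSDT_NtoldProcess_Addr = GetNt_OldAddress();
    KdPrint(("SSDT_NtoldProcess_Addr  %x\n", SSDT_NtoldProcess_Addr));
    SSDT_NtcurProcess_Addr = GetCurNtOpenProcess();
    KdPrint(("NtOpenProcessAddr: %x\n", SSDT_NtcurProcess_Addr));
    // Build the E9 rel32 jmp that would send the current entry back to the
    // original one (rel32 is relative to the end of the 5-byte jmp).
    newAddr.jmp = 0xE9;
    newAddr.addr = SSDT_NtoldProcess_Addr - SSDT_NtcurProcess_Addr - 5;
    // Repair of a hooked NtOpenProcess is intentionally left disabled:
    //if(SSDT_NtoldProcess_Addr!=SSDT_NtcurProcess_Addr){
    //KdPrint(("OpenProcess被HOOK 已修复------------\n"));
    //temp = (pjmpCode)SSDT_NtcurProcess_Addr;
    //oldAddr.jmp = temp->jmp;
    //oldAddr.addr = temp->addr;
    //temp->jmp = newAddr.jmp;
    //temp->addr = newAddr.addr;
    //}
    //=============inlinehook==================

    //================ssdt hook==================
    //Hook();
    //================ssdt hook==================

    //==================IDT hook=================
    //test();
    IDThook();
    //==================IDT hook=================
    return STATUS_SUCCESS;
}

#pragma PAGECODE
// Unload: removes the IDT hook first (so no int 3 path reaches code that is
// about to be unmapped), then deletes the device object and symbolic link.
// NOTE(review): nothing waits for a processor that is still inside the hook
// when the image goes away -- confirm the window is acceptable.
VOID DDK_Unload(IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symbolName;

    //=============ssdthook==================
    //UnHook();   // SSDT restore, disabled to match DriverEntry
    //=============ssdthook==================
    //=============inlinehook==================
    //if(SSDT_NtoldProcess_Addr!=SSDT_NtcurProcess_Addr){
    //oldAddr.jmp=temp->jmp;
    //oldAddr.addr=temp->addr;
    //}
    //=============inlinehook==================
    //==================IDT hook=================
    IDTunhook();
    //==================IDT hook=================

    // Guard the delete: IoDeleteDevice(NULL) is not valid.
    if (pDriverObject->DeviceObject != NULL) {
        IoDeleteDevice(pDriverObject->DeviceObject);
    }
    RtlInitUnicodeString(&symbolName, L"\\??\\djj_DriverSymbol");
    IoDeleteSymbolicLink(&symbolName);
    KdPrint(("驱动被卸载------------\n"));
}

// INIT-section code is best kept in the .cpp: it is discarded once
// initialization has run.
#pragma INITCODE
// Create the control device and its Win32-visible symbolic link.
// On symbolic-link failure the freshly created device is deleted so the
// failure leaves nothing behind (the original leaked it).
// NOTE(review): the device is named under \Driver\ rather than the usual
// \Device\ directory -- confirm that is intended. The device is also created
// with default security; if the IOCTL path is privileged, consider
// IoCreateDeviceSecure with an explicit SDDL string.
NTSTATUS CreateMyDriver(IN PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;
    PDEVICE_OBJECT pDevObj = NULL;
    UNICODE_STRING devName;
    UNICODE_STRING symbolName;

    RtlInitUnicodeString(&devName, L"\\Driver\\djj_Driver");
    RtlInitUnicodeString(&symbolName, L"\\??\\djj_DriverSymbol");

    // Exclusive device, no device extension.
    status = IoCreateDevice(pDriverObject, 0, &devName, FILE_DEVICE_UNKNOWN, 0, TRUE, &pDevObj);
    if (!NT_SUCCESS(status)) {
        KdPrint(("创建设备失败"));
        return status;
    }
    pDevObj->Flags |= DO_BUFFERED_IO;

    status = IoCreateSymbolicLink(&symbolName, &devName);
    if (!NT_SUCCESS(status)) {
        KdPrint(("创建符号链接失败"));
        IoDeleteDevice(pDevObj); // don't leak the device object on failure
        return status;
    }
    return STATUS_SUCCESS;
}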


大家参考着看吧，好久之前写的，忘记得差不多了。当时是想当框架用的，现在也可以。


需要按自己需求修改的地方（myInt3 中 KdPrint 所在处，其余的寄存器保存/恢复和跳回原处理函数的部分不要动）：

// Detour for the int 3 handler. IDThook overwrites the first 5 bytes of the
// handler with `jmp myInt3` and sets jmpaddr_int3proc_9 = handler + 9, so this
// function must leave every register, flag and the stack exactly as found,
// then re-execute the 9 overwritten prologue bytes and jump to handler+9.
// Naked: no compiler prologue/epilogue, no locals.
//
// Caveats for whoever replaces the KdPrint:
//  * This runs inside the trap path, before the kernel's own frame is built,
//    in whatever thread context raised int 3. int 3 gates are normally DPL 3,
//    so a user-mode process can raise it: treat everything here as untrusted.
//  * KdPrint calls into DbgPrint from that path. NOTE(review): a breakpoint
//    inside DbgPrint would re-enter this handler -- confirm recursion cannot
//    occur on the target system.
//  * The IRQL / interrupt state at this point cannot be told from this file;
//    confirm whatever replaces the KdPrint is safe there.
void __declspec(naked) myInt3(){
 _asm{
  pushad
     pushfd
 }
  KdPrint(("\n entry my Int3Proc \n"));// replace with your own handling
  _asm{
   popfd
   popad
  }
  __asm
 {
   
  push 0
  mov word ptr [esp+2], 0
  // the 2 overwritten prologue instructions, 9 bytes in total
  jmp jmpaddr_int3proc_9
 }
 
}


