Simple Hooking of Functions not Exported by Ntoskrnl.exe
来源:互联网 发布:Java框架排行榜 编辑:程序博客网 时间:2024/06/04 23:29
Simple Hooking of Functions not Exported by Ntoskrnl.exe
By: gareth As many of you will know, hooking functions not exported by ntoskrnl.exe is a real pain, as you need to hard code their position in KeServiceDescriptorTable, and this will change between windows releases.
Hardcoding the positions seems a poor solution, since it means after a new service pack, the rootkit may no longer work and become discovered.
As I have found the code on this site extremely helpful, I think it is only fair that I return the favour ;-)
I have implemented the method described in previous posts, whereby I have mapped a view of ntdll.dll into the process space of whoever loads the driver initially, and then retrieve the required function positions directly from the dll.
This was relatively simple to do, and only requires knowledge of the pe file format, and a few undocumented apis.
Using the function pasted below, when hooking you simply do as follows:
and here's the function GetDllFunctionAddress:
Hopefully this will be useful to you.
Hardcoding the positions seems a poor solution, since it means after a new service pack, the rootkit may no longer work and become discovered.
As I have found the code on this site extremely helpful, I think it is only fair that I return the favour ;-)
I have implemented the method described in previous posts, whereby I have mapped a view of ntdll.dll into the process space of whoever loads the driver initially, and then retrieve the required function positions directly from the dll.
This was relatively simple to do, and only requires knowledge of the pe file format, and a few undocumented apis.
Using the function pasted below, when hooking you simply do as follows:
RtlInitUnicodeString(&dllName, L"//Device//HarddiskVolume1//Windows//System32//ntdll.dll");
functionAddress = GetDllFunctionAddress(functionName, &dllName);
position = *((WORD*)(functionAddress+1));
g_OriginalZwCreateProcessEx = (ZWCREATEPROCESSEX)(KeServiceDescriptorTable.ServiceTableBase[position]);
and here's the function GetDllFunctionAddress:
DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName)
{
HANDLE hThread, hSection, hFile, hMod;
SECTION_IMAGE_INFORMATION sii;
IMAGE_DOS_HEADER* dosheader;
IMAGE_OPTIONAL_HEADER* opthdr;
IMAGE_EXPORT_DIRECTORY* pExportTable;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base, x, functionAddress;
char* functionName;
STRING ntFunctionName, ntFunctionNameSearch;
PVOID BaseAddress = NULL;
SIZE_T size=0;
OBJECT_ATTRIBUTES oa = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE};
IO_STATUS_BLOCK iosb;
//_asm int 3;
ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
oa.ObjectName = 0;
ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, SEC_IMAGE, hFile);
ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
ZwClose(hFile);
hMod = BaseAddress;
dosheader = (IMAGE_DOS_HEADER *)hMod;
opthdr =(IMAGE_OPTIONAL_HEADER *) ((BYTE*)hMod+dosheader->e_lfanew+24);
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*) hMod + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
// now we can get the exported functions, but note we convert from RVA to address
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfFunctions);
arrayOfFunctionNames = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfNames);
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)hMod + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
RtlInitString(&ntFunctionNameSearch, lpFunctionName);
for(x = 0; x < pExportTable->NumberOfFunctions; x++)
{
functionName = (char*)( (BYTE*)hMod + arrayOfFunctionNames[x]);
RtlInitString(&ntFunctionName, functionName);
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1; // always need to add base, -1 as array counts from 0
// this is the funny bit. you would expect the function pointer to simply be arrayOfFunctionAddresses[x]...
// oh no... thats too simple. it is actually arrayOfFunctionAddresses[functionOrdinal]!!
functionAddress = (DWORD)( (BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]);
if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0)
{
ZwClose(hSection);
return functionAddress;
}
}
ZwClose(hSection);
return 0;
}
Hopefully this will be useful to you.
- Simple Hooking of Functions not Exported by Ntoskrnl.exe
- Simple Hooking of Functions not Exported by Ntoskrnl.exe
- Simple Hooking of Functions not Exported by Ntoskrnl.exe
- ntoskrnl.exe(01)
- ntoskrnl.exe implementation
- Vista4Experts by Ntoskrnl
- ntldr丢失,ntoskrnl.exe丢失
- 修改ntoskrnl.exe的方法
- CFF Explorer III by Ntoskrnl
- .NET Generic Unpacker by Ntoskrnl
- How to avoid the detection of hidden regkey by hooking RegSaveKeyA
- How to avoid the detection of hidden regkey by hooking NtSaveKey!
- nfs mount:reason given by server: Permission denied +refused mount request XXX (/): not exported
- WIN2000中断描述符表(NTOSKRNL.EXE)
- ntoskrnl.exe损坏或丢失的解决方案
- Calling Fortran functions from C++ by means of shared libraries
- exp/imp碰到的两则问题处理(ORA-00904和the objects were exported by ABC not by you)
- My simple functions
- BASIC ROOTKIT that hides files, directories, and processes
- (转载)玩转ARP
- 二章
- IP基础--ARP协定
- 三章
- Simple Hooking of Functions not Exported by Ntoskrnl.exe
- port/connection hiding
- 用户态隐藏进程的通用版本
- 黑客新手必需的工具介绍 (转自鹰盟)
- BCB命名规范
- Linux?Free BSD?Solaris
- 林语堂语录
- 一个好的软件工程师应预备的素质
- 刚才去华师大诳了圈