zoukankan      html  css  js  c++  java

  • HOOK NtCreateSection

    本程序使用了hde32反汇编引擎,所以性能更加稳定!


    #pragma once
    #include <ntddk.h>


    NTSYSAPI
    NTSTATUS
    NTAPI
    NtCreateSection(OUT PHANDLE SectionHandle,
            IN ACCESS_MASK DesiredAccess,
            IN POBJECT_ATTRIBUTES ObjectAttributes,
            IN PLARGE_INTEGER SectionSize OPTIONAL,
            IN ULONG Protect,
            IN ULONG Attributes,
            IN HANDLE FileHandle);


    NTSTATUS
    DetourNtCreateSection(OUT PHANDLE SectionHandle,
                IN ACCESS_MASK DesiredAccess,
                IN POBJECT_ATTRIBUTES ObjectAttributes,
                IN PLARGE_INTEGER SectionSize OPTIONAL,
                IN ULONG Protect,
                IN ULONG Attributes,
                IN HANDLE FileHandle);


    VOID
    TrueCellUnload(IN PDRIVER_OBJECT DriverObject);


    BOOLEAN
    HookFunc(BOOLEAN IsHook);


    NTSTATUS
    DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath);


    NTSTATUS
    IoQueryFileDosDeviceName(IN PFILE_OBJECT  FileObject,
                OUT POBJECT_NAME_INFORMATION  *ObjectNameInformation );




    #include "Ncs.h"
    #include "hde32.h"


    #pragma comment(lib, "hde32.lib")




    UCHAR OriFuncHead[12]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};//假设目标函数头部有12个字节
    UCHAR NewFuncHead[5]={0xE9,0x00,0x00,0x00,0x00};//jmp [相对偏移] 的字节码——奇妙的地方
    ULONG ulHeadLen=0;


    NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath){
        KdPrint(("[TrueCell] Driver Entry! "));
        DriverObject->DriverUnload=TrueCellUnload;
        return HookFunc(TRUE)?STATUS_SUCCESS:STATUS_UNSUCCESSFUL;
    }


    VOID TrueCellUnload(IN PDRIVER_OBJECT DriverObject){
        HookFunc(FALSE);
        KdPrint(("[TrueCell] Driver Unload! "));
    }




    _declspec(naked) NTSTATUS
    GoNtCreateSection(OUT PHANDLE SectionHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        IN PLARGE_INTEGER SectionSize OPTIONAL,
        IN ULONG Protect,
        IN ULONG Attributes,
        IN HANDLE FileHandle){//跳板
        _asm{
            nop;//       
            nop;//    |
            nop;//    |
            nop;//    |
            nop;//    |
            nop;//    |   
            nop;//    >开辟足够大的空间来容纳NtCreateSection开头的ulHeadlen个字节的机器码
            nop;//    |
            nop;//    |
            nop;//    |
            nop;//    |
            nop;//    /
            mov        eax,NtCreateSection;
            add     eax,ulHeadLen;
            jmp     eax
        }
    }


    NTSTATUS
    DetourNtCreateSection(OUT PHANDLE SectionHandle,
                IN ACCESS_MASK DesiredAccess,
                IN POBJECT_ATTRIBUTES ObjectAttributes,
                IN PLARGE_INTEGER SectionSize OPTIONAL,
                IN ULONG Protect,
                IN ULONG Attributes,
                IN HANDLE FileHandle){//代理函数
        PFILE_OBJECT    FileObject;
        POBJECT_NAME_INFORMATION wcFilePath;
        //由Protect判断当前Section是否可执行:一般将要执行的DLL和EXE的都是Section可执行的
        if (Protect & (PAGE_EXECUTE|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY) ){
            //获取FileHandle对应的FILE_OBJEC——其有我们感兴趣的成员和作用
            if (NT_SUCCESS(ObReferenceObjectByHandle(FileHandle,0,NULL,KernelMode,&FileObject,NULL))){//获取文件对象       
            //获取FileObject对应的文件全路径
                if (IoQueryFileDosDeviceName(FileObject,&wcFilePath)==STATUS_SUCCESS){//获取文件对象所对应的文件Dos设备名称,即是全路径
                   
                    DbgPrint("[TrueCell] %ws ",wcFilePath->Name.Buffer);
                    ExFreePool(wcFilePath);//IoQueryFileDosDeviceName获取的OBJECT_NAME_INFORMATION 需要手动释放
                }
                ObDereferenceObject(FileObject);//放弃对FileObject的引用
            }       
        }
        //“返回”到真正的“跳板”处,完成Hook过程
        return GoNtCreateSection(SectionHandle,DesiredAccess,ObjectAttributes,SectionSize,Protect,Attributes,FileHandle);   
    }


    BOOLEAN HookFunc(BOOLEAN IsHook){
        ULONG  Offset;
        KIRQL  Irql;   
        ULONG  CR0Value;
        hde32s hs;
        PUCHAR code_pos;


        if (IsHook==FALSE && ulHeadLen==0){
            return FALSE;
        }
        KdPrint(("[TrueCell] %s ",IsHook?"Hook":"UnHook"));


        Irql=KeRaiseIrqlToDpcLevel();
        if (IsHook){
            Offset=(ULONG)DetourNtCreateSection-(ULONG)NtCreateSection-5;
            RtlCopyMemory(NewFuncHead+1,(PUCHAR)&Offset,4);       


            code_pos=(PUCHAR )NtCreateSection;
            while (ulHeadLen<5){//利用反汇编引擎HDE,解析目标函数位置头部能容纳Hook跳转指令所需空间的大小
                RtlZeroMemory(&hs,sizeof(hs));
                ulHeadLen+=hde32_disasm(code_pos,&hs);
                code_pos+=ulHeadLen;
            }
            RtlCopyMemory(OriFuncHead,(PUCHAR)NtCreateSection,ulHeadLen);
            RtlCopyMemory(GoNtCreateSection,(PUCHAR)NtCreateSection,ulHeadLen);//将目标函数位置头部的指令复制到踏板函数体内
        }   
        _asm{//关闭写保护
            cli;
            push eax;   
            mov eax,cr0;
            mov CR0Value,eax;
            and eax,0xfffeffff;
            mov cr0,eax;
            pop eax;
        }
        if (IsHook){
            RtlMoveMemory((PUCHAR)NtCreateSection,NewFuncHead,5);
        }else{
            RtlMoveMemory((PUCHAR)NtCreateSection,OriFuncHead,ulHeadLen);
        }
        _asm{//重启写保护
            push eax;
            mov eax,CR0Value;
            mov cr0,eax;
            pop eax;
            sti;
        }
        KeLowerIrql(Irql);


        return TRUE;
    }
  • 相关阅读:
    reStructuredText学习
    PYTHON编码处理-str与Unicode的区别
    如何参与一个GitHub开源项目?
    Boost库编译安装
    git push失败the remote end hung up unexpectedly
    VBox虚拟机安装debian
    debian设置英文模式
    python 使用json.dumps() 的indent 参数添加缩进空格数,格式化字符串后输出
    unittest之装饰器 @classmethod
    jmeter正则提取信息头数据
  • 原文地址:https://www.cnblogs.com/vcerror/p/4289157.html
Copyright © 2011-2022 走看看