📄 内核级利用通用hook函数方法检测进程.html
字号:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>内核级利用通用Hook函数方法检测进程 </title><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><meta name="Keywords" content="安全焦点, xfocus, 陷阱网络, honeynet, honeypot, 调查取证, forensic, 入侵检测, intrusion detection, 无线安全, wireless security, 安全论坛, security forums, 安全工具, security tools, 攻击程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培训, security training, 安全帮助, security help, 安全标准, security standards, 安全代码, security code, 安全资源, security resources, 安全编程, security programming, 加密, cryptography,进程" /><link rel="stylesheet" href="../../css/plone.css" type="text/css"></head><body bgcolor="#FFFFFF" text="#000000"><div class="top"> <div class="searchBox"> <form name="searchform" action="http://www.google.com/search" method="get"> <input type="hidden" name="domains" value="www.xfocus.net"> <input type="hidden" name="sitesearch" value="www.xfocus.net"> <input type="text" name="q" size="20"> <input type="submit" name="btnG" value="Google Search"> </form> </div> <img src="../../images/logo.gif" border="0" width="180" height="80" alt="xfocus logo"> <img src="../../images/title.gif" border="0" width="230" height="20" alt="xfocus title"></div><div class="tabs"> <a href="../../index.html" class="plain">首页</a> <a href="../../releases/index.html" class="plain">焦点原创</a> <a href="../../articles/index.html" class="selected">安全文摘</a> <a href="../../tools/index.html" class="plain">安全工具</a> <a href="../../vuls/index.html" class="plain">安全漏洞</a> <a href="../../projects/index.html" class="plain">焦点项目</a> <a href="https://www.xfocus.net/bbs/index.php?lang=cn" class="plain">焦点论坛</a> <a href="../../about/index.html" class="plain">关于我们</a></div><div class="personalBar"> <a href='https://www.xfocus.net/php/add_article.php'>添加文章</a> <a href='http://www.xfocus.org/'>English Version</a></div><table class="columns">
<tr>
<td class="left">
<div class="box">
<h5> 文章分类 </h5>
<div class="body">
<div class="content odd">
<div style="white-space: nowrap;">
<img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/4.html'>专题文章</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/2.html'>漏洞分析</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/3.html'>安全配置</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/1.html'>黑客教学</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/5.html'><b>编程技术 <<</b></a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/7.html'>工具介绍</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/6.html'>火墙技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/8.html'>入侵检测</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/9.html'>破解专题</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/11.html'>焦点公告</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/12.html'>焦点峰会</a><br>
</div>
</div>
</div>
</div>
<div class="box">
<h5> 文章推荐 </h5>
<div class="body">
<div class="content odd">
<img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200408/733.html'>补丁管理最佳安全实践之资产评估</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200404/689.html'>国内网络安全风险评估市场与技术操作</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200410/743.html'>协作的信息系统风险评估</a><br>
</div>
</div>
</div>
</td>
<td class="main">
<h1>内核级利用通用Hook函数方法检测进程</h1><br>创建时间:2005-05-10<br>文章属性:原创<br>文章提交:<a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=43883'>LionD8</a> (liond8_at_126.com)<br><br>内核级利用通用Hook函数方法检测进程<br />
作者: LionD8<br />
QQ: 10415468<br />
Email: LionD8@126.com<br />
Blog: <a href='http://blog.csdn.net/LionD8 ' target='_blank'>http://blog.csdn.net/LionD8 </a> or <a href='http://liond8.126.com' target='_blank'>http://liond8.126.com</a><br />
<br />
介绍通用Hook的一点思想:<br />
在系统内核级中,MS的很多信息都没公开,包括函数的参数数目,每个参数的类型等。在系统内核中,访问了大量的寄存器,而很多寄存器的值,是上层调用者提供的。如果值改变系统就会变得不稳定。很可能出现不可想象的后果。另外有时候对需要Hook的函数的参数不了解,所以不能随便就去改变它的堆栈,如果不小心也有可能导致蓝屏。所以Hook的最佳原则是在自己的Hook函数中呼叫原函数的时候,所有的寄存器值,堆栈里面的值和Hook前的信息一样。这样就能保证在原函数中不会出错。一般我们自己的Hook的函数都是写在C文件里面的。例如Hook的目标函数KiReadyThread。<br />
那么一般就自己实现一个:<br />
MyKiReadyThread(...)<br />
{<br />
......<br />
call KiReadyThread<br />
......<br />
}<br />
但是用C编译器编译出来的代码会出现一个堆栈帧: <br />
Push ebp<br />
mov ebp,esp<br />
这就和我们的初衷不改变寄存器的数违背了。所以我们可以自己用汇编来实现MyKiReadyThread。<br />
<br />
_func@0 proc<br />
pushad ;保存通用寄存器<br />
call _cfunc@0 ;这里是在进入原来函数前进行的一些处理。<br />
popad ;恢复通用寄存器<br />
push eax <br />
mov eax,[esp+4] ;得到系统在call 目标函数时入栈的返回地址。<br />
mov ds:_OrgRet,eax ;保存在一个临时变量中<br />
pop eax<br />
mov [esp],retaddr ;把目标函数的返回地址改成自己的代码空间的返回地址,使其返回 后能接手继续的处理<br />
jmp _OrgDestFunction ;跳到原目标函数中<br />
retaddr:<br />
pushad ;原函数处理完后保存寄存器<br />
call _HookDestFunction@0 ;再处理<br />
popad ;回复寄存器<br />
jmp ds:_OrgRet ;跳到系统调用目标函数的下一条指令。<br />
_func@0 endp<br />
<br />
当我们要拦截目标API的时候,只要修改原函数头5个字节的机器为一个JMP _func就行了。<br />
然后把原来的5字节保存。在跳入原函数时,恢复那5个字节即可。<br />
<br />
Hook KiReadyThread检测系统中的进程:<br />
在线程调度抢占的的时候会调用KiReadyThread,它的原型为<br />
VOID FASTCALL KiReadyThread (IN PRKTHREAD Thread)<br />
在进入KiReadyThread时,ecx指向Thread。<br />
所以完全可以Hook KiReadyThread 然后用ecx的值得到但前线程的进程信息。<br />
KiReadyThread没被ntosknrl.exe导出,所以通过硬编码来。在2000Sp4中地址为0x8043141f<br />
<br />
具体实现:<br />
////////////////////////////////<br />
// 1.cpp<br />
////////////////////////////////<br />
#ifdef __cplusplus<br />
extern "C" {<br />
#endif <br />
<br />
#include "ntddk.h"<br />
#include "string.h"<br />
#include "ntifs.h"<br />
#include "stdio.h"<br />
<br />
#define FILE_DEVICE_EVENT 0x8000<br />
<br />
#define IOCTL_PASSBUF \<br />
CTL_CODE(FILE_DEVICE_EVENT, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)<br />
<br />
void DriverUnload (IN PDRIVER_OBJECT pDriverObject);<br />
<br />
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);<br />
<br />
void cfunc ();<br />
<br />
void HookDestFunction();<br />
NTSTATUS DeviceIoControlDispatch(IN PDEVICE_OBJECT DeviceObject,<br />
IN PIRP pIrp);<br />
extern void func();<br />
<br />
void ResumeDestFunction();<br />
<br />
const WCHAR devLink[] = L"\\??\\MyEvent";<br />
const WCHAR devName[] = L"\\Device\\MyEvent";<br />
UNICODE_STRING devNameUnicd;<br />
UNICODE_STRING devLinkUnicd; <br />
<br />
ULONG OrgDestFunction = (ULONG)0x8043141f; //KiReadyThread<br />
<br />
char JmpMyCode [] = {0xE9,0x00,0x00,0x00,0x00};<br />
char OrgCode [5];<br />
<br />
char OutBuf[128][16];<br />
<br />
int Count = 0;<br />
<br />
ULONG orgcr0;<br />
#ifdef __cplusplus<br />
}<br />
#endif<br />
<br />
VOID DisableWriteProtect( PULONG pOldAttr)<br />
{<br />
<br />
ULONG uAttr;<br />
<br />
_asm<br />
{<br />
push eax;<br />
mov eax, cr0;<br />
mov uAttr, eax;<br />
and eax, 0FFFEFFFFh; // CR0 16 BIT = 0<br />
mov cr0, eax;<br />
pop eax;<br />
};<br />
<br />
*pOldAttr = uAttr; //保存原有的 CRO 属性<br />
<br />
}<br />
<br />
VOID EnableWriteProtect( ULONG uOldAttr )<br />
{<br />
<br />
_asm<br />
{<br />
push eax;<br />
mov eax, uOldAttr; //恢复原有 CR0 属性<br />
mov cr0, eax;<br />
pop eax;<br />
};<br />
<br />
}<br />
<br />
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)<br />
{<br />
NTSTATUS Status;<br />
PDEVICE_OBJECT pDevice;<br />
<br />
DbgPrint("DriverEntry called!\n");<br />
RtlInitUnicodeString (&devNameUnicd, devName );<br />
RtlInitUnicodeString (&devLinkUnicd, devLink );<br />
Status = IoCreateDevice ( pDriverObject,<br />
0,<br />
&devNameUnicd,<br />
FILE_DEVICE_UNKNOWN,<br />
0,<br />
TRUE,<br />
&pDevice );<br />
if( !NT_SUCCESS(Status)) <br />
{<br />
DbgPrint(("Can not create device.\n"));<br />
return Status;<br />
}<br />
Status = IoCreateSymbolicLink (&devLinkUnicd, &devNameUnicd);<br />
if( !NT_SUCCESS(Status)) <br />
{<br />
DbgPrint(("Cannot create link.\n"));<br />
return Status;<br />
}<br />
pDriverObject->DriverUnload = DriverUnload; <br />
pDriverObject->MajorFunction[IRP_MJ_CREATE] = <br />
pDriverObject->MajorFunction[IRP_MJ_CLOSE] =<br />
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControlDispatch;<br />
<br />
pDriverObject->DriverUnload = DriverUnload;<br />
* ( (ULONG*) (JmpMyCode+1) ) = (ULONG)func - (ULONG)OrgDestFunction - 5;<br />
memcpy(OrgCode,(char*)OrgDestFunction,5);<br />
HookDestFunction();<br />
<br />
return STATUS_SUCCESS;<br />
}<br />
<br />
void DriverUnload (IN PDRIVER_OBJECT pDriverObject)<br />
{<br />
NTSTATUS status;<br />
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -