// IDT Offset in ntoskrnl.exe
IDTr = (PKIDTRAWENTRY)( ((DWORD *)(INIT_Sex)) [0]); // Sexy line ^^
(DWORD)IDTr -= (DWORD)ImageBase;
(DWORD)IDTr += (DWORD)pMapping;
for(i=0;i<MAX_INTERRUPTION;i++,IDTr) {
if (IDTr[i].Type == GATE_TASK_16) strcpy(Type, "TaskG16 ");
else if (IDTr[i].Type == GATE_TASK_32) strcpy(Type, "TaskG32 ");
else if (IDTr[i].Type == GATE_INTERRUPT_32) strcpy(Type, "IntG32 ");
else if (IDTr[i].Type == GATE_INTERRUPT_16) strcpy(Type, "IntG16 ");
else if (IDTr[i].Type == GATE_TRAP_32) strcpy(Type, "TrapG32 ");
else if (IDTr[i].Type == GATE_TRAP_16) strcpy(Type, "TrapG16 ");
else strcpy(Type, "Reserved");
if(!(DWORD)IDTr[i].Offset)
IntAddr = 0;
else
IntAddr = ((DWORD)IDTr[i].Offset + KernelBaseAddr);
// ---------------------------------------
IdtRaw[i].Offset = IntAddr;
IdtRaw[i].Reserved = IDTr[i].Reserved;
IdtRaw[i].Type = IDTr[i].Type;
IdtRaw[i].Always0 = IDTr[i].Always0;
IdtRaw[i].Dpl = IDTr[i].Present;
IdtRaw[i].Selector = 0;
// ---------------------------------------
/*
printf("%04X %s %08X DPL=%x %-2s\n",
i,
Type,
IntAddr,
IDTr[i].Dpl,
IDTr[i].Present ? "P" : "NP"
);
*/
}
UnmapViewOfFile(pMapping);
CloseHandle(hMapping);
CloseHandle(hFile);
return TRUE;
}
// Opens \device\physicalmemory (through OpenPhysicalMemory, whose handle is
// kept in the file-scope hPhysMem) and maps one page of physical memory at
// the address derived from the running CPU's GDT base.
//
// Returns the user-mode virtual address of the mapping, or FALSE (0) on
// failure. The mapping and hPhysMem are released by CleanUp().
DWORD StartUp(void) {
DWORD PhysicalAddress, VirtualAddress, Lenght;
KGDT GDT;
PHYSICAL_ADDRESS pAddress;
NTSTATUS Status;
if(!(hPhysMem = OpenPhysicalMemory()))
return FALSE;
// Read the GDTR with SGDT. The stored image is a 16-bit limit followed by
// the 32-bit linear base, hence the +2 offset. MSVC inline assembly,
// 32-bit build only.
_asm {
sgdt [GDT]
mov eax, dword ptr [GDT+2]
mov dword ptr [PhysicalAddress], eax
}
// Sanity check: the GDT base is expected in the 0x80xxxxxx range. When it is
// not (the author attributes this to running under a VMM) only a message is
// printed and execution continues with the value read anyway, so the
// resulting mapping is unreliable in that case.
if((PhysicalAddress >> 24) != 0x80) {
printf("You are using a VMM(VMWare, VirtualPC,...) so I cannot get the GDT BaseAddr from ring3.\n");
}
// Translate the linear GDT base to a physical page address.
pAddress = GetPhysicalAddress(PhysicalAddress);
Lenght = 0x1000;      // one page; updated in place by NtMapViewOfSection below
VirtualAddress = 0;   // 0 lets the kernel pick the base of the view
// (HANDLE)-1 is the current-process pseudo handle. The view is mapped
// read/write; Lenght is passed both as commit size and as the in/out view size.
Status = NtMapViewOfSection(hPhysMem,
(HANDLE)-1,
(PVOID)&VirtualAddress,
0L,
Lenght,
&pAddress,
(PDWORD)&Lenght,
ViewShare,
0,
PAGE_READWRITE);
if(!NT_SUCCESS(Status)) {
printf("Cannot NtMapViewOfSection.");
NtClose(hPhysMem);
return FALSE;
}
return VirtualAddress;
}
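// Snapshots the live IDT (already mapped at VirtualAddress by StartUp) into
// IdtMem, one record per vector, for later comparison with the on-disk copy.
//
// IdtMem         - caller-provided array of MAX_INTERRUPTION entries, filled here.
// VirtualAddress - user-mode address of the mapped IDT page; the DWORD is
//                  reinterpreted as a pointer (32-bit build only).
// Returns TRUE; there is no failure path.
//
// The gate type (GATE_TASK_*, GATE_INTERRUPT_*, GATE_TRAP_*) is copied raw in
// .Type; a printable name can be derived from those constants when a debug
// dump is needed.
DWORD GetMemoryInterruption(PKIDTRAWENTRY IdtMem, DWORD VirtualAddress) {
PKIDTENTRY IDTm = (PKIDTENTRY)(VirtualAddress);
DWORD i;
for (i = 0; i < MAX_INTERRUPTION; i++) {
// Field-by-field copy of the gate descriptor. The handler address is kept
// as the raw OffsetLow/OffsetHigh pair; CompareInterruption reads .Offset.
IdtMem[i].Reserved   = IDTm[i].Reserved;
IdtMem[i].Type       = IDTm[i].Type;
IdtMem[i].Always0    = IDTm[i].Always0;
// NOTE(review): Dpl is filled from the Present bit. The on-disk path does
// the same and the comparison only looks at Offset, so the value is kept;
// it looks like a copy-paste slip rather than intent — confirm.
IdtMem[i].Dpl        = IDTm[i].Present;
IdtMem[i].Selector   = IDTm[i].Selector;
IdtMem[i].OffsetHigh = IDTm[i].OffsetHigh;
IdtMem[i].OffsetLow  = IDTm[i].OffsetLow;
}
return TRUE;
}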
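// Compares the on-disk IDT snapshot (IdtRaw) against the live one (IdtMem)
// and prints every vector whose handler address differs, attributing the
// live handler to the loaded kernel module whose image range contains it
// ("Unknow" when no module matches).
//
// IdtRaw - entries rebuilt from ntoskrnl.exe on disk (the reference).
// IdtMem - entries read from the running system's IDT.
// Returns the number of differing vectors, or FALSE (0) when the module list
// could not be obtained. A return of 0 is therefore ambiguous between "no
// differences" and "query failed"; the failure case also prints a diagnostic.
DWORD CompareInterruption(PKIDTRAWENTRY IdtRaw, PKIDTRAWENTRY IdtMem) {
ULONG cbBuffer = 0x8000;
LPVOID pBuffer = NULL;
NTSTATUS Status;
PSYSTEM_MODULE_INFORMATION pInfo;
DWORD i, j, Counter = 0;
// Fetch the loaded-module list, doubling the buffer until the kernel stops
// reporting STATUS_INFO_LENGTH_MISMATCH.
do {
pBuffer = HeapAlloc(GetProcessHeap(), 0, cbBuffer);
if (!pBuffer) {
printf("HeapAlloc\n");
return FALSE;
}
Status = NtQuerySystemInformation(SystemModuleInformation, pBuffer, cbBuffer, NULL);
if (Status == STATUS_INFO_LENGTH_MISMATCH) {
HeapFree(GetProcessHeap(), 0, pBuffer);
cbBuffer *= 2;
}
else if (Status != STATUS_SUCCESS) {
HeapFree(GetProcessHeap(), 0, pBuffer);
// Name the call that actually failed.
printf("NtQuerySystemInformation\n");
return FALSE;
}
} while (Status == STATUS_INFO_LENGTH_MISMATCH);
for (i = 0; i < MAX_INTERRUPTION; i++) {
int found = 0;
if (IdtRaw[i].Offset == IdtMem[i].Offset) {
continue;
}
Counter++;
// Walk the module records. The first record carries ModulesCount and each
// record is advanced with pInfo++; this relies on the project's
// SYSTEM_MODULE_INFORMATION layout, which is not visible here — confirm.
// Name/NameOffset/ImageSize are kernel-supplied and are used as-is.
pInfo = (PSYSTEM_MODULE_INFORMATION)pBuffer;
for (j = pInfo->ModulesCount; j > 0 && !found; j--) {
// Strict '>' means a handler exactly at ImageBaseAddress is not matched.
if (IdtMem[i].Offset > pInfo->ImageBaseAddress
&& IdtMem[i].Offset < (pInfo->ImageBaseAddress + pInfo->ImageSize)) {
printf("INT 0x%02X has been hooked at 0x%08X (Org INT = 0x%08X) by %s\n",
i,
IdtMem[i].Offset,
IdtRaw[i].Offset,
pInfo->Name + pInfo->NameOffset
);
found = 1;   // first matching module wins
}
pInfo++;
}
if (!found) {
printf("INT 0x%02X has been hooked at 0x%08X (Org INT = 0x%08X) by Unknow\n",
i,
IdtMem[i].Offset,
IdtRaw[i].Offset
);
}
}
// Release the module list on the success path too.
HeapFree(GetProcessHeap(), 0, pBuffer);
return Counter;
}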
// Tears down what StartUp created: unmaps the physical-memory view and
// closes the file-scope hPhysMem section handle.
//
// VirtualAddress - the mapping base returned by StartUp.
// Returns TRUE unconditionally; an unmap failure is only reported on stdout.
DWORD CleanUp(DWORD VirtualAddress) {
const NTSTATUS UnmapStatus = NtUnmapViewOfSection((HANDLE) -1, (PVOID)VirtualAddress);
if (!NT_SUCCESS(UnmapStatus)) {
printf("Unable to NtUnmapViewOfSection");
}
NtClose(hPhysMem);
return TRUE;
}
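// Queries the loaded-module list and takes the FIRST record as the kernel
// image: returns its load address and copies its path into the file-scope
// KernelPath buffer.
//
// Returns the kernel's ImageBaseAddress, or FALSE (0) if the list could not
// be obtained. The first-record-is-the-kernel assumption is not verified
// here (no name check on pInfo->Name).
DWORD GetKernelInformation(void) {
ULONG cbBuffer = 0x8000;
LPVOID pBuffer = NULL;
NTSTATUS Status;
DWORD BaseAddr;
PSYSTEM_MODULE_INFORMATION pInfo;
// Fetch the loaded-module list, doubling the buffer until the kernel stops
// reporting STATUS_INFO_LENGTH_MISMATCH.
do {
pBuffer = HeapAlloc(GetProcessHeap(), 0, cbBuffer);
if (!pBuffer) {
return FALSE;
}
Status = NtQuerySystemInformation(SystemModuleInformation, pBuffer, cbBuffer, NULL);
if (Status == STATUS_INFO_LENGTH_MISMATCH) {
HeapFree(GetProcessHeap(), 0, pBuffer);
cbBuffer *= 2;
}
else if (Status != STATUS_SUCCESS) {
HeapFree(GetProcessHeap(), 0, pBuffer);
return FALSE;
}
} while (Status == STATUS_INFO_LENGTH_MISMATCH);
pInfo = (PSYSTEM_MODULE_INFORMATION)pBuffer;
BaseAddr = pInfo->ImageBaseAddress;
// strncpy does not NUL-terminate when the source fills the whole count, so
// terminate explicitly rather than relying on KernelPath being zero-filled.
strncpy(KernelPath, pInfo->Name, sizeof(KernelPath) - 1);
KernelPath[sizeof(KernelPath) - 1] = '\0';
HeapFree(GetProcessHeap(), 0, pBuffer);
return BaseAddr;
}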
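// Resolves the ntdll entry points this tool calls through file-scope
// function pointers (NtQuerySystemInformation, NtOpenSection,
// NtMapViewOfSection, NtUnmapViewOfSection, NtClose, RtlInitUnicodeString,
// RtlNtStatusToDosError). The Nt* pointers are bound to the Zw* export names.
//
// Returns TRUE when every symbol resolved, FALSE at the first failure
// (pointers resolved before the failure stay assigned).
DWORD GetNtdllFunction(void) {
// One entry per pointer. Each target is written through a FARPROC* view so
// the assignment does not depend on the pointer's exact prototype.
struct { const char *name; FARPROC *slot; } imports[] = {
{ "ZwQuerySystemInformation", (FARPROC *)&NtQuerySystemInformation },
{ "ZwOpenSection",            (FARPROC *)&NtOpenSection },
{ "ZwMapViewOfSection",       (FARPROC *)&NtMapViewOfSection },
{ "ZwUnmapViewOfSection",     (FARPROC *)&NtUnmapViewOfSection },
{ "ZwClose",                  (FARPROC *)&NtClose },
{ "RtlInitUnicodeString",     (FARPROC *)&RtlInitUnicodeString },
{ "RtlNtStatusToDosError",    (FARPROC *)&RtlNtStatusToDosError },
};
size_t k;
// Resolve the module once: every LoadLibrary call bumps the module's
// reference count and nothing here releases it, so one call is enough.
HMODULE hNtdll = LoadLibrary("ntdll");
if (!hNtdll) {
return FALSE;
}
for (k = 0; k < sizeof imports / sizeof imports[0]; k++) {
*imports[k].slot = GetProcAddress(hNtdll, imports[k].name);
if (!*imports[k].slot) {
return FALSE;
}
}
return TRUE;
}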
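// Opens the \device\physicalmemory section for read/write mapping.
//
// The section is first opened with WRITE_DAC | READ_CONTROL, an access entry
// for the current user is merged into its DACL (InitializeUserAccess builds
// the EXPLICIT_ACCESS; it is defined elsewhere in this file), and the
// section is then re-opened with SECTION_MAP_READ | SECTION_MAP_WRITE.
//
// Returns the mapping handle, or FALSE (NULL) on any failure. The DACL
// handle, the security descriptor from GetSecurityInfo and the ACL from
// SetEntriesInAcl are released on every path.
//
// NOTE(review): the DACL change outlives this process; nothing in the file
// writes the original ACL (lpACL below) back. Saving it and restoring it in
// CleanUp would confine the grant to the tool's lifetime.
HANDLE OpenPhysicalMemory(void) {
NTSTATUS Status;
HANDLE hDacl = NULL;       // opened for WRITE_DAC | READ_CONTROL only
HANDLE hSection = NULL;    // opened for mapping; the value returned
UNICODE_STRING lpString;
OBJECT_ATTRIBUTES Attributes;
WCHAR lpName[] = L"\\device\\physicalmemory";
PACL lpACL = NULL, lpACLNew = NULL;
PSECURITY_DESCRIPTOR lpSecDesc = NULL;
EXPLICIT_ACCESS ExpAccess;
BYTE lpUserName[MAX_PATH];            // ANSI build assumed (passed to GetUserName)
DWORD dwNameSize = sizeof(lpUserName) - 1;
RtlInitUnicodeString(&lpString, lpName );
InitializeObjectAttributes(Attributes, &lpString, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
// Step 1: open with just enough access to read and rewrite the DACL.
Status = NtOpenSection(&hDacl, WRITE_DAC | READ_CONTROL, &Attributes );
if (!NT_SUCCESS(Status)) {
printf( "Cannot open \\device\\physicalmemory");
return FALSE;
}
// Step 2: current DACL. lpSecDesc owns the returned ACL and is LocalFree'd
// at 'out'.
if (GetSecurityInfo(hDacl, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL,
&lpACL, NULL, &lpSecDesc) != ERROR_SUCCESS) {
goto out;
}
// Step 3: build an entry for the current user and merge it into the DACL.
// A failed GetUserName would feed an uninitialised name into the ACE, so it
// is treated as fatal.
if (!GetUserName(lpUserName, &dwNameSize)) {
goto out;
}
InitializeUserAccess(ExpAccess, lpUserName);
if (SetEntriesInAcl(1, &ExpAccess, lpACL, &lpACLNew) != ERROR_SUCCESS) {
goto out;
}
if (SetSecurityInfo(hDacl, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL,
lpACLNew, NULL) != ERROR_SUCCESS) {
goto out;
}
// Step 4: the DACL handle has done its job; close it before opening the
// mapping handle rather than overwriting it.
NtClose(hDacl);
hDacl = NULL;
Status = NtOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &Attributes );
if (!NT_SUCCESS(Status)) {
printf( "Cannot open \\device\\physicalmemory");
hSection = NULL;
}
out:
if (lpACLNew) {
LocalFree(lpACLNew);
}
if (lpSecDesc) {
LocalFree(lpSecDesc);
}
if (hDacl) {
NtClose(hDacl);
}
return hSection ? hSection : FALSE;
}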
// Converts a 32-bit linear address (the GDT base read by StartUp) into the
// page-aligned physical address that StartUp maps.
//
// Addresses in [0x80000000, 0xA0000000) keep their low 29 bits — presumably
// the direct-mapped kernel window of a non-PAE x86 kernel, where
// physical = linear - 0x80000000 (confirm); every other address is masked
// with 0xFFFF000.
//
// NOTE(review): 0xFFFF000 has seven hex digits and so clears bits 28-31 as
// well as the page offset; confirm whether 0xFFFFF000 was intended.
PHYSICAL_ADDRESS GetPhysicalAddress(ULONG vAddress) {
const int inKernelWindow = (vAddress >= 0x80000000L && vAddress < 0xA0000000L);
const ULONGLONG mask = inKernelWindow ? 0x1FFFF000 : 0xFFFF000;
PHYSICAL_ADDRESS add;
add.QuadPart = (ULONGLONG) vAddress & mask;
return add;
}
// Prints the interactive command summary (quit, re-show, restore, help)
// to stdout.
// Returns TRUE unconditionally.
DWORD GetHelp(void) {
static const char HelpText[] =
"Help:\n"
"\tq :quit\n"
"\ts :reshow list of modified interrupt\n"
"\tr X :restore interruption X in IDT(sample: r 0xA1)\n"
"\th :show this help\n"
"\n";
fputs(HelpText, stdout);
return TRUE;
}