</SPAN></SPAN></DL></DIV></DIV></DIV>
<DIV id=csdnblog_content>
<DIV class=gutter>
<DIV class=default_contents>
<DIV class=user_article>
<H1>[Repost] <A
href="http://blog.csdn.net/CDrea/archive/2006/04/05/652174.aspx">Simple Hooking
of Functions not Exported by Ntoskrnl.exe</A></H1>
<DIV class=blogstory>
<SPAN class=edgeatitle><FONT size=+3>Simple Hooking of Functions not Exported by
Ntoskrnl.exe</FONT></SPAN><BR> <SPAN class=edgeatext>By: <A
href="http://www.marseglia.org/index.pl/7_months?proxiedUrl=http%3A%2F%2Fwww.rootkit.com%2Fuser.php%3Fname%3Dgareth&wid=51&func=view"><FONT
color=#4682b4>gareth</FONT></A>
<P> </P></SPAN><SPAN class=edgeatext>As many of you will know, hooking
functions not exported by ntoskrnl.exe is a real pain, as you need to hard-code
their position in KeServiceDescriptorTable, and this changes between Windows
releases.<BR><BR>Hard-coding the positions seems a poor solution, since it means
that after a new service pack the rootkit may no longer work and may be
discovered.<BR><BR>As I have found the code on this site extremely helpful, I
think it is only fair that I return the favour ;-)<BR><BR>I have implemented the
method described in previous posts: I map a view of ntdll.dll
into the process space of whoever loads the driver initially, and then retrieve
the required function positions directly from the DLL.<BR><BR>This was
relatively simple to do, and only requires knowledge of the PE file format and
a few undocumented APIs.<BR><BR>Using the function pasted below, when hooking
you simply do as follows:<BR><BR>
<PRE><CODE>
RtlInitUnicodeString(&dllName,
    L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll");
functionAddress = GetDllFunctionAddress(functionName, &dllName);
if (functionAddress == 0)
    return STATUS_UNSUCCESSFUL;             // DLL could not be mapped, or name not exported

// The x86 ntdll stub begins with "mov eax, imm32" (B8 xx xx xx xx);
// the service index is the immediate that follows the opcode byte.
position = *((WORD*)(functionAddress + 1));

g_OriginalZwCreateProcessEx =
    (ZWCREATEPROCESSEX)(KeServiceDescriptorTable.ServiceTableBase[position]);
</CODE></PRE>
and here's the function GetDllFunctionAddress:<BR><BR>
<PRE><CODE>
// Maps a view of pDllName into the current process, walks its export directory and
// returns the address of lpFunctionName inside that view (0 on failure).
// The view is deliberately left mapped: the caller reads the stub through the returned
// pointer, and should ZwUnmapViewOfSection(NtCurrentProcess(), base) once it is done.
DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName)
{
    HANDLE hSection = NULL, hFile = NULL;
    IMAGE_DOS_HEADER* dosheader;
    IMAGE_OPTIONAL_HEADER* opthdr;
    IMAGE_EXPORT_DIRECTORY* pExportTable;
    DWORD* arrayOfFunctionAddresses;
    DWORD* arrayOfFunctionNames;
    WORD* arrayOfFunctionOrdinals;
    DWORD x, functionIndex, functionAddress = 0;
    char* functionName;
    STRING ntFunctionName, ntFunctionNameSearch;
    PVOID BaseAddress = NULL;
    SIZE_T size = 0;
    NTSTATUS status;
    OBJECT_ATTRIBUTES oa = { sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE };
    IO_STATUS_BLOCK iosb;

    status = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb,
                        FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(status))
        return 0;

    // SEC_IMAGE maps the file with its sections laid out as the loader would, so the
    // RVAs in the export directory can be added straight to the base of the view.
    oa.ObjectName = 0;
    status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,
                             PAGE_EXECUTE, SEC_IMAGE, hFile);
    ZwClose(hFile);                         // the section holds its own file reference
    if (!NT_SUCCESS(status))
        return 0;

    status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000,
                                0, &size, ViewShare, MEM_TOP_DOWN, PAGE_READWRITE);
    ZwClose(hSection);                      // closing the handle does not unmap the view
    if (!NT_SUCCESS(status))
        return 0;

    dosheader = (IMAGE_DOS_HEADER*)BaseAddress;
    // IMAGE_NT_HEADERS = Signature (4) + IMAGE_FILE_HEADER (20) + IMAGE_OPTIONAL_HEADER
    opthdr = (IMAGE_OPTIONAL_HEADER*)((BYTE*)BaseAddress + dosheader->e_lfanew + 24);
    pExportTable = (IMAGE_EXPORT_DIRECTORY*)((BYTE*)BaseAddress +
        opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

    // Every field of the export directory is an RVA, converted to an address by
    // adding the base of the view.
    arrayOfFunctionAddresses = (DWORD*)((BYTE*)BaseAddress + pExportTable->AddressOfFunctions);
    arrayOfFunctionNames     = (DWORD*)((BYTE*)BaseAddress + pExportTable->AddressOfNames);
    arrayOfFunctionOrdinals  = (WORD*) ((BYTE*)BaseAddress + pExportTable->AddressOfNameOrdinals);

    RtlInitString(&ntFunctionNameSearch, lpFunctionName);

    // AddressOfNames and AddressOfNameOrdinals are parallel arrays of NumberOfNames
    // entries; NumberOfFunctions may be larger (exports by ordinal only), so it must
    // not be used as the bound here.
    for (x = 0; x < pExportTable->NumberOfNames; x++)
    {
        functionName = (char*)((BYTE*)BaseAddress + arrayOfFunctionNames[x]);
        RtlInitString(&ntFunctionName, functionName);
        if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) != 0)
            continue;

        // This is the part that trips people up: the function pointer is not
        // arrayOfFunctionAddresses[x]. The name ordinal is an unbiased (zero-based)
        // index into AddressOfFunctions; the export Base is NOT added to it.
        functionIndex = arrayOfFunctionOrdinals[x];
        if (functionIndex >= pExportTable->NumberOfFunctions)
            break;                          // corrupt export table
        functionAddress = (DWORD)((BYTE*)BaseAddress + arrayOfFunctionAddresses[functionIndex]);
        break;
    }

    if (functionAddress == 0)
        ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
    return functionAddress;
}
</CODE></PRE>
Hopefully this will be useful to you.</SPAN>
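The export-directory walk and stub decoding the post relies on, as an added example that is not the post's or rootkit.com's code: plain user-mode C over a constructed in-memory image, so the name-to-index pairing and the "mov eax, imm32" check can be verified without a driver (the same pairing an SSDT-integrity checker uses to match a service index back to its ntdll export name). The layout, the Base of 8 and the indices 0x2F and 0x19 are constructed; ntdll's real values are not assumed.

```c
#include <stdint.h>
#include <string.h>

/* Export-directory fields the lookup needs (same meaning as in IMAGE_EXPORT_DIRECTORY). */
typedef struct {
    uint32_t Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions;    /* RVA of uint32_t[NumberOfFunctions]: function RVAs */
    uint32_t AddressOfNames;        /* RVA of uint32_t[NumberOfNames]: name RVAs        */
    uint32_t AddressOfNameOrdinals; /* RVA of uint16_t[NumberOfNames]: unbiased indexes */
} ExportDir;
/* Little-endian read of n (<= 4) bytes, the byte order PE fields are stored in. */
static uint32_t le(const uint8_t *p, int n) { uint32_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }
/* names[i] pairs with ordinals[i], a zero-based index into functions[]: Base is never
   added, and the loop is bounded by NumberOfNames, not NumberOfFunctions. */
static int resolve_export(const uint8_t *img, size_t len, const ExportDir *ed,
                          const char *name, uint32_t *rva_out)
{
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        uint32_t nrva = le(img + ed->AddressOfNames + 4 * i, 4);
        if (nrva >= len || strcmp((const char *)img + nrva, name) != 0) continue;
        uint32_t idx = le(img + ed->AddressOfNameOrdinals + 2 * i, 2);
        if (idx >= ed->NumberOfFunctions) return -1;            /* corrupt table */
        *rva_out = le(img + ed->AddressOfFunctions + 4 * idx, 4);
        return *rva_out < len ? 0 : -1;
    }
    return -1;                                                  /* not exported by name */
}
/* Service index from an x86 ntdll-style stub, B8 imm32 = "mov eax, imm32". Reading blindly
   at stub+1, as the post does, would misreport anything that is not such a stub. */
static long syscall_index(const uint8_t *s, size_t n) { return (n >= 5 && s[0] == 0xB8) ? (long)le(s + 1, 4) : -1; }
/* Constructed stand-in for a mapped image: three functions at RVA 0x80/0x90/0xA0, two of
   them exported by name; Base = 8 shows that Base plays no part in the indexing. */
static const ExportDir sample_dir = { 8, 3, 2, 0x00, 0x10, 0x20 };
static const uint8_t sample_img[256] = {
    [0x00] = 0x80, [0x04] = 0x90, [0x08] = 0xA0,   /* AddressOfFunctions[3] */
    [0x10] = 0x30, [0x14] = 0x40,                  /* AddressOfNames[2], sorted */
    [0x20] = 2, [0x22] = 0,                        /* AddressOfNameOrdinals[2] */
    [0x30] = 'Z','w','C','l','o','s','e',
    [0x40] = 'Z','w','C','r','e','a','t','e','P','r','o','c','e','s','s','E','x',
    [0x80] = 0xB8, 0x2F,                           /* mov eax, 0x2F (constructed) */
    [0xA0] = 0xB8, 0x19,                           /* mov eax, 0x19 (constructed) */
};
/* Name -> service index the way the post does it, with the checks added; -1 on failure. */
static long service_index_for(const char *name)
{
    uint32_t rva;
    if (resolve_export(sample_img, sizeof sample_img, &sample_dir, name, &rva) != 0) return -1;
    return syscall_index(sample_img + rva, sizeof sample_img - rva);
}
```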
<P class="right articalinfo">Posted on <A title=permalink
href="http://blog.csdn.net/CDrea/archive/2006/04/05/652174.aspx">2006-04-05
23:54:00</A></P>
</DIV>
</DIV>
<DIV class=commentslist><SPAN id=Anthem_Post.ascx_Comments_ltlComments__><SPAN
id=Post.ascx_Comments_ltlComments>
<DIV id=commentslist>
<H3>Comments</H3>
<DL class=question>
<DT><A
title="permalink: Re: Simple Hooking of Functions not Exported by Ntoskrnl.exe"
href="http://blog.csdn.net/cdrea/archive/2006/04/05/652174.aspx#435082">#</A><A
name=435082></A><A href="http://gxter.bokee.com/" target=_blank
rel=nofollow>Gxter</A> posted on 2006-04-19 10:40:00 IP:
218.249.119.*
<DD>Heh, I was pretty confused when I read this a few days ago. <BR>I just dug it out and read it again. <BR>It suddenly reminded me of a technique I used back when I was writing ring-3 API hooks: using the IAT to hook ring-3 APIs. <BR>I think the idea of this code is the same, using the IAT in ring 0 to modify what's in the system service table exported by Ntoskrnl.exe.
<BR><BR>I've been dealing with so much lately that I've half forgotten my old code. Haha</DD></DL></DIV></SPAN></SPAN></DIV>
</DIV></DIV></DIV>
<DIV id=pubfooter>
<DL>
<DT>
<DD>Csdn Blog version 3.1a
<DD>Copyright © CDrea </DD></DL>
</DIV></DIV>
</FORM>
</DIV></BODY></HTML>