/*
 * System service table indices of the Zw* routines this driver hooks,
 * presumably passed as ServiceIDNumber to HookSystemServiceByIndex().
 * NOTE(review): hard-coded service indices are only valid for the kernel
 * build they were taken from; this header also declares
 * FindZwFunctionIndex()/FindSystemServiceNumber() for a runtime lookup, so
 * confirm which of the two is authoritative before relying on these values
 * on a different OS build.
 */
#define ZW_DELETE_FILE_INDEX 66
#define ZW_DELETE_KEY_INDEX 67
#define ZW_FIND_ATOM_INDEX 81
#define ZW_LOAD_DRIVER_INDEX 103
#define ZW_MAPVIEW_SECTION_INDEX 115
#define ZW_OPEN_DIRECTORYOBJECT_INDEX 121
#define ZW_OPEN_EVENT_INDEX 122
#define ZW_OPEN_EVENT_PAIR_INDEX 123
#define ZW_OPEN_FILE_INDEX 124
#define ZW_OPEN_JOBOBJECT_INDEX 126
#define ZW_OPEN_KEY_INDEX 127
#define ZW_OPEN_MUTANT_INDEX 129
#define ZW_OPEN_PROCESS_INDEX 131
#define ZW_OPEN_SECTION_INDEX 134
#define ZW_OPEN_SEMAPHORE_INDEX 135
#define ZW_OPEN_SYMLINK_INDEX 136
#define ZW_OPEN_THREAD_INDEX 137
#define ZW_OPEN_TIMER_INDEX 140
#define ZW_QUERY_ATTRIBUTES_FILE_INDEX 148
#define ZW_QUERY_DIRECTORYFILE_INDEX 154
#define ZW_QUERY_FULLATTR_FILE_INDEX 159
#define ZW_QUERY_VALUE_KEY_INDEX 189
#define ZW_SECURECONNECT_PORT_INDEX 223
#define ZW_SET_INFO_FILE_INDEX 238
#define ZW_SET_INFO_TOKEN_INDEX 244
#define ZW_SET_LDT_ENTRIES_INDEX 247
#define ZW_SET_SYSTEM_INFORMATION_INDEX 254
#define ZW_SET_SYSTEM_TIME_INDEX 256
#define ZW_SET_TIMER_RESOLUTION_INDEX 259
#define ZW_SET_VALUE_KEY_INDEX 261
#define ZW_UNLOAD_DRIVER_INDEX 276
#define ZW_VDM_CONTROL_INDEX 283
/*
* make sure we don't try to unload the driver while a system call is in progress
* still not atomic but we shouldn't be unloading this driver in any case
*/
#if DBG
/* Checked build only: number of hook routines currently executing. */
extern int HookedRoutineRunning;
/*
 * Opens every hook routine: declares the rc/Action locals that the
 * POLICY_CHECK_* and HOOK_ROUTINE_FINISH* macros below rely on, and bumps the
 * in-flight counter. Since it declares variables it presumably has to be the
 * first thing in the routine body under C89 rules.
 * NOTE(review): InterlockedIncrement() takes a LONG volatile *; declaring the
 * counter as int relies on int and LONG being interchangeable here — consider
 * declaring it LONG where it is defined.
 */
#define HOOK_ROUTINE_ENTER() NTSTATUS rc; ACTION_TYPE Action; InterlockedIncrement(&HookedRoutineRunning);
/* Counterpart of HOOK_ROUTINE_ENTER(): drops the counter and returns status from the hook routine. */
#define HOOK_ROUTINE_EXIT(status) { InterlockedDecrement(&HookedRoutineRunning); return ((status)); }
/* Same pair for the TDI hooks, with their own counter. */
extern int HookedTDIRunning;
#define HOOK_TDI_ENTER() NTSTATUS rc; ACTION_TYPE Action; InterlockedIncrement(&HookedTDIRunning);
/* Counter-only variant, presumably for routines that declare rc/Action themselves. */
#define HOOK_TDI_ENTER_NORC() InterlockedIncrement(&HookedTDIRunning);
#define HOOK_TDI_EXIT(status) { InterlockedDecrement(&HookedTDIRunning); return ((status)); }
#else
/*
 * Free build: no in-flight counters exist at all, so the unload guard
 * described above is only present in checked builds. The macros reduce to
 * the local declarations and a plain return.
 */
#define HOOK_ROUTINE_ENTER() NTSTATUS rc; ACTION_TYPE Action;
#define HOOK_ROUTINE_EXIT(status) { return ((status)); }
#define HOOK_TDI_ENTER() NTSTATUS rc; ACTION_TYPE Action;
#define HOOK_TDI_ENTER_NORC()
#define HOOK_TDI_EXIT(status) { return ((status)); }
#endif
/*
* Various macros used by most of the hooking routines
*/
/*
 * POLICY_CHECK_OPTYPE_NAME(OBJECTTYPE, OPTYPE)
 * Policy check for hooks that fill the OBJECTTYPE##NAME buffer themselves
 * (the GetPathFromOA() call in the ask branch is commented out). Expands
 * inside a hook routine and uses these names from that scope: FunctionName,
 * Action (declared by HOOK_ROUTINE_ENTER()) and OBJECTTYPE##NAME.
 * Only requests arriving from user mode are checked; a kernel-mode caller
 * skips the whole block. The while/break pair is a single-pass scope that
 * lets the body declare locals and still return from the enclosing routine
 * through HOOK_ROUTINE_EXIT().
 * Outcome of PolicyCheck() (or of the user's answer when ACTION_ASK is set):
 *   ACTION_QUIETDENY  return STATUS_ACCESS_DENIED without raising an alert
 *   ACTION_DENY       LogAlert(), then return STATUS_ACCESS_DENIED
 *   ACTION_LOG        LogAlert() and carry on with the hook routine
 *   anything else     carry on with the hook routine
 */
#define POLICY_CHECK_OPTYPE_NAME(OBJECTTYPE, OPTYPE) \
while (KeGetPreviousMode() == UserMode) { \
UCHAR OpType = (OPTYPE); \
PWSTR PolicyFilename = NULL; \
USHORT PolicyLinenumber = 0; \
UCHAR RuleNumber = 0; \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
/* RuleNumber/PolicyFilename/PolicyLinenumber are filled by PolicyCheck(), presumably identifying the matching rule; they are only used for the alert */ \
Action = PolicyCheck(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OpType, &RuleNumber, &PolicyFilename, &PolicyLinenumber);\
/* ACTION_ASK: hand the decision to the user-mode component; its answer replaces Action */ \
if (Action & ACTION_ASK) \
{ \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: (ask) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
/*XXX GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);*/ \
Action = IssueUserlandAskUserRequest(RULE_##OBJECTTYPE, OpType, OBJECTTYPE##NAME); \
} \
/* QUIETDENY is matched as a full mask (presumably it includes the DENY bit), so it is tested before plain DENY */ \
if ((Action & ACTION_QUIETDENY) == ACTION_QUIETDENY) \
{ \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: quitely denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); \
} \
else if (Action & ACTION_DENY) \
{ \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action, \
GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); \
} \
else if (Action & ACTION_LOG) \
{ \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: (log) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action, \
GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
} \
/* unconditional: the loop runs exactly once */ \
break; \
}
/*
 * POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE)
 * Same decision logic as POLICY_CHECK_OPTYPE_NAME(), but the object name is
 * taken from the routine's ObjectAttributes argument: GetPathFromOA() with
 * RESOLVE_LINKS fills OBJECTTYPE##NAME as part of the condition, and the
 * ask/deny/log branches re-read it with DO_NOT_RESOLVE_LINKS, presumably so
 * the user-facing text shows the path as the caller spelled it.
 * NOTE(review): the check is only applied when GetPathFromOA() succeeds; a
 * user-mode request whose object name cannot be resolved continues
 * unchecked (fail-open). Confirm that is the intended policy.
 * NOTE(review): the name is read from the caller-supplied ObjectAttributes
 * here and the real service reads ObjectAttributes again after the decision;
 * unless GetPathFromOA() works from a probed, captured copy, the two reads
 * can observe different contents (double fetch) — confirm how it handles
 * user-mode buffers.
 */
#define POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE) \
if (KeGetPreviousMode() == UserMode && GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS) )\
{ \
UCHAR OpType = (OPTYPE); \
PWSTR PolicyFilename = NULL; \
USHORT PolicyLinenumber = 0; \
UCHAR RuleNumber = 0; \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
/* RuleNumber/PolicyFilename/PolicyLinenumber are filled by PolicyCheck(), presumably identifying the matching rule; they are only used for the alert */ \
Action = PolicyCheck(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OpType, &RuleNumber, &PolicyFilename, &PolicyLinenumber);\
/* ACTION_ASK: hand the decision to the user-mode component; its answer replaces Action */ \
if (Action & ACTION_ASK) \
{ \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: (ask) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS); \
Action = IssueUserlandAskUserRequest(RULE_##OBJECTTYPE, OpType, OBJECTTYPE##NAME); \
} \
/* QUIETDENY is matched as a full mask (presumably it includes the DENY bit), so it is tested before plain DENY */ \
if ((Action & ACTION_QUIETDENY) == ACTION_QUIETDENY) \
{ \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: quitely denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); \
} \
else if (Action & ACTION_DENY) \
{ \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS); \
LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action, \
GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); \
} \
else if (Action & ACTION_LOG) \
{ \
LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: (log) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS); \
LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action, \
GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
} \
}
/* Policy check whose operation type is derived from the routine's DesiredAccess argument via Get_<OBJECTTYPE>_OperationType(). */
#define POLICY_CHECK(OBJECTTYPE) POLICY_CHECK_OPTYPE(OBJECTTYPE, Get_##OBJECTTYPE##_OperationType(DesiredAccess))
/*
 * HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, OPTYPE)
 * Prologue of a hook routine: declares the MAX_PATH name buffer that
 * GetPathFromOA() fills and the rc/Action locals (HOOK_ROUTINE_ENTER()),
 * then runs the policy check unless the driver is in learning mode.
 * Because it declares variables and then executes statements, it
 * presumably has to be the first thing in the routine body (C89 rules).
 * Note that with LearningMode set no policy is enforced at all; the
 * matching HOOK_ROUTINE_FINISH* macro records rules instead.
 */
#define HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, OPTYPE) \
CHAR OBJECTTYPE##NAME[MAX_PATH]; \
HOOK_ROUTINE_ENTER(); \
if (LearningMode == FALSE) \
{ \
POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE); \
}
/* Prologue for the common case: operation type derived from DesiredAccess. */
#define HOOK_ROUTINE_START(OBJECTTYPE) HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, Get_##OBJECTTYPE##_OperationType(DesiredAccess))
/*
 * HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, OBJECTNAME, OPTYPE)
 * Epilogue of a hook routine: in learning mode record a rule for the object
 * just accessed, then return rc (presumably the status the real service
 * produced) through HOOK_ROUTINE_EXIT(). OBJECTNAME is an expression
 * evaluated as the condition; the two wrappers below pass a GetPathFromOA()
 * call whose side effect fills OBJECTTYPE##NAME, so a rule is only added
 * when the name could be resolved. HOOK_ROUTINE_START* enforces only when
 * LearningMode == FALSE and this records only when it is TRUE.
 * NOTE(review): the NT_SUCCESS(rc) test is commented out, so rules are also
 * learned from calls the real service rejected — confirm this is intended.
 */
#define HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, OBJECTNAME, OPTYPE) \
if (LearningMode == TRUE /*&& NT_SUCCESS(rc)*/) \
{ \
if (OBJECTNAME) \
{ \
AddRule(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OPTYPE); \
} \
else \
{ \
/* intentionally empty: the diagnostic below was disabled */ \
/*LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: GetPathFromOA() failed. status=%x\n", (ULONG) PsGetCurrentProcessId(), FunctionName, rc));*/ \
} \
} \
HOOK_ROUTINE_EXIT(rc);
/* Epilogue for hooks with an explicit operation type; the name is taken from ObjectAttributes with links resolved. */
#define HOOK_ROUTINE_FINISH_OPTYPE(OBJECTTYPE, OPTYPE) \
HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, \
GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS), \
OPTYPE)
/* Epilogue for the common case: operation type derived from DesiredAccess. */
#define HOOK_ROUTINE_FINISH(OBJECTTYPE) \
HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, \
GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS), \
Get_##OBJECTTYPE##_OperationType(DesiredAccess))
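//#define USE_DEFAULT_HOOK_FUNCTION NULL
/* Base of the ntdll image; presumably what FindZwFunctionIndex() searches — confirm in the definition. */
extern PCHAR NTDLL_Base;
/* Number of Zw* services the driver knows about; presumably the table size — confirm in the definition. */
extern int ZwCallsNumber;
/*
 * Replace the service table entry currently pointing at OldService with
 * NewService. Returns a PVOID, presumably the entry that was replaced so
 * the caller can restore it — confirm in the definition.
 */
PVOID HookSystemService(PVOID OldService, PVOID NewService);
/* As HookSystemService(), but the entry is addressed by its table index (see the ZW_*_INDEX constants). */
PVOID HookSystemServiceByIndex(ULONG ServiceIDNumber, PVOID NewService);
/* As HookSystemService(), but the entry is addressed by service name; BOOLEAN result, presumably FALSE when the hook could not be installed — confirm. */
BOOLEAN HookSystemServiceByName(PCHAR ServiceName, PULONG_PTR HookFunction);
/*
 * Driver-lifetime entry points. Declared with explicit (void) prototypes
 * rather than empty parentheses so that a call with stray arguments is
 * diagnosed instead of silently accepted.
 */
BOOLEAN InitSyscallsHooks(void);
BOOLEAN InstallSyscallsHooks(void);
void RemoveSyscallsHooks(void);
/* Look up the service index of the named Zw* routine; returns int, presumably negative when not found — confirm. */
int FindZwFunctionIndex(PCSTR Name);
/* Resolve the named export inside the image loaded at ImageBase. */
PVOID FindFunctionBase(PCHAR ImageBase, PCSTR Name);
/* Resolve a service name to its service number. */
ULONG FindSystemServiceNumber(PCHAR ServiceName);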
#endif /* __HOOKPROC_H__ */