📁 这是一个对U盘读写等操作控制的过滤驱动程序
#include "inlinehook.h"
#include "ade_asm.h"

/*
 * One installed inline hook. Returned by SetupInlineHook() as an opaque
 * handle and consumed by ClearInlineHook().
 */
typedef struct _INLINE_HOOK_ITEM
{
	PBYTE	HookAddress;		// hooked function; its first OrgBytesSize bytes hold the JMP FAR + NOP padding
	DWORD	OrgBytesSize;		// number of original bytes displaced by the hook (whole instructions, >= 7)
	PBYTE	HookBytes;			// trampoline: [InLineHookHead template][OrgBytesSize original bytes][7-byte JMP FAR back]
}INLINE_HOOK_ITEM, *PINLINE_HOOK_ITEM;

/*
 * Byte template for the first part of the trampoline. SetupInlineHook()
 * copies the bytes between InLineHookHead and InLineHookHeadEnd and patches
 * the two placeholder immediates:
 *   0xAAAAAAAA -> address of the relocated original prolog ("OrgFunction")
 *   0xBBBBBBBB -> NewAddress, the replacement function
 * Execution arrives here via the JMP FAR written at the hooked function.
 * The caller's return address is popped, OrgFunction is pushed beneath it,
 * the return address is pushed back, and control jumps to NewAddress -- so
 * the replacement function sees OrgFunction as its first stack argument
 * followed by the original arguments (register-passed arguments, if any,
 * are untouched).
 * Naked: no prolog/epilog, so the emitted bytes are exactly the sequence
 * below. x86-32 only (JMP FAR ptr16:32 via opcode 0xEA is invalid in
 * 64-bit mode).
 */
__declspec(naked) void InLineHookHead()
{
	__asm
	{
		POP EAX;					// EAX = return address of the hooked function's caller
		PUSH 0xAAAAAAAA;			// placeholder: PUSH OrgFunction (patched by SetupInlineHook)
		PUSH EAX;					// put the return address back on top of the stack
		_emit 0xea;					// JMP FAR 0008:0xBBBBBBBB -> NewAddress (patched by SetupInlineHook)
		_emit 0xbb;
		_emit 0xbb;
		_emit 0xbb;
		_emit 0xbb;
		_emit 0x08;					// selector 0x0008: assumed flat 32-bit kernel code segment -- confirm on target
		_emit 0x00;
	}
}
void InLineHookHeadEnd(){}

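/*
 * Install a 7-byte JMP FAR inline hook at FunctionAddress that diverts
 * execution to NewAddress, and build a trampoline through which the hook
 * can call the original function.
 *
 * FunctionAddress  function to hook; its first OrgBytesSize bytes are
 *                  overwritten in place (JMP FAR + NOP padding).
 * NewAddress       replacement function; entered with the trampoline
 *                  address pushed as its first stack argument (see
 *                  InLineHookHead).
 * OrgFunction      optional; if non-NULL, *(PVOID*)OrgFunction receives
 *                  the trampoline entry that executes the displaced
 *                  original bytes and jumps back to
 *                  FunctionAddress + OrgBytesSize.
 *
 * Returns an opaque handle (PINLINE_HOOK_ITEM) for ClearInlineHook(), or
 * NULL if an argument is NULL, the prolog could not be disassembled into a
 * whole-instruction span of at least 7 bytes, or pool allocation failed.
 *
 * Constraints, as written (not enforced here):
 *  - x86-32 only: MSVC __asm, CR0 via EAX, JMP FAR with selector 0x08.
 *  - The displaced bytes are executed from the trampoline, so they must be
 *    position-independent. Whether DisassembleProlog rejects relative
 *    branches (E8/E9/Jcc) is not visible in this file -- confirm.
 *  - The 7-byte patch is not atomic: another CPU executing FunctionAddress
 *    at that moment can see a torn instruction stream. Masking interrupts
 *    while CR0.WP is clear only keeps this thread on this CPU (WP is
 *    per-CPU); it does not stop other CPUs.
 *  - The trampoline is allocated from NonPagedPool and executed, so that
 *    pool must be executable (an NX pool would fault on first use).
 */
PVOID
SetupInlineHook(
	IN OUT PVOID FunctionAddress,
	IN PVOID NewAddress,
	OUT PVOID OrgFunction
	)
{
	PINLINE_HOOK_ITEM hook_item = NULL;
	PBYTE trampoline = NULL;
	PBYTE jmp_back = NULL;
	UINT i, call_head_len;
	ULONG saved_eflags = 0;

	if (!FunctionAddress || !NewAddress)
		return NULL;

	//VMProtectBegin;

	// TODO(review): ExAllocatePool is untagged (and deprecated); prefer
	// ExAllocatePoolWithTag so leaks are attributable in pool tracking.
	hook_item = ExAllocatePool(NonPagedPool, sizeof(INLINE_HOOK_ITEM));
	if (!hook_item)
	{
		KdPrint(("SetupInlineHook: no pool for hook item at %08x!\n", FunctionAddress));
		return NULL;
	}
	hook_item->HookAddress = FunctionAddress;
	hook_item->HookBytes = NULL;

	// How many whole instructions must be displaced to fit JMP FAR ptr16:32 (7 bytes).
	hook_item->OrgBytesSize = DisassembleProlog(FunctionAddress, 7);
	if (hook_item->OrgBytesSize < 7)
	{
		KdPrint(("DisassembleProlog Faild At %08x!\n", FunctionAddress));
		ExFreePool(hook_item);
		return NULL;
	}
	KdPrint(("Hook %d Bytes At %08x!\n", hook_item->OrgBytesSize, FunctionAddress));

	// Length of the InLineHookHead template. This relies on the two
	// functions being laid out back to back and on both names resolving to
	// the real code; with incremental linking (debug builds) they can be
	// ILT thunks and the length is wrong. Confirm on a release build.
	call_head_len = (ULONG)InLineHookHeadEnd - (ULONG)InLineHookHead;

	// Trampoline layout: [head template][displaced original bytes][JMP FAR back]
	trampoline = ExAllocatePool(NonPagedPool, hook_item->OrgBytesSize + call_head_len + 7);
	if (!trampoline)
	{
		KdPrint(("SetupInlineHook: no pool for trampoline at %08x!\n", FunctionAddress));
		ExFreePool(hook_item);
		return NULL;
	}
	hook_item->HookBytes = trampoline;

	memcpy(trampoline, (PBYTE)InLineHookHead, call_head_len);

	if (OrgFunction)
	{
		*(PULONG)OrgFunction = (ULONG)trampoline + call_head_len;
	}

	// Patch the two placeholder immediates. The scan is bounded to the head
	// so it never reads the not-yet-written bytes that follow it.
	for (i = 0; i + sizeof(ULONG) <= call_head_len; i++)
	{
		PULONG slot = (PULONG)&trampoline[i];
		if (*slot == 0xAAAAAAAA)
		{
			*slot = (ULONG)trampoline + call_head_len;	// PUSH OrgFunction
			i += sizeof(ULONG) - 1;						// skip the patched immediate
		}
		else if (*slot == 0xBBBBBBBB)
		{
			*slot = (ULONG)NewAddress;					// JMP FAR 0008:NewAddress
			i += sizeof(ULONG) - 1;
		}
	}

	// Relocated original prolog, followed by JMP FAR 0008:(FunctionAddress + OrgBytesSize).
	memcpy(trampoline + call_head_len, FunctionAddress, hook_item->OrgBytesSize);
	jmp_back = trampoline + call_head_len + hook_item->OrgBytesSize;

	KdPrint(("OrgBytesSize:%d jmp_back:%08x\n", hook_item->OrgBytesSize, jmp_back));

	jmp_back[0] = 0xEA;
	*(PULONG)&jmp_back[1] = (ULONG)FunctionAddress + hook_item->OrgBytesSize;
	jmp_back[5] = 0x08;
	jmp_back[6] = 0x00;

	//------------------------------------------------------------
	// Patch the target. Interrupts are masked so this thread cannot be
	// preempted and migrated while CR0.WP is clear on this CPU, and the
	// saved EFLAGS is restored afterwards instead of an unconditional STI.
	// This mirrors ClearInlineHook.
	//------------------------------------------------------------
	_asm
	{
		PUSHFD;
		POP  saved_eflags;
		CLI;
		MOV EAX, CR0;
		AND EAX, NOT 10000H;	// clear WP so read-only code pages are writable
		MOV CR0, EAX;
	}
	hook_item->HookAddress[0] = 0xEA;	// JMP FAR 0008:trampoline
	*(PULONG)&hook_item->HookAddress[1] = (ULONG)trampoline;
	hook_item->HookAddress[5] = 0x08;
	hook_item->HookAddress[6] = 0x00;
	for (i = 7; i < hook_item->OrgBytesSize; i++)	// NOP out the rest of the last displaced instruction
		hook_item->HookAddress[i] = 0x90;
	_asm
	{
		MOV EAX, CR0;
		OR  EAX, 10000H;		// restore WP
		MOV CR0, EAX;
		PUSH saved_eflags;
		POPFD;
	}
	//------------------------------------------------------------
	KdPrint(("Hook At %08x\n", FunctionAddress));

	//VMProtectEnd;

	return hook_item;
}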

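/*
 * Remove an inline hook installed by SetupInlineHook(): restore the
 * OrgBytesSize displaced bytes at HookAddress from the copy kept in the
 * trampoline, then free the trampoline and the handle.
 *
 * HookHandler  handle returned by SetupInlineHook(); NULL is a no-op.
 *
 * Trampoline layout (see SetupInlineHook): head_size bytes of the
 * InLineHookHead template, OrgBytesSize original bytes, 7-byte JMP FAR back.
 *
 * Caveats, unchanged from the original and left to the caller:
 *  - Another thread may still be executing inside the trampoline, or be
 *    diverted into it an instant before the restore lands, when HookBytes
 *    is freed. Nothing here waits for that; the caller must guarantee the
 *    hooked path is quiescent (e.g. by unload ordering) before calling.
 *  - The multi-byte restore is not atomic with respect to other CPUs.
 *  - x86-32 only (MSVC __asm, CR0 via EAX).
 */
VOID
ClearInlineHook(
	IN PVOID HookHandler
	)
{
	PINLINE_HOOK_ITEM hook_item = (PINLINE_HOOK_ITEM)HookHandler;
	UINT head_size = (ULONG)InLineHookHeadEnd - (ULONG)InLineHookHead;
	ULONG saved_eflags = 0;

	if (!hook_item)
		return;

	// Mask interrupts so this thread cannot migrate CPUs while WP is clear
	// on this one; restore the saved EFLAGS rather than a blind STI so we
	// never enable interrupts the caller had disabled.
	_asm
	{
		PUSHFD;
		POP  saved_eflags;
		CLI;
		MOV EAX, CR0;
		AND EAX, NOT 10000H;	// clear WP so the code page is writable
		MOV CR0, EAX;
	}
	memcpy(hook_item->HookAddress, hook_item->HookBytes + head_size, hook_item->OrgBytesSize);
	_asm
	{
		MOV EAX, CR0;
		OR  EAX, 10000H;		// restore WP
		MOV CR0, EAX;
		PUSH saved_eflags;
		POPFD;
	}
	KdPrint(("ClearInlineHook at %08x\n", hook_item->HookAddress));

	ExFreePool(hook_item->HookBytes);
	hook_item->HookBytes = NULL;
	ExFreePool(hook_item);
}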
