/*
InterruptHook
Copyright (C) 2003 Alexander M.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
#include <ntddk.h>
#include "hook.h"
#include "handler.h"
#include "debug.h"
LARGE_INTEGER StartTime = { 0 };   /* written by HookAllInterrupts (KeQueryPerformanceCounter call); zero until then, consumed outside this file */
VOID
LoadIDT(
OUT PIDT pIdt )
{
    /* Store the IDTR of the CPU this code is running on into *pIdt.
       EAX is loaded with the destination pointer and SIDT writes the
       register image (limit + base, as read back via wLimit/dwBase by
       the callers in this file) through it.
       NOTE(review): IDTR is per-CPU, so on SMP this only describes the
       IDT of the current CPU -- the other CPUs' tables are not touched
       by anything in this file. */
    __asm MOV EAX, [pIdt]
    __asm SIDT [EAX]
}
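VOID
LoadINTVector(
IN PIDT pIdt,
IN UCHAR iVector,
OUT PINT_VECTOR pVector )
{
    /* Copy descriptor slot iVector out of the IDT described by *pIdt
       (filled in by LoadIDT) into *pVector.
       The slot is refused, and *pVector left untouched, when it lies past
       the IDT limit, so a shorter-than-expected IDT is never read beyond
       its end. The "successfully dumped" message is now emitted only after
       the copy completed; the original printed it on the exception path as
       well, masking failures in the debug log.
       NOTE(review): the SEH guard is kept from the original, but in kernel
       mode a fault on an invalid kernel address generally bugchecks instead
       of raising SEH, so it is not a substitute for the bounds check above
       -- confirm for the target build. */
    DWORD dwOffset = (DWORD)iVector * sizeof(INT_VECTOR);

    if( dwOffset + sizeof(INT_VECTOR) > (DWORD)pIdt->wLimit + 1 )
    {
        DPRINT( "LoadINTVector: Vector 0x%.2X is beyond the IDT limit\n", iVector );
        return;
    }

    __try
    {
        memcpy( pVector, (const void *)( pIdt->dwBase + dwOffset ), sizeof(INT_VECTOR) );
        DPRINT( "LoadINTVector: Vector 0x%.2X successfully dumped\n", iVector );
    }
    __except( 1 )   /* 1 == EXCEPTION_EXECUTE_HANDLER */
    {
        DPRINT( "LoadINTVector: Exception\n" );
    }
}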
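VOID
SaveINTVector(
IN PIDT pIdt,
IN UCHAR iVector,
IN PINT_VECTOR pVector )
{
    /* Write *pVector into descriptor slot iVector of the IDT described by
       *pIdt (filled in by LoadIDT).
       Slots past the IDT limit are refused so a short IDT is never written
       beyond its end. Interrupts are masked around the store (PUSHFD/CLI
       ... POPFD) so this CPU cannot take the vector while its descriptor
       is half-written. The "successfully set" message is now emitted only
       after the store completed; the original printed it on the exception
       path as well.
       NOTE(review): CLI masks interrupts on the current CPU only and memcpy
       is not a single atomic store, so on SMP another CPU can still observe
       a torn descriptor; an 8-byte atomic store or a CPU rendezvous would be
       the safer choice. If the copy faulted after CLI the POPFD would be
       skipped, though in kernel mode such a fault generally bugchecks rather
       than reaching the SEH handler -- confirm for the target build. */
    DWORD dwOffset = (DWORD)iVector * sizeof(INT_VECTOR);

    if( dwOffset + sizeof(INT_VECTOR) > (DWORD)pIdt->wLimit + 1 )
    {
        DPRINT( "SaveINTVector: Vector 0x%.2X is beyond the IDT limit\n", iVector );
        return;
    }

    __try
    {
        __asm{ PUSHFD };
        __asm{ CLI };
        memcpy( (void *)( pIdt->dwBase + dwOffset ), pVector, sizeof(INT_VECTOR) );
        __asm{ POPFD };
        DPRINT( "SaveINTVector: Vector 0x%.2X successfully set\n", iVector );
    }
    __except( 1 )   /* 1 == EXCEPTION_EXECUTE_HANDLER */
    {
        DPRINT( "SaveINTVector: Exception\n" );
    }
}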
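VOID
HookAllInterrupts()
{
    /* Point every descriptor of the current CPU's IDT at InternalHandlers[i],
       keeping the original selector/type bits and only replacing the offset
       (DWORD_TO_VEC_OFFSET). Vectors 0x02, 0x08 and 0x20-0x29 are left alone.
       NOTE(review): 0x02 and 0x08 are the architectural NMI and double-fault
       vectors; why 0x20-0x29 are exempt is not visible here, presumably
       OS-reserved vectors -- confirm. Only the IDT of the CPU this runs on is
       patched.
       StartTime fix: KeQueryPerformanceCounter returns the counter value and
       writes the counter *frequency* through its optional pointer argument.
       The original passed &StartTime as that argument and discarded the
       return value, so StartTime held the frequency rather than a timestamp.
       Vec is zero-initialised and the loop stops at the IDT limit so a slot
       that LoadINTVector refused is not written back from uninitialised
       stack. */
    IDT Idt;
    INT_VECTOR Vec = { 0 };
    ULONG i;

    LoadIDT( &Idt );
    StartTime = KeQueryPerformanceCounter( NULL );

    for( i = 0; i < 256; i++ )
    {
        if( i == 0x02 ||
            i == 0x08 ||
            ( i >= 0x20 && i <= 0x29 ) )
            continue;

        /* Do not patch past the end of a shorter-than-expected IDT. */
        if( ( i + 1 ) * sizeof(INT_VECTOR) > (ULONG)Idt.wLimit + 1 )
            break;

        LoadINTVector( &Idt, (UCHAR)i, &Vec );
        DWORD_TO_VEC_OFFSET( Vec, InternalHandlers[i] );
        DPRINT( "HookAllInterrupts: Vector - 0x%.8X, 0x%.8X\n", VEC_OFFSET_TO_DWORD( Vec ), InternalHandlers[i] );
        SaveINTVector( &Idt, (UCHAR)i, &Vec );
    }
}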
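VOID
BackupNtVectors()
{
    /* Snapshot the current CPU's IDT into OriginalHandlers.
       The copy length is the IDTR limit + 1, capped at the 256 descriptors
       the rest of this file assumes (SetExternalHandlers and
       HookAllInterrupts iterate 0..255), so a larger-than-expected limit
       can no longer overrun OriginalHandlers. */
    IDT Idt;
    DWORD cbIdt;

    LoadIDT( &Idt );
    cbIdt = (DWORD)Idt.wLimit + 1;
    if( cbIdt > 256 * sizeof(INT_VECTOR) )
        cbIdt = 256 * sizeof(INT_VECTOR);
    memcpy( (void *)&OriginalHandlers, (const void *)Idt.dwBase, cbIdt );
}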
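VOID
RestoreNtVectors()
{
    /* Write the descriptors saved by BackupNtVectors back into the current
       CPU's IDT, undoing HookAllInterrupts.
       The length is the IDTR limit + 1 capped at the 256 descriptors this
       file assumes, mirroring BackupNtVectors, so the restore cannot read
       past OriginalHandlers. Interrupts are masked around the copy, as
       SaveINTVector already does for a single slot, so this CPU does not
       take a vector through a half-restored descriptor.
       NOTE(review): CLI is local to this CPU and the copy is not atomic, so
       other CPUs may still observe torn descriptors on SMP -- the same
       caveat as SaveINTVector. */
    IDT Idt;
    DWORD cbIdt;

    LoadIDT( &Idt );
    cbIdt = (DWORD)Idt.wLimit + 1;
    if( cbIdt > 256 * sizeof(INT_VECTOR) )
        cbIdt = 256 * sizeof(INT_VECTOR);

    __asm{ PUSHFD };
    __asm{ CLI };
    memcpy( (void *)Idt.dwBase, (const void *)&OriginalHandlers, cbIdt );
    __asm{ POPFD };
}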
VOID
SetExternalHandlers()
{
    /* Fill ExternalHandlers[0..255] with the handler offsets held in
       OriginalHandlers (the IDT snapshot taken by BackupNtVectors).
       Each descriptor's split offset is reassembled with VEC_OFFSET_TO_DWORD
       and stored as a PVOID. */
    ULONG ulVector = 0;

    while( ulVector < 256 )
    {
        DWORD dwHandler = (DWORD)VEC_OFFSET_TO_DWORD( OriginalHandlers[ulVector] );
        ExternalHandlers[ulVector] = (PVOID)dwHandler;
        ulVector++;
    }
}