驱动基础之Inline hook(导出函数模板)
在R3下对某个函数做inline hook，可以通过修改该函数的前5个字节来实现；这种方法在R0下同样适用。
声明:
/*
 * Prototype of the replacement routine that the inline patch below redirects
 * ObReferenceObjectByHandle into. The signature mirrors the kernel export
 * exactly so the caller's stack frame is reused unchanged.
 */
NTSTATUS DetourMyObReferenceObjectByHandle( IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType OPTIONAL, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL );
/* Kernel-exported pointer to the process object type; the detour compares
 * ObjectType against *PsProcessType to restrict its filtering to processes. */
extern POBJECT_TYPE *PsProcessType;
全局变量:
/* File-scope state shared by the install / uninstall routines and the
 * trampoline. All of it is 32-bit x86 specific (addresses narrowed to ULONG). */
ULONG g_ObReferenceObjectByHandle; // address of the original function, read by the trampoline
CHAR byOrigCode[5] = {0};          // the original function's first 5 bytes (all zero until install runs)
CHAR byJmpAddress[5] = {0xE9,0,0,0,0}; // the 5-byte "JMP rel32" to be written; 0xE9 is the opcode, displacement filled in at install
KIRQL oldirql;                     // saved IRQL; a single global, so install and uninstall share it rather than each keeping a local
核心代码:
/*
 * Installs the inline hook: overwrites the first 5 bytes of the kernel export
 * ObReferenceObjectByHandle with a relative JMP to
 * DetourMyObReferenceObjectByHandle. No parameters, no return value; all
 * state lives in the file-scope globals g_ObReferenceObjectByHandle,
 * byOrigCode, byJmpAddress and oldirql.
 *
 * This is live patching of kernel code on a running system, x86 32-bit only
 * (every pointer is narrowed to ULONG). The patched bytes differ from the
 * on-disk image of the export, which is what an integrity check of the
 * routine's prologue would detect.
 */
VOID InStallHookObReferenceObjectByHandle()
{
    // %X with a function pointer only matches the argument width on a 32-bit build.
    dprintf("[InlineHookTest]:OrigFunctionAddress:0x%X\n", ObReferenceObjectByHandle);
    //
    // Save the original function's address (the trampoline jumps to it + 5).
    //
    g_ObReferenceObjectByHandle = (ULONG)ObReferenceObjectByHandle;
    //
    // Save the original function's first 5 bytes so uninstall can restore them.
    //
    RtlCopyMemory(byOrigCode,(char *)ObReferenceObjectByHandle, 5);
    //
    // Build "JMP rel32": the displacement is relative to the end of the
    // 5-byte instruction, hence the -5. byJmpAddress[0] is already 0xE9.
    //
    *(ULONG *)(byJmpAddress + 1) = (ULONG)DetourMyObReferenceObjectByHandle - (ULONG)ObReferenceObjectByHandle -5;
    //
    // Clear CR0.WP, write the 5-byte JMP over ObReferenceObjectByHandle,
    // then restore write protection. WriteProtect(0) executes cli, so
    // interrupts are already masked on this processor when the IRQL is
    // raised; they are re-enabled by the sti in WriteProtect(1).
    // NOTE(review): both cli and KeRaiseIrqlToDpcLevel act on the current
    // processor only, and the 5-byte copy is not a single atomic store, so
    // another processor can execute the function while it is half-patched.
    //
    WriteProtect(0);
    oldirql = KeRaiseIrqlToDpcLevel();
    RtlCopyMemory((char *)ObReferenceObjectByHandle, byJmpAddress, 5);
    KeLowerIrql(oldirql);
    WriteProtect(1);
}

/*
 * Removes the inline hook by copying the 5 saved bytes back over the start of
 * ObReferenceObjectByHandle. Same CR0.WP / IRQL sequence and the same
 * per-processor, non-atomic caveat as install. Must only run after a
 * successful install: byOrigCode is all zeros until then, and this routine
 * would write those zeros over the export.
 */
VOID UnStallHookObReferenceObjectByHandle()
{
    dprintf("[InlineHookTest]:Hook FunctionAddress:0x%X\n",ObReferenceObjectByHandle);
    //
    // Restore the function's first 5 bytes.
    //
    WriteProtect(0);
    oldirql = KeRaiseIrqlToDpcLevel();
    RtlCopyMemory((char *)ObReferenceObjectByHandle, byOrigCode, 5);
    KeLowerIrql(oldirql);
    WriteProtect(1);
}

/*
 * Replacement for ObReferenceObjectByHandle. Every call is forwarded to the
 * unpatched original through the trampoline OriginalObReferenceObjectByHandle;
 * one case is then filtered: a successful call where DesiredAccess is exactly
 * 1 and the object is a process whose name, read from a hard-coded offset
 * into the process object, is "notepad.exe". In that case the reference the
 * original call just took is dropped and STATUS_INVALID_HANDLE is returned,
 * so the caller never receives the object. Everything else passes through
 * with the original's status and output values.
 *
 * Parameters and return value: identical to the kernel export being hooked.
 *
 * NOTE(review): OriginalObReferenceObjectByHandle is defined further down and
 * is not declared in the visible text; presumably a prototype exists in a
 * header — confirm.
 */
NTSTATUS DetourMyObReferenceObjectByHandle( IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType OPTIONAL, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL )
{
    NTSTATUS ntStatus;
    ntStatus = OriginalObReferenceObjectByHandle(Handle ,DesiredAccess ,ObjectType ,AccessMode ,Object ,HandleInformation);
    //
    // The original call succeeded and the requested access mask is exactly 1.
    // The author's note labelled this "PROCESS_CREATE_PROCESS"; the literal 1
    // is the PROCESS_TERMINATE bit, which matches the surrounding wording
    // ("confirm this is terminating a process"). Because this is an equality
    // test, it only fires for that one exact mask value.
    //
    if (NT_SUCCESS(ntStatus)&&DesiredAccess == 1)
    {
        if (ObjectType == *PsProcessType)
        {
            // Reads a NUL-terminated string at offset 0x174 into the process
            // object and compares it case-insensitively. Presumably the
            // image-file-name field; the offset is specific to one OS build
            // and is not validated here — TODO confirm against the target.
            if (_stricmp((char *)((ULONG)(*Object))+0x174, "notepad.exe") == 0)
            {
                // Release the reference the original call took before failing.
                ObDereferenceObject(*Object);
                return STATUS_INVALID_HANDLE;
            }
        }
    }
    return ntStatus;
}

/*
 * Trampoline into the unpatched original. Declared naked so the compiler
 * emits no prologue/epilogue: the body re-executes the three instructions the
 * 5-byte JMP overwrote (mov edi,edi / push ebp / mov ebp,esp — the standard
 * 5-byte hot-patch prologue, hard-coded here rather than replayed from
 * byOrigCode), then jumps to original + 5. The caller's arguments are still
 * on the stack where the original expects them, and the original's ret
 * returns to whoever called this trampoline (the detour). eax is clobbered;
 * it is caller-saved under stdcall so nothing is preserved.
 * NOTE(review): assumes the patched routine really begins with exactly those
 * 5 bytes, and must not be called before install, while
 * g_ObReferenceObjectByHandle is still 0.
 */
_declspec (naked) NTSTATUS OriginalObReferenceObjectByHandle( IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType OPTIONAL, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL )
{
    __asm
    {
        mov edi,edi
        push ebp
        mov ebp,esp
        mov eax,g_ObReferenceObjectByHandle
        add eax,5
        jmp eax
    }
}
//************************************
// Method:    WriteProtect
// Access:    public
// Returns:   VOID
// Parameter: INT nFlag
//            nFlag = 0  disable memory write protection
//            nFlag = 1  enable memory write protection
//
// Description: Disables or enables memory write protection by flipping the
//              WP bit of CR0 (bit 16, mask 0x10000) on the current
//              processor. nFlag == 0: cli, then clear CR0.WP — interrupts
//              stay masked on return. nFlag != 0: set CR0.WP, then sti.
//              The two halves are deliberately asymmetric: they bracket a
//              write to read-only kernel text, and interrupts remain masked
//              on this processor for the whole window between
//              WriteProtect(0) and WriteProtect(1). Other processors are
//              unaffected. x86 32-bit only (MSVC __asm).
//
// Modify time: 2012/10/30 22:52
// Author:      markro
//************************************
VOID WriteProtect(INT nFlag)
{
    if (nFlag)
    {
        __asm
        {
            push eax
            mov eax,cr0
            or eax,10000h       // set CR0.WP
            mov cr0,eax
            pop eax
            sti                 // re-enable interrupts masked by the nFlag == 0 path
        }
    }
    else
    {
        __asm
        {
            cli                 // mask interrupts before dropping write protection
            push eax
            mov eax,cr0
            and eax,0FFFEFFFFh  // clear CR0.WP
            mov cr0,eax
            pop eax
        }
    }
}
2012-10-31
